This is the Windows Cracking Tutorial v1.o written by ED!SON96.
There are plenty of things on the net calling themselves "XX Handbook" or
"XX for Beginners", but most of them are about cracking UNIX accounts or Novell
networks, and they are ancient, some dating from 1985 :)
Good articles on actually cracking (not hacking) Windows or Win95 programs are
few, and ones about how to get started are rarer still.
ED!SON96 is a fairly well-known cracker on the net who regularly posts the
shareware he has cracked. The famous Serv-U 2.0 crack was his work. All the
serial-number cracks made by this expert use ED!SON96 as the user name; other
crackers of the same kind include Pc97, and both are often heard of on alt.cracks.
This is an introductory tutorial ED!SON wrote last year on how to crack Windows
programs. I skimmed it and think it will be very helpful for people who have some
assembly background, know Windows, and want to practice cracking, so rather than
keep it to myself I am posting it, hoping it helps those eager to learn cracking.
PS: The Task Lock 3.0 it discusses can no longer be found at the URL given; if
anyone knows where it is, please upload it to the ftp so everyone can practice.
SoftICE 95 can already be found on pirate CDs, 《速递五》 as I recall; please don't
ask on this board where copyrighted software can be downloaded.
ED!SON96's homepage is at http://ccnux.utm.my/edison/
but he says he has retired recently and there are no new cracks. :(
This article can be found at http://www.arosnet.se/users/yooden/wincrack.txt
Windows Cracking Tutorial v1.o Page 1 of 7
ED!SON's Windows 95 Cracking Tutorial v1.oo
===========================================
CONTENTS
========
1. Introduction to Windows cracking
2. Quick introduction to SoftICE/Win 2.oo
3. Finding registration codes
3.1 Task Lock 3.00 - A simple registration number only protection
3.2 Command Line 95 - Easy name/code registration
4. Making a keymaker for Command Line 95
5. How PUSH and CALL and things really work when the program call a function
6. About Visual Basic programs
APPENDIX
========
A. Making SoftICE load symbols
B. Syntax for the functions
C. Where to obtain the softwares
D. Contacting me
1. INTRODUCTION TO WINDOWS CRACKING
===================================
Cracking a Windows program is most often simpler than cracking a program that
runs under DOS. In Windows it's hard to hide anything from anyone who really
looks for information, as long as the program uses Windows' own functions.
The first (and often only) tool you need is SoftICE/Win 2.oo, a powerful
debugger from NuMega. Some people find it hard to use, but I will tell you how
to do efficient debugging with it, and I hope you'll understand me :-)
I have made an Appendix (A) with some SoftICE/Win 2.oo info you should read.
I never had any problems installing SoftICE, so if you have, I'll have to refer
to the manual.
URLs to all software you need are in Appendix C.
- ED!SON, edison@ccnux.utm.my
2. QUICK INTRODUCTION TO SOFTICE/WIN 2.OO
=========================================
This is a rough sketch of the SoftICE screen layout:
|--------------------|
| Registers | Use 'R' to edit
|--------------------|
| Data Window | Use 'D' to view an address, 'E' to edit
|--------------------|
| Code Window | Use 'U' to view an address, 'A' to insert asm code
|--------------------|
| Command Window | Type commands and read output here
|--------------------|
Other important keys are (in the default key layout):
'H'/F1 - On-line help
F5/Ctrl+D - Run
F8 - Step into functions
F10 - Step over functions
F11 - Step out of function
3. FINDING REGISTRATION CODES
=============================
This is probably the easiest way to practice: get a shareware program and try
to register it.
3.1 Task Lock 3.00 - A simple registration number only protection
=================================================================
This is a simple protection, only a code, that doesn't change.
3.1.1 Examining the program
===========================
Is it 16 or 32 bit? Where do I enter registration information? Does the help
give me any clue on how the registration works? Go and find out before you
continue!
....You should be checking now!...Are you checking?...Have you checked?...
OK, now you know it's a 32-bit Windows 95 application, and that you can
register the program by entering a single Registration Number in a dialog box
that appears when choosing the menu "Register|Register...". You also know, by
reading the help, that there are two types of registration: Individual and Site
License. So most probably there will be TWO checks for valid codes.
3.1.2 Trap the code routine
===========================
The codes are usually entered in normal Windows Edit boxes. To check the code,
the program must read the contents of the Edit box with one of these functions:
16-bit 32-bit
------ ------
GetWindowText GetWindowTextA, GetWindowTextW
GetDlgItemText GetDlgItemTextA, GetDlgItemTextW
The last letter of the 32-bit function names tells whether the function uses
one-byte (A, ANSI) or two-byte (W, wide/Unicode) characters. Calls to the W
versions are RARE.
Maybe you got my idea... "If I only could break on GetWindowText" And - you
can! But first you must be sure that these symbols are loaded by SoftICE. (See
Appendix A)
To set up a "trap" (really called breakpoint) in SoftICE, you first enter the
debugger with Ctrl+D, then use the command BPX followed by the name of the
function or a memory address. And Task Lock is 32-bit so let's put a breakpoint
on GetWindowTextA. If that doesn't work, we can try the others.
Type like this in SoftICE:
:bpx getwindowtexta
If you get an error message like "No LDT", make sure you don't run any other
applications in the background. I've noticed that Norton Commander/Dos disturbs
this function. You can check if you got any breakpoint by listing breakpoints:
:bl
This would give something like:
00) BPX USER32!GetWindowTextA C=01
To get out of SoftICE, you press Ctrl+D again.
Well, anyway, you have set your breakpoint that will trap any call to
GetWindowTextA. Now let's try to enter some value in the registration number
field and press OK... You press OK... and you just get a stupid message box
telling you your code was wrong. So it wasn't GetWindowTextA... Let's try
GetDlgItemTextA. First we erase the old breakpoint:
:bc 0
(0 is the number of the breakpoint in the breakpoint list)
And now set the new one:
:bpx getdlgitemtexta
Let's try again...
3.1.3 In the debugger
=====================
Wow! It worked! You're now inside SoftICE, at the place where the function
GetDlgItemTextA starts. To jump to wherever it was called from, press the key
F11. You are now inside SGLSET.EXE, if you're not sure, look on the line
between the code and the command window, it should look something like this:
----------SGLSET!.text+1B13----------
You can also disable the breakpoint now by doing this:
:bd 0
To enable it later if you want to run again do like this then:
:be 0
The first line in the code window looks like this:
CALL [USER32!GetDlgItemTextA]
To see the lines above, press Ctrl+Up arrow a few times, until you see the
lines below. If you don't know anything about Assembler, I have added comments
to the lines.
RET ; End of function
PUSH EBP ; Beginning of function
MOV EBP, ESP ; ...
SUB ESP, 0000009C ; ...
PUSH ESI ; ...
> LEA EAX, [EBP-34] ; EAX = EBP-34
PUSH EDI ; ...
MOV ESI, ECX ; ...
PUSH 32 ; Save: Maximum size of string (32 hex = 50 bytes)
> PUSH EAX ; Save: Address of text buffer
PUSH 000003F4 ; Save: Identifier of control
PUSH DWORD PTR [ESI+1C] ; Save: Handle of dialog box
CALL [USER32!GetDlgItemTextA] ; Get the text
The PUSH commands mean "save this value for later use" (they are the function's
arguments). I have marked the important lines with a '>' char. By looking at
this we know that the address of the text buffer was passed in EAX, and that
EAX was EBP-34. So now we look at EBP-34 like this:
:d ebp-34
You should now be able to read what you entered if you look in the data window.
Now we have to find the place where your code is compared with a working one. So
we step through the program one instruction at a time with F10 until we find
something that refers to EBP-34... You don't have to step for very long until
this code pops up:
> LEA EAX, [EBP+FFFFFF64] ; EAX = EBP-9C
LEA ECX, [EBP-34] ; ECX = EBP-34
PUSH EAX ; Save: EAX
PUSH ECX ; Save: ECX
> CALL 00403DD0 ; Call a function
ADD ESP, 08 ; Erase saved information
TEST EAX, EAX ; Check function return
JNZ 00402BC0 ; Jump if not zero
To me, this looks exactly like a string compare function. They work like this:
* Input two strings, return zero if they are equal, otherwise non-zero
And why would the program compare a string with the one you entered? To see if
it was valid! (As you probably already have figured out)
Well, what is hiding behind the address [EBP+FFFFFF64] then? SoftICE shows
displacements as unsigned 32-bit values, so FFFFFF64 is really a negative
number. To find its real value you do this calculation:
100000000 - FFFFFF64 = 9C
You can do the calculation in SoftICE like this:
:? 0-FFFFFF64
The number 100000000 does not fit in 32 bits, but because the arithmetic wraps
around at 32 bits, 0 - FFFFFF64 gives the same result: 9C.
And now... time to look what hides behind EBP-9C... Do like this:
:d ebp-9c
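The two steps above (matching the PUSHes before a CALL to the function's parameters, and turning a displacement like FFFFFF64 back into -9C) are mechanical enough to script. The following Python is an added example, not part of ED!SON's tutorial or of Task Lock: it walks the listing quoted above (retyped here as constructed sample input), tracks what each register last received from LEA/MOV, and maps the pushed values to parameter names. It assumes the Win32 stdcall/cdecl convention (arguments pushed right to left, so the last PUSH before the CALL is the first parameter) and, following the text's reasoning, that the routine at 00403DD0 is a two-argument string compare; that routine's parameter names are an assumption.

```python
import re

# Constructed sample input: the SoftICE listing quoted in the tutorial, retyped.
LISTING = """
PUSH EBP
MOV EBP, ESP
SUB ESP, 0000009C
PUSH ESI
LEA EAX, [EBP-34]
PUSH EDI
MOV ESI, ECX
PUSH 32
PUSH EAX
PUSH 000003F4
PUSH DWORD PTR [ESI+1C]
CALL [USER32!GetDlgItemTextA]
LEA EAX, [EBP+FFFFFF64]
LEA ECX, [EBP-34]
PUSH EAX
PUSH ECX
CALL 00403DD0
ADD ESP, 08
TEST EAX, EAX
JNZ 00402BC0
"""

# Parameter names in source order. Win32 stdcall and cdecl both push arguments
# right to left, so the LAST push before the CALL is the FIRST parameter.
PARAMS = {
    "USER32!GetDlgItemTextA": ["hDlg", "nIDDlgItem", "lpString", "nMaxCount"],
    "USER32!GetWindowTextA": ["hWnd", "lpString", "nMaxCount"],
    # Assumption (not from the page): 00403DD0 is a strcmp-like routine taking two strings.
    "00403DD0": ["str1", "str2"],
}

DISP_RE = re.compile(r"\[(E[A-Z]{2})([+-])([0-9A-Fa-f]+)\]")


def normalize_disp(operand):
    """Rewrite [REG+FFFFFF64] as [REG-9C]: SoftICE prints a negative displacement
    as its unsigned 32-bit two's-complement value, so anything >= 80000000 is negative."""
    m = DISP_RE.search(operand)
    if not m:
        return operand
    reg, sign, hexval = m.groups()
    disp = int(hexval, 16)
    if sign == "-":
        disp = -disp
    elif disp >= 0x80000000:  # top bit set: wrap around, same as SoftICE's "? 0-FFFFFF64"
        disp -= 0x100000000
    text = f"[{reg}-{-disp:X}]" if disp < 0 else f"[{reg}+{disp:X}]"
    return operand[:m.start()] + text + operand[m.end():]


def resolve_call_args(listing, params=PARAMS):
    """Return [(call_target, {param: value})] for every CALL whose target is in params.
    Registers pushed as arguments are replaced by whatever LEA/MOV last put in them."""
    regs = {}      # register -> symbolic value, e.g. "EAX": "EBP-34"
    pushes = []    # values pushed since the last CALL, oldest first
    calls = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        op, _, rest = line.partition(" ")
        rest = rest.strip()
        if op in ("LEA", "MOV"):
            dst, src = (x.strip() for x in rest.split(",", 1))
            src = normalize_disp(src)
            # LEA EAX,[EBP-34] loads the ADDRESS EBP-34; MOV copies the source's value.
            regs[dst] = src.strip("[]") if op == "LEA" else regs.get(src, src)
        elif op == "PUSH":
            val = normalize_disp(rest)
            pushes.append(regs.get(val, val))
        elif op == "CALL":
            target = rest.strip("[]")
            names = params.get(target)
            if names is not None:
                args = list(reversed(pushes[-len(names):]))  # last pushed = first param
                calls.append((target, dict(zip(names, args))))
            pushes.clear()
            regs.pop("EAX", None)  # the return value clobbers EAX
    return calls


if __name__ == "__main__":
    for target, args in resolve_call_args(LISTING):
        print(target)
        for name, value in args.items():
            print(f"    {name:12} = {value}")
```

Run on the listing, this reports that GetDlgItemTextA writes the entered text to lpString = EBP-34 with nMaxCount = 32 for control 000003F4, and that the routine at 00403DD0 receives str1 = EBP-34 (what you typed) and str2 = EBP-9C (the stored code), which is exactly the address the tutorial dumps with `d ebp-9c`.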
The data window will now show a row of bytes and their ASCII text - the code!
But remember what I said earlier... two types of registration means two codes...
so after you've written down the code you got, we continue stepping with F10...
We come