ECX,[3016D920]
015F:300D231D 83C408 ADD ESP,08
015F:300D2320 3BC1 CMP EAX,ECX
015F:300D2322 0F841DFEFFFF JZ 300D2145 (JUMP )
015F:300D2145 8D542418 LEA EDX,[ESP+18]
015F:300D2149 6848D91630 PUSH 3016D948
015F:300D214E 52 PUSH EDX
015F:300D214F E82CFDFFFF CALL 300D1E80
015F:300D2154 83C408 ADD ESP,08
015F:300D2157 85C0 TEST EAX,EAX
015F:300D2159 7D26 JGE 300D2181 (JUMP )
015F:300D2181 803DA480163003 CMP BYTE PTR [301680A4],03
015F:300D2188 0F876D010000 JA 300D22FB (NO JUMP)
015F:300D218E 8BAC24D0000000 MOV EBP,[ESP+000000D0]
015F:300D2195 C745009F860100 MOV DWORD PTR [EBP+00],0001869F
015F:300D219C A0A4801630 MOV AL,[301680A4]
015F:300D21A1 A801 TEST AL,01
015F:300D21A3 744B JZ 300D21F0 (NO JUMP)
015F:300D21A5 33C0 XOR EAX,EAX
015F:300D21A7 8D4C2418 LEA ECX,[ESP+18]
015F:300D21AB A0A5801630 MOV AL,[301680A5]
015F:300D21B0 51 PUSH ECX
015F:300D21B1 6824D91630 PUSH 3016D924
015F:300D21B6 8D3440 LEA ESI,[EAX*2+EAX]
015F:300D21B9 C1E603 SHL ESI,03
015F:300D21BC E85FFDFFFF CALL 300D1F20
015F:300D21C1 83C408 ADD ESP,08
015F:300D21C4 3BC3 CMP EAX,EBX
015F:300D21C6 0F8C2F010000 JL 300D22FB (NO JUMP)
015F:300D21CC 3BC6 CMP EAX,ESI
015F:300D21CE 7C0A JL 300D21DA (JUMP )
015F:300D21DA 2BF0 SUB ESI,EAX
015F:300D21DC B8ABAAAA2A MOV EAX,2AAAAAAB
015F:300D21E1 F7EE IMUL ESI
015F:300D21E3 C1FA02 SAR EDX,02
015F:300D21E6 8BC2 MOV EAX,EDX
015F:300D21E8 C1E81F SHR EAX,1F
015F:300D21EB 03D0 ADD EDX,EAX
015F:300D21ED 895500 MOV [EBP+00],EDX
015F:300D21F0 F605A480163002 TEST BYTE PTR [301680A4],02
015F:300D21F7 0F84B3000000 JZ 300D22B0 (JUMP )
015F:300D22B0 B909000000 MOV ECX,00000009
015F:300D22B5 8D742418 LEA ESI,[ESP+18]
015F:300D22B9 BF48D91630 MOV EDI,3016D948
015F:300D22BE F3A5 REPZ MOVSD
015F:300D22C0 8B4500 MOV EAX,[EBP+00]
015F:300D22C3 33C9 XOR ECX,ECX
015F:300D22C5 8A0DA9801630 MOV CL,[301680A9]
015F:300D22CB 3BC1 CMP EAX,ECX
015F:300D22CD 7F05 JG 300D22D4 (JUMP )
015F:300D22D4 6A4C PUSH 4C
015F:300D22D6 6824D91630 PUSH 3016D924
015F:300D22DB E820FAFFFF CALL 300D1D00
015F:300D22E0 83C408 ADD ESP,08
015F:300D22E3 A320D91630 MOV [3016D920],EAX
015F:300D22E8 6820D91630 PUSH 3016D920
015F:300D22ED E80EFBFFFF CALL 300D1E00
015F:300D22F2 83C404 ADD ESP,04
015F:300D22F5 85C0 TEST EAX,EAX
015F:300D22F7 8BC3 MOV EAX,EBX
015F:300D22F9 7505 JNZ 300D2300 (JUMP )
015F:300D2300 5F POP EDI
015F:300D2301 5E POP ESI
015F:300D2302 5D POP EBP
015F:300D2303 5B POP EBX
015F:300D2304 81C4BC000000 ADD ESP,000000BC
015F:300D230A C3 RET
015F:3000ADB6 8BF0 MOV ESI,EAX
015F:3000ADB8 83C404 ADD ESP,04
015F:3000ADBB 8D46FF LEA EAX,[ESI-01]
015F:3000ADBE 83F805 CMP EAX,05
015F:3000ADC1 773D JA 3000AE00 (JUMP )

Step 9 : Find the first point where the two log files differ.
*************************************************************
You may have noticed that the two log files are identical until the address 015F:3000ADC1.
In the first log file, the command at this address doesn't jump, but in the second log file the very same command jumps. This is because the value of EAX at that point in time is different in the two logs.
Have a look at the three lines of code :
LEA EAX,[ESI-01]    This looks at the byte at the address ESI-01 and puts the value in EAX.
CMP EAX,05          This looks to see if the value in EAX is equal to 5.
JA 3000AE00         Jump if Above to address 3000AE00.

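The comparison described in Step 9 can be automated. The following Python script is an added example, not code from Mushy's tutorial: it parses lines in the SoftICE log format shown above, walks the two traces in lockstep and reports the first step where either the executed address or a branch outcome differs, then lists the instructions that feed that branch. The sample traces embed the last six common lines of the log above; the two continuation lines after the JA (the fall-through instruction at 3000ADC3 and the instruction at 3000AE00) are constructed for the example and are not from the page. One caveat when reading the three lines above: LEA only computes the address ESI-01, it does not read memory, so EAX receives the value of ESI minus one before the comparison with 5.

```python
"""Diff two SoftICE-style execution logs and locate the first divergence.

Added example, not code from the original tutorial.  It assumes the log
lines follow the format shown on the page:
    SEG:ADDR OPCODES MNEMONIC [OPERANDS] [(JUMP )|(NO JUMP)]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<seg>[0-9A-F]{4}):(?P<addr>[0-9A-F]{8})\s+"   # selector:offset
    r"(?P<opcodes>[0-9A-F]+)\s+"                        # instruction bytes
    r"(?P<text>.*?)\s*"                                 # mnemonic + operands
    r"(?:\((?P<taken>JUMP|NO JUMP)\s*\))?\s*$"          # branch annotation
)


@dataclass(frozen=True)
class Step:
    addr: str               # offset as printed, e.g. '3000ADC1'
    opcodes: str            # hex bytes of the instruction, e.g. '773D'
    text: str               # mnemonic and operands, e.g. 'JA 3000AE00'
    taken: Optional[bool]   # True/False for conditional branches, else None


def parse_trace(log: str) -> List[Step]:
    """Turn one log into a list of executed steps; blank lines are ignored."""
    steps: List[Step] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        taken = m.group("taken")
        steps.append(Step(addr=m.group("addr"), opcodes=m.group("opcodes"),
                          text=m.group("text").strip(),
                          taken=None if taken is None else taken == "JUMP"))
    return steps


def find_divergence(a: List[Step], b: List[Step]
                    ) -> Optional[Tuple[int, Optional[Step], Optional[Step]]]:
    """Return (index, step_a, step_b) for the first step that differs.

    Two steps differ when the traces executed different addresses, or the
    same conditional branch with a different outcome.  The latter is the
    tutorial's case: both logs reach 015F:3000ADC1 but only one jumps.
    Returns None when the traces are identical.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x.addr != y.addr or x.taken != y.taken:
            return i, x, y
    if len(a) != len(b):                    # one trace is a prefix of the other
        i = min(len(a), len(b))
        return i, (a[i] if i < len(a) else None), (b[i] if i < len(b) else None)
    return None


def branch_context(trace: List[Step], index: int, before: int = 2) -> List[Step]:
    """The instructions leading up to (and including) the diverging step."""
    return trace[max(0, index - before): index + 1]


# Sample input.  The six common lines are copied from the log above; the two
# continuation lines after the JA are constructed for this example.
COMMON = """\
015F:300D2304 81C4BC000000 ADD ESP,000000BC
015F:300D230A C3 RET
015F:3000ADB6 8BF0 MOV ESI,EAX
015F:3000ADB8 83C404 ADD ESP,04
015F:3000ADBB 8D46FF LEA EAX,[ESI-01]
015F:3000ADBE 83F805 CMP EAX,05
"""
TRACE_A = COMMON + (  # first log: JA falls through (constructed next line)
    "015F:3000ADC1 773D JA 3000AE00 (NO JUMP)\n"
    "015F:3000ADC3 33C0 XOR EAX,EAX\n")
TRACE_B = COMMON + (  # second log: JA is taken (constructed next line)
    "015F:3000ADC1 773D JA 3000AE00 (JUMP )\n"
    "015F:3000AE00 5E POP ESI\n")


def report(log_a: str, log_b: str) -> str:
    """Human-readable summary of where two logs part ways."""
    a, b = parse_trace(log_a), parse_trace(log_b)
    hit = find_divergence(a, b)
    if hit is None:
        return "traces are identical"
    i, x, y = hit
    lines = [f"first difference at step {i}:"]
    lines.append(f"  log 1: {x.addr} {x.text} taken={x.taken}" if x else "  log 1: <ended>")
    lines.append(f"  log 2: {y.addr} {y.text} taken={y.taken}" if y else "  log 2: <ended>")
    lines.append("  instructions feeding the branch:")
    for s in branch_context(b if y else a, i):
        lines.append(f"    {s.addr} {s.opcodes:<14} {s.text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TRACE_A, TRACE_B))
```

Running the script on the two sample traces reports step 6, the JA at 3000ADC1 with taken=False in the first log and taken=True in the second, followed by the LEA, CMP and JA lines. Comparing the branch outcome as well as the address is what makes the tool point at the decision itself rather than at the instruction after it.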
Step 10 : What do I do now ?
****************************
We need to change the file so that the JA command does NOT jump. You can do this several ways.
The cheap'n'nasty way is to NOP (No Operation) the 'JA 3000AE00' command by changing the two values '77 3D' at address 015F:3000ADC1 to '90 90'. Although this will do the job most of the time, the correct way is to lie to the rest of the program by replacing the 'LEA EAX,[ESI-01]' (3 bytes long), the 'CMP EAX,05' (also 3 bytes) and the 'JA' command (2 bytes), 8 bytes in total for the three asm commands, with the command 'MOV EAX,00000005' (5 bytes long) and 3 'NOP' commands (1 byte each). This ensures that the EAX register has the correct value and you are replacing the same amount of bytes in the program.

Step 11 : Patching the program.
*******************************
All that remains now is to load your program into your favourite hex editor, search for the pattern of bytes found in the log file for the LEA, CMP and JA commands, and patch it.
For this example,....
Replace '8D46FF83F805773D' with 'B805000000909090'.

B805000000 = MOV EAX,05
90 = NOP

Note : You may need to narrow down your search for these bytes by adding the two lines of bytes found above the asm code you are looking for into your search query.

Ending Note.
************
This way of cracking, which I call the 'Call Flow Method', has many other possibilities where there are two states of execution.
For instance,....
Cracking CRC checking routines (Program modified/Not modified),
Dongle protection (Dongle plugged in/Not plugged in),
Three tries and you're out password protection,
Programs that only let you use a feature a certain number of times.

I hope this tutorial will help people not only to speed up the cracking process, but also help to understand HOW a program works and aid in the cracking of the more difficult targets.
I'm now off to drink loads of caffeine and give my head a rest before starting my next tut.

L8R Mushy :-)

Greetz go to :
**************

The TCS Crew. (Best in the land ;-)
KM. (Only 1 more year to go : Freedom!!!!)
The Magician (Keep those degrees rolling and don't let the fedz win.)
VnC (See ya at the show. Phone Me!!)
Everyone at +fravia's msgbd.
Jeff (Great cracking board. Like the TIP of the day) </span></p>
Copyright @看雪 2000 All rights reserved. Contact me: toye@126.com
</body>
</html>