2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article is a detailed, step-by-step introduction to "using keywords to crack functions in android".
Tool preparation
x64dbg
An open source binary debugger for Windows for malware analysis and reverse engineering executables without source code.
Winhex
WinHex is essentially a general-purpose hex editor. It is designed for the lowest level of data processing and serves as a versatile tool for computer forensics, data recovery and IT security, in everyday use and in emergency situations.
keymaker2
KeyMake is a powerful tool for building key generators (keygens). It is built around assembly templates, which spares the user from working through complex instruction-level algorithms, so the required keygen can be produced quickly.
OllyDbg
OllyDbg is a professional disassembly and debugging tool, mainly used on compiled applications. It is best at analyzing function procedures, loop statements, API calls, the number of parameters in a function, import tables, and so on.
Brute force
This section explains how to modify the assembly code to bypass the program's verification step (commonly known as patching), which changes the final verification result.
Tools used:
x64dbg
plus a Chinese string search plug-in (used to search for Simplified Chinese keyword strings)
Load the program to be analyzed into x64dbg
Click the x64dbg Run button so that the program runs and loads more information for analysis, then search with the string search tool
Find useful information based on keywords
Several registration-check jumps are found; set a breakpoint on each jump so that execution stops there for analysis
"Registration information is not complete." check
So that the prompt "Registration information is not complete." is never shown, whatever is entered, the jump at 00510465 must not be taken.
The original je jumps when the values are equal and is not taken when they are not equal, so binary editing is used to remove this jump. The jump at 0051047F must be taken: the original jne jumps when the values are not equal and is not taken when they are equal, so it has to be changed to jmp, the unconditional branch instruction.
Note: A breakpoint was set on the je instruction earlier; delete that breakpoint before modifying the instruction.
"Registration code is correct, thank you for registering!" check
So that the prompt "Registration code is correct, thank you for registering!" is shown whatever is entered, the jump at 00510543 must not be taken.
The original jne jumps when the values are not equal and is not taken when they are equal, so binary editing is used to remove this jump.
Note: After the jump instruction is removed this way, its background color turns gray and the hint shown is that the jump will not be executed.
Run tests
After modification, fill in any registration information and click Register
With arbitrary information entered, registration is reported as successful and the program shows as registered
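Added example, not part of the original article: an integrity check a vendor or analyst could run over the three branch sites named above, comparing the bytes found in an image against a trusted reference and reporting whether each guard was removed or forced. The addresses come from the article; the region base, the short-form encodings, the displacements and all byte values are constructed assumptions.

```python
BASE = 0x00510460  # assumed start of the monitored code region

def build_image(sites):
    """Constructed 0x100-byte code region holding the given 2-byte instructions."""
    img = bytearray(0x100)
    for addr, insn in sites.items():
        img[addr - BASE:addr - BASE + 2] = insn
    return bytes(img)

# Short-form x86 opcodes: je = 0x74, jne = 0x75, jmp = 0xEB, nop = 0x90.
REFERENCE_SITES = {
    0x00510465: bytes([0x74, 0x18]),  # je  (displacement assumed)
    0x0051047F: bytes([0x75, 0x10]),  # jne (displacement assumed)
    0x00510543: bytes([0x75, 0x20]),  # jne (displacement assumed)
}

def classify(expected, actual):
    """Describe how a guarded branch differs from its reference bytes."""
    if actual == expected:
        return "intact"
    if actual == b"\x90\x90":
        return "branch removed (NOP fill)"
    if actual[0] == 0xEB and actual[1] == expected[1]:
        return "branch forced (jcc -> jmp)"
    if actual[0] ^ expected[0] == 0x01 and actual[1] == expected[1]:
        return "condition inverted"
    return "modified"

def audit(image, sites=REFERENCE_SITES, base=BASE):
    """Return {address: verdict} for every guarded branch in the image."""
    report = {}
    for addr, expected in sites.items():
        off = addr - base
        report[addr] = classify(expected, image[off:off + len(expected)])
    return report

def tampered(image):
    """Sorted addresses whose bytes no longer match the reference."""
    return sorted(a for a, v in audit(image).items() if v != "intact")

GOOD = build_image(REFERENCE_SITES)
# Constructed image in the state the section describes.
PATCHED = build_image({
    0x00510465: b"\x90\x90",
    0x0051047F: bytes([0xEB, 0x10]),
    0x00510543: b"\x90\x90",
})

if __name__ == "__main__":
    for addr, verdict in audit(PATCHED).items():
        print(f"{addr:08X}: {verdict}")
```

A check like this only helps when it runs somewhere the patched program cannot also rewrite, for example in an installer, an updater or an offline audit of the file on disk.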
Real Registration Code Search
Idea: Monitor memory data while the software is running, and query whether there is sensitive or available information
Tools used: Winhex
Run the software and click Register
Order No.: 112233
Registration code: china123study
Open Winhex for analysis
Keygen authoring
At the critical check ("Registration code is correct, thank you for registering!"), EDX is found to hold the correct registration code, which is compared with the entered registration code, so the correct registration code is disclosed. Based on this, the EDX data is read, and the correct registration code is obtained by relying on the software's own code calculation mechanism.
Tools used: x64dbg, keymaker2
Key points
EDX data can be read at breakpoint 0051053E
Because the EDX data is in memory, keymaker2 is expected to be the tool for building a memory keygen that reads it.
The program's own registration code comparison reveals the correct registration code
Use keymaker2 to read memory data and create a keygen
Use the generated keygen to read the correct registration code from the memory data
Hidden checks
Tools used: x64dbg, OD, WinHex
The registration check stores the registration data file "hdwlz.dll" locally in the "C:\Windows\system32" directory
Writing the registration information failed because of system protection, which further confirms this registration mechanism
After switching environments, the write succeeds
View written data
Comparison shows that the order information was written
After closing the program, the registration file was found to have been deleted: a hidden check (the "dark pile") has been triggered.
Because the DeleteFile function is used to delete files, OD is used to analyze that function.
Two references to the delete function are found
Set breakpoints at these two calls for analysis
Start by looking for a breakpoint at the entry point of the program
Close the program and view breakpoint analysis
On close, execution breaks at the entry as expected
Step through to the point where the order information is read from the hdwlz.dll file
Step through to the comparison
Compare EAX data to 0x1CD6D0
Decimal information where EAX data is not order number
Key jump: if the value is greater than 1CD6D0 (1890000), the jump is taken and the registration file is not deleted; if it is less than 1CD6D0 (1890000), the jump is not taken and the registration file is deleted