Shulou(Shulou.com)05/31 Report--

This article is a detailed introduction to "using keywords to crack functions in android". The content is detailed, the steps are clear, and the details are properly handled. I hope this article "using keywords to crack functions in android" can help you solve your doubts. Let's go deeper and learn new knowledge together with the ideas of Xiaobian.

Tool preparation x64dbg

An open source binary debugger for Windows for malware analysis and reverse engineering executables without source code.

Winhex

WinHex is essentially a general purpose hex editor. Designed for the lowest level of data processing, as a versatile tool for computer systems criminological (forensic) investigations, for data recovery and IT security-in everyday use and emergency situations.

keymaker2

KeyMake is a powerful registry writer, the software uses assembly templates as the core, can facilitate users to eliminate complex instruction algorithms, so as to quickly produce the required registry!

OllyDbg

Ollydbg is a professional disassembly debugging tool, mainly used for some application compilation operations, software is best at analyzing function procedures, loop statements, API calls, the number of parameters in the function and import tables, etc.

brute force

This section explains how to modify the assembly code to bypass the program verification section (commonly known as patching) to change the final verification of the program

Tools used:

x64dbg

Plus Chinese search plug-in (Simplified Chinese keywords: search for Chinese character string)

The program to be analyzed is loaded with x64dbg

Click the x64dbg Run button to run the program, make it run so that it can load more information for analysis, and then use the string search tool to search

Find useful information based on keywords

Found some registered judgment jump, and in the jump under the breakpoint, so that it can interrupt analysis

The registration information is not complete.

No matter what you input, you don't prompt "Registration information is not complete." This prompt will make the jump at 00510465 not true.

Because the original je is equal to the branch, but when it does not equal, the jump is not executed, so binary editing is needed to abolish this jump, 0051047F jump is established, because the original jne is not equal to the branch, but when it does not equal, the jump is not executed, so it needs to be modified to jmp unconditional branch instruction.

Note: Because the breakpoint was downloaded at je command before, if you want to modify the command, delete the breakpoint here.

The registration code is correct, thank you for registering! judgment

No matter what you enter, you will be prompted "Registration code is correct, thank you for registering!" "This prompt is to make the jump at 00510543 not true,

Because the original jne is not equal to the time transfer, but the jump is not executed when it is equal, it needs binary editing to abolish this jump.

Note: After this method abolishes the jump instruction, its background color turns gray, and the display message is that the jump will not be executed.

run tests

After modification, fill in any registration information, click Register

Fill in any information, prompt registration success, show registered

Real Registration Code Search

Idea: Monitor memory data while the software is running, and query whether there is sensitive or available information

Tools used: Winhex

Run the software Click to register

Order No.: 112233

Registration code: china123study

Open Winhex for analysis

registry authoring

In the critical judgment ("Registration code correct, thank you for registering! EDX is found to have the correct registration code compared with the entered registration code, resulting in the disclosure of the correct registration code. According to this feature, EDX data is read, and the correct registration code is calculated by using the software's own code calculation mechanism.

Tools used: x64dbg, keymaker2

key points

EDX data can be read at breakpoint 0051053E

Because EDX data is in memory, it is estimated that keymaker2 will be used to make memory registry to read data.

Self registration code comparison mechanism reveals correct registration code

Use keymaker2 to read memory data and create a registry

Use the generated registry to read the correct registry key from the memory data

embeds

Tools used: x64dbg, od, winhex

The registration judgment will store the registration data file "hdwlz.dll" locally in the "C:\Windows\system32" directory

It failed to write registration information due to system protection reasons, further verifying its registration mechanism

Switch environment successfully written

View written data

The comparison found that the order information was written

After closing the program, it was found that the registration file was deleted and the dark pile appeared.

Because the DeleteFile function is used to delete files, the OD analysis function is used for analysis.

Found two references to the delete feature

Break points at these two calls for analysis

Start by looking for a breakpoint at the entry point of the program

Close the program and view breakpoint analysis

When closed, successfully broken at the entrance

Step through the analysis to read the order information point of the hdwlz.dll file

Step through analysis to contrast

Compare EAX data to 0x1CD6D0

Decimal information where EAX data is not order number

key jump greater than 1CD6D0(1890000) jump do not delete registration file, less than 1CD6D0(1890000) jump do not execute delete registration file

Read here, this article "android using keywords to crack the function" article has been introduced, want to master the knowledge points of this article also need to practice to understand, if you want to know more about the content of the article, welcome to pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.