2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/02 Report--
(1) Serial number protection mechanism
Mathematical algorithms are the core of cryptography, but in ordinary software protection they have received little attention, because most software protection is really a matter of programming technique. In recent years, however, as serial-number registration has become common, the share of the work done by mathematics has grown.
First, consider how the serial-number registration that is so common on the Internet works. When a user downloads shareware, it usually carries a time limit; once the trial period expires the user must register with the vendor to keep using it. During registration the user sends personal information (usually a name) together with payment details, and the vendor computes a serial number from that information. The user then enters the registration name and serial number into the software as instructed; once the software has verified them, it removes its restrictions. This scheme is simple to implement, costs nothing extra and is convenient for buyers; by the author's estimate about 80% of the software on the Internet is protected this way.
Note that verifying a serial number is really verifying that the relationship between the user name and the serial number is the expected one. There are two basic forms of verification. The first generates the registration code from the name the user entered and compares it with the code the user typed:
Serial number = F(user name)
This, however, reproduces the vendor's code-generation process inside the user's copy of the program, which is insecure no matter how convoluted F is: the attacker only has to lift F out of the program to write a universal key generator.
The second uses the serial number to verify the user name:
User name = F⁻¹(serial number)   (e.g. ACDSEE, Xiaolou Note)
This is the inverse of the vendor's code-calculation process. If the forward and inverse algorithms are not symmetric, the attacker does have a hard time, but such an algorithm is very difficult to design.
Someone therefore proposed the following:
F1(user name) = F2(serial number)
F1 and F2 are two completely different functions, but the feature value F1 computes from the user name equals the one F2 computes from the serial number. This is fairly easy to design and considerably harder to break than the two schemes above. If both F1 and F2 are one-way, the protection is quite good, but as soon as the attacker inverts either one of them the scheme is broken. It seems that no matter how much effort goes into a one-variable algorithm, it is hard to make a real breakthrough; what about two variables?
Specific value = F(user name, serial number)
This looks much better: the relationship between user name and serial number is no longer explicit. At the same time it loses the one-to-one correspondence between the two, so the vendor must maintain the uniqueness of each (user name, serial number) pair itself; that is easy enough, a database will do. The same idea can split the user name and serial number into several parts to build a multi-variable algorithm:
Specific value = F(user name 1, user name 2, ..., serial number 1, serial number 2, ...)
Most serial-number algorithms in use are designed by the software developers themselves and are quite simple, and even where the designer has worked hard the result is often not what was hoped for. There are in fact many ready-made algorithms, such as RSA, DES, MD4 and MD5, but these are general-purpose ciphers and hash functions built for encrypting data or protecting passwords, which is not quite the same problem as serial-number registration. One example follows, in the hope of prompting better designs:
1. The program contains an encrypted ciphertext S.
2. Key = F(user name, serial number): derive the key with the two-variable algorithm above.
3. Plaintext D = DES-decrypt(S, key): decrypt the ciphertext with the derived key.
4. CRC = F-CRC(D): compute checksums over the plaintext.
5. Check that the CRCs are correct; design several different checksum algorithms and check all of their results.
In this way the program never contains a plaintext serial to compare against, and without one known-good serial number the correct key cannot be computed from the program alone. Two caveats a practitioner should keep in mind: the comparison in step 5 is still a branch that can be patched out, which is what the rest of this article is about, and the strength of the scheme rests entirely on how hard F is to solve for the serial number once one valid (name, serial) pair leaks.
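The five-step scheme, as an added example in Python that is not code from the original article. DES is replaced by a hash-derived keystream (a stand-in so the example runs with the standard library alone), F is chosen as H(user name) XOR serial so that the vendor can solve it for the serial, and the master key, plaintext and names are constructed for the example. The last function shows the caveat above: because this particular F is linear in the serial, one leaked valid pair gives an attacker a working key generator.

```python
import hashlib
import zlib

# Added example (not code from the original article). The shipped program holds
# only ciphertext S and checksums of the plaintext, never the plaintext or key.
# Assumptions: SHA-256 stands in for DES, F(name, serial) = H(name) XOR serial,
# and the key, plaintext and names below are constructed for the demonstration.

def name_digest(username: str) -> int:
    """H(user name): a 64-bit value derived from the name (SHA-256 prefix, assumed)."""
    return int.from_bytes(hashlib.sha256(username.encode()).digest()[:8], "big")

def derive_key(username: str, serial_hex: str) -> bytes:
    """Step 2: F(user name, serial) = H(user name) XOR serial, as 8 key bytes."""
    return (name_digest(username) ^ int(serial_hex, 16)).to_bytes(8, "big")

def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for DES: SHA-256 in counter mode over the key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# --- vendor side: chosen once, never shipped --------------------------------
MASTER_KEY = bytes.fromhex("0123456789abcdef")           # constructed key
PLAINTEXT_D = b"Registered build: all features unlocked"  # constructed plaintext

# --- what the shipped program contains --------------------------------------
CIPHERTEXT_S = crypt(PLAINTEXT_D, MASTER_KEY)   # step 1: encrypted S
EXPECTED_CRC32 = zlib.crc32(PLAINTEXT_D)        # step 5: two independent checksums
EXPECTED_ADLER32 = zlib.adler32(PLAINTEXT_D)

def issue_serial(username: str) -> str:
    """Vendor: solve F(user name, serial) = MASTER_KEY for the serial."""
    return format(name_digest(username) ^ int.from_bytes(MASTER_KEY, "big"), "016X")

def verify(username: str, serial_hex: str) -> bool:
    """Shipped check, steps 2 to 5. Knows S and the checksums, not D or the key."""
    try:
        key = derive_key(username, serial_hex)
    except (ValueError, OverflowError):       # not hex, or too wide for 64 bits
        return False
    d = crypt(CIPHERTEXT_S, key)
    return zlib.crc32(d) == EXPECTED_CRC32 and zlib.adler32(d) == EXPECTED_ADLER32

def keygen_from_leak(known_name: str, known_serial: str, target_name: str) -> str:
    """Attacker: one valid (name, serial) pair recovers MASTER_KEY because this F
    is linear in the serial; from then on any name can be registered."""
    key = int.from_bytes(derive_key(known_name, known_serial), "big")
    return format(name_digest(target_name) ^ key, "016X")

if __name__ == "__main__":
    s = issue_serial("Alice")
    print("Alice", s, verify("Alice", s))
    print("wrong serial accepted:", verify("Alice", "0" * 16))
    print("keygen matches vendor:", keygen_from_leak("Alice", s, "Bob") == issue_serial("Bob"))
```

The program-side check never compares a serial string, so the S-command search described later finds nothing useful; what remains attackable is the branch after the checksum comparison, or, as the last function shows, any single leaked registration.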
(2) How to locate the serial number check
Whether the aim is to recover the serial number or to patch the conditional jump after the comparison, the key step is to use the available tools to locate the code that checks it. The APIs commonly used as breakpoints are the ones that read and compare the entered text: GetDlgItemInt, GetDlgItemTextA, GetTabbedTextExtentA, GetWindowTextA, hmemcpy (Windows 9x only), lstrcmp, lstrlen and memcpy (NT/2000).
1) The data-constraint trick
This idea comes from +ORC and applies only to protections that compare the registration code in clear text. In most serial-number protected programs the real, correct registration code or password appears in memory at some point. Where it appears is not fixed, but in most cases it lies within a range: about ±0x90 bytes of the memory address where the serial number the user typed is stored. This is a side effect of how the compiler used by the protection's author lays out and moves data under Windows.
2) The hmemcpy function (the "universal breakpoint")
hmemcpy is an internal Windows 9x function, exported by the 16-bit kernel KRNL386.EXE, that copies a block of memory from one place to another. Because Windows 9x routes almost all string handling through it, it makes a very practical breakpoint and is the most used one on that platform. Windows NT/2000 has no such breakpoint because its kernel is completely different from Windows 9x.
3) The S command
Because the S command skips pages that are not present in memory, you can use SoftICE's 32-bit flat data selector 30h to search the entire 4 GB (0 to FFFFFFFFh) address space; this is typical under Windows 9x. The steps: enter a name and a fake serial number (such as 78787878), press Ctrl+D to switch into SoftICE, and issue the search command:
S 30:0 L ffffffff '78787878'
SoftICE reports the address or addresses where the pattern was found (there may be more than one). Set a bpm breakpoint on the located fake registration code, trace how the program handles the entered serial number, and you may find the correct serial number.
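The S-command search and the data-constraint trick from 1), applied to a memory dump instead of live memory, as an added example that is not part of the original article. The dump is constructed: deterministic filler, the fake serial the user typed, and a plausible registration code planted 0x40 bytes after it; the serial strings and the offsets are assumptions for the demonstration.

```python
import re

# Added example, not from the original article: locate the typed fake serial in a
# memory image (the S command) and list printable strings within +/-0x90 bytes of
# it (+ORC's data constraint). The dump and both serials are constructed.

FAKE_SERIAL = b"78787878"

def build_demo_dump() -> bytes:
    """Constructed stand-in for a process memory region."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(0x200))  # deterministic noise
    dump = bytearray(filler)
    dump[0x100:0x100 + len(FAKE_SERIAL) + 1] = FAKE_SERIAL + b"\x00"   # what the user typed
    real = b"ACME-1234-5678-90AB"                                       # planted "real" code
    dump[0x13F:0x13F + len(real) + 2] = b"\x00" + real + b"\x00"        # at 0x140, NUL-delimited
    return bytes(dump)

def search(dump: bytes, pattern: bytes) -> list:
    """Equivalent of 'S 30:0 L ffffffff pattern': every offset where pattern occurs."""
    hits, start = [], 0
    while (i := dump.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits

def strings_near(dump: bytes, offset: int, window: int = 0x90, min_len: int = 6) -> list:
    """Printable runs of at least min_len bytes within +/-window of offset, as
    (offset, text) pairs; the data constraint says the real code is usually here."""
    lo, hi = max(0, offset - window), min(len(dump), offset + window)
    region = dump[lo:hi]
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, region):
        found.append((lo + m.start(), m.group().decode("ascii")))
    return found

def candidate_serials(dump: bytes, typed: bytes = FAKE_SERIAL) -> list:
    """Strings near each occurrence of the typed serial, excluding the typed one:
    the addresses to put a bpm breakpoint on next."""
    out = []
    for hit in search(dump, typed):
        for off, text in strings_near(dump, hit):
            if text != typed.decode("ascii") and (off, text) not in out:
                out.append((off, text))
    return out

if __name__ == "__main__":
    dump = build_demo_dump()
    for hit in search(dump, FAKE_SERIAL):
        print(f"pattern found at offset {hit:08X}")
    for off, text in candidate_serials(dump):
        print(f"candidate at {off:08X}: {text!r}")
```

On a real target the dump would be a SoftICE or debugger memory snapshot, and the candidates are the addresses to watch with bpm; on a scheme like the checksum design in section (1) this search returns nothing, because no plaintext serial is ever in memory.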
4) Using message breakpoints
Message breakpoints on WM_GETTEXT and WM_COMMAND are useful while strings are being handled. The former reads the text of a control, for example copying the serial number from the edit box into a buffer supplied by the program; the latter notifies a control's parent window, so when the user clicks OK after entering the serial number the button's parent window receives a WM_COMMAND message saying the button was clicked.
BMSG xxxx WM_GETTEXT   (intercept the serial number)
BMSG xxxx WM_COMMAND   (intercept the OK button)
Use SoftICE's HWND command to obtain window handle information, or use the Spy++ utility shipped with Visual Studio to get the handle of the relevant window, then set the breakpoint with BMSG. Example:
BMSG 0129 WM_COMMAND
2. Nag window
Nag means to pester. A nag window is one that the software designer pops up from time to time to remind the user to buy the registered version, on the theory that a user who cannot stand these windows in the trial version will eventually pay. It may appear when the program starts or exits, or at random or fixed intervals while the program runs, and it is genuinely annoying.
The three common ways to remove a nag window are modifying program resources, static analysis and dynamic analysis.
A resource editor is a good way to remove a nag window: change the window's properties in the executable so that it is transparent and invisible, which removes it in effect.
If you are tracing in a debugger, find the code that creates the window and skip it. The functions commonly used to display windows are MessageBoxA, MessageBoxExA, MessageBeep, DialogBoxParamA, ShowWindow, CreateWindowExA and so on. Some nag windows are not caught by breakpoints on these functions; in that case try message breakpoints, which generally catch them.
Example: intercepting a nag window with message breakpoints.
Switch to SoftICE and issue the command: HWND
You should see output similar to the following:
Window-Handle  hQueue  SZ  QOwner    Class-Name          Window-Procedure
0080(0)        2057    32  MSGSVR32  #32711(switch_win)  17EF:00004B6E
0084(1)        2057    32  EXPLORER  shell_trayWnd       1487:0000016C
...
Look for the window handles belonging to the application in this list. If the nag window has an OK button, look for "button" in the class-name column. If there is nothing on the nag window, you have to find the right handle by other means. The list can be very long, but the nag window's handle is usually near the top.
Note: the SMU Winspector tool is recommended for nag-window cracking. It displays the information you need: Window-Handle, Window-Class Name, Window-Text, Parent Window-Handle, Parent-Window Class Name, Parent Window-Text, Module, ...
Once you have the nag window's handle, set a BMSG breakpoint on a message the window receives. Suppose the nag window has an OK button and you have found the correct handle; issue:
BMSG 0084 WM_DESTROY
Here 0084 is the nag window's handle. SoftICE breaks when the nag window is about to disappear from the screen; at that point you are deep inside some unfamiliar API code, and F12 returns you to the program. The purpose of the trace is to find where the nag window is initialised (break at the return of the CALL that created it). Most nag windows are created and destroyed by a matching pair of calls, so once you find them you can trace as needed.
3. Time limits
(1) Timers
Trial versions of some programs limit each run, for example stopping after 10 or 20 minutes, after which the program must be restarted. Such programs necessarily contain a timer that counts the running time.
1) SetTimer()
The most commonly used timer is SetTimer(); the timer it creates posts a WM_TIMER message, or calls a callback function, each time the period expires. It has latency and its precision is low.
2) timeSetEvent()
The most accurate periodic notification available to Windows code is the multimedia timer timeSetEvent(), which is accurate to 1 millisecond.
3) VxD
A VxD can use the VMM service Set_Global_Time_Out() to have a callback executed after a few milliseconds, giving a one-shot timer; calling Set_Global_Time_Out() again from inside the callback starts the next period, which yields a continuously running timer.
4) Others
GetTickCount(): low precision.
timeGetTime(): returns the number of milliseconds elapsed since Windows started.
(2) Time limits
Software protected this way generally has a trial period, such as 30 days, after which it will not run. Only by paying the author for registration does the user get a version without the limit.
There are many such programs, giving 10, 20, 30 days and so on. They store a timestamp somewhere on the system at installation, and on each run compare the current system time with the installation time to decide whether the program may still be used.
The most typical case, a 30-day limit:
mov ecx,1E          ; 1Eh = 30 decimal, the day limit, into ecx
mov eax,[esp+10]    ; number of days used, into eax
cmp eax,ecx         ; the comparison
jl ...              ; jump if still within the limit
Here the fix is to make eax always hold a small value. Note that "mov eax,1" (B8 01 00 00 00) is 5 bytes and does not fit into the 4 bytes of "mov eax,[esp+10]" (8B 44 24 10), so in practice patch it to "xor eax,eax" followed by two NOPs (33 C0 90 90), or change the conditional jump to an unconditional jmp.
Another trick: write the current year or month in hexadecimal (2000 is 07D0), disassemble the program with W32DASM and search for the bytes D0 07 (the little-endian byte order in which the immediate appears in machine code) or similar date constants; this often turns up valuable clues. Do not underestimate this method; it is very effective against programs that are not well guarded.
For example, a program limited to the year 2000 might contain the following code:
00037805 817C2404D0070000   cmp dword ptr [esp+04], 000007D0   ; is it the year 2000?
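The "search for D0 07" trick generalised, as an added example that is not from the original article: scan a byte buffer for little-endian encodings of a range of candidate years, decode the cmp dword ptr [esp+disp8], imm32 form shown in the listing above (opcode 81, ModRM 7C, SIB 24), and rewrite its immediate without changing the instruction length. The buffer is constructed from the opcode bytes in the listing plus filler; the surrounding bytes and the jl that follows are assumptions. Searching for a bare year constant also matches unrelated data, so treat hits as leads to inspect, not patches to apply blindly.

```python
import struct

# Added example (not from the original article). The code bytes are built from
# the listing's opcodes; the filler and the jl after the cmp are assumptions.

DEMO_CODE = (
    b"\x90" * 5                                  # filler before the check
    + bytes.fromhex("817C2404D0070000")          # cmp dword ptr [esp+04], 7D0h
    + b"\x7c\x10"                                # jl +10h: still before 2000
    + b"\x90" * 3
)

def year_scan(blob: bytes, years=range(1995, 2011)) -> list:
    """Offsets where a year appears as a 16- or 32-bit little-endian immediate,
    as (offset, year, width). A 32-bit hit hides the 16-bit hit at the same offset."""
    hits = []
    for y in years:
        for width, fmt in ((32, "<I"), (16, "<H")):
            pat = struct.pack(fmt, y)
            start = 0
            while (i := blob.find(pat, start)) >= 0:
                if not any(o == i and w == 32 for o, _, w in hits):
                    hits.append((i, y, width))
                start = i + 1
    return sorted(hits)

def find_cmp_esp_imm32(blob: bytes) -> list:
    """Decode every 'cmp dword ptr [esp+disp8], imm32' (81 7C 24 disp8 imm32)
    into (offset, disp8, imm32) triples."""
    out = []
    i = blob.find(b"\x81\x7c\x24")
    while i >= 0:
        if i + 8 <= len(blob):
            disp8 = blob[i + 3]
            imm32 = struct.unpack_from("<I", blob, i + 4)[0]
            out.append((i, disp8, imm32))
        i = blob.find(b"\x81\x7c\x24", i + 1)
    return out

def patch_imm32(blob: bytes, offset: int, new_value: int) -> bytes:
    """Rewrite the imm32 of the cmp at offset, keeping the instruction length
    (for example pushing the year limit to 2099); the jump is left alone."""
    if blob[offset:offset + 3] != b"\x81\x7c\x24":
        raise ValueError("no 'cmp [esp+disp8], imm32' at that offset")
    return blob[:offset + 4] + struct.pack("<I", new_value) + blob[offset + 8:]

if __name__ == "__main__":
    for off, year, width in year_scan(DEMO_CODE):
        print(f"offset {off:08X}: year {year} as {width}-bit immediate")
    for off, disp, imm in find_cmp_esp_imm32(DEMO_CODE):
        print(f"offset {off:08X}: cmp dword ptr [esp+{disp:02X}], {imm:08X}h")
    patched = patch_imm32(DEMO_CODE, 5, 2099)
    print("patched:", patched.hex())
```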
(3) Time-related functions
1. GetSystemTime: get the current system time
Description: loads the current system time, in Coordinated Universal Time (UTC, also called GMT), into a SYSTEMTIME structure.
VOID GetSystemTime(
    LPSYSTEMTIME lpSystemTime   // SYSTEMTIME structure that receives the current time
);
2. GetLocalTime: get the current local time
VOID GetLocalTime(
    LPSYSTEMTIME lpSystemTime   // SYSTEMTIME structure that receives the local time
);
3. SystemTimeToFileTime: fill a FILETIME structure from the contents of a SYSTEMTIME structure
BOOL SystemTimeToFileTime(
    CONST SYSTEMTIME *lpst,   // SYSTEMTIME structure holding the system time
    LPFILETIME lpft           // FILETIME structure that receives the file time
);
Return value: nonzero on success, zero on failure.
4. SetTimer: create a timer that fires when the specified interval elapses.
UINT SetTimer(
    HWND hwnd,          // window that receives WM_TIMER (may be NULL)
    UINT idtimer,       // timer identifier
    UINT uTimeout,      // interval in milliseconds
    TIMERPROC tmprc     // address of the timer callback, or NULL to post WM_TIMER instead
);
4. Key File protection [exercises]
A Key File (registration file) registers software by means of a file. It is usually small, and may be plain text or a binary file containing non-printable characters; it holds data such as the user name and registration code, encrypted or not, in a format the author defines. The trial version has no registration file; when the user pays, the author sends one, which may contain the user's personal information. Placing the file in the designated directory, usually the program's installation directory or the system directory, turns the software into the registered version. On every start the software reads the file, processes the data with some algorithm, decides from the result whether the file is a valid registration file and, if so, runs in registered mode.
(1) General approach to cracking a Key File
1. The best tool for analysing a Key File is a hex editor; ordinary text editors are unsuitable.
2. Start by creating a fake Key File. Most software allows the Key File to vary in size and name; make the contents easy to recognise, and adjust the size and name as needed. Recognisable content matters because the program reads the data out of the Key File and processes it, and recognisable bytes make it much easier to follow what it does with them.
3. In most cases the Key File has the form '*.key'.
4. The Key File name can be found by opening the program in W32DASM or a hex editor and searching for strings.
5. Read the user manual; the author sometimes mentions it.
6. Filemon monitors file activity on the system in real time, so when the program runs and tries to read a Key File with a specific name, that name shows up in Filemon. Once you know the name, create a fake Key File in the program's directory and start cracking.
(2) Functions commonly used with Key Files under Windows:
Function ReadFile
Purpose: read data from a file
Return value: BOOL; nonzero on success, zero on failure.
BOOL ReadFile(
    HANDLE hFile,                    // handle to the file
    LPVOID lpBuffer,                 // buffer that receives the data read
    DWORD nNumberOfBytesToRead,      // number of bytes to read
    LPDWORD lpNumberOfBytesRead,     // receives the number of bytes actually read
    LPOVERLAPPED lpOverlapped        // OVERLAPPED structure for asynchronous I/O, or NULL
);
Function CreateFileA
Purpose: open or create files, pipes, mailslots, communication resources, devices and consoles
HANDLE CreateFileA(
    LPCTSTR lpFileName,                          // name of the file to open
    DWORD dwDesiredAccess,                       // read/write access requested
    DWORD dwShareMode,                           // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,  // pointer to a SECURITY_ATTRIBUTES structure describing the file's security (where the OS supports it)
    DWORD dwCreationDisposition,                 // how to create the file
    DWORD dwFlagsAndAttributes,                  // file attributes
    HANDLE hTemplateFile                         // if non-NULL, a file handle whose extended attributes are copied to the new file
);
Function _lopen()
Purpose: open the specified file in binary mode
HFILE _lopen(
    LPCSTR lpPathName,   // name of the file to open
    int iReadWrite       // combination of access-mode and share-mode constants
);
Function FindFirstFileA()
Purpose: find a file by name
HANDLE FindFirstFile(
    LPCTSTR lpFileName,                // name of the file to search for; may contain wildcards and a path or relative path
    LPWIN32_FIND_DATA lpFindFileData   // WIN32_FIND_DATA structure that receives information about the file found; used for subsequent searches
);
5. Programs with limited functionality
These are usually DEMO versions, or versions in which some menu options are greyed out. Some DEMO versions lack certain features entirely; others contain all the functionality and simply enable it after registration.
When you use one of the disabled features in such a DEMO, a dialog pops up saying that this is the DEMO version; these usually call functions such as MessageBox[A] or DialogBox[A]. Disassemble the program in W32DASM and you can usually find strings such as "Function Not Available in Demo", "Command Not Available" or "Can't save in Shareware/Demo". The calls that display them are the indicators to follow when cracking.
Menu options that are greyed out and unusable are generally implemented through the following two functions:
(1) EnableMenuItem
Enables, disables or greys the specified menu item.
BOOL EnableMenuItem(
    HMENU hMenu,            // menu handle
    UINT uIDEnableItem,     // menu item to enable, disable or grey
    UINT uEnable            // flags for the menu item
);
In assembly the call looks like this:
PUSH uEnable            // uEnable = 0 (MF_ENABLED) enables the item
PUSH uIDEnableItem
PUSH hMenu
CALL [USER32!EnableMenuItem]
(2) EnableWindow
Enables or disables mouse and keyboard input to the specified window or control (a disabled control is drawn greyed out).
BOOL EnableWindow(
    HWND hWnd,      // window handle
    BOOL bEnable    // enable or disable input
);
Returns
Returns TRUE if the window was previously disabled, otherwise FALSE.
6. CD detection
The simplest and most common CD check has the program test at startup whether a specific file exists on the disc in the CD drive; if not, it assumes the user has no genuine disc and refuses to run. Once running, it usually does not check for the disc again. On Windows the implementation is generally: first call GetLogicalDriveStrings() or GetLogicalDrives() to list all drives in the system, then call GetDriveType() on each; for each CD-ROM drive, use CreateFileA(), FindFirstFileA() or similar to test whether the specific file exists, possibly also checking its attributes, size, contents and so on. This kind of check is relatively easy to defeat: set breakpoints on the functions above to find where the program checks the drive at startup, and modify the conditional jump to skip the disc check.
(1) Remove the CD for the game (or other program) and run it; an error message such as "Please insert the ... CD" or "You need the CD to play ..." appears. Use the string data references in W32DASM to find the code that produces this message and analyse it.
(2) Related functions
1. GetDriveType(A): determine the type of a disk drive
UINT GetDriveType(
    LPCTSTR lpRootPathName   // string containing the root path of the drive
);
Return value
0  DRIVE_UNKNOWN: the drive type cannot be determined
1  DRIVE_NO_ROOT_DIR: the root path is invalid (the directory does not exist)
2  DRIVE_REMOVABLE
3  DRIVE_FIXED (hard disk)
4  DRIVE_REMOTE (network drive)
5  DRIVE_CDROM
6  DRIVE_RAMDISK
For an ordinary program it is enough to change the value the program compares EAX against from 5 (CD-ROM) to 3 (fixed disk), so that the hard disk holding a copy of the disc's files passes the test.
Note: some programs may check files in the root directory of the CD, and may also check the volume label.
2. GetLogicalDrives: determine which logical drive letters exist in the system.
This function takes no arguments.
The bits of the return value indicate which drives are present: bit 0 set means drive A: exists, bit 1 set means drive B: exists, and so on.
3. GetLogicalDriveStrings: get a string containing the root paths of all current logical drives
DWORD GetLogicalDriveStrings(
    DWORD nBufferLength,   // length of the buffer
    LPTSTR lpBuffer        // receives the drive names, each terminated by a NULL character, with an extra NULL after the last one
);
Returns the number of characters stored in lpBuffer (not counting the final NULL). If the buffer is too small to hold the paths, the return value is the required buffer size. Zero means failure; call GetLastError.
4. GetFileAttributesA: determine the attributes of the specified file.
DWORD GetFileAttributes(
    LPCTSTR lpFileName   // name of the file whose attributes are wanted
);
5. GetFileSize: determine the length of a file
DWORD GetFileSize(
    HANDLE hFile,              // handle to the file
    LPDWORD lpFileSizeHigh     // receives the high 32 bits of the 64-bit size; may be NULL if the size cannot exceed 2^32 bytes
);
Return value: the low 32 bits of the file length; 0xFFFFFFFF indicates an error. If lpFileSizeHigh is not NULL and the result is 0xFFFFFFFF, call GetLastError to find out whether an error really occurred, because in that case 0xFFFFFFFF is also a valid result.
6. GetLastError: obtain extended error information for the previously called API function
The return value depends on the API function. Refer to api32.txt, which lists the error constants; they all begin with the ERROR_ prefix. Commonly seen codes:
ERROR_INVALID_HANDLE          an invalid handle was passed as a parameter
ERROR_CALL_NOT_IMPLEMENTED    a Win32 API function that exists only on Windows NT was called on Windows 95
ERROR_INVALID_PARAMETER       a parameter is incorrect
7. ReadFile: read data from a file
See the Key File section for details.
8. Other CD-ROM information
Interrupt 2Fh is the MSCDEX interrupt; a breakpoint of bpint 2f with ah=15 and al=0 (AX=1500h, the MSCDEX installation check) catches a program testing whether MSCDEX is installed.
You can also try breaking on the file-access functions.