<html>
<head>
<title>看雪學苑</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
.p8 { font-size: 8pt}
.p9 { font-size: 9pt}
a:hover { color: #00FF00}
a { text-decoration: none; color: #3333CC}
.p12 { font-size: 12pt; font-weight: bold; color: #FF3333}
-->
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000">
<a name="top"></a>
<table width="80%" cellspacing="0" cellpadding="0" align="center">
<tr bgcolor="#FFFF33">
<td>
<div align="center"><span class="p"><b><font color="#FF3333" class="p11">Lesson 10:
Common cracking techniques</font></b></span></div>
</td>
</tr>
</table>
<p align="center" class="p9"><span class="p9"><span class="p9"><span class="p9">4. <a href="lesson1404.htm" tppabs="http://toye.dihou.org/lesson1404.htm">Run-time limits</a></span></span>
<a href="lesson14041.htm" tppabs="http://toye.dihou.org/lesson14041.htm">[Exercises] </a></span></p>
<p class="p9">Essay: Cracking 99% of all Time Trials - Written by Mushy.</p>
<p class="p9"><b>The Call Flow Approach</b></p>
<p class="p9"><b>What is a call flow?</b></p>
<p class="p9">When a program is run or executed, it runs through a series of functions, procedures and instructions (both procedures and functions are collections of instructions that are grouped together to save space and time). A call flow is a listing or diagram of the path a program takes when it executes. This path can differ depending on the circumstances under which the program was run. Imagine six procedures as follows:</p>
<pre class="p9">
1.) GetSystemTime. (Checks the system time).
2.) Installed.     (Checks when you installed the program).
3.) Expired.       (Displays an expired message).
4.) DaysLeft.      (Displays the message 'you have % days left').
5.) Halt.          (Quits the program).
6.) Main.          (The main program).
</pre>
<p class="p9">Using these procedures, the pseudo asm code of a Time Trial protection would be something like this:</p>
<pre class="p9">
Call GetSystemTime.
Call Installed.
if (GetSystemTime - Installed) is greater than 30 days then
    Call Expired,
    Jmp Halt.
otherwise
    Call DaysLeft,
    Jmp Main.
</pre>
<p class="p9">This would look something like this in real terms:</p>
<pre class="p9">
Call 041829B0    (GetSystemTime)
Call 0492832C    (Installed)
Cmp  Ax,Bx       (if statement)
JL   04927435    (Jump or No Jump, depending on the values of ax and bx)
Call 04348234    (Expired)
Jmp  0432833C    (Halt)
---JL Address---
Call 04583BC0    (DaysLeft Message)
Jmp  042392BC    (Main Program)
</pre>
<p class="p9">If you look at the above code you will see that the way the program runs depends on the values of ax and bx before the JL instruction. The problem is that in a large disassembly it is often difficult to find the right place to patch, because there are so many cmp/jl or cmp/jne occurrences. So how do we go about finding the correct location?</p>
<p class="p9"><b>Finding the right location.</b></p>
<p class="p9">Using the above code we can generate two possible program flows. When you are still in the 30 day trial period, the call flow would look like this:</p>
<pre class="p9">
GetSystemTime
Installed
Cmp ax,bx
JL (Jump)
DaysLeft
Main.
</pre>
<p class="p9">When the trial period has expired, the call flow would look like this:</p>
<pre class="p9">
GetSystemTime
Installed
Cmp ax,bx
JL (No Jump)
Expired
Halt.
</pre>
<p class="p9">Comparing these two listings, we can see that everything up to the JL instruction is the same; the only difference is that the first listing jumps and the second doesn't. The JL outcome depends on the values of ax and bx. To crack a time trial, all we have to do is either change the values of ax and bx (the correct way) so that you always have a trial period, or change the JL to a Jmp and force the program to use the path of the first call flow.</p>
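<p class="p9">The comparison of the two listings can be done mechanically: the point where two instruction traces stop agreeing is the decision the essay is describing. The following Python is an added example and not part of Mushy's essay; it parses two constructed logs in an assumed SoftIce-like "selector:offset  instruction" layout (the offsets are invented, the call targets are taken from the listing above) and reports the last instruction both runs executed, which in this model is the JL, together with a check that it really is a conditional jump.</p>

```python
import re
from typing import List, NamedTuple, Optional

class Step(NamedTuple):
    addr: int   # instruction offset
    text: str   # mnemonic and operands, lower-cased

# One executed instruction per line: optional "sel:" selector, 8 hex-digit offset,
# then the instruction; other lines are skipped. Log layout is an assumption here.
LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{4}:)?([0-9A-Fa-f]{8})\s+(.+?)\s*$")

def parse_trace(log: str) -> List[Step]:
    steps = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            steps.append(Step(int(m.group(1), 16), m.group(2).lower()))
    return steps

def common_prefix_len(a: List[Step], b: List[Step]) -> int:
    """Number of leading instructions the two traces share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def decision_point(a: List[Step], b: List[Step]) -> Optional[Step]:
    """Last instruction both traces executed before they diverge, or None
    when they share nothing or never diverge."""
    n = common_prefix_len(a, b)
    if n == 0 or (n == len(a) and n == len(b)):
        return None
    return a[n - 1]

def is_conditional_jump(step: Step) -> bool:
    """True for jcc mnemonics such as jl or jne; false for jmp, call, ..."""
    mnem = step.text.split()[0]
    return mnem.startswith("j") and mnem != "jmp"
# Constructed sample logs mirroring the essay's listing (offsets invented).
PREFIX = """BPX due to KERNEL32!GetSystemTime
0137:00401000  call 041829B0
0137:00401005  call 0492832C
0137:0040100A  cmp ax,bx
0137:0040100D  jl 04927435
"""
TRIAL_LOG = PREFIX + "0137:04927435  call 04583BC0\n0137:0492743A  jmp 042392BC"
EXPIRED_LOG = PREFIX + "0137:0040100F  call 04348234\n0137:00401014  jmp 0432833C"
```

The same prefix comparison is what an analyst does when a sample is run under two different system dates to see where date-dependent behaviour branches.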
<p class="p9"><b>Ok, I understand the principle. Now show me how to do it.</b></p>
<p class="p9">The tools we need:</p>
<pre class="p9">
SoftIce v3.23 installed with the Symbol Loader.
A hex editor.
(No disassembler is needed)
</pre>
<p class="p9">Firstly, load up the symbol loader that is installed with SoftIce. You can find it in the folder on the taskbar. Go to the File menu in the symbol loader and click on 'Open Module'. Then find and click on the executable file / program that you wish to crack. Once this has been done, go to the Module menu and click on 'Load Module'. Normally, this will greet you with an error message telling you that an error has occurred during symbol translation. Just click on 'Yes' to continue loading the exe file. SoftIce will now break due to the symbol loader, which can be confirmed by looking in the information window. You will also see a lot of lines in the code window that look like this:</p>
<pre class="p9">
FFFF INVALID
FFFF INVALID
FFFF INVALID
FFFF INVALID
FFFF INVALID
etc.
</pre>
<p class="p9">Ignore this, it is not an error. It is just displaying an area of memory that SoftIce can't determine yet. At this moment we are just going to set up SoftIce so that it displays what we want in the command window. (Remember that everything in the command window is logged.)</p>
<p class="p9"><b>Step 1 : Close the code window.</b></p>
<p class="p9">Start by typing 'wc' in SoftIce. This command toggles the code window. We do NOT want the code window to display, so make sure that this window is closed. You can also close this window with the mouse: click on the top edge of the window you want to close and drag it upwards as far as it will go. This will make the window disappear.</p>
<p class="p9"><b>Step 2 : Set a breakpoint on GetSystemTime.</b></p>
<p class="p9">We now need to set a breakpoint on GetSystemTime (one of the many API functions used to return the current date and time). You can set the breakpoint by typing 'BPX GetSystemTime' in the command window now. By the way, GetSystemTime is just the address of the function. If you knew the address of the function, you could also have typed 'BPX 004283CD' etc. This means that you can also add an offset to a BPX, for example 'BPX GetSystemTime + 4'. This will break at an offset of 4 from the start of the function.</p>
<p class="p9"><b>Step 3 : Continue loading the program.</b></p>
<p class="p9">Now that you have set the breakpoint in SoftIce (BPX GetSystemTime), it is time to let the program continue to load and run. All you have to do is press CTRL and D together. As the program continues to load and run, eventually it will execute the function 'GetSystemTime'. When this happens, SoftIce will pop up and pause the program at the beginning of the function. You will see the text 'BPX due to KERNEL32!GetSystemTime' appear in the command window. We are now in the correct place to start logging.</p>
<p class="p9"><b>Step 4 : Step out of the Function.</b></p>
<p class="p9">Now that you are placed at the beginning of the function 'GetSystemTime', we need to step past it, so that we are at the next asm instruction directly after the whole function has executed. (Note: the function 'GetSystemTime' is part of Kernel32.dll, found in the Windows system directory.) This function will always run the same set of instructions regardless of the computer's state, therefore we do not need to log the instructions of this function. To step to the very next asm instruction after the function, all you need to do is press F11 (function key 11) once. It is at this point that things start to get interesting.</p>
<p class="p9"><b>Step 5 : Log all commands, up until the nag screen.</b></p>
<p class="p9">It's now time to log everything. All you have to do is step through the code by pressing F10 (function key 10) until the nag screen that displays 'You have % days left' appears. You can hold down F10 until the screen pops up. You will notice that all the lines of executed code are displayed in the command window. All of this information is being logged in the SoftIce buffer.</p>
<p class="p9"><b>Step 6 : Save the log file.</b></p>
<p class="p9">When the nag screen appears, it is time to save the first log file. You do this by clicking on the SoftIce symbol loader that should still be loaded. It may be minimised at the bottom of your screen. If so, then just maximise it and go to the File menu and click on</p>