CODE:0048B8AB lea eax, [ebp+var_4]
CODE:0048B8AE mov edx, 3
CODE:0048B8B3 call sub_404474
CODE:0048B8B8 mov edx, [ebp+var_4]
CODE:0048B8BB mov eax, ebx
CODE:0048B8BD call @Controls@TControl@SetText$qqrx17System@AnsiString
CODE:0048B8C2 lea eax, [ebp+var_C]
CODE:0048B8C5 call sub_475338
CODE:0048B8CA lea eax, [ebp+var_C]
CODE:0048B8CD mov edx, offset _str_System32_mssqlc.Text
CODE:0048B8D2 call @System@@LStrCat$qqrv
CODE:0048B8D7 mov eax, [ebp+var_C]
CODE:0048B8DA call sub_48B7D0
CODE:0048B8DF cmp al, 1
CODE:0048B8E1 jnz short loc_48B8F2
CODE:0048B8E3 xor edx, edx
CODE:0048B8E5 mov eax, [ebx+314h]
CODE:0048B8EB mov ecx, [eax]
CODE:0048B8ED call dword ptr [ecx+64h]
CODE:0048B8F0 jmp short loc_48B90D
OK, patch it to EB. Time trial removed.
To stop the Try Now! button counter
Continue by searching for the string Try Now. We arrive here:
CODE:0048B784 _str Try_Now dd 0FFFFFFFFh ; _top ; DATA XREF: sub_48B6D4+18o
Similarly, we double-click on the cross-reference:
CODE:0048B6D4 ; =============== S U B R O U T I N E =======================================
CODE:0048B6D4
CODE:0048B6D4 ; Attributes: bp-based frame
CODE:0048B6D4
CODE:0048B6D4 sub_48B6D4 proc near ; DATA XREF: CODE:0048B5C0o
CODE:0048B6D4
CODE:0048B6D4 var_8 = dword ptr -8
CODE:0048B6D4 var_4 = dword ptr -4
CODE:0048B6D4
CODE:0048B6D4 push ebp
CODE:0048B6D5 mov ebp, esp
CODE:0048B6D7 push 0
CODE:0048B6D9 push 0
CODE:0048B6DB push ebx
CODE:0048B6DC mov ebx, eax
CODE:0048B6DE xor eax, eax
CODE:0048B6E0 push ebp
CODE:0048B6E1 push offset loc_48B775
CODE:0048B6E6 push dword ptr fs:[eax]
CODE:0048B6E9 mov fs:[eax], esp
CODE:0048B6EC push offset _str Try_Now .Text
CODE:0048B6F1 lea edx, [ebp+var_8]
CODE:0048B6F4 mov eax, ds:dword_4941D0
CODE:0048B6F9 call sub_4084B8
CODE:0048B6FE push [ebp+var_8]
CODE:0048B701 push offset _str .Text
CODE:0048B706 lea eax, [ebp+var_4]
CODE:0048B709 mov edx, 3
CODE:0048B70E call sub_404474
CODE:0048B713 mov edx, [ebp+var_4]
CODE:0048B716 mov eax, [ebx+314h]
CODE:0048B71C call @Controls@TControl@SetText$qqrx17System@AnsiString
CODE:0048B721 dec ds:dword_4941D0
CODE:0048B727 cmp ds:dword_4941D0, 0FFFFFFFFh
CODE:0048B72E jnz short loc_48B75A
CODE:0048B730 mov edx, offset _str Try_Now.Text
CODE:0048B735 mov eax, [ebx+314h]
CODE:0048B73B call @Controls@TControl@SetText$qqrx17System@AnsiString
CODE:0048B740 mov dl, 1
CODE:0048B742 mov eax, [ebx+314h]
CODE:0048B748 mov ecx, [eax]
CODE:0048B74A call dword ptr [ecx+64h]
CODE:0048B74D xor edx, edx
CODE:0048B74F mov eax, [ebx+320h]
CODE:0048B755 call unknown_libname_166 ; Borland Visual Component Library & Packages
CODE:0048B75A
CODE:0048B75A loc_48B75A: ; CODE XREF: sub_48B6D4+5Aj
CODE:0048B75A xor eax, eax
CODE:0048B75C pop edx
CODE:0048B75D pop ecx
CODE:0048B75E pop ecx
CODE:0048B75F mov fs:[eax], edx
CODE:0048B762 push offset loc_48B77C
CODE:0048B767
CODE:0048B767 loc_48B767: ; CODE XREF: sub_48B6D4+A6j
CODE:0048B767 lea eax, [ebp+var_8]
CODE:0048B76A mov edx, 2
CODE:0048B76F call @System@@LStrArrayClr$qqrv
CODE:0048B774 retn
CODE:0048B775 ; -
CODE:0048B775
CODE:0048B775 loc_48B775: ; DATA XREF: sub_48B6D4+Do
CODE:0048B775 jmp @System@@HandleFinally$qqrv
CODE:0048B77A ; -
CODE:0048B77A jmp short loc_48B767
CODE:0048B77C ; -
CODE:0048B77C
CODE:0048B77C loc_48B77C: ; DATA XREF: sub_48B6D4+8Eo
CODE:0048B77C pop ebx
CODE:0048B77D pop ecx
CODE:0048B77E pop ecx
CODE:0048B77F pop ebp
CODE:0048B780 retn
CODE:0048B780 sub_48B6D4 endp ; sp = -0Ch
CODE:0048B780
CODE:0048B780 ; -
CODE:0048B781 align 4
CODE:0048B784 _str Try_Now dd 0FFFFFFFFh ; _top ; DATA XREF: sub_48B6D4+18o
CODE:0048B784 dd 10 ; Len
CODE:0048B784 db '&Try Now [',0 ; Text
CODE:0048B797 align 4
CODE:0048B798 _str dd 0FFFFFFFFh ; _top ; DATA XREF: sub_48B6D4+2Do
CODE:0048B798 dd 1 ; Len
CODE:0048B798 db ']',0 ; Text
CODE:0048B7A2 align 4
CODE:0048B7A4 _str Try_Now dd 0FFFFFFFFh ; _top ; DATA XREF: sub_48B6D4+5Co
CODE:0048B7A4 dd 8 ; Len
CODE:0048B7A4 db '&Try Now',0 ; Text
CODE:0048B7B5 align 4
CODE:0048B7B8
NOP out CODE:0048B72E jnz short loc_48B75A, changing it to 90 90. OK, counter removed.
The above is a small example of cracking with IDA. I hope that after this tut you will come to like IDA. A truly superb tool. The End…
PS: I do not know what cracker groups around the world usually use for disassembly, but the French cracker groups all use IDA to rip code and write keygens. And the tool they use is TMG Ripper Studio v 1.x.x
GrEeTs Fly Out: Deux, INFINITE, Computer_Angel, Zombie, NVH(c), softcracker_vn, luucorp, Aaron, Canterwood, hhphong, R@dier, tlandn, RCA, CTL, Moonbaby, kienmanowar, benina, TQN, the_lighthouse, Nini, hoadongnoi, hosiminh, Nilrem, Teerayoot, Ferrari, Kruger, Kelvin, Devilz, anh_surprised and you!
Special Thanx Cracks Latinos
Thanks to FFF, RiF, N-Gen (closed), ICI-TEAM for helping me with Game Cracking knowledge
Thanx to author of OllyDBG
To be continued
Written by hacnho (tutorial date: Sai Gon 15/08/2005)
IDA Plugin : FindCrypt
When analyzing a program, we usually want to know whether it uses any particular algorithm. Information about the algorithms a program uses is sometimes very useful while reversing it. I found an IDA plugin that lets us do exactly this. According to its author, the plugin can recognize the following crypto:
Quote:
* Blowfish
* Camellia
* CAST
* CAST256
* CRC32
* DES
* GOST
* HAVAL
* MARS
* MD2
* MD4
* MD5
* PKCS_MD2 (byte sequence used in PKCS envelope)
* PKCS_MD5 (byte sequence used in PKCS envelope)
* PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
* PKCS_SHA256 (byte sequence used in PKCS envelope)
* PKCS_SHA384 (byte sequence used in PKCS envelope)
* PKCS_SHA512 (byte sequence used in PKCS envelope)
* PKCS_Tiger (byte sequence used in PKCS envelope)
* RawDES
* RC2
* RC5
* RC6
* Rijndael
* SAFER
* SHA-1
* SHA-256
* SHA-512
* SHARK
* SKIPJACK
* Square
* Tiger
* Twofish
* WAKE
* Whirlpool
* zlib
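Plugins of this kind work by searching the loaded image for constants an implementation has to carry: lookup tables, round constants, initial state words. The Python sketch below is an added example, not FindCrypt's own code; the signature table, the function names and the sample image are constructed for illustration and cover only four of the algorithms listed above.

```python
# Added illustration, not FindCrypt's code: names and sample data are constructed.
import struct

# name -> (kind, 32-bit words).
# "table":  the words must appear contiguously (lookup/round-constant tables in data).
# "sparse": one distinctive word is enough, because compilers usually emit such
#           constants as instruction immediates, not as an array.
SIGNATURES = {
    "CRC32":   ("table",  [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA]),
    "SHA-256": ("table",  [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5]),
    "MD5":     ("sparse", [0xD76AA478]),  # first sine-table constant
    "SHA-1":   ("sparse", [0xC3D2E1F0]),  # h4; h0..h3 are shared with MD5
}


def find_crypto_constants(image: bytes, base: int = 0):
    """Return sorted (address, algorithm, kind) tuples for every signature hit."""
    hits = set()
    for name, (kind, words) in SIGNATURES.items():
        for endian in ("<", ">"):  # x86 stores little-endian; also try big-endian
            needle = struct.pack(f"{endian}{len(words)}I", *words)
            pos = image.find(needle)
            while pos != -1:
                hits.add((base + pos, name, kind))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image: NOP filler, one instruction with a SHA-1 immediate, a CRC32 table."""
    code = b"\x90" * 16 + bytes.fromhex("C74010F0E1D2C3")  # mov dword ptr [eax+10h], 0C3D2E1F0h
    table = struct.pack("<4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA)
    return code + b"\xCC" * 9 + table


if __name__ == "__main__":
    for addr, name, kind in find_crypto_constants(build_sample(), base=0x401000):
        print(f"{addr:08X}  {name:<8} ({kind} constant)")
```

A hit is a lead rather than proof: a single matching word can occur by chance, so each address still has to be confirmed by following its cross-references in the disassembly.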
Using the plugin is very simple: just copy the plw file into IDA's Plugin folder,