
Preface

This book, titled "Cracker Guide", is published for hobbyists who are not yet familiar with cracking (reverse engineering). Cracking is only one branch of reverse engineering, and because that field is extremely deep and broad, there are a great many topics to study. For that reason this book gives priority to explaining only the basic points that someone beginning to study cracking ought to know. Please understand that some advanced sections have had to be left out.
Cracking is not yet popular in our country, because even the craft of programming itself is not widespread here. Few people have studied cracking, partly because it is the reverse of programming and a difficult discipline that can only be learned once you understand how programs are written, partly because people pursue only those computer subjects that lead easily to a job, and partly because pirated versions of software can be bought cheaply and easily.
If you look at today's IT world, you will see software appearing in abundance. Likewise, a great many software users rely far too heavily on the vendors. Because the vendors themselves cannot inspect every line their programmers (developers) write, because of dishonesty on the part of some programmers, and because of people who insert malicious code, it has become hard to trust the programs on the market. We therefore need to examine and audit program code ourselves. At the same time we stand between two extremes: whether cracking should simply be ignored, and the need to respect copyright. Be that as it may, it cannot be denied that cracking is of great benefit to both software authors and users.
The benefits of cracking are: (1) being able to find malicious code; (2) being able to find unexpected defects and bugs; (3) being able to study other people's code; (4) being able to discover strengths in a program that its own authors have not yet noticed. What I want to say here is that to study cracking, the reader must already be familiar with C or Assembly, or else be proficient in some other programming language.
A further suggestion: if you want to see the screenshots and images clearly, copy them from Acrobat Reader into Microsoft Paint and view them there, and when reading the text use Acrobat Reader's 125% view or higher. Only then will the images be clear and the text sharp. To read this book you need Acrobat Reader version 8.0 or later.
This book is published in continually changing versions. As the version number rises, errors become fewer and the additions and the number of chapters grow. For example, Version 1.0 had only 12 chapters, while the current Version 2.0 has been expanded to 24. Additions have also been inserted into some existing chapters, so please take note and re-read them. For instance, Version 1.2 added a new discussion of the Fish packer to "Chapter (13) - Packers (Protectors)", and in the current version the Teleport Pro section has been rewritten.
To be completely honest, the author himself is only slightly beyond the beginner level where cracking is concerned, so this book is merely a Beginner-to-Beginner Guide; if you find mistakes, please forgive them ...

October 4, 2009. Myo Myint Htike

Suggestions and questions can be sent to myomyinthtike@gmail.com.


The copy of "Cracker Guide" now in the reader's hands is only a Trial Version.
Contents
                                                                        Page
Preface                                                                    3
Chapter (1)  Things crackers should know                                   5
Chapter (2)  Basic C language                                              8
Chapter (3)  Basic Assembly language                                      26
Chapter (4)  Software protection                                          50
Chapter (5)  Tools a cracker needs                                        57
Chapter (6)  Introduction to Olly Debugger                                63
Chapter (7)  Introduction to IDA Pro Advanced 5.2                         71
Chapter (8)  PE Header                                                    86
Chapter (9)  The Teleport Pro 1.54 program and a first crack             120
Chapter (10) Patching (Beginner/Intermediate/Advanced)                   134
Chapter (11) Windows APIs crackers should watch for                      155
Chapter (12) Cracking using a program's resources                        167
Chapter (13) Packers (Protectors)                                        174
Chapter (14) IAT and API redirection                                     198
Chapter (15) Cracking programs written in Visual Basic                   220
Chapter (16) Cracking programs written in Delphi                         243
Chapter (17) Cracking programs written in Java                           251
Chapter (18) Cracking programs written in Visual .NET                    266
Chapter (19) Cracking mobile phone applications                          295
Chapter (20) Loader theory and creating patch files                      301
Chapter (21) Studying crypto code                                        309
Chapter (22) Studying polymorphic code                                   332
Chapter (23) Removing online checks of registration numbers              349
Chapter (24) Studying Themida                                            372
Cracking terminology                                                     399
Cracking-related websites                                                407
References                                                               410
Chapter (1) - Things crackers should know - 5 -

Chapter (1) - Things crackers should know


The first thing I want to explain in this "Cracker Guide" is what kind of people we who call ourselves crackers are, and why we do the work of cracking. The tasks of a true cracker are to study how programs work and what the most common kinds of protection are, and to think through and decide how the code ought to be written. Sometimes people crack because they want to become famous, and sometimes because they want to try out new software. What I want to say in passing here is that cracking a program, or using a cracked program, is a crime and amounts to breaking the law. (In some low-income countries, Myanmar included, nearly one hundred percent of users are still running cracked programs illegally.) So whether because you like the software or because you have spare money, you should buy what you use. Otherwise, use only trial versions.
Cracker wpfa,muf&JU t"duvkyfief;wm0efuawmh taMumif;t&mtopfawGudk avhvmvdkpdwf tjrJ
jzpfzdkUeJU tjcm;olawG&JUtvkyfudk tav;xm;zdkUyJjzpfygw,f/ bmaMumifh tav;xm;cdkif;&ovJqdk&if y&dk*&rfrm
awG[mvnf; vlom;awGyJ jzpfMuygw,f/ (qdkvdkwmu oifhtaeeJU y&dk*&rfrmawG&JU MudK;pm;tm;xkwfrIawG
uae tjrwfrxkwfcsifygeJU/)
The crackers of the criminal world, who are not true crackers, do the same work that ordinary crackers do, but they have no ethics and no goals. They only know how to steal software and sell it for their own profit. Such people are not called crackers. So being able to crack a piece of software does not by itself make someone a cracker.
The difference between crackers and developers (programmers) is that developers keep their code as secret as they can and underestimate the abilities of crackers. Crackers are not like this. They distribute the new techniques they discover for free in forums and discuss them, and when a cracker manages to crack software that is very hard to crack, all he wants in return is the admiration and respect of other crackers. That is why the cracking community is growing so rapidly and so widely.
As for why people crack software: through cracking you come to know in detail how programs work, how a computer works, the internals of the processor, and how people think. Even if you later leave the cracking world for whatever reason, compare what you knew before with what you know now; you will notice an enormous difference. The public view is that cracking is illegal. That view is mistaken. If it is merely studying how a program was written, if you do not attempt to distribute the cracked software (including distributing it for free), and if you do not use the cracked software, it does not constitute a crime and there is no conflict with the law. (Note: at the time this book was written, those who distribute, sell and use cracked software in Myanmar were not yet in conflict with the law.)
To become a good cracker, you need to understand the following basic rules.
(1) You will not be able to crack every piece of software. Keep this in mind. You are not a genius, and knowing everything is impossible.
(2) Every piece of software can be cracked. Sooner or later every piece of software becomes crackable. For example, when ASProtect 1.3 first appeared, people thought it could not be cracked. A year or two later, even novice hobbyists could crack it easily. (The Word to PDF Converter 3.0 software is protected with ASProtect 1.3.)
(3) Share your experience and knowledge. If you discover a special trick, tell others. Write tutorials, articles and crackmes. Do as much as you can to help the next generation of crackers.
(4) Read plenty of cracking tutorials. As rule (1) says, we are not the best. But other people know things we do not, and we know things they do not. So keep reading tutorials continuously.
(5) Study code. If you know how a complex program works and how it was written, cracking it becomes easier.

(6) Do not rely too much on the tools everybody else uses. It is better if you can switch tools, because then the programmers who write shareware cannot all target your tool with their anti-debugging tricks. Find a tool and study it. Master it. Become a tool yourself.
(7) Get in touch with cracking groups. Join one, even as a temporary member. They will help you, and you may be able to help others too. In the end you will come to know the protections you are studying well.
(8) Always stay up to date. This point is very important. You must use the latest tools and study the latest developments. Keep a list of shareware authors in your e-mail and stay in contact with them. Study their techniques. Try to become almost like one of them.
(9) Research on your own. Discover new findings and tricks by yourself. Try to solve problems yourself before reaching for books. When you find something new, do not forget to teach others. Self-study is best.
(10) Do not abuse software authors' programs. They have worked hard to make their software exist and succeed. Do not abuse cracks, keygens or serials written by others either; that is unfair and inappropriate.
(11) Write lots of code. Read a lot. Crack a lot. Write lots of tutorials. You will become a good cracker.
When you first start studying cracking, it is absolutely impossible without programming experience. A great deal of software is written in Visual C++, Borland Delphi and .NET. (That does not mean you must be proficient in those languages just because the software was written in them.) The two languages that help most in making cracking easy to understand are C and Assembly. Since C is easier than Assembly, study C first; depending on your aptitude it will take at least 21 days. Only then should you try to crack. The other language is Assembly. When Assembly is mentioned, many people picture the assemblers of the 16-bit era; the Assembly you need to study is 32-bit Assembly.
The basis of cracking is studying compiled binary code, that is, machine code. In the early days of computing, programs were written entirely by hand; there were no compilers. The process was very laborious and very error-prone. That is why the compiler was invented, to translate a human-readable language into the machine's language. Today programs are compiled or assembled. If you dump such code as raw binary, you will see something like the following:
100100100101010010101010010100001100111001
Binary is base two and is built on 0 and 1. Since that representation is hard to read, the base-16 hexadecimal system is used instead. Hexadecimal has the digits 0 through 9 and A (10) through F (15). Some HEX code is shown below, with the same bytes in binary:
81 7D 0C 10 01 00 00 (HEX)
10000001 01111101 00001100 00010000 00000001 00000000 00000000 (BIN)
HEX is used everywhere, because the opcodes behind the mnemonics of Intel CPUs are written in HEX:
JNZ 00002A ; here the opcode for the JNZ mnemonic is 75h (117 decimal)
PUSH 0C8   ; here the opcode for the PUSH mnemonic is 68h (104 decimal)
For the details of Assembly language, read the "Basic Assembly language" lesson.
Today the best-known and most widely used operating systems are the Microsoft Windows platforms: Windows 98, Windows NT, Windows 2003, Windows XP, Windows Vista, Windows 7 and so on. All of these OSes fundamentally share the Win32 API (Application Programming Interface). (In the DOS era, interrupts had to be used to talk to the computer's hardware.) Thousands of API functions ship with Windows as DLL (Dynamic Link Library) files, for example kernel32.dll and GDI32.dll. If you are going to crack, you must understand these .dll files and API functions.
If you come from the Unix/Linux world, you will have noticed that executables there use the ELF format. Windows uses the PE format. The file types that use PE are .exe, .dll, .ocx, .sys, .cpl and .scr files. If you are going to crack, you must know these files inside out.
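The first thing a cracker does with a PE file is exactly what PEiD or CFF Explorer do on load: follow the DOS header to the "PE\0\0" signature and read the COFF file header to learn what kind of image it is. The following is an added example, not code from the book: a minimal PE sniffer in C that classifies an image as EXE or DLL and reports the machine type and whether it is PE32 or PE32+. The sample buffers it parses are constructed in make_sample() for this example and are not real executables; every read is bounds-checked because a hostile file can point e_lfanew far outside the file.

```c
/* Added example (not from the original book): minimal PE header sniffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pe_kind { PE_NOT_PE = 0, PE_TRUNCATED, PE_EXE, PE_DLL };

struct pe_info {
    enum pe_kind kind;
    uint16_t machine;          /* 0x014c = i386, 0x8664 = x86-64 */
    uint16_t num_sections;
    uint16_t opt_magic;        /* 0x10b = PE32, 0x20b = PE32+ */
    uint16_t characteristics;
};

/* PE fields are little-endian; read them byte by byte so this runs anywhere. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first `len` bytes of a file. kind reports success or the failure reason. */
struct pe_info pe_classify(const unsigned char *buf, size_t len)
{
    struct pe_info info;
    memset(&info, 0, sizeof info);

    /* IMAGE_DOS_HEADER is 64 bytes: e_magic "MZ" at 0, e_lfanew at 0x3C. */
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') { info.kind = PE_NOT_PE; return info; }
    uint32_t e_lfanew = rd32(buf + 0x3C);

    /* Need signature (4) + IMAGE_FILE_HEADER (20) + optional-header Magic (2) inside the file. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) { info.kind = PE_TRUNCATED; return info; }
    const unsigned char *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) { info.kind = PE_NOT_PE; return info; }

    const unsigned char *fh = nt + 4;          /* IMAGE_FILE_HEADER */
    info.machine         = rd16(fh + 0);
    info.num_sections    = rd16(fh + 2);
    uint16_t opt_size    = rd16(fh + 16);      /* SizeOfOptionalHeader */
    info.characteristics = rd16(fh + 18);
    if (opt_size < 2) { info.kind = PE_TRUNCATED; return info; }
    info.opt_magic       = rd16(fh + 20);      /* OptionalHeader.Magic */

    if (!(info.characteristics & 0x0002)) { info.kind = PE_NOT_PE; return info; } /* not IMAGE_FILE_EXECUTABLE_IMAGE */
    info.kind = (info.characteristics & 0x2000) ? PE_DLL : PE_EXE;             /* IMAGE_FILE_DLL */
    return info;
}

/* Constructed header-only image for this example (not a real file): DOS header with
 * e_lfanew = 0x40, then "PE\0\0", IMAGE_FILE_HEADER and the optional header's Magic. */
size_t make_sample(unsigned char *out, uint16_t machine, uint16_t chars, uint16_t magic)
{
    memset(out, 0, 0x60);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                                         /* e_lfanew (little-endian) */
    memcpy(out + 0x40, "PE\0\0", 4);
    unsigned char *fh = out + 0x44;
    fh[0] = (unsigned char)(machine & 0xff); fh[1] = (unsigned char)(machine >> 8);
    fh[2] = 3;                                                /* NumberOfSections = 3 */
    fh[16] = 0xE0;                                            /* SizeOfOptionalHeader */
    fh[18] = (unsigned char)(chars & 0xff);  fh[19] = (unsigned char)(chars >> 8);
    fh[20] = (unsigned char)(magic & 0xff);  fh[21] = (unsigned char)(magic >> 8);
    return 0x44 + 22;
}

/* Helper for checks: build a sample and return its classification. use_len overrides the
 * length handed to the parser (0 = whole sample); bad_lfanew points e_lfanew past the end. */
int classify_sample(uint16_t chars, size_t use_len, int bad_lfanew)
{
    unsigned char img[0x60];
    size_t n = make_sample(img, 0x014c, chars, 0x10b);
    if (bad_lfanew) memset(img + 0x3C, 0xFF, 4);
    return (int)pe_classify(img, use_len ? use_len : n).kind;
}

int main(void)
{
    unsigned char img[0x60];
    size_t n = make_sample(img, 0x8664, 0x2022, 0x20b);       /* 64-bit DLL */
    struct pe_info pi = pe_classify(img, n);
    printf("kind=%d machine=%04x sections=%u magic=%03x\n",
           pi.kind, pi.machine, pi.num_sections, pi.opt_magic);
    return 0;
}
```

Two of the checks matter in practice: an object file (no IMAGE_FILE_EXECUTABLE_IMAGE bit) is rejected even though it has a valid COFF header, and a crafted e_lfanew that points outside the file is reported as truncated rather than read out of bounds.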
For novice crackers, the interesting subject is protected shareware. Advanced crackers are interested in packing and unpacking PE files, adding or modifying functions in those files, stealing code, and writing cracking tools. So novices mainly remove the nag screens that ship with shareware, find serials, and register the software. Studying where and how a program is protected and then using the registered (cracked) version is, for them, the greatest achievement. Before any of this, every cracker needs at least one tool to crack the protected software: a debugger, a decompiler or a disassembler.
The main purpose of a debugger is to pause a running program wherever you choose and let you modify the code there. When you debug a program, an enormous amount of code scrolls past, and we do not have time to study every line of it, so we use a debugger to stop at the places we need. The most widely used debuggers and disassemblers are Olly, IDA Pro and W32dasm. Olly is free and has a great many users, which is why most lessons by advanced crackers use Olly as their example.
When you set out to crack a program, the first thing to find out is which language it was written in. For this you need tools such as PEiD or CFF Explorer; use them to identify the language of the software before you start. If it is written in Visual Basic, VB Decompiler is more appropriate than Olly. Likewise, if it is written in .NET, .NET Reflector is easier and more suitable. For the remaining languages you can debug with Olly. (If the program is packed, you must unpack it first and only then crack it.)
If you ask how to crack, the only answer is that there are many ways. Finding the best solution for each different problem is up to the cracker.
To become an outstanding cracker you must spend a lot of time on the Internet. Download new tools and new tutorials. Join many forums; discuss and ask questions. Try cracking new software. Read other people's tutorials until you understand them. Study already-cracked files. Write tutorials yourself.
Chapter (2) - Basic C language - 8 -

Chapter (2) - Basic C language


Since a good cracker must be proficient in some programming language, this chapter explains the C programming language. You may ask why another language was not chosen: wouldn't C++ be better, wouldn't Visual C++ be more complete? The answer is that C is the most fundamental and the simplest. C++ merely dresses C up; the most basic operations are still done by C. Visual C++ is built around Windows, so its code is unnecessarily long and would only confuse someone starting out in cracking. The points on which C stands above other languages are its complete set of operators, its full set of system-related functions, its simplicity, its ability to express the essence of programming, and its usefulness as a stepping stone to Visual C++. This lesson will not cover C's history and origins; it explains only how to write programs in C. Nor will it discuss how to build commercial software in C; it covers only those parts of C that help with cracking. The graphics section has therefore been left out. (Note: the graphics library is a 16-bit, DOS-based system that nobody uses any more.) The structure section has also been omitted as not being very useful for cracking. (Note: in C++, structures have been superseded by classes, which carry far more advanced features.) If C interests you and you want to go further, I urge you to read Ivor Horton's "Beginning C - From Novice to Professional". Whatever subject you study, read many books if you want to know it in detail, because authors differ in how they explain things and how they think.
A special warning: the classic DOS-based C compilers produce programs that drive the processor at one hundred percent, and those programs no longer run well on the Windows versions released after Windows 98. So for writing programs we will not use Turbo C 2.0 (the DOS version) but Borland C++ 5.02 (the Windows version). I warn you in advance because, since we write in Borland C++ 5.02, you might think we are writing C++; we will write purely in the C language. So do not forget to install Borland C++ 5.02 first. Then open Start menu > All Programs > Borland C++ 5.02 > Borland C++, and you can start writing programs.
(1) The first C program
Type the code into the C++ compiler exactly as shown in Figure (1). This program text is called source code.

Figure (1) - screenshot of the first program's source code (image not reproduced; reconstructed from the explanation that follows):

    #include <stdio.h>
    #include <conio.h>

    int main()
    {
        printf("Welcome to Cracking World");
        getch();
        return 0;
    }

Pressing Ctrl + F9 (Run) makes the compiler turn the source code we wrote into an .exe. (Strictly, the compiler translates the source code into assembly code, the assembler turns that into object code, and the linker produces the .exe.)

Figure (2) - program output (image not reproduced)
Running the code from Figure (1) gives the result in Figure (2). This little program does nothing really useful; it just displays the text "Welcome to Cracking World" on the screen. Good, let's look in detail at how it works.
(1) include on the first line is a preprocessor directive. It tells the compiler that the header files we use are kept in the folder named include under C:\BC5\. <stdio.h> says we will use the header file named stdio from that include folder. (If you write "stdio.h" instead of <stdio.h>, the header is looked for first in the same folder the compiler is working in.) stdio stands for STandarD Input/Output. The names of these headers are meaningful: the header tells the compiler in advance that data will be read in and written out, without yet saying exactly what. conio stands for CONsole Input/Output; conio and stdio are similar in concept, the small difference being that conio can also display text in colours. (conio.h is a Borland/DOS extension, not part of standard C, so code that uses it does not build unchanged with other compilers.)
(2) int main() is the main place where program code is written; the code you want to run goes inside the { } of this main() function. printf() is a function that displays the text or data you want to show on the screen. To use printf(), stdio.h must be included.
(3) getch() is short for "GET CHaracter". It accepts one character typed on the keyboard, without echoing it to the screen. The reason for using it is that the program would end immediately after printf(), so we use getch() to pause. When you press any key, getch() returns. To use getch(), conio.h must be included.
(4) return belongs to the main() function. It reports back that the program ran successfully: return 0 hands an exit code of zero, meaning success, to the operating system.
(2) The second C program

    #include <stdio.h> /* 2nd C Program */
    #include <conio.h>

    /* print Fahrenheit-Celsius table for fahr = 0, 20, ..., 300 */
    int main()
    {
        int fahr, celsius;
        int lower, upper, step;

        lower = 0;    /* lower limit of temperature scale */
        upper = 300;  /* upper limit */
        step = 20;    /* step size */

        fahr = lower;
        while (fahr <= upper) {
            celsius = 5 * (fahr - 32) / 9;
            printf("%d\t%d\n", fahr, celsius);
            fahr = fahr + step;
        }
        getch();
        return 0;
    }

Figure (3)

Figure (3) shows the program that computes Celsius values from Fahrenheit using a formula, together with its output. The values on the left (0, 20, 40, 60, ...) are Fahrenheit and the values on the right (-17, -6, 4, 15, ...) are Celsius. Let's look in detail at how the program works.
(1) The /* ... */ notation is a comment. Comments are for annotating things about the program; with them it is easy to understand what the program is for and how it was written. A comment always starts with /* and ends with */. C++ (and C99) also allow // for a comment that runs to the end of the line.
(2) int means integer (whole number). We use int when we do not want the result to come out with a fractional part. fahr, celsius, lower, upper and step are called identifiers. (See the Identifier heading below.)
(3) lower = 0; sets the first Fahrenheit value to be printed to zero. The highest Fahrenheit value is 300. (Note: inside main(), every statement must end with a semicolon (;).) step means that consecutive Fahrenheit values are 20 degrees apart.
(4) while (fahr <= upper) { ... } means: as long as the Fahrenheit value is less than or equal to the maximum of 300 degrees, keep executing the code inside the braces.
(5) celsius = 5 * (fahr - 32) / 9; is the formula that finds the Celsius value. Because every operand is an int, the division truncates toward zero, which is why 0 degrees Fahrenheit prints as -17 rather than -17.8.
(6) The printf() function outputs the Fahrenheit and Celsius values. %d is used to print integers. \t (tab) inserts one tab stop (about half an inch) between one value and the next. \n (new line) moves to the next line of the screen.
(7) 20 is added to the Fahrenheit value and control returns to the while loop, where the next Celsius value is computed and printed. The loop keeps running as long as the Fahrenheit value does not exceed 300. Once it does, getch() runs, and after that the program ends.
(3) Data type

    Type             Range (Borland C++ 5.02, 16-bit model)
    unsigned char    0 to 255
    char             0 to 255 (plain char is signed by default on this compiler, i.e. -128 to 127, unless the unsigned-char option is set)
    short int        -32,768 to 32,767
    unsigned int     0 to 65,535
    int              -32,768 to 32,767
    unsigned long    0 to 4,294,967,295
    enum             -32,768 to 32,767
    long             -2,147,483,648 to 2,147,483,647
    float            3.4 x 10^-38 to 3.4 x 10^38
    double           1.7 x 10^-308 to 1.7 x 10^308
    long double      3.4 x 10^-4932 to 1.1 x 10^4932

The integer ranges above are for a 16-bit compiler; on 32-bit and 64-bit compilers int is 4 bytes (-2,147,483,648 to 2,147,483,647), and only the minimum sizes are guaranteed by the language.
A data type specifies what kind of data an identifier (variable) holds. You must know whether the variable you declare holds a character, a decimal number or an integer. For characters or (string) text, declare char. For integers, declare int. For decimals, use float or double.
A variable declared as char occupies 1 byte of memory. 1 byte is 8 bits, which in binary looks like the row of cells below:

    1 1 1 1 1 1 1 1

Each cell represents 1 bit and can hold only the two values 1 or 0. Because it is binary, the most it can hold is 256 distinct values, 0 to 255: 11111111 in binary is 255 = 2^8 - 1, and counting zero gives 2^8 = 256 values.
Let's look at examples relating to char.
    char variable_name;       // holds a single character
    char variable_name[20];   // a string of up to 19 characters plus the terminating '\0'
    char *variable;           // a pointer; works with a string of any length
char is used most of all when reading and writing data in files, when writing database programs, and when writing password-related programs.
int occupies 2 bytes of memory on this compiler (4 bytes on 32-bit and 64-bit compilers). So the number of distinct values it can store is 2 bytes = 16 bits = 2^16 = 65536. The forms of int are:
    signed int variable_name;          // 2 bytes, -32,768 to 32,767
    unsigned int variable_name;        // 2 bytes, 0 to 65,535
    short int variable_name;           // 2 bytes, -32,768 to 32,767
    long int variable_name;            // 4 bytes, -2,147,483,648 to 2,147,483,647
    unsigned long int variable_name;   // 4 bytes, 0 to 4,294,967,295
signed and short need not be written out. If you declare just int variable_name;, this 16-bit compiler treats it as signed short int variable_name; (the C standard only requires int to be at least 16 bits, and on modern compilers int is wider than short). There is a reason why signed/unsigned and short/long exist in C: the problem dates from the DOS era. Back then RAM was not 1GB or 4GB as today but only 64KB or 128KB, and DOS did not allow C programs larger than 1MB. Programmers therefore had to plan so their programs used as little memory as possible, and used short instead of long wherever they could. For instance, if the result computed by the program will only be somewhere between 40000 and 50000, how should the variable be declared: unsigned int variable_name; or long int variable_name;? (unsigned int is enough, since its 2 bytes cover 0 to 65,535.) For a single variable the question hardly matters, but once variables come in the tens of thousands you must think about it. What about int variable_name[200][100]? Which would you choose? With 20,000 elements it becomes important: declared as long int, the array takes 200 x 100 = 20,000 x 4 bytes = 80,000 bytes (about 78KB) of memory. Suppose your RAM is only 64KB; the program overflows (the stack, if the array is local) and will not run. (Note: today there is no need to worry about how much memory such a program takes.)
float is used for decimal numbers and occupies 4 bytes of memory. double is also for decimal numbers and occupies 8 bytes; it is widely used in scientific calculations that need about 15 significant digits. long double is like double and occupies 10 bytes on this compiler (its size varies by compiler; many 64-bit systems use 16 bytes).
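The type widths above are what the compiler gives you, not constants of C, and the wrap-around that happens when an unsigned value leaves its range is exactly the behaviour a cracker meets in serial-number checks (and the source of many integer-overflow bugs). The following added example, which is not code from the book, queries the widths of the current compiler from limits.h, computes the ranges of the table from the bit width instead of memorising them, and shows unsigned wrap beside a signed addition that is checked before it is performed, because signed overflow is undefined behaviour in C. All function names are this example's own.

```c
/* Added example (not from the original book): type widths, ranges and overflow. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Widths of the integer types on whichever compiler builds this file. */
size_t size_of_char(void)  { return sizeof(char); }   /* always 1 by definition */
size_t size_of_short(void) { return sizeof(short); }
size_t size_of_int(void)   { return sizeof(int); }    /* 2 on Borland 16-bit, 4 on modern compilers */
size_t size_of_long(void)  { return sizeof(long); }
int    bits_per_char(void) { return CHAR_BIT; }

/* The book's table says char is 0..255; on most compilers plain char is signed. */
int plain_char_is_signed(void) { return CHAR_MIN < 0; }

/* Ranges of the table computed from the width: 2^bits - 1, -2^(bits-1), 2^(bits-1) - 1. */
long long max_unsigned(unsigned bits) { return (1LL << bits) - 1; }
long long min_signed(unsigned bits)   { return -(1LL << (bits - 1)); }
long long max_signed(unsigned bits)   { return (1LL << (bits - 1)) - 1; }

/* Unsigned arithmetic wraps modulo 2^N: 255 + 1 is 0 in a byte, 65535 + 1 is 0 in 16 bits. */
unsigned char  add_u8(unsigned char a, unsigned char b)    { return (unsigned char)(a + b); }
unsigned short add_u16(unsigned short a, unsigned short b) { return (unsigned short)(a + b); }

/* Signed overflow is undefined behaviour, so check the range before adding.
 * Returns 1 and stores the sum on success, 0 if the sum would not fit in an int. */
int safe_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}

int main(void)
{
    int sum;
    printf("int is %zu bytes, long is %zu bytes, plain char signed: %d\n",
           size_of_int(), size_of_long(), plain_char_is_signed());
    printf("16-bit ranges: unsigned 0..%lld, signed %lld..%lld\n",
           max_unsigned(16), min_signed(16), max_signed(16));
    printf("255 + 1 as unsigned char = %u\n", add_u8(255, 1));
    printf("INT_MAX + 1 fits: %d\n", safe_add_int(INT_MAX, 1, &sum));
    return 0;
}
```

Build the same file with a 16-bit and a 32-bit compiler and the first line of output changes while everything computed from the bit width stays the same; that is the distinction the table above glosses over.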
(4) Identifier
The names you give to your variables are called identifiers. When naming identifiers, the following rules must be followed.
(1) An identifier must begin with a letter (A-Z, a-z) or an underscore.
(2) No special characters other than the underscore (_) may be used.
(3) An identifier must not exceed 255 characters (this compiler's limit; standard C89 only guarantees that the first 31 characters are significant).
(4) Keywords must not be used as identifiers (for example case, return).
(5) MY_Variable123 and my_Variable123 are different identifiers; case matters.

The following identifiers are valid:
    int get_result_from_program;
    int x123;
The following identifiers are invalid:
    int 123data;                    /* starts with a digit */
    int while;                      /* keyword */
    int base@location;              /* special character */
    int get-result-from-program;    /* hyphens are the minus operator */
(5) wwd,ajrmuf C y&dk*&rf

    #include <stdio.h> /* 3rd C Program */
    #include <conio.h>

    /* print Fahrenheit-Celsius table for fahr = 0, 20, ..., 300 */
    int main()
    {
        float fahr, celsius;
        float lower, upper, step;

        lower = 0;    /* lower limit of temperature scale */
        upper = 300;  /* upper limit */
        step = 20;    /* step size */

        fahr = lower;
        while (fahr <= upper) {
            celsius = 5.0 * (fahr - 32.0) / 9.0;
            printf("%7.0f %10.3f\n", fahr, celsius);
            fahr = fahr + step;
        }
        getch();
        return 0;
    }

Figure (4)

This third program is the same in concept as the second. It is included here to explain format specifiers. A format specifier is used with printf() and begins with %. Its parts are the flag character, width specifier, precision specifier, size modifier and conversion character. Only the useful, common specifiers are explained here.
%d   print as a signed decimal integer.
%o   print as octal.
%u   print as an unsigned decimal integer.
%x   print as hexadecimal with lowercase letters.
%X   print as hexadecimal with uppercase letters.
%f   print a floating-point value in decimal notation (the argument is a double; a float is promoted automatically).
%e   print in exponential (scientific) notation, for example 1.500000e+02.
%E   the same as %e, but with an uppercase E.
%c   print a single character.
%s   print a string.
%ld  l is a length modifier, not a conversion on its own: %ld prints a long, %lu an unsigned long, %lx a long in hexadecimal.
%lf  read a double with scanf(); with printf() plain %f already prints a double (%lf is accepted there as well).
%Lf  print a long double (the L modifier must be followed by a floating-point conversion).

Look at printf("%7.0f %10.3f\n", fahr, celsius); in Figure (4). In %7.0f, the 7 means the value is printed right-aligned in a field seven characters wide, .0 means no digits after the decimal point, and f prints a floating-point number. In %10.3f, 10 is the field width and .3 means three digits after the decimal point. The next topic is escape sequences; the most common are \t and \n. \t inserts a tab stop and \n moves to the next line.
(6) keyword
The keywords of the C language are as follows (continue, which the original list omits, belongs here too; far, huge and near are Borland extensions for the 16-bit memory models, not standard C):
auto break case char const continue
default do double else enum
extern far float for goto
huge if int long near
register return short signed sizeof
static struct switch typedef union
unsigned void volatile while
Keywords cannot be used as variable names when declaring identifiers, because every keyword has its own function. The important, frequently used keywords are discussed under their own headings.
(7) if statement
The if statement is used to decide whether a condition is true or false. It is sometimes combined with the else keyword. Some of its possible forms are:
(1)
if(condition) statement;
(2)
if(condition) statement;
else statement;
(3)
if(condition1) statement;
else if(condition2) statement;
else statement;
(4)
if(condition1) statement;
if(condition2) statement;

(1) The first form tests a single condition: the statement runs only when it is true.
(2) The second form is used when exactly one of two branches must run: the if branch when the condition is true, the else branch otherwise.
(3) The third form is used when exactly one of three or more alternatives must run; the conditions are tested in order and the first true one is taken.
(4) The fourth form is two independent if statements: each condition may be true or false on its own, so zero, one or both statements may run.
(8) pwkw¬ajrmuf C y&dk*&rf

yHk(5)
tcef;(2) - tajccH C bmompum; - 14 -

yHk(5)u uk'fawGudk run vdkuf&if yHk(6)twdkif;awGU&rSmyg/

yHk(6)
'Dy&dk*&rf[m uD;bkwfuae oif&dkufxnfhvdkufwJh *Pef;[m taygif;vm;? tEIwfvm;? oknvm;qdkwm
ppfaq;ay;rSm jzpfygw,f/ yHk(6)/ if statement udk oHk;jyD;a&;xm;wJh &dk;&Sif;vSwJh y&dk*&rfav;yg/ 'Dae&mrSm
topfxyfwdk;vmwmuawmh scanf() function yg/ olUtaMumif;udk tao;pdwfodcsif&ifawmh scanf ae&mrSm
mouse cursor udkxm;jyD; Ctrl+F1 udk ESdyfvdkufyg/ olUudk b,fvdktoHk;jyK&rvJqdkwJh Help ay:vmygvdrfhr,f/
yHk(7)/ tjcm; function awGudkvJ Ctrl+F1 EdSyfjyD; tao;pdwf MunfhvdkU&ygw,f/

yHk(7)
scanf() function udk uD;bkwfuae &dkufxnfhr,fh *Pef;? pmom;awGudkzwfzdkU toHk;jyKygw,f/
'Derlemy&dk*&rfrSm uRefawmfwdkUzwfr,fht&muawmh udef;jynfh*Pef;(%d) wpfck jzpfygw,f/ number_check
&JUa&SUrSm address sign (&) av;ygwm rarhygeJU/
Function awGtaMumif;odcsif&ifawmh Help udkrsm;rsm;zwfyg/ Help rSm ygvmwJh example awGudk
avhvmyg/ Example awGudk run Munfhyg/
(9) switch statement
Another statement similar in concept to if is the switch statement. Its form is:
switch(expression){
    case constant_expression1: statement; break;
    case constant_expression2: statement; break;
    default: statement;
}
Without break at the end of a case, execution falls through into the next case.

(10) Fifth C program

#include<stdio.h>
#include<conio.h>
#include<stdlib.h>
int main() { /* Copyright © Myo Myint Htike, 2009 */
    int menu;
    printf("Choose 1 to print \"Welcome!\" text. \n");
    printf("Choose 2 to print \"Sorry!\" text. \n");
    printf("Choose any number to exit!\n");
    printf("Please enter a number: ");
    if (scanf("%d", &menu) != 1) exit(1);   /* non-numeric input: menu would be uninitialized */
    switch(menu){
        case 1: printf("Welcome!"); break;
        case 2: printf("Sorry!"); break;
        default: exit(0);
    }
    getch(); return 0; }

This is an example program showing how the switch statement is used. Try it out to see how it works. The point to explain here is the exit() function. exit() terminates the whole program immediately, not just the function it is called from: open streams are flushed and its argument is returned to the operating system as the exit status. To use it you must include stdlib.h (STandarD LIBrary). The author considers switch rarely used and optional to study; keep in mind, though, that compilers often turn a switch into a jump table, a pattern you will meet again when reading disassembly.
(11) while loop
Now let's look at loops. Loops are what you meet most often when cracking. A loop repeats a piece of work many times, for as long as a given condition holds. The most common loops are the for loop and the while loop. The form of the while loop is:
while(condition)
    statement;

No example program for the while loop is given here, because the second C program already showed how it works. A variant of while is the do { } while loop; it differs in that the body runs once before the condition is first tested. It is rarely used, so it is not explained further.
(12) for loop
The form of the for loop is:
for(expression1; condition; expression2)
    statement;

The for loop works like this. First expression1 (the initialization) is evaluated, once only. Then condition is tested. If it is true, statement is executed, and then expression2 (the increment). After expression2 the loop goes back to test condition again; it does not return to expression1, which is never repeated. As long as condition stays true, statement keeps executing; the loop ends when condition becomes false.
(13) 6ckajrmuf C y&dk*&rf

#include<stdio.h>
#include<conio.h>
int main()
{ /* Copyright © Myo Myint Htike, 2009 */
    int x, y, z; /* Declare 3 unknown variables */
    for(x=0; x<10; x++)                   // for(1; 2; 14) after 14, go back to 2
        for(y=0; y<10; y++)               // for(3; 4; 12) 3=13
            for(z=0; z<10; z++)           // for(5; 6; 10) 5=11
                if(2*x+3*y-4*z == -3)     // if 7 = true then do 8, else go to 10
                    if(4*x-2*y+z == 6)    // if 8 = true then do 9
                        if(x-3*y-2*z == -15) // if 9 = true then print x, y, z
                            printf(" x= %d\n y= %d\n z= %d",x,y,z);
    getch();
    return 0;
}

Figure (8)
Figure (8) is a problem with three unknowns: find x, y and z. It is solved with for loops. If you look at the program closely you will see that no algebra is used at all: it simply tries every combination of x, y and z from 0 to 9 (a brute-force search). This technique is very useful when cracking, for guessing passwords. Let's look at how the program works.
(1) First we declare the three unknowns we are looking for as integers. (Note: the solution of such a problem is not always an integer. If no integer solution is found, declare them as float; in that case do not compare with ==, because floating-point results are rarely exact, but test whether the difference is smaller than a small tolerance.)

(2) The for loops start. Study carefully how they work. First the value of x is set to zero, then x is tested against 10; if it is smaller, control moves down to the next line. There y is set to zero and tested against 10; if smaller, down to the next line. z is set to zero and tested against 10; if smaller, down to the next line. Now (x=0, y=0, z=0) is substituted into 2x+3y-4z and compared with -3. If they are equal, control moves to the next line; if not, z is incremented, so z=0 becomes z=1, z is tested against 10 again, and if smaller (x=0, y=0, z=1) is substituted into 2x+3y-4z and compared with -3 once more. In this way x, y and z are incremented one step at a time and the three equations are tested each time. Between one and one thousand combinations are tested. When all three equations hold, printf() prints the values of x, y and z.
(3) x++ is the same as x = x+1; (see under the heading Operator).
(14) operator
Operators can be grouped as follows:
(a) Arithmetic operators
(b) Unary operators
(c) Relational operators
(d) Assignment operators
(e) Logical operators
(f) Conditional operator
(g) Bitwise operators
(a) Arithmetic operators
The arithmetic operators are:

+ (addition) adds two values.
- (subtraction) subtracts one value from another.
* (multiplication) multiplies two values.
/ (division) divides one value by another (with integer operands the quotient is an integer, truncated towards zero).
% (modulus) gives the remainder of an integer division.

(b) Unary operators
The unary operators are:

i++; (postincrement) adds one to the variable.
i--; (postdecrement) subtracts one from the variable.
++i; (preincrement) adds one to the variable.
--i; (predecrement) subtracts one from the variable.

They are usually called the increment and decrement operators.


The thing to watch here is the difference between i++ and ++i. Written as follows, they mean the same thing:
int i=0, j=0;
i++; ++j;
Here i and j end up with the same value, 1. Now look at another form:
int i=0, j=0, x=0, y=0;
x = x+(i++);
y = y+(++j);

In this case x is 0 and y is 1. That is, with i++ the current value of i is used in the expression (added to x) first, and i is incremented afterwards; with ++j the increment happens first and the new value is the one used. That is why i++ is called postincrement.
(c) Relational operators
Relational operators are used with the if statement, the for loop, the while loop and so on, to test a condition or to compare variables. Each comparison yields 1 (true) or 0 (false).
== (equal) tests whether two values are equal; true if they are.
!= (not equal) tests whether two values differ; true if they do.
> (greater than) true if the left value is greater than the right.
< (less than) true if the left value is smaller than the right.
>= (greater or equal) true if the left value is greater than or equal to the right.
<= (less than or equal) true if the left value is less than or equal to the right.

(d) Assignment operators
Assignment operators store a value in a variable. They are:
= *= /= %= += -=
<<= >>= &= ^= |=
They are used as follows (each compound form is shorthand for the expression in its comment):
x = y + 10;   // x = y + 10;
x *= 10;      // x = x * 10;
x /= 10;      // x = x / 10;
x <<= 3;      // x = x << 3;
x ^= 30;      // x = x ^ 30;
(e) Logical operators
The logical operators are:
&& (AND) true only if both conditions are true.
|| (OR) true if at least one of the two conditions is true.
! (NOT) true if the condition is false.
They are used as follows:
int x=0;
scanf("%d",&x);
if( x>0 && x<40) printf ("Fail");
if( x>75 || x == 75) printf ("Credit");   /* the same test as x >= 75 */
if(!x) printf("The value of x is zero.");
(f) Conditional operator
The conditional operator has the form:
logical-OR-expression ? expression : conditional-expression
It is used like this:
z = (a > b) ? a : b; /* z = max (a,b) */
This example takes the larger of a and b. Rewritten with if, it becomes:
if (a>b) z = a;
else z = b;
Either way z ends up holding the larger of the two values.
(g) Bitwise operators
The bitwise operators are:

& (bitwise AND)
| (bitwise inclusive OR)
^ (bitwise exclusive OR) (XOR)
~ (bitwise complement) (NOT)
>> (shift right)
<< (shift left)

They operate bit by bit, as the truth tables below show (source bit, destination bit, and the resulting bit underneath; NOT takes a single operand):

                 AND            OR             XOR          NOT
Source bit       0  0  1  1     0  0  1  1     0  0  1  1   0  1
Destination bit  0  1  0  1     0  1  0  1     0  1  0  1   -  -
Result           0  0  0  1     0  1  1  1     0  1  1  0   1  0

>> corresponds to the assembly SHR instruction and << to the SHL instruction. SHL and SHR move the bits of a register or memory location left or right by the given number of positions. Look at the example:
int x = 0xBEEF;        // x = 1011111011101111 (binary)
x = x >> 4;            // x = 0000101111101110
printf("x = %X", x);   // prints x = BEE
To make it clearer, look at another example:
int x = 0xDEAD;                  // x = 1101111010101101 (binary)
x = (x >> 5) & ~(~0 << 3);       // shift right by 5, then keep only the low 3 bits
printf("x = %X", x);             // prints x = 5 (101)
Running this code gives 5; work out for yourself how. (The expression ~(~0 << 3) builds the mask 111: ~0 is all ones, shifting it left by 3 clears the low three bits, and complementing again leaves only those three bits set. Left-shifting the negative value ~0 as a signed int is technically undefined in C, so prefer the unsigned form ~(~0u << 3).) Converting hexadecimal to binary and binary to hexadecimal can be done with the calculator (calc.exe).
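As an added example (my own code, not from the book) of the bit-extraction idiom above, the following C generalizes (x >> 5) & ~(~0 << 3) into a function that pulls any bit field out of a 32-bit value without the undefined shifts of the signed version, and replaces the calc.exe round trip with conversion functions between binary text and numbers. The function and variable names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Extract `width` bits of x starting at bit position `shift` (bit 0 = least significant).
 * Unsigned arithmetic throughout: ~(~0 << 3) on a signed int shifts a negative value, which
 * C leaves undefined; (1u << width) - 1u is defined for every width from 0 to 31, and
 * width == 32 is handled separately because shifting a 32-bit value by 32 is also undefined. */
uint32_t bits(uint32_t x, unsigned shift, unsigned width)
{
    if (width == 0 || shift >= 32)
        return 0;
    if (width > 32 - shift)               /* clamp so the field never runs past bit 31 */
        width = 32 - shift;
    uint32_t mask = (width == 32) ? 0xFFFFFFFFu : ((1u << width) - 1u);
    return (x >> shift) & mask;
}

/* Render the low `nbits` (1..32) bits of x as a '0'/'1' string; out needs nbits + 1 bytes. */
char *to_binary(uint32_t x, unsigned nbits, char *out)
{
    for (unsigned i = 0; i < nbits; i++)
        out[i] = ((x >> (nbits - 1 - i)) & 1u) ? '1' : '0';
    out[nbits] = '\0';
    return out;
}

/* Parse a string of '0'/'1' characters back into a value. Other characters are skipped,
 * so a grouped form such as "1101 1110 1010 1101" is accepted too. */
uint32_t from_binary(const char *s)
{
    uint32_t v = 0;
    for (; *s != '\0'; s++) {
        if (*s == '0' || *s == '1')
            v = (v << 1) | (uint32_t)(*s - '0');
    }
    return v;
}

int main(void)
{
    char buf[33];
    uint32_t x = 0xDEAD;
    printf("x      = %s (0x%X)\n", to_binary(x, 16, buf), x);
    printf("x >> 5 = %s\n", to_binary(x >> 5, 16, buf));
    printf("bits(x, 5, 3) = %u\n", bits(x, 5, 3));               /* the page's example: 5 */
    printf("bits(0xBEEF, 4, 12) = 0x%X\n", bits(0xBEEF, 4, 12)); /* the page's shift example: BEE */
    printf("from_binary(\"101\") = %u\n", from_binary("101"));
    return 0;
}
```

bits(x, 5, 3) is exactly the page's (x >> 5) & ~(~0 << 3), and bits(0xBEEF, 4, 12) is its x >> 4 example; to_binary() and from_binary() let you check such values in code instead of in calc.exe.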
(15) Function
A function is a unit that groups operations together. The parts of a function are its return type, its name, its parameter list, and the function body where the code is written. Functions come in two kinds: those supplied with the compiler (library functions) and those you create yourself. printf() and scanf() are compiler-supplied functions; to use them you must include the corresponding header files. Built-in functions are not explained further here.
(16) Seventh C program

#include<stdio.h>
#include<conio.h>
int power (int m, int n);
int main()
{ int i;
  for (i=0; i<10; ++i)
      printf("%d %d %d\n", i, power(2,i), power(-3,i));
  getch();
  return 0; }
int power (int base, int n)
{ int i, p; p = 1;
  for (i = 1; i <= n; ++i)
      p = p * base;
  return p; }

Figure (9)

This program computes the first ten powers of 2 and of -3 (2^0, 2^1, 2^2, 2^3, 2^4, ...).
1. int power (int m, int n); declares that we are going to use a function of our own. Because of this declaration (a prototype), power() can be called from anywhere after it, inside main() or outside it. The reason power() can be called from anywhere is its scope. In fact, writing int power (int m, int n); outside main() is the same as writing extern int power (int m, int n);. Here extern is a keyword; it is also called a storage class.
2. There are four storage classes: auto, extern, static and register. All variables declared inside a function with a plain int, float, char and nothing else are auto. All variables declared outside any function with a plain int, float, char and nothing else have external linkage, as if extern had been written (a declaration marked extern refers to a definition elsewhere; a plain declaration at file scope is the definition itself). static and register are rarely used, so they are not explained here. If a function returns no value, declare its return type as void.
(17) Array
An array is a single variable that groups values of the same data type. To group values of different data types you use the struct keyword. A one-dimensional array is declared like this:
int myanmar[60];
int myanmar[60]; declares storage for the Myanmar-language marks of sixty students. Without an array we would have to declare int myanmar1, myanmar2, myanmar3; and so on, which makes the program long and confusing. For more clarity, look at another one:
int exam_result [60] [6];
This declares storage for six subject results for each of sixty students. It is a two-dimensional array. Here exam_result is the name of the array and 60 and 6 are its dimensions, the number of slots in each direction. Each individual slot is an element, and the number that selects it is the index (subscript). Indices always start at 0 and the last one is size-1.
Recall from the heading 'Data type' that when char is declared as an array it becomes a string rather than a single character. Let's look at that again:
char my_string [12] = "I Love You.";
int i;
for(i=0; i<11; i++)
    printf("%c", my_string[i]);
Running this code shows the text 'I Love You.'. A string is an array of char that ends with a null terminator (\0); the literal "I Love You." has 11 visible characters plus the terminator, so the array needs 12 bytes (the original listing declares my_string[11], which C accepts but which silently drops the terminator). If you change the loop to for(i=1; i<12; i++) the output becomes ' Love You.' followed by the terminator at index 11, which prints as nothing visible (on some consoles as a blank). If you change 12 to 19 the loop reads past the end of the array, which is undefined behaviour: you will see random characters from whatever happens to sit in memory next to it. Reading or writing past the end of an array is exactly the kind of mistake that becomes a buffer overflow.
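The terminator point above is where many real C bugs begin, so here is an added example (my own code, not the book's) that makes it concrete: TIGHT is the 11-byte array the original listing declares, built byte by byte so that it visibly has no '\0'; ROOMY is the 12-byte version that has one. has_terminator() and bounded_len() inspect a buffer without ever reading past its declared size, and copy_bounded() is a copy that always leaves a terminator and truncates instead of overflowing, which strncpy() does not guarantee. The names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The original listing's char my_string[11] = "I Love You."; keeps the 11 letters but has no room
 * for the terminating '\0'. Spelled out byte by byte so the missing terminator is obvious. */
const char TIGHT[11] = { 'I', ' ', 'L', 'o', 'v', 'e', ' ', 'Y', 'o', 'u', '.' };

/* sizeof("I Love You.") is 12: eleven characters plus the terminator, so 12 bytes hold it. */
const char ROOMY[12] = "I Love You.";

/* 1 if a '\0' occurs somewhere in the first cap bytes of buf, 0 otherwise. */
int has_terminator(const char *buf, size_t cap)
{
    for (size_t i = 0; i < cap; i++)
        if (buf[i] == '\0')
            return 1;
    return 0;
}

/* Like strlen(), but never looks beyond cap bytes: returns cap when no terminator is found.
 * strlen(TIGHT) would run off the end of the array, which is undefined behaviour. */
size_t bounded_len(const char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst[cap]: always '\0'-terminated, truncated if src is too long.
 * Returns the number of characters copied (not counting the terminator). */
size_t copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return 0;
    size_t n = 0;
    while (n < cap - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char small[6];
    printf("TIGHT has terminator: %d (length within bounds: %zu)\n",
           has_terminator(TIGHT, sizeof TIGHT), bounded_len(TIGHT, sizeof TIGHT));
    printf("ROOMY has terminator: %d (length: %zu)\n",
           has_terminator(ROOMY, sizeof ROOMY), bounded_len(ROOMY, sizeof ROOMY));
    /* Printing TIGHT safely means giving printf an explicit length: %.*s needs no terminator. */
    printf("TIGHT printed with a length: %.*s\n", (int)sizeof TIGHT, TIGHT);
    copy_bounded(small, sizeof small, ROOMY);
    printf("copied into 6 bytes: \"%s\"\n", small);
    return 0;
}
```

The same discipline applies to every buffer the later programs fill from the keyboard: the capacity, not the content, decides how far a read or copy may go.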
(18) Pointer
A pointer is a variable that holds the address of another variable. Pointers are used a great deal in C, and pointers and arrays are closely related. For clarity, look at an example (the assembly in the comments is what a compiler might emit; EBP is assumed to be 12FF8C):
int x = 1, y = 2, z[10];  // MOV DWORD PTR SS:[EBP-4], 1   (assume EBP = 12FF8C)
int *ip;                  // declare ip as a pointer to int
ip = &x;                  // LEA EAX, DWORD PTR SS:[EBP-4]
    (ip now holds the address where x is stored, its load effective address: 12FF88.)
y = *ip;                  // MOV EDX, DWORD PTR DS:[EAX]     (y becomes 1)
*ip = 0;                  // MOV DWORD PTR DS:[EAX], 0       (x, the object ip points to, becomes 0; ip itself is unchanged)
ip = &z[0];               // LEA EAX, DWORD PTR SS:[EBP-2C]
    (ip now holds the address of z[0]: 12FF60.)
printf("%d %d %X %X", x, y, *ip, ip); // PUSH DWORD PTR SS:[EBP-4], PUSH EDX, PUSH DWORD PTR DS:[EAX], PUSH EAX
    (So the output is 0 1 0 12FF60, assuming z[0] happens to contain 0; z is never initialized, so its value is really indeterminate.)
The unary operator & gives the address of an object. & can only be applied to things that live in memory, namely variables and array elements; it cannot be applied to expressions, constants or register variables.
The unary operator * is called the indirection or dereferencing operator. Applied to a pointer, it accesses the object the pointer points to.
(19) Eighth C program

#include<stdio.h>
#include<conio.h>
/* NOTE: strlen and strcmp are names reserved by the standard library. They are redefined here,
   as in the original listing, only to show how they work with pointers. Do not include <string.h>
   in this file, and in real code give your own versions different names. */
int strlen(char *string);
int strcmp(char *string1, char *string2);
int main()
{ char get_string[100]; int length;
  char *comp_str = "My Love";
  /* fgets() stops after sizeof(get_string)-1 characters; gets(), used in the original listing,
     has no bound at all and overflows the buffer on a long line. */
  if (fgets(get_string, sizeof get_string, stdin) == NULL) return 1;
  length = strlen(get_string);
  if (length > 0 && get_string[length-1] == '\n') get_string[--length] = '\0'; /* drop the newline */
  printf("String Length = %d", length);
  if( (strcmp(get_string, comp_str)) !=0)
      printf("\n\"%s\" and \"%s\" are not equal.", get_string, comp_str);
  getch(); return 0; }
/* strlen: return length of string s */
int strlen(char *s)
{
    int n;
    for (n = 0; *s != '\0'; s++)   /* walk the pointer forward until the terminator */
        n++;
    return n;
}
// strcmp: return <0 if s<t, 0 if s==t, >0 if s>t
int strcmp(char *s, char *t)
{
    for ( ; *s == *t; s++, t++)
        if (*s == '\0')            /* both strings ended together: equal */
            return 0;
    return *s - *t;
}

Figure (10)

This program prints the number of characters in the text you type and checks whether it matches a fixed string. Notice how pointers and arrays are used together in it.
(20) String
Now let's look briefly at strings. To use the string functions you must include <string.h>. Some of the string functions are:
strcpy(str1,str2)          copies the text in str2 into str1 (str1 must be large enough; nothing checks this).
strncpy(str1,str2,length)  copies at most length characters from str2 into str1 (if str2 is longer than that, str1 is left without a terminator).
strcmp(str1,str2)          compares str1 with str2.
strcmpi(str1,str2)         compares str1 with str2 ignoring case (a Borland extension; other compilers call it stricmp or strcasecmp).
strlen(str)                returns the number of characters in str.
strcat(str1,str2)          appends str2 to str1; the result is stored in str1.

In the program of Figure (10) you will have noticed that we wrote the strlen() function ourselves. In fact that program wrote its own strlen() only in order to explain pointers. We do not need to write most string functions ourselves: include <string.h> and use the ready-made ones. For clarity, look at the ninth program, which uses the strcmpi() function directly.

(21) Ninth C program

#include<stdio.h>
#include<conio.h>
#include<string.h>
void Password(void);
int main()
{ Password(); getch(); return 0; }
void Password(void)
{ /* Copyright © Myo Myint Htike, 2009 */
  char password[80];
  printf("\nEnter Password:");
  gets(password);   /* no bound on the input: a line longer than 79 characters overflows the buffer */
  if(strcmpi(password,"PASSWORD")==0)
      printf("\nYou really did it. Congratulations!");
  else{ printf("\nTry again!\n"); Password(); }   /* recursion: calls itself on every wrong attempt */
}

Figure (11)

This is the password program that a great many Myanmar programmers write. It asks for a password from the keyboard; if the password is wrong it asks again, and if it is right it runs the intended function. This program has a great many weaknesses. If you ignore debuggers, you could say it is written quite cleverly: it uses recursion to keep the program compact. (Recursion means a function calling itself again and again.) Even without a debugger, though, two weaknesses are plain from the source: the expected password sits in the executable as a plain-text literal, so a strings dump reveals it, and gets() places no limit on the input, so a line longer than the 80-byte buffer overwrites whatever lies beyond it. Each wrong attempt also calls Password() again without returning, so the stack grows with every try.
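As an added example of how the same check can be written without those weaknesses (my own code, not the author's), the program below replaces gets() with a bounded fgets() read, stores only a hash of the expected password rather than the literal, and counts attempts in a loop instead of recursing. The hash is 32-bit FNV-1a, a well-known non-cryptographic hash chosen only because it fits in a few lines; STORED_HASH is the FNV-1a value of "PASSWORD", precomputed so the plaintext never appears in the binary. Unlike the original strcmpi() check, this one is case-sensitive. Note what it does and does not buy you: a strings dump no longer shows the password, but someone with a debugger can still flip the conditional jump after the comparison, which is exactly the attack the rest of this book is about.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a: XOR each byte into the state, then multiply by the FNV prime. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;               /* FNV offset basis */
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;                   /* FNV prime; 32-bit wrap-around is intended */
    }
    return h;
}

/* fnv1a32("PASSWORD"), precomputed. Only the hash is stored, never the password itself. */
#define STORED_HASH 0x21102718u

/* Read one line into buf[cap], dropping the newline. Returns the length, or -1 on EOF.
 * Anything beyond cap-1 characters is discarded rather than written past the buffer. */
int read_line(char *buf, size_t cap, FILE *in)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else {                                /* line longer than the buffer: eat the rest of it */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

int check_password(const char *attempt)
{
    return fnv1a32(attempt) == STORED_HASH;
}

/* Prompt for up to max_attempts passwords read from `in`.
 * Returns the 1-based number of the successful attempt, or 0 if every attempt failed. */
int authenticate(FILE *in, int max_attempts)
{
    char password[80];
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        printf("\nEnter Password:");
        fflush(stdout);
        if (read_line(password, sizeof password, in) < 0)
            return 0;                       /* input closed */
        if (check_password(password))
            return attempt;
        printf("\nTry again!\n");
    }
    return 0;
}

int main(void)
{
    if (authenticate(stdin, 3))
        printf("\nYou really did it. Congratulations!\n");
    else
        printf("\nToo many wrong attempts.\n");
    return 0;
}
```

authenticate() takes the input stream as a parameter so that the same logic can be driven from a file in a test as well as from stdin; a real product would use a slow, salted password hash rather than FNV-1a, which is fast enough to brute-force.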
(22) File I/O
Now let's look at a few file functions, which show how to read data from a file. To use the file functions you must include <stdio.h>. Some of them are:
fopen(filename,mode)        opens a file for writing or reading; it returns a FILE pointer, or NULL if the file cannot be opened (always check for this).
fclose(filepointer)         closes the file (it takes the FILE pointer returned by fopen, not the file name).
feof(filepointer)           tests whether the end of the file has been reached (it only becomes true after a read has already failed, so use the return value of the read call to control a loop).
fscanf(filepointer,format)  reads data from the file.

Most file functions work the same way as the ordinary input/output functions; the one difference is that you tell a file function which file to take its data from.
(23) Last C program
This time let's write a program that solves a small problem from the cracker test program.

Figure (12)

0043B374 PUSH EBP
0043B375 MOV EBP,ESP
0043B377 ADD ESP,-10
0043B37A PUSH EBX
0043B37B PUSH ESI
0043B37C PUSH EDI
0043B37D XOR ECX,ECX
0043B37F MOV [LOCAL.4],ECX
0043B382 MOV [LOCAL.1],EAX
0043B385 XOR EAX,EAX
0043B387 PUSH EBP
0043B38D PUSH DWORD PTR FS:[EAX]
0043B390 MOV DWORD PTR FS:[EAX],ESP
0043B393 XOR EBX,EBX
0043B395 XOR ESI,ESI
0043B397 MOV [LOCAL.2],10
0043B39E LEA EDX,[LOCAL.4]
0043B3A1 MOV EAX,[LOCAL.1]
0043B3A4 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3AF MOV EAX,[LOCAL.4]
0043B3B7 TEST EAX,EAX
0043B3B9 JLE SHORT Cracker_.0043B3F5
0043B3BB MOV [LOCAL.3],EAX
0043B3BE MOV EDI,1
0043B3C3 LEA EDX,[LOCAL.4]
0043B3C6 MOV EAX,[LOCAL.1]
0043B3C9 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3D4 MOV EAX,[LOCAL.4]
0043B3D7 MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
0043B3DC LEA EDX,DWORD PTR DS:[EDI+ESI]
0043B3DF ADD EAX,EDX
0043B3E1 MOV ESI,EAX
0043B3E3 ADD EBX,EBX
0043B3E5 XOR EBX,ESI
0043B3E7 MOV EAX,ESI
0043B3E9 CDQ
0043B3EA IDIV EDI
0043B3EC INC EDX
0043B3ED ADD EBX,EDX
0043B3EF INC EDI
0043B3F0 DEC [LOCAL.3]
0043B3F3 JNZ SHORT Cracker_.0043B3C3
0043B3F5 DEC [LOCAL.2]
0043B3F8 JNZ SHORT Cracker_.0043B39E
0043B3FA CMP ESI,3810
0043B400 JNZ SHORT Cracker_.0043B40A
0043B402 CMP EBX,402A4FE7
0043B408 JE SHORT Cracker_.0043B424
0043B40A MOV EAX,Cracker_.0043B4AC ; ASCII "Sorry, not the right one - try again !"
0043B40F CALL Cracker_.004338AC
0043B414 MOV EAX,[LOCAL.1]
0043B417 MOV EAX,DWORD PTR DS:[EAX+294]
0043B41D MOV EDX,DWORD PTR DS:[EAX]
0043B41F CALL DWORD PTR DS:[EDX+78]
0043B422 JMP SHORT Cracker_.0043B47D
0043B424 MOV EAX,EBX
0043B426 SUB EAX,ESI
0043B428 CMP EAX,402A17D7
0043B42D JE SHORT Cracker_.0043B449

Figure (13)

The problem is as shown in Figure (12): you are asked to guess a word. The cracker test program was written to test a cracker's skill and has eight levels (very very easy, very easy, easy, not entirely easy, somewhat harder, hard, very hard, very very hard). The level you see is level (3), easy. Examining this program with the Olly debugger shows the code in Figure (13). Solving the code in Figure (13) by hand or with a calculator is absolutely impossible, however good you are, so we try to solve it by writing a program. Written in C it looks like Figure (14).
#include <conio.h>   // Compiled by Borland C++.
#include <stdio.h>   // Coded by Myo Myint Htike.
#include <string.h>  // Date - 2009 March 13
#include <stdlib.h>
#include <math.h>
int main()
{
    FILE *fileread = fopen("english.dic","r");   /* read-only; the original listing used "a+" */
    char password[50];
    int EDI, i, j, EDX=0, EAX=0, ESI=0;
    unsigned int EBX=0;   /* EBX doubles on every step; unsigned so the wrap-around is defined, like the register */
    if (fileread == NULL) { printf("Cannot open english.dic\n"); return 1; }
    while(fscanf(fileread,"%49s",password) == 1){   /* %49s: at most 49 characters plus the terminator */
        int character_count=0;
        div_t div_result;
        printf("%s\n",password);
        character_count = strlen(password);
        EDX=0;   /* the variable names below follow the registers in Figure (13) */
        ESI=0;
        EDI=0;
        EBX=0;
        for(i=0;i<16;i++){ // for loop 1: MOV [LOCAL.2],10 ... DEC [LOCAL.2]; JNZ
            EDI=1;
            for(j=0; j<character_count; j++){ // for loop 2: one pass over the word
                EAX = (unsigned char)password[j]; // MOVZX EAX,BYTE PTR [EAX+EDI-1] (zero-extended)
                EDX = ESI+EDI;                 // LEA EDX,[EDI+ESI]
                EAX = EAX + EDX;               // ADD EAX,EDX
                ESI = EAX;                     // MOV ESI,EAX
                EBX = EBX + EBX;               // ADD EBX,EBX
                EBX = EBX ^ ESI;               // XOR EBX,ESI
                EAX = ESI;                     // MOV EAX,ESI
                div_result = div( EAX, EDI );  // CDQ; IDIV EDI
                EDX = div_result.rem ;         // the remainder lands in EDX
                EDX++;                         // INC EDX
                EBX= EBX +EDX;                 // ADD EBX,EDX
                EDI++;                         // INC EDI
            } // end of for loop 2
        } // end of for loop 1
        if(ESI== 0x3810 && EBX == 0x402A4FE7u){   // CMP ESI,3810 / CMP EBX,402A4FE7
            printf("Word is = %s\n", password); // Ans: firmware
            getch();
        } // end of if statement
    } // end of while loop
    fclose(fileread);
    getch();
    return 0;
}

Figure (14)

Study the source code in Figure (14) until you understand how it works line by line. If you fully understand how this program works, you can be confident that you have understood everything I have explained about the C language. If you do not understand it yet, go back and read the lesson again.
1. The <stdlib.h> header is included for div_t and div().
2. FILE *fileread = fopen("english.dic","r"); says that we are going to read the file english.dic. The point is that the password (word) we are looking for is inside this english.dic file. Dictionary (.dic) files are the files crackers use to test passwords against; they contain hundreds of thousands of words from the English dictionary. The more complete the word list, the closer you are to finding the answer. Download these dictionary (.dic) files from the Internet. A cracker should have not only English dictionaries but also Latin, French, Italian, medical and other dictionaries. (The original listing opens the file with "a+", append-and-read; "r" is the right mode for a file that is only read, and the result of fopen must be checked for NULL.)
3. char password[50]; declares that the word we read will be at most 50 characters long (49 plus the terminator). Have you ever seen an English word longer than that? If you have, change 50 to 200; I doubt there is an English word longer than 200 characters. Whatever size you choose, the width in the fscanf format (%49s) must match it, otherwise a longer entry overflows the buffer.
4. while(fscanf(fileread,"%49s",password) == 1){ } reads words until fscanf fails at the end of the file; in other words it reads every word in english.dic. (The original used while(!feof(fileread)), which processes the last word twice, because feof() only reports end-of-file after a read has already failed.)
5. fscanf(fileread,"%49s",password); reads the first word of english.dic. Let's assume the first word is aaron; then password = "aaron". The word is displayed on the screen with printf(); you may also leave printf() out.
6. character_count = strlen(password); computes the number of characters in the word: 5 for aaron.
7. for(j=0; j<character_count; j++){ } depends on the length of the word; here, with 5 characters, it becomes for(j=0; j<5; j++).
8. Note EAX = password[j];. We declared EAX as an integer (int) and password as a character string (char [ ]). At this point the compiler sees password as the five characters "aaron" followed by a terminator, and EAX = password[0] = 'a' = 0x61. Remember that "a" and 'a' are not the same: "a" denotes a string and 'a' denotes a character. A character holds exactly one letter; a string holds one or more letters plus its terminator.
9. EDX = ESI + EDI; is easy to understand: it simply adds the values of ESI and EDI. EDX = ESI + EDI = 0 + 1 = 1.
10. EAX = EAX + EDX; gives EAX = 0x61 + 1 = 0x62.
11. So the value of ESI becomes 0x62.
12. EBX = EBX + EBX; gives EBX = 0 + 0 = 0.
13. EBX = EBX ^ ESI; gives EBX = 0 ^ 0x62 = 0x62.
14. EAX takes the value of ESI, so it is 0x62.
15. div_result = div(EAX, EDI); divides EAX by EDI: EAX = 0x62 / 1 = 0x62.
16. EDX = div_result.rem; stores the remainder of the division in EDX, so EDX becomes 0.
17. EDX++; adds one to EDX, so at this point EDX is 1 again.
18. EBX = EBX + EDX; gives EBX = 0x62 + 1 = 0x63.
19. EDI++; adds one to EDI, so EDI becomes 2.
20. Then j++ in for(j=0; j<5; j++) makes j=1 instead of j=0 and the for loop body runs again. In this way for(j=0; j<5; j++) runs 5 times and for(i=0;i<16;i++) 16 times, a total of

80 loop iterations, after which the result is ESI = 0x2200 and EBX = 0xBFC8757F.
21. ESI and EBX are compared with 0x3810 and 0x402A4FE7, and if both match the correct answer is printed. (Note: when the program reads firmware instead of aaron, for(j=0; j<character_count; j++){ } becomes for(j=0; j<8; j++). Then for(j=0; j<8; j++) runs 8 times and for(i=0;i<16;i++) 16 times, 128 iterations in all, after which the result is ESI = 0x3810 and EBX = 0x402A4FE7.)
22. Note that a = 0x61, b = 0x62, c = 0x63, ..., z = 0x7A, and A = 0x41, B = 0x42, C = 0x43, ..., Z = 0x5A.
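As an added example (my own code, not from the book), the loop of Figure (13) is packaged below as a reusable function, and the dictionary search gets a shortcut the book's listing does not use: every pass adds each character code once plus the positions 1..n, so ESI depends only on the sum of the character codes and the word length, ESI = 16 * (sum of codes + n(n+1)/2), and most words can be rejected with one addition before the 16-pass loop runs. The dictionary here is a tiny constructed list embedded in the code rather than a real english.dic, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASSES      16            /* MOV [LOCAL.2],10 in Figure (13) */
#define TARGET_ESI  0x3810u       /* CMP ESI,3810 */
#define TARGET_EBX  0x402A4FE7u   /* CMP EBX,402A4FE7 */

/* Replays the loop of Figure (13) on one word. Unsigned 32-bit arithmetic so that the
 * doubling of EBX wraps around exactly as the register does. */
void cracker_hash(const char *word, uint32_t *esi_out, uint32_t *ebx_out)
{
    size_t len = strlen(word);
    uint32_t esi = 0, ebx = 0;                          /* XOR EBX,EBX / XOR ESI,ESI */
    for (int pass = 0; pass < PASSES; pass++) {
        for (uint32_t edi = 1; edi <= len; edi++) {
            uint32_t eax = (unsigned char)word[edi - 1]; /* MOVZX EAX,BYTE PTR [EAX+EDI-1] */
            esi = eax + edi + esi;                      /* LEA EDX,[EDI+ESI]; ADD EAX,EDX; MOV ESI,EAX */
            ebx = (ebx + ebx) ^ esi;                    /* ADD EBX,EBX; XOR EBX,ESI */
            ebx += (esi % edi) + 1;                     /* CDQ; IDIV EDI; INC EDX; ADD EBX,EDX */
        }
    }
    *esi_out = esi;
    *ebx_out = ebx;
}

/* Closed form for ESI: after 16 passes ESI = 16 * (sum of codes + n(n+1)/2). No loop needed. */
uint32_t esi_closed_form(const char *word)
{
    uint32_t sum = 0, n = 0;
    for (; *word != '\0'; word++, n++)
        sum += (unsigned char)*word;
    return PASSES * (sum + n * (n + 1) / 2);
}

/* 1 if the word passes both checks of Figure (13). */
int matches(const char *word)
{
    uint32_t esi, ebx;
    if (esi_closed_form(word) != TARGET_ESI)            /* cheap reject before the full loop */
        return 0;
    cracker_hash(word, &esi, &ebx);
    return esi == TARGET_ESI && ebx == TARGET_EBX;
}

/* Returns the index of the first matching word in the list, or -1 if none matches. */
int dictionary_search(const char *const *words, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (matches(words[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed stand-in for english.dic. */
    static const char *const dict[] = { "aaron", "software", "firmware", "hardware" };
    uint32_t esi, ebx;
    cracker_hash("aaron", &esi, &ebx);
    printf("aaron: ESI=%X EBX=%X\n", esi, ebx);         /* the book's trace gives 2200 / BFC8757F */
    int hit = dictionary_search(dict, sizeof dict / sizeof dict[0]);
    if (hit >= 0)
        printf("Word is = %s\n", dict[hit]);
    return 0;
}
```

The closed form also tells you something about the target: for a word of n letters the character codes must add up to 897 - n(n+1)/2, which is why a word list can be filtered by length and letter sum before any real work is done.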

Chapter (3) - Basic Assembly Language

(1) Introduction
Assembly language was in fact created as a substitute for the binary code that the computer understands. Before high-level languages appeared, programs were written in assembly. Assembly code expresses directly the instructions the processor executes. For example:
ADD EAX, EDX
This instruction adds two numeric values. EAX and EDX are called registers; they can hold values, and they are stored inside the processor. The assembler turns this text into machine code: in a 32-bit code segment ADD EAX, EDX is the two bytes 03 C2 (the original shows 66 03 C2, which is the encoding in a 16-bit code segment, where the 66 prefix selects 32-bit operands; in 32-bit code the same bytes mean ADD AX, DX). The processor reads these bytes and executes the matching instruction. High-level languages like C translate their own language into assembly, and the assembler turns that into binary:
C code         >> Compiler >>   Assembly code    >> Assembler >>   Raw output (hex)
a = a + b;                      ADD EAX, EDX                       03 C2
Notice how simple the assembly code is here. The output depends entirely on the C code.
(2) bmaMumifh Assembly udk toHk;jyKwmvJ/
Assembly rSm y&dk*&rfa&;&wm[m cufcJw,fqdk&if C (odkU) tjcm;wpfckcktpm; Assembly udk
bmvdkU toHk;jyKMuygovJ/ tajzuawmh &Sif;ygw,f/ Assembly y&dk*&rfawG[m ao;i,fjyD; jrefqefvdkU
jzpfygw,f/ OmPf&nfwkvdk y&dk*&rfbmompum;awGrSm compiler awG[m uk'fudkxkwfay;EdkifzdkU cufcJvSyg
w,f/ Compiler awG[m b,favmufyifaumif;vmapumrl tjrefqHk;eJU t&G,ftpm;tao;qHk;jzpfzdkU
Assembly uk'fudkxkwfay;EdkifzdkU vkyf&ygw,f/ uk'fawGudk udk,fwdkifa&;om;Edkifr,fqdk&ifawmh ao;i,fjyD;jref
qefwJhuk'fudk xkwfay;EdkifrSmyg/ 'gayr,fh 'DvdkvkyfEdkifzdkUu high-level bmompum;awGxufpm&if
ydkrdkcufcJygw,f/
Another difference in some high-level languages is that, while running, they need DLL files for certain operations. For example, Visual C++ has msvcrt.dll, which contains its standard C functions. Most of the time this is fine, but sometimes there is trouble with DLL versions, so users always have to keep these files on their computer. For Visual C++ this isn't a big problem, since its files usually come with Windows. Visual Basic, however, cannot convert its language into Assembly code (version 5 and above can to a small degree, but not completely). VB programs depend on msvbvm50.dll, the Visual Basic Virtual Machine, and code written in VB calls this DLL a great many times. That is why VB programs are slow. Assembly is the fastest language: it only uses the Windows system DLLs such as kernel32.dll, user32.dll and so on.
Most people mistakenly believe that writing programs in Assembly language is impossible. It is certainly hard, but not impossible. Writing a large project in Assembly is really hard, so Assembly is mostly used either for small programs or for writing DLL files that must be fast when called from programs written in other languages. Likewise, there are big differences between DOS and Windows programs. DOS programs use interrupts as functions; in Windows it is the API, the Application Programming Interface. This interface contains the functions programs need. In DOS programs an interrupt has an interrupt number and a function number; in Windows, API functions have names (e.g. MessageBox, CreateWindowEx). You can import them from the DLLs. All of this is very easy in Assembly.
Chapter (3) - Basic Assembly Language - 27 -

(3) Assembly basics


(3.1) Opcodes
Assembly programs are built from opcodes. An opcode is an instruction the processor can understand. For example:
ADD
The ADD instruction adds two numeric values. Most opcodes have operands:
ADD EAX, EDX (destination, source)
ADD has two operands: a source and a destination. It adds the value of the source to the value of the destination and stores the result in the destination. Operands can be of several kinds (e.g. a register, a memory location or an immediate value).
(3.2) Registers
Register sizes are 8-bit, 16-bit and 32-bit (MMX processors can have more). 16-bit programs can use the 16-bit and 8-bit registers; 32-bit programs can also use the 32-bit registers.
Some registers are parts of other registers. For example, if EAX holds the value EA7823BBh, the other registers hold:
EAX  EA 78 23 BB
AX         23 BB
AH         23
AL            BB
AX, AH and AL are parts of EAX. EAX is a 32-bit register (available only on 80386 and later processors). AX is the lower 16 bits of EAX, AH is the upper byte of AX and AL is the lower byte of AX. So AX is 16-bit, while AL and AH are 8-bit. The example below shows the register values:
eax = EA7823BB (32-bit)
ax = 23BB (16-bit)
ah = 23 (8-bit)
al = BB (8-bit)
Registers are used like this:
low-level language        high-level language
mov eax, 12345678h        EAX = 12345678h (305419896)
mov cl, ah                CL = 56h (86)
sub cl, 10                CL = CL - 10
mov al, cl                AL = CL
Let's examine the code above a little. The MOV instruction can move a value from a register, a memory location or an immediate value into another register. Here the value of AH (the fourth position from the left in EAX) is copied into CL (the lowest part of the ECX register). Then 10 is subtracted from CL, and the result is put back into AL (the lowest part of EAX).
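The aliasing of AX, AH and AL inside EAX, and the four-instruction sequence above run on that model, as an added example that is not part of the tutorial (the struct and helper names cpu_t, lo16, hi8, lo8 and set_lo8 are my own):

```c
/* Added example (not from the tutorial): how AX, AH and AL alias the low bits of
 * EAX, then the four-instruction sequence from the table above run on that model.
 * Struct and helper names (cpu_t, lo16, hi8, lo8, set_lo8) are my own. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t eax, ecx; } cpu_t;

static uint16_t lo16(uint32_t r) { return (uint16_t)(r & 0xFFFFu); }      /* AX of EAX */
static uint8_t  hi8 (uint32_t r) { return (uint8_t)((r >> 8) & 0xFFu); }  /* AH of EAX */
static uint8_t  lo8 (uint32_t r) { return (uint8_t)(r & 0xFFu); }         /* AL (or CL of ECX) */

/* Writing an 8-bit sub-register leaves the other 24 bits of the full register
 * untouched, exactly as mov al, ... / mov cl, ... do on the processor. */
static void set_lo8(uint32_t *r, uint8_t v) { *r = (*r & 0xFFFFFF00u) | v; }

/* mov eax, 12345678h ; mov cl, ah ; sub cl, 10 ; mov al, cl */
static cpu_t run_sequence(void)
{
    cpu_t c = { 0, 0 };
    c.eax = 0x12345678u;                              /* EAX = 12345678h          */
    set_lo8(&c.ecx, hi8(c.eax));                      /* CL = AH = 56h            */
    set_lo8(&c.ecx, (uint8_t)(lo8(c.ecx) - 10));      /* CL = CL - 10 = 4Ch (76)  */
    set_lo8(&c.eax, lo8(c.ecx));                      /* AL = CL, EAX = 1234564Ch */
    return c;
}

int main(void)
{
    uint32_t eax = 0xEA7823BBu;   /* the value used in the text */
    printf("eax=%08X ax=%04X ah=%02X al=%02X\n", eax, lo16(eax), hi8(eax), lo8(eax));
    cpu_t c = run_sequence();
    printf("after the sequence: eax=%08X ecx=%08X\n", c.eax, c.ecx);
    return 0;
}
```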
There are many kinds of registers.
(3.2.1) General-purpose registers


EAX (Accumulator)  used for arithmetic and for holding strings.
EBX (Base)         used in connection with the stack.
ECX (Counter)      used for counting.
EDX (Data)         mostly holds the remainder of a division.
They have different names, but you can use them as you like.
(3.2.2) Segment registers
They are called segment registers because they are used for memory segments. In Windows you don't really need to know about them, because Windows uses a flat memory model. In DOS, memory is divided into 64KB segments, so to specify a memory address you have to give a segment and an offset, like 0172:0500 (segment:offset). In Windows a segment is 4GB in size, so segments aren't needed there. Segment registers are always 16-bit registers.
CS (Code Segment)   the memory block holding the code
DS (Data Segment)   the memory block holding the data
ES (Extra Segment)  mostly used for video operations
SS (Stack Segment)  register used to hold the addresses passed from routines
FS (286+)           general-purpose segment
GS (386+)           general-purpose segment
(3.2.3) Pointer/Index registers
In fact you can use the pointer registers (except EIP) as general-purpose registers, as long as you don't change their original value. They are called pointer registers because they frequently hold memory addresses. Some opcodes (movsb, scasb, ...) use them.

esi (source index)        used to specify the source of a string/array.
edi (destination index)   used to specify the destination of a string/array.
eip (instruction pointer) holds the address of the next instruction, so it cannot be changed directly. (See the "Olly Debugger" chapter.)
(3.2.4) Stack registers
There are two stack registers: ESP and EBP. ESP holds the current position of the stack in memory. EBP is used in functions as a pointer for local variables.
esp (stack pointer)  points to a specific position on the stack.
ebp (base pointer)   used together with the stack pointer for stack operations.
(4.0) Memory
This chapter explains how memory is handled in Windows.
(4.1) DOS & Win 3.xx
In the 16-bit programs found in DOS and Windows 3.xx, memory is divided into segments, each 64KB in size. To address memory you need a segment pointer and an offset pointer. The segment pointer indicates which segment is used, and the offset pointer the position inside that segment. See the figure below.
Memory
SEGMENT 1 (64kb) | SEGMENT 2 (64kb) | SEGMENT 3 (64kb) | SEGMENT 4 (64kb) | and so on

Remember that what I am explaining here applies to 16-bit programs. The diagram above divides the whole of memory into 64KB segments; there are at most 65536 segments. Let's look at one of those segments.
SEGMENT 1 (64kb)
Offset 1 | Offset 2 | Offset 3 | Offset 4 | Offset 5 | and so on

To point at a position inside a segment, an offset is used; an offset is a position inside a segment. A segment has at most 65536 offsets. To denote a place in memory you write:
SEGMENT:OFFSET
For example:
0030:4012
This means the segment is 0030 and the offset is 4012. To find that address, first go to segment 30, then look up offset 4012 inside that segment. In section (3) we studied the segment and pointer registers. The segment register types are:
CS (Code segment)
DS (Data Segment)
ES (Extra Segment)
SS (Stack Segment)
FS (286+)
GS (386+)
The names given describe their respective functions. CS holds the code currently being executed. DS is for fetching the data of the current segment. SS refers to the stack. ES, FS and GS are general-purpose and can be used for any segment. The pointer registers usually hold an offset, but the general-purpose registers AX, BX, CX and DX can be used for that too. IP points to the offset (in CS) of the instruction currently being executed.
The figure below shows the registers at work as seen in the Olly debugger while cracking. (Screenshot of the register pane; not reproduced here.)
SP holds the offset (in SS) of the current stack position.


(4.2) 32-bit Windows
When writing 16-bit programs, segments were indispensable. Fortunately, 32-bit Windows (95 and up) solved this problem. Segments still exist, but we no longer have to pay attention to them, because they are 4GB instead of 64KB. If you try to change one of the segment registers you will probably get into trouble with Windows. There are only offsets now, and they are 32-bit, so their range runs from 0 to 4,294,967,295. Any place in memory can be addressed with an offset alone. This is one of the best advantages of 32-bit over 16-bit. So you can forget about the segment registers for now and pay more attention to the other registers.
(5.0) Opcodes
Opcodes are the instructions for the processor. Opcodes are really the 'readable text' form of the raw hex code. That is why assembler is the lowest level among programming languages: whatever you write in assembler is converted directly into hex code.
In this chapter we'll discuss some of the arithmetic and bitwise opcodes. Other opcodes, such as the jump instructions and the compare opcodes, are discussed in later chapters.
(5.1) Basic arithmetic opcodes
MOV
This instruction is used to move (copy) a value from one place to another. A 'place' here can be a register, a memory location or an immediate value (a literal). The form of the mov instruction is:
mov destination, source;
You can move a value from one register to another. (Note: despite its name 'move', the instruction actually copies the value to the other place.)
mov edx, ecx;
The instruction above copies the contents of ECX into EDX. Source and destination must be the same size. The following instruction is not valid:
mov al, ecx; // invalid form
This opcode tries to put a DWORD (32-bit) value into a register that is only a byte (8-bit) in size. The mov instruction can't do that (other instructions can). The instructions below, however, are fine with mov, because source and destination don't differ in size:
mov al, bl;
mov cl, dl;
mov cx, dx;
mov ecx, ebx;
A memory location is indicated by an offset. You can take a value from a specific place in memory and put it in a register. Take the table below as an example.
offset 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42
data 0D 0A 50 32 44 57 25 7A 5E 72 EF 7D FF AD C7

(Each cell represents one byte.)


Although an offset here refers to a single byte, the offset itself is 32-bit. Take 3A, for example: it is really the 32-bit value 0000003Ah. To save space, small offset values that aren't normally in use are used here. All values are hex.
Look at offset 3A in the table above. The data at this offset is 25, 7A, 5E, 72, EF, and so on. The form to load the value at offset 3A into a register with mov is:
mov eax, dword ptr [0000003Ah];
The instruction mov eax, dword ptr [0000003Ah] means: put the 32-bit DWORD value at memory location 3Ah into the EAX register. After this instruction executes, EAX holds the value 725E7A25h. Notice that the bytes in memory (25 7A 5E 72) appear reversed. That is because values stored in memory are ordered little-endian: the rightmost byte is the most significant one, so the byte order is reversed. A few examples will make it clear.
The DWORD (32-bit) value 10203040h is stored in memory as: 40 30 20 10 (each value is one byte (8-bit)).
The WORD (16-bit) value 4050h is stored in memory as: 50 40
Let's look at a few more for clarity.
mov cl, byte ptr [34h] ; cl = 0Dh (see the table above)
mov dx, word ptr [3Eh] ; dx = 7DEFh (see the table above; remember the reversed byte order)
The size is sometimes not important:
mov eax, [00403045h];
Because EAX is a 32-bit register, the assembler assumes that a 32-bit value must be taken from memory location 00403045h.
Immediate values can also be used:
mov edx, 5006;
This puts the value 5006 in EDX. The square brackets mean: fetch the value from the memory location inside the brackets.
mov eax, 403045h ; eax = 403045h
mov cx, [eax] ; puts the WORD-sized value at memory location EAX (403045) into register CX.
In mov cx, [eax], the processor first looks at the value in EAX (a memory location). Then it determines the value at that place in memory and puts that WORD (16-bit, because CX is a 16-bit register) into CX.
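The byte table above placed in a small array, with little-endian reads of the three sizes mov uses and the reverse direction (how a DWORD is laid out when stored), as an added example that is not part of the tutorial (the array name mem, MEM_BASE and the helper names are my own):

```c
/* Added example (not from the tutorial): the byte table from the text placed in a
 * small "memory" array starting at offset 34h, with little-endian reads of the
 * BYTE PTR / WORD PTR / DWORD PTR sizes that mov uses, and the reverse direction
 * (how a DWORD is laid out when stored). Helper names are my own. */
#include <stdint.h>
#include <stdio.h>

#define MEM_BASE 0x34u
/* Constructed from the table in the text: offset 34h holds 0Dh, 35h holds 0Ah, ... */
static const uint8_t mem[] = {
    0x0D, 0x0A, 0x50, 0x32, 0x44, 0x57, 0x25, 0x7A,
    0x5E, 0x72, 0xEF, 0x7D, 0xFF, 0xAD, 0xC7 };

/* byte ptr [off]; reads outside the table return 0 instead of running off the array */
static uint8_t byte_at(uint32_t off)
{
    if (off < MEM_BASE || off - MEM_BASE >= sizeof mem) return 0;
    return mem[off - MEM_BASE];
}

/* word ptr [off]: the byte at the lower address is the low byte */
static uint16_t word_at(uint32_t off)
{
    return (uint16_t)(byte_at(off) | (byte_at(off + 1) << 8));
}

/* dword ptr [off]: least significant byte at the lowest address */
static uint32_t dword_at(uint32_t off)
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | byte_at(off + (uint32_t)i);
    return v;
}

/* Byte i (0 = lowest address) of a DWORD as it sits in memory */
static uint8_t stored_byte(uint32_t value, int i) { return (uint8_t)(value >> (8 * i)); }

int main(void)
{
    printf("mov eax, dword ptr [3Ah] -> %08X\n", dword_at(0x3A)); /* 725E7A25 */
    printf("mov cl, byte ptr [34h]   -> %02X\n", byte_at(0x34));  /* 0D */
    printf("mov dx, word ptr [3Eh]   -> %04X\n", word_at(0x3E));  /* 7DEF */
    printf("10203040h in memory:");
    for (int i = 0; i < 4; i++) printf(" %02X", stored_byte(0x10203040u, i)); /* 40 30 20 10 */
    printf("\n");
    return 0;
}
```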
ADD, SUB, MUL, DIV
Many opcodes perform arithmetic, and you can guess most of their names: ADD (addition), SUB (subtraction), MUL (multiplication), DIV (division), and so on.
The ADD opcode has the following form:
add destination, source
The computation is: destination = destination + source. The following forms are allowed:
Destination Source Example
Register Register add ecx, edx
Register Memory add ecx, dword ptr [104h] / add ecx, [edx]
Register Immediate value add eax, 102
Memory Immediate value add dword ptr [401231h], 80
Memory Register add dword ptr [401231h], edx
This instruction is very simple: it takes the value of the source, adds it to the destination, and stores the result in the destination. Other arithmetic instructions are:
sub destination, source (destination = destination - source)
mul destination, source (destination = destination * source)
div source (eax = eax / source, edx = remainder)
Subtraction works the same way as addition. Multiplication is dest = dest * source. Division is a little special, because the registers hold integer values (that is, not decimals). The result of a division is split into a quotient and a remainder. For example:
28/6 -> quotient=4, remainder=4
30/9 -> quotient=3, remainder=3
97/10 -> quotient=9, remainder=7
18/6 -> quotient=3, remainder=0
Now, depending on the size of the source, the quotient is stored in EAX (or a part of EAX) and the remainder in EDX (or a part of EDX).
Source size        Division           Quotient   Remainder
BYTE (8-bits)      ax / source        AL         AH
WORD (16-bits)     dx:ax* / source    AX         DX
DWORD (32-bits)    edx:eax* / source  EAX        EDX

* Example: if DX = 2030h and AX = 0040h, then DX:AX = 20300040h. DX:AX is a DWORD value with DX as the high WORD and AX as the low WORD. EDX:EAX is a QuadWORD (64-bit) value with EDX as the high part and EAX as the low part.
The source of the DIV opcode can be:
• 8-bit register (AL, AH, CL,...)
• 16-bit register (AX, DX, ...)
• 32-bit register (EAX, EDX, ECX, ...)
• 8-bit memory value (BYTE PTR [xxxx])
• 16-bit memory value (WORD PTR [xxxx])
• 32-bit memory value (DWORD PTR [xxxx])
The source can't be an immediate value, because the processor would have no way to determine the size of the source operand.
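A model of the unsigned DIV opcode for the three source sizes in the table above, as an added example that is not part of the tutorial. It also covers a case the table does not show: a zero divisor, or a quotient too large for the destination, makes the real processor raise a divide error (#DE). The struct and function names (regs_t, div_byte, div_word, div_dword, after_div) are my own.

```c
/* Added example (not from the tutorial): a model of the unsigned DIV opcode for
 * the three source sizes in the table above, including the case the table does
 * not show: a zero divisor or a quotient too large for the destination makes the
 * real processor raise a divide error (#DE). Struct and function names are mine. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t eax, edx; } regs_t;

#define DIV_ERROR UINT64_MAX   /* returned by after_div where the CPU would raise #DE */

static int div_byte(regs_t *r, uint8_t src)     /* div r8:  AX / src -> AL, AH */
{
    uint16_t ax = (uint16_t)r->eax;
    if (src == 0 || ax / src > 0xFF) return -1;
    r->eax = (r->eax & 0xFFFF0000u) | ((uint32_t)(ax % src) << 8) | (ax / src);
    return 0;
}

static int div_word(regs_t *r, uint16_t src)    /* div r16: DX:AX / src -> AX, DX */
{
    uint32_t dxax = ((r->edx & 0xFFFFu) << 16) | (r->eax & 0xFFFFu);
    if (src == 0 || dxax / src > 0xFFFF) return -1;
    r->eax = (r->eax & 0xFFFF0000u) | (dxax / src);   /* AX = quotient  */
    r->edx = (r->edx & 0xFFFF0000u) | (dxax % src);   /* DX = remainder */
    return 0;
}

static int div_dword(regs_t *r, uint32_t src)   /* div r32: EDX:EAX / src -> EAX, EDX */
{
    uint64_t v = ((uint64_t)r->edx << 32) | r->eax;
    if (src == 0 || v / src > 0xFFFFFFFFu) return -1;
    r->eax = (uint32_t)(v / src);                      /* EAX = quotient  */
    r->edx = (uint32_t)(v % src);                      /* EDX = remainder */
    return 0;
}

/* Runs one DIV with the given source width (8, 16 or 32 bits) on the given
 * EDX/EAX and returns the resulting EDX:EAX packed, or DIV_ERROR. */
static uint64_t after_div(int width, uint32_t edx, uint32_t eax, uint32_t src)
{
    regs_t r = { eax, edx };
    int rc = width == 8  ? div_byte(&r, (uint8_t)src)
           : width == 16 ? div_word(&r, (uint16_t)src)
           :               div_dword(&r, src);
    if (rc != 0) return DIV_ERROR;
    return ((uint64_t)r.edx << 32) | r.eax;
}

int main(void)
{
    uint64_t v = after_div(32, 0, 97, 10);         /* 97/10 -> EAX=9, EDX=7 */
    printf("97/10: EAX=%u EDX=%u\n", (uint32_t)v, (uint32_t)(v >> 32));
    v = after_div(16, 0x2030, 0x0040, 0x4000);     /* DX:AX = 20300040h, as in the footnote */
    printf("20300040h/4000h: AX=%04X DX=%04X\n", (uint32_t)v & 0xFFFF, (uint32_t)(v >> 32) & 0xFFFF);
    if (after_div(8, 0, 0x0100, 1) == DIV_ERROR)   /* 100h/1 = 100h does not fit in AL */
        printf("div by 1 with AX=0100h: divide error\n");
    return 0;
}
```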
BITWISE OPERATIONS
These instructions, with the exception of NOT, need both a source and a destination. Each bit of the destination is combined with the corresponding bit of the source, and depending on the instruction the destination bit is set to 0 or 1.
Instruction       AND        OR         XOR        NOT
Source bit        0 0 1 1    0 0 1 1    0 0 1 1    0 1
Destination bit   0 1 0 1    0 1 0 1    0 1 0 1    X X
Result            0 0 0 1    0 1 1 1    0 1 1 0    1 0
Example:
mov ax, 3406;
mov dx, 13EAh;
xor ax, dx;
ax = 3406 (dec) = 0000110101001110 (bin)
dx = 13EA (hex) = 0001001111101010 (bin)
Source      0001001111101010 (dx)
Destination 0000110101001110 (ax)
Result      0001111010100101 (dx)

After this instruction, dx = 0001111010100101 [7845 (dec), 1EA5 (hex)]


Another example:
mov ecx, FFFF0000h;
not ecx;
FFFF0000 = 11111111111111110000000000000000 (bin) (16 1's, 16 0's)
If you invert every bit, you get:
00000000000000001111111111111111 (16 0's, 16 1's) = 0000FFFF (hex)
So after the NOT operation the value of ECX is 0000FFFFh.
IN/DECREMENTS
The simplest instructions are DEC and INC. They add or subtract one to/from a register or memory location. Simply put...
inc reg -> reg = reg + 1
dec reg -> reg = reg - 1
inc dword ptr [103405] -> adds one to the value at [103405]
dec dword ptr [103405] -> subtracts one from the value at [103405]
NOP
This instruction does absolutely nothing. Don't think it is useless because it does nothing: it is used a lot in cracking, most of all when patching code.
Bit Rotation and Shifting
Note: most of the examples below use only 8-bit numbers, but for clarity I'll illustrate them with diagrams.
Shift functions
SHL destination, count
SHR destination, count
SHL and SHR shift the bits of a register/memory location left/right by the given count.
Example
; assume al = 01011011 (bin) here
shr al, 3 ; al = 00001011
This means the bits in the AL register are shifted 3 positions to the right, so AL becomes 00001011. The bits on the left are replaced with zeros and the bits on the right are shifted out. The last bit shifted out is saved in the carry flag. The carry bit is a bit in the processor's flag register. It isn't a register like EAX or ECX that you handle directly (although there are opcodes for that); its value depends on the result of an instruction. This will be explained later. One thing to remember is that carry is a bit in the flag register that can be switched on or off, and that this bit equals the last bit shifted out.
shl is like shr, but shifts to the left.
; assume bl = 11100101 (binary) here
shl bl, 2;
After the instruction BL is 10010100 (bin). The last two bits are filled with zeros. The carry bit is 1, because the last bit shifted out was 1.
After that there are two more opcodes:
SAL destination, count (Shift Arithmetic Left)
SAR destination, count (Shift Arithmetic Right)
SAL is the same as SHL, but SAR is not the same as SHR: instead of shifting in zeros, SAR copies in the MSB (most significant bit). Example:
al = 10100110
sar al, 3
al = 11110100
sar al, 2
al = 11111101
bl = 00100110
sar bl, 3
bl = 00000010
Rotation functions
rol destination, count ; rotate left
ror destination, count ; rotate right
rcl destination, count ; rotate left through carry
rcr destination, count ; rotate right through carry
Rotating is like shifting, except that the bits pushed out are moved back in on the other side.
Example: ror (rotate right)
                 Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0
Before             1     0     0     1     1     0     1     1
Rotate, count=3    1     0     0     1     1     0     1     1   (bits shifted out)
Result             1     1     0     1     0     0     1     1
As the figure shows, the bits are rotated: every bit pushed out is moved back in on the other side. As with shifting, the carry bit holds the last bit shifted out. RCL and RCR are the same as ROL and ROR, except that, as their names say, they use the carry bit to carry the last bit shifted out. ROL and ROR are alike, so there is no other difference between them.
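8-bit models of SHR, SHL, SAR and ROR that also produce the carry flag, so the shift examples in the text can be checked, as an added example that is not part of the tutorial (counts outside 1..7 are not modelled; the struct and function names result_t, shr8, shl8, sar8 and ror8 are my own):

```c
/* Added example (not from the tutorial): 8-bit models of SHR, SHL, SAR and ROR that
 * also produce the carry flag, so the shift examples in the text can be checked.
 * Counts outside 1..7 are not modelled and leave the value unchanged with CF=0.
 * Struct and function names are my own. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t value; int cf; } result_t;   /* destination and carry flag */

static result_t unchanged(uint8_t v) { result_t r = { v, 0 }; return r; }
static int bad_count(int c) { return c < 1 || c > 7; }

/* shr: zeros enter from the left; CF = last bit pushed out on the right */
static result_t shr8(uint8_t v, int count)
{
    if (bad_count(count)) return unchanged(v);
    result_t r = { (uint8_t)(v >> count), (v >> (count - 1)) & 1 };
    return r;
}

/* shl: zeros enter from the right; CF = last bit pushed out on the left */
static result_t shl8(uint8_t v, int count)
{
    if (bad_count(count)) return unchanged(v);
    result_t r = { (uint8_t)(v << count), (v >> (8 - count)) & 1 };
    return r;
}

/* sar: like shr, but copies of the MSB (sign bit) enter instead of zeros */
static result_t sar8(uint8_t v, int count)
{
    if (bad_count(count)) return unchanged(v);
    uint8_t fill = (v & 0x80) ? (uint8_t)(0xFF << (8 - count)) : 0;
    result_t r = { (uint8_t)((v >> count) | fill), (v >> (count - 1)) & 1 };
    return r;
}

/* ror: bits pushed out on the right re-enter on the left; CF = last bit rotated in */
static result_t ror8(uint8_t v, int count)
{
    if (bad_count(count)) return unchanged(v);
    uint8_t out = (uint8_t)((v >> count) | (v << (8 - count)));
    result_t r = { out, (out >> 7) & 1 };
    return r;
}

static void show(const char *op, uint8_t before, result_t r)
{
    printf("%-10s %02X -> %02X  CF=%d\n", op, before, r.value, r.cf);
}

int main(void)
{
    show("shr al, 3", 0x5B, shr8(0x5B, 3));   /* 01011011 -> 00001011, CF=0 */
    show("shl bl, 2", 0xE5, shl8(0xE5, 2));   /* 11100101 -> 10010100, CF=1 */
    show("sar al, 3", 0xA6, sar8(0xA6, 3));   /* 10100110 -> 11110100 */
    show("sar al, 2", 0xF4, sar8(0xF4, 2));   /* 11110100 -> 11111101 */
    show("ror al, 3", 0x9B, ror8(0x9B, 3));   /* 10011011 -> 01110011, CF=0 */
    return 0;
}
```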
Exchange
The XCHG instruction is very simple. It exchanges two registers, or a register and a memory location.
eax = 237h
ecx = 978h
xchg eax, ecx
eax = 978h
ecx = 237h
(6.0) File structure
Assembly source files are divided into sections: code, data, uninitialized data, constants, resources and relocations. Resource sections are produced from the resource file (see later). The relocation section isn't important for us (it may contain information the PE loader needs to load the program at another place in memory). The important sections are code, data, uninitialized data and constants. The code section contains, as you'd expect, the code. The data section contains readable/writable data; the whole data section is included in the exe file and is usually initialized with data.
Uninitialized data contains nothing at first; it isn't even in the exe file. It is just a piece of memory that Windows sets aside. This section can be read and written. Constants are like the data section, but read-only. This section can be used only for constants, but it is easier and faster to declare constants in an include file and then simply use them as immediate values.
tcef;(3) - tajccH Assembly bmompum; - 35 -

(6.1) Section indicators


In your source files you have to define the sections:
.code ; the code section starts here
.data ; the data section starts here
.data? ; uninitialized data starts here
.const ; the constants section starts here
Executable files (*.exe, *.dll, ...) in Win32 use the PE (portable executable) format. Apart from a few important points I won't discuss it in detail here (the PE header chapter covers it in detail). Sections are predefined in the PE header with a few attributes: section name, RVA, offset, raw size, virtual size and flags. The RVA (relative virtual address) is the relative memory location the section is loaded at; relative here means relative to the base address the program has in memory at run time. That address is also in the PE header, but the PE loader can change it (using the relocation section). The offset is simply the raw offset of the section's first data within the exe file. The virtual size is the size the section will have in memory. The flags are flags for readable/writable/executable and so on.
(6.2) Sample program
This is a sample program:
.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax
This program won't assemble properly, but that doesn't matter. Everything you put in a section of your assembly program ends up in the exe file and is loaded into memory with the program. The data section above has three labels: Number1, Number2 and Number3. These labels hold the offset of their position in the program, so you can use them to refer to a place in your program. DD puts a DWORD value directly at that place; DW is a word and DB a byte. With DB you can use strings, because a string is just a sequence of byte values.
For example:
33,20,01,00,00,01,00,02,00,03,00,04,62,6c,61,62,6c,61,00 (all hex numbers)
(Each value is one byte.)
Some of these numbers are coloured in the original: Number1 refers to the memory location of the first byte, 33; Number2 to the 00 that follows it (the fifth byte, shown in red); Number3 to the first 62 (shown in green). If you use this in your program ...
mov ecx, Number1
really means
mov ecx, dword ptr [memory location where the dword 12033h is]
but this one
mov ecx, offset Number1
means ...
mov ecx, memory location where the dword 12033h is
In the first example, ECX receives the value stored at Number1's memory location. In the second, ECX becomes the memory location (offset) itself. The two examples below have the same effect:
(1)
mov ecx, Number1
(2)
mov ecx, offset Number1
mov ecx, dword ptr [ecx] (or mov ecx, [ecx])
Now let's look at the example again.
.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax
The label Value can be used like Number1, Number2 and Number3, but at first it holds zero, because it sits in the uninitialized data section. The advantage is that everything you declare in .data? is not stored in the executable, only in memory.
.data?
ManyBytes1 db 5000 dup (?)
.data
ManyBytes2 db 5000 dup (0)
(5000 dup = 5000 duplicates. Value db 4,4,4,4,4,4,4 = Value db 7 dup (4).)
ManyBytes1 itself is not in the file; it only reserves 5000 bytes in memory. ManyBytes2, however, is in the executable and makes the file 5000 bytes bigger. Since your file would then carry 5000 zeros, that isn't very useful.
The code section is simply assembled (converted into raw code) and placed in the executable (and, at load time, in memory).
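The .data section of the sample program laid out byte for byte, showing that labels are offsets, how Number1 differs from offset Number1, and what the four instructions leave in Value, as an added example that is not part of the tutorial (the names data_section, word_at, dword_at, run_sample and number3_string are my own):

```c
/* Added example (not from the tutorial): the .data section of the sample program
 * laid out as bytes, to show what the labels are (offsets), how "Number1" differs
 * from "offset Number1", and what the four instructions leave in Value.
 * Names such as data_section and run_sample are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte for byte as the assembler would emit it (little-endian):
 *   Number1 dd 12033h              -> 33 20 01 00
 *   Number2 dw 100h,200h,300h,400h -> 00 01 00 02 00 03 00 04
 *   Number3 db "blabla",0          -> 62 6c 61 62 6c 61 00 */
static const uint8_t data_section[] = {
    0x33, 0x20, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04,
    'b', 'l', 'a', 'b', 'l', 'a', 0x00 };

/* Labels are nothing more than offsets into the section. */
enum { Number1 = 0, Number2 = 4, Number3 = 12 };

/* word ptr [off], little-endian; 0 for an offset outside the section */
static uint16_t word_at(uint32_t off)
{
    if (off + 1 >= sizeof data_section) return 0;
    return (uint16_t)(data_section[off] | (data_section[off + 1] << 8));
}

/* dword ptr [off] built from two little-endian words */
static uint32_t dword_at(uint32_t off)
{
    return word_at(off) | ((uint32_t)word_at(off + 2) << 16);
}

static const char *number3_string(void) { return (const char *)&data_section[Number3]; }

/* mov eax, Number1 / mov ecx, offset Number2 / add ax, word ptr [ecx+4] / mov Value, eax */
static uint32_t run_sample(void)
{
    uint32_t eax = dword_at(Number1);          /* mov eax, Number1        -> 00012033h   */
    uint32_t ecx = Number2;                    /* mov ecx, offset Number2 -> 4, the offset */
    uint16_t ax  = (uint16_t)eax;
    ax = (uint16_t)(ax + word_at(ecx + 4));    /* add ax, word ptr [ecx+4]: 2033h + 300h  */
    eax = (eax & 0xFFFF0000u) | ax;            /* the upper 16 bits of EAX stay untouched */
    return eax;                                /* mov Value, eax          -> 00012333h   */
}

int main(void)
{
    printf("mov ecx, Number1        -> %08X\n", dword_at(Number1));  /* 00012033 */
    printf("mov ecx, offset Number1 -> %08X\n", (unsigned)Number1);  /* 00000000 */
    printf("Value after the sample  -> %08X\n", run_sample());       /* 00012333 */
    printf("Number3 is \"%s\" (%zu bytes + NUL)\n", number3_string(), strlen(number3_string()));
    return 0;
}
```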
(7.0) Conditional Jumps
In the code section, labels can be used like this:
.code
mov eax, edx
sub eax, ecx
cmp eax, 2
jz loc1
xor eax, eax
jmp loc2
loc1:
xor eax, eax
inc eax
loc2:
(xor eax, eax means eax = 0.)
Let's examine the code.
mov eax, edx ; put EDX in EAX
sub eax, ecx ; subtract ECX from EAX
cmp eax, 2 ; compare EAX with 2


Cmp is a new instruction; cmp means 'compare'. It compares two values (reg, mem, imm) and sets the Z-flag if they are equal. The zero flag, like carry, is a bit in the flag register.
jz loc1;
This is also new: a conditional jump. Jz = jump if zero, meaning it jumps when the zero flag is set. loc1 is a label for an offset in memory, the place where the instructions 'xor eax, eax | inc eax' begin. So jz loc1 jumps to the instruction at loc1 if the zero flag is set.
cmp eax, 2 ; sets the zero flag if EAX=2
jz loc1 ; jumps to loc1 if the zero flag is set
=
if EAX equals 2, jump to the instruction at loc1.
Next comes jmp loc2. It is also a jump, but an unconditional one: it always jumps. The code above rewritten exactly in C:
if ((edx - ecx)==2)
{
eax = 1;
}
else
{
eax = 0;
}
In the BASIC programming language:
IF (edx - ecx)=2 THEN
EAX = 1
ELSE
EAX = 0
END IF
(7.1) Flag register
The flag register holds flags that are set or cleared depending on computations and other events. I won't discuss all of them, only the important ones.
ZF (Zero flag)
Set when the result of a computation is zero. (A compare is really just a subtraction whose result isn't stored, but the flags are set.)
SF (Sign flag)
When this flag is set, the result of the computation is negative.
CF (Carry flag)
After a computation, receives the leftmost bit (the bit carried out of the destination).
OF (Overflow flag)
Indicates that a computation overflowed, i.e. the result doesn't fit in the destination.
There are other flags as well (Parity, Auxiliary, Trap, Interrupt, Direction, IOPL, Nested Task, Resume & Virtual Mode), but since we won't use them I won't explain them.
(7.2) Jump series


Below is the full list of conditional jumps. They jump depending on the state of the flags, but most have self-explanatory names, so you don't need to know how each jump is defined. For example, 'Jump if greater or equal' (jge) is 'Sign flag = Overflow flag'. Another: when you see 'Jump if zero', read it as 'Jump if Zero flag = 1'.
How to read the table
'Jump if above' means:
cmp x, y; // compare x and y
// jump if x is above y

Opcode Meaning Condition


JA Jump if above CF=0 & ZF=0
JAE Jump if above or equal CF=0
JB Jump if below CF=1
JBE Jump if below or equal CF=1 or ZF=1
JC Jump if carry CF=1
JCXZ Jump if CX=0 register CX=0
JE (is the same as JZ) Jump if equal ZF=1
JG Jump if greater (signed) ZF=0 & SF=OF
JGE Jump if greater or equal (signed) SF=OF
JL Jump if less (signed) SF != OF
JLE Jump if less or equal (signed) ZF=1 or SF!=OF
JMP Unconditional Jump -
JNA Jump if not above CF=1 or ZF=1
JNAE Jump if not above or equal CF=1
JNB Jump if not below CF=0
JNBE Jump if not below or equal CF=1 & ZF=0
JNC Jump if not carry CF=0
JNE Jump if not equal ZF=0
JNG Jump if not greater (signed) ZF=1 or SF!=OF
JNGE Jump if not greater or equal (signed) SF!=OF
JNL Jump if not less (signed) SF=OF
JNLE Jump if not less or equal (signed) ZF=0 & SF=OF
JNO Jump if not overflow (signed) OF=0
JNP Jump if no parity PF=0
JNS Jump if not signed (signed) SF=0
JNZ Jump if not zero ZF=0
JO Jump if overflow (signed) OF=1
JP Jump if parity PF=1
JPE Jump if parity even PF=1
JPO Jump if parity odd PF=0
JS Jump if signed (signed) SF=1
JZ Jump if zero ZF=1
All jump instructions need only one operand: the offset of the place to jump to. If you look closely at the table you will see an unconditional jump (JMP). It doesn't compare anything; it simply jumps.
(8.0) A word about numbers


In most programming languages, whether a variable holds an integer or a floating-point number depends on its declaration. In assembler the two are completely different. Floating-point calculations need special opcodes, executed by an extra processor called the FPU (floating point unit). Floating-point instructions are discussed later; first, integers. In C there are two kinds of integers: signed and unsigned. Signed numbers carry a plus/minus sign; unsigned numbers are always positive. Let's look at the differences in the table below. (Again, the example uses a byte; other sizes work the same way.)
Value    00 01 02 03 ... 7F  80 ...  FC  FD  FE  FF
Unsigned 00 01 02 03 ... 7F  80 ...  FC  FD  FE  FF
Signed   00 01 02 03 ... 7F -80 ... -04 -03 -02 -01
So for signed numbers the byte is split into two parts: 0 to 7F for positive values and 80 to FF for negative values. The same holds for larger values: positive = 0 - 7FFFFFFFh, negative = 80000000 - FFFFFFFFh. As you noticed, negative numbers have the most significant bit set, because they are at or above 80000000h. This bit is called the sign bit.
(8.1) Signed or unsigned?
Neither you nor the processor can tell whether a value is signed or unsigned. The good news is that for addition and subtraction it does not matter whether a number is signed or unsigned.
Calculate: -4 + 9
FFFFFFFC + 00000009 = 00000005. (Correct.)
Calculate: 5 - (-9)
00000005 - FFFFFFF7 = 0000000E (also correct.) (5 - -9 = 14)
The bad news is that this does not hold for multiplication, division and comparison. That is why there are special mul and div opcodes for signed numbers.
imul and idiv
An advantage imul has over mul is that it can take immediate values.
imul src
imul src, immed
imul dest,src, 8 bit immed
imul dest,src
idiv src
They are like mul and div, but they compute with signed values only. Comparison is used the same way for signed and unsigned numbers, but the flags are set differently. That is why there are different jump instructions for signed and unsigned numbers.
cmp ax, bx
ja offset
JA is an unsigned jump (Jump if above). Consider ax = FFFFh (FFFFh unsigned, -1 signed) and bx = 0005h (5 unsigned, 5 signed). Because FFFFh is higher than 0005 as an (unsigned) value, the JA instruction will jump. The JG instruction, however, is the signed jump:
cmp ax, bx
jg somewhere
The JG instruction will not jump, because -1 is not greater than 5.
Remember: whether a number is signed or unsigned depends only on how you treat it.
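As an added example (not from the book), the following C program models the behaviour this section describes, treating 16- and 32-bit registers as C integer types; each function is named after the x86 instruction it stands in for.

```c
/* Added example (not from the book): two's-complement arithmetic and the
 * signed/unsigned distinction, with registers modelled as C integer types. */
#include <stdint.h>
#include <stdio.h>

/* ADD / SUB: the result's bit pattern is the same whether the operands are
 * read as signed or unsigned, which is why -4 + 9 and 5 - (-9) just work. */
uint32_t add_bits(uint32_t a, uint32_t b) { return a + b; }
uint32_t sub_bits(uint32_t a, uint32_t b) { return a - b; }

/* CMP ax, bx followed by JA: unsigned "above" (taken when CF=0 and ZF=0). */
int ja_taken(uint16_t ax, uint16_t bx) { return ax > bx; }

/* CMP ax, bx followed by JG: signed "greater" (taken when ZF=0 and SF=OF). */
int jg_taken(uint16_t ax, uint16_t bx) { return (int16_t)ax > (int16_t)bx; }

/* MUL src (16-bit): DX:AX = AX * src, both operands read as unsigned. */
uint32_t mul16(uint16_t ax, uint16_t src) {
    return (uint32_t)ax * (uint32_t)src;
}

/* IMUL src (16-bit): DX:AX = AX * src, both operands read as signed. */
int32_t imul16(uint16_t ax, uint16_t src) {
    return (int32_t)(int16_t)ax * (int32_t)(int16_t)src;
}

/* DIV src (16-bit): AX = DX:AX / src, unsigned. On the CPU the quotient must
 * fit in 16 bits or a divide error is raised; callers here stay in range. */
uint16_t div16(uint32_t dxax, uint16_t src) {
    return (uint16_t)(dxax / src);
}

/* IDIV src (16-bit): AX = DX:AX / src, signed. */
int16_t idiv16(int32_t dxax, int16_t src) {
    return (int16_t)(dxax / src);
}

int main(void) {
    printf("-4 + 9   -> %08X\n", (unsigned)add_bits(0xFFFFFFFCu, 9));   /* 00000005 */
    printf("5 - (-9) -> %08X\n", (unsigned)sub_bits(5, 0xFFFFFFF7u));   /* 0000000E */
    printf("ax=FFFFh bx=0005h: JA taken=%d, JG taken=%d\n",
           ja_taken(0xFFFF, 5), jg_taken(0xFFFF, 5));                   /* 1, 0 */
    printf("FFFFh * 2: MUL -> %08X, IMUL -> %08X\n",
           (unsigned)mul16(0xFFFF, 2),
           (unsigned)(uint32_t)imul16(0xFFFF, 2));                      /* 0001FFFE, FFFFFFFE */
    printf("FFFEh / 2: DIV -> %04X, IDIV (-2 / 2) -> %d\n",
           div16(0xFFFE, 2), idiv16(-2, 2));                            /* 7FFF, -1 */
    return 0;
}
```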

(9.0) More opcodes


Here are a few more opcodes.
TEST
TEST performs a logical AND of its two operands, dest and src, and sets the flag register according to the result; the result itself is not stored. TEST is used, as in the example, to test a single bit in a register.
test eax, 100b ; (b is short for binary)
jnz bitset
If the third bit (counting from the right) of EAX is set, JNZ will jump. The most common use of TEST is to check whether a register is zero.
test ecx, ecx
jz somewhere
If ECX is zero, JZ will jump.

STACK OPCODES
Before talking about stack opcodes, let me first explain what the stack is. The stack is an area of memory pointed to by ESP, the stack pointer register. It is a place for keeping temporary values. Two instructions store and retrieve values: PUSH and POP. PUSH places a value on the stack and POP pulls it back off. The value pushed last is popped first. When a value is placed on the stack the stack pointer decreases; when it is removed the stack pointer increases.
Look at the example:
(1) mov ecx, 100
(2) mov eax, 200
(3) push ecx ; save ECX
(4) push eax
(5) xor ecx, eax
(6) add ecx, 400
(7) mov edx, ecx
(8) pop ebx
(9) pop ecx
Explanation
1: Put 100 in ECX.
2: Put 200 in EAX.
3: push ecx (=100) (the first value placed on the stack.)
4: push eax (=200) (the last value placed on the stack.)
5/6/7: Operations on ECX; the value of ECX changes.
8: pop ebx: EBX becomes 200. (Pushed last, so popped first.)
9: pop ecx: ECX becomes 100. (Pushed first, so popped last.)
To see what happens in memory when PUSHing and POPping, look at the tables below.
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  00   00   00   00   00   00   00   00   00
ESP -> 1207
(Here the stack is shown filled with zeros at the start, but in reality that is not the case. ESP marks the offset that ESP points to.)
mov ax, 4560h
push ax

Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  00   00   60   45   00   00   00   00   00
ESP -> 1205
mov cx, FFFFh
push cx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  FF   FF   60   45   00   00   00   00   00
ESP -> 1203
pop edx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  FF   FF   60   45   00   00   00   00   00
ESP -> 1207
Now EDX is 4560FFFFh.
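As an added example (not from the book), here is a byte-level C model of the stack tables above: memory covers offsets 1203h..120Bh, ESP is an offset into it, and values are stored little-endian, so pushing 4560h then FFFFh leaves FF FF 60 45 in memory and a dword pop reads back 4560FFFFh.

```c
/* Added example (not from the book): a tiny model of the PUSH/POP sequence
 * drawn in the tables above, with the same memory offsets and ESP values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_BASE 0x1203u            /* offset of mem[0], as in the tables */
#define MEM_SIZE 9u                 /* offsets 1203h .. 120Bh */

typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint32_t esp;                   /* stack pointer, kept as an offset */
} Stack;

/* Zero-filled stack as the book draws it; ESP starts at 1207h, the position
 * implied by where the first PUSH lands (1205h..1206h). */
void stack_init(Stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = 0x1207u;
}

/* PUSH of a 16-bit register: ESP -= 2, then store the word at [ESP]. */
void push16(Stack *s, uint16_t v) {
    s->esp -= 2;
    s->mem[s->esp - MEM_BASE]     = (uint8_t)(v & 0xFF);   /* low byte at the lower address */
    s->mem[s->esp - MEM_BASE + 1] = (uint8_t)(v >> 8);
}

/* POP into a 32-bit register: read the dword at [ESP], then ESP += 4. */
uint32_t pop32(Stack *s) {
    uint32_t i = s->esp - MEM_BASE;
    uint32_t v = (uint32_t)s->mem[i]
               | ((uint32_t)s->mem[i + 1] << 8)
               | ((uint32_t)s->mem[i + 2] << 16)
               | ((uint32_t)s->mem[i + 3] << 24);
    s->esp += 4;
    return v;
}

/* The book's sequence: mov ax,4560h / push ax / mov cx,FFFFh / push cx. */
void run_pushes(Stack *s) {
    stack_init(s);
    push16(s, 0x4560);              /* 1205h=60 1206h=45, ESP=1205h */
    push16(s, 0xFFFF);              /* 1203h=FF 1204h=FF, ESP=1203h */
}

/* What "pop edx" yields after the two pushes: 4560FFFFh. */
uint32_t book_pop_edx(void) {
    Stack s;
    run_pushes(&s);
    return pop32(&s);
}

/* Byte at a given offset after the two pushes (0 if outside the model). */
uint8_t book_byte_at(uint32_t offset) {
    Stack s;
    run_pushes(&s);
    if (offset < MEM_BASE || offset >= MEM_BASE + MEM_SIZE) return 0;
    return s.mem[offset - MEM_BASE];
}

/* ESP after the pushes and after the pop, to check how the pointer moves. */
uint32_t book_esp_after_pushes(void) { Stack s; run_pushes(&s); return s.esp; }
uint32_t book_esp_after_pop(void)    { Stack s; run_pushes(&s); pop32(&s); return s.esp; }

/* Print the stack the way the book's tables do. */
void dump(const Stack *s) {
    printf("Offset");
    for (uint32_t i = 0; i < MEM_SIZE; i++) printf(" %04X", (unsigned)(MEM_BASE + i));
    printf("\nValue ");
    for (uint32_t i = 0; i < MEM_SIZE; i++) printf("   %02X", s->mem[i]);
    printf("\nESP -> %04X\n", (unsigned)s->esp);
}

int main(void) {
    Stack s;
    run_pushes(&s);
    dump(&s);
    printf("pop edx -> EDX = %08X\n", (unsigned)pop32(&s));   /* 4560FFFF */
    dump(&s);
    return 0;
}
```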
CALL & RET
A call jumps to some piece of code and returns as soon as a RET instruction is encountered. You know these from other programming languages as functions or subroutines. Example:
; ..code..
call 0455659
; ..more code..
; Code at 455659:
add eax, 500
imul eax, edx ; MUL takes a single operand; the two-operand form is IMUL
ret
When the CALL instruction executes, the processor jumps to the code at 455659 and executes instructions until it reaches RET, then returns to the instruction after the CALL. The code that CALL jumps to is called a procedure. CALL pushes EIP (the pointer to the next instruction to execute) onto the stack, and the RET instruction pops it back. You can pass arguments to a CALL; this is done with PUSH:
push something
push something2
call procedure
Inside the procedure the arguments can be read from the stack and used. Local variables (data needed only inside the procedure) can also be kept on the stack. I will not discuss this in detail, because masm (Macro Assembler) and tasm (Turbo Assembler) make it easy. It is enough to remember that you can create procedures and that they take parameters. One important point: EAX is almost always used to hold a procedure's return value. This is also true of Windows functions. In your own procedures you could use any other register, but EAX is the standard. In passing, I want to explain the usage of one more instruction:
lea edi, namebuffer ; EDI is the address where the name you typed is stored
mov eax, dword ptr ds:[edi] ; puts four characters into EAX, because a DWORD (4 bytes) equals four characters
(10.0) Basics of Windows assembly language
(10.1) API
Programming in Windows rests on the Windows API (Application Programming Interface). The API is the collection of functions the OS provides, and every Windows program uses them. These functions live in the Windows system DLL files such as kernel, user, gdi, shell, advapi and so on. There are two kinds of function: ANSI and Unicode, which are two ways of storing and handling strings. With ANSI every character is represented as a symbol (ASCII code) and \0 (null-terminated) marks the end of the string. Unicode uses the widechar format, two bytes per symbol; it is used for languages such as Chinese or Burmese that need more characters. Widechar strings usually end with \20. Windows accepts either the ANSI or the Unicode function. For example:
MessageBoxA (ANSI)
MessageBoxW (W = widechar (unicode))
We will be using ANSI.
(10.2) Importing DLL files
To use Windows API functions you need to import the DLL files. This is done with import libraries (.lib). These libs are essential, because they let the Windows system load the DLLs dynamically (that is, at a dynamic base address in memory). A library is included with includelib:
includelib C:\masm32\lib\kernel32.lib (or)
includelib \masm32\lib\kernel32.lib (or)
includelib kernel32.lib
This includes kernel32.lib. The include library is not the only thing that matters here: the include file (.inc) is needed too. These are generated automatically from the libraries by the l2inc program. An include file is written like this:
include \masm32\include\kernel32.inc
Because the include file defines prototypes for the functions in the DLL, you can now call them with invoke.
kernel32.inc:
...
MessageBoxA proto stdcall :DWORD, :DWORD, :DWORD, :DWORD
MessageBox textequ <MessageBoxA>
...
You can see that the include file defines the ANSI functions and also names without the 'A', made to match the real function names, so you can write MessageBox instead of MessageBoxA. Once the include library and include file for the functions you want are declared, you can use those functions:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL
(10.3) Windows include file
Windows has a special include file, windows.inc, which contains all the constants and structures the Windows API needs. For example, a message box comes in several styles; the function's fourth parameter is the style. NULL means MB_OK, a box with an OK button. The Windows include file contains definitions for these styles:
MB_OK = 0
MB_OKCANCEL = ...
MB_YESNO = ...
'Dvdk t"dyÜm,fzGifhxm;vdkUvJ 'DtrnfawGudk oifhtaeeJU constant taeeJU oHk;vdkU&aewmyg/
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_YESNO
For this example the include file is declared like this:
include \masm32\include\windows.inc
(10.4) Frame
Let's look at a sample frame.


.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\gdi32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\gdi32.inc
include \masm32\include\windows.inc
.data
blahblah
.code
start:
blahblah
end start
This is the basic frame for a Windows assembly source file (.asm).

.486                  Tells the assembler to generate code for this processor (or higher). You can also use .386, but .486 usually works well.
.model flat, stdcall  Uses the flat memory model and the stdcall convention: parameters are pushed from right to left (the last one is pushed first) and on return the function must clean up the stack. This is the standard for nearly all Windows API functions and DLLs.
option casemap:none   Controls whether label names are case-sensitive. It must be set to 'none' for windows.inc to work properly.
includelib            Discussed above.
include               Discussed above.
.data                 Start of the data section.
.code                 Start of the code section.
start:                The label marks the start of the program. It does not have to be called 'start'; you can give it any name you like.
end start             The 'end' statement is required at the end.

OK, let's write our first program. The two pieces of software we will use to assemble it are WinAsm Studio 5.1.5 and Macro Assembler 3.2.7.
.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc
.data
MsgText db "Hello world!", 0
MsgTitle db "This is a messagebox", 0
.code
start:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_OKCANCEL or MB_ICONQUESTION
invoke ExitProcess, NULL
end start
If you assemble this code (Go All), you will see what is shown in Figure (1).

Figure (1)
How the program works:
1. MessageBox is used as follows. (See Win32.hlp.)
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);

hWnd        Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
lpText      Points to the null-terminated string to be displayed as the message.
lpCaption   Points to the null-terminated string used as the title. If NULL, the default title is used.
uType       Specifies the style of the dialog box; it may be a combination of flags.

2. hWnd will be NULL, because our program has no window. lpText is a pointer to our text, that is, an offset in memory where the text we want to show is located. lpCaption is the offset of the title text. uType is a combination of values such as MB_OK, MB_OKCANCEL or MB_ICONERROR.
3. Define the two strings for the MessageBox beforehand:
.data
MsgText db "Hello world!",0
MsgTitle db "This is a messagebox",0
- .data marks the start of the data section. db means byte, and the 0 is appended so the string is null-terminated. If you want text to continue on the next line ... (13 = Carriage Return, 10 = Line Feed)
.data
MsgText db "Hello world!",13,10
db "I'm a messagebox",13,10
db "Hello again!",0

- MsgText holds the offset of the first string and MsgTitle that of the second. Now you can call the MessageBox function:
invoke MessageBox, NULL, offset MsgText, offset MsgTitle, NULL
- Because invoke is used, you can (more safely) use ADDR instead of offset:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL
- We did not set the last parameter to anything, yet it works fine, because MB_OK (a message box with an OK button) equals 0 (NULL). But you can use any other style.

Figure (2)
4. The meaning of uType is as shown in Figures (2) and (3).

Figure (3)
(10.5) Win32 API
The Windows API contains the data types, constants, functions and structures needed to create Windows programs. Most API functions, including the ExitProcess we used, live in three main DLL files: kernel32.dll, gdi32.dll and user32.dll.
KERNEL32.DLL - Low level kernel services
GDI32.DLL - Graphics Device Interface: drawing and printing
USER32.DLL - User interface controls, windows and messaging services
BOOL SetWindowText(
HWND hWnd, // handle of window or control
LPCTSTR lpString // address of string);
That is the C form. Rewritten in assembly form:
PUSH lpString;
PUSH hWnd;
CALL SetWindowText;
(11) Writing a simple Dialog Box program
This time we will skip over the structure of Windows and write a practical program. (I will explain the structure when the opportunity arises.) In WinAsm Studio, choose New Project from the File menu. From the Project menu choose Add New Rc, then Add New Dialog. Now create a caption, two buttons and an edit box. Next choose the Resources tab at the bottom of the screen. Double-click the Caption box and type 'Simple Dialog Box Program'. Then select the edit control from the toolbox and draw it as in Figure (4).
Figure (4)
Then create two buttons and change their captions to 'Say Hello' and 'Exit'. Figure (5).

Figure (5)
Now press F12 to view the dialog box we created as code.
;This Resource Script was generated by WinAsm Studio.
#define IDD_DLG1001 1001
#define IDC_EDIT1002 1002
#define IDC_BUTTON1003 1003
#define IDC_BUTTON1004 1004
IDD_DLG1001 DIALOGEX 0,0,170,72
CAPTION "Simple Dialog Box Program"
FONT 8,"MS Sans Serif"
STYLE 0x10cc0000
EXSTYLE 0x00000000
BEGIN
CONTROL "",IDC_EDIT1002,"Edit",0x50010080,10,9,121,19,0x00000200
CONTROL "Say Hello",IDC_BUTTON1003,"Button",0x50010000,17,46,51,16,0x00000000
CONTROL "Exit",IDC_BUTTON1004,"Button",0x50010000,102,46,50,16,0x00000000
END
To write the code for the dialog box template we need to know the names and control IDs of the dialog box, the edit box and the buttons. These are found in the first 4 lines of the resource script. Then select dialogbox.asm and type in the code below.
option casemap:none
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib USER32.LIB
includelib KERNEL32.LIB
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
.data
Message db "Hello World", 0
.data?
hInstance HINSTANCE ?
.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL
invoke ExitProcess, eax
DlgProc proc hWnd: HWND, uMsg: UINT, wParam: WPARAM, lParam: LPARAM
.if uMsg == WM_COMMAND
mov eax, wParam
.if eax == 1003
invoke SetDlgItemText, hWnd, 1002, ADDR Message
.elseif eax == 1004
invoke SendMessage, hWnd, WM_CLOSE, 0, 0
.endif
.elseif uMsg == WM_CLOSE
invoke EndDialog, hWnd, 0
.endif
xor eax, eax
Ret
DlgProc EndP
end start
Figure (6)
If you build this code into an exe, you will see Figure (7).

Figure (7)
(12) Writing a keygen program
This lesson is very important for crackers, because a keygen is indispensable to them: only with a keygen can a registration code be produced for any user name one likes. Look at some sample keygens. Figure (8).

Figure (8)
OK, let's start writing the keygen. Open WinAsm Studio and arrange things as in the figure below. Figure (9). There must be two edit controls, two static texts and three buttons.

Figure (9)
Set the two static texts to SS_CENTERIMAGE and the Serial edit box to ES_READONLY. Set the dialog box to DS_CENTER and save keygen.rc. Then type the following code into keygen.asm. In the main body, enter:
0001 .386
0002 .model flat, stdcall
0003 option casemap:none
0004 include windows.inc
0005 include kernel32.inc
0006 include user32.inc
0007 includelib kernel32.lib
0008 includelib user32.lib
0009
0010 DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
0011
0012 .data?
0013 hInstance HINSTANCE ?
0014 NameBuffer db 32 dup(?)
0015 SerialBuffer db 32 dup(?)
0016
0017 .const
0018 IDD_KEYGEN equ 1001
0019 IDC_NAME equ 1002
0020 IDC_SERIAL equ 1003
0021 IDC_GENERATE equ 1004
0022 IDC_COPY equ 1005
0023 IDC_EXIT equ 1006
0024 ARIcon equ 2001
0025
0026 .code
0027 start:
0028 invoke GetModuleHandle, NULL
0029 mov hInstance, eax
0030 invoke DialogBoxParam, hInstance, IDD_KEYGEN, NULL, addr DlgProc, NULL
0031 invoke ExitProcess, eax
Figure (10)
Next comes the dialog procedure.
0033 DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
0034 .if uMsg == WM_INITDIALOG
0035 invoke LoadIcon, hInstance, ARIcon
0036 invoke SendMessage, hWnd, WM_SETICON, 1, eax
0037 invoke GetDlgItem, hWnd, IDC_NAME
0038 invoke SetFocus, eax
0039 .elseif uMsg == WM_COMMAND
0040 mov eax, wParam
0041 .if eax == IDC_GENERATE
0042 invoke GetDlgItemText, hWnd, IDC_NAME, addr NameBuffer, 32
0043 call Generate
0044 invoke SetDlgItemText, hWnd, IDC_SERIAL, addr SerialBuffer
0045 .elseif eax == IDC_COPY
0046 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, EM_SETSEL, 0, -1 ; select the whole serial (end = -1), not just one character
0047 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, WM_COPY, 0, 0
0048 .elseif eax == IDC_EXIT
0049 invoke SendMessage, hWnd, WM_CLOSE, 0, 0
0050 .endif
0051 .elseif uMsg == WM_CLOSE
0052 invoke EndDialog, hWnd, 0
0053 .endif
0054 xor eax, eax
0055 Ret
0056 DlgProc EndP
Figure (11)

Then we write the Generate procedure, which produces the serial number.


0058 Generate proc
0059 invoke lstrlen, addr NameBuffer
0060 test eax, eax
0061 jle NOINPUT
0062 mov ecx, eax
0063 mov esi, offset NameBuffer
0064 mov edi, offset SerialBuffer
0065 @@:
0066 dec ecx
0067 mov dl, BYTE ptr [esi+ecx]
0068 mov BYTE ptr [edi], dl
0069 inc edi
0070 or ecx, ecx
0071 ja @b
0072 mov BYTE ptr [edi], 0 ; terminate the serial, so a shorter name does not leave stale bytes from a longer one
0073 NOINPUT:
0074 Ret
0075 Generate EndP
0076 end start
Figure (12)
Now let's study the code shown in Figures (10/11/12).
- Lines 14 and 15 are the uninitialized strings that hold the name the user types and the serial that is computed from it.
- The Generate function is an example routine: it reverses the text typed into the Name edit box. lstrlen checks how many characters were typed into the Name edit box. The typed text is in NameBuffer and the character count is placed in EAX. If no characters were typed, execution goes to NOINPUT.
- If the number of characters typed is greater than zero, the count in EAX is moved into ECX with a mov instruction; ECX is used to count the characters. The memory addresses of NameBuffer and SerialBuffer are kept in ESI and EDI, the two registers used to point to the source and destination when handling strings.
- @@ declares an anonymous label. In long routines people use whatever labels they like, but for small jumps and small loops labels are usually left unnamed. @f in place of a label jumps to the nearest label ahead, and @b to the nearest label behind.
- The string-reversing routine works like this. First the counter ECX is decremented by one, which is why the last pass of the loop ends at zero instead of one. (That is, if the Name string has six characters, ECX immediately becomes 5, and the routine runs (and decrements) exactly six times from 5 down to zero.) ESI holds the address of the first character of NameBuffer, so when ECX=0, ESI+ECX points to the first character, and when ECX=5, ESI+ECX points to the last. The first mov instruction copies the last character of NameBuffer into DL, the low part of the EDX register. The second mov copies that character into the first character position of SerialBuffer (held in EDI). As the characters are reversed and stored this way, a logical OR is performed on ECX, which sets the zero flag once ECX reaches zero. While the zero flag is not set, execution returns to @@ and the routine repeats.
- This is a very simple way of writing it. You can use API functions to write more complete routines.
And you can try adding pictures and sounds to our keygen program.
Chapter (4) - Software protection - 50 -

Chapter (4) - Software protection


(This lesson is written purely from a programmer's point of view. It discusses the methods programmers use to protect their software. How to crack is not discussed at all in this chapter.)
This lesson is about software protection, which you will inevitably run into when cracking. What you must understand is that there is as yet no protection that cannot be removed. (An aside: once, at a press conference on selling mobile software, a Burmese programmer explained that their software could not be cracked in any way. Lena151, one of the best crackers in the world, once admitted that she had written a piece of software that could not possibly be cracked, but that she herself was then able to crack it.)
The protection meant in this chapter is not protection by packing. (Protection by packing is discussed in the chapter 'Packers (Protectors)'.) Apart from the experienced ones, most programmers leave weaknesses and small flaws in how they protect their software. Afraid that their programs will develop problems if the protection is not written correctly, they do not make the protection part deep or difficult. (For example, in My Driver 3.11 the registration only holds briefly even when the registration code is entered correctly; even the paying user has to register again and again.) So they protect their programs in simple ways, and some have almost no protection at all. (Among software from Myanmar, the protected programs can be counted on one's fingers.)
Only by knowing the types of protection will cracking be easy and successful. Internationally, there are four main types of software protection that programmers use:
(1) Using registration numbers
(2) Time and count limits
(3) Using key files
(4) Using hardware keys (dongles)
(1) Using registration numbers
The use of registration numbers can be further divided into (5) kinds:
(1.1) a fixed registration number;
(1.2) a registration number that varies with the data entered;
(1.3) a registration number that varies with the user's computer;
(1.4) a registration number implemented in Visual Basic or Delphi programs;
(1.5) a registration number checked online.
(1.1) A fixed registration number
In a program that uses this method, the user has to type in a registration number. Because the registration number is fixed, a reverser can easily find it by debugging. Figure (1).

Figure (1)
One advantage of this method over the others is that the entered data need not be kept in memory; it can be XORed or otherwise recalculated by some other means. The program recalculates the correct registration number and compares the results. In practice you must use calculations complex enough that crackers cannot easily follow them, making it hard to recover the correct registration number from those results.
(1.2) A registration number that varies with the data entered
This is a frequently used method. Before typing the registration number, the user first fills in a name, company name or other details, and the registration number depends on the data entered. Figure (2).

Figure (2)
The more experienced and skilled the programmer, the harder he can make the protection for crackers to break. Whatever complex calculation scheme is used, though, crackers will still trace the program code to obtain the correct registration number.
(1.3) A registration number that varies with the user's computer
This type makes crackers uneasy. A careless cracker may be baffled, because however they register on their own computer it does not work: the registration number changes (for example, depending on the hard drive's serial number). Figure (3). (The most important thing is to hide the registration number carefully. If the registration number is found, it can easily be turned into a fixed number and the program registered on any machine with that same registration number.)

Figure (3)
(1.4) Registration numbers implemented in Visual Basic or Delphi programs
Cracking a registration number written in Visual Basic (VB) is not easy, because the programming language itself is high level. Since we have to use debuggers (disassemblers) to crack, the higher level the language, the harder it is for the debugger to turn it into assembly code. So the assembly code that debuggers produce from VB programs is very hard for novice crackers to understand.
VB programs can be divided into (3) groups:
(1.4.1) VB4;
(1.4.2) VB5 and above;
(1.4.3) VB5 and above (compiled to packed code).
(1.4.1) VB4
Though not obvious to most users, VB4 programs are among the least secure. An experienced cracker can find the registration number within 5 minutes. Figure (4). This is because VB4 programs mostly use vb40016.dll or vb40032.dll to compare the entered registration number with the predefined one.

Figure (4)
(1.4.2) VB5 and above
Cracking a program protected with VB5 is considerably harder than VB4. Most crackers are not keen on debugging VB5 with debuggers, because the code is hard to read and understand, and hard to trace as well. Their ways of cracking such programs are only to produce a registration number usable by a single user (meaning they do not write keygens) and to patch the program code so that anyone can enter any registration number they like. Only the best crackers write keygens. VB5 programs are not popular among crackers, because writing registration number generators for them is hard.
So why don't international programmers write their programs in VB? What I presented above is the method of recovering code from VB programs with debuggers. Because recovering code that way is so hard, crackers went looking for the best ways to solve the problem and found them: recovering the code with the help of tools such as Smart Check and VB Decompiler. The recovered code is then so easy to work with that it can be taken back to something close to the original source code before compilation. Such tools are not called debuggers but decompilers. They can decompile well up to VB6. Since these tools appeared, programmers writing in VB have been in trouble, and Microsoft no longer continued to upgrade and sell the VB language, so VB stopped at version 6. Visual C++, sold alongside it, is currently at version 8 and is the most widely used.
You may wonder why I am explaining this when nobody writes VB programs anymore. Internationally, VB programs came to an end around 2001. But in Myanmar, as of 2009, over 50 percent of software is still written in VB. I think that is explanation enough.
(1.5) Checking the registration number online
Some programs use the latest technology to make sure registration numbers are used legitimately. When the registration number is entered, the program sends it over the internet to be checked. The server tests whether the code is correct and responds, and the program then checks whether it has been properly registered. Figure (5). Protecting with this kind of scheme is far too easy, so experienced crackers can strip it out without difficulty.
Figure (5)
(2) Time and count limits
Time-limited programs check whether the permitted period of use has expired. Protecting this way is not very effective, because a cracker only has to remove the time limit to use the program freely. Figure (6). Limiting the functionality of unregistered versions works better: users can be pressured into buying the registered version if they want all of the program's features.

Figure (6)
Time limits are implemented in several ways. The possibilities are:
(2.1) the time limit is removed by entering a valid registration number,
(2.2) the time limit is removed by supplying a registration file,
(2.3) the time limit cannot be removed at all; the full version is usable only after purchase,
(2.4) the time limit is written in Visual Basic,
(2.5) the limit is defined by the number of times the program is run rather than by time.
(2.1) Removing the time limit by entering a valid registration number
This is the same as the registration-number method: entering a valid registration number removes the time limit. Figure (7). The one difference is that if a valid number is never entered, the program is made completely unusable once the permitted period has passed.
Note that if you write such a program, the first thing to do is record the date of first use in the registry or in a file. Otherwise the user bypasses the limit simply by setting the computer's clock back. A stored first-use date alone is not enough either: the program should also record the most recent date it has seen and treat any earlier date as tampering, since the clock can be turned back after the first run just as easily.

Figure (7)
(2.2) Removing the time limit by supplying a registration file
Surprisingly, this method is rarely used. One point to consider is that the registration file should not be sent over the internet. Crackers look first for the routine that implements the time limit, so you must make that routine hard to find and hard to modify. A cracker rarely creates a valid registration file (Figure (8)), because doing so is quite hard; it is far easier to remove the time-limit routine from the program.

<IDA Pro key file v5.1>

rhythm, 1 user, professional edition, 3/2009
[binary signature block; not reproducible as text]

Figure (8)
When writing the program, do not write a single obvious function that checks whether the registration file exists in the program's directory and whether its contents are valid: that function is exactly what the cracker will look for.
(2.3) The time limit cannot be removed; the full version is usable only after purchase
Demo versions often use this method. No registration number can be entered: when the period ends the program cannot be used at all, and anyone who wants to continue must buy it. Figure (9).

Figure (9)
Crackers find the time-limit routine and jump directly over it in the program code, so the program does its normal work without ever checking whether it has expired.
(2.4) A time limit written in Visual Basic
This method is no longer widely used.
(2.5) A limit defined by the number of runs
This is essentially the same as the other time-limit methods, except that instead of counting days it counts the number of times the program has been run. This is quite a nuisance for reversers, because the program no longer has to query the date (so there is no date API call to set a breakpoint on); it only needs to store the run count in the registry or in a file.
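The three variants above (a first-use date, a first-use date plus clock-rollback detection, and a run counter) as an added example; this is not code from the book. A plain dict stands in for the registry key or licence file, and the date is passed in so the clock-rollback case can be simulated.

```python
"""Trial-period and run-count checks (added example, not from the book).

The `store` dict stands in for HKCU or a licence file. The current date is
a parameter so a user turning the system clock back can be simulated.
"""
from datetime import date, timedelta

TRIAL_DAYS = 30
TRIAL_RUNS = 10


def naive_trial_ok(store: dict, today: date) -> bool:
    """Records only the first-run date; defeated by turning the clock back."""
    first = store.setdefault("first_run", today)
    return (today - first).days < TRIAL_DAYS


def hardened_trial_ok(store: dict, today: date) -> bool:
    """Also records the most recent run. A date earlier than the last one seen
    cannot happen on an honest machine, so it is treated as tampering and the
    trial is marked expired permanently."""
    first = store.setdefault("first_run", today)
    last = store.get("last_run", first)
    if today < last:
        store["tampered"] = True
    store["last_run"] = max(today, last)
    if store.get("tampered"):
        return False
    return (today - first).days < TRIAL_DAYS


def run_count_ok(store: dict) -> bool:
    """Variant (2.5): count launches instead of days; no clock involved."""
    store["runs"] = store.get("runs", 0) + 1
    return store["runs"] <= TRIAL_RUNS


def simulate(check, day_offsets):
    """Run `check` once per offset (days after the 2009-03-01 install date)
    against a single store and return the list of verdicts."""
    store = {}
    install = date(2009, 3, 1)
    return [check(store, install + timedelta(days=d)) for d in day_offsets]


if __name__ == "__main__":
    # Day 31 expires both; turning the clock back to day 5 revives only the naive one.
    print("naive    :", simulate(naive_trial_ok, [0, 29, 31, 5]))
    print("hardened :", simulate(hardened_trial_ok, [0, 29, 31, 5]))
```

Neither variant survives the attack the text describes: the store itself is unprotected (delete the key and the trial restarts), and a cracker can still patch the comparison in the binary; the rollback check only closes the clock-setting trick.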
(3) Using key files
With this method the key file is usually kept in the directory where the software is installed. The program reads the file and checks its contents. If the key file is valid, the program behaves as the registered version; if it is missing or invalid, the program behaves as the unregistered version or refuses to run at all. The key file may contain information about the user and encrypted data.
This type can be studied in two parts:
(3.1) without a valid file, certain features are disabled,
(3.2) without a valid file, the program is time-limited.
(3.1) Certain features disabled without a valid file
This is a very good method, and crackers do not like it. Even so, like the others it can be removed. Without a valid key file, certain features are blocked. The weakness is that the program has to look for the key file and check whether it is valid. Figure (10). The cracker therefore locates that routine and either tricks the program or weakens the checks the routine applies to the file's structure.

Figure (10)
If you use this method, the registration file must be encoded, or better, carry a cryptographic tag or signature, so that a reverser cannot easily construct one.
(3.2) The program is time-limited without a valid file
Most antivirus companies use this method. Without a valid registration file the program is unregistered and time-limited.
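A key-file check of the kind sections (3.1) and (3.2) describe, with an integrity tag so that a forged or edited file is rejected. This is an added example, not code from the book; the four-line file format, the field names and the embedded secret are all constructed for the illustration. HMAC is used only because it is in the standard library: its secret has to live inside the program, where a reverser can read it, so a real product should verify a public-key signature instead.

```python
"""Key file with an integrity tag (added example, not from the book).

Constructed format, four text lines:
    name=<licensee>
    edition=<pro|std>
    expires=<YYYY-MM-DD>
    tag=<hex HMAC-SHA256 over the three lines above>
"""
import hashlib
import hmac
from datetime import date
from typing import Optional

# Assumption: the secret is compiled into the program. Anyone who can read the
# binary can recover it and forge files; an asymmetric signature (public key in
# the binary, private key at the vendor) avoids that. HMAC keeps this stdlib-only.
EMBEDDED_SECRET = b"example-secret-do-not-ship"


def _tag(body: bytes) -> str:
    return hmac.new(EMBEDDED_SECRET, body, hashlib.sha256).hexdigest()


def make_key_file(name: str, edition: str, expires: date) -> bytes:
    """Vendor side: build a key file for one licensee."""
    body = f"name={name}\nedition={edition}\nexpires={expires.isoformat()}\n".encode()
    return body + f"tag={_tag(body)}\n".encode()


def parse_key_file(data: bytes) -> Optional[dict]:
    """Program side: return the fields if the tag verifies, else None.
    Garbled files fall out as None; the tag is compared in constant time."""
    try:
        text = data.decode("utf-8")
        body, tag = text.rsplit("tag=", 1)
        fields = dict(line.split("=", 1) for line in body.splitlines())
    except (UnicodeDecodeError, ValueError):
        return None
    if not hmac.compare_digest(_tag(body.encode()), tag.strip()):
        return None
    return fields


def licence_state(data: bytes, today: date) -> str:
    """'registered', 'expired', or 'unregistered' (missing, forged or garbled)."""
    fields = parse_key_file(data)
    if fields is None or not {"name", "edition", "expires"} <= fields.keys():
        return "unregistered"
    try:
        expires = date.fromisoformat(fields["expires"])
    except ValueError:
        return "unregistered"
    return "registered" if today <= expires else "expired"


if __name__ == "__main__":
    key = make_key_file("rhythm", "std", date(2010, 1, 1))
    print(key.decode())
    print(licence_state(key, date(2009, 3, 1)))                                  # registered
    print(licence_state(key.replace(b"edition=std", b"edition=pro"), date(2009, 3, 1)))  # unregistered
```

The tag stops a reverser from editing `edition=std` into `edition=pro` or inventing a file, which is all the text asks of the encoding. It does nothing against the easier attack the text also mentions: patching `licence_state` in the binary so that it always returns "registered".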
(4) Using hardware keys (dongles)
Protecting with hardware keys is another approach, and a rarely used one. The dongle, a device meant to prevent copying, is plugged into one of the computer's I/O ports, and the protected program must be run with it present.
It offers two kinds of protection:
(4.1) the program cannot start without the hardware key,
(4.2) certain functions of the program are not available without the hardware key.
HASP and Sentinel are the most widely used hardware keys, and arguably the best.

(4.1) The program cannot start without the hardware key
Some hardware keys are quite simple. The program sends data to the port the key is attached to and waits for a reply; if nothing answers, an error message appears. Figure (11).
More advanced hardware keys encode the data that is exchanged. Keys may also contain EPROMs, and may even hold part of the program itself. In that case, even a reverser who has the program can hardly remove the protection without the key.

Figure (11)
(4.2) Certain functions unavailable without the hardware key
This is very simple: with the key attached the program works; without it, some of its functions do not, because those functions are kept inside the hardware key itself. This is a very strong method. The keys may even contain code that decodes functions in memory. If the encoding is good, removing the protection without the key is not possible.
HASP key
The HASP key is made by Aladdin Knowledge Systems. Figure (12). When the software is installed, HASP installs its own drivers so that the program can talk to the hardware key.

Figure (12)
Sentinel key
Made by Rainbow Technologies (www.rainbow.com). Sentinel is very similar to HASP. Figure (13).

Figure (13)
Chapter (5) - Tools a cracker needs - 57 -

Chapter (5) - Tools a cracker needs


Cracking needs purpose-built tools. Most computer users are unfamiliar with them (even software developers may not be). Some are free and some are sold, though most are free. Only by becoming fluent with these tools can you become a good cracker. The tools are discussed below in five categories. (Note: all the tools listed are for Windows operating systems; tools for other operating systems are omitted.)
(a) Disassemblers
(b) Decompilers
(c) Debuggers
(d) Hex editors
(e) Other tools
(a) Disassemblers
(1) What is a disassembler?
A disassembler is the opposite of an assembler. An assembler turns code written in assembly language into binary machine code; a disassembler tries to recreate assembly code from the binary.
Assembly languages have different instruction encodings depending on the processor. The disassembly process itself is simple: read the bytes and translate them into the matching instructions. For example, the byte 55h (01010101b) is the instruction PUSH EBP, and the disassembler knows that.
Most disassemblers can output assembly instructions in Intel, AT&T or HLA syntax.
(2) Professional tools
IDA Pro
IDA Pro is an expensive tool, excellent for crackers and very rich in features. The Standard single-user edition cost $439 at the time of writing. Download link:
http://www.datarescue.com/idabase/
PE Explorer
PE Explorer concentrates on ease of use and navigation. It is not as feature-rich as IDA Pro, but at $130 its price is reasonable.
http://www.heaventools.com
W32DASM
W32DASM is regarded as the best 16/32-bit disassembler for Windows.
http://members.cox.net/w32dasm/
(3) Freeware tools
IDA 3.7
IDA 3.7 is a DOS GUI tool and works like IDA Pro. Its limitations: it supports the Z80, 6502, Intel 8051, Intel i860 and PDP-11, and its x86 output only goes up to the 486.
http://www.simtel.net
IDA Pro Freeware 4.1
Performs almost like IDA Pro, but it only produces assembly for Intel x86 processors and only runs on Windows. Its instruction coverage is limited to processors released before 2003.
http://www.themel.com
IDA Pro Freeware 4.3
A better GUI than the earlier versions.
http://www.datarescue.be
BORG Disassembler
BORG is a GUI tool and one of the best Win32 disassemblers.
http://www.caesum.com
HT Editor
HT Editor is a disassembler that analyzes Intel x86 instructions. The latest version is a console (text-mode) program that also runs on Windows.
http://the.sourceforge.net
diStorm64
diStorm is open source and supports the 80x86 and AMD64 processors.
http://ragestorm.net
(4) Things to know about disassemblers
Separating code from data
Data and code are both stored as binary in the exe file, so a question arises: how does the disassembler tell which is which? Is the byte it just read a variable, or part of an instruction?
If data lived only in the .data section and code only in the code section, there would be no problem. But data can be placed directly in the code section (jump-address tables and constant strings, for example), and code can be stored in the .data section. (Newer systems try to prevent the latter for security reasons.)
Most disassemblers let the user mark a region as code or as data; some try to make the separation automatically.
In general, separating code from data in an exe is equivalent to the halting problem, so no disassembler can separate the two correctly for every program. By Rice's theorem, every interesting question about a program's properties is undecidable, and cracking is full of such theoretical limits.
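The code-versus-data problem above in working form, as an added example that is not code from the book: a toy x86-32 decoder for a handful of opcodes (including the 55h = PUSH EBP case quoted earlier) is run over the same bytes as a linear sweep and as a recursive traversal. The sample function is constructed for the example; its four-byte constant sits inside the code section, exactly the situation the text describes, and the linear sweep decodes it as a CALL that swallows the real instruction after it.

```python
"""Linear sweep vs. recursive traversal over bytes that mix code and data.
Added example (not from the book); the decoder covers only a few opcodes.
"""
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SIMPLE = {0x90: "nop", 0xC9: "leave", 0xCC: "int3"}


def decode_one(code: bytes, pos: int):
    """Decode one instruction at pos.
    Returns (length, text, branch_target_or_None, falls_through)."""
    op = code[pos]
    if op == 0xC3:
        return 1, "ret", None, False
    if op in SIMPLE:
        return 1, SIMPLE[op], None, True
    if 0x50 <= op <= 0x57:                      # 55h =  01010101b = push ebp
        return 1, f"push {REG32[op - 0x50]}", None, True
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REG32[op - 0x58]}", None, True
    if op == 0x8B and pos + 1 < len(code) and code[pos + 1] == 0xEC:
        return 2, "mov ebp, esp", None, True
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(code):
        imm = int.from_bytes(code[pos + 1:pos + 5], "little")
        return 5, f"mov {REG32[op - 0xB8]}, 0x{imm:x}", None, True
    if op == 0xEB and pos + 2 <= len(code):     # jmp rel8
        rel = int.from_bytes(code[pos + 1:pos + 2], "little", signed=True)
        target = pos + 2 + rel
        return 2, f"jmp short 0x{target & 0xFFFFFFFF:x}", target, False
    if op == 0xE8 and pos + 5 <= len(code):     # call rel32
        rel = int.from_bytes(code[pos + 1:pos + 5], "little", signed=True)
        target = pos + 5 + rel
        return 5, f"call 0x{target & 0xFFFFFFFF:x}", target, True
    return 1, f"db 0x{op:02x}", None, True      # not in this toy decoder's table


def linear_sweep(code: bytes) -> dict:
    """Decode every byte in order, as the simplest disassemblers do."""
    out, pos = {}, 0
    while pos < len(code):
        n, text, _, _ = decode_one(code, pos)
        out[pos] = text
        pos += n
    return out


def recursive_traversal(code: bytes, entry: int = 0) -> dict:
    """Follow control flow from the entry point; bytes never reached stay undecoded."""
    out, work = {}, [entry]
    while work:
        pos = work.pop()
        while 0 <= pos < len(code) and pos not in out:
            n, text, target, falls_through = decode_one(code, pos)
            out[pos] = text
            if target is not None and 0 <= target < len(code):
                work.append(target)
            if not falls_through:
                break
            pos += n
    return out


# Constructed sample: prologue, a jump over a 4-byte constant (1000 = 0x3E8)
# that the compiler left in the code section, then the real body.
SAMPLE = bytes([
    0x55,                           # 0000  push ebp
    0x8B, 0xEC,                     # 0001  mov ebp, esp
    0xEB, 0x04,                     # 0003  jmp short 0009
    0xE8, 0x03, 0x00, 0x00,         # 0005  dd 1000      (data, not code)
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 0009  mov eax, 1
    0x5D,                           # 000e  pop ebp
    0xC3,                           # 000f  ret
])


def listing(decoded: dict) -> str:
    return "\n".join(f"{a:04x}  {t}" for a, t in sorted(decoded.items()))


if __name__ == "__main__":
    print("linear sweep:\n" + listing(linear_sweep(SAMPLE)))
    print("\nrecursive traversal:\n" + listing(recursive_traversal(SAMPLE)))
```

The linear sweep reads the constant's first byte E8h as a CALL and takes the next four bytes as its displacement, so `mov eax, 1` at 0009 never appears in its output; the recursive traversal follows the jump, decodes 0009 correctly and never touches the data at 0005. Neither strategy is right in general: a jump table or a jump whose target is computed at run time defeats the traversal just as embedded data defeats the sweep, which is the undecidability the text refers to.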
Loss of information
A great deal of information is lost when a program is compiled. For ordinary C code, local variable names are lost beyond recovery. If the program is compiled with debugging options, function and variable names may remain in the image, but those symbol tables can be removed by a process called stripping. A good decompiler may recover some of this. All comments in the code are discarded by the compiler. Nor is it possible to tell the difference between code written in place, code written as an inline function, and code written as a C-preprocessor macro. In most cases the lexical scope of a function or variable cannot be determined either. And if two files named file1.c and file2.c are compiled and linked together, the boundary between the source files disappears at the linking stage.

(b) Decompilers
Decompilers are similar to disassemblers, but they output exe code as high-level-language code. Very often that language is C, because C is simple and old enough to make decompilation comparatively easy. Decompilation has its weaknesses, since much information is already lost at compile time and cannot be recovered. Decompilation technology is still immature, but its results can be called good.
Is decompilation possible?
In an age of good compilers, the question "is decompilation still possible?" is a natural one. The answer is mostly yes. That said, a perfect, error-free decompiler has not appeared yet; current decompilers are only good enough to assist a cracker.
Decompilers
DCC Decompiler
dcc is among the best at decompilation, but at present it only accepts small files.
http://www.itee.uq.edu.au/~cristina/dcc.html
Boomerang Decompiler Project
Boomerang is being developed into a powerful decompiler; so far it can only decompile to C.
http://boomerang.sourceforge.net
Reverse Engineering Compiler
REC is a powerful decompiler that turns assembly into C-like code. Its output mixes C and assembly, which is easier to read than assembly alone.
http://www.backerstreet.com/rec/rec.htm
ExeToC
ExeToC is a decompiler that gives good results.
http://sourceforge.net/projects/exetoc
code-dump
code-dump is an Objective-C decompiler for PowerPC (PPC).
http://sourceforge.net/projects/code-dump
(c) Debuggers
Debuggers are a cracker's best friend. They let the user execute program code one step at a time and inspect values and operations along the way.
Advanced debuggers usually include at least a basic disassembler plus features for editing hex bytes and reassembling. Debuggers let the user set breakpoints on instructions, function calls and memory locations.
Windows debuggers
OllyDbg
OllyDbg is a powerful Windows debugger with a built-in disassembly and assembly engine. It has a great many features and it is free. It is very useful for patching, disassembling and debugging.
http://www.ollydbg.de/

SoftICE
SoftICE can be used for local kernel debugging, a rare and very valuable feature. SoftICE was discontinued in April 2006.
WinDBG
WinDBG is a free Microsoft component for user-mode debugging and remote kernel-mode debugging. It is not the well-known Visual Studio debugger, but it comes with a decent GUI and is available in 32-bit and 64-bit versions.
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
IDA Pro
Made by DataRescue; it works with many processors and on many operating systems.
http://www.datarescue.com
(d) Hex editors
Hex editors are not the best-known cracking tools, but they are very useful for viewing and directly editing binary files. They are also handy for looking at file types such as png or jpg that a debugger, decompiler or disassembler cannot show. There are many hex editors; the most used are listed here.
Windows hex editors
Cygnus Hex Editor FREE EDITION
A very fast and easy-to-use tool.
http://www.softcircuits.com/cygnus/fe/
WinHex
A tool for editing files and disks, with advanced capabilities for computer forensics and data recovery. (It is also used in government and the military.)
http://www.x-ways.net/index-m.html
HexEdit
Powerful; edits binary files and disks. The free version comes with source code, and there is also a shareware version.
http://www.hexedit.com/
FlexHex
Fully supports NTFS files, which are more complex than FAT32 files. FlexHex handles sparse files and the alternate data streams of files on any NTFS volume, as well as OLE compound files, flash cards and other kinds of physical drive.
http://www.heaventools.com/flexhex-hex-editor.htm
(e) Other tools
Under this heading the tools are not discussed individually in detail.
SysInternals Tools
The SysInternals tools include some of the best utilities available, and most of them are very useful to security professionals, network administrators and crackers alike. The ones most worth using are Process Monitor, FileMon, TCPView, RegMon and Process Explorer.
API Monitors
API monitor tools watch which Win32 API functions a process or program calls, which is very important to a cracker. Rohitab's API Monitor, Vitaly Evseenko's API Spy32 and Spy Studio from www.nektra.com can be used.
PE Tools
A PE scanner examines the exe you want to debug and reports which programming language it was written in and which protectors it is protected with. Some of these tools can also edit the PE header. PE tools include Lord PE, PE Browse, PE Detective, PE Disassembler, PE Explorer, PE Insight, PE Optimizer, PE Rebuilder, PE Tools, PE Viewer, PEditor, PEiD, Stud PE, WPE and CFF Explorer. The most used are Lord PE, PEiD and CFF Explorer.

Figure (1) Scanning with PEiD
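What a PE scanner reads before it can say anything about a file, as an added example that is not code from the book or from PEiD, Lord PE or CFF Explorer: the DOS header's e_lfanew pointer, the PE signature, the COFF header, the entry point from the optional header and the section table. The two packer heuristics at the end (entry point outside the first section, sections that are both writable and executable) are simplified versions of what such scanners use; the sample images are constructed in memory and contain headers only.

```python
"""Minimal PE header reader with two packer heuristics.
Added example (not from the book or any PE tool); the images are constructed.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ...
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, ...


def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed test image: DOS header, 'PE\\0\\0', COFF header, a PE32
    optional header (0xE0 bytes) and one 40-byte header per section.
    `sections` items are (name, va, vsize, rawptr, rawsize, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                    0, 0, 0, 0, chars)
        for name, va, vsize, rawptr, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data: bytes) -> dict:
    """Return machine, entry-point RVA and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
        off += 40
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry": entry, "sections": sections}


def section_of(pe: dict, rva: int):
    """The section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def packer_hints(pe: dict) -> list:
    """Simplified PEiD-style heuristics; a hit is a hint, not proof of packing."""
    hints = []
    ep = section_of(pe, pe["entry"])
    if ep is None:
        hints.append("entry point lies outside every section")
    elif ep is not pe["sections"][0]:
        hints.append(f"entry point in section {ep['name']!r}, not the first section")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hints.append(f"section {s['name']!r} is writable and executable")
    return hints


if __name__ == "__main__":
    packed = build_sample_pe(0x3000, [(b"UPX0", 0x1000, 0x2000, 0x400, 0, 0xE0000080),
                                      (b"UPX1", 0x3000, 0x400, 0x400, 0x400, 0xE0000040)])
    for hint in packer_hints(parse_pe(packed)):
        print(hint)
```

A real scanner adds byte-pattern signatures at the entry point on top of this, which is how PEiD names the compiler or protector; the section-level checks above are what flag an unknown packer when no signature matches.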


Keygenning Tools
If you write a keygen instead of patching the program, most of it has to be written yourself. If you do not want to write everything from scratch, you can drop your code into a ready-made template and produce the keygen program easily.
NFO Editors
NFO editors create the .nfo files that are bundled with patch or serial files. An .nfo file usually records the cracker's name, the serial number, the cracking team's name and the type of crack file.
Patch File Maker
Rather than handing users the cracked files themselves, crackers write patch files to keep the download small. Patch file makers modify the bytes at specified offsets in the program and change specified Windows registry keys. The most used patch-making tools are uPPP and Diablo Universal Patcher (dUP); templates for them can be downloaded free from www.tuts4you.com.

Figure (2) Sample patch file
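The offset-patching half of what a patch file maker does, as an added example; it is not the book's code and not the real uPPP or dUP file format. The patch description is a list of (offset, expected original bytes, replacement bytes), the expected bytes are checked before anything is written so a patch built for one build is not applied to a different one, and `make_patch` derives such a list by diffing the original against a modified copy. The target bytes are a constructed stand-in for a protected program.

```python
"""Offset patch maker and applier (added example, not from the book).
Entries: {"offset": int, "orig": bytes, "new": bytes}.
"""


class PatchError(Exception):
    pass


def apply_patch(image: bytes, entries) -> bytes:
    """Verify every entry's original bytes first, then write; never half-apply."""
    buf = bytearray(image)
    for e in entries:
        off, orig, new = e["offset"], e["orig"], e["new"]
        if len(orig) != len(new):
            raise PatchError(f"entry at 0x{off:x}: replacement length differs")
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise PatchError(f"bytes at 0x{off:x} are {found.hex()}, expected "
                             f"{orig.hex()}: not the build this patch was made for")
    for e in entries:
        buf[e["offset"]:e["offset"] + len(e["new"])] = e["new"]
    return bytes(buf)


def make_patch(original: bytes, modified: bytes) -> list:
    """Diff two same-size builds into patch entries, one per run of differing bytes."""
    if len(original) != len(modified):
        raise PatchError("patch maker needs two images of the same size")
    entries, i = [], 0
    while i < len(original):
        if original[i] == modified[i]:
            i += 1
            continue
        j = i
        while j < len(original) and original[j] != modified[j]:
            j += 1
        entries.append({"offset": i, "orig": original[i:j], "new": modified[i:j]})
        i = j
    return entries


# Constructed stand-in for a protected program: a JE that skips the
# "registered" path when a flag in memory is zero.
TARGET = bytes([
    0x55,                                       # 00 push ebp
    0x8B, 0xEC,                                 # 01 mov ebp, esp
    0x83, 0x3D, 0x00, 0x00, 0x40, 0x00, 0x00,   # 03 cmp dword [0x400000], 0
    0x74, 0x05,                                 # 0a je +5  (the check to defeat)
    0xB8, 0x01, 0x00, 0x00, 0x00,               # 0c mov eax, 1
    0x5D,                                       # 11 pop ebp
    0xC3,                                       # 12 ret
])

# NOP out the conditional jump so the "registered" path always runs.
PATCH = [{"offset": 0x0A, "orig": b"\x74\x05", "new": b"\x90\x90"}]


if __name__ == "__main__":
    patched = apply_patch(TARGET, PATCH)
    print(patched.hex(" "))
    print(make_patch(TARGET, patched))
```

Verifying the original bytes is the part most worth copying into any tool of this kind: an unconditional write at a fixed offset corrupts any build whose layout differs, and the symptom is a program that crashes rather than a clear error.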



Resource Editors
Resource editors are mainly used to change text and images and to add new resources. The most used are Exe Scope, Resource Editor, Resource Hacker, Restorator, Window Hack and XN Resource Editor.

Figure (3) System properties dialog modified with a resource editor

Compilers
Compilers are used to solve cracking-related problems; which compiler you use depends on your preferred programming language.
Dictionary Files
Dictionary files are used for recovering passwords; the more words they contain, the easier the search.
Password Recovery Tools
Password recovery tools are useful for recovering passwords. Well-known ones are Elcomsoft Password Recovery and Passware Kit Enterprise. With them, e-mail, internet, MS Word, MS Excel, MS Access, MS PowerPoint and Windows passwords, among others, can be recovered.
Tools left out
There are many tools left out here without detailed explanation: for decompiling Visual Basic programs, SmartCheck and VB Decompiler; DeDe for Delphi programs; UnFox All for FoxPro programs; Java Decompiler and DJ Java Decompiler for Java programs; Sothink SWF Decompiler for Flash (SWF) files; MSI Unpacker for MSI files; and Crack.NET, DisSharp and RedGate .NET Reflector for .NET programs. Packers and unpackers are discussed under the heading "Packers (protectors)".
Chapter (6) - Introduction to Olly Debugger - 63 -

Chapter (6) - Introduction to Olly Debugger


In this chapter we look at OllyDbg, a cracking tool. For crackers, OllyDbg, written by Oleh Yuschuk, is the best user-mode debugger, and it comes with a very powerful disassembler. Some beginners start out with complicated tools such as NuMega SoftICE; unless you are cracking kernel-mode code, OllyDbg is sufficient. Its greatest strength is its code analysis: for example, it recognizes procedure parameters and loops and identifies constants, arrays and strings. Features like these are not found in other debuggers of its kind. It works with all processors of the 80x86 family and disassembles most of them correctly. It is no exaggeration to say that, apart from the IDA Pro debugger, Olly has the best disassembly of any debugger.
Debugger Window
OllyDbg's main window is shown in Figure (1); it also has a main menu and a toolbar. The main window holds four informational panes: the disassembler window (top left), the data window (bottom left), the registers window (top right) and the stack window (bottom right). Other windows exist as well; the list of available windows is in the View menu. Only some of them are explained here; if you are interested in the rest, explore them yourself.

Figure (1)
Disassembler Window
The disassembler window has four columns: Address, Hex dump, Disassembly and Comment. Figure (2).

Figure (2)
Address — this column holds the virtual address of the instruction as loaded in memory. Double-clicking the column switches from addresses to offsets counted from the current address ($, $-2, $+4, ...).
Hex dump — this column shows the instruction's opcode and operand bytes. It also adds symbols that help you follow the program's flow: for instance, they mark where an instruction jumps (>) and whether the jump goes up or down. Double-clicking this column highlights the address in the first column in red, meaning that you have set a breakpoint on that instruction (address): you have asked the program to pause when execution reaches it.
Disassembly — this column contains the assembly mnemonic for the instruction. Double-clicking an instruction opens a window in which you can edit the assembly instruction however you like. The modified instruction is then used in the subsequent debugging. The modified program code can also be saved as an executable module, which is a very great advantage.
Comment — this column holds additional information about the instruction. Here the debugger shows the names of API functions and library functions it recognizes. Double-clicking this column lets you attach your own comment to any line of assembly code.
The Data Window
This window has three columns: Address, Hex dump and ASCII (Unicode). The second and third columns change with the interpretation chosen: for example, when the cell contents are shown as Unicode, the ASCII column moves into the place of the Hex dump column, which disappears. Figure (3).

Figure (3)
The Registers Window
The registers window can show one of three register groups: general-purpose registers & FPU registers, general-purpose registers & MMX registers, or general-purpose registers & 3DNow! registers. Double-clicking lets you edit the register in question; clicking the arrows switches the window between the groups. Figure (4).

Figure (4)
The Stack Window
The stack window shows the contents of the stack. The first column (Address) is the address of the stack cell, the second (Value) its contents, and the third (Comment) any comment that applies to the value. Figure (5).

Figure (5)

Other Windows
Two things to remember when starting out with OllyDbg:
(a) Right-clicking in any window opens that window's context menu. The menu differs from window to window; studying these menus carefully is recommended.
(b) The contents of the windows are interdependent. For example, right-click one of the general-purpose registers: you can interpret its contents as an address in the data area (Follow in Dump) or in the stack area (Follow in Stack).
Debug Execution
Debugging means running a program in various modes and analyzing it as it runs. This section explains the execution modes. Assume the code to be executed is already loaded in the debugger and the disassembler window shows the assembly code. The main modes for executing the program are:
(a) Step-by-step execution that skips over procedures (in some programming languages a procedure is called a subroutine or a function) is called "step over". Pressing F8 executes the current assembly instruction. Executing instructions one after another, you can watch how the other three windows (Registers, Data, Stack) change. The defining feature of this mode is that if the next instruction is a procedure call (CALL), all the instructions that make up the procedure are executed automatically as if they were a single instruction; that is, the code inside the called procedure is not examined line by line.
(b) Step-by-step execution that enters procedures is called "step into". To execute in this mode, press F7. The difference from the previous mode is that when a CALL instruction is executed, the instructions inside the procedure are then executed one by one.
Instead of the methods just described (step over and step into), you can use animation: Ctrl+F8 and Ctrl+F7 for the respective modes. After one of these shortcuts is pressed, the step-over or step-into command is repeated instruction by instruction with a short pause between them. After each instruction the debugger windows are refreshed, so you can track the changes.
Pressing Esc at any time pauses execution. Execution also stops when a breakpoint is reached, or when the debugged program raises an exception.
Another form of step-by-step execution is trace mode. Trace mode resembles animation, but the debugger windows are not refreshed at every step. The two tracing variants corresponding to step over and step into are started with Ctrl+F12 and Ctrl+F11. Tracing can be stopped in the same way as animation. After each instruction is executed, information about its execution is written to the trace buffer, which can be viewed with the Run trace command in the View menu. The trace buffer can be saved to a text file if desired. You can also define conditions that say when tracing should stop (set trace condition, Ctrl+T). Figure (6).

Figure (6)
The following conditions can be set for trace mode:
(a) a range of addresses at which to break;
(b) a conditional expression (such as EAX>100000); when EAX>100000 becomes true, tracing stops;
(c) a count of instructions after which tracing stops.
The debugger can also be told to execute code only until the current procedure returns (Execute till return); in other words, just the remaining code of the current procedure is executed. The key is Ctrl+F9.
Finally, if while tracing you find yourself somewhere you do not want to be (deep in library code, for instance) and want to get back out, use the Execute till user code command, or Alt+F9.
Breakpoints
A breakpoint is a truly powerful debugging tool. Breakpoints let you understand the program's behaviour most clearly: at the chosen moment they capture the state of the registers, stack and data.
Ordinary Breakpoints
Ordinary breakpoints are set on selected instructions, either by pressing F2 or by double-clicking in the Hex dump column. The result is that the address in the first column turns red. When the breakpoint is hit you can inspect the state of the registers, variables and stack. Pressing F2 again removes the breakpoint. This kind of breakpoint is used most often when watching Windows API functions.
Conditional Breakpoints
Conditional breakpoints are set with Shift+F2. Pressing that key combination opens the combo box shown in Figure (7), in which you enter a condition of your choice. When the condition becomes true, execution stops. The debugger understands complex expressions made of many conditions. Some examples:
tcef;(6) - Olly Debugger rdwfquf - 67 -

yHk(7)
(u) EAX = = 1 — 'guawmh EAX register [m wpfjzpfcJh&if debugger udk execute vkyfwm&yfapzdkU
trdefUay;wmyg/
(c) EAX = 0 and ECX > 10 — 'guawmh EAX register [m oknjzpfjyD; ECX register [m
wpfq,fxufMuD;cJh&if debugger tvkyfvkyfaewm&yfapzdkU trdefUay;wmyg/
(*) [STRING 427010] == 'Error' — 'guawmh virtual address (VA) 427010H rSm 'Error' qdkwJh
pmom;udk awGUcJU&if debugger udk execute vkyfwm&yfapzdkU trdefUay;wmyg/ 'DvdkvJa&;vdkU&ygw,f/ EAX =
= 'Error'/ 'gqdk EAX xJrSm&SdwJht&mtm;vHk;udk pointer uae pmom;tjzpfajymif;vJay;rSmyg/
(C) [427070] = 1231 — 'guawmh VA 427070H xJrSm&SdwJht&m[m 1231H eJU nDcJhr,fqdk&if
breakpoint udk owfrSwfrSmyg/
(i) [[427070]] = 1231 — 'guawmh address udk oG,f0dkuf toHk;jyKjcif;yg/ ajym&r,fqdk&if VA 427070H
xJrSm tjcm; VA wpfckygjyD; tJ'D VA xJrSm&SdwJht&m[m 1231H eJU nDrnDppfjyD; breakpoint udk
owfrSwfwmyg/
Conditional Breakpoints with a Log
oluawmh conditional breakpoints &JU tydkvkyfief;pOf extension wpfckom jzpfygw,f/
Conditional logging breakpoint udk owfrSwfzdkU <Shift>+<F4> key udk EdSyfEdkifygw,f/ b,ftcsdefrSmrqdk
'Dvdk breakpoint udk toHk;jyKcJhr,fqdk&if tJ'DjzpfpOfudk log zdkiftaeeJU rSwfwrf;wifxm;ygw,f/ Log
xJrSmygwJh t&mawGudk jyefMunfhcsifw,fqdk&if <Alt>+<L> key udk ESdyfjyD;aomfvnf;aumif;? View menu rS
Log command udk ESdyfjyD;aomfvnf;aumif; Munfh&IEdkifygw,f/ yHk(8)/

yHk(8)
Breakpoint to Windows Messages
Window function qD (twdtusajym&&if window class function qD) messages awG a&mufvm
wmaMumifh tcsdKU windows message rSm breakpoint udk owfrSwfEdkifzdkU application window [m
yGifhaezdkUvdkygw,f/ wenf;ajym&&if windowing application awG[m execution vkyfzdkUtwGuf pwif&yg
w,f/ &Sif;vif;vG,fulapzdkU &dk;&Sif;vSwJh application wpfckudk window wpfckeJYtwl debugger xJudk
oGif;vdkufygw,f/ 'D application udk pwifzdkUtwGuf <Ctrl>+<F8> udk ESdyfyg/ 'D application window [m
wpfpuúefUavmuf MumjyD;wJhtcgrSm touf0ifygw,f/ y&dk*&rf&JY wpfpdwfwpfa'oudk qufwdkuf execute
vkyfaecsdefrSmawmh owdxm;ay;yg/ Window function qDa&mufzdkU application u pHkprf;jyD; zefwD;xm;wJh
windows pm&if;udk ac:,l zdkUvdkygw,f/ 'gudk View menu u Windows udk toHk;jyKEdkifygw,f/ yHk(9)/
yHk(9)
yHk(9)rSm jyxm;wJh window [m investigator udk window descriptor? olU&JUtrnf? olU&JU
identifier eJU ta&;MuD;qHk;jzpfwJh window procedure &JU address (ClsProc)awG &SmazGapEdkifygw,f/
Window procedure &JY address eJY ywfoufwJh tcsuftvufawGu investigator udk window function
awG &SmEdkifapwJhtjyif omref breakpoint a&m? conditional breakpoint yg owfrSwfEdkifygw,f/ bmyJjzpfjzpf
window functions awGeJU tvkyfvkyfwJhtcg window message awG &SdwJhae&mrSm breakpoint awG
owfrSwfwm taumif;qHk;yg/ 'gaMumifh yHk(9)rSm jyxm;wJh window udk ESdyfvdkufjyD; context menu rS
Message breakpoint on ClassProc udk a&G;vdkufyg/ aemufxyf window wpfckay:vmrSmjzpfjyD; tJ'DrSm
atmufyg breakpoint parameter awGudk owfrSwfEdkifrSm jzpfygw,f/ yHk(10)/
(u) Drop-down list rS message udk a&G;yg/ atmufygwdkUudk rSwfom;yg/
(1) Message tpm; event udk a&G;cs,fvdkUvnf; &ygw,f/ tJ'D event awG[m window (odkU)
keyboard event awGudk zefwD;^zsufqD;jcif;uJhodkUaom message aygif;rsm;pGmjzpfEdkifygw,f/
(2) rdrdbmom rdrdowfrSwfEdkifwJh message awGudkvnf; a&G;cs,fEdkifygw,f/
(c) b,f message awG[m olwdkUxJub,folUqDuae a&mufvmovJqdkwmudk qHk;jzwfEdkifapzdkU track
vdkufr,fh window awGudk pm&if;jyKpkyg/ ay;xm;wJh window? ay;xm;wJh title eJY window tm;vHk;? (odkU)
window tm;vHk; yg0ifygw,f/
(*) Breakpoint b,fESpfMudrf touf0ifw,fqdkwm odapzdkU counter udk owfrSwfxm;yg/
(C) Breakpoint touf0ifcsdefrSm y&dk*&rftvkyfvkyfwmudk &yfoifh^ r&yfoifhqdkwm owfrSwfyg/
(i) Breakpoint touf0ifcsdefrSm record udk log xJ b,fvdka&;&rvJqdkwm owfrSwfxm;yg/

yHk(10)
Breakpoints to the Import Functions
Debug vkyfzdkY module xJudk import tvkyfcH&wJh trnfpm&if;udk vdkcsif&ifawmh <Ctrl>+<N> udk
ESdyfyg/ yHk(11)/ 'DhaemufrSm window udk right click ESdyfjyD; atmufygwdkUudkvnf; jyKvkyfEdkifygw,f-
(u) Import vkyfxm;wJh function udk ac:,ltoHk;jyKcsdefrSm breakpoint udk owfrSwfEdkifygw,f/ (Toggle
breakpoint on import)
(c) Import vkyfxm;wJh function udk ac:,ltoHk;jyKcsdefrSm conditional breakpoint udk owfrSwfEdkifyg
w,f/ (Conditional breakpoint on import)
(*) Import vkyfxm;wJh function udk ac:,ltoHk;jyKcsdefrSm conditional breakpoint udk log vkyfjyD;
owfrSwfEdkifygw,f/ (Conditional log breakpoint on import)
(C) owfrSwfxm;wJh trnfeJYqdkifwJh tcsdwftqufwdkif;rSm breakpoint udk owfrSwfEdkifygw,f/ (Set
breakpoint on every reference) {'D command u Find references to import (Enter key) eJU
wlygw,f/ jcm;em;csufu Find references to import u breakpoint udk udk,fvdkcsifrS
xyfrHa&G;cs,f&wmyg/}
(i) ay;xm;wJhJ trnfeJYqufEG,faewJh reference wdkif;rSm log vkyfjyD; breakpoint udk owfrSwfEdkifygw,f/
Set log breakpoint on every reference)
(p) Breakpoint tm;vHk;udk z,f&Sm;wmyg/ (Remove all breakpoints)

yHk(11)
Breakpoints at the Memory Area
OllyDbg debugger u memory area rSm breakpoint wpfckwnf;udk owfrSwfzdkY vufcHygw,f/
'DvdkvkyfzdkU disassembler window (odkU) data window udk a&G;cs,fyg/ 'Dhaemuf context menu rS
Breakpoint | Memory on access (odkU) Breakpoint | Memory on write command awGudk
a&G;cs,fEdkifygw,f/ 'gjyD;&ifawmh rMumcifuowfrSwfvdkufwJh breakpoint udk toHk;jyKzdkU toifhjzpfaerSmyg/
Breakpoint yxrwpfrsdK;uawmh (on access) uk'feJU a'wmawGtwGuf jzpfEdkifayr,fh 'kwd, breakpoint
wpfrsdK;uawmh (on write) uk'fawGtwGufom jzpfEdkifygw,f/ Breakpoint awGudk context menu rS
Breakpoint | Remove memory breakpoint udk a&G;cs,fjcif;jzifh z,f&Sm;Edkifygw,f/ yHk(12)/

yHk(12)
Breakpoints in the Memory Window
Memory window (Alt + M) uawmh debug vkyfxm;wJh y&dk*&rftwGuf (odkU) olUbmom
olUenf;olU[efeJY debug vkyfxm;wJh y&dk*&rfawGu oD;oefUcsefxm;wJh memory block awGudk jyoygw,f/ 'D
window rSm breakpoint wpfckudk owfrSwfzdkYom jzpfEdkifygw,f/ 'DvdkvkyfzdkU right-click rS Set memory
breakpoint on access udk (odkU) Set memory breakpoint on write udk a&G;cs,fyg/ Breakpoint udk
z,f&Sm;csif&ifawmh Remove memory breakpoint udk a&G;Edkifygw,f/
Hardware Breakpoints
omref breakpoint awGudkawmh INT 3 interrupt vector twGuf toHk;jyKygw,f/ 'Dvdk breakpoint
awGudk toHk;jyKjcif;u y&dk*&rfudk tvkyfvkyfcdkif;&mrSm aES;oGm;apygw,f/ b,fvdkyJqdkygap? Intel Pentium
microprocessor awGuawmh debug registers (DR0-DR3) 4ckudk jznfhpGrf;ay;xm;ygw,f/ 'D register
awGrSm breakpoint 4ckeJU vuf&Sdy&dk*&rf&JU virtual address wdkU yg0ifEdkifygw,f/ Command wpfcku
toHk;jyKxm;wJh address [m 'D register wpfckwpfavawGxJu address eJUnDaecsdefrSm? processor [m
debugger rSm &Sdxm;wJh exception wpfckudk xkwfvdkufygw,f/ Hardware breakpoint awGuawmh debug
vkyfxm;wJh y&dk*&rf&JY tvkyfvkyfyHkudkawmh aES;auG;aprSmr[kwfygbl;/ bmyJjzpfjzpf? olwdkUxJu 4ckrQom jzpfyg
w,f/ Hardware breakpoint wpfckudk owfrSwfr,fqdk&ifawmh disassembler window udk oGm;yg/ jyD;&if
context menu u Breakpoint | Hardware on execution commandudk a&G;yg/ 'grSr[kwf&if main
menu u Breakpoint | Hardware on access (odkU) Breakpoint | Hardware on write command
udk toHk;jyKEdkifygw,f/ Hardware breakpoint awGudk zsufcsif&ifawmh context menu u Breakpoint |
Remove hardware breakpoints command udk toHk;jyKyg/ yHk(13)/

yHk(13)
Other capabilities
Watch expressions Window
OllyDbg u expression awGudk apmifhMunfhzdkU special window wpfckudk ay;xm;ygw,f/
Conditional breakpoint awGtaMumif; &Sif;jycJhwkef;u expression awGtaMumif;ygvmcJhwmudk trSwf&yg/
Memory cell awGeJU register awGyg0ifwJh &IyfaxG;vSwJh expression awGudk toHk;jyKzdkUqdkwm jzpfEdkifygw,f/
'D expression awGudk vkdtyfovdk &IyfaxG;apvdkU &ygw,f/ Watch expressions window udk zGifhzdkUuawmh
View | Watches command udk toHk;jyKyg/ Watch expressions window yGifhvmcsdefrSmawmh right click
ESdyfjyD; Add Watches command udk a&G;cs,fyg/ 'gjyD;&ifawmh debugger u apmifhMunfhay;r,fh expression
wpfckudk owfrSwfEdkifygw,f/ aemufwpfrsdK;ajym&&ifawmh olU&JU HEX wefzdk;udk jyoygw,f/ yHk(14)rSm
expression 4ckyg0ifwJh Watch expressions window udk jyoxm;wmjzpfjyD; b,f processor &JU
command udkrqdk execute vkyfjcif;jzihf wefzdk;awGudk apmifhMunfhaejyD;jyoygw,f/

yHk(14)
Searching for data
OllyDbg rSm MudKufwJhowif;tcsuftvuf (ASCII? UNICODE? HEX )awGudk <Ctrl>+<B>
key ESdyfjyD; &SmazGEdkifygw,f/ yHk(15)/ Command wpfckcsif;udk &Smr,fqdk&if <Ctrl>+<F> key? command
awGaygif;xm;wmudk &Smr,fqdk&if <Ctrl>+<S> key udk toHk;jyKEdkifygw,f/ <Ctrl>+<L> key (Next)
uawmh aemufqHk; &SmcJhwJh[mudkyJ xyf&Smay;wmyg/

yHk(15)
Editing and saving the executable module
OllyDbg rSm uRefawmfwdkU jyifcJhwJhuk'fawGudk odrf;qnf;jyD; executable y&dk*&rftopftjzpf odrf;
qnf;Edkifygw,f/ 'Dvdkvkyfcsif&if Copy to execution | Selection (odkU) Copy to execution | All
modifications command udk a&G;vdkuf&HkygyJ/ jyD;&if udk,fxm;csifwJhae&mrSm udk,fMudKufwJh zdkiftrnfopf
ay;jyD; odrf;qnf;vdkuf&HkygyJ/
Chapter (7) – Introduction to IDA Pro Advanced 5.2

(FOR ONLY FULL VERSION)
(1) About virtual memory
(2) The program's GUI

Figure (1)
(3) Loading exe code

Figure (2)

Figure (3)

Figure (4)
(4) Disassembler Window

Figure (5)

Figure (6)

Figure (7)

Figure (8)

Figure (9)
(5) Other windows

Figure (10)

Figure (11)

Figure (12)

Figure (13)

Figure (14)

Figure (15)

Figure (16)

Figure (17)

Figure (18)

Figure (19)

Figure (20)

Figure (21)

Figure (22)

Figure (23)
(6) Menu and toolbar
if ( LCData ) {
    lstrcpyA(v5, &LCData);
    v7 = LoadLibraryExA(ValueName, 0, 2u);
    v3 = v7;
    if ( !v7 )
    {
        v14 = 0;
        lstrcpyA(v5, &LCData);
        v3 = LoadLibraryExA(ValueName, 0, 2u);
    }
}
Figure (24)

Figure (25)

Figure (26)
(7) Built-in IDA Pro programming language
#include <idc.idc>
static main(void)
{
    // Your Code here;
}

Figure (27)

Figure (28)
Chapter (8) - PE Header
(1) PE file structure
Portable Executable (PE) qdkwm 32-bit eJU 64-bit Windows OS awGrSm toHk;jyKaeMuwJh
executable (EXE) zdkif? object (DLL) zdkifawGtwGuf zdkifyHkpHwpfck jzpfygw,f/ Portable qdkwJhtoHk;tEIef;
udku 32-bit eJU 64-bit Windows OS awGMum; tjyeftvSef vG,fvifhwul toHk;jyKEdkifwmudk &nfnTef;wm
yg/ PE yHkpHqdkwm tajccHtm;jzifhawmh wrapped executable code awGudk pDrHzdkU Windows OS loader
twGuf vdktyfwJhowif;tcsuftvufawGudk encapsulate vkyfay;wJh data structure wpfckyg/ tJ'DrSm link
vkyfzdkUtwGuf dynamic library reference awG? API udk export eJU import vkyfzdkU table awG? resource
management data awGeJU TLS data awGyg0ifygw,f/ 'DyHkpHudk pdwful;xkwfvkyfcJhwmuawmh Microsoft
jzpfjyD; 1993rSmawmh pHjzpfvmygw,f/
"Portable Executable" vdkU a&G;cs,fvdkuf&wmuawmh intent [m Windows tm;vHk;twGuf tajccH
tusqHk;zdkifyHkpHjzpfjyD; CPU wdkif;rSm tvkyfvkyfEdkifvdkUyg/ ajym&&ifawmh Windows NT rsdK;quf? Windows
95 rsdK;qufeJU Windows CE wdkUrSm toHk;jyKEdkifvkdUyg/
yHk(1)rSm jyxm;wmuawmh PE zdkifwpfckrSmyg0ifwJh tajccHzGJUpnf;wnfaqmufyHk jzpfygw,f/

yHk(1)
tenf;qHk;awmh PE zdkifrSm section ESpfck&Sdygw,f/ wpfckuawmh uk'fawGtwGufjzpfjyD;? aemufwpfcku
awmh a'wmawGtwGuf jzpfygw,f/ Windows NT &JU application wpfckrSmawmh 9ckavmuf&Sdygw,f/
olwdkUawGuawmh .text? .bss? .rdata? .data? .rsrc? .edata? .idata? .pdata eJU .debug wdkU jzpfygw,f/ tcsKdU
application awGuawmh 'D section awGtm;vHk;rvdkygbl;/ tcsdKUuawmh olwdkU&JUvdktyfcsufeJUywfoufjyD;
'DxufydkwmvJ jzpfEdkifygw,f/
zdkifwpfckrSm tawGUrsm;wJh section awGuawmh ...
- executable code section .text (Microsoft)? CODE (Borland)
- data section .data, .rdata, .bss (Microsoft)? DATA, BSS (Borland)
- resources section .rsrc
- export data section .edata
- import data section .idata
- debug information section .debug
Section trnfawG[m wu,fawmh ta&;rygvSygbl;/ OS uvJ 'DtrnfawGudk vspfvsL&Ixm;yg
w,f/ ta&;MuD;wJhtcsufuawmh disk ay:rSm&SdwJh PE zdkifwpfck&JU zGJUpnf;yHk[m rSwfOmPfay:ul;wifvdkufcsdef
rSm&SdwJh tajctaeeJU wpfyHkpHwnf;ygbJ/ 'gaMumifhrdkU wu,fvdkU oifhtaeeJU tcsuftvufawGudk disk ay:u
zdkifrSmae&mcsxm;Edkifr,fqdk&if?zdkifudkrSwfOmPfay:ul;wifvdkufcsdefrSmvJ'DtcsuftvufawGudk &SmazGvdkU&&ygr,f/
b,fvdkyJjzpfygap olUudk rSwfOmPfay: wpfyHkpHwnf; ul;wifvdkufwm r[kwfygbl;/ Windows loader
u b,ftydkif;awGudk map in vkyfzdkUvdkovJ? b,ftydkif;awGudk csefxm;cJh&rvJqdkwmudk qHk;jzwfygw,f/ Map
in rvkyfwJh tcsuftvufawGudkawmh map in vkyfr,fh b,ftydkif;udkrqdk ausmfvGefjyD; zdkif&JUaemufqHk;rSm ae&m csxm;ygw,f/ (Oyrm - debug information)
rSwfOmPfay:ul;wifvdkufcsdefrSmeJU disk ay:rSm&SdwJh zdkif&JU item wpfck&JUwnfae&m[m uGJjym;avh&Sdyg
w,f/ bmaMumifhvJqdkawmh Windows utoHk;jyKwJh page udktajcjyKwJh virtual memory management
pepfaMumifh jzpfygw,f/ Section awGudk RAM ay:ul;wifvdkufwJhtcg olwdkU[m 4KB &SdwJh memory page
awGeJU udkufnDatmifae&jyD; section toD;oD;[m page topfupwif&ygw,f/ Virtual memory uawmh
yHk(2)twdkif; jzpfygw,f/

yHk(2)
Virtual memory &JU vkyfaqmifcsufuawmh aqmhzf0JvfawG[m physical memory udkwdkuf&dkuf
oHk;pGJapr,fhtpm; y&dkqufqmeJU OS wdkU[m olwdkUESpfckMum; rjrif&wJhtvTmwpfckudk zefwD;vdkufwmyg/
rSwfOmPfeJU csdwfqufzdkUMudK;pm;vdkufwkdif; y&kdqufqm[m b,f process uae b,f physical memory
address udk wu,foHk;pGJr,fqdkwmudk page table eJU nSdEdIif;ygw,f/ rSwfOmPfu pmvHk;toD;oD;twGuf table
entry wpfck&SdzdkUqdkwm vufawGUrSmawmh rjzpfEdkifygbl;/ (page table [m physical memory pkpkaygif;xuf
MuD;aeygw,f/) 'gaMumifh y&dkqufqmawG[m rSwfOmPfudk page awGtjzpf ydkif;jcm;&wmjzpfygw,f/ 'g&JU
tusdK;&v'fawGuawmh -
(1) ajrmufjrm;vSpGmaom address space awGudk zefwD;Edkifygw,f/ Address space qdkwmuawmh rSwfOmPf
eJU access vkyfzdkUom cGifhjyKxm;wJh oD;jcm; page wpfckjzpfygw,f/ qdkvdkwmuawmh vuf&Sd y&dk*&rf (odkU)
process eJUom oufqdkifygw,f/ aocsmwmu y&dk*&rfawG[m wpfckeJUwpfck oD;jcm;pD&SdaeMuwmyg/ 'gaMumifh
rdkUvJ y&dk*&rfwpfckrSm crash jzpfcJh&if tjcm;y&dk*&rfwpfck&JU address space udk taESmifht,Sufrjzpfapwmyg/
(2) rSwfOmPfudk b,fvdk access vkyf&rvJqdkwJh pnf;rsOf;awGtwGuf y&dkqufqmudk twif;tMuyfvkyfcdkif;
Edkifygw,f/ PE zdkifawGrSm section awGudk vdktyfygw,f/ bmaMumifhvJqdkawmh zdkifxJu e,fy,ftrsdK;rsdK;udk
module wpfck ul;wifvdkufcsdefwdkif; memory manager u rwlnDpGm oabmxm;vdkUyg/ ul;wifcsdefrSm
section header xJu olwdkU&JU setting awGtay: tajccHwJh section trsdK;rsdK;twGuf memory manager [m
memory page awGay:rSm access vkyfEdkifwJhtcGifhtmPmudk owfrSwfygw,f/ 'Dtcsufu owfrSwfxm;wJh
section [m zwfvdkU&wmvm;? a&;vdkU&wmvm;? execute vkyfvdkU&wmvm; qHk;jzwfygw,f/ Section toD;
oD;[m xHk;pHtwdkif;yJ fresh page wpfckuaepoifhw,fvdkU qdkvdkjcif;jzpfygw,f/
bmyJjzpfjzpf Windows twGuf page size uawmh 4096 bytes (1000h) jzpfygw,f/ Disk ay:u page
boundary twdkif; exe uk'fudk nSd,lr,fqdk&ifawmh tv[ójzpfukefrSmyg/ bmaMumifhvJqdkawmh vdktyfwm
xufydkjyD; t&G,ftpm;MuD;rm;aprSm jzpfvdkUyg/ 'gaMumifhrdkUvJ PE header rSmrwlnDwJh Alignment field
ESpfck&Sdygw,f/ olwdkUawGuawmh section alignment eJU file alignment yg/ Section alignment qdkwm
uawmh tay:rSmqdkxm;wJhtwdkif; rSwfOmPfxJrSm section awGudk b,fvdknSd,lrvJqdkwm jzpfygw,f/
(3) PE zdkifawGudk windows loader u rSwfOmPfxJudk ul;wifvdkufcsdefrSm &SdaewJhtaetxm;udk module vdkU ac:ygw,f/ zdkif mapping pwifwJh yxrqHk; address udk HMODULE vdkUac:ygw,f/ rSwfOmPfxJrSm&SdwJh
module wpfck[m execution vkyfzdkUvdktyfwJh exe zdkifuae uk'f? a'wmeJU resource awGudk azmfjyEdkifygw,f/
(2) DOS Header
PE zdkifawG[m DOS header eJU pavh&SdjyD; zdkif&JU yxrqHk; 64 bytes tjzpfawGU&ygw,f/ y&dk*&rf[m
DOS uaepwiftvkyfvkyf&wmjzpfygw,f/ 'gaMumifh DOS u rSefuefwJh executable zdkifjzpfaMumif; todt
rSwfjyKrSom header aemufrSm odrf;qnf;xm;wJh DOS stub udk tvkyfvkyfrSm jzpfygw,f/ DOS stub uawmh
yHkrSeftm;jzifh 'This program must be run under Microsoft Windows' qdkwJhpmom;udk xkwfay;avh&SdjyD;
oludk,fwdkifawmif DOS y&dk*&rfjzpfEdkifygw,f/ Windows application awGudk build vkyfcsdefrSm linker u
oifh&JU exe zdkifxJudk winstub.exe vdkUac:wJh stub y&dk*&rfudk link csdwfay;vdkufwm jzpfygw,f/
DOS header [m structure wpfckjzpfjyD; windows.inc (odkU) winnt.h zdkifawGrSm olUudk t"dyÜm,fzGifh
qdkxm;ygw,f/ (wu,fvdkU oifhrSm assembler (odkU) compiler udk install vkyfjyD;om;&SdcJh&if olwdkUawGudk
\include\ directory atmufrSm&SmEdkifygw,f/ DOS header rSm member ta&twGuf 19 ck&SdjyD; magic eJU
lfanew uawmh pdwf0ifpm;p&maumif;ygw,f/
IMAGE_DOS_HEADER STRUCT
e_magic WORD ?
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup (?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup (?)
e_lfanew DWORD ?
IMAGE_DOS_HEADER ENDS

PE zdkifxJrSm&SdwJh DOS header &JU magic ydkif;rSmyg0ifwmuawmh 4Dh? 5Ah wefzdk; (MS-DOS &JU
rlvyHkpHjyKolawGxJuwpfOD;jzpfwJh Mark Zbikowsky udkudk,fpm;jyKwJh MZ pmvHk;) jzpfjyD;? ol[m rSefuefwJh
DOS header jzpfaMumif; oabmaqmifygw,f/ MZ [m yxrqHk; pmvHk;ESpfvHk;jzpfjyD; hex editor eJUzGifhxm;
wJh b,f PE zdkifrSmrqdk awGYjrifEdkifygw,f/
lfanew [m DWORD wpfckjzpfjyD; DOS header &JU tqHk;eJU DOS stub rpcifMum;rSm wnf&Sdyg
w,f/ olUrSmy&dk*&rftpeJUywfoufwJh PE header &JU offset yg0ifygw,f/ Windows loader u 'D offset udk
&SmazGygw,f/ 'gaMumifhrdkUvJ DOS stub udk ausmfEdkifjyD; PE header qDwdkuf&dkufoGm;Edkifwmyg/ (rSwf&ef/ /
DWORD (double word) = 4bytes (odkU) 32bit? WORD = 2bytes (odkU) 16bit/ wcgw&HrSm DWORD
udk dd vdkUvJ jrif&Edkifygw,f/ dw uawmh WORD jzpfjyD; byte twGufuawmh db yg/ yHk(3)/

yHk(3)
DOS header udkawmh PE zdkif&JU yxrqHk; 64 bytes tjzpfawGU&aMumif; ajymcJhygw,f/ qdkvdkwmu
yHk(3)&JU yxrqHk; 4aMumif; (offset 0000 uae offset 0040 xd)jzpfygw,f/ DOS stub rpcif aemufqHk;
DWORD rSm yg0ifwmuawmh 00h 01h 00h 00h jzpfygw,f/ aemufqHk;pmvHk;uae ajymif;jyefjyefpD&if
jzpfvmrSmuawmh 00 00 01 00h jzpfjyD;? PE header pwifr,fhae&mjzpfygw,f/ PE header [mvnf;
olUoauFwjzpfwJh 50h, 45h, 00h, 00h eJU pwifygw,f/ ("PE" qdkwJhpmvHk;aemufrSm oknawGvdkufygw,f/)
wu,fvdkUom PE header &JU oauFwae&mrSm PE tpm; NE vdkUawGU&if 'Dzdkif[m 16-bit
Windows rSmtvkyfvkyfwJh NE zdkifjzpfygw,f/ tvm;wl LE vdkUawGU&if Windows 3.x virtual device
driver (VxD) jzpfjyD;? LX vdkUawGU&if OS/2 2.0 zdkifjzpfygw,f/
(3) PE Header
PE header uawmh IMAGE_NT_HEADERS vdkUac:wJh structure wpfckjzpfygw,f/ 'D structure
rSm Windows loader u r&SdrjzpfvdktyfwJh tcsuftvufawGyg0ifygw,f/ IMAGE_NT_HEADERS rSm
member 3ckyg0ifjyD; olwdkUudk windows.inc rSm t"dyÜm,fzGifhqdkxm;jyD;jzpfygw,f/
IMAGE_NT_HEADERS STRUCT
Signature DWORD ?
FileHeader IMAGE_FILE_HEADER <>
OptionalHeader IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

- Signature uawmh DWORD jzpfjyD; olUrSmyg0ifwmuawmh 50h, 45h, 00h, 00h qdkwJh wefzdk;
(oknawGvdkufwJh ]PE}) jzpfygw,f/
- FileHeader uawmh PE zdkif&JU aemufxyf 20bytes jzpfjyD; zdkif&JU physical layout eJU *kPfowdåawG
yg0ifygw,f/ (Oyrm- section ta&twGuf)
- OptionalHeader uawmh aemufxyf 224bytes jzpfjyD; PE zdkiftwGif;u logical layout eJU
ywfoufwJhtaMumif;awG yg0ifygw,f/ (Oyrm- AddressOfEntryPoint)/ olU&JUt&G,ftpm;udk ay;Edkifwm
uawmh FileHeader &JU member wpfckuyg/ 'D member awG&JU structure udkvnf; windows.inc rSm
t"dyÜm,fzGifhqdkxm;jyD;jzpfygw,f/
FileHeader udk atmufygtwdkif;azmfjyEdkifygw,f/
IMAGE_FILE_HEADER STRUCT
Machine WORD ?
NumberOfSections WORD ?
TimeDateStamp DWORD ?
PointerToSymbolTable DWORD ?
NumberOfSymbols DWORD ?
SizeOfOptionalHeader WORD ?
Characteristics WORD ?
IMAGE_FILE_HEADER ENDS
'DxJuawmfawmfrsm;rsm;udkawmh uRefawmfwdkU toHk;jyKrSmr[kwfygbl;/ 'gayr,fh NumberOfSections
udkawmh PE zdkifxJu section awGudk zsufcsif&ifyJjzpfjzpf? xyfxnfhcsif&ifyJjzpfjzpf toHk;jyK&ygw,f/
Characteristics rSmawmh flag awGyg0ifjyD; olwdkU[m PE zdkifudk executable zdkif(odkU) DLL zdkifvm;qdkwmudk
ajymay;Edkifygw,f/ PE header &JUtpuae 7ckajrmufpmvHk;[m NumberOfSections ygyJ/ Section b,fESpf
ckygovJqdkwm ajymygw,f/ yHk(4)/

yHk(4)
yHk(4)t& uRefawmfwdkU zGifhxm;wJh PE zdkifrSm section 5ck&Sdaewm awGU&ygw,f/ PE browse eJU Lord
PE wdkUudk toHk;jyKxm;ygw,f/
OptionalHeader uawmh 224bytes ae&m,lygw,f/ aemufqHk; 128bytes rSmawmh DataDirectory
yg0ifygw,f/
IMAGE_OPTIONAL_HEADER32 STRUCT
Magic WORD ?
MajorLinkerVersion BYTE ?
MinorLinkerVersion BYTE ?
SizeOfCode DWORD ?
SizeOfInitializedData DWORD ?
SizeOfUninitializedData DWORD ?
AddressOfEntryPoint DWORD ?
BaseOfCode DWORD ?
BaseOfData DWORD ?
ImageBase DWORD ?
SectionAlignment DWORD ?
FileAlignment DWORD ?
MajorOperatingSystemVersion WORD ?
MinorOperatingSystemVersion WORD ?
MajorImageVersion WORD ?
MinorImageVersion WORD ?
MajorSubsystemVersion WORD ?
MinorSubsystemVersion WORD ?
Win32VersionValue DWORD ?
SizeOfImage DWORD ?
SizeOfHeaders DWORD ?
CheckSum DWORD ?
Subsystem WORD ?
DllCharacteristics WORD ?
SizeOfStackReserve DWORD ?
SizeOfStackCommit DWORD ?
SizeOfHeapReserve DWORD ?
SizeOfHeapCommit DWORD ?
LoaderFlags DWORD ?
NumberOfRvaAndSizes DWORD ?
DataDirectory IMAGE_DATA_DIRECTORY 16 dup (<>)
IMAGE_OPTIONAL_HEADER32 ENDS

AddressOfEntryPoint - PE loader u PE zdkifudk run zdkUtoifhjzpfcsdefrSm yxrqHk;tvkyfvkyfr,fh
instruction &Sd&m RVA/ oifhtaeeJU oifMudKufESpfouf&m instruction udk tvkyfvkyfapcsif&ifawmh RVA udk
ajymif;wmyJjzpfjzpf? instruction udk jyifwmyJjzpfjzpf jyKvkyfEdkifygw,f/ Packer awGuawmh rsm;aomtm;jzifh
olwdkU&JU decompression stub &Sd&mudk nTef;MuwmjzpfwJhtwGuf y&dk*&rfudk execute vkyfwJhtcgrSm rlv entry
point (OEP) &Sd&mudk ausmfvTm;jcif;jzpfygw,f/ Starforce enf;ynmeJU protect vkyfxm;wJh zdkifawG[m disk
ay:rSm wnf&SdcsdefrSm .CODE section qdkwm r&Sdygbl;/ Execute vkyfcsdefrSom virtual memory xJukd
a&mufvmwmyg/ olUudk virtual address eJU azmfjyygw,f/
ImageBase - PE zdkifawGtwGuf preferred load address yg/ Oyrmajym&&if wu,fvdkU 'D field xJrSm
yg0ifwJhwefzdk;[m 400000h jzpfcJhr,fqdk&if? PE loader u 400000h upwJh virtual address ae&mxJ zdkifudk
ul;wifzdkU MudK;pm;ygvdrfhr,f/ 'Preferred' qdkwJhtoHk;tEHI;&JU qdkvdkcsufuawmh tjcm; module wpfckckudk 'D
address range rSm awGU&r,fqdk&if PE loader [m 'D address rSm zdkifudk ul;wifay;rSm r[kwfygbl;/ 99&m
cdkifEIef;avmufuawmh 400000h jzpfygw,f/
SectionAlignment - rSwfOmPfxJwGif section rsm;udk alignment csxm;rI/ erlemjy&&if wu,fvdkU 'D field
xJuwefzdk;[m 4096 (1000h) jzpf&if section wdkif;[m 4096bytes &JUajrSmufazmfudef;*Pef;awGeJU pwif&yg
r,fvdkUqdkvdkwmyg/ wu,fvdkU yxrqHk; section [m 401000h rSm&SdjyD; olU&JUt&G,ftpm;[m 10bytes yJ&SdcJh
&ifawmif aemuf section [m 402000h rSm prSmyg/ 401000h eJU 402000h Mum;u vGwfaewJh address
ae&mawGudkawmh rsm;om;tm;jzifh toHk;jyKrSm r[kwfygbl;/
FileAlignment - zdkifxJwGif section rsm;udk alignment csxm;rI/ erlemjy&&if wu,fvdkU 'D field xJu
wefzdk;[m 512 (200h) jzpf&if section wdkif;[m 512bytes &JUajrSmufazmfudef;*Pef;awGeJU pwif&ygr,fvdkU
qdkvdkwmyg/ wu,fvdkU yxrqHk; section [m offset 200h rSm&SdjyD; olU&JUt&G,ftpm;[m 10bytes yJ&SdcJh&if
awmif aemuf section [m 400h rSm prSmyg/ 512 eJU 1024 Mum;u vGwfaewJh offset ae&mawGudkawmh toHk;
jyKrSm r[kwfygbl;/
SizeOfImage - rSwfOmPfxJu PE image &JU pkpkaygif;t&G,ftpm;jzpfygw,f/ SectionAlignment t&
align vkyfxm;wJh header tm;vHk;eJU section tm;vHk;&JUaygif;v'fjzpfygw,f/
SizeOfHeaders - section table eJU header tm;vHk;wdkU&JU t&G,ftpm;yJ jzpfygw,f/ jcHKajym&&if 'Dwefzdk;[m
zdkift&G,ftpm;xJuae zdkifxJrSm&SdwJh section tm;vHk;aygif;xm;wJh t&G,ftpm;udk EIwfjcif;eJU nDrQygw,f/
DataDirectory - IMAGE_DATA_DIRECTORY structure 16 ck&SdwJh array wpfckjzpfjyD; wpfckpD[m
import address table (IAT) vdk PE zdkifxJu ta&;MuD;wJh data structure wpfckpDeJU qufEG,faeygw,f/
yHk(5)rSm azmfjyxm;wmuawmh PE header &JU zGJUpnf;yHkudk hexeditor eJU Munfhxm;wmyg/ owdjyK&rSm
uawmh DOS header eJU PE header &JU b,ftpdwftydkif;rqdk hexeditor rSmMunfh&if t&G,ftpm;eJU
yHkoP²mefawG[m wlnDaerSmyg/ DOS STUB uawmh t&G,ftpm; ajymif;vJEdkifygw,f/

yHk(5)
PE header taMumif;udk Olly rSmvJ tao;pdwf MunfhvdkU&ygw,f/ Olly debugger udk zGifhjyD; Alt +
M udkESdyfyg/ yHk(6)twdkif; jrif&ygr,f/

yHk(6)
yHk(6)u PE header qdkwJh pmom;ae&mudk right-click ESdyfjyD; Dump in CPU udk a&G;&if yHk(7)twdkif;
jrif&rSm jzpfygw,f/

yHk(7)
yHk(7)u hex window rSm right-click ESdyfjyD; special u PE header udk a&G;vdkuf&ifawmh yHk(8)
twdkif; jrif&rSmyg/

yHk(8)
(4) Data Directory
DataDirectory taMumif; xyfajym&r,fqdk&ifawmh DataDirectory qdkwm OptionalHeader &JU
aemufqHk; 128bytes yJjzpfygw,f/ OptionalHeader qdkwmuvJ PE header jzpfwJh IMAGE_NT_
HEADERS &JU aemufqHk; member jzpfygw,f/
a&SUrSmajymcJhovdk DataDirectory [m 16 ck&SdwJh IMAGE_DATA_DIRECTORY &JU array
wpfckjzpfjyD; structure wpfckpD[m PE zdkifxJu ta&;MuD;wJh data structure wpfckpDeJU qufEG,faeygw,f/
Array toD;oD;[m import table vdk MudKwifowfrSwfxm;whJ item wpfckpDudk &nfnTef;ygw,f/ Structure rSm
member ESpfck&SdjyD; wpfcku wnfae&meJU aemufwpfcku t&G,ftpm;udk jyygw,f/
IMAGE_DATA_DIRECTORY STRUCT
VirtualAddress DWORD ?
isize DWORD ?
IMAGE_DATA_DIRECTORY ENDS

VirtualAddress uawmh data structure &JU relative virtual address (RVA) jzpfygw,f/ isize
uawmh byte eJUjywJh data structure &JU t&G,ftpm;jzpfygw,f/
windows.inc rSm aMunmxm;wJh directory 16 ck&JUtrnfawGuawmh atmufygtwdkif; jzpfygw,f -
IMAGE_DIRECTORY_ENTRY_EXPORT equ 0
IMAGE_DIRECTORY_ENTRY_IMPORT equ 1
IMAGE_DIRECTORY_ENTRY_RESOURCE equ 2
IMAGE_DIRECTORY_ENTRY_EXCEPTION equ 3
IMAGE_DIRECTORY_ENTRY_SECURITY equ 4
IMAGE_DIRECTORY_ENTRY_BASERELOC equ 5
IMAGE_DIRECTORY_ENTRY_DEBUG equ 6
IMAGE_DIRECTORY_ENTRY_COPYRIGHT equ 7
IMAGE_DIRECTORY_ENTRY_GLOBALPTR equ 8
IMAGE_DIRECTORY_ENTRY_TLS equ 9
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG equ 10
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT equ 11
IMAGE_DIRECTORY_ENTRY_IAT equ 12
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT equ 13
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR equ 14
IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16

LordPE rSm erlem exe zdkifwpfckudkMunfhr,fqdk&if yHk(9)twdkif; jrif&rSmyg/

yHk(9)
yHk(9)udk Munfhr,fqdk&if tjyma&mif highlight jc,fxm;wJh 4ckrSty usefwJhtoHk;rjyKwJhtuGufae&m
awGrSm oknawGeJU jynhfaewm awGU&rSmyg/

yHk(10)
yHk(10)udkMunfhr,fqdk&if import directory udk yef;a&mifeJU jyxm;ygw,f/ yxrqHk; 4bytes uawmh
40000h (ajymif;jyefpDwmjzpfygw,f) jzpfygw,f/ Import directory &JU t&G,ftpm;uawmh 1CDCh bytes
jzpfygw,f/ PE header &JUtpuae DWORD 80bytes [m tjrJwrf; import directory &JU RVA
yJjzpfygw,f/ t0ga&mifuawmh resource directory jzpfjyD;? c&rf;a&mifuawmh TLS directory jzpfygw,f/
wduswJh directory wpfckudk xm;&SdzdkUtwGuf oifhtaeeJU data directory uaepjyD; virtual address
udkwGufcsuf&ygr,f/ 'Dhaemufawmh b,f directory [m b,f section xJrSm&Sdw,fqdkwm odEdkifzdkU virtual
address udk toHk;jyKyg/ b,f section xJrSm b,f directory awGygovJqdkwm odwmeJU wduswJh offset udk
&SmEdkifzdkU 'D section &JU section header udk toHk;jyKyg/
(5) Section Table
Section table uawmh PE header aemufrSm uyfvdkufvmwmyg/ ol[m IMAGE_SECTION_
HEADER structure yHkpH array wpfckjzpfjyD; member toD;oD;rSm attribute eJU virtual offset pwJh PE
zdkifxJu section toD;oD;&JUtaMumif;tcsufawGyg0ifygw,f/ Section ta&twGufudkazmfjyEdkifwmu file
header &JU 'kwd, member jzpfw,fqdkwm trSwf&yg/ (PE header &JUtprS 6bytes pmae&m)/ wu,fvdkU
om PE zdkifrSm section 8ck&Sdw,fqdk&if table xJu 'D structure xJrSmvJ tyGm; 8 ck&SdrSmyg/ Header
structure toD;oD;[m 40bytes &SdjyD; windows.inc rSm 'DvdkaMunmxm;ygw,f/
IMAGE_SECTION_HEADER STRUCT
Name1 BYTE IMAGE_SIZEOF_SHORT_NAME dup (?)
union Misc
PhysicalAddress DWORD ?
VirtualSize DWORD ?
ends
VirtualAddress DWORD ?
SizeOfRawData DWORD ?
PointerToRawData DWORD ?
PointerToRelocations DWORD ?
PointerToLinenumbers DWORD ?
NumberOfRelocations WORD ?
NumberOfLinenumbers WORD ?
Characteristics DWORD ?
IMAGE_SECTION_HEADER ENDS
IMAGE_SIZEOF_SHORT_NAME equ 8

'D structure xJu member wdkif;[m toHk;r0ifvSwJhtwGuf wu,fta&;MuD;wJh member
awGtaMumif;udkom &Sif;jyygr,f/
Name1 - ('D field [m 8bytes &Sdygw,f) trnf[m label wpfckrQomjzpfjyD; uGufvyftaeeJU xm;&ifawmif
&ygw,f/ owdxm;&rSmu ol[m ASCII string r[kwfwJhtwGuf \0 (null terminator) eJU tqHk;owfp&m
rvkdygbl;/
VirtualSize - (DWORD union) Section xJrSm&SdwJh a'wmawG&JU wu,fht&G,ftpm;jzpfjyD; byte eJU
jyygw,f/ ol[m disk ay:rSm&SdwJh section &JU t&G,ftpm; (SizeOfRawData) xuf enf;aumif;enf;Edkif
ygw,f/ wu,fvdkU 'Dwefzdk;[m SizeOfRawData xuf MuD;aeygu section rSm oknawGeJU jynfhaerSmjzpfyg
w,f/
VirtualAddress- Section &JU RVA jzpfygw,f/ PE loader [m rSwfOmPfxJ section udk map vkyfcsdefrSm
'D field xJu wefzdk;udk ppfaq;jyD; toHk;jyKygw,f/ 'gaMumifhrdkU wu,fvdkU 'D field xJu wefzdk;[m 1000h
jzpfr,fqdk&if PE zdkif[m 400000h rSm pwifjyD; section uawmh 401000h rSm prSmyg/
SizeOfRawData - Disk ay:u zdkifxJrSm&SdwJh section &JUa'wmt&G,ftpm;jzpfygw,f/ Module header rS
FileAlignment \ qwdk;udef;jzpfjyD;? wu,fvdkU olUwefzdk;[m virtual size xufi,fae&if section &JU
usefwJhtydkif;awG[m okneJU jynfhaerSm jzpfygw,f/ Section rSm uninitialized a'wmawG oufoufyJ &Sdcsdef
rSm 'Dae&m[m oknjzpf&ygr,f/
PointerToRawData - (Raw Offset) - PointerToRawData [m tvGeftoHk;0ifvSygw,f/ bmaMumifhvJ
qdkawmh ol[m zdkif&JUtpuae section &JUa'wmawGxd&SdwJh offset jzpfaevdkUyg/ wu,fvdkU ol[moknjzpfcJh&if
zdkifxJrSm section &JUa'wmawG ygrSmr[kwfygbl;/ ol[m module header u FileAlignment &JU qwdk;udef;
jzpf&ygr,f/ Section rSm uninitialized a'wmawGoufoufyJ&SdcsdefrSm 'Dae&m[m oknjzpf&ygr,f/ PE loader
uawmh 'D field xJrSm&SdwJhwefzdk;udktoHk;jyKjyD; zdkifxJub,f section rSm a'wmawG&SdovJqdkwm &Smygvdrfhr,f/
Characteristics - section rSmyg0ifwJh exe uk'f? initialized data? uninitialized data pwmawGudk a&;jcif;^
zwfjcif;pwJh flag awGyg0ifygw,f/
FLAG               EXPLANATION
00000008           Section should not be padded to next boundary
00000020           Section contains code
00000040           Section contains initialised data (which will become initialised with real values before the file is launched)
00000080           Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200           Section contains comments for the linker
00000800           Section contents will not become part of image
00001000           Section contents comdat (Common Block Data)
00008000           Section contents cannot be accessed relative to GP
00100000-00800000  Boundary alignment settings
01000000           Section contains extended relocations
02000000           Section can be discarded (e.g. .reloc)
04000000           Section is not cacheable
08000000           Section is pageable
10000000           Section is shareable
20000000           Section is executable
40000000           Section is readable
80000000           Section is writable
PE header rSmwkef;u section 5ckawGUcJh&wJh uRefawmfwdkU&JUy&dk*&rfudk hexeditor eJU Munfhvdkuf&if
yHk(11)twdkif; jrif&rSmyg/

yHk(11)
yHk(11)u tpdrf;a&mifeJU jyxm;wmuawmh PointerToRawData yg/ ydkjyD;&Sif;vif;atmif yHk(12)twdkif;
LordPE eJU Munfhygr,f/

yHk(12)
Section header tjyD;rSmawmh section awGudk &Smygw,f/ Disk ay:uzdkifxJrSmawmh section
toD;oD;[m wpfckuaepwifygw,f/ qdkvdkwmu Optional header rSmawGU&wJh FileAlignment wefzdk;&JU
ajrSmufazmfudef;tcsdKUuaejzpfygw,f/ Section toD;oD;&JU a'wmawGMum;rSmawmh oknawGjzpfaerSmyg/
RAM ay:udkul;wifcsdefrSm section awG[m page boundary ay:rSmyJtjrJwrf; pwifMuygw,f/
'gaMumifhrdkU section toD;oD;&JU yxrqHk; byte [m memory page eJU oufqdkifwmyg/ x86 CPU &JU page
awGuawmh 4kB eJU align vkyfxm;jyD; IA-64 uawmh 8kB eJU align vkyfxm;ygw,f/ 'D alignment
wefzdk;udkawmh OptionalHeader rSmvdkyJ SectionAlignment xJrSm odrf;xm;ygw,f/
Oyrmjy&&if? wu,fvdkU optional header [m file offset 981 rSmqHk;jyD; FileAlignment [m 512
jzpfr,fqdk&if yxrqHk; section [m byte 1024 rSm pygvdrfhr,f/ rSwfxm;&rSmuawmh oifhtaeeJU section
awGudk PointerToRawData (odkU) VirtualAddress uae &SmEdkifygw,f/ 'gaMumifh alignment awGeJU
tjiif;yGm;aep&m rvdkawmhygbl;/
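The DOS header, PE header, DataDirectory and section table described in (2) to (5) above, walked by a parser added here as an illustration (it is not code from this book). The image it parses is constructed in memory with struct, following the windows.inc layouts quoted above; the RVA-to-file-offset step is the "find the section, then use its header" procedure from (4), and the flag names come from the Characteristics table.

```python
import struct

# Section Characteristics flags, taken from the table in this chapter
SECTION_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x02000000: "DISCARDABLE",
    0x10000000: "SHARED",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}

FILE_HEADER_FMT = "<HHIIIHH"                                       # IMAGE_FILE_HEADER, 20 bytes
OPT_HEADER_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # IMAGE_OPTIONAL_HEADER32 before DataDirectory, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                      # IMAGE_SECTION_HEADER, 40 bytes


def align_up(value, alignment):
    """Round value up to the next multiple of alignment (SectionAlignment / FileAlignment)."""
    return (value + alignment - 1) // alignment * alignment


def describe_flags(characteristics):
    """Names of the flags set in a section's Characteristics DWORD, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if characteristics & bit]


def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # offset of the PE header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig != b"PE\x00\x00":
        other = {b"NE": "16-bit Windows NE", b"LE": "Windows 3.x VxD", b"LX": "OS/2 2.0"}
        raise ValueError("not a PE image: signature %r (%s)" % (sig[:2], other.get(sig[:2], "unknown")))
    fh_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, fchars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + 20
    opt = struct.unpack_from(OPT_HEADER_FMT, data, opt_off)
    dd_off = opt_off + 96                                          # DataDirectory starts at PE header + 78h
    import_rva, import_size = struct.unpack_from("<II", data, dd_off + 8 * 1)  # entry 1 = IMPORT
    sections = []
    sec_off = opt_off + opt_size                                   # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii"),
            "virtual_size": vsize, "virtual_address": va,
            "size_of_raw_data": rawsize, "pointer_to_raw_data": rawptr,
            "flags": describe_flags(schars),
        })
    return {
        "machine": machine, "number_of_sections": nsections,
        "is_dll": bool(fchars & 0x2000),                           # IMAGE_FILE_DLL in Characteristics
        "entry_point": opt[6], "image_base": opt[9],
        "section_alignment": opt[10], "file_alignment": opt[11],
        "size_of_image": opt[19], "size_of_headers": opt[20],
        "import_directory": (import_rva, import_size),
        "import_directory_offset": dd_off + 8 - e_lfanew,          # 80h from the PE header start
        "sections": sections,
    }


def rva_to_file_offset(info, rva):
    """Convert an RVA to a file offset using the section table (header bytes map 1:1)."""
    for s in info["sections"]:
        span = max(s["virtual_size"], s["size_of_raw_data"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["pointer_to_raw_data"]
    if rva < info["size_of_headers"]:
        return rva
    raise ValueError("RVA %#x is not backed by any section" % rva)


def build_sample_pe():
    """Constructed minimal PE32 image (not a real program): MZ header, PE header at 0x80,
    two sections, FileAlignment 0x200, SectionAlignment 0x1000, import directory inside .data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt_hdr = struct.pack(OPT_HEADER_FMT,
        0x10B, 14, 0,                   # Magic PE32, linker version
        0x200, 0x200, 0,                # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000,         # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,        # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,               # OS / image / subsystem versions
        0, 0x3000, 0x200, 0,            # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                           # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * 1, 0x2010, 0x40)             # import directory RVA / size
    def sec(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    hdrs = (bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + file_hdr + opt_hdr + bytes(dirs)
            + sec(b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)
            + sec(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040))
    hdrs += b"\x00" * (0x200 - len(hdrs))                          # pad headers to FileAlignment
    return hdrs + b"\xCC" * 0x200 + b"\x00" * 0x200                # raw .text, then raw .data
```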
(6) PE File Sections
Sections contain code, data, resources and other information. Each section has a header and a body (the raw data). The section table holds the section headers, but the section bodies have no rigid file structure: as long as the header carries enough information to decipher the data, the linker can organise them however it likes.
A Windows NT application has about 9 predefined section names: .text, .bss, .data, .rdata, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others may need more.

(6.1) Executable code section


In Windows NT all code segments reside in a single section called .text or CODE. Since Windows NT uses a virtual memory management system, having one large code section is easier to manage both for the OS and for the application developer. This section contains the entry point mentioned earlier and the jump thunk table that points into the IAT.
(6.2) Data section
The .bss section represents the uninitialized data of the application, including all variables declared as static within a function or source module.
The .rdata section represents read-only data such as literal strings, constants and debug directory information.
All other variables (except automatic variables, which live on the stack) are stored in the .data section.
(6.3) Resource section
The .rsrc section contains the resource information for a module. Its first 16 bytes form a header, like most other sections, but when this section's data is viewed with a resource editor it can be seen to be organised as a resource tree. ResHacker is a freely available tool that can add, delete and modify resources. See Figure (13).

Figure (13)
This tool is widely used for viewing dialog boxes. The nag screens found in some shareware applications can easily be deleted with it.
(6.4) Export data section
The .edata section contains the export directory of an application or DLL. It holds the addresses and names of the exported functions. This will be explained in detail later.
(6.5) Import data section
The .idata section contains all the information about imported functions, including the Import Directory and the Import Address Table. This will also be discussed in detail later.
(6.6) Debug information section
Debug information is initially placed in the .debug section. The PE file format also supports separate debug files (normally with a .dbg extension). Although the debug section holds the debug information, the debug directories live in the .rdata section mentioned earlier; each debug directory refers back to the debug information in the .debug section.

(6.7) Base Relocation section


When the linker creates an exe file, it makes an assumption about where in memory the file will be mapped. Based on that assumption, the linker puts the real addresses of code and data items into the exe file. If the loader can load the file at the base address the linker assumed, the data in the .reloc section is not needed and is ignored.
The entries in the .reloc section are called base relocations because their use depends on the base address of the loaded image. Base relocations are a collection of locations in the image that need a value added to them. Their format is a little odd: base relocation entries are packaged into a series of chunks, and each chunk describes the relocations for one 4KB page of the image.
To see how base relocations work, let's look at an example. Suppose an exe file is linked with a base address of 0x10000. At offset 0x2134 in the image there is a pointer containing the address of a string. The string starts at physical address 0x14002, so the pointer contains the value 0x14002. When the file is loaded, the loader decides that it has to map the image starting at physical address 0x60000. The difference between the linker-assumed base load address and the actual load address is called the delta; here the delta is 0x50000. Since the whole image is 0x50000 bytes higher in memory, the string is now at address 0x64002, and the pointer to the string is no longer correct. The exe file contains a base relocation for the memory location of the pointer that refers to the string. To resolve a base relocation, the loader adds the delta to the original value found at the base relocation address. Here the loader adds 0x50000 to the original pointer value 0x14002 and stores the result, 0x64002, back in the pointer's memory location.
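The walk-through above, carried out in code as an added example (my own, not the book's): a flat buffer stands in for the mapped image, the pointer at RVA 0x2134 holds 0x14002, and a constructed .reloc section holds one chunk per 4KB page in the IMAGE_BASE_RELOCATION layout (page RVA, chunk size, then 16-bit entries whose top 4 bits give the type and low 12 bits the offset within the page). Moving the image from 0x10000 to 0x60000 must turn the pointer into 0x64002. The relocation RVA 0x5000 and the second pointer at RVA 0x3010 are sample values chosen for the example.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry used to keep chunks DWORD-aligned; skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer: add the whole delta to it


def apply_base_relocations(image, reloc_rva, reloc_size, image_base, load_base):
    """Apply every chunk in the .reloc data to a flat image indexed by RVA.
    Returns (patched image, number of pointers fixed).  Malformed chunks and
    relocation types this example does not handle raise ValueError."""
    delta = (load_base - image_base) & 0xFFFFFFFF
    patched = bytearray(image)
    fixed = 0
    offset, end = reloc_rva, reloc_rva + reloc_size
    while offset + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", patched, offset)
        if block_size < 8 or offset + block_size > end:
            raise ValueError("malformed relocation block at RVA %#x" % offset)
        for entry_offset in range(offset + 8, offset + block_size, 2):
            entry = struct.unpack_from("<H", patched, entry_offset)[0]
            rel_type, page_offset = entry >> 12, entry & 0xFFF
            if rel_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rel_type != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % rel_type)
            target = page_rva + page_offset
            old = struct.unpack_from("<I", patched, target)[0]
            struct.pack_into("<I", patched, target, (old + delta) & 0xFFFFFFFF)
            fixed += 1
        offset += block_size
    return bytes(patched), fixed


def pointer_at(image, rva):
    """Read the DWORD stored at an RVA of the flat image."""
    return struct.unpack_from("<I", image, rva)[0]


def build_sample_image():
    """Constructed image linked at base 0x10000: a pointer at RVA 0x2134 holding
    0x14002 (the string's address), a second pointer at RVA 0x3010 holding
    0x10500, and .reloc data at RVA 0x5000 with one chunk per 4KB page."""
    img = bytearray(0x5100)
    struct.pack_into("<I", img, 0x2134, 0x14002)
    struct.pack_into("<I", img, 0x3010, 0x10500)
    # Each chunk: page RVA, SizeOfBlock (8 + 2 per entry), then the entries.
    chunk_2000 = struct.pack("<II", 0x2000, 12) + struct.pack("<HH", (3 << 12) | 0x134, 0)
    chunk_3000 = struct.pack("<II", 0x3000, 12) + struct.pack("<HH", (3 << 12) | 0x010, 0)
    reloc = chunk_2000 + chunk_3000
    img[0x5000:0x5000 + len(reloc)] = reloc
    return bytes(img), 0x5000, len(reloc)
```

When the image lands at its preferred base the delta is zero and the loop leaves every pointer unchanged, which is exactly why the loader can skip .reloc in that case.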
(7) Export Sections
This section is mainly relevant to DLLs. The following paragraphs are taken from the Win32 Programmer's Reference and explain what a DLL is.
In Microsoft® Windows® dynamic-link libraries (DLL) are modules that contain functions and data. A DLL is
loaded at runtime by its calling modules (.EXE or DLL). When a DLL is loaded it is mapped into the address space
of the calling process.
DLLs can define two kinds of functions: exported and internal. The exported functions can be called by other
modules. Internal functions can only be called from within the DLL where they are defined. Although DLLs can
export data, its data is usually only used by its functions.
DLLs provide a way to modularize applications so that functionality can be updated and reused more easily. They
also help reduce memory overhead when several applications use the same functionality at the same time because
although each application gets its own copy of the data they can share the code.
The Microsoft® Win32® application programming interface (API) is implemented as a set of dynamic-link libraries
so any process using the Win32 API uses dynamic linking.

Functions can be exported from a DLL in two ways: by name or by ordinal. An ordinal is a 16-bit (WORD) number that uniquely identifies a function within a particular DLL. Exporting by ordinal is discussed later.
If a function is exported by name, other DLLs or exes that call the function use either its name or its ordinal in GetProcAddress. The GetProcAddress function returns the address of the exported DLL function. The Win32 Programmer's Reference explains how GetProcAddress works as follows (in reality there is more to it, but Microsoft does not document it). Read the highlighted parts carefully.
GetProcAddress
The GetProcAddress function returns the address of the specified exported dynamic-link library (DLL) function.
FARPROC GetProcAddress(
HMODULE hModule, // handle to DLL module
LPCSTR lpProcName // name of function
);
Parameters

hModule
Identifies the DLL module that contains the function. The LoadLibrary or GetModuleHandle function
returns this handle.
lpProcName
Points to a null-terminated string containing the function name, or specifies the function's ordinal value. If
this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.
Return Values
If the function succeeds, the return value is the address of the DLL's exported function.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
Remarks
The GetProcAddress function is used to retrieve addresses of exported functions in DLLs.
The spelling and case of the function name pointed to by lpProcName must be identical to that in the EXPORTS
statement of the source DLL's module-definition (.DEF) file.
The lpProcName parameter can identify the DLL function by specifying an ordinal value associated with the
function in the EXPORTS statement. GetProcAddress verifies that the specified ordinal is in the range 1 through
the highest ordinal value exported in the .DEF file. The function then uses the ordinal as an index to read the
function's address from a function table. If the .DEF file does not number the functions consecutively from 1 to N
(where N is the number of exported functions), an error can occur where GetProcAddress returns an invalid, non-
NULL address, even though there is no function with the specified ordinal.
In cases where the function may not exist, the function should be specified by name rather than by ordinal value.
See Also
FreeLibrary, GetModuleHandle, LoadLibrary
GetProcAddress can do this because the names and addresses of the exported functions are kept in a structure in the Export Directory. We can locate the Export Directory because it is the first element of the data directory and its RVA is at offset 78h from the start of the PE header.
The export structure is called IMAGE_EXPORT_DIRECTORY. It has 11 members, some of which are unimportant.
IMAGE_EXPORT_DIRECTORY STRUCT
Characteristics DWORD ?
TimeDateStamp DWORD ?
MajorVersion WORD ?
MinorVersion WORD ?
nName DWORD ?
nBase DWORD ?
NumberOfFunctions DWORD ?
NumberOfNames DWORD ?
AddressOfFunctions DWORD ?
AddressOfNames DWORD ?
AddressOfNameOrdinals DWORD ?
IMAGE_EXPORT_DIRECTORY ENDS

nName - The internal name of the module. This field is necessary because the user can rename the file; if that happens, the PE loader uses this internal name.
nBase - Starting ordinal number (needed to turn ordinals into indexes into the function address array).
NumberOfFunctions - Total number of functions (also referred to as symbols) exported by the module.
NumberOfNames - Number of symbols exported by name. This is not the number of all functions/symbols in the module; for that you must check NumberOfFunctions. It can be 0, in which case the module exports by ordinal only. If there are no functions/symbols to export at all, the RVA of the export table in the data directory will be zero.
AddressOfFunctions - An RVA pointing to an array of RVAs of the functions in the module, the Export Address Table (EAT). The RVAs of all functions in the module are kept in this array, and this field points to its head.

AddressOfNames - An RVA pointing to an array of RVAs of the function names in the module, the Export Name Table (ENT).
AddressOfNameOrdinals - An RVA pointing to a 16-bit array containing the ordinals of the named functions, the Export Ordinal Table (EOT).

Figure (14)
So the IMAGE_EXPORT_DIRECTORY structure points to three arrays and an ASCII string table. The most important array is the EAT, an array of function pointers holding the addresses of the exported functions. The other two arrays (the ENT and the EOT) run in parallel, in ascending order of function name, so a binary search can be performed on a function's name and yields its ordinal, found at the same position in the other array. The ordinal is simply the index into the EAT for that function.
Because the EOT array exists as the linkage between names and addresses, it cannot have more elements than the ENT array; that is, each name can have only one associated address. The reverse is not true: an address may have several names associated with it. If there are aliases, functions that refer to the same address, then the ENT will have more elements than the EOT.

Figure (15)

For example, if a DLL exports 40 functions, the array pointed to by AddressOfFunctions (the EAT) must have 40 members, and the NumberOfFunctions field must hold the value 40.
To find a function's address from its name, the OS first obtains the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it searches the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) for the function name. If the name is found in the ENT, the value in the corresponding element of the EOT is extracted and used as an index into the EAT.
For example, let's look up functionX in our DLL with 40 functions. Suppose we find the name of functionX (indirectly, through another pointer) in the 39th element of the ENT; we then look at the 39th element of the EOT and find the value 5. To find the RVA of functionX we therefore look at the 5th element of the EAT.
If you already have a function's ordinal, you can find its address by going straight to the EAT. Getting a function's address from its ordinal is faster and easier than using its name, but the drawback is that the module becomes hard to maintain: if the DLL is upgraded/updated and the ordinals of its functions change, other programs that depend on the DLL will break.
(7.1) Exporting by ordinal only
NumberOfFunctions must be at least equal to NumberOfNames. Sometimes, however, NumberOfNames will be smaller than NumberOfFunctions. If a function is exported by ordinal only, it has no entry in either the ENT or the EOT; it does not even have a name. Functions without names can only be exported by ordinal.
For example, if there are 70 functions but only 40 entries in the ENT, then 30 functions in the module are exported by ordinal only. Now how do we find out which functions these are? This is not easy. You have to work by exclusion: the EAT entries that hold the RVAs of the ordinal-only functions are exactly the ones never referenced from the EOT.
The programmer can specify the starting ordinal number in the .def file. For example, the table in Figure (15) could start at 200. To avoid the need for 200 empty entries at the start of the array, the nBase member holds the starting value, and the loader subtracts it from the ordinal number to obtain the correct index into the EAT.
(7.2) Export Forwarding
Sometimes functions appear to be exported from a particular DLL while they actually reside in a completely different DLL. This is called export forwarding. For example, on WinNT, Win2k and XP the kernel32.dll function HeapAlloc is forwarded to the RtlAllocHeap function exported by ntdll.dll. ntdll.dll contains the native API, which interfaces directly with the Windows kernel. Forwarding is performed at link time by a special instruction in the .DEF file.
Forwarding is one of Microsoft's ways of exposing a common Win32 API set while hiding the significant low-level differences between the internal API sets of Windows NT and Windows 98.
Applications are not supposed to call functions in the native API set, because that would break compatibility between the internal API sets of Windows 9x and Windows 2k/XP. This is also why packed exe files that are unpacked on one OS, with their imports reconstructed by hand, may not work on another OS; this can be due to the forwarding scheme or to other details that change.

When a symbol (function) is forwarded, its RVA cannot be a code or data address in the current module. Instead, the EAT entry contains a pointer to an ASCII string naming the DLL and the function it is forwarded to. In the earlier example this would be RtlAllocHeap of ntdll.dll.
If the EAT entry for a function points to an address inside the export section (that is, to an ASCII string), you know that the function is forwarded.
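To tie sections (7), (7.1) and (7.2) together, here is an added Python example (my own code, not the book's and not Microsoft's implementation) that decodes an IMAGE_EXPORT_DIRECTORY from a flat image indexed by RVA: it binary-searches the ENT, takes the EOT entry at the same position, subtracts nBase to index the EAT, rejects out-of-range ordinals the way GetProcAddress is documented to, lists ordinal-only exports by exclusion, and recognises a forwarded export by an EAT entry that points back into the export section. The DLL image it parses is constructed inline; the name SAMPLE.dll, the RVAs, nBase 200 and the forwarder string NTDLL.RtlAllocateHeap are sample values.

```python
import struct
from bisect import bisect_left

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def c_string(image, rva):
    """Read a null-terminated ASCII string at an RVA of a flat image."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_export_directory(image, export_rva, export_size):
    """Decode the export directory of a flat image indexed by RVA (the module as
    mapped).  EAT entries become ("rva", value) or ("forward", "DLL.Func")."""
    (_chars, _stamp, _major, _minor, name_rva, base, nfuncs, nnames,
     eat_rva, ent_rva, eot_rva) = EXPORT_DIR.unpack_from(image, export_rva)
    eat_raw = struct.unpack_from("<%dI" % nfuncs, image, eat_rva)
    ent_raw = struct.unpack_from("<%dI" % nnames, image, ent_rva)
    eot = list(struct.unpack_from("<%dH" % nnames, image, eot_rva))
    eat = []
    for rva in eat_raw:
        if rva == 0:
            eat.append(None)                                 # unused EAT slot
        elif export_rva <= rva < export_rva + export_size:
            eat.append(("forward", c_string(image, rva)))    # points back into .edata
        else:
            eat.append(("rva", rva))
    return {"module": c_string(image, name_rva), "base": base, "eat": eat,
            "names": [c_string(image, rva) for rva in ent_raw], "eot": eot}


def lookup_by_ordinal(exports, ordinal):
    """EAT index = ordinal - nBase; ordinals outside the exported range give None."""
    index = ordinal - exports["base"]
    if not 0 <= index < len(exports["eat"]):
        return None
    return exports["eat"][index]


def lookup_by_name(exports, name):
    """Binary-search the (sorted) ENT, take the EOT entry at that position,
    add nBase to get the ordinal and resolve it through the EAT."""
    names = exports["names"]
    pos = bisect_left(names, name)
    if pos == len(names) or names[pos] != name:
        return None
    return lookup_by_ordinal(exports, exports["base"] + exports["eot"][pos])


def ordinal_only_exports(exports):
    """Ordinals whose EAT slot is in use but is never referenced from the EOT."""
    referenced = set(exports["eot"])
    return [exports["base"] + i for i, entry in enumerate(exports["eat"])
            if entry is not None and i not in referenced]


def build_sample_dll():
    """Constructed export section at RVAs 0x100..0x400 of a flat image: three
    named exports (one forwarded to NTDLL) plus one export by ordinal only,
    with nBase = 200.  All values are sample data, not from a real DLL."""
    img = bytearray(0x1100)
    names = ["Alloc", "Beta", "Gamma"]          # ENT must be sorted for binary search
    eot = [1, 0, 2]                             # unbiased EAT indexes, parallel to ENT
    eat = [0x1010, 0x380, 0x1020, 0x1030]       # 0x380 lies inside the export section
    img[0x300:0x30B] = b"SAMPLE.dll\0"
    name_rvas, cursor = [], 0x310
    for name in names:
        blob = name.encode("ascii") + b"\0"
        img[cursor:cursor + len(blob)] = blob
        name_rvas.append(cursor)
        cursor += len(blob)
    forwarder = b"NTDLL.RtlAllocateHeap\0"
    img[0x380:0x380 + len(forwarder)] = forwarder
    struct.pack_into("<4I", img, 0x200, *eat)
    struct.pack_into("<3I", img, 0x240, *name_rvas)
    struct.pack_into("<3H", img, 0x280, *eot)
    EXPORT_DIR.pack_into(img, 0x100, 0, 0, 0, 0, 0x300, 200, 4, 3, 0x200, 0x240, 0x280)
    return bytes(img), 0x100, 0x300


SAMPLE_EXPORTS = parse_export_directory(*build_sample_dll())
```

The export_size argument is the size field of the export data directory entry; the forwarder test depends on it, so a tool reading a real file should take both the RVA and the size from the data directory rather than guessing the section bounds.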
(8) Import Sections
The import section (.idata) contains information about all the functions imported from DLLs. This information is stored in several data structures; the most important of them are the Import Directory and the Import Address Table, discussed below. Some executable files may also have Bound_Import and Delay_Import directories. Delay_Import is not very important for us, but the Bound_Import directory will be discussed later.
The job of the Windows loader is to load all the DLLs used by the application and map them into the process address space. It also has to find the addresses of all the imported functions in the various DLLs and make them available to the executable at load time.
The addresses of functions in a DLL are not static; they change when updated versions of the DLL are released. So applications cannot be built with hard-coded function addresses. A mechanism was therefore needed that does not require the executable's code to be modified again and again at run time. This is solved with an Import Address Table (IAT), which is simply a table of pointers to function addresses that the Windows loader fills in when it loads the DLLs.
By using a pointer table, the loader no longer has to change the addresses of the imported functions wherever they are called in the code. All it has to do is put the correct address into one place in the import table.
(8.1) Import Directory
The Import Directory is actually just an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and describes one DLL from which our PE file imports functions. For example, if our PE file imports functions from 10 different DLLs, there will be 10 IMAGE_IMPORT_DESCRIPTORs in this array. There is no field giving the number of structures in the array; instead, the last structure has its fields filled with zeros.
As with the Export Directory, you can find where the Import Directory is (80 bytes from the start of the PE header). The first and last members are the most important.
IMAGE_IMPORT_DESCRIPTOR STRUCT
union
Characteristics DWORD ?
OriginalFirstThunk DWORD ?
ends
TimeDateStamp DWORD ?
ForwarderChain DWORD ?
Name1 DWORD ?
FirstThunk DWORD ?
IMAGE_IMPORT_DESCRIPTOR ENDS

The first member, OriginalFirstThunk, is a DWORD union; it could also be a set of flags. In any case Microsoft changed its meaning and never bothered to update WINNT.H. What this field actually contains is the RVA of an array of IMAGE_THUNK_DATA structures.

TimeDateStamp is set to zero (it can also be -1). The ForwarderChain member is used for old-style binding and is not considered here. Name1 contains a pointer (an RVA) to the ASCII name of the DLL.
The last member, FirstThunk, likewise contains the RVA of an array of DWORD-sized IMAGE_THUNK_DATA structures; it is a duplicate of the first array. If the function in question is a bound import, FirstThunk holds the actual address of the function instead of an RVA to an IMAGE_THUNK_DATA. These structures can be defined as follows.
IMAGE_THUNK_DATA32 STRUCT
union u1
ForwarderString DWORD ?
Function DWORD ?
Ordinal DWORD ?
AddressOfData DWORD ?
ends
IMAGE_THUNK_DATA32 ENDS

Each IMAGE_THUNK_DATA is a DWORD union. In the file on disk it contains either the ordinal of the imported function or an RVA to an IMAGE_IMPORT_BY_NAME structure. Once loaded, the array pointed to by FirstThunk is overwritten with the addresses of the imported functions and becomes the Import Address Table.
IMAGE_IMPORT_BY_NAME can be written as follows.
IMAGE_IMPORT_BY_NAME STRUCT
Hint WORD ?
Name1 BYTE ?
IMAGE_IMPORT_BY_NAME ENDS

Hint - Hint contains an index into the Export Address Table of the DLL where the function resides, so that the function can be looked up quickly in that DLL's Export Address Table. The name at this index is tried first; if it does not match, a binary search is done to find the name. This value is not essential, and some linkers set it to zero.
Name1 - Name1 contains the name of the imported function. The name is a null-terminated (\0) ASCII string. Note that the size of Name1 is defined as a byte, but it is actually a variable-sized field; there is simply no way to represent a variable-sized field in a structure.
The most important parts are the names of the imported DLLs and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. For each imported DLL there is a separate pair of IMAGE_THUNK_DATA arrays.
Another way to put it: there are a number of IMAGE_IMPORT_BY_NAME structures. You create two arrays and fill them with the RVAs of those IMAGE_IMPORT_BY_NAME structures, so that both arrays contain the same values (an exact duplicate). Then you set OriginalFirstThunk to the RVA of the first array and FirstThunk to the RVA of the second array.
The number of elements in OriginalFirstThunk and FirstThunk depends on the number of functions imported from the DLL. For example, if the PE file imports ten functions from user32.dll, Name1 in the IMAGE_IMPORT_DESCRIPTOR structure contains the RVA of the string user32.dll and each array has ten IMAGE_THUNK_DATA elements.

The two parallel arrays are called by various names, but the most common are Import Address Table (for the one pointed to by FirstThunk) and Import Name Table or Import Lookup Table (for the one pointed to by OriginalFirstThunk).
Why are there two parallel arrays of pointers to IMAGE_IMPORT_BY_NAME structures? The Import Name Table is left alone and is never modified. The Import Address Table is overwritten by the loader with the actual function addresses. Because the array of RVAs in the Import Name Table stays unchanged, the PE loader can still find the names of the imported functions if it ever needs them again.
Although the IAT is pointed to by entry number 12 in the Data Directory, some linkers do not set this directory entry, and the application still runs. The loader only uses it to temporarily mark the IATs read-write during import resolution, and it can resolve the imports without it.
This is how the Windows loader manages to overwrite the IAT when it lies in a read-only section. At load time the system temporarily sets the attributes of the pages containing the imports to read/write. Once the import table has been initialised, the pages are returned to their original protected attributes.

Figure (16)
Calls to imported functions work through the function pointers in the IAT. This can be done in two ways, one of which is more useful than the other. As an example, consider the address 00405030, which refers to one of the entries in the FirstThunk array. The loader has overwritten it with the address of GetMessage in user32.dll.
The most appropriate way to call GetMessage is as follows:
0040100C CALL DWORD PTR [00405030]
This way is less efficient:
0040100C CALL [00402200]
00402200 JMP DWORD PTR [00405030]
In other words, the second way gives the same result, but it needs 5 extra bytes of code and takes longer to execute because of the extra jump.

Why are imported functions handled this way? The compiler does not distinguish between ordinary functions in the same module and imported functions; it produces the same output for both, CALL [XXXXXXXX], where [XXXXXXXX] must be a real code address (not a pointer) to be filled in later. The linker does not know the address of the imported function, so it has to use a substitute chunk of code, as seen in the JMP stub above.
The proper way to tell the compiler that a function resides in a DLL is the __declspec(dllimport) modifier; the compiler then emits CALL DWORD PTR [XXXXXXXX].
If __declspec(dllimport) was not used when the exe was compiled, there will be jump stubs for the imported functions grouped together somewhere in the code. This is known by various names such as transfer area, trampoline or jump thunk table.
(8.2) Functions exported by ordinal only
As discussed in the export section, some functions are exported by ordinal only. In that case there is no IMAGE_IMPORT_BY_NAME for the function in the caller's module; instead, the IMAGE_THUNK_DATA for the function contains the function's ordinal.
Before the exe is loaded, you can tell whether an IMAGE_THUNK_DATA contains an ordinal or an RVA by looking at its MSB (most significant bit), the high bit. If it is set, the lower 31 bits are taken as the ordinal value. If it is clear, the value is an RVA to an IMAGE_IMPORT_BY_NAME. Microsoft provides a ready-made constant for the DWORD MSB, IMAGE_ORDINAL_FLAG32, which has the value 80000000h.
For example, if a function is exported by ordinal only and its ordinal is 1234h, the IMAGE_THUNK_DATA for this function will be 80001234h.
(8.3) Bound Import
When the loader loads a PE file into memory, it examines the import table and maps the required DLLs into the process address space. It then goes to the array pointed to by FirstThunk and replaces the IMAGE_THUNK_DATAs with the actual addresses of the imported functions. If the programmer could somehow compute the function addresses correctly in advance, the PE loader would not need to fix up the IMAGE_THUNK_DATAs every time the PE file runs, because the correct addresses would already be there.
A utility called Bind.exe, which ships with Microsoft's compilers, checks the PE file's IAT (the FirstThunk array) and replaces the IMAGE_THUNK_DATAs with the addresses of the imported functions. When the file is loaded, the PE loader should check whether those addresses are still correct. If the DLL versions do not match those the PE file was bound against, or the DLLs had to be relocated, the PE loader knows the bound addresses are stale and goes to the Import Name Table (the OriginalFirstThunk array) to compute new addresses. So the INT is not needed to load a file, but without an INT an exe file cannot be bound. Borland's linker TLINK does not create an INT, so the files Borland produces cannot be bound. Another consequence of a missing INT will be discussed in the next chapter.
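As an added example covering (8.1), (8.2) and the INT-less case mentioned in (8.3) (my own code, not the book's and not a Microsoft tool), the Python below walks an IMAGE_IMPORT_DESCRIPTOR array to its all-zero terminator, reads each thunk from the INT (falling back to the IAT itself when OriginalFirstThunk is zero), splits ordinal imports from name imports with IMAGE_ORDINAL_FLAG32, and then plays the loader by writing addresses into the IAT while leaving the INT untouched. The .idata layout, the DLL and function names, the hint 123h, the ordinal 1234h and the resolved addresses are all constructed sample values.

```python
import struct

# OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name1, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")
IMAGE_ORDINAL_FLAG32 = 0x80000000


def c_string(image, rva):
    """Read a null-terminated ASCII string at an RVA of a flat image."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def dword_at(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def parse_import_directory(image, import_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array until the all-zero terminator and
    decode each DLL's thunk array.  `image` is a flat buffer indexed by RVA."""
    dlls, offset = [], import_rva
    while True:
        oft, stamp, _chain, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, offset)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        lookup_rva = oft if oft else ft   # no INT (e.g. TLINK output): read the IAT itself
        functions, i = [], 0
        while True:
            thunk = dword_at(image, lookup_rva + 4 * i)
            if thunk == 0:
                break
            entry = {"iat_rva": ft + 4 * i}
            if thunk & IMAGE_ORDINAL_FLAG32:          # high bit set: lower 31 bits are the ordinal
                entry.update(name=None, hint=None, ordinal=thunk & 0x7FFFFFFF)
            else:                                     # RVA of IMAGE_IMPORT_BY_NAME: Hint WORD, then name
                entry.update(name=c_string(image, thunk + 2),
                             hint=struct.unpack_from("<H", image, thunk)[0], ordinal=None)
            functions.append(entry)
            i += 1
        dlls.append({"dll": c_string(image, name_rva), "has_int": oft != 0,
                     "time_date_stamp": stamp, "functions": functions})
        offset += IMPORT_DESCRIPTOR.size
    return dlls


def resolve_imports(image, dlls, export_tables):
    """Play the loader: write each function's address into its IAT slot.
    export_tables maps lower-case DLL name -> {name_or_ordinal: address}.
    Returns (patched image, list of (dll, key) that could not be resolved)."""
    patched, unresolved = bytearray(image), []
    for dll in dlls:
        table = export_tables.get(dll["dll"].lower(), {})
        for fn in dll["functions"]:
            key = fn["name"] if fn["name"] is not None else fn["ordinal"]
            address = table.get(key)
            if address is None:
                unresolved.append((dll["dll"], key))
                continue
            struct.pack_into("<I", patched, fn["iat_rva"], address)
    return bytes(patched), unresolved


def build_sample_exe():
    """Constructed .idata: two DLLs, one function by name (hint 123h) and one by
    ordinal 1234h, with identical INT and IAT arrays as they appear on disk."""
    img = bytearray(0x500)
    img[0x200:0x20B] = b"USER32.dll\0"
    img[0x210:0x21D] = b"KERNEL32.dll\0"
    img[0x400:0x40E] = struct.pack("<H", 0x123) + b"GetMessageA\0"   # IMAGE_IMPORT_BY_NAME
    img[0x420:0x42C] = struct.pack("<H", 0) + b"HeapAlloc\0"
    user32_thunks = (0x400, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)
    kernel32_thunks = (0x420, 0)
    struct.pack_into("<3I", img, 0x300, *user32_thunks)     # INT (OriginalFirstThunk)
    struct.pack_into("<3I", img, 0x310, *user32_thunks)     # IAT (FirstThunk), same on disk
    struct.pack_into("<2I", img, 0x320, *kernel32_thunks)
    struct.pack_into("<2I", img, 0x330, *kernel32_thunks)
    IMPORT_DESCRIPTOR.pack_into(img, 0x100, 0x300, 0, 0, 0x200, 0x310)
    IMPORT_DESCRIPTOR.pack_into(img, 0x114, 0x320, 0, 0, 0x210, 0x330)
    IMPORT_DESCRIPTOR.pack_into(img, 0x128, 0, 0, 0, 0, 0)                # terminator
    return bytes(img), 0x100


# Constructed addresses standing in for what the loader would read from the DLLs' EATs.
SAMPLE_EXPORT_TABLES = {
    "user32.dll": {"GetMessageA": 0x77D1A000, 0x1234: 0x77D1B000},
    "kernel32.dll": {"HeapAlloc": 0x7C809AE0},
}
```

After resolve_imports the IAT at 0x310 holds addresses while the INT at 0x300 still holds the thunks, which is the state an import-reconstruction tool relies on when it has to rebuild a dumped image: with no INT, the disk copy of the IAT is the only record of what was imported.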
(8.4) Bound Import Directory
The information the loader uses to decide whether the bound addresses are still valid is kept in IMAGE_BOUND_IMPORT_DESCRIPTOR structures. A bound executable contains a list of these structures, one for each imported DLL that has been bound.

IMAGE_BOUND_IMPORT_DESCRIPTOR STRUCT
TimeDateStamp DWORD ?
OffsetModuleName WORD ?
NumberOfModuleForwarderRefs WORD ?
IMAGE_BOUND_IMPORT_DESCRIPTOR ENDS

The TimeDateStamp member must match the TimeDateStamp in the FileHeader of the exporting DLL. If it does not, the loader assumes the binary was bound against the wrong DLL and re-patches the import list. This happens when the exporting DLL's version does not match or when it had to be relocated in memory.
The OffsetModuleName member contains the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the null-terminated ASCII name of the DLL.
The NumberOfModuleForwarderRefs member is the number of IMAGE_BOUND_FORWARDER_REF structures that follow.
IMAGE_BOUND_FORWARDER_REF STRUCT
TimeDateStamp DWORD ?
OffsetModuleName WORD ?
Reserved WORD ?
IMAGE_BOUND_FORWARDER_REF ENDS

Comparing this structure with the previous one, all the members are the same except the last, Reserved. When a function that forwards to another DLL is bound, the validity of that forwarded-to DLL must also be checked at load time; IMAGE_BOUND_FORWARDER_REF holds the details of the forwarded-to DLLs.
For example, suppose HeapAlloc, a function in kernel32.dll, forwards to RtlAllocateHeap in ntdll.dll. If we create an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll followed by an IMAGE_BOUND_FORWARDER_REF for ntdll.dll.
Note: the function names are not included in these structures, because the loader already knows from the IMAGE_IMPORT_DESCRIPTOR which functions were bound.
(9) Loader
This section is not essential, but it is intended for those who want a deeper understanding of how the OS works. I also want to explain how subsections (7) and (8) above relate to each other.
(9.1) What does the loader do?
When an executable runs, the Windows loader creates a virtual address space for the process and maps the executable module from disk into that address space. The loader tries to load the image at its preferred base address and lays the sections out in memory: it walks the section table and places each section at the address obtained by adding the section's RVA to the base address. Page attributes are set according to the characteristics each section requires. Once the sections are in memory, the loader checks whether the load address matches the preferred base address given in ImageBase and performs base relocation accordingly.
Next it examines the import table and maps the required DLLs into the process's address space. Once all DLL modules are in place, the loader checks each DLL's export section and patches the IAT so that it points to the actual addresses of the imported functions. If a symbol cannot be found (which is rare), the loader reports an error.
The parts that matter for cracking are the loading of DLLs and the resolution of imports. These processes are intricate and are carried out by various (forwarded) functions and routines in ntdll.dll, which Microsoft does not document. As I said earlier, function forwarding is Microsoft's way of exposing one common Win32 API set while hiding the differences in low-level functions between OS versions. Many familiar kernel32 functions such as GetProcAddress are just thin wrappers around ntdll.dll exports such as LdrGetProcAddress, which do the real work.
Chapter (8) - PE Header - 106 -
To see this in practice you need to install Win Debugger 6.x together with the Windows symbol package (available free from Microsoft), or a kernel-mode debugger such as SoftIce 4.x. In Olly you can at least look at these functions if you have configured it to use the Microsoft symbol server; otherwise you will see only pointers and memory addresses without function names. In any case Olly is a user-mode debugger: it shows what happens after your application has been loaded, but it does not let you watch the loading process itself. Win Debugger's features are modest compared with Olly's, but it is integrated with the OS and will show the loading process. Figure (17).

Figure (17)
When an exe is loaded, the various APIs involved converge on kernel32.dll's LoadLibraryExW and lead on to ntdll.dll's LdrpLoadDll. That function directly calls six subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which do the following:
1. Check whether the module is already loaded.
2. Map the module and its supporting data into memory.
3. Walk the module's import descriptor table (looking for other modules while this one is being imported).
4. Update the module's load count, and likewise those of the other modules this DLL brings in.
5. Initialize the module.
6. Clear the flags that indicate a load is in progress.

Figure (18)
A DLL can in turn import other modules, in a cascade. The loader therefore has to loop through each module to discover what still needs loading and what its dependencies are; that is where LdrpWalkImportDescriptor comes in. It has two subroutines, LdrpLoadImportModule and LdrpSnapIAT. It starts with two calls to RtlImageDirectoryEntryToData to locate the Bound Import Descriptor and the regular Import Descriptor table. Note that the loader checks the bound imports first: an application can run without an import directory as long as it has bound imports.
Next, LdrpLoadImportModule builds a Unicode string for each DLL in the import directory and then calls LdrpCheckForLoadedDll to find out whether each one has already been loaded.
The LdrpSnapIAT routine then checks whether all DLL references in the import directory hold the value -1 (that is, it again checks the bound imports first). It changes the IAT's memory protection to PAGE_READWRITE and goes on to examine each entry in the IAT before handing over to the LdrpSnapThunk subroutine.
LdrpSnapThunk uses a function's ordinal to locate its address and determines whether the function has been forwarded. Otherwise it calls LdrpNameToOrdinal, which performs a binary search over the export table to find the ordinal quickly. If the function is not found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it replaces the IAT entry with the API's entry point and returns to LdrpSnapIAT. LdrpSnapIAT restores the memory protection it changed at the start, calls NtFlushInstructionCache to refresh the cache for the memory block containing the IAT, and returns to LdrpWalkImportDescriptor.
Here there is a notable difference between Windows versions. Windows 2000 insists that ntdll.dll be loaded, both as a bound import and through the regular import directory, before the exe itself is loaded; Windows 9x and Windows XP can run an application even when it has no imports. The loader must check every imported API in order to compute its actual address in memory and to learn whether it has been forwarded. Each imported DLL may bring in further modules, and the process repeats until every dependency has been checked.

(10) Adding code to a PE file


Crackers sometimes find themselves needing to insert code into a program, either to defeat a protection scheme or to add new functionality. The three main ways of adding code to a file are:
1. Write the code into an existing section, if it has enough free space for your code.
2. If there is not enough space, enlarge an existing section.
3. Add a new section.
(10.1) Adding code inside an existing section
If we want to add code to an existing section, the simplest approach is to add it to the CODE section. Let's look for a region of the CODE section that is filled with 00 bytes; this is the "cave" concept. To find a suitable cave, let's examine the CODE section with LordPE.

Figure (19)
Here we see that VirtualSize (00029E88) is slightly smaller than SizeOfRawData (0002A000). SizeOfRawData is the amount of space the section occupies when the file is stored on your hard disk. Note that this file's VirtualSize is smaller than its size on disk. That happens because compilers routinely round the size up so that every section is aligned on the same boundary. In a hex editor, the end of the CODE section (just before the DATA section begins) looks like Figure (20).

Figure (20)
This free space is unused and is not loaded into memory. What we must make sure of is that the code we insert does get loaded into memory, and for that we must change the size attribute. At the moment the section's virtual size is only 29E88, because that is all the compiler needed; we need a little more. So in LordPE we change the CODE section's virtual size to 29FFF. (That is the largest value we can set, since RawSize is 2A000.) To do this, right-click on the word CODE and choose edit section header. Change VirtualSize to 29FFF and save the file.
We have now prepared a suitable place to hold the code we are going to patch in. What we changed was the VirtualSize DWORD of the CODE section in the Section Table; we could equally have edited it by hand in a hex editor.
To make this clearer, let's write a small sample assembly stub. First note the entry point value 0002ADB4 and the ImageBase value 400000 shown in LordPE. When Olly loads the application, the entry point will therefore be 0042ADB4. We will add the following code and change the entry point to 42AF00, where its first instruction lives.
MOV EAX, 0042ADB4 ; Load in EAX the Original Entry Point (OEP)
JMP EAX ; Jump to OEP
We will place this code at raw offset 0002A300h, seen in the hex editor above. To convert that raw offset to an RVA for use in Olly, we use this little formula:
RVA = raw offset - raw offset of section + virtual offset of section + ImageBase
= 2A300h - 400h + 1000h + 400000h = 42AF00h
So open Olly and press Ctrl + G to go directly to the place we need to edit. Type 42AF00 to jump to where the code will be entered, then edit it as in Figure (21).

Figure (21)
Then, to save the edited code, right-click and choose Copy to executable, then All modifications. In the message box that appears choose Copy, and a new window opens. Right-click in that window, choose Save file, and save it under any name you like. Once the file is saved, change the Entry point to 0002AF00 in LordPE and save the file. Test whether the application still runs, then reopen the saved file in Olly; you will see that the entry point has changed.

Figure (22)
In the hex editor it looks like Figure (23), and you can see that plenty of free space is still left.

Figure (23)
(Enlarging an existing section and adding a new section are not covered here, to keep the book from growing too thick. For details I recommend reading PE File Format by Goppit of ARTeam.)
(11) Fixing PE header problems
(Full version only)
Figures (24) to (43)
(12) Terms used in the PE header


(Tested with ReverseMe.exe.)
(1) TimeDateStamp 3/17/2000, 1:04:06 AM (38D1291E)
TimeDateStamp records when the file was created. Olly shows it as a hexadecimal number; for the ReverseMe program it is 38D1291E. Some PE viewers display it in plain form instead, for example 3/17/2000, 1:04:06 AM. The value is the number of seconds elapsed since January 1, 1970, Greenwich Mean Time, and it is more reliable than the date and time the file system attaches to the file. To work it out yourself, convert the hexadecimal 38D1291E to decimal: 953231646 seconds. Since that is in seconds, convert to hours: dividing by 3600 gives 264786. Divide by 24 to get days and by 365 to get years, which gives 30 years. That is only a rough calculation. Where do we add the result? To January 1, 1970, as mentioned above. Done precisely, the correct answer comes out as March 17, 2000.
(2) Machine FILE_MACHINE_I386
The processor type of the computer this file targets. Common values are:

FILE_MACHINE_I386
Intel 80386 or later, and compatible processors.
FILE_MACHINE_AMD64
x64
FILE_MACHINE_IA64
Intel Itanium processor family.
(3) Characteristics 0x10f (flags describing the attributes of the file)
FILE_RELOCS_STRIPPED 0x1
(If set, the file contains no base relocations and must therefore be loaded at its preferred base address; if that address is not available, the loader reports an error. By default the linker strips base relocations from EXE files.)
FILE_EXECUTABLE_IMAGE 0x2
(Indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error.)
FILE_LINE_NUMS_STRIPPED 0x4
(COFF line numbers have been removed.)
FILE_LOCAL_SYMS_STRIPPED 0x8
(COFF symbol table entries for local symbols have been removed.)
FILE_32BIT_MACHINE 0x100
(The machine is based on a 32-bit architecture.)
(4) Subsystem SUBSYSTEM_WINDOWS_GUI
The subsystem required to run this image. Possible values are:
SUBSYSTEM_NATIVE
Device drivers and native Windows processes.
SUBSYSTEM_WINDOWS_GUI
The Windows graphical user interface (GUI) subsystem.
SUBSYSTEM_WINDOWS_CUI
The Windows character subsystem.
SUBSYSTEM_POSIX_CUI
The Posix character subsystem.
SUBSYSTEM_WINDOWS_CE_GUI
Windows CE
SUBSYSTEM_EFI_APPLICATION
Extensible Firmware Interface (EFI) application.
SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
An EFI driver with boot services.
SUBSYSTEM_EFI_RUNTIME_DRIVER
An EFI driver with run-time services.
SUBSYSTEM_EFI_ROM
An EFI ROM image.
(5) LinkerVersion 5.12
The version of the linker used to build the file. For PE files produced by the Microsoft linker, this number corresponds to the Visual Studio version number.

(6) SizeOfImage 20480 (0x5000)
The amount of memory the system must reserve when the file is loaded into memory. It must be a multiple of the section alignment.
(7) SizeOfCode 1024 (0x400)
The size of the code section in bytes, or, if there are several code sections, the sum of all of them.
(8) SizeOfInitializedData 2560 (0xa00)
The size of the initialized data section in bytes, or, if there are several initialized data sections, the sum of all of them.
(9) SizeOfUninitializedData 0 (0x0)
The size of the uninitialized data section in bytes, or, if there are several uninitialized data sections, the sum of all of them.
(10) ImageBase 0x400000
The address of the first byte of the image when it is loaded into memory. The value must be a multiple of 64K bytes. The default for DLLs is 0x10000000; the default for 32-bit applications is 0x00400000.
(11) BaseOfCode 0x401000
Points to the start of the code section, relative to the image base.
(12) BaseOfData 0x402000
Points to the start of the data section, relative to the image base.
(13) AddressOfEntryPoint 0x401000
Points to the entry point function, relative to the image base address. For DLL files an entry point function is optional; when there is no entry point, this value is zero.
(14) FileAlignment 512 (0x200)
The alignment of the raw data of the sections in the image file, in bytes. The value must be a power of 2 between 512 and 64K inclusive; the default is 512. If the SectionAlignment is smaller than the system's page size, this value must equal SectionAlignment.
(15) SectionAlignment 4096 (0x1000)
The alignment of the sections when they are loaded into memory, in bytes. This value must be greater than or equal to FileAlignment. The default is the system's page size.
(16) OperatingSystemVersion 4.0
(17) SubsystemVersion 4.0
(18) ImageVersion 0.0
(19) CheckSum 46233 (0xb499)
The computed checksum of the image. (A checksum is a value computed over data in order to detect errors when the data is stored: after storing, the checksum is recomputed by the same method, and if the two differ an error is reported and the data is stored again. Checksums cannot detect every error, nor can they repair corrupted data.) Checksums are required for kernel-mode drivers and some system DLLs; otherwise this field may be zero.
(20) SizeOfStackReserve 1048576 (0x100000)
For EXE files, the maximum size to which the stack of the process's first thread may grow. Not all of this memory is committed initially.
(21) SizeOfStackCommit 4096 (0x1000)
For EXE files, the amount of memory initially committed to the stack.


(22) SizeOfHeapReserve 1048576 (0x100000)
For EXE files, the initial reserved size of the process heap.
(23) SizeOfHeapCommit 4096 (0x1000)
For EXE files, the amount of memory initially committed to the heap.
(24) LoaderFlags 0 (0x0)
(No longer used.)
(25) Win32VersionValue 0 (0x0)
(No longer used.)
(26) PointerToRawData
The file pointer to the first page of the section within the module file. It must be a multiple of the FileAlignment in the module header. When a section contains only uninitialized data, this field must be zero.
(27) VirtualAddress
The address of the first byte of the section, relative to the image base, when the section is loaded into memory.
(28) VirtualSize
The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is padded with zeros.
(29) SizeOfRawData
The size of the initialized data on disk. It is a multiple of the FileAlignment in the module header. If this value is less than the VirtualSize, the remainder of the section is filled with zeros. When a section contains only uninitialized data, this field must be zero.
(30) Data Directory
An array of 16 IMAGE_DATA_DIRECTORY structures pointing to the important parts of the exe file. This array lets the loader find specific parts of the image quickly (for example the table of imported functions) without comparing names or walking through each image section repeatedly.
(a) Load Configuration
Points to the IMAGE_LOAD_CONFIG_DIRECTORY structure, which controls internal system checking and debugging features.
(b) IAT (Import Address Table)
Points to the beginning of the first Import Address Table (IAT). The IATs for each imported DLL appear sequentially in memory, and the Size field gives the total size of all of them. The loader uses this address and size to temporarily mark the IATs read-write during import resolution.
(c) TLS Table
Points to the Thread Local Storage initialization section. The TLS section holds the thread-local variables declared with declspec(thread); when such variables are used, the compiler places them in a section named .tls. Besides the extra variables needed at run time, it also holds the initial values of the data.
(d) Base Relocation Table
Points to the base relocation information.
(e) Debug Directory
Points to an array of IMAGE_DEBUG_DIRECTORY structures, each describing some debug information for the image.
(f) Bound Import Table
Points to an array of IMAGE_BOUND_IMPORT_DESCRIPTOR structures.
(g) Resource Table
Points to the resources.
(h) Delay Import Tables
Points to the delayload information, an array of ImgDelayDescr structures defined by Visual C++ in DELAYIMP.H. Delay-loaded DLLs are not loaded until the first call to an API found in them. It is important to note that Windows itself has no implicit knowledge of delay-loaded DLLs.
SCN_CNT_INITIALIZED_DATA - The section contains initialized data.
SCN_MEM_READ - The section can be read.
SCN_MEM_WRITE - The section can be written.
SCN_CNT_CODE - The section contains executable code.
SCN_MEM_EXECUTE - The section can be executed as code.
SCN_MEM_DISCARDABLE - The section can be discarded as needed.
SCN_MEM_SHARED - The physical pages holding this section's data are shared among all processes that load this executable, so every process sees exactly the same values for the data in this section. This is useful for creating global variables shared among all instances of a process.
(i) .reloc Image relocation section
(j) .rsrc Resource directory section
(k) .data Initialized data section
(l) .rdata Read-only initialized data section
(m) .text Executable code section
(n) .idata Import tables section
(o) .edata Export table section
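As an added example (not from the book or any of the tools it mentions), here is a small Python parser that reads a PE32 header and reports the fields discussed in section (10.1) and in this glossary: the file Characteristics bits, TimeDateStamp decoded to UTC, the raw-offset-to-VA formula, each section's disk-only slack (the "cave"), and a defender's check of where AddressOfEntryPoint falls. The image it parses is constructed inline from the LordPE numbers quoted above (ImageBase 400000, CODE VirtualSize 29E88 / SizeOfRawData 2A000, entry point 2ADB4); it holds headers only, no code, and the header offsets used are the standard IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER layouts.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
# IMAGE_FILE_HEADER.Characteristics bits from item (3) of the glossary
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                        0x0100: "32BIT_MACHINE"}
# IMAGE_SECTION_HEADER.Characteristics bits
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def build_sample_pe(entry_rva=0x2ADB4, code_vsize=0x29E88):
    """Constructed PE32 headers only (DOS header, PE signature, file header,
    optional header, two section headers); values mirror the LordPE screenshots."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2,
                           0x38D1291E, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b"CODE", code_vsize, 0x1000, 0x2A000, 0x400,
         SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
        (b"DATA", 0x1000, 0x2B000, 0x400, 0x2A400,
         SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def parse_pe(data):
    """Read the header fields used below into a dict."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                # optional header start
    entry, image_base, file_align = (struct.unpack_from("<I", data, opt + o)[0]
                                     for o in (16, 28, 36))
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "stamp": stamp, "chars": chars, "entry": entry,
            "image_base": image_base, "file_align": file_align, "sections": sections}


def file_characteristics(chars):
    """Names of the Characteristics bits that are set (glossary's list only)."""
    return [name for bit, name in FILE_CHARACTERISTICS.items() if chars & bit]


def timestamp_utc(stamp):
    """TimeDateStamp is seconds since 1970-01-01 UTC; PE viewers show local time."""
    return datetime.fromtimestamp(stamp, timezone.utc)


def raw_to_va(pe, raw_offset):
    """The (10.1) formula: raw offset - section raw offset + section RVA + ImageBase."""
    for s in pe["sections"]:
        if s["rawptr"] <= raw_offset < s["rawptr"] + s["rawsize"]:
            return raw_offset - s["rawptr"] + s["va"] + pe["image_base"]
    raise ValueError("raw offset %#x lies in no section" % raw_offset)


def section_slack(sec):
    """Bytes on disk that are never mapped: SizeOfRawData - VirtualSize (the 'cave')."""
    return max(0, sec["rawsize"] - sec["vsize"])


def entry_point_findings(pe):
    """Defender-side checks of AddressOfEntryPoint against the section table."""
    entry, align = pe["entry"], pe["file_align"]
    hits = [s for s in pe["sections"] if s["va"] <= entry < s["va"] + s["vsize"]]
    if not hits:
        return ["entry point %#x is outside every section" % entry]
    sec, findings = hits[0], []
    if not sec["flags"] & (SCN_CNT_CODE | SCN_MEM_EXECUTE):
        findings.append("entry point is in non-code section %s" % sec["name"])
    if sec["rawsize"] - (entry - sec["va"]) < align:
        findings.append("entry point sits in the last file-alignment block of %s, "
                        "where added code is usually placed" % sec["name"])
    if sec["vsize"] % align == align - 1:
        findings.append("VirtualSize %#x of %s stops one byte short of an alignment "
                        "boundary, as a hand-edited header does" % (sec["vsize"], sec["name"]))
    return findings
```

Running the checks on the unmodified sample yields no findings; on a copy whose CODE VirtualSize was raised to 29FFF and whose entry point was moved to 2AF00, as in the walkthrough, both heuristics fire.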
(13) Sample PE signatures
(13.1) ASPack v2.12
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
00401000: 60 PUSHAD
00401001: E803000000 CALL 00401009H
00401006: E9EB045D45 JMP 459D14F6H
0040100B: 55 PUSH EBP
0040100C: C3 RET
0040100D: E801003E00 CALL 007E1013H
(13.2) Armadillo v1.xx - v2.xx
55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6
00401000: 55 PUSH EBP
00401001: 8BEC MOV EBP, ESP
00401003: 53 PUSH EBX
00401004: 8B5D08 MOV EBX, [EBP+08H]
00401007: 56 PUSH ESI
00401008: 8B750C MOV ESI, [EBP+0CH]
0040100B: 57 PUSH EDI
0040100C: 8B7D10 MOV EDI, [EBP+10H]
0040100F: 85F6 TEST ESI, ESI
Chapter (9) - A first crack: the Teleport Pro 1.54 program - 120 -

Chapter (9) - A first crack: the Teleport Pro 1.54 program


In the previous chapters we studied the basic foundations of cracking. So I assume you now have at least a passing acquaintance with the C and Assembly languages, and that you know how software is protected. You have learned about the tools a cracker should have, and you have a rough understanding of one of them, the Olly debugger. Finally, you have even studied the PE header, which the cracking world regards as hard to understand. Still, everything you have learned so far is theory. Theory without practice and practice without theory are both incomplete and lack substance, so only by cracking something yourself will you properly understand the principles of cracking. For our first crack, then, we will try a commercial program, Teleport Pro 1.54. You may wonder why I demonstrate on a program that is no longer updated. (We do not crack software for money; we study it only as a discipline. If you illegally distribute or sell cracked software, the consequences are your responsibility alone ...)
(1) Studying how the program works
The main thing to establish before cracking a piece of software is which programming language it was written in; only then can we decide what to do next. OK, download Teleport Pro from www.tenmax.com and install it. Choose About ... from the Help menu and you will see Figure (1).

Figure (1)
Figure (1) shows that this is an unregistered version, so let's try to register. Choose Register from the Help menu; you will see Figure (2).

Figure (2)
In Figure (2), type Myanmar Cracking Team in the Your name field and 4780610 (BABE16) in the Registration code field. You will then see Figure (3).

Figure (3)

Figure (3) is a MessageBox telling us that the registration code we entered is wrong. (Note: some programs use a little trick here. When you enter a registration code they do not say whether it is right or wrong but ask you to restart the program. Some programs show no MessageBox at all, because they do not check the code immediately: they store the code you entered in the registry or in a file and check it only the next time the program starts.) Write down the text We're sorry! shown in this message box on a piece of paper; it will come in handy.
OK, close the program and let's check which language it was written in. Right-click the pro.exe file in the Program files\Teleport Pro folder and scan it with PEiD. Figure (4).

Figure (4)
According to Figure (4), the program was written in Visual C++ 6.0. That is all we need to know. Let's open pro.exe in Olly. Figure (5).

Figure (5)
Figure (5) shows the program's entry point. (Note: in programs written with Visual C++, as Figure (5) shows, the entry point is the virtual address of the PUSH EBP instruction above kernel32.GetVersion.) I will show two ways of cracking this program. The first is the method used by nick123b of SND Team; the second is the method used by ThunderPwr of ARTeam. Other methods will be covered in later chapters where appropriate.
(2) First method (nick123b @ SND Team)
You will remember the error message of Figure (3) that appeared when we tried to register in Figure (2). Let's search for that message text in Olly. Right-click in the window of Figure (5) and choose Search for, then All referenced text strings. A window listing the text strings found will appear.

Figure (6)

In the window that appears, type the text we are looking for, as in Figure (6), and press OK. But Olly does not find the text we are searching for. The reason is that the programmer did not place the We're sorry! string in the .text section but in the .data section, as Figure (7) shows, so Olly cannot find it. (Normally more than 80% of programs put it in the .text section, the code section.)

Figure (7)

Figure (8)
Looking at Figure (8), we find the message we were searching for. Figures (7) and (8) show the file opened in PE Explorer 1.99 (www.heaventools.com).
Since the text string search in Figure (6) found nothing, you are probably scratching your head by now. Only by finding this message can we find the registration routine where the serial is computed, and then the serial itself. OK, let's look for the serial using nick123b's method.
Press Ctrl + N (View Names) in Olly. You will see the APIs as in Figure (9).

Figure (9)
As shown in Figure (9), right-click on USER32.GetWindowTextA and choose Find references to import (Enter key). You will see Figure (10). (For details about GetWindowTextA, read the chapter "Windows APIs crackers should watch".)

Figure (10)
As shown in Figure (10), right-click and choose Set breakpoint on every command.

Figure (11)

Before setting the breakpoint on GetWindowTextA as in Figure (11), make sure pro.exe is in the middle of registering under Olly, as in Figure (12). (That is, open Teleport Pro in Olly and start the registration; before pressing OK in Figure (12), set the breakpoints as shown in Figures (9), (10) and (11).)

Figure (12)
Once the breakpoint is set as in Figure (11), press OK in Figure (12). You will land straight on the breakpoint at the GetWindowTextA() API, as in Figure (13).

Figure (13)
When you see Figure (13), press F8 (step over) until you see Figure (14).

Figure (14)
Look at Figure (14). CALL 0042EC7B performs the registration key calculation. After it, a value in EAX is compared with a value in ESI; if the two differ, execution goes to the BadBoy message. So stop pressing F8 when you reach the "JNZ 0042E2E1" line, and look at the Registers (FPU) window. Figure (15).

Figure (15)
The serial we want is now in the EAX register, as Figure (15) shows. Note that this serial is valid only for the user "Myanmar Cracking Team" held in the ECX register, because that is what we typed in the user name field in Figure (12).

Figure (16)
In fact the serial in the EAX register in Figure (14) is just a hexadecimal number. Double-click on 258680D9 and copy 629571801. Figure (17). 629571801 is the real serial.

Figure (17)
Now that we have the serial we wanted, we can close Olly. Reopen Teleport Pro, choose Register … from the Help menu and prepare to register.

Figure (18)
Fill in the Name and Registration Code as in Figure (18) and press OK. You will see Figure (19).

Figure (19)
To be sure, click Register … in the Help menu again. You will see that we no longer need to register. Figure (20).

Figure (20)
Choose About Teleport Pro … from the Help menu and you will see Figure (21).

Figure (21)
That completes our search for the serial by the first method. Finding a serial this way is called serial fishing in English. In the cracking world serial fishing is widely used because it is quick and easy.
(3) Second method (ThunderPwr @ ARTeam)
The second method first locates the MessageBox shown in Figure (22) and works back from there to the registration routine. (Note: make sure you have removed the breakpoints set earlier on the GetWindowTextA() API.)
Once Teleport Pro has been registered successfully it cannot be registered again. So open the registry editor (regedit.exe) and delete the Tennyson Maxwell key under the Software directory of both HKLM and HKCU.

Figure (22)
Open pro.exe in Olly and press F9 (Run); Teleport Pro opens. Click Register in the program's Help menu and try to register. You will see the BadBoy MessageBox as in Figure (22). Now go back to Olly and press F12 (Pause); we press F12 because we want to suspend the program. Then scroll through Olly's stack window; you will see Figure (23).

Figure (23)
Look at Figure (23). VA 0048F9B0 is the virtual address where the "We're sorry! …" string is stored. VA 0045389D is where execution arrives after the MessageBox API of Figure (22) returns. The virtual address I am interested in now is 0045389D, because from this address we will trace our way to the registration routine.

Figure (24)
To trace the registration routine, right-click the highlighted line in Figure (24) and choose Follow in Disassembler. You will see Figure (25).

Figure (25)
If we set a breakpoint at 0045389D in Figure (25) and press F9, the next time we register execution lands right here. Figure (26).

Figure (26)
The difference from Figure (25) is that pro.00453794 now appears together with its text strings.

Figure (27)

Stepping through the code of Figure (26) with F8, as soon as the CALL in Figure (26) has executed you arrive at Figure (27). This time you will not find the serial in the EAX register at all, because the program has already checked whether the serial is correct and has emitted the error message. So if we want the serial we must set a breakpoint at VA 0042E2D0 and register once more; when we hit that breakpoint, we can copy the serial we are looking for from the EAX register. Another interesting item is RETURN to pro.0042E316 from pro.0045387B in Figure (23). (Remember from the Assembly lesson that a CALL saves the address of the next instruction to execute (EIP) on the stack. I also said that when a CALL completes, the return value is almost always kept in EAX.)
(4) Writing a keygen for the Teleport Pro program
In the previous part we captured the serial and registered Teleport Pro. But the name is "Myanmar Cracking Team". If you want to register with your own name, or with the name of a friend or loved one, fishing the serial out with Olly again each time wastes time and effort. That is why a keygen becomes necessary. Searching for the serial for the name "Myanmar Cracking Team" gave 629571801. You are surely puzzled about how that value came about. So we will study the routine that generates the serial key carefully. Figure (28).

Figure (28)
Here you will have guessed that the CALL 0042EC7B in Figure (28) is the routine that generates the serial key, because after this CALL has executed the program compares the serial we typed in with the computed serial. Set a breakpoint on this CALL and restart the program (Ctrl+F2). Then press F9 to run the program, and register. You will arrive at VA 0042E2C8, where the breakpoint was set. Once at VA 0042E2C8, press F7 (step into) and go inside the CALL. Figure (29).

Figure (29)
The little routine that generates the serial key is just what is shown in Figure (29). Up to VA 0042EC97 there is nothing of interest; it only checks whether the user name entered is shorter than 5 characters. If it is longer than 5, the serial computation starts from VA 0042EC9A. Let us study it.
1. EBX and ESI are declared as variables.
2. ESI is initialized to 5DFEE4A4.
3. The value of EBX is set to zero.
4. TEST sets the flag value that decides whether the jump (JE) is taken or not.
5. The value in EDI is moved into ECX. (On the stack, what was pushed last must be popped first.)
6. 4 is subtracted from the value of EAX. (EAX holds the character count of the user name we typed in earlier; for "Myanmar Cracking Team" that is 21.)
7. EBX and EAX are compared.
8. If EBX is not less than EAX, the jump is taken. (Right now EAX is 17 and EBX is zero.)
9. The value of ESI is XORed with the Unicode (hex) value of the first 4 characters of the user name. (Right now ESI is 5DFEE4A4 and DS:[EBX+EDI] is 6E61794D.)
10. 1 is added to EBX.
11. In this way the characters of "Myanmar Cracking Team" are read through to the end and XORed, and the final result is stored in EAX.
Rewritten as assembly code, it looks like the following. This is not the complete code; only the small part that generates the serial key is written out. The programmer who wrote it is Ziggy of the SND Team.
invoke lstrlenA, addr namebuffer ;get the length of the name string
mov ecx, eax ;copy length of name string in eax to ecx
sub ecx, 4 ;loop counter ecx = name string length - 4
lea edi, namebuffer ;edi = address of name string
mov esi, 05DFEE4A4h ;esi = starting code value 5DFEE4A4 hex
L005: ; Ripped code from Ziggy's KeygenMe
mov eax, dword ptr ds:[edi] ;load 4 name string ascii characters (one little-endian dword) into eax
xor esi, eax ;exclusive or esi with eax - running result stays in esi
inc edi ;advance one byte, so the next 4-char window overlaps this one
dec ecx ;decrement the loop counter
jnz L005 ;jump back if ecx loop counter not = zero
How to write a keygen in assembly was already explained in the "Basic Assembly Language" chapter, so it is not repeated here. What I want to say about keygens is that we do not need to write the keygen's GUI ourselves; we simply take a ready-made keygen template and use it. Only the registration routine that generates the serial keys has to be written.
;
; Ziggy April 2005
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Notes
;
; - Requires MASM32 V8
; - Requires linking with matching resource file ;
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.586p
.mmx
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\user32.lib

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
; Prototypes
DialogProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
ClipboardCopy PROTO
KeygenProc PROTO
.const
DIALOG_1 equ 1 ;identifier in resource file
IDC_APPNAME equ 1001
IDC_NAME equ 1002
IDC_SERIAL equ 1003
BTN_CLOSE equ 1004
BTN_GENERATE equ 1005
BTN_COPY equ 1006
BTN_ABOUT equ 1007
; may need to edit these constants
MinNameLength equ 5 ; Should be consistent with .data NameTooShort
MaxNameLength equ 30 ; Maximum length of name string
; edit about text as needed
About_Text equ " ",13,10,"Keygenned by Ziggy ",13,10,10,\
"30 July 2008",13,10,13,10
Max_Buffer equ 100 ; set to at least maximum length of name or serial
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data
; edit app name as needed
Appname db "Myanmar Cracking Team proudly presents:",0
; following data not required if name not used to derive serial
NoName db 'No Name Entered',0
NameTooLong db 'Name is too long',0
NameTooShort db 'Name must be at least 5 characters',0 ; edit to match MinNameLength
NameOK db 'Press "Generate"',0
namebuffer dd Max_Buffer dup (00) ;buffer for entered name
genedserial dd Max_Buffer dup (00) ;buffer for genedserial
tempbuffer dd Max_Buffer dup (00) ;scratch buffer
fixedstring db " ",0
decimalformat db "%d",0
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data?
hInstance dd ? ;Module handle
handle dd ? ;Dialog handle
hIcon dd ? ;caption bar icon handle
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.code
main:

invoke GetModuleHandleA,NULL
mov hInstance ,eax ; save handle for later use

;mov hIcon, FUNC(LoadIcon, hInstance,2) ; get the icon 2 resource

; setup the dialog processing


invoke DialogBoxParamA,hInstance,DIALOG_1,NULL, addr DialogProc,NULL
invoke ExitProcess,NULL ; terminate after dialog is closed
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Main Dialog Processing

DialogProc Proc hwnd:dword, message:dword, wParam:dword, lParam:dword


pushad
mov eax,hwnd
mov handle,eax ;save dialogbox handle, to use in other procedures
.IF message==WM_INITDIALOG
invoke SetDlgItemTextA,handle,IDC_APPNAME, addr Appname ;show the appname in dialog box
invoke SendMessage, handle,WM_SETICON,ICON_BIG,hIcon ; set icon on caption bar

.ELSEIF message==WM_COMMAND
mov eax,wParam
.IF ax==BTN_GENERATE ; "Generate" button pressed
; check name is ok, not too long & not too short
invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
.if eax == 0
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
.elseif eax > MaxNameLength ; max name length

invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong


.elseif eax < MinNameLength ; minimum name length
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameTooShort
.else ; name length is acceptable
;Invoke Keygen algo on 'generate' and name ok
Invoke KeygenProc ; do the business

.endif
.ELSEIF ax==BTN_CLOSE ; "Close" button pressed
jmp @close
.ELSEIF ax==BTN_ABOUT ; "About" button pressed
invoke MessageBox,handle,SADD(About_Text),
SADD(" ",34,"Myanmar Cracking Team",34),
MB_OK or MB_ICONINFORMATION
.ELSEIF ax==IDC_NAME ; name character entered
; check name ok, not too long & not too short
invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
.if eax == 0
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
.elseif eax > MaxNameLength ; max name length
invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong
.elseif eax < MinNameLength ; minimum name length
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameTooShort
.else ; name length is acceptable
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameOK
.endif
.ELSEIF ax==BTN_COPY ; "Copy" button pressed
invoke ClipboardCopy

.ENDIF

.ELSEIF message==WM_CLOSE ; dialog closed


@close:
invoke EndDialog,handle,NULL
popad
xor eax,eax
ret
.ELSE
popad
mov eax,FALSE
ret
.ENDIF
popad
xor eax,eax
ret

DialogProc endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Copy generated serial to the clipboard
; This function is not really necessary in a simple keygen but code is short
; and does not need any modification.
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
ClipboardCopy proc
pushad

invoke GetDlgItemText, handle, IDC_SERIAL, addr genedserial, SIZEOF genedserial


.if eax != 0
invoke OpenClipboard, handle
.if eax
invoke GlobalAlloc, GMEM_MOVEABLE or GMEM_DDESHARE, SIZEOF genedserial
.if eax != NULL
push eax
push eax
invoke GlobalLock, eax
mov edi, eax
mov esi, OFFSET genedserial
mov ecx, SIZEOF genedserial
rep movsb
pop eax
invoke GlobalUnlock, eax
invoke EmptyClipboard
pop eax

invoke SetClipboardData, CF_TEXT, eax


.endif
.endif
invoke CloseClipboard
.endif
popad
ret
ClipboardCopy endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; your Key Generator Code goes in this procedure
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
KeygenProc PROC
nop ; these nops make the Keygen procedure easy to find in Olly
nop ; when debugging the keygen.
nop ; comment these out on final assembly
nop
nop
nop
nop
nop

;[[[[[[[[[[[[[[[[[ Your keygen code goes in here to replace the example


invoke lstrlenA, addr namebuffer ;** get the length of the name string
mov ecx, eax ;** copy length of name string in eax to ecx
sub ecx, 4 ;** loop counter ecx = name string length - 4
lea edi, namebuffer ;** edi = address to name string
mov esi, 05DFEE4A4h ;** esi = starting code value 5DFEE4A4 hex
L005:
mov eax, dword ptr ds:[edi] ;** load 4 name string ascii characters in eax
xor esi, eax ;** exclusive or esi with the 4 name bytes in eax - running result stays in esi
inc edi ;** point to next group of 4 name chars
dec ecx ;** decrement the loop counter
jnz L005 ;** jump back if ecx loop counter not = zero
invoke wsprintf, addr tempbuffer, addr decimalformat, esi ;** esi holds the finished serial, print it in decimal
invoke lstrcpyA, addr genedserial, addr fixedstring
invoke lstrcatA, addr genedserial, addr tempbuffer
;]]]]]]]]]]]]]]]]]]
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr genedserial ; display serial
ret
KeygenProc ENDP
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end main
If you assemble this assembly code, you will see Figure (30).

Figure (30)
Is writing the keygen in assembly going smoothly for you? If not, I will explain how to write the keygen in the C language.
#include <conio.h>
#include <stdio.h> // C Console Application
#include <string.h> // Compiler - Borland C++ 5.02
#include <memory.h> // Copyright © by Myo Myint Htike, September 14 2009
unsigned long StringtoHex(const char *string);
int main()
{
char User_Name[31] = {0}; /* room for 30 characters plus the terminating NUL */
char Read_4_Bytes[5] = {0}; /* 4 characters plus the NUL that strrev() needs */
unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
unsigned long string_length;
printf("Teleport Pro 1.3x - 1.5x Keygen");
printf("\n========================\n\n");
printf("\nYour Name : ");
/* the width limit keeps a long name from overflowing User_Name */
scanf("%30[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]",User_Name);
string_length = strlen(User_Name);
if(string_length < 5 || string_length > 30)
printf("Name must be 5->30 characters.\n");
while(index < string_length-4){
memmove(&Read_4_Bytes, &User_Name[index], 4); /* copy the current 4-byte window */
strrev(Read_4_Bytes); /* reverse so the bytes read like the little-endian dword */
EAX = StringtoHex(Read_4_Bytes);
ESI = ESI ^ EAX;
index++;
}
printf("\nRegistration Code : %lu\n",ESI);
getch();
return 0;
}
unsigned long StringtoHex(const char *string)
{
unsigned long hex_value = 0, index = 0;
const char *character_read = string;
while(*character_read){
hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
character_read++;
}
return hex_value;
}
How the program works:
1. unsigned long StringtoHex(const char *string);
This declares in advance that we will use a function of our own.


2. char User_Name[31] = {0}, char Read_4_Bytes[5] = {0};
Up to 30 characters are read for the user name. The buffer that will hold the characters read is filled with 00 ('\0'). Read_4_Bytes[5] is the same.
3. unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
The ESI value that will be XORed is initialized to 0x5DFEE4A4.


4. scanf("%30[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]",User_Name);
This asks for the user name to register with. It could be read with %s, but because of the worry that unwanted symbols (other than space) might get into the user name, it is restricted. So when typing the name from the keyboard, only a-z, A-Z and space can be entered. We will type Myanmar Cracking Team.
5. string_length = strlen(User_Name);
This computes how many characters the entered user name has. For Myanmar Cracking Team it is 21. If the user name is shorter than 5 characters or longer than 30, only a wrong serial is produced.
6. while(index < string_length-4){
Since 4 is subtracted from string_length, the new string_length value becomes 17. index is zero at this point, so the while loop executes 17 times.
6.1 memmove(&Read_4_Bytes, &User_Name[index], 4);
The memmove() function places the 4 characters 4D 79 61 6E (Myan) that start at &User_Name[0] = VA 12FF68 into &Read_4_Bytes = VA 12FF88. Figure (31).

Figure (31)
6.2 strrev(Read_4_Bytes);
This reverses the string Myan, so Myan becomes nayM. The reason strrev() is used is that the program reads the data in little-endian byte order.
6.3 EAX = StringtoHex(Read_4_Bytes);
The StringtoHex() function converts the reversed string into a number so that it can be XORed. After this function has run, EAX is 6E61794D.
6.3.1 while(*character_read){
hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
character_read++;
}
character_read reads the first character, n, at VA 12FF88. Note that *character_read is equal to character_read[0] and reads one character.

Figure (32)
The character read, n, is converted to a number. hex_value at this point becomes 6E (hex) = 110 (decimal). Since character_read is incremented by one, it becomes character_read[1] and reads a. Now hex_value = (6E*0x100) + 61 = 6E61. It keeps reading characters this way until it meets 00 (\0). Finally hex_value becomes 6E61794D, and 6E61794D is returned to EAX.
6.4 ESI = ESI ^ EAX;
EAX (6E61794D) and ESI (5DFEE4A4) are XORed. The resulting value 339F9DE9 is stored in ESI.
6.5 index++;
Since index is incremented by one, when the while loop runs the next time ...


while(index < string_length-4){ // while(1<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = "yanm";
strrev(Read_4_Bytes); // Read_4_Bytes = "mnay";
EAX = StringtoHex(Read_4_Bytes); // EAX = 6D6E6179;
ESI = ESI ^ EAX; // ESI = 339F9DE9 ^ 6D6E6179 = 5EF1FC90;
index++; // index = 2;
}
// while (2<17){ ..................}
// while (3<17){ ..................}
// while (4<17){ ..................}
// ......................................etc
while(index < string_length-4){ // while(16<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = " Tea";
strrev(Read_4_Bytes); // Read_4_Bytes = "aeT ";
EAX = StringtoHex(Read_4_Bytes); // EAX = 61655420;
ESI = ESI ^ EAX; // ESI = 44E3D4F9 ^ 61655420 = 258680D9;
index++; // index = 17;
}

7. printf("\nRegistration Code : %lu\n",ESI);
This prints the final result of the XORs (258680D9 hex = 629571801 decimal). 629571801 is the registration code for Myanmar Cracking Team.
That is the detail of how the keygen works.
Finally, I want to mention that the registration routine is not always written inside the exe file. Kaspersky Internet Security 7.0, for instance, keeps its registration routine in lic.ppl (although the file type is given as .ppl, it is really just a .dll file), and the software published by Xilisoft keeps it in the UILib71.dll or UILib8_MFCDll.dll file. With that said, let me conclude.
Chapter (10) – Patching (Beginner/Intermediate/Advanced) - 134 -

Chapter (10) – Patching (Beginner/Intermediate/Advanced)


What we studied in Chapter (9) was finding the serial key from the registration routine. But finding the serial key of every program is really not easy; it takes time and effort. That is why some crackers, in order to use the full (registered) version within a short time, crack the program by patching it. Modifying some of the necessary code of a program is called patching. Patched files are placed in the folder where the program is installed, replacing the original file. Figure (1) shows the state of the BookWorm game program after it has been patched. Finding the serial in this program is not as easy as in Teleport Pro; it would take quite some time. So in this program the routine that checks whether it is registered has been removed, the routine that checks the play time has been removed, and the 60-minute limit has been removed. In addition, the text "Myanmar Cracking Team proudly PRESENTS…" has been added, and the Trial Version image has been replaced with a Registered Version image.

Figure (1)
In this chapter, patching is discussed in three parts. The first part is the patching method that beginner crackers usually use, part (2) is the intermediate level, and part (3) is the patching method that advanced crackers usually use.
(1) Beginner-level patching (Plain Stupid Method)
Under this heading we will try cracking with the patching methods that beginners usually use. The program chosen for the patching experiment is the calculator (calc.exe) program, protected with the Exe password software. The calculator program can easily be found in Microsoft Windows' system32 folder. The Exe password software can be downloaded from www.salfeld.com. Exe password is a piece of software that protects programs you do not want others to use with a password, so that others cannot open them. If you want to open such a program, you must be able to type in the correct password. Good, the first thing to do before patching is to open Exe password and give the calculator (calc.exe) program a password. Figure (2).

Figure (2)
As seen in Figure (2), we protect our calc.exe program with the password "DEADBEEF". You will then see that the icon has changed. Figure (3).

Figure (3)
Let us open the password-protected calc.exe file. A dialog box asking for the password appears, as in Figure (4).

Figure (4)
If you cannot type the password correctly, you will see Figure (5).

Figure (5)
So it is now certain that we cannot open this file without knowing the password. Normally we would work to find out this password, but since this chapter discusses only patching, let us try patching. Note down the text "Password is incorrect…" seen in Figure (5) on a blank sheet of paper. Open the calc.exe file in Olly. You will see Figure (6).

Figure (6)
Right-click in Figure (6) and choose All referenced text strings from Search for. A new window appears. Right-click in this window and choose Search for text. You will see Figure (7).

Figure (7)
In Figure (7), type in the text we want to find, "Password is incorrect…", and choose OK. You will see Figure (8).

Figure (8)
Double-click with the mouse on the highlighted line in Figure (8). You will see Figure (9).

Figure (9)
Look carefully at Figure (9). You will find the routine (VA 0054C8AC) that displays the error message from Figure (5). In fact, the error message routine is executed because CALL calc.00435C4C cannot be skipped. The JNZ instruction at VA 0054C87C cannot skip CALL calc.00435C4C either. Figure (10).

Figure (10)
According to Figure (10), the only thing that can skip CALL calc.00435C4C is the JE instruction at VA 0054C873. So set a breakpoint at VA 0054C86E and press F9. You will see Figure (11).

Figure (11)
Type "Cracker" into the textbox in Figure (11). Execution comes straight to the place where we set the breakpoint. Figure (12).

Figure (12)
When we reach VA 0054C86E in Figure (12), let us take a look at the register window. Figure (13).

Figure (13)
Looking at Figure (13), you will see the text "pFTZ^UC" in the EAX register and the text "wqt}wutt" in the EDX register. "wqt}wutt" is in fact the encrypted form of the password we typed in Figure (2), and "pFTZ^UC" is the encrypted form of "Cracker". The CALL routine at VA 0054C86E seen in Figure (12) checks whether "pFTZ^UC" and "wqt}wutt" are equal. If they are equal, the error message is skipped. So let us try patching. Properly, CALL calc.004046A0 should be replaced with NOP instructions and JE SHORT calc.0054C8D7 should be replaced with JMP SHORT calc.0054C8D7. But here I will only change JE to JMP. (Note: changing to NOP (No operation) stops the two passwords from being compared; the JMP instruction forces the error message to be skipped.) Once changed, you will see Figure (14).

Figure (14)
After making the change as in Figure (14), right-click, choose All modifications from Copy to executable, and save the file. To find out whether the patched file works, open it. Type any password you like into the password dialog box that appears. The program opens.
(2) Intermediate-level patching
This time we will try intermediate-level patching in cracking. The program chosen for studying and experimenting without harming anyone is MrBills. This program can no longer be found on the Internet at all; the company has been sold and the program is no longer released. Also, this software has already been cracked by others. MrBills can be downloaded free from the SND Team's download section. You will find MrBills included with Lena's reversing tutorial (7).
To get to know the program, let us open it in Olly and PEiD. Figure (15)/Figure (16).

Figure (15)

Figure (16)
PEiD is a tool that detects the commonly used packers, cryptors and compiler types of PE files. Let us look at Krypto Analyser, one of PEiD's plugins. This little plugin finds known crypto algorithms inside modules by comparing them against the crypto signatures that the plugin carries.
Looking at Figure (1), you can see that the MrBills software is not packed and was written with Visual C++ 7.0. The version of MrBills is 2.1.0.1.

Figure (17)
If you choose Krypto Analyser from Plugins in Figure (17), you will see Figure (18).

Figure (18)
Looking at Figure (18), you can see the crypto algorithms in use. CRC checks will be discussed in later lessons. Good, let us close PEiD. Look at Figure (16). Let us run (F9) the program. You will then see Figure (19).

Figure (19)
As seen in Figure (19), we have not registered yet. Click About.

Figure (20)
When you click About, you will see Figure (20). I think there is nothing for us to do here. Choose Register... You will see Figure (21).

Figure (21)
According to Figure (21), we need to register, because it says that some functions will not work if we do not register. Let us try registering. Figure (22).

Figure (22)
We are out of luck. We only get Figure (23).

Figure (23)
Figure (9) is the place we have to patch. I already explained in earlier chapters how to search for text strings. Today too, we will have to use that method to get what we want. So note down the words among these text strings that you think are important. Good, let us study the code. Go back to Olly. Figure (10).

Figure (24)
To search for text strings, right-click in Figure (24). Then choose All referenced text strings from Search for. The text string window appears. Right-click in the text string window and search for the text we want. Figure (25). One thing to point out before searching: scroll to the very top of the text string window before right-clicking.

Figure (25)
Now we have found the text we were searching for. Figure (26).

Figure (26)
So double-click on VA 004299BD, where the text is. You will see Figure (27).

Figure (27)
VA 004299BD in Figure (13) is preparing to write "You have entered an ..." in a message box. If you scroll down a little, you will see Figure (28).

Figure (28)
The answer we want is at VA 004299F3. VA 004299BD is the BadBoy message and VA 004299F3 is the GoodBoy message. You can see that the JNZ in Figure (27) jumps to VA 004299F1. In practice, the JNZ does not jump to VA 004299F1; that is why we see the BadBoy message "You have entered an invalid email ...". If the JNZ were changed to JMP, then .........

Figure (29)
Look at TEST AL, AL in Figure (29). AL decides whether it is GoodBoy or BadBoy. AL is probably set inside the CALL function at VA 004299AD, because before comparing something it is better to set it inside the CALL function so that it can then be compared. This is the registration check. The point to note here is that we now need to examine how AL is set inside this CALL function. So let us set a breakpoint at VA 004299AD and carry on.
We have found the result of the check of whether the serial is correct. When the result is set inside the CALL above TEST AL, AL, AL holds that value. If the result is positive, the program goes to VA 004299F1, where the GoodBoy message is, to register. Otherwise the jump cannot happen and we get the BadBoy message.
In summary: because of the JNZ, AL must not be equal to zero for registration to succeed.
Let us scroll up a little above VA 004299AD. Figure (30).

Figure (30)
The texts in Figure (30) are of no importance to us; they are the texts shown in the About box. Let us run the registration again. A breakpoint has been set at VA 004299AD so that we can find out what is inside the CALL.
Note: the plain stupid method is merely patching conditional jumps so as to bypass the BadBoy. In most cases that method is not sufficient to register software.

So now we will go deep inside the CALL and try to patch AL, which decides whether registration succeeds.
Let us do it again as in Figure (31). Press F9.

Figure (31)
When the "Register Now" button is clicked, we arrive at VA 004299AD, where we set the breakpoint earlier. Figure (32).

Figure (32)
Press F7 and let us go inside the CALL. Now we are inside the CALL. Figure (33).

Figure (33)
To find out what happens next, we just press F8. Let me say here that we need to watch for changes in the value of AL. Figure (34).

Figure (34)
Soon we will see the important things. Do you see TEST AL, AL at VA 0040715A in Figure (35)?

Figure (35)
And then [5076A0] at VA 0040715E. After that, JNZ at VA 00407163, TEST AL, AL at VA 00407170, and [5076A0] at VA 00407174. Look carefully at the CALL at VA 00407155. What do you see? It looks like AL has already been set inside the CALL at VA 00407155. So press the Enter key to find out what happens inside the CALL. Note that by pressing Enter you can follow the code, but the code is not run; it means looking at the code inside the CALL without running it. So the instruction pointer also stays at the VA where you pressed Enter. Figure (36).

Figure (36)
When you press Enter on the CALL at VA 00407155, you see Figure (37).

Figure (37)
Let us look. MOV BL, AL at VA 00407007; MOV AL, BL at VA 00407011. The value from BL is moved back into AL. First the value in AL is placed in BL. You will understand that the CALL at VA 00407009 has no effect on BL (and AL). But the value of AL is decided in the CALL at VA 00406FF9. Good. Since AL is set inside CALL 00406F4B at VA 00406FF9, let us set a breakpoint on this CALL.
Note that we are now seeing a great many CALLs. Remember likewise that we pressed Enter on the CALL in order to find out what is inside it. To check whether AL is set inside the CALL at VA 00406FF9, we press F9 to reach the place where we set the breakpoint. Now we have arrived at the breakpoint. Figure (38).

Figure (38)
It is very important for you to understand the next step.
(1) Note the value of AL.
(2) Execute the CALL that is suspected of setting the value of AL.
(3) Press F7 on this CALL.
(4) Search again for information about AL.

Figure (39)
As seen in Figure (39), AL is not zero. That is why, at the moment TEST AL, AL returns a value, AL may not be zero. Now press F8 to run the CALL. You will see the value of AL change. Figure (40).

Figure (40)
So the CALL at VA 00406FF9 sets the value of AL to zero. Registration does not succeed. Press F8 to find out what happens next. Another thing to remember is how the values of AL and BL change in the next steps.

Figure (41)
When MOV BL, AL in Figure (41) is executed, the value of BL also becomes zero, because AL is zero. Figure (42).

Figure (42)

Figure (43)
After the CALL at VA 00407009 in Figure (43) has executed, you can see that the value of AL changes to 1. Look at MOV AL, BL at VA 00407011. Why is the content of BL placed into AL?
INFO: if the program needs to work with the EAX register, it temporarily keeps its value in another register.
I will explain once more, so that you get a feel for how the program works.

Figure (44)
In Figure (44), the value of AL becomes zero again because of BL. So my conclusion that the CALL at VA 00407009 has no effect on AL and BL turns out to be right. It is the CALL at VA 00406FF9 that sets the state of AL. Finally, press F8 (or F7) to get back to our earlier CALL (I mean the CALL before we pressed the Enter key). You will see Figure (45).

Figure (45)
Remember that when TEST AL, AL returns, the value of AL is not zero. (The JNZ decides whether it is registered or not.)
Let us study what happens to AL here. When F8 is pressed, the value of AL is still zero. Figure (32).
When AL is stored in the pointer ([5076A0]) ....

Figure (46)
The value of the pointer is still zero. Figure (46). When not registered, the jump cannot happen.
Good. Do you understand that whether we are registered or not is kept in the pointer ([5076A0]) at VA 0040715E? Likewise in the pointer ([5076A0]) at VA 00407174. Figure (45).
The CALL at VA 0040716B only runs when we are not registered. It may be the CALL that displays the unregistered strings. Let us keep pressing F8. We will continue the AL-related work at VA 0040715E later on, and likewise the AL at VA 00407174.
Sorry if this explanation is too slow for you. I think all of this will be confusing for newcomers who have had only a little to do with cracking, which is why I am discussing it all in detail. But once I can assume you have understood all of this, I promise to go faster in the lessons that follow.
Keep pressing F8.

Figure (47)

I think the JMP in Figure (47) is clear. If you press F8 at the JMP, you will see as in Figure (35).

Figure (48)
At VA 00407076 we find another pointer ([5076A1]). I think pointers are clear by now. The JNZ at VA 0040707D will jump if we are not registered. Good. Just keep pressing F8. Whether or not we registered successfully can be seen in Figure (49).

Figure (49)
Good, it is now clear why we ended up at the BadBoy. Figure (49). The JNZ at VA 004299B9 does not jump. Figure (50).

Figure (50)
So it is not registered. Let us keep watching what happens next.

Figure (51)
Now you see as in Figure (51). At this point we know the CALL we are looking for.
Good. Choose OK in Figure (51) and restart Olly. Take care that the breakpoint window holds only the single breakpoint at VA 004299AD. Run the program (F9). Then register again as in Figure (31). We then land directly at the place we set, as in Figure (52).

Figure (52)
To find the correct CALL, press F7 and enter the CALL at VA 004299AD.

Figure (53)
Remember that we entered the CALL at VA 00407155 earlier. When you reach VA 00407155, press F7. You will see as in Figure (54).

Figure (54)
Keep pressing F8 until you reach the CALL at VA 00406FF9.

Figure (55)
I think you remember the MOV BL, AL in Figure (55). By now we have decided that the CALL at VA 00406FF9 is the CALL we must go into. So press F7 and enter the CALL. You will see as in Figure (56).

Figure (56)
Let us look for where AL is set. Scroll down. We find quite a lot of code. Since this is the first time, I will not go into a deep search. I suspect one place that checks whether the serial is correct, but I will talk about that later. For now I will just try to patch AL. Strictly, I ought to check the code without skipping a single instruction; that is what is called Advanced Level Patching.

Figure (57)
Now let us try to change BL at VA 00406FC5. Figure (58).

Figure (58)
You may be expecting something else: that at VA 00406FC5 I would change it to MOV AL, 1 (or) INC AL.
Let me explain here. Every time the program starts, the code at this place is executed. But the program starts with AL == 1 (if registered). To be precise, if the program is not really registered, the program makes itself unregistered. That is also why, when we changed the JNZ at VA 004299AD to JMP as we did earlier, the program became registered only for a moment and was unregistered again the next time it was restarted.
I want you to test the code below yourself.
MOV AL, 1 (or)
MOV BL, 1 (or) NOP
All of them will make the program registered. In any case, it does not matter yet if you do not understand all of this; it will become clear in later chapters. For now let us just assume that I assemble MOV BL, 1.
To know where BL is set, we would need to enter and study the CALL at VA 00406FBC. But for now let us leave it here. Figure (59).

Figure (59)
Press F9 and see what happens next. Figure (60).

Figure (60)
If you press OK in Figure (60), you will see that the [Unregistered] text in Figure (61) has disappeared.

Figure (61)
Looking at Figure (61), you will see there is no need to register again.

Figure (62)
With that, intermediate-level patching is successfully complete. Save the patched file under any name you like. ☻☻☻

(3) Advanced-level patching


(FOR ONLY FULL VERSION)
INFO: Plain stupid patch:
INFO: Intermediate patch: when you find code such as MOV AL, BYTE PTR DS:[EAX+24], change it to MOV AL,0; translated, that means "making the required part registered".
INFO: Advanced patch:

Figures (63), (64), (65), (66), (68), (69), (70), (71), (72), (73), (74), (75), (76), (77), (78), (79), (80), (81), (82), (83), (84), (85) (FOR ONLY FULL VERSION)
Chapter (11) - Windows APIs that crackers should watch - 155 -

Chapter (11) - Windows APIs that crackers should watch


INFO: An API (Application Programming Interface) is a collection of functions used for communication between programs and the OS. The Win32 API is a very large collection of functions and is the low-level programming interface for Windows applications. Microsoft has introduced high-level interfaces that cover most of the features of the Win32 API. The best known of these interfaces is MFC (Microsoft Foundation Classes), which uses C++ objects to talk to Windows. In reality, MFC must use the Win32 API to call the OS. The .Net Framework, so popular today, also uses the System class to reach OS services, but in the end it too has to call the Win32 API. The Win32 API contains roughly 2000-plus APIs and can be divided into three groups: Kernel, USER and GDI. Then there is the native API. The native API is an interface for the Windows NT system. In Windows NT the Win32 API sits on top of the native API. Since the NT kernel has nothing to do with the GUI, the native API contains no graphics-related functions. So, functionally, the native API is the main interface to the Windows kernel and is used to talk to the memory manager, the I/O system, the object manager, processes and threads. Application programs never call native APIs directly; if they did, it would break compatibility with Windows 98. Since Microsoft also does not publish information about the native APIs, application programs will have to keep using the Win32 APIs to talk to the OS. Typical DLL files for the Win32 API are kernel32.dll, user32.dll and gdi32.dll, and the typical DLL file for the native API is ntdll.dll. A distinguishing feature of native APIs is that their function names usually begin with Nt (NtCreateFile) or Zw (ZwCreateFile).
In this chapter we study the API functions that must be watched carefully when cracking. Knowing the API functions in detail makes cracking easier. The API functions to watch are as follows -
When dealing with dialog boxes
DialogBoxParamA
GetDlgItem
GetDlgItemInt
GetDlgItemText
GetWindowText
GetWindowWord
When dealing with message boxes
MessageBeep
MessageBoxA
MessageBoxEx
SendMessage
SendDlgItemMessage
When dealing with the registry
RegCreateKey
RegDeleteKey
RegQueryValue
RegQueryValueEx
RegCloseKey
RegOpenKey
When reading from or writing to files
ReadFile
WriteFile
CreateFile
When reading data from INI files
GetPrivateProfileString
GetPrivateProfileInt
WritePrivateProfileString
When reading data from other places
LoadString
lstrcmp

MultiByteToWideChar
WideCharToMultiByte
wsprintf
When dealing with time and dates
GetFileTime
GetLocalTime
GetSystemTime
GetSystemTimeAsFileTime
SetTimer
SystemTimeToFileTime
When looking for a NAG window
CreateWindowEx
ShowWindow
UpdateWindow
When looking for the text of a MessageBox
SendDlgItemMessage
SendMessage
SetDlgItemText
SetWindowText
When examining registration-related routines, the following APIs are the main ones to search for -
GetDlgItemText
GetWindowText
lstrcmp
GetPrivateProfileString
GetPrivateProfileInt
RegQueryValueEx
WritePrivateProfileString
WritePrivateProfileInt
(1) CreateProcess
(FOR ONLY FULL VERSION)
BOOL CreateProcess(
LPCTSTR lpApplicationName, // pointer to name of executable module
LPTSTR lpCommandLine, // pointer to command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to thread security attributes
BOOL bInheritHandles, // handle inheritance flag
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // pointer to new environment block
LPCTSTR lpCurrentDirectory, // pointer to current directory name
LPSTARTUPINFO lpStartupInfo, // pointer to STARTUPINFO
LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION
);
(2) GetWindowText
int GetWindowText(
HWND hWnd, // handle of window or control with text
LPTSTR Buffer, // address of buffer for text
int Count // maximum number of characters to copy
);
(3) GetDlgItemText
UINT GetDlgItemText(
HWND hDlg, // handle of dialog box
int ControlID, // identifier of control
LPTSTR Buffer, // address of buffer for text
int Count // maximum size of string
);

Figure (1)

Figure (2)
DLG_REGIS DIALOG 20, 20, 142, 81
STYLE DS_MODALFRAME | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Enter Password"
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
FONT 10, "Book Antiqua"
{
CONTROL "Textbox", 1000, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE |
WS_BORDER | WS_TABSTOP, 45, 22, 66, 11
CONTROL "OK", 1002, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP,
18, 55, 42, 15
CONTROL "Cancel", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE |
WS_TABSTOP, 80, 55, 42, 15
CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 7, 23, 34,
10
}
Figure (3)
(4) GetDlgItem
HWND GetDlgItem(
HWND hDlg, // handle of dialog box
int ControlID // identifier of control
);
(5) lstrcmp
int lstrcmp(
LPCTSTR lpString1, // address of first string
LPCTSTR lpString2 // address of second string
);

Figure (4)
(6) GetPrivateProfileString
DWORD GetPrivateProfileString(
LPCTSTR lpAppName, // points to section name
LPCTSTR lpKeyName, // points to key name
LPCTSTR lpDefault, // points to default string
LPTSTR lpReturnedString, // points to destination buffer
DWORD nSize, // size of destination buffer
LPCTSTR lpFileName // points to initialization filename
);
[section]
key = string
...
(7) GetPrivateProfileInt

UINT GetPrivateProfileInt(
LPCTSTR lpAppName, // address of section name
LPCTSTR lpKeyName, // address of key name
INT nDefault, // return value if key name is not found
LPCTSTR lpFileName // address of initialization filename
);
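The two prototypes above describe a lookup contract that is easy to exercise outside Windows. The following C is an added example, not code from the book or from the Win32 SDK: it re-implements the section/key lookup of GetPrivateProfileString and GetPrivateProfileInt over an INI text held in memory (the file-name parameter becomes the text itself), with the case-insensitive matching of section and key names that the real calls use. SAMPLE_INI, including a Registered key of the kind a registration routine reads, is constructed for the example, and treating a non-numeric value as "use the default" in ini_get_int is a simplification of the real API.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the kind of file a registration routine consults. */
const char SAMPLE_INI[] =
    "; appname.ini (constructed for this example)\n"
    "[Section1]\n"
    "FirstKey = It all worked out OK.\n"
    "\n"
    "[Registration]\n"
    "User = Demo\n"
    "Registered = 1\n";

/* Strip leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s)
{
    while (*s && isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Case-insensitive string equality, as the profile APIs treat names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* GetPrivateProfileString on an in-memory INI text: copy the value of key in
 * [section] (or def when absent) into out, truncating to n-1 characters, and
 * return the number of characters copied. */
size_t ini_get_string(const char *ini, const char *section, const char *key,
                      const char *def, char *out, size_t n)
{
    if (n == 0)
        return 0;
    size_t sz = strlen(ini) + 1;
    char *copy = malloc(sz);                 /* strtok() writes into its input */
    memcpy(copy, ini, sz);
    const char *value = def;
    int in_section = 0;

    for (char *line = strtok(copy, "\r\n"); line; line = strtok(NULL, "\r\n")) {
        line = trim(line);
        if (*line == '\0' || *line == ';')   /* blank line or comment */
            continue;
        if (*line == '[') {                  /* [section] header */
            char *close = strchr(line, ']');
            if (close) {
                *close = '\0';
                in_section = eq_nocase(trim(line + 1), section);
            }
            continue;
        }
        if (!in_section)
            continue;
        char *eq = strchr(line, '=');        /* key = value */
        if (!eq)
            continue;
        *eq = '\0';
        if (eq_nocase(trim(line), key)) {
            value = trim(eq + 1);
            break;
        }
    }

    size_t len = strlen(value);
    if (len >= n)
        len = n - 1;
    memcpy(out, value, len);
    out[len] = '\0';
    free(copy);
    return len;
}

/* GetPrivateProfileInt counterpart: the value parsed as a decimal number.
 * Returns def when the key is missing, and (a simplification of the real
 * API, which returns 0) also when the value is not numeric. */
long ini_get_int(const char *ini, const char *section, const char *key, long def)
{
    char buf[32];
    if (ini_get_string(ini, section, key, "", buf, sizeof buf) == 0)
        return def;
    char *end;
    long v = strtol(buf, &end, 10);
    return *end == '\0' ? v : def;
}

int main(void)
{
    char buf[80];
    ini_get_string(SAMPLE_INI, "Section1", "FirstKey", "Error: GPPS failed", buf, sizeof buf);
    printf("Key: %s\n", buf);
    printf("Registered: %ld\n", ini_get_int(SAMPLE_INI, "Registration", "Registered", 0));
    return 0;
}
```

Seeing one of these calls in a debugger with the section and key names on the stack is what makes the pair worth a breakpoint: the value that decides the registration state is read in the clear, so a program that keeps its licence flag this way should treat the INI as untrusted input and check it against something the user cannot simply edit.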

(8) RegQueryValueEx

LONG RegQueryValueEx(
HKEY hKey, // handle of key to query
LPTSTR lpValueName, // address of name of value to query
LPDWORD lpReserved, // reserved
LPDWORD lpType, // address of buffer for value type
LPBYTE lpData, // address of data buffer
LPDWORD lpcbData // address of data buffer size
);

(9) WritePrivateProfileString
BOOL WritePrivateProfileString(
LPCTSTR lpAppName, // pointer to section name
LPCTSTR lpKeyName, // pointer to key name
LPCTSTR lpString, // pointer to string to add
LPCTSTR lpFileName // pointer to initialization filename
);

#include "stdafx.h" // Compiler - Visual C++ 8.0, Win32 Console Application
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

int main()
{
    TCHAR inBuf[80];
    HKEY hKey1, hKey2;
    DWORD dwDisposition;
    LONG lRetCode;
    TCHAR szData[] = TEXT("USR:App Name\\Section1");

    // Create the .ini file mapping key: this tells Windows that appname.ini
    // is backed by the registry instead of a real file.
    lRetCode = RegCreateKeyEx ( HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\appname.ini"),
        0, NULL, REG_OPTION_NON_VOLATILE,
        KEY_WRITE, NULL, &hKey1, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf ("Error in creating appname.ini key (%ld).\n", lRetCode);
        return 1;
    }

    // Set a section value: Section1 of appname.ini maps to HKEY_CURRENT_USER\App Name\Section1
    lRetCode = RegSetValueEx ( hKey1, TEXT("Section1"), 0,
        REG_SZ, (BYTE *)szData, sizeof(szData));
    if (lRetCode != ERROR_SUCCESS)
    {
        printf ("Error in setting Section1 value (%ld).\n", lRetCode);
        RegCloseKey( hKey1 );   // nothing more can be done; release the key and stop
        return 1;
    }

    // Create the App Name key that the mapping points at
    lRetCode = RegCreateKeyEx ( HKEY_CURRENT_USER, TEXT("App Name"),
        0, NULL, REG_OPTION_NON_VOLATILE,
        KEY_WRITE, NULL, &hKey2, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf ("Error in creating App Name key (%ld).\n", lRetCode);
        RegCloseKey( hKey1 );   // hKey2 was never opened, so only hKey1 is closed
        return 1;
    }

    // Force the system to read the mapping into shared memory
    // so that future invocations of the application will see it
    // without the user having to reboot the system
    WritePrivateProfileStringW( NULL, NULL, NULL, L"appname.ini" );

    // Write some added values; because of the mapping they land in the registry, not in a file
    WritePrivateProfileString (TEXT("Section1"), TEXT("FirstKey"),
        TEXT("It all worked out OK."), TEXT("appname.ini"));
    WritePrivateProfileString (TEXT("Section1"), TEXT("SecondKey"),
        TEXT("By golly, it works!"), TEXT("appname.ini"));
    WritePrivateProfileString (TEXT("Section1"), TEXT("ThirdKey"),
        TEXT("Another test..."), TEXT("appname.ini"));

    // Test: read FirstKey back through the same mapping
    GetPrivateProfileString (TEXT("Section1"), TEXT("FirstKey"), TEXT("Error: GPPS failed"),
        inBuf, 80, TEXT("appname.ini"));
    _tprintf (TEXT("Key: %s\n"), inBuf);

    // Close the keys
    lRetCode = RegCloseKey( hKey1 );
    if( lRetCode != ERROR_SUCCESS )
    {
        printf("Error in RegCloseKey (%ld).\n", lRetCode);
        return 1;
    }
    lRetCode = RegCloseKey( hKey2 );
    if( lRetCode != ERROR_SUCCESS )
    {
        printf("Error in RegCloseKey (%ld).\n", lRetCode);
        return 1;
    }
    return 0;
}

Figure (5)
(10) CreateWindowEx
HWND CreateWindowEx(
DWORD ExtStyle, // extended window style
LPCTSTR ClassName, // pointer to registered class name
LPCTSTR WindowName, // pointer to window name
DWORD WindowStyle, // window style
int x, // horizontal position of window
int y, // vertical position of window
int Width, // window width
int Height, // window height
HWND hWndParent, // handle to parent or owner window
HMENU hMenu, // handle to menu, or child-window identifier
HINSTANCE hInstance, // handle to application instance
LPVOID lParam // pointer to window-creation data
);

(11) CreateFile
HANDLE CreateFile(
LPCTSTR FileName, // pointer to name of the file
DWORD DesiredAccess, // access (read-write) mode
DWORD Mode, // share mode
LPSECURITY_ATTRIBUTES pSecurity, // pointer to security attributes
DWORD dwCreationDistribution, // how to create
DWORD Attributes, // file attributes
HANDLE hTemplateFile // handle to file with attributes to copy
);

Figure (6)
(12) DialogBoxParamA
int DialogBoxParamA(
HINSTANCE hInst, // handle to application instance
LPCTSTR pTemplate, // identifies dialog box template
HWND hOwner, // handle to owner window
DLGPROC DlgProc, // pointer to dialog box procedure
LPARAM lParam // initialization value
);

1 DIALOGEX 0, 0, 225, 142


STYLE DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE |
WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_STATICEDGE
CAPTION " :: Ziggy's KeyGenMe #0 ::"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 7, "MS SANS SERIF"
{
CONTROL 10, -1, STATIC, SS_BITMAP | SS_REALSIZEIMAGE | SS_SUNKEN | WS_CHILD |
WS_VISIBLE, 65535, 104, 200, 200
CONTROL "Name", 1002, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 30, 186, 10 ,
0x00020000
CONTROL "Serial", 1003, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 47, 186, 10 ,
0x00020000
CONTROL "Register", 1005, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 59, 62, 50, 12 , 0x00020000
CONTROL "About", 1007, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 158, 62, 30, 12 , 0x00020000
CONTROL "Close", 1004, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 191, 62, 30, 12 , 0x00020000
CONTROL "Appname", 1001, STATIC, SS_CENTER | SS_SUNKEN | WS_CHILD | WS_VISIBLE |
WS_GROUP, 35, 5, 186, 10 , 0x00020000
CONTROL " ", 1009, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 19, 186, 10
CONTROL "Name", 4, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 30, 26, 10
CONTROL "Serial", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 47, 26, 10
CONTROL 3, 1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 6, 4, 35, 35
CONTROL "Registered to : ", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 80, 50, 10
CONTROL " ", 1008, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 80, 150, 10
CONTROL " ", 1010, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 90, 180, 10
}

Figure (7)
(13) ShowWindow
BOOL ShowWindow(
HWND hWnd, // handle of window
int nCmdShow // show state of window
);
(14) MessageBox
int MessageBoxA(
HWND hOwner, // handle of owner window
LPCTSTR Text, // address of text in message box
LPCTSTR Title, // address of title of message box
UINT Style // style of message box
);

Figure (8)
(15) SendMessage
LRESULT SendMessage(
HWND hWnd, // handle of destination window
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);

(16) SendDlgItemMessage
LONG SendDlgItemMessage(
HWND hDlg, // handle of dialog box
int nIDDlgItem, // identifier of control
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);

(17) ReadFile
BOOL ReadFile(
HANDLE hFile, // handle of file to read
LPVOID Buffer, // address of buffer that receives data
DWORD BytesToRead, // number of bytes to read
LPDWORD pBytesRead, // address of number of bytes read
LPOVERLAPPED pOverlapped // address of structure for data
);

Figure (9)

(18) WriteFile
BOOL WriteFile(
HANDLE hFile, // handle to file to write to
LPCVOID Buffer, // pointer to data to write to file
DWORD BytesToWrite, // number of bytes to write
LPDWORD pBytesWritten, // pointer to number of bytes written
LPOVERLAPPED pOverlapped // pointer to structure needed for overlapped I/O
);

(19) GetSystemTime
VOID GetSystemTime(
LPSYSTEMTIME lpSystemTime // address of system time structure
);

(20) GetFileTime
BOOL GetFileTime(
HANDLE hFile, // identifies the file
LPFILETIME lpCreationTime, // address of creation time
LPFILETIME lpLastAccessTime, // address of last access time
LPFILETIME lpLastWriteTime // address of last write time
);

(21) SetTimer
UINT SetTimer(
HWND hWnd, // handle of window for timer messages
UINT TimerID, // timer identifier
UINT Timeout, // time-out value
TIMERPROC Timerproc // address of timer procedure
);

Figure (9)
Chapter (12) - Cracking by using a program's resources - 166 -

Chapter (12) - Cracking by using a program's resources


In this chapter we will try cracking by using a program's resources. The reason for using this method is that it makes cracking faster. The program chosen for cracking this time is Active Desktop Calendar Version 5.95. Active Desktop Calendar is a piece of software that puts a calendar on your desktop, as in Figure (1), and keeps track of the tasks you have to do and have already done.

Figure (1)
Download Active Desktop Calendar from www.xemico.com and install it.

Figure (2)
When you open ADC, you will see, as in Figure (2), that it is not registered yet. If you choose About Active Desktop Calendar from the Help menu, you will see as in Figure (3).

yHk(3)

Good, let us choose Registration from the Help menu and try to register. Figure (4).

Figure (4)
If you choose the Register button in Figure (4), you will see as in Figure (5).

Figure (5)
That is enough. Let us try patching the program. Before patching, we first look at the ADC program with the Resource Hacker software. Figure (6).

Figure (6)
As in Figure (6), the Resource Hacker program shows the resources a program uses. Recall that every program has an .rsrc section. Normally the Resource Hacker software lets you edit a program's resources however you like. Figure (7).

Figure (7)

Keep in mind that the Resource Hacker software can only edit resources. It cannot make a program register successfully. So we have to use Resource Hacker together with Olly Debugger. Look again at Figures (3, 4, 5). They are dialogs. Let us look at these dialogs in detail in Resource Hacker. Click the Dialog entry in Figure (6). You will see as in Figure (8).

Figure (8)
Look carefully at the number 100 in Figure (8). It is the dialog name. Before the program calls the dialog function, it pushes the dialog name onto the stack.

Figure (9)
The number 207 in Figure (9) is the dialog that brings up the registration box of Figure (4).

Figure (10)
The number 208 in Figure (10) is the dialog that brings up the BadBoy MessageBox of Figure (5).
Good. Let us open the ADC program in Olly. Figure (11).

Figure (11)
Once you see Figure (11), let us search in Olly for the dialog names we just looked at. Right-click in Olly and choose Search for, then All commands. First let us search for the registration dialog (207d = 00CFh). Figure (12).

Figure (12)
If you choose the Find button in Figure (12), you will see as in Figure (13).

Figure (13)
Set a breakpoint on every command seen in Figure (13). After setting the breakpoints, press F9 and run the program. Then choose Registration from the Help menu. You will see as in Figure (14).

Figure (14)
VA 0045EEC0 in Figure (14), where we have stopped, is the CALL where the registration dialog is. VA 0045EEA0 is the start of the CALL where the registration dialog is. If you want to know from which virtual address this CALL is called, look in the stack window. Figure (15).

Figure (15)
According to Figure (15), after VA 0045EEA0 has executed it will return to VA 00434E86. To check whether that is so, right-click and choose Follow in Disassembler. You will see as in Figure (16).

Figure (16)
Actually the CALL at VA 0045EEA0 is called from VA 00434E81. I think that is enough to understand it. Look at Figure (14) again. As in Figure (14), the dialog name has already been pushed onto the stack. Press F9 to see what happens next. You will see as in Figure (17).

Figure (17)

If you see as in Figure (17), it is not registered yet. That is because we still have to find the dialog (208d = D0h) seen in Figure (10). Type PUSH 0D0h as in Figure (12) and set a breakpoint on every command. This time, interestingly, only one command is found. Figure (18).

Figure (18)
The JE at VA 0045F0D3 in Figure (18) decides whether registration succeeds or fails, and if it fails, execution arrives at VA 0045F239. That is why the BadBoy DialogBox appears. If you change this code from JE to NOP, registration succeeds whatever code you type in. Figure (19). Now save the code we changed under any file name you like.

Figure (19)
If you want to be more certain, look in the registry editor (regedit.exe) as in Figure (20).

Figure (20)
If you reopen the saved file and look at About Active Desktop Calendar in the Help menu, it still shows as in Figure (21).

Figure (21)
So we set a breakpoint at the virtual address of this dialog (100d = 0064h) too and run (F9). While the program runs it will pause at every breakpoint where there is a PUSH 64. If a breakpoint is not relevant, remove it (except for the PUSH 64 breakpoint that calls the About dialog).

Removing irrelevant breakpoints this way, once the program menu appears, choose About ADC from the Help menu. This time we have arrived at the About dialog breakpoint we were looking for. Figure (22).

Figure (22)
VA 00401C60 in Figure (22) is the start of the routine. If you want to know where it is called from, right-click in the stack window and choose Follow in Disassembler. You will see as in Figure (23).

Figure (23)
As shown in Figure (23), VA 00401C60 is called from VA 00401D48. If you press F9 you will see as in Figure (21). To find out why the text "This is an unlicensed copy" appears, look at the About DialogBox (100d) again with Resource Hacker. Figure (24).

Figure (24)
Looking at Figure (24), you will see that it also has a number that is pushed onto the stack (1044d = 414h). Let us see what happens if we can get past this place. Search for PUSH 414h and set a breakpoint. Then restart the program in Olly and choose About ADC from the Help menu. Then press F9 until you reach the breakpoint at PUSH 414h. Finally you arrive at the breakpoint as in Figure (25).

Figure (25)
Explanation:

413 = DeskLook Verson x.y


414 = This is an unlicensed copy.
415 = User
416 = Registration Code
417 = This is an unlicensed copy.
3FD = Buy &Online Now!

Figure (26)
Press F8 from VA 00401DE2 in Figure (25) to VA 00401EAC in Figure (26). We change the JE at VA 00401EAC to NOP. Then save the file under any name you like. Open the saved file and choose About ADC from the Help menu. You will see as in Figure (27).

Figure (27)
The next step is to get rid of the text "unregistered" that appears on the splash screen. Change the JNZ at VA 004013E4 to JMP and save the file. Figure (28).

Figure (28)
I think you understand that the CALL at VA 004013DD in Figure (28) is the routine that checks whether it is registered or not. Good. Open the program again. You will see as in Figure (29).

Figure (29)

To sum up, to make Active Desktop Calendar register successfully we changed code in 3 places:
(1) JNZ at VA 004013E4 changed to JMP (Splash Screen)
(2) JE at VA 00401EAC changed to NOP (About Dialog)
(3) JE at VA 0045F0D3 changed to NOP (Registration Dialog)
In making these changes we took the help of the Resource Hacker program and made them easily. (Keep in mind that when cracking programs written in Delphi, it is best not to crack by using resources.)
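The three edits just listed, and the JNZ to JMP change in chapter (10), are one- and two-byte rewrites of short conditional jumps. The C below is an added example, not code from the book: it applies those two rewrites to a constructed byte sequence modelled on the TEST AL,AL / JNZ / CALL pattern the book traces (not bytes from Active Desktop Calendar), and shows the start-up integrity check a developer can add so that such a change is noticed. The FNV-1a checksum and the layout of ORIGINAL are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcodes of the 2-byte (rel8) x86 jumps the chapter rewrites. */
enum { OP_JE = 0x74, OP_JNZ = 0x75, OP_JMP = 0xEB, OP_NOP = 0x90 };

/* Constructed stand-in for the registration check the book traces:
 * a flag in AL decides whether the "unregistered" routine is called. */
const uint8_t ORIGINAL[] = {
    0x84, 0xC0,                   /* test al, al                               */
    0x75, 0x05,                   /* jnz  +5  -> skip the nag call             */
    0xE8, 0x00, 0x00, 0x00, 0x00, /* call show_unregistered (rel32 placeholder) */
    0x3C, 0x01,                   /* cmp  al, 1                                */
    0x74, 0x02,                   /* je   +2  -> registered path               */
    0x31, 0xC0,                   /* xor  eax, eax                             */
    0xC3,                         /* ret                                       */
};

/* Edit a short conditional jump the way the chapter does in OllyDbg.
 * JNZ -> JMP keeps the displacement byte; JE -> NOP must blank both bytes,
 * otherwise the old displacement would be decoded as a stray instruction.
 * Returns 0 on success, -1 when the opcode at off is not the expected one. */
int patch_short_jump(uint8_t *code, size_t len, size_t off, const char *how)
{
    if (off + 2 > len)
        return -1;
    if (strcmp(how, "jnz-to-jmp") == 0 && code[off] == OP_JNZ) {
        code[off] = OP_JMP;
        return 0;
    }
    if (strcmp(how, "je-to-nop") == 0 && code[off] == OP_JE) {
        code[off] = OP_NOP;
        code[off + 1] = OP_NOP;
        return 0;
    }
    return -1;
}

/* 32-bit FNV-1a over a code region; a developer records this for the
 * shipped image and re-computes it at start-up. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* 1 when the region no longer matches the recorded checksum, else 0. */
int code_region_tampered(const uint8_t *code, size_t len, uint32_t expected)
{
    return fnv1a32(code, len) != expected;
}

/* Apply one of the chapter's patches to a private copy and report whether
 * the integrity check notices: 1 = detected, 0 = not, -1 = patch refused. */
int demo_patch_detected(size_t off, const char *how)
{
    uint8_t copy[sizeof ORIGINAL];
    uint32_t expected = fnv1a32(ORIGINAL, sizeof ORIGINAL);
    memcpy(copy, ORIGINAL, sizeof copy);
    if (patch_short_jump(copy, sizeof copy, off, how) != 0)
        return -1;
    return code_region_tampered(copy, sizeof copy, expected);
}

int main(void)
{
    printf("JNZ->JMP at +2 detected: %d\n", demo_patch_detected(2, "jnz-to-jmp"));
    printf("JE->NOP at +11 detected: %d\n", demo_patch_detected(11, "je-to-nop"));
    printf("patch refused at +0: %d\n", demo_patch_detected(0, "jnz-to-jmp"));
    return 0;
}
```

The check is only as strong as the place its expected value is stored; keeping the reference outside the protected image, or verifying it from several independent places, is what gives it any weight.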
Chapter (13) - Packers (Protectors) - 174 -

Chapter (13) - Packers (Protectors)


In this chapter we discuss packers (protectors), the thing most often met in the cracking world. In short, packing is the process of compressing an exe file and building in a decompression stub that decompresses it so it can execute and then starts execution. Compressing refers to any method of compressing a file, and inside one exe file the compressed code is combined with the decompression code it needs. At execution time, the original exe code is unpacked again. The effect is that it works exactly like the exe file did before it was compressed. The characteristics of a compressed file are -
(1) it takes less space in the file system;
(2) it takes less time to move the data from the file system into memory;
(3) before execution starts it takes more time than an uncompressed file, because the data has to be decompressed.
A compressed exe file is like an exe file turned into an archive (the kind of archive made with software such as WinRar). The difference is that the compressed data is itself an exe file.
There are various exe compressors for DOS, Windows and other OSes, released as command-line or as GUI versions.
Packing files has benefits and drawbacks. The benefits are -
(1) when you put your file on the Internet, people can download it quickly;
(2) you can protect your software so that novice crackers cannot crack it (crackers must first unpack it in order to crack it).
The main drawback concerns anti-virus programs. Quite a few anti-virus programs see some packed files as a virus (or) trojan. (Especially McAfee anti-virus.)
A protector, to be honest, is just a simple packer. Protectors go much further than simple packers in scrutinising and splitting up the code. One important drawback of protectors is the size of the protected file. While packers make packed files smaller, protectors add a great deal of code to guard against crackers. That is why some protected files (small files) turn out to be 600% larger than the original. Ordinary packers can reduce the size of the original file by at least about 30%.
Another important point is that some programmers use protected files to hide their malicious code (viruses, worms). Only when it is protected like this can anti-virus software fail to detect it immediately. That is also why you need to know protectors inside out and keep studying how to unpack them.
Another thing to remember about protectors and packers is that the entry point (EP) is the first virtual address you see when a packed/protected program is opened in Olly, while the OEP (original entry point) is the original entry point reached once the decompression stub has finished. (It is the same as the entry point of a file that is not packed/protected.)
Protectors/packers unpack the program in memory. At that point they jump to the OEP so that the program can be given control, and to get the original program back we have to dump the program. The (3) main methods of dumping are -
(1) tracing the code (by pressing F8);
(2) using the ESP register;
(3) using the exceptions the compressor raises.
Chapter (13) - Packers (Protectors) - 175 -

In this chapter we'll take a sample program packed with a simple packer and unpack it in two ways. The first is to unpack the packed exe file and then patch it; the second is inline patching. The tool we'll use is UPX 2.03 (Ultimate Packer for eXecutables), available free at http://upx.sourceforge.net.
UPX is famous for shrinking exe files and uses no advanced protection techniques. By UPX I mean the UPX written by Marcus and Laszlo. We'll first pack with UPX and then try to unpack. (As an aside, most Myanmar software is not protected (packed) with any packer at all, and most of the software that is packed is packed with UPX.) You may well wonder why we go to the trouble of unpacking by hand when plenty of tools that unpack UPX-packed files are freely available on the internet. Don't trust any of the unpacker tools advertised on the internet. They may well unpack UPX-packed files, but they also tend to slip unrelated code into the exe that steals security-related information.
(1) Packing with UPX
The program we'll pack here is the calculator (calc.exe) that ships with Windows. You can easily find it in Windows' System32 folder. Before packing, let's use PEiD to see which programming language calc.exe was written in. Figure (1).

Figure (1)
Type cmd in Start menu > Run... and open a Command prompt. We use the command prompt because UPX is a command-line utility.

Figure (2)
As shown in Figure (2), type upx calc.exe at the command prompt and press Enter, and our program is packed with UPX. Now let's check the packed calc.exe with PEiD again. Figure (3).

Figure (3)
According to Figure (3), calc.exe is packed with UPX 0.89-2.9. It can't tell the exact version.

Figure (4)
Looking at Figure (4), only the .rsrc section keeps its original name; every other section has been renamed. Before packing, calc.exe viewed in PEiD's section viewer looks like Figure (5). After packing, in place of the .text, .data and .rsrc sections we have UPX0, UPX1 and .rsrc. Why do all the section names change while .rsrc keeps its name? It's an interesting point. Here is the real story. Back in the Windows 95 days, the LoadTypeLibEx function in oleaut32.dll had a bug: it searched for the string "rsrc" to locate the resource section. So if that section were renamed, an error would occur. The bug has since been fixed, but most packers still don't rename the rsrc section for fear of trouble with Windows.

Figure (5)
If you open the packed file in LordPE and compare it with the unpacked file, you'll see the changes inside the PE header as in Figure (6). (Press LordPE's compare button.)

Figure (6)
(2) Unpacking a UPX-packed file
This time we'll unpack the packed file. When you open the packed file in Olly, Olly asks whether the file is compressed, as in Figure (7).

Figure (7)
Answer Yes in Figure (7) and you land at the entry point, as in Figure (8).

Figure (8)
UPX has compressed our application and replaced/extended its code with a stub containing the decompression algorithm. The application's entry point has also been changed to the start of the stub, and once the stub has done its job, execution jumps to the original entry point (OEP) to start the now unpacked program (UPX unpacks itself). Note that the stub decompresses our application in memory, and to get an unpacked copy of the packed application we dump that memory region to a file. Even so, the application won't run straight away. That's because the sections in the dumped file are aligned to memory page boundaries rather than to the file alignment value. The entry point still points at the decompression stub, and the import directory is wrong, so both need fixing.
Note that in Olly our entry point is at the first instruction, PUSHAD. PUSHAD means "PUSH all Double" and tells the CPU to save the contents of all the 32-bit (DWORD) registers, from EAX through EDI, on the stack. Look carefully and you'll see that the stub runs the code between the PUSHAD instruction and the POPAD instruction before going to the OEP. POPAD copies everything from the stack back into the registers. In other words, the stub restores everything and, untraced, passes control on before the application runs.
For now, while we're sitting on the first instruction PUSHAD, we should leave everything on the stack untouched until the final POPAD instruction accesses it. If, while at PUSHAD, we put a hardware breakpoint on the first 4 bytes of the stack, Olly will stop when POPAD accesses those same 4 bytes. Then we'll see the virtual address of the jmp instruction that takes us to our entry point.
So go to the PUSHAD instruction in Figure (8) and press F7. Then we'll set the breakpoint. ESP (stack pointer) always holds the location of the top of the stack. Right-click on ESP and choose Follow in Dump.

Figure (9)
Next select the first DWORD (4 bytes) of the stack. Right-click and choose Breakpoint > Hardware, on access > Dword. Figure (10).

Figure (10)
Once it's set, press F9. You'll land right on the breakpoint. Figure (11).

Figure (11)
Looking at Figure (11), you can see the code from PUSHAD to POPAD has run. The JMP at VA 01020E5B in Figure (11) is the entry point location we're after. Set a breakpoint at VA 01020E5B so that you reach JMP xxx.xxxxxxxx and press F9. You'll arrive at the entry point as in Figure (12). Subtracting the ImageBase value 1000000h from the OEP gives the RVA value 20E5Bh. Note this value; it'll be useful later.

Figure (12)
A little UPX secret: go to the very bottom of Olly's CPU window. You'll see DB lines filled with 00s, as in Figure (13).

Figure (13)
Then scroll up to the JMP instruction as in Figure (14). If you set a breakpoint on that virtual address and press F9, you'll arrive at the JMP instruction. After that, pressing F8/F7 takes you to the EP we're looking for.

Figure (14)

INFO: Other packers that use the same simple PUSHAD/POPAD mechanism can jump to the OEP by using a PUSH instruction to place the OEP value on top of the stack, followed by a RET instruction. The CPU thinks it is returning from a function call, the return address having been left on top of the stack.
Once we've found the OEP, we dump with OllyDump, one of Olly's plug-ins. From Olly's Plugins menu choose OllyDump and click Dump debugged process. You'll see Figure (15).

Figure (15)
To show a few interesting things, leave Fix Raw Size … and Rebuild Import in Figure (15) unchecked. Then press the Dump button and save the file as packed_dumped.exe. Figure (16).

Figure (16)
If you open the file we dumped and saved in Figure (16), you'll see an error, as in Figure (17).

Figure (17)
The error is because our dumped file has lost its icon. That in turn is because the file has grown. Open the application in LordPE and look at the sections. Figure (18).

Figure (18)

The RawOffset and RawSize values are wrong. So to get the application running we'll match each section's Raw values to its Virtual values: put the VirtualAddress value in RawOffset and the VirtualSize value in RawSize. Fix all three sections this way and save the file. (Note: if you tick OllyDump's "Fix Raw size & Offset of Dump Image" checkbox, you won't need to fix these by hand.) You'll then see Figure (19).
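The same header fix, as an added Python example that is not from the book: it parses the section table of a dumped PE32 image, sets each section's RawOffset/RawSize from its VirtualAddress/VirtualSize as done by hand in LordPE above, and points the entry point at the OEP as an RVA (OEP VA minus ImageBase, the value ImpRec's OEP field takes). The header bytes, the UPX0/UPX1/.rsrc layout and the OEP 01012475 at ImageBase 01000000 are constructed for the example, not read from a real calc.exe dump.

```python
"""Added example (not from the book): the LordPE fix from the text, done on a
dumped PE32 header. Every section gets PointerToRawData := VirtualAddress and
SizeOfRawData := VirtualSize, and AddressOfEntryPoint is pointed at the OEP
as an RVA (OEP VA minus ImageBase). The header bytes are constructed here."""
import struct

SECTION_HEADER_SIZE = 40
PE32_MAGIC = 0x10B


def parse_pe(data):
    """Read the PE32 header fields the fix needs; works on bytes or bytearray."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_of_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 is handled in this example")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VirtualSize": vsize, "VirtualAddress": vaddr,
            "SizeOfRawData": rsize, "PointerToRawData": rptr,
            "_offset": off,                  # file offset of this header entry
        })
    return {"opt": opt, "entry_rva": entry_rva,
            "image_base": image_base, "sections": sections}


def looks_upx_packed(pe):
    """The section-name tell-tale from Figure (4): UPX0/UPX1 beside .rsrc."""
    return any(s["name"].startswith("UPX") for s in pe["sections"])


def oep_rva(oep_va, image_base):
    """RVA of the OEP, the value typed into ImpRec's OEP field."""
    return oep_va - image_base


def fix_dump(data, oep_va):
    """Apply the three fixes the text describes to a raw memory dump."""
    buf = bytearray(data)
    pe = parse_pe(buf)
    for s in pe["sections"]:
        # the dump is a memory image, so raw layout := virtual layout
        struct.pack_into("<I", buf, s["_offset"] + 16, s["VirtualSize"])
        struct.pack_into("<I", buf, s["_offset"] + 20, s["VirtualAddress"])
    struct.pack_into("<I", buf, pe["opt"] + 16, oep_rva(oep_va, pe["image_base"]))
    return bytes(buf)


def build_sample_dump():
    """Constructed header of a UPX-style dump: the entry point is still in the
    stub and the raw offsets are still those of the packed file on disk."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # FileHeader: i386, 3 sections, 0xE0-byte optional header, EXE flags
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 16, 0x20E50)            # EP inside UPX1
    struct.pack_into("<I", hdr, opt + 28, 0x01000000)         # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)     # section/file align
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x1F000, 0x01000, 0x0000, 0x0400),
        (b"UPX1", 0x04000, 0x20000, 0x3C00, 0x0400),
        (b".rsrc", 0x01000, 0x24000, 0x0800, 0x4000),
    ]
    for i, fields in enumerate(sections):
        struct.pack_into("<8sIIII", hdr, opt + 0xE0 + i * SECTION_HEADER_SIZE, *fields)
    return bytes(hdr)
```

Run `fix_dump(build_sample_dump(), 0x01012475)` and parse the result to see the realigned section table and entry RVA 0x12475, the same value that goes into ImpRec below.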

Figure (19)
Sadly, though, when you open packed_dumped.exe the file doesn't run and you see Figure (20).

Figure (20)
Don't worry. It's because the imports need to be reconstructed (rebuilt). As explained in the "PE header" chapter, you can do the imports by hand following a procedure. But doing it by hand takes a long time, since there are a great many imported functions and it depends on how the import data was corrupted. To handle this automatically we'll use MackT's ImpRec 1.6.
To use ImpRec 1.6, the packed file must be attached as a process so that it can find the imports. Proceed as follows.
1. Select the packed program as in Figure (21) (make sure packed.exe is open in Olly).
2. In the OEP field type the virtual address 12475.

Figure (21)

3. Then choose IAT AutoSearch. You'll see Figure (22). Press OK.

Figure (22)
4. Press the Get Imports button in Figure (21). You'll see Figure (23).

Figure (23)
5. Press the Show Invalid button and check whether the imports are valid. All of them are.
6. Press the Fix Dump button and open the packed_dumped.exe we saved last. You'll see Figure (24). If there's a problem, you'll get an error saying the section can't be added.

Figure (24)
7. Close the program and open the last saved packed_dumped_.exe. You'll see it runs fine.
ImpRec has fixed our dumped exe and saved it. If you open this file in PEiD, you'll see that the unpacked file (packed_dumped_.exe) is larger than the original pre-packing file (calc.exe) and has two extra sections called "makct" and "newIID". The "makct" section is where ImpRec stores the new import data.

Figure (25)
Re-checking packed_dumped_.exe with PEiD gives Figure (26).

Figure (26)
What I've shown so far is unpacking something packed with a simple packer. Advanced packers add all sorts of protection to the file while packing: for example, anti-debugging and anti-tampering tricks, encryption of the code and of the IAT, stolen bytes, API redirection and so on.
(3) Patching with the inline-patch method
If you really must patch a packed file, you can use the inline-patch method and patch the file without unpacking it. That means: once the loader has run the decompression stub, edit the code in memory, and finally continue to the OEP so that the application can run. Put another way, before the application is unpacked in memory, control jumps to the edited (patched) code, and at the end it jumps back to the OEP.
To make this clear, we'll insert code for a MessageBox into the packed exe. Then we'll arrange it so that we know when the application has been unpacked in memory; pressing OK on the MessageBox reaches the OEP and the application runs normally.
The first thing to do is open a hex editor to find free space in the packed file for the code we're going to insert. The free space at the end of a section is the best place to insert code, and if we needed more space we could extend a section as in the chapter "Adding code to a PE file". In UPX-packed files, free space is quite hard to find. That's why UPX-packed files are so small. Figure (27).

Figure (27)
Edit in WinHex as in Figure (27) and save the file as codeinject.exe. Then open codeinject.exe in Olly. To find the Unpacked… string we typed, right-click in Olly's Hex window and choose Search for > Binary string.

Figure (28)

Then search for the Unpacked… string as in Figure (29).

Figure (29)
You'll then find the strings we're looking for, as in Figure (30).

Figure (30)
The virtual address of the Unpacked… string is 010233C0, and that of the Myanmar Crackers … string is 010233D0. Remember these virtual addresses. Then, in Olly, go straight to VA 010233C0. Figure (31).

Figure (31)
The highlighted code in Figure (31) is the strings we typed in. Starting from VA 010233E0 we type in the rest of the MessageBox code.
Figure (32) shows what it looks like once the MessageBox code has been typed in.

Figure (32)
Then click Olly's Analyze This! plugin to analyze the code. You'll see it change as in Figure (33).

Figure (33)
If, after analyzing Figure (32) with Analyze This!, you don't see the highlighted part as in Figure (33), the program you've patched will throw an error.

Figure (34)
Good; now let's save the code we edited to a file. Highlight the edited code as in Figure (34). Then right-click and choose Copy to executable file. You'll see Figure (35).

Figure (35)
In Figure (35), right-click and choose Save file. Save the file under whatever name you like. Then close Olly and open the file we saved. Nothing is different from before. That's because we haven't pointed execution at the MessageBox yet. Open the last saved file in Olly again and go straight to VA 01020E5B. Figure (36).

Figure (36)
At JMP 01012475 in Figure (36) we type in 010233E0, the virtual address of our MessageBox. Figure (37).

Figure (37)

Then save the file under any name. Close Olly and run the file. You'll see Figure (37). Press OK and you're taken to the calculator program.

Figure (38)
What I've just shown is editing code inside a packed file without unpacking it (inline-patching). You may be wondering why adding this little MessageBox has to be so hard. Quite right. In files that aren't packed this is very easy: just change the entry point address to where the MessageBox is. And there's plenty of free space in them; never mind a MessageBox, there's enough room to write code that checks passwords from a textbox. Try changing the file's entry point from VA 01020CD0 to VA 010233E0 so that it goes straight to the MessageBox we inserted by inline patching. The MessageBox of Figure (38) may appear, but the calculator program won't run. Why? Because UPX's decompression stub has been skipped.
That's all for the UPX lesson. I think you now understand a bit of the theory of unpacking. I'd like to stop here as far as unpacking goes, but to help you understand advanced packers better I'll add a discussion of ActiveMARK.
(4) Unpacking a file packed with ActiveMark 5.0
Trymedia is part of RealNetworks, and ActiveMark is Trymedia's pack/protect technology. Trygames is part of Trymedia and handles the downloading, trials and sales of Trymedia's games.
Most games sold by PopCap Games (www.popcap.com) and by Infogrames (www.infogrames.com) are protected with ActiveMARK. Games protected with ActiveMARK have no registration, because they are demo games that can be played as the full version for a fixed period. Once that period is over they can't be played any more. The allowed time is usually 60 minutes. For this lesson I first thought of unpacking Monopoly 3, because I couldn't find a crack for Monopoly 3 on the internet and the cracks people share don't work. But its file size is 258 Mbytes, so you might have trouble downloading it. So I chose instead to unpack Zuma Deluxe, sold by PopCap Games. Download Zuma from www.popcap.com and install it.
Then check zuma.exe with PEiD. Figure (39).

Figure (39)

According to Figure (39), zuma.exe is definitely protected with ActiveMARK 5.x.
Open Zuma to get a proper feel for how the program behaves. Figure (40).

Figure (40)
Good; let's try unpacking Zuma.
(4) Dumping a file packed with ActiveMark 5.0
First start zuma.exe. Open Olly. From the Open menu choose Attach.

Figure (41)
Then attach zuma.exe as shown in Figure (42).

Figure (42)
When you attach and it opens, it stops at VA 7C901231, as shown in Figure (43). It actually stops because of the DbgBreakPoint API function in ntdll.dll. The Win32 Programmer's reference has nothing to say about the DbgBreakPoint function.

Figure (43)
Press Alt+M in Olly and look at the memory map. Figure (44).

Figure (44)
The highlighted entry in Figure (44) is the second layer entry point. Right-click there and choose View in disassembler, or press Enter. You'll see Figure (45).

Figure (45)
At the highlighted location in Figure (45) (VA 005AE000), right-click and choose Search for > All intermodular calls. You'll see Figure (46).

Figure (46)
When Figure (46) appears, type getversion. We want to find the GetVersion function. When you find the GetVersion API, right-click and choose Follow in disassembler. You'll see Figure (47).

Figure (47)

At PUSH EBP in Figure (47), right-click and choose Breakpoint > Hardware, on execution. Then, from Olly, close zuma.exe for the moment.
From Olly's Option menu choose Debugging options. You'll see Figure (48).

Figure (48)
As shown in Figure (48), tick Break on new module (DLL). Then press OK.
This time we won't attach zuma.exe; we'll open it directly from Olly. Figure (49).

Figure (49)
Figure (49) is zuma.exe's entry point. From here, keep pressing F9 until you reach the hardware breakpoint we set. You'll see which ones are being loaded, as in Figure (50).

Figure (50)
Pressing F9 over and over, we finally reach our breakpoint, as in Figure (51). One thing to say up front: don't analyze the code. If you do, PUSH EBP at VA 00696E58 will just show up as DB 00.

Figure (51)
VA 00696E58 in Figure (51) is the OEP we've been looking for. Now let's try dumping the process we're debugging. Choose Ol‌ly's OllyDump plug-in. Figure (52).

Figure (52)
Choose the dump button in Figure (52) and save the file as dumped.exe. Just as when we dumped under UPX, dumped.exe won't run if you open it. So open ImpREC and fix the imports. The reason for using ImpREC (Import Reconstruction) is to find/fix/add the missing functions in the dumped file. Without these repairs your dump won't be a valid PE file.

Figure (53)
The steps to carry out per Figure (53) are ...
1. Attach zuma.exe, which is open in Olly, as the active process.
2. From the OEP value found in Olly (VA 00696E58) subtract the imagebase shown in ImpREC (VA 00400000) and type the result (296E58) in the OEP field.

3. Once the OEP value is entered, choose IAT AutoSearch. You'll see Figure (54).

Figure (54)
4. Click OK on Figure (54) and press the Get Imports button.
5. Press the Show Invalid button to check whether the import functions are valid. Here all are valid.
6. So, to let ImpREC compare our dumped.exe against zuma.exe and match up the imports, press the Fix Dump button. You'll see the file saved as dumped_.exe without any error, as in Figure (55).

Figure (55)
Now that repairing our dump file is done, close ImpREC and open dumped_.exe. It shows no error, but dumped_.exe doesn't run either. With UPX, unpacking was finished at this stage; with ActiveMARK it's only just beginning. So open WinHex and let's edit the code.
In WinHex, open the dumped and repaired dumped_.exe alongside the original packed zuma.exe. What should we look for in the original file's bytes to find the first byte of the appended overlay data? Searching for the ASCII string TMSAMVOH is the easiest way. Before searching, to make this clearer, open zuma.exe in LordPE and look at the sections. Figure (56).

Figure (56)
Look at the highlighted numbers in Figure (56). They are the numbers for the last section of our executable, known as the Raw offset and Raw size. The Windows loader copies the exe file into memory only up to 0012BC00h, which is RawOffset (0012BA00) plus RawSize (00000200). We have to copy the whole appended data block starting at this address in zuma.exe and paste it at the end of dumped_.exe. Only then will dumped_.exe run normally.
From WinHex's Position menu choose Go To Offset and type the offset we want, 0012BC00. Figure (57).

Figure (57)
Type 0012BC00, press OK, and you'll see Figure (58).

Figure (58)
Right-click the first byte shown in Figure (58) and choose Beginning of block. Figure (59).

Figure (59)
Then scroll to the very end of the file. Next, as shown in Figure (60), right-click the last byte and choose End of block.

Figure (60)
Now all the hex values are selected, as in Figure (61).

Figure (61)

Let's copy the selected hex values. Right-click and choose Edit. Then, as shown in Figure (62), choose Copy Block > Hex Values.

Figure (62)
Now we paste the copied hex values. Select WinHex's dumped_.exe tab and go to the end of the file. Right-click on the last byte and choose Edit. Then, as shown in Figure (63), choose Clipboard Data > Paste.

Figure (63)
You'll be asked whether to paste, as in Figure (64).

Figure (64)
When you choose the Yes button, the hex values from zuma.exe go into dumped_.exe. Save dumped_.exe and quit WinHex.
Now open dumped_.exe and you'll see Figure (40). (For reasons of space I won't show the figure again.) With that, our dumping process has completed successfully. ☻☻
But the time limit hasn't been removed yet. So we'll still have to try patching.
(5) Patching the dumped file
To patch the dumped file, open dumped_.exe in Olly. Figure (65).

Figure (65)
When Figure (65) appears, right-click and choose Search for > All referenced text strings. Then, as shown in Figure (66), search for the string browser.

Figure (66)
Click OK on Figure (66) and you'll see Figure (67).

Figure (67)
Right-click the highlighted place in Figure (67) and choose Follow in disassembler; you'll see Figure (68). This is the start and end of the routine containing the browser string.

Figure (68)
Right-click VA 005F41A8 in Figure (68), choose Copy > To clipboard and paste it into a notepad file. Change 005F41A8 MOV EAX,dumped_.006A691C to 005F41A8 browser retn4. Then, from Figure (66), search for the strings dialog, timer and timeout and, as with the browse string, note the virtual address at the start of each routine. (Note: the red marks in Figure (68) are not for setting breakpoints; they're just to make things visible.)
The LoadStatePool string is the odd one out. Searching for the string is nothing special; what is special is setting a breakpoint where the string is and restarting the program. When dumped_.exe is re-opened in Olly and reaches the breakpoint we set, you see Figure (69).

Figure (69)
This time go to the stack window as in Figure (70), right-click the highlighted place and choose Follow in disassembler. You'll see Figure (71).

Figure (70)
Note the virtual address of the highlighted place in Figure (71).

Figure (71)

Now we have all the virtual addresses connected with browser, dialog, timer, timeout and LoadStatePool. What to change at these virtual addresses is shown in Figure (72).

Figure (72)
At the virtual addresses in Figure (72), substitute retn 4, retn 0c and retn respectively. Then save the patched file under any name you like. Now you can play our Zuma Deluxe 1.0 to your heart's content.
(6) Unpacking a file packed with an unknown packer
This time we'll unpack a file packed with Fish Packer 1.04. Let's check with PEiD what our file is packed with. Figure (73).

Figure (73)
As you can see in Figure (73), PEiD can't give an answer. Checking with CFF Explorer gives the same result. I only know the file is packed with Fish Packer because I packed it with Fish Packer 1.04 myself. Right, let's unpack this file. Open the NFO Viewer.exe file to be unpacked in Olly. (Protection ID would report that it is packed with Fish Packer 1.04, and Protection ID's results are rarely wrong. Protection ID does have the weakness that it can only check protected/packed files.)

Figure (74)
Olly tells us, as you can see in Figure (74), that this isn't a PE file.

Figure (75)

Press the OK button in Figure (74) and you'll see Figure (75). Normally, opening in Olly should land you at the entry point, but instead you'll find yourself inside ntdll.dll. Don't be discouraged; we have a way round it. Press Alt+M to bring up the Memory Map. Figure (76).

Figure (76)
Double-click the highlighted PE header entry in Figure (76) and go to where the PE signature is. Figure (77).

Figure (77)
What interests us in Figure (77) is the entry point address (40D6C8). With this address in hand, press Ctrl+G in Olly's Disassembler window and go to the entry point (40D6C8). Figure (78).

Figure (78)
Set a breakpoint at VA 0040D6C8 in Figure (78) and press F9 (Run). You'll land right on the breakpoint. Then remove the breakpoint and press F8 (Step over) to move to the next line. Figure (79).

Figure (79)
When you reach VA 0040D6C9 shown in Figure (79), it's time to look at the register window, because when unpacking you have to watch the ESP register. Figure (80).

Figure (80)
Right-click the ESP register in Figure (80) and choose Follow in Dump, and you'll see Figure (81).

Figure (81)

On the DWORD value shown in the Dump window in Figure (81), right-click and choose Breakpoint > Hardware, on access -> Dword. Then press F9 (Run) and you'll come to the hardware breakpoint. Figure (82).

Figure (82)
The JMP in Figure (82) points to the entry point. In fact PUSH + RETN is the same as a JMP. ☺☺☺☺ So it turns into JMP 00401000 there, and that address points to the OEP. Press F8 (Step over) until you see the OEP as in Figure (83).

Figure (83)
When Figure (83) appears, right-click and choose Dump debugged process. Figure (84).

Figure (84)
When Figure (84) appears, press the Dump button to dump. Then save the file under any name you like. (Note: if the dumped file doesn't run properly, you'll need to fix the IAT with ImpRec.) Checking the dumped file with PEiD gives Figure (85).

Figure (85)
Chapter (14) - IAT and API Redirection - 198 -

Chapter (14) - IAT and API Redirection

In this chapter we'll discuss the IAT (Import Address Table), which you'll inevitably run into when unpacking packed files. In the previous chapter we didn't discuss the IAT; we just repaired IATs with ImpRec 1.7. Since we'll keep running into IATs later on, I decided to include a discussion of them.
Info: Microsoft Windows versions differ from one another, and their API functions have different addresses, because the DLL files are built differently. When an application starts, it has a list of all its functions. Originally this was not part of the application. These functions are called imports, and they live in the operating system's DLL files. But the application doesn't know where they are. Every Win32 exe application has an IAT, and the IAT lives inside the program itself. When an application calls a Windows API function, it uses the IAT as a lookup table. So before the program runs, the Windows loader has to find the address of each API in order to build the IAT the program will call through. While the program runs, whenever it wants to call an API it looks in the IAT and immediately finds the address it needs to go into the DLL. When an exe file is packed/protected, crackers have to unpack it, and the unpacked file has to be made like the original, because most packers/protectors destroy the IAT. That's why, if you want the exe to run properly, the IAT has to be rebuilt and repaired. Reconstructing the imports is reconstructing the IAT. To rebuild the IAT, we now need to know the IAT in detail.
Info: : exe zdkifwpfckudk yxrqHk; ul;wifvdkufwJhtcsdefrSm Windows loader [m zdkifxJrSm&SdwJh PE structure
udkzwfzdkUeJU executable image udk rSwfOmPfay:ul;wifzdkU wm0ef&Sdygw,f/ Application utoHk;jyKwJh DLL
awGtm;vHk;udk ul;wifwmjzpfjyD; olwdkUudk process &JUae&mvGwfawGtjzpf ae&mcsxm;wmjzpfygw,f/ exe
zdkif[m DLL toD;oD;uvdktyfwJh function awGtm;vHk;udk pm&if;jyKpkygw,f/ Function address awG[m
yHkaor[kwfwmaMumifh run aecsdefrSm compile vkyfxm;wJhuk'fawGtm;vHk;udk ajymif;vJzdkUrvkdtyfbJ 'D variable
awGudkajymif;vJay;EdkifwJh mechanism wpfckvdktyfygw,f/ 'gudk IAT toHk;jyKjyD; ajz&Sif;Edkifygw,f/ IAT
qdkwmuawmh DLL zdkifawGudk ul;wifxm;csdefrSm Windows loader u jznfhpGufwJh function pointer
awG&JUZ,m;wpfckjzpfygw,f/ Application wpfckudk yxrqHk; compile vkyfpOfu IAT udkyHkpHjyKoGif;cJhwm
jzpfwJhtwGuf b,f API CALL awGurS cufcJpGma&;om;xm;wJh wdkuf&dkuf address awGudk toHk;rjyKMuay
r,fhvJ function pointer uwqifh tvkyfvkyfMuygw,f/ 'D pointer table udk enf;vrf;rsdK;pHkeJU &,lEdkif
ygw,f/ erlemtm;jzifhawmh CALL [pointer address] uaewdkuf&dkufaomfvnf;aumif;? JMP thunk table
rSaomfvnf;aumif;jzpfygw,f/ Pointer table udktoHk;jyKjcif;tm;jzifh loader [m API call udktoHk;jyKzdkU
vdktyfwJh uk'fxJrSm&SdwJh ae&mawGtm;vHk;udkjyifzdkU rvdkawmhygbl;/ vkyfzdkUvdkwmuawmh pointer udk table xJu
ae&mwpfckrSm aygif;ay;zdkUyg/
Info: : Pack vkyfxm;wJh exe zdkifawGrSmqdk&if olwdkUawG[m zdkifudkao;i,fapzdkU IAT awGudktjrJwrf; &IyfaxG;
apatmif vkyfxm;ygw,f/ 'g[m cracker awGudk unpack vkyfzdkUydkrdkcufcJapygw,f/ Pack vkyfxm;wJh
y&dk*&rfawGudk pHtjzpfowfrSwfxm;wJh compiler awGeJUxkwfMuwmjzpfjyD; 'Djyifxm;wJh mechanism udktvkyf
vkyfapzdkU yHkpHjyKxm;ygw,f/ wu,fvdkU packer wpfck[m import table mechanism udkzsufqD;ypfcJh&ifvJ
(qdkvdkwmu packer/protector [m ul;wifr,fh DLL eJU function awG&,feJU pointer awGudk b,fae&mrSm
xm;rvJqdkwmudk wGufcsuf&rSmjzpfygw,f/) rlvy&dk*&rftaeeJUuawmh decompression stub udkvkyfaqmifjyD;?
routine awGudk restore vkyfjyD;csdefrSm yHkrSeftvkyfvkyaf eOD;rSmjzpfygw,f/ tzsufcHxm;&wJh import table
wpfckudk b,fvdk restore vkyf&rvJqdkwmudk em;vnfEdkifzdkU uRefawmfwdkUtaeeJU import table udkb,fvdkae&m
csxm;ovJ? Windows loader u 'gudk parse vkyfzdkUbmawGjyKvkyfovJqdkwmudk t&ifodxm;zdkUvdkygw,f/
'Dae&mrSm IAT eJUywfoufjyD; erlemjyr,fhy&dk*&rfav;uawmh Lena151 &JU oifcef;pm(3)u Reverse
Me.exe y&dk*&rfyJjzpfygw,f/ www.tuts4you.com rSm download vkyf,lvdkufyg/

Figure (1)
Figure (1) shows ReverseMe.exe opened in Olly. VA 00401002 is the CALL to the API; this CALL calls the GetModuleHandleA function in kernel32.dll.

Figure (2)
Looking at figure (2) you will see similar CALLs. VA 0040104D is the CALL that calls the ExitProcess function in kernel32.dll.

Figure (3)
Double-click the ExitProcess line and you will see figure (3). It looks just like the other CALLs, yet Olly knows it calls an API. To see this more clearly, select VA 0040104D and press the Enter key (Follow Call). You will see figure (4).

Figure (4)
Now, as in figure (4), we have arrived at the jump (thunk) table. This is how Olly knows that the CALL at VA 0040104D is a CALL that precedes the actual API CALL. Wherever the application wants to call the ExitProcess API it calls this one thunk (the JMP at 0040120E), so the Windows loader only has to find the correct address once and write it into one place. To see which instruction VA 0040120E executes, press Enter on it. You will see figure (5).

Figure (5)
What happens here is a jump through a DWORD value stored in the data section, a DWORD the loader fills in. To find out what that value is, let us follow the DWORD. In the Dump window press Ctrl+G, type 402004 into the box and click OK; you will see figure (6).

Figure (6)
Figure (6) is where the IAT is, holding the addresses of the APIs in their respective DLLs. Our example is the ExitProcess API.

Figure (7)
So looking at VA 00402004 you see figure (7). The highlighted area is where our API is: 7C81CAA2 is the API's address (remember it is stored little-endian). After it comes a DWORD of zeros. The DWORDs after these zeros refer to the APIs of the next DLL, which is user32.dll. Notice that the DWORD values all begin with 7xxxxxxx. To make this clearer, let us look at them in the IAT. Look at figure (4) again: you will see two APIs imported from kernel32.dll. Keep in mind that the IAT and the imports table are not the same thing.
Info: The imports table holds all the information Windows needs to link the APIs for your program, and it has a very simple structure. There is one header for each imported DLL, plus one extra, completely empty header to mark the end. Each header contains all the information for its DLL. For ReverseMe.exe, which imports APIs from user32.dll and kernel32.dll, you will find 3 headers: one for kernel32.dll, one for user32.dll, and the extra one that marks the end of the imports table. The Windows loader reads the information from each header and uses it to fill in the IAT (by "the IAT" we mean the per-DLL IATs taken together). The header for each DLL is called an IMAGE_IMPORT_DESCRIPTOR. The word IMAGE refers to the in-memory form, and all offsets in it are RVAs. It has the following structure:
IMAGE_IMPORT_DESCRIPTOR:
OriginalFirstThunk
TimeDateStamp
ForwarderChain
Name
FirstThunk
Info: When the Windows loader reads an IMAGE_IMPORT_DESCRIPTOR it first checks the DLL, then loads it and begins building the IAT. Building the IAT is slightly involved. The loader takes its list of names from OriginalFirstThunk (the Import Name Table); only when that field is zero, as old Borland linkers left it, does it read the names from FirstThunk itself. For each name it looks up the address and writes it over the corresponding FirstThunk entry. If for some reason an API cannot be found, the process fails to load. So in memory every pointer in the FirstThunk array must hold the address of the API in the loaded DLL instead of the RVA of the API's name. Remember: once the exe has been mapped into memory, IAT construction is finished.
Info: So the loader walks the name array, finds each API's address and writes it into the FirstThunk array. OriginalFirstThunk is left untouched and keeps the original list of names, which is what makes it a useful backup when the IAT has to be rebuilt; FirstThunk is the array that, on disk, holds pointers to the names of the APIs we need to import. Once the process has loaded correctly, every pointer belonging to FirstThunk has been overwritten with the address of an API, and these addresses are what we call the IAT. Every CALL in the program is redirected through the IAT. What an IAT cell may contain is:
(1) the real address of the API (this is what the loader writes);
(2) the address of a stub that jumps to the API;
(3) the address of a stub of the form PUSH (API address) ; RET.
The second and third forms are what packers/protectors put there.
Info: For the import table to be fully valid:
(1) The RVA and size of the import table must be recorded in the imports entry of the data directory; otherwise Windows cannot find it and no IAT gets filled in.
(2) Each DLL must be declared with an IMAGE_IMPORT_DESCRIPTOR, and the import table must end with a descriptor that is entirely zero.
(3) In each IMAGE_IMPORT_DESCRIPTOR, OriginalFirstThunk, FirstThunk and Name must be correct. TimeDateStamp and ForwarderChain may be left at zero, and OriginalFirstThunk may also be left at zero.
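The layout just described, as an added worked example in Python that is not part of the original tutorial or of any of the tools it uses: it constructs a flat PE32 image whose RVAs copy the ReverseMe.exe numbers quoted above (import directory at 2050, user32 IAT at 200C, kernel32 IAT at 2000, the user32.dll name at 21D8; the function names, hints, the ordinal import and the addresses in EXPORTS are made up), walks the IMAGE_IMPORT_DESCRIPTOR array the way the loader does, and then imitates the loader by overwriting the FirstThunk cells with resolved addresses while leaving OriginalFirstThunk untouched. It also performs the checks from the Info above: an empty Import Directory entry is rejected, the descriptor array must end in an all-zero entry, and names are taken from OriginalFirstThunk when it is set and from FirstThunk otherwise.

```python
import struct

IMAGE_BASE = 0x400000
IMPORT_DIR_OFFSET = 0x80   # Import Directory entry, relative to "PE\0\0" (PE32 layout)
DESCRIPTOR_SIZE = 20       # an IMAGE_IMPORT_DESCRIPTOR is five DWORDs

# Constructed stand-in for the real DLLs: (dll, name) -> address the loader would resolve.
EXPORTS = {('kernel32.dll', 'GetModuleHandleA'): 0x7C80B741,
           ('kernel32.dll', 'ExitProcess'): 0x7C81CAA2,
           ('user32.dll', 'BeginPaint'): 0x77D3E1AE,
           ('user32.dll', 'EndPaint'): 0x77D3E1C5,
           ('user32.dll', 'ordinal#26'): 0x77D40000}

def _put_name(img, rva, name, hint=0):
    """Write an IMAGE_IMPORT_BY_NAME (WORD hint + NUL-terminated name) at rva."""
    struct.pack_into('<H', img, rva, hint)
    img[rva + 2:rva + 3 + len(name)] = name.encode() + b'\0'

def build_sample_image():
    """Construct a flat PE32 image in which RVA == offset, the view Olly shows once loaded.
    The RVAs copy the ReverseMe.exe numbers in the text; the contents are made up here."""
    img = bytearray(0x2200)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0xC0)                  # e_lfanew: PE header at 0xC0
    pe = 0xC0
    img[pe:pe + 4] = b'PE\0\0'
    struct.pack_into('<HH', img, pe + 4, 0x14C, 1)            # Machine i386, one section
    struct.pack_into('<H', img, pe + 20, 0xE0)                # SizeOfOptionalHeader (PE32)
    struct.pack_into('<H', img, pe + 24, 0x10B)               # optional header magic: PE32
    struct.pack_into('<I', img, pe + 24 + 28, IMAGE_BASE)     # ImageBase
    struct.pack_into('<II', img, pe + IMPORT_DIR_OFFSET, 0x2050, 3 * DESCRIPTOR_SIZE)
    _put_name(img, 0x2100, 'GetModuleHandleA')
    _put_name(img, 0x2120, 'ExitProcess')
    img[0x2130:0x213D] = b'kernel32.dll\0'
    _put_name(img, 0x2140, 'BeginPaint', 2)
    _put_name(img, 0x2150, 'EndPaint', 3)
    img[0x21D8:0x21E3] = b'user32.dll\0'
    # Descriptors at 2050: user32 first (as in figure 13), kernel32 second, all-zero third.
    struct.pack_into('<5I', img, 0x2050, 0x2098, 0, 0, 0x21D8, 0x200C)
    struct.pack_into('<5I', img, 0x2064, 0x20A8, 0, 0, 0x2130, 0x2000)
    # On disk the INT (OriginalFirstThunk) and the IAT (FirstThunk) hold the same name
    # pointers; the third user32 entry imports by ordinal (high bit set).
    user32, kernel32 = (0x2140, 0x2150, 0x80000000 | 26, 0), (0x2100, 0x2120, 0)
    struct.pack_into('<4I', img, 0x2098, *user32)
    struct.pack_into('<4I', img, 0x200C, *user32)
    struct.pack_into('<3I', img, 0x20A8, *kernel32)
    struct.pack_into('<3I', img, 0x2000, *kernel32)
    return bytes(img)

def _cstring(img, rva):
    return img[rva:img.index(b'\0', rva)].decode('ascii')

def parse_imports(img):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array of a loaded PE32 image into
    {dll: [(iat_slot_rva, hint, name), ...]}; ordinal imports get hint None."""
    pe = struct.unpack_from('<I', img, 0x3C)[0]
    if img[:2] != b'MZ' or img[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    if struct.unpack_from('<H', img, pe + 24)[0] != 0x10B:
        raise ValueError('only PE32 handled; PE32+ keeps the entry at +0x90')
    imp_rva, imp_size = struct.unpack_from('<II', img, pe + IMPORT_DIR_OFFSET)
    if imp_rva == 0 or imp_size == 0:
        raise ValueError('Import Directory entry is empty: the loader fills no IAT')
    imports, desc = {}, imp_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from('<5I', img, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                   # all-zero descriptor ends the table
        # Names come from OriginalFirstThunk when it is set; old Borland linkers left it
        # zero, in which case the loader reads the names from FirstThunk itself.
        lookup, entries, i = (oft or ft), [], 0
        while True:
            thunk = struct.unpack_from('<I', img, lookup + 4 * i)[0]
            if thunk == 0:
                break                               # zero DWORD ends this DLL's array
            slot = ft + 4 * i                       # the IAT cell the loader overwrites
            if thunk & 0x80000000:
                entries.append((slot, None, 'ordinal#%d' % (thunk & 0xFFFF)))
            else:
                hint = struct.unpack_from('<H', img, thunk)[0]
                entries.append((slot, hint, _cstring(img, thunk + 2)))
            i += 1
        imports[_cstring(img, name_rva)] = entries
        desc += DESCRIPTOR_SIZE
    return imports

def fill_iat(img, exports=EXPORTS):
    """Imitate the loader: overwrite each FirstThunk cell with the resolved address."""
    out = bytearray(img)
    for dll, entries in parse_imports(img).items():
        for slot, _hint, name in entries:
            addr = exports.get((dll.lower(), name))
            if addr is None:
                raise LookupError('%s!%s not found: the process would not start' % (dll, name))
            struct.pack_into('<I', out, slot, addr)
    return bytes(out)
```

After fill_iat the cell at 402004 holds A2 CA 81 7C, the little-endian form of 7C81CAA2 shown in figure (7), while the name array at 2098 is unchanged; that untouched copy is exactly what an import rebuilder falls back on when a packer has wiped the IAT.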
Having poured out theory without a break, I suspect you are confused by now. So to make it clearer, let us go through it alongside ReverseMe.exe. Open ReverseMe.exe in Olly.
The first thing the Windows loader reads is the program's header. To build the IAT it reads at RVA 3C (400000 + 3C = 40003C), the e_lfanew field that gives the offset of the PE header. Figure (8).

Figure (8)
Figure (8) shows that the PE header is at VA 004000C0. Go to VA 004000C0 and you will see figure (9).

Figure (9)
The RVA of the import table is stored at VA 400140, obtained by adding 80h to the address of the PE header. (It is at this offset in every PE32 exe; in a 64-bit PE32+ file the optional header is 16 bytes larger and the entry sits at 90h.) Figure (10).

Figure (10)
Figure (10) tells us that the import table is at RVA 2050.
Info: The Import Table Address is the address at which the import table is found. Do not confuse it with the IAT; the two are completely different.
Note: Finding the Import Table Address in Olly is no trouble at all; Olly gives complete information about the header, and in practice all you have to do is find that address. I go through the details anyway because I think it is best to know the basics and understand what you are doing.
Right, let us look at where the Import Table Address points. Figure (11).

Figure (11)
We find the Import Table Address right after the IATs we located earlier. Go to VA 00402050 in the Disassembler window. Figure (12).

Figure (12)
What figure (12) shows tells us nothing special yet. Choose Analyze This! and let Olly analyse it. Figure (13).

Figure (13)
Figure (13) shows the region holding the IMAGE_IMPORT_DESCRIPTOR array. The first and second are the IMAGE_IMPORT_DESCRIPTORs for the two DLLs; the third is the terminating IMAGE_IMPORT_DESCRIPTOR. Every IMAGE_IMPORT_DESCRIPTOR holds 5 DWORD values.
The first DWORD in figure (13) (00002098) is OriginalFirstThunk. It tells the loader where to find the names of the APIs to be imported from this DLL. If we go to IMAGE_BASE + 2098 we will find the names of the APIs to import. (We will look at it later.)
The second DWORD (00000000) is TimeDateStamp, of no use to us at all; it is usually all zeros.
The third DWORD (00000000) is ForwarderChain, likewise of no use to us; it is usually all zeros.
The fourth DWORD (000021D8) is the RVA of the name of the DLL this IMAGE_IMPORT_DESCRIPTOR belongs to. In our sample program you will find user32.dll at 4021D8. (We will see it shortly.)
The last DWORD (0000200C) is FirstThunk. It points to the IAT, where the addresses of all the imported functions can be found. (Not on disk, but once the exe has been loaded into memory, yes.)
In our sample program you can easily find all the addresses in the IAT for the APIs imported from user32.dll. Look at figure (14); they start at 40200C.
Figure (14)
Figure (14) shows that 16 API functions are imported. How can we say that? Because we see 16 addresses beginning with 7xxxxxxx. The same applies to the second DLL (kernel32.dll).

Figure (15)
The addresses in the IAT start at 402000, as figure (16) shows.

Figure (16)
You will notice that all 5 DWORDs of the last descriptor are zero. Figure (17).

Figure (17)
In the Dump window you will see figure (18).

Figure (18)
The second part of the import table consists of arrays of DWORDs. Figure (19).

Figure (19)
The DWORD arrays are pointed to by the OriginalFirstThunk fields of the IMAGE_IMPORT_DESCRIPTORs. Each DWORD in these arrays corresponds to one imported function. The arrays are separated from one another, and terminated, by a DWORD filled with zeros.
Figure (20) shows the third (last) part of the import table.

Figure (20)
The strings seen in figure (20) (BeginPaint, ...) are the imported functions and DLLs. They are not in any fixed order: a DLL name may come after its functions or before them.
I said earlier that user32.dll would be found at 4021D8. Figure (21).

Figure (21)
In the code you can also find the neatly built IAT. Figure (22).

Figure (22)
In figure (22) you can see that the two APIs imported from kernel32.dll and the APIs imported from user32.dll are separated by one DWORD, and that the end is marked by a DWORD of zeros.

Figure (23)
Look at figure (23). After the names of all the imported functions come the DLL names, which close the table.
I think this is enough knowledge to rebuild imports by hand. The good news, in any case, is that there are good tools that rebuild imports automatically. If a piece of software imports a great many APIs from many DLLs, rebuilding the imports by hand takes a lot of time and is tiresome; with the tools we can recover almost all of the APIs. With what we now know, let us look at how to repair some unpacked files.
Right, let us unpack a file packed with FSG 2.0. (If you want to unpack this very file, download Lena151's tutorial (21). Otherwise pack any file you like with FSG; the principle is the same.)

Figure (24)
Opening UnpackMe_FSG2.0.exe in Olly shows figure (24). Looking at figure (24), the entry point is a little out of the ordinary. In the small programs we have looked at so far the entry point lay in the code section, typically at 401000; this program starts at 400154, so the address is certainly inside the PE header.
FSG is unpacked by tracing. If you scroll down a little you will find the end of the unpacking stub. If you trace through it you will notice it going round and round like a spinning wheel, and before long the code jumps to the main program. Looking carefully, one jump leads out of the stub. Let us look.

Figure (25)
Set a breakpoint at VA 004001D1 as in figure (25), then press F9 (Run). You will arrive at the breakpoint. Figure (26).

Figure (26)
As seen in figure (26), the JMP jumps to the program's OEP (VA 00404000). Figure (27).

Figure (27)
In figure (27) right-click and choose Analysis > Remove analysis from module; you will see figure (28).

Figure (28)
When you see figure (28) we dump our file: right-click and choose Dump debugged process. You will see figure (29).
We can dump in the normal way, except that in figure (29) "Rebuild Import" must be unchecked. Why? Because FSG destroyed the imports, and the OllyDump plugin would get them completely wrong, so we will have to do some repairing of our own. You may tick the box if you like, but the dumped file will not run; once you have studied the matter in depth this will be clear.
Figure (29)
Uncheck "Rebuild Import" in figure (29) and click the Dump button. Then save the file as dump.exe.
Other tools can dump as well, for example LordPE or PE Tools. Figure (30).

Figure (30)
Either way, neither dumped file will run, because FSG destroyed the imports. So we now need to rebuild the imports. There are many tools that can rebuild imports, but I will just use ImpRec 1.7. Open ImpRec and attach to the process (UnpackMe_FSG2.0.exe).

Figure (31)
After attaching to UnpackMe_FSG2.0.exe, the OEP value has to be corrected: ImpRec only knows the EP of the running process. So change the OEP field to 4000, then click the AutoSearch button.

Figure (32)
Finding the IAT went fine. But if you leave RVA 11E8 as shown in figure (31) and dump, your repaired dump will not run. You may wonder how I know: I tried it. Let us study that RVA in detail. In Olly's dump window type 4011E8 and let us see what we find. Figure (33).
Figure (33)
At VA 4011E8 we find the imports of just one DLL. Scroll up a little and you will see more imports. Figure (34).

Figure (34)
We need to find the imports of both DLLs (user32.dll and kernel32.dll). With VA 4011E8, ImpRec will only find the imports (APIs) of one DLL, kernel32.dll. ☺ ImpRec has been tricked. So we need to change VA 4011E8 to VA 401198; only then will ImpRec find the imports of user32.dll as well.

Figure (35)
Correct the RVA as in figure (35) and click the Get Imports button; you will see figure (36). (It is also better to change Size to 100, so that ImpRec examines more.)

Figure (36)
ImpRec finds two thunks, but both are wrong. To see what is wrong, click the plus sign. The bad entries are at RVA 2118 (looking back at figure (34) you will find FFFFFFFF at RVA 2118) and at RVA 11B8. Figure (37).

Figure (37)
The addresses shown in figures (36/37) do not actually exist. FSG planted them deliberately to fool crackers, so these unneeded addresses have to be cut out.

Figure (38)
Right-click the unwanted thunks as in figure (38) and choose Cut thunk(s). The last thing left is to fix the dumped file.

Figure (39)
Click the Fix Dump button in figure (39) and select the dump.exe you saved from Olly. ImpRec saves the result under the name dump_.exe. Figure (40).

Figure (40)
Opening dump_.exe shows figure (41).

Figure (41)
Opening dump_.exe in Olly shows figure (42).

Figure (42)

(1) API Redirection


We have now covered roughly how imports are rebuilt. But when unpacking advanced packers this much knowledge is not enough; the IAT must truly be reconstructed. The reason is
(FOR ONLY FULL VERSION)
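The three shapes an IAT cell can take (a real API address, a stub that jumps to the API, a stub that pushes the API address and returns), together with the FFFFFFFF decoys FSG left behind in the walkthrough above, as an added Python example that is not from the original text or from ImpRec: it constructs a small stub region and module ranges (all addresses are made up except 7C81CAA2 for ExitProcess, which the text quotes), follows each redirected cell back to the real API, and rejects cells that lead nowhere, which is what the manual Cut thunk(s) step does. The MOV EAX,imm32 ; JMP EAX form is included as a common extra that the page itself does not list.

```python
import struct

# Constructed stand-ins for the loaded system DLLs: name -> (start, end) of the module.
MODULES = {'kernel32.dll': (0x7C800000, 0x7C8F6000), 'user32.dll': (0x77D10000, 0x77DA0000)}
STUB_BASE = 0x00440000   # constructed: where the packer's redirection stubs live

def build_stub_region():
    """Construct a code region holding the redirection shapes an IAT cell can point at."""
    mem = bytearray(0x200)
    # +00: PUSH 7C81CAA2 ; RET            -> ExitProcess (push the address, return into it)
    mem[0x00:0x06] = b'\x68' + struct.pack('<I', 0x7C81CAA2) + b'\xC3'
    # +10: JMP rel32 to +00               (a jump that lands on yet another stub)
    mem[0x10:0x15] = b'\xE9' + struct.pack('<i', 0x00 - (0x10 + 5))
    # +20: JMP DWORD PTR [STUB_BASE+100]  (the usual thunk; the pointer cell holds the API)
    mem[0x20:0x26] = b'\xFF\x25' + struct.pack('<I', STUB_BASE + 0x100)
    struct.pack_into('<I', mem, 0x100, 0x7C80B741)          # GetModuleHandleA (made up)
    # +30: MOV EAX,imm32 ; JMP EAX        (a common variant, not one the text lists)
    mem[0x30:0x37] = b'\xB8' + struct.pack('<I', 0x77D3E1AE) + b'\xFF\xE0'
    return bytes(mem)

def resolve_slot(value, mem, base=STUB_BASE, modules=MODULES, max_hops=8):
    """Follow an IAT cell back to the real API. Returns (api_va, dll, hops).
    Raises ValueError for junk such as the FFFFFFFF decoys FSG leaves behind."""
    addr = value
    for hops in range(max_hops + 1):
        for dll, (lo, hi) in modules.items():
            if lo <= addr < hi:
                return addr, dll, hops              # already a real API address
        off = addr - base
        if not 0 <= off <= len(mem) - 7:
            raise ValueError('%08X lies outside every module and the stub region' % addr)
        b = mem[off:off + 7]
        if b[0] == 0x68 and b[5] == 0xC3:                     # PUSH imm32 ; RET
            addr = struct.unpack_from('<I', b, 1)[0]
        elif b[0] == 0xE9:                                    # JMP rel32
            addr = addr + 5 + struct.unpack_from('<i', b, 1)[0]
        elif b[0] == 0xFF and b[1] == 0x25:                   # JMP DWORD PTR [imm32]
            cell = struct.unpack_from('<I', b, 2)[0] - base
            if not 0 <= cell <= len(mem) - 4:
                raise ValueError('pointer cell of stub at %08X is outside the region' % addr)
            addr = struct.unpack_from('<I', mem, cell)[0]
        elif b[0] == 0xB8 and b[5] == 0xFF and b[6] == 0xE0:  # MOV EAX,imm32 ; JMP EAX
            addr = struct.unpack_from('<I', b, 1)[0]
        else:
            raise ValueError('unrecognised stub at %08X: %s' % (addr, b.hex()))
    raise ValueError('redirection chain longer than %d hops' % max_hops)

def fix_iat(cells, mem):
    """Rebuild a run of IAT cells. Returns (fixed, rejected): fixed holds the real API
    addresses in order, rejected the (index, value, reason) of cells that must be cut."""
    fixed, rejected = [], []
    for i, value in enumerate(cells):
        try:
            fixed.append(resolve_slot(value, mem)[0])
        except ValueError as err:
            rejected.append((i, value, str(err)))
    return fixed, rejected
```

The hop counter matters: protectors chain stubs, and a cell that never reaches a module within a few hops is either a decoy or a stub shape the resolver does not know, and in both cases it must be inspected by hand rather than written into the rebuilt table.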

INFO: API redirection is something that most packers/protectors


(2) Unpacking a packed file

Figure (43)

Figure (44)

Figure (45)

Figure (46)

Figure (47)

Figure (48)

Figure (49)

Figure (50)

Figure (51)

Figure (52)

Figure (53)

Figure (54)
(3) Removing the redirection

Figure (55)
INFO: In fact, only while the program is running does the unpacking stub

Figure (56)

Figure (57)
INFO: For a program to obtain all the imports in the exe,
HINSTANCE LoadLibrary (
LPCTSTR lpLibFileName
);
FARPROC GetProcAddress(
HMODULE hModule,
LPCSTR lpProcName
);
Figure (58)

Figure (59)

Figure (60)

Figure (61)
☺☺☺

Figure (62)
INFO: Looking at figure (60), at VA 0043803C

Figure (63)

Figure (64)

Figure (65)

Figure (66)

Figure (67)
INFO: The VirtualProtect() function that is being called

Figure (68)

Figure (69)

Figure (70)

Figure (71)

Figure (72)

Figure (73)

Figure (74)

Figure (75)

Figure (76)
☺☺☺

Figure (77)

Figure (78)

Figure (79)

Figure (80)

Figure (81)

Figure (82)

Figure (83)
Chapter (15) - Cracking programs written in Visual Basic - 220 -

Chapter (15) - Cracking programs written in Visual Basic


This time we will try cracking programs written in VB. A great many of the programs written by Myanmar programmers are written in VB. The sample chosen for cracking here is PC to Answering Machine 2.0.8.2, and the tools used are OllyDbg and SmartCheck. Olly is already familiar, so there is nothing to say about it, but let me briefly introduce the SmartCheck software. NuMega Technologies, the software company behind SmartCheck, was acquired by Compuware in 1997. Compuware continued developing SmartCheck until about 2001, after which no further versions were released. SmartCheck was sold as shareware; these days it can be found on the internet as freeware, and Google will find it. The version I am using is 6.20.
(1) The nature of the program
Open PC to Answering Machine in Olly and in PEiD. Figure (1).

Figure (1)

Figure (2)
To repeat: whenever I open a program I first open it in PEiD to find out what it was written with and what it is packed with. (You can also use RDG Packer Detector or CFF Explorer.)
The highlighted line in figure (1) is the program's EP. Figure (2) shows that this program was written in Visual Basic. What I want to talk about now is Visual Basic.
INFO: Visual Basic is a high-level language descended from the BASIC language of the DOS era. BASIC stands for Beginners' All-purpose Symbolic Instruction Code. Visual Basic is visual and event-driven, and programming is done within the visual environment: programmers can click on objects as they please, and to respond to actions (events) each object is coded separately. This is why a Visual Basic program is made up of many subprograms. Each subprogram has its own code; subprograms can run independently and, at the same time, they can call on one another.
INFO: Although Visual Basic applications are fully compiled applications, the way they behave complicates OllyDbg's work. OllyDbg is a debugger for compiled languages, but it is still a long way from handling VB comfortably; it does better with C/C++. VB itself, both as a language and in the eyes of programmers, is perfectly good and suitable.
INFO: VB programs depend on an external DLL (MSVBVM60.dll for VB 6.0; other versions have similar files). This DLL handles all the APIs and events, so all the VB APIs are packed into the DLL and the exe's code spends nearly all its time inside that file. This matters a great deal when cracking: Olly's call stack is a rare help here, because the application is almost always inside VB's own DLL. Incidentally, the application consists mostly of event handlers and uses callbacks from the DLL to respond to events and messages. The rest of a VB application is the resources, the variables, and the functions used to wire up the event handlers.
INFO: VB is stack-based, meaning it uses the system stack for all its operations. This differs from other languages, which use registers and use the stack mainly for function calls. A VB application can be compiled either to native code or to an interpreted p-code executable; in the latter case the instructions are translated, or interpreted, at run time by the run-time DLL, and the p-code engine is simply a machine that processes opcodes. All the operands used by p-code instructions are kept on the stack.
If you want to see the call stack in Olly, press Alt+K. Figure (3) is the (system) stack.

Figure (3)
INFO: A DLL (dynamic link library) is a collection of small programs. They are called by a running program at the moment that program needs them. Mostly they let exe files talk to devices (for example, connecting to the printer when you want to print).
INFO: Another example is when space on your hard disk matters. Programs can call a DLL that contains complete functions, with their parameters, and call into those functions. Because the functions in the DLL do not have to be written again, exe files stay small.
INFO: Because DLLs need not be loaded into RAM together with the exe, they save RAM: a DLL only enters RAM when it is called. For example, while you are typing in Microsoft Word the printer DLL is not running; only when you print is the printer DLL loaded and used.
INFO: In short, a DLL is an executable file, but on its own it does nothing; it only works when called by EXE files. This is why exe files have to declare, with parameters, which DLLs they use.
By now you may think VB is a very hard language to deal with. In fact you would be wrong: we have very useful tools, which I will explain later. In any case do not assume Olly is useless for VB; every language ends up translated into assembly.
Now let us discuss the nature of the program. What I noted about it is this: after installing, on the very first start the program computes something specific to your computer and fixes a key. This is unusual, but it gives us a very good hint: the program derives the code from something (for example the hard disk ID) and then stores it somewhere, so that at startup it can check whether it has been registered.
(2) Finding the serial
At startup the program has to check whether it is registered. In VB this is done by APIs in the DLL. The important ones here are:
(1) __vbaVarTstEq
(2) __vbaVarTstNe
(3) __vbaVarCmpEq
(4) __vbaStrCmp
(5) __vbaStrComp
(6) __vbaStrCompVar
Numbers (1, 2, 3) are the most commonly used, so let us try the first API, __vbaVarTstEq.
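What "Set breakpoint on every reference" has to do behind the scenes, as an added Python example that is not from the original text or from OllyDbg: given the IAT cells of a VB6 exe (the cell addresses and the .text bytes are constructed here; the export names are real MSVBVM60.dll exports) it finds every CALL DWORD PTR [cell] and JMP DWORD PTR [cell] that reaches one of the comparison functions listed above, and also the CALL rel32 sites that go through such a JMP thunk. The result is the list of places you would put breakpoints on, grouped by import.

```python
import struct

# Constructed: IAT cells of a VB6 exe (VA -> name) as Olly's Names window would list them.
# The names are real MSVBVM60.dll exports; the cell addresses are made up.
VB_IMPORT_SLOTS = {
    0x401010: '__vbaVarTstEq',
    0x401014: '__vbaVarTstNe',
    0x401018: '__vbaStrCmp',
    0x40101C: '__vbaLenBstr',      # not a comparison; must not be reported
}
VB_COMPARE_EXPORTS = {'__vbaVarTstEq', '__vbaVarTstNe', '__vbaVarCmpEq',
                      '__vbaStrCmp', '__vbaStrComp', '__vbaStrCompVar'}
CODE_BASE = 0x5BBD00   # constructed VA of the .text fragment below

def build_sample_code():
    """Construct a .text fragment: two calls to __vbaVarTstEq, one to __vbaStrCmp, one to
    the uninteresting import, a CALL into a JMP [cell] thunk, and the thunks themselves."""
    code = bytearray()
    code += b'\x8B\x45\x08'                                      # mov eax,[ebp+8]
    code += b'\xFF\x15' + struct.pack('<I', 0x401010)            # call [__vbaVarTstEq]
    code += b'\x66\x3B\xFE'                                      # cmp di,si
    code += b'\xFF\x15' + struct.pack('<I', 0x40101C)            # call [__vbaLenBstr]
    code += b'\xE8' + struct.pack('<i', 0x30 - (len(code) + 5))  # call thunk at +30
    code += b'\xFF\x15' + struct.pack('<I', 0x401018)            # call [__vbaStrCmp]
    code += b'\xFF\x15' + struct.pack('<I', 0x401010)            # call [__vbaVarTstEq]
    code += b'\xC3'                                              # ret
    code += b'\xCC' * (0x30 - len(code))                         # padding up to the thunks
    code += b'\xFF\x25' + struct.pack('<I', 0x401014)            # +30: jmp [__vbaVarTstNe]
    code += b'\xFF\x25' + struct.pack('<I', 0x40101C)            # +36: jmp [__vbaLenBstr]
    return bytes(code)

def find_import_refs(code, base, slots, wanted):
    """Return sorted [(site_va, kind, name)] for every reference to a wanted import:
    CALL/JMP DWORD PTR [cell] sites (FF 15 / FF 25 imm32), and CALL rel32 (E8) sites
    whose target is a JMP [cell] thunk for a wanted import."""
    thunks, refs = {}, set()
    for off in range(len(code) - 5):
        if code[off] == 0xFF and code[off + 1] in (0x15, 0x25):
            name = slots.get(struct.unpack_from('<I', code, off + 2)[0])
            if name is None:
                continue                               # indirect call, but not via the IAT
            if code[off + 1] == 0x25:
                thunks[base + off] = name              # remember thunks for the E8 pass
            if name in wanted:
                refs.add((base + off, 'call' if code[off + 1] == 0x15 else 'jmp', name))
    for off in range(len(code) - 4):
        if code[off] == 0xE8:
            target = base + off + 5 + struct.unpack_from('<i', code, off + 1)[0]
            name = thunks.get(target)
            if name in wanted:
                refs.add((base + off, 'call-thunk', name))
    return sorted(refs)

def breakpoint_plan(code=None, base=CODE_BASE):
    """Group the reference sites by import: {name: [va, ...]}, the list of addresses
    that 'Set breakpoint on every reference' would turn into breakpoints."""
    code = build_sample_code() if code is None else code
    plan = {}
    for va, _kind, name in find_import_refs(code, base, VB_IMPORT_SLOTS, VB_COMPARE_EXPORTS):
        plan.setdefault(name, []).append(va)
    return plan
```

Because this is a byte-pattern scan rather than a disassembly, an FF 15 that happens to sit inside an immediate or a data constant can produce a false hit; Olly's reference search works from its analysis and avoids that, so treat the list as candidates to confirm in the disassembler.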

Figure (4)
Figure (4) shows the entry point. Press Ctrl+N to open the Names window. Figure (5). Then, to search faster, type vbavartst on the keyboard; you will land straight on vbaVarTstEq.

Figure (5)
Looking at figure (5), notice that the APIs we are after live in MSVBVM60.dll. We set a BP on vbaVarTstEq: right-click vbaVarTstEq and choose Set breakpoint on every reference. Olly sets no fewer than 88 breakpoints.

Figure (6)
Then press Run (F9).

Figure (7)
Olly stops at the first vbaVarTstEq BP it meets. Nothing conclusive can be seen in this code, so to learn how the program behaves let us step with F8 and study it.

Figure (8)
The CMP DI,SI at VA 005BBD58 is interesting, but let us take the jump and see what happens next.

Figure (9)
We suspect that oeiu-564-oqei-97, seen at VA 005BBFC0 in figure (9), is the serial we are looking for. Let us follow a little further. Figure (10).

Figure (10)
Let us try oeiu-564-oqei-97. First remove all the breakpoints (press Ctrl+N and choose Remove all breakpoints).
(3) Registering
With all breakpoints removed, run the program (F9). You will see figure (11).

Figure (11)
In figure (11) no name is asked for when registering; only a specific key is required, and that key was computed and fixed when the program was first installed. Let us register.

Figure (12)
Type oeiu-564-oqei-97 and press OK.

Figure (13)
Figure (13) shows that registration succeeded. What do you make of that? Let us close the program and start it again.
(4) Testing the registration
To restart the program in Olly press Ctrl+F2, then F9. This time no nag screen appears when the program starts. Choosing About from the Help menu is fine too. Figure (14).

Figure (14)
So let us examine this program in SmartCheck.
(5) Adjusting SmartCheck's settings
This time we try NuMega's SmartCheck. SmartCheck is made specifically for debugging (and hence cracking) VB programs, but a few of its settings need slight adjustment. Open PC to Answering Machine 2.0.8.2 in SmartCheck. Once it is open, choose Settings ... from the Program menu. Figure (15).

Figure (15)
Uncheck Leaks in figure (15). Choose Save these settings ... Then choose Advanced.

Figure (16)
Select the options as shown in figure (16).

Figure (17)
The last ones to select are shown in figure (17). That completes the settings. Let us run PC to Answering Machine 2.0.8.2 in SmartCheck. When it has run, choose Event Summary from the View menu. Figure (18).

Figure (18)
The Event Summary window gives us useful information.

Figure (19)
Specific Events in the View menu lets us choose to display only the events we want.

yHk(20)
yHk(20)udk owdxm;rdygovm;/ Sequence Numbers udk uRefawmf a&G;xm;ygw,f/ 'gav;[m
awmfawmfav; toHk;0ifvSygw,f/ aemufydkif;rSm uk'fawG axmifeJUcsDjyD; Munfhp&m rvdkatmif tultnDay;wm
awGU&ygvdrfhr,f/
wu,fvdkU uk'fawGtm;vHk;udk Munfhcsifw,fqdk&ifawmh View menu u Show All Events udk
a&G;vdkufyg/
(6) SmartCheck wGif serial udk &Smjcif;
uRefawmfwdkUtaeeJU SmartCheck &JU setting udkvJ jyifjyD;jyDqdkawmh serial &Smjcif;tvkyfudk pwif
vdkufMu&atmif/ Event awGudk MunfhvdkufwJhtcgrSm uRefawmfwdkUtwGuf toHk;r0ifwJhuk'fawGu rsm;aewm
awGU&ygw,f/ yHk(21)twdkif; atmufudk enf;enf;av; scroll qGJjyD; MunfhvdkufMu&atmif/

yHk(21)
wu,fhuk'f pwifwmuawmh yHk(21)rSmyg/

yHk(22)
Looking at Figure (22), we see there are as many as 24734 events. The ( ) button is End Program; if it had not been pressed, about 1.5 million events would have come out. For now, what we need is to trace how the start of the PC to Answering Machine 2.0.8.2 program works.

Figure (23)
If you look at the line numbers in Figure (23), you'll notice that not all lines are shown yet. That's because we have selected only Show Errors and Specific Events.

Figure (24)
With Show Errors and Specific Events selected, you see Figure (24). What we know is that the program checks for one exact key at start-up. So let's simply search for the API calls. Figure (25).

Figure (25)
Searching as in Figure (25) finds what is shown in Figure (26).

Figure (26)
As Figure (26) shows, we arrive at the first API found. We won't study the APIs in detail here; that comes later. The suspicious one is at line number 3825.

Figure (27)
So, to see it in detail, I click the little plus sign. Nothing special there. But when I double-click line number 3825 and look in the Details window, I see Figure (28).

Figure (28)
What Figure (28) shows is the serial we were looking for. SmartCheck, we find, makes finding an ordinary registration key very easy.
INFO: Some VB programs include anti-SmartCheck techniques. Most of them check for the text NuMega SmartCheck. I don't have this problem, because I have patched SmartCheck with Repair 0.6. The other tools can be patched the same way.
So cracking PC to Answering Machine 2.0.8.2 is finished successfully. Finding a serial this way is called serial fishing. You may not understand very well what I have just explained yet, because serial fishing studies the program code only roughly and then hunts for the serial that the debugger hands out; we never computed the serial ourselves. This time we'll try cracking VB programs at a more advanced level. The programs chosen for cracking are two ReverseMe programs and CrackersConvert 1.0, a freeware program protected by a registration scheme. Before reading the lesson, download these 3 programs from the SND Team website; the SND Team's internet address is given in the appendix. From the SND Team's download section, download the file Lena's Reversing Tutorial - 10. That file contains the 3 programs together with the lesson I am about to explain. This chapter is a translation of Lena151's tutorial. The tools needed for the cracking are OllyDbg, SmartCheck, VB Decompiler and Veoveo. VB Decompiler (the Lite edition is free) can be downloaded from www.vb-decompiler.org.
Okay, let's start our cracking.
(7) ReverseMe1
The first one we'll try cracking is the ReverseMe1 program. Open the file Tut.ReverseMe1.exe in SmartCheck and run it. You'll see Figure (29).

Figure (29)
What you see in Figure (29) is the nag screen. I'll explain how to remove it later. First let's just try out how to register the ReverseMe program.

Figure (30)
The Form1_Load seen in Figure (30) is very important. Did you notice that the MessageBox is what produces the nag screen of Figure (29)? The registration routine comes after this Form1_Load. Press OK in Figure (29). You'll see Figure (31).

Figure (31)
Let's type 123456 in the Regcode textbox of Figure (31). Then you'll see Figure (32).

Figure (32)
In addition, new events are added where Figure (30) was, as in Figure (33).

Figure (33)
If we choose Show All Events from View, we see every event. Before choosing Show All Events, first select the event you want to look at; otherwise there are so many events that you won't be able to find the one you are looking for. As a rule, when something is written as xxxxxx_Click, xxxxxx is the name of a button. Programmers don't usually rename their buttons; they leave them as CommandX, where X is a number that usually starts at one.
Do you see that Command1_Click in Figure (33) is where the serial is checked for correctness? So let's look at that spot carefully. For now, since we no longer need the Tut.ReverseMe1.exe program, let's close it for a moment. By the way, what we see in Figure (33) is only an event summary.
Click the little plus sign to the left of Command1_Click in Figure (33). Figure (34).

Figure (34)
Figure (34) doesn't give us enough information either. If you select the MsgBox text, you'll see Figure (35).

Figure (35)

Figure (35) is the BadBoy. Okay, and what if we select Text1.Text in Figure (34)? As it stands we see nothing. Choose Show All Events ( ) from the View menu. Then you'll see Figure (36).

Figure (36)
Actually, nothing about this is hard. We can see everything.
__vbaStrCmp is used to compare strings.
Example: __vbaStrCmp(String: "xxxxxx", String: "yyyyyy") returns DWORD:0 when the two strings are equal.
But in Figure (36) the DWORD value is FFFFFFFF, because the two strings are not equal: in the Regcode textbox of Figure (31) I had typed 123456. So what was the fake serial we typed compared against? Figure (37).

Figure (37)
Okay. What 123456 was compared with is I'mlena151. That I'mlena151 was compared just before the BadBoy message appeared. Now that we know what the serial is, let's try that serial.

Figure (38)
When we type I'mlena151 as in Figure (38), a message box appears saying that registration succeeded. By the way, the serial we typed came easily, without any computation on our part.
We still need to clear the nag screen. SmartCheck is good for finding a serial in a VB program, but for removing a nag we have better tools than this: VB decompilers, for example VB Decompiler Lite or Pro. I use VB Decompiler Pro 5.0.
Okay, let's open VB Decompiler.

Figure (39)

This is our Tut.ReverseMe1.exe program decompiled in VB Decompiler.
INFO: A compiler is a program that converts source code into exe code. A decompiler takes exe code and converts it back into source code. A decompiler is just a specialized kind of disassembler: where a disassembler converts exe code into assembly code, a decompiler converts it into a high-level language such as C/C++ or VB.
Looking at Figure (39), I think VB Decompiler has done its job well.
Let's study the code first. Click the little plus sign next to Form1 in Figure (39).

Figure (40)
In my view, even someone unfamiliar with programming languages would understand this. The mnuabout seen in Figure (40) is the About box. mnuexit is Exit. Command2 is what runs when the Nag button is pressed. Form_Load is the nag. Command1 is what runs when the Register button is pressed. So let's see at which VA the routine that produces the nag starts. Both Form_Load and Command2 say the nag starts at VA 402C17. You can double-click to check whether that's right. Double-click Form_Load.

Figure (41)
According to Figure (41), it's certain that the nag screen is created here, because we find the text "Get rid of all Nags and find ..".

Figure (42)
Figure (42) is the end of the nag screen; VA 402C17 is the start of the nag routine. Okay, let's open Tut.ReverseMe1.exe in our debugger. Figure (43).

Figure (43)

Then, to jump straight to the VA we want, click the ( ) button on the toolbar. You'll see Figure (44).

Figure (44)
Type VA 402C17. You'll see Figure (45).

Figure (45)
What Figure (45) shows is the start of the nag screen. Set a breakpoint at VA 402C17, then press run (F9).

Figure (46)
Figure (46) shows where execution goes once this nag screen is finished. Let's change the PUSH EBP at VA 402C17 into RET. That makes it as if we arrive at the end of the nag instead of its start. (Check that the routine's own epilogue ends in a plain RET rather than RET n before doing this; otherwise the early return leaves the stack unbalanced.) Then press run (F9).

Figure (47)
The nag does not appear; only Figure (47) appears. To be sure, let's press Nag? in Figure (47). Nothing appears. The nag screen is gone.
(8) CrackersConvert
This time we'll study the CrackersConvert program. This time I won't go through the program's behaviour; open it in SmartCheck and study it yourself. I'll go straight to About. Pressing the register button from About shows the registration box of Figure (48).

Figure (48)
And when the register button is pressed, you see Figure (49).

Figure (49)
INFO: You can enter any registration code you like. You may be wondering why I typed 47806. Well, programs often convert the registration code to hex before comparing it, and 47806 in hex is BABE, which is easy to spot in a dump.

Figure (50)
Pressing Validate in Figure (48) shows Figure (50). Since we have found what we were looking for, let's close the CrackersConvert program.

Figure (51)
For now, to study the code, let's look at the Overview window as in Figure (51).
Len(String: "rhythm") returns LONG:6
Explanation: The string length (character count) of "rhythm" is 6.
Mid(VARIANT:String:"abcdefg",long:1,VARIANT:Integer:1)

Explanation: Takes one character of "abcdefg" starting at position 1, i.e. the first character.


Mid(VARIANT:String:"rhythm",long:1,VARIANT:Integer:5)
Explanation: Here it takes 5 characters starting at position 1 ("rhyth").
Asc(String:"T") returns Integer:84
Explanation: Gets 84, the decimal (ASCII) value of "T".
Asc(String:"r") returns Integer:114
Explanation: Here it gets 114, the decimal value of "r".
Len(String: "47806") returns LONG:5
Explanation: The string length (character count) of "47806" is 5.
The bottom line of Figure (51) is the BadBoy.
Did you notice that the line Len(String: "47806") returns LONG:5 only checks the character count of the serial? Why doesn't it compare the serial? Let's find where the serial is compared before the BadBoy is reached. Select Len(String: "47806") returns LONG:5 and press Show all events ( ). You'll see Figure (52).

Figure (52)
Look at Figure (52). Actually, nothing about this is hard.
__vbaVarMul(VARIANT:String:"114", VARIANT:Integer:20) returns DWORD:13F474
It multiplies the first letter of my name, the 114 from the Asc call above, by 20.
__vbaVarMul(VARIANT:String:"1", VARIANT:String:"2") returns ..
Explanation: 1 multiplied by 2.
__vbaVarMove(VARIANT:Double:2280,VARIANT:Empty) returns DWORD:13F48C
The result is 2280.
__vbaVarCat(VARIANT:String:"REG-",VARIANT:Double:2280) returns DWORD:13F474
Then it concatenates REG- in front to make REG-2280.
__vbaVarCat(VARIANT:String:"REG-2280",VARIANT:String:"-CODE") returns DWORD:13F464
Then it concatenates -CODE on the end to make REG-2280-CODE.
__vbaVarTstEq(VARIANT:String:"47806",VARIANT:String:"REG-2280-CODE") returns DWORD:0
Only then does it compare against the serial we typed.
__vbaVarTstEq(VARIANT:****,VARIANT:****) returns DWORD:0
Explanation: __vbaVarTstEq tests two Variants for equality. It returns VB's True, -1 (shown as FFFF or FFFFFFFF), when they are equal and 0 when they are not; that is why the line above returns DWORD:0 for "47806" against "REG-2280-CODE". Note that this is the opposite sense from __vbaStrCmp, which returns 0 on equality. __vbaVarCmpEq is similar but hands back the result as a Variant.
So we have the serial we need. The user name is rhythm and the serial is REG-2280-CODE.

Figure (53)
Press Validate in Figure (53).

Figure (54)
So our registration succeeded. Figure (54).
INFO: The program writes the registration data to the files cconv.$$$ and cconv.ccc. At program start it then checks whether this information is valid.
Okay, let's study another ReverseMe program.
(9) ReverseMe2

Figure (55)
Figure (55) shows ReverseMe2 opened in Olly. You may want to ask why it is opened in Olly rather than in SmartCheck. In fact I opened ReverseMe2 in SmartCheck first, but it couldn't be opened: SmartCheck closed by itself as soon as ReverseMe2 was loaded. So I opened it in Olly to find out what was going on, suspecting that ReverseMe2 has some anti-SmartCheck tricks: as soon as it notices SmartCheck, it tries to close SmartCheck immediately. Let's see how to solve it.
Right-click in the debugger window and choose Search for, then All referenced text strings. You'll see Figure (56). Let's check whether ReverseMe2 looks for SmartCheck.

Figure (56)
In Figure (56) we find the text NuMega SmartCheck at VA 00404525. Let's double-click VA 00404525 and study the code. Figure (57).

Figure (57)

The ReverseMe looks for the text NuMega SmartCheck. So at this spot we'll change it to some other text. I'll show the easiest way. In the debugger window, right-click at VA 00404525 and choose Follow in Dump, then Immediate constant.

Figure (58)
When you see Figure (58), just select the character you want to change and type whatever text you like on the keyboard.

Figure (59)
With the 4D (M) in Figure (58) selected, pressing B on the keyboard gives Figure (59).

Figure (60)
Pressing OK in Figure (59) gives Figure (60). In the same way, let's replace the character 43 (C) with some other character. (Overwrite characters in place only; the string must keep its length so that the terminating zero and the data after it stay where they are.)

Figure (61)
Then right-click and choose Copy to executable file. You'll see Figure (62).

Figure (62)
Right-click in Figure (62) and choose Save file, then save the file under any name you like. This time the file we saved opens in SmartCheck without any problem. You'll see Figure (63).

Figure (63)

This anti-anti technique can be used not only for SmartCheck but also for other tools such as Olly, ImpRec and LordPE. Let's try registering ReverseMe2.

Figure (64)
Even though we type a User name and a Registration code, the Register button stays disabled, so we can't register. This ReverseMe program appears to check each character we type as it is typed. Figure (65).

Figure (65)
So what do we need to look at? Let's study Figure (65) in detail.

Figure (66)
Here we see the program computing on some of the characters. But looking deeper into Text2.Text in Figure (66), we find nothing.

Figure (67)
So let's think about Figure (67). The ReverseMe program knows at start-up that it is not yet registered.

Figure (68)
Let's study Text3.Text "UNREGISTERED" (String) in Figure (68) in detail. The line AppActivate(VARIANT:String:"NuSega S...", VARIANT:Missing) fails means that no window titled NuSega S... was found; that is the anti-SmartCheck check, which our string patch has defeated. Then look at the line Text3.Text "UNREGISTERED" (String). I think you understand that our search only needs to cover what happens before this UNREGISTERED string.

Figure (69)
Look at Figure (69). __vbaVarTstEq(..) seems to compare something. Selecting __vbaVarTstEq(..) gives Figure (70).

Figure (70)
It isn't very clear yet. Let's study it in detail.

Figure (71)
Selecting Dir(VARIANT:String:"reginfo....",FLAGS:00000000) in Figure (71) gives Figure (72).

Figure (72)
The ReverseMe looks for a file called reginfo.key. The __vbaVarTstEq(..) tests whether reginfo.key exists (VB's Dir returns an empty string when no matching file exists, so an equality test on its result is an existence check). If it doesn't exist, the text UNREGISTERED is shown in the main window and you can't register. So we need a reginfo.key file. Let's create one: open Notepad and save an empty file named reginfo.key next to the ReverseMe2 executable. Then examine ReverseMe2 in SmartCheck again.

Figure (73)
Then you'll see Figure (74). Let's try registering.

Figure (74)
Okay. So far we still can't register. Let's see what has changed in SmartCheck.

Figure (75)
In Figure (75) you'll see that the text Key File found has appeared where UNREGISTERED was. Okay, now let's study the serial-checking code again.

Figure (76)
Left(VARIANT:String:"rhythm",long:1)
Explanation: Takes the first character of the name.
Asc(String:"r") returns Integer:114
Explanation: Converts the ASCII character "r" to its integer value 114.
Mid(VARIANT:String:"rhythm", long:2, VARIANT:Integer:1)

Explanation: Takes the second character of the name.


Asc(String:"h") returns Integer:104
Explanation: Converts the ASCII character "h" to its integer value 104.
Then it converts the third, fourth, ... characters in the same way, and joins all of those numbers together: 114 & 104 & ... (the trace shows the result as a string, so this is string concatenation, not addition).
Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10)

Now let's look at all the events. Choose Show all events ( ).

Figure (77)
In Figure (77) we see those numbers being joined. The important line is Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10): the program takes only 10 characters starting from the second character. So the digits it keeps are just 1410412111.

Figure (78)
Then continue with Figure (78).
__vbaVarSub(..) subtracts something, and then __vbaVarTstEq(..) compares something. So we need to look in detail. Click the little plus sign.

Figure (79)
Looking at Figure (79), we find that __vbaVarSub(..) has nothing to do with __vbaVarTstEq(..). ☺☺☺

Figure (80)
But in the __vbaVarTstEq(..) of Figure (80) we see that the genuine serial is converted to double.dbval for the comparison. In fact it is 1410412111 that gets converted so it can be compared. So the genuine serial is .... ☺

Figure (81)
The program converts the first 5 characters of the name we typed into their ASCII codes, then joins those codes into one string. Then, to create the serial, it takes 10 characters starting at the 2nd character of that joined string (positions 2 through 11). Let's try that serial.
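The two serial algorithms traced in this chapter, reimplemented as an added Python example (this is not code from Lena151's tutorial or from the programs themselves): crackersconvert_serial() follows the __vbaVarMul/__vbaVarCat sequence of Figure (52), and reverseme2_serial() follows the Asc/join/Mid sequence of Figures (76) to (81). The helper names (vb_mid, vb_asc, reverseme2_accepts) and the second sample name are this example's own; the chapter only shows "rhythm". Trace lines that do not feed the key (Len, Mid(name,1,5), Asc("T")) are left out, and the assumption that the typed text is coerced to a Double the same way as the computed value is flagged in the code.

```python
"""VB6 serial algorithms reconstructed from the SmartCheck traces above.

Added example, not part of the tutorial or of the programs. The two
algorithms are inferred from the traced __vba* calls; vb_mid()/vb_asc()
are helpers written here to mirror VB6's 1-based string functions.
"""


def vb_mid(s: str, start: int, length: int) -> str:
    """VB6 Mid$(s, start, length): 1-based start, clipped at the end of s."""
    if start < 1:
        raise ValueError("VB Mid requires start >= 1")
    return s[start - 1:start - 1 + length]


def vb_asc(ch: str) -> int:
    """VB6 Asc(): code of the first character; Asc("") is a VB runtime error."""
    if not ch:
        raise ValueError("Asc() of an empty string raises VB runtime error 5")
    return ord(ch[0])


def crackersconvert_serial(name: str) -> str:
    """CrackersConvert 1.0, as traced in Figure (52):
    Asc(first letter) * 20, then "REG-" & n & "-CODE".
    Only the first letter feeds the key, so any non-empty name works."""
    n = vb_asc(name[:1]) * 20            # __vbaVarMul("114", 20) -> 2280 for "rhythm"
    return "REG-" + str(n) + "-CODE"     # the two __vbaVarCat calls


def reverseme2_serial(name: str) -> str:
    """Tut.ReverseMe2, as traced in Figures (76)-(81):
    join Asc() of the first five characters, then Mid(joined, 2, 10)."""
    if len(name) < 5:
        # Assumption: the program never reaches a valid key for names shorter
        # than five characters (Mid past the end gives "" and Asc("") errors),
        # so refuse them instead of guessing.
        raise ValueError("ReverseMe2 needs a name of at least 5 characters")
    joined = "".join(str(vb_asc(c)) for c in name[:5])  # "114104121116104"
    return vb_mid(joined, 2, 10)                         # "1410412111"


def reverseme2_accepts(name: str, entered: str) -> bool:
    """Figure (80) shows the computed value compared as a Double via
    __vbaVarTstEq. Assumption: the typed text is coerced the same way, so the
    check is numeric rather than a string comparison."""
    try:
        return float(entered) == float(reverseme2_serial(name))
    except ValueError:
        return False


if __name__ == "__main__":
    for who in ("rhythm", "Myanmar"):   # "Myanmar" is a constructed second sample
        print(who, crackersconvert_serial(who), reverseme2_serial(who))
```

Run it and compare with the traces: "rhythm" must give REG-2280-CODE and 1410412111, exactly the values SmartCheck showed.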

Figure (82)
Our serial is probably right, because the Register button has become enabled again.

Figure (83)
Selecting the Register button in Figure (82) gives Figure (83). Registration succeeded.
Now open VB Decompiler, because I want to show VB Decompiler's decompiling ability.

Figure (84)
Once it is open as in Figure (84), to understand ReverseMe2's behaviour, double-click Form_Load and scroll. You'll see Figure (85).

Figure (85)
Double-click Command1_Click and scroll. Figure (86).

Figure (86)
Here I'd like to introduce the Veoveo program. This tool can enable or disable any button. Look.

Figure (87)
The Register button is disabled. Open the Veoveo program.

Figure (88)
As in Figure (88), right-click Veoveo and choose Enable Buttons (auto).

Figure (89)
Looking at Figure (89), the Register button is now enabled. You can see how easy it is. In reality, though, even with the Register button enabled we still won't be able to register, because the program still checks whether the serial is correct.
Chapter (16) - Cracking programs written in Delphi - 243 -

Chapter (16) - Cracking programs written in Delphi


In the previous chapter I explained how to crack programs written in Visual Basic. This time let's turn to Delphi programs. You'll remember that I mentioned earlier that a great many software packages are written in Visual C++, Borland Delphi and Visual .NET; that's why I think it has become necessary to explain how to crack Delphi programs as well. (In fact Delphi programs are similar in principle to Visual C++ programs.)
The program chosen for cracking this time is File Recovery Angel 1.13. This software helps you recover files you have deleted, and it is very easy to use. It can be downloaded free of charge from www.filerecoveryangel.com.
Okay, before cracking the program, open File Recovery Angel so we can learn a little about how it behaves.

Figure (1)
Opening File Recovery Angel and choosing About from the Help menu shows Figure (1). Trying to recover a damaged folder shows Figure (2).

Figure (2)
Trying to recover a large number of files shows Figure (3).

Figure (3)
These MessageBoxes are the ones that pressure users into buying.
Okay, let's check what this program is written in. Figure (4).

Figure (4)

Checking with PEiD, as in Figure (4), shows that this program was written with Delphi 4.0 or Delphi 5.0. Only a Delphi programmer could tell the exact version from the linker version. For us a rough idea is enough.
Opening FileRecoveryAngel.exe in Olly, you find the entry point as in Figure (5).

Figure (5)
To see exactly how it works, press F9 (Run). Then choose Register(R) from the Option menu to prepare to register. Figure (6).

Figure (6)
Type a Registration Name and a Registration Key as in Figure (6) and choose the Register button. You'll see Figure (7).

Figure (7)
Note the text "Register False" in Figure (7), search for it as a text string in Olly, and go to where that text string lives. Figure (8).

Figure (8)
Looking at Figure (8), you'll see that a jump lands at VA 00488FEA, where this BadBoy message is. For now, forget this jump. While Figure (7) is showing, press F12 (Pause) to pause the program. Then press Alt+K (Call Stack) and look at where the calls are being made from. Figure (9).

Figure (9)

As seen in Figure (9), Olly cannot give precise information about the calls. So we'll have to look at the System Stack to see where the error MessageBox of Figure (7) is called from. (When cracking Delphi programs, the System Stack is more useful than the Call Stack. Another common technique for Delphi programs is to look for the FindWindowA API, because Delphi programs tend to look for an open window with a specific class name or title.)

Figure (10)
Figure (10) is what the System Stack looks like while Figure (7) is paused.
INFO: Delphi code disassembled in Olly looks a little strange (you'll notice there are few comments and little info), because it doesn't let Olly backtrace the calls. The Call Stack is bare and gives only a little information. So in a Delphi program, if you want to know which call invokes a routine, you have to use the System Stack. Reading the return addresses off the System Stack and tracking down the start of each call also takes a lot of time; it's not very practical. We need another method, because Olly can't show the exact start address of a routine.
INFO: Delphi addresses global and local variables through pointers: [REG+Constant] for globals and [REG-Constant] for locals, where REG is a register. This means Olly can't backtrace something like CALL DWORD PTR DS:[EBX+100]: whenever EBX changes, the pointer's value changes too, so Olly can't backtrace that call. This is a real problem when dealing with Delphi programs. It can happen in other languages too, but not as often as in Delphi.
INFO: This is a little worrying, but we're lucky to have a tool for Delphi: DaFixer's DeDe. DeDe is a disassembler built for Borland Delphi programs. It is very fast at analysing exe files compiled with Delphi/Builder and can recover all of the file's dfm files, which can then be opened and edited in Delphi. DeDe can extract the strings, the imported function calls, the class method calls, the components in each unit, the Try-Except and Try-Finally blocks, and all of the referenced code. You can also generate a Delphi project folder containing the dfm, pas and dpr files. Every tool has a weakness: since DeDe is not a debugger, patching in DeDe is not possible, but it works fine used together with Olly. When you download DeDe 3.50.04 build 1635, make sure the DOI and DSF files are included. Articles about DeDe are in DeDe's dede_doc directory. (DSF == DeDe Symbol File) (DOI == DeDe Offset Information File)
INFO: An important point about DeDe's configuration is that it's best to load the correct symbol files before processing an exe file. DeDe can work without the DOI/DSF files, but they are very important for resolving call sequences correctly.

Figure (11)

As in Figure (11), choose Symbols from DeDe's Options menu and select the vcl5.dsf file, which belongs to Delphi 5.0. To analyse a Delphi 7.0 program you would select vcl7.dsf. Click the DOI tab and select the D5.doi file. Then click the Process button in Figure (12).

Figure (12)
Clicking the Process button in Figure (12) brings up MessageBoxes as in Figure (13).

Figure (13)
Just choose the No button. You'll see Figure (14).

Figure (14)
Click the Procedures tab in Figure (14). Then you'll see the procedures File Recovery Angel uses. TFrmMain is the procedure for the program's main part, the Main menu. TFrmAbout is the Form (dialog box) shown when the About menu is clicked. TFrmRegister is the Registration Form we are looking for. Select TFrmRegister. On the right you see the routine start addresses that Olly could never show. Select ImgRegistereClick. You'll see Figure (15).

Figure (15)
VA 00488E34 is the start of the Registration routine. Scrolling down a little shows Figure (16).

Figure (16)

Figure (16) is the Bad message shown when a wrong registration key is entered.


The rest you can study on your own when you have time. In fact our work with DeDe was already done at Figure (14), because we found the start address of the registration routine. Note VA 00488E34, the start address of the registration routine, press Ctrl+G in Olly and type it in. Figure (17).

Figure (17)
Now you can close DeDe. Having reached the start of the registration routine as in Figure (17), let's look at where the registration key is checked. Set a breakpoint at VA 00488E34 and try registering again. Figure (18).

Figure (18)
Choosing the Register button in Figure (18) brings us to VA 00488E34, where we set the breakpoint. Now press F8 (Step Over) until you reach VA 00488EFA in Figure (19).

Figure (19)
VA 00488EFA in Figure (19) is the routine that generates the registration key. For "Myanmar Cracking Team" in the Registration name field of the Registration form, it generates the required key "CA75FC30F7AD6E7C969032F175560906F79B9EE94E93D2D4302B92" and stores it in EAX. The CALL at VA 00488F13 compares the key in EAX with the key we typed, "4.10.1979", held in EDX. If they match, it saves "On" under "IsRegister" in the registry. If they don't match, execution continues, and on reaching VA 00488F3F it tests again whether or not to go to the BadBoy ("Register False!"). By now I think you know what to do next.

Close Olly and open File Recovery Angel on its own. Then choose Register (R) from the Option menu and register. Figure (20).

Figure (20)
Clicking the Register button in Figure (20) shows Figure (21).

Figure (21)
Choosing About from the Help menu shows Figure (22). In fact, no matter how many characters you type in the registration name, File Recovery Angel checks no more than 12 of them. That's why it shows "Myanmar Crac" instead of "Myanmar Cracking Team".

Figure (22)
Bear in mind that if, instead of typing the correct key, you change the JE at VA 00488F46 that goes to the BadBoy into NOPs, the registration only succeeds for the moment, because at start-up the program reads Name and Unicodekey from the two registry locations "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Frareg" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unicode" and checks whether they are valid. For details, click TFrmMain in Figure (23) and have a look.

Figure (23)
FormCreate in Figure (23) gives the start virtual address (00491A00) of the code that runs when the Main menu is created. Study it on your own.

Now I'd like to show a little trick. You'll remember having to write a keygen back in the Teleport Pro 1.33 lesson. Writing the keygen routine itself isn't hard, but writing everything around it takes time; personally I find writing keygens very tedious. So I want to show you a trick that makes the program hand out the key itself, without writing a keygen.

Figure (24)
Look carefully at Figure (24). At VA 00488EFA the serial is generated from the user name you typed and placed in the stack segment. It is then moved from the stack into EAX and compared with the serial you typed, which is in EDX. If the two serials don't match, execution goes to the BadBoy. Figure (25).

Figure (25)
Look at Figure (25). VA 00489184 holds the text "Register False!"; it is copied into EAX, and if the two serials don't match, the BadBoy message shows it. Figure (26).

Figure (26)
Wouldn't it be nice if, instead of the text "Register False!", it showed the serial for the user name we typed? ☺
Okay, let's try to make it do that. At VA 488FFB in Figure (25), change MOV EAX, 489184 into MOV EAX, DWORD PTR SS:[EBP-C] and save the file. (Note: remember I said the genuine serial is kept in the stack for a moment. The new instruction is two bytes shorter than the old one, so leave Olly's "Fill with NOP's" option checked when assembling it; the spare bytes become NOPs and the following instructions keep their addresses.) Open the file saved with the patched code and try registering. Figure (27).

yHk(27)
'Dwpfcgawmh rhythm qdkwJhtrnfeJU register vkyfMunfhygr,f/

yHk(28)

When you register with the name rhythm, you see Figure (28). ☺

By now I think you have caught on. The key (0415BFA8C..) seen in Figure (28) is the serial key that the program computed and produced for the user name rhythm. Note this key down; if you enter it the next time you register, the registration completes successfully. Figure (29).

Figure (29)
If you press the register button in Figure (29), you will see Figure (30).

Figure (30)
If you choose About from the Help menu, you see Figure (31).

Figure (31)
Chapter (17) - Cracking programs written in Java - 251 -

Chapter (17) - Cracking programs written in Java

This time let us try cracking programs written in Java. Cracking Java programs is covered here because it works on principles different from those for other programs.
(FOR ONLY FULL VERSION)

(1) Java Virtual Machine (JVM)

Figure (1)

Figure (2)
(2) Java Cracking Tools
The tools used for cracking Java programs are:
(a) CCK
(b) DJ Java Decompiler
(c) JDebugtool
(d) JAD
(e) JODE
(f) Java Decompiler

(3) Studying VisualRoute

Figure (3)

Figure (4)

Figure (5)

Figure (6)

Figure (7)
(4) Java cracking (studying the code)
We can patch this loader file by creating an external loader. (For example, we could create the temporary folder under a fixed name and keep the patched classes inside it. But as far as we can see that is not necessary. It will become clear later on.)

public static void main(String args[])
{
PQ = System.currentTimeMillis();
QQ = args[0].indexOf('D') >= 0;
RQ("Java=" + System.getProperty("java.version"));
jexepackboot jexepackboot1 = new jexepackboot(); // New instance of the current class
int i = jexepackboot1.run(args); // Execute the Method run(String[ ] as)
if(i != 0)
System.exit(i);
}

Figure (8)
public jexepackboot( )
{
// Create a new object EP of type Properties
EP = new Properties();
}

Figure (9) Class constructor code


import java.awt.*; // Also used for messagebox support
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.*;
import java.util.zip.GZIPInputStream;
import javax.swing.JOptionPane; // Added for messagebox support

Figure (10)

public jexepackboot( )
{
JOptionPane.showMessageDialog(null,"CLASS CONSTRUCTOR","Reversing info (jexepackboot)",
JOptionPane.INFORMATION_MESSAGE);
// Create a new object EP of type Properties
EP = new Properties();
}
public static void main(String args[])
{
JOptionPane.showMessageDialog(null,"MAIN METHOD - START", "Reversing info (jexepackboot)",
JOptionPane.INFORMATION_MESSAGE);
PQ = System.currentTimeMillis();
QQ = args[0].indexOf('D') >= 0;
RQ("Java=" + System.getProperty("java.version"));
jexepackboot jexepackboot1 = new jexepackboot();
int i = jexepackboot1.run(args);
if(i != 0){
JOptionPane.showMessageDialog(null,"MAIN METHOD - SYSTEM EXIT","Reversing info (jexepackboot)",
JOptionPane.INFORMATION_MESSAGE);
System.exit(i);
}
JOptionPane.showMessageDialog(null,"MAIN METHOD - END","Reversing info (jexepackboot)",
JOptionPane.INFORMATION_MESSAGE);
}

Figure (11)

Figure (12)

(1) VisualRoute.exe
(2) java -mx256n jexepackboot ER ...
(3) START (jexepackboot.class)
(4) jexepackboot jexepackboot1 = new jexepackboot();
(5) jexepackboot1 (constructor)
(6) int i = jexepackboot1.run(args);
(7) END (jexepackboot.class)

Figure (13)
Args[0] = ER
Args[1] = <root>:\<prog_folder>\VisualRoute\VisualRoute.exe (full path of the main executable)
Args[2] = <root>:\DOCUME~1\<user>\<temp_set>\Temp\XE70DC8 (full path of the temporary folder)
private int run(String as[])
{
// Checks the installed Java system.
if(!SQ())
return 9999;
if(as.length < 3)
return 10010;
// Checks whether E is present on the command line.
boolean flag = as[0].indexOf('E') >= 0;
// Checks whether R is present on the command line.
boolean flag1 = as[0].indexOf('R') >= 0;
// file is a pointer to the main executable.
File file = new File(as[1]);
// Stores the temporary folder path as the string s.
String s = as[2];
// Pushes the system-properties key "jexepack.exe" with item = <full path for VisualRoute.exe>.
UQ("exe", TQ = file.toString());
// Pushes the system-properties key "jexepack.resdir" with item = <temporary folder path>.
UQ("resdir", s);
// file1 is a pointer to the temporary folder.
File file1 = new File(s);

Figure (14)
private void UQ(String s, String s1)
{
Properties properties = System.getProperties();
properties.put("jexepack." + s, s1);
System.setProperties(properties);
String mybuffer = "key = jexepack." + s + "\nitem=" + s1;
JOptionPane.showMessageDialog(null, mybuffer, "Reversing info (UQ method)",
JOptionPane.INFORMATION_MESSAGE);
}

Figure (15)
Note: The System class is a key/value

// Loads the VisualRoute.exe image as the byte array abyte0[].
byte abyte0[] = IM(file);
The IM function works as follows.
private byte[] IM(File file)
{
RandomAccessFile randomaccessfile = null;
try
{
randomaccessfile = new RandomAccessFile(file, "r");
// Gets the file size and uses it as the size of a new byte array.
byte abyte0[] = new byte[(int)randomaccessfile.length()];
/* abyte0[] is a byte array the same size as the file pointed to. First everything in the file is read
and copied into the abyte0 array. Then the size is checked to make sure. If the size of the data read
equals the array size (that is, equals the file size), the copy has completed successfully. After that
we can copy the abyte0[] array into a new one named abyte1[]. */
if(abyte0.length == randomaccessfile.read(abyte0))
{
byte abyte1[] = abyte0; // abyte1[] is a reference to a one-dimensional byte array.
return abyte1;
}
}
catch(Exception _ex) { }
finally
{
try
{
// Everything is done, so the file stream can be closed.
randomaccessfile.close();
}
catch(Exception _ex) { }
}
return null;
}
private byte[] VQ(byte abyte0[], char c)
{
WQ = -1; // Sets WQ to -1. If everything goes well this value is never changed.
for(int i = 0; i + 28 < abyte0.length; i += 16)
if(BQ(abyte0, i) && abyte0[i + 15] == c)
{
int j = LQ(abyte0, i + 16);
int k = LQ(abyte0, i + 20);
long l = (long)j & 0xffffffffL | (long)k << 32;
int i1 = LQ(abyte0, i + 24);
int j1 = i + 16 + 8 + 4;
if(j1 + i1 <= abyte0.length)
{
if(1L == l * UM(abyte0, j1, j1 + i1))
return FO(new String(abyte0, 0, j1, i1));
WQ = 10092;
}
}
return null;
}

Figure (16)

private boolean BQ(byte abyte0[], int i)
{
int j = 0;
do
if(abyte0[i + j] != (char)(74 + (j * 3) / 2))
return false;
while(++j < 15);
return true;
}

Figure (17)

Figure (18)
Raw offset + Raw Size
400 + 1A00 = 1E00
1E00 + 800 = 2200
2600 + 600 = 2C00
2C00 + 1A00 = 4600 (sum of the Raw Size data)

Figure (19)

Figure (20)

Figure (21)

Figure (22)

Figure (23)

Figure (24)

Figure (25)

Figure (26)
// Loads VisualRoute.exe as the byte array abyte0[].
byte abyte0[] = IM(file);
// Checks whether the image was loaded successfully.
if(abyte0 == null)
return 10011;
// Looks for JKMNPQSTVWYZ\]_B in the overlay data.
if(VQ(abyte0, 'B') == null)
if(WQ > 0)
return WQ;
else
return 10002;
// Extracts the bytes of the JKMNPQSTVWYZ\]_V overlay data segment.
// Decrypts the bytes and returns them all as the byte array abyte1[].
byte abyte1[] = VQ(abyte0, 'V');
if(WQ > 0)
return WQ;
// Dumps the decrypted data to the file Vdata.dat on disk.
writeByteArrayToDisk(abyte1, "Vdata.dat", 0, 0, 0);
Figure (27)

private void writeByteArrayToDisk(byte bytebuffer[], String fileName, int start, int numbytes, int mode)
{
// Programmer = ThunderPwr of ARTEeam
File file = new File(fileName);
if (mode == 0)
{
try
{ // Writes the whole byte array, from 0 to the last element.
FileOutputStream file_output = new FileOutputStream (file);
DataOutputStream data_out = new DataOutputStream (file_output);
for (int i = 0; i < bytebuffer.length; i++)
{
data_out.writeByte(bytebuffer[i]);
}
file_output.close();
}
catch(IOException e)
{
System.out.println ("IO exception = " + e);
}
}
else
{
try
{ // Writes a section of the array, from start to start + numbytes elements.
FileOutputStream file_output = new FileOutputStream (file);
DataOutputStream data_out = new DataOutputStream (file_output);
for (int i = start; i < start + numbytes; i++)
{
data_out.writeByte (bytebuffer[i]);
}
file_output.close();
}
catch (IOException e)
{
System.out.println ("IO exception = " + e);
}
}
}
// Checks whether the extraction succeeded. After that, the string in the array is parsed and each parsed
// line is kept as a (key, item) pair so that it can be stored in the EP properties.
// Remember that the EP properties are like a local database.
if(abyte1 != null)
{
for(StringTokenizer stringtokenizer = new StringTokenizer(new String(abyte1, 0), "\n");
stringtokenizer.hasMoreTokens();)
{
String s3 = stringtokenizer.nextToken();
int j = s3.indexOf('=');
if(j > 0)
{
EP.put(s3.substring(0, j), s3.substring(j+1));
String key = s3.substring(0, j);
String item = s3.substring(j+1);
}
}
}
packager JexePack 5.5a
main vr
target JM
mx 256
windowed yes
execwd *

Figure (28)
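The overlay record layout that BQ and VQ walk, and the key=value parsing of the extracted properties text from the loop above, as an added example in Python (not code from VisualRoute, JexePack or this book). The page does not show LQ, UM or FO, so reading the int32 fields as little-endian is an assumption and the checksum field l is reported rather than verified; unlike VQ, find_records returns every record, not just the first with a given tag.

```python
import struct

# BQ's marker: byte j is 74 + (j*3)/2 for j = 0..14, i.e. "JKMNPQSTVWYZ\]_"
MARKER = bytes(74 + (j * 3) // 2 for j in range(15))


def has_marker(buf, i):
    """Equivalent of BQ: is the 15-byte marker present at offset i?"""
    return buf[i:i + 15] == MARKER


def find_records(buf):
    """Walk the image the way VQ does (16-byte stride, i + 28 < len) and
    return every record as (offset, tag, l, length, payload).  The two
    int32 fields after the tag are combined into the 64-bit value l exactly
    as VQ does; reading them little-endian is an assumption.  A record whose
    payload would run past the end of the buffer is skipped, as in VQ."""
    records = []
    i = 0
    while i + 28 < len(buf):
        if has_marker(buf, i):
            tag = chr(buf[i + 15])
            j, k, length = struct.unpack_from('<III', buf, i + 16)
            l = (k << 32) | j
            start = i + 16 + 8 + 4
            if start + length <= len(buf):
                records.append((i, tag, l, length, bytes(buf[start:start + length])))
        i += 16
    return records


def payload_for_tag(buf, tag):
    """VQ's contract: payload of the first record carrying `tag`, else None.
    VQ additionally requires l * UM(payload) == 1; UM is not shown on the
    page, so that check is not reproduced here."""
    for _, t, _, _, payload in find_records(buf):
        if t == tag:
            return payload
    return None


def parse_properties(text):
    """The StringTokenizer loop from run(): one "key=item" per line; lines
    without '=' (or with it in column 0) are ignored, as the j > 0 test does."""
    props = {}
    for line in text.split('\n'):
        j = line.find('=')
        if j > 0:
            props[line[:j]] = line[j + 1:]
    return props


def build_record(tag, payload, l=0):
    """Constructed record in the same layout, zero-padded to a 16-byte
    boundary so that VQ's i += 16 stride lands on the next record."""
    body = (MARKER + tag.encode('ascii')
            + struct.pack('<III', l & 0xffffffff, l >> 32, len(payload))
            + payload)
    return body + b'\0' * (-len(body) % 16)


# Constructed stand-in for the executable image followed by two overlay
# records; the 'B' record carries text in the properties format of Figure (28).
B_TEXT = (b'packager=JexePack 5.5a\nmain=vr\ntarget=JM\nmx=256\n'
          b'windowed=yes\nexecwd=*\n')
IMAGE = (b'MZ' + b'\0' * 62
         + build_record('B', B_TEXT, 7)
         + build_record('V', b'V payload', 0x1122334455667788))

if __name__ == '__main__':
    for off, tag, l, length, payload in find_records(IMAGE):
        print('record at %#x tag=%s l=%#x length=%d' % (off, tag, l, length))
    print(parse_properties(payload_for_tag(IMAGE, 'B').decode('ascii')))
```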
Note: JexePack is

Another tool produced by this same company is


// Extracts the item for the "build" key from the Properties.
// So if no key equals build, s2 is set to null.
String s2 = EP.getProperty("build");
if(s2 != null)
UQ("build", s2);
if(!SQ())
return 9999;
// File writing starts.
if(flag)
{
RQ("extract=yes");
// Finds JKMNPQSTVWYZ\]_Z and stores it as the array abyte2[].
byte abyte2[] = VQ(abyte0, 'Z');
// If data was extracted, saves it to disk.
if(abyte2 != null && abyte2.length > 4)
{
Object obj = null;
abyte2 = XQ(abyte2);
int k = LQ(abyte2, 0);
int l = LQ(abyte2, 4);
abyte2 = YQ(abyte2, l, 8); // Decompresses the GZIP data stream.
int i1 = abyte2 != null ? ZQ(file1, abyte2, k) : 10034;
if(i1 > 0)
return i1;
RQ("extracted=" + k);
}
else if (WQ > 0)
return WQ;
else
return 10012;
}
// File writing ends.
if(!flag1)
return 12345;

// The "main" key refers to the item "vr".
// So this statement will set s1 equal to "vr".
String s1 = EP.getProperty("main");
if(s1 == null) // s1 = vr
return 10020;
// Now the new vr class is created with the Class.forName(<class_name>) statement.
Object obj1 = null;
int i = 0;
Class class1 = null;
try
{
class1 = Class.forName(s1);
}
catch(Throwable throwable)
{
obj1 = ((Object) (throwable));
i = 10024;
}
// Creates a new file named Jz.Ky.Tx in the temporary folder.
File file2 = new File(file1, "Jz.Ky.Tx");

if(obj1 == null)
{
if(!QM(file2, new byte[100]))
return 10013;
String as1[] = new String[as.length - 3];
for(int j1 = 0; j1 < as1.length; j1++)
as1[j1] = as[3 + j1];
// At this point jexepackboot is run as a daemon thread (cyclic).
Thread thread = new Thread(this);
thread.setDaemon(true);
thread.start();
// Deletes the jexepackboot.class file from the temporary folder.
(new File(file1, getClass().getName() + ".class")).delete();
try
{ // Executes the main method of the new class.
RQ("main=" + s1); // s1 = vr
Method method = class1.getMethod("main", new Class[] {java.lang.String[].class});
method.invoke(null, new Object[] { as1 });
}

// File writing ends.
if(!flag1)
return 12345;
JOptionPane.showMessageDialog(null,"run Method, FILE WROTE\npatch the vr.class", "Reversing info (jexepackboot)",
JOptionPane.INFORMATION_MESSAGE);

(5) Java cracking (studying the code in detail)

(The remaining parts will be continued in later versions.)
Chapter (18) – Cracking programs written in Visual Dot.net - 266 -

Chapter (18) - Cracking programs written in Visual Dot.net


This time it is the turn of .net programs for us to try cracking. Cracking .net programs is a great deal easier than cracking other programs written against native APIs. The reason is that you can see the source code the program was written in. Since you can see everything, down to which functions are called with which arguments, cracking becomes very easy for crackers. In any case, before cracking I want you to understand the nature of .net, so I will first explain the basic theory behind it.
(1) What .net is ...
For most programmers the concepts behind .net are something of a riddle. .net is one of Microsoft's most popular buzzwords and is used widely across Microsoft products, from ASP.net to Visual Studio.net. In fact .net programs are not compiled directly to machine code. (Languages such as C++ are compiled directly to machine code.) They are compiled into what is called IL, the Intermediate Language. If you have had anything to do with Java, the .net Framework is like the Java Virtual Machine. IL can be compared with the bytecode that Java programs are compiled into. From a programming point of view, converting to bytecode like this brings many benefits (apart from a drop in execution speed). Java's reason for doing it is to let Java programs run on different OSes and even on different kinds of processor. Although that is not .net's main purpose, the design approach is the same.
For .net programmers the main advantage of IL is that identifiers (class names, function names, variable names) remain present in compiled programs. (Note: remember the earlier discussion of how, when C programs are compiled, local variable names are lost beyond recovery.) This lets programmers write different parts of one program in different languages.
That same point is also the main advantage for crackers. Because .net programs express their source as bytecode, the identifiers remain intact. Likewise, since IL is a little higher-level than real processor code, it can easily be reconstructed as a high-level language. Knowing this, people were able to build tools that turn .net programs back into their original .net source code. One good tool of this kind was written by Lutz Roeder and is called Reflector.
(2) Tools
I will discuss the tools we will use before cracking .net programs. You will not need all of these tools at the same time, but you should arrange to have all of them.
(2.1) Reflector (.net assembly decompiler)
Reflector is a class browser for .net components. This tool can find the metadata, IL instructions, resources and XML documentation stored in a .net assembly.
http://www.aisto.com/roeder/dotnet/
(2.2) ILDasm (.net assembly decompiler)
The MSIL Disassembler is a companion tool to the MSIL Assembler (Ilasm.exe). ILDasm.exe takes a PE file containing Microsoft intermediate language (MSIL) code and produces a text file suitable for Ilasm.exe.
Reflector can decompile a .net assembly into IL code, but it does not show the actual bytes of the IL instructions in the assembly. In ILDasm you can choose to have the IL instructions displayed with their hex values.
For example, look at the BLE instruction. If the first value is less than or equal to the second value, it jumps to the specified instruction. (In native code this is like JLE.) If you look in a hex editor, you will find that the actual byte is 3E. If you change the BLE instruction to BGT, it jumps to the specified instruction when the first value is greater than the second. That one is represented by 3D. So if you want to patch this spot, go to the hex editor and change 3E to 3D.
Fine, let us look at a procedure examined with ILDasm.
.method public specialname instance class Scroller.Scroller/Title
get_Titles(object Index) cil managed
// SIG: 20 01 12 0C 1C
{
// Method begins at RVA 0xcd7c
// Code size 23 (0x17)
.maxstack 2
.locals init (class Scroller.Scroller/Title V_0)
IL_0000: /* 02 | */ ldarg.0
IL_0001: /* 7B | (04)00000D */ ldfld
IL_0006: /* 03 | */ ldarg.1
IL_0007: /* 28 | (0A)00005C */ call object
IL_000c: /* 6F | (0A)00005D */ callvirt instance object
IL_0011: /* 74 | (02)000003 */ castclass Scroller.Scroller/Title
IL_0016: /* 2A | */ ret
} // end of method Scroller::get_Titles
This is some code from the IL.
IL_0000 : the line number.
02 : the actual byte(s) of the IL instruction on that line.
ldarg.0 : the IL instruction.
Do not be discouraged if you do not understand these. They will be discussed in detail later.
The advantage of seeing the bytes and the IL instructions is that, whether you want to NOP a CALL or edit the spot you want to patch, you can make the change easily. To calculate the file offset you must use the RVA.
Ildasm is included when you install Visual Studio 200x, so there is no need to download it separately.
(2.3) WinHex (Hex editor)
Any hex editor can be used, but WinHex is my favourite.
http://www.x-ways.com/
(2.4) CFF Explorer (General PE File Explorer)
It is a rather good tool for viewing the contents of any PE file, including the metadata tables and resources inside the assembly.
http://www.ntcore.com
(2.5) SNS Remover (Strong Name Signature Remover)
Some .net assemblies are signed with digital signatures when they are built, to prevent tampering and modification. If any byte in a strongly named assembly is changed, the .net runtime will refuse to start the assembly. But our SNS Remover tool can strip the signature field from a signed assembly. I should mention here that our CFF Explorer can also remove the Strong Name signature from a .net assembly and rebuild the PE file. Figure (1). But I prefer this little tool.

Figure (1)
http://www.pmode.com

(2.6) PEBrowse Professional (Disassembler/Debugger)

It is a debugger/disassembler that can disassemble and debug .net assemblies. It can show the IL instructions together with their actual bytes. In addition it can break on any JIT compiler event. Using this debugger you can trace .net IL instructions and then learn what is going on behind the scenes.
http://www.smidgeonsoft.com
(2.7) .Net Generic Unpacker (.Net assembly Unpacker)
You will need this tool when dumping .net assembly PE files. Some .net protection software, such as .Net Reactor, packs your program's .net assembly and produces a PE file that is not MSIL. Your file's assembly is unpacked again only when it runs in memory. This technique is used to protect the original assembly's code from being obtained. But you can get past it using the simple .Net Generic Unpacker.
http://www.ntcore.com
Finally, I should say that Reflector sometimes cannot decompile certain procedures or functions into the language of your choice (C#, VB, Delphi), so you need to become familiar with IL instructions. Compared with learning assembly language to crack native code, IL code is easier to learn and quicker to understand.
(3) Opcode
This is the most important point in cracking. As you have seen, .net applications express their program instructions in MSIL form, so compiling in Visual Studio does not turn your source code into native machine code. Only when it is compiled by the JIT compiler is it converted to native code. JIT stands for just-in-time compiler: it converts parts of your program to native code and executes them as they are needed. Let us study some code output by Ildasm.
IL_0000: /* 02 | */ ldarg.0
Line number / Actual byte(s) / IL instruction
Opcodes are the representation of Microsoft Intermediate Language (MSIL) instructions. If you have understood the earlier chapters thoroughly, you will know what the following instructions mean:
JMP JNE JLE NOP CALL etc. ...
MSIL opcodes are not the same as the native opcodes designed for Intel processors. For example, in native code programs, when you know the offset of a CALL to a function and do not want that CALL to execute, you open the program in a hex editor and replace it with the byte 90, which stands for NOP (No OPeration).
In MSIL it is represented by 00 instead of 90. Because this is an important point, I have listed the opcodes you will need for MSIL. You will not need to use all of these opcodes when cracking .net programs. For the most part you will use NOP and the jump instructions, to get past unregistered states.
To give a better understanding of the opcodes, I have left them untranslated, as in the original. They will be translated as needed when we actually crack programs. For fear of making it too long, only the commonly used opcodes are listed.
Opcode       Actual bytes   Meaning
And          5F             Computes the bitwise AND of two values and pushes the result onto the evaluation stack.
Beq          3B             Transfers control to a target instruction if two values are equal.
Beq_S        2E             Transfers control to a target instruction (short form) if two values are equal.
Bge          3C             Transfers control to a target instruction if the first value is greater than or equal to the second value.
Bge_S        2F             Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value.
Bge_Un       41             Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bge_Un_S     34             Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt          3D             Transfers control to a target instruction if the first value is greater than the second value.
Bgt_S        30             Transfers control to a target instruction (short form) if the first value is greater than the second value.
Bgt_Un       42             Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt_Un_S     35             Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Ble          3E             Transfers control to a target instruction if the first value is less than or equal to the second value.
Ble_S        31             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value.
Ble_Un       43             Transfers control to a target instruction if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Ble_Un_S     36             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Blt          3F             Transfers control to a target instruction if the first value is less than the second value.
Blt_S        32             Transfers control to a target instruction (short form) if the first value is less than the second value.
Blt_Un       44             Transfers control to a target instruction if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Blt_Un_S     37             Transfers control to a target instruction (short form) if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Bne_Un       40             Transfers control to a target instruction when two unsigned integer values or unordered float values are not equal.
Bne_Un_S     33             Transfers control to a target instruction (short form) when two unsigned integer values or unordered float values are not equal.
Br           38             Unconditionally transfers control to a target instruction.
Brfalse      39             Transfers control to a target instruction if value is false, a null reference (Nothing in Visual Basic), or zero.
Brfalse_S    2C             Transfers control to a target instruction if value is false, a null reference, or zero.
Brtrue       3A             Transfers control to a target instruction if value is true, not null, or nonzero.
Brtrue_S     2D             Transfers control to a target instruction (short form) if value is true, not null, or nonzero.
Br_S         2B             Unconditionally transfers control to a target instruction (short form).
Call         28             Calls the method indicated by the passed method descriptor.
Clt          FF 04          Compares two values. If the first value is less than the second, the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Clt_Un       FE 03          Compares the unsigned or unordered values value1 and value2. If value1 is less than value2, then the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Jmp          27             Exits current method and jumps to specified method.
Ldarg        FE 09          Loads an argument (referenced by a specified index value) onto the stack.
Ldarga       FF 0A          Load an argument address onto the evaluation stack.
Ldarga_S     0F             Load an argument address, in short form, onto the evaluation stack.
Ldarg_0      02             Loads the argument at index 0 onto the evaluation stack.
Ldarg_1      03             Loads the argument at index 1 onto the evaluation stack.
Ldarg_2      04             Loads the argument at index 2 onto the evaluation stack.
Ldarg_3      05             Loads the argument at index 3 onto the evaluation stack.
Ldarg_S      0E             Loads the argument (referenced by a specified short form index) onto the evaluation stack.
Ldc_I4       20             Pushes a supplied value of type int32 onto the evaluation stack as an int32.
Ldc_I4_0     16             Pushes the integer value of 0 onto the evaluation stack as an int32.
Ldc_I4_1     17             Pushes the integer value of 1 onto the evaluation stack as an int32.
Ldc_I4_2     18             Pushes the integer value of 2 onto the evaluation stack as an int32.
Ldc_I4_3     19             Pushes the integer value of 3 onto the evaluation stack as an int32.
Ldc_I4_4     1A             Pushes the integer value of 4 onto the evaluation stack as an int32.
Ldc_I4_5     1B             Pushes the integer value of 5 onto the evaluation stack as an int32.
Ldc_I4_6     1C             Pushes the integer value of 6 onto the evaluation stack as an int32.
Ldc_I4_7     1D             Pushes the integer value of 7 onto the evaluation stack as an int32.
Ldc_I4_8     1E             Pushes the integer value of 8 onto the evaluation stack as an int32.
Ldc_I4_M1    15             Pushes the integer value of -1 onto the evaluation stack as an int32.
Ldc_I4_S     1F             Pushes the supplied int8 value onto the evaluation stack as an int32, short form.
Ldstr        72             Pushes a new object reference to a string literal stored in the metadata.
Leave        DD             Exits a protected region of code, unconditionally transferring control to a specific target instruction.
Leave_S      DE             Exits a protected region of code, unconditionally transferring control to a target instruction (short form).
Mul          5A             Multiplies two values and pushes the result on the evaluation stack.
Mul_Ovf      D8             Multiplies two integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Mul_Ovf_Un   D9             Multiplies two unsigned integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Neg          65             Negates a value and pushes the result onto the evaluation stack.
Newobj       73             Creates a new object or a new instance of a value type, pushing an object reference (type O) onto the evaluation stack.
Nop          00             Fills space if opcodes are patched. No meaningful operation is performed although a processing cycle can be consumed.
Not          66             Computes the bitwise complement of the integer value on top of the stack and pushes the result onto the evaluation stack as the same type.
Or           60             Computes the bitwise complement of the two integer values on top of the stack and pushes the result onto the evaluation stack.
Pop          26             Removes the value currently on top of the evaluation stack.
Rem          5D             Divides two values and pushes the remainder onto the evaluation stack.
Rem_Un       5E             Divides two unsigned values and pushes the remainder onto the evaluation stack.
Ret          2A             Returns from the current method, pushing a return value (if present) from the caller's evaluation stack onto the callee's evaluation stack.
Rethrow      FE 1A          Rethrows the current exception.
Stind_I1     52             Stores a value of type int8 at a supplied address.
Stind_I2     53             Stores a value of type int16 at a supplied address.
Stind_I4     54             Stores a value of type int32 at a supplied address.
Stloc        FE 0E          Pops the current value from the top of the evaluation stack and stores it in the local variable list at a specified index.
Sub          59             Subtracts one value from another and pushes the result onto the evaluation stack.
Sub_Ovf      DA             Subtracts one integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Sub_Ovf_Un   DB             Subtracts one unsigned integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Switch       45             Implements a jump table.
Throw        7A             Throws the exception object currently on the evaluation stack.
Xor          61             Computes the bitwise XOR of the top two values on the evaluation stack, pushing the result onto the evaluation stack.

The obstacles you will run into when cracking any assembly are the following. Here I will only describe them briefly; if you want the details, you can search for them on Google.
(a) Obfuscation
This refers to the process of turning method and class names, such as the IsLicensed function, into unreadable characters so that we cannot find them. Obfuscation can make things difficult for you, but tracing through obfuscated code is not that hard. The solution is to set bookmarks in Reflector, or to keep notes on a blank sheet of paper. Cracking requires patience; without patience you will not be able to crack anything.
(b) Encoded Strings
This one is rather nasty. Previously, when looking for strings in Olly, we could find them through Search, and from those strings we could see how the functions (CALLs) worked. Here you will not see strings like "Invalid Serial Number". The most common way to hide strings is to encode them and store the encoded stream as a binary .net resource. A function is then called to retrieve a string from the encoded stream only when that string is needed. The weakness of this method is that the decoding routine has to be fast so that the program runs quickly; it cannot be much slower than using the strings without decoding, or than having no strings at all. Usually the decoding functions use byte shifting and rearrange the bytes to decode the strings. But they are easy to decode: once you find the decoder (the decoding function) you can recover the strings, and you could even write your own decoder. Later I will show how to crack the decoding functions used in commercial software.
(c) Strong Name Signature
A digital signature is for authenticating digital documents, text and data, and it prevents the information from being tampered with. Public-key cryptography is used to create a digital signature. To create one, a 160-bit hash value is signed first, and then encrypted with a specific private key. Anyone holding the public key that corresponds to the private key can use it to authenticate the information about the author, and can confirm the signature if the data has not been altered.
This is one of the methods used to protect .net assemblies from modification. When an exe file created with .net is run, the program will check the strong name signature. If one is present, the digital signature is checked, and if the check fails it knows the assembly has been modified and refuses to run the program.
You can find the details of how strong name signatures work on the Internet.
(4) Finding the Entry Point Method (EPM)
The Entrypoint Method is the first method called when a .net application starts, and it is important to be able to see it in Reflector or Ildasm. In a typical .net application it has this form:
Public Shared Sub Main()
Application.Run (New MainForm)
End Sub

The importance of this method is that you can trace the program's actions from the moment it starts until you reach the registration routine.
Another benefit of this method is that you can examine the MainForm class that the application being cracked uses as its main form. If you look carefully at Application.Run, you will see the arguments going into and out of this function and their values.
To find the Entrypoint RawData offset, what you need to do is:
1. Open the program to be cracked in CFF Explorer.
2. Go to the .NET Directory node.
3. Among the values shown in the grid, find the EntrypointToken row.
4. Look at the value in the last column of this row. This value is a DWORD and it will lead us to the entrypoint method.
Here let us assume the token value is 06000028. The token value may look strange to you. It is a DWORD value that identifies a table and an index into that table; that is, it points to a table and to a row within that table. For example, let us take our token value to be 06000028:
06 000028
Table index Row index in that table
The table we are talking about here is the Methods table. If you look in CFF Explorer, you can see it in the Tables node under the Metadata Streams node. Once in the Tables node, find the Method table as in Figure (2).

Figure (2)
Expand the Method table and find index 40 (28h). You will then see Figure (3).

Figure (3)
Select the location in Figure (3) and you can view the information for this method. What interests us most here is the first row, which gives the RVA of this method. Reading the value in the last column, it is 0x4974.
(5) Finding the file offset of the EPM with CFF Explorer
A .net PE file has three sections: .text, .reloc and .rsrc. The .text section contains the Import Table, the Import Address Table and the .Net section. Let us assume a .net PE file has the following values:

ImageBase of the .net PE file 0x400000
.text section virtual address 0x002000
.text section Raw address 0x000200
EntryPoint Method VA 0x004974
When this file is loaded into memory, this is what we see:
0x400000      0x402000      0x404974   <- RVA
ImageBase > > > .text > > > EP_Method
0x0           0x2000        0x4974     <- VA
So when the file is laid out in memory, the .text section is found 0x2000 bytes from the ImageBase, and the method data is found 0x4974 bytes from the ImageBase.
Now let us calculate the offset for finding ep_method within the .text section.
Offset = [EP_Method VA] – [.text section VA]
= 0x4974 – 0x2000
= 0x2974
So the method data starts at 0x2974 within the .text section data. Using the .text section RawData Offset, we can likewise calculate the RawData Offset of the method.
Method RawData Offset = .text section RawData Offset + 0x2974
= 0x200 + 0x2974
= 0x2B74
So the method offset in the file is 0x2B74.
Right-click the location in Figure (3) and choose Disassemble Method; you will see Figure (4).

Figure (4)
In its simplest form:
EPM File Offset = [EntryPoint VA] – [.text section VA] + [.text section RawAddress]
All three values can be obtained from CFF Explorer. CFF Explorer also includes an Address Converter, so once you have the RVA you can compute the file offset of any method.
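The same calculation, done from the section table rather than by hand, as an added example that is not part of the original text: the script below builds a constructed minimal PE image (not a real binary) whose single .text section uses the values above (VirtualAddress 0x2000, PointerToRawData 0x200), parses the section headers, converts the method RVA 0x4974 to a file offset, and splits a metadata token into its table and row indices. Everything in it is an assumption for illustration except the numbers taken from the text.

```python
import struct

# Constructed sample image (not a real binary): a DOS header whose e_lfanew
# points at "PE\0\0", a COFF header, a zeroed PE32 optional header and one
# .text section header using the values from the text (VA 0x2000, raw 0x200).
def build_sample_pe() -> bytes:
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (0xE0 - 2)  # PE32 magic, rest unused here
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenum pointers and counts, Characteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x3000, 0x2000, 0x3000, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + optional + text


def parse_sections(image: bytes) -> list:
    """Return [(name, virtual_address, virtual_size, raw_offset, raw_size), ...]."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw, rawsize))
    return sections


def rva_to_file_offset(sections: list, rva: int) -> int:
    """Apply the text's formula: offset = rva - section VA + section raw address.

    The text calls the ImageBase-relative value a 'VA'; in PE terminology it is
    an RVA, which is what the .NET metadata tables store."""
    for name, va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def decode_token(token: int) -> tuple:
    """Split a metadata token into (table index, row index); 0x06 is MethodDef."""
    return token >> 24, token & 0x00FFFFFF


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print(secs)
    print(hex(rva_to_file_offset(secs, 0x4974)))  # 0x2b74
    print(decode_token(0x06000028))               # (6, 40)
```

The range check in rva_to_file_offset uses the larger of VirtualSize and SizeOfRawData, because an RVA that lands past the raw data of a section but inside its virtual size has no bytes on disk at all; treating that as an error rather than returning a bogus offset is what keeps a hex-editor search from landing in the wrong place.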

(6) Finding the Entry Point Method (EPM) with Ildasm
This is an easy task: you need to know the actual byte sequence from the Entrypoint Method disassembly. This method can be used for any method, not only the EPM:
.method public hidebysig static void Main() cil managed
// SIG: 00 00 01
{
.entrypoint
.custom instance void
[mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Method begins at RVA 0x4974
// Code size 26 (0x1a)
.maxstack 8
IL_0000: /* 00 | */ nop
IL_0001: /* 28 | (0A)000078 */ call void
IL_0006: /* 00 | */ nop
IL_0007: /* 16 | */ ldc.i4.0
IL_0008: /* 28 | (0A) 000079 */ call void
IL_000d: /* 00 | */ nop
IL_000e: /* 73 | (06) 00003D */ newobj instance
IL_0013: /* 28 | (0A) 00007A */ call void
IL_0018: /* 00 | */ nop
IL_0019: /* 2A| */ ret
} // end of method Form1::Main

This is the disassembly of the EntryPoint Method taken from a very simple .net application, and you can see the IL instructions in this method. Search for the following byte sequences in a hex editor:
IL_0001 287800000A
IL_0008 287900000A
So the hex sequence to search for is 00 28 78 00 00 0A 00 16 28 79 00 00 0A. Normally searching for about 10 bytes is enough to find the correct offset. Figure (5) shows the hex sequence being searched for in WinHex.

Figure (5)
This will take you to the first offset of the actual bytes. With the previous method, where you arrived was the Method Header byte that precedes the code bytes. The structure of a .net method is as in Figure (6).

Figure (6)
The first method takes you to the location marked >, and if you want to reach the first byte of the code you must add the header size value of 1 (it will not always be 1). That is why our computed answer was 2B74 rather than 2B75.
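To see why the header size is "not always 1", here is an added example (not code from the original text) that parses a CLI method body header, tiny or fat, and then decodes the 26 code bytes of Form1::Main from the listing above using the opcode values from the reference table in this chapter. The method body is constructed from the listing; the opcode subset and the fat-header sample are my assumptions for illustration.

```python
import struct

# IL opcodes used in the listing above (subset of the single-byte opcode map):
# mnemonic and operand size in bytes. call/newobj/stfld take a 4-byte token.
OPCODES = {
    0x00: ("nop", 0), 0x02: ("ldarg.0", 0), 0x16: ("ldc.i4.0", 0),
    0x17: ("ldc.i4.1", 0), 0x28: ("call", 4), 0x2A: ("ret", 0),
    0x73: ("newobj", 4), 0x7D: ("stfld", 4),
}


def parse_method_header(body: bytes) -> tuple:
    """Return (header_size, code_size) for a CLI method body.

    Tiny header: one byte, low two bits 0b10, code size in the top six bits.
    Fat header: 12 bytes, low two bits 0b11, header size in dwords in the
    high nibble of byte 1, code size as a dword at offset 4."""
    kind = body[0] & 0x3
    if kind == 0x2:
        return 1, body[0] >> 2
    if kind == 0x3:
        header_size = (body[1] >> 4) * 4
        code_size, = struct.unpack_from("<I", body, 4)
        return header_size, code_size
    raise ValueError("not a tiny or fat method header")


def disassemble(code: bytes) -> list:
    """Return [(il_offset, mnemonic, operand_or_None), ...]."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op:#04x} at IL_{pos:04x}")
        name, size = OPCODES[op]
        operand = None
        if size:
            operand, = struct.unpack_from("<I", code, pos + 1)
        out.append((pos, name, operand))
        pos += 1 + size
    return out


# Constructed method body: the 26 code bytes of Form1::Main from the listing,
# preceded by the tiny header byte (26 << 2) | 0x2 = 0x6A.
MAIN_CODE = bytes.fromhex(
    "00 28 78 00 00 0A 00 16 28 79 00 00 0A 00 73 3D 00 00 06 28 7A 00 00 0A 00 2A"
)
MAIN_BODY = bytes([0x6A]) + MAIN_CODE


def dump(body: bytes) -> list:
    """Skip the header (1 or 12 bytes) and disassemble exactly code_size bytes."""
    hdr, size = parse_method_header(body)
    return disassemble(body[hdr:hdr + size])


if __name__ == "__main__":
    for off, name, operand in dump(MAIN_BODY):
        print(f"IL_{off:04x}: {name}" + (f" {operand:#010x}" if operand is not None else ""))
```

A method with more than 8 stack slots, locals, or exception handlers gets a fat header, so the offset printed by a tool that points at the header must have 12 added rather than 1 to reach the first opcode; reading the header kind first avoids patching the header byte by mistake.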

(7) Finding the Entry Point Method node in the Ildasm tree
Do you want to see the decompilation of the Entrypoint Method? After learning the EntryPoint Method RVA from CFF Explorer, it is time to look at its code. You can use either ILDasm or Reflector for this. But remember that ILDasm can only show the decompilation of .net methods in IL form. With luck, Reflector will decompile the EntryPoint Method code into the .net language of your choice; otherwise you will have to rely on ILDasm to analyze the code. Both ILDasm and Reflector can show assemblies as a tree view, but only ILDasm tells you the RVA of every method you decompile. Let us look at some code examined with ILDasm.
.method public hidebysig static void Main() cil managed
// SIG: 00 00 01
{
.entrypoint
.custom instance void
[mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Method begins at RVA 0x4974
// Code size 26 (0x1a)
.maxstack 8
IL_0000: /* 00 | */ nop
IL_0001: /* 28 | (0A)000078 */ call void
IL_0006: /* 00 | */ nop
IL_0007: /* 16 | */ ldc.i4.0
IL_0008: /* 28 | (0A) 000079 */ call void
IL_000d: /* 00 | */ nop
IL_000e: /* 73 | (06) 00003D */ newobj instance
IL_0013: /* 28 | (0A) 00007A */ call void
IL_0018: /* 00 | */ nop
IL_0019: /* 2A| */ ret
} // end of method Form1::Main

Most of the time you will encounter obfuscated code and will not be able to tell which node in ILDasm is the EntryPoint Method. If there are hundreds or thousands of nodes it is even harder to find.
You already know the EntryPoint Method RVA from CFF Explorer. Now I will show how to find the EntryPoint Method node. In ILDasm, decompile some method in any class and look at its RVA value. If this value is larger than the EPM RVA, look at a higher-level node. The higher up the nodes you go, the smaller the RVA values of the methods. Searching this way for a minute or two, you will find the EntryPoint Method node in ILDasm. (Note: when searching this way, be careful not to have Sort by name selected in ILDasm's View menu.)
(8) Using the Entry Point Method (EPM) with PEBrowse Debugger
After learning the EntryPoint token of the application to be cracked from CFF Explorer, you can use this token to find the EntryPoint Method in PEBrowse. By setting a breakpoint at the point where the JIT compiler compiles the EPM, you can break into the .net application. To do this:
(1) Open the application to be cracked in PEBrowse. Wait until all libraries and modules have loaded.
(2) PEBrowse will stop just before the EPM is called. So this is the best time to find the node and set a breakpoint there.
(3) When the application is loaded, the .net modules in the module list will have red icons (Figure (7)). Looking at the Methods node you will see the classes with their individual methods.
(4) The token for each method is shown next to its name. For example, the token for button1_Click is 06000005.
(5) Since you already know the EPM from CFF Explorer, you can find the correct node here. As with the RVA in ILDasm, the token values increase as you go down.

(6) When you find the correct node, just right-click there and choose the "Add Breakpoint" menu item.

Figure (7)
(9) Patching basics
This time let us look at patching .net applications. The program chosen for patching is Dot_Net_ReverseMe_2.exe, which you can download from the download section of www.tuts4you.com. (It does not matter if you do not have this little program; what matters is following the explanation.) First, check the program to be patched with PEiD (Figure (8)).

Figure (8)
The program is clearly written in a .net language. Now, when you run the program you see Figure (9).

Figure (9)
According to Figure (9) there is nothing for us to do, because there is no textbox to enter a serial and no button to check whether the serial is correct. So open the program in Reflector to look at the code (Figure (10)).

Figure (10)
Now we see some interesting things. One of them is a boolean named IsRegistered. Another is the CheckReg() function. Double-click CheckReg() to open it and you will see that our suspicion is correct (Figure (11)).

Figure (11)
Now I will explain .ctor(). In C++, Java, C# or any other OOP (Object Oriented Programming) language, classes have a constructor that initializes the values of the class members. In .net the class constructor is not given a name; it is just called .ctor(), short for constructor. The member variable IsRegistered determines whether the program is registered. What gives us an opening is that the registered state is initialized in the constructor. Now let us open .ctor() and look (Figure (12)).

Figure (12)
In fact our program is unregistered because of the statement this.IsRegistered = false; in .ctor(). If we could change false to true here ... ☺☺
The decompiled code we are looking at now is in C#. Let us view Figure (12) in MSIL (Figure (13)).

Figure (13)
Figure (13) is a direct translation of the bytecode. To patch .net programs you must look at them in IL. In fact .net can be called a stack machine, because it does its work on a stack rather than in registers. For example, to move a value from A to B, the value of A is PUSHed onto the stack and then POPped from the stack into B. Other systems move directly from A to B or use a register for temporary storage.
To understand Figure (13) properly you need to understand the IL opcodes. Looking at Figure (13), you can see that the stack is used heavily for these two lines of code. The single line this.IsRegistered = false; alone translates into three stack-related instructions, as shown below:

L_0000: ldarg.0
L_0001: ldc.i4.0
L_0002: stfld bool Dot_Net_ReverseMe_2.frmMain::IsRegistered
Translating these IL instructions with the IL reference:
ldarg.0 Loads argument 0 onto the stack.
ldc.i4.0 Pushes 0 onto the stack as an I4.
stfld Replaces the value of the field of object obj with val.
Rewritten as object-oriented pseudocode, this is equivalent to (arg0).IsRegistered = 0;. To make the program registered, it should read (arg0).IsRegistered = 1;. That means the second instruction should be changed to ldc.i4.1.
This is basic cracking. Look at the bytecode of ldc.i4.0: it is 0x16. The bytecode of ldc.i4.1 is 0x17. So now we know what to replace. Reflector only shows us the code; it does not show the address of the byte we want to change. I have not yet found a tool that shows the virtual address of such bytes/instructions. So instead of viewing .ctor() in Reflector, let us switch to ILDasm (Figure (14)).

Figure (14)
We have already studied how to find the offset of a method. Here, instead of calculating the offset with the formula, let us just type the hex byte sequence 02 16 7D 06 00 00 04 02 28 0E 00 00 0A into a hex editor and search for it (Figure (15)).

Figure (15)
You can use any hex editor you like; I am using WinHex 15.2. Type it in and search as in Figure (15) and you will see Figure (16).

Figure (16)
According to Figure (16), the starting offset of .ctor() is 0x105C. To be more certain you can check in CFF Explorer. Change the 16 in Figure (16) to 17 and save the file. Running the saved file, you will see Figure (17).
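The one-byte change just described is exactly what an integrity check at load time has to catch, which is why the strong name signature discussed under (c) exists. As an added example (not code from the original text, and run against a constructed buffer rather than the real Dot_Net_ReverseMe_2.exe), the script below locates the .ctor() byte sequence from the text, refuses to act if the sequence is not unique, applies the 0x16 to 0x17 change, and shows that a stored SHA-256 of the original file rejects the patched copy. The filler bytes, offsets other than 0x105C, and the digest check are assumptions for illustration.

```python
import hashlib

# Constructed file image (not the real Dot_Net_ReverseMe_2.exe): filler bytes,
# then the .ctor() byte sequence from the text at offset 0x105C, then filler.
CTOR_PATTERN = bytes.fromhex("02 16 7D 06 00 00 04 02 28 0E 00 00 0A")
SAMPLE_FILE = b"\xCC" * 0x105C + CTOR_PATTERN + b"\x00\x2A" + b"\xCC" * 0x100


def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of PATTERN in DATA; refuse to guess if it is absent or ambiguous."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern occurs more than once; search for a longer sequence")
    return first


def patch_ldc_i4_0_to_1(data: bytes, ctor_offset: int) -> bytes:
    """Apply the one-byte change the text describes: 0x16 -> 0x17 after ldarg.0."""
    idx = ctor_offset + 1          # byte after the leading 02 (ldarg.0)
    if data[idx] != 0x16:
        raise ValueError(f"expected ldc.i4.0 (0x16) at {idx:#x}, found {data[idx]:#04x}")
    return data[:idx] + b"\x17" + data[idx + 1:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """What a hash-based integrity check (or strong-name verification) decides at load."""
    return sha256_hex(data) == expected_digest


if __name__ == "__main__":
    known_good = sha256_hex(SAMPLE_FILE)
    off = find_unique(SAMPLE_FILE, CTOR_PATTERN)
    patched = patch_ldc_i4_0_to_1(SAMPLE_FILE, off)
    print(f".ctor() at {off:#x}; patched byte at {off + 1:#x} = {patched[off + 1]:#04x}")
    print("original passes:", integrity_ok(SAMPLE_FILE, known_good))  # True
    print("patched passes:", integrity_ok(patched, known_good))       # False
```

The uniqueness check matters in practice: the thirteen-byte sequence contains two metadata tokens, so it is specific to this assembly, but a shorter sequence such as 02 16 7D would match every constructor that clears a boolean field.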

Figure (17)
So our registration has succeeded. If you want to know where the CheckReg() function is called from, right-click the CheckReg() function in Reflector and choose Callee Graph (Ctrl+E) (Figure (18)).

Figure (18)
Viewing the .ctor() of the patched and saved file in Reflector shows Figure (19).

Figure (19)
(10) Unpacking a .net file packed with NsPack
Normally Olly is used to unpack ordinary packed 32-bit PE files. Here I will show unpacking a .net file with Olly. The program chosen for unpacking is UnPackMe_NsPack3.6.exe, which is packed with NsPack. Run the program (Figure (20)).

Figure (20)
Checking with PEiD shows Figure (21).

Figure (21)

Now open the program in Olly (Figure (22)).

Figure (22)
As seen in Figure (22), the exe does not stop at the OEP and the program simply runs. What should we do? My suggestion is to look for the unpacked code in memory. So search the program's resources for a specific string.
Names worth searching for are button names, the window caption and messagebox text. Here we will search for button1, which is seen in Figure (20). Because resources are stored in exe/DLL files in unicode form, press Alt+M and search for the text button1 as unicode (Figure (23)).

Figure (23)
Type it in and search as in Figure (23) and you will see Figure (24).

Figure (24)
Viewing Figure (24) as Text Unicode (64 chars) shows Figure (25).

Figure (25)
Note that the virtual addresses seen in Figures (24) and (25) will not be the same as the numbers you see on your computer. Also, the place we have reached is not in the resource section. So press Alt+M and search again with Ctrl+L (Figure (26)).

Figure (26)
In Figure (26) we find another button1. Do you notice _CorExeMain? This is the one API that only .net applications have. Viewing it as unicode shows Figure (27).

Figure (27)
According to Figure (27), we have definitely landed in the resource section.

Figure (28)
Now view Figure (27) in HEX view again and scroll up a little, and you will find the PE header as shown in Figure (28).

Figure (29)
Note the virtual address of MZ in Figure (28) (00CD0000), choose Dump Region in LordPE and click the Dump button. Unpacking has now succeeded. Checking the dumped file Region00CD0000-00CD2000.exe with PEiD will show that it was written in a Microsoft .net language.

(11) Serial fishing from a .net program
This time we will study serial-fishing in .net.
(FOR ONLY FULL VERSION)

Figure (30)

Figure (31)

Figure (32)
Figure (33)

Figure (34)

Figure (35)

Figure (36)

Figure (37)
Figure (38)

Figure (39)

Figure (40)

Figure (41)

Figure (42)

FILD load integer
FSTP store floating-point value and pop
FLD load floating-point value
FCOMIP compare floating-point, set EFLAGS, and pop
FSTP store floating-point value and pop

Figure (43)

Figure (44)

Figure (45)

Figure (46)

Figure (47)

Figure (48)

Figure (49)

Figure (50)
public Registration()
{
    this.components = null;
    this.InitializeComponent();
    this.pictureReg.Image = Image.FromFile("Picture/nag_close.png");
    StringBuilder volumeName = new StringBuilder(0x100);
    StringBuilder fs = new StringBuilder(0x100);
    bool flag = false;
    Environment.GetLogicalDrives();
    flag = GetVolumeInformation("c:", volumeName, (uint) (volumeName.Capacity - 1), out this.serialNum, out this.serialNumLength, out this.flags, fs, (uint) (fs.Capacity - 1));
    for (int i = 0; i <= 13; i++)
    {
        this.serialNum = (((((2 * this.serialNum) / 7) - (12 * this.serialNum)) + (11 * this.serialNum)) - 0x239875) ^ this.serialNum;
    }
    this.textcode.Text = this.serialNum.ToString();
}

Figure (51)
private void butOK_Click(object sender, EventArgs e)
{
    string text;
    FileStream stream;
    BinaryWriter writer;
    long num2 = Convert.ToInt64(this.serialNum);
    long num4 = 0x1fca055L;
    for (int i = 0; i <= 30; i++)
    {
        num2 = (7L * num2) ^ (num4 + 0x23c1bcL);
    }
    string strB = Convert.ToString(num2);
    if (string.Compare(this.textregcode.Text, strB) == 0)
    {
        MessageBox.Show("Registered successfully!\r\nThank you for buying our product!", "Registration Successful!", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
        if (this.passControl != null)
        {
            this.passControl(this.textname);
        }
        base.Hide();
        text = this.textname.Text;
        stream = new FileStream("reg.key", FileMode.Create);
        writer = new BinaryWriter(stream);
        try
        {
            writer.Write(this.serialNum);
            writer.Write(text);
        }
        finally
        {
            writer.Close();
            stream.Close();
        }
        Registry.SetValue(@"HKEY_CURRENT_USER\Software\Myanmar Cracking Team\Windows Repair", "UserName", text, RegistryValueKind.String);
    }
}

Figure (52)
(12) Removing the Strong Name Signature from a .net program

Figure (53)

Figure (54)

Figure (55)

Figure (56)

Figure (57)

Figure (58)

Figure (59)

Figure (60)

Figure (61)
Offset 1018 – Flags – 01
Offset 1028 – StrongNameSignature RVA – 00
Offset 102C – StrongNameSignature Size – 00
Offset 1554 – Flags – 00
Offset 1558 – PublicKey – 00
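The five offsets above are the CLI (IMAGE_COR20) header's Flags field, its StrongNameSignature RVA/Size pair, and the Flags and PublicKey columns of the Assembly metadata row. As an added example that is not part of the original text, the script below parses a CLI header from a constructed image placed so that Flags lands at 0x1018 and StrongNameSignature at 0x1028, and classifies the result the way an audit or loader-side check would: a cleared COMIMAGE_FLAGS_STRONGNAMESIGNED bit with a non-zero signature slot (or the reverse) is the inconsistent state a stripping tool leaves behind. The sample RVA, size and entry point token values are assumptions; the field layout and flag values are the documented IMAGE_COR20_HEADER ones.

```python
import struct

CLI_HEADER_SIZE = 0x48
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008
# IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData
# (RVA, Size), Flags, EntryPointToken, Resources, StrongNameSignature,
# CodeManagerTable, VTableFixups, ExportAddressTableJumps, ManagedNativeHeader
CLI_FMT = "<IHH" + "I" * 16


def build_cli_header(flags: int, sns_rva: int, sns_size: int) -> bytes:
    """Constructed header; entry point token and metadata RVA are sample values."""
    return struct.pack(CLI_FMT, CLI_HEADER_SIZE, 2, 5, 0x2100, 0x800, flags,
                       0x06000028, 0, 0, sns_rva, sns_size, 0, 0, 0, 0, 0, 0, 0, 0)


def parse_cli_header(image: bytes, offset: int) -> dict:
    fields = struct.unpack_from(CLI_FMT, image, offset)
    if fields[0] != CLI_HEADER_SIZE:
        raise ValueError(f"unexpected cb {fields[0]:#x}")
    return {
        "flags": fields[5], "entry_point_token": fields[6],
        "sns_rva": fields[9], "sns_size": fields[10],
        "flags_offset": offset + 16, "sns_offset": offset + 32,
    }


def strong_name_status(hdr: dict) -> str:
    """signed / unsigned / inconsistent, judged from the header alone."""
    flagged = bool(hdr["flags"] & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    present = hdr["sns_rva"] != 0 and hdr["sns_size"] != 0
    if flagged and present:
        return "signed"
    if not flagged and not present:
        return "unsigned"
    return "inconsistent"


# Constructed images: the CLI header placed at 0x1008 so that Flags lands at
# 0x1018 and StrongNameSignature at 0x1028, matching the offsets in the text.
CLI_OFFSET = 0x1008
INTACT = b"\x00" * CLI_OFFSET + build_cli_header(
    COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED, 0x2A00, 0x80)
STRIPPED = b"\x00" * CLI_OFFSET + build_cli_header(COMIMAGE_FLAGS_ILONLY, 0, 0)
HALF_STRIPPED = b"\x00" * CLI_OFFSET + build_cli_header(COMIMAGE_FLAGS_ILONLY, 0x2A00, 0x80)

if __name__ == "__main__":
    for label, img in (("intact", INTACT), ("stripped", STRIPPED), ("half-stripped", HALF_STRIPPED)):
        h = parse_cli_header(img, CLI_OFFSET)
        print(f"{label}: flags={h['flags']:#x} at {h['flags_offset']:#x}, "
              f"sns=({h['sns_rva']:#x},{h['sns_size']:#x}) -> {strong_name_status(h)}")
```

A fully stripped header is indistinguishable from an assembly that was never signed, which is the defender's lesson here: a consumer that only checks for a strong name cannot tell the two apart, so the expected public key token (or an Authenticode signature) has to be verified on the consuming side rather than trusted from the file's own header.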

Figure (62)

Figure (63)

Figure (64)

Figure (65)

Figure (66)

Figure (67)
.method public static hidebysig bool '() // CODE XREF: sub_2840+72_p
// sub_33A0+77_p ...
{
.locals init (bool V0,
class System.String V1,
class System.String V2,
class System.String[] V3)
call bool '::'()
stloc.0
ldloc.0
brfalse.s loc_3272
call class [mscorlib]System.Reflection.Assembly
[mscorlib]System.Reflection.Assembly::GetExecutingAssembly()
callvirt class [mscorlib]System.Reflection.AssemblyName
[mscorlib]System.Reflection.Assembly::GetName()
callvirt class System.String [mscorlib]System.Reflection.AssemblyName::get_Name()
stloc.1
ldc.i4.5
newarr [mscorlib]System.String
stloc.3
ldloc.3
ldc.i4.0
ldstr "Your evaluation period for "
stelem.ref
ldloc.3
ldc.i4.1
ldloc.1
stelem.ref
ldloc.3
ldc.i4.2
ldstr " has expired. Product functionality will be limited."
Figure (68) Opened in IDA Pro

Figure (69)

Figure (70)

Figure (71)
IDA View                                         opcode (CFF Explorer)   Instruction (CFF Explorer)
call class [mscorlib]System.Reflection.Assembly  28 E7 00 00 0A          call 0x0A0000E7
callvirt class [mscorlib]System.Reflection       6F E8 00 00 0A          callvirt 0x0A0000E8

Figure (72)
IDA View   opcode (CFF Explorer)   Instruction (CFF Explorer)
ldc.i4.0   16                      ldc.i4.0
ret        2A                      ret
Figure (73)
Chapter (19) – Cracking mobile phone applications - 295 -

Chapter (19) – Cracking mobile phone applications


Nowadays many mobile phones and smartphones have become nearly computers rather than just phones.
(FOR ONLY FULL VERSION)

Figure (1) Symbian smartphones


(1) What Symbian OS is ....

(2) Symbian Executable File Format



Figure (2) E32 file format


class E32ImageHeader
{
public:
TUint32 iUid1;
TUint32 iUid2;
TUint32 iUid3;
TUint32 iCheck;
TUint iSignature; // 'EPOC'
TCpu iCpu; // 0x1000 = X86, 0x2000 = ARM, 0x4000 = M*Core
TUint iCheckSumCode; // sum of all 32 bit words in .text
TUint iCheckSumData; // sum of all 32 bit words in .data
TVersion iVersion;
TInt64 iTime;
TUint iFlags; // 0 = exe, 1 = dll, +2 = no call entry points
TInt iCodeSize; // size of code, import address table, constant data and export dir
TInt iDataSize; // size of initialized data
TInt iHeapSizeMin;
TInt iHeapSizeMax;
TInt iStackSize;
TInt iBssSize;
TUint iEntryPoint; // offset into code of entry point
TUint iCodeBase; // where the code is linked for
TUint iDataBase; // where the data is linked for
TInt iDllRefTableCount; // filling this in enables E32ROM to leave space for it
TUint iExportDirOffset; // offset into the file of the export address table
TInt iExportDirCount;
TInt iTextSize; // size of just the text section
TUint iCodeOffset; // file offset to code section
TUint iDataOffset; // file offset to data section
TUint iImportOffset; // file offset to import section
TUint iCodeRelocOffset; // relocations for code and const
TUint iDataRelocOffset; // relocations for data
TProcessPriority iPriority; // priority of this process
};
C:\>uidcrc 0x10000079 0x100039CE 0x00DD3103
0x10000079 0x100039CE 0x00DD3103 0xAE035303
PETRAN - PE file preprocessor V01.00 (Build 175)
Copyright (c) 1996-2001 Symbian Ltd.
E32ImageFile 'example_app.app' // file name (not in E32 image header)
V1.00(175) Time Stamp: 00e0be89,69063b40 // iVersion iTime
EPOC Dll for ARM CPU // iCpu
Entry points are not called // iFlags
Uids: 10000079 100039ce 10008ace (7ec529db) // iUid1, iUid2, iUid3 and iCheck
File Size: 00001368 // file size (not in E32 image header)
Code Size: 00000ed8 // iCodeSize
Data Size: 00000000 // iDataSize

Chk code/data: d4ad460a/00000000 // iCheckSumCode iCheckSumData


Min Heap Size: 00001000 // iHeapSizeMin
Max Heap Size: 00100000 // iHeapSizeMax
Stack Size: 00002000 // iStackSize
Code link addr: 10000000 // iCodeBase
Data link addr: 00000000 // iDataBase
Code reloc offset: 00001194 // iCodeRelocOffset
Data reloc offset: 00000000 // iDataRelocOffset
Dll ref table count: 4 // iDllRefTableCount
Offset Size Relocs NumOfRelocs
Code 00007c 000ed8 // iCodeOffset, iCodeSize
001194 0000e1 +000000 (entry pnt) // iCodeRelocOffset .. iEntryPoint
Data 000000 000000 // iDataOffset iDataSize
Bss 000000 // iBssSize
Export 000f50 000004 (1 entries) // iExportDirOffset iExportDirCount
Import 000f54 // iImportOffset

Code (text size=00000d08) // iTextSize

... // here the dump of the text section

225 relocs
... // here the dump of the relocation section

Idata Size=00000240
Offset of import address table (relative to code section): 00000d08

... // here the import tables information

Figure (4)

class E32ImportSection
{
public:
TInt iSize; // size of this section
// E32ImportBlock[iDllRefTableCount];
};

class E32RelocSection
{
public:
TInt iSize; // size of this relocation section
TInt iNumberOfRelocs; // number of relocations in this section
};

(Cracking mobile phone applications will be continued in later versions.)


Chapter (20) - Loader theory and creating patch files - 301 -

Chapter (20) - Loader theory and creating patch files


This time I will explain some theory about loaders and how loader files and patch files are created. A word of warning: since we are only studying the basics of cracking, I will not explain here how to write a loader. I will mainly discuss how to create loaders and patch files using software tools. For the details I recommend reading the article "Cracking with loaders: theory, general approach and a framework" by Shub-Nigurrath and Thunderpwr of ARTeam.
Info: A loader is a small application that starts a process and waits for that process (the software) to unpack itself or undo its protection. After that it patches the process in memory in order to fix the mistakes or weaknesses the programmer left in the program. One weakness is that the loader must always be the one to start the program; normally the loader and the original program are in the same directory. One advantage is that loaders do not need to unpack the program or undo its protection, which saves time when cracking. The combination of loader and program is usually described as a father-child process. Here the loader is the father, because it controls the program; the original program is the child, because it is controlled. Making a loader is very easy: just use the GUI tools. You do not even need to write code; you only enter a little required information, mainly which bytes to patch at which address. dUP and ABEL are well-known loader creators. The point to pay special attention to is the time to wait before patching (the wait is needed because the original program is unpacking in memory). If patching fails the first time, try increasing the patch delay. There are also special loaders. Some programs try to check whether they are being run from a loader, and if they detect one, they change the virtual addresses in memory when unpacking.
The software we will try to crack this time is Windows NT Tips, Tricks, and Registry Hacks, sold by JSI Inc. It collects nearly ten thousand secrets about the Windows Registry, and it can be downloaded free from www.jsiinc.com. The software costs over $4000, and if you cannot buy a license you can only read, free of charge, the 100 pages written in 1997. The program is named Jsittarh.exe. In fact Jsittarh.exe is a set of HTML files compiled into an exe with Web Compiler 1.3. Let us look at how the program works. Figure (1).

Figure (1)

Figure (1) shows information about the Windows Registry. If you click 79nn in Figure (1), you see Figure (2).

Figure (2)
Pick any question you like in Figure (2). It will ask for a password as in Figure (3).

Figure (3)
If you type a password as in Figure (3) and press the OK button, no MessageBox (message) appears and you are simply returned to Figure (1). That is how the program works. Good, now let us check the program with PEiD. Figure (4).

Figure (4)
According to PEiD it is PEtite 2.x. Protection ID 6.2.3 says it is protected with PEtite 2.2; Protection ID can give a more precise answer about protectors. So now we need to unpack the program. Open the program in Olly.

Figure (5)

Look at Figure (5). VA 004BA042 is the entry point. Look at this location carefully. Remember that I said earlier that PUSHAD is the instruction that PUSHes all the DWORD register values. So, to be able to set a hardware breakpoint, press F8 until you reach PUSH EAX at VA 004BA05D. When you reach VA 004BA05D, right-click the ESP register in the register window and choose Follow in Dump. Figure (6).

Figure (6)
Choosing Follow in Dump as in Figure (6) shows you Figure (7).

Figure (7)
Right-click the highlighted 38 07 91 7C in Figure (7) and choose Breakpoint > Hardware, on access > WORD. Then press F9 (Run). You will see Figure (8).

Figure (8)
When you press F9 (Run), you will see it stop at the hardware breakpoint at VA 004BA03D. The strange thing is that at our entry point, VA 004BA042, instead of MOV EAX, XXX there is now JMP 00484724. That is why I had you watch this virtual address. ☺ In fact PEtite decompresses the code right next to the entry point. Press F8 until you reach VA 004BA042. JMP 00484724 jumps to the program's OEP. Figure (9).

Figure (9)
Once you have reached the OEP in Figure (9), we will dump. Right-click and choose Dump debugged process. You will see Figure (10).

Figure (10)

Click the Dump button in Figure (10) and save the file under the name dump.exe. Then open the saved file to see whether it works or not.

Figure (11)
Figure (11) is completely different from the Figure (1) we saw earlier. If you look at the file size as well, you see Figure (12).

Figure (12)
Given this, it is certain that our unpack did not bring everything out. The part left behind is the part containing the HTML files. Check the dumped file with PEiD: it says the file was written with Borland Delphi 3.0. In fact the file we dumped is nothing but the Web Compiler software itself. Choose Compiler Option from the File menu of dump.exe. You will see Figure (13). (The File menu of Jsittarh.exe has no Compiler Option.)

Figure (13)
Look closely at Figure (13). Do you understand that the dialog box seen in Figure (3/14) comes from Figure (13)? To produce the password, the software first creates a master key. Then it creates the password based on the user key. Guessing the password from a password routine like this takes a little work. TEAM LAXiTY once computed the key, and before I entered the cracking field I simply used that key. The key is 15416???. I am not going to tell you the key here. If you want to know it, you have to find and compute it yourself. Only then will you be a real cracker. ☺

Figure (14)
Having found some information in dump.exe, let us go back to Jsittarh.exe.

Figure (15)
Let us resume from where we paused after dumping in Figure (15). Since we already know the OEP, the hardware breakpoints can be deleted. After deleting them, press F9 (Run). You will see Figure (1). At this point, open 7900 » DNS problems in .. under 79nn and try to register. Figure (16).

Figure (16)
When you see Figure (16), press F12 in Olly to pause the program. You will see Figure (17).

Figure (17)
Press Alt + K and look at the Call Stack; you will see Figure (18).

Figure (18)
Set breakpoints on all the procedure starts in Figure (18). To set a breakpoint, right-click the virtual address and choose Show procedure (Enter key). After setting the breakpoints, click the OK button in Figure (16). You will see Figure (19).

Figure (19)
Examine CALL 00403AFC at VA 0047E52D in Figure (19). You will see the value of EAX changing. The most interesting place here is VA 0047E53C. Change the JE 0047E5E0 (0F,84,9E,00,00,00) there to JMP 0047E5E0 (E9,9F,00,00,00,90) and run the program. Remove all the breakpoints, since they are no longer needed. (Note: write the hex numbers down on a blank sheet of paper. They will come in handy.)

Figure (20)
When you change the code as in Figure (20) and run the program, you see Figure (21).

Figure (21)
So now we can read the content we wanted without knowing the key. Sadly, though, we can only read it like this while the program is open in Olly. We need to patch it so that we can read whenever and however we like. Good, save the file with our code changes in Olly. As Figure (22) shows, the file cannot be saved.

Figure (22)
Let us find out why this error occurs. Reopen the program (Jsittarh.exe) in Olly. You see the entry point (004BA042) as follows.

Figure (23)
Now let us go and look at VA 0047E53C, the place we want to patch. Figure (23).

Figure (24)
There is no code there at all, only zeros. The code we saw earlier was there because the decompression stub had unpacked it and placed it there. With files that are already unpacked you would not run into this kind of problem, but our unpacking of PEtite did not succeed. So, to solve this problem, we need to create a loader file. The loader's job is, while PEtite has placed the program in memory as a process and is unpacking it, to find the byte (code) to patch and replace it with the byte (code) we want.
To create the Loader/Patch file, open ABEL Loader Generator 2.31. Figure (25).

Figure (25)

Then do the following and create the loader file –


1. Type the name of the file we will patch (Jsittarh.exe).
2. Set the loader file name. (Jsittarh_Loader.exe)
3. Timeout is the time the loader waits for the process to load. On computers with a slow processor you can set the timeout value to 15.
4. The virtual address to patch is VA 0047E53C, and the bytes to change are the HEX numbers I had you write down on the blank sheet earlier (JE 0047E5E0 (0F,84,9E,00,00,00) and JMP 0047E5E0 (E9,9F,00,00,00,90)). Figure (26).
5. The last step is just to press the Generate button.

Figure (26)
After creating the loader file, put the loader (Jsittarh_Loader.exe) in the same directory as Jsittarh.exe and open it. You will see Figure (27), and everything will work without having to type any key and without being asked for one.

Figure (27)

Chapter (21) - Studying crypto code


This time we will study the crypto code that you often encounter when cracking. Crypto is
(FOR ONLY FULL VERSION)

(1) Transposition

- Yusceiyupioelyyonyueoeypioiorertsorrsnreigadobcmisrsnr
(2) Substitution
(2.1) Monoalphabetic substitution

Original text
- abcdefghijklmnopqrstuvwxyz
Encrypted text
- DEFGHIJKLMNOPQRSTUVWXYZABC (in this example, rotated to the right
(2.2) Monoalphabetic substitution with a key
(3) Frequency Analysis
(4) Le Chiffre Indéchiffrable
Original text
abcdefghijklmnopqrstuvwxyz
Table drawn for encryption
1 BCDEFGHIJKLMNOPQRSTUVWXYZA
2 CDEFGHIJKLMNOPQRSTUVWXYZAB
3 DEFGHIJKLMNOPQRSTUVWXYZABC
4 EFGHIJKLMNOPQRSTUVWXYZABCD
5 FGHIJKLMNOPQRSTUVWXYZABCDE
6 GHIJKLMNOPQRSTUVWXYZABCDEF
7 HIJKLMNOPQRSTUVWXYZABCDEFG
8 IJKLMNOPQRSTUVWXYZABCDEFGH
9 JKLMNOPQRSTUVWXYZABCDEFGHI
10 KLMNOPQRSTUVWXYZABCDEFGHIJ
11 LMNOPQRSTUVWXYZABCDEFGHIJK
12 MNOPQRSTUVWXYZABCDEFGHIJKL
13 NOPQRSTUVWXYZABCDEFGHIJKLM
14 OPQRSTUVWXYZABCDEFGHIJKLMN
15 PQRSTUVWXYZABCDEFGHIJKLMNO
16 QRSTUVWXYZABCDEFGHIJKLMNOP
17 RSTUVWXYZABCDEFGHIJKLMNOPQ
18 STUVWXYZABCDEFGHIJKLMNOPQR
19 TUVWXYZABCDEFGHIJKLMNOPQRS
20 UVWXYZABCDEFGHIJKLMNOPQRST
21 VWXYZABCDEFGHIJKLMNOPQRSTU
22 WXYZABCDEFGHIJKLMNOPQRSTUV
23 XYZABCDEFGHIJKLMNOPQRSTUVW
24 YZABCDEFGHIJKLMNOPQRSTUVWX
25 ZABCDEFGHIJKLMNOPQRSTUVWXY
26 ABCDEFGHIJKLMNOPQRSTUVWXYZ
(5) Charles Babbage & Vigenère

What he realised was that if "the" had to be encrypted

Babbage's method is simple. In the ciphertext


Trying Vigenère in assembler
Crypting:
add al,ah ;al is clear char and ah is key char
sub al,"A"+"A"
cmp al,25
jng @F
sub al,26 ;Overflow, wrap around
@@:
add al,"A" ;al is now crypted char
Decrypting:
sub al,ah ;al is crypt char and ah is key char
cmp al,0
jge @F
add al,26 ;Underflow, wrap around.
@@:
add al,"A" ;al is now clear char
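The following is an added example, not code from the book: it mirrors the byte arithmetic of the two assembler listings above (add or subtract the key letter, wrap at 26) and then applies the repeated-sequence idea from the Babbage section to estimate the key length. The sample text and the key "KEY" are constructed for this demonstration.

```python
# Added example (not from the book): Vigenère as in the assembler listings,
# plus the Babbage/Kasiski repeated-sequence test for the key length.
from collections import Counter

ALPHA_SIZE = 26


def vig_encrypt_char(clear: str, key: str) -> str:
    # "Crypting" listing: add al,ah; sub al,"A"+"A"; wrap if > 25; add al,"A"
    v = (ord(clear) + ord(key)) - (ord("A") + ord("A"))
    if v > 25:            # the "jng @F / sub al,26" overflow branch
        v -= ALPHA_SIZE
    return chr(v + ord("A"))


def vig_decrypt_char(cipher: str, key: str) -> str:
    # "Decrypting" listing: sub al,ah; wrap if negative; add al,"A"
    v = ord(cipher) - ord(key)
    if v < 0:             # the "jge @F / add al,26" underflow branch
        v += ALPHA_SIZE
    return chr(v + ord("A"))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    # Only A-Z are transformed; other characters pass through unchanged and
    # do not advance the key, exactly like a loop that skips non-letters.
    step = vig_decrypt_char if decrypt else vig_encrypt_char
    out, i = [], 0
    for ch in text.upper():
        if "A" <= ch <= "Z":
            out.append(step(ch, key[i % len(key)].upper()))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def repeated_sequence_distances(cipher: str, n: int = 3) -> dict:
    # Babbage's observation: an n-gram such as "THE" that falls on the same
    # key letters twice encrypts to the same ciphertext n-gram, so the
    # distance between the repeats is a multiple of the key length.
    letters = "".join(c for c in cipher.upper() if "A" <= c <= "Z")
    first_seen, distances = {}, {}
    for pos in range(len(letters) - n + 1):
        gram = letters[pos:pos + n]
        if gram in first_seen:
            distances.setdefault(gram, []).append(pos - first_seen[gram])
        else:
            first_seen[gram] = pos
    return distances


def likely_key_lengths(cipher: str, n: int = 3, max_len: int = 20) -> list:
    # Rank candidate key lengths by how many repeat distances they divide;
    # the true length (and its multiples) score highest.
    score = Counter()
    for dists in repeated_sequence_distances(cipher, n).values():
        for d in dists:
            for k in range(2, max_len + 1):
                if d % k == 0:
                    score[k] += 1
    return [k for k, _ in score.most_common()]


if __name__ == "__main__":
    # Constructed sample: "THE" recurs at letter positions 0, 9 and 18.
    sample = "THE SUN AND THE MAN AND THE MOON"
    c = vigenere(sample, "KEY")
    print(c)                                   # DLC CYL KRB DLC WEL KRB DLC WSMX
    print(repeated_sequence_distances(c))      # {'DLC': [9, 18], ...}
    print(likely_key_lengths(c)[:2])           # [3, 9]
    print(vigenere(c, "KEY", decrypt=True))    # the sample text again
```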
BBLM RS VRJ XTYOETOSWP UNTYOJH XBLHCOQ DLVTSQX FHO T PRQMJLJ UJG?
QXJ CD FJDG YK JWTBTKM FHO BB DCXLYCHDS HYW WSBUDTOS NZ IUAA GNNS,
MQE QDMYC BB UUOI NZ VJRTI LLZVNRKOX.

QSTC IU DMY OBOFGBJHNX KEVGJYY XAOVSH UYW TIPUD?


YCHCIE SX ODBWG C PJUEANR....MSSEJ BB UUSSA EAN WJYQY NARCMOS.

Avoiding Vigenère
The strength of the Vigenère cipher is that
a b c d e f g h i j k l m n o p q r s t u v w x y z
09 48 13 01 14 10 06 23 32 15 04 26 22 18 00 38 94 29 11 17 08 34 60 28 21 02
12 81 41 03 16 31 25 39 70 37 27 58 05 95 35 19 20 61 89 52
33 62 45 24 50 73 51 59 07 40 36 30 63
47 79 44 56 83 84 66 54 42 76 43
53 46 65 88 71 72 77 86 49
67 55 68 93 91 90 80 96 69
78 57 99 75
92 64 85
74 97
82
87
98
HNE 0IQWtG OY98CKÂ5u YfTBÅ7| pA vÏÃ2ä] éJ 1W[UZÂjweh3 XÈ i
åÅçgÄvâ ìqmV-sSkboDÁÏI6 }dcaäYz xÉÆÊÇÎË ÍL åét2Wë ãSáÌèDíæT
2.2, 9u ï]HÂ0|Cà X13-5Ã ëZ7gycK. Ulî Ëpx8MEçeikÅÄI ÏtDQw1GB o
äJÁ æA 3éVAObfuch[ jqÇvsz| åWÃ2Â] ÈÆmV-ÎSád}xíïÉ 2.2 Êçg
vÅI2Ïë âãàA-îSHÌèDK0T ]EZì5t9Q GËäUé7u, årWc{ ÂB Å|xy1O3 vÏeÀ
kNäJ Dpën ÄV åéÃ2W].

(6) Playfair
C H A R L
E S B D F
G I/J K M N
O P Q T U
V W X Y Z
Original text
We meet at hammersmith bridge at seven.


Text split into bigrams
we-me-et-at-ha-mx-me-rs-mi-th-br-id-ge-at-se-ve-nx
(7) ADFGX crypto
A D F G V X
A 8 p 3 d l n
D l t 4 0 a h
F 7 k b c 5 z
G j u 6 w g m
V x s v i r 2
X 9 e y 0 f q

Original text
Attack at 2230
Encrypted text
DV DD DD DV FG FD DV DD VX VX AF XG

M A R K A K M R
D V D D V D D D
D D D V D V D D
F G F D G D F F
D V D D V D D D
V X V X X X V V
A F X G F G A X
Final encrypted text
VD DD DV DD GD FF VD DD XX VV FG AX
As for why A, D, F, G, V and X are used,
The most commonly used crypto algorithms are ADELR32, AES,

(8) What MD5 is ...


A hash algorithm is
(9) Finding the serial of Xilisoft Audio Converter

Figure (1)

Figure (2)

Figure (3)

Figure (4)

Figure (5)

Figure (6)

Figure (7)

Figure (8)

Figure (9)

Figure (10)

Figure (11)

Figure (12)
After this loop has run, MyanmarCrackingTeam-1234-5678-9012-3456 has become BF A7 26 FF 5B A1 AD CF 43 A7 94 F1 82 16 6F 9C 6E 2C 4C DB 51 20 47 4A F5 B0 45 D3 CC 20 47 3D DF FD 19 53 D7 B7. Figure (13).

Figure (13)

Figure (14)

Figure (15)

Figure (16)
1.

Figure (17)
2.

Figure (18)
3. The MFC71.781 function

Figure (19)
4. The MFC71.4085 function

Figure (20)
5. CALL UILib71.0034217

Figure (21)
6. CALL UILib71.0035

Figure (22)
6.1. CALL

Figure (23)
Figure (23
6.1.1.

Figure (24)

Figure (25)
6.1.2.

Figure (26)

Figure (27)
6.1.2.1. In Figure (27), C

Figure (28)
Figure (28) and Figure (

Figure (29)
y

Figure (30)

Figure (31)

Figure (32)

6.1.3.

Figure (33)

Figure (34)
6.1.3.1. CALL U
6.1.3.1.1.

Figure (35)
7.

Figure (36)
8.

Figure (37)

9. In Figure (36)

Figure (38)

Figure (39)
9. Figure (38)

Figure (40)
10. CALL MFC71.1916 in Figure (41)

Figure (41)
11. CALL MFC71. in Figure (42)

Figure (42)
12. CALL in Figure (42)

Figure (43)
,f/

Figure (44)
Notes about Xilisoft applications ...
1. Xilisoft applications
2. The serials are
5. -1a□d□o□o□v.r□e.u□i□c□n□e.t.r00MYANMARCRACKINGTEAM-audioconverte)
6. (Example - ab6801efdd311d00c7a5a08b983315 d0)
7.

Figure (45)

Figure (46)

Figure (47)

Figure (48)
(10) Recovering a password protected with Exe Password 2004
This time we will recover the password that we protected in the "Beginner-level patching" section of the "Patching" lesson. For a change, instead of protecting calc.exe we will protect notepad.exe this time. Figure (49).

Figure (49)

Figure (50)

Figure (51)

Figure (52)

Figure (53)

Figure (54)

Figure (55)

Figure (56)

Figure (57)

Figure (58)

Figure (59)
1. MOV EDX, [LOCAL.1]
2. MOV DL, BYTE PTR DS:[EDX+ESI-1]
3. MOV ECX, [LOCAL.2]
4. MOV CL, BYTE PTR DS:[ECX+EBX-1]
5. XOR DL, CL; DL = DL ^ CL = a ^ 3 = R
6. MOV BYTE PTR DS:[EAX+ESI-1], DL
7. INC EBX
8. INC ESI
ESI is incremented by one so that the next characters in EDX can be read.

- In this way it works through the characters one at a time.


XOR DL, CL; DL = DL ^ CL = b ^ 4= V
XOR DL, CL; DL = DL ^ CL = c ^ 5= V
XOR DL, CL; DL = DL ^ CL = d ^ 9= ]
XOR DL, CL; DL = DL ^ CL = e ^ 5= P
XOR DL, CL; DL = DL ^ CL = f ^ 0= V
-
#include <stdio.h>  // Copyright © Myo Myint Htike, September 20 2009
#include <string.h> // Compiler - Borland C++ 5.02
                    // C Console Application
                    // (the original used getch() from Borland's conio.h;
                    //  getchar() is used here so the program also builds elsewhere)
int main()
{
    int index = 0;
    char encrypted_password[30] = {0};
    char decrypted_password[30] = {0};
    /* 21 bytes, so the 20-character key keeps its terminating NUL */
    char hash_value[21] = "3459501211xSSSFDb345";
    /* the width limit keeps a long input from overflowing the 30-byte buffer */
    if (scanf("%29s", encrypted_password) != 1)
        return 1;
    /* decrypt one character at a time: each byte XORed with the matching key byte,
       exactly as the XOR DL, CL loop does; never read past the 20-byte key */
    while (index < (int)strlen(encrypted_password) && index < 20) {
        decrypted_password[index] = encrypted_password[index] ^ hash_value[index];
        index++;
    }
    printf("Serial is = %s\n", decrypted_password);
    getchar(); /* wait for a key press before the console closes */
    return 0;
}

Figure (60)

Figure (61)

Figure (62)

Figure (63)

Figure (64)

Figure (65)

Figure (66)
#include <stdio.h> // Copyright © Myo Myint Htike, September 20 2009
                   // Compiler - Borland C++ 5.02
                   // (getch() from Borland's conio.h replaced by getchar() for portability)
int main()
{
    int index = 0;
    /* the stored (protected) bytes read out of the program; they are not printable,
       which is why they are given as numbers instead of typed in as a string */
    int encrypted_password[7] = {2, 6, 6, 0xD, 0, 6, 6};
    char decrypted_password[30] = {0};
    /* 21 bytes, so the 20-character key keeps its terminating NUL */
    char hash_value[21] = "3459501211xSSSFDb345";
    /* XOR each stored byte with the matching key byte to get the serial back */
    while (index < 7) {
        decrypted_password[index] = (char)(encrypted_password[index] ^ hash_value[index]);
        index++;
    }
    printf("Serial is = %s\n", decrypted_password);
    getchar(); /* wait for a key press before the console closes */
    return 0;
}
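The same XOR loop in Python, as an added example that is not part of the book: it uses the key and the stored bytes from the two C programs above and adds one point the book does not spell out, namely that a fixed XOR key is recovered from a single known plaintext/ciphertext pair, so this scheme hides the serial from casual inspection but gives no real protection.

```python
# Added example (not the book's own code): the XOR DL, CL loop in Python,
# with the key and stored bytes taken from the book's C programs.
KEY = b"3459501211xSSSFDb345"   # hash_value from the book's listing


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    # One pass of "XOR DL, CL": byte i of data XOR byte i of key.
    # The same function both protects and recovers, since XOR is its own inverse.
    if len(data) > len(key):
        raise ValueError("key is shorter than the data")
    return bytes(d ^ k for d, k in zip(data, key))


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    # P XOR C = K at every position where both are known; with a fixed key
    # one observed pair is enough to decrypt every other serial.
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def recover_serial(stored: bytes, key: bytes = KEY) -> str:
    # What the book's second C program does: stored bytes -> serial characters.
    return xor_with_key(stored, key).decode("ascii")


if __name__ == "__main__":
    stored = bytes([2, 6, 6, 0x0D, 0, 6, 6])     # from the book's listing
    print(xor_with_key(b"abcdef"))                # b'RVV]PV' (a^3=R, b^4=V, ...)
    print(recover_serial(stored))                 # 1234567
    print(recover_key(b"abcdef", b"RVV]PV"))      # b'345950' (the key leaks)
```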
Figure (67)

Figure (68)

Chapter (22) - Studying polymorphic code


This time we will study polymorphic code, something every cracker must know about.
(FOR ONLY FULL VERSION)

Figure (1)

Figure (2)

Figure (3)

Figure (4)

Figure (5)

Figure (6)

Figure (7)

Figure (8)

Figure (9)
INFO: Olly, with this code,

Figure (10)

Figure (11)

Figure (12)

Figure (13)

INFO: There are many ways to make the program stop at a MessageBoxA.

Figure (14)

Figure (15)

The GetModuleHandle function returns a module handle for the specified module if the file has been
mapped into the address space of the calling process.
HMODULE GetModuleHandle(
LPCTSTR lpModuleName // address of module name to return handle for
);
Parameters
lpModuleName
Points to a null-terminated string that names a Win32 module (either a .DLL or .EXE file). If the filename
extension is omitted, the default library extension .DLL is appended. The filename string can include a trailing point
character (.) to indicate that the module name has no extension. The string does not have to specify a path. The name
is compared (case independently) to the names of modules currently mapped into the address space of the calling
process.
If this parameter is NULL, GetModuleHandle returns a handle of the file used to create the calling process.
Return Values
If the function succeeds, the return value is a handle to the specified module.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Figure (16)
MOV EDI, 00401011; // in EDI

Figure (17)

Figure (18)

Figure (19)

Figure (20)

Figure (21)

INFO: Encryption/Decryption is the process of taking information and

INFO: The XOR instruction

Figure (22)

Figure (23)

Figure (24)

Figure (25)
INFO: Here the code

Figure (26)
INFO: The code section

Figure (27)

Figure (28)

INFO: Self-modifying code is

INFO: Self-modifying code
Polymorphic viruses
Because of the points above, crackers

Figure (29)

Figure (30)

Figure (31)

Figure (32)

Figure (33)

Figure (34)
Looking at Figure (34), the self-modifying code

Figure (35)

Figure (36)
The E1 value

Figure (37)
After pressing F8,

Figure (38)
Looking at Figure (38),

Figure (39)
Until VA 0040101F is reached
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
Parameters
hWnd
Identifies the owner window of the message box to be created. If this parameter is NULL, the message box
has no owner window.

If we were to take hWnd and

But the program's author, Lena151, asked us to patch this nag using only 2 bytes.

Figure (40)

Figure (41)
So, something that can jump to VA 40106A
INFO: In fact, removing the nag

Figure (42)

Figure (43)

Figure (44)

Figure (45)

Figure (46)

Figure (47)
INFO: The second part of the self-modifying code

Figure (48)

Figure (49)

Figure (50)

Figure (51)
As you can see in Figure (51), the programmer who wrote this program is making things difficult for us. She (Lena151) has destroyed all the evidence we could have traced.
Note: in fact this program is only shown to give you the basic idea. In practice
INFO: Polymorphic code is
INFO: Encryption, in relation to polymorphism,
INFO: Metamorphic code is code that itself re
INFO: Alphanumeric code
INFO: Shellcode is code that takes advantage of a software bug and
INFO: Machine code (or) machine language is
In instruction sets, too, an operand may occasionally be missing. (Example - NOSC)

Figure (52)

Figure (53)
To summarise, this little program

Figure (54)
VA 401016 and

Figure (55)

Figure (56)
INFO:
XOR A, B; // C
XOR A,

Figure (57)

Figure (58)

Figure (59)

Figure (60)

Figure (61)

Figure (62)

Figure (63)

Figure (64)
INFO: For my part, 1 byte

Chapter (23) - Removing online checking of the registration number


"Some programs have started using the latest technology to make sure the registration number is used legitimately. When you type in the registration number, the program sends it over the internet to be checked. The server tests whether the code is correct and replies. The program then checks whether it has been correctly registered or not." (from the "Software Protection" chapter)
This time we will try cracking programs that check registration online. Most of these programs are internet-related software, which is also why they can only be used with an internet connection. The software chosen for cracking is Download Accelerator PLUS (DAP). DAP downloads files from the internet at high speed and is one of the best and fastest download tools. (FlashGet, another download accelerator, has the advantage of being able to resume downloads of files whose links change frequently.) Download DAP from www.speedbit.com and install it. The current version may vary, but the version I crack here as an example is Version 8.0.4.1. Whatever the version, the principle is the same.
Before cracking, the first thing to check is what this program was written with. Figure (1).

Figure (1)
This program is protected with SVK Protector. Normally I would not be obliged to show how to unpack it, because unpacking was already discussed in the "Packers (Protectors)" chapter. But in this chapter I will explain at the same time how to unpack something packed with SVKP. SVKP was written by Pavol Cerven; we meet that name once again. Because no unpackers for SVKP can be found, and because some of the SVKP unpacking tutorials do not work, I worry that you would have trouble unpacking it, so I explain the unpacking method as well. (Quick Unpack 2.1, written by AHTeam, can unpack a great many packers but has some problems with files protected by SVKP.) SVKP uses 4 different techniques to protect a file: (1) use of the RSA algorithm, (2) redirection of API functions, (3) inserted anti-debug tricks, (4) protection against dumping from memory and against tracers.
(1) Unpacking a file protected with SVKP
To make this lesson easier to understand, I will discuss it in the following 5 parts -
(1.1) Finding the OEP
(1.2) Finding the stolen bytes
(1.3) Dumping the file
(1.4) Fixing the IAT
(1.5) Fixing the file

(1.1) Finding the OEP


We have to search for the OEP because of the stolen code: we have to break near the OEP (not at the OEP), at the first instruction of the original code section that was not stolen. Good, before opening DAP.exe in Olly, open Olly on its own. Then press Alt + O and choose the SFX tab of Debugging options. Figure (2).

Figure (2)
As shown in Figure (2), select the Trace real entry blockwise radio button. Also check the Pass exceptions to SFX extractor checkbox. I will not explain why these are chosen, because Olly's Help file explains it in detail:
Trace real entry blockwise (inaccurate)
OllyDbg uses 4-K blocks to step through the packed code. This method may cause detection of false real
entry.
Pass exceptions to SFX extractor
This option tells OllyDbg to pass some kinds of software exceptions that occur while tracing for real SFX
entry (memory access violation, INT3 breakpoint, division by 0, privileged or illegal instruction) directly to self-
extractor.

Good, let us open DAP.exe in Olly. Figure (3).

Figure (3)
As in Figure (3), Olly will stop at VA 0053F432. We have now reached the first instruction of the code section after the stolen bytes. To see how we know that, scroll up a little above VA 0053F432 and look. Figure (4).

Figure (4)

In fact, there should be code where we see the NOP instructions in Figure (4). Good, write down VA 0053F432 from Figure (3) on a blank sheet of paper. Then, in Figure (2), select Stop at entry of self-extractor again instead of the Trace real entry blockwise radio button.
(1.2) Finding the stolen bytes
This is the hardest and longest part of unpacking. Do not be afraid; it is not as complicated as you think. First press Ctrl + F2 to restart the program. It will then ask as in Figure (5).

Figure (5)
Click the No button in Figure (5). When you reach the entry point, press Alt+O and change the Exceptions tab as in Figure (6).

Figure (6)
In Figure (6), uncheck Memory access violation and Ignore also following …. After that, go back to the entry point as in Figure (7).

Figure (7)
In Figure (7), press F7 once and go to the CALL function at VA 00731001. When you reach the CALL function, look at the Registers window. Figure (8).

Figure (8)
Looking at Figure (8), you will see the ESP register shown in red, because the ESP value has changed. Right-click there and choose Follow in Dump. You will see Figure (9).

Figure (9)
At 38 07 91 70 in Figure (9), right-click and choose Dword under hardware, on access. Then press F9 (Run).

Figure (10)
When you see the exception as in Figure (10), press Shift+F9. Press Shift+F9 every time an exception error comes up, until you see Figure (11). Depending on the SVKP version, the number of Shift+F9 presses will be 4 or more.

Figure (11)
When you see Figure (11), press Alt + M to bring up the memory map window. Figure (12).

Figure (12)
Right-click the highlighted location in Figure (12) and choose set memory breakpoint on access. Then press Shift+F9. You will see Figure (13).

Figure (13)
Figure (13) is SVKP's decompression code. Now press Alt+M and right-click on the PE header. Then choose Remove memory breakpoint. After removing the memory breakpoint, press Shift+F9. It will stop at the next PUSHAD instruction. Figure (14).

Figure (14)
When you see Figure (14), we will prepare to go to the OEP (VA 0053F432) that I had you write down on the blank sheet earlier. Press Ctrl+G and type in the OEP value. Figure (15).

Figure (15)
Clicking the OK button in Figure (15) shows you Figure (16).

Figure (16)
Setting an ordinary breakpoint at VA 0053F432 gives you Figure (16). Good, since we no longer need the hardware breakpoints, choose Hardware breakpoints from the Debug menu and delete them. Then choose Ctrl+F11 (Trace into) to trace. Within two seconds we arrive at the OEP where we set the ordinary breakpoint. After that we need to look back at the places we traced through, in order to find the stolen bytes. Choose Run trace from Olly's View menu. Figure (17).

Figure (17)
Figure (17) shows that Olly traced from PUSHAD up to CALL 0042B5E4. The highlighted area is the stolen bytes we were looking for.

INFO: Stolen bytes are bytes taken from the original exe file, that is, deleted from the original exe file and placed inside the packer's code. After dumping memory at the OEP, these bytes are not present even in the dumped exe file. (They are not even where you would expect them to be.) That is why such programs crash. In other words, this is a protection against cracking the program. While the program is packed it does not crash, because these stolen bytes run inside the protector before the OEP is reached.
(1.3) Dumping the file
This time, since we have found the OEP, we will dump the process (the DAP.exe running in Task Manager). Right-click in Olly and choose make dump of process. You will see Figure (18).

Figure (18)
Click the Get MAP button in Figure (18). Figure (19).

Figure (19)
Do you still remember where our stolen bytes were in Figure (17)? If you scroll until you reach that area, you will see Figure (19). Select the 00E60000 location and press the Add button. You will see Figure (20).

Figure (20)

In the Name field of Figure (20), type any name you like and click the Apply button. You will see Figure (21).

Figure (21)
The next step is to select 00E90000 in Figure (19) and press the Add button.

Figure (22)
This time too, type any name you like in the Name field of Figure (22) and click the Apply button. Then click the Close button in Figure (19). You will see Figure (23).

Figure (23)
Make the settings match the places marked in red in Figure (23). Then press the Dump button and save the file under the name dumped.exe. With that, dumping is complete.
(1.4) Fixing the IAT (Import Address Table)
This time we will fix the IAT.

yHk(24)
yHk(24)twdkif; OEP ae&mrSm 0013F432 udk&dkufxnfhjyD; AutoSearch button udka&G;cs,fyg/ Found
something! qdkwJh MessagBox ay:vmygvdrfhr,f/ 'Dtcg Get Import button udkESdyfjyD; import function
awGudk Munfhyg/ yHk(24)t&qdk function awmfawmfrsm;rsm;udk import vkyf&mrSm rSm;,Gif;aewm awGU&ygw,f/
tao;pdwfod&atmif Show Invalid button udka&G;cs,fyg/

yHk(25)
jyD;&ifawmh yHk(25)twdkif; 'D invalid jzpfaewJh address awGay: right-click ESdyfjyD; Trace Level1
(Disasm) udk a&G;cs,fyg/ yHk(26)twdkif; jrif&ygr,f/

yHk(26)
tcef;(23) - Registration number udk tGefvdkif;wGif ppfaq;jcif;tm; z,f&Sm;jcif; - 357 -

'DtcgrSmawmh dumped.exe zdkifudkjyifzdkUvkyfygawmhr,f/ yHk(24)u Fix Dump button udka&G;vdkufyg/


jyD;&if dumped.exe udka&G;ay;vdkufyg/ yHk(27)twdkif; jrif&ygr,f/

yHk(27)
yHk(27)twdkif;jrif&jyD;&ifawmh ImpREC u IAT jyifjyD;om;zdkifudk dumped_.exe trnfeJU tvdk
tavsmufodrf;qnf;ay;ygw,f/
(1.5) Fixing the file
Let's open dumped_.exe to see whether it runs. Figure (28).

Figure (28)
We are out of luck. Windows tells us that our file is not a PE file. Let's try fixing the OEP. Open dumped_.exe in PE Editor 1.7 and change the OEP to A805B3. Figure (29).

Figure (29)
One warning here: do not fix the OEP with LordPE. Programs fixed with LordPE tend to have many errors. (The reason we enter A805B3 as the OEP is that the virtual address where our stolen bytes were in Figure (17) is the real OEP [E805B3 - 400000 = A805B3h].) After fixing, save the file. But when you open the file, it still shows the message from Figure (28).

Figure (30)
The real cause is that dumped_.exe has a PE header problem. So fix the PE header in CFF Explorer and save the file. Then there are no more problems, and the SVKP-protected DAP.exe has been successfully unpacked.
(2) Removing the online registration number check

(FOR ONLY FULL VERSION)

Figure (31)

Figure (32)

Figure (33)

Figure (34)

Figure (35)

Figure (36)

Figure (37)

Figure (38)

Figure (39)

Figure (40)

Figure (41)

Figure (42)

Figure (43)

Figure (44)
PUSH 0F2BF = 62143,
"Your registration could not be completed due to unknown result from the activation server. \n\n Please try
again in a few minutes, or email sales@speedbit.com for more help.\n"
PUSH 0F2C0 = 62144,
"Your registration could not be completed due to submission of incorrect request to the Activation Server
\n\nPlease re-check the details you have entered or contact sales@speedbit.com \n"
PUSH 0F2BE = 62142,
"Your registration could not be completed due to lack of Internet connection with SpeedBit activation
server.\n\nPlease try again in a few minutes, or email sales@speedbit.com for more help.\n"
PUSH 0F2BD = 62141,
"Your registration could not be completed due to lack of Internet connection.\n\nPlease make sure you are
connected to the Internet.\n"
Figure (45)

Figure (46)

Figure (47)

Figure (48)

Figure (49)

Figure (50)

Figure (51)
After pressing OK in Figure (51) and searching, we do not find the text we are looking for.
We will search for these strings using Resource Hacker.
Figure (52)

10003 = 2713 = DAP Premium

10008 = 2718 = DAP Unregistered

Figure (53)

Figure (54)

Figure (55)

Figure (56)

Figure (57)

Figure (58)

Figure (59)

Figure (60)

Figure (61)

Figure (62)

Figure (63)

Figure (64)

Figure (65)

Figure (66)

Figure (67)

Figure (68)

Figure (69)

Figure (70)

Figure (71)

Figure (72)

Figure (73)

Figure (74)

Figure (75)

Figure (76)

Figure (77)

Figure (78)

Figure (79)

Figure (80)

Figure (81)

Figure (82)

Figure (83)

Figure (84)
Incidentally, as for BetaMaster, after the breakpoint stopped at 004ADF16,

Figure (85)
as seen in Figure (85), and

Figure (86)
To summarize, the reason we were able to patch the DAP program so quickly is
Finally, one more note: DAP 9.2 is protected with Armadillo 5.40, and its registration scheme has also become more advanced. DAP 9.2 was downloaded on 3 August 2009.

Figure (87)

Figure (88)

Figure (89)

Figure (90)
Chapter (24) - Studying Themida - 372 -

Chapter (24) - Studying Themida


Just as in the previous lessons I roughly discussed how packers/protectors work,
(FOR ONLY FULL VERSION)
(1) What Themida is ...
Themida is

Figure (1)
Advanced Anti-Debugger –
Anti Dumpers –
Entrypoint Obfuscation –
Resources Encryption –
VMWare/ Virtual PC –
Advance API-Wrapping –
Anti-Patching –
Metamorph Security –
Advanced Debugger Monitors –
Compression – SecureEngine
Monitor Blockers – your application
Delphi/BCB form protection –
(2) What SecureEngine is ...
SecureEngine is
The techniques SecureEngine uses are as follows –
AntiAPISpyer –
AntiBreakpoints – crackers set breakpoints only in the middle of an API's routine, where they cannot be detected.

Figure (2) From memory

Figure (3)
ClearCode –
CodeEncrypt –

Figure (4)

Figure (5)

xor [esi], bh
sub [esi+1], bl
xor [esi+2], ah
xor [esi+3], al
add esi, 4
loop EncodeData

Figure (6) Encoded data


xor [esi], bh
push ebx
sub ebx, eax
xor edi, ebx
pop ebx
sub [esi+1], bl
dec edi
xor edi, eax
xor [esi+2], ah
jmp short $+2
pusha
mov ecx, eax
xor ebx, edx
rdtsc
popa
xor [esi+3], al
rol edx, cl
sub edi, edx
push eax
xor eax, edi
mov edi, eax
pop eax
add esi, 4
dec edx
imul edx, eax, 3
loop EncodeData

Figure (7)

Figure (8) Application protected with polymorphic layers

Figure (9)
Figure (10) How the same code is executed differently
(3) Unpacking a Themida (Anti-Debugger) file
Figure (11)

Figure (12)

Figure (13)

Protection Options for Unpackme_lvl1.exe
-----------------------------------
Macros Information
-----------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
-----------------------------------
No files to bundle
Protection Options
-----------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: DISABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: DISABLED
Anti-Registry Monitor: DISABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
-----------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
-----------------------------------
Application compression: DISABLED
Resources compression: DISABLED
SecureEngine compression: DISABLED
Virtual Machine Settings
-----------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED
Figure (14)

To bypass Themida's Anti-Debugger option,

Figure (15)

Figure (16)

Figure (17)

Figure (18)

Figure (19)

Figure (20)
☺☺☺

Figure (21)

Figure (22)

Figure (23)

Figure (24)

Figure (25)
(4) Unpacking a Themida (Anti-Debugger, Anti-File/Registry Monitor) file
Protection Options for Unpackm_lvl2.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: DISABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (26)

Figure (27)

Figure (28)

Figure (29)

Figure (30)

Figure (31)

Figure (32)
(5) Unpacking a Themida (Anti-Debugger, Anti-Dumpers ...) file

Protection Options for Unpackme_lvl3.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: ENABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED
Figure (33)

Figure (34)

Figure (35)

Figure (36)

Figure (37)

Figure (38)

Figure (39)
☺☺☺
(6) Unpacking a Themida (Anti-Dumpers, Memory Guard ...) file

Protection Options for Unpackm_lvl4.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: ENABLED
API-Wrapping Level: 1
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: ENABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (40)

Figure (41)

Figure (42)

Figure (43)
In Figure (43), right-click the code section and select Set memory breakpoint on write. Then press F9 (Run).

Figure (44)
When Figure (44) appears, press F8 (Step Over) once and then press F9 (Run) again.

Figure (45)

Figure (46)

Figure (47)

Figure (48)
JMP 0052764C;

Figure (50)

Figure (51)

Figure (52)

Figure (53)
After setting the breakpoint as in Figure (53), press F9. Execution will stop at the breakpoint. Figure (54).

Figure (55)

Figure (56)

(7) Unpacking a Themida file packed with the default options
(a) Finding the OEP

Figure (58)
2. After setting the breakpoint, press Shift+F9 and watch the EDI register.

Figure (59)

Figure (60)

Figure (61)

Figure (62)

Figure (63)
(b) Rebuilding the IAT
1. Restart the program. (Ctrl+F2)
2.

Figure (64)

Figure (65)

Figure (66)

Figure (67)
Then, as seen in Figure (68),

Figure (68)
4. After that, the CRC

Figure (69)

Figure (70)
5.

Figure (71)

Figure (72)

6. So the CRC-checking

Figure (73)
7. At this point

Figure (74)
8. Now

Figure (75)
Note: Actually, the real OEP's

Figure (76)
55 8B EC 6A FF 68 60 0E 45 00 68 C8 92 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83
C4 A8 53 56 57 89 65 E8 FF 15 DC 0A 46 00

Figure (77)
At VA 004271D6 we change the instruction to CALL kernel32.GetVersion. (It also works without this change.)

Figure (78)
Then

Figure (79)

Figure (80)
(c) Dumping

Figure (81)

Figure (82)

Figure (83)

Figure (84)
In conclusion, what I want to point out is that every time Themida changes to a new version
Cracking glossary - 399 -

Cracking glossary
ActiveMARK – Trymedia is a part of RealNetworks, and ActiveMark is Trymedia's pack/protect technology. Trygames is a part of Trymedia and handles the downloading, trial and sale of Trymedia's games.
alphanumeric code – An alphanumeric code is a combination of letters and digits written in an unintelligible form that only a computer can process. One example of an alphanumeric code is ASCII. More precisely, alphanumeric code is machine code that has been assembled and written as ASCII characters that cannot be read at all.
API – An API is simply a collection of functions that the OS provides. All Windows programs use API functions. Those functions live in the Windows system dll files such as kernel, user, gdi, shell and advapi. APIs are divided into two kinds: the native API and the Win32 API.
API redirection – API redirection is a technique in which most packers/protectors destroy the IAT (or import table), partially or completely, but write into the IAT a pointer to their own code for each redirected API. That is, the packer must take care to supply the packed/protected program with the address of the API from the system DLLs. Quite a few programs that use API redirection have problems with anti-virus software.
array – In programming, an array groups data of the same type; the items in an array are accessed by index (or element). Arrays are central to programming.
ASCII – Short for American Standard Code for Information Interchange; a 256-character set containing letters, digits and symbols. ASCII was designed in 1968 for transferring data between hardware and software. ASCII is divided into two sets: standard ASCII and extended ASCII.
assembler – A program that converts programs written in Assembly language into exe program files.
Assembly language – A low-level programming language that uses mnemonic codes. It can be converted into machine language with an assembler. The instructions differ depending on the processor used. The benefits of using Assembly language are faster execution and direct communication between the hardware and the programmer.
BadBoy – In a trial version of a program, the messages and advertisements that pressure the user to buy; or the place where they are found in a disassembled program.
base address – One part of a two-part memory address. It stays unchanged and provides a reference point for locating the data byte to be computed. An offset value follows a base address, and to find the exact location of the data the offset is added to the base. Used in early OSs.
base relocation – The entries in the .reloc section are called base relocations, because their use depends on the base address of the loaded image. A base relocation is a collection of locations in the image to which a value has to be added. Base relocation entries are packaged in chunks; each chunk holds the relocations for one 4KB page of the image.
binary – Of the number systems, the base-2 system, which can express only 0 and 1. These digits can be expressed as the logical values TRUE or FALSE. Because binary numbers are hard for humans to read, the octal and hexadecimal systems are used more often.
bit – Short for binary digit. The smallest unit of information a computer handles. A bit can hold only the 1 or 0 of a binary digit. Because 8 bits equal one character, they can represent letters, decimal digits and other characters.
breakpoint – A place set in a program so that execution stops there and what the program is doing at that moment can be inspected. Breakpoints are set inside debuggers and are mostly used on jumps and calls. Breakpoints can be divided into three kinds: software breakpoints, hardware breakpoints and memory breakpoints.
buffer overflow – Memory overflowing because of an unwanted event in the memory areas temporarily set aside for moving data. It occurs when programmers make mistakes while writing programs, and when hackers attack in order to degrade the OS's performance.
bypass – In cracking, skipping or tricking unwanted routines and message boxes.
cave – Empty areas in a program that are not used as code or data. They are used for inserting code.
cell – A unit that stores information. For example, a unit of a binary cell can store one bit of information.
cell address – The address of the cell where information is stored.
character – Represents a single letter, digit or other symbol. In programming languages, an identifier of one or more characters is called a string.
checksum – The computed value of an image. (A computed value used to check whether errors occurred while storing data. After the data has been stored, the checksum is computed again with the same method. If the two checksums differ, an error is shown and the data is stored again. Checksums cannot detect every error. Checksums cannot repair erroneous data.) Checksums are required for kernel-mode drivers and for some system DLLs.
child – Another process running under a process. If the parent process is closed, the child process closes automatically as well.
class – The basic unit of every OOP language. Classes are templates used to create objects. Classes can be used to create new data types. All of the programming can be written inside a class. Classes contain member variables and member methods.
code segment – A memory segment containing program instructions. When a program runs, the code segment is loaded into memory as a memory segment. The main program segment is kept in memory, and auxiliary segments are loaded only when needed.
comment – Notes on information related to the program. The compiler does not compile these notes.
compiler – A program that, following syntactic and semantic rules, converts source code written in a high-level language into object code before the program executes.
conditional breakpoint – An advanced breakpoint that stops the program when a specified condition is met.
conditional jump – In low-level programming languages, a jump instruction that compares a condition and decides whether it holds before going to a specified location. Examples: JE, JNZ.
constant – An identifier whose value does not change while the program runs.
crack – Looking at code to learn how new software is written; or removing the restrictions from a trial version of software, or inserting code.
cracker – Someone who does cracking, whether for fame or in order to learn how software works.
cracking – Doing a crack; or the art of cracking.
CrackMe – A sample program written to teach cracking to novice crackers; or a program written or packed in a deliberately difficult way to test the skill of advanced crackers.
CRC – Short for Cyclic Redundancy Check.
crypto – Using codes to transform information. The reader must use a key to read it. Example – Adobe Acrobat's File-open password.
CS – The memory segment where code is stored. Short for code segment.
data segment – The memory segment where the information the program calls on when it needs it is stored.
debug – Investigating whether a program has errors. Crackers debug in order to modify code and to crack.
debugger – A program designed to let a programmer step through a program one instruction at a time in order to inspect data and to watch variable values change. An indispensable tool for crackers.
decimal – The base-10 number system.
decompiler – A program that converts Assembly code or machine code back into high-level source code. The problem is that in some Assembly languages there is no code that corresponds to high-level source code.
decompression stub – In packed programs, the process or routine that converts the packed/compressed code back into the original code.
decryption – Converting encrypted data back into its original form.
delay import table – Points to the Delayload information, an array of ImgDelayDescr structures that Visual C++ defines in DELAYIMP.H. Delayloaded DLLs are not loaded until an API found in them is called for the first time. Windows does not rely completely on delay-loading DLLs.
destination – The place to which a file or a value will be copied or moved.
disassembler – A program that converts machine code into Assembly source code. Some debuggers come with a built-in disassembler and let an exe program be viewed as human-readable Assembly language.
diversion code – Code unrelated to the program, inserted to mislead crackers.
DLL – Short for Dynamic Link Library. A module containing functions and data. A DLL is called either from an exe file or from another DLL file. When a DLL is loaded into memory, it is mapped into the address space of the process that calls it. Because DLL files are loaded only when needed, more free memory is available. A DLL file can also be used by other programs.
dongle – See hardware key.
DOS header – PE files begin with a DOS header, found in the first 64 bytes of the file. The program starts out under DOS, so only when DOS recognizes it as a valid executable file does the DOS stub stored after the header run. The DOS header is a structure, defined in the windows.inc or winnt.h files. The DOS header structure has 19 members.
DOS stub – The DOS stub usually prints the text 'This program must be run under Microsoft Windows' and can itself be a DOS program. When Windows applications are built, the linker links a stub program called winstub.exe into the exe file.
dotNet Reactor – A protector that protects .net programs from being cracked.
double – Keyword used to declare decimal (floating-point) numbers. It can hold values from 1.7 x 10^-308 to 1.1 x 10^+4932.
driver – PE files indispensable for connecting software and hardware to the OS.
DS – The memory segment where data is stored. Short for data segment.
dump – Saving the decompressed file from memory onto disk.
EAX – Register used for arithmetic and for holding strings.
EBP – Used together with the stack pointer for stack operations. Short for base pointer.
EBX – Register used in connection with the stack.
ECX – Register used for adding numbers and for looping.
EDI – Register used to specify the destination of a string/array. Short for destination index.
EDX – Register that usually holds the remainder of an arithmetic division.
EIP – Register that holds the address of the next instruction. The EIP value cannot be changed.
encode – Transforming the original code to protect it from being debugged by crackers; or compressing code to make the file smaller.
endian – Storing hex values in memory in reverse order. The rightmost byte is the most significant byte. For example, the value 72 5E 7A 25 is found in memory as 25 7A 5E 72.
entry point – The place in a program where execution begins. The virtual address of the first instruction the program starts executing.
entrypoint Method – The first Method called when a .net application starts. Its importance is that the program's actions can be traced from the moment the program starts until the routine that performs registration is reached.
enxor – Encrypting with the XOR instruction.
ES – Used mostly for video matters. Short for extra segment.
ESI – Used to specify the source of a string/array. Short for source index.
ESP – Points to a specific location in the stack. Short for stack pointer.
exe – A program that can stand alone without the help of any other file.
EXE Password 2004 – A program from Salfeld computer that protects exe files with a password when one does not want others to open them. The password is stored inside the exe itself and decrypted only when needed.
executable – A program that can run. Examples - file0.bat, file1.exe, or file2.com.
exploit – Finding and taking advantage of a security weakness in an OS or in a piece of software.
file alignment – The alignment of the sections within the file. If the value in this field is 512 (200h), every section must start at a multiple of 512 bytes. If the first section is at offset 200h and its size is only 10 bytes, the next section still starts at 400h. The unused offsets between 512 and 1024 are not used.
Fish Packer – A packer that, like UPX and UPack, compresses a file to the smallest possible size; it is somewhat difficult to unpack.
flag – A register that indicates one of two states. The zero flag is set to 1 when two compared values are equal. There are many flags, such as the carry flag, parity flag, auxiliary flag, zero flag and sign flag.
flat memory – Used in Windows OSs. The size of a memory segment is 4GB.
float – Keyword used to declare decimal (floating-point) numbers. It can hold values from 3.4 x 10^-38 to 1.7 x 10^+38.
freeware – A program given away free on the internet. Freeware does not need to be registered.
FS – General-purpose segment. Used on 80286 and later processors.
FSG – Short for Fast Small Good. A packer program that compresses exe files.
full version – A version with no restrictions, in which all of the software's capabilities can be used.
function – A routine of a program that groups instructions or statements to perform a specified task. Functions can be divided into two kinds, and . They are also called APIs, routines, subroutines or calls.
GoodBoy – The message boxes and dialog boxes that say thank you for purchasing, registration successful and the like, together with the routines and APIs that call them.
GS – General-purpose segment. Used on 80386 and later processors.
handle – A pointer to a pointer; that is, a variable containing the address of another variable, which in turn contains the address of the desired object. In an OS, while pointers point to a block that may move, a handle points to a pointer stored at a fixed location in memory. If programs work only through handles, the OS can carry out memory management every time they take a block without affecting the programs.
hardware breakpoint – Ordinary breakpoints tend to break when the code changes. Hardware breakpoints are used when one wants to watch whether the code at a specified location is called, or whether the data in the dump window (data window) is read or written.
hardware key – A device, such as a printer-port connector, used to protect software or a computer from unauthorized use. Also called a dongle.
HASP key – A dongle key produced by Aladdin Knowledge Systems.
hexadecimal – The base-16 system used to represent numbers. The system uses 0-9 and A-F to represent the decimal numbers 0-15. One hexadecimal digit equals 4 bits. For example, the binary number 0101 0011 equals 53 in hexadecimal. Because binary representation is hard to read, the base-16 hexadecimal system was invented. The opcodes in the mnemonics of Intel CPUs and shellcode are expressed in HEX codes.
hook – A place inside a routine or program where a programmer, when debugging or extending functionality, connects to other routines or inserts routines.
IAT – Short for Import Address Table. Every Win32 exe application has an IAT, and when an application calls a Windows API function it uses the IAT as a lookup table. So, before the program runs, the Windows loader has to find the address of every API in order to build the IAT through which the program will make its calls. While the program is running, when it wants to call an API it looks in the IAT and immediately finds the address it needs to jump into the DLL. In unpacked files, because the packer/protector destroyed the IAT, the IAT has to be rebuilt.
IDA – Short for Interactive DisAssembler; one of the best disassemblers, able to debug DOS/Windows/Unix/Macintosh/Java/.Net/Console programs as well as programs written for other OSs.
IL – .net programs are not compiled directly into machine code; they are compiled into IL, the Intermediate Language. IL's main advantage is that the identifiers (class names, function names, variable names) remain intact in compiled programs.
imagebase – The preferred load address for PE files. If the imagebase value is 400000h, the PE loader will try to load the file at the virtual address beginning at 400000h. In exe programs the imagebase value is 400000h, and in dll files (except Windows OS program files compiled with the Visual C++ DLL method) it is 1000000h.
immediate value – A data value used when an assembly-language instruction executes. It is contained in the instruction itself rather than being pointed to by an address in the instruction.
index register – Index registers (except EIP) can be used as general-purpose registers as long as their original values are preserved. They are called index registers because they frequently hold memory addresses. Some opcodes (movb, scasb, ...) use them.
inline patching – Modifying code or inserting new code without unpacking the file, especially in packed or protected files.
instruction – The term used in assembly language for mnemonics.
interpret – To translate program code into machine code one line at a time.
interpreter – A small program in which languages such as Basic or CNC can be written and which interprets them into machine code.
jump – Transferring execution to a specified location.
kernel – The backbone of the OS; it manages memory, files and hardware. It also keeps the time and date, launches applications and allocates resources.
keygen – A file created by crackers that generates the key corresponding to a given user name.
KeygenMe – A sample program written to teach cracking to novice crackers, or a deliberately difficult program written to test the skill of advanced crackers.
link – Joining DLL or OBJ files together before producing an exe file.
linker – The program used to link DLL or OBJ files together into an exe file.
loader – A small application that starts a process and waits while that process (the software) unpacks itself or undoes its protection. It then takes advantage of mistakes or weaknesses the program's author left behind and patches the process in memory.
machine code – A system of instructions and data that the computer's CPU understands directly. Each CPU model has its own machine code, or instruction set, and these may or may not coincide.
malicious code – Code inserted into programs, unrelated to the program itself, in order to carry out sabotage or steal security-related information. Malicious code can spread from one program file to another.
malware – Software that contains malicious code.
MD5 – A 128-bit encryption scheme produced by MIT Lab and RSA Data Security Inc. For example, phpBB forums use it to encrypt login passwords.
memory breakpoint – A breakpoint set on a section or on a specified address range, so that the program is stopped and you are notified when it writes data to, or reads data from, that range.
metamorphic code – Code that can rewrite itself. Some viruses use it when infecting new files, so that the infected programs never look the same as the original. Computer viruses use this technique to avoid having their signatures recognised by anti-virus software.
mnemonics – In assembly language, the codes that perform an operation such as addition or subtraction.
module – In cracking, the exe file and the DLL files it loads and uses.
MoleBox – An advanced packer that packs all the files a program needs at run time into a single exe file. If the registration routine is written inside a DLL, this makes the program harder for a cracker to crack.
nag screen – The annoying message screens and advertisements shown when a program is opened or closed. Usually found only in trial-version software.
neutralize – What anti-virus software does when it detects a virus or trojan: removing the code inside the virus, deleting the virus file, and so on.
NFO – An information file describing a cracked file and the cracking team behind it.
NSPack – A packer program that can compress exe, dll and ocx files as well as .net files. The packed file is about the size of a UPX-packed file, and packed files run fine even on Windows 98.
obfuscation – The process of changing method and class names into unreadable characters so they cannot be found.
octal – The base-8 number system.
ocx – A type of PE file whose imagebase, like a .dll file's, starts at 1,000,000.
offset – The distance between a starting address and the address of a particular piece of code.
Olly – The best ring-3 debugger for crackers.
opcode – An instruction the processor understands. Most opcodes take operands.
optional header – The 224 bytes that immediately follow the file header; it contains information about the logical layout of the PE file (for example, AddressOfEntryPoint).
ordinary breakpoint – A normal breakpoint set on code.
overflow flag – A flag set to 1 when a value exceeds the capacity available to store it. Used mostly in arithmetic.
pack – The process of compressing an exe file and adding a decompression stub, which decompresses the file and starts execution so that it can still run. Packing reduces the file size and frees up space.
packer – A program that reduces the original file size by at least about 30% and makes the code harder for crackers to trace.
patch – To modify program code, either by hand or with the help of a program.
PE file – Programs and files that run only on Windows operating systems.
PE header – A structure called IMAGE_NT_HEADERS that contains the information the Windows loader absolutely requires.
PE signature – Hex byte patterns matched against a program to identify which compiler compiled it or which packer packed it.
pirate version – Software that has been cracked, or that illegally uses someone else's code.
pointer to raw data – The offset from the start of the file to the section's data. It must be a multiple of the FileAlignment in the module header.
pointer – A variable that holds the address of another variable.
polymorphic code – Code that changes its form while keeping the original algorithm intact. Computer viruses, shellcode and worms use this technique to hide their presence.
protector – Essentially a packer, but one that works over the code more thoroughly than a simple packer. The main weakness of protectors is the size of the protected file. While packers make the packed file smaller, protectors add a great deal of code to defend against crackers, so some protected files (small ones) end up 600% larger than the original.
recursion – Calling a function repeatedly.
Reflector – Software used to decompile .NET programs. The decompiled code can be viewed as C#, VB, Delphi, IL, Chrome or Visual C++.
registration – Entering the information needed to turn a trial version of software into the full version, or the code written to make that possible.
registry – In cracking, the database in which registration-related information is stored.
relocation table – Points to the base relocation information.
resource – The icons, bitmaps, dialogs and strings contained in a program.
reversing – Studying the behaviour of an OS or program using debugging tools.
rip – To take or cut out the code you need.
RSA – A public/private key algorithm in widespread use in the field of encryption. Microsoft Windows uses it as a cryptographic service provider (CSP).
RVA – Short for Relative Virtual Address.
section – Where a program's code, data and resources are stored.
section alignment – The PE header has two different alignment fields: section alignment and file alignment. Section alignment, as described above, is how the sections are aligned when loaded into memory. It is given in bytes. This value must be greater than or equal to the file alignment; the default is the system's page size.
segment register – Registers that address segments of memory; used on 16-bit operating systems. Because DOS divides memory into 64KB segments, a memory address has to be given as segment and offset, like 0172:0500 (segment:offset). Segment registers are 16-bit registers.
Sentinel – A dongle produced by Rainbow Technology (www.rainbow.com).
serial fishing – Finding, while debugging, the serial the program computes. Serial fishing does not work on every program.
shareware – Copyrighted software that can be used free of charge before buying.
shellcode – A small piece of machine code used as the payload when exploiting a software bug. By exploiting a weakness in software running on the machine, it lets unauthorised users connect to the computer through the OS command line. It is usually stored as a null-terminated (\0) string and therefore cannot contain null characters.
sign flag – The flag that indicates whether a result is positive or negative.
size of raw data – The size of the section's data in the file on disk. It is a multiple of the FileAlignment in the module header; if it is smaller than the virtual size, the remainder of the section is filled with zeros. When a section contains only uninitialized data, this field must be zero.
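As an added illustration (not code from this book), the PE fields described in the imagebase, optional header, pointer to raw data, section alignment, size of raw data and RVA entries can be read and checked with a small parser. The image it parses is constructed inside the code and is not a real binary; the field offsets follow the standard IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER layouts.

```python
import struct
from typing import Dict, List

def parse_pe_headers(data: bytes) -> Dict:
    """Read the PE32 signature, optional header and section table the glossary describes.
    Optional-header offsets used: AddressOfEntryPoint 16, ImageBase 28, SectionAlignment 32,
    FileAlignment 36; each section header is 40 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    file_hdr = e_lfanew + 4                         # IMAGE_FILE_HEADER, 20 bytes
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20                             # IMAGE_OPTIONAL_HEADER32 starts here
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 10Bh) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    imagebase, sec_align, file_align = struct.unpack_from("<III", data, opt + 28)
    sections = []
    for i in range(nsec):                           # section table follows the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry_rva": entry_rva, "imagebase": imagebase, "section_alignment": sec_align,
            "file_alignment": file_align, "sections": sections}

def check_sections(pe: Dict) -> List[str]:
    """Apply the alignment and size rules from the glossary entries; one note per anomaly."""
    notes = []
    fa, sa = pe["file_alignment"], pe["section_alignment"]
    for s in pe["sections"]:
        n = s["name"]
        if s["raw_size"] % fa:
            notes.append(f"{n}: SizeOfRawData is not a multiple of FileAlignment")
        if s["raw_ptr"] % fa:
            notes.append(f"{n}: PointerToRawData is not a multiple of FileAlignment")
        if s["va"] % sa:
            notes.append(f"{n}: VirtualAddress is not a multiple of SectionAlignment")
        if s["raw_size"] == 0:
            notes.append(f"{n}: no raw data (uninitialized section)")
        elif s["vsize"] > s["raw_size"]:
            notes.append(f"{n}: VirtualSize exceeds SizeOfRawData, tail is zero-filled at load")
    return notes

def rva_to_file_offset(pe: Dict, rva: int) -> int:
    """Map an RVA to its file offset: RVA - VirtualAddress + PointerToRawData."""
    for s in pe["sections"]:
        delta = rva - s["va"]
        if 0 <= delta < max(s["vsize"], s["raw_size"]):
            if delta >= s["raw_size"]:
                raise ValueError(f"RVA {rva:#x} lies in the zero-filled part of {s['name']}")
            return s["raw_ptr"] + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def build_sample_pe(sections, entry_rva=0x1010) -> bytes:
    """Constructed PE32 image (headers only, not a real binary) with ImageBase 400000h,
    SectionAlignment 1000h and FileAlignment 200h, the values the glossary quotes."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                 # e_lfanew = 40h
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0x200, 0x200, 0x100, entry_rva,
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return (dos + b"PE\0\0" + file_hdr + opt + table).ljust(0x800, b"\0")

# Constructed sample: .text fits its raw data, .data is bigger in memory than on disk, .bss has none.
SAMPLE_PE = build_sample_pe([(b".text", 0x1A0, 0x1000, 0x200, 0x400, 0x60000020),
                             (b".data", 0x800, 0x2000, 0x200, 0x600, 0xC0000040),
                             (b".bss", 0x100, 0x3000, 0, 0, 0xC0000080)])
```

Running `check_sections(parse_pe_headers(SAMPLE_PE))` reports the zero-filled tail of .data and the missing raw data of .bss, while `rva_to_file_offset` turns the entry point RVA 1010h into file offset 410h.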
SmartCheck – The best debugger for fishing serials out of VB programs. With SmartCheck you can follow in detail how VB code runs, event by event. SmartCheck cannot debug p-code.
source – The location of the data to be moved or copied.
source code – Code written by programmers in a programming language.
SS – The register used to hold the addresses passed by routines. Short for stack segment.
stack – A reserved area of memory in which the program stores information about procedures, function call addresses, parameters and local variables. It works on a Last In, First Out (LIFO) basis.
stolen bytes – Bytes taken, and removed, from the original exe file and placed inside the packer's code. When the program is dumped from memory at the OEP, those bytes are no longer in the dumped exe, and without them the program will not run properly. This is one way of protecting a program against cracking.
string – Text made up of one or more words.
StrongName – A strong name consists of the assembly's identity: its simple text name, version number and culture, plus a public key and a digital signature. It is generated from an assembly file using the corresponding private key. Microsoft Visual Studio and other tools that use the .NET framework can assign strong names to an assembly.
SVKP – A protector for exe files that uses four different techniques: (1) the RSA algorithm, (2) API function redirection tricks, (3) anti-debug tricks, and (4) protection against dumping from memory and against tracers.
Themida – A protection system that uses the SecureEngine protection technology to guard software against cracking. From a cracker's point of view, Themida is completely different from the usual software protectors. For developers it is easy to use and lets them easily pick the advanced protections they want.
thread – A process that forms part of a larger process or program.
TimeDateStamp – Refers to the time at which the file was created. Olly shows it as a hex number; some PE viewers show it in a plain format instead of hex.
TLS table – Points to the initialization section of Thread Local Storage. The TLS section contains the thread-local variables declared with declspec(thread); when such variables are used, the compiler places them in a section named .tls.
tracer – A program or function that traces the program's code line by line until a specified breakpoint is reached.
trial version – Software that can be used only for a limited time or number of runs.
unconditional jump – A jump that always goes to the specified address, regardless of any condition.
UNICODE – A 16-bit character set developed by the Unicode Consortium between 1988 and 1991. Each character is represented using 2 bytes. Of the 65,536 possible Unicode characters, 39,000 are in use, 21,000 of them for Chinese characters; the rest are left unassigned.
unpack – Restoring packed data to the original code.
unpacker – A program that unpacks packed files.
unregistered – The state of not having been purchased.
UPX – A well-known packer for shrinking exe files that uses no advanced protection techniques. Short for Ultimate Packer for eXecutables.
virtual address – The address an application uses in memory.
virus – A program file that can replicate itself and infect program files, and that disturbs computer users with malicious intent. Viruses cause harm either accidentally or deliberately.
worm – A program that makes copies of itself in the memory of each computer and spreads between computers.
zero flag – The flag that indicates whether the result of comparing (subtracting) two values is zero.
Cracking-related Internet websites
(1) ARTeam
http://www.accessroot.com
(2) SND Team (Seek and Destroy)
http://www.tuts4you.com
(3) AoRE (Art of Reverse Engineering)
http://www.aoreteam.com
(4) BiW Reversing
http://www.reversing.be
(5) Unpack Team (Chinese)
http://unpack.cn
http://www.cracktool.com
(6) Team ICU
http://www.teamicu.org
(7) AHTeam (Alien Hack)
http://www.ahteam.org
(8) RETeam (Reverse Engineering Team)
http://www.reteam.org
(9) True Team
http://www.lastepidemic.net/
(10) Reverse Engineering Association (Vietnamese)
http://www.reaonline.net/
(11) Cracking Tools (Russian)
http://www.cracklab.ru
(12) Cracking Tools (Chinese)
http://www.pediy.com
(13) Disassembling Tools (Russian)
http://www.wasm.ru
(14) Arab Team 4 Reverse Engineering
http://www.at4re.com
(15) Other cracking-related websites
(16) Websites distributing cracked versions
(17) Forums distributing cracked versions
(18) Programming-related websites
http://www.codeproject.com
http://www.functionx.com
http://www.ucancode.com
http://www.dreamincode.net
(19) Websites distributing cracks, serials and keygens