
Preface

This book, titled "Cracker Guide", is published for enthusiasts who are not yet familiar with cracking (reverse engineering). Reverse engineering is a very deep and broad field, and the discipline of cracking that branched off from it is entirely a part of reverse engineering. This book does not discuss reverse engineering on its own; it discusses only the reverse engineering that relates to cracking.

Cracking is not yet popular in our country. That is because even the craft of programming is not widespread here. Few people have studied cracking, and its importance has remained obscure, for several reasons: cracking is the reverse of programming and can only be studied once one understands the principles of programming; in our country people study only those computer subjects that easily lead to a job; there is no support from the government or from any organization; few people know how deep and useful the discipline is; and pirated versions of software can be bought easily and cheaply.

If we look at today's IT world, we see software appearing in abundance. Because even the producers themselves cannot check every line of their programmers' (developers') code, and because some dishonest programmers insert malicious code, it has become hard to trust the programs on the market completely. A further problem is that in our country a great deal of software cannot be bought. These factors make it necessary to study cracking.

There is no official permission to write and publish about cracking, so books on cracking cannot be bought, whether in bookshops or online. Nevertheless, cracking is spreading rapidly around the world. To give an example, even Vietnam, a Southeast Asian country, is on a par with the rest of the world in cracking. Meanwhile, in our country there are still many people who cannot even properly use patch (crack) files written by others. So I hope this book will open readers' eyes and ears, and I believe it will be a brick and a grain of sand toward the development of Myanmar's IT world.

While some have welcomed the publication of this book, there are also those who view it with suspicion or concern. Because most of the lessons in the book show how to use software for free through the weaknesses of software currently sold internationally, they worry that their own software will be cracked. There is no need to worry about that. Up to the time this book was published, I have neither demonstrated cracking of, nor shared online, any Myanmar software that is legitimately written, published and sold. Likewise, since not a single word about domestic software is discussed in this book, I believe it cannot harm the interests of Myanmar developers in the slightest. By learning the cracking methods in this book, developers will be able to devise ways to keep their software from being cracked. (Note: whether or not this book had been written, Myanmar software would be cracked anyway.) Whatever good or bad comes from reading this book is purely a matter of readers' own attitudes toward domestically produced software.

I believe there is no shortage of benefits from studying cracking. The first point is the malware problem. Today some young programmers are committing fraud by creating viruses and trojans and by inserting malicious code into software. While they pride themselves merely on being able to write such programs, to crackers their programs are nothing but child's play. If you have mastered cracking, you can study the nature and workings of viruses and trojans, and solve those problems completely by removing the malicious code from the software. What I want to say here is that cracking is not useful merely for removing software protections. The second benefit concerns errors that occur while a program is running. In very large software, bugs are not easy to find. Cracking can resolve such bugs easily, whether by finding the exceptions or by finding the offset. A third advantage is that if you want to write a piece of software you do not yet know how to write, you can crack an existing one and see how it was written. In this way cracking can help improve your programming skills. The last point is that once you understand the steps of cracking, you can prevent others from cracking your own software.

There is one suggestion I want to make here. To study cracking, the reader must be familiar with C or Assembly as a programming language, or else already be proficient in some other programming language. (C and Assembly are explained in this book as well.) I say this because C and Assembly are low-level programming languages while the others are high-level ones, and cracking is easier for those who have studied a low-level language.

This book was previously distributed free online as an e-book. The e-books were released in versions; the last version released was 2.2 (Second Edition). That book contained 46 chapters, but some of the chapters were not yet finished. This book contains only 19 chapters: to reduce the page count, the later chapters had to be left out. What differs from the e-book is that "Chapter (19) - Cracking Android Applications" was not in the e-books; it is a chapter newly added to meet today's needs, and I think readers will like it. Likewise, "Chapter (17) - Cracking Programs Written in Delphi" and "Chapter (18) - Cracking Programs Written in Visual Dot.net" have been rewritten and expanded.

For readers who are just starting to study cracking, I have one piece of advice. You do not need to read the chapters in order, nor read so as to understand every single word. Read chapters 1 and 2 thoroughly. Skim chapters 3 and 5. Read chapters 4 and 6 until you understand them. Set chapters 7 and 8 aside for now. Learn chapter 9 by heart and practice it. Once you fully understand chapter 9, go on to practice chapters 10 and 12. By then, in a short time, you will have enough of a foundation in cracking. After that you can study the remaining chapters in whatever order you like. Other lessons that readers absolutely should read are the Reversing Tutorials (1-40) written by Lena151. You should also make a point of studying the video tutorials from http://cin1team.biz.

I would like to explain a little about how this book was written. Some readers think I wrote all the lessons myself. Most of the chapters in this book are direct translations. However, in translating Lena151's lessons I changed the pronouns, because Lena151 is a woman. Some parts were translated loosely, because a direct translation would be hard for readers to understand. Unnecessary parts, unimportant parts, and parts that were hard to translate (Vietnamese translated via Google) were not translated. Not every chapter in the book is a translation; some I wrote myself (for example, Basic C Language), so tutorials for those lessons will not be found online. A list of the books and papers referenced is also given in the appendix of the book.

The most suitable OS for hands-on cracking with Olly is Windows XP Professional Service Pack 3 (32-bit Edition). Since few people use Windows XP today, the reader will have to install Windows XP in VirtualBox and use it there. The installation steps are explained in a video tutorial. To watch the video tutorials, Flash software must be installed first.

I would like to express my special thanks here to my wife ZMA, who drew the cover of this book, the graphics for every chapter and the uPPP patch file frames; to the Myanmar Cracking Team crackers mrzingyi007, exitplus, Twizzy Indy, thandana and Orange Cracker; and to all readers.

August 13, 2016.


rhythm
(Myanmar Cracking Team)

This book is dedicated to my late parents, Captain Hla Po (Retd.) and Daw Ohn Tin.


Contents
Page
Preface 2
Chapter (1) Things Crackers Should Know 12
Chapter (2) Basic C Language 17
First C program
Second C program
Data type
Identifier
Third C program
keyword
if statement
Fourth C program
switch statement
Fifth C program
while loop
for loop
Sixth C program
Operator
Function
Seventh C program
Array
Pointer
Eighth C program
String
Ninth C program
File I/O
Last C program
Chapter (3) Basic Assembly Language 40
Introduction
Why use Assembly?
Assembly basics
Memory
Opcodes
File system
Conditional Jumps
A little about numbers
More opcodes
Basics of Windows-related Assembly language
Writing a simple Dialog Box program
Writing a Keygen program
Chapter (4) Software Protection 71
Using registration numbers
Time and usage-count limits
Using key files
Using hardware keys (dongles)
Chapter (5) Tools a Cracker Needs 81
Disassemblers
Decompilers
Debuggers
Hex Editors
Other tools
Chapter (6) Introduction to Olly Debugger 90
Debugger Window
Disassembler Window
The Data Window
The Registers Window
The Stack Window
Other windows
Debug Execution
Breakpoints
Other capabilities
Chapter (7) Introduction to IDA Pro Advanced 5.2 101
About virtual memory
The program's GUI
Loading exe code
Disassembler Window
Other windows
Menu and toolbar
Built-in IDA Pro programming language
Chapter (8) PE Header 121
PE file structure
DOS Header
PE Header
Data Directory
Section Table
PE File Sections
Export Sections
Import Sections
Loader
Inserting code into a PE file
Solving PE header problems
Terms used in the PE header
Chapter (9) Teleport Pro 1.61 and Cracking for the First Time 163
Studying how the program works
First method (nick123b@SND Team)
Second method (ThunderPwr@ARTeam)
Writing a keygen for Teleport Pro
Chapter (10) Patching (Beginner/Intermediate/Advanced) 181
Beginner-level patching (Plain Stupid Method)
Intermediate-level patching
Advanced-level patching
Chapter (11) Creating Patch Files with uPPP 208
Creating a patch file for Internet Download Manager 6.0.x
Creating a patch file for FlyHelp 6.1
Chapter (12) Windows APIs Crackers Should Watch For 215
CreateProcess
GetWindowText
GetdlgItemText
GetDlgItem
lstrcmp
GetPrivateProfileString
GetPrivateProfileInt
RegQueryValueEx
WritePrivateProfileString
CreateWindowEx
CreateFile
DialogBoxParamA
ShowWindow
MessageBox
SendMessage
SendDlgItemMessage
ReadFile
WriteFile
GetSystemTime
GetFileTime
SetTimer
Chapter (13) Cracking Using the Program's Resources 230
Chapter (14) Packers (Protectors) 240
Packing with UPX
Unpacking a UPX-packed file
Patching with the inline-patch method
Unpacking an ActiveMark 5.0-packed file
Dumping an ActiveMark 5.0-packed file
Patching the dumped file
Unpacking a packed file whose packer is unknown
Chapter (15) IAT and API Redirection 273
API Redirection
Unpacking the packed file
Removing the redirection
Chapter (16) Cracking Programs Written in Visual Basic 302
The nature of the program
Finding the serial
Registering
Testing the registration
Changing SmartCheck's settings
Finding the serial in SmartCheck
ReverseMe1
CrackersConvert
ReverseMe2
Cracking VB P-code programs
Chapter (17) Cracking Programs Written in Delphi 338
Chapter (18) Cracking Programs Written in Visual Dot.net 356
What is .net ...
Tools
Opcode
Finding the Entry Point Method (EPM)
Finding the file offset of the EPM with CFF Explorer
Finding the Entry Point Method (EPM) with Ildasm
Finding the Entry Point Method node in the Ildasm tree
Using PEBrowse Debugger together with the Entry Point Method (EPM)
Patching basics
Unpacking an NsPack-packed .net file
Capturing the serial from a .net program
Removing the Strong Name Signature from a .net program
Inserting and modifying code inside a .net program
Writing a keygen for a .net program
Chapter (19) Cracking Android Applications 408
What is Android OS ...
How Android OS is structured
What is an APK ...
Preparing to crack
Cracking in brief
Preparing for the first crack
Patching Crackme0_by_lohan
Finding the serial in Crackme0_by_lohan
Cracking-related Internet websites 426
References 428
Chapter (1) - Things Crackers Should Know - 12 -

Chapter (1) - Things Crackers Should Know


In this "Cracker Guide" book, the first thing I want to explain is who we, who call ourselves crackers, are, and why we do the work of cracking. A true cracker's job is to study how programs work and what the most common kinds of protection are, and to think through and decide how to write the code. Sometimes people crack because they want fame; sometimes they crack because they want to try out new software. What I want to say in passing here is that cracking a program, and using cracked programs, is a crime and a violation of the law. (In some low-income countries, Myanmar included, nearly one hundred percent of people still use cracked programs illegally.) So, whether because you like the software or because you have money to spare, you should buy it. Otherwise, use only the trial versions.

A cracker's main duty is to be always eager to learn new things and to respect the work of others. Why insist on respect? Because programmers are human beings too. (That is to say: do not try to profit from programmers' hard work.)

The crackers of the criminal underworld, who are not true crackers, do the same work ordinary crackers do, but they have no ethics and no purpose. They only know how to steal software and sell it for their own profit. Such people are not called crackers. So being able to crack a piece of software does not make someone a cracker.

The difference between crackers and developers (programmers) is that developers keep their code as secret as they can and underestimate the abilities of crackers. They also rarely exchange knowledge with one another. Crackers are not like that. They freely distribute and discuss the new techniques they discover on forums, and when a cracker manages to crack software that is very hard to crack, he is eager for the admiration and respect of other crackers. That is why crackers compete on places like Requester Boards, and why the cracking community is growing so fast and so wide.

(Aside: Here I want to say a little about the term "programmer". Not everyone who writes programs is called a programmer. Only those who have programmed steadily for decades, who have mastered programming "like lime ground fine and water stirred through", are called programmers. The term "cracker" is also commonly misunderstood. Before Windows XP appeared, small-time hackers who broke into other people's operating systems illegally and stole data were called crackers. Today the term "cracker" refers only to people who specialize in removing software protections, that is, reverse engineers.)

Why crack software? Because through cracking you come to know in detail how programs work, how a computer works, the inner workings of the processor, and how people think. Even if you later leave the cracking world for whatever reason, compare what you knew before with what you know now; you will notice a great difference. In the public's view, cracking is thought to be illegal. That view is wrong. If it is purely a matter of studying how a program was written, and you neither try to distribute the cracked software (including distributing it for free) nor use the cracked software, then no crime is committed and there is no conflict with the law. (Note: at the time this book was being written, those who distribute, sell and use cracked software in Myanmar were not yet in conflict with the law.)
To become a good cracker, you need to understand the following basic rules:
(1) You will not be able to crack every piece of software. Remember this. Because you are not a genius, and it is impossible to know everything.
(2) Every piece of software can be cracked. Sooner or later, every piece of software becomes crackable. As an example, when ASProtect 1.3 first appeared, people thought it was impossible to crack. After a year or two, even novice hobbyists were cracking it with ease. (Word to PDF Converter 3.0 is protected with ASProtect 1.3.)
(3) Share your experience and knowledge. If you discover a special trick, tell others. Write tutorials, articles and crackmes. Do whatever you can to help the next generation of crackers.
(4) Read many cracking tutorials. As rule (1) says, we are not the best, and we do not have time to study everything. So others know things we do not, and there will be things we know that they do not. Therefore keep reading tutorials continuously.
(5) Study code. If you know how a complex program works and how it was written, cracking it becomes easier.
(6) Do not rely too heavily on the tools most people use. It is better if you can switch between tools. Only then will the programmers who write shareware be unable to gang up on your tool. Find a tool and study it. Master it. Become a tool yourself.
(7) Get in touch with cracking groups. Join one, even as a temporary member. Then they will help you, and you may be able to help others too. In the end you will come to know the protections you are studying well.
(8) Always stay up to date. This point is very important. You must use the latest tools and study the latest developments. Add the shareware authors to your email contacts and keep in touch with them. Study their techniques. Get close to at least one of them.
(9) Research on your own. Find out new discoveries and tricks by yourself. Try to solve problems yourself without consulting books. If you discover something new, do not forget to teach others. Self-study is the best.
(10) Do not abuse the programs of software authors. They have worked hard to bring their software into being and make it succeed. Do not abuse or steal cracks, keygens or serials written by others. If you do, the cracking groups will shun you, and the team you belong to will lose its reputation.
(11) Write lots of code. Read a lot. Crack a lot. Write lots of tutorials. You will become a good cracker.

If you are about to start studying cracking, it is absolutely impossible without any experience in programming. A great deal of software is written in the Visual C++, Borland Delphi and Dot.net programming languages. (This does not mean that, because software is written in these languages, you must master them.) The two languages that help most in making cracking easy to understand are C and Assembly. Since C is easier than Assembly, study C first. Depending on your aptitude, that will take at least 21 days. Only after that should you try to crack. The next language is Assembly. When Assembly is mentioned, most people picture the assemblers of the 16-bit era. The Assembly you need to learn is 32-bit Assembly. (At present, even 64-bit Assembly has appeared.)

The basis of cracking is the study of compiled computer binary code, or machine code. In the early days of computing, programs were written entirely by hand; there were no compilers yet. Writing programs was very complicated and very error-prone. That is why the compiler, which can translate human language into computer language, was invented. Today programs are compiled or assembled. If this code is revealed as binary code using a disassembler, you will see something like the following:
100100100101010010101010010100001100111001
Binary is the base-2 system, built on 0 and 1. But because this representation is hard to read, the base-16 hexadecimal system was devised. The hexadecimal system has the digits 0 through 9 and A (10) through F (15). Some HEX code is shown here:
817D 0C 10010000 (HEX)
10000001011111010000110000010000000000010000000000000000 (BIN)
HEX codes are used very widely, because the opcodes behind the mnemonics of Intel CPUs are expressed in HEX.
JNZ 00002A; here the opcode for the JNZ mnemonic is 75h (117d).
PUSH 0C8; here the opcode for the PUSH mnemonic is 68h (104d).
For details of the Assembly language, read the "Basic Assembly Language" lesson.

Today the best-known and most widely used operating systems are the Microsoft Windows platforms: Windows 98, Windows NT, Windows 2003, Windows XP, Windows Vista, Windows 7/8 and so on. All of these OSes fundamentally share the use of the Win32 API (Application Programming Interface). (In the DOS era, interrupts had to be used to talk to the computer hardware.) Thousands of API functions ship with Windows as DLL (Dynamic Link Library) files, for example kernel32.dll and GDI32.dll. If you are going to crack, you must also understand these .dll files and API functions.

If you come from the Unix/Linux world, you will have noticed that there is the ELF format for executable files to run. Windows uses the PE format. The file types that use PE are .exe, .dll, .ocx, .sys, .cpl and .scr files. If you are going to crack, you must know these files inside out.
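Telling these formats apart is the first thing any PE tool does before it reads anything else. As an added example, not code from the book, the C function below classifies a buffer as ELF, PE32, PE32+, MZ-only or unknown by following the DOS header's e_lfanew field to the "PE\0\0" signature and reading the optional-header magic, checking every offset against the buffer length so that a truncated file or a crafted e_lfanew is reported instead of read past; the sample headers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes of an executable image. */
enum exe_kind {
    EXE_UNKNOWN = 0,   /* neither an MZ nor an ELF header */
    EXE_TRUNCATED,     /* e_lfanew points past the data we have */
    EXE_MZ_ONLY,       /* DOS header present but no valid "PE\0\0" signature */
    EXE_PE32,          /* PE with optional-header magic 0x10B (32-bit) */
    EXE_PE32PLUS,      /* PE with optional-header magic 0x20B (64-bit) */
    EXE_PE_OTHER,      /* "PE\0\0" present but an unrecognised optional-header magic */
    EXE_ELF
};

/* Little-endian readers: PE fields are little-endian regardless of host. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify a buffer holding the start of a file.  Every offset is checked
 * against len before it is dereferenced, so a truncated file or a crafted
 * e_lfanew cannot make this read out of bounds. */
enum exe_kind classify_exe(const unsigned char *buf, size_t len)
{
    if (len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0)
        return EXE_ELF;
    /* The DOS header is 0x40 bytes; anything shorter cannot carry e_lfanew. */
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return EXE_UNKNOWN;
    uint32_t pe_off = rd32(buf + 0x3C);   /* e_lfanew: offset of the PE signature */
    /* Need signature (4) + COFF file header (20) + optional-header magic (2). */
    if (pe_off > len || len - pe_off < 4 + 20 + 2)
        return EXE_TRUNCATED;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0)
        return EXE_MZ_ONLY;
    uint16_t magic = rd16(buf + pe_off + 4 + 20);
    if (magic == 0x10B) return EXE_PE32;
    if (magic == 0x20B) return EXE_PE32PLUS;
    return EXE_PE_OTHER;
}

/* Constructed sample: an MZ stub whose e_lfanew points at a PE header with
 * the given optional-header magic.  Returns the number of bytes written. */
size_t build_sample_pe(unsigned char *out, size_t cap, uint32_t e_lfanew, uint16_t magic)
{
    size_t need = (size_t)e_lfanew + 4 + 20 + 2;
    if (e_lfanew < 0x40 || cap < need)
        return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (unsigned char)(e_lfanew);
    out[0x3D] = (unsigned char)(e_lfanew >> 8);
    out[0x3E] = (unsigned char)(e_lfanew >> 16);
    out[0x3F] = (unsigned char)(e_lfanew >> 24);
    memcpy(out + e_lfanew, "PE\0\0", 4);
    out[e_lfanew + 24] = (unsigned char)(magic);
    out[e_lfanew + 25] = (unsigned char)(magic >> 8);
    return need;
}

/* Run one constructed case and return its classification. */
enum exe_kind run_sample(int which)
{
    unsigned char buf[256];
    size_t n;
    switch (which) {
    case 0: n = build_sample_pe(buf, sizeof buf, 0x80, 0x10B); return classify_exe(buf, n);
    case 1: n = build_sample_pe(buf, sizeof buf, 0x80, 0x20B); return classify_exe(buf, n);
    case 2: /* same image, but only the first 0x50 bytes were read: e_lfanew overshoots */
        build_sample_pe(buf, sizeof buf, 0x80, 0x10B); return classify_exe(buf, 0x50);
    case 3: /* e_lfanew is in range but the bytes there are not "PE\0\0" */
        n = build_sample_pe(buf, sizeof buf, 0x80, 0x10B); buf[0x80] = 'X'; return classify_exe(buf, n);
    case 4: memset(buf, 0, 16); memcpy(buf, "\x7f" "ELF", 4); return classify_exe(buf, 16);
    default: return classify_exe((const unsigned char *)"plain text, not an executable at all", 36);
    }
}

int main(void)
{
    static const char *names[] = { "unknown", "truncated", "MZ only", "PE32", "PE32+", "PE (other)", "ELF" };
    for (int i = 0; i < 6; i++)
        printf("sample %d -> %s\n", i, names[run_sample(i)]);
    return 0;
}
```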
For novice crackers, the interesting subject in cracking is protected shareware. Advanced crackers, however, are interested in packing/unpacking PE files, adding or modifying functions in those files, recovering code that has been (removed or) destroyed, and writing cracking tools. That is why novice crackers mainly focus on removing the nags that come with shareware and finding serials, and thereby register the software. If they can study where and how the protection is applied and get to use the registered (cracked) version, that is the greatest success for them. In any case, before cracking, every cracker needs at least one tool to be able to crack protected software (programs). This tool is called a debugger, a decompiler or a disassembler.

The main purpose of using a debugger is to pause a running program at a place of your choosing and modify the code. When a program is debugged, an enormous amount of code comes out, and we have no time to study every line of it. So a debugger is used in order to stop at the needed or designated place. The most widely used debuggers/disassemblers are Olly, IDA Pro and W32dasm. Olly is free software and has a great many users, which is why most of the lessons written by advanced crackers use Olly as their example.

When you are about to try to crack a program, the first thing to do is find out which language the program was written in. For this you need tools such as PEiD or CFF Explorer. Use these tools first to find out which language the software you want to crack was written in. If the software was written in Visual Basic, it is better to use VB Decompiler instead of Olly. Likewise, if it was written in Dot.net, using Dot.net Reflector is more suitable and easier. Programs in the remaining languages can be debugged with Olly. (If the programs are packed, they must be unpacked first and only then cracked.)

If you ask how to crack, the only answer is that there are many ways. Finding the best solution for each different problem is up to the cracker.

To become an outstanding cracker, you must spend a lot of time on the internet. Download new tools and new tutorials from the internet. Join many forums, discuss and ask questions. Try cracking new and unusual software. Read the tutorials others have written until you understand them. Study files that have already been cracked. And you will have to write tutorials yourself ....
Chapter (2) - Basic C Language - 17 -

Chapter (2) - Basic C Language


Since becoming a good cracker requires mastering some programming language, this chapter explains the C programming language. You may want to ask why another language was not chosen. You might think: would C++ not be better? Would Visual C++ not be more complete? The answer is that C is the most fundamental and the simplest programming language. C++ only dresses C up. It is C that carries out the most basic operations. Visual C++ is built around Windows, so its code is unnecessarily long and would be confusing for you as someone just starting to study cracking. C's advantages over other programming languages are its complete set of operators, its full set of system-related functions, its great simplicity, its ability to express the essence of programming, and the help it gives in moving up to Visual C++. This lesson will not discuss the history and origins of C, but only how to write programs in C. Nor will it discuss how to create marketable software in C; it covers only those features of C that help with cracking. Therefore the graphics part has been left out without discussion. (Note: the graphics part is a DOS-based 16-bit system that nobody uses anymore today.) The structure part has also been left out, because it is not very useful for cracking. (Note: in C++, structures have been superseded by classes, which include far more advanced features.) If you are interested in C and want to study it further, I urge you to read "Beginning C - From Novice to Professional" by Ivor Horton. Whatever subject you study, if you want to know it in detail, I suggest reading many books, because each author explains and thinks differently.

A special warning: since the C programming language was invented on the basis of DOS, programs written in C drive the processor at one hundred percent, and so they are no longer compatible with Windows XP and the Windows versions released after it. Therefore, for writing programs we will not choose Turbo C 2.0 (DOS version) but use Borland C++ 5.02 (Windows version). The reason for warning in advance is that, since we will be writing programs in Borland C++ 5.02, you might think we are writing programs in C++. We will write programs purely in the C language. So do not forget to install Borland C++ 5.02 first. Then open Start menu > All Programs > Borland C++ 5.02 > Borland C++. Now you can start writing programs.

(1) First C Program
Type the code into the C++ compiler as shown in Figure (1). This program code is called source code.
When you press Ctrl + F9 (Run), the compiler converts the source code we wrote into exe code. (Strictly speaking, the compiler first converts the source code into assembly code, and only then does the assembler turn the assembly code into executable code.)

Figure (1)
If you run the code in Figure (1), you will see what is shown in Figure (2). This little program does not really do anything much; it merely displays the text "Welcome to Cracking World" on the computer screen. Alright, let us look at how the program works in detail.

Figure (2)

(1) yxrpmaMumif;u include qdkwmuawmh keyword wpfckjzpfygw,f/ uRefawmfwt kY d oHk;jyKr,fh header


zdkifawGudk C:\BC5\ atmufu include qdkwJh zdk'gatmufrSm xm;&Sw d htJ aMumif; uGefysLwmukd ajymMum;wmyg/
<stdio.h> qdkwmuawmh include zdk'gatmufu stdio qdkwJhtrnfeJY header zdkifudk toHk;jyKygr,fvdkY
ajymwmyg/ (<stdio.h>tpm; "stdio.h" qdk&ifawmh C++ compiler tvkyfvkyfaewJ?h wlnDwJhzdk'gatmufu
stdio qdkwJhtrnfeJY header zdkifudk toHk;jyKygr,fvkY d ajymwmyg/) stdio &JU t&Snfaumufuawmh STandarD
Input/Output jzpfygw,f/ 'D header zdkifawG&JU trnf[m t"dyÜm,f&v Sd Sygw,f/ tcsuftvufawGudk toGif;
txkwfvkyfr,fqdkwJhtaMumif; uGefysLwmudk compiler u yPmrBudKajymxm;wm jzpfygw,f/ bmawGudk
toGif;txkwfvkyfr,f? b,f function awGudkoHk;r,fqdkwmudak wmh twdtusajymjcif; r&Sdao;ygbl;/ conio
&JUt&Snfaumufuawmh CONsole Input/Output jzpfygw,f/ conio eJY stdio [m oabmw&m;csif;wlyg
w,f/ conio upmom;awGudk umvmeJjY yEdkiw f Jh uGJjym;rItenf;awmh&Sdygw,f/
(2) int main() qdw k muawmh y½d*k &rfuk'fawG a&;xnfh&r,fh t"duae&mjzpfjyD; oifa&;xnfhcsifwJhuk'fawGudk
'D main() function xJu { } xJrSm a&;&rSmjzpfygw,f/ printf() qdkwmuawmh function wpfcjk zpfjyD;
udk,fazmfjyapcsifwJh taMumif;t&m? tcsuftvufawGudk uGefysLwmzefom;jyifrSm jyoay;ygw,f/ printf() udk
oHk;r,fqdk&if stdio.h zdkifudk aMunmay;&rSm jzpfygw,f/
(3) getch() uawmh 'GET CHaracter' &JU twdkaumufyg/ uGefysLwmuD;bkwfuae ½dkufr,fhpmvHk;wpfvHk;udk
vufcHwmyg/ 'gayr,fh ½du k fxnfhwJh pmvHk;udkawmh zefom;jyifrSm jyrSmr[kwfygbl;/ bmaMumifh 'D function udk
oHk;&wmvJqdk&if y½d*k &rf[m printf() udkvkyfaqmifjyD;&if csufcsif;jyD;qHk;oGm;rSmrdkY y½dk*&rfudk cP&yfxm;csifvkY d
olUudkoHk;&wmyg/ uD;bkwfuae ESpfouf&m key wpfckckudk ESdyfvdkuf&if getch() &JUvkyfaqmifcsuf jyD;oGm;rSmyg/
getch() udk oHk;r,fqdk&if conio.h zdkifudk aMunmay;&rSm jzpfygw,f/
(4) return uawmh main() function eJY oufqdkifygw,f/ ol[m y½d*k &rfuk'fudk atmifjrifpGm vkyfaqmifEdkifcJh
jyDjzpfwJhtaMumif; y½d*k &rfqD taMumif;jyefygw,f/
(2) 'kwd,ajrmuf C y½dk*&rf

#include <stdio.h> /* 2nd C Program */
#include <conio.h>
/* print Fahrenheit-Celsius table for fahr = 0, 20, … , 300 */
int main()
{
    int fahr, celsius;
    int lower, upper, step;
    lower = 0; /* lower limit of temperature scale */
    upper = 300; /* upper limit */
    step = 20; /* step size */
    fahr = lower;
    while (fahr <= upper) {
        celsius = 5 * (fahr - 32) / 9;
        printf("%d\t%d\n", fahr, celsius);
        fahr = fahr + step;
    }
    getch();
    return 0;
}
yHk(3)

yHk(3)rSm jrif&wmuawmh zm&if[dkufeJY pifwD*&dwfwefzdk;awGudk yHkaoenf;toHk;jyKjyD; wGufcsufay;wJh
y½d*k &rfuk'ef JY xGuf&SdvmwJhtajzyg/ b,fzufuwefzdk; (0? 20? 40? 60? ponfjzifh)awGu zm&if[dkufwefzdk;
awGjzpfjyD; nmzufuwefzdk; (-17? -6? 4? 15? ponfjzifh)awGuawmh pifwD*&dwfwefzdk;awG jzpfygw,f/
y½d*k &rftvkyfvkyfyHkudk tao;pdwf MunfhMuygr,f/
(1) /* … */ oauFwudkawmh comment vdakY c:ygw,f/ wu,fvkYd y½d*k &rfeJY oufqdkifwJh taMumif;t&m
awGudk rSwfcsufay;csif&if comment oHk;ygw,f/ 'DvdkrSwfcsufay;xm;awmh 'Dy½d*k &rfudk bmtwGufa&;w,f?
b,fvdka&;xm;wmvJqdkwm tvG,fwul em;vnfEdkifygvdrfhr,f/ tjrJwrf; /* eJY pjyD; */ eJY tqHk;owf&yg
w,f/ C++ rSmqdk&ifawmh /* … */ tpm; \\ udk oHk;ygw,f/
(2) int qdkwmuawmh integer (udef;jynfh)udk qdkvdkwmyg/ uRefawmfwx dkY kwfr,fhtajzudk 'órudef;eJY rxGuf
apcsif&if int udktoHk;jyKygw,f/ fahr? celsius? lower? upper eJY step wdu kY dkawmh identifier vdkY ac:a0:yg
w,f/ (Identifier owfrSwfyHktm; Identifier acgif;pOfatmufwGif Munfhyg/)
(3) lower = 0; qdkwmuawmh yxrqHk;tajzxkwfapcsifwJh zm&if[dkuf'D*&D[m oknvdkY owfrSwfvdkufwmyg/
tjrifhqHk;zm&if[dkufuawmh 300 jzpfygw,f/ (rSwf&ef/ / main() function xJwGif pmaMumif;wpfaMumif;jyD;
wdkif; semi-colon (;) jzifh tqHk;owfay;&onf)/ step &JUqdkvdk&if;uawmh zm&if[dkufwefzdk; wpfckeJY wpfck[m
20'D*&Djcm;r,fvkY d qdkvdkwmyg/
(4) while(fahr<=upper){ … }uawmh zm&if[dkufwefzdk;[m tjrifhqHk;wefzdk;jzpfwJh 300'D*&Dxuf i,faepOf
twGif;jzpfap? wlnDaepOftwGif;jzpfap xJrSm&SdwJhuk'fawGudk tvkyfvkyfaeygvdkY qdkvdkwmyg/
(5) celsius = 5 * (fahr - 32) / 9; uawmh pifwD*&dwfwefzdk;udk &Smay;wJhyHkaoenf; jzpfygw,f/
(6) printf() function uawmh zm&if[dkuef JY pifwD*&dwfwkY&d JU wefzdk;awGudk tajzxkwfay;rSmyg/ %d udkawmh
udef;jynfhawGeJY ywfoufjyD; tajzxkwfwJhtcgrSm oHk;ygw,f/ \t (tab) uawmh tajzwpfckew JY pfckMum; tab key
tuGmta0;wpfckpm (vufr0uf) jcm;ay;ygvdkY qdkvdkygw,f/ \n (new line) uawmh uGefysLwmzefom; jyif&JU
aemufwpfaMumif;udk oGm;ygvdkY qdkvdkygw,f/
(7) zm&if[dkufwefzdk;udk 20aygif;ygw,f/ jyD;&if while loop qDjyefoGm;ygw,f/ pifwD*&dwfwefzdk;udk wGufcsuf
jyD; tajzxkwfygw,f/ 'DvdkeJY zm&if[dkufwefzdk;[m 300xufrMuD;rcsif; while loop udkyJ aqmif&Gufygw,f/
300xufMuD;oGm;&ifawmh getch() function udk vkyfaqmifrSmjzpfygw,f/ jyD;&ifawmh y½d*k &rf&JU vkyfaqmifcsuf
jyD;qHk;oGm;rSm jzpfygw,f/
(3) Data type
trsdK;tpm;        yrmP
unsigned char     0 rS 255 xd
char              0 rS 255 xd
short int         -32,768 rS 32,767 xd
unsigned int      0 rS 65,535 xd
int               -32,768 rS 32,767 xd
unsigned long     0 rS 4,294,967,295 xd
enum              -32,768 rS 32,767 xd
long              -2,147,483,648 rS 2,147,483,647 xd
float             3.4 x 10^-38 rS 1.7 x 10^+38 xd
double            1.7 x 10^-308 rS 3.4 x 10^+308 xd
long double       3.4 x 10^-4932 rS 1.1 x 10^+4932 xd

Data type qdkwmuawmh rdrdtoHk;jyKr,fh identifier (variable) awGudk a'wmtrsdK;tpm; owfrSwfay;wmyg/ ukd,faMunmr,fh variable [m pmvHk;vm;? 'órudef;vm;? udef;jynfhvm;qdkwm aumif;aumif;od
xm;&ygr,f/ Oyrm pmvHk;awGeyJY wfoufvm&if? pmom; (string)awGeJYywfoufvm&if char vdakY Munmay;&yg
r,f/ udef;jynfhawGqdk&if int vdkY aMunm&ygw,f/ 'órudef;awGtwGufqdk&if float eJY double udk toHk;jyKvdkY &ygw,f/
Variable wpfckudk char vdkYaMunm&if uGefysLwm&JU rSwfOmPfrSm 1 byte ae&m,lrSm jzpfygw,f/ 1 byte [m 8-bits eJY nDjyD; ydkjyD;&Sif;vif;atmif ESpfvDpepfeJY jy&&ifawmh atmufygZ,m;uGuftwdkif; awGUjrif&rSm yg/

1 1 1 1 1 1 1 1

Z,m;&JU tuGufi,fwpfckpD[m 1 bit udu k dk,fpm;jyKjyD; olUxJrSm 1 (od)kY 0 qdkwJh wefzdk;ESpfckudkyJ xnfh
xm;Edkifygw,f/ ESpfvDpepfudk,fpm;jyKwJhtwGuf olUxJrSmtrsm;qHk;xnfhEdkifwJh ta&twGuf[m 0 uae 255 xd
256 rsdK;xdyJjzpfygw,f/ 11111111 = 2^8 = 256 {0 rS 255 xd } (oknwefzdk;udkyg xnfhwGufjcif;jzpfonf/)

char eJY ywfoufwJh erlemawGudk avhvmMunfhygr,f/
char variable_name; // character pmvHk;wpfvHk;jzifhom tvkyfvkyfonf/
char variable_name [20]; // string pmvHk; 20jzifh tvkyfvkyfEdkifonf/
char * variable; // pointer string pmvHk;a& tuefUtowfrJh tvkyfvkyfEdkifonf/
char udk zdkifawGxJu tcsuftvufawGudk toGif;txkwfvkyf&mrSm jzpfjzpf? database y½d*k &rfawGudk a&;&mrSmyJjzpfjzpf? password eJY qdkifwJh y½d*k &rfawGudk a&;&mrSmyJjzpfjzpf toHk;trsm;qHk; jzpfygw,f/
int udk oHk;&ifawmh uGefysLwm&JUrSwfOmPfrSm 2 bytes ae&m,lygw,f/ 'gaMumifh olUxJrSm odrf;qnf;
xm;EdkifwJh *Pef;wefzdk;uawmh 2 bytes = 16 bits = 2^16 = 65536 xdjzpfygw,f/ int &JU toHk;jyKyHkawG uawmh -
signed int variable_name; // 2 bytes -32,768 rS 32,767 xd
unsigned int variable_name; // 2 bytes 0 rS 65,535 xd
short int variable_name; // 2 bytes -32,768 rS 32,767 xd
long int variable_name; // 4 bytes -2,147,483,648 rS 2,147,483,647 xd
unsigned long int variable_name; // 4 bytes 0 rS 4,294,967,295 xd
signed eJY short udkxnfh aMunmay;vnf; &ygw,f/ wu,fvkY d int variable_name; vdykY J aMunm
xm;&if compiler u signed short int variable_name; vdekY m;vnfygw,f/ C y½d*k &rfa&;&mrSm bmaMumifh
signed/ unsigned eJY short/ long awG aMunmae&ovJqdkwJh taMumif;&if;&Sdygw,f/ 'Djyóemu DOS
acwfwkef;u MuHKawGUcJh&wmyg/ tJ'Dtcsdefwkef;u RAM awG&JUyrmP[m tckacwfrSmvdk 1GB awG? 4GB awG
r[kwfygbl;/ 64KB? 128KB avmufom&Sdygw,f/ DOS &JUuefUowfcsufuvnf; 1MB xufMuD;wJh C
y½d*k &rfawGudk toHk;jyKcGifhray;ygbl;/ 'gaMumifh y½d*k &rfrmawG[m olwk&Yd JU y½d*k &rfudk uGefysLwm rSwfOmPfxJrSm
ae&m,lrIenf;atmif twwfEdkifqHk; MuHpnfMu&ygw,f/ 'gaMumifhvnf; rvdktyf&if twwfEdkifqHk; rSwfOmPf
acRwmEdkifzkYd long tpm; short udt k oHk;jyKMuygw,f/ qdkvdkwmu y½d*k &rfu wGufcsufvkYd&&SdwJh tajz[m
40000 eJY 50000 0ef;usifMum;yJ &Sdr,fqdk&if oifhtaeeJY 'D variable udk b,fvdkaMunmoifhw,f xifygovJ/
unsigned int variable_name; vm;? long int variable_name; vm;/ 'Dar;cGef;u variable wpfckwnf;
twGufqdk&if odyfta&;rMuD;ayr,fh variable awGaomif;eJcY sDvmcJh&if pOf;pm;zdkY vdkvmygjyD/ int variable_
name [200] [100]; qdk&ifaum/ oifbmudk a&G;cs,frSmygvJ/ Variable ta&twGuf 20000 udk udkifwG,f
ajz&Sif;csdefrSmawmh ta&;MuD;vmygjyD/ long int vdkY aMunm&if uGefysLwm&JUrSwfOmPfrSm 200 x 100 = 20000
x 4 bytes = 80KB ae&m,lygvdrfhr,f/ oifh&JU RAM [m 64KB yJ&Sdr,fqdkygawmh/ 'Dy½d*k &rf[m stack
overflow jzpfjyD; tvkyfvkyfrSm r[kwfygbl;/ (rSwfcsuf/ / 'DaeUacwfrSmawmh uGefysLwmrSwfOmPfrSm ae&m
b,favmuf,l,l pdwfylp&mr&Sad wmhygbl;/)
float udak wmh 'órudef;awGudk udkifwG,fajz&Sif;&mrSm toHk;jyKjyD; rSwfOmPfrSm 4 bytes ae&m,lyg
w,f/ double udkvnf; 'órudef;awGudk udkifwG,fajz&Sif;&mrSm toHk;jyKjyD; rSwfOmPfrSm 8 bytes ae&m,lyg
w,f/ 'ór 15ae&mpmtxuf wduszdkv Y dkwJh odyÜHqdkif&mwGufcsufrIawGrSm toHk;rsm;ygw,f/ long double
uawmh double eJY wlygw,f/ rSwfOmPfrSm 10 bytes ae&mpmae&m,lygw,f/
(4) Identifier
rdrdMudKufESpfouf&may;wJh variable awG&JUtrnfudk identifier vdkY ac:ygw,f/ Identifier awGudk
trnfay;csdefrSm atmufygpnf;rsOf;awGudk vdkufem&ygw,f/
(1) Identifier \tponf pmvHk; (A-Z, a-z) (od)kY underscore om jzpf&rnf/
(2) Underscore (_) oauFwrSty useftxl;tu©&mrsm; roHk;&/
(3) Identifier \ pmvHk;ta&twGufonf 255vHk;xuf rydk&/
(4) Keyword rsm;udk identifier tjzpf raMunm&/ (Oyrm case? return)
(5) MY_Variable123 eJY my_Variable123 wdkYonf rwlnDMuyg/ pmvHk;tMuD;tao; uGJjym;rI&Sdonf/
atmufyg identifier rsm;uawmh rSefuefwJhyHkpHawG jzpfygw,f -
int get_result_from_program;
int x123;
atmufyg identifier rsm;uawmh rSm;,Gif;wJhyHkpHawG jzpfygw,f -
int 123data;
int while;
int base@location;
int get-result-from-program;
(5) wwd,ajrmuf C y½dk*&rf

#include <stdio.h> /* 3rd C Program */
#include <conio.h>
/* print Fahrenheit-Celsius table for fahr = 0, 20, … , 300 */
int main()
{
    float fahr, celsius;
    float lower, upper, step;
    lower = 0; /* lower limit of temperature scale */
    upper = 300; /* upper limit */
    step = 20; /* step size */
    fahr = lower;
    while (fahr <= upper) {
        celsius = 5.0 * (fahr - 32.0) / 9.0;
        printf("%7.0f %10.3f\n", fahr, celsius);
        fahr = fahr + step;
    }
    getch();
    return 0;
}
yHk(4)

'Dwwd,ajrmuf y½d*k &rf[m 'kwd,y½d*k &rfeJY oabmcsif;wlygw,f/ bmaMumifh 'Dae&mrSm xyfxnfhoGif;&ovJq&dk if format specifier taMumif;udk &Sif;jycsifvykY d g/ Format specifier udk printf() function
eJY wGJoHk;jyD; % eJY pavh&Sdygw,f/ toHk;jyKvdkY&wJh format specifier trsdK;tpm;awGuawmh flag character?
width specifier? precision specifier? input size modifier eJY conversion type character wdkY jzpfygw,f/
'Dae&mrSmawmh toHk;0ifr,fh? toHk;rsm;r,fh format specifier awGudkyJ &Sif;jyrSm jzpfygw,f/
%d udef;jynhf (integer) taeeJY jyocsif&if oHk;ygw,f/
%o &SpfvDpepf (octal) eJY jyocsif&if oHk;ygw,f/
%u unsigned integer taeeJY jyocsif&if oHk;ygw,f/
%x 16vDpepf (hexadecimal)udk pmvHk;ao;eJY jyygw,f/
%X 16vDpepf (hexadecimal)udk pmvHk;MuD;eJY jyygw,f/
%f 'órudef;eJY tajzxkwfay;ygw,f/
%e Exponential eJY tajzxkwfay;ygw,f/
%E xyfudef;eJY tajzxkwfay;ygw,f/
%c Character taeeJY tajzxkwfay;ygw,f/
%s String taeeJY tajzxkwfay;ygw,f/
%l long taeeJY tajzxkwfay;ygw,f/
%lf double taeeJY tajzxkwfay;ygw,f/
%L long double taeeJY tajzxkwfay;ygw,f/
yHk(4)u printf("%7.0f %10.3f\n", fahr, celsius); udk Munfhvdkufyg/ %7.0f rSm 7 qdkwmuawmh
b,fuae pmvHk; 7 vHk;pm ae&m,lr,fvdkY ajymwmyg/ f uawmh 'órudef;awGudk tajzxkwfwmyg/ %10.3f
rSmawmh 10 u yxrpmom;uae 10ae&mpmae&m,lr,fvkY d ajymwmjzpfjyD; .3 uawmh 'ór 3 ae&meJY
jyay;ygvdkY qdkvdkjcif;jzpfygw,f/ aemufwpfckuawmh escape sequence taMumif;jzpfygw,f/ toHk;rsm;qHk;
escape sequence awGuawmh \t eJY \n wdkY jzpfygw,f/ \t uawmh tab key wpfae&mpmae&m,lr,fvkY d
ajymwmjzpfjyD; \n uawmh aemufwpfaMumif;udk qif;r,fvkY d ajymwmyg/
(6) keyword
C bmompum;rSm toHk;jyKvQuf&SdwJh keyword awGuawmh atmufygtwdkif; jzpfygw,f -
auto break case char const
default do double else enum
extern far float for goto
huge if int long near
register return short signed sizeof
static struct switch typedef union
unsigned void volatile while
Identifier awGuadk Munm&mrSm keyword awGudk variable trnfay;vdkYr&ygbl;/ Keyword wdkif;rSm
olU&JUvkyfaqmifcsuftoD;oD; &SdvkdUyg/ ta&;ygtoHk;rsm;wJh keyword awG&JU vkyfaqmifcsufawGukd oD;jcm;
acgif;pOfawGeJY aqG;aEG;rSm jzpfygw,f/
(7) if statement
tajctaewpf&yf&yf[m rSefovm;^rSm;ovm; qH;k jzwfcdkif;wJhtcgrSm if statement udt k oHk;jyKygw,f/
wcgw&HrSm else keyword eJY wGJoHk;wmvJ&Sdygw,f/ olU&JU jzpfEdkifwJhyHkpHtcsdKUuawmh 'Dvdkyg ...
(1)
if(condition) statement;
(2)
if(condition) statement;
else statement;
(3)
if(condition1) statement;
else if(condition2) statement;
else statement;
(4)
if(condition1) statement;
if(condition2) statement;

(1) yxryHkpHudkawmh tajctaewpfckck[m rSef^rrSef qHk;jzwfwJhtcgrSm toHk;jyKygw,f/
(2) 'kwd,yHkpHuawmh tajctaeESpfckteuf wpfckck[m vHk;0rSefudkrSef&r,fh tajctaerSm toHk;jyKygw,f/
(3) wwd,yHkpHuawmh tajctaeoHk;ck (od)kY oHk;ckxufydkwJhtxJu wpfckck[m vHk;0rSefudkrSef&r,fh tajctaerSm
toHk;jyKygw,f/
(4) pwkw¬yHkpHuawmh tajctaetm;vHk;[m rSefcsifrSef^rSm;csifrSm; jzpfEdkifwJhtajctaerSm oHk;ygw,f/
(8) pwkw¬ajrmuf C y½dk*&rf

yHk(5)
yHk(5)u uk'fawGudk run vdkuf&if yHk(6)twdkif;awGU&rSmyg/

yHk(6)
'Dy½d*k &rf[m uD;bkwfuae oif½dkufxnfhvdkufwJh *Pef;[m taygif;vm;? tEIwfvm;? oknvm;qdkwm
ppfaq;ay;rSm jzpfygw,f/ yHk(6)/ if statement udk oHk;jyD;a&;xm;wJh ½d;k &Sif;vSwJh y½d*k &rfav;yg/ 'Dae&mrSm
topfxyfwdk;vmwmuawmh scanf() function yg/ 'D function taMumif;udk tao;pdwfodcsif&ifawmh scanf
ae&mrSm mouse cursor udkxm;jyD; Ctrl+F1 udkESdyfvdkufyg/ olUudk b,fvdktoHk;jyK&rvJqdkwJh Help ay:vm
ygvdrfhr,f/ yHk(7)/ tjcm; function awGudkvnf; Ctrl+F1 EdSyfjyD; tao;pdwf MunfhvkY&d ygw,f/
yHk(7)
scanf() function udk uD;bkwfuae½duk fxnfhr,fh *Pef;? pmom;awGudkzwfzkY d toHk;jyKygw,f/ 'Derlem
y½d*k &rfrSm uRefawmfwzkY d wfr,fht&muawmh udef;jynfh*Pef;(%d) wpfck jzpfygw,f/ number_check &JUa&SUrSm
address sign (&) av;ygwm rarhygeJ/Y
Function awGtaMumif;odcsif&ifawmh Help udkrsm;rsm;zwfyg/ Help rSm ygvmwJh example awGudk
avhvmyg/ Example awGudk run Munfhyg/
(9) switch statement
if statement eJY oabmw&m;csif;wlwJh tjcm;wpfckuawmh switch statement jzpfygw,f/ olU&JU
toHk;jyK&r,fhyHkpHuawmh 'Dvdkyg ...
switch(expression){
    case constant_expression1: statement;
    case constant_expression2: statement;
    default: statement;
}

(10) 5ckajrmuf C y½dk*&rf


#include<stdio.h>
#include<conio.h>
#include<stdlib.h>
int main() { /* Copyright © Myo Myint Htike, 2009 */
    int menu;
    printf("Choose 1 to print \"Welcome!\" text. \n");
    printf("Choose 2 to print \"Sorry!\" text. \n");
    printf("Choose any number to exit!\n");
    printf("Please enter a number: ");
    scanf("%d", &menu);
    switch(menu){
        case 1: printf("Welcome!"); break;
        case 2: printf("Sorry!"); break;
        default: exit(0);
    }
    getch();
    return 0;
}

'Dy½d*k &rfuawmh switch statement udk b,fvdktoHk;jyK&rvJqdkwm jyowJh erlemy½d*k &rfyg/ b,fvdk
tvkyfvkyfovJqdkwmuawmh vufawGUprf;Munfhvdkufyg/ 'Dae&mrSm &Sif;jycsifwmuawmh exit() function yg/
exit() &JU t"dymÜ ,fuawmh ]exit functions} yg/ qdkvdkcsifwmu teD;pyfqHk; function uaexGufr,fvkYd
qdkvdkwmyg/ olUudkoHk;r,fqkd&ifawmh stdlib.h <STandarD LIBrary> udk aMunmay;&ygr,f/ switch
statement udkawmh toHk;enf;vSwJhtwGuf ravhvmvJ &ygw,f/
(11) while loop
'Dwpfcgawmh loop awGtaMumif; avhvmMunfhygr,f/ Cracking vkyf&mrSm toHk;rsm;qHk;uawmh loop
awGyg/ Loop awG[m vkyfaqmifcsufwpfckudk owfrSwfxm;wJh tajctaewpfcktwGif;rSm Mudrfzefrsm;pGm vkyf
aqmifay;ygw,f/ toHk;trsm;qHk; loop awGuawmh for loop eJY while loop wdykY g/ while loop &JU toHk;jyKrI
yHkpHuawmh atmufygtwdkif; jzpfygw,f/
while(condition)
statement;

while loop eJY ywfoufwJh erlemy½d*k &rfudkawmh ra&;jyawmhygbl;/ bmaMumifhvJqdkawmh 'kwd,
ajrmuf C y½d*k &rfrSm while loop &JU tvkyfvkyfyHkudk &Sif;jyjyD;vdykY g/ while loop uae cGJxGufoGm;jyD; while
loop eJY wlwJh aemuf loop wpfckuawmh do{ } while loop yg/ toHk;enf;wJhtwGuf r&Sif;jyawmhygbl;/
(12) for loop
for loop &JU toHk;jyKrIyHkpHuawmh atmufygtwdkif; jzpfygw,f/
for(expression1; condition; expression2)
statement;

for loop &JU tvkyfvkyfyHkuawmh yxrqHk; expression1 udk initialize vkyfygw,f/ jyD;awmh
condition [m rSefovm;? rSm;ovm; ppfygw,f/ rSef&ifawmh statement qDudk oGm;ygw,f/ jyD;awmh
expression2 udk vkyfygw,f/ expression2 udk vkyfaqmifjyD;wJhtcgrSm expression1 qDjyefa&mufvmygw,f/
jyD;awmh condition udk rSef^rrSef xyfppfygw,f/ Condition [m rSefaeoa&GU statement udk aqmif&GufaerSm
jzpfjyD; rSm;wJhtcgusrSom loop [m jyD;qHk;rSmjzpfygw,f/
(13) 6ckajrmuf C y½dk*&rf

#include<stdio.h>
#include<conio.h>
int main()
{ /* Copyright © Myo Myint Htike, 2009 */
    int x, y, z; /* Declare 3 unknown variables */
    for(x=0; x<10; x++)            // for(1; 2; 14) After 14, then go to 1
        for(y=0; y<10; y++)        // for(3; 4; 12) 3=13
            for(z=0; z<10; z++)    // for(5; 6; 10) 5=11
                if(2*x+3*y-4*z == -3)      // if 7 = true then do 8, else go to 10
                    if(4*x-2*y+z == 6)     // if 8 = true then do 9
                        if(x-3*y-2*z == -15) // if 9 = true then print x, y, z
                            printf(" x= %d\n y= %d\n z= %d",x,y,z);
    getch();
    return 0;
}

yHk(8)
yHk(8)uawmh rodudef; 3vHk;&SmwJhykpäm jzpfygw,f/ x? y eJY z udk &Smay;&rSmyg/ for loop oHk;jyD; ajz&Sif;
xm;wmyg/ 'Dy½d*k &rfudk aocsmMunfhr,fqdk&if rodudef;oHk;vHk;&SmzdkY bmocsFmnDrQjcif;rS roHk;bJ ajz&Sif;oGm;wm
awGU&rSmyg/ 'Denf;[m cracking vkyw f Jhtcsdef password awGudk cefUrSef;&mrSm awmfawmftoHk;0ifvSygw,f/
y½d*k &rftvkyfvkyyf uHk dk MunfhvdkufMu&atmif/
(1) yxrqHk; uRefawmfwkY d &SmcsifwJh rodudef; 3vHk;udk udef;jynfhawGtjzpfaMunmygw,f/ (rSwfcsuf/ / rod
udef;ykpämwdkif;&JU tajzawG[m tjrJwrf; udef;jynfhjzpfaerSmawmh r[kwfygbl;/ udef;jynfeJh Y &SmvdrkY &&if float vdkY
aMunmyg/)
(2) for loop udk pwifygw,f/ for loop &JUtvkyfvkyfyHkudk aocsmem;vnfatmifMunfhyg/ yxrqHk; x &JUwefzdk;
udk oknvdo kY wfrSwfygw,f/ jyD;awmh x [m 10 xuf i,f^ri,f ppfygw,f/ i,fcJh&if aemufwpfaMumif;udk
qif;oGm;ygw,f/ y &JUwefzdk;udk oknvdo kY wfrSwfygw,f/ jyD;awmh y [m 10 xuf i,f^ri,f ppfygw,f/
i,fcJh&if aemufwpfaMumif;udk qif;oGm;ygw,f/ z &JUwefzdk;udk oknvdo kY wfrSwfygw,f/ jyD;awmh z [m 10
xuf i,f^ri,f ppfygw,f/ i,fcJh&if aemufwpfaMumif;udk qif;oGm;ygw,f/ 'DwpfcgrSm (x=0, y=0, z=0)udk
2x+3y-4z rSm tpm;oGif;jyD; -3 eJY nD^rnD ppfygw,f/ nDcJh&if aemufwpfaMumif;udk qif;oGm;rSm jzpfygw,f/
rnDcJh&ifawmh z &JU wefzdk;rSm wpfaygif;rSm jzpfygw,f/ 'Dwpfcg z=0 uae z=1 jzpfvmygw,f/ z [m 10
xuf i,f^ri,f xyfppfygw,f/ i,fcJh&if aemufwpfaMumif;udk qif;oGm;ygw,f/ 'DwpfcgrSm (x=0, y=0,
z=1)udk 2x+3y-4z rSm tpm;oGif;jyD; -3 eJY nD^rnD xyfppfygw,f/ nDcJh&if aemufwpfaMumif;udk qif;oGm;rSm
jzpfygw,f/ rnDcJh&ifawmh z &JU wefzdk;rSm wpfaygif;rSm jzpfygw,f/ 'Dvedk JY x,y,z wefzdk;toD;oD;udk wpfaygif;
oGm;jyD; nDrQjcif; 3aMumif;&JU nmbufuwefzdk;awGeJY nD^rnD ppfrSmjzpfygw,f/ ppfr,fhta&twGufuawmh
wpfMudrfuae tMudrfwpfaxmiftwGif; jzpfygw,f/ wu,fvkY d nDcJh&ifawmh printf() function udo k Hk;jyD; x,y,z
wd&kY JUwefzdk;awGudk tajzxkwfay;rSm jzpfygw,f/
(3) x++ qdkwmuawmh x = x+1; eJY wlygw,f/ (Operator acgif;pOfatmufwGif Munfhyg/)
(14) operator
Operator awGudk atmufygtwdkif; wl&mtkyfpkzGJUEdkifygw,f/
(u) Arithmetic operator
(c) Unary operator
(*) Relational operator
(C) Assignment operator
(i) Logical operator
(p) Conditional operator
(q) Bitwise operator
(u) Arithmetic operator
Arithmetic operator awGuawmh atmufygtwdkif;jzpfygw,f-

+ (addition) Variable rsm; aygif;&mwGiftoHk;jyKonf/
- (subtraction) Variable rsm; EIwf&mwGiftoHk;jyKonf/
* (multiplication) Variable rsm; ajrSmuf&mwGiftoHk;jyKonf/
/ (division) Variable rsm; pm;&mwGiftoHk;jyKonf/
% (modulus) t<uif;&Sm&mwGifoHk;onf/
(c) Unary operator
Unary operator awGuawmh atmufygtwdkif;jzpfygw,f-
i++; (postincrement) Variable wefzdk;tm; wpfaygif;ay;onf/
i--; (postdecrement) Variable wefzdk;tm; wpfEIwfay;onf/
++i; (preincrement) Variable wefzdk;tm; wpfaygif;ay;onf/
--i; (predecrement) Variable wefzdk;tm; wpfEIwfay;onf/
yHkrSeftm;jzifhawmh olwkuY d dk increment operator eJY decrement operator vdkY ac:a0:Muygw,f/
'Dae&mrSm owdxm;zdu kY awmh i++ eJY ++i wdkY uGJjym;rIudkyg/ atmufygtwdkif;aMunmr,fqdk&ifawmh olwkY&d JU
t"dymÜ ,fu wlygw,f/
int i=0, j=0;
i++; ++j;
'Dae&mrSm i eJY j wd&kY JUwefzk;d [m wlrSmjzpfjyD; 1 qdkwJh tajzxGufrSmyg/ aemufxyfyHkpHwpfrsdK;udk Munfhyg r,f/
int i=0, j=0, x=0, y=0;
x = x+(i++);
y = y+(++j);
'Dvdkqdk&ifawmh x &JUwefzdk;u oknjzpfaejyD; y &JUwefzdk;uawmh 1 jzpfvmrSmyg/ qdkvdkcsifwmuawmh i++
vdakY MunmcJh&if i &JUvuf&Sdwefzdk;udk x rSmaygif;jyD;rS i &JUwefzdk;udk wpfaygif;rSmjzpfygw,f/ 'gaMumifh i++ udk
postincrement vdakY c:wmyg/
(*) Relational operator
Relational operator udkawmh if statement? for loop? while loop pwmawGeJY wGJoHk;jyD; tajctae
wpf&yf&yfudk EdIif;,SOf&mrSm? variable awGudk EdIif;,SOf&mrSm toHk;jyKygw,f/
== (equal) Variable wefzdk;ESpfckudk wlrwlppfygw,f/ wl&if tvkyfvkyfygw,f/
!= (not equal) Variable wefzdk;ESpfckudk wlrwlppfygw,f/ rwl&if tvkyfvkyfygw,f/
> (greater than) Variable wefzdk;[m MuD;rMuD;ppfygw,f/ MuD;&if tvkyfvkyfygw,f/
< (less than) Variable wefzdk;[m i,fri,fppfygw,f/ i,f&if tvkyfvkyfygw,f/
>= (greater or equal) Variable wefzdk;[m MuD;&if (odkY) nD&if tvkyfvkyfygw,f/
<= (less than or equal) Variable wefzdk;[m i,f&if (odkY) nD&if tvkyfvkyfygw,f/

(C) Assignment operator
Assignment operator awGudk wpfckcek JY nDay;&mrSm toHk;jyKjyD; olwakY d wGuawmh ...
= *= /= %= += -=
<<= >>= &= ^= |=
toHk;jyKyHkawGuawmh atmufygtwdkif;jzpfygw,f -
x = y + 10; // x = y + 10;
x *= 10;    // x = x * 10;
x /= 10;    // x = x / 10;
x <<= 3;    // x = x << 3;
x ^= 30;    // x = x ^ 30;
(i) Logical operator
Logical operator awGuawmh atmufygtwdkif;jzpfygw,f -
&& (AND) tajctaeESpfckpvHk;rSef&if tvkyfvkyfygw,f/
|| (OR) tajctaeESpfckteuf wpfckrSef&if tvkyfvkyfygw,f/
! (NOT) tajctaerSm;&if tvkyfvkyfygw,f/
toHk;jyKyHkawGuawmh atmufygtwdkif;jzpfygw,f -
int x=0;
scanf("%d",&x);
if( x>0 && x<40) printf ("Fail");
if( x>75 || x == 75) printf ("Credit");
if(!x) printf("The value of x is zero.");
(p) Conditional operator
Conditional operator yHkpHuawmhh atmufygtwdkif;jzpfygw,f -
logical-OR-expression ? expression : conditional-expression
toHk;jyKyHkuawmh atmufygtwdkif;jzpfygw,f -
z = (a > b) ? a: b; /* z = max (a,b) */
a eJY b eJY xJu MuD;wJhwefzdk;udk ,lwJh 'DOyrmav;udk aemufwpfrsdK;jyefa&;&r,fqdk&if ...
if (a>b) z = a;
else z = b;
'Dae&mrSm z wefzdk;[m b,fvdkyJjzpfjzpf trsm;qHk;jzpfaerSm jzpfygw,f/
(q) Bitwise operator
Bitwise operator awGuawmh atmufygtwdkif;jzpfygw,f -
& (Bitwise AND)
| (Bitwise inclusive OR)
^ (Bitwise exclusive OR)(XOR)
~ (Bitwise complement) (NOT)
>> (Bitwise shift right)
<< (Bitwise shift left)

toHk;jyKyHkuawmh atmufygtwdkif;jzpfygw,f -
                   AND       OR        XOR       NOT
Source Bit         0 0 1 1   0 0 1 1   0 0 1 1   0 1
Destination Bit    0 1 0 1   0 1 0 1   0 1 0 1   X X
&v'f               0 0 0 1   0 1 1 1   0 1 1 0   1 0
>> uawmh assembly bmompum;&JU SHR instruction eJY wljyD;? << uawmh assembly
bmompum;&JU SHL instruction eJY wlygw,f/ SHL eJY SHR [m register^rSwfOmPfae&mu bit awGudk
b,f^nmrSae owfrSwfxm;wJh bit ta&twGufudk a&wGufjyD; a&TUvdkufwmjzpfygw,f/ erlemMunfhyg/
int x = 0xBEEF; // x = 1011111011101111 (binary)
x = x >> 4; // x = 0000101111101110
printf("x = %X", x); // x = BEE
ydkjyD;em;vnfapzdkY aemuferlemwpfckMunfhyg/
int x = 0xDEAD; // x = 1101111010101101 (bin)
x = (x >> 5) & ~ (~0 << 3); //
printf("x = %X", x); // x = 5 (101)
'Duk'fudk run vdkuf&ifawmh 5 qdkwJhtajz&rSmyg/ b,fvdk&ovJqdkwmawmh udk,fhbmomudk,f wGufMunfh
yg/ Hexadecimal uae binary? binary uae hexadecimal b,fvdkajymif;&rvJqdkwmudkawmh calculator
(calc.exe) eJY wGufcsufEdkifygw,f/
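As an added worked example (not from the book), the extraction in the last snippet, (x >> 5) & ~(~0 << 3), is generalised to a get_bits(x, p, n) function, with a binary printer so the intermediate values can be seen instead of worked out by hand; get_bits, to_binary and bin_buf are names chosen here, and unsigned arithmetic is used so that >> is always a logical shift.

```c
#include <stdio.h>
#include <string.h>

/* Scratch buffer for to_binary(); 32 bits plus the terminator. */
char bin_buf[33];

/* Return the n-bit field of x whose lowest bit is bit p (bit 0 is the
 * least significant bit).  ~(~0u << n) builds a mask of n one-bits, the
 * same ~(~0 << 3) idiom the page uses; with p = 5, n = 3 this is exactly
 * (x >> 5) & ~(~0 << 3).  Requires 0 < n < 32. */
unsigned get_bits(unsigned x, int p, int n)
{
    return (x >> p) & ~(~0u << n);
}

/* Render the low `width` bits of x as a '0'/'1' string in buf
 * (buf must hold width + 1 bytes).  Returns buf. */
char *to_binary(unsigned x, int width, char *buf)
{
    int i;
    for (i = 0; i < width; i++)
        buf[i] = ((x >> (width - 1 - i)) & 1u) ? '1' : '0';
    buf[width] = '\0';
    return buf;
}

int main(void)
{
    unsigned x = 0xDEAD;   /* the page's sample value */

    printf("x        = %s (0x%X)\n", to_binary(x, 16, bin_buf), x);
    printf("x >> 5   = %s (0x%X)\n", to_binary(x >> 5, 16, bin_buf), x >> 5);
    printf("mask     = %s (~(~0 << 3))\n", to_binary(~(~0u << 3), 16, bin_buf));
    printf("result   = %s (%u)\n",
           to_binary(get_bits(x, 5, 3), 16, bin_buf), get_bits(x, 5, 3));

    /* the earlier example, 0xBEEF >> 4, is the 12-bit field starting at bit 4 */
    printf("0xBEEF >> 4 = 0x%X\n", get_bits(0xBEEF, 4, 12));
    return 0;
}
```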
(15) Function
Function qdkwmuawmh vkyfaqmifcsufawGudk pkpnf;ay;xm;wJht&mwpfckjzpfjyD;? function wpfckrSm
yg0if&r,fh t*Fg&yfawGuawmh return type? function name? parameter list eJY uk'fa&;om;r,fh function
body wdjkY zpfygw,f/ Compiler rSm toifhygvmwJh function eJY rdrdudk,fwdkifzefwD;xm;wJh function qdkjyD;
function ESpfrsdK;ESpfpm; cGJjcm;Edkifygw,f/ Compiler rSmygvmwJh function awGuawmh printf()? scanf() pwJh
function awGjzpfygw,f/ olwu kY d dk toHk;jyKawmhr,fqdk&if header file awG aMunmay;&ygw,f/ 'Dae&mrSm
awmh built-in function awGtaMumif;udk &Sif;jyrSm r[kwfygbl;/
(16) 7ckajrmuf C y½dk*&rf

#include<stdio.h>
#include<conio.h>
int power (int m, int n);
int main()
{
    int i;
    for (i=0; i<10; ++i)
        printf("%d %d %d\n", i, power(2,i), power(-3,i));
    getch();
    return 0;
}
int power (int base, int n)
{
    int i, p; p = 1;
    for (i = 1; i <= n; ++i)
        p = p * base;
    return p;
}
yHk(9)

'Dy½d*k &rfuawmh 2 eJY -3 wdkY&JU xyfudef;wefzdk; q,fck (2^0, 2^1, 2^2, 2^3, 2^4, ..)udk &Smay;wmyg/

1/ int power (int m, int n); qdkwmuawmh uRefawmfwzdkY efwD;xm;wJh function udk toHk;jyKr,fvkYd aMunm
wmyg/ 'DvdkaMunmxm;wJhtwGuf main() function &JUtwGif;xJrSmyJjzpfjzpf? tjyifrSmyJjzpfjzpf MudKufwJhae&mu
ae power() function udk ac:oHk;vdkY &ygjyD/ bmaMumifh power() function udk MudKufwJhae&muae
ac:oHk;vdkY&wmvJqdkawmh olU&JU scope aMumifhyg/ wu,fawmh main() function &JUtjyifrSm int power (int
m, int n); vdakY &;wm[m extern int power (int m, int n); vdkY a&;wmeJY twlwlygyJ/ 'Dae&mrSm extern [m
keyword wpfckjzpfjyD; olUudk storage class vdkYvJ ac:a0:ygw,f/
2/ Storage class 4rsdK;&Sdygw,f/ auto? extern? static eJY register wdykY g/ Function wpfck&JUtwGif;rSm
bmrSa&;xm;jcif;r&SdbJ int? float? char vd½kY dk;½dk;wef;wef; aMunmxm;wJh data type awGtm;vHk;[m auto awG
ygyJ/ Function awG&JUtjyifbufrSm bmrSa&;xm;jcif;r&SdbJ int? float? char vd½kY dk;½dk;wef;wef; aMunmxm;wJh
data type awGtm;vHk;[m extern jzpfygw,f/ static eJY register wdu kY awmh toHk;enf;wJhtwGuf r&Sif;jy
awmhygbl;/ wu,fvkYd function awGrSm return jyefykYpd &m wefzdk;wpfckckr&SdcJh&if void vdkY aMunm&ygr,f/
(17) Array
Array qdkwmuawmh wlnDwJh data type awGudk pkpnf;ay;wJh variable wpfckyg/ wu,fvkY d rwlnDwJh
data type awGudk pkpnf;csif&ifawmh struct qdkwJh keyword udk toHk;jyK&rSmyg/ One dimensional array
wpfckudk aMunmyHkuawmh atmufygtwdkif;yg/
int myanmar[60];
int myanmar[60]; qdkwm ausmif;om;ta,mufajcmufq,f&JU jrefrmpm&rSwfudk odrf;qnf;r,fvkY d
aMunmwmyg/ wu,fvkY d array taeeJYom raMunmcJh&if uRefawmfwt kY d aeeJY int myanmar1, myanmar2,
myanmar3; ponfjzifh aMunm&rSmjzpfygw,f/ 'gqdk y½d*k &rf[m &Snfvsm;jyD; ½IyfaxG;vmEdkifygw,f/ ydkjyD;
&Sif;vif;atmif aemufwpfckxyfMunfhygr,f/
int exam_result [60] [6];
'DyHkpHuawmh ausmif;om;ta,mufajcmufq,f&JU bmom&yfajcmufck&v'fudk odrf;qnf;r,fvY dk aMu
nmwmyg/ Two dimensional array wpfckjzpfygw,f/ 'Dae&mrSm &Sif;jyvdkwmuawmh exam_result [m
array &JUtrnfjzpfjyD;? 60 eJY 6 uawmh array element jzpfygw,f/ Array element udk wpfcgw&H array
index vdvkY J ac:a0:ygw,f/ Array element [m tjrJwrf; 0 eJpY avh&SdjyD; tqHk;uawmh size-1 jzpfygw,f/
wu,fvkYd char udk array taeeJY aMunmr,fqdk&if character tpm; string jzpfoGm;aMumif; ]Data
type} acgif;pOfatmufrSm &Sif;jywm trSwf&yg/ 'gudk xyfMunfhygr,f/
char my_string [11] = "I Love You.";
int i;
for(i=0; i<11; i++)
printf("%c", my_string[i]);
'Duk'fudk run vdkuf&if 'I Love You.' qdkwJhpmom;udk jrif&rSmyg/ wu,fvkY d for(i=0; i<11; i++)
ae&mrSm for(i=1; i<12; i++) vdjkY yifvdkuf&if tajzuawmh ' Love You. ' jzpfrSmyg/ Full stop (.) &JUaemufrSm
vnf; space( )udkawGU&rSmyg/ bmaMumifhvnf;qdkawmh Array wpfck[m tjrJwrf; null terminator (\0) eJY
qHk;avh&Sdygw,f/ wu,fvkY d 12 ae&mrSm 19 vkdUjyifvdkuf&if random pmvHk;awGxGufvmygvdrfhr,f/
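Added example, not from the book, on what the my_string loop above depends on: a char[11] initialised with the 11-character "I Love You." has no room left for '\0' (C permits this), so any loop that reads index 11 or beyond is already past the array, while the compiler-sized form char[] = "..." gets 12 bytes including the terminator. bounded_len, is_terminated and print_bounded are names chosen here; they never read past the declared size.

```c
#include <stdio.h>
#include <string.h>

/* Two ways to hold the page's string.  `tight` is sized exactly to the 11
 * characters, so no terminator is stored; `sized` lets the compiler add it. */
char tight[11] = "I Love You.";   /* sizeof == 11, no '\0' inside */
char sized[]   = "I Love You.";   /* sizeof == 12, last byte is '\0' */

/* Length of s, stopping at '\0' or after max bytes, whichever comes first.
 * Unlike a loop over a fixed count of 11 or 19 indices, this can never
 * read beyond the array it is given. */
size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Does an array of `size` bytes actually contain a terminator?  If the
 * bounded length equals the size, no '\0' was found inside the array. */
int is_terminated(const char *s, size_t size)
{
    return bounded_len(s, size) < size;
}

/* Print at most max bytes of s; safe even when s carries no '\0'. */
void print_bounded(const char *s, size_t max)
{
    size_t n = bounded_len(s, max);
    fwrite(s, 1, n, stdout);
    putchar('\n');
}

int main(void)
{
    printf("sizeof(tight) = %u, terminated = %d\n",
           (unsigned)sizeof tight, is_terminated(tight, sizeof tight));
    printf("sizeof(sized) = %u, terminated = %d\n",
           (unsigned)sizeof sized, is_terminated(sized, sizeof sized));

    print_bounded(tight, sizeof tight);          /* "I Love You." */
    print_bounded(sized + 1, sizeof sized - 1);  /* " Love You.", same as the
                                                    page's i=1 loop, but the
                                                    terminator is respected */
    return 0;
}
```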
(18) Pointer
Pointer qdkwm variable wpfck&JU address udkodrf;xm;wJh variable wpfckyg/ Pointer udk C bmom
pum;rSm awmfawmfav; oHk;pGJwmawGU&ygw,f/ Pointer eJY array [mvJ awmfawmfav; qufpyfrI&Sdygw,f/
ydkjyD;&Sif;vif;atmif erlemwpfckudk Munfhygr,f/
int x = 1, y = 2, z[10]; // MOV DWORD PTR SS:[EBP-4], 1 (EBP udk 12FF8C vdkY ,lqygr,f/)
int *ip; // ip udk pointer taeeJaY Munmygw,f/
ip = &x; // LEA EAX, DWORD PTR SS:[EBP-4]
(ip [m x wefzdk;udk odrf;xm;wJh (load effective) address ae&mudkjyygr,f/ 12FF88 yg/)
y = *ip; // MOV EDX, DWORD PTR DS:[EAX] (y wefzdk;[m 1 jzpfvmygw,f/)
*ip = 0; // MOV DWORD PTR DS:[EAX], 0 (ip wefzdk;[m 0 jzpfvmygw,f/)
ip = &z[0]; // LEA EAX, DWORD PTR SS:[EBP-2C]
(ip [m z[0] wefzdk;udk odrf;xm;wJh (load effective) address ae&mudkjyygr,f/ 12FF60 yg/)
printf("%d %d %X %X", x, y, *ip, ip); // PUSH DWORD PTR SS:[EBP-4], PUSH EDX, PUSH DWORD PTR DS:[EAX], PUSH EAX ('gaMumifh tajz[m 0 1 0 12FF60 jzpfygw,f/)
Unary operator wpfckjzpfwJh & uawmh object &JU address udk jyygw,f/ & operator [m
rSwfOmPfxJrSm variable eJY array element udkyJ point vkyfEdkifygw,f/ Expression? constant awGeJY
register variable awGudkawmh point vkyfEdkifjcif; r&Sdygbl;/
Unary operator (*) udkawmh indirection (od)kY dereferencing operator vdkY ac:ygw,f/ Pointer
tjzpftoHk;jyKcsdefrSm pointer u point vkyfwJh object udk &,lEdkifygw,f/
(19) 8ckajrmuf C y½dk*&rf

#include<stdio.h>
#include<conio.h>
int strlen(char *string);
int strcmp(char *string1, char *string2);
int main()
{
    char get_string[100]; int length;
    char *comp_str = "My Love";
    gets(get_string);
    length = strlen(get_string);
    printf("String Length = %d", length);
    if( (strcmp(get_string, comp_str)) !=0)
        printf("\n\"%s\" and \"%s\" are not equal.",
               get_string, comp_str);
    getch(); return 0;
}
/* strlen: return length of string s */
int strlen(char *s)
{
    int n;
    for (n = 0; *s != '\0'; s++)
        n++;
    return n;
}
// strcmp: return <0 if s<t, 0 if s==t, >0 if s>t
int strcmp(char *s, char *t)
{
    for ( ; *s == *t; s++, t++)
        if (*s == '\0') // if null-terminated string
            return 0;
    return *s - *t;
}
yHk(10)

'Dy½d*k &rfuawmh oif½dkufxnfhvdkufwJhpmom;rSm yg0ifwJh pmvHk;ta&twGufudk azmfjyjyD; owfrSwfxm;wJh pmom;eJY udkufnD^rnD ppfay;ygw,f/ 'Dy½d*k &rfrSm pointer eJY array awGudk wGJoHk;wm owdjyKrdrSmyg/
(20) String
'DwpfcgrSmawmh string awGtaMumif;udk tenf;i,f avhvmMuygr,f/ String eJyY wfoufwJh function
awGudk toHk;jyKr,fqdk&if <string.h> udak Munmay;&ygr,f/ String function tcsdKUuawmh atmufazmfjyyg
twdkif;jzpfygw,f/
strcpy(str1,str2) str2 rSpmom;rsm;udk str1 xJokYd ul;xnfhay;jcif;/
strncpy(str1,str2,length) str2 rS owfrSwfxm;aomta&twGuftwdkif; pmom;rsm;udk str1 xJokYd ul;xnfhay;jcif;/
strcmp(str1,str2) str2 ESifh str1 wdkYudk EIdif;,SOfjcif;/
strcmpi(str1,str2) str2 ESifh str1 wdkYudk EIdif;,SOfjcif;/ (pmvHk;tMuD;tao;udk vspfvsL½I)
strlen(str) str \pmvHk;ta&twGufudk jyjcif;/
strcat(str1,str2) str2 ESifh str1 udk aygif;jyjcif;/ &v'fudk str1 wGif odrf;onf/

8ckajrmufy½d*k &rft&qdk&if built-in taeeJYygwJh strlen() function udak c:roHk;bJeJY rdrdbmomrdrd zefwD;a&;om;xm;wm awGU&rSmyg/ wu,fawmh 'Dy½d*k &rfu pointer awGtaMumif; &Sif;jycsifvkY d strlen()
function eJY strcmp() function udk udk,fhbmomudk,f a&;om;xm;wmyg/ uRefawmfwt kY d aeeJY string eJY
ywfoufwJh function awmfawmfrsm;rsm;udk udk,fwdkifa&;p&m rvdkygbl;/ <string.h> udkaMunmjyD; toifh
,loHk;½Hyk gyJ/ ydkjyD;&Sif;vif;atmif 9ckajrmufy½d*k &rfudk Munfhyg/ strcmpi() function udk wcgwnf; ,loHk;xm;
wm awGU&rSmyg/
(21) 9ckajrmuf C y½dk*&rf

#include<stdio.h>
#include<conio.h>
#include<string.h>
void Password();
int main()
{
    Password();
    getch();
    return 0;
}
void Password(void)
{ /* Copyright © Myo Myint Htike, 2009 */
    char password[80];
    printf("\nEnter Password:");
    gets(password);
    if(strcmpi(password,"PASSWORD")==0)
        printf("\nYou really did it. Congratulations!");
    else{ printf("\nTry again!\n"); Password(); }
}
yHk(11)

'Dy½d*k &rfuawmh jrefrmy½d*k &rfrmawmfawmfrsm;rsm; a&;avh&SdMuwJh password y½d*k &rfyg/ uD;bkwfuae password wpfckudk ½dkufxnfhckdif;ygw,f/ Password rrSefbl;qdk&if aemufwpfBudrf password ½dkufxnfh
cdkif;ygw,f/ rSef&ifawmh owfrSwfxm;wJh function udktvkyfvkyfapygw,f/ 'Dy½dk*&rfrSm tm;enf;csuftrsm;
MuD;&Sdygw,f/ Debugger awGudk vspfvsL½Ixm;cJhr,fqdk&ifawmh 'Dy½d*k &rfa&;xm;wm[m awmfawmfynmom;
ygw,fvkYd ajymvdkY&ygw,f/ Function udk recursion enf;oHk;jyD; y½d*k &rfudk uspfvspfatmif vkyfxm;wmyg/
(Recursion qdkwmuawmh function wpfckudk tMudrfMudrfjyefac:oHk;jcif;vdkY t"dymÜ ,f&ygw,f/)
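Added example, not the book's code: the same password prompt rewritten so that the keyboard input is bounded (fgets into the 80-byte buffer instead of gets), wrong attempts are counted instead of calling Password() again without limit, and the case-insensitive comparison is written in standard C (strcmpi is Borland-specific). read_line, ci_equal, password_prompt and MAX_ATTEMPTS are names chosen here; "PASSWORD" is the book's own constant.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ATTEMPTS 3   /* chosen here; the page's version retries forever */

/* Remove the trailing newline fgets() keeps.  Returns the new length. */
size_t strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[--n] = '\0';
    return n;
}

/* Read one line into buf, at most size-1 characters.  Anything beyond
 * the buffer is discarded so it can neither overflow the array nor be
 * replayed into the next prompt.  Returns 0 on end of input. */
int read_line(char *buf, size_t size)
{
    int c;
    if (fgets(buf, (int)size, stdin) == NULL)
        return 0;
    if (strchr(buf, '\n') == NULL)            /* line longer than buf */
        while ((c = getchar()) != '\n' && c != EOF)
            ;
    strip_newline(buf);
    return 1;
}

/* Case-insensitive equality, the same meaning as the page's strcmpi()==0
 * but using only standard library calls. */
int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* The page's Password() with a bounded read and a fixed attempt limit.
 * Returns 1 when the expected password was entered, 0 otherwise, and
 * leaves it to the caller to decide what happens next. */
int password_prompt(const char *expected)
{
    char entered[80];                 /* same size as the page's buffer */
    int attempt;

    for (attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
        printf("\nEnter Password:");
        if (!read_line(entered, sizeof entered))
            return 0;                 /* end of input: give up */
        if (ci_equal(entered, expected))
            return 1;
        printf("\nTry again!\n");
    }
    return 0;
}

int main(void)
{
    /* "PASSWORD" is the page's constant.  Keeping the secret as a plain
     * string in the executable leaves it readable by anyone who opens the
     * binary; this example only fixes the input handling, not that. */
    if (password_prompt("PASSWORD"))
        printf("\nYou really did it. Congratulations!\n");
    else
        printf("\nNo more attempts.\n");
    return 0;
}
```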
(22) File I/O
'DwpfcgrSmawmh zdkifwpfckuaetcsuftvufawGudk b,fvdkzwf½I&rvJqdkwJh zdkief JYywfoufwJh function
tcsdKUudk avhvmMunfhygr,f/ zdkief JYywfoufwJh function awGudk toHk;jyKr,fqdk&if <stdio.h> udk aMunmay;
&ygr,f/ File function tcsdKUuawmh atmufazmfjyygtwdkif;jzpfygw,f/
fopen(filename,mode) zdkifudka&;&ef(od)kY zwf&efzGifhjcif;/
fclose(filename) zdkifudkydwjf cif;/
feof(filepointer) zdkif\ tqHk;odkYa&mufra&mufpHkprf;jcif;/
fscanf(filepointer,format) zdkifrStcsuftvufrsm;zwfjcif;/

zdkif function awmfawmfrsm;rsm;[m omref input/output vkyfwJh function awmfawmfrsm;rsm;eJY vkyfaqmifyHkcsif;wlygw,f/ uGJjym;wmav;wpfcku file function awGrSm b,fzdkifuae tcsuftvufawGudk &,lr,fvkYd ajymay;&wmav;yJ ydkygw,f/
(23) The last C program
This time we will write a small program that solves a small problem from the cracker test program.

Figure (12)
0043B390 MOV DWORD PTR FS:[EAX],ESP
0043B393 XOR EBX,EBX
0043B395 XOR ESI,ESI
0043B397 MOV [LOCAL.2],10
0043B39E LEA EDX,[LOCAL.4]
0043B3A1 MOV EAX,[LOCAL.1]
0043B3A4 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3AF MOV EAX,[LOCAL.4]
0043B3B7 TEST EAX,EAX
0043B3B9 JLE SHORT Cracker_.0043B3F5
0043B3BB MOV [LOCAL.3],EAX
0043B3BE MOV EDI,1
0043B3C3 LEA EDX,[LOCAL.4]
0043B3C6 MOV EAX,[LOCAL.1]
0043B3C9 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3D4 MOV EAX,[LOCAL.4]
0043B3D7 MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
0043B3DC LEA EDX,DWORD PTR DS:[EDI+ESI]
0043B3DF ADD EAX,EDX
0043B3E1 MOV ESI,EAX
0043B3E3 ADD EBX,EBX
0043B3E5 XOR EBX,ESI
0043B3E7 MOV EAX,ESI
0043B3E9 CDQ
0043B3EA IDIV EDI
0043B3EC INC EDX
0043B3ED ADD EBX,EDX
0043B3EF INC EDI
0043B3F0 DEC [LOCAL.3]
0043B3F3 JNZ SHORT Cracker_.0043B3C3
0043B3F5 DEC [LOCAL.2]
0043B3F8 JNZ SHORT Cracker_.0043B39E
0043B3FA CMP ESI,3810
0043B400 JNZ SHORT Cracker_.0043B40A
0043B402 CMP EBX,402A4FE7
0043B408 JE SHORT Cracker_.0043B424
0043B40A MOV EAX,Cracker_.0043B4AC ; ASCII "Sorry, not the right one - try again !"
0043B40F CALL Cracker_.004338AC
0043B414 MOV EAX,[LOCAL.1]
0043B417 MOV EAX,DWORD PTR DS:[EAX+294]
0043B41D MOV EDX,DWORD PTR DS:[EAX]
0043B41F CALL DWORD PTR DS:[EDX+78]
0043B422 JMP SHORT Cracker_.0043B47D
0043B424 MOV EAX,EBX
0043B426 SUB EAX,ESI
0043B428 CMP EAX,402A17D7
0043B42D JE SHORT Cracker_.0043B449

Figure (13)
The task is as shown in Figure (12): it asks you to guess a word. The cracker test program was written to test crackers' skills and has eight levels (very very easy, very easy, easy, not entirely easy, somewhat harder, hard, very hard, very very hard). The level you are looking at is level 3 (easy). The code seen when this program is examined with Olly debugger is as shown in Figure (13). To solve the code in Figure (13), however good you are, working it out by hand or with a calculator is absolutely (absolutely) impossible. That is why we try to solve it by writing a program. Written in C, the program looks like Figure (14).
#include <conio.h>   // Compiled by Borland C++.
#include <stdio.h>   // Coded by Myo Myint Htike.
#include <string.h>  // Date - 2009 March 13
#include <stdlib.h>  // div_t and div()
#include <math.h>
int main()
{
    FILE *fileread = fopen("english.dic","a+"); // "a+" also permits reading from the start of the file
    char password[50];
    int EDI, i, j, EDX=0, EAX=0, ESI=0;
    unsigned int EBX=0; // unsigned: EBX+EBX must wrap like the 32-bit register instead of overflowing a signed int
    if(fileread == NULL){
        printf("Cannot open english.dic\n");
        return 1;
    }
    while(!feof(fileread)){
        int character_count=0;
        div_t div_result;
        if(fscanf(fileread,"%49s",password) != 1) break; // %49s never overflows password[50]; stop at end of file
        printf("%s\n",password);
        character_count = strlen(password);
        EDX=0;
        ESI=0;
        EDI=0;
        EBX=0;
        EDX=1;
        for(i=0;i<16;i++){ // for loop 1: [LOCAL.2] = 10h rounds
            EDI=1;
            for(j=0; j<character_count; j++){ // for loop 2: one pass over the letters
                EAX = password[j];            // MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
                EDX = ESI+EDI;                // LEA EDX,DWORD PTR DS:[EDI+ESI]
                EAX = EAX + EDX;              // ADD EAX,EDX
                ESI = EAX;                    // MOV ESI,EAX
                EBX = EBX + EBX;              // ADD EBX,EBX
                EBX = EBX ^ ESI;              // XOR EBX,ESI
                EAX = ESI;                    // MOV EAX,ESI
                div_result = div( EAX, EDI ); // CDQ / IDIV EDI
                EDX = div_result.rem ;        // the remainder lands in EDX
                EDX++;                        // INC EDX
                EBX= EBX +EDX;                // ADD EBX,EDX
                EDI++;                        // INC EDI
            } // end of for loop 2
        } // end of for loop 1
        if(ESI== 0x3810 && EBX == 0x402A4FE7){ // CMP ESI,3810 / CMP EBX,402A4FE7
            printf("Word is = %s\n", password); // Ans: firmware
            getch();
        } // end of if statement
    } // end of while loop
    fclose(fileread);
    getch();
    return 0;
}

Figure (14)
Study how the source code shown in Figure (14) works, line by line, until you understand it. If you thoroughly understand how this program works, you can be confident that you have understood everything I have explained about the C language. If you do not understand it yet, go back and reread the lesson.
1. The <stdlib.h> header file is included for div_t.
2. FILE *fileread = fopen("english.dic","a+"); says that we are going to read the file english.dic. That is, the password (word) we are looking for is in this english.dic file. Dictionary (.dic) files are the files crackers use when checking passwords by matching, and they contain hundreds of thousands of words from the English dictionary. The more complete the word list, the closer you are to finding the answer. Download these dictionary (.dic) files from the internet. A cracker should keep, besides an English dictionary, all kinds of dictionaries such as Latin, French, Italian and medical ones.
3. char password[50]; declares that a word to be read will have at most 50 letters. Have you ever seen an English word longer than 50 letters? If you have, change 50 to 200. I do not think there are English words longer than 200 letters. ☺
4. while(!feof(fileread)){ } means: keep reading english.dic until the last word has been read and the end of the file is reached. In other words, read every word in the english.dic file.
5. fscanf(fileread,"%s", password); reads the first word from the english.dic file. Let us assume the first word is aaron. So password = "aaron". The password is displayed on the monitor with the printf() function. You can leave printf() out; if you do, the program runs faster.
6. character_count = strlen(password); computes the number of letters in the password word. Since it is aaron, that is 5.
7. for(j=0; j<character_count; j++){ } varies with the number of letters in the password word. Here, with 5 letters, it becomes for(j=0; j<5; j++).
8. Note EAX = password[j];. We declared EAX as an integer (int), while password was declared as a character string (char [ ]). At this point the C++ compiler understands password[5] = "aaron"; and EAX = password[0] = 'a' = 0x61;. What to remember here is that "a" and 'a' are not the same: "a" denotes a string, while 'a' denotes a character. A character can hold only one letter, whereas a string holds one or more letters.
9. EDX = ESI + EDI; is easy to understand: it simply adds the values of ESI and EDI. EDX = ESI + EDI = 0 + 1 = 1.
10. Working out EAX = EAX + EDX; gives EAX = 0x61 + 1 = 0x62.
11. So the value of ESI is 0x62.
12. EBX = EBX + EBX; gives EBX = 0 + 0 = 0.
13. EBX = EBX ^ ESI; gives EBX = 0 ^ 0x62 = 0x62. XORing 0 with 0x62 just gives 0x62.
14. The value of EAX equals the value of ESI, so it is 0x62.
15. div_result = div(EAX, EDI); divides EAX by EDI. EAX = 0x62 / 1 = 0x62.
16. With EDX = div_result.rem; the remainder of the division is stored in EDX. So the value of EDX becomes 0.
17. Because of EDX++; one is added to EDX. At this point EDX becomes 1 again.
18. EBX = EBX + EDX; gives EBX = 0x62 + 1 = 0x63.
19. EDI++; adds one to EDI, so EDI becomes 2.
20. Then, because for(j=0; j<5; j++) performs j++, j=0 becomes j=1 and the for loop runs once more. In this way, after for(j=0; j<5; j++) has run 5 times and for(i=0;i<16;i++) 16 times, 80 iterations in total, the results are ESI = 0x2200 and EBX = 0xBFC8757F.
21. ESI and EBX are then checked for equality with 0x3810 and 0x402A4FE7, and if they match, the correct answer is printed. (Note: when the program reads firmware instead of aaron, for(j=0; j<character_count; j++){ } becomes for(j=0; j<8; j++). Thus after for(j=0; j<8; j++) has run 8 times and for(i=0;i<16;i++) 16 times, 128 iterations in total, the results are ESI = 0x3810 and EBX = 0x402A4FE7.)
22. A point to note: a = 0x61, b = 0x62, c = 0x63, ..., z = 0x7A, and A = 0x41, B = 0x42, C = 0x43, ..., Z = 0x5A.
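As an added example (not the book's code), here is the routine of Figure (13) ported with the 32-bit wrap-around that EBX really has, together with the closed form of ESI that the walkthrough above implies, and a word-list scan that uses the fscanf() return value rather than feof(); the three-word list is constructed here, and "firmware" is the answer the book reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the book's code: port of 0043B39E..0043B3F8 from
 * Figure (13) plus a closed-form ESI prefilter. The word list is constructed. */

#define TARGET_ESI 0x3810u        /* CMP ESI,3810 */
#define TARGET_EBX 0x402A4FE7u    /* CMP EBX,402A4FE7 */
#define ROUNDS     16             /* MOV [LOCAL.2],10 */

/* Faithful port of the two nested loops; writes the final ESI and EBX. */
void cracker_hash(const char *word, uint32_t *esi_out, uint32_t *ebx_out)
{
    uint32_t esi = 0, ebx = 0;                 /* XOR ESI,ESI ; XOR EBX,EBX */
    size_t len = strlen(word);
    for (int round = 0; round < ROUNDS; round++) {
        uint32_t edi = 1;                      /* MOV EDI,1 */
        for (size_t j = 0; j < len; j++) {
            uint32_t eax = (uint8_t)word[j];   /* MOVZX EAX,BYTE PTR [EAX+EDI-1] */
            esi = eax + edi + esi;             /* LEA EDX,[EDI+ESI] ; ADD EAX,EDX ; MOV ESI,EAX */
            ebx += ebx;                        /* ADD EBX,EBX (unsigned: wraps like the register) */
            ebx ^= esi;                        /* XOR EBX,ESI */
            ebx += (esi % edi) + 1;            /* CDQ ; IDIV EDI ; INC EDX ; ADD EBX,EDX */
            edi++;                             /* INC EDI */
        }
    }
    *esi_out = esi;
    *ebx_out = ebx;
}

uint32_t hash_esi(const char *word) { uint32_t e, b; cracker_hash(word, &e, &b); (void)b; return e; }
uint32_t hash_ebx(const char *word) { uint32_t e, b; cracker_hash(word, &e, &b); (void)e; return b; }

/* ESI never reads EBX: every inner step adds word[j] + (j+1), so after the
 * 16 rounds ESI = 16 * (sum of the bytes + len*(len+1)/2). That makes the
 * first comparison a cheap prefilter before the full EBX computation. */
uint32_t esi_closed_form(const char *word)
{
    size_t len = strlen(word);
    uint32_t sum = 0;
    for (size_t j = 0; j < len; j++) sum += (uint8_t)word[j];
    return ROUNDS * (sum + (uint32_t)(len * (len + 1) / 2));
}

/* Scans whitespace-separated words from fp (items 4 and 5 above), but lets the
 * fscanf() return value end the loop: feof() only turns true after a failed read,
 * so the book's loop form processes the last word twice. Returns the number of
 * words passing the ESI prefilter; the first full match is copied into found. */
int search_stream(FILE *fp, char *found, size_t cap)
{
    char word[50];                             /* %49s: at most 49 letters + NUL, never overflowed */
    int candidates = 0;
    if (cap) found[0] = '\0';
    while (fscanf(fp, "%49s", word) == 1) {
        if (esi_closed_form(word) != TARGET_ESI) continue;
        candidates++;
        if (cap && found[0] == '\0' && hash_ebx(word) == TARGET_EBX) {
            strncpy(found, word, cap - 1);
            found[cap - 1] = '\0';
        }
    }
    return candidates;
}

/* Writes a constructed three-word "dictionary" to a temporary file and scans it. */
int demo_search(char *found, size_t cap)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs("aaron\npassword\nfirmware\n", fp);  /* constructed sample, not a real .dic */
    rewind(fp);
    int n = search_stream(fp, found, cap);
    fclose(fp);
    return n;
}

int demo_candidate_count(void) { char buf[50]; return demo_search(buf, sizeof buf); }

int main(void)
{
    char found[50];
    int n = demo_search(found, sizeof found);
    printf("words passing the ESI check: %d, full match: %s\n", n, found[0] ? found : "(none)");
    return 0;
}
```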
Chapter (3) - Basic Assembly Language - 40 -

Chapter (3) - Basic Assembly Language


(1) Introduction
Having studied in the previous lesson how programs are written in C, we now continue so that we can write programs in Assembly and understand Assembly code. Assembly language was created to stand in for the binary code that the computer understands. In the past, before high-level languages appeared, programs were written in Assembly. Assembly code expresses directly the instructions that the processor can execute. For example:
ADD EAX, EDX
This instruction adds two numeric values. EAX and EDX are called registers. They can hold values, and these are kept inside the processor. This code is converted into the hex code 66 03 C2. The processor reads these codes and executes the instruction that corresponds to them. High-level languages such as C convert their own language into Assembly, and Assembly converts that code into binary code.
C code       >> Compiler >>   Assembly code   >> Assembler >>   Raw output (hex)
a = a + b;                    ADD EAX, EDX                      66 03 C2
Notice here how simple the Assembly code is. The output depends on the C code.
(2) Why use Assembly?
If writing programs in Assembly is hard, why use Assembly instead of C or something else? The answer is simple: Assembly programs are small and fast. In programming languages that try to be clever, it is hard for the compiler to produce good code. However good compilers become, to be the fastest and the smallest they have to emit Assembly code. If you can write the code yourself, you can produce small, fast code. But doing so is harder than with a high-level language.
One difference in some high-level languages is that, while running, they have to use DLL files for certain operations. For example, Visual C++ has the msvcrt.dll file, which contains its standard C functions. This is usually fine, but now and then there is trouble with DLL versions. That is why users always have to keep these files on their computer. For Visual C++ this is not much of a problem, since its files usually come with Windows. Visual Basic, however, cannot translate its language into Assembly code. (Version 5 and above can do so to a small extent, but not fully.) They depend on the msvbvm50.dll file, the Visual Basic Virtual Machine. Code written in VB is seen to call this DLL file many times, which is why VB programs are slow. Assembly is the fastest language: it uses only the Windows system DLL files such as kernel32.dll and user32.dll.
Most people wrongly believe that writing programs in Assembly language is impossible. Certainly it is hard, but it is not impossible. Writing large projects in Assembly really is hard. Assembly is mostly used either for writing small programs or for writing DLL files, so that programs written in other languages run faster when they call them. Likewise there are big differences between DOS and Windows programs. DOS programs use interrupts as functions. Windows uses APIs, the Application Programming Interface. This interface contains the functions that programs need. The interrupts used by DOS programs have an interrupt number and a function number. Windows API functions have names (e.g. MessageBox, CreateWindowEx). You can import DLLs, and importing is very easy in Assembly.
(3) Assembly basics
(3.1) Opcodes
Assembly programs are built from opcodes. An opcode is an instruction that the processor can understand. For example:
ADD
The ADD instruction adds two numeric values. Most opcodes have operands.
ADD EAX, EDX (destination, source)
ADD has two operands. In this addition there is a source and a destination. It adds the value in the source to the value of the destination, then stores the result in the destination. Operands can be of several kinds (e.g. a register, a memory location, an immediate value).
(3.2) Registers
Register sizes are 8-bit, 16-bit and 32-bit (MMX processors can go beyond this). In 16-bit programs you can use 16-bit and 8-bit registers; in 32-bit programs you can use 32-bit registers as well.
Some registers are parts of other registers. For example, if EAX holds the value EA7823BBh, the values that the other registers can hold are:

EAX   EA 78 23 BB
AX          23 BB
AH          23
AL             BB

AX, AH and AL are parts of EAX. EAX is a 32-bit register (available only on 80386 and later processors). AX holds the lower 16 bits of EAX, AH holds the upper byte of AX, and AL holds the lower byte of AX. So AX is 16-bit, while AL and AH are 8-bit. The example below shows the values of the registers.
eax = EA7823BB (32-bit)
ax = 23BB (16-bit)
ah = 23 (8-bit)
al = BB (8-bit)
Registers are used like this:
low-level language        high-level language
mov eax, 12345678h        EAX = 12345678h (305419896)
mov cl, ah                CL = 56h (86)
sub cl, 10                CL = CL - 10
mov al, cl                AL = CL
Let us examine the code above a little. The MOV instruction can move a value from a register, a memory location or an immediate value into another register. Then the value of AH (the fourth position from the left of EAX) is copied into CL (the lowest part of the ECX register). Then 10 is subtracted from CL, and the result is put into AL (the lowest part of EAX).
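As an added example (not the book's code), the aliasing of AX, AH and AL inside EAX modelled in C with masks, with the mov/sub/mov sequence above replayed on it to show that writing a sub-register leaves the other bits of the 32-bit register untouched.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the book's code: 32-bit register values are plain
 * uint32_t; the x/h/l helpers carve out the 16-bit and 8-bit aliases. */

uint16_t reg_x(uint32_t r) { return (uint16_t)(r & 0xFFFFu); }       /* AX: low 16 bits of EAX */
uint8_t  reg_h(uint32_t r) { return (uint8_t)((r >> 8) & 0xFFu); }   /* AH: high byte of AX */
uint8_t  reg_l(uint32_t r) { return (uint8_t)(r & 0xFFu); }          /* AL: low byte of AX */

/* A write to a sub-register replaces only its own bits; the others survive. */
uint32_t set_l(uint32_t r, uint8_t v)  { return (r & 0xFFFFFF00u) | v; }
uint32_t set_h(uint32_t r, uint8_t v)  { return (r & 0xFFFF00FFu) | ((uint32_t)v << 8); }
uint32_t set_x(uint32_t r, uint16_t v) { return (r & 0xFFFF0000u) | v; }

typedef struct { uint32_t eax, ecx; } regs_t;

/* mov eax,12345678h / mov cl,ah / sub cl,10 / mov al,cl ; returns the final EAX. */
uint32_t replay_sequence(regs_t *r)
{
    r->eax = 0x12345678u;                                    /* EAX = 12345678h */
    r->ecx = set_l(r->ecx, reg_h(r->eax));                   /* mov cl, ah  -> CL = 56h (86) */
    r->ecx = set_l(r->ecx, (uint8_t)(reg_l(r->ecx) - 10));   /* sub cl, 10  -> CL = 4Ch (76) */
    r->eax = set_l(r->eax, reg_l(r->ecx));                   /* mov al, cl  -> EAX = 1234564Ch */
    return r->eax;
}

uint32_t final_eax(void) { regs_t r = {0, 0}; return replay_sequence(&r); }
uint32_t final_ecx(void) { regs_t r = {0, 0}; replay_sequence(&r); return r.ecx; }

int main(void)
{
    uint32_t eax = 0xEA7823BBu;                              /* the value from the table above */
    printf("eax=%08X ax=%04X ah=%02X al=%02X\n", eax, reg_x(eax), reg_h(eax), reg_l(eax));
    printf("after the sequence: eax=%08X ecx=%08X\n", final_eax(), final_ecx());
    return 0;
}
```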
There are many kinds of registers.
(3.2.1) General-purpose registers
EAX (Accumulator)   Used for arithmetic and for holding strings.
EBX (Base)          Used in connection with stacks.
ECX (Counter)       Used for counting.
EDX (Data)          Mostly holds the remainder of a division.
Although they have different names, you can use them as you like.
(3.2.2) Segment registers
They are called segment registers because they address segments of memory. You will not need to know about these on Windows, because Windows has a flat memory model. On DOS, memory is divided into 64KB segments, so if you want to specify a memory address you have to give a segment and an offset, like this: 0172:0500 (segment:offset). On Windows a segment is as large as 4GB, which is why segments are not needed on Windows. Segment registers are always 16-bit registers.
CS (Code segment)    The memory area where the code is kept
DS (Data Segment)    The memory area where the data is kept
ES (Extra Segment)   Often used for video matters
SS (Stack Segment)   Register used to hold the addresses passed by routines
FS (286+)            General-purpose segment
GS (386+)            General-purpose segment

(3.2.3) Pointer/Index registers
In fact, as long as you do not change their original values, you can use the pointer registers (EIP excepted) as general-purpose registers. They are called pointer registers because they very often hold memory addresses. Some opcodes (movb, scasb, ...) use them.
esi (source index)          Used to specify the source of a string/array.
edi (destination index)     Used to specify the destination of a string/array.
eip (instruction pointer)   Holds the address of the next instruction, so it cannot be changed directly. (See the "Olly Debugger" chapter.)
(3.2.4) Stack registers
There are two stack registers, ESP and EBP. ESP holds the position of the current stack in memory. EBP is used in functions as the pointer for local variables.
esp (stack pointer)   Points to an exact position in the stack.
ebp (base pointer)    Used together with the stack pointer for stack operations.
(4) Memory
In this section I will explain how memory is handled on Windows.
(4.1) DOS & Win 3.xx
In the 16-bit programs found on DOS and Windows 3.xx, memory is divided into segments. These segments are 64KB in size. To access memory you need a segment pointer and an offset pointer. The segment pointer says which segment is used, and the offset pointer says the position within that segment. Look at the figure below.
Memory:
SEGMENT 1 (64kb) | SEGMENT 2 (64kb) | SEGMENT 3 (64kb) | SEGMENT 4 (64kb) | and so on

Remember that what I am explaining here is for 16-bit programs. The table above divides all of memory into 64KB segments; there are at most 65536 segments. Let us look more closely at one of those segments.
SEGMENT 1 (64kb):
Offset 1 | Offset 2 | Offset 3 | Offset 4 | Offset 5 | and so on

To refer to a position within a segment, you use an offset. An offset is a position inside the segment. A segment has at most 65536 offsets. To denote a segment in memory:
SEGMENT:OFFSET
For example:
0030:4012
This means the segment is 0030 and the offset is 4012. If you want to know what that address is, first go to segment 30, then find offset 4012 within that segment. In section (3) we studied the segment and pointer registers.
The segment register types are:

CS (Code segment)
DS (Data Segment)
ES (Extra Segment)
SS (Stack Segment)
FS (286+)
GS (386+)
The names given describe each one's function. CS holds the code currently being executed. DS is for fetching the data of the current segment. The stack refers to SS. ES, FS and GS are general-purpose registers and can be used for any segment. The pointer registers usually hold an offset, but the general-purpose registers AX, BX, CX and DX can be used for this too. IP points to the offset (within CS) of the instruction currently being executed. The figure below shows how the registers look in Olly debugger while cracking.

SP holds the offset (within SS) of the current stack position.


(4.2) 32-bit Windows
In the 16-bit days, segments were indispensable when writing programs. Fortunately, 32-bit Windows (95 and later) solved this problem. Segments still exist, but we no longer need to pay attention to them, because they are no longer 64KB but 4GB. If you tried to change one of the segment registers, you would very likely run into trouble with Windows. Only offsets remain, and they are now 32-bit, so their range runs from zero to 4,294,967,295. Any location in memory can be addressed with an offset alone. This is one of the best advantages of 32-bit over 16-bit. So you can now forget about the segment registers and pay more attention to the other registers.

(5) Opcodes
Opcodes are the instructions for the processor. Opcodes are really the "readable text" form of the raw hex code. That is why assembler is the lowest level among programming languages: whatever is written in assembler is converted directly into hex code.
In this section we will discuss some of the arithmetic and bitwise opcodes. Other opcodes, such as the jump instructions and the compare opcodes, will be discussed in a later chapter.
(5.1) Basic arithmetic opcodes
MOV
This instruction is used to move (copy) a value from one place to another. Here "place" can be a register, a memory location or an immediate value (a literal value). The form of the mov instruction is:
mov destination, source;
You can move a value from one register to another. (Note: despite its name, "move", the instruction actually duplicates the value in the other place.)
mov edx, ecx;
The instruction above copies the contents of ECX to EDX. The sizes of the source and the destination must match. The instruction below is not valid:
mov al, ecx; // wrong form
This opcode tries to put a DWORD (32-bit) value into a register location of only byte (8-bit) size. The mov instruction cannot do that (other instructions can). The instructions below, however, can be used with mov, because the source and the destination do not differ in size:
mov al, bl;
mov cl, dl;
mov cx, dx;
mov ecx, ebx;
A memory location is denoted by an offset. You can take a value from an exact location in memory and put that value into a register. Take the table below as an example.
offset 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42
data   0D 0A 50 32 44 57 25 7A 5E 72 EF 7D FF AD C7

(Each cell represents one byte.)

Although an offset value here is shown as a single byte, it is 32-bit. Look at 3A, for example: it is also a 32-bit value (0000003Ah). To save space, small offset values that are not commonly used are used here. All values are hex codes.
Look at offset 3A in the table above. The data at this offset is 25, 7A, 5E, 72, EF and so on. The form for loading the value at offset 3A into a register with the mov instruction is:
mov eax, dword ptr [0000003Ah];
The instruction mov eax, dword ptr [0000003Ah] means: put the 32-bit DWORD value at location 3Ah into the EAX register. After this instruction executes, EAX holds the value 725E7A25h. You will notice that what is in memory (25 7A 5E 72) is in reverse order. This is because the values kept in memory are stored in (little-)endian order: the rightmost byte is the most significant byte, so the order of the bytes is reversed. A few examples will make it clear.
The DWORD (32-bit) value 10203040h is stored in memory as: 40 30 20 10 (each value represents one byte (8-bit)).
The WORD (16-bit) value 4050h is stored in memory as: 50 40
Let us look further for more clarity.
mov cl, byte ptr [34h] ; cl = 0Dh (see the table above)
mov dx, word ptr [3Eh] ; dx = 7DEFh (see the table above, and remember the reversed order)
Sometimes the size is not important.
mov eax, [00403045h];
Because EAX is a 32-bit register, the assembler assumes that a 32-bit value is to be taken from memory location 00403045h.
Immediate values can be used as well.
mov edx, 5006;
This puts the value 5006 into EDX. The square brackets mean that the value is fetched from the memory location given inside the brackets.
mov eax, 403045h ; eax = 403045h
mov cx, [eax] ; puts the WORD-sized value at the memory location held in EAX (403045) into register CX
In mov cx, [eax] the processor first looks at the value (the memory location) held in EAX. Only then does it determine what value is at that location in memory, and it puts this WORD (16-bit, because CX is a 16-bit register) into CX.
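As an added example (not the book's code), the byte table above embedded as a constructed array, with the byte/word/dword loads that mov performs on it assembled little-endian, and a bounds check so that a load that would run past the table faults instead of reading garbage.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the book's code: the 15-byte table at offsets 34h..42h. */
#define MEM_BASE 0x34u
static const uint8_t mem[] = { 0x0D, 0x0A, 0x50, 0x32, 0x44, 0x57, 0x25, 0x7A,
                               0x5E, 0x72, 0xEF, 0x7D, 0xFF, 0xAD, 0xC7 };

/* 1 if the `size` bytes starting at `off` lie inside the table, else 0. */
int in_range(uint32_t off, size_t size)
{
    return off >= MEM_BASE && off - MEM_BASE + size <= sizeof mem;
}

/* Little-endian load of 1, 2 or 4 bytes, as `mov reg, size ptr [off]` does:
 * the byte at the lowest address becomes the least significant. -1 = fault. */
int64_t load_le(uint32_t off, size_t size)
{
    if ((size != 1 && size != 2 && size != 4) || !in_range(off, size)) return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < size; i++)
        v |= (uint32_t)mem[off - MEM_BASE + i] << (8 * i);
    return (int64_t)v;
}

int64_t load_byte(uint32_t off)  { return load_le(off, 1); }   /* mov cl,  byte ptr [off]  */
int64_t load_word(uint32_t off)  { return load_le(off, 2); }   /* mov dx,  word ptr [off]  */
int64_t load_dword(uint32_t off) { return load_le(off, 4); }   /* mov eax, dword ptr [off] */

/* Byte i (0 = lowest address) of `value` as a store would lay it out in memory. */
uint8_t stored_byte(uint32_t value, int i) { return (uint8_t)(value >> (8 * i)); }

int main(void)
{
    printf("dword ptr [3Ah] = %08llX\n", (unsigned long long)load_dword(0x3A));  /* 725E7A25 */
    printf("word  ptr [3Eh] = %04llX\n", (unsigned long long)load_word(0x3E));   /* 7DEF */
    printf("byte  ptr [34h] = %02llX\n", (unsigned long long)load_byte(0x34));   /* 0D */
    printf("10203040h in memory: %02X %02X %02X %02X\n", stored_byte(0x10203040u, 0),
           stored_byte(0x10203040u, 1), stored_byte(0x10203040u, 2), stored_byte(0x10203040u, 3));
    printf("dword ptr [40h] -> %lld (fault: only 3 bytes left in the table)\n", (long long)load_dword(0x40));
    return 0;
}
```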
ADD, SUB, MUL, DIV
Many opcodes perform calculations. You can guess most of their names: ADD (addition), SUB (subtraction), MUL (multiplication), DIV (division), and so on.
The ADD opcode has the following form:
add destination, source
The calculation is: destination = destination + source. The following forms are allowed:
Destination   Source            Example
Register      Register          add ecx, edx
Register      Memory            add ecx, dword ptr [104h] / add ecx, [edx]
Register      Immediate value   add eax, 102
Memory        Immediate value   add dword ptr [401231h], 80
Memory        Register          add dword ptr [401231h], edx
This instruction is very simple: it takes the value of the source and adds it to the value of the destination, then puts the result in the destination. The other arithmetic instructions are:
sub destination, source (destination = destination - source)
mul destination, source (destination = destination * source)
div source (eax = eax / source, edx = remainder)
Subtraction is just like addition. Multiplication is dest = dest * source. Division is a little special, because the registers hold integer values (that is, not decimal fractions). The result of a division is split into a quotient and a remainder. For example:
28/6 → quotient=4, remainder=4
30/9 → quotient=3, remainder=3
97/10 → quotient=9, remainder=7
18/6 → quotient=3, remainder=0
Depending on the size of the source, the quotient is stored in EAX (or a part of EAX) and the remainder in EDX (or a part of EDX).
Source size       Division            Quotient   Remainder
BYTE (8-bits)     ax / source         AL         AH
WORD (16-bits)    dx:ax* / source     AX         DX
DWORD (32-bits)   edx:eax* / source   EAX        EDX

* Example: if DX = 2030h and AX = 0040h, then DX:AX = 20300040h. DX:AX is a DWORD value in which DX is the high WORD and AX the low WORD. EDX:EAX is a QuadWORD (64-bit) value in which EDX is the high part and EAX the low part.
The source of the DIV opcode can be:
• an 8-bit register (AL, AH, CL, ...)
• a 16-bit register (AX, DX, ...)
• a 32-bit register (EAX, EDX, ECX, ...)
• an 8-bit memory value (BYTE PTR [xxxx])
• a 16-bit memory value (WORD PTR [xxxx])
• a 32-bit memory value (DWORD PTR [xxxx])
The source cannot be an immediate value, because the processor could not determine the size of the source operand.
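As an added example (not the book's code), the three DIV forms of the table modelled in C, returning the packed quotient/remainder registers and reporting the two cases where a real processor raises the divide exception (#DE): a zero source, and a quotient too large for its register, which is why DX:AX/src needs DX to be small.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the book's code. Each function reports failure where the
 * CPU would raise #DE (division by zero, or a quotient that does not fit). */

/* div r/m8: AX / src -> AL = quotient, AH = remainder. Returns the new AX (AH:AL), or -1. */
int32_t div8(uint16_t ax, uint8_t src)
{
    if (src == 0 || ax / src > 0xFF) return -1;
    return (int32_t)(((ax % src) << 8) | (ax / src));
}

/* div r/m16: DX:AX / src -> AX = quotient, DX = remainder. Returns DX:AX packed, or -1. */
int64_t div16(uint16_t dx, uint16_t ax, uint16_t src)
{
    uint32_t dividend = ((uint32_t)dx << 16) | ax;   /* DX=2030h, AX=0040h -> 20300040h */
    if (src == 0 || dividend / src > 0xFFFF) return -1;
    return ((int64_t)(dividend % src) << 16) | (dividend / src);
}

/* div r/m32: EDX:EAX / src -> EAX = quotient, EDX = remainder. Returns 1 on
 * success with the packed EDX:EAX in *out, 0 where #DE would be raised. */
int div32(uint32_t edx, uint32_t eax, uint32_t src, uint64_t *out)
{
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    if (src == 0 || dividend / src > 0xFFFFFFFFu) return 0;
    *out = ((dividend % src) << 32) | (dividend / src);
    return 1;
}

/* Convenience wrappers so results can be inspected without temporaries. */
int      div32_ok(uint32_t edx, uint32_t eax, uint32_t src)     { uint64_t o; return div32(edx, eax, src, &o); }
uint64_t div32_packed(uint32_t edx, uint32_t eax, uint32_t src) { uint64_t o = 0; div32(edx, eax, src, &o); return o; }

int main(void)
{
    printf("28/6  -> AX = %04X (AH = remainder 4, AL = quotient 4)\n", (unsigned)div8(28, 6));
    printf("97/10 -> AX = %04X\n", (unsigned)div8(97, 10));
    printf("2030:0040h / 4000h -> DX:AX = %08llX\n", (unsigned long long)div16(0x2030, 0x0040, 0x4000));
    printf("2030:0040h / 1000h -> %lld (quotient 20300h does not fit AX: #DE)\n",
           (long long)div16(0x2030, 0x0040, 0x1000));
    printf("97/10 (32-bit) -> EDX:EAX = %016llX\n", (unsigned long long)div32_packed(0, 97, 10));
    return 0;
}
```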
BITWISE OPERATIONS
These instructions, with the exception of the NOT instruction, need both a source and a destination. Each bit of the destination is compared with the corresponding bit of the source, and depending on the instruction a 0 or a 1 is placed in the destination bit.
Instruction       AND        OR         XOR        NOT
Source bit        0 0 1 1    0 0 1 1    0 0 1 1    0 1
Destination bit   0 1 0 1    0 1 0 1    0 1 0 1    X X
Result            0 0 0 1    0 1 1 1    0 1 1 0    1 0
Example:
mov ax, 3406;
mov dx, 13EAh;
xor ax, dx;
ax = 3406 (dec) = 0000110101001110 (bin)
dx = 13EA (hex) = 0001001111101010 (bin)
Source        0001001111101010 (dx)
Destination   0000110101001110 (ax)
Result        0001111010100100 (ax)

After this instruction, ax = 0001111010100100 [7844 (dec), 1EA4 (hex)]

Another example:
mov ecx, FFFF0000h;
not ecx;
FFFF0000 = 11111111111111110000000000000000 (bin) (16 1's, 16 0's)
If you invert every bit, you get
00000000000000001111111111111111 (16 0's, 16 1's) = 0000FFFF (hex)
So after the NOT operation the value of ECX is 0000FFFFh.
IN/DECREMENTS
The two simplest instructions are DEC and INC. These instructions add one to, or subtract one from, a memory location or a register. Just write them plainly...
inc reg -> reg = reg + 1
dec reg -> reg = reg - 1
inc dword ptr [103405] -> adds one to the value at [103405].
dec dword ptr [103405] -> subtracts one from the value at [103405].
NOP
This instruction does absolutely nothing. But do not think it is useless because it does nothing: it is used a great deal in cracking. The place where it is most useful is when patching code.
Bit Rotation and Shifting
Note: most of the examples below use only 8-bit numbers, but for clarity I will show them with pictures.
Shift functions
SHL destination, count
SHR destination, count
SHL and SHR shift the bits of a register/memory location to the left/right by the given count.
Example
; assume al = 01011011 (bin) here
shr al, 3 ; al = 00001011
This means the bits in the AL register are shifted right by 3 positions, so AL becomes 00001011. The bits on the left are replaced with zeros and the bits on the right are shifted out. The last bit shifted out is kept in the carry flag. The carry bit is a bit in the processor's flags register. It is not a register like EAX/ECX that you can manipulate directly (although there are opcodes for doing so); instead, its value depends on the result of an instruction. This will be explained later. One thing to remember is that carry is a bit in the flags register that can be set or cleared, and this bit equals the last bit that was shifted out.
shl is the same as shr, except that it shifts to the left.
; assume bl = 11100101 (binary) here
shl bl, 2;
After the instruction, BL becomes 10010100 (bin). The last two bits are filled with zeros. The carry bit is 1, because the last bit shifted out was 1.
Then there are two more opcodes.
SAL destination, count (Shift Arithmetic Left)
SAR destination, count (Shift Arithmetic Right)
SAL is the same as SHL, but SAR is not the same as SHR. SAR does not shift in zeros; it copies in the MSB (most significant bit). Example:
al = 10100110
sar al, 3
al = 11110100
sar al, 2
al = 11111101
bl = 00100110
sar bl, 3
bl = 00000100
Rotation functions
rol destination, count ; rotates left.
ror destination, count ; rotates right.
rcl destination, count ; rotates left through the carry.
rcr destination, count ; rotates right through the carry.
Rotating is like shifting. The difference is that the bits shifted out are moved back in on the other side.
Example: ror (rotate right)
                   Bit 7  Bit 6  Bit 5  Bit 4  Bit 3  Bit 2  Bit 1  Bit 0
Before rotating    1      0      0      1      1      0      1      1
Rotate, count=3    1      0      0      1      1     [0      1      1]  (shifted out)
Result             0      1      1      1      0      0      1      1
As the figure above shows, the bits are rotated: every bit pushed out is moved back in on the other side. As with shifting, the carry bit holds the last bit shifted out. RCL and RCR follow the same pattern as ROL and ROR; as their names say, they use the carry bit to indicate the last bit shifted out. The same applies to ROL and ROR; apart from the direction, there is no difference between them.
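As an added example (not the book's code), the 8-bit shifts and rotates above modelled bit by bit in C, each returning the new value in the low byte and the carry flag in bit 8, so that the carry behaviour described above (the last bit shifted or rotated out) can be checked on the book's own inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the book's code. Each function returns (CF << 8) | value,
 * so 0x0194 means "value 94h, carry set". Counts are assumed to be 1..7. */
#define PACK(v, cf) ((uint16_t)(((cf) << 8) | (v)))

uint16_t shr8(uint8_t v, int n) { uint8_t cf = (v >> (n - 1)) & 1; return PACK((uint8_t)(v >> n), cf); }
uint16_t shl8(uint8_t v, int n) { uint8_t cf = (v >> (8 - n)) & 1; return PACK((uint8_t)(v << n), cf); }

/* SAR keeps the sign: the vacated high bits are copies of the old MSB. */
uint16_t sar8(uint8_t v, int n)
{
    uint8_t cf = (v >> (n - 1)) & 1;
    uint8_t r = (uint8_t)(v >> n);
    if (v & 0x80) r |= (uint8_t)(0xFF << (8 - n));
    return PACK(r, cf);
}

/* Plain rotates: bits leaving one end re-enter at the other; CF receives the
 * last bit rotated out (the new MSB for ROR, the new LSB for ROL). */
uint16_t ror8(uint8_t v, int n) { uint8_t r = (uint8_t)((v >> n) | (v << (8 - n))); return PACK(r, (r >> 7) & 1); }
uint16_t rol8(uint8_t v, int n) { uint8_t r = (uint8_t)((v << n) | (v >> (8 - n))); return PACK(r, r & 1); }

/* Rotates through carry treat CF as a ninth bit in the ring. */
uint16_t rcr8(uint8_t v, uint8_t cf, int n)
{
    for (int i = 0; i < n; i++) { uint8_t out = v & 1; v = (uint8_t)((v >> 1) | (cf << 7)); cf = out; }
    return PACK(v, cf);
}
uint16_t rcl8(uint8_t v, uint8_t cf, int n)
{
    for (int i = 0; i < n; i++) { uint8_t out = (v >> 7) & 1; v = (uint8_t)((v << 1) | cf); cf = out; }
    return PACK(v, cf);
}

static void show(const char *op, uint16_t packed)
{
    uint8_t v = packed & 0xFF;
    printf("%-14s -> ", op);
    for (int b = 7; b >= 0; b--) putchar((v >> b) & 1 ? '1' : '0');
    printf("  CF=%u\n", packed >> 8);
}

int main(void)
{
    show("shr 01011011,3", shr8(0x5B, 3));    /* 00001011 CF=0 */
    show("shl 11100101,2", shl8(0xE5, 2));    /* 10010100 CF=1 */
    show("sar 10100110,3", sar8(0xA6, 3));    /* 11110100 CF=1 */
    show("sar 00100110,3", sar8(0x26, 3));    /* 00000100 CF=1 */
    show("ror 10011011,3", ror8(0x9B, 3));    /* 01110011 CF=0 */
    show("rcr 00000001,1", rcr8(0x01, 0, 1)); /* 00000000 CF=1 */
    return 0;
}
```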
Exchange
The XCHG instruction is about as simple as it gets. It can swap two registers, or a register and a memory location.
eax = 237h
ecx = 978h
xchg eax, ecx
eax = 978h
ecx = 237h
(6) File structure
Assembly source files are divided into sections. The sections are code, data, uninitialized data, constants, resources and relocations. The resource section is produced from the resource file (see later). The relocation section is not important for us (it may hold information the PE loader needs to load the program at a different place in memory). The important sections are code, data, uninitialized data and constants. The code section contains, as you would expect, the code. The data section contains readable and writable data; the whole data section is stored in the exe file and is normally initialized with data.
Uninitialized data contains nothing at the start and is not even present in the exe file; it is just a piece of memory that Windows reserves for the program. This section can be read and written. Constants are like the data section, but read-only. This section can be used for constants, but it is easier and faster to declare constants in an include file; they are then simply used as immediate values.
(6.1) Section indicators
In your source files you have to define the sections yourself:
.code ; the code section starts here
.data ; the data section starts here
.data? ; the uninitialized data section starts here
.const ; the constants section starts here
Executable files (*.exe, *.dll, ...) on Win32 are in the PE (portable executable) format. Apart from a few important points it will not be discussed in detail here (see the chapter on the PE header). Sections are defined in the PE header with a number of attributes: section name, RVA, offset, raw size, virtual size and flags. The RVA (relative virtual address) is the relative location in memory to which the section will be loaded; "relative" here means relative to the base address the program occupies in memory when it runs. That base address is also in the PE header, but only the PE loader can change it (using the relocation section). Offset is the raw offset in the exe file where the section's first data is. Virtual size is the size the section will have in memory. The flags are flags such as readable, writable and executable.
(6.2) Sample program
This is a sample program:
.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax
This program will not assemble as it stands, but never mind. Everything you place in a section of your assembly program ends up in the exe file and is loaded into memory with the program. The data section shown above has three labels: Number1, Number2 and Number3. These labels hold the offset of their location in the program, so you can use them to refer to a location in your program. DD places a DWORD value directly at that location; DW is a word and DB a byte. With DB you can also use strings, so a string is just a sequence of byte values. As an example:
33,20,01,00,00,01,00,02,00,03,00,04,62,6c,61,62,6c,61,00 (all hex numbers)
(each value is one byte)
In the original some of these numbers are colored: Number1 is the memory location of the first byte, 33; Number2 is the location of the 00 that follows the first four bytes (the low byte of 100h); and Number3 is the location of the 62 that starts "blabla". If you use this in your program ...
mov ecx, Number1
what it really means is
mov ecx, dword ptr [the memory location holding the dword 12033h]
but this one
mov ecx, offset Number1
means ...
mov ecx, the memory location holding the dword 12033h
In the first example ECX receives the value stored at Number1's memory location. In the second, ECX becomes the memory location (the offset) itself. The two examples below therefore have the same effect:
(1)
mov ecx, Number1
(2)
mov ecx, offset Number1
mov ecx, dword ptr [ecx] (or mov ecx, [ecx])
Now look at the example again:
.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax
The label Value can be used just like Number1, Number2 and Number3, but at first it will contain zero, because it is in the uninitialized data section. The advantage is that everything you declare in .data? is not stored in the executable; it exists only in memory.
.data?
ManyBytes1 db 5000 dup (?)
.data
ManyBytes2 db 5000 dup (0)
(5000 dup = repeat 5000 times. Value db 4,4,4,4,4,4,4 is the same as Value db 7 dup (4).)
ManyBytes1 itself is not in the file; 5000 bytes are simply reserved in memory. ManyBytes2, on the other hand, is stored in the executable and makes the file 5000 bytes bigger. Your file would then contain 5000 zeros, which is not very useful.
The code section is simply assembled (converted to raw code) and placed in the executable (and, of course, in memory when the program is loaded).
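As an added example (not code from the book), the .data section of the sample program above is laid out in C exactly as the assembler emits it, so the byte dump in the text, the offsets the labels stand for, and the difference between `mov ecx, Number1` and `mov ecx, offset Number1` can all be checked. The struct, the expected byte image and the function names are constructed for this example; it assumes a little-endian host such as x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the book): the sample program's .data section as a
 * packed struct, plus the .code part executed on it. Assumes little-endian. */
#pragma pack(push, 1)
typedef struct {
    uint32_t Number1;      /* Number1 dd 12033h               */
    uint16_t Number2[4];   /* Number2 dw 100h,200h,300h,400h  */
    char     Number3[7];   /* Number3 db "blabla",0           */
} DataSection;
#pragma pack(pop)

static const DataSection data = { 0x12033, { 0x100, 0x200, 0x300, 0x400 }, "blabla" };

/* The 19 bytes listed in the text, written out here as the expected image. */
static const uint8_t expected_image[19] = {
    0x33, 0x20, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04,
    0x62, 0x6c, 0x61, 0x62, 0x6c, 0x61, 0x00
};

/* Does the section image match the dump byte for byte? */
int image_matches(void)
{
    return sizeof data == sizeof expected_image
        && memcmp(&data, expected_image, sizeof expected_image) == 0;
}

/* `offset Label`: the label's distance from the start of the section. */
size_t offset_of_number2(void) { return offsetof(DataSection, Number2); }  /* 4  */
size_t offset_of_number3(void) { return offsetof(DataSection, Number3); }  /* 12 */

/* `mov ecx, Number1`: the dword stored at the label, not its address. */
uint32_t value_at_number1(void)
{
    uint32_t ecx;
    memcpy(&ecx, (const uint8_t *)&data, sizeof ecx);
    return ecx;                                        /* 12033h */
}

/* The .code part of the sample, executed on the image:
 *   mov eax, Number1          ; eax = dword at Number1
 *   mov ecx, offset Number2   ; ecx = address of Number2
 *   add ax, word ptr [ecx+4]  ; low 16 bits of eax += third word (300h)
 *   mov Value, eax            ; Value = 12333h */
uint32_t run_sample(void)
{
    const uint8_t *base = (const uint8_t *)&data;
    uint32_t eax = value_at_number1();
    const uint8_t *ecx = base + offset_of_number2();
    uint16_t w;
    memcpy(&w, ecx + 4, sizeof w);                     /* word ptr [ecx+4] = 300h */
    uint16_t ax = (uint16_t)((uint16_t)eax + w);       /* 2033h + 300h = 2333h */
    return (eax & 0xFFFF0000u) | ax;                   /* upper half untouched */
}
```

Note that `add ax, ...` only touches the low 16 bits of EAX; the 0001h in the upper half survives, which is why Value ends up as 12333h rather than 2333h.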
(7) Conditional Jumps
In the code section, labels can be used like this:
.code
mov eax, edx
sub eax, ecx
cmp eax, 2
jz loc1
xor eax, eax
jmp loc2
loc1:
xor eax, eax
inc eax
loc2:
(xor eax, eax means eax = 0.)
Let's go through the code.
mov eax, edx ; put EDX into EAX
sub eax, ecx ; subtract ECX from EAX
cmp eax, 2 ; compare EAX with 2
Cmp is a new instruction. Cmp means 'compare'. It compares two values (reg, mem, imm) and sets the Z-flag if they are equal. The zero flag, like the carry flag, is a bit in the flag register.
jz loc1;
This is also new: it is a conditional jump. Jz = jump if zero. It jumps when the zero flag is set. loc1 is a label for an offset in memory; the instructions 'xor eax, eax | inc eax' start there. So jz loc1 jumps to the instruction at loc1 if the zero flag is set.
cmp eax, 2 ; sets the zero flag if EAX = 2
jz loc1 ; jumps to loc1 if the zero flag is set
=
If EAX equals 2, jump to the instruction at loc1.
Next comes jmp loc2. This is also a jump, but an unconditional one: it always jumps. Rewritten exactly in the C language, the code above is:
if ((edx-ecx)==2)
{
eax = 1;
}
else
{
eax = 0;
}
In the BASIC programming language it is:
IF (edx-ecx)=2 THEN
EAX = 1
ELSE
EAX = 0
END IF
(7.1) Flag register
The flag register contains flags that are set or cleared depending on calculations and other events. I won't discuss all of them, only the important ones.
ZF (Zero flag)
Set if the result of a calculation is zero. (A comparison is really just a subtraction: the result is not stored, but the flags are set.)
SF (Sign flag)
If this flag is set, the final result of the calculation is negative.
CF (Carry flag)
After a calculation, holds the bit carried out of the leftmost position.
OF (Overflow flag)
Indicates that the calculation overflowed, i.e. the result does not fit in the destination.
There are also other flags (Parity, Auxiliary, Trap, Interrupt, Direction, IOPL, Nested Task, Resume & Virtual Mode), but since we won't use them they won't be explained here.
(7.2) Jump series
Below is the complete set of conditional jumps. They jump depending on the state of the flags, but most have self-explanatory names, so you don't need to know which flags each jump tests. For example, 'Jump if greater or equal' (jge) is taken when 'Sign flag = Overflow flag', and 'Jump if zero' means 'Jump if Zero flag = 1'.
How to read the table
'Jump if above' means:
cmp x, y; // compare x and y
// jump if x is above y
Opcode  Meaning                                  Condition
JA      Jump if above                            CF=0 & ZF=0
JAE     Jump if above or equal                   CF=0
JB      Jump if below                            CF=1
JBE     Jump if below or equal                   CF=1 or ZF=1
JC      Jump if carry                            CF=1
JCXZ    Jump if CX=0                             register CX=0
JE      Jump if equal (same as JZ)               ZF=1
JG      Jump if greater (signed)                 ZF=0 & SF=OF
JGE     Jump if greater or equal (signed)        SF=OF
JL      Jump if less (signed)                    SF != OF
JLE     Jump if less or equal (signed)           ZF=1 or SF!=OF
JMP     Unconditional jump                       -
JNA     Jump if not above                        CF=1 or ZF=1
JNAE    Jump if not above or equal               CF=1
JNB     Jump if not below                        CF=0
JNBE    Jump if not below or equal               CF=0 & ZF=0
JNC     Jump if not carry                        CF=0
JNE     Jump if not equal                        ZF=0
JNG     Jump if not greater (signed)             ZF=1 or SF!=OF
JNGE    Jump if not greater or equal (signed)    SF!=OF
JNL     Jump if not less (signed)                SF=OF
JNLE    Jump if not less or equal (signed)       ZF=0 & SF=OF
JNO     Jump if not overflow (signed)            OF=0
JNP     Jump if no parity                        PF=0
JNS     Jump if not signed (signed)              SF=0
JNZ     Jump if not zero                         ZF=0
JO      Jump if overflow (signed)                OF=1
JP      Jump if parity                           PF=1
JPE     Jump if parity even                      PF=1
JPO     Jump if parity odd                       PF=0
JS      Jump if signed (signed)                  SF=1
JZ      Jump if zero                             ZF=1
All jump instructions take only one operand: the offset of the location to jump to. If you look at the table carefully you will see the unconditional jump (JMP). It does not compare anything; it simply jumps.
(8) A glance at numbers
In most programming languages, whether integers or floating-point numbers are used depends on the variable declaration. In assembler these are completely different: floating-point calculations are done with special opcodes, executed by a coprocessor called the FPU (floating point unit). Floating-point instructions will be discussed later; first, integers. In C there are two kinds of numbers: signed and unsigned. Signed numbers carry a +/- sign; unsigned numbers are always positive. Let's look at the differences in the table below. (To repeat: the example here uses bytes, but other sizes work the same way.)
Value     00 01 02 03 ... 7F  80 ... FC  FD  FE  FF
Unsigned  00 01 02 03 ... 7F  80 ... FC  FD  FE  FF
Signed    00 01 02 03 ... 7F -80 ... -04 -03 -02 -01
So for signed numbers the byte is split into two halves: 0 to 7F for positive values and 80 to FF for negative values. For dword values it is the same: positive = 0 - 7FFFFFFFh, negative = 80000000h - FFFFFFFFh. As you may have noticed, negative numbers have the most significant bit set, because they are 80000000h or greater. This bit is called the sign bit.
(8.1) Signed or unsigned?
Neither you nor the processor can tell whether a value is signed or unsigned. The good news is that for addition and subtraction it makes no difference whether a number is signed or unsigned.
Compute: -4 + 9
FFFFFFFC + 00000009 = 00000005 (correct)
Compute: 5 - (-9)
00000005 - FFFFFFF7 = 0000000E (also correct) (5 - -9 = 14)
The bad news is that this does not hold for multiplication, division and comparison. That is why there are special mul and div opcodes for signed numbers.
imul and idiv
The advantage of imul over mul is that it can take immediate values.
imul src
imul src, immed
imul dest,src, 8-bit immed
imul dest,src
idiv src
They are the same as mul and div, but they compute with signed values. Comparison can be used in the same way as for unsigned numbers, but the flags are set differently. That is why there are different jump instructions for signed and unsigned numbers.
cmp ax, bx
ja offset
JA is an unsigned jump (Jump if above). Consider ax = FFFFh (FFFFh unsigned, -1 signed) and bx = 0005h (5 unsigned, 5 signed). Since FFFFh is higher than 0005 as an unsigned value, the JA instruction will jump. JG, on the other hand, is used as a signed jump:
cmp ax, bx
jg somewhere
The JG instruction will not jump, because -1 is not greater than 5.
What to remember:
Whether a number is signed or unsigned depends only on how you treat it.
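As an added example (not code from the book) covering both the jump table in (7.2) and the signed/unsigned comparison just discussed: CMP is modelled as a subtraction that keeps only CF, ZF, SF and OF, TEST as an AND that keeps ZF and SF, and the jump conditions are taken straight from the table. It reproduces the ax = FFFFh / bx = 0005h case (JA taken, JG not taken) and the eax = ((edx - ecx) == 2) branch from section (7). The function names are invented for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not from the book): how CMP and TEST set CF, ZF, SF and OF,
 * and how the jump conditions in the table read them. */
typedef struct { bool cf, zf, sf, of; } Flags;

/* cmp dst, src on `bits`-wide operands: compute dst - src, keep only the flags. */
Flags cmp_bits(uint32_t dst, uint32_t src, unsigned bits)
{
    uint32_t mask = bits == 32 ? 0xFFFFFFFFu : ((1u << bits) - 1u);
    uint32_t sign = 1u << (bits - 1);
    dst &= mask; src &= mask;
    uint32_t r = (dst - src) & mask;
    Flags f;
    f.cf = dst < src;                               /* borrow: unsigned below        */
    f.zf = r == 0;
    f.sf = (r & sign) != 0;                         /* result negative when signed   */
    f.of = ((dst ^ src) & (dst ^ r) & sign) != 0;   /* signed result did not fit     */
    return f;
}
Flags cmp16(uint16_t dst, uint16_t src) { return cmp_bits(dst, src, 16); }
Flags cmp32(uint32_t dst, uint32_t src) { return cmp_bits(dst, src, 32); }

/* test dst, src: AND the operands, set ZF/SF from the result, CF = OF = 0. */
Flags test32(uint32_t dst, uint32_t src)
{
    uint32_t r = dst & src;
    Flags f = { false, r == 0, (r & 0x80000000u) != 0, false };
    return f;
}

/* Jump conditions, straight from the table in (7.2). */
bool ja(Flags f)  { return !f.cf && !f.zf; }        /* unsigned above   */
bool jae(Flags f) { return !f.cf; }
bool jb(Flags f)  { return f.cf; }
bool jg(Flags f)  { return !f.zf && f.sf == f.of; } /* signed greater   */
bool jge(Flags f) { return f.sf == f.of; }
bool jl(Flags f)  { return f.sf != f.of; }
bool jle(Flags f) { return f.zf || f.sf != f.of; }
bool jz(Flags f)  { return f.zf; }
bool jnz(Flags f) { return !f.zf; }

/* The conditional-jump example from section (7): eax = ((edx - ecx) == 2) ? 1 : 0 */
uint32_t branch_example(uint32_t edx, uint32_t ecx)
{
    uint32_t eax = edx - ecx;          /* mov eax, edx / sub eax, ecx */
    Flags f = cmp32(eax, 2);           /* cmp eax, 2                  */
    return jz(f) ? 1u : 0u;            /* jz loc1 -> eax = 1, else 0  */
}
```

The same CMP produces one set of flags; only the jump chosen afterwards decides whether FFFFh is read as 65535 (JA: above 5) or as -1 (JG: not greater than 5). The 8000h versus 1 case shows why JL tests SF != OF rather than SF alone: the subtraction wraps to 7FFFh, so SF is clear but OF is set.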
(9) More opcodes
Here are a few more opcodes.
TEST
TEST performs a logical AND on its two operands, dest and src, and sets the flag register according to the result; the result itself is not stored. TEST is used, as in the example, to test a single bit in a register:
test eax, 100b ; (b is short for binary)
jnz bitset
If the third bit (counting from the right) of EAX is set, JNZ will jump. The most common use of TEST is to test whether a register is zero:
test ecx, ecx
jz somewhere
If ECX is zero, JZ will jump.

STACK OPCODES
Before discussing the stack opcodes, let me first explain what the stack is. The stack is an area of memory pointed to by the stack pointer register, ESP. It is a place to keep temporary values. There are two instructions for storing and retrieving values: PUSH and POP. PUSH puts a value on the stack and POP takes it off again. The value put on the stack last is taken off first. When a value is put on the stack the stack pointer decreases; when it is removed, the stack pointer increases.
Look at this example:
(1) mov ecx, 100
(2) mov eax, 200
(3) push ecx ; save ECX
(4) push eax
(5) xor ecx, eax
(6) add ecx, 400
(7) mov edx, ecx
(8) pop ebx
(9) pop ecx
Explanation
1: put 100 in ECX.
2: put 200 in EAX.
3: push ecx (=100) (first on the stack)
4: push eax (=200) (last on the stack)
5/6/7: operations on ECX; the value of ECX changes.
8: pop ebx: EBX becomes 200 (it was pushed last, so it is taken off first).
9: pop ecx: ECX becomes 100 (it was pushed first, so it is taken off last).
To see what happens in memory during PUSH/POP, look at the tables below. (Here the stack is shown filled with zeros at first, but that is not really the case. "ESP" marks the offset ESP points to.)
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  00   00   00   00   00   00   00   00   00
                          ESP
mov ax, 4560h
push ax
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  00   00   60   45   00   00   00   00   00
                ESP
mov cx, FFFFh
push cx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  FF   FF   60   45   00   00   00   00   00
       ESP
pop edx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value  FF   FF   60   45   00   00   00   00   00
                          ESP
Now EDX is 4560FFFFh.
CALL & RET
A call jumps to some piece of code and, as soon as a RET instruction is reached, returns. You will know these as functions or subroutines from other programming languages. Example:
; ..code..
call 0455659
; ..more code..
; Code at 455659:
add eax, 500
mul edx ; EDX:EAX = EAX * EDX (MUL takes a single operand; EAX is the implicit multiplicand)
ret
When the CALL instruction executes, the processor jumps to the code at 455659 and executes instructions until it reaches RET, then returns to the instructions following the CALL. The code a CALL jumps to is called a procedure. CALL pushes EIP (the pointer to the next instruction to execute) onto the stack, and RET pops it back. You can pass arguments to a CALL; this is done with PUSH:
push something
push something2
call procedure
Inside the procedure the arguments can be read from the stack and used. Local variables (data needed only inside the procedure) can also be kept on the stack. I won't discuss this in detail, because masm (Macro Assembler) and tasm (Turbo Assembler) make it easy. It is enough to remember that you can write procedures and that they take parameters. One important point:
EAX is almost always used to hold a procedure's return value.
This is also true for Windows functions. In your own procedures you may of course use any other register, but EAX is the standard. By the way, let me explain the use of one more instruction:
lea edi, namebuffer ; EDI = the address where the name you typed is stored
mov eax, dword ptr ds:[edi] ; puts four characters into EAX, because a DWORD (4 bytes) is four characters
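As an added example (not code from the book) covering the stack opcodes and the CALL & RET passage above, here is a small model of the x86 stack in C: memory is a byte array indexed by offset, PUSH lowers ESP and stores little-endian, POP reads and raises it, CALL pushes the return address and RET pops it. It replays the book's push ax / push cx / pop edx walk-through and the push-arguments-then-call sequence. The memory size, the 1207h starting ESP, the code addresses and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not from the book): PUSH / POP / CALL / RET on a modelled stack.
 * Offsets, addresses and helper names are constructed for this example. */
enum { MEM_SIZE = 0x1300 };
typedef struct { uint8_t mem[MEM_SIZE]; uint32_t esp, eip; } Cpu;

void cpu_init(Cpu *c, uint32_t esp, uint32_t eip)
{
    memset(c, 0, sizeof *c);           /* the text's tables also start all-zero */
    c->esp = esp; c->eip = eip;
}
/* Store / load little-endian values of `n` bytes at an offset. */
static void store(Cpu *c, uint32_t at, uint32_t v, unsigned n)
{ for (unsigned i = 0; i < n; i++) c->mem[at + i] = (uint8_t)(v >> (8 * i)); }
static uint32_t load(const Cpu *c, uint32_t at, unsigned n)
{ uint32_t v = 0; for (unsigned i = 0; i < n; i++) v |= (uint32_t)c->mem[at + i] << (8 * i); return v; }

/* PUSH: ESP goes down by the operand size, then the value is written at [ESP]. */
void push16(Cpu *c, uint16_t v) { c->esp -= 2; store(c, c->esp, v, 2); }
void push32(Cpu *c, uint32_t v) { c->esp -= 4; store(c, c->esp, v, 4); }
/* POP: read [ESP], then ESP goes back up. */
uint16_t pop16(Cpu *c) { uint16_t v = (uint16_t)load(c, c->esp, 2); c->esp += 2; return v; }
uint32_t pop32(Cpu *c) { uint32_t v = load(c, c->esp, 4); c->esp += 4; return v; }

/* CALL pushes the address of the next instruction and jumps; RET pops it back.
 * `ret n` additionally discards n bytes of arguments (what a stdcall callee does). */
void call(Cpu *c, uint32_t next_instr, uint32_t target) { push32(c, next_instr); c->eip = target; }
void ret_n(Cpu *c, uint32_t n) { c->eip = pop32(c); c->esp += n; }

/* Steps (1)-(9) from the text: push ecx then eax, pop into ebx then ecx (LIFO). */
int lifo_order_holds(void)
{
    Cpu c; cpu_init(&c, 0x1207, 0);
    uint32_t ecx = 100, eax = 200, ebx;
    push32(&c, ecx); push32(&c, eax);
    ecx ^= eax; ecx += 400;            /* ECX is clobbered in between */
    ebx = pop32(&c); ecx = pop32(&c);
    return ebx == 200 && ecx == 100;
}

/* The text's memory walk-through: push ax (4560h), push cx (FFFFh), pop edx. */
uint32_t walkthrough(void)
{
    Cpu c; cpu_init(&c, 0x1207, 0);
    push16(&c, 0x4560);     /* mem[1205..1206] = 60 45, ESP = 1205h */
    push16(&c, 0xFFFF);     /* mem[1203..1204] = FF FF, ESP = 1203h */
    return pop32(&c);       /* reads FF FF 60 45 -> 4560FFFFh, ESP = 1207h */
}

/* What a stdcall callee sees after `push lpString / push hWnd / call proc`:
 * [esp] = return address, [esp+4] = hWnd (pushed last), [esp+8] = lpString. */
typedef struct { uint32_t ret_addr, hwnd, lpstring, esp_after, eip_after; } Frame;
Frame stdcall_frame(void)
{
    Cpu c; cpu_init(&c, 0x1200, 0x401000);            /* constructed addresses */
    push32(&c, 0x403010);                             /* lpString (rightmost first) */
    push32(&c, 0x000A0B0C);                           /* hWnd */
    call(&c, 0x401005, 0x401500);                     /* next instr 401005h, proc at 401500h */
    Frame f;
    f.ret_addr = load(&c, c.esp, 4);
    f.hwnd     = load(&c, c.esp + 4, 4);
    f.lpstring = load(&c, c.esp + 8, 4);
    ret_n(&c, 8);                                     /* callee removes its two dword args */
    f.esp_after = c.esp;                              /* back to 1200h */
    f.eip_after = c.eip;                              /* 401005h */
    return f;
}
```

The walk-through shows why the two 16-bit pushes read back as one dword 4560FFFFh: each push writes its low byte first at the lower address, so the bytes at 1203h..1206h are FF FF 60 45 and a 32-bit pop reassembles them little-endian. In stdcall_frame the return address sits directly below the arguments, which is why a procedure reads its first parameter at [esp+4].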
(10) Windows-related assembly language basics
(10.1) API
The most basic thing about programming in Windows is the Windows API (Application Programming Interface). The API is the collection of functions the OS provides, and every Windows program uses them. These functions live in the Windows system DLLs: kernel, user, gdi, shell, advapi and so on. There are two kinds of functions, ANSI and Unicode; these are two ways of storing and handling strings. ANSI represents each character by a code (an ASCII code) and uses \0 (null-terminated) to mark the end of the string. Unicode uses the widechar format, two bytes per character, and is used for languages that need more characters, such as Chinese or Burmese. Widechar strings usually end with \20. Windows accepts both ANSI and Unicode functions. For example:
MessageBoxA (ANSI)
MessageBoxW (W = widechar (unicode))
We will use ANSI.
(10.2) Importing DLL files
To use the Windows API functions, the DLL files must be imported. This is done with import libraries (.lib). These libs are essential, because they let Windows link the DLLs dynamically (that is, at a dynamic base address in memory). A library is included with includelib:
includelib C:\masm32\lib\kernel32.lib (or)
includelib \masm32\lib\kernel32.lib (or)
includelib kernel32.lib
Now kernel32.lib is included. The include library is not the only thing that matters: an include file (.inc) is needed as well. These are generated automatically from the libraries with the l2inc program. An include file is written like this:
include \masm32\include\kernel32.inc
Because the include file defines prototypes for the DLL's functions, you can call them with invoke:
user32.inc (MessageBoxA is a user32 function):
...
MessageBoxA proto stdcall :DWORD, :DWORD, :DWORD, :DWORD
MessageBox textequ <MessageBoxA>
...
In the include file you will see that, alongside the ANSI functions, names without the 'A' are defined to map onto the real function names, so you can use MessageBox instead of MessageBoxA. Once you have declared the include library and include file for the functions you will use, you can call those functions:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL
(10.3) Windows include file
Windows has a special include file, windows.inc, which contains all the constants and structures needed for the Windows API. For example, a message box can have several styles; the function's fourth parameter is the style. NULL means MB_OK, a message box with an OK button. The Windows include file contains definitions for such styles:
MB_OK = 0
MB_OKCANCEL = ...
MB_YESNO = ...
Because they are defined like this, you can use these names as constants:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_YESNO
To declare the include file for this example:
include \masm32\include\windows.inc
(10.4) Frame
Let's look at a sample frame.
.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\gdi32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\gdi32.inc
include \masm32\include\windows.inc
.data
blahblah
.code
start:
blahblah
end start
This is the basic frame of a Windows assembly source file (.asm).
.486 - Tells the assembler to generate code for the 486 (or higher) processor. You can also use .386, but .486 usually works well.
.model flat, stdcall - Uses the flat memory model and the stdcall calling convention. stdcall means that a function's parameters are pushed from right to left (the last parameter is pushed first) and that, when it finishes, the function must restore the stack itself. This is the standard for almost all Windows API functions and DLLs.
option casemap:none - Decides whether labels are case-sensitive. For windows.inc to work properly it must be set to 'none'.
includelib - Discussed above.
include - Discussed above.
.data - Start of the data section.
.code - Start of the code section.
start: / end start - The label marks the start of the program. It doesn't have to be called 'start'; you can use any name you like. But at the end you must use the 'end' statement.

OK, let's write our first program. The two pieces of software we'll use here to assemble it are WinAsm Studio 5.1.5 and Macro Assembler 3.2.7.
.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc
.data
MsgText db "Hello world!", 0
MsgTitle db "This is a messagebox", 0
.code
start:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_OKCANCEL or MB_ICONQUESTION
invoke ExitProcess, NULL
end start
If you assemble this code (Go All), you will see Figure (1).
Figure (1)
To explain how the program works ...
1. MessageBox is used like this (see Win32.hlp):
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);

hWnd - Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
lpText - Points to the null-terminated (\0) string that is shown as the message.
lpCaption - Points to the null-terminated (\0) string used as the title. If NULL is given here, the default title is used.
uType - Specifies the style of the dialog box; it may be a combination of flags.
2.
hWnd will be NULL, because our program has no window.
lpText is a pointer to our text, i.e. this parameter is the memory offset where the text we want to display is stored.
lpCaption is the offset where the title text is stored.
uType is a combination of values such as MB_OK, MB_OKCANCEL and MB_ICONERROR.
3. Define the two strings for MessageBox in advance.
.data
MsgText db "Hello world!",0
MsgTitle db "This is a messagebox",0
- .data marks the start of the data section. db means byte, and the 0 is added so that the string is null-terminated (\0). If you want the text to continue on a new line ... (13 = Carriage Return, 10 = Line Feed)
.data
MsgText db "Hello world!",13,10
db "I'm a messagebox",13,10
db "Hello again!",0
- MsgText holds the offset of the first string and MsgTitle the offset of the second. Now you can call the MessageBox function:
invoke MessageBox, NULL, offset MsgText, offset MsgTitle, NULL
- Because invoke is used, you can use ADDR instead of offset (it is safer):
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL
- We did not specify the last parameter, yet it works fine, because MB_OK (a message box with an OK button) equals 0 (NULL). But you can use any other style.
Figure (2)
4. The meaning of uType is shown in Figures (2) and (3).
Figure (3)
(10.5) Win32 API
The Windows API contains the data types, constants, functions and structures needed to create Windows programs. Most API functions, including the ExitProcess we used, are kept in three main DLL files: kernel32.dll, gdi32.dll and user32.dll.
KERNEL32.DLL - Low level kernel services
GDI32.DLL - Graphics Device Interface: drawing and printing
USER32.DLL - User interface controls, windows and messaging services
BOOL SetWindowText(
HWND hWnd, // handle of window or control
LPCTSTR lpString // address of string
);
This is written in C style. Rewritten in assembly form (stdcall: the parameters are pushed from right to left):
PUSH lpString
PUSH hWnd
CALL SetWindowText
(11) Writing a simple dialog box program
This time we'll skip the internal structure of Windows and write a practical program (I'll explain it when the opportunity arises). In WinAsm Studio's File menu choose New Project. From the Project menu choose Add New Rc, then Add New Dialog. Then create a caption, two buttons and an editbox. Next choose the Resources tab at the bottom of the screen. Double-click the Caption box and type 'Simple Dialog Box Program'. Then pick the edit control from the toolbox and draw it as in Figure (4).
Figure (4)
Then create two buttons and change their texts to 'Say Hello' and 'Exit'. Figure (5).
Figure (5)
Now press F12 to look at the dialog box we created as code:
;This Resource Script was generated by WinAsm Studio.
#define IDD_DLG1001 1001
#define IDC_EDIT1002 1002
#define IDC_BUTTON1003 1003
#define IDC_BUTTON1004 1004
IDD_DLG1001 DIALOGEX 0,0,170,72
CAPTION "Simple Dialog Box Program"
FONT 8,"MS Sans Serif"
STYLE 0x10cc0000
EXSTYLE 0x00000000
BEGIN
CONTROL "",IDC_EDIT1002,"Edit",0x50010080,10,9,121,19,0x00000200
CONTROL "Say Hello",IDC_BUTTON1003,"Button",0x50010000,17,46,51,16,0x00000000
CONTROL "Exit",IDC_BUTTON1004,"Button",0x50010000,102,46,50,16,0x00000000
END
To write the code that works with the dialog box template, we need to know the names and control IDs of the dialog box, the editbox and the buttons. They are in the first four lines of the resource script. Then select dialogbox.asm and type in the code below.
.386
.model flat, stdcall
option casemap:none
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib USER32.LIB
includelib KERNEL32.LIB
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
.data
Message db "Hello World", 0
.data?
hInstance HINSTANCE ?
.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL
invoke ExitProcess, eax
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.if uMsg == WM_COMMAND
mov eax, wParam
.if eax == 1003 ; 'Say Hello' button: put Message into the editbox
invoke SetDlgItemText, hWnd, 1002, ADDR Message
.elseif eax == 1004 ; 'Exit' button
invoke SendMessage, hWnd, WM_CLOSE, 0, 0
.endif
.elseif uMsg == WM_CLOSE
invoke EndDialog, hWnd, 0
.endif
xor eax, eax
Ret
DlgProc EndP
end start
Figure (6)
If you build this code into an exe file, you will see Figure (7).
Figure (7)
(12) Writing a keygen program
This lesson is very important for crackers, because a keygen is something crackers cannot do without: only with a keygen can you produce a registration code that matches any user name you like. Look at some sample keygens in Figure (8).
Figure (8)
OK, let's start writing the keygen. Open WinAsm Studio and set things up as in the picture below, Figure (9). There must be two edit controls, two static texts and three buttons.
Figure (9)
Change the two static texts to SS_CENTERIMAGE and the Serial editbox to ES_READONLY. Change the dialog box to DS_CENTER and save keygen.rc. Then type the following code into keygen.asm. The main body to type in is:
0001 .386
0002 .model flat, stdcall
0003 option casemap:none
0004 include windows.inc
0005 include kernel32.inc
0006 include user32.inc
0007 includelib kernel32.lib
0008 includelib user32.lib
0009
0010 DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
0011
0012 .data?
0013 hInstance HINSTANCE ?
0014 NameBuffer db 32 dup(?)
0015 SerialBuffer db 32 dup(?)
0016
0017 .const
0018 IDD_KEYGEN equ 1001
0019 IDC_NAME equ 1002
0020 IDC_SERIAL equ 1003
0021 IDC_GENERATE equ 1004
0022 IDC_COPY equ 1005
0023 IDC_EXIT equ 1006
0024 ARIcon equ 2001
0025
0026 .code
0027 start:
0028 invoke GetModuleHandle, NULL
0029 mov hInstance, eax
0030 invoke DialogBoxParam, hInstance, IDD_KEYGEN, NULL, addr DlgProc, NULL
0031 invoke ExitProcess, eax
Figure (10)
Next comes the Dialog procedure.
0033 DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
0034 .if uMsg == WM_INITDIALOG
0035 invoke LoadIcon, hInstance, ARIcon
0036 invoke SendMessage, hWnd, WM_SETICON, 1, eax
0037 invoke GetDlgItem, hWnd, IDC_NAME
0038 invoke SetFocus, eax
0039 .elseif uMsg == WM_COMMAND
0040 mov eax, wParam
0041 .if eax == IDC_GENERATE
0042 invoke GetDlgItemText, hWnd, IDC_NAME, addr NameBuffer, 32
0043 call Generate
0044 invoke SetDlgItemText, hWnd, IDC_SERIAL, addr SerialBuffer
0045 .elseif eax == IDC_COPY
0046 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, EM_SETSEL, 0, ‐1
0047 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, WM_COPY, 0, 0
0048 .elseif eax == IDC_EXIT
0049 invoke SendMessage, hWnd, WM_CLOSE, 0, 0
0050 .endif
0051 .elseif uMsg == WM_CLOSE
0052 invoke EndDialog, hWnd, 0
0053 .endif
0054 xor eax, eax
0055 Ret
0056 DlgProc EndP
Figure (11)
Then write the Generate procedure, which produces the serial number.
0058 Generate proc
0059 invoke lstrlen, addr NameBuffer
0060 test eax, eax
0061 jle NOINPUT
0062 mov ecx, eax
0063 mov esi, offset NameBuffer
0064 mov edi, offset SerialBuffer
0065 @@:
0066 dec ecx
0067 mov dl, BYTE ptr [esi+ecx]
0068 mov BYTE ptr[edi], dl
0069 inc edi
0070 or ecx, ecx
0071 ja @b
0072 NOINPUT:
0073 Ret
0074 Generate EndP
0075 end start
Figure (12)
From here on, let us study the code shown in figures (10), (11) and (12).
- Lines 14 and 15 (figure 10) declare uninitialized strings: one holds the name the user types in, the other the serial that will be computed from it.
- The Generate function is only an example routine: it reverses the text typed into the Name edit box. lstrlen finds out how many characters were typed into the Name edit box. The typed text has already been placed in NameBuffer, and the character count comes back in EAX. If nothing at all was typed, execution goes to NOINPUT.
- If the number of characters typed is greater than zero, the count in EAX is moved into ECX with a mov instruction; ECX serves as the character counter. The memory addresses of NameBuffer and SerialBuffer are kept in ESI and EDI, the two registers conventionally used to point at the source and the destination when handling strings.
- @@ declares an anonymous label. Long routines use named labels of every kind, but for small jumps and loops programmers usually do not bother naming them. Writing @f in place of a label name jumps forward to the nearest anonymous label, and @b jumps back to the nearest preceding one.
- The string-reversing routine works like this. First the counter ECX is decremented, which is why the final iteration ends at zero rather than one. (That is, if the Name string has six characters, ECX immediately becomes 5, and the routine runs exactly six times, from 5 down to 0.) ESI holds the address of the first character of NameBuffer, so ESI+ECX points at the first character when ECX=0 and at the last character when ECX=5. The first mov copies the last character of NameBuffer into DL, the low byte of EDX; the second mov stores that character at the first position of SerialBuffer (whose address is in EDI). Copying in this order reverses the string. After each character, or ecx, ecx updates the flags: the zero flag is set only once ECX has reached zero. While it is clear, the jump goes back to @@ and the routine repeats.
- This is a simple way of writing it. You can write complete routines in your own style using API functions.
Then you can try adding pictures and sounds to our keygen program.
Chapter (4) - Software Protection

(Note: this lesson is written purely from a programmer's point of view. It discusses the methods programmers use to protect their software. How to crack them is not discussed in this chapter at all.)
This lesson is about software protection, something you will unavoidably run into when cracking. The point to understand is that, so far, there is no protection that cannot be removed. A piece of software may have gone uncracked because few people know of it, or because of a new protection technique; once it reaches the hands of a skilled cracker, it will be cracked sooner or later.

The protection discussed in this chapter does not mean protecting by packing. (Packing-based protection is covered in the chapter "Packers (Protectors)".)

Apart from experienced programmers, most programmers leave weaknesses and flaws in the protection of their software. Afraid that their programs will run into problems if the protection is not written correctly, they do not make the protection deep or complex. (For example, in My Driver 3.11 the registration succeeds only briefly even when the correct registration code is typed in, so even the paying user has to register again and again.) So they protect their programs simply, and some have almost no protection at all. (Among software from Myanmar, the protected ones can be counted on the fingers of one hand.)

Only by knowing the types of protection does cracking become easy and successful. Internationally, programmers mainly use four types of software protection:
(1) Using registration numbers
(2) Time and usage-count limits
(3) Using key files
(4) Using hardware keys (dongles)
(1) Using registration numbers
Registration-number protection can be divided further into five kinds:
(1.1) A fixed registration number;
(1.2) A registration number that depends on the data entered;
(1.3) A registration number that depends on the user's computer;
(1.4) Registration numbers implemented in Visual Basic or Delphi programs;
(1.5) Registration numbers verified online.

(1.1) A fixed registration number
With a program that uses this method, the user only has to type in a registration number. Because the registration number is fixed, a cracker can find it easily by debugging. Figure (1).

Figure (1)
The one advantage of this method over the others is that the number does not have to be kept in memory as typed: it can be XORed or otherwise recomputed. The program recomputes the correct registration number and compares the results. In practice you must make it hard to recover the registration number from those results, using computations complex enough that crackers cannot follow them easily. Remember, though, that however well it is hidden, a fixed number is the same for every customer: once one copy leaks, it registers every installation.
(1.2) A registration number that depends on the data entered
This is a commonly used method. Before the registration number is entered, the user first fills in a name, a company name or other details, and the registration number varies with the data entered. Figure (2).

Figure (2)
The more experienced and skilled the programmer, the harder the protection can be made for crackers to break. Whatever complex computation scheme is used, crackers will still trace the program code to obtain a correct registration number.

(1.3) A registration number that depends on the user's computer
This type is an irritation for crackers, and a careless cracker can be thrown off by it: however they register on their own computer, it does not work, because the registration number varies with the machine (for example, with the hard drive's serial number). Figure (3). (The most important thing is to hide the routine that checks the registration number carefully. If the routine is found, it is easy to change it to a fixed number and register the program on any machine with the same registration number.)

Figure (3)
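As an added illustration (example code, not from the book), the scheme below derives a serial from the name typed in, as in (1.2), and optionally from a machine identifier as well, as in (1.3), together with the check routine the program would run. The product secret, the fingerprint built from the disk serial and the serial format are assumptions of the example.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: a product secret compiled into the program. A cracker who traces
# the check routine recovers it, which is why the chapter says to hide that code.
PRODUCT_SECRET = b"example-product-secret"


def machine_fingerprint(disk_serial: str) -> str:
    """Hypothetical machine identifier. The chapter's example input is the
    hard-drive serial number; a real scheme would mix in several values."""
    return hashlib.sha256(disk_serial.encode()).hexdigest()[:8].upper()


def make_serial(name: str, disk_serial: Optional[str] = None) -> str:
    """Keygen side. With disk_serial=None the serial depends only on the name
    entered (method 1.2); with a disk serial it is also bound to one machine
    (method 1.3) and will not register the same name anywhere else."""
    msg = name.strip().upper().encode()
    if disk_serial is not None:
        msg += b"|" + machine_fingerprint(disk_serial).encode()
    digest = hmac.new(PRODUCT_SECRET, msg, hashlib.sha256).hexdigest().upper()
    # Present the first 20 hex digits as XXXXX-XXXXX-XXXXX-XXXXX.
    return "-".join(digest[i:i + 5] for i in range(0, 20, 5))


def check_serial(name: str, serial: str, disk_serial: Optional[str] = None) -> bool:
    """Check routine as the program runs it: recompute and compare.
    compare_digest keeps the comparison constant-time; it does nothing against
    a cracker who patches this routine to return True, which is the attack the
    chapter describes."""
    expected = make_serial(name, disk_serial)
    return hmac.compare_digest(expected, serial.strip().upper())
```

Binding to the machine only changes what goes into the hash; the check routine is the same, and it is that routine, not the arithmetic, that a cracker looks for.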
(1.4) Registration numbers implemented in Visual Basic or Delphi programs
Cracking a registration check written in Visual Basic (VB) is not easy, because the programming language itself is high-level. We have to use debuggers (disassemblers) for cracking, and the compiled code of a high-level language like VB consists largely of calls into the VB runtime rather than of the check itself, so the assembly the debugger shows is hard to follow. The assembly code that debuggers produce from VB programs is therefore hard for novice crackers to understand.
VB programs can be divided into three groups:
(1.4.1) VB4;
(1.4.2) VB5 and later;
(1.4.3) VB5 and later, compiled to packed code (p-code).

(1.4.1) VB4
Most users would not notice it, but among programs those built with VB4 are very weak. An experienced cracker can find the registration number within five minutes. Figure (4). The reason is that VB4 programs mostly use vb40016.dll or vb40032.dll to compare the registration number typed in against the predefined one.

Figure (4)
(1.4.2) VB5 and later
Cracking a program protected with VB5 is considerably harder than with VB4. Most crackers are not keen on debugging VB5 programs with a debugger, because the code is hard to read and understand, and hard to trace. Their ways of cracking such programs are producing a registration number that works for a single user only (that is, without writing a keygen) and modifying the program code so that anyone can enter whatever registration number they like. Only the best crackers write keygens for them. VB5 programs are unpopular among crackers precisely because keygens are hard to write.

So why don't programmers elsewhere write their programs in VB? What I described above was recovering VB code with a debugger. Because that is so hard, crackers found better ways round the problem: recovering the code with the help of tools such as SmartCheck and VB Decompiler. The recovered code comes out close to the original source before compilation. Such tools are called decompilers rather than debuggers, and they decompile programs up to VB6 well. Since these tools appeared, programmers writing in VB have been in trouble, and Microsoft never took the classic VB language beyond version 6, so VB stopped at version 6. Visual C++, which was sold alongside it, is at version 9 at the time of writing and is the most widely used.

You may be wondering why this is being explained when nobody writes VB programs any more. Internationally, VB programs more or less died out around 2001, but in Myanmar, as of 2009, more than 50 percent of software is still written in VB. So if you want to study domestically written programs, this is for you.
(1.5) Registration numbers verified online
Some programs use the latest technology to make sure a registration number is used legitimately. When the registration number is typed in, the program sends it over the internet to be checked; the server tests whether the code is correct and replies; the program then checks whether it is properly registered. Figure (5). Because the program ends up trusting that reply, this kind of protection is very easy to defeat, and experienced crackers remove it without difficulty.

Figure (5)
(2) Time and usage-count limits
Time-limited programs check whether the permitted period of use has passed. Protecting this way is not very effective, because a cracker only has to remove the time limit to use the program freely. Figure (6). Limiting how much of the program can be used in the unregistered version works better: a user who wants the program's full functionality is pushed to buy the registered version.

Figure (6)
Time limits are written in many ways. The possibilities are:
(2.1) The time limit is lifted by entering a correct registration number;
(2.2) The time limit is lifted by adding a registration file;
(2.3) Removing the time limit alone does not give the full version (full use only after purchase);
(2.4) The time limit is written in Visual Basic;
(2.5) The usage limit is defined only by the number of times the program is run.
(2.1) The time limit is lifted by entering a correct registration number
This method is the same as the registration-number method: entering a correct registration number removes the time limit. Figure (7). The one difference is that if no correct registration number is entered, the program is made completely unusable once the permitted period has passed.
Note that if you write such a program, the first thing to do is to record reliably, in the registry or in a file, the date the program was first used. Otherwise the user can get past the limit simply by setting the computer's date back.

Figure (7)
(2.2) The time limit is lifted by adding a registration file
This is a rarely used and rather surprising method. One thing to think about is not delivering the registration file over the internet. Crackers will mainly hunt for the routine that implements the time limit, so you have to secure that routine against this attack. A cracker rarely creates a valid registration file, Figure (8), because doing so is quite hard; what is easier for him is to remove the time-limit routine inside the program.

<IDA Pro key file v5.1>
rhythm, 1 user, professional edition, 3/2009
#d@*^a€RA®ÉÓ™j±Ê¦§­°ČkyĆ0-ă

Figure (8)
When writing the program, avoid an obvious function that merely checks whether the registration file exists in the program's directory and whether it holds the right data; such a check is the first thing a cracker looks for.
(2.3) Removing the time limit alone does not give the full version (full use only after purchase)
Demo versions commonly use this method. Such programs have no way to enter a registration number; when the period expires, the program cannot be used at all, and you must buy it to use it. Example: PopCap games. Figure (9).

Figure (9)
Crackers find the time-limit routine and jump straight past it in the program code, so the program no longer checks whether it has expired and simply goes on doing its usual work.

(2.4) The time limit is written in Visual Basic
This method is not widely used any more.

(2.5) The usage limit is defined only by the number of times the program is run
This is basically the same as the other time-limit methods, but instead of counting days of use it counts the number of runs. Counting this way is a considerable nuisance for crackers, because the program no longer has to consult the date at all; it only needs to keep the run count in the registry or in a file.
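As an added example (not code from the book), the routine below keeps the first-run date required by (2.1) and the run count of (2.5), and also records the last start time so that a clock set back, the bypass mentioned under (2.1), is noticed. TrialStore stands in for the registry value or file; TRIAL_DAYS, TRIAL_RUNS, EPOCH and the state names are assumptions of the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

TRIAL_DAYS = 30                       # assumption: calendar limit, as in method 2.1
TRIAL_RUNS = 20                       # assumption: run-count limit, as in method 2.5
EPOCH = datetime(2009, 3, 1, 9, 0)    # constructed reference time for the demo


@dataclass
class TrialRecord:
    first_run: str   # ISO timestamp of the very first start
    last_seen: str   # ISO timestamp of the most recent start
    runs: int        # number of starts so far


class TrialStore:
    """Stand-in for the registry value or file the chapter tells the programmer
    to write; keeps the JSON text in memory so the example runs offline."""

    def __init__(self) -> None:
        self.text = None

    def load(self):
        return None if self.text is None else TrialRecord(**json.loads(self.text))

    def save(self, rec: TrialRecord) -> None:
        self.text = json.dumps(asdict(rec))


def at(days: int, hours: int = 0) -> datetime:
    """Helper for building start times relative to EPOCH."""
    return EPOCH + timedelta(days=days, hours=hours)


def check_trial(store: TrialStore, now: datetime, registered: bool = False) -> str:
    """Decide what the program may do at start-up. Returns one of
    'registered', 'ok', 'expired', 'runs-exhausted' or 'clock-rollback'."""
    if registered:
        return "registered"
    rec = store.load()
    if rec is None:
        # First start: this is the date the chapter says must be recorded.
        rec = TrialRecord(now.isoformat(), now.isoformat(), 0)
    elif now < datetime.fromisoformat(rec.last_seen):
        # Time went backwards since the last start: the clock has been set back.
        return "clock-rollback"
    rec.runs += 1
    rec.last_seen = now.isoformat()
    store.save(rec)
    if now - datetime.fromisoformat(rec.first_run) > timedelta(days=TRIAL_DAYS):
        return "expired"
    if rec.runs > TRIAL_RUNS:
        return "runs-exhausted"
    return "ok"
```

The record must live somewhere the user cannot simply delete to restart the trial, and a cracker who finds check_trial only has to make it return "ok", which is the patch described under (2.3).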
(3) Using key files
With this method the key file is usually placed in the directory where the software is installed. The program reads and checks the contents of the file. If the key file is valid, the program runs as the registered version; if it is missing or wrong, the program behaves as the unregistered version or refuses to work at all. The key file may contain details about the user and encrypted data.
This type can be studied in two parts:
(3.1) Without a valid file, certain features are blocked;
(3.2) Without a valid file, the program is time-limited.

(3.1) Without a valid file, certain features are blocked
This is a very good method, and crackers do not like it; but like every other method it can still be removed. Here, certain features are blocked unless the correct key file is present. The weak point is that the program has to look for the key file and check whether it is valid. Figure (10). So the cracker finds that routine and either fools the program or reduces the checks the routine makes on the registration file's structure.

Figure (10)
If you use this method, you need to encode the registration file so that the cracker cannot easily create one. Bear in mind that encoding with a key that sits inside the program is only an obstacle: whoever extracts that key can forge files. Only a digital signature, verified with a public key inside the program while the private key stays with the vendor, makes a valid file impossible to forge; even then the check itself can still be patched out.

(3.2) Without a valid file, the program is time-limited
Most antivirus companies use this method. Without a valid registration file the program is unregistered and subject to a time limit.
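The following is an added example, not the book's or IDA's code, of the key-file check discussed under (2.2), (3.1) and (3.2): a three-line file in the spirit of figure (8) whose last line is an authentication tag over the two text lines. The file layout, the vendor secret, the free-feature set and the state names are assumptions. The tag is an HMAC with a secret that has to be built into the program, so this is the "encoded" file the chapter asks for, with the weakness noted above: whoever extracts VENDOR_SECRET can issue files.

```python
import base64
import hashlib
import hmac
from datetime import date
from typing import Optional

# Assumption: the secret the program uses to check files. Because it must be
# inside the program, extracting it lets a cracker run issue_key_file himself;
# a public-key signature would remove that weakness.
VENDOR_SECRET = b"example-vendor-secret"
HEADER = "<Example key file v1>"        # constructed, modelled on figure (8)
FREE_FEATURES = {"open", "view"}        # assumption: usable without a key file


def _tag(body: str, secret: bytes) -> str:
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_key_file(user: str, users: int, edition: str, expires: str,
                   secret: bytes = VENDOR_SECRET) -> str:
    """Vendor side: write the two text lines and append the tag over them."""
    body = f"{HEADER}\n{user}, {users} user, {edition} edition, {expires}\n"
    return body + _tag(body, secret) + "\n"


def parse_key_file(text: str) -> Optional[dict]:
    """Split a key file into its fields without trusting it yet."""
    lines = text.splitlines()
    if len(lines) != 3 or lines[0] != HEADER:
        return None
    fields = [f.strip() for f in lines[1].split(",")]
    if len(fields) != 4:
        return None
    try:
        return {
            "user": fields[0],
            "users": int(fields[1].split()[0]),
            "edition": fields[2].split()[0],
            "expires": date.fromisoformat(fields[3]),
            "body": lines[0] + "\n" + lines[1] + "\n",
            "tag": lines[2],
        }
    except (ValueError, IndexError):
        return None


def license_state(text: Optional[str], today: str) -> str:
    """Program side. 'registered', 'expired' (method 3.2) or 'unregistered'
    (file missing, malformed, or carrying a wrong tag)."""
    info = parse_key_file(text) if text is not None else None
    if info is None:
        return "unregistered"
    expected = _tag(info["body"], VENDOR_SECRET).encode()
    if not hmac.compare_digest(expected, info["tag"].encode()):
        return "unregistered"
    if date.fromisoformat(today) > info["expires"]:
        return "expired"
    return "registered"


def feature_enabled(feature: str, state: str) -> bool:
    """Method 3.1: without a valid file only the free features work."""
    return state == "registered" or feature in FREE_FEATURES
```

Editing any field of the text lines invalidates the tag, which is what stops a user from turning "1 user" into "5 user"; it does not stop a cracker who patches license_state to return "registered".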
(4) Using hardware keys (dongles)
Protection with a hardware key is another approach, and a rarely used one. The dongle, a device for preventing piracy, is plugged into one of the computer's I/O ports, and the protected program is run with it in place. Hardware keys (dongles) are used mostly on very expensive software.
There are two kinds of protection:
(4.1) The program will not start without the hardware key;
(4.2) Some of the program's functions cannot be used without the hardware key.
HASP and Sentinel are the most widely used hardware keys, and can be called the best.

(4.1) The program will not start without the hardware key
Some hardware keys are quite simple. The program sends data to the port the key is attached to and waits for a reply; if there is no reply, an error message appears. Figure (11).
More advanced hardware keys encode the data sent to them, or contain an EPROM; going further, a hardware key can hold part of the program itself. In that case, even if crackers have the program, they can hardly remove the protection without the key.

Figure (11)
(4.2) Some of the program's functions cannot be used without the hardware key
This method is very simple: with the hardware key attached the program works, and without it some of its functions do not, because those functions are placed inside the hardware key itself. It is a very good method. The keys may even contain code to decode functions in memory. If the encoding is good, removing the protection without the key is impossible.

HASP key
HASP (Hardware Against Software Piracy) keys are made by Aladdin Knowledge Systems, and more than 30,000 software publishers use HASP. In 2010 the company merged with SafeNet. HASP installs its own drivers when the software is installed so that the software can communicate with the hardware key.

Figure (12)
Sentinel key
Made by Rainbow Technologies (www.rainbow.com). Rainbow was taken over by SafeNet (now Gemalto) in 2003. Sentinel is very similar to HASP. Early Sentinel keys were made for the parallel port; later ones are USB sticks. Figure (13). A Licensing Development Kit (LDK) is sold with it so that vendors can manage software licences as they wish. More than 35 million applications are protected with Sentinel. Communication between a Sentinel key and the application uses 128-bit AES encryption.

Figure (13)
Chapter (5) - Tools a Cracker Needs

Cracking requires specially made tools, which the average computer user will not be familiar with (even software developers may not be). Some are given away free and some are sold (mostly they are free). Only by becoming familiar with these tools can you become an excellent cracker. The tools are discussed in five groups. (Note: all the tools listed are for Windows operating systems only; tools for other OSes are left out.)
(a) Disassemblers
(b) Decompilers
(c) Debuggers
(d) Hex editors
(e) Other tools

(1) Disassemblers
(1.1) What is a disassembler?
A disassembler is the opposite of an assembler. Where an assembler turns code written in assembly language into binary machine code, a disassembler tries to recreate assembly opcodes from the binary code.
Assembly languages have different instruction encodings depending on the processor in use. The disassembly process itself is simple: read the hex bytes and translate each into the matching opcode. For example, when it sees 55h (01010101b), the disassembler knows it is the instruction PUSH EBP.
Most disassemblers can output assembly instructions in Intel, AT&T or HLA syntax.
(1.2) Professional tools
IDA Pro 6.8
IDA Pro is an expensive tool. It is excellent for crackers, with a very large number of features. The Professional edition costs $1129. The download link is:
https://www.hex-rays.com/products/ida/order.shtml
PE Explorer
PE Explorer puts ease of use and searching first. It is not as full-featured as IDA Pro, but its price of $75 is reasonable.
http://www.heaventools.com
W32DASM
W32DASM is the best 16/32-bit disassembler for Windows.
http://members.cox.net/w32dasm/

(1.3) Freeware tools
IDA 3.7
IDA 3.7 is a DOS GUI tool like IDA Pro. Its limitations: it handles the Z80, 6502, Intel 8051, Intel i860 and PDP-11, and for x86 it only produces instructions up to the 486.
http://www.simtel.net
IDA Pro Freeware 4.9
Performs almost like IDA Pro, but only produces assembly for Intel x86 processors and only runs on Windows; the instructions it disassembles are those of processors released before 2003.
http://www.themel.com
IDA Pro Freeware 4.3
A better GUI than the earlier versions.
http://www.datarescue.be
BORG Disassembler
BORG has a GUI and is the best Win32 disassembler.
http://www.caesum.com
HT Editor
HT Editor is a disassembler that analyzes Intel x86 instructions. The latest version is a console GUI program that runs on Windows.
http://the.sourceforge.net
diStorm64
diStorm is open source and covers 80x86 and AMD64 processors.
http://ragestorm.net
(1.4) Things to know about disassemblers
Separating code from data
Because both data and code are stored in an exe file as binary data, a question arises: how can a disassembler tell whether it is looking at code or data? Is the byte it just read a variable, or part of an instruction?
If data were only ever placed in the exe's .data section and code only in the .code section, there would be no problem. But data can be put directly into the .code section (for example jump-address tables and constant strings), and executable code can be kept in the .data section. (Newer systems try to prevent the latter for security reasons.)
Most disassemblers let the user choose whether a segment is to be treated as code or as data, while some disassemblers try to do the separation automatically.
The general problem of separating code from data in an exe program is equivalent to the halting problem. Consequently no disassembler can separate code and data correctly for every program. By Rice's theorem, every non-trivial question about the properties of programs is undecidable, and cracking is full of theoretical limits of this kind.
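To make the code-versus-data problem concrete, here is an added example (not from the book or from any of the tools listed): a linear-sweep decoder for a handful of 32-bit x86 opcodes, several of which the chapter's keygen uses. Run over a function prologue it recovers the instructions; run over the bytes of a string that happens to follow the code, it produces plausible-looking instructions too, which is exactly the ambiguity described above. The opcode subset and the sample bytes are constructed for the example.

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# One-byte instructions without operands (subset).
SINGLE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3",
          0x6C: "insb", 0x6D: "insd", 0x6E: "outsb", 0x6F: "outsd"}


def decode_one(buf: bytes, i: int):
    """Decode the instruction at offset i. Returns (length, text).
    Raises ValueError for opcodes outside the supported subset and IndexError
    when the buffer ends in the middle of an instruction."""
    op = buf[i]
    if 0x40 <= op <= 0x47:
        return 1, f"inc {REGS[op - 0x40]}"
    if 0x48 <= op <= 0x4F:
        return 1, f"dec {REGS[op - 0x48]}"
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS[op - 0x50]}"           # 55h is push ebp
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REGS[op - 0x58]}"
    if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        imm = buf[i + 1:i + 5]
        if len(imm) != 4:
            raise IndexError("truncated immediate")
        return 5, f"mov {REGS[op - 0xB8]}, {int.from_bytes(imm, 'little'):#x}"
    if op in (0x89, 0x8B, 0x31, 0x33):               # mov/xor, register forms only
        modrm = buf[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:
            raise ValueError("memory operands not supported in this subset")
        mnem = "mov" if op in (0x89, 0x8B) else "xor"
        # 89/31: r/m is the destination; 8B/33: reg is the destination.
        dst, src = (REGS[rm], REGS[reg]) if op in (0x89, 0x31) else (REGS[reg], REGS[rm])
        return 2, f"{mnem} {dst}, {src}"
    if op == 0xEB:                                   # jmp rel8
        rel = buf[i + 1]
        rel = rel - 256 if rel > 127 else rel
        return 2, f"jmp short {i + 2 + rel:#x}"
    if op == 0xE8:                                   # call rel32
        disp = buf[i + 1:i + 5]
        if len(disp) != 4:
            raise IndexError("truncated displacement")
        rel = int.from_bytes(disp, "little", signed=True)
        return 5, f"call {i + 5 + rel:#x}"
    if op in SINGLE:
        return 1, SINGLE[op]
    raise ValueError(f"opcode {op:#04x} not in subset")


def linear_sweep(buf: bytes):
    """Disassemble from offset 0 to the end, treating every byte as code.
    Undecodable bytes are emitted as 'db', which is all a tool can do when
    nothing tells it that a region is data."""
    listing, i = [], 0
    while i < len(buf):
        try:
            n, text = decode_one(buf, i)
        except (ValueError, IndexError):
            n, text = 1, f"db {buf[i]:#04x}"
        listing.append((i, text))
        i += n
    return listing
```

Fed the bytes 55 8B EC 33 C0 C9 C3 the sweep prints a clean prologue, but the ASCII bytes of "Hello" placed after the ret come out as dec eax, db 0x65, insb, insb, outsd: nothing in the bytes themselves says the second group is a string, which is why real disassemblers need the user's hint (or a reference from code) to mark it as data.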
Loss of information
A great deal of information is lost when a program is compiled. For C code, local variable names are normally lost beyond recovery. If the compilation is done with debug options, function and variable names may be present in the image, but that symbol table can be removed by a process called stripping; better tools may or may not be able to recover some of it. The compiler discards every comment in the code. It is also impossible to tell apart code that was written in place by hand, code written as an inline function, and code written as a C preprocessor macro. In most cases the lexical scope of a function or variable cannot be determined either: if two files, file1.c and file2.c, are compiled and linked together, the boundary between the source files disappears at the linking stage.
(2) Decompilers
Decompilers, which are similar to disassemblers, turn exe code back into code in a high-level language. Often that language is C, because C is old and simple enough to make decompilation comparatively easy. Decompilation has its own weaknesses: much of the information is already lost at compilation, and decompilation cannot recover it. Decompilation technology is not mature yet, but the results can be called good.
Is decompilation possible?
In an age of good compilers it is fair to ask whether decompilation is still possible. The answer, for the most part, is yes. That said, a perfect, error-free decompiler does not exist to this day; current decompilers serve crackers only as an aid.
Decompilers
DCC Decompiler
DCC is the best at decompilation, but at present it only accepts small files.
http://www.itee.uq.edu.au/~cristina/dcc.html
Boomerang Decompiler Project
The Boomerang decompiler is being developed into a powerful decompiler; so far it can only decompile to C code.
http://boomerang.sourceforge.net
Reverse Engineering Compiler
REC is a powerful decompiler that turns assembly code into C-like code. Its output mixes C and assembly, which is easier to read than assembly alone.
http://www.backerstreet.com/rec/rec.htm
ExeToC
ExeToC is a decompiler with good results.
http://sourceforge.net/projects/exetoc
code-dump
code-dump is a PowerPC (PPC) Objective-C decompiler.
http://sourceforge.net/projects/code-dump
(3) Debuggers
Debuggers are a cracker's best friend: they let the user execute program code one step at a time and inspect all kinds of values and operations along the way.
Advanced debuggers usually include at least a basic disassembler, hex editing and re-assembling features. Debuggers let the user set breakpoints on instructions, function calls and memory locations.
Windows debuggers
OllyDbg
OllyDbg is a powerful Windows debugger with its own disassembly and assembly engines built in. It has a great many features, and it is free. It is extremely useful for patching, disassembling and debugging.
http://www.ollydbg.de/
SoftICE
SoftICE can be used for local kernel debugging, a very rare and valuable feature. SoftICE was withdrawn from the market in April 2006.
WinDBG
WinDBG is a free software component from Microsoft, usable for everything from user-mode debugging to remote kernel-mode debugging. It does not resemble the well-known Visual Studio debugger, but it does come with a GUI. It is released in 32-bit and 64-bit versions. Symbols have to be downloaded separately for each Windows version.
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
IDA Pro 6.6
Originally published by DataRescue (now by Hex-Rays), it runs on many processors and operating systems. It costs $1129, or $2350 with the decompilers.
https://www.hex-rays.com/products/ida/order.shtml
(4) Hex Editors
Hex editors are not famous tools in cracking, but they are very useful for viewing binary source files and editing them directly. They are also very handy for looking at file types such as png or jpg that debuggers, decompilers and disassemblers cannot display. There are many hex editors; the most widely used are listed here.
Windows hex editors
Cygnus Hex Editor FREE EDITION
A very fast and easy-to-use tool.
http://www.softcircuits.com/cygnus/fe/
WinHex
A tool built for editing files and disks, with advanced capabilities for computer forensics and data recovery. (It is also used in government and the military.)
http://www.x-ways.net/index-m.html
HexEdit
Very powerful; edits binary files and disks. The free version comes with source code, and there is a shareware version as well.
http://www.hexedit.com/
FlexHex
Fully supports NTFS files, which are more complex than FAT32 ones. FlexHex handles sparse files and the alternate data streams attached to files on any NTFS volume. It can also be used on OLE compound files, flash cards and other kinds of physical drive.
http://www.heaventools.com/flexhex-hex-editor.htm
(5) tjcm; tool rsm;
'Dacgif;pOfatmufrSmawmh tool wpfckcsif;taMumif;udk tao;pdwf aqG;aEG;awmhrSm r[kwfygbl;/
SysInternals Tools
SysInternals uxkwfwJh tool awGrSm taumif;qHk; utility awGyg0ifNyD; olwxkYd Jutrsm;pk[m
vHNk cHKa&;qdkif&muRrf;usifolawG? network administrator awGeJY cracker awGtwGuf tvGeftoHk;0ifvSyg
w,f/ txl;toHk;jyKoifw h Jh utility awGuawmh Process Monitor? FileMon? TCPView? RegMon eJY
Process Explorer wdkY jzpfygw,f/
API Monitors
API monitor tool awGuawmh process (od)kY y½d* k &rfwpfck[m Win32 API &JU b,f function
awGudk ac:oHk;aew,fqdkwmudk apmifhMunfhay;wmyg/ 'gawG[m cracker awGtwGuf tvGefta&;ygvSygw,f/
Rohitab &JU API Monitor? Vitaly Evseenko &JU API Spy32? www.nektra.com &JU Spy Studio wdu kY dk
toHk;jyKEdkifygw,f/ .net eJYa&;xm;wJh aqmhzf0JvfawGtvkyfvkyfyHkudk odcsif&ifawmh WinAPIOverride32
eJYajc&mcH&if taumif;qHk;&v'fudk ay;rSmjzpfygw,f/
tcef;(5) - Cracker wpfOD;twGuf vdktyfaom tool rsm; - 86 -

PE Tools
A PE scanner checks which programming language the exe program you want to debug was written in and which protectors it is protected with. In addition, some of these tools can also edit the PE header. PE tools include Lord PE, ProtectionID, PE Browse, PE Detective, PE Disassembler, PE Explorer, PE Insight, PE Optimizer, PE Rebuilder, PE Tools, PE Viewer, PEditor, PEiD, Stud PE, WPE and CFF Explorer. The most widely used are Lord PE, ProtectionID, PEiD and CFF Explorer. ProtectionID's database is updated every year, and the results ProtectionID reports are rarely wrong.

Figure (1) Scanning with ProtectionID

Keygenning Tools
If you write a keygen instead of patching the program, most of it has to be written yourself. If you do not want to write it from start to finish, you can easily produce a keygen program by putting your own code into a template that someone else has already made.
NFO Editors
NFO editors are used to create the .nfo files that are bundled together with patch or serial files. What is usually written in a .nfo file is the cracker's name, the serial number, the cracking team's name and the type of crack file.
Patch File Maker
Instead of handing the cracked files to users, crackers usually write patch files themselves so that the size stays small. Patch file makers modify specified offsets of a given program and modify specified keys of the Windows registry. The most widely used patch-making tools are uPPP and Diablo Universal Patcher (dUP). The templates that go with these tools can be downloaded free of charge from www.tuts4you.com and are also included on the DVD that comes with this book.
Figure (2) Sample patch file

Resource Editors
Resource editors are mainly used to modify text and images and to add new resources. The most widely used resource editors are Exe Scope, Resource Editor, Resource Hacker, Restorator, Window Hack and XN Resource Editor.

Figure (3) System properties modified with a resource editor

Compilers
Compilers are for solving cracking-related problems. The kind of compiler will differ depending on the programming language you prefer.
Dictionary Files
Dictionary files are for use when recovering passwords. The more words they contain, the easier it is to find the password.
Password Recovery Tools
Password recovery tools are very useful for recovering passwords. The well-known tools are Elcomsoft Password Recovery and Passware Kit Enterprise. Using these tools you can recover e-mail, internet, MS Word, MS Excel, MS Access, MS PowerPoint, Windows and other passwords.
Tools left out
In fact there are many tools that I have left out without explaining them in detail. They are SmartCheck and VB Decompiler, the tools used when decompiling Visual Basic programs; DeDe for Delphi programs; UnFox All for FoxPro programs; Java Decompiler and DJ Java Decompiler for Java programs; Sothink SWF Decompiler for Flash (SWF) files; MSI Unpacker for MSI files; and Crack.NET, DisSharp and RedGate .NET Reflector for .NET programs. How these tools are used will be explained when we reach the relevant chapters. Packers/unpackers will be discussed in the chapter "Packers (protectors)".
Chapter (6) - Introduction to Olly Debugger - 90 -

Chapter (6) - Introduction to Olly Debugger


In this chapter we are going to study OllyDbg, one of the cracking tools. For crackers, OllyDbg, written by Oleh Yuschuk, is the best user-mode debugger. It comes with a very powerful disassembler. Some beginners, when they try to start cracking, are found starting out with extremely complicated tools like NuMega SoftICE. Unless you are cracking important kernel-mode code, having OllyDbg alone is enough. OllyDbg's greatest strength is its set of features for analyzing code. For example, it does a fine job of examining a procedure's parameters and loops and of detecting constants, arrays and strings. Furthermore, a great many plugins are available free of charge. Features like these cannot be found in other debuggers of its kind. This debugger works with all processors of the 80x86 family and correctly decodes most of their instructions. In fact, I do not think it is an exaggeration to say that Olly has the best disassembly capabilities of all debuggers (except IDA Pro).
(1) Debugger Window
OllyDbg's most important window, the main window, is shown in Figure (1). It also contains a main menu and a toolbar. The main window holds four informational panes: the disassembler window (top left), the data window (bottom left), the registers window (top right) and the stack window (bottom right). There are other windows as well; the list of available windows can be seen in the View menu. Only some of these windows will be explained here; if you are interested in using the rest, study them on your own.

Figure (1)
(2) Disassembler Window

Figure (2)

The disassembler window has four columns: Address, Hex dump, Disassembly and Comment. Figure (2).
Address – the address column contains the virtual address of the command that is loaded into memory. If you double-click the column, the addresses are replaced by offsets counted from the current address ($, $-2, $+4, …).
Hex dump – in the code column you see the code as operand values. The column also provides various symbols to help you understand how the program works. For instance, the symbols mark where a command jumps to (>) and whether it jumps up or down (ˆ, ˇ). If you double-click this column, the address in the first column is shown with a red highlight. That means you have set a breakpoint at that command (address): you have told the program to pause when it reaches this place.
Disassembly – this column holds the assembly mnemonics for the command. Double-clicking a command opens a window for editing the assembly command, where you can modify the command as you like. The modified command is used in the debugging that follows. Moreover, the modified program text (code) can be turned into an executable module. For a cracker this is the greatest opportunity of all.
Comment – this column contains other information about the command. Here the program identifies the names of API functions and library functions. If you double-click this column, you can write whatever note you like as the comment of each line of assembly code.
(3) The Data Window
This window has three columns: Address, Hex dump and ASCII (Unicode). The second and third columns can change depending on how the data is interpreted. That is, when the text in the cells is converted to Unicode, the ASCII column takes the place of the Hex dump column and the Hex dump column disappears. Figure (3).

Figure (3)
(4) The Registers Window

Figure (4)

The registers window can show three groups of registers: general-purpose registers & FPU registers, general-purpose registers & MMX registers, and general-purpose registers & 3DNow! registers. Double-clicking lets you edit the corresponding register (except EIP). Clicking the arrows (<) switches the registers window between the groups. Figure (4).
(5) The Stack Window
The stack window shows what is on the stack. The first column (Address) shows the address of the cell in the stack. The second column (Value) shows the contents of the cell. The third column (Comment) holds any comment that can be made about the cell's value. Figure (5). It is very useful when cracking VB programs and Delphi programs.

Figure (5)
(6) Other Windows
When you start working with OllyDbg, keep the following in mind:
(a) Right-clicking in any window brings up the menu for that window. The menu differs depending on the window. I recommend studying these menus carefully.
(b) The contents of the windows depend on each other. For example, look at the registers. If you right-click one of the general-purpose registers, its contents can be interpreted as an address in the data area (Follow in Dump) or in the stack area (Follow in Stack).
(7) Debug Execution
Debugging means running a program in various modes and analyzing it. Here I want to explain the execution modes. Assume that the code to be executed has already been loaded into the debugger and the disassembler window is showing the assembly code. The most important modes for executing the program are:
(a) Step-by-step execution that skips over a procedure without entering it (in some programming languages a procedure is called a subroutine or a function) is called step over. Pressing F8 executes the current assembly command. By executing the commands in sequence you can see how the other three windows (Register, Data, Stack) change. The distinctive feature of this mode is that if the next command is a procedure call (CALL), all the commands that make up the procedure are automatically executed as if they were a single instruction. That is, the code inside the called procedure (CALL) is not examined line by line.
(b) Step-by-step execution that enters procedures is called step into. To execute in this mode, press F7. The difference from the previous mode is that when a CALL command is executed, all of the called instructions are executed in sequence. Instead of the methods just described (step over & step into), animation can be used. Use <Ctrl>+<F8> and <Ctrl>+<F7> for the respective modes. Once you press one of these keyboard shortcuts, the step over & step into commands are carried out one instruction after another with a short pause between them. Since the debugger window is refreshed after each instruction is executed, you can track the changes.
Pressing the <Esc> key at any time pauses execution. Likewise, execution stops when a breakpoint is encountered, and also when the program being debugged raises an exception.
Another method of step-by-step program execution is trace mode. Trace mode resembles animation, except that this time the debugger window is not refreshed at every step. The two tracing methods corresponding to step over and step into are started by pressing <Ctrl>+<F12> and <Ctrl>+<F11>. To stop tracing, use the same methods as for animation. After each command is executed, the information about its execution is copied into the main tracing buffer. This buffer can be viewed with the Run trace command in the View menu. If desired, the contents of the tracing buffer can be saved as a text file. Likewise, the point at which tracing should stop can be defined with conditions (set trace condition, <Ctrl>+<T>). Figure (6).

Figure (6)

Tracing is extremely important in serial fishing, because the Run Trace window lets you see how a serial is computed. If no condition is set, tracing continues from the current EIP up to the breakpoint you have set. You will have to take care not to trace through a huge amount of code.
The following conditions can be set for trace mode:
(a) the range of addresses at which to break;
(b) conditional expressions (such as EAX>100000); if the condition EAX>100000 holds, tracing stops;
(c) the number of certain commands after which tracing stops.
It is also possible to tell the debugger to execute code only until the procedure reaches its return (execute till return). In other words, only the code of the current procedure is executed. The <Ctrl>+<F9> key is used for this. Finally, if while tracing you end up somewhere and feel you have strayed too deep and want to get back out, you can leave with the execute till user code command, or use the <Alt>+<F9> key.
(8) Breakpoints
A breakpoint is a truly powerful debugging tool. Breakpoints let you understand as clearly as possible how the program works. They capture the state of the registers, stack and data at a given moment.
(8.1) Ordinary Breakpoints
Ordinary breakpoints are set on the selected commands, either by pressing the <F2> key or by double-clicking in the (Hex dump) window. The result is that the address in the first column turns red. You can then examine the state of the registers, variables and stack. Pressing <F2> again removes the breakpoint. This kind of breakpoint is most often used when watching Windows API functions.
(8.2) Conditional Breakpoints
Conditional breakpoints are set by pressing <Shift>+<F2>. Pressing the <Shift>+<F2> key combination brings up a combo box as shown in Figure (7). You can enter any condition you like into the combo box. If that condition is true, execution of the commands stops. The debugger even understands complicated expressions containing many conditions. Here are some examples:

Figure (7)

(a) EAX == 1 – this orders the debugger to stop execution if the EAX register is one.
(b) EAX = 0 and ECX > 10 – this orders the debugger to stop if the EAX register is zero and the ECX register is greater than ten.
(c) [STRING 427010] == 'Error' – this orders the debugger to stop execution if the text 'Error' is found at virtual address (VA) 427010h. It can also be written as EAX == 'Error'; in that case whatever EAX holds is treated as a pointer and converted to a string.
(d) [427070] = 1231 – this sets the breakpoint if the contents of VA 427070h equal 1231h.
(e) [[427070]] = 1231 – this uses the address indirectly. That is, VA 427070h contains another VA, and the breakpoint fires when the contents of that second VA equal 1231h.
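As an added example (not from the book and not OllyDbg's own code), the following Python models how the conditions listed above are evaluated: bare numbers are read as hex, [addr] dereferences a 32-bit value and nests for [[addr]], [STRING addr] reads text, and comparing a register against quoted text treats the register as a pointer to a string. The register values, the memory image mapped at 427000h and the small grammar are constructed assumptions.

```python
import operator
import re
import struct

# Token kinds, tried in this order: brackets and operators, the 'and' keyword,
# the 32-bit register names, a quoted string, then a hexadecimal literal.
TOKEN = re.compile(r"(\[STRING\b|\[|\]|==|!=|=|>|<|and\b|E[ABCD]X|E[SD]I|E[BS]P|EIP"
                   r"|'[^']*'|[0-9A-Fa-f]+)", re.I)
COMPARE = {"==": operator.eq, "=": operator.eq, "!=": operator.ne,
           ">": operator.gt, "<": operator.lt}


class Cpu:
    """Snapshot of the debuggee: register values plus a few mapped memory ranges."""

    def __init__(self, regs, memory):
        self.regs = {name.upper(): value for name, value in regs.items()}
        self.memory = memory  # {base address: bytes}

    def read(self, addr, size):
        for base, blob in self.memory.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise ValueError(f"unmapped address {addr:#x}")

    def dword(self, addr):  # [addr]: the 32-bit little-endian value at addr
        return struct.unpack("<I", self.read(addr, 4))[0]

    def string(self, addr, limit=256):  # [STRING addr]: NUL-terminated text at addr
        out = bytearray()
        while len(out) < limit and (b := self.read(addr + len(out), 1)) != b"\x00":
            out += b
        return out.decode("latin-1")


def tokenize(cond):
    tokens, rest = [], cond.strip()
    while rest:
        m = TOKEN.match(rest)
        if not m:
            raise ValueError(f"cannot read condition near {rest[:12]!r}")
        tokens.append(m.group(1))
        rest = rest[m.end():].lstrip()
    return tokens


class Parser:
    """Recursive descent: condition := comparison ('and' comparison)*."""

    def __init__(self, tokens, cpu):
        self.tokens, self.cpu = list(tokens), cpu

    def next(self):
        return self.tokens.pop(0) if self.tokens else None

    def expression(self):
        result = self.comparison()
        while self.tokens and self.tokens[0].lower() == "and":
            self.tokens.pop(0)
            rhs = self.comparison()  # always parsed, so its tokens are consumed
            result = result and rhs
        if self.tokens:
            raise ValueError(f"unexpected trailing tokens {self.tokens}")
        return result

    def comparison(self):
        left, op = self.term(), self.next()
        if op not in COMPARE:
            raise ValueError(f"unknown operator {op!r}")
        right = self.term()
        if isinstance(left, str) or isinstance(right, str):
            # Text on either side makes a number on the other side a pointer
            # that is read as a string (the page's EAX == 'Error' case).
            left, right = (v if isinstance(v, str) else self.cpu.string(v) for v in (left, right))
        return COMPARE[op](left, right)

    def term(self):
        tok = self.next()
        if tok is None:
            raise ValueError("unexpected end of condition")
        if tok.upper() in ("[", "[STRING"):  # [addr] -> dword, [STRING addr] -> text
            addr = self.term()               # recursion handles [[addr]]
            if self.next() != "]":
                raise ValueError("expected ']'")
            return self.cpu.dword(addr) if tok == "[" else self.cpu.string(addr)
        if tok.startswith("'"):
            return tok[1:-1]
        if tok.upper() in self.cpu.regs:
            return self.cpu.regs[tok.upper()]
        return int(tok, 16)  # OllyDbg reads bare numbers as hex: 1231 means 1231h


def evaluate(cond, cpu):
    """True when the breakpoint condition holds for the given CPU snapshot."""
    return Parser(tokenize(cond), cpu).expression()


# Constructed snapshot: 'Error' at 427010h, a pointer at 427070h to a cell at
# 427080h holding 1231h, and EDX pointing at the string.
_image = bytearray(0x90)
_image[0x10:0x16] = b"Error\x00"
_image[0x70:0x74] = struct.pack("<I", 0x427080)
_image[0x80:0x84] = struct.pack("<I", 0x1231)
SAMPLE = Cpu({"EAX": 1, "ECX": 0x11, "EDX": 0x427010}, {0x427000: bytes(_image)})
```

With the constructed snapshot, [427070] = 1231 is false (the cell holds the pointer 427080h) while [[427070]] = 1231 is true, which is exactly the difference between cases (d) and (e).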
(8.3) Conditional Breakpoints with a Log
This is simply an extension of conditional breakpoints. To set a conditional logging breakpoint, press <Shift>+<F4>. Whenever such a breakpoint is hit, the event is recorded in the log. To look at the log contents, press <Alt>+<L> or use the Log command in the View menu. Figure (8).

Figure (8)
(8.4) Breakpoints on Windows Messages
Because messages arrive at a window function (more precisely, at a window class function), the application window must already be open before a breakpoint can be set on a particular Windows message. In other words, windowing applications must first be started. To keep things simple, load a simple application with a single window into the debugger. Press <Ctrl>+<F8> to start the application; its window comes to life after about a second. Be careful, since a part of the program is now being executed continuously. To get to the window function, you need to call up the list of windows the application has created. This is done with Windows in the View menu. Figure (9).

Figure (9)
The window shown in Figure (9) lets the investigator find the window descriptor, its name, its identifier and, most importantly, the address of the window procedure (ClsProc). The information about the window procedure's address lets the investigator find the window functions and set both ordinary and conditional breakpoints there. In any case, when working with window functions it is best to set breakpoints where the window messages are. So click the window shown in Figure (9) and choose Message breakpoint on ClassProc from the context menu. Another window appears in which the following breakpoint parameters can be set. Figure (10).

Figure (10)
(a) Choose the message from the drop-down list. Note the following:
(1) Instead of a message you can also choose an event. An event can stand for many messages at once, such as the creation/destruction of a window or keyboard events.
(2) You can also choose user-defined messages.
(b) List the windows to trace, so that you can determine which messages come from which of them. The choices are a given window, all windows with a given title, or all windows.
(c) Set a counter so that you know how many times the breakpoint has fired.
(d) Specify whether program execution should stop or not when the breakpoint fires.
(e) Specify how the record should be written to the log when the breakpoint fires.
(8.5) Breakpoints on Import Functions
If you want the list of names imported into the module being debugged, press <Ctrl>+<N>. Figure (11). Then, by right-clicking in the window, you can do the following:
(a) Set a breakpoint at the point where the imported function is called (Toggle breakpoint on import).
(b) Set a conditional breakpoint where the imported function is called (Conditional breakpoint on import).
(c) Set a conditional breakpoint with logging where the imported function is called (Conditional log breakpoint on import).
(d) Set a breakpoint at every reference related to the given name (Set breakpoint on every reference). {This command is like Find references to import (Enter key); the difference is that with Find references to import you have to select the breakpoints yourself, only where you want them.}
(e) Set a logging breakpoint at every reference related to the given name (Set log breakpoint on every reference).
(f) Remove all breakpoints (Remove all breakpoints).

Figure (11)
(8.6) Breakpoints on a Memory Area
The OllyDbg debugger allows only a single breakpoint to be set on a memory area. To do this, make a selection in the disassembler window (or the data window), then choose the Breakpoint | Memory on access (or Breakpoint | Memory on write) command from the context menu.

Figure (12)

After that the breakpoint you just set is ready to use. The first kind of breakpoint (on access) is possible for both code and data, whereas the second kind (on write) is possible only for code. Breakpoints are removed by choosing Breakpoint | Remove memory breakpoint from the context menu. Figure (12).
(8.7) Breakpoints in the Memory Window
The Memory window (Alt + M) shows the memory blocks reserved for the program being debugged, or reserved by the debugged program itself in its own way. Only a single breakpoint can be set in this window. To do so, right-click and choose Set memory breakpoint on access (or Set memory breakpoint on write). To remove the breakpoint, choose Remove memory breakpoint.
(8.8) Hardware Breakpoints
Ordinary breakpoints use the INT 3 interrupt vector, and using them slows the program down when it runs. Intel Pentium microprocessors, however, provide four debug registers (DR0-DR3). These registers can hold four breakpoints, as virtual addresses within the current program. When the address used by a command matches the address in one of these registers, the processor raises an exception that is handled in the debugger. Hardware breakpoints do not slow down the execution of the program being debugged; however, there are only four of them. To set a hardware breakpoint, go to the disassembler window and choose the Breakpoint | Hardware on execution command from the context menu. Alternatively, you can use the Breakpoint | Hardware on access (or Breakpoint | Hardware on write) command from the main menu. To delete hardware breakpoints, use the Breakpoint | Remove hardware breakpoints command from the context menu. Figure (13).

Figure (13)
(9) Other capabilities
(9.1) Watch expressions Window
OllyDbg provides a special window for watching expressions. Recall that expressions came up when conditional breakpoints were explained. Complex expressions involving memory cells and registers can be used, and they can be made as complex as needed. To open the Watch expressions window, use the View | Watches command. When the Watch expressions window opens, right-click and choose the Add Watches command. Then you can enter an expression for the debugger to watch; in other words, it displays the expression's HEX value. Figure (14) shows a Watch expressions window with four expressions; their values are watched and displayed as each processor command is executed.

Figure (14)
Searching for information
In OllyDbg you can search for whatever information you like (ASCII, UNICODE, HEX) by pressing <Ctrl>+<B>. Figure (15). To search for a single command use <Ctrl>+<F>; to search for a sequence of commands use <Ctrl>+<S>. <Ctrl>+<L> (Next) repeats the last search.

Figure (15)
Modifying and saving an executable module
In OllyDbg the code we have modified can be saved as a new executable program. To do this, just choose the Copy to execution | Selection (or Copy to execution | All modifications) command, then save the result wherever you like under a new file name of your choice.
Chapter (7) – Introduction to IDA Pro Advanced 5.2 - 101 -

Chapter (7) - Introduction to IDA Pro Advanced 5.2


IDA Pro is one of the best tools for examining exe code. The Olly debugger studied in the previous chapter is easy for users to work with, but its limitation is that it can only examine PE code. IDA Pro can examine DOS, Windows, Unix, Macintosh, Java, .NET and console programs as well as programs written for other operating systems, including programs written for Palm OS and mobile operating systems. Unlike Olly, IDA does not draw conclusions or make assumptions about the code, so you will have to study the code yourself without a teacher's help, and you will have to adjust the necessary parameters yourself as well. The programming language built into IDA is structurally the same in concept as C, which will be helpful for you. At the time of writing, IDA Pro 6.8 has already been released, but the lessons will use only IDA Pro 5.2.
IDA is short for Interactive DisAssembler. If you look at IDA's About window, you will see a small picture of Augusta Ada Byron, the first woman programmer. The first thing to know is that the IDA package contains two programs, idaw.exe (console) and idag.exe (GUI). The explanation here will focus mainly on the idag.exe (GUI) variant.
(1) About virtual memory
If you open an exe module in IDA, two files are created in the directory where that file resides. These two files are auxiliary virtual memory files with the extensions ID0 and ID1, which IDA Pro uses to store intermediate data. If you close the current exe file, or open another one, these two files disappear. They have the same name as the exe module, and the file with the .ID1 extension is used to load the image of the exe module. This image is identical to the image loaded into the 32-bit flat memory model of the Windows OS, which is what allows the part being examined to coincide with the module the OS executes. It is this point that makes IDA a unique debugger. For each address the file stores 32 bits: an 8-bit cell corresponds to the given address, and a 24-bit attribute defines the properties of that cell. In particular, this attribute can mark a given memory cell as belonging to an instruction or as data. In addition, the attribute can mark other objects such as comments, cross-references and labels in a string.
The mechanism IDA Pro uses to work with virtual memory is the same as the one the Windows OS uses. When a particular cell is accessed, the whole page containing that cell is brought into the primary memory (buffer). If a memory cell is modified, the whole virtual memory page has to be written back. IDA Pro keeps part of the memory pages in RAM, and modified cells are flushed to disk from time to time. When a page needs to be loaded and the page buffer is full, IDA Pro searches the buffer for the first modified page, flushes it to disk, and then loads the required page into the freed slot.
Besides storing the image of the module being loaded, IDA Pro needs memory for information such as labels, function names and comments. This information is stored in the file with the .ID0 extension. In the official documentation this memory is referred to as the memory for the btree.
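As an added illustration (not IDA's code and not from the book), this Python toy models the cell layout and page buffer just described: each address is a 32-bit word made of an 8-bit byte and a 24-bit attribute, pages are brought into a fixed-size buffer on access, and when the buffer is full the first modified page is written back before the required page is loaded. The page size of 16 cells, the two-page buffer, the attribute bit positions and the rule for a buffer with no modified page are assumptions.

```python
PAGE_SIZE = 16      # cells per page (constructed value; the text gives no size)
BUFFER_PAGES = 2    # pages kept in RAM at once (constructed value)

# Attribute bits stored in the 24-bit field above the byte (constructed layout).
FL_CODE, FL_DATA, FL_COMMENT, FL_XREF, FL_LABEL = 1 << 0, 1 << 1, 1 << 2, 1 << 3, 1 << 4


def pack_cell(byte, attr):
    """One address = 32 bits: an 8-bit byte value plus a 24-bit attribute."""
    if not (0 <= byte < 0x100 and 0 <= attr < 0x1000000):
        raise ValueError("byte must fit in 8 bits and attr in 24 bits")
    return byte | (attr << 8)


def unpack_cell(cell):
    return cell & 0xFF, cell >> 8


class VirtualMemory:
    """Page buffer over a cell store; `disk` stands in for the .ID1 file."""

    def __init__(self, disk=None):
        self.disk = {} if disk is None else disk   # page number -> list of cells
        self.buffer = {}                            # page number -> [cells, dirty]
        self.loads = self.writebacks = 0

    def _page(self, addr):
        number = addr // PAGE_SIZE
        if number not in self.buffer:
            if len(self.buffer) >= BUFFER_PAGES:
                self._evict()
            cells = self.disk.get(number, [0] * PAGE_SIZE)
            self.buffer[number] = [list(cells), False]
            self.loads += 1
        return self.buffer[number]

    def _evict(self):
        # As described above: find the first modified page, flush it, reuse its slot.
        for number, (cells, dirty) in self.buffer.items():
            if dirty:
                self.disk[number] = list(cells)
                self.writebacks += 1
                del self.buffer[number]
                return
        # No modified page: drop the oldest clean one (assumption, not stated in the text).
        del self.buffer[next(iter(self.buffer))]

    def read(self, addr):
        cells, _ = self._page(addr)
        return unpack_cell(cells[addr % PAGE_SIZE])

    def write(self, addr, byte=None, attr=None):
        """Update the byte and/or attribute of one cell and mark its page modified."""
        entry = self._page(addr)
        old_byte, old_attr = unpack_cell(entry[0][addr % PAGE_SIZE])
        entry[0][addr % PAGE_SIZE] = pack_cell(
            old_byte if byte is None else byte, old_attr if attr is None else attr)
        entry[1] = True


def demo():
    """Load a constructed 20-byte image, retag one cell, then force two evictions."""
    vm = VirtualMemory()
    base, image = 0x10, bytes(range(0x90, 0xA4))      # spans pages 1 and 2
    for offset, value in enumerate(image):
        vm.write(base + offset, byte=value, attr=FL_DATA)
    vm.write(base, attr=FL_CODE | FL_LABEL)           # byte kept, flags changed
    vm.read(0x30)          # page 3: buffer full, modified page 1 is written back
    byte, attr = vm.read(base)   # page 1 comes back from "disk" after page 2 is flushed
    return {"byte": byte, "attr": attr, "loads": vm.loads, "writebacks": vm.writebacks}
```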
(2) The program's GUI

When you open an exe program in IDA, you will see what is shown in Figure (1). Once the opened program has been analyzed, the text "The initial autoanalysis is finished" appears in the left corner of the program.
In IDA Pro's main window you will find many tabs. Normally there are eight tabs, but there can be more. If you want to add new tabs, choose Open subviews from the Views menu. IDA View and Hex View can be duplicated further, so you can look at the code and data sections in different windows. As more windows are added they become IDA View-A, IDA View-B, IDA View-C and so on.
The most important window is IDA View, because it is the window that shows the results obtained from analyzing the exe code. Figure (1).

Figure (1)
When working with the IDA Pro debugger, do not forget that there are three main ways to operate the program: menu commands, toolbar buttons and hotkeys. Not every IDA action has a hotkey, but the most commonly used ones do. For example, if some data block looks suspicious to you, you can press the C key (short for code) to turn it into code. Conversely, if some block of assembly commands does not seem to make sense, you can press the D key (short for data) to turn it into data.
IDA Pro uses the following configuration files:
ida.cfg – the general configuration file.
idatui.cfg – the configuration file for the console program.
idagui.cfg – the configuration file for the GUI program.
The configuration files must be in the CFG subdirectory of the IDA main directory.
(3) Loading exe code
If you open an exe module in IDA, you will see what is shown in Figure (2). Using this window you can change the loading process and the initial analysis. The window offers many configuration settings, which are explained later. In most cases IDA suggests the most suitable settings and the user does not need to change anything; you only need to press the OK button. The following options are used only occasionally, but they are summarized here.
- Load file (directory/name) as – here the program file you opened is matched against the list of file formats (PE or ELF) known to the current version of IDA, and the possible candidates are listed. The other options seen in this window change depending on the type of program you open. For example, suppose you want to disassemble the MS-DOS stub of a PE module. To do that, choose the MS-DOS executable option from the list. If you want to change the processor type, you can do so with the Set button.

Figure (2)

I would like to add that when examining modules, IDA picks the most suitable option and compiles the list of choices for you. Here IDA can interpret a PE module as a regular PE module, as an MS-DOS program, or as a binary file. If you open a .NET program, or a Linux program, the list shown will be different.
- Processor type – a drop-down list that lets you choose the type of processor for which the selected module was compiled.
- Loading segment & Loading offset – these let the module be loaded into a segment at a specified offset. This is useful for MS-DOS modules and for binary files. These parameters are not used for PE modules.
- Enabled – a flag in the Analysis group; it can be unchecked to skip the initial analysis of the code. If it is selected, analysis starts as soon as the file is loaded.
- Indicator enabled – sets whether the progress of the analysis process is indicated.
- Create segments – not used for PE modules. If this flag is used, IDA creates the necessary segments.
- Load resources – if this flag is set, the resources of the PE module are loaded. For binary modules this flag is called Load as code segment and is used, for example, for .com programs. Figure (3).

Figure (3)
- Rename DLL entries – if this flag is not set, IDA adds extra comments for functions imported by ordinal. Otherwise the disassembler renames those functions.
- Manual load – if this flag is selected, the disassembler consults the user at every step of the loading process.
- Fill segment gaps – a flag that matters only for NE modules; it instructs the disassembler to fill the space between segments, so that one large segment is created.
- Make imports segment – when this flag is set, the disassembler is told to interpret only the .idata section, which holds the import information.
tcef;(7) – IDA Pro Advanced 5.2 rdwfquf - 105 -

- Don't align segments – Segment awGudk n§zd kYd disassembler udkcdkif;ygw,f/ pdppfpOf;pm;wkef;
tqifhrSmawmh 'D flag udk module awGtwGuftoHk;jyKjcif; r&Sdygbl;/
- Kernel options1 – Flag awGejJY ywJh 'D window uawmh oHk;pGJoludk exe uk'fawG analyze vkyfwJhtcgrSm
ESpfouf&mudka&G;cs,fEdkifzkY d jyoygw,f/
Create offsets and segments using fixup info udk toHk;jyKjcif;jzifh oifhtaeeJY uk'f analysis
jzpfpOfxJu relocations table uae tcsuftvufawGudk toHk;jyKzdkY disassembler udk cdkif;Edkif
ygw,f/
Mark typical code sequence as code uawmh analysis jzpfpOfxJu yHkrSefy½dq k ufqm
command sequence udktoHk;jyKzdkY disassembler udkckdif;ygw,f/
Delete instructions with no xrefs uawmh cross-reference vHk;0r&SdwJh y½dq k ufqm
instruction awGudk vspfvsL½Icdkif;ygw,f/
Trace execution flow uawmh trace vkdufzc kYd GifhjyKygw,f/ 'grSom oifhtaeeJY y½dq k ufqm
instruction awGudk &SmawGUEdkifrSmjzpfygw,f/
Create functions if call is present uawmh call awGeJY function awGudk rSwfxm;apzdkY
disassembler udkcdkif;ygw,f/
Analyze and create all xrefs uawmh t"duxm;a&G;cs,f&r,fht&mwpfckjzpfNyD; analysis xJu
cross-reference awGudk disassembler tm;toHk;jyKapygw,f/
Use FLIRT signatures uawmh signature awGtoHk;jyKNyD; library function awGudk rSwfrdapzdkY
twGuf Fast Library Identification and Recognition Technology (FLIRT) udktoHk;jyKapzdkY
disassembler udkckdif;ygw,f/
Create function if data xref data → code32 exists uawmh a'wm{&d,mxJrSm&SdwJh uk'ef JY
ywfoufwJh reference awGudk ppfaq;zdkY disassembler udkcdkif;ygw,f/
Rename jump function as j_ uawmh j_somewhere vdk jmp somewhere command
rQomygwJh ½d;k &Sif;vSwJh function awGudk trnfay;zdkjY zpfygw,f/
Rename empty function as nullsub_ uawmh nullsub_ vdk RET command wpfckygwJh
function awGudk trnfay;zdkYjzpfygw,f/
Create stack variables uawmh function awG&JU local variable awGeJY parameter awGudk zefwD;
(t"dyÜm,fzGifh)zdkjY zpfygw,f/
Trace stack pointer uawmh ESP register &JUwefzdk;udk trace vkdufzkYjd zpfygw,f/
Create ASCII string if data xref exists uawmh ASCII string tjzpf reference vkyfxm;wJh
data item udk olU&JUt&G,ftpm;[m wduswJhwefzdk;wpfckxufausmfvGefjcif;&Sd^r&Sd pOf;pm;EdkifzdkY jzpfyg
w,f/
Convert 32-bit instruction operand to offset uawmh address wpfckvdk y½dq k ufqm
instruction xJu wdku½ f dkuf data item wpfckudkpOf;pm;EdkifzdkY disassembler udck kdif;apNyD; BudKwifowf
rSwfxm;wJh interval xJudk olU&JUwefzdk;a&mufoGm;apygw,f/
Create offset if data xref to seg32 exists uawmh address awGvdk a'wm{&d,mxJrSm
odrf;qnf;xm;wJhwefzdk;awGudk pOf;pm;zdkY disassembler udkckdif;apNyD; BudKwifowfrSwfxm;wJh interval
xJudk olU&JUwefzdk;a&mufoGm;apygw,f/
make final analysis pass uawmh analysis vkyfwJhaemufqHk;tqifhudk vkyfaqmifNyD;csdefrSm
rpHk;prf;EdkifwJh byte awGtm;vHk;udk a'wm (od)kY instruction awGtjzpf ajymif;vJzkY d disassembler
udkcdkif;ygw,f/
– Kernel options2 – aemufxyf flag awGejJY ywJh 'D window uawmh oHk;pGJoludk exe uk'fawG analyze
vkyfwJhtcgrSm ESpfouf&mudka&G;cs,fEdkifzkY d jyoygw,f/
Locate and create jump tables udk jump table &JUt&G,ftpm;eJY address taMumif;
aumufcsufcsEdkifzdkY disassembler udkcdkif;ygw,f/
wu,fvkYd Coagulate data in the final pass flag udyk dwfxm;r,fqdk&if analysis &JU aemufqHk;
tqifhrSm code segment &JU byte awGudkom ajymif;vJay;rSmjzpfygw,f/ (Make final analysis
pass flag udkMunfhyg/)
Automatically hide library function uawmh FLIRT udktoHk;jyKNyD; pHkprf;xm;wJh library
function awGudk azsmufxm; (collapse) zdt kY wGufoHk;ygw,f/
Propagate stack argument information uawmh aemufxyf call awG&SdvmcJh&if (tjcm;
function rSac:oHk;aom function wpfckuJho)kYd call &JU stack parameter eJYywfoufwJh tcsuf
tvufawGudk odrf;qnf;zdkY disassembler udkcdkif;ygw,f/
Propagate register argument information uawmh aemufxyf call awG&SdvmcJh&if (tjcm;
function rSac:oHk;aom function rsm;uJho)kYd call &JU register parameter eJy Y wfoufwJh tcsuf
tvufawGudk odrf;qnf;zdkY disassembler udkcdkif;ygw,f/
Check for Unicode strings uawmh Unicode string awG&Sd^r&Sd y½d* k &rfudk ppfaq;EdkifzkYd
jzpfygw,f/
Comment anonymous library functions uawmh wduswJh library function wpfckudk pHkprf;
&&SdwJhtcg library trnfeJY signature awGudktoHk;jyKNyD; trnfrod library function awGudk trSwf
tom;vkyfxm;zdkY disassembler udkcdkif;ygw,f/
Multiple copy library function recognition uawmh y½d*k &rfwGif;rSm&SdwJh wlnDwJh function &JU
copy tajrmuftrsm;udk rSwfxm;apzdkjY zpfygw,f/
Create function tails uawmh function tails udk&SmazGay;zdjkY zpfNyD; 'gawGudk function t"dyÜm,f
zGifhqdkcsufrSm vmaygif;rSmjzpfygw,f/
– Processor options – 'guawmh flag awGa&G;cs,fEdkifwJh window udkac:oHk;wJh button wpfckjzpfygw,f/
Convert immediate operand of "push" to offset uawmh PUSH command xJrSm&SdwJh
wdku½f dkuf operand udk offset wpfck (address wpfck)tjzpf ajymif;vJay;EdkifpGrf;udk nTefjyygw,f/
Convert db 90h after "jmp" to "nop" uawmh JMP command aemufu uyfygvmwJh 90H
byte awGudk NOP command awGtjzpf bmomjyefay;zdjkY zpfygw,f/
Convert immediate operand of "mov reg, …" to offset uawmh MOV reg, …
command (reg uawmh register udkqdkvdkwmyg/) xJrSm&SdwJh wdku½f dkuf operand udk offset wpfck
(address wpfck)tjzpf ajymif;vJay;EdkifpGrf;udk nTefjyygw,f/
Convert immediate operand of "mov memory, …" to offset uawmh MOV mem, …
command xJrSm&SdwJh wdkuf½u dk f operand udk offset wpfck (address wpfck)tjzpf ajymif;vJay;Edkif
pGrf;udk nTefjyygw,f/
Disassemble zero opcode instructions uawmh atmufyg instruction (00 00: ADD
[EAX], AL) udk disassemble vkyfcdkif;ygw,f/ yHkrSefqdk&ifawmh olUudk ra&G;cs,fygbl;/ yHk(4)/
Advanced analysis of Borland's RTTI (RTTI qdkwmuawmh run-time type information
udk ajymwmyg/)uawmh IDA Pro udk RTTI structure awGudk ppfaq;zdkYeJY zefwD;zdkYcdkif;ygw,f/
Check "unknown_libname" for Borland's RTTI uawmh RTTI structure awG&SdwJhtcg
unknown_libname trSwftom;eJt Y rnfawGudk ppfaq;zdckY dkif;wmjzpfygw,f/
Advanced analysis of catch/finally block after function uawmh catch/finally pwJh
exception processing block awGudk&Smcdkif;wmjzpfygw,f/

yHk(4)
Allow references with different segment bases uawmh owfrSwfxm;wJh address u
odrf;qnf;xm;wJhwefzdk;[m character wpfvHk;r[kwfcJh&ifawmif character awGeq JY dkifwJh reference
awGudkowfrSwfcdkif;ygw,f/ (character uk'fwpfcktjzpf razmfjycdkif;wmjzpfygw,f/)
Don't display redundant instruction prefixes uawmh listing udk zwf&I&wm tqifajyapzdkY
command prefix tcsdKUudk azsmufxm;zdjkY zpfygw,f/
Interpret int 20 as VxDcall uawmh INT 20H udk VxDcall/jump tjzpf bmomjyefcdkif;wm
jzpfygw,f/
Enable FPU emulation instructions uawmh INT 3H wdv kY dk command awGudk arithmetic
coprocessor command awG&JU emulation awGtjzpf bmomjyefapzdjkY zpfygw,f/
Explicit RIP-addressing udk owfrSwfr,fqdk&ifawmh y½d*k &rfrSm relative instruction pointer
(RIP) addressing udkoHk;r,fvkYd ,lqrSmjzpfygw,f/ 'D flag ukdawmh 64-bit y½dq k ufqmawGtwGuf
qkd&if a&G;cs,fay;xm;&rSmjzpfygw,f/
– System DLL directory – oluawmh IDA Pro u&Sm&r,fh DLL zdkifawG&Sd&m directory udk owfrSwf
wmjzpfygw,f/ oufqdkif&m library awGeJq Y dkifwJh .ids zdkifawGuawmh cRif;csufjzpfygw,f/
(4) Disassembler Window
IDA Pro rSmawmh tvkyfawmfawmfrsm;rsm;udk disassembler window xJrSm vkyfaqmifMuwm jzpfyg
w,f/ 'gaMumifh 'D window taMumif;udk tao;pdwfodzv kY d dkygw,f/ 'Dae&mrSm axmufjycsifwmu
awmh 'D disassembler &JU developer awG[m disassemble vkyfxm;wJh function eJY olUudk&SmazGwJh
enf;vrf;awGudk azmfjyEdkifzdkY tav;teufxm; pOf;pm;cJhw,fqdkwJhtcsufjzpfygw,f/
Hiding functions – Disassembler window rSm function awGudk tusOf;csHK;yHkpH (hide) (od)kY
tus,fcsJUyHkpH (unhide) wdkYejJY yEdik fygw,f/ tusOf;csHK;yHkpHrSmawmh function udk pmaMumif;wpfaMumif;
wnf;eJY jywmyg/ 'DtoHk;0ifwJht*Fg&yfu oifhudk disassemble vkyfxm;wJhuk'fawGudk vG,fulpGmzwf&I
apEdkifzkYd taxmuftul jzpfaprSmyg/ Function awGudk tusOf;csHK;^tus,fcsJUzdkY numeric keypad u
(+)/(-) key awGudk toHk;jyK&ygr,f/ 'grSr[kwf&ifawmh View menu u Hide/Unhide udk a&G;Edkif
ygw,f/
Indicating functions – yHk(5)uawmh disassembler window udkjywmjzpfygw,f/ 'D window &JU
b,fzuftusqHk;tydkif;udk owdxm;NyD;Munfhyg/ 'Dtydkif;uawmh listing udkMunf&h I&SmazG&mrSm ½d;k &Sif;
apzdkYjzpfygw,f/ Command awGudk tpufuav;awGejJY yxm;ygw,f/ wu,fvkY d pmaMumif;rSm
tpufwpfpufryg&ifawmh rSwfcsufwpfckyg0ifwJh string vdkY t"dyÜm,f&ygw,f/ wu,fvkY d oHk;pGJolu
'Dtpufae&mrSm mouse eJYESdyfvdkufr,fqdk&ifawmh IDA Pro u 'D address ae&mrSm breakpoint
owfrSwfygw,f/ Jump awGudkawmh tpuf(od)kY wpfqufwnf;rsOf;aMumif;awGeJY jyygw,f/ wpfquf
wnf;rsOf;awGuawmh unconditional jump (JMP) awGudknTef;wmjzpfNyD; tpufawGeJY rsOf;awGuawmh
conditional jump (JE, JNZ) awGudkqdkvdkwmjzpfygw,f/

yHk(5)
Using Special Comments – y½d* k &rfwpfcktwGif;u address awGrSm b,f jump awGudk
(conditional jump ESifh unconditional jump odrkY [kwf CALL command) vkyfaqmifw,f?
nTef;w,fqdkwJh txl;rSwfcsufawG yg0ifygw,f/ wu,fvkY d reference u owfrSwfxm;wJh address
qD jump vkyfw,fvkYd t"dyÜm,f&&if rSwfcsufawG[m CODE XREF eJpY avh&Sdygw,f/ wu,fvkY d 'D
command [m a'wmtjzpf reference vkyfcHxm;&w,fqdk&ifawmh (Oyrm –MOV EAX, OFFSET
L1) DATA XREF eJp Y ygw,f/ 'DrSwfcsufawGudkawmh cross-reference awGvkdUac:NyD; cross-
reference trSwftom;aemufrSm colon vdkufygw,f/ olUaemufu address awGuawmh 'D reference
awGpjzpf&m function (od)kY section &JUtpudkjywmjzpfygw,f/ 'D address ukd mouse eJY ESdyfjcif;
tm;jzifh owfrSwfxm;wJh instruction &Sd&mudknTef;wJh uk'ftydkif;tpudk pop-up window taeeJY
ac:,lEdkifygw,f/ Address rSmawmh <↑><↓> tu©&mawGyg0ifrSmjzpfNyD; 'D instruction udk reference
vkyf&m uk'f&SdwJhpmaMumif;udk owfrSwfygw,f/ Reference pwifwJh pmaMumif;&Sd&mudk wef;oGm;csif
w,fqdk&ifawmh address ae&mrSm double-click ESdyfNyD;oGm;vd&kY ygw,f/ owfrSwfxm;wJh pmaMumif;
twGuf reference ta&twGuf[m 4ckxufenf;aer,fqdk&if olwu kY d dk pm&if;om jyKpkygw,f/ 'DvdkrS
r[kwf&ifawmh reference awGudk tpufawGejJY yrSmjzpfygw,f/ wu,fvkY d 'D address awGxJu
wpfckudk right-click ESdyNf yD; Jump to cross reference udka&G;vdkuf&if vdktyfwJh item &Sd&mudk
wef;oGm;Edkifygw,f/ yHk(6)/ 'gNyD;&ifawmh yHk(7)twdkif; address awGtm;vHk; pm&if;ay:vmygvdrfhr,f/
yHk(7)u oifoGm;csifwJh address udka&G;NyD; OK ukdESdyfvdkufyg/

yHk(6)

yHk(7)
Designating an address – Disassembler window xJu listing uawmh address wpfckudk
owfrSwfwJh enf;vrf;rsdK;pHkudk jyygw,f/ Oyrmtm;jzifh? wu,fvY dk API function wpfcek JY ywfouf
vmcJh&ifawmh 'D function &JUtrnfudk wduspGmowfrSwfygw,f/ 'Dtjyif IDA Pro u rsm;aomtm;
jzifh string awGeyJY wfoufvm&ifawmh pHkprf;od&Sdxm;wJh string awGudk reference awG&JUtrnfawG
tjzpf tajccHxm;ay;ygw,f/ erlemjy&r,fqkd&ifawmh You are wrong! qdkwJh pmom;ygwJh string
udk IDA u reference tjzpfowfrSwf&mrSmawmh 'D string udk aYouAreWrong tjzpfajymif;vdkufyg
w,f/ "a" eJpY wJh 'D prefix awGudk IDA Pro u ASCII string awGtjzpf,lqygw,f/ yHk(8)/
tjcm;trnfawGtm;vHk;uawmh prefix eJY address wpfckay:rlwnf NyD; function trnfawG (od)kY
data address awGudkowfrSwfygw,f/ yHk(9)rSmjrif&wJhtwdkif; atmufyg prefix awGudk oifhtaeeJY
BuHKawGU&Edkifygw,f –
sub_ – Function
locret_ – Address of the return instruction
loc_ – Instruction address
off_ – Data specifying the address (offset)
seg_ – Data specifying the segment address
asc_ – Address of an ASCII string
byte_ – Byte address
word_ – Word address
dword_ – Double word address
qword_ – Address of a 64-bit value
flt_ – Address of a 32-bit floating-point number
dbl_ – Address of a 64-bit floating-point number
tbyte_ – Address of an 80-bit floating-point number
stru_ – Structure address
algn_ – Alignment directive
unk_ – Address of an uninvestigated area

yHk(8)

yHk(9)
Using the context menu – Disassembler window eJY tvkyfwGJvkyfr,fqdk&if window wpfckrSm
right-click ESdyf&ifay:vmwJh context menu awGeJY tom;usae&rSmjzpfygw,f/ tcsdKU menu awG
uawmh oifa&G;wJhtydkif;udkrlwnfNyD; uGJjym;aerSmjzpfygw,f/ Oyrm function trnfawG? instruction
awG? rSwfcsufawGeJY a&G;xm;wJh block wdt kY wGuf listing rSmjzpfygw,f/ tcsdKU menu item awG
uawmh debugger wpfckuJhoakYd om IDA Pro &JUvkyfaqmifcsufawGeJY ywfoufaeygw,f/ (Run to
cursor? Add breakpoint ESifh Add execution trace)/ txl;ojzifh Rename menu udk
owdjyKapvdkygw,f/ 'D item u oifhudk command &JU operand awGudk wnf;jzwfapEdkifvykY d g/
Navigating a listing – ta&;BuD;qHk;udpö&yfuawmh listing udk &SmazGjyojcif;yJjzpfygw,f/
Crossreference u nTefjywJhae&mawGudk wef;oGm;Edkifygw,f/ aemufwpfenf;udkvJ (cross-
reference ae&mrSm double-click ESdyfjcif;jzifh) return jyefvmapzdtkY wGuf toHk;jyKEdkifygw,f/ (Oyrm?
conditional jump qDo?kYd CALL command qDod?kY odr kY [kwf MOV EAX, OFFSET address
uJhoakYd om command wpfckxJrS address qDo)kYd / odxm;&rSmuawmh IDA Pro [m oifh&JU jump
awGtm;vHk;udk rSwfxm;wmjzpfwJhtwGuf BudKufwJhtcsdefrSm BudKufwJhae&mudk button
awGoHk;NyD; a&SUwdk;? aemufqkwfv&kY d ygw,f/
(5) tjcm; Window rsm;
- Hex View – 'D window rSm ul;wifxm;wJh module &JU hex dump awGyg0ifNyD; 'D dump awGudk
ASCII pmvHk;awGeJjY yygw,f/ 'D window [m disassembler window eJy Y wfoufwJht&ef window
wpfckjzpfwmrdkY olev JY G,fulpGm synchronize vkyfEdkifygw,f/ 'Dvdkvkyfcsifw,fqdk&ifawmh yHk(10)twdkif; hex
window &JU wpfae&m&mrSm right-click ESy d Nf yD; Synchronize with → IDA View udka&G;&ygr,f/

yHk(10)
'gqdkyHk(11)twdkif; VA 0040B440 &Sd&m IDA View udkwef;a&mufvmrSmjzpfygw,f/ qdkvdkwmu
awmh HEX pmvHk; 5E [m POP ESI eJn Y Dw,fqdkwJhtaMumif;yg/

yHk(11)
- Exports – 'D window rSmawmh export vkyfxm;wJh function awGpm&if; yg0ifygw,f/ 'g[m DLL
awGew JY GJvkyf&mrSm toHk;0ifygw,f/ omref exe module awGtwGuf start function vdt kY rnf&wJh element
wpfckwnf;jyrSmyg/ yHk(12)/

yHk(12)
- Imports – 'D window rSmawmh import vkyfxm;wJh function awGeJY module awGpm&if; yg0ifygw,f/
Import vkyfxm;wJh function udk double-click ESdyfr,fqdk&ifawmh disassembler window qDa&mufoGm;rSm
jzpfNyD; entry point taeeJY awGU&SdrSmjzpfygw,f/ 'gaMumifhrkY d y½d*k &rfxJu 'D function eJyY wfoufwJh cross-
reference awGtm;vHk;udk oifhtaeeJY vG,fulpGm &SmawGUEdkifrSmjzpfygw,f/ yHk(13^14)/

yHk(13)

yHk(14)
- Names – 'D window rSmawmh import vkyfxm;wmawGtm;vHk;eJY library function awGyg0ifygw,f/
IDA Pro uodxm;wJh variable awGeJY label awG&JUtrnfawGvnf; yg0ifygw,f/ trnftoD;oD;&JU b,fzuf
jcrf;rSm&SdwJhpmvHk;(t½kyf)uawmh trnftrsdK;tpm;jzpfygw,f/ yHk(15)/

yHk(15)
L – Library function
F – Regular functions and API functions
C – Instruction (label)
A – ASCII string
D – Data
I – Imported function
trnf&Sd&mudk double-click ESdyfjcif;jzifh 'Dtrnfudkac:oHk;wJh y½d*k &rf&JUwnfae&mudk wef;a&mufoGm;
rSm jzpfygw,f/ wu,fvkY d trnfopfudk zefwD;csifw,fqdk&if ajymif;csifwJh address &Sd&mae&mrSm Insert key
udkESdyNf yD; ajymif;vd&kY ygw,f/ yHk(16)/

yHk(16)
½dkufxnfhvdkufwJhtrnfuawmh disassembler window rSmvJay:aerSmjzpfygw,f/ yHk(17)/

yHk(17)
- Functions – 'D window rSmawmh library function awGeJY import vkyfxm;wJh user function awG
tygt0if IDA Pro uodxm;wJh function awGpm&if;udk jyrSmjzpfygw,f/ yHk(18)/

yHk(18)
- Strings – 'D window rSmawmh disassembler u&SmawGUxm;wJh string awGtm;vHk;yg0ifrSmjzpfygw,f/
yHk(19)/

yHk(19)
String wpfckudk double-click ESdyfNyD;Munfhr,fqdk&if 'D string udk aMunmxm;wJhae&mudk wef;a&muf
oGm;rSmjzpfygw,f/ omreftm;jzifhawmh 'D window rSm C pwdkif string awGudkomjyoygw,f/ tjcm; string
trsdK;tpm;awGudk jyocsifw,fqdk&ifawmh 'D window rSm right-click ESdyNf yD; Setup command uaea&G;ay;
vd&kY ygw,f/ yHk(20)/

yHk(20)
- Structures – 'D window rSmawmh disassembler u&SmawGUxm;wJh structure awGtm;vHk;yg0ifrSmjzpfyg
w,f/ yHk(21)/ Structure topfwpfckudk xyfxnhfcsif&ifawmh Insert key udkESdyNf yD;xnfhv&kYd ygw,f/

yHk(21)
- Enums – 'D window uawmh y½d*k &rfwGif;rSm pHkprf;vdakY wGU&Sdxm;wJh enumeration awGtm;vHk;udk jyozdkY
&nf&G,fygw,f/
'Dhtjyif disassembler u tjcm; window awGudkvJ toHk;jyKEdkiyf gw,f/ txl;ojzifh Library
window jzpfygw,f/ tGefvdkif; help pepfrSmawmh 'D window udk signatures window vdakY c:ygw,f/ 'D
window rSmawmh library function awGudkod&SdapzdkY toHk;jyKwJh signature pm&if;udk jyoygw,f/ yHk(22)/
yHk(22)rSmjrif&wmuawmh function signature awGyg0ifwJhzdkiftrnf? 'D signature awGukdtoHk;jyKNyD; awGU&Sx d m;
wJh function ta&twGuf? 'D signature awGudktoHk;csxm;wJh function awGeq JY dkifwJh trnfwjkYd zpfygw,f/

yHk(22)
wu,fvkYd vdktyfwJh signature zdkifawGudk xyfxnfhcsifw,fqdk&ifawmh Insert key udkESdyNf yD; ESpfouf
&mudk xnfhoGif;Edkifygw,f/ yHk(23)/ 'Dzdkif&JU signature awGudkawmh function topfawGudk odapzdkt Y wGuf
csufcsif;toHk;jyKrSm jzpfygw,f/

yHk(23)
(6) Menu ESifh toolbar
IDA &JU menu eJY toolbar awGtaMumif;udkawmh tMurf;zsif;yJ &Sif;jyoGm;rSmjzpfygw,f/
File menu &JU item awGuawmh atmufygtwdkif;jzpfygw,f –
Open – Disassemble vkyfr,fh exe module udk zGifhzjdkY zpfygw,f/
Load – zdkiftrsdK;rsdK;udk zGifhzjkY d zpfygw,f/ Reload the input uawmh disassemble vkyfxm;wJh
module udk jyefzGifhzjdkY zpfygw,f/ Additional binary file uawmh database xJudk aemufxyf
binary file wpfck vmul;wifrSmjzpfygw,f/ IDS file uawmh owfrSwfxm;wJh import library &JU
function awGeJYywfoufwJhtcsuftvufawGyg0ifwJh IDS (intrusion-detection system) zdkifudkzGifhzkY d
jzpfygw,f/ (IDS directory xJrSm&SdwJh IDS zdkifawGtm;vHk;udk tvdktavsmuful;wifrSm jzpfygw,f/)
PDB file qdk&ifawmh debug tcsuftvufawGygwJh PDB zdkifudk ul;wifrSmjzpfygw,f/ DBG file
qdk&ifvJ debug tcsuftvufawGygwJhzdkifudk ul;wifrSmjzpfygw,f/ FLIRT signature file qd&k if
awmh signature zdkifawGudkul;wifNyD; toHk;csrSmjzpfygw,f/ (yH-k 22 rSmjrif&wJh signature window
xJrSm wlnDwJhvkyfaqmifcsufudk vkyfaqmifrSmjzpfygw,f/) Parse C header file uawmh
structure topfawGeJY enumeration topfawGudk aemufxyfaMunmzdt kY wGuf header zdik fuae
trsdK;tpm; t"dyÜm,fzGifhqdkcsufudk zwf½Iwmjzpfygw,f/ (Enums ESifh Structures window rsm;
taMumif;wGif Munfhyg/)
Produce File – Disassemble vkyfxm;wJhuk'fay:rlwnfNyD; zdkiftopftrsdK;rsdK;udk
zefwD;ay;ygw,f/ .map udkawmh debugger awGu toHk;jyKEdkifygw,f/ .asm uawmh Assembly
zdkifjzpfNyD; .lst uawmh IDA View rSmjrif&wJhuk'fawGudk odrf;ay;wmjzpfygw,f/ .inc? .exe? .dif. ?
html pwJh zdkifawGtae eJv Y J odrf;ay;Edkifygw,f/ Hex-Rays Decompiler udk install
vkyfxm;r,fqdk&ifawmh disassemble vkyfxm;wJh exe zdkifawGudk .c (C source code) zdkiftjzpf
decompile vkyfay;Edkifygw,f/ yHk(24)/
if ( LCData ) {
    lstrcpyA(v5, &LCData);
    v7 = LoadLibraryExA(ValueName, 0, 2u);
    v3 = v7;
    if ( !v7 )
    {
        v14 = 0;
        lstrcpyA(v5, &LCData);
        v3 = LoadLibraryExA(ValueName, 0, 2u);
    }
}
yHk(24)
IDC file – Script zdkifawGudk ul;wifzkYed JY tvkyfvkyfapzdkYjzpfygw,f/
IDC command – Script awGudk csufcsif; execute vkyfEdkifzkYd window udk ac:oHk;wmjzpfygw,f/
Save… – vuf&Sd disassemble vkyfaewJh database udk .idb extension eJo
Y drf;qnf;wm jzpfyg
w,f/
Save as… – vuf&Sd disassemble vkyfaewJh database udk owfrSwfxm;wJhtrnfeJY odrf;wm
jzpfygw,f/
Close – Disassemble vkyfaewJh database udkodrf;NyD; disassemble vkyfxm;wJhzdkifudk ydwfwmyg/
Edit menu &JU item awGuawmh atmufygtwdkif;jzpfygw,f –
Copy – a&G;cs,fxm;wJht&mudk clipboard qDul;wifygw,f/
CODE – Block udk exe uk'ftjzpfajymif;vJygw,f/
DATA – a&G;cs,fxm;wJh block udk a'wmtjzpfajymif;vJygw,f/
Struct var… – Block udk a&G;xm;wJh structure tjzpfajymif;ygw,f/
Strings – String tjzpfajymif;vJygw,f/ (String trsdK;tpm;udkawmh submenu uae
a&G;cs,fEdkifygw,f/)
Array – BudKwifowfrSwfxm;wJh parameter awGeJY array tjzpf ajymif;vJay;ygw,f/
Undefine – BudKwifrowfrSwf&ao;wJh structure wpfck&JUa'wmtjzpf a&G;xm;wJh block
udk trSwftom;vkyfygw,f/
Name – trnfajymif;wmjzpfygw,f/
Operand type – Operand trsdK;tpm;udk owfrSwfwmjzpfygw,f/
Comments – rSwfcsufawG xnfhoGif;zdkjY zpfygw,f/
Segments – Segment awGudk udkifwG,fEdkifzjkY d zpfygw,f/
Structs – Structure awGudk udkifwG,fEdkifzjkY d zpfygw,f/
Functions – Function awGudk udkifwG,fEdkifzjkY d zpfygw,f/
Other – Alignment directive udkowfrSwfjcif;? instruction rsm;(od)kY a'wmrsm;udk
½dkufxnfhjcif;? ta&mifwpfa&mifjzifhjyjcif;pwJh tjcm;vkyfaqmifcsufawGudk aqmif&Gufwm
jzpfygw,f/
Plugins – tjcm; plug-in module awGudk toHk;jyKzdkYjzpfygw,f/

yHk(25)
Jump menu &JU item awGuawmh disassemble vkyfxm;wJhuk'fawGxJu jump trsdK;rsdK;twGuf
&nf&G,fwmjzpfygw,f/ Oyrm – owfrSwfxm;wJh address qD jump vkyfjcif;? owfrSwfxm;wJh function qD
jump vkyfjcif; (olUudkawmh list uae a&G;cs,fEdkifygw,f)? y½d*k &rf&JU entry point (EP) qD jump vkyfjcif;?
owfrSwfxm;wJh label qD jump vkyfjcif;/ yHk(25)/
Search menu &JU item awGuawmh disassemble vkyfxm;wJhpmom;xJrSm&SdwJh &SmazGwJhvkyfaqmif
csuftrsdK;rsdK;twGuf &nf&G,fygw,f/ Oyrm – pmom;udk&Smjcif;? aemufxyf a'wm block udk&Smjcif;? aemuf
xyf Assembly instruction udk&Smjcif;? aemufxyf byte sequence udk&Smjcif;/ yHk(26)/

yHk(26)
View menu &JU item awGudk toHk;jyKNyD; IDA Pro &JU jrifuGif;awGudk ESpfouf&mxm;vd& kY ygw,f/
Window topfawGudk xyfzGifhjcif; (Open Subviews)? toolbar awGudk zefwD;jcif;ESifh zsufjcif; Toolbars)?
function awGudk azsmufjcif;^jyefazmfjcif; (hide/unhide) wdjkY yKvkyfEdkifygw,f/
Debugger menu u command awGuawmh oifhudk IDA Pro &JU trsdK;rsdK;aom debugging
pGrf;aqmif&nfudk jyorSmjzpfygw,f/ 'gawGuawmh breakpoint rsm;udkudkifwG,fjcif; (Breakpoints)? watch
rsm;udkudkifwG,fjcif; (Watches)? trace vdkufjcif; (Tracing)? register trsdK;rsdK;xJrS wefzdk;rsm;udk Munfhjcif;
(General registers? Segment register? FPU register) wdjkY zpfygw,f/
Option menu uawmh IDA Pro &JU setting awGudk ajymif;vJzt kY d wGufjzpfNyD; tapmydkif;rSm uRefawmf
&Sif;jycJhwJhtwdkif;jzpfygw,f/
Windows menu &JU item awGudktoHk;jyKNyD; IDA Pro &JU window awGudk udkifwG,fEdkifygw,f/
Help menu item awGuawmh oifhudk enf;ynmydkif;qdkif&m taxmuftulawGay;rSmyg/
(7) Built-In IDA Pro y½dk*&rfbmompum;
IDA Pro disassembler rSmawmh built-in y½d* k &rfbmompum;wpfckygvmygw,f/ 'gaMumifh y½d*k &rf
i,fav;awGudk udk,fwdkifa&;om;EdkiNf yD; olwu kYd dk disassemble vkyfxm;wJhuk'fawGtjzpf jyefvnfppfaq;
Munfh&IEdkifrSmjzpfygw,f/
IDA Pro rSm wcgwnf;ygvmwJh y½d*k &rfbmompum;[m C (ANSI C) bmompum;eJY awmfawmf
av;qifygw,f/ 'gaMumifhvJ 'Dbmompum;&JUtrnf[m IDC (Interactive Disassembler C) jzpfaewmyg/
IDC subdirectory atmufrSm 'Dbmompum;eJYywfoufwJh erlemy½d*k &rfawG yg&Sdygw,f/ IDA Pro uawmh
'Dy½d*k &rfawGudk disassemble vkyfxm;wJhpmom;awGtjzpf analyze vkyfzt kYd wGuf toHk;jyKwmjzpfygw,f/
'Dy½d*k &rfawGtm;vHk;udk analyze vkyf&wm vG,fulygw,f/ 'gaMumifh oifhtaeeJY IDC bmompum;udk
avhvmzdt kY wGuf olwkYdawGudk toHk;jyKEdkifygw,f/
IDC command awGudk execute vkyfzkYd enf;vrf;ESpfck&Sdygw,f/
1/ yxrenf;vrf;uawmh command window udktoHk;jyKvdjkY zpfygw,f/ Command window udkac:oHk;zdkY
File | IDC command udka&G;NyD;aomfvnf;aumif;? Shift + F2 udkESdyfjcif;jzifhaomfvnf;aumif;
toHk;jyKEdkif ygw,f/ Command window uawmh yHk(27)twdkif;jzpfygw,f/ 'D window rSm IDC command
awGudk wnf;jzwfEdkifygw,f/ tm;vHk;NyD;pD;&ifawmh OK button udkESdyfvdku½f HkygyJ/ IDA Pro uawmh 'D
command awGudk bmomjyefNyD; execute vkyfzBkYd udK;pm;rSmjzpfygw,f/ 'gaMumifh 'D window udktoHk;jyKNyD;
½dk;&Sif;vSwhJ y½d*k &rfawGudk IDC bmompum;eJY a&;om;EdkifrSmjzpfygw,f/
2/ ydNk yD;tajccHuswJhcsOf;uyfenf;uawmh .IDC extension trnfeJY IDC uk'fawGyg0ifwJhzdkifawG zefwD;zdykY g/
y½d*k &rfwpfckudkzGifhzkY d File menu u Idc file udka&G;&ygr,f/ 'Dae&mrSmawmh y½dk*&rfudk compile vkyNf yD;
csufcsif; execute vkyfrSmjzpfygw,f/ 'Dhtjyif yHk(28)twdkif; aemufxyf window wpfckxyfay:vmrSmjzpfNyD;
y½d*k &rfuk'fudkwnf;jzwfzkYed JY y½d*k &rfudk execute vkyfzkYd button awGyg&SdrSmjzpfygw,f/
IDC rSm y½d* k &rfa&;r,fqdk&if tenf;qHk;awmh atmufygtcsufawG yg0if&rSmjzpfygw,f/
#include <idc.idc>
static main(void)
{
    // Your Code here;
}

yHk(27)

yHk(28)
ed*Hk;csKyftaeeJY IDA Pro taMumif; twGif;ususodcsif&if Chris Eagle a&;om;wJh ]The IDA Pro
Book – The Unofficial Guide to the World's Most Popular Disassembler} pmtkyfudkzwf½IzkYd
tBuHay;vdkygw,f/
tcef;(8) - PE Header - 121 -

tcef;(8) - PE Header
(1) PE zdkifzGJUpnf;yHk
Portable Executable (PE) qdkwm 32‐bit eJY 64‐bit Windows OS awGrSm toHk;jyKaeMuwJh
executable (EXE) zdkif? object (DLL) zdkifawGtwGuf zdkifyHkpHwpfck jzpfygw,f/ Portable qdkwJhtoHk;tEIef;
udku 32‐bit eJY 64‐bit Windows OS awGMum; tjyeftvSef vG,fvifhwul toHk;jyKEdkifwmudk &nfnTef;wm
yg/ PE yHkpHqdkwm tajccHtm;jzifhawmh wrap vkyfxm;wJh executable code awGudk pDrHzkYd Windows OS
loader twGuf vdktyfwo Jh wif;tcsuftvufawGudk encapsulate vkyfay;wJh data structure wpfckyg/ tJ'DrSm
link vkyfzkt Yd wGuf dynamic library reference awG? API udk export eJY import vkyfzkYd table awG? resource
management data awGeJY TLS data awGyg0ifygw,f/ 'DyHkpHudk pdwful;xkwfvkyfcJhwmuawmh Microsoft
jzpfNyD; VAX/VMS rSmoHk;wJh COFF zdkifyHkpHuae erlem,lcJhwmjzpfygw,f/
"Portable Executable" vdkY a½G;cs,fvdkuf&wmuawmh intent [m Windows tm;vHk;twGuf tajccH
tusqHk;zdkifyHkpHjzpfNyD; CPU wdkif;rSm tvkyfvkyfEdkifvkYyd g/ ajym&&ifawmh Windows NT rsdK;quf? Windows 95
rsdK;qufeJY Windows CE wdrkY Sm toHk;jyKEdkifvkdUyg/ Microsoft compiler awGu xkwfay;wJh OBJ
zdkifawGuawmh COFF (Common Object File Format) yHkpHjzpfNyD; encoding vkyf&mrSm 8vDpepfudk toHk;jyK
ygw,f/ 64-bit Windows awGrSmawmh PE yHkpHudk tenf;i,fjyKjyifay;zdkY vdkygw,f/ yHk(1)rSm jyxm;wmu
awmh PE zdkifwpfckrSmyg0ifwJh tajccHzGJUpnf;wnfaqmufyHk jzpfygw,f/
DOS MZ Header

DOS Stub

PE header

Section Table

Section 1

Section 2

Section …

Section n

yHk(1)
PE zdkifrSm tenf;qHk;awmh section ESpfck&Sdygw,f/ wpfckuawmh uk'fawGtwGufjzpfNyD;? aemufwpfcku
awmh a'wmawGtwGuf jzpfygw,f/ Windows NT &JU application wpfckrSmawmh 9ckavmuf&Sdygw,f/
olwakYd wGuawmh .text? .bss? .rdata? .data? .rsrc? .edata? .idata? .pdata eJY .debug wdkY jzpfygw,f/ tcsKdU
application awGuawmh 'D section awGtm;vHk;rvdkygbl;/ tcsdKUuawmh olwkY&d JUvdktyfcsufey JY wfoufNyD;
'DxufydkwmvJ jzpfEdkifygw,f/
zdkifwpfckrSm tawGUrsm;wJh section awGuawmh ...
- executable code section .text (Microsoft)? CODE (Borland)
- data section .data, .rdata, .bss (Microsoft)? DATA, BSS (Borland)
- resources section .rsrc
- export data section .edata
- import data section .idata
- debug information section .debug
Section trnfawG[m wu,fawmh ta&;rygvSygbl;/ OS uvJ 'DtrnfawGudk vspfvsL½Ixm;yg
w,f/ ta&;BuD;wJhtcsufuawmh disk ay:rSm&SdwJh PE zdkifwpfck&JU zGJUpnf;yHk[m rSwfOmPfay:ul;wifvdkufcsdef
rSm&SdwJh tajctaeeJY wpfyHkpHwnf;ygbJ/ 'gaMumifhrkY d wu,fvkYd oifhtaeeJY tcsuftvufawGudk disk ay:u
zdkirf Smae&mcsxm;cJhr,fqdk&if? zdkifudkrSwfOmPfay:ul;wifvdkufcsdefrSmvJ 'DtcsuftvufawGudk &SmazGv&Y dk &ygr,f/
b,fvdkyJjzpfygap olUudk rSwfOmPfay: wpfyHkpHwnf; ul;wifvdkufwm r[kwfygbl;/ Windows loader
u b,ftydkif;awGudk ae&mcsxm;ay;zdv kY dkovJ? b,ftydkif;awGudk csefxm;cJh&rvJqdkwmudk qHk;jzwfygao;w,f/
vHk;0ae&mcsxm;p&mrvkdwJh tcsuftvufawGudkawmh ae&mcsxm;ay;r,fh b,f section tydkif;udkrqdk ausmf
vGeNf yD; zdkif&JUaemufqHk;rSm ae&mcsxm;ygw,f/ (Oyrm - debug information)
rSwfOmPfay: ul;wifvdkufcsdefrSmeJY disk ay:rSm&SdwJh zdkif&JU item wpfcw k nfae&mwdk[ Y m uGJjym;avh&Sdyg
w,f/ bmaMumifhvJqdkawmh Windows utoHk;jyKwJh page udktajcjyKwJh virtual memory management
pepfaMumifh jzpfygw,f/ Section awGudk RAM ay:ul;wifvdkufwJhtcg olw[ kY d m 4KB &SdwJh memory page
awGeJY udkufnDatmifae&NyD; section toD;oD;[m page topfu pwif&ygw,f/ Virtual memory uawmh
yHk(2)twdkif; jzpfygw,f/

yHk(2)
Virtual memory &JU vkyfaqmifcsufuawmh aqmhzf0JvfawGu physical memory udw k dku½f dkuf
oHk;pGJapr,fhtpm; y½dq k ufqmeJY OS ESpfckMum; rjrif&wJhtvTmwpfckudk zefwD;vdkufwmyg/ rSwfOmPfeJY csdwf
qufzBkYd udK;pm;vdkufwkdif; y&kdqufqm[m b,f process uae b,f physical memory address udk
wu,foHk;pGJr,fqdkwmudk page table eJY n§Ed diI f;ygw,f/ rSwfOmPfu pmvHk;toD;oD;twGuf table entry
wpfck&SdzqkYd dkwm vufawGUrSmawmh rjzpfEdkifygbl;/ (page table [m physical memory pkpkaygif;xuf BuD;ae
ygw,f/) 'gaMumifh y½dq k ufqmawG[m rSwfOmPfudk page awGtjzpf ydkif;jcm;&wmjzpfygw,f/ 'g&JU tusdK;
&v'fawGuawmh -
(1) ajrmufjrm;vSpGmaom address space awGudk zefwD;Edkifygw,f/ Address space qdkwmuawmh rSwfOmPf
eJY access vkyfzo dkY m cGifhjyKxm;wJh oD;jcm; page wpfckjzpfygw,f/ qdkvdkwmuawmh vuf&Sd y½d*k &rf (od)kY
process eJo Y m oufqdkifygw,f/ aocsmwmu y½d*k &rfawG[m wpfckew JY pfck oD;jcm;pD&SdaeMuwmyg/ 'gaMumifh
rdv kY J y½d*k &rfwpfckrSm crash jzpfcJh&if tjcm;y½d*k &rfwpfck&JU address space udk taESmifht,Sufrjzpfapwmyg/
(2) rSwfOmPfudk b,fvdk access vkyf&rvJqdkwJh pnf;rsOf;awGtwGuf y½dq k ufqmudk twif;tMuyfvkyfcdkif;
Edkifygw,f/ PE zdkifawGrSm section awGudk vdktyfygw,f/ bmaMumifhvJqdkawmh zdkifxJu e,fy,ftrsdK;rsdK;udk
module wpfck ul;wifvdkufcsdefwdkif; memory manager u rwlnDpGm oabmxm;vdy kY g/ ul;wifcsdefrSm
section header xJu olwkYd&JU setting awGtay: tajccHwJh section trsdK;rsdK;twGuf memory manager [m
memory page awGay:rSm access vkyfEdkifwJhtcGifhtmPmudk owfrSwfygw,f/ 'Dtcsufu owfrSwfxm;wJh
section [m zwfvkY& d wmvm;? a&;vd&kY wmvm;? execute vkyfvkYd&wmvm; qHk;jzwfygw,f/ Section toD;
oD;[m xHk;pHtwdkif;yJ fresh page wpfckuaepoifhw,fvkY d qdkvdkjcif;jzpfygw,f/
bmyJjzpfjzpf Windows twGuf page size uawmh 4096 bytes (1000h) jzpfygw,f/ Disk ay:u
page t½G,ftpm;twdkif; exe uk'fudk nSd,lr,fqdk&ifawmh tv[ójzpfukefrSmyg/ bmaMumifhvJqdkawmh vdktyf
wmxufyNdk yD; t½G,ftpm;BuD;rm;aprSm jzpfvydkY g/ 'gaMumifhrv kY d J PE header rSmrwlnDwJh alignment field ESpfck
&Sdygw,f/ olwakYd wGuawmh section alignment eJY file alignment yg/ Section alignment qdkwm uawmh
tay:rSmqdkxm;wJhtwdkif; rSwfOmPfxJrSm section awGudk b,fvdknSd,lrvJqdkwm jzpfygw,f/
(3) PE zdkifawGudk windows loader u rSwfOmPfxJudk ul;wifvdkufcsdefrSm &SdaewJhtaetxm;udk module vdkY
ac:ygw,f/ zdkiaf wGudk ae&mcsxm;jcif;pwifwJh yxrqHk; address udk HMODULE vdakY c:ygw,f/ rSwfOmPf
xJrSm&SdwJh module wpfck[m exe zdkifuae process wpfcku vdktyfwJh uk'f? a'wmeJY resource awGtm;vHk;udk
azmfjyEdkifygw,f/ PE zdkif&JU tjcm;tydkif;awGudk zwf½Iv&kYd ayr,fh rSwfOmPfxJrSmawmh ae&mcsay;jcif; r&Sdygbl;/
(Oyrm - relocation)
(2) DOS Header
PE zdkifawG[m DOS header eJY pavh&NSd yD; zdkif&JU yxrqHk; 64 bytes tjzpfawGU&ygw,f/ y½d*k &rf[m
DOS uaepwiftvkyfvkyf&wmjzpfygw,f/ 'gaMumifh DOS u rSefuefwJh executable zdkifjzpfaMumif; todt
rSwfjyKrSom header aemufrSm odrf;qnf;xm;wJh DOS stub udk tvkyfvkyfrSm jzpfygw,f/ DOS stub uawmh
yHkrSeftm;jzifh 'This program must be run under Microsoft Windows' qdkwhJpmom;udk xkwfay;avh&SdNyD;
oludk,fwdkifawmif DOS y½d*k &rfjzpfEdkifygw,f/ Windows application awGudk build vkyfcsdefrSm linker u
oifh&JU exe zdkifxJudk winstub.exe vdakY c:wJh stub y½d*k &rfudk link csdwfay;vdkufwm jzpfygw,f/
DOS header [m structure wpfckjzpfNyD; windows.inc (od)kY winnt.h zdkifawGrSm olUudk t"dyÜm,fzGifh
qdkxm;ygw,f/ (wu,fvkYd oifhrSm assembler (od)kY compiler udk install vkyNf yD;om;&SdcJh&if olwkYad wGudk
\include\ directory atmufrSm&SmEdkifygw,f/ DOS header rSm member ta&twGuf 19 ck&NSd yD; magic eJY
lfanew uawmh pdwf0ifpm;p&maumif;ygw,f/

IMAGE_DOS_HEADER STRUCT
    e_magic    WORD ?
    e_cblp     WORD ?
    e_cp       WORD ?
    e_crlc     WORD ?
    e_cparhdr  WORD ?
    e_minalloc WORD ?
    e_maxalloc WORD ?
    e_ss       WORD ?
    e_sp       WORD ?
    e_csum     WORD ?
    e_ip       WORD ?
    e_cs       WORD ?
    e_lfarlc   WORD ?
    e_ovno     WORD ?
    e_res      WORD 4 dup (?)
    e_oemid    WORD ?
    e_oeminfo  WORD ?
    e_res2     WORD 10 dup (?)
    e_lfanew   DWORD ?
IMAGE_DOS_HEADER ENDS

The magic field of the DOS header in a PE file holds the values 4Dh 5Ah (the letters MZ, which stand for Mark Zbikowsky, one of the original designers of MS-DOS); this marks it as a valid DOS header. MZ are the first two characters, and you can see them in any PE file opened in a hex editor.
lfanew is a DWORD located between the end of the DOS header and the start of the DOS stub. It holds the offset of the PE header relative to the start of the program. The Windows loader looks up this offset, which is how it can skip over the DOS stub and go straight to the PE header. (Note: a DWORD (double word) is 4 bytes or 32 bits, and a WORD is 2 bytes or 16 bits. A DWORD is sometimes written as dd; dw is a WORD and db is a byte.) See Figure (3).

Figure (3)
We said that the DOS header occupies the first 64 bytes of the PE file. That is the first 4 rows of Figure (3) (offset 0000 to offset 0030). The last DWORD before the DOS stub holds 00h 01h 00h 00h. Reading it backwards from the last byte gives 00 00 01 00h, which is where the PE header starts. The PE header itself starts with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by zeros).
If the signature slot of the PE header shows NE instead of PE, the file is an NE file that runs on 16-bit Windows. Likewise, LE means a Windows 3.x virtual device driver (VxD) and LX means an OS/2 2.0 file.
(3) PE Header
The PE header is a structure called IMAGE_NT_HEADERS. It holds the information the Windows loader cannot do without. IMAGE_NT_HEADERS has 3 members, which are defined in windows.inc.
IMAGE_NT_HEADERS STRUCT
Signature DWORD ?
FileHeader IMAGE_FILE_HEADER <>
OptionalHeader IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

- Signature is a DWORD holding the value 50h, 45h, 00h, 00h ("PE" followed by zeros).
- FileHeader is the next 20 bytes of the PE file and describes the file's physical layout and properties (e.g. the number of sections and whether or not the file is an exe).
- OptionalHeader is the next 224 bytes and describes the logical layout inside the PE file (e.g. AddressOfEntryPoint). Its size is given by one of the members of FileHeader. The structures of these members are also defined in windows.inc.
FileHeader can be shown as follows.
IMAGE_FILE_HEADER STRUCT
Machine WORD 014C (Intel 386)
NumberOfSections WORD 0005
TimeDateStamp DWORD 846C26F0
PointerToSymbolTable DWORD 00000000
NumberOfSymbols DWORD 00000000
SizeOfOptionalHeader WORD 00E0
Characteristics WORD 818E (File is exe)
IMAGE_FILE_HEADER ENDS
We will not use most of these. NumberOfSections, however, is needed whenever you want to delete sections from, or add sections to, a PE file. Characteristics holds flags that tell whether the PE file is an executable or a DLL. The 7th byte from the start of the PE header is NumberOfSections; it tells how many sections there are. See Figure (4).

Figure (4)
Figure (4) shows that the PE file we opened has 5 sections. PE Browse and LordPE were used.
OptionalHeader takes up 224 bytes. Its last 128 bytes hold the DataDirectory.
IMAGE_OPTIONAL_HEADER32 STRUCT
Magic WORD 010B (PE32)
MajorLinkerVersion BYTE 02
MinorLinkerVersion BYTE 19
SizeOfCode DWORD 00000600
SizeOfInitializedData DWORD 00001800
SizeOfUninitializedData DWORD 00000000
AddressOfEntryPoint DWORD 00001000 (CODE)
BaseOfCode DWORD 00001000
BaseOfData DWORD 00002000
ImageBase DWORD 00400000
SectionAlignment DWORD 00001000
FileAlignment DWORD 00000200
MajorOperatingSystemVersion WORD 0001
MinorOperatingSystemVersion WORD 0000
MajorImageVersion WORD 0000
MinorImageVersion WORD 0000
MajorSubsystemVersion WORD 0003
MinorSubsystemVersion WORD 000A
Win32VersionValue DWORD 00000000
SizeOfImage DWORD 00006000
SizeOfHeaders DWORD 00000400
CheckSum DWORD 00000000
Subsystem WORD 0002 (Windows GUI)
DllCharacteristics WORD 0000
SizeOfStackReserve DWORD 00100000
SizeOfStackCommit DWORD 00002000
SizeOfHeapReserve DWORD 00100000
SizeOfHeapCommit DWORD 00000000
LoaderFlags DWORD 00000000
NumberOfRvaAndSizes DWORD 00000010
DataDirectory IMAGE_DATA_DIRECTORY
IMAGE_OPTIONAL_HEADER32 ENDS

AddressOfEntryPoint - The RVA of the first instruction that will execute once the PE loader is ready to run the PE file. If you want an instruction of your own choosing to run first, you can either change this RVA or patch the instruction. Packers usually point it at their decompression stub, so that when the program is executed the original entry point (OEP) is bypassed. Files protected with Starforce technology have no .CODE section while they sit on disk; it only appears in virtual memory at execution time. It is referred to by a virtual address.
ImageBase - The preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word 'preferred' means that if some other module already occupies this address range, the PE loader will not load the file at this address. About 99 percent of the time it is 400000h. For files compiled with Microsoft Visual C++ x.x Method2 [Debug] it is 1000000h.
SectionAlignment - The alignment of sections in memory. For example, if the value in this field is 4096 (1000h), every section must start at a multiple of 4096 bytes. If the first section is at 401000h and is only 10 bytes long, the next section still starts at 402000h. The address space left free between 401000h and 402000h is mostly unused.
FileAlignment - The alignment of sections in the file. For example, if the value in this field is 512 (200h), every section must start at a multiple of 512 bytes. If the first section is at offset 200h and is only 10 bytes long, the next section still starts at 400h. The offsets left free between 512 and 1024 are not used.
SizeOfImage - The total size of the PE image in memory. It is the sum of all headers and all sections, aligned to SectionAlignment.
SizeOfHeaders - The size of all headers plus the section table. In short, this value equals the file size minus the combined size of all the sections in the file.
DataDirectory - An array of 16 IMAGE_DATA_DIRECTORY structures, each of which relates to an important data structure in the PE file such as the import address table (IAT).
Figure (5) shows the layout of the PE header as seen in a hex editor. Note that whatever part of the DOS header and PE header you look at in a hex editor, the size and shape will always be the same. Only the DOS STUB can vary in size.

Figure (5)
The PE header can also be examined in detail in Olly. Open the Olly debugger and press Alt + M. You will see Figure (6).

Figure (6)
In Figure (6), right-click on the 'PE header' entry and choose Dump in CPU; you will see Figure (7).

Figure (7)
In Figure (7), right-click in the hex window and choose PE header from the Special menu; you will see Figure (8).

Figure (8)
(4) Data Directory
To say a little more about the DataDirectory: it is simply the last 128 bytes of the OptionalHeader, and the OptionalHeader is itself the last member of IMAGE_NT_HEADERS, the PE header.
As mentioned earlier, the DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, each of which relates to an important data structure in the PE file. Each array element refers to a predefined item such as the import table. The structure has two members: one gives the location and the other the size.
IMAGE_DATA_DIRECTORY STRUCT
VirtualAddress DWORD ?
isize DWORD ?
IMAGE_DATA_DIRECTORY ENDS

VirtualAddress is the relative virtual address (RVA) of the data structure. isize is the size of the data structure in bytes.
The names of the 16 directories declared in windows.inc are as follows -
IMAGE_DIRECTORY_ENTRY_EXPORT equ 0 (export symbols)
IMAGE_DIRECTORY_ENTRY_IMPORT equ 1 (import symbols)
IMAGE_DIRECTORY_ENTRY_RESOURCE equ 2 (resources)
IMAGE_DIRECTORY_ENTRY_EXCEPTION equ 3 (exception)
IMAGE_DIRECTORY_ENTRY_SECURITY equ 4 (security)
IMAGE_DIRECTORY_ENTRY_BASERELOC equ 5 (base relocation)
IMAGE_DIRECTORY_ENTRY_DEBUG equ 6 (debug)
IMAGE_DIRECTORY_ENTRY_COPYRIGHT equ 7 (copyright string)
IMAGE_DIRECTORY_ENTRY_GLOBALPTR equ 8 (unknown)
IMAGE_DIRECTORY_ENTRY_TLS equ 9 (thread local storage)
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG equ 10 (load configuration)
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT equ 11 (bound import)
IMAGE_DIRECTORY_ENTRY_IAT equ 12 (import address table)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT equ 13 (delay import)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR equ 14 (COM descriptor)
IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16

Looking at a sample exe file in LordPE, you will see Figure (9).

Figure (9)
Looking at Figure (9), apart from the 4 entries highlighted in blue, the remaining unused slots are filled with zeros.

Figure (10)
In Figure (10) the import directory is shown in pink. Its first 4 bytes are 40000h (in reversed byte order). The size of the import directory is 1CDCh bytes. The DWORD at 80h bytes from the start of the PE header is always the RVA of the import directory. Yellow is the resource directory and purple is the TLS directory.
To locate a particular directory, first take its virtual address from the data directory. Then use that virtual address to find out which section the directory lives in. Once you know which section holds the directory, use that section's section header to work out the exact file offset.
(5) Section Table
The section table comes right after the PE header. It is an array of IMAGE_SECTION_HEADER structures, each of which holds the details of one section of the PE file, such as its attributes and virtual offset. Remember that the number of sections is given by the second member of the file header (6 bytes from the start of the PE header). So if the PE file has 8 sections, there will be 8 copies of this structure in the table. Each header structure is 40 bytes and is declared in windows.inc like this.
IMAGE_SECTION_HEADER STRUCT
Name1 BYTE IMAGE_SIZEOF_SHORT_NAME dup (?)
union Misc
PhysicalAddress DWORD ?
VirtualSize DWORD ?
ends
VirtualAddress DWORD ?
SizeOfRawData DWORD ?
PointerToRawData DWORD ?
PointerToRelocations DWORD ?
PointerToLinenumbers DWORD ?
NumberOfRelocations WORD ?
NumberOfLinenumbers WORD ?
Characteristics DWORD ?
IMAGE_SECTION_HEADER ENDS
IMAGE_SIZEOF_SHORT_NAME equ 8
Not every member of this structure is useful, so only the members that really matter are explained here.
Name1 - (this field is 8 bytes) The name is just a label and can even be left blank. Note that it is not an ASCII string, so it does not need to end with a \0 (null terminator).
VirtualSize - (DWORD union) The actual size of the section's data in bytes. It may be smaller than the size of the section on disk (SizeOfRawData). If this value is larger than SizeOfRawData, the remainder of the section is filled with zeros.
VirtualAddress - The RVA of the section. The PE loader reads and uses the value in this field when it maps the section into memory. So if the value in this field is 1000h and the PE file starts at 400000h, the section starts at 401000h.
SizeOfRawData - The size of the section's data in the file on disk. It is a multiple of the FileAlignment from the module header; if it is smaller than the virtual size, the rest of the section is filled with zeros. When the section holds nothing but uninitialized data, this field must be zero.
PointerToRawData - (Raw Offset) - PointerToRawData is very useful, because it is the offset from the start of the file to the section's data. If it is zero, the section's data is not in the file at all. It must be a multiple of the FileAlignment in the module header. When the section holds nothing but uninitialized data, this field must be zero. The PE loader uses the value in this field to find where in the file the section's data is.
Characteristics - Flags telling whether the section holds executable code, initialized data or uninitialized data, and whether it can be written or read.
FLAG EXPLANATION
00000008 Section should not be padded to next boundary
00000020 Section contains code
00000040 Section contains initialised data (which will become initialised with real values before the file is launched)
00000080 Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200 Section contains comments for the linker
00000800 Section contents will not become part of image
00001000 Section contents comdat (Common Block Data)
00008000 Section contents cannot be accessed relative to GP
1-800000 Boundary alignment settings
01000000 Section contains extended relocations
02000000 Section can be discarded (e.g. .reloc)
04000000 Section is not cacheable
08000000 Section is pageable
10000000 Section is shareable
20000000 Section is executable
40000000 Section is readable
80000000 Section is writable
Looking at our program, which had 5 sections in its PE header, in a hex editor gives Figure (11).
Figure (11)
In Figure (11), PointerToRawData is shown in green. To make it clearer, Figure (12) shows the same thing in LordPE.

Figure (12)
After the section headers come the sections themselves. In the file on disk, each section starts at some offset that is a multiple of the FileAlignment value found in the Optional header. Between the data of one section and the next there are zeros.
When loaded into RAM, sections always start on a page boundary, so the first byte of each section corresponds to a memory page. Pages on x86 CPUs are 4 kB aligned, and on IA-64 they are 8 kB aligned. As noted, this alignment value is stored in SectionAlignment in the OptionalHeader.
For example, if the optional header ends at file offset 981 and FileAlignment is 512, the first section will start at byte 1024. Remember that you can locate sections through PointerToRawData or VirtualAddress, so there is no need to fuss over the alignments.
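Here is a small parser, added as an example and not part of the book, that walks the structures described above the way the text says the loader does: it checks the MZ and PE signatures, reads NumberOfSections and SizeOfOptionalHeader from the file header, pulls the key optional header fields and the DataDirectory, reads the section table, and translates an RVA to a file offset by the procedure given under Data Directory (find the section, then use its header). It runs on a constructed minimal PE32 image built by build_sample_pe; the section names, sizes and flag values in it are assumptions, not taken from any real file. It also flags a section that is both writable and executable, one of the first things to check when assessing an unknown binary.

```python
import struct

# Subset of the section Characteristics flags from the table above
SECTION_FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
                 0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE",
                 0x40000000: "READ", 0x80000000: "WRITE"}

def parse_dos_header(data):
    """IMAGE_DOS_HEADER is 64 bytes; only e_magic ('MZ') and e_lfanew (at 3Ch) matter here."""
    if len(data) < 64 or data[0:2] != b"MZ":
        raise ValueError("missing MZ signature")
    return {"e_magic": bytes(data[0:2]), "e_lfanew": struct.unpack_from("<I", data, 0x3C)[0]}

def parse_nt_headers(data, e_lfanew):
    """IMAGE_NT_HEADERS: 'PE\\0\\0', then IMAGE_FILE_HEADER (20 bytes), then IMAGE_OPTIONAL_HEADER32."""
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    file_header = {"Machine": machine, "NumberOfSections": nsec,
                   "SizeOfOptionalHeader": opt_size, "Characteristics": chars}
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    # Byte offsets of the DWORD fields inside IMAGE_OPTIONAL_HEADER32 (see the struct listed above)
    layout = {"AddressOfEntryPoint": 16, "ImageBase": 28, "SectionAlignment": 32,
              "FileAlignment": 36, "SizeOfImage": 56, "SizeOfHeaders": 60, "NumberOfRvaAndSizes": 92}
    optional = {k: struct.unpack_from("<I", data, opt + v)[0] for k, v in layout.items()}
    # DataDirectory: up to 16 (VirtualAddress, isize) pairs, the last 128 bytes of the optional header
    optional["DataDirectory"] = [struct.unpack_from("<II", data, opt + 96 + 8 * i)
                                 for i in range(min(optional["NumberOfRvaAndSizes"], 16))]
    return file_header, optional

def parse_section_table(data, e_lfanew, file_header):
    """The section table follows the optional header; each IMAGE_SECTION_HEADER is 40 bytes."""
    off = e_lfanew + 24 + file_header["SizeOfOptionalHeader"]
    sections = []
    for _ in range(file_header["NumberOfSections"]):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"Name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": vsize, "VirtualAddress": va, "SizeOfRawData": rawsize,
                         "PointerToRawData": rawptr, "Characteristics": chars,
                         "Flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit]})
        off += 40
    return sections

def rva_to_offset(rva, sections):
    """The procedure from the text: find the section whose RVA range holds rva, then rebase onto its raw offset."""
    for s in sections:
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    return None

def analyze(data):
    """Parse the headers and section table, translate the entry point and import directory RVAs
    to file offsets, and flag the things an analyst checks first."""
    dos = parse_dos_header(data)
    fh, opt = parse_nt_headers(data, dos["e_lfanew"])
    secs = parse_section_table(data, dos["e_lfanew"], fh)
    warnings = []
    if rva_to_offset(opt["AddressOfEntryPoint"], secs) is None:
        warnings.append("AddressOfEntryPoint falls outside every section")
    for s in secs:
        if s["PointerToRawData"] % opt["FileAlignment"]:
            warnings.append("%s: PointerToRawData is not FileAlignment-aligned" % s["Name"])
        if "WRITE" in s["Flags"] and "EXECUTE" in s["Flags"]:
            warnings.append("%s: section is both writable and executable" % s["Name"])
    import_rva, _ = opt["DataDirectory"][1]          # IMAGE_DIRECTORY_ENTRY_IMPORT
    return {"file_header": fh, "optional": opt, "sections": secs,
            "entry_offset": rva_to_offset(opt["AddressOfEntryPoint"], secs),
            "import_dir_offset": rva_to_offset(import_rva, secs), "warnings": warnings}

def build_sample_pe():
    """Constructed minimal PE32 image (not from the book): DOS header, empty stub, NT headers at 80h
    and two zero-filled sections. The .data section is deliberately marked writable and executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                 # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # Magic = PE32
    for off, val in ((16, 0x1000), (28, 0x400000), (32, 0x1000), (36, 0x200),
                     (56, 0x3000), (60, 0x400), (92, 16)):
        struct.pack_into("<I", opt, off, val)
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2010, 0x40)                  # import directory RVA and size

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    hdr += opt + sec(b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020)
    hdr += sec(b".data", 0x100, 0x2000, 0x200, 0x600, 0xE0000040)
    return bytes(hdr).ljust(0x400, b"\0") + bytes(0x400)                    # headers to SizeOfHeaders, then raw bodies

if __name__ == "__main__":
    for key, value in analyze(build_sample_pe()).items():
        print(key, value)
```

On the sample image the entry point RVA 1000h lands in .text at file offset 400h and the import directory RVA 2010h lands in .data at offset 610h; the only warning is the RWX .data section. Running analyze on a real file is a matter of passing open(path, "rb").read() instead of the constructed image.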
(6) PE File Sections
Sections hold code, data, resources and other information. Every section has a header and a body (the raw data). The section headers live in the section table, but the section bodies have no rigid file structure: the linker can organize them however it likes, as long as the header holds enough information to decipher the data.
A Windows NT application has about 9 predefined section names: .text, .bss, .data, .rdata, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, and some need more.
(6.1) Executable code section
In Windows NT, all code segments live in a single section called .text or CODE. Because Windows NT uses a virtual memory management system, having one large code section is easier to manage for both the OS and the application developer. This section also holds the entry point mentioned earlier and the jump thunk table that points into the IAT.
(6.2) Data section
The .bss section represents the application's uninitialized data, including every variable declared static within a function or source module.
.rdata represents read-only data such as literal strings, constants and debug directory information.
All other variables (apart from automatic variables, which live on the stack) are stored in the .data section.
(6.3) Resource section
The .rsrc section holds the resource information of a module. Its first 16 bytes form a header, as in most other sections. But if you view the section's data with a resource editor, you will see that it is organized as a resource tree. ResHacker is a free tool that can add, delete and modify resources. See Figure (13).

Figure (13)
This tool is most often used for looking at dialog boxes. The nag screens found in some shareware applications can easily be removed with ResHacker.
(6.4) Export data section
The .edata section holds the export directory of an application or DLL. It contains the addresses and names of the exported functions. This will be explained in detail later.
(6.5) Import data section
The .idata section holds all kinds of information about imported functions, including the Import Directory and the Import Address Table. This too will be discussed in detail later.
(6.6) Debug information section
Debug information is initially placed in the .debug section. PE files support separate debug files (normally with a .dbg extension). The debug section holds the debug information, but the debug directories live in the .rdata section mentioned earlier. Each debug directory refers back to the debug information in the .debug section.
(6.7) Base Relocation section
When the linker creates an exe file, it makes an assumption about where in memory the file will be mapped. Based on this, the linker writes the actual addresses of code and data into the exe file. If the loader is able to load the file at the base address the linker assumed, the data in the .reloc section is not needed and is ignored.
The entries in the .reloc section are called base relocations, because their use depends on the base address of the loaded image. Base relocations are a collection of locations in the image to which a value needs to be added. The format of base relocations is a little unusual: the base relocation entries are packaged in chunks, and each chunk describes the relocations for one 4KB page of the image.
Let's look at an example to see how base relocation works. Assume an exe file has been linked with base address 0x10000. At offset 0x2134 in the image there is a pointer holding the address of a string. The string starts at physical address 0x14002, so the pointer holds the value 0x14002. When loading the file, the loader decides it must map the image starting at physical address 0x60000. The difference between the base load address the linker assumed and the actual load address is called the delta; here the delta is 0x50000. Because the whole image is 0x50000 bytes higher in memory, the string is now at address 0x64002, so the pointer to the string is no longer correct. The exe file contains a base relocation for the memory location of the pointer that refers to the string. To resolve a base relocation, the loader adds the delta to the original value found at the base relocation address. Here the loader adds 0x50000 to the original pointer value 0x14002 and stores the result, 0x64002, back into the pointer's memory location.
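The walkthrough above carried out in code, as an added example that is not the book's own. The chunk format the text describes but does not lay out is IMAGE_BASE_RELOCATION: a DWORD page RVA, a DWORD SizeOfBlock, then WORD entries with the relocation type in the top 4 bits and the offset within the page in the low 12 bits; the type values used are the standard IMAGE_REL_BASED_ABSOLUTE (0, padding) and IMAGE_REL_BASED_HIGHLOW (3, a 32-bit pointer). The relocation data and the in-memory image are constructed to match the book's numbers (linked at 0x10000, pointer at 0x2134 holding 0x14002, loaded at 0x60000).

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer: add the whole delta

def parse_reloc_blocks(reloc_data):
    """Walk the chunks of the .reloc data. Each chunk (IMAGE_BASE_RELOCATION) is a DWORD page RVA,
    a DWORD SizeOfBlock covering the whole chunk, then WORD entries: type in the top 4 bits,
    offset within the 4KB page in the low 12 bits."""
    blocks, off = [], 0
    while off + 8 <= len(reloc_data):
        page_rva, size = struct.unpack_from("<II", reloc_data, off)
        if size < 8 or off + size > len(reloc_data):
            raise ValueError("malformed relocation block at offset %#x" % off)
        words = struct.unpack_from("<%dH" % ((size - 8) // 2), reloc_data, off + 8)
        blocks.append((page_rva, [(w >> 12, w & 0xFFF) for w in words]))
        off += size
    return blocks

def apply_relocations(image, linked_base, load_base, reloc_data):
    """image: bytearray laid out as in memory (index == RVA). Returns (patched copy, list of fixups)."""
    delta = (load_base - linked_base) & 0xFFFFFFFF   # wraps correctly when loaded below the linked base
    img = bytearray(image)
    fixups = []
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for typ, off in entries:
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % typ)
            at = page_rva + off
            if at + 4 > len(img):
                raise ValueError("relocation at RVA %#x points outside the image" % at)
            old = struct.unpack_from("<I", img, at)[0]
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", img, at, new)
            fixups.append((at, old, new))
    return img, fixups

def worked_example():
    """The book's numbers: image linked at 0x10000, the pointer at offset 0x2134 holds 0x14002
    (the string's address), and the loader maps the image at 0x60000 instead."""
    image = bytearray(0x5000)                        # constructed image, large enough to hold the string RVA
    struct.pack_into("<I", image, 0x2134, 0x14002)
    # One chunk for the page at RVA 0x2000: a HIGHLOW entry at offset 0x134 plus an ABSOLUTE
    # padding entry so the block size stays a multiple of 4 (constructed, as a linker would emit it)
    reloc = struct.pack("<II", 0x2000, 8 + 2 * 2)
    reloc += struct.pack("<HH", (IMAGE_REL_BASED_HIGHLOW << 12) | 0x134, 0)
    img, fixups = apply_relocations(image, 0x10000, 0x60000, reloc)
    return struct.unpack_from("<I", img, 0x2134)[0], fixups

if __name__ == "__main__":
    value, fixups = worked_example()
    print("pointer after relocation: %#x" % value, fixups)
```

worked_example returns the pointer's new value, 0x64002, together with the single fixup (0x2134, 0x14002, 0x64002). The bounds check on each entry matters in practice: a relocation whose page RVA plus offset falls outside the image is how a corrupted or hostile .reloc section would make a naive loader write out of bounds.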
(7) Export Sections
This section mainly concerns DLLs. The paragraphs below are taken from the Win32 Programmer's Reference and explain what DLLs are.
In Microsoft® Windows® dynamic-link libraries (DLL) are modules that contain functions and data. A DLL is
loaded at runtime by its calling modules (.EXE or DLL). When a DLL is loaded it is mapped into the address space
of the calling process.
DLLs can define two kinds of functions: exported and internal. The exported functions can be called by other
modules. Internal functions can only be called from within the DLL where they are defined. Although DLLs can
export data its data is usually only used by its functions.
DLLs provide a way to modularize applications so that functionality can be updated and reused more easily. They
also help reduce memory overhead when several applications use the same functionality at the same time because
although each application gets its own copy of the data they can share the code.
The Microsoft® Win32® application programming interface (API) is implemented as a set of dynamic-link libraries
so any process using the Win32 API uses dynamic linking.
Functions can be exported from a DLL in two ways: by name or by ordinal. An ordinal is a 16-bit (WORD) number that uniquely identifies a function within a particular DLL. Exporting by ordinal is discussed later.
If a function is exported by name, the other DLLs or exes that call it use either its name or its ordinal with GetProcAddress. The GetProcAddress function returns the address of the exported DLL function. The Win32 Programmer's Reference explains how GetProcAddress works as follows. (There is actually more to it than this, but Microsoft does not document it.) Pay particular attention to the highlighted parts as you read.
GetProcAddress
The GetProcAddress function returns the address of the specified exported dynamic-link library (DLL) function.
FARPROC GetProcAddress(
HMODULE hModule, // handle to DLL module
LPCSTR lpProcName // name of function
);
Parameters
hModule
Identifies the DLL module that contains the function. The LoadLibrary or GetModuleHandle function
returns this handle.
lpProcName
Points to a null-terminated string containing the function name, or specifies the function's ordinal value. If
this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.
Return Values
If the function succeeds, the return value is the address of the DLL's exported function.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
Remarks
The GetProcAddress function is used to retrieve addresses of exported functions in DLLs.
The spelling and case of the function name pointed to by lpProcName must be identical to that in the EXPORTS
statement of the source DLL's module-definition (.DEF) file.
The lpProcName parameter can identify the DLL function by specifying an ordinal value associated with the
function in the EXPORTS statement. GetProcAddress verifies that the specified ordinal is in the range 1 through
the highest ordinal value exported in the .DEF file. The function then uses the ordinal as an index to read the
function's address from a function table. If the .DEF file does not number the functions consecutively from 1 to N
(where N is the number of exported functions), an error can occur where GetProcAddress returns an invalid, non-
NULL address, even though there is no function with the specified ordinal.
In cases where the function may not exist, the function should be specified by name rather than by ordinal value.
See Also
FreeLibrary, GetModuleHandle, LoadLibrary
GetProcAddress can do this because the names and addresses of the exported functions are stored in a structure in the Export Directory. We can find the Export Directory ourselves, because it is the first element of the data directory and its RVA sits at offset 78h from the start of the PE header.
The export structure is called IMAGE_EXPORT_DIRECTORY. It has 11 members, some of which are unimportant.
IMAGE_EXPORT_DIRECTORY STRUCT
Characteristics DWORD ?
TimeDateStamp DWORD ?
MajorVersion WORD ?
MinorVersion WORD ?
nName DWORD ?
nBase DWORD ?
NumberOfFunctions DWORD ?
NumberOfNames DWORD ?
AddressOfFunctions DWORD ?
AddressOfNames DWORD ?
AddressOfNameOrdinals DWORD ?
IMAGE_EXPORT_DIRECTORY ENDS

nName - The internal name of the module. This field is needed because the user can rename the file; if that has happened, the PE loader uses this internal name.
nBase - The starting ordinal number (needed so that ordinals can serve as indexes into the function address array).
NumberOfFunctions - The total number of functions (also referred to as symbols) exported by the module.
NumberOfNames - The number of symbols exported by name. This is not the number of all the functions/symbols in the module; for that you have to check NumberOfFunctions. It can be 0, in which case the module exports by ordinal only. If, in the first place, there are no functions/symbols to export at all, the RVA of the export table in the data directory will be zero.
AddressOfFunctions - An RVA pointing to an array of pointers to the RVAs of the functions in the module/Export Address Table (EAT). The RVAs of all the functions in the module are stored in an array, and this field points to the head of that array.
AddressOfNames - An RVA pointing to an array of RVAs of the function names in the module/Export Name Table (ENT).
AddressOfNameOrdinals - An RVA pointing to a 16-bit array holding the ordinals of the named functions/Export Ordinal Table (EOT).

Figure (14)
So the IMAGE_EXPORT_DIRECTORY structure points to three arrays and an ASCII string table. The most important array is the EAT, an array of function pointers holding the addresses of the exported functions. The other two arrays (the ENT and the EOT) run in parallel, in ascending order by function name, so that a binary search can be performed for a function name, yielding its ordinal in the other array. The ordinal is simply an index into the EAT for that function.
Because the EOT array acts as the linkage between names and addresses, it cannot have more elements than the ENT array; that is, each name can have only one associated address. The reverse is not true, since an address can have many names associated with it. If aliases and functions refer to the same address, the ENT ends up with more elements than the EOT.

Figure (15)
For example, if a DLL exports some 40 functions, the array pointed to by AddressOfFunctions (the EAT) must have around 40 members, and the NumberOfFunctions field must hold a value of around 40.
To find a function's address from its name, the OS first reads the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it searches the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) for the function name. If the name is found in the ENT, the value in the associated element of the EOT is extracted and used as an index into the EAT.
For example, let's look for functionX in our DLL with 40 functions. If we find the name of functionX (indirectly, via another pointer) in the 39th element of the ENT, we look in the 39th element of the EOT and find the value 5. To find the RVA of functionX we then look at the 5th element of the EAT.
If you already know a function's ordinal, you can find its address by going straight to the EAT. Getting a function's address by ordinal rather than by name is faster and easier, but the drawback is that it makes the module hard to maintain. If the DLL is upgraded/updated and the ordinals of its functions change, the other programs that depend on the DLL break.
(7.1) Exporting by ordinal only
NumberOfFunctions must be at least equal to NumberOfNames. Sometimes, though, NumberOfNames will be smaller than NumberOfFunctions. A function that is exported by ordinal only has no entry in either the ENT or the EOT; it does not even have a name. Functions without names can only be exported by ordinal.
For example, if there are 70 functions but only 40 entries in the ENT, the module has 30 functions exported by ordinal only. How do we find out which functions these are? It is not easy: you have to work by exclusion, since the EAT entries holding the RVAs of ordinal-only functions are not referenced from the EOT.
The programmer can set the starting ordinal number in the .def file. For example, the table in Figure (15) could start at 200. To avoid needing 200 empty entries at the start of the array, the starting value is stored in the nBase member, and the loader subtracts it from the ordinal number to get the correct index into the EAT.
(7.2) Export Forwarding
Sometimes functions appear to be exported from one DLL while they actually live in a completely different DLL. This is called export forwarding. For example, on WinNT, Win2k and XP the kernel32.dll function HeapAlloc is forwarded to the RtlAllocHeap function exported by ntdll.dll. ntdll.dll holds the native API that interfaces directly with the Windows kernel. Forwarding is performed at link time by a special instruction in the .DEF file.
Forwarding is Microsoft's way of exposing a common Win32 API set while hiding significant low-level differences between the internal API sets of Windows NT and Windows 98.
Applications cannot assume they can call functions in the native API set, because that breaks compatibility between the internal API sets of Windows 9x and Windows 2k/XP. This is why, when you unpack packed exe files and reconstruct their imports by hand on one OS, the result may not work on another OS. This can be due to the forwarding mechanism or to other details having changed.
When a symbol (function) is forwarded, its RVA cannot be a code/data address inside the current module. Instead of a pointer to the function's address, the EAT entry holds a pointer to an ASCII string made up of the DLL name and the name of the function it is forwarded to. In the example above this would be RtlAllocHeap of ntdll.dll.
If a function's EAT entry points to an address inside the Export section (i.e. to an ASCII string), you know that the function is forwarded.
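The lookups described in (7), (7.1) and (7.2), as an added example that is not the book's code: a parser for IMAGE_EXPORT_DIRECTORY that resolves a name through ENT, then EOT, then EAT with a binary search, resolves an ordinal through nBase, finds ordinal-only exports by exclusion, and recognizes a forwarder because its EAT entry points back inside the export data. The export data comes from build_sample_export_section, a constructed layout for a fictional SAMPLE.dll with made-up function names and RVAs; the only page-derived value is the forwarder string naming ntdll's RtlAllocHeap. The parser assumes a single section holds all the export data, so RVA translation is just a subtraction from the section's RVA.

```python
import struct
from bisect import bisect_left

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes, in the member order listed above

def read_cstr(blob, off):
    """Read a NUL-terminated ASCII string."""
    return blob[off:blob.index(b"\0", off)].decode("ascii")

def parse_export_directory(section, section_rva, dir_rva, dir_size):
    """section: raw bytes of the one section that holds the export data, mapped at section_rva.
    dir_rva and dir_size are DataDirectory[0] (the RVA found at offset 78h from the PE header)."""
    def rva2off(rva):
        return rva - section_rva                     # single-section RVA translation (assumption)
    (_chars, _stamp, _major, _minor, n_name, n_base, n_funcs, n_names,
     eat_rva, ent_rva, eot_rva) = struct.unpack_from(EXPORT_DIR_FMT, section, rva2off(dir_rva))
    if n_names > n_funcs:
        raise ValueError("NumberOfNames exceeds NumberOfFunctions")
    eat_raw = struct.unpack_from("<%dI" % n_funcs, section, rva2off(eat_rva))
    ent = [read_cstr(section, rva2off(r))
           for r in struct.unpack_from("<%dI" % n_names, section, rva2off(ent_rva))]
    eot = list(struct.unpack_from("<%dH" % n_names, section, rva2off(eot_rva)))
    if ent != sorted(ent):
        raise ValueError("ENT is not in ascending order; a binary search by name would fail")
    if any(i >= n_funcs for i in eot):
        raise ValueError("EOT index beyond the EAT")
    eat = []
    for rva in eat_raw:
        if dir_rva <= rva < dir_rva + dir_size:     # points back into the export data: a forwarder string
            eat.append(("forward", read_cstr(section, rva2off(rva))))
        else:
            eat.append(("rva", rva))
    return {"name": read_cstr(section, rva2off(n_name)), "base": n_base,
            "eat": eat, "ent": ent, "eot": eot}

def lookup_by_name(exp, name):
    """Binary search the ENT, take the EAT index from the matching EOT slot, return (ordinal, target)."""
    i = bisect_left(exp["ent"], name)
    if i == len(exp["ent"]) or exp["ent"][i] != name:
        return None
    idx = exp["eot"][i]
    return exp["base"] + idx, exp["eat"][idx]

def lookup_by_ordinal(exp, ordinal):
    """Ordinal minus nBase indexes the EAT directly; out-of-range ordinals are rejected rather than
    yielding a bogus address."""
    idx = ordinal - exp["base"]
    if not 0 <= idx < len(exp["eat"]):
        return None
    return exp["eat"][idx]

def ordinal_only_exports(exp):
    """Exclusion, as the text suggests: EAT slots that no EOT entry refers to are exported by ordinal only."""
    named = set(exp["eot"])
    return [exp["base"] + i for i in range(len(exp["eat"])) if i not in named]

def build_sample_export_section():
    """Constructed export data for a fictional SAMPLE.dll (not from the book) mapped at RVA 3000h:
    4 functions with nBase 200, 3 of them named, one forwarded to ntdll's RtlAllocHeap."""
    base = 0x3000
    strs = [b"SAMPLE.dll", b"Alpha", b"Beta", b"Gamma", b"NTDLL.RtlAllocHeap"]
    eat_off, ent_off, eot_off = 40, 40 + 4 * 4, 40 + 4 * 4 + 4 * 3
    rvas, off = {}, eot_off + 2 * 3                  # the strings follow the three tables
    for s in strs:
        rvas[s] = base + off
        off += len(s) + 1
    eat = [0x1100, 0x1200, rvas[b"NTDLL.RtlAllocHeap"], 0x1300]   # index 1 (ordinal 201) has no name
    ent = [rvas[b"Alpha"], rvas[b"Beta"], rvas[b"Gamma"]]         # ascending order, as required
    eot = [0, 3, 2]                                                # Alpha->EAT[0], Beta->EAT[3], Gamma->EAT[2]
    blob = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, rvas[b"SAMPLE.dll"], 200, len(eat), len(ent),
                       base + eat_off, base + ent_off, base + eot_off)
    blob += struct.pack("<4I", *eat) + struct.pack("<3I", *ent) + struct.pack("<3H", *eot)
    blob += b"".join(s + b"\0" for s in strs)
    return blob, base, base, len(blob)

if __name__ == "__main__":
    exp = parse_export_directory(*build_sample_export_section())
    print(exp["name"], lookup_by_name(exp, "Beta"), lookup_by_name(exp, "Gamma"),
          lookup_by_ordinal(exp, 201), ordinal_only_exports(exp))
```

On the sample data, Beta resolves to ordinal 203 and RVA 1300h, Gamma resolves to the forwarder "NTDLL.RtlAllocHeap", ordinal 201 has a target but no name, and an ordinal outside nBase..nBase+NumberOfFunctions returns None instead of an address, which is the range check the GetProcAddress remarks above say the .DEF numbering can defeat.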
(8) Import Sections

The Import section (.idata) holds the information about all functions imported from DLLs. This information is kept in a number of data structures. The most important of them are the Import Directory and the Import Address Table, both discussed below. Some executables also have Bound_Import and Delay_Import directories. Delay_Import is of little interest to us, but the Bound_Import directory is covered later in this chapter.
The Windows loader's job is to load every DLL the application uses and map them into the process address space. It must also find the addresses of all the imported functions in those DLLs and make them available to the executable at load time.
The addresses of a DLL's functions are not static: they change whenever an updated version of the DLL ships. An application therefore cannot be built with hard-coded function addresses. What is needed is a mechanism that does not require patching the executable's code in many places at run time. The solution is the Import Address Table (IAT), which is simply a table of pointers to function addresses that the Windows loader fills in when it loads the DLLs.
Thanks to this pointer table the loader never has to change the addresses of imported functions at the places in the code where they are called. All it has to do is write the correct address into one slot of the import table.
(8.1) Import Directory
The Import Directory is really just an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and describes one DLL from which our PE file imports functions. For example, if our PE file imports functions from 10 different DLLs, the array contains 10 IMAGE_IMPORT_DESCRIPTORs. There is no field giving the number of structures in the array; instead, the array ends with a structure whose fields are all zero.
As with the Export Directory, you can locate the Import Directory through the Data Directory (its entry is at offset 80h from the start of the PE signature in a PE32 file). The first and last members are the most important.
IMAGE_IMPORT_DESCRIPTOR STRUCT
union
Characteristics DWORD ?
OriginalFirstThunk DWORD ?
ends
TimeDateStamp DWORD ?
ForwarderChain DWORD ?
Name1 DWORD ?
FirstThunk DWORD ?
IMAGE_IMPORT_DESCRIPTOR ENDS

The first member, OriginalFirstThunk, is a DWORD union; it may also have been a set of flags at one time. Either way, Microsoft changed its meaning and never bothered to update WINNT.H. What the field actually holds is the RVA of an array of IMAGE_THUNK_DATA structures.
TimeDateStamp is normally zero. It is set to -1 (FFFFFFFFh) when the import has been bound with the new-style bound import directory described in (8.4). The ForwarderChain member is used for old-style binding and is not considered here. Name1 holds a pointer (RVA) to the DLL's ASCII name.
The last member, FirstThunk, also holds the RVA of an array of DWORD-sized IMAGE_THUNK_DATA structures, a duplicate of the first array. If the import is bound, however, the entries of the array FirstThunk points to hold the functions' actual addresses rather than RVAs of IMAGE_IMPORT_BY_NAME structures. The structures are defined as follows.
IMAGE_THUNK_DATA32 STRUCT
union u1
ForwarderString DWORD ?
Function DWORD ?
Ordinal DWORD ?
AddressOfData DWORD ?
ends
IMAGE_THUNK_DATA32 ENDS

Each IMAGE_THUNK_DATA is a DWORD union. In the file on disk it holds either the ordinal of the imported function or the RVA of an IMAGE_IMPORT_BY_NAME structure. Once the file is loaded, the array that FirstThunk points to is overwritten with the addresses of the imported functions and becomes the Import Address Table.
IMAGE_IMPORT_BY_NAME can be written as follows.
IMAGE_IMPORT_BY_NAME STRUCT
Hint WORD ?
Name1 BYTE ?
IMAGE_IMPORT_BY_NAME ENDS

Hint - The Hint is an index into the export name table of the DLL the function lives in. It is there for the PE loader, which can use it to look the function up quickly in the DLL's exports: it tries the name at that index first, and only if it does not match does it fall back to a binary search for the name. The value is not essential, and some linkers set it to zero.
Name1 - Name1 holds the name of the imported function as a null-terminated (\0) ASCII string. Note that although Name1 is declared as a single byte, it is really a variable-length field; there is simply no way to declare a variable-length field inside a structure.
The most important parts are the names of the imported DLLs and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. For each imported DLL there is a separate pair of IMAGE_THUNK_DATA arrays.
Another way to see it: there are a number of IMAGE_IMPORT_BY_NAME structures. You create two arrays and fill both with the RVAs of those IMAGE_IMPORT_BY_NAME structures, so the two arrays hold identical values (exact duplicates). You then set OriginalFirstThunk to the RVA of the first array and FirstThunk to the RVA of the second.
The number of elements in the OriginalFirstThunk and FirstThunk arrays depends on how many functions are imported from that DLL. For example, if the PE file imports ten functions from user32.dll, Name1 in that IMAGE_IMPORT_DESCRIPTOR holds the RVA of the string user32.dll and each array holds ten IMAGE_THUNK_DATA entries followed by the null terminator.
The two parallel arrays go by several names, the most common being Import Address Table (for the one FirstThunk points to) and Import Name Table or Import Lookup Table (for the one OriginalFirstThunk points to).
Why two parallel arrays of pointers to IMAGE_IMPORT_BY_NAME structures? The Import Name Table is left alone and never modified, while the Import Address Table is overwritten by the loader with the real function addresses. Because the RVAs in the Import Name Table survive unchanged, the PE loader can still find the names of the imported functions whenever it needs them again.
The IAT is also pointed to by Data Directory entry number 12, but some linkers do not fill in that entry and the application still runs. The loader uses the entry only to temporarily mark the IAT pages read-write during import resolution; it can resolve the imports without it.

Figure (16)
This is how the Windows loader manages to overwrite the IAT even when it lives in a read-only section. At load time the system temporarily sets the attributes of the pages containing the imports to read/write. Once the import table has been initialized, the pages are returned to their original protected attributes.
Calls to imported functions go through the function pointers in the IAT. This can be done in two ways, one more efficient than the other. As an example, take address 00405030, one of the entries in a FirstThunk array, which the loader has overwritten with the address of GetMessage in user32.dll.
The most efficient way to call GetMessage is:
0040100C CALL DWORD PTR [00405030]
This way is less efficient:
0040100C CALL 00402200
...
00402200 JMP DWORD PTR [00405030]
The second form gives the same result, but it costs an extra 6-byte instruction (the JMP DWORD PTR stub) and runs slower because of the additional jump.
Why are imported functions handled this way at all? The compiler does not distinguish between ordinary functions in the same module and imported functions; it emits the same thing for both: CALL XXXXXXXX, where XXXXXXXX is a real code address (not a pointer) that the linker fills in later. The linker does not know the address of an imported function, so it has to substitute a small chunk of code, the JMP stub shown above.
The proper way to tell the compiler that a function lives in a DLL is the __declspec(dllimport) modifier. With it, the compiler emits CALL DWORD PTR [XXXXXXXX] directly.
If the exe was compiled without __declspec(dllimport), the jump stubs for the imported functions are collected together somewhere in the code. This area is known by various names: transfer area, trampoline or jump thunk table.
(8.2) Exporting functions by ordinal only
As discussed in the Export section, some functions are exported only by ordinal. In that case the caller's module has no IMAGE_IMPORT_BY_NAME for the function; instead, the IMAGE_THUNK_DATA for that function holds the function's ordinal.
Before the exe is loaded you can tell whether an IMAGE_THUNK_DATA holds an ordinal or an RVA by looking at its MSB (most significant bit), or high bit. If the bit is set, the lower 31 bits are taken as the ordinal value. If it is clear, the value is the RVA of an IMAGE_IMPORT_BY_NAME. Microsoft provides a ready-made constant for the DWORD MSB, IMAGE_ORDINAL_FLAG32, whose value is 80000000h.
For example, if a function is exported by ordinal only and its ordinal is 1234h, the IMAGE_THUNK_DATA for that function is 80001234h.
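As an added example, not from the book: a small Python walker for the structures in (8.1) and (8.2). It builds a constructed in-memory image in which RVAs equal buffer offsets (a real file would translate RVAs to raw offsets through the section table; pass such a translator as rva2off), then walks the IMAGE_IMPORT_DESCRIPTOR array, follows the INT or, where OriginalFirstThunk is zero as in TLINK output, the IAT, and tells ordinal imports from IMAGE_IMPORT_BY_NAME entries by IMAGE_ORDINAL_FLAG32. The DLL and function names in the sample are made up.

```python
"""Walk a PE32 import directory (IMAGE_IMPORT_DESCRIPTOR -> INT/IAT thunks ->
IMAGE_IMPORT_BY_NAME). Example code added to this chapter; the image below is a
constructed layout, not bytes from any real file."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESCRIPTOR_FMT = "<5I"  # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name1, FirstThunk
DESCRIPTOR_SIZE = struct.calcsize(DESCRIPTOR_FMT)  # 20 bytes


def ordinal_thunk(ordinal):
    """Thunk value for an import by ordinal only: MSB set, ordinal in the low 31 bits."""
    return IMAGE_ORDINAL_FLAG32 | (ordinal & 0x7FFFFFFF)


def build_sample_image():
    """Constructed image where RVA == offset.  Layout:
    0x000 descriptor array (kernel32, user32, all-zero terminator)
    0x100 kernel32 INT, 0x120 kernel32 IAT (identical on disk)
    0x150 user32 IAT only (OriginalFirstThunk = 0, as TLINK emits)
    0x200 DLL name strings, 0x220/0x240 IMAGE_IMPORT_BY_NAME entries"""
    img = bytearray(0x300)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x200, b"kernel32.dll\0")
    put(0x210, b"user32.dll\0")
    # IMAGE_IMPORT_BY_NAME: WORD Hint, then the null-terminated function name
    put(0x220, struct.pack("<H", 0x123) + b"GetProcAddress\0")
    put(0x240, struct.pack("<H", 0) + b"ExitProcess\0")
    thunks = struct.pack("<3I", 0x220, 0x240, 0)  # two names + null terminator
    put(0x100, thunks)
    put(0x120, thunks)
    put(0x150, struct.pack("<2I", ordinal_thunk(0x1234), 0))
    put(0x000, struct.pack(DESCRIPTOR_FMT, 0x100, 0, 0, 0x200, 0x120)
             + struct.pack(DESCRIPTOR_FMT, 0, 0, 0, 0x210, 0x150)
             + bytes(DESCRIPTOR_SIZE))  # terminator: all fields zero
    return bytes(img)


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def walk_imports(img, import_dir_rva, rva2off=lambda rva: rva):
    """Return one dict per imported DLL with its import entries.
    Each entry records iat_rva, the slot the loader overwrites with the real address."""
    dlls = []
    off = rva2off(import_dir_rva)
    while True:
        oft, stamp, _fwd, name_rva, ft = struct.unpack_from(DESCRIPTOR_FMT, img, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor ends the array
        bound = stamp == 0xFFFFFFFF  # -1: new-style bound import, IAT holds addresses
        if oft == 0 and bound:
            raise ValueError("bound import without an INT: IAT holds addresses, not thunks")
        thunk_rva = oft or ft  # prefer the untouched INT, fall back to the IAT
        entries = []
        i = 0
        while True:
            thunk, = struct.unpack_from("<I", img, rva2off(thunk_rva) + 4 * i)
            if thunk == 0:
                break
            entry = {"iat_rva": ft + 4 * i}
            if thunk & IMAGE_ORDINAL_FLAG32:
                entry.update(kind="ordinal", ordinal=thunk & 0x7FFFFFFF)
            else:
                hint, = struct.unpack_from("<H", img, rva2off(thunk))
                entry.update(kind="name", hint=hint, name=read_cstr(img, rva2off(thunk) + 2))
            entries.append(entry)
            i += 1
        dlls.append({"dll": read_cstr(img, rva2off(name_rva)), "bound": bound,
                     "has_int": oft != 0, "imports": entries})
        off += DESCRIPTOR_SIZE
    return dlls


if __name__ == "__main__":
    for d in walk_imports(build_sample_image(), 0):
        print(f"{d['dll']}  bound={d['bound']}  INT={'yes' if d['has_int'] else 'no'}")
        for e in d["imports"]:
            what = e["name"] if e["kind"] == "name" else f"ordinal {e['ordinal']:#x}"
            print(f"    IAT[{e['iat_rva']:#06x}] -> {what}")
```

The walker reads the INT rather than the IAT whenever it can, because on a bound file (TimeDateStamp = -1) the IAT already holds addresses that are meaningless outside the machine the file was bound on; when a file has no INT at all and is bound, it refuses rather than guess.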
(8.3) Bound Import
When the loader loads a PE file into memory, it examines the import table and loads the required DLLs into the process address space. It then goes to the array pointed to by FirstThunk and replaces each IMAGE_THUNK_DATA with the real address of the imported function. If the programmer could somehow compute the function addresses correctly in advance, the PE loader would not have to fix up the IMAGE_THUNK_DATAs every time the PE file runs, because the correct addresses would already be there.
A utility called Bind.exe, shipped with Microsoft's compilers, does exactly that: it walks the PE file's IAT (the FirstThunk array) and replaces the IMAGE_THUNK_DATAs with the addresses of the imported functions. When the file is loaded, the PE loader must check whether those addresses are still valid. If the DLL versions do not match the ones the PE file was bound against, or if a DLL had to be relocated, the PE loader knows the bound addresses are stale and goes to the Import Name Table (the OriginalFirstThunk array) to compute fresh ones. So although the INT is not needed to load a file, an exe cannot be bound if it has no INT. Borland's linker, TLINK, does not generate an INT, so files produced by Borland cannot be bound. Another consequence of a missing INT is discussed in the next chapter.
(8.4) Bound Import Directory
The information the loader uses to decide whether bound addresses are still valid is kept in IMAGE_BOUND_IMPOR_DESCRIPTOR structures. A bound executable contains a list of these structures, one for each imported DLL that has been bound.
IMAGE_BOUND_IMPORT_DESCRIPTOR STRUCT
TimeDateStamp DWORD ?
OffsetModuleName WORD ?
NumberOfModuleForwarderRefs WORD ?
IMAGE_BOUND_IMPORT_DESCRIPTOR ENDS

The TimeDateStamp member must match the TimeDateStamp in the FileHeader of the exporting DLL. If it does not, the loader assumes the binary was bound against a different build of the DLL and patches the import list again. This happens when the exporting DLL's version does not match or when it had to be relocated in memory.
The OffsetModuleName member holds the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the null-terminated ASCII name of the DLL.
The NumberOfModuleForwarderRefs member is the number of IMAGE_BOUND_FORWARDER_REF structures that follow.
IMAGE_BOUND_FORWARDER_REF STRUCT
TimeDateStamp DWORD ?
OffsetModuleName WORD ?
Reserved WORD ?
IMAGE_BOUND_FORWARDER_REF ENDS

Comparing this structure with the previous one, everything is the same except for the last member, Reserved. When a function forwards to another DLL, the validity of that forwarded-to DLL must also be checked at load time, since it was bound as well. IMAGE_BOUND_FORWARDER_REF carries the details of those forwarded-to DLLs.
For example, suppose kernel32.dll's HeapAlloc forwards to ntdll.dll's RtlAllocateHeap. If we build an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll, followed by an IMAGE_BOUND_FORWARDER_REF that tracks ntdll.dll.
Note: function names do not appear in these structures, because the loader already knows from the IMAGE_IMPORT_DESCRIPTOR which functions are bound.
(9) Loader
This part is not essential, but it is meant for those who want a deeper understanding of how the OS works. I also want to explain how subsections (7) and (8) relate to each other.
(9.1) What does the loader do?
When an executable runs, the Windows loader creates a virtual address space for the process and maps the executable module from disk into that address space. The loader tries to load the image at its preferred base address and lays its sections out in memory: it walks the section table and places each section at the address obtained by adding the section's RVA to the base address. Page attributes are set according to each section's characteristics. Once the sections are in memory, the loader performs base relocation if the load address differs from the preferred base address given in ImageBase.
Next it examines the import table and maps the required DLLs into the process address space. Once all DLL modules are in place, the loader examines each DLL's export section and fixes up the IAT so that it points to the real addresses of the imported functions. If a symbol cannot be found (very rare), the loader reports an error.
From a cracking point of view the interesting parts are the loading of the DLLs and the resolution of the imports. These are complex processes, carried out by various (forwarded) functions and routines in the undocumented ntdll.dll. As I said earlier, function forwarding is Microsoft's way of presenting a common Win32 API set while hiding the low-level differences between different OSes. Many familiar kernel32 functions such as GetProcAddress are just thin wrappers around the ntdll.dll exports that do the real work, in this case LdrGetProcAddress.
To see this for yourself you need to install WinDbg 6.x together with the Windows symbol package (both free from Microsoft), or a kernel-mode debugger such as SoftICE 4.x. In Olly you can only see these functions if you have configured it to use Microsoft's symbol server; otherwise you will only see pointers and memory addresses without function names. In any case Olly is a user-mode debugger and only shows what happens once your application has been loaded; it does not let you watch the loading process itself. WinDbg's everyday features are no match for Olly's, but it is integrated with the OS and does show the loading process. Figure (17).

Figure (17)
When an exe is loaded, the various APIs involved converge on kernel32.dll's LoadLibraryExW and lead into ntdll.dll's LdrpLoadDll. That function directly calls six subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which do the following:
1. Check whether the module is already loaded.
2. Map the module and its supporting data into memory.
3. Walk the module's import descriptor table (looking for the other modules this one imports).
4. Update the module's load count, along with those of the other modules brought in by this DLL.
5. Initialize the module.
6. Clear the flags that indicate a load is in progress.

Figure (18)
A DLL can in turn import other modules, in a cascade. The loader has to loop through each module to learn what it needs to load and what its dependencies are; that is the job of LdrpWalkImportDescriptor. It has two subroutines, LdrpLoadImportModule and LdrpSnapIAT. It begins with two calls to RtlImageDirectoryEntryToData to locate the Bound Import Descriptor and the regular Import Descriptor table. Note that the loader checks the bound imports first: even without an import directory, an application runs if it has bound imports.
Next, LdrpLoadImportModule builds a Unicode string for each DLL in the Import directory and then uses LdrpCheckForLoadedDll to see whether each is already loaded.
Then the LdrpSnapIAT routine checks whether all the DLL references in the Import directory carry the value -1 (that is, it again checks for bound imports first). It then changes the memory protection of the IAT to PAGE_READWRITE and goes on to examine each IAT entry before handing it to the LdrpSnapThunk subroutine.
LdrpSnapThunk uses the function's ordinal to locate its address and determines whether the function is forwarded. Otherwise it calls LdrpNameToOrdinal, which does a binary search over the export table to find the ordinal quickly. If the function cannot be found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it writes the API's entry point into the IAT entry and returns to LdrpSnapIAT, which restores the memory protection it changed at the start of its work, calls NtFlushInstructionCache to refresh the cache for the memory block holding the IAT, and returns to LdrpWalkImportDescriptor.
Here there is a peculiar difference between Windows versions. Windows 2000 insists that ntdll.dll be loaded both as a bound import and through the regular import directory before the exe is loaded. Windows 9x and Windows XP can run an application even without imports. The loader has to examine every imported API in order to compute its real address in memory and to learn whether the API is forwarded. Every imported DLL may bring in further modules, and the process repeats until all dependencies have been examined.
(10) Adding code to a PE file
Crackers sometimes run into situations where they need to insert code into a program, either to crack a protection scheme or to add new functionality. The three main ways of adding code to a file are:
1. Write the code into an existing section, if it has enough free space for your code.
2. If there is not enough room, enlarge an existing section.
3. Add a new section.
(10.1) Adding code to an existing section
If we want to add code to an existing section, the simplest place is the CODE section. Let us look for a region of the CODE section that is filled with 00 bytes; this is the idea of a "cave". To find a suitable cave, let us look at the CODE section in LordPE.

Figure (19)
What we see here is that VirtualSize (00029E88) is slightly smaller than SizeOfRawData (0002A000). SizeOfRawData is the amount of space the section takes when the file is stored on your hard disk. Note that this section's VirtualSize is smaller than the space it occupies on disk. That happens because compilers frequently have to round a section's size up to align it on a boundary. Looking at the file in a hex editor, the end of the CODE section (just before the DATA section begins) looks like Figure (20).
Figure (20)
This free space is unused and is not loaded into memory. What we have to make sure of is that the code we insert does get loaded into memory, and for that we have to change the size attribute. At the moment the section's virtual size is only 29E88, because that is all the compiler needed. We need a little more than that, so in LordPE we change the CODE section's virtual size to 29FFF. (That is the largest value we can set; RawSize is 2A000.) To do this, right-click on the word CODE and choose edit section header. Change VirtualSize to 29FFF and save the file.
We now have a suitable place to store the code we are going to patch in. What we changed is the VirtualSize DWORD of the CODE section's entry in the Section Table; we could just as well have changed it by hand in a hex editor.
To make this clearer, let us write a small sample assembly stub. First note the entry point value 0002ADB4 and the ImageBase 400000 shown in LordPE; when Olly loads the application the entry point will therefore be at 0042ADB4. We will add the code below and change the entry point to 42AF00, where the first instruction of our code sits.
MOV EAX, 0042ADB4 ; Load in EAX the Original Entry Point (OEP)
JMP EAX ; Jump to OEP
We will put this code at offset 0002A300h, which we saw in the hex editor above. To convert this raw file offset into the virtual address Olly uses, apply this formula (the part without ImageBase is the RVA; adding ImageBase gives the VA):
VA = raw offset - raw offset of section + virtual offset of section + ImageBase
= 2A300h - 400h + 1000h + 400000h = 42AF00h
So open the file in Olly and press Ctrl+G to jump directly to the place we want to change. Type 42AF00 and you land where the code is to be entered. Then edit it as in Figure (21).

Figure (21)
Afterwards, to save the edited code, right-click and choose Copy to executable > All modifications. In the message box that appears choose Copy, and a new window opens. Right-click in that window, choose Save file and save it under any name you like. Once the file is saved, change the Entry point in LordPE to 0002AF00 and save the file. Check that the application still runs, then reopen the saved file in Olly: you will see that the entry point has changed.

Figure (22)
Looking at the file in a hex editor you will see Figure (23); plenty of free space is still left.

Figure (23)
(Enlarging an existing section and adding a new section are not covered here, to keep the book from getting too thick. For the details I recommend reading PE File Format by Goppit of ARTeam.)
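As an added example, not from the book: the cave search, raw-offset-to-VA conversion and stub from (10.1), done in Python instead of by hand in LordPE and a hex editor. The section table and file image are constructed from the values read off LordPE above (CODE at RVA 1000h, raw offset 400h, VirtualSize 29E88h, SizeOfRawData 2A000h, ImageBase 400000h); the file contents are filler bytes, not the real program, and the DATA section figures are made up.

```python
"""Code-cave patching helpers for (10.1): find the zero-filled slack at the end of a
section, convert raw offsets to virtual addresses, emit the MOV EAX,OEP / JMP EAX
stub and compute the header fields that must change. Example code added to this
chapter; the image and section table below are constructed from the figures in the
text, not from the real file."""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int     # VirtualSize
    virtual_address: int  # section RVA
    raw_size: int         # SizeOfRawData
    raw_offset: int       # PointerToRawData


def sample_sections():
    """Section table as read off LordPE in the text (constructed; DATA values made up)."""
    return [Section("CODE", 0x29E88, 0x1000, 0x2A000, 0x400),
            Section("DATA", 0x0E00, 0x2B000, 0x1000, 0x2A400)]


def sample_image():
    """Constructed file: headers and code filled with 0CCh, alignment slack zero-filled."""
    code = sample_sections()[0]
    used = code.raw_offset + code.virtual_size
    return bytes(b"\xcc" * used) + bytes(code.raw_size - code.virtual_size) + bytes(0x1000)


def raw_to_va(sections, image_base, raw_off):
    """VA = raw offset - section raw offset + section RVA + ImageBase (the text's formula)."""
    for s in sections:
        if s.raw_offset <= raw_off < s.raw_offset + s.raw_size:
            return raw_off - s.raw_offset + s.virtual_address + image_base
    raise ValueError(f"raw offset {raw_off:#x} lies in no section")


def va_to_raw(sections, image_base, va):
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return rva - s.virtual_address + s.raw_offset
    raise ValueError(f"VA {va:#x} has no backing in the file")


def find_cave(image, section, need):
    """(raw offset, size) of the slack between VirtualSize and SizeOfRawData, but only
    if it is large enough and really zero-filled; otherwise None."""
    start = section.raw_offset + section.virtual_size
    end = section.raw_offset + section.raw_size
    if end - start < need or any(image[start:end]):
        return None
    return start, end - start


def build_stub(oep_va):
    """B8 imm32 = MOV EAX, imm32 ; FF E0 = JMP EAX   (7 bytes)"""
    return b"\xb8" + struct.pack("<I", oep_va) + b"\xff\xe0"


def inject_stub(image, sections, image_base, section, oep_rva, at_raw=None):
    """Write the stub into the cave of `section`.  Returns the patched image, the new
    AddressOfEntryPoint (RVA) and the smallest VirtualSize that still maps the stub."""
    stub = build_stub(image_base + oep_rva)
    cave = find_cave(image, section, len(stub))
    if cave is None:
        raise ValueError("no zero-filled cave large enough")
    start, size = cave
    at_raw = start if at_raw is None else at_raw
    if not (start <= at_raw and at_raw + len(stub) <= start + size):
        raise ValueError("chosen offset is outside the cave")
    patched = bytearray(image)
    patched[at_raw:at_raw + len(stub)] = stub
    new_virtual_size = at_raw + len(stub) - section.raw_offset
    new_entry_rva = raw_to_va(sections, image_base, at_raw) - image_base
    return bytes(patched), new_entry_rva, new_virtual_size


if __name__ == "__main__":
    secs, base = sample_sections(), 0x400000
    img, ep, vsize = inject_stub(sample_image(), secs, base, secs[0], 0x2ADB4, at_raw=0x2A300)
    print(f"stub at raw {0x2A300:#x} = VA {raw_to_va(secs, base, 0x2A300):#x}")
    print(f"new AddressOfEntryPoint RVA {ep:#x}, CODE VirtualSize >= {vsize:#x}")
```

The text sets VirtualSize to 29FFF, the largest value below SizeOfRawData; anything from the minimum the function returns (29F07h here) up to that works. find_cave refuses a cave whose bytes are not actually zero, which is the check worth making before trusting the size figures in LordPE alone.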
(11) Fixing PE header problems
So we have studied the PE header. You may be wondering why we went into the PE header in such detail, so let us look at a real program. The program (RegisterMe.oops.exe) can be downloaded with Lena151's tutorial (3). Opening it in Olly and examining it gives Figure (24).

Figure (24)
Looking at the Data (dump) window, there are no strings at all, as in Figure (25).

Figure (25)
Right. You need to understand that some viruses (and protectors too) play tricks in the PE header so that the file cannot be debugged. So let us take a closer look at the PE header. Press Alt+M (Memory map). Figure (26).

Figure (26)
Looking at Figure (26) you will notice that the sections have vanished; only the PE header is there. Where did the code, data and so on that we usually see go? The header's size is also 5000, although, as I explained earlier, the header usually occupies only 1000.
A little explanation is needed here. Nothing major has been changed in the file, only a few fields of the PE header. (To be precise, only certain viruses, protectors and the like do this.) The result is that the program runs perfectly well on Windows XP, while Olly gets badly confused by the changes (it may even appear busy for a moment, because it tries to locate everything). Let us look at the header. Figure (27).

Figure (27)
Double-clicking VA 00400000 in Figure (26) shows Figure (27). Scroll down a little with the mouse.

Figure (28)
In Figure (28), SizeOfCode should be 400 instead of 40000400. It is at VA 004000DC; note the address, since we will change it shortly. SizeOfInitializedData should be A00 instead of 40000A00. BaseOfCode should be 1000 instead of 40001000, and BaseOfData should be 2000 instead of 40002000. Scroll down a little more. Figure (29).

Figure (29)
NumberOfRvaAndSizes should be 00000010 instead of 40000004. The Export Table address should be zero instead of 500000, and the Export Table size should also be zero instead of 500000.
I should mention that there are better tools than Olly for this; they are discussed later. For now let us edit the values I just listed, and I will do it in Olly's dump window.
(Note: you edit by changing the binary values you want to change; do not forget the byte order (endianness), which I will come back to later. There are plenty of tools for this, but I think what matters is that you understand what you are doing.)

Figure (30)
As shown in Figure (30), right-click in the dump window and choose Go to > Expression.

Figure (31)
Then type 4000DC as shown in Figure (31). To edit, right-click and choose view executable file. You will see Figure (32).

Figure (32)
Right-click in Figure (32) and choose Edit from the Binary menu. You will see Figure (33).
Figure (33)
You can now start editing (provided you still remember the opcodes). Frankly, editing the module in memory is easier, but I wanted to show this method. Once everything has been edited you will see Figure (34).

Figure (34)
Figure (34) shows the values we had to change, after editing. Now right-click and choose Save file, then reopen the saved file in Olly. You will see Figure (35).

Figure (35)
In Figure (35) the sections that were missing before are back. One point worth remembering: the header size of 5000 seen in Figure (26) was the size of all the sections plus the header added together.

Figure (36)
Fixing PE header problems in Olly is laborious, so let us try fixing one with a PE tool instead. The program chosen for this is UnpackMe#5.exe from Lena151's tutorial (37). Scanning it with PEiD gives Figure (36).
In fact UnpackMe#5.exe was not written in Visual C++; a protector disguised it to look as if it were. Since protectors are not discussed yet, set this point aside for now.
Right, to see what tricks have been played with the PE header, open the program in Olly. Figure (37).

Figure (37)
As Figure (37) shows, no code appears at all and the program just runs (hangs). Task manager shows what Figure (38) shows.

Figure (38)
Before UnpackMe#5.exe was opened, task manager showed page file usage of only 149MB. Why does opening the 87KB UnpackMe#5.exe eat so much page file? Something seems to be wrong in the PE header. So let us open UnpackMe#5.exe with PE Tools 1.5. Figure (39).
Figure (39)
Choosing PE Editor from the Tools menu and opening UnpackMe#5.exe gives Figure (39). Clicking the Optional Header button in Figure (39) gives Figure (40).

Figure (40)
Change Size Of Init Data to 3FA00, Size of UnInit Data to 0, Base Of Code to 3E000, Base of Data to 13000, Number Of Rva and Sizes to 10, Size of Heap Commit to 1000, Size of Heap Reserve to 100000, Size of Stack Commit to 1000 and Size of Stack Reserve to 100000, and save the file. Open the saved file in Olly: you will see Figure (41).

Figure (41)
Clicking the OK button in Figure (41) gives Figure (42).

Figure (42)
The error message in Figure (41) appears because the code section value is wrong. Olly shows the error, but the program runs correctly anyway, so there is nothing to worry about. If you want to get rid of the error, look up the code section's value in the memory map (Alt+M). Figure (43).

Figure (43)
So the 3E000 we entered for Base Of Code in Figure (40) should have been 1000. Change that value in any PE editor and save the file, and no error will be shown.
(12) Terms used in the PE header
(Tested with ReverseMe.exe.)
(1) TimeDateStamp 3/17/2000, 1:04:06 AM (38D1291E)
TimeDateStamp refers to the time the file was created. Olly shows it as a hex number; for the ReverseMe program it is 38D1291E. Some PE viewers show it in ordinary form rather than in hex, for example 3/17/2000, 1:04:06 AM. This value is the number of seconds in Greenwich Mean Time since January 1, 1970, and it is more accurate than the date/time that comes with the file automatically. If you want to calculate it yourself, convert the hexadecimal 38D1291E to decimal: you get 953231646 seconds. Since it is in seconds, convert it to hours; dividing by 3600 gives 264786. Divide that by 24 to get days, then by 365 to get years. That gives 30 years. This is a rough calculation. Where do we add the result? To the January 1, 1970 mentioned earlier. If you calculate exactly, the correct answer comes out as March 17, 2000.
(2) Machine FILE_MACHINE_I386
The processor type of the computer this file will run on. The common values are:
FILE_MACHINE_I386
Intel 80386 or later models and compatible processors.
FILE_MACHINE_AMD64
x64
FILE_MACHINE_IA64
Intel Itanium processor family.
(3) Characteristics 0x10f (flags that describe the file's attributes.)
FILE_RELOCS_STRIPPED 0x1
(If this is 0x1, the file contains no base relocations, so the loader must load it at its preferred base address. If that base address is not available, the loader reports an error. The linker's normal behaviour is to strip base relocations from EXE files.)
FILE_EXECUTABLE_IMAGE 0x2
(This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error.)
FILE_LINE_NUMS_STRIPPED 0x4
(COFF line numbers have been removed.)
FILE_LOCAL_SYMS_STRIPPED 0x8
(COFF symbol table entries for local symbols have been removed.)
FILE_32BIT_MACHINE 0x100
(The machine is based on 32-bit architecture.)
(4) Subsystem SUBSYSTEM_WINDOWS_GUI
The subsystem required to run this image. The possible values are:
SUBSYSTEM_NATIVE
Device drivers and native Windows processes.
SUBSYSTEM_WINDOWS_GUI
The Windows GUI subsystem.
SUBSYSTEM_WINDOWS_CUI
The Windows character subsystem.
SUBSYSTEM_POSIX_CUI
The Posix character subsystem.
SUBSYSTEM_WINDOWS_CE_GUI
Windows CE
SUBSYSTEM_EFI_APPLICATION
Extensible Firmware Interface (EFI) application.
SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
An EFI driver with boot services.
SUBSYSTEM_EFI_RUNTIME_DRIVER
An EFI driver with run-time services.
SUBSYSTEM_EFI_ROM
An EFI ROM image.
(5) LinkerVersion 5.12
The version of the linker used to build the file. For PE files produced by the Microsoft linker, this version number corresponds to the Visual Studio version number.
(6) SizeOfImage 20480 (0x5000)
The amount of memory the system must reserve when the file is loaded into memory. This must be a multiple of the section alignment.
(7) SizeOfCode 1024 (0x400)
The size of the code section (in bytes), or, if there are several code sections, the sum of all of them.
(8) SizeOfInitializedData 2560 (0xa00)
The size of the initialized data section (in bytes), or, if there are several initialized data sections, the sum of all of them.
(9) SizeOfUninitializedData 0 (0x0)
The size of the uninitialized data section (in bytes), or, if there are several uninitialized data sections, the sum of all of them.
(10) ImageBase 0x400000
The address of the first byte of the image when it is loaded into memory. This value is a multiple of 64K bytes. The default for DLL files is 0x10000000. The default for 32-bit applications is 0x00400000.
(11) BaseOfCode 0x401000
Points to the start of the code section. Relative to the image base.
(12) BaseOfData 0x402000
Points to the start of the data section. Relative to the image base.
(13) AddressOfEntryPoint 0x401000
Points to the entry point function. Relative to the image base address. For DLL files the entry point function is optional. When there is no entry point, this value is zero.
(14) FileAlignment 512 (0x200)
The alignment of the raw data of the sections in the image file, in bytes. The value must be a power of 2 between 512 and 64K (inclusive). The default is 512. If the SectionAlignment is smaller than the system's page size, this value should equal the SectionAlignment.
(15) SectionAlignment 4096 (0x1000)
The alignment of the sections when they are loaded into memory, in bytes. This value must be greater than or equal to the FileAlignment. The default is the system's page size.
(16) OperatingSystemVersion 4.0
(17) SubsystemVersion 4.0
(18) ImageVersion 0.0
(19) CheckSum 46233 (0xb499)
The computed checksum of the image. (A checksum is a computed value used to check whether errors occurred while storing data. After the data has been stored, the checksum is computed again by the same method. If the two checksums differ, an error is reported and the data is stored again. Checksums cannot detect every error, and they cannot repair corrupted data.) Checksums are required for kernel-mode drivers and some system DLLs. Otherwise this field may be zero.
(20) SizeOfStackReserve 1048576 (0x100000)
In EXE files, the maximum size to which the stack of the first thread in the process can grow. Not all of this memory is committed at first.
(21) SizeOfStackCommit 4096 (0x1000)
In EXE files, the amount of memory initially committed to the stack.
(22) SizeOfHeapReserve 1048576 (0x100000)
In EXE files, the size initially reserved for the process heap.
(23) SizeOfHeapCommit 4096 (0x1000)
In EXE files, the amount of memory initially committed to the heap.
(24) LoaderFlags 0 (0x0)
(No longer used.)
(25) Win32VersionValue 0 (0x0)
(No longer used.)
(26) PointerToRawData
A file pointer to the first page of the section within the module file. It must be a multiple of the FileAlignment in the module header. When the section contains only uninitialized data, this field must be zero.
(27) VirtualAddress
The address of the first byte of the section, relative to the image base, when loaded into memory.
(28) VirtualSize
The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is padded with zeros.
(29) SizeOfRawData
The size of the initialized data on disk. It is a multiple of the FileAlignment in the module header. If this value is less than the VirtualSize, the remainder of the section is filled with zeros. When the section contains only uninitialized data,
 this field must be zero.
(30) Data Directory
An array of 16 IMAGE_DATA_DIRECTORY entries that point to the important parts of an EXE file. This array lets the loader quickly find specific sections of the image (for example, the table of imported functions) without having to walk every image section again and again comparing names.
(a) Load Configuration
Points to the IMAGE_LOAD_CONFIG_DIRECTORY structure, which controls internal system checks and troubleshooting features.
(b) IAT (Import Address Table)
Points to the start of the first Import Address Table (IAT). The IATs for each imported DLL appear one after another in memory. The Size field gives the total size of all the IATs. The loader uses this address and size to temporarily mark the IATs as read-write during import resolution.
(c) TLS Table
Points to the Thread Local Storage initialization section. The TLS section holds the thread-local variables declared with declspec(thread). When these variables are used, the compiler places them in a section named .tls. This section contains the initial values of the data as well as additional variables needed at run time.
(d) Base Relocation Table
Points to the base relocation information.
(e) Debug Directory
Points to an array of IMAGE_DEBUG_DIRECTORY structures. Each of them describes some debug information for the image.
(f) Bound Import Table
Points to an array of IMAGE_BOUND_IMPORT_DESCRIPTORs.
(g) Resource Table
Points to the resources.
(h) Delay Import Tables
Points to the delayload information, an array of ImgDelayDescr structures, which Visual C++ defines in DELAYIMP.H. Delayloaded DLLs are not loaded until an API found in them is called for the first time. It is important to note that there is nothing in Windows that can be completely relied on as far as delay-loading DLLs are concerned.
SCN_CNT_INITIALIZED_DATA - The section contains initialized data.
SCN_MEM_READ - The section can be read.
SCN_MEM_WRITE - The section can be written.
SCN_CNT_CODE - The section contains executable code.
SCN_MEM_EXECUTE - The section can be executed as code.
SCN_MEM_DISCARDABLE - The section can be discarded as needed.
SCN_MEM_SHARED - The physical pages holding this section's data are shared among all processes that load this executable, so every process sees exactly the same values for the data in this section. This is useful for creating global variables that are shared among all instances of a process.
(i) .arch – Alpha architecture information section
(i) .bss – Uninitialized data section
(i) .crt – Data added for supporting the C++ runtime (CRT). A good example is the
function pointers that are used to call the constructors and destructors of static C++ objects.
(i) .data – Initialized data section
(i) .debug – Debug information section. A debug section exists only when debug
information is mapped in the address space. The default for the linker is that debug information
is not mapped into the address space of the image.
(i) .didat – Delayload import data. Found in executables built in nonrelease mode. In
release mode, the delayload data is merged into another section.
(i) .edata – Export tables section
(i) .idata – Import tables section
(i) .pdata – Exception information section
(i) .rdata – Read-only initialized data section
(i) .reloc – Image relocations section
(i) .rsrc – Resource directory section
(i) .text – Executable code section
(i) .tls – Thread-local storage section. The section contains data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime.
(i) .xdata – Exception information section
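As an added example (not code from the book or from the tools it uses), the following Python script parses the COFF header, the PE32 optional header and the section table described above, decodes TimeDateStamp, and applies the alignment and layout rules given for the fields, flagging the kind of inconsistency that made UnpackMe#5 misbehave. The header image it checks is constructed inline from the ReverseMe.exe values quoted above; it is header-only, not a real executable, and the loader's own behaviour is not reproduced.

```python
"""Header triage for a 32-bit PE file: parse the fields described above and
flag values that break the layout rules the Windows loader relies on."""
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes
COFF_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # 96 bytes before data dirs
OPT32_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
    "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
    "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
    "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes")
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return the COFF header, PE32 optional header and section table as dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = dict(zip(COFF_FIELDS, struct.unpack_from(COFF_FMT, data, e_lfanew + 4)))
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    opt = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10B) is handled here")
    sect_off = opt_off + coff["SizeOfOptionalHeader"]
    sections = []
    for i in range(coff["NumberOfSections"]):
        raw = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        sections.append({"Name": raw[0].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": raw[1], "VirtualAddress": raw[2],
                         "SizeOfRawData": raw[3], "PointerToRawData": raw[4],
                         "Characteristics": raw[9]})
    return {"coff": coff, "opt": opt, "sections": sections}


def timestamp_utc(stamp: int) -> str:
    """TimeDateStamp counts seconds since 1970-01-01 UTC. The ReverseMe value
    0x38D1291E is 2000-03-16 18:34:06 UTC; the 3/17/2000 1:04:06 AM quoted in the
    text is the same instant displayed in a UTC+6:30 zone."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def check_header(pe: dict) -> list:
    """Apply the rules from the field descriptions; one message per violation.
    A header that passes can still lie, but one that fails (for example the
    UnpackMe#5 BaseOfCode of 3E000 with no section there) deserves a closer look."""
    o, findings = pe["opt"], []
    fa, sa = o["FileAlignment"], o["SectionAlignment"]
    if not (fa and (fa & (fa - 1)) == 0 and 0x200 <= fa <= 0x10000):
        findings.append(f"FileAlignment {fa:#x} is not a power of 2 in [512, 64K]")
    if sa < fa:
        findings.append(f"SectionAlignment {sa:#x} is smaller than FileAlignment {fa:#x}")
    if sa and o["SizeOfImage"] % sa:
        findings.append(f"SizeOfImage {o['SizeOfImage']:#x} is not a multiple of SectionAlignment")
    if o["ImageBase"] % 0x10000:
        findings.append(f"ImageBase {o['ImageBase']:#x} is not a multiple of 64K")

    def span(s):  # RVA range the section occupies once mapped
        return s["VirtualAddress"], s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"])

    for name in ("AddressOfEntryPoint", "BaseOfCode"):
        rva = o[name]
        if rva and not any(lo <= rva < hi for lo, hi in map(span, pe["sections"])):
            findings.append(f"{name} {rva:#x} points outside every section")
    for s in pe["sections"]:
        if fa and (s["PointerToRawData"] % fa or s["SizeOfRawData"] % fa):
            findings.append(f"section {s['Name']}: raw pointer/size not FileAlignment-aligned")
        if span(s)[1] > o["SizeOfImage"]:
            findings.append(f"section {s['Name']} extends past SizeOfImage")
    return findings


def build_sample_pe(**overrides) -> bytes:
    """Constructed header-only image (not a real executable) carrying the
    ReverseMe.exe values quoted above plus a .text and a .data section; keyword
    overrides deliberately damage optional-header fields for testing."""
    opt = dict.fromkeys(OPT32_FIELDS, 0)
    opt.update(Magic=0x10B, MajorLinkerVersion=5, MinorLinkerVersion=12, SizeOfCode=0x400,
               SizeOfInitializedData=0xA00, AddressOfEntryPoint=0x1000, BaseOfCode=0x1000,
               BaseOfData=0x2000, ImageBase=0x400000, SectionAlignment=0x1000,
               FileAlignment=0x200, MajorOperatingSystemVersion=4, MajorSubsystemVersion=4,
               SizeOfImage=0x5000, SizeOfHeaders=0x400, CheckSum=0xB499, Subsystem=2,
               SizeOfStackReserve=0x100000, SizeOfStackCommit=0x1000,
               SizeOfHeapReserve=0x100000, SizeOfHeapCommit=0x1000, NumberOfRvaAndSizes=16)
    opt.update(overrides)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x38D1291E, 0, 0, 224, 0x10F)
    opt_bytes = struct.pack(OPT32_FMT, *(opt[f] for f in OPT32_FIELDS)) + b"\0" * 128
    text = struct.pack(SECTION_FMT, b".text", 0x400, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0xA00, 0x2000, 0xA00, 0x800, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + opt_bytes + text + data).ljust(0x400, b"\0")
```

Running `check_header(parse_pe(open(path, "rb").read()))` on a real 32-bit file gives the same list of findings; an empty list only means the header is self-consistent, not that the file is benign.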
(13) Sample PE signatures
(13.1) ASPack v2.12
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
00401000: 60 PUSHAD
00401001: E803000000 CALL 00401009H
00401006: E9EB045D45 JMP 459D14F6H
0040100B: 55 PUSH EBP
0040100C: C3 RET
0040100D: E801003E00 CALL 007E1013H
(13.2) Armadillo v1.xx ‐ v2.xx
55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6
00401000: 55 PUSH EBP
00401001: 8BEC MOV EBP, ESP
00401003: 53 PUSH EBX
00401004: 8B5D08 MOV EBX, [EBP+08H]
00401007: 56 PUSH ESI
00401008: 8B750C MOV ESI, [EBP+0CH]
0040100B: 57 PUSH EDI
0040100C: 8B7D10 MOV EDI, [EBP+10H]
0040100F: 85F6 TEST ESI, ESI
Chapter (9) - Cracking for the first time with the Teleport Pro 1.61 program


In the previous chapters we studied the basic foundations of cracking. So I think you now have at least a passing acquaintance with the C and Assembly languages. You also know by now how software is protected. You have studied the tools a cracker should have, and you have a rough understanding of one of them, the Olly debugger. Finally, you have even studied the PE header, which is said to be hard to understand in the cracking world. Still, what you have studied so far is only theory. Theory without practice, and practice without theory, are neither complete nor substantial, so you will only understand cracking concepts well by trying to crack something yourself. Therefore, as our first crack, we will try to crack Teleport Pro 1.61, a commercial program. You may wonder why I demonstrate cracking on a program that is no longer updated. (We are not cracking software for money. We are studying it only as a discipline. Therefore, if you illegally distribute or sell cracked software, the consequences are your responsibility alone ...)
(1) Studying how the program works
The main thing we need to know before cracking a piece of software is which programming language it was written in. Only then can we decide what to do next. Alright, download Teleport Pro from www.tenmax.com and install it. Choosing About ... from the Help menu shows Figure (1).

Figure (1)
Figure (1) shows that this is an unregistered version. So we will try registering it. Choose Register from the Help menu. You will see Figure (2).

Figure (2)

In Figure (2), type Myanmar Cracking Team in the Your name field and 4780610 (BABE16) in the Registration code field. You will then see Figure (3).

Figure (3)
Figure (3) shows a MessageBox telling us that the registration code we entered is wrong. (Note: some programs have little tricks. When you enter a registration code, they do not say whether it is right or wrong but ask you to restart the program. Some programs do not even show a MessageBox, because such programs do not check the registration code you entered immediately. They store the code you entered in the registry or in a file and check it the next time the program is opened and run.) Write the text We're sorry! seen in this Message Box down on a blank sheet of paper. It will come in handy.
Alright, close the program and check which language it was written in. Right-click the pro.exe file under the Program files\Teleport Pro folder and check it with PEiD. Figure (4).

Figure (4)
According to Figure (4), this program was written with Visual C++ 6.0. That is enough for us. Open pro.exe in Olly. Figure (5).

Figure (5)

Figure (5) shows the program's entry point. (Note: for programs written with Visual C++, the entry point is the virtual address of the PUSH EBP instruction above kernel32.GetVersion, as shown in Figure (5).) I will demonstrate cracking this program with two methods. The first is the method used by nick123b of SND Team. The second is the method used by ThunderPwr of ARTeam. Other methods will be presented in the appropriate chapters.
(2) First method (nick123b@SND Team)
You probably remember that when we registered in Figure (2), the error message in Figure (3) appeared. Let's search for this message text in Olly. Right-click in Figure (5) and choose Search for > All referenced text strings. A window containing the text strings found will appear.

Figure (6)
In the window that appears, type the text we want to find as in Figure (6) and press OK. But Olly does not find the text we are searching for. The reason is that the programmer who wrote this program did not place the We're sorry! text in the .text section but in the .data section, as shown in Figure (7), so Olly cannot find it. (Normally more than 80% of programs place it only in the .text (code) section.)

Figure (7)

Figure (8)
Looking at Figure (8), we find the message we are looking for. Figures (7/8) were viewed in PE Explorer 1.99 (www.heaventools.com).
Since searching for the text string as in Figure (6) found nothing, I suppose you are quite puzzled by now. Only by finding this message can we locate the registration routine where the serial is written and find the serial. Alright, let's search for the serial with nick123b's method.
Press Ctrl + N (View Names) in Olly. You will see the APIs as in Figure (9).

Figure (9)
As shown in Figure (9), right-click USER32.GetWindowTextA and choose Find references to import (Enter key). You will see Figure (10). (For details on GetWindowTextA, read the chapter "Windows APIs that crackers should watch out for".)

Figure (10)
As seen in Figure (10), right-click and choose Set breakpoint on every command.

Figure (11)
Before setting the breakpoint on GetWindowTextA as in Figure (11), make sure that pro.exe is being registered in Olly as in Figure (12). (That is, open Teleport Pro with Olly and start registering. Set the breakpoint as seen in Figures (9/10/11) before pressing OK in Figure (12).)

Figure (12)

Once the breakpoint has been set as in Figure (11), press OK in Figure (12). As in Figure (13), you will land directly at the breakpoint on the GetWindowTextA() API.

Figure (13)
When you see Figure (13), press F8 (step over) until you see Figure (14).

Figure (14)
Look at Figure (14). CALL 0042F675 performs the registration key computation. After that, it checks whether the value in EAX and the value in ESI are equal. If the two values are not equal, execution goes to the BadBoy message. So when you reach "JNZ 042ECDB", stop pressing F8. Then look at the Registers (FPU) window. Figure (15).

Figure (15)
The serial we want is now in the EAX register in Figure (15). Note that this serial is only for the user "Myanmar Cracking Team" found in the ECX register, because we typed "Myanmar Cracking Team" in the user name field as shown in Figure (12).
Actually, the serial in the EAX register in Figure (15) is only a hexadecimal number. Double-click 258680D9. Then copy 629571801. Figure (16). 629571801 is the real serial.

Figure (16)
Now that we have the serial we want, we can close Olly. Reopen the Teleport Pro program. Then choose Register … from the Help menu and prepare to register.

Figure (17)
Fill in the Name and Registration Code as in Figure (17) and press OK. You will see Figure (18).

Figure (18)
To be more certain, click Register … in the Help menu again. You will see that we no longer need to register. Figure (19).

Figure (19)

Choosing About Teleport Pro … from the Help menu shows Figure (20).

Figure (20)
With that, our task of finding the serial with the first method is done. Finding a serial this way is called serial fishing (catching the serial) in English. In the cracking world the serial fishing method is very widely used because it saves time and is very easy.
(3) Second method (ThunderPwr@ARTeam)
The second method first finds the location of the MessageBox seen in Figure (21) and then searches for the registration routine. (Note: make sure the breakpoints set earlier on the GetWindowTextA() API have been removed.)
Once Teleport Pro has been registered successfully, it cannot be registered again. So open the registry editor (regedit.exe) and delete the Tennyson Maxwell key under the Software directory of both HKLM and HKCU.

Figure (21)
Open pro.exe in Olly and press F9 (Run). You will see the Teleport Pro program open. Click Register in the program's Help menu and try to register. You will see the BadBoy MessageBox as in Figure (21). Now go back to Olly and press F12 (Pause). The reason for pressing F12 is to pause the program's execution for a moment. Then scroll through Olly's stack window and look. You will see Figure (22).

Figure (22)
Look at Figure (22). VA 0049112C is the virtual address where the "We're sorry! …" text is stored. VA 004542CD is where execution arrives once the MessageBox API of Figure (21) has finished. The virtual address I am interested in right now is 004542CD, because from this address we will trace our way to the registration routine.

Figure (23)
To trace the registration routine, right-click the highlighted location in Figure (23) and choose Follow in Disassembler. You will see Figure (24).

Figure (24)
If you set a breakpoint at 004542CD in Figure (24) and press F9, the next time you register, execution comes straight to this location. Figure (25).

Figure (25)
What differs from Figure (24) this time is that pro.004541C4 now appears with text strings.

Figure (26)
Stepping through the code in Figure (25) with F8 and examining it, as soon as the CALL in Figure (25) has executed you arrive at Figure (26). This time you will not find the serial in the EAX register at all, because the program has already checked whether the serial is correct and issued the error message. So if we want the serial, we need to set a breakpoint at VA 0042ECCA and register the program once more. When this breakpoint is reached, we can copy the serial we are looking for from the EAX register. Another interesting thing is RETURN to pro.0042ED10 from pro.004542AB in Figure (22). (Remember that in the Assembly lesson we said a CALL saves the address (EIP) of the instruction it will execute next on the stack. We also said that after a CALL has executed, the return value is almost always kept in EAX.)
(4) Writing a keygen for the Teleport Pro program
Earlier we fished the serial and registered Teleport Pro. But the name is "Myanmar Cracking Team". If you want to register with your own name, or with the name of your friend or sweetheart, and have to search for the serial again with Olly each time, it wastes time and effort. That is why a keygen needs to be written. Searching for the serial with the name "Myanmar Cracking Team" gave 629571801. You are surely hazy about how that was obtained. So we will study the routine that produces the serial key closely. Figure (27).

Figure (27)
Here you may guess that CALL 0042F675 in Figure (27) is the routine that produces the serial key, because once this CALL has executed the program compares the serial we typed with the computed serial. Set a breakpoint at this CALL and restart the program (Ctrl+F2). Then press F9 to run the program. Register. You will then arrive at VA 0042ECC2, where the breakpoint was set. When you reach VA 0042ECC2, press F7 (step into) to go into the CALL. Figure (28).

Figure (28)
The small routine that produces the serial key is no more than what is shown in Figure (28). Up to VA 0042F691 there is nothing interesting; it only checks whether the user name entered is shorter than 5 characters. If it is longer than 5 characters, the serial computation starts from VA 0042F694. Let's study it.
1. EBX and ESI are declared as variables.
2. ESI is initialized to 5DFEE4A4.
3. EBX is set to zero.
4. TEST sets the flag that decides whether the jump (JE) is taken.
5. The value in EDI is moved into ECX. (What was pushed onto the stack last must be popped first.)
6. 4 is subtracted from EAX. (EAX holds the character count of the user name we typed earlier; since it is "Myanmar Cracking Team", that is 21 characters.)
7. EBX and EAX are compared.
8. If EBX is not less than EAX, the jump is taken. (At this point EAX is 17 and EBX is zero.)
9. The ESI value is XORed with the Unicode (Hex) value of the first 4 characters of the user name. (At this point ESI is 5DFEE4A4 and DS:[EBX+EDI] is 6E61794D.)
10. 1 is added to EBX.
11. In this way the characters of "Myanmar Cracking Team" are read to the end and XORed, and the final result is stored in EAX.
Rewritten as Assembly code, this looks as follows. It is not the complete code; only the small part that produces the serial key is written out. The programmer who wrote it is Ziggy of SND Team.
invoke lstrlenA, addr namebuffer ;get the length of the name string
mov ecx, eax ;copy length of name string in eax to ecx
sub ecx, 4 ;loop counter ecx = name string length - 4
lea edi, namebuffer ;edi = address to name string
mov esi, 05DFEE4A4h ;esi = starting code value = 04E6AF4BC hex
L005: ; Ripped code from Ziggy's KeygenMe
mov eax, dword ptr ds:[edi] ;load 4 name string ascii characters in eax
xor esi, eax ;exclusive or eax with the new edx value - result in esi
inc edi ;point to next group of 4 name chars
dec ecx ;decrement the loop counter
jnz L005 ;jump back if ecx loop counter not = zero
Since how to write a keygen in Assembly was explained in the chapter "Basic Assembly Language", I will not explain it again. What I want to say about keygens is that we do not need to write the keygen GUI ourselves. We simply take ready-made keygen templates and use them. We only need to write the registration routine that produces the serial keys.
;
; Ziggy April 2005
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Notes
;
; - Requires MASM32 V8
; - Requires linking with matching resource file ;
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.586p
.mmx
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
; Prototypes
DialogProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
ClipboardCopy PROTO
KeygenProc PROTO
.const
DIALOG_1 equ 1 ;identifier in resource file
IDC_APPNAME equ 1001
IDC_NAME equ 1002
IDC_SERIAL equ 1003
BTN_CLOSE equ 1004
BTN_GENERATE equ 1005

BTN_COPY equ 1006


BTN_ABOUT equ 1007

; may need to edit these constants


MinNameLength equ 5 ; Should be consistent with .data NameTooShort
MaxNameLength equ 30 ; Maximum length of name string
; edit about text as needed
About_Text equ " ",13,10," Keygenned by Ziggy ",13,10,10,\
"30 July 2008",13,10,13,10
Max_Buffer equ 100 ; set to at least maximum length of name or serial
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data
; edit app name as needed
Appname db "Myanmar Cracking Team proudly presents: ",0
; following data not required if name not used to derive serial
NoName db 'No Name Entered',0
NameTooLong db 'Name is too long',0
NameTooShort db 'Name must be at least 5 characters',0 ; edit to match MinNameLength
NameOK db 'Press "Generate"',0
namebuffer dd Max_Buffer dup (00) ;buffer for entered name
genedserial dd Max_Buffer dup (00) ;buffer for genedserial
tempbuffer dd Max_Buffer dup (00) ;scratch buffer
fixedstring db " ",0
decimalformat db "%d",0
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data?
hInstance dd ? ;Module handle
handle dd ? ;Dialog handle
hIcon dd ? ;caption bar icon handle
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.code
main :

invoke GetModuleHandleA,NULL
mov hInstance ,eax ; save handle for later use

;mov hIcon, FUNC(LoadIcon, hInstance,2) ; get the icon 2 resource

; setup the dialog processing


invoke DialogBoxParamA,hInstance,DIALOG_1,NULL, addr DialogProc,NULL
invoke ExitProcess,NULL ; terminate after dialog is closed
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Main Dialog Processing

DialogProc Proc hwnd:dword, message:dword, wParam:dword, lParam:dword


pushad
mov eax,hwnd
mov handle,eax ;save dialogbox handle, to use in other procedures
.IF message==WM_INITDIALOG
invoke SetDlgItemTextA,handle,IDC_APPNAME, addr Appname ;show the appname in dialog box
invoke SendMessage, handle,WM_SETICON,ICON_BIG,hIcon ; set icon on caption bar

.ELSEIF message==WM_COMMAND
mov eax,wParam
.IF ax==BTN_GENERATE ; "Generate" button pressed
; check name is ok, not too long & not too short
invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
.if eax == 0
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
.elseif eax > MaxNameLength ; max name length

invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong


.elseif eax < MinNameLength ; minimum name length
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameTooShort
.elseif
;Invoke Keygen algo on 'generate' and name ok
Invoke KeygenProc ; do the business

.endif
.ELSEIF ax==BTN_CLOSE ; "Close" button pressed
jmp @close
.ELSEIF ax==BTN_ABOUT ; "About" button pressed
invoke MessageBox,handle,SADD(About_Text),
SADD(" ",34,"Myanmar Cracking Team",34),
MB_OK or MB_ICONINFORMATION
.ELSEIF ax==IDC_NAME ; name character entered
; check name ok, not too long & not too short
invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
.if eax == 0
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
.elseif eax > MaxNameLength ; max name length
invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong
.elseif eax < MinNameLength ; minimum name length
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameTooShort
.elseif
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameOK
.endif
.ELSEIF ax==BTN_COPY ; "Copy" button pressed
invoke ClipboardCopy

.ENDIF

.ELSEIF message==WM_CLOSE ; dialog closed


@close:
invoke EndDialog,handle,NULL
popad
xor eax,eax
ret
.ELSE
popad
mov eax,FALSE
ret
.ENDIF
popad
xor eax,eax
ret

DialogProc endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Copy generated serial to the clipboard
; This function is not really necessary in a simple keygen but code is short
; and does not need any modification.
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
ClipboardCopy proc
pushad

invoke GetDlgItemText, handle, IDC_SERIAL, addr genedserial, SIZEOF genedserial


.if eax != 0
invoke OpenClipboard, handle
.if eax
invoke GlobalAlloc, GMEM_MOVEABLE or GMEM_DDESHARE, SIZEOF genedserial

.if eax != NULL


push eax
push eax
invoke GlobalLock, eax
mov edi, eax
mov esi, OFFSET genedserial
mov ecx, SIZEOF genedserial
rep movsb
pop eax
invoke GlobalUnlock, eax
invoke EmptyClipboard
pop eax
invoke SetClipboardData, CF_TEXT, eax
.endif
.endif
invoke CloseClipboard
.endif
popad
ret
ClipboardCopy endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; your Key Generator Code goes in this procedure
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
KeygenProc PROC
nop ; these nops make the Keygen procedure easy to find in Olly
nop ; when debugging the keygen.
nop ; comment these out on final assembly
nop
nop
nop
nop
nop
;[[[[[[[[[[[[[[[[[ Your keygen code goes in here to replace the example
invoke lstrlenA, addr namebuffer ;** get the length of the name string
mov ecx, eax ;** copy length of name string in eax to ecx
sub ecx, 4 ;** loop counter ecx = name string length - 4
lea edi, namebuffer ;** edi = address to name string
mov esi, 05DFEE4A4h ;** esi = starting code value = 05DFEE4A4 hex
L005:
mov eax, dword ptr ds:[edi] ;** load 4 name string ascii characters in eax
xor esi, eax ;** exclusive or eax with the current esi value - result in esi
inc edi ;** point to next group of 4 name chars
dec ecx ;** decrement the loop counter
jnz L005 ;** jump back if ecx loop counter not = zero
invoke wsprintf, addr tempbuffer, addr decimalformat, esi ;** convert the final esi value to decimal text
invoke lstrcpyA, addr genedserial, addr fixedstring
invoke lstrcatA, addr genedserial, addr tempbuffer
;]]]]]]]]]]]]]]]]]]
invoke SetDlgItemTextA,handle,IDC_SERIAL, addr genedserial ; display serial
ret
KeygenProc ENDP
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end main

If you assemble this assembly code, you will see Figure (29).



Figure (29)
Did writing the keygen in assembly go smoothly? If not, I will explain how to write the keygen in the C language.
#include <conio.h>
#include <stdio.h> // C Console Application
#include <string.h> // Compiler - Borland C++ 5.02
#include <memory.h> // Copyright © by Myo Myint Htike, September 14 2009
unsigned long StringtoHex(const char *string);
int main()
{
char User_Name[31] = {0}; // room for 30 characters plus the terminating '\0'
char Read_4_Bytes[5] = {0}; // 4 characters plus the terminating '\0' that strrev() needs
unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
unsigned long string_length;
printf("Teleport Pro 1.3x - 1.6x Keygen ");
printf("\n========================\n\n");
printf("\nYour Name : ");
// width 30 keeps the name inside the buffer; only a-z, A-Z and space are accepted
scanf("%30[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]",User_Name);
string_length = strlen(User_Name);
if(string_length < 5 || string_length > 30)
printf("Name must be 5->30 characters.\n");
while(index < string_length-4){
memmove(&Read_4_Bytes, &User_Name[index], 4); // copy the 4-byte window starting at index
strrev(Read_4_Bytes); // reverse it, because x86 reads the dword little-endian
EAX = StringtoHex(Read_4_Bytes); // pack the 4 reversed characters into one number
ESI = ESI ^ EAX; // fold the window into the running value
index++;
}
printf("\nRegistration Code : %lu\n",ESI);
getch();
return 0;
}
unsigned long StringtoHex(const char *string)
{
unsigned long hex_value = 0, index = 0;
const char *character_read = string;
while(*character_read){
// shift the value left by one byte and append the next character
hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
character_read++;
}
return hex_value;
}

How the program works:


1. unsigned long StringtoHex(const char *string);

This declares in advance that we will use a function of our own.


2. char User_Name[30] = {0}, char Read_4_Bytes[5] = {0};
Up to (30) characters will be read for the user name. The buffer that will hold these characters is filled with 00 ('\0'). Read_4_Bytes is the same.
3. unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
The ESI value that will be XORed is initialized to 0x5DFEE4A4.
4. scanf("%[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ] ",User_Name);
This asks for the user name to be registered. We could read it with %s, but because unwanted symbols (other than space) might turn up in the user name, we restrict it. So when the name is typed from the keyboard, only a-z, A-Z and space can be entered. We will type Myanmar Cracking Team.
5. string_length = strlen(User_Name);
This computes how many characters the entered user name has. Since it is Myanmar Cracking Team, it is (21) characters. If the user name is shorter than 5 characters or longer than (30) characters, only a wrong serial will be produced.
6. while(index < string_length-4){
Since 4 is subtracted from string_length, the new string_length value becomes 17. The index value at this point is zero. So the while loop runs (17) times.
6.1. memmove(&Read_4_Bytes, &User_Name[index], 4);

The memmove() function copies the 4 characters 4D 79 61 6E (Myan), starting at &User_Name[0] = VA 12FF68, into &Read_4_Bytes = VA 12FF88. Figure (31).

Figure (31)
6.2. strrev(Read_4_Bytes);
This reverses the string Myan, so Myan becomes nayM. The reason for using the strrev() function is that the program reads the data in little-endian order.
6.3. EAX = StringtoHex(Read_4_Bytes);
The StringtoHex() function converts the reversed string into a number so that it can be XORed. After this function has run, EAX becomes 6E61794D.
6.3.1. while(*character_read){
hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
character_read++;
}

character_read reads the first character, n, located at VA 12FF88. Note that *character_read is the same as character_read[0] and reads one character.

Figure (32)
The character n that was read is converted to a number. At this point hex_value becomes 6E (hex), i.e. 110 (decimal). Since 1 is added to character_read, it becomes character_read[1] and reads a. Now hex_value = (6E*0x100) + 61 = 6E61. It keeps reading further characters in this way until it meets 00 (\0). In the end hex_value becomes 6E61794D. The value 6E61794D is returned to EAX.
6.4. ESI = ESI ^ EAX;
EAX (6E61794D) and ESI (5DFEE4A4) are XORed. The resulting value 339F9DE9 is stored in ESI.
6.5. index++;
Since 1 is added to index, the next time the while loop runs ...
while(index < string_length-4){ // while(1<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = "yanm";
strrev(Read_4_Bytes); // Read_4_Bytes = "mnay";
EAX = StringtoHex(Read_4_Bytes); // EAX = 6D6E6179;
ESI = ESI ^ EAX; // ESI = 339F9DE9 ^ 6D6E6179 = 5EF1FC90;
index++; // index = 2;}
}
// while (2<17){ ..................}
// while (3<17){ ..................}
// while (4<17){ ..................}
// ......................................etc
while(index < string_length-4){ // while(16<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = " Tea";
strrev(Read_4_Bytes); // Read_4_Bytes = "aeT ";
EAX = StringtoHex(Read_4_Bytes); // EAX = 61655420;
ESI = ESI ^ EAX; // ESI = 44E3D4F9 ^ 61655420 = 258680D9 (hex);
index++; // index = 17;}
}

7. printf("\nRegistration Code : %lu\n",ESI);


This prints the final result of the XORing (258680D9 hex = 629571801 decimal). 629571801 is the registration code for Myanmar Cracking Team.
That is how the keygen works in detail.
Finally, I want to point out that the registration routine is not always written inside the exe file. In Kaspersky Internet Security 7.0 the registration routine is written in lic.ppl (although its file type is given as .ppl, it is really just a .dll file), and in the software released by Xilisoft it is written in the UILib71.dll file, or UILib8_MFCDll.dll, or imfc0.dll. With that, let me conclude.
Chapter (10) – Patching (Beginner/Intermediate/Advanced) - 181 -

Chapter (10) - Patching (Beginner/Intermediate/Advanced)


What we studied in Chapter (9) was finding the serial key from the registration routine. But finding the serial key of every program is really not easy; it takes time and wears you out. So some crackers crack by patching the program so that the full version (registered version) can be used in a short time. Modifying some of the necessary code of a program is called patching. The patched files have to be put in the folder where the program is installed, replacing the original files. What you see in Figure (1) is the BookWorm game program after it has been patched. In this program, finding the serial is not as easy as in Teleport Pro; it would take quite a lot of time. So in this program the routine that checks whether it is registered has been removed, the routine that checks the play time has been removed, and the 60-minute limit has been removed. In addition, the text "Myanmar Cracking Team proudly PRESENTS…" has been added, and the Trial Version image has been replaced with a Registered Version image.

Figure (1)
In this chapter, patching will be discussed in (3) parts. The first part is the patching method that beginner crackers usually use, part (2) is the intermediate level, and part (3) is the patching method that advanced crackers usually use.
(1) Beginner-level patching (Plain Stupid Method)
Under this heading we will try cracking with the patching methods that beginners usually use. The program chosen for the patching exercise is the calculator (calc.exe) program, protected with the Exe password software. The calculator program is easy to find under the system32 folder of Microsoft Windows. The Exe password software can be downloaded from www.salfeld.com. Exe password is a piece of software that protects, with a password, programs you do not want others to use, so that other people cannot open them.


If you want to open this program, you must be able to enter the correct password. Okay, before patching, the first thing to do is to open Exe password and give the calculator (calc.exe) program a password. Figure (2).

Figure (2)
As seen in Figure (2), we will protect our calc.exe program with the password "DEADBEEF". You will then see that the icon changes. Figure (3).

Figure (3)
Let's open the password-protected calc.exe file. A dialog box asking for the password appears, as in Figure (4).

Figure (4)
If you cannot enter the password correctly, you will see Figure (5).

Figure (5)

So it is now certain that we cannot open this file without knowing the password. Normally we would have to work out the password, but since this chapter discusses only patching, let's try to patch it. Note the text "Password is incorrect…" seen in Figure (5) on a blank sheet of paper. Open the calc.exe file in Olly. You will see Figure (6).

Figure (6)
In Figure (6), right-click and choose Search for > All referenced text strings. A new window will appear. Right-click in this window and choose Search for text. You will see Figure (7).

Figure (7)
In Figure (7), type the text "Password is incorrect…" that we want to find and choose OK. You will see Figure (8).

Figure (8)
Double-click with the mouse on the highlighted line in Figure (8). You will see Figure (9).

Figure (9)
Look carefully at Figure (9). You will find the routine (VA 0054C8AC) that shows the error message of Figure (5). In fact, the error message routine runs because CALL calc.00435C4C cannot be skipped. The JNZ instruction at VA 0054C87C cannot skip CALL calc.00435C4C either. Figure (10).

Figure (10)
According to Figure (10), the only instruction that can skip CALL calc.00435C4C is the JE at VA 0054C873. So set a breakpoint at VA 0054C86E and press F9. You will see Figure (11).

Figure (11)
Type "Cracker" in the textbox of Figure (11). Execution goes straight to the place where we set the breakpoint. Figure (12).

Figure (12)
When we reach VA 0054C86E in Figure (12), let's take a look at the register window. Figure (13).

Figure (13)
Looking at Figure (13), you will see that the EAX register holds the text "pFTZ^UC" and the EDX register holds the text "wqt}wutt". In fact, "wqt}wutt" is the encrypted form of the password we entered in Figure (2), and "pFTZ^UC" is the encrypted form of "Cracker". The CALL routine at VA 0054C86E seen in Figure (12) checks whether "pFTZ^UC" and "wqt}wutt" are equal. If they are equal, the error message is skipped. So let's try to patch it. Properly, we would replace CALL calc.004046A0 with a NOP instruction and replace JE SHORT calc.0054C8D7 with JMP SHORT calc.0054C8D7. But here I will do only one thing: change JE to JMP. (Note: changing to NOP (No operation) stops the two passwords from being compared. The JMP instruction forces the error message to be skipped.) After the change, you will see Figure (14).

Figure (14)
After making the change as in Figure (14), right-click, choose Copy to executable > All modifications, and save the file. To see whether the patched file works, open it. In the password dialog box that appears, type any password you like. The program will open.

(2) Intermediate-level patching


This time we will try intermediate-level patching. The program chosen for studying and experimenting without harming anyone is MrBills. This program can no longer be found on the internet at all: the company has been sold and the program is no longer released. Moreover, this software has already been cracked by others. MrBills can be downloaded free from the SND Team's download section. You will also find MrBills included with Lena's reversing tutorial (7).
To learn about the program, let's open it in Olly and PEiD. Figure (15) and Figure (16).

Figure (15)

Figure (16)
PEiD is a tool that identifies the packers, cryptors and compilers commonly used in PE files. Let's look at Krypto Analyser, one of PEiD's plugins. This small plugin finds known crypto algorithms inside modules by comparing them against the crypto signatures the plugin carries.
Looking at Figure (1), you will see that the MrBills software is not packed and was written with Visual C++ 7.0. The MrBills version is 2.1.0.1.

Figure (17)
If you choose Krypto Analyser from Plugins in Figure (17), you will see Figure (18).

Figure (18)
Looking at Figure (18), you can see the crypto algorithms in use. The CRC check will be discussed in later lessons. Okay, let's close PEiD. Look at Figure (16). Let's run (F9) the program. You will see Figure (19).

Figure (19)
As seen in Figure (19), we are not registered yet. Click About.

Figure (20)
When you click About, you will see Figure (20). I think there is nothing for us to do here. Choose Register.... You will see Figure (21).

Figure (21)
According to Figure (21), we need to register, because it says some functions will not work unless we register. Let's try to register. Figure (22).

Figure (22)
We are out of luck. We only get Figure (23).

Figure (23)
Figure (9) is where we have to patch. I have already explained in earlier chapters how to find text strings. Today, too, we will have to use this method to get what we want. So note down the words among these text strings that you think are important. Okay, let's study the code. Go back to Olly. Figure (10).

Figure (24)
To find the text strings, right-click in Figure (24). Then choose Search for > All referenced text strings. The text string window will appear. Right-click in the text string window and search for the text we want. Figure (25). One warning before searching: scroll to the very top of the text string window before right-clicking.

Figure (25)
So we have found the text we were looking for. Figure (26).

Figure (26)
So double-click VA 004299BD, where the text is. You will see Figure (27).

Figure (27)
VA 004299BD in Figure (13) is preparing to write "You have entered an ..." in a messagebox. If you scroll down a little, you will see Figure (28).

Figure (28)
The answer we want is at VA 004299F3. VA 004299BD is the BadBoy message and VA 004299F3 is the GoodBoy message. You can see that the JNZ in Figure (27) jumps to VA 004299F1. In practice, the JNZ does not jump to VA 004299F1, which is why we see the BadBoy message "You have entered an invalid email ...". If the JNZ were changed to JMP .........

Figure (29)
Look at TEST AL, AL in Figure (29). AL decides whether it is GoodBoy or BadBoy. AL is probably set inside the CALL function at VA 004299AD, because before comparing something it is better to set it up inside the CALL function that the comparison uses. This is the registration check. What I want to note here is that we now need to examine how AL is set inside this CALL function. So let's set a breakpoint at VA 004299AD. Let's continue.
We have found the result of the check of whether the serial is correct or not. When that result is set inside the CALL above TEST AL, AL, AL holds the value. If the result is positive, the program reaches VA 004299F1, where the Goodboy message is, and registers. Otherwise the jump is not taken and we get the Badboy message.
Summary: because of the JNZ, AL must not be equal to zero in order to register.
Let's scroll up a little above VA 004299AD. Figure (30).

Figure (30)
The texts in Figure (30) do not matter to us at all; they are the texts shown in the About box. Let's run the registration again. To find out what is inside the CALL, a breakpoint has been set at VA 004299AD.
Note: the plain stupid method is merely patching conditional jumps in order to skip the BadBoy. In most cases that method is not sufficient to register software.
Therefore we will now go deep into the CALL and try to patch AL, which decides whether it is registered or not.
Let's try to register again as in Figure (31). Press F9.

Figure (31)

When we click the "Register Now" button, we arrive at VA 004299AD, where we set the breakpoint a moment ago. Figure (32).

Figure (32)
Press F7 and let's step into the CALL. Now we are inside the CALL. Figure (33).

Figure (33)
To find out what happens next, we will just press F8. Let me say here that we need to watch for changes in the AL value. Figure (34).

Figure (34)
We will soon see the important parts. Do you see TEST AL, AL at VA 0040715A in Figure (35)?

Figure (35)
Then [5076A0] at VA 0040715E. After that, the JNZ at VA 00407163, TEST AL, AL at VA 00407170, and [5076A0] at VA 00407174. Look carefully at the CALL at VA 00407155. What do you see? It seems AL has already been set inside the CALL at VA 00407155. So, to find out what happens inside the CALL, press the Enter key. Remember that pressing the Enter key lets you follow the code, but the code is not run. It means looking at the code inside the CALL without having to run it. So the instruction pointer stays at the VA where you pressed Enter. Figure (36).

Figure (36)
When you press the Enter key at the CALL at VA 00407155, you see Figure (37).

Figure (37)
Let's look. MOV BL, AL at VA 00407007. MOV AL, BL at VA 00407011. The value in BL is moved back into AL. First the value in AL is kept in BL. You will understand that the CALL at VA 00407009 has no effect on BL (and AL). But the value of AL is decided in the CALL at VA 00406FF9. Okay. Since AL is set inside CALL 00406F4B at VA 00406FF9, let's set a breakpoint at this CALL.
Note that at this point we are seeing a great many CALLs. Likewise, remember that we pressed the Enter key at the CALL in order to see what is inside it. To check whether AL is set inside the CALL at VA 00406FF9, we press F9 to reach the place where we set the breakpoint. Now we have arrived at the place where we set the breakpoint. Figure (38).

Figure (38)
It is very important for you to understand the next step.

(1) Note the value of AL.
(2) Execute the CALL that you suspect sets the value of AL.
(3) Press F7 on this CALL.
(4) Look again for information related to AL.

Figure (39)
As seen in Figure (39), AL is not zero. That is also why AL cannot be zero when TEST AL, AL receives the returned value. Now press F8 to run the CALL. You will see the AL value change. Figure (40).

Figure (40)
So the CALL at VA 00406FF9 set the AL value to zero. Registration did not succeed. Press F8 to see what happens next. Another thing to remember is how the values of AL and BL change in the next steps.

Figure (41)
If we execute MOV BL, AL in Figure (41), the value of BL will also become zero, because AL is zero. Figure (42).

Figure (42)

Figure (43)
After executing the CALL at VA 00407009 in Figure (43), you can see that the value of AL has changed to 1. Look at MOV AL, BL at VA 00407011. Why is the value from BL put into AL?
INFO: If the program needs to work with the EAX register, it will temporarily keep its value in another register.
I will explain once more. Only then will you get a feel for how the program works.

Figure (44)
In Figure (44), the value of AL has become zero again because of BL. So my conclusion that the CALL at VA 00407009 has no effect on AL and BL was correct. The state of AL is set in the CALL at VA 00406FF9. Finally, press F8 or F7 to get back to our earlier CALL (I mean the CALL before we pressed the Enter key). You will see Figure (45).

Figure (45)
Remember that when we return to TEST AL, AL the value of AL must not be zero (the JNZ that decides registered or not). Let's study what happens to AL here. When we press F8, the value of AL is still zero. Figure (32). When AL is stored in the pointer ([5076A0]) ....

Figure (46)
The pointer's value is still zero. Figure (46). While not registered, the jump cannot be taken.
Okay. Do you understand that whether it is registered or not is kept in the pointer ([5076A0]) at VA 0040715E? Likewise in the pointer ([5076A0]) at VA 00407174. Figure (45).
The CALL at VA 0040716B can only run while we are not registered. It is probably the CALL that shows the unregistered strings. Let's keep pressing F8. We will deal with the AL-related work at VA 0040715E later, and likewise the AL at VA 00407174.
Sorry if this explanation is too slow for you. I assume all of this may be confusing for beginners who have had only a little to do with cracking, which is why I am discussing it all in detail. But once I can assume you understand all this, I promise to move faster in the coming lessons. Keep pressing F8.

Figure (47)
I think the JMP in Figure (47) is clear. If you press F8 at the JMP, you will see Figure (35).

Figure (48)
At VA 00407076 we find another pointer ([5076A1]). I think the pointers are clear by now. The JNZ at VA 0040707D will jump if we are not registered. Okay. Just keep pressing F8. Whether we registered successfully or not can be seen in Figure (49).

Figure (49)

Okay, it should be clear why we ended up at the BadBoy. Figure (49). The JNZ at VA 004299B9 does not jump. Figure (50).

Figure (50)
So we are not registered. Let's keep watching what happens next.

Figure (51)
Now we see Figure (51). At this point we know the CALL we were looking for.
Okay. Choose OK in Figure (51) and restart Olly once more. Make sure the breakpoint window contains only the single breakpoint at VA 004299AD. Run (F9) the program. Then register again as in Figure (31). We will go straight to the place we set, as in Figure (52).

Figure (52)
To find the right CALL, we press F7 and enter the CALL at VA 004299AD.

Figure (53)
You will remember that we entered the CALL at VA 00407155 before. When you reach VA 00407155, press F7. You will see Figure (54).

Figure (54)
Keep pressing F8 until you reach the CALL at VA 00406FF9.

Figure (55)
I think you remember MOV BL, AL in Figure (55). We have now decided that the CALL at VA 00406FF9 is the CALL we must go into. So we press F7 and enter the CALL. You will see Figure (56).

Figure (56)
Let's look for where AL is set. Scroll down. We find quite a lot of code. Since this is the first time, I will not go into a deep search. I suspect one place that checks whether the serial is correct, but I will talk about that later. For now I will just try to patch AL. Really, I should trace through every piece of code; that is what is called Advanced Level Patching.

Figure (57)
Now let's try to change BL at VA 00406FC5. Figure (58).

Figure (58)

You probably expected something else. You probably thought that at VA 00406FC5 I would change it to MOV AL, 1 or INC AL.
Let me explain. Every time the program starts, the code at this place is executed. But the program starts with AL == 1 (if registered). To be precise, if the program is not actually registered, the program makes itself unregistered. That is also why, when we changed the JNZ at VA 004299AD to JMP as we did before, the program became registered only for a moment and was unregistered again the next time it was restarted.
I would like you to try the code below yourself.
MOV AL, 1 or
MOV BL, 1 or NOP
All of them will make the program registered. Anyway, it does not matter yet if you do not understand all this; it will become clear in later chapters. For now, let's just assume I assemble MOV BL, 1.
To find out where BL is set, we would need to enter and study the CALL at VA 00406FBC. But for now, let's stop here. Figure (59).

Figure (59)
Press F9 and let's see what happens next. Figure (60).

Figure (60)
If you click OK in Figure (60), you will see that the [Unregistered] text in Figure (61) disappears.

Figure (61)
Looking at Figure (61), you will see that there is no need to register again.

Figure (62)

With that, intermediate-level patching has been completed successfully. Save the patched file under any name you like. ☻☻☻
(3) Advanced-level patching
Normally, registering with the plain stupid patching method or the intermediate patching method can work, but not always. So this time we will try advanced-level patching.
INFO: The plain stupid patch is the method of making conditional jumps such as JE always jump. The intermediate patch makes the AL value inside the CALL 1, so that it is registered when the CALL returns. Put simply, the plain stupid method translates to "skipping the BadBoy even though not registered".
INFO: The intermediate patch, when it finds code such as MOV AL, BYTE PTR DS:[EAX+24], changes it to MOV AL, 0; it translates to "making it registered for the part that needs it".
INFO: The advanced patch studies in depth where the pointer value is set, and patches only the setting for the pointer.
The program intended for study in this lesson is Noah's Ark Deluxe 1.1, which can be downloaded free from www.popcap.com. When you open the program (WinNoah.exe), you will see Figure (63).

Figure (63)
Since the play period has expired, we will have to register. If you try to register, you see Figure (64).

Figure (64)
Now that we know how the program behaves, let's open the code in Olly. Figure (65).

Figure (65)
Figure (65) is the EP of WinNoah.exe. Let's look for the Badboy message from Figure (64). Figure (66).

Figure (66)
When you search for the text strings (the Badboy messages) via Search, you see Figure (66). Set breakpoints at these places and double-click. Fig (67).

Figure (67)
What you see in Figure (67) is the start of the CALL that invokes the BadBoy, and this CALL is called from VA 0041A315 and VA 0041E853. Let's look at VA 0041A315 and VA 0041E853. Figure (68).

Figure (68)
Looking carefully at Figure (68), you can see that before reaching the BadBoy CALLs it first goes to CALL DWORD PTR DS:[EAX+40] and checks whether the registration succeeded. The result of the check is stored in AL. Then it checks whether to skip the BadBoy. So, to skip the BadBoy, let's try changing the JNZ to JMP. Then save the modified code and reopen the program. If you enter any name and any code, you will find you can play this game. But this game is registered only at the moment of registering; it is not permanently registered. So we need to make more changes. Let's search further in Olly. Figure (69).

Figure (69)
Let's look at where the strings of Figure (69) are. Figure (70).

Figure (70)

Figure (70) is the start of the CALL that checks whether it is registered, and the VAs that call it are 41A158, 41A479, 41D469 and 420431. Set breakpoints at these places and run (F9) the program. You will see Figure (63). If you choose Click Here to Register Now. in Figure (63), you see Figure (71).

Figure (71)
yHk(71)rSmjrif&wmuawmh uRefawmfwadkY emufqHk; owfrSwfvdkufwJh breakpoint av;ckxJu wpfckrSm
vm&yfwmjzpfygw,f/ 'Dae&mudk register vkyfrSoma&mufrSmjzpfygw,f/ Registered jzpfxm;wJholwpfa,muf
[m aemufxyf register vkyfzrkYd vdkawmhwJhtwGuf 'Dae&mrSm Click Here to Register Now. tpm; Click
Here to Play. jzpfae&rSmyg/ 'Dae&mudk ausmfEdkifr,fqdk&if register vkyfp&mrvkdawmhbl;vdkY xifygw,f/
'gaMumifh yHk(71)u JE ae&mwdkif;rSm JMP vdjkY yifNyD; y½dk*&rfudk odrf;vdkufyg/ odrf;xm;wJh y½d*k &rfudk zGifhMunhf
&ifawmh yHk(63)twdkif; jrifae&OD;rSmjzpfNyD; registered rjzpfygbl;/ 'gaMumifhrv kY d J conditional jump awGudk
jump vkyfwdkif;vJ registered rjzpfbl;vdkY uRefawmfajymcJhwmyg/
aumif;NyD/ yHk(71)u VA 4203E7 (CALL DWORD PTR DS:[EDX+10]) ae&mrSm breakpoint
owfrSwNf yD; b,f CALL udkac:oHk;w,fqdkwm MunfhMu&atmif/ yHk(72)/

Figure (72)
MOV ECX, DWORD PTR DS:[ESI+50]    ; ECX = DS:[00B78E70] = VA 49C518
CMP BYTE PTR DS:[ECX+328], BL     ; DS:[49C518+328] = 49C840, BL = 0
Let's see what value is at VA 0049C840 in the dump (data) window. Figure (73).

Figure (73)

As Figure (73) shows, the byte at DS:[49C840] is compared with BL; if they are equal, execution goes to VA 420416. Figure (74).

Figure (74)
VA 420419: CMP BYTE PTR DS:[ECX+328], BL    ; DS:[49C518+328] = 49C840, BL = 0
At VA 420419 the byte at DS:[49C840] is compared with BL a second time; if equal, execution goes to VA 420424. Following these comparisons we see that the CALL at VA 00420431 can be skipped. So why can't the game be played? Because skipping the CALL at VA 00420431 is not permanent: the value of BL is compared twice with the byte at VA 0049C840 in the dump window, and that byte is still 0. So change the 0 at this address to 1 and run the program (F9). Figure (75).

Figure (75)
After pressing F9, the values change as shown in Figure (76).

Figure (76)
Remove the breakpoint at VA 4203E7 from Figure (74) and press F9.

Figure (77)

When F9 is pressed you see Figure (77). So our decision to change VA 0049C840 in the dump window to 1 was right. Restart the program with Ctrl+F2 (restart). Change VA 0049C840 in the dump window to 1 again. Then right-click in the dump window and choose Copy to executable file; you will see Figure (78).

Figure (78)
Right-click in Figure (78) and save the file under any name. Then let's open the file we saved.

Figure (79)
Something has gone wrong again. The first time, after patching the byte and running, we saw Figure (77). Now that the patch has been saved to a file, we see Figure (79). So let's reopen the patched and saved file in Olly. Figure (80).

Figure (80)
VA 0049C840 in the dump window holds exactly the value we saved. So something must be overwriting it at run time; we need to watch this location.

Figure (81)
We therefore set a hardware breakpoint here, as in Figure (81), and watch it. Right-click in the dump window and choose Breakpoint > Hardware, on write > Byte. Then press F9 and wait to see what changes.

Figure (82)
We have found the culprit. After MOV BYTE PTR SS:[EBP+328], BL at VA 0042ABFE executes, the byte at VA 0049C840 in the dump window changes (BL is 0 here). Press F9 again.

Figure (83)
As Figure (83) shows, AL also overwrites it with zero. Fine; what if we patch these two places to write 1 and save the file? Then we see Figure (84).

Figure (84)
In summary, to make Noah's Ark registered we had to patch the code at the following two places:
1. At VA 0042ABFE, MOV BYTE PTR SS:[EBP+328], BL becomes MOV BYTE PTR SS:[EBP+328], 1.

2. At VA 0042D6B8, MOV BYTE PTR SS:[EBP+328], AL becomes MOV BYTE PTR SS:[EBP+328], 1.
One thing to check before assembling these: the register form MOV BYTE PTR [EBP+328], BL is 6 bytes (88 9D 28 03 00 00), while the immediate form MOV BYTE PTR [EBP+328], 1 is 7 bytes (C6 85 28 03 00 00 01), so the replacement does not fit without also rewriting the instruction that follows it.
Although I have told you to patch it this way, I actually patched it differently, as in Figure (85). Use your own judgement and patch it whichever way you like. ☺

Figure (85)
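The steps above (find the VA in Olly, change the bytes, Copy to executable file) can also be done outside the debugger. The script below is an added example, not from this book and not OllyDbg's code: it maps a virtual address to a file offset through the PE section table and applies (VA, old bytes, new bytes) patches, refusing a patch whose old bytes do not match the file or whose length differs from the original instruction. The PE it works on is a constructed toy image built by build_demo_pe(), not WinNoah.exe; the addresses 00401000 and 00401006 exist only in that toy.

```python
"""Turn a patch seen in OllyDbg (virtual address, old bytes, new bytes) into a
change in the PE file on disk: what "Copy to executable file" does by hand.

Added example, not from the book and not Olly's code. Section layout and
addresses are those of the toy PE built below, not of WinNoah.exe.
"""
import struct


def pe_sections(data):
    """Return (image_base, [(name, virtual_address, virtual_size,
    raw_pointer, raw_size), ...]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                    # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    pos = opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, rptr, rsize))
        pos += 40                            # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections


def va_to_offset(data, va):
    """File offset of a VA, or None when the VA has no bytes on disk
    (uninitialised data: the dump window shows it, but the file cannot hold it)."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for _name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return None if delta >= rsize else rptr + delta
    return None


def apply_patches(data, patches):
    """patches: [(va, old_bytes, new_bytes), ...]. Checks the old bytes (wrong
    build -> refuse), keeps instruction length (pad with 0x90 NOPs yourself)
    and returns the patched image."""
    out = bytearray(data)
    for va, old, new in patches:
        if len(new) != len(old):
            raise ValueError(f"patch at {va:08X} changes length {len(old)} -> {len(new)}")
        off = va_to_offset(out, va)
        if off is None:
            raise ValueError(f"VA {va:08X} is not backed by file data")
        if bytes(out[off:off + len(old)]) != old:
            raise ValueError(f"unexpected bytes at {va:08X}; different version?")
        out[off:off + len(new)] = new
    return bytes(out)


def build_demo_pe():
    """Constructed toy PE32: .text at RVA 0x1000 (file 0x200) holding
    MOV BYTE PTR [EBP+328h], BL and a JE; .data at RVA 0x2000 whose VirtualSize
    (0x1000) exceeds its raw size (0x100). Not a real program."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, sec + 40, b".data", 0x1000, 0x2000, 0x100, 0x400)
    text = bytearray(0x200)
    text[0:6] = bytes.fromhex("889D28030000")   # 00401000: MOV BYTE PTR [EBP+328h], BL
    text[6:8] = bytes.fromhex("740A")           # 00401006: JE +0A
    return bytes(hdr) + bytes(text) + bytes(0x100)


if __name__ == "__main__":
    pe = build_demo_pe()
    print(hex(va_to_offset(pe, 0x401000)))
    print(apply_patches(pe, [(0x401006, b"\x74\x0A", b"\xEB\x0A")])[0x206:0x208].hex())
```

The None result from va_to_offset is the file-level counterpart of what the chapter ran into: a byte that only exists in memory, or that is rewritten at run time, cannot be fixed by editing the file at that address, which is why the hardware breakpoint on write was needed to find the two MOV instructions instead.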
Chapter (11) - Creating patch files with uPPP


This time we will create patch files with uPPP. First, let's look at what patch files are like.
- The advantage of a patch file is that software can be cracked with a very small file. That is, instead of uploading a cracked original file of over 1 MB, you only need to post a neat patch file of around 200 KB.
- The weakness of patch files is that developers and other crackers can easily see where you patched. (Developers can then change the code so that location can no longer be patched, and other crackers can copy your method.)
- The limitation of a patch file is that if its author makes any mistake, the patched file will not work.
- There are two kinds: static ("dead") patches and dynamic ("live") patches. A static patch only works on the exact version it was built for; if the version changes it stops working.
(1) Creating a patch file for Internet Download Manager 6.0.x
Before creating the patch, let's look at uPPP itself.

Figure (1)
Figure (1) shows the information about the application to be cracked. You can also enter who cracked the software and the date.

Figure (2)

Figure (2) is where you choose how to patch. There are four patch methods. (In this part we use Seek & Replace pattern and Registry patch.)

Figure (3)
Figure (3) concerns the template you want the patch to show. You can choose any font, picture, tune and icon. Knowing that much, let's start creating the patch file.
First, let's find the location to patch in Olly. (The example uses IDM 6.0.8 Build 3.)

Figure (4)
We replace TEST EDI, EDI (85 FF) with XOR EDI, EDI (33 FF). That zeroes EDI (and sets ZF), so the MessageBox "Internet Download Manager has been registered with a fake Serial Number. IDM is exiting..." is skipped. But keep in mind that the program code contains a great many TEST EDI, EDI instructions. Since we chose the Seek & Replace method, replacing every TEST EDI, EDI with XOR EDI, EDI would crash the program. We therefore have to give a more specific pattern: replace 8B F8 83 C4 04 85 FF 74 0A with 8B F8 83 C4 04 33 FF 74 0A, so that the surrounding bytes (MOV EDI, EAX; ADD ESP, 4; TEST EDI, EDI; JE) pin down the one site we mean.
The next place to patch is shown in Figure (5).

Figure (5)
IDM keeps the string "Internet Download Manager has been registered with a fake Serial Number. IDM is exiting..." encrypted; if our serial is not in its online database, the nag text is shown and the program exits. We have to bypass this location. Replace JE 00444532 (74 6D) with JMP 00444532 (EB 6D), and replace the following PUSH 0 (6A 00) with JMP 4444C3 (EB FC), which jumps back two bytes to the JMP just written, so any code path that enters at the PUSH is redirected too. In bytes, 74 6D 6A 00 becomes EB 6D EB FC. Then enter the replacement as in Figure (6).

Figure (6)
For the EB 6D EB FC that replaces 74 6D 6A 00, do the same as in Figure (6) and choose Add to list. That completes the patch for IDMan.exe. Only the registry patch remains.

Figure (7)
Save the file as shown in Figure (7) and click the Create Patch button from Figure (1); we now have the IDM patch file we wanted. Figure (8).

Figure (8)
(2) Creating a patch file for FlyHelp 6.1
This time we discuss the File Drop and Offset Patch methods that were left over from part (1).
First, open uPPP, choose Project > New and fill in the required information. (This was covered in part (1), so it is not repeated here.)

Figure (9)

Second, choose the kind of patch you want. Figure (10).

Figure (10)
The methods used here are File Drop and Offset Patch. Because we chose Offset Patch, the patch becomes a static one: if the FlyHelp version changes, the patch will no longer work.
Third, press the Offset Patch button and compare the offsets and bytes to be patched. Figure (11). The files offset-patched here are FSWebHelpLib.dll and HtmlViewEdit.dll.

Figure (11)
Before comparing as in Figure (11), the original HtmlViewEdit.dll must keep its original name, and the already-cracked HtmlViewEdit(CRACKED).dll must be ready. After comparing, save. Do the same for FSWebHelpLib.dll. (This time you have to crack the software yourself; the cracking method is not explained here.)
The next step is to place the file we cracked in the C:\Program Files\FlyHelp folder.

Figure (12)
Note that Fly_Help.exe is a child program produced by FlyHelp.exe: it is written out only when FlyHelp.exe is started and deleted at other times. So that our cracked file cannot be replaced by the original Fly_Help.exe, we select READ ONLY/HIDDEN/SYSTEM for the dropped file.
The next step is choosing the template/theme you like.

Figure (13)
That completes the preparation. Just press the Create Patch button from Figure (9), and you get a complete patch file as shown in Figure (14).

Figure (14)
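The Offset Patch step above, as an added example that is not uPPP's code and not from the book: make_offset_patch() diffs the original file against the cracked copy into (offset, old, new) runs and pins the result to the original's size and SHA-256, which is exactly what makes the patch static; apply_offset_patch() refuses any other build. ORIGINAL and CRACKED are constructed byte strings standing in for HtmlViewEdit.dll and HtmlViewEdit(CRACKED).dll, so no real file is read.

```python
"""Offset Patch generation: diff an original binary against a cracked copy and
record (offset, old bytes, new bytes) runs, pinned to one exact build.

Added example, not uPPP's code and not from the book. ORIGINAL and CRACKED are
constructed byte strings standing in for HtmlViewEdit.dll and
HtmlViewEdit(CRACKED).dll; no real file is read.
"""
import hashlib


def make_offset_patch(original, cracked):
    """Return {'size', 'sha256', 'patches': [(offset, old, new), ...]}.
    Consecutive differing bytes are merged into one run. The size and hash of
    the original are what make this a static ("dead") patch: it is valid for
    that build only."""
    if len(original) != len(cracked):
        raise ValueError("offset patches need equal-size files; redo the crack for this build")
    runs, i, n = [], 0, len(original)
    while i < n:
        if original[i] == cracked[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != cracked[j]:
            j += 1
        runs.append((i, original[i:j], cracked[i:j]))
        i = j
    return {"size": n, "sha256": hashlib.sha256(original).hexdigest(), "patches": runs}


def apply_offset_patch(target, patch):
    """Apply the patch only to the exact build it was generated from."""
    if len(target) != patch["size"] or hashlib.sha256(target).hexdigest() != patch["sha256"]:
        raise ValueError("target is not the build this patch was made for")
    out = bytearray(target)
    for off, old, new in patch["patches"]:
        if bytes(out[off:off + len(old)]) != old:
            raise ValueError(f"unexpected bytes at offset {off:#x}")
        out[off:off + len(new)] = new
    return bytes(out)


def format_patch(patch):
    """Human-readable listing, one run per line: offset, old -> new."""
    lines = [f"size={patch['size']} sha256={patch['sha256'][:16]}..."]
    for off, old, new in patch["patches"]:
        lines.append(f"{off:08X}: {old.hex(' ').upper()} -> {new.hex(' ').upper()}")
    return "\n".join(lines)


# Constructed sample: a JE turned into JMP, and a TEST EAX,EAX ; JE pair
# turned into XOR EAX,EAX ; NOP NOP.
ORIGINAL = bytes(16) + bytes.fromhex("7405") + bytes(8) + bytes.fromhex("85C07408") + bytes(6)
CRACKED = bytes(16) + bytes.fromhex("EB05") + bytes(8) + bytes.fromhex("33C09090") + bytes(6)

if __name__ == "__main__":
    print(format_patch(make_offset_patch(ORIGINAL, CRACKED)))
```

The hash check is the honest version of "the patch only works on 6.1": rather than corrupting a newer build whose bytes happen to differ at those offsets, the patcher refuses, which is the failure a user would otherwise report as "the program no longer starts".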
Chapter (12) - Windows APIs crackers should watch


INFO: An API (Application Programming Interface) is a collection of functions through which programs talk to the OS. The Win32 API is a large collection of such functions and is the low-level programming interface for Windows applications. Microsoft later introduced higher-level interfaces that cover most of the Win32 API's features; the best known is MFC (Microsoft Foundation Classes), which uses C++ objects to communicate with Windows. Underneath, MFC still calls the Win32 API to reach the OS. The same goes for the now-popular .NET Framework: although it exposes OS services through the System namespace, it ultimately calls the Win32 API as well. The Win32 API contains roughly two thousand functions and is divided into three groups: Kernel, USER and GDI. Then there is the native API, the interface of the Windows NT system itself. On Windows NT the Win32 API sits on top of the native API. Because the NT kernel has nothing to do with the GUI, the native API contains no graphics functions; functionally it is the interface to the Windows kernel and is used for the memory manager, the I/O system, the object manager, processes and threads. Application programs are not supposed to call the native API directly; doing so would break compatibility with Windows 98, which has no such layer, and since Microsoft documents very little of it, applications keep using the Win32 API to talk to the OS. Typical Win32 API DLLs are kernel32.dll, user32.dll and gdi32.dll; the native API lives in ntdll.dll. Native API functions are recognisable by their prefixes: Nt (NtCreateFile) and Zw (ZwCreateFile).

Figure (1) How the Win32 APIs relate to the kernel



Kernel APIs. Also called the BASE API; they live in kernel32.dll. This group contains all the non-GUI services: file input/output, memory management, object management, process and thread management and so on. To do its work kernel32.dll calls the low-level native API in ntdll.dll. Kernel APIs are used to create and work with kernel-level objects such as files and synchronization objects.
GDI APIs. The GDI APIs live in GDI32.dll and provide the graphics services, such as drawing a line or displaying a bitmap. On NT the GDI itself is implemented in the kernel module WIN32K.sys. For drawing, GDI centres on GDI objects such as device contexts, brushes and pens, because these objects are not managed by the kernel's object manager.
USER APIs. They live in User32.dll and provide the higher-level GUI services: window management, menus, dialog boxes and user-interface controls. USER draws every GUI object through GDI calls. USER APIs deal mainly with user-interface objects such as windows and menus, which the kernel's object manager does not handle either.
In this chapter we study the API functions to watch while cracking. Knowing them in detail makes cracking easier. The API functions to watch are the following:
When dealing with dialog boxes
DialogBoxParamA
GetDlgItem
GetDlgItemInt
GetDlgItemText
GetWindowText
GetWindowWord
When dealing with message boxes
MessageBeep
MessageBoxA
MessageBoxEx
SendMessage
SendDlgItemMessage
When dealing with the registry
RegCreateKey
RegDeleteKey
RegQueryValue
RegQueryValueEx
RegCloseKey
RegOpenKey
When reading from or writing to files
ReadFile
WriteFile
CreateFile
When reading from INI files
GetPrivateProfileString
GetPrivateProfileInt
WritePrivateProfileString
When reading data from other places
LoadString
lstrcmp
MultiByteToWideChar
WideCharToMultiByte
wsprintf
When dealing with time and dates
GetFileTime
GetLocalTime
GetSystemTime
GetSystemTimeAsFileTime
SetTimer
SystemTimeToFileTime
When looking for a NAG window
CreateWindowEx
ShowWindow
UpdateWindow
When looking for the text of a MessageBox
SendDlgItemMessage
SendMessage
SetDlgItemText
SetWindowText
When examining registration routines, these are the APIs to search for first:
GetDlgItemText
GetWindowText
lstrcmp
GetPrivateProfileString
GetPrivateProfileInt
RegQueryValueEx
WritePrivateProfileString
(There is no WritePrivateProfileInt in the Win32 API; integers are written as text with WritePrivateProfileString and read back with GetPrivateProfileInt.)
(1) CreateProcess
CreateProcess creates a new process, which runs the specified executable file.
BOOL CreateProcess(
LPCTSTR lpApplicationName, // pointer to name of executable module
LPTSTR lpCommandLine, // pointer to command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to thread security attributes
BOOL bInheritHandles, // handle inheritance flag
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // pointer to new environment block
LPCTSTR lpCurrentDirectory, // pointer to current directory name
LPSTARTUPINFO lpStartupInfo, // pointer to STARTUPINFO
LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION
);
lpProcessInformation is a pointer (here 0x12F7C8) to the PROCESS_INFORMATION structure that CreateProcess fills in with the handles and IDs of the new process and its main thread; it is an output parameter, so whatever is at that address before the call is stale. lpCommandLine is a pointer (here 0x12F758) to the command line to execute. OllyDbg annotated the two stack arguments as follows:
0012F7C8 = lpProcessInformation = "jexepackboot ER \"C:\\Program Files\\VisualRoute\\VisualRoute.exe\"
0012F758 = lpCommandLine = "java -mx256m jexepackboot ER \"C:\\Program Files\\VisualRoute\\VisualRoute.exe\" \"C:\\DOCUME~1\\MYOMYI~1\\LOCALS~1\\Temp\\X2C123E0\" "
In this example VisualRoute.exe launches a Java process on the files under the X2C123E0 temp folder and checks there whether it is registered.
(2) GetWindowText
GetWindowText copies the text of a window's title bar into a buffer. If the window is a control, the control's text is copied instead; for example, the text you typed into a textbox is copied into the buffer.
int GetWindowText(
HWND hWnd, // handle of window or control with text
LPTSTR Buffer, // address of buffer for text
int Count // maximum number of characters to copy
);
hWnd is the handle of the window or control whose text is wanted. Buffer points to where the text is stored. Count is the maximum number of characters to copy.
(3) GetDlgItemText
GetDlgItemText retrieves the text or title associated with a control in a dialog box.
UINT GetDlgItemText(
HWND hDlg, // handle of dialog box
int ControlID, // identifier of control
LPTSTR Buffer, // address of buffer for text
int Count // maximum size of string
);
Let's look at the sample dialog box in Figure (1).

Figure (1)
In the textbox of Figure (1) I typed "Myo Myint Htike" as the password. After typing the password, set a breakpoint on GetDlgItemText, then press OK. Figure (2).

Figure (2)
Look at Figure (2). The Password textbox reads at most 17 characters (the Count argument). Viewing the dialog with Resource Hacker shows the following:
DLG_REGIS DIALOG 20, 20, 142, 81
STYLE DS_MODALFRAME | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Enter Password"
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
FONT 10, "Book Antiqua"
{
CONTROL "Textbox", 1000, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE |
WS_BORDER | WS_TABSTOP, 45, 22, 66, 11
CONTROL "OK", 1002, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP,
18, 55, 42, 15
CONTROL "Cancel", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE |
WS_TABSTOP, 80, 55, 42, 15
CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 7, 23, 34,
10
}
Figure (3)
The ControlID value 3E8h (1000 decimal) seen in Figure (2) is the Textbox control shown in Figure (3). So if you would rather not set a breakpoint on GetDlgItemText to find the Password dialog box, you can search the code for PUSH 3E8 instead.
Buffer is the virtual address in the dump window where the text you typed will be stored.
GetDlgItemText sends a WM_GETTEXT message to the control. SetDlgItemText is its counterpart: it sets the control's text.
(4) GetDlgItem
GetDlgItem retrieves the handle (HWND) of a control in the specified dialog box.
HWND GetDlgItem(
HWND hDlg, // handle of dialog box
int ControlID // identifier of control
);
(5) lstrcmp
lstrcmp compares two strings and returns 0 when they are equal; a registration routine typically tests that return value to decide whether the serial is accepted.
int lstrcmp(
LPCTSTR lpString1, // address of first string
LPCTSTR lpString2 // address of second string
);
The comparison is case-sensitive (lstrcmpi is the case-insensitive variant). Figure (4). An API name ending in A is the ANSI version and one ending in W is the Unicode version.

Figure (4)
(6) GetPrivateProfileString
GetPrivateProfileString retrieves a string from a section of an initialization (*.ini) file. Win32-based applications usually keep their initialization information in the registry instead of in .ini files.
DWORD GetPrivateProfileString(
LPCTSTR lpAppName, // points to section name
LPCTSTR lpKeyName, // points to key name
LPCTSTR lpDefault, // points to default string
LPTSTR lpReturnedString, // points to destination buffer
DWORD nSize, // size of destination buffer
LPCTSTR lpFileName // points to initialization filename
);

GetPrivateProfileString searches the initialization file for a key: lpKeyName under the section heading given by lpAppName. If the key is found, the function copies the corresponding string into the buffer. If the key does not exist, it copies the string given by lpDefault.
A section of an initialization file has the following form:
[section]
key = string
.
.

If lpAppName is NULL, GetPrivateProfileString copies all section names in the file into the buffer. If lpKeyName is NULL, the function copies all key names in the section into the buffer.
To retrieve a string from WIN.INI, use GetProfileString. In practice, when the .ini file is mapped in the registry, GetPrivateProfileString reads the data from the registry rather than from the *.ini file. The lookup works as follows.
For example:
(1) Look up the .ini file name (say myfile.ini) under
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\myfile.ini
(2) Look for the section name given by lpAppName. It may exist as a value under the myfile.ini key or as a subkey of it, or not at all.
(3) If the section name given by lpAppName has a value under the myfile.ini key, the section's keys are looked up at the registry location that value specifies.
(4) If the section name is a subkey of myfile.ini, the section's keys are looked up under that subkey.

(5) If there is no entry for the section name, the unnamed (default) value under myfile.ini, if present, gives a default registry location where the key for the section is looked up.
(6) If there is no subkey for myfile.ini and no entry for the section name, the real myfile.ini on disk is located and its contents are read.
The prefixes seen on the registry values mean the following:
! - data is written both to the registry and to the myfile.ini file on disk.
# - relates to Windows 3.1 .ini files: the registry value is initialised from the .ini file when a new user logs in for the first time after setup.
@ - if the data is not found in the registry, do not fall back to reading the .ini file on disk.
USR: - stands for HKEY_CURRENT_USER.
SYS: - stands for HKEY_LOCAL_MACHINE\SOFTWARE.
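The lookup steps and prefixes above, as an added example that is not from the book and not the Windows implementation: resolve() follows steps 3 to 6 over a registry modelled as a dict, parse_target() handles the !, # and @ prefixes and the USR:/SYS: roots, and the two API-like functions show where a read comes from and where a write goes. SAMPLE_REGISTRY and SAMPLE_DISK are constructed; the way a default (unnamed) value is extended with the section name is an assumption of this model.

```python
"""How GetPrivateProfileString / WritePrivateProfileString resolve a request
when the .ini file is mapped into the registry (IniFileMapping), including the
!, # and @ prefixes and the USR:/SYS: roots described above.

Added example, not from the book and not the Windows implementation. The
registry and the on-disk .ini files are plain dicts constructed here; the
section-subkey case and the extension of a default value with the section name
are modelled as stated in the steps above (assumption, not verified code).
"""

MAPPING_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping"


def parse_target(spec):
    """Split a mapping value such as '!@USR:App Name\\Section1' into
    (flags, registry_key_path). '#' is recorded but has no effect on a lookup.
    Unknown roots are rejected rather than guessed."""
    flags = set()
    while spec and spec[0] in "!#@":
        flags.add(spec[0])
        spec = spec[1:]
    if spec.startswith("USR:"):
        return flags, "HKCU\\" + spec[4:]
    if spec.startswith("SYS:"):
        return flags, "HKLM\\SOFTWARE\\" + spec[4:]
    raise ValueError(f"unknown mapping target {spec!r}")


def resolve(registry, ini_name, section, key):
    """Where the registry says (section, key) of ini_name lives, or None when
    the file is not mapped at all and the real .ini on disk is used (step 6)."""
    file_key = f"{MAPPING_ROOT}\\{ini_name}"
    values = registry.get(file_key, {})
    if section in values:                              # step 3: section is a value
        return parse_target(values[section])
    sub = registry.get(f"{file_key}\\{section}")       # step 4: section is a subkey
    if sub is not None and (key in sub or "" in sub):
        return parse_target(sub.get(key, sub.get("")))
    if "" in values:                                   # step 5: unnamed default value
        flags, path = parse_target(values[""])
        return flags, f"{path}\\{section}"             # assumption: section appended
    return None


def get_private_profile_string(registry, disk, ini_name, section, key, default):
    """Return (value, where_it_came_from) as the API would see it."""
    target = resolve(registry, ini_name, section, key)
    if target is not None:
        flags, reg_path = target
        value = registry.get(reg_path, {}).get(key)
        if value is not None:
            return value, f"registry:{reg_path}"
        if "@" in flags:                               # '@' forbids the disk fallback
            return default, "default (registry miss, '@' blocks the .ini file)"
    value = disk.get(ini_name, {}).get(section, {}).get(key)
    if value is not None:
        return value, f"file:{ini_name}"
    return default, "default"


def write_private_profile_string(registry, disk, ini_name, section, key, value):
    """Write as the API would: into the mapped registry key (created on demand),
    into the .ini file when unmapped, and into both when the mapping has '!'."""
    target = resolve(registry, ini_name, section, key)
    if target is None:
        disk.setdefault(ini_name, {}).setdefault(section, {})[key] = value
        return ["file"]
    flags, reg_path = target
    registry.setdefault(reg_path, {})[key] = value
    written = ["registry"]
    if "!" in flags:
        disk.setdefault(ini_name, {}).setdefault(section, {})[key] = value
        written.append("file")
    return written


# Constructed state: appname.ini mapped as in the chapter's sample program, plus a
# '@SYS:' default so unmapped sections go to HKLM\SOFTWARE and never to disk.
SAMPLE_REGISTRY = {
    f"{MAPPING_ROOT}\\appname.ini": {"Section1": "USR:App Name\\Section1",
                                     "": "@SYS:Classes\\AppName"},
    "HKCU\\App Name\\Section1": {"FirstKey": "It all worked out OK."},
}
SAMPLE_DISK = {"appname.ini": {"Section1": {"SecondKey": "only on disk"},
                               "Other": {"X": "disk x"}}}

if __name__ == "__main__":
    for sec, key in [("Section1", "FirstKey"), ("Section1", "SecondKey"), ("Other", "X")]:
        print(sec, key, get_private_profile_string(SAMPLE_REGISTRY, SAMPLE_DISK,
                                                    "appname.ini", sec, key, "Error: GPPS failed"))
```

For a cracker the practical point is the source string the model returns: a breakpoint on GetPrivateProfileString with lpFileName "appname.ini" can be satisfied from HKCU, from HKLM\SOFTWARE or from a file in the Windows directory, and which one it is depends entirely on the IniFileMapping entry, not on the file name in the call.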
(7) GetPrivateProfileInt
GetPrivateProfileInt retrieves an integer from a section of an initialization (*.ini) file; the same registry mapping applies.
UINT GetPrivateProfileInt(
LPCTSTR lpAppName, // address of section name
LPCTSTR lpKeyName, // address of key name
INT nDefault, // return value if key name is not found
LPCTSTR lpFileName // address of initialization filename
);
(8) RegQueryValueEx
RegQueryValueEx retrieves the type and data of a named value under an open registry key. Protections commonly use it to read a stored serial or "registered" flag, so the call and the value name it is given are worth watching.
LONG RegQueryValueEx(
HKEY hKey, // handle of key to query
LPTSTR lpValueName, // address of name of value to query
LPDWORD lpReserved, // reserved
LPDWORD lpType, // address of buffer for value type
LPBYTE lpData, // address of data buffer
LPDWORD lpcbData // address of data buffer size
);
(9) WritePrivateProfileString
WritePrivateProfileString is the counterpart of GetPrivateProfileString: it writes a string into a section of an initialization file (or into the registry, when the file is mapped).
BOOL WritePrivateProfileString(
LPCTSTR lpAppName, // pointer to section name
LPCTSTR lpKeyName, // pointer to key name
LPCTSTR lpString, // pointer to string to add
LPCTSTR lpFileName // pointer to initialization filename
);

Running the sample program below will make this clear. (Writing under HKEY_LOCAL_MACHINE requires administrative rights.)



#include "stdafx.h"   // Compiler - Visual C++ 8.0, Win32 Console Application
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

int main()
{
    TCHAR inBuf[80];
    HKEY  hKey1 = NULL, hKey2 = NULL;
    DWORD dwDisposition;
    LONG  lRetCode;
    TCHAR szData[] = TEXT("USR:App Name\\Section1");

    // Create the .ini file mapping key: HKLM\...\IniFileMapping\appname.ini
    // (needs administrative rights)
    lRetCode = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\appname.ini"),
        0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey1, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf("Error in creating appname.ini key (%d).\n", lRetCode);
        return 1;
    }

    // Map section [Section1] of appname.ini to HKCU\App Name\Section1
    lRetCode = RegSetValueEx(hKey1, TEXT("Section1"), 0, REG_SZ,
        (BYTE *)szData, sizeof(szData));
    if (lRetCode != ERROR_SUCCESS)
    {
        printf("Error in setting Section1 value (%d).\n", lRetCode);
        RegCloseKey(hKey1);
        return 1;
    }

    // Create the App Name key under HKCU that the mapping points into
    lRetCode = RegCreateKeyEx(HKEY_CURRENT_USER, TEXT("App Name"),
        0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey2, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf("Error in creating App Name key (%d).\n", lRetCode);
        RegCloseKey(hKey1);
        return 1;
    }

    // Force the system to read the mapping into shared memory
    // so that future invocations of the application will see it
    // without the user having to reboot the system
    WritePrivateProfileStringW(NULL, NULL, NULL, L"appname.ini");

    // Write some values; because of the mapping they land in the registry, not in a file
    WritePrivateProfileString(TEXT("Section1"), TEXT("FirstKey"),
        TEXT("It all worked out OK."), TEXT("appname.ini"));
    WritePrivateProfileString(TEXT("Section1"), TEXT("SecondKey"),
        TEXT("By golly, it works!"), TEXT("appname.ini"));
    WritePrivateProfileString(TEXT("Section1"), TEXT("ThirdKey"),
        TEXT("Another test..."), TEXT("appname.ini"));

    // Test: read one of them back through the same mapping
    GetPrivateProfileString(TEXT("Section1"), TEXT("FirstKey"), TEXT("Error: GPPS failed"),
        inBuf, 80, TEXT("appname.ini"));
    _tprintf(TEXT("Key: %s\n"), inBuf);

    // Close the keys
    lRetCode = RegCloseKey(hKey1);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return 1;
    }
    lRetCode = RegCloseKey(hKey2);
    if (lRetCode != ERROR_SUCCESS)
    {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return 1;
    }
    return 0;
}

The program works like this:
(1) It creates a key named appname.ini under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping.
(2) With RegSetValueEx() it sets the value Section1 of that key to "USR:App Name\Section1".
(3) It creates a key named "App Name" under HKEY_CURRENT_USER.
(4) The WritePrivateProfileString call with all-NULL arguments makes the system reload the mapping for appname.ini, so the following calls already see it.
(5) The three WritePrivateProfileString calls write FirstKey, SecondKey and ThirdKey into section Section1 of appname.ini. Because Section1 is mapped to App Name\Section1 under HKEY_CURRENT_USER, the system creates the HKCU\App Name\Section1 subkey on demand and stores "It all worked out OK.", "By golly, it works!" and "Another test..." there as values; no appname.ini file is written.
(6) Finally, GetPrivateProfileString follows the mapping under HKLM for Section1 and looks up FirstKey. If it is not found, the buffer receives the default text "Error: GPPS failed"; if it is found, the buffer receives the stored "It all worked out OK.".

Note: if "USR:App Name\Section1" is changed to "!USR:App Name\Section1", the system creates appname.ini under C:\Windows and writes the strings into appname.ini as well as under HKCU. Figure (5). This is a common trick when a program wants to keep its registration settings somewhere inconspicuous. ☺

Figure (5)
(10) CreateWindowEx
CreateWindowEx creates an overlapped, pop-up or child window with an extended window style; apart from that it is identical to CreateWindow.
HWND CreateWindowEx(
DWORD ExtStyle, // extended window style
LPCTSTR ClassName, // pointer to registered class name
LPCTSTR WindowName, // pointer to window name
DWORD WindowStyle, // window style
int x, // horizontal position of window
int y, // vertical position of window
int Width, // window width
int Height, // window height
HWND hWndParent, // handle to parent or owner window
HMENU hMenu, // handle to menu, or child-window identifier
HINSTANCE hInstance, // handle to application instance
LPVOID lParam // pointer to window-creation data
);
ShowWindow and UpdateWindow are used together with CreateWindowEx, which is why all three appear in the NAG-window list above.
(11) CreateFile
CreateFile is used to open or create a file.
HANDLE CreateFile(
LPCTSTR FileName, // pointer to name of the file
DWORD DesiredAccess, // access (read-write) mode
DWORD Mode, // share mode
LPSECURITY_ATTRIBUTES pSecurity, // pointer to security attributes
DWORD dwCreationDisposition, // how to create
DWORD Attributes, // file attributes
HANDLE hTemplateFile // handle to file with attributes to copy
);
The parameter to watch in CreateFile is the fifth one, dwCreationDisposition (not Mode, which is only the share mode): it decides what happens when the file does or does not exist, and a protection that looks for a licence file reacts to the result. Figure (6).

Figure (6)

dwCreationDisposition must be one of these five values (the number is what you will see PUSHed before the call):
CREATE_NEW (1) - creates a new file. If the file already exists, the function fails and EAX holds INVALID_HANDLE_VALUE, FFFFFFFF (-1). If you want to change this behaviour, patch the PUSHed value (for example PUSH 1) to the disposition you need.
CREATE_ALWAYS (2) - creates a new file; if the file already exists, it is overwritten.
OPEN_EXISTING (3) - opens an existing file; if the file does not exist, the function fails and EAX is FFFFFFFF (-1).
OPEN_ALWAYS (4) - opens the file if it exists; if not, creates it as CREATE_NEW would.
TRUNCATE_EXISTING (5) - opens the file and discards its contents; if the file does not exist, the function fails and EAX is FFFFFFFF (-1).
(12) DialogBoxParamA
DialogBoxParamA creates a modal dialog box from a template resource. Before displaying the dialog box, the function sends WM_INITDIALOG (carrying lParam) to the dialog box procedure.
int DialogBoxParamA(
HINSTANCE hInst, // handle to application instance
LPCTSTR pTemplate, // identifies dialog box template
HWND hOwner, // handle to owner window
DLGPROC DlgPro, // pointer to dialog box procedure
LPARAM lParam // initialization value
);

Viewing a KeygenMe's dialog box with Resource Hacker shows the following:
1 DIALOGEX 0, 0, 225, 142
STYLE DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE |
WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_STATICEDGE
CAPTION " :: Ziggy's KeyGenMe #0 ::"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 7, "MS SANS SERIF"
{
CONTROL 10, -1, STATIC, SS_BITMAP | SS_REALSIZEIMAGE | SS_SUNKEN | WS_CHILD |
WS_VISIBLE, 65535, 104, 200, 200
CONTROL "Name", 1002, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 30, 186, 10 ,
0x00020000
CONTROL "Serial", 1003, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 47, 186, 10 ,
0x00020000
CONTROL "Register", 1005, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 59, 62, 50, 12 , 0x00020000
CONTROL "About", 1007, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 158, 62, 30, 12 , 0x00020000
CONTROL "Close", 1004, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 191, 62, 30, 12 , 0x00020000
CONTROL "Appname", 1001, STATIC, SS_CENTER | SS_SUNKEN | WS_CHILD | WS_VISIBLE |
WS_GROUP, 35, 5, 186, 10 , 0x00020000
CONTROL " ", 1009, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 19, 186, 10
CONTROL "Name", 4, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 30, 26, 10


CONTROL "Serial", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 47, 26, 10
CONTROL 3, 1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 6, 4, 35, 35
CONTROL "Registered to : ", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 80, 50, 10
CONTROL " ", 1008, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 80, 150, 10
CONTROL " ", 1010, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 90, 180, 10
}
Looking at this in Olly, you see Figure (7).

Figure (7)
In Figure (7), DlgProc is the most important one, because it is the virtual address (00401032) of the procedure associated with the dialog. pTemplate is the dialog name. Normally, as soon as one API finishes, the next API executes. In Figure (7), however, after 00401041 executes, execution does not arrive at 00401046 but at 0040104D.
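The dialog template above is the text form Resource Hacker produces. The following is an added example (not code from the book or from Resource Hacker) that parses that syntax and pulls out the control IDs, classes and rectangles, which is what an analyst needs when mapping the IDs a program passes to SendDlgItemMessage back to the on-screen fields. The sample text, the helper names (join_wrapped_lines, parse_controls, input_control_ids, control_by_id) and the line-joining rule are assumptions of this example; the sample deliberately keeps two statements wrapped across lines, as they appear on the page.

```python
import re

# Constructed sample: a subset of the CONTROL lines of the KeygenMe dialog shown above,
# in Resource Hacker's text syntax. Two statements are wrapped mid-line, as on the page.
RC_TEXT = """1 DIALOGEX 0, 0, 225, 142
CAPTION " :: Ziggy's KeyGenMe #0 ::"
{
CONTROL 10, -1, STATIC, SS_BITMAP | SS_REALSIZEIMAGE | WS_CHILD | WS_VISIBLE, 65535, 104, 200, 200
CONTROL "Name", 1002, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 30, 186, 10 ,
0x00020000
CONTROL "Serial", 1003, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 47, 186, 10 ,
0x00020000
CONTROL "Register", 1005, BUTTON, BS_PUSHBUTTON | BS_CENTER | WS_CHILD | WS_VISIBLE |
WS_TABSTOP, 59, 62, 50, 12 , 0x00020000
CONTROL " ", 1008, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 80, 150, 10
}"""

# Statement starters in the dialog script; anything else is a continuation line.
KEYWORDS = ("CONTROL", "CAPTION", "STYLE", "EXSTYLE", "FONT", "LANGUAGE", "{", "}")

def join_wrapped_lines(text):
    """Re-join statements the dump split across lines (assumed rule: a line that
    starts with neither a keyword nor a 'N DIALOG' header continues the previous one)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if out and not line.startswith(KEYWORDS) and not re.match(r"^\d+ DIALOG", line):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out

# CONTROL <text or resource id>, <id>, <class>, <styles>, <x>, <y>, <w>, <h> [, exstyle]
CONTROL_RE = re.compile(
    r'^CONTROL\s+(?:"(?P<text>[^"]*)"|(?P<res>-?\d+))\s*,\s*(?P<id>-?\d+)\s*,\s*(?P<cls>\w+)\s*,'
    r'\s*(?P<style>[^,]+?)\s*,\s*(?P<x>\d+)\s*,\s*(?P<y>\d+)\s*,\s*(?P<w>\d+)\s*,\s*(?P<h>\d+)'
)

def parse_controls(text):
    """Return one dict per CONTROL statement: id, window class, caption, style set, rect."""
    controls = []
    for line in join_wrapped_lines(text):
        m = CONTROL_RE.match(line)
        if not m:
            continue  # DIALOGEX header, CAPTION, braces, etc.
        controls.append({
            "id": int(m.group("id")),
            "class": m.group("cls"),
            # A numeric first field is a resource id (bitmap/icon), not a caption.
            "text": m.group("text") if m.group("text") is not None else f"#{m.group('res')}",
            "styles": {s.strip() for s in m.group("style").split("|")},
            "rect": tuple(int(m.group(k)) for k in ("x", "y", "w", "h")),
        })
    return controls

def input_control_ids(controls):
    """IDs of the user-editable fields (EDIT class): the identifiers a program hands
    to SendDlgItemMessage / GetDlgItemText to read what the user typed."""
    return [c["id"] for c in controls if c["class"] == "EDIT"]

def control_by_id(controls, ctrl_id):
    """Look a control up by its dialog item id; None if absent."""
    for c in controls:
        if c["id"] == ctrl_id:
            return c
    return None

if __name__ == "__main__":
    ctrls = parse_controls(RC_TEXT)
    print("input fields:", input_control_ids(ctrls))
    for c in ctrls:
        print(c["id"], c["class"], repr(c["text"]), c["rect"])
```

Running the block lists the two EDIT fields (1002 for Name, 1003 for Serial) and the button and static controls around them; the wrapped "Register" statement parses the same as an unwrapped one because the continuation line is joined before matching.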
(13) ShowWindow
ShowWindow displays the specified window.
BOOL ShowWindow(
HWND hWnd, // handle of window
int nCmdShow // show state of window
);
(14) MessageBox
You will see MessageBox very often while cracking. MessageBox creates and displays a message box. A message box contains predefined icons, buttons, text and a title.
int MessageBoxA(
HWND hOwner, // handle of owner window
LPCTSTR Text, // address of text in message box
LPCTSTR Title, // address of title of message box
UINT Style // style of message box
);

To understand how MessageBox works, look at Figure (8).

Figure (8)

Style refers to the buttons and icons you want shown in the message box. In the example of Figure (8), the message box has only an OK button and no icon at all. (Message boxes were discussed in detail in the chapter "Basic Assembly Language".) What to watch here is hOwner. If a dialog box exists at the time the message box is created, hOwner must be the handle of that dialog box. If hOwner is 1, this message box cannot be displayed.
(15) SendMessage
SendMessage sends a message to a window or windows. The function calls the window procedure of the specified window and does not return until the window procedure has processed the message. PostMessage, by contrast, places the message in a thread's message queue and returns immediately.
LRESULT SendMessage(
HWND hWnd, // handle of destination window
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);
(16) SendDlgItemMessage
SendDlgItemMessage sends a message to a control inside a dialog box.
LONG SendDlgItemMessage(
HWND hDlg, // handle of dialog box
int nIDDlgItem, // identifier of control
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);

(17) ReadFile
ReadFile reads the data you want from a file. The file pointer indicates where reading starts.
BOOL ReadFile(
HANDLE hFile, // handle of file to read
LPVOID Buffer, // address of buffer that receives data
DWORD BytesToRead, // number of bytes to read
LPDWORD pBytesRead, // address of number of bytes read
LPOVERLAPPED pOverlapped // address of structure for data
);
Buffer is where the bytes that were read are stored. pBytesRead is the number of bytes read. BytesToRead is the maximum number of bytes to read. Figure (9).

Figure (9)
(18) WriteFile
WriteFile writes the data you want to store into a file.
BOOL WriteFile(
HANDLE hFile, // handle to file to write to
LPCVOID Buffer, // pointer to data to write to file
DWORD BytesToWrite, // number of bytes to write
LPDWORD pBytesWritten, // pointer to number of bytes written
LPOVERLAPPED pOverlapped // pointer to structure needed for overlapped I/O
);
(19) GetSystemTime
GetSystemTime reads the current date and time of the OS. The time is expressed in UTC (Coordinated Universal Time).
VOID GetSystemTime(
LPSYSTEMTIME lpSystemTime // address of system time structure
);
(20) GetFileTime
GetFileTime reads the date and time at which a file was created and last modified.
BOOL GetFileTime(
HANDLE hFile, // identifies the file
LPFILETIME lpCreationTime, // address of creation time
LPFILETIME lpLastAccessTime, // address of last access time
LPFILETIME lpLastWriteTime // address of last write time
);
(21) SetTimer
SetTimer sets up a timer with a specified time-out.
UINT SetTimer(
HWND hWnd, // handle of window for timer messages
UINT TimerID, // timer identifier
UINT Timeout, // time-out value
TIMERPROC Timerproc // address of timer procedure
);

A SetTimer example seen in Olly looks like this. Figure (9).

Figure (9)
hWnd refers to the TPUtilWindow associated with the timer. This window is owned only by the thread that calls the function. If hWnd is NULL, the timer is not associated with any window and TimerID is ignored as well.
TimerID specifies a nonzero timer identifier value.
Timeout is the time at which the time-out occurs, in milliseconds. Timerproc points to the function that is notified and executed when the time-out occurs.
KillTimer is the API that destroys TimerID.
Chapter (13) - Cracking using a program's resources - 230 -

Chapter (13) - Cracking using a program's resources


In this chapter we will try cracking by using a program's resources. Why use this method? Because it makes cracking faster. The program chosen for cracking this time is Active Desktop Calendar Version 5.95. Active Desktop Calendar is software that puts a calendar on your desktop, as in Figure (1), and keeps notes of the tasks you plan to do and have done.

Figure (1)
Download Active Desktop Calendar from www.xemico.com and install it.

Figure (2)

When you open ADC, you see as in Figure (2) that it is not yet registered. If you choose About Active Desktop Calendar from the Help menu, you see Figure (3).

Figure (3)
OK, let's choose Registration from the Help menu and try to register. Figure (4).

Figure (4)
If you click the Register button in Figure (4), you see Figure (5).

Figure (5)
That is enough. Let's try patching the program. Before patching, let's first look at the ADC program with the Resource Hacker software. Figure (6).

Figure (6)

The Resource Hacker program shows the resources a program uses, as in Figure (6). Recall that every program has a .rsrc section. In general, Resource Hacker can modify a program's resources any way you like. Figure (7).

Figure (7)
Remember that Resource Hacker can only modify resources. It cannot make a program register successfully. Therefore we have to use Resource Hacker together with Olly Debugger. Look again at Figures (3, 4, 5). They are dialogs. Let's look at these dialogs in detail in Resource Hacker. Click the "dialog" entry in Figure (6). You will see Figure (8).

Figure (8)
Look carefully at the number 100 in Figure (8). It is the dialog name. Before calling the dialog function, the program pushes the dialog name onto the stack.

Figure (9)
The number 207 in Figure (9) is the dialog that brings up the registration box of Figure (4).

Figure (10)
The number 208 in Figure (10) is the dialog that brings up the BadBoy MessageBox of Figure (5).
OK. Let's open the ADC program in Olly. Figure (11).

Figure (11)
Once you see Figure (11), let's search in Olly for the dialog names we just looked at. Right-click in Olly and choose Search for, All commands. Let's first search for the registration dialog (207d = 00CFh). Figure (12).

Figure (12)
If you click the Find button in Figure (12), you see Figure (13).

Figure (13)
Set a breakpoint on every command seen in Figure (13). After setting the breakpoints, press F9 to run the program. Then choose Registration from the Help menu. You will see Figure (14).

Figure (14)
In Figure (14), the place we have landed, VA 0045EEC0, is the CALL for the registration dialog. VA 0045EEA0 is the start of the routine containing that CALL. If you want to know from which virtual address this routine is called, look in the stack window. Figure (15).

Figure (15)
According to Figure (15), after VA 0045EEA0 finishes it returns to VA 00434E86. To check whether that is right, right-click and choose Follow in Disassembler. You will see Figure (16).

Figure (16)
In fact, the routine at VA 0045EEA0 is called from VA 00434E81. I think that much is clear by now. Look again at Figure (14). As Figure (14) shows, the dialog name has been pushed onto the stack. To see what happens next, press F9. You will see Figure (17).

Figure (17)
If you see Figure (17), it is still not registered. That is because the dialog (208d = D0h) seen in Figure (10) still has to be found. As in Figure (12), type PUSH 0D0h and set a breakpoint on every command found. This time only one particular command turns up. Figure (18).

Figure (18)
The JE at VA 0045F0D3 in Figure (18) decides whether the registration succeeds or fails, and on failure execution arrives at VA 0045F239. That is why the BadBoy DialogBox appears. If you change this instruction from JE to NOP, registration succeeds whatever code you type. Figure (19). So save the code we changed under any file name you like.

Figure (19)
To be more certain, look in the registry editor (regedit.exe) as in Figure (20).

Figure (20)
If you reopen the saved file and look at About Active Desktop Calendar from the Help menu, it still shows what is in Figure (21).

Figure (21)

Therefore, let's also set a breakpoint at the virtual address of this dialog (100d = 0064h) and run (F9). While the program runs, it will pause at every breakpoint where there is a PUSH 64. If a breakpoint is unrelated, remove it (except the PUSH 64 breakpoint that calls the About dialog). After removing the unrelated breakpoints this way, when the program menu appears, choose About ADC from the Help menu. This time we have arrived at the About dialog breakpoint we were looking for. Figure (22).

Figure (22)
VA 00401C60 in Figure (22) is the start of the routine. If you want to know where it is called from, right-click in the stack window and choose Follow in Disassembler. You will see Figure (23).

Figure (23)
As shown in Figure (23), VA 00401C60 is called from VA 00401D48. If you press F9, you see Figure (21). To find out why the text "This is an unlicensed copy" appears, look at the About dialog (100d) again with Resource Hacker. Figure (24).

Figure (24)
Looking at Figure (24), you see that it too has a number pushed onto the stack (1044d = 414h). Let's see what happens if we can skip this place. Search for PUSH 414h and set a breakpoint. Then restart the program in Olly and choose About ADC from the Help menu. Then keep pressing F9 until you reach the breakpoint at PUSH 414h. Finally you arrive at the breakpoint as in Figure (25).

Figure (25)
Explanation:
413 = DeskLook Verson x.y
414 = This is an unlicensed copy.
415 = User
416 = Registration Code
417 = This is an unlicensed copy.
3FD = Buy &Online Now!

Figure (26)
Press F8 from VA 00401DE2 in Figure (25) down to VA 00401EAC in Figure (26). Change the JE at VA 00401EAC to NOP. Then save the file under any name you like. Open the saved file and choose About ADC from the Help menu. You will see Figure (27).

Figure (27)

The next step is to make the "unregistered" text that appears on the splash screen disappear. Change the JNZ at VA 004013E4 to JMP and save the file. Figure (28).

Figure (28)
I think you understand that the CALL at VA 004013DD in Figure (28) is the routine that checks whether the program is registered. OK. Reopen the program. You will see Figure (29).

Figure (29)
In conclusion, to register Active Desktop Calendar successfully we changed the code in three places:
(1) JNZ at VA 004013E4 to JMP (Splash Screen)
(2) JE at VA 00401EAC to NOP (About Dialog)
(3) JE at VA 0045F0D3 to NOP (Registration Dialog)
In making these changes we used the help of the Resource Hacker program and made them easily. (Keep in mind that when cracking programs written in Delphi, it is best not to crack them using Resource Hacker. How to crack Delphi programs is discussed in detail in "Chapter (17) - Cracking programs written in Delphi".)
Chapter (14) - Packers (Protectors) - 240 -

Chapter (14) - Packers (Protectors)


This chapter discusses packers (protectors), which are the most common thing encountered in the cracking world. In short, packing is the process of compressing an exe file and adding a decompression stub that decompresses it so it can execute and then starts execution. Compression refers to any method of compressing a file; the compressed code is combined inside one exe file with the decompression code it needs. At execution time the original exe code is unpacked again. The effect is that the file works just like the original, uncompressed exe file. The characteristics of a compressed file are:
(1) it takes up less space on the file system;
(2) it takes less time to move the data from the file system into memory;
(3) before execution starts, it takes more time than the uncompressed file, because the data has to be decompressed.
A compressed exe file is like an exe file turned into an archive (the kind of archive made with software such as WinRAR). The difference is that the compressed data is itself an exe file.
There are various exe compressors for DOS, Windows and other OSes, released as command-line tools and as GUI versions.
Packing files has advantages and disadvantages. The advantages are:
(1) when you put your file on the internet, people can download it quickly;
(2) you can protect your software from novice crackers (crackers must unpack it first before cracking it).
The main disadvantage concerns anti-virus. Many anti-virus products treat some packed files as a virus or trojan (especially McAfee anti-virus).
A protector is, really speaking, just a simple packer. Protectors scrutinize and transform the code more than simple packers do. One important drawback of protectors is the size of the protected file. While packers make the packed file smaller, protectors add a great deal of code to defend against crackers. That is why some protected files (small files) turn out to be 600% larger than the original. A normal packer, by contrast, can reduce the original file size by at least about 30%.
Another important point is that some programmers use protected files to hide their malicious code (viruses, worms). Only when protected this way does anti-virus software fail to detect it immediately. That is why you need to know protectors thoroughly and keep learning how to unpack them.
Concerning protectors and packers, another thing to remember: the entry point (EP) is the first virtual address you see when a packed/protected program is opened in Olly, and the OEP (original entry point) is the original entry point reached after the decompression stub has finished. (That is, the entry point the file had before it was packed/protected.)
Protectors/packers unpack the program in memory. At that point they jump to the OEP so the program can take commands, and to obtain the original program we have to dump it. The three main ways to dump it are:
(1) tracing the code (by pressing F8);
(2) using the ESP register;
(3) using the exceptions raised by the compressor.
In this chapter we will unpack a sample program packed with a simple packer, using two methods. The first method is unpacking the packed exe file and then patching it; the second is inline patching. The tool we use here is UPX 2.03 (Ultimate Packer for eXecutables), available free at http://upx.sourceforge.net.

UPX is well known for making exe files small and does not use advanced protection methods. The UPX I mean is the UPX written by Marcus and Laszlo. First we pack with UPX, and only then try to unpack. (Incidentally, most Myanmar software is not protected (packed) with any packer, and most of the software that is packed is packed with UPX.) You may wonder why we spend time unpacking by hand when many tools that unpack UPX-packed files are freely available on the internet. Do not trust any unpacker tool advertised on the internet. These unpackers may well unpack UPX-packed files, but they also tend to add unrelated code to the exe files that steals security-related information.
(1) Packing with UPX
The little program we will pack here is the calculator (calc.exe) that ships with Windows. You can easily find it under Windows' System32 folder. Before packing, let's use PEiD to see which programming language calc.exe was written in. Figure (1).

Figure (1)

Type cmd in Run... from the Start menu and open a command prompt. Why use the command prompt? Because UPX is a command-line utility.

Figure (2)
As seen in Figure (2), type upx calc.exe at the command prompt and press Enter, and our little program is packed with UPX. Now let's check the packed calc.exe again with PEiD. Figure (3).

Figure (3)
According to Figure (3), calc.exe is packed with UPX 0.89-2.9. It cannot tell the exact version. To know the exact version, use ProtectionID 6.x.

Figure (4) The packed file inspected with …


Looking at Figure (4), only the .rsrc section keeps its original name; every other section is renamed. Looking at calc.exe before packing with PEiD's section viewer, you see Figure (5). After packing, instead of the .text, .data and .rsrc sections we have UPX0, UPX1 and .rsrc. All the section names changed, so why does the .rsrc section keep its name? This is an interesting point. The story is this: back in the Windows 95 days, the LoadTypeLibEx function in oleaut32.dll had a bug. It searched for the text "rsrc" to operate on the resource section. So if this section were renamed, an error would occur. Although the bug has long been fixed, many packers still do not rename the .rsrc section, for fear of problems with Windows.

Figure (5)
If you open the packed file with LordPE and compare it with the unpacked file, you see the changes in the PE header as in Figure (6). (Click the compare button in LordPE.)

Figure (6)

(2) Unpacking a file packed with UPX


Now let's unpack the packed file. If you open the packed file in Olly, Olly asks whether the file is compressed, as in Figure (7).

Figure (7)
If you answer Yes in Figure (7), you arrive at the entry point as in Figure (8).

Figure (8)
UPX compressed our application and replaced its code with a stub containing the decompression algorithm. The application's entry point was changed to the start of the stub, and when the stub has done its work, execution jumps to the original entry point (OEP) to start the now unpacked program (UPX unpacks it by itself). Keep in mind that the stub decompresses our application in memory, and to get an unpacked copy of the packed application we dump that memory region to a file. Even so, the application will not run straight away. That is because the sections in the dumped file are aligned to memory page boundaries rather than to the file alignment value, the entry point still points at the decompression stub, and the import directory is wrong, so these have to be fixed.
Remember that in Olly our entry point is at the first instruction, PUSHAD. PUSHAD means "PUSH all Double" and instructs the CPU to save on the stack the contents of all the 32-bit (DWORD) registers, starting with EAX and ending with EDI. If you look closely, you will see that the stub executes the code between the PUSHAD and POPAD instructions before it goes to the OEP. POPAD copies everything from the stack back into the registers. In other words, the stub restores everything and leaves before the application runs, without being traced.
For now, while we are at the first instruction PUSHAD, we should leave everything on the stack untouched until the final POPAD instruction accesses it.

If, while we are at PUSHAD, we set a hardware breakpoint on the first 4 bytes of the stack, Olly will stop when POPAD accesses those same 4 bytes. Then we will find the virtual address of the jmp instruction that leads to our entry point.
So go to the PUSHAD instruction in Figure (8) and press F7. Then set the breakpoint. ESP (the stack pointer) always holds the location of the top of the stack. Right-click on ESP and choose Follow in Dump.

Figure (9)
Then select the first DWORD (4 bytes) of the stack. Right-click and choose Breakpoint, Hardware, on access, Dword. Figure (10).

Figure (10)
Once it is set, press F9. You arrive right at the breakpoint. Figure (11).

Figure (11)
Looking at Figure (11), you see that the code from PUSHAD to POPAD has executed. The JMP at VA 01020E5B in Figure (11) is the entry point location we are looking for. To reach JMP xxx.xxxxxxxx, set a breakpoint at VA 01020E5B and press F9. You arrive at the entry point as in Figure (12). Subtracting the ImageBase value 1000000h from the OEP gives the RVA value 20E5Bh. Remember this value; it will be useful later.

Figure (12)
A little secret about UPX: go to the very bottom of Olly's CPU window. You will see DB code filled with 00s, as in Figure (13).

Figure (13)
Then scroll up to the JMP instruction as in Figure (14). If you set a breakpoint at this virtual address and press F9, you arrive at the JMP instruction. After that, pressing F8/F7 brings you to the EP we are looking for.

Figure (14)
INFO: Other packers that use the same simple PUSHAD/POPAD mechanism can also jump to the OEP by using a PUSH instruction to place the OEP value on top of the stack, followed by a RET instruction. The CPU treats this as a return from a function call and takes the return address from the top of the stack.
Once we have found the OEP, let's dump with OllyDump, an Olly plug-in. From Olly's Plugins menu choose OllyDump and click Dump debugged process. You will see Figure (15).

Figure (15)
To show some interesting things, leave Fix Raw Size … and Rebuild Import in Figure (15) unchecked. Then click the Dump button and save the file under the name packed_dumped.exe. Figure (16).

Figure (16)
If you reopen the file we dumped and saved in Figure (16), you will see an error as in Figure (17).

Figure (17)
Why the error? Because our dumped file has lost its icon. That is because the file size has grown. Open the application in LordPE and look at the sections. Figure (18).

Figure (18)
The RawOffset and RawSize values are wrong. So, to make the application work, each section's Raw values must be matched to its Virtual values. Put the VirtualAddress value into RawOffset and the VirtualSize value into RawSize. Fix all 3 sections this way and save the file. (Note: if you tick OllyDump's "Fix Raw size & Offset of Dump Image" checkbox, you do not need to fix these by hand.) Then you see Figure (19).
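The section-name observation above (UPX0/UPX1 with an untouched .rsrc), the OEP-minus-ImageBase subtraction and the RawOffset/RawSize repair are all things that can be done programmatically from the PE headers. The following is an added example (not code from the book, from UPX or from OllyDump) that builds a small constructed PE header image laid out the way the chapter describes for the packed calc.exe, parses its section table, reports the triage indicators a scanner would flag on such a sample, converts a VA to an RVA, and applies the dump repair (RawOffset := VirtualAddress, RawSize := VirtualSize). The function names, the sample's sizes and offsets, and the indicator heuristics are assumptions of this example.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # assumed watch-list for triage

def build_sample_pe(image_base=0x01000000):
    """Constructed sample: only the headers of a PE32 image, laid out as the chapter
    shows for the UPX-packed calc.exe (sections UPX0, UPX1, .rsrc; entry point in
    UPX1). Sizes and offsets are invented; nothing in this image executes."""
    sections = [  # name, VirtualSize, VirtualAddress, RawSize, RawOffset
        (b"UPX0",  0x13000, 0x01000, 0x00000, 0x00400),
        (b"UPX1",  0x0F000, 0x14000, 0x0E200, 0x00400),
        (b".rsrc", 0x05000, 0x23000, 0x04400, 0x0E600),
    ]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x010F)
    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # magic: PE32
    struct.pack_into("<I", opt, 16, 0x20E5B)           # AddressOfEntryPoint (the stub's JMP)
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, ro, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, ro in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(data):
    """Read the section table plus the two header fields the chapter relies on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, rs, ro = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": vs, "VirtualAddress": va,
                         "RawSize": rs, "RawOffset": ro})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "table_offset": table, "sections": sections}

def va_to_rva(va, image_base):
    """The subtraction the chapter does by hand: 01020E5B - 01000000 = 20E5B."""
    if va < image_base:
        raise ValueError("VA below ImageBase")
    return va - image_base

def section_for_rva(info, rva):
    for s in info["sections"]:
        span = max(s["VirtualSize"], s["RawSize"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return s
    return None

def packer_indicators(info):
    """Cheap triage checks for a sample; returns the reasons found (empty = none)."""
    reasons = []
    hits = [s["name"] for s in info["sections"] if s["name"] in PACKER_SECTION_NAMES]
    if hits:
        reasons.append("known packer section names: " + ", ".join(hits))
    for s in info["sections"]:
        # Large in memory but empty on disk: the unpack destination (UPX0 here).
        if s["RawSize"] == 0 and s["VirtualSize"] > 0:
            reasons.append(f"{s['name']} has VirtualSize 0x{s['VirtualSize']:X} but RawSize 0")
    ep_sec = section_for_rva(info, info["entry_rva"])
    if ep_sec is not None and ep_sec["name"] not in (".text", "CODE"):
        reasons.append(f"entry point 0x{info['entry_rva']:X} is in section {ep_sec['name']}")
    return reasons

def fix_dump_headers(data):
    """The manual repair the chapter describes for a memory dump: for every section
    RawOffset := VirtualAddress and RawSize := VirtualSize, because a dump is laid
    out as the image was in memory, not as the file was on disk."""
    info = parse_pe(data)
    out = bytearray(data)
    for i, s in enumerate(info["sections"]):
        hdr = info["table_offset"] + 40 * i
        # SizeOfRawData is at +16 and PointerToRawData at +20 in the section header.
        struct.pack_into("<II", out, hdr + 16, s["VirtualSize"], s["VirtualAddress"])
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("RVA of 0x01020E5B:", hex(va_to_rva(0x01020E5B, info["image_base"])))
    for r in packer_indicators(info):
        print("indicator:", r)
    for s in parse_pe(fix_dump_headers(sample))["sections"]:
        print(s["name"], "RawOffset", hex(s["RawOffset"]), "RawSize", hex(s["RawSize"]))
```

On the constructed sample the triage function reports three indicators (the UPX section names, a section that is empty on disk but large in memory, and an entry point outside .text); after fix_dump_headers the empty-on-disk indicator disappears because the Raw fields now mirror the Virtual ones, which is exactly why the dumped file's section table looks "wrong" in LordPE before the repair.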

Figure (19)
Sadly, though, when you open the packed_dumped.exe file it does not work, and you see Figure (20).

Figure (20)
Don't worry. This is because the imports need to be reconstructed (rebuilt). As explained in the "PE header" chapter, you can rebuild the imports by hand from a running process. However, doing it by hand takes a lot of time, because there are many imported functions and it depends on how the import data was damaged. To solve this automatically we use MackT's ImpRec 1.6.
To use ImpRec 1.6, the packed file must be attached as a process so that the imports can be found. Do the following.
1. As in Figure (21), select the packed program (make sure packed.exe is open in Olly).
2. In the OEP field, type the virtual address 12475.

Figure (21)
3. Then choose IAT AutoSearch. You see Figure (22). Click OK.

Figure (22)
4. Click the Get Imports button in Figure (21). You see Figure (23).

Figure (23)
5. Choose Show Invalid and check whether the imports are valid. They are all valid.

6. Click the Fix Dump button and open the packed_dumped.exe we saved last. You see Figure (24). If there is a problem, an error appears saying the section cannot be added.

Figure (24)
7. Close the program and open the last saved packed_dumped_.exe. You will see that it works fine.
ImpRec repaired the exe file we dumped and saved it. If you open this file in PEiD, you will see that the unpacked file (packed_dumped_.exe) is larger than the original file before packing (calc.exe), and that two extra sections named "makct" and "newIID" have appeared. The "makct" section is where ImpRec stores the new import data.

Figure (25)
Checking packed_dumped_.exe again with PEiD, you see Figure (26).

Figure (26)

What was explained above is unpacking a file packed with a simple packer. Advanced packers add various protection methods to the file when packing, for example anti-debugging and anti-tampering tricks, encryption of the code and the IAT, stolen bytes, API redirection and so on. Later chapters discuss these.
(3) Patching with the inline-patch method
If you absolutely must patch a packed file, you can use the inline-patch method to patch it without unpacking. This means: after the loader has run the decompression stub, the code is modified in memory, and finally execution continues to the OEP so the application can run. Put another way, execution is diverted to the patched code before the unpacked application in memory starts, and at the end it jumps back to the OEP.
To make this clear, we will insert code for a MessageBox into the packed calc.exe. Then we will find out at what point the application has finished unpacking in memory. When OK is pressed on the MessageBox, execution reaches the OEP and the application runs normally.
The first thing to do is open calc.exe with a hex editor to find free space for the code to be inserted into the packed file. Figure (27). The free space at the end of a section is the best place to insert code, and if more space is needed we can extend a section as in the chapter "Adding code to a PE file". Finding free space in UPX-packed files is quite hard. That is why UPX-packed files are so small.

Figure (27)
Edit the file in WinHex as shown in Figure (27) and save it under the name packed(inline).exe. Then open packed(inline).exe in Olly. To find the string Unpacked… that we typed in, right-click in Olly's Hex window and choose Binary string under Search for.

Figure (28)
Then search for the string Unpacked… as in Figure (29).

Figure (29)
You will then find the strings we are looking for, as in Figure (30).

Figure (30)
The virtual address of the string Unpacked… is 010233C0, and the virtual address of the string Myanmar Crackers … is 010233D0. Note these virtual addresses. Then press the button in Olly and jump straight to VA 010233C0. Figure (31).

Figure (31)
The highlighted code in Figure (31) is the strings we typed in. Starting at VA 010233E0, enter the rest of the code for MessageBoxA. Figure (32) shows what you see once the MessageBoxA code has been entered.

Figure (32)
Then click Analyze This!, one of Olly's plugins, and analyze the code. You will see it change as in Figure (33).

Figure (33)
If, when you analyze Figure (32) with Analyze This!, you do not see what is highlighted in Figure (33), the program you patched will show an error.

Figure (34)
Good, now let's save the code we modified to a file. Highlight the modified code as in Figure (34). Then right-click and choose Copy to executable file. You will see Figure (35).

Figure (35)

In Figure (35) right-click and choose Save file. Save the file under any name you like. Then close Olly and run the file we just saved. Nothing has changed from before. That is because we have not yet pointed anything at the MessageBoxA code. Open the last-saved file in Olly again. Press the button and go straight to VA 01020E5B. Figure (36).

Figure (36)
At the JMP 01012475 in Figure (36), we must enter 010233E0, the virtual address of our MessageBoxA code. Figure (37).

Figure (37)
Then save the file under any name you like. Close Olly and run the file. You will see what Figure (37) shows. When you press OK, you get to the calculator program.

Figure (38)
What I have just explained is modifying code inside a packed file without unpacking it (inline-patching). You may be wondering why adding this little MessageBox has to be so hard. True: in files that are not packed this is very easy. You just change the entry point address to where the MessageBox is. And there is plenty of free space in them. What I mean is, never mind a MessageBox, there is so much free space that you could even write code that checks passwords entered in a textbox. Try changing the file's entry point from VA 01020CD0 to VA 010233E0 so it lands directly on the MessageBox added by inline-patching. The MessageBox of Figure (38) may appear, but the calculator program will not run. Why? Because UPX's decompression stub has been skipped.

That is all for the lesson on UPX. I think you now understand a little of the theory behind unpacking. I would like to stop here as far as unpacking goes, but to help you understand advanced packers better I will add a discussion of ActiveMARK.
(4) Unpacking a file packed with ActiveMark 5.0
Trymedia is a part of RealNetworks, and ActiveMark is Trymedia's packing/protection technology. Trygames is a part of Trymedia and handles the downloading, trials and sales of Trymedia's games.
The games sold by PopCap Games (www.popcap.com) and a great many of the games sold by Infogrames (www.infogrames.com) are protected with ActiveMARK. Games protected with ActiveMARK have no registration, because they are demo games that can be played as the full version for a set time. Once that time is up they can no longer be played, and the allowed play time is usually only 60 minutes. For this lesson I first thought of unpacking Monopoly 3, because I could not find a crack for Monopoly 3 on the internet, and the crack files that have been shared do not work. But since its file size is 258 Mbytes, you might find it hard to download from the internet. So I chose Zuma Deluxe, sold by PopCap Games, to unpack instead. Download Zuma from www.popcap.com and install it.
Then check zuma.exe with PEiD. Figure (39).

Figure (39)
According to Figure (39), zuma.exe is definitely protected with ActiveMARK 5.x. To get a clear idea of how the program behaves, run Zuma. Figure (40).

Figure (40)

Good, let's try unpacking Zuma.


(4) Dumping a file packed with ActiveMark 5.0
First, start zuma.exe. Open Olly. Choose Attach from the Open menu.

Figure (41)
Then attach to zuma.exe as shown in Figure (42).

Figure (42)
After attaching, it stops at VA 7C901231, as seen in Figure (43). It actually stops because of the DbgBreakPoint API function in ntdll.dll. Since DbgBreakPoint is not a Win32 API, the help file will say nothing about it.

Figure (43)
Press Alt+M in Olly and look at the memory map. Figure (44).

Figure (44)
The highlighted area in Figure (44) is where the second layer entry point is. Right-click here and choose View in disassembler, or press the Enter key. You will see Figure (45).

Figure (45)
Right-click at the highlighted place in Figure (45) (VA 005AE000) and choose All intermodular calls under Search for. You will see Figure (46).

Figure (46)
When you see Figure (46), type getversion. We want to find the GetVersion function. When you find the GetVersion API, right-click and choose Follow in disassembler. You will see Figure (47).

Figure (47)

Right-click on the PUSH EBP in Figure (47) and choose Hardware, on execution under Breakpoint. Then press the button in Olly and close zuma.exe for the moment.
Choose Debugging options from Olly's Options menu. You will see Figure (48).

Figure (48)
As seen in Figure (48), tick Break on new module (DLL). Then press OK.
This time we will not attach to zuma.exe; we will open it directly from Olly. Figure (49).

Figure (49)
Figure (49) shows zuma.exe's entry point. From here, keep pressing F9 until you reach the hardware breakpoint we set. You will see which modules are being loaded, as in Figure (50).

Figure (50)
After pressing F9 repeatedly we finally arrive at the breakpoint we set, as in Figure (51). One warning in advance: do not analyze the code. If you have analyzed it, the PUSH EBP at VA 00696E58 will only show as DB 00.

Figure (51)

VA 00696E58 in Figure (51) is the OEP we are looking for. Now let's try to dump the process we are debugging. Choose OllyDump, one of Olly's plug-ins. Figure (52).

Figure (52)
Click the Dump button in Figure (52) and save the file under the name dumped.exe. As when we dumped the UPX file, dumped.exe will not run if you open it. So open ImpREC and fix the imports. The reason for using ImpREC (Import Reconstruction) is to find, fix and add the missing functions in the dumped file. Without these repairs, your dump file will not be a valid PE file.

Figure (53)
The steps to take according to Figure (53) are ...
1. Attach to the zuma.exe opened in Olly as the active process.
2. Subtract the imagebase shown in ImpREC (VA 00400000) from the OEP value we found when we opened the file in Olly (VA 00696E58), and enter the result (296E58) in the OEP field.
3. After entering the OEP value, choose IAT AutoSearch. You will see Figure (54).

Figure (54)
4. Click OK on Figure (54) and press the Get Imports button.
5. To check whether the import functions are valid, press the Show Invalid button and look. Here we find that they are all valid.
6. So choose the Fix Dump button to match up the imports of our dumped.exe with those of zuma.exe. As in Figure (55), you will see the file saved without any error under the name dumped_.exe.

Figure (55)
Since repairing our dump file is now done, close ImpREC and run dumped_.exe. It no longer shows any error, but dumped_.exe does not run either. When we unpacked UPX, the unpacking was finished at this stage. With ActiveMARK it is only just starting. So open WinHex and let's edit the code.
In WinHex, open the dumped and repaired dumped_.exe and the original packed zuma.exe. What should we look for in the original file's code to find the first byte of the overlay data carried in the exe? Searching for the ASCII string TMSAMVOH is the easiest way. Before searching, to make this clearer, let's open zuma.exe in LordPE and look at its sections. Figure (56).

Figure (56)
Look at the highlighted numbers in Figure (56). These are the numbers for the last section of our executable file. They are known as Raw offset and Raw size. The Windows loader loads the exe file into memory only up to 0012BC00h, the value obtained by adding RawOffset (0012BA00) and RawSize (00000200). The whole data block that extends from this address in zuma.exe must be copied and pasted at the end of dumped_.exe. Only then will dumped_.exe work normally.
Choose Go To Offset from WinHex's Position menu and enter the offset we want to go to, 0012BC00. Figure (57).

Figure (57)
After entering 0012BC00 and pressing OK, you will see Figure (58).

Figure (58)
Right-click on the first byte seen in Figure (58) and choose Beginning of block. Figure (59).

Figure (59)
Then scroll down to the very end of the file. Then, as seen in Figure (60), right-click on the last byte and choose End of block.

Figure (60)

Now all the hex values are selected, as in Figure (61).

Figure (61)
Let's copy the selected hex values. Right-click and choose Edit. Then, as seen in Figure (62), choose Hex Values under Copy Block.

Figure (62)
Now we need to paste the copied hex values. Select the dumped_.exe tab in WinHex and go to the end of the file. Right-click at the last byte and choose Edit. Then, as shown in Figure (63), choose Paste under Clipboard Data.

Figure (63)
It will then ask, as in Figure (64), whether you want to paste.

Figure (64)
When you choose the Yes button, the hex values from zuma.exe go into dumped_.exe. Save dumped_.exe and exit WinHex.
Now, if you run dumped_.exe, you will see what Figure (40) shows. (For lack of space the figure is not repeated.) So our dumping process has completed successfully. ☻☻
But the time limit has not been removed yet. So we still have to try patching.
(5) Patching the dumped file
To patch the dumped file, open dumped_.exe in Olly. Figure (65).

Figure (65)
When you see Figure (65), right-click and choose All referenced text strings under Search for. Then, as shown in Figure (66), search for the string browser.

Figure (66)
After pressing OK on Figure (66), you will see Figure (67).

Figure (67)
Right-click on the highlighted place in Figure (67) and choose Follow in disassembler, and you will see Figure (68). This is the beginning and end of the routine that contains the browser string.

Figure (68)

At VA 005F41A8 in Figure (68), right-click, choose To clipboard under Copy, and paste it into a notepad file. Change 005F41A8 MOV EAX,dumped_.006A691C to 005F41A8 browser retn4. Then, from Figure (66), search for the strings dialog, timer and timeout and, as we did for the browser string, note the virtual address at the start of each routine. (Note: the red marks in Figure (68) are not there to set breakpoints; they are only for visibility.)
The special one is the LoadStatePool string. Searching for the string is nothing special. What is special is that we set a breakpoint where this string is and restart the program. When dumped_.exe is reopened in Olly and reaches the breakpoint we set, you see Figure (69).

Figure (69)
This time go to the stack window as in Figure (70) and right-click on the highlighted place. Then choose Follow in disassembler. You will see Figure (71).

Figure (70)
Note the virtual address of the highlighted place in Figure (71).

Figure (71)
Now we have all the virtual addresses related to browser, dialog, timer, timeout and LoadStatePool. What to change at these virtual addresses is shown in Figure (72).

Figure (72)
At the virtual addresses in Figure (72), substitute retn 4, retn 0c and retn respectively. Then save the patched file under any name you like. Now we can play our Zuma Deluxe 1.0 as much as we like.
(6) Unpacking a file packed with an unknown packer

This time we will try to unpack calc(Fish).exe, a file packed with Fish Packer 1.04. Let's check with PEiD what our file was packed with. Figure (73).

Figure (73)
As seen in Figure (73), PEiD cannot give an answer. Checking with CFF Explorer gives the same result. I only know the file was packed with Fish Packer because I packed it with Fish Packer 1.04 myself. Good, let's try unpacking this file. Open calc(Fish).exe, the file to be unpacked, in Olly. (Protection ID, on the other hand, does show that it was packed with Fish Packer 1.04, and results checked with Protection ID are rarely wrong. But Protection ID has the weakness that it can only examine protected/packed files.)

Figure (74)
Olly says it is not a PE file, as seen in Figure (74).

Figure (75)
When you press the OK button in Figure (74), you see Figure (75).
Normally, when opened in Olly, it should land at the entry point, but instead it ends up inside the ntdll.dll module. Don't be discouraged, we have a way. Press Alt+M to bring up the Memory Map. Figure (76).

Figure (76)

Double-click on the highlighted PE header line in Figure (76) and go and look at where the PE signature is. Figure (77).

Figure (77)
What interests us in Figure (77) is the entry point address (10257D7). Once we have this address, press Ctrl+G in Olly's Disassembler window and go to the entry point (10257D7). Figure (78).

Figure (78)
Set a breakpoint at VA 10257D7 in Figure (78) and press F9 (Run). You will then land right at the breakpoint. Figure (79).

Figure (79)
That is the ordinary, routine way to begin an unpack. I don't like this method. So I will use the Olly Advanced plugin. Figure (80).

Figure (80)
If you choose Plugins menu → Olly Advanced → Kill NumOfRva Bug as in Figure (80) and reopen the program in Olly, you arrive directly at Figure (79) without having to go through the steps of Figures (74) to (78). ☻☻☻

When you see Figure (79), press Alt + M (memory map). You will notice a difference from Figure (76). Figure (81).

Figure (81)
Looking at Figure (81), you see that calc(Fish).exe has two sections. We did not see them in Figure (76). .MCTeam is the section holding the compressed code, imports and resources, while the other section is where Fish Packer will place the code it has decompressed, in short the code section we have to dump. (Note: in UPX-packed files, UPX0 is the code section where the code will be placed, and UPX1 is the SFX section holding the compressed code.)
Right-click at that place in Figure (81) and choose Set breakpoint-on-access (F2). Then press F9. You will see Figure (82).

Figure (82)
What we see in Figure (82) is that Fish Packer has laid out the compressed code in the section and has started reading that code. Press F8 until you see Figure (83).
0100018B 74 1A JE SHORT calc(Fish).010001A7 ; Decompression Stub
0100018D 8A07 MOV AL,BYTE PTR DS:[EDI]
0100018F 47 INC EDI
01000190 2C E8 SUB AL,0E8
01000192 3C 01 CMP AL,1
01000194 77 F7 JA SHORT calc(Fish).0100018D
01000196 8B07 MOV EAX,DWORD PTR DS:[EDI]
01000198 38D0 CMP AL,DL
0100019A 75 F1 JNZ SHORT calc(Fish).0100018D
0100019C 32C0 XOR AL,AL
0100019E 0FC8 BSWAP EAX
010001A0 01E8 ADD EAX,EBP
010001A2 29F8 SUB EAX,EDI
010001A4 AB STOS DWORD PTR ES:[EDI]
010001A5 E2 E6 LOOPD SHORT calc(Fish).0100018D
010001A7 AD LODS DWORD PTR DS:[ESI]
010001A8 85C0 TEST EAX,EAX
010001AA 74 37 JE SHORT calc(Fish).010001E3
010001AC 89C7 MOV EDI,EAX
010001AE 033B ADD EDI,DWORD PTR DS:[EBX]
010001B0 56 PUSH ESI ; module name (eg., kernel32.dll)
010001B1 FF53 0C CALL DWORD PTR DS:[EBX+C] ; kernel32.LoadLibraryA
010001B4 89C5 MOV EBP,EAX
010001B6 AC LODS BYTE PTR DS:[ESI]
010001B7 84C0 TEST AL,AL
010001B9 75 FB JNZ SHORT calc(Fish).010001B6
010001BB AD LODS DWORD PTR DS:[ESI]
010001BC 85C0 TEST EAX,EAX
010001BE 74 E7 JE SHORT calc(Fish).010001A7
010001C0 83EE 04 SUB ESI,4
010001C3 AD LODS DWORD PTR DS:[ESI]
010001C4 A9 00000080 TEST EAX,80000000
010001C9 75 0B JNZ SHORT calc(Fish).010001D6
010001CB 83EE 04 SUB ESI,4
010001CE 56 PUSH ESI ; module name (eg., kernel32.dll)
010001CF 55 PUSH EBP ; function name (eg., GetVersion())
010001D0 FF53 10 CALL DWORD PTR DS:[EBX+10] ; kernel32.GetProcAddress
010001D3 AB STOS DWORD PTR ES:[EDI]
010001D4 EB E0 JMP SHORT calc(Fish).010001B6
010001D6 25 FFFFFF7F AND EAX,7FFFFFFF
010001DB 50 PUSH EAX
010001DC 55 PUSH EBP
010001DD FF53 10 CALL DWORD PTR DS:[EBX+10] ; kernel32.GetProcAddress
010001E0 AB STOS DWORD PTR ES:[EDI]
010001E1 EB D8 JMP SHORT calc(Fish).010001BB
010001E3 5F POP EDI ; POP ESP, so calc(Fish).010257DF
010001E4 C70361EBF600 MOV DWORD PTR DS:[EBX], 0F6EB61 ; POPAD & JMP , EBX = 010257DF
010001EA 66:C743F89068 MOV WORD PTR DS:[EBX-8], 6890
010001F0 66:C743FEC390 MOV WORD PTR DS:[EBX-2], 90C3
010001F6 C3 RETN
Figure (83)
Figure (83) shows in detail how it works. First it decompresses the code using the decompression stub. Then it uses LoadLibraryA() to load the DLL files to be imported. It uses GetProcAddress to obtain the addresses of the imported functions. After that the opcode bytes 0F6EB61 are written to the memory that EBX points to. 61 is POPAD and EBF6 is JMP xxx. (Note the byte order.) POP pulls data back off the stack (ESP). The last thing pushed onto the stack was the data relating to EBX. So once VA 010001F6 (RETN) has executed, we examine VA 010257DF. Figure (84).

Figure (84)
When you see Figure (84), press F8 twice. You will see Figure (85).

Figure (85)
When you see Figure (85), I think you now understand why 0F6EB61, 6890 and 90C3 were copied in via EBX. Since PUSH + RETN is equivalent to JMP, pressing F8 at Figure (85) brings us to the OEP we want. Figure (86). ☻☻☻

Figure (86)
Once you see Figure (86), you can dump. Figure (87).

Figure (87)
Chapter (15) - IAT and API Redirection - 273 -

Chapter (15) - IAT and API Redirection


In this chapter I will discuss the IAT (Import Address Table), which you will inevitably meet when unpacking packed files. In the previous chapter I did not discuss the IAT; I just repaired IATs using ImpRec 1.7. Since we will keep meeting IATs later, I decided to include a discussion of them.
Info: Just as versions of Microsoft Windows differ from one another, their API functions also have different addresses, because the DLL files are built differently. When an application starts it has a list of all the functions. Originally this was not part of the application. These functions are called imports and they live in the operating system's DLL files. But the application does not know where they are. Every application that is a Win32 exe file has an IAT, and this IAT lives inside the program itself. When an application calls a Windows API function it uses the IAT as a lookup table. So before the program runs, the Windows loader has to find the address of every API, for the program to call and to build the IAT. While the program is running, when it wants to call an API it looks in the IAT and immediately finds the address it needs inside the DLL. When an exe file has been packed or protected, crackers have to unpack it, and the unpacked file has to be made to match the original. That is because most packers/protectors destroy the IAT. So if you want the exe to work properly, the IAT has to be rebuilt and repaired. Rebuilding the imports means rebuilding the IAT, and to rebuild the IAT we need to know the IAT in detail.
Info: When an exe file is first loaded, the Windows loader is responsible for reading the PE structure in the file and loading the executable image into memory. It loads all the DLLs the application uses and places them in the free areas of the process. The exe file lists all the functions it needs from each DLL. Since function addresses are not fixed, a mechanism is needed that can change these variables at run time without having to change all the compiled code. This is solved with the IAT. The IAT is a table of function pointers that the Windows loader fills in when the DLLs are loaded. Because the IAT is shaped when the application is first compiled, no API CALL uses a hard-coded direct address; they all work through a function pointer. This pointer table can be reached in various ways, for example directly via CALL [pointer address], or through a JMP thunk table. By using the pointer table, the loader no longer has to fix every place in the code that makes an API call. All it has to do is put the pointer in one place in the table.
Info: Packed exe files always scramble the IAT to make the file smaller. That makes unpacking harder for crackers. Packed programs are produced with standard compilers and are designed to make this altered mechanism work. Even if a packer destroys the import table mechanism (meaning the packer/protector has to work out which DLLs and functions to load and where to put the pointers), the original program will still run normally once the decompression stub has executed and the routines have been restored. To understand how to restore a destroyed import table, we first need to know how the import table is laid out and what the Windows loader does to parse it.
The small program I will use here as the IAT example is the ReverseMe.exe program from Lena151's tutorial (3). Download it from www.tuts4you.com.

Figure (1)
Figure (1) is what you see after opening ReverseMe.exe in Olly. VA 00401002 is a CALL to an API. This CALL calls the GetModuleHandleA function in kernel32.dll.

Figure (2)
Looking at Figure (2), you will see similar CALLs. VA 0040104D is also a CALL, to the ExitProcess function in kernel32.dll.

Figure (3)
Double-clicking where the ExitProcess function is gives Figure (3). It looks just like the other CALLs. Olly knows this is a call to an API. To see more clearly, select VA 0040104D and press the Enter key (Follow Call). You will see Figure (4).

Figure (4)

So now we have arrived at the jump (thunk) table, as in Figure (4). That is how Olly knows that VA 0040104D is a preliminary CALL made before the API CALL itself. Wherever in the application you want to call the ExitProcess API, you must use this address (0040104D). Only then is it easy for the Windows loader to find the correct address. So, to find out which instruction VA 0040120E executes, press the Enter key there. You will see Figure (5).

Figure (5)
In fact it jumps to a DWORD value in the data segment. So, to learn this value, let's trace the DWORD. Press Ctrl+G in the Dump window, type VA 402004 in the box that appears and choose OK, and you will see Figure (6).

Figure (6)
Figure (6) is where the IATs are, holding the addresses of the APIs in their respective DLLs. Our example is the ExitProcess API.

Figure (7)
That is why looking at VA 00402004 shows Figure (7). The highlighted place is where our API is. 7C81CAA2 is the API's address. (Remember it is stored in little-endian order.) Right after it you will see a DWORD value of zeros. The DWORD values after these zeros refer to the APIs of the next DLL, which is user32.dll. Looking at the DWORD values you will notice they start with 7xxxxxxx. To make this clearer, let's look at them in the IAT. Look at Figure (4) again. You will see that two APIs are imported from kernel32.dll. What you must remember is that the IAT and the imports table are not the same thing.
Info: The imports table holds all the information Windows needs to link the APIs for your program. The imports table has a very simple structure. There is one header for each imported DLL. To mark their end there is also an extra one that is completely empty. Each header contains all the information for its DLL. For the ReverseMe.exe program, which imports APIs from user32.dll and kernel32.dll, you will find 3 headers: one for kernel32.dll and one for user32.dll, and the extra one marks the end of the imports table. The Windows loader reads the information from each header and uses it to fill in the IAT. By IAT we mean the IATs organized per DLL. The header for each DLL is called IMPORT_IMAGE_DIRECTORY. The word IMAGE refers to things that happen in memory, and all the offsets are RVAs. It has the following structure:
IMAGE_IMPORT_DESCRIPTOR:
OriginalFirstThunk
TimeDateStamp
ForwarderChain
Name
FirstThunk
Info: When the Windows loader reads the IMPORT_IMAGE_DESCRIPTOR it first checks the DLL. Only then does the loader load this DLL and begin building the IAT. Building it is a little tricky. The loader checks OriginalFirstThunk first, but only uses that information when a problem arises. Next, for each name FirstThunk points to, it replaces the pointer with the API's address. If for some reason the API cannot be found, it goes to OriginalFirstThunk and tries to get the information from there. If this last resort does not work, it crashes. So in memory, every pointer in FirstThunk must hold the address pointing to the API in the loaded DLL instead of the RVA of the API's name. Remember that once the exe has been placed in memory, the building of the IAT is complete.
Info: The loader reads each API name in FirstThunk and looks up its address. If it finds the address it replaces the name with the address; if not, it goes to OriginalFirstThunk and tries again. So OriginalFirstThunk is a backup of FirstThunk and is used when a problem arises. FirstThunk is an array of pointers relating to the names of the APIs we need to import. If the loaded process is able to run correctly, all the pointers belonging to FirstThunk have been overwritten with the addresses of the APIs, and these addresses are called the IAT. All the program's CALLs are redirected to the IAT. The addresses the loader writes as the IAT can be:
(1) the real address of the API,
(2) a jump to the API,
(3) push RVA API
Info: For the import table to be completely valid:
(1) The RVA and size of the import table must be entered in the data directory entry for imports. Otherwise Windows cannot find it and cannot populate the IAT.
(2) Declare each DLL with one IMAGE_IMPORT_DESCRIPTOR. Terminate the import table with one that is completely empty.
(3) In each IMAGE_IMPORT_DESCRIPTOR, OriginalFirstThunk, FirstThunk and Name must be set properly. TimeDateStamp and ForwarderChain may be left as zero. OriginalFirstThunk can also be left as zero.
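An added example (not code from the book, nor from Lena151's ReverseMe.exe) that walks the structures described above in Python: it reads e_lfanew at offset 3C, the import data directory at PE header + 80h, and each IMAGE_IMPORT_DESCRIPTOR up to the empty terminator, resolving names through OriginalFirstThunk (or FirstThunk when that is zero). It also computes RawOffset + RawSize of the last section, the overlay boundary used in the ActiveMARK section above. The sample PE, its RVAs and its DLL/function names are constructed for the example.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set in a thunk entry = import by ordinal, not by name

def pe_header_offset(data):
    """File offset of the "PE\\0\\0" signature: e_lfanew is the DWORD at offset 0x3C."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return pe

def section_table(data):
    """IMAGE_SECTION_HEADER entries as (name, VirtualAddress, VirtualSize, RawOffset, RawSize)."""
    pe = pe_header_offset(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    first = pe + 24 + opt_size  # signature (4) + file header (20) + optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section that contains it."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x lies in no section" % rva)

def overlay_offset(data):
    """RawOffset + RawSize of the last section: the loader maps nothing beyond it, so bytes past it are overlay."""
    return max(rawptr + rawsize for _n, _va, _vs, rawptr, rawsize in section_table(data))

def parse_imports(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return {dll: [name or #ordinal, ...]}."""
    pe = pe_header_offset(data)
    secs = section_table(data)
    # PE signature + 80h holds the import data directory (RVA, size), as the chapter shows
    imp_rva, _imp_size = struct.unpack_from("<II", data, pe + 0x80)
    desc = rva_to_offset(secs, imp_rva)
    imports = {}
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:  # the all-zero descriptor ends the table
            break
        dll = data[rva_to_offset(secs, name_rva):].split(b"\0", 1)[0].decode("ascii")
        # OriginalFirstThunk is the backup; when a packer zeroes it, FirstThunk holds the names
        thunk = rva_to_offset(secs, oft or ft)
        names = []
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                names.append("#%d" % (entry & 0xFFFF))
            else:  # RVA of IMAGE_IMPORT_BY_NAME: WORD hint followed by the NUL-terminated name
                off = rva_to_offset(secs, entry) + 2
                names.append(data[off:].split(b"\0", 1)[0].decode("ascii"))
            thunk += 4
        imports[dll] = names
        desc += 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR): five DWORDs
    return imports

def build_sample_pe():
    """Constructed minimal PE32 for this example (not a real binary); RVAs mirror the chapter's."""
    sect_va, sect_raw = 0x2000, 0x200
    body = bytearray(0x200)
    def put(rva, blob):
        body[rva - sect_va:rva - sect_va + len(blob)] = blob
    put(0x2000, struct.pack("<3I", 0x20E0, 0x2100, 0))       # kernel32 FirstThunk (IAT)
    put(0x2010, struct.pack("<3I", 0x2110, 0x8000007B, 0))   # user32 FirstThunk: name + ordinal 123
    put(0x2098, struct.pack("<3I", 0x20E0, 0x2100, 0))       # kernel32 OriginalFirstThunk
    put(0x20A8, struct.pack("<3I", 0x2110, 0x8000007B, 0))   # user32 OriginalFirstThunk
    put(0x20C0, b"kernel32.dll\0")
    put(0x20D0, b"user32.dll\0")
    put(0x20E0, b"\0\0GetModuleHandleA\0")                   # hint + name
    put(0x2100, b"\0\0ExitProcess\0")
    put(0x2110, b"\0\0MessageBoxA\0")
    put(0x2050, struct.pack("<5I", 0x2098, 0, 0, 0x20C0, 0x2000)   # descriptor: kernel32.dll
             + struct.pack("<5I", 0x20A8, 0, 0, 0x20D0, 0x2010)    # descriptor: user32.dll
             + bytes(20))                                          # empty terminator
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x2050, 60)     # DataDirectory[1]: import table RVA, size
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sect_va, 0x200, sect_raw, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sect_raw, b"\0") + bytes(body)

if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_imports(sample))
    print("overlay would start at file offset %#x" % overlay_offset(sample))
```

For the Zuma dump above, overlay_offset would return 0012BA00 + 00000200 = 0012BC00, the offset the WinHex walkthrough uses.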
oDtkd&DawGudk qufwdkuf&Sif;jyvmwJhtwGuf oifhtaeeJY ½IyfaxG;aeavmufNyDvdkY xifygw,f/ 'gaMumifh
ydNk yD;em;vnfEdkifapzdkY ReverseMe.exe eJw
Y GJMunfhvdkufMu&atmif/ ReverseMe.exe udk Olly rSm zGifhxm;yg/
Windows loader u yxrqHk;zwfwmuawmh y½d*k &rf&JU header udkyg/ IAT udkwnfaqmufzdkY
twGuf RVA 3C (400000 +3C = 40003C) ae&mrSmzwfwmyg/ yHk(8)/

yHk(8)
According to Figure (8), the PE header is at VA 004000C0. Go to VA 004000C0 and you see what is shown in Figure (9).

Figure (9)
The RVA of the import table is stored at the PE header address plus 80h, i.e. at VA 400140. (For a PE32 exe this entry is always at that offset from the PE signature; in a 64-bit PE32+ file the optional header is longer and the same entry sits at offset 90h.) Figure (10).

Figure (10)
According to Figure (10), the import table is at RVA 2050.
Info: The Import Table Address is the address at which the import table (the IMAGE_IMPORT_DESCRIPTOR array) is found. Don't confuse it with the IAT; the two are completely different things.

Note: Finding the Import Table Address in Olly is no problem at all; Olly gives complete information about the header. In practice, finding the Import Table Address is all you have to do. Still, I think it is best to know the basics and to understand what you are doing, which is why I am explaining it in detail.
OK, let's look at the Import Table Address. Figure (11).

Figure (11)
We see that the Import Table Address lies just after the IAT we found earlier. Go to VA 00402050 in the disassembler window. Figure (12).

Figure (12)
What Figure (12) shows tells us nothing special yet. Choose Analyze This! and let Olly analyze it. Figure (13).

Figure (13)
Figure (13) shows the region holding the IMAGE_IMPORT_DESCRIPTOR array. The first and second are the IMAGE_IMPORT_DESCRIPTORs for the two DLLs; the third is the terminating IMAGE_IMPORT_DESCRIPTOR. Each IMAGE_IMPORT_DESCRIPTOR consists of five DWORD values.
The first DWORD in Figure (13) (00002098) is the OriginalFirstThunk. It tells the loader where to find the names of the APIs to be imported from the current DLL. If we go to IMAGE_BASE + 2098 we find the names of the APIs to import. (See below.)
The second DWORD (00000000) is the TimeDateStamp, which is of no use to us. It is usually all zeros.
The third DWORD (00000000) is the ForwarderChain, which is likewise of no use to us and is usually all zeros.

The fourth DWORD (000021D8) is the RVA of the name of the DLL this IMAGE_IMPORT_DESCRIPTOR belongs to. In our sample program we find user32.dll at 4021D8. (We'll see it shortly.)
The last DWORD (0000200C) is the FirstThunk. It points to the IAT, where the addresses of all the imported functions can be found. (Not on disk, but once the exe has been loaded into memory.)
In our sample program you can easily find all the addresses in the IAT for the APIs imported from user32.dll. Look at Figure (14); you will see they start at 40200C.

Figure (14)
According to Figure (14), 16 API functions are imported. How can we say that? Because we see 16 addresses beginning with 7xxxxxxx, the range in which the system DLLs are mapped. The same applies to the second DLL (kernel32.dll).

Figure (15)
The addresses in the IAT start at 402000, as shown in Figure (16).

Figure (16)
You will notice that all five DWORDs of the last descriptor are zero. Figure (17).

Figure (17)
In the dump window it looks like Figure (18).

Figure (18)
The second part of the import table consists of arrays of DWORDs. Figure (19).

Figure (19)
These DWORD arrays are what the OriginalFirstThunk fields of the IMAGE_IMPORT_DESCRIPTORs point to. Each DWORD in these arrays corresponds to one imported function. The arrays are separated from one another, and terminated, by a DWORD filled with zeros.
Figure (20) shows the third (last) part of the import table.

Figure (20)
The strings seen in Figure (20) (BeginPaint, ...) are the names of the imported functions and DLLs. There is no fixed order here: a DLL name may appear after its functions or before them.
I said earlier that user32.dll would be found at 4021D8. Figure (21).

Figure (21)
In the code itself you can also see the neatly built IAT. Figure (22).

Figure (22)

Looking at Figure (22), the two APIs imported from kernel32.dll and the APIs imported from user32.dll are separated by a single DWORD, and the end of the table is marked by a DWORD of zeros.

Figure (23)
Look at Figure (23). After the names of all the imported functions, the list ends with the DLL names.
That should be enough knowledge to rebuild imports by hand. The good news, in any case, is that there are good tools that rebuild imports automatically. When software imports a great many APIs from many DLLs, rebuilding the imports by hand is time-consuming and tedious; with the tools we can recover nearly all of the APIs. With what we know now, let's see how to fix some unpacked files.
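As an added example (not code from this book, from Olly or from any of the import tools it mentions), here is a Python walk over the import directory of a constructed PE32 image laid out like the ReverseMe above: it follows e_lfanew at offset 3C, reads the import data directory at PE+80h (PE+90h for PE32+), walks the IMAGE_IMPORT_DESCRIPTOR array to its all-zero terminator, resolves hint/name entries through the section table, and then plays loader by overwriting the FirstThunk (IAT) slots with addresses from a constructed export map. The image bytes, the DLL and function names and every address in it are constructed sample data, not taken from a real binary.

```python
"""Walk a PE32 import directory and play loader on it (constructed sample image)."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # DataDirectory[1]; sits at PE signature + 0x80 for PE32
SECTION_RVA, SECTION_RAW = 0x2000, 0x200  # the one section: RVA 0x2000 maps to file offset 0x200


def build_sample_image():
    """Minimal PE32 image laid out like the chapter's ReverseMe: IATs at RVA 0x2000/0x200C,
    descriptors at 0x2050, INTs at 0x2098, hint/name strings from 0x2100, DLL names at
    0x21D8/0x21E8. On disk the IAT holds the same name RVAs as the INT (constructed data)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew -> PE header
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2050, 60)
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".rdata", 0x200, SECTION_RVA, 0x200, SECTION_RAW)

    def put(rva, fmt, *vals):
        struct.pack_into(fmt, img, SECTION_RAW + rva - SECTION_RVA, *vals)

    for rva, name in {0x2100: b"BeginPaint", 0x2110: b"EndPaint",
                      0x211C: b"ExitProcess", 0x212A: b"GetModuleHandleA"}.items():
        put(rva, "<H%ds" % (len(name) + 1), 0, name)             # IMAGE_IMPORT_BY_NAME: hint, name
    put(0x21D8, "<11s", b"user32.dll")
    put(0x21E8, "<13s", b"kernel32.dll")
    put(0x2098, "<III", 0x2100, 0x2110, 0)                       # user32 INT (OriginalFirstThunk)
    put(0x20A4, "<III", 0x211C, 0x212A, 0)                       # kernel32 INT
    put(0x200C, "<III", 0x2100, 0x2110, 0)                       # user32 IAT as stored on disk
    put(0x2000, "<III", 0x211C, 0x212A, 0)                       # kernel32 IAT as stored on disk
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    put(0x2050, "<5I", 0x2098, 0, 0, 0x21D8, 0x200C)
    put(0x2064, "<5I", 0x20A4, 0, 0, 0x21E8, 0x2000)
    put(0x2078, "<5I", 0, 0, 0, 0, 0)                             # all-zero terminator
    return img


def pe_offset(img):
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    return struct.unpack_from("<I", img, 0x3C)[0]


def rva_to_offset(img, rva):
    """Translate an RVA to a file offset through the section table."""
    pe = pe_offset(img)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", img, pe + 20)[0]   # after SizeOfOptionalHeader
    for i in range(nsec):
        _n, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, first + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)


def read_cstring(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def parse_imports(img):
    """Return [(dll, FirstThunk RVA, [(IAT slot RVA, function name), ...]), ...]."""
    pe = pe_offset(img)
    is_pe32 = struct.unpack_from("<H", img, pe + 24)[0] == 0x10B
    dir_off = pe + 24 + (96 if is_pe32 else 112) + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    desc, result = rva_to_offset(img, struct.unpack_from("<I", img, dir_off)[0]), []
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                                 # terminator descriptor
        thunk, funcs = rva_to_offset(img, oft or ft), []          # names from INT, else on-disk IAT
        for i in range(4096):                                     # bounded walk to the zero entry
            entry = struct.unpack_from("<I", img, thunk + 4 * i)[0]
            if entry == 0:
                break
            if entry & 0x80000000:
                fname = "#%d" % (entry & 0xFFFF)                  # import by ordinal
            else:
                fname = read_cstring(img, rva_to_offset(img, entry) + 2)  # skip the hint WORD
            funcs.append((ft + 4 * i, fname))
        result.append((read_cstring(img, rva_to_offset(img, name_rva)), ft, funcs))
        desc += 20
    return result


def iat_entries(img, first_thunk_rva):
    """Read one IAT array up to its zero terminator."""
    off, out = rva_to_offset(img, first_thunk_rva), []
    while True:
        v = struct.unpack_from("<I", img, off)[0]
        if v == 0:
            return out
        out.append(v)
        off += 4


# Constructed export addresses standing in for what the system DLLs would provide.
SAMPLE_EXPORTS = {("user32.dll", "BeginPaint"): 0x7E41A3F0, ("user32.dll", "EndPaint"): 0x7E41A5A0,
                  ("kernel32.dll", "ExitProcess"): 0x7C81CAFA,
                  ("kernel32.dll", "GetModuleHandleA"): 0x7C80B741}


def bind_imports(img, exports=SAMPLE_EXPORTS):
    """Do the loader's job: overwrite every IAT slot with the API address. Returns {slot RVA: address}."""
    bound = {}
    for dll, _ft, funcs in parse_imports(img):
        for slot, fname in funcs:
            bound[slot] = exports[(dll.lower(), fname)]
            struct.pack_into("<I", img, rva_to_offset(img, slot), bound[slot])
    return bound
```

Because the sample keeps OriginalFirstThunk populated, parse_imports() still recovers every name after bind_imports() has overwritten the IAT with addresses; with OriginalFirstThunk set to zero the same call would misread the bound addresses as name RVAs, which is exactly the situation an import rebuilder faces after a packer has run.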
OK, let's unpack a file packed with FSG 2.0. (If you want to unpack this file yourself, download Lena151's tutorial 21, or pack a file of your choice with FSG; the principle is the same.)

Figure (24)
Opening UnpackMe_FSG2.0.exe in Olly gives Figure (24). Looking at it, the entry point is a little off. Remember that the entry point of a normal exe lies in its first code section, typically at 401000? This program starts at 400154, which means the entry point lies inside the PE header itself.
FSG is unpacked by tracing. If you scroll down a little you will find the end of the unpacking stub's code. If you trace through it you will notice that it loops round and round like a spinning wheel. Before long the code jumps to the main program; looking carefully, you will see one jump that leaves the stub. Let's look.

Figure (25)
Set a breakpoint at VA 004001D1 as in Figure (25), then press F9 (Run). You arrive at the breakpoint. Figure (26).

Figure (26)
As Figure (26) shows, the JMP goes to the program's OEP (VA 00404000). Figure (27).

Figure (27)
Right-click in Figure (27) and choose Analysis > Remove analysis from module; you get Figure (28).

Figure (28)
Once you see Figure (28), we dump the file. Right-click and choose Dump debugged process; you get Figure (29).
We can dump in the usual way, but in Figure (29) you will need to uncheck "Rebuild Import". Why? FSG has destroyed the imports, and the OllyDump plugin would get the rebuild completely wrong, so we will have to do some repair work ourselves. You can leave the checkbox ticked if you like, but then the dumped file will not run. This becomes clear once you have studied the file closely.

Figure (29)
Untick the "Rebuild Import" checkbox in Figure (29) and click the Dump button. Save the file as dump.exe.
You can also dump with other tools, for example LordPE or PE Tools. Figure (30).

Figure (30)
Either way, neither dumped file will run, because FSG has destroyed the imports. So we now need to rebuild them. There are many tools that can rebuild imports, but I will use only ImpRec 1.7. Open ImpRec and attach it to the running process (UnpackMe_FSG2.0.exe).

Figure (31)
After attaching to UnpackMe_FSG2.0.exe you need to correct the OEP value: ImpRec only knows the EP of the current process. So change the OEP field to 4000 (it takes an RVA, not a VA) and click the IAT AutoSearch button.

Figure (32)
Finding the IAT went fine. But if you leave the RVA field of Figure (31) at 11E8 and dump, your repaired dump will not run. You may wonder how I know that; I have tried it. Let's examine the RVA in detail. Type 4011E8 in Olly's dump window and see what is there. Figure (33).

Figure (33)
What is at VA 4011E8 is the imports of one DLL. Scroll up a little and you will find more imports. Figure (34).

Figure (34)
We need to find where the imports of both DLLs (user32.dll and kernel32.dll) are. Starting at VA 4011E8, ImpRec would only find the imports (APIs) of one DLL (kernel32.dll); ImpRec has simply been tricked. So we need to change VA 4011E8 to VA 401198, i.e. enter RVA 1198, so that ImpRec also finds the imports of user32.dll.

Figure (35)
Change the RVA as in Figure (35) and click the Get Imports button; you get Figure (36). (It is better to change Size to 100 as well, so that ImpRec examines the whole region rather than stopping short.)

Figure (36)
ImpRec finds two thunks, but both are flagged as wrong. Click the plus sign to see what is wrong. The bad entry is at RVA 2118; looking back at Figure (34), RVA 2118 holds FFFFFFFF. The other is at RVA 11B8. Figure (37).

Figure (37)
The addresses seen in Figures (36/37) do not really exist; FSG inserted them deliberately to fool crackers. So these unneeded entries have to be cut out.

Figure (38)
Right-click the unwanted thunks as in Figure (38) and choose Cut thunk(s). The last step is then to fix the dumped file.

Figure (39)
Click the Fix Dump button in Figure (39) and select the dump.exe you saved from Olly. ImpRec saves the repaired file as dump_.exe. Figure (40).

Figure (40)
Running dump_.exe gives Figure (41).

Figure (41)
Opening dump_.exe in Olly shows Figure (42).

Figure (42)
(1) API Redirection
We have now seen, roughly, how to rebuild imports. But when unpacking the more advanced packers this much is not enough; we have to rebuild genuinely from the IAT, because the import table we rebuilt earlier still points at the IAT in its old place. So we will study API redirection by unpacking a packed file. I will not investigate which packer was used here. The packed file can be downloaded from Lena151's tutorial 22.

INFO: API redirection is a technique used by most packers/protectors: they destroy the IAT (or the import table), partly or completely, and instead write into each redirected IAT slot a pointer to a piece of their own code. The packer must then take care to deliver the real address of the API in the system DLLs to the packed/protected program at run time. Note that programs using API redirection quite often have problems with anti-virus software.
(2) Unpacking the packed file
Opening the packed file (API Redirection Tutorial.exe) in Olly gives Figure (43).

Figure (43)
Figure (43) looks like the packed files we have seen before; nothing special. Press F8 (Step over) until you reach VA 0044CB59. Once there, look at the Registers window. Figure (44).

Figure (44)
Right-click the ESP register in Figure (44) and choose Follow in Dump. You see Figure (45).

Figure (45)
Right-click the highlighted DWORD (38 07 91 7C) in Figure (45) and choose Breakpoint > Hardware, on access > Dword. Figure (46). (This is the ESP trick: the stub saves the registers at its start and restores them just before jumping to the OEP, so a breakpoint on that saved stack slot fires at the end of the stub.)

Figure (46)
Once the breakpoint is set as in Figure (46), press F9 (Run). You arrive at the hardware breakpoint, Figure (47).

Figure (47)
Step over (F8) until you reach the CALL EAX, and on CALL EAX press F7 (Step into); you land at the OEP, Figure (48).

Figure (48)
Now, to unpack the program, choose Dump debugged process. Figure (49).

Figure (49)
Untick the Rebuild Import checkbox in Figure (49), click the Dump button and save as dump.exe. Then run dump.exe to see whether it works. Nothing appears.
So there is clearly a problem with the imports. Let's open ImpRec 1.7 and try to fix dump.exe. Figure (50).

Figure (50)
Seeing Figure (50), you will understand what to do:
(1) Attach to API Redirection Tutorial.exe.
(2) Enter the OEP value and click the IAT AutoSearch button.
(3) Click the Get Imports button. You will see 618 imported functions.
(4) Click the Show Invalid button and look at the invalid functions; you see Figure (51).

Figure (51)
As Figure (51) shows, ImpRec cannot resolve the addresses of every API in the IAT. The conclusion to draw here is that dumping without first resolving all the APIs is pointless: the dumped file will crash. Usually such pointers point at code that does not exist, and in that case choosing Cut thunk(s) is enough to fix things. (Some packers deliberately insert non-existent addresses to annoy crackers.)
This time, however, the address seen in Figure (51) (00458C35) lies inside code, and the other 12 invalid APIs also have addresses that really exist. So right-click 00458C35 in Figure (51) and choose Disassemble / Hex View. Figure (52).

Figure (52)
Figure (52) shows that 00458C35 is a place where real code lives. Olly's memory map also shows it is in the packer's SFX section. Figure (53).

Figure (53)
Looking at 00458C35 in Olly gives Figure (54).

Figure (54)
The code in Figure (54) computes the address of an API (the FindClose function). You might think that does not matter: if we dump all the sections, this address-computing code comes along in the dump too. Let's test whether that is really so. Restart Olly with Ctrl+F2.
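To make the Show Invalid / Cut thunk(s) triage above concrete, here is an added Python example (not part of this book and not ImpRec's own logic) that classifies the dwords of a dumped IAT against the module list of the process: a zero is the separator between two DLLs' blocks, an all-ones or unmapped value is junk to cut, a value inside the dumped image itself is a redirect stub that has to be traced, a value inside a module but not at one of its exports is unresolved, and a value that hits an export of a loaded module is a valid import. The module ranges, export addresses and IAT contents are constructed sample data; they echo the addresses of the walkthrough but are not taken from any real Windows build.

```python
"""Triage of dumped IAT slots, in the spirit of ImpRec's Show Invalid / Cut thunk(s)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    """A loaded DLL: base, mapped size and an address -> export-name map."""
    name: str
    base: int
    size: int
    exports: dict = field(default_factory=dict)

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


# Constructed sample data: module ranges and export addresses are illustrative only.
SAMPLE_MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x000F6000,
           {0x7C80EFD7: "FindClose", 0x7C80BAF1: "lstrcmpiA", 0x7C81CAFA: "ExitProcess"}),
    Module("user32.dll", 0x7E410000, 0x00091000,
           {0x7E41A3F0: "BeginPaint", 0x7E41A5A0: "EndPaint", 0x7E4196C5: "MessageBoxA"}),
]
IMAGE_BASE, IMAGE_SIZE = 0x400000, 0x60000   # the dumped process image itself (constructed)

# Constructed IAT contents of a dump: (slot RVA, dword read from the slot)
SAMPLE_IAT = [
    (0x1198, 0x7E41A3F0), (0x119C, 0x7E41A5A0), (0x11A0, 0x7E4196C5), (0x11A4, 0x00000000),
    (0x11B8, 0xFFFFFFFF),                          # FSG-style fake thunk
    (0x11E8, 0x7C80EFD7), (0x11EC, 0x7C81CAFA), (0x11F0, 0x00000000),
    (0x38040, 0x00458C35),                         # redirected into the packer's stub code
    (0x38044, 0x7C80BAF1),
    (0x38048, 0x206C8BA9),                         # placeholder the packer never resolved
]


def classify(value, modules=SAMPLE_MODULES, image=(IMAGE_BASE, IMAGE_SIZE)):
    """Return (verdict, detail) for one IAT dword.

    separator  zero dword ending one DLL's block
    valid      points exactly at an export of a loaded module
    unresolved inside a loaded module but not at an export (forwarder or jump stub; trace it)
    redirected inside the dumped image itself: packer code, must be traced or patched out
    junk       0xFFFFFFFF or not mapped anywhere: cut the thunk
    """
    if value == 0:
        return "separator", ""
    if value == 0xFFFFFFFF:
        return "junk", "all-ones marker"
    base, size = image
    if base <= value < base + size:
        return "redirected", "%#010x lies inside the image" % value
    for m in modules:
        if m.contains(value):
            name = m.exports.get(value)
            if name is None:
                return "unresolved", "%s+%#x is not an export" % (m.name, value - m.base)
            return "valid", "%s!%s" % (m.name, name)
    return "junk", "%#010x is unmapped" % value


def rebuild_plan(iat, **kw):
    """Group valid slots per DLL and list what to cut and what still needs tracing."""
    plan = {"dlls": {}, "cut": [], "trace": []}
    for rva, value in iat:
        verdict, detail = classify(value, **kw)
        if verdict == "valid":
            dll, func = detail.split("!")
            plan["dlls"].setdefault(dll, []).append((rva, func))
        elif verdict == "junk":
            plan["cut"].append(rva)
        elif verdict in ("redirected", "unresolved"):
            plan["trace"].append((rva, value))
    return plan


if __name__ == "__main__":
    plan = rebuild_plan(SAMPLE_IAT)
    for dll, funcs in plan["dlls"].items():
        print(dll, ["%#x %s" % f for f in funcs])
    print("cut thunks at", ["%#x" % r for r in plan["cut"]])
    print("trace", ["%#x -> %#010x" % t for t in plan["trace"]])
```

On a real dump the module list comes from the debugger's memory map and the export maps from each DLL's export directory; the decision logic is the part worth keeping, since it is what separates the FSG-style junk that can simply be cut from the redirect stubs that the rest of this chapter deals with.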
(3) Removing the redirection
Reopen API Redirection Tutorial.exe in Olly and go to VA 00458C35. Figure (55).

Figure (55)
As Figure (55) shows, there is nothing at VA 00458C35 yet.
INFO: The unpacking stub only writes the redirection code to this location at run time. That is why, when we dumped at the OEP, the IAT slots pointed at this redirection code instead of at the APIs, so the APIs were lost and the dumped program cannot work properly.
OK, back to ImpRec. Figure (56).

Figure (56)
Figure (56) shows that the code that redirects to the API is at 00458C35, and that this address has been stored in the IAT slot at VA 00438040. Figure (57).

Figure (57)
Look at the DWORD at VA 00438040 in Figure (57). The IAT is being built here, but at this moment the other slots still hold the packer's original placeholder values (for example 206C8BA9), which are not usable pointers. So, to find out when, where and how the IAT is created and written, let's watch the location in Figure (57), and more precisely the other redirected APIs along with it.
INFO: A program needs only two APIs to obtain all the imports of an exe: LoadLibraryA and GetProcAddress. Win32.hlp explains them as follows. The LoadLibrary() function maps the specified executable module into the address space of the calling process.

HINSTANCE LoadLibrary (
LPCTSTR lpLibFileName
);
Here lpLibFileName is the address of the executable module's filename. If the function succeeds, the return value is a handle to the module.
The GetProcAddress() function returns the address of an exported DLL function.
FARPROC GetProcAddress(
HMODULE hModule,
LPCSTR lpProcName
);
Here hModule is a handle to the DLL module and lpProcName is the name of the function. If the function succeeds, the return value is the address of the DLL's exported function.
Put another way: first call LoadLibrary to load a DLL; then, using the handle it returns, you can obtain the address of each imported API you want to call. This is exactly what the unpacking stub of a packer does to fill the IAT.
OK, to watch what happens to the DWORD at VA 00438040, set a hardware breakpoint on write as in Figure (58).

Figure (58)
Then press F9 (Run) and watch VA 00438040. Figure (59).

Figure (59)
In Figure (59), when execution reaches VA 00451B38 the DWORD changes to 84B3D4CF, but that value is not the one we are interested in. Press F9 again: at VA 00451B56 the DWORD becomes 3963D4CF, also uninteresting. Press F9 again: at VA 0045BC2A the DWORD becomes 00040EDC, still not interesting. Press F9 once more and you see Figure (60).

Figure (60)
The DWORD 7C80EFD7 in Figure (60) is the interesting one. Look at the Registers window.

Figure (61)
In Figure (61) the EAX register holds the address of the FindClose() API, which has just been stored into the slot.

Figure (62)
Figure (62) shows where the DWORD changed to 7C80EFD7 (where the hardware breakpoint fired). So the packer first writes the correct API address into the IAT; only later is this value changed. To find where it changes, keep pressing F8.
INFO: In Figure (60), VA 0043803C already holds the DWORD 7C80BAF1. If you watch the packer's behaviour closely, it processes one DLL at a time: it first writes the correct API address into the IAT and then checks whether that API is to be redirected. Only then does it move on to the next DLL and check in the same way.
Anyway, keep a sharp eye on VA 00438040 from Figure (60) and press F8. Figure (63).

Figure (63)
Look at Figure (63). As soon as the CALL 00453E90 has executed and we are at VA 004536F5, the DWORD changes to 00458C35. Clearly it is inside CALL 00453E90 that the API address is redirected to the packer's code, so let's step into this CALL. Restart the program in Olly (Ctrl+F2). Press F9 four times to reach VA 4536A6 from Figure (62). Then press F8 until you reach the CALL at VA 4536F0 in Figure (63), and on the CALL press F7 (Step into). You see Figure (64). (Note that the JE 4536F8 at VA 4536DF in Figure (63) can skip the CALL 00453E90 altogether.)

Figure (64)
Figure (64) is the code of the CALL that decides whether the API address gets redirected. Keep watching the DWORD at 00438040. Figure (65).

Figure (65)
While watching the DWORD 7C80EFD7 at 00438040, keep pressing F8.

Figure (66)
As Figure (66) shows, by the time you reach VA 00453EF4 the DWORD at 00438040 has changed to 00458C35. To be able to write this change, the packer first used the VirtualProtect() API to make the IAT page writable.

Figure (67)
Afterwards it calls VirtualProtect again to set the page access back to what it was.
INFO: The VirtualProtect() function changes the access protection on a region of pages in the virtual address space of the calling process. It differs from VirtualProtectEx, which can change the access protection of memory in any process. You can only set access protection on committed pages: if any page in the specified region is not committed, the function fails and returns without changing the protection of any page. In short, VirtualProtect changes the access protection of memory in the calling process, while VirtualProtectEx changes it in a specified process.

Figure (68)
Look at Figure (68). What is pushed by PUSH EAX at VA 00453ED5? 438040, the base address of the page region (the lpAddress argument). The VirtualProtect() called at VA 00453F02 is the one that restores this region to its original protection. Look at PUSH 4 at VA 00453ED0: that is the size of the region, 4 bytes (the dwSize argument), i.e. exactly one IAT slot.
I assume you understand this fairly well by now, so let's look for a solution to the redirection. Look at the conditional jumps. Figure (69).

Figure (69)
Did you notice that the JE 00453F0F at VA 00453EC8 in Figure (69) can skip both VirtualProtect() calls? If we changed it to JMP 00453F0F and assembled that, the API would no longer be redirected to the packer's code and the real address would stay in the IAT. But since there are other ways, let's leave that change for later. Keep pressing F8 as in Figure (69); I will show how VirtualProtect() restores the original protection.
The PUSH ECX at VA 453EF7 is the address that receives the old access attributes (lpflOldProtect). The PUSH EDX is the new protection (flNewProtect). Figure (70).

Figure (70)
The value 40 is the page protection constant PAGE_EXECUTE_READWRITE (0x40); it is a protection flag here, not the section characteristic IMAGE_SCN_CNT_INITIALIZED_DATA, which merely happens to share the number. PUSH 4 is the size, 4 bytes. PUSH EAX is VA 438040. Keep pressing F8 and you see Figure (71).

Figure (71)

Continuing with F8 as in Figure (71), when the program reaches JMP 45363B it goes back up and computes the address of the next API, which is the lstrcmpi() function. Figure (72) shows that when lstrcmpi() is processed, the API address is left unchanged. In Figure (71) you can see that the JE 004536F8 at VA 4536DF is what skips the redirection CALL.

Figure (72)
There are two ways to solve the redirection problem. The first is to change the JE at VA 4536DF in Figure (71) to JMP 4536F8; the second is to NOP out the CALL at VA 4536F0.
So right-click VA 4536DF and choose Breakpoint > Hardware, on execution.

Figure (73)
Next, go to our program's OEP at VA 4331B8 and set a Breakpoint (Hardware, on execution) there as in Figure (73). Then delete the hardware breakpoints we set earlier, so that only the two newly set hardware breakpoints remain, as in Figure (74).

Figure (74)
Restart the program in Olly and press F9. You see Figure (75).

Figure (75)
When Figure (75) appears, change the JE 4536F8 at VA 4536DF to JMP 4536F8 and remove the hardware breakpoint at VA 4536DF, leaving only the one at the OEP. Then press F9; as Figure (76) shows, you reach the program's OEP.

Figure (76)
Now look at the dump window. You see Figure (77).

Figure (77)
It is a relief to see the real API addresses in Figure (77). Now right-click in the disassembly window of Figure (76) and choose Dump debugged process. Figure (78).

Figure (78)
Click the Dump button and save the program as Redirection_Fix.exe. This time you can leave the Rebuild Import checkbox ticked. Run the saved file; you see Figure (79).

Figure (79)
Redirection_Fix.exe works fine, but the file is a little on the large side. So we will remove the sections that are no longer needed. Open LordPE and prepare to delete sections. Figure (80).

Figure (80)
As in Figure (80), choose wipe section header and delete sections 4/5/6. (Check first that none of the data directories, in particular the import and resource directories, still points into the sections you are wiping; otherwise the trimmed file will not load.) Figure (81).

Figure (81)
Then save the file and open it in PEiD. Figure (82).

Figure (82)
Choose PEiD's Rebuild PE plug-in and click the Rebuild button in Figure (82); the file shrinks, with 72.65% reported. Figure (83).

Figure (83)
That completes the solution of the API redirection problem met when unpacking this packed exe.
Chapter (16) - Cracking programs written in Visual Basic - 302 -

Chapter (16) - Cracking programs written in Visual Basic


This time we will try cracking programs written in VB. Up to 2010, most of the programs written by Myanmar programmers were written in VB. The sample program chosen for cracking here is PC to Answering Machine 2.0.8.2. The tools used are OllyDebug and SmartCheck. Olly is already familiar, so I will not describe it, but I would like to introduce the software called SmartCheck briefly. NuMega Technologies, the company behind SmartCheck, was acquired by Compuware in 1997. Compuware continued developing SmartCheck only until around 2001 and released nothing further after that. SmartCheck was sold as shareware; nowadays it can be found on the internet as freeware, and a Google search will turn it up. The version I am using is 6.20.
(1) The nature of the program
Open the PC to Answering Machine program in both Olly and PEiD. Figure (1).

Figure (1)

Figure (2)
To repeat: whenever I open a program, I open it in PEiD first to find out what it was written with and what it was packed with. (You can also use RDG Packer or CFF Explorer for this.)
The highlighted part of Figure (1) is the program's EP. Figure (2) shows that this program was written in Visual Basic. What I want to talk about now is Visual Basic itself.

INFO: Visual Basic is a high-level language descended from BASIC, which appeared in the DOS era. BASIC stands for Beginners' All-purpose Symbolic Instruction Code. Visual Basic is both visual and event-driven: programming is done in a visual environment, programmers can click on objects as they like, and to respond to events each object is coded separately. That is why a Visual Basic program is made up of many subprograms, each with its own code. Subprograms can run independently and at the same time call one another.
INFO: Although Visual Basic applications are fully compiled, their behaviour complicates OllyDbg's work. OllyDbg is a debugger for compiled languages, but it is still far from handling VB well; it does better with C/C++. VB is perfectly fine both as a language and in programmers' eyes.
INFO: VB programs depend on an external DLL (MSVBVM60.dll for VB 6.0; other versions have similar files). This DLL handles all the APIs and events, so every VB API is exercised inside the DLL, and the exe's code spends almost all of its time inside this file. This matters a lot when cracking. The call stack in Olly is a rare and welcome help here, because the application is almost always inside VB's own DLL. Incidentally, the application consists mostly of event handlers, used as callbacks from the DLL to respond to events and messages. The rest of a VB application is resources, variables and the functions that tie the event handlers together.
INFO: VB is stack-based, meaning it uses the system stack for all of its operations. This differs from other languages, which work in registers and use the stack mainly for function calls. Applications created with VB are compiled either to native code or to interpreted p-code executables. At run time the p-code instructions are translated or interpreted by the run-time DLL; when it is used, the p-code engine is just a simple machine that processes opcodes, and all operands used by p-code instructions are kept on the stack.
If you want to see the call stack in Olly, press Alt+K. Figure (3) shows the (system) stack.

Figure (3)
INFO: A DLL (dynamic link library) is a collection of small programs which a running program calls when it needs them. Often they are what lets exe files talk to devices (for example, connecting to the printer when you want to print).
INFO: For example, when you need free space on your hard disk, a program can call a DLL that contains the functions, with all their parameters, and the calling functions. Because the functions contained in the DLL do not have to be written again, exe files stay small.
INFO: DLLs that a program loads on demand (with LoadLibrary) do not have to be mapped into RAM together with the exe, so they save memory; such a DLL comes into RAM only when it is called. (DLLs listed in the import table, by contrast, are mapped by the loader when the process starts.) For example, while you are typing in Microsoft Word, the printer DLL is not running; it is loaded only when you print.
INFO: In short, a DLL is an executable file, but on its own it does nothing; it works only when an EXE calls it. That is why exe files must declare which DLLs they use, together with the functions and parameters involved.
By now you may be thinking that VB is a very hard language to deal with. In fact you would be wrong: we have some very useful tools, which I will explain later. In any case, do not think Olly is useless for VB; in the end every language gets translated into assembly.
Now let's discuss the nature of the program. What I noted about it is this: when the program is started for the first time after installation, it computes what it needs from your computer and fixes a key exactly. That is unusual, but it gives us a very good hint. It means the program derives the code from something (for example the hard disk ID) and then stores that code somewhere, so that at startup it can check whether it has been registered.
(2) Serial udk&SmazGjcif;
y½d*k &rf[m olpwufvmcsif;rSm register vkyfxm;jcif; &Sd^r&Sd ppfaq;zdkY vdkygw,f/ VB rSmawmh
DLL xJu API rSm jyKvkyMf uygw,f/ 'Dae&mrSm ta&;MuD;wmawGuawmh ...
(1) __vbaVarTstEq
(2) __vbaVarTstNe
(3) __vbaVarCmpEq
(4) __vbaStrCmp
(5) __vbaStrComp
(6) __vbaStCompVar
trSwfpOf(1?2?3)udkawmh ydkjyD; toHk;rsm;ygw,f/ 'gaMumifh yxrqHk; API jzpfwJh __vbaVarTstEq udk
prf;MunfhvdkufMu&atmif/

Figure (4)
What you see in Figure (4) is the entry point. Press Ctrl+N to open the Names window (Figure (5)). To find the name faster, just type vbavartst on the keyboard and you will jump straight to vbaVarTstEq.

Figure (5)
Looking at Figure (5) you will notice that the APIs we are looking for live in MSVBVM60.dll. We will set a BP on vbaVarTstEq: right-click vbaVarTstEq and choose Set breakpoint on every reference. Olly sets no fewer than 88 breakpoints.

Figure (6)
Then run the program (F9).

Figure (7)
Olly stops at the first vbaVarTstEq BP it reaches. There is nothing meaningful in this piece of code, so to learn how the program behaves we step with F8 and watch.

Figure (8)

The CMP DI,SI at VA 005BBD58 is interesting, but to find out what happens next let's follow the jump.

Figure (9)
At VA 005BBFC0 in Figure (9) we suspect that oeiu-564-oqei-97 is the serial we are looking for. Let's look a little further: Figure (10).

Figure (10)
Let's try oeiu-564-oqei-97. First remove all the breakpoints (Ctrl+N, then Remove all breakpoints; the Breakpoints window, Alt+B, offers the same command).
(3) Registering
With all breakpoints removed, run the program (F9). You will see Figure (11).

Figure (11)
In Figure (11) the program does not even ask for a name to register; it only wants the exact key. This key was computed and fixed when the program was first installed. Let's try to register.

Figure (12)

Type oeiu-564-oqei-97 and press OK.

Figure (13)
As Figure (13) shows, registration succeeds. What do you make of that? Let's close the program and restart it to check.
(4) Testing the registration
To restart the program in Olly press Ctrl+F2, then F9. This time no nag screen appears when the program starts, and choosing About from the Help menu is fine too (Figure (14)).

Figure (14)
So now let's examine this program in SmartCheck.
(5) Changing SmartCheck's settings
This time we will try Numega's SmartCheck. SmartCheck was built specifically for debugging VB programs, which is what makes it so useful for cracking them, but a few of its settings need to be changed first. Open PC to Answering Machine 2.0.8.2 in SmartCheck. Once it is open, choose Settings ... from the Program menu (Figure (15)).

Figure (15)
In Figure (15) uncheck Leaks and select Save these settings .... Then choose Advanced.

Figure (16)
Select the options as shown in Figure (16).

Figure (17)
The last selections are those in Figure (17). That finishes the settings. Now run PC to Answering Machine 2.0.8.2 in SmartCheck. After the run, choose Event Summary from the View menu (Figure (18)).

Figure (18)
The Event Summary window gives us useful information.

Figure (19)
Specific Events in the View menu lets us choose which event types to display.

Figure (20)

Did you notice in Figure (20) that I selected Sequence Numbers? That little option is very useful: later on it saves us from reading through thousands of lines of code.
If you want to see all the code, choose Show All Events from the View menu.
(6) Finding the serial in SmartCheck
Now that SmartCheck's settings are adjusted, let's start hunting for the serial. Looking at the events, most of the code is of no use to us. Scroll down a little, as in Figure (21).

Figure (21)
The real code begins at the point shown in Figure (21).

Figure (22)
Figure (22) shows that there are as many as 24734 events. The end-program button stops the program; had we not pressed it, about 1.5 million events would have come out. For now all we want is to trace what PC to Answering Machine 2.0.8.2 does at startup.

Figure (23)
Looking at the line numbers in Figure (23) you will notice that not all lines are shown. That is because we selected Show Errors and Specific Events.

Figure (24)

With Show Errors and Specific Events selected you see Figure (24). We know that the program checks for an exact key at startup, so let's simply search for it in the API column (Figure (25)).

Figure (25)
Searching as in Figure (25) finds Figure (26).

Figure (26)
As Figure (26) shows, we land on the first API hit. We will not study the APIs in detail here; that comes later. The suspicious line is number 2549.

Figure (27)
So we click the plus sign to see the details, but nothing stands out. Double-clicking line 2549 and looking in the Details window, however, shows Figure (28).

Figure (28)
What Figure (28) shows is the serial we are after. For an ordinary registration key, SmartCheck makes the search very easy.
INFO: Some VB programs contain anti-SmartCheck tricks. Most of them simply check for the string NuMega SmartCheck, the tool's window title. I don't have that problem because I patched my SmartCheck with Repair 0.6, which can patch other tools as well.

That completes the crack of PC to Answering Machine 2.0.8.2.
Finding a serial this way is called serial fishing. You probably do not fully understand what I explained yet, and that is because serial fishing only skims the program's code and picks up the serial that the debugger hands us; we never compute the serial ourselves. This time we will crack VB programs at a higher level.
The programs chosen are two ReverseMe programs and a freeware program protected by a registration scheme, CrackersConvert 1.0. Before reading the lesson, download these 3 programs from the SND Team website; the SND Team address is given in the appendix. From the SND Team download section, fetch the file Lena's Reversing Tutorial - 10. It contains the lesson I am explaining here together with the 3 programs. This chapter is a translation of Lena151's lesson. The tools needed for the crack are OllyDbg, SmartCheck, VB Decompiler and Veoveo. VB Decompiler is freeware and can be downloaded from www.vb-decompiler.org.
Good, let's start cracking.
(7) ReverseMe1
The first program we crack is ReverseMe1. Open Tut.ReverseMe1.exe in SmartCheck and run it. You will see Figure (29).

Figure (29)
Figure (29) is the nag screen. I will explain later how to remove it; first let's find out how to register the ReverseMe program.

Figure (30)
The Form1_Load in Figure (30) is very important. Did you notice that the MessageBox is what produces the nag screen of Figure (29)? The registration routine comes after this Form1_Load. Press OK in Figure (29) and you will see Figure (31).

Figure (31)

Type 123456 into the Regcode textbox of Figure (31). You will then see Figure (32).

Figure (32)
Also, a new event is added to the view of Figure (30), as in Figure (33).

Figure (33)
If we choose Show All Events from View we will see every event. Before choosing Show All Events, first select the event you want to look at; otherwise there are so many events that you will never find the one you want. Usually, when something is written xxxxxx_click, xxxxxx is the name of a button. Programmers rarely rename their buttons and leave them as commandX, where X is a number starting from one.
Do you see that Command1_Click in Figure (33) is where the serial is checked? So let's look carefully there. For the moment we no longer need Tut.ReverseMe1.exe, so close it. By the way, what we see in Figure (33) is only the event summary.
Click the plus sign to the left of Command1_Click in Figure (33). Figure (34).

Figure (34)
Figure (34) still does not give us enough information. If we select MsgBox we see Figure (35).

Figure (35)

Figure (35) is the BadBoy. Fine; what if we select Text1.Text in Figure (34)? As things stand, nothing is shown. Choose Show All Events ( ) from the View menu and you get Figure (36).

Figure (36)
In fact nothing is hard here: we can now see everything.
__vbaStrCmp is used to compare strings; a return value of 0 means the two strings are equal.
Example: __vbaStrCmp(String: "xxxxxx", String: "yyyyyy") returns DWORD:0
But in Figure (36) the DWORD value is FFFFFFFF, because the two strings are not equal: I typed 123456 into the Regcode textbox of Figure (31). So what was our fake serial compared against? Figure (37).

Figure (37)
Good. 123456 was compared with I'mlena151.
And I'mlena151 was compared just before the BadBoy message appeared. Now that we know what the serial is, let's try it.

Figure (38)
Typing I'mlena151 as in Figure (38) brings up a messagebox saying registration succeeded. By the way, the serial we typed came to us without any calculation at all.
We still need to get rid of the nag screen. SmartCheck is good for finding serials in VB programs, but for removing nags we have better tools: VB decompilers, for example VB Decompiler Lite or Pro. I use VB Decompiler Pro 9.2.

Good. Let's open VB Decompiler.

Figure (39)
This is our Tut.ReverseMe1.exe decompiled in VB Decompiler.
INFO: A compiler is a program that turns source code into exe code. A decompiler takes the exe code and turns it back into something like the original source. A decompiler is just a specialised disassembler: where a disassembler turns exe code into assembly, a decompiler turns it into a high-level language such as C/C++ or VB.
Looking at Figure (39), VB Decompiler seems to have done its job well.
Let's study the code first. Click the plus sign next to Form1 in Figure (39).

Figure (40)
In my opinion even somebody not fluent in programming languages can follow this. In Figure (40), mnuabout is the About box and mnuexit is Exit. Command2 is what runs when the Nag button is pressed, Form_Load is the nag, and Command1 is what runs when the Register button is pressed. So let's see at which VA the routine that produces the nag starts. Both Form_Load and Command2 say the nag starts at VA 402C17. You can double-click to check whether that is right. Double-click Form_Load.

Figure (41)

According to Figure (41) there is no doubt the nag screen is created here, because we find the string "Get rid of all Nags and find ..".

Figure (42)
Figure (42) is the end of the nag screen, and VA 402C17 is the start of the nag routine. Good. Let's open Tut.ReverseMe1.exe in our debugger (Figure (43)).

Figure (43)
Then, to jump straight to the VA we want, press the go-to button on the toolbar (or Ctrl+G). You will see Figure (44).

Figure (44)
Type VA 402C17. You will see Figure (45).

Figure (45)
Figure (45) shows the start of the nag screen. Set a breakpoint at VA 402C17, then run (F9).

Figure (46)

Figure (46) shows where execution goes once the nag screen is done. Change the PUSH EBP at VA 402C17 into a RET, so that we arrive at the end of the nag instead of its start. Then run (F9). Like any patch made in memory, this only lasts for the debugging session unless you write it back to the file with Copy to executable file, as we do for ReverseMe2 below.

Figure (47)
No nag; only Figure (47) appears. To be sure, press Nag? in Figure (47): nothing comes up. The nag screen is gone.
(8) CrackersConvert
The next program is CrackersConvert. This time I will not walk through the program's behaviour; you should open it in SmartCheck and study it yourself. I go straight to About. Pressing the register button from About shows the registration box of Figure (48).

Figure (48)
And pressing the register button gives Figure (49).

Figure (49)

INFO: You can enter any registration code you like. You may wonder why I typed 47806. Well, programs quite often convert the registration code to hex before comparing it, and 47806 in hex is BABE. Easy to remember.

Figure (50)
Pressing Validate in Figure (48) shows Figure (50). Now that we have seen what we came for, let's close CrackersConvert.

Figure (51)
For now let's look at the Overview window, as in Figure (51), to study the code.
Len(String: "rhythm") returns LONG:6
Explanation: the length (number of characters) of the string "rhythm" is 6.
Mid(VARIANT:String:"abcdefg",long:1,VARIANT:Integer:1)
Explanation: starting at position 1 of "abcdefg", take one character, i.e. the first letter.
Mid(VARIANT:String:"rhythm",long:1,VARIANT:Integer:5)
Explanation: here, starting at position 1, take 5 characters ("rhyth").
Asc(String:"T") returns Integer:84
Explanation: get the decimal character code of "T", which is 84.
Asc(String:"r") returns Integer:114
Explanation: here the decimal code of "r", 114, is taken.
Len(String: "47806") returns LONG:5
Explanation: the length (number of characters) of "47806" is 5.
The last line of Figure (51) is the BadBoy.

Did you notice that the line Len(String: "47806") returns LONG:5 only checks the length of the serial? Why isn't the serial itself compared? Let's find where the serial is compared before the BadBoy is reached. Select Len(String: "47806") returns LONG:5 and press Show all events ( ). You will see Figure (52).

Figure (52)
Look at Figure (52). There is really nothing hard about it.
__vbaVarMul(VARIANT:String:"114", VARIANT:Integer:20) returns DWORD:13F474
The code of the first letter of my name (114) is multiplied by 20.
__vbaVarMul(VARIANT:String:"1", VARIANT:String:"2") returns ..
Explanation: in general, __vbaVarMul multiplies its first operand by its second.
__vbaVarMove(VARIANT:Double:2280,VARIANT:Empty) returns DWORD:13F48C
The result is 2280.
__vbaVarCat(VARIANT:String:"REG-",VARIANT:Double:2280) returns DWORD:13F474
Then REG- is prepended, giving REG-2280.
__vbaVarCat(VARIANT:String:"REG-2280",VARIANT:String:"-CODE") returns DWORD:13F464
Then -CODE is appended, giving REG-2280-CODE.
__vbaVarTstEq(VARIANT:String:"47806",VARIANT:String:"REG-2280-CODE") returns DWORD:0
Only then is it compared with the serial we typed.
__vbaVarTstEq(VARIANT:****,VARIANT:****) returns DWORD:0
Explanation: __vbaVarTstEq is used to compare variants. It returns VB True (FFFFFFFF, i.e. -1) when the two are equal and 0 when they differ, which is why the comparison above, made with the wrong serial 47806, returned 0. __vbaVarCmpEq behaves similarly. Note that this is the opposite convention from __vbaStrCmp, where 0 means "equal".
So we have the serial we need: the user name is rhythm and the serial is REG-2280-CODE.

Figure (53)

Press Validate in Figure (53).

Figure (54)
Our registration succeeds (Figure (54)).
INFO: The program writes the registration data to the files cconv.$$$ and cconv.ccc and checks at every start whether that data still matches.
Good; let's study the other ReverseMe program.
(9) ReverseMe2

Figure (55)
Figure (55) shows ReverseMe2 opened in Olly. You may ask why I opened it in Olly and not in SmartCheck. In fact I did open ReverseMe2 in SmartCheck first, but it would not run: SmartCheck closed by itself the moment it loaded ReverseMe2. So I loaded it in Olly to find out what happened, suspecting that ReverseMe2 has some anti-SmartCheck trick: as soon as it notices SmartCheck it tries to shut it down. Let's see how to deal with that.
Right-click in the debugger window and choose Search for, then All referenced text strings. You will see Figure (56). Let's check whether ReverseMe2 looks for SmartCheck.

Figure (56)
In Figure (56) we find the string NuMega SmartCheck at VA 00404525. Double-click VA 00404525 and study the code (Figure (57)).

Figure (57)

The ReverseMe looks for the string NuMega SmartCheck, so we will change it to something else right here. I will show the easiest way. In the debugger window right-click VA 00404525 and choose Follow in Dump, then Immediate constant.

Figure (58)
When you see Figure (58), select the character you want to change and type whatever you like on the keyboard.

Figure (59)
Selecting the 4D (M) position in Figure (58) and pressing B gives Figure (59).

Figure (60)
Pressing OK in Figure (59) gives Figure (60). In the same way, replace the character 43 (C) with another one. Only overwrite characters; we are editing bytes in place, so the string must keep its length.

Figure (61)
Then right-click and choose Copy to executable file. You will see Figure (62).

Figure (62)

In Figure (62) right-click and choose Save file, then save the file under any name you like. This time the file we saved opens in SmartCheck without any problem, as Figure (63) shows.

Figure (63)
This anti-anti trick applies not only to SmartCheck but equally to checks for other tools such as Olly, ImpRec and LordPE. Now let's try to register ReverseMe2.
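The patch above is done by hand in Olly's dump window. As an added example (mine, not code from the tutorial or the ReverseMe), here is the same same-length string overwrite done on the file image, together with a model of the check it defeats. Assumptions: the literal is stored either as ASCII or, as VB6 normally stores string constants, as UTF-16LE; SAMPLE is a constructed stand-in for the binary, so its offsets are not ReverseMe2's; the replacement text NuBega SBartCheck is arbitrary.

```python
"""In-place patch of a tool-name literal, modelled on the Olly edit in the text."""

ENCODINGS = ("utf-16-le", "ascii")   # VB6 string literals are UTF-16LE; try that first


def find_literal(image: bytes, literal: str):
    """Return (offset, encoding) of the first copy of `literal` in the image, or None."""
    for enc in ENCODINGS:
        off = image.find(literal.encode(enc))
        if off != -1:
            return off, enc
    return None


def patch_literal(image: bytes, old: str, new: str) -> bytes:
    """Overwrite every copy of `old` (in either encoding) with `new`, in place.
    Same-length replacement only: the surrounding bytes (BSTR length prefix,
    code that references the address) are left alone, exactly like typing
    over the characters in Olly's dump window."""
    if len(new) != len(old):
        raise ValueError("replacement must have the same length as the original")
    out = bytearray(image)
    hits = 0
    for enc in ENCODINGS:
        needle, repl = old.encode(enc), new.encode(enc)
        start = 0
        while (off := out.find(needle, start)) != -1:
            out[off:off + len(needle)] = repl
            hits += 1
            start = off + len(needle)
    if hits == 0:
        raise ValueError(f"{old!r} not found in image")
    return bytes(out)


def read_utf16_literal(image: bytes, offset: int, nchars: int) -> str:
    """The string the program would hand to AppActivate(): nchars UTF-16 units at offset."""
    return image[offset:offset + 2 * nchars].decode("utf-16-le")


def tool_detected(image: bytes, offset: int, nchars: int, window_titles) -> bool:
    """Models the ReverseMe's check: AppActivate(literal) succeeds when some
    top-level window title starts with the literal (window_titles is constructed)."""
    probe = read_utf16_literal(image, offset, nchars)
    return any(title.startswith(probe) for title in window_titles)


# Constructed sample image: padding, the UTF-16LE literal, a terminator, an ASCII copy.
SAMPLE = (b"\x90" * 8
          + "NuMega SmartCheck".encode("utf-16-le") + b"\x00\x00"
          + b"NuMega SmartCheck\x00")

if __name__ == "__main__":
    titles = ["NuMega SmartCheck - Tut.ReverseMe2.exe"]        # constructed window list
    off, enc = find_literal(SAMPLE, "NuMega SmartCheck")
    patched = patch_literal(SAMPLE, "NuMega SmartCheck", "NuBega SBartCheck")
    print("literal at", off, enc)
    print("detected before patch:", tool_detected(SAMPLE, off, 17, titles))
    print("detected after patch: ", tool_detected(patched, off, 17, titles))
```

The length check is the important part: a longer or shorter replacement would shift every byte after it, which is why both this script and the Olly edit only ever overwrite characters.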

Figure (64)
Even after we type a User name and a Registration code the Register button stays disabled, so we cannot register. This ReverseMe appears to check every character as it is typed (Figure (65)).

Figure (65)
So what do we need to look at? Let's study Figure (65) in detail.

Figure (66)
Here we see the program calculating with some of the characters, but digging into Text2.Text in Figure (66) turns up nothing.

Figure (67)
So let's think about Figure (67). The ReverseMe knows at startup that it is not registered.

Figure (68)
Let's examine Text3.Text <- "UNREGISTERED" (String) in Figure (68) in detail.
The line AppActivate(VARIANT:String:"NuSega S...", VARIANT:Missing) fails means that no window with a title starting NuSega S... was found; that is the anti-SmartCheck check we defeated, now harmlessly looking for the patched name. Then look at the line Text3.Text <- "UNREGISTERED" (String). I think you understand that our search is only concerned with what happens before this UNREGISTERED string.

Figure (69)
Look at Figure (69). __vbaVarTstEq(..) is comparing something. Selecting __vbaVarTstEq(..) shows Figure (70).

Figure (70)
Still not clear. Let's look in more detail.

Figure (71)
Selecting Dir(VARIANT:String:"reginfo....",FLAGS:00000000) in Figure (71) shows Figure (72).

Figure (72)
The ReverseMe looks for a file named reginfo.key, and __vbaVarTstEq(..) tests whether Dir() found it. If it does not exist, UNREGISTERED is shown in the main window and registration is impossible. In other words, we need a reginfo.key file, so let's create one: open Notepad and save an empty file as reginfo.key. Because Dir() is called with a bare file name, it looks in the current directory, so put the file next to the exe and start the program from there. Then check ReverseMe2 again in SmartCheck.

Figure (73)
Now you see Figure (74). Let's try to register.

Figure (74)
Well, so far we still cannot register. Let's see what has changed in SmartCheck.

Figure (75)
In Figure (75), in place of UNREGISTERED, the string Key File found has appeared. Good. Now let's go back to the code that checks the serial.

Figure (76)
Left(VARIANT:String:"rhythm",long:1)
Explanation: takes the first character of the name.
Asc(String:"r") returns Integer:114
Explanation: converts the character "r" to its code, the integer 114.

Mid(VARIANT:String:"rhythm", long:2, VARIANT:Integer:1)
Explanation: takes the second character of the name.
Asc(String:"h") returns Integer:104
Explanation: converts the character "h" to its code, the integer 104.
Then the third, fourth ... characters are converted the same way, and all those numbers are joined end to end as text ("114" & "104" & ...), giving "114104121116104...".
Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10)

This time let's look at all the events: choose Show all events ( ).

Figure (77)
Figure (77) shows those numbers being joined. The important line is Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10): the program takes 10 characters starting from the second one, so the digits used are just 1410412111.

Figure (78)
Then continue with Figure (78).
__vbaVarSub(..) subtracts something, and then __vbaVarTstEq(..) compares something, so we need a closer look. Click the plus sign.

Figure (79)
Looking at Figure (79), the __vbaVarSub(..) turns out to have nothing to do with the __vbaVarTstEq(..). ☻☻☻

Figure (80)
But in the __vbaVarTstEq(..) of Figure (80) we see that the value is converted to double.dbval in order to compare it with the real serial; in fact it is 1410412111 that is converted for the comparison. So the real serial is .... ☻☻☻

Figure (81)
The program converts the first 5 characters of the name we typed to their ASCII codes, joins them into one string, and then takes 10 characters starting at the second position (characters 2 through 11) of that string as the serial. Let's try that serial.
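The two algorithms recovered from SmartCheck traces in this chapter, CrackersConvert 1.0 in section (8) and ReverseMe2 here, are both simple enough to turn into keygens. The following is an added example (mine, reconstructed from the traces quoted in the text, not code from the tutorial or from the programs). It also encodes the two return conventions the traces rely on. Assumptions: names are plain ASCII, so Asc() and Python's ord() agree; ReverseMe2 uses the first five characters, as the text states; and, because the text says the final comparison is done on doubles, a generated serial with a leading zero is noted as an edge case rather than verified against the program.

```python
"""Keygens for CrackersConvert 1.0 and ReverseMe2, rebuilt from the SmartCheck traces."""


# VB string helpers with the semantics visible in the event log:
# 1-based positions, Mid(s, start, length), Asc() = character code.
def vb_asc(ch: str) -> int:
    return ord(ch[0])


def vb_left(s: str, length: int) -> str:
    return s[:length]


def vb_mid(s: str, start: int, length: int) -> str:
    return s[start - 1:start - 1 + length]


# Return conventions of the two comparison routines seen in the traces.
def vba_str_cmp(a: str, b: str) -> int:
    """__vbaStrCmp: 0 when equal, otherwise -1 (FFFFFFFF) or 1, like strcmp."""
    return 0 if a == b else (-1 if a < b else 1)


def vba_var_tst_eq(a, b) -> int:
    """__vbaVarTstEq: VB True (-1, FFFFFFFF) when the variants are equal, else 0."""
    return -1 if a == b else 0


def crackersconvert_serial(name: str) -> str:
    """Trace: Asc(Left(name,1)) -> __vbaVarMul(.., 20) -> __vbaVarCat("REG-", n)
    -> __vbaVarCat(.., "-CODE").  For "rhythm": 114 * 20 = 2280 -> REG-2280-CODE."""
    if not name:
        raise ValueError("name must not be empty")
    return "REG-%d-CODE" % (vb_asc(vb_left(name, 1)) * 20)


def reverseme2_serial(name: str) -> str:
    """Trace: Asc() of each of the first five characters, joined as decimal text,
    then Mid(joined, 2, 10).  For "rhythm": "114104121116104" -> "1410412111".
    The program compares the result as a double (assumption from the text), so a
    serial starting with '0' would presumably also pass without the zero; this
    function returns the exact Mid() text and does not rely on that."""
    if len(name) < 5:
        raise ValueError("ReverseMe2 needs at least five characters")
    joined = "".join(str(vb_asc(c)) for c in vb_left(name, 5))
    return vb_mid(joined, 2, 10)


def crackersconvert_accepts(name: str, entered: str) -> bool:
    """The program's own decision: __vbaVarTstEq(entered, computed) != 0 is the GoodBoy."""
    return vba_var_tst_eq(entered, crackersconvert_serial(name)) != 0


if __name__ == "__main__":
    for name in ("rhythm", "lena151"):
        print(name, crackersconvert_serial(name), reverseme2_serial(name))
```

Checking the helpers against the trace lines (Asc("r") = 114, Mid("rhythm", 1, 5) = "rhyth") before trusting the keygen is the habit that catches off-by-one errors in the 1-based Mid() semantics.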

Figure (82)
Our serial is most likely right, because the Register button has become enabled again.

Figure (83)

Selecting the Register button in Figure (82) gives Figure (83). Registration succeeded.
Now open VB Decompiler, because I want to show you its decompiling power.

Figure (84)
Once it is open as in Figure (84), double-click Form_Load and scroll to see how ReverseMe2 behaves. You will see Figure (85).

Figure (85)
Double-click Command1_Click and scroll (Figure (86)).

Figure (86)
Here I would like to introduce the Veoveo program. This tool can enable or disable any button. Watch.

Figure (87)

The Register button is disabled. Open Veoveo.

Figure (88)
As in Figure (88), right-click Veoveo and choose Enable Buttons (auto).

Figure (89)
Looking at Figure (89), the Register button is now enabled. You see how easy it is. Of course, even with the Register button enabled we still cannot register, because the program checks whether the serial is right.
(10) Cracking VB P-code programs
INFO: P-code is code that is only interpreted at execution time. You can think of p-code as low-level code that our microprocessor cannot execute directly. Just as Java programs need a virtual machine to run, VB p-code needs a virtual machine; only that machine can interpret the p-code and carry out the native operations it stands for. In VB the virtual machine lives in MSVBVM50.DLL and MSVBVM60.DLL. These DLLs also contain all the APIs that VB applications use, for example rtcMsgBox, which does the same job as the Windows API MessageBox(). Functions that matter for protection and functions that are rarely used are best compiled as p-code, while frequently used functions should be compiled as native code: p-code is harder to analyse but slows the program down. P-code works almost entirely on a stack, so most instructions take their operands from the stack and put their results back on it. C/C++ programs can be compiled as p-code with a #pragma, in which case a run-time engine of about 9 KB is placed in the exe at link time. Some debuggers have the weakness that they cannot debug p-code.
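To make the stack discipline concrete, here is an added example (mine, not VB's runtime): a toy interpreter for a few of the P32Dasm mnemonics that appear in the Splash Form.Load() listing further down (LitStr, ConcatStr, EqStr, AndI4, BranchF). The mnemonic names come from that listing; their exact semantics, operand encodings and the expected ini values are my assumptions, since the real MSVBVM60 opcode table is undocumented. What it shows is the property described above: every instruction pops its operands from the VM stack and pushes its result back, so the check logic never exists as x86 code and a native debugger like Olly only ever sees the interpreter loop.

```python
"""Toy p-code interpreter for a handful of P32Dasm mnemonics (assumed semantics)."""

VB_TRUE, VB_FALSE = -1, 0      # VB booleans: True is -1 (all bits set), False is 0


class PCodeVM:
    def __init__(self, code):
        # code: list of (offset, mnemonic, operand); offsets serve as branch targets
        self.code = code
        self.stack = []
        self.trace = []        # (offset, mnemonic, stack snapshot) after each executed op

    def run(self):
        by_offset = {off: i for i, (off, _, _) in enumerate(self.code)}
        pc = 0
        while pc < len(self.code):
            off, op, arg = self.code[pc]
            pc += 1
            if op in ("LitStr", "LitI2"):        # push an immediate operand
                self.stack.append(arg)
            elif op == "ConcatStr":              # pop b, pop a, push a & b
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append(a + b)
            elif op == "EqStr":                  # pop two strings, push VB_TRUE/VB_FALSE
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append(VB_TRUE if a == b else VB_FALSE)
            elif op == "AndI4":                  # bitwise And (works on VB booleans)
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append(a & b)
            elif op == "BranchF":                # pop; jump to arg if the value is False
                if self.stack.pop() == VB_FALSE:
                    pc = by_offset[arg]
            elif op == "ExitProc":
                break
            else:
                raise ValueError(f"unsupported opcode {op} at {off:#x}")
            self.trace.append((off, op, list(self.stack)))
        return self.stack


# Assumed splash-screen check: two lines read from pwrtools.ini are compared with
# the expected "USER NAME = ..." / "REGISTRATION = ..." strings, the two results are
# And-ed, and BranchF chooses between the registered banner and UNREGISTERED.
def splash_program(user_line: str, reg_line: str):
    return [
        (0x00, "LitStr", user_line),
        (0x03, "LitStr", "USER NAME = rhythm"),        # expected value: invented
        (0x06, "EqStr", None),
        (0x07, "LitStr", reg_line),
        (0x0A, "LitStr", "REGISTRATION = "),
        (0x0D, "LitStr", "OK"),                        # expected value: invented
        (0x10, "ConcatStr", None),
        (0x11, "EqStr", None),
        (0x12, "AndI4", None),
        (0x13, "BranchF", 0x1A),
        (0x16, "LitStr", "Registered to: rhythm"),
        (0x19, "ExitProc", None),
        (0x1A, "LitStr", "UNREGISTERED"),
        (0x1D, "ExitProc", None),
    ]


def run_splash(user_line: str, reg_line: str) -> PCodeVM:
    vm = PCodeVM(splash_program(user_line, reg_line))
    vm.run()
    return vm


def splash_check(user_line: str, reg_line: str) -> str:
    """The banner the toy splash routine leaves on top of the stack."""
    return run_splash(user_line, reg_line).stack[-1]


if __name__ == "__main__":
    vm = run_splash("USER NAME = rhythm", "REGISTRATION = NO")
    for off, op, stack in vm.trace:              # what a p-code tracer would log
        print(f"{off:04X} {op:<10} {stack}")
    print(splash_check("USER NAME = rhythm", "REGISTRATION = OK"))
```

Reading the trace next to the real listing makes the pattern visible: a run of LitStr / EqStr pairs feeding one AndI4, then a single BranchF that decides the whole registration state, which is why a p-code disassembler such as P32Dasm is the right tool here rather than a native debugger.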

To learn more about p-code, let's crack Engineering Power Tools, which is compiled to p-code. Download Engineering Power Tools 2.0.4 from http://www.pwr-tools.com/ and install it. Then open ept-2002.exe in Olly.

Figure (90)
As Figure (90) shows, Olly is not much help for debugging p-code files. For your information, the ThunRTMain in Figure (90) is VB's main() function: if a VB file has been packed with some packer, you have to find ThunRTMain and dump from there.
Open ept-2002.exe in P32Dasm 2.5 instead of Olly. You will see Figure (91).
File: C:\Program Files\Engineering Power Tools - Plus Edition v2.0.4\ept-2002(ori).exe
P32Dasm v2.5
VB6 Application detected ... PCode

MAINFORM Events:
191. plus_options_show
192. plus_options_hide
193. plus_options_enable

Page_Setup Events:
2. Setup_calc

Pneumatic_cylinders Events:
11. metric_calc
12. inch_loader
13. metric_loader

Shear_Keys Events:
24. option_set

Volumes_of_Solids Events:
52. sphere_calc
53. spherical_sector_calc
54. spherical_segment_calc
55. spherical_zone_calc
56. spherical_wedge_calc
57. hollow_cylinder_calc
58. hollow_sphere_calc
59. torus_calc

Hydraulic_cylinders Events:
12. metric_calc
13. inch_loader
14. metric_loader

Splash Events:
37. pchk

shape_generator Events:
1. generate_rectangular_tubing
2. generate_circle
8. generate_hollow_circle

GearCalc Events:
17. metric_gear_calc

Beam_Calc Events:
9. Selector
10. selector_SI

Psychro_2 Events:
1. log10
2. calc_vapor_pressure
3. calc_vapor_pressure_2
4. calc_dewpoint
5. calc_enthalpy
6. calc_relative_humidity
7. calc_specific_volume
8. calc_humidity_ratio
9. calc_humidity_ratio_2
10. calc_atmospheric_pressure
11. calc_wet_bulb
15. calc_rh
17. calc_dp

Structural_Tubing Events:
12. combo_loader

Enclosure_Cooling Events:
15. Solve_Open_SI
16. Solve_Closed_SI

Duct_Size Events:
26. calc3

Plate_Deflection Events:
10. solve_SI
Figure (91)
To learn how the program behaves, start ept-2002.exe (Figure (92)).

Figure (92)

Figure (92) shows the UNREGISTERED banner. Clicking it gives Figure (93).

Figure (93)
According to Figure (93) we can use either the Standard Edition or the Plus Edition. Pressing OK in Figure (93) gives Figure (94).

Figure (94)
Figure (94) says that what we typed is wrong.

Figure (95)
As a result, as Figure (95) shows, some functions cannot be used. Now that we know how the program behaves, let's go back to P32Dasm. In P32Dasm choose References, then Procedures (Figure (96)).

Figure (96)
Figure (96) lists the procedures contained in the program.

Figure (97)
Did you notice that Engineering Power Tools checks whether it is registered on the splash screen, right when it opens? So selecting 73.22 Form.Load() in Figure (97) takes you to Figure (98).
Splash 73.22 Form.Load()
0016DF88: 6C ILdRf param_8
0016DFF4: 1B LitStr: "http://www.pwr-tools.com"
0016DFF7: 21 FLdPrThis
0016E18C: 1B LitStr: "\pwrtools.ini"
0016E18F: 2A ConcatStr
0016E21D: 1B LitStr: "USER NAME = "
0016E220: FB30 EqStr =
0016E26F: 23 FStStrNoPop var_108
0016E272: 1B LitStr: "REGISTRATION = "
0016E275: FB30 EqStr =
0016E277: C4 AndI4 And
0016E2C7: 1B LitStr: "REGISTRATION CODE = "
0016E2CA: FB30 EqStr =
0016E319: 23 FStStrNoPop var_108
0016E31C: 1B LitStr: "PASSWORD = "
0016E31F: FB30 EqStr =
0016E371: 1B LitStr: "SOFTWARE KEY = "
0016E374: FB30 EqStr =
0016E3BA: 3A LitVarStr: "<No Value>"
0016E3BF: 25 PopAdLdVar
0016E3C0: 1B LitStr: "User Name"
0016E3C3: 1B LitStr: "Settings"
0016E3C6: 1B LitStr: "EPTools"
0016E3C9: 0B ImpAdCallI2 GetSetting()
0016E3CE: FDB7 ImpAdStStr
0016E3D2: 3A LitVarStr: "<No Value>"
0016E3D7: 25 PopAdLdVar
0016E3D8: 1B LitStr: "Registration Code"
0016E3DB: 1B LitStr: "Settings"
0016E3DE: 1B LitStr: "EPTools"
0016E3E1: 0B ImpAdCallI2 GetSetting()
0016E3E6: FDB7 ImpAdStStr
0016E3EA: 3A LitVarStr: "<No Value>"
0016E3EF: 25 PopAdLdVar
0016E3F0: 1B LitStr: "Software Key"
0016E3F3: 1B LitStr: "Settings"
0016E3F6: 1B LitStr: "EPTools"
0016E3F9: 0B ImpAdCallI2 GetSetting()
0016E449: 7A ImpAdStI2 param_26
0016E44C: 1B LitStr: "Registered to: "
0016E44F: 76 ImpAdLdI4
0016E567: 04 FLdRfVar var_18C
0016E56A: FC22 CI4Var
0016E56C: 05 ImpAdLdRf
0016E56F: 4D CVarRef: var_AC
0016E574: 04 FLdRfVar var_98
0016E577: 0A ImpAdCallFPR4 Left()
0016E57C: 04 FLdRfVar var_98
0016E57F: FCF6 FStVar var_19C
0016E583: 04 FLdRfVar var_17C
0016E586: 04 FLdRfVar var_19C
0016E589: FB33 EqVarBool =
0016E58B: 1C BranchF 0016E60C
0016E58E: F4 LitI2_Byte: 255 0xFF (True)
0016E590: 7A ImpAdStI2 param_53
0016E593: 1B LitStr: "Show"
0016E596: 1B LitStr: "Plus Options"
0016E599: 1B LitStr: "Settings"
0016E59C: 1B LitStr: "EPTools"
0016E59F: 0A ImpAdCallFPR4 SaveSetting()
0016E5A4: F4 LitI2_Byte: 255 0xFF (True)
0016E5A6: 7A ImpAdStI2 param_26
0016E5A9: 1B LitStr: "Registered to: "
0016E5AC: 76 ImpAdLdI4
0016E5AF: 2A ConcatStr
0016E5B0: 23 FStStrNoPop var_108
0016E5B3: 21 FLdPrThis
0016E5B4: 0F VCallAd
0016E5B7: 19 FStAdFunc var_88
0016E5BA: 08 FLdPr var_88
0016E5F6: 0F VCallAd
0016E5F9: 19 FStAdFunc var_88
0016E5FC: 08 FLdPr var_88
0016E5FF: 0D VCallHresult PictureBox.Set_Visible()
0016E604: 1A FFree1Ad var_88
0016E607: 10 ThisVCallHresult
0016E60C: loc_0016E58B
0016E60C: loc_0016E4C7
0016E60C: loc_0016E4AF
0016E60C: 75 ImpAdLdI2
0016E60F: F4 LitI2_Byte: 0 0x0 (False)
0016E611: C6 EqI2 =
0016E612: 1C BranchF 0016E963
0016E615: F3 LitI2: 3800 0xED8
0016E618: EB CR8I2 Int(number)
0016E619: 37 PopFPR4
0016E963: loc_0016E612
0016E963: 13 ExitProcHresult
Figure (98)
Let's examine the code in Figure (98). Some of the code has been cut out for fear of it being too long.

0016E589: EqVarBool =          // Checks whether var_17C and var_19C are equal. Equivalent to CMP.
0016E58B: BranchF 0016E60C     // If equal, goes to 0016E60C. BranchF (1C) is like JE. BranchT (1D) is like JNE. Branch (1E) is like JMP.
To understand the code in Figure (98) more clearly, check it in VB Decompiler; you will see Figure (99).
If ((Len(MemVar_5C103C) > 1) And (Len(MemVar_5C1038) > 1)) Then '56E60C
For var_168 = 1 To CVar(Len(MemVar_5C1040)): var_148 = var_168 'Variant
loc_56E4F8: var_110 = Mid$(MemVar_5C1040, CLng(var_148), 1)
If (var_110 <> "-") Then '56E513
loc_56E510: var_138 = var_138 & var_110
End If
Next var_168 'Variant
loc_56E534: MemVar_5C10C4 = Unknown_503BF8(MemVar_5C1038)
loc_56E53C: MemVar_5C10C4 = Unknown_4FD768()
loc_56E555: var_17C = CVar(Unknown_516920(Unknown_50507C(var_138))) 'Variant
If (var_17C = Left(MemVar_5C103C, CLng(Len(var_17C)))) Then '56E60C
loc_56E590: MemVar_5C1046 = &HFF
loc_56E59F: SaveSetting("EPTools","Settings","Plus Options","Show")
loc_56E5A6: MemVar_5C1044 = &HFF
loc_56E5BD: regbox.Text = "Registered to: " & MemVar_5C1038
loc_56E5D7: regbox.Forecolor = 0
loc_56E5EB: regbox.Fontbold = 0
loc_56E5FF: regpanel.Visible = 0
loc_56E607: Call Unknown_5000EC(MemVar_5C1044)
loc_56E60C: ' Referenced from: 56E4AF
End If
End If
Figure (99)
Some of the prefixes used in P-code are as follows. Figure (100).
Ad Address
I# Integer
Imp Import
Ld Load
Lit Literal (i.e. "Hi", 2, 8)
Mem Memory
R# Real
Rf Reference
St Store
Str String
V Virtual
DOC Duplicate Opcode (Redirect to another opcode)
Figure (100)
In fact, EPT checks whether or not we have registered by reading from the registry. If it is not registered, it jumps to offset 0016E60C. Therefore we now need to replace these conditional jumps with NOP. Before replacing them with NOP, let's open the location of VA 56E589 in Olly. Figure (101).
Figure (101)
We will replace the highlighted places in Figure (101) with NOP. In P-code, the opcode equivalent to NOP is not 90; it is 21 (FLdPrThis). Figure (102).

Figure (102)
After editing as in Figure (102), we can save the patched file. Then run the patched file. You will see Figure (103).

Figure (103)
I edited the regname.reg file as in Figure (104) and merged it into the registry. Why it has to be edited will be clear if you look at the code in Figure (98).
REGEDIT4
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\EPTools\Settings]
"User Name"="Myanmar Cracking Team"
"Registration Code"="Don't Hate the Crackers! Hate the C0dez."
Figure (104)
If so, you will see Figure (105).

Figure (105)
What I have explained is how to register with your own name without finding the key. If you want to find the key, I suggest you try it yourself.
Chapter (17) - Cracking programs written in Delphi - 338 -

Chapter (17) - Cracking programs written in Delphi


In the previous chapter I explained how to crack programs written in Visual Basic. This time let's turn to Delphi programs. Recall that I mentioned that a great many software products are written in Visual C++, Borland Delphi and Visual Dot.net. That is why I think it has become necessary for me to explain how to crack Delphi programs. (In fact, Delphi programs are similar in principle to Visual C++ programs.)
The program chosen to crack this time is File Recovery Angel 1.13. This software is a program that helps you recover files you have deleted, and it is very easy to use. It can be downloaded free of charge from www.filerecoveryangel.com.
Good. Before we crack the program, open File Recovery Angel so that we can learn a little about how the program behaves.

Figure (1)
When you open File Recovery Angel and choose About from the Help menu, you see Figure (1). When you try to recover a damaged folder, you see Figure (2).

Figure (2)
When you try to recover a large number of files, you see Figure (3) again.

Figure (3)

These MessageBoxes are there to pressure users into buying.

Good, let's check what this program was written in. Figure (4).

Figure (4)
According to the PEiD check in Figure (4), this program was written in Delphi 4.0 or Delphi 5.0. Only Delphi programmers would be able to tell the exact version by looking at the linker version. For us, a rough idea is enough.
If you open FileRecoveryAngel.exe in Olly, you will see the entry point as in Figure (5).

Figure (5)
To find out exactly how it works, press F9 (Run). Then choose Register(R) from the Option menu and prepare to register. Figure (6).

Figure (6)
Type in a Registration Name and a Registration Key as in Figure (6) and choose the Register button. You will see Figure (7).
Figure (7)
Note the text "Register False" in Figure (7) and search for it in Olly as a text string. Then go to where this text string is. Figure (8).

Figure (8)
Looking at Figure (8), you will see that a jump from somewhere lands at VA 00488FEA, where this BadBoy message is. For now, forget about this jump. When you see Figure (7), press F12 (Pause) to pause the program. Then press Alt+K (Call Stack) and see where the calls are being made from. Figure (9).

Figure (9)
As you can see in Figure (9), Olly cannot give precise information about the calls. So we have to look at the System Stack and see where the error MessageBox of Figure (7) is called from. (When cracking Delphi programs, the System Stack is more useful than the Call Stack. Another method commonly used when cracking Delphi programs is to search for the FindWindowA API, because Delphi programs tend to look for an open window with a specific class name or title.)

Figure (10)
Figure (10) is what the System Stack looks like while Figure (7) is paused.
INFO: When Delphi code is disassembled in Olly, what you see looks a little strange. (You will notice that there are few comments and little info.) That is because Olly is not able to backtrace the calls. The Call Stack is mostly empty and gives only a little information. So in Delphi programs, if you want to know which call a routine is called from, you have to use the System Stack. Taking the return address from the System Stack and tracing back to the start of the call also takes a long time. It is not very workable. Another method is needed, because Olly cannot show the exact start address of the routine.
INFO: Delphi references global variables and local variables through pointers. It uses [REG+Constant] for global variables and [REG-Constant] for local variables. REG means a register. That is to say, Olly cannot backtrace something like CALL DWORD PTR DS:[EBX+100]: when the value of EBX changes, the value of the pointer also changes, and Olly cannot backtrace this call. These are real problems when dealing with Delphi programs. They can be encountered in other languages too, but not as often as in Delphi.
INFO: This is a little worrying. What we are lucky about is that we have a tool for Delphi. That tool is DaFixer's DeDe. DeDe is a disassembler created for Borland Delphi programs. DeDe is a very fast program for analyzing exe files compiled with Delphi/Builder, and it can give back all of the file's dfm files. These dfm files can be opened and edited in Delphi. DeDe can extract strings, imported function calls, class method calls, the components in a unit, Try-Except and Try-Finally blocks, and all referenced code. You can also create a Delphi project folder containing dfm, pas and dpr files. Every tool has a weakness. Since DeDe is not a debugger, patching in DeDe is not possible. In any case, it works if used together with Olly. When you download DeDe 3.50.04 build 1635, make sure the DOI and DSF files are included. Articles about DeDe are in DeDe's dede_doc directory. (DSF == DeDe Symbol File) (DOI == DeDe Offset Information File)
INFO: The important point about DeDe's configuration is that it is best to load the correct symbol files before processing an exe file. DeDe can work without DOI/DSF files, but DOI/DSF files are very important for resolving call sequences correctly.

Figure (11)
As in Figure (11), choose Symbols from DeDe's Options menu and select the vcl5.dsf file, which corresponds to Delphi 5.0. If you are going to analyze Delphi 7.0 programs, you must choose the vcl7.dsf file. Click the DOI tab and select the D5.doi file. Then click the Process button in Figure (12).

Figure (12)
When you click the Process button in Figure (12), MessageBoxes like those in Figure (13) will appear.

Figure (13)
Just choose the No button. You will see Figure (14).

Figure (14)
Click the Procedures tab in Figure (14). You will then see the procedures used by File Recovery Angel. TFrmMain is the procedure for the program's most important part, the Main menu. TFrmAbout is the Form (dialog box) you see when you click the About menu. TFrmRegister is the Registration Form we are looking for. Select TFrmRegister. On the right are the starts of the routines that we could not see at all in Olly. Select ImgRegistereClick. You will see Figure (15).

Figure (15)
VA 00488E34 is the start of the Registration routine. If you scroll down a little, you will see Figure (16).
Figure (16)
Figure (16) is the Bad message you see when you type in a wrong registration key. Study TFrmAbout on your own when you have time. In fact, our work with DeDe was already finished at Figure (14), because we had found the start address of the registration routine. Note VA 00488E34, the start address of the registration routine, press Ctrl+G in Olly and type it in. Figure (17).

Figure (17)
Now you can close DeDe. Once you reach the start of the registration routine as in Figure (17), let's look at where the registration key is checked. Set a breakpoint at VA 00488E34 and try registering again. Figure (18).

Figure (18)
When you choose the Register button in Figure (18), you will arrive at VA 00488E34, where we set the breakpoint. Now press F8 (Step Over) until you reach VA 00488EFA in Figure (19).
Figure (19)
VA 00488EFA in Figure (19) is a routine that generates the registration key. For "Myanmar Cracking Team" in the Registration name field of the Registration form, it generates the required key "CA75FC30F7AD6E7C969032F175560906F79B9EE94E93D2D4302B92" and stores it in EAX. The CALL at VA 00488F13 compares the key in EAX with the "4.10.1979" stored in EDX. If it is correct, it saves "On" under "IsRegister" in the registry. If it is wrong, execution continues, and on reaching VA 00488F3F it compares again to decide whether or not to go to the BadBoy ("Register False!"). By now I think you know what to do next.
Close Olly and open File Recovery Angel on its own. Then choose Register (R) from the Option menu and register. Figure (20).

Figure (20)
When you click the Register button in Figure (20), you will see Figure (21).

Figure (21)
If you choose About from the Help menu, you will see Figure (22). In fact, no matter how many characters you type into the registration name, the File Recovery Angel program does not check more than 12 of them. That is why it shows "Myanmar Crac" instead of "Myanmar Cracking Team".
Figure (22)
What you must remember is that if, without typing in the correct key, you change the JE at VA 00488F46 that goes to the BadBoy into NOP, the registration will succeed only temporarily. That is because when the program starts, it reads Name and Unicodekey from the two registry locations "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Frareg" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unicode" and checks whether they are correct. If you want the details, you can click TFrmMain in Figure (23) and look.

Figure (23)
FormCreate in Figure (23) shows the start virtual address (00491A00) of the actions performed when the Main menu is created. Study it on your own.
This time I want to show a little trick. You will remember that you had to write a keygen in the Teleport Pro 1.61 lesson. Writing the keygen routine is not hard, but writing the remaining parts takes time. As for me, I think writing keygens is very tedious. So I want to show you a little trick that makes the program produce the key by itself, without writing a keygen.

Figure (24)
Look carefully at Figure (24). At VA 00488EFA the serial is generated according to the user name you typed in. This serial is placed in the stack segment. It is then moved from the stack into EAX and compared with the serial you typed in, which is in EDX. If the two serials are not equal, execution goes to the Badboy. Figure (25).

Figure (25)
Look at Figure (25). VA 00489184 copies the text "Register False!" into EAX, and if the comparison of the two serials is unequal, the Badboy message is shown. Figure (26).

Figure (26)
Wouldn't it be nice if, instead of the text "Register False!", it showed the serial belonging to the user name we typed in? ☺☺☺☺☺☺☺☺☺☺
Good, let's try a little to make it show this. At VA 488FFB in Figure (25), change MOV EAX, 489184 to MOV EAX, DWORD PTR SS:[EBP-C] and save the file. (Note: remember I said the real serial is kept temporarily in the stack.) Open the file saved after editing the code and try to register. Figure (27).

Figure (27)
This time let's try registering with the name rhythm.

Figure (28)
When you try to register with the name rhythm, you see Figure (28). ☺☺☺☺☺☺☺

By now I think you have caught on. The key (0415BFA8C..) seen in Figure (28) is the serial key that the program calculated and produced for the user name rhythm. If you note this key and type it in the next time you register, the registration will complete successfully. Figure (29).

Figure (29)
If you click the register button in Figure (29), you will see Figure (30).

Figure (30)
If you choose About from the Help menu, you see Figure (31).

Figure (31)
This time I will explain a method by which a Delphi program can easily be cracked with the help of a Delphi debug file. What is needed for this is SND 2.3, a slightly modified Olly Debugger 2.0, and Interactive Delphi Deconstructor. The chosen target file is Text to Speech Maker 2.6.
INFO: A .map file is a debug file created by Borland Delphi and Borland C++ Builder. Microsoft's debug file is .dbg, and a .map file is not compatible with windbg.exe, Microsoft's debug tool. The debug file created by Visual Studio is a .pdb file. A .map file contains plain text, and this text points to the offsets of the respective functions. The .map file used in this lesson is not a .map file produced by the Delphi compiler but one produced by a decompiler.
In this lesson I will not explain how the target file works and behaves, but only the essentials. Open IDR and choose Load File → Autodetect Version from the File menu. Then choose Text to Speech Maker.exe. You will see Figure (32).

Figure (32)
Choose the Yes button. You will see Figure (33).

Figure (33)
Looking at Figure (33), you can find out the version of the Delphi compiler the target file was written with. It was written with Delphi 7. In addition, you can also find function names and variable names.
If we open our target file in SND 2.3 (Olly Debugger), we see Figure (34).
Figure (34)
You will see that in Figure (34) the function names and variable names are missing. To see function names and variable names in Olly, we need to import a Delphi debug (.map) file. So we will create a .map file from IDR. Choose MAP Generator from IDR's Tools menu and save the Text to Speech Maker.map file. Now you can close IDR. Click the button on SND's toolbar. Figure (35).
Incidentally, IDR is not the only tool that can produce a Delphi debug (.map) file; the IDA Pro disassembler can produce one too. I prefer the .map file produced by IDR. The Delphi versions IDR supports are Delphi 2, Delphi 3, Delphi 4, Delphi 5, Delphi 6, Delphi 7, Delphi 2005, Delphi 2006, Delphi 2007, Delphi 2009, Delphi 2010, DelphiXE1, DelphiXE2 and DelphiXE3.

Figure (35)
Then select the Text to Speech Maker.map file we saved. You will see Figure (36).

Figure (36)
As Figure (36) shows, we have successfully loaded 6469 labels from the Text to Speech Maker.map file into SND Olly, and we can now also see the function names.
Good. Run the program (F9). The registration dialog appears as seen in Figure (37). If we have not bought the program, it will convert only the first 300 characters into a sound file.
Type rhythm in the user name field and 4101979 in the registration code field, then click the OK button.
Figure (37)
Since the registration code we typed is wrong, you will see the badboy message as in Figure (38). Note the text "Invalid user name or registration code".

Figure (38)
Restart the program (Ctrl + F2). Right-click on any code and choose Search for → All reference strings. A Search box will appear. Type "Invalid user name or registration code" there and search. You will see Figure (39).

Figure (39)
Double-click the highlighted place in Figure (39). You will see Figure (40).
Figure (40)
Looking at Figure (40), you will see that VA 4D87CC is the TRegForm.BtnOKClick function. In the previous lesson we would not have seen a function name like this. In addition, you can also see the GetText() and MessageBox() functions. Roughly, the program works like this: it requests the user name at VA 004D87ED and the registration code at VA 004D87FB. These two are processed inside CALL 4DCB9C at VA 004D880D. If you manage to type in the registration code that matches the user name, you reach the Good Guy at VA 004D8825. Because we could not type in the correct registration code, we arrived at the Bad Boy at VA 004D8848.
Set a breakpoint on CALL 4DCB9C at VA 004D880D (F2). Then run the program until it reaches the breakpoint (F9). Press F7 (Step Into) and let's look at how the registration code is checked. Figure (42).
Before checking, an aside: Text To Speech Maker's registration code is encrypted with the RSA (Rivest, Shamir, Adleman) cryptosystem. In cryptography there are two kinds of encryption, Symmetric and Asymmetric. There are various symmetric encryption methods, but in the asymmetric approach there are mainly only three: RSA, DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm). The symmetric method uses a public key, and the asymmetric method uses both a public key and a private key. Using the asymmetric method is secure, but it has the weakness that it can only encrypt 256 bytes. Text To Speech Maker's registration code is encrypted using RSA's public key method.
How do we know that Text To Speech Maker's registration code is encrypted using RSA's public key method? Good. Open the AT4RE team's Hash & Crypto Detector 1.4 and check the Text To Speech Maker program. Figure (41).

Figure (41)
Looking at Figure (41), you will see the names of some RSA functions. You will notice that the function names contain FGInt. FGInt is short for Fast Gigantic Integers, and these functions were created by Walied Othman. So that you can study how the functions work in detail, I have included them on the DVD that comes with the book.
I said above that CALL 4DCB9C in Figure (40) is the function that performs the encryption. We will look at how it encrypts in Figure (42). The 65537 seen at VA 004DCBED is RSA's public key (exponent). According to the RSA Exp Dec function, the RSA exponent value is in decimal. The 1868345906848137 47591218298111 seen at VA 004DCBED is RSA's modulus. The CALL 004D42BC at VA 004DCBF2 is a routine that calls the Base10StringToFGInt function. VA 004D3E94 is the FGIntRSAEncrypt function; it holds our user name as 256 bytes and shows the resulting encrypted registration code as 64 bytes. For this it uses the FGInt ConvertBase256to64 function. In fact, if you set a software breakpoint at VA 004DCC24 and run the program, we can obtain the correct registration code we want. The registration code computed automatically by the program is 0+yJdoyj+eGdp4xR. This code is compared with the registration code we typed in, 4101979, using the LStrCmp function. If the two strings are equal, the value 1 is stored in the BL register, and if they are not equal, the EAX register is set to zero. The program checks whether the AL register value is zero, and if it is zero, shows the Badboy message "Invalid user name or registration code!".
Figure (42)
If you think what has been explained so far is complicated, let's think about a method that computes the registration code easily.

Figure (43)
This time let's try to obtain whatever registration code we like without needing the Olly debugger. So open the Keygener Assistant 2.1 tool released by AT4RE. Then choose Asymmetric → RSA → Encrypt-Decrypt from the Encryption tab and choose the encoding base settings as seen in Figure (43). Once everything is chosen and you click the Encrypt button, the tool computes the registration code value 0+yJdoyj+eGdp4xR. If we change rhythm to Myanmar Cracking Team, the registration code will be aPaF+7ByOCYj0+XVujHcJ9cUJZW0l8Hwni.
For other programs too, Keygener Assistant and Hash & Crypto Detector can easily compute the registration code. As general knowledge, it is worth knowing that for encryption Delphi programmers commonly use the FGInt library, while Assembly programmers commonly use the BigLib and BigNum libraries. How to write a keygen will be discussed in the chapter "Creating advanced keygens".
Chapter (18) - Cracking programs written in Visual Dot.net - 356 -

Chapter (18) - Cracking programs written in Visual Dot.net


This time it is the turn of .net programs for us to try cracking. Cracking .net programs is much easier than cracking other programs written with native APIs, because we can look at the source code the program was written with. Since everything can be seen, down to which functions are called with which data, cracking becomes very easy for crackers. In any case, before cracking, I want you to understand the nature of .net, so I will first explain the basic theory of .net.
(1) What is .net ...
For most programmers, the concepts behind .net are a riddle. .net is one of Microsoft's most popular buzzwords and is used widely across Microsoft products, from ASP.net to Visual Studio.net. In fact, .net programs are not compiled directly into machine code. (Languages like C++ are compiled directly into machine code.) They are compiled into what is called IL, Intermediate Language. If you have had anything to do with Java, the .net Framework is like the Java Virtual Machine. IL can be compared to the bytecode that Java programs are compiled into. Converting to bytecode like this, viewed from the programming point of view, brings many benefits (apart from a drop in execution speed). Java's reason is that by doing so, Java programs can run on different OSes and even on various different processors. Although this is not .net's main purpose, the design approach is the same.
For .net programmers, the main advantage of IL is that the identifiers (class names, function names, variable names) remain in compiled programs. (Note: remember we discussed that when C programs are compiled, the local variable names are lost beyond recovery.) This lets programmers write different parts of a program in different languages.
This point is also the main advantage for crackers. Because .net programs have to present their source as bytecode, the identifiers are kept intact as well. Likewise, since IL is slightly higher-level than real processor code, it can easily be reconstructed as a high-level language. Knowing this, people have been able to create tools that turn .net programs back into the original .net source code. One good tool that can do this was written by Lutz Roeder and is called Reflector.
(2) Tools
Before cracking .net programs, I will discuss the tools we will use. You will not need all of these tools at the same time, but you should have all of them available.
(2.1) Reflector (.net assembly decompiler)
Reflector is a class browser for .net components. This tool can browse the metadata, IL instructions, resources and XML documentation stored in a .net assembly.
http://www.aisto.com/roeder/dotnet/
(2.2) ILDasm (.net assembly decompiler)


The MSIL Disassembler is a companion tool for the MSIL Assembler (Ilasm.exe). ILDasm.exe takes a PE file containing Microsoft intermediate language (MSIL) code and creates a text file suitable as input for Ilasm.exe.
Reflector can decompile a .net assembly into IL code, but it does not show the actual bytes of the IL instructions in the assembly. In ILDasm, you can choose to show the IL instructions as hex values.
For example, look at the BLE instruction. If the first value is less than or equal to the second, it jumps to the specified instruction. (In native code this was like JLE.) If you look in a hex editor, you will see that the actual byte is 3E. If you change the BLE instruction into a BGT instruction, it jumps to the specified instruction when the first value is greater than the second. It is represented by 3D. If you want to modify this place, you go to the hex editor and change 3E to 3D.
Good, let's look at a procedure examined with ILDasm.
.method public specialname instance class Scroller.Scroller/Title
get_Titles(object Index) cil managed
// SIG: 20 01 12 0C 1C
{
// Method begins at RVA 0xcd7c
// Code size 23 (0x17)
.maxstack 2
.locals init (class Scroller.Scroller/Title V_0)
IL_0000: /* 02 | */ ldarg.0
IL_0001: /* 7B | (04)00000D */ ldfld
IL_0006: /* 03 | */ ldarg.1
IL_0007: /* 28 | (0A)00005C */ call object
IL_000c: /* 6F | (0A)00005D */ callvirt instance object
IL_0011: /* 74 | (02)000003 */ castclass Scroller.Scroller/Title
IL_0016: /* 2A | */ ret
} // end of method Scroller::get_Titles
This is some of the code from the IL.
IL_0000 : the line number.
02 : the actual bytes of the IL instruction on that line.
ldarg.0 : the IL instruction.
'gawGudkem;rvnfvdkY pdwfrysufygeJY/ aemufydkif;rSm tao;pdwfaqG;aEG;ay;ygr,f/
Byte awG? IL instruction awGjrif&wJh tm;omcsufuawmh CALL wpfckudk NOP ay;csifwmyJ
jzpfjzpf? udk,f patch vkyfcsifwJah e&mudk jyifcsifwmyJjzpfjzpf tvG,fwuljyKjyifvkd&Y ygw,f/ Offset udkwGuf
csufzdYk RVA udktoHk;jyK&rSmjzpfygw,f/
Ildasm uawmh Visual Studio 200x udk install vkyfwhJtcgrSm wcgwnf;ygvmwmjzpfwJhtwGuf
oD;oefU download vkyfp&mrvdkygbl;/
(2.3) WinHex (Hex editor)
b,f hex editor udkrqdk toHk;jyKEdkifayr,fh WinHex udkawmh tBudKufqHk;jzpfaevdkYyg/

http://www.x-ways.com/
(2.4) CFF Explorer (General PE File Explorer)
A pretty good tool for viewing the contents of any PE file, including the metadata tables and resources inside an assembly.
http://www.ntcore.com
(2.5) SNS Remover (Strong Name Signature Remover)
Some .net assemblies are signed with a digital signature when they are created, to prevent tampering and modification. If you change any byte in a strongly named assembly, the .net runtime will refuse to start it. Our SNS Remover tool, however, can remove the signature field from a signed assembly. It should be said that our CFF Explorer can also remove the Strong Name signature from a .net assembly and rebuild the PE file. Figure (1). But I prefer this little tool.

Figure (1)
http://www.pmode.com
(2.6) PEBrowse Professional (Disassembler/Debugger)
A debugger/disassembler that can disassemble and debug .net assemblies. It can display the IL instructions together with their actual bytes. In addition, it can break on any JIT compiler event. With this debugger you can trace .net IL instructions and find out what is going on behind the scenes.
http://www.smidgeonsoft.com
(2.7) .Net Generic Unpacker (.Net assembly Unpacker)
You will need this tool when you dump .net assembly PE files. Some .net protection software, such as .Net Reactor, packs your program's .net assembly and produces a PE file that is not MSIL. The file's assemblies are only unpacked again when it runs in memory. This technique is used to protect the code of the original assembly from being obtained. But you can get around it with the simple .net generic unpacker.
http://www.ntcore.com
Finally, because Reflector sometimes cannot decompile certain procedures or functions into the language of your choice (C#, VB, Delphi), you need to be familiar with IL instructions. Compared with learning Assembly language to crack native code, IL code is easier to learn and quicker to understand.

(3) Opcode
This is the most important point in cracking. As you have seen, .net applications express their program instructions in MSIL form, so compiling in Visual Studio does not turn your source code into native machine code. It is only converted to native code when it is compiled by the JIT compiler. JIT stands for just-in-time compiler: it converts some parts of your program to native code and executes them when they are needed.
Let's study a line of code produced by Ildasm.
IL_0000: /* 02 | */ ldarg.0
(line number) (actual byte(s)) (IL instruction)
An opcode is the encoding of a Microsoft Intermediate Language (MSIL) instruction. If you understood the earlier chapters thoroughly, you already know what the following instructions mean:
JMP JNE JLE NOP CALL etc. ...
MSIL opcodes are not the same as the native opcodes designed for Intel processors. For example, in a native code program, if you know the offset of a CALL and want to keep that CALL from executing, you open the program in a hex editor and replace it with the byte 90, which stands for NOP (No OPeration).
In MSIL, 00 is used instead of 90. Because this is an important point, I have listed the opcodes you need for MSIL. You will not need all of these opcodes to crack .net programs. Most of the time you will use NOP and the jump instructions to get past unregistered states.
So that the opcodes are better understood, I have left them in the original English without translation. I will translate as needed when we actually crack programs. To keep it from getting too long, only the commonly used opcodes are listed.
Opcode        Actual bytes   Meaning
And           5F             Computes the bitwise AND of two values and pushes the result onto the evaluation stack.
Beq           3B             Transfers control to a target instruction if two values are equal.
Beq_S         2E             Transfers control to a target instruction (short form) if two values are equal.
Bge           3C             Transfers control to a target instruction if the first value is greater than or equal to the second value.
Bge_S         2F             Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value.
Bge_Un        41             Transfers control to a target instruction if the first value is greater than or equal to the second value, when comparing unsigned integer values or unordered float values.
Bge_Un_S      34             Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value, when comparing unsigned integer values or unordered float values.
Bgt           3D             Transfers control to a target instruction if the first value is greater than the second value.
Bgt_S         30             Transfers control to a target instruction (short form) if the first value is greater than the second value.
Bgt_Un        42             Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt_Un_S      35             Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Ble           3E             Transfers control to a target instruction if the first value is less than or equal to the second value.
Ble_S         31             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value.
Ble_Un        43             Transfers control to a target instruction if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Ble_Un_S      36             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Blt           3F             Transfers control to a target instruction if the first value is less than the second value.
Blt_S         32             Transfers control to a target instruction (short form) if the first value is less than the second value.
Blt_Un        44             Transfers control to a target instruction if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Blt_Un_S      37             Transfers control to a target instruction (short form) if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Bne_Un        40             Transfers control to a target instruction when two unsigned integer values or unordered float values are not equal.
Bne_Un_S      33             Transfers control to a target instruction (short form) when two unsigned integer values or unordered float values are not equal.
Br            38             Unconditionally transfers control to a target instruction.
Brfalse       39             Transfers control to a target instruction if value is false, a null reference (Nothing in Visual Basic), or zero.
Brfalse_S     2C             Transfers control to a target instruction (short form) if value is false, a null reference, or zero.
Brtrue        3A             Transfers control to a target instruction if value is true, not null, or nonzero.
Brtrue_S      2D             Transfers control to a target instruction (short form) if value is true, not null, or nonzero.
Br_S          2B             Unconditionally transfers control to a target instruction (short form).
Call          28             Calls the method indicated by the passed method descriptor.
Clt           FE 04          Compares two values. If the first value is less than the second, the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Clt_Un        FE 03          Compares the unsigned or unordered values value1 and value2. If value1 is less than value2, then the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Jmp           27             Exits the current method and jumps to the specified method.
Ldarg         FE 09          Loads an argument (referenced by a specified index value) onto the stack.
Ldarga        FE 0A          Loads an argument address onto the evaluation stack.
Ldarga_S      0F             Loads an argument address, in short form, onto the evaluation stack.
Ldarg_0       02             Loads the argument at index 0 onto the evaluation stack.
Ldarg_1       03             Loads the argument at index 1 onto the evaluation stack.
Ldarg_2       04             Loads the argument at index 2 onto the evaluation stack.
Ldarg_3       05             Loads the argument at index 3 onto the evaluation stack.
Ldarg_S       0E             Loads the argument (referenced by a specified short form index) onto the evaluation stack.
Ldc_I4        20             Pushes a supplied value of type int32 onto the evaluation stack as an int32.
Ldc_I4_0      16             Pushes the integer value of 0 onto the evaluation stack as an int32.
Ldc_I4_1      17             Pushes the integer value of 1 onto the evaluation stack as an int32.
Ldc_I4_2      18             Pushes the integer value of 2 onto the evaluation stack as an int32.
Ldc_I4_3      19             Pushes the integer value of 3 onto the evaluation stack as an int32.
Ldc_I4_4      1A             Pushes the integer value of 4 onto the evaluation stack as an int32.
Ldc_I4_5      1B             Pushes the integer value of 5 onto the evaluation stack as an int32.
Ldc_I4_6      1C             Pushes the integer value of 6 onto the evaluation stack as an int32.
Ldc_I4_7      1D             Pushes the integer value of 7 onto the evaluation stack as an int32.
Ldc_I4_8      1E             Pushes the integer value of 8 onto the evaluation stack as an int32.
Ldc_I4_M1     15             Pushes the integer value of -1 onto the evaluation stack as an int32.
Ldc_I4_S      1F             Pushes the supplied int8 value onto the evaluation stack as an int32, short form.
Ldstr         72             Pushes a new object reference to a string literal stored in the metadata.
Leave         DD             Exits a protected region of code, unconditionally transferring control to a specific target instruction.
Leave_S       DE             Exits a protected region of code, unconditionally transferring control to a target instruction (short form).
Mul           5A             Multiplies two values and pushes the result on the evaluation stack.
Mul_Ovf       D8             Multiplies two integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Mul_Ovf_Un    D9             Multiplies two unsigned integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Neg           65             Negates a value and pushes the result onto the evaluation stack.
Newobj        73             Creates a new object or a new instance of a value type, pushing an object reference (type O) onto the evaluation stack.
Nop           00             Fills space if opcodes are patched. No meaningful operation is performed although a processing cycle can be consumed.
Not           66             Computes the bitwise complement of the integer value on top of the stack and pushes the result onto the evaluation stack as the same type.
Or            60             Computes the bitwise OR of the two integer values on top of the stack and pushes the result onto the evaluation stack.
Pop           26             Removes the value currently on top of the evaluation stack.
Rem           5D             Divides two values and pushes the remainder onto the evaluation stack.
Rem_Un        5E             Divides two unsigned values and pushes the remainder onto the evaluation stack.
Ret           2A             Returns from the current method, pushing a return value (if present) from the callee's evaluation stack onto the caller's evaluation stack.
Rethrow       FE 1A          Rethrows the current exception.
Stind_I1      52             Stores a value of type int8 at a supplied address.
Stind_I2      53             Stores a value of type int16 at a supplied address.
Stind_I4      54             Stores a value of type int32 at a supplied address.
Stloc         FE 0E          Pops the current value from the top of the evaluation stack and stores it in the local variable list at a specified index.
Sub           59             Subtracts one value from another and pushes the result onto the evaluation stack.
Sub_Ovf       DA             Subtracts one integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Sub_Ovf_Un    DB             Subtracts one unsigned integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Switch        45             Implements a jump table.
Throw         7A             Throws the exception object currently on the evaluation stack.
Xor           61             Computes the bitwise XOR of the top two values on the evaluation stack, pushing the result onto the evaluation stack.

The obstacles you will run into when cracking any assembly are the following. I will only describe them briefly here; if you want the details, search Google.
(a) Obfuscation
This is the process of turning method and class names, such as the IsLicensed function, into unreadable characters so that we cannot find them. Obfuscation can make things harder for you, but tracing through obfuscated code is not all that difficult. The answer is to set bookmarks in Reflector, or to keep notes on a blank sheet of paper. Cracking requires patience. Without patience you will not be able to crack.
(b) Encoded Strings
This one is quite bad. Previously, when we looked for strings in Olly, we could find them through Search. Through these strings we look at how the functions (CALLs) work. Here you will not see strings such as "Invalid Serial Number". The most common way to hide strings is to encode them and store the encoded stream as a binary .net resource. Whenever one of the strings is needed, a function is called to fetch it from the encoded stream. The weakness of this approach is that the decoding routine has to be fast so that the program still runs quickly. So the scheme cannot be much slower than using the strings without decoding, or than running with no strings at all. Most decoding functions use byte shifting and rearrange the bytes to decode the strings. That makes them easy to decode. Once you find the decoder (the decoding function) you can recover the strings, and you could even write your own decoder. Later I will show how to crack the decoding functions used in commercial software.
(c) Strong Name Signature
A digital signature serves to authenticate digital documents, text and data, and prevents the information from being tampered with. Public key cryptography is used to create a digital signature. To create the signature, a 160-bit hash value is first computed and signed. It is then encrypted with a specific private key. Anyone who holds the public key belonging to that private key can use it to authenticate the information about the author and to confirm that the data has not been altered.
This is one of the methods used to protect .net assemblies from being modified. When an exe created with .net is run, the program checks for a strong name signature. If one is present, it verifies the digital signature, and if the verification fails it knows the assembly has been modified and refuses to run the program.
You can find detailed information on how strong name signatures work on the internet.
(4) Finding the Entry Point Method (EPM)
The Entrypoint Method is the first method called when a .net application starts, and being able to view it in Reflector or Ildasm is important. In an ordinary .net application it looks like this:
Public Shared Sub Main()
Application.Run (New MainForm)
End Sub
The importance of this method is that you can trace the program's actions from the moment the program starts right up to the routine that performs registration.
A further benefit of this method is that you can examine the MainForm class that the application to be cracked uses as its main form. If you look carefully at Application.Run, you will see the arguments that go into and come out of this function, and their values.
To find the Entrypoint RawData offset, you need to:
1. Open the program to be cracked in CFF Explorer.
2. Go to the .NET directory node.
3. Among the values shown in the grid, find the EntrypointToken row.
4. Look at the value in the last column of that row. This value is a DWORD and leads us to the entrypoint method.
Here let's assume the token value is 06000028. The token value may look strange to you. It is a DWORD value that identifies a table and an index into that table. That is, it points to a table and to a row within that table. For example, suppose our token value is 06000028:
06 000028
Table index  Row index in that table
The table we are talking about here is the Methods table. In CFF Explorer you can view it in the Tables node under the Metadata Streams node. Once at the Tables node, find the Method table as in Figure (2).

Figure (2)
Expand the Method table and find index 40 (28h). You will see Figure (3).

Figure (3)
Selecting the position shown in Figure (3) lets you view the information for this method. What interests us most here is the first row, which shows the method's RVA. Reading the value in the last column gives 0x4974.
(5) Finding the file offset of the EPM with CFF Explorer
A .net PE file has three sections: .text, .reloc and .rsrc. The .text section contains the Import Table, the Import Address Table and the .Net Section. Let's assume a .net PE file with the following values:
ImageBase of the .net PE file        0x400000
.text section virtual address        0x002000
.text section Raw address            0x000200
EntryPoint Method VA                 0x004974
When this file is loaded into memory, what we see is:
0x400000      0x402000      0x404974   <- RVA
ImageBase > > > .text > > > EP_Method
0x0           0x2000        0x4974     <- VA
So when the file is laid out in memory, the .text section is found 0x2000 bytes from the ImageBase, and the Method data is found 0x4974 bytes from the ImageBase.

OK, let's calculate the offset needed to find ep_method inside the .text section.

Offset = [EP_Method VA] – [.text section VA]
       = 0x4974 – 0x2000
       = 0x2974
So the method data starts at 0x2974 within the .text section data. If we use the .text section RawData Offset, we can calculate the RawData Offset of the method in the same way.
Method RawData Offset = .text section RawData Offset + 0x2974
                      = 0x200 + 0x2974
                      = 2B74
So the Method Offset within the file is 2B74.
Right-click the position shown in Figure (3) and choose Disassemble Method; you will see Figure (4).

Figure (4)
In its simplest form:
EPM File Offset = [EntryPoint VA] – [Section.txt VA] + [Section.txt RawAddress]
All three of these values can be read from CFF Explorer. CFF Explorer also includes an Address converter, so once you have an RVA value you can calculate the file offset of any Method.
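The token decoding of section (4) and the offset arithmetic of section (5) written as reusable functions, as an added example (not code from the book or from CFF Explorer). The section table is constructed from the chapter's sample values; the section sizes, the function names and the `Section` class are assumptions, and the table numbers come from the ECMA-335 metadata table ids. The offset function goes beyond the single .text case in the text: it walks every section and refuses RVAs that have no bytes on disk, which is the check that keeps an offset calculation from silently landing in the wrong place.

```python
# Added example (not from the book): metadata token decoding and RVA -> file
# offset conversion for a .net PE, generalised to any section table.
from __future__ import annotations
from dataclasses import dataclass

# Metadata table ids (ECMA-335); only the tables a token in this chapter can name.
METADATA_TABLES = {0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # VirtualAddress field: RVA where the section starts
    virtual_size: int      # VirtualSize field: bytes occupied in memory
    raw_address: int       # PointerToRawData field: offset of the section in the file
    raw_size: int          # SizeOfRawData field: bytes actually stored on disk


def decode_token(token: int) -> tuple[str, int]:
    """Split a metadata token into (table name, 1-based row index).
    0x06000028 -> ("MethodDef", 40): the high byte selects the table,
    the low three bytes the row."""
    table_id, row = token >> 24, token & 0x00FFFFFF
    if table_id not in METADATA_TABLES:
        raise ValueError(f"unsupported table id 0x{table_id:02X}")
    if row == 0:
        raise ValueError("row index 0 is a null token, not a method")
    return METADATA_TABLES[table_id], row


def rva_to_file_offset(sections: list[Section], rva: int) -> int:
    """offset = rva - section.VirtualAddress + section.PointerToRawData.
    Raises if the RVA is outside every section, or inside a section's
    memory-only tail (VirtualSize larger than SizeOfRawData)."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError(f"RVA 0x{rva:X} is in {s.name} but has no bytes on disk")
            return s.raw_address + delta
    raise ValueError(f"RVA 0x{rva:X} is not inside any section")


# Constructed section table mirroring the chapter's sample (sizes are assumed).
SAMPLE_SECTIONS = [
    Section(".text",  0x2000, 0x3000, 0x0200, 0x3000),
    Section(".rsrc",  0x6000, 0x0600, 0x3200, 0x0600),
    Section(".reloc", 0x8000, 0x000C, 0x3800, 0x0200),
]


def epm_file_offset(entrypoint_token: int, method_rva: int,
                    sections: list[Section] = SAMPLE_SECTIONS) -> int:
    """Both steps together: confirm the token names a MethodDef row, then turn the
    RVA read from that row into the file offset of the method header."""
    table, _row = decode_token(entrypoint_token)
    if table != "MethodDef":
        raise ValueError(f"entry point token must name a MethodDef row, got {table}")
    return rva_to_file_offset(sections, method_rva)


if __name__ == "__main__":
    print(decode_token(0x06000028))                  # ('MethodDef', 40)
    print(hex(epm_file_offset(0x06000028, 0x4974)))  # 0x2b74
```

With the chapter's values the result is 0x2B74, the same number the hand calculation above arrives at; the same function answers for an RVA in .rsrc or .reloc, where the .text-only formula would give a wrong offset.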
(6) Finding the Entry Point Method (EPM) with Ildasm
This is an easy job: you need to know the actual byte sequence from the Entrypoint Method disassembly. The technique works for any Method, not only the EPM:

.method public hidebysig static void Main() cil managed


// SIG: 00 00 01
{
.entrypoint
.custom instance void
[mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Method begins at RVA 0x4974
// Code size 26 (0x1a)
.maxstack 8
IL_0000: /* 00 | */ nop
IL_0001: /* 28 | (0A)000078 */ call void
IL_0006: /* 00 | */ nop
IL_0007: /* 16 | */ ldc.i4.0
IL_0008: /* 28 | (0A) 000079 */ call void
IL_000d: /* 00 | */ nop
IL_000e: /* 73 | (06) 00003D */ newobj instance
IL_0013: /* 28 | (0A) 00007A */ call void
IL_0018: /* 00 | */ nop
IL_0019: /* 2A | */ ret
} // end of method Form1::Main

This is the disassembly of the EntryPoint Method taken from a simple .net application, and it shows the IL instructions of that Method. Search for the following byte sequences in a hex editor:
IL_0001 287800000A
IL_0008 287900000A
So the HEX sequence to search for is 00 28 78 00 00 0A 00 16 28 79 00 00 0A. Normally a search of about 10 bytes is enough to find the correct offset. Figure (5) shows the HEX sequence being searched in WinHex.

Figure (5)
This takes you to the first offset of the actual code bytes. With the previous method, the offset you reached was the Method Header byte that precedes the Code bytes. The structure of a .net Method is shown in Figure (6).

Figure (6)
The first method takes you to the position marked >, and if you want to reach the first byte of the code you have to add the header size value of 1 (it is not always 1). That is why the answer we calculated came out as 2B74 instead of 2B75.
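The one-byte difference between the two methods above, reproduced in code as an added example (not code from the book). The method body bytes are constructed from the Main() disassembly in this section and padded with zeros so the sample runs offline; the function names and the layout of the constructed file are assumptions. Besides the tiny header the text describes, the parser also handles the 12-byte fat header, and it refuses a search pattern that matches more than once, which is the case where a short pattern would point at the wrong method.

```python
# Added example (not from the book): from a hex-search hit back to the method
# header, with the CIL tiny/fat header formats decoded from the bytes.
import re

TINY = 0x2   # low two bits of the first header byte for a tiny (1-byte) header
FAT = 0x3    # low two bits of the first header byte for a fat (12-byte) header


def parse_method_header(data: bytes, header_offset: int):
    """Return (header_size, code_size) for the CIL method header at header_offset.
    Tiny header: one byte, code size in the upper six bits. Fat header: upper
    nibble of the second byte is the header size in DWORDs, code size is the
    little-endian DWORD at bytes 4..7."""
    flags = data[header_offset] & 0x3
    if flags == TINY:
        return 1, data[header_offset] >> 2
    if flags == FAT:
        header_size = (data[header_offset + 1] >> 4) * 4
        code_size = int.from_bytes(data[header_offset + 4:header_offset + 8], "little")
        return header_size, code_size
    raise ValueError(f"no method header at 0x{header_offset:X}")


def find_il_pattern(data: bytes, pattern: bytes):
    """Every file offset at which the byte pattern occurs. More than one hit means
    the pattern is too short to identify the method and must be lengthened."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def locate_method(data: bytes, pattern: bytes) -> dict:
    """Find the unique hit for the pattern, then step back over the header that
    must precede it, trying the tiny (1 byte) and fat (12 byte) layouts."""
    hits = find_il_pattern(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hit, found {len(hits)}")
    code_offset = hits[0]
    for guess in (1, 12):
        header_offset = code_offset - guess
        if header_offset < 0:
            continue
        try:
            header_size, code_size = parse_method_header(data, header_offset)
        except ValueError:
            continue
        if header_size == guess:
            return {"header_offset": header_offset, "code_offset": code_offset,
                    "header_size": header_size, "code_size": code_size}
    raise ValueError("pattern does not start a method body")


# Constructed sample: the 26 IL bytes of Main() from the disassembly above, behind a
# tiny header (26 << 2 | 2 = 0x6A), placed at 0x2B74 as computed in section (5).
MAIN_IL = bytes.fromhex("00 28 78 00 00 0A 00 16 28 79 00 00 0A 00 73 3D 00 00 06 28 7A 00 00 0A 00 2A")
SAMPLE_FILE = bytes(0x2B74) + bytes([(len(MAIN_IL) << 2) | TINY]) + MAIN_IL + bytes(0x100)
# The 13-byte search string the text uses.
MAIN_PATTERN = bytes.fromhex("00 28 78 00 00 0A 00 16 28 79 00 00 0A")

if __name__ == "__main__":
    print(locate_method(SAMPLE_FILE, MAIN_PATTERN))
    # {'header_offset': 11124, 'code_offset': 11125, 'header_size': 1, 'code_size': 26}
```

11124 is 0x2B74 and 11125 is 0x2B75: the search lands on the code, the RVA calculation lands on the header, and the header byte itself tells you how far apart the two are.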

(7) Finding the Entry Point Method node in the Ildasm tree

Do you want to see the decompilation of the Entrypoint Method? Once you know the EntryPoint Method RVA from CFF Explorer, it is time to look at its code.
For this you can use either ILDasm or Reflector. But remember that ILDasm can only show the decompilation of .net Methods in IL form. If you are lucky, Reflector will decompile the EntryPoint Method code into the .net language of your choice. Otherwise you will have to rely on ILDasm to analyze the code.
Both ILDasm and Reflector can show assemblies as a tree view. But only ILDasm tells you the RVA value of every Method you decompile.
Let's look at some code examined with ILDasm.
.method public hidebysig static void Main() cil managed
// SIG: 00 00 01
{
.entrypoint
.custom instance void
[mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Method begins at RVA 0x4974
// Code size 26 (0x1a)
.maxstack 8
IL_0000: /* 00 | */ nop
IL_0001: /* 28 | (0A)000078 */ call void
IL_0006: /* 00 | */ nop
IL_0007: /* 16 | */ ldc.i4.0
IL_0008: /* 28 | (0A) 000079 */ call void
IL_000d: /* 00 | */ nop
IL_000e: /* 73 | (06) 00003D */ newobj instance
IL_0013: /* 28 | (0A) 00007A */ call void
IL_0018: /* 00 | */ nop
IL_0019: /* 2A | */ ret
} // end of method Form1::Main

Most of the time you will be looking at obfuscated code and will not be able to tell which node in ILDasm is the EntryPoint Method. With hundreds or thousands of nodes it becomes even harder to find.
You already know the EntryPoint Method RVA from CFF Explorer. Now let's find the EntryPoint Method node. In ILDasm, decompile some Method in any class and look at its RVA value. If this value is larger than the EPM RVA, look at a higher-level node. The further up the tree you go, the smaller the RVA value of the Method. Searching this way for a minute or two, you will find the EntryPoint Method node in ILDasm. (Note: when searching this way, take care that Sort by name in ILDasm's View menu is not selected.)

(8) Using the Entry Point Method (EPM) with the PEBrowse Debugger

Once you know the EntryPoint token of the application to be cracked from CFF Explorer, you can use that token to find the EntryPoint Method in PEBrowse. By placing a breakpoint at the moment the JIT compiler compiles the EPM, you can break into the .net application. To do this you need to:
(1) Open the application to be cracked in PEBrowse. Wait until all libraries and modules have been loaded.
(2) PEBrowse will stop shortly before the EPM is called. This is the best moment to find the node and set a breakpoint on it.
(3) When the application is loaded, the .net modules among the modules are shown with red icons. Figure (7). If you look at the Methods node, you will see the classes with their respective Methods.
(4) Next to the name of every Method you will see its token. For example, the token of button1_Click is 06000005.
(5) Since you already know the EPM from CFF Explorer, you can find the correct node here. Just as with the RVAs in ILDasm, the token value increases as you go down the tree.
(6) When you find the correct node, simply right-click it and choose the "Add Breakpoint" menu item.

Figure (7)
(9) Patching basics
This time let's look at patching .net applications. The program chosen for patching is Dot_Net_ReverseMe_2.exe. You can download it from the download section of www.tuts4you.com. (It does not matter if you do not have this little program. What matters is following the explanation.) First, let's check the program to be patched with PEiD. Figure (8).

Figure (8)
The program is definitely written in a .net language. OK, when you run the program you see Figure (9).

Figure (9)
Going by Figure (9) there is nothing for us to do, because there is no textbox to type a serial into and no button to check whether the serial is correct. So open the program in Reflector to look at the code. Figure (10).

Figure (10)
Now we find some interesting things. One of them is a boolean named IsRegistered. Another is the CheckReg() function. Double-click CheckReg() to open it and you will see that our suspicion is correct. Figure (11).

Figure (11)
Now I will explain .ctor(). In C++, Java, C# or any other OOP (Object Oriented Programming) language, a class has a constructor that initializes the values of its class members. In .net the class constructor is not given a name of its own; it is simply called .ctor(), short for Constructor. The IsRegistered member variable decides whether the program is registered or not. What gives us our opportunity is that the registered/unregistered state is initialized in the constructor. OK, let's open .ctor() and have a look. Figure (12).

Figure (12)
What actually makes our program unregistered is the statement this.IsRegistered = false; in .ctor(). If we could change false to true here ... ☺☺☺
The decompiled code we are looking at is in C#. Let's look at Figure (12) in MSIL. Figure (13).

Figure (13)
Figure (13) is the direct translation of the bytecode. If you want to patch .net programs, you have to look at them as IL. In fact, .net can be called a stack machine, because it does its work on a stack rather than in registers. For example, to move a value from A to B, the value from A is PUSHed onto the stack and then POPped from the stack into B. Other systems would move directly from A to B, or use a register for temporary storage.
To understand Figure (13) properly you need to understand IL opcodes. Looking at Figure (13), you can see that the stack is used heavily for these two lines of code. The single line this.IsRegistered = false; alone is translated into about three stack-related lines, shown below.
L_0000: ldarg.0
L_0001: ldc.i4.0
L_0002: stfld bool Dot_Net_ReverseMe_2.frmMain::IsRegistered
Translating these IL instructions with the help of the IL reference ...
ldarg.0 Loads argument 0 onto the stack.
ldc.i4.0 Pushes 0 onto the stack as an I4.
stfld Replaces the value of a field of the object obj with val.
Written out as Object-Oriented pseudo code this amounts to (arg0).IsRegistered = 0;. To put it into the registered state, it should be rewritten as (arg0).IsRegistered = 1;. In other words, the second instruction should be changed to ldc.i4.1.
This is cracking at its most basic. Look at the bytecode of ldc.i4.0: it is 0x16. The bytecode of ldc.i4.1 is 0x17. So we know what to replace. Reflector only shows us the code; it does not show the address of the byte we want to change. I have not yet come across a tool that shows the virtual address of such bytes/instructions. So instead of looking at .ctor() in Reflector, let's switch to ILDasm. Figure (14).

Figure (14)
We have already studied how to find the offset of a Method. Here, rather than computing the offset with the formula, I will simply type the hex byte sequence 02 16 7D 06 00 00 04 02 28 0E 00 00 0A into a hex editor and search for it. Figure (15).

Figure (15)
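A small decoder for the IL opcodes listed in section (3), run over the .ctor() byte sequence the text searches for, as an added example (not code from the book, ILDasm or Reflector). It recovers the offset, bytes and mnemonic of every instruction, which is the information Reflector hides, and the last function is the check a developer can run over a shipped file to confirm that the constructor still stores the expected constant into a field, so that an altered byte in a signed-off build is noticed. The opcode subset, the function names and the sample bytes are taken from this chapter; the operand sizes and the metadata table ids follow ECMA-335; `stfld` (0x7D) is not in the chapter's table but appears in its byte sequence.

```python
# Added example (not from the book): decoder for the chapter's IL opcode subset,
# plus an integrity check on the constant a constructor stores into a field.
import struct

# Operand kinds: none, int8, int16, int32, token (4-byte metadata token),
# br8/br32 (signed branch displacement relative to the next instruction).
ONE_BYTE = {
    0x00: ("nop", "none"), 0x02: ("ldarg.0", "none"), 0x03: ("ldarg.1", "none"),
    0x04: ("ldarg.2", "none"), 0x05: ("ldarg.3", "none"), 0x0E: ("ldarg.s", "int8"),
    0x0F: ("ldarga.s", "int8"), 0x15: ("ldc.i4.m1", "none"),
    **{0x16 + i: (f"ldc.i4.{i}", "none") for i in range(9)},
    0x1F: ("ldc.i4.s", "int8"), 0x20: ("ldc.i4", "int32"), 0x26: ("pop", "none"),
    0x28: ("call", "token"), 0x2A: ("ret", "none"), 0x2B: ("br.s", "br8"),
    0x2C: ("brfalse.s", "br8"), 0x2D: ("brtrue.s", "br8"), 0x2E: ("beq.s", "br8"),
    0x2F: ("bge.s", "br8"), 0x30: ("bgt.s", "br8"), 0x31: ("ble.s", "br8"),
    0x32: ("blt.s", "br8"), 0x33: ("bne.un.s", "br8"), 0x34: ("bge.un.s", "br8"),
    0x35: ("bgt.un.s", "br8"), 0x36: ("ble.un.s", "br8"), 0x37: ("blt.un.s", "br8"),
    0x38: ("br", "br32"), 0x39: ("brfalse", "br32"), 0x3A: ("brtrue", "br32"),
    0x3B: ("beq", "br32"), 0x3C: ("bge", "br32"), 0x3D: ("bgt", "br32"),
    0x3E: ("ble", "br32"), 0x3F: ("blt", "br32"), 0x40: ("bne.un", "br32"),
    0x41: ("bge.un", "br32"), 0x42: ("bgt.un", "br32"), 0x43: ("ble.un", "br32"),
    0x44: ("blt.un", "br32"), 0x5F: ("and", "none"), 0x60: ("or", "none"),
    0x61: ("xor", "none"), 0x6F: ("callvirt", "token"), 0x72: ("ldstr", "token"),
    0x73: ("newobj", "token"), 0x74: ("castclass", "token"),
    0x7B: ("ldfld", "token"), 0x7D: ("stfld", "token"),
}
TWO_BYTE = {  # opcodes behind the 0xFE prefix
    0x03: ("clt.un", "none"), 0x04: ("clt", "none"), 0x09: ("ldarg", "int16"),
    0x0A: ("ldarga", "int16"), 0x0E: ("stloc", "int16"), 0x1A: ("rethrow", "none"),
}
OPERAND_SIZE = {"none": 0, "int8": 1, "br8": 1, "int16": 2, "int32": 4, "br32": 4, "token": 4}
TABLE_NAMES = {0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef", 0x70: "String"}


def decode_il(il: bytes):
    """Return a list of (offset, hex bytes, mnemonic, operand) for the IL bytes."""
    out, pos = [], 0
    while pos < len(il):
        start = pos
        try:
            if il[pos] == 0xFE:
                mnemonic, kind = TWO_BYTE[il[pos + 1]]
                pos += 2
            else:
                mnemonic, kind = ONE_BYTE[il[pos]]
                pos += 1
        except (KeyError, IndexError):
            raise ValueError(f"unsupported opcode at IL_{start:04x}") from None
        size = OPERAND_SIZE[kind]
        raw = il[pos:pos + size]
        if len(raw) != size:
            raise ValueError(f"truncated operand at IL_{start:04x}")
        pos += size
        operand = None
        if kind in ("int8", "br8"):
            operand = struct.unpack("<b", raw)[0]
        elif kind == "int16":
            operand = struct.unpack("<H", raw)[0]
        elif kind in ("int32", "br32"):
            operand = struct.unpack("<i", raw)[0]
        elif kind == "token":
            token = struct.unpack("<I", raw)[0]
            operand = f"{TABLE_NAMES.get(token >> 24, hex(token >> 24))}[{token & 0xFFFFFF}]"
        if kind in ("br8", "br32"):
            operand = f"IL_{pos + operand:04x}"  # target is relative to the next instruction
        out.append((start, il[start:pos].hex(" ").upper(), mnemonic, operand))
    return out


def constant_stored_to_field(il: bytes, field_token: int):
    """(offset of the ldc.i4.* instruction, constant) for the first
    'ldc.i4.* ; stfld <field_token>' pair, or None if no constant is stored."""
    wanted = f"{TABLE_NAMES[field_token >> 24]}[{field_token & 0xFFFFFF}]"
    insns = decode_il(il)
    for prev, cur in zip(insns, insns[1:]):
        if cur[2] == "stfld" and cur[3] == wanted and prev[2].startswith("ldc.i4"):
            value = prev[3] if prev[3] is not None else int(prev[2].rsplit(".", 1)[1].replace("m", "-"))
            return prev[0], value
    return None


# The .ctor() bytes the text searches for (constructed from the hex sequence above).
CTOR_IL = bytes.fromhex("02 16 7D 06 00 00 04 02 28 0E 00 00 0A")

if __name__ == "__main__":
    for offset, raw, mnemonic, operand in decode_il(CTOR_IL):
        print(f"IL_{offset:04x}: {raw:<16} {mnemonic} {operand or ''}")
    print(constant_stored_to_field(CTOR_IL, 0x04000006))  # (1, 0): IsRegistered = false
```

The decoder shows the store at IL_0002 targeting row 6 of the Field table and the base-constructor call at IL_0008 targeting row 14 of MemberRef; a build that was expected to initialise the field to 0 but reports 1 from `constant_stored_to_field` has had its bytes changed, which is exactly the modification a strong name signature is meant to reveal.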
You can use whichever hex editor you like. The one I am using here is WinHex 15.2. Type in the sequence as in Figure (15) and search, and you will see Figure (16).

Figure (16)

Going by Figure (16), the offset at which .ctor() starts is 0x105C. If you want to be more certain, you can check it in CFF Explorer. Change the 16 at the position shown in Figure (16) to 17 and save the file. Opening the saved file shows Figure (17).

Figure (17)
So our registration has succeeded. If you want to know where CheckReg() is called from, right-click the CheckReg() function in Reflector and choose Callee Graph (Ctrl+E). Figure (18).

Figure (18)
Looking at the .ctor() of the patched and saved file in Reflector shows Figure (19).

Figure (19)
(10) Unpacking a .net file packed with NsPack
Normally Olly is used to unpack ordinary packed 32-bit PE files. This time we will unpack a .net file with Olly. The program chosen for unpacking is UnPackMe_NsPack3.6.exe, a file packed with NsPack.


Open the program. Figure (20).

Figure (20)
Checking it with PEiD gives Figure (21).

Figure (21)
Good; open the program in Olly. Figure (22).

Figure (22)
As Figure (22) shows, the exe does not break at the OEP; the program simply runs. What should we do? My suggestion is to look for the unpacked code in memory. So search for a known string from the program's resources.
Names worth searching for are button names, window captions and messagebox text. Here we will search for the button1 seen in Figure (20). Because such strings are stored in exe/DLL files in Unicode (UTF-16) form, press Alt+M and search for the text button1 as Unicode. Figure (23).

Figure (23)
Typing it in as in Figure (23) and searching gives Figure (24).

Figure (24)
Viewing Figure (24) as Text Unicode (64 chars) gives Figure (25).

Figure (25)
Note that the virtual addresses seen in Figures (24, 25) will not be the same as the numbers on your computer. Also, where we are now is not the resource section. So press Alt+M again and continue the search with Ctrl+L. Figure (26).

Figure (26)

In Figure (26) we find another button1. Do you notice _CorExeMain? That is the one import (from mscoree.dll) that only .net executables have. Viewing it as Unicode gives Figure (27).

Figure (27)
Per Figure (27), we have certainly landed in the resource section.

Figure (28)
Good; switch Figure (27) back to HEX view and scroll up a little, and you will find the PE header, as seen in Figure (28).

Figure (29)
Note the virtual address where MZ sits in Figure (28) (00CD0000), choose Dump Region in LordPE and press the Dump button. Unpacking is then complete. Checking the dumped file Region00CD0000-00CD2000.exe with PEiD shows that it was written in Microsoft .net. (A region dump is a memory image: if the dump refuses to load, set each section's raw offset and raw size equal to its virtual address and virtual size in a PE editor, because the sections now sit at their in-memory positions.)

(11) Serial fishing from a .net program

This time we study serial fishing in .net. Patching bytes is not always workable: for programs that check in many different ways, and repeatedly, whether they are properly registered, patching is a poor fit. That is why we turn to serial fishing. The program needed for this lesson is Crackme1.exe, which can be downloaded from www.accessroot.com.
Because we already know this program was written in Visual Dot.net, we skip the PEiD check. Open Crackme1.exe and study how it behaves. Figure (30).

Figure (30)
As Figure (30) shows, when a user name and serial are typed in and the Check button is pressed, we get Figure (31).

Figure (31)
That tells us what we need, so let's open Crackme1.exe in .NET Reflector. Figure (32).

Figure (32)
Selecting btnCheck_Click gives the view in Figure (32).
In this lesson we are not interested in the serial routine itself; we only want the serial it finally produces. .NET Reflector is the best tool for reading .net code, but it can neither edit nor debug it. So, to find the serial that belongs to the user name Myo Myint Htike, we will use PEBrowse Professional Interactive 9.0. Before using it, the settings must be as shown in Figures (33/34).

Figure (33)

Figure (34)
After setting things up as in Figures (33/34), press Ctrl+S to start debugging. Figure (35).

Figure (35)
The red on the left side of Figure (35) shows that the process is running. We will not step through every line of program code. The shortcut keys for stepping are not the same as Olly's: in PEBrowse they are Run (F5), Step over (F10) and Step into (F11). Good; let's set a breakpoint so we get quickly to the place we want to examine. Click .NET Methods in Figure (35) and choose btnCheck_Click. Figure (36).

Figure (36)
Figure (36) shows the serial routine as IL. Press F9 at IL_00B3 to set a breakpoint. The breakpoint we set then appears as in Figure (37).

Figure (37)
Once the breakpoint is set, press F5 to run the program.

Figure (38)
When the program runs, a dialog like Figure (38) pops up. Press F5 again and the program comes up as in Figure (39).

Figure (39)
When you see Figure (39), type in the user name and serial and press the Check button. Figure (40).

Figure (40)
Figure (40) shows that we have stopped at the breakpoint we set. The > marks the instruction that will execute next.

Figure (41)
Figure (41) is the register window. While stepping through the code line by line with F10 in the Disassembly window, keep a close eye on what changes in the register window. Keep pressing F10 until you reach VA 0x40E89B0, as in Figure (42).

Figure (42)
In Figure (42) we see two floating-point values being compared. Let's look at the floating-point mnemonics involved:
FILD load integer onto the FPU stack
FSTP store floating-point value and pop
FLD load floating-point value
FCOMIP compare floating-point values, set EFLAGS (ZF, PF, CF) and pop
FSTP store floating-point value and pop

JPE is Jump if Parity Even: it jumps if the parity flag (PF) is 1. JNZ is Jump if Not Zero: it jumps if the zero flag (ZF) is 0.

Figure (43)
FCOMIP compares the two floating-point values and sets the flags. The two values it compares here are 4458204637983 and 4101979. FCOMIP sets ZF=1 only when the operands are equal and PF=1 only when the comparison is unordered (a NaN is involved); these two values are ordered and unequal, so both ZF and PF end up 0. To see for yourself whether the parity flag is 0 or 1, right-click in the register window and choose EFLAGS. Figure (44).

Figure (44)
Figure (44) is the state right after the FCOMIP instruction has executed. The parity flag is 0. The following FSTP pops the remaining value (4101979) off the FPU stack. Because the parity flag is 0, JPE 0x40E89C6 does not jump to VA 0x40E89C6. Because the zero flag is 0 (not 1), JNZ 0x40E89C6 does jump to VA 0x40E89C6. Figure (45).

Figure (45)
That is why, when we press F5, we get the BadBoy message we did not want to see. Figure (46).

Figure (46)
For the user name Myo Myint Htike, the 4101979 we typed into the serial textbox was compared with the value 4458204637983 that Crackme1.exe computed. So the number we actually need to type into the serial textbox for the user name Myo Myint Htike is ... ☻☻☻
Good. Close PEBrowse. Open Crackme1.exe on its own and try registering as in Figure (47).

Figure (47)
You should then see Figure (48).

Figure (48)
Do you now think finding serials in .net programs is far too easy? ☻☻☻
If so, you are mistaken. To make clear why, I will show another program as an example. Figure (49).

Figure (49)
To see how this program is written, let's examine it in .NET Reflector. Figure (50).

Figure (50)
Clicking the entry in Figure (50) gives Figure (51).
public Registration()
{
    this.components = null;
    this.InitializeComponent();
    this.pictureReg.Image = Image.FromFile("Picture/nag_close.png");
    StringBuilder volumeName = new StringBuilder(0x100);
    StringBuilder fs = new StringBuilder(0x100);
    bool flag = false;
    Environment.GetLogicalDrives();
    // Win32 GetVolumeInformation (P/Invoke): the volume serial of C: lands in this.serialNum
    flag = GetVolumeInformation("c:", volumeName, (uint) (volumeName.Capacity - 1), out this.serialNum,
        out this.serialNumLength, out this.flags, fs, (uint) (fs.Capacity - 1));
    // 14 rounds of arithmetic and XOR over the volume serial; the result is what the dialog displays
    for (int i = 0; i <= 13; i++)
    {
        this.serialNum = (((((2 * this.serialNum) / 7) - (12 * this.serialNum)) + (11 * this.serialNum)) - 0x239875) ^
            this.serialNum;
    }
    this.textcode.Text = this.serialNum.ToString();
}

Figure (51)
Figure (51) is the initialization the program performs when the registration dialog is opened. Clicking the next entry gives Figure (52).

private void butOK_Click(object sender, EventArgs e)
{
    string text;
    FileStream stream;
    BinaryWriter writer;
    long num2 = Convert.ToInt64(this.serialNum);   // the number the dialog shows in textcode
    long num4 = 0x1fca055L;
    // 31 rounds of multiply-and-XOR in (unchecked) 64-bit arithmetic
    for (int i = 0; i <= 30; i++)
    {
        num2 = (7L * num2) ^ (num4 + 0x23c1bcL);
    }
    string strB = Convert.ToString(num2);          // expected registration code, as decimal text
    if (string.Compare(this.textregcode.Text, strB) == 0)
    {
        MessageBox.Show("Registered successfully!\r\nThank you for buying our product!", "Registration Successful!",
            MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
        if (this.passControl != null)
        {
            this.passControl(this.textname);
        }
        base.Hide();
        text = this.textname.Text;
        // Persist the machine value and the user name; nothing here re-validates the code later
        stream = new FileStream("reg.key", FileMode.Create);
        writer = new BinaryWriter(stream);
        try
        {
            writer.Write(this.serialNum);
            writer.Write(text);
        }
        finally
        {
            writer.Close();
            stream.Close();
        }
        Registry.SetValue(@"HKEY_CURRENT_USER\Software\Myanmar Cracking Team\Windows Repair",
            "UserName", text, RegistryValueKind.String);
    }
}

Figure (52)
The code in Figure (51) belongs to the entry seen in Figure (50).
In fact, Windows Repair 1.0 reads the volume serial number of our C: drive and XORs it; the XORed value is 3538139584. It then compares the 4101979 I typed in with a value derived from that number by a further multiply-and-XOR loop. If the serial is correct, it writes serialNum and the user name to the reg.key file (and the user name to the registry) and shows the GoodBoy message. When serial-fishing with PEBrowse, for the 3538139584 code I got the HEX value EAEF9EBE. Converting this to decimal and typing it into the registration dialog, the program says the serial is wrong. (In fact, the 3538139584 shown to us is not a number but a string. PEBrowse cannot handle strings, so every number we typed in was wrong.) Read the code once more: the comparison is string.Compare(this.textregcode.Text, strB), where strB is Convert.ToString(num2) after 31 rounds of 7L * num2 ^ (num4 + 0x23c1bc) in 64-bit arithmetic, so the expected input is the decimal text of that long, which may well be negative.
So when you meet this kind of problem, instead of fishing the serial with PEBrowse, rewrite the program in Visual Studio.net. There is no need to write a separate program: just add this.textcode.Text = strB; right below the line string strB = Convert.ToString(num2);.
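An alternative to recompiling the program: the loop in Figure (52) is small enough to re-implement outside .NET. The following Python is an added example, not the book's code or Windows Repair's: it mirrors the 31-round loop from butOK_Click, assuming C#'s default unchecked context (64-bit two's-complement wraparound on the multiply), and takes as input the number the dialog shows in textcode; the value 3538139584 used when run directly is the one the text reports for the author's machine.

```python
"""Compute the Windows Repair 1.0 registration code from the number the dialog shows.

Added example, not the book's code: it re-implements the loop in butOK_Click
(Figure 52) so the code can be produced without a debugger.  C# 'long' math is
64-bit two's complement and, in the default unchecked context, wraps, so each
step is reduced to a signed 64-bit value before the next.  The input value
3538139584 is the one the text reports for the author's machine; on yours it
is whatever this.textcode.Text displays.
"""
MASK64 = (1 << 64) - 1
XOR_KEY = 0x1FCA055 + 0x23C1BC  # num4 + 0x23c1bc, constant across the loop
ROUNDS = 31                     # for (int i = 0; i <= 30; i++)


def to_int64(value):
    """Wrap an arbitrary Python int to C#'s signed 64-bit range."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value


def registration_code(serial_num, rounds=ROUNDS):
    """Mirror 'num2 = (7L * num2) ^ (num4 + 0x23c1bc)' for `rounds` iterations.

    Returns Convert.ToString(num2): a decimal string, possibly negative, which is
    what string.Compare(this.textregcode.Text, strB) == 0 expects to see typed in.
    """
    num2 = to_int64(int(serial_num))  # Convert.ToInt64(this.serialNum)
    for _ in range(rounds):
        num2 = to_int64((7 * num2) ^ XOR_KEY)
    return str(num2)


if __name__ == "__main__":
    shown = 3538139584  # value displayed in textcode on the author's machine (from the text)
    print(registration_code(shown))
```

The point of to_int64 is the sign: after a few rounds the product exceeds 2^63, and C# silently wraps it negative while Python would keep growing, so without the reduction the decimal string would never match what the program computes.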
In closing: the serials found here came from very simple serial routines. When you crack commercial software, you will meet serial routines hundreds of times harder than these ...

(12) Removing the Strong Name Signature from a .net program

A few words about the Strong Name Signature. A StrongName carries an assembly's identity: its simple text name, version number and culture, plus a public key and a digital signature. These are generated over the assembly file using the matching private key. (The file holds the assembly manifest, which in turn lists the names and hashes of all files that make up the assembly.) Microsoft Visual Studio and other tools that use the .NET framework can give an assembly a StrongName. Bear in mind that a strong name is an identity mechanism, not tamper protection: Microsoft's own documentation says so, and since .NET Framework 3.5 SP1 the runtime skips strong-name verification for full-trust assemblies. In this lesson we study how to remove the simple StrongNames (SN) found in .net exe and DLL files.
There are a few ways to remove the SN from a single exe/DLL file ...
The simplest is to decompile the program to IL, remove the SN, and recompile with ILASM.exe. That is a method that needs no skill at all. Do not imagine you can recompile commercial software this way, because in such programs the code and function names are obfuscated.
Another way is to use the PE header to obtain the information needed to patch the SN. For this you need two files, one with an SN and one without, and then compare their PE headers in CFF Explorer.
The program chosen for this lesson is StrongName.exe, downloadable from www.tuts4you.com. Opening StrongName.exe gives Figure (53).

Figure (53)
There is really nothing special to crack in this program, so let's just change the text useless to patched. This can be done with WinHex. Figure (54).

Figure (54)

After editing as in Figure (54), save the file and reopen it. Figure (55).

Figure (55)
Because the program's strong name is verified, even a tiny edit to the code produces this error: the image hash no longer matches the signature. So let's look at what differs between a file with an SN and one without. Open No StrongName.exe and StrongName.exe in CFF Explorer. Figures (56, 57).

Figure (56) No StrongName.exe, without SN

Figure (57) StrongName.exe, with SN


In the Flags field, 1 means COMIMAGE_FLAGS_ILONLY and 9 means COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED (0x1 | 0x8). Figure (58).

Figure (58)
So we need to find these values and patch them.
Let's look at the Tables directory under MetaData Streams. Figure (59).

Figure (59)
Looking at Assembly under the Tables directory gives Figures (60, 61).

Figure (60) No StrongName.exe, without SN

Figure (61) StrongName.exe, with SN

To remove the StrongName, edit StrongName.exe at the following offsets:
Offset 1018 – Flags – 01
Offset 1028 – StrongNameSignature RVA – 00
Offset 102C – StrongNameSignature Size – 00
Offset 1554 – Flags – 00
Offset 1558 – PublicKey – 00
(These offsets hold for this file only. The first three are the Flags and StrongNameSignature RVA/Size fields of the CLI header, whose location is given by the PE data directory; the last two are the Flags and PublicKey columns of the Assembly row in the metadata tables.)
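The first three edits in that list can be located for any image instead of hard-coding offsets such as 0x1018. The following Python is an added example, not code from the book or from CFF Explorer: it walks the PE data directory to the CLI header, clears COMIMAGE_FLAGS_STRONGNAMESIGNED and zeroes the StrongNameSignature directory. It does not touch the Assembly table's Flags/PublicKey columns (the last two offsets above) or a calling exe's AssemblyRef row, which live in the metadata tables; build_sample_image() is a constructed minimal PE32, not StrongName.exe.

```python
"""Clear the strong-name fields of a .NET CLI header by walking the PE headers.

Added example, not from the book: it performs the first three edits of the
list above (Flags 9 -> 1, StrongNameSignature RVA and Size -> 0) for any
image, instead of relying on offsets that hold only for StrongName.exe.
The Assembly table's Flags/PublicKey columns and a referencing exe's
AssemblyRef PublicKeyOrToken are metadata-table fields and are NOT touched.
build_sample_image() is a constructed minimal PE32, not the book's file.
"""
import struct

COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot of the CLI header


def rva_to_offset(image, rva):
    """Map an RVA to a file offset using the section table."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def find_cli_header(image):
    """File offset of IMAGE_COR20_HEADER, or ValueError if this is not a .NET PE."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 / PE32+ data-directory start
    ndirs = struct.unpack_from("<I", image, dirs - 4)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        raise ValueError("no CLR runtime header directory")
    rva, size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if rva == 0 or size < 72:
        raise ValueError("not a .NET image")
    return rva_to_offset(image, rva)


def strong_name_fields(image):
    """(Flags, StrongNameSignature RVA, StrongNameSignature Size) from the CLI header."""
    hdr = find_cli_header(image)
    flags = struct.unpack_from("<I", image, hdr + 16)[0]
    sn_rva, sn_size = struct.unpack_from("<II", image, hdr + 32)
    return flags, sn_rva, sn_size


def strip_strong_name(image):
    """Return a copy with STRONGNAMESIGNED cleared and the signature directory zeroed."""
    hdr = find_cli_header(image)
    out = bytearray(image)
    flags = struct.unpack_from("<I", out, hdr + 16)[0]
    struct.pack_into("<I", out, hdr + 16, flags & ~COMIMAGE_FLAGS_STRONGNAMESIGNED)
    struct.pack_into("<II", out, hdr + 32, 0, 0)
    return bytes(out)


def build_sample_image():
    """Constructed PE32: one section RVA 0x2000 -> file 0x200, signed CLI header at RVA 0x2008."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    # IMAGE_COR20_HEADER: cb, runtime 2.5, MetaData dir, Flags=ILONLY|STRONGNAMESIGNED,
    # entry-point token, Resources dir, StrongNameSignature dir (RVA 0x2100, 128 bytes); rest zero
    cli = struct.pack("<IHHIIIIIIII", 72, 2, 5, 0x2050, 0x100, 0x9, 0x06000001, 0, 0, 0x2100, 0x80)
    return headers + (b"\0" * 8 + cli.ljust(72, b"\0")).ljust(0x200, b"\0")
```

For StrongName.exe the returned header offset would be 0x1008, which is why the book's offsets are 0x1018 (Flags), 0x1028 and 0x102C; the loader still reports the assembly as strong-named until the PublicKey column of the Assembly row is cleared too, so the hex-editor edits at 0x1554/0x1558 remain necessary.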
If a DLL is loaded by an exe and the registration routine lives inside that DLL, it is the DLL we must patch. The program shown this time is Navsight by Divelements Limited. The Navsight software consists of Demo.exe and Navsight.dll.
Opening Demo.exe and choosing Show ExplorerBar Demonstration gives Figure (62).

Figure (62)

Pressing the OK button gives Figure (63).

Figure (63)
Pressing the Animate! button on the right of Figure (63) makes the task pane on the left disappear. Good, these are the things we will need to fix, but first the SN has to be removed. In WinHex, search Navsight.dll for the string RSA1 and change the 21st and 22nd bytes before it (80 0A) to 00 00. Figure (64). (This SN-removal trick is Newbie_Cracker's, from UnREalRCE {Persian Crackers}.) Those two bytes are the compressed length prefix of the public-key blob in the #Blob heap: the 20 bytes between them and RSA1 are the blob's algorithm-ID and PUBLICKEYSTRUC headers, and zeroing the prefix leaves the Assembly row's PublicKey pointing at an empty blob. For the usual 1024-bit key the blob is 160 bytes and the prefix reads 80 A0, so check the bytes in your own copy rather than trusting the figure.

Figure (64)
Change 80 0A to 00 00 in Navsight.dll as in Figure (64) and save the file. When Demo.exe is then opened, the error in Figure (65) appears.

Figure (65)

Let's think about this for a moment. We removed the SN from the DLL, and the method we used is as good as it gets. So why is there a problem? Are there further SN checks? If the SN is still being checked, it is probably not inside the DLL but in the exe. Look at the error message: Could not load file with PublicKeyToken = 75b7... To check this, open Demo.exe in CFF Explorer and look in the .NET Directory. Figure (66).

Figure (66)
Looking at Navsight in Figure (66) gives Figure (67).

Figure (67)
This is what we want: look at PublicKeyOrToken. When an exe is compiled, the .NET compiler records each referenced assembly's public key (or its token) next to its name in the AssemblyRef table, and the loader uses PublicKeyOrToken to check the referenced assembly's public key. So if we set it to 0 here, the error message in Figure (65) no longer appears. Change the value at offset 0x26324 in Demo.exe to 0 and save; Demo.exe then runs fine. (A PublicKeyOrToken of 0 is a null #Blob index, meaning "no public key", which now matches the unsigned DLL.)
Now Navsight.dll can be patched. Open Navsight.dll in IDA Pro and Reflector and look for the evaluation period.
.method public static hidebysig bool '() // CODE XREF: sub_2840+72_p
                                          // sub_33A0+77_p ...
{
    .locals init (bool V0,
                  class System.String V1,
                  class System.String V2,
                  class System.String[] V3)
    call bool '::'()
    stloc.0
    ldloc.0
    brfalse.s loc_3272
    call class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Assembly::GetExecutingAssembly()
    callvirt class [mscorlib]System.Reflection.AssemblyName [mscorlib]System.Reflection.Assembly::GetName()
    callvirt class System.String [mscorlib]System.Reflection.AssemblyName::get_Name()
    stloc.1
    ldc.i4.5
    newarr [mscorlib]System.String
    stloc.3
    ldloc.3
    ldc.i4.0
    ldstr "Your evaluation period for "
    stelem.ref
    ldloc.3
    ldc.i4.1
    ldloc.1
    stelem.ref
    ldloc.3
    ldc.i4.2
    ldstr " has expired. Product functionality will be limited."
Figure (68) As opened in IDA Pro
In Figure (68), right after call function() we find brfalse. Before doing anything, look for the function names. Because the names are obfuscated there is nothing to find. Could you recompile this DLL? After a long search in Reflector we arrive at Figure (69).

Figure (69)
Figure (69) again shows the functions obfuscated. Properly, the flag value should be 0. So where is the function that returns a flag value of 0?
Go to IDA Pro in Figure (68) and click on call bool '::'(). You will find somewhat convoluted code. We could change the function's return value to FALSE, but to find out whether any dangerous code is involved, scroll down a little first.

Figure (70)
Let's look at this in Reflector. Figure (71).

Figure (71)
The DLL checks whether a NETFramework key exists in the registry; if it does, it records the date and time Demo.exe was first run, computes the current date and time and compares the two. If the current time is more than 30 days after the first run, the return value is TRUE; otherwise it is FALSE. Only once we are sure there is no other dangerous code or function involved can we patch the return value to 0.
To patch it, go to offset 0x4784 in the function, change the bytes there to 16 2A and save the file. To see why, look back at Figure (68).
IDA View                                               opcode (CFF Explorer)   Instruction (CFF Explorer)
call class [mscorlib]System.Reflection.Assembly ...    28 E7 00 00 0A          call 0x0A0000E7
callvirt class [mscorlib]System.Reflection ...         6F E8 00 00 0A          callvirt 0x0A0000E8

Figure (72)
Figure (72) is what IDA Pro and CFF Explorer show at offset 0x4784 before it is patched to 16 2A.
IDA View                                               opcode (CFF Explorer)   Instruction (CFF Explorer)
ldc.i4.0                                               16                      ldc.i4.0
ret                                                    2A                      ret
Figure (73)

Figure (73) is what IDA Pro and CFF Explorer show at offset 0x4784 after patching to 16 2A. ldc.i4.0 pushes the int32 value 0 onto the evaluation stack and ret returns it: the calls that followed are never made and the function simply returns 0 (false). The rest of the original body is now unreachable dead code, which the runtime tolerates. When the patched program is opened again, the expiration dialog is gone.
(13) Injecting and editing code inside a .net program
This time I explain how to remove unneeded code from a program to turn it into the Full Version, and also how to insert some new code of our own. The target file for this lesson is the iScore2010 program from Black Freelance Group. Using the program requires .net Framework 2.0 and SQL Server.
Good. Start iScore2010. When it starts, all you see is notepad.exe opening, as in Figure (74).

Figure (74)
This is because iScore2010 looks for a key.bin file and, if it is not found, is made to launch Notepad. Even if key.bin exists, unless it holds the correct registration code the program raises an error and closes. So we need to find out where in the program this happens.
To trace it we will use WinAPIOverride 6.4.1, a rather good tool for tracing how .net programs work; sometimes it can even show the serial a program computes.
Open WinAPIOverride. Figure (75).

Figure (75)

Make the selections circled in Figure (75) and press the Start button. When the program errors and exits, check in the Log window which methods executed while it ran. Figure (76).

Figure (76)
From Figure (76), iScore2010 appears to fail while executing the Main() method of the Program class. To study Main() in detail, open iScore in Reflector.
// GetInfo, GetHash, BigInteger, FileManager, DecryptString and OpenProcess are the program's own helpers (not shown)
[STAThread]
private static void Main()
{
    int num;
    // Machine fingerprint: physical disk serial and MAC address, read via WMI
    string info = GetInfo("Win32_DiskDrive", "SerialNumber");
    string str2 = GetInfo("Win32_NetworkAdapter", "MACAddress");
    StringBuilder builder = new StringBuilder();
    builder.Append(info);
    BigInteger hash = GetHash(builder.ToString(), 0x40);
    // Split the MAC on ':' and regroup the even- and odd-indexed parts
    string[] strArray = str2.Split(new char[] { ':' });
    StringBuilder builder2 = new StringBuilder();
    StringBuilder builder3 = new StringBuilder();
    StringBuilder builder4 = new StringBuilder();
    for (num = 0; num < strArray.Length; num++)
    {
        if ((num % 2) == 0)
        {
            builder3.Append(strArray[num]);
        }
        else
        {
            builder4.Append(strArray[num]);
        }
    }
    builder2.Append(builder3);
    builder2.Append(builder4);
    BigInteger integer2 = GetHash(builder2.ToString(), 0x40);
    // Interleave the hex digits of the two hashes
    string str3 = hash.ToHexString();
    string str4 = integer2.ToHexString();
    int num2 = str3.Length + str4.Length;
    StringBuilder builder5 = new StringBuilder();
    int startIndex = 0;
    int num4 = 0;
    for (num = 0; num < num2; num++)
    {
        if (((num % 2) == 0) && (startIndex < str3.Length))
        {
            string str5 = str3.Substring(startIndex, 1);
            builder5.Append(str5);
            startIndex++;
        }
        else
        {
            string str6 = str4.Substring(num4, 1);
            builder5.Append(str6);
            num4++;
        }
    }
    // str7: hex of the MD5 over the interleaved value; this is what key.bin must decrypt to
    BigInteger integer3 = new BigInteger(builder5.ToString(), 0x10);
    MD5CryptoServiceProvider provider = new MD5CryptoServiceProvider();
    string str7 = new BigInteger(provider.ComputeHash(integer3.getBytes())).ToHexString();
    string path = Application.StartupPath + @"\key.bin";
    if (File.Exists(path))
    {
        byte[] message = FileManager.ReadBinary(path);
        // key.bin is decrypted with the logical disk's volume serial as passphrase
        string passphrase = GetInfo("Win32_LogicalDisk", "VolumeSerialNumber");
        string str10 = DecryptString(message, passphrase);
        if (str7 == str10)
        {
            // Registered: the real application starts here
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Login());
        }
        else
        {
            OpenProcess();   // wrong key: launches notepad.exe
        }
    }
    else
    {
        OpenProcess();       // no key.bin: launches notepad.exe
    }
}

Figure (77)
Looking at Figure (77) you can probably follow my explanation. Roughly: the program first looks for key.bin. If key.bin exists, it decrypts the text hidden in the file using the volume serial number of the logical disk as passphrase and compares the resulting string (str10) with str7, the hex string of an MD5 hash computed over values derived from the physical disk serial and the MAC address. If the two strings match, the program continues; if they differ, or key.bin is not found, it only launches notepad.exe.
Look at Figure (77) again. Only when str7 and str10 match does the program run the Login form. So what matters to us are only the EnableVisualStyles(), SetCompatibleTextRenderingDefault() and Run() methods; the rest is code we do not need. Let's modify the program to run without checking registration.
Open iScore2010 in Reflector. Figure (78).

Figure (78)
When you see Figure (78), click the Add-Ins submenu of the Tools menu and install the Reflexil plugin. Figure (79).

Figure (79)
Clicking the Tools menu again, you will now see a Reflexil v2.0 sub-menu. Reflexil v2.0 is included on the DVD together with Reflector 9.0.1.318. Reflexil is a plugin for Reflector, an indispensable little plugin that edits .net binaries, recompiles the code we have changed, and can unpack/deobfuscate some files packed or obfuscated with packers/protectors/obfuscators.
After loading Reflexil as in Figure (79), go back to the Main() method of Figure (78). Then choose the Reflexil v2.0 submenu from the Tools menu. You will see Figure (80).

Figure (80)
In Figure (80), Reflexil has laid out the IL code so that we can edit it.

Figure (81)
Right-click on the IL code and, as shown in Figure (81), choose Replace all with code… Before doing so, copy the three lines of code seen in Figure (82).

Figure (82)
Then edit as shown in Figure (83).

Figure (83)
After editing as in Figure (83) and compiling, the IL code seen in Figures (80, 81) is replaced by that of Figure (84).

Figure (84)
Now save the modified code as shown in Figure (86): right-click iScore and choose Save as… from the Reflexil v2.0 menu.
Opening the saved file no longer launches Notepad.exe; it goes straight to the Login form. Enter the correct user name and password and the program can be used.

Figure (85)

Figure (86)
(14) Writing a keygen for a .net program
Patching a program's code or fishing its serial is good for a single occasion only. Even if the program's minor version changes, the code has to be patched again; and if a serial was fished, it will not work on every computer when it depends on a hardware ID. Writing a keygen lets the user keep using the program until its major version changes, and once written it can be used countless times with ease.
Writing a keygen for a .net program is unlike other programming languages: it is very easy. Whether the original was written in VB.net or C#, we can rewrite the routine in whichever .net language we prefer.
The program chosen for this lesson is CrackMe#10 by tKC of REteam. Opening CrackMe#10 gives Figure (87).

Figure (87)
Open CrackMe#10 in Reflector. You will see Figure (88).

Figure (88)
Figure (88) shows the methods and variables in their obfuscated state. Writing a keygen from this would be quite a struggle, so the obfuscation needs to be undone first.
Right-click CrackME (1.0.0.0) and choose Obfuscator search … from the Reflexil v2.0 menu. You will see Figure (89).

Figure (89)
As Figure (89) shows, our CrackMe#10 was obfuscated with SmartAssembly. Press OK and clean it, and you get the deobfuscated file CrackME#10.Cleaned.exe. Open the deobfuscated file in Reflector. (Before opening it, right-click the previously opened CrackME (1.0.0.0) and choose Close Assembly.)

Figure (90)
What Figure (90) now shows no longer looks like Figure (88). The method names Reflexil produces by deobfuscation are easier to follow than the obfuscated ones, but they cannot be the same as the original names. Clicking the Form_Main method of the ns7 class in Figure (90) gives Figure (91).
public sealed class Form_Main : Form
{

public Form_Main()
{
base.Load += new EventHandler(this.Form_Main_Load);
base.Closing += new CancelEventHandler(this.Form_Main_Closing);
tcef;(18) – Visual Dot.net jzifha&;om;xm;aom y½dk*&rfrsm;udk crack vkyfjcif; - 400 -

this.InitializeComponent();
}

private void button_0_Click(object sender, EventArgs e)


{
if (this.Text_name.Text.Trim().Length == 0)
{
Interaction.MsgBox("Invalid name, Try again", MsgBoxStyle.Critical, null);
}
else if (this.Text_name.Text.Trim().Length > 15)
{
Interaction.MsgBox("Invalid name, Try again", MsgBoxStyle.Critical, null);
}
else if (this.Text_Key.Text.Trim().Length == 0)
{
Interaction.MsgBox("Invalid Key, Try again", MsgBoxStyle.Critical, null);
}
else
{
string str;
byte[] bytes = Encoding.Default.GetBytes(this.Text_name.Text);
string[] strArray = new string[(bytes.Length - 1) + 1];
int num4 = bytes.Length - 1;
for (int i = 0; i <= num4; i++)
{
int num;
num += bytes[i];
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
}
int num5 = strArray.Length - 1;
for (int j = 0; j <= num5; j++)
{
str = str + strArray[j];
}
byte[] buffer = Encoding.Default.GetBytes(str);
new SHA512Managed().ComputeHash(buffer);
string expression = Convert.ToBase64String(this.method_1(str));
if (expression.Length != this.Text_Key.Text.Length)
{
Interaction.MsgBox("Invalid Key !, Try again", MsgBoxStyle.Critical, null);
}
else if (Strings.Replace(expression, "A", "L", 1, -1, CompareMethod.Binary) !=
this.Text_Key.Text)
{
Interaction.MsgBox("Invalid Key !, Try again", MsgBoxStyle.Critical, null);
}
else
{
Interaction.MsgBox("Well Done... Now write the Keygen !!", MsgBoxStyle.
Information, null);
}
}
}
private byte[] method_1(string text)
{
SHA512Managed managed = new SHA512Managed();
managed.ComputeHash(Encoding.Default.GetBytes(text));
return managed.Hash;
}
}
yHk(91)
yHk(91)udk Munhfyg/ button_0_Click [m yHk(87)u Register button udkESdyfcsdefrSm vkyfaqmifr,fh
uk'fawGjzpfygw,f/ method_1 uawmh ½dkufxnfhvdkufwJh user name udk SHA512 pm0Sufenf;toHk;jyKNyD;
hash pmom;xkwfay;r,fh method jzpfygw,f/
aumif;NyD/ button_0_Click &JUvkyfaqmifykH tao;pdwfudk avhvmMunhf&atmif/
1/ if (this.Text_name.Text.Trim().Length == 0)
½dkufxnfhvdkufwJh user name [m uGufvyf [kwf^r[kwf ppfwmjzpfygw,f/ uGufvyfomjzpfaecJh&if
"Invalid name, Try again" vdYkjyorSmjzpfygw,f/
2/ else if (this.Text_name.Text.Trim().Length > 15)
'grSr[kwf .. ½dkufxnfhvdkufwJh user name [m pmvHk;ta&twGuf 15 vHk;xuf ausmf^rausmfudk
ppfwmjzpfygw,f/ ausmfcJh&if "Invalid name, Try again" vdkYjyorSmjzpfygw,f/ 'Dae&mrSm ajymcsifwmu
Trim() method udkoHk;xm;wmaMumifh user name &JUaemufrSm space awG rawmfwqygvmcJh&if tJ'D space
awGudk pmvHk;taeeJY a&wGufrSmr[kwfygbl;/ Oyrmajym&&if "rhythm (MCT) " vdkY½dkufxnfhcJh&if y½dk*&rfu
"rhythm (MCT)" vdkYom odaerSmjzpfygw,f/ pmvHk;a& 16 vHk;vdkY ra&wGufbJ 12 vHk;vdkYom a&wGufrSmjzpfyg
w,f/ "m" eJY "(" Mum;u space udkawmh pmvHk;taeeJY xnfhoGif;a&wGufygw,f/
3/ else if (this.Text_Key.Text.Trim().Length == 0)
aemufwpfcku key ae&mrSm bmrS½dkufrxnfhbJ uGufvyfyJxm;r,fqdk&if "Invalid key, Try again"
vdYkjyorSmjzpfygw,f/
4/ tqifh (1)uae tqifh(3)txd owfrSwfcsufeJY udkufnDcJhr,fqdk&if uRefawmfwdkY½dkufoGif;vkdufwJh user
name eJY key wdkY rSef^rrSefudk pppfawmhrSmjzpfygw,f/ yHk(92)rSmjrif&wJhtwdkif; user name eJY key udk
½dkufxnfhvdkufyg/

yHk(92)
4.1/ byte[] bytes = Encoding.Default.GetBytes(this.Text_name.Text);
uRefawmfwdkY½dkufxnfhvdkufwJh user name udk byte array taeeJY atmufygtwdkif; odrf;qnf;vdkufyg
w,f-
bytes[0x0C] = {0x72, 0x68, 0x79, 0x74, 0x68, 0x6D, 0x20, 0x28, 0x4D, 0x43, 0x54, 0x29};
4.2/ string[] strArray = new string[(bytes.Length - 1) + 1];
string array wpfckjzpfwJh strArray udak MunmNyD; initialize vkyfygw,f/ 'gaMumifh strArray &JU
index wefzdk;[m 12 (0x0C) jzpfvmygw,f/
4.3/ int num4 = bytes.Length - 1;
num4 &JUwefz;kd [m 11 (0x0B) jzpfygr,f/
4.4/ for (int i = 0; i <= num4; i++) // num4 = 11
{
int num;
num += bytes[i]; // num = num + bytes[i]
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
}
Using the for loop, each value in the bytes[] array is added to the value held in the num variable, the result is converted to a string and stored in strArray. The loop runs 12 times, but to keep it short I will only explain what has changed after the first and the last iteration.
First iteration of the for loop
for (int i = 0; i <= 11; i++)
{
int num;
num += bytes[i]; // num = 0 + bytes[0] = 0 + 0x72 = 0x72₁₆ = 114₁₀
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
// strArray[0] = 0x72 + 0x72 = 0xE4₁₆ = 228₁₀ (stored as the string "228")
}
Last iteration of the for loop
for (int i = 11; i <= 11; i++)
{
int num;
num += bytes[i]; // num = num + bytes[11] = 0x3C8 + 0x29 = 0x3F1₁₆ = 1009₁₀
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
// strArray[11] = 0x29 + 0x3F1 = 0x41A₁₆ = 1050₁₀ (stored as the string "1050")
}
4.5/ int num5 = strArray.Length - 1;
num5 &JUwefz;kd [m 11 (0x0B) jzpfygr,f/
4.6/ for (int j = 0; j <= num5; j++) // num5= 11
{
str = str + strArray[j];
}
Using the for loop, the values in the strArray[] array are appended one after another to the value in str. The loop runs 12 times, but to keep it short I will only explain what has changed after the first and the last iteration.
First iteration of the for loop
for (int j = 0; j <= 11; j++)
{
str = str + strArray[j]; // str = "" + strArray[0] = "" + "228" = "228"
}
Last iteration of the for loop
for (int j = 11; j <= 11; j++)
{
str = str + strArray[j];
// str = str + strArray[11] = "2283224605716637777327808949511052" + "1050"
// = "22832246057166377773278089495110521050"
}
4.7/ byte[] buffer = Encoding.Default.GetBytes(str);
str xJrSm&SdwJhpmom;awGudk pmvHk;wpfvHk;csif;tvdkuf cGJxkwfNyD; buffer xJrSm atmufygtwdkif; odrf;yg
r,f-
buffer []={ 0x32, 0x32, 0x38, 0x33, 0x32, 0x32, 0x34, 0x36, 0x30, 0x35, 0x37, 0x31,
0x36, 0x36, 0x33, 0x37, 0x37, 0x37, 0x37, 0x33, 0x32, 0x37, 0x38, 0x30,
0x38, 0x39, 0x34, 0x39, 0x35, 0x31, 0x31, 0x30, 0x35, 0x32, 0x31, 0x30,
0x35, 0x30}
4.8/ new SHA512Managed().ComputeHash(buffer);
buffer xJrSm&SdwJh pmvHk;awGudk SHA512 pm0Sufenf;oH;k NyD; pm0Sufygw,f/ 'Dtcg atmufygtwdkif;
hash wefzdk;udk &&Sdygr,f-
HashValue[]={0xA0, 0x01, 0x84, 0xD9, 0x3A, 0xC5, 0x95, 0x20, 0xC1, 0x86, 0x83,
0x67, 0x1C, 0xC6, 0xF8, 0x00, 0x79, 0x51, 0x22, 0x45, 0xCB, 0x31,
0xAA, 0x72, 0x30, 0x10, 0x3C, 0x9E, 0xDA, 0x11, 0xA9, 0x28, 0x98,
0xC0, 0xF3, 0xD5, 0xD8, 0xA9, 0x6C, 0xA5, 0xAD, 0x82, 0xE9, 0xF9,
0x29, 0x0C, 0xA7, 0xEA, 0xD5, 0xDA, 0xD4, 0xA6, 0xB2, 0x89, 0xF0,
0xE6, 0xB1, 0x87, 0xCB, 0x0B, 0x1A, 0x08, 0x46, 0x82}
4.9/ string expression = Convert.ToBase64String(this.method_1(str));
method_1 method xJukd str wefzdk;jzpfwJh 22832246057166377773278089495110521050
udkxnfhoGif;vdkufNyD; wGufcsufvdkY &&SdvmwJhwefzdk;udk Base64 string tjzpfajymif;vJum expression xJrSm
odrf;qnf;ygw,f/ 'Dwefzdk;uawmh "oAGE2TrFlSDBhoNnHMb4AHlRIkXLMapyMBA8ntoRqSiYw
PPV2Klspa2C6fkpDKfq1drUprKJ8Oaxh8sLGghGgg==" jzpfygw,f/ 'Dwefzdk;b,fvdk&vmovJqdkwm
od&atmif method_1 method tvkyfvkyfyHk tao;pdwfMunfhygr,f/ 4.9.1/
4.9.1/ private byte[] method_1(string text)
{
SHA512Managed managed = new SHA512Managed();
managed.ComputeHash(Encoding.Default.GetBytes(text));
return managed.Hash;
}
The str value 22832246057166377773278089495110521050 is passed into the method_1 method. This value is hashed with SHA-512, and the resulting hash value is:
Hash[]={0xA0, 0x01, 0x84, 0xD9, 0x3A, 0xC5, 0x95, 0x20, 0xC1, 0x86, 0x83, 0x67,
0x1C, 0xC6, 0xF8, 0x00, 0x79, 0x51, 0x22, 0x45, 0xCB, 0x31, 0xAA, 0x72,
0x30, 0x10, 0x3C, 0x9E, 0xDA, 0x11, 0xA9, 0x28, 0x98, 0xC0, 0xF3, 0xD5,
0xD8, 0xA9, 0x6C, 0xA5, 0xAD, 0x82, 0xE9, 0xF9, 0x29, 0x0C, 0xA7, 0xEA,
0xD5, 0xDA, 0xD4, 0xA6, 0xB2, 0x89, 0xF0, 0xE6, 0xB1, 0x87, 0xCB, 0x0B,
0x1A, 0x08, 0x46, 0x82}
trSefawmh tqifh(4.7? 4.8)u rvdktyfygbl;/ bmaMumifhvJqdkawmh tqifh(4.9.1)eJY twlwlyJrdkY jzpfyg
w,f/
4.10/ if (expression.Length != this.Text_Key.Text.Length)
wGufcsufvYkd&vmwJh expression variable &JUpmom;rSmyg0ifwJh pmvHk;ta&twGufeJY uRefawmfwdkY
½dkufxnhfvdkufwJh key &JUpmvH;k ta&twGufudk wdkufppfygw,f/ wu,fvdkY rwlnDcJh&if "Invalid Key !, Try
again" udkjyygr,f/
expression = "oAGE2TrFlSDBhoNnHMb4AHlRIkXLMapyMBA8ntoRqSiYwPPV2Klspa2C6fkpDKfq1drUprKJ8Oaxh8sLGghGgg=="
uRefawmfwdkY ½dkufxnfhvdkufaom key = "AnyPassword"
expression &JUpmom;rSmyg0ifwJh pmvHk;ta&twGuf[m (88)vHk;jzpfNyD; uRefawmfwdkY½dkufxnfhvdkufwJh
key uawmh pmvHk;a& (11)vHk;om &Sdygw,f/ 'Dawmh wlnDp&m taMumif;r&Sdygbl;/
4.11/ else if (Strings.Replace(expression, "A", "L", 1, -1, CompareMethod.Binary) !=
this.Text_Key.Text)
wGufcsufvYkd&vmwJh expression &JU pmom;awGxJrSm A qdkwhJpmvH;k ygvmcJh&if L pmvHk;eJY tpm;xdk;NyD;
&vmwJhwefzdk;[m uRefawmfwdkY½dkufxnfhvkdufwJh key eJY nD? rnD ppfaq;ygw,f/ rnD&if "Invalid Key !, Try
again" udkjyygr,f/
expression = "oLGE2TrFlSDBhoNnHMb4LHlRIkXLMapyMBL8ntoRqSiYwPPV2Klspa2C6fkpDKfq1drUprKJ8Oaxh8sLGghGgg=="
4.12/ Interaction.MsgBox("Well Done... Now write the Keygen !!", MsgBoxStyle.Information, null);
tay:utqifhawGtm;vHk;udk ausmfvTm;EkdifcJh&ifawmh oif[m cracker aumif;wpfa,muf jzpfygvdrhf
r,f/ oifhtaeeJY keygen udk pa&;vdkY&ygNyD/
Keygen ra&;om;cifrSm uRefawmfhtaeeJY axmufjyvdkwJhtcsuf wpfcsuf&Sdygw,f/ yxrtcsufu
tqif(h 4.7? 4.8)rSmawGYchJ&wJhu'k fukd uRefawmfwkdYtaeeJY rvdktyfygbl;/ ar;cGef;xkwfwJh y½dk*&rfrmtaeeJY rSm;
,Gif;NyD; tydkuk'fa&;oGif;xm;jcif;om jzpfygw,f/
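As an added example (not the book's C# keygen from the DVD), the following Python reproduces the key derivation walked through in steps 4.1 to 4.11 so the intermediate values can be checked: the running-sum transform, the concatenated string, and the Base64 SHA-512 with every "A" replaced by "L". It assumes Encoding.Default is a single-byte Windows code page, so Latin-1 is used; the name and key checks mirror button_0_Click, and the redundant hash of steps 4.7 and 4.8 is left out.

```python
import base64
import hashlib

# Constructed sample name, the one typed in figure 92 of the walkthrough.
SAMPLE_NAME = "rhythm (MCT)"
MAX_NAME_LENGTH = 15   # limit enforced by button_0_Click (step 2)


def transform_name(name: str) -> str:
    """Steps 4.1 to 4.6: running-sum transform, each value appended as decimal text.

    Latin-1 stands in for Encoding.Default (an assumption, not from the book);
    for ASCII names every code page produces the same bytes anyway.
    """
    data = name.encode("latin-1")
    running = 0          # the keygen initialises num to 0
    parts = []
    for b in data:
        running += b                    # num += bytes[i]
        parts.append(str(b + running))  # Conversions.ToString(bytes[i] + num)
    return "".join(parts)


def derive_key(name: str) -> str:
    """Steps 4.9 to 4.11: SHA-512 of the transformed string, Base64, 'A' -> 'L'."""
    digest = hashlib.sha512(transform_name(name).encode("latin-1")).digest()
    expression = base64.b64encode(digest).decode("ascii")
    # Strings.Replace(expression, "A", "L", 1, -1, CompareMethod.Binary):
    # case-sensitive, every occurrence, starting at position 1.
    return expression.replace("A", "L")


def validate(name: str, key: str) -> str:
    """Mirror of button_0_Click: returns the message box text the program shows."""
    if len(name.strip()) == 0 or len(name.strip()) > MAX_NAME_LENGTH:
        return "Invalid name, Try again"
    if len(key.strip()) == 0:
        return "Invalid Key, Try again"
    # Note the untrimmed name and key are what the program actually hashes/compares.
    expression = derive_key(name)
    # Step 4.10 compares lengths first; a Base64 SHA-512 string is always 88 chars.
    if len(expression) != len(key) or expression != key:
        return "Invalid Key !, Try again"
    return "Well Done... Now write the Keygen !!"


if __name__ == "__main__":
    print(transform_name(SAMPLE_NAME))
    print(derive_key(SAMPLE_NAME))
    print(validate(SAMPLE_NAME, "AnyPassword"))
```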
Alright, let's start writing the keygen. The source code for the keygen written in C# is included on the DVD. If you did not follow my explanation, you can open the keygen file on the disc and look at it.
You can write the keygen in whichever programming language you prefer, but I want to write it in C#, because the C# code that Reflector produces can be copied into Visual Studio and compiled with little effort. I will be using Visual Studio 2012; you can use whichever version of Visual Studio you like.

uRefawmfhtaeeJY C# eJY b,fvdk y½dk*&rfa&;&rvJ? form awG b,fvdkzefwD;&rvJqdkwm &Sif;rjyygbl;/
C# a&;enf;eJYywfoufNyD; t*Fvdyfvdka&;om;xm;wJh pmtkyfawG trsm;BuD;xGuf&SdNyD;jzpfovdk jrefrmvdk &Sif;jy
xm;wJhpmtkyfawGvnf; xGux f m;wmjzpfwJhtwGuf tJ'DpmtkyfawG0,fzwf&IzdkYyJ tBuHay;vdkygw,f/
yxrqHk; yHk(93)rSmjrif&wJh form wpfckudk wnfaqmufvkdufyg/

yHk(93)
Name: aemufu TextBox udk Text_Name vdkYtrnfay;yg/ Key: aemufu TextBox udk
Text_Key vdkYtrnfay;yg/ Generate Button udk Generate vdkYtrnfay;vdkufyg/ NyD;&if Generate Button
ay:ESpfcsufESdyfNyD; Form1.cs zdkifxJrSm yHk(94)twdkif; jyifyg/
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Security.Cryptography;

namespace tKC_Keygen
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private byte[] SHA512(string text)
{
SHA512Managed managed = new SHA512Managed();
managed.ComputeHash(Encoding.Default.GetBytes(text));
return managed.Hash;
}
private void Generate_Click(object sender, EventArgs e)
{
if (Text_Name.Text.Trim().Length == 0)
{
Interaction.MsgBox("Invalid name, Try again", MsgBoxStyle.Critical, null);
}
else if (Text_Name.Text.Trim().Length > 15)
{
Interaction.MsgBox("Invalid name, Try again", MsgBoxStyle.Critical, null);
}
else
{
string str="";
byte[] bytes = Encoding.Default.GetBytes(Text_Name.Text);
string[] strArray = new string[(bytes.Length - 1) + 1];
int num4 = bytes.Length - 1;
int num = 0;
for (int i = 0; i <= num4; i++)
{
num += bytes[i];
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
}
int num5 = strArray.Length - 1;
for (int j = 0; j <= num5; j++)
{
str = str + strArray[j];
}
string expression = Convert.ToBase64String(SHA512(str));
Text_Key.Text = Strings.Replace(expression, "A", "L", 1, -1, CompareMethod.Binary);
}
}
}
}
yHk(94)
yHk(94)uuk'fawGtwdkif; jyifqifNyD; Build menu u Build Solution (F6) udka&G;vdkuf&if yHk(95)
rSmawGY&wJh uRefawmfwdkY&JU keygen zdkifudk &&SdrSmjzpfygw,f/

yHk(95)
tcef;(19) – Android application rsm;udk crack vkyfjcif; - 408 -

tcef;(19) - Android application rsm;udk crack vkyfjcif;


'Dwpfacguf oifcef;pmrSmawmh Android application awGudk b,fvdk crack vkyf&rvJqkdwm
avhvmMuygr,f/ Crack rvkyfcifrSm android application awG&JU tvkyfvkyfyHkudk tenf;i,frdwfqufay;rSm
jzpfygw,f/
Android OS qdkonfrSm...
Android [m prwfzke;f awGeYJ wufbvufawGvkd touchscreen ygwJhrdkbdkif;zkef;awGtwGuf &nf&G,fNyD;
Linux kernel ay:tajccHum a&;qGJcJhwJh rdkbkdif;zkef;pufvnfywfrIpepfjzpfNyD; ¤if;udk wDxGifcJhwmuawmh
Android, Inc. jzpfum 2003 ckEp S rf mS wDxGifchJwmjzpfygw,f/ 2005 ckESpfrmS awmh Google u vufajymif;
0,f,lcJhygw,f/ 2013 ZlvdkifrSm Google Playstore rSm Android application aygif; 1oef;ausmf
wifxm;EdkifcJhNyD; download vkyf,lcJhwJhtBudrfta&twGufuawmh bDvD,H 50 ausmfchJygw,f/ 2013 {NyD-ar
ppfwrf;rsm;t& rdkbdkif;zkef; developer awGxJu 71% [m Android twGuf application rsm;udk
a&;om;cJhMuygw,f/ 2013 ZGefvrSmwif Android udktoHk;jyKolta&twGuf[m 538oef;ausmf &SdaeNyDjzpfyg
w,f/
Android OS wnfaqmufxm;&SdyHk
Android &JU zGJYpnf;wnfaqmufyHkrSm layer 4ck yg0ifNyD; olwdkYawGuawmh Applications layer?
Application Framework layer? Libraries layer eJY Linux Kernel layer wdkYjzpfygw,f/ yHk(1)/

yHk(1)
atmufqHk;u layer jzpfwhJ Linux Kernel layer rSm hardware tpdwftydkif;awGudk csdwfqufay;NyD;
Android &JUvHkNcHKa&;qdkif&mudpö&yfrsm;udkvnf; udkifwG,fygw,f/ Linux Kernel layer &JU tay:bufrSm&SdwJh
layer rSmawmh Surface Manager? Media Framework? SQLite? WebKit eJY OpenGL wdkYvdk toHk;0ifwJh
library zdkifawG&Sdygw,f/ 'D library zdkifawGudk C eJY C++ wdkYeJY a&;om;xm;wmjzpfNyD; zdkiftrsm;pkuawmh Linux
uae ,lxm;wmjzpfygw,f/ Android eJY Linux wdYk&UJ t"duuGmjcm;csufuawmh Linux &JU vkyfaqmifrI
awmfawmfrsm;rsm;rSm toHk;jyKwJh libc library tpm; bionic vdkYac:wJh jyKjyifxm;wJh udk,fydkif library zdkifudk
toHk;jyKjcif;jzpfygw,f/ Android 4.0 eJYatmufuawmh Linux kernel 2.6.x udktajccHxm;NyD; aemufydkif;xkwf
version awGuawmh Linux kernel 3.x udktajccHxm;wm jzpfygw,f/ yHk(2)/
Android Version   Code Name           API Level   Linux Kernel
1.5               Cupcake             3           2.6.27
1.6               Donut               4           2.6.29
2.0/1             Éclair              5-7         2.6.29
2.2.x             Froyo               8           2.6.32
2.3.x             Gingerbread         9, 10       2.6.35
3.x.x             Honeycomb           11-13       2.6.36
4.0.x             Ice Cream Sandwich  14, 15      3.0.1
4.1.x             Jelly Bean          16          3.0.31
4.2.x             Jelly Bean          17          3.4.0
4.3               Jelly Bean          18          3.4.39
4.4               Kit Kat             19, 20      3.10
5.x               Lollipop            21, 22      3.16.1
6.0               Marshmallow         23          3.18.10
yHk(2)
Android rSm application awG[m Dalvik Virtual Machine (DVM) vdkYac:wJh virtual
environment wpfckatmufrSm tvkyfvkyfygw,f/ Android 4.4 uaepNyD;awmh Android Runtime (ART)
qdkNyD; tjcm; runtime environment wpfck rdwfqufvmygw,f/ oHk;pGJolawGtaeeJY DVM eJY ART udk
ESpfouf&moH;k pGJEkdifygw,f/ Dalvik Virtual Machine [m stack udktajccHwJhpepftpm; register
udktajccHwJhpepfjzpfwmuvGJvdkY t*Fg&yfawGuawmh Java Virtual Machine (JVM) eJYqifwlygw,f/
'gaMumifrh Ykd application toD;oD;[m Dalvik Virtual Machine atmufrSm olU&JUudk,fydkifjzpfpOfawGeJY
tvkyfvkyfrSm jzpfNyD; wu,fvdkY rwlnDwJh application oHk;ckudk tvkyfvkyfapcJh&if rwlnDwJh jzpfpOf oHk;ckudk
awGY&ygvdrfhr,f/ Dalvik Virtual Machine uawmh .dex (Dalvik EXecutable) zdkiftrsdK;tpm;awGudk
tvkyfvkyfapygw,f/
oifhrSm Android ypönf;wpfck (odkY) Android emulator wpfck&Sdr,fqdk&ifawmh Android SDK
eJYtwlygwJh adb qdkwJh utility udk toHk;jyKNyD; Android pepfudk uGeyf sLwmeJY csdwfquftoH;k jyKEdkifygw,f/ adb
shell udk oifvkyfaqmifapcsifwJh command awGeJY vkyfaqmifcsufawGudk device eJYcsdwfqufNyD; cdkif;apEdkifzdkYeJY
device qDu tcsuftvufawGudk &,lzdkY toHk;jyKEdkifygw,f/ Android rSm Linux eJYwlnDwmu oif
command awGtjzpftoHk;jyKvdkufwJh binary zdkifawG[m /system/bin eJY /system/xbin folder awGatmufrSm
wnf&SdwmygyJ/ Playstore uaeyJjzpfjzpf? tjcm;ae&mwpfckckuaeyJjzpfjzpf download vkyfNyD; install
vkyxf m;wJh application &JU a'wmawGudkawmh /data/data xJrmS ae&mcsrSmjzpfNyD; rlv installtion zdkifjzpfwJh
.apk zdkifudkawmh /data/app ae&mrSmodrf;qnf;xm;rSmjzpfygw,f/
APK qdkonfrSm ...
uRefawmfwdkY Windows application awGudk crack rvkycf ifrmS .exe zdkif&JU PE structure udk
tao;pdwfavhvmcJhMuwm owd&OD;rSmyg/ Android rSmawmh uRefawmfwYkd crack vkyf&r,fh application awGu
.apk zdkifawGjzpfygw,f/ 'Dawmh .apk zdkifawGtaMumif;udk xJxJ0if0if odxm;rS crack vkyfwJhtcg vG,fulrmS
jzpfygw,f/ Android Package (APK) qdkwmuawmh Android application awGtwGuf owfrSwfxm;wJh
zdkif extension jzpfNyD; ol[m pkpnf;xm;wJh archive zdkifwpfckjzpfygw,f/ olUxJrSm application &JU vdktyfwJh
zdkifawG? folder awG yg0ifygw,f/ .apk zdkifwpfckckudk .zip vdkYajymif;vdkufNyD; WinRAR vdkaqmhzf0JvfeJY zip
jznfMunhfyg/ yHk(3)twdkif; jrif&ygr,f/

yHk(3)
(1) AndroidManifest.xml zdkif/ y½dk*&rfudk tvkyfvkyfapzdkY vdktyfwJh tedrfhqHk; Android version?
package trnf? activity rsm;pm&if;? application udktoHk;jyKzdkY vdktyfwJh permission awGvdk application eJY
qufEG,fwJhtcsuftvufawG yg0ifygw,f/ yHk(4)/

yHk(4)
(2) classses.dex zdkif/ Android application awG[m Java rSm compile vkyfMu&wmjzpfNyD; compile
vkyfNyD;csdefrSmawmh rlvuk'fawG[m .class zdkiaf wG jzpfukefygw,f/ 'Dah emufrmS awmh Android SDK
eJYtwlygvmwJh dx tool u .class zdkifawGudk Dalvik bytecode awGyg0ifwJh classes.dex zdkiftaeeJY
ajymif;vJay;vdkufwm jzpfygw,f/ .dex zdkifyHkpHtaeeJY compile vkyfcH&wJh class awGukd Dalvik virtual
machine uom em;vnfEdkifygw,f/
(3) META-INF folder/ Application &JU signature udkodrf;qnf;zdkY toHk;jyKwJh folder wpfckjzpfygw,f/
Developer awGrSm olwdkY&JU sign vkyfwJh key awG&SdMuNyD; olwdkY&JU application awGudk oD;jcm;pD sign vkyfMu
wmjzpfygw,f/ Sign vkyfxm;wJh application awGudkom device awGrSm install vkyfEdkifygw,f/ META-
INF folder atmufrSm zdkif(3)zdkif&SdNyD; 'DzdkifawGuawmh CERT.RSA? CERT.SF eJY MANIFEST.MF wdkYjzpf
ygw,f/ Sign vkyfzdkYtwGuf JDK (Java Development Kit)rSmygwJh jarsigner udktoHk;jyKwmjzpfygw,f/
CERT.RSA/ Application &JU certificate jzpfygw,f/ 'DzdkifxJrSm cert.sf &JU signature yg0ifygw,f/
Cert.rsa zdkif[m binary zdkifwpfckjzpfNyD; JDK rSmygvmwJh keytool eJYMunfh&if yHk(5)twdkif; jrifawGYEkdifygw,f/
C:\Program Files\Java\jdk1.8.0\bin>keytool -printcert -file cert.rsa
Owner: CN=SKW
Issuer: CN=SKW
Serial number: 5135b05d
Valid from: Tue Mar 05 15:14:13 MMT 2013 until: Sat Feb 27 15:14:13 MMT 2038
Certificate fingerprints:
MD5: 50:62:74:1A:9E:A6:03:BA:2E:D4:1C:EC:68:A2:90:CF
SHA1: 99:8C:B9:F2:10:D4:BB:95:54:82:73:51:EC:AC:CC:A0:0C:43:FE:9D
SHA256: 25:26:BC:57:CA:6F:B5:72:EF:D0:E2:37:7A:A3:E6:72:91:8A:C2:A6:C0:CC:E9:FC:AE:DE:89:46:26:E0:55:18
Signature algorithm name: SHA1withRSA
Version: 3
yHk(5)
CERT.SF/ Resource awGeJY MANIFEST.MF zdkifxJrSm&SdwJh oufqdkif&mpmaMumif;awG&JU SHA-1
digest awGpm&if; jzpfygw,f/ yHk(6)/
Signature-Version: 1.0
Created-By: 6.1.14
SHA1-Digest-Manifest-Main-Attributes: /bBVP0g9zoHQO3en+J7s4EG8GQc=
SHA1-Digest-Manifest: ocu27qPLWdPaX0CQbcSwfK64qpk=
Name: manifest
SHA1-Digest: O7G9CwuzLuQVf29oMCsO9UlJV/k=
Name: AndroidManifest.xml
SHA1-Digest: Qg6UEnU2ue+uEr1qpVKoSjGAX10=
yHk(6)
MANIFEST.MF/ pm&if;zdkifjzpfygw,f/ Manifest.mf zdkifxJrSmvJ cert.sf zdkifxJuvdk SHA1 digest
awGygayr,fh cert.sf zdkifxJu SHA1 digest awG[m Manifest.mf zdkifxJu oufqdkif&m entry &JU pmaMumif;
(3)aMumif;(pmaMumif;vGwfwpfaMumif;yg0if/)udk hash vkyfNyD;wGufcsufxm;wJh digest awGomjzpfygw,f/
(4) res folder/ resources.arsc xJudk compile rvkyfvdkufwJh resource awGudk odrf;qnf;&mae&mjzpfyg
w,f/ olUxJrSm layout eJY menu awGtjzpftoHk;jyKr,fh .xml zdkifawGyg0ifygw,f/
(5) resources.arsc zdkif/ Resource awGudk compress vkyfxm;wJhzdkifjzpfygw,f/
(6) assets folder/ Application utoHk;jyKwJh jyifyu resource awG (jrefrm font zdkifuJhodkY resource rsm;)
jzpfNyD; AssetManager u&,ltoHk;jyKEdkifwJh application asset awGyg0ifygw,f/
(7) lib folder/ Process &JU aqmhzf0Jvf layer eJYywfoufwJh compile vkyfxm;wJhuk'fawGyg0ifwJh folder
jzpfygw,f/ 'D folder xJrSm atmufu folder awGyg0ifEdkifygw,f-
armeabi: ARM processors only.
armeabi-v7a: ARMv7 and later processors only.
arm64-v8a: ARMv8 arm64 and later processors only.
x86: x86 processors only.
x86_64: x86_64 processors only.
mips: MIPS processors only.


To recap how an APK file comes into being:
1. In Eclipse or Android Studio, the .java files we wrote in Java, including R.java, are turned into a .jar file by the Java compiler (javac.exe), and the dx (dexify) tool then creates the classes.dex file.
2. Likewise, the files under the res folder, the Resources.arsc file added by aapt (Android Asset Packaging Tool) and the AndroidManifest.xml file end up in app_name.jar together with the classes.dex file.
3. The app_name.jar file is signed with the jarsigner tool and produced as app_name.apk.
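As an added example (not from the book or any signing tool), the following Python shows how the per-entry SHA1-Digest values in CERT.SF are derived from the corresponding MANIFEST.MF sections described above, and how a verifier uses them to detect a modified entry after repacking. The manifest text and the digest values inside it are constructed placeholders, and continuation lines for entries longer than 72 bytes are not handled.

```python
import base64
import hashlib

# Constructed placeholders standing in for real 28-character Base64 SHA-1 digests.
PLACEHOLDER_MANIFEST_XML = "A" * 27 + "="
PLACEHOLDER_DEX = "B" * 27 + "="

# Constructed MANIFEST.MF in the layout of figure 6: a main section, then one
# section per file, each section ending with a blank line (CRLF line endings).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.0 (Android)\r\n"
    "\r\n"
    "Name: AndroidManifest.xml\r\n"
    "SHA1-Digest: " + PLACEHOLDER_MANIFEST_XML + "\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA1-Digest: " + PLACEHOLDER_DEX + "\r\n"
    "\r\n"
)


def sha1_b64(data: bytes) -> str:
    """Base64 of the SHA-1 digest, the form used by the SHA1-Digest headers."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def split_sections(text: str):
    """Split MANIFEST.MF (or CERT.SF) into the main section and {name: section}.

    Each section is returned verbatim, blank line included, because that is the
    exact byte range the CERT.SF SHA1-Digest of an entry is computed over.
    """
    sections = [s + "\r\n\r\n" for s in text.split("\r\n\r\n") if s]
    main = sections[0]
    entries = {}
    for section in sections[1:]:
        first_line = section.split("\r\n", 1)[0]
        if first_line.startswith("Name: "):
            entries[first_line[len("Name: "):]] = section
    return main, entries


def build_cert_sf(manifest: str) -> str:
    """Produce the CERT.SF text a signer would write for this MANIFEST.MF."""
    main, entries = split_sections(manifest)
    lines = [
        "Signature-Version: 1.0",
        "Created-By: example-signer",  # constructed value
        "SHA1-Digest-Manifest-Main-Attributes: " + sha1_b64(main.encode("utf-8")),
        "SHA1-Digest-Manifest: " + sha1_b64(manifest.encode("utf-8")),
        "",
    ]
    for name, section in entries.items():
        lines += ["Name: " + name,
                  "SHA1-Digest: " + sha1_b64(section.encode("utf-8")),
                  ""]
    return "\r\n".join(lines) + "\r\n"


def parse_cert_sf(cert_sf: str):
    """Return (SHA1-Digest-Manifest value, {name: SHA1-Digest value})."""
    main, entries = split_sections(cert_sf)
    manifest_digest = None
    for line in main.split("\r\n"):
        if line.startswith("SHA1-Digest-Manifest: "):
            manifest_digest = line.split(": ", 1)[1]
    digests = {}
    for name, section in entries.items():
        for line in section.split("\r\n"):
            if line.startswith("SHA1-Digest: "):
                digests[name] = line.split(": ", 1)[1]
    return manifest_digest, digests


def changed_entries(manifest: str, cert_sf: str) -> list:
    """Names whose MANIFEST.MF section no longer matches the digest in CERT.SF.

    Repacking an APK with a new classes.dex changes that entry's line in
    MANIFEST.MF, so its CERT.SF digest (and the whole-manifest digest) break;
    this is why a modified APK has to be re-signed before Android installs it.
    """
    _, expected = parse_cert_sf(cert_sf)
    _, entries = split_sections(manifest)
    return [name for name, digest in expected.items()
            if name not in entries
            or sha1_b64(entries[name].encode("utf-8")) != digest]


def verify_cert_sf(manifest: str, cert_sf: str) -> bool:
    """True only if the whole-manifest digest and every entry digest match."""
    manifest_digest, _ = parse_cert_sf(cert_sf)
    if manifest_digest != sha1_b64(manifest.encode("utf-8")):
        return False
    return not changed_entries(manifest, cert_sf)
```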
Crack vkyf&efjyifqifjcif;
Android APK zdkifawGudk crack vkyfzdkYtwGuf oifhrSm JDK (Java Development Kit) udk t&if
install vkyfay;xm;zdkY vdkygr,f/ JDK udk atmufygvifhuae download vkyf,lyg/ oifhuGefysLwmay:
rlwnfNyD; 32-bits eJY 64-bits qdkNyD;awmh uGmygvdrfhr,f/
http://www.oracle.com/technetwork/java/javase/downloads/index.html
JDK udk install vkyfNyD;&ifawmh Java udk uGefysLwm&JU b,fae&muaerqdk ac:,ltvkyfvkyfapEdkifzdkY
environment variable awGudk owfrSwfzdkY vdkygvdrfhr,f/ 'gaMumifh My Computer icon ay: right-click
ESdyfNyD; Properties udka&G;yg/ NyD;&if System Properties udka&G;yg/ 'Dtcg nmbufatmufaxmifhrSm
Environment Variables qdkwJh button av;udkjrif&rSmjzpfygw,f/ Environment Variables button
udkESdyfvdkuf&ifawmh yHk(7)twkdif;jrif&ygr,f/

yHk(7)
yH(k 7)u Path qdkwJhae&mudkESdyfNyD; variable wefzdk;udk yHk(8)twdkif; jyifyg/

yHk(8)
Java udkatmifjrifpGm install vkyaf qmifEkdijf cif; &S?d r&Sd ppfaq;csif&if command prompt udkzGifhNyD;
java -version vdkY½dkufxnfhMunfhyg/ oifh&JU Java version [m 1.x.x vdYk jy&ifawmh Java udk BudKufwJh
ae&muae ac:oHk;EdkifygNyD/
Crack vkyfjcif;tusOf;csKyf
1/ zkef;xJwGif install vkyfxm;aom APK zdkifudk ,lyg/ odkYr[kwf Google Playstore? Verizon?
Amazon ponfwdkYrS download vkyf,lyg/
2/ Application udk zGifhNyD; protection ESihfywfoufaom vu©Pmrsm;udk &SmazGyg/ Oyrm - ]Trial
Version}? ]This application is not licensed.}/
3/ Application udk uGefysLwmodkY ul;yg/
4/ Apktool ESifh Baksmali wdkYoHk;NyD; uk'frsm;udk disassemble vkyfyg/ (tjcm; ESpfouf&m tool
rsm;udkvnf; toHk;jyKEkdifygw,f/)
5/ Smali jzifh dump vkyfxm;aomzdkifrsm;udk Sublime Text uJhodkYaom text editor wpfckckwGifzGifhNyD;
protection ESifhywfoufNyD; jyifvdk? ajymif;vdkonfrsm;udk jyKvkyfyg/
6/ uk'frsm;udk reassemble jyKvkyfNyD; APK udk update vkyfyg/ Smali tool u classes.dex
zdkiftopfudkom xkwfay;rSmjzpfNyD; oifhtaejzifh APK xJoYkd classes.dex zdkifudk udk,fwdkifxnfhay;&rSm
jzpfygw,f/
7/ jyKjyifxm;aom APK zdkifudk sign vkyfyg/ 'gudkawmh BudKufwJh tool eJY jyKvkyfEdkifygw,f/ APK
awGtm;vH;k [m private key wpfckudk toHk;jyKNyD; digital enf;eJY sign vkyf&rSmjzpfygw,f/ 'DvdkrS
r[kwf&ifawmh Android u tvkyfvkyfaprSm r[kwfygbl;/ wu,fvdkY sign vkyfxm;NyD;om; APK zdkifudk
jyefjyifcJhr,fqdk&ifawmif xyfNyD;awmh sign jyefvkyf&rSmjzpfygw,f/ 'gaMumifhrdkY crack vkyfxm;wJh (odkY)
jyKjyifxm;wJh APK wpfckudk install vkyfzdkYvdkvmcJh&if t&ifta[mif;udk OD;pGm uninstall vkyfzdkYvdkw,fqdkwmudk
owdjyK&ygr,f/
8. Zipalign the signed APK. Zipaligning shortens the APK's loading time and keeps its RAM use to a minimum. Android Studio zipaligns the APK automatically at build time, but a modified APK has to be zipaligned by hand. Zipalign must be done only after signing.
yxrqHk;tBudrf Crack vkyf&efjyifqifjcif;

yHk(9)
Now that we have studied the steps for cracking Android APKs, let's crack a sample APK to understand them in practice. The file chosen for this is lohan's Crackme0. The tool used for cracking is the URET Android Reverser Toolkit, figure 9. Using this tool speeds up the cracking steps considerably. You can find it on the DVD that comes with the book; the apktool and dex2jar inside it have been replaced with the latest releases.
URET Android Reverser Toolkit &JU vkyfaqmifcsufrsm;udk tenf;i,f &Sif;jyvdkygw,f/ 'D tool
rSm Decompile/Compile? Dex2Jar/Jar2Dex eJY Sign/Zipalign qdNk yD; vkyfaqmifcsuf (3)ckyg0ifygw,f/
Decompile/Compile ydkif;rSm rdrd decompile vkyfcsifwhJ APK zdkif(odkY) JAR zdkifuakd &G;ay;NyD;
Decompile button udkESdyfvdkufwmeJY udk,f decompile vkyfcsifwJh application &JUemrnfeJYwlwJh directory
wpfckudk wnfaqmufvdkufNyD; APK zdkifxJrSm yg0ifwJhzdkifawGudk zGxkwfvdkufrSmjzpfygw,f/ wu,fawmh
Crackme0_by_lohan.apk zdkifudk Crackme0_by_lohan.zip zdi k ftjzpf zdkif extension ajymif;vdkufNyD; ZIP
aqmhzf0JvfwpfckckeJY extract vkyfvdkuf&ifvJ &ygw,f/ (rSwfcsuf/ DEXGuard eJY umuG,x f m;wJh APK
zdkifawGudk 'D tool u decompile rvkyfEkdifygbl;/) yHk(9)u Decompile Classes checkbox eJY Decompile
Resources checkbox wdkYudkra&G;bJ omref decompile vkyfvdkuf&ifawmh yHk(10)twdkif;jrif&ygr,f/

yHk(10)
yHk(10)udk Munfhr,fqdk&if classes.dex zdkifudk awGYrSmyg/ Android application awGudk crack
vkyf&mrSm ta&;BuD;qHk;zdkifjzpfygw,f/ Eclipse rSmyJjzpfjzpf? Android Studio rSmyJjJ zpfjzpf a&;vdkufwhJuk'f
awG[m 'D classes.dex zdkifxJrSmyJ &Sdygw,f/ classes.dex zdkifudk Hex editor wpfckckeJYMunhfr,fqdk&if
yxrqHk;awGY&wJh 8 bytes [m magic number jzpfNyD; check sum eJY SHA-1 signature pwmawGvnf;
yg0ifwmawGY&ygr,f/ Dex header? method ID awG? string ID awGtaMumif;udkawmh DEX protector awGeJY
umuG,fxm;wJh classes.dex zdkifawGudk jyefjznfwJhtcsdefrSmawmh tao;pdwfodxm;&rSmjzpfygw,f/
wu,fvdkY yHk(9)u Decompile classes checkbox udka&G;cJhr,fqdk&if yHk(11)twdkif; classes.dex
zdkifaysmufaewm jrif&rSmjzpfygw,f/ olUtpm; smali qdkwJh folder wpfck wd;k vmwmjrif&ygr,f/

yHk(11)
Note that if you want to patch and modify the code, you must select the Decompile classes checkbox. Only then is classes.dex decompiled/disassembled into .smali files. When you modify the Dalvik code in the .smali files as you wish and compile again, you get a new APK file containing the modified classes.dex.
wu,fvdkY keygen awGa&;r,fqdk&ifawmh 'Denf;u tqifajyrSm r[kwfygbl;/ bmaMumifhvJqdkawmh
Dalvik bytecode awGukd oifhtaeeJY em;vnfEdkifzYkd tcsde, f l&rSm jzpfvdkYyg/ 'DtcgrSm yHk(10)u classes.dex
zdkifudka&G;cs,fNyD; yHk(9)u Dex2jar udkESdyfwJhtcgrSm classes-dex2jar.jar zdkifudk &&SdvmrSmjzpfygw,f/ &vmwJh
zdkifukd ESpfouf&m Java Decompiler awGrSm java uk'ftaeeJY Munfh½IEkdifygw,f/
Crackme0_by_lohan.apk udk oifhzkef; (odkY) emulator wpfckckwGifzGifhNyD; install vkyfyg/ yHk(12)
twdkif; awGY&ygvdrfhr,f/

yHk(12)
Apk u registration code udk ½dkufxnfhcdkif;NyD; rSef? rrSef ppfaq;ygw,f/ uk'frrSefcJh&if "Invalid
serial!" qdkwJh Badboy message udkjyrSmjzpfygw,f/
Crackme0_by_lohan tm; patch vkyfjcif;
Lohan &JU Crackme zdkif tvkyfvkyfyHkudk avhvmNyD;wJhaemufrmS "Invalid serial!" tpm; Goodboy
message ay:atmif BudK;pm;Munhfvkduf&atmif/ URET Android Reverser Toolkit udkzGifhyg/

yHk(13)
yHk(13)rSm Decompile classs checkbox udka&G;NyD; Decompile button udkESdyfvdkufyg/ yHk(14)twdkif;
decompile vkyfxm;wJh smali folder udkawGY&ygvdrfhr,f/

yHk(14)
smali folder udkzGifhMunfhr,fqdk&if yHk(15)twdkif; .smali zdkifawGudk jrif&ygvdrfhr,f/
yHk(15)
yHk(15)u Main.smali zdkif[m Android IDE project zdkiftaeeJY compile rvkyfciftaexm;t&
ajymr,fqdk&if source [src] jzpfwJh Main.java zdkifjzpfNyD; R.smali uawmh IDE u tvdktavsmufxkwfay;wJh
R.java zdkifjzpfygw,f/ R$attr.smali? R.drawable.smali? R$layout.smali pwmawGuawmh R.java
zdkifxJu class awGudk oD;oefYzdkiftaeeJY cGJxkwfxm;wm jzpfygw,f/
Main.smali zdkifxJrSm uRefawmfwdkY &SmaewJh Goodboy message udk &SmawGYEdkifygw,f/ 'gayr,fh
uk'fawG[m Dalvik instruction awGjzpfwJhtwGuf oifhtaeeJY em;vnf&cufEdik fygw,f/ uRefawmfwdkY taeeJY
Dalvik uk'fawGtpm; Java uk'fawGtjzpf jrif&r,fqdk&if crack vkyfzdkY vG,fulrSmaocsmygw,f/ Smali
uk'fawGtpm; Java uk'fawGjrif&zdkY Java decompiler awmfawmfrsm;rsm; &Sdygw,f/ 'D decompiler awGxrJ mS rS
BytecodeViewer 2.9.8 udkawmh tBudKufqHk;yg/ yHk(16)/ bmaMumifhvJqdkawmh olUrSm Procyon? CFR? JD?
FernFlower eJY Krakatau wdkY wpfcgwnf; ygvmNyD;om;jzpfwJhtjyif tcsdKUaom ½dk;&Sif;wJh Java uk'ftcsdKUudk
compile jyefvkyfay;Edkifygw,f/

yHk(16)
yHk(16)uawmh BytecodeViewer eJYMunfhxm;wm jzpfygw,f/ b,fbuftpGefqHk;tuGufrSm
decompile vkyfNyD;om;zdkifawGudk jrif&rSmjzpfygw,f/ tv,futuGufuawmh Main.class zdkifudk Procyon
decompiler eJY decompile vkyfxm;wmjzpfNyD; nmbuftpGeq f ;kH tuGufuawmh Main.class udk Smali
decompiler eJY decompile vkyfxm;wmjzpfygw,f/
Main.class zdkifudk Procyon decompiler eJYjznfMunfhwJhtcg yHk(17)twkdif; jrif&ygr,f/
package com.lohan.crackme0;
import android.app.*;
import java.security.*;
import java.math.*;
import android.telephony.*;
import android.view.*;
import android.content.*;
import android.widget.*;
import android.os.*;

public class Main extends Activity implements View$OnClickListener
{
public static String generateHash(final String s) throws Exception {
final MessageDigest instance = MessageDigest.getInstance("MD5");
instance.update(s.getBytes(), 0, s.length());
return new BigInteger(1, instance.digest()).toString(16);
}

public String getMobileID() throws Exception {
return ((TelephonyManager)this.getSystemService("phone")).getDeviceId();
}

public void onClick(final View view) {
switch (view.getId()) {
default: {}
case 2131034113: {
final EditText editText = (EditText)this.findViewById(2131034114);
if (this.validateSerial(editText.getText().toString()) == 0) {
Toast.makeText((Context)this, (CharSequence)"Invalid serial!", 0).show();
return;
}
Toast.makeText((Context)this, (CharSequence)"Thanks for purchasing!", 0).show();
((Button)this.findViewById(2131034113)).setVisibility(4);
editText.setVisibility(4);
((TextView)this.findViewById(2131034112)).setText((CharSequence)"PRO VERSION!");
}
}
}

public void onCreate(final Bundle bundle) {
super.onCreate(bundle);
this.setContentView(2130903040);
((Button)this.findViewById(2131034113)).setOnClickListener((View$OnClickListener)this);
}

public int validateSerial(final String s) {
try {
if (generateHash(this.getMobileID()).equals(s)) {
return 1;
}
}
catch (Exception ex) {
ex.printStackTrace();
}
return 0;
}
}

yHk(17)
yHk(17)u Onclick() function udkMunhf&if Validate button udkESdyfwJhtcg uRefawmfwdkY½dkufxnfh
vdkufwJh serial udk validateSerial() function u ppfaq;vdkufwJh &v'f[m okneJY nDcJh&if "Invalid Serial!"
pmom;udk jyrSmjzpfygw,f/ rnDcJh&ifawmh "Thanks for purchasing!" pmom;udk jyrSmjzpfygw,f/ 'gaMumihf
'D&v'fukd okneJYrnDatmif jyifay;zdkYvkdtyfygw,f/ 'Dae&mudkjyifzdkYtwGuf yHk(15)u Main.smali udkzGifhyg/
.class public Lcom/lohan/crackme0/Main;
.super Landroid/app/Activity;
.source "Main.java"
# interfaces
.implements Landroid/view/View$OnClickListener;
# direct methods
.method public constructor <init>()V
.locals 0
.prologue
.line 15
invoke-direct {p0}, Landroid/app/Activity;-><init>()V
return-void
.end method
.method public static generateHash(Ljava/lang/String;)Ljava/lang/String;
.locals 4
.param p0, "id" # Ljava/lang/String;
.annotation system Ldalvik/annotation/Throws;
value = {
Ljava/lang/Exception;
}
.end annotation
.prologue
.line 28
const-string v1, "MD5"
invoke-static {v1},Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
move-result-object v0
.line 29
.local v0, "m":Ljava/security/MessageDigest;
invoke-virtual {p0}, Ljava/lang/String;->getBytes()[B
move-result-object v1
const/4 v2, 0x0
invoke-virtual {p0}, Ljava/lang/String;->length()I
move-result v3
invoke-virtual {v0, v1, v2, v3}, Ljava/security/MessageDigest;->update([BII)V
.line 30
new-instance v1, Ljava/math/BigInteger;
const/4 v2, 0x1
invoke-virtual {v0}, Ljava/security/MessageDigest;->digest()[B
move-result-object v3
invoke-direct {v1, v2, v3}, Ljava/math/BigInteger;-><init>(I[B)V
const/16 v2, 0x10
invoke-virtual {v1, v2}, Ljava/math/BigInteger;->toString(I)Ljava/lang/String;
move-result-object v1
return-object v1
.end method
# virtual methods
.method public getMobileID()Ljava/lang/String;
.locals 3
.annotation system Ldalvik/annotation/Throws;
value = {
Ljava/lang/Exception;
}
.end annotation
.prologue
.line 36
const-string v2, "phone"
invoke-virtual {p0, v2}, Lcom/lohan/crackme0/Main;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
move-result-object v1
check-cast v1, Landroid/telephony/TelephonyManager;
.line 38
.local v1, "mTelephonyMgr":Landroid/telephony/TelephonyManager;
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v0
.line 39
.local v0, "imei":Ljava/lang/String;
return-object v0
.end method
.method public onClick(Landroid/view/View;)V
.locals 7
.param p1, "v" # Landroid/view/View;
.prologue
const/4 v6, 0x4
const/4 v5, 0x0
.line 43
invoke-virtual {p1}, Landroid/view/View;->getId()I
move-result v4
packed-switch v4, :pswitch_data_0
.line 62
:goto_0
return-void
.line 46
:pswitch_0
const v4, 0x7f050002
invoke-virtual {p0, v4}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v1
check-cast v1, Landroid/widget/EditText;
.line 47
.local v1, "et":Landroid/widget/EditText;
invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v4
invoke-interface {v4}, Landroid/text/Editable;->toString()Ljava/lang/String;
move-result-object v2
.line 49
.local v2, "serial":Ljava/lang/String;
invoke-virtual {p0, v2}, Lcom/lohan/crackme0/Main;->validateSerial(Ljava/lang/String;)I
move-result v4
if-nez v4, :cond_0
.line 50
const-string v4, "Invalid serial!"
invoke-static {p0, v4, v5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v4
invoke-virtual {v4}, Landroid/widget/Toast;->show()V
goto :goto_0
.line 53
:cond_0
const-string v4, "Thanks for purchasing!"
invoke-static {p0, v4, v5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v4
invoke-virtual {v4}, Landroid/widget/Toast;->show()V
.line 54
const v4, 0x7f050001
invoke-virtual {p0, v4}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/Button;
.line 55
.local v0, "btn":Landroid/widget/Button;
invoke-virtual {v0, v6}, Landroid/widget/Button;->setVisibility(I)V
.line 56
invoke-virtual {v1, v6}, Landroid/widget/EditText;->setVisibility(I)V
.line 57
const/high16 v4, 0x7f050000
invoke-virtual {p0, v4}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v3
check-cast v3, Landroid/widget/TextView;
.line 58
.local v3, "tv":Landroid/widget/TextView;
const-string v4, "PRO VERSION!"
invoke-virtual {v3, v4}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
goto :goto_0
.line 43
nop
:pswitch_data_0
.packed-switch 0x7f050001
:pswitch_0
.end packed-switch
.end method
.method public onCreate(Landroid/os/Bundle;)V
.locals 2
.param p1, "savedInstanceState" # Landroid/os/Bundle;
.prologue
.line 19
invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
.line 20
const/high16 v1, 0x7f030000
invoke-virtual {p0, v1}, Lcom/lohan/crackme0/Main;->setContentView(I)V
.line 22
const v1, 0x7f050001
invoke-virtual {p0, v1}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/Button;
.line 23
.local v0, "button":Landroid/widget/Button;
invoke-virtual {v0, p0}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V
.line 24
return-void
.end method
.method public validateSerial(Ljava/lang/String;)I
.locals 2
.param p1, "serial" # Ljava/lang/String;
.prologue
.line 67
:try_start_0
invoke-virtual {p0}, Lcom/lohan/crackme0/Main;->getMobileID()Ljava/lang/String;
move-result-object v1
invoke-static {v1}, Lcom/lohan/crackme0/Main;->generateHash(Ljava/lang/String;)Ljava/lang/String;
move-result-object v1
invoke-virtual {v1, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
move-result v1
if-eqz v1, :cond_0
.line 68
const/4 v1, 0x1
.line 73
:goto_0
return v1
.line 69
:catch_0
move-exception v1
move-object v0, v1
.line 70
.local v0, "e":Ljava/lang/Exception;
invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V
.line 73
.end local v0 # "e":Ljava/lang/Exception;
:cond_0
const/4 v1, 0x0
goto :goto_0
.end method

Figure (18)
When you open Main.smali from Figure (15), you will see it as in Figure (18). As I said earlier, you will have to spend time reading the smali files to understand what the code means. Look at the area around .line 49 in Figure (18). You will see that it says: if the value of v4 is not zero, go to cond_0. cond_0 is the place where "Thanks for purchasing" is. Unless we type in the correct serial, there is no reason the comparison in the validateSerial() function would succeed. In this lesson we are not going to look for the real serial; we will only patch the code to get the result we want. So, where it says if-nez v4, :cond_0, we will change it to if-eqz v4, :cond_0. In other words, we changed it so that if the value equals zero it goes to the Goodboy message. The change is made in the Main.smali file seen in Figure (15). After editing, press the Compile button from Figure (13). Then, as in Figure (19), you will see our modified Crackme0_by_lohan.apk file appear under the new dist folder.

Figure (19)
Copy the Crackme0_by_lohan.apk file to the phone and try installing it. You will see "There was a problem parsing the package". The reason for this error is that we have not signed and zipaligned the Crackme0_by_lohan.apk file. So select the modified APK file under the dist folder and sign and zipalign it.
Figure (20)
Select the APK file to be signed and press the sign button shown in Figure (20). You will then get the signed file Signed__Crackme0_by_lohan.apk. Copy this file back to the phone and try installing it. The file will work fine. You can leave out zipalign if you want, but for large APK files you should definitely run zipalign so the program performs faster.

Figure (21)
If you type any text into the EditText (TextBox) from Figure (12) and press the Validate button, the "Thanks for purchasing" message is shown and, as seen in Figure (21), the APK becomes the PRO version. Summing up this lesson, you will notice that to turn the APK into the Pro version we changed only one thing: nez to eqz.
Finding the serial from Crackme0_by_lohan
In the previous lesson we studied how to patch the code so that an APK can be used as the full version as quickly as possible. This time, we will study how to compute the correct serial without modifying the code. For this we need BytecodeViewer and Eclipse. BytecodeViewer is for looking at how main.java is written, and the Eclipse IDE is for rebuilding the APK in Java. You can download Eclipse from the link below.
http://download.eclipse.org/eclipse/downloads/
This lesson will not explain how to use Eclipse. Books about Eclipse are easy to download online, and good books written in Burmese are also easy to buy. If you are going to crack Android APKs, you will need to understand a little Java. The Android project written in Eclipse is included on the DVD.
Alright. Look carefully at Figure (17), which was decompiled with BytecodeViewer. Studying the registration process in detail:
1. The APK makes us enter a serial.
2. It reads the DeviceID (IMEI) of the mobile phone the APK is running on.
3. It computes the MD5 hash of the IMEI value.
4. It converts the MD5 hash value into a hexadecimal BigInteger value.
5. It checks whether the serial we entered and the BigInteger value are equal, and if they are not, it shows the "Invalid Serial!" message.
In the Android project we will edit the AndroidManifest.xml file, the MainActivity.java file under the src folder, the activity_main.xml file under res\layout, the activity_main.xml file under res\menu, and the strings.xml file under res\values.
First, edit the AndroidManifest.xml file as in Figure (22) so that we get the permission to read the phone state.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="lohan.crackme"
    android:versionCode="1"
    android:versionName="1.0" >
    <uses-sdk
        android:minSdkVersion="11"
        android:targetSdkVersion="15" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >
        <activity
            android:name=".MainActivity"
            android:label="@string/title_activity_main" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

Figure (22)
Edit the strings.xml file under the res\values folder as in Figure (23).
<resources>
    <string name="app_name">CrackMe</string>
    <string name="hello_world">Hello world!</string>
    <string name="menu_settings">Settings</string>
    <string name="title_activity_main">MainActivity</string>
    <string name="ValidateButton">Generate</string>
    <string name="IMEI">My IMEI: </string>
    <string name="Serial">My Serial: </string>
</resources>

Figure (23)
Edit the activity_main.xml file under the res\layout folder as in Figure (24).
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent" >
    <Button
        android:id="@+id/button1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_alignParentTop="true"
        android:layout_centerHorizontal="true"
        android:layout_marginTop="116dp"
        android:onClick="Generate_Serial"
        android:text="@string/ValidateButton" />
    <EditText
        android:id="@+id/edit_Text1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_below="@+id/button1"
        android:layout_marginTop="54dp"
        android:ems="10"
        android:text="@string/IMEI" />
    <EditText
        android:id="@+id/edit_Text2"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_alignParentLeft="true"
        android:layout_below="@+id/edit_Text1"
        android:ems="10"
        android:text="@string/Serial" >
        <requestFocus />
    </EditText>
</RelativeLayout>

Figure (24)
Edit the activity_main.xml file under the res\menu folder as in Figure (25).
<menu xmlns:android="http://schemas.android.com/apk/res/android">
    <item android:id="@+id/menu_settings"
        android:title="@string/menu_settings"
        android:orderInCategory="100"
        android:showAsAction="never" />
</menu>

Figure (25)
Edit the MainActivity.java file under the src folder as in Figure (26).
package lohan.crackme;

import java.math.BigInteger;
import java.security.MessageDigest;

import android.app.Activity;
import android.os.Bundle;
import android.telephony.TelephonyManager;
import android.view.View;
import android.widget.EditText;
import android.widget.TextView;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    // Called by the Generate button (android:onClick="Generate_Serial" in activity_main.xml)
    public void Generate_Serial(View v) throws Exception {
        // Read the phone's IMEI; this needs READ_PHONE_STATE in AndroidManifest.xml
        String MobileID = ((TelephonyManager) getSystemService("phone")).getDeviceId();

        EditText editText1 = (EditText) findViewById(R.id.edit_Text1);
        editText1.setText("My IMEI: " + MobileID, TextView.BufferType.EDITABLE);

        // Same computation as Main.generateHash() in the crackme:
        // MD5 of the IMEI, printed as a hex string by BigInteger
        MessageDigest localMessageDigest = MessageDigest.getInstance("MD5");
        localMessageDigest.update(MobileID.getBytes(), 0, MobileID.length());
        BigInteger bigInt = new BigInteger(1, localMessageDigest.digest());
        String Actual_Serial = bigInt.toString(16);

        EditText editText2 = (EditText) findViewById(R.id.edit_Text2);
        editText2.setText("My Serial: " + Actual_Serial, TextView.BufferType.EDITABLE);
    }
}
Figure (26)
After editing as in Figure (26), we can build our APK. Copy the built CrackMe.apk file to the phone and install it. When you press the Generate button you will see your phone's IMEI and serial as in Figure (27). Copy the serial and validate it in the original APK, and Crackme0_by_lohan.apk becomes the Pro version.

Figure (27)
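As an added example (not code from the book or from the crackme's author), the serial derivation from the five registration steps above and from Generate_Serial in Figure (26), written in Python, together with the one detail the Java hides: BigInteger.toString(16) drops leading zeros, so a serial taken from a zero-padded MD5 hexdigest is rejected for roughly one device in sixteen. The device ID strings are constructed for the example and are not real IMEIs.

```python
import hashlib

# Constructed, IMEI-like device ID for the example (not a real device value)
SAMPLE_DEVICE_ID = "356789012345678"


def crackme_serial(device_id: str) -> str:
    """Serial exactly as Main.generateHash() / Generate_Serial compute it.

    Java: new BigInteger(1, md5.digest()).toString(16)
    BigInteger prints the magnitude without leading zeros, so the serial is
    shorter than 32 hex characters whenever the digest starts with a 0 nibble.
    int.from_bytes() + format(..., "x") reproduces that behaviour exactly.
    getBytes()/length() agree with encode() here because an IMEI is ASCII digits.
    """
    digest = hashlib.md5(device_id.encode("ascii")).digest()
    return format(int.from_bytes(digest, "big"), "x")


def padded_md5_hex(device_id: str) -> str:
    """The zero-padded hexdigest; NOT what the app compares against."""
    return hashlib.md5(device_id.encode("ascii")).hexdigest()


def validate_serial(device_id: str, serial: str) -> bool:
    """Mirror of Main.validateSerial(): plain string equality (1 = accepted)."""
    return crackme_serial(device_id) == serial


def find_device_id_with_short_serial(start: int = 356789012345000,
                                     tries: int = 200) -> str:
    """Scan constructed IMEI-like strings for one whose MD5 begins with a
    zero nibble (about 1 in 16 does), i.e. whose serial is under 32 chars."""
    for n in range(start, start + tries):
        candidate = str(n)
        if padded_md5_hex(candidate).startswith("0"):
            return candidate
    raise RuntimeError("no short-serial device ID found in range")


if __name__ == "__main__":
    # Everything the check depends on (the IMEI) is readable by the app
    # itself and the hash is unkeyed, so the client can always regenerate
    # the serial; a licence the client cannot forge needs a server-held key.
    dev = find_device_id_with_short_serial()
    print(dev, crackme_serial(dev), padded_md5_hex(dev))
```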
Cracking-related internet websites - 426 -

Cracking-related internet websites
(The links were checked on 20 December 2015.)
(1) Cracking-related websites

(2) Websites distributing cracked versions


(3) Forums distributing cracked versions


(4) Programming websites
(5) Websites distributing cracks, serials and keygens

