... but in Myanmar, those who distribute, sell and use cracked software have not yet come into conflict with the law.)
To become a good cracker, you need to understand the following basic rules:
(1) You will not be able to crack every piece of software. Keep this point in mind. The reason is that you are not a genius, and knowing everything is impossible.
(2) Every piece of software can be cracked. Sooner or later, every piece of software becomes crackable. As an example, when ASProtect 1.3 first appeared, people thought it could not be cracked. A year or two later, even newcomer hobbyists were cracking it with ease. (The Word to PDF Converter 3.0 software is protected with ASProtect 1.3.)
(3) Share your experience and knowledge. If you discover a special trick, tell others about it. Write tutorials, articles and crackmes. Do as much as you can to help the next generation of crackers.
(4) Read plenty of cracking tutorials. As rule (1) says, we are not the best, and we do not have time to study everything. So other people know things we do not, and we probably know things they do not. For that reason, keep reading tutorials continuously.
(5) Study code. If you know how a complex program works and how it was written, cracking it becomes easier.
(6) Do not lean too heavily on the tools most people use. It is better if you can switch between tools; that way the programmers who write shareware cannot gang up on your tool. Find a tool and study it. Master it. Become a tool yourself.
(7) Get in touch with cracking groups. Join one, even as a temporary member. They will help you, and you may well be able to help others. In the end you will come to know the protections you are studying well.
(8) Always stay current. This point is very important. You have to use the latest tools and study the latest developments. Add shareware authors to your e-mail contacts and stay in touch with them. Study their techniques. Try to become almost one of them.
(9) Research on your own. Work out new findings and tricks by yourself. Try to solve things yourself without reading books and papers. When you find something new, do not forget to teach it to others. Learning by yourself is the best way.
(10) Do not abuse the programs of software authors. They have worked hard to create their software and make it succeed. Do not abuse or steal cracks, keygens or serials written by others. If you do, the cracking groups will shun you, and the team you belong to will lose face as well.
(11) Write lots of code. Read a lot. Crack a lot. Write lots of tutorials. You will become a good cracker.
Chapter (1) - What a cracker should know - 14 -
... are the .exe, .dll, .ocx, .sys, .cpl and .scr files. If you are going to crack, you need to know these files in depth.
For newcomer crackers, the interesting cracking topics are protected shareware. Advanced crackers, on the other hand, are interested in packing and unpacking PE files, adding or modifying functions in those files, recovering (removed) deleted code, and writing cracking tools. That is why newcomer crackers mostly concentrate on removing the nags that come with shareware and finding serials, and register the software that way. Studying where and how it is protected, and being able to use the registered (cracked) version, is the greatest success for them. Either way, before cracking, every cracker has to use at least one tool to be able to crack the protected software (program). That tool is called a debugger, a decompiler or a disassembler.
The main purpose of using a debugger is to pause a running program at any place you choose and be able to modify the code there. When a program is debugged, an enormous amount of code comes out, and we do not have time to study every line of it. That is why a debugger is used: to be able to stop at the places we need, the places we have chosen. The most widely used debuggers/disassemblers are Olly, IDA Pro and W32dasm. Olly is free software and has a large user base, so most of the lessons written by advanced crackers use Olly in their examples.
When you are about to try cracking a program, the first thing to do is find out which language it was written in. For this you need tools such as PEiD or CFF Explorer. Use these tools to find out first which language the software you want to crack was written in. If the software was written in Visual Basic, it is more appropriate to use VB Decompiler instead of Olly. Likewise, if it was written in .NET, .NET Reflector is more suitable and easier. The remaining programming languages can be debugged with Olly. (If the program has been packed, you have to unpack it first and only then crack it.)
If you ask how to crack, the only answer is that there are many ways. Finding the best solution for each different problem is up to the cracker.
To become an outstanding cracker, you have to spend a lot of time on the Internet. Download new tools and new tutorials from the Internet. Join a good number of forums, discuss, and ask questions. Try cracking new and unusual software. Read the tutorials others have written until you understand them. Study files that have already been cracked. You will have to write tutorials yourself ....
Chapter (2) - Basic C language - 17 -
Figure (1)
If you run the code in Figure (1), you will see what is shown in Figure (2). This little program does not really do anything much; it just shows the text "Welcome to Cracking World" on the computer screen. Good, now let's look in detail at how the program works.
Figure (2)
1 1 1 1 1 1 1 1
Each small cell in the table represents 1 bit, and it can hold only one of two values, 1 or 0. Because it represents the binary system, the largest number of values it can hold is 256, from 0 to 255. 11111111 = 2^8 = 256 {0 to 255} (the value zero is counted as well.)
... are as follows:
signed int variable_name;          // 2 bytes, -32,768 to 32,767
unsigned int variable_name;        // 2 bytes, 0 to 65,535
short int variable_name;           // 2 bytes, -32,768 to 32,767
long int variable_name;            // 4 bytes, -2,147,483,648 to 2,147,483,647
unsigned long int variable_name;   // 4 bytes, 0 to 4,294,967,295
You can also declare without adding signed and short. If you declare only int variable_name;, the compiler understands it as signed short int variable_name;. There is a reason why signed/unsigned and short/long are declared in C programming. This problem was met back in the DOS era. At that time the amount of RAM was not 1GB or 4GB as it is today; it was only about 64KB or 128KB. DOS's limitation also did not allow C programs larger than 1MB. So programmers had to plan as best they could to make their programs take up as little of the computer's memory as possible. That is also why, when it was not needed, they used short instead of long, to save as much memory as they could. In other words, if the result your program computes will only lie somewhere between 40000 and 50000, how do you think you should declare that variable: unsigned int variable_name; or long int variable_name;? For a single variable this question does not matter much, but when the variables come in the tens of thousands it needs thought. What about int variable_name [200] [100];? Which would you choose? It becomes important when handling 20000 variables. Declared as long int, it will take 200 x 100 = 20000 x 4 bytes = 80KB of the computer's memory. Suppose your RAM is only 64KB. This program will stack overflow and will not work. (Note: today there is no longer any need to worry about how much computer memory is used.)
float is used for handling decimal numbers and takes 4 bytes of memory. double is also used for handling decimal numbers and takes 8 bytes of memory. It is mostly used in scientific calculations that need accuracy beyond 15 decimal places. long double is the same as double, but takes 10 bytes of memory.
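The choice the text poses, whether a result in the 40000..50000 range belongs in a 16-bit signed or unsigned variable, can be checked explicitly rather than by eye. The following is an added example (not code from the book) using the fixed-width types from <stdint.h>, because today's compilers make int 4 bytes rather than the 2 bytes of the DOS-era compilers described above; the function names are this example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* 1 if value fits the DOS-era "short int" range (-32,768 .. 32,767) */
int fits_int16(long value) {
    return value >= INT16_MIN && value <= INT16_MAX;
}

/* 1 if value fits the DOS-era "unsigned int" range (0 .. 65,535) */
int fits_uint16(long value) {
    return value >= 0 && value <= UINT16_MAX;
}

/* What a plain assignment into a 16-bit unsigned variable would store:
   the value modulo 65,536. The compiler does not warn when it wraps. */
unsigned stored_as_uint16(long value) {
    uint16_t v = (uint16_t)value;   /* conversion to unsigned is defined as modular */
    return v;
}

/* Memory taken by a rows x cols array of elem_size-byte elements,
   the text's 200 x 100 x 4 = 80,000 bytes case */
unsigned long array_bytes(unsigned rows, unsigned cols, unsigned elem_size) {
    return (unsigned long)rows * cols * elem_size;
}

int main(void) {
    long samples[] = {45000L, 70000L, -3L};   /* constructed sample results */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = samples[i];
        printf("%6ld: int16 %s, uint16 %s, stored as uint16 -> %u\n", v,
               fits_int16(v) ? "ok" : "NO", fits_uint16(v) ? "ok" : "NO",
               stored_as_uint16(v));
    }
    printf("long int [200][100] needs %lu bytes\n", array_bytes(200, 100, 4));
    return 0;
}
```

The point to take away is the last column: a value that does not fit is not rejected, it is silently truncated, which is why range checks belong before any narrowing assignment.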
(4) Identifier
The names you give to variables, chosen as you like, are called identifiers. When naming identifiers, the following rules must be followed.
(1) The first character of an identifier must be a letter (A-Z, a-z) or an underscore.
(2) No special characters other than the underscore (_) may be used.
(3) The length of an identifier must not exceed 255 characters.
(1)
if(condition) statement;
(2)
if(condition) statement;
else statement;
(3)
if(condition1) statement;
else if(condition2) statement;
…
else statement;
(4)
if(condition1) statement;
if(condition2) statement;
…
Figure (5)
If you run the code in Figure (5), you will see what is shown in Figure (6).
Figure (6)
This program checks whether the number you type on the keyboard is positive, negative or zero. Figure (6). It is a very simple program written with the if statement. What is new here is the scanf() function. If you want to know this function in detail, place the mouse cursor on scanf and press Ctrl+F1. Help on how to use it will appear. Figure (7). You can press Ctrl+F1 on other functions too to see their details.
Figure (7)
The scanf() function is used to read the numbers or text typed on the keyboard. In this sample program, what we read is a single integer (%d). Do not forget the address sign (&) in front of number_check.
If you want to know about functions, read Help a lot. Study the examples that come with Help. Run the examples.
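The sign check above is built on scanf("%d", &number_check), whose return value the program never inspects; if the user types letters, the variable keeps whatever was in it. The following added example (not code from the book) reads the line with fgets and parses it, so bad input is reported instead of being silently accepted. The function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* 1 for positive, -1 for negative, 0 for zero: the check the Figure (5) program makes */
int classify_sign(long n) {
    return (n > 0) - (n < 0);
}

/* Parse one line as a decimal integer. Returns 1 and stores the value in *out,
   or returns 0 (leaving *out untouched) when the line has no digits, has
   something other than whitespace after the number, or does not fit in a long. */
int parse_int_line(const char *line, long *out) {
    char *end;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return 0;                                   /* no digits, or out of range */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;                                      /* skip trailing whitespace */
    if (*end != '\0')
        return 0;                                   /* trailing junk such as "12abc" */
    *out = v;
    return 1;
}

/* The parsed value, or fallback when the line is not a whole number */
long parse_int_or(const char *line, long fallback) {
    long v;
    return parse_int_line(line, &v) ? v : fallback;
}

int main(void) {
    char line[64];
    long n;
    printf("Enter a number: ");
    if (fgets(line, sizeof line, stdin) == NULL || !parse_int_line(line, &n)) {
        printf("That is not a whole number.\n");
        return 1;
    }
    switch (classify_sign(n)) {
    case 1:  printf("positive\n"); break;
    case -1: printf("negative\n"); break;
    default: printf("zero\n");     break;
    }
    return 0;
}
```

Reading a whole line first also means a long or malformed entry cannot leave unread characters in the input stream for the next scanf call to trip over.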
(9) switch statement
Another construct similar in concept to the if statement is the switch statement. The form in which it is used is this ...
switch(expression){
    case constant_expression1: statement;   /* without a break; execution falls through into the next case */
    case constant_expression2: statement;
    default: statement;
}
This program is a sample program showing how the switch statement is used. Try it out yourself to see how it works. What I want to explain here is the exit() function. The meaning of exit() is "exit functions". That is, it exits from the nearest function
The for loop works like this: first it initializes expression1. Then it checks whether the condition is true or false. If it is true, it goes to the statement. Then it performs expression2. After expression2 has been performed, it comes back round to expression1's position. Then it checks the condition again, true or false. As long as the condition is true, the statement is executed, and only when it becomes false does the loop end.
(13) Sixth C program
#include<stdio.h>
#include<conio.h>
int main()
{ /* Copyright © Myo Myint Htike, 2009 */
    int x, y, z; /* Declare 3 unknown variables */
    for(x=0; x<10; x++) // for(1; 2; 14) After 14, then go to 1
        for(y=0; y<10; y++) // for(3; 4; 12) 3=13
            for(z=0; z<10; z++) // for(5; 6; 10) 5=11
                if(2*x+3*y-4*z == -3) // if 7 = true then do 8, else go to 10
                    if(4*x-2*y+z == 6) // if 8 = true then do 9
                        if(x-3*y-2*z == -15) // if 9 = true then print x, y, z
                            printf(" x= %d\n y= %d\n z= %d",x,y,z);
    getch();
    return 0;
}
Figure (8)
Figure (8) is a problem of finding three unknowns. We have to find x, y and z. It is solved with for loops. If you look at this program carefully, you will see that it finds the three unknowns without using any mathematical equation-solving at all. This technique is quite useful for guessing passwords when cracking. Let's look at how the program works.
(1) First, we declare the three unknowns we want to find as integers. (Note: the answers to unknown-variable problems will not always be integers. If you cannot find them as integers, declare them as float.)
(2) The for loops begin. Look carefully until you understand how the for loop works. First, the value of x is set to zero. Then it checks whether x is less than 10 or not. If it is, it goes down to the next line. The value of y is set to zero. Then it checks whether y is less than 10 or not. If it is, it goes down to the next line. The value of z is set to zero. Then it checks whether z is less than 10 or not. If it is, it goes down to the next line. This time (x=0, y=0, z=0) is substituted into 2x+3y-4z and checked for equality with -3. If it is equal, it goes down to the next line. If not, the value of z is increased by one. So z goes from z=0 to z=1. It checks again whether z is less than 10. If it is, it goes down to the next line. This time (x=0, y=0, z=1) is substituted into 2x+3y-4z and checked again against -3. If it is equal, it goes down to the next line. If not, the value of z is increased by one. In this way the values of x, y and z are increased one at a time and checked against the right-hand values of the three equations. The number of checks is somewhere between one and a thousand. If they are equal, the printf() function prints the values of x, y and z as the answer.
(3) x++ is the same as x = x+1; (See under the Operator heading.)
(14) Operator
Operators can be grouped by kind as follows.
(a) Arithmetic operator
(b) Unary operator
(c) Relational operator
(d) Assignment operator
(e) Logical operator
(f) Conditional operator
(g) Bitwise operator
(a) Arithmetic operator
The arithmetic operators are as follows:
x *= 10;   // x = x * 10;
x /= 10;   // x = x / 10;
x <<= 3;   // x = x << 3;
x ^= 30;   // x = x ^ 30;
(e) Logical operator
The logical operators are as follows:
&& (AND) acts when both conditions are true.
|| (OR) acts when either one of the two conditions is true.
! (NOT) acts when the condition is false.
They are used as follows:
int x=0;
scanf("%d",&x);
if( x>0 && x<40) printf ("Fail");
if( x>75 || x == 75) printf ("Credit");
if(!x) printf("The value of x is zero.");
(f) Conditional operator
The form of the conditional operator is as follows:
logical-OR-expression ? expression : conditional-expression
It is used as follows:
z = (a > b) ? a: b; /* z = max (a,b) */
This small example, which takes the larger of a and b, rewritten another way ...
if (a>b) z = a;
else z = b;
Here, whichever way it goes, the value of z is the larger one.
(g) Bitwise operator
The bitwise operators are as follows:
& (Bitwise AND)
| (Bitwise inclusive OR)
^ (Bitwise exclusive OR)(XOR)
~ (Bitwise complement) (NOT)
>> (Bitwise shift right)
<< (Bitwise shift left)
They are used as follows:
                 AND      OR       XOR      NOT
Source Bit       0 0 1 1  0 0 1 1  0 0 1 1  0 1
Destination Bit  0 1 0 1  0 1 0 1  0 1 0 1  X X
Result           0 0 0 1  0 1 1 1  0 1 1 0  1 0
>> corresponds to the SHR instruction of assembly language, and << corresponds to the SHL instruction. SHL and SHR shift the bits of a register or memory location to the left or right by the specified number of bit positions. Look at the example:
int x = 0xBEEF; // x = 1011111011101111 (binary)
x = x >> 4; // x = 0000101111101110
printf("x = %X", x); // x = BEE
To understand better, look at the next example.
int x = 0xDEAD; // x = 1101111010101101 (bin)
x = (x >> 5) & ~ (~0 << 3); // keep the 3 bits that start at bit 5
printf("x = %X", x); // x = 5 (101)
If you run this code you get the answer 5. Work out for yourself how that comes about. You can use the calculator (calc.exe) to convert hexadecimal to binary and binary to hexadecimal.
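The expression (x >> 5) & ~(~0 << 3) is one instance of a general operation, "take width bits starting at bit shift". The following added example (not code from the book) writes that operation as a function and uses it to reproduce both results above. It works in unsigned arithmetic on purpose: right-shifting a negative int is implementation-defined in C, and ~0 << 3 left-shifts a negative value, which is undefined. The function names are this example's own.

```c
#include <stdio.h>

/* Extract `width` bits of `value` starting at bit `shift` (bit 0 = least significant) */
unsigned extract_bits(unsigned value, unsigned shift, unsigned width) {
    unsigned mask;
    if (width == 0 || shift >= 32)
        return 0;                      /* nothing to take, or shifting past the word */
    if (width >= 32 - shift)
        return value >> shift;         /* everything from bit `shift` upward */
    mask = ~(~0u << width);            /* width low bits set, e.g. width 3 -> 0b111 */
    return (value >> shift) & mask;
}

/* Write the low `bits` bits of value as a binary string, most significant bit
   first; out needs bits+1 bytes. Handy for checking against calc.exe. */
void to_binary(unsigned value, unsigned bits, char *out) {
    unsigned i;
    for (i = 0; i < bits; i++)
        out[i] = ((value >> (bits - 1 - i)) & 1u) ? '1' : '0';
    out[bits] = '\0';
}

int main(void) {
    char buf[33];
    to_binary(0xDEADu, 16, buf);
    printf("0xDEAD = %s\n", buf);                                        /* 1101111010101101 */
    printf("(0xDEAD >> 5) & 0b111 = %u\n", extract_bits(0xDEADu, 5, 3)); /* 5 */
    printf("0xBEEF >> 4 = %X\n", extract_bits(0xBEEFu, 4, 12));          /* BEE */
    return 0;
}
```

The guard on width and shift matters: shifting a 32-bit value by 32 or more is undefined in C, so a mask-building helper that trusts its arguments is a latent bug when the bit positions come from a file header or network field.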
(15) Function
A function is something that gathers operations together. The elements a function must have are a return type, a function name, a parameter list and the function body in which the code is written. Functions can be divided into two kinds: those that come with the compiler and those you create yourself. The functions that come with the compiler are functions such as printf() and scanf(). To use them, the header files have to be declared. Built-in functions will not be explained here.
(16) Seventh C program
#include<stdio.h>
#include<conio.h>
int power (int m, int n);
int main()
{
    int i;
    for (i=0; i<10; ++i)
        printf("%d %d %d\n", i, power(2,i), power(-3,i));
    getch();
    return 0;
}
int power (int base, int n)
{
    int i, p;
    p = 1;
    for (i = 1; i <= n; ++i)
        p = p * base;
    return p;
}
Figure (9)
This program finds ten power values of 2 and of -3 (2^0, 2^1, 2^2, 2^3, 2^4, ...).
1/ int power (int m, int n); declares that we are going to use a function we created ourselves. Because it is declared like this, the power() function can be called from anywhere we like, whether inside the main() function or outside it. The reason power() can be called from anywhere is its scope. In fact, writing int power (int m, int n); outside the main() function is the same as writing extern int power (int m, int n);. Here extern is a keyword, and it is also called a storage class.
2/ There are 4 storage classes: auto, extern, static and register. Every data type declared plainly inside a function as int, float or char, with nothing else written, is auto. Every data type declared plainly outside the functions as int, float or char, with nothing else written, is extern. static and register are rarely used, so I will not explain them. If a function has no value to send back as a return, it must be declared void.
(17) Array
An array is a single variable that gathers together values of the same data type. If you want to gather together different data types, you have to use the struct keyword. A one-dimensional array is declared as follows.
int myanmar[60];
int myanmar[60]; declares storage for the Myanmar-language marks of sixty students. If it were not declared as an array, we would have to declare int myanmar1, myanmar2, myanmar3; and so on. The program would then become long and complicated. For more clarity, let's look at one more.
int exam_result [60] [6];
This form declares storage for the results of six subjects for sixty students. It is a two-dimensional array. What I want to explain here is that exam_result is the name of the array, and 60 and 6 are the array elements. An array element is sometimes also called an array index. Array elements always start at 0, and the last one is size-1.
Remember that under the "Data type" heading I explained that if char is declared as an array it becomes a string instead of a character. Let's look at that again.
char my_string [11] = "I Love You."; /* 11 characters: the literal's closing '\0' does not fit in this array */
int i;
for(i=0; i<11; i++)
    printf("%c", my_string[i]);
If you run this code you will see the text 'I Love You.'. If you change for(i=0; i<11; i++) to for(i=1; i<12; i++), the output will be ' Love You. '. You will also find a space after the full stop (.). That is because an array always ends with a null terminator (\0). If you change the 12 to 19, random characters will come out.
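The "random characters" that appear when the loop bound is raised to 19 are bytes read from past the end of my_string, and with an 11-element array even index 11 is already outside it, because the literal's terminating '\0' has no room. The following added example (not code from the book) shows how to measure and print such an array without ever scanning past its end; the array names and functions are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* the book's declaration: 11 bytes, so the terminator is dropped */
const char TIGHT[11] = "I Love You.";
/* one byte larger: the terminator is stored */
const char ROOMY[12] = "I Love You.";

/* Length of s, never looking past cap bytes. Returns cap when no terminator
   is found within cap bytes (the idea behind strnlen, written out). */
size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* 1 if a '\0' exists inside the first cap bytes, i.e. s is a usable C string */
int is_terminated(const char *s, size_t cap) {
    return bounded_len(s, cap) < cap;
}

/* Print at most cap characters of s, stopping early at a terminator.
   This is how TIGHT can be printed without reading beyond it. */
void print_bounded(const char *s, size_t cap) {
    size_t i, n = bounded_len(s, cap);
    for (i = 0; i < n; i++)
        putchar(s[i]);
    putchar('\n');
}

int main(void) {
    printf("TIGHT terminated: %d\n", is_terminated(TIGHT, sizeof TIGHT));   /* 0 */
    printf("ROOMY terminated: %d\n", is_terminated(ROOMY, sizeof ROOMY));   /* 1 */
    print_bounded(TIGHT, sizeof TIGHT);   /* safe: stops after 11 characters */
    printf("%s\n", ROOMY);                /* safe only because ROOMY holds a '\0' */
    return 0;
}
```

printf("%s", TIGHT) would be the same over-read as the 19-iteration loop: %s keeps going until it finds a zero byte somewhere beyond the array.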
(18) Pointer
A pointer is a variable that holds the address of another variable. Pointers are used a great deal in the C language. Pointers and arrays are also closely related. To make it clearer, let's look at an example.
int x = 1, y = 2, z[10]; // MOV DWORD PTR SS:[EBP-4], 1 (assume EBP is 12FF8C)
int *ip; // declare ip as a pointer
ip = &x; // LEA EAX, DWORD PTR SS:[EBP-4]
(ip now points to the (load effective) address at which the value of x is stored: 12FF88.)
y = *ip; // MOV EDX, DWORD PTR DS:[EAX] (the value of y becomes 1)
*ip = 0; // MOV DWORD PTR DS:[EAX], 0 (the value at ip becomes 0)
ip = &z[0]; // LEA EAX, DWORD PTR SS:[EBP-2C]
(ip now points to the (load effective) address at which the value of z[0] is stored: 12FF60.)
printf("%d %d %X %X", x, y, *ip, ip); // PUSH DWORD PTR SS:[EBP-4], PUSH EDX, PUSH DWORD PTR DS:[EAX], PUSH EAX (so the output is 0 1 0 12FF60)
The unary operator & gives the address of an object. The & operator can only point to variables and array elements in memory. It cannot point to expressions, constants or register variables.
The unary operator (*) is called the indirection or dereferencing operator. Applied to a pointer, it fetches the object the pointer points to.
(19) Eighth C program
#include<stdio.h>
#include<conio.h>
#include<string.h>
/* Renamed from the book's strlen/strcmp: defining functions with the C library's own names is undefined behaviour */
int my_strlen(char *string);
int my_strcmp(char *string1, char *string2);
int main()
{
    char get_string[100]; int length;
    char *comp_str = "My Love";
    /* fgets instead of gets(): gets() has no length limit and overflows get_string on long input */
    if (fgets(get_string, sizeof get_string, stdin) == NULL) get_string[0] = '\0';
    get_string[strcspn(get_string, "\n")] = '\0'; /* drop the newline fgets keeps */
    length = my_strlen(get_string);
    printf("String Length = %d", length);
    if( (my_strcmp(get_string, comp_str)) !=0)
        printf("\n\"%s\" and \"%s\" are not equal.", get_string, comp_str);
    getch(); return 0;
}
/* my_strlen: return length of string s */
int my_strlen(char *s)
{
    int n;
    for (n = 0; *s != '\0'; s++)
        n++;
    return n;
}
// my_strcmp: return <0 if s<t, 0 if s==t, >0 if s>t
int my_strcmp(char *s, char *t)
{
    for ( ; *s == *t; s++, t++)
        if (*s == '\0') // reached the end of both strings together: equal
            return 0;
    return *s - *t;
}
Figure (10)
strcat(str1,str2) appends str2 to str1. The result is stored in str1.
#include<stdio.h>
#include<conio.h>
#include<string.h>
void Password();
int main()
{
    Password();
    getch();
    return 0;
}
void Password(void)
{ /* Copyright © Myo Myint Htike, 2009 */
    char password[80];
    printf("\nEnter Password:");
    /* fgets instead of gets(): gets() has no length limit and overflows password[] on long input */
    if (fgets(password, sizeof password, stdin) == NULL) password[0] = '\0';
    password[strcspn(password, "\n")] = '\0'; /* drop the newline fgets keeps */
    if(strcmpi(password,"PASSWORD")==0) /* strcmpi: Borland's case-insensitive compare */
        printf("\nYou really did it. Congratulations!");
    else{ printf("\nTry again!\n"); Password(); } /* a wrong answer calls Password() again */
}
Figure (11)
Figure (12)
0043B390 MOV DWORD PTR FS:[EAX],ESP
0043B393 XOR EBX,EBX
0043B395 XOR ESI,ESI
0043B397 MOV [LOCAL.2],10
0043B39E LEA EDX,[LOCAL.4]
0043B3A1 MOV EAX,[LOCAL.1]
0043B3A4 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3AF MOV EAX,[LOCAL.4]
0043B3B7 TEST EAX,EAX
0043B3B9 JLE SHORT Cracker_.0043B3F5
0043B3BB MOV [LOCAL.3],EAX
0043B3BE MOV EDI,1
0043B3C3 LEA EDX,[LOCAL.4]
0043B3C6 MOV EAX,[LOCAL.1]
0043B3C9 MOV EAX,DWORD PTR DS:[EAX+294]
0043B3D4 MOV EAX,[LOCAL.4]
0043B3D7 MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
0043B3DC LEA EDX,DWORD PTR DS:[EDI+ESI]
Figure (13)
The task set is as shown in Figure (12): it asks you to guess a word. The Cracker test program is a program written to test crackers' abilities, and it has 8 levels (very very easy, very easy, easy, not entirely easy, somewhat harder, hard, very hard, very very hard). The level you are looking at is level (3) (easy level). When this program is examined with the Olly debugger, the code seen is as in Figure (13). Solving the code seen in Figure (13) by hand or with a calculator is absolutely (absolutely) impossible, however good you may be. So I tried to solve it by writing a program. Written in C, it looks as shown in Figure (14).
#include <conio.h> // Compiled by Borland C++.
#include <stdio.h> // Coded by Myo Myint Htike.
#include <string.h> // Date - 2009 March 13
#include <stdlib.h>
#include <math.h>
int main()
{
FILE *fileread = fopen("english.dic","a+");
char password[50];
int EDI, i, j, EDX=0, EAX=0, ESI=0, EBX=0;
while(!feof(fileread)){
int character_count=0;
div_t div_result;
fscanf(fileread,"%s",password);
printf("%s\n",password);
character_count = strlen(password);
EDX=0;
ESI=0;
EDI=0;
EBX=0;
EDX=1;
for(i=0;i<16;i++){ // for loop 1
EDI=1;
for(j=0; j<character_count; j++){
EAX = password[j];
EDX = ESI+EDI;
EAX = EAX + EDX;
ESI = EAX;
EBX = EBX + EBX;
EBX = EBX ^ ESI;
EAX = ESI;
div_result = div( EAX, EDI );
EDX = div_result.rem ;
EDX++;
EBX= EBX +EDX;
EDI++;
} // end of for loop 2
} // end of for loop 1
if(ESI== 0x3810 && EBX == 0x402A4FE7){
printf("Word is = %s\n", password); // Ans: firmware
getch();
} // end of if statement
} // end of while loop
fclose(fileread);
getch();
return 0;
}
Figure (14)
Go through the source code in Figure (14) line by line until you understand how it works. If you understand exactly how this program works, believe that you have understood everything I have explained about the C language. If you do not understand it yet, read the lesson again.
1/ The <stdlib.h> header file is declared for div_t.
2/ FILE *fileread = fopen("english.dic","a+"); says that we are going to read the file english.dic. That is, the password (word) we are looking for is in this english.dic file. Dictionary (.dic) files are the files crackers use when checking passwords against a word list.
Chapter (3) - Basic Assembly language - 42 -
EAX  EA 78 23 BB
AX         23 BB
AH         23
AL            BB
AX, AH and AL are parts of EAX. EAX is a 32-bit register. (It can only be used on 80386 and later processors.) AX holds the lower 16 bits of EAX, AH holds the upper byte of AX, and AL holds the lower byte of AX. So AX is 16-bit, while AL and AH are 8-bit. The example below shows the values of the registers.
eax = EA7823BB (32-bit)
ax = 23BB (16-bit)
ah = 23 (8-bit)
al = BB (8-bit)
Registers are used as follows:
low-level language        high-level language
mov eax, 12345678h        EAX = 12345678h (305419896)
mov cl, ah                CL = 56h (86)
sub cl, 10                CL = CL - 10
mov al, cl                AL = CL
Let's examine the code above a little. The MOV instruction can move a value from a register, a memory location or an immediate value into another register. Next, the value of AH (the fourth from the left of EAX) is copied into CL (the lowest part of the ECX register). Then 10 is subtracted from CL, and the result is put back into AL (the lowest part of EAX).
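The four-instruction sequence above only makes sense once the overlap of EAX, AX, AH and AL is clear: one 32-bit value is the register, and the narrower names are views of its low bytes, so writing AL or CL changes only those 8 bits. The following added example (not code from the book) models that overlap with masks and shifts and runs the book's sequence; the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

uint16_t get_ax(uint32_t eax) { return (uint16_t)(eax & 0xFFFFu); }      /* low 16 bits     */
uint8_t  get_ah(uint32_t eax) { return (uint8_t)((eax >> 8) & 0xFFu); }  /* high byte of AX */
uint8_t  get_al(uint32_t eax) { return (uint8_t)(eax & 0xFFu); }         /* low byte of AX  */

/* Store v into the low byte (AL, CL, ...) leaving the upper 24 bits as they were */
uint32_t set_low_byte(uint32_t reg, uint8_t v) {
    return (reg & 0xFFFFFF00u) | v;
}

/* The book's sequence, returning the final EAX:
     mov eax, 12345678h
     mov cl, ah
     sub cl, 10
     mov al, cl                                                    */
uint32_t run_sequence(void) {
    uint32_t eax = 0x12345678u;
    uint32_t ecx = 0x00000000u;
    ecx = set_low_byte(ecx, get_ah(eax));                    /* CL = 56h (86) */
    ecx = set_low_byte(ecx, (uint8_t)(get_al(ecx) - 10));    /* CL = 4Ch (76) */
    eax = set_low_byte(eax, get_al(ecx));                    /* AL = 4Ch      */
    return eax;                                              /* 1234564Ch     */
}

int main(void) {
    uint32_t eax = 0xEA7823BBu;   /* the register value from the table above */
    printf("eax = %08X  ax = %04X  ah = %02X  al = %02X\n",
           eax, get_ax(eax), get_ah(eax), get_al(eax));
    printf("after the sequence: eax = %08X\n", run_sequence());
    return 0;
}
```

Note that the subtraction is done on a uint8_t, so it wraps at 8 bits exactly as sub cl, 10 does in the processor; the upper bytes of ECX never see it.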
There are many kinds of register.
(3.2.1) General-purpose registers
EAX (Accumulator) used for arithmetic and for holding strings.
EBX (Base) used in connection with the stack.
ECX (Counter) used for counting.
EDX (Data) mostly holds the remainder of a division.
Although they have their various names, they can be used however you like.
(3.2.2) Segment registers
Segment registers are so called because they are used for segments of memory. You will not need to know about these on Windows, because Windows has a flat memory model. On DOS, memory is divided into 64KB segments, so if you want to specify a memory address you have to give a segment and an offset, like this: (0172:0500 (segment:offset)). On Windows a segment is as large as 4GB, which is why segments are not needed on Windows. Segment registers are always 16-bit registers.
CS (Code segment) the area of memory holding the code
DS (Data Segment) the area of memory holding the data
ES (Extra Segment) mostly used for video matters
SS (Stack Segment) the register used to hold the addresses passed by routines
FS (286+) general-purpose segment
GS (386+) general-purpose segment
That means the segment is 0030 and the offset is 4012. If you want to know what is at that address, first go to segment 30, then find offset 4012 within that segment. Back under heading (3) we studied the segment and pointer registers.
The segment register types are:
CS (Code segment)
DS (Data Segment)
ES (Extra Segment)
SS (Stack Segment)
FS (286+)
GS (386+)
The names they are given describe their respective jobs. CS holds the code currently being executed. DS is for fetching the data of the current segment. The stack refers to SS. ES, FS and GS are general-purpose registers and can be used for any segment. Pointer registers usually hold an offset, but the general-purpose registers AX, BX, CX and DX can be used for this as well. IP points to the offset (within CS) of the instruction currently being executed.
The figure below shows the registers at work as seen in the Olly debugger while cracking.
(5) Opcodes
Opcodes are the instructions for the processor. Opcodes are really the "readable text" form of raw hexadecimal code. That is why assembler is the lowest level among programming languages, and anything written in assembler is converted directly into hexadecimal code.
In this chapter we discuss some of the arithmetic and bitwise opcodes. Other opcodes, such as the jump instructions and the compare opcodes, are discussed in a later chapter.
(5.1) Basic arithmetic opcodes
MOV
This instruction is used to move (copy) a value from one place to another. The "place" in this expression can be a register, a memory location or an immediate value (a literal value). The form of the mov instruction is:
mov destination, source;
You can move a value from one register to another. (Note: despite its name "move", the instruction actually copies the value to the other place.)
mov edx, ecx;
The instruction shown above copies the contents of ECX into EDX. The sizes of the source and the destination must be the same. The instruction below is not valid.
mov al, ecx; // wrong form
This opcode is trying to put a DWORD (32-bit) sized value into a register only a byte (8-bit) in size. The mov instruction cannot do that. (Other instructions can.) The instructions below, however, may be used with mov, because the source and destination do not differ in size.
mov al, bl;
mov cl, dl;
mov cx, dx;
mov ecx, ebx;
A location in memory is indicated by an offset. You can take a value from a precise location in memory and place it in a register. Take the table below as an example.
offset 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42
data   0D 0A 50 32 44 57 25 7A 5E 72 EF 7D FF AD C7
Look at offset 3A in the table above. The data at this offset is 25, 7A, 5E, 72, EF and so on. The form for placing the value at offset 3A into a register with the mov instruction is:
mov eax, dword ptr [0000003Ah];
The instruction mov eax, dword ptr [0000003Ah] means: put the 32-bit DWORD value at location 3Ah into the EAX register. After this instruction has executed, EAX holds the value 725E7A25h. You will notice that the bytes in memory (25 7A 5E 72) appear in reverse order. This is because values in memory are stored in little-endian order: the byte at the highest address (the rightmost one in the table) is the most significant byte, so the bytes are arranged in reverse. A few examples will make this clear.
The DWORD (32-bit) value 10203040h is stored in memory as: 40 30 20 10 (each value represents one byte (8 bits).)
The WORD (16-bit) value 4050h is stored in memory as: 50 40
Let's look at some more to make it even clearer.
mov cl, byte ptr [34h] ; cl = 0Dh (see the table above)
mov dx, word ptr [3Eh] ; dx = 7DEFh (see the table above; remember the reversed order)
The size is sometimes not important.
mov eax, [00403045h];
This is because EAX is a 32-bit register: the assembler assumes that a 32-bit value is to be taken from memory location 00403045h.
Immediate values can be used as well.
mov edx, 5006;
This puts the value 5006 into EDX. Square brackets mean that the value is taken from the memory location given inside the brackets.
mov eax, 403045h ; eax = 403045h
mov cx, [eax] ; puts the WORD-sized value at the memory location held in EAX (403045) into register CX
For mov cx, [eax], the processor first looks at the value held in EAX (a memory location). Only then does it determine what value is at that memory location and puts that WORD (16 bits, because CX is a 16-bit register) into CX.
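As an added illustration (not code from the original tutorial), the following C program models the memory table above and the three kinds of load (byte, word, dword), assembling the bytes in little-endian order and refusing a read that would run past the end of the table; MEM, load_byte, load_word, load_dword and store_dword are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed copy of the memory table in the text: bytes at offsets 34h..42h. */
static const uint8_t MEM[] = {
    0x0D, 0x0A, 0x50, 0x32, 0x44, 0x57, 0x25, 0x7A,
    0x5E, 0x72, 0xEF, 0x7D, 0xFF, 0xAD, 0xC7
};
#define MEM_BASE 0x34u
#define MEM_END  (MEM_BASE + sizeof MEM)      /* one past the last valid offset */

/* Returns 1 when every byte of [offset, offset + size) lies inside the table. */
static int in_range(uint32_t offset, size_t size)
{
    return offset >= MEM_BASE && offset + size <= MEM_END;
}

/* mov cl, byte ptr [offset] */
int load_byte(uint32_t offset, uint8_t *out)
{
    if (!in_range(offset, 1))
        return 0;
    *out = MEM[offset - MEM_BASE];
    return 1;
}

/* mov dx, word ptr [offset]: the byte at the lower address is the low byte. */
int load_word(uint32_t offset, uint16_t *out)
{
    if (!in_range(offset, 2))
        return 0;
    const uint8_t *p = MEM + (offset - MEM_BASE);
    *out = (uint16_t)(p[0] | (p[1] << 8));
    return 1;
}

/* mov eax, dword ptr [offset]: four bytes, lowest address = least significant. */
int load_dword(uint32_t offset, uint32_t *out)
{
    if (!in_range(offset, 4))
        return 0;
    const uint8_t *p = MEM + (offset - MEM_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* The reverse direction: how a DWORD is laid out when it is stored
   (10203040h -> 40 30 20 10). */
void store_dword(uint32_t value, uint8_t out[4])
{
    out[0] = (uint8_t)(value);
    out[1] = (uint8_t)(value >> 8);
    out[2] = (uint8_t)(value >> 16);
    out[3] = (uint8_t)(value >> 24);
}

int main(void)
{
    uint8_t cl; uint16_t dx; uint32_t eax;
    if (load_byte(0x34, &cl))   printf("cl  = %02Xh\n", cl);    /* 0Dh */
    if (load_word(0x3E, &dx))   printf("dx  = %04Xh\n", dx);    /* 7DEFh */
    if (load_dword(0x3A, &eax)) printf("eax = %08Xh\n", eax);   /* 725E7A25h */
    /* A DWORD read at 40h needs bytes 40h..43h, but the table ends at 42h. */
    if (!load_dword(0x40, &eax))
        printf("dword ptr [40h] runs past the end of the table\n");
    return 0;
}
```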
ADD, SUB, MUL, DIV
Quite a lot of opcodes perform arithmetic. You can guess most of their names: ADD (addition), SUB (subtraction), MUL (multiplication), DIV (division) and so on.
The ADD opcode has the following form:
add destination, source
Chapter (3) - Basic Assembly Language - 47 -
sar bl, 3
bl = 00000010
Rotation functions
rol destination, count ; rotate left
ror destination, count ; rotate right
rcl destination, count ; rotate left through carry
rcr destination, count ; rotate right through carry
Rotating is just like shifting. The difference is that the bits shifted out are shifted back in on the other side.
Example: ror (rotate right)
Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0
rvSnfhrD 1 0 0 1 1 0 1 1
Rotate, count= 3 1 0 0 1 1 0 1 1 (a&TUz,f)
&v'f 1 1 0 1 0 0 1 1
As the figure above shows, the bits are rotated: every bit pushed out is shifted back in on the other side. As with shifting, the carry bit holds the last bit shifted out. RCL and RCR follow the same pattern as ROL and ROR; as their names say, they use the carry bit to indicate the last bit shifted out. ROL and ROR likewise behave alike, so there is no difference between them beyond the direction.
Exchange
The XCHG instruction is very simple: it exchanges two registers (or) a register and a memory location.
eax = 237h
ecx = 978h
xchg eax, ecx
eax = 978h
ecx = 237h
(6) File structure
Assembly source files are divided into sections. The sections are code, data, uninitialized data, constants, resources and relocations. The resource section is produced from the resource file (see later). The relocation section is not important for us (it may contain information the PE loader needs to load the program at another place in memory). The important sections are code, data, uninitialized data and constants. The code section contains, as you would expect, the code. The data section contains readable/writable data. The whole data section is stored in the exe file and is usually initialized with data.
Uninitialized data holds nothing at the start; it is not even present in the exe file itself. It is just a piece of memory that Windows sets aside. This section can be written to and read from. Constants are like the data section, but read-only. This section can be used for constants, but it is easier and faster to declare the constants in an include file and then simply use them as immediate values.
(6.1) Section indicators
In your source files you have to declare the sections.
.code ; the code section starts here
.data ; the data section starts here
.data? ; the uninitialized data starts here
.const ; the constants section starts here
Executable files (*.exe, *.dll, ...) on Win32 are in the PE (portable executable) format. Apart from a few important things, this is not discussed in detail here. (It is covered in detail in the PE header chapter.) Sections are predefined in the PE header with a number of attributes: section name, RVA, offset, raw size, virtual size and flags. The RVA (relative virtual address) is the relative location in memory where the section is loaded. "Relative" here means relative to the base address at which the program sits in memory when it runs. This address is in the PE header too, but only the PE loader can change it (using the relocation section). The offset is just the raw offset in the exe file at which the section's first data sits. The virtual size is the size the section will have in memory. The flags are flags for readable/writable/executable and so on.
(6.2) Example program
This is an example program.
.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax
This program will not assemble properly, but that does not matter. Everything you place in a section of your assembly program ends up in the exe file, and from there in memory when the program is loaded. The data section shown above has 3 labels: Number1, Number2 and Number3. These labels hold the offset of their location in the program, so you can use them to refer to a location in your program. DD puts a DWORD value directly at that location; DW is a word and DB is a byte. With DB you can also use strings, so a string is simply a group of byte values. As an example:
33,20,01,00,00,01,00,02,00,03,00,04,62,6c,61,62,6c,61,00 (all hex numbers)
(Every value is one byte.)
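Added example, not the tutorial's own code: this C program lays the three directives down as bytes the way the assembler does, then runs the four code lines on that model, so you can check both the byte sequence above and the value that ends up in Value. The names section_t, labels_t, build_data_section and run_example are chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A tiny model of the .data section: each directive appends little-endian bytes. */
typedef struct {
    uint8_t bytes[64];
    size_t  len;
} section_t;

static void emit_db(section_t *s, const uint8_t *p, size_t n)   /* db: raw bytes */
{
    memcpy(s->bytes + s->len, p, n);
    s->len += n;
}

static void emit_dw(section_t *s, uint16_t v)                    /* dw: low byte first */
{
    uint8_t b[2] = { (uint8_t)v, (uint8_t)(v >> 8) };
    emit_db(s, b, 2);
}

static void emit_dd(section_t *s, uint32_t v)                    /* dd: four bytes, low first */
{
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    emit_db(s, b, 4);
}

/* Label offsets, recorded as the directives are laid down. */
typedef struct { size_t number1, number2, number3; } labels_t;

/* Builds the .data section of the example program; returns its length in bytes. */
size_t build_data_section(section_t *s, labels_t *lbl)
{
    s->len = 0;
    lbl->number1 = s->len;                                       /* Number1 dd 12033h */
    emit_dd(s, 0x12033);
    lbl->number2 = s->len;                                       /* Number2 dw 100h,200h,300h,400h */
    emit_dw(s, 0x100); emit_dw(s, 0x200); emit_dw(s, 0x300); emit_dw(s, 0x400);
    lbl->number3 = s->len;                                       /* Number3 db "blabla",0 */
    emit_db(s, (const uint8_t *)"blabla", 7);                    /* 7 = six letters + the 0 */
    return s->len;
}

static uint16_t rd16(const section_t *s, size_t off)
{
    return (uint16_t)(s->bytes[off] | (s->bytes[off + 1] << 8));
}

static uint32_t rd32(const section_t *s, size_t off)
{
    return (uint32_t)s->bytes[off] | ((uint32_t)s->bytes[off + 1] << 8) |
           ((uint32_t)s->bytes[off + 2] << 16) | ((uint32_t)s->bytes[off + 3] << 24);
}

/* Executes the .code part of the example on the section model and returns Value. */
uint32_t run_example(void)
{
    section_t s; labels_t lbl;
    build_data_section(&s, &lbl);
    uint32_t eax = rd32(&s, lbl.number1);        /* mov eax, Number1        -> 00012033h */
    size_t   ecx = lbl.number2;                  /* mov ecx, offset Number2 -> 4         */
    uint16_t ax  = (uint16_t)eax;                /* add ax, word ptr [ecx+4]              */
    ax = (uint16_t)(ax + rd16(&s, ecx + 4));     /* [Number2+4] is the third dw, 300h     */
    eax = (eax & 0xFFFF0000u) | ax;              /* writing AX leaves the upper half alone */
    return eax;                                  /* mov Value, eax          -> 00012333h */
}

int main(void)
{
    section_t s; labels_t lbl;
    size_t n = build_data_section(&s, &lbl);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", s.bytes[i], i + 1 < n ? "," : "\n");   /* 33,20,01,00,... */
    printf("Value = %08Xh\n", run_example());
    return 0;
}
```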
else
{
eax = 0;
}
Written in the BASIC programming language it would be:
IF (edx‐ecx)=2 THEN
EAX = 1
ELSE
EAX = 0
END IF
(7.1) Flag register
The flag register holds flags that are set/cleared depending on arithmetic and other events. I will not discuss all of them, only the important ones.
ZF (Zero flag)
This flag is set if the result of an arithmetic operation is zero. (A comparison is really just a subtraction: the result is not stored, but the flags are set.)
SF (Sign flag)
If this flag is set, the final result of the arithmetic operation was negative.
CF (Carry flag)
After an arithmetic operation this flag holds the leftmost bit that was carried out of the result.
OF (Overflow flag)
Indicates that the calculation overflowed, i.e. the result does not fit in the destination.
There are other flags as well (Parity, Auxiliary, Trap, Interrupt, Direction, IOPL, Nested Task, Resume & Virtual Mode), but since we will not use them, they are not explained here.
(7.2) Jump series
Below is everything to do with conditional jumps. They jump depending on the state of the flags, but most of them have names that are easy to understand, so you do not need to know which flags define which jump. For example, 'Jump if greater or equal' (jge) is 'Sign flag = Overflow flag'. Another: when you see 'Jump if zero', read it as 'Jump if Zero flag = 1'.
How to read the table
'Jump if above' means:
cmp x, y; // compares x and y
// jumps if x is greater than y
JA is an unsigned jump (Jump if above). Consider ax = FFFFh (FFFFh unsigned, -1 signed) and bx = 0005h (5 unsigned, 5 signed). Because FFFFh is higher than 0005 as an unsigned value, the JA instruction jumps. JG, on the other hand, is used as a signed jump:
cmp ax, bx
jg somewhere
The JG instruction will not jump, because -1 is not greater than 5.
Remember:
Whether a number is signed or unsigned depends entirely on how you treat that number.
(9) More opcodes
Here are a few more opcodes.
TEST
TEST performs a logical AND on its two operands, dest and src, and sets the flag register according to the result. The result itself is not stored. TEST is used, as in the example, to test a single bit in a register:
test eax, 100b ; (b is short for binary)
jnz bitset
If the third bit (counting from the right) in EAX is set, JNZ jumps. The most common use of TEST is to check whether a register is zero:
test ecx, ecx
jz somewhere
JZ jumps if ECX is zero.
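Added example (not from the original text) showing how the flags described in (7.1) decide the jumps in (7.2), and how TEST sets them: cmp16 and test32 compute ZF, SF, CF and OF for the text's ax = FFFFh, bx = 5 case, and ja/jg/jge/jz/jnz are the jump conditions written out; all names are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { int zf, sf, cf, of; } flags_t;

/* cmp a, b on 16-bit operands: computes a - b and keeps only the flags. */
flags_t cmp16(uint16_t a, uint16_t b)
{
    uint16_t r = (uint16_t)(a - b);
    flags_t f;
    f.zf = (r == 0);                                 /* result is zero            */
    f.sf = (r >> 15) & 1;                            /* top bit of the result     */
    f.cf = (a < b);                                  /* unsigned borrow           */
    f.of = (((a ^ b) & (a ^ r)) >> 15) & 1;          /* signed overflow: operands */
    return f;                                        /* differ in sign, result    */
}                                                    /* sign differs from a       */

/* test a, mask: logical AND, result discarded; CF and OF are cleared. */
flags_t test32(uint32_t a, uint32_t mask)
{
    uint32_t r = a & mask;
    flags_t f = { r == 0, (int)((r >> 31) & 1), 0, 0 };
    return f;
}

/* The conditions the conditional jumps evaluate. */
int ja (flags_t f) { return !f.cf && !f.zf; }         /* unsigned: above          */
int jg (flags_t f) { return !f.zf && f.sf == f.of; }  /* signed: greater          */
int jge(flags_t f) { return f.sf == f.of; }           /* signed: greater or equal */
int jz (flags_t f) { return f.zf; }
int jnz(flags_t f) { return !f.zf; }

int main(void)
{
    flags_t f = cmp16(0xFFFF, 0x0005);   /* ax = FFFFh (-1 signed), bx = 5 */
    printf("cmp ax, bx: ZF=%d SF=%d CF=%d OF=%d\n", f.zf, f.sf, f.cf, f.of);
    printf("ja jumps: %d   jg jumps: %d\n", ja(f), jg(f));     /* 1 and 0 */
    f = test32(0x00000004u, 0x4u);       /* test eax, 100b with bit 2 set */
    printf("jnz bitset jumps: %d\n", jnz(f));                  /* 1 */
    return 0;
}
```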
STACK OPCODES
Before discussing the stack opcodes, let me explain what the stack is. The stack is an area of memory pointed to by the stack pointer register, ESP. It is a place for temporary values. It has two instructions, PUSH and POP, to store values and to retrieve them: PUSH puts a value on the stack and POP takes it off again. The value pushed onto the stack last is the first one taken off. When a value is put on the stack, the stack pointer decreases; when a value is removed, the stack pointer increases.
Look at the example:
(1) mov ecx, 100
(2) mov eax, 200
(3) push ecx ; save ECX
(4) push eax
(5) xor ecx, eax
(6) add ecx, 400
(7) mov edx, ecx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value 00 00 60 45 00 00 00 00 00
ESP
mov cx, 0FFFFh ; a hex literal that starts with a letter needs a leading 0
push cx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value FF FF 60 45 00 00 00 00 00
ESP
pop edx
Offset 1203 1204 1205 1206 1207 1208 1209 120A 120B
Value FF FF 60 45 00 00 00 00 00
ESP
EDX is now 4560FFFFh.
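Added example, not from the tutorial: a C model of the nine-byte window 1203h..120Bh with an ESP that moves as described, reproducing the push cx / pop edx sequence above and showing what a push ecx / push eax pair looks like when popped in reverse; stack_t, push16, push32, pop32, run_push_cx_pop_edx and run_lifo are names chosen here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed 9-byte memory window 1203h..120Bh from the tables in the text. */
#define STK_BASE 0x1203u
#define STK_SIZE 9u
typedef struct {
    uint8_t  mem[STK_SIZE];
    uint32_t esp;
} stack_t;

void stack_init(stack_t *s, uint32_t esp)
{
    static const uint8_t initial[STK_SIZE] = { 0x00, 0x00, 0x60, 0x45, 0, 0, 0, 0, 0 };
    memcpy(s->mem, initial, STK_SIZE);
    s->esp = esp;
}

/* push: ESP moves down by the operand size, then the bytes are stored,
   low byte at the lower address. Returns 0 when the window would be overrun. */
int push16(stack_t *s, uint16_t v)
{
    if (s->esp < STK_BASE + 2) return 0;
    s->esp -= 2;
    s->mem[s->esp - STK_BASE]     = (uint8_t)v;
    s->mem[s->esp - STK_BASE + 1] = (uint8_t)(v >> 8);
    return 1;
}

int push32(stack_t *s, uint32_t v)
{
    if (s->esp < STK_BASE + 4) return 0;
    s->esp -= 4;
    for (int i = 0; i < 4; i++)
        s->mem[s->esp - STK_BASE + i] = (uint8_t)(v >> (8 * i));
    return 1;
}

/* pop into a 32-bit register: read four bytes at ESP, then ESP moves up by 4. */
int pop32(stack_t *s, uint32_t *out)
{
    if (s->esp + 4 > STK_BASE + STK_SIZE) return 0;
    const uint8_t *p = s->mem + (s->esp - STK_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->esp += 4;
    return 1;
}

/* The sequence from the text: ESP at 1205h, push cx (FFFFh), pop edx.
   A 2-byte push followed by a 4-byte pop leaves ESP two bytes higher than it started. */
uint32_t run_push_cx_pop_edx(uint32_t *esp_after)
{
    stack_t s; uint32_t edx = 0;
    stack_init(&s, 0x1205);
    push16(&s, 0xFFFF);      /* ESP 1205h -> 1203h, bytes FF FF at 1203h..1204h */
    pop32(&s, &edx);         /* reads FF FF 60 45 from 1203h, ESP -> 1207h      */
    *esp_after = s.esp;
    return edx;              /* 4560FFFFh */
}

/* push ecx / push eax, then pop in reverse: the value pushed last comes off first. */
int run_lifo(uint32_t *first_out, uint32_t *second_out)
{
    stack_t s;
    stack_init(&s, STK_BASE + STK_SIZE);   /* empty window: ESP just past the top */
    if (!push32(&s, 100) || !push32(&s, 200)) return 0;   /* ecx = 100, eax = 200 */
    if (!pop32(&s, first_out) || !pop32(&s, second_out)) return 0;
    return s.esp == STK_BASE + STK_SIZE;   /* balanced: ESP is back where it started */
}

int main(void)
{
    uint32_t esp, edx = run_push_cx_pop_edx(&esp);
    printf("edx = %08Xh, esp = %04Xh\n", edx, esp);   /* 4560FFFFh, 1207h */
    uint32_t a, b;
    if (run_lifo(&a, &b))
        printf("popped %u then %u\n", a, b);          /* 200 then 100 */
    return 0;
}
```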
CALL & RET
A call jumps to some piece of code and returns as soon as a RET instruction is encountered. You can think of these as the functions or subroutines of other programming languages. Example:
; ..code..
call 0455659
; ..more code..
; Code at 455659:
add eax, 500
imul eax, edx ; two-operand multiply (plain MUL takes a single operand, so mul eax, edx does not assemble)
ret
When the CALL instruction executes, the processor jumps to the code at 455659 and executes the instructions there until it reaches RET; then it returns to the instructions after the CALL. The code that CALL jumps to is called a procedure. CALL pushes EIP (the pointer to the next instruction to be executed) onto the stack, and the RET instruction pops it back off. You can define arguments for a CALL; this is done with PUSH:
push something
push something2
call procedure
Inside the CALL, the arguments can be read from the stack and used. Local variables (data needed only inside the procedure) can be kept on the stack as well. I will not discuss these in detail, because masm (Macro Assembler) and tasm (Turbo Assembler) make them easy. It is enough to remember that you can create procedures and that they take parameters. One important point:
EAX is almost always used to hold a procedure's return value.
This is true for windows functions too. In your own procedures you may in fact use any other register, but EAX is the standard. While we are at it, one instruction's usage deserves an explanation:
lea edi, namebuffer ; EDI = address of the buffer holding the name that was typed in
mov eax, dword ptr ds:[edi] ; puts four characters into EAX, because a DWORD (4 bytes) is four characters
(10) Windows-related Assembly language basics
(10.1) API
The most fundamental thing about programming on Windows is the Windows API (Application Programming Interface). The API is the collection of functions the OS provides. Every Windows program uses these functions. They live in the Windows system dlls: kernel, user, gdi, shell, advapi and so on. There are two kinds of function: ANSI and Unicode. These are two ways of storing and handling strings. With ANSI, each character is represented by a code (its ASCII code) and \0 (null-terminated) marks the end of the string. Unicode uses the widechar format, two bytes per character, for languages such as Chinese and Burmese that need more characters. Widechar strings usually end with \20. Windows accepts both ANSI and Unicode functions. For example:
MessageBoxA (ANSI)
MessageBoxW (W = widechar (unicode))
We will use ANSI.
.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\gdi32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\gdi32.inc
include \masm32\include\windows.inc
.data
blahblah
.code
start:
blahblah
end start
This is the basic frame of a windows assembly source file (.asm).
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc
.data
MsgText db "Hello world!", 0
MsgTitle db "This is a messagebox", 0
.code
start:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_OKCANCEL or MB_ICONQUESTION
invoke ExitProcess, NULL
end start
If you assemble this code (Go All), you will see Figure (1).
Figure (1)
How the program works:
1. MessageBox is used like this (see Win32.hlp):
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
Ø hWnd specifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
Ø MsgText holds the offset of the first string and MsgTitle holds the second. Now you can use the MessageBox function:
invoke MessageBox, NULL, offset MsgText, offset MsgTitle, NULL
Ø Because invoke is used, you can use ADDR instead of offset (it is safer):
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL
Ø We did not specify the last parameter, yet it works fine, because MB_OK (a message box with an OK button) equals 0 (NULL). But you can use any other style.
Figure (2)
4. The meaning of uType is shown in Figures (2) and (3).
Figure (3)
Figure (4)
Then create two buttons and change their captions to 'Say Hello' and 'Exit'. Figure (5).
Figure (5)
Now press F12 and let's look at the dialog box we created, as code.
;This Resource Script was generated by WinAsm Studio.
#define IDD_DLG1001 1001
#define IDC_EDIT1002 1002
#define IDC_BUTTON1003 1003
#define IDC_BUTTON1004 1004
IDD_DLG1001 DIALOGEX 0,0,170,72
CAPTION "Simple Dialog Box Program"
FONT 8,"MS Sans Serif"
STYLE 0x10cc0000
EXSTYLE 0x00000000
BEGIN
CONTROL "",IDC_EDIT1002,"Edit",0x50010080,10,9,121,19,0x00000200
CONTROL "Say Hello",IDC_BUTTON1003,"Button",0x50010000,17,46,51,16,0x00000000
CONTROL "Exit",IDC_BUTTON1004,"Button",0x50010000,102,46,50,16,0x00000000
END
To write the code that goes with the Dialog Box template, we need to know the names and control IDs of the dialog box, the edit box and the buttons. These can be found in the first 4 lines at the top of the resource script. Then select dialogbox.asm and type in the code below.
option casemap:none
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib USER32.LIB
includelib KERNEL32.LIB
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
.data
Message db "Hello World", 0
.data?
hInstance HINSTANCE ?
.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL
invoke ExitProcess, eax
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_COMMAND                  ; a control sent a notification
        mov eax, wParam                     ; low word = control ID
        .if eax == 1003                     ; "Say Hello" button
            invoke SetDlgItemText, hWnd, 1002, ADDR Message
        .elseif eax == 1004                 ; "Exit" button
            invoke SendMessage, hWnd, WM_CLOSE, 0, 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .endif
    xor eax, eax
    ret
DlgProc endp
end start
Figure (6)
If you turn this code into an exe file, you will see Figure (7).
Figure (7)
(12) Writing a keygen program
This lesson is very important for crackers, because a keygen is indispensable to them. Only with a keygen can the registration code that matches a user name of your choosing be produced. Look at a few sample keygens. Figure (8).
Figure (8)
Right, let's start writing a keygen. Open WinAsm Studio and set it up to look like the figure below. Figure (9). There must be two edit controls, two static texts and three buttons.
Figure (9)
...from 5 down to zero, so the routine runs (subtracting) exactly six times.) ESI holds the address of the first character of NameBuffer; when ECX=0, ESI+ECX points to the first character, and when ECX=5, ESI+ECX points to the last character. The first mov instruction copies the last character in NameBuffer into DL, the low part of the EDX register. The second mov instruction copies that character into the first character position of SerialBuffer (held in EDI). In this way the characters are stored in reverse order; until ECX reaches zero, the logical OR is performed and the zero flag is set accordingly. If the zero flag is not set, execution goes to @@ and the routine repeats.
- This is the simple way of writing it. You can write complete routines using API functions.
You could also try adding pictures/sounds to our keygen program.
Chapter (4) - Software protection - 71 -
Figure (1)
One advantage of this method over the others is that the entered data is not kept in memory; instead it is XORed with other values (or) recomputed. The correct registration number is recomputed and the results are compared. In fact, to make it hard to recover the correct registration number from those results, you have to perform more complex calculations that are not easy for crackers to understand.
(1.2) Registration number changes depending on the data entered
This is a frequently used method. Here, before the registration number is typed in, the name (or) company name (or) other details have to be entered first. The registration number then changes depending on the data entered. Figure (2).
Figure (2)
The more experienced and skilled the programmer, the harder the protection can be made for crackers to break. But whatever complex calculation scheme is used, crackers will still trace through the program code to obtain the correct registration number.
(1.3) Registration number changes depending on the user's computer
This method is the kind that makes crackers uncomfortable. A careless cracker can be left baffled, because no matter how they register on their own computer it does not work: the registration number changes (for example, depending on the hard drive's serial number). Figure (3). (The most important thing is to hide the routine that checks the registration number carefully. If the routine is found, it is easy to change the constant and register the program on any machine with the same registration number.)
Figure (3)
(1.4) Registration numbers implemented in Visual Basic or Delphi programs
Cracking a registration number written in Visual Basic (VB) is not easy, because the programming language itself is high level. Since we use debuggers (disassemblers) to crack, the higher the level of the language, the harder it is for the debugger to turn it into assembly code. So the assembly code a debugger produces from a VB program is hard for novice crackers to understand.
VB programs can be divided into these 3 groups:
(1.4.1) VB4,
(1.4.2) VB5 and above,
(1.4.3) VB5 and above (compiled as packed code (p-code))
(1.4.1) VB4
Though not obvious to most users, VB4 programs are very unreliable as protection. An experienced cracker can find the registration number within 5 minutes. Figure (4). This is because VB4 programs mostly use vb40016.dll (or) vb40032.dll to compare the registration number typed in with the predefined registration number.
Figure (4)
(1.4.2) VB5 and above
Cracking a program protected with VB5 is considerably harder than VB4. Many crackers are not keen on debugging VB5 with a debugger.
Figure (5)
(2) Time and usage-count limits
Time-limited programs check whether the period they may be used for has expired. Protecting a program this way is not very effective, because a cracker
Figure (6)
Time limits are written in various ways. The possibilities are:
(2.1) Removing the time limit by entering the correct registration number,
(2.2) Removing the time limit by supplying a registration file,
(2.3) The full version cannot be used just by removing the time limit (full use only after purchase),
(2.4) Time limit written in Visual Basic,
(2.5) Usage limit defined only by the number of times the program is used.
(2.1) Removing the time limit by entering the correct registration number
This method is the same as the registration number method: entering the correct registration number removes the time limit. Figure (7). The difference is that if the correct registration number is not entered, the program is made completely unusable once the allowed period has passed.
Note that if you write a program like this, the first thing to do is to record the date the program was first used securely in the registry (or) in a file. Otherwise the user can get past the limit just by setting the computer's date back.
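Added example, not from the original text, of the check the note above calls for: the first-use date is kept in a record (standing in for the registry or file), and, going one step beyond the text, a last-seen timestamp catches a clock that has been set back; trial_record, trial_check and TRIAL_DAYS are assumed names and values.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { TRIAL_OK, TRIAL_EXPIRED, TRIAL_CLOCK_TAMPER } trial_status;

/* The record the text says to keep in the registry or a file (constructed here).
   Times are seconds since the epoch; a real program would persist this struct. */
typedef struct {
    int64_t first_run;   /* 0 until the program is started for the first time */
    int64_t last_seen;   /* clock value at the most recent successful check   */
} trial_record;

#define TRIAL_DAYS       30          /* assumed length of the trial period */
#define SECONDS_PER_DAY  86400LL

/* Decides whether the trial is still valid at time 'now' and updates the record. */
trial_status trial_check(trial_record *rec, int64_t now)
{
    if (rec->first_run == 0) {               /* first start: record the date */
        rec->first_run = now;
        rec->last_seen = now;
        return TRIAL_OK;
    }
    if (now < rec->last_seen)                /* the clock went backwards: the user */
        return TRIAL_CLOCK_TAMPER;           /* set the date back; record untouched */
    rec->last_seen = now;
    if (now - rec->first_run >= TRIAL_DAYS * SECONDS_PER_DAY)
        return TRIAL_EXPIRED;
    return TRIAL_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "expired", "clock set back" };
    trial_record rec = { 0, 0 };
    int64_t t0 = 1700000000LL;                                 /* constructed epoch time */
    printf("day 0:  %s\n", names[trial_check(&rec, t0)]);
    printf("day 5:  %s\n", names[trial_check(&rec, t0 + 5 * SECONDS_PER_DAY)]);
    printf("day 2:  %s\n", names[trial_check(&rec, t0 + 2 * SECONDS_PER_DAY)]);
    printf("day 31: %s\n", names[trial_check(&rec, t0 + 31 * SECONDS_PER_DAY)]);
    return 0;
}
```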
Figure (7)
Figure (8)
When writing the program, be careful not to write functions that simply check whether the registration file is present in the program's directory and whether it contains the correct data.
(2.3) The full version cannot be used just by removing the time limit (full use only after purchase)
Demo versions commonly use this method. In such programs no registration number can be entered. Once the trial has expired the program cannot be used at all; to use it you have to buy it. Example: POPCAP games. Figure (9).
Figure (9)
Crackers find the time-limit routine and bypass that program code directly. The program then no longer checks whether it has expired and simply does its normal work.
(2.4) Time limit written in Visual Basic
This method is not widely used any more.
(2.5) Usage limit defined only by the number of times the program is used
This method is basically the same as the other time-limit methods, but instead of counting the days of use it counts the number of uses. This kind of counting gives crackers quite a headache, because the program no longer has to query the date; it only has to keep the usage count in the registry (or) a file.
(3) Using key files
With this method the key file is usually placed in the directory where the software is installed. The program reads and checks the contents of this file. If the key file is correct, the program runs as the registered version. If the key file is missing/wrong, the program behaves like the unregistered version (or) does not work at all. The key file may contain information about the user and encrypted data.
This type can be studied in 2 parts:
(3.1) Disabling some features unless the correct file is used,
(3.2) Time-limiting the program unless the correct file is used.
(3.1) Disabling some features unless the correct file is used
This is a very good method, and crackers do not like it. Still, like the other methods, it can be removed. Here some features are disabled unless the correct key file is used. The weak point is that the program has to look for the key file and check whether it is correct. Figure (10). So the cracker finds this routine and either fools the program (or) works out the registration file's structure from the routine.
Figure (10)
If you use this method, you need to encode the registration file so that a cracker cannot easily create one.
(3.2) Time-limiting the program unless the correct file is used
Most antivirus companies use this method. Without the correct registration file the program is unregistered and time-limited.
Figure (11)
(4.2) Refusing some program functions unless the hardware key is present
This method is very simple: with the hardware key attached the program works, and without it some of the program's functions do not, because some of the program's functions are placed inside the hardware key itself. This is a very good method. Keys may even contain the code that decodes functions in memory. If the encoding is good, removing the protection without the key is impossible.
HASP key
The HASP (Hardware Against Software Piracy) key is made by Aladdin Knowledge Systems and used by more than 30,000 software publishers. In 2010 it merged with Safenet. When the software is installed, HASP installs its own drivers so that it can communicate with the hardware key.
Figure (12)
Sentinel key
Made by Rainbow Technology (www.rainbow.com). Rainbow was taken over by Safenet (now Gemalto) in 2003. Sentinel is very similar to HASP. Early Sentinel keys were made as parallel port devices; later ones as USB sticks. Figure (13). An LDK (Licensing Development Kit) for managing software licences as you see fit is sold with it. More than 35 million applications are protected with Sentinel. 128-bit AES encryption is used for the link between the Sentinel key and the application.
Figure (13)
Chapter (5) - Tools needed by a cracker - 81 -
http://members.cox.net/w32dasm/
(1.3) Freeware tools
IDA 3.7
IDA 3.7 is a DOS GUI tool, much like IDA Pro. Its limitation is that it covers the Z80, 6502, Intel 8051, Intel i860 and PDP-11, and x86 instruction output only up to the 486 processor.
http://www.simtel.net
IDA Pro Freeware 4.9
Performs nearly like IDA Pro, but only produces assembly code for Intel x86 processors and runs only on Windows. The instructions it disassembles are only those of processors released before 2003.
http://www.themel.com
IDA Pro Freeware 4.3
The GUI is better than in the earlier versions.
http://www.datarescue.be
BORG Disassembler
BORG has a GUI and is the best Win32 disassembler.
http://www.caesum.com
HT Editor
HT Editor is a disassembler that analyzes Intel x86 instructions. The latest version is a console GUI program that runs on Windows.
http://the.sourceforge.net
diStorm64
diStorm is open source and targets 80x86 and AMD64 processors.
http://ragestorm.net
(1.4) Things to know about disassemblers
Separating code from data
Since data and code are stored in the exe file as binary data, a question arises: how can the disassembler tell whether something is code or data? Is the byte it has just read a variable, or part of an instruction? If data were kept only in the exe's .data section and code only in the .code section, there would be no problem. But data can be put directly into the .code section (for example jump address tables and constant strings), and executable code can be stored in the .data section. (Newer systems try to prevent this for security reasons.)
Most disassemblers give the user the choice of switching code segments between code and data. Some disassemblers, however, do the separation automatically.
PE Tools
PE scanner uawmh udk,f debug vkyfcsifwJh exe y½d* k &rfudk b,fy½d*k &rfbmompum;eJY a&;xm;
w,f? b,f protector awGeJY umuG,fxm;w,fqdkwm ppfaq;ay;ygw,f/ 'ghtjyif tcsdKU tool awG[m PE
header udkvnf;wnf;jzwfEdkifygao;w,f/ PE tool awGuawmh Lord PE? ProtectionID? PE Browse? PE
Detective? PE Disassembler? PE Explorer? PE Insight? PE Optimizer? PE Rebuilder? PE Tools? PE
Viewer? PEditor? PEiD? Stud PE? WPE eJY CFF Explorer wdkYjzpfygw,f/ toHk;trsm;qHk;uawmh Lord
PE? ProtectionID? PEiD eJY CFF Explorer wdjkY zpfygw,f/ ProtectionID &JU database udk ESpfpOf update
vkyfavh&SdNyD; ProtectionID upHkprf;ay;wJh&v'f[m rSm;cJygw,f/
Figure (1)
(2) Disassembler Window
Figure (2)
Chapter (6) - Introduction to Olly Debugger - 91 -
The Disassembler window has four columns: Address, Hex dump, Disassembly and Comment. See Figure (2).
Address — the Address column holds the virtual address of the command loaded into memory. If you
double-click the column, the addresses are replaced by offsets counted from the current address
($, $-2, $+4, ...).
Hex dump — in this code column you see the code as operand values. The column also adds various
symbols to help you understand how the program works; for example, the symbols show where a command
jumps to (>) and whether it jumps up or down (ˆ, ˇ). If you double-click this column, the address
in the first column is shown with a red highlight. That means you have set a breakpoint at that
command (address): when execution reaches this point, the program is told to pause.
Disassembly — this column holds the Assembly mnemonics of the command. If you double-click a
command, a window appears in which the Assembly command can be edited, and there you can change the
command however you like. The modified command is used in the debugging that follows. In addition,
the modified program text (code) can be turned into an executable module. For a cracker this is the
biggest opportunity of all.
Comment — this column holds other information about the command. Here the program identifies the
names of API functions and library functions. If you double-click this column, you can write your
own comment on any line of the Assembly code.
(3) The Data Window
This window has three columns: Address, Hex dump and ASCII (Unicode). The second and third columns
can change depending on how the contents are interpreted: when the text in a cell is switched to
Unicode, the ASCII column takes the place of the Hex dump column and the Hex dump column disappears.
See Figure (3).
Figure (3)
(4) The Registers Window
Figure (4)
The Registers window can hold three groups of registers: general-purpose registers & FPU registers,
general-purpose registers & MMX registers, and general-purpose registers & 3DNow registers.
Double-clicking lets you edit the respective register (except EIP). Clicking the arrows (<)
switches the Registers window between these groups. See Figure (4).
(5) The Stack Window
The Stack window shows what is in the stack. The first column (Address) shows the address of the
cell in the stack. The second column (Value) shows the contents of the cell. The third column
(Comment) holds any comments that apply to the cell's value. See Figure (5). This is very useful
when cracking VB programs and Delphi programs.
Figure (5)
(6) Other Windows
When you start working with OllyDbg, keep the following in mind:
(a) Right-clicking in any window brings up that window's menu. The menu differs from window to
window. I recommend studying these menus carefully.
(b) The contents of the windows are linked to one another. For example, look at the registers. If
you right-click one of the general-purpose registers, its contents can be interpreted just like an
address in the data area (follow in dump) or the stack area (follow in stack).
(7) Debug Execution
Debugging means running a program in various modes and analyzing it piece by piece. Here I want to
explain the execution modes. Assume the code to be executed has already been loaded into the
debugger, and the Disassembler window shows the Assembly code. The most important modes for
executing the program are:
(a) Step-by-step execution that skips over a procedure (in some programming languages a procedure
is called a subroutine or function) without entering it is called step over. Each press of F8
executes the current Assembly command. By executing the commands one after another you can see
how the other three windows (Register, Data, Stack) change. The distinguishing feature of this
mode is that if the next command is a procedure call (CALL), all of the commands that make up the
procedure are executed automatically as if they were a single instruction. That is, the code
inside the called procedure (CALL) is not examined line by line.
(b) Step-by-step execution that enters procedures is called step into. To execute in this mode,
press F7. The difference from the previous mode is that when a CALL command is invoked, all of its
instructions are executed one after another.
Instead of the methods just described (step over & step into), animation can be used. For the two
modes use <Ctrl>+<F8> and <Ctrl>+<F7> respectively. When you press these keyboard shortcuts, the
step over and step into commands run one instruction after another with a short pause between
them. After each instruction is executed the debugger window is refreshed, so you can follow the
changes.
Pressing the <Esc> key at any time pauses execution. Likewise, execution stops when a breakpoint is
hit, and also when the program being debugged raises an exception.
Another form of step-by-step program execution is trace mode. Trace mode resembles animation, but
here the debugger window is not refreshed at every step. The two tracing methods corresponding to
step over and step into are available with the <Ctrl>+<F12> and <Ctrl>+<F11> keys. Tracing can be
stopped with the same methods used for animation. After each command is executed, the information
about its execution is copied into the main tracing buffer, which you can view with the Run trace
command on the View menu. If you wish, the contents of the tracing buffer can be saved as a text
file. Likewise, you can define with conditions when tracing should stop (set trace condition) -
<Ctrl>+<T>. See Figure (6).
Figure (6)
Figure (7)
(a) EAX == 1 — this tells the debugger to stop execution if the EAX register equals one.
(b) EAX = 0 and ECX > 10 — this tells the debugger to stop execution if the EAX register is zero
and the ECX register is greater than ten.
(c) [STRING 427010] == 'Error' — this tells the debugger to stop execution if the string 'Error' is
found at virtual address (VA) 427010h. It can also be written as EAX == 'Error'; then whatever EAX
holds is treated as a pointer and converted to a string.
(d) [427070] = 1231 — this sets the breakpoint if the contents of VA 427070h equal 1231h.
(e) [[427070]] = 1231 — this is indirect use of an address. That is, VA 427070h holds another VA,
and the breakpoint is set by checking whether the contents of that VA equal 1231h.
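As an added example that is not part of the original text, here is a small Python evaluator for conditions written in the style above, run against a constructed register/memory state. It covers the five forms listed: register comparisons, and, the [addr] and [[addr]] dereferences, and the [STRING addr] / EAX == 'text' string form. Numbers are read as hexadecimal, as the text's 427070h and 1231h imply. The state (EAX, ECX, the cells at 427010h, 427070h and 427080h), the tokenizer and the class and function names are my own assumptions for the demo, not OllyDbg's implementation.

```python
# Added example (not from the original text): evaluator for breakpoint conditions
# in the style shown above, over a constructed machine state. Names and state are
# assumptions for the demo; this is not OllyDbg's own code.
import re

TOKEN_RE = re.compile(r"\s*(\[|\]|==|!=|>=|<=|=|>|<|'[^']*'|\w+)")

# a lone '=' is accepted as equality, as in the text's examples
OPS = {"==": lambda a, b: a == b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError("bad token at %d in %r" % (pos, text))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Machine:
    """Registers plus a sparse little-endian memory (address -> byte)."""

    def __init__(self, regs, mem):
        self.regs = {k.upper(): v for k, v in regs.items()}
        self.mem = mem

    def read_dword(self, addr):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(4)), "little")

    def read_string(self, addr, limit=256):     # NUL-terminated text at addr
        out = bytearray()
        while len(out) < limit and self.mem.get(addr + len(out), 0):
            out.append(self.mem[addr + len(out)])
        return out.decode("latin-1")


class Parser:
    """cond := cmp ('and' cmp)* ; cmp := term (op term)? ;
    term := REG | HEXNUM | 'text' | [term] | [STRING term]"""

    def __init__(self, tokens, machine):
        self.toks, self.i, self.m = tokens, 0, machine

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.i += 1
        return tok

    def cond(self):
        value = self.cmp()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            value = self.cmp() and value
        return value

    def cmp(self):
        left = self.term()
        if self.peek() in OPS:
            op, right = self.take(), self.term()
            # text on one side only: the other side is a pointer to a string (EAX == 'Error')
            if isinstance(left, str) != isinstance(right, str):
                left, right = [self.m.read_string(v) if isinstance(v, int) else v for v in (left, right)]
            return OPS[op](left, right)
        return bool(left)

    def term(self):
        tok = self.take()
        if tok == "[":                                     # [addr] reads a dword, [STRING addr] text
            is_text = self.peek() is not None and self.peek().upper() == "STRING"
            if is_text:
                self.take()
            addr = self.term()
            self.take("]")
            return self.m.read_string(addr) if is_text else self.m.read_dword(addr)
        if tok.startswith("'"):
            return tok[1:-1]
        if tok.upper() in self.m.regs:
            return self.m.regs[tok.upper()]
        return int(tok.rstrip("hH"), 16)                  # numbers are hex; a 427070h suffix is allowed


def evaluate(condition, machine):
    """True if the breakpoint condition holds in the given machine state."""
    parser = Parser(tokenize(condition), machine)
    result = parser.cond()
    if parser.peek() is not None:
        raise ValueError("unexpected trailing token %r" % parser.peek())
    return bool(result)


def store_dword(mem, addr, value):
    for i, b in enumerate(value.to_bytes(4, "little")):
        mem[addr + i] = b


def store_string(mem, addr, text):
    for i, b in enumerate(text.encode("latin-1") + b"\0"):
        mem[addr + i] = b


def sample_machine():
    """Constructed state: EAX = 0, ECX = 20h, 427070h -> 427080h -> 1231h, 'Error' at 427010h."""
    mem = {}
    store_dword(mem, 0x427070, 0x427080)
    store_dword(mem, 0x427080, 0x1231)
    store_string(mem, 0x427010, "Error")
    return Machine({"EAX": 0, "ECX": 0x20}, mem)
```

With this state, evaluate("[427070] = 1231", sample_machine()) is False because the cell holds a pointer, while "[[427070]] = 1231" follows that pointer and is True; setting EAX to 427010h makes "EAX == 'Error'" hold, which is the pointer-to-string reading described in (c).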
(8.3) Conditional Breakpoints with a Log
This is simply an extension of conditional breakpoints. To set a conditional logging breakpoint,
press <Shift>+<F4>. Whenever such a breakpoint is hit, the event is recorded in a log. To look at
the contents of the log, press <Alt>+<L> or choose the Log command from the View menu. See Figure (8).
Figure (8)
(8.4) Breakpoint to Windows Messages
Because messages arrive at the window function (more precisely, the window class function), the
application window must be open before a breakpoint can be set on a particular Windows message.
In other words, a windowing application has to be started for execution. To keep things simple,
load a simple application with a single window into the debugger. Press <Ctrl>+<F8> to start the
application. The application window comes alive after about a second. While part of the program
keeps executing continuously
Figure (9)
The window shown in Figure (9) lets the investigator find the window descriptor, its name, its
identifier and, most importantly, the address of the window procedure (ClsProc). Besides letting
the investigator find the window functions, the information about the window procedure address
allows both ordinary breakpoints and conditional breakpoints to be set. In any case, when working
with window functions it is best to set the breakpoints where the window messages are. So click
the window shown in Figure (9) and choose Message breakpoint on ClassProc from the context menu.
Another window appears in which the following breakpoint parameters can be set. See Figure (10).
Figure (10)
(a) Choose the message from the drop-down list. Note the following:
(1) Instead of a message you can also choose an event. Such an event can stand for many
messages, such as creating/destroying a window or keyboard events.
(2) You can also choose messages you have defined yourself.
(b) To be able to tell which messages arrive from which windows, list the windows to be traced.
The choices are: the given window, all windows with the given title, or all windows.
(c) Set the counter so you know how many times the breakpoint has been triggered.
Figure (11)
(8.6) Breakpoints at the Memory Area
The OllyDbg debugger allows only one breakpoint to be set on a memory area. To set it, select the
disassembler window or the data window, then choose the Breakpoint | Memory on access or
Breakpoint | Memory on write command from the context menu.
Figure (12)
Figure (13)
(9) Other capabilities
(9.1) Watch expressions Window
OllyDbg provides a special window for watching expressions. Recall that expressions came up when
conditional breakpoints were explained. Complex expressions involving memory cells and registers
can be used, and they can be made as complicated as necessary. To open the Watch expressions
window, use the View | Watches command. When the Watch expressions window is open, right-click and
choose the Add Watches command. You can then enter an expression for the debugger to watch; in
other words, it displays the expression's HEX value. Figure (14) shows a Watch expressions window
with four expressions: as each processor command is executed, the values are watched and displayed.
Figure (14)
Searching for information
In OllyDbg you can search for any information you like (ASCII, UNICODE, HEX) by pressing
<Ctrl>+<B>. See Figure (15). To search for a single command, use <Ctrl>+<F>; to search for a
sequence of commands, use <Ctrl>+<S>. <Ctrl>+<L> (Next) repeats the last search.
Figure (15)
Modifying and saving the executable module
In OllyDbg the code we have modified can be saved as a new executable program. To do this, simply
choose the Copy to executable | Selection or Copy to executable | All modifications command, then
save the result wherever you like under whatever new file name you choose.
Chapter (7) – Introduction to IDA Pro Advanced 5.2 - 101 -
Figure (1)
When working with the IDA Pro debugger, do not forget that there are three main ways of driving the
program: menu commands, toolbar buttons and hotkeys. Not every IDA action has a hotkey, but the
most commonly used actions do. For example... if some data block looks suspicious to you, you can
press the C key (short for code) to turn it into code. Conversely, if some block of Assembly
commands does not seem to make sense, you can press the D key (short for data) to turn it into
data.
IDA Pro uses the following configuration files...
ida.cfg – the default configuration file.
idatui.cfg – the configuration file for the console program.
Figure (2)
Figure (3)
- Rename DLL entries – if this flag is not set, IDA adds extra comments for functions imported by
ordinal; otherwise the disassembler renames those functions.
- Manual load – if this flag is selected, the disassembler consults the user at every step of the
loading process.
- Fill segment gaps – this flag matters only for NE modules; it instructs the disassembler to fill
the space between segments, so that one large segment is created.
- Make imports segment – when this flag is set, the disassembler is told to translate only the
.idata section, which holds the import information.
- Don't align segments – tells the disassembler how to align segments. During analysis this flag
is not used for modules.
- Kernel options1 – this window of flags lets the user choose preferences for analyzing the exe
code.
Create offsets and segments using fixup info lets you tell the disassembler to use the
information from the relocation table during code analysis.
Mark typical code sequence as code tells the disassembler to use typical processor command
sequences during analysis.
Delete instructions with no xrefs tells it to ignore processor instructions that have no
cross-references at all.
Trace execution flow allows the execution flow to be traced so that processor instructions can
be found.
Create functions if call is present tells the disassembler to record functions wherever there
are calls.
Analyze and create all xrefs is one of the main options to select; it makes the disassembler use
cross-references during analysis.
Use FLIRT signatures tells the disassembler to use Fast Library Identification and Recognition
Technology (FLIRT) to recognize library functions by their signatures.
Create function if data xref data → code32 exists tells the disassembler to check references to
code that lie in data areas.
Rename jump function as j_ names simple functions consisting only of a jmp somewhere command as
j_somewhere.
Rename empty function as nullsub_ names functions consisting of a single RET command as nullsub_.
Create stack variables creates (defines) the local variables and parameters of functions.
Trace stack pointer traces the value of the ESP register.
Create ASCII string if data xref exists treats a referenced data item as an ASCII string,
provided its size exceeds a certain value.
Convert 32-bit instruction operand to offset makes the disassembler treat an immediate data item
in a processor instruction as an address when its value falls within a predefined interval.
Create offset if data xref to seg32 exists makes the disassembler treat values stored in data
areas as addresses when the value falls within a predefined interval.
Make final analysis pass tells the disassembler, once the last stage of analysis has run, to
convert all unexplored bytes into data or instructions.
– Kernel options2 – this window with further flags lets the user choose preferences for analyzing
the exe code.
Locate and create jump tables tells the disassembler to infer the size and address of jump tables.
If the Coagulate data in the final pass flag is turned off, only the bytes of the code segment are
converted in the last stage of analysis. (See the Make final analysis pass flag.)
Automatically hide library function is used to hide (collapse) the library functions identified
with FLIRT.
Propagate stack argument information tells the disassembler to keep the information about a
call's stack parameters for subsequent calls (as when a function is called from another function).
Propagate register argument information tells the disassembler to keep the information about a
call's register parameters for subsequent calls (as with functions called from other functions).
Check for Unicode strings checks the program for Unicode strings.
Comment anonymous library functions tells the disassembler, once a particular library function
has been identified, to mark the unknown library functions using the library name and signatures.
Multiple copy library function recognition records multiple copies of the same function within
the program.
Create function tails finds function tails and adds them to the function definition.
– Processor options – this is a button that opens a window in which further flags can be selected.
Convert immediate operand of "push" to offset indicates the ability to convert the immediate
operand of a PUSH command into an offset (an address).
Convert db 90h after "jmp" to "nop" translates the 90H bytes that follow a JMP command into NOP
commands.
Convert immediate operand of "mov reg, …" to offset indicates the ability to convert the
immediate operand of a MOV reg, … command (where reg stands for a register) into an offset (an
address).
Convert immediate operand of "mov memory, …" to offset indicates the ability to convert the
immediate operand of a MOV mem, … command into an offset (an address).
Disassemble zero opcode instructions makes it disassemble the instruction 00 00: ADD [EAX], AL.
Normally this is not selected. See Figure (4).
Advanced analysis of Borland's RTTI (RTTI stands for run-time type information) tells IDA Pro to
check for and create RTTI structures.
Check "unknown_libname" for Borland's RTTI tells it to check the names marked unknown_libname
when RTTI structures are present.
Advanced analysis of catch/finally block after function tells it to look for exception-processing
blocks such as catch/finally.
Figure (4)
Allow references with different segment bases tells it to define character references even when
the value stored at the specified address is not a character (it is not shown as a character code).
Don't display redundant instruction prefixes hides some command prefixes to make the listing
easier to read.
Interpret int 20 as VxDcall translates INT 20H as a VxDcall/jump.
Enable FPU emulation instructions translates commands such as INT 3H as emulations of arithmetic
coprocessor commands.
If Explicit RIP-addressing is set, the program is assumed to use relative instruction pointer
(RIP) addressing. This flag must be selected for 64-bit processors.
– System DLL directory – sets the directory in which IDA Pro looks for DLL files. The .ids files
belonging to the respective libraries are the exception.
(4) Disassembler Window
In IDA Pro most of the work is done in the disassembler window, so you need to know this window in
detail. What I want to point out here is that the developers of this disassembler thought hard
about how to present a disassembled function and the ways of navigating it.
Hiding functions – In the Disassembler window, functions can be shown collapsed (hide) or expanded
(unhide). In collapsed form a function is shown as a single line. This useful feature helps you
read the disassembled code easily. To collapse/expand functions, use the (+)/(-) keys on the
numeric keypad, or choose Hide/Unhide from the View menu.
Indicating functions – Figure (5) shows the disassembler window. Look closely at the leftmost part
of this window. This part makes navigating the listing simpler. Commands are marked with small
dots; a line without a dot contains a comment. If the user clicks on one of these dots with the
mouse, IDA Pro sets a breakpoint at that address. Jumps are shown with dotted or continuous lines:
continuous lines indicate unconditional jumps (JMP), dotted lines conditional jumps (JE, JNZ).
Figure (5)
Using Special Comments – The addresses in a program carry special comments indicating which jumps
(conditional and unconditional jumps, or CALL commands) lead to them. If the reference means a jump
to the address in question, the comment usually begins with CODE XREF. If the command is
referenced as data (for example MOV EAX, OFFSET L1), it begins with DATA XREF. These comments are
called cross-references, and the cross-reference marker is followed by a colon. The addresses
after it show the start of the function or section where the references originate. Clicking one
of these addresses with the mouse brings up, in a pop-up window, the start of the code that
references the instruction in question. The address includes the characters <↑><↓>, which indicate
the line of code from which this instruction is referenced. If you want to go straight to the line
where the reference originates, double-click the address. If a given line has fewer than four
references, they are simply listed; otherwise the references are shown with dots. If you
right-click one of these addresses and choose Jump to cross reference, you can go straight to the
item you need. See Figure (6). A list of all the addresses then appears, as in Figure (7). Choose
the address you want to go to in Figure (7) and click OK.
Figure (6)
Figure (7)
Designating an address – The listing in the Disassembler window shows several ways of designating
an address. For example, where an API function is involved, the name of that function is given
exactly. Moreover, where strings are involved, IDA Pro usually bases the names of the references
on the strings it has identified. For instance, when IDA sets a reference to a string containing
the text You are wrong!, it turns the string into aYouAreWrong. Names with this "a" prefix are
treated by IDA Pro as ASCII strings. See Figure (8). All other names depend on a prefix and an
address, whether function names or
Figure (8)
Figure (9)
Using the context menu – When working with the Disassembler window, you have to get used to the
context menus that appear when you right-click in a window. Some menus differ according to the
part you select: for example, in the listing, for function names, instructions, comments and a
selected block. Some menu items relate to IDA Pro's debugger-like functions (Run to cursor, Add
breakpoint and Add execution trace). I particularly want to draw attention to the Rename menu,
because this item lets you edit the operands of a command.
Navigating a listing – The most important matter is navigating the listing. You can go straight
to the places a cross-reference points to. The other method (double-clicking on the
cross-reference) can also be used to come back (for example, to a conditional jump, to a CALL
command, or to the address in a command like MOV EAX, OFFSET address). Note that IDA Pro
remembers all of your jumps, so you can move forward and back to any place at any time with the
buttons.
(5) Other Windows
- Hex View – this window holds the hex dump of the loaded module, and the dump is also shown as
ASCII characters. The window is an auxiliary window tied to the disassembler window, so it can
easily be synchronized with it. To do this, right-click somewhere in the hex window and choose
Synchronize with → IDA View, as in Figure (10).
Figure (10)
This takes you straight to the IDA View at VA 0040B440, as in Figure (11). That is, the HEX byte
5E corresponds to POP ESI.
Figure (11)
- Exports – this window holds the list of exported functions. It is useful when working with
DLLs. For an ordinary exe module it shows only a single element, named start. See Figure (12).
Figure (12)
- Imports – this window holds the list of imported functions and modules. Double-clicking an
imported function takes you to the disassembler window, where it is found as an entry point. Thus
you can easily find all cross-references to this function in the program. See Figures (13/14).
Figure (13)
Figure (14)
- Names – this window holds all imports and library functions. It also holds the names of the
variables and labels known to IDA Pro. The letter (icon) to the left of each name is the name's
type. See Figure (15).
Figure (15)
L – Library function
F – Regular functions and API functions
C – Instruction (label)
A – ASCII string
D – Data
I – Imported function
Double-clicking a name takes you straight to the place in the program where that name is used. If
you want to create a new name, press the Insert key at the address you want to change. See
Figure (16).
Figure (16)
The name you typed also appears in the disassembler window. See Figure (17).
Figure (17)
- Functions – this window shows the list of functions known to IDA Pro, including library
functions and imported user functions. See Figure (18).
Figure (18)
- Strings – this window holds all the strings the disassembler has found. See Figure (19).
Figure (19)
Double-clicking a string takes you straight to the place where the string is declared. By default
this window shows only C-style strings. To show other kinds of strings, right-click in the window
and choose them through the Setup command. See Figure (20).
Figure (20)
- Structures – this window holds all the structures the disassembler has found. See Figure (21).
To add a new structure, press the Insert key.
Figure (21)
- Enums – this window is meant to show all the enumerations detected within the program.
The disassembler also offers other windows, notably the Library window. The online help system
calls this window the signatures window. It shows the list of signatures used to recognize
library functions. See Figure (22). Figure (22) shows the name of the file containing the function
signatures, the number of functions found with these signatures, and the names of the functions to
which the signatures apply.
Figure (22)
If you want to add the signature files you need, press the Insert key and add the ones you want.
See Figure (23). The signatures in that file are used immediately to recognize new functions.
Figure (23)
(6) Menu and toolbar
IDA's menus and toolbars are only outlined here.
The items of the File menu are as follows –
Open – opens the exe module to be disassembled.
Load – loads files of various kinds. Reload the input reloads the module being disassembled.
Additional binary file loads another binary file into the database. IDS file opens an IDS
(intrusion-detection system) file containing information about the functions of the specified
import library. (All IDS files in the IDS directory are loaded automatically.) PDB file loads a
PDB file containing debug information. DBG file likewise loads a file containing debug
information. FLIRT signature file loads and applies signature files. (This does the same thing as
the signature window seen in Figure 22.) Parse C header file reads type definitions from a header
file in order to declare further new structures and enumerations. (See the Enums and Structures
windows.)
Produce File – creates new files of various kinds from the disassembled code. .map can be used by
debuggers. .asm is an Assembly file, and .lst saves the code seen in IDA View. Files such as .inc,
.exe, .dif and .html can also be produced. If the Hex-Rays Decompiler is installed, the
disassembled exe files can be decompiled into .c (C source code) files. See Figure (24).
/* Hex-Rays decompiler output shown in Figure (24): load the library named by ValueName as a data file */
if ( LCData ) {
    lstrcpyA(v5, &LCData);                  /* copy the LCData string into the v5 buffer */
    v7 = LoadLibraryExA(ValueName, 0, 2u);  /* 2 = LOAD_LIBRARY_AS_DATAFILE */
    v3 = v7;
    if ( !v7 )
    {
        v14 = 0;
        lstrcpyA(v5, &LCData);              /* on failure the same call is simply retried */
        v3 = LoadLibraryExA(ValueName, 0, 2u);
    }
}
Figure (24)
IDC file – loads and runs script files.
IDC command – opens a window in which scripts can be executed immediately.
Save… – saves the database currently being disassembled with the .idb extension.
Save as… – saves the database currently being disassembled under a specified name.
Close – saves the database being disassembled and closes the disassembled file.
The items of the Edit menu are as follows –
Copy – copies the selection to the clipboard.
CODE – converts the block into executable code.
DATA – converts the selected block into data.
Struct var… – converts the block into the chosen structure.
Strings – converts the block into a string (the string type can be chosen from the submenu).
Array – converts the block into an array with the parameters you set.
Undefine – marks the selected block as undefined, untyped bytes again.
Name – renames the selected item.
Operand type – sets the type of an operand.
Comments – adds comments.
Segments – for working with segments.
Structs – for working with structures.
Functions – for working with functions.
Other – other operations such as setting an alignment directive, typing in instructions or data by hand, and highlighting in a colour.
Plugins – for using other plug-in modules.
Figure 25
The items of the Jump menu are for the various kinds of jumps within the disassembled code: for example, jumping to a given address, jumping to a given function (which can be chosen from a list), jumping to the program's entry point (EP), or jumping to a given label. Figure 25.
The items of the Search menu are for the various search operations over the disassembled text: for example, searching for text, for the next data block, for the next assembly instruction, or for the next byte sequence. Figure 26.
Figure 26
With the View menu items you can arrange IDA Pro's views as you like: open additional windows (Open Subviews), create and remove toolbars (Toolbars), and hide or unhide functions (hide/unhide).
The commands of the Debugger menu expose IDA Pro's various debugging capabilities: managing breakpoints (Breakpoints), managing watches (Watches), tracing (Tracing), and viewing the values of the various registers (General registers, Segment registers, FPU registers).
The Options menu is for changing IDA Pro's settings, as I explained earlier.
With the Windows menu items you can manage IDA Pro's windows.
The Help menu items give you technical assistance.
(7) IDA Pro's built-in programming language
The IDA Pro disassembler comes with a built-in programming language, so you can write small programs of your own and use them to examine the disassembled code.
The language that ships with IDA Pro closely resembles C (ANSI C), which is why it is named IDC (Interactive Disassembler C). Sample programs in this language are found in the IDC subdirectory; IDA Pro uses these programs to analyse the disassembled text. All of them are easy to follow, so you can use them to learn the IDC language.
There are two ways to execute IDC commands.
1. The first is to use the command window. To open it, either choose File | IDC command or press Shift + F2. The command window looks like Figure 27. In this window you can edit IDC commands; when you are done, just press the OK button and IDA Pro compiles the commands and tries to execute them. So with this window you can write simple programs in the IDC language.
2. The more fundamental approach is to create files with the .idc extension containing IDC code. To open such a program, choose IDC file from the File menu; the program is compiled and executed immediately. In addition, another window like Figure 28 appears, with buttons for editing the program code and for executing the program.
A program written in IDC must contain at least the following.
#include <idc.idc>          // standard IDC definitions; every script starts with this

static main(void)           // IDA calls main() when the script is run
{
    // Your code here;
}
Figure 27
Figure 28
Finally, if you want to get to know IDA Pro in depth, I recommend reading Chris Eagle's book "The IDA Pro Book – The Unofficial Guide to the World's Most Popular Disassembler".
Chapter 8 - PE Header - 121 -
Chapter 8 - PE Header
(1) PE file structure
Portable Executable (PE) is the file format used for executable (EXE) files and DLL object files on 32-bit and 64-bit Windows operating systems. The word Portable itself refers to the format being usable interchangeably across 32-bit and 64-bit Windows. The PE format is basically a data structure that encapsulates the information the Windows OS loader needs in order to manage the wrapped executable code: dynamic library references for linking, tables for exporting and importing APIs, resource management data and TLS data. The format was devised by Microsoft, modelled on the COFF file format used on VAX/VMS.
The name "Portable Executable" was chosen because the intent was one basic file format for all of Windows, able to run on every CPU; that is, usable on the Windows NT family, the Windows 95 family and Windows CE. The OBJ files produced by Microsoft compilers are in COFF (Common Object File Format) format. On 64-bit Windows the PE format needs a few small modifications. Figure 1 shows the basic structure of a PE file.
DOS MZ Header
DOS Stub
PE header
Section Table
Section 1
Section 2
Section …
Section n
Figure 1
A PE file has at least two sections, one for code and one for data. A Windows NT application has about nine: .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, and some may have more, depending on their needs.
The sections most commonly found in a file are ...
- executable code section: .text (Microsoft), CODE (Borland)
- data section: .data, .rdata, .bss (Microsoft), DATA, BSS (Borland)
Figure 2
What virtual memory does is, instead of letting software use physical memory directly, to create an invisible layer between the processor and the operating system. Every time memory is accessed, the processor consults the page table to work out which physical memory address a given process is really using. Having a table entry for every single byte of memory is not practical (the page table would be larger than all of physical memory
IMAGE_DOS_HEADER STRUCT
    e_magic      WORD  ?           ; magic number: 4Dh 5Ah ("MZ")
    e_cblp       WORD  ?           ; bytes on last page of file
    e_cp         WORD  ?           ; pages in file
    e_crlc       WORD  ?           ; relocations
    e_cparhdr    WORD  ?           ; size of header in paragraphs
    e_minalloc   WORD  ?           ; minimum extra paragraphs needed
    e_maxalloc   WORD  ?           ; maximum extra paragraphs needed
    e_ss         WORD  ?           ; initial (relative) SS value
    e_sp         WORD  ?           ; initial SP value
    e_csum       WORD  ?           ; checksum
    e_ip         WORD  ?           ; initial IP value
    e_cs         WORD  ?           ; initial (relative) CS value
    e_lfarlc     WORD  ?           ; file address of relocation table
    e_ovno       WORD  ?           ; overlay number
    e_res        WORD  4 dup (?)   ; reserved
    e_oemid      WORD  ?           ; OEM identifier
    e_oeminfo    WORD  ?           ; OEM information
    e_res2       WORD  10 dup (?)  ; reserved
    e_lfanew     DWORD ?           ; file offset of the PE header (this field sits at 3Ch)
IMAGE_DOS_HEADER ENDS
The magic field of the DOS header in a PE file holds the values 4Dh, 5Ah (the letters MZ, the initials of Mark Zbikowski, one of the original designers of MS-DOS), and marks a valid DOS header. MZ are the first two bytes of the file and can be seen in any PE file opened in a hex editor.
e_lfanew is a DWORD at the very end of the DOS header (file offset 3Ch), just before the DOS stub begins. It holds the file offset of the PE header, measured from the start of the file. The Windows loader reads this offset, which is how it can skip the DOS stub and go straight to the PE header. (Note: DWORD (double word) = 4 bytes or 32 bits; WORD = 2 bytes or 16 bits. DWORD is sometimes also written dd; dw is a WORD and db a byte. Figure 3.)
Figure 3
I said that the DOS header occupies the first 64 bytes of a PE file, that is, the first four lines of Figure 3 (offset 0000 through offset 0030). The last DWORD before the DOS stub contains 00h 01h 00h 00h; read in reverse, from the last byte to the first, that is 00 00 01 00h, the offset at which the PE header begins. The PE header in turn starts with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by two zero bytes). If you find NE instead of PE at the signature position, the file is an NE file for 16-bit Windows. Likewise LE means a Windows 3.x virtual device driver (VxD), and LX an OS/2 2.0 file.
(3) PE Header
The PE header is a structure called IMAGE_NT_HEADERS. It contains the information the Windows loader cannot do without. IMAGE_NT_HEADERS has three members, which are defined in windows.inc.
IMAGE_NT_HEADERS STRUCT
    Signature       DWORD ?
    FileHeader      IMAGE_FILE_HEADER <>
    OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS
- Signature is a DWORD containing the value 50h, 45h, 00h, 00h ("PE" followed by zeros).
- FileHeader is the next 20 bytes of the PE file and holds the file's physical layout and properties (for example the number of sections, and whether the file is an exe).
- OptionalHeader is the next 224 bytes and holds information about the PE file's logical layout (for example AddressOfEntryPoint). Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc.
FileHeader can be shown as follows.
IMAGE_FILE_HEADER STRUCT
    Machine               WORD   014C (Intel 386)
    NumberOfSections      WORD   0005
    TimeDateStamp         DWORD  846C26F0
    PointerToSymbolTable  DWORD  00000000
    NumberOfSymbols       DWORD  00000000
    SizeOfOptionalHeader  WORD   00E0
    Characteristics       WORD   818E (File is exe)
IMAGE_FILE_HEADER ENDS
We will not use most of these fields. NumberOfSections, however, has to be used whenever we delete or add sections in a PE file. Characteristics holds flags that tell whether the PE file is an executable or a DLL. The seventh byte from the start of the PE header is NumberOfSections; it says how many sections there are. Figure 4.
Figure 4
According to Figure 4 the PE file we opened has 5 sections. PE browse and LordPE were used for this.
OptionalHeader occupies 224 bytes; its last 128 bytes hold the DataDirectory.
IMAGE_OPTIONAL_HEADER32 STRUCT
    Magic                        WORD   010B (PE32)
    MajorLinkerVersion           BYTE   02
    MinorLinkerVersion           BYTE   19
    SizeOfCode                   DWORD  00000600
    SizeOfInitializedData        DWORD  00001800
    SizeOfUninitializedData      DWORD  00000000
    AddressOfEntryPoint          DWORD  00001000 (CODE)
    BaseOfCode                   DWORD  00001000
    BaseOfData                   DWORD  00002000
    ImageBase                    DWORD  00400000
    SectionAlignment             DWORD  00001000
    FileAlignment                DWORD  00000200
    MajorOperatingSystemVersion  WORD   0001
    MinorOperatingSystemVersion  WORD   0000
    MajorImageVersion            WORD   0000
    MinorImageVersion            WORD   0000
    MajorSubsystemVersion        WORD   0003
    MinorSubsystemVersion        WORD   000A
    Win32VersionValue            DWORD  00000000
    SizeOfImage                  DWORD  00006000
    SizeOfHeaders                DWORD  00000400
    CheckSum                     DWORD  00000000
    Subsystem                    WORD   0002 (Windows GUI)
    DllCharacteristics           WORD   0000
    SizeOfStackReserve           DWORD  00100000
    SizeOfStackCommit            DWORD  00002000
    SizeOfHeapReserve            DWORD  00100000
    SizeOfHeapCommit             DWORD  00000000
    LoaderFlags                  DWORD  00000000
    NumberOfRvaAndSizes          DWORD  00000010
    DataDirectory                IMAGE_DATA_DIRECTORY 16 dup (<>)
IMAGE_OPTIONAL_HEADER32 ENDS
FileAlignment - the alignment of sections within the file. For instance, if this field holds 512 (200h), every section must start at a multiple of 512 bytes. If the first section is at offset 200h and is only 10 bytes long, the next section still starts at 400h; the unused offsets between 512 and 1024 are simply wasted.
SizeOfImage - the total size of the PE image in memory: the sum of all headers and all sections, each rounded up to SectionAlignment.
SizeOfHeaders - the size of all the headers plus the section table (rounded up to FileAlignment). Roughly speaking, this value equals the file size minus the combined size of all the sections in the file.
DataDirectory - an array of 16 IMAGE_DATA_DIRECTORY structures, each giving the location of one important data structure in the PE file, such as the import address table (IAT).
Figure 5 shows the layout of the PE header as seen in a hex editor. Note that every part of the DOS header and PE header has the same size and shape whichever hex editor you view them in; only the DOS stub can vary in size.
Figure 5
The PE header can also be examined in detail in Olly. Open OllyDbg and press Alt + M; you will see Figure 6.
Figure 6
Right-click the line labelled PE header in Figure 6 and choose Dump in CPU, and you get Figure 7.
Figure 7
Right-click in the hex window of Figure 7 and choose PE header under Special, and you get Figure 8.
Figure 8
Each IMAGE_DATA_DIRECTORY entry has two DWORD members. VirtualAddress is the relative virtual address (RVA) of the data structure, and isize is the size of the data structure in bytes.
The names of the 16 directories declared in windows.inc are as follows -
IMAGE_DIRECTORY_ENTRY_EXPORT          equ 0   (export symbols)
IMAGE_DIRECTORY_ENTRY_IMPORT          equ 1   (import symbols)
IMAGE_DIRECTORY_ENTRY_RESOURCE        equ 2   (resources)
IMAGE_DIRECTORY_ENTRY_EXCEPTION       equ 3   (exception)
IMAGE_DIRECTORY_ENTRY_SECURITY        equ 4   (security)
IMAGE_DIRECTORY_ENTRY_BASERELOC       equ 5   (base relocation)
IMAGE_DIRECTORY_ENTRY_DEBUG           equ 6   (debug)
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       equ 7   (copyright string; called ARCHITECTURE in newer SDK headers)
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       equ 8   (global pointer register value; unused on x86)
IMAGE_DIRECTORY_ENTRY_TLS             equ 9   (thread local storage)
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     equ 10  (load configuration)
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    equ 11  (bound import)
IMAGE_DIRECTORY_ENTRY_IAT             equ 12  (import address table)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    equ 13  (delay import)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  equ 14  (COM descriptor)
IMAGE_NUMBEROF_DIRECTORY_ENTRIES      equ 16
Figure 9
Figure 10
In Figure 10 the import directory is shown in pink. Its first 4 bytes are 40000h (stored in reversed byte order), and the size of the import directory is 1CDCh bytes. The DWORD 80h bytes from the start of the PE header is always the RVA of the import directory. Yellow is the resource directory and purple the TLS directory.
To locate a particular directory, start from the data directory and compute its virtual address; then use that virtual address to find out which section the directory lies in. Once you know which section holds which directory, use that section's section header to work out the exact file offset.
(5) Section Table
The section table follows immediately after the PE header. It is an array of IMAGE_SECTION_HEADER structures, each of which describes one section of the PE file: its attributes, its virtual offset and so on. Remember that the number of sections is the second member of the file header (6 bytes from the start of the PE header). So if the PE file has 8 sections, there are 8 copies of this structure in the table. Each header structure is 40 bytes and is declared in windows.inc as follows.
IMAGE_SECTION_HEADER STRUCT
    Name1                 BYTE IMAGE_SIZEOF_SHORT_NAME dup (?) ; 8-byte section name (not necessarily null-terminated)
    union Misc
        PhysicalAddress   DWORD ?   ; used in object files only
        VirtualSize       DWORD ?   ; size of the section once loaded into memory
    ends
    VirtualAddress        DWORD ?   ; RVA of the section when loaded
    SizeOfRawData         DWORD ?   ; size of the section's data in the file (multiple of FileAlignment)
    PointerToRawData      DWORD ?   ; file offset of the section's data
    PointerToRelocations  DWORD ?   ; object files only
    PointerToLinenumbers  DWORD ?   ; object files only
    NumberOfRelocations   WORD  ?   ; object files only
    NumberOfLinenumbers   WORD  ?   ; object files only
    Characteristics       DWORD ?   ; flags: code/data, readable, writable, executable, ...
IMAGE_SECTION_HEADER ENDS
IMAGE_SIZEOF_SHORT_NAME equ 8
Figure 11
The green highlight in Figure 11 is PointerToRawData. To make it clearer, Figure 12 shows the same thing in LordPE.
Figure 12
After the section headers come the sections themselves. In the file on disk each section starts at an offset that is some multiple of the FileAlignment value found in the optional header, and the gaps between the data of successive sections are filled with zeros. Once loaded into RAM, sections always start on a page boundary, so the first byte of every section coincides with the start of a memory page. Pages are 4 kB aligned on x86 CPUs and 8 kB aligned on IA-64. This alignment value is likewise kept in the OptionalHeader, in SectionAlignment.
For example, if the optional header ends at file offset 981 and FileAlignment is 512, the first section starts at byte 1024. Keep in mind that you can always locate a section through PointerToRawData (in the file) or VirtualAddress (in memory), so there is no need to puzzle over the alignments.
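The hand-walk described in the DOS header, PE header, data directory and section table passages above, carried out in code. This is an added example and not the book's own code or the output of the tools it mentions: it constructs a minimal PE32 image in memory (a sample built here, with illustrative field values, not a file from the book), then follows MZ, e_lfanew, the PE signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, the data directory and the section table, and finally maps an RVA to a file offset through the section headers, which is the step the text says to do with the section header once you know which section a directory lies in.

```python
import struct

# Constants from the PE specification; the sample image below is constructed for this
# example and is not a file from the book.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"                  # 20 bytes
IMAGE_SECTION_HEADER_FMT = "<8sIIIIIIHHI"           # 40 bytes
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def build_sample_pe():
    """Construct a minimal PE32 image: DOS header, 16-byte stub, PE header, two sections."""
    dos = bytearray(64)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x50)         # e_lfanew: PE header right after the stub
    stub = b"\xCD\x21" + b"\0" * 14                  # placeholder DOS stub (never executed)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b".text", 0x10, 0x1000, 0x200, 0x400, 0x60000020),   # code | execute | read
        (b".idata", 0x40, 0x2000, 0x200, 0x600, 0xC0000040),  # initialized data | read | write
    ]
    file_hdr = struct.pack(IMAGE_FILE_HEADER_FMT,
                           0x14C, len(sections), 0, 0, 0, 0xE0, 0x010E)  # i386, 2 sections, exe
    # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes), fields in declaration order
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
    opt_hdr = struct.pack(opt_fmt,
                          0x10B, 2, 0x19,                    # Magic PE32, linker version
                          0x200, 0x200, 0,                   # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                          0x1000, 0x1000, 0x2000, 0x400000,  # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
                          0x1000, 0x200,                     # SectionAlignment, FileAlignment
                          4, 0, 0, 0, 4, 0,                  # OS / image / subsystem versions
                          0, 0x3000, 0x400, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                          2, 0,                              # Subsystem (GUI), DllCharacteristics
                          0x100000, 0x1000, 0x100000, 0,     # stack / heap reserve and commit
                          0, 16)                             # LoaderFlags, NumberOfRvaAndSizes
    data_dir = bytearray(16 * 8)                             # 16 x (VirtualAddress, isize)
    struct.pack_into("<II", data_dir, IMAGE_DIRECTORY_ENTRY_IMPORT * 8, 0x2000, 0x40)
    sect_tbl = b"".join(
        struct.pack(IMAGE_SECTION_HEADER_FMT, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in sections)
    image = bytearray(dos + stub + PE_SIGNATURE + file_hdr + opt_hdr + data_dir + sect_tbl)
    image += b"\0" * (0x400 - len(image))            # pad the headers up to SizeOfHeaders
    image += b"\xC3".ljust(0x200, b"\0")             # .text raw data: a single RET
    image += b"\0" * 0x200                           # .idata raw data (left empty in this sample)
    return bytes(image)


def parse_pe_headers(data):
    """Walk MZ -> e_lfanew -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] in (b"NE", b"LE", b"LX"):             # 16-bit Windows, VxD, OS/2 images
        raise ValueError("%s image, not PE" % sig[:2].decode())
    if sig != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, size_opt, chars = struct.unpack_from(IMAGE_FILE_HEADER_FMT, data, fh)
    oh = fh + 20
    magic, = struct.unpack_from("<H", data, oh)
    entry, _, _, image_base, sect_align, file_align = struct.unpack_from("<6I", data, oh + 16)
    size_image, size_headers = struct.unpack_from("<II", data, oh + 56)
    n_dirs, = struct.unpack_from("<I", data, oh + 92)
    dirs = [struct.unpack_from("<II", data, oh + 96 + 8 * i) for i in range(n_dirs)]
    sections = [struct.unpack_from("<8sIIII", data, oh + size_opt + 40 * i) for i in range(nsect)]
    return {
        "e_lfanew": e_lfanew, "machine": machine, "number_of_sections": nsect,
        "characteristics": chars, "magic": magic, "entry_point": entry,
        "image_base": image_base, "section_alignment": sect_align, "file_alignment": file_align,
        "size_of_image": size_image, "size_of_headers": size_headers,
        "import_dir": dirs[IMAGE_DIRECTORY_ENTRY_IMPORT],
        # offset of the import directory entry measured from the PE signature
        "import_dir_pe_offset": oh + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT - e_lfanew,
        "sections": [(n.rstrip(b"\0").decode(), vs, va, rs, rp) for n, vs, va, rs, rp in sections],
    }


def rva_to_file_offset(pe, rva):
    """Find the section containing `rva` and translate it to a file offset via its header."""
    for _, vsize, va, rawsize, rawptr in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    if rva < pe["size_of_headers"]:                  # the headers are mapped 1:1
        return rva
    raise ValueError("RVA %#x is not in any section" % rva)
```

On a real file, replace build_sample_pe() with the bytes read from disk; the import directory entry then lands at 80h from the PE signature exactly as the text states, and rva_to_file_offset is what turns its RVA into the hex-editor offset.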
(6) PE File Sections
Sections hold the code, data, resources and other information. Every section consists of a header and a body (the raw data). The section table holds the section headers, but the section bodies have no rigid file structure of their own; the linker may arrange them however it likes, as long as the header carries enough information to decipher the data.
A Windows NT application has about nine predefined section names: .text, .bss, .data, .rdata, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, and some may need more.
Figure 13
This tool is widely used for looking at dialog boxes. The nag screens found in some shareware applications can easily be removed with ResHacker.
(6.4) Export data section
The .edata section holds the export directory an application or DLL needs. It contains the addresses and names of the exported functions; this is explained in detail later.
(6.5) Import data section
The .idata section holds all the information about imported functions, including the Import Directory and the Import Address Table. This too is discussed in detail later.
IMAGE_EXPORT_DIRECTORY STRUCT
    Characteristics        DWORD ?   ; reserved, 0
    TimeDateStamp          DWORD ?   ; when the export data was created
    MajorVersion           WORD  ?   ; user-defined version, usually 0
    MinorVersion           WORD  ?
    nName                  DWORD ?   ; RVA of the module's internal name (ASCIIZ)
    nBase                  DWORD ?   ; starting ordinal
    NumberOfFunctions      DWORD ?   ; entries in the Export Address Table
    NumberOfNames          DWORD ?   ; entries in the Export Name Table / Export Ordinal Table
    AddressOfFunctions     DWORD ?   ; RVA of the EAT (array of DWORD RVAs)
    AddressOfNames         DWORD ?   ; RVA of the ENT (array of DWORD RVAs to names)
    AddressOfNameOrdinals  DWORD ?   ; RVA of the EOT (array of WORD indices into the EAT)
IMAGE_EXPORT_DIRECTORY ENDS
nName - the module's internal name. This field is needed because the user may rename the file; if that happens, the PE loader uses this internal name.
nBase - the starting ordinal number (needed so that the indices can be used as indices into the function address array).
NumberOfFunctions - the total number of functions (also referred to as symbols) exported by the module.
NumberOfNames - the number of symbols exported by name. This is not the number of all functions/symbols in the module; for that you must check NumberOfFunctions. It can be 0, in which case the module exports by ordinal only. If there are no exported functions/symbols at all, the RVA of the export table in the data directory is zero.
AddressOfFunctions - an RVA pointing to an array of pointers (RVAs) to the functions in the module, the Export Address Table (EAT). The RVAs of all functions in the module are kept in this one array, and this field points to the head of it.
AddressOfNames - an RVA pointing to an array of RVAs of the function names in the module, the Export Name Table (ENT).
AddressOfNameOrdinals - an RVA pointing to a 16-bit array holding the ordinals of the named functions, the Export Ordinal Table (EOT).
Figure 14
Figure 15
For example, if a DLL exports around 40 functions, the array that AddressOfFunctions (EAT) points to must have about 40 members, and the NumberOfFunctions field must hold about 40 as well.
To find a function's address from its name, the OS first reads the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it searches the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) for the function name. If the name is found in the ENT, the value in the associated EOT element is extracted and used as an index into the EAT.
For example, let us look up functionX in our 40-function DLL. Suppose we find functionX's name (indirectly, through its pointer) in the 39th element of the ENT; we then look at the 39th element of the EOT and find the value 5. To get functionX's RVA we therefore look at the 5th element of the EAT.
If you already have a function's ordinal, you can find its address by going straight to the EAT. Fetching a function's address by ordinal is easier and faster than by name, but the disadvantage is that the module becomes hard to maintain: if the DLL is upgraded or updated and the functions' ordinals change, the other programs that depend on the DLL break.
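The name and ordinal lookups described above, as an added example that is not the book's code: it lays out a constructed export section for a three-function DLL, with the EAT, ENT and EOT exactly as the windows.inc structure expects, then resolves a function by ordinal (straight into the EAT) and by name (binary search over the sorted ENT, then EOT index into the EAT, the same order of steps the text gives). The function names, code RVAs and DLL name are made up for the example; RVAs are used directly as offsets into one flat buffer, as if the image were mapped at base 0.

```python
import struct

# IMAGE_EXPORT_DIRECTORY as declared in windows.inc (40 bytes). The sample image built
# below is constructed for this example; RVA == offset into the flat buffer.
EXPORT_DIRECTORY_FMT = "<IIHHIIIIIII"
EXPORT_DIRECTORY_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
                           "nName", "nBase", "NumberOfFunctions", "NumberOfNames",
                           "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")


def build_sample_export_image(exports, dll_name=b"SAMPLE.dll", base=1, section_rva=0x1000):
    """exports: list of (name, code RVA) in ordinal order. Returns (image, export directory RVA)."""
    blob = bytearray()

    def put(ch):                                   # append a chunk, return the RVA it landed at
        rva = section_rva + len(blob)
        blob.extend(ch)
        return rva

    count = len(exports)
    dir_rva = put(b"\0" * 40)                                          # directory, filled in last
    eat_rva = put(struct.pack("<%dI" % count, *(rva for _, rva in exports)))   # EAT
    by_name = sorted(range(count), key=lambda i: exports[i][0])        # ENT must be sorted
    name_rvas = [put(exports[i][0].encode() + b"\0") for i in by_name]
    dll_name_rva = put(dll_name + b"\0")
    ent_rva = put(struct.pack("<%dI" % count, *name_rvas))             # ENT
    eot_rva = put(struct.pack("<%dH" % count, *by_name))               # EOT: EAT index per name
    struct.pack_into(EXPORT_DIRECTORY_FMT, blob, 0, 0, 0, 0, 0, dll_name_rva, base,
                     count, count, eat_rva, ent_rva, eot_rva)
    return bytes(section_rva) + bytes(blob), dir_rva


def read_asciiz(image, rva):
    return image[rva:image.index(b"\0", rva)].decode()


def parse_export_directory(image, dir_rva):
    return dict(zip(EXPORT_DIRECTORY_FIELDS, struct.unpack_from(EXPORT_DIRECTORY_FMT, image, dir_rva)))


def export_by_ordinal(image, exp, ordinal):
    """Ordinal lookup goes straight to the EAT: index = ordinal - nBase."""
    index = ordinal - exp["nBase"]
    if not 0 <= index < exp["NumberOfFunctions"]:
        raise KeyError("ordinal %d out of range" % ordinal)
    return struct.unpack_from("<I", image, exp["AddressOfFunctions"] + 4 * index)[0]


def export_by_name(image, exp, name):
    """Name lookup: binary-search the ENT, then use the matching EOT entry as the EAT index."""
    lo, hi = 0, exp["NumberOfNames"] - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        entry_rva, = struct.unpack_from("<I", image, exp["AddressOfNames"] + 4 * mid)
        candidate = read_asciiz(image, entry_rva)
        if candidate == name:
            index, = struct.unpack_from("<H", image, exp["AddressOfNameOrdinals"] + 2 * mid)
            return export_by_ordinal(image, exp, index + exp["nBase"])
        if candidate < name:
            lo = mid + 1
        else:
            hi = mid - 1
    raise KeyError("%s is not exported by name" % name)
```

The binary search is why the ENT has to be sorted by the linker; a tampered export table with unsorted names still resolves by ordinal but may fail lookups by name, which is worth remembering when patching one.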
Hint - holds an index into the exporting DLL's export name table (ENT). It is there for the PE loader, which uses it to look the function up quickly in the DLL's export tables: it first tries the name at this index, and only if that does not match does it fall back to a binary search for the name. The value is not essential; some linkers simply set it to zero.
Name1 - holds the name of the imported function as a null-terminated (\0) ASCII string. Note that Name1 is declared as a single byte, but it is really a variable-length field, because there is no way to express a variable-length field inside a structure.
The most important parts are the names of the imported DLLs and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. The imported
Figure 16
This is how the Windows loader is able to overwrite the IAT even when it lies in a read-only section. At load time the system temporarily sets the attributes of the pages holding the imports to read/write. Once the import table has been initialised, those pages are returned to their original, protected attributes.
Calls to imported functions work through the function pointers in the IAT. This can be done in two ways, one of them more useful than the other. As an example, consider the address 00405030, which refers to one of the entries in the FirstThunk array; the loader has overwritten it with the address of GetMessage in user32.dll.
The most suitable way to call GetMessage is:
0040100C CALL DWORD PTR [00405030]
This way is less convenient:
0040100C CALL 00402200
…
…
00402200 JMP DWORD PTR [00405030]
The point is that the second form gives the same result, but it costs 5 extra bytes of code and executes more slowly because of the extra jump.
Why are imported functions handled this way? The compiler does not distinguish imported functions from the ordinary functions in the same module; it emits the same output for both: CALL XXXXXXXX, where XXXXXXXX must be a real code address (not a pointer) that is filled in later. The linker does not know the imported function's address, so it has to substitute a chunk of code instead, which is the JMP stub seen above.
The proper way to tell the compiler that a function lives in a DLL is the __declspec(dllimport) modifier; it then emits CALL DWORD PTR [XXXXXXXX] directly.
If __declspec(dllimport) was not used when the exe was compiled, somewhere in the code there will be the jump stubs for the imported functions, grouped together. This is known variously as the transfer area, trampoline or jump thunk table.
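The two call styles above, encoded and measured, as an added example that is not from the book: it emits CALL DWORD PTR [slot] (FF 15 disp32) and CALL rel32 (E8) plus the JMP DWORD PTR [slot] thunk (FF 25 disp32), shows where the 5 extra bytes come from, and resolves the IAT slot behind either form, which is the check you make when following an import call in a disassembly back to its IAT entry. The addresses are the ones from the text; the memory holding the thunk is a constructed dictionary, not a real process.

```python
import struct


def call_via_iat(iat_slot):
    """CALL DWORD PTR [iat_slot]: opcode FF /2 with a 32-bit absolute address (6 bytes)."""
    return b"\xFF\x15" + struct.pack("<I", iat_slot)


def call_rel32(instruction_address, target):
    """CALL rel32: E8 plus the signed distance from the end of this 5-byte instruction."""
    return b"\xE8" + struct.pack("<i", target - (instruction_address + 5))


def jmp_via_iat(iat_slot):
    """JMP DWORD PTR [iat_slot]: opcode FF /4, the import thunk (6 bytes)."""
    return b"\xFF\x25" + struct.pack("<I", iat_slot)


def compare_import_call_styles(call_site=0x40100C, thunk=0x402200, iat_slot=0x405030):
    """Encode both call styles for the GetMessage example and report the byte overhead."""
    direct = call_via_iat(iat_slot)
    via_thunk = call_rel32(call_site, thunk) + jmp_via_iat(iat_slot)
    return {"direct": direct, "via_thunk": via_thunk,
            "extra_bytes": len(via_thunk) - len(direct)}


def iat_slot_of_call(code, address, read_bytes):
    """Resolve the IAT slot a call ultimately goes through, following one JMP thunk if needed.
    `read_bytes(addr, n)` supplies memory at `addr` (here a constructed dict of code)."""
    if code[:2] == b"\xFF\x15":                            # direct CALL DWORD PTR [slot]
        return struct.unpack_from("<I", code, 2)[0]
    if code[:1] == b"\xE8":                                # CALL rel32 to a thunk ...
        target = address + 5 + struct.unpack_from("<i", code, 1)[0]
        stub = read_bytes(target, 6)
        if stub[:2] == b"\xFF\x25":                        # ... which must be JMP DWORD PTR [slot]
            return struct.unpack_from("<I", stub, 2)[0]
    raise ValueError("not an import call")
```

compare_import_call_styles() returns 11 bytes for the thunked form against 6 for the direct one, the 5-byte difference the text mentions; iat_slot_of_call() handles both shapes, so the same routine finds the IAT slot whether or not the binary was built with __declspec(dllimport).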
(8.2) Exporting functions by ordinal only
As discussed in the section on exports, some functions are exported by ordinal only. In that case the caller's module has no IMAGE_IMPORT_BY_NAME for the function; instead there is only an IMAGE_THUNK_DATA holding the function's ordinal.
Before the exe is loaded, you can tell whether an IMAGE_THUNK_DATA holds an ordinal or an RVA by looking at its MSB (most significant bit), the high bit. If it is set, the lower 31 bits are taken as the ordinal value (the PE specification itself defines the ordinal as the low 16 bits, which is the same value as long as bits 16 to 30 are zero).
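Decoding an OriginalFirstThunk array, as an added example that is not the book's code. The thunk entries, hints and names are constructed for the example: two imports by name (IMAGE_IMPORT_BY_NAME, a WORD Hint followed by the ASCIIZ Name1 described above) and one import by ordinal with the high bit set, terminated by the null DWORD. RVAs are used directly as offsets into one flat buffer.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit of a 32-bit IMAGE_THUNK_DATA


def build_sample_thunk_array():
    """Constructed OriginalFirstThunk array: two imports by name, one by ordinal, null terminator.
    Returns (image, RVA of the thunk array)."""
    image = bytearray(0x100)
    # IMAGE_IMPORT_BY_NAME = WORD Hint + ASCIIZ Name1 (Name1 is really variable-length)
    ibn_getmessage = 0x40
    ibn_loadlibrary = 0x60
    image[ibn_getmessage:ibn_getmessage + 14] = struct.pack("<H", 0x12A) + b"GetMessageA\0"
    image[ibn_loadlibrary:ibn_loadlibrary + 15] = struct.pack("<H", 0) + b"LoadLibraryA\0"  # hint left at 0
    thunks = struct.pack("<IIII",
                         ibn_getmessage,                    # RVA of an IMAGE_IMPORT_BY_NAME
                         IMAGE_ORDINAL_FLAG32 | 0x0020,     # import by ordinal 32 (high bit set)
                         ibn_loadlibrary,                   # RVA of an IMAGE_IMPORT_BY_NAME
                         0)                                 # terminating null DWORD
    image[0:16] = thunks
    return bytes(image), 0


def parse_thunk_array(image, thunk_rva):
    """Decode IMAGE_THUNK_DATA entries until the terminating null DWORD."""
    imports = []
    while True:
        value, = struct.unpack_from("<I", image, thunk_rva)
        if value == 0:
            return imports
        if value & IMAGE_ORDINAL_FLAG32:
            # import by ordinal: the specification defines the ordinal as the low 16 bits
            imports.append({"ordinal": value & 0xFFFF})
        else:
            # import by name: value is the RVA of an IMAGE_IMPORT_BY_NAME
            hint, = struct.unpack_from("<H", image, value)
            name = image[value + 2:image.index(b"\0", value + 2)].decode()
            imports.append({"hint": hint, "name": name})
        thunk_rva += 4
```

The same routine reads the FirstThunk array of a file on disk, where the entries are still identical to OriginalFirstThunk; in a dumped process they have been overwritten with function addresses, which is why an import rebuilder has to go back to OriginalFirstThunk to recover names and ordinals.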
Comparing this structure with the previous two, all the members are the same except the last one, Reserved. For a function forwarded to another DLL, the validity of the forwarded DLL must also be checked at load time when binding. IMAGE_BOUND_FORWARDER_REF holds the details of the forwarded DLLs.
For example, suppose that HeapAlloc, a function in kernel32.dll, forwards to RtlAllocateHeap in ntdll.dll. If we create an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll, followed by an IMAGE_BOUND_FORWARDER_REF tracking ntdll.dll.
Note: the function names are not present in these structures, because the loader already knows from the IMAGE_IMPORT_DESCRIPTOR which functions it is binding.
(9) Loader
This section is not essential, but it is for those who want to understand in depth how the OS works. It also explains how sub-sections (7) and (8) relate to each other.
(9.1) What does the loader do?
When an executable runs, the Windows loader creates a virtual address space for the process and maps the executable module from disk into that address space. The loader tries to load the image at its preferred base address and places the sections in memory: it walks the section table and maps each section at the address obtained by adding the section's RVA to the base address. Page attributes are set according to the section's characteristics. Once the sections are in memory, the loader performs base relocation if the load address differs from the preferred base address held in ImageBase.
It then examines the import table and maps the required DLLs into the process's address space. After all the DLL modules are in place, the loader checks each DLL's export section and patches the IAT so that it points at the real addresses of the imported functions. If a symbol cannot be found (very rare), the loader reports an error.
What is interesting for cracking is how the DLLs are loaded and the imports resolved. These processes are complicated and are handled by various (forwarded) functions and routines inside ntdll.dll, which Microsoft does not document. As I said earlier, function forwarding is Microsoft's technique for exposing one common Win32 API set while hiding the differences in low-level functions between the different OSes
Figure 17
When an exe is loaded, the various APIs that go with it converge in kernel32.dll's LoadLibraryExW function and head for ntdll.dll's LdrpLoadDll. This function directly calls six subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which carry out the following.
1. Check whether the module is already loaded.
2. Map the module and the data that supports it into memory.
3. Walk the module's import descriptor table (looking for the other modules this one imports).
4. Update the module's load count, as for the other modules brought in by this DLL.
Figure 18
A DLL may in turn import other modules, in a cascade. The loader has to loop through every module to find out what needs loading and what its dependencies are; that is why LdrpWalkImportDescriptor is involved. It has two subroutines, LdrpLoadImportModule and LdrpSnapIAT. It begins with two calls to RtlImageDirectoryEntryToData to locate the Bound Import Descriptor and the normal Import Descriptor table. Note that the loader checks the bound imports first; an application with bound imports runs even if it has no import directory.
Next, LdrpLoadImportModule builds a Unicode string for each DLL in the import directory, and then uses LdrpCheckForLoadedDll to find out whether they are already loaded.
Next, the LdrpSnapIAT routine checks whether the DLL references in the import directory all have the value -1 (that is, it once again checks for bound imports first). It then changes the IAT's memory protection to PAGE_READWRITE and goes on to examine each entry in the IAT before handing over to the LdrpSnapThunk subroutine.
LdrpSnapThunk uses a function's ordinal to locate its address and decides whether the function is forwarded. Otherwise it calls LdrpNameToOrdinal, which uses a binary search over the export table to locate the ordinal quickly. If the function is not found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it replaces the IAT entry with the API's entry point and returns to LdrpSnapIAT, which restores the memory protection it changed at the start, calls NtFlushInstructionCache so that the cache is refreshed for the memory block holding the IAT, and returns to LdrpWalkImportDescriptor.
Here there is one notable difference between Windows versions. Windows 2000 insists that ntdll.dll be loaded, both as a bound import and through the normal import directory, before the exe is loaded. Windows 9x and Windows XP can run an application even with no imports at all. The loader has to examine every imported API in order to compute its real address in memory and to find out whether the API is forwarded. Each imported DLL may bring further modules with it, and the process repeats until every dependency has been checked.
(10) Inserting code into a PE file
Crackers sometimes run into situations where they have to insert code into a program, either to crack a protection scheme or to add new functionality. The three main ways of inserting code into a file are:
1. If there is enough free space for your code, write it into an existing section.
2. If there is not enough space, enlarge an existing section.
3. Add a new section.
(10.1) Inserting code into an existing section
If we want to add code to an existing section, the simplest way is to add it to the CODE section. Let's look for an area of the CODE section that is filled with 00s; this is the "cave" idea. To find a suitable cave, let's look at the CODE section with LordPE.
Figure (19)
What we see here is that VirtualSize (00029E88) is slightly smaller than SizeOfRawData (0002A000). SizeOfRawData is the amount of space the file takes up when it is laid out on your hard disk. Note that this file's VirtualSize is smaller than the size it occupies on disk. The reason is that compilers frequently have to round a section's size up so that it aligns with the next section on a common boundary. Looking with a hex editor, the end of the CODE section (just before the DATA section starts) appears as in Figure (20).
Figure (20)
This free space is not used, and it is not loaded into memory either. What we have to make sure of is that the code we insert does get loaded into memory, and for that we have to change the size attribute. Right now the section's virtual size is only 29E88, because that is all the compiler needed; we need a little more. So in LordPE we change the CODE section's virtual size to 29FFF. (That is the largest size we can set, since RawSize is 2A000.) To do this, right-click the word CODE and choose edit section header, change VirtualSize to 29FFF and save the file.
We have now made a suitable place to hold the code we are going to patch in. What we changed is the VirtualSize DWORD for the CODE section in the Section Table; we could just as well have edited it ourselves in a hex editor.
To make this clearer, let's write a small sample assembly stub. First note the entry point value 0002ADB4 and the ImageBase value 400000 seen in LordPE: when Olly loads the application the entry point will therefore be 0042ADB4. We will add the code below and change the entry point to 42AF00, where the first instruction of the new code sits.
MOV EAX, 0042ADB4 ; Load in EAX the Original Entry Point (OEP)
JMP EAX ; Jump to OEP
We have to place this code at 0002A300h in the hex editor shown above. To convert that raw offset into an RVA for use in Olly, we use this formula:
RVA = raw offset - raw offset of section + virtual offset of section + ImageBase
= 2A300h - 400h + 1000h + 400000h = 42AF00h
So open Olly, press Ctrl + G to go straight to the place we need to edit, type 42AF00 and go to where the code will be entered. Then edit it as in Figure (21).
Figure (21)
Figure (22)
Looking in the hex editor you will see Figure (23), with plenty of free space still left over.
Figure (23)
(Enlarging an existing section and adding a new section are not described here, for fear of making the book too thick. If you want the details, I recommend reading PE File Format by Goppit of ARTeam.)
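The raw-offset formula and the cave reasoning of section (10.1), as an added example that is not the book's code. The CODE section values are the ones the text reads off LordPE (VirtualSize 29E88, SizeOfRawData 2A000, ImageBase 400000, entry point 2ADB4) plus the section's raw offset 400 and virtual offset 1000 from the book's own formula; the DATA row, the FILE_ALIGNMENT constant and the entry-point heuristics are my additions. It goes one step beyond the text: besides converting offsets in both directions it shows the checks a defender runs to notice exactly the edit the text makes, an entry point moved into a section's tail padding and a VirtualSize bumped to SizeOfRawData - 1.

```python
"""Raw offset <-> virtual address arithmetic and code-cave triage for PE sections.

Added example (not the book's code). CODE section values come from the text's
LordPE reading and its RVA formula; the DATA row is constructed so that the
table has a second member; FILE_ALIGNMENT is the book's glossary value.
"""
from dataclasses import dataclass
from typing import List, Optional

FILE_ALIGNMENT = 0x200  # granularity of a section's on-disk tail padding


@dataclass
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped
    virtual_size: int     # bytes actually mapped (VirtualSize)
    raw_pointer: int      # file offset of the raw data (PointerToRawData)
    raw_size: int         # bytes stored on disk (SizeOfRawData)

    def slack(self) -> int:
        """On-disk padding that is never mapped: the 'cave' the text looks for."""
        return max(0, self.raw_size - self.virtual_size)

    def maps_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size

    def holds_raw(self, offset: int) -> bool:
        return self.raw_pointer <= offset < self.raw_pointer + self.raw_size


def raw_to_va(raw_offset: int, sections: List[Section], image_base: int) -> Optional[int]:
    """The text's formula: raw offset - PointerToRawData + VirtualAddress + ImageBase."""
    for s in sections:
        if s.holds_raw(raw_offset):
            return raw_offset - s.raw_pointer + s.virtual_address + image_base
    return None  # headers or beyond the last section: no section owns this offset


def va_to_raw(va: int, sections: List[Section], image_base: int) -> Optional[int]:
    """Inverse mapping; None when the address has no backing bytes on disk."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return rva - s.virtual_address + s.raw_pointer
    return None


def entry_point_findings(ep_rva: int, sections: List[Section]) -> List[str]:
    """Constructed triage rules: the entry point must be mapped by some section;
    an entry point in a section's last FILE_ALIGNMENT bytes, or a VirtualSize
    equal to SizeOfRawData - 1, is what the text's cave edit leaves behind."""
    owner = next((s for s in sections if s.maps_rva(ep_rva)), None)
    if owner is None:
        return [f"entry point 0x{ep_rva:X} is not mapped by any section"]
    findings = []
    if ep_rva >= owner.virtual_address + owner.raw_size - FILE_ALIGNMENT:
        findings.append(f"entry point 0x{ep_rva:X} lies in the tail padding of {owner.name}")
    if owner.virtual_size + 1 == owner.raw_size:
        findings.append(f"{owner.name} VirtualSize equals SizeOfRawData - 1 (hand-edited?)")
    return findings


IMAGE_BASE = 0x400000
ORIGINAL = [Section("CODE", 0x1000, 0x29E88, 0x400, 0x2A000),
            Section("DATA", 0x2B000, 0x1000, 0x2A400, 0x1000)]  # DATA row is constructed
PATCHED = [Section("CODE", 0x1000, 0x29FFF, 0x400, 0x2A000), ORIGINAL[1]]  # after the LordPE edit
ORIGINAL_EP, PATCHED_EP = 0x2ADB4, 0x2AF00  # RVAs: 0042ADB4 and 42AF00 minus ImageBase

if __name__ == "__main__":
    print(hex(raw_to_va(0x2A300, ORIGINAL, IMAGE_BASE)))  # the text's 42AF00h
    print(ORIGINAL[0].slack(), "bytes of cave")
    print(ORIGINAL[0].maps_rva(PATCHED_EP), PATCHED[0].maps_rva(PATCHED_EP))
    print(entry_point_findings(ORIGINAL_EP, ORIGINAL))
    print(entry_point_findings(PATCHED_EP, PATCHED))
```

Run stand-alone, the first line prints 0x42af00, the value the text derives by hand, and ORIGINAL[0].maps_rva(0x2AF00) is False, which is precisely why the text has to raise VirtualSize before the stub would ever be mapped. The two findings on PATCHED are the trace that edit leaves in the section table; they are heuristics, and a packer or linker setting can trigger them too, so they belong at the start of a triage, not at the end.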
(11) Solving PE header problems
So we have studied the PE header. You may well be wondering why the PE header has to be studied in such detail, so let's look at a program in practice. The program (RegisterMe.oops.exe) can be downloaded from Lena151's tutorial (3). Opening it in Olly and examining it, you see Figure (24).
Figure (24)
Looking at the Data (dump) window as well, you see that there is no text at all, as in Figure (25).
Figure (25)
Figure (26)
Looking at Figure (26), you will notice that the sections are missing; only the PE header is there. Where have the code, data and so on that we usually see gone? And the header's size is as large as 5000, whereas, as I explained earlier, a header is usually only 1000.
Now a little explanation is needed. This is a case where only the PE header has been altered slightly, with no major changes. (To be precise, only viruses and certain protectors and the like can do this.) As a result the program runs fine on Windows XP, yet Olly is thoroughly confused by the changes (it can be busy for a moment as it tries to find everything). Let's look at the header. Figure (27).
Figure (27)
Double-click the VA 00400000 in Figure (26) and you see Figure (27). Scroll down a little with the mouse.
Figure (28)
Figure (29)
Figure (30)
As shown in Figure (30), right-click in the dump window and go to Go to > Expression.
Figure (31)
Then type 4000DC as shown in Figure (31). To be able to edit, right-click and choose view executable file; you will see Figure (32).
Figure (32)
Right-click in Figure (32) and choose edit from the binary menu; you will see Figure (33).
Figure (33)
From this point you can begin editing (provided you still remember the opcodes, that is). Briefly, editing in the memory module is easier, but I wanted to show this method. When everything has been edited you will see Figure (34).
Figure (34)
Figure (34) shows the things we had to edit, after editing. Then right-click and choose Save file, and open the saved file again in Olly. You will see Figure (35).
Figure (35)
In Figure (35) you will see the previously missing sections again. One point worth remembering is that the header size (5000) seen in Figure (26) is the size of all the sections plus the header added together.
Figure (36)
Figure (37)
As seen in Figure (37), no code appears and the program just runs (hangs). Looking at Task Manager you see what Figure (38) shows.
Figure (38)
Before UnpackMe#5.exe was opened, Task Manager's page file usage was only 149MB. Why does opening UnpackMe#5.exe, a program of only 87KB, use the page file so excessively? Something seems to be wrong in the PE header. So let's open UnpackMe#5.exe with PE Tools 1.5. Figure (39).
Figure (39)
Choose PE Editor from the Tools menu and open UnpackMe#5.exe; you see Figure (39). Click the Optional Header button in Figure (39) and you see Figure (40).
Figure (40)
Change Size Of Init Data to 3FA00, Size of UnInit Data to 0, Base Of Code to 3E000, Base of Data to 13000, Number Of Rva and Sizes to 10, Size of Heap Commit to 1000, Size of Heap Reserve to 100000, Size of Stack Commit to 1000 and Size of Stack Reserve to 100000, then save the file. Open the saved file in Olly; you see Figure (41).
Figure (41)
Click the OK button in Figure (41) and you see Figure (42).
Figure (42)
The error message in Figure (41) appears because the code section value is wrong. Although Olly shows an error, the program will run correctly, so there is nothing to worry about. If you do not want this error to appear, look at the code section's value in the memory map (Alt+M). Figure (43).
Figure (43)
So instead of the value 3E000 set for Base Of Code in Figure (40), it should be 1000. Change this value in any PE editor and save the file, and no error will be shown any more.
(12) Terms used in the PE header
(Tested with ReverseMe.exe.)
(1) TimeDateStamp 3/17/2000, 1:04:06 AM (38D1291E)
TimeDateStamp refers to the time the file was created. Olly shows it as a hex number; for the ReverseMe program it is 38D1291E. Some PE viewers show it in ordinary form rather than hex, e.g. 3/17/2000, 1:04:06 AM. The value is the number of seconds of Greenwich Mean Time since January 1, 1970, and it is more accurate than the date/time that come with the file automatically. To work it out yourself, convert hexadecimal 38D1291E to decimal: you get 953231646 seconds. Since that is in seconds, convert to hours: dividing by 3600 gives 264786. Divide by 24 for days and then by 365 for years, which gives 30 years. That is a rough calculation. Where does the result get added? To January 1, 1970, as mentioned above. Worked out exactly, the correct answer comes to March 17, 2000.
(2) Machine FILE_MACHINE_I386
The processor type of the computer this file will run on. The common values are:
FILE_MACHINE_I386
Intel 80386 or later models and compatible processors.
FILE_MACHINE_AMD64
x64
FILE_MACHINE_IA64
Intel Itanium processor family.
(3) Characteristics 0x10f (flags that show the file's attributes.)
FILE_RELOCS_STRIPPED 0x1
(If 0x1 is set, the file contains no base relocations, so the loader has to load it at its own base address; if that base address is not available, the loader reports an error. The linker's normal behaviour is to strip base relocations from EXE files.)
FILE_EXECUTABLE_IMAGE 0x2
(This shows that the image file is valid and can be run. If this flag is absent, it indicates a linker error.)
FILE_LINE_NUMS_STRIPPED 0x4
(COFF line numbers have been stripped.)
FILE_LOCAL_SYMS_STRIPPED 0x8
(COFF symbol table entries for local symbols have been stripped.)
FILE_32BIT_MACHINE 0x100
(The machine is based on 32-bit architecture.)
(4) Subsystem SUBSYSTEM_WINDOWS_GUI
The subsystem required to run this image. The possible values are:
SUBSYSTEM_NATIVE
Device drivers and native Windows processes.
SUBSYSTEM_WINDOWS_GUI
The Windows GUI.
SUBSYSTEM_WINDOWS_CUI
The Windows character subsystem.
SUBSYSTEM_POSIX_CUI
The Posix character subsystem.
SUBSYSTEM_WINDOWS_CE_GUI
Windows CE
SUBSYSTEM_EFI_APPLICATION
Extensible Firmware Interface (EFI) application.
SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
An EFI driver with boot services.
SUBSYSTEM_EFI_RUNTIME_DRIVER
An EFI driver with run-time services.
SUBSYSTEM_EFI_ROM
An EFI ROM image.
(5) LinkerVersion 5.12
The version of the linker used to build the file. For PE files produced by the Microsoft linker, this version number corresponds to the Visual Studio version number.
(6) SizeOfImage 20480 (0x5000)
The amount of memory the system has to reserve when the file is loaded into memory. It must be a multiple of the section alignment.
(7) SizeOfCode 1024 (0x400)
The size of the code section (in bytes), or, if there are several code sections, the sum of all of them.
(8) SizeOfInitializedData 2560 (0xa00)
The size of the initialized data section (in bytes), or, if there are several initialized data sections, the sum of all of them.
(9) SizeOfUninitializedData 0 (0x0)
The size of the uninitialized data section (in bytes), or, if there are several uninitialized data sections, the sum of all of them.
(10) ImageBase 0x400000
The address of the first byte of the image when it is loaded into memory. The value is a multiple of 64K bytes. The default for DLL files is 0x10000000; the default for 32-bit applications is 0x00400000.
(11) BaseOfCode 0x401000
Points to the start of the code section, relative to the image base.
(12) BaseOfData 0x402000
Points to the start of the data section, relative to the image base.
(13) AddressOfEntryPoint 0x401000
Points to the entry point function, relative to the image base address. For DLL files an entry point function is optional; if there is no entry point, this value is zero.
(14) FileAlignment 512 (0x200)
The alignment of the raw data of the sections in the image file, in bytes. The value must be a power of 2 between 512 and 64K inclusive; the default is 512. If SectionAlignment is smaller than the system's page size, this value should equal SectionAlignment.
(15) SectionAlignment 4096 (0x1000)
The alignment of sections when they are loaded into memory, in bytes. This value must be greater than or equal to FileAlignment; the default is the system's page size.
(16) OperatingSystemVersion 4.0
(17) SubsystemVersion 4.0
(18) ImageVersion 0.0
(19) CheckSum 46233 (0xb499)
The computed checksum of the image. (A checksum is a computed value used to check whether errors occurred while the data was being stored. Once the data has been stored, the checksum is computed again by the same method; if the two checksums differ, an error is reported and the data is stored again. Checksums cannot detect every error, nor can they repair corrupted data.) Checksums are required for kernel-mode drivers and some system DLLs; otherwise this field may be zero.
(20) SizeOfStackReserve 1048576 (0x100000)
In EXE files, the maximum size to which the stack of the process's first thread may grow. Not all of this memory is committed at first.
(21) SizeOfStackCommit 4096 (0x1000)
In EXE files, the amount of memory committed to the stack initially.
(22) SizeOfHeapReserve 1048576 (0x100000)
In EXE files, the size initially reserved for the process heap.
(23) SizeOfHeapCommit 4096 (0x1000)
In EXE files, the amount of memory committed to the heap initially.
(24) LoaderFlags 0 (0x0)
(No longer used.)
(25) Win32VersionValue 0 (0x0)
(No longer used.)
(26) PointerToRawData
(i) .tls – Thread-local storage section. The section contains data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime.
(i) .xdata – Exception information section
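A parser for the headers that sections (11) and (12) walk through by hand, as an added example that is not the book's code. build_sample() constructs a PE32 header whose field values are the ReverseMe.exe numbers the glossary lists (TimeDateStamp 38D1291E, Machine I386, Characteristics 0x10F, linker 5.12, SizeOfImage 0x5000, alignments 0x200/0x1000, checksum 0xB499, stack and heap sizes); its three-row section table is constructed, and sanity_checks() is my reading of the rules the glossary states plus the two mistakes section (11) fixes in UnpackMe#5 (a BaseOfCode pointing outside every section, commit sizes larger than reserves), not the Windows loader's exact logic. Field names, numeric Machine and Subsystem codes, and the struct layouts are the standard PE32 ones.

```python
"""PE32 header parser plus the consistency checks the glossary's field rules imply.

Added example, not code from the book. build_sample() constructs a header from
the ReverseMe.exe values listed in section (12); its section table is constructed,
and the check list is my reading of the text's rules, not the loader's own logic.
"""
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "FILE_MACHINE_I386", 0x8664: "FILE_MACHINE_AMD64", 0x200: "FILE_MACHINE_IA64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 7: "POSIX_CUI", 9: "WINDOWS_CE_GUI",
              10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}
CHARACTERISTICS = {0x1: "RELOCS_STRIPPED", 0x2: "EXECUTABLE_IMAGE", 0x4: "LINE_NUMS_STRIPPED",
                   0x8: "LOCAL_SYMS_STRIPPED", 0x100: "32BIT_MACHINE"}
COFF_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes
COFF_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT_FMT = "<HBB9I6H4I2H4I2I"  # PE32 optional header, 96 bytes before the data directories
OPT_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
              "MajorOSVersion", "MinorOSVersion", "MajorImageVersion", "MinorImageVersion",
              "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue",
              "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics",
              "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve",
              "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes")
SEC_FMT = "<8s6I2HI"  # IMAGE_SECTION_HEADER, 40 bytes
SEC_FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
              "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations",
              "NumberOfLinenumbers", "Characteristics")


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = dict(zip(COFF_FIELDS, struct.unpack_from(COFF_FMT, data, e_lfanew + 4)))
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("not a PE32 optional header")
    sec_off, sections = opt_off + coff["SizeOfOptionalHeader"], []
    for i in range(coff["NumberOfSections"]):
        sec = dict(zip(SEC_FIELDS, struct.unpack_from(SEC_FMT, data, sec_off + i * 40)))
        sec["Name"] = sec["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return {"coff": coff, "opt": opt, "sections": sections}


def timestamp_utc(stamp: int) -> str:
    """TimeDateStamp = seconds since 1970-01-01 UTC. Viewers print local time, which is
    why the glossary shows 3/17/2000 1:04:06 AM (UTC+6:30) for the instant returned here."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def sanity_checks(pe: dict) -> list:
    """Findings derived from the field rules in the glossary; an empty list means consistent."""
    o, secs, found = pe["opt"], pe["sections"], []
    fa, sa = o["FileAlignment"], o["SectionAlignment"]
    if not (512 <= fa <= 0x10000 and fa & (fa - 1) == 0):
        found.append("FileAlignment must be a power of two between 512 and 64K")
    if sa < fa:
        found.append("SectionAlignment must be >= FileAlignment")
    if o["SizeOfImage"] % sa:
        found.append("SizeOfImage is not a multiple of SectionAlignment")
    if o["ImageBase"] % 0x10000:
        found.append("ImageBase is not a multiple of 64K")
    if o["NumberOfRvaAndSizes"] > 16:
        found.append("NumberOfRvaAndSizes exceeds 16")
    for kind in ("Stack", "Heap"):
        if o[f"SizeOf{kind}Commit"] > o[f"SizeOf{kind}Reserve"]:
            found.append(f"SizeOf{kind}Commit exceeds SizeOf{kind}Reserve")
    if not pe["coff"]["Characteristics"] & 0x2:
        found.append("FILE_EXECUTABLE_IMAGE flag is not set")
    for field in ("AddressOfEntryPoint", "BaseOfCode"):  # the UnpackMe#5 BaseOfCode mistake
        rva = o[field]
        if not any(s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"])
                   for s in secs):
            found.append(f"{field} 0x{rva:X} points outside every section")
    for s in secs:
        if s["VirtualAddress"] + s["VirtualSize"] > o["SizeOfImage"]:
            found.append(f"section {s['Name']} extends past SizeOfImage")
    return found


def build_sample(**overrides) -> bytes:
    """Constructed PE32 header (no section bodies) carrying the glossary's ReverseMe values."""
    opt = dict(zip(OPT_FIELDS, (0x10B, 5, 12, 0x400, 0xA00, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                                0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x5000, 0x400, 0xB499, 2, 0,
                                0x100000, 0x1000, 0x100000, 0x1000, 0, 16)))
    opt.update(overrides)
    secs = [(b".text", 0x400, 0x1000, 0x400, 0x400), (b".data", 0x800, 0x2000, 0x800, 0x800),
            (b".rsrc", 0x200, 0x4000, 0x200, 0x1000)]  # constructed section table
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))  # e_lfanew at offset 0x3C
    coff = struct.pack(COFF_FMT, 0x14C, len(secs), 0x38D1291E, 0, 0, 96 + 16 * 8, 0x10F)
    hdr += b"PE\0\0" + coff + struct.pack(OPT_FMT, *(opt[f] for f in OPT_FIELDS)) + bytes(16 * 8)
    for name, vsize, va, rsize, rptr in secs:
        hdr += struct.pack(SEC_FMT, name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr)
```

To use it on a real file, pass `open(path, "rb").read()` to parse_pe() and print sanity_checks(); a non-empty list is the cheap first signal that a header has been edited the way sections (11) and (12) describe. The timestamp helper returns UTC on purpose: the 3/17/2000 1:04:06 AM the glossary quotes is the same instant displayed in the author's UTC+6:30 zone, and comparing timestamps across machines only works once everyone agrees on the zone.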
(13) Sample PE signatures
(13.1) ASPack v2.12
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
00401000: 60 PUSHAD
00401001: E803000000 CALL 00401009H
00401006: E9EB045D45 JMP 459D14F6H
0040100B: 55 PUSH EBP
0040100C: C3 RET
0040100D: E801003E00 CALL 007E1013H
(13.2) Armadillo v1.xx ‐ v2.xx
55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6
00401000: 55 PUSH EBP
00401001: 8BEC MOV EBP, ESP
00401003: 53 PUSH EBX
00401004: 8B5D08 MOV EBX, [EBP+08H]
00401007: 56 PUSH ESI
00401008: 8B750C MOV ESI, [EBP+0CH]
0040100B: 57 PUSH EDI
0040100C: 8B7D10 MOV EDI, [EBP+10H]
0040100F: 85F6 TEST ESI, ESI
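A PEiD-style matcher for the signatures of section (13), as an added example that is not the book's code. The ASPack v2.12 and Armadillo v1.xx-v2.xx patterns are the byte sequences listed above; the third, wildcarded pattern and the byte strings it is run against are constructed here from those same listings, so the block is a self-check of the matcher rather than a scan of a real file. It extends the text slightly by supporting `??` wildcard bytes and a deep scan, which is how such tools cope with a packer stub that does not sit exactly at the declared entry point.

```python
"""Entry-point byte-signature matching in the style of PEiD.

Added example, not code from the book. The first two patterns are the ASPack and
Armadillo sequences listed in section (13); the third pattern and the scanned
byte strings are constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]  # None stands for a wildcard byte

SIGNATURES: Dict[str, str] = {
    "ASPack v2.12": "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01",
    "Armadillo v1.xx - v2.xx": "55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6",
    # constructed: PUSHAD; CALL rel32 with the displacement wildcarded; JMP
    "PUSHAD/CALL/JMP stub (constructed)": "60 E8 ?? ?? ?? ?? E9",
}


def compile_signature(text: str) -> Pattern:
    """'60 E8 ?? 00' -> [0x60, 0xE8, None, 0x00]; rejects malformed tokens early."""
    pattern: Pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
        elif len(token) == 2:
            pattern.append(int(token, 16))
        else:
            raise ValueError(f"bad signature byte {token!r}")
    return pattern


def matches_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True when every non-wildcard byte of the pattern equals data[offset + i]."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def identify(ep_bytes: bytes, signatures: Dict[str, str] = SIGNATURES) -> List[str]:
    """Names of all signatures matching at the entry point (offset 0 of ep_bytes),
    longest (most specific) match first."""
    compiled = [(name, compile_signature(text)) for name, text in signatures.items()]
    hits = [(len(p), name) for name, p in compiled if matches_at(ep_bytes, 0, p)]
    return [name for _, name in sorted(hits, key=lambda h: -h[0])]


def deep_scan(data: bytes, signatures: Dict[str, str] = SIGNATURES) -> List[Tuple[int, str]]:
    """Every (offset, name) at which a signature matches anywhere in the buffer."""
    compiled = [(name, compile_signature(text)) for name, text in signatures.items()]
    return [(off, name) for off in range(len(data))
            for name, pattern in compiled if matches_at(data, off, pattern)]


# Constructed entry-point bytes assembled from the book's own listings.
ASPACK_EP = bytes.fromhex("60E803000000E9EB045D4555C3E801")
ARMADILLO_EP = bytes.fromhex("558BEC538B5D08568B750C578B7D1085F6")

if __name__ == "__main__":
    print(identify(ASPACK_EP))
    print(identify(ARMADILLO_EP))
    print(deep_scan(b"\x90" * 4 + ARMADILLO_EP))
```

A match is a triage hint, not proof: the bytes at the entry point change between packer versions and are trivial to alter, so a signature result should be weighed together with section layout, entropy and import-table checks before a sample is labelled.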
Chapter (9) - The Teleport Pro 1.61 program and cracking for the first time - 163 -
Figure (1)
Figure (1) shows that this is an unregistered version, so let's try to register it. Choose Register from the Help menu; you see Figure (2).
Figure (2)
In Figure (2), type Myanmar Cracking Team in the Your name field and 47806 (BABE in hex) in the Registration code field. You then see Figure (3).
Figure (3)
Figure (3) shows a MessageBox telling us that the registration code we entered is wrong. (Note: some programs use little tricks. When you enter a registration code they neither say whether it is right or wrong nor anything else, but make you reopen the program. Some programs do not even show a MessageBox, because such programs do not check the registration code you entered straight away: they store the code you entered in the registry or in a file and only check it the next time the program is opened and run.) Write the text We're sorry! seen in this MessageBox down on a blank sheet of paper; it will come in handy.
Good. Close the program and let's check which language it was written in. Right-click the pro.exe file under the Program files\Teleport Pro folder and examine it with PEiD. Figure (4).
Figure (4)
According to Figure (4), the program was written in Visual C++ 6.0. That is all we need. Let's open pro.exe in Olly. Figure (5).
Figure (5)
Figure (5) shows the program's entry point. (Note: for programs written in Visual C++, as shown in Figure (5), the entry point is the virtual address of the PUSH EBP instruction above kernel32.GetVersion.) I will show how to crack this program in two ways. The first is the method used by nick123b of SND Team; the second is the method used by ThunderPwr of ARTeam. Other methods will be described in the appropriate chapters.
(2) First method (nick123b@SND Team)
You probably remember the error message of Figure (3) appearing when we tried to register in Figure (2). Let's search for that message text in Olly. Right-click in Figure (5) and choose Search for > All referenced text strings. A window listing the text strings that were found appears.
Figure (6)
In that window type the text we want to find, as in Figure (6), and press OK. But Olly does not find the text we are looking for. The reason is that the programmer who wrote this program did not put the We're sorry! text in the .text section but in the .data section, as Figure (7) shows, so Olly cannot find it. (Normally, more than 80% of programs keep such text only in the .text section (code section).)
Figure (7)
Figure (8)
Looking at Figure (8), we find the message we were looking for. Figures (7/8) were produced by opening the file in PE Explorer 1.99 (www.heaventools.com).
Since the text string search of Figure (6) found nothing, you are probably quite confused by now. Only by finding this message can we find the registration routine that produces the serial, and then find the serial. Good, let's look for the serial using nick123b's method. In Olly press Ctrl + N (View Names); you see the APIs as in Figure (9).
Figure (9)
As shown in Figure (9), right-click USER32.GetWindowTextA and choose Find references to import (Enter key); you see Figure (10). (For details on GetWindowTextA, read the chapter "Windows APIs crackers should watch for".)
Figure (10)
As seen in Figure (10), right-click and choose Set breakpoint on every command.
Figure (11)
Before setting the breakpoint on GetWindowTextA as in Figure (11), make sure pro.exe is in the middle of registering under Olly as in Figure (12). (That is, open Teleport Pro under Olly and start registering; before pressing OK in Figure (12), set the breakpoints as shown in Figures (9/10/11).)
Figure (12)
Figure (13)
When you see Figure (13), press F8 (step over) until you see Figure (14).
Figure (14)
Look at Figure (14). CALL 0042F675 carries out the registration key calculation. After it, the program checks whether the value in EAX and the value in ESI are equal; if the two values are not equal, it goes to the BadBoy message. So when you reach "JNZ 042ECDB", stop pressing F8 and look at the Registers (FPU) window. Figure (15).
Figure (15)
The serial we want is now sitting in the EAX register in Figure (15). Bear in mind that this serial is valid only for the user "Myanmar Cracking Team" held in the ECX register, because we typed "Myanmar Cracking Team" in the user name field as shown in Figure (12).
Actually the serial in the EAX register in Figure (15) is just a hexadecimal number. Double-click 258680D9 and copy 629571801. Figure (16). 629571801 is the real serial.
Figure (16)
Now that we have the serial we wanted, we can close Olly. Open the Teleport Pro program again, choose Register … from the Help menu and get ready to register.
Figure (17)
Fill in Name and Registration Code as in Figure (17) and press OK; you see Figure (18).
Figure (18)
To be more certain, click Register … in the Help menu once more. You will see that we no longer need to register. Figure (19).
Figure (19)
Figure (20)
So our search for the serial by the first method is done. Finding a serial this way is called serial fishing in English. In the cracking world, serial fishing is widely used because it saves time and is very easy.
(3) Second method (ThunderPwr@ARTeam)
The second method first finds the location of the MessageBox seen in Figure (21) and then finds the registration routine. (Note: make sure the breakpoints set earlier on the GetWindowTextA() API have been removed.)
Once Teleport Pro has been registered successfully it cannot be registered again. So open the registry editor (regedit.exe) and delete the Tennyson Maxwell key under the Software directory of both HKLM and HKCU.
Figure (21)
Open pro.exe in Olly and press F9 (Run); you see the Teleport Pro program open. Click Register in the program's Help menu and try to register; you see the BadBoy MessageBox as in Figure (21). Now go back to Olly and press F12 (Pause). The reason for pressing F12 is to pause the running program for a moment. Then scroll through Olly's stack window and look; you see Figure (22).
Figure (22)
Look at Figure (22). VA 0049112C is the virtual address where the "We're sorry! …" text is stored. VA 004542CD is where execution lands once the MessageBox API of Figure (21) has finished. The virtual address I am interested in right now is 004542CD, because from this address we will trace back to where the registration routine is.
Figure (23)
To trace the registration routine, right-click the highlighted place in Figure (23) and choose Follow in Disassembler; you see Figure (24).
Figure (24)
If you set a breakpoint at 004542CD in Figure (24) and press F9, the next time you register, execution comes straight to this spot. Figure (25).
Figure (25)
What differs from Figure (24) this time is that pro.004541C4 is now shown with its text strings.
Figure (26)
When you step through the code of Figure (25) with F8 and examine it, as soon as the CALL in Figure (25) has executed you arrive at Figure (26). This time there is no way to find the serial in the EAX register, because the program has already checked whether the serial is right and has put out the error message. So if we want the serial, we have to set a breakpoint at VA 0042ECCA and register the program once more; when that breakpoint is hit, we can copy the serial we are after out of the EAX register. Another interesting item is the RETURN to pro.0042ED10 from pro.004542AB in Figure (22). (Remember from the Assembly lesson that a CALL saves on the stack the address (EIP) of the instruction it will execute next. I also mentioned that once a CALL has finished, the return value is almost always kept in EAX.)
(4) Writing a keygen for the Teleport Pro program
Earlier we fished the serial and registered Teleport Pro, but the name is "Myanmar Cracking Team". If you want to register with your own name, or with a friend's or girlfriend's name, hunting for the serial again with Olly each time is tedious, so a keygen has to be written. Searching for the serial for the name "Myanmar Cracking Team" gave 629571801, and you are surely puzzled about how it came out. So let's study the routine that produces the serial key carefully. Figure (27).
Figure (27)
Here you will have guessed that CALL 0042F675 in Figure (27) is the routine that produces the serial key, because once this CALL has executed the program compares the serial we typed with the serial it computed. Set a breakpoint at this CALL and restart the program (Ctrl+F2). Then press F9 to run the program and register. You arrive at VA 0042ECC2, where the breakpoint was set. When you reach VA 0042ECC2, press F7 (step into) and look inside the CALL. Figure (28).
Figure (28)
The little routine that produces the serial key is just what Figure (28) shows. Up to VA 0042F691 there is nothing of interest: it only checks whether the typed user name is shorter than 5 characters. If it is longer than 5 characters, the serial calculation starts at VA 0042F694. Let's study it.
1. Declares EBX and ESI as variables.
2. Initializes ESI = 5DFEE4A4.
3. Sets EBX to zero.
4. TEST sets the flag that decides whether the jump (JE) is taken.
5. Moves the value in EDI into ECX. (What was pushed onto the stack last must be popped first.)
6. Subtracts 4 from EAX. (EAX holds the number of characters in the user name we typed earlier; "Myanmar Cracking Team" is 21 characters.)
7. Compares EBX with EAX.
8. If EBX is not less than EAX, the jump is taken. (At this point EAX is 17 and EBX is zero.)
9. XORs the ESI value with the Unicode (hex) value of the first 4 characters of the user name. (At this point ESI is 5DFEE4A4 and DS:[EBX+EDI] is 6E61794D.)
        invoke GetModuleHandleA,NULL
        mov hInstance ,eax ; save handle for later use
    .ELSEIF message==WM_COMMAND
        mov eax,wParam
        .IF ax==BTN_GENERATE ; "Generate" button pressed
            ; check name is ok, not too long & not too short
            invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
            .if eax == 0
                invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
            .elseif eax > MaxNameLength ; max name length
            .endif
        .ELSEIF ax==BTN_CLOSE ; "Close" button pressed
            jmp @close
        .ELSEIF ax==BTN_ABOUT ; "About" button pressed
            invoke MessageBox,handle,SADD(About_Text),
                   SADD(" ",34,"Myanmar Cracking Team",34),
                   MB_OK or MB_ICONINFORMATION
        .ELSEIF ax==IDC_NAME ; name character entered
            ; check name ok, not too long & not too short
            invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
            .if eax == 0
                invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NoName
            .elseif eax > MaxNameLength ; max name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong
            .elseif eax < MinNameLength ; minimum name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameTooShort
            .else
                invoke SetDlgItemTextA,handle,IDC_SERIAL, addr NameOK
            .endif
        .ELSEIF ax==BTN_COPY ; "Copy" button pressed
            invoke ClipboardCopy
        .ENDIF
DialogProc endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Copy generated serial to the clipboard
; This function is not really necessary in a simple keygen but code is short
; and does not need any modification.
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
ClipboardCopy proc
    pushad
end main
Figure (29)
Is writing the keygen in Assembly going well? If not, I will explain how to write the keygen in the C language.
#include <conio.h>
#include <stdio.h> // C Console Application
#include <string.h> // Compiler - Borland C++ 5.02
#include <memory.h> // Copyright © by Myo Myint Htike, September 14 2009
unsigned long StringtoHex(const char *string);
int main()
{
    char User_Name[31] = {0};      /* up to 30 characters plus the terminating NUL */
    char Read_4_Bytes[5] = {0};    /* 4-character window plus NUL, so strrev() knows where to stop */
    unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
    unsigned long string_length;
    printf("Teleport Pro 1.3x - 1.6x Keygen ");
    printf("\n========================\n\n");
    printf("\nYour Name : ");
    scanf("%30[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]", User_Name);
    string_length = strlen(User_Name);
    if(string_length < 5 || string_length > 30){
        printf("Name must be 5->30 characters.\n");
        getch();
        return 1;                  /* stop here: string_length-4 would otherwise wrap around below */
    }
    /* one 4-byte window per position, the same loop the routine at 0042F694 runs */
    while(index < string_length-4){
        memmove(Read_4_Bytes, &User_Name[index], 4);
        strrev(Read_4_Bytes);      /* the program reads the 4 bytes as a little-endian dword */
        EAX = StringtoHex(Read_4_Bytes);
        ESI = ESI ^ EAX;
        index++;
    }
    printf("\nRegistration Code : %lu\n", ESI);
    getch();
    return 0;
}
unsigned long StringtoHex(const char *string)
{
    unsigned long hex_value = 0, index = 0;
    const char *character_read = string;
    while(*character_read){
        /* index stays 0, so this reads the current character; shift the value left one byte and append it */
        hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
        character_read++;
    }
    return hex_value;
}
Figure (31)
6.2/ strrev(Read_4_Bytes);
Reverses the string Myan, so Myan becomes nayM. The strrev() function is needed because of the endianness in which the program reads the data.
6.3/ EAX = StringtoHex(Read_4_Bytes);
The StringtoHex() function turns the reversed string into a number so that it can be XORed. Once this function has run, EAX is 6E61794D.
6.3.1/ while(*character_read){
hex_value = (hex_value*0x100) +(unsigned long)character_read[index];
character_read++;
}
Figure (32)
Converts the character n that was read into a number; at this point hex_value becomes 6E (hex), i.e. 110 (decimal). Since character_read has been incremented by one, it is now character_read[1] and reads a, so hex_value = (6E*0x100) + 61 = 6E61. It keeps reading further characters like this until it meets 00 (\0). At the end hex_value is 6E61794D, and the value 6E61794D is returned to EAX.
6.4/ ESI = ESI ^ EAX;
EAX (6E61794D) eJY ESI (5DFEE4A4) wdu
kY dk XOR vkyfygw,f/ &&SdvmwJh 339F9DE9
wefzdk;udk ESI rSmodrf;ygw,f/
6.5/ index++;
index wefzdk;udk wpfaygif;vdkufwJhtwGuf aemufwpfBudrf while loop udkvkyfaqmifcsdefrSm ...
while(index < string_length-4){ // while(1<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = "yanm";
strrev(Read_4_Bytes); // Read_4_Bytes = "mnay";
EAX = StringtoHex(Read_4_Bytes); // EAX = 6D6E6179;
ESI = ESI ^ EAX; // ESI = 339F9DE9 ^ 6D6E6179 = 5EF1FC90;
index++; // index = 2;}
}
// while (2<17){ ..................}
// while (3<17){ ..................}
// while (4<17){ ..................}
// ......................................etc
while(index < string_length-4){ // while(16<17){
memmove(&Read_4_Bytes, &User_Name[index], 4); // Read_4_Bytes = " Tea";
strrev(Read_4_Bytes); // Read_4_Bytes = "aeT ";
EAX = StringtoHex(Read_4_Bytes); // EAX = 61655420;
ESI = ESI ^ EAX; // ESI = 44E3D4F9 ^ 61655420 = 258680D9 (hex);
index++; // index = 17;}
}
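As an added example (not the keygen above), this portable C version makes the point of 6.2 explicit: reversing the four characters and building a number from them is the same as reading the four bytes as one little-endian 32-bit value, which is what the x86 program does with a single 32-bit load. It also returns 0 instead of looping when the name is shorter than 5 characters. The windows in the trace above ("Myan", "yanm", ..., " Tea") come from the name "Myanmar Cracking Team"; that name is an inference, as the page never prints it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read the 4 bytes at p as one little-endian 32-bit value.
 * This equals StringtoHex(strrev(window)) in the keygen above:
 * "Myan" -> 'n','a','y','M' -> 0x6E61794D. */
uint32_t window_le(const char *p)
{
    return (uint32_t)(unsigned char)p[0]
         | (uint32_t)(unsigned char)p[1] << 8
         | (uint32_t)(unsigned char)p[2] << 16
         | (uint32_t)(unsigned char)p[3] << 24;
}

/* The keygen's own two-step method (reverse, then build the number)
 * kept as a separate function so the two can be checked against each other. */
uint32_t string_to_hex_reversed(const char *window4)
{
    uint32_t v = 0;
    int k;
    for (k = 3; k >= 0; k--)             /* walk the 4 characters backwards */
        v = (v << 8) | (unsigned char)window4[k];
    return v;
}

/* Fold every 4-byte window starting at name[0] .. name[len-5] into the
 * seed, exactly as the keygen's loop does (index < len-4, so the final
 * character of the name is never part of any window).
 * Returns 0 for names outside the 5..30 character range instead of
 * letting len-4 wrap around as an unsigned value. */
uint32_t teleport_key(const char *name)
{
    size_t len = strlen(name);
    uint32_t esi = 0x5DFEE4A4u;          /* seed used by the keygen */
    size_t i;

    if (len < 5 || len > 30)
        return 0;
    for (i = 0; i < len - 4; i++)
        esi ^= window_le(name + i);
    return esi;
}

int main(void)
{
    const char *name = "Myanmar Cracking Team";   /* inferred sample input, see lead-in */
    uint32_t key = teleport_key(name);
    printf("Registration Code : %lu (0x%08lX)\n",
           (unsigned long)key, (unsigned long)key);
    return 0;
}
```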
Figure (1)
In this chapter, patching is discussed in three parts. The first part is the patching method that beginner crackers usually use, part (2) is the intermediate level, and part (3) is the patching method that advanced crackers usually use.
(1) Beginner-level patching (Plain Stupid Method)
Under this heading we will try cracking with the patching methods that beginners commonly use. The program chosen for the patching exercise is the calculator program (calc.exe), protected with the Exe password software. The calculator program is easily found under the system32 folder of Microsoft Windows. The Exe password software can be downloaded from www.salfeld.com. The Exe password software is meant for what you do not want others to use,
Chapter (10) – Patching (Beginner/Intermediate/Advanced) - 182 -
Figure (2)
As seen in Figure (2), we protect our calc.exe program with the password "DEADBEEF". You will then see that the icon changes. Figure (3).
Figure (3)
Let's open the password-protected calc.exe file. A dialog box asking for the password appears, as in Figure (4).
Figure (4)
If the password is not entered correctly, you will see Figure (5).
Figure (5)
Figure (6)
In Figure (6), right-click and choose All referenced text strings under Search for. A new window will appear. In this window, right-click and choose Search for text. You will see Figure (7).
Figure (7)
In Figure (7), type the text we want to find, "Password is incorrect…", and choose OK. You will see Figure (8).
Figure (8)
Double-click with the mouse on the highlighted line in Figure (8). You will see Figure (9).
Figure (9)
Look carefully at Figure (9). You will find the routine (VA 0054C8AC) that shows the error message of Figure (5). In fact, the error message routine runs because CALL calc.00435C4C could not be skipped. The JNZ instruction at VA 0054C87C cannot skip CALL calc.00435C4C either. Figure (10).
Figure (10)
According to Figure (10), only the JE instruction at VA 0054C873 can skip CALL calc.00435C4C. So set a breakpoint at VA 0054C86E and press F9. You will see Figure (11).
Figure (11)
Type "Cracker" into the textbox in Figure (11). Execution arrives directly at the place where we set the breakpoint. Figure (12).
Figure (12)
When we reach VA 0054C86E in Figure (12), let's take a look at the register window. Figure (13).
Figure (13)
Looking at Figure (13), you will see the text "pFTZ^UC" in the EAX register and the text "wqt}wutt" in the EDX register. In fact, "wqt}wutt" is the encrypted form of the password we typed in Figure (2), and "pFTZ^UC" is the encrypted form of "Cracker". The CALL routine at VA 0054C86E seen in Figure (12) checks whether "pFTZ^UC" and "wqt}wutt" are equal. If they are equal, the error message is skipped. So let's try patching. Strictly, CALL calc.004046A0 should be replaced with NOP instructions and JE SHORT calc.0054C8D7 with JMP SHORT calc.0054C8D7. But here I will do only one thing: change the JE to JMP. (Note: changing to NOP (No operation) prevents the two passwords from being compared; the JMP instruction forces the error message to be skipped.) After the change you will see Figure (14).
Figure (14)
After making the change as in Figure (14), right-click, choose Copy to executable, then All modifications, and save the file. To see whether the patched file works, open it. Type any password you like into the password dialog box that appears. The program will open.
Figure (15)
Figure (16)
PEiD is a tool that identifies the most common packers, cryptors and compilers used in PE files. Let's look at Krypto Analyser, one of PEiD's plugins. This little plugin finds known crypto algorithms inside modules by comparing them against the plugin's crypto signatures.
Looking at Figure (1), you will see that the MrBills software is not packed and was written with Visual C++ 7.0. The version of MrBills is 2.1.0.1.
Figure (17)
If you choose Krypto Analyser from Plugins in Figure (17), you will see Figure (18).
Figure (18)
Looking at Figure (18), you can see the crypto algorithms that are used. CRC checks will be discussed in later lessons. Good, let's close PEiD. Look at Figure (16). Let's run (F9) our program. You will then see Figure (19).
Figure (19)
As seen in Figure (19), we are not registered yet. Click About.
Figure (20)
After clicking About, you will see Figure (20). I think there is nothing for us to do here. Choose Register.... You will see Figure (21).
Figure (21)
According to Figure (21), we need to register, because it says that some functions will not work unless we register. Let's try registering. Figure (22).
Figure (22)
We are out of luck; we only see Figure (23).
Figure (23)
Figure (9) is where we have to patch. I explained in earlier chapters how to search for text strings, and today too we have to use that method to get what we want. So note down the words among these text strings that look important. Good, let's study the code. Go back to Olly. Figure (10).
Figure (24)
To search for text strings, right-click in Figure (24). Then choose All referenced text strings under Search for. The text string window will appear. In the text string window,
Figure (25)
Now we have found the text we were looking for. Figure (26).
Figure (26)
So double-click VA 004299BD, where the text is. You will see Figure (27).
Figure (27)
VA 004299BD in Figure (13) is preparing to write "You have entered an ..." in a message box. Scroll down a little and you will see Figure (28).
Figure (28)
The answer we want is at VA 004299F3. VA 004299BD is the BadBoy message and VA 004299F3 is the GoodBoy message. We see that the JNZ in Figure (27) jumps to VA 004299F1. In practice the JNZ does not jump to VA 004299F1, which is why we see the BadBoy message "You have entered an invalid email ...". If the JNZ were changed to JMP .........
Figure (29)
Look at TEST AL, AL in Figure (29). AL decides between GoodBoy and BadBoy. AL is probably set inside the CALL function at VA 004299AD, because before something is compared it is better to set it inside the CALL function that is used for the comparison. This is the registration check. What I want to note here is ... that we now need to examine how AL is set inside this CALL function. So let's set a breakpoint at VA 004299AD. Let's continue.
We have found the result of the check of whether the serial is correct or not. When the result is set inside the CALL above TEST AL, AL, AL holds that value. If the result is positive, the program reaches VA 004299F1, where the GoodBoy message is, and registers the program. Otherwise no jump is taken and we get the BadBoy message.
Summary: because of the JNZ, AL must not be equal to zero if we are to register.
Let's scroll up a little above VA 004299AD. Figure (30).
Figure (30)
The text in Figure (30) does not matter to us; it is the text shown in the About box. Let's run the registration again. A breakpoint has been set at VA 004299AD so that we can find out what is inside the CALL.
Note: The plain stupid method is merely patching conditional jumps to bypass the BadBoy. Usually that method is not sufficient to register software.
So now we will go deep inside the CALL and try to patch AL, which decides whether it is registered or not.
Let's try registering again as in Figure (31). Press F9.
Figure (31)
Figure (32)
Press F7 and let's step into the CALL. Now we are inside the CALL. Figure (33).
Figure (33)
To find out what happens next, we just press F8. Let me say here that we need to watch for changes to the value of AL. Figure (34).
Figure (34)
Soon we will see the important things. Do you see TEST AL, AL at VA 0040715A in Figure (35)?
Figure (35)
And then [5076A0] at VA 0040715E. After that, JNZ at VA 00407163, TEST AL, AL at VA 00407170, [5076A0] at VA 00407174. Look carefully at the CALL at VA 00407155. What do you see? It seems that AL has already been set inside the CALL at VA 00407155. Therefore,
to find out what happens next inside the CALL, press the Enter key. Remember that pressing Enter lets you follow the code, but it does not run the code; that is, you look at the code inside the CALL without having to run it. So the instruction pointer stays at the VA where Enter was pressed. Figure (36).
Figure (36)
When you press Enter on the CALL at VA 00407155, you see Figure (37).
Figure (37)
Let's look. MOV BL, AL at VA 00407007. MOV AL, BL at VA 00407011. The value in BL is moved back into AL. First, the value in AL is placed in BL. You will understand that the CALL at VA 00407009 has no effect on BL (and AL). But the value of AL is decided in the CALL at VA 00406FF9. Good. Since AL is set inside CALL 00406F4B at VA 00406FF9, let's set a breakpoint at this CALL.
Note that at this point we are seeing a great many CALLs. Likewise, remember that we pressed Enter on the CALL so that we could see what is inside it. To check whether or not AL is set inside the CALL at VA 00406FF9, we press F9 to reach the place where we set the breakpoint. Now we have arrived at the breakpoint. Figure (38).
Figure (38)
It is very important for you to understand the next step.
Figure (39)
As seen in Figure (39), AL is not zero. That is why, when a value is returned to TEST AL, AL, AL can be non-zero. Now press F8 to run the CALL. You will see that the value of AL changes. Figure (40).
Figure (40)
So the CALL at VA 00406FF9 sets the value of AL to zero. The registration did not succeed. Press F8 to see what happens next.
Another thing to remember is how the values of AL and BL change in the following steps.
Figure (41)
When MOV BL, AL in Figure (41) is executed, the value of BL also becomes zero, because AL is zero. Figure (42).
Figure (42)
Figure (43)
After the CALL at VA 00407009 in Figure (43) has executed, we see that the value of AL changes to 1. Look at MOV AL, BL at VA 00407011. Why is the value in BL put into AL?
INFO: If the program needs to work with the EAX register, it temporarily puts its value in another register.
Let me explain once more, so that you get a feel for how the program works.
Figure (44)
In Figure (44), the value of AL becomes zero again because of BL. So my conclusion that the CALL at VA 00407009 has no effect on AL and BL was correct. The state of AL is set in the CALL at VA 00406FF9. Finally, press F8 (or F7) to get back to our earlier CALL (I mean the CALL before we pressed Enter). You will see Figure (45).
Figure (45)
Remember that when we return to TEST AL, AL, the value of AL is not zero. (The JNZ: registered or not.)
Let's study what happens to AL here. When we press F8, the value of AL is still zero. Figure (32). When AL is stored into the pointer ([5076A0]) ....
Figure (46)
The pointer's value is still zero. Figure (46). While not registered, the jump cannot be taken.
Good. Do you understand that whether or not it is registered is kept in the pointer ([5076A0]) at VA 0040715E? Likewise in the pointer ([5076A0]) at VA 00407174. Figure (45).
The CALL at VA 0040716B runs only while we are not registered. It is probably the CALL that displays the unregistered strings. Let's keep pressing F8. We will deal with the AL-related work at VA 0040715E later, and likewise AL at VA 00407174.
Sorry if this explanation is too slow for you. I think all this will be confusing for beginners who have only dabbled in cracking, which is why I am discussing all of it in detail. But once I assume you have understood all this, I promise to move faster in the coming lessons. Keep pressing F8.
Figure (47)
I think the JMP in Figure (47) is clear. If you press F8 on the JMP, you will see Figure (35).
Figure (48)
At VA 00407076 we find another pointer ([5076A1]). I think the pointers are clear by now. The JNZ at VA 0040707D jumps if we are not registered. Good. Just keep pressing F8. Whether or not we managed to register successfully can be seen in Figure (49).
Figure (49)
Figure (50)
So it is not registered. Let's keep watching what happens next.
Figure (51)
Then we see Figure (51). Now we know the CALL we are looking for.
Good. Choose OK in Figure (51) and restart Olly. Make sure that only the breakpoint at VA 004299AD remains in the breakpoint window. Run the program (F9). Then register again as in Figure (31). We arrive directly at the place we set, as in Figure (52).
Figure (52)
To find the right CALL, we press F7 and enter the CALL at VA 004299AD.
Figure (53)
Remember that we entered the CALL at VA 00407155 earlier. When you reach VA 00407155, press F7. You will see Figure (54).
Figure (54)
Keep pressing F8 until you reach the CALL at VA 00406FF9.
Figure (55)
I think you remember MOV BL, AL in Figure (55). At this point we have decided that the CALL at VA 00406FF9 is the CALL we have to go into. So press F7 and enter the CALL. You will see Figure (56).
Figure (56)
Let's look for where AL is set. Scroll down. We see quite a lot of code. Since this is the first time, I will not think about searching deeply. I suspect one place of checking whether the serial is correct, but I will talk about that later. For now I will just try to patch AL. Properly, I should follow and check every single piece of code; that is called Advanced Level Patching.
Figure (57)
Now let's try to change BL at VA 00406FC5. Figure (58).
Figure (58)
Figure (59)
Press F9 and let's see what happens. Figure (60).
Figure (60)
If you click OK in Figure (60), you will see that the text [Unregistered] in Figure (61) disappears.
Figure (61)
Looking at Figure (61), you will see that there is no longer any need to register.
Figure (62)
Figure (63)
Since the play period has expired, we have to register. When we try to register, we see Figure (64).
Figure (64)
Now that we know how the program behaves, let's open its code in Olly. Figure (65).
Figure (65)
Figure (65) is the EP of WinNoah.exe. Let's search for the BadBoy message of Figure (64). Figure (66).
Figure (66)
Searching for the text strings (the BadBoy message) via Search gives Figure (66). Set breakpoints at these places and double-click. Figure (67).
Figure (67)
What we see in Figure (67) is the start of the CALL that invokes the BadBoy, and this CALL is invoked from VA 0041A315 and VA 0041E853. Let's look at VA 0041A315 and VA 0041E853. Figure (68).
Figure (68)
Looking carefully at Figure (68), before reaching the BadBoy CALLs it first goes to CALL DWORD PTR DS:[EAX+40] and checks whether the registration succeeded. The result of the check is stored in AL. Then it checks whether to skip the BadBoy. So, to skip the BadBoy, let's change the JNZ to JMP. Then save the modified code and reopen the program. If you type any name and any code, you find that the game can be played. But the game is registered only at the moment of registering; it is not permanently registered. So further changes are needed. Let's search again in Olly. Figure (69).
Figure (69)
Let's look at where the strings in Figure (69) are. Figure (70).
Figure (70)
Figure (71)
What we see in Figure (71) is that it stopped at one of the four breakpoints we set last. This place is reached only when registering. Since someone who is registered no longer needs to register again, Click Here to Play. should appear here instead of Click Here to Register Now. I think that if we can skip this place there will be no need to register. So change every JE in Figure (71) to JMP and save the program. When you open the saved program you still see Figure (63), and it is not registered. That is why I said that it does not become registered just by patching the conditional jumps.
Good. Let's set a breakpoint at VA 4203E7 (CALL DWORD PTR DS:[EDX+10]) in Figure (71) and see which CALL it invokes. Figure (72).
Figure (72)
MOV ECX, DWORD PTR DS:[ESI+50]; // ECX= DS[00B78E70] = VA 49C518
CMP BYTE PTR DS:[ECX+328], BL; // DS[49C518+328] = 49C840, BL = 0
Let's see what value is in the data window at VA 00498C40. Figure (73).
Figure (73)
Figure (74)
VA 420419: CMP BYTE PTR DS:[ECX+328], BL; // DS[49C518+328] = 49C840, BL = 0
When VA 420419 compares the byte value at DS[49C840] with the value of BL once more, if they are equal it reaches VA 420424. Comparing this way, we see that the CALL at VA 00420431 can be skipped. So why can't the game be played? In fact, because the CALL at VA 00420431 is not always skipped. Then we see the value of BL compared twice with the byte value at VA 00420431 in the dump window. So change the zero here to 1 and run (F9) the program. Figure (75).
Figure (75)
After pressing F9, we see the values change as in Figure (76).
Figure (76)
Remove the breakpoint at VA 4203E7 in Figure (74) and press F9.
Figure (77)
Figure (78)
Right-click in Figure (78) and save the file under any name you like. Then let's open the file we saved.
Figure (79)
Something seems to be wrong again. The first time, after changing the code and running, we saw Figure (77). Now that it has been saved as a file, we see Figure (79). So let's reopen the modified and saved file in Olly. Figure (80).
Figure (80)
At VA 0049C840 in the dump window it is still exactly as we saved it. I think we now need to watch this location.
Figure (81)
So we set a hardware breakpoint here as in Figure (81) and watch. Right-click in the dump window and choose Breakpoint, Hardware, on write → Byte. Then press F9 and watch what changes.
Figure (82)
We have found the culprit. After MOV BYTE PTR SS:[EBP+328], BL at VA 0042ABFE executes, the byte value at VA 0049C840 in the dump window changes. Press F9 again.
Figure (83)
As seen in Figure (83), AL also changes the value to zero. Good; what if we change these two places to 1 and save the file? Then we see Figure (84).
Figure (84)
In conclusion, to make Noah's Ark registered we had to modify the code at the following two places -
1. MOV BYTE PTR SS:[EBP+328], BL at VA 0042ABFE to MOV BYTE PTR SS:[EBP+328], 1.
Figure (85)
Chapter (11) - Creating patch files with uPPP - 208 -
Figure (1)
What we see in Figure (1) is the information about the application to be cracked. You can also enter who cracked the software and the date of cracking.
Figure (2)
Figure (3)
Figure (3) concerns the template you want displayed. You can choose any font, picture, music and icon you like. Now that we know this much, let's start creating the patch file.
First, let's find the place to patch in Olly. (The example is shown with IDM 6.0.8 Build 3.)
Figure (4)
We will replace TEST EDI, EDI (85 FF) with XOR EDI, EDI (33 FF). Only then does the value of EDI become zero and the MessageBox "Internet Download Manager has been registered with a fake Serial Number. IDM is exiting..." can be bypassed. But you must remember that TEST EDI, EDI occurs many times in the program code. Since we chose the Seek & Replace method, if every TEST EDI, EDI were replaced with XOR EDI, EDI the program would crash. So we have to give more precise information, and therefore replace 8B F8 83 C4 04 85 FF 74 0A with 8B F8 83 C4 04 33 FF 74 0A.
The next place that has to be patched is as seen in Figure (5).
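As an added C example (not uPPP's code), this shows the point just made: a seek-and-replace rule is only safe when its byte pattern occurs exactly once, so a patcher should count matches and refuse an ambiguous rule rather than rewrite every hit. SAMPLE is a constructed stand-in for a program image, not bytes taken from IDM; the two rules are the ones from the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a program image: three TEST EDI,EDI (85 FF)
 * sequences, but the nine-byte context from the text appears only once. */
#define SAMPLE_LEN 20
const unsigned char SAMPLE[SAMPLE_LEN] = {
    0x85, 0xFF, 0x75, 0x10,                                 /* test edi,edi ; jnz */
    0x8B, 0xF8, 0x83, 0xC4, 0x04, 0x85, 0xFF, 0x74, 0x0A,   /* context from the text */
    0x90, 0x90,                                             /* nop ; nop */
    0x85, 0xFF, 0x74, 0x02,                                 /* test edi,edi ; je */
    0xC3                                                    /* ret */
};

/* The two seek-and-replace rules discussed above. */
const unsigned char SHORT_FIND[2] = {0x85, 0xFF};           /* TEST EDI,EDI */
const unsigned char SHORT_REPL[2] = {0x33, 0xFF};           /* XOR EDI,EDI  */
const unsigned char LONG_FIND[9]  = {0x8B, 0xF8, 0x83, 0xC4, 0x04, 0x85, 0xFF, 0x74, 0x0A};
const unsigned char LONG_REPL[9]  = {0x8B, 0xF8, 0x83, 0xC4, 0x04, 0x33, 0xFF, 0x74, 0x0A};

/* Number of offsets at which pat occurs in buf (overlapping matches count). */
size_t count_pattern(const unsigned char *buf, size_t buf_len,
                     const unsigned char *pat, size_t pat_len)
{
    size_t count = 0, i;
    if (pat_len == 0 || pat_len > buf_len)
        return 0;
    for (i = 0; i + pat_len <= buf_len; i++)
        if (memcmp(buf + i, pat, pat_len) == 0)
            count++;
    return count;
}

/* Replace 'find' with 'repl' (same length) only if 'find' occurs exactly once.
 * Returns 1 on success; 0 (buffer untouched) if the pattern is missing or
 * ambiguous, the case the text says would crash the program if patched blindly. */
int replace_unique(unsigned char *buf, size_t buf_len,
                   const unsigned char *find, const unsigned char *repl, size_t len)
{
    size_t i;
    if (count_pattern(buf, buf_len, find, len) != 1)
        return 0;
    for (i = 0; i + len <= buf_len; i++) {
        if (memcmp(buf + i, find, len) == 0) {
            memcpy(buf + i, repl, len);
            return 1;
        }
    }
    return 0;
}

/* Apply one rule to a private copy of SAMPLE. Returns -1 if the rule was
 * refused, otherwise the number of TEST EDI,EDI sequences left afterwards. */
int patch_sample(const unsigned char *find, const unsigned char *repl, size_t len)
{
    unsigned char img[SAMPLE_LEN];
    memcpy(img, SAMPLE, SAMPLE_LEN);
    if (!replace_unique(img, SAMPLE_LEN, find, repl, len))
        return -1;
    return (int)count_pattern(img, SAMPLE_LEN, SHORT_FIND, sizeof SHORT_FIND);
}

int main(void)
{
    printf("85 FF occurs %lu times, the 9-byte context %lu time(s)\n",
           (unsigned long)count_pattern(SAMPLE, SAMPLE_LEN, SHORT_FIND, sizeof SHORT_FIND),
           (unsigned long)count_pattern(SAMPLE, SAMPLE_LEN, LONG_FIND, sizeof LONG_FIND));
    printf("short rule result: %d, long rule result: %d\n",
           patch_sample(SHORT_FIND, SHORT_REPL, sizeof SHORT_FIND),
           patch_sample(LONG_FIND, LONG_REPL, sizeof LONG_FIND));
    return 0;
}
```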
Figure (5)
IDM keeps "Internet Download Manager has been registered with a fake Serial Number. IDM is exiting..." encrypted, and if our serial is not in its online database, the nag message appears and the program closes. This place has to be bypassed. We replace JE 00444532 (74 6D) with JMP 00444532 (EB 6D). At PUSH 0 (6A 00) we substitute JMP 4444C3. So we replace 74 6D 6A 00 with EB 6D EB FC. Then the replacement has to be set up as in Figure (6).
Figure (6)
For EB 6D EB FC, which replaces 74 6D 6A 00, do the same as in Figure (6) and choose Add to list. That completes the patching of IDMan.exe. Only patching the registry remains.
Figure (7)
Save the file as seen in Figure (7); if you then choose the Create Patch button in Figure (1), you get the IDM patch file we wanted. Figure (8).
Figure (8)
(2) Creating a patch file for FlyHelp 6.1
This time we discuss File Drop and Offset Patch, which were left undiscussed in the first part.
First, open uPPP, choose Project → New, and enter the required information. (This was already discussed in part (1), so it is not discussed again.)
Figure (9)
Figure (10)
The methods used here are File Drop and Offset Patch. Because Offset patch is chosen, the patch file becomes fixed; that is, if the software version of FlyHelp changes, the patch file will no longer work.
As the third step, press the Offset Patch button and compare the offsets and bytes you are going to patch. Figure (11). The files to be offset-patched here are FSWebHelpLib.dll and HtmlViewEdit.dll.
Figure (11)
Before comparing as in Figure (11), the original HtmlViewEdit.dll file must not have been renamed. The already-cracked HtmlViewEdit(CRACKED).dll file must also be ready. After comparing, save. Do the same for FSWebHelpLib.dll. (This time you have to crack the software yourself; the cracking method is not explained.)
The next step is simply to put the file we cracked under the C:\Program Files\FlyHelp folder.
Figure (12)
Note that Fly_Help.exe is a child program spawned by FlyHelp.exe; it is produced only when FlyHelp.exe is opened and is deleted the rest of the time. That is why we select READ ONLY/HIDDEN/SYSTEM, so that our cracked file cannot be replaced by the original Fly_Help.exe.
The next step is choosing the template/theme you like.
Figure (13)
That completes the preparation for patching. Just press the Create Patch button in Figure (9). You then get a complete patch file, as seen in Figure (14).
Figure (14)
Chapter (12) - Windows APIs that crackers should pay attention to - 215 -
Kernel APIs: Also called the BASE APIs, these live in kernel32.dll. It contains all the non-GUI services, such as file input/output, memory management, object management, and process and thread management. To carry out its various services, kernel32.dll calls ntdll.dll, the low-level native API. The Kernel APIs are used to work with and create kernel-level objects such as files and synchronization objects.
GDI APIs: The GDI APIs live in GDI32.dll and contain graphics-related services such as drawing a line or displaying a bitmap. Originally, the GDI was implemented in the kernel module WIN32K.sys. For drawing graphics, the GDI is centred on GDI objects such as device contexts, brushes and pens, because these objects cannot be handled by the kernel's object manager.
USER APIs: Contained in User32.dll, these include higher-level GUI services such as window management, menus, dialog boxes and user-interface controls. USER draws all GUI objects using GDI calls. The USER APIs mainly handle user-interface objects such as windows and menus, which the kernel's object manager cannot handle.
This chapter studies the API functions that have to be watched when cracking. Knowing the API functions in detail makes cracking easier. The API functions to watch are as follows -
When dealing with dialog boxes
DialogBoxParamA
GetDlgItem
GetDlgItemInt
GetDlgItemText
GetWindowText
GetWindowWord
When dealing with message boxes
MessageBeep
MessageBoxA
MessageBoxEx
SendMessage
SendDlgItemMessage
When dealing with the registry
RegCreateKey
RegDeleteKey
RegQueryValue
RegQueryValueEx
RegCloseKey
RegOpenKey
When reading from or writing to files
ReadFile
WriteFile
CreateFile
When reading data from INI files
GetPrivateProfileString
GetPrivateProfileInt
WritePrivateProfileString
When reading data from other places
LoadString
lstrcmp
MultiByteToWideChar
WideCharToMultiByte
wsprintf
When dealing with time and dates
GetFileTime
GetLocalTime
GetSystemTime
GetSystemTimeAsFileTime
SetTimer
SystemTimeToFileTime
When looking for a NAG window
CreateWindowEx
ShowWindow
UpdateWindow
When looking for the text of a MessageBox
SendDlgItemMessage
SendMessage
SetDlgItemText
SetWindowText
When examining registration-related routines, you mainly need to look for the following APIs -
GetDlgItemText
GetWindowText
lstrcmp
GetPrivateProfileString
GetPrivateProfileInt
RegQueryValueEx
WritePrivateProfileString
WritePrivateProfileInt
(1) CreateProcess
CreateProcess creates a new process. The new process executes the specified exe file.
BOOL CreateProcess(
LPCTSTR lpApplicationName, // pointer to name of executable module
LPTSTR lpCommandLine, // pointer to command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to thread security attributes
BOOL bInheritHandles, // handle inheritance flag
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // pointer to new environment block
LPCTSTR lpCurrentDirectory, // pointer to current directory name
LPSTARTUPINFO lpStartupInfo, // pointer to STARTUPINFO
LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION
);
Figure (1)
In the textbox of Figure (1), I typed "Myo Myint Htike" as the password. After typing the password, set a breakpoint on GetDlgItemText. Then click OK. Figure (2).
Figure (2)
Look at Figure (2). The maximum number of characters the Password textbox can read is only 17. Looking at this with the Resource Hacker software, you will see the following.
DLG_REGIS DIALOG 20, 20, 142, 81
STYLE DS_MODALFRAME | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Enter Password"
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
FONT 10, "Book Antiqua"
{
CONTROL "Textbox", 1000, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE |
WS_BORDER | WS_TABSTOP, 45, 22, 66, 11
CONTROL "OK", 1002, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP,
18, 55, 42, 15
CONTROL "Cancel", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE |
WS_TABSTOP, 80, 55, 42, 15
CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 7, 23, 34,
10
}
Figure (3)
The ControlID value 3E8h (1000d) seen in Figure (2) refers to the Textbox control, as Figure (3) shows. So if you would rather not set a breakpoint on GetDlgItemText or GetWindowText to find the Password dialog box, you can search the code for PUSH 3E8h instead: the program pushes the control ID before the call.
Buffer is the virtual address, visible in the dump window, where the text you typed will be stored.
GetDlgItemText sends the WM_GETTEXT message to the control. SetDlgItemText is the opposite of GetDlgItemText: it sends WM_SETTEXT to replace the control's text.
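Extracting the control IDs from a Resource Hacker dialog listing, as an added example that is not code from the book or from Resource Hacker: a small parser that re-joins the wrapped CONTROL statements, pulls out the ID, class, styles and position of each control, and turns every real ID into the PUSH to search for in Olly, so that 1000 becomes PUSH 3E8 exactly as described above. The listing embedded below is a constructed copy of the DLG_REGIS dialog shown above; the trailing extended-style number that appears in the KeygenMe listing later in this chapter is also accepted.

```python
import re

# Constructed copy of the Resource Hacker listing shown in the chapter (not read from a file here).
DIALOG_SCRIPT = '''DLG_REGIS DIALOG 20, 20, 142, 81
STYLE DS_MODALFRAME | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Enter Password"
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
FONT 10, "Book Antiqua"
{
CONTROL "Textbox", 1000, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE |
WS_BORDER | WS_TABSTOP, 45, 22, 66, 11
CONTROL "OK", 1002, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP,
18, 55, 42, 15
CONTROL "Cancel", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE |
WS_TABSTOP, 80, 55, 42, 15
CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 7, 23, 34,
10
}
'''

# Keywords that start a statement in Resource Hacker's dialog script; any other line is a continuation.
STATEMENT_KEYWORDS = ("CONTROL", "STYLE", "EXSTYLE", "CAPTION", "LANGUAGE", "FONT", "{", "}")
CONTROL_RE = re.compile(
    r'^CONTROL\s+("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,\s*(-?\d+)\s*,\s*(\w+)\s*,\s*(.*)$')


def join_statements(script):
    """Resource Hacker wraps long statements over several lines; glue the pieces back together."""
    stmts = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not stmts or line.startswith(STATEMENT_KEYWORDS):
            stmts.append(line)           # new statement (the first line is the DIALOG header)
        else:
            stmts[-1] += " " + line      # continuation of the previous statement
    return stmts


def parse_controls(script):
    """Return one dict per CONTROL statement: text, id, class, styles, rect and optional exstyle."""
    controls = []
    for stmt in join_statements(script):
        m = CONTROL_RE.match(stmt)
        if not m:
            continue
        text, ctrl_id, cls, rest = m.groups()
        parts = [p.strip() for p in rest.split(",") if p.strip()]
        styles = {s.strip() for s in parts[0].split("|")}
        nums = [int(p, 0) for p in parts[1:]]       # x, y, w, h [, extended style]
        controls.append({
            "text": text.strip('"'), "id": int(ctrl_id), "class": cls,
            "styles": styles, "rect": tuple(nums[:4]),
            "exstyle": nums[4] if len(nums) > 4 else 0,
        })
    return controls


def olly_search_hints(controls):
    """For every control with a real ID, the PUSH to look for with Olly's 'Search for > All commands'."""
    return {c["id"]: f"PUSH {c['id']:X}" for c in controls if c["id"] > 0}


def input_control_ids(controls):
    """EDIT controls are the ones whose text a registration routine reads with GetDlgItemText."""
    return [c["id"] for c in controls if c["class"] == "EDIT"]


if __name__ == "__main__":
    found = parse_controls(DIALOG_SCRIPT)
    for c in found:
        print(f'{c["id"]:5d} {c["class"]:7s} {c["text"]!r:14s} rect={c["rect"]}')
    print("search for:", olly_search_hints(found))
    print("text read by GetDlgItemText comes from IDs:", input_control_ids(found))
```

The hints are what you type into Olly's search box; with only one EDIT control (1000) there is only one GetDlgItemText call worth a breakpoint.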
(4) GetDlgItem
GetDlgItem retrieves the window handle (HWND) of a control in the specified dialog box. A program that reads a textbox with GetWindowText instead of GetDlgItemText first fetches the control's handle this way.
HWND GetDlgItem(
HWND hDlg, // handle of dialog box
int ControlID // identifier of control
);
(5) lstrcmp
lstrcmp compares two strings. It returns 0 when the two strings are identical, which is the result a registration routine treats as success.
int lstrcmp(
LPCTSTR lpString1, // address of first string
LPCTSTR lpString2 // address of second string
);
The comparison is case-sensitive (lstrcmpi is the case-insensitive variant). Figure (4). An API whose name ends in A works on ANSI strings; one whose name ends in W works on UNICODE (UTF-16) strings.
Figure (4)
(6) GetPrivateProfileString
GetPrivateProfileString reads a string from a section of an initialization (*.ini) file. Win32-based applications usually keep their initialization data in the registry instead, and Windows NT can redirect ini-file calls into the registry transparently (the IniFileMapping key), which is what the notes after the prototype describe.
DWORD GetPrivateProfileString(
LPCTSTR lpAppName, // points to section name
LPCTSTR lpKeyName, // points to key name
LPCTSTR lpDefault, // points to default string
LPTSTR lpReturnedString, // points to destination buffer
DWORD nSize, // size of destination buffer
LPCTSTR lpFileName // points to initialization filename
);
If the section named by lpAppName does not exist under the myfile.ini key, there may still be an unnamed (default) value under myfile.ini. That value names a default location in the registry where the key you are looking for is kept for every section.
If there is no subkey for myfile.ini at all, or no entry for the section name, the real myfile.ini file on disk is searched and the information is read from there.
The prefixes you will see on the values in the registry mapping have the following meanings:
! - writes go to both the registry and the myfile.ini file on disk.
# - the registry value is set from the Windows 3.1 .ini file when a new user logs in for the first time after setup.
@ - prevents any read from falling back to the .ini file on disk when the data is not found in the registry.
USR: - stands for HKEY_CURRENT_USER.
SYS: - stands for HKEY_LOCAL_MACHINE\SOFTWARE.
(7) GetPrivateProfileInt
GetPrivateProfileInt reads an integer from a section of an initialization (*.ini) file.
UINT GetPrivateProfileInt(
LPCTSTR lpAppName, // address of section name
LPCTSTR lpKeyName, // address of key name
INT nDefault, // return value if key name is not found
LPCTSTR lpFileName // address of initialization filename
);
(8) RegQueryValueEx
RegQueryValueEx reads the type and data of a value under an open registry key. A program that keeps its registration name or serial in the registry calls it at start-up to decide whether it is registered, so it is a good place for a breakpoint.
LONG RegQueryValueEx(
HKEY hKey, // handle of key to query
LPTSTR lpValueName, // address of name of value to query
LPDWORD lpReserved, // reserved
LPDWORD lpType, // address of buffer for value type
LPBYTE lpData, // address of data buffer
LPDWORD lpcbData // address of data buffer size
);
(9) WritePrivateProfileString
WritePrivateProfileString is the inverse of GetPrivateProfileString: it writes a string into a section of an .ini file (a program may use it to save the serial you entered).
BOOL WritePrivateProfileString(
LPCTSTR lpAppName, // pointer to section name
LPCTSTR lpKeyName, // pointer to key name
LPCTSTR lpString, // pointer to string to add
LPCTSTR lpFileName // pointer to initialization filename
);
// Test program (completed here so that it compiles on its own; the original was only a fragment)
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int main(void)
{
    TCHAR inBuf[80];
    HKEY  hKey1, hKey2;
    LONG  lRetCode;

    // Read Section1/FirstKey from appname.ini (searched in the Windows directory unless a full path is given)
    GetPrivateProfileString (TEXT("Section1"), TEXT("FirstKey"), TEXT("Error: GPPS failed"),
                             inBuf, 80, TEXT("appname.ini"));
    _tprintf (TEXT("Key: %s\n"), inBuf);

    // Open two keys so that the RegCloseKey calls below have something to close
    if( RegOpenKeyEx( HKEY_CURRENT_USER, TEXT("Software"), 0, KEY_READ, &hKey1 ) != ERROR_SUCCESS )
        return(0);
    if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, TEXT("SOFTWARE"), 0, KEY_READ, &hKey2 ) != ERROR_SUCCESS )
    {   RegCloseKey( hKey1 ); return(0); }

    // Close the keys
    lRetCode = RegCloseKey( hKey1 );
    if( lRetCode != ERROR_SUCCESS )
    {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return(0);
    }
    lRetCode = RegCloseKey( hKey2 );
    if( lRetCode != ERROR_SUCCESS )
    {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return(0);
    }
    return(1);
}
Figure (5)
(10) CreateWindowEx
CreateWindowEx creates an overlapped, pop-up or child window with an extended window style; apart from that it behaves exactly like CreateWindow.
HWND CreateWindowEx(
DWORD ExtStyle, // extended window style
LPCTSTR ClassName, // pointer to registered class name
LPCTSTR WindowName, // pointer to window name
DWORD WindowStyle, // window style
int x, // horizontal position of window
int y, // vertical position of window
int Width, // window width
int Height, // window height
HWND hWndParent, // handle to parent or owner window
HMENU hMenu, // handle to menu, or child-window identifier
HINSTANCE hInstance, // handle to application instance
LPVOID lParam // pointer to window-creation data
);
CreateWindowEx is normally used together with the ShowWindow and UpdateWindow APIs.
(11) CreateFile
CreateFile is used to open or create a file.
HANDLE CreateFile(
LPCTSTR FileName, // pointer to name of the file
DWORD DesiredAccess, // access (read-write) mode
DWORD Mode, // share mode
LPSECURITY_ATTRIBUTES pSecurity, // pointer to security attributes
DWORD dwCreationDistribution, // how to create
DWORD Attributes, // file attributes
HANDLE hTemplateFile // handle to file with attributes to copy
);
The parameter to watch in CreateFile is dwCreationDistribution (called dwCreationDisposition in current documentation), not the share mode: it decides what happens when the file already exists or does not exist (CREATE_NEW, CREATE_ALWAYS, OPEN_EXISTING, OPEN_ALWAYS or TRUNCATE_EXISTING). Figure (6).
Figure (6)
Looking at a KeygenMe's dialog box with Resource Hacker shows the following:
1 DIALOGEX 0, 0, 225, 142
STYLE DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE |
WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_STATICEDGE
CAPTION " :: Ziggy's KeyGenMe #0 ::"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 7, "MS SANS SERIF"
{
CONTROL 10, -1, STATIC, SS_BITMAP | SS_REALSIZEIMAGE | SS_SUNKEN | WS_CHILD |
WS_VISIBLE, 65535, 104, 200, 200
CONTROL "Name", 1002, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 30, 186, 10 ,
0x00020000
CONTROL "Serial", 1003, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 47, 186, 10 ,
0x00020000
CONTROL "Register", 1005, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 59, 62, 50, 12 , 0x00020000
CONTROL "About", 1007, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 158, 62, 30, 12 , 0x00020000
CONTROL "Close", 1004, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD |
WS_VISIBLE | WS_TABSTOP, 191, 62, 30, 12 , 0x00020000
CONTROL "Appname", 1001, STATIC, SS_CENTER | SS_SUNKEN | WS_CHILD | WS_VISIBLE |
WS_GROUP, 35, 5, 186, 10 , 0x00020000
CONTROL " ", 1009, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 19, 186, 10
Figure (7)
In Figure (7) the DlgProc argument is the important one: it is the virtual address (00401032) of the dialog procedure, the code that handles the dialog's messages, including its button presses. pTemplate is the dialog name (its resource identifier). Normally one API finishes and the next one runs, but in Figure (7), after the instruction at 00401041 executes, control does not arrive at 00401046 but at 0040104D.
(13) ShowWindow
ShowWindow sets the show state of the specified window (shows or hides it).
BOOL ShowWindow(
HWND hWnd, // handle of window
int nCmdShow // show state of window
);
(14) MessageBox
You will see MessageBox very often while cracking. MessageBox creates and displays a message box containing the given text and title, with a predefined set of buttons and an icon.
int MessageBoxA(
HWND hOwner, // handle of owner window
LPCTSTR Text, // address of text in message box
LPCTSTR Title, // address of title of message box
UINT Style // style of message box
);
Figure (8)
Style selects the buttons and the icon the message box displays. In the example of Figure (8) the message box has only an OK button and no icon. (MessageBox is discussed in detail in the 'Basic Assembly Language' chapter.)
The argument to note here is hOwner. If a dialog box is on screen when the message box is created, hOwner should be that dialog box's handle. If hOwner holds an invalid value such as 1, the message box is not displayed at all: the call fails.
(15) SendMessage
SendMessage sends a message to a window or windows. The function calls the window procedure of the specified window and does not return until the window procedure has processed the message. PostMessage, by contrast, places the message in the thread's message queue and returns immediately.
LRESULT SendMessage(
HWND hWnd, // handle of destination window
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);
(16) SendDlgItemMessage
SendDlgItemMessage sends a message to a control in a dialog box.
LONG SendDlgItemMessage(
HWND hDlg, // handle of dialog box
int nIDDlgItem, // identifier of control
UINT Msg, // message to send
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);
(17) ReadFile
ReadFile reads data from a file, starting at the position indicated by the file pointer.
BOOL ReadFile(
HANDLE hFile, // handle of file to read
LPVOID Buffer, // address of buffer that receives data
DWORD BytesToRead, // number of bytes to read
LPDWORD pBytesRead, // address of number of bytes read
LPOVERLAPPED pOverlapped // address of structure for data
);
Buffer is where the bytes read are stored. pBytesRead receives the number of bytes actually read, and BytesToRead is the maximum number of bytes to read. Figure (9).
Figure (9)
(18) WriteFile
WriteFile writes data to a file.
BOOL WriteFile(
HANDLE hFile, // handle to file to write to
LPCVOID Buffer, // pointer to data to write to file
DWORD BytesToWrite, // number of bytes to write
LPDWORD pBytesWritten, // pointer to number of bytes written
LPOVERLAPPED pOverlapped // pointer to structure needed for overlapped I/O
);
(19) GetSystemTime
GetSystemTime retrieves the current system date and time, expressed in UTC (Coordinated Universal Time). Time-limited trials read the date through it.
VOID GetSystemTime(
LPSYSTEMTIME lpSystemTime // address of system time structure
);
(20) GetFileTime
GetFileTime retrieves the date and time at which a file was created, last accessed and last modified.
BOOL GetFileTime(
HANDLE hFile, // identifies the file
LPFILETIME lpCreationTime, // address of creation time
LPFILETIME lpLastAccessTime, // address of last access time
LPFILETIME lpLastWriteTime // address of last write time
);
(21) SetTimer
SetTimer creates a timer that fires after the specified time-out.
UINT SetTimer(
HWND hWnd, // handle of window for timer messages
UINT TimerID, // timer identifier
UINT Timeout, // time-out value
TIMERPROC Timerproc // address of timer procedure
);
Figure (9)
hWnd is the window associated with the timer (a TPUtilWindow in the figure); that window must be owned by the calling thread. If hWnd is NULL, the timer is not associated with any window and TimerID is ignored.
TimerID specifies a nonzero timer identifier.
Timeout is the time-out value in milliseconds. Timerproc points to the function that is notified, and executed, when the time-out elapses.
KillTimer is the API that destroys the timer identified by TimerID.
Chapter (13) - Cracking a program by using its resources - 230 -
Figure (1)
Download Active Desktop Calendar from www.xemico.com and install it.
Figure (2)
Figure (3)
OK, choose Registration from the Help menu and try to register. Figure (4).
Figure (4)
Selecting the Register button in Figure (4) produces Figure (5).
Figure (5)
That is enough to start with. Let's try patching the program. Before patching, we first look at the ADC program with Resource Hacker. Figure (6).
Figure (6)
Resource Hacker displays the resources a program uses, as in Figure (6). Recall that a PE file keeps its resources in the .rsrc section. Normally Resource Hacker lets you edit a program's resources however you like. Figure (7).
Figure (7)
Keep in mind that Resource Hacker can only edit resources; it cannot make a program register successfully. So we have to use Resource Hacker together with OllyDbg. Look back at Figures (3), (4) and (5): they are dialogs. Let's look at these dialogs in detail in Resource Hacker. Click the Dialog entry in Figure (6) and you will see Figure (8).
Figure (8)
Look carefully at the 100 in Figure (8). It is the dialog's name (its resource ID). The program pushes this dialog name onto the stack before calling the dialog function.
Figure (9)
The 207 in Figure (9) is the dialog that brings up the registration box of Figure (4).
Figure (10)
The 208 in Figure (10) is the dialog that brings up the BadBoy message box of Figure (5).
OK. Let's open the ADC program in Olly. Figure (11).
Figure (11)
Once Figure (11) is on screen, let's search in Olly for the dialog names we looked at earlier. Right-click in Olly and choose Search for > All commands. First we search for the registration dialog (207d = 00CFh), as in Figure (12).
Figure (12)
Pressing the Find button in Figure (12) gives Figure (13).
Figure (13)
Set a breakpoint on every command listed in Figure (13). With the breakpoints set, press F9 to run the program, then choose Registration from the Help menu. You will stop as in Figure (14).
Figure (14)
In Figure (14) the VA 0045EEC0 where we stopped is the CALL that brings up the registration dialog, and VA 0045EEA0 is the start of the routine it belongs to. To find out which virtual address calls this routine, look in the stack window. Figure (15).
Figure (15)
According to Figure (15), when the routine at VA 0045EEA0 finishes it returns to VA 00434E86. To verify this, right-click and choose Follow in Disassembler. You will see Figure (16).
Figure (16)
In fact the call is made from VA 00434E81 (the return address 00434E86 is the instruction after the 5-byte CALL). I think that is enough to understand the layout. Look at Figure (14) again: the dialog name has just been pushed onto the stack. To see what happens next, press F9. You will see Figure (17).
Figure (17)
If you see Figure (17), the program is not registered yet. We still have to find the dialog (208d = D0h) seen in Figure (10). As in Figure (12), type PUSH 0D0h and set a breakpoint on every command found. This time there is only one command of interest. Figure (18).
Figure (18)
The JE at VA 0045F0D3 in Figure (18) decides whether registration succeeded; when it fails, execution arrives at VA 0045F239, which is why the BadBoy dialog box appears. If you replace this JE with NOP, registration succeeds whatever code you type. Figure (19). Save the patched code under any file name you like.
Figure (19)
To be more certain, look in the registry editor (regedit.exe) as in Figure (20).
Figure (20)
But if you reopen the saved file and look at About Active Desktop Calendar in the Help menu, it still shows as in Figure (21).
Figure (21)
So we also set a breakpoint at the virtual address of this dialog (100d = 0064h) and run (F9). While the program runs, it will pause at every breakpoint on a PUSH 64. If a stop is not relevant, remove that breakpoint (all except the PUSH 64 breakpoint that calls the About dialog). Removing the irrelevant breakpoints this way, when the program's menu appears choose About ADC from the Help menu. This time we arrive at the About Dialog breakpoint we were looking for. Figure (22).
Figure (22)
VA 00401C60 in Figure (22) is the start of the routine. To find out where it is called from, right-click in the stack window and choose Follow in Disassembler. You will see Figure (23).
Figure (23)
As Figure (23) shows, VA 00401C60 is called from VA 00401D48. If you press F9 you get Figure (21). To find out why the text "This is an unlicensed copy" appears, look at the About dialog box (100d) in Resource Hacker again. Figure (24).
Figure (24)
Looking at Figure (24) you will see that it too has a number pushed onto the stack (1044d = 414h). Let's see what happens if we can skip this place. Search for PUSH 414h and set a breakpoint on it. Then restart the program in Olly and choose About ADC from the Help menu. Then PUSH 414h
Figure (25)
Explanation (resource ID = string):
413 = DeskLook Version x.y
414 = This is an unlicensed copy.
415 = User
416 = Registration Code
417 = This is an unlicensed copy.
3FD = Buy &Online Now!
Figure (26)
Step through with F8 from VA 00401DE2 in Figure (25) to VA 00401EAC in Figure (26). Change the JE at VA 00401EAC to NOP, then save the file under any name. Open the saved file and choose About ADC from the Help menu. You will see Figure (27).
Figure (27)
Figure (28)
You will have understood that the CALL at VA 004013DD in Figure (28) is the routine that checks whether the program is registered. OK, reopen the program. You will see Figure (29).
Figure (29)
To sum up, to make Active Desktop Calendar register successfully we patched the code in three places:
(1) JNZ at VA 004013E4 changed to JMP (splash screen)
(2) JE at VA 00401EAC changed to NOP (About dialog)
(3) JE at VA 0045F0D3 changed to NOP (registration dialog)
We made these patches easily with the help of Resource Hacker. (Note that for programs written in Delphi it is best not to crack by way of Resource Hacker; how to crack Delphi programs is discussed in detail in 'Chapter (17) - Cracking programs written in Delphi'.)
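The three patches above, applied to the file on disk rather than in Olly, as an added worked example that is not part of the book: a Python script that maps each VA shown in Olly to its file offset through the section table and rewrites the conditional jump there, refusing to patch if the bytes are not a JE/JNE. The ImageBase, the single CODE section and the bytes placed at those addresses are assumed values built in for the demonstration (read the real ones from LordPE's section table before touching a real file). The JE at 0045F0D3 is modelled as the 6-byte near form because its target 0045F239 is too far away for a 2-byte short jump, and NOPing it therefore takes six bytes, not two.

```python
# Added example; layout values below are ASSUMED, not taken from the real ADC binary.
IMAGE_BASE = 0x00400000
SECTIONS = [  # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    ("CODE", 0x1000, 0x60000, 0x400, 0x60000),
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address seen in Olly to the byte offset of the same code in the file."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:08X} is not backed by any section")


def patch_jcc(image, va, action):
    """Patch the JE/JNE at va: 'nop' makes it fall through, 'jmp' makes it unconditional."""
    off = va_to_file_offset(va)
    op = image[off]
    if op in (0x74, 0x75):                                   # short JE / JNE, 2 bytes
        length = 2
    elif op == 0x0F and image[off + 1] in (0x84, 0x85):      # near JE / JNE, 6 bytes
        length = 6
    else:
        raise ValueError(f"no JE/JNE at VA {va:08X} (found {op:02X})")
    old = bytes(image[off:off + length])
    if action == "nop":
        new = b"\x90" * length
    elif action == "jmp":
        # Keep the displacement: for the near form the NOP goes first so that
        # the E9 instruction still ends where the 0F 8x instruction ended.
        new = (b"\xEB" + old[1:]) if length == 2 else (b"\x90\xE9" + old[2:])
    else:
        raise ValueError(action)
    image[off:off + length] = new
    return off, old, new


def apply_adc_patches(image):
    """The three changes from the chapter: splash screen, About dialog, registration dialog."""
    return [
        patch_jcc(image, 0x004013E4, "jmp"),   # JNZ -> JMP
        patch_jcc(image, 0x00401EAC, "nop"),   # JE  -> NOP
        patch_jcc(image, 0x0045F0D3, "nop"),   # JE  -> NOP (near form, target 0045F239)
    ]


def build_sample_image():
    """Constructed file image with a jump at each of the three addresses; not the real program."""
    img = bytearray(0x60400)
    for va, ins in ((0x004013E4, b"\x75\x0C"),
                    (0x00401EAC, b"\x74\x2A"),
                    (0x0045F0D3, b"\x0F\x84\x60\x01\x00\x00")):   # 0045F0D3 + 6 + 0x160 = 0045F239
        off = va_to_file_offset(va)
        img[off:off + len(ins)] = ins
    return img


if __name__ == "__main__":
    sample = build_sample_image()
    for off, old, new in apply_adc_patches(sample):
        print(f"offset {off:06X}: {old.hex()} -> {new.hex()}")
```

Olly does the VA-to-offset translation for you when you use Copy to executable file; the script makes that step explicit, which matters when you patch with a hex editor or write a patcher for others.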
Chapter (14) - Packers (Protectors) - 240 -
(original entry point) is the original entry point reached once the decompression stub has finished, that is, the entry point of the file as it was before packing/protecting.
Protectors and packers unpack the program in memory; at that moment they jump to the OEP so that the program can take over, and to recover the original program we have to dump it. The three main ways of reaching the point at which to dump are:
(1) tracing the code (pressing F8);
(2) using the ESP register;
(3) using the exceptions raised by the compressor.
In this chapter we unpack a sample program packed with a very simple packer, using two methods. The first is to unpack the packed exe and then patch it; the second is inline patching. The tool we use is UPX 2.03 (Ultimate Packer for eXecutables), which is available free at http://upx.sourceforge.net.
Figure (1)
From the Start menu choose Run..., type cmd and open a command prompt. We need the command prompt because UPX is a command-line utility.
Figure (2)
As Figure (2) shows, typing upx calc.exe at the prompt and pressing Enter packs our program with UPX. Now we check the packed calc.exe with PEiD. Figure (3).
Figure (3)
According to Figure (3), calc.exe is packed with UPX 0.89-2.9; PEiD cannot tell the exact version. To know it exactly, use ProtectionID 6.x.
Figure (5)
Opening the packed file in LordPE and comparing it with the unpacked file shows the changes inside the PE header, as in Figure (6). (Press LordPE's compare button.)
Figure (6)
Figure (7)
Answering Yes to the prompt in Figure (7) brings you to the entry point, as in Figure (8).
Figure (8)
UPX compressed our application and added a stub containing the decompression algorithm. The application's entry point was changed to the start of that stub; when the stub has done its work (UPX unpacking itself) execution jumps to the original entry point (OEP) to start the now unpacked program. Keep in mind that the stub decompresses the application in memory, so to obtain an unpacked copy of a packed application we dump that memory region to a file. The dump will not run straight away, however: in the dumped file the sections are aligned to memory page boundaries rather than to the file alignment value, the entry point still points at the decompression stub, and the import directory is wrong, so all of these need fixing.
Note that in Olly our entry point is the first instruction, PUSHAD. PUSHAD ("push all double") tells the CPU to save on the stack the contents of all the 32-bit (DWORD) general registers, from EAX through EDI. If you look closely you will see that the stub executes the code between the PUSHAD and a POPAD instru ction before going to the OEP. POPAD copies everything from the stack back into the registers: the stub restores all the registers and leaves, without being traced, just before the application runs.
For now, while we are on the first instruction PUSHAD, we should leave the stack contents untouched until the final POPAD has accessed them. If, while sitting on PUSHAD, we set a hardware breakpoint on the first 4 bytes of the stack, Olly will stop when POPAD accesses those same 4 bytes. We will then find the virtual address of the jmp instruction that leads to our entry point.
So go to the PUSHAD instruction in Figure (8) and press F7, so that PUSHAD executes and ESP now points at the saved registers. Then we set the breakpoint. ESP (the stack pointer) always holds the address of the top of the stack. Right-click on ESP and choose Follow in Dump.
Figure (9)
Then select the first DWORD (4 bytes) of the stack, right-click and choose Breakpoint > Hardware, on access > Dword. Figure (10).
Figure (10)
With the breakpoint set, press F9. You land directly at the breakpoint. Figure (11).
Figure (11)
Looking at Figure (11), you can see that the code from PUSHAD up to POPAD has executed. The JMP at VA 01020E5B in Figure (11) is the jump to the entry point we are looking for. Set a breakpoint at VA 01020E5B and press F9 to reach the JMP xxx.xxxxxxxx; stepping over it, you arrive at the entry point as in Figure (12). Subtracting the ImageBase value 1000000h from the VA of this JMP gives the RVA 20E5Bh; remember it, it is used again later. The JMP's target, 01012475, is the OEP itself (RVA 12475h).
Figure (12)
A small UPX trick: scroll to the very bottom of Olly's CPU window. You will see DB lines filled with 00, as in Figure (13).
Figure (13)
Scroll back up to the JMP instruction, as in Figure (14). Set a breakpoint at this virtual address and press F9, and you arrive at the JMP; pressing F8/F7 from there takes you to the EP we are looking for.
Figure (14)
INFO: other packers that use the same simple PUSHAD/POPAD mechanism may instead reach the OEP with a PUSH instruction that places the OEP value on top of the stack followed by a RET instruction. The CPU treats this as a return from a function call and pops the value on top of the stack as the "return address".
Once we have found the OEP, we dump the process with the Olly plug-in OllyDump. From Olly's Plugins menu choose OllyDump > Dump debugged process. You will see Figure (15).
Figure (15)
To show a few interesting things, leave "Fix Raw Size..." and "Rebuild Import" unchecked in Figure (15). Then press the Dump button and save the file as packed_dumped.exe. Figure (16).
Figure (16)
If you open the file dumped and saved in Figure (16), you get an error, as in Figure (17).
Figure (17)
The error appears because the dump's layout on disk no longer matches its section headers; you can see that the file has even lost its icon and has grown in size. Open the application in LordPE and look at the sections. Figure (18).
Figure (18)
The RawOffset and RawSize values are wrong. To make the application work, each section's raw values have to match its virtual values: put the VirtualAddress into RawOffset and the VirtualSize into RawSize. Fix all three sections this way and save the file. (Note: if you tick OllyDump's "Fix Raw size & Offset of Dump Image" checkbox you do not need to do this by hand.) Now you see Figure (19).
Figure (19)
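What OllyDump's "Fix Raw size & Offset" box and the OEP field do to the header, as an added example that is neither the book's code nor OllyDump's: a Python script that builds a constructed PE32 header in the shape of the UPX-packed calc.exe dump (three sections UPX0/UPX1/.rsrc with assumed sizes and an assumed stub entry point, not the real file's bytes), then rewrites every section's PointerToRawData/SizeOfRawData to its VirtualAddress/VirtualSize and sets AddressOfEntryPoint to the OEP's RVA (01012475 minus the ImageBase 01000000 gives 12475). Rebuilding the import directory is a separate step and is not covered by this script.

```python
import struct

IMAGE_BASE = 0x01000000          # calc.exe's image base, as used in the chapter
OEP_VA = 0x01012475              # target of the stub's final JMP at 01020E5B
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def va_to_rva(va, image_base=IMAGE_BASE):
    """The arithmetic from the chapter: RVA = VA - ImageBase."""
    return va - image_base


def pe_offset(image):
    """File offset of the PE signature (e_lfanew at 0x3C of the DOS header)."""
    return struct.unpack_from("<I", image, 0x3C)[0]


def entry_point(image):
    """AddressOfEntryPoint lives at offset 16 of the optional header."""
    return struct.unpack_from("<I", image, pe_offset(image) + 24 + 16)[0]


def read_sections(image):
    """Return name, virtual and raw geometry of every section plus the header's own offset."""
    pe = pe_offset(image)
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    first = pe + 24 + opt_size
    secs = []
    for i in range(nsec):
        off = first + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        secs.append({"off": off, "name": name.rstrip(b"\0").decode(),
                     "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return secs


def fix_dump(image, oep_va, image_base=IMAGE_BASE):
    """Make the on-disk layout equal the in-memory layout and point the EP at the OEP."""
    out = bytearray(image)
    for s in read_sections(out):
        # SizeOfRawData (+16) := VirtualSize, PointerToRawData (+20) := VirtualAddress
        struct.pack_into("<II", out, s["off"] + 16, s["vsize"], s["va"])
    struct.pack_into("<I", out, pe_offset(out) + 24 + 16, va_to_rva(oep_va, image_base))
    return bytes(out)


def build_sample_dump():
    """Constructed PE32 header imitating the dumped UPX-packed calc.exe (assumed sizes)."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (packed-file values)
        (b"UPX0", 0x11000, 0x1000, 0x0, 0x400),
        (b"UPX1", 0xF000, 0x12000, 0xE600, 0x400),
        (b".rsrc", 0x3000, 0x21000, 0x2C00, 0xEA00),
    ]
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x80, b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 224, 0x10F)
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x20A00)                            # stub EP (assumed value)
    struct.pack_into("<III", hdr, opt + 28, IMAGE_BASE, 0x1000, 0x200)        # ImageBase, SectionAlign, FileAlign
    for i, (name, vs, va, rs, rp) in enumerate(sections):
        struct.pack_into(SECTION_HDR, hdr, opt + 224 + 40 * i, name, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = fix_dump(dump, OEP_VA)
    print(f"entry point {entry_point(dump):05X} -> {entry_point(fixed):05X}")
    for before, after in zip(read_sections(dump), read_sections(fixed)):
        print(f'{after["name"]:6s} raw {before["rawptr"]:05X}/{before["rawsize"]:05X}'
              f' -> {after["rawptr"]:05X}/{after["rawsize"]:05X}')
```

The section data itself is left where the dump put it; only the headers change, which is exactly why a memory dump needs raw offsets equal to virtual addresses before the loader will accept it.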
Sadly, when you run packed_dumped.exe the file still does not work, and you see Figure (20).
Figure (20)
Don't worry. The reason is that the imports need to be reconstructed (rebuilt). As explained in the "PE header" chapter, you can rebuild the imports by hand from the running process; but doing it manually takes a long time, because there are many imported functions and the effort depends on how the import data was damaged. To do it automatically we use MackT's ImpRec 1.6.
To use ImpRec 1.6 the packed file must be running as a process, so that ImpRec can read the imports from its memory. Proceed as follows:
1. Select the packed program as in Figure (21) (make sure packed.exe is open in Olly, stopped at the OEP as above).
2. Enter the OEP's RVA, 12475, in the OEP field.
Figure (21)
3. Then press IAT AutoSearch. You will see Figure (22). Press OK.
Figure (22)
4. Press the Get Imports button of Figure (21). You will see Figure (23).
Figure (23)
5. Press Show Invalid and check whether the imports are valid. All of them are.
Figure (24)
7. Close the program and open the file saved last, packed_dumped_.exe. You will see that it runs fine.
ImpRec has fixed our dumped exe and saved it. If you open this file in PEiD you will see that the unpacked file (packed_dumped_.exe) is bigger than the original, unpacked calc.exe, and has two extra sections called .mackt and newIID; the .mackt section holds the new import data that ImpRec wrote.
Figure (25)
Checking packed_dumped_.exe again with PEiD gives Figure (26).
Figure (26)
What we have shown is unpacking a file packed with a very simple packer. Advanced packers add all sorts of protection to the file at pack time: anti-debugging and anti-tampering tricks, encryption of the code and of the IAT, stolen bytes, API redirection and so on. These are discussed in later chapters.
(3) Patching by the inline-patch method
If a packed file absolutely must be patched, the inline-patch method lets you patch it without unpacking it. The idea is that, after the loader has run the decompression stub, our own code patches the unpacked program in memory and then continues to the OEP so that the application runs. Put another way, the end of the stub is redirected to the patch code once the application has been unpacked in memory, and the patch code finally jumps back to the OEP.
To see this clearly, we will add the code for a MessageBox into the packed calc.exe, so that we can tell when the application has been unpacked in memory. Pressing OK on the MessageBox takes us to the OEP and the application runs normally.
The first thing to do is open calc.exe in a hex editor to find free space for the code we will insert into the packed file. Figure (27). The free space at the end of a section is the best place to put code, and if more room is needed we can extend a section as described in the chapter "Adding code to a PE file". Finding free space in UPX-packed files is quite hard, which is also why UPX-packed files are so small.
Figure (27)
Edit in WinHex as in Figure (27) and save the file as packed(inline).exe. Then open packed(inline).exe in Olly. To find the "Unpacked..." text we typed, right-click in Olly's hex window and choose Search for > Binary string.
Figure (28)
Then search for the "Unpacked..." text as in Figure (29).
Figure (29)
You will find the text we are looking for, as in Figure (30).
Figure (30)
The virtual address of the "Unpacked..." text is 010233C0 and that of the "Myanmar Crackers..." text is 010233D0. Remember these virtual addresses. Then, in Olly, jump straight to VA 010233C0. Figure (31).
Figure (31)
yHk(31)u highlight vkyfxm;wJh uk'fawG[m uRefawmfwkY d ½dkufxnfhxm;wJh pmom;awGjzpfygw,f/ VA
010233E0 upjyD; MessageBoxA eJy Y wfoufwJh tjcm;uk'fawGudk ½du k fxnfhMuygr,f/
yHk(32)uawmh MessageBoxA eJyY wfoufwJhuk'fawGudk ½du
k fxnfhtjyD; jrif&wJhyHkyg/
tcef;(14) - Packer (Protector) rsm; - 254 -
Figure (32)
Then click Analyze This!, an Olly plugin, to analyze the code. You will see it change as in figure (33).
Figure (33)
If, after analyzing figure (32) with Analyze This!, you do not see it highlighted as in figure (33), the program you patched will throw an error.
Figure (34)
Good, let's save the code we edited to a file. Highlight the edited code as in figure (34), then right-click and choose Copy to executable file. You will see figure (35).
Figure (35)
In figure (35), right-click and choose Save file. Save the file under any name you like. Then close Olly and run the file we just saved. Nothing is different from before, because we have not yet pointed execution at MessageBoxA. Reopen the last saved file in Olly. Press the button and go straight to VA 01020E5B. Figure (36).
Figure (36)
At JMP 01012475 in figure (36) we must type in 010233E0, the virtual address of our MessageBoxA code. Figure (37).
Figure (37)
Then save the file under any name you like. Close Olly and run the file. You will see figure (37). When you press OK, the calculator program starts.
Figure (38)
What I have explained so far is editing code inside a packed file without unpacking it (inline patching). You may be wondering why adding this little MessageBox has to be so hard. True: in unpacked files it is very easy. You just change the entry point address to where the MessageBox is, and there is plenty of free space, so much that, never mind a MessageBox, you could write code that checks passwords from a textbox. Try changing the file's entry point from VA 01020CD0 to VA 010233E0 so that it lands directly on the MessageBox inserted by inline patching. The MessageBox of figure (38) may appear, but the calculator program will not run. Why? Because UPX's decompression stub has been skipped.
That is all for the UPX lesson. I think you now understand a little of the theory of unpacking. I would like to stop here on unpacking, but to help you understand advanced packers better, I will add a discussion of ActiveMARK.
(4) Unpacking a file packed with ActiveMark 5.0
Trymedia is a part of RealNetworks, and ActiveMark is Trymedia's packing/protection technology. Trygames is a part of Trymedia and handles the download, trial and sales side of Trymedia's games.
The games sold by PopCap Games (www.popcap.com), Infogrames (www.infogrames.
Games protected with ActiveMARK have no registration, because they are demo games that can be played as the full version within their allotted time. Once the time runs out, they can no longer be played. The permitted play time is usually only 60 minutes. For this lesson I first thought of unpacking Monopoly 3, because I could not find a crack file for Monopoly 3 on the internet, and the shared crack files do not work either. But its file size is 258 Mbytes, so you might have difficulty downloading it from the internet. So I chose instead to unpack Zuma Deluxe, sold by PopCap Games. Download Zuma from www.popcap.com and install it.
Then check zuma.exe with PEiD. Figure (39).
Figure (39)
According to figure (39), zuma.exe is certainly protected with ActiveMARK 5.x. To get a proper feel for the program's behaviour, open Zuma. Figure (40).
Figure (40)
Figure (41)
After that, attach to zuma.exe as shown in figure (42).
Figure (42)
When you attach and open it, it stops at VA 7C901231 as shown in figure (43). It actually stops because of the DbgBreakPoint API function in ntdll.dll. Since DbgBreakPoint is not a Win32 API, the help file will have nothing to say about it.
Figure (43)
Press Alt+M in Olly and look at the memory map. Figure (44).
Figure (44)
The highlighted area in figure (44) is where the second layer entry point is. Right-click there and choose View in disassembler, or press the Enter key. You will see figure (45).
Figure (45)
At the highlighted location in figure (45) (VA 005AE000), right-click and choose Search for > All intermodular calls. You will see figure (46).
Figure (46)
When figure (46) appears, type getversion; we want to find the GetVersion function. When you find the GetVersion API, right-click and choose Follow in disassembler. You will see figure (47).
Figure (47)
Figure (48)
As shown in figure (48), select Break on new module (DLL). Then press OK.
This time we will not attach to zuma.exe; we will open it directly from Olly. Figure (49).
Figure (49)
Figure (49) is zuma.exe's entry point. From here, keep pressing F9 until you reach the hardware breakpoint we set. You will see which modules are being loaded, as in figure (50).
Figure (50)
Pressing F9 repeatedly, we finally arrive at the breakpoint we set, as in figure (51). One thing to say in advance: do not analyze the code. If you analyze it, the PUSH EBP at VA 00696E58 will only show as DB 00.
Figure (51)
Figure (52)
Click the dump button in figure (52) and save the file as dumped.exe. Just as when we dumped the UPX file, dumped.exe will not run if you open it. So we open ImpREC and fix the imports. The reason for using ImpREC (Import Reconstruction) is to find, fix and add the functions that are missing from the dumped file. Without these repairs, your dump file will not be a valid PE file.
Figure (53)
The steps to carry out according to figure (53) are:
1. Attach to the zuma.exe opened in Olly as the active process.
2. Subtract the imagebase shown in ImpREC (VA 00400000) from the OEP value found in Olly (VA 00696E58) and type the result (296E58) into the OEP field.
3. Once the OEP value is entered, choose IAT AutoSearch. You will see figure (54).
Figure (54)
4. Click OK on figure (54) and press the Get Imports button.
5. To check whether the imported functions are right or wrong, press the Show Invalid button. Here we find they are all correct.
6. So, to match the imports of our dumped.exe against zuma.exe, choose the Fix Dump button. As in figure (55), you will see the file saved without any error under the name dumped_.exe.
Figure (55)
Now that our dump file has been repaired, close ImpREC and run dumped_.exe. It shows no error, but dumped_.exe does not run either. When unpacking UPX, the job was finished once this step was done. With ActiveMARK, it is only beginning. So let's open WinHex and edit the code.
In WinHex, open the dumped and repaired dumped_.exe together with the original packed zuma.exe. For the first byte of the overlay data carried inside the exe, what should we look for in the original file's code? The easiest way is to search for the ASCII string TMSAMVOH. Before searching, to make this clearer, let's open zuma.exe in LordPE and look at the sections. Figure (56).
Figure (56)
Look at the highlighted numbers in figure (56). These are the numbers of the last section of our executable file, known as the Raw offset and Raw size. The Windows loader copies the exe file into memory only up to 0012BC00h, the sum of RawOffset (0012BA00) and RawSize (00000200). The whole appended data block starting at this address in zuma.exe must be copied and pasted at the end of dumped_.exe. Only then will dumped_.exe work normally.
From WinHex's Position menu choose Go To Offset and type in the offset we want, 0012BC00. Figure (57).
Figure (57)
Once 0012BC00 is typed in and OK pressed, you will see figure (58).
Figure (58)
Right-click on the first byte shown in figure (58) and choose Beginning of block. Figure (59).
Figure (59)
Then scroll to the very end of the file and, as shown in figure (60), right-click on the last byte and choose End of block.
Figure (60)
Figure (61)
Let's copy the selected hex values. Right-click and choose Edit. Then, as shown in figure (62), choose Copy Block > Hex Values.
Figure (62)
Now we have to paste the copied hex values. Select WinHex's dumped_.exe tab and go to the end of the file. Right-click on the last byte and choose Edit. Then, as shown in figure (63), choose Clipboard Data > Paste.
Figure (63)
You will then be asked whether to paste, as in figure (64).
Figure (64)
When you click the Yes button, the hex values from zuma.exe are copied into dumped_.exe. Save dumped_.exe and exit WinHex.
Now, if you run dumped_.exe, you will see figure (40). (For reasons of space the figure is not shown again.) So our dumping procedure has completed successfully. ☻☻
But the time limit has not been removed yet. So we still have to try patching.
(5) Patching the dumped file
To patch the dumped file, open dumped_.exe in Olly. Figure (65).
Figure (65)
When figure (65) appears, right-click and choose Search for > All referenced text strings. Then search for the string "browser" as shown in figure (66).
Figure (66)
When you click OK on figure (66), you will see figure (67).
Figure (67)
At the highlighted location in figure (67), right-click and choose Follow in disassembler, and you will see figure (68). This is the start and the end of the routine containing the word "browser".
Figure (68)
At VA 005F41A8 in figure (68), right-click, choose Copy > To clipboard and paste into a notepad file. Change "005F41A8 MOV EAX,dumped_.006A691C" to "005F41A8 browser retn4". Then, from figure (66), search for the strings dialog, timer and timeout and, as we did for the browser string, note the virtual address at the start of each routine. (Note: the red markings in figure (68) are not breakpoints; they are only there for visibility.)
The special one is the LoadStatePool string. Finding the string is nothing special; what is special is that we set a breakpoint where this string is and restart the program. When dumped_.exe is reopened in Olly and reaches the breakpoint we set, you see figure (69).
Figure (69)
This time go to the stack window, as in figure (70), right-click on the highlighted location and choose Follow in disassembler. You will see figure (71).
Figure (70)
Note the virtual address of the highlighted location in figure (71).
Figure (71)
Now we have all the virtual addresses for browser, dialog, timer, timeout and LoadStatePool. What to change at these virtual addresses is shown in figure (72).
Figure (72)
At the virtual addresses in figure (72), substitute retn 4, retn 0c and retn respectively. Then save the patched file under any name you like. Now we can play our Zuma Deluxe 1.0 as much as we like.
(6) Unpacking a file packed with an unknown packer
This time we will try unpacking calc(Fish).exe, a file packed with Fish Packer 1.04. Let's check with PEiD what our file is packed with. Figure (73).
Figure (73)
As shown in figure (73), PEiD cannot give an answer. Checking with CFF Explorer gives the same result. I only know the file is packed with Fish Packer because I packed it with Fish Packer 1.04 myself. Good, let's try to unpack this file. Open calc(Fish).exe, the file to be unpacked, in Olly. (Protection ID, on the other hand, would report that it is packed with Fish Packer 1.04, and results from Protection ID are rarely wrong. But Protection ID has the weakness that it can only examine protected/packed files.)
Figure (74)
Olly says it is not a PE file, as seen in figure (74).
Figure (75)
When you click the OK button in figure (74), you see figure (75).
Normally, opening a file in Olly lands at the entry point, but instead we find ourselves inside the ntdll.dll module. Don't despair, we have a way. Press Alt+M to bring up the Memory Map. Figure (76).
Figure (76)
Figure (77)
What interests us in figure (77) is the entry point address (10257D7). Once we have this address, press Ctrl+G in Olly's Disassembler window and go to the entry point (10257D7). Figure (78).
Figure (78)
Set a breakpoint at VA 10257D7 in figure (78) and press F9 (Run). Execution then lands directly on the breakpoint. Figure (79).
Figure (79)
This is the ordinary, routine way to begin unpacking. I do not like this method, so I will use the Olly Advanced plugin. Figure (80).
Figure (80)
As in figure (80), choose Plugins menu → Olly Advanced → Kill NumOfRva Bug, and when the program is reopened in Olly you no longer need to go through the steps of figures (74) to (78); you arrive directly at figure (79). ☻☻☻
Figure (81)
Looking at figure (81), you can see that calc(Fish).exe has two sections; in figure (76) we could not see them. .MCTeam is the section containing the compressed code, imports and resources, and the other section is where Fish Packer will place the decompressed code, in simple terms the code section we need to dump. (Note: in files packed with UPX, UPX0 is the code section where the code will be placed, and UPX1 is the SFX section holding the compressed code.)
Right-click on that section in figure (81) and choose Set breakpoint-on-access (F2). Then press F9. You will see figure (82).
Figure (82)
What we see in figure (82) is that Fish Packer has laid out the compressed code in that section and begun reading it. Press F8 until you see figure (83).
0100018B 74 1A JE SHORT calc(Fish).010001A7 ; Decompression Stub
0100018D 8A07 MOV AL,BYTE PTR DS:[EDI]
0100018F 47 INC EDI
01000190 2C E8 SUB AL,0E8
01000192 3C 01 CMP AL,1
01000194 77 F7 JA SHORT calc(Fish).0100018D
01000196 8B07 MOV EAX,DWORD PTR DS:[EDI]
01000198 38D0 CMP AL,DL
0100019A 75 F1 JNZ SHORT calc(Fish).0100018D
0100019C 32C0 XOR AL,AL
0100019E 0FC8 BSWAP EAX
010001A0 01E8 ADD EAX,EBP
010001A2 29F8 SUB EAX,EDI
010001A4 AB STOS DWORD PTR ES:[EDI]
010001A5 E2 E6 LOOPD SHORT calc(Fish).0100018D
010001A7 AD LODS DWORD PTR DS:[ESI]
010001A8 85C0 TEST EAX,EAX
010001AA 74 37 JE SHORT calc(Fish).010001E3
010001AC 89C7 MOV EDI,EAX
010001AE 033B ADD EDI,DWORD PTR DS:[EBX]
010001B0 56 PUSH ESI ; module name (eg., kernel32.dll)
010001B1 FF53 0C CALL DWORD PTR DS:[EBX+C] ; kernel32.LoadLibraryA
010001B4 89C5 MOV EBP,EAX
010001B6 AC LODS BYTE PTR DS:[ESI]
Figure (84)
When figure (84) appears, press F8 twice. You will see figure (85).
Figure (85)
By the time you see figure (85), I think you understand why 0F6EB61, 6890 and 90C3 are copied into EBX. Since PUSH + RETN is the same as JMP, pressing F8 at figure (85) brings us to the OEP we want. Figure (86). ☻☻☻
Figure (86)
Once you see figure (86), you can dump. Figure (87).
Figure (87)
Chapter (15) - IAT and API Redirection - 273 -
Figure (1)
Figure (1) is what you see when ReverseMe.exe is opened in Olly. VA 00401002 is a CALL that invokes an API: it calls the GetModuleHandleA function in kernel32.dll.
Figure (2)
Looking at figure (2), you see similar CALLs. VA 0040104D is likewise a CALL that invokes the ExitProcess function in kernel32.dll.
Figure (3)
If you double-click on the ExitProcess function, you see figure (3). It looks just like the other CALLs. Olly knows that this is a call to an API. To see it more clearly, select VA 0040104D and press the Enter key (Follow Call). You will see figure (4).
Figure (4)
Figure (5)
In fact, the loader jumps through a DWORD value in the data segment. So, to learn this value, let's trace the DWORD. In the Dump window press Ctrl+G, type VA 402004 in the box that appears and click OK, and you will see figure (6).
Figure (6)
Figure (6) is where the IATs are, holding the addresses of the APIs inside their respective DLLs. Our example is the ExitProcess API.
Figure (7)
That is why, looking at VA 00402004, we see figure (7). The highlighted location is where our API is: 7C81CAA2 is the API's address (remember the byte order, the endianness). Right after it you will see a DWORD of zeros. The DWORD values after these zeros refer to the APIs of the next DLL, which is user32.dll. Looking at the DWORD values, you will notice they all start with 7xxxxxxx. To make this clearer, let's look at them in the IAT. Look again at figure (4). You will see two APIs imported from kernel32.dll. What to remember is that the IAT and the imports table are not the same thing.
Info: The imports table contains all the information Windows needs to link the APIs for your program. The imports table has a very simple structure. There is one header for each imported DLL. To mark their end, an entirely
(1) The RVA and size of the import table must be set in the data directory entry for imports. Otherwise Windows cannot find it and the IAT cannot be set up.
(2) Declare each DLL with one IMAGE_IMPORT_DESCRIPTOR. Terminate the import table with one that is entirely empty.
(3) The IMAGE_IMPORT_DESCRIPTOR must have valid OriginalFirstThunk, FirstThunk and Name fields. TimeDateStamp and ForwarderChain may be left as zero. OriginalFirstThunk may also be left as zero.
Having explained theory non-stop, I think you are getting confused by now. So, to understand it better, let's follow along with ReverseMe.exe. Open ReverseMe.exe in Olly.
The first thing the Windows loader reads is the program's header. To build the IAT, it reads at RVA 3C (400000 + 3C = 40003C). Figure (8).
Figure (8)
According to figure (8), the PE header is at VA 004000C0. Going to VA 004000C0, you see figure (9).
Figure (9)
The RVA of the IAT is stored at VA 400140, the value obtained by adding 80h to the address of the PE header. (It is always at this place in every exe.) Figure (10).
Figure (10)
According to figure (10), the import table is at RVA 2050.
Info: The Import Table Address is the address at which the import table is to be found. Do not confuse it with the IAT; the two are completely different.
Note: Finding the Import Table Address in Olly is no problem; Olly gives complete information about the header. What you actually need to do is find the Import Table Address. Still, I am explaining it in detail because I think it is best to know the basics and to know what you are doing.
Good, let's look at the Import Table Address. Figure (11).
Figure (11)
We find the Import Table Address right after the IATs we located earlier. Go to VA 00402050 in the Disassembler window. Figure (12).
Figure (12)
What we see in figure (12) tells us nothing special. Select Analyze This! and analyze it. Figure (13).
Figure (13)
What we see in figure (13) is the region holding the IMAGE_IMPORT_DESCRIPTOR array. The first and second are the IMAGE_IMPORT_DESCRIPTORs for the respective DLLs; the third is the terminating IMAGE_IMPORT_DESCRIPTOR. Every IMAGE_IMPORT_DESCRIPTOR has 5 DWORD values.
The first DWORD (00002098) seen in figure (13) is the OriginalFirstThunk. It tells the loader where to find the names of the APIs to be imported from the current DLL. If we go to IMAGE_BASE + 2098, we will find the names of the APIs to be imported. (See later.)
The second DWORD (00000000) is the TimeDateStamp and is of no use to us at all. Usually they are all zeros.
The third DWORD (00000000) is the ForwarderChain and is of no use to us at all. Usually they are all zeros.
Figure (14)
According to figure (14), we see that 16 API functions are imported. How can we say that? Because we find 16 addresses starting with 7xxxxxxx. The same applies to the second DLL (kernel32.dll).
Figure (15)
The addresses in the IAT start at 402000, as seen in figure (16).
Figure (16)
You will notice that all 5 DWORD values of the last one are zeros. Figure (17).
Figure (17)
Looking in the Dump window, you see figure (18).
Figure (18)
The second part of the import table is the arrays of DWORDs. Figure (19).
Figure (19)
The arrays of DWORDs are pointed to by the OriginalFirstThunk fields of the IMAGE_IMPORT_DESCRIPTORs. Each DWORD in these arrays corresponds to one imported function. The arrays of DWORDs are separated and terminated by a DWORD filled with zeros.
What we see in figure (20) is the third (last) part of the import table.
Figure (20)
The strings seen in figure (20) (BeginPaint, ...) are the imported functions and DLLs. They are not necessarily arranged in any fixed order; the DLL name may come after or before its functions.
I said earlier that you would find user32.dll at 4021D8. Figure (21).
Figure (21)
In fact, a neatly constructed IAT can also be found in the code. Figure (22).
Figure (22)
Figure (23)
Look at figure (23). You will see that the names of all the imported functions end with the DLL names.
By now I think you have enough knowledge to rebuild imports by hand. In any case, the good news is that there are good tools that rebuild imports automatically. Indeed, if a program imports a great many APIs from many DLLs, rebuilding the imports by hand takes a lot of time and is tedious. Using tools, we can recover nearly all the APIs. With what we know now, let's see how to fix some unpacked files.
Good, let's try unpacking a file packed with FSG2.0. (If you want to unpack this file, download Lena151's tutorial (21). Otherwise, pack any file you like with FSG; the principle is the same.)
Figure (24)
When UnpackMe_FSG2.0.exe is opened in Olly, you see figure (24). Looking at figure (24), you will see that the entry point is a little off. Do you remember me saying that every exe's entry point always starts at 401000? In this program it starts at 400154. So this address is certainly inside the PE header.
FSG is unpacked by tracing. If you scroll down a little, you will find the end of the unpacking stub's code. If you trace through it, you will notice it going round and round like a spinning wheel. Before long you will see the code jump to the main program. If you look carefully, you will find one jump that exits this stub. Let's look.
Figure (25)
Let's set a breakpoint at VA 004001D1 as in figure (25). Then press F9 (Run). Execution arrives at the breakpoint. Figure (26).
Figure (26)
As seen in figure (26), the JMP jumps to the program's OEP (VA 00404000). Figure (27).
Figure (27)
Right-click in figure (27) and choose Analysis > Remove analysis from module, and you see figure (28).
Figure (28)
Once you see figure (28), we dump our file. Right-click and choose Dump debugged process. You will see figure (29).
We can dump in the usual way. However, in figure (29) you will need to uncheck "Rebuild Import". Why? Because FSG has destroyed the imports, and the Ollydump plugin would get them completely wrong. So we have some repairing to do. You may tick the checkbox if you like, but the dumped file will not work. After you have studied this in depth, it will become clear.
Figure (29)
Uncheck the "Rebuild Import" checkbox in figure (29) and click the Dump button. Then save the file under the name dump.exe.
In fact, you can dump with other tools as well, for example LordPE or PE Tools. Figure (30).
Figure (30)
Either way, neither dumped file will work, because FSG has destroyed the imports. So we now need to rebuild the imports. There are many tools that can rebuild imports, but I will use ImpRec 1.7. Open ImpRec and attach to the process (UnpackMe_FSG2.0.exe).
Figure (31)
Once UnpackMe_FSG2.0.exe is attached, the OEP value must be corrected; ImpRec only knows the EP of the current process. So change the OEP to 4000. Then click the AutoSearch button.
Figure (32)
Finding the IAT went fine. But if you leave 11E8 in the RVA field of figure (31) and dump, your repaired dump file will not work. You may wonder how I know this. Actually, I have tested it. Let's study the RVA in detail. Type 4011E8 in Olly's dump window and see what we find. Figure (33).
Figure (33)
What is at VA 4011E8 is the imports of one DLL. If you scroll up a little you will see further imports. Figure (34).
Figure (34)
We need to find where the imports of both DLL files (user32.dll/kernel32.dll) are. With VA 4011E8, ImpRec will only find the imports (APIs) of one DLL (kernel32.dll). ☺☺ In fact, ImpRec has been tricked. So VA 4011E8 must be changed to VA 401198. Only then will ImpRec find user32.dll's imports.
Figure (35)
Change the RVA as in figure (35) and press the Get Imports button, and you will see figure (36). (It is better to also change the Size to 100, so that ImpRec can examine more.)
Figure (36)
ImpRec finds two Thunks. However, both are wrong. To see what is wrong, click the plus sign. The wrong entries are at RVA 2118; looking back at figure (34), you will find FFFFFFFF at RVA 2118. The other is at RVA 11B8. Figure (37).
Figure (37)
Actually, the addresses seen in figures (36/37) do not really exist. FSG inserted them deliberately to fool crackers. So these unneeded addresses must be cut out.
Figure (38)
As in figure (38), right-click on the unwanted thunks and choose Cut thunk(s). Then the last thing to do is fix the dumped file.
Figure (39)
Press the Fix Dump button in figure (39) and select dump.exe, the file dumped and saved from Olly. ImpRec will save the file under the name dump_.exe. Figure (40).
Figure (40)
If you run dump_.exe, you will see figure (41).
Figure (41)
If you open dump_.exe in Olly and look, you will see figure (42).
Figure (42)
(1) API Redirection
We have now had a rough look at how to rebuild imports. But when unpacking advanced packers, this much knowledge is no longer enough. We now need to rebuild from the IATs themselves, because the import table we rebuilt earlier still points to the IAT at its old location. So we will study API redirection while unpacking a packed file. Here I will not investigate which packer was used to pack it. The packed file can be downloaded from Lena151's tutorial (22).
INFO: API redirection is a technique in which most packers/protectors destroy the IAT (or import table), partly or completely, but write into the IAT, for each redirected API, a pointer to that API's corresponding code. In other words, the packer must take care that it can still supply the packed/protected program with the address of the API in the system's DLLs. Note that many programs using API redirection tend to have problems with anti-virus software.
(2) Unpacking the packed file
If you open the packed file (API Redirection Tutorial.exe) in Olly, you see figure (43).
Figure (43)
What we see in figure (43) is like the previously packed files; nothing special. Press F8 (Step over) until you reach VA 0044CB59. Once at VA 0044CB59, look at the Register window. Figure (44).
Figure (44)
Right-click on the ESP register in figure (44) and choose Follow in Dump. You will see figure (45).
Figure (45)
Right-click on the highlighted DWORD (38 07 91 7C) in figure (45) and choose Breakpoint > Hardware on access → Dword. Figure (46).
Figure (46)
Once the breakpoint is set as in figure (46), press F9 (Run). Execution stops at the hardware breakpoint as in figure (47).
Figure (47)
Go to CALL EAX with F8 (Step over) and, when you reach CALL EAX, press F7 (Step into); you arrive at the OEP as in figure (48).
Figure (48)
Then, to unpack the program, choose Dump debugged process. Figure (49).
Figure (49)
Uncheck the Rebuild Import checkbox in figure (49). Click the Dump button and save as dump.exe. Then run dump.exe to see whether it works. Nothing appears. ☹☹☹
So it is certain that there is some problem with the imports. So let's open ImpRec 1.7 and try to fix dump.exe. Figure (50).
Figure (50)
Looking at Figure (50) you will understand what to do.
(1) Attach to API Redirection Tutorial.exe.
(2) Type in the OEP (ImpRec expects the RVA, i.e. the VA minus the image base) and press the IAT AutoSearch button.
(3) Press the Get Imports button. You will find 618 imported functions.
(4) Press the Show Invalid button and look at the invalid functions; you will see Figure (51).
Figure (51)
As Figure (51) shows, ImpRec could not find the address of every API in the IAT. The conclusion here is that dumping without having every API resolved is useless (the dumped file will crash). Usually these pointers refer to non-existent
Figure (52)
Looking at Figure (52), 00458C35 is where the real code for this entry lives. Looking at Olly's memory map, it lies in the packer's SFX section. Figure (53).
Figure (53)
Looking at 00458C35 in Olly shows Figure (54).
Figure (54)
The code in Figure (54) computes the API address (of the FindClose function). That by itself would be no problem: if we dumped all sections, this address-computing code would be included in the dump as well. Let's test whether that is true. Press Ctrl+F2 (Restart) in Olly and start again.
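The following is an added example, not code from the tutorial or from ImpRec: it reproduces the logic behind ImpRec's Show Invalid button on a constructed snapshot of IAT slots. Every slot is classified by where its DWORD points: into a loaded system DLL (valid), into the packer's own section (redirected to a stub), or nowhere mapped (still encrypted, or garbage). The module ranges, the export table and every value other than 7C80EFD7 (FindClose, from the trace above), 00458C35 (the redirect stub) and 206C8BA9 (the garbage value) are hypothetical; on a real target they come from Olly's memory map.

```python
# Added example: an ImpRec-style "Show Invalid" pass over a snapshot of IAT
# slots.  MEMORY_MAP, EXPORTS and the snapshot are constructed for the demo;
# only 7C80EFD7, 00458C35 and 206C8BA9 are values seen in the tutorial.
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int          # exclusive
    kind: str         # "dll": loaded system DLL, "packer": the packer's own section

    def contains(self, addr):
        return self.start <= addr < self.end


# Hypothetical memory map (what Olly's Memory window would show).
MEMORY_MAP = [
    Region("kernel32.dll", 0x7C800000, 0x7C8F6000, "dll"),
    Region("user32.dll", 0x7E410000, 0x7E4A1000, "dll"),
    Region("SFX section (packer)", 0x00458000, 0x0045F000, "packer"),
]

# Hypothetical resolved exports: what GetProcAddress would give for each name.
EXPORTS = {
    0x7C80EFD7: "kernel32!FindClose",        # address from the tutorial's trace
    0x7C80BAF1: "kernel32!GetProcAddress",   # mapping assumed for the demo
    0x7E418A8D: "user32!MessageBoxA",        # mapping assumed for the demo
}


def classify(entry):
    """Return (status, detail) for one IAT DWORD."""
    for region in MEMORY_MAP:
        if region.contains(entry):
            if region.kind == "dll":
                return "valid", EXPORTS.get(entry, region.name + " (unnamed export)")
            return "redirected", region.name
    return "invalid", None            # not mapped anywhere: still encrypted or garbage


def check_iat(iat_base, entries):
    """Walk consecutive 4-byte slots starting at iat_base, like ImpRec's Get Imports."""
    return [(iat_base + 4 * i, value) + classify(value) for i, value in enumerate(entries)]


def slots_needing_fix(report):
    """Slots that still have to be repaired before a dump is worth taking."""
    return [slot for slot, _, status, _ in report if status != "valid"]


def is_dumpable(report):
    """ImpRec's rule: a dump is only useful when every slot is valid."""
    return not slots_needing_fix(report)


if __name__ == "__main__":
    snapshot = [0x7C80BAF1, 0x7C80EFD7, 0x00458C35, 0x206C8BA9, 0x7E418A8D]
    report = check_iat(0x0043803C, snapshot)
    for slot, value, status, detail in report:
        print(f"{slot:08X}: {value:08X}  {status:10s} {detail or ''}")
    print("safe to dump:", is_dumpable(report))
```

The slot list printed by the script is the same information Show Invalid gives: the slot at 00438044 points into the packer's section and the one at 00438048 points nowhere, so the dump must wait until those two are fixed.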
(3) Removing the redirection
Reopen API Redirection Tutorial.exe in Olly and go to VA 00458C35. Figure (55).
Figure (55)
As Figure (55) shows, there is nothing at VA 00458C35 yet.
INFO: The unpacking stub writes the redirection code to this location only while the program runs. That is also why, when we dumped from the OEP, the IAT entries still pointed at the redirection code placed here and the real APIs were lost; such a dump cannot work properly.
OK, back to ImpRec. Figure (56).
Figure (56)
Figure (56) shows that the code which redirects to the API lives at 00458C35, and that this address was written into the IAT slot at VA 00438040. Figure (57).
Figure (57)
Look at the DWORD at VA 00438040 in Figure (57). The IAT is being built here, but at this moment the other APIs are still redirected to the packer's code, or hold values that are not addresses at all (for example 206C8BA9). To find out when, where and how the IAT is created and written, we will watch that location as in Figure (57); the other redirected APIs are handled the same way.
INFO: A program needs only two APIs to obtain all the imports of an exe: LoadLibraryA and GetProcAddress. Win32.hlp explains them as follows. The LoadLibrary() function maps the specified executable module into the address space of the calling process.
HINSTANCE LoadLibrary (
LPCTSTR lpLibFileName
);
Here lpLibFileName points to the file name of the module. If the function succeeds, the return value is a handle to the module.
The GetProcAddress() function returns the address of the specified exported DLL function.
FARPROC GetProcAddress(
HMODULE hModule,
LPCSTR lpProcName
);
Here hModule is the handle of the DLL module and lpProcName is the function name. If the function succeeds, the return value is the address of the DLL's exported function.
To put it another way: first call LoadLibrary to load a DLL, then pass the returned handle to GetProcAddress to obtain the address of every imported API you want to call. This is exactly the pair an unpacking stub, and a tool like ImpRec, relies on to rebuild an import table.
OK, to watch what happens to the DWORD at VA 00438040, set a hardware breakpoint on it as in Figure (58).
Figure (58)
Then press F9 (Run) and watch VA 00438040. Figure (59).
Figure (59)
In Figure (59), when execution reaches VA 00451B38 the DWORD changes to 84B3D4CF. That is not a value we are interested in. Press F9 again. At VA 00451B56 the DWORD becomes 3963D4CF, also uninteresting. Press F9 once more. At VA 0045BC2A the DWORD becomes 7C80EFD7 (Figure (60)), and that one is interesting. Look at the Registers window.
Figure (60)
Figure (61)
In the Registers window (Figure (61)) EAX holds the address of the FindClose() API.
Figure (62)
Figure (62) shows execution stopped right after the DWORD changed to 7C80EFD7 (the location where the hardware breakpoint fired). So the packer first writes the correct address of the API into the IAT. Later this value is changed again. To find where it changes, keep pressing F8.
INFO: In Figure (60) you can see a DWORD 7C80BAF1 at VA 0043803C. Watching the packer closely: it loads a DLL, first writes the correct API address into the IAT, and then checks whether this API is to be redirected. Only then does it load the next DLL and repeat the check.
Anyway, keep a close eye on VA 00438040 from Figure (60) and press F8. Figure (63)
Figure (63)
Look at Figure (63). As soon as execution returns to VA 004536F5, i.e. right after the CALL 00453E90 at VA 004536F0 has run, the DWORD changes to 00458C35. So inside CALL 00453E90 the API address was redirected to the packer's code. Let's step into that CALL.
Restart the program in Olly (Ctrl+F2). Press F9 four times to get to VA 4536A6 in Figure (62). Then press F8 until you reach the CALL at VA 4536F0 in Figure (63). On the CALL press F7 (Step into) and you will see Figure (64). (Note that the JE 4536F8 at VA 4536DF in Figure (63) can skip the CALL 00453E90 entirely.)
Figure (64)
Figure (64) is the code of the CALL that checks whether the API address is to be redirected. Keep watching the DWORD at 00438040. Figure (65).
Figure (65)
While watching the DWORD (7C80EFD7) at 00438040, keep pressing F8.
Figure (66)
As Figure (66) shows, when VA 00453EF4 is reached the DWORD at 00438040 changes to 00458C35. Before it could overwrite that slot, the packer called the VirtualProtect() API to make the IAT page writable.
Figure (67)
Afterwards it calls VirtualProtect again to restore the page's original access protection.
INFO: The VirtualProtect() function changes the access protection on a region of committed pages in the virtual address space of the calling process. It differs from VirtualProtectEx, which can change the access protection of memory in any process. You can set access protection only on committed pages. If any page in the specified region is not committed, the function fails and returns without changing the access protection of any page. In short, VirtualProtect changes the protection of memory in the calling process, VirtualProtectEx that of memory in a specified process.
Figure (68)
Look at Figure (68). What is pushed by the PUSH EAX at VA 00453ED5? 438040, the base address of the page region (lpAddress). The VirtualProtect() at VA 00453F02 restores this region to its original state. Look at the PUSH 4 at VA 00453ED0: that is dwSize, 4 bytes, exactly one IAT slot.
Since I assume you have understood well enough, let's look for the cure for the redirection. Look at the conditional jumps. Figure (69).
Figure (69)
Did you notice that the JE 00453F0F at VA 00453EC8 in Figure (69) can skip both VirtualProtect() calls? If we changed it to JMP 00453F0F here...
If we changed it and assembled it, the API would no longer be redirected to the packer's code, but the value currently in the IAT would stay as it is. There are other ways, so we will try the change later. Press F8 as in Figure (69) and I will show how VirtualProtect() restores the original value.
PUSH ECX at VA 453EF7 is the address that receives the original access attributes (lpflOldProtect). PUSH EDX is the new protection (flNewProtect). Figure (70).
Figure (70)
40 is the page protection constant PAGE_EXECUTE_READWRITE (0x40), not the section characteristic for initialized data. PUSH 4 is the size, 4 bytes. PUSH EAX is the address, VA 438040. Keep pressing F8 and you will see Figure (71).
Figure (71)
Figure (72)
To solve the redirection problem we can use two methods. The first is to change the JE 4536F8 at VA 4536DF in Figure (71) into JMP 4536F8; the second is to NOP out the CALL at VA 4536F0.
So right-click at VA 4536DF and choose Breakpoint > Hardware, on execution.
Figure (73)
Next, go to the program's OEP at VA 4331B8 and set a Breakpoint (Hardware, on execution) there as in Figure (73). Then delete the hardware breakpoints we set earlier, so that only the two new hardware breakpoints remain, as in Figure (74). (Hardware breakpoints are kept across a restart and are not destroyed when the stub writes over the code, which is why they are used here instead of ordinary INT3 breakpoints.)
Figure (74)
Restart the program in Olly and press F9. You will see Figure (75).
Figure (75)
At Figure (75), change the JE 4536F8 at VA 4536DF into JMP 4536F8 and remove the hardware breakpoint at VA 4536DF, so that only the hardware breakpoint at the OEP is left. Then press F9 and you will reach the program's OEP as in Figure (76).
Figure (76)
At this point look at the Dump window. You will see Figure (77).
Figure (77)
It is a relief to see the real API addresses in Figure (77). Now right-click in the Disassembly window of Figure (76) and choose Dump debugged process. Figure (78).
Figure (78)
Press the Dump button and save the program as Redirection_Fix.exe. This time the Rebuild Import checkbox can stay checked. Open the saved file. You will see Figure (79).
Figure (79)
Redirection_Fix.exe works fine, but the file is somewhat large. So we will remove the sections that are no longer needed. Open LordPE and edit the sections. Figure (80).
Figure (80)
As in Figure (80), choose wipe section header and delete sections (4/5/6). Figure (81). Only the packer's own sections may be removed: since the IAT now holds real API addresses, nothing in the dump refers to them any more, but run the file afterwards to confirm it.
Figure (81)
Save the file and open it in PEiD. Figure (82).
Figure (82)
Choose PEiD's Rebuild PE plug-in and press the Rebuild button shown in Figure (82); the program shrinks to about 72.65% of its previous size. Figure (83).
Figure (83)
This completes the fix for the API redirection problem encountered while unpacking the packed exe.
Chapter (16) - Cracking programs written in Visual Basic - 302 -
Figure (1)
Figure (2)
To repeat, whenever I open a program, I first open it in PEiD to find out what language it was written in and what it is packed with. (You can also use RDG Packer Detector or CFF Explorer.)
The highlighted line in Figure (1) is the program's EP. Figure (2) shows that this program was written in Visual Basic. What I want to talk about now is Visual Basic.
INFO: Visual Basic is a high-level language descended from the BASIC language of the DOS era. BASIC stands for Beginners' All-purpose Symbolic Instruction Code. Visual Basic is both visual and event-driven. Programming is done inside a visual environment: the programmer places objects as desired, and the code that reacts to each event is written separately per object. That is why a Visual Basic program is composed of many subprograms. Each subprogram has its own code; subprograms can run independently and at the same time call on one another.
INFO: Although Visual Basic applications are fully compiled applications, the way they behave complicates OllyDbg's work. OllyDbg is a debugger for compiled languages, but it is still far from handling VB comfortably; it does better with C/C++. As a language, and in the eyes of its programmers, VB is perfectly good.
INFO: VB programs depend on an external DLL (MSVBVM60.dll for VB 6.0; other versions have similar files). This DLL handles all the APIs and events, so every VB API call is implemented inside it. The exe's own code spends almost all of its time inside this DLL, which is very important when cracking: the call stack in Olly (Alt+K) becomes an unusually valuable aid, because the application is almost always somewhere inside VB's runtime DLL. By the way, the application is mostly event handlers, which the DLL invokes as callbacks to respond to events and messages. The rest of a VB application is resources, variables and the functions that connect the event handlers.
INFO: VB is stack-based, meaning it uses the system stack for all its operations. This is different from languages that use registers and use the stack mainly for function calls. A VB application is compiled either to native code or to p-code; a p-code executable is interpreted at run time by the run-time DLL, whose p-code engine is a simple machine that processes the opcodes. All operands used by p-code instructions are kept on the stack.
If you want to see the call stack in Olly, press Alt+K. Figure (3) shows the (system) stack.
Figure (3)
INFO: A DLL (dynamic link library) is a collection of small programs. A running program calls them when it needs them. Frequently they let exe files talk to devices (for example, to the printer when you want to print).
INFO: Another example is when space on your hard disk is needed. Programs can call a DLL file that contains the functions, with their full parameters, that they need. Since the functions in the DLL do not have to be written again, exe files are smaller.
INFO: DLLs do not need to be loaded into RAM together with the exe, so they save RAM; a DLL is loaded only when it is needed and called. For example, while you are typing in Microsoft Word, the DLL for the printer is not active; only when you print is the printer DLL loaded and used.
INFO: In summary, a DLL is an executable file, but on its own it does nothing; it works only when called by an exe. That is why exe files have to declare, in their import table, which DLLs and functions they use.
By now you may think VB is a very hard language to deal with. Actually that is wrong; we have very useful tools, which I will explain later. In any case, do not think Olly is useless for VB: in the end every language is translated into assembly.
Now let's discuss the program's behaviour. What I noted about this program is that after installation, on its first start, it computes something specific to your computer and fixes a key from it. That is unusual but gives us a pretty good hint: the program derives a code from something (for example the hard disk ID) and stores it somewhere, so that at startup it can check whether it is registered.
(2) Finding the serial
At startup the program has to check whether it is registered. In VB this is done through APIs in the runtime DLL. The important ones here are:
(1) __vbaVarTstEq
(2) __vbaVarTstNe
(3) __vbaVarCmpEq
(4) __vbaStrCmp
(5) __vbaStrComp
(6) __vbaStCompVar
Numbers (1), (2) and (3) are the most common. So let's try the first API, __vbaVarTstEq.
Figure (4)
Figure (4) shows the entry point. Press Ctrl+N to see the Names window. Figure (5). To find the name faster, type vbavartst on the keyboard; the cursor jumps straight to vbaVarTstEq.
Figure (5)
Looking at Figure (5), you will notice that the APIs we are looking for live in MSVBVM60.dll. Let's set a BP on vbaVarTstEq. Right-click vbaVarTstEq and choose Set breakpoint on every reference. Olly sets as many as 88 breakpoints.
Figure (6)
Then run (F9).
Figure (7)
Olly stops at the first vbaVarTstEq BP it hits. There is nothing meaningful at this code. To understand the program's behaviour, press F8 and study it.
Figure (8)
Figure (9)
I suspect the string oeiu-564-oqei-97 at VA 005BBFC0 in Figure (9) is the serial we are looking for. Let's look a little further. Figure (10).
Figure (10)
Let's test oeiu-564-oqei-97. First remove all the breakpoints. (Press Ctrl+N and choose Remove all breakpoints.)
(3) Registering
With all breakpoints removed, run (F9) the program. You will see Figure (11).
Figure (11)
Figure (11) does not even ask for a name to register; only a specific key is required, which the program computed and fixed when it was first installed. Let's try registering.
Figure (12)
Figure (13)
As Figure (13) shows, registration succeeded. What do you think of that? Let's close the program and restart it.
(4) Testing the registration
Press Ctrl+F2 in Olly to restart the program, then press F9. This time no nag screen appears at startup. Choosing About from the Help menu works too. Figure (14).
Figure (14)
So let's examine this program in SmartCheck.
(5) Adjusting SmartCheck's settings
This time we try Numega's SmartCheck. SmartCheck is designed for debugging VB programs, which makes it very useful for cracking them, but some of its settings need a little adjustment. Open PC to Answering Machine 2.0.8.2 in SmartCheck. Once it is open, choose Settings ... from the Program menu. Figure (15).
Figure (15)
Uncheck Leaks in Figure (15). Select Save these settings ... Then choose Advanced.
Figure (16)
Select the options shown in Figure (16).
Figure (17)
The last selections are those in Figure (17). That completes the settings. Let's run PC to Answering Machine 2.0.8.2 in SmartCheck. After it has run, choose Event Summary from the View menu. Figure (18).
Figure (18)
The Event Summary window gives us useful information.
Figure (19)
Specific Events in the View menu lets us choose to show only the events we want.
Figure (20)
Figure (21)
The real code starts in Figure (21).
Figure (22)
Figure (22) shows that there are as many as 24734 events. The toolbar button I pressed (its icon is not reproduced here) is end program; if I had not pressed it, about 1.5 million events would have been produced. For now all we want is to trace how PC to Answering Machine 2.0.8.2 starts up.
Figure (23)
If you look at the line numbers in Figure (23), you will notice that not all lines are shown. That is because we selected only Show Errors and Specific Events.
Figure (24)
Choosing Show Errors and Specific Events gives Figure (24). We know the program checks for a specific key when it starts. Let's simply search for it among the APIs. Figure (25).
Figure (25)
Searching as in Figure (25) finds Figure (26).
Figure (26)
As Figure (26) shows, we land on the first API found. We will not study the APIs in detail here; that comes later. The suspicious part is at line 2549.
Figure (27)
So, to look at the details, click the plus sign. Nothing special there. Double-clicking line 2549 and looking at the Details window shows Figure (28).
Figure (28)
Figure (28) shows the serial we were looking for. SmartCheck makes finding an ordinary registration key very easy.
INFO: Some VB programs contain anti-SmartCheck tricks. Usually they check for the string NuMega SmartCheck. I do not have this problem because I have patched SmartCheck with Repair 0.6. Repair 0.6 can patch other tools as well.
Figure (29)
Figure (29) shows a nag screen. I will explain later how to remove it. First let's find out how to register the ReverseMe program.
Figure (30)
Form1_Load in Figure (30) is very important. Did you notice that the MessageBox is what produces the nag screen shown in Figure (29)? The registration routine only comes after Form1_Load. Press OK in Figure (29). You will see Figure (31).
Figure (31)
Type 123456 in the Regcode textbox of Figure (31). You will see Figure (32).
Figure (32)
In addition, a new event is added to Figure (30), as in Figure (33).
Figure (33)
If we choose Show All Events from the View menu, all events are shown. Before choosing Show All Events, first select the event you want to look at; otherwise, among so many events, you will not be able to find the one you are after. Usually when an entry reads xxxxxx_click, xxxxxx is the button's name. Programmers rarely rename buttons; they leave them as commandX, where X is a number starting at one.
Do you see that Command1_Click in Figure (33) is where the serial is checked? So let's look there carefully. For now we can close Tut.ReverseMe1.exe, since it is no longer needed. By the way, what we see in Figure (33) is only an event summary.
Click the plus sign to the left of Command1_Click in Figure (33). Figure (34).
Figure (34)
Figure (34) does not give us enough information either. Selecting the MsgBox entry shows Figure (35).
Figure (35)
Figure (36)
Actually nothing is hard; we can see everything.
__vbaStrCmp is used to compare strings. For example:
__vbaStrCmp(String: "xxxxxx", String: "xxxxxx") returns DWORD:0
That is, it returns 0 when the two strings are equal, like strcmp. In Figure (36), however, the DWORD is FFFFFFFF, because the two strings are not equal: I had typed 123456 into the Regcode textbox of Figure (31). So what was our fake serial compared with? Figure (37).
Figure (37)
OK. 123456 was compared with I'mlena151.
I'mlena151 was compared just before the BadBoy message appeared. Now that we know the serial, let's try it.
Figure (38)
Entering I'mlena151 as in Figure (38) brings up a message box saying registration succeeded. Note that this serial came without any computation at all; it is a hard-coded string.
We still have to get rid of the nag screen. SmartCheck is good for finding serials in VB, but for removing nags we have better tools: VB decompilers, for example VB Decompiler Lite or Pro. I use VB Decompiler Pro 9.2.
Figure (39)
This is our Tut.ReverseMe1.exe decompiled in VB Decompiler.
INFO: A compiler is a program that turns source code into executable code. A decompiler takes executable code and turns it back into source code. A decompiler is a specialised kind of disassembler: where a disassembler turns executable code into assembly, a decompiler turns it into a high-level language such as C/C++ or VB.
Looking at Figure (39), I think VB Decompiler has done its job well.
Let's study the code first. Click the plus sign next to Form1 in Figure (39).
Figure (40)
In my view even someone unfamiliar with programming languages would understand this. In Figure (40), mnuabout is the About box and mnuexit is Exit. Command2 runs when the Nag button is pressed. Form_Load is the nag. Command1 runs when the Register button is pressed. So let's see at which VA the routine that shows the nag starts. Both Form_Load and Command2 say the nag starts at VA 402C17. You can double-click to check. Double-click Form_Load.
Figure (41)
Figure (42)
Figure (42) is the end of the nag screen; VA 402C17 is the start of the nag routine. OK, let's open Tut.ReverseMe1.exe in our debugger. Figure (43).
Figure (43)
Then, to jump straight to the VA we want, press the go-to-address button on the toolbar. Figure (44).
Figure (44)
Type VA 402C17. Figure (45).
Figure (45)
Figure (45) shows the start of the nag screen. Set a breakpoint at VA 402C17 and run (F9).
Figure (46)
Figure (46) shows where execution goes once the nag screen is over. Change the PUSH EB P at VA 402C17 into RET. Then, instead of the start of the nag, we effectively arrive at its end: the routine returns to its caller immediately. Run (F9).
Figure (47)
No nag; only Figure (47) appears. To be sure, press Nag? in Figure (47). Nothing appears. The nag screen is gone. (After a patch like this, exercise the program for a while: if the caller expected the routine to clean up its arguments, a bare RET leaves the stack unbalanced and the crash shows up later rather than here.)
(8) CrackersConvert
This time we study the CrackersConvert program. I will not go through the program's behaviour again; open it in SmartCheck and study it yourself. I go straight to About. Pressing the register button in About shows the registration box of Figure (48).
Figure (48)
And pressing the register button shows Figure (49).
Figure (49)
INFO: You can enter any registration code you like. You may wonder why I typed 47806. Well, programs often convert the registration code to hex before comparing it. 47806 in hex is BABE, which is easy to remember and easy to spot in a trace.
Figure (50)
Pressing Validate in Figure (48) shows Figure (50). Since we have found what we were looking for, let's close CrackersConvert.
Figure (51)
For now let's study the code from the Overview window as in Figure (51).
Len(String: "rhythm") returns LONG:6
Explanation: the length (number of characters) of the string "rhythm" is 6.
Mid(VARIANT:String:"abcdefg",long:1,VARIANT:Integer:1)
Explanation: takes the first character of "abcdefg", starting at position 1.
Mid(VARIANT:String:"rhythm",long:1,VARIANT:Integer:5)
Explanation: here five characters are taken starting at position 1 ("rhyth").
Asc(String:"T") returns Integer:84
Explanation: gets the decimal character code of "T", which is 84.
Asc(String:"r") returns Integer:114
Explanation: here the decimal character code of "r", 114, is obtained.
Len(String: "47806") returns LONG:5
Explanation: the length (number of characters) of the string "47806" is 5.
The bottom line of Figure (51) is the BadBoy.
Figure (52)
Look at Figure (52). It really is not hard.
__vbaVarMul(VARIANT:String:"114", VARIANT:Integer:20) returns DWORD:13F474
The first letter of my name is multiplied by 20.
__vbaVarMul(VARIANT:String:"1", VARIANT:String:"2") returns ..
Explanation: the general form, 1 multiplied by 2.
__vbaVarMove(VARIANT:Double:2280,VARIANT:Empty) returns DWORD:13F48C
The result is 2280.
__vbaVarCat(VARIANT:String:"REG-"VARIANT:Double:2280) returns DWORD:13F474
Then "REG-" is prepended to give REG-2280.
__vbaVarCat(VARIANT:String:"REG-2280"VARIANT:String:"-CODE") returns DWORD:13F464
Then "-CODE" is appended to give REG-2280-CODE.
__vbaVarTstEq(VARIANT:String:"47806",VARIANT:String:"REG-2280-CODE") returns DWORD:0
Only then is it compared with the serial we typed in.
__vbaVarTstEq(VARIANT:****,VARIANT:****) returns DWORD:0
Explanation: __vbaVarTstEq is used to compare variants. It returns VB's True, FFFFFFFF (-1), when the two are equal and 0 when they are not; that is why the comparison above, between 47806 and REG-2280-CODE, returned 0. __vbaVarCmpEq behaves similarly. (Note the difference from __vbaStrCmp, which returns 0 for equal strings.)
So we have the serial we need: for the user name rhythm the serial is REG-2280-CODE.
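As an added example (not the tutorial's or CrackersConvert's own code), here is the serial routine reconstructed from the trace above, together with the return conventions of __vbaVarTstEq and __vbaStrCmp as Olly shows them in EAX. It assumes the routine uses only the first character of the user name and the constant 20, which is all the trace for "rhythm" shows; under that assumption it also generates serials for other names, which the trace does not cover.

```python
# Added example: CrackersConvert's serial routine reconstructed from the
# SmartCheck trace, plus the return conventions of the two VB runtime
# comparison functions as they appear in EAX.  Assumption: only the first
# character of the name and the constant 20 are involved (that is all the
# trace for "rhythm" shows).

VB_TRUE = 0xFFFFFFFF   # VARIANT_BOOL True is -1, shown as FFFFFFFF in EAX
VB_FALSE = 0x00000000


def vba_var_tst_eq(a, b):
    """__vbaVarTstEq: FFFFFFFF when the variants are equal, 0 otherwise."""
    return VB_TRUE if a == b else VB_FALSE


def vba_str_cmp(a, b):
    """__vbaStrCmp: 0 when equal, -1 (FFFFFFFF) or 1 otherwise, like strcmp."""
    if a == b:
        return 0
    return -1 if a < b else 1


def keygen(name):
    """Mid(name,1,1) -> Asc -> __vbaVarMul(...,20) -> __vbaVarCat("REG-", n, "-CODE")."""
    if not name:
        raise ValueError('Asc("") raises a runtime error in VB as well')
    first = name[0]                   # Mid(VARIANT:String:name, long:1, VARIANT:Integer:1)
    code = ord(first) * 20            # Asc("r") = 114; __vbaVarMul(114, 20) = 2280
    return f"REG-{code}-CODE"         # "REG-" & 2280 & "-CODE"


def validate(name, serial):
    """The program's final check: __vbaVarTstEq(typed serial, computed serial)."""
    return vba_var_tst_eq(serial, keygen(name)) == VB_TRUE


if __name__ == "__main__":
    print(keygen("rhythm"))                        # the serial found in the trace
    print(validate("rhythm", "47806"))             # the BABE guess is rejected
    print(f"{47806:X}")                            # why 47806 is easy to spot: BABE
```

Because only one character of the name feeds the computation, every name starting with the same letter shares a serial; that is the kind of weakness a trace like Figure (52) makes obvious at a glance.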
Figure (53)
Figure (54)
So our registration succeeded. Figure (54).
INFO: The program writes the registration data to the files cconv.$$$ and cconv.ccc. When it starts, it checks whether the data in them match.
OK, let's study one more ReverseMe program.
(9) ReverseMe2
Figure (55)
Figure (55) shows ReverseMe2 opened in Olly. You may ask why I opened it in Olly and not in SmartCheck. Actually I did open ReverseMe2 in SmartCheck first, but it did not work: SmartCheck closes itself as soon as it opens ReverseMe2. So I opened it in Olly to find out what happens. I suspected ReverseMe2 contains an anti-SmartCheck trick: as soon as it notices SmartCheck, it tries to terminate SmartCheck immediately. Let's see how to deal with that.
Right-click in the CPU window and choose Search for > All referenced text strings. You will see Figure (56). Let's check whether ReverseMe2 looks for SmartCheck.
Figure (56)
In Figure (56), at VA 00404525, we find the string NuMega SmartCheck. Double-click VA 00404525 and study the code. Figure (57).
Figure (57)
Figure (58)
When you see Figure (58), just select the character you want to change and type whatever text you like from the keyboard.
Figure (59)
After selecting the 4D (M) position in Figure (58) and pressing B on the keyboard, you see Figure (59).
Figure (60)
When you press OK in Figure (59), you see Figure (60). In the same way, the character 43 (C) will be replaced with another character.
Figure (61)
Then right-click and choose Copy to executable file. You will see Figure (62).
Figure (62)
In Figure (62), right-click and choose Save file. Then save the file under a name of your choice. This time we can open the file we saved in SmartCheck, with no problem at all. We see Figure (63).
Figure (63)
This anti-anti technique can be used not only against SmartCheck but also with other tools such as Olly, ImpRec and LordPE. Let's try registering ReverseMe2.
Figure (64)
Even though we type in a User name and a Registration code, the Register button is disabled, so we cannot register. This ReverseMe program seems to check every character we type, one by one, for correctness. Figure (65).
Figure (65)
So what do we need to look at? Let's study Figure (65) in detail.
Figure (66)
Here we see the program computing some of the characters. But looking deeper into Text2.Text in Figure (66), we find nothing.
Figure (67)
So let's think about Figure (67). The ReverseMe program knows at startup that it is not yet registered.
Figure (68)
Let's study Text3.Text ß "UNREGISTERED" (String) in Figure (68) in detail.
The text AppActivate(VARIANT:String:"NuSega S...", VARIANT:Missing) fails means that the text NuSega S... was not found. Then let's look at the text Text3.Text ß "UNREGISTERED" (String). I think you understand that our search only needs to cover the part before this UNREGISTERED string.
Figure (69)
Look at Figure (69). __vbaVarTstEq(..) is comparing something. When you select __vbaVarTstEq(..), you see Figure (70).
Figure (70)
It is still not very clear. Let's study it in detail.
Figure (71)
If you select Dir(VARIANT:String:"reginfo....",FLAGS:00000000) in Figure (71), you see Figure (72).
Figure (72)
ReverseMe looks for a file called reginfo.key. __vbaVarTstEq(..) tests whether the reginfo.key file exists. If it does not exist, the text UNREGISTERED is shown in the main window and registration is not possible. That means we need a reginfo.key file, so let's create it. Open Notepad and save a file under the name reginfo.key. Then check the ReverseMe2 file in SmartCheck again.
Figure (73)
Then you see Figure (74). Let's try registering.
Figure (74)
OK. So far we still cannot register. Let's see what has changed in SmartCheck.
Figure (75)
In Figure (75) you see that the text Key File found has appeared in place of the text UNREGISTERED. Good. Now let's re-examine the code that checks the serial.
Figure (76)
Left(VARIANT:String:"rhythm",long:1)
Explanation: Takes the first character of the name.
Asc(String:"r") returns Integer:114
Explanation: Converts the ASCII character "r" to the integer value 114.
Figure (77)
In Figure (77) we see the numbers from before being joined together. The important line is Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10). The program takes only 10 characters, starting from the second character. So the digits taken are just 1410412111.
Figure (78)
Then continue with Figure (78).
__vbaVarSub(..) subtracts something. Then __vbaVarTstEq(..) compares something. So we need to look at this in detail. Click the plus sign.
Figure (79)
Looking at Figure (79), we find that __vbaVarSub(..) has nothing to do with __vbaVarTstEq(..). ☻☻☻
Figure (80)
But in the __vbaVarTstEq(..) of Figure (52) we see that the value is converted to double.dbval in order to compare it with the real serial. In fact it is 1410412111 that is converted for the comparison. So the real serial is .... ☻☻☻
Figure (81)
The program converts the first 5 characters of the name we typed in to ASCII values. Then it joins those values together. After that, to create the serial, it takes from the 2nd to the 10th character of the joined string. Well, let's try the serial.
Figure (82)
Our serial is most likely correct, because the Register button has become enabled again.
Figure (83)
Figure (84)
Once it has opened as in Figure (84), double-click Form_Load and scroll through it to learn how ReverseMe2 behaves. You see Figure (85).
Figure (85)
Double-click Command1_Click and scroll. Figure (86).
Figure (86)
Here I want to introduce the Veoveo program. This tool can enable/disable any button. Look.
Figure (87)
Figure (88)
As in Figure (88), right-click Veoveo and choose Enable Buttons (auto).
Figure (89)
Looking at Figure (89), the Register button is now enabled. You can see how easy it is. Actually, even with the Register button enabled we would not be able to register, because the program checks whether the serial is correct.
(10) Cracking VB P-code programs
INFO: P-code is code that is interpreted only at execution time. P-code can be seen as low-level code that our microprocessors cannot translate. Just as a virtual machine is needed to run Java programs, a virtual machine is needed to run VB p-code. Only with the virtual machine can the p-code be turned into native code. In VB, the virtual machine lives in the MSVBVM50.DLL and MSVBVM60.DLL files. These DLL files contain all the APIs used by VB applications; one example is rtcMsgBox, which does the same job as the Windows API MessageBox(). Important functions and rarely used functions should be compiled as p-code, while frequently used functions should be compiled as native code. Using P-code does give more security, but it slows the program down. P-code mostly works on the stack, so most instructions take their operands from the stack and put the result back on the stack. In C/C++ programs, if you want to compile as p-code you use #pragma, and at link time a run-time engine of about 9KB is inserted into the exe file. Some debuggers have the weakness that they cannot debug p-code.
To get to know P-code in detail, let's try cracking Engineering Power Tools, which is packed as p-code. Download Engineering Power Tools 2.0.4 from http://www.pwr-tools.com/ and install it. Then open ept-2002.exe in Olly.
Figure (90)
As you can see in Figure (90), Olly is not much help when debugging p-code files. For your information, ThunRTMain in Figure (90) is VB's main() function. If a VB file has been packed with some packer, you have to find ThunRTMain and dump from there.
Open ept-2002.exe in P32Dasm 2.5 instead of Olly. You will see Figure (91).
File: C:\Program Files\Engineering Power Tools - Plus Edition v2.0.4\ept-2002(ori).exe
P32Dasm v2.5
VB6 Application detected ... PCode
MAINFORM Events:
191. plus_options_show
192. plus_options_hide
193. plus_options_enable
Page_Setup Events:
2. Setup_calc
Pneumatic_cylinders Events:
11. metric_calc
12. inch_loader
13. metric_loader
Shear_Keys Events:
24. option_set
Volumes_of_Solids Events:
52. sphere_calc
53. spherical_sector_calc
54. spherical_segment_calc
55. spherical_zone_calc
56. spherical_wedge_calc
57. hollow_cylinder_calc
58. hollow_sphere_calc
59. torus_calc
Hydraulic_cylinders Events:
12. metric_calc
13. inch_loader
14. metric_loader
Splash Events:
37. pchk
shape_generator Events:
1. generate_rectangular_tubing
2. generate_circle
8. generate_hollow_circle
GearCalc Events:
17. metric_gear_calc
Beam_Calc Events:
9. Selector
10. selector_SI
Psychro_2 Events:
1. log10
2. calc_vapor_pressure
3. calc_vapor_pressure_2
4. calc_dewpoint
5. calc_enthalpy
6. calc_relative_humidity
7. calc_specific_volume
8. calc_humidity_ratio
9. calc_humidity_ratio_2
10. calc_atmospheric_pressure
11. calc_wet_bulb
15. calc_rh
17. calc_dp
Structural_Tubing Events:
12. combo_loader
Enclosure_Cooling Events:
15. Solve_Open_SI
16. Solve_Closed_SI
Duct_Size Events:
26. calc3
Plate_Deflection Events:
10. solve_SI
Figure (91)
To get to know the program's behaviour, open ept-2002.exe. Figure (92).
Figure (92)
Figure (93)
According to Figure (93), we can use either the Standard Edition or the Plus Edition. If you press OK in Figure (93), you see Figure (94).
Figure (94)
Figure (94) says that what we typed in is not correct.
Figure (95)
Therefore, as seen in Figure (95), some functions cannot be used. Now that we know how the program behaves, let's go back to P32Dasm. In P32Dasm choose References → Procedures. Figure (96).
Figure (96)
What you see in Figure (96) is the list of procedures contained in the program.
Figure (97)
Did you notice that Engineering Power Tool checks whether it is registered on the splash screen, right when it opens? So if you select 73.22 Form.Load() in Figure (97), you arrive at Figure (98).
Splash 73.22 Form.Load()
0016DF88: 6C ILdRf param_8
0016DFF4: 1B LitStr: "http://www.pwr-tools.com"
0016DFF7: 21 FLdPrThis
0016E18C: 1B LitStr: "\pwrtools.ini"
0016E18F: 2A ConcatStr
0016E21D: 1B LitStr: "USER NAME = "
0016E220: FB30 EqStr =
0016E26F: 23 FStStrNoPop var_108
0016E272: 1B LitStr: "REGISTRATION = "
0016E275: FB30 EqStr =
0016E277: C4 AndI4 And
0016E2C7: 1B LitStr: "REGISTRATION CODE = "
0016E2CA: FB30 EqStr =
0016E319: 23 FStStrNoPop var_108
0016E31C: 1B LitStr: "PASSWORD = "
0016E31F: FB30 EqStr =
0016E371: 1B LitStr: "SOFTWARE KEY = "
0016E374: FB30 EqStr =
0016E3BA: 3A LitVarStr: "<No Value>"
0016E3BF: 25 PopAdLdVar
0016E3C0: 1B LitStr: "User Name"
0016E3C3: 1B LitStr: "Settings"
0016E3C6: 1B LitStr: "EPTools"
0016E3C9: 0B ImpAdCallI2 GetSetting()
0016E3CE: FDB7 ImpAdStStr
0016E3D2: 3A LitVarStr: "<No Value>"
0016E3D7: 25 PopAdLdVar
0016E3D8: 1B LitStr: "Registration Code"
0016E3DB: 1B LitStr: "Settings"
0016E3DE: 1B LitStr: "EPTools"
0016E3E1: 0B ImpAdCallI2 GetSetting()
Figure (101)
We will replace the highlighted places in Figure (101) with NOP. In P-code the opcode equivalent to NOP is not 90; it is 21 (FLdPrThis). Figure (102).
Figure (102)
After editing as in Figure (102), we can save the patched file. Then run the patched file. You will see Figure (103).
Figure (103)
I edited the regname.reg file as in Figure (104) and merged it into the registry. Why this edit is needed becomes clear if you look at the code in Figure (98).
REGEDIT4
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\EPTools\Settings]
"User Name"="Myanmar Cracking Team"
"Registration Code"="Don't Hate the Crackers! Hate the C0dez."
Figure (104)
Then you will see Figure (105).
Figure (105)
What I have explained is how to register with your own name without finding the key. If you want to find the key, I suggest you experiment yourself.
Chapter (17) - Cracking programs written in Delphi - 338 -
Figure (1)
When you open File Recovery Angel and choose About from the Help menu, you see Figure (1). When you try to recover a damaged folder, you see Figure (2).
Figure (2)
When you try to recover a large number of files, you see Figure (3).
Figure (3)
Figure (4)
As Figure (4) shows, the PEiD check finds that this program was written with Delphi 4.0 or Delphi 5.0. Only Delphi programmers could tell the exact version by looking at the linker version; for us, knowing it roughly is enough.
If you open the FileRecoveryAngel.exe file in Olly, you see the entry point as in Figure (5).
Figure (5)
To see exactly how it works, press F9 (Run). Then choose Register(R) from the Option menu and get ready to register. Figure (6).
Figure (6)
As in Figure (6), type in a Registration Name and a Registration Key and select the Register button. You see Figure (7).
Figure (7)
Note the text "Register False" in Figure (7) and search for it as a text string in Olly. Then go to where this text string is. Figure (8).
Figure (8)
Looking at Figure (8), you will see that some jump lands at VA 00488FEA, where this BadBoy message is. For now, forget about this jump. When you see Figure (7), press F12 (Pause) to pause the program. Then press Alt+K (Call Stack) and look at where the Calls are called from. Figure (9).
Figure (9)
As seen in Figure (9), Olly cannot give precise information about the Calls. So we have to look at the System Stack to see where the error MessageBox of Figure (7) is called from. (When cracking Delphi programs, the System Stack is more useful than the Call Stack. Another method commonly used when cracking Delphi programs is to look for the FindWindowA API, because Delphi programs tend to look for an open window with a specific class name or title.)
Figure (10)
Figure (10) is what the System Stack looks like while Figure (7) is paused.
INFO: When Delphi code is disassembled in Olly, what you see looks a little strange. (You will notice that there are few comments and little info.) That is because Olly is not able to backtrace the calls. The Call Stack is empty and gives only a little information. So if you want to know which call invokes a routine in a Delphi program, you have to use the System Stack. Looking at the return address in the System Stack and then hunting for the start of the call also takes a long time; it is not very productive. We need another way, because Olly cannot show the exact start address of the routine.
INFO: Delphi references global variables and local variables through pointers. It uses [REG+Constant] for global variables and [REG-Constant] for local variables, where REG means a register. That means Olly cannot backtrace something like CALL DWORD PTR DS:[EBX+100]: when the value of EBX changes, the value of the pointer changes too, and Olly fails to backtrace this call. This is a real problem when dealing with Delphi programs. It can occur in other languages as well, but not as much as in Delphi.
INFO: This is a little worrying. What we are lucky about is that we have a tool for Delphi: DaFixer's DeDe. DeDe is a disassembler created for Borland Delphi programs. DeDe is a very fast program for analyzing exe files compiled with Delphi/Builder and can recover all of the file's dfm files. These dfm files can be opened and edited in Delphi. DeDe can extract strings, imported function calls, class method calls, components in units, Try-Except and Try-Finally blocks and all referenced code. You can also create a Delphi project folder containing the dfm, pas and dpr files. Every tool has its weaknesses: since DeDe is not a debugger, patching in DeDe is not possible. Still, it works fine when used together with Olly. When you download DeDe 3.50.04 build 1635, make sure the DOI and DSF files are included. Articles about DeDe are in DeDe's dede_doc directory. (DSF == DeDe Symbol File) (DOI == DeDe Offset Information File)
INFO: An important point about DeDe's configuration is that it is best to load the correct symbol files before processing an exe file. DeDe can work without DOI/DSF files, but the DOI/DSF files are very important for resolving call sequences correctly.
Figure (11)
As in Figure (11), choose Symbols from DeDe's Options menu and select the vcl5.dsf file, which belongs to Delphi 5.0. If you are analyzing Delphi 7.0 programs, you must choose the vcl7.dsf file. Click the DOI tab and select the D5.doi file. Then press the Process button in Figure (12).
Figure (12)
Figure (13)
Just choose the No button. You see Figure (14).
Figure (14)
Click the Procedures tab in Figure (14). Then you see the procedures used by File Recovery Angel. TFrmMain is the procedure for the program's most important part, the Main menu. TFrmAbout is the Form (dialog box) you see when you click the About menu. TFrmRegister is the Registration Form we are looking for. Select TFrmRegister. What you see on the right are the starts of routines that you could never see in Olly. Select ImgRegistereClick. You see Figure (15).
Figure (15)
VA 00488E34 is the start of the Registration routine. If you scroll down a little, you see Figure (16).
Figure (16)
Figure (16) is the Bad message you see when the registration key is entered incorrectly. Study TFrmAbout on your own when you have time. Actually, our work with DeDe was already finished at Figure (14), because we had found the start address of the registration routine. Note VA 00488E34, the start address of the registration routine, press Ctrl+G in Olly and type it in. Figure (17).
Figure (17)
Now you can close DeDe. Having reached the start of the registration routine as in Figure (17), let's look at where it checks the registration key. Set a breakpoint at VA 00488E34 and try registering again. Figure (18).
Figure (18)
When you select the Register button in Figure (18), you arrive at VA 00488E34, where we set the breakpoint. Now press F8 (Step Over) until you reach VA 00488EFA in Figure (19).
Figure (19)
VA 00488EFA in Figure (19) is the routine that generates the registration key. For "Myanmar Cracking Team" in the Registration name field of the Registration form, it generates the required key "CA75FC30F7AD6E7C969032F175560906F79B9EE94E93D2D4302B92" and stores it in EAX. The CALL at VA 00488F13 compares the key in EAX with the "4.10.1979" stored in EDX. If it matches, "On" is stored in "IsRegister" in the registry. If not, execution continues and, on reaching VA 00488F3F, it compares again to decide whether to go to the BadBoy ("Register False!"). With this much, I think you know what to do next.
Close Olly and open File Recovery Angel on its own. Then choose Register (R) from the Option menu and register. Figure (20).
Figure (20)
When you press the Register button in Figure (20), you see Figure (21).
Figure (21)
When you choose About from the Help menu, you see Figure (22). Actually, no matter how many characters you type into the registration name, the File Recovery Angel program checks no more than 12. That is why it shows "Myanmar Crac" instead of "Myanmar Cracking Team".
Figure (22)
Note that if you patch the JE at VA 00488F46 that goes to the BadBoy into a NOP instead of typing the correct key, registration only succeeds temporarily. That is because, when the program starts, it reads Name and Unicodekey from the two registry locations "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Frareg" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unicode" and verifies them. If you want the details, click TFrmMain in Figure (23) and have a look.
Figure (23)
FormCreate in Figure (23) shows the start of the virtual address (00491A00) of what is executed when the Main menu is created. Study it on your own.
This time I want to show you a little trick. You will remember having to write a keygen in the Teleport Pro 1.61 lesson. Writing the keygen routine is not hard, but writing the rest takes time. Personally, I find writing keygens very boring. So I want to show you a trick that makes the program produce the key automatically, without writing a keygen.
Figure (24)
Figure (25)
Look at Figure (25). The text "Register False!" at VA 00489184 is copied into EAX and, if the comparison of the two serials does not match, the Badboy message is shown. Figure (26).
Figure (26)
Wouldn't it be nice if, instead of the text "Register False!", it showed the serial for the user name we typed in? ☺☺☺☺☺☺☺☺☺☺
OK, let's try a little to make it show that. At VA 488FFB in Figure (25), change MOV EAX, 489184 to MOV EAX, DWORD PTR SS:[EBP-C] and save the file. (Note: remember that I said the real serial is temporarily placed on the stack.) Open the file saved after editing the code and try registering. Figure (27).
Figure (27)
This time let's try registering with the name rhythm.
Figure (28)
Figure (29)
When you press the register button in Figure (29), you see Figure (30).
Figure (30)
When you choose About from the Help menu, you see Figure (31).
Figure (31)
This time I will explain a method for easily cracking a Delphi program with the help of a Delphi debug file. For this we need SND 2.3, a slightly modified Olly Debugger 2.0, and Interactive Delphi Deconstructor. The chosen target file is Text to Speech Maker 2.6.
INFO: A .map file is a debug file created by Borland Delphi and Borland C++ Builder. Microsoft's debug file is .dbg, and the .map file is not compatible with windbg.exe, the Microsoft debug tool. The debug file created by Visual Studio is the .pdb file. A .map file contains plain text, and this text refers to the offsets of the corresponding functions. The .map file used in this lesson is not one produced by the Delphi compiler but one produced by a decompiler.
In this lesson I will not explain how the target file works or what it does, only the essentials. Open IDR and choose Load File Autodetect Version from the File menu. Then choose Text to Speech Maker.exe. You will see Figure (32).
Figure (32)
Choose the Yes button. You will see Figure (33).
Figure (33)
Looking at Figure (33), you can find out the version of the Delphi compiler the target file was written with. It was written with Delphi 7. In addition, you can find the function names and variable names.
If we open our target file in SND 2.3 (Olly Debugger), we see Figure (34).
Figure (34)
You will notice that the function names and variable names are missing in Figure (34). To see function names and variable names in Olly, we need to import the Delphi debug (.map) file. So we will create the .map file with IDR. Choose MAP Generator from IDR's Tools menu and save the Text to Speech Maker.map file. Then you can close IDR. Press the button on SND's toolbar. Figure (35).
By the way, IDR is not the only tool that can produce a Delphi debug (.map) file; the IDA Pro disassembler can produce one as well. I prefer the .map file produced by IDR. The Delphi versions supported by IDR are Delphi 2, Delphi 3, Delphi 4, Delphi 5, Delphi 6, Delphi 7, Delphi 2005, Delphi 2006, Delphi 2007, Delphi 2009, Delphi 2010, DelphiXE1, DelphiXE2 and DelphiXE3.
Figure (35)
Then select the Text to Speech Maker.map file we saved. You will see Figure (36).
Figure (36)
As Figure (36) shows, we have successfully imported a total of (6469) labels from the Text to Speech Maker.map file into SND Olly, and we can now see the function names too.
Good. Run the program (F9). As seen in Figure (37), the registration dialog appears. If we do not buy the program, it only converts the first (300) characters into an audio file.
Type rhythm in the user name field and 4101979 in the registration code field, then press the OK button.
Figure (37)
Because the registration code we typed in is wrong, you see the badboy message as in Figure (38). Note "Invalid user name or registration code".
Figure (38)
Restart the program (Ctrl + F2). Right-click somewhere in the code and choose Search for > All referenced strings. A Search box will appear. Type Invalid user name or registration code there and search. You will see Figure (39).
Figure (39)
Double-click the highlighted line in Figure (39). You see Figure (40).
Figure (40)
Looking at Figure (40), you find that VA 4D87CC is the TRegForm.BtnOKClick function. In the previous lesson you would not have seen a function name like this. You also see the GetText() and MessageBox() functions. Roughly, the program asks for the user name at VA 004D87ED and for the registration code at VA 004D87FB. These two are processed in the CALL 4DCB9C at VA 004D880D. If you had typed the registration code that correctly matches the user name, you would arrive at the Good Guy at VA 004D8825. Because we could not enter the correct registration code, we arrived at the Bad Boy at VA 004D8848.
Set a breakpoint (F2) on the CALL 4DCB9C at VA 004D880D. Then run the program (F9) until it reaches the breakpoint. Press F7 (Step Into) and let's see how the registration code is checked. Figure (42).
Before checking it, a side note: the registration code of Text To Speech Maker is encrypted with the RSA (Rivest, Shamir, Adleman) cryptosystem. In cryptography there are two kinds of encryption, Symmetric and Asymmetric. There are many kinds of symmetric encryption, but in asymmetric encryption there are mainly only three: RSA, DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm). The symmetric method uses a public key, while the asymmetric method uses both a public key and a private key. Using the asymmetric method is secure, but it has the weakness that it can only encrypt 256 bytes of text. The registration code of Text To Speech Maker is encrypted using RSA's public-key method.
How do we know that the registration code of Text To Speech Maker is encrypted with RSA's public-key method? OK. Open the AT4RE team's Hash & Crypto Detector 1.4 and check the Text To Speech Maker program. Figure (41).
Figure (41)
Looking at Figure (41), you see the names of some RSA functions. You will notice FGInt in the function names. FGInt is short for Fast Gigantic Integers, and these functions were created by Walied Othman. So that you can study in detail how the functions work, I have included them on the DVD that comes with the book.
I said above that the CALL 4DCB9C in Figure (40) is the function that performs the encryption. We will look at how it encrypts in Figure (42). The 65537 seen at VA 004DCBED is RSA's public key (exponent). According to the RSA Exp Dec function, the RSA exponent value is in decimal. The 1868345906848137 47591218298111 seen at VA 004DCBED is RSA's modulus. The CALL 004D42BC at VA 004DCBF2 is a routine that calls the Base10StringToFGInt function. VA 004D3E94 is the FGIntRSAEncrypt function; it holds our user name as 256 bytes and displays the registration code produced by the encryption as 64 bytes, using the FGInt ConvertBase256to64 function. In fact, if you just set a software breakpoint at VA 004DCC24 and run the program, you can obtain the correct registration code we want. The registration code computed automatically by the program is 0+yJdoyj+eGdp4xR. This code is compared with 4101979, the registration code we typed in, using the LStrCmp function. If the two strings are equal, the value 1 is stored in the BL register; if they differ, the EAX register is set to zero. The program checks whether the AL register is zero and, if it is, shows the Badboy message "Invalid user name or registration code!".
yHk(42)
tck&Sif;jyaewm[m ½IyfaxG;aew,fvdkY xifae&ifawmh registration code udk tvG,fwul wGufxkwf
ay;Edkifr,fh enf;vrf;udk pOf;pm;Muygr,f/
yHk(43)
http://www.x-ways.com/
(2.4) CFF Explorer (General PE File Explorer)
Assembly xJu metadata table awGeJY resource awGyg0ifwJh b,f PE zdkifrqdk&JU content awGudk
Munf½h &I mrSmawmh tawmfav;aumif;wJh tool wpfckjzpfygw,f/
http://www.ntcore.com
(2.5) SNS Remover (Strong Name Signature Remover)
tcsdKUaom .net assembly awG[m assembly awGudk zefwD;vdkufcsdefrSm tBuHtzefrvkyfEdkifatmif?
rjyKjyifEdkifatmifwm;qD;zdkY digital signature awGeJY sign vkyfxm;Muygw,f/ Strongly named assembly
xJu b,f byte udkrqdk jyifvdkufr,fqdk&if .net runtime u assembly udkpwifzYkd jiif;qefygvdrhfr,f/
'gayr,fh uRefawmfwdkY&JU SNS remover tool uawmh sign vkyfxm;wJh assembly uae signature field
udkz,f&Sm;Edkifygw,f/ 'Dae&mrSm ajymvdkwmuawmh uRefawmfwd&Yk UJ CFF explorer uvJ .net assembly uae
Strong Name signature udkz,f&Sm;EdkifNyD; PE zdkifudk jyefvnfwnfaqmufEdkifygw,f/ yHk(1)/ 'gayr,fh
uRefawmftaeeJY 'D tool av;udk ydkBudKufrdygw,f/
yHk(1)
http://www.pmode.com
(2.6) PEBrowse Professional (Disassembler/Debugger)
.net assembly awGukd disassemble vkyfEkdifwhJ^ debug vkyfEkdifwhJ debugger/disassembler wpfck
jzpfygw,f/ IL instruction awGeJY olwdkY&JUwu,fh byte awGudk jyoEdkifygw,f/ 'ghtjyif b,f JIT compiler
event udkrqdk break vkyfEdkifygw,f/ 'D debugger udktoHk;jyKNyD; .net IL instruction awGudk ajc&mcHEdkifyg
w,f/ NyD;&ifaemufuG,frSm bmawGjzpfaeovJqdkwm odEdkifygw,f/
http://www.smidgeonsoft.com
(2.7) .Net Generic Unpacker (.Net assembly Unpacker)
oifhtaeeJY .net assembly PE zdkifawGudk dump vkyfwhJtcgrSm 'D tool udk vdkygvdrfhr,f/ .Net
reactor vdk tcsdKUaom .net protection aqmhzf0JvfawGu oifhy½dk*&rf&JU .net assembly udk pack vkyfMuwm
jzpfNyD; MSIL r[kwfwJh PE zdkifudkxkwfay;ygvdrfhr,f/ rSwfOmPfxJrSm tvkyfvkyfwJhtcgrSom oifhzdkif&JU
assembly awGudk unpack jyefvkyfMuwmjzpfygw,f/ 'Denf;ynmudkawmh rlv assembly &JU uk'af wGukd
&,ljcif;rS umuG,fEdkifzdkY toHk;jyKMuwmjzpfygw,f/ 'gayr,fh oifhtaeeJY 'gudk ½dk;&Sif;vSwJh .net generic
unpacker oHk;NyD; ausmfvTm;Edkifygw,f/
http://www.ntcore.com
aemufqHk;taeeJY ajymvdkwmuawmh wcgw&HrSm Reflector [m tcsdKUaom procedure (odkY) function
awGudk oifhpdwfBudKufbmompum; (C#? VB? Delphi) tjzpf decompile rvkyfay;EdkifwJhtwGuf oifhtaeeJY
IL instruction awGudk &if;ESD;aezdkYvdktyfygw,f/ Native code awGudk crack vkyfzYkd Assembly
bmompum;udk avhvmwmxufpm&ifawmh IL uk'fawGudk avhvm&wm[m ydkrdkvG,fulNyD; vsifjrefpGmem;vnf
rSm jzpfygw,f/
tcef;(18) – Visual Dot.net jzifha&;om;xm;aom y½dk*&rfrsm;udk crack vkyfjcif; - 359 -
(3) Opcode
'guawmh crack vkyf&mrSm ta&;BuD;qH;k tcsufjzpfygw,f/ oifjrifwJhtwdkif; .net application
awG[m olwdkY&JU y½dk*&rf instruction awGudk MSIL yHkpHeJYazmfjywmjzpfwJhtwGuf Visual Studio rSm compile
vkyfwhJtcg oifh&UJ source code awGudk native machine uk'ftjzpf ajymif;vJay;rSmr[kwfygbl;/ 'gayr,fh
JIT compiler udktoHk;jyKNyD; compile vkyfr,fqkd&ifawmh native code tjzpfajymif;vJay;rSm jzpfygw,f/ JIT
qdkwmuawmh just-in-time compiler udkajymwmjzpfNyD; oifhy½dk*&rfawG&JU tpdwftydkif; tcsdKUudk native code
tjzpfajymif;vJay;rSmjzpfNyD; vdktyfwJhtcg execute vkyfrSmjzpfygw,f/
Ildasm uxGufvmwJhuk'ftcsdKUudk avhvmMunfhvdkuf&atmif/
IL_0000: /* 02 | */ ldarg.0
Line number Actual byte(s) IL instruction
Opcode qdkwmuawmh Microsoft Intermediate Language (MSIL) instruction awGudk
azmfjyjcif; jzpfygw,f/ wu,fvdkY oif[m a&SYydkif;tcef;awGudk aMunufpGmem;vnfxm;w,fqdk&if atmufyg
instruction awG[m bmudkqdkvdkw,fqdkwm odaerSmyg/
JMP JNE JLE NOP CALL ponf ...
MSIL opcode awGuawmh Intel y½dq k ufqmawGtwGuf 'DZdkif;jyKxm;wJh native opcode awGeJY
rwlnDygbl;/ Oyrmjy&&if native code y½dk*&rfawGrSm CALL function &Sd&m offset udk oifodxm;NyD; 'D
CALL udt k vkyfrvkyaf pcsif&if y½dk*&rfukd hex editor rSmzGifhNyD; NOP (No OPertation) udk&nfpl;wJh 90
qdkwJh byte eJYtpm;xdk;&rSmjzpfygw,f/
MSIL rSmawmh 90 tpm; 00 eJaY zmfjyygw,f/ 'g[mta&;BuD;wJhtcsufjzpfwt hJ wGuf MSIL twGuf
vdktyfwJh opcode pm&if;udk azmfjyvdkufygw,f/ oifhtaeeJY .net y½dk*&rfawGukd crack vkyf&mrSm 'D opcode
awGtm;vHk;udk toHk;jyKp&mrvkdygbl;/ rsm;aomtm;jzifhawmh NOP eJY unregistered tajctaeawGudk ausmf
vTm;EdkifzdkY jump instruction awGudk trsm;qHk; toHk;jyK&rSmjzpfygw,f/
Opcode awGtaMumif;udk ydkrdkem;vnfapvdkwJhtwGuf bmomrjyefbJ rl&if;twdkif;azmfjyvdkufygw,f/
y½dk*&rfawGudk vufawGU crack wJhtcgMurSyJ vdktyfovdk bmomjyefay;rSmjzpfygw,f/ &Snfvsm;rSmpdk;wJh
twGuf toHk;rsm;wJh opcode awGudkyJ azmfjyvdkufygw,f/
Opcode       Actual bytes   Meaning
And          5F             Computes the bitwise AND of two values and pushes the result onto the evaluation stack.
Beq          3B             Transfers control to a target instruction if two values are equal.
Beq_S        2E             Transfers control to a target instruction (short form) if two values are equal.
Bge          3C             Transfers control to a target instruction if the first value is greater than or equal to the second value.
Bge_S        2F             Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value.
Bge_Un       41             Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bge_Un_S     34             Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt          3D             Transfers control to a target instruction if the first value is greater than the second value.
Bgt_S        30             Transfers control to a target instruction (short form) if the first value is greater than the second value.
Bgt_Un       42             Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt_Un_S     35             Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Ble          3E             Transfers control to a target instruction if the first value is less than or equal to the second value.
Ble_S        31             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value.
Ble_Un       43             Transfers control to a target instruction if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Ble_Un_S     36             Transfers control to a target instruction (short form) if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Blt          3F             Transfers control to a target instruction if the first value is less than the second value.
Blt_S        32             Transfers control to a target instruction (short form) if the first value is less than the second value.
Blt_Un       44             Transfers control to a target instruction if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Blt_Un_S     37             Transfers control to a target instruction (short form) if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Bne_Un       40             Transfers control to a target instruction when two unsigned integer values or unordered float values are not equal.
Bne_Un_S     33             Transfers control to a target instruction (short form) when two unsigned integer values or unordered float values are not equal.
Brfalse_S    2C             Transfers control to a target instruction if value is false, a null reference, or zero.
Brtrue       3A             Transfers control to a target instruction if value is true, not null, or nonzero.
Brtrue_S     2D             Transfers control to a target instruction (short form) if value is true, not null, or nonzero.
Clt          FF 04          Compares two values. If the first value is less than the second, the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Clt_Un       FE 03          Compares the unsigned or unordered values value1 and value2. If value1 is less than value2, then the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Ldstr        72             Pushes a new object reference to a string literal stored in the metadata.
Leave        DD             Exits a protected region of code, unconditionally transferring control to a specific target instruction.
Leave_S      DE             Exits a protected region of code, unconditionally transferring control to a target instruction (short form).
Mul          5A             Multiplies two values and pushes the result on the evaluation stack.
Mul_Ovf      D8             Multiplies two integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Mul_Ovf_Un   D9             Multiplies two unsigned integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Neg          65             Negates a value and pushes the result onto the evaluation stack.
Newobj       73             Creates a new object or a new instance of a value type, pushing an object reference (type O) onto the evaluation stack.
Nop          00             Fills space if opcodes are patched. No meaningful operation is performed although a processing cycle can be consumed.
Not          66             Computes the bitwise complement of the integer value on top of the stack and pushes the result onto the evaluation stack as the same type.
Or           60             Compute the bitwise complement of the two integer values on top of the stack and pushes the result onto the evaluation stack.
Pop          26             Removes the value currently on top of the evaluation stack.
Rem          5D             Divides two values and pushes the remainder onto the evaluation stack.
Rem_Un       5E             Divides two unsigned values and pushes the remainder onto the evaluation stack.
Ret          2A             Returns from the current method, pushing a return value (if present) from the caller's evaluation stack onto the callee's evaluation stack.
cryptography udktoHk;jyKygw,f/ Digital signature wpfckudkzefw;D zdkY yxrqHk; 160-bit &SdwJh hash
wefzdk;wpfckeJY sign vkyfwmjzpfygw,f/ NyD;&ifawmh wduswJh private key wpfckoHk;NyD; encrypt vkyfygw,f/
Private key eJYoufqdkifwJh public key udk&Sdxm;wJh b,folrqdk author eJYywfoufwJhtcsuftvufawGudk
authenticate vkyfzdkY toHk;jyKEdkifNyD; data awGudk rajymif;vJxm;bl;qdk&ifawmh sign vkyfEdkifrSmyg/
'guawmh .net assembly awGudk jyKjyifajymif;vJjcif;rS umuG,fEdkifzdkY toHk;jyKMuwJh enf;vrf;wpf&yf
jzpfygw,f/ .net eJY zefwD;xm;wJh exe zdkifwpfckudk tvkyfvkyfapcsdefrSm y½dk*&rf[m string name signature
udkppfaq;ygvdrfhr,f/ wu,fvdkY &SdcJhr,fqdk&if digital signature udkppfaq;NyD;? ppfq;wmratmifjrif&ifawmh
'g[m assembly udkjyifxm;NyDqdkwmodvdkufNyD; y½dk*&rfudktvkyfvkyfapzdkY jiif;qefygvdrfhr,f/
oifhtaeeJY strong name signature b,fvdktvkyfvkyfovJqdkwJh tao;pdwftcsuftvufawGudk
tifwmeufrSm &SmazGEdkifygw,f/
(4) Entry Point Method (EPM) udk&Smjcif;
Entrypoint Method uawmh .net application pwifcsdefrSm ac:,loHk;wJh yxrqHk; Method jzpfNyD;?
'gudk Reflector (odkY) Ildasm rSmMunfhvdkY&zdkY ta&;BuD;ygw,f/ yHkrSef .net application wpfckrSmawmh 'DvdkyHkpH
&Sdygw,f -
Public Shared Sub Main()
Application.Run (New MainForm)
End Sub
'D Method &JUta&;ygyHkuawmh oifhtaeeJY y½dk*&rf&JUvkyfaqmifcsufawGudk y½dk*&rfpwifwJhtcsdefup
NyD; register vkyfwJh routine &Sd&ma&mufwJhtxd ajc&mcHEdkifygw,f/
'D Method uae aemufxyf&&SdEdkifwJhtusdK;aus;Zl;uawmh crack vkyfr,fh application &JU t"du
form tjzpfoHk;r,fh MainForm class udkavhvmqef;ppfEdkifwmygyJ/ wu,fvkdY oifhtaeeJY Application.run
udktaotcsmMunfhr,fqdk&if 'D function xJ t0if^txGufvkyfaewJh argument awG? argument wefzdk;
awGudk awGU&rSmyg/
Entrypoint RawData offset udk&SmzdkY oifhtaeeJY vkyfaqmif&rSmuawmh -
1/ Crack vkyfr,fh y½dk*&rfukd CFF explorer rSmzGihfyg/
2/ .NET directory node qDoGm;yg/
3/ *&pfuGufeJYjyxm;wJhwefzdk;awGxJu EntrypointToken row ud&k mS yg/
4/ 'D row twGuf aemufqHk; column wefzdk;udkMunfhyg/ 'Dwefzdk;[m DWORD jzpfNyD; entrypoint Method
&Sd&mqD uRefawmfwYkdudk vrf;nTefygvdrhfr,f/
'Dae&mrSmawmh token wefzdk;udk 060000028 vdkY,lqygr,f/ oifhtaeeJYawmh token wefz;kd [m
wpfrsdK;BuD;yJvkdY cHpm;ae&rSmyg/ ol[m table wpfckeJY table &JU index udkazmfjywJh DWORD wefzdk;wpfck
jzpfygw,f/ qdkvdkwmu table wpfckeJY 'D table xJu row wpfckudk nTefjywmyg/ Oyrmjy&&if uRefawmfwdkY&JU
token wefzdk;udk 060000028 jzpfw,fvdkY owfrSwfMunfhMuygpdkY/
06 000028
Table index Row index in that table
'Dae&mrSm uRefawmfwkdYajymajymaewJh table qdkwmuawmh Methods table udkajymwmyg/ oifhtaeeJY
CFF explorer rSmMunfhr,fqdk&if Metadata Streams node atmufu Tables node rSmMunfhEdkifygw,f/
Tables node a&muf&ifawmh yHk(2)twdkif; Method table &Sd&mudk&Smygr,f/
yHk(2)
Method table udk expand vkyfNyD; index 40 (28h) udk&Smygr,f/ 'gqdk yHk(3)twdkif; awGU&ygr,f/
yHk(3)
yHk(3)u ae&mudka½G;cs,fNyD; 'D method eJYqkdifwJhtcsuftvufawGudk Munfh½IvdkY&yg
w,f/ 'Dae&mrSm uRefawmfwdkYpdwft0ifpm;qHk;uawmh yxrqHk; row jzpfNyD; 'D method &JU RVA udkazmfjyyg
w,f/ aemufqHk; column uwefzdk;udk zwfvdkuf&ifawmh 0x4974 jzpfygw,f/
(5) EPM twGuf zdkif offset udk CFF explorer jzifh&Smjcif;
.net PE zdkifwpfckrSmawmh .text? .reloc? .rsrc pwJh section 3ck&Sdygw,f/ .text section rSmawmh
Import Table? Import Address Table eJY .Net Section wdYkyg0ifygw,f/ .net PE zdkifwpfckukd atmufyg
tcsuftvufrsm;yg0ifw,fvdkY ,lqMunfhvdkufMu&atmif/
.net PE zdkiftwGuf ImageBase 0x400000
.text section virtual address 0x002000
.text section Raw address 0x000200
EntryPoint Method VA 0x004974
'Dzikd fukd rSwfOmPfay:ul;wifvkdufwhJtcgrSm jrif&wmuawmh -
0x400000 0x402000 0x404974 RVA
ImageBase > > > .text > > > EP_Method
0x0 0x2000 0x4974 VA
'gaMumifhrdkY zdkifudk rSwfOmPfrSmae&mcsxm;wJhtcg ImageBase &JU 0x2000 byte tuGmrSm .text
section udk&Sm&rSmjzpfygw,f/ Method data udkawmh ImageBase &JU 0x4974 byte tuGmrSm&Sm&rSmjzpfyg
w,f/
yHk(4)
t&Sif;qHk;yHkpHeJYjy&&ifawmh-
EPM File Offset = [EntryPoint VA] – [Section.txt VA] + [Section.txt RawAddress]
'Dwefzdk; 3ckvHk;udk CFF Explorer uae&&SdEkdifygw,f/ CFF Explorer rSm Address converter
yg&SdNyD; oifhrSm RVA wefzdk;&Sdxm;NyDqdk&if b,f Method &JU file offset udkrqdkwGufcsufEdkifygw,f/
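Added example (Python, not code from the book): the token split and the file-offset formula from this section, applied to the sample values the text lists (ImageBase 0x400000, .text VA 0x2000, raw address 0x200, method RVA 0x4974). The section sizes and the .rsrc/.reloc entries are assumed values so that the range lookup has something to check; the table names follow ECMA-335.

```python
# Added example (not the book's code): decode a .NET metadata token and map an
# RVA to a file offset, using the sample values the chapter lists.

# CLR metadata table ids (ECMA-335 Partition II) for tables used in the chapter.
TABLE_NAMES = {
    0x02: "TypeDef",
    0x04: "Field",
    0x06: "MethodDef",
    0x0A: "MemberRef",
}

# Constructed section table for the chapter's sample PE. Only the .text VA and
# raw address come from the text; the sizes and the other two sections are
# assumed values so the range lookup is exercised.
IMAGE_BASE = 0x400000
SAMPLE_SECTIONS = [
    {"name": ".text",  "va": 0x2000, "vsize": 0x3000, "raw": 0x200,  "rsize": 0x2E00},
    {"name": ".rsrc",  "va": 0x6000, "vsize": 0x1000, "raw": 0x3000, "rsize": 0x0600},
    {"name": ".reloc", "va": 0x8000, "vsize": 0x1000, "raw": 0x3600, "rsize": 0x0200},
]


def decode_token(token: int) -> tuple[str, int]:
    """Split a metadata token: high byte = table id, low 24 bits = 1-based row."""
    table_id = token >> 24
    row = token & 0x00FFFFFF
    if row == 0:
        raise ValueError(f"token 0x{token:08X} has a null row index")
    return TABLE_NAMES.get(table_id, f"table 0x{table_id:02X}"), row


def rva_to_file_offset(rva: int, sections: list[dict]) -> int:
    """offset = rva - section.VirtualAddress + section.PointerToRawData.

    The section is chosen by RVA range. Bytes past the section's raw size exist
    only in memory (zero-filled tail), so such an RVA has no file offset.
    """
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            delta = rva - s["va"]
            if delta >= s["rsize"]:
                raise ValueError(f"RVA 0x{rva:X} is in {s['name']} but has no file backing")
            return s["raw"] + delta
    raise ValueError(f"RVA 0x{rva:X} is outside every section")


def va_to_file_offset(va: int, image_base: int, sections: list[dict]) -> int:
    """Same mapping, starting from a virtual address instead of an RVA."""
    return rva_to_file_offset(va - image_base, sections)


def entry_method_offset(token: int, method_rva: int, sections: list[dict]) -> int:
    """Given the EntryPointToken and the RVA read from its MethodDef row, return
    the file offset of the method header (the bytes before the IL code)."""
    table, _ = decode_token(token)
    if table != "MethodDef":
        raise ValueError(f"entry point token must reference MethodDef, got {table}")
    return rva_to_file_offset(method_rva, sections)


if __name__ == "__main__":
    table, row = decode_token(0x06000028)
    print(f"token 0x06000028 -> {table} row {row} (0x{row:X})")
    off = entry_method_offset(0x06000028, 0x4974, SAMPLE_SECTIONS)
    print(f"method RVA 0x4974 -> file offset 0x{off:X}")
```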
(6) Entry Point Method (EPM) udk Ildasm jzifh&Smjcif;
'guawmh vG,fulwJhtvkyfjzpfNyD; Entrypoint Method disassembly uae wu,fh byte twGJawG
udk odxm;&rSmjzpfygw,f/ 'Denf;ukdawmh EPM r[kwfwJh b,f Method twGufrqdk toHk;jyKEdkifygw,f-
yHk(5)
'gqdk&ifawmh wu,fh byte &Sd&m yxrqHk; offset udka&mufomG ;ygvdrhfr,f/ NyD;cJhwhJenf;vrf;wke;f u
oifa&muf&SdcJhwm[m Code byte rwdkifcifrSm&SdwJh Method Header byte udkyg/ .net Method wnfaqmuf
xm;yHkuawmh yHk(6)twdkif; jzpfygw,f/
yHk(6)
yHk(7)
(9) Patch vkyfjcif;tajccH
'DwpfcgrSmawmh .net application awGudk patch vkyfjcif;eJYywfoufNyD; avhvmMunfhvdkuf&atmif/
'Dwpfcg patch vkyfzdkYa½G;cs,fxm;wJh y½dk*&rfuawmh Dot_Net_ReverseMe_2.exe jzpfygw,f/ 'Dy½dk*&rfudk
www.tuts4you.com &JU download section uae download vkyf,lEkdifygw,f/ (oift h aeeJY 'Dy½dk*&rfav;
udk &Sdrxm;vJ ta&;rBuD;ygbl;/ &Sif;jywmudk em;vnfatmifMunfhzdkYom ta&;BuD;ygw,f/) yxrqHk; patch
vkyfr,fh y½dk*&rfudk PEiD eJYppfMunfhygr,f/ yHk(8)/
yHk(8)
yHk(9)
yHk(9)t&qdk&ifawmh uRefawmfwdkYtwGuf bmrSvkyfp&mr&Sdygbl;/ bmaMumifhvJqkdawmh serial ½dkufxnfh
p&m textbox wdkY? serial rSef^rrSefppfwhJ button wdkY rawGUvdkYyg/ 'gaMumifh a&;xm;wJhuk'fudkMunfhEdkifzdkY
y½dk*&rfudk Reflector eJYzGifhvdkufyg/ yHk(10)/
yHk(10)
'DtcgrSmawmh pdwf0ifpm;p&mawGudk awGU&ygNyD/ 'DtxJuwpfckuawmh IsRegistered qdkwJh boolean
class yg/ aemufwpfckuawmh CheckReg() function yg/ CheckReg() udk double-click ESdyfNyD;zGifhvdkuf&if
uRefawmfwdkY oHo,&Sdaewm rSefuefaMumif;awGU&ygr,f/ yHk(11)/
yHk(11)
'DwpfcgrSmawmh .ctor() taMumif;&Sif;jyrSmjzpfygw,f/ C++? Java? C# (odkY) b,f OOP (Object
Oriented Programming) bmompum;rSmrqdk olUrSmyg0ifwhJ class member awG&JUwefzdk;udk initialize
vkyfzdkY constructor wpfckyg0ifwJh class awG&Sdygw,f/ .net rSmawmh class constructor udkemrnfay;avh
r&Sdygbl;/ Constructor &JUtwdkaumufjzpfwJh .ctor() qdkwJhtrnfomxm;ygw,f/ IsRegistered qdkwJh
member variable [m y½dk*&rfudk register vkyfxm;jcif;&Sd^r&Sd qHk;jzwfygw,f/ uRefawmfwdkYtwGuf tcGifh
ta&;&&Sdapwmuawmh register jzpf^rjzpfudk constructor xJrSm initialize vkyfvdkYyg/ aumif;NyD? .ctor()
udkzGifhNyD; MunfhvdkufMu&atmif/ yHk(12)/
yHk(12)
wu,fawmh uRefawmfwdkYy½dk*&rfu unregistered jzpfaewm[m .ctor() xJu this.IsRegistered =
false; qdkwJh statement aMumifhjzpfygw,f/ 'Dae&mrSm false tpm; true vdkY jyifay;Edkifr,fqdk&if ... ☺☺☺
tckuRefawmfwdkY MunfhaewJh decompile vkyfxm;wJhuk'f[m C# bmompum;eJYjzpfygw,f/ yHk(12)udk
MSIL bmompum;eJY MunfhvdkufMu&atmif/ yHk(13)/
yHk(13)
yHk(13)uawmh bytecode taeeJY wdkuf½dkufbmomjyefwmyg/ .net y½dk*&rfawGudk patch vkyfzdkYqdk&if
awmh IL bmompum;taeeJYom Munfh&rSmjzpfygw,f/ wu,fawmh .net udk stack machine vdkYac:vdkY&yg
w,f/ bmaMumifhvJqdkawmh olUtvkyfawGudk register rSmxuf stack rSmvkyfvdkYyg/ Oyrmjy&&if A u
wefzdk;wpfckudk B udka&TUcsifw,fqdk&if A uwefzdk;udk stack ay: PUSH vkyfvdkuNf yD; stack uaerSwqifh B
ay: jyef POP vkyfay;wmjzpfygw,f/ tjcm;pepfawGrmS qdk&ifawmh A uae B udkwdkuf½dkufa&TYajymif;jcif; (odkY)
,m,Dxm;&SdzdkYtwGuf register wpfckudk toHk;jyKjcif;rsdK; jyKvkyfygw,f/
yHk(13)udk taotcsmem;vnfEdkifzdkY IL opcode awGtaMumif; em;vnfaezdkYvdkygw,f/ yHk(13)udk
Munfrh ,fqdk&if 'Duk'fESpfaMumif;twGuf stack udk tvGeftrif;toHk;jyKxm;wmawGU&rSmyg/ this.IsRegistered
= false; pmaMumif;twGufudkyJ atmufrSmjyxm;wJhtwdkif; stack eJYywfoufwJhpmaMumif; 3aMumif;avmuf
bmomjyefxm;wmawGU&ygw,f/
L_0000: ldarg.0
L_0001: ldc.i4.0
L_0002: stfld bool Dot_Net_ReverseMe_2.frmMain::IsRegistered
'D IL instruction awGudk IL reference toHk;jyKNyD; bmomjyef&r,fqdk&if ...
ldarg.0 Argument 0 udk stack ay: ul;wifonf/
ldc.i4.0 0 udk stack ay: I4 tjzpf PUSH vkyfonf/
stfld Object obj \ field wefzdk;udk val ESifhtpm;xdk;onf/
yHk(14)
wu,fawmh Method &Sd&m offset udk&Smenf;taMumif; uRefawmfwdkY avhvmNyD;ygNyD/ 'Dae&mrSmawmh
offset wefzdk;udk yHkaoenf;eJY rwGufcsufawmhbJ 02 16 7D 06 00 00 04 02 28 0E 00 00 0A qdw k hJ hex
byte twGJudkyJ hex editor wpfckckrSm ½dkufxnhfNyD; &SmMunfhygr,f/ yHk(15)/
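Added example (Python, not code from the book): a small CIL decoder covering the one-byte opcodes listed in this chapter, used to confirm that the byte sequence searched for in the hex editor really decodes to the three .ctor instructions shown in figure (13) plus the following call, rather than being a coincidental byte match. The OPCODES table and CTOR_BYTES are constructed from values on this page; table names follow ECMA-335.

```python
# Added example (not the book's code): decode a raw CIL byte string into the
# mnemonics listed in this chapter, so a hex-editor hit can be verified.
from dataclasses import dataclass

# One-byte CIL opcodes used in this chapter and their operand kinds:
#   "none"  - no operand
#   "int8"  - 1-byte signed branch offset, relative to the next instruction
#   "token" - 4-byte little-endian metadata token
OPCODES = {
    0x00: ("nop", "none"),
    0x02: ("ldarg.0", "none"),
    0x16: ("ldc.i4.0", "none"),
    0x17: ("ldc.i4.1", "none"),
    0x26: ("pop", "none"),
    0x28: ("call", "token"),
    0x2A: ("ret", "none"),
    0x2C: ("brfalse.s", "int8"),
    0x2D: ("brtrue.s", "int8"),
    0x72: ("ldstr", "token"),
    0x73: ("newobj", "token"),
    0x7D: ("stfld", "token"),
}

# Metadata table ids (ECMA-335) for the token kinds that appear here.
TABLE_NAMES = {0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef", 0x70: "UserString"}


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operand: str


def decode_token(token: int) -> str:
    table = TABLE_NAMES.get(token >> 24, f"table 0x{token >> 24:02X}")
    return f"0x{token:08X} ({table} row {token & 0x00FFFFFF})"


def disassemble(code: bytes) -> list[Insn]:
    """Linear decode; raises on an opcode outside the table or a truncated operand."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            raise ValueError(f"opcode 0x{op:02X} at IL_{i:04X} is not in the table")
        mnemonic, kind = OPCODES[op]
        start, i = i, i + 1
        if kind == "none":
            operand = ""
        elif kind == "int8":
            if i + 1 > len(code):
                raise ValueError(f"truncated operand for {mnemonic} at IL_{start:04X}")
            rel = int.from_bytes(code[i:i + 1], "little", signed=True)
            i += 1
            operand = f"IL_{i + rel:04X}"  # branch target is relative to next insn
        else:  # token
            if i + 4 > len(code):
                raise ValueError(f"truncated operand for {mnemonic} at IL_{start:04X}")
            operand = decode_token(int.from_bytes(code[i:i + 4], "little"))
            i += 4
        out.append(Insn(start, mnemonic, operand))
    return out


def listing(code: bytes) -> list[str]:
    """Render in the IL_xxxx: form that Ildasm and Reflector use."""
    return [f"IL_{x.offset:04X}: {x.mnemonic} {x.operand}".rstrip() for x in disassemble(code)]


# Constructed from the byte sequence quoted in the text (the search string of figure (15)).
CTOR_BYTES = bytes.fromhex("02 16 7D 06 00 00 04 02 28 0E 00 00 0A")

if __name__ == "__main__":
    for line in listing(CTOR_BYTES):
        print(line)
```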
yHk(15)
oifhtaeeJY BudKufwJh hex editor wpfckckudk toHk;jyKEdkifygw,f/ tckuRefawmftoHk;jyKxm;wmuawmh
WinHex 15.2 yg/ yHk(15)twdkif; ½dkufxnhfNyD;&Smvdkuf&if yHk(16)twdkif;jrif&ygr,f/
yHk(16)
yHk(16)t&qdk&ifawmh .ctor() &S&d m&JU offset tp[m 0x105C jzpfygw,f/ ydNk yD;aocsmapcsif&ifawmh
CFF explorer rSmMunfhEdkifygw,f/ yHk(16)u 16 ae&mrSm 17 vdkYjyifvdkufNyD; zdkifudkodrf;vdkufyg/ odrf;vdkufwJh
zkdifudk jyefzGifhMunhfvdkuf&ifawmh yHk(17)twdkif;awGU&rSmyg/
yHk(17)
'gqdk&ifawmh uRefawmfwYkd register vkyfwm atmifjrifoGm;ygNyD/ CheckReg() function udk b,fu
aeac:oHk;ovJqdkwm odcsif&ifawmh Reflector &JU CheckReg() function rSm right-click ESyd Nf yD; Callee
Graph (Ctrl+E) udka½G;NyD; MunfhvdkY&ygw,f/ yHk(18)/
yHk(18)
Patch vkyfNyD; odrf;vdkufwJhzdkif&JU .ctor() udk Reflector rSmMunfhvdkuf&ifawmh yHk(19)twdkif;jrif&yg
w,f/
yHk(19)
(10) NsPack jzifh pack vkyfxm;aom .net zdkiftm; unpack vkyfjcif;
yHkrSeftm;jzifhawmh omref pack vkyfxm;wJh 32-bit PE zdkifawGrSmyJ unpack vkyfzdkY Olly udktoHk;jyKMu
wmjzpfygw,f/ 'DtcgrSmawmh .net zdkifawGudk Olly toHk;jyKNyD; unpack vkyfjyrSmjzpfygw,f/ Unpack vkyfzdkY
yHk(20)
PEiD eJYppfaq;Munhfvdkuf&ifawmh yHk(21)twdkif;awGU&ygw,f/
yHk(21)
aumif;NyD? y½dk*&rfudk Olly rSmzGifhvdkufyg/ yHk(22)/
yHk(22)
yHk(22)rSmjrif&wJhtwdkif; exe zdkif[m OEP rSm&yfwefUjcif;r&Sdovdk y½dk*&rf[m tvdktavsmuf run
aeygw,f/ uRefawmfwdkY bmvkyfoifhygovJ/ uRefawmfhtaeeJY tBuHjyKvdkwmuawmh unpack vkyfxm;wJhuk'f
awGudk rSwfOmPfxJrSm&SmzdkYyg/ 'gaMumifh owfrSwfxm;wJh string wpfckudk y½dk*&rf&JU resource xJrmS &Sm
Munfyh g/
&SmoifhwJh trnfawGuawmh button trnf? window caption eJY messagebox wdkYeJYqdkifwJh tcsuf
awGjzpfygw,f/ 'Dae&mrSm uRefawmfwdkY&SmMunfhrSmuawmh yHk(20)rSmjrif&wJh button1 yg/ Resource awGudk
exe/DLL zdi k fawGxJrmS unicode toGifeJY odrf;MuwmjzpfwJhtwGuf Alt+M udkESdyfNyD; button1 qdkwJhpmom;udk
unicode taeeJY &SmMunfhMu&atmif/ yHk(23)/
yHk(23)
yHk(23)twdkif;½dkufxnfhNyD;&Smvdkuf&if yHk(24)twdkif; awGU&ygr,f/
yHk(24)
yHk(24)udk Text Unicode (64 chars) eJYMunfhvdkuf&ifawmh yHk(25)twdkif;awGU&rSmyg/
yHk(25)
'Dae&mrSmajymvdkwmuawmh yHk(24?25)rSmjrifae&wJh virtual address awG[m oifuGefysLwmrSmjrif&wJh
*Pef;awGeYJ wlrmS r[kwfygbl;/ aemufNyD; ckuRefawmfwdkYa&muf&SdaewJhae&m[m resource section xJrSmr[kwf
ygbl;/ 'gaMumifhrdkY Alt+M ESdyfNyD; Ctrl+L eJY xyf&SmMunfhygr,f/ yHk(26)/
yHk(26)
yHk(27)
yHk(27)twdkif;qdk&ifawmh uRefawmfwdkY resource section xJajccsrdNyDqkdwm aocsmygw,f/
yHk(28)
aumif;NyD? yHk(27)udk HEX view taeeJYjyefMunfhNyD; tay:udk scroll enf;enf;qGJNyD;Munfhvdkuf&if
awmh yHk(28)rSm jrif&wJhtwdkif; PE header &Sd&mudk awGU&rSmyg/
yHk(29)
yH(k 28)u MZ &S&d m virtual address (00CD0000) udkrSwfom;NyD; LordPE u Dump Region
udka½G;cs,fNyD; Dump button udka½G;cs,fyg/ 'gqdk unpack vkyfwmatmifjrifomG ;NyDjzpfygw,f/ Dump
vkyxf m;wJh Region00CD0000-00CD2000.exe zdkifudk PEiD eJYppfMunfh&ifawmh Microsoft .net bmom
pum;eJYa&;om;xm;aMumif;jyrSmyg/
yHk(30)
yHk(30)rSmjrif&wJhtwdkif; user name eJY serial udk½dkufxnfhNyD; Check button udkESdyfvdkufcsdefrSmawmh
yHk(31)twdkif; jrif&ygw,f/
yHk(31)
'Davmufqkd uRefawmfwYkd odcsifwmawG od&NyDrdkY Crackme1.exe udk .NET reflector rSmzGifhMunfhyg
r,f/ yHk(32)/
yHk(32)
btnCheck_Click udk a½G;vdkufwJhtcgrSmawmh yHk(32)twdkif; jrif&wmjzpfygw,f/
'Doifcef;pmrSm uRefawmfwYkd pdw0f ifpm;wmu serial routine r[kwfygbl;/ aemufqHk;xkwfay;vdkufwJh
serial [m bmvJqdkwmudkom odcsifwmyg/ .NET reflector [m .net uk'fawGudk Munfh½I&mrSm taumif;qHk;
tool jzpfayr,fhvJ uk'fawGudkwnf;jzwfjcif;? debug vkyfjcif;wdkY jyKvkyfay;Edkifjcif; r&Sdygbl;/ 'gaMumifh Myo
Myint Htike qdkwJh user name eJYoufqdkifwJh serial udk&SmEdkifzdkY PEBrowse Professional Interactive 9.0
udktoHk;jyKMuygr,f/ 'D tool udk toHk;rjyKcifrSm setting awGu atmufygtwdkif; jzpf&ygr,f/ yHk(33^34)/
yHk(33)
yHk(34)
yHk(33^34)twdkif; setting awGudk jyifNyD;&ifawmh Ctrl+S udkESdyfNyD; debug vkyfzdkYpwifyg/ yHk(35)/
yHk(35)
yHk(35)&JU b,fzuftjcrf;rSm teDa&mifjzpfaewmu tvkyfvkyfaewmudk jywmyg/ uRefawmfwdkYtaeeJY
y½dk*&rfuk'fwpfaMumif;csif;pDukd ppfaerSm r[kwfygbl;/ uk'fawGudk ppfaq;wJh shortcut key awGuawmh Olly
eJYwlrSmr[kwfygbl;/ PEBrowse &JU key awGuawmh Run(F5)? Step over(F10)? Step into(F11) toD;oD;
jzpfygw,f/ aumif;NyD? uRefawmfwdYk ppfaq;csifwhJae&mudk tjrefa&mufzkdY breakpoint owfrSwMf u&atmif/
yHk(35)u .NET Methods udkESdyfNyD; btnCheck_Click udka½G;vdkufyg/ yHk(36)/
yHk(36)
yHk(36)uawmh serial routine udk IL bmompum;taeeJY jrif&wmyg/ IL_00B3 ae&mrSm F9 ESdyfNyD;
breakpoint owfrSwfygr,f/ 'gqd& k ifawmh uRefawmfwkdY breakpoint owfrSwfxm;wJhae&mudk yHk(37)twdkif;
jrif&rSmjzpfygw,f/
yHk(37)
Breakpoint owfrSwfNyD;oGm;&ifawmh F5 udkESdyfNyD; y½dk*&rfudk run yg/
yHk(38)
y½dk*&rfudk run wJhtcg yHk(38)twdkif; wpfckay:vmygvdrfhr,f/ F5 udkxyfESdyfyg/ 'gqdk yHk(39)twdkif;
y½dk*&rfwufvmygvdrfrh ,f/
yHk(39)
yHk(39)twdkif;jrif&wJhtcgrSm user name eJY serial udk½dkufxnfhNyD; check button udka½G;ay;yg/ yHk(40)
yHk(40)
yHk(40)rSm jrif&wmuawmh uRefawmfwdkY breakpoint owfrSwfxm;wJhae&mudk a&mufaewmyg/ > u
vuf&Sd assemble vkyfr,fhae&mudk jyoygw,f/
yHk(41)
yHk(41)uawmh register window jzpfygw,f/ Disassembly window rSm F10 udkESdyfNyD; uk'fawGudk
wpfaMumif;csif;ppfwJhtcgrSmawmh register window rSm bmawGajymif;vJoGm;w,fqdkwmudk owdxm;NyD;apmifh
Munfh&ygr,f/ yHk(42)twdkif; VA 0x40E89B0 xda&mufwJhtxd F10 udkESdyfvmcJhyg/
yHk(42)
yHk(42)rSm floating-point wefzdk;ESpfckudk EIdif;,SOfwm awGU&ygw,f/ Floating-point eJYywfoufwJh
mnemonics awGudkMunfhMu&atmif/
FILD load integer
FSTP store floating-point value and pop
FLD load floating-point value
FCOMIP compare floating-point, set %e flags, and pop
FSTP store floating-point value and pop
JPE uawmh Jump if Parity even jzpfNyD; flag (PF) wefz;kd 1 jzpf&if jump jzpfrSmjzpfygw,f/
JNZ uawmh Jump if Not Zero jzpfNyD; flag (ZF) wefzdk; 0 jzpf&if jump jzpfrSmjzpfygw,f/
yHk(43)
FCOMIP u floating-point wefz;kd ESpc f kukdEIdi;f ,SOfNyD; parity flag udkowfrSwfygw,f/ olEdIif;,SOf
wJh wefzdk;ESpfckuawmh 4458204637983 eJY 4101979 wdkYjzpfygw,f/ 'Dwefzdk;ESpfckudk EdIif;,SOfwJhtcgrSm rnD
wJhtwGuf parity flag wefzdk;udk oknvdkYowfrSwfygw,f/ Parity flag wefzdk; [m 0 vm;? 1 vm;odcsif&if
awmh register window rSm right-click ESdyfNyD; EFLAGS udka½G;&ygr,f/ yHk(44)/
yHk(44)
yHk(44)uawmh FCOMIP instruction udk vkyfaqmifNyD;csdejf zpfygw,f/ Parity flag [m 0
jzpfaeygw,f/ FSTP instruction udkokH;NyD; 4101979 wefzdk;udk odrf;ygw,f/ Parity flag [m 0 jzpfwJh
twGuf JPE 0x40E89C6 [m VA 0x40E89C6 qD jump rjzpfEkdifawmhygbl;/ JNZ 0x40E89C6 uawmh
1 rjzpfwJhtwGuf VA 0x40E89C6 qD VA 0x40E89C6 vkyfrSmjzpfygw,f/ yHk(45)/
yHk(45)
'gaMumifhvJ F5 ESdyfvdkufwJhtcsdefrSm uRefawmfwdkYrjrifcsifwJh BadBoy message udkjrif&wmyg/
yHk(46)/
yHk(46)
Myo Myint Htike qdkwJh user name twGuf serial textbox rSm uRefawmfwdkY½dkufxnfhvdkufwJh
4101979 udk Crackme1.exe u wGufcsufvdkY&vmwJh 4458204637983 wefzdk;eJY EdIif;,SOfwmjzpfygw,f/
'gaMumifh Myo Myint Htike qdkwJh user name twGuf serial textbox rSm uRefawmfwdkY trSefwu,f
½dkufxnfh&r,fh *Pef;[m ... ☻☻☻
aumif;NyD/ PEBrowse udkydwfvdkufyg/ Crackme1.exe udkoD;oefUzGifhNyD; yHk(47)twdkif; register
vkyfMunfhygr,f/
yHk(47)
'gqdk&ifawmh yHk(48)twdkif; jrif&rSmjzpfygw,f/
yHk(48)
.net y½dk*&rfawGrSm serial &Sm&wm t&rf;vG,fvGef;w,fvdkY xifrdygovm;/ ☻☻☻
'gqdk&ifawmh oifxifwm rSm;oGm;NyDjzpfygw,f/ bmaMumifhvJqdkwm &Sif;&Sif;vif;vif; od&atmifvdkY
y½dk*&rfwpfyk'fudk erlemjyygr,f/ yHk(49)/
yHk(49)
'Dy½dk*&rfudk b,fvkda&;xm;ovJqdkwm odEdkifatmifvdkY .NET reflector rSmppfMunfhygr,f/ yHk(50)/
yHk(50)
yHk(50)u udkESdyfvkduf&ifawmh yHk(51)twdkif; jrif&ygw,f/
public Registration()
{
    this.components = null;
    this.InitializeComponent();
    this.pictureReg.Image = Image.FromFile("Picture/nag_close.png");
    StringBuilder volumeName = new StringBuilder(0x100);
    StringBuilder fs = new StringBuilder(0x100);
    bool flag = false;
    Environment.GetLogicalDrives();
    flag = GetVolumeInformation("c:", volumeName, (uint) (volumeName.Capacity - 1), out this.serialNum, out this.serialNumLength, out this.flags, fs, (uint) (fs.Capacity - 1));
    for (int i = 0; i <= 13; i++)
    {
        this.serialNum = (((((2 * this.serialNum) / 7) - (12 * this.serialNum)) + (11 * this.serialNum)) - 0x239875) ^ this.serialNum;
    }
    this.textcode.Text = this.serialNum.ToString();
}
yHk(51)
yHk(51)uawmh registration dialog udka½G;vdkufcsdefrSm y½dk*&rfu initialize vkyfwmjzpfygw,f/
udkESdyfvkduf&ifawmh yHk(52)twdki;f jrif&ygw,f/
yHk(52)
yHk(51)uuk'fawGuawmh yHk(50)rSmjrif&wJh twGufjzpfygw,f/
wu,fawmh Windows Repair 1.0 y½d*k &rf[m uRefawmfwkdY harddisk u C: drive &JU serial number
udkzwfNyD; XOR vkyfygw,f/ XOR vkyfxm;wJhwefzdk;uawmh 3538139584 jzpfygw,f/ NyD;awmh uRefawmf
½dkufxnhfvdkufwJh 4101979 udk XOR vkyfNyD;&vmwJhwefzdk;wpfckeJY EdIi;f ,SOfwmjzpfygw,f/ wu,fvdkY serial
number [m rSefuefcJhr,fqdk&if reg.key zdkifrSm ½dkufxnfhvdkufwJh serial number udkodrf;rSmjzpfNyD; GoodBoy
message udk jyrSmjzpfygw,f/ uRefawmfhtaeeJY PEBrowse eJY serial-fishing vkyf&mrSm 3538139584
uk'ftwGuf HEX wefzdk; EAEF9EBE &vmygw,f/ 'Dwefzdk;udk decimal wefzdk;ajymif;NyD; registration
dialog rSm½dkufxnhfvdkufwJhtcgrSmawmh y½dk*&rfu serial rSm;aeygw,fvYkd ajymygw,f/ (wu,fawmh
uRefawmfwdkYudk jyowJh 3538139584 [m *Pef;r[kwfbJ pmom;awGjzpfaeygw,f/ PEBrowse [m
pmom;awGudk udkifwG,fEdkifjcif;r&Sdygbl;/ 'gaMumifh uRefawmfwdkY ½dkufxnhfwJh*Pef;wdkif;[m rSm;aewmjzpfyg
w,f/)
'gaMumifh 'DvdkjyóemrsdK; BuHKawGUcJhr,fqdk&ifawmh PEBrowse eJY serial &Smr,fhtpm; Visual
Studio.net eJY y½dk*&rfjyefa&;&rSm jzpfygw,f/ y½dk*&rfudk oD;oefUa&;p&mrvdkygbl;/ string strB = Convert.
ToString(num2); ae&matmufem;rSm this.textcode.Text = strB; vdkY jyifa&;vdkuf½HkygyJ/
ed*Hk;csKyftaeeJY ajymvdkwmuawmh tck serial &SmjycJhwm[m tvGef½dk;&Sif;vSwJh serial routine awGeJY
yg/ oifhtaeeJY a&mif;wef;0ifaqmhzf0JvfawGudk crack vkyfr,fqdk&ifawmh 'Dxuf tqaygif;&meJYcsDNyD; cufcJ
vSwJh serial routine awGeJY awGU&rSmjzpfygaMumif; ...
yHk(53)
wu,fawmh 'Dy½dk*&rfrmS xl;xl;axGaxG crack vkypf &mbmrSr&Sdygbl;/ 'gaMumifh useless qdkwJh
pmom;tpm; patched vdkYajymif;MunfhMu&atmif/ 'gudkawmh WinHex toHk;jyKNyD; jyifvdkY&ygw,f/ yHk(54)/
yHk(54)
yHk(55)
y½dk*&rfu SN udkppfwmaMumifh uk'fudkenf;enf;av;jyifvdkufwmeJY 'Dvdk error wufvmwmjzpfyg
w,f/ 'gaMumifh SN &SdwJhzdkifeJY SN r&SdwJhzdkif bmawGuGmvJqdkwm enf;enf;av;MunfhvdkufMu&atmif/ No
StrongName.exe zdkifeJY StrongName.exe zdkifwdkYudk CFF explorer rSm zGifhMunfhygr,f/ yHk(56?57)/
yHk(58)
'gaMumifh 'Dwefzdk;awGudk&SmNyD; patch vkyf&rSmjzpfygw,f/
MetaData Streams &JU Tables directory udk MunfhMu&atmif/ yHk(59)/
yHk(59)
Tables directory atmufu Assembly udkMunfhvdkuf&ifawmh yHk(60?61)twdkif; jrif&ygr,f/
yHk(62)
yHk(63)
yHk(63)&JU nmzufrSm&SdwJh Animate! button udkESdyfvdkuf&ifawmh b,fzufu task pane [maysmufomG ;
rSmjzpfygw,f/ aumif;NyD? uRefawmfwdkYtaeeJY 'gawGudk jyifzdkYvkdygr,f/ 'gayr,fh SN udk yxrqHk;z,f&Sm;&yg
r,f/ Navsight.dll zdkifxJu RSA1 qdkwJhpmom;udk WinHex rSm&SmNyD; olUrwdkifcifrmS &SdwJh 21ckajrmufeYJ
22ckajrmuf pmvHk;awG(80 0A)udk 00 00 vdkYajymif;vdkufyg/ yHk(64)/ (SN udkz,f&Sm;wJh 'Denf;uawmh
UnREalRCE {Persian Crackers} u Newbie_Cracker &JUenf;jzpfygw,f/)
yHk(64)
yHk(64)u Navsight.dll zdkifudk 80 0A tpm; 00 00 vdkYajymif;NyD; zdkifudkodrf;vdkufyg/ 'Dhaemuf
demo.exe zdkifudkzGifhMunfhwJhtcgrSmawmh yHk(65)twdkif; error wufaewm awGU&ygw,f/
yHk(65)
yHk(66)
yHk(66)u Navisight udkMunfhr,fqdk&ifawmh yHk(67)twdkif;jrif&ygr,f/
yHk(67)
'guawmh uRefawmfwdkY vdkcsifwJhtcsufyg/ PublicKeyOrToken udkMunfhyg/ oifhtaeeJY exe zdkif
wpfcktjzpf compile vkyfpOfrmS .NET compiler u module toD;oD;&JU PublicKey udk olUtrnfawGvdkyJ
odrf;xm;ay;wmjzpfNyD; vkdcsifwJh module &JU PublicKey udk&SmNyD;ppfaq;&mrSm reference wpfcktaeeJY
PublicKeyOrToken udktoHk;jyKwmyg/ 'gaMumifh 'Dae&mrSm 0 vdkYajymif;vdkuf&if yHk(65)u error message
ay:vmawmhrSm r[kwfygbl;/ Demo.exe zdkif&JU Offset 0x26324 ae&mrSm 0 vdkYjyifNyD; zdkifudk odrf;vdkufyg/
Demo.exe zdkif aumif;aumif; tvkyfvkyfwmawGU&rSmyg/
'gqdk Navsight.dll zdkifudk patch vkyfvdkY&NyDjzpfygw,f/ Navsight.dll zdkifudk IDA Pro eJY Reflector
wdkYrSmzGifhNyD; evaluation period udk&mS yg/
.method public static hidebysig bool '() // CODE XREF: sub_2840+72_p
// sub_33A0+77_p ...
{
.locals init (bool V0,
class System.String V1,
class System.String V2,
class System.String[] V3)
call bool '::'()
stloc.0
ldloc.0
brfalse.s loc_3272
call class [mscorlib]System.Reflection.Assembly
[mscorlib]System.Reflection.Assembly::GetExecutingAssembly()
callvirt class [mscorlib]System.Reflection.AssemblyName
[mscorlib]System.Reflection.Assembly::GetName()
callvirt class System.String [mscorlib]System.Reflection.AssemblyName::get_Name()
stloc.1
ldc.i4.5
newarr [mscorlib]System.String
stloc.3
ldloc.3
ldc.i4.0
ldstr "Your evaluation period for "
stelem.ref
ldloc.3
ldc.i4.1
ldloc.1
stelem.ref
ldloc.3
ldc.i4.2
ldstr " has expired. Product functionality will be limited."
Figure (68) As opened in IDA Pro
Looking at Figure (68), brfalse follows the call to the function. Before doing anything, look for the function names. Because the function names are obfuscated, they cannot be found. Could you recompile this DLL? After a long search in Reflector as well, we find what Figure (69) shows.
Figure (69)
Looking at Figure (69), again the functions are obfuscated. In fact the flag value must be 0. So where is the function that returns the flag value 0?
Go to IDA Pro in Figure (68) and click on call bool '::'(). You will see somewhat complicated code. We can change the function's return value to FALSE. But first scroll down a little to see whether any potentially dangerous code is present.
Figure (70)
Let's look at this in Reflector. Figure (71).
Figure (71)
The DLL checks whether the NETFramework key exists in the registry; if it does, it reads the date and time Demo.exe was first opened, computes the current date and time and compares the two. If the current time is more than 30 days past the first-opened time, the return value is TRUE; otherwise it is FALSE. So only once there is no more potentially dangerous code or functions can we patch the return value to 0.
To patch, go to offset 0x4784, where the function starts, change it to 16 2A and save the file. To see why this is the change, look back at Figure (68).
IDA View                                          opcode (CFF Explorer)   Instruction (CFF Explorer)
call class [mscorlib]System.Reflection.Assembly   28 E7 00 00 0A          call 0x0A0000E7
callvirt class [mscorlib]System.Reflection        6F E8 00 00 0A          callvirt 0x0A0000E8
Figure (72)
Figure (72) is what IDA Pro and CFF Explorer show before offset 0x4784 is patched to 16 2A.
IDA View     opcode (CFF Explorer)   Instruction (CFF Explorer)
ldc.i4.0     16                      ldc.i4.0
ret          2A                      ret
Figure (73)
Figure (73) is what IDA Pro and CFF Explorer show after offset 0x4784 is patched to 16 2A. ldc.i4.0 pushes an int32 value of zero onto the stack. In other words, without running the checks in the calls, the function returns the value 0.
When the patched program is reopened, the expiration dialog is gone.
(13) Injecting and modifying code inside a .NET program
This time I will explain a method that removes unneeded code from a program and turns it into the Full Version. I will also explain how to insert some new code of your own. The target chosen for this lesson is the iScore2010 program by Black Freelance Group. To use the program you need .NET Framework 2.0 and SQL Server.
Alright. Open the iScore2010 program. When you open it, all you see is notepad.exe starting, as in Figure (74).
Figure (74)
This is because iScore2010 looks for a key.bin file and, if it is not found, is written to open Notepad. Even when key.bin exists, if the correct registration code is not stored in the file, the program raises an error and closes. So we now have to investigate where in the program these problems occur.
To trace this we use WinAPIOverride 6.4.1. WinAPIOverride is quite a good tool for tracing how .NET programs work. Sometimes it can even display the serial the program computes.
Open WinAPIOverride. Figure (75).
Figure (75)
Figure (76)
As Figure (76) shows, iScore2010 appears to hit the error while executing the Main() method of the Program class. To study this Main() method in detail, we open iScore in Reflector.
[STAThread]
private static void Main()
{
int num;
string info = GetInfo("Win32_DiskDrive", "SerialNumber");
string str2 = GetInfo("Win32_NetworkAdapter", "MACAddress");
StringBuilder builder = new StringBuilder();
builder.Append(info);
BigInteger hash = GetHash(builder.ToString(), 0x40);
string[] strArray = str2.Split(new char[] { ':' });
StringBuilder builder2 = new StringBuilder();
StringBuilder builder3 = new StringBuilder();
StringBuilder builder4 = new StringBuilder();
for (num = 0; num < strArray.Length; num++)
{
if ((num % 2) == 0)
{
builder3.Append(strArray[num]);
}
else
{
builder4.Append(strArray[num]);
}
}
builder2.Append(builder3);
builder2.Append(builder4);
BigInteger integer2 = GetHash(builder2.ToString(), 0x40);
string str3 = hash.ToHexString();
string str4 = integer2.ToHexString();
int num2 = str3.Length + str4.Length;
StringBuilder builder5 = new StringBuilder();
int startIndex = 0;
int num4 = 0;
Figure (77)
Looking at Figure (77), I think you roughly understand what I have explained. Roughly speaking, it first looks for the key.bin file. If key.bin is found, the text hidden in the file is decrypted with the hard disk's serial number, and the resulting string (str10) is compared with a string (str7) made by converting an MD5 hash value from a BigInteger. If the two strings match, the program continues; if they do not match, or if key.bin is not found, it just launches notepad.exe.
Look at Figure (77) again. Only if str7 and str10 are equal does the program run a Login form. So what matters to us are only the EnableVisualStyles(), SetCompatibleTextRenderingDefault() and Run() methods. The rest is unneeded code. Let's modify the program so it runs without checking registration.
Open iScore2010 in Reflector. Figure (78).
Figure (78)
Figure (79)
After loading Reflexil as in Figure (79), go back to the Main() method of Figure (78). Then choose the Reflexil v2.0 submenu from the Tools menu. You will see Figure (80).
Figure (80)
Figure (81)
Right-click on the IL code and choose Replace all with code… as shown in Figure (81). Before choosing it, copy the three lines of code shown in Figure (82).
Figure (82)
Then let's edit as shown in Figure (83).
Figure (83)
After editing as in Figure (83) and compiling, the IL code seen in Figures (80, 81) changes to what Figure (84) shows.
Figure (84)
Now save the code we have modified as shown in Figure (86): right-click on iScore and choose Save as… from the Reflexil v2.0 menu.
When you open the saved file, Notepad.exe no longer starts and you go straight to the Login form. Enter the correct user name and password and the program can be used.
Figure (85)
Figure (86)
(14) Writing a keygen for a .NET program
Patching programs and capturing serials from programs only works once. Even when the program's minor version changes, you have to patch again. And if you captured a serial, and that serial depends on a hardware ID, it will not work on every computer. Writing a keygen lets the user keep using it until the program's major version changes, and once written it can be used easily any number of times.
Writing a keygen for .NET is unlike other programming languages: it is very easy. Whether the original program was written in VB.NET or C#, we can rewrite it in whichever .NET language we prefer.
The program chosen for this lesson is CrackMe#10 by tKC of REteam. When you open CrackMe#10 you see Figure (87).
Figure (87)
Open CrackMe#10 in Reflector. You will see Figure (88).
Figure (88)
What Figure (88) shows is that the methods and variables are obfuscated. Writing a keygen in this state would be quite hard. So we need to deobfuscate the obfuscated code.
Right-click on CrackME (1.0.0.0) and choose Obfuscator search … from the Reflexil v2.0 menu. You will then see Figure (89).
Figure (89)
As Figure (89) shows, our CrackMe#10 file was obfuscated with SmartAssembly. Click the OK button and clean it, and you get the deobfuscated CrackME#10.Cleaned.exe. Open the deobfuscated file in Reflector. (Before opening it, right-click on the previously opened CrackME (1.0.0.0) and choose Close Assembly.)
Figure (90)
Now what Figure (90) shows no longer looks like Figure (88). The method names Reflexil produces when deobfuscating are easier to read than the obfuscated ones, but they will not be identical to the original method names. Clicking the Form_Main method of the ns7 class in Figure (90) shows Figure (91).
public sealed class Form_Main : Form
{
public Form_Main()
{
base.Load += new EventHandler(this.Form_Main_Load);
base.Closing += new CancelEventHandler(this.Form_Main_Closing);
this.InitializeComponent();
}
Figure (92)
4.1/ byte[] bytes = Encoding.Default.GetBytes(this.Text_name.Text);
The user name we typed in is stored as a byte array, as follows:
bytes[0x0C] = {0x72, 0x68, 0x79, 0x74, 0x68, 0x6D, 0x20, 0x28, 0x4D, 0x43, 0x54, 0x29}; // the bytes of "rhythm (MCT)"
4.2/ string[] strArray = new string[(bytes.Length - 1) + 1];
A string array, strArray, is declared and initialized. So strArray gets 12 (0x0C) elements.
4.3/ int num4 = bytes.Length - 1;
The value of num4 is 11 (0x0B).
4.4/ for (int i = 0; i <= num4; i++) // num4 = 11
{
// num is an int declared before the loop and starting at 0; the decompiler output showed the declaration here, which would reset it every iteration
num += bytes[i]; // num = num + bytes[i]
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
}
Using a for loop, each value in the bytes[] array is added to the value held in the num variable, and the result is converted to a string and stored in strArray. The for loop runs 12 times, but to keep this short I will only explain what changes after the first and the last iterations.
First iteration
for (int i = 0; i <= 11; i++)
{
num += bytes[i]; // num = 0 + bytes[0] = 0 + 0x72 = 0x72 (hex) = 114 (decimal)
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
// strArray[0] = 0x72 + 0x72 = 0xE4 (hex) = 228 (decimal), stored as a string
}
Last iteration
for (int i = 11; i <= 11; i++)
{
num += bytes[i]; // num = 0x3C8 + bytes[11] = 0x3C8 + 0x29 = 0x3F1 (hex) = 1009 (decimal)
strArray[i] = Conversions.ToString((int) (bytes[i] + num));
// strArray[11] = 0x29 + 0x3F1 = 0x41A (hex) = 1050 (decimal), stored as a string
}
4.5/ int num5 = strArray.Length - 1;
The value of num5 is 11 (0x0B).
4.6/ for (int j = 0; j <= num5; j++) // num5 = 11
{
str = str + strArray[j];
}
Using a for loop, the values in the strArray[] array are appended to the value in str. The for loop runs 12 times, but to keep this short, the first and the last iterations
… is reached. This value is hashed with the SHA hash algorithm. The resulting hash value is:
Hash[]={0xA0, 0x01, 0x84, 0xD9, 0x3A, 0xC5, 0x95, 0x20, 0xC1, 0x86, 0x83, 0x67,
0x1C, 0xC6, 0xF8, 0x00, 0x79, 0x51, 0x22, 0x45, 0xCB, 0x31, 0xAA, 0x72,
0x30, 0x10, 0x3C, 0x9E, 0xDA, 0x11, 0xA9, 0x28, 0x98, 0xC0, 0xF3, 0xD5,
0xD8, 0xA9, 0x6C, 0xA5, 0xAD, 0x82, 0xE9, 0xF9, 0x29, 0x0C, 0xA7, 0xEA,
0xD5, 0xDA, 0xD4, 0xA6, 0xB2, 0x89, 0xF0, 0xE6, 0xB1, 0x87, 0xCB, 0x0B,
0x1A, 0x08, 0x46, 0x82}
In fact steps (4.7, 4.8) are not needed, because they are the same as step (4.9.1).
4.10/ if (expression.Length != this.Text_Key.Text.Length)
It compares the number of characters in the text of the computed expression variable with the number of characters in the key we typed in. If they differ, "Invalid Key !, Try again" is shown.
expression = "oAGE2TrFlSDBhoNnHMb4AHlRIkXLMapyMBA8ntoRqSiYwPPV2Klspa2C6fkpDKfq1drUprKJ8Oaxh8sLGghGgg=="
The key we typed in = "AnyPassword"
The expression text has 88 characters, while the key we typed has only 11, so there is no way they can match.
4.11/ else if (Strings.Replace(expression, "A", "L", 1, -1, CompareMethod.Binary) != this.Text_Key.Text)
Wherever the letter A occurs in the computed expression text it is replaced with L, and the result is checked for equality with the key we typed. If they are not equal, "Invalid Key !, Try again" is shown.
expression = "oLGE2TrFlSDBhoNnHMb4LHlRIkXLMapyMBL8ntoRqSiYwPPV2Klspa2C6fkpDKfq1drUprKJ8Oaxh8sLGghGgg=="
4.12/ Interaction.MsgBox("Well Done... Now write the Keygen !!", MsgBoxStyle.Information, null);
If you have got past all the steps above, you are a good cracker. You can now start writing the keygen.
Before writing the keygen, there is one point I want to highlight. The first point is that we do not need the code seen in steps (4.7, 4.8). The programmer who set the challenge simply made a mistake and wrote in extra code.
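As an added example, not the book's keygen and not tKC's code, here is the check traced in steps 4.1 to 4.12 reimplemented in Python so the numbers above can be verified: the running-sum strings, SHA-512 of their concatenation and the A-to-L replacement. Two assumptions are labelled in the code: str starts empty (its initialisation is not on the page), and expression is the base64 encoding of the 64-byte digest, which the page's own data supports (the digest A0 01 84 D9 … encodes to "oAGE2TrF…" and 64 bytes give exactly 88 characters). The point for a defender is that a key derived only from the user name, with no secret the client lacks, can be regenerated by anyone who reads the binary.

```python
import base64
import hashlib

# Constructed sample input: the user name the walkthrough traces in step 4.1.
SAMPLE_NAME = "rhythm (MCT)"
INVALID_MSG = "Invalid Key !, Try again"
VALID_MSG = "Well Done... Now write the Keygen !!"


def running_sum_strings(name: str) -> list:
    """Steps 4.1-4.4: strArray[i] = str(bytes[i] + num), where num is the running
    sum of bytes[0..i] (the accumulator the decompiled loop calls num)."""
    data = name.encode("cp1252")  # Encoding.Default on a Western-locale Windows box (assumption)
    out = []
    num = 0
    for b in data:
        num += b
        out.append(str(b + num))
    return out


def derive_expression(name: str) -> str:
    """Steps 4.5-4.9: concatenate strArray into str (assumed to start empty), SHA-512
    the result and base64-encode the 64-byte digest into the 88-character expression
    (base64 is inferred from the hash/expression pair shown on the page)."""
    joined = "".join(running_sum_strings(name))
    digest = hashlib.sha512(joined.encode("cp1252")).digest()
    return base64.b64encode(digest).decode("ascii")


def expected_key(name: str) -> str:
    """The only key the crackme accepts for this name: expression with every 'A'
    replaced by 'L' (step 4.11, Strings.Replace with CompareMethod.Binary)."""
    return derive_expression(name).replace("A", "L")


def check_key(name: str, key: str) -> str:
    """Steps 4.10-4.12 in order: the length check first, then the replaced-string compare."""
    expression = derive_expression(name)
    if len(expression) != len(key):
        return INVALID_MSG
    if expression.replace("A", "L") != key:
        return INVALID_MSG
    return VALID_MSG


if __name__ == "__main__":
    values = running_sum_strings(SAMPLE_NAME)
    print("strArray[0] =", values[0], " strArray[11] =", values[11])  # 228 and 1050, as on the page
    print("len(expression) =", len(derive_expression(SAMPLE_NAME)))  # 88
    print(check_key(SAMPLE_NAME, "AnyPassword"))
    print(check_key(SAMPLE_NAME, expected_key(SAMPLE_NAME)))
```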
Alright, let's start writing the keygen. The source code of the keygen written in C# is included on the DVD. If you did not follow my explanation, you can open the keygen file on the disc.
You can write the keygen in whichever programming language you like, but I want to write it in C#, because the C# code produced by Reflector can be copied into Visual Studio and compiled easily. What I will be using is Visual
Figure (93)
Name the TextBox after Name: Text_Name. Name the TextBox after Key: Text_Key. Name the Generate button Generate. Then double-click the Generate button and edit Form1.cs as shown in Figure (94).
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Security.Cryptography;
namespace tKC_Keygen
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private byte[] SHA512(string text)
{
SHA512Managed managed = new SHA512Managed();
managed.ComputeHash(Encoding.Default.GetBytes(text));
return managed.Hash;
}
Figure (95)
Chapter (19) – Cracking Android applications - 408 -
Figure (1)
The bottom layer, the Linux Kernel layer, interfaces with the hardware components and also handles Android's security matters. The layer above the Linux Kernel layer holds useful libraries such as Surface Manager, Media Framework, SQLite, WebKit and OpenGL. These libraries are written in C and C++, and most of them are taken from Linux. The main difference between Android and Linux is that, instead of the libc library used by most of Linux's functionality, Android uses its own modified library called bionic. Android 4.0 and below are based on Linux kernel 2.6.x, and later releases are based on Linux kernel 3.x. Figure (2).
Android Version   Code Name            API Level   Linux Kernel
1.5               Cupcake              3           2.6.27
1.6               Donut                4           2.6.29
2.0/2.1           Éclair               5-7         2.6.29
2.2.x             Froyo                8           2.6.32
2.3.x             Gingerbread          9, 10       2.6.35
3.x.x             Honeycomb            11-13       2.6.36
4.0.x             Ice Cream Sandwich   14, 15      3.0.1
4.1.x             Jelly Bean           16          3.0.31
4.2.x             Jelly Bean           17          3.4.0
4.3               Jelly Bean           18          3.4.39
4.4               KitKat               19, 20      3.10
5.x               Lollipop             21, 22      3.16.1
6.0               Marshmallow          23          3.18.10
Figure (2)
On Android, applications run in a virtual environment called the Dalvik Virtual Machine (DVM). Starting with Android 4.4, another runtime environment, Android Runtime (ART), was introduced, and users can choose between DVM and ART. Apart from being register-based rather than stack-based, the Dalvik Virtual Machine's features are similar to the Java Virtual Machine (JVM). So each application runs in its own process under the Dalvik Virtual Machine, and if you run three different applications you will see three different processes. The Dalvik Virtual Machine executes files of the .dex (Dalvik EXecutable) type.
If you have an Android device or an Android emulator, you can connect the Android system to your computer with the adb utility that ships with the Android SDK. adb shell lets you run the commands and actions you want on the connected device and retrieve information from it. What Android shares with Linux is that the binaries you run as commands live under the /system/bin and /system/xbin folders. The data of applications downloaded and installed, whether from the Play Store or anywhere else, is placed under /data/data, and the original installation file, the .apk, is kept under /data/app.
What an APK is …
You will remember that before cracking Windows applications we studied the PE structure of .exe files in detail. On Android, the applications we crack are .apk files, so cracking will be easy only if we know .apk files inside out. Android Package (APK) is the file extension defined for Android applications, and it is an archive file bundling the files and folders the application needs. Rename any .apk file to .zip and extract it with software such as WinRAR. You will see Figure (3).
Figure (3)
(1) The AndroidManifest.xml file. It holds information about the application such as the minimum Android version needed to run the program, the package name, the list of activities and the permissions the application requires. Figure (4).
Figure (4)
(2) The classes.dex file. Android applications are compiled from Java; after compilation the original code becomes .class files. Then the dx tool that ships with the Android SDK converts the .class files into a classes.dex file containing Dalvik bytecode. Classes compiled into the .dex file format can be understood only by the Dalvik virtual machine.
(3) The META-INF folder. A folder used to store the application's signature. Developers have their own signing keys and sign their applications individually; only signed applications can be installed on devices. Under META-INF there are three files: CERT.RSA, CERT.SF and MANIFEST.MF. Signing is done with jarsigner, which ships with the JDK (Java Development Kit).
CERT.RSA: the application's certificate. This file contains the signature over cert.sf. Cert.rsa is a binary file; viewed with the keytool that ships with the JDK, it looks like Figure (5).
C:\Program Files\Java\jdk1.8.0\bin>keytool -printcert -file cert.rsa
Owner: CN=SKW
Issuer: CN=SKW
Serial number: 5135b05d
Valid from: Tue Mar 05 15:14:13 MMT 2013 until: Sat Feb 27 15:14:13 MMT 2038
Certificate fingerprints:
MD5: 50:62:74:1A:9E:A6:03:BA:2E:D4:1C:EC:68:A2:90:CF
SHA1: 99:8C:B9:F2:10:D4:BB:95:54:82:73:51:EC:AC:CC:A0:0C:43:FE:9D
SHA256: 25:26:BC:57:CA:6F:B5:72:EF:D0:E2:37:7A:A3:E6:72:91:8A:C2:A6:C0:
CC:E9:FC:AE:DE:89:46:26:E0:55:18
Signature algorithm name: SHA1withRSA
Version: 3
Figure (5)
CERT.SF: a list of the SHA-1 digests of the resources and of the corresponding lines in the MANIFEST.MF file. Figure (6).
Signature-Version: 1.0
Created-By: 6.1.14
SHA1-Digest-Manifest-Main-Attributes: /bBVP0g9zoHQO3en+J7s4EG8GQc=
SHA1-Digest-Manifest: ocu27qPLWdPaX0CQbcSwfK64qpk=
Name: manifest
SHA1-Digest: O7G9CwuzLuQVf29oMCsO9UlJV/k=
Name: AndroidManifest.xml
SHA1-Digest: Qg6UEnU2ue+uEr1qpVKoSjGAX10=
Figure (6)
MANIFEST.MF: the listing file. Manifest.mf also contains SHA1 digests, like cert.sf, but the SHA1 digests in cert.sf are computed by hashing the three lines (one blank line included) of the corresponding entry in Manifest.mf.
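As an added example, not code from the book or from any JDK tool, here is the digest chain just described built and checked in Python over a constructed two-file archive: MANIFEST.MF digests each file's bytes, CERT.SF digests the whole manifest and each entry's three manifest lines (blank line included), and a verifier reports what no longer matches. Line endings are assumed to be CRLF as jarsigner writes them, and the SHA1-Digest-Manifest-Main-Attributes line is left out.

```python
import base64
import hashlib

CRLF = "\r\n"


def _b64_sha1(data: bytes) -> str:
    """The SHA1-Digest encoding used in MANIFEST.MF and CERT.SF: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_sections(text: bytes):
    """Split a manifest-style file into its main section and its Name: sections.
    Each section keeps its exact bytes (Name line, digest line and the blank line that
    ends it), because that is what CERT.SF's per-entry digest is computed over."""
    main, entries = {}, {}
    for chunk in text.decode("utf-8").split(CRLF + CRLF):
        if not chunk:
            continue
        attrs = {}
        for line in chunk.split(CRLF):
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key] = value
        raw = (chunk + CRLF + CRLF).encode("utf-8")
        if "Name" in attrs:
            entries[attrs["Name"]] = (attrs, raw)
        else:
            main = attrs
    return main, entries


def build_manifest(files: dict) -> bytes:
    """MANIFEST.MF: one SHA1-Digest of each archive entry's content."""
    text = "Manifest-Version: 1.0" + CRLF + "Created-By: example" + CRLF + CRLF
    for name, content in files.items():
        text += "Name: " + name + CRLF + "SHA1-Digest: " + _b64_sha1(content) + CRLF + CRLF
    return text.encode("utf-8")


def build_signature_file(manifest: bytes) -> bytes:
    """CERT.SF: a digest of the whole MANIFEST.MF plus, per entry, a digest of that entry's
    three manifest lines (blank line included), as described in the text above."""
    text = "Signature-Version: 1.0" + CRLF + "SHA1-Digest-Manifest: " + _b64_sha1(manifest) + CRLF + CRLF
    for name, (_, raw) in parse_sections(manifest)[1].items():
        text += "Name: " + name + CRLF + "SHA1-Digest: " + _b64_sha1(raw) + CRLF + CRLF
    return text.encode("utf-8")


def verify_digests(files: dict, manifest: bytes, cert_sf: bytes) -> list:
    """Return the list of integrity problems (empty when the archive matches its META-INF).
    Only the digest chain is checked here; CERT.RSA's signature over CERT.SF is what ties
    the chain to a key, and whoever re-signs can rebuild both files with a key of their own."""
    problems = []
    sf_main, sf_entries = parse_sections(cert_sf)
    if sf_main.get("SHA1-Digest-Manifest") != _b64_sha1(manifest):
        problems.append("MANIFEST.MF: does not match SHA1-Digest-Manifest in CERT.SF")
    _, mf_entries = parse_sections(manifest)
    for name, (attrs, raw) in mf_entries.items():
        sf_entry = sf_entries.get(name)
        if sf_entry is None or sf_entry[0].get("SHA1-Digest") != _b64_sha1(raw):
            problems.append(name + ": manifest section not covered by CERT.SF")
        if attrs.get("SHA1-Digest") != _b64_sha1(files.get(name, b"")):
            problems.append(name + ": content does not match its MANIFEST.MF digest")
    for name in files:
        if name not in mf_entries:
            problems.append(name + ": not listed in MANIFEST.MF")
    return problems


# Constructed miniature archive contents (not a real app) to exercise the chain.
SAMPLE_FILES = {
    "AndroidManifest.xml": b'<manifest package="com.example.sample"/>',
    "classes.dex": b"dex\n035\x00" + b"\x00" * 24 + b"constructed dalvik bytecode",
}

if __name__ == "__main__":
    mf = build_manifest(SAMPLE_FILES)
    sf = build_signature_file(mf)
    print("untouched:", verify_digests(SAMPLE_FILES, mf, sf))
    patched = dict(SAMPLE_FILES, **{"classes.dex": b"patched bytecode"})
    print("patched classes.dex:", verify_digests(patched, mf, sf))
```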
(4) The res folder. Where the resources that are not compiled into resources.arsc are kept. It contains the .xml files used as layouts and menus.
(5) The resources.arsc file. A file of compressed resources.
(6) The assets folder. External resources used by the application (resources such as Myanmar font files), i.e. application assets that can be fetched through AssetManager.
(7) The lib folder. A folder holding compiled code specific to the processor's software layer. It may contain the following folders:
armeabi: ARM processors only.
armeabi-v7a: ARMv7 and later processors only.
arm64-v8a: ARMv8 arm64 and later processors only.
x86: x86 processors only.
x86_64: x86_64 processors only.
Figure (7)
Click Path in Figure (7) and edit the variable value as in Figure (8).
Figure (8)
To check whether Java was installed successfully, open a command prompt and type java -version. If it shows your Java version as 1.x.x, Java can now be called from anywhere.
Cracking in brief
1/ Take the APK file installed on the phone, or download it from Google Play Store, Verizon, Amazon and so on.
2/ Open the application and look for signs of protection, for example "Trial Version" or "This application is not licensed."
3/ Copy the application to the computer.
4/ Disassemble the code with Apktool and Baksmali. (Any other tools you prefer can also be used.)
5/ Open the smali-dumped files in a text editor such as Sublime Text and make whatever changes to the protection you want.
6/ Reassemble the code and update the APK. The smali tool only produces a new classes.dex file; you have to put that classes.dex into the APK yourself.
7/ Sign the modified APK file. This can be done with any tool you like. Every APK must be digitally signed with a private key; otherwise Android will not run it. Even an already-signed APK must be signed again if it is modified. So note that when a cracked (or modified) APK has to be installed, the old one must be uninstalled first.
8/ Zipalign the signed APK. Zipaligning reduces the APK's startup time and keeps RAM use to a minimum. Android Studio zipaligns the APK automatically when building, but a modified APK has to be zipaligned by hand. Zipalign must be done only after signing.
Preparing for the first crack
Figure (9)
Figure (10)
Looking at Figure (10), you will find the classes.dex file. It is the most important file when cracking Android applications: whether the code was written in Eclipse or in Android Studio, all of it lives in this classes.dex. If you view classes.dex in a hex editor, the first 8 bytes are the magic number, and you will also find a checksum and a SHA-1 signature. The DEX header, the method IDs and the string IDs are things you will need to know in detail when unpacking classes.dex files protected with DEX protectors.
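As an added example, not code from the book or from the Android tooling, here is a Python parser for the classes.dex header just mentioned: it reads the 8-byte magic, the Adler-32 checksum and the SHA-1 signature and verifies them against the file body, the way the runtime does before loading, over a constructed minimal .dex image. The field layout is the public dex format (the checksum covers everything after itself, the signature everything after itself); the sample image is not loadable bytecode, only enough to exercise the integrity fields.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"  # 8-byte magic: "dex\n" + version "035" + NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The twenty little-endian uint32 fields that follow the 20-byte signature (dex format spec).
TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_header(dex: bytes) -> dict:
    """Pull the header fields out of a .dex image (what a hex editor shows first)."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    header = {
        "magic": dex[0:8],
        "checksum": struct.unpack_from("<I", dex, 8)[0],  # Adler-32, bytes 0x08-0x0B
        "signature": dex[12:32],                           # SHA-1, bytes 0x0C-0x1F
    }
    header.update(zip(TAIL_FIELDS, struct.unpack_from("<20I", dex, 32)))
    return header


def verify_dex(dex: bytes) -> list:
    """Recompute the integrity fields; an empty list means the image is self-consistent.
    A patched classes.dex whose header was not regenerated fails both hash checks."""
    problems = []
    h = parse_header(dex)
    if h["magic"] != DEX_MAGIC:
        problems.append("unexpected magic " + repr(h["magic"]))
    if h["header_size"] != HEADER_SIZE or h["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("malformed header_size/endian_tag")
    if h["file_size"] != len(dex):
        problems.append("file_size %d != actual %d" % (h["file_size"], len(dex)))
    if h["checksum"] != zlib.adler32(dex[12:]) & 0xFFFFFFFF:  # covers signature + rest
        problems.append("adler32 checksum mismatch")
    if h["signature"] != hashlib.sha1(dex[32:]).digest():    # covers everything after it
        problems.append("SHA-1 signature mismatch")
    return problems


def build_sample_dex(data: bytes) -> bytes:
    """Constructed minimal image: a valid header with every table empty and `data` as the
    data section, with signature and checksum computed in the order the format requires."""
    body = struct.pack(
        "<20I",
        HEADER_SIZE + len(data), HEADER_SIZE, ENDIAN_CONSTANT,
        *([0] * 15),             # link/map/string/type/proto/field/method/class fields
        len(data), HEADER_SIZE,  # data_size, data_off
    ) + data
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    image = build_sample_dex(b"constructed data section")
    print(verify_dex(image))            # []
    tampered = bytearray(image)
    tampered[-1] ^= 0xFF                # one byte changed in the data section
    print(verify_dex(bytes(tampered)))  # checksum and signature both fail
```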
If you tick the Decompile classes checkbox in Figure (9), you will see in Figure (11) that classes.dex is gone; in its place a folder called smali appears.
Figure (11)
Bear in mind that if you want to patch and modify the code, you have to tick the Decompile classes checkbox. Only then is classes.dex decompiled/disassembled into .smali files
Figure (12)
The APK asks you to enter a registration code and checks whether it is correct. If the code is wrong, it shows the badboy message "Invalid serial!".
Patching Crackme0_by_lohan
Having studied how Lohan's Crackme works, let's try to get the goodboy message instead of "Invalid serial!". Open URET Android Reverser Toolkit.
Figure (13)
In Figure (13), tick the Decompile classes checkbox and click the Decompile button. You will find the decompiled smali folder as in Figure (14).
Figure (14)
Opening the smali folder, you will see the .smali files as in Figure (15).
Figure (15)
In terms of the Android IDE project before compilation, Main.smali in Figure (15) is the source [src] file Main.java, and R.smali is the R.java file the IDE generates automatically. R$attr.smali, R$drawable.smali, R$layout.smali and the like are the classes inside R.java split out into separate files.
The goodboy message we are after can be found inside Main.smali. But because the code is Dalvik instructions, you may find it hard to read. If we could see Java code instead of Dalvik code, cracking would certainly be easier, and there are plenty of Java decompilers for viewing Java instead of smali. Of these, BytecodeViewer 2.9.8 is my favourite. Figure (16). That is because it bundles Procyon, CFR, JD, FernFlower and Krakatau together, and can also recompile some simple Java code.
Figure (16)
Figure (16) is the view in BytecodeViewer. The leftmost pane lists the decompiled files. The middle pane is Main.class decompiled with the Procyon decompiler, and the rightmost pane is Main.class decompiled with the Smali decompiler.
Decompiling Main.class with the Procyon decompiler gives Figure (17).
package com.lohan.crackme0;
import android.app.*;
import java.security.*;
import java.math.*;
import android.telephony.*;
import android.view.*;
import android.content.*;
import android.widget.*;
import android.os.*;
Figure (17)
Looking at the onClick() function in Figure (17): when the Validate button is pressed, if the result the validateSerial() function returns for the serial we typed equals zero, the text "Invalid Serial!" is shown; if it is not zero, "Thanks for purchasing!" is shown. So we need to change this result so it is not zero. To make that change, open Main.smali from Figure (15).
.line 55
.local v0, "btn":Landroid/widget/Button;
invoke-virtual {v0, v6}, Landroid/widget/Button;->setVisibility(I)V
.line 56
invoke-virtual {v1, v6}, Landroid/widget/EditText;->setVisibility(I)V
.line 57
const/high16 v4, 0x7f050000
invoke-virtual {p0, v4}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v3
check-cast v3, Landroid/widget/TextView;
.line 58
.local v3, "tv":Landroid/widget/TextView;
const-string v4, "PRO VERSION!"
invoke-virtual {v3, v4}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
goto :goto_0
.line 43
nop
:pswitch_data_0
.packed-switch 0x7f050001
:pswitch_0
.end packed-switch
.end method
.method public onCreate(Landroid/os/Bundle;)V
.locals 2
.param p1, "savedInstanceState" # Landroid/os/Bundle;
.prologue
.line 19
invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
.line 20
const/high16 v1, 0x7f030000
invoke-virtual {p0, v1}, Lcom/lohan/crackme0/Main;->setContentView(I)V
.line 22
const v1, 0x7f050001
invoke-virtual {p0, v1}, Lcom/lohan/crackme0/Main;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/Button;
.line 23
.local v0, "button":Landroid/widget/Button;
invoke-virtual {v0, p0}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V
.line 24
return-void
.end method
.method public validateSerial(Ljava/lang/String;)I
.locals 2
.param p1, "serial" # Ljava/lang/String;
.prologue
.line 67
:try_start_0
invoke-virtual {p0}, Lcom/lohan/crackme0/Main;->getMobileID()Ljava/lang/String;
move-result-object v1
invoke-static {v1}, Lcom/lohan/crackme0/Main;->generateHash(Ljava/lang/String;)Ljava/lang/String;
move-result-object v1
invoke-virtual {v1, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
move-result v1
if-eqz v1, :cond_0
.line 68
Chapter (19) – Cracking Android applications - 421 -
Figure (18)
When you open Main.smali from Figure (15), you will see Figure (18). As I said earlier, you will need to take time reading the smali files to understand what the code means. Look near .line 49 in Figure (18). You will see that it says: if the value of v4 is not zero, go to cond_0. cond_0 is the place where "Thanks for purchasing" is. If we do not enter the correct serial, there is no reason for the comparison in the validateSerial() function to succeed. In this lesson we will not look for the real serial; we will only modify the code to get the answer we want. So we change if-nez v4,:cond_0 to if-eqz v4,:cond_0. In other words, we change it so that if the value equals zero, execution goes to the Goodboy message. The change is made in the Main.smali file seen in Figure (15). After editing, press the Compile button from Figure (13). Then, as seen in Figure (19), you will see the Crackme0_by_lohan.apk file we modified appear under the new dist folder.
Figure (19)
Copy the Crackme0_by_lohan.apk file to the phone and try installing it. You will see "There was a problem parsing the package". The reason for this error is that we did not sign and zipalign the Crackme0_by_lohan.apk file. So we will select the modified APK file under the dist folder and sign and zipalign it.
Figure (20)
Select the APK file to sign and press the sign button seen in Figure (20). You will then get the signed file Signed__Crackme0_by_lohan.apk. Copy this file back to the phone and test installing it. The file will work properly. You can leave out zipalign. For APKs with large file sizes, however, you should definitely run zipalign so that the program runs faster.
Figure (21)
If you type any text into the EditText (TextBox) from Figure (12) and press the Validate button, the "Thanks for purchasing" message is shown and, as seen in Figure (21), the APK becomes the PRO Version. Summarizing this lesson, notice that to turn the APK into the Pro version we changed only one thing: nez to eqz.
Finding the serial from Crackme0_by_lohan
In the previous lesson we studied how to modify the code so that an APK can be used as the Full version as quickly as possible. This time, without modifying the code, we will study how to compute the correct serial. For this we need BytecodeViewer and Eclipse. BytecodeViewer is for seeing how main.java is written, and the Eclipse IDE is for rebuilding the APK with Java. Eclipse can be downloaded from the link below.
http://download.eclipse.org/eclipse/downloads/
This lesson will not explain how to use Eclipse. Books about Eclipse are easy to download online, and good books written in Burmese are also easy to buy. If you are going to crack Android APKs, you will need to understand a little Java. The Android project written in Eclipse is included on the DVD.
Good. Look carefully at Figure (17), decompiled with BytecodeViewer. Studying the registration process in detail:
1. The APK makes us enter a serial.
2. It reads the DeviceID (IMEI) of the mobile phone the APK is running on.
3. It computes the MD5 hash of the IMEI value it obtained.
4. It converts the resulting MD5 hash value into a hexadecimal BigInteger value.
5. It checks whether the serial we entered equals that BigInteger value and, if it does not, shows the "Invalid Serial!" message.
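The registration check in steps 1 to 5, reimplemented as an added example (not the crackme's own code; the page does not show the source of generateHash()). It assumes generateHash() returns new BigInteger(1, md5).toString(16), i.e. lowercase hex with leading zero nibbles dropped, and uses a constructed placeholder IMEI.

```python
import hashlib


def expected_serial(device_id: str) -> str:
    # Step 3: MD5 of the device ID (the IMEI that getMobileID() reads).
    digest = hashlib.md5(device_id.encode("utf-8")).digest()
    # Step 4: the 16 digest bytes as an unsigned integer, written in base 16.
    # Assumption: this mirrors new BigInteger(1, digest).toString(16), which,
    # like Python's 'x' formatting, omits leading zero nibbles, so the serial
    # can be shorter than 32 characters.
    return format(int.from_bytes(digest, "big"), "x")


def validate_serial(device_id: str, typed_serial: str) -> bool:
    # Step 5: validateSerial() uses String.equals(), an exact,
    # case-sensitive comparison, so an uppercase serial is rejected.
    return expected_serial(device_id) == typed_serial


# Constructed placeholder IMEI for the demo, not a real device identifier.
SAMPLE_IMEI = "123456789012345"

if __name__ == "__main__":
    serial = expected_serial(SAMPLE_IMEI)
    print("device id:", SAMPLE_IMEI)
    print("serial the app expects:", serial)
    print("accepted:", validate_serial(SAMPLE_IMEI, serial))
    print("uppercase accepted:", validate_serial(SAMPLE_IMEI, serial.upper()))
```

Because the expected serial is derived only from data the app itself reads, the validator and the key generator are the same function; a scheme meant to resist this needs a secret that is not on the device, for example a license signed by the vendor and verified in the app with a public key.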
In the Android project we will edit the AndroidManifest.xml file, the MainActivity.java file under the src folder, the activity_main.xml file under the res\layout folder, the activity_main.xml file under the res\menu folder, and the strings.xml file under the res\values folder.
First, we edit the AndroidManifest.xml file as in Figure (22) so that the app obtains the permission to read the phone's state.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="lohan.crackme"
    android:versionCode="1"
    android:versionName="1.0" >
    <uses-sdk
        android:minSdkVersion="11"
        android:targetSdkVersion="15" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >
        <activity
            android:name=".MainActivity"
            android:label="@string/title_activity_main" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
Figure (22)
In the strings.xml file under the res\values folder, edit as in Figure (23).
<resources>
    <string name="app_name">CrackMe</string>
    <string name="hello_world">Hello world!</string>
    <string name="menu_settings">Settings</string>
    <string name="title_activity_main">MainActivity</string>
    <string name="ValidateButton">Generate</string>
    <string name="IMEI">My IMEI: </string>
    <string name="Serial">My Serial: </string>
</resources>
Figure (23)
In the activity_main.xml file under the res\layout folder, edit as in Figure (24).
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent" >
    <Button
        android:id="@+id/button1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_alignParentTop="true"
        android:layout_centerHorizontal="true"
        android:layout_marginTop="116dp"
        android:onClick="Generate_Serial"
        android:text="@string/ValidateButton" />
    <EditText
        android:id="@+id/edit_Text1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_below="@+id/button1"
        android:layout_marginTop="54dp"
        android:ems="10"
        android:text="@string/IMEI" />
    <EditText
        android:id="@+id/edit_Text2"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_alignParentLeft="true"
        android:layout_below="@+id/edit_Text1"
        android:ems="10"
        android:text="@string/Serial" >
        <requestFocus />
    </EditText>
</RelativeLayout>
Figure (24)
In the activity_main.xml file under the res\menu folder, edit as in Figure (25).
<menu xmlns:android="http://schemas.android.com/apk/res/android">
    <item android:id="@+id/menu_settings"
        android:title="@string/menu_settings"
        android:orderInCategory="100"
        android:showAsAction="never" />
</menu>
Figure (25)
In the MainActivity.java file under the src folder, edit as in Figure (26).
package lohan.crackme;

import java.math.BigInteger;
import java.security.MessageDigest;
import android.app.Activity;
import android.os.Bundle;
import android.telephony.TelephonyManager;
import android.view.View;
import android.widget.EditText;
import android.widget.TextView;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }
}
Figure (27)
Cracking-related Internet websites - 426 -
Cracking-related Internet websites
(The links were checked on 20 December 2015.)
(1) Cracking-related websites
(4) Programming-related websites