
Cracker_Guide_2.1_


Introduction

This book, titled 'Cracker Guide', is published for enthusiasts who are not yet familiar with cracking (reverse engineering). Cracking, a branch of reverse engineering, is an extremely deep and broad discipline, so there is a great deal to study. This book therefore gives priority to explaining only the fundamentals that someone starting out in cracking ought to know.

Cracking is not yet popular in our country, because even programming itself is not widespread here. Few people have studied cracking, for several reasons: cracking is the inverse of programming and can only be learned once you understand how programs are written; people tend to study only the computer subjects that lead easily to employment; and pirated software is cheap and easy to buy.

Look at today's IT world and you will see software pouring out in floods. At the same time, most users place enormous trust in software vendors. Yet it has become hard to trust the programs on the market: vendors themselves cannot review every line their developers write, some programmers are dishonest, and some people deliberately insert malicious code. A further problem is that in our country most software cannot be bought. Warez forums, too, cannot share a serial for every piece of software we need.

To be honest, there is no legal permission to publish writing on cracking, so books on cracking cannot be bought at all, whether in bookshops or online. Even so, cracking is spreading rapidly. Vietnam, a Southeast Asian country, already stands level with the rest of the world in cracking, while in our country there are still many people who cannot even make proper use of patch files written by others. I believe this book will open readers' eyes and ears.

Some welcome this book's publication; others do not view it kindly. Most of those who disapprove are developers currently selling software. Most of the lessons in the book show how software sold internationally can be used free of charge by way of its weaknesses. Since locally made software is not discussed in a single word, I believe their interests are not harmed at all. (I will never demonstrate cracking locally made software. Whether or not this book is written, that software is going to be cracked anyway.) Whatever good or ill comes of reading this book rests solely on the reader's own convictions.

I believe that nothing is lost by studying cracking. The first point concerns malware. Some young programmers today commit fraud by creating viruses and trojans and by inserting malicious code into software. Someone who has mastered cracking can study the nature and workings of viruses and trojans and remove malicious code from software, solving such problems completely. The second concerns errors raised while a program is running. In very large software, bugs are not easy to find; cracking lets you resolve them easily, whether by locating the exceptions or by locating the offset. A third advantage is that, if you want to write software you do not yet know how to write, cracking an existing program lets you see how it was written; in this way cracking can help improve your own programming skill. A further point is that once you understand the steps of cracking, you can stop others from cracking your own software.

One thing to say here: to study cracking, the reader must be familiar with C or Assembly, or already proficient in some other programming language. (C and Assembly are both explained in this book.) The reason is that C and Assembly are low-level programming languages, while the others are high-level.


A further suggestion: to view the screenshots and images clearly, copy them from Acrobat Reader into Microsoft Paint, and read the text at 125% zoom or higher in Acrobat Reader; then the images will be clear and the text sharp. Acrobat Reader version 8.0 or later is required to read this book.

This book's version keeps changing. As the version number rises, there are fewer mistakes and more additions and chapters. Version 1.0 had only 12 chapters, for example, while the present Version 2.1 has been expanded to 30. Some chapters have also received additions, so please reread them attentively; in Version 1.2, for instance, a new discussion of Fish Packer was added to 'Chapter (12) - Packers (Protectors)'. I only began studying cracking in 2008 and wrote the 'Cracker Guide' books while still learning, so the early versions have many weaknesses.

One piece of advice for newcomer crackers: you need not read the chapters in order, nor understand every word. Read chapters 1 and 2 thoroughly. Skim chapters 3 and 5. Read chapters 4 and 6 until you understand them. Set chapters 7 and 8 aside for now. Learn chapter 9 by heart and practise it. Once you fully understand chapter 9, go on to practise chapters 10 and 12. By then you will have enough of a grounding in cracking in a short time, and you can study the remaining chapters as you please. The other lessons newcomers must read are Lena151's Reversing Tutorials (1-40); apart from those, most other tutorials are a long way from giving a newcomer the basics.

A few words on how this book was written. Some readers think I wrote all the lessons myself. Most chapters are direct translations, though in translating Lena151's tutorials I changed the pronouns, because Lena151 is a woman. Where a literal translation would be hard for readers to follow, I translated freely. Unnecessary or unimportant parts, and parts too hard to translate (material translated from Vietnamese via Google), were left out. Not every chapter is a translation; some I wrote myself (for example, Basic C and Olly Debug Script), so you will not find tutorials for those lessons online. The list of works referenced is given in the appendix. To avoid any dispute, I want to state here that nothing written by Myanmar authors has been copied or cited.

In all honesty, the author himself is only slightly beyond beginner level in cracking, so this book is no more than a Beginner-to-Beginner Guide; if you find mistakes, please be understanding ...

October 4, 2010.

rhythm

(Myanmar Cracking Team)

With this book I pay homage to my late parents, Captain Hla Po (retired) and Daw Ohn Tin.

Suggestions and questions can be sent to [email protected].


Contents (page)

Introduction 3

Chapter (1) Things crackers should know 6

Chapter (2) Basic C language 9

Chapter (3) Basic Assembly language 27

Chapter (4) Software protection 51

Chapter (5) Tools a cracker needs 58

Chapter (6) Introduction to Olly Debugger 64

Chapter (7) Introduction to IDA Pro Advanced 5.2 72

Chapter (8) PE Header 87

Chapter (9) Cracking for the first time, with the Teleport Pro 1.61 program 121

Chapter (10) Patching (Beginner/Intermediate/Advanced) 135

Chapter (11) Windows APIs crackers should watch for 156

Chapter (12) Cracking by using a program's resources 168

Chapter (13) Packers (Protectors) 176

Chapter (14) IAT and API Redirection 201

Chapter (15) Cracking programs written in Visual Basic 223

Chapter (16) Cracking programs written in Delphi 252

Chapter (17) Cracking programs written in Java 260

Chapter (18) Cracking programs written in Visual Dot.net 276

Chapter (19) Cracking mobile phone applications 305

Chapter (20) Loader theory and creating patch files 311

Chapter (21) Studying crypto code 319

Chapter (22) Studying polymorphic code 342

Chapter (23) Removing online registration number checks 359

Chapter (24) Studying Themida 382

Chapter (25) What CRC is ---

Chapter (26) Cracking applications with many threads ---

Chapter (27) Things worth knowing about CD-ROM protection ---

Chapter (28) The Flashy trojan and the Windows Registry 409

Chapter (29) Olly Debug Script 416

Chapter (30) Anti-unpacking techniques 428

Cracking terminology 446

Cracking-related websites 455

References 458

Note: the chapters shown in red (those with --- in place of a page number) are not yet finished.


Chapter (1) - Things crackers should know

The first thing I want to explain in this 'Cracker Guide' is what kind of people we who call ourselves crackers are, and why we crack. A true cracker's job is to study how programs work and what the most common kinds of protection are, and to work out how the code should be written. Sometimes people crack to become famous; sometimes they crack because they want to try out new software. Let me say in passing that cracking a program, and using cracked programs, is a crime and breaks the law. (In some low-income countries, Myanmar included, nearly all cracked programs are still used illegally.) So if you like a program, or have money to spare, you should buy it; otherwise use only the trial version.

Cracker wpfa,muf&JU t"duvkyfief;wm0efuawmh taMumif;t&mtopfawGudk avhvmvdkpdwf tjrJ jzpfzdkUeJU tjcm;olawG&JUtvkyfudk tav;xm;zdkUyJjzpfygw,f/ bmaMumifh tav;xm;cdkif;&ovJqdk&if y&dk*&rfrm awG[mvnf; vlom;awGyJ jzpfMuygw,f/ (qdkvdkwmu oifhtaeeJU y&dk*&rfrmawG&JU MudK;pm;tm;xkwfrIawG uae tjrwfrxkwfcsifygeJU/)

The crackers of the criminal world, who are not true crackers, do the same work as ordinary crackers but have no ethics and no ambition; all they know is stealing and selling software for their own profit. Such people are not called crackers. Being able to crack a piece of software does not make you a cracker.

The difference between crackers and developers (programmers) is that developers keep their code as secret as they can and underestimate crackers' abilities, and they rarely share knowledge with each other. Crackers are not like that: they freely distribute and discuss the new techniques they discover on forums, and when a cracker manages to crack software that is very hard to crack, all he wants in return is the admiration and respect of other crackers. That is why the cracking community is growing so fast. (An aside on the term 'programmer': not everyone who writes programs is called a programmer. Only people who have worked at programming steadily for decades, and who know it inside out, are called programmers. The term 'cracker' is also misunderstood. Before Windows XP, small-time hackers who broke into other people's operating systems and stole data were called crackers. Today the term ref only to people who specialise in removing software protection, that is, reverse engineers.)

Why crack software? Because by cracking you come to understand in detail how programs work, how a computer works, the internals of the processor, and how people think. Even if you later leave the cracking world for whatever reason, compare what you knew before with what you know now and you will notice an enormous difference. In the public's view, cracking is illegal. That view is mistaken: if it is merely studying how a program was written, and you make no attempt to distribute the cracked software (including giving it away free) and do not use the cracked software, it is not a crime and does not fall foul of the law. (Note: at the time of writing, those who distribute, sell or use cracked software in Myanmar are not yet in conflict with the law.)

To become a good cracker, you need to understand the following basic rules.

(1) You will not be able to crack every piece of software. Keep that in mind: you are not a genius, and knowing everything is impossible.

(2) Every piece of software can be cracked; sooner or later every piece of software becomes crackable. When ASProtect 1.3 first appeared, for example, people thought it could not be cracked; a year or two later even novice hobbyists were cracking it with ease. (Word to PDF Converter 3.0 is protected with ASProtect 1.3.)


(3) Share your experience and knowledge. If you discover an unusual trick, tell others. Write tutorials, articles and crackmes. Do what you can to help the next generation of crackers.

(4) Read plenty of cracking tutorials. As rule (1) says, we are not the best; but others know things we do not, and we know things they do not. So keep reading tutorials continually.

(5) Study code. If you know how a complex program works and how it was written, cracking it becomes easier.

(6) Do not rely too much on the tools everyone else uses; it is better to be able to switch tools, so that the programmers writing shareware cannot all target your tool. Find a tool, study it, master it, and become a tool yourself.

(7) Get in touch with cracking groups; join one, even if only as a temporary member. They will help you, you may be able to help others, and in the end you will come to know the protections you are studying well.

(8) Always stay up to date. This is very important: use the latest tools and study the latest developments. Keep a list of shareware authors in your e-mail, stay in contact with them, study their techniques, and get close to being one of them.

(9) Research on your own. Find new discoveries and tricks for yourself; try to solve problems yourself without reading books. When you find something new, remember to teach it to others. Learning by yourself is best.

(10) Do not abuse software authors' programs; they worked hard to build their software and make it succeed. Do not abuse cracks, keygens or serials written by others either. That would be unfair and improper.

(11) Write lots of code, read a lot, crack a lot, write lots of tutorials, and you will become a good cracker.

When you first start studying cracking, it is absolutely impossible without some programming experience. Most software is written in Visual C++, Borland Delphi and Dot.net. (That does not mean you must be proficient in those languages.) The two languages that help most in making cracking easy to understand are C and Assembly. C is easier than Assembly, so study C first; depending on your aptitude it will take at least 21 days. Only after that should you try to crack. The next is Assembly. When people hear 'Assembly', many picture the assemblers of the 16-bit era; the Assembly you need to learn is 32-bit Assembly.

The basis of cracking is studying compiled computer binary code, or machine code. In the early days of computing, programs were written by hand; there were no compilers then, and programming was very complicated and very error-prone. That is why compilers, which turn human language into computer language, were invented. Today programs are compiled or assembled. If you use a disassembler to display such code as binary, you will see something like this:

100100100101010010101010010100001100111001

Binary is the base-2 system, built on 0 and 1. Because that representation is hard to read, the base-16 hexadecimal system was devised, using the digits 0 to 9 and A (10) to F (15). Here are some HEX codes:

817D 0C 10010000 (HEX)

10000001011111010000110000010000000000010000000000000000 (BIN)


HEX codes are used a great deal, because the opcodes behind the mnemonics of Intel CPUs are expressed in HEX.

JNZ 00002A ; here the opcode for the JNZ mnemonic is 75h (117d).

PUSH 0C8 ; here the opcode for the PUSH mnemonic is 68h (104d).
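The bytes quoted above, rendered in both forms by code. This is an added example, not code from the Cracker Guide; the function names, the "75 2A" and "68 C8000000" sample strings, and the byte cap are my own.

```c
/* Added example: parse a hex byte string such as "817D 0C 10010000" (the
 * bytes quoted in the text) into bytes, render them as the 8-bit-per-byte
 * binary string shown above and back to hex, and read off the first byte,
 * which for an x86 instruction is its opcode byte. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_BYTES 16   /* assumption: samples here are short */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse hex text (spaces allowed between digits) into out[]. Returns the
 * byte count, or -1 on a non-hex character, a dangling nibble, or overflow. */
int parse_hex_bytes(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;                       /* pending high nibble, -1 if none */
    for (; *hex; hex++) {
        int v;
        if (*hex == ' ') continue;
        v = hex_digit(*hex);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;       /* refuse to write past out[] */
        out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (int)n : -1;       /* odd digit count is an error */
}

/* Render bytes as "10000001..." (most significant bit first, 8 per byte).
 * out must hold 8*n + 1 characters. */
void bytes_to_bin(const uint8_t *b, size_t n, char *out)
{
    size_t i;
    int bit;
    for (i = 0; i < n; i++)
        for (bit = 7; bit >= 0; bit--)
            *out++ = ((b[i] >> bit) & 1) ? '1' : '0';
    *out = '\0';
}

/* Render bytes as upper-case hex ("817D0C10010000"). out must hold 2*n + 1. */
void bytes_to_hex(const uint8_t *b, size_t n, char *out)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t i;
    for (i = 0; i < n; i++) {
        *out++ = digits[b[i] >> 4];
        *out++ = digits[b[i] & 0x0F];
    }
    *out = '\0';
}

/* Does the hex text render to exactly the expected binary text? */
int hex_renders_as_bin(const char *hex, const char *expected_bin)
{
    uint8_t buf[MAX_BYTES];
    char bin[8 * MAX_BYTES + 1];
    int n = parse_hex_bytes(hex, buf, MAX_BYTES);
    if (n < 0) return 0;
    bytes_to_bin(buf, (size_t)n, bin);
    return strcmp(bin, expected_bin) == 0;
}

/* First byte of the stream, i.e. the opcode byte; -1 if the text is invalid.
 * 81h opens the ADD/OR/.../CMP r/m32,imm32 group (the ModRM byte picks which),
 * 75h is JNZ rel8 and 68h is PUSH imm32, as the text says. */
int first_opcode(const char *hex)
{
    uint8_t buf[MAX_BYTES];
    int n = parse_hex_bytes(hex, buf, MAX_BYTES);
    return n > 0 ? buf[0] : -1;
}

int main(void)
{
    const char *sample = "817D 0C 10010000";   /* bytes quoted in the text */
    uint8_t buf[MAX_BYTES];
    char bin[8 * MAX_BYTES + 1], hex[2 * MAX_BYTES + 1];
    int n = parse_hex_bytes(sample, buf, MAX_BYTES);
    if (n < 0) { fprintf(stderr, "bad hex input\n"); return 1; }
    bytes_to_bin(buf, (size_t)n, bin);
    bytes_to_hex(buf, (size_t)n, hex);
    printf("%s (HEX)\n%s (BIN)\nopcode byte: %02Xh\n", hex, bin, first_opcode(sample));
    return 0;
}
```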

For the details of Assembly, see the 'Basic Assembly language' lesson.

Today the best-known and most widely used operating systems are the Microsoft Windows platforms: Windows 98, Windows NT, Windows 2003, Windows XP, Windows Vista, Windows 7 and so on. All of these operating systems share the same basis, the Win32 API (Application Programming Interface). (In the DOS era, interrupts had to be used to talk to the computer's hardware.) Thousands of API functions ship with Windows as DLL (Dynamic Link Library) files, such as kernel32.dll and GDI32.dll. To crack, you must understand these .dll files and API functions.

If you come from the Unix/Linux world, you will have noticed that executables use the ELF format. Windows uses the PE format; the file types that use PE are .exe, .dll, .ocx, .sys, .cpl and .scr. To crack, you need an in-depth knowledge of these files.

What interests newcomer crackers is protected shareware. Advanced crackers are interested instead in packing and unpacking PE files, adding or modifying functions in them, recovering stolen (removed) code, and writing cracking tools. So newcomers mainly remove the nags in shareware, find serials, and register the software; studying where and how a program is protected and using the registered (cracked) version is their greatest success. Before any of this, every cracker needs at least one tool to crack a protected piece of software (a program). That tool is called a debugger, a decompiler, or a disassembler.

The main purpose of a debugger is to pause a running program wherever you like and edit the code. Debugging a program produces an enormous amount of code, and there is no time to study every line; so a debugger is used to stop at the places you need, or at places you have marked. The most widely used debuggers and disassemblers are Olly, IDA Pro and W32dasm. Olly is free and has a great many users, which is why most tutorials by advanced crackers use Olly for their examples.

Before trying to crack a program, the first thing to do is find out what language it was written in, using tools such as PEiD or CFF Explorer. If the software was written in Visual Basic, VB Decompiler is a better choice than Olly; likewise, for Dot.net, Dot.net Reflector is more suitable and easier. For the remaining languages you can debug with Olly. (If a program is packed, it must be unpacked before it can be cracked.)

If you ask how to crack, the only answer is that there are many ways. Finding the best solution for each different problem is up to the cracker.

To become an outstanding cracker you must spend a lot of time on the internet: download new tools and tutorials, join many forums, discuss and ask questions, try cracking new software, read others' tutorials until you understand them, study already-cracked files, and write tutorials of your own.


Chapter (2) - Basic C language

Since a good cracker must be proficient in some programming language, this chapter explains the C programming language. You may ask why no other language was chosen: wouldn't C++ be better, or Visual C++ more complete? The answer is that C is the most fundamental and the simplest. C++ merely dresses C up; the most basic operations are still done by C. Visual C++ is built on Windows, so its code is needlessly long and would confuse someone just starting to learn cracking. C's advantages over other programming languages are its complete set of operators, its full range of system-related functions, its great simplicity in writing programs, the way it conveys the essence of programming, and the help it gives in going on to study Visual C++. This lesson will not discuss C's history and origins, only how to write programs in C; and not how to create commercial software in C, only the parts of C that help with cracking. The graphics part is therefore left out. (Note: the graphics part is 16-bit and DOS-based, so nobody uses it any more.) Structures are also omitted, since they are of little use in cracking. (Note: in C++ structures have been replaced by classes, which have far more advanced features.) If C interests you and you want to study it further, I recommend Ivor Horton's 'Beginning C - From Novice to Professional'. Whatever subject you study, read many books if you want the details, because every author explains and thinks differently.

A special warning: because the C language was invented on a DOS basis, programs written in C drive the processor to 100%, so they are no longer compatible with the Windows versions released after Windows 98. For that reason we will not use Turbo C 2.0 (the DOS version) but Borland C++ 5.02 (the Windows version). I warn you in advance because, as we will be writing in Borland C++ 5.02, you might think we are writing C++ programs; we will write in pure C only. So do not forget to install Borland C++ 5.02 first, then open Start menu > All Programs > Borland C++ 5.02 > Borland C++. Now you can start writing programs.

(1) The first C program

Type the code into the C++ compiler as shown in Figure (1). This program code is called source code.

Figure (1)


Press Ctrl + F9 (Run) and the compiler turns the source code we wrote into exe code. (Strictly, the compiler turns the source code into assembly code, and the assembler turns the assembly code into exe code.)

Figure (2)

Running the code from Figure (1) shows the result in Figure (2). This little program does nothing much at all: it just prints the message 'Welcome to Cracking World' on the screen. Now let's look at how the program works in detail.

(1) In the first line, include is a keyword. It tells the computer that the header files we use are kept in the include folder under C:\BC5\. <stdio.h> says we will use the header file named stdio in that include folder. (Writing "stdio.h" instead of <stdio.h> means the header file named stdio in the same folder the C++ compiler is working in.) stdio stands for STandarD Input/Output. These header file names are meaningful: the compiler tells the computer in advance that data will be input and output, though exactly what will be input and output is not yet stated. conio stands for CONsole Input/Output. conio and stdio are similar in concept; the small difference is that conio can display text in colours.

(2) int main() is the main place where program code is written; the code you want goes inside the { } of this main() function. printf() is a function that displays the text or data you want on the screen. To use printf() you must declare the stdio.h file.

(3) getch() is short for 'GET CHaracter'. It accepts one character typed on the keyboard, without echoing it to the screen. We use it because the program would end immediately after printf(), and we want to pause it; pressing any key finishes getch(). To use getch() you must declare the conio.h file.

(4) return belongs to the main() function; it reports back to the program that the code has run successfully.

(2) The second C program

Figure (3)

#include <stdio.h>   /* 2nd C Program */
#include <conio.h>   /* Borland header: provides getch() */

/* print Fahrenheit-Celsius table for fahr = 0, 20, ..., 300 */
int main()
{
    int fahr, celsius;
    int lower, upper, step;

    lower = 0;      /* lower limit of temperature scale */
    upper = 300;    /* upper limit */
    step = 20;      /* step size */

    fahr = lower;
    while (fahr <= upper) {
        celsius = 5 * (fahr - 32) / 9;
        printf("%d\t%d\n", fahr, celsius);
        fahr = fahr + step;
    }
    getch();        /* wait for a key so the output window stays open */
    return 0;
}


Figure (3) shows the program code that computes Fahrenheit and Celsius values with a formula, and its output. The values on the left (0, 20, 40, 60, and so on) are Fahrenheit values; those on the right (-17, -6, 4, 15, and so on) are Celsius values. Let's look at how the program works in detail.

(1) The /* … */ notation is called a comment. Use comments to note things about the program; with such notes it is easy to understand what the program is for and how it is written. A comment always starts with /* and ends with */. In C++, // is used instead of /* … */.

(2) int means integer (whole number). Use int when you do not want the result to come out as a decimal. fahr, celsius, lower, upper and step are called identifiers. (See under the Identifier heading.)

(3) lower = 0; sets the first Fahrenheit degree to be output to zero. The highest Fahrenheit value is 300. (Note: inside the main() function, every statement must end with a semicolon (;).) step means that consecutive Fahrenheit values differ by 20 degrees.

(4) while(fahr<=upper){ … } means: keep executing the code inside the braces as long as the Fahrenheit value is less than or equal to the maximum, 300 degrees.

(5) celsius = 5 * (fahr - 32) / 9; is the formula that finds the Celsius value.

(6) The printf() function outputs the Fahrenheit and Celsius values. %d is used when outputting integers. \t (tab) means: leave one tab-key width (half an inch) between one value and the next. \n (new line) means: move to the next line of the screen.

(7) zm&if[dkufwefzdk;udk 20aygif;ygw,f/ jyD;&if while loop qDjyefoGm;ygw,f/ pifwD*&dwfwefzdk;udk wGufcsuf jyD; tajzxkwfygw,f/ 'DvdkeJU zm&if[dkufwefzdk;[m 300xufrMuD;rcsif; while loop udkyJ aqmif&Gufygw,f/ 300xufMuD;oGm;&ifawmh getch() function udk vkyfrSmjzpfygw,f/ jyD;&ifawmh y&dk*&rf&JU vkyfaqmifcsufjyD;qHk; oGm;rSm jzpfygw,f/

(3) Data type

The ranges below are those of 16-bit Borland C, the compiler used throughout this book. On today's 32- and 64-bit compilers int is 4 bytes and long may be 8; the authoritative values for your compiler are in <limits.h> and <float.h>.

    Type            Range
    unsigned char   0 to 255
    char            -128 to 127 (signed by default in Borland C; whether plain char is signed or unsigned is compiler-dependent)
    short int       -32,768 to 32,767
    unsigned int    0 to 65,535
    int             -32,768 to 32,767
    unsigned long   0 to 4,294,967,295
    enum            -32,768 to 32,767
    long            -2,147,483,648 to 2,147,483,647
    float           3.4 x 10^-38 to 3.4 x 10^+38
    double          1.7 x 10^-308 to 1.7 x 10^+308
    long double     3.4 x 10^-4932 to 1.1 x 10^+4932

A data type tells the compiler what kind of data each identifier (variable) you use will hold. You must know clearly whether the variable you are declaring is a character, a floating-point (decimal) number or an integer. For example, for characters or (string) text, declare it as char. For integers declare int. For floating-point numbers you can use float and double.

If a variable is declared as char, it occupies 1 byte in the computer's memory. 1 byte equals 8 bits; written out in binary for clarity, it looks like the table below.


1 1 1 1 1 1 1 1

Each cell of the table represents 1 bit and can hold only one of two values, 1 or 0. Since the cells together represent a binary number, the number of distinct values they can hold is 2^8 = 256, that is 0 to 255 (zero counts as a value). 11111111 in binary is the largest of them, 255.

Let us look at some examples involving char.

    char variable_name;        // holds a single character
    char variable_name[20];    // a string of up to 19 characters plus the terminating '\0'
    char *variable;            // a pointer: can refer to a string of any length, but owns no storage itself

char is used most when reading and writing data in files, when writing database programs, and when writing password-related programs.

If you use int, it occupies 2 bytes of memory. So the numeric values it can store are 2 bytes = 16 bits = 2^16 = 65,536 distinct values. The ways int is used are:

    signed int variable_name;          // 2 bytes, -32,768 to 32,767
    unsigned int variable_name;        // 2 bytes, 0 to 65,535
    short int variable_name;           // 2 bytes, -32,768 to 32,767
    long int variable_name;            // 4 bytes, -2,147,483,648 to 2,147,483,647
    unsigned long int variable_name;   // 4 bytes, 0 to 4,294,967,295

You may leave out signed and short. If you declare just int variable_name;, the compiler treats it as signed int, which on this 16-bit compiler has the same size and range as short int. There is a historical reason why C programmers declare signed/unsigned and short/long. The problem dates from the DOS era. RAM at that time was not 1 GB or 4 GB as it is now; it was about 64 KB or 128 KB. DOS also did not allow C programs larger than 1 MB. So programmers had to plan as hard as they could to make their programs occupy as little memory as possible. That is why, whenever they could, they used short instead of long to save memory. Suppose the result a program computes lies somewhere between 40,000 and 50,000. How do you think you should declare that variable: unsigned int variable_name; or long int variable_name;? For a single variable the question hardly matters, but when the variables run into the tens of thousands you have to think about it. What about int variable_name[200][100]? Which would you choose? When handling 20,000 variables it becomes important. Declared as long int, it takes 200 x 100 = 20,000 x 4 bytes = 80 KB of memory. Suppose your RAM is only 64 KB. The program would overflow the stack and not run. (Note: today you no longer need to worry much about how much memory a program occupies. Choosing a width that is too narrow is still a real problem, though: a value that does not fit wraps around silently, and a silent wrap in a length or size calculation is the root of a great many exploitable bugs.)

float is used for handling floating-point (decimal) numbers and occupies 4 bytes of memory. double also handles floating-point numbers and occupies 8 bytes; it is widely used in scientific calculations that need about 15 significant decimal digits. long double is like double and occupies 10 bytes of memory (in Borland C; the size varies by compiler).
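The widths in the table above are where many real bugs live, so here is an added example, not from the book, that shows the wrap-around and sign behaviour just described. It assumes the fixed-width types from <stdint.h> (uint16_t, int16_t) rather than the Borland types the table lists, and ends with the length check that a negative length slips past, beside its hardened form:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A 32-bit length stored in a 16-bit counter keeps only the low 16 bits:
   70000 becomes 70000 - 65536 = 4464, so a later bounds check sees a small number. */
uint16_t truncate_to_u16(uint32_t n)
{
    return (uint16_t)n;
}

/* The 2-byte int of the table: 32767 + 1 does not give 32768, it wraps to -32768.
   Computed through uint16_t so that the wrap is well defined; signed overflow
   itself is undefined behaviour in C, which is why compilers may optimise it away. */
int16_t add_i16_wrapping(int16_t a, int16_t b)
{
    return (int16_t)(uint16_t)((uint16_t)a + (uint16_t)b);
}

/* Plain char may be signed: the byte 0xBE read as signed char is -66,
   read as unsigned char it is 190. */
int byte_as_signed(unsigned char b)
{
    return (signed char)b;
}

/* A length check that compares as int lets a negative length through;
   memcpy() then receives that length converted to size_t, a huge value. */
size_t copy_size_unsafe(int len, int bufsize)
{
    if (len > bufsize)
        return 0;                 /* rejected as "too big" */
    return (size_t)len;           /* -1 becomes SIZE_MAX here */
}

/* Hardened: reject negative lengths before comparing. */
size_t copy_size_safe(int len, int bufsize)
{
    if (len < 0 || len > bufsize)
        return 0;
    return (size_t)len;
}

int main(void)
{
    printf("70000 in uint16_t      : %u\n", (unsigned)truncate_to_u16(70000u));
    printf("32767 + 1 in int16_t   : %d\n", (int)add_i16_wrapping(32767, 1));
    printf("0xBE as signed char    : %d\n", byte_as_signed(0xBE));
    printf("unsafe copy size (-1)  : %zu\n", copy_size_unsafe(-1, 100));
    printf("safe copy size (-1)    : %zu\n", copy_size_safe(-1, 100));
    return 0;
}
```

copy_size_unsafe is the shape of the bug you will meet again and again when reading a binary's length handling: the compare is done in the signed width, the copy in the unsigned one.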

(4) Identifier

The names you give to variables, of your own choosing, are called identifiers. When naming identifiers you must follow these rules.

(1) An identifier must begin with a letter (A-Z, a-z) or an underscore.

(2) No special characters other than the underscore (_) may be used.

(3) An identifier must not be longer than 255 characters. (A Borland limit; the C standard only guarantees that the first 31 (C89) or 63 (C99) characters are significant.)

(4) Keywords must not be used as identifiers. (For example "case", "return".)

(5) MY_Variable123 and my_Variable123 are not the same. Upper and lower case are distinguished.


The following identifiers are valid forms:

    int get_result_from_program;
    int x123;

The following identifiers are invalid forms:

    int 123data;                  // starts with a digit
    int while;                    // keyword
    int base@location;            // special character
    int get-result-from-program;  // the hyphen is the minus operator

(5) Third C program

Figure (4)

This third program is the same in spirit as the second one. The reason for including it here is to explain format specifiers. A format specifier is used together with the printf() function and begins with %. The parts a format specifier may contain are a flag character, a width specifier, a precision specifier, an input size modifier and a conversion type character. Here only the useful, frequently used ones are explained.

    %d   print as an integer (decimal)
    %o   print in octal (base 8)
    %u   print as an unsigned integer
    %x   print in hexadecimal (base 16) with lower-case letters
    %X   print in hexadecimal with upper-case letters
    %f   print as a floating-point number
    %e   print in exponential notation
    %E   print in exponential notation with an upper-case E
    %c   print as a character
    %s   print as a string
    l    size modifier for long, e.g. %ld, %lu, %lx (l on its own is not a conversion)
    %lf  double (needed with scanf(); with printf(), %f already prints a double)
    L    size modifier for long double, e.g. %Lf

    #include <stdio.h>   /* 3rd C Program */
    #include <conio.h>   /* getch(): Borland/Windows only, not standard C */

    /* print Fahrenheit-Celsius table for fahr = 0, 20, ..., 300 */
    int main()
    {
        float fahr, celsius;
        float lower, upper, step;

        lower = 0;      /* lower limit of temperature scale */
        upper = 300;    /* upper limit */
        step = 20;      /* step size */

        fahr = lower;
        while (fahr <= upper) {
            celsius = 5.0 * (fahr - 32.0) / 9.0;   /* floating-point division this time */
            printf("%7.0f %10.3f\n", fahr, celsius);
            fahr = fahr + step;
        }
        getch();
        return 0;
    }


Look at printf("%7.0f %10.3f\n", fahr, celsius); in Figure (4). In %7.0f the 7 says the value is printed right-aligned in a field 7 characters wide, counted from the left; the .0 says no digits after the decimal point; f prints a floating-point number. In %10.3f the 10 says the field is 10 characters wide and .3 says show 3 decimal places. Next come escape sequences. The most frequently used are \t and \n. \t means take up one tab stop and \n means go down to the next line.
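An added example, not from the book, that uses the same %7.0f %10.3f row format but writes it into a buffer with snprintf(), whose return value tells you when the field widths did not fit. It also shows the one mistake with format specifiers that matters most for security: letting text from the user be the format string. The names (format_row, echo_unsafe, echo_safe) and the "secret" value are assumptions of the example:

```c
#include <stdio.h>
#include <string.h>

#define ROW_CAP 32

/* Formats one table row the way the program in Figure (4) prints it.
   Returns the row, or NULL if it would not fit: snprintf() returns the
   length the full text needs, so a value >= ROW_CAP means it was cut short.
   Static buffer: fine for a demo, not reentrant. */
const char *format_row(double fahr, double celsius)
{
    static char row[ROW_CAP];
    int needed = snprintf(row, sizeof row, "%7.0f %10.3f", fahr, celsius);
    if (needed < 0 || (size_t)needed >= sizeof row)
        return NULL;
    return row;
}

/* Wrong: the user's text is used as the format string, so a %d inside it
   is interpreted and consumes an argument the caller never meant to show.
   One extra argument (a pretend secret) is passed so that a single %d stays
   defined behaviour for this demonstration; a real printf(user_text) has
   no arguments at all and reads whatever happens to be on the stack. */
const char *echo_unsafe(const char *user_text)
{
    static char out[ROW_CAP];
    int secret = 1234;
    snprintf(out, sizeof out, user_text, secret);
    return out;
}

/* Right: a constant format with the user's text as the %s argument,
   so a %d in the input is copied literally. */
const char *echo_safe(const char *user_text)
{
    static char out[ROW_CAP];
    snprintf(out, sizeof out, "%s", user_text);
    return out;
}

int main(void)
{
    int fahr;
    for (fahr = 0; fahr <= 300; fahr += 20)
        printf("%s\n", format_row(fahr, 5.0 * (fahr - 32.0) / 9.0));
    printf("unsafe: %s\n", echo_unsafe("balance: %d"));   /* leaks the secret */
    printf("safe:   %s\n", echo_safe("balance: %d"));     /* prints %d literally */
    return 0;
}
```

Whenever you see a disassembled program pass a buffer that came from the user straight to printf in EAX with no format constant, that is the echo_unsafe pattern.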

(6) keyword

The keywords used in the C language are as follows (far, huge and near are Borland extensions for the DOS memory models, not standard C):

    auto      break     case      char      const
    default   do        double    else      enum
    extern    far       float     for       goto
    huge      if        int       long      near
    register  return    short     signed    sizeof
    static    struct    switch    typedef   union
    unsigned  void      volatile  while

When declaring identifiers, ke keywords cannot be used as variable names, because every keyword has its own function. The functions of the important, frequently used keywords are discussed under separate headings.

(7) if statement

The if statement is used when a condition has to be decided as true or false. Sometimes it is used together with the else keyword. Some of its possible forms are these ...

    (1) if (condition) statement;
    (2) if (condition) statement; else statement;
    (3) if (condition1) statement; else if (condition2) statement; … else statement;
    (4) if (condition1) statement; if (condition2) statement; …

(1) The first form is used to decide whether a single condition is true or false.

(2) The second form is used when exactly one of two alternatives must be taken: either the if branch or the else branch runs.

(3) The third form is used when exactly one of three or more alternatives must be taken.

(4) The fourth form is used when the conditions are independent of one another: each may be true or false on its own, and any number of the statements may run.

(8) Fourth C program

Figure (5)


If you run the code in Figure (5) you will see the output in Figure (6).

Figure (6)

This program checks whether the number you type on the keyboard is positive, negative or zero (Figure (6)). It is a simple program written with the if statement. What is new here is the scanf() function. If you want to know about it in detail, place the mouse cursor on scanf and press Ctrl+F1 (in the Borland IDE). Help on how to use it will appear (Figure (7)). You can look up the other functions in detail with Ctrl+F1 in the same way.

Figure (7)

The scanf() function is used to read numbers or text typed on the keyboard. In this example program what we read is one integer (%d). Do not forget the address sign (&) in front of number_check: scanf() needs the address of the variable so that it can store the value there.

If you want to know about functions, read the Help a lot. Study the examples in the Help. Run the examples.

(9) switch statement

Another statement that works on the same idea as the if statement is the switch statement. The form in which it is used is this ...

    switch (expression) {
        case constant_expression1: statement; break;
        case constant_expression2: statement; break;
        default: statement;
    }

Without the break, execution falls through from one case into the next.

(10) Fifth C program

    #include <stdio.h>
    #include <conio.h>
    #include <stdlib.h>

    int main()
    {
        /* Copyright © Myo Myint Htike, 2009 */
        int menu;

        printf("Choose 1 to print \"Welcome!\" text. \n");
        printf("Choose 2 to print \"Sorry!\" text. \n");
        printf("Choose any number to exit!\n");
        printf("Please enter a number: ");
        if (scanf("%d", &menu) != 1)      /* not a number: menu would be uninitialized */
            return 1;

        switch (menu) {
            case 1:  printf("Welcome!"); break;
            case 2:  printf("Sorry!");   break;
            default: exit(0);            /* ends the whole program */
        }
        getch();
        return 0;
    }


This program is an example showing how the switch statement is used. Try it out to see how it works. What needs explaining here is the exit() function. exit() terminates the whole program immediately, not just the function it is called from, and hands its argument (0 here) to the operating system as the exit status. To use it you must include stdlib.h (STandarD LIBrary). switch is used less often than if, so you may skip it for now; compilers frequently compile a switch into a jump table, however, so you will meet it again when reading disassembly.

(11) while loop

This time we will look at loops. In cracking, loops are what you meet most often. A loop performs a task many times over while a specified condition holds. The most frequently used loops are the for loop and the while loop. The form of the while loop is as follows.

    while (condition) statement;

No separate example program is written for the while loop, because its operation was already explained in the second C program. A variant of the while loop is the do { } while loop; it tests its condition after the body, so the body runs at least once. Being rarely used, it is not explained further.

(12) for loop

The form of the for loop is as follows.

    for (expression1; condition; expression2) statement;

The for loop works like this. First expression1 is executed once, to initialize. Then the condition is tested for true or false. If it is true, the statement runs. After that expression2 is executed. Once expression2 is done, control goes back to the condition (not to expression1, which is never repeated) and tests it again. As long as the condition is true the statement keeps running; only when it becomes false does the loop end.

(13) Sixth C program

Figure (8)

Figure (8) is a problem of finding three unknowns. We have to find x, y and z. It is solved with for loops. If you look at the program carefully you will see that it solves the system without doing any algebra at all: it simply tries every combination. This method is very useful in cracking when guessing passwords. Let us look at how the program works.

(1) First the three unknowns we want to find are declared as integers. (Note: the solutions of such problems will not always be integers. If no integer solution is found, declare them as float.)

    #include <stdio.h>
    #include <conio.h>

    int main()
    {
        /* Copyright © Myo Myint Htike, 2009 */
        int x, y, z;                               /* Declare 3 unknown variables */
        for (x = 0; x < 10; x++)                   // for(1; 2; 14)  After 14, then go to 2
            for (y = 0; y < 10; y++)               // for(3; 4; 12)  3=13
                for (z = 0; z < 10; z++)           // for(5; 6; 10)  5=11
                    if (2*x + 3*y - 4*z == -3)     // if 7 = true then do 8, else go to 10
                        if (4*x - 2*y + z == 6)    // if 8 = true then do 9
                            if (x - 3*y - 2*z == -15)   // if 9 = true then print x, y, z
                                printf(" x= %d\n y= %d\n z= %d", x, y, z);
        getch();
        return 0;
    }


(2) The for loop starts. Look carefully so that you understand how the for loop works. First x is set to zero. Then x is tested for being less than 10. If it is, execution moves down to the next line. y is set to zero. Then y is tested for being less than 10. If it is, execution moves down to the next line. z is set to zero. Then z is tested for being less than 10. If it is, execution moves down to the next line. Now (x=0, y=0, z=0) is substituted into 2x+3y-4z and tested for equality with -3. If equal, execution moves down to the next line. If not, 1 is added to z. So z goes from z=0 to z=1. z is tested again for being less than 10. If it is, execution moves down to the next line. Now (x=0, y=0, z=1) is substituted into 2x+3y-4z and tested again for equality with -3. If equal, execution moves down to the next line; if not, z is incremented again. In this way x, y and z are each stepped by one and the three equations are tested for equality. The number of tests lies somewhere between one and a thousand (10 x 10 x 10 combinations). Whenever all three equations hold, the printf() function prints the values of x, y and z; for this system that happens once, at x=2, y=3, z=4.

(3) x++ is the same as x = x + 1; (See under the heading Operator.)

(14) operator

Operators can be grouped by kind as follows.

(a) Arithmetic operators

(b) Unary operators

(c) Relational operators

(d) Assignment operators

(e) Logical operators

(f) Conditional operator

(g) Bitwise operators

(a) Arithmetic operators

The arithmetic operators are as follows:

    +   (addition)        adds values
    -   (subtraction)     subtracts values
    *   (multiplication)  multiplies values
    /   (division)        divides values (integer division when both operands are integers)
    %   (modulus)         gives the remainder of a division

(b) Unary operators

The unary operators are as follows:

    i++;   (post-increment)  adds one to the variable's value
    i--;   (post-decrement)  subtracts one from the variable's value
    ++i;   (pre-increment)   adds one to the variable's value
    --i;   (pre-decrement)   subtracts one from the variable's value

They are usually called the increment and decrement operators. What you must watch here is the difference between i++ and ++i. Written as below, they mean the same thing.

    int i = 0, j = 0;
    i++;
    ++j;

Here i and j end up with the same value, 1. Now look at another form.

    int i = 0, j = 0, x = 0, y = 0;
    x = x + (i++);
    y = y + (++j);


In this case x's value is zero while y's value is 1. That is, with i++ the current value of i is added to x first and only then is i incremented. That is why i++ is called post-increment. With ++j, j is incremented first and the new value is the one used.

(c) Relational operators

Relational operators are used together with the if statement, the for loop, the while loop and so on, to compare a condition or to compare variables.

    ==   (equal)                  tests whether two values are equal; true if they are
    !=   (not equal)              tests whether two values differ; true if they do
    >    (greater than)           true if the left value is greater
    <    (less than)              true if the left value is smaller
    >=   (greater than or equal)  true if the left value is greater or equal
    <=   (less than or equal)     true if the left value is smaller or equal

(d) Assignment operators

Assignment operators are used to set a variable equal to something; they are ...

    =   *=   /=   %=   +=   -=   <<=   >>=   &=   ^=   |=

They are used as follows.

    x = y + 10;   // x = y + 10;
    x *= 10;      // x = x * 10;
    x /= 10;      // x = x / 10;
    x <<= 3;      // x = x << 3;
    x ^= 30;      // x = x ^ 30;

(e) Logical operators

The logical operators are as follows:

    &&   (AND)  true when both conditions are true
    ||   (OR)   true when at least one of the two conditions is true
    !    (NOT)  true when the condition is false

They are used as follows.

    int x = 0;
    scanf("%d", &x);
    if (x > 0 && x < 40) printf("Fail");
    if (x > 75 || x == 75) printf("Credit");   /* the same as x >= 75 */
    if (!x) printf("The value of x is zero.");

(f) Conditional operator

The conditional operator has the form:

    logical-OR-expression ? expression : conditional-expression

It is used as follows.

    z = (a > b) ? a : b;   /* z = max(a, b) */

Writing this example, which takes the larger of a and b, in another way ...

    if (a > b)
        z = a;
    else
        z = b;

Either way z ends up as the larger of the two values.

(g) Bitwise operators

The bitwise operators are as follows.


    &    (bitwise AND)
    |    (bitwise inclusive OR)
    ^    (bitwise exclusive OR) (XOR)
    ~    (bitwise complement) (NOT)
    >>   (bitwise shift right)
    <<   (bitwise shift left)

They work bit by bit as follows.

                       AND     OR      XOR     NOT
    Source bit         0011    0011    0011    0 1
    Destination bit    0101    0101    0101
    Result             0001    0111    0110    1 0

>> corresponds to the assembly instruction SHR, and << corresponds to SHL. SHL and SHR move the bits in a register or memory location left or right by the given number of bit positions. (Strictly, >> on an unsigned value is SHR; on a negative signed value compilers emit SAR, which fills from the left with copies of the sign bit instead of zeros, so use unsigned types when you mean SHR.) Look at the example.

    unsigned int x = 0xBEEF;   // x = 1011111011101111 (binary); unsigned, so that >> is a plain SHR
    x = x >> 4;                // x = 0000101111101110
    printf("x = %X", x);       // x = BEE

To understand it better, look at another example.

    unsigned int x = 0xDEAD;            // x = 1101111010101101 (binary)
    x = (x >> 5) & ~(~0u << 3);         // keep the 3 bits that start at bit 7
    printf("x = %X", x);                // x = 5 (101)

Running this code gives the answer 5. Work out for yourself how that comes about (0xDEAD >> 5 is 0x6F5, and ~(~0u << 3) is the mask 0x7). You can convert hexadecimal to binary and back with the calculator (calc.exe).
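An added example, not from the book, that turns the (x >> 5) & ~(~0 << 3) trick above into the general field-extract and field-insert routines a serial-number routine is built from, and that shows the SHR/SAR difference on the book's own 0xBEEF value. The function names and the use of <stdint.h> widths are assumptions of the example:

```c
#include <stdint.h>
#include <stdio.h>

/* getbits(x, p, n): the n bits of x that start at bit position p, counted
   from 0 at the least significant end, moved down to the bottom.
   The page's (x >> 5) & ~(~0 << 3) is getbits(x, 7, 3). */
unsigned getbits(unsigned x, int p, int n)
{
    return (x >> (p + 1 - n)) & ~(~0u << n);
}

/* The inverse: write the n low bits of v into x at the same position.
   This is how a key routine packs several small fields into one 32-bit word. */
unsigned setbits(unsigned x, int p, int n, unsigned v)
{
    unsigned mask = ~(~0u << n);
    int shift = p + 1 - n;
    return (x & ~(mask << shift)) | ((v & mask) << shift);
}

/* >> on an unsigned value is SHR: zeros come in from the left. */
uint32_t shift_right_logical(uint32_t x, int n)
{
    return x >> n;
}

/* >> on a negative signed value is SAR on every mainstream compiler
   (the C standard leaves it implementation-defined): the sign bit is
   copied in, so the result stays negative and rounds toward minus infinity. */
int32_t shift_right_arithmetic(int32_t x, int n)
{
    return x >> n;
}

/* The page's 0xBEEF example on the book's 2-byte int: as int it is negative,
   so the shift is SAR and the result is 0xFBEE (-1042), not 0xBEE. */
int beef_as_signed_int16(void)
{
    int16_t x = (int16_t)0xBEEF;          /* -16657 */
    return (int16_t)(x >> 4);
}

/* The same value as unsigned: SHR, giving 0x0BEE as the page expects. */
unsigned beef_as_unsigned(void)
{
    uint16_t x = 0xBEEF;
    return x >> 4;
}

int main(void)
{
    printf("getbits(0xDEAD,7,3)  = %X\n", getbits(0xDEAD, 7, 3));
    printf("setbits(0xDEAD,7,3,0)= %X\n", setbits(0xDEAD, 7, 3, 0));
    printf("0xFFFFBEEF >> 4 (SHR)= %X\n", shift_right_logical(0xFFFFBEEFu, 4));
    printf("-16657 >> 4 (SAR)    = %d\n", shift_right_arithmetic(-16657, 4));
    printf("0xBEEF int16 >> 4    = %d\n", beef_as_signed_int16());
    printf("0xBEEF uint16 >> 4   = %X\n", beef_as_unsigned());
    return 0;
}
```

When you see SAR rather than SHR in a listing, the compiler believed the value was signed; that alone tells you the declared type of the variable you are looking at.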

(15) Function

A function is something that gathers a set of operations under one name; the parts a function must have are a return type, the function name, a parameter list and the function body where the code is written. Functions can be divided into two kinds: those that come with the compiler and those you create yourself. The ones that come with the compiler are functions such as printf() and scanf(). To use them you must include their header files. The built-in functions are not explained here.

(16) Seventh C program

Figure (9)

This program finds the first ten powers of 2 and of -3 (2^0, 2^1, 2^2, 2^3, 2^4, ... and (-3)^0, (-3)^1, (-3)^2, ...).

1. int power(int m, int n); declares that we are going to use a function we created ourselves. Because it is declared this way, the power() function can be called from anywhere you like, inside main() or outside it. The reason power() can be called from anywhere is its scope. In fact, writing int power(int m, int n); outside main() is the same as writing extern int power(int m, int n);. Here extern is a keyword, also called a storage class.

    #include <stdio.h>
    #include <conio.h>

    int power(int m, int n);     /* function prototype */

    int main()
    {
        int i;
        for (i = 0; i < 10; ++i)
            printf("%d %d %d\n", i, power(2, i), power(-3, i));
        getch();
        return 0;
    }

    /* power: raise base to the n-th power; n >= 0 */
    int power(int base, int n)
    {
        int i, p;
        p = 1;
        for (i = 1; i <= n; ++i)
            p = p * base;
        return p;
    }

2. There are 4 storage classes: auto, extern, static and register. All variables declared inside a function simply as int, float, char and so on, with nothing else written, are auto. Variables declared outside all functions simply as int, float, char and so on, with nothing else written, are extern (they are visible from other source files as well). static and register are rarely used and are not explained. If a function has no value to return, declare it void.

(17) Array

An array is a variable that groups together values of the same data type. If you want to group different data types, use the struct keyword. A one-dimensional array is declared as follows.

    int myanmar[60];

int myanmar[60]; declares storage for the Myanmar-language marks of sixty students. If it were not declared as an array we would have to declare int myanmar1, myanmar2, myanmar3; and so on. The program would then become long and confusing. For more clarity, let us look at another one.

    int exam_result[60][6];

This form declares storage for the results of six subjects for sixty students. It is a two-dimensional array. What to note here is that exam_result is the array's name, while 60 and 6 are the sizes of its two dimensions. The position of an element is called the array index. The array index always starts at 0 and ends at size-1.

Recall from under the heading "Data type" that if char is declared as an array it becomes a string rather than a single character. Let us look at that again.

    char my_string[11] = "I Love You.";   /* exactly 11 characters: no room left for the '\0' */
    int i;
    for (i = 0; i < 11; i++)
        printf("%c", my_string[i]);

Running this code shows the text 'I Love You.'. If for(i=0; i<11; i++) is changed to for(i=1; i<12; i++), the output becomes ' Love You. ' with a space after the full stop: my_string[11] lies outside the array, so this is a read past the end of the buffer, and the space is simply whatever byte happened to sit in memory there. A string is normally ended by a null terminator (\0), but only if the array has room for it. "I Love You." is 11 characters, so char my_string[11] holds no terminator at all (C allows this initializer, a C++ compiler rejects it), and strlen() or printf("%s") on it would keep reading past the end. Declare it as char my_string[12], or leave the size out, to get the terminator. If 12 is changed to 19, random characters appear, for the same reason.
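The unterminated array above is the simplest buffer over-read there is, so here is an added example, not from the book, of the two routines you want whenever a char array may be full to the brim: a length function that never reads past the array, and a copy that always leaves a terminator and reports truncation. bounded_len, copy_bounded and the helpers are names assumed by this example:

```c
#include <stdio.h>
#include <string.h>

/* Length of the text in buf without ever reading past cap bytes, for arrays
   that may have been filled completely and so have no '\0'
   (the same idea as POSIX strnlen(), written out here). */
size_t bounded_len(const char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst, always leaving dst terminated. Returns 0 when the whole
   string fit and -1 when it had to be cut: strcpy() would have written past
   the end, strncpy() would have dropped the terminator. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0)
        return -1;
    if (len >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* The page's array: 11 characters in an 11-byte array, so no terminator.
   bounded_len() stops at the array end instead of running on like strlen(). */
size_t demo_unterminated(void)
{
    char my_string[11] = "I Love You.";
    return bounded_len(my_string, sizeof my_string);
}

/* Copy into a 5-byte buffer and return the text (static buffer, demo only). */
const char *copy_into_5(const char *src)
{
    static char dst[5];
    copy_bounded(dst, sizeof dst, src);
    return dst;
}

/* 1 if src fits into a 5-byte buffer with its terminator, else 0. */
int fits_in_5(const char *src)
{
    char dst[5];
    return copy_bounded(dst, sizeof dst, src) == 0;
}

int main(void)
{
    printf("length of the 11-byte array: %zu\n", demo_unterminated());
    printf("\"I Love You.\" into 5 bytes : \"%s\" (fits: %d)\n",
           copy_into_5("I Love You."), fits_in_5("I Love You."));
    printf("\"Love\" into 5 bytes        : \"%s\" (fits: %d)\n",
           copy_into_5("Love"), fits_in_5("Love"));
    return 0;
}
```

The return value of copy_bounded is the point: a copy that silently truncates is only slightly better than one that overflows, because the caller then acts on a string that is not the one it was given.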

(18) Pointer

A pointer is a variable that holds the address of another variable. Pointers are used a great deal in C. Pointers and arrays are also closely related. For clarity, look at an example (the comments show the x86 instructions a compiler produced for each line, assuming EBP = 12FF8C).

    int x = 1, y = 2, z[10];   // MOV DWORD PTR SS:[EBP-4], 1
    int *ip;                   // declare ip as a pointer to int
    ip = &x;                   // LEA EAX, DWORD PTR SS:[EBP-4]   ip holds the (load effective) address where x is stored: 12FF88
    y = *ip;                   // MOV EDX, DWORD PTR DS:[EAX]     y becomes 1
    *ip = 0;                   // MOV DWORD PTR DS:[EAX], 0       the int that ip points to, that is x, becomes 0
    ip = &z[0];                // LEA EAX, DWORD PTR SS:[EBP-2C]  ip now holds the address of z[0]: 12FF60
    printf("%d %d %X %X", x, y, *ip, ip);
                               // PUSH DWORD PTR SS:[EBP-4], PUSH EDX, PUSH DWORD PTR DS:[EAX], PUSH EAX
                               // so the output is 0 1 0 12FF60 (z[0] is uninitialized; 0 is what it happened to hold;
                               // %p, not %X, is the portable way to print a pointer)

The unary operator & gives the address of an object. The & operator can only be applied to variables and array elements that live in memory. It cannot be applied to expressions, constants or register variables.

The unary operator * is called the indirection or dereferencing operator. Applied to a pointer, it accesses the object the pointer points to.

(19) Eighth C program


Figure (10)

This program reports the number of characters in the text you type and checks whether it matches a predefined text. Notice that this program uses pointers and arrays together.

(20) String

This time we will study strings a little. To use the string functions, include <string.h>. Some of the string functions are as follows.

    strcpy(str1, str2)            copies the characters of str2 into str1
    strncpy(str1, str2, length)   copies at most length characters of str2 into str1 (no terminator is added if str2 has length characters or more)
    strcmp(str1, str2)            compares str1 with str2; returns 0 when they are equal
    strcmpi(str1, str2)           compares str1 with str2 ignoring case (Borland; stricmp or strcasecmp on other compilers)
    strlen(str)                   gives the number of characters in str (not counting the '\0')
    strcat(str1, str2)            appends str2 to str1; the result is stored in str1

In the program in Figure (10) you will see that strlen() has been written by hand. In fact this program writes its own strlen() only in order to explain pointers. We do not need to write most of the string functions ourselves: include <string.h> and use them ready-made. For more clarity look at the ninth program, where strcmpi() is used directly.

    #include <stdio.h>
    #include <conio.h>

    int strlen(char *string);
    int strcmp(char *string1, char *string2);

    int main()
    {
        char get_string[100];
        int length, k;
        char *comp_str = "My Love";

        /* the original used gets(get_string), which cannot be told the buffer size
           and overflows on a long line; fgets() stops at sizeof(get_string) - 1 */
        if (fgets(get_string, sizeof get_string, stdin) == NULL)
            return 1;
        for (k = 0; get_string[k] != '\0'; k++)      /* drop the newline that fgets() keeps */
            if (get_string[k] == '\n') { get_string[k] = '\0'; break; }

        length = strlen(get_string);
        printf("String Length = %d", length);
        if (strcmp(get_string, comp_str) != 0)
            printf("\n\"%s\" and \"%s\" are not equal.", get_string, comp_str);
        getch();
        return 0;
    }

    /* strlen: return length of string s */
    int strlen(char *s)
    {
        int n;
        for (n = 0; *s != '\0'; s++)
            n++;
        return n;
    }

    /* strcmp: return <0 if s<t, 0 if s==t, >0 if s>t */
    int strcmp(char *s, char *t)
    {
        for ( ; *s == *t; s++, t++)
            if (*s == '\0')         /* reached the end of both at once: equal */
                return 0;
        return *s - *t;
    }


(21) Ninth C program

Figure (11)

This program is the password program that a great many Myanmar programmers tend to write. It asks you to type a password on the keyboard. If the password is wrong, it asks for another password. If it is right, it runs the designated function. This program has plenty of weaknesses: the expected password sits in clear text inside the executable, where a strings dump or a debugger shows it at once; gets() cannot be told the size of the 80-byte buffer, so a long line overflows the stack; and every wrong attempt makes another nested call, so the stack grows without bound. If you disregard debuggers, you could still say the program is written rather cleverly. It uses recursion on the function to keep the program compact. (Recursion means a function calling itself repeatedly.)

    #include <stdio.h>
    #include <conio.h>
    #include <string.h>

    void Password(void);

    int main()
    {
        Password();
        getch();
        return 0;
    }

    void Password(void)
    {
        /* Copyright © Myo Myint Htike, 2009 */
        char password[80];
        printf("\nEnter Password:");
        gets(password);                            /* unbounded read into an 80-byte buffer */
        if (strcmpi(password, "PASSWORD") == 0)    /* case-insensitive compare against a clear-text constant */
            printf("\nYou really did it. Congratulations!");
        else {
            printf("\nTry again!\n");
            Password();                            /* recursion: one more stack frame per wrong try */
        }
    }

(22) File I/O

This time we will look at a few file-related functions: how to read data from a file. To use the file functions, include <stdio.h>. Some of the file functions are as follows.

    fopen(filename, mode)        opens a file for writing or reading; returns a FILE pointer, or NULL on failure
    fclose(filepointer)          closes the file (it takes the FILE pointer, not the file name)
    feof(filepointer)            tests whether the end of the file has been reached (it only reports a read that has already failed)
    fscanf(filepointer, format)  reads data from the file

Most of the file functions work the same way as the ordinary input/output functions. The one difference is that the file functions must be told which file to take the data from.

(23) Last C program

This time let us write a program that solves a small problem found in the cracker test program.

Figure (12)
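As an added example, not from the book, here is the ninth program's check rewritten without the three weaknesses named above: the line is read with fgets() into a bounded buffer, the attempts run in a plain loop with a limit instead of recursion, and the comparison takes the same time whether the first or the last character is wrong, so a debugger-less attacker cannot time the check character by character. Unlike the original it compares case-sensitively, and the expected value is still a clear-text constant (storing only a salted hash of it is the real fix and is outside this example). ct_equal, read_line, password_prompt and demo are names assumed here, and the two-line input is constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>

/* Compare two strings in time that depends only on their length, not on
   where they first differ. Both must be '\0'-terminated. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    size_t i;
    for (i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Read one line into buf without overflowing it (fgets() in place of gets())
   and drop the trailing newline. Returns 0 at end of input. */
int read_line(FILE *in, char *buf, size_t cap)
{
    size_t len;
    if (fgets(buf, (int)cap, in) == NULL)
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[len - 1] = '\0';
    return 1;
}

/* A bounded number of tries in a loop, so a wrong guess costs no stack.
   Returns the attempt number (1-based) on success, 0 if every try fails
   or the input runs out. */
int password_prompt(FILE *in, const char *expected, int max_tries)
{
    char line[80];
    int attempt;
    for (attempt = 1; attempt <= max_tries; attempt++) {
        printf("Enter Password: ");
        if (!read_line(in, line, sizeof line))
            return 0;
        if (ct_equal(line, expected))
            return attempt;
        printf("Try again!\n");
    }
    return 0;
}

/* Run the prompt on constructed input instead of the keyboard:
   one wrong line, then the right one. */
int demo(void)
{
    FILE *f = tmpfile();
    int result;
    if (f == NULL)
        return -1;
    fputs("password\nPASSWORD\n", f);
    rewind(f);
    result = password_prompt(f, "PASSWORD", 3);
    fclose(f);
    return result;
}

int main(void)
{
    printf("accepted on attempt %d\n", demo());
    return 0;
}
```

Note that ct_equal still reveals the length of the expected string through its running time; padding the comparison to a fixed maximum length removes even that.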


    0043B374 PUSH EBP
    0043B375 MOV EBP,ESP
    0043B377 ADD ESP,-10
    0043B37A PUSH EBX
    0043B37B PUSH ESI
    0043B37C PUSH EDI
    0043B37D XOR ECX,ECX
    0043B37F MOV [LOCAL.4],ECX
    0043B382 MOV [LOCAL.1],EAX
    0043B385 XOR EAX,EAX
    0043B387 PUSH EBP
    0043B38D PUSH DWORD PTR FS:[EAX]
    0043B390 MOV DWORD PTR FS:[EAX],ESP
    0043B393 XOR EBX,EBX
    0043B395 XOR ESI,ESI
    0043B397 MOV [LOCAL.2],10
    0043B39E LEA EDX,[LOCAL.4]
    0043B3A1 MOV EAX,[LOCAL.1]
    0043B3A4 MOV EAX,DWORD PTR DS:[EAX+294]
    0043B3AF MOV EAX,[LOCAL.4]
    0043B3B7 TEST EAX,EAX
    0043B3B9 JLE SHORT Cracker_.0043B3F5
    0043B3BB MOV [LOCAL.3],EAX
    0043B3BE MOV EDI,1
    0043B3C3 LEA EDX,[LOCAL.4]
    0043B3C6 MOV EAX,[LOCAL.1]
    0043B3C9 MOV EAX,DWORD PTR DS:[EAX+294]
    0043B3D4 MOV EAX,[LOCAL.4]
    0043B3D7 MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
    0043B3DC LEA EDX,DWORD PTR DS:[EDI+ESI]
    0043B3DF ADD EAX,EDX
    0043B3E1 MOV ESI,EAX
    0043B3E3 ADD EBX,EBX
    0043B3E5 XOR EBX,ESI
    0043B3E7 MOV EAX,ESI
    0043B3E9 CDQ
    0043B3EA IDIV EDI
    0043B3EC INC EDX
    0043B3ED ADD EBX,EDX
    0043B3EF INC EDI
    0043B3F0 DEC [LOCAL.3]
    0043B3F3 JNZ SHORT Cracker_.0043B3C3
    0043B3F5 DEC [LOCAL.2]
    0043B3F8 JNZ SHORT Cracker_.0043B39E
    0043B3FA CMP ESI,3810
    0043B400 JNZ SHORT Cracker_.0043B40A
    0043B402 CMP EBX,402A4FE7
    0043B408 JE SHORT Cracker_.0043B424
    0043B40A MOV EAX,Cracker_.0043B4AC ; ASCII "Sorry, not the right one - try again !"
    0043B40F CALL Cracker_.004338AC
    0043B414 MOV EAX,[LOCAL.1]
    0043B417 MOV EAX,DWORD PTR DS:[EAX+294]
    0043B41D MOV EDX,DWORD PTR DS:[EAX]
    0043B41F CALL DWORD PTR DS:[EDX+78]
    0043B422 JMP SHORT Cracker_.0043B47D
    0043B424 MOV EAX,EBX
    0043B426 SUB EAX,ESI
    0043B428 CMP EAX,402A17D7
    0043B42D JE SHORT Cracker_.0043B449

Figure (13) (the listing as captured skips some instructions where the addresses are not consecutive, for example between 0043B3A4 and 0043B3AF)


The given task is as shown in Figure (12). You are asked to guess a word. The cracker test program is a program written to test crackers' skill and has eight levels (very very easy, very easy, easy, not entirely easy, somewhat harder, hard, very hard, very very hard). The level you see here is level 3 (easy). When this program is examined with the Olly debugger, the code found is what you see in Figure (13). Solving the code in Figure (13) by hand or with a calculator is absolutely (absolutely) impossible, however good you are. So I tried to solve it by writing a program. Written in C, it looks like Figure (14).

    #include <conio.h>    // Compiled by Borland C++.
    #include <stdio.h>    // Coded by Myo Myint Htike.
    #include <string.h>   // Date - 2009 March 13
    #include <stdlib.h>
    #include <math.h>

    int main()
    {
        FILE *fileread = fopen("english.dic", "r");   /* "r": the file is only read (the original's "a+" also opened it for appending) */
        char password[50];
        int EDI, i, j, EDX = 0, EAX = 0, ESI = 0, EBX = 0;  /* as unsigned int the 32-bit wrap-around of EBX would be well defined */

        if (fileread == NULL) {
            printf("cannot open english.dic\n");
            return 1;
        }
        /* one word per iteration; %49s keeps fscanf() inside the 50-byte buffer, and testing
           its return value avoids the feof() trap of handling the last word twice */
        while (fscanf(fileread, "%49s", password) == 1) {
            int character_count = 0;
            div_t div_result;
            printf("%s\n", password);
            character_count = strlen(password);
            EDX = 0; ESI = 0; EDI = 0; EBX = 0;
            EDX = 1;
            for (i = 0; i < 16; i++) {                            // for loop 1: [LOCAL.2] counts 0x10 passes
                EDI = 1;
                for (j = 0; j < character_count; j++) {           // for loop 2: one step per character
                    EAX = (unsigned char)password[j];             // MOVZX EAX, BYTE PTR [EAX+EDI-1] (zero-extended byte)
                    EDX = ESI + EDI;                              // LEA EDX, [EDI+ESI]
                    EAX = EAX + EDX;                              // ADD EAX, EDX
                    ESI = EAX;                                    // MOV ESI, EAX
                    EBX = EBX + EBX;                              // ADD EBX, EBX
                    EBX = EBX ^ ESI;                              // XOR EBX, ESI
                    EAX = ESI;                                    // MOV EAX, ESI
                    div_result = div(EAX, EDI);                   // CDQ / IDIV EDI
                    EDX = div_result.rem;
                    EDX++;                                        // INC EDX
                    EBX = EBX + EDX;                              // ADD EBX, EDX
                    EDI++;                                        // INC EDI
                }  // end of for loop 2
            }  // end of for loop 1
            if (ESI == 0x3810 && EBX == 0x402A4FE7) {             // CMP ESI,3810 / CMP EBX,402A4FE7
                printf("Word is = %s\n", password);               // Ans: firmware
                getch();
            }  // end of if statement
        }  // end of while loop
        fclose(fileread);
        getch();
        return 0;
    }

Figure (14)
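As an added example, not from the book, the routine of Figure (13) ported once more, this time as a function that can be called on any word, with the registers as uint32_t so that the repeated doubling of EBX wraps exactly as the 32-bit CPU does, and with the dictionary loop driven by the return value of a bounded fscanf(). The word list it runs on is a constructed three-word file, not english.dic, and cracker_hash, esi_of, ebx_of, dictionary_search and demo_search are names assumed here. One thing the port makes visible: ESI does not depend on the order of the letters at all, since every pass adds the sum of the bytes plus 1+2+...+len, so ESI = 16 * (sum of bytes + len*(len+1)/2). For the book's answer "firmware" that is 16 * (861 + 36) = 14352 = 0x3810, the first constant, which you can check by hand; the EBX half can only be checked by running the code:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Port of the routine in Figure (13): 16 passes over the word,
   registers as uint32_t so that the wrap-around is well defined. */
void cracker_hash(const char *word, uint32_t *esi_out, uint32_t *ebx_out)
{
    uint32_t esi = 0, ebx = 0;
    size_t len = strlen(word);
    int pass;
    for (pass = 0; pass < 16; pass++) {          /* [LOCAL.2] = 0x10 passes */
        uint32_t edi = 1;
        size_t j;
        for (j = 0; j < len; j++) {
            uint32_t c = (unsigned char)word[j];  /* MOVZX EAX, BYTE PTR [EAX+EDI-1] */
            esi = esi + edi + c;                  /* LEA EDX,[EDI+ESI]; ADD EAX,EDX; MOV ESI,EAX */
            ebx = (ebx + ebx) ^ esi;              /* ADD EBX,EBX; XOR EBX,ESI */
            ebx += (esi % edi) + 1;               /* CDQ; IDIV EDI; INC EDX; ADD EBX,EDX */
            edi++;                                /* INC EDI */
        }
    }
    *esi_out = esi;
    *ebx_out = ebx;
}

uint32_t esi_of(const char *word) { uint32_t e, b; cracker_hash(word, &e, &b); return e; }
uint32_t ebx_of(const char *word) { uint32_t e, b; cracker_hash(word, &e, &b); return b; }

/* Read words from an open file and return the first one whose two register
   values both match; the word is copied into found (cap bytes). */
int dictionary_search(FILE *dict, uint32_t want_esi, uint32_t want_ebx,
                      char *found, size_t cap)
{
    char word[50];
    while (fscanf(dict, "%49s", word) == 1) {     /* bounded read, stops cleanly at EOF */
        uint32_t esi, ebx;
        cracker_hash(word, &esi, &ebx);
        if (esi == want_esi && ebx == want_ebx) {
            snprintf(found, cap, "%s", word);
            return 1;
        }
    }
    return 0;
}

/* Run the search over a constructed three-word list instead of english.dic.
   Returns the matching word (static buffer) or NULL. */
const char *demo_search(uint32_t want_esi, uint32_t want_ebx)
{
    static char found[50];
    FILE *f = tmpfile();
    int hit;
    if (f == NULL)
        return NULL;
    fputs("aaron\nfirmware\nzebra\n", f);        /* constructed word list */
    rewind(f);
    hit = dictionary_search(f, want_esi, want_ebx, found, sizeof found);
    fclose(f);
    return hit ? found : NULL;
}

int main(void)
{
    const char *hit = demo_search(0x3810, 0x402A4FE7);   /* the crack-me's two constants */
    printf("firmware: ESI=%08X EBX=%08X\n", esi_of("firmware"), ebx_of("firmware"));
    printf("match in list: %s\n", hit ? hit : "(none)");
    return 0;
}
```

Because ESI is so cheap to predict, a faster attack filters the dictionary on the ESI constant first and only runs the full 16-pass routine on the few words that survive.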


Look at how the source code shown in Figure 14 works, line by line, until you understand it. If you thoroughly understand how this program works, you can be confident that you have understood everything I explained about the C language. If you do not understand it yet, go back and reread the lesson.

1. The <stdlib.h> header file is included for div_t.

2. FILE *fileread = fopen("english.dic","a+"); says that the file english.dic is going to be read. In other words, the password (word) we are looking for is inside this english.dic file. Dictionary (.dic) files are the files crackers use when checking passwords by matching, and they contain hundreds of thousands of words from the English dictionary. The more words there are, the closer you come to finding the answer. Download these dictionary (.dic) files from the Internet. Besides an English dictionary, a cracker should have all kinds of dictionaries: Latin, French, Italian, medical and so on.

3. char password[50]; declares that the word read will have at most 50 characters. Have you ever seen an English word longer than 50 letters? If you have, change 50 to 200. I don't think there is any English word longer than 200 letters. ☺

4. while(!feof(fileread)){ } means: keep reading the english.dic file until the last word has been read and the end of the file is reached. In other words, read every word in english.dic.

5. fscanf(fileread,"%s", password); reads the first word from english.dic. Let us assume the first word is aaron. Then password = "aaron". The password is displayed on the screen with the printf() function. The printf() function can be left out; without it the program runs faster.

6. character_count = strlen(password); computes the number of letters in the password word. Since it is aaron, that is 5.

7. for(j=0; j<character_count; j++){ } changes according to the number of letters in the password. Here, since there are 5 letters, it becomes for(j=0; j<5; j++).

8. Note EAX = password[j];. We declared EAX as an integer (int). password was declared as a character string (char []). What the C++ compiler understands at this point is password[5] = "aaron"; and EAX = password[0] = 'a' = 0x61;. The thing to remember here is that "a" and 'a' are not the same. Writing "a" refers to a string, while writing 'a' refers to a character. A character can hold only a single letter, whereas a string holds one or more letters.

9. EDX = ESI + EDI; you will understand. It simply adds the values of ESI and EDI: EDX = ESI + EDI = 0 + 1 = 1.

10. Working out EAX = EAX + EDX; gives EAX = 0x61 + 1 = 0x62.

11. So the value of ESI is 0x62.

12. EBX = EBX + EBX; gives EBX = 0 + 0 = 0.

13. EBX = EBX ^ ESI; gives EBX = 0 ^ 0x62 = 0x62.

14. Since EAX equals the value of ESI, it is 0x62.

15. div_result = div(EAX, EDI); divides EAX by EDI: EAX = 0x62 / 1 = 0x62.

16. By EDX = div_result.rem; the remainder of the division is stored in EDX. So the value of EDX becomes 0.

17. Because EDX++; is written, 1 is added to EDX. At this point EDX is 1 again.

18. EBX = EBX + EDX; gives EBX = 0x62 + 1 = 0x63.

19. By EDI++; 1 is added to EDI, so EDI becomes 2.

20. Then, because for(j=0; j<5; j++) performs j++, j becomes 1 instead of 0 and the for loop runs again. In this way for(j=0; j<5; j++) runs 5 times and for(i=0;i<16;i++) runs 16 times, and after a total of 80 loop iterations the results are ESI = 0x2200 and EBX = 0xBFC8757F.

21. It checks whether the results in ESI and EBX equal 0x3810 and 0x402A4FE7 and, if they do, prints the correct answer. (Note: when the program reads firmware instead of aaron, for(j=0; j<character_count; j++){ } becomes for(j=0; j<8; j++). In this way for(j=0; j<8; j++) runs 8 times and for(i=0;i<16;i++) runs 16 times, and after a total of 128 loop iterations the results are ESI = 0x3810 and EBX = 0x402A4FE7.)

22. One thing to note: a = 0x61, b = 0x62, c = 0x63, ..., z = 0x7A, and A = 0x41, B = 0x42, C = 0x43, ..., Z = 0x5A.
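The loop from Figure 14 again, as an added example that is not the book's own code: the check is pulled out into a pure function over one word so the two halves of the comparison can be studied separately, and the dictionary file is replaced by a constructed in-memory word list. The target constants 0x3810 and 0x402A4FE7 come from the listing above; everything else (function names, the sample words) is assumed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two values the crackme compares against (from the Figure 14 listing). */
#define TARGET_ESI 0x3810u
#define TARGET_EBX 0x402A4FE7u

typedef struct {
    uint32_t esi;   /* running sum */
    uint32_t ebx;   /* doubling/xor mix; wraps at 32 bits */
} crackme_hash_t;

/* Same loop as Figure 14, written as a pure function on one word.
 * uint32_t makes the wrap-around of EBX well defined (the Borland build
 * relied on 32-bit int overflow behaving the same way). */
crackme_hash_t crackme_hash(const char *word)
{
    crackme_hash_t h = {0, 0};
    size_t n = strlen(word);
    for (int i = 0; i < 16; i++) {             /* for loop 1: 16 rounds */
        uint32_t edi = 1;
        for (size_t j = 0; j < n; j++) {       /* for loop 2: one letter each */
            uint32_t c = (unsigned char)word[j];
            h.esi = h.esi + edi + c;           /* EDX = ESI+EDI; EAX += EDX; ESI = EAX */
            h.ebx = (h.ebx + h.ebx) ^ h.esi;   /* EBX = EBX+EBX; EBX ^= ESI */
            h.ebx += (h.esi % edi) + 1;        /* div(EAX,EDI).rem + 1 added to EBX */
            edi++;
        }
    }
    return h;
}

/* ESI ignores the mixing entirely: every round adds the sum of the letters
 * plus 1+2+...+n, so ESI = 16 * (sum(letters) + n(n+1)/2). The ESI half of
 * the check therefore only fixes the letter sum and the length; only EBX
 * depends on the order of the letters. */
uint32_t crackme_esi_closed_form(const char *word)
{
    uint32_t n = (uint32_t)strlen(word), sum = 0;
    for (uint32_t j = 0; j < n; j++) sum += (unsigned char)word[j];
    return 16u * (sum + n * (n + 1) / 2);
}

int crackme_matches(const char *word, uint32_t want_esi, uint32_t want_ebx)
{
    crackme_hash_t h = crackme_hash(word);
    return h.esi == want_esi && h.ebx == want_ebx;
}

/* Scan an in-memory word list (standing in for english.dic). Returns the
 * index of the first word passing both checks, or -1. The cheap closed-form
 * ESI test runs first so most words never reach the 16-round loop. */
int scan_wordlist(const char *const *words, size_t count,
                  uint32_t want_esi, uint32_t want_ebx)
{
    for (size_t k = 0; k < count; k++) {
        if (crackme_esi_closed_form(words[k]) != want_esi) continue;
        if (crackme_matches(words[k], want_esi, want_ebx)) return (int)k;
    }
    return -1;
}

int main(void)
{
    /* constructed sample list; "firmware" is the answer named in Figure 14 */
    static const char *const words[] = {"aaron", "abacus", "firmware", "zebra"};
    size_t n = sizeof words / sizeof words[0];
    for (size_t k = 0; k < n; k++) {
        crackme_hash_t h = crackme_hash(words[k]);
        printf("%-10s ESI=0x%04X EBX=0x%08X\n", words[k],
               (unsigned)h.esi, (unsigned)h.ebx);
    }
    int idx = scan_wordlist(words, n, TARGET_ESI, TARGET_EBX);
    printf("match: %s\n", idx >= 0 ? words[idx] : "(none)");
    return 0;
}
```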

Chapter (3) - Basic Assembly Language

(1) Introduction

Assembly language was really created as a replacement for the binary code that the computer understands. In the old days, before high-level languages appeared, programs were written in Assembly. Assembly code expresses directly the instructions that make the processor work. For example -

ADD EAX, EDX

This instruction adds two numeric values. EAX and EDX are called registers. They can hold values, and they are kept inside the processor. This code is converted into the hexadecimal code (hexcode) 66 03 C2. The processor reads this code and executes the instruction that corresponds to it. High-level languages like C convert their own language into Assembly. Assembly converts this code into binary code.

C code        >> Compiler >>   Assembly code   >> Assembler >>   Raw output (hex)
a = a + b;                     ADD EAX, EDX                       66 03 C2

You will notice here that the Assembly code is quite simple. The output depends on the C code.

(2) Why use Assembly?

If programming in Assembly is hard, why use Assembly instead of C (or) something else? The answer is simple. Assembly programs are small and fast. In programming languages of the artificial-intelligence kind, compilers find it very hard to generate code. However good compilers become, they have to generate Assembly code in order to be as fast and as small as possible. If you can write the code yourself, you can produce smaller and faster code. But doing so is harder than with high-level languages.

A difference found in some high-level languages is that, while running, they have to use DLL files for some of their operations. For example, Visual C++ has the file msvcrt.dll, which contains its standard C functions. This is mostly fine, but sometimes it causes trouble with DLL versions. So users always have to keep these files on the computer. For Visual C++ this is not much of a problem; its files usually come with Windows. Visual Basic, however, cannot convert its language into Assembly code. (Version 5 and above can do so a little, but not completely.) They depend on msvbvm50.dll, the Visual Basic Virtual Machine. You will find that code written in VB calls this DLL file many times. That is why VB programs are slow. Assembly is the fastest language. It only uses the Windows system DLL files such as kernel32.dll and user32.dll.

Most people have the misconception that programming in Assembly language is impossible. Certainly it is hard, but it is not impossible. Writing a big project in Assembly is really hard. Assembly is mostly used only for writing small programs, or for writing DLL files that need to be fast when called from programs written in other programming languages. Likewise, there are big differences between DOS and Windows programs. DOS programs use interrupts as functions. In Windows it is the API, the Application Programming Interface. This interface contains the functions programs need. In DOS programs, the interrupts have an interrupt number and a function number. In Windows, the API functions have names (e.g. MessageBox, CreateWindowEx). You can import DLLs. All of this is very easy in Assembly.

(3) Assembly basics

(3.1) Opcodes

Assembly programs are built from opcodes. An opcode is an instruction that the processor understands. For example -

ADD

The ADD instruction adds two numeric values. Most opcodes have operands.

ADD EAX, EDX (destination, source)

ADD has two operands. In this addition there is a source and a destination. It adds the value of the source into the destination value. Then it keeps the result in the destination. Operands can be of various kinds (e.g. a register, a memory location, an immediate value).

(3.2) Registers

Register sizes are 8-bit, 16-bit and 32-bit (MMX processors can have more). In 16-bit programs the usable registers are the 16-bit registers and the 8-bit registers. In 32-bit programs the 32-bit registers can be used as well.

Some registers are parts of other registers. For example, if EAX holds the value EA7823BBh, the values that may be in the other registers are -

EAX   EA 78 23 BB
AX          23 BB
AH          23
AL             BB

AX, AH and AL are parts of EAX. EAX is a 32-bit register. (It can only be used on 80386 and later processors.) AX holds the lower 16 bits of EAX, AH holds the upper byte of AX, and AL holds the lower byte of AX. So AX is 16-bit, while AL and AH are 8-bit. The example below shows the values of the registers.

eax = EA7823BB (32-bit)

ax = 23BB (16-bit)

ah = 23 (8-bit)

al = BB (8-bit)

This is how the registers are used -

low-level language        high-level language
mov eax, 12345678h        EAX = 12345678h (305419896)
mov cl, ah                CL = 56h (86)
sub cl, 10                CL = CL - 10
mov al, cl                AL = CL

Let's examine the code written above a little. The MOV instruction can move a value from a register, a memory location (or) an immediate value into another register. Next, the value of AH (the 4th byte from the left of EAX) is copied into CL (the lowest part of the ECX register). Then 10 is subtracted from CL and the result is put back into AL (the lowest part of EAX).

There are many kinds of registers.

(3.2.1) General-purpose registers

EAX (Accumulator) used for arithmetic operations and for storing strings.

EBX (Base) used in connection with the stack.

ECX (Counter) used for counting.

EDX (Data) usually holds the remainder of a division.

Although they have different names, you can use them however you like.

(3.2.2) Segment registers

They are called segment registers because they are used for segments of memory. You will not need to know about these in Windows, because Windows has a flat memory model. In DOS, memory is divided into segments of 64KB. So if you want to specify a memory address, you have to specify a segment and an offset as follows: 0172:0500 (segment:offset). In Windows the size of a segment is as large as 4GB, so in Windows segments are not needed. Segment registers are always 16-bit registers.

CS (Code segment) the memory section that holds the code

DS (Data Segment) the memory section that holds the data

ES (Extra Segment) commonly used for video operations.

SS (Stack Segment) the register used to store the addresses sent by routines

FS (286+) general-purpose segment

GS (386+) general-purpose segment

(3.2.3) Pointer/Index registers

You can actually use the pointer registers as general-purpose registers (except for EIP) as long as you do not change their original value. The reason they are called pointer registers is that they very often hold memory addresses. Some opcodes (movb, scasb, ...) use them.

esi (source index) used to specify the source of a string/array.

edi (destination index) used to specify the destination of a string/array.

eip (instruction pointer)

holds the address of the next instruction, so it cannot be changed directly. (See the 'Olly Debugger' chapter.)

(3.2.4) Stack registers

There are two stack registers, ESP and EBP. ESP holds the position of the current stack in memory. EBP is used in functions as a pointer related to the local variables.

esp (stack pointer) points to a specific position in the stack.

ebp (base pointer) used together with the stack pointer for stack operations.

(4.0) Memory

In this chapter I will explain how memory is handled in Windows.

(4.1) DOS & Win 3.xx

In the 16-bit programs found in DOS and Windows 3.xx, memory is divided into segments. These segments are 64KB in size. To access memory, a segment pointer and an offset pointer are needed. The segment pointer indicates which segment to use, and the offset pointer indicates the position within that segment. Look at the figure below.

Memory

SEGMENT 1 (64kb)

SEGMENT 2 (64kb)

SEGMENT 3 (64kb)

SEGMENT 4 (64kb) and so on

Keep in mind that what I am explaining now is for 16-bit programs. The table above divides the whole of memory into 64KB segments. There are at most 65536 segments. Let's look at one of those segments.

SEGMENT 1 (64kb): Offset 1, Offset 2, Offset 3, Offset 4, Offset 5 and so on

If you want to point to a position inside the segment, you use the offset. An offset is a position inside the segment. A segment has at most 65536 offsets. To describe a location in memory -

SEGMENT:OFFSET

For example -

0030:4012

This means the segment is 0030 and the offset is 4012. If you want to know what that address is, you first have to go to segment 30 and then look for offset 4012 inside that segment. Back in heading (3) we studied the segment and pointer registers. The kinds of segment registers are -

CS (Code segment)
DS (Data Segment)
ES (Extra Segment)
SS (Stack Segment)
FS (286+)
GS (386+)

The names given describe their respective functions. CS holds the code currently running. DS is for fetching data for the current segment. The stack refers to SS. ES, FS and GS are general-purpose registers and can be used for any segment. The pointer registers usually hold an offset. But the general-purpose registers AX, BX, CX and DX can be used for this as well. IP points to the offset (within CS) of the instruction currently executing.

The figure below shows how the registers work in Olly debugger when cracking.

SP holds the offset (within SS) of the current stack position.

(4.2) 32-bit Windows

When writing programs in the 16-bit days, segments were indispensable. Fortunately, 32-bit Windows (95 and above) solved this problem. Segments still exist, but we no longer need to care about them, because they are no longer 64KB but 4GB. If you try to change one of the segment registers, you will probably run into trouble with Windows. They only have offsets, and these are now 32-bit. So their range runs from zero to 4,294,967,295. Any location in memory can be pointed to with just an offset. This is one of the best advantages of 32-bit over 16-bit. So you can forget about the segment registers now and pay more attention to the other registers.

(5.0) Opcodes

Opcodes are the instructions for the processor. Opcodes are really the 'readable text' form of raw hexadecimal code. Because of this, assembler is the lowest level among programming languages, and anything written in assembler is converted directly into hexadecimal code.

In this chapter I will discuss some opcodes related to arithmetic and to bitwise operations. Other opcodes, such as the jump instructions and the compare opcodes, will be discussed in a later chapter.

(5.1) Basic arithmetic opcodes

MOV

This instruction is used to move (copy) a value from one place to another. The 'place' in this expression can be a register, a memory location, or an immediate value (a literal value). The form of the mov instruction is -

mov destination, source;

You can move a value from one register to another. (Note: despite its name 'move', the instruction actually copies the value to the other place.)

mov edx, ecx;

The instruction shown above copies the contents of ECX into EDX. The sizes of source and destination must be the same. The instruction shown below is not valid.

mov al, ecx; // wrong form

This opcode is trying to put a DWORD (32-bit) value into a register location that is only a byte (8-bit) in size. The mov instruction cannot do this. (Other instructions can.) But the instructions below can be used with mov, because source and destination do not differ in size.

mov al, bl;
mov cl, dl;
mov cx, dx;
mov ecx, ebx;

A memory location is indicated by an offset. You can take a value from a specific location in memory and put it into a register. Take the table below as an example.

offset  34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42
data    0D 0A 50 32 44 57 25 7A 5E 72 EF 7D FF AD C7

(Each cell represents one byte.)

Here, although the offset value represents a single byte, it is 32-bit. For example, look at 3A. It is also a 32-bit value (0000003Ah). To save space, some small offset values that are not actually in use are used here. All values are hex codes.

Look at offset 3A in the table above. The data at this offset is 25, 7A, 5E, 72, EF and so on. The form for putting the value at offset 3A into a register using the mov instruction is -

mov eax, dword ptr [0000003Ah];

The instruction mov eax, dword ptr [0000003Ah] means: put the 32-bit DWORD value at location 3Ah into the EAX register. After this instruction executes, EAX holds the value 725E7A25h. You will notice that what is in memory (25 7A 5E 72) is in reverse order. This is because the values stored in memory are arranged in endian order. That is, the rightmost byte is the most significant byte. The order of the bytes is reversed. A few examples will make it clear.

The DWORD (32-bit) value 10203040h is stored in memory as - 40 30 20 10 (each value represents one byte (8-bit)). The WORD (16-bit) value 4050h is stored in memory as - 50 40. Let's look further to make it clearer.

mov cl, byte ptr [34h] ; cl = 0Dh (see the table above)
mov dx, word ptr [3Eh] ; dx = 7DEFh (see the table above; remember the reversed order)

The size is sometimes not important.

mov eax, [00403045h];

Because EAX is a 32-bit register, the assembler assumes that a 32-bit value is to be taken from memory location 00403045h.

Immediate values can be used as well.

mov edx, 5006;

This puts the value 5006 into EDX. The meaning of the square brackets is that they fetch a value from the memory location written inside the brackets.

mov eax, 403045h ; eax = 403045h
mov cx, [eax]     ; puts the WORD-sized value at the memory location held in EAX (403045) into register CX.

In mov cx, [eax], the processor first looks at what value (memory location) is held in EAX. Only then does it determine what value is at that location in memory and puts this WORD (16-bit, because CX is a 16-bit register) into CX.
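The memory reads above done in C, as an added example that is not from the book: the byte table at offsets 34h..42h is copied into a constructed array, and each loader reproduces one form of mov from the text (byte ptr, word ptr, dword ptr), assembling the bytes low address first so the reversed order in memory comes out as the register value the text gives. The store direction shows why 10203040h lies in memory as 40 30 20 10. Function names and the out-of-range convention (-1 for a read that leaves the snapshot, where a real CPU would fault) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed copy of the memory snapshot from the table above:
 * mem[0] is offset 34h, mem[1] is 35h, ..., mem[14] is 42h. */
#define BASE_OFFSET 0x34u
static const uint8_t mem[] = {
    0x0D, 0x0A, 0x50, 0x32, 0x44, 0x57, 0x25, 0x7A,
    0x5E, 0x72, 0xEF, 0x7D, 0xFF, 0xAD, 0xC7
};
#define MEM_SIZE (sizeof mem / sizeof mem[0])

/* True when [offset, offset+size) lies inside the snapshot. */
static int in_range(uint32_t offset, size_t size)
{
    return offset >= BASE_OFFSET && offset - BASE_OFFSET + size <= MEM_SIZE;
}

/* mov cl, byte ptr [offset]  -> the byte itself, or -1 if unmapped */
long long peek_byte(uint32_t offset)
{
    if (!in_range(offset, 1)) return -1;
    return mem[offset - BASE_OFFSET];
}

/* mov dx, word ptr [offset]: the byte at the lower address is the low byte */
long long peek_word(uint32_t offset)
{
    if (!in_range(offset, 2)) return -1;
    const uint8_t *p = mem + (offset - BASE_OFFSET);
    return (long long)(p[0] | (p[1] << 8));
}

/* mov eax, dword ptr [offset]: four bytes, least significant first */
long long peek_dword(uint32_t offset)
{
    if (!in_range(offset, 4)) return -1;
    const uint8_t *p = mem + (offset - BASE_OFFSET);
    return (long long)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* The store direction: byte k (k = 0 is the lowest address) of a DWORD as
 * it is written to memory, so 10203040h becomes 40 30 20 10. */
uint8_t le_byte(uint32_t value, int k)
{
    return (uint8_t)(value >> (8 * k));
}

int main(void)
{
    printf("mov cl, byte ptr [34h]   ; cl  = %02llXh\n", peek_byte(0x34));
    printf("mov dx, word ptr [3Eh]   ; dx  = %04llXh\n", peek_word(0x3E));
    printf("mov eax, dword ptr [3Ah] ; eax = %08llXh\n", peek_dword(0x3A));
    if (peek_dword(0x40) < 0)
        printf("dword ptr [40h] runs past the end of the snapshot\n");
    printf("10203040h in memory: %02X %02X %02X %02X\n",
           le_byte(0x10203040u, 0), le_byte(0x10203040u, 1),
           le_byte(0x10203040u, 2), le_byte(0x10203040u, 3));
    return 0;
}
```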

ADD, SUB, MUL, DIV

Quite a lot of opcodes do arithmetic. You can guess most of their names: ADD (addition), SUB (subtraction), MUL (multiplication), DIV (division), and so on.

The ADD opcode has the following form.

add destination, source

The calculation is done like this: destination = destination + source. The following forms are allowed.

Destination   Source            Example
Register      Register          add ecx, edx
Register      Memory            add ecx, dword ptr [104h] / add ecx, [edx]
Register      Immediate value   add eax, 102
Memory        Immediate value   add dword ptr [401231h], 80
Memory        Register          add dword ptr [401231h], edx

This instruction is very simple. It takes the value of the source and adds it to the value of the destination. Then it keeps the result in the destination. The other arithmetic instructions are -

sub destination, source (destination = destination - source)
mul destination, source (destination = destination * source)
div source (eax = eax / source, edx = remainder)

Subtraction is just like addition. Multiplication is dest = dest * source. Division is a little special, because the registers hold integer values (that is, not decimals). The result of a division is split into a quotient and a remainder. For example -

28/6   quotient=4, remainder=4
30/9   quotient=3, remainder=3
97/10  quotient=9, remainder=7
18/6   quotient=3, remainder=0

Now, depending on the size of the source, the quotient is kept in EAX (or a part of EAX) and the remainder in EDX (or a part of EDX).

Source size        Division            Quotient   Remainder

BYTE (8-bits)      ax / source         AL         AH

WORD (16-bits)     dx:ax* / source     AX         DX

DWORD (32-bits)    edx:eax* / source   EAX        EDX

* Example: if DX = 2030h and AX = 0040h, then DX:AX = 20300040h. DX:AX is a DWORD value in which DX is the high WORD and AX is the low WORD. EDX:EAX is a QuadWORD value (64-bit) in which the high part is EDX and the low part is EAX.

The possible sources for the DIV opcode are -

• 8-bit register (AL, AH, CL,...)

• 16-bit register (AX, DX, ...)

• 32-bit register (EAX, EDX, ECX, ...)

• 8-bit memory value (BYTE PTR [xxxx])

• 16-bit memory value (WORD PTR [xxxx])

• 32-bit memory value (DWORD PTR [xxxx])

The source cannot be an immediate value, because the processor cannot determine the size of the source operand.

BITWISE OPERATIONS

These instructions, with the exception of the 'NOT' instruction, need both a source and a destination. Each bit in the destination is compared with the bits in the source. Depending on the instruction, the destination bit is set to 0 (or) 1.

Instruction       AND       OR        XOR       NOT
Source bit        0 0 1 1   0 0 1 1   0 0 1 1   0 1
Destination bit   0 1 0 1   0 1 0 1   0 1 0 1   X X
Result            0 0 0 1   0 1 1 1   0 1 1 0   1 0

Example -

mov ax, 3406;
mov dx, 13EAh;
xor ax, dx;

ax = 3406 (dec) = 0000110101001110 (bin)
dx = 13EA (hex) = 0001001111101010 (bin)

Source       0001001111101010 (dx)
Destination  0000110101001110 (ax)
Result       0001111010100101 (dx)

After this instruction, dx = 0001111010100101 [7845 (dec), 1EA5 (hex)]

Another example

mov ecx, FFFF0000h;
not ecx;

FFFF0000 = 11111111111111110000000000000000 (bin) (16 1's, 16 0's)

If you invert every bit, you get

00000000000000001111111111111111 (16 0's, 16 1's) = 0000FFFF (hex)

So after the NOT operation, the value of ECX is 0000FFFFh.

IN/DECREMENTS

The simplest instructions are DEC and INC. These instructions add one to / subtract one from a memory location (or) a register. You simply write...

inc reg -> reg = reg + 1

dec reg -> reg = reg - 1

inc dword ptr [103405] -> adds 1 to the value at [103405].

dec dword ptr [103405] -> subtracts 1 from the value at [103405].

NOP

This instruction does absolutely nothing. Don't think it is useless just because it does nothing. It is used a great deal in cracking. The most useful place for it is when patching code.

Bit Rotation and Shifting

Note: most of the examples below use only 8-bit numbers, but I will show them with figures to make them clearer.

Shift functions

SHL destination, count

SHR destination, count

SHL and SHR shift the bits of a register/memory location by count places to the left/right.

Example

; here we assume al = 01011011 (bin)

shr al, 3 ; al = 00001011

This means the bits in the AL register are shifted 3 places to the right. So AL becomes 00001011. The bits on the left side are replaced with zeros, and the bits on the right are shifted out. The last bit shifted out is kept in the carry flag. The carry bit is a bit in the processor's flag register. It is not a register like EAX/ECX that can be handled directly (although there are opcodes for doing so). Its value depends on the result of an instruction. I will explain this later. The one thing you should remember is that carry is a bit in the flag register and can be turned on/off. This bit equals the last bit that was shifted out.

shl is like shr, but it shifts to the left.

; here we assume bl = 11100101 (binary)

shl bl, 2;

After the instruction, BL becomes 10010100 (bin). The last two bits are filled with zeros. The carry bit is 1, because the last bit shifted out was 1.

Then there are two more opcodes.

SAL destination, count (Shift Arithmetic Left)

SAR destination, count (Shift Arithmetic Right)

SAL is the same as SHL. SAR, however, is not the same as SHR. SAR does not shift in zeros; it copies in the MSB (most significant bit). Example -

al = 10100110
sar al, 3
al = 11110100
sar al, 2
al = 11111101

bl = 00100110
sar bl, 3
bl = 00000010

Rotation functions

rol destination, count ; rotate left
ror destination, count ; rotate right
rcl destination, count ; rotate left through carry
rcr destination, count ; rotate right through carry

Rotating is just like shifting. The difference is that the bits shifted out are moved back in on the other side.

Example: ror (rotate right)

                  Bit 7  Bit 6  Bit 5  Bit 4  Bit 3  Bit 2  Bit 1  Bit 0
Before rotating     1      0      0      1      1      0      1      1
Rotate, count=3     1      0      0      1      1      0      1      1   (shifted out)
Result              1      1      0      1      0      0      1      1

As you can see in the figure above, the bits are rotated. That is, every bit pushed out is moved back in on the other side. As with shifting, the carry bit stores the last bit shifted out. RCL and RCR are of the same pattern as ROL and ROR. As their names say, they use the carry bit to indicate the last bit shifted out. ROL and ROR are alike as well, so there is no difference between them.
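The shift and rotate instructions above, modelled in C on 8-bit values, as an added example that is not from the book: each function returns the new register value together with the carry flag, so the difference between shr and sar (zero fill versus MSB copy), between ror and rcr (8-bit versus 9-bit rotation through CF) and where the last bit shifted out ends up can all be checked. Function names and the struct are assumptions; the inputs in main are the text's own (01011011, 11100101, 10100110).

```c
#include <stdint.h>
#include <stdio.h>

/* An 8-bit register value together with the carry flag after the operation.
 * count is used as given (0..8) with no masking; enough for the examples. */
typedef struct { uint8_t value; int cf; } bits8_t;

/* shr dest, count: zeros enter on the left, CF = last bit pushed out on the right */
bits8_t shr8(uint8_t v, unsigned count)
{
    bits8_t r = { v, 0 };
    for (unsigned i = 0; i < count; i++) { r.cf = r.value & 1; r.value >>= 1; }
    return r;
}

/* shl dest, count (sal is identical): zeros enter on the right, CF = last bit out on the left */
bits8_t shl8(uint8_t v, unsigned count)
{
    bits8_t r = { v, 0 };
    for (unsigned i = 0; i < count; i++) {
        r.cf = (r.value >> 7) & 1;
        r.value = (uint8_t)(r.value << 1);
    }
    return r;
}

/* sar dest, count: the MSB is copied in instead of a zero, so the sign bit is kept */
bits8_t sar8(uint8_t v, unsigned count)
{
    bits8_t r = { v, 0 };
    for (unsigned i = 0; i < count; i++) {
        r.cf = r.value & 1;
        r.value = (uint8_t)((r.value >> 1) | (r.value & 0x80));
    }
    return r;
}

/* ror dest, count: the bit pushed out on the right re-enters on the left; CF = that bit */
bits8_t ror8(uint8_t v, unsigned count)
{
    bits8_t r = { v, 0 };
    for (unsigned i = 0; i < count; i++) {
        int low = r.value & 1;
        r.value = (uint8_t)((r.value >> 1) | (low << 7));
        r.cf = low;
    }
    return r;
}

/* rol dest, count: mirror image of ror */
bits8_t rol8(uint8_t v, unsigned count)
{
    bits8_t r = { v, 0 };
    for (unsigned i = 0; i < count; i++) {
        int high = (r.value >> 7) & 1;
        r.value = (uint8_t)((r.value << 1) | high);
        r.cf = high;
    }
    return r;
}

/* rcr dest, count: rotate through carry, a 9-bit rotation of (CF, dest).
 * The old CF enters on the left; the bit pushed out becomes the new CF. */
bits8_t rcr8(uint8_t v, int cf, unsigned count)
{
    bits8_t r = { v, cf & 1 };
    for (unsigned i = 0; i < count; i++) {
        int low = r.value & 1;
        r.value = (uint8_t)((r.value >> 1) | (r.cf << 7));
        r.cf = low;
    }
    return r;
}

/* rcl dest, count: the 9-bit rotation the other way */
bits8_t rcl8(uint8_t v, int cf, unsigned count)
{
    bits8_t r = { v, cf & 1 };
    for (unsigned i = 0; i < count; i++) {
        int high = (r.value >> 7) & 1;
        r.value = (uint8_t)((r.value << 1) | r.cf);
        r.cf = high;
    }
    return r;
}

static void show(const char *insn, bits8_t r)
{
    char bin[9];
    for (int i = 0; i < 8; i++) bin[i] = (r.value & (0x80 >> i)) ? '1' : '0';
    bin[8] = '\0';
    printf("%-18s -> %s  CF=%d\n", insn, bin, r.cf);
}

int main(void)
{
    show("shr al, 3", shr8(0x5B, 3));            /* al = 01011011 from the text */
    show("shl bl, 2", shl8(0xE5, 2));            /* bl = 11100101 from the text */
    show("sar al, 3", sar8(0xA6, 3));            /* al = 10100110 from the text */
    show("ror al, 1", ror8(0x9B, 1));
    show("rcr al, 9 (CF=1)", rcr8(0xA5, 1, 9));  /* 9 steps through carry: back where it started */
    return 0;
}
```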

Exchange

The XCHG instruction is completely simple. It can exchange two registers (or) a register and a memory location.

eax = 237h
ecx = 978h
xchg eax, ecx
eax = 978h
ecx = 237h

(6.0) File structure

Assembly source files are divided into sections. The sections are code, data, uninitialized data, constants, resources and relocations. The resource section is produced from the resource file. (See later.) The relocation section is not important for us. (It may contain information for the PE loader so that the program can be loaded at a different place in memory.) The important sections are code, data, uninitialized data and constants. The code section contains, as you would expect, the code. The data section contains data that can be read and written. The whole data section is included in the exe file and is usually initialized with data.

For uninitialized data there is nothing at the start. It is not even in the exe file itself. It is just a piece of memory set aside by Windows. This section can be written and read. Constants are like the data section, but read-only. Although this section can be used for constants, it is easier and faster to declare the constants in an include file. Then you just use them as immediate values.

(6.1) Section indicators

In your source files you have to define the sections.

.code ; the code section starts here.

.data ; the data section starts here.

.data? ; the uninitialized data starts here.

.const ; the constants section starts here.

Executable files (*.exe, *.dll, ...) in Win32 are in the PE (portable executable) format. Apart from a few important points, the rest will not be discussed in detail here. (It will be discussed in detail in the PE header chapter.) The sections are predefined in the PE header with some attributes. These are the section name, RVA, offset, raw size, virtual size and flags. The RVA (relative virtual address) is the relative location in memory at which the section will be loaded. Relative here means relative to the base address in memory when the program runs. This address is also in the PE header, but only the PE loader can change it (using the relocation section). The offset is just the raw offset of the first data in the exe file. The virtual size is the size it will have in memory. The flags are the flags for readable/writable/executable and so on.

(6.2) Sample program

This is a sample program.

.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax

This program will not assemble properly, but that does not matter. Everything you put in a section of your assembly program ends up in the exe file, and in memory when the program is loaded. In the data section shown above there are 3 labels: Number1, Number2 and Number3. These labels hold the offset of their location in the program. So you can use them to point to a location in your program. DD puts a DWORD value directly at that location. DW is a word and DB a byte. With DB you can use strings. So a string is simply a group of byte values joined together.

For example -

33,20,01,00,00,01,00,02,00,03,00,04,62,6c,61,62,6c,61,00 (all hex numbers)

(Every value is one byte.)

I have colored some of the numbers. Number1 shows the memory location where the byte 33 is. Number2 is where the red 00 is, and Number3 is where the green 62 is. If you use this in a program ...

mov ecx, Number1 really means

mov ecx, dword ptr [the memory location where the dword 12033h is]

But this one

mov ecx, offset Number1 means ...

mov ecx, the memory location where the dword 12033h is

Page 37: Cracker_Guide_2.1_

tcef;(3) - tajccH Assembly bmompum; - 37 -

yxrOyrmrSm? ECX [m Number1 &JU rSwfOmPfae&mrSm&SdwJh wefzdk;wpfckudk &&Sdygvdrfhr,f/ 'kwd, wpfckrSmawmh ECX [m rSwfOmPfae&m (offset) jzpfvmygvdrfhr,f/ atmufuOyrmESpfckrSm wlnDwJhtusdK;ESpfck &Sdygw,f/

(1)
mov ecx, Number1

(2)
mov ecx, offset Number1
mov ecx, dword ptr [ecx]   (or mov ecx, [ecx])

Now let's look at the example again.

.data
Number1 dd 12033h
Number2 dw 100h,200h,300h,400h
Number3 db "blabla",0
.data?
Value dd ?
.code
mov eax, Number1
mov ecx, offset Number2
add ax, word ptr [ecx+4]
mov Value, eax

The label Value can be used just like Number1, Number2 and Number3, but initially it contains zero, because it lives in the uninitialized data section. The advantage is that everything you declare in .data? is not stored in the executable; it exists only in memory.

.data?
ManyBytes1 db 5000 dup (?)
.data
ManyBytes2 db 5000 dup (0)

(5000 dup = duplicate 5000 times. Value db 4,4,4,4,4,4,4 = Value db 7 dup (4).)

ManyBytes1 itself is not present in the file; it merely reserves 5000 bytes in memory. ManyBytes2, however, is stored in the executable and makes the file 5000 bytes larger. That is not very useful, since your file will contain 5000 zeros.

The code section is simply assembled (converted to raw code) and placed in the executable. (Strictly speaking, it is in memory once loaded.)
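As an added example that is not part of the guide, the following C program lays out the sample program's .data section byte by byte, exactly as the assembler would emit it, and then executes the four instructions of the .code section on that image. The base address 403000h is an assumed, constructed value.

```c
/* Added example (not from the guide): byte-level model of the sample
 * program's data section and of the four instructions that use it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed base address of the .data section (constructed value). */
#define DATA_BASE 0x00403000u

/* Offsets of the three labels relative to the start of .data. */
enum { NUMBER1 = 0, NUMBER2 = 4, NUMBER3 = 12, DATA_LEN = 19 };

/* x86 is little-endian: the least significant byte is stored first. */
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Emits the 19-byte image of:
 *   Number1 dd 12033h
 *   Number2 dw 100h,200h,300h,400h
 *   Number3 db "blabla",0
 * and returns its length. */
size_t build_data_section(uint8_t out[DATA_LEN]) {
    put32(out + NUMBER1, 0x12033);
    put16(out + NUMBER2 + 0, 0x100);
    put16(out + NUMBER2 + 2, 0x200);
    put16(out + NUMBER2 + 4, 0x300);
    put16(out + NUMBER2 + 6, 0x400);
    memcpy(out + NUMBER3, "blabla", 7);    /* 7 = six letters plus the 0 terminator */
    return DATA_LEN;
}

/* Simulates the code section on the image built above:
 *   mov eax, Number1          ; loads the dword stored AT the label
 *   mov ecx, offset Number2   ; loads the ADDRESS of the label
 *   add ax, word ptr [ecx+4]  ; 16-bit add into the low half of EAX
 *   mov Value, eax
 * Returns the value that ends up in Value. */
uint32_t run_sample_program(const uint8_t *data) {
    uint32_t eax = get32(data + NUMBER1);            /* 00012033h */
    uint32_t ecx = DATA_BASE + NUMBER2;              /* an address, not contents */
    uint16_t ax  = (uint16_t)eax;                    /* 2033h */
    ax = (uint16_t)(ax + get16(data + (ecx - DATA_BASE) + 4)); /* + 300h (third word) */
    eax = (eax & 0xFFFF0000u) | ax;                  /* writing AX leaves the upper half alone */
    return eax;                                      /* 00012333h */
}

int main(void) {
    uint8_t data[DATA_LEN];
    size_t n = build_data_section(data);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", data[i], i + 1 < n ? "," : "\n");
    printf("Value = %08x\n", run_sample_program(data));
    return 0;
}
```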

(7.0) Conditional jumps

In the code section, labels can be used like this.

.code
mov eax, edx
sub eax, ecx
cmp eax, 2
jz loc1
xor eax, eax
jmp loc2
loc1:
xor eax, eax
inc eax
loc2:

(xor eax, eax means eax = 0.)

Let's go through the code.

mov eax, edx ; puts EDX into EAX.
sub eax, ecx ; subtracts ECX from EAX.


cmp eax, 2 ; compares EAX with 2.

Cmp is a new instruction. Cmp means "compare": it compares two values (reg, mem, imm) and sets the Z flag if they are equal. The zero flag, like carry, is a bit in the flags register.

jz loc1 ;

This one is also new. It is a conditional jump: jz = jump if zero, meaning it jumps when the zero flag is set. loc1 is a label for an offset in memory, where the instructions "xor eax, eax | inc eax" begin. So jz loc1 jumps to the instruction at loc1 if the zero flag is set.

cmp eax, 2 ; sets the zero flag if EAX = 2.
jz loc1    ; jumps to loc1 if the zero flag is set.
= jumps to the instruction at loc1 if EAX equals 2.

Next comes jmp loc2. It is also a jump, but an unconditional one: it always jumps. Rewriting the code above exactly in C:

if ((edx - ecx) == 2) {
    eax = 1;
} else {
    eax = 0;
}

Written in the BASIC programming language:

IF (edx - ecx) = 2 THEN
    EAX = 1
ELSE
    EAX = 0
END IF

(7.1) Flags register

The flags register holds flags that are set or cleared depending on calculations and other events. I will not discuss all of them, only the important ones.

ZF (Zero flag)

This flag is set when the result of a calculation is zero. (A comparison is really just a subtraction: the result is not stored, but the flags are set.)

SF (Sign flag)

If this flag is set, the result of the last calculation was negative.

CF (Carry flag)

After a calculation, it holds the bit carried out of the leftmost (most significant) position.

OF (Overflow flag)

Indicates that a calculation overflowed, that is, the result did not fit in the destination.

There are other flags as well (Parity, Auxiliary, Trap, Interrupt, Direction, IOPL, Nested Task, Resume and Virtual Mode), but since we will not use them, they are not explained here.


(7.2) Jump series

Below is the complete list of conditional jumps. They jump depending on the state of the flags, but most have easily understood names, so you do not need to memorise which flags each jump tests. For example, "Jump if greater or equal" (jge) means "Sign flag = Overflow flag", and when you see "Jump if zero" you should read it as "Jump if Zero flag = 1".

How to read the table

"Jump if above" means

cmp x, y ; compares x with y.
         ; jumps if x is above y.

Opcode  Meaning                                  Condition
JA      Jump if above                            CF=0 & ZF=0
JAE     Jump if above or equal                   CF=0
JB      Jump if below                            CF=1
JBE     Jump if below or equal                   CF=1 or ZF=1
JC      Jump if carry                            CF=1
JCXZ    Jump if CX=0                             register CX=0
JE      Jump if equal (same as JZ)               ZF=1
JG      Jump if greater (signed)                 ZF=0 & SF=OF
JGE     Jump if greater or equal (signed)        SF=OF
JL      Jump if less (signed)                    SF!=OF
JLE     Jump if less or equal (signed)           ZF=1 or SF!=OF
JMP     Unconditional jump                       -
JNA     Jump if not above                        CF=1 or ZF=1
JNAE    Jump if not above or equal               CF=1
JNB     Jump if not below                        CF=0
JNBE    Jump if not below or equal               CF=0 & ZF=0
JNC     Jump if not carry                        CF=0
JNE     Jump if not equal                        ZF=0
JNG     Jump if not greater (signed)             ZF=1 or SF!=OF
JNGE    Jump if not greater or equal (signed)    SF!=OF
JNL     Jump if not less (signed)                SF=OF
JNLE    Jump if not less or equal (signed)       ZF=0 & SF=OF
JNO     Jump if not overflow (signed)            OF=0
JNP     Jump if no parity                        PF=0
JNS     Jump if not signed (signed)              SF=0
JNZ     Jump if not zero                         ZF=0
JO      Jump if overflow (signed)                OF=1
JP      Jump if parity                           PF=1
JPE     Jump if parity even                      PF=1
JPO     Jump if parity odd                       PF=0
JS      Jump if signed (signed)                  SF=1
JZ      Jump if zero                             ZF=1

Every jump instruction takes just one operand: the offset of the place to jump to. If you look at the table carefully you will notice the unconditional jump (JMP). It does not compare anything; it simply jumps.


(8.0) A glance at numbers

In most programming languages, whether a value is an integer or a floating-point number depends on how the variable is declared. In assembler the two are completely separate. Floating-point calculations use special opcodes and are carried out by a co-processor called the FPU (floating point unit); the floating-point instructions will be discussed later. First, integers. In C there are two kinds of number, signed and unsigned. Signed numbers carry a plus/minus sign; unsigned numbers are always positive. Let's look at the differences in the table below. (To repeat: the example here uses a byte; the other sizes work the same way.)

Value     00  01  02  03 ... 7F   80 ...  FC   FD   FE   FF
Unsigned  00  01  02  03 ... 7F   80 ...  FC   FD   FE   FF
Signed    00  01  02  03 ... 7F  -80 ... -04  -03  -02  -01

So for signed numbers the byte is split into two halves: 0 to 7F for positive values and 80 to FF for negative ones. The same holds for dword values: positive = 0 - 7FFFFFFFh, negative = 80000000h - FFFFFFFFh. As you may have noticed, negative numbers have the most significant bit set, because they are at or above 80000000h. This bit is called the sign bit.

(8.1) Signed or unsigned?

Neither you nor the processor can tell whether a given value is signed or unsigned. The good news is that for addition and subtraction it makes no difference whether a number is signed or unsigned.

Calculate: -4 + 9

FFFFFFFC + 00000009 = 00000005. (Correct.)

Calculate: 5 - (-9)

00000005 - FFFFFFF7 = 0000000E (also correct: 5 - (-9) = 14)

The bad news is that this does not hold for multiplication, division and comparison. That is why there are special mul and div opcodes for signed numbers.

imul and idiv

One advantage imul has over mul is that it can take immediate values.

imul src
imul src, immed
imul dest, src, 8-bit immed
imul dest, src
idiv src

They work like mul and div, but they calculate with signed values only. For comparison, the same cmp instruction is used as for unsigned numbers, but the flags are interpreted differently. That is why there are separate jump instructions for signed and unsigned numbers.

cmp ax, bx
ja offset

JA is an unsigned jump (Jump if above). Consider ax = FFFFh (FFFFh unsigned, -1 signed) and bx = 0005h (5 unsigned, 5 signed). Since FFFFh is higher than 0005h as an (unsigned) value, the JA instruction will jump. The JG instruction, on the other hand, is used as a signed jump.

cmp ax, bx
jg somewhere

The JG instruction will not jump, because -1 is not greater than 5.

Remember:

Whether a number is signed or unsigned depends entirely on how you handle it.
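As an added example that is not part of the guide, the following C code models the flags that CMP produces for operands of a given width and evaluates the jump conditions from the table in (7.2), so the JA-versus-JG case of ax = FFFFh, bx = 5 described here can be checked directly. The function names cmpn and jcc_taken are my own.

```c
/* Added example (not from the guide): CMP flag model plus the conditional
 * jump table, used to show why JA jumps on FFFFh vs 5 while JG does not. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct flags { int cf, zf, sf, of; };

/* CMP x, y computes x - y at the given width (8, 16 or 32 bits), discards
 * the result and keeps only the flags:
 *   CF: unsigned borrow, i.e. x < y as unsigned numbers
 *   ZF: result is zero
 *   SF: top bit of the result
 *   OF: signs of x and y differ and the result's sign differs from x's */
struct flags cmpn(uint32_t x, uint32_t y, int bits) {
    uint32_t mask = bits == 32 ? 0xFFFFFFFFu : ((1u << bits) - 1);
    uint32_t sign = 1u << (bits - 1);
    struct flags f;
    x &= mask;
    y &= mask;
    uint32_t r = (x - y) & mask;
    f.cf = x < y;
    f.zf = r == 0;
    f.sf = (r & sign) != 0;
    f.of = ((x ^ y) & (x ^ r) & sign) != 0;
    return f;
}

/* Conditions exactly as listed in the jump table of (7.2).
 * Returns 1 if the jump is taken, 0 if not, -1 for an unknown mnemonic. */
int jcc_taken(const char *jcc, struct flags f) {
    if (!strcmp(jcc, "ja")  || !strcmp(jcc, "jnbe")) return !f.cf && !f.zf;
    if (!strcmp(jcc, "jae") || !strcmp(jcc, "jnb") || !strcmp(jcc, "jnc")) return !f.cf;
    if (!strcmp(jcc, "jb")  || !strcmp(jcc, "jnae") || !strcmp(jcc, "jc")) return f.cf;
    if (!strcmp(jcc, "jbe") || !strcmp(jcc, "jna")) return f.cf || f.zf;
    if (!strcmp(jcc, "je")  || !strcmp(jcc, "jz")) return f.zf;
    if (!strcmp(jcc, "jne") || !strcmp(jcc, "jnz")) return !f.zf;
    if (!strcmp(jcc, "jg")  || !strcmp(jcc, "jnle")) return !f.zf && f.sf == f.of;
    if (!strcmp(jcc, "jge") || !strcmp(jcc, "jnl")) return f.sf == f.of;
    if (!strcmp(jcc, "jl")  || !strcmp(jcc, "jnge")) return f.sf != f.of;
    if (!strcmp(jcc, "jle") || !strcmp(jcc, "jng")) return f.zf || f.sf != f.of;
    if (!strcmp(jcc, "js"))  return f.sf;
    if (!strcmp(jcc, "jns")) return !f.sf;
    if (!strcmp(jcc, "jo"))  return f.of;
    if (!strcmp(jcc, "jno")) return !f.of;
    if (!strcmp(jcc, "jmp")) return 1;
    return -1;
}

int main(void) {
    /* The guide's case: ax = FFFFh (unsigned 65535, signed -1), bx = 5 */
    struct flags f = cmpn(0xFFFF, 0x0005, 16);
    printf("cmp ax,bx: CF=%d ZF=%d SF=%d OF=%d\n", f.cf, f.zf, f.sf, f.of);
    printf("ja taken: %d   jg taken: %d\n", jcc_taken("ja", f), jcc_taken("jg", f));
    /* The guide's subtraction 5 - (-9): unsigned borrow, but signed 5 > -9 */
    struct flags g = cmpn(0x00000005, 0xFFFFFFF7, 32);
    printf("jb taken: %d   jg taken: %d\n", jcc_taken("jb", g), jcc_taken("jg", g));
    return 0;
}
```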


(9.0) More opcodes

Here are a few more opcodes.

TEST

TEST performs a logical AND on its two operands, dest and src, and sets the flags register according to the result, but it does not store the result itself. TEST is used, as in the example, to test a single bit in a register.

test eax, 100b ; (b is the suffix for binary.)
jnz bitset

If the third bit (counting from the right) of EAX is set, JNZ will jump. The most common use of TEST is to check whether a register is zero.

test ecx, ecx
jz somewhere

If ECX is zero, JZ will jump.

STACK OPCODES

Before the stack opcodes, a word on what the stack is. The stack is an area of memory pointed to by the stack pointer register, ESP. It is a place to keep temporary values, and it has two instructions for storing and retrieving them: PUSH and POP. PUSH places a value on the stack and POP takes it off again. The value pushed last is the first to be taken off. When a value is pushed, the stack pointer decreases; when one is popped, the stack pointer increases.

Look at the example.

(1) mov ecx, 100
(2) mov eax, 200
(3) push ecx       ; saves ECX.
(4) push eax
(5) xor ecx, eax
(6) add ecx, 400
(7) mov edx, ecx
(8) pop ebx
(9) pop ecx

Explanation

1: Puts 100 in ECX.
2: Puts 200 in EAX.
3: push ecx (=100) (first value on the stack).
4: push eax (=200) (last value on the stack).
5/6/7: Operations involving ECX; ECX's value changes.
8: pop ebx: EBX becomes 200. (Pushed last, so popped first.)
9: pop ecx: ECX becomes 100. (Pushed first, so popped last.)

To see what PUSH/POP do in memory, look at the table below.

Offset  1203 1204 1205 1206 1207 1208 1209 120A 120B
Value   00   00   00   00   00   00   00   00   00
                            ESP

(Here the stack starts out filled with zeros; in reality that is not the case. ESP marks the offset that ESP points to.)

mov ax, 4560h
push ax


Offset  1203 1204 1205 1206 1207 1208 1209 120A 120B
Value   00   00   60   45   00   00   00   00   00
                  ESP

mov cx, FFFFh
push cx

Offset  1203 1204 1205 1206 1207 1208 1209 120A 120B
Value   FF   FF   60   45   00   00   00   00   00
        ESP

pop edx

Offset  1203 1204 1205 1206 1207 1208 1209 120A 120B
Value   FF   FF   60   45   00   00   00   00   00
                            ESP

Now EDX is 4560FFFFh.
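As an added example that is not part of the guide, the following C code is a byte-level model of the stack in the tables above: PUSH lowers ESP and stores little-endian bytes, POP reads them back and raises ESP. The offsets 1203h-120Bh and the starting ESP of 1207h come from the tables; the nine zero-filled bytes are a constructed stand-in for memory, and the function names are my own.

```c
/* Added example (not from the guide): models PUSH/POP on the nine-byte
 * stack region of the tables and replays both sequences from this section. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BASE 0x1203u              /* lowest offset in the tables */
#define STACK_LEN  9u                   /* 1203h .. 120Bh */

struct cpu {
    uint8_t  mem[STACK_LEN];            /* constructed memory, zero-filled like the tables */
    uint32_t esp;
};

void cpu_init(struct cpu *c, uint32_t esp) {
    memset(c->mem, 0, STACK_LEN);
    c->esp = esp;
}

/* Returns a pointer to the n bytes at ESP, aborting if they fall outside
 * the modelled region (the model's equivalent of a stack fault). */
static uint8_t *at_esp(struct cpu *c, uint32_t n) {
    if (c->esp < STACK_BASE || c->esp + n > STACK_BASE + STACK_LEN) abort();
    return c->mem + (c->esp - STACK_BASE);
}

/* push ax / push cx: ESP decreases by 2, low byte stored at the lower address. */
void push16(struct cpu *c, uint16_t v) {
    c->esp -= 2;
    uint8_t *p = at_esp(c, 2);
    p[0] = v & 0xFF;
    p[1] = (uint8_t)(v >> 8);
}

/* push eax: high word first so the dword ends up little-endian in memory. */
void push32(struct cpu *c, uint32_t v) {
    push16(c, (uint16_t)(v >> 16));
    push16(c, (uint16_t)v);
}

/* pop edx: read four bytes at ESP, then ESP increases by 4. */
uint32_t pop32(struct cpu *c) {
    const uint8_t *p = at_esp(c, 4);
    uint32_t v = p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    c->esp += 4;
    return v;
}

/* mov ax,4560h / push ax / mov cx,FFFFh / push cx / pop edx  -> returns EDX */
uint32_t replay_guide_sequence(struct cpu *c) {
    cpu_init(c, 0x1207);
    push16(c, 0x4560);
    push16(c, 0xFFFF);
    return pop32(c);                    /* two 16-bit pushes read back as one dword */
}

/* The nine-step example from the start of the section (ESP starts at 120Bh
 * so that two dwords fit in the modelled region). */
void replay_lifo_example(struct cpu *c, uint32_t *ebx_out, uint32_t *ecx_out) {
    cpu_init(c, 0x120B);
    uint32_t ecx = 100, eax = 200;      /* (1) (2) */
    push32(c, ecx);                     /* (3) */
    push32(c, eax);                     /* (4) */
    ecx ^= eax;                         /* (5) */
    ecx += 400;                         /* (6) ECX is now clobbered */
    *ebx_out = pop32(c);                /* (8) last in, first out: 200 */
    *ecx_out = pop32(c);                /* (9) first in, last out: 100 */
}

int main(void) {
    struct cpu c;
    uint32_t edx = replay_guide_sequence(&c);
    printf("EDX = %08Xh, ESP = %04Xh\n", edx, c.esp);
    uint32_t ebx, ecx;
    replay_lifo_example(&c, &ebx, &ecx);
    printf("EBX = %u, ECX = %u\n", ebx, ecx);
    return 0;
}
```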

CALL and RET

A CALL jumps to some piece of code and returns as soon as it meets a RET instruction. You may know these as functions or subroutines in other programming languages. Example:

; ..code..
call 0455659
; ..more code..

; Code at 455659:
add eax, 500
imul eax, edx   ; two-operand multiply (mul itself takes only one operand)
ret

When the CALL instruction executes, the processor jumps to the code at 455659 and executes instructions until it reaches RET, then returns to the instructions following the CALL. The code that CALL jumps to is called a procedure. CALL pushes EIP (the pointer to the next instruction to execute) onto the stack, and the RET instruction pops it back. You can pass arguments to a CALL; this is done with PUSH.

push something
push something2
call procedure

Inside the called code, the arguments can be read from the stack and used. Local variables (data needed only inside the procedure) can also be kept on the stack. I will not go into detail here, because masm (Macro Assembler) and tasm (Turbo Assembler) make this easy. It is enough to remember that you can create procedures and that they take parameters. One important point:

EAX is almost always used to hold a procedure's return value.

This holds for Windows functions too. In your own procedures you can of course use any register, but EAX is the convention. While we are at it, here is the usage of one more instruction.

lea edi, namebuffer         ; EDI is the address of the buffer holding the name you typed.
mov eax, dword ptr ds:[edi] ; puts four characters into EAX, because a DWORD (4 bytes) is four characters.

(10.0) Assembly language basics for Windows

(10.1) API

Programming on Windows rests on the Windows API (Application Programming Interface). The API is the collection of functions the OS provides, and every Windows program uses them. These functions live in the Windows system DLL files such as kernel, user, gdi, shell and advapi. There are two kinds of function, ANSI and Unicode, corresponding to two ways of storing and handling strings. With ANSI each character is represented by a code (its ASCII code) and the end of the string is marked with \0 (null-terminated). Unicode uses the widechar format, two bytes per character; it is used for languages that need more characters, such as Chinese or Burmese. Widechar strings usually end with \20. Windows accepts both ANSI and Unicode functions. For example:

MessageBoxA (ANSI)
MessageBoxW (W = widechar (unicode))

We will use ANSI.

(10.2) Importing DLL files

To use the Windows API functions, the DLL files must be imported. This is done with import libraries (.lib). These libs are essential, because they let Windows load the DLLs dynamically (that is, at a dynamic base address in memory). A library is pulled in with includelib.

includelib C:\masm32\lib\kernel32.lib
(or)
includelib \masm32\lib\kernel32.lib
(or)
includelib kernel32.lib

This includes kernel32.lib. The include library alone is not enough; the include file (.inc) is needed as well. These are generated automatically from the libraries by the l2inc program. An include file is written like this.

include \masm32\include\kernel32.inc

Since the include file defines prototypes for the DLL's functions, you can now call them with invoke.

kernel32.inc:
...
MessageBoxA proto stdcall :DWORD, :DWORD, :DWORD, :DWORD
MessageBox textequ <MessageBoxA>
...

In the include file you can see that both the ANSI functions and the functions without the "A", defined to match the plain function names, are declared. So you can use MessageBox instead of MessageBoxA. Once the include library and include file for the functions you want to use are declared, those functions can be called.

invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL

(10.3) The Windows include file

Windows has a special include file, windows.inc, which contains all the constants and structures needed for the Windows API. For example, a message box has various styles; the function's fourth parameter is the style, and NULL means MB_OK, a box with an OK button. The Windows include file contains the definitions for such styles.

MB_OK = 0
MB_OKCANCEL = ...
MB_YESNO = ...

'Dvdk t"dyÜm,fzGifhxm;vdkUvJ 'DtrnfawGudk oifhtaeeJU constant taeeJU oHk;vdkU&aewmyg/

invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_YESNO

For this example the include file must be declared like this.

include \masm32\include\windows.inc

(10.4) Frame


Let's look at a sample frame.

.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\gdi32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\gdi32.inc
include \masm32\include\windows.inc
.data
blahblah
.code
start:
blahblah
end start

This is the basic frame of a Windows assembly source file (.asm).

.486  Tells the assembler to generate code for the 486 processor (or higher). You can use .386 instead, but .486 usually works fine.

.model flat, stdcall

Uses the flat memory model and the stdcall convention. stdcall means that function parameters are pushed from right to left (the last parameter is pushed first) and that the function must clean up the stack when it returns. This is the standard for almost all Windows API functions and DLLs.

option casemap:none  Controls whether labels are case sensitive. For windows.inc to work properly this must be set to "none".

includelib  Discussed above.

include  Discussed above.

.data  Start of the data section.

.code  Start of the code section.

start:
end start

The label marks the entry point of the program. It does not have to be called "start"; you can give it any name you like. At the end, however, the "end" statement is required.

Now let's write our first program. The two pieces of software we will use to assemble it are WinAsm Studio 5.1.5 and Macro Assembler 3.2.7.

.486
.model flat, stdcall
option casemap:none
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc
.data
MsgText db "Hello world!", 0
MsgTitle db "This is a messagebox", 0
.code
start:
invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, MB_OKCANCEL or MB_ICONQUESTION
invoke ExitProcess, NULL
end start

If you assemble this code (Go All), you will see what is shown in Figure (1).

Figure (1)

Here is how the program works.

1. MessageBox is used as follows. (See Win32.hlp.)

int MessageBox(
    HWND hWnd,          // handle of owner window
    LPCTSTR lpText,     // address of text in message box
    LPCTSTR lpCaption,  // address of title of message box
    UINT uType          // style of message box
);

hWnd  Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.

lpText  Points to the \0-terminated string to be displayed as the message.

lpCaption  Points to the \0-terminated string used as the title. If NULL is passed here, the default title is used.

uType  Specifies the style of the dialog box and can be a combination of flags.

2.

hWnd is NULL, because our program has no window.

lpText is the pointer to our text; that is, this parameter is the memory offset at which the text we want to display is located.

lpCaption is the offset of the title text.

uType is a combination of values such as MB_OK, MB_OKCANCEL and MB_ICONERROR.

3.

Two strings are defined in advance for the MessageBox.

.data
MsgText db "Hello world!",0
MsgTitle db "This is a messagebox",0

.data marks the start of the data section. db means byte, and the 0 is appended so that the string is \0-terminated. If you want the text to continue on a new line ... (13 = carriage return, 10 = line feed)

.data
MsgText db "Hello world!",13,10
        db "I'm a messagebox",13,10
        db "Hello again!",0

MsgText holds the offset of the first string and MsgTitle that of the second. Now you can call the MessageBox function.

invoke MessageBox, NULL, offset MsgText, offset MsgTitle, NULL

Because invoke is used, you can (more safely) use ADDR instead of offset.

invoke MessageBox, NULL, ADDR MsgText, ADDR MsgTitle, NULL


Although we did not set the last parameter, it works perfectly well, because MB_OK (a message box with an OK button) equals 0 (NULL). You can of course use any other style.

Figure (2)

4.

uType &JU t"dyÜm,fuawmh yHk(2)eJU yHk(3) twdkif; jzpfygw,f/

Figure (3)

(10.5) Win32 API

The Windows API contains the data types, constants, functions and structures needed to write programs for Windows. Most API functions, including the ExitProcess we used, are located in three main DLL files: kernel32.dll, gdi32.dll and user32.dll.

KERNEL32.DLL - Low-level kernel services
GDI32.DLL - Graphics Device Interface: drawing and printing
USER32.DLL - User interface controls, windows and messaging services

BOOL SetWindowText(
    HWND hWnd,        // handle of window or control
    LPCTSTR lpString  // address of string
);

That is the C form. Rewritten in our form:

PUSH lpString
PUSH hWnd
CALL SetWindowText

(11) Writing a simple Dialog Box program

This time we will skip the internal structure of Windows and write a practical program. (I will explain the structure if the occasion arises.) In WinAsm Studio, choose New Project from the File menu. From the Project menu choose Add new Rc, then Add New Dialog. Next, create a caption, two buttons and an edit box. Then select the Resources tab at the bottom of the screen. Double-click the Caption box and type "Simple Dialog Box Program". Then pick the edit control from the toolbox and draw it as in Figure (4).


Figure (4)

Then create two buttons and change their captions to "Say Hello" and "Exit". Figure (5).

Figure (5)

Now press F12 to view the dialog box we created as code.

;This Resource Script was generated by WinAsm Studio.
#define IDD_DLG1001 1001
#define IDC_EDIT1002 1002
#define IDC_BUTTON1003 1003
#define IDC_BUTTON1004 1004
IDD_DLG1001 DIALOGEX 0,0,170,72
CAPTION "Simple Dialog Box Program"
FONT 8,"MS Sans Serif"
STYLE 0x10cc0000
EXSTYLE 0x00000000
BEGIN
  CONTROL "",IDC_EDIT1002,"Edit",0x50010080,10,9,121,19,0x00000200
  CONTROL "Say Hello",IDC_BUTTON1003,"Button",0x50010000,17,46,51,16,0x00000000
  CONTROL "Exit",IDC_BUTTON1004,"Button",0x50010000,102,46,50,16,0x00000000
END

To write the code for the dialog box template we need the names and control IDs of the dialog box, the edit box and the buttons. They are in the first four lines of the resource script. Now select dialogbox.asm and type in the code below.

option casemap:none
include WINDOWS.INC
include user32.inc
include kernel32.inc
includelib USER32.LIB
includelib KERNEL32.LIB

DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD

.data
Message db "Hello World", 0

.data?
hInstance HINSTANCE ?

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax
    invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL
    invoke ExitProcess, eax

DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_COMMAND
        mov eax, wParam
        .if eax == 1003
            invoke SetDlgItemText, hWnd, 1002, ADDR Message
        .elseif eax == 1004
            invoke SendMessage, hWnd, WM_CLOSE, 0, 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .endif
    xor eax, eax
    Ret
DlgProc EndP
end start

Figure (6)

If you build this code into an exe file, you will see what is shown in Figure (7).

Figure (7)

(12) Writing a keygen program

This lesson is very important for crackers, because a keygen is an essential tool for them: only with a keygen can you generate the registration code that corresponds to a user name of your choice. Look at some sample keygens in Figure (8).

Figure (8)

Now let's start writing the keygen. Open WinAsm Studio and build the dialog shown in Figure (9). It needs two edit controls, two static texts and three buttons.

Figure (9)


Set the two static texts to SS_CENTERIMAGE and the Serial edit box to ES_READONLY. Set the dialog box to DS_CENTER and save keygen.rc. Then type the following code into keygen.asm. The main body is:

0001 .386
0002 .model flat, stdcall
0003 option casemap:none
0004 include windows.inc
0005 include kernel32.inc
0006 include user32.inc
0007 includelib kernel32.lib
0008 includelib user32.lib
0009
0010 DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
0011
0012 .data?
0013 hInstance HINSTANCE ?
0014 NameBuffer db 32 dup(?)
0015 SerialBuffer db 32 dup(?)
0016
0017 .const
0018 IDD_KEYGEN equ 1001
0019 IDC_NAME equ 1002
0020 IDC_SERIAL equ 1003
0021 IDC_GENERATE equ 1004
0022 IDC_COPY equ 1005
0023 IDC_EXIT equ 1006
0024 ARIcon equ 2001
0025
0026 .code
0027 start:
0028 invoke GetModuleHandle, NULL
0029 mov hInstance, eax
0030 invoke DialogBoxParam, hInstance, IDD_KEYGEN, NULL, addr DlgProc, NULL
0031 invoke ExitProcess, eax

Figure (10)

Immediately after it comes the dialog procedure.

0033 DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
0034 .if uMsg == WM_INITDIALOG
0035 invoke LoadIcon, hInstance, ARIcon
0036 invoke SendMessage, hWnd, WM_SETICON, 1, eax
0037 invoke GetDlgItem, hWnd, IDC_NAME
0038 invoke SetFocus, eax
0039 .elseif uMsg == WM_COMMAND
0040 mov eax, wParam
0041 .if eax == IDC_GENERATE
0042 invoke GetDlgItemText, hWnd, IDC_NAME, addr NameBuffer, 32
0043 call Generate
0044 invoke SetDlgItemText, hWnd, IDC_SERIAL, addr SerialBuffer
0045 .elseif eax == IDC_COPY
0046 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, EM_SETSEL, 0, -1
0047 invoke SendDlgItemMessage, hWnd, IDC_SERIAL, WM_COPY, 0, 0
0048 .elseif eax == IDC_EXIT
0049 invoke SendMessage, hWnd, WM_CLOSE, 0, 0
0050 .endif
0051 .elseif uMsg == WM_CLOSE
0052 invoke EndDialog, hWnd, 0
0053 .endif
0054 xor eax, eax
0055 Ret
0056 DlgProc EndP

Figure (11)

Then we write the Generate procedure, which produces the serial number.

0058 Generate proc
0059 invoke lstrlen, addr NameBuffer
0060 test eax, eax
0061 jle NOINPUT
0062 mov ecx, eax
0063 mov esi, offset NameBuffer
0064 mov edi, offset SerialBuffer
0065 @@:
0066 dec ecx
0067 mov dl, BYTE ptr [esi+ecx]
0068 mov BYTE ptr [edi], dl
0069 inc edi
0070 or ecx, ecx
0071 ja @b
0072 NOINPUT:
0073 Ret
0074 Generate EndP
0075 end start

Figure (12)

Now let's study the code shown in Figures (10), (11) and (12).

- Lines 14 and 15 declare uninitialized strings that hold the name the user types and the serial that will be computed from it.

- The Generate function is an example routine: it reverses the text typed into the Name edit box. lstrlen determines how many characters were typed into the Name edit box; the typed text is already in NameBuffer and the character count is returned in EAX. If nothing was typed, execution goes to NOINPUT.

- If the number of characters typed is greater than zero, the count in EAX is moved into ECX with a mov instruction; ECX serves as the character counter. The memory addresses of NameBuffer and SerialBuffer are kept in ESI and EDI, the two registers conventionally used to point at the source and destination when handling strings.

- @@ declares an anonymous label. Long routines use all sorts of named labels, but for small jumps and loops labels are often left unnamed. Using @f in place of a label jumps to the nearest following anonymous label, and @b jumps back to the nearest preceding one.

- The string-reversing routine works like this. First the counter ECX is decremented by one, so that the last pass of the loop ends at zero rather than one. (That is, if the Name string has six characters, ECX immediately becomes 5, and from 5 down to zero the routine runs exactly six times.) ESI holds the address of the first character of NameBuffer, so when ECX = 0, ESI+ECX points to the first character, and when ECX = 5 it points to the last. The first mov instruction copies the last character of NameBuffer into DL, the low byte of the EDX register. The second mov instruction stores that character at the first character position of SerialBuffer (held in EDI). The characters are thus stored in reverse order; on each pass a logical OR of ECX with itself sets the zero flag according to whether ECX has reached zero. If the zero flag is not set, execution returns to @@ and the routine repeats.

- This is a very simple way of writing it. You can write more complete routines using API functions.

After that, you can add images and sounds to our keygen program.


Chapter (4) - Software protection

(This lesson is written purely from a programmer's point of view: it discusses the methods programmers use to protect their software. How to crack them is not discussed in this chapter at all.) This lesson is about software protection, which you will inevitably encounter when cracking. What you must understand is that there is, as yet, no protection that cannot be removed or is impossible to remove. (An aside: at a press conference on mobile software sales, a Burmese programmer once explained that their software could not be cracked in any way. Lena151, one of the best crackers in the world, once admitted to having written a piece of software that could not be cracked in any way, and then to having cracked it personally.)

The protection discussed in this chapter does not mean protection by packing. (Protection by packing is covered in the chapter "Packers (Protectors)".) Apart from the experienced ones, most programmers leave weaknesses and flaws in the protection of their software. Fearing that problems will appear in their programs if the protection is not written correctly, they do not write deep or complicated protection. (For example, in My Driver 3.11, even when the registration code is entered correctly, registration succeeds only for a short while; even a paying customer has to register again and again.) So they protect their programs only lightly, and some have almost no protection at all. (Among software from Myanmar, the protected titles can be counted on one's fingers.)

Only by knowing the types of protection will cracking become easy and successful. Internationally, there are four main types of software protection that programmers use. They are:

(1) Using registration numbers

(2) Setting time or usage-count limits

(3) Using key files

(4) Using hardware keys (dongles)

(1) Using registration numbers

Using registration numbers can be divided further into (5) kinds:

(1.1) The registration number is fixed,

(1.2) The registration number changes depending on the entered data,

(1.3) The registration number changes depending on the user's computer,

(1.4) The registration number is implemented in Visual Basic or Delphi programs,

(1.5) The registration number is checked online.

(1.1) The registration number is fixed

With a program that uses this method, a user has to type in a registration number. Because the registration number is fixed, someone doing cracking can debug the program and find the registration number very easily. Figure (1).

Figure (1)


One advantage of this method over the others is that, rather than keeping the entered data in memory as it is, the program XORs it (or) recomputes it by some other means. It recomputes the correct registration number and compares the resulting values. In practice, to make it hard to recover the real registration number from those results, you will have to perform more elaborate calculations that are not easy for crackers to follow.

(1.2) The registration number changes depending on the entered data

This is a method that is used quite often. In this method, before typing the registration number, you first have to fill in a name (or) company name (or) other information. The registration number changes depending on the data entered. Figure (2).

Figure (2)

The more experienced and skilled the programmer, the harder he can make it for crackers to break the protection. However, no matter how complicated the calculation scheme, crackers will still trace through the program code to obtain the correct registration number.

(1.3) The registration number changes depending on the user's computer

This is the kind of method that makes crackers uneasy. A careless cracker can be left baffled, because no matter how they register on their own computer, it does not work. The reason is that the registration number changes (for example, depending on the hard drive's serial number). Figure (3). (The most important thing is to carefully hide the routine that checks the registration number. If that routine is found, the fixed number can easily be changed, and the program can then be registered on any machine with the same registration number.)

Figure (3)
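As an added illustration of schemes (1.2) and (1.3) from the programmer's side (example code, not from the original guide or any product it names), the registration number below is derived from the user's name and a machine identifier with HMAC-SHA256, and the program recomputes it rather than storing a fixed number. The vendor secret, drive serial and user name are constructed for the example.

```python
import hashlib
import hmac

# Constructed vendor secret for the example. Any secret shipped inside the
# program is exactly what the text says crackers hunt for, so a real product
# keeps it off the client (an asymmetric signature is the usual answer).
VENDOR_SECRET = b"example-vendor-secret-not-real"


def machine_id(hard_drive_serial: str) -> str:
    """Stable per-machine identifier derived from a drive serial (scheme 1.3).

    Hashing the raw serial means the program never stores or compares it as-is.
    """
    return hashlib.sha256(hard_drive_serial.strip().upper().encode()).hexdigest()[:16]


def generate_registration_number(name: str, machine: str) -> str:
    """Vendor side: a registration number bound to both the name and the machine.

    Scheme 1.2 alone would use only the name; adding the machine id gives 1.3.
    """
    msg = f"{name.strip().lower()}|{machine}".encode()
    tag = hmac.new(VENDOR_SECRET, msg, hashlib.sha256).digest()[:10]
    h = tag.hex().upper()                                  # 20 hex characters
    return "-".join(h[i:i + 5] for i in range(0, 20, 5))   # XXXXX-XXXXX-XXXXX-XXXXX


def verify_registration_number(name: str, machine: str, entered: str) -> bool:
    """Program side: recompute the expected number and compare in constant time.

    Unlike scheme 1.1 there is no fixed number sitting in the binary, and
    compare_digest avoids leaking how many characters matched.
    """
    expected = generate_registration_number(name, machine)
    return hmac.compare_digest(expected.encode(), entered.strip().upper().encode())


if __name__ == "__main__":
    # Constructed sample input: a user name and a made-up hard drive serial.
    home = machine_id("WD-WCC4EXAMPLE0001")
    key = generate_registration_number("Rhythm", home)
    print("registration number:", key)
    print("same machine:", verify_registration_number("rhythm", home, key))
    other = machine_id("ST-OTHER-0002")
    print("other machine:", verify_registration_number("rhythm", other, key))
```

Run as a script it prints a number that verifies on the machine it was issued for and fails on another. Note what this does and does not buy: the number cannot be guessed or moved between machines, but since the program holds the secret and the check routine, the guide's own remark still applies: whoever finds the routine can alter it.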

(1.4) The registration number is implemented in Visual Basic or Delphi programs

Cracking a registration number written in Visual Basic (VB) is not easy. That is because the programming language itself is high level. Since we use debuggers (disassemblers) to crack, the higher-level the language, the harder it is for the debugger to turn it into assembly code. So the assembly code that debuggers produce from programs written in VB is very hard for novice crackers to understand.

VB programs can be divided into these (3) groups:

(1.4.1) VB4,

(1.4.2) VB5 and above,

(1.4.3) VB5 and above (compiled as packed code (p-code)).

(1.4.1) VB4

Although most users do not notice it, VB4 programs are among the least trustworthy. An experienced cracker can find the registration number within 5 minutes. Figure (4). That is because VB4 programs mostly use the vb40016.dll (or) vb40032.dll file to compare the typed-in registration number with the predefined one.

Figure (4)

(1.4.2) VB5 and above

Cracking a program protected with VB5 is considerably harder than with VB4. Most crackers are not keen on debugging VB5 with debuggers, because the code is hard to read and understand, and also hard to trace. Their ways of cracking such programs are limited to producing a registration number usable by a single user (meaning they do not write keygens) or modifying the program code so that anyone can enter whatever registration number they like. Only the best crackers write keygens. Among crackers, VB5 programs are not popular, because keygens for them are hard to write.

So why don't programmers abroad write their programs in VB? What I presented above was the method of recovering VB program code with debuggers. Because recovering code with debuggers is so hard, crackers found better ways to solve the problem: recovering the code with the help of the Smart Check and VB Decompiler tools. How good is the recovered code? It can be recovered to something very close to the original source code before compilation. Such tools are not called debuggers but decompilers. These tools can decompile well up to VB6. From the time they appeared, programmers writing in VB were in trouble, and Microsoft no longer continued upgrading and selling the VB language. Therefore VB stopped at version 6. Visual C++, which was sold alongside it, is currently at version 9 and is the most widely used.

You may be wondering why this is being explained when nobody writes VB programs anymore. Internationally, VB programs came to an end around 2001, but in Myanmar, as of 2009, more than 50 percent of software is still being written in VB. It is covered so that you can study locally made programs if you want to.

(1.5) The registration number is checked online

Some programs use the latest technology to ensure the registration number is used properly and correctly. When the registration number is typed in, the program sends it over the internet to be checked. The server tests whether the code is correct and replies, and the program then checks whether it is properly registered or not. Figure (5). Because protection of this kind is far too simple, experienced crackers can remove it easily.


Figure (5)

(2) Setting time or usage-count limits

Programs with a time limit check whether the permitted usage period has been exceeded. Protecting this way is not very effective, because a cracker only has to remove the time limit to use the program freely. Figure (6). Limiting how much of the functionality an unregistered version can use works better: users who want the program's full capabilities can then be pushed into buying the registered version.

Figure (6)

Time limits are written in various ways. The possibilities are:

(2.1) Removing the time limit by entering a correct registration number,

(2.2) Removing the time limit by adding a registration file,

(2.3) The full version cannot be used merely by removing the time limit (full use only after purchase),

(2.4) Writing the time limit in Visual Basic,

(2.5) Setting the usage limit only by the number of times the program is used.

(2.1) Removing the time limit by entering a correct registration number

This method is the same as the registration-number method: entering the correct registration number removes the time limit. Figure (7). The one difference is that if the correct registration number is not entered, the program becomes completely unusable once the permitted period has passed.

Note that if you write this kind of program, the first thing to do is to record the date the program was first used reliably in the registry (or) in a file. Otherwise, the user will bypass the limit simply by setting the computer's date back.


Figure (7)

(2.2) Removing the time limit by adding a registration file

This is an unusual method that is not used much. A point to consider is not to send the registration file over the internet. Crackers will mainly search for the routine where the time limit is written, so you must secure that routine to defend against this threat. A cracker will rarely create a correct registration file, Figure (8), because doing so is quite hard. What is easier for him is to remove the time-limit routine contained in the program.

<IDA Pro key file v5.1>

rhythm, 1 user, professional edition, 3/2009

#d@*^a€RA®ÉÓ™j±Ê¦§-°ČkyĆ0-ă

Figure (8)

When writing the program, do not let yourself write functions that check whether the registration file exists under the program's directory and whether the file contains the correct data.

(2.3) The full version cannot be used merely by removing the time limit (full use only after purchase)

Demo-version programs mostly use this method. In such programs there is no registration number to type in. When the period expires, the program can no longer be used at all; to keep using it, the program has to be bought. Example: PopCap games. Figure (9).

Figure (9)

Crackers find the time-limit routine and jump straight past it in the program code. As a result, the program no longer checks whether the period has expired and simply carries on with its usual work.

(2.4) Writing the time limit in Visual Basic

This method is no longer widely used these days.

(2.5) Setting the usage limit only by the number of times the program is used

This method is basically the same as the other time-limit methods, except that instead of counting the days of use it counts only the number of times the program is used. Counting this way gives crackers quite a bit of trouble, because the program no longer needs to query the date; it only has to store the usage count in the registry (or) in a file.
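The trial-limit schemes in (2.1) and (2.5) both come down to a small record the program keeps between runs, and the caveat in (2.1) is that a user can set the clock back. The record below, an added example that is not code from the original guide, keeps the first-run date, the last time the program was seen and the usage count, seals them with an integrity tag so that editing the stored value is detected, and refuses to run when the clock has moved backwards. The secret, limits and timestamps are constructed for the example; where the blob is stored (registry value or file) is left to the caller.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TRIAL_DAYS = 30          # calendar limit, as in scheme 2.1
TRIAL_RUNS = 20          # usage-count limit, as in scheme 2.5
ROLLBACK_TOLERANCE = 60  # seconds of clock skew we forgive

# Constructed secret for sealing the record. Like any key inside the program it
# can be dug out by a determined reverser, but it stops casual editing of the
# registry value or file and makes clock rollback detectable.
STATE_SECRET = b"example-state-secret-not-real"


def _tag(payload: bytes) -> str:
    return hmac.new(STATE_SECRET, payload, hashlib.sha256).hexdigest()


def seal(state: dict) -> str:
    """Serialize the trial record plus an integrity tag (this is what gets stored)."""
    payload = json.dumps(state, sort_keys=True).encode()
    return json.dumps({"state": state, "tag": _tag(payload)})


def unseal(blob: str) -> Optional[dict]:
    """Return the record only if its tag still matches; None means edited or corrupt."""
    try:
        doc = json.loads(blob)
        payload = json.dumps(doc["state"], sort_keys=True).encode()
        if not hmac.compare_digest(_tag(payload), doc["tag"]):
            return None
        return doc["state"]
    except (KeyError, TypeError, ValueError):
        return None


def check_trial(stored: Optional[str], now: float) -> Tuple[str, str]:
    """Evaluate one program start.

    Returns (verdict, blob_to_store). Verdicts: "ok", "expired",
    "blocked:tampered", "blocked:clock_rollback".
    """
    if stored is None:                      # very first run: record the date now
        state = {"first_run": now, "last_seen": now, "runs": 0}
    else:
        state = unseal(stored)
        if state is None:
            return "blocked:tampered", stored
    # A clock earlier than the last run we saw means the date was set back.
    if now < state["last_seen"] - ROLLBACK_TOLERANCE:
        return "blocked:clock_rollback", stored
    state["runs"] += 1
    state["last_seen"] = max(now, state["last_seen"])
    over_days = now - state["first_run"] > TRIAL_DAYS * 86400
    over_runs = state["runs"] > TRIAL_RUNS
    verdict = "expired" if (over_days or over_runs) else "ok"
    return verdict, seal(state)


if __name__ == "__main__":
    blob = None
    for _ in range(3):
        verdict, blob = check_trial(blob, time.time())
        print(verdict, blob)
```

The two limits are checked together, so whichever is reached first ends the trial. What this does not solve is the case the guide keeps returning to: the check lives in the program, so removing the call to check_trial removes the limit. The record only raises the bar from "edit a date" to "patch the code".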

(3) Using key files

In this method, the key file is usually placed under the directory where the software is installed. The program reads and checks the contents of this file. If the key file is correct, the program behaves as the registered version. If the key file is missing or wrong, the program behaves like the unregistered version (or) does not work at all. The key file may well contain information about the user and encrypted data.

This type can be studied in (2) parts:

(3.1) Blocking certain features if the correct file is not used,

(3.2) Placing a time limit on the program if the correct file is not used.

(3.1) Blocking certain features if the correct file is not used

This is a very good method, and crackers do not like it. Even so, like the other methods, it too can be removed. In this method, certain features are blocked unless the correct key file is used. The weak point is that the program has to look for the key file and check whether it is valid. Figure (10). So the cracker tracks down that routine and either fools the program (or) strips the registration file's structure down inside the routine.

Figure (10)

If you use this method, you need to encode the registration file. Only then will the cracker be unable to create a registration file easily.

(3.2) Placing a time limit on the program if the correct file is not used

Most antivirus companies use this method. If the correct registration file is not used, the program is unregistered and subject to a time limit.

(4) Using hardware keys (dongles)

Protecting with hardware keys is another method, and a rarely used one. The dongle, a device that protects against copying, is plugged into the computer's I/O port, and the program to be used is run with it attached.

It offers (2) kinds of protection:

(4.1) The program cannot start without the hardware key,

(4.2) Some functions of the program are not available without the hardware key.

HASP and Sentinel are the most widely used hardware keys. They can also be called the best.


(4.1) The program cannot start without the hardware key

Some hardware keys are quite simple. The program sends data to the port where the hardware key is attached and waits for a reply. If nothing responds, an error message appears. Figure (11).

More advanced hardware keys encode the data that is sent. Alternatively, hardware keys may contain EPROMs, and they may even carry part of the program inside them. In that case, even if crackers have the program, without the hardware key they can almost never remove the protection.

Figure (11)

(4.2) Some functions of the program are not available without the hardware key

This method is very simple. The program works when the hardware key is attached, and some of its functions do not work when it is not, because some of the program's functions are placed inside the hardware key itself. This method is very good. The keys may even contain code to decode functions in memory.

If the encoding is good, removing the protection without the key is impossible.

HASP key

The HASP key is made by Aladdin Knowledge Systems. HASP installs its own drivers when the software is installed so that the software can communicate with the hardware key.

Figure (12)

Sentinel key

Made by Rainbow Technology (www.rainbow.com). Sentinel is very similar to HASP. Figure (13).

Figure (13)


Chapter (5) - Tools a cracker needs - 58 -

Chapter (5) - Tools a cracker needs

Cracking requires specially developed tools. These tools are not usually familiar to most computer users. (Even software developers may not be familiar with them.) Some of these tools are given away free and some are sold (mostly they are free). Only by becoming familiar with these tools will you become an excellent cracker. The tools are divided into 5 kinds and discussed as follows. (Note: all the tools listed are for Windows-based operating systems only. Tools for other OSes are left out.)

(a) Disassemblers

(b) Decompilers

(c) Debuggers

(d) Hex Editors

(e) Other tools

(a) Disassemblers

(1) What is a disassembler?

A disassembler is the opposite of an assembler. While an assembler converts code written in assembly language into binary machine code, a disassembler tries to reconstruct binary code as assembly opcodes.

Assembly languages have different instruction codes depending on the processor used. The disassembly process itself is simple: the disassembler reads the hex codes and translates them into the corresponding opcodes. For example, the disassembler knows that 55 hex (1010101 in binary) is the instruction PUSH EBP.

Most disassemblers can output assembly instructions in Intel (or) AT&T (or) HLA syntax.

(2) Professional tools

IDA Pro 5.6

IDA Pro is an expensive tool. It is a very good tool for crackers, and the number of features it has is very large. The Professional edition of IDA Pro costs $1059. The download link is as follows.

http://www.datarescue.com/idabase/

PE Explorer

PE Explorer focuses on ease of use and ease of navigation. Although it is not as full-featured as IDA Pro, its price of $75 is reasonable.

http://www.heaventools.com

W32DASM

W32DASM is the best 16/32-bit disassembler for Windows.

http://members.cox.net/w32dasm/

(3) Freeware tools

IDA 3.7

IDA 3.7 is a DOS GUI tool, just like IDA Pro. Its limitation is that it only handles Z80, 6502, Intel 8051, Intel i860, PDP-11 and x86 instructions, and for x86 only up to the 486 processor.

http://www.simtel.net

IDA Pro Freeware 4.9


It performs almost like IDA Pro, but it can only produce assembly code for Intel x86 processors and only runs on Windows. The instructions it disassembles are only those of processors released before 2003.

http://www.themel.com

IDA Pro Freeware 4.3

Its GUI is better than the previously released versions.

http://www.datarescue.be

BORG Disassembler

BORG has a GUI and is the best Win32 disassembler.

http://www.caesum.com

HT Editor

HT Editor is a disassembler that analyzes Intel x86 instructions. The latest version is a console GUI program that runs on Windows.

http://the.sourceforge.net

diStorm64

diStorm is open source and targets 80x86 and AMD64 processors.

http://ragestorm.net

(4) Things to know about disassemblers

Separating code from data

Because data and code are both stored in the exe file as binary data, a question arises here: how can a disassembler tell whether something is code or data? Is the byte it has just read a variable, or part of an instruction?

If data were kept only in the exe's .data section and code only in the .code section, there would be no problem. But data can be placed directly inside the .code section (for example, jump address tables and constant strings), and exe code can also be stored in the .data section. (Newer systems try to prevent this for security reasons.)

Most disassemblers let users choose to change code segments into either code or data. Some disassemblers, however, will do the separation automatically.

The general problem of separating code from data in an exe program is similar to the halting problem. As a consequence, it is impossible for a disassembler to separate code and data correctly for every program. Although Rice's theorem says that all interesting questions about program properties are undecidable, the art of cracking is full of such theoretical limitations.
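To make both points above concrete, the 55 -> PUSH EBP lookup from section (1) and the code-versus-data problem, here is a small table-driven decoder for a handful of 32-bit x86 instructions with a linear sweep over a byte string. It is an added example, not code from the guide or from any of the tools it lists, and the opcode subset and the sample bytes are constructed for it. The sample is a MOV EAX, imm32 whose immediate happens to hold the bytes of a function prologue, so sweeping from offset 0 and from offset 1 gives two different, equally plausible listings: exactly the ambiguity a disassembler cannot resolve on its own.

```python
from typing import List, Tuple

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def decode_one(code: bytes, pos: int) -> Tuple[int, str]:
    """Decode the instruction starting at code[pos]; return (length, text).

    Only a small subset of 32-bit x86 is handled, enough to show the idea:
    the opcode byte selects the mnemonic, and its encoding fixes the length.
    """
    op = code[pos]
    if 0x50 <= op <= 0x57:                       # 50+r: PUSH r32, so 55 is PUSH EBP
        return 1, f"PUSH {REGS32[op - 0x50]}"
    if 0x58 <= op <= 0x5F:                       # 58+r: POP r32
        return 1, f"POP {REGS32[op - 0x58]}"
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(code):   # B8+r imm32: MOV r32, imm32
        imm = int.from_bytes(code[pos + 1:pos + 5], "little")
        return 5, f"MOV {REGS32[op - 0xB8]}, 0x{imm:08X}"
    if op == 0x8B and pos + 2 <= len(code) and code[pos + 1] == 0xEC:
        return 2, "MOV EBP, ESP"                 # 8B EC: the usual frame setup
    if op == 0xEB and pos + 2 <= len(code):      # EB rel8: JMP short
        rel = int.from_bytes(code[pos + 1:pos + 2], "little", signed=True)
        return 2, f"JMP short 0x{pos + 2 + rel:X}"
    if op == 0x90:
        return 1, "NOP"
    if op == 0xC3:
        return 1, "RET"
    if op == 0xCC:
        return 1, "INT3"
    return 1, f"db 0x{op:02X}"                   # not in our table: show as a data byte


def linear_sweep(code: bytes, start: int = 0) -> List[Tuple[int, str]]:
    """Disassemble from `start` to the end, one instruction after another.

    This is what a simple disassembler does; it has no way of knowing whether
    the bytes at `start` really are the beginning of an instruction.
    """
    out, pos = [], start
    while pos < len(code):
        length, text = decode_one(code, pos)
        out.append((pos, text))
        pos += length
    return out


def listing(code: bytes, start: int = 0) -> str:
    """Render a sweep as offset, raw bytes and mnemonic, one line per instruction."""
    lines = []
    for pos, text in linear_sweep(code, start):
        length = decode_one(code, pos)[0]
        lines.append(f"{pos:04X}  {code[pos:pos + length].hex().upper():<12} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed bytes: MOV EAX, imm32 whose immediate is 55 8B EC C3,
    # i.e. the bytes of PUSH EBP / MOV EBP, ESP / RET. Same bytes, two readings.
    sample = bytes.fromhex("B8558BECC390")
    print("sweep from offset 0 (B8 taken as code):")
    print(listing(sample, 0))
    print("sweep from offset 1 (B8 taken as data):")
    print(listing(sample, 1))
```

Which reading is right depends on whether anything ever jumps to offset 1, which is a question about the program's behaviour, not about the bytes; that is the connection to the halting problem the text draws.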

Loss of information

When a program is compiled, a great deal of information is lost. Normally, for C code, local variable names are lost beyond recovery. If the compilation is done with the debug option, function names and variable names may still be present in the image, but those symbol tables may be discarded by a process called stripping. Good compilers may be able to recover them. All comments in the code are ignored by the compiler. But it is impossible to tell the difference between code written in place, code written as an inline function, and code written as a C-preprocessor macro. In most cases, it is impossible to determine the lexicographical scope of a function (or) variable. If two files called file1.c and file2.c are compiled and linked together, the delineation between the source files disappears at the linking stage.


(b) Decompilers

Decompilers, like disassemblers, turn exe code back into code, but as high-level language code. Quite often that high-level language is C, because C is fairly simple and old enough to make decompilation easy and smooth. Decompilation has its own weaknesses, because a great deal of information is already lost during compilation, and decompilation cannot recover it. Decompilation technology is not yet mature, but the results can be said to be good.

Is decompilation possible?

In an age of good compilers, one may well be asked "is decompilation still possible?". The answer is that, mostly, it is. Whatever one says, it must be admitted that a flawless, perfect decompiler has not appeared to this day. Current decompilers are only good enough to give crackers some help.

Decompilers

DCC Decompiler

DCC is the best at decompilation, but currently it only accepts small files.

http://www.itee.uq.edu.au/~cristina/dcc.html

Boomerang Decompiler Project

The Boomerang decompiler is being developed into a powerful decompiler; so far it can only decompile to C code.

http://boomerang.sourceforge.net

Reverse Engineering Compiler

REC is a powerful decompiler that decompiles assembly code into C-like code. The output is a mix of C and assembly, and is more convenient to read than assembly alone.

http://www.backerstreet.com/rec/rec.htm

ExeToC

ExeToC is a decompiler that gives good results.

http://sourceforge.net/projects/exetoc

code-dump

code-dump is a PowerPC (PPC) Objective-C decompiler.

http://sourceforge.net/projects/code-dump

(c) Debuggers

Debuggers are a cracker's best friend. They allow users to run program code step by step and to examine all kinds of values and operations.

Advanced debuggers usually include at least a basic disassembler and features for editing hex code and reassembling it. Debuggers let users set breakpoints on instructions, function calls and memory locations.

Windows debuggers

OllyDbg

OllyDbg is a powerful Windows debugger with built-in disassembly and assembly engines. It has a great many features and is free. It is very useful for patching, disassembling and debugging.

http://www.ollydbg.de/


SoftICE

SoftICE can be used for local kernel debugging. That is a very rare feature and a very valuable one. As of April 2006, SoftICE was in demand on the market.

WinDBG

WinDBG is a free software component from Microsoft and can be used for everything from user-mode debugging to remote kernel-mode debugging. WinDBG is unlike the famous Visual Studio Debugger, but it comes with a good GUI. It is released in 32-bit and 64-bit versions. A separate "signature" download is needed for each version of Windows.

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

IDA Pro

Made by DataRescue; it works on many kinds of processors and many OSes.

http://www.datarescue.com

(d) Hex Editors

Hex editors are not famous tools in cracking, but they are very useful for viewing binary source files and editing them directly. Hex editors are especially useful for looking at file types such as png and jpg that cannot be viewed with a debugger, decompiler or disassembler. There are many hex editors; the most widely used ones are listed here.

Windows hex editors

Cygnus Hex Editor FREE EDITION

A very fast and easy-to-use tool.

http://www.softcircuits.com/cygnus/fe/

WinHex

A tool built for editing files and disks, with advanced capabilities for computer forensics and data recovery. (It is also used in government and the armed forces.)

http://www.x-ways.net/index-m.html

HexEdit

Very powerful; it can edit binary files and disks. The free version comes with free source code, and there is also a shareware version.

http://www.hexedit.com/

FlexHex

Fully usable with NTFS files, which are more complex than FAT32 files. FlexHex also supports sparse files and the alternate data streams of files on any NTFS volume. It can also be used with OLE compound files, flash cards and other kinds of physical drives.

http://www.heaventools.com/flexhex-hex-editor.htm

(e) Other tools

Under this heading, the individual tools will not be discussed in detail.

SysInternals Tools

The tools from SysInternals include the best utilities, most of which are very useful for security professionals, network administrators and crackers. The utilities especially worth using are Process Monitor, FileMon, TCPView, RegMon and Process Explorer.

API Monitors

API monitor tools watch which Win32 API functions a process (or) program is calling. These are very important for crackers.


Rohitab's API Monitor, Vitaly Evseenko's API Spy32 and Spy Studio from www.nektra.com can be used.

PE Tools

A PE scanner checks which programming language the exe program you want to debug was written in and which protectors it is protected with. Some of these tools can also edit the PE header. PE tools include Lord PE, PE Browse, PE Detective, PE Disassembler, PE Explorer, PE Insight, PE Optimizer, PE Rebuilder, PE Tools, PE Viewer, PEditor, PEiD, Stud PE, WPE and CFF Explorer. The most widely used are Lord PE, PEiD and CFF Explorer.

Figure (1) Checking a file with PEiD

Keygenning Tools

If you write a keygen instead of patching the program, most of it is up to you to write yourself. If you do not want to write it from start to finish, you can easily produce a keygen program by putting your own code into a template that someone else has already made.

NFO Editors

NFO editors are used to create the .nfo files that are bundled with patch (or) serial files. What is usually written in an .nfo file is the cracker's name, the serial number, the cracking team's name and the type of crack file.

Patch File Maker

Instead of handing cracked files to users, crackers usually write patch files themselves so that they are small in size. Patch file makers modify specified offsets in a program and specified keys in the Windows registry. The most widely used patch-making tools are uPPP and Diablo Universal Patcher (dUP). Templates for these tools can be downloaded free from www.tuts4you.com.

Figure (2) Sample patch file


Resource Editors

Resource editors are mainly used to change text and images and to add new resources. The most widely used resource editors are Exe Scope, Resource Editor, Resource Hacker, Restorator, Window Hack and XN Resource Editor.

Figure (3) System properties modified with a resource editor

Compilers

Compilers are used for solving cracking-related problems. The kind of compiler depends on your preferred programming language.

Dictionary Files

Dictionary files are used when recovering passwords. The more words they contain, the easier password recovery becomes.

Password Recovery Tools

Password recovery tools are very useful for recovering passwords. Well-known tools are Elcomsoft Password Recovery and Passware Kit Enterprise. With these tools, passwords for e-mail, internet, MS Word, MS Excel, MS Access, MS PowerPoint, Windows and so on can be recovered.

Tools left out

In fact, many tools have been left out without detailed explanation. They are SmartCheck and VB Decompiler, used when decompiling Visual Basic programs; DeDe for Delphi programs; UnFox All for FoxPro programs; Java Decompiler and DJ Java Decompiler for Java programs; Sothink SWF Decompiler for Flash (SWF) files; MSI Unpacker for MSI files; and Crack.NET, DisSharp and RedGate DotNet Reflector for .NET programs. Packers and unpackers will be discussed under the heading "Packers (protectors)".


Chapter (6) - Introduction to Olly Debugger - 64 -

Chapter (6) - Introduction to Olly Debugger

In this chapter we study OllyDbg, a cracking tool. For crackers, OllyDbg, written by Oleh Yuschuk, is the best usermode debugger. It comes with a very powerful disassembler. Some beginners, when they try to start cracking, are seen starting out with very complicated tools like NuMega SoftICE. Unless you are cracking important kernel-mode code, OllyDbg alone is sufficient. OllyDbg's greatest strength is its set of code-analysis features: for example, it does a good job of examining a procedure's parameters and loops, and of detecting constants, arrays and strings. Moreover, a great many plugins are available free. Such features are not found in other debuggers of its kind. This debugger works with all processors of the 80x86 family and interprets most of their instructions correctly. In fact, it would not be an exaggeration to say that Olly has the best disassembly capabilities of all debuggers (IDA Pro excepted).

Debugger Window

OllyDbg &JU t"dutusqHk; main window udk yHk(1)rSm jyxm;ygw,f/ 'ghtjyif main menu eJU toolbar yg0ifygw,f/ Main window rSm informational pane 4ck yg0ifygw,f/ tJ'gawGuawmh disassembler window (tay:b,f)? data window (atmufb,f)? registers window (tay:nm)? stack window (atmufnm)/ 'ghtjyif tjcm; window awGvnf;&Sdygao;w,f/ toHk;jyKEdkifwJh windows pm&if;udkawmh View menu rSm MunfhEdkifygw,f/ 'D windows awGxJu tcsdKUudkyJ &Sif;vif;azmfjyrSmjzpfjyD; usefwJh[mawGudktoHk;jyKzdkU oifpdwf0ifpm;cJh&if udk,fwdkifyJ avhvmMunfhyg/

Figure (1)

Disassembler Window

The disassembler window has 4 columns: Address, Hex dump, Disassembly and Comment. Figure (2).

Figure (2)

Address — the address column holds the virtual address of the command as loaded into memory. Double-clicking the column switches from addresses to offsets counted from the current address ($, $-2, $+4, ...).

Hex dump — in this code column you see the code as operand (byte) values. In addition, the column supplies various symbols that help you understand how the program works. For instance, the symbols mark where a command jumps to (>) and whether the jump goes up or down (ˆ / ˇ). If you double-click this column, the address in the first column is shown with a red highlight. This means you have set a breakpoint at that command (address): you are telling the program to pause when it reaches this point.

Disassembly — this column contains the assembly mnemonics for the command. If you double-click a command, a window appears in which the assembly command can be edited; there you can modify the command as you like. The modified command is used in the debugging that follows. In addition, the modified program text (code) can be turned into an executable module. For a cracker this is a major opportunity.

Comment — this column contains other information related to the command. Here the program identifies the names of API functions and library functions. If you double-click this column, you can write any note you like as a comment on each line of assembly code.

The Data Window

This window has three columns: Address, Hex dump and ASCII (Unicode). The second and third columns can change according to how the contents are interpreted. That is, when the text in the cells is switched to Unicode, the ASCII column moves into the place of the Hex dump column and the Hex dump column disappears. Figure (3).

Figure (3)

The Registers Window

The registers window can show three groups of registers: general-purpose registers & FPU registers, general-purpose registers & MMX registers, and general-purpose registers & 3DNow registers. Double-clicking lets you edit the corresponding register (except EIP). Clicking the arrows (<) switches the registers window between these groups. Figure (4).

Figure (4)

The Stack Window

The stack window shows the contents of the stack. The first column (Address) shows the address of the cell in the stack. The second column (Value) shows what the cell contains. The third column (Comment) holds any comment that applies to the cell's value. Figure (5). It is very useful when cracking VB programs and Delphi programs.

Figure (5)


Other Windows

When starting to work with OllyDbg, the things worth remembering are:

(a) Right-clicking in any window brings up that window's menu. This menu differs from window to window. I recommend studying these menus carefully.

(b) The contents of the windows are interlinked. For example, look at the registers. If you right-click one of the general-purpose registers, its contents can be interpreted as an address in the data area (Follow in Dump) or in the stack area (Follow in Stack).

Debug Execution

Debugging means running a program in various modes and analyzing it. Here I want to explain the execution modes. Assume that the code to execute has already been loaded into the debugger, and the disassembler window shows the assembly code. The most important modes for executing the program are:

(a) Step-by-step execution that skips over procedures without entering them (in some programming languages a procedure is called a subroutine or function) is called step over. Pressing F8 executes the current assembly command. By executing the commands one after another you can see how the other three windows (Registers, Data, Stack) change. The distinctive feature of this mode is that if the next command is a procedure call (CALL), all the commands that make up the procedure are executed automatically as if they were a single instruction. That is, the code inside the called procedure (CALL) is not examined line by line.

(b) Step-by-step execution that enters procedures is called step into. To execute in this mode, press F7. The difference from the previous mode is that when a CALL command is executed, every instruction inside the procedure is executed one by one.

Instead of the methods just described (step over & step into), you can use animation. For the respective modes use <Ctrl>+<F8> and <Ctrl>+<F7>. When one of these keyboard shortcuts is pressed, the step over / step into command is repeated instruction after instruction with a short delay between each. After every instruction the debugger window is refreshed, so you can follow the changes.

Pressing the <Esc> key at any time pauses execution. Likewise, execution stops when a breakpoint is reached, or when the program being debugged raises an exception.

Another method of step-by-step program execution is trace mode. Trace mode resembles animation, but here the debugger window is not refreshed at every step. The two tracing methods corresponding to step over and step into are available with the <Ctrl>+<F12> and <Ctrl>+<F11> keys. To stop tracing, use the same methods as for animation. After each command is executed, information about its execution is copied into the tracing buffer, which you can view with the Run trace command in the View menu. If you wish, the contents of the tracing buffer can be saved as a text file. Likewise, you can define with conditions when tracing should stop (Set trace condition, <Ctrl>+<T>). Figure (6). Tracing is very important in serial fishing, because the Run Trace window shows how a serial is computed. If no condition is set, tracing runs from the current EIP to the breakpoint that was set. Take care not to trace too much code.


Figure (6)

The following conditions can be set for trace mode:

(a) The range of addresses at which to break;

(b) Conditions (such as EAX>100000). If the condition EAX>100000 becomes true, tracing stops.

(c) The number of certain commands after which tracing stops.

The debugger can also be told to execute code only until the procedure reaches its return (Execute till return); in other words, only the code of the current procedure is executed. The <Ctrl>+<F9> key is used.

Finally, if while tracing you reach a place where you think you have strayed too far and want to get back out, you can use the Execute till user code command, or the <Alt>+<F9> key.

Breakpoints

A breakpoint is a truly powerful debugging tool. Breakpoints let you understand the program's operation most clearly: they capture the state of the registers, stack and data at a given moment.

Ordinary Breakpoints

Ordinary breakpoints are set on selected commands, either by pressing the <F2> key or by double-clicking in the Hex dump column. As a result, the address in the first column turns red. You can then also inspect the state of the registers, variables and stack. Pressing <F2> again removes the breakpoint. This kind of breakpoint is used most often when watching Windows API functions.

Conditional Breakpoints

Conditional breakpoints are set by pressing <Shift>+<F2>. Pressing the <Shift>+<F2> combination brings up a combo box as shown in Figure (7). In the combo box you can enter any condition you like; when that condition becomes true, execution of the commands stops. The debugger understands even complex expressions with many conditions. Here are some examples:


Figure (7)

(a) EAX == 1 — tells the debugger to stop execution if the EAX register equals one.

(b) EAX = 0 and ECX > 10 — tells the debugger to stop if the EAX register is zero and the ECX register is greater than ten.

(c) [STRING 427010] == 'Error' — tells the debugger to stop execution if the text 'Error' is found at virtual address (VA) 427010h. It can also be written as EAX == 'Error'; then whatever EAX contains is treated as a pointer and read as a string.

(d) [427070] = 1231 — sets the breakpoint to fire if the content of VA 427070h equals 1231h.

(e) [[427070]] = 1231 — uses the address indirectly. That is, VA 427070h contains another VA, and the breakpoint fires if the content of that second VA equals 1231h.
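As an added illustration (not OllyDbg's own code, and not from this book), the small evaluator below runs the five condition forms above against a constructed register/memory snapshot, so you can see how hex numbers, [addr] and [[addr]] dereferences, and string-pointer comparisons are resolved. The register values, the 427000h data region and its contents are assumptions made up for the demo.

```python
import re
import struct

# Constructed snapshot (hypothetical values): register contents and a
# 256-byte little-endian data region that starts at 427000h.
REGS = {"EAX": 0x1, "ECX": 0x11, "EDX": 0x427010}
BASE = 0x427000
MEM = bytearray(0x100)
MEM[0x10:0x16] = b"Error\0"                    # the text 'Error' at 427010h
MEM[0x70:0x74] = struct.pack("<I", 0x427080)   # 427070h holds a pointer
MEM[0x80:0x84] = struct.pack("<I", 0x1231)     # 427080h holds 1231h

TOKEN = re.compile(r"\s*(\[|\]|==|=|>|<|'[^']*'|[A-Za-z_]\w*|[0-9A-Fa-f]+)")


class MemoryFault(Exception):
    """Address outside the readable snapshot (an access violation)."""


def read_dword(addr):
    off = addr - BASE
    if not 0 <= off <= len(MEM) - 4:
        raise MemoryFault("%08X" % addr)
    return struct.unpack_from("<I", MEM, off)[0]


def read_string(addr):
    off = addr - BASE
    if not 0 <= off < len(MEM):
        raise MemoryFault("%08X" % addr)
    end = MEM.find(b"\0", off)
    return MEM[off:end if end != -1 else len(MEM)].decode("latin-1")


def tokenize(text):
    pos, toks, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("bad token at %r" % text[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks


class Parser:
    # Recursive descent over:  comparison ('and' comparison)*
    def __init__(self, text, regs):
        self.toks, self.i, self.regs = tokenize(text), 0, regs

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError("expected %s, got %r" % (want, tok))
        self.i += 1
        return tok

    def expression(self):
        result = self.comparison()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            result = self.comparison() and result
        return result

    def comparison(self):
        left, op, right = self.term(), self.take(), self.term()
        # A string on one side turns the number on the other side into a
        # pointer to text: that is how  EAX == 'Error'  reads EAX as a string.
        if isinstance(left, str) and isinstance(right, int):
            right = read_string(right)
        elif isinstance(right, str) and isinstance(left, int):
            left = read_string(left)
        if op in ("=", "=="):
            return left == right
        if op in (">", "<"):
            return left > right if op == ">" else left < right
        raise ValueError("unknown operator %r" % op)

    def term(self):
        tok = self.take()
        if tok == "[":                          # [addr]  or  [STRING addr]
            as_text = self.peek() == "STRING"
            if as_text:
                self.take()
            addr = self.term()
            self.take("]")
            return read_string(addr) if as_text else read_dword(addr)
        if tok.startswith("'"):
            return tok[1:-1]
        if tok in self.regs:
            return self.regs[tok]
        return int(tok, 16)                     # OllyDbg reads numbers as hex


def breakpoint_fires(condition, regs=REGS):
    """True when the condition holds for the snapshot. A condition that
    touches unreadable memory does not fire (this example's choice)."""
    try:
        return bool(Parser(condition, regs).expression())
    except MemoryFault:
        return False
```

With the snapshot above, `[427070] = 1231` is false (that cell holds the pointer 427080h) while `[[427070]] = 1231` is true, and `EAX == 'Error'` is false because EAX = 1 is not a readable address.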

Conditional Breakpoints with a Log

This is simply an extension of conditional breakpoints. To set a conditional logging breakpoint, press <Shift>+<F4>. Whenever such a breakpoint is hit, the event is recorded in the log. To review the log contents, press <Alt>+<L> or use the Log command in the View menu. Figure (8).

Figure (8)

Breakpoint to Windows Messages

Because messages arrive at the window function (more precisely, the window class function), the application window must already be open before a breakpoint can be set on a particular Windows message. In other words, the windowing application must have started executing. For simplicity, load a simple application with a single window into the debugger. To start this application, press <Ctrl>+<F8>. The application window comes alive after about a second. Be careful while part of the program is executing continuously. To reach the window function, you need to call up the list of windows the application has created; use Windows from the View menu. Figure (9).


Figure (9)

The window shown in Figure (9) lets the investigator find the window descriptor (handle), its name, its identifier and, most importantly, the address of the window procedure (ClsProc). The information about the window procedure's address lets the investigator locate the window functions and set both ordinary and conditional breakpoints on them. However, when working with window functions it is best to set breakpoints on the window messages themselves. So click the window shown in Figure (9) and choose Message breakpoint on ClassProc from the context menu. Another window appears in which the following breakpoint parameters can be set. Figure (10).

(a) Choose the message from the drop-down list. Note the following:

(1) Instead of a message you can also choose an event. Such an event may stand for many messages, for example window creation/destruction or keyboard events.

(2) You can also choose user-defined messages.

(b) Specify the list of windows to trace, so that it can be determined which of them a message comes from: a given window, all windows with a given title, or all windows.

(c) Set a counter so you know how many times the breakpoint has been hit.

(d) Specify whether or not program execution should stop when the breakpoint is hit.

(e) Specify how the record should be written to the log when the breakpoint is hit.

Figure (10)

Breakpoints to the Import Functions

If you want the list of names imported into the module being debugged, press <Ctrl>+<N>. Figure (11). Then right-click in that window; you can also do the following:

(a) Set a breakpoint on the call to an imported function (Toggle breakpoint on import).

(b) Set a conditional breakpoint on the call to an imported function (Conditional breakpoint on import).


(c) Set a conditional breakpoint with logging on the call to an imported function (Conditional log breakpoint on import).

(d) Set a breakpoint on every reference to the given name (Set breakpoint on every reference). {This command is similar to Find references to import (Enter key). The difference is that with Find references to import you still have to pick the breakpoint yourself if you want one.}

(e) Set a logging breakpoint on every reference associated with the given name (Set log breakpoint on every reference).

(f) Remove all breakpoints (Remove all breakpoints).

Figure (11)

Breakpoints at the Memory Area

The OllyDbg debugger allows only a single breakpoint on a memory area. To set it, select a region in the disassembler window or the data window, then choose Breakpoint | Memory on access or Breakpoint | Memory on write from the context menu. After that, the breakpoint you just set is ready for use. The first kind of breakpoint (on access) can be used for code and data, but the second kind (on write) can only be used for code. Breakpoints are removed by choosing Breakpoint | Remove memory breakpoint from the context menu. Figure (12).

Figure (12)

Breakpoints in the Memory Window

The Memory window (Alt+M) shows the memory blocks allocated for the program being debugged, or allocated by the debugged program itself. Only one breakpoint can be set in this window. To do so, right-click and choose Set memory breakpoint on access or Set memory breakpoint on write. To remove the breakpoint, choose Remove memory breakpoint.

Hardware Breakpoints

Ordinary breakpoints use the INT 3 interrupt vector, and using them slows the program down while it runs. Intel Pentium microprocessors, however, provide four debug registers (DR0-DR3). These registers can hold four breakpoints as virtual addresses in the current program. When the address used by a command matches the address in one of these registers, the processor raises an exception that the debugger catches. Hardware breakpoints do not slow down the debugged program; on the other hand, there are only four of them. To set a hardware breakpoint, go to the disassembler window and choose Breakpoint | Hardware on execution from the context menu. Alternatively, use Breakpoint | Hardware on access or Breakpoint | Hardware on write from the main menu. To delete hardware breakpoints, use Breakpoint | Remove hardware breakpoints from the context menu. Figure (13).

Figure (13)

Other Capabilities

Watch Expressions Window

OllyDbg provides a special window for watching expressions. Recall that expressions came up when conditional breakpoints were explained. Complex expressions involving memory cells and registers can be used, and they can be made as complex as needed. To open the Watch expressions window, use the View | Watches command. Once the window is open, right-click and choose the Add Watches command. Then you can specify an expression for the debugger to watch; its HEX value is displayed. Figure (14) shows a Watch expressions window with four expressions; as each processor command executes, the values are re-evaluated and displayed.

Figure (14)

Searching for Information

In OllyDbg you can search for any kind of information (ASCII, UNICODE, HEX) by pressing <Ctrl>+<B>. Figure (15). To search for a single command use <Ctrl>+<F>; to search for a sequence of commands use <Ctrl>+<S>. <Ctrl>+<L> (Next) repeats the last search.

Figure (15)

Modifying and Saving the Executable Module

In OllyDbg, the code we have modified can be saved as a new executable program. To do so, just choose the Copy to executable | Selection or Copy to executable | All modifications command, then save the result under a file name of your choice in the location you want.


Chapter (7) - Introduction to IDA Pro Advanced 5.2

IDA Pro is one of the best tools for examining executable code. The Olly debugger studied in the previous chapter is easy to use, but its limitation is that it can only examine PE code. IDA Pro can examine DOS/Windows/Unix/Macintosh/Java/.Net/Console programs as well as programs written for other operating systems, including those written for Palm OS and mobile OSes. Unlike Olly, IDA does not draw conclusions or make assumptions about the code, so you must study the code yourself, without a teacher's help, and adjust the necessary parameters yourself. The programming language built into IDA has the same structure and concepts as C, which will be a help to you.

IDA is short for Interactive DisAssembler. If you look at IDA's About window you will see a small picture of Augusta Ada Byron, the first female programmer. The first thing to know is that the IDA package contains two programs: idaw.exe (console) and idag.exe (GUI). The explanation here focuses mainly on the idag.exe (GUI) version.

(1) About Virtual Memory

If you open an exe module in IDA, two files are created in the directory containing that file. These are auxiliary virtual memory files with the extensions ID0 and ID1, which IDA Pro uses to store intermediate data. When you close the current exe file or open another file, these two files disappear. They have the same name as the exe module; the file with the .ID1 extension is used to load the image of the exe module. This image is identical to the image loaded into the 32-bit flat memory model of the Windows OS, so the module the OS executes and the one being examined can correspond exactly. This is what makes IDA a unique debugger. For each address the file stores 32 bits: an 8-bit cell holds the byte at that address, and a 24-bit attribute defines the properties of the cell. In particular, the attribute can mark the memory cell as belonging to an instruction or to data. It can also define other objects such as comments in a string, cross-references and labels.

The mechanism IDA Pro uses for working with virtual memory is the same as the one the Windows OS uses. When a particular cell is accessed, the whole page containing that cell is read into main memory (a buffer). When a memory cell is modified, the whole virtual memory page is rewritten. IDA Pro keeps part of the memory pages in RAM and flushes modified cells to disk from time to time. If the page buffer is full when a page needs to be loaded, IDA Pro searches the buffer for the first modified page, writes it to disk, and then loads the required page into the freed space.

Besides storing the image of the loaded module, IDA Pro needs memory for information such as labels, function names and comments. This information is stored in the file with the .ID0 extension. In the official documentation this memory is referred to as btree memory.

(2) The Program's GUI

When you open an exe program in IDA, you see what is shown in Figure (1). When the analysis of the opened program is complete, the message "The initial autoanalysis is finished" is displayed in the left corner of the program.

In IDA Pro's main window you will see many tabs. Normally there are eight, but there can be more. To add new tabs, choose Open subviews from the Views menu. IDA View and Hex View can be duplicated, so you can look at code and data sections in separate windows. As more windows are added they become IDA View-A, IDA View-B, IDA View-C and so on.


The most important window is IDA View, because it shows the results of analyzing the exe code. Figure (1).

Figure (1)

When working with the IDA Pro debugger, do not forget that there are three main ways of controlling the program: menu commands, toolbar buttons and hotkeys. Not every IDA action has a hotkey, but the most commonly used ones do. For example, if some data block looks suspicious to you, press the C key (short for code) to convert it to code. Conversely, if some block of assembly commands does not seem to make sense, press the D key (short for data) to convert it to data.

IDA Pro uses the following configuration files:

ida.cfg – the general configuration file

idatui.cfg – configuration file for the console program

idagui.cfg – configuration file for the GUI program

The configuration files must be located in the CFG subdirectory of the IDA main directory.

(3) Loading exe Code

When you open an exe module in IDA, you see what is shown in Figure (2). Using this window you can change the loading process and the initial analysis. It offers many configuration settings, which are explained below.

In most cases IDA suggests the most suitable settings and the user need not change anything; you only need to press the OK button. The following options are used only occasionally, but they are described briefly.

- Load file (directory/name) as – here the program file you opened is matched against the list of file formats (PE or ELF) known to the current version of IDA, and the possible matches are listed. The other options visible in this window vary with the type of program you open. For example, suppose you want to disassemble the MS-DOS stub of a PE module: choose the MS-DOS executable option from the list. If you want to change the processor type, you can do so with the Set button. I should add that when examining modules, IDA picks the most suitable entry and presents the list with it selected. Here IDA can interpret a PE module as a normal PE module, as an MS-DOS program or as a binary file. If you open a .net program or a Linux program instead, the list shown will differ.


Figure (2)

- Processor type – a drop-down list that lets you choose the processor type for which the selected module was compiled.

- Loading segment & Loading offset – loads the module into a segment at the specified offset. This is useful for MS-DOS modules and for binary files; these parameters are not used for PE modules.

- Enabled – a flag in the Analysis group; it can be unchecked to skip the initial analysis of the code. If it is selected, analysis starts as soon as the file is loaded.

- Indicator enabled – sets whether the progress of the analysis process is indicated.

- Create segments – not used for PE modules. If this flag is used, IDA creates the necessary segments.

- Load resources – if this flag is set, the resources of the PE module are loaded. For binary modules this flag is called Load as code segment and is used, for example, for .com programs. Figure (3).

Figure (3)

- Rename DLL entries – if this flag is not set, IDA adds extra comments for functions imported by ordinal. Otherwise the disassembler renames the functions.


- Manual load – if this flag is selected, the disassembler consults the user at every step of the loading process.

- Fill segment gaps – a flag that matters only for NE modules; it instructs the disassembler to fill the gaps between segments, so that one large segment is created.

- Make imports segment – when this flag is set, the disassembler is told to interpret only the .idata section, which holds the import information.

- Don't align segments – concerns the disassembler aligning segments. At the analysis stage this flag is not used for modules.

- Kernel options1 – this window of flags lets the user choose preferences for analyzing the exe code.

Create offsets and segments using fixup info tells the disassembler to use the information from the relocation table during code analysis.

Mark typical code sequence as code tells the disassembler to use typical processor command sequences during analysis.

Delete instructions with no xrefs tells it to ignore processor instructions that have no cross-references at all.

Trace execution flow enables tracing, which is how processor instructions are found.

Create functions if call is present tells the disassembler to recognize functions from calls.

Analyze and create all xrefs is one of the main options to select; it makes the disassembler use cross-references in the analysis.

Use FLIRT signatures tells the disassembler to use Fast Library Identification and Recognition Technology (FLIRT) to recognize library functions by their signatures.

Create function if data xref data -> code32 exists tells the disassembler to examine references to code found in data areas.

Rename jump function as j_ names simple functions consisting only of a jmp somewhere command as j_somewhere.

Rename empty function as nullsub_ names functions consisting of a single RET command as nullsub_.

Create stack variables creates (defines) the local variables and parameters of functions.

Trace stack pointer traces the value of the ESP register.

Create ASCII string if data xref exists treats a referenced data item as an ASCII string, depending on whether its size exceeds a certain value.

Convert 32-bit instruction operand to offset tells the disassembler to treat an immediate data item in a processor instruction as an address if its value falls within a predefined interval.

Create offset if data xref to seg32 exists tells the disassembler to treat values stored in data areas as addresses if their values fall within a predefined interval.


make final analysis pass uawmh analysis vkyfwJhaemufqHk;tqifhudk vkyfaqmifjyD;csdefrSm rpHk;prf;EdkifwJh byte awGtm;vHk;udk a'wm (odkU) instruction awGtjzpf ajymif;vJzdkU disassembler udkcdkif;ygw,f/

- Kernel options2 – aemufxyf flag awGeJUjywJh 'D window uawmh oHk;pGJoludk exe uk'fawG analyze vkyfwJhtcgrSm ESpfouf&mudka&G;cs,fEdkifzdkU jyoygw,f/

Locate and create jump tables udk jump table &JUt&G,ftpm;eJU address taMumif; aumufcsufcsEdkifzdkU disassembler udkcdkif;ygw,f/

wu,fvdkU Coagulate data in the final pass flag udkydwfxm;r,fqdk&if analysis &JU aemufqHk; tqifhrSm code segment &JU byte awGudkom ajymif;vJay;rSmjzpfygw,f/ (Make final analysis pass flag udkMunfhyg/)

Automatically hide library function uawmh FLIRT udktoHk;jyKjyD; pHkprf;xm;wJh library function awGudk azsmufxm; (collapse) zdkUtwGufoHk;ygw,f/

Propagate stack argument information uawmh aemufxyf call awG&SdvmcJh&if (tjcm; function rSac:oHk;aom function wpfckuJhodkU) call &JU stack parameter eJUywfoufwJh tcsuf tvufawGudk odrf;qnf;zdkU disassembler udkcdkif;ygw,f/

Propagate register argument information uawmh aemufxyf call awG&SdvmcJh&if (tjcm; function rSac:oHk;aom function rsm;uJhodkU) call &JU register parameter eJUywfoufwJh tcsuf tvufawGudk odrf;qnf;zdkU disassembler udkcdkif;ygw,f/

Check for Unicode strings uawmh Unicode string awG&Sd^r&Sd y&dk*&rfudk ppfaq;EdkifzdkU jzpfygw,f/

Comment anonymous library functions uawmh wduswJh library function wpfckudk pHkprf; &&SdwJhtcg library trnfeJU signature awGudktoHk;jyKjyD; trnfrod library function awGudk trSwf tom;vkyfxm;zdkU disassembler udkcdkif;ygw,f/

Multiple copy library function recognition uawmh y&dk*&rfwGif;rSm&SdwJh wlnDwJh function &JU copy tajrmuftrsm;udk rSwfxm;apzdkUjzpfygw,f/

Create function tails uawmh function tails udk&SmazGay;zdkUjzpfjyD; 'gawGudk function t"dyÜm,f zGifhqdkcsufrSm vmaygif;rSmjzpfygw,f/

- Processor options – 'guawmh flag awGa&G;cs,fEdkifwJh window udkac:oHk;wJh button wpfckjzpfygw,f/

Convert immediate operand of "push" to offset uawmh PUSH command xJrSm&SdwJh wdkuf&dkuf operand udk offset wpfck (address wpfck)tjzpf ajymif;vJay;EdkifpGrf;udk nTefjyygw,f/

Convert db 90h after "jmp" to "nop" uawmh JMP command aemufu uyfygvmwJh 90H byte awGudk NOP command awGtjzpf bmomjyefay;zdkUjzpfygw,f/

Convert immediate operand of "mov reg, …" to offset uawmh MOV reg, … command (reg uawmh register udkqdkvdkwmyg/) xJrSm&SdwJh wdkuf&dkuf operand udk offset wpfck (address wpfck)tjzpf ajymif;vJay;EdkifpGrf;udk nTefjyygw,f/

Convert immediate operand of "mov memory, …" to offset indicates the ability to convert an immediate operand inside a MOV mem, … command into an offset (an address).

Disassemble zero opcode instructions tells it to disassemble the following instruction (00 00: ADD [EAX], AL). Normally it is left unselected. Figure (4).

Advanced analysis of Borland's RTTI (RTTI means run-time type information) tells IDA Pro to check for and create RTTI structures.

Check "unknown_libname" for Borland's RTTI tells it to check the unknown_libname marks and names when RTTI structures are present.

Advanced analysis of catch/finally block after function tells it to search for exception-processing blocks such as catch/finally.


Figure (4)

Allow references with different segment bases tells it to define character-related references even when the value stored at the designated address is not a character. (It does not have it displayed as a character code.)

Don't display redundant instruction prefixes hides some command prefixes so that the listing is easier to read.

Interpret int 20 as VxDcall interprets INT 20H as a VxDcall/jump.

Enable FPU emulation instructions interprets commands such as INT 3?H as emulations of arithmetic coprocessor commands.

If Explicit RIP-addressing is set, the program is assumed to use relative instruction pointer (RIP) addressing. This flag should be selected for 64-bit processors.

- System DLL directory – this specifies the directory in which IDA Pro should look for DLL files. The .ids files belonging to the respective libraries are the exception.

(4) Disassembler Window

In IDA Pro most of the work is done in the disassembler window, so this window needs to be known in detail. What is worth pointing out here is that the developers of this disassembler thought seriously about how to present disassembled functions and how to navigate them.

Hiding functions – In the disassembler window, functions can be shown in collapsed (hide) or expanded (unhide) form. In collapsed form a function is shown as a single line. This useful feature helps you read the disassembled code easily. To collapse/expand functions use the (+)/(-) keys on the numeric keypad, or choose Hide/Unhide from the View menu.

Indicating functions – Figure (5) shows the disassembler window. Pay attention to the leftmost part of this window. This part exists to simplify viewing and navigating the listing. Commands are marked with small dots. If a line has no dot, it is a string containing a comment. If the user clicks on this dot with the mouse, IDA Pro sets a breakpoint at that address. Jumps are shown with dots or with solid lines.


Solid lines denote unconditional jumps (JMP), while dotted lines denote conditional jumps (JE, JNZ).

Figure (5)

Using special comments – The addresses inside a program carry special comments stating which jumps (conditional and unconditional jumps, or CALL commands) act on them or refer to them. If the reference means a jump to the designated address, the comments usually begin with CODE XREF. If the command is referenced as data (for example MOV EAX, OFFSET L1), they begin with DATA XREF. These comments are called cross-references, and a colon follows the cross-reference mark. The addresses after it show the start of the function (or section) from which these references originate. By clicking such an address with the mouse you can bring up, in a pop-up window, the beginning of the code fragment that refers to the designated instruction. The address contains the characters <↑><↓>, which designate the line of code where this instruction is referenced. To go straight to the line where the reference originates, double-click the address. If the number of references to the designated line is fewer than four, they are simply listed; otherwise the references are shown with dots. If you right-click one of these addresses and choose Jump to cross reference, you can go straight to the required item. Figure (6). After that, all the addresses appear in a list, as in Figure (7). Pick the address you want to go to in Figure (7) and press OK.

Figure (6)

Figure (7)


Designating an address – The listing in the disassembler window shows several ways of designating an address. For example, in the case of an API function, the name of that function is given exactly. Moreover, where strings are concerned, IDA Pro mostly bases the names of references on the strings it has detected. For example, when IDA designates the string containing the text You are wrong! as a reference, it turns that string into aYouAreWrong. Names with the prefix "a" are treated by IDA Pro as ASCII strings. Figure (8). All other names designate function names or data addresses based on a prefix and an address. As seen in Figure (9), you may encounter the following prefixes –

sub_ – Function

locret_ – Address of the return instruction

loc_ – Instruction address

off_ – Data specifying the address (offset)

seg_ – Data specifying the segment address

asc_ – Address of an ASCII string

byte_ – Byte address

word_ – Word address

dword_ – Double word address

qword_ – Address of a 64-bit value

flt_ – Address of a 32-bit floating-point number

dbl_ – Address of a 64-bit floating-point number

tbyte_ – Address of an 80-bit floating-point number

stru_ – Structure address

algn_ – Alignment directive

unk_ – Address of an uninvestigated area

Figure (8)

Figure (9)


Using the context menu – When working with the disassembler window you need to be familiar with the context menus that appear when you right-click in a window. Some menus differ depending on the part you select, for example in the listing for function names, instructions, comments and a selected block. Some menu items relate to IDA Pro's functions as a debugger (Run to cursor, Add breakpoint and Add execution trace). Note the Rename menu in particular: this item lets you edit a command's operands.

Navigating a listing – The most important matter is navigating the listing. You can go straight to the places a cross-reference points to. The other direction (double-clicking on the cross-reference) can be used to return (for example to a conditional jump, to a CALL command, or to the address inside a command such as MOV EAX, OFFSET address). Note that IDA Pro records all your jumps, so you can move forward or back to any position at any time using the buttons.

(5) Other windows

- Hex View – This window contains the hex dump of the loaded module, and the dump is shown together with ASCII characters. Since this window is an auxiliary window of the disassembler window, it can easily be synchronized with it. To do so, right-click anywhere in the hex window and choose Synchronize with IDA View, as in Figure (10).

Figure (10)

Then, as in Figure (11), you land in the IDA View at VA 0040B440. That is, the hex byte 5E corresponds to POP ESI.

Figure (11)

- Exports – This window contains the list of exported functions. It is useful when working with DLLs. For an ordinary exe module it shows only one element, named start. Figure (12).

Figure (12)

- Imports – This window contains the list of imported functions and modules. Double-clicking an imported function takes you to the disassembler window, where it is found as an entry point. So you can easily find all the cross-references to this function inside the program. Figure (13/14).


Figure (13)

Figure (14)

- Names – This window contains all the imports and library functions. It also contains the names of the variables and labels known to IDA Pro. The letter (icon) on the left of each name is the name's type. Figure (15).

L – Library function

F – Regular functions and API functions

C – Instruction (label)

A – ASCII string

D – Data

I – Imported function

Figure (15)

Double-clicking a name takes you straight to the location in the program that uses that name. To create a new name, press the Insert key at the address you want to change. Figure (16).

Figure (16)

The name you typed also appears in the disassembler window. Figure (17).

Figure (17)


- Functions – This window shows the list of functions known to IDA Pro, including library functions and imported user functions. Figure (18).

Figure (18)

- Strings – This window contains all the strings found by the disassembler. Figure (19).

Figure (19)

Double-clicking a string takes you straight to the place where that string is declared. Normally this window shows only C-style strings. To show other string types, right-click in this window and choose them through the Setup command. Figure (20).

Figure (20)

- Structures – This window contains all the structures found by the disassembler. Figure (21). To add a new structure, press the Insert key.

Figure (21)

- Enums – This window is intended to show all the enumerations detected inside the program.

In addition, the disassembler can use other windows, notably the Library window. The online help system calls this window the signatures window. It shows the list of signatures used to identify library functions. Figure (22).


What Figure (22) shows is the name of the file containing the function signatures, the number of functions found using those signatures, and the name associated with the functions to which those signatures apply.

Figure (22)

If you want to add further signature files that you need, press the Insert key and add the ones you want. Figure (23). The signatures of that file are used immediately to identify new functions.

Figure (23)

(6) Menus and toolbar

IDA's menus and toolbars are explained only roughly here.

The items of the File menu are as follows –

Open – Opens the exe module to be disassembled.

Load – Opens files of various kinds. Reload the input reloads the disassembled module. Additional binary file loads another binary file into the database. IDS file opens an IDS (intrusion-detection system) file containing information about the functions of the designated import library. (All the IDS files in the IDS directory are loaded automatically.) PDB file loads a PDB file containing debug information. DBG file likewise loads a file containing debug information. FLIRT signature file loads signature files and applies them. (It performs the same action as the signature window seen in Figure 22.) Parse C header file reads the type definitions from a header file in order to declare further new structures and enumerations. (See the sections on the Enums and Structures windows.)

Produce File – Creates new files of various kinds based on the disassembled code. The .map can be used by debuggers. .asm is an assembly file, and .lst saves the code seen in IDA View. It can also save as .inc, .exe, .dif, .html and other files. If the Hex-Rays Decompiler is installed, the disassembled exe file can be decompiled into a .c (C source code) file. Figure (24).

if ( LCData )
{
  lstrcpyA(v5, &LCData);
  v7 = LoadLibraryExA(ValueName, 0, 2u);
  v3 = v7;
  if ( !v7 )
  {
    v14 = 0;
    lstrcpyA(v5, &LCData);
    v3 = LoadLibraryExA(ValueName, 0, 2u);
  }
}

Figure (24)

IDC file – Loads script files and runs them.


IDC command – Opens a window in which scripts can be executed immediately.

Save… – Saves the database currently being disassembled with the .idb extension.

Save as… – Saves the database currently being disassembled under a designated name.

Close – Saves the database being disassembled and closes the disassembled file.

The items of the Edit menu are as follows –

Copy – Copies the selection to the clipboard.

CODE – Converts the block into executable code.

DATA – Converts the selected block into data.

Struct var… – Converts the block into the selected structure.

Strings – Converts into a string. (The string type can be chosen from the submenu.)

Array – Converts into an array with predefined parameters.

Undefine – Marks the selected block as data of a not-yet-defined structure.

Name – Renames.

Operand type – Sets the operand type.

Comments – For adding comments.

Segments – For managing segments.

Structs – For managing structures.

Functions – For managing functions.

Other – Performs other operations such as setting an alignment directive, entering instructions or data, and displaying in a chosen color.

Plugins – For using other plug-in modules.

The items of the Jump menu are intended for the various jumps within the disassembled code. For example – jumping to a designated address, jumping to a designated function (which can be chosen from a list), jumping to the program's entry point (EP), jumping to a designated label. Figure (25).

Figure (25)

The items of the Search menu are intended for the various search operations over the disassembled text. For example – searching for text, searching for the next data block, searching for the next assembly instruction, searching for the next byte sequence. Figure (26).


Figure (26)

Using the items of the View menu you can arrange IDA Pro's views as you like. You can open new windows (Open Subviews), create and remove toolbars (Toolbars), and hide/unhide functions.

The commands of the Debugger menu present IDA Pro's various debugging capabilities. These are managing breakpoints (Breakpoints), managing watches (Watches), tracing (Tracing), and viewing the values in the various registers (General registers, Segment registers, FPU registers).

The Options menu is for changing IDA Pro's settings, as I explained earlier.

Using the items of the Windows menu you can manage IDA Pro's windows.

The Help menu items give you technical assistance.

(7) The built-in IDA Pro programming language

The IDA Pro disassembler comes with a built-in programming language. So you can write small programs yourself and use them to examine the disassembled code.

The programming language that comes with IDA Pro closely resembles the C (ANSI C) language. That is why the language is named IDC (Interactive Disassembler C). Sample programs in this language are found under the IDC subdirectory. IDA Pro uses these programs to analyze the disassembled text. All of these programs are easy to analyze, so you can use them to learn the IDC language.

There are two ways to execute IDC commands.

1. The first way is to use the command window. To open the command window, choose File | IDC command or press Shift + F2. The command window looks like Figure (27). IDC commands can be edited in this window. When everything is done, just press the OK button. IDA Pro translates these commands and tries to execute them. So simple programs in the IDC language can be written using this window.

2. A more fundamental approach is to create files with the .IDC extension containing IDC code. To open a program, choose Idc file from the File menu. Here the program is compiled and executed immediately. In addition, another window appears as in Figure (28), with buttons for editing the program code and executing the program.

A program written in IDC must contain at least the following.

#include <idc.idc>

static main(void)
{
    // Your Code here;
}


Figure (27)

Figure (28)

In conclusion, if you want to know IDA Pro in depth, I recommend reading the book 'The IDA Pro Book – The Unofficial Guide to the World's Most Popular Disassembler' by Chris Eagle.


Chapter (8) - PE Header

(1) PE file structure

Portable Executable (PE) is a file format for the executable (EXE) files and object (DLL) files used on 32-bit and 64-bit Windows operating systems. The term Portable itself refers to being easily usable across 32-bit and 64-bit Windows. The PE format is basically a data structure that encapsulates the information the Windows OS loader needs in order to manage the wrapped executable code. That includes dynamic library references for linking, tables for exporting and importing APIs, resource management data and TLS data. The format was devised by Microsoft and modeled on the COFF file format used on VAX/VMS.

The name "Portable Executable" was chosen because the intent was for it to be the most fundamental file format for all of Windows and to work on every CPU. That is, it can be used on the Windows NT family, the Windows 95 family and Windows CE. The OBJ files produced by Microsoft compilers are in the COFF (Common Object File Format) format and use the octal system for encoding. On 64-bit Windows the PE format needs a few modifications. Figure (1) shows the basic structure of a PE file.

Figure (1)

A PE file has at least two sections: one for code and the other for data. A Windows NT application has about nine of them: .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, and some may have more than this, depending on their needs.

The sections most commonly found in a file are ...

- executable code section: .text (Microsoft), CODE (Borland)

- data section: .data, .rdata, .bss (Microsoft), DATA, BSS (Borland)

- resources section: .rsrc

- export data section: .edata

- import data section: .idata

- debug information section: .debug

Section names are not actually very important; the OS ignores them. The important point is that the structure of a PE file on disk is the same as its state once it is loaded into memory. So if you place information in the file on disk, you will be able to find that information when the file is loaded into memory. However, it is not loaded into memory completely unchanged. The Windows loader still decides which parts need to be mapped and which parts to leave out.

Figure (1) layout, top to bottom: DOS MZ Header, DOS Stub, PE header, Section Table, Section 1, Section 2, Section …, Section n


Information that does not need to be mapped at all is placed at the end of the file, past every section that will be mapped (for example, debug information).

The location of an item in the file on disk and its location once loaded into memory tend to differ. This is because of the page-based virtual memory management system that Windows uses. When sections are loaded into RAM they have to be aligned to 4KB memory pages, and each section must start on a new page. Virtual memory is as shown in Figure (2).

Figure (2)

What virtual memory does is create an invisible layer between the processor and the OS, instead of letting software use physical memory directly. Each time an attempt is made to access memory, the processor resolves through the page table which physical memory address a given process actually uses. In practice it is impossible to have a table entry for every byte of memory (the page table would be larger than the total physical memory). So processors have to divide memory into pages. The results of this are -

(1) A great many address spaces can be created. An address space is a separate page that only the current program or process is allowed to access. It is certain that programs are kept separate from one another, so if one program crashes it does not disturb another program's address space.

(2) The processor can be made to enforce the rules for how memory is accessed. PE files need sections because the memory manager treats the different regions of the file differently each time a module is loaded. At load time the memory manager sets the access rights on the memory pages of the various sections based on their settings in the section header. This determines whether a given section is readable, writable or executable. It means that each section should, by convention, start on a fresh page.

In any case, the page size for Windows is 4096 bytes (1000h). Aligning the exe code on disk to the page size would be wasteful, because it would make the size larger than necessary. That is why there are two different alignment fields in the PE header: section alignment and file alignment. Section alignment, as stated above, is how sections are aligned in memory.

(3) The state of a PE file once the Windows loader has loaded it into memory is called a module. The first address at which the file begins to be mapped is called the HMODULE. A module in memory represents all the code, data and resources that a process needs from the exe file. Other parts of the PE file can be read but are not mapped into memory (for example, relocations).

(2) DOS Header

PE files usually begin with a DOS header, found as the first 64 bytes of the file. The program had to start running from DOS. So only when DOS recognizes it as a valid executable file does it run the DOS stub stored after the header. The DOS stub usually prints the text 'This program must be run under Microsoft Windows', and it can even be a DOS program in its own right. When a Windows application is built, the linker links a stub program called winstub.exe into your exe file.

The DOS header is a structure, and it is defined in the windows.inc or winnt.h files. (If you already have an assembler or compiler installed, you can find them under the \include\ directory.) The DOS header has 19 members, of which magic and lfanew are the interesting ones.

IMAGE_DOS_HEADER STRUCT
    e_magic     WORD ?
    e_cblp      WORD ?
    e_cp        WORD ?
    e_crlc      WORD ?
    e_cparhdr   WORD ?
    e_minalloc  WORD ?
    e_maxalloc  WORD ?
    e_ss        WORD ?
    e_sp        WORD ?
    e_csum      WORD ?
    e_ip        WORD ?
    e_cs        WORD ?
    e_lfarlc    WORD ?
    e_ovno      WORD ?
    e_res       WORD 4 dup (?)
    e_oemid     WORD ?
    e_oeminfo   WORD ?
    e_res2      WORD 10 dup (?)
    e_lfanew    DWORD ?
IMAGE_DOS_HEADER ENDS

The magic part of the DOS header in a PE file contains the values 4Dh, 5Ah (the letters MZ, which stand for Mark Zbikowsky, one of the original designers of MS-DOS), and it signifies a valid DOS header. MZ is the first two characters and can be seen in any PE file opened with a hex editor.

lfanew is a DWORD located between the end of the DOS header and the start of the DOS stub. It contains the offset of the PE header relative to the start of the program. The Windows loader looks for this offset, which is how it can skip the DOS stub and go straight to the PE header. (Note: DWORD (double word) = 4 bytes or 32 bits; WORD = 2 bytes or 16 bits. Sometimes DWORD is also seen as dd. dw is WORD, and for byte it is db. Figure (3).)

Figure (3)

I said that the DOS header is found as the first 64 bytes of the PE file. That is, the first 4 lines of Figure (3) (from offset 0000 to offset 0030). The last DWORD before the DOS stub begins contains 00h 01h 00h 00h. Rearranged in reverse starting from the last byte, it becomes 00 00 01 00h, and that is where the PE header begins. The PE header also begins with its own signature, 50h, 45h, 00h, 00h. (The letters "PE" followed by zeros.)

If NE is found instead of PE where the PE header's signature should be, the file is an NE file that runs on 16-bit Windows. Similarly, LE means a Windows 3.x virtual device driver (VxD), and LX means an OS/2 2.0 file.

(3) PE Header

The PE header is a structure called IMAGE_NT_HEADERS. This structure contains the information that the Windows loader essentially needs. IMAGE_NT_HEADERS has 3 members, and they are defined in windows.inc.

IMAGE_NT_HEADERS STRUCT
    Signature       DWORD ?
    FileHeader      IMAGE_FILE_HEADER <>
    OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>
IMAGE_NT_HEADERS ENDS

- Signature is a DWORD containing the values 50h, 45h, 00h, 00h ('PE' followed by zeros).

- FileHeader is the next 20 bytes of the PE file and contains the file's physical layout and attributes (for example the number of sections and whether or not it is an exe file).

- OptionalHeader is the next 224 bytes and contains information about the logical layout inside the PE file (for example AddressOfEntryPoint). Its size is given by one of FileHeader's members. The structures of these members are also defined in windows.inc.

FileHeader can be described as follows.

IMAGE_FILE_HEADER STRUCT
    Machine               WORD   014C      (Intel 386)
    NumberOfSections      WORD   0005
    TimeDateStamp         DWORD  846C26F0
    PointerToSymbolTable  DWORD  00000000
    NumberOfSymbols       DWORD  00000000
    SizeOfOptionalHeader  WORD   00E0
    Characteristics       WORD   818E      (File is exe)
IMAGE_FILE_HEADER ENDS

We will not use most of these. But NumberOfSections is used whenever you want to delete sections from the PE file or add new ones. Characteristics contains flags that can tell whether the PE file is an executable file or a DLL. The 7th byte from the start of the PE header is NumberOfSections; it tells how many sections there are. Figure (4).

Figure (4)

According to Figure (4), the PE file we opened has 5 sections. PE browse and Lord PE were used here.

OptionalHeader takes up 224 bytes. Its last 128 bytes contain the DataDirectory.


IMAGE_OPTIONAL_HEADER32 STRUCT
    Magic                        WORD   010B      (PE32)
    MajorLinkerVersion           BYTE   02
    MinorLinkerVersion           BYTE   19
    SizeOfCode                   DWORD  00000600
    SizeOfInitializedData        DWORD  00001800
    SizeOfUninitializedData      DWORD  00000000
    AddressOfEntryPoint          DWORD  00001000  (CODE)
    BaseOfCode                   DWORD  00001000
    BaseOfData                   DWORD  00002000
    ImageBase                    DWORD  00400000
    SectionAlignment             DWORD  00001000
    FileAlignment                DWORD  00000200
    MajorOperatingSystemVersion  WORD   0001
    MinorOperatingSystemVersion  WORD   0000
    MajorImageVersion            WORD   0000
    MinorImageVersion            WORD   0000
    MajorSubsystemVersion        WORD   0003
    MinorSubsystemVersion        WORD   000A
    Win32VersionValue            DWORD  00000000
    SizeOfImage                  DWORD  00006000
    SizeOfHeaders                DWORD  00000400
    CheckSum                     DWORD  00000000
    Subsystem                    WORD   0002      (Windows GUI)
    DllCharacteristics           WORD   0000
    SizeOfStackReserve           DWORD  00100000
    SizeOfStackCommit            DWORD  00002000
    SizeOfHeapReserve            DWORD  00100000
    SizeOfHeapCommit             DWORD  00000000
    LoaderFlags                  DWORD  00000000
    NumberOfRvaAndSizes          DWORD  00000010
    DataDirectory                IMAGE_DATA_DIRECTORY
IMAGE_OPTIONAL_HEADER32 ENDS

AddressOfEntryPoint - The RVA of the first instruction that will execute when the PE loader is ready to run the PE file. If you want an instruction of your own choosing to execute, you can either change this RVA or modify the instruction. Packers mostly point it at their decompression stub, so when the program is executed the original entry point (OEP) is skipped over. Files protected with Starforce technology have no .CODE section while they reside on disk; it only arrives in virtual memory at execution time. It is expressed as a virtual address.

ImageBase - The preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The meaning of 'preferred' is that if some other module is found in that address range, the PE loader will not load the file at that address. About 99 percent of the time it is 400000h. For files compiled with Microsoft Visual C++ x.x Method2 [Debug] it is 1000000h.

SectionAlignment - The alignment of sections in memory. For example, if the value in this field is 4096 (1000h), it means every section must start at a multiple of 4096 bytes. If the first section is at 401000h and its size is only 10 bytes, the next section still starts at 402000h. The free addresses between 401000h and 402000h are mostly left unused.

FileAlignment - zdkifxJwGif section rsm;udk alignment csxm;rI/ erlemjy&&if wu,fvdkU 'D field xJu wefzdk;[m 512 (200h) jzpf&if section wdkif;[m 512bytes &JUajrSmufazmfudef;*Pef;awGeJU pwif&ygr,fvdkU qdkvdkwmyg/ wu,fvdkU yxrqHk; section [m offset 200h rSm&SdjyD; olU&JUt&G,ftpm;[m 10bytes yJ&SdcJh&if awmif aemuf section [m 400h rSm prSmyg/ 512 eJU 1024 Mum;u vGwfaewJh offset ae&mawGudkawmh toHk; jyKrSm r[kwfygbl;/

SizeOfImage - rSwfOmPfxJu PE image &JU pkpkaygif;t&G,ftpm;jzpfygw,f/ SectionAlignment t& align vkyfxm;wJh header tm;vHk;eJU section tm;vHk;&JUaygif;v'fjzpfygw,f/

SizeOfHeaders - section table eJU header tm;vHk;wdkU&JU t&G,ftpm;yJ jzpfygw,f/ jcHKajym&&if 'Dwefzdk;[m zdkift&G,ftpm;xJuae zdkifxJrSm&SdwJh section tm;vHk;aygif;xm;wJh t&G,ftpm;udk EIwfjcif;eJU nDrQygw,f/


DataDirectory - An array of 16 IMAGE_DATA_DIRECTORY structures, each associated with an important data structure in the PE file, such as the import address table (IAT).

Figure (5) shows the layout of the PE header as seen in a hex editor. Note that whichever part of the DOS header or PE header you look at in a hex editor, the sizes and shapes are always the same; only the DOS STUB can vary in size.

Figure (5)

You can also examine the PE header in detail in Olly. Open Olly debugger and press Alt + M; you will see Figure (6).

Figure (6)

In Figure (6), right-click on the text "PE header" and choose Dump in CPU; you will see Figure (7).

Figure (7)


In the hex window of Figure (7), right-click and choose PE header from the Special menu; you will see Figure (8).

Figure (8)

(4) Data Directory

To say more about DataDirectory: it is simply the last 128 bytes of the OptionalHeader. The OptionalHeader in turn is the last member of IMAGE_NT_HEADERS, the PE header.

As mentioned earlier, DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, each associated with an important data structure in the PE file. Each array element refers to a predefined item such as the import table. The structure has two members: one gives the location and the other the size.

IMAGE_DATA_DIRECTORY STRUCT
    VirtualAddress    DWORD ?
    isize             DWORD ?
IMAGE_DATA_DIRECTORY ENDS

VirtualAddress is the relative virtual address (RVA) of the data structure. isize is the size of the data structure in bytes.

The names of the 16 directories declared in windows.inc are as follows -


IMAGE_DIRECTORY_ENTRY_EXPORT           equ 0    (export symbols)
IMAGE_DIRECTORY_ENTRY_IMPORT           equ 1    (import symbols)
IMAGE_DIRECTORY_ENTRY_RESOURCE         equ 2    (resources)
IMAGE_DIRECTORY_ENTRY_EXCEPTION        equ 3    (exception)
IMAGE_DIRECTORY_ENTRY_SECURITY         equ 4    (security)
IMAGE_DIRECTORY_ENTRY_BASERELOC        equ 5    (base relocation)
IMAGE_DIRECTORY_ENTRY_DEBUG            equ 6    (debug)
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        equ 7    (copyright string)
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        equ 8    (unknown)
IMAGE_DIRECTORY_ENTRY_TLS              equ 9    (thread local storage)
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      equ 10   (load configuration)
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     equ 11   (bound import)
IMAGE_DIRECTORY_ENTRY_IAT              equ 12   (import address table)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     equ 13   (delay import)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   equ 14   (COM descriptor)
IMAGE_NUMBEROF_DIRECTORY_ENTRIES       equ 16

Looking at a sample exe file in LordPE gives Figure (9).

Figure (9)

In Figure (9), apart from the 4 entries highlighted in blue, the remaining unused slots are filled with zeros.

Figure (10)

In Figure (10) the import directory is shown in pink. Its first 4 bytes are 40000h (stored in reverse byte order), and the size of the import directory is 1CDCh bytes. The DWORD at 80 bytes from the start of the PE header is always the RVA of the import directory. Yellow marks the resource directory and purple the TLS directory.

To locate a particular directory, start from the data directory and take its virtual address. Then use that virtual address to find out which section the directory lives in. Once you know which section holds the directory, use that section's section header to compute the exact file offset.

(5) Section Table

The section table immediately follows the PE header. It is an array of IMAGE_SECTION_HEADER structures, each of which holds information about one section of the PE file, such as its attributes and virtual offset. Remember that the number of sections is given by the second member of the file header (6 bytes from the start of the PE header). So if a PE file has 8 sections, there are 8 copies of this structure in the table. Each header structure is 40 bytes and is declared in windows.inc as follows.

IMAGE_SECTION_HEADER STRUCT
    Name1                  BYTE  IMAGE_SIZEOF_SHORT_NAME dup (?)
    union Misc
        PhysicalAddress    DWORD ?
        VirtualSize        DWORD ?
    ends
    VirtualAddress         DWORD ?
    SizeOfRawData          DWORD ?
    PointerToRawData       DWORD ?
    PointerToRelocations   DWORD ?
    PointerToLinenumbers   DWORD ?
    NumberOfRelocations    WORD  ?
    NumberOfLinenumbers    WORD  ?
    Characteristics        DWORD ?
IMAGE_SECTION_HEADER ENDS

IMAGE_SIZEOF_SHORT_NAME equ 8

Not every member of this structure is useful, so only the members that really matter are explained here.

Name1 - (this field is 8 bytes) The name is merely a label and may even be left blank. Note that it is not an ASCII string, so it need not end with a \0 (null terminator).

VirtualSize - (DWORD union) The actual size of the section's data in bytes. It may be smaller than the size of the section on disk (SizeOfRawData). If this value is larger than SizeOfRawData, the remainder of the section is filled with zeros.

VirtualAddress - The RVA of the section. The PE loader reads and uses this field's value when it maps the section into memory. So if this field holds 1000h and the PE file is loaded at 400000h, the section starts at 401000h.

SizeOfRawData - The size of the section's data in the file on disk. It is a multiple of the FileAlignment value in the module header; if it is smaller than the virtual size, the rest of the section is filled with zeros. When the section contains only uninitialized data, this field must be zero.

PointerToRawData - (Raw Offset) - PointerToRawData is very useful, because it is the offset from the start of the file to the section's data. If it is zero, the section's data is not present in the file. It must be a multiple of the FileAlignment value in the module header. When the section contains only uninitialized data, this field must be zero. The PE loader uses this field's value to find where in the file each section's data lies.

Characteristics - Flags describing what the section contains (executable code, initialized data, uninitialized data, and so on) and how it may be accessed (read, write, and so on).

FLAG      EXPLANATION
00000008  Section should not be padded to next boundary
00000020  Section contains code
00000040  Section contains initialised data (which will become initialised with real values before the file is launched)
00000080  Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200  Section contains comments for the linker
00000800  Section contents will not become part of image
00001000  Section contents comdat (Common Block Data)
00008000  Section contents cannot be accessed relative to GP
1-800000  Boundary alignment settings
01000000  Section contains extended relocations
02000000  Section can be discarded (e.g. .reloc)
04000000  Section is not cacheable
08000000  Section is pageable
10000000  Section is shareable
20000000  Section is executable
40000000  Section is readable
80000000  Section is writable

Looking in a hex editor at our program, whose PE header showed 5 sections earlier, gives Figure (11).

Figure (11)

In Figure (11), PointerToRawData is shown in green. For a clearer view, Figure (12) shows the same thing in LordPE.

Figure (12)

After the section headers come the sections themselves. In the file on disk, each section starts at an offset that is some multiple of the FileAlignment value found in the optional header. The gaps between the data of consecutive sections are filled with zeros.

When loaded into RAM, sections always start on a page boundary, so the first byte of each section corresponds to a memory page. Pages on x86 CPUs are 4kB aligned, and on IA-64 they are 8kB aligned. This alignment value is stored in SectionAlignment in the OptionalHeader.

For example, if the optional header ends at file offset 981 and FileAlignment is 512, the first section starts at byte 1024. Remember that you can locate sections through PointerToRawData (or VirtualAddress), so there is no need to wrestle with the alignments yourself.
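As an added example (not code from the Cracker Guide), the following Python builds a small constructed PE32 file in memory and then walks it in the order this chapter describes: DOS header to e_lfanew, the PE\0\0 signature, NumberOfSections at PE header + 6, the optional header fields, the data directory at PE header + 78h, and the section table, finishing with the RVA-to-file-offset step through PointerToRawData. Every field value in the sample (section names, sizes, the string in .data) is constructed.

```python
import struct

SECTION_ALIGN = 0x1000   # OptionalHeader.SectionAlignment of the constructed sample
FILE_ALIGN = 0x200       # OptionalHeader.FileAlignment of the constructed sample
IMAGE_BASE = 0x400000

OPT_HDR_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes)
SECT_HDR_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER (40 bytes)


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe():
    """Constructed PE32 file: two sections, a 'ret' at the entry point, one string in .data."""
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b".text", 0x10, 0x1000, FILE_ALIGN, 0x200, 0x60000020),  # code | execute | read
        (b".data", 0x1CDC, 0x2000, 0x1E00, 0x400, 0xC0000040),    # initialised data | read | write
    ]
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                  # e_lfanew -> "PE\0\0"
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    size_of_image = align_up(sections[-1][2] + sections[-1][1], SECTION_ALIGN)
    size_of_headers = align_up(e_lfanew + 4 + 20 + 0xE0 + 40 * len(sections), FILE_ALIGN)
    opt = struct.pack(OPT_HDR_FMT,
                      0x10B, 2, 25, 0x200, 0x1E00, 0,
                      0x1000,                                    # AddressOfEntryPoint (RVA)
                      0x1000, 0x2000, IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                      1, 0, 0, 0, 3, 10, 0,
                      size_of_image, size_of_headers, 0, 2, 0,
                      0x100000, 0x2000, 0x100000, 0, 0, 16)
    data_dir = bytearray(16 * 8)
    struct.pack_into("<II", data_dir, 1 * 8, 0x2000, 0x1CDC)    # entry 1: import directory RVA/size
    sect_tbl = b"".join(struct.pack(SECT_HDR_FMT, n, vs, va, rs, ptr, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, ptr, ch in sections)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + data_dir + sect_tbl)
    image += b"\0" * (0x400 + 0x1E00 - len(image))              # pad out to the end of .data
    image[0x200] = 0xC3                                          # 'ret' at the entry point
    image[0x410:0x41A] = b"hello, PE\0"                          # string at RVA 0x2010
    return bytes(image)


def parse_pe(data):
    """Walk the headers in the chapter's order and return the fields it discusses."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, pe + 6)        # 2nd member of the file header
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    info = {name: struct.unpack_from("<I", data, opt + off)[0] for name, off in (
        ("AddressOfEntryPoint", 16), ("ImageBase", 28), ("SectionAlignment", 32),
        ("FileAlignment", 36), ("SizeOfImage", 56), ("SizeOfHeaders", 60))}
    # DataDirectory: the last 128 bytes of the optional header, i.e. PE header + 0x78
    info["DataDirectory"] = [struct.unpack_from("<II", data, opt + 96 + i * 8) for i in range(16)]
    info["Sections"] = []
    for i in range(num_sections):
        name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from(
            SECT_HDR_FMT, data, opt + opt_size + 40 * i)
        info["Sections"].append({"Name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                                 "VirtualAddress": va, "SizeOfRawData": rsize,
                                 "PointerToRawData": raw, "Characteristics": flags})
    return info


def rva_to_offset(info, rva):
    """Map an RVA to a file offset via the section headers (the chapter's last step)."""
    if rva < info["SizeOfHeaders"]:
        return rva                                   # the headers are mapped 1:1
    for s in info["Sections"]:
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def read_string_at_rva(data, info, rva):
    off = rva_to_offset(info, rva)
    return data[off:data.index(b"\0", off)].decode()


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("entry point VA = 0x%X" % (info["ImageBase"] + info["AddressOfEntryPoint"]))
    print("import directory RVA/size = 0x%X/0x%X" % info["DataDirectory"][1])
    for s in info["Sections"]:
        print("%-6s RVA=0x%05X raw=0x%05X flags=0x%08X" % (
            s["Name"], s["VirtualAddress"], s["PointerToRawData"], s["Characteristics"]))
    print(read_string_at_rva(sample, info, 0x2010))
```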

(6) PE File Sections

Sections contain code, data, resources and other information. Each section has a header and a body (raw data). The section headers live in the section table, but the section bodies have almost no file structure of their own; the linker may organize them however it likes, as long as the header holds enough information to decipher the data.

A Windows NT application has about 9 predefined section names: .text, .bss, .data, .rdata, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, and others may need more.


(6.1) Executable code section

In Windows NT, all code segments reside in a single section called .text (or CODE). Because Windows NT uses a virtual memory management system, having one large code section makes things easier to manage for both the OS and the application developer. This section contains the entry point described earlier and the jump thunk table that points into the IAT.

(6.2) Data section

The .bss section represents the application's uninitialized data, including all variables declared static within a function or source module.

The .rdata section represents read-only data such as literal strings, constants and debug directory information.

All other variables (except automatic variables, which live on the stack) are stored in the .data section.

(6.3) Resource section

The .rsrc section contains the resource information of a module. As in most other sections, the first 16 bytes form a header, but when you view this section's data in a resource editor you see it organized as a resource tree. ResHacker is a freely available tool that can add, delete and modify resources. Figure (13).

Figure (13)

This tool is most often used to view dialog boxes. The nag screens found in some shareware applications can easily be removed with ResHacker.

(6.4) Export data section

The .edata section contains the export directory of an application or DLL. It holds the addresses and names of the exported functions. This is explained in detail later.

(6.5) Import data section

The .idata section contains all kinds of information about imported functions, including the Import Directory and the Import Address Table. It too is discussed in detail later.

(6.6) Debug information section

Debug information is initially placed in the .debug section. The PE format also supports separate debug files (normally with a .dbg extension). The .debug section holds the debug information itself, but the debug directories live in the .rdata section mentioned earlier, and each debug directory simply points back to the debug information in the .debug section.


(6.7) Base Relocation section

When the linker creates an exe file, it makes an assumption about where in memory the file will be mapped. Based on that assumption, the linker writes the actual addresses of code and data into the exe file. If the loader can load the file at the base address the linker assumed, the .reloc section data is not needed and is ignored.

The entries in the .reloc section are called base relocations, because their use depends on the base address of the loaded image. Base relocations are a list of locations in the image to which a value must be added. Their format is a little unusual: the base relocation entries are packaged in chunks, and each chunk describes the relocations for one 4KB page of the image.

To see how base relocation works, consider an example. Suppose an exe file is linked with a base address of 0x10000. At offset 0x2134 in the image there is a pointer holding the address of a string. The string starts at physical address 0x14002, so the pointer contains the value 0x14002. When loading the file, the loader decides that it must map the image starting at physical address 0x60000. The difference between the base load address assumed by the linker and the actual load address is called the delta; here the delta is 0x50000. Because the whole image is 0x50000 bytes higher in memory, the string is now at address 0x64002, and the pointer to the string is no longer correct. The exe file therefore contains a base relocation for the memory location of that pointer. To resolve the base relocation, the loader adds the delta to the original value at the base relocation address. Here the loader adds 0x50000 to the original pointer value 0x14002 and stores the result, 0x64002, back into the pointer's memory location.
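The .reloc mechanism just described, as an added Python example (not code from the guide): a constructed image linked at 0x10000, with the pointer at 0x2134 holding 0x14002 and one relocation chunk for that page, is re-based to 0x60000. The chunk layout (an IMAGE_BASE_RELOCATION header of page RVA and block size, followed by WORD entries with a 4-bit type and a 12-bit offset into the page) is the standard PE format, assumed here rather than taken from the chapter.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry that keeps the chunk DWORD-aligned; skipped
IMAGE_REL_BASED_HIGHLOW = 3    # add the full 32-bit delta to the DWORD at page + offset


def read_dword(img, rva):
    return struct.unpack_from("<I", img, rva)[0]


def build_sample_image(reloc_rva=0x2800):
    """Constructed image linked at 0x10000: the pointer at 0x2134 holds 0x14002, as in the text."""
    img = bytearray(0x3000)
    struct.pack_into("<I", img, 0x2134, 0x14002)
    # one chunk for the 4KB page at RVA 0x2000: IMAGE_BASE_RELOCATION header, then WORD entries
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x134, (IMAGE_REL_BASED_ABSOLUTE << 12) | 0]
    struct.pack_into("<II", img, reloc_rva, 0x2000, 8 + 2 * len(entries))  # VirtualAddress, SizeOfBlock
    struct.pack_into("<%dH" % len(entries), img, reloc_rva + 8, *entries)
    return img


def parse_reloc_blocks(img, reloc_rva, reloc_size):
    """Yield (page_rva, [(type, offset), ...]) for each chunk of the .reloc data."""
    end = reloc_rva + reloc_size
    while reloc_rva + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", img, reloc_rva)
        if block_size < 8:
            break                                   # malformed chunk; stop rather than loop forever
        count = (block_size - 8) // 2
        raw = struct.unpack_from("<%dH" % count, img, reloc_rva + 8)
        yield page_rva, [(e >> 12, e & 0xFFF) for e in raw]
        reloc_rva += block_size


def apply_relocations(img, linked_base, actual_base, reloc_rva, reloc_size):
    """Return (delta, [(rva, old, new), ...]) and patch img in place, as the loader would."""
    delta = (actual_base - linked_base) & 0xFFFFFFFF
    fixed = []
    if delta == 0:
        return delta, fixed                         # loaded at the preferred base: .reloc is ignored
    for page_rva, entries in parse_reloc_blocks(img, reloc_rva, reloc_size):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % rtype)
            where = page_rva + offset
            old = read_dword(img, where)
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", img, where, new)
            fixed.append((where, old, new))
    return delta, fixed


if __name__ == "__main__":
    img = build_sample_image()
    delta, fixed = apply_relocations(img, 0x10000, 0x60000, 0x2800, 12)
    print("delta = 0x%X" % delta)
    for where, old, new in fixed:
        print("RVA 0x%X: 0x%X -> 0x%X" % (where, old, new))
```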

(7) Export Sections

This section is mainly concerned with DLLs. The paragraphs below are taken from the Win32 Programmer's Reference and explain DLLs.

In Microsoft® Windows® dynamic-link libraries (DLL) are modules that contain functions and data. A DLL is loaded at runtime by its calling modules (.EXE or DLL). When a DLL is loaded it is mapped into the address space of the calling process. DLLs can define two kinds of functions: exported and internal. The exported functions can be called by other modules. Internal functions can only be called from within the DLL where they are defined. Although DLLs can export data its data is usually only used by its functions. DLLs provide a way to modularize applications so that functionality can be updated and reused more easily. They also help reduce memory overhead when several applications use the same functionality at the same time because although each application gets its own copy of the data they can share the code. The Microsoft® Win32® application programming interface (API) is implemented as a set of dynamic-link libraries so any process using the Win32 API uses dynamic linking.

A DLL can export functions in two ways: by name or by ordinal. An ordinal is a 16-bit (WORD) number that uniquely identifies a function within a particular DLL. Exporting by ordinal is discussed later.

When a function is exported by name, other DLLs or exes that call it pass either its name or its ordinal to GetProcAddress. The GetProcAddress function returns the address of the exported DLL function. The Win32 Programmer's Reference explains how GetProcAddress works as follows. (There is actually more to it, but Microsoft does not document it.) Pay particular attention to the highlighted parts.

GetProcAddress

The GetProcAddress function returns the address of the specified exported dynamic-link library (DLL) function.

FARPROC GetProcAddress(
    HMODULE hModule,     // handle to DLL module
    LPCSTR lpProcName    // name of function
);

Parameters

hModule
    Identifies the DLL module that contains the function. The LoadLibrary or GetModuleHandle function returns this handle.

lpProcName
    Points to a null-terminated string containing the function name, or specifies the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

Return Values

If the function succeeds, the return value is the address of the DLL's exported function. If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Remarks

The GetProcAddress function is used to retrieve addresses of exported functions in DLLs. The spelling and case of the function name pointed to by lpProcName must be identical to that in the EXPORTS statement of the source DLL's module-definition (.DEF) file. The lpProcName parameter can identify the DLL function by specifying an ordinal value associated with the function in the EXPORTS statement. GetProcAddress verifies that the specified ordinal is in the range 1 through the highest ordinal value exported in the .DEF file. The function then uses the ordinal as an index to read the function's address from a function table. If the .DEF file does not number the functions consecutively from 1 to N (where N is the number of exported functions), an error can occur where GetProcAddress returns an invalid, non-NULL address, even though there is no function with the specified ordinal. In cases where the function may not exist, the function should be specified by name rather than by ordinal value.

See Also

FreeLibrary, GetModuleHandle, LoadLibrary

GetProcAddress can do this because the names and addresses of the exported functions are stored in a structure in the Export Directory. We can find the Export Directory easily, because it is the first element of the data directory and its RVA lies at offset 78h from the start of the PE header.

The export structure is called IMAGE_EXPORT_DIRECTORY. It has 11 members, some of which are unimportant.

IMAGE_EXPORT_DIRECTORY STRUCT
    Characteristics          DWORD ?
    TimeDateStamp            DWORD ?
    MajorVersion             WORD  ?
    MinorVersion             WORD  ?
    nName                    DWORD ?
    nBase                    DWORD ?
    NumberOfFunctions        DWORD ?
    NumberOfNames            DWORD ?
    AddressOfFunctions       DWORD ?
    AddressOfNames           DWORD ?
    AddressOfNameOrdinals    DWORD ?
IMAGE_EXPORT_DIRECTORY ENDS

nName - The internal name of the module. This field is needed because the user can rename the file; if that happens, the PE loader uses this internal name.

nBase - The starting ordinal number (needed so that the ordinals line up with the indexes into the function address array).

NumberOfFunctions - The total number of functions exported by the module (often referred to as symbols as well).

NumberOfNames - The number of symbols exported by name. This is not the number of all functions/symbols in the module; for that you must check NumberOfFunctions. It can be 0, in which case the module exports by ordinal only. If there are no functions/symbols to export at all, the RVA of the export table in the data directory will be zero.

AddressOfFunctions - An RVA pointing to an array of pointers, namely the RVAs of the functions in the module (the Export Address Table, EAT). The RVAs of all the module's functions are stored in this one array, and this field points to its head.

AddressOfNames - An RVA pointing to an array of RVAs of the function names in the module (the Export Name Table, ENT).


AddressOfNameOrdinals - An RVA pointing to a 16-bit array containing the ordinals of the named functions (the Export Ordinal Table, EOT).

Figure (14)

So the IMAGE_EXPORT_DIRECTORY structure points to three arrays and an ASCII string table. The most important array is the EAT, an array of function pointers holding the addresses of the exported functions. The other two arrays (ENT and EOT) run in parallel and are sorted in ascending order by function name. That allows a binary search on a function's name, which yields its ordinal in the other array. The ordinal is simply the index into the EAT for that function.

Because the EOT array exists as the linkage between names and addresses, it cannot have more elements than the ENT array: each name has only one associated address. The reverse is not true, since one address may have many names associated with it. If aliases and functions refer to the same address, the ENT will then have more elements than the EOT.

Figure (15)

For example, if a DLL exports about 40 functions, the array pointed to by AddressOfFunctions (EAT) must have about 40 members, and the NumberOfFunctions field must hold about 40 as well.


To find a function's address from its name, the OS first obtains the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it searches the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) for the function name. If the name is found in the ENT, the value in the associated element of the EOT is extracted and used as the index into the EAT.

For example, let us look up functionX in our 40-function DLL. Suppose we find the name of functionX (indirectly, through its pointer) in the 39th element of the ENT; we then look at the 39th element of the EOT and find the value 5. To get the RVA of functionX we therefore look at the 5th element of the EAT.

If you already have a function's ordinal, you can find its address by going straight to the EAT. Obtaining a function's address from its ordinal is easier and faster than using its name, but the drawback is that the module becomes hard to maintain: if the DLL is upgraded/updated and the functions' ordinals change, other programs that depend on the DLL will break.

(7.1) Exporting by ordinal only

NumberOfFunctions must be at least equal to NumberOfNames. Sometimes, however, NumberOfNames is smaller than NumberOfFunctions. If a function is exported by ordinal only, it has no entry in either the ENT or the EOT; it does not even have a name. Functions without names can only be exported by ordinal.

For example, if there are 70 functions but only 40 entries in the ENT, then 30 functions in the module are exported by ordinal only. How do we find out which functions those are? It is not easy. You have to work by exclusion: the EAT entries that are never referenced from the EOT hold the RVAs of the functions exported by ordinal only.

The programmer can specify the starting ordinal number in the .def file. For example, the table in Figure (15) could start at 200. To avoid needing 200 empty entries at the start of the array, the starting value is placed in the nBase member, and the loader subtracts it from the ordinal number to obtain the correct index into the EAT.

(7.2) Export Forwarding

Sometimes functions appear to be exported from a particular DLL but actually live in an entirely different DLL. This is called export forwarding. For example, on WinNT, Win2k and XP the kernel32.dll function HeapAlloc is forwarded to the RtlAllocHeap function exported by ntdll.dll. ntdll.dll contains the native API, which interfaces directly with the Windows kernel. Forwarding is arranged at link time by a special instruction in the .DEF file.

Forwarding is a Microsoft technique for exposing a common Win32 API set while hiding the significant low-level differences between the internal API sets of Windows NT and Windows 98.

Applications are not supposed to call the functions in the native API set, because doing so breaks compatibility between the internal API sets of Windows 9x and Windows 2k/XP. This is also why, when you unpack packed exe files and reconstruct their imports by hand on one OS, they may not work on another OS; the cause can be the forwarding mechanism or other details that differ.

When a symbol (function) is forwarded, its RVA cannot be a code/data address inside the current module. Instead of a pointer to the function, the EAT entry holds a pointer to an ASCII string naming the DLL and the function it is forwarded to. In the example above, that string would name ntdll.dll's RtlAllocHeap.


If the EAT entry for a function points to an address inside the Export section (that is, to an ASCII string), you know the function is forwarded.
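An added Python example (not the guide's code) covering sections (7) to (7.2): it constructs a mapped export section with nBase = 200, three named exports and two ordinal-only exports, then resolves a name through the ENT/EOT/EAT binary search, resolves an ordinal by subtracting nBase, lists the ordinal-only exports by exclusion, and detects a forwarded export because its EAT entry points back inside the export section. The module name, function names and RVAs are constructed; only the forwarder string format (DLL.Function) is the standard one.

```python
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"      # IMAGE_EXPORT_DIRECTORY, 40 bytes
EXPORT_DIR_RVA, EXPORT_DIR_SIZE = 0x100, 0x200   # what DataDirectory[0] would hold for the sample


def read_cstr(img, rva):
    """Read a null-terminated ASCII string at an RVA of the (constructed) mapped image."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def build_sample_image():
    """Constructed mapped image: only the export section is populated; RVA == buffer index."""
    img = bytearray(0x400)
    eat = [0x1010, 0x1020, 0x1030, 0x210, 0x1050]   # 0x210 lies inside the export section: forwarded
    ent = [0x230, 0x240, 0x250]                     # name RVAs, sorted ascending: Alpha, Beta, HeapAlloc
    eot = [1, 0, 3]                                 # EAT index for each of the three names
    struct.pack_into(EXPORT_DIR_FMT, img, EXPORT_DIR_RVA, 0, 0, 0, 0,
                     0x200, 200, len(eat), len(ent), 0x140, 0x160, 0x170)
    struct.pack_into("<%dI" % len(eat), img, 0x140, *eat)
    struct.pack_into("<%dI" % len(ent), img, 0x160, *ent)
    struct.pack_into("<%dH" % len(eot), img, 0x170, *eot)
    for rva, s in ((0x200, b"SAMPLE.DLL"), (0x210, b"NTDLL.RtlAllocHeap"),
                   (0x230, b"Alpha"), (0x240, b"Beta"), (0x250, b"HeapAlloc")):
        img[rva:rva + len(s) + 1] = s + b"\0"
    return bytes(img)


def parse_export_directory(img, rva=EXPORT_DIR_RVA):
    """Decode IMAGE_EXPORT_DIRECTORY and pull in the three arrays it points to."""
    f = struct.unpack_from(EXPORT_DIR_FMT, img, rva)
    exp = {"nName": f[4], "nBase": f[5], "NumberOfFunctions": f[6], "NumberOfNames": f[7],
           "AddressOfFunctions": f[8], "AddressOfNames": f[9], "AddressOfNameOrdinals": f[10]}
    exp["EAT"] = list(struct.unpack_from("<%dI" % exp["NumberOfFunctions"], img, exp["AddressOfFunctions"]))
    name_rvas = struct.unpack_from("<%dI" % exp["NumberOfNames"], img, exp["AddressOfNames"])
    exp["ENT"] = [read_cstr(img, r) for r in name_rvas]
    exp["EOT"] = list(struct.unpack_from("<%dH" % exp["NumberOfNames"], img, exp["AddressOfNameOrdinals"]))
    return exp


def resolve_index(img, exp, index, dir_rva=EXPORT_DIR_RVA, dir_size=EXPORT_DIR_SIZE):
    """Turn an EAT index into ordinal/RVA; an RVA inside the export section means 'forwarded'."""
    if not 0 <= index < exp["NumberOfFunctions"]:
        raise LookupError("EAT index %d out of range" % index)
    rva = exp["EAT"][index]
    forwarder = read_cstr(img, rva) if dir_rva <= rva < dir_rva + dir_size else None
    return {"ordinal": exp["nBase"] + index, "rva": rva, "forwarded_to": forwarder}


def lookup_by_name(img, exp, name):
    """Binary search the ENT (sorted ascending); the matching EOT element is the EAT index."""
    lo, hi = 0, exp["NumberOfNames"] - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if exp["ENT"][mid] == name:
            return resolve_index(img, exp, exp["EOT"][mid])
        if exp["ENT"][mid] < name:
            lo = mid + 1
        else:
            hi = mid - 1
    raise LookupError("%s is not exported by name" % name)


def lookup_by_ordinal(img, exp, ordinal):
    """Ordinal lookup skips the name tables: subtract nBase and index the EAT directly."""
    return resolve_index(img, exp, ordinal - exp["nBase"])


def ordinal_only_exports(exp):
    """Exclusion: EAT indexes never referenced from the EOT have no name."""
    named = set(exp["EOT"])
    return [exp["nBase"] + i for i in range(exp["NumberOfFunctions"]) if i not in named]


if __name__ == "__main__":
    img = build_sample_image()
    exp = parse_export_directory(img)
    print(read_cstr(img, exp["nName"]), lookup_by_name(img, exp, "Beta"))
    print(lookup_by_name(img, exp, "HeapAlloc"))       # forwarded_to = 'NTDLL.RtlAllocHeap'
    print(lookup_by_ordinal(img, exp, 204), ordinal_only_exports(exp))
```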

(8) Import Sections

The import section (.idata) contains information about all the functions imported from DLLs. This information is kept in several data structures; the most important of them are the Import Directory and the Import Address Table, discussed below. Some executable files also have Bound_Import and Delay_Import directories. Delay_Import is not very important for us, but the Bound_Import directory is discussed later.

The Windows loader's job is to load every DLL the application uses and map them into the process address space. It must also find the addresses of all the imported functions in the various DLLs and make them available to the executable at load time.

The addresses of the functions in a DLL are not static; they change whenever an updated version of the DLL is released. So applications cannot be built with hard-coded function addresses. A mechanism was therefore needed that does not require the executable's code to be modified over and over at run time. This is solved with the Import Address Table (IAT), which is simply a table of pointers to function addresses that the Windows loader fills in when it loads the DLL.

By using a pointer table, the loader no longer has to patch the addresses of imported functions at every place in the code where they are called. All it has to do is write the correct address into one place in the import table.

(8.1) Import Directory

The Import Directory is really just an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and describes one DLL from which our PE file imports functions. For example, if our PE file imports functions from 10 different DLL files, there are 10 IMAGE_IMPORT_DESCRIPTORs in this array. There is no field giving the number of structures in the array; instead, the last structure has all its fields filled with zeros.

As with the Export Directory, you can find where the Import Directory lives (its entry is 80 bytes from the start of the PE header). The first and last members are the most important ones.

IMAGE_IMPORT_DIRECTORY STRUCT
    union
        Characteristics      DWORD ?
        OriginalFirstThunk   DWORD ?
    ends
    TimeDateStamp            DWORD ?
    ForwardChain             DWORD ?
    Name1                    DWORD ?
    FirstThunk               DWORD ?
IMAGE_IMPORT_DIRECTORY ENDS

The first member, OriginalFirstThunk, is a DWORD union. It could also be a set of flags, but Microsoft changed its meaning and never bothered to update WINNT.H. What this field really contains is the RVA of an array of IMAGE_THUNK_DATA structures.

TimeDateStamp is set to zero (it may also be -1). The ForwarderChain member is used for old-style binding and is not considered here.

Name1 contains a pointer (RVA) to the ASCII name of the DLL.


aemufqHk; member jzpfwJh FirstThunk rSmvnf; DWORD t&G,ftpm;&SdwJh IMAGE_THUNK_ DATA structure array wpfck&JU RVA yg0ifygw,f/ yxrqHk; array &JU duplicate wpfckvnf;jzpfygw,f/ wu,fvdkU azmfjyyg function [m bound import jzpfw,fqdk&if 'DhaemufrSmawmh FirstThunk rSm IMAGE _THUNK_DATA eJUqdkifwJh RVA tpm; function &JU wu,fh address yg0ifrSmyg/ 'D structure awGudk atmufygtwdkif; t"dyÜm,fzGifhEdkifygw,f/

IMAGE_THUNK_DATA32 STRUCT union u1 ForwarderString DWORD ? Function DWORD ? Ordinal DWORD ? AddressOfData DWORD ? ends IMAGE_THUNK_DATA32 ENDS

IMAGE_THUNK_DATA toD;oD;[m DWORD union wpfckjzpfygw,f/ Disk ay:u zdkifxJrSmawmh olUrSm import vkyfxm;wJh function &JU ordinal a&m? IMAGE_IMPORT_BY_NAME structure eJUqdkifwJh RVA wpfckygyg0ifygw,f/ wpfMudrfrSmawmh FirstThunk u nTefjyaewJhwpfck[m import vkyfxm;wJh function awG&JU address awGeJU overwrite tvkyfcH&jyD; ol[m Import Address Table jzpfvmygw,f/

IMAGE_IMPORT_BY_NAME udkawmh atmufygtwdkif; a&;om;Edkifygw,f/

IMAGE_IMPORT_BY_NAME STRUCT Hint WORD ? Name1 BYTE ?

IMAGE_IMPORT_BY_NAME ENDS

Hint - Hint rSmawmh function wnf&Sd&m DLL &JU Export Address Table eJUqdkifwJh index yg0ifygw,f/ 'Dudkawmhh u toHk;jyKzdkU jzpfygw,f/ 'gaMumifhrdkU DLL &JU Export Address Table xJu function udk tjrefMunfh&IEdkifwmyg/ 'D index rSm&SdwJh trnfudk MudK;pm;wJhtcg? wu,fvdkU ol[m match rjzpfcJhbl;qdk&if binary search [m trnfudk&SmazG jyD;ajrmufjyDjzpfygw,f/ 'Dwefzdk;[m r&Sdrjzpfawmh r[kwfygbl;/ tcsdKU linker awGuawmh 'Dae&mrSm oknvdkU owfrSwfMuygw,f/

Name1 - Name1 rSmawmh import vkyfxm;wJh function &JUtrnfyg0ifygw,f/ trnfuawmh null-terminated (\0) ASCII string jzpfygw,f/ rSwfxm;&rSmu Name1 &JU t&G,ftpm;udk byte taeeJU t"dyÜm,fzGifhxm;wmjzpfygw,f/ 'gayr,fh ol[m wu,fwrf;rSmawmh variable t&G,ftpm;&SdwJh field wpfck jzpfygw,f/ Structure wpfckxJrSm variable t&G,ftpm;&SdwJh field wpfckudk azmfjyEdkifzdkU enf;vrf;r&SdvdkUyg/

ta&;tMuD;qHk;tydkif;awGuawmh import vkyfxm;wJh DLL trnfawGeJU IMAGE_THUNK_ DATA structure &JU array awGyJ jzpfygw,f/ IMAGE_THUNK_DATA structure toD;oD;[m DLL uae import vkyfxm;wJh function wpfckqDeJU qufEG,faeygw,f/ OriginalFirstThunk eJU FirstThunk u nTefjywJh array awG[m wjydKifwnf; run EdkifjyD; null DWORD eJU tqHk;owfygw,f/ Import vkyfxm;wJh DLL toD;oD;twGuf olwdkUawG[m IMAGE_THUNK_DATA structure &JU oD;jcm;pD&SdaewJh array twGJawGjzpfygw,f/

Another way to look at it: say there are a number of IMAGE_IMPORT_BY_NAME structures. You create two arrays and fill both with the RVAs of those IMAGE_IMPORT_BY_NAME structures, so both arrays contain the same values (that is, exact duplicates). Now you set OriginalFirstThunk to the RVA of the first array and FirstThunk to the RVA of the second array.

The number of elements in OriginalFirstThunk and FirstThunk depends on the number of functions imported from the DLL. For example, if the PE file imports ten functions from user32.dll, Name1 in the IMAGE_IMPORT_DESCRIPTOR structure contains the RVA of the string user32.dll and each array holds ten IMAGE_THUNK_DATA entries.

The two parallel arrays go by various names, but the most common are the Import Address Table (for the one FirstThunk points to) and the Import Name Table or Import Lookup Table (for the one OriginalFirstThunk points to).

Page 104: Cracker_Guide_2.1_

Chapter (8) - PE Header - 104 -

Why are there two parallel arrays of pointers to IMAGE_IMPORT_BY_NAME structures? The Import Name Table is kept separate and is never modified. The Import Address Table is overwritten by the loader with the actual function addresses, while the array of RVAs in the Import Name Table stays unchanged. So if the need arises to look up the names of the imported functions, the PE loader can still find them.

The IAT is pointed to by Data Directory entry number 12, but some linkers do not set this directory entry and the application still runs. The loader only uses it to temporarily mark the IAT as read-write during import resolution, and it can resolve the imports without it.

This is how the Windows loader manages to overwrite the IAT even when it lives in a read-only section. At load time the system temporarily sets the attributes of the pages containing the imports to read/write. Once the import table has been initialized, the pages are set back to their original protected attributes.

Figure (16)

Calls to imported functions go through the function pointers in the IAT. This can be done in two ways, one of which is more useful than the other. For example, consider address 00405030, which refers to one of the entries in the FirstThunk array. The loader has overwritten it with the address of GetMessage in user32.dll.

The best way to call GetMessage is as follows:

0040100C CALL DWORD PTR [00405030]

The less convenient way is:

0040100C CALL [00402200]

00402200 JMP DWORD PTR [00405030]

The second way gives the same result, but it needs 5 extra bytes of code and executes more slowly because of the extra jump.

Why are imported functions handled this way? The compiler does not distinguish between ordinary functions in the same module and imported functions; it produces the same output for both: CALL [XXXXXXXX]


where [XXXXXXXX] must be an actual code address (not a pointer) to be filled in later. The linker does not know the address of the imported function, so it has to use a substitute chunk of code, as seen in the JMP stub above.

The proper way to tell the compiler that the function resides in a DLL is the _declspec(dllimport) modifier; with it, the compiler emits CALL DWORD PTR [XXXXXXXX].

If _declspec(dllimport) was not used when the exe was compiled, somewhere in the code there will be a group of jump stubs for the imported functions collected together. This goes by various names such as transfer area, trampoline or jump thunk table.
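The two call shapes compared above, as an added example that is not part of the Cracker Guide: a small encoder for the x86 forms `CALL DWORD PTR [slot]` (FF 15), `CALL rel32` (E8) and the jump-thunk `JMP DWORD PTR [slot]` (FF 25), using the page's own sample addresses, plus a decoder that turns those bytes back into text so the 5-byte difference and the rel32 arithmetic can be checked. The helper names are this example's own.

```python
import struct


def call_via_iat(iat_slot):
    """CALL DWORD PTR [iat_slot] -> FF 15 disp32 (6 bytes): indirect call through the IAT."""
    return b"\xFF\x15" + struct.pack("<I", iat_slot)


def jmp_via_iat(iat_slot):
    """JMP DWORD PTR [iat_slot] -> FF 25 disp32 (6 bytes): the body of a jump thunk."""
    return b"\xFF\x25" + struct.pack("<I", iat_slot)


def call_rel32(at, target):
    """CALL target -> E8 rel32 (5 bytes); rel32 is measured from the next instruction."""
    return b"\xE8" + struct.pack("<i", target - (at + 5))


def thunked_form(at, stub, iat_slot):
    """Code at the call site and code in the jump thunk, as two byte strings."""
    return call_rel32(at, stub), jmp_via_iat(iat_slot)


def extra_bytes(at, stub, iat_slot):
    """How many more bytes the thunked form costs than the direct form."""
    site, thunk = thunked_form(at, stub, iat_slot)
    return len(site) + len(thunk) - len(call_via_iat(iat_slot))


def describe(code, at):
    """Decode the three shapes above back to text; anything else is reported as unknown."""
    if code[:2] == b"\xFF\x15":
        return "CALL DWORD PTR [%08X]" % struct.unpack_from("<I", code, 2)[0]
    if code[:2] == b"\xFF\x25":
        return "JMP DWORD PTR [%08X]" % struct.unpack_from("<I", code, 2)[0]
    if code[:1] == b"\xE8":
        return "CALL %08X" % (at + 5 + struct.unpack_from("<i", code, 1)[0])
    return "unknown"


if __name__ == "__main__":
    # The page's example: call site 0040100C, thunk at 00402200, IAT slot 00405030.
    print(describe(call_via_iat(0x405030), 0x40100C))
    site, thunk = thunked_form(0x40100C, 0x402200, 0x405030)
    print(describe(site, 0x40100C), "->", describe(thunk, 0x402200))
    print("extra bytes:", extra_bytes(0x40100C, 0x402200, 0x405030))
```

When reading a jump thunk table in a disassembler, the FF 25 pattern is the give-away: every entry is a 6-byte `JMP DWORD PTR [iat_slot]`, and the rel32 of the `E8` call sites resolves to one of those entries rather than to real code.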

(8.2) Exporting functions by ordinal only

As discussed in the Export section, some functions are exported by ordinal only. In that case there is no IMAGE_IMPORT_BY_NAME for the function in the caller's module. Instead, the IMAGE_THUNK_DATA for the function contains the function's ordinal.

Before the exe is loaded, you can tell whether an IMAGE_THUNK_DATA contains an ordinal or an RVA by looking at its MSB (most significant bit), or high bit. If it is set, the lower 31 bits are taken as the ordinal value. If it is clear, the value is an RVA to an IMAGE_IMPORT_BY_NAME. Microsoft provides a ready-made constant for the DWORD MSB, IMAGE_ORDINAL_FLAG32, whose value is 80000000h.

For example, if a function is exported by ordinal only and its ordinal is 1234h, the IMAGE_THUNK_DATA for that function is 80001234h.
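The import descriptor, its two parallel thunk arrays and the ordinal flag described in this section and the previous one, as an added example that is not part of the Cracker Guide: a parser that walks an IMAGE_IMPORT_DESCRIPTOR, decodes each IMAGE_THUNK_DATA32 as either an IMAGE_IMPORT_BY_NAME (Hint plus name) or an ordinal-only entry, and checks that the on-disk INT and IAT are exact duplicates. The "image" is a constructed byte buffer indexed directly by RVA (the layout, DLL and function names are this example's assumptions), not a real PE file, so there is no section table to go through.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # MSB set: the lower 31 bits are an ordinal


def decode_thunk(value):
    """Classify one on-disk IMAGE_THUNK_DATA32 value."""
    if value & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", value & 0x7FFFFFFF)
    return ("rva", value)


def read_import_by_name(image, rva):
    """IMAGE_IMPORT_BY_NAME: WORD Hint followed by a NUL-terminated ASCII name."""
    (hint,) = struct.unpack_from("<H", image, rva)
    end = image.index(b"\0", rva + 2)
    return hint, bytes(image[rva + 2:end]).decode("ascii")


def walk_thunk_array(image, rva):
    """Decode a null-terminated IMAGE_THUNK_DATA32 array (the INT, or the IAT before loading)."""
    entries = []
    while True:
        (value,) = struct.unpack_from("<I", image, rva)
        if value == 0:                       # terminating null DWORD
            return entries
        kind, payload = decode_thunk(value)
        if kind == "ordinal":
            entries.append({"ordinal": payload})
        else:
            hint, name = read_import_by_name(image, payload)
            entries.append({"hint": hint, "name": name})
        rva += 4


def parse_import_descriptor(image, rva):
    """IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk."""
    oft, stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, rva)
    dll = bytes(image[name_rva:image.index(b"\0", name_rva)]).decode("ascii")
    return {
        "dll": dll,
        "bound": stamp == 0xFFFFFFFF,        # -1 marks a bound import (see 8.3)
        "int": walk_thunk_array(image, oft),
        "iat": walk_thunk_array(image, ft),
    }


def build_sample_image():
    """Constructed buffer: one DLL importing two functions by name and one by ordinal."""
    image = bytearray(0x200)
    # descriptor at RVA 0: INT at 0x40, IAT at 0x60, DLL name at 0x120
    struct.pack_into("<IIIII", image, 0x00, 0x40, 0, 0, 0x120, 0x60)
    thunks = (0x100, 0x110, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)
    struct.pack_into("<4I", image, 0x40, *thunks)   # Import Name Table
    struct.pack_into("<4I", image, 0x60, *thunks)   # Import Address Table (duplicate on disk)
    image[0x100:0x100 + 14] = struct.pack("<H", 0x2A) + b"GetMessageA\0"
    image[0x110:0x110 + 14] = struct.pack("<H", 0x00) + b"MessageBoxA\0"
    image[0x120:0x120 + 11] = b"user32.dll\0"
    return image


if __name__ == "__main__":
    desc = parse_import_descriptor(build_sample_image(), 0)
    print(desc["dll"], "bound" if desc["bound"] else "not bound")
    for entry in desc["int"]:
        print("   ", entry)
    print("INT == IAT on disk:", desc["int"] == desc["iat"])
```

Once the file is loaded the IAT no longer decodes this way: its DWORDs are function addresses, which is exactly why the INT is kept untouched as the only place the names survive.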

(8.3) Bound Import

When the loader loads a PE file into memory, it examines the import table and maps the required DLLs into the process's address space. Then it walks the array pointed to by FirstThunk and replaces the IMAGE_THUNK_DATAs with the actual addresses of the imported functions. If the programmer could somehow calculate the function addresses correctly in advance, the PE loader would not need to fix up the IMAGE_THUNK_DATAs every time the PE file runs, because the correct addresses would already be there.

A utility called Bind.exe, which ships with Microsoft's compilers, examines the PE file's IAT (the FirstThunk array) and replaces the IMAGE_THUNK_DATAs with the addresses of the imported functions. When the file is loaded, the PE loader must check whether those addresses are still correct. If the DLL versions do not match the ones in the PE file, or the DLLs had to be relocated, the PE loader knows the bound addresses are stale and goes to the Import Name Table (the OriginalFirstThunk array) to compute the new addresses.

So although the INT is not needed to load the file, exe files without an INT cannot be bound. Borland's linker, TLINK, does not create an INT, so files produced by Borland cannot be bound. Another consequence of a missing INT is discussed in a later chapter.

(8.4) Bound Import_Import Directory

The information the loader uses to decide whether the bound addresses are valid is kept in IMAGE_BOUND_IMPORT_DESCRIPTOR structures. A bound executable contains a list of these structures, one for each imported DLL that has been bound.

IMAGE_BOUND_IMPORT_DESCRIPTOR STRUCT
    TimeDateStamp               DWORD ?
    OffsetModuleName            WORD  ?
    NumberOfModuleForwarderRefs WORD  ?
IMAGE_BOUND_IMPORT_DESCRIPTOR ENDS


The TimeDateStamp member must match the TimeDateStamp in the FileHeader of the exporting DLL. If it does not match, the loader assumes the binary was bound against the wrong DLL and patches the import list again. This happens when the exporting DLL's version does not match, or when it has to be relocated in memory.

The OffsetModuleName member contains the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the null-terminated ASCII name of the DLL.

The NumberOfModuleForwarderRefs member is the number of IMAGE_BOUND_FORWARDER_REF structures that follow.

IMAGE_BOUND_FORWARDER_REF STRUCT
    TimeDateStamp    DWORD ?
    OffsetModuleName WORD  ?
    Reserved         WORD  ?
IMAGE_BOUND_FORWARDER_REF ENDS

Comparing this structure with the previous one, all the members are identical except the last, Reserved. For a function that is forwarded to another DLL at bind time, the validity of that forwarded DLL must also be checked at load time. The IMAGE_BOUND_FORWARDER_REF holds the details of the forwarded DLLs.

For example, suppose HeapAlloc, a function in kernel32.dll, is forwarded to RtlAllocateHeap in ntdll.dll. If we create an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll followed by an IMAGE_BOUND_FORWARDER_REF for ntdll.dll.

Note: function names are not included in these structures, because the loader already knows from the IMAGE_IMPORT_DESCRIPTOR which functions are bound.
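The bound import directory and the TimeDateStamp check the loader performs on it, as an added example that is not part of the Cracker Guide: a parser for the IMAGE_BOUND_IMPORT_DESCRIPTOR list (name offsets relative to the first descriptor, forwarder refs following each descriptor, an all-zero descriptor terminating the list) and a function that reports which bindings are stale given the stamps of the DLLs actually loaded. The directory bytes and the stamp values are constructed; the kernel32.dll to ntdll.dll forwarder mirrors the HeapAlloc example above.

```python
import struct

BOUND_DESC = "<IHH"   # TimeDateStamp, OffsetModuleName, NumberOfModuleForwarderRefs
FWD_REF = "<IHH"      # TimeDateStamp, OffsetModuleName, Reserved


def read_cstring(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def parse_bound_imports(directory):
    """Return [{"module", "stamp", "forwarders": [{"module", "stamp"}, ...]}, ...].
    Offsets are relative to the first descriptor, exactly as OffsetModuleName is defined."""
    out, off = [], 0
    while True:
        stamp, name_off, nfwd = struct.unpack_from(BOUND_DESC, directory, off)
        off += 8
        if stamp == 0 and name_off == 0:     # all-zero descriptor terminates the list
            return out
        entry = {"module": read_cstring(directory, name_off), "stamp": stamp, "forwarders": []}
        for _ in range(nfwd):
            fstamp, fname_off, _reserved = struct.unpack_from(FWD_REF, directory, off)
            off += 8
            entry["forwarders"].append({"module": read_cstring(directory, fname_off), "stamp": fstamp})
        out.append(entry)


def stale_bindings(entries, loaded):
    """Importers whose bound stamp, or any forwarder's stamp, differs from the
    FileHeader.TimeDateStamp of the DLL now loaded (`loaded`: name -> stamp).
    These are the descriptors for which the loader must re-snap the IAT from the INT."""
    stale = []
    for entry in entries:
        refs = [entry] + entry["forwarders"]
        if any(loaded.get(ref["module"]) != ref["stamp"] for ref in refs):
            stale.append(entry["module"])
    return stale


def build_sample_directory():
    """Constructed: kernel32.dll bound with one forwarder ref to ntdll.dll. Stamps are made up."""
    names = b"kernel32.dll\0ntdll.dll\0"
    header_len = 8 + 8 + 8               # descriptor + one forwarder ref + terminator
    d = bytearray()
    d += struct.pack(BOUND_DESC, 0x3B7D8410, header_len, 1)        # kernel32.dll
    d += struct.pack(FWD_REF, 0x3B7D8000, header_len + 13, 0)      # -> ntdll.dll
    d += bytes(8)                                                  # terminator
    d += names
    return d


if __name__ == "__main__":
    entries = parse_bound_imports(build_sample_directory())
    current = {"kernel32.dll": 0x3B7D8410, "ntdll.dll": 0x3B7D8000}
    print(entries)
    print("stale with matching DLLs:", stale_bindings(entries, current))
    current["ntdll.dll"] = 0x3C000000      # ntdll replaced by a different build
    print("stale after ntdll changed:", stale_bindings(entries, current))
```

The second run shows why the forwarder refs exist: kernel32.dll itself is unchanged, but the bound address for HeapAlloc really lives in ntdll.dll, so a new ntdll build invalidates kernel32's binding even though kernel32's own stamp still matches.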

(9) Loader

This chapter is not essential, but it is intended for those who want to understand how the OS works in depth. It also explains how sub-chapters (7) and (8) relate to each other.

(9.1) What does the loader do?

When an executable file is run, the Windows loader creates a virtual address space for the process and maps the executable module from disk into that address space. The loader tries to load the image at its preferred base address and lays the sections out in memory. It walks the section table and places each section at the address obtained by adding the section's RVA to the base address. Page attributes are set according to each section's characteristics. After the sections have been placed in memory, the loader performs base relocation if the load address does not match the preferred base address given in ImageBase.

Next it examines the import table and maps the required DLLs into the process's address space. Once all the DLL modules are in place, the loader examines each DLL's export section and patches the IAT so that it points to the actual addresses of the imported functions. If a symbol cannot be found (very rare), the loader reports an error.

The parts that are interesting for cracking are the loading of the DLLs and the resolving of the imports. These processes are complicated and are carried out by various (forwarded) functions and routines in ntdll.dll that Microsoft does not document. As I said earlier, function forwarding is Microsoft's way of exposing a common Win32 API set while hiding the differences in low-level functions between the various OSes. Many familiar kernel32 functions such as GetProcAddress are simply wrappers around ntdll.dll exports such as LdrGetProcAddress, which do the real work.


To see this in practice you need to install Windows Debugger 6.x together with the Windows symbol package (free from Microsoft), or else a kernel-mode debugger such as SoftIce 4.x. In Olly, if you have configured it to use the Microsoft symbol server, you can at least view these functions; otherwise you will only see pointers and memory addresses without function names. In any case, Olly is a user-mode debugger and only shows what happens after your application has been loaded; it will not let you watch the loading process. Windows Debugger's features are nothing to speak of compared with Olly's, but it is integrated with the OS and shows the loading process. Figure (17).

Figure (17)

When an exe is loaded, the various APIs involved all converge on kernel32.dll's LoadLibraryExW function and lead on to ntdll.dll's LdrpLoadDll function. This function directly calls 6 subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which do the following:

1. Check whether the module has already been loaded.

2. Map the module and its supporting data into memory.

3. Walk the module's import descriptor table (looking for the other modules this one imports).

4. Update the module's load count, and likewise for the other modules brought in by this DLL.

5. Initialize the module.

6. Clear the flags that indicate loading is in progress.


Figure (18)

A DLL can in turn import other modules in a cascade. The loader has to loop through each module to find out what needs loading and to check its dependencies, which is why LdrpWalkImportDescriptor comes in. It has two subroutines, LdrpLoadImportModule and LdrpSnapIAT. It starts with two calls to RtlImageDirectoryEntryToData to locate the Bound Import Descriptor and the normal Import Descriptor table. Note that the loader checks for bound imports first: even without an import directory, the application runs if it has bound imports.

Next, LdrpLoadImportModule builds a Unicode string for each DLL in the import directory and then uses LdrpCheckForLoadedDll to find out whether each one has already been loaded.

Next, the LdrpSnapIAT routine checks whether all the DLL references in the import directory have the value -1 (that is, it again checks bound imports first). It then changes the memory protection of the IAT to PAGE_READWRITE and goes on to examine each entry in the IAT before passing to the LdrpSnapThunk subroutine.

LdrpSnapThunk uses a function's ordinal to locate its address and determines whether it is forwarded. Otherwise it calls LdrpNameToOrdinal, which uses a binary search over the export table to locate the ordinal quickly. If the function is not found, STATUS_ENTRYPOINT_NOT_FOUND is returned; otherwise the entry in the IAT is replaced with the API's entry point and control returns to LdrpSnapIAT, which restores the memory protection it changed at the start, calls NtFlushInstructionCache to refresh the cache over the memory block containing the IAT, and returns to LdrpWalkImportDescriptor.

There is one notable difference between Windows versions here. Windows 2000 insists that ntdll.dll be loaded, both as a bound import and through the normal import directory, before the exe is loaded. Windows 9x and Windows XP can run an application even without imports. The loader has to check every imported API in order to compute its actual address in memory and to find out whether the API is forwarded. Each imported DLL may bring in further modules, and the process repeats until all dependencies have been checked.


(10) Adding code to a PE file

Crackers sometimes run into situations where they need to add code to a program, either to crack a protection scheme or to add new functionality. The 3 main ways of adding code to a file are:

1. If there is enough free space for your code, write it into an existing section.

2. If there is not enough space, enlarge an existing section.

3. Add a new section.

(10.1) Adding code to an existing section

If we want to add code to an existing section, the simplest way is to add it to the CODE section. Let's look for a place in the CODE section that is filled with 00s. This is known as the 'cave' concept. To find a suitable cave, let's look at the CODE section in LordPE.

Figure (19)

What we see here is that VirtualSize (00029E88) is slightly smaller than SizeOfRawData (0002A000). SizeOfRawData is the amount of space the file takes up when it is stored on your hard disk. Note that this file's VirtualSize is smaller than the size it occupies on disk. This happens because compilers frequently have to round a section's size up so that it aligns on a common boundary. Looking in a hex editor, the end of the CODE section (just before the DATA section starts) looks like Figure (20).

Figure (20)

These empty bytes are not used and are not loaded into memory. What we have to make sure of is that the code we insert does get loaded into memory, and to make that happen we must change the size attribute. At the moment this section's virtual size is only 29E88, because that is all the compiler needed. We need a little more than that, so in LordPE we change the CODE section's virtual size to 29FFF. (That is the largest size we can set, since RawSize is 2A000.) To do this, right-click on the word CODE and choose edit section header. Change VirtualSize to 29FFF and save the file.

Now we have made a suitable place to hold the code we are going to patch in. What we changed is the VirtualSize DWORD for the CODE section in the Section Table. We could just as well have changed it by hand in a hex editor.

To make this clearer, let's write a small sample assembly stub. First note the entry point value 0002ADB4 and the ImageBase value 400000 shown in LordPE, so when Olly loads the application the entry point is 0042ADB4. We'll add the code below and change the entry point to 42AF00, where its first instruction sits.

MOV EAX, 0042ADB4 ; Load in EAX the Original Entry Point (OEP)


JMP EAX ; Jump to OEP

We will place this code at offset 0002A300h in the hex editor shown above. To convert this raw offset into an RVA for use in Olly, we use this formula:

RVA = raw offset - raw offset of section + virtual offset of section + ImageBase

= 2A300h - 400h + 1000h + 400000h = 42AF00h

So open Olly and press Ctrl + G to go straight to the place we need to edit. Type 42AF00 and you arrive where the code is to be entered. Then edit it as in Figure (21).

Figure (21)

Then, to save the edited code, right-click and choose Copy to executable, then All modifications. In the message box that appears choose Copy and a new window opens. Right-click in this window, choose Save file and save it under any name you like. Once the file is saved, change the Entry point in LordPE to 0002AF00 and save the file. Test whether the application runs. Then reopen the saved file in Olly; you will see that the entry point has changed.

Figure (22)

Looking in a hex editor you will see Figure (23), with plenty of free space still left over.

Figure (23)

(Enlarging an existing section and adding a new section are not covered here, to keep the book from growing too thick. For the details I recommend reading PE File Format by Goppit of ARTeam.)
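The raw-offset to address formula and the VirtualSize/SizeOfRawData slack used above, as an added example that is not part of the Cracker Guide: a small section-table model with the conversions in both directions, a function that reports the slack ("cave") range of a section, and two triage checks an analyst runs on a file that may have been patched this way: whether an RVA would be mapped by the loader at all (it is not while it lies past VirtualSize) and whether the entry point sits inside a section's slack. The CODE values are the ones the text reads from LordPE; the DATA entry and all function names are this example's assumptions.

```python
from dataclasses import dataclass

IMAGE_BASE = 0x400000


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA of the section start
    virtual_size: int      # VirtualSize from the section header
    raw_offset: int        # PointerToRawData
    raw_size: int          # SizeOfRawData


# Constructed section table. CODE matches the text's LordPE reading; DATA is assumed.
SECTIONS = [
    Section("CODE", 0x1000, 0x29E88, 0x400, 0x2A000),
    Section("DATA", 0x2B000, 0x1000, 0x2A400, 0x1000),
]


def section_for_raw(sections, raw):
    for s in sections:
        if s.raw_offset <= raw < s.raw_offset + s.raw_size:
            return s
    raise ValueError("raw offset %#x is outside every section" % raw)


def section_for_rva(sections, rva):
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    raise ValueError("RVA %#x is outside every section" % rva)


def raw_to_va(sections, raw, image_base=IMAGE_BASE):
    """The text's formula: raw - PointerToRawData + VirtualAddress + ImageBase."""
    s = section_for_raw(sections, raw)
    return raw - s.raw_offset + s.virtual_address + image_base


def va_to_raw(sections, va, image_base=IMAGE_BASE):
    """The inverse: where a virtual address seen in the debugger lives in the file."""
    rva = va - image_base
    s = section_for_rva(sections, rva)
    return rva - s.virtual_address + s.raw_offset


def slack_range(section):
    """RVA range present on disk but beyond VirtualSize: the 'cave' region, or None."""
    start = section.virtual_address + section.virtual_size
    end = section.virtual_address + section.raw_size
    return (start, end) if end > start else None


def is_mapped(sections, rva):
    """True if the loader maps this RVA, i.e. it lies below the section's VirtualSize."""
    s = section_for_rva(sections, rva)
    return rva < s.virtual_address + s.virtual_size


def entry_point_in_slack(sections, entry_rva):
    """Triage check: an entry point inside a section's slack means the header was
    edited so that bytes past the original VirtualSize run first."""
    r = slack_range(section_for_rva(sections, entry_rva))
    return r is not None and r[0] <= entry_rva < r[1]


if __name__ == "__main__":
    print("raw 0x2A300 ->", hex(raw_to_va(SECTIONS, 0x2A300)))          # 0x42af00
    print("CODE slack:", tuple(map(hex, slack_range(SECTIONS[0]))))
    print("0x2AF00 mapped with VirtualSize 29E88:", is_mapped(SECTIONS, 0x2AF00))
    patched = [Section("CODE", 0x1000, 0x29FFF, 0x400, 0x2A000)] + SECTIONS[1:]
    print("0x2AF00 mapped with VirtualSize 29FFF:", is_mapped(patched, 0x2AF00))
```

The two `is_mapped` calls are the point of the VirtualSize edit in the text: with the original 29E88 the bytes at RVA 2AF00 exist in the file but the loader never maps them, so jumping there would fault; with 29FFF they are mapped. Note that once VirtualSize has been raised, `entry_point_in_slack` no longer fires, so a triage tool should compare the section's VirtualSize against the size the code in it actually needs, not only against SizeOfRawData.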

(11) Solving PE header problems

So we have studied the PE header. You may be wondering why we studied it in such detail, so let's look at a program in practice. The program (RegisterMe.oops.exe) can be downloaded from Lena151's tutorial (3). Open it in Olly and examine it and you will see Figure (24).

Figure (24)


If you look at the Data (dump) window, you will see that it contains no text at all, as in Figure (25).

Figure (25)

OK. What you need to understand is that some viruses (and protectors too) play tricks in the PE header so that the file cannot be debugged. So let's look at the PE header a little. Press Alt+M (Memory map). Figure (26).

Figure (26)

Looking at Figure (26) you will notice that the sections are missing; only the PE header is there. Where have the code, data and so on that we usually see gone? And the header's size is a full 5000. I recall explaining earlier that the header is usually only 1000 in size.

Now a little explanation is needed. Nothing major has been altered; only the PE header has been changed slightly (to be precise, this is what some viruses, protectors and the like do). As a result the program runs perfectly well on Windows XP, but Olly gets quite confused by these changes (it may hang for a moment while it tries to locate everything). Let's look at the header. Figure (27).

Figure (27)

Double-click VA 00400000 in Figure (26) and you will see Figure (27). Scroll down a little with the mouse.

Figure (28)

In Figure (28), SizeofCode should be 400 instead of 40000400. It is at VA 004000DC; note this, since we will change it later. SizeofInitializedData should be A00 instead of 400004A00.

BaseofCode should be 1000 instead of 40001000. BaseofData should be 2000 instead of 40002000. Scroll down a little further. Figure (29).

Figure (29)


NumberOfRvaAndSizes should be 00000010 instead of 40000004. The Export Table address should be zero instead of 500000, and the Export Table size should also be zero instead of 500000.

I should mention that there are better tools than Olly for this; I will discuss them later. Now let's edit the numbers I just listed. I will do it in Olly's dump window.

(Note: you can edit the values you want to change simply by changing the binary digits. Don't forget endianness; I will mention it again later. There are many tools for this, but what matters, I think, is that you understand what you are doing.)

Figure (30)

As shown in Figure (30), right-click in the dump window and choose Go to, then Expression.

Figure (31)

Then, as shown in Figure (31), type 4000DC. To be able to edit, right-click and choose View executable file. You will see Figure (32).

Figure (32)

Right-click in Figure (32) and choose Edit from the Binary menu. You will see Figure (33).

Figure (33)

Now you can start editing (assuming you still remember the opcodes). In short, editing in the memory module is easier, but I wanted to show this method. When everything has been edited you will see Figure (34).


Figure (34)

Figure (34) shows everything we needed to edit, already edited. After that, right-click and choose Save file. Then reopen the saved file in Olly and you will see Figure (35).

Figure (35)

In Figure (35) the sections that were missing before are visible again. One thing worth noting: the header size (5000) seen in Figure (26) is the size of all the sections plus the header added together.

Solving PE header problems with Olly is laborious, so let's solve one with a PE tool instead. The program chosen for this is UnpackMe#5.exe from Lena151's tutorial (37). Checking it with PEiD gives Figure (36).

Figure (36)

In fact UnpackMe#5.exe was not written in Visual C++; a protector has disguised it to look as though it was. Since protectors are not discussed here, set that point aside for now.

OK, to find out what tricks have been played with the PE header, open the program in Olly. Figure (37).

Figure (37)


As Figure (37) shows, no code appears at all and the program just runs (hangs). Looking at Task Manager we see what Figure (38) shows.

Figure (38)

Before UnpackMe#5.exe was opened, Task Manager showed page file usage of only 149MB. Why should opening the 87KB UnpackMe#5.exe program use so much of the page file? Something appears to be wrong in the PE header. So let's open UnpackMe#5.exe with PE Tools 1.5. Figure (39).

Figure (39)

Choose PE Editor from the Tools menu and open UnpackMe#5.exe; you will see Figure (39).

Click the Optional Header button in Figure (39) and you will see Figure (40).


Figure (40)

Change Size Of Init Data to 3FA00, Size of UnInit Data to 0, Base Of Code to 3E000, Base of Data to 13000, Number Of Rva and Sizes to 10, Size of Heap Commit to 1000, Size of Heap Reserve to 100000, Size of Stack Commit to 1000 and Size of Stack Reserve to 100000, then save the file. Open the saved file and you will see Figure (41).

Figure (41)

Click the OK button in Figure (41) and you will see Figure (42).

Figure (42)

The error message in Figure (41) appears because the code section value is wrong. Although Olly shows an error message, the program still runs correctly, so there is nothing to worry about. If you do not want this error, look up the code section value in the memory map (Alt+M). Figure (43).

Figure (43)

So the value to enter for Base Of Code in Figure (40) should be 1000 rather than 3E000. Change this value in any PE editor, save the file, and no error will be shown any more.
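The kind of header damage repaired by hand in the RegisterMe.oops.exe and UnpackMe#5.exe walkthroughs above, as an added example that is not part of the Cracker Guide: a parser for the 32-bit IMAGE_OPTIONAL_HEADER plus its 16 data directories, and a consistency check that flags the fields whose values cannot be right for an image of the stated SizeOfImage (sizes and bases larger than the image, a NumberOfRvaAndSizes other than 16, an export directory pointing outside the image, and stack/heap reserves large enough to cause the page-file pressure seen in Task Manager). The header bytes are constructed with values modelled on the page's figures; the 256 MiB reserve threshold and all function names are this example's own choices.

```python
import struct

OPT32_FMT = "<HBB" "IIIIII" "III" "HHHHHH" "IIII" "HH" "IIII" "II"   # 96 bytes, then 16 directories
OPT32_FIELDS = (
    "Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
    "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
    "SectionAlignment FileAlignment MajorOperatingSystemVersion MinorOperatingSystemVersion "
    "MajorImageVersion MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion "
    "Win32VersionValue SizeOfImage SizeOfHeaders CheckSum Subsystem DllCharacteristics "
    "SizeOfStackReserve SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags "
    "NumberOfRvaAndSizes"
).split()
RESERVE_LIMIT = 0x10000000   # 256 MiB: anything above this is flagged (threshold is this example's choice)


def parse_optional_header(buf):
    hdr = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, buf, 0)))
    # This constructed buffer always carries 16 directory entries; a parser for real
    # files must honour NumberOfRvaAndSizes before reading past the fixed part.
    dirs = struct.unpack_from("<32I", buf, 96)
    hdr["DataDirectory"] = [(dirs[i], dirs[i + 1]) for i in range(0, 32, 2)]
    return hdr


def check_optional_header(hdr):
    """Names of fields whose values are impossible for an image of SizeOfImage bytes."""
    size = hdr["SizeOfImage"]
    bad = []
    for f in ("SizeOfCode", "SizeOfInitializedData", "SizeOfUninitializedData"):
        if hdr[f] > size:
            bad.append(f)
    for f in ("AddressOfEntryPoint", "BaseOfCode", "BaseOfData"):
        if hdr[f] >= size:
            bad.append(f)
    if hdr["NumberOfRvaAndSizes"] != 16:
        bad.append("NumberOfRvaAndSizes")
    exp_rva, exp_size = hdr["DataDirectory"][0]        # entry 0 is the Export Table
    if exp_rva + exp_size > size:
        bad.append("ExportTable")
    for f in ("SizeOfStackReserve", "SizeOfHeapReserve"):
        if hdr[f] > RESERVE_LIMIT:
            bad.append(f)
    return bad


def build_header(**overrides):
    """Constructed optional header with the sane values the text arrives at; keyword
    overrides inject the damage shown in section (11). ExportTable=(rva, size) sets directory 0."""
    v = dict(zip(OPT32_FIELDS, [0] * len(OPT32_FIELDS)))
    v.update(Magic=0x10B, MajorLinkerVersion=5, MinorLinkerVersion=12,
             SizeOfCode=0x400, SizeOfInitializedData=0xA00, AddressOfEntryPoint=0x1000,
             BaseOfCode=0x1000, BaseOfData=0x2000, ImageBase=0x400000,
             SectionAlignment=0x1000, FileAlignment=0x200, MajorSubsystemVersion=4,
             SizeOfImage=0x5000, SizeOfHeaders=0x400, Subsystem=2,
             SizeOfStackReserve=0x100000, SizeOfStackCommit=0x1000,
             SizeOfHeapReserve=0x100000, SizeOfHeapCommit=0x1000, NumberOfRvaAndSizes=16)
    export = overrides.pop("ExportTable", (0, 0))
    v.update(overrides)
    dirs = [export] + [(0, 0)] * 15
    fixed = struct.pack(OPT32_FMT, *[v[f] for f in OPT32_FIELDS])
    return fixed + struct.pack("<32I", *[x for d in dirs for x in d])


if __name__ == "__main__":
    damaged = build_header(SizeOfCode=0x40000400, SizeOfInitializedData=0x40000A00,
                           BaseOfCode=0x40001000, BaseOfData=0x40002000,
                           NumberOfRvaAndSizes=0x40000004, ExportTable=(0x500000, 0x500000),
                           SizeOfHeapReserve=0x7FFF0000)
    print("damaged:", check_optional_header(parse_optional_header(damaged)))
    print("repaired:", check_optional_header(parse_optional_header(build_header())))
```

The check deliberately compares everything against SizeOfImage rather than against fixed "usual" values: a BaseOfCode of 40001000 is not wrong because it is unusual, it is wrong because no byte of a 5000-byte image can be there, which is the same reasoning Olly fails to apply when it tries to honour the bogus fields.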


(12) Terms used in the PE header

(Tested with ReverseMe.exe.)

(1) TimeDateStamp 3/17/2000, 1:04:06 AM (38D1291E)

TimeDateStamp refers to the time the file was created. Olly shows it as a hex number; for the ReverseMe program it is 38D1291E. Some PE viewers show it in ordinary form instead of hex, for example 3/17/2000, 1:04:06 AM. The value is the number of seconds, in Greenwich Mean Time, since January 1, 1970, and it is more reliable than the date/time that comes attached to the file. To work it out yourself, convert hexadecimal 38D1291E to decimal, which gives 953231646 seconds. Since that is in seconds, convert it to hours: dividing by 3600 gives 264786. Divide by 24 to get days and by 365 to get years, which gives 30 years. That is a rough calculation. Where do we add this result? To the January 1, 1970 mentioned above. Calculated precisely, the exact answer comes out as March 17, 2000.

(2) Machine FILE_MACHINE_I386 The type of processor this file is meant to run on. The common values are:

FILE_MACHINE_I386

Intel 80386 or later processors, and compatible processors.

FILE_MACHINE_AMD64

x64

FILE_MACHINE_IA64

The Intel Itanium processor family.

(3) Characteristics 0x10f (flags that describe the file's attributes)

FILE_RELOCS_STRIPPED 0x1

(If 0x1 is set, the file contains no base relocations, so the loader must load it at its preferred base address. If that base address is not available, the loader reports an error. The linker's default behaviour is to strip base relocations from EXE files.)

FILE_EXECUTABLE_IMAGE 0x2

(This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error.)

FILE_LINE_NUMS_STRIPPED 0x4

(COFF line numbers have been removed from the file.)

FILE_LOCAL_SYMS_STRIPPED 0x8

(COFF symbol table entries for local symbols have been removed from the file.)

FILE_32BIT_MACHINE 0x100

(The machine is based on a 32-bit word architecture.)

(4) Subsystem SUBSYSTEM_WINDOWS_GUI

The subsystem required to run this image. The possible values are:

SUBSYSTEM_NATIVE

Device drivers and native Windows processes.

SUBSYSTEM_WINDOWS_GUI

The Windows graphical user interface (GUI) subsystem.

SUBSYSTEM_WINDOWS_CUI

The Windows character subsystem.

SUBSYSTEM_POSIX_CUI

The POSIX character subsystem.


SUBSYSTEM_WINDOWS_CE_GUI

Windows CE

SUBSYSTEM_EFI_APPLICATION

Extensible Firmware Interface (EFI) application.

SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER

An EFI driver with boot services.

SUBSYSTEM_EFI_RUNTIME_DRIVER

An EFI driver with run-time services.

SUBSYSTEM_EFI_ROM

An EFI ROM image.

(5) LinkerVersion 5.12

The version of the linker used to build the file. For PE files produced by the Microsoft linker, this version number corresponds to the Visual Studio version number.

(6) SizeOfImage 20480 (0x5000)

The amount of memory the system must reserve when the file is loaded into memory. It must be a multiple of the section alignment.

(7) SizeOfCode 1024 (0x400)

The size of the code section in bytes, or, if there are several code sections, the sum of their sizes.

(8) SizeOfInitializedData 2560 (0xa00)

The size of the initialized data section in bytes, or, if there are several initialized data sections, the sum of their sizes.

(9) SizeOfUninitializedData 0 (0x0)

The size of the uninitialized data section in bytes, or, if there are several uninitialized data sections, the sum of their sizes.

(10) ImageBase 0x400000

The address of the first byte of the image when it is loaded into memory. The value is a multiple of 64K bytes. The default for DLL files is 0x10000000; the default for 32-bit applications is 0x00400000.

(11) BaseOfCode 0x401000

Points to the start of the code section. Relative to the image base.

(12) BaseOfData 0x402000

Points to the start of the data section. Relative to the image base.

(13) AddressOfEntryPoint 0x401000

Points to the entry point function. Relative to the image base address. For DLL files the entry point function is optional; when there is no entry point, this value is zero.

(14) FileAlignment 512 (0x200)

The alignment of the raw data of the sections in the image file, in bytes. The value is a power of 2 between 512 and 64K inclusive; the default is 512. If SectionAlignment is smaller than the system's page size, this value must equal SectionAlignment.

(15) SectionAlignment 4096 (0x1000)

The alignment of the sections when loaded into memory, in bytes. This value must be greater than or equal to FileAlignment. The default is the system's page size.


(16) OperatingSystemVersion 4.0

(17) SubsystemVersion 4.0

(18) ImageVersion 0.0

(19) CheckSum 46233 (0xb499)

The computed checksum of the image. (A checksum is a value calculated to detect errors while data is being stored: after the data has been stored, the checksum is computed again by the same method, and if the two checksums differ an error is reported and the data is stored again. Checksums cannot detect every error and cannot correct erroneous data.) Checksums are required for kernel-mode drivers and some system DLLs; otherwise this field may be zero.

(20) SizeOfStackReserve 1048576 (0x100000)

EXE zdkifrsm;wGif process xJ&Sd yxrqHk; thread \ MuD;xGm;vmEdkifaom tjrifhqHk;t&G,fyrmP/ 'DrSwfOmPftm;vHk;udkawmh OD;qHk;ajymif;ay;rSm r[kwfygbl;/

(21) SizeOfStackCommit 4096 (0x1000)

EXE zdkifrsm;wGif stack xJodkU yxrOD;qHk;ajymif;ay;rnfh rSwfOmPfyrmP/

(22) SizeOfHeapReserve 1048576 (0x100000)

EXE zdkifrsm;wGif process heap &JU OD;qHk;oD;oefUz,fxm;r,ft&G,ftpm;/

(23) SizeOfHeapCommit 4096 (0x1000)

EXE zdkifrsm;wGif heap xJodkU yxrOD;qHk;ajymif;ay;rnfh rSwfOmPfyrmP/

(24) LoaderFlags 0 (0x0) (toHk;rjyKawmhyg/)

(25) Win32VersionValue 0 (0x0) (toHk;rjyKawmhyg/)

(26) PointerToRawData

Module zdkifxJrSm&SdwJh yxrqHk; page &JU page udknTef;wJh zdkif pointer/ ol[m module header u FileAlignment &JU qwdk;udef; jzpf&ygr,f/ Section rSm uninitialized a'wmawGoufoufyJ &SdcsdefrSm 'Dae &m[m oknjzpf&ygr,f/

(27) VirtualAddress

rSwfOmPfxJudk ul;wifvdkufaomtcg image base ESifh qufEG,fonfh section \ yxrqHk;aom pmvHk; address jzpfonf/

(28) VirtualSize

rSwfOmPfxJudk ul;wifvdkufaomtcg section \ pkpkaygif;yrmP/ tu,fíom þwefzdk;onf Size OfRawData xuf MuD;aeygu section onf oknjzifh jynfhaernfjzpfonf/

(29) SizeOfRawData

Disk ay:&Sd initialized a'wm\ t&G,ftpm;/ olonf module header rS FileAlignment \ qwdk;udef;jzpfonf/ tu,fí þwefzdk;onf Virtual Size xufi,faeygu section \ usefaomtydkif;rsm; onf oknrsm;jzifh jynfhaernf/ Section rSm uninitialized a'wmawGoufoufyJ &SdcsdefrSm 'Dae&m[m okn jzpf&ygr,f/

(30) Data Directory

Exe zdkifrsm;\ ta&;MuD;aomtydkif;rsm;udk nTefjyaeaom 16ckaom IMAGE_DATA_DIRECTO RY \ array wpfck/ 'D array [m loader udk oGm;av&mwavQmuf emrnfrsm;udk EdIif;,SOfjyD; image section toD;oD;udk tMudrfMudrfywfp&mrvkdbJ image &JU wduswJh section awGudk vsifvsifjrefjref &SmazGay; apEdkifygw,f/ (Oyrm- import vkyfxm;wJh function Z,m;)

(a) Load Configuration

Points to the IMAGE_LOAD_CONFIG_DIRECTORY structure that controls internal system checks and troubleshooting features. In practice this is where the /GS security cookie, the SafeSEH handler table and, with newer toolchains, the Control Flow Guard tables are recorded, so it is worth reading when assessing which mitigations a binary carries.


(b) IAT (Import Address Table)

Points to the beginning of the first Import Address Table (IAT). The IATs for the individual imported DLLs appear consecutively in memory, and the Size field gives the combined size of all of them. The loader uses this address and size to mark the IATs temporarily read-write while it resolves the imports.

(c) TLS Table

Points to the Thread Local Storage initialization section. The TLS section holds the thread-local variables declared with __declspec(thread); when such variables are used, the compiler places them in a section named .tls. It holds the initial values of the data as well as additional variables needed at run time. It also lists the TLS callback routines, which the loader runs before the entry point; a packer or protector can put anti-debugging code there, so check this directory before trusting that a breakpoint on the entry point catches the first code to run.

(d) Base Relocation Table

Points to the base relocation information.

(e) Debug Directory

Points to an array of IMAGE_DEBUG_DIRECTORY structures, each of which describes some debug information for the image.

(f) Bound Import Table

Points to an array of IMAGE_BOUND_IMPORT_DESCRIPTOR structures.

(g) Resource Table

Points to the resources.

(h) Delay Import Tables

Points to the delay-load information, an array of CImgDelayDescr structures defined in Visual C++'s DELAYIMP.H. A delay-loaded DLL is not loaded until an API it contains is called for the first time. It is important to note that Windows itself knows nothing about delay-loading: it is implemented entirely by the linker and a run-time helper, not by the loader.

SCN_CNT_INITIALIZED_DATA - The section contains initialized data.

SCN_MEM_READ - The section can be read.

SCN_MEM_WRITE - The section can be written to.

SCN_CNT_CODE - The section contains executable code.

SCN_MEM_EXECUTE - The section can be executed as code.

SCN_MEM_DISCARDABLE - The section can be discarded as needed.

SCN_MEM_SHARED - The physical pages holding this section's data are shared among all processes that load this executable, so every process sees exactly the same values for the data in this section. This is useful for making global variables shared across all instances of a process. From a security standpoint a writable shared section is a hazard: any process that maps the image, at any privilege level, can modify what the others read.

(i) Section names commonly found in PE files

.arch – Alpha architecture information section

.bss – Uninitialized data section

.crt – Data added for supporting the C++ runtime (CRT). A good example is the function pointers that are used to call the constructors and destructors of static C++ objects.

.data – Initialized data section

.debug – Debug information section. A debug section exists only when debug information is mapped in the address space. The default for the linker is that debug information is not mapped into the address space of the image.

.didat – Delayload import data. Found in executables built in nonrelease mode. In release mode, the delayload data is merged into another section.

.edata – Export tables section

.idata – Import tables section


.pdata – Exception information section

.rdata – Read-only initialized data section

.reloc – Image relocations section

.rsrc – Resource directory section

.text – Executable code section

.tls – Thread-local storage section. The section contains data for supporting thread local storage variables declared with __declspec(thread). This includes the initial value of the data, as well as additional variables needed by the runtime.

.xdata – Exception information section

Section names are only a convention: the linker accepts any 8-byte name, and packers routinely rename or merge sections, so when deciding what a section holds rely on its Characteristics flags and on the data directories that point into it, not on the name.

(13) Sample PE signatures

(13.1) ASPack v2.12

Signature bytes: 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01

00401000: 60            PUSHAD
00401001: E803000000    CALL 00401009H
00401006: E9EB045D45    JMP 459D14F6H
0040100B: 55            PUSH EBP
0040100C: C3            RET
0040100D: E801003E00    CALL 007E1013H

This listing is what a linear disassembler prints, not what runs. The CALL targets 00401009, which lies inside the bytes of the JMP: from there the CPU executes 5D (POP EBP, retrieving the return address 00401006 that the CALL pushed), 45 (INC EBP), then the PUSH EBP / RET pair, which transfers control to 00401007, where EB 04 is a JMP SHORT to 0040100D. The JMP 459D14F6 shown is never taken. This is how the stub learns its own load address while defeating linear disassembly; expect to land "in the middle" of listed instructions when you single-step a packed entry point.

(13.2) Armadillo v1.xx - v2.xx

Signature bytes: 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6

00401000: 55        PUSH EBP
00401001: 8BEC      MOV EBP, ESP
00401003: 53        PUSH EBX
00401004: 8B5D08    MOV EBX, [EBP+08H]
00401007: 56        PUSH ESI
00401008: 8B750C    MOV ESI, [EBP+0CH]
0040100B: 57        PUSH EDI
0040100C: 8B7D10    MOV EDI, [EBP+10H]
0040100F: 85F6      TEST ESI, ESI

Unlike the ASPack stub, this is an ordinary three-argument function prologue. Bytes this generic open many unpacked functions as well, so a PEiD-style hit on them is only a hint until the code that follows the entry point confirms it.
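As an added example (not code from the guide, from PEiD or from any tool named in it), the following Python reads the optional-header fields just described from a PE32 image, checks the alignment rules the descriptions state, maps an RVA such as AddressOfEntryPoint to a file offset through the section table's VirtualAddress / PointerToRawData / SizeOfRawData, recomputes the CheckSum with the standard imagehlp algorithm, and compares the bytes at the entry point with the two signatures listed in (13). It runs on a small PE image it constructs itself rather than on pro.exe or any real file: everything in build_sample_image (section names, sizes, the placeholder string) is made up for the demonstration, and only PE32 (not PE32+) is handled.

```python
# Added example, not from the guide: PE32 header checks, RVA mapping, CheckSum, EP signatures.
import struct

# Entry-point byte signatures quoted in (13), PEiD style ("??" would be a wildcard byte).
SIGNATURES = {
    "ASPack v2.12": "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01",
    "Armadillo v1.xx - v2.xx": "55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6",
}

def parse_pe(data):
    """Optional-header fields used below plus the section table (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec, opt_size = struct.unpack_from("<H12xH", data, fh + 2)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry, base, sect_align, file_align = struct.unpack_from("<I8xIII", data, opt + 16)
    pe = dict(entry=entry, image_base=base, sect_align=sect_align, file_align=file_align,
              checksum=struct.unpack_from("<I", data, opt + 64)[0], checksum_off=opt + 64, sections=[])
    for i in range(nsec):                               # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        pe["sections"].append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize,
                                   va=va, rawsize=rawsize, rawptr=rawptr))
    return pe

def header_problems(pe):
    """Violations of the alignment rules given in the field descriptions (empty = consistent)."""
    fa, sa, out = pe["file_align"], pe["sect_align"], []
    if fa & (fa - 1) or not 512 <= fa <= 0x10000:
        out.append("FileAlignment must be a power of two between 512 and 64K")
    if sa < fa:
        out.append("SectionAlignment must be >= FileAlignment")
    if pe["image_base"] % 0x10000:
        out.append("ImageBase must be a multiple of 64K")
    for s in pe["sections"]:
        if s["rawptr"] % fa or s["rawsize"] % fa:
            out.append(s["name"] + ": PointerToRawData/SizeOfRawData not FileAlignment multiples")
        if s["va"] % sa:
            out.append(s["name"] + ": VirtualAddress not a SectionAlignment multiple")
    return out

def rva_to_offset(pe, rva):
    """File offset of an RVA; None outside every section or inside a zero-filled tail."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None

def pe_checksum(data, checksum_off):
    """CheckSum as imagehlp's CheckSumMappedFile computes it: dword sum with end-around
    carry, skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def verify_checksum(data):
    """True/False for a populated CheckSum; None when it is zero (permitted for plain EXEs)."""
    pe = parse_pe(data)
    return None if pe["checksum"] == 0 else pe["checksum"] == pe_checksum(data, pe["checksum_off"])

def match_entry_point(data, pe):
    """Name of the first signature whose bytes sit at AddressOfEntryPoint, else None."""
    off = rva_to_offset(pe, pe["entry"])
    if off is None:
        return None
    for name, sig in SIGNATURES.items():
        toks = sig.split()
        window = data[off:off + len(toks)]
        if len(window) == len(toks) and all(t == "??" or int(t, 16) == b for t, b in zip(toks, window)):
            return name
    return None

def build_sample_image():
    """Constructed PE32 for the demo (not a real program): ASPack bytes at the entry point."""
    fa, sa, base = 0x200, 0x1000, 0x400000
    text = bytes.fromhex(SIGNATURES["ASPack v2.12"].replace(" ", "")).ljust(fa, b"\xCC")
    data_sec = b"We're sorry!\0".ljust(fa, b"\0")                      # placeholder string
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, EXE
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 6, 0, len(text), len(data_sec), 0,
                      0x1000, 0x1000, 0x2000, base, sa, fa, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    sec = lambda n, vs, va, rs, rp, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    hdrs = (dos + b"PE\0\0" + file_hdr + opt + b"\0" * 128             # 16 empty data directories
            + sec(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)    # CODE|EXECUTE|READ
            + sec(b".data", 0x1000, 0x2000, 0x200, 0x400, 0xC0000040))  # INITIALIZED_DATA|READ|WRITE
    img = bytearray(hdrs.ljust(0x200, b"\0") + text + data_sec)
    struct.pack_into("<I", img, 0x98, pe_checksum(bytes(img), 0x98))    # CheckSum at e_lfanew+4+20+64
    return bytes(img)

SAMPLE_IMAGE = build_sample_image()
```

Call header_problems, verify_checksum and match_entry_point on SAMPLE_IMAGE, or on bytes read from a file of your own. Two caveats follow from the field descriptions above: the CheckSum result is only informative for an ordinary EXE, since the loader does not enforce it there, and an entry-point signature is trivially changed by a packer's author, so both are hints rather than proof.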


Chapter (9) - The Teleport Pro 1.61 program and a first crack

In the preceding chapters we covered the basic foundations of cracking, so I assume you now have at least a passing acquaintance with the C and assembly languages. You also know how software is protected. You have read about the tools a cracker should have, and you have a rough understanding of one of them, OllyDbg. Finally, you have even studied the PE header, which the cracking world regards as hard to understand. Still, what you have studied so far is theory only. Theory without practice, or practice without theory, is neither complete nor substantial; only by cracking something yourself will you really grasp the ideas behind cracking. So as a first crack we will work on a commercial program, Teleport Pro 1.61. You may wonder why the demonstration uses a program that is no longer updated. (We are not cracking software for money; we study it purely as a discipline. If you distribute or sell cracked software illegally, the consequences are your own responsibility ...)

(1) Studying how the program works

The first thing we need to know before cracking a piece of software is which programming language it was written in; only then can we decide what to do next. So download Teleport Pro from www.tenmax.com and install it. Choose About ... from the Help menu and you will see Figure (1).

Figure (1)

Figure (1) shows that this is an unregistered version, so let us try to register. Choose Register from the Help menu; you will see Figure (2).

Figure (2)

In Figure (2), type Myanmar Cracking Team in the Your name field and 47806 (0xBABE) in the Registration code field. You will see Figure (3).

Figure (3)


Figure (3) shows a MessageBox telling us that the registration code we typed is wrong. (Note: some programs use a small trick here. When you enter a registration code they do not say whether it is right or wrong but ask you to restart the program, and some show no MessageBox at all. That is because such programs do not check the code you typed immediately: they save it in the registry or in a file and check it only the next time the program starts and runs.) Write the text "We're sorry!" shown in this MessageBox down on a scrap of paper; it will come in useful.

Now close the program and check which language it was written in. Right-click the pro.exe file in the Program Files\Teleport Pro folder and examine it with PEiD. Figure (4).

Figure (4)

According to Figure (4) the program was written with Visual C++ 6.0. That is all we need for now. Open pro.exe in Olly. Figure (5).

Figure (5)

Figure (5) shows the program's entry point. (Note: for programs written with Visual C++, the entry point is the virtual address of the PUSH EBP instruction above kernel32.GetVersion, as shown in Figure (5). This is the C runtime's start-up code, not the program's own main or WinMain, which is called from it later.) We will crack this program in two ways. The first is the method used by nick123b of SND Team; the second is the method used by ThunderPwr of ARTeam. Other methods will be shown in later chapters where they fit.

(2) First method (nick123b@SND Team)

You will remember that when we registered in Figure (2), the error message of Figure (3) appeared. Let us look for that message text in Olly. Right-click in Figure (5) and choose Search for > All referenced text strings. A window listing the text strings Olly found appears.

Figure (6)


In the window that appears, type the text we are looking for as in Figure (6) and press OK. Olly does not find it. This search lists only strings that Olly's analysis saw referenced directly from code; the "We're sorry!" string was not placed in the .text section by the programmer but lives in the .data section, as Figure (7) shows, and nothing Olly analysed points at it in a way it recognises, so it is missing from the list. (In most programs the strings a routine uses are referenced directly from the .text (code) section and do show up here.)

Figure (7)

Figure (8)

Looking at Figure (8), we find the message we are after. Figures (7) and (8) were taken in PE Explorer 1.99 (www.heaventools.com).

Since the text-string search of Figure (6) came up empty, you are probably scratching your head by now. Only when we find this message can we locate the registration routine that checks the serial, and from there the serial itself. So let us find the serial the way nick123b does.

In Olly press Ctrl+N (View Names). You will see the APIs as in Figure (9).

Figure (9)

As shown in Figure (9), right-click USER32.GetWindowTextA and choose Find references to import (Enter key). You will see Figure (10). (GetWindowTextA is described in detail in the chapter "Windows APIs crackers should watch for".)

Figure (10)

As shown in Figure (10), right-click and choose Set breakpoint on every command.

Figure (11)


Before setting the breakpoint on GetWindowTextA as in Figure (11), make sure pro.exe is running under Olly and is sitting at the registration dialog as in Figure (12). (That is, open Teleport Pro in Olly and start registering. Set the breakpoints as in Figures (9), (10) and (11) before you press OK in Figure (12).)

Figure (12)

Once the breakpoint is set as in Figure (11), press OK in Figure (12). Olly stops straight away at the breakpoint on the GetWindowTextA() API, as in Figure (13).

Figure (13)

When you see Figure (13), press F8 (step over) until you reach Figure (14).

Figure (14)

Look at Figure (14). CALL 0042F675 computes the registration key. After it, the value in EAX is compared with the value in ESI for equality; if the two values differ, execution goes to the BadBoy message. So stop pressing F8 when you reach "JNZ 0042ECDB" and look at the Registers (FPU) window. Figure (15).

Figure (15)

The serial we want is now sitting in the EAX register in Figure (15). Keep in mind that this serial is valid only for the user "Myanmar Cracking Team" held in the ECX register.


That is because we typed "Myanmar Cracking Team" in the user name field, as shown in Figure (12).

Figure (16)

Actually, the serial in the EAX register in Figure (14) is only the hexadecimal form. Double-click 258680D9, then copy 629571801. Figure (17). 629571801 is the real serial.

Figure (17)

Now that we have the serial we wanted, we can close Olly. Reopen Teleport Pro, choose Register ... from the Help menu and get ready to register.

Figure (18)

Fill in Name and Registration Code as in Figure (18) and press OK. You will see Figure (19).

Figure (19)

To be sure, choose Register ... from the Help menu again. You will see that we no longer need to register. Figure (20).


Figure (20)

Choosing About Teleport Pro ... from the Help menu shows Figure (21).

Figure (21)

That completes finding the serial with the first method. In English, finding a serial this way is called serial fishing. It is used a great deal in the cracking world because it saves time and is easy.

(3) Second method (ThunderPwr @ARTeam)

The second method first finds the place where the MessageBox of Figure (22) is produced and works from there to the registration routine. (Note: make sure the breakpoints set earlier on the GetWindowTextA() API have been removed.)

Once Teleport Pro has been registered successfully it cannot be registered again. So open the registry editor (regedit.exe) and delete the Tennyson Maxwell key under Software in both HKLM and HKCU. (This also tells you where the program keeps its registration state.)

Figure (22)

Open pro.exe in Olly and press F9 (Run); the Teleport Pro window appears. Choose Register from the program's Help menu and try to register. You will see the BadBoy MessageBox of Figure (22). Now switch back to Olly and press F12 (Pause). We press F12 to suspend the program while the MessageBox is still on screen. Then scroll through Olly's stack window; you will see Figure (23).


Figure (23)

Look at Figure (23). VA 0049112C is the virtual address where the "We're sorry! ..." string is stored. VA 004542CD is where execution will return once the MessageBox API of Figure (22) finishes. Right now the virtual address I am interested in is 004542CD, because from this address we will trace our way to the registration routine.

Figure (24)

To trace the registration routine, right-click the highlighted line in Figure (24) and choose Follow in Disassembler. You will see Figure (25).

Figure (25)

If you set a breakpoint at 004542CD in Figure (25) and press F9, the next time you register you land straight here. Figure (26).

Figure (26)

The difference from Figure (25) is that pro.004541C4 now appears annotated with the text strings.

Figure (27)


Stepping through the code of Figure (26) with F8, as soon as the CALL in Figure (26) has executed you arrive at Figure (27). This time you will not find the serial in the EAX register at all, because the program has already checked whether the serial is right and issued the error message. So if we want the serial we must set a breakpoint at VA 0042ECCA and register the program again; when that breakpoint is hit, the serial we are looking for can be copied out of the EAX register. Another interesting line in Figure (23) is RETURN to pro.0042ED10 from pro.004542AB. (Recall from the assembly lessons that a CALL saves the address of the instruction that follows it (EIP) on the stack. Recall too that when a CALL has finished, its return value is almost always held in EAX.)

(4) Writing a keygen for Teleport Pro

Above we fished the serial and registered Teleport Pro, but the name is "Myanmar Cracking Team". If you want to register under your own name, or the name of a friend or partner, hunting for the serial again in Olly each time is tedious. So we need to write a keygen. For the name "Myanmar Cracking Team" the serial came out as 629571801; you are certainly wondering how it was derived. So let us study the routine that produces the serial key closely. Figure (28).

Figure (28)

Here you will have guessed that CALL 0042F675 in Figure (28) is the routine that produces the serial key, because once this CALL has executed the program compares the serial we typed with the serial it computed. Set a breakpoint on this CALL and restart the program (Ctrl+F2). Then press F9 to run it and register. You arrive at the breakpoint at VA 0042ECC2. When you are at VA 0042ECC2, press F7 (step into) to enter the CALL. Figure (29).

Figure (29)

The routine that produces the serial key is as short as Figure (29) shows. Up to VA 0042F691 there is nothing of interest: it only checks whether the user name entered is shorter than 5 characters. If the name is 5 characters or longer, the serial computation starts at VA 0042F694. Let us go through it.

1/ EBX and ESI are set up as working variables.

2/ ESI is initialized to 5DFEE4A4.

3/ EBX is zeroed.

4/ TEST sets the flags that decide whether the JE jump is taken.

5/ The value in EDI is moved into ECX. (What was pushed last on the stack is popped first.)

6/ 4 is subtracted from EAX. (EAX holds the length of the user name we typed; "Myanmar Cracking Team" is 21 characters.)

7/ EBX and EAX are compared.

8/ If EBX is not below EAX, the jump is taken. (At this point EAX is 17 and EBX is 0.)

9/ ESI is XORed with the four ASCII bytes of the user name at the current position, read as one little-endian dword (these are plain ASCII bytes, not Unicode values). (At this point ESI is 5DFEE4A4 and DS:[EBX+EDI] is 6E61794D, the bytes of "Myan" in reverse order.)

10/ EBX is incremented by 1.

11/ In this way every 4-byte window of "Myanmar Cracking Team" is read and XORed in, and the final result is left in EAX.

Written out as assembly, it looks like this. It is not the complete code, only the part that produces the serial key. The programmer who wrote it is Ziggy of SND Team.

    invoke lstrlenA, addr namebuffer    ; get the length of the name string
    mov ecx, eax                        ; copy length of name string in eax to ecx
    sub ecx, 4                          ; loop counter ecx = name string length - 4
    lea edi, namebuffer                 ; edi = address of name string
    mov esi, 05DFEE4A4h                 ; esi = starting code value = 5DFEE4A4 hex
L005:                                   ; Ripped code from Ziggy's KeygenMe
    mov eax, dword ptr ds:[edi]         ; load 4 name string ascii characters into eax
    xor esi, eax                        ; exclusive-or esi with those 4 bytes - result in esi
    inc edi                             ; advance one byte to the next (overlapping) group of 4 chars
    dec ecx                             ; decrement the loop counter
    jnz L005                            ; jump back if ecx loop counter not = zero

How to write a keygen in assembly was explained in the chapter "Basic assembly language", so it is not repeated here. One thing worth saying about keygens is that we do not have to write the keygen's GUI ourselves; ready-made keygen templates can be used as they are. Only the registration routine that produces the serial keys has to be written.

;
; Ziggy April 2005
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Notes
;
; - Requires MASM32 V8
; - Requires linking with matching resource file
;
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

.586p
.mmx
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

; Prototypes
DialogProc    PROTO :DWORD,:DWORD,:DWORD,:DWORD
ClipboardCopy PROTO
KeygenProc    PROTO

.const
DIALOG_1      equ 1          ; identifier in resource file
IDC_APPNAME   equ 1001
IDC_NAME      equ 1002
IDC_SERIAL    equ 1003
BTN_CLOSE     equ 1004
BTN_GENERATE  equ 1005
BTN_COPY      equ 1006
BTN_ABOUT     equ 1007

; may need to edit these constants
MinNameLength equ 5          ; Should be consistent with .data NameTooShort
MaxNameLength equ 30         ; Maximum length of name string

; edit about text as needed
About_Text    equ " ",13,10,"Keygenned by Ziggy ",13,10,10,"30 July 2008",13,10,13,10
Max_Buffer    equ 100        ; set to at least maximum length of name or serial

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data
; edit app name as needed
Appname       db "Myanmar Cracking Team proudly presents:",0
; following data not required if name not used to derive serial
NoName        db 'No Name Entered',0
NameTooLong   db 'Name is too long',0
NameTooShort  db 'Name must be at least 5 characters',0    ; edit to match MinNameLength
NameOK        db 'Press "Generate"',0
namebuffer    dd Max_Buffer dup (00)     ; buffer for entered name
genedserial   dd Max_Buffer dup (00)     ; buffer for generated serial
tempbuffer    dd Max_Buffer dup (00)     ; scratch buffer
fixedstring   db " ",0
decimalformat db "%d",0

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data?
hInstance     dd ?           ; Module handle
handle        dd ?           ; Dialog handle
hIcon         dd ?           ; caption bar icon handle

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.code
main:
    invoke GetModuleHandleA,NULL
    mov hInstance,eax                        ; save handle for later use
    ;mov hIcon, FUNC(LoadIcon, hInstance,2)  ; get the icon 2 resource
    ; setup the dialog processing
    invoke DialogBoxParamA,hInstance,DIALOG_1,NULL,addr DialogProc,NULL
    invoke ExitProcess,NULL                  ; terminate after dialog is closed

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Main Dialog Processing
DialogProc Proc hwnd:dword, message:dword, wParam:dword, lParam:dword
    pushad
    mov eax,hwnd
    mov handle,eax                           ; save dialogbox handle, to use in other procedures
    .IF message==WM_INITDIALOG
        invoke SetDlgItemTextA,handle,IDC_APPNAME,addr Appname   ; show the appname in dialog box
        invoke SendMessage,handle,WM_SETICON,ICON_BIG,hIcon      ; set icon on caption bar
    .ELSEIF message==WM_COMMAND
        mov eax,wParam
        .IF ax==BTN_GENERATE                 ; "Generate" button pressed
            ; check name is ok, not too long & not too short
            invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
            .if eax == 0
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NoName
            .elseif eax > MaxNameLength      ; max name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong
            .elseif eax < MinNameLength      ; minimum name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooShort
            .else                            ; name ok: invoke keygen algo on 'generate'
                invoke KeygenProc            ; do the business
            .endif
        .ELSEIF ax==BTN_CLOSE                ; "Close" button pressed
            jmp @close
        .ELSEIF ax==BTN_ABOUT                ; "About" button pressed
            invoke MessageBox,handle,SADD(About_Text),SADD(" ",34,"Myanmar Cracking Team",34),MB_OK or MB_ICONINFORMATION
        .ELSEIF ax==IDC_NAME                 ; name character entered
            ; check name ok, not too long & not too short
            invoke GetDlgItemTextA,handle,IDC_NAME,ADDR namebuffer,Max_Buffer
            .if eax == 0
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NoName
            .elseif eax > MaxNameLength      ; max name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooLong
            .elseif eax < MinNameLength      ; minimum name length
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameTooShort
            .else
                invoke SetDlgItemTextA,handle,IDC_SERIAL,addr NameOK
            .endif
        .ELSEIF ax==BTN_COPY                 ; "Copy" button pressed
            invoke ClipboardCopy
        .ENDIF
    .ELSEIF message==WM_CLOSE                ; dialog closed
      @close:
        invoke EndDialog,handle,NULL
        popad
        xor eax,eax
        ret
    .ELSE
        popad
        mov eax,FALSE
        ret
    .ENDIF
    popad
    xor eax,eax
    ret
DialogProc endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Copy generated serial to the clipboard
; This function is not really necessary in a simple keygen but code is short
; and does not need any modification.
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
ClipboardCopy proc
    pushad
    invoke GetDlgItemText,handle,IDC_SERIAL,addr genedserial,SIZEOF genedserial
    .if eax != 0
        invoke OpenClipboard,handle
        .if eax
            invoke GlobalAlloc,GMEM_MOVEABLE or GMEM_DDESHARE,SIZEOF genedserial
            .if eax != NULL
                push eax
                push eax
                invoke GlobalLock,eax
                mov edi,eax
                mov esi,OFFSET genedserial
                mov ecx,SIZEOF genedserial
                rep movsb
                pop eax
                invoke GlobalUnlock,eax
                invoke EmptyClipboard
                pop eax
                invoke SetClipboardData,CF_TEXT,eax
            .endif
        .endif
        invoke CloseClipboard
    .endif
    popad
    ret
ClipboardCopy endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; your Key Generator Code goes in this procedure
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
KeygenProc PROC
    nop                 ; these nops make the Keygen procedure easy to find in Olly
    nop                 ; when debugging the keygen.
    nop                 ; comment these out on final assembly
    nop
    nop
    nop
    nop
    nop
    ;[[[[[[[[[[[[[[[[[ Your keygen code goes in here to replace the example
    invoke lstrlenA,addr namebuffer      ;** get the length of the name string
    mov ecx,eax                          ;** copy length of name string in eax to ecx
    sub ecx,4                            ;** loop counter ecx = name string length - 4
    lea edi,namebuffer                   ;** edi = address of name string
    mov esi,05DFEE4A4h                   ;** esi = starting code value = 5DFEE4A4 hex
L005:
    mov eax,dword ptr ds:[edi]           ;** load 4 name string ascii characters into eax
    xor esi,eax                          ;** exclusive-or esi with those 4 bytes - result in esi
    inc edi                              ;** advance one byte to the next group of 4 name chars
    dec ecx                              ;** decrement the loop counter
    jnz L005                             ;** jump back if ecx loop counter not = zero
    invoke wsprintf,addr tempbuffer,addr decimalformat,esi   ; serial is in esi (the template's example used edx)
    invoke lstrcpyA,addr genedserial,addr fixedstring
    invoke lstrcatA,addr genedserial,addr tempbuffer
    ;]]]]]]]]]]]]]]]]]]
    invoke SetDlgItemTextA,handle,IDC_SERIAL,addr genedserial   ; display serial
    ret
KeygenProc ENDP

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end main

Assembling this code gives Figure (30).

Figure (30)

Was writing the keygen in assembly comfortable for you? If not, here is how to write the same keygen in C.

#include <conio.h>      // C Console Application
#include <stdio.h>      // Compiler - Borland C++ 5.02
#include <string.h>     // Copyright © by Myo Myint Htike, September 14 2009
#include <memory.h>

unsigned long StringtoHex(const char *string);

int main()
{
    char User_Name[31] = {0};       /* up to 30 name characters plus the terminating null */
    char Read_4_Bytes[5] = {0};     /* 4 characters plus the null that strrev() needs */
    unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;
    unsigned long string_length;

    printf("Teleport Pro 1.3x - 1.6x Keygen");
    printf("\n========================\n\n");
    printf("\nYour Name : ");
    /* only a-z, A-Z and space are accepted; the width keeps the read inside User_Name */
    scanf("%30[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]", User_Name);
    string_length = strlen(User_Name);
    if (string_length < 5 || string_length > 30) {
        printf("Name must be 5->30 characters.\n");   /* stop here: string_length-4 would underflow */
        getch();
        return 1;
    }
    while (index < string_length - 4) {
        memmove(&Read_4_Bytes, &User_Name[index], 4);  /* next 4-byte window of the name */
        strrev(Read_4_Bytes);                          /* reverse so the bytes read as a little-endian dword */
        EAX = StringtoHex(Read_4_Bytes);
        ESI = ESI ^ EAX;                               /* the same XOR chain pro.exe runs */
        index++;
    }
    printf("\nRegistration Code : %d\n", ESI);
    getch();
    return 0;
}

unsigned long StringtoHex(const char *string)
{
    unsigned long hex_value = 0;
    const char *character_read = string;
    while (*character_read) {
        hex_value = (hex_value * 0x100) + (unsigned char)*character_read;
        character_read++;
    }
    return hex_value;
}

y&dk*&rf&JU tvkyfvkyfyHkuawmh -

1/ unsigned long StringtoHex(const char *string);

'guawmh udk,fydkif function wpfckudk toHk;jyKr,fvkdU MudKwifaMunmwmyg/

2/ char User_Name[30] = {0}, char Read_4_Bytes[5] = {0};

User name twGuf pmvHk;a& (30)zwfrSmjzpfygw,f/ 'DpmvHk;awGudk zwfjyD;xm;r,fh buffer ae&mudk 00 ('\0') awGeJU jznfhvdkufwmyg/ Read_4_Bytes[4] uvJ 'DvdkygyJ/

3/ unsigned long index = 0, ESI = 0x5DFEE4A4, EAX;

XOR vkyfr,fh ESI wefzdk;udk 0x5DFEE4A4 vdkU initialize vkyfygw,f/

4/ scanf("%[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]",User_Name);

Registration vkyfr,fh user name udkawmif;wmyg/ %s eJU zwf&if&ayr,fh user trnfrSm rvdktyfwJhoauFwawG (space rSty) ygvmrSm pdk;&drfwJhtwGuf uefUowfvdkufwmjzpfygw,f/ 'gaMumifh keyboard uae trnf&dkufxnfhwJhtcgrSm a-z? A-Z eJU space wdkUom &dkufxnfhvdkU&rSmjzpfygw,f/ Myanmar Cracking Team vdkU &dkufxnfhygr,f/

5/ string_length = strlen(User_Name);

&dkufxnfhvdkufwJh user name udk b,fESpfvHk;vJqdkwm wGufcsufygw,f/ Myanmar Cracking Team jzpfwJhtwGuf 21vHk;jzpfygw,f/ wu,fvdkU user name [m 5vHk;xufenf;ae&ifyJjzpfjzpf? tvHk;30xuf rsm;ae&ifyJjzpfjzpf serial trSm;udkyJ xkwfay;rSmjzpfygw,f/

6/ while(index < string_length-4){

string_length xJu 4EIwfwmjzpfwJhtwGuf string_length wefzdk;topf[m 17jzpfvmygr,f/ index wefzdk;uawmh ckcsdefrSm oknjzpfaeygr,f/ 'gaMumifh while loop udk 17Mudrfvkyfaqmifygr,f/

6.1/ memmove(&Read_4_Bytes, &User_Name[index], 4);

memmove() function uawmh &User_Name[0] = VA 12FF68 rSmpwJh 4D 79 61 6E (Myan) pwJh pmvHk;4vHk;udk &Read_4_Bytes = VA 12FF88 rSm oGm;xm;apwmjzpfygw,f/ yHk(31)/

yHk(31)

Page 134: Cracker_Guide_2.1_

tcef;(9) - Teleport Pro 1.61 y&dk*&rfESifh yxrqHk;tMudrf crack vkyfjcif; - 134 -

6.2/ strrev(Read_4_Bytes);

Reverses the string Myan. So Myan becomes nayM. The reason strrev() is used is the byte order (endianness) in which the program reads its data.

6.3/ EAX = StringtoHex(Read_4_Bytes);

The StringtoHex() function converts the reversed string into a number so that it can be XORed. Once this function has run, EAX is 6E61794D.

6.3.1/ while(*character_read){ hex_value = (hex_value*0x100) + (unsigned long)*character_read; character_read++; }

character_read reads the first character, n, at VA 12FF88. Remember that *character_read is the same as character_read[0] and reads one character.

Figure (32)

The character read, n, is converted to a number. At this point hex_value is 6E (hex), which is 110 in decimal. Because character_read is incremented by one, it becomes character_read[1] and reads a. Now hex_value = (6E*0x100) + 61 = 6E61. It keeps reading characters like this until it meets 00 (\0). In the end hex_value is 6E61794D. The value 6E61794D is returned to EAX.

6.4/ ESI = ESI ^ EAX;

EAX (6E61794D) and ESI (5DFEE4A4) are XORed. The result, 339F9DE9, is stored in ESI.

6.5/ index++;

Because index is incremented by one, the next time the while loop runs ...

    while(index < string_length-4){                   // while(1<17){
        memmove(&Read_4_Bytes, &User_Name[index], 4);  // Read_4_Bytes = "yanm";
        strrev(Read_4_Bytes);                          // Read_4_Bytes = "mnay";
        EAX = StringtoHex(Read_4_Bytes);               // EAX = 6D6E6179;
        ESI = ESI ^ EAX;                               // ESI = 339F9DE9 ^ 6D6E6179 = 5EF1FC90;
        index++;                                       // index = 2;
    }
    // while (2<17){ ..................}
    // while (3<17){ ..................}
    // while (4<17){ ..................}
    // ......................................etc
    while(index < string_length-4){                   // while(16<17){
        memmove(&Read_4_Bytes, &User_Name[index], 4);  // Read_4_Bytes = " Tea";
        strrev(Read_4_Bytes);                          // Read_4_Bytes = "aeT ";
        EAX = StringtoHex(Read_4_Bytes);               // EAX = 61655420;
        ESI = ESI ^ EAX;                               // ESI = 44E3D4F9 ^ 61655420 = 258680D9 (hex);
        index++;                                       // index = 17;
    }

7/ printf("\nRegistration Code : %d\n",ESI);

Prints the final result of the XORs (258680D9 hex = 629571801 decimal). 629571801 is the registration code for Myanmar Cracking Team.

That is how the keygen works, in detail.
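As an added example, not code from the book, here is the fold traced in steps 3-7 re-implemented in portable C. strrev() exists only in MSVC, so a local reverse_in_place() stands in for it, and a second function, registration_code_le(), does the same fold by reading each four-byte window as a little-endian DWORD, which is all that the strrev()+StringtoHex() pair computes on x86. The function names are this example's own. Seen from the software side, the lesson is that the serial is a pure function of the public user name with no secret in it, which is why the whole check can be rebuilt from the disassembly as this chapter does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the book's code: the registration-code fold of steps
   3-7, written so it builds anywhere. strrev() is MSVC-only, so
   reverse_in_place() stands in for it; registration_code_le() shows that a
   little-endian DWORD read already gives the "reversed" value. */

/* The book's StringtoHex(): pack the characters of s into one number, the
   first character landing in the most significant byte. */
uint32_t string_to_hex(const char *s) {
    uint32_t hex_value = 0;
    for (; *s; s++)
        hex_value = (hex_value * 0x100u) + (unsigned char)*s;
    return hex_value;
}

/* Portable stand-in for MSVC strrev(): reverse s in place. */
void reverse_in_place(char *s) {
    size_t i = 0, j = strlen(s);
    while (j > 0 && i < j - 1) {
        char t = s[i];
        s[i] = s[j - 1];
        s[j - 1] = t;
        i++;
        j--;
    }
}

/* Four bytes read the way a 32-bit x86 program loads a DWORD. */
uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Steps 3-6 of the trace: names of 5..30 characters only; every four-byte
   window is reversed, packed and XORed into ESI starting from 0x5DFEE4A4.
   Returns 0 for a name outside the accepted length (the program itself
   then prints a wrong serial). */
uint32_t registration_code(const char *user_name) {
    size_t string_length = strlen(user_name);
    if (string_length < 5 || string_length > 30)
        return 0;
    uint32_t ESI = 0x5DFEE4A4u, EAX;
    char Read_4_Bytes[5] = {0};                       /* 4 chars + terminator */
    for (size_t index = 0; index < string_length - 4; index++) {
        memmove(Read_4_Bytes, &user_name[index], 4);  /* 6.1 */
        reverse_in_place(Read_4_Bytes);               /* 6.2 */
        EAX = string_to_hex(Read_4_Bytes);            /* 6.3 */
        ESI = ESI ^ EAX;                              /* 6.4 */
    }
    return ESI;
}

/* The same fold without the reversal: a little-endian load already yields
   the value the reversed string packs to, so both functions agree. */
uint32_t registration_code_le(const char *user_name) {
    size_t string_length = strlen(user_name);
    if (string_length < 5 || string_length > 30)
        return 0;
    uint32_t ESI = 0x5DFEE4A4u;
    for (size_t index = 0; index < string_length - 4; index++)
        ESI ^= le32((const unsigned char *)user_name + index);
    return ESI;
}

int main(void) {
    const char *name = "Myanmar Cracking Team";       /* the chapter's sample name */
    printf("Registration Code : %u (hex %08X)\n",
           (unsigned)registration_code(name), (unsigned)registration_code(name));
    printf("Little-endian fold: hex %08X\n", (unsigned)registration_code_le(name));
    return 0;
}
```

Running it prints 629571801 (hex 258680D9) for the chapter's name, the same value both ways; the %d in the program's own printf prints the same number because the top bit of 258680D9 is clear.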

Finally, I want to point out that the registration routine is not always written inside the exe file. Kaspersky Internet Security 7.0 keeps its registration routine in lic.ppl (the file type is given as .ppl, but it is really just a .dll file), and the software released by Xilisoft keeps it in UILib71.dll, UILib8_MFCDll.dll or imfc0.dll. With that, let me conclude.


Chapter (10) - Patching (Beginner/Intermediate/Advanced)

What we studied in Chapter (9) was finding the serial key from within the registration routine. But finding every program's serial key is really not easy; it costs time and effort. So some crackers crack by patching the program so that the full (registered) version can be used within a short time. Modifying some of the relevant code in the program is called patching. The patched files are placed in the folder where the program is installed, replacing the original files. What is seen in Figure (1) is the BookWorm game program after it has been patched. Finding the serial in this program is not as easy as in Teleport Pro; it would take quite a lot of time. So in this program the routine that checks whether it is registered was removed, the routine that checks the play time was removed, and the 60-minute limit was removed. In addition, the text "Myanmar Cracking Team proudly PRESENTS…" was inserted, and the Trial Version image was replaced with a Registered Version image.

Figure (1)

In this chapter, patching is discussed in three parts. The first part is the patching method that beginner crackers usually use, part (2) is the intermediate level, and part (3) is the patching method that advanced crackers usually use.

(1) Beginner-level patching (Plain Stupid Method)

Under this heading we will try cracking with the patching methods that beginners usually use. The program chosen for trying out patching is the calculator (calc.exe) protected with the Exe password software. The calculator program is easily found in the system32 folder of Microsoft Windows. The Exe password software can be downloaded from www.salfeld.com. Exe password is software that protects, with a password, programs you do not want others to use, so that others cannot open them. If you want to open such a program, you must be able to type the correct password. OK, the first thing to do before patching is to open Exe password and give the calculator (calc.exe) program a password. Figure (2).


Figure (2)

As seen in Figure (2), we protect our calc.exe program with the password "DEADBEEF". You will then see that the icon changes. Figure (3).

Figure (3)

Let's open the password-protected calc.exe file. A dialog box asking for the password appears, as in Figure (4).

Figure (4)

If the password is not typed correctly, you will see Figure (5).

Figure (5)

So it is now certain that we cannot open this file without knowing the password. Normally we would have to find out this password, but since this chapter only discusses patching, let's try to patch it. Note down the text "Password is incorrect…" seen in Figure (5) on a blank sheet of paper. Open the calc.exe file in Olly. You will see Figure (6).

Figure (6)


In Figure (6), right-click and choose All referenced text strings under Search for. A new window appears. Right-click in this window and choose Search for text. You will see Figure (7).

Figure (7)

In Figure (7), type the text "Password is incorrect…" that we want to find and choose OK. You will see Figure (8).

Figure (8)

Double-click the highlighted line in Figure (8). You will see Figure (9).

Figure (9)

Look carefully at Figure (9). You will find the routine (VA 0054C8AC) that shows the error message of Figure (5). In fact, the error message routine runs because CALL calc.00435C4C cannot be skipped. The JNZ instruction at VA 0054C87C cannot skip CALL calc.00435C4C either. Figure (10).

Figure (10)


According to Figure (10), the only instruction that can skip CALL calc.00435C4C is the JE at VA 0054C873. So set a breakpoint at VA 0054C86E and press F9. You will see Figure (11).

Figure (11)

Type "Cracker" in the textbox of Figure (11). We arrive straight at the place where we set the breakpoint. Figure (12).

Figure (12)

When we reach VA 0054C86E in Figure (12), take a look at the register window. Figure (13).

Figure (13)

Looking at Figure (13), you will see the text "pFTZ^UC" in the EAX register and the text "wqt}wutt" in the EDX register. In fact, "wqt}wutt" is the encrypted form of the password we typed in Figure (2), and "pFTZ^UC" is "Cracker" encrypted. The CALL routine at VA 0054C86E seen in Figure (12) checks whether "pFTZ^UC" and "wqt}wutt" are equal. If they are equal, the error message is skipped. So let's try patching. Strictly, CALL calc.004046A0 should be replaced with NOP instructions and JE SHORT calc.0054C8D7 with JMP SHORT calc.0054C8D7. But here I will do just one thing: change the JE to JMP. (Note: changing to NOP (No operation) stops the two passwords from being compared. The JMP instruction forces the error message to be skipped.) After the change you will see Figure (14).


Figure (14)

After changing it as in Figure (14), right-click, choose All modifications under Copy to executable, and save the file. To find out whether the patched file works, open it. Type any password you like into the password dialog box that appears. The program will open.
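The two edits just described change one byte (JE to JMP, opcode 74 to EB) or five bytes (a CALL to five NOPs) in place. As an added example, not from the book, here is the other side of that fact: given a known-good copy of a binary and a suspect copy, list every run of changed bytes and classify the ones that match these edits. The byte arrays are constructed samples shaped like the check in Figure (12), not bytes from calc.exe or Exe password, and diff_patches, classify and kind_name are names of this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the book's code: compare an original binary with a
   patched copy and classify the edits this part makes (JE/JNZ turned into
   JMP, a CALL replaced by NOPs). In-place patching keeps the file size, so
   only same-length images are compared. The byte arrays are constructed
   samples, not bytes from calc.exe or Exe password. */

enum patch_kind {
    PATCH_JCC_SHORT_TO_JMP,   /* 74/75 rel8     ->  EB rel8        */
    PATCH_JCC_NEAR_TO_JMP,    /* 0F 84/85 rel32 ->  90 E9 rel32    */
    PATCH_CALL_TO_NOP,        /* E8 rel32       ->  90 90 90 90 90 */
    PATCH_OTHER               /* any other changed bytes           */
};

struct finding { size_t offset, length; enum patch_kind kind; };

/* Classify the run of changed bytes [off, off+len). A JE->JMP edit leaves
   the rel8/rel32 operand untouched, so those runs are 1 or 2 bytes long. */
static enum patch_kind classify(const unsigned char *orig, const unsigned char *mod,
                                size_t size, size_t off, size_t len) {
    if (len == 1 && (orig[off] == 0x74 || orig[off] == 0x75) && mod[off] == 0xEB)
        return PATCH_JCC_SHORT_TO_JMP;
    if (len == 2 && orig[off] == 0x0F && (orig[off + 1] == 0x84 || orig[off + 1] == 0x85)
        && mod[off] == 0x90 && mod[off + 1] == 0xE9)
        return PATCH_JCC_NEAR_TO_JMP;
    /* NOPed CALL: the run is shorter than 5 if a rel32 byte was already 0x90 */
    if (len <= 5 && off + 5 <= size && orig[off] == 0xE8
        && memcmp(mod + off, "\x90\x90\x90\x90\x90", 5) == 0)
        return PATCH_CALL_TO_NOP;
    return PATCH_OTHER;
}

/* Record every run of changed bytes as one finding; returns how many were
   stored (at most max_findings). */
size_t diff_patches(const unsigned char *orig, const unsigned char *mod, size_t size,
                    struct finding *out, size_t max_findings) {
    size_t n = 0;
    for (size_t i = 0; i < size && n < max_findings; ) {
        if (orig[i] == mod[i]) { i++; continue; }
        size_t j = i;
        while (j < size && orig[j] != mod[j]) j++;
        out[n].kind = classify(orig, mod, size, i, j - i);
        out[n].length = out[n].kind == PATCH_CALL_TO_NOP ? 5 : j - i;  /* whole CALL */
        out[n].offset = i;
        i += out[n++].length;
    }
    return n;
}

const char *kind_name(enum patch_kind k) {
    switch (k) {
    case PATCH_JCC_SHORT_TO_JMP: return "Jcc rel8 -> JMP rel8 (conditional jump forced)";
    case PATCH_JCC_NEAR_TO_JMP:  return "Jcc rel32 -> JMP rel32 (conditional jump forced)";
    case PATCH_CALL_TO_NOP:      return "CALL -> 5 x NOP (call removed)";
    default:                     return "unclassified edit";
    }
}

/* Constructed sample with the shape of the check in Figure (12): compare
   CALL, TEST AL,AL, short JE, near JNZ, error-box CALL, RET. */
static const unsigned char original[] = {
    0x8B, 0x45, 0xFC,                    /*  0: mov eax, [ebp-4]       */
    0xE8, 0x10, 0x00, 0x00, 0x00,        /*  3: call rel32 (compare)   */
    0x84, 0xC0,                          /*  8: test al, al            */
    0x74, 0x05,                          /* 10: je rel8                */
    0x0F, 0x85, 0x20, 0x00, 0x00, 0x00,  /* 12: jnz rel32              */
    0xE8, 0x90, 0x00, 0x00, 0x00,        /* 18: call rel32 (error box) */
    0xC3                                 /* 23: ret                    */
};
static const unsigned char patched[] = {   /* both CALLs NOPed, JE and JNZ forced */
    0x8B, 0x45, 0xFC, 0x90, 0x90, 0x90, 0x90, 0x90, 0x84, 0xC0, 0xEB, 0x05,
    0x90, 0xE9, 0x20, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3
};

/* Helpers over the sample so results can be checked by value. */
size_t sample_findings(struct finding *out, size_t max_findings) {
    return diff_patches(original, patched, sizeof original, out, max_findings);
}
size_t sample_count(enum patch_kind k) {
    struct finding f[16];
    size_t n = sample_findings(f, 16), c = 0;
    for (size_t i = 0; i < n; i++) c += (f[i].kind == k);
    return c;
}
size_t sample_offset(size_t idx) {
    struct finding f[16];
    size_t n = sample_findings(f, 16);
    return idx < n ? f[idx].offset : (size_t)-1;
}

int main(void) {
    struct finding f[16];
    size_t n = sample_findings(f, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu, %zu byte(s): %s\n", f[i].offset, f[i].length, kind_name(f[i].kind));
    return 0;
}
```

In-place patches never change the file size, so a length mismatch between the two copies already means something other than this kind of edit happened; and any changed run that fits none of the three patterns still comes back as a finding, only unclassified. The second CALL in the sample has a rel32 byte that was already 0x90, which is why the classifier looks at the five-byte window rather than only at the bytes that differ.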

(2) Intermediate-level patching

This time we will try intermediate-level patching. The program chosen for study and experiment, without harming anyone, is MrBills. This program can no longer be found on the internet at all. The company has been sold and the program is no longer released. Besides, this software has already been cracked by others. MrBills can be downloaded free from the SND Team's download section. You will also find MrBills included in Lena's reversing tutorial (7).

To get to know the program, let's open it in Olly and PEiD. Figure (15) and Figure (16).

Figure (15)

Figure (16)

PEiD is a tool that identifies the packers, cryptors and compilers commonly used in PE files. Let's look at Krypto Analyser, one of PEiD's plugins. This little plugin finds known crypto algorithms inside modules by comparing them with the plugin's Krypto signatures. Looking at Figure (1), you can see that the MrBills software is not packed and was written with Visual C++ 7.0. The MrBills version is 2.1.0.1.

Figure (17)


If you choose Krypto Analyser from Plugins in Figure (17), you will see Figure (18).

Figure (18)

Looking at Figure (18), you can see the crypto algorithms used. CRC checks will be discussed in later lessons. OK, let's close PEiD.

Look at Figure (16). Let's run (F9) the program. You will then see Figure (19).

Figure (19)

As seen in Figure (19), we are not registered yet. Click About.

Figure (20)

When you click About, you see Figure (20). Here, I think, there is nothing for us to do. Choose Register.... You will see Figure (21).

Figure (21)


According to Figure (21), we need to register, because it says that some functions will not work unless we register. Let's try registering. Figure (22).

Figure (22)

We are out of luck. We only get Figure (23).

Figure (23)

Figure (9) is the place we have to patch. I have already explained in earlier chapters how to search for text strings. Today as well we will have to use that method to get what we want. So note down the word among these text strings that you think matters. OK, let's study the code. Go back to Olly. Figure (10).

Figure (24)

To search for text strings, right-click in Figure (24). Then choose All referenced text strings under Search for. The text string window then appears. Right-click in the text string window and search for the text we want. Figure (25). One warning before searching: scroll to the very top of the text string window before right-clicking.

Figure (25)

Now we have found the text we were looking for. Figure (26).

Figure (26)


So double-click VA 004299BD, where the text is. You will see Figure (27).

Figure (27)

VA 004299BD in Figure (13) is preparing to write "You have entered an ..." into a message box. If you scroll down a little, you will see Figure (28).

Figure (28)

The answer we want is at VA 004299F3. VA 004299BD is the BadBoy message and VA 004299F3 is the GoodBoy message. You can see that the JNZ in Figure (27) would jump to VA 004299F1. In practice the JNZ does not jump to VA 004299F1. That is why we see the BadBoy message "You have entered an invalid email ...". If the JNZ were changed to JMP .........

Figure (29)

Look at TEST AL, AL in Figure (29). AL decides between GoodBoy and BadBoy. AL is probably set inside the CALL function at VA 004299AD, because it is better to set a value inside a CALL function, ready for comparison, before anything is compared. This is the registration check. What I want to note here is ... that we now need to examine how AL is set inside this CALL function.

So let's set a breakpoint at VA 004299AD. Let's continue. We have found the result of the check of whether the serial is correct. When the result is set inside the CALL above TEST AL, AL, AL holds that value. If the result is positive, the program goes to VA 004299F1, where the GoodBoy message is, to register. Otherwise the jump cannot happen and we get the BadBoy message.

Summary: because of the JNZ, AL must not be equal to zero for registration.

Let's scroll up a little above VA 004299AD. Figure (30).

Figure (30)

The text in Figure (30) is of no importance to us. It is the text shown in the About box.

Let's run the registration again. To find out what is inside the CALL, a breakpoint has been set at VA 004299AD.

Note: the plain stupid method is only patching conditional jumps so that the BadBoy is skipped. Most of the time that method is not sufficient to register software.


So now we will try to go deep inside the CALL and patch AL, which decides whether it is registered or not.

Let's try registering again as in Figure (31). Press F9.

Figure (31)

When we click the "Register Now" button, we arrive at VA 004299AD, where we set the breakpoint earlier. Figure (32).

Figure (32)

Press F7 and let's step into the CALL. Now we are inside the CALL. Figure (33).

Figure (33)

To find out what happens next, let's just press F8. Let me mention here that we need to watch for changes in the value of AL. Figure (34).

Figure (34)

Soon we will see the important parts. Do you see TEST AL, AL at VA 0040715A in Figure (35)?

Figure (35)


Then [5076A0] at VA 0040715E. After that, JNZ at VA 00407163, TEST AL, AL at VA 00407170, [5076A0] at VA 00407174. Look carefully at the CALL at VA 00407155. What do you see? It seems that AL has already been set inside the CALL at VA 00407155. So press the Enter key to find out what happens next inside the CALL. Remember that by pressing the Enter key you can follow the code, but the code is not run. I mean that you look at the code inside the CALL without having to run it. So the instruction pointer also stays at the VA where the Enter key was pressed. Figure (36).

Figure (36)

When you press the Enter key on the CALL at VA 00407155, you see Figure (37).

Figure (37)

Let's look. MOV BL, AL at VA 00407007. MOV AL, BL at VA 00407011. The value in BL is moved back into AL. First, the value in AL is placed into BL. You will understand that the CALL at VA 00407009 has no effect on BL (and AL). But the value of AL is decided in the CALL at VA 00406FF9. OK. Since AL is set inside CALL 00406F4B at VA 00406FF9, let's set a breakpoint at this CALL.

Note that at this point we are seeing a lot of CALLs. Likewise, remember that we pressed the Enter key on the CALL to find out what is inside it. To check whether AL is set inside the CALL at VA 00406FF9, we press F9 to reach the place where we set the breakpoint. Now we have reached the place where we set the breakpoint. Figure (38).

Figure (38)

It is very important for you to understand the next step.

(1) Note the value of AL.

(2) Execute the CALL suspected of setting the value of AL.

(3) Press F7 on this CALL.

(4) Look again for information about AL.


Figure (39)

As seen in Figure (39), AL is not zero. That is also why, by the time TEST AL, AL returns a value, AL can be non-zero. Now press F8 to run the CALL. You will see the value of AL change. Figure (40).

Figure (40)

So inside the CALL at VA 00406FF9 the value of AL is set to zero. Registration is not successful. Press F8 to find out what happens next.

Another thing to note is how the values of AL and BL change in the next steps.

Figure (41)

When MOV BL, AL in Figure (41) is executed, the value of BL also becomes zero, because AL is zero. Figure (42).

Figure (42)

Figure (43)

Once the CALL at VA 00407009 in Figure (43) has executed, you can see that the value of AL has changed to 1. Look at MOV AL, BL at VA 00407011. Why is what is in BL put into AL?

INFO: If the program needs to work with the EAX register, it temporarily keeps its value in another register.

Let me explain once more, so that you get a feel for how the program works.


Figure (44)

In Figure (44), the value of AL becomes zero again because of BL. So my conclusion that the CALL at VA 00407009 has no effect on AL and BL is correct. The state of AL is set in the CALL at VA 00406FF9. Finally, press F8 (or F7) to get back to our previous CALL (I mean the CALL before we pressed the Enter key). You will see Figure (45).

Figure (45)

Remember that when we come back to TEST AL, AL, the value of AL is not zero. (The JNZ: registered or not.)

Let's study what happens to AL here. When F8 is pressed, the value of AL is still zero. Figure (32).

When AL is stored into the pointer ([5076A0]) ....

Figure (46)

The pointer's value is still zero. Figure (46). While not registered, the jump cannot happen.

OK. Do you understand that whether it is registered or not is kept in the pointer ([5076A0]) at VA 0040715E? Likewise in the pointer ([5076A0]) at VA 00407174. Figure (45).

The CALL at VA 0040716B runs only while we are not registered. It is probably the CALL that displays the unregistered strings. Let's keep pressing F8. We will continue the work concerning AL at VA 0040715E later. Likewise for AL at VA 00407174.

Sorry if the explanation so far is too slow for you. I assumed that all of this would be confusing for beginners who have had only a little to do with cracking, which is why I am discussing it all in such detail. But once I take it that you have understood all of this, I promise to move faster in the lessons to come.

Keep pressing F8.

Figure (47)


I think the JMP in Figure (47) is clear. If you press F8 at the JMP, you will see Figure (35).

Figure (48)

At VA 00407076 we find another pointer ([5076A1]). I think the pointers are clear by now. The JNZ at VA 0040707D jumps if we are not registered. OK. Just keep pressing F8. Figure (49) shows whether we have managed to register.

Figure (49)

OK, now it will be clear why we ended up at the BadBoy. Figure (49). The JNZ at VA 004299B9 does not jump. Figure (50).

Figure (50)

So it is not registered. Let's keep watching what happens next.

Figure (51)

You then see Figure (51). Now we know the CALL we are looking for.

OK. Choose OK in Figure (51) and restart Olly once more. Be careful to leave only the one breakpoint at VA 004299AD in the breakpoint window. Run (F9) the program. Then register again as in Figure (31). We then arrive straight at the place we set, as in Figure (52).

Figure (52)

To find the right CALL, press F7 and step into the CALL at VA 004299AD.


Figure (53)

You will remember that we stepped into the CALL at VA 00407155 earlier. When you reach VA 00407155, press F7. You will see Figure (54).

Figure (54)

Keep pressing F8 until you reach the CALL at VA 00406FF9.

Figure (55)

I think you remember MOV BL, AL in Figure (55). At this point we have decided that the CALL at VA 00406FF9 is the CALL we need to go into. So press F7 and step into the CALL. You will see Figure (56).

Figure (56)

Let's look for where AL is set. Scroll down. We see quite a lot of code. Since this is the first time, we will not think about digging in deep. I suspect one place of checking whether the serial is correct, but I will talk about that later. For now we will only try to patch AL. Really, I ought to examine the code thoroughly, leaving nothing out. That is called Advanced Level Patching.

Figure (57)

Now let's try to change BL at VA 00406FC5. Figure (58).


Figure (58)

You are probably expecting something else. You probably expect that at VA 00406FC5 I would change it to MOV AL, 1 (or) INC AL.

Let me explain here. Every time the program starts, it executes the code at this place. But the program starts with AL == 1 (if registered). To be exact, if the program is not really registered, the program makes itself unregistered. That is also why, when we changed the JNZ at VA 004299AD to JMP as we did earlier, the program was registered only for a moment and became unregistered again the next time it was restarted.

I want you to try the code below yourself.

MOV AL, 1 (or)

MOV BL, 1 (or) NOP

All of them make the program registered. In any case, it does not matter yet if you do not understand all of this. It will become clear in later chapters. For now, let's take it that I assemble MOV BL, 1.

To find out where BL is set, we would need to step into the CALL at VA 00406FBC and study it. But for now, let's leave it at that. Figure (59).

Figure (59)

Press F9 and let's see what happens next. Figure (60).

Figure (60)

If you click OK in Figure (60), you will see that the "[Unregistered]" text in Figure (61) has disappeared.

Figure (61)

Looking at Figure (61), you can see that there is no need to register again.

Figure (62)

So intermediate-level patching has been completed successfully. Save the patched file under any name you like. ☻☻☻


(3) Advanced-level patching

Normally, registering with the plain stupid patch or the intermediate patch can work, but not always. So this time we will try advanced-level patching.

INFO: The plain stupid patch is the method of making conditional jumps such as JE always jump. The intermediate patch sets the AL value inside the CALL to 1, so that on return the program is registered. If the plain stupid method were put in plain words, it would be "skipping the BadBoy even though not registered".

INFO: The intermediate patch changes code such as MOV AL, BYTE PTR DS:[EAX+24] to MOV AL, 0, and in plain words it is "making the necessary part registered".

INFO: The advanced patch studies in depth where the pointer value is set, and patches only the setting of that pointer.

The program intended for study in this lesson is Noah's Ark Deluxe 1.1, which can be downloaded free from www.popcap.com. When you open the program (WinNoah.exe), you will see Figure (63).

Figure (63)

Since the play period has expired, we will have to register. If we try registering, we see Figure (64).

Figure (64)


Now that we know the nature of the program, let's open the code in Olly. Figure (65).

Figure (65)

Figure (65) is the EP of WinNoah.exe. Let's search for the BadBoy message from Figure (64). Figure (66).

Figure (66)

When we search for the text strings (BadBoy messages) from Search, we see Figure (66). Set breakpoints at these places and double-click. Figure (67).

Figure (67)

What we see in Figure (67) is the start of the CALL that invokes the BadBoy, and this CALL is called from VA 0041A315 and VA 0041E853. Let's look at VA 0041A315 and VA 0041E853. Figure (68).

Figure (68)

Looking carefully at Figure (68), before reaching the BadBoy CALLs it first goes to CALL DWORD PTR DS:[EAX+40] and checks whether the registration succeeded. The result of that check is stored in AL. Then it checks whether to skip the BadBoy. So, to skip the BadBoy, let's try changing the JNZ to JMP. Then save the modified code and reopen the program. If you type in any name and any code you like, you will see that the game can be played. But this game is registered only at the moment of registering; it is not permanently registered. So further modification is needed. Let's search further in Olly. Figure (69).


Figure (69)

Let's look at where the strings in Figure (69) are. Figure (70).

Figure (70)

Figure (70) is the start of the CALL that checks whether it is registered, and the VAs that call it are 41A158, 41A479, 41D469 and 420431. Set breakpoints at these places and run (F9) the program. You will see Figure (63). If you choose Click Here to Register Now. in Figure (63), you see Figure (71).

Figure (71)

What we see in Figure (71) is that it has stopped at one of the four breakpoints we set last. This place is reached only when registering. Since someone who is already registered does not need to register again, this place should say Click Here to Play. instead of Click Here to Register Now. I think that if we can skip this place, there is no more need to register. So change every JE in Figure (71) to JMP and save the program. If you open the saved program, you still see Figure (63), and it is not registered. That is why I said that jumping at every conditional jump does not make it registered.

OK. Set a breakpoint at VA 4203E7 (CALL DWORD PTR DS:[EDX+10]) in Figure (71) and let's see which CALL it invokes. Figure (72).

Figure (72)

MOV ECX, DWORD PTR DS:[ESI+50]; // ECX = DS[00B78E70] = VA 49C518

CMP BYTE PTR DS:[ECX+328], BL; // DS[49C518+328] = 49C840, BL = 0

Let's look at what value is in the data window at VA 0049C840. Figure (73).


Figure (73)

As seen in Figure (73), when the byte value at DS[49C840] is compared with the value of BL and they are equal, we arrive at VA 420416. Figure (74).

Figure (74)

VA 420419: CMP BYTE PTR DS:[ECX+328], BL; // DS[49C518+328] = 49C840, BL = 0

When VA 420419 compares the byte value at DS[49C840] with the value of BL once more and they are equal, we arrive at VA 420424. As the comparisons go on like this, we see that the CALL at VA 00420431 can be skipped. So why can the game not be played? Really, because skipping the CALL at VA 00420431 is not permanent. Then we see that the value of BL is compared twice with the byte value at VA 00420431 in the dump window. So change the zero to 1 at this place and run (F9) the program. Figure (75).

Figure (75)

After pressing F9, you see that the values have changed, as in Figure (76).

Figure (76)

Remove the breakpoint at VA 4203E7 from Figure (74) and press F9.

Figure (77)


When you press F9, you see Figure (77). So the decision to change VA 0049C840 in the dump window to 1 was right. Press Ctrl+F2 (restart) to reopen the program. Change VA 0049C840 in the dump window to 1. Then, when you right-click in the dump window and choose Copy to executable file, you see Figure (78).

Figure (78)

Right-click in Figure (78) and save the file under any name you like. Then let's reopen the file we saved.

Figure (79)

Something seems to have gone wrong again. The first time, after modifying the code and running, we saw Figure (77). Now, after saving it as a file, we see Figure (79). So let's reopen the modified and saved file in Olly. Figure (80).

Figure (80)

VA 0049C840 in the dump window is just as we saved it. I think we now need to watch this place.

Figure (81)

So we set a hardware breakpoint at this place, as in Figure (81), and watch. Right-click in the dump window and choose Hardware, on write, Byte under Breakpoint. Then press F9 and we can watch what changes.


Figure (82)

We have found the culprit. After MOV BYTE PTR SS:[EBP+328], BL at VA 0042ABFE executes, the byte value at VA 0049C840 in the dump window changes. Press F9 again.

Figure (83)

As seen in Figure (83), AL also comes along and sets it to zero. OK, what if we change these two places to 1 and save the file? Then we see Figure (84).

Figure (84)

In conclusion, to make Noah's Ark registered, we had to modify the code at the following two places -

1/ MOV BYTE PTR SS:[EBP+328], BL at VA 0042ABFE to MOV BYTE PTR SS:[EBP+328], 1,

2/ MOV BYTE PTR SS:[EBP+328], AL at VA 0042D6B8 to MOV BYTE PTR SS:[EBP+328], 1.

Although I told you to modify it this way, I myself modified it differently, as in Figure (85). You can modify it any way your wits allow. ☺ ☺ ☺ ☺

Figure (85)


tcef;(11) - Cracker rsm; owdxm;oifhaom Windows API rsm; INFO: : API (Application Programming Interface) qdkwmuawmh function awGudkpkpnf;xm;wJht&m jzpfjyD; y&dk*&rfawGeJU OS Mum;qufoG,f&mrSm toHk;jyKygw,f/ Win32 API qdkwmuawmh function awG trsm;MuD;pkpnf;xm;wmjzpfjyD; Windows application awGtwGuf low-level programming interface jzpfygw,f/ Microsoft u Win32 API &JU t*Fg&yfawGtrsm;pkyg0ifwJh high-level interface awGudk rdwf qufcJhygw,f/ 'D interface awGxJu txif&Sm;qHk;uawmh MFC (Microsoft Foundation Classes) jzpfjyD; Windows eJUqufoG,fzdkU C++ object awGudktoHk;jyKygw,f/ wu,fwrf;awmh MFC u OS udk ac:oHk;zdkU Win32 API udktoHk;jyK&wmjzpfygw,f/ tckacwfrSm emrnfMuD;aewJh .Net Framework [mvJ OS &JU service awGudkoHk;pGJEdkifzdkU System qdkwJh class udkoHk;pGJw,fqdkayr,fh ol[mvJaemufqHk;awmh Win32 API udkac:oHk;&wmygyJ/ Win32 API rSm tMurf;zsif;tm;jzifh API 2000ausmfyg0ifjyD; Kernel ? USER eJU GDI qdkjyD; tkyfpk3ckcGJEdkifygw,f/ aemufwpfckuawmh native API yg/ Native API uawmh Windows NT pepf twGuf interface wpfckjzpfygw,f/ Windows NT rSmawmh Win32 API [m native API &JU tay:vTmrSm &Sdygw,f/ NT kernel rSm GUI eJUywfoufjyD; bmrSvkyfp&mr&SdwJhtwGuf native API rSm graphics eJU ywfoufwJh b,fvkyfief;rSryg0ifygbl;/ 'gaMumifhrdkU vkyfaqmifcsuft&ajym&&if native API [m Windows kernel eJUcsdwfquf&mrSm t"duusjyD; memory manager? I/O system? object manager? process? thread wdkUeJU csdwfquftoHk;jyKygw,f/ Application y&dk*&rfawG[m native API awGudk b,fawmhrS wdkuf&dkufac: roHk;ygbl;/ oHk;cJh&ifawmh Windows 98 eJU o[ZmwjzpfrIudk csdK;aygufapygvdrfhr,f/ Microsoft uvJ native API awGeJUywfoufjyD; tcsuftvufawG rQa0jcif;r&SdwJhtwGuf Application y&dk*&rfawG[m OS eJU qufoG,fzdkUtwGuf Win32 API awGudkyJ oHk;ae&OD;rSmjzpfygw,f/ Win32 API twGuf erlem DLL zdkifawG uawmh kernel32.dll? user32.dll? gdi32.dll wdkUjzpfjyD; native API twGuf erlem DLL zdkifuawmh ntdll.dll jzpfygw,f/ native API awG&JU xl;jcm;csufuawmh olwdkU&JU function trnfawGa&SUrSm Nt (Nt CreateFile) eJU Zw (ZwCreateFile) pavh&Sdjcif;yg/

Figure (1): How the Win32 APIs relate to the kernel

Kernel APIs: Also called the BASE API; these live in kernel32.dll. It contains all of the services without a GUI, such as file input/output, memory management, object management, and process and thread management. To carry out its various services, kernel32.dll calls ntdll.dll, the low-level native API. Kernel APIs are used for creating and working with kernel-level objects such as files and synchronization objects.

GDI APIs: The GDI APIs live in GDI32.dll and contain graphics-related services such as drawing a line or displaying a bitmap. GDI was originally implemented in the kernel module WIN32K.sys. GDI is centred on GDI objects, such as device contexts, brushes and pens, which are used when drawing graphics, because these objects are not managed by the kernel's object manager.

USER APIs: Contained in User32.dll, these are the higher-level GUI services such as window management, menus, dialog boxes and user-interface controls. USER draws all GUI objects using GDI calls. The USER APIs mainly handle user-interface objects such as windows and menus, which the kernel's object manager does not manage.

In this chapter we will study the API functions that have to be watched while cracking. Knowing the API functions in detail makes cracking easier. The API functions to watch are as follows -

When dealing with dialog boxes:
DialogBoxParamA, GetDlgItem, GetDlgItemInt, GetDlgItemText, GetWindowText, GetWindowWord

When dealing with message boxes:
MessageBeep, MessageBoxA, MessageBoxEx, SendMessage, SendDlgItemMessage

When dealing with the registry:
RegCreateKey, RegDeleteKey, RegQueryValue, RegQueryValueEx, RegCloseKey, RegOpenKey

When reading data from or writing data to a file:
ReadFile, WriteFile, CreateFile

When reading data from an INI file:
GetPrivateProfileString, GetPrivateProfileInt, WritePrivateProfileString

When reading data from other places:
LoadString, lstrcmp, MultiByteToWideChar, WideCharToMultiByte, wsprintf

When dealing with times and dates:
GetFileTime, GetLocalTime, GetSystemTime, GetSystemTimeAsFileTime, SetTimer, SystemTimeToFileTime

When looking for a NAG window:
CreateWindowEx, ShowWindow, UpdateWindow

When looking for the text of a MessageBox:
SendDlgItemMessage, SendMessage, SetDlgItemText, SetWindowText

When examining registration-related routines, the APIs to search for first are the following -

GetDlgItemText, GetWindowText, lstrcmp, GetPrivateProfileString, GetPrivateProfileInt, RegQueryValueEx, WritePrivateProfileString, WritePrivateProfileInt

(1) CreateProcess

CreateProcess creates a new process. The new process executes the specified executable file.

BOOL CreateProcess(
    LPCTSTR lpApplicationName,                  // pointer to name of executable module
    LPTSTR lpCommandLine,                       // pointer to command line string
    LPSECURITY_ATTRIBUTES lpProcessAttributes,  // pointer to process security attributes
    LPSECURITY_ATTRIBUTES lpThreadAttributes,   // pointer to thread security attributes
    BOOL bInheritHandles,                       // handle inheritance flag
    DWORD dwCreationFlags,                      // creation flags
    LPVOID lpEnvironment,                       // pointer to new environment block
    LPCTSTR lpCurrentDirectory,                 // pointer to current directory name
    LPSTARTUPINFO lpStartupInfo,                // pointer to STARTUPINFO
    LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
);

lpProcessInformation is the pointer (e.g. 0x12F7C8) to the place where the process-related information is kept. lpCommandLine is the pointer (e.g. 0x12F758) to the command line that will be executed.

0012F7C8 = lpProcessInformation = "jexepackboot ER \"C:\\Program Files\\VisualRoute\\ VisualRoute.exe\"
0012F758 = lpCommandLine = "java -mx256m jexepackboot ER \"C:\\Program Files\\ VisualRoute\\VisualRoute.exe\" \"C:\\DOCUME~1\\MYOMYI~1\\LOCALS~1\\Temp\\ X2C123E0\" "

In this API example, VisualRoute.exe executes the files under the X2C123E0 folder and checks whether it has been registered or not.

(2) GetWindowText

GetWindowText copies the text of a window's title bar into a buffer. If the window is a control, the text of the control is copied.

For example, the text you type into a Textbox is copied into the buffer.

int GetWindowText(
    HWND hWnd,      // handle of window or control with text
    LPTSTR Buffer,  // address of buffer for text
    int Count       // maximum number of characters to copy
);

hWnd identifies the window or control whose text is checked. Buffer points to the place where the text is stored. Count is the maximum number of characters that can be copied.

(3) GetDlgItemText

GetDlgItemText reads the text or title associated with a control in a dialog box.

UINT GetDlgItemText(
    HWND hDlg,      // handle of dialog box
    int ControlID,  // identifier of control
    LPTSTR Buffer,  // address of buffer for text
    int Count       // maximum size of string
);

Let's look at the sample dialog box in Figure (1).

Figure (1)

In the textbox of Figure (1), "Myo Myint Htike" was typed as the password. After typing the password, set a breakpoint on GetDlgItemText. Then press OK. Figure (2).

Figure (2)

Look at Figure (2). The maximum number of characters the Password textbox can read is only 17. Looking at this with the Resource Hacker software, you see the following.

DLG_REGIS DIALOG 20, 20, 142, 81
STYLE DS_MODALFRAME | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Enter Password"
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
FONT 10, "Book Antiqua"
{
   CONTROL "Textbox", 1000, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 45, 22, 66, 11
   CONTROL "OK", 1002, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 18, 55, 42, 15
   CONTROL "Cancel", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 80, 55, 42, 15
   CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 7, 23, 34, 10
}

Figure (3)

The ControlID value 3E8h (1000d) seen in Figure (2) refers to the Textbox control, as seen in Figure (3). So if you do not want to set a breakpoint on GetWindowText to find the Password dialog box, you can search for PUSH 3E8h instead.

Buffer is the virtual address in the dump window where the text you typed is placed.

GetDlgItemText sends a WM_GETTEXT message to the control. SetDlgItemText is the opposite of GetDlgItemText.

(4) GetDlgItem

GetDlgItem retrieves the handle of a control in a dialog box.

The GetDlgItem function retrieves the handle of a control in the specified dialog box.

HWND GetDlgItem(
    HWND hDlg,     // handle of dialog box
    int ControlID  // identifier of control
);


(5) lstrcmp

lstrcmp compares two strings. If the two strings are equal, the operation succeeds.

int lstrcmp(
    LPCTSTR lpString1,  // address of first string
    LPCTSTR lpString2   // address of second string
);

The comparison of the two strings is case-sensitive. Figure (4). If an API name ends in A, that API deals with ANSI characters; if it ends in W, it deals with UNICODE characters.

Figure (4)

(6) GetPrivateProfileString

GetPrivateProfileString reads a string from a section of an initialization (*.ini) file. Win32-based applications usually keep their initialization information in the registry.

DWORD GetPrivateProfileString(
    LPCTSTR lpAppName,        // points to section name
    LPCTSTR lpKeyName,        // points to key name
    LPCTSTR lpDefault,        // points to default string
    LPTSTR lpReturnedString,  // points to destination buffer
    DWORD nSize,              // size of destination buffer
    LPCTSTR lpFileName        // points to initialization filename
);

GetPrivateProfileString searches the initialization file for a key. That key is the lpKeyName under the section heading specified by lpAppName. If the key is found, the function copies the corresponding string into the buffer. If the key does not exist, the function copies the string given by lpDefault.

A section of an initialization file has the following form...

[section]
key = string
.
.

If lpAppName is empty, GetPrivateProfileString copies all the section names in the file into the buffer. If lpKeyName is empty, the function copies all the key names in the section into the buffer.

To retrieve a string from the WIN.INI file, use GetProfileString. In fact, instead of reading strings from the *.ini file, GetPrivateProfileString reads the information from the registry.

For example -

(1) Look in the registry for the name of the ini file (e.g. myfile.ini):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\myfile.ini

(2) Look for the section name specified by lpAppName. That name may be under the myfile.ini key, or under a subkey of myfile.ini, or it may not exist at all.

(3) If the section name specified by lpAppName is a value under myfile.ini, you must look for the keys of the section at the location in the registry that this value specifies.

(4) If the section name specified by lpAppName is a subkey of myfile.ini, look for the keys of the section under that subkey.

(5) If the section name specified by lpAppName does not exist, there will be an unnamed value under myfile.ini. That value specifies a default location in the registry where the key you are looking for lives.

(6) If there is no subkey for myfile.ini at all, or no entry for the section name at all, find the real myfile.ini file on disk and read the information from it.

The prefixes you see on values in the registry have the following meanings:

! - This character causes the data to be written to both the registry and the myfile.ini file on disk.

# - This character is specific to Windows 3.1 .ini files.

@ - This character prevents data from being read from the .ini file on disk when the data wanted is not found in the registry.

USR: - This stands for HKEY_CURRENT_USER.

SYS: - This stands for HKEY_LOCAL_MACHINE\SOFTWARE.
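As an added example that is not from the book, the following C code decodes an IniFileMapping value such as "!USR:App Name\Section1" into the prefix flags listed above and the registry location the lookup is redirected to (steps 3 and 6 above); IniMapping, parse_ini_mapping, ini_mapping_target and ini_mapping_allows_disk are names chosen for this example, and the sample values are constructed.

```c
/* Added example, not from the original book: decode an IniFileMapping
 * registry value ("!USR:App Name\Section1" and the like) into the prefix
 * flags explained above and the registry path the lookup is redirected to.
 * IniMapping, parse_ini_mapping, ini_mapping_target and
 * ini_mapping_allows_disk are names chosen for this example; the prefix
 * meanings and hive expansions are the ones the text lists. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int write_through;  /* '!'  also write the data to the .ini file on disk */
    int win31_ini;      /* '#'  tied to the Windows 3.1 .ini file            */
    int no_disk_read;   /* '@'  never fall back to the .ini file on disk     */
    const char *hive;   /* expanded USR: / SYS: root                         */
    char subkey[256];   /* path that follows the hive prefix                 */
} IniMapping;

/* Returns 1 when the value carries a USR: or SYS: prefix, 0 otherwise
 * (a value without a hive prefix is not a registry redirection). */
int parse_ini_mapping(const char *value, IniMapping *out)
{
    memset(out, 0, sizeof *out);

    /* The flag characters come first and may be combined, e.g. "!@USR:" */
    for (;; value++) {
        if (*value == '!')      out->write_through = 1;
        else if (*value == '#') out->win31_ini = 1;
        else if (*value == '@') out->no_disk_read = 1;
        else break;
    }

    if (strncmp(value, "USR:", 4) == 0) {
        out->hive = "HKEY_CURRENT_USER";
        value += 4;
    } else if (strncmp(value, "SYS:", 4) == 0) {
        out->hive = "HKEY_LOCAL_MACHINE\\SOFTWARE";
        value += 4;
    } else {
        return 0;
    }
    snprintf(out->subkey, sizeof out->subkey, "%s", value);
    return 1;
}

/* Full registry path where the section's keys are looked up (step 3). */
void ini_mapping_target(const IniMapping *m, char *buf, size_t n)
{
    snprintf(buf, n, "%s\\%s", m->hive, m->subkey);
}

/* Step 6 with the '@' rule applied: may the lookup fall back to the
 * .ini file on disk when the registry did not contain the key? */
int ini_mapping_allows_disk(const IniMapping *m)
{
    return !m->no_disk_read;
}

int main(void)
{
    /* Constructed sample values in the format the text describes. */
    const char *samples[] = {
        "USR:App Name\\Section1",   /* the book's own mapping value       */
        "!USR:App Name\\Section1",  /* same, with write-through to disk   */
        "@SYS:Vendor\\Tool",        /* machine-wide, registry only        */
        "C:\\Windows\\plain.ini"    /* no hive prefix: not a redirection  */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        IniMapping m;
        char target[512];
        if (!parse_ini_mapping(samples[i], &m)) {
            printf("%-26s -> no registry mapping\n", samples[i]);
            continue;
        }
        ini_mapping_target(&m, target, sizeof target);
        printf("%-26s -> %s  [write-through=%d disk-fallback=%d]\n",
               samples[i], target, m.write_through,
               ini_mapping_allows_disk(&m));
    }
    return 0;
}
```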

(7) GetPrivateProfileInt

GetPrivateProfileInt reads an integer from a section of an initialization (*.ini) file.

UINT GetPrivateProfileInt(
    LPCTSTR lpAppName,  // address of section name
    LPCTSTR lpKeyName,  // address of key name
    INT nDefault,       // return value if key name is not found
    LPCTSTR lpFileName  // address of initialization filename
);

(8) RegQueryValueEx

RegQueryValueEx reads the type and data of a registry value; it is used to check whether the program has been registered.

LONG RegQueryValueEx(
    HKEY hKey,           // handle of key to query
    LPTSTR lpValueName,  // address of name of value to query
    LPDWORD lpReserved,  // reserved
    LPDWORD lpType,      // address of buffer for value type
    LPBYTE lpData,       // address of data buffer
    LPDWORD lpcbData     // address of data buffer size
);

(9) WritePrivateProfileString

WritePrivateProfileString is the opposite of GetPrivateProfileString.

BOOL WritePrivateProfileString(
    LPCTSTR lpAppName,  // pointer to section name
    LPCTSTR lpKeyName,  // pointer to key name
    LPCTSTR lpString,   // pointer to string to add
    LPCTSTR lpFileName  // pointer to initialization filename
);

Building and running the sample program below in the compiler makes this clear.

#include "stdafx.h"   // Compiler - Visual C++ 8.0, Win32 Console Application
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

int main()
{
    TCHAR inBuf[80];
    HKEY  hKey1, hKey2;
    DWORD dwDisposition;
    LONG  lRetCode;
    TCHAR szData[] = TEXT("USR:App Name\\Section1");

    // Create the .ini file key (the IniFileMapping entry for appname.ini).
    lRetCode = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\appname.ini"),
        0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey1, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS) {
        printf("Error in creating appname.ini key (%d).\n", lRetCode);
        return 1;
    }

    // Set a section value: Section1 is redirected to HKCU\App Name\Section1.
    lRetCode = RegSetValueEx(hKey1, TEXT("Section1"), 0, REG_SZ,
                             (BYTE *)szData, sizeof(szData));
    if (lRetCode != ERROR_SUCCESS) {
        printf("Error in setting Section1 value\n");
        RegCloseKey(hKey1);   // only hKey1 is open at this point
        return 1;
    }

    // Create an App Name key
    lRetCode = RegCreateKeyEx(HKEY_CURRENT_USER, TEXT("App Name"), 0, NULL,
        REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey2, &dwDisposition);
    if (lRetCode != ERROR_SUCCESS) {
        printf("Error in creating App Name key (%d).\n", lRetCode);
        RegCloseKey(hKey1);   // hKey2 was never opened, so only hKey1 is closed
        return 1;
    }

    // Force the system to read the mapping into shared memory
    // so that future invocations of the application will see it
    // without the user having to reboot the system
    WritePrivateProfileStringW(NULL, NULL, NULL, L"appname.ini");

    // Write some added values
    WritePrivateProfileString(TEXT("Section1"), TEXT("FirstKey"),
                              TEXT("It all worked out OK."), TEXT("appname.ini"));
    WritePrivateProfileString(TEXT("Section1"), TEXT("SecondKey"),
                              TEXT("By golly, it works!"), TEXT("appname.ini"));
    WritePrivateProfileString(TEXT("Section1"), TEXT("ThirdKey"),
                              TEXT("Another test..."), TEXT("appname.ini"));

    // Test
    GetPrivateProfileString(TEXT("Section1"), TEXT("FirstKey"),
                            TEXT("Error: GPPS failed"), inBuf, 80, TEXT("appname.ini"));
    _tprintf(TEXT("Key: %s\n"), inBuf);

    // Close the keys
    lRetCode = RegCloseKey(hKey1);
    if (lRetCode != ERROR_SUCCESS) {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return 1;
    }
    lRetCode = RegCloseKey(hKey2);
    if (lRetCode != ERROR_SUCCESS) {
        printf("Error in RegCloseKey (%d).\n", lRetCode);
        return 1;
    }
    return 0;
}

The program works like this ...


(1) It creates a key named appname.ini under HKEY_LOCAL_MACHINE.

(2) Using RegSetValueEx(), it sets the value of Section1 to "USR:App Name\Section1".

(3) It creates a key named "App Name" under HKEY_CURRENT_USER.

(4) Using WritePrivateProfileString, it checks whether the appname.ini entry under HKEY_LOCAL_MACHINE exists.

(5) When appname.ini is found, it reads the Section1 key. Because Section1 points to App Name\Section1 under HKEY_CURRENT_USER, the registry automatically creates the App Name\Section1 subkey under HKCU. After creating it, FirstKey is created and "It all worked out OK." is written to it.

(6) In the same way, SecondKey is created under App Name\Section1 and "By golly, it works!" is written to it.

(7) Likewise, ThirdKey is created and "Another test..." is written to it.

(8) Next, using GetPrivateProfileString, it goes to the place Section1 under HKLM points to and looks for FirstKey. If FirstKey is not found, the buffer shows the default text "Error: GPPS failed" given in the GetPrivateProfileString call. If FirstKey is found, it shows the text "It all worked out OK." stored in FirstKey.

Note: If you change "USR:App Name\Section1" to "!USR:App Name\Section1", an appname.ini file is created under C:\Windows, and the text that is written under HKCU is written to appname.ini as well. Figure (5). This is commonly used when a program wants to write its registration settings where nobody will notice. ☺☺☺

Figure (5)

(10) CreateWindowEx

CreateWindowEx creates an overlapped, pop-up or child window with extended styles added; otherwise it is the same as CreateWindow.

HWND CreateWindowEx(
    DWORD ExtStyle,       // extended window style
    LPCTSTR ClassName,    // pointer to registered class name
    LPCTSTR WindowName,   // pointer to window name
    DWORD WindowStyle,    // window style
    int x,                // horizontal position of window
    int y,                // vertical position of window
    int Width,            // window width
    int Height,           // window height
    HWND hWndParent,      // handle to parent or owner window
    HMENU hMenu,          // handle to menu, or child-window identifier
    HINSTANCE hInstance,  // handle to application instance
    LPVOID lParam         // pointer to window-creation data
);

The ShowWindow and UpdateWindow APIs are used together with CreateWindowEx.

(11) CreateFile

CreateFile is used to open or create a file.


HANDLE CreateFile(
    LPCTSTR FileName,                 // pointer to name of the file
    DWORD DesiredAccess,              // access (read-write) mode
    DWORD Mode,                       // share mode
    LPSECURITY_ATTRIBUTES pSecurity,  // pointer to security attributes
    DWORD dwCreationDistribution,     // how to create
    DWORD Attributes,                 // file attributes
    HANDLE hTemplateFile              // handle to file with attributes to copy
);

What to pay attention to in CreateFile is the Mode parameter. Mode decides what is done when the file exists and when it does not. Figure (6).

Figure (6)

Mode can take one of the following 5 values ... -

CREATE_NEW - Creates a new file. If the file already exists, the function fails. When it fails, the value of EAX becomes FFFFFFFF (-1). If you want to change this value, just change Mode to PUSH 1.

CREATE_ALWAYS - Creates a new file. If the file already exists, it overwrites the existing file and creates a new one.

OPEN_EXISTING - Opens an existing file. If the file does not exist, the function does not succeed, and EAX becomes FFFFFFFF (-1).

OPEN_ALWAYS - Opens the file if it exists. If the file does not exist, a new file is created as with CREATE_NEW.

TRUNCATE_EXISTING - Opens the file and deletes everything in it. If the file does not exist, EAX becomes FFFFFFFF (-1).
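The five creation values above, as an added example that is not from the book: a model of CreateFile's creation semantics written with POSIX open(2), so that which values fail for a missing file and which fail for an existing one can be checked offline. The enum values match the Win32 constants; create_file_like, check_dispositions and the scratch path are this example's own.

```c
/* Added example, not from the original book: the five creation values
 * described above, modelled with POSIX open(2) so their behaviour for a
 * missing or an existing file can be checked outside Windows. The enum
 * values are the real Win32 constants; create_file_like and
 * check_dispositions are names chosen for this example. Like CreateFile
 * returning INVALID_HANDLE_VALUE (-1), the model returns -1 on failure. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum {
    CREATE_NEW        = 1,
    CREATE_ALWAYS     = 2,
    OPEN_EXISTING     = 3,
    OPEN_ALWAYS       = 4,
    TRUNCATE_EXISTING = 5
};

/* Returns an open descriptor, or -1 (with errno set) when the
 * disposition cannot be satisfied for the file's current state. */
int create_file_like(const char *path, int disposition)
{
    int flags = O_RDWR;
    switch (disposition) {
    case CREATE_NEW:        flags |= O_CREAT | O_EXCL;  break; /* exists  -> fail      */
    case CREATE_ALWAYS:     flags |= O_CREAT | O_TRUNC; break; /* exists  -> overwrite */
    case OPEN_EXISTING:                                 break; /* missing -> fail      */
    case OPEN_ALWAYS:       flags |= O_CREAT;           break; /* missing -> create    */
    case TRUNCATE_EXISTING: flags |= O_TRUNC;           break; /* missing -> fail      */
    default:                errno = EINVAL;             return -1;
    }
    return open(path, flags, 0600);
}

typedef struct { int disposition; int expect_success; } Step;

/* Runs each disposition against the same path, starting with no file,
 * and returns how many outcomes differ from the description above
 * (0 means the model behaves exactly as the text says). */
int check_dispositions(const char *path)
{
    static const Step steps[] = {
        { OPEN_EXISTING,     0 },  /* no file yet: fails, EAX would be -1 */
        { TRUNCATE_EXISTING, 0 },  /* no file yet: fails                   */
        { CREATE_NEW,        1 },  /* creates the file                     */
        { CREATE_NEW,        0 },  /* now it exists: fails                 */
        { OPEN_EXISTING,     1 },  /* opens it                             */
        { OPEN_ALWAYS,       1 },  /* opens the existing file              */
        { CREATE_ALWAYS,     1 },  /* overwrites it                        */
        { TRUNCATE_EXISTING, 1 },  /* opens it and discards the contents   */
    };
    int mismatches = 0;

    unlink(path);                       /* constructed starting state: no file */
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        int fd = create_file_like(path, steps[i].disposition);
        int ok = fd >= 0;
        if (ok)
            close(fd);
        if (ok != steps[i].expect_success)
            mismatches++;
    }
    unlink(path);                       /* clean up the scratch file */
    return mismatches;
}

int main(void)
{
    /* constructed scratch path for the demonstration */
    int bad = check_dispositions("/tmp/createfile_model.lic");
    printf("%d disposition(s) behaved differently from the description\n", bad);
    return bad != 0;
}
```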

(12) DialogBoxParamA

DialogBoxParamA is used to create a modal dialog box. Before the dialog box is displayed, the function initializes the procedure associated with the dialog box.

int DialogBoxParamA(
    HINSTANCE hInst,    // handle to application instance
    LPCTSTR pTemplate,  // identifies dialog box template
    HWND hOwner,        // handle to owner window
    DLGPROC DlgPro,     // pointer to dialog box procedure
    LPARAM lParam       // initialization value
);

Looking at the dialog box of a KeygenMe with Resource Hacker, you see the following.

1 DIALOGEX 0, 0, 225, 142
STYLE DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_STATICEDGE
CAPTION " :: Ziggy's KeyGenMe #0 ::"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 7, "MS SANS SERIF"
{
   CONTROL 10, -1, STATIC, SS_BITMAP | SS_REALSIZEIMAGE | SS_SUNKEN | WS_CHILD | WS_VISIBLE, 65535, 104, 200, 200
   CONTROL "Name", 1002, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 30, 186, 10 , 0x00020000
   CONTROL "Serial", 1003, EDIT, ES_CENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 35, 47, 186, 10 , 0x00020000
   CONTROL "Register", 1005, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 59, 62, 50, 12 , 0x00020000
   CONTROL "About", 1007, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 158, 62, 30, 12 , 0x00020000
   CONTROL "Close", 1004, BUTTON, BS_PUSHBUTTON | BS_CENTER | BS_VCENTER | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 191, 62, 30, 12 , 0x00020000
   CONTROL "Appname", 1001, STATIC, SS_CENTER | SS_SUNKEN | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 5, 186, 10 , 0x00020000
   CONTROL " ", 1009, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 35, 19, 186, 10
   CONTROL "Name", 4, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 30, 26, 10
   CONTROL "Serial", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 47, 26, 10
   CONTROL 3, 1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 6, 4, 35, 35
   CONTROL "Registered to : ", 5, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 80, 50, 10
   CONTROL " ", 1008, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 80, 150, 10
   CONTROL " ", 1010, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 54, 90, 180, 10
}

Looking at this in Olly, it appears as in Figure (7).

Figure (7)

In Figure (7), DlgProc is the most important parameter, because it is the virtual address (00401032) of the dialog's procedure. pTemplate is the name of the dialog. Normally, as soon as one API has executed, the next API executes. In Figure (7), however, once 00401041 has executed, execution does not arrive at 00401046 but at 0040104D.

(13) ShowWindow

ShowWindow displays the specified window.

BOOL ShowWindow(
    HWND hWnd,     // handle of window
    int nCmdShow   // show state of window
);

(14) MessageBox

MessageBox is something you will see very often when cracking. MessageBox creates and displays a message box. A message box contains predefined icons, buttons, text and a title.

int MessageBoxA(
    HWND hOwner,    // handle of owner window
    LPCTSTR Text,   // address of text in message box
    LPCTSTR Title,  // address of title of message box
    UINT Style      // style of message box
);

To understand how MessageBox works, look at Figure (8).

Figure (8)

Style means the buttons and icons to be shown in the message box. In the example of Figure (8), the message box has only an OK button and no icon at all. (MessageBox is discussed in detail in the chapter 'Basic Assembly Language'.)

What to pay attention to here is hOwner. If a dialog box exists at the time the message box is created, hOwner is used as the handle of that dialog box. If hOwner is 1, this message box cannot be displayed.


(15) SendMessage

SendMessage sends a message to a window or to several windows. The function calls the window procedure of the specified window and does not return until the window procedure has processed the message. PostMessage, by contrast, places the message in a thread's message queue and returns immediately.

LRESULT SendMessage(
    HWND hWnd,      // handle of destination window
    UINT Msg,       // message to send
    WPARAM wParam,  // first message parameter
    LPARAM lParam   // second message parameter
);

(16) SendDlgItemMessage

SendDlgItemMessage sends a message to a control in a dialog box.

LONG SendDlgItemMessage(
    HWND hDlg,       // handle of dialog box
    int nIDDlgItem,  // identifier of control
    UINT Msg,        // message to send
    WPARAM wParam,   // first message parameter
    LPARAM lParam    // second message parameter
);

(17) ReadFile

ReadFile reads the wanted data from a file. The file pointer indicates where reading starts.

BOOL ReadFile(
    HANDLE hFile,             // handle of file to read
    LPVOID Buffer,            // address of buffer that receives data
    DWORD BytesToRead,        // number of bytes to read
    LPDWORD pBytesRead,       // address of number of bytes read
    LPOVERLAPPED pOverlapped  // address of structure for data
);

Buffer is where the bytes read are placed. pBytesRead is the number of bytes actually read. BytesToRead is the maximum number of bytes to read. Figure (9).

Figure (9)

(18) WriteFile

WriteFile writes the data you want to keep into a file.

BOOL WriteFile(
    HANDLE hFile,             // handle to file to write to
    LPCVOID Buffer,           // pointer to data to write to file
    DWORD BytesToWrite,       // number of bytes to write
    LPDWORD pBytesWritten,    // pointer to number of bytes written
    LPOVERLAPPED pOverlapped  // pointer to structure needed for overlapped I/O
);

(19) GetSystemTime

GetSystemTime reads the current date and time of the OS. The time is expressed in UTC (Coordinated Universal Time).

VOID GetSystemTime(
    LPSYSTEMTIME lpSystemTime  // address of system time structure
);


(20) GetFileTime

GetFileTime reads the dates and times at which a file was created and last modified.

BOOL GetFileTime(
    HANDLE hFile,                 // identifies the file
    LPFILETIME lpCreationTime,    // address of creation time
    LPFILETIME lpLastAccessTime,  // address of last access time
    LPFILETIME lpLastWriteTime    // address of last write time
);

(21) SetTimer

SetTimer creates a timer with the specified time-out value.

UINT SetTimer(
    HWND hWnd,           // handle of window for timer messages
    UINT TimerID,        // timer identifier
    UINT Timeout,        // time-out value
    TIMERPROC Timerproc  // address of timer procedure
);

A SetTimer example seen in Olly looks like the following. Figure (9).

Figure (9)

hWnd here refers to the TPUtilWindow associated with the timer. This window is owned by the calling thread. If hWnd is NULL, the timer is not associated with any window and TimerID is ignored.

TimerID specifies a non-zero timer identifier value.

Timeout is the time-out value, given in milliseconds. Timerproc points to the function that is notified and run when the time-out occurs.

KillTimer is the API that destroys the timer identified by TimerID.

Chapter (12) - Cracking using a program's resources

In this chapter we will try cracking by using the program's resources. The reason for using this method is that it makes cracking faster. The program chosen to crack this time is Active Desktop Calendar Version 5.95. Active Desktop Calendar is software that shows a calendar on your desktop as in Figure (1) and keeps track of the tasks you have to do and the tasks already done.

Figure (1)

Download Active Desktop Calendar from www.xemico.com and install it.

Figure (2)

When ADC is opened, you see as in Figure (2) that it is not yet registered. Choosing About Active Desktop Calendar from the Help menu shows Figure (3).

Figure (3)

Good, let's choose Registration from the Help menu and try registering. Figure (4).

Figure (4)

Choosing the Register button in Figure (4) shows Figure (5).

Figure (5)

That is enough. Let's try patching the program. Before patching, we first look at the ADC program with the Resource Hacker software. Figure (6).

Figure (6)

As in Figure (6), the Resource Hacker program shows the resources a program uses. Recall that every program has an .rsrc section. Normally the Resource Hacker software lets you modify a program's resources however you like. Figure (7).

Figure (7)

What you have to remember is that Resource Hacker can only modify resources. It cannot make a program register successfully. So we have to use Resource Hacker together with Olly Debugger. Look back at Figures (3, 4, 5). They are dialogs. Let's look at these dialogs in detail in Resource Hacker. Click the Dialog entry in Figure (6). You will see Figure (8).

Figure (8)

Look carefully at the number 100 in Figure (8). It is the name of the dialog. Before the program calls the dialog function, it pushes the dialog name onto the stack.

Figure (9)

The number 207 in Figure (9) is the dialog that brings up the registration box of Figure (4).

Figure (10)

The number 208 in Figure (10) is the dialog that brings up the BadBoy MessageBox of Figure (5). Good. Let's open the ADC program in Olly. Figure (11).

Figure (11)

Once you see Figure (11), let's search in Olly for the dialog names we just looked at. Right-click in Olly and choose Search for > All commands. First let's look for the registration dialog (207d = 00CFh). Figure (12).

Figure (12)

Choosing the Find button in Figure (12) shows Figure (13).

Figure (13)

Set a breakpoint on every command seen in Figure (13). After setting the breakpoints, press F9 to run the program. Then choose Registration from the Help menu. You will see Figure (14).

Figure (14)

In Figure (14), the VA 0045EEC0 where we have stopped is the CALL for the registration dialog. VA 0045EEA0 is the start of the routine for the registration dialog. To find out from which virtual address this CALL is made, look in the stack window. Figure (15).

Figure (15)

According to Figure (15), after VA 0045EEA0 is executed, it returns to VA 00434E86. To check whether this is right, right-click and choose Follow in Disassembler. You will see Figure (16).

Figure (16)

In fact, the CALL to VA 0045EEA0 is made from VA 00434E81. I think this is enough to understand. Look back at Figure (14). As in Figure (14), the dialog name has just been pushed onto the stack. To see what happens next, press F9. You will see Figure (17).

Figure (17)

If you see Figure (17), it is still not registered. We still have to find the dialog (208d = D0h) seen in Figure (10). Type PUSH 0D0h as in Figure (12) and set a breakpoint on every command. This time only one command stands out. Figure (18).

Figure (18)

The JE at VA 0045F0D3 in Figure (18) decides whether registration succeeded or failed; if it failed, execution arrives at VA 0045F239. That is why the BadBoy DialogBox appears. If you change this code from JE to NOP, registration succeeds whatever code you type. Figure (19). Then save the modified code under a file name of your cho

ice.

Figure (19)

To be more certain, look in the registry editor (regedit.exe) as in Figure (20).

Figure (20)

Opening the saved file and choosing About Active Desktop Calendar from the Help menu still shows Figure (21).

Figure (21)

So we set a breakpoint at the virtual address of this dialog (100d = 0064h) as well and run (F9). While the program runs, it pauses at every breakpoint where a PUSH 64 occurs. If a breakpoint is unrelated, remove it (all except the PUSH 64 breakpoint that calls the About Dialog). Removing the unrelated breakpoints in this way, when the program's menu appears, choose About ADC from the Help menu. This time we have reached the About Dialog breakpoint we were looking for. Figure (22).

Figure 22

VA 00401C60 in Figure 22 is the start of the routine. If you want to know where it is called from, right-click in the stack window and choose Follow in Disassembler. You will see Figure 23.

Figure 23

As shown in Figure 23, VA 00401C60 is called from VA 00401D48. If you press F9, you will see Figure 21 again. To find out why the text "This is an unlicensed copy" appears, look at the About DialogBox (100d) again with Resource Hacker. Figure 24.

Figure 24

Looking at Figure 24, you will see that it also has a number that gets pushed onto the stack (1044d = 414h). Let's see what happens if we can get past this place. Search for PUSH 414h and set a breakpoint. Then restart the program in Olly and choose About ADC from the Help menu. Then press F9 until you reach the breakpoint at PUSH 414h. Eventually you will arrive at the breakpoint as in Figure 25.

Figure 25

Explanation:

413 = DeskLook Verson x.y

414 = This is an unlicensed copy.

415 = User

416 = Registration Code

417 = This is an unlicensed copy.

3FD = Buy &Online Now!

Figure 26

Press F8 from VA 00401DE2 in Figure 25 up to VA 00401EAC in Figure 26. Change the JE at VA 00401EAC to NOP. Then save the file under a name of your choice. Open the saved file and choose About ADC from the Help menu. You will see Figure 27.

Figure 27

The next step is to make the "unregistered" text that appears on the splash screen disappear. Change the JNZ at VA 004013E4 to JMP and save the file. Figure 28.

Figure 28

I think you understand that the CALL at VA 004013DD in Figure 28 is the routine that checks whether the program is registered. Good. Reopen the program. You will see Figure 29.

Figure 29

To conclude: to get Active Desktop Calendar successfully registered, we modified code in three places.

(1) JNZ at VA 004013E4 changed to JMP (splash screen)

(2) JE at VA 00401EAC changed to NOP (About dialog)

(3) JE at VA 0045F0D3 changed to NOP (registration dialog)

In making these changes we used the Resource Hacker program and patched easily. (Note that if you are going to crack programs written in Delphi, it is best not to crack them using Resource Hacker. How to crack Delphi programs will be discussed in detail in "Chapter 16 - Cracking programs written in Delphi".)

Chapter 13 - Packers (Protectors)

This chapter discusses the packers (protectors) most commonly encountered in the cracking world. In short, packing is the process of compressing an exe file and inserting a decompression stub that decompresses it again so it can execute, and then starts execution. Compressing refers to any method of compressing a file; inside a single exe file the compressed code is combined with the decompression code it needs. At execution time the original exe code is unpacked again. The effect is that it works the same as the original, uncompressed exe. The characteristics of a compressed file are:

(1) it takes up less space in the file system;

(2) it takes less time to move data from the file system into memory;

(3) before execution starts, it takes more time than an uncompressed file, because the data has to be decompressed.

A compressed exe file is like an exe file made into an archive (the kind of archive produced by software such as WinRAR). The difference is that the compressed data itself is an exe file.

There are various exe compressors for DOS, Windows and other OSes, released as command-line tools or as GUI versions.

Packing files has advantages and disadvantages. The advantages are:

(1) when you put your file on the internet, it downloads faster for the downloader;

(2) it protects your software from being cracked by novice crackers (crackers first have to unpack before they can crack).

The main disadvantage concerns anti-virus software. Many anti-virus products see some packed files as a virus or trojan (especially McAfee anti-virus).

A protector, strictly speaking, is just a simple packer. Compared with simple packers, protectors analyse and transform the code more thoroughly. One important drawback of protectors is the size of the protected file. While packers make packed files smaller, protectors add a great deal of code to defend against crackers. That is why some protected files (small files) turn out 600% larger than the original. Ordinary packers can reduce the original file size by at least about 30%.

Another important point is that some programmers use protected files to hide their malicious code (viruses, worms). Only when protected like this can anti-virus software fail to detect it immediately. That is why you need to know protectors thoroughly and study how to unpack them.

Another thing to remember about protectors and packers: the entry point (EP) is the first virtual address you see when you open a packed/protected program in Olly, and the OEP (original entry point) is the original entry point found after the decompression stub has run. (It means the entry point of the file as it was before packing/protecting.)

Protectors/packers unpack the program in memory. At that point they jump to the OEP to hand control to the program, and to obtain the original program we have to dump it. The three main ways to reach the point where we can dump are:

(1) tracing the code (by pressing F8);

(2) using the ESP register;

(3) using the exceptions raised by the compressor.

In this chapter we will unpack a sample program, packed with a simple packer, using two methods. The first method is to unpack the packed exe and then patch it; the second is inline patching. The tool we use here is UPX 2.03 (Ultimate Packer for eXecutables), available free at http://upx.sourceforge.net.

UPX is famous for shrinking exe files and does not use any advanced protection techniques. The UPX I mean is the UPX written by Markus and Laszlo. We will first pack with UPX and then unpack. (Incidentally, most Myanmar software is not protected (packed) with any packer at all, and most of the software that is packed is packed with UPX.) You may wonder why we spend time trying to unpack by hand when many tools that unpack UPX-packed files are freely available on the internet. Don't trust any of the unpacker tools advertised on the internet. These unpackers may indeed unpack UPX-packed files, but they also tend to insert extra, unrelated code into the exe files that steals security-related information.

(1) Packing with UPX

The small program we will pack here is the calculator (calc.exe) that ships with Windows. You can easily find it under the Windows System32 folder. Before packing, we use PEiD to see which programming language calc.exe was written in. Figure 1.

Figure 1

Type cmd in Run... on the Start menu and open the Command Prompt. The reason we use the command prompt is that UPX is a command-line utility.

Figure 2

As seen in Figure 2, type upx calc.exe at the command prompt and press Enter, and our little program has been packed with UPX. Now let's check the packed calc.exe file again with PEiD. Figure 3.

Figure 3

According to Figure 3, calc.exe is packed with UPX 0.89-2.9. It cannot tell the exact version. If you want to know exactly, use ProtectionID 6.x.

Figure 4: examining the packed file

Looking at Figure 4, only the .rsrc section keeps its original name; all the other sections are renamed. Viewing calc.exe before packing in PEiD's section viewer gives Figure 5. After packing, instead of the .text, .data and .rsrc sections there are UPX0, UPX1 and .rsrc sections. Why, when all the other section names change, does the .rsrc section keep its name? This is an interesting point. The real story is this. Back in the Windows 95 era there was a bug in the LoadTypeLibEx function of oleaut32.dll: it searched for the string rsrc to locate the resource section. So if this section were renamed, an error would occur. Although the bug has since been fixed, most packers still do not rename the .rsrc section, for fear of problems with Windows.

Figure 5

If you open the packed file in LordPE and compare it with the unpacked file, you will see the changes inside the PE header as in Figure 6. (Press the Compare button in LordPE.)

Figure 6

(2) Unpacking a UPX-packed file

Now let's unpack the packed file. When you open the packed file in Olly, Olly will ask whether it is a compressed file, as in Figure 7.

Figure 7

If you answer Yes in Figure 7, you will arrive at the entry point as in Figure 8.

Figure 8

UPX compressed our application and extended it with a stub containing the decompression algorithm and its code. The application's entry point was changed to the start of the stub, and once the stub has done its work, execution jumps to the original entry point (OEP) to start the now-unpacked program (UPX unpacks itself). Remember that the stub decompresses our application in memory, and to obtain an unpacked copy of the packed application we dump that memory region to a file. Even so, the application will not run straight away. That is because in the dumped file the sections are aligned to memory page boundaries rather than to the file alignment value. The entry point still points to the decompression stub, and the import directory is wrong, so both need fixing.

Note that in Olly our entry point is at the first instruction, PUSHAD. PUSHAD means "PUSH all Double" and instructs the CPU to save the contents of all the 32-bit (DWORD) registers, from EAX through EDI, onto the stack. If you look carefully, you will see that before going to the OEP the stub executes the code between the PUSHAD instruction and the POPAD instruction. POPAD copies everything from the stack back into the registers. In other words, the stub restores everything and leaves without a trace before the application runs.

For now, while we are at the first instruction, PUSHAD, everything on the stack should be left untouched until the final POPAD instruction accesses it. If, while at PUSHAD, we place a hardware breakpoint on the first 4 bytes of the stack, Olly will stop when POPAD accesses those same 4 bytes. Then we will find the virtual address of the jmp instruction that leads to our entry point.

So go to the PUSHAD instruction in Figure 8 and press F7. Then we will set the breakpoint. ESP (the stack pointer) always holds the address of the top of the stack. Right-click on ESP and choose Follow in Dump.

Figure 9

Then select the first DWORD (4 bytes) of the stack. Right-click and choose Breakpoint > Hardware, on access > Dword. Figure 10.

Figure 10

Once it is set, press F9. You will go straight to the breakpoint. Figure 11.

Figure 11

Looking at Figure 11, you will see that the code from PUSHAD to POPAD has been executed. The JMP at VA 01020E5B in Figure 11 is the place that leads to the entry point we are looking for. Set a breakpoint at VA 01020E5B and press F9 to reach JMP xxx.xxxxxxxx. You will arrive at the entry point as in Figure 12. Subtracting the ImageBase value 1000000h from the OEP gives the RVA value 20E5Bh. Remember this value; it will be useful later.

Figure 12

A little secret about UPX: go to the very bottom of Olly's CPU window. You will see DB entries filled with 00s, as in Figure 13.

Figure 13

Then scroll up until you reach the JMP instruction as in Figure 14. If you set a breakpoint at this virtual address and press F9, you will arrive at the JMP instruction. After that, pressing F8/F7 takes you to the EP we are looking for.

Figure 14

INFO: Other packers that use the same simple PUSHAD/POPAD mechanism can also jump to the OEP by using a PUSH instruction to place the OEP value on top of the stack, followed by a RET instruction. The CPU thinks this is a return from a function call, and the return address is left on top of the stack.

Once we have found the OEP, we dump using OllyDump, an Olly plug-in. Choose OllyDump from Olly's Plugins menu and click Dump debugged process. You will see Figure 15.

Figure 15

To show some interesting things, untick Fix Raw Size … and Rebuild Import in Figure 15. Then click the Dump button and save the file as packed_dumped.exe. Figure 16.

Figure 16

If you reopen the file we dumped and saved in Figure 16, you will see an error as in Figure 17.

Figure 17

The reason for the error is that our dumped file has lost its icon. This is because the file size has grown. Open the application in LordPE and look at the sections. Figure 18.

Figure 18

The RawOffset and RawSize values are wrong. So, to make the application work, the Raw values of each section must be made to match the Virtual values. Put the VirtualAddress value in RawOffset and the VirtualSize value in RawSize. Fix all three sections this way and save the file. (Note: if you tick OllyDump's "Fix Raw size & Offset of Dump Image" checkbox, you won't need to fix these by hand.) Now you will see Figure 19.

Figure 19

Unfortunately, when you open packed_dumped.exe, the file doesn't run and you see Figure 20.

Figure 20

Don't worry. This is because the imports need to be reconstructed (rebuilt). As explained in the "PE header" chapter, you can build the imports by hand using a process. However, doing it manually takes a lot of time, since there are many imported functions and it depends on how the import data was damaged. To solve this automatically we will use MackT's ImpRec 1.6.

To use ImpRec 1.6, the packed file must be attached as a process so the imports can be found. Proceed as follows.

1. Select the packed program as in Figure 21 (make sure packed.exe is open in Olly).

2. Type the virtual address 12475 in the OEP field.

Figure 21

3. Then choose IAT AutoSearch. You will see Figure 22. Click OK.

Figure 22

4. Click the Get Imports button in Figure 21. You will see Figure 23.

Figure 23

5. Click the Show Invalid button and check whether the imports are valid. They are all valid.

6. Click the Fix Dump button and open the packed_dumped.exe file we saved last. You will see Figure 24. If there is a problem, an error will say the section cannot be added.

Figure 24

7. Close the program and open the last-saved packed_dumped_.exe. You will see it works fine.

ImpRec fixed and saved the exe file we dumped. If you open this file in PEiD, you will see that the unpacked file (packed_dumped_.exe) is larger than the original file before packing (calc.exe), and that two extra sections called "makct" and "newIID" have appeared. The "makct" section holds the new import data that ImpRec created.

Figure 25

If you check packed_dumped_.exe again with PEiD, you will see Figure 26.

Figure 26

What I have explained so far is unpacking something packed with a simple packer. Advanced packers add all kinds of protection to the file at pack time, for example anti-debugging and anti-tampering tricks, encryption of the code and the IAT, stolen bytes, API redirection and so on. These will be discussed in later chapters.

(3) Patching with the inline-patch method

If you absolutely must patch a packed file, you can use the inline-patch method to patch it without unpacking. This means that, after the loader has run the decompression stub, we go in and modify the code in memory, and finally continue to the OEP so the application can run. Put another way, the application, while being unpacked in memory, is diverted to the patched code and finally jumps back to the OEP.

To make this clear, we will insert code for a MessageBox into the packed calc.exe file. Then we will find out at what point the application has finished unpacking in memory. Pressing OK on the MessageBox will lead to the OEP and the application will run normally.

The first thing to do is open calc.exe in a hex editor to find free space for the code we will insert into the packed file. Figure 27. The free space at the end of a section is the best place to insert code, and if more free space is needed we can enlarge the section using the method from the "Adding code to a PE file" chapter. Finding free space in UPX-packed files is quite hard; that is why UPX-packed files are so small.

Figure 27

Edit in WinHex as in Figure 27 and save the file as packed(inline).exe. Then open packed(inline).exe in Olly. To find the Unpacked… text we typed, right-click in Olly's Hex window and choose Search for > Binary string.

Figure 28

Then search for the Unpacked… text as in Figure 29.

Figure 29

You will then find the text we are looking for, as in Figure 30.

Figure 30

The virtual address of the Unpacked… text is 010233C0 and the virtual address of the Myanmar Crackers … text is 010233D0. Remember these virtual addresses. Then press the go-to button in Olly and go straight to VA 010233C0. Figure 31.

Figure 31

The highlighted code in Figure 31 is the text we typed in. Starting at VA 010233E0, we will type in the rest of the code for MessageBoxA.

Figure 32 shows how it looks after the MessageBoxA code has been entered.

Figure 32

Then click Olly's Analyze This! plugin and analyse the code. You will see it change as in Figure 33.

Figure 33

If, after analysing Figure 32 with Analyze This!, you don't see what is highlighted in Figure 33, the program you patched will show an error.

Figure 34

Good, let's save the code we modified to a file. Highlight the modified code as in Figure 34. Then right-click and choose Copy to executable file. You will see Figure 35.

Figure 35

In Figure 35, right-click and choose Save file. Save the file under a name of your choice. Then close Olly and open the file we saved. Nothing is different from before. That is because we haven't yet redirected anything to MessageBoxA. Open the last-saved file in Olly again. Press the go-to button and go straight to VA 01020E5B. Figure 36.

Figure 36

At JMP 01012475 in Figure 36, type in 010233E0, the virtual address of our MessageBoxA code. Figure 37.

Figure 37

Then save the file under any name you like. Close Olly and run the file. You will see Figure 37. Pressing OK takes you to the calculator program.

Figure 38

What I have just explained is modifying code inside a packed file without unpacking it (inline patching). You may be thinking: why is it so hard just to add this little MessageBox? True. In unpacked files this is very easy: just change the entry point address to where the MessageBox is. And they have plenty of free space. I mean, never mind a MessageBox, there is so much free space that you could even write code that checks passwords from a textbox. Try changing the file's entry point from VA 01020CD0 to VA 010233E0 so that it goes straight to the MessageBox inserted by inline patching. The MessageBox of Figure 38 may appear, but the calculator program won't run. Why? Because UPX's decompression stub has been skipped.

That is all for the UPX lesson. I think you now understand a little of the theory of unpacking. I would like to stop here on unpacking, but to help you understand advanced packers better I will add a discussion of ActiveMARK.

(4) Unpacking a file packed with ActiveMark 5.0

Trymedia is a part of RealNetworks, and ActiveMark is Trymedia's pack/protect technology. Trygames is a part of Trymedia and handles the downloading, trials and sales of Trymedia's games.

The games sold by PopCap Games (www.popcap.com) and many of the games sold by Infogrames (www.infogrames.com) are protected with ActiveMARK. Games protected with ActiveMARK have no registration. That is because these games are demos that can be played as the full version within their set time limit. Once the time is up, they can no longer be played. The allowed play time is usually only 60 minutes. For this lesson I first thought of unpacking Monopoly 3, because I couldn't find a crack file for Monopoly 3 on the internet, and the shared crack files don't work. But its file size is 258 Mbytes, so you might have trouble downloading it from the internet. So I chose to unpack Zuma Deluxe, sold by PopCap Games. Download Zuma from www.popcap.com and install it.

Then check zuma.exe with PEiD. Figure 39.

Figure 39

According to Figure 39, zuma.exe is definitely protected with ActiveMARK 5.x. To understand the program's behaviour, open Zuma. Figure 40.

Figure 40

Good, let's try to unpack Zuma.

(4) Dumping a file packed with ActiveMark 5.0

First, launch zuma.exe. Open Olly. Choose Attach from the Open menu.

Figure 41

Then attach zuma.exe as shown in Figure 42.

Figure 42

After attaching, it will stop at VA 7C901231 as seen in Figure 43. It actually stops because of the DbgBreakPoint API function in ntdll.dll. Since DbgBreakPoint is not a Win32 API, the help file will not explain anything about it.

Figure 43

Press Alt+M in Olly and look at the memory map. Figure 44.

Figure 44

The highlighted place in Figure 44 is where the second layer entry point is. Right-click there and choose View in disassembler, or press Enter. You will see Figure 45.

Figure 45

At the highlighted place in Figure 45 (VA 005AE000), right-click and choose Search for > All intermodular calls. You will see Figure 46.

Figure 46

When you see Figure 46, type getversion. We want to find the GetVersion function. When you find the GetVersion API, right-click and choose Follow in disassembler. You will see Figure 47.

Figure 47

Right-click on PUSH EBP in Figure 47 and choose Breakpoint > Hardware, on execution. Then press the close button in Olly and close zuma.exe for now.

Choose Debugging options from Olly's Options menu. You will see Figure 48.

Figure 48

As seen in Figure 48, tick Break on new module (DLL). Then click OK.

This time we won't attach to zuma.exe; we open it directly from Olly. Figure 49.

Figure 49

Figure 49 is zuma.exe's entry point. After this, press F9 until you reach the hardware breakpoint we set. You will see which modules are being loaded, as in Figure 50.

Figure 50

Pressing F9 repeatedly, we eventually arrive at the breakpoint we set, as in Figure 51. One thing to say in advance: don't analyse the code. If you do, you will only see DB 00 at the PUSH EBP at VA 00696E58.

Figure 51

VA 00696E58 in Figure 51 is the OEP we are looking for. Now let's try to dump the process we are debugging. Choose OllyDump, an Olly plug-in. Figure 52.

Figure 52

Click the Dump button in Figure 52 and save the file as dumped.exe. Just as when we dumped the UPX file, dumped.exe will not run if you open it. So open ImpREC and fix the imports. The reason for using ImpREC (Import Reconstruction) is to find, fix and re-add the missing functions in the dumped file. Without fixing these, your dump file will not become a valid PE file.

Figure 53

The steps to carry out according to Figure 53 are:

1. Attach zuma.exe, which is open in Olly, as the active process.

2. Subtract the imagebase seen in ImpREC (VA 00400000) from the OEP value found when opening in Olly (VA 00696E58), and type the resulting value (296E58) in the OEP field.

3. After typing the OEP value, choose IAT AutoSearch. You will see Figure 54.

Figure 54

4. Click OK on Figure 54 and click the Get Imports button.

5. Click the Show Invalid button to see whether the import functions are valid. Here they are all valid.

6. So, to compare our dumped.exe with zuma.exe and match up the imports, click the Fix Dump button. You will see it save the file as dumped_.exe without any error, as in Figure 55.

Figure 55

Now that fixing our dump file is done, close ImpREC and open dumped_.exe. It shows no error, but dumped_.exe doesn't run either. When unpacking UPX, the unpacking was finished at this stage. With ActiveMARK it is only just beginning. So open WinHex and let's edit the code.

In WinHex, open the dumped and fixed dumped_.exe file and the original packed zuma.exe file. What should we look for in the original file's code to find the first byte of the overlay data that comes with the exe? The easiest way is to search for the ASCII string TMSAMVOH. Before searching, to make this clearer, let's open zuma.exe in LordPE and look at the sections. Figure 56.

Figure 56

Look at the highlighted numbers in Figure 56. These are the numbers from the last section of our executable file. They are known as Raw offset and Raw size. The Windows loader copies the exe file into memory only up to 0012BC00h, the sum of RawOffset (0012BA00) and RawSize (00000200). We must copy the whole data block appended from this address onward in zuma.exe and paste it at the end of dumped_.exe. Only then will dumped_.exe run normally.
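The four header-level facts this chapter relies on (the UPX0/UPX1/.rsrc section names left behind by the packer, RawOffset/RawSize being set to VirtualAddress/VirtualSize when a memory dump is repaired, the OEP RVA that ImpRec wants, and the overlay that starts at the end of the last section's raw data) can all be read or computed from the section table. The script below is an added example written for this chapter, not code from the guide or from UPX, LordPE, OllyDump or ImpRec; it builds a tiny constructed PE32 image in memory (the section layout, the ImageBase and the TMSAMVOH-marked overlay bytes are made up to mirror the chapter, not taken from calc.exe or zuma.exe) and then applies each of those four checks to it.

```python
import struct

# Structure layouts from the PE/COFF specification (IMAGE_FILE_HEADER, IMAGE_SECTION_HEADER).
COFF_HDR = struct.Struct("<HHIIIHH")          # 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40 bytes
FILE_ALIGN = 0x200


def build_sample_pe() -> bytes:
    """Constructed sample: a UPX-style PE32 with an overlay appended (not a real binary)."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x3000, 0x1000, 0x000, 0x200),   # empty on disk, filled by the stub in memory
        (b"UPX1", 0x1000, 0x4000, 0x200, 0x200),   # compressed code + decompression stub
        (b".rsrc", 0x1000, 0x5000, 0x200, 0x400),  # kept under its original name by the packer
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> "PE\0\0"
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = bytearray(96)                                          # minimal PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x4000)                      # AddressOfEntryPoint (the stub)
    struct.pack_into("<I", opt, 28, 0x01000000)                  # ImageBase (made-up value)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)         # Section/File alignment
    table = b"".join(SECTION_HDR.pack(n.ljust(8, b"\0"), vs, va, rs, ro, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, ro in sections)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(FILE_ALIGN, b"\0")
    body = b"\xCC" * 0x200 + b"\x00" * 0x200                     # raw data of UPX1 and .rsrc
    overlay = b"TMSAMVOH" + b"constructed overlay payload"       # marker string from the chapter
    return header + body + overlay


def parse_pe(data: bytes) -> dict:
    """Read ImageBase, entry point and the section table (the fields LordPE/PEiD display)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, pe_off + 4)
    opt_off = pe_off + 4 + COFF_HDR.size
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HDR.size
        name, vs, va, rs, ro, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vs, "vaddr": va, "rawsize": rs, "rawoff": ro, "hdr_off": off})
    return {"image_base": image_base, "entry": entry, "sections": sections}


def looks_upx_packed(pe: dict) -> bool:
    """Triage heuristic from the chapter: UPX0/UPX1 present and .rsrc left untouched."""
    names = [s["name"] for s in pe["sections"]]
    return sum(n.startswith("UPX") for n in names) >= 2 and ".rsrc" in names


def oep_rva(oep_va: int, image_base: int) -> int:
    """The value typed into ImpRec's OEP box: virtual address minus ImageBase."""
    return oep_va - image_base


def fix_dump_sections(dump: bytes) -> bytes:
    """The LordPE fix applied to a memory dump: RawOffset := VirtualAddress, RawSize := VirtualSize."""
    out = bytearray(dump)
    for s in parse_pe(dump)["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["vaddr"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


def overlay_offset(pe: dict) -> int:
    """First byte the loader never maps: max(PointerToRawData + SizeOfRawData) over all sections."""
    return max(s["rawoff"] + s["rawsize"] for s in pe["sections"])


def extract_overlay(data: bytes) -> bytes:
    """Everything after the last section's raw data; what the chapter copies in WinHex."""
    return data[overlay_offset(parse_pe(data)):]


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    for s in pe["sections"]:
        print(f"{s['name']:<6} VA={s['vaddr']:08X} VS={s['vsize']:08X} RO={s['rawoff']:08X} RS={s['rawsize']:08X}")
    print("UPX-style section layout:", looks_upx_packed(pe))
    print(f"OEP RVA for ImpRec: {oep_rva(0x01012475, pe['image_base']):X}")
    print(f"overlay at {overlay_offset(pe):08X}, starts with {extract_overlay(sample)[:8]!r}")
    for s in parse_pe(fix_dump_sections(sample))["sections"]:
        print(f"fixed {s['name']:<6} RO={s['rawoff']:08X} RS={s['rawsize']:08X}")
```

On a real file, `overlay_offset` is the same arithmetic the chapter does by hand (0012BA00 + 00000200 = 0012BC00); a non-empty `extract_overlay` result on a dump that should have none is also a quick sign that a protector keeps data outside the mapped sections, which is worth flagging in triage before any dump is trusted.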

Choose Go To Offset from WinHex's Position menu and type the offset we want to go to, 0012BC00. Figure 57.

Figure 57

After typing 0012BC00 and clicking OK, you will see Figure 58.

Figure 58

Right-click on the first byte seen in Figure 58 and choose Beginning of block. Figure 59.

Figure 59

Then scroll to the very end of the file. Then, as seen in Figure 60, right-click on the last byte and choose End of block.

Figure 60

Now all the hex values are selected, as in Figure 61.

Figure 61

a&G;cs,fxm;wJh Hex wefzdk;awGudk ul;zdkUvkyfMuygr,f/ Right-click ESdyfjyD; Edit udk a&G;cs,fyg/ jyD;&if yHk(62)rSm jrif&wJhtwdkif; UCUopy Block u UHUex Values udk a&G;cs,fyg/

Figure 62

Now we paste the copied hex values. Select the dumped_.exe tab in WinHex and go to the end of the file. Right-click at the position of the last byte, choose Edit, then Clipboard Data > Paste as shown in Figure 63. The data must be appended after the last byte, not written over it.

Figure 63

WinHex then asks whether to paste, as in Figure 64.

Figure 64

When you choose Yes, the hex values from zuma.exe land inside dumped_.exe. Save dumped_.exe and exit WinHex.

Now when you run dumped_.exe you see Figure 40 (not repeated here for lack of space). With that, our dumping procedure is complete. ☻☻ The time limit, however, has not been removed yet, so we still have to try patching.

(5) Patching the dumped file

To patch the dumped file, open dumped_.exe in Olly. Figure 65.

Figure 65

At Figure 65, right-click and choose Search for > All referenced text strings. Then, as in Figure 66, search for the text "browser".


Figure 66

Press OK in Figure 66 and you get Figure 67.

Figure 67

Right-click the highlighted line in Figure 67 and choose Follow in disassembler; you see Figure 68. That is the beginning and end of the routine that references the word "browser".

Figure 68

At VA 005F41A8 in Figure 68, right-click, choose Copy > To clipboard and paste into a notepad file. Change "005F41A8 MOV EAX,dumped_.006A691C" to "005F41A8 browser retn 4", i.e. note that the first instruction of this routine is to be replaced with RETN 4. Then, from Figure 66, search for the strings "dialog", "timer" and "timeout" and, as with "browser", write down the virtual address at which each routine starts. (Note: the red marks in Figure 68 are not breakpoints; they are only there to make the lines stand out.) The LoadStatePool string is the odd one out. Searching for the string is no different, but here we set a breakpoint on the line that references it and restart the program. When dumped_.exe is reopened in Olly and execution stops at our breakpoint, you see Figure 69.

Figure 69

This time go to the stack window as in Figure 70, right-click the highlighted entry (the return address of the caller) and choose Follow in disassembler. You see Figure 71.

Figure 70

Note the virtual address of the highlighted location in Figure 71.

Figure 71


We now have every virtual address related to browser, dialog, timer, timeout and LoadStatePool. What to change at each of these addresses is shown in Figure 72.

Figure 72

At the virtual addresses in Figure 72, write retn 4, retn 0c and retn respectively. The operand of each RETN must match the number of argument bytes the original routine removed from the stack (its stdcall cleanup); a wrong operand leaves the caller's stack misaligned and the program crashes later at an unrelated place. Then save the patched file under any name you like. Our Zuma Deluxe 1.0 can now be played as long as we like.

(6) Unpacking a file packed with an unknown packer

This time we will unpack calc(Fish).exe, a file packed with Fish Packer 1.04. First let's check with PEiD what our file was packed with. Figure 73.

Figure 73

As Figure 73 shows, PEiD cannot give an answer, and CFF Explorer does no better. I only know it is a Fish Packer file because I packed it with Fish Packer 1.04 myself. OK, let's unpack it: open calc(Fish).exe in Olly. (Protection ID would report that it is packed with Fish Packer 1.04, and Protection ID's results are rarely wrong; its weakness is that it can only examine files that are actually protected/packed.)

Figure 74

Olly complains that this is not a PE file, as in Figure 74.

Figure 75

Pressing OK in Figure 74 gives Figure 75.


Instead of stopping at the entry point as it normally would, Olly has stopped inside the ntdll.dll module. Don't be discouraged; there is a way around this. Press Alt+M to open the Memory Map. Figure 76.

Figure 76

Double-click the highlighted PE header entry in Figure 76 and go to the PE signature. Figure 77.

Figure 77

What interests us in Figure 77 is the entry point address (10257D7). With that address in hand, press Ctrl+G in Olly's disassembler window and go to the entry point (10257D7). Figure 78.

Figure 78

Set a breakpoint at VA 10257D7 in Figure 78 and press F9 (Run). Execution goes straight to the breakpoint. Figure 79.

Figure 79

That is the ordinary, routine way to begin unpacking. I don't like this method, so I'll use the Olly Advanced plugin instead. Figure 80.

Figure 80

As in Figure 80, choose Plugins menu > Olly Advanced > Kill NumOfRva Bug and reopen the program in Olly. (The packer sets a non-standard NumberOfRvaAndSizes in the optional header, which OllyDbg 1.10 chokes on; this option works around it.) The steps of Figures 74 to 78 are no longer needed and you land directly at Figure 79. ☻☻☻


At Figure 79, press Alt+M (memory map). You will notice it differs from Figure 76. Figure 81.

Figure 81

In Figure 81 calc(Fish).exe has two sections, which we could not see in Figure 76. .MCTeam is the section holding the compressed code, imports and resources; the other section is where Fish Packer will place the decompressed code, in short the code section we will have to dump. (Note: in files packed with UPX, UPX0 is the code section into which the code is unpacked and UPX1 is the SFX section holding the compressed code and the unpacking stub.)

Right-click that section in Figure 81 and choose Set break-on-access (F2), then press F9. You see Figure 82.

Figure 82

Figure 82 shows Fish Packer laying out the code in that section and beginning to read it back. Press F8 until you see Figure 83.

0100018B  74 1A           JE SHORT calc(Fish).010001A7       ; E8/E9 CALL/JMP fix-up loop, run after decompression
0100018D  8A07            MOV AL,BYTE PTR DS:[EDI]
0100018F  47              INC EDI
01000190  2C E8           SUB AL,0E8
01000192  3C 01           CMP AL,1
01000194  77 F7           JA SHORT calc(Fish).0100018D       ; only E8 (CALL) and E9 (JMP) pass
01000196  8B07            MOV EAX,DWORD PTR DS:[EDI]
01000198  38D0            CMP AL,DL                          ; first byte must match the marker in DL
0100019A  75 F1           JNZ SHORT calc(Fish).0100018D
0100019C  32C0            XOR AL,AL
0100019E  0FC8            BSWAP EAX                          ; stored big-endian absolute target
010001A0  01E8            ADD EAX,EBP
010001A2  29F8            SUB EAX,EDI                        ; back to a relative displacement
010001A4  AB              STOS DWORD PTR ES:[EDI]
010001A5  E2 E6           LOOPD SHORT calc(Fish).0100018D
010001A7  AD              LODS DWORD PTR DS:[ESI]
010001A8  85C0            TEST EAX,EAX
010001AA  74 37           JE SHORT calc(Fish).010001E3
010001AC  89C7            MOV EDI,EAX
010001AE  033B            ADD EDI,DWORD PTR DS:[EBX]
010001B0  56              PUSH ESI                           ; module name (eg., kernel32.dll)
010001B1  FF53 0C         CALL DWORD PTR DS:[EBX+C]          ; kernel32.LoadLibraryA
010001B4  89C5            MOV EBP,EAX                        ; EBP = module handle
010001B6  AC              LODS BYTE PTR DS:[ESI]
010001B7  84C0            TEST AL,AL
010001B9  75 FB           JNZ SHORT calc(Fish).010001B6
010001BB  AD              LODS DWORD PTR DS:[ESI]
010001BC  85C0            TEST EAX,EAX
010001BE  74 E7           JE SHORT calc(Fish).010001A7
010001C0  83EE 04         SUB ESI,4
010001C3  AD              LODS DWORD PTR DS:[ESI]
010001C4  A9 00000080     TEST EAX,80000000                  ; high bit set = import by ordinal
010001C9  75 0B           JNZ SHORT calc(Fish).010001D6
010001CB  83EE 04         SUB ESI,4
010001CE  56              PUSH ESI                           ; function name (eg., GetVersion)
010001CF  55              PUSH EBP                           ; module handle from LoadLibraryA
010001D0  FF53 10         CALL DWORD PTR DS:[EBX+10]         ; kernel32.GetProcAddress
010001D3  AB              STOS DWORD PTR ES:[EDI]            ; write the address into the IAT
010001D4  EB E0           JMP SHORT calc(Fish).010001B6
010001D6  25 FFFFFF7F     AND EAX,7FFFFFFF
010001DB  50              PUSH EAX                           ; ordinal
010001DC  55              PUSH EBP
010001DD  FF53 10         CALL DWORD PTR DS:[EBX+10]         ; kernel32.GetProcAddress
010001E0  AB              STOS DWORD PTR ES:[EDI]
010001E1  EB D8           JMP SHORT calc(Fish).010001BB
010001E3  5F              POP EDI                            ; POP ESP, so calc(Fish).010257DF
010001E4  C70361EBF600    MOV DWORD PTR DS:[EBX], 0F6EB61    ; POPAD & JMP , EBX = 010257DF
010001EA  66:C743F89068   MOV WORD PTR DS:[EBX-8], 6890      ; bytes 90 68: NOP / PUSH imm32
010001F0  66:C743FEC390   MOV WORD PTR DS:[EBX-2], 90C3      ; bytes C3 90: RETN / NOP
010001F6  C3              RETN

Figure 83

Figure 83 shows the details of how it works. First the decompressed code is finished off: the loop at 0100018B..010001A5 is the E8/E9 fix-up pass. At pack time every CALL/JMP rel32 had its displacement replaced by the absolute target stored big-endian (so that repeated calls to one function become identical bytes and compress better); the loop scans for E8/E9 opcodes, checks the first byte of the operand against the marker in DL, BSWAPs it and converts it back into a relative displacement (ADD EAX,EBP / SUB EAX,EDI). Then LoadLibraryA() is used to load each DLL to be imported, and GetProcAddress fetches the address of each imported function and stores it into the IAT. After that the opcodes 0F6EB61 are written to the dword at [EBX]: 61 is POPAD and EB F6 is JMP xxx (note the little-endian ordering). POPAD restores the registers that were pushed at the start of the stub. The last thing pushed on the stack is the data related to EBX, so when VA 010001F6 (RETN) executes we look at VA 010257DF. Figure 84.
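The E8/E9 fix-up loop above is easier to understand as a round trip. The block below is an added example, my own generic implementation and not Fish Packer's code: it applies the pack-time transform to a constructed snippet of x86 code and then undoes it with the same steps the stub uses (scan for E8/E9, compare the first operand byte with a marker, BSWAP, subtract the address of the next instruction). It assumes the simplest form of the transform, absolute = address of the next instruction + rel32, with no extra base hidden in EBP, and a marker byte of 0x00; the stub keeps its real marker in DL and its base in EBP.

```python
import struct

# Marker byte the stub compares in DL: after the pack-time transform every
# filtered target is stored big-endian, so its first byte is the high byte of
# the absolute address (0x00 for an image mapped below 16 MB). Assumption for
# this constructed example; a real packer picks the marker per file so that
# an unfiltered rel32 cannot start with the same byte.
MARKER = 0x00


def e8e9_filter(code: bytes, base: int) -> bytes:
    """Pack-time transform: rewrite the rel32 of every E8 (CALL) / E9 (JMP) as
    the big-endian absolute target, so repeated calls to one function become
    identical byte strings and compress better."""
    out = bytearray(code)
    i = 0
    while i + 5 <= len(out):
        if out[i] in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", out, i + 1)[0]
            absolute = (base + i + 5 + rel) & 0xFFFFFFFF
            if absolute >> 24 == MARKER:          # only targets the unfilter can recognise
                struct.pack_into(">I", out, i + 1, absolute)
            i += 5
        else:
            i += 1
    return bytes(out)


def e8e9_unfilter(code: bytes, base: int) -> bytes:
    """Unpack-time inverse, step for step what the stub does at 0100018B..010001A5:
    MOV AL,[EDI] / SUB AL,E8 / CMP AL,1 / JA selects E8 and E9, CMP AL,DL checks
    the marker, BSWAP reads the big-endian target, ADD EBP / SUB EDI turns it
    back into a displacement from the next instruction, STOS writes it."""
    out = bytearray(code)
    i = 0
    while i + 5 <= len(out):
        if out[i] in (0xE8, 0xE9) and out[i + 1] == MARKER:
            absolute = struct.unpack_from(">I", out, i + 1)[0]   # BSWAP EAX
            rel = (absolute - (base + i + 5)) & 0xFFFFFFFF       # ADD EAX,EBP / SUB EAX,EDI
            struct.pack_into("<I", out, i + 1, rel)              # STOS DWORD PTR ES:[EDI]
            i += 5
        else:
            i += 1
    return bytes(out)


def call_targets(code: bytes, base: int) -> list:
    """Absolute targets of the E8/E9 instructions in unfiltered code."""
    targets, i = [], 0
    while i + 5 <= len(code):
        if code[i] in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            targets.append((base + i + 5 + rel) & 0xFFFFFFFF)
            i += 5
        else:
            i += 1
    return targets


# Constructed sample code (not taken from calc(Fish).exe), mapped at BASE:
#   0x00: CALL +0x1B -> 0x401020     0x05: CALL +0x16 -> 0x401020
#   0x0A: JMP  -0x0F -> 0x401000     0x0F..0x1F: NOPs   0x20: XOR EAX,EAX / RETN
BASE = 0x401000
SAMPLE = (b"\xE8\x1B\x00\x00\x00" + b"\xE8\x16\x00\x00\x00" + b"\xE9\xF1\xFF\xFF\xFF"
          + b"\x90" * 17 + b"\x33\xC0\xC3")

if __name__ == "__main__":
    packed = e8e9_filter(SAMPLE, BASE)
    print("filtered :", packed[:15].hex())        # both CALLs now carry 00 40 10 20
    print("restored :", e8e9_unfilter(packed, BASE) == SAMPLE)
```

After the filter both CALLs to 0x401020 contain the same four operand bytes, which is the whole point of the transform; the unfilter has to run over exactly the same byte range (the stub's ECX count) or a displacement is left in the wrong form and the program crashes at that call.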

Figure 84

At Figure 84 press F8 twice. You see Figure 85.

Figure 85

By Figure 85 you probably understand why 0F6EB61, 6890 and 90C3 had to be written around EBX: stored little-endian, 6890 at [EBX-8] is NOP / PUSH imm32 and 90C3 at [EBX-2] is RETN / NOP, so the stub rewrites its own tail into PUSH OEP / RETN. Since PUSH + RETN is equivalent to a JMP, pressing F8 at Figure 85 takes us to the OEP we want. Figure 86. ☻☻☻

Figure 86

Once you see Figure 86 the process can be dumped. Figure 87.

Figure 87

Page 201: Cracker_Guide_2.1_

Chapter 14 - IAT and API Redirection - 201 -

Chapter 14 - IAT and API Redirection

This chapter discusses the IAT (Import Address Table), which you will inevitably meet when unpacking packed files. In the previous chapter we did not discuss the IAT and simply repaired it with ImpRec 1.7. Since we will keep running into IATs, I decided to include a discussion of them.

Info: Just as the various versions of Microsoft Windows differ from one another, their API functions also sit at different addresses, because the DLL files are built differently. When an application starts it has a list of all the functions it needs; these were never part of the application itself. They are called imports and they live in the operating system's DLLs, but the application does not know where. Every Win32 exe has an IAT, and the IAT lives inside the program. When an application calls a Windows API function it uses the IAT as a lookup table. So before the program runs, the Windows loader has to find the address of every API to build the IAT the program will call through; while the program runs, a call to an API simply reads the address it has to jump to out of the IAT. When an exe is packed/protected, crackers have to unpack it and make the unpacked file match the original, and that is hard because most packers/protectors destroy the IAT. If you want the exe to work properly, the IAT has to be rebuilt or repaired. Rebuilding the imports means rebuilding the IAT, and to do that we need to know the IAT in detail.

Info: When an exe is first loaded, the Windows loader is responsible for reading the PE structure in the file and mapping the executable image into memory. It loads all the DLLs the application uses and places them in free regions of the process. The exe lists every function it needs from each DLL. Because function addresses are not fixed, a mechanism is needed that can change these variables at run time without changing all the compiled code, and the IAT solves that. The IAT is a table of function pointers that the Windows loader fills in when the DLLs are loaded. Since the IAT is laid out when the application is compiled, no API CALL uses a hard-coded address; they all go through a function pointer. The pointer table can be reached in several ways, for example directly via CALL [pointer address] or via a JMP thunk table. Thanks to the pointer table the loader does not have to patch every place in the code that calls an API; it only has to put the pointer into one slot of the table.

Info: Packers always scramble the IAT of the exe they pack, to make the file smaller, and that makes unpacking harder for crackers. Packed programs were built with standard compilers, and the packer arranges things so that this altered mechanism still works. Even when a packer destroys the import table mechanism (meaning the packer/protector must itself work out which DLLs and functions to load and where to put the pointers), the original program keeps working normally once the decompression stub has run and the routines have been restored. To understand how to restore a destroyed import table, we first need to know how the import table is laid out and what the Windows loader does to parse it.

The small program used here to demonstrate the IAT is ReverseMe.exe from Lena151's tutorial 3. Download it from www.tuts4you.com.

Figure 1


Figure 1 is what you see after opening ReverseMe.exe in Olly. VA 00401002 is a CALL to an API; this CALL invokes the GetModuleHandleA function in kernel32.dll.

Figure 2

Figure 2 shows similar CALLs. VA 0040104D is a CALL to the ExitProcess function in kernel32.dll.

Figure 3

Double-clicking the ExitProcess line gives Figure 3. It looks like any other CALL, yet Olly knows it calls an API. To see why, select VA 0040104D and press Enter (Follow Call). You see Figure 4.

Figure 4

We have arrived at the jump (thunk) table, Figure 4. This is how Olly knows that VA 0040104D is a CALL that goes through a thunk before reaching the API. Wherever in the application ExitProcess is needed, that same thunk is used, which is why the Windows loader only has to fill in one address. To see which instruction VA 0040120E executes, press Enter on it. You see Figure 5.

Figure 5

It is in fact a jump through a DWORD in the data segment. To find out that value, let's follow the DWORD: press Ctrl+G in the Dump window, type VA 402004 in the box that appears and press OK. You see Figure 6.

Figure 6


Figure 6 is where the IAT lives, holding the addresses of the APIs inside their respective DLLs. Our example is the ExitProcess API.

Figure 7

Looking at VA 00402004 therefore shows Figure 7. The highlighted DWORD is our API's slot; 7C81CAA2 is the API's address (remember it is stored little-endian). Right after it comes a DWORD of zeros, and the DWORDs after those zeros refer to the APIs of the next DLL, user32.dll. You will notice that all these DWORDs start with 7xxxxxxx. That is simply where kernel32.dll and user32.dll are mapped on the Windows XP used here; on later Windows with ASLR the values change from boot to boot, but each one still falls inside the range of a loaded system DLL, which is the check a rebuilder actually makes. To make this clearer let's look at them in the IAT. Look at Figure 4 again: two APIs are imported from kernel32.dll. Remember that the IAT and the imports table are not the same thing.

Info: The imports table holds all the information Windows needs to link the APIs into your program. It has a very simple structure: one header per imported DLL, plus an extra, completely empty one to mark the end. Each header holds all the information for its DLL. For ReverseMe.exe, which imports APIs from user32.dll and kernel32.dll, you will find three headers: one for kernel32.dll, one for user32.dll and an empty one marking the end of the imports table. The Windows loader reads each header and uses the information to fill in the IAT; "the IAT" really means the per-DLL IATs taken together. The per-DLL header is called IMAGE_IMPORT_DESCRIPTOR. The word IMAGE refers to the in-memory view, and all the offsets in it are RVAs. It has the following structure:

IMAGE_IMPORT_DESCRIPTOR (5 DWORDs, 20 bytes):

OriginalFirstThunk   RVA of the array of name/ordinal entries (the Import Name Table, INT)

TimeDateStamp        0 unless the binary was bound

ForwarderChain       0 unless forwarders are used

Name                 RVA of the NUL-terminated DLL name

FirstThunk           RVA of this DLL's slice of the IAT

Info: When the Windows loader reads an IMAGE_IMPORT_DESCRIPTOR it first checks the DLL, then loads it and starts building the IAT, which is slightly involved. If OriginalFirstThunk is non-zero, the loader reads the names (or ordinals) from the array it points to and writes the resolved address of each API into the matching slot of the FirstThunk array. If OriginalFirstThunk is zero, it reads the names from the FirstThunk array itself and overwrites each entry in place. If an API cannot be resolved at all, the load fails and the program never starts. This is why, in memory, every FirstThunk pointer holds the address of the API inside the loaded DLL instead of the RVA of its name entry. Once the exe has been mapped into memory, building the IAT is complete.

Info: OriginalFirstThunk and FirstThunk therefore point to two parallel arrays of the same length: the first keeps the names and is never written to, so it survives as the reference copy; the second is overwritten at load time with the API addresses. The overwritten FirstThunk array is what we call the IAT, and every API CALL in the program is redirected through it. Besides the value the loader writes, an IAT slot in a running (or packed) process may hold:

(1) the real address of the API,

(2) a jump to the API,

(3) a push RVA API sequence (PUSH of the API's address followed by RETN, which behaves like a jump). The last two are what a packer's stub writes when it redirects APIs.

Info: For the import table to be fully valid:

(1) The RVA and size of the import table must be entered in the imports entry of the data directory; otherwise Windows cannot find it and will not fill in the IAT.

(2) Declare each DLL with one IMAGE_IMPORT_DESCRIPTOR and terminate the import table with an all-zero descriptor.

(3) Each IMAGE_IMPORT_DESCRIPTOR must have valid OriginalFirstThunk, FirstThunk and Name fields. TimeDateStamp and ForwarderChain can be left zero. OriginalFirstThunk may also be zero, in which case the loader reads the names from the FirstThunk array.

After all this theory you are probably confused, so let's make it concrete with ReverseMe.exe. Open ReverseMe.exe in Olly.

The first thing the Windows loader reads is the program's header. To find the PE header it reads the e_lfanew field at RVA 3C (400000 + 3C = 40003C). Figure 8.

Figure 8

According to Figure 8 the PE header is at VA 004000C0. Going to VA 004000C0 shows Figure 9.

Figure 9

The RVA of the import table is stored at the PE header address plus 80h, i.e. VA 400140. (It is always at this offset in a PE32 exe: 80h past the PE signature is the Import Table entry of the data directory, the second entry; in a 64-bit PE32+ file the same entry sits at 90h.) Figure 10.

Figure 10

According to Figure 10 the import table is at RVA 2050.

Info: The Import Table Address is the address at which the import table is found. Do not confuse it with the IAT; the two are completely different things.


Note: Finding the Import Table Address in Olly is no problem; Olly shows complete information about the header, and finding the Import Table Address is really all you have to do. Still, I think it is best to know the basics and understand what you are doing, which is why I explain it in detail.

OK, let's look at the Import Table Address. Figure 11.

Figure 11

The import table starts right after the IAT entries we found earlier. Go to VA 00402050 in the disassembler window. Figure 12.

Figure 12

Figure 12 tells us nothing by itself. Choose Analyze This! and let Olly analyze it. Figure 13.

Figure 13

Figure 13 shows the IMAGE_IMPORT_DESCRIPTOR array. The first and second entries are the descriptors of the two DLLs; the third is the terminating descriptor. Each IMAGE_IMPORT_DESCRIPTOR holds 5 DWORDs (20 bytes).

The first DWORD in Figure 13 (00002098) is OriginalFirstThunk. It tells the loader where to find the names of the APIs to import from this DLL. If we go to IMAGE_BASE + 2098 we find the names of the APIs to be imported (shown later).

The second DWORD (00000000) is TimeDateStamp, of no use to us; it is usually zero.

The third DWORD (00000000) is ForwarderChain, also of no use to us; it is usually zero.

The fourth DWORD (000021D8) is the RVA of the name of the DLL this descriptor belongs to. In our example you will find user32.dll at 4021D8 (shown shortly).

The last DWORD (0000200C) is FirstThunk. It points to the IAT, where the addresses of all the imported functions are found (not on disk, but once the exe has been loaded into memory).

In our example program you can easily find all the IAT addresses of the APIs imported from user32.dll. Look at Figure 14; they start at 40200C.


Figure 14

From Figure 14 we can tell that 16 API functions are imported, because we see 16 addresses starting with 7xxxxxxx. The same applies to the second DLL (kernel32.dll).

Figure 15

Its IAT addresses start at 402000, as in Figure 16.

Figure 16

You will notice that all 5 DWORDs of the last descriptor are zero. Figure 17.

Figure 17

In the Dump window it looks like Figure 18.

Figure 18

The second part of the import table consists of arrays of DWORDs. Figure 19.

Figure 19

These DWORD arrays are what the OriginalFirstThunk fields of the IMAGE_IMPORT_DESCRIPTORs point to. Each DWORD corresponds to one imported function: it is the RVA of an IMAGE_IMPORT_BY_NAME entry, a 2-byte hint followed by the function name (or, with the high bit set, an ordinal). The arrays are separated and terminated by a DWORD of zeros.

Figure 20 shows the third (last) part of the import table.

Figure 20


The strings in Figure 20 (BeginPaint, ...) are the imported functions and DLLs. They are not in any fixed order; a DLL name may come after or before its functions.

Earlier I said user32.dll would be found at 4021D8. Figure 21.

Figure 21

In the code view, too, a neatly built IAT can be seen. Figure 22.

Figure 22

In Figure 22 the two APIs imported from kernel32.dll and the APIs imported from user32.dll are separated by one DWORD, and the end is marked by a DWORD of zeros.

Figure 23

Look at Figure 23. After the names of all the imported functions, the list ends with the DLL names.
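The two file-level procedures of these chapters, following e_lfanew to the PE header, the import directory at PE + 80h, the descriptor array, the name arrays and the IAT (this walkthrough), and finding where the loader stops reading so the overlay can be copied onto a dump (the WinHex step in the ActiveMARK section of Chapter 13), are both just PE header arithmetic. The block below is an added example, my own pure-Python PE32 parser and not code from the book or from any tool it uses. It runs on a constructed sample image built inside the block with the same layout as the ReverseMe.exe walkthrough (IATs at 2000/200C, descriptors at 2050, name arrays at 2098/20A4) plus a small overlay; the sample is not a real program and its DLL and function names are chosen for the example.

```python
import struct


def pe_offset(data: bytes) -> int:
    """e_lfanew at file offset 3C gives the offset of the PE signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe


def sections(data: bytes) -> list:
    """NumberOfSections at PE+6, SizeOfOptionalHeader at PE+20, section
    headers (40 bytes each) directly after the optional header."""
    pe = pe_offset(data)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    out = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw_ptr": raw_ptr, "raw_size": raw_size})
    return out


def overlay_offset(data: bytes) -> int:
    """Where the loader stops: the highest PointerToRawData + SizeOfRawData.
    The max matters because sections need not be in file order."""
    return max(s["raw_ptr"] + s["raw_size"] for s in sections(data))


def append_overlay(packed: bytes, dumped: bytes) -> bytes:
    """The WinHex copy/paste step: tack the packed file's overlay onto the dump."""
    return dumped + packed[overlay_offset(packed):]


def rva_to_offset(data: bytes, rva: int) -> int:
    for s in sections(data):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def import_directory(data: bytes) -> tuple:
    """Data directory entry 1 (imports): optional header + 68h for PE32, which is
    PE + 80h as in the walkthrough; PE32+ moves it to optional header + 78h."""
    pe = pe_offset(data)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    return struct.unpack_from("<II", data, pe + 24 + (0x68 if magic == 0x10B else 0x78))


def cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def walk_imports(data: bytes) -> dict:
    """Walk the on-disk IMAGE_IMPORT_DESCRIPTOR array to the all-zero terminator.
    Names come from OriginalFirstThunk when it is set, else from the not yet
    overwritten FirstThunk array, as the loader does. Returns {dll: [function]}."""
    rva, _size = import_directory(data)
    desc, result = rva_to_offset(data, rva), {}
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        thunk, names = rva_to_offset(data, oft or ft), []
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            if entry & 0x80000000:                               # import by ordinal
                names.append(f"#{entry & 0xFFFF}")
            else:                                                 # IMAGE_IMPORT_BY_NAME
                names.append(cstring(data, rva_to_offset(data, entry) + 2))  # skip hint
            thunk += 4
        result[cstring(data, rva_to_offset(data, name_rva))] = names
        desc += 20
    return result


def build_sample_pe() -> bytes:
    """Constructed PE32, not a real program: one .rdata section at RVA 2000 with
    IATs at 2000/200C, descriptors at 2050, name arrays at 2098/20A4, and a
    12-byte overlay after the last section."""
    sec, cur = bytearray(0x200), 0xC0

    def put(blob):                                   # append a string, word aligned
        nonlocal cur
        off, cur = cur, cur + len(blob) + (len(blob) & 1)
        sec[off:off + len(blob)] = blob
        return 0x2000 + off

    dlls = {"user32.dll": ["MessageBoxA", "BeginPaint"],
            "kernel32.dll": ["GetModuleHandleA", "ExitProcess"]}
    hint_name = {f: put(b"\0\0" + f.encode() + b"\0") for fs in dlls.values() for f in fs}
    dll_name = {d: put(d.encode() + b"\0") for d in dlls}
    iat = {"kernel32.dll": 0x2000, "user32.dll": 0x200C}
    int_ = {"user32.dll": 0x2098, "kernel32.dll": 0x20A4}
    for d, fs in dlls.items():
        for table in (iat[d], int_[d]):              # on disk both arrays hold name RVAs
            for n, f in enumerate(fs):
                struct.pack_into("<I", sec, table - 0x2000 + 4 * n, hint_name[f])
    for n, d in enumerate(dlls):
        struct.pack_into("<IIIII", sec, 0x50 + 20 * n, int_[d], 0, 0, dll_name[d], iat[d])
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # file header
    struct.pack_into("<H", hdr, 0x98, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", hdr, 0x98 + 0x1C, 0x400000)                       # ImageBase
    struct.pack_into("<I", hdr, 0x98 + 0x5C, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x98 + 0x68, 0x2050, 60)                    # import directory
    struct.pack_into("<8sIIII", hdr, 0x98 + 0xE0, b".rdata", 0x200, 0x2000, 0x200, 0x200)
    return bytes(hdr) + bytes(sec) + b"OVERLAY-DATA"


if __name__ == "__main__":
    img = build_sample_pe()
    print("import directory:", [hex(v) for v in import_directory(img)])
    print("overlay starts at:", hex(overlay_offset(img)), img[overlay_offset(img):])
    print("imports:", walk_imports(img))
```

Run on a real dump, walk_imports is exactly the check to make before trusting a rebuilt file: every descriptor's Name must resolve to a string, every thunk RVA must land inside a section, and the loop must reach the all-zero terminator. A rebuilder that leaves a bogus RVA in any of those places produces a file that Windows refuses to load.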

That should be enough knowledge to rebuild imports by hand. The good news is that there are good tools that rebuild imports automatically. When software imports many APIs from many DLLs, rebuilding by hand takes a long time and is tedious; with the tools we can recover almost all the APIs. With what we now know, let's see how to repair some unpacked files.

OK, let's unpack a file packed with FSG 2.0. (If you want to follow along, download Lena151's tutorial 21, or pack any file you like with FSG; the principle is the same.)

Figure 24


Opening UnpackMe_FSG2.0.exe in Olly gives Figure 24. Notice that the entry point is a little unusual. Remember I said earlier that the entry point of an exe typically starts at 401000? In this program it starts at 400154, so the entry point clearly lies inside the PE header.

FSG is unpacked by tracing. If you scroll down a little you will see the end of the unpacking stub. If you trace it you will notice it goes round and round like a spinning wheel, and after a while the code jumps to the main program. Looking carefully, one jump leaves this stub. Let's find it.

Figure 25

Set a breakpoint at VA 004001D1 as in Figure 25, then press F9 (Run). Execution stops at the breakpoint. Figure 26.

Figure 26

As Figure 26 shows, the JMP goes to the program's OEP (VA 00404000). Figure 27.

Figure 27

Right-click in Figure 27 and choose Analysis > Remove analysis from module to get Figure 28.

Figure 28

At Figure 28 we dump the file. Right-click and choose Dump debugged process. You see Figure 29.

We can dump in the usual way, but in Figure 29 we need to uncheck "Rebuild Import". Why? Because FSG has destroyed the imports and the OllyDump plugin would get them completely wrong, so we will do some of the repair ourselves. You can leave the box ticked, but the dump will not run; why will become clear once we dig in.


Figure 29

Uncheck the "Rebuild Import" box in Figure 29 and press Dump. Save the file as dump.exe.

Other tools can dump as well, for example LordPE or PE Tools. Figure 30.

Figure 30

Either way, neither dumped file will run, because FSG has destroyed the imports, so we now need to rebuild them. There are many tools for that, but I will use ImpRec 1.7. Open ImpRec and attach to the process (UnpackMe_FSG2.0.exe).

Figure 31

After attaching to UnpackMe_FSG2.0.exe, the OEP value has to be changed: ImpRec only knows the EP of the running process. So set OEP to 4000 and press the IAT AutoSearch button.

Figure 32

Finding the IAT went fine, but if you leave the RVA at 11E8 as in Figure 31 and fix the dump, your repaired dump will not run. You may wonder how I know; I have already tried it. Let's examine that RVA in detail: type 4011E8 in Olly's dump window and see what is there. Figure 33.


Figure 33

What sits at VA 4011E8 are the imports of a single DLL. Scroll up a little and you find more imports. Figure 34.

Figure 34

We need the imports of both DLLs (user32.dll and kernel32.dll). Starting at VA 4011E8, ImpRec would only find the imports (APIs) of one DLL (kernel32.dll). ☺☺ ImpRec has been fooled. So change VA 4011E8 to VA 401198; only then will ImpRec also find the user32.dll imports.

Figure 35

Change the RVA as in Figure 35 and press Get Imports; you get Figure 36. (It is better to change Size to 100 as well, so that ImpRec examines the whole range.)

Figure 36

ImpRec finds two thunk groups, but both are marked invalid. Click the plus sign to see what is wrong. The bad entries are at RVA 2118 (look back at Figure 34: RVA 2118 holds FFFFFFFF) and at RVA 11B8. Figure 37.

Figure 37


The addresses seen in Figures 36/37 do not really exist; FSG inserted them on purpose to fool crackers. So these unnecessary entries must be removed.

Figure 38

Right-click the unwanted thunks as in Figure 38 and choose Cut thunk(s). The last step is to fix the dumped file.

Figure 39

Press Fix Dump in Figure 39 and select dump.exe, the file we dumped and saved from Olly. ImpRec saves the result as dump_.exe. Figure 40.

Figure 40

Running dump_.exe gives Figure 41.

Figure 41

Opening dump_.exe in Olly shows Figure 42.

Figure 42


(1) API Redirection

We have now had a rough look at how imports are rebuilt. When unpacking more advanced packers, however, this is not enough: the IAT itself has to be genuinely reconstructed, because the import table rebuild we did above still points at the IAT in its old place, and a packer that redirects APIs has filled that IAT with pointers into its own code. So we will study API redirection while unpacking a packed file. I will not investigate which packer was used here. The packed file can be downloaded from Lena151's tutorial 22.

INFO: API redirection is a technique in which the packer/protector destroys the IAT (or the import table), partially or entirely, and writes into each IAT slot a pointer to its own piece of code for that API. In other words the packer itself takes care of getting the packed/protected program to the API's address inside the system DLLs. Note that many programs using API redirection tend to trip anti-virus software.

(2) Unpacking the packed file

If you open the packed file (API Redirection Tutorial.exe) in Olly, you will see figure (43).

Figure (43)

What you see in figure (43) is just like the packed files before; nothing is special. Press F8 (Step over) until you reach VA 0044CB59. When you reach VA 0044CB59, look at the Register window. Figure (44).

Figure (44)

Right-click the ESP register in figure (44) and choose Follow in Dump. You will see figure (45).

Figure (45)

Right-click the highlighted DWORD (38 07 91 7C) in figure (45) and choose Breakpoint > Hardware, on access > Dword. Figure (46).

Figure (46)


Once the breakpoint is set as in figure (46), press F9 (Run). You will arrive at the hardware breakpoint as in figure (47).

Figure (47)

Go to the CALL EAX with F8 (Step over), and when you reach the CALL EAX, press F7 (Step into); you will arrive at the OEP as in figure (48).

Figure (48)

Now, to unpack the program, choose Dump debugged process. Figure (49).

Figure (49)

Uncheck the Rebuild Import checkbox in figure (49). Press the Dump button and save it as dump.exe. Then open dump.exe to see whether it works or not. Nothing appears.

So it is certain that there is some problem with the imports. Therefore we will open ImpRec 1.7 and try to fix dump.exe. Figure (50).

Figure (50)


When you see figure (50), you will understand what to do.

(1) Attach to API Redirection Tutorial.exe.

(2) Type in the OEP value and press the IAT AutoSearch button.

(3) Press the Get Imports button. You will see that the number of imported functions is 618.

(4) Press the Show Invalid button and look at the invalid functions; you will see figure (51).

Figure (51)

As seen in figure (51), ImpRec cannot find the addresses of every API in the IAT. The conclusion to draw here is that dumping without finding all the APIs is useless. (The dumped file will crash.) Most of the time these pointers point at code that does not exist. In such a situation, choosing Cut thunk(s) turns out to work fine. (Some packers deliberately insert non-existent addresses to annoy crackers.)

But this time the address (00458C35) seen in figure (51) lies within code. Looking at the other 12 invalid APIs, they are also addresses that really exist. So right-click the 00458C35 entry in figure (51) and choose Disassemble / Hex View. Figure (52).

Figure (52)

Looking at figure (52), the location 00458C35 is a place where real code exists. Looking at Olly's memory map too, you will see that it lies in the packer's SFX section. Figure (53).
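As an added example (not code from the guide, ImpRec or the packer), the following Python models the triage just described: for each IAT slot it asks whether the stored value lies at an export of a loaded system module, inside the debuggee's own image (a redirection stub such as the SFX section), or in no mapped region at all (a decoy thunk to cut). The module ranges, export names and IAT contents are constructed sample values.

```python
"""Triage of IAT slots from an unpacked-process snapshot.

Added example (not code from the guide, ImpRec or the packer). It models the
check the text does by hand with ImpRec's "Show Invalid" and Olly's memory map:
a slot is only trustworthy when it points at an export of a loaded system DLL.
Every address, range and export name below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int    # exclusive
    kind: str   # "module": a loaded system DLL; "image": the debuggee's own sections

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Constructed memory map, in the spirit of Olly's View > Memory window.
REGIONS: List[Region] = [
    Region("kernel32.dll", 0x7C800000, 0x7C8F6000, "module"),
    Region(".text", 0x00401000, 0x00438000, "image"),
    Region(".idata", 0x00438000, 0x00439000, "image"),   # where the IAT itself lives
    Region("SFX", 0x00451000, 0x0045C000, "image"),      # packer stub section
]

# Constructed export table: function start address -> name.
EXPORTS: Dict[int, str] = {
    0x7C80EFD7: "FindClose",
    0x7C80BAF1: "lstrcmpi",
}

# Constructed IAT snapshot: slot address -> DWORD stored there.
SAMPLE_IAT: Dict[int, int] = {
    0x0043803C: 0x7C80BAF1,   # resolved normally
    0x00438040: 0x00458C35,   # overwritten with a pointer into the SFX stub
    0x00438044: 0x7C80EFD7,   # resolved normally
    0x00438048: 0x206C8BA9,   # decoy value that maps to nothing
}

Verdict = Tuple[str, str]


def classify_slot(target: int, regions: List[Region], exports: Dict[int, str]) -> Verdict:
    """Return (verdict, detail) for one IAT value.

    valid      - start of a known export in a loaded system module
    redirected - inside the debuggee's own image, or mid-function in a module
    bogus      - not inside any mapped region (ImpRec cannot resolve it)
    """
    owner = next((r for r in regions if r.contains(target)), None)
    if owner is None:
        return ("bogus", "no mapped region")
    if owner.kind == "image":
        return ("redirected", f"inside {owner.name}")
    if target in exports:
        return ("valid", f"{owner.name}!{exports[target]}")
    return ("redirected", f"{owner.name} but not at an export start")


def classify_iat(iat: Dict[int, int], regions: List[Region],
                 exports: Dict[int, str]) -> Dict[int, Verdict]:
    return {slot: classify_slot(val, regions, exports) for slot, val in sorted(iat.items())}


def slots_to_cut(verdicts: Dict[int, Verdict]) -> List[int]:
    """Slots that only hold decoys: safe to remove with Cut thunk(s)."""
    return [s for s, (v, _) in verdicts.items() if v == "bogus"]


def slots_to_repair(verdicts: Dict[int, Verdict]) -> List[int]:
    """Slots that point at real but wrong code: the dump will not run until fixed."""
    return [s for s, (v, _) in verdicts.items() if v == "redirected"]


def summarize(verdicts: Dict[int, Verdict]) -> Dict[str, int]:
    counts = {"valid": 0, "redirected": 0, "bogus": 0}
    for verdict, _ in verdicts.values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    verdicts = classify_iat(SAMPLE_IAT, REGIONS, EXPORTS)
    for slot, (verdict, detail) in verdicts.items():
        print(f"{slot:08X} -> {SAMPLE_IAT[slot]:08X}  {verdict:10s} {detail}")
    print(summarize(verdicts))
```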

Figure (53)

If you look at 00458C35 in Olly, you will see figure (54).

Figure (54)


The code in figure (54) computes the API address (the FindClose function). But that does not matter. If we dump all the sections, this code that computes the API addresses will come along too. Let's test whether that is true. Press Ctrl+F2 (Restart) in Olly and start again.

(3) Removing the redirection

Reopen API Redirection Tutorial.exe in Olly and go look at VA 00458C35. Figure (55).

Figure (55)

As seen in figure (55), there is nothing at VA 00458C35.

INFO: Actually, the unpacking stub writes the redirecting code here only while the program is running. That is also why, when we dumped at the OEP, the redirected code was already at this location and the APIs were lost. The dumped program will not work properly either.

OK, let's look at ImpRec again. Figure (56).

Figure (56)

Looking at figure (56), the code that redirects to the API is at 00458C35, and this address has been stored at RVA 00438040. Figure (57).

Figure (57)

As seen in figure (57), look at the DWORD value at VA 00438040. Although the IAT is built at this location, the remaining APIs are at this moment still being redirected to the packer's original code. (For example, 206C8BA9.) So, to find out when, where and how the IAT is created and written, let's watch figure (57). To be more precise, the other redirected APIs are included as well.

INFO: A program needs only two APIs to obtain all of the imports in an exe. These two APIs are LoadLibraryA and GetProcAddress. As explained in Win32.hlp:

The LoadLibrary() function maps the executable module into the address space of the calling process.

HINSTANCE LoadLibrary(
    LPCTSTR lpLibFileName
);


Here lpLibFileName is the address of the executable module's filename. If the function succeeds, the return value is a handle to the module.

The GetProcAddress() function returns the address of an exported DLL function.

FARPROC GetProcAddress(
    HMODULE hModule,
    LPCSTR lpProcName
);

Here hModule is the handle to the DLL module and lpProcName is the name of the function. If the function succeeds, the return value is the address of the DLL's exported function.

To put it another way, LoadLibrary is first called to load a DLL file, and afterwards, with the returned handle, you can obtain the address of each imported API you want to call.

OK, to watch what happens to the DWORD value at VA 00438040, we will set a breakpoint as in figure (58).

Figure (58)

Then press F9 (Run) and watch the location VA 00438040. Figure (59).

Figure (59)

Looking at figure (59), when we reach VA 00451B38 the DWORD value changes to (84B3D4CF). But this value is not the one we are interested in. Press F9 again. The DWORD value (3963D4CF) at VA 00451B56 is not interesting either. Press F9 once more. The DWORD value (00040EDC) at VA 0045BC2A is not interesting either. Press F9 once more and you will see figure (60).

Figure (60)

The DWORD (7C80EFD7) in figure (60) is interesting. Look at the Registers window.

Figure (61)


In figure (60), the EAX register has been loaded with the address of the FindClose() API. ☺☺☺

Figure (62)

Figure (62) shows that we have arrived at the place where the DWORD value (7C80EFD7) changes (the place where the hardware breakpoint is set). In any case, the packer first wrote the correct address for the API into the IAT. Later on, this address value changes. To find out where it changes, keep pressing F8.

INFO: Looking at figure (60), you will see that a DWORD value (7C80BAF1) has been set at VA 0043803C. If you watch the packer's behaviour carefully, the packer reads only one DLL file at a time, first writes the correct API address into the IAT, and then checks whether this API is redirected or not. Only after that does it read the next DLL and check it in the same way.

Anyway, keep a sharp eye on VA 00438040 in figure (60) and keep pressing F8. Figure (63).

Figure (63)

Look at figure (63). As soon as the CALL 00453E90 at VA 004536F5 executes, the DWORD value changes to (00458C35). What is certain is that inside CALL 00453E90 the API's address gets redirected to the packer's code. So let's step into this CALL. Reopen the program in Olly (Ctrl+F2). Then press F9 four times to reach VA 4536A6 in figure (62). After that, press F8 until you reach the CALL at VA 4536F0 in figure (63). When you reach the CALL, press F7 (Step into). You will see figure (64). (Note that the JE 4536F8 at VA 4536DF in figure (63) can skip over CALL 00453E90.)

Figure (64)


Figure (64) is the code inside the CALL that checks whether the API address is redirected or not. Keep watching the DWORD value at 00438040. Figure (65).

Figure (65)

While watching the DWORD value (7C80EFD7) at 00438040, keep pressing F8.

Figure (66)

As seen in figure (66), as soon as we reach VA 00453EF4 the DWORD at 00438040 changes to (00458C35). In fact, to make this value change, the packer used the VirtualProtect() API.

Figure (67)

Then it called VirtualProtect again to set the page access back to normal.

INFO: The VirtualProtect() function changes the access protection on a region of pages in the virtual address space of the calling process. This function differs from VirtualProtectEx, which can change the access protection of any process. You can set access protection values only on committed pages. If any page in the specified region is not committed, the function fails and returns without changing the access protection of any page. The VirtualProtect function changes the access protection of memory in the calling process, whereas the VirtualProtectEx function changes the access protection of memory in a specified process.

Figure (68)

Look at figure (68). What changes at the PUSH EAX at VA 00453ED5? 438040 is the base address of the page region whose access is changed.


The VirtualProtect() API at VA 00453F02 restores this value to its original state. Look at the PUSH 4 at VA 00453ED0. It is 4 bytes.

Since I assume you understand fairly well by now, I want to look for a solution to the redirection. Look at the conditional jumps. Figure (69).

Figure (69)

Did you notice that the JE 00453F0F at VA 00453EC8 seen in figure (69) can skip over both VirtualProtect() functions? If we change it here to JMP 00453F0F ...

If we change it that way and assemble, the API will no longer be redirected to the packer's code, but the current address will still be in the IAT. However, since there are other ways, let's try changing this later. Keep pressing F8 as in figure (69). I will show how VirtualProtect() restores the original value.

The PUSH ECX at VA 453EF7 is the address holding the original access attributes. PUSH EDX is the characteristics. Figure (70).

Figure (70)

40 is initialized data. PUSH 4 is 4 bytes. PUSH EAX is VA 438040. If you keep pressing F8, you will see figure (71).

Figure (71)

As seen in figure (71), if you keep pressing F8, when the program reaches JMP 45363B it jumps back up and computes the address of the next API. The next API is the lstrcmpi() function. Looking at figure (72), when the lstrcmpi() function is read, the API address is not changed. Looking at figure (71), you can see that the JE 004536F8 at VA 4536DF can skip over the redirection CALL.


Figure (72)

To solve the redirection problem, we can use two methods. The first is to change VA 4536DF in figure (71) to JMP 4536F8, and the second is to change VA 4536F0 to NOP.

So right-click at VA 4536DF and choose Breakpoint > Hardware, on execution.

Figure (73)

The next thing to do is to go to our program's OEP at VA 4331B8 and set a Breakpoint (Hardware, on execution) as in figure (73). Then delete the hardware breakpoints we set earlier. Then only the two newly set hardware breakpoints remain, as in figure (74).

Figure (74)

Reopen the program in Olly and press F9. You will see figure (75).

Figure (75)

When you see figure (75), change the JE 4536F8 at VA 4536DF to JMP 4536F8 and remove the hardware breakpoint set at VA 4536DF. Then only the hardware breakpoint set at the OEP remains. Then press F9. As seen in figure (76), you will arrive at the program's OEP.


Figure (76)

At this point, look at the Dump window. You will see figure (77). ☺☺☺

Figure (77)

It is a relief to see the real addresses of the APIs in figure (77). Now right-click in the Disassembly window of figure (76) and choose Dump debugged process. Figure (78).

Figure (78)

Press the Dump button and save the program as Redirection_Fix.exe. This time you can leave the Rebuild Import checkbox checked. Open the saved file. You will see figure (79).

Figure (79)

Although the Redirection_Fix.exe file works fine, the file size is a bit large. So we will remove the unnecessary sections. Open LordPE and prepare to delete the sections. Figure (80).


Figure (80)

As seen in figure (80), choose wipe section header and delete sections (4/5/6). Figure (81).

Figure (81)

Then save the file and open it in PEiD. Figure (82).

Figure (82)

Choose Rebuild PE, one of PEiD's plug-ins, and press the Rebuild button in figure (82); the program's file size shrinks to 72.65%. Figure (83).

Figure (83)

With that, the API redirection problem encountered when unpacking the packed exe file has been solved.


Chapter (15) - Cracking programs written in Visual Basic - 223 -

Chapter (15) - Cracking programs written in Visual Basic

This time we will try cracking programs written in VB. Most of the programs written by Myanmar programmers are written in VB. The sample program chosen for cracking here is PC to Answering Machine 2.0.8.2. The tools to be used are OllyDebug and SmartCheck. Since we are already familiar with Olly, I will not say anything about it, but I want to briefly introduce the software called SmartCheck. NuMega Technologies, the software company behind SmartCheck, was acquired by Compuware in 1997. Compuware developed SmartCheck only until around 2001. After that it was no longer released. SmartCheck was sold as shareware. Nowadays it can be found on the internet as freeware. You can search for it with Google. The version I am using now is 6.20.

(1) The program's behaviour

Open the PC to Answering Machine program in both Olly and PEiD. Figure (1).

Figure (1)

Figure (2)

To repeat, when I open programs, I usually open them first with PEiD to find out what the program was written with and what it was packed with. (You can also open them with RDG Packer or CFF Explorer.)

The highlighted line in figure (1) is the program's EP. Figure (2) shows that this program was written in Visual Basic. What I want to talk about now is Visual Basic.

INFO: Visual Basic is a high-level language that grew out of the BASIC language that appeared when DOS was popular. BASIC stands for Beginners' All-purpose Symbolic Instruction Code. Visual Basic is a visual and event-driven programming language. Programming can be done right in the visual environment. Programmers can click objects as they like. To respond to actions (events), each object has to be coded separately. For that reason a Visual Basic program is made up of many subprograms. Each subprogram has its own code. Subprograms can work independently. At the same time, they can link up and use each other.

INFO: Although Visual Basic applications are fully compiled applications, their behaviour complicates OllyDbg's work. Although OllyDbg is a debugger for compiled languages, it is still far from handling VB. It works better for C/C++. VB is fine and suitable both as a language and in the eyes of programmers.

INFO: VB programs depend on an external DLL file (for VB 6.0 it is MSVBVM60.dll; other versions will have similar files). This DLL file handles all the APIs and events. So all the VB APIs are embedded and tested inside the DLL. The exe's code, too, runs inside this file almost all the time. This is very important when cracking. The call stack in Olly is a truly rare help, because the application is almost always inside VB's specific DLL file. Incidentally, the application mostly consists of event handlers, which are used as callbacks from the DLL to respond to events and messages. The rest of a VB application is just resources, variables and the functions used to link up with the event handlers.

INFO: VB is stack-based. That is, it uses the system stack for all of its operations. This differs from other languages, which use registers and use the stack mainly for carrying out function calls. Applications created with VB are compiled as interpreted, or p-code, executables. At run time the instructions are translated (or interpreted) by the run-time DLL. When used, the p-code engine is simply a machine that processes opcodes. All the operands used by the p-code instructions are kept on the stack.

If you want to see the call stack in Olly, press (Alt+K). Figure (3) is the (system) stack.

Figure (3)

INFO: A DLL (dynamic link library) is a collection of small programs. They are called by a program when it needs them while it is running. Mostly they let exe files connect with devices. (For example, when you want to print, it connects to the printer.)

INFO: For example, when your hard disk needs free space. Programs can call a DLL file containing a function with a full set of parameters and the calling function. Since the functions contained in the DLL file need not be written again, exe files are smaller in size.

INFO: Since DLL files need not be loaded into RAM together with the exe files, RAM can be saved. A DLL only gets into RAM when it is needed and called. For example, while you are typing in Microsoft Word, the DLL file related to the printer is not working. Only when you print will the printer-related DLL file be called and used.

INFO: In summary, a DLL is an executable file. But on its own it does nothing. It works only when EXE files call it. So exe files need to declare, with parameters, which DLL they will use.

By now you may think that VB is a language that is very hard to handle. In fact, what you think is wrong. We have some very useful tools. I will explain them later. Anyway, do not think that Olly is of no use at all for VB. In reality every language gets translated into assembly.

Now we will discuss the program's behaviour. What I have noted about the program is this: when the program is installed and started for the first time, the program computes what it needs for your computer and fixes a specific key. This is irregular, but it gives us a rather good hint. That is, the program derives the code from something (for example, the hard disk ID) and then stores this code somewhere. Only then can it check at start-up whether it is registered or not.

(2) Finding the serial

The program needs to check whether it is registered or not as soon as it starts. In VB this is done in the APIs from the DLL. The important ones here are:

(1) __vbaVarTstEq

(2) __vbaVarTstNe

(3) __vbaVarCmpEq

(4) __vbaStrCmp

(5) __vbaStrComp

(6) __vbaStCompVar

Numbers (1, 2, 3) are used more often. So let's try the first API, __vbaVarTstEq.

Figure (4)

What you see now in figure (4) is the entry point. Press Ctrl+N to see the names in the module. Figure (5). Then, to make the search faster, type vbavartst on the keyboard. You will jump straight to vbaVarTstEq.

Figure (5)

Looking at figure (5), you will notice that the APIs we are looking for are in the MSVBVM60.dll file. We will set a BP on vbaVarTstEq. Right-click vbaVarTstEq and choose Set breakpoint on every reference. Olly sets as many as 88 breakpoints.

Figure (6)

Then press run (F9).

Figure (7)


Olly will stop at the first vbaVarTstEq BP it encounters. We see nothing substantial in this code. To learn the program's behaviour, we will press F8 and study it.

Figure (8)

The CMP DI,SI at VA 005BBD58 is interesting. But to find out what happens next, we will let it jump.

Figure (9)

I suspect that the oeiu-564-oqei-97 seen at VA 005BBFC0 in figure (9) is the serial we are looking for. We will look a little further. Figure (10).

Figure (10)

Let's try oeiu-564-oqei-97. First remove all the breakpoints. (Press Ctrl+N and choose Remove all breakpoints.)

(3) Registering

After removing all the breakpoints, run the program (F9). You will see figure (11).

Figure (11)

In figure (11), no name is asked for in order to register. Only a specific key is needed. This key was computed and fixed when the program was first installed. We will try registering.

Figure (12)


Type in oeiu-564-oqei-97 and press OK.

Figure (13)

As in figure (13), we see that the registration succeeded. What do you think of that? Let's close the program and restart it.

(4) Testing the registration

To restart the program, press Ctrl+F2 in Olly. Then press F9. This time, when the program comes up, no nag screen is seen any more. Choosing About from the Help menu works fine too. Figure (14).

Figure (14)

So let's examine this program in SmartCheck.

(5) Adjusting SmartCheck's settings

This time we will try Numega's SmartCheck. SmartCheck is specially made for cracking and debugging VB programs. But some of its settings have to be adjusted a little. Open PC to Answering Machine 2.0.8.2 in SmartCheck. Once it is open, choose Settings ... from the Program menu. Figure (15).

Figure (15)


Uncheck Leaks in figure (15). Choose Save these settings .... Then choose Advanced.

Figure (16)

Select the options as seen in figure (16).

Figure (17)

The last thing to select is as in figure (17). With that, the settings adjustment is done. We will run PC to Answering Machine 2.0.8.2 in SmartCheck. After it has run, choose Event Summary from the View menu. Figure (18).

Figure (18)

The Event Summary window gives us useful information.


Figure (19)

Specific Events in the View menu lets us choose to show only the events we want.

Figure (20)

Did you notice figure (20)? I have selected Sequence Numbers. This is quite useful. Later you will find it helps you avoid having to look through thousands of lines of code.

If you want to see all the code, choose Show All Events from the View menu.

(6) Finding the serial in SmartCheck

Now that we have adjusted SmartCheck's settings, let's start the work of finding the serial. Looking at the events, we find that there is a lot of code that is of no use to us. Let's scroll down a little and look, as in figure (21).

Figure (21)

The real code starts in figure (21).

Figure (22)

Looking at figure (22), we find there are as many as 24734 events. That icon is end program. If that had not been pressed, around 1.5 million events would have come out. For now, what we need is to trace how the PC to Answering Machine 2.0.8.2 program works at the beginning.


Figure (23)

Looking at the line numbers in figure (23), you will notice that not all the lines are shown yet. That is because we have selected only Show Errors and Specific Events.

Figure (24)

If you choose Show Errors and Specific Events, you will see figure (24). What we know is that the program checks a specific key at start-up. Let's simply search for this in the API column. Figure (25).

Figure (25)

Searching as in figure (25), you will find figure (26).

Figure (26)

As seen in figure (26), we arrive at the first API found. We will not study the APIs in detail here; we will study them later. The suspicious one is at line 2549.

Figure (27)

So, to see the details, I click the little plus sign and look. But nothing is special. When I double-click line 2549 and look in the Details window, I see figure (28).

Figure (28)


What we see in figure (28) is the serial we are looking for. SmartCheck turns out to be very easy when it comes to finding ordinary registration keys.

INFO: Some VB programs are found to include anti-SmartCheck techniques. They mostly check for the string NuMega SmartCheck. I do not have this problem, because I have patched SmartCheck with Repair 0.6. Repair 0.6 can patch the other tools too.

With that, the cracking of PC to Answering Machine 2.0.8.2 has been completed successfully. Finding a serial this way is called serial fishing. You will probably not yet understand well what I have explained, because the serial fishing method only studies the program code roughly and then looks for the serial the debugger produces. It does not compute the serial by itself. This time we will try cracking VB programs at a more advanced level. The programs chosen for cracking are two ReverseMe programs and CrackersConvert 1.0, a freeware program protected by a registration scheme. Before reading the lesson, download these 3 programs from SND Team's website. SND Team's internet address is given in the appendix. Download the file Lena's Reversing Tutorial - 10 from SND Team's download section. This file contains the 3 programs along with the lesson I am about to explain. This chapter is a translation of Lena151's lesson. The tools needed for cracking are OllyDebug, SmartCheck, VB Decompiler and Veoveo. VB Decompiler is freeware and can be downloaded from www.vb-decompiler.org.

OK, let's start our cracking.

(7) ReverseMe1

The first one we will try cracking is the ReverseMe1 program. Open the Tut.ReverseMe1.exe file in SmartCheck and run it. You will see figure (29).

Figure (29)

What we see in figure (29) is a nag screen. I will explain later how to remove it. First we will just try out how to register the ReverseMe program.

Figure (30)

The Form1_Load seen in figure (30) is very important. Did you notice that the MessageBox produces the nag screen of figure (1)? The registration action will come after this Form1_Load. Press OK in figure (29). You will see figure (31).

Figure (31)


We will type 123456 into the Regcode textbox of figure (31). Then you will see figure (32).

Figure (32)

In addition, at the place of figure (30), new events are added, as in figure (33).

Figure (33)

If we choose Show All Events from View, we will see all the events. Before choosing Show All Events, you have to select the event you want to look at first. Otherwise, because there are too many events, you will not be able to find the event you are looking for. Usually, when something is written as xxxxxx_click, xxxxxx mostly means the name of the button. Programmers do not usually change the names of buttons. They usually leave them as commandX. X is a number, and usually starts from one.

Do you understand that the serial is checked for correctness at Command1_Click in figure (33)? So let's look at this place carefully. For now, since we no longer need the Tut.ReverseMe1.exe program, let's close it for a while. Incidentally, what we see in figure (33) is only the event summary.

Click the little plus sign to the left of Command1_Click in figure (33). Figure (34).

Figure (34)

Figure (34) does not give us enough information either. If you select the MsgBox text, you will see figure (35).

Figure (35)

Figure (35) is the BadBoy. OK, what if we select Text1.Text in figure (34)? As it is, nothing is seen. Choose Show All Events from the View menu. Then you will see figure (36).

Figure (36)

Actually, nothing is difficult. We can see everything.


__vbaStrCmp is used to compare strings.

Example: __vbaStrCmp(String: "xxxxxx", String: "yyyyyy") returns DWORD:0

But in figure (36) the DWORD value is FFFFFFFF. That is because the two strings are not equal: I typed 123456 into the Regcode textbox of figure (31). So what was the fake serial we typed compared with? Figure (37).

Figure (37)

OK. What 123456 was compared with is I'mlena151.

The I'mlena151 just now was compared before the BadBoy message appeared. OK. Now that we know what the serial is, let's try that serial.

Figure (38)

When we type I'mlena151 as in figure (38), a messagebox appears saying the registration succeeded. Incidentally, the serial we typed came easily, without any computation.
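As an added example, not code from the guide or from the ReverseMe1 program, the Python below models the __vbaStrCmp result seen in figure (36) (DWORD 0 on a match, FFFFFFFF otherwise) next to a check that embeds only a keyed digest of the serial, so an API monitor has no plaintext serial to fish. The serial is the one this walk-through recovered; the key and the function names are constructed.

```python
"""Why serial fishing works against a plain string compare, and one mitigation.

Added example, not code from the guide or from the ReverseMe1 program. It models
the __vbaStrCmp call SmartCheck showed (DWORD 0 on a match, FFFFFFFF otherwise)
and contrasts it with a check that stores only a keyed digest of the serial.
The serial is the one this walk-through recovered; the key is a constructed value.
"""
import hashlib
import hmac


def vba_str_cmp(a: str, b: str) -> int:
    """Model of __vbaStrCmp's return as SmartCheck displays it: a DWORD that is
    0 when the strings are equal, FFFFFFFF (-1) when a < b and 1 when a > b."""
    if a == b:
        return 0
    return 0xFFFFFFFF if a < b else 1


# --- weak pattern: the real serial is an embedded literal used as a compare operand ---
EMBEDDED_SERIAL = "I'mlena151"   # the string figure (37) shows as the compare operand


def weak_check(user_input: str) -> bool:
    # Both operands are live strings when the compare runs, so a breakpoint on
    # __vbaStrCmp or an API monitor like SmartCheck shows EMBEDDED_SERIAL directly.
    return vba_str_cmp(user_input, EMBEDDED_SERIAL) == 0


# --- hardened pattern: embed only HMAC(key, serial), never the serial itself ---
APP_KEY = b"constructed-product-key"      # constructed; a real product keeps this per build

# Computed here only so the example is self-contained; a shipped binary would
# carry just this hex digest, so no plaintext serial exists for a compare to leak.
EXPECTED_DIGEST = hmac.new(APP_KEY, EMBEDDED_SERIAL.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_check(user_input: str) -> bool:
    digest = hmac.new(APP_KEY, user_input.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, and the operands are digests, not the serial.
    # This removes the fishing target only; the accept/reject branch itself can
    # still be patched, so it is one layer of a licence scheme, not the whole scheme.
    return hmac.compare_digest(digest, EXPECTED_DIGEST)


def trace_weak_compare(user_input: str) -> str:
    """What an API monitor would log for the weak check, in SmartCheck's format."""
    rv = vba_str_cmp(user_input, EMBEDDED_SERIAL)
    return f'__vbaStrCmp(String: "{user_input}", String: "{EMBEDDED_SERIAL}") returns DWORD:{rv:X}'


if __name__ == "__main__":
    print(trace_weak_compare("123456"))          # the second operand leaks the real serial
    print(weak_check("I'mlena151"), hardened_check("I'mlena151"))
    print(weak_check("123456"), hardened_check("123456"))
```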

We still need to clear the nag screen. SmartCheck is good for finding serials written in VB. But for removing the nag we have better tools than this: VB decompiler tools. For example VB Decompiler Lite or Pro. I use VB Decompiler Pro 5.0.

OK. Let's open VB Decompiler.

Figure (39)

This is our Tut.ReverseMe1.exe program decompiled in VB Decompiler.

INFO: A compiler is a program that turns source code into exe code. A decompiler takes the exe code and turns it back into source code. A decompiler is just a specialised kind of disassembler. Where a disassembler turns exe code into assembly code, decompilers turn the code into a high-level language such as C/C++ or VB.

Looking at figure (39), I think VB Decompiler has done its job well.


We'll study the code first. Click the little plus sign beside Form1 in Figure 39.

Figure 40

In my view, even someone unfamiliar with programming languages would understand this. In Figure 40, mnuabout is the About box. mnuexit is Exit. Command2 is what appears when the Nag button is clicked. Form_Load is the nag. Command1 is what appears when the Register button is clicked. So let's see at which VA the routine that shows the nag begins. Both Form_Load and Command2 say that the nag begins at VA 402C17. You can double-click to check whether that is true. Double-click Form_Load.

Figure 41

According to Figure 41 it is certain that the nag screen is created here, because we find the text "Get rid of all Nags and find ..".

Figure 42

Figure 42 is the end of the nag screen. VA 402C17 is the start of the nag routine. OK. Let's open Tut.ReverseMe1.exe in our debugger. Figure 43.

Figure 43

Then, to go straight to the VA we want, click the ( ) button on the toolbar. You'll see Figure 44.

Figure 44


Type VA 402C17. You'll see Figure 45.

Figure 45

What you see in Figure 45 is the start of the nag screen. Set a breakpoint at VA 402C17. Then press Run (F9).

Figure 46

Figure 46 shows where execution goes after this nag screen finishes. We'll change the PUSH EBP at VA 402C17 to RET. That way, instead of landing at the start of the nag, we arrive as if at its end. Then press Run (F9).

Figure 47

The nag doesn't appear; only Figure 47 appears. To be sure, we'll click Nag? in Figure 47. Nothing appears. The nag screen is gone.

(8) CrackersConvert

This time we study the CrackersConvert program. This time I won't be studying the program's behaviour; you'll have to open SmartCheck and study it yourself. I'll go straight to About. Clicking the register button from About shows the registration box as in Figure 48.


Figure 48

Then, when the register button is clicked, you see Figure 49.

Figure 49

INFO: You can enter any registration code you like. You may be wondering why I typed 47806. Well, programs often convert the registration code to hex before comparing it. 47806 converted to hex is BABE. Easy to remember.

Figure 50

Clicking Validate in Figure 48 shows Figure 50. Since we have found what we were looking for, we'll close the CrackersConvert program.

Figure 51

For now, to study the code, let's look at the Overview window as in Figure 51.

Len(String: "rhythm") returns LONG:6

Explanation: the string length (character count) of "rhythm" is 6.

Mid(VARIANT:String:"abcdefg",long:1,VARIANT:Integer:1)

Explanation: takes the first character of "abcdefg", starting at the first position.

Mid(VARIANT:String:"rhythm",long:1,VARIANT:Integer:5)

Explanation: here it takes 5 characters starting from the first position ("rhyth").

Asc(String:"T") returns Integer:84

Explanation: gets the decimal value of "T", which is 84.

Asc(String:"r") returns Integer:114

Explanation: here it gets the decimal value of "r", which is 114.

Len(String: "47806") returns LONG:5

Explanation: the string length (character count) of "47806" is 5.

The bottom line of Figure 51 is the BadBoy.


Did you notice that the line Len(String: "47806") returns LONG:5 only checks the character count of the serial? Why isn't the serial compared? We'll look for where the serial is compared before the BadBoy is reached. Select Len(String: "47806") returns LONG:5 and click Show all events ( ). You'll see Figure 52.

Figure 52

Look at Figure 52. Actually, nothing here is difficult.

__vbaVarMul(VARIANT:String:"114", VARIANT:Integer:20) returns DWORD:13F474

It multiplies the first character of my name by 20.

__vbaVarMul(VARIANT:String:"1", VARIANT: String:"2") returns ..

Explanation: multiplies 1 by 2.

__vbaVarMove(VARIANT:Double:2280,VARIANT:Empty) returns DWORD:13F48C

The result is 2280.

__vbaVarCat(VARIANT:String:"REG-"VARIANT:Double:2280) returns DWORD:13F474

Then it is joined with REG- to give REG-2280.

__vbaVarCat(VARIANT:String:"REG-2280"VARIANT:String:"-CODE") returns DWORD:13F464

Then it is joined with -CODE to give REG-2280-CODE.

__vbaVarTstEq(VARIANT:String:"47806",VARIANT:String:"REG-2280-CODE") returns DWORD:0

Only then is it compared with the serial we typed.

__vbaVarTstEq(VARIANT:****,VARIANT:****) returns DWORD:0

Explanation: __vbaVarTstEq is used to compare variants. If they are equal the DWORD value is zero, and if they are not equal it is FFFFFFFF. That is why EAX is FFFFFFFF. It is similar to __vbaVarCmpEq.

So we have the serial we need. The user name is rhythm and the serial is REG-2280-CODE.

Figure 53

Click Validate in Figure 53.

Figure 54


So our registration succeeded. Figure 54.

INFO: The program writes the registration data to the files cconv.$$$ and cconv.ccc. Then, at program start, it checks whether they match this information.

OK, let's study another ReverseMe program.

(9) ReverseMe2

Figure 55

Figure 55 shows ReverseMe2 opened in Olly. You may want to ask why I opened it in Olly rather than SmartCheck. Actually, I did open ReverseMe2 in SmartCheck first, but it wouldn't open: as soon as SmartCheck loaded ReverseMe2, it closed by itself. So I opened it in Olly to find out what was happening. I suspected that ReverseMe2 has some anti-SmartCheck trick: as soon as ReverseMe2 notices SmartCheck, it tries to close SmartCheck immediately. Let's see how to get around this.

Right-click in the debugger window and choose Search for > All referenced text strings. You'll see Figure 56. Let's see whether ReverseMe2 looks for SmartCheck.

Figure 56

In Figure 56 we find the text NuMega SmartCheck at VA 00404525. Double-click VA 00404525 and let's study the code. Figure 57.

Figure 57

ReverseMe looks for the text NuMega SmartCheck. So here we'll change it to different text. I'll show the easiest way. In the debugger window, right-click at VA 00404525 and choose Follow in Dump > Immediate constant.

Figure 58

When you see Figure 58, just select the character you want to change and type whatever text you like on the keyboard.


Figure 59

When you select the 4D (M) in Figure 58 and press B on the keyboard, you see Figure 59.

Figure 60

When you click OK in Figure 59, you see Figure 60. In the same way we'll replace the character 43 (C) with another character.

Figure 61

Then right-click and choose Copy to executable file. You'll see Figure 62.

Figure 62

In Figure 62, right-click and choose Save file. Then save the file under whatever name you like. This time the file we saved can be opened in SmartCheck with no problem at all. We now see Figure 63.

Figure 63

This anti-anti technique can be used not only for SmartCheck but also for other tools such as Olly, ImpRec and LordPE. Let's try registering ReverseMe2.

Figure 64


Even though we type in a User name and Registration code, the Register button stays disabled, so we can't register. This ReverseMe program seems to check each typed character as it is entered. Figure 65.

Figure 65

So what do we need to look at? We'll study Figure 65 in detail.

Figure 66

Here we see the program computing something from some of the characters. But digging into Text2.Text in Figure 66, we find nothing.

Figure 67

So let's think about Figure 67. The ReverseMe program knows at startup that it is not yet registered.

Figure 68

Let's study Text3.Text "UNREGISTERED" (String) in Figure 68 in detail.

The line AppActivate(VARIANT:String:"NuSega S...", VARIANT:Missing) fails means that the text NuSega S... was not found. Then let's look at the line Text3.Text "UNREGISTERED" (String). I think you understand that our search only needs to run up to just before this UNREGISTERED string.


Figure 69

Look at Figure 69. __vbaVarTstEq(..) seems to compare something. Selecting __vbaVarTstEq(..) shows Figure 70.

Figure 70

It isn't very clear yet. We'll study it in detail.

Figure 71

Selecting Dir(VARIANT:String:"reginfo....",FLAGS:00000000) in Figure 71 shows Figure 72.

Figure 72

ReverseMe looks for a file called reginfo.key. __vbaVarTstEq(..) tests whether the reginfo.key file exists. If it doesn't exist, the text UNREGISTERED is shown in the main window and registration is not possible. This means we need a reginfo.key file, so we'll create one: open Notepad and save a file under the name reginfo.key. Then check the ReverseMe2 file again in SmartCheck.

Figure 73

Then you'll see Figure 74. We'll try to register.


Figure 74

OK. So far we still can't register. Let's see what has changed in SmartCheck.

Figure 75

In Figure 75 you'll see that the text Key File found has appeared in place of UNREGISTERED. OK. This time we'll go back and study the code that checks the serial.

Figure 76

Left(VARIANT:String:"rhythm",long:1)

Explanation: takes the first character of the name.

Asc(String:"r") returns Integer:114

Explanation: converts the ASCII character "r" to its integer value 114.

Mid(VARIANT:String:"rhythm", long:2, VARIANT:Integer:1)

Explanation: takes the second character of the name.

Asc(String:"h") returns Integer:104

Explanation: converts the ASCII character "h" to its integer value 104.

Then the third, fourth, ... characters are converted in the same way, and all of those numbers are then joined together: 114 + 104 + ..

Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10)

This time we'll look at all the events. Choose Show all events ( ).


Figure 77

In Figure 77 we see those numbers being joined together. The important line is Mid(VARIANT:String:"11410412...", long:2, VARIANT:Integer:10). The program takes only ten characters, starting from the second character. So the digits to take are just 1410412111.

Figure 78

Then continue with Figure 78.

__vbaVarSub(..) subtracts something. Then __vbaVarTstEq(..) compares something. So we need to look in detail. Click the little plus sign.

Figure 79

Looking at Figure 79, we find that __vbaVarSub(..) has nothing to do with __vbaVarTstEq(..).

Figure 80

But in the __vbaVarTstEq(..) of Figure 52 we see the value being converted to double.dbval in order to compare the real serial. In fact it was converted in order to compare 1410412111. So the real serial is ....

Figure 81

The program converts the first 5 characters of the name we typed to their ASCII values, then joins those values together. After that, to create the serial, it takes ten characters of the joined string starting from the second. Now, let's try the serial.
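The two checks that the SmartCheck traces reveal, CrackersConvert (Figure 52) and ReverseMe2 (Figures 76 to 81), re-created as an added example. This is not code from the guide or from the crackmes; it re-implements what the traced runtime calls (Len, Mid, Asc, __vbaVarMul, __vbaVarCat, __vbaVarTstEq) show the programs doing, so that a reading of the trace can be confirmed offline before going back to the debugger. The helper names vb_asc/vb_mid, the check function names and the sample inputs are this example's own choices.

```python
# Added example (not code from the guide or from the crackmes): the two
# serial checks re-created from the SmartCheck traces. vb_asc/vb_mid mirror
# the VB runtime calls seen in the trace (Asc, Mid); function names and
# sample inputs are this example's own choices.


def vb_asc(ch: str) -> int:
    """VB Asc(): character code of the first character of a string."""
    return ord(ch[0])


def vb_mid(s: str, start: int, length: int) -> str:
    """VB Mid$(s, start, length): 'start' is 1-based, as in the trace."""
    return s[start - 1:start - 1 + length]


# --- CrackersConvert, Figure 52 -------------------------------------------
# __vbaVarMul("114", 20) -> 2280, __vbaVarCat("REG-", 2280),
# __vbaVarCat("REG-2280", "-CODE"), then __vbaVarTstEq against the input.
def crackersconvert_expected(name: str) -> str:
    first = vb_asc(vb_mid(name, 1, 1))          # Asc("r") = 114 for "rhythm"
    return "REG-" + str(first * 20) + "-CODE"   # "REG-2280-CODE"


def crackersconvert_check(name: str, serial: str) -> bool:
    if not name:
        return False
    # Figure 51 shows Len(serial) being taken before any comparison;
    # the decisive call is the __vbaVarTstEq in Figure 52.
    return serial == crackersconvert_expected(name)


# --- ReverseMe2, Figures 76-81 ---------------------------------------------
# Asc() of the first five characters is concatenated ("114104121116104"),
# then Mid(..., 2, 10) keeps ten digits ("1410412111").
def reverseme2_expected(name: str) -> str:
    digits = "".join(str(vb_asc(c)) for c in name[:5])
    return vb_mid(digits, 2, 10)


def reverseme2_check(name: str, serial: str) -> bool:
    # Figure 80 shows the operand converted to double.dbval before the
    # __vbaVarTstEq, i.e. the comparison is numeric, not textual.
    try:
        return float(serial) == float(reverseme2_expected(name))
    except ValueError:            # non-numeric input (or empty name) cannot match
        return False


if __name__ == "__main__":
    for name, serial in [("rhythm", "47806"), ("rhythm", "REG-2280-CODE")]:
        print(f"CrackersConvert {name!r}/{serial!r}: {crackersconvert_check(name, serial)}")
    print("ReverseMe2 expected for 'rhythm':", reverseme2_expected("rhythm"))
```

Both schemes have the same shape: the client derives the expected serial from the name and hands it, together with the typed value, to a generic runtime comparison. That is exactly what an API tracer like SmartCheck logs, which is why the serial appears in the clear in Figure 52 and Figure 80. For a developer this is the lesson of the two traces: a check that materialises the correct answer in memory and then calls a library compare leaks that answer as a side effect of running.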


Figure 82

Our serial is most likely correct, because the Register button has become enabled again.

Figure 83

Selecting the Register button in Figure 82 shows Figure 83. Registration succeeded.

This time, open VB Decompiler, because I want to show VB Decompiler's decompiling ability.

Figure 84

Once it is open as in Figure 84, double-click Form_Load and scroll through it to understand how ReverseMe2 behaves. You'll see Figure 85.

Figure 85

Double-click Command1_Click and scroll through it. Figure 86.

Figure 86

Here I'd like to introduce the Veoveo program. This tool can enable or disable any button. Look.

Figure 87

The Register button is disabled. Open the Veoveo program.

Figure 88

As in Figure 88, right-click Veoveo and choose Enable Buttons (auto).

Figure 89

Looking at Figure 89, the Register button is now enabled. You can see how easy it is. Actually, even with the Register button enabled we won't be able to register, because the program checks whether the serial is correct.

(10) Cracking VB P-code programs

INFO: P-code is code that is interpreted only at execution time. P-code can be seen as low-level code that our microprocessors cannot interpret themselves. Just as Java programs need a virtual machine to run, VB p-code needs a virtual machine to run; only with the virtual machine can p-code be turned into native code. In VB, the virtual machine lives in the files MSVBVM50.DLL and MSVBVM60.DLL. These DLL files contain all the APIs that VB applications use, for example rtcMsgBox, which does the same as the Windows API MessageBox(). Important functions and rarely used functions should be compiled as p-code, while frequently used functions should be compiled as native code. Using p-code does give more protection, but it slows the program's execution. P-code mostly works on the stack: most instructions take their operands from the stack and put their result back on the stack. In C/C++ programs, if you want to compile as p-code you use a #pragma, and at link time a small run-time engine of about 9KB is put into the exe file. Some debuggers have the weakness that they cannot debug p-code.

Page 246: Cracker_Guide_2.1_

tcef;(15) -Visual Basic jzifh a&;om;xm;aom y&dk*&rfrsm;udk crack vkyfjcif; - 246 -

To learn about p-code in detail, let's try cracking Engineering Power Tools, which is built as p-code. Download Engineering Power Tools 2.0.4 from http://www.pwr-tools.com/ and install it. Then open ept-2002.exe in Olly.

Figure 90

As Figure 90 shows, Olly is not much help for debugging p-code files. For general knowledge, the ThunRTMain in Figure 90 refers to VB's main() function. If a VB file has been packed with some packer, you need to find ThunRTMain and dump from there.

Open ept-2002.exe in P32Dasm 2.5 instead of Olly. You'll see Figure 91.

File: C:\Program Files\Engineering Power Tools - Plus Edition v2.0.4\ept-2002(ori).exe
P32Dasm v2.5
VB6 Application detected ... PCode
MAINFORM Events:
191. plus_options_show
192. plus_options_hide
193. plus_options_enable
Page_Setup Events:
2. Setup_calc
Pneumatic_cylinders Events:
11. metric_calc
12. inch_loader
13. metric_loader
Shear_Keys Events:
24. option_set
Volumes_of_Solids Events:
52. sphere_calc
53. spherical_sector_calc
54. spherical_segment_calc
55. spherical_zone_calc
56. spherical_wedge_calc
57. hollow_cylinder_calc
58. hollow_sphere_calc
59. torus_calc
Hydraulic_cylinders Events:
12. metric_calc
13. inch_loader
14. metric_loader
Splash Events:
37. pchk
shape_generator Events:
1. generate_rectangular_tubing
2. generate_circle
8. generate_hollow_circle
GearCalc Events:
17. metric_gear_calc
Beam_Calc Events:
9. Selector
10. selector_SI
Psychro_2 Events:
1. log10
2. calc_vapor_pressure
3. calc_vapor_pressure_2
4. calc_dewpoint
5. calc_enthalpy
6. calc_relative_humidity
7. calc_specific_volume
8. calc_humidity_ratio
9. calc_humidity_ratio_2
10. calc_atmospheric_pressure
11. calc_wet_bulb
15. calc_rh
17. calc_dp
Structural_Tubing Events:
12. combo_loader
Enclosure_Cooling Events:
15. Solve_Open_SI
16. Solve_Closed_SI
Duct_Size Events:
26. calc3
Plate_Deflection Events:
10. solve_SI

Figure 91

To learn the program's behaviour, run ept-2002.exe. Figure 92.

Figure 92

What you see in Figure 92 is the caption UNREGISTERED. Clicking this caption shows Figure 93.

Figure 93

According to what Figure 93 shows, we can use either the Standard Edition or the Plus Edition. Clicking OK on Figure 93 shows Figure 94.

Figure 94

Figure 94 says that what we typed is incorrect.

Figure 95

So, as Figure 95 shows, some functions cannot be used. Now that we know the program's behaviour, let's go back to P32Dasm. Choose References > Procedures in P32Dasm. Figure 96.

Figure 96

What Figure 96 shows is the list of procedures in the program.

Figure 97

Did you notice that as soon as Engineering Power Tools opens, the splash screen checks whether it is registered? So selecting 73.22 Form.Load() in Figure 97 brings you to Figure 98.

Splash
73.22 Form.Load()
0016DF88: 6C ILdRf param_8
0016DFF4: 1B LitStr: "http://www.pwr-tools.com"
0016DFF7: 21 FLdPrThis
0016E18C: 1B LitStr: "\pwrtools.ini"
0016E18F: 2A ConcatStr
0016E21D: 1B LitStr: "USER NAME = "
0016E220: FB30 EqStr =
0016E26F: 23 FStStrNoPop var_108
0016E272: 1B LitStr: "REGISTRATION = "
0016E275: FB30 EqStr =
0016E277: C4 AndI4 And
0016E2C7: 1B LitStr: "REGISTRATION CODE = "
0016E2CA: FB30 EqStr =
0016E319: 23 FStStrNoPop var_108
0016E31C: 1B LitStr: "PASSWORD = "
0016E31F: FB30 EqStr =
0016E371: 1B LitStr: "SOFTWARE KEY = "
0016E374: FB30 EqStr =
0016E3BA: 3A LitVarStr: "<No Value>"
0016E3BF: 25 PopAdLdVar
0016E3C0: 1B LitStr: "User Name"
0016E3C3: 1B LitStr: "Settings"
0016E3C6: 1B LitStr: "EPTools"
0016E3C9: 0B ImpAdCallI2 GetSetting()
0016E3CE: FDB7 ImpAdStStr
0016E3D2: 3A LitVarStr: "<No Value>"
0016E3D7: 25 PopAdLdVar
0016E3D8: 1B LitStr: "Registration Code"
0016E3DB: 1B LitStr: "Settings"
0016E3DE: 1B LitStr: "EPTools"
0016E3E1: 0B ImpAdCallI2 GetSetting()
0016E3E6: FDB7 ImpAdStStr
0016E3EA: 3A LitVarStr: "<No Value>"
0016E3EF: 25 PopAdLdVar
0016E3F0: 1B LitStr: "Software Key"
0016E3F3: 1B LitStr: "Settings"
0016E3F6: 1B LitStr: "EPTools"
0016E3F9: 0B ImpAdCallI2 GetSetting()
0016E449: 7A ImpAdStI2 param_26
0016E44C: 1B LitStr: "Registered to: "
0016E44F: 76 ImpAdLdI4
0016E567: 04 FLdRfVar var_18C
0016E56A: FC22 CI4Var
0016E56C: 05 ImpAdLdRf
0016E56F: 4D CVarRef: var_AC
0016E574: 04 FLdRfVar var_98
0016E577: 0A ImpAdCallFPR4 Left()
0016E57C: 04 FLdRfVar var_98
0016E57F: FCF6 FStVar var_19C
0016E583: 04 FLdRfVar var_17C
0016E586: 04 FLdRfVar var_19C
0016E589: FB33 EqVarBool =
0016E58B: 1C BranchF 0016E60C
0016E58E: F4 LitI2_Byte: 255 0xFF (True)
0016E590: 7A ImpAdStI2 param_53
0016E593: 1B LitStr: "Show"
0016E596: 1B LitStr: "Plus Options"
0016E599: 1B LitStr: "Settings"
0016E59C: 1B LitStr: "EPTools"
0016E59F: 0A ImpAdCallFPR4 SaveSetting()
0016E5A4: F4 LitI2_Byte: 255 0xFF (True)
0016E5A6: 7A ImpAdStI2 param_26
0016E5A9: 1B LitStr: "Registered to: "
0016E5AC: 76 ImpAdLdI4
0016E5AF: 2A ConcatStr
0016E5B0: 23 FStStrNoPop var_108
0016E5B3: 21 FLdPrThis
0016E5B4: 0F VCallAd
0016E5B7: 19 FStAdFunc var_88
0016E5BA: 08 FLdPr var_88
0016E5F6: 0F VCallAd
0016E5F9: 19 FStAdFunc var_88
0016E5FC: 08 FLdPr var_88
0016E5FF: 0D VCallHresult PictureBox.Set_Visible()
0016E604: 1A FFree1Ad var_88
0016E607: 10 ThisVCallHresult
0016E60C: loc_0016E58B
0016E60C: loc_0016E4C7
0016E60C: loc_0016E4AF
0016E60C: 75 ImpAdLdI2
0016E60F: F4 LitI2_Byte: 0 0x0 (False)
0016E611: C6 EqI2 =
0016E612: 1C BranchF 0016E963
0016E615: F3 LitI2: 3800 0xED8
0016E618: EB CR8I2 Int(number)
0016E619: 37 PopFPR4
0016E963: loc_0016E612
0016E963: 13 ExitProcHresult

Figure 98

We'll examine the code in Figure 98. Some of the code has been cut out to keep it from getting too long.


0016E589: EqVarBool = ; checks whether var_17C and var_19C are equal. Like CMP.

0016E58B: BranchF 0016E60C ; if equal, goes to 0016E60C. BranchF (1C) is like JE, BranchT (1D) is like JNE, and Branch (1E) is like JMP.
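The stack discipline the INFO above describes, and the EqVarBool/BranchF pair just commented, as an added example: a toy interpreter for the Figure 98 fragment. This is not code from the guide, from P32Dasm or from the VB runtime; it models only the opcodes that fragment uses, with the semantics the chapter gives (operands popped, results pushed), and is a simplified reconstruction rather than the real MSVBVM interpreter. Following the decompiled If/Then of Figure 99 (the Then-body runs when var_17C equals the Left() of the stored code, otherwise control goes to the End If label at 56E60C), the BranchF is modelled as taken when the popped comparison result is False. The operand of the ImpAdLdI2 at 0016E60C is not printed in the listing; param_26, the flag stored at 0016E5A6, is assumed for it. The caption-building instructions between 0016E5A6 and 0016E60C are left out.

```python
# Added example, not code from the guide, P32Dasm or the VB runtime: a toy
# stack machine for the Figure 98 fragment around EqVarBool/BranchF. The
# mnemonics are the ones P32Dasm prints; the behaviour is a simplified
# reconstruction of what the chapter describes, not the real interpreter.

# (offset, mnemonic, operand) in listing order. The operand of ImpAdLdI2 at
# 0016E60C is not shown in the listing; param_26 (the flag stored at
# 0016E5A6) is an assumption. Caption-building instructions are omitted.
FRAGMENT = [
    (0x16E583, "FLdRfVar",        "var_17C"),   # push computed key
    (0x16E586, "FLdRfVar",        "var_19C"),   # push Left(stored code, Len(key))
    (0x16E589, "EqVarBool",       None),        # pop two, push (a == b)
    (0x16E58B, "BranchF",         0x16E60C),    # pop bool, jump when it is False
    (0x16E58E, "LitI2_Byte",      0xFF),        # push True (0xFF)
    (0x16E590, "ImpAdStI2",       "param_53"),  # pop -> "Plus Options" flag
    (0x16E5A4, "LitI2_Byte",      0xFF),
    (0x16E5A6, "ImpAdStI2",       "param_26"),  # pop -> registered flag
    (0x16E60C, "ImpAdLdI2",       "param_26"),  # push registered flag (assumed operand)
    (0x16E60F, "LitI2_Byte",      0x00),        # push False
    (0x16E611, "EqI2",            None),        # pop two, push (a == b)
    (0x16E612, "BranchF",         0x16E963),    # registered: skip the ops below
    (0x16E615, "LitI2",           3800),        # push 3800 (consumed after the cut)
    (0x16E618, "CR8I2",           None),        # Int(number): coerce top of stack
    (0x16E619, "PopFPR4",         None),        # pop into a Single (discarded here)
    (0x16E963, "ExitProcHresult", None),
]


def run(fragment, variables):
    """Interpret the fragment; returns (variables, final stack, visited offsets)."""
    env = dict(variables)
    stack = []
    visited = []
    index = {off: i for i, (off, _, _) in enumerate(fragment)}
    pc = 0
    while True:
        off, op, arg = fragment[pc]
        visited.append(off)
        if op in ("FLdRfVar", "ImpAdLdI2"):
            stack.append(env[arg])
        elif op in ("LitI2_Byte", "LitI2"):
            stack.append(arg)
        elif op in ("EqVarBool", "EqI2"):
            b, a = stack.pop(), stack.pop()
            stack.append(a == b)
        elif op == "BranchF":
            if not stack.pop():          # the comparison result is consumed here
                pc = index[arg]
                continue
        elif op == "ImpAdStI2":
            env[arg] = stack.pop()
        elif op == "CR8I2":
            stack.append(int(stack.pop()))
        elif op == "PopFPR4":
            stack.pop()
        elif op == "ExitProcHresult":
            return env, stack, visited
        else:
            raise ValueError(f"opcode {op} at {off:08X} is not modelled")
        pc += 1


def splash_check(computed_key, stored_code_prefix):
    """Run the fragment for one pair of values.
    Returns (plus_options_flag, registered_flag, took_unregistered_path)."""
    env, stack, visited = run(FRAGMENT, {"var_17C": computed_key,
                                         "var_19C": stored_code_prefix,
                                         "param_53": 0, "param_26": 0})
    assert stack == [], "every operand pushed by the fragment was consumed"
    return env["param_53"], env["param_26"], 0x16E615 in visited


if __name__ == "__main__":
    print("equal    :", splash_check("ABCD", "ABCD"))   # (255, 255, False)
    print("not equal:", splash_check("ABCD", "WXYZ"))   # (0, 0, True)
```

The visited list is the p-code analogue of stepping through the routine with a breakpoint at 0016E583: on the equal path the BranchF at 0016E58B simply consumes the True left by EqVarBool and execution falls into the block that sets the two flags; on the unequal path it jumps to 0016E60C, where the flag loaded there decides the second BranchF. Because each operand the fragment pushes is popped again, the stack is empty at ExitProcHresult on both paths, which is the property the INFO above summarises as "operands from the stack, results back onto the stack".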

To understand the code in Figure 98 more clearly, checking it in VB Decompiler gives Figure 99.

If ((Len(MemVar_5C103C) > 1) And (Len(MemVar_5C1038) > 1)) Then '56E60C
For var_168 = 1 To CVar(Len(MemVar_5C1040)): var_148 = var_168 'Variant
loc_56E4F8: var_110 = Mid$(MemVar_5C1040, CLng(var_148), 1)
If (var_110 <> "-") Then '56E513
loc_56E510: var_138 = var_138 & var_110
End If
Next var_168 'Variant
loc_56E534: MemVar_5C10C4 = Unknown_503BF8(MemVar_5C1038)
loc_56E53C: MemVar_5C10C4 = Unknown_4FD768()
loc_56E555: var_17C = CVar(Unknown_516920(Unknown_50507C(var_138))) 'Variant
If (var_17C = Left(MemVar_5C103C, CLng(Len(var_17C)))) Then '56E60C
loc_56E590: MemVar_5C1046 = &HFF
loc_56E59F: SaveSetting("EPTools","Settings","Plus Options","Show")
loc_56E5A6: MemVar_5C1044 = &HFF
loc_56E5BD: regbox.Text = "Registered to: " & MemVar_5C1038
loc_56E5D7: regbox.Forecolor = 0
loc_56E5EB: regbox.Fontbold = 0
loc_56E5FF: regpanel.Visible = 0
loc_56E607: Call Unknown_5000EC(MemVar_5C1044)
loc_56E60C: ' Referenced from: 56E4AF
End If
End If

Figure 99

Some of the prefixes used in p-code mnemonics are as follows. Figure 100.

Ad   Address
I#   Integer
Imp  Import
Ld   Load
Lit  Literal (ie "Hi", 2, 8)
Mem  Memory
R#   Real
Rf   Reference
St   Store
Str  String
V    Virtual
DOC  Duplicate Opcode (Redirect to another opcode)

Figure 100

Actually EPT reads from the registry to check whether we are registered. If we are not registered, it jumps to offset 0016E60C.

So we need to replace these conditional jumps with NOP. Before doing so, we'll open the location VA 56E589 in Olly. Figure 101.

Figure 101

We'll replace the highlighted places in Figure 101 with NOP. In p-code, the opcode equivalent to NOP is not 90; it is 21 (FLdPrThis). Figure 102.

Figure 102

After editing as in Figure 102, we can save the patched file. Then run the patched file. You'll see Figure 103.


Figure 103

I edited the regname.reg file as in Figure 104 and merged it into the registry. Why it needs editing becomes clear if you look at the code in Figure 98.

REGEDIT4

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\EPTools\Settings]

"User Name"="Myanmar Cracking Team"

"Registration Code"="Don't Hate the Crackers! Hate the C0dez."

Figure 104

Then you'll see Figure 105.

Figure 105

What I have explained is how to register with your own name without finding the key. If you want to find the key, I suggest you experiment yourself.


Chapter (16) - Cracking programs written in Delphi

In the previous chapter I explained how to crack programs written in Visual Basic. This time let's turn to Delphi programs. Recall that I once mentioned that a great many software products are written in Visual C++, Borland Delphi and Visual Dot.net. That is why I think it has become necessary for me to explain how to crack Delphi programs. (Actually, Delphi programs are similar in principle to Visual C++ programs.)

The program chosen for cracking this time is File Recovery Angel 1.13. This software helps you recover files you have deleted, and it is very easy to use. It can be downloaded free from www.filerecoveryangel.com.

OK, before we crack the program, open File Recovery Angel to get to know its behaviour.

Figure 1

After opening File Recovery Angel, choosing About from the Help menu shows Figure 1. Trying to recover a damaged folder shows Figure 2.

Figure 2

Trying to recover a large number of files shows Figure 3 as well.

Figure 3

These message boxes are the ones that pressure users into buying. OK, let's check what this program was written with. Figure 4.

Figure 4


As Figure 4 shows, the PEiD check finds that this program was written with Delphi 4.0 or Delphi 5.0. Only Delphi programmers would be able to tell the exact version by looking at the linker version; for us, knowing roughly is enough.

Opening FileRecoveryAngel.exe in Olly, you'll find the entry point as in Figure 5.

Figure 5

To see clearly how it works, press F9 (Run). Then choose Register(R) from the Option menu and prepare to register. Figure 6.

Figure 6

Type in the Registration Name and Registration Key as in Figure 6 and select the Register button. You'll see Figure 7.

Figure 7

Note the text "Register False" in Figure 7 and search for it in Olly as a text string. Then go to where this text string is. Figure 8.

Figure 8

Looking at Figure 8, you'll see that some jump lands at VA 00488FEA, where this BadBoy message is. For now, forget this jump. When you see Figure 7, press F12 (Pause) to pause the program. Then press Alt+K (Call Stack) and see where the calls are being made from. Figure 9.

Figure 9


As Figure 9 shows, Olly cannot give precise information about the calls. So we have to look at the System Stack to see where the error message box of Figure 7 was called from. (When cracking Delphi programs, the System Stack is more useful than the Call Stack. Another common method for cracking Delphi programs is to look for the FindWindowA API, because Delphi programs tend to look for an open window with a specific class name or title.)

Figure 10

Figure 10 is the state of the System Stack while Figure 7 is paused.

INFO: When Delphi code is disassembled in Olly, what you see looks a little odd (you'll notice there are few comments and little info), because Olly is not able to backtrace the calls. The Call Stack is sparse and gives only a little information. So if you want to know which call invokes a routine in a Delphi program, you have to use the System Stack. Looking at the return addresses in the System Stack and tracing back to the start of the call also takes quite a long time; it isn't very practical. Another method is needed, because Olly cannot show the exact starting address of the routine.

INFO: Delphi references global and local variables through pointers. For global variables it uses [REG+Constant], and for local variables [REG-Constant], where REG means a register. The point is that Olly cannot backtrace something like CALL DWORD PTR DS:[EBX+100]: when the value of EBX changes, the value of the pointer changes too, and Olly cannot backtrace this call. This is a real problem when dealing with Delphi programs. You can run into it in other languages too, but not as much as in Delphi.

INFO: This is a little worrying. The lucky thing for us is that we have a tool for Delphi: DaFixer's DeDe. DeDe is a disassembler made for Borland Delphi programs. DeDe is a very fast program for analysing exe files compiled with Delphi/Builder, and it can give back all of the file's dfm files, which can be opened and edited in Delphi. DeDe can extract strings, imported function calls, class method calls, components in units, Try-Except and Try-Finally blocks, and all the referenced code. You can also create a Delphi project folder containing the dfm, pas and dpr files. Every tool has weaknesses: since DeDe is not a debugger, patching in DeDe is not possible. Still, it works well together with Olly. When you download DeDe 3.50.04 build 1635, make sure the DOI and DSF files are included. Articles about DeDe are in DeDe's dede_doc directory. (DSF == DeDe Symbol File) (DOI == DeDe Offset Information File)

INFO: The important point about DeDe's configuration is that it is best to load the correct symbol files before processing an exe file. DeDe can work without the DOI/DSF files, but the DOI/DSF files are very important for resolving the call sequences correctly.

Figure 11


yHk(11)twdkif; DeDe &JU Options menu u Symbols udka&G;jyD; Delphi 5.0 eJUqdkifwJh vcl5.dsf zdkifudka&G;cs,fvdkufyg/ Delphi 7.0 y&dk*&rfawGudk analyze vkyfr,fqdk&ifawmh vcl7.dsf zdkifudka&G;&rSmyg/ DOI tab udkESdyfjyD; D5.doi zdkifudka&G;cs,fyg/ jyD;&ifawmh yHk(12)u Process button udkESdyfyg/

Figure 12

When you click the Process button in Figure 12, the message boxes in Figure 13 appear.

Figure 13

Simply choose the No button. You will then see Figure 14.

Figure 14

Click the Procedures tab in Figure 14. This lists the procedures used by File Recovery Angel. TFrmMain is the procedure for the program's main menu, the most important one. TFrmAbout is the form (dialog box) shown when you click the About menu. TFrmRegister is the registration form we are looking for. Select TFrmRegister. On the right you can see the starting points of routines that you could never find in Olly. Select ImgRegistereClick and you will see Figure 15.

Figure 15

VA 00488E34 is the start of the registration routine. Scroll down a little and you will see Figure 16.

Figure 16


Figure 16 shows the bad message displayed when a wrong registration key is entered. Study TFrmAbout on your own when you have time. In fact our work with DeDe was already finished at Figure 14, because that is where we found the start address of the registration routine. Note that address, VA 00488E34, press Ctrl+G in Olly and enter it. Figure 17.

Figure 17

DeDe can now be closed. Once we are at the start of the registration routine as in Figure 17, let's look at where the registration key is checked. Set a breakpoint at VA 00488E34 and try registering again. Figure 18.

Figure 18

When you click the Register button in Figure 18, execution stops at VA 00488E34, where we set the breakpoint. From there, press F8 (Step Over) until you reach VA 00488EFA in Figure 19.

Figure 19

VA 00488EFA in Figure 19 is the routine that generates the registration key. For the name "Myanmar Cracking Team" in the Registration name field of the registration form, it generates the required key "CA75FC30F7AD6E7C969032F175560906F79B9EE94E93D2D4302B92" and stores it in EAX. The CALL at VA 00488F13 compares the key in EAX with the value "4.10.1979" held in EDX. If they match, it writes "On" to "IsRegister" in the registry. If they do not match, execution continues, and at VA 00488F3F a second comparison decides whether or not to jump to the BadBoy ("Register False!"). By now I think you know what to do next.


Close Olly and start File Recovery Angel on its own. Then choose Register (R) from the Option menu and register. Figure 20.

Figure 20

After clicking the Register button in Figure 20 you will see Figure 21.

Figure 21

Choosing About from the Help menu shows Figure 22. In fact, no matter how many characters you type into the registration name field, File Recovery Angel checks no more than 12 of them. That is why it displays "Myanmar Crac" instead of "Myanmar Cracking Team".

Figure 22

Keep in mind that if you do not enter the correct key and instead change the JE at VA 00488F46 that jumps to the BadBoy into NOP, registration succeeds only temporarily. The reason is that when the program starts it reads Name and Unicodekey from under the two registry locations "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Frareg" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unicode" and verifies whether they are correct. For the details, click TFrmMain in Figure 23 and examine it.

Figure 23

FormCreate in Figure 23 shows the starting virtual address (00491A00) of the code that runs when the main menu is created. Study it on your own.


This time I want to show you a little trick. You will remember having to write a keygen in the Teleport Pro 1.61 lesson. Writing the keygen routine itself is not hard, but writing all the rest takes time. Personally, I find writing keygens very tedious. So I want to show you a little trick that makes the program produce the key itself, without writing a keygen.

Figure 24

Look carefully at Figure 24. At VA 00488EFA the serial is generated from the user name you typed. That serial is placed in the stack segment. It is then moved from the stack into EAX and compared with the serial you typed, which is held in EDX. If the two serials differ, execution goes to the BadBoy. Figure 25.

Figure 25

Look at Figure 25. The string "Register False!" at VA 00489184 is loaded into EAX, and if the comparison of the two serials fails, that BadBoy message is displayed. Figure 26.

Figure 26

Wouldn't it be nice if, instead of the "Register False!" string, it displayed the serial that belongs to the user name we typed? ☺☺☺☺☺☺☺☺☺☺

Alright, let's try to make it display exactly that. At VA 488FFB in Figure 25, change MOV EAX, 489184 to MOV EAX, DWORD PTR SS:[EBP-C] and save the file. (Note: remember that I said the real serial is temporarily stored on the stack.) Open the file you saved with the modified code and try registering. Figure 27.

Figure 27

This time let's try registering with the name rhythm.

Figure 28


Registering with the name rhythm gives the result in Figure 28. ☺☺☺☺☺☺☺

By now I think you have caught on. The key shown in Figure 28 (0415BFA8C..) is the serial key the program itself computed for the user name rhythm. Note this key and enter it the next time you register, and the registration completes successfully. Figure 29.

Figure 29

Clicking the Register button in Figure 29 shows Figure 30.

Figure 30

Choosing About from the Help menu shows Figure 31.

Figure 31


Chapter 17 - Cracking programs written in Java

This time we will try cracking programs written in Java. They are covered here because cracking a Java program works on different principles from other programs. Before cracking Java programs you will need to know a little about the Java Virtual Machine (JVM).

(1) Java Virtual Machine (JVM)

The Java language puts portability of code first. Java source code is the same on every OS and is compiled with the javac command. When Java source code (a plain text file with the .java extension) is compiled into the intermediate language (IL) called bytecode, the result is a file with the .class extension. This bytecode (or class) file contains JVM instructions, a symbol table and other information.

The bytecode is identical for every OS, and the JVM works as follows:

Figure 1

The architecture of the JVM can be viewed as follows:

Figure 2

Every JVM has a class loader subsystem, which is the mechanism for loading classes and interfaces.

[Figure 1 contents: software development: input file .java -> compiler (javac) -> output file .class; software execution: .class -> JVM -> CPU]

[Figure 2 contents: JVM architecture: class files -> class loader subsystem -> runtime data areas (method area, heap, Java stacks, PC registers, native method stack) -> execution engine -> native method interface -> native method libraries. Copyright ©White Cracker (Myanmar Cracking Team)]


Every JVM also has an execution engine, the mechanism that executes the instructions contained in the methods of the loaded classes. When bytecode reaches the execution engine it is converted into a form that the underlying CPU can understand.

Like a CPU, the JVM also has a few registers. All of them are 32 bits wide.

• pc – the program counter; points to the bytecode about to be executed.

• optop – a pointer to the top of the operand stack; used when evaluating arithmetic expressions.

• frame – a pointer to the execution environment of the method currently executing.
• vars – a pointer to the first local variable of the method currently executing.

Every JVM process has one method area and one heap. These areas are shared by all threads running inside the VM. Each thread has a stack of its own, and that area is used to PUSH and POP all the parameters the program works with.

The JVM's operations are stack-based. The stack is used to pass parameters to bytecodes and methods, and the result they produce is picked up from the top of the stack.

A stack frame on the Java stack reflects the state of a single call to a method. The frames of nested calls are stacked on top of this frame.

Every stack frame contains three areas:
• the local variables of the method call
• the execution environment of the method
• the operand stack

Local variables are stored in a 32-bit array indexed by the vars register.

Most data types occupy a single cell of that array; the long and double types need two cells.

The execution environment inside a frame is used to maintain information about the current stack. It holds a pointer to the previous stack frame, a pointer to the method's calls, and two further pointers (one to the bottom of the stack frame and one to the top of the current stack frame).

All objects are stored in the heap memory area and, at run time, are referenced indirectly through a handle. Because the JVM is essentially stack-based, it does not use registers to hold values, which is what keeps bytecode simple and convenient to work with.

Looking further into the JVM, you find the following:
• Primitive types

- byte: 8 bits, -128 to +127
- short: 16 bits, -32768 to +32767
- int: 32 bits, -2147483648 to +2147483647
- long: 64 bits, -9223372036854775808 to +9223372036854775807
- float: 32 bits, ±1.402398546E-45 to ±3.40282347E+8
- double: 64 bits, ±4.94065645841246544E-324 to ±1.79769313486231570E+308

• Reference types (the objects in use)
- class
- interface
- array

(2) Java Cracking Tools

The tools used for cracking Java programs are:


CCK (Class Construction Kit) (http://bcel.sourceforge.net/cck.html)

DJ Java Decompiler (http://www.neshkov.com/)

JAD Decompiler (http://www.kpdus.com/jad.html)

Java Decompiler (http://java.decompiler.free.fr)

JDebugtool (http://www.debugtools.com/)

Jode Decompiler (http://jode.sourceforge.net/) and

IDA Pro (http://www.datarescue.com/).

To crack Java programs you need Java Development Kit 1.3.x or later and Java Runtime Environment 1.6.x or later installed.

(a) CCK

CCK is a tool for creating and modifying Java class files, built as an experiment on top of BCEL and Swing. As it is a beta version, it still has a few bugs.

(b) DJ Java Decompiler

Atanas Neshkov's DJ Java Decompiler can decompile Java class files into text or other file formats. For example, it can turn the binary class files of a Java applet back into their original source code file. DJ Java Decompiler does not require Java to be installed. It is one of the best tools for decompiling Java files.

(c) JDebugtool

A stand-alone debugger, itself written in Java, so using JDebugtool requires JDK 1.6 (Java 6) to be installed. It is written to the JPDA (Java Platform Debugger Architecture) standard and is one of the best tools for debugging Java programs.

(d) JAD

A command-line tool that decompiles Java class files. It is used as follows:

jad example.class

Entering this command creates a file named example1.jad in the current directory.

(e) JODE

JODE is short for Java Optimizer and Decompiler. The decompiler reads .class files and produces the original .java files; it cannot recover comments or the names of local variables. The optimizer can transform .class files in a number of ways:

- obfuscating class, method, field and local names;

- removing debugging information;

- removing dead code (classes, fields, methods) and constant fields;

- optimizing the allocation of local variables.

(f) Java Decompiler

Emmanuel Dupuy's Java Decompiler is a program that decompiles .class and .jar files and can save the result as .java source files.

(3) Studying VisualRoute

The Java program chosen for cracking is VisualRoute 2007, which can be downloaded from www.visualroute.com. VisualRoute plots on a map the locations of the IP addresses lying between your computer's IP address and a web site or IP address you are interested in. Opening VisualRoute shows Figure 3.


Figure 3

Looking at how the program works, VisualRoute first creates a temporary folder. Because the folder name is built with the GetTickCount API, the name changes every time, since the tick count differs.

Figure 4

It creates the jexepackboot.class file and runs it via the CreateProcessA API. So, once jexepackboot.class has been created, copy it somewhere else and keep it. The location of the file is: <root>:\Documents and Settings\<current_user>\<temp_settings>\Temp

Figure 5

Once the CALL 0040108A in Figure 5 has executed, the program starts running. Pressing F7 to step into that CALL shows Figure 6.

Figure 6


As seen in Figure 6, the CreateProcessA API is called to run the Java interpreter. Once CreateProcessA has run, the jexepackboot.class file is deleted. The full command line is:

java -mx256m jexepackboot ER \"C:\\Program Files\\VisualRoute\\VisualRoute.exe\" \"C:\\DOCUME~1\\MYOMYI~1\\LOCALS~1\\Temp\\X170A7F4\"

After that, the program uses the WaitForSingleObject API to wait until the Java session ends. Figure 7.

Figure 7

This is in fact the structure of every Windows Java wrapper: the program itself is only a wrapper that unpacks the file and starts the Java class.

(4) Java cracking (studying the code)

After CreateProcessA has run, the wrapper waits in an endless loop, by way of the WaitForSingleObject API, for the last remaining thread inside the JVM.

We could patch this loader by writing an external loader of our own. (For example, we could build the temporary folder with a fixed name and place the patched classes inside it. That turns out to be unnecessary, as will become clear later.)

For now, let's decompile jexepackboot.class with DJ Java Decompiler, because we want to know in detail what the class does when it is executed.

Normally the first method executed for a class is its constructor (a method bearing the same name as the class). When the class is invoked directly (for example with the java.exe interpreter), its main method is executed. The main method is shown in Figure 8.

public static void main(String args[]) {
    PQ = System.currentTimeMillis();
    QQ = args[0].indexOf('D') >= 0;
    RQ("Java=" + System.getProperty("java.version"));
    jexepackboot jexepackboot1 = new jexepackboot(); // New instance of the current class
    int i = jexepackboot1.run(args);                  // Execute the method run(String[] as)
    if(i != 0)
        System.exit(i);
}

Figure 8

The code is simple. It first calls a few functions and then creates a new instance of the jexepackboot class. The first method executed is the constructor, which instantiates an EP object. That object belongs to the jexepackboot1 instance and does nothing with the other members of the jexepackboot class.

The class constructor creates the new object EP of type Properties. Figure 9. A Properties object can be saved to a stream, or loaded from one.


In short, a Properties object can be thought of as a small database in which every key in the property list, and the value belonging to it, is a string.

public jexepackboot( ) {
    // Create a new object EP of type Properties
    EP = new Properties();
}

Figure 9: class constructor code

Items are pushed into and read back from that database with the setProperty/getProperty object methods. Let's look at some Java code. To use message boxes in Java in the same way as ordinary message boxes, you use the Swing classes; Swing is what GUI-based Java programs are built with. All we need to do is import the class and call one method. For instance, a message box lets us trace when the main method is entered and when the constructor is executed.

Go to the top of the file and look at the list of import statements. The first and the last import must be present. Figure 10.

import java.awt.*; // Also used for messagebox support (AWT = Abstract Windowing Toolkit)
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.*;
import java.util.zip.GZIPInputStream;
import javax.swing.*; // Added for messagebox support

Figure 10

Now let's write a message box into the code wherever we want a pop-up message to appear.

We add it in the constructor and in the main method so the constructor can be traced. Figure 11.

public jexepackboot( ) {
    JOptionPane.showMessageDialog(null, "CLASS CONSTRUCTOR", "Reversing info (jexepackboot)", JOptionPane.INFORMATION_MESSAGE);
    // Create a new object EP of type Properties
    EP = new Properties();
}

public static void main(String args[]) {
    JOptionPane.showMessageDialog(null, "MAIN METHOD - START", "Reversing info (jexepackboot)", JOptionPane.INFORMATION_MESSAGE);
    PQ = System.currentTimeMillis();
    QQ = args[0].indexOf('D') >= 0;
    RQ("Java=" + System.getProperty("java.version"));
    jexepackboot jexepackboot1 = new jexepackboot();
    int i = jexepackboot1.run(args);
    if(i != 0) {
        JOptionPane.showMessageDialog(null, "MAIN METHOD - SYSTEM EXIT", "Reversing info (jexepackboot)", JOptionPane.INFORMATION_MESSAGE);
        System.exit(i);
    }
    JOptionPane.showMessageDialog(null, "MAIN METHOD - END", "Reversing info (jexepackboot)", JOptionPane.INFORMATION_MESSAGE);
}

Figure 11

Compile jexepackboot.java with the Java compiler (javac.exe). When Olly reaches VA 0x004021EB, replace the original jexepackboot.class that the wrapper has just written with our modified jexepackboot.class, then press F9. You will see Figure 12.


Figure 12

Good. Let's look briefly at how the program runs. Figure 13.

(1) VisualRoute.exe

(2) java -mx256m jexepackboot ER ...

(3) START (jexepackboot.class)

(4) jexepackboot jexepackboot1 = new jexepackboot();

(5) jexepackboot1 (constructor)

(6) int i = jexepackboot1.run(args);

(7) END (jexepackboot.class)

Figure 13

When the constructor of jexepackboot1 runs, it creates a new Properties() object. To understand properly what happens when the jexepackboot class calls the run(args) method of jexepackboot1, let's look at that function in detail.

The arguments of the run method are the same ones that were passed to jexepackboot:

Args[0] = ER
Args[1] = <root>:\<prog_folder>\VisualRoute\VisualRoute.exe (full path of the main executable)

Args[2] = <root>:\DOCUME~1\<user>\<temp_set>\Temp\XE70DC8 (full path of the temporary folder)

The beginning of the run method looks like Figure 14:

private int run(String as[]) {
    // Check the installed Java system.
    if(!SQ())
        return 9999;
    if(as.length < 3)
        return 10010;
    // Check whether E is present on the command line.
    boolean flag = as[0].indexOf('E') >= 0;
    // Check whether R is present on the command line.
    boolean flag1 = as[0].indexOf('R') >= 0;
    // file points to the main executable.
    File file = new File(as[1]);
    // Keep the temporary folder path as string s.
    String s = as[2];
    // Push system properties key = jexepack.exe with item = <full path of VisualRoute.exe>.
    UQ("exe", TQ = file.toString());
    // Push system properties key = jexepack.resdir with item = <temporary folder path>.
    UQ("resdir", s);
    // file1 points to the temporary folder.
    File file1 = new File(s);

Figure 14

Here you can see the UQ method being called twice. Let's add message box code to that method.

private void UQ(String s, String s1) {
    Properties properties = System.getProperties();
    properties.put("jexepack." + s, s1);
    System.setProperties(properties);
    // Added for tracing: show the key/item pair that was just pushed.
    String mybuffer = "key = jexepack." + s + "\nitem=" + s1;
    JOptionPane.showMessageDialog(null, mybuffer, "Reversing info (UQ method)", JOptionPane.INFORMAT
ION_MESSAGE);
}

Running this code produces Figure 15.

Figure 15

Some information is stored in the System properties database, and two file pointers are initialized.

Note: The System class maintains a set of properties made up of key/value pairs. These pairs describe attributes of the current working environment. When the runtime system starts for the first time, the system properties are initialized with information about the runtime environment, which can include the current user, the current version of the Java runtime, and even the character used to separate the components of a file name.

The next instruction in the run method calls the IM function.

// Load the VisualRoute.exe image as the byte array abyte0[].
byte abyte0[] = IM(file);

The IM function works as follows.

private byte[] IM(File file) {
    RandomAccessFile randomaccessfile = null;
    try {
        randomaccessfile = new RandomAccessFile(file, "r");
        // Take the file size as the size of a new byte array.
        byte abyte0[] = new byte[(int)randomaccessfile.length()];
        // abyte0[] is a byte array the same size as the file pointed to. First the whole file
        // is read into abyte0. Then the size is checked: if the amount of data read equals the
        // array size (that is, the file size), the copy completed successfully and abyte0[] can
        // be handed back under the new reference abyte1[].
        if(abyte0.length == randomaccessfile.read(abyte0)) {
            byte abyte1[] = abyte0; // abyte1[] is a reference to a one-dimensional byte array.
            return abyte1;
        }
    }
    catch(Exception _ex) { }
    finally {
        try {
            // Everything is done, so the file stream can be closed.
            randomaccessfile.close();
        }
        catch(Exception _ex) { }
    }
    return null;
}

The next instructions in the run method work on the file image (overlay data extraction). A check is performed first, and only then does the data extraction follow.

private byte[] VQ(byte abyte0[], char c) {
    WQ = -1; // Set WQ to -1. If everything goes well, this value is never changed.
    for(int i = 0; i + 28 < abyte0.length; i += 16)
        if(BQ(abyte0, i) && abyte0[i + 15] == c) {
            int j = LQ(abyte0, i + 16);
            int k = LQ(abyte0, i + 20);
            long l = (long)j & 0xffffffffL | (long)k << 32;
            int i1 = LQ(abyte0, i + 24);
            int j1 = i + 16 + 8 + 4;
            if(j1 + i1 <= abyte0.length) {
                if(1L == l * UM(abyte0, j1, j1 + i1))
                    return FO(new String(abyte0, 0, j1, i1));
                WQ = 10092;
            }
        }
    return null;
}

Look at the for loop. i is initialized to zero and the loop runs while i + 28 is still inside the array; as long as that condition holds, 16 is added to i on each pass. To make this clearer, look at the PE header. Figure 16.

Figure 16

In the PE header you can see that the VA starts from 0x1C (28). Inside the for loop the BQ method is called as a check. Its argument is the data bytes, and it reads a 16-byte group from the byte array.

private boolean BQ(byte abyte0[], int i) {
    int j = 0;
    do
        if(abyte0[i + j] != (char)(74 + (j * 3) / 2))
            return false;
    while(++j < 15);
    return true;
}

In fact, the BQ method checks whether the 16-byte group it reads is "JKMNPQSTVWYZ\]_", which in hex is 4A 4B 4D 4E 50 51 53 54 56 57 59 5A 5C 5D 5F. If this fixed key sequence is found, the return value is true; otherwise it returns false.

Viewing VisualRoute.exe in WinHex, you find this sequence in 3 places. Figure 17.

Figure 17


If you look for what Figure 17 shows in Olly's dump window, you will not see it like this, because 00004600, 000067F0 and 00006860 are physical (file) addresses on disk. To find them in Olly you need to convert them to virtual addresses first.

To find out what is going on, let's open the file in LordPE and look at the sections. Figure 18.

Figure 18

Our extra data exists only on disk; it is not even part of the last section. Comparing the Size of Image with the sum of the Raw Sizes makes this clear.

Raw offset + Raw Size

400 + 1A00 = 1E00

1E00 + 800 = 2200

2600 + 600 = 2C00

2C00 + 1A00 = 4600 (sum of the Raw Sizes)

Since the file size is 0x7000, the Windows loader will not map some of the data into memory.

Figure 19

To be exact, our overlay data is 0x2A00 (0x7000 - 0x4600) bytes. Back up the VisualRoute.exe file and change the Raw Size and Virtual Size of the .rsrc section as shown in Figure 20.

Figure 20

After making the change in Figure 20, save the file and close LordPE. Now open the backed-up (original) VisualRoute.exe in CFF Explorer. Figure 21.

Figure 21


Then type 4600 into the File Offset field. Normally the Address Converter built into CFF Explorer computes the correct RVA and VA, but in Figure 21 the RVA and VA show abnormal values.

Now open the VisualRoute.exe that was modified and saved as in Figure 20 in CFF Explorer and type 4600 into the File Offset field again. Figure 22.

Figure 22

This time CFF Explorer computes the virtual address correctly. Let's look at that address in Olly. Figure 23.

Figure 23

If you open the original VisualRoute.exe instead, there is nothing to see there. Figure 24.

Figure 24

The offset within the section starts at 1A00 (406A00 - 405000). Looking at offsets 000067F0 and 00006860 in Olly likewise shows Figure 25.

Figure 25
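The overlay arithmetic above (raw offset plus raw size of each section, compared with the file size) and the file-offset-to-VA conversion that CFF Explorer performs can both be done by a small PE parser. The following is an added example, not code from this guide or from any of the tools it mentions. It builds a constructed PE32 header in memory from the section raw offsets and sizes quoted on the page (the section names, their virtual addresses and the image base 0x400000 are assumptions), reports the overlay size, and maps a file offset to a VA, returning None when no section covers the offset, which is exactly why the converter showed abnormal values for offset 4600 before the .rsrc section was enlarged. A second constructed header with the .rsrc raw and virtual size grown by the overlay size (0x1A00 + 0x2A00) reproduces the 406A00 result.

```python
import struct

IMAGE_BASE = 0x400000        # assumed image base (the page's VAs are 0x40xxxx)
SECTION_ALIGNMENT = 0x1000   # assumed
FILE_ALIGNMENT = 0x200       # assumed

# Constructed section table using the raw offsets/sizes quoted on the page:
# (name, virtual address, virtual size, raw offset, raw size).
# Names and virtual addresses are assumptions; .rsrc at RVA 0x5000 matches the
# page's "406A00 - 405000" computation.
SECTIONS = [
    (".text",  0x1000, 0x1A00, 0x0400, 0x1A00),
    (".rdata", 0x3000, 0x0800, 0x1E00, 0x0800),
    (".data",  0x4000, 0x0600, 0x2600, 0x0600),
    (".rsrc",  0x5000, 0x1A00, 0x2C00, 0x1A00),
]
FILE_SIZE = 0x7000           # file size quoted on the page


def build_sample_pe(sections, file_size):
    """Build a minimal PE32 image in memory (headers only, zero-padded to
    file_size). Constructed sample for this example, not a real binary."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)            # PE32 magic
    opt[28:32] = struct.pack("<I", IMAGE_BASE)
    opt[32:36] = struct.pack("<I", SECTION_ALIGNMENT)
    opt[36:40] = struct.pack("<I", FILE_ALIGNMENT)
    last_va, last_vs = sections[-1][1], sections[-1][2]
    size_of_image = -(-(last_va + last_vs) // SECTION_ALIGNMENT) * SECTION_ALIGNMENT
    opt[56:60] = struct.pack("<I", size_of_image)
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, ro, 0, 0, 0, 0, 0x40000040)
        for n, va, vs, ro, rs in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image + b"\0" * (file_size - len(image))


def parse_sections(data):
    """Return (image_base, size_of_image, sections) read from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    secs = []
    for i in range(nsec):
        name, vs, va, rs, ro = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va,
                     "vsize": vs, "raw": ro, "rawsize": rs})
    return image_base, size_of_image, secs


def overlay_info(data):
    """(end of the last section on disk, overlay size): the page's
    'raw offset + raw size' sum over all sections, set against the file size."""
    _, _, secs = parse_sections(data)
    end = max((s["raw"] + s["rawsize"] for s in secs), default=0)
    return end, max(len(data) - end, 0)


def file_offset_to_va(data, offset):
    """Map a file offset to a VA, or None when no section's raw range covers it
    (overlay bytes are never mapped by the loader, so they have no VA)."""
    image_base, _, secs = parse_sections(data)
    for s in secs:
        if s["raw"] <= offset < s["raw"] + s["rawsize"]:
            return image_base + s["va"] + (offset - s["raw"])
    return None


SAMPLE = build_sample_pe(SECTIONS, FILE_SIZE)
# The same header after the page's edit: .rsrc raw and virtual size grown by the overlay size.
GROWN = SECTIONS[:-1] + [(".rsrc", 0x5000, 0x1A00 + 0x2A00, 0x2C00, 0x1A00 + 0x2A00)]
SAMPLE_GROWN = build_sample_pe(GROWN, FILE_SIZE)

if __name__ == "__main__":
    end, size = overlay_info(SAMPLE)
    print("sections end at %#x on disk, overlay of %#x bytes" % (end, size))
    print("offset 0x4600 -> VA", file_offset_to_va(SAMPLE, 0x4600))
    print("offset 0x4600 -> VA after growing .rsrc: %#x" % file_offset_to_va(SAMPLE_GROWN, 0x4600))
```

For triage purposes, a non-zero overlay on an executable that is expected to be a plain PE is worth flagging: packers, installers and wrappers append their payload there precisely because the loader never maps it, so a memory dump of the running process will not contain it.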

Running this modified VisualRoute.exe produces the error shown in Figure 26.

Figure 26

That is a CRC check of the file's integrity. We will study it later; for now, restore the original VisualRoute.exe.

Let's return to JexePack's BQ method. By studying the overlay data in detail we have learned how VisualRoute.exe works. To find the interesting part, let's continue with the VQ function.

Inside the VQ function, the LQ function is called twice. LQ decrypts the code and finally returns it as a byte array.


Let's look back at the run method.

// Load VisualRoute.exe as the byte array abyte0[].
byte abyte0[] = IM(file);
// Check whether the image was loaded successfully.
if(abyte0 == null)
    return 10011;
// Look for JKMNPQSTVWYZ\]_B in the overlay data.
if(VQ(abyte0, 'B') == null)
    if(WQ > 0)
        return WQ;
    else
        return 10002;
// Extract the bytes of the JKMNPQSTVWYZ\]_V overlay data segment.
// The bytes are decrypted and all returned as the byte array abyte1[].
byte abyte1[] = VQ(abyte0, 'V');
if(WQ > 0)
    return WQ;
// Dump the decrypted data to the file Vdata.dat on disk (added for analysis).
writeByteArrayToDisk(abyte1, "Vdata.dat", 0, 0, 0);

writeByteArrayToDisk is a function we added so that data arrays can be saved to disk. Dumping the decrypted array to disk lets us study what the decrypted data contains. Figure 27 shows the decrypted data stream.

Figure 27

The writeByteArrayToDisk function is written as follows.

private void writeByteArrayToDisk(byte bytebuffer[], String fileName, int start, int numbytes, int mode) {
    // Programmer = ThunderPwr of ARTeam
    File file = new File(fileName);
    if (mode == 0) {
        try {
            // Write the whole byte array, from 0 to the last element.
            FileOutputStream file_output = new FileOutputStream(file);
            DataOutputStream data_out = new DataOutputStream(file_output);
            for (int i = 0; i < bytebuffer.length; i++) {
                data_out.writeByte(bytebuffer[i]);
            }
            file_output.close();
        }
        catch (IOException e) {
            System.out.println("IO exception = " + e);
        }
    }
    else {
        try {
            // Write a section of the array, from start to start + numbytes elements.
            FileOutputStream file_output = new FileOutputStream(file);
            DataOutputStream data_out = new DataOutputStream(file_output);
            for (int i = start; i < start + numbytes; i++) {
                data_out.writeByte(bytebuffer[i]);
            }
            file_output.close();
        }
        catch (IOException e) {
            System.out.println("IO exception = " + e);
        }
    }
}

The next instructions deal with the EP Properties.


// Check whether the extraction succeeded. Then parse the string held in the array and store
// each parsed line as a (key, item) pair in the EP properties.
// Remember that the EP properties behave like a local database.
if(abyte1 != null) {
    for(StringTokenizer stringtokenizer = new StringTokenizer(new String(abyte1, 0), "\n"); stringtokenizer.hasMoreTokens();) {
        String s3 = stringtokenizer.nextToken();
        int j = s3.indexOf('=');
        if(j > 0) {
            EP.put(s3.substring(0, j), s3.substring(j + 1));
            String key = s3.substring(0, j);   // no need to add
            String item = s3.substring(j + 1); // no need to add
        }
    }
}

Some of the values pushed into the EP properties can be listed as key/item pairs as follows. If you open the Vdata.dat file under the *:\Program Files\VisualRoute\ folder, you will see the following.

packager = JexePack 5.5a
main = vr
target = JM
mx = 256
windowed = yes
execwd = *

After some data has been extracted from the overlay section, the VQ function searches for the chunk that begins with the letter V. It then decrypts that chunk and stores the result as abyte2[]. All of that data is decompressed (the GZIP stream is inflated) by the YQ function and finally written to disk with the ZQ function. Keep in mind that the extracted files are stored in a temporary folder. Figure (28).

Figure (28)

Note: JexePack is a command-line tool that turns your Java application, together with its resources (GIF/JPG/TXT/etc.), into a single compressed 32-bit Windows exe file. The exe runs on top of Sun's Java Runtime Environment. It can produce either a console program or a Windows application.

While your exe is running, JexePack extracts the files it bundled into the single package into a temporary folder and sets java.class.path. It then runs your Java program on a suitable Java VM. When the program finishes, the temporary folder is deleted. JexePack can be downloaded from the following address.

http://www.duckware.com/jexepack/index.html

The features of JexePack are:

- Packs your application, icon included, into a single exe file.
- A native exe integrates better with the system (icon, double-click, shortcuts, etc.).
- Because the packaged classes and resources are compressed, the exe file stays very small.
- Can be tied to a specific Java runtime version.
- Fully supports JNI (Java Native Interface) DLLs.
- Fully supports loading and looking up classes at run time.
- Can install the JRE automatically.


Another tool from the same company is called Jobfuscate, and VisualRoute.exe turns out to be obfuscated with it. That is why the function names are VQ, WQ and so on. If you want to learn about this tool, see the following address.

http://www.duckware.com/jexepack/index.html

Let us continue with the run Method.

// Extracts the "build" item from the Properties.
// If no key equals build, s2 is set to null.
String s2 = EP.getProperty("build");
if(s2 != null)
    UQ("build", s2);
if(!SQ())
    return 9999;
// File writing begins.
if(flag) {
    RQ("extract=yes");
    // Searches for JKMNPQSTVWYZ\]_Z and stores it as the abyte2[] array.
    byte abyte2[] = VQ(abyte0, 'Z');
    // If data was extracted, it is saved to disk.
    if(abyte2 != null && abyte2.length > 4) {
        Object obj = null;
        abyte2 = XQ(abyte2);
        int k = LQ(abyte2, 0);
        int l = LQ(abyte2, 4);
        abyte2 = YQ(abyte2, l, 8);             // decompresses the GZIP data stream
        int i1 = abyte2 != null ? ZQ(file1, abyte2, k) : 10034;
        if(i1 > 0)
            return i1;
        RQ("extracted=" + k);
    } else if (WQ > 0)
        return WQ;
    else
        return 10012;
}
// File writing ends.
if(!flag1)
    return 12345;

Continuing, the next commands look up the class named vr and assign it to class1. (vr.class has already been extracted at this point.)

// The "main" key holds the item "vr", so this statement makes s1 equal to "vr".
String s1 = EP.getProperty("main");
if(s1 == null)        // s1 = vr
    return 10020;
// Now the vr class is loaded with a Class.forName(<class_name>) statement.
Object obj1 = null;
int i = 0;
Class class1 = null;
try {
    class1 = Class.forName(s1);
} catch(Throwable throwable) {
    obj1 = ((Object) (throwable));
    i = 10024;
}
// Creates a new file named Jz.Ky.Tx in the temporary folder.
File file2 = new File(file1, "Jz.Ky.Tx");

At this point a daemon thread is created from the run Method of the jexepackboot class; the jexepackboot.class file is then deleted from the temporary folder, and the freshly loaded vr class is invoked with the as1 arguments.


if(obj1 == null) {
    if(!QM(file2, new byte[100]))
        return 10013;
    String as1[] = new String[as.length - 3];
    for(int j1 = 0; j1 < as1.length; j1++)
        as1[j1] = as[3 + j1];
    // From here on jexepackboot runs as a daemon thread (cyclic).
    Thread thread = new Thread(this);
    thread.setDaemon(true);
    thread.start();
    // Deletes the jexepackboot.class file from the temporary folder.
    (new File(file1, getClass().getName() + ".class")).delete();
    try {
        // Executes the main Method of the newly loaded class.
        RQ("main=" + s1);        // s1 = vr
        Method method = class1.getMethod("main", new Class[] {java.lang.String[].class});
        method.invoke(null, new Object[] { as1 });
    }

That is how jexepackboot.class works. In fact jexepackboot is nothing more than a loader that does the preparatory work so that the other classes can launch the target program. If you want a message box to appear once the files have been extracted, you can add the following. Figure (29).

// File writing ends.
if(!flag1)
    return 12345;
JOptionPane.showMessageDialog(null, "run Method, FILE WROTE \n patch the vr.class",
        "Reversing info (jexepackboot)", JOptionPane.INFORMATION_MESSAGE);

Figure (29)

This trick pauses the loader after extraction, which gives you the moment at which to patch the vr.class file before it is loaded.
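As an added example, not code from the page or from JexePack itself, here are the two pieces of the loader's extraction step that the decompiled fragments above describe, rebuilt in Python so they can be run against a dumped overlay offline: the key=value parse that fills the EP properties, and the chunk layout the run Method reads (a 32-bit field at 0 that is later reported as extracted=k, a 32-bit length at 4, and a GZIP stream at 8). The function names are mine, the sample inputs are constructed, and the big-endian integer width is an assumption (the convention of Java's DataInputStream; the page never shows LQ's body).

```python
import gzip
import struct


def parse_properties(blob):
    """Split a newline-separated key=value blob into a dict, the way the
    decompiled loop over StringTokenizer(..., "\\n") and indexOf('=') does.
    Lines without a key in front of '=' are skipped, exactly as the loader
    skips them (j > 0). Whitespace is stripped here for robustness; the
    decompiled loop stores the raw substrings."""
    props = {}
    for line in blob.decode("latin-1").split("\n"):
        j = line.find("=")
        if j > 0:
            props[line[:j].strip()] = line[j + 1:].strip()
    return props


def unpack_chunk(chunk):
    """Mirror k = LQ(buf, 0); l = LQ(buf, 4); YQ(buf, l, 8): read two 32-bit
    fields, then gunzip l bytes starting at offset 8.
    Assumption: LQ reads a big-endian int32 (Java DataInputStream order)."""
    if len(chunk) < 8:
        raise ValueError("chunk too short for its two header fields")
    k, length = struct.unpack(">II", chunk[:8])
    if 8 + length > len(chunk):
        raise ValueError("declared length %d exceeds chunk size %d" % (length, len(chunk)))
    return k, gzip.decompress(chunk[8:8 + length])


def build_chunk(k, payload):
    """Constructed test input: the inverse of unpack_chunk, used only so the
    example can run without a real VisualRoute overlay."""
    comp = gzip.compress(payload)
    return struct.pack(">II", k, len(comp)) + comp


# Constructed sample resembling the Vdata.dat listing on the page.
SAMPLE_VDATA = (b"packager = JexePack 5.5a\nmain = vr\ntarget = JM\n"
                b"mx = 256\nwindowed = yes\nexecwd = *\n")

if __name__ == "__main__":
    ep = parse_properties(SAMPLE_VDATA)
    print("main class:", ep["main"])
    k, data = unpack_chunk(build_chunk(1, b"\xca\xfe\xba\xbe constructed class bytes"))
    print("k =", k, "payload length =", len(data))
```

The `main` value is what the loader later hands to Class.forName, so checking it in the parsed dict is the quickest way to confirm which extracted class file is the real target.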

(5) Java cracking (studying the code in detail)

This time the vr.class file has to be modified as follows.

import java.io.*;
import java.util.Hashtable;
import javax.swing.*;                  // to be added

public class vr extends ClassLoader {
    private Hashtable g_cl;
    private Object m_o;
    private String className = "vr";   // the first time through it is vr

    public vr() {                      // Default constructor
        g_cl = new Hashtable();
    }

    public vr(String buffer) {         // Overload of the default constructor
        className = buffer;
        printClassName("CONSTRUCTOR " + className);
        g_cl = new Hashtable();
    }

    public void printClassName(String functionName) {
        JOptionPane.showMessageDialog(null, functionName,
                "Reversing info (" + getClass().getName() + ".class / " + className + ")",
                JOptionPane.INFORMATION_MESSAGE);
    }


A new vr instance named vr1 is created.

vr vr1 = new vr("vr1");        // replaced with vr1
vr1.equals(args);
vr1.equals("bl_ver=1.01");

Then make this further change.

public boolean equals(Object obj) {
    try {
        // Create a new instance of the class A
        printClassName("equals(loadClass(\"A\", true).newInstance() ");
        m_o = m_o != null ? m_o : loadClass("A", true).newInstance();
    } catch(Exception exception) {
        exception.printStackTrace();
    }
    boolean flag = m_o.equals(obj);   // Call the method equals for the class A
    return flag;
}

After that, the loadClass method is called with the argument A.

When these changes are done, open VisualRoute.exe in Olly again. When you see Figure (29), replace the extracted vr.class file with the patched vr.class. You will then see Figure (30).

Figure (30)


Chapter (18) - Cracking programs written in Visual Dot.net

This time it is the turn of .net programs to be cracked. Cracking .net programs is much easier than cracking programs written against native APIs, because a close equivalent of the program's source code can be recovered by decompilation. Since everything can be seen, from which functions are called down to the arguments they are called with, cracking becomes very easy. Before cracking anything, though, I want you to understand the nature of .net, so I will first explain the basic theory behind it.

(1) What .net is

For most programmers, the ideas behind .net are a puzzle. .net is one of Microsoft's most fashionable words and is used widely across Microsoft products, from ASP.net to Visual Studio.net. In fact .net programs are not compiled directly to machine code (languages such as C++ are compiled straight to machine code); they are compiled to an Intermediate Language called IL. If you have worked with Java, the .net Framework is like the Java Virtual Machine: IL can be compared to the bytecode that Java programs are compiled into. Seen from the programming side, compiling to bytecode like this brings many benefits (apart from a drop in execution speed). Java's reason for doing it is that it lets Java programs run on different operating systems and even on different processors. Although that is not .net's main goal, the design approach is the same.

For .net programmers, the main advantage of IL is that the identifiers (class names, method names, field names; local variable names live only in the .pdb) survive in the compiled program. (Note: remember we discussed that when C programs are compiled, local variable names are lost beyond recovery.) This is what lets programmers write different parts of one program in different languages.

That same fact is the main advantage for crackers. Because a .net program carries its logic as bytecode, the identifiers remain intact. Likewise, because IL is a little higher-level than real processor code, it can easily be rebuilt into a high-level language. Knowing this, people have built tools that turn .net programs back into something close to the original .net source code. One good tool of this kind was written by Lutz Roeder and is called Reflector.

(2) Tools

Before cracking .net programs, I will go over the tools we will use. You will not need all of them at the same time, but you should have all of them at hand.

(2.1) Reflector (.net assembly decompiler)

Reflector is a class browser for .net components. It can locate the metadata, IL instructions, resources and XML documentation stored in a .net assembly.

http://www.aisto.com/roeder/dotnet/

(2.2) ILDasm (.net assembly disassembler)

The MSIL Disassembler is the companion tool to the MSIL Assembler (Ilasm.exe). ILDasm.exe takes a PE file containing Microsoft intermediate language (MSIL) code and produces a text file suitable as input to Ilasm.exe.

Reflector can decompile a .net assembly to IL code, but it does not show the actual bytes of the IL instructions in the assembly. In ILDasm you can choose to have the IL instructions shown with their hex values.

For example, look at the BLE instruction. If the first value is less than or equal to the second, it jumps to the specified instruction. (In native code this was like JLE.) If you look in a hex editor, you will see that the actual byte is 3E. If you change the BLE instruction to BGT, it jumps to the specified instruction when the first value is greater than the second; BGT is represented by 3D. So if you want to patch this spot, go to the hex editor and change 3E to 3D. The four-byte branch target that follows the opcode stays as it is; only the opcode byte is swapped.

Now let us look at a procedure as ILDasm shows it.

.method public specialname instance class Scroller.Scroller/Title
        get_Titles(object Index) cil managed
// SIG: 20 01 12 0C 1C
{
  // Method begins at RVA 0xcd7c
  // Code size       23 (0x17)
  .maxstack  2
  .locals init (class Scroller.Scroller/Title V_0)
  IL_0000:  /* 02   |              */ ldarg.0
  IL_0001:  /* 7B   | (04)00000D   */ ldfld
  IL_0006:  /* 03   |              */ ldarg.1
  IL_0007:  /* 28   | (0A)00005C   */ call       object
  IL_000c:  /* 6F   | (0A)00005D   */ callvirt   instance object
  IL_0011:  /* 74   | (02)000003   */ castclass  Scroller.Scroller/Title
  IL_0016:  /* 2A   |              */ ret
} // end of method Scroller::get_Titles

This is part of the IL code.

IL_0000 : the IL offset label (line number). 02 : the actual byte(s) of the IL instruction on that line. ldarg.0 : the IL instruction.

Do not be discouraged if you do not understand this yet. It is discussed in detail later.

The benefit of seeing both the bytes and the IL instructions is that whether you want to NOP out a CALL or patch any other spot, you can do it easily. To compute the file offset you have to use the RVA.

Ildasm comes with Visual Studio 200x, so there is no need to download it separately.

(2.3) WinHex (Hex editor)

You can use any hex editor, but WinHex is my favourite.

http://www.x-ways.com/

(2.4) CFF Explorer (General PE File Explorer)

It is a very good tool for browsing the contents of any PE file, including the metadata tables and resources inside an assembly.

http://www.ntcore.com

(2.5) SNS Remover (Strong Name Signature Remover)

Some .net assemblies are signed with a digital signature when they are built, to prevent tampering and modification. If any byte of a strongly named assembly is changed, the .net runtime refuses to load the assembly wherever strong-name verification is enforced. Our SNS remover tool can remove the signature field from a signed assembly. I should mention that CFF explorer can also remove the Strong Name signature from a .net assembly and rebuild the PE file, see Figure (1), but I prefer this small tool.

Figure (1)

http://www.pmode.com


(2.6) PEBrowse Professional (Disassembler/Debugger)

A debugger/disassembler that can disassemble and debug .net assemblies. It shows the IL instructions with their actual bytes, and it can break on any JIT compiler event. With this debugger you can trace .net IL instructions and see what is happening behind the scenes.

http://www.smidgeonsoft.com

(2.7) .Net Generic Unpacker (.Net assembly Unpacker)

You will need this tool when dumping .net assembly PE files. Some .net protection products, such as .Net Reactor, pack your program's .net assembly and produce a PE file that is not MSIL; the assemblies are unpacked only when the file runs in memory. The technique is meant to keep the original assembly's code from being obtained, but you can get past it with the simple .net generic unpacker.

http://www.ntcore.com

Finally, note that Reflector sometimes cannot decompile a particular procedure or function into your preferred language (C#, VB, Delphi), so you need to be comfortable with IL instructions. Compared with learning Assembly language to crack native code, IL is easier and quicker to understand.

(3) Opcodes

This is the most important point in cracking. As you have seen, .net applications express their program instructions in MSIL, so compiling in Visual Studio does not convert your source code into native machine code. Native code is produced only when the JIT compiler compiles it. JIT stands for just-in-time compiler: it converts parts of your program into native code as they are needed and executes them.

Let us study some code output by Ildasm.

IL_0000:  /* 02 | */  ldarg.0
(line number)  (actual byte(s))  (IL instruction)

Opcodes are the byte encodings of Microsoft Intermediate Language (MSIL) instructions. If you understood the earlier chapters thoroughly, you already know what the following instructions mean.

JMP, JNE, JLE, NOP, CALL, etc.

MSIL opcodes are not the same as the native opcodes designed for Intel processors. For example, in a native program, if you know the offset of a CALL and you do not want it to execute, you open the program in a hex editor and overwrite it with the byte 90, which stands for NOP (No OPeration), one 90 for each byte of the instruction (five for a near CALL).

In MSIL, NOP is 00 instead of 90. Because this matters, the opcodes needed for MSIL are listed below. You will not need all of them when cracking .net programs; mostly you will use NOP and the jump instructions to skip over unregistered states. Keep in mind that, unlike x86, IL is checked as a stack machine when it is JIT-compiled: NOPing out a call whose return value the next instruction consumes leaves the evaluation stack unbalanced, and the method is rejected with an InvalidProgramException, so the instruction that consumed the value (often a pop or a branch) has to be dealt with as well.

The opcode descriptions below follow the official wording; they will be explained in practice as we crack programs. To keep the list short, only the commonly used opcodes are included.

Opcode        Bytes    Meaning
And           5F       Computes the bitwise AND of two values and pushes the result onto the evaluation stack.
Beq           3B       Transfers control to a target instruction if two values are equal.
Beq_S         2E       Transfers control to a target instruction (short form) if two values are equal.
Bge           3C       Transfers control to a target instruction if the first value is greater than or equal to the second value.
Bge_S         2F       Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value.
Bge_Un        41       Transfers control to a target instruction if the first value is greater than or equal to the second value, when comparing unsigned integer values or unordered float values.
Bge_Un_S      34       Transfers control to a target instruction (short form) if the first value is greater than or equal to the second value, when comparing unsigned integer values or unordered float values.
Bgt           3D       Transfers control to a target instruction if the first value is greater than the second value.
Bgt_S         30       Transfers control to a target instruction (short form) if the first value is greater than the second value.
Bgt_Un        42       Transfers control to a target instruction if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Bgt_Un_S      35       Transfers control to a target instruction (short form) if the first value is greater than the second value, when comparing unsigned integer values or unordered float values.
Ble           3E       Transfers control to a target instruction if the first value is less than or equal to the second value.
Ble_S         31       Transfers control to a target instruction (short form) if the first value is less than or equal to the second value.
Ble_Un        43       Transfers control to a target instruction if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Ble_Un_S      36       Transfers control to a target instruction (short form) if the first value is less than or equal to the second value, when comparing unsigned integer values or unordered float values.
Blt           3F       Transfers control to a target instruction if the first value is less than the second value.
Blt_S         32       Transfers control to a target instruction (short form) if the first value is less than the second value.
Blt_Un        44       Transfers control to a target instruction if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Blt_Un_S      37       Transfers control to a target instruction (short form) if the first value is less than the second value, when comparing unsigned integer values or unordered float values.
Bne_Un        40       Transfers control to a target instruction when two unsigned integer values or unordered float values are not equal.
Bne_Un_S      33       Transfers control to a target instruction (short form) when two unsigned integer values or unordered float values are not equal.
Br            38       Unconditionally transfers control to a target instruction.
Brfalse       39       Transfers control to a target instruction if value is false, a null reference (Nothing in Visual Basic), or zero.
Brfalse_S     2C       Transfers control to a target instruction (short form) if value is false, a null reference, or zero.
Brtrue        3A       Transfers control to a target instruction if value is true, not null, or nonzero.
Brtrue_S      2D       Transfers control to a target instruction (short form) if value is true, not null, or nonzero.
Br_S          2B       Unconditionally transfers control to a target instruction (short form).
Call          28       Calls the method indicated by the passed method descriptor.
Clt           FE 04    Compares two values. If the first value is less than the second, the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Clt_Un        FE 03    Compares the unsigned or unordered values value1 and value2. If value1 is less than value2, then the integer value 1 (int32) is pushed onto the evaluation stack; otherwise 0 (int32) is pushed onto the evaluation stack.
Jmp           27       Exits current method and jumps to specified method.
Ldarg         FE 09    Loads an argument (referenced by a specified index value) onto the stack.
Ldarga        FE 0A    Loads an argument address onto the evaluation stack.
Ldarga_S      0F       Loads an argument address, in short form, onto the evaluation stack.
Ldarg_0       02       Loads the argument at index 0 onto the evaluation stack.
Ldarg_1       03       Loads the argument at index 1 onto the evaluation stack.
Ldarg_2       04       Loads the argument at index 2 onto the evaluation stack.
Ldarg_3       05       Loads the argument at index 3 onto the evaluation stack.
Ldarg_S       0E       Loads the argument (referenced by a specified short form index) onto the evaluation stack.
Ldc_I4        20       Pushes a supplied value of type int32 onto the evaluation stack as an int32.
Ldc_I4_0      16       Pushes the integer value of 0 onto the evaluation stack as an int32.
Ldc_I4_1      17       Pushes the integer value of 1 onto the evaluation stack as an int32.
Ldc_I4_2      18       Pushes the integer value of 2 onto the evaluation stack as an int32.
Ldc_I4_3      19       Pushes the integer value of 3 onto the evaluation stack as an int32.
Ldc_I4_4      1A       Pushes the integer value of 4 onto the evaluation stack as an int32.
Ldc_I4_5      1B       Pushes the integer value of 5 onto the evaluation stack as an int32.
Ldc_I4_6      1C       Pushes the integer value of 6 onto the evaluation stack as an int32.
Ldc_I4_7      1D       Pushes the integer value of 7 onto the evaluation stack as an int32.
Ldc_I4_8      1E       Pushes the integer value of 8 onto the evaluation stack as an int32.
Ldc_I4_M1     15       Pushes the integer value of -1 onto the evaluation stack as an int32.
Ldc_I4_S      1F       Pushes the supplied int8 value onto the evaluation stack as an int32, short form.
Ldstr         72       Pushes a new object reference to a string literal stored in the metadata.
Leave         DD       Exits a protected region of code, unconditionally transferring control to a specific target instruction.
Leave_S       DE       Exits a protected region of code, unconditionally transferring control to a target instruction (short form).
Mul           5A       Multiplies two values and pushes the result on the evaluation stack.
Mul_Ovf       D8       Multiplies two integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Mul_Ovf_Un    D9       Multiplies two unsigned integer values, performs an overflow check, and pushes the result onto the evaluation stack.
Neg           65       Negates a value and pushes the result onto the evaluation stack.
Newobj        73       Creates a new object or a new instance of a value type, pushing an object reference (type O) onto the evaluation stack.
Nop           00       Fills space if opcodes are patched. No meaningful operation is performed although a processing cycle can be consumed.
Not           66       Computes the bitwise complement of the integer value on top of the stack and pushes the result onto the evaluation stack as the same type.
Or            60       Computes the bitwise OR of the two integer values on top of the stack and pushes the result onto the evaluation stack.
Pop           26       Removes the value currently on top of the evaluation stack.
Rem           5D       Divides two values and pushes the remainder onto the evaluation stack.
Rem_Un        5E       Divides two unsigned values and pushes the remainder onto the evaluation stack.
Ret           2A       Returns from the current method, pushing a return value (if present) from the callee's evaluation stack onto the caller's evaluation stack.
Rethrow       FE 1A    Rethrows the current exception.
Stind_I1      52       Stores a value of type int8 at a supplied address.
Stind_I2      53       Stores a value of type int16 at a supplied address.
Stind_I4      54       Stores a value of type int32 at a supplied address.
Stloc         FE 0E    Pops the current value from the top of the evaluation stack and stores it in the local variable list at a specified index.
Sub           59       Subtracts one value from another and pushes the result onto the evaluation stack.
Sub_Ovf       DA       Subtracts one integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Sub_Ovf_Un    DB       Subtracts one unsigned integer value from another, performs an overflow check, and pushes the result onto the evaluation stack.
Switch        45       Implements a jump table.
Throw         7A       Throws the exception object currently on the evaluation stack.
Xor           61       Computes the bitwise XOR of the top two values on the evaluation stack, pushing the result onto the evaluation stack.

The obstacles you will run into when cracking any assembly are the following. Here I give only a brief summary; for details, search on Google.

(a) Obfuscation

This is the process of renaming Methods and classes, such as an IsLicensed function, to unreadable names so that we cannot find them. Obfuscation makes things harder, but tracing through obfuscated code is not that difficult. The answer is to set bookmarks in Reflector or to keep notes on a blank sheet of paper. Cracking needs patience; without it you will not get anywhere.

(b) Encoded Strings

This one is fairly nasty. Back in Olly we could look for strings through Search and, from those strings, work out what the functions (CALLs) do. Here you will not see strings such as "Invalid Serial Number". The most common way of hiding strings is to encode them and store the encoded stream as a binary .net resource; whenever a string is needed, a function is called to fetch it from the encoded stream. The weakness of this approach is that the decoding routine has to be fast to keep the program fast, so it cannot be much slower than using plain strings. Most decoding functions use byte shifting or XOR to reassemble the strings, which makes them easy to reverse: once you find the decoder (the decoding function), you can recover the strings and even write your own decoder. Later I will show how to crack the decoding functions used in commercial software.
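As an added example, not from the page or from any named obfuscator, here is the "write your own decoder" step for one plausible encoded-string resource layout: a sequence of entries, each a 16-bit little-endian length followed by the bytes of the string, with byte i of every entry XORed with (seed + i) & 0xFF. The layout, the seed, the function names and the sample strings are all assumptions made for this example; a real product's decoder is whatever Reflector shows you. The last function is the fallback you use when the seed is not obvious from the decompiled code: an 8-bit seed is simply brute-forced against the whole resource.

```python
import struct

# Assumed layout (constructed for this example): [len:u16 LE][len bytes] repeated,
# data byte i XORed with (seed + i) & 0xFF. The length field is stored in clear.


def decode_entry(blob, offset, seed):
    """Decode one entry exactly as a decompiled decoder would: read the length,
    undo the per-byte XOR, return the string and the offset of the next entry.
    Decoding is strict so that a wrong seed fails loudly instead of producing
    replacement characters."""
    if offset + 2 > len(blob):
        raise ValueError("entry at 0x%x has no length field" % offset)
    n = struct.unpack_from("<H", blob, offset)[0]
    data = blob[offset + 2:offset + 2 + n]
    if len(data) != n:
        raise ValueError("entry at 0x%x is truncated" % offset)
    plain = bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))
    return plain.decode("utf-8"), offset + 2 + n


def recover_all(blob, seed):
    """Walk the whole resource once the scheme is understood."""
    out, off = [], 0
    while off < len(blob):
        s, off = decode_entry(blob, off, seed)
        out.append(s)
    return out


def guess_seed(blob):
    """Brute-force an 8-bit seed: keep every seed under which each entry decodes
    to non-empty printable text. Usually only the real seed survives."""
    hits = []
    for seed in range(256):
        try:
            strings = recover_all(blob, seed)
        except ValueError:            # UnicodeDecodeError is a ValueError too
            continue
        if all(s and s.isprintable() for s in strings):
            hits.append(seed)
    return hits


def encode_blob(strings, seed):
    """Constructed test input: what the (assumed) obfuscator would have emitted."""
    blob = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        blob += struct.pack("<H", len(raw))
        blob += bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(raw))
    return bytes(blob)


SAMPLE_SEED = 0x5A
SAMPLE_STRINGS = ["Invalid Serial Number", "Thank you for registering", "IsLicensed"]
SAMPLE_BLOB = encode_blob(SAMPLE_STRINGS, SAMPLE_SEED)   # constructed resource

if __name__ == "__main__":
    print("candidate seeds:", ["0x%02x" % k for k in guess_seed(SAMPLE_BLOB)])
    for s in recover_all(SAMPLE_BLOB, SAMPLE_SEED):
        print(repr(s))
```

Once the strings are back, the interesting one ("Invalid Serial Number" here) is found by its index in the resource, and the call site that fetches that index is the check you want to reach in Reflector.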

(c) Strong Name Signature

A digital signature authenticates digital documents, text and data and guards against their being tampered with. Public key cryptography is used to create one: first a 160-bit hash of the data is computed, then that hash is encrypted (signed) with a specific private key. Anyone holding the public key that matches the private key can use it to verify the author and confirm that the data has not been altered.

This is one of the methods used to protect .net assemblies against modification. When a .net exe is run, the strong name signature is checked: if one is present, the digital signature is verified, and if verification fails the runtime knows the assembly has been changed and refuses to run it. In practice this is weaker than it sounds. The check happens only where the runtime enforces strong-name verification (on installation into the GAC and for partially trusted code), and since .NET Framework 3.5 SP1 it is skipped entirely for full-trust assemblies. Strong names identify an assembly; they are not a security boundary against a user who controls the machine.

You can find the details of how strong name signatures work on the internet.
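As an added example, not from the page and not the code of any named SNS remover, here is what such a tool edits in the file, shown on a constructed CLR header. The field offsets are those of the IMAGE_COR20_HEADER structure (Flags at 0x10, EntryPointToken at 0x14, StrongNameSignature directory at 0x20); the sample token, signature RVA and signature size are made up for the example.

```python
import struct

# IMAGE_COR20_HEADER layout: +0x00 cb, +0x04 major/minor runtime version,
# +0x08 MetaData directory, +0x10 Flags, +0x14 EntryPointToken,
# +0x18 Resources directory, +0x20 StrongNameSignature directory (RVA, size).
FLAGS_OFF, ENTRY_OFF, SNSIG_OFF = 0x10, 0x14, 0x20
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008


def build_sample_clr_header(entry_token, signed):
    """Constructed 72-byte header for the example; not taken from a real binary."""
    hdr = bytearray(72)
    struct.pack_into("<I", hdr, 0, 72)
    struct.pack_into("<HH", hdr, 4, 2, 5)
    flags = COMIMAGE_FLAGS_ILONLY | (COMIMAGE_FLAGS_STRONGNAMESIGNED if signed else 0)
    struct.pack_into("<I", hdr, FLAGS_OFF, flags)
    struct.pack_into("<I", hdr, ENTRY_OFF, entry_token)
    if signed:
        # Made-up RVA; 128 bytes is the size of a 1024-bit RSA signature.
        struct.pack_into("<II", hdr, SNSIG_OFF, 0x2C00, 128)
    return hdr


def entry_point_token(hdr):
    return struct.unpack_from("<I", hdr, ENTRY_OFF)[0]


def is_strong_name_signed(hdr):
    """Both the flag and a non-empty signature directory mark a signed image."""
    flags = struct.unpack_from("<I", hdr, FLAGS_OFF)[0]
    _rva, size = struct.unpack_from("<II", hdr, SNSIG_OFF)
    return bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED) and size != 0


def remove_strong_name(hdr):
    """Clear the signed flag and the signature directory, leaving every other
    field (including the entry point token) untouched."""
    flags = struct.unpack_from("<I", hdr, FLAGS_OFF)[0]
    struct.pack_into("<I", hdr, FLAGS_OFF, flags & ~COMIMAGE_FLAGS_STRONGNAMESIGNED)
    struct.pack_into("<II", hdr, SNSIG_OFF, 0, 0)
    return hdr


if __name__ == "__main__":
    h = build_sample_clr_header(0x06000028, signed=True)
    print("signed before:", is_strong_name_signed(h))
    remove_strong_name(h)
    print("signed after: ", is_strong_name_signed(h),
          "entry token 0x%08x" % entry_point_token(h))
```

Clearing these two fields alone still leaves the public key in the assembly's manifest, so wherever verification is enforced the loader now sees a delay-signed assembly; a complete tool also strips that key from the assembly definition, or you register verification skipping for it with sn -Vr.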

(4) Finding the Entry Point Method (EPM)

The Entrypoint Method is the first Method called when a .net application starts, and being able to see it in Reflector or Ildasm matters. In a typical .net application it looks like this:

Public Shared Sub Main()
    Application.Run(New MainForm)
End Sub


The importance of this Method is that you can trace the program's actions from the moment it starts until it reaches the registration routine.

Another benefit of this Method is that you get to analyse the MainForm class the application uses as its main form. If you look closely at Application.Run, you will see the arguments going in and out of this function and their values.

To find the Entrypoint RawData offset, do the following:

1. Open the program to be cracked in CFF explorer.
2. Go to the .NET Directory node.
3. Among the values shown in the grid, find the EntryPointToken row.
4. Read the last column of that row. This value is a DWORD and points us to the entrypoint Method.

Here we take the token value to be 06000028. The token may look strange to you: it is a DWORD that encodes a table and an index into that table, that is, it points to one row of one table. For example, suppose our token is 06000028.

06             000028
Table index    Row index in that table

The table in question here is the Method table. In CFF explorer you can see it under the Tables node beneath the Metadata Streams node. Once at the Tables node, find the Method table as in Figure (2).

Figure (2)

Expand the Method table and look for index 40 (28h). You will then see Figure (3).

Figure (3)

Select the row in Figure (3) and you can view the information for this method. What interests us most is the first row, which gives the RVA of the method. Reading the value in the last column, it is 0x4974.

(5) Finding the file offset of the EPM with CFF explorer

A .net PE file has three sections: .text, .reloc and .rsrc. The .text section holds the Import Table, the Import Address Table and the .Net section. Suppose a .net PE file has the following values.

Page 283: Cracker_Guide_2.1_

Chapter (18) – Cracking programs written with Visual Dot.net - 283 -

ImageBase of the .NET PE file: 0x400000

.text section virtual address (RVA): 0x002000

.text section raw address (file offset): 0x000200

EntryPoint method RVA: 0x004974

When this file is mapped into memory we get:

                ImageBase    .text        EP_Method
    VA          0x400000     0x402000     0x404974
    RVA         0x0          0x2000       0x4974

So when the file is laid out in memory, the .text section is found 0x2000 bytes past the ImageBase, and the method data 0x4974 bytes past the ImageBase.

Now let us compute the offset of ep_method within the .text section:

    Offset = [EP_Method RVA] – [.text section RVA]
           = 0x4974 – 0x2000
           = 0x2974

So the method data starts 0x2974 bytes into the .text section's data. Using the .text section's RawData offset, we can compute the method's RawData offset the same way:

    Method RawData Offset = .text section RawData Offset + 0x2974
                          = 0x200 + 0x2974
                          = 0x2B74

So the method's offset in the file is 0x2B74.

Right-click the entry from Figure (3) and choose Disassemble Method, and you will see Figure (4).

Figure (4)

In its simplest form: EPM File Offset = [EntryPoint RVA] – [.text section VA] + [.text section RawAddress]. The same formula applies with any other section's values if the method's RVA happens to fall inside that section rather than .text.

All three values are available from CFF Explorer. CFF Explorer also has an Address Converter, so once you have an RVA you can work out the file offset of any method.


(6) Finding the Entry Point Method (EPM) with Ildasm

This is easy, but you need to know the actual bytes from the EntryPoint method's disassembly. The technique works for any method, not just the EPM:

    .method public hidebysig static void Main() cil managed
    // SIG: 00 00 01
    {
      .entrypoint
      .custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
      // Method begins at RVA 0x4974
      // Code size       26 (0x1a)
      .maxstack  8
      IL_0000:  /* 00 |              */ nop
      IL_0001:  /* 28 | (0A)000078   */ call       void
      IL_0006:  /* 00 |              */ nop
      IL_0007:  /* 16 |              */ ldc.i4.0
      IL_0008:  /* 28 | (0A)000079   */ call       void
      IL_000d:  /* 00 |              */ nop
      IL_000e:  /* 73 | (06)00003D   */ newobj     instance
      IL_0013:  /* 28 | (0A)00007A   */ call       void
      IL_0018:  /* 00 |              */ nop
      IL_0019:  /* 2A |              */ ret
    } // end of method Form1::Main

This is the disassembly of the entry point method of a simple .NET application, showing the IL instructions in that method. In a hex editor, search for the bytes of these instructions (the 4-byte metadata token follows the opcode in little-endian order):

    IL_0001   28 78 00 00 0A     (call, token 0A000078)
    IL_0008   28 79 00 00 0A     (call, token 0A000079)

So the hex sequence to search for is 00 28 78 00 00 0A 00 16 28 79 00 00 0A. Normally about ten bytes are enough to find a unique match. Figure (5) shows this sequence being searched for in WinHex.

Figure (5)

That takes you to the offset of the first real code byte. With the previous method you landed on the method header byte, which sits before the code bytes. A .NET method body is laid out as in Figure (6).

Figure (6)

The first method takes you to the > position (the header); to reach the first code byte you must add the header size, here 1 (it will not always be 1: a tiny header, used when the code is under 64 bytes with no locals and a maxstack of at most 8, is a single byte, whereas a fat header is 12 bytes). That is why the computed answer is 2B74 while the hex search lands on 2B75.


(7) Finding the Entry Point Method node in the Ildasm tree

Want to see the decompilation of the entry point method? Now that you know the EntryPoint method's RVA from CFF Explorer, it is time to look at its code.

You can use either ILDasm or Reflector for this. Keep in mind that ILDasm can only show .NET methods in IL form. With luck, Reflector will decompile the entry point method into the .NET language of your choice; otherwise you will depend on ILDasm to analyse the code.

Both ILDasm and Reflector show an assembly as a tree view, but only ILDasm tells you the RVA of each method you disassemble. Look again at the ILDasm listing of Form1::Main in section (6): the comment line "// Method begins at RVA 0x4974" is the value to match against the RVA read from CFF Explorer.

Much of the time you will be dealing with obfuscated code and will not be able to tell from the names which ILDasm node is the entry point method; with hundreds or thousands of nodes the search gets harder.

You already know the EPM's RVA from CFF Explorer, so now let us find the EntryPoint method's node. In ILDasm, disassemble some method in any class and look at its RVA. If that value is larger than the EPM's RVA, look at a node higher up; the higher the node, the smaller its method's RVA tends to be. Searching this way for a minute or two, you will find the entry point method's node in ILDasm. (Note: while searching this way, make sure Sort by name in ILDasm's View menu is not selected, otherwise the tree order no longer follows token order.)

(8) Using the Entry Point Method (EPM) with the PEBrowse debugger

Once you know the entry point token from CFF Explorer for the application to be cracked, you can use that token to find the entry point method in PEBrowse. By setting a breakpoint at the moment the JIT compiler compiles the EPM, you can break into the .NET application.

The steps are: (1) Open the application to be cracked in PEBrowse. Wait until all libraries and modules have been loaded. (2) PEBrowse will stop just before the EPM is called, so this is the best time to find the node and set a breakpoint there.

(3) Among the modules loaded with the application, the .NET modules have red icons. Figure (7). Looking at the Methods node you will see the classes with their methods.

(4) Each method has its token next to its name. For example, the token for button1_Click is 06000005.

(5) Since you already know the EPM token from CFF Explorer, you can find the right node here. As with the RVA in ILDasm, the token values increase as you go down the list.


(6) When you find the right node, right-click it and choose the "Add Breakpoint" menu item. That is all.

Figure (7)

(9) Patching basics

This time let us look at patching .NET applications. The program chosen for patching is Dot_Net_ReverseMe_2.exe, which can be downloaded from the download section of www.tuts4you.com. (It does not matter if you do not have the program; what matters is understanding the explanation.) First, check the program to be patched with PEiD. Figure (8).

Figure (8)

The program is certainly written in a .NET language. Now, when we run the program we see Figure (9).

Figure (9)

Going by Figure (9) there is nothing for us to do, because there is no textbox to type a serial into and no button to check it. So, to look at the code, open the program in Reflector. Figure (10).

Figure (10)


Now we find some interesting things. One is a boolean field named IsRegistered. The other is the CheckReg() function. Double-clicking CheckReg() to open it confirms our suspicion. Figure (11).

Figure (11)

Next, a word about .ctor(). In C++, Java, C# or any other OOP (Object Oriented Programming) language, a class can have a constructor that initialises the values of its members. In .NET the class constructor is not given a name of its own; it is simply called .ctor(), short for constructor. The member variable IsRegistered decides whether the program is registered. What gives us our opening is that the registered state is initialised in the constructor. So let us open .ctor() and look. Figure (12).

Figure (12)

Our program is unregistered simply because of the statement this.IsRegistered = false; in .ctor(). If we could change that false to true ... ☺☺☺

The decompiled code we are looking at is C#. Let us view Figure (12) as MSIL instead. Figure (13).

Figure (13)

Figure (13) is the direct translation of the bytecode. To patch .NET programs you have to work at the IL level. .NET can in fact be described as a stack machine, because it does its work on a stack rather than in registers. For example, to move a value from A to B, the value of A is PUSHed onto the stack and then POPped from the stack into B. Other architectures would move directly from A to B, or use a register as temporary storage.

To understand Figure (13) properly you need to know the IL opcodes. In Figure (13) the stack is used heavily for these two lines of source. For the single statement this.IsRegistered = false; there are three stack-related IL instructions, shown below.


    L_0000: ldarg.0
    L_0001: ldc.i4.0
    L_0002: stfld bool Dot_Net_ReverseMe_2.frmMain::IsRegistered

Translating these IL instructions with the help of an IL reference:

    ldarg.0    load argument 0 (here: this) onto the stack
    ldc.i4.0   push the int32 constant 0 onto the stack
    stfld      pop a value and an object reference; replace that object's field with the value

Written as object-oriented pseudocode, this is (arg0).IsRegistered = 0; To make the program registered we want (arg0).IsRegistered = 1; which means changing the second instruction to ldc.i4.1.

This is cracking at its most basic. Look at the bytecode for ldc.i4.0: it is 0x16. ldc.i4.1 is 0x17. So now we know what to replace. Reflector only shows us the code; it does not show the address of the byte we want to change, and I have not found a tool that shows the virtual address of individual bytes/instructions. So instead of viewing .ctor() in Reflector, let us switch to ILDasm. Figure (14).

Figure (14)

We have already studied how to find a method's offset. This time, rather than compute the offset by formula, we will simply type the hex byte sequence 02 16 7D 06 00 00 04 02 28 0E 00 00 0A (ldarg.0, ldc.i4.0, stfld token 04000006, ldarg.0, call token 0A00000E) into a hex editor and search for it. Figure (15).

Figure (15)

You can use any hex editor you like; here I am using WinHex 15.2. Searching for the bytes typed in Figure (15) gives Figure (16).

Figure (16)

From Figure (16), the start of .ctor()'s code is at offset 0x105C. If you want to be sure, check it in CFF Explorer. Change the 16 at that position in Figure (16) to 17 and save the file. Opening the saved file gives Figure (17).
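The same patch done in code, as an added example that is not from the guide: search for the byte pattern of Figure (15), refuse to guess if it matches zero or several times, and before flipping a byte decode the pattern with a small CIL decoder so that the 0x16 being changed is known to be the ldc.i4.0 instruction rather than a byte inside a token. The file is a constructed stand-in (a tiny method header, the .ctor bytes from the guide, nop and ret, padding) laid out so that the pattern sits at 0x105C as in Figure (16); the opcode tables cover only the instructions used on this page.

```python
# CIL opcodes used on this page (ECMA-335 III): no operand, 4-byte token, or 1-byte branch
NO_OPERAND = {0x00: "nop", 0x02: "ldarg.0", 0x06: "ldloc.0", 0x0A: "stloc.0",
              0x16: "ldc.i4.0", 0x17: "ldc.i4.1", 0x2A: "ret"}
TOKEN_OPERAND = {0x28: "call", 0x6F: "callvirt", 0x72: "ldstr", 0x73: "newobj", 0x7D: "stfld"}
INT8_OPERAND = {0x2B: "br.s", 0x2C: "brfalse.s", 0x2D: "brtrue.s"}

# the bytes searched for in Figure (15): ldarg.0 ldc.i4.0 stfld 04000006 ldarg.0 call 0A00000E
CTOR_PATTERN = bytes.fromhex("02167D0600000402280E00000A")
# constructed stand-in for Dot_Net_ReverseMe_2.exe (not the real file): tiny header for a
# 15-byte body, the pattern, nop + ret, padding; header byte = (15 << 2) | 2 = 0x3E
SAMPLE = bytes(0x105B) + bytes([0x3E]) + CTOR_PATTERN + bytes.fromhex("002A") + bytes(0x40)


def decode_il(code):
    """Decode code into [(offset, mnemonic, operand)]; raises on opcodes outside the subset."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op in NO_OPERAND:
            out.append((pos, NO_OPERAND[op], None))
            pos += 1
        elif op in TOKEN_OPERAND:
            if pos + 5 > len(code):
                raise ValueError(f"truncated token operand at {pos:#x}")
            token = int.from_bytes(code[pos + 1:pos + 5], "little")
            out.append((pos, TOKEN_OPERAND[op], token))
            pos += 5
        elif op in INT8_OPERAND:
            delta = int.from_bytes(code[pos + 1:pos + 2], "little", signed=True)
            out.append((pos, INT8_OPERAND[op], delta))
            pos += 2
        else:
            raise ValueError(f"opcode {op:#04x} at {pos:#x} is outside this decoder's subset")
    return out


def find_unique(data, pattern):
    """File offset of pattern in data; no match or more than one match is an error."""
    hits, start = [], 0
    while (hit := data.find(pattern, start)) != -1:
        hits.append(hit)
        start = hit + 1
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times; extend it until it is unique")
    return hits[0]


def patch_ldc_i4(data, pattern, instr_index, new_value):
    """Make instruction number instr_index of pattern push new_value (0 or 1).

    Returns (patched copy, file offset of the changed byte). Decoding the pattern first shows
    which byte is the ldc.i4 opcode and not, say, the 0x16 inside some token.
    """
    if new_value not in (0, 1):
        raise ValueError("only ldc.i4.0 <-> ldc.i4.1 are handled here")
    off, mnemonic, _ = decode_il(pattern)[instr_index]
    if not mnemonic.startswith("ldc.i4."):
        raise ValueError(f"instruction {instr_index} is {mnemonic}, not ldc.i4.x")
    base = find_unique(data, pattern)
    patched = bytearray(data)
    patched[base + off] = 0x16 + new_value        # 0x16 = ldc.i4.0, 0x17 = ldc.i4.1
    return bytes(patched), base + off


if __name__ == "__main__":
    for off, mnem, operand in decode_il(CTOR_PATTERN):
        print(f"IL_{off:04x}: {mnem}", "" if operand is None else f"{operand:#010x}")
    patched, where = patch_ldc_i4(SAMPLE, CTOR_PATTERN, 1, 1)
    print(f"patched byte at {where:#x}: {SAMPLE[where]:#04x} -> {patched[where]:#04x}")
```

The uniqueness check is the part worth keeping: a thirteen-byte IL sequence like this one is common to every constructor that sets a bool field to false and then calls the base constructor, so a second copy elsewhere in the file is not unusual.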


Figure (17)

So our registration has succeeded. To see where CheckReg() is called from, right-click the CheckReg() function in Reflector and choose Callee Graph (Ctrl+E). Figure (18).

Figure (18)

Looking at .ctor() of the patched and saved file in Reflector shows Figure (19).

Figure (19)

(10) Unpacking a .NET file packed with NsPack

Normally Olly is used to unpack ordinary packed 32-bit PE files. Here we will use Olly to unpack a .NET file. The program chosen for unpacking is UnPackMe_NsPack3.6.exe, packed with NsPack. Run the program. Figure (20).

Figure (20)

Checking it with PEiD gives Figure (21).

Figure (21)


Now open the program in Olly. Figure (22).

Figure (22)

As Figure (22) shows, the exe does not stop at the OEP; the program simply runs. What should we do? My suggestion is to look for the unpacked code in memory. So search for a known string from the program's resources.

Good candidates are button names, window captions and message box text. Here we will search for the button1 seen in Figure (20). Because resources in exe/DLL files are stored as Unicode, press Alt+M and search for the string button1 as Unicode. Figure (23).

Figure (23)

Entering it as in Figure (23) and searching gives Figure (24).

Figure (24)

Viewing Figure (24) as Text → Unicode (64 chars) gives Figure (25).

Figure (25)

Note that the virtual addresses in Figures (24, 25) will not be the same numbers you see on your own machine. Also, where we have landed is not in the resource section. So press Alt+M and search again with Ctrl+L. Figure (26).


Figure (26)

In Figure (26) we find another button1. Notice _CorExeMain? That is the one API every pure .NET executable imports (from mscoree.dll; it is the native entry point that starts the runtime). Viewing this as Unicode gives Figure (27).

Figure (27)

Figure (27) makes it certain that we have landed in the resource section.

Figure (28)

Now view Figure (27) in HEX view and scroll up a little, and you will find the PE header as shown in Figure (28).

Figure (29)

Note the virtual address of the MZ in Figure (28) (00CD0000), then in LordPE choose Dump Region and click the Dump button. That completes the unpack. Checking the dumped Region00CD0000-00CD2000.exe with PEiD will show it is written in Microsoft .NET.


(11) Serial fishing from .NET programs

This time we will look at serial fishing for .NET. Patching bytes will not always do: for programs that re-check, often and in several different ways, whether they are properly registered, that approach is not suitable. That is why we discuss serial fishing. The program for this lesson is Crackme1.exe, which can be downloaded from www.accessroot.com.

We already know this program is written in Visual Dot.net, so we skip the PEiD check. Run Crackme1.exe and study how it behaves. Figure (30).

Figure (30)

As Figure (30) shows, when we type a user name and serial and press the Check button, we see Figure (31).

Figure (31)

That tells us what we need, so open Crackme1.exe in .NET Reflector. Figure (32).

Figure (32)

Selecting btnCheck_Click shows what is in Figure (32).


In this lesson we are not interested in the serial routine itself; we only want to know the serial it finally produces. .NET Reflector is the best tool for reading .NET code, but it can neither edit nor debug it. So to find the serial for the user name Myo Myint Htike we will use PEBrowse Professional Interactive 9.0. Before using this tool, its settings must be as follows. Figures (33/34).

Figure (33)

Figure (34)

After setting the options as in Figures (33/34), press Ctrl+S to start debugging. Figure (35).

Figure (35)

The red on the left-hand side of Figure (35) indicates that the process is running. We are not going to step through the program code line by line. The shortcut keys for stepping are not the same as Olly's: in PEBrowse they are Run (F5), Step over (F10) and Step into (F11). Now let us set a breakpoint so that we get quickly to the place we want to inspect.


Click .NET Methods in Figure (35) and select btnCheck_Click. Figure (36).

Figure (36)

Figure (36) shows the serial routine in IL. Press F9 at IL_00B3 to set a breakpoint. The breakpoint then shows as in Figure (37).

Figure (37)

With the breakpoint set, press F5 to run the program.

Figure (38)

When the program runs, something like Figure (38) appears. Press F5 again and the program comes up as in Figure (39).

Figure (39)

When you see Figure (39), type in the user name and serial and click the Check button. Figure (40)


Figure (40)

Figure (40) shows that we have hit our breakpoint. The > marks the instruction about to be executed.

Figure (41)

Figure (41) is the register window. As you press F10 in the disassembly window to step one instruction at a time, keep an eye on what changes in the register window. Keep pressing F10 until you reach VA 0x40E89B0 as in Figure (42).

Figure (42)

Figure (42) shows two floating-point values being compared. Let us look at the floating-point mnemonics involved:

    FILD     load an integer onto the FPU stack (converted to floating point)
    FLD      load a floating-point value
    FCOMIP   compare floating-point values, set EFLAGS (ZF, PF, CF), and pop
    FSTP     store a floating-point value and pop

JPE is Jump if Parity Even: it jumps when the parity flag (PF) is 1. JNZ is Jump if Not Zero: it jumps when the zero flag (ZF) is 0.


Figure (43)

FCOMIP compares the two floating-point values and sets the flags. The two values compared here are 4458204637983 and 4101979. Because they are not equal, ZF is 0; PF only becomes 1 when the operands are unordered (one of them is a NaN), so here it is 0 as well. To see whether the parity flag is 0 or 1, right-click in the register window and choose EFLAGS. Figure (44).

Figure (44)

Figure (44) is taken right after the FCOMIP instruction has executed. The parity flag is 0. The FSTP instruction stores the 4101979 value. Because PF is 0, JPE 0x40E89C6 will not jump to VA 0x40E89C6. JNZ 0x40E89C6, however, does jump to VA 0x40E89C6, because ZF is not 1. Figure (45).

Figure (45)

That is why, when we press F5, we get the BadBoy message we did not want to see. Figure (46).

Figure (46)


The 4101979 we typed into the serial textbox for the user name Myo Myint Htike is being compared with the value 4458204637983 that Crackme1.exe computed. So the number we really have to type into the serial textbox for the user name Myo Myint Htike is ... ☻☻☻

Good. Close PEBrowse. Run Crackme1.exe on its own and try to register as in Figure (47).

Figure (47)

You will then see Figure (48).

Figure (48)

Do you think finding serials in .NET programs is just too easy? ☻☻☻ If so, you are mistaken. To make clear why, let me show an example program. Figure (49).

Figure (49)

To see how this program is written, let us check it in .NET Reflector. Figure (50).

Figure (50)


Clicking the Registration() constructor in Figure (50) shows Figure (51).

    public Registration()
    {
        this.components = null;
        this.InitializeComponent();
        this.pictureReg.Image = Image.FromFile("Picture/nag_close.png");
        StringBuilder volumeName = new StringBuilder(0x100);
        StringBuilder fs = new StringBuilder(0x100);
        bool flag = false;
        Environment.GetLogicalDrives();
        // P/Invoke of kernel32!GetVolumeInformation: serialNum receives the volume serial of C:
        flag = GetVolumeInformation("c:", volumeName, (uint) (volumeName.Capacity - 1),
            out this.serialNum, out this.serialNumLength, out this.flags,
            fs, (uint) (fs.Capacity - 1));
        // 14 rounds of unsigned (wrapping) arithmetic and XOR on the volume serial
        for (int i = 0; i <= 13; i++)
        {
            this.serialNum = (((((2 * this.serialNum) / 7) - (12 * this.serialNum)) + (11 * this.serialNum)) - 0x239875) ^ this.serialNum;
        }
        // the "code" shown in the dialog is this transformed serial, not the key to type in
        this.textcode.Text = this.serialNum.ToString();
    }

Figure (51)

Figure (51) is what the program initialises when the registration dialog is opened.

Clicking butOK_Click shows Figure (52).

    private void butOK_Click(object sender, EventArgs e)
    {
        string text;
        FileStream stream;
        BinaryWriter writer;
        // serialNum is the value the constructor displayed; the real key is 31 more rounds away
        long num2 = Convert.ToInt64(this.serialNum);
        long num4 = 0x1fca055L;
        for (int i = 0; i <= 30; i++)
        {
            num2 = (7L * num2) ^ (num4 + 0x23c1bcL);   // long arithmetic, wraps unchecked
        }
        string strB = Convert.ToString(num2);
        // string comparison: the typed text must equal the decimal form of num2 exactly
        if (string.Compare(this.textregcode.Text, strB) == 0)
        {
            MessageBox.Show("Registered successfully!\r\nThank you for buying our product!",
                "Registration Successful!", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
            if (this.passControl != null)
            {
                this.passControl(this.textname);
            }
            base.Hide();
            text = this.textname.Text;
            stream = new FileStream("reg.key", FileMode.Create);
            writer = new BinaryWriter(stream);
            try
            {
                writer.Write(this.serialNum);
                writer.Write(text);
            }
            finally
            {
                writer.Close();
                stream.Close();
            }
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Myanmar Cracking Team\Windows Repair",
                "UserName", text, RegistryValueKind.String);
        }
    }

Figure (52)

The code in Figure (51) belongs to the Registration() constructor seen in Figure (50). What the Windows Repair 1.0 program actually does is read the serial number of our hard disk's C: drive and scramble it in a loop of arithmetic and XOR; the resulting value is 3538139584. It then compares the 4101979 I typed in against a value derived from that by a further loop. If the serial is correct, it saves the entered serial in the reg.key file and shows the GoodBoy message. When serial-fishing with PEBrowse, for the code 3538139584 I obtained the HEX value EAEF9EBE. Converting that to decimal and typing it into the registration dialog, the program says the serial is wrong. (In fact, the 3538139584 shown to us is not a number but a string.


PEBrowse cannot handle strings, so every number we type in turns out to be wrong.)

So when you run into this kind of problem, instead of fishing the serial with PEBrowse, rebuild the program with Visual Studio .NET. You do not have to write a separate program: just add the line this.textcode.Text = strB; below string strB = Convert.ToString(num2); and recompile, so that the dialog displays the code it is actually about to compare against.
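The same idea done outside Visual Studio, as an added example that is not code from the guide or from the Windows Repair program: re-implement the two loops of Figures (51) and (52) so the registration code can be computed for any volume serial, reproducing the C# semantics that the debugger view hides (the constructor loop runs on uint and wraps modulo 2^32, the butOK_Click loop runs on long and wraps modulo 2^64, and the final comparison is a string comparison of the decimal form). The volume serial used below is a made-up value; I have not run this against the program itself, so treat the mapping onto the real dialog as an assumption taken from the decompiled code.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def to_int64(value):
    """Reduce to a C# long: signed 64-bit, unchecked (wrapping) arithmetic."""
    value &= MASK64
    return value - (1 << 64) if value >= (1 << 63) else value


def transform_volume_serial(volume_serial, rounds=14):
    """The Registration() constructor loop of Figure (51): 14 rounds of uint arithmetic.

    C# evaluates (2 * s) / 7 as an unsigned 32-bit product followed by unsigned division,
    so the product must be reduced before dividing; the remaining terms commute with the
    final mask. The result is what the dialog displays in textcode.
    """
    s = volume_serial & MASK32
    for _ in range(rounds):
        q = ((2 * s) & MASK32) // 7
        s = ((q - 12 * s + 11 * s - 0x239875) & MASK32) ^ s
    return s


def registration_code(serial_num, rounds=31):
    """The butOK_Click loop of Figure (52): num2 = (7 * num2) ^ (num4 + 0x23c1bc), 31 times.

    Returns the decimal string that string.Compare(textregcode.Text, strB) expects, which
    is negative once the 64-bit product has wrapped.
    """
    num2 = to_int64(serial_num)              # Convert.ToInt64(uint) is lossless
    key = 0x1FCA055 + 0x23C1BC               # num4 + 0x23c1bc never changes inside the loop
    for _ in range(rounds):
        num2 = to_int64((7 * num2) ^ key)    # Python's ^ on negatives is two's complement, like C#
    return str(num2)


def check_registration(serial_num, typed):
    """What the OK button does: an exact string comparison with the computed code."""
    return typed == registration_code(serial_num)


def keygen(volume_serial):
    """From the C: volume serial to (code shown in the dialog, code the user must type)."""
    serial_num = transform_volume_serial(volume_serial)
    return str(serial_num), registration_code(serial_num)


if __name__ == "__main__":
    shown, code = keygen(0x1234ABCD)         # made-up volume serial
    print(f"dialog shows {shown}, type {code}")
```

The point the guide makes with the debugger applies here too: the number in the dialog (str(serial_num)) is the input to the second loop, not the answer, so reading it out of a register and converting it to decimal can never succeed.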

In closing, the serial routines shown here are extremely simple. If you set out to crack commercial software you will meet serial routines hundreds of times harder than these ...

(12) Removing the Strong Name Signature from a .NET program

A few words about strong name signatures. A strong name carries the identity of an assembly: its simple text name, version number and culture, plus a public key and a digital signature. The signature is generated over the assembly file using the private key that corresponds to that public key. (That file holds the assembly manifest, which in turn lists the names and hashes of all the files that make up the assembly.) Microsoft Visual Studio and other tools that use the .NET Framework can give an assembly a strong name.

In this lesson we will look at how to remove simple strong names (SN) from .NET exe and DLL files.

There are a few ways to remove the SN from a single exe/DLL file...

The simplest way is to decompile the program to IL, remove the SN, and recompile with ILASM.exe. It is also a completely brute approach. Do not expect to recompile commercial software this way, because in such programs the code and function names are obfuscated.

The other way is to take some useful information from the PE header in order to patch the SN. For this you need two files, one with an SN and one without, and then compare their PE headers in CFF Explorer.

The program chosen for this lesson is StrongName.exe, which can be downloaded from www.tuts4you.com. Running StrongName.exe shows Figure (53).

Figure (53)

There is nothing special to crack in this program, so let us just change the string useless to patched. This can be done with WinHex. Figure (54).

Figure (54)

After editing as in Figure (54), save the file and run it again. Figure (55).


Figure (55)

Because the program's strong name is checked, even this tiny change to the file produces this error. So let us look at what differs between a file with an SN and one without. Open both No StrongName.exe and StrongName.exe in CFF Explorer. Figures (56, 57).

Figure (56) No StrongName.exe, without SN

Figure (57) StrongName.exe, with SN

In the Flags field of the .NET Directory, 1 means COMIMAGE_FLAGS_ILONLY and 9 means COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED (0x1 | 0x8). Figure (58).

Figure (58)

So these are the values we need to find and patch.

Now look at the Tables directory under MetaData Streams. Figure (59).

Figure (59)


Looking at the Assembly table under the Tables directory shows Figures (60, 61).

Figure (60) No StrongName.exe, without SN

Figure (61) StrongName.exe, with SN

To remove the strong name, edit StrongName.exe at the following offsets (these offsets are specific to this file; read yours from CFF Explorer):

    Offset 1018 – Flags (CLI header) – 01
    Offset 1028 – StrongNameSignature RVA – 00
    Offset 102C – StrongNameSignature Size – 00
    Offset 1554 – Flags (Assembly table) – 00
    Offset 1558 – PublicKey (Assembly table) – 00
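The first three edits in that list, made programmatically on the CLI header, as an added example that is not from the guide. The header is constructed here with the guide's values (flags 9, the entry point token 06000028, and a made-up signature directory) and placed at file offset 0x1008 so that the field offsets come out as 0x1018, 0x1028 and 0x102C; on a real file you would locate the header through the CLR Runtime Header entry of the PE optional header's data directories instead of assuming its position. The Assembly-table Flags/PublicKey edits at 0x1554/0x1558 are not done here, because their offsets depend on the metadata layout of the particular file.

```python
import struct

# IMAGE_COR20_HEADER (ECMA-335 II.25.3.3): the field offsets used below
COR20_SIZE = 72
OFF_FLAGS = 16
OFF_ENTRYPOINT_TOKEN = 20
OFF_STRONGNAME_SIG = 32          # data directory: RVA (4 bytes) followed by Size (4 bytes)

COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8


def build_cor20(flags, entrypoint_token, sig_rva, sig_size):
    """Constructed CLI header; only the fields this example reads are filled in."""
    hdr = bytearray(COR20_SIZE)
    struct.pack_into("<IHH", hdr, 0, COR20_SIZE, 2, 5)          # cb, runtime version 2.5
    struct.pack_into("<I", hdr, OFF_FLAGS, flags)
    struct.pack_into("<I", hdr, OFF_ENTRYPOINT_TOKEN, entrypoint_token)
    struct.pack_into("<II", hdr, OFF_STRONGNAME_SIG, sig_rva, sig_size)
    return bytes(hdr)


def read_flags(data, cor20_off):
    return struct.unpack_from("<I", data, cor20_off + OFF_FLAGS)[0]


def is_strong_name_signed(data, cor20_off):
    return bool(read_flags(data, cor20_off) & COMIMAGE_FLAGS_STRONGNAMESIGNED)


def strip_strong_name(data, cor20_off):
    """Clear STRONGNAMESIGNED and zero the signature directory, as in Figures (56) to (58).

    Returns (patched copy, list of (file offset, old value, new value)) so that the edits
    can be checked against a hex editor or CFF Explorer.
    """
    buf = bytearray(data)
    cb = struct.unpack_from("<I", buf, cor20_off)[0]
    if cb != COR20_SIZE:
        raise ValueError(f"no CLI header at {cor20_off:#x} (cb={cb})")
    edits = []

    flags_off = cor20_off + OFF_FLAGS
    old_flags = read_flags(buf, cor20_off)
    new_flags = old_flags & ~COMIMAGE_FLAGS_STRONGNAMESIGNED
    struct.pack_into("<I", buf, flags_off, new_flags)
    edits.append((flags_off, old_flags, new_flags))

    sig_off = cor20_off + OFF_STRONGNAME_SIG
    sig_rva, sig_size = struct.unpack_from("<II", buf, sig_off)
    struct.pack_into("<II", buf, sig_off, 0, 0)
    edits.append((sig_off, sig_rva, 0))
    edits.append((sig_off + 4, sig_size, 0))
    return bytes(buf), edits


# Constructed stand-in for StrongName.exe (not the real file): the header sits at 0x1008 so
# that Flags lands at 0x1018 and the signature directory at 0x1028/0x102C, as listed above.
COR20_OFFSET = 0x1008
SAMPLE_IMAGE = (bytes(COR20_OFFSET)
                + build_cor20(COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED,
                              0x06000028, 0x2A00, 0x80)
                + bytes(0x200))

if __name__ == "__main__":
    patched, edits = strip_strong_name(SAMPLE_IMAGE, COR20_OFFSET)
    for off, old, new in edits:
        print(f"offset {off:#06x}: {old:#x} -> {new:#x}")
    print("strong-name signed afterwards:", is_strong_name_signed(patched, COR20_OFFSET))
```

Whether the error in Figure (55) appears at all depends on the runtime: the .NET Framework from 3.5 SP1 onwards skips strong-name signature verification for fully trusted assemblies, and the clearing of the flag mainly matters for what other tools and the Assembly-table check expect to find consistent.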

If a DLL is loaded by an exe and the registration routine lives in the DLL, then it is the DLL we have to patch. The sample program this time is Navsight from Divelements Limited. The Navsight package contains Demo.exe and Navsight.dll.

Run Demo.exe and choose Show ExplorerBar Demonstration, and you will see Figure (62).

Figure (62)

Pressing the OK button shows Figure (63).

Figure (63)


Pressing the Animate! button on the right of Figure (63) makes the task pane on the left disappear. So these are the things we need to fix, but the SN has to be removed first. Search Navsight.dll for the string RSA1 in WinHex and change the 21st and 22nd bytes before it (80 0A) to 00 00. Figure (64). (This method of removing the SN is Newbie_Cracker's, of UnREalRCE {Persian Crackers}.) The 20 bytes immediately before RSA1 are the header of the assembly's public key blob, so the two bytes being zeroed sit where that blob's length prefix is stored in the #Blob heap.

Figure (64)

Change the 80 0A in Navsight.dll to 00 00 as in Figure (64) and save the file. Now running demo.exe shows the error in Figure (65).

Figure (65)

Let us think for a moment. We removed the SN from the DLL, and the method we used is a good one. So why is there a problem? Is the SN being checked somewhere else? If so, the check is probably not in the DLL but in the exe. Look at the error message: Could not load file with PublicKeyToken = 75b7... To check this, open Demo.exe in CFF Explorer and look in the .NET Directory. Figure (66).

Figure (66)

Looking at the Navsight entry in Figure (66) shows Figure (67).

Figure (67)

This is what we were after. Look at PublicKeyOrToken. When the exe was compiled, the .NET compiler recorded, for each referenced assembly, its public key token alongside its name, and when that assembly is loaded the PublicKeyOrToken entry is what its identity is checked against. So if we change it to 0 here, the error message of Figure (65)


will no longer appear. Change the value at offset 0x26324 in Demo.exe to 0 and save. Demo.exe now works fine.

Now Navsight.dll can be patched. Open Navsight.dll in IDA Pro and Reflector and look for the evaluation period.

    .method public static hidebysig bool '() // CODE XREF: sub_2840+72_p
                                             //            sub_33A0+77_p ...
    {
      .locals init (bool V0, class System.String V1, class System.String V2, class System.String[] V3)
      call      bool '::'()
      stloc.0
      ldloc.0
      brfalse.s loc_3272
      call      class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Assembly::GetExecutingAssembly()
      callvirt  class [mscorlib]System.Reflection.AssemblyName [mscorlib]System.Reflection.Assembly::GetName()
      callvirt  class System.String [mscorlib]System.Reflection.AssemblyName::get_Name()
      stloc.1
      ldc.i4.5
      newarr    [mscorlib]System.String
      stloc.3
      ldloc.3
      ldc.i4.0
      ldstr     "Your evaluation period for "
      stelem.ref
      ldloc.3
      ldc.i4.1
      ldloc.1
      stelem.ref
      ldloc.3
      ldc.i4.2
      ldstr     " has expired. Product functionality will be limited."

Figure (68) Opened in IDA Pro

Looking at Figure (68), after the call function() there is a brfalse. Before doing anything else, look at the function names: they are obfuscated, so nothing can be found by name. Could you recompile this DLL? After a long search in Reflector as well, we get Figure (69).

Figure (69)

Figure (69) again shows the functions are obfuscated. What we want is for the flag value to be 0. So where is the function that returns that flag?

Go back to IDA Pro in Figure (68) and click on the call bool '::'() line. You will see some slightly complicated code. We could patch that function's return value to FALSE, but first scroll down a little to see whether there is any dangerous code in it.

Figure (70)

Let's look at this in Reflector. Figure 71.

Figure 71

The DLL checks whether the NETFramework key exists in the registry; if it does, it records the date and time Demo.exe was first opened, takes the current date and time, and compares the two. If the current time is more than 30 days past the time of first opening, the return value is TRUE; otherwise it is FALSE. So only once we are sure there is no other potentially dangerous code or function left can we patch the return value to 0.

To patch it, go to offset 0x4784, where the function starts, change the bytes to 16 2A and save the file. To understand why we make this change, look back at Figure 68.

IDA View                                           opcode (CFF Explorer)   Instruction (CFF Explorer)
call class [mscorlib]System.Reflection.Assembly   28 E7 00 00 0A          call 0x0A0000E7
callvirt class [mscorlib]System.Reflection        6F E8 00 00 0A          callvirt 0x0A0000E8

Figure 72

Figure 72 shows what IDA Pro and CFF Explorer display before offset 0x4784 is patched to 16 2A.

IDA View     opcode (CFF Explorer)   Instruction (CFF Explorer)
ldc.i4.0     16                      ldc.i4.0
ret          2A                      ret

Figure 73

Figure 73 shows what IDA Pro and CFF Explorer display after offset 0x4784 has been patched to 16 2A. ldc.i4.0 pushes an int32 value of zero onto the stack. In other words, the calls are no longer evaluated and the value 0 is returned immediately.

When the patched program is reopened, the expiration dialog no longer appears.
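The two opcode tables above can be checked with a small decoder. The following added example is my own, not code from the book: it decodes the one-byte CIL opcodes used in this chapter, diffs an original and a patched method body, and flags a body that has been reduced to a constant return; the sample bytes are constructed around the tokens shown in Figure 72, and the function names are the example's own.

```python
# Added example (not from the book): decode the CIL bytes shown in Figures 72/73
# and flag a method body that begins with "ldc.i4.0; ret", which is what the
# 16 2A patch produces. Sample bytes below are constructed to mirror the page's
# call / test / brfalse shape; only the opcodes and tokens come from the page.
from typing import List, Optional, Tuple

# One-byte CIL opcodes used in this chapter's listings: (mnemonic, operand size in bytes)
OPCODES = {
    0x00: ("nop", 0),
    0x06: ("ldloc.0", 0),
    0x07: ("ldloc.1", 0),
    0x09: ("ldloc.3", 0),
    0x0A: ("stloc.0", 0),
    0x0B: ("stloc.1", 0),
    0x0D: ("stloc.3", 0),
    0x16: ("ldc.i4.0", 0),
    0x17: ("ldc.i4.1", 0),
    0x18: ("ldc.i4.2", 0),
    0x1B: ("ldc.i4.5", 0),
    0x28: ("call", 4),        # 4-byte metadata token, e.g. 0x0A0000E7 (MemberRef table)
    0x2A: ("ret", 0),
    0x2C: ("brfalse.s", 1),   # 1-byte signed offset from the end of the instruction
    0x6F: ("callvirt", 4),    # 4-byte metadata token
    0x72: ("ldstr", 4),       # 4-byte user-string token
    0x8D: ("newarr", 4),      # 4-byte type token
    0xA2: ("stelem.ref", 0),
}


def decode(code: bytes, base: int = 0) -> List[Tuple[int, str, str]]:
    """Linear-sweep decode; returns (offset, mnemonic, operand text) per instruction.
    Bytes that are not in the table, or whose operand runs past the end, are
    emitted as data so that leftover bytes after a patch stay visible."""
    out = []
    i = 0
    while i < len(code):
        op = code[i]
        name, size = OPCODES.get(op, (f"db 0x{op:02X}", 0))
        if i + 1 + size > len(code):
            name, size = f"db 0x{op:02X}", 0
        operand = code[i + 1:i + 1 + size]
        if size == 4:
            text = f"0x{int.from_bytes(operand, 'little'):08X}"
        elif size == 1:
            rel = int.from_bytes(operand, "little", signed=True)
            text = f"-> 0x{base + i + 2 + rel:X}"
        else:
            text = ""
        out.append((base + i, name, text))
        i += 1 + size
    return out


def constant_bool_stub(code: bytes) -> Optional[bool]:
    """Return the constant a method returns if its body is just 'ldc.i4.0/1; ret'
    (the shape the 16 2A patch produces), else None."""
    if len(code) >= 2 and code[1] == 0x2A and code[0] in (0x16, 0x17):
        return code[0] == 0x17
    return None


def diff_bytes(old: bytes, new: bytes) -> List[Tuple[int, int, int]]:
    """(offset, old byte, new byte) for every byte that differs."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]


# Constructed method body: call, callvirt (tokens from Figure 72), store/test the
# result, brfalse to the "return false" path, otherwise return true.
ORIGINAL = bytes([
    0x28, 0xE7, 0x00, 0x00, 0x0A,   # call     0x0A0000E7
    0x6F, 0xE8, 0x00, 0x00, 0x0A,   # callvirt 0x0A0000E8
    0x0A,                           # stloc.0
    0x06,                           # ldloc.0
    0x2C, 0x02,                     # brfalse.s +2  (-> offset 16)
    0x17, 0x2A,                     # ldc.i4.1 ; ret   (expired)
    0x16, 0x2A,                     # ldc.i4.0 ; ret   (not expired)
])
# The book's patch overwrites only the first two bytes at the method start.
PATCHED = b"\x16\x2A" + ORIGINAL[2:]

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("patched", PATCHED)):
        print(f"--- {label}: constant return = {constant_bool_stub(body)}")
        for off, name, operand in decode(body, base=0x4784):
            print(f"{off:06X}  {name:<10} {operand}")
    print("changed bytes:", [(f"{o:#x}", f"{a:02X}", f"{b:02X}") for o, a, b in diff_bytes(ORIGINAL, PATCHED)])
```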

Chapter 19 - Cracking mobile phone applications

This time we will try cracking the applications used on mobile phones (smartphones). I must ask for your understanding in advance: tutorials on mobile cracking are rare, and since I do not own a smartphone myself, this lesson may not fully satisfy you. So please bear with this lesson and its many shortcomings.

Today most mobile phones and smartphones are no longer just phones but almost computers. Like computers, they come with network connectivity (Bluetooth, WiFi, GSM, IR, USB). Like computers they have security rules, and because phones come with a built-in payment system, you can lose real money. Research on anti-malware for mobile phones was done by F-Secure. The first to present the cracking of Symbian applications used on mobile phones was Shub-Nigurrath of ARTeam.

In this lesson we will only crack applications used on Symbian phones.

Figure 1: Symbian smartphones

(1) What is Symbian OS ....

Symbian OS was used mainly in smartphones by Nokia (47.9%) and SonyEricsson (15.6%), and around the middle of 2008 Nokia bought Symbian Ltd. in order to make it open source. Early Symbian OS was based on EPOC from Psion. In 2001 EPOC became Symbian v6. Symbian's current major version is 9. Symbian separates the OS from the UI: the OS comes from Symbian, while the UI belongs to the hardware vendors. That is why Series60 (S60) comes from Nokia, UIQ from Sony Ericsson, and MOAP from Sharp/NTT DoCoMo. Symbian OS runs on ARM processors, which are RISC (Reduced Instruction Set CPU) processors. Because ARM CPUs have few instructions and many registers, they are harder for crackers to understand.

Early Symbian OS versions used the EKA kernel, and later versions use the EKA2 kernel. These kernels support multi-processing, multithreading and multi-tasking. Memory protection is also included. One distinctive point is that it is a single-user system, so there is no separation between user and admin and no login/logout.

Symbian OS is based on APIs rather than resources; they are assigned at build time only and cannot be changed at run time. DLL code executes with the capabilities of the application process, and the capabilities are stored in the exe itself. Software development for Symbian OS is controlled through Mandatory Code Signing. Data caging is used to keep exes and libraries separate from data: exes live under \sys\bin and process data under \private\<APP UID>.

The Symbian file system is based on drive letters, directories and files.

(1) C: - Flash RAM. Holds user-related data and the applications the user has installed.

(2) D: - TEMP RAM. Holds temporary files for applications.

(3) E: - MMC. A removable disk for photos and applications.

(4) Z: - OS ROM. A flash drive containing most of the OS files.

Every drive has a System directory. (1) The directory is created automatically whenever a new medium appears.

(2) The System directory holds the directory tree containing the OS and application files. It is comparable to C:\Windows.

The important directories are: (1) System\Apps - applications visible to the user.

(2) System\Recogs - Recognizer components

(3) System\Install - uninstallation information for installed applications.

(4) System\libs - System and 3rd-party libraries.

The applications behind the phone menu and buttons are: (1) Z:\System\Apps\Menu\Menu.app - Phone main menu & application launching service

(2) Z:\System\Apps\AppInst\Appinst.app - Application installation

(3) Z:\System\Apps\AppMngr\AppMngr.app - Application uninstallation

(4) Z:\System\Apps\MMM\Mmm.app - Messaging application

(5) Z:\System\Apps\Phonebook\Phonebook.app - Phonebook

(6) Z:\System\Apps\BtUI\btui.app - Bluetooth control panel

The programming language used to create mobile applications is Carbide.c++, and the development process is as follows.

(2) Symbian Executable File Format

This time we will examine the structure of the applications used on Symbian OS. The exe file format used on Symbian OS is the E32 format. The exe files discussed in this lesson are those built for ARM processors. We will not discuss the emulator ones, because the emulator's exe files use Windows' PE-COFF (Portable Executable Common Object File Format).

[Diagram, two panels. Normal C++ Build Process: <app>.mmp (Project file), <app>.rss (Resource file), <app>.UID.cpp, Makefile for <app>.WINS / <app>.MARM, nmake, the executables <app>.app, <app>.ilk, <app>.rsc, <app>.dll, and <app>.aif (Package information file). Normal EPOC Packaging Process: <app>.pkg (List of components), make SIS, <app>.sis.]

Copyright ©White Cracker (Myanmar Cracking Team)

Symbian executables, that is .app, .exe or .dll files, have a special layout called the E32 file format. It differs slightly from Microsoft/Intel's PE (Portable Executable) and UNIX's ELF (Executable and Linking Format), but is fundamentally similar. Since Symbian uses the GCC compiler, your source code is actually compiled into PE format first. Only during Symbian's build process does a tool called PETRAN convert your PE file into an E32 file.

Figure 2: E32 file format - E32 Header; Code Section (Text Section, Export Table, Import Table); BSS Section; Data Section; Import Section; Relocation Section

Like other file formats, E32 begins with a header. What follows the header is as follows -

o Code section - it has three parts: the text section, the export address table and the import address table (IAT). The text section contains all the .obj files of the source code. The other two parts list the functions the program imports/exports.

o BSS section - holds uninitialized data. Most Symbian applications do not use this section.

o Data section - holds initialized data. Since most Symbian applications come as .app or .dll files, this section is usually absent.

o Import section - holds the information about the imported functions your program uses.

o Relocation section - holds the relocation table the Symbian loader needs when it loads your program. The header information defined for E32 is as follows -

class E32ImageHeader
{
public:
    TUint32 iUid1;
    TUint32 iUid2;
    TUint32 iUid3;
    TUint32 iCheck;
    TUint iSignature;           // 'EPOC'
    TCpu iCpu;                  // 0x1000 = X86, 0x2000 = ARM, 0x4000 = M*Core
    TUint iCheckSumCode;        // sum of all 32 bit words in .text
    TUint iCheckSumData;        // sum of all 32 bit words in .data
    TVersion iVersion;
    TInt64 iTime;
    TUint iFlags;               // 0 = exe, 1 = dll, +2 = no call entry points
    TInt iCodeSize;             // size of code, import address table, constant data and export dir
    TInt iDataSize;             // size of initialized data
    TInt iHeapSizeMin;
    TInt iHeapSizeMax;
    TInt iStackSize;
    TInt iBssSize;
    TUint iEntryPoint;          // offset into code of entry point
    TUint iCodeBase;            // where the code is linked for
    TUint iDataBase;            // where the data is linked for
    TInt iDllRefTableCount;     // filling this in enables E32ROM to leave space for it
    TUint iExportDirOffset;     // offset into the file of the export address table
    TInt iExportDirCount;
    TInt iTextSize;             // size of just the text section
    TUint iCodeOffset;          // file offset to code section
    TUint iDataOffset;          // file offset to data section
    TUint iImportOffset;        // file offset to import section
    TUint iCodeRelocOffset;     // relocations for code and const
    TUint iDataRelocOffset;     // relocations for data
    TProcessPriority iPriority; // priority of this process
};

iUid1, iUid2 and iUid3 are identifiers. The first UID distinguishes whether your program is a .dll or an .exe: 0x10000079 for .dll and 0x1000007A for .exe. The second UID distinguishes the kind of object: 0x100039CE for polymorphic interface DLLs and 0x1000008d for static interface (shared library) DLLs. The third UID can be regarded as the program identifier. There are also some UIDs in the range 0x100000 to 0xFFFFFF.

iCheck is the checksum of the first three UIDs. The Symbian SDK ships a tool called uidcrc.exe that generates it from the first three UIDs. For example, the command below produces the checksum for the UIDs 0x10000079, 0x100039CE and 0x00DD3103.

C:\>uidcrc 0x10000079 0x100039CE 0x00DD3103
0x10000079 0x100039CE 0x00DD3103 0xAE035303

iSignature is the signature of the E32 file and has the value EPOC.

iCPU is the program's platform: ECpuX86 = 0x1000 is for Intel processors and ECpuArm = 0x1000 is for ARM processors.

iCheckSumCode is the checksum of the code section. According to the comment in the header file, it is the sum of all 32-bit WORDs in the .text section. However, this value could also be the sum of all 32-bit WORDs in the code section including the IAT and export table (= the iCodeSize field).

iCheckSumData is the sum of all 32-bit WORDs in the .text section. When we build programs in Symbian, this checksum value is zero.

iVersion is the version of the PETRAN that produced the E32 file. If you use UID 2.1, the version will be 1.00 (175).

iTime is the date and time the program was built (TimeDateStamp).

iFlags is 0 for an .exe, 1 for a .dll, and +2 for files whose entry point is not called.

iCodeSize is the size of the code section and includes the IAT, constant data and the export address table.

iDataSize is the size of the initialized data section; as with iCheckSumData, you will find this field is zero.

The remaining parameters already carry comments, so I will not explain them. To understand more clearly, let's look at example_app.app with PETRAN. Figure 3.

PETRAN - PE file preprocessor V01.00 (Build 175)
Copyright (c) 1996-2001 Symbian Ltd.
E32ImageFile 'example_app.app'                         // file name (not in E32 image header)
V1.00(175)  Time Stamp: 00e0be89,69063b40              // iVersion iTime
EPOC Dll for ARM CPU                                   // iCpu
Entry points are not called                            // iFlags
Uids:           10000079 100039ce 10008ace (7ec529db)  // iUid1, iUid2, iUid3 and iCheck
File Size:      00001368                               // file size (not in E32 image header)
Code Size:      00000ed8                               // iCodeSize
Data Size:      00000000                               // iDataSize
Chk code/data:  d4ad460a/00000000                      // iCheckSumCode iCheckSumData
Min Heap Size:  00001000                               // iHeapSizeMin
Max Heap Size:  00100000                               // iHeapSizeMax
Stack Size:     00002000                               // iStackSize
Code link addr: 10000000                               // iCodeBase
Data link addr: 00000000                               // iDataBase
Code reloc offset: 00001194                            // iCodeRelocOffset
Data reloc offset: 00000000                            // iDataRelocOffset
Dll ref table count: 4                                 // iDllRefTableCount
        Offset  Size    Relocs  NumOfRelocs
Code    00007c  000ed8  001194  0000e1  +000000 (entry pnt)   // iCodeOffset, iCodeSize, iCodeRelocOffset .. iEntryPoint
Data    000000  000000                                 // iDataOffset iDataSize
Bss             000000                                 // iBssSize
Export  000f50  000004 (1 entries)                     // iExportDirOffset iExportDirCount
Import  000f54                                         // iImportOffset
Code (text size=00000d08)                              // iTextSize
...                                                    // here the dump of the text section
225 relocs
...                                                    // here the dump of the relocation section
Idata   Size=00000240
Offset of import address table (relative to code section): 00000d08
...                                                    // here the import tables information

To make Figure 3 clearer, look at Figure 4.

Figure 4

On the left-hand side of Figure 4 you can see the offsets of the individual sections; for example, iCodeOffset (= 0x7C) is the offset of the code section. The right-hand side gives the size of each section. The sizes are a little awkward, because not all of the information is stored in the header. The size of E32ImageHeader can easily be computed with the sizeof operator. The sizes of the text section and the code section are easy to find, because the header carries the corresponding fields (iTextSize and iCodeSize).

Computing the size of the export table is a little harder. You need to multiply iExportDirCount by sizeof(UINT), because each exported function is stored as an unsigned integer. For example, if you have one exported function, multiplying by sizeof(UINT) gives 4.

To compute the size of the import address table, you need to know how Symbian builds its import tables. Basically you need to know the number of functions your program imports. Let's assume it is 114. To arrive at 114 we have to count the imported functions across the DLL files our program imports, and then multiply that by sizeof(UINT). Note: you have to add one to the number of imported functions, because there is a \0 terminator at the end of the import table.

The size of the import section, 0x0240, can be read from the first 32 bits of the import section. If you open E32Image.h, you will find a structure called E32ImportSection.

class E32ImportSection
{
public:
    TInt iSize;     // size of this section
    // E32ImportBlock[iDllRefTableCount];
};

This structure forms the first 32 bits of the import section. iSize is the size of the import section.

As with the import section, the size of the relocation section can be read from the first 32 bits of the relocation section. The structure that holds this information is E32RelocSection, which has two fields.

class E32RelocSection
{
public:
    TInt iSize;             // size of this relocation section
    TInt iNumberOfRelocs;   // number of relocations in this section
};

In this example iSize is 0x01CC. Why do we have to add sizeof(E32RelocSection) to the size of the relocation section? Because E32RelocSection.iSize does not include the size of the relocation header. This is a slight difference from the import section, whose iSize already includes its header. With this much, I think you understand the E32 file layout.
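The header layout and the size rules above can be turned into a checker. This added example is not from the book or the Symbian SDK: it parses a constructed E32 image whose only page-derived values are the UIDs, iCheck and the ARM/Dll flags from the PETRAN dump, and its function names are the example's own.

```python
# Added example (not from the book or the Symbian SDK): parse an E32ImageHeader with
# the field order quoted above, derive the section sizes the text explains, and
# recompute the text-section checksum. The image below is constructed in code; only
# the UID/iCheck values and the ARM/Dll flags are taken from the PETRAN dump.
import struct
from typing import Dict

# Every field is 4 bytes except iTime (TInt64); sizeof(E32ImageHeader) == 0x7C,
# which is exactly the iCodeOffset PETRAN printed for example_app.app.
HEADER_FMT = "<4IIIIIIq20I"
FIELDS = (
    "iUid1 iUid2 iUid3 iCheck iSignature iCpu iCheckSumCode iCheckSumData iVersion iTime "
    "iFlags iCodeSize iDataSize iHeapSizeMin iHeapSizeMax iStackSize iBssSize iEntryPoint "
    "iCodeBase iDataBase iDllRefTableCount iExportDirOffset iExportDirCount iTextSize "
    "iCodeOffset iDataOffset iImportOffset iCodeRelocOffset iDataRelocOffset iPriority"
).split()
HEADER_SIZE = struct.calcsize(HEADER_FMT)                      # 124 == 0x7C
CPU_NAMES = {0x1000: "X86", 0x2000: "ARM", 0x4000: "M*Core"}   # from the header comment
RELOC_HDR = 8                                                  # sizeof(E32RelocSection)


def parse_header(data: bytes) -> Dict[str, int]:
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than E32ImageHeader")
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))
    if struct.pack("<I", hdr["iSignature"]) != b"EPOC":        # iSignature holds 'EPOC'
        raise ValueError("missing EPOC signature")
    return hdr


def describe(hdr: Dict[str, int]) -> str:
    """Same wording PETRAN uses: iFlags bit 0 = dll, bit 1 = entry points not called."""
    kind = "Dll" if hdr["iFlags"] & 1 else "Exe"
    calls = "not called" if hdr["iFlags"] & 2 else "called"
    cpu = CPU_NAMES.get(hdr["iCpu"], f"0x{hdr['iCpu']:X}")
    return f"EPOC {kind} for {cpu} CPU, entry points {calls}"


def section_sizes(data: bytes, hdr: Dict[str, int]) -> Dict[str, int]:
    """Sizes as the text derives them: header/text/code from the header fields,
    export dir = iExportDirCount * sizeof(UINT), import and relocation sections
    from their own leading 32-bit iSize word (the reloc one excludes its header)."""
    sizes = {"header": HEADER_SIZE, "text": hdr["iTextSize"], "code": hdr["iCodeSize"],
             "export": hdr["iExportDirCount"] * 4}
    imp = hdr["iImportOffset"]
    if imp + 4 > len(data):
        raise ValueError("import section offset outside file")
    sizes["import"] = struct.unpack_from("<i", data, imp)[0]   # E32ImportSection.iSize
    rel = hdr["iCodeRelocOffset"]
    if rel:
        if rel + RELOC_HDR > len(data):
            raise ValueError("relocation section offset outside file")
        size, count = struct.unpack_from("<ii", data, rel)      # E32RelocSection
        sizes["code_reloc"] = size + RELOC_HDR
        sizes["code_reloc_count"] = count
    return sizes


def text_checksum(data: bytes, hdr: Dict[str, int]) -> int:
    """Sum of all 32-bit words of .text, modulo 2**32 (the header-comment reading of
    iCheckSumCode; the book notes it may instead cover the whole code section)."""
    start, size = hdr["iCodeOffset"], hdr["iTextSize"]
    if size % 4 or start + size > len(data):
        raise ValueError("text section not a whole number of words inside the file")
    return sum(struct.unpack_from(f"<{size // 4}I", data, start)) & 0xFFFFFFFF


def checksum_matches(data: bytes) -> bool:
    hdr = parse_header(data)
    return text_checksum(data, hdr) == hdr["iCheckSumCode"]


def build_sample_image() -> bytes:
    """A minimal constructed E32 DLL: 16-byte text, 4-byte IAT, one export, a
    12-byte import section and a 16-byte relocation section."""
    text = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0xE0000000)
    code = text + struct.pack("<I", 0) + struct.pack("<I", 0x10000000)  # + IAT + export dir
    import_sec = struct.pack("<iii", 12, 8, 1)        # iSize covers the whole 12 bytes
    reloc_body = struct.pack("<II", 0x1000, 8)        # one constructed E32RelocBlock
    reloc_sec = struct.pack("<ii", len(reloc_body), 1) + reloc_body   # iSize excludes header
    code_off = HEADER_SIZE
    import_off = code_off + len(code)
    reloc_off = import_off + len(import_sec)
    values = [
        0x10000079, 0x100039CE, 0x10008ACE, 0x7EC529DB,           # Uids and iCheck (PETRAN dump)
        int.from_bytes(b"EPOC", "little"), 0x2000,                 # iSignature, iCpu = ARM
        sum(struct.unpack("<4I", text)) & 0xFFFFFFFF, 0,           # iCheckSumCode, iCheckSumData
        0x00AF0001, 0,                    # iVersion 1.00(175) (TVersion layout assumed), iTime
        3, len(code), 0, 0x1000, 0x100000, 0x2000, 0, 0,           # dll + no entry .. iEntryPoint
        0x10000000, 0, 1, code_off + len(text) + 4, 1, len(text),  # iCodeBase .. iTextSize
        code_off, 0, import_off, reloc_off, 0, 0,                  # offsets, iPriority
    ]
    return struct.pack(HEADER_FMT, *values) + code + import_sec + reloc_sec


if __name__ == "__main__":
    image = build_sample_image()
    hdr = parse_header(image)
    print(describe(hdr))
    print(section_sizes(image, hdr))
    print(f"text checksum 0x{text_checksum(image, hdr):08X}, matches header: {checksum_matches(image)}")
```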

(Cracking mobile phone applications will be continued in later versions.)

Chapter 20 - Loader theory and creating patch files

This time I will explain some theory about loaders and how loader files and patch files are created. A word of warning: since we are only studying the basics of cracking, I will not explain here how to write a loader. The discussion will focus on how to create loader and patch files with ready-made software. For the details, I recommend the article "Cracking with loaders: theory, general approach and a framework" by Shub-Nigurrath and Thunderpwr of ARTeam.

Info: A loader is a small application that starts a process and waits while that process (the software) unpacks itself / undoes its protection. It then patches the process in memory in order to fix the mistakes/weaknesses the programmer left in the program. One disadvantage is that the loader must always be used to start the program. Normally the loader and the original program sit in the same directory. One advantage is that a loader does not need to unpack the program / undo the protection itself, which saves time when cracking. The combination of loader and program is usually described as a father-child process: the loader is the father, because it controls the program, and the original program is the child, because it is controlled. Creating a loader is very easy; you just use a GUI tool, without writing any code, and enter a few required details, mainly which bytes to patch at which address. dUP and ABEL are well-known loader creators. The point to pay particular attention to is how long to wait before patching (the wait is needed because the original program is still unpacking in memory). If the first patch attempt fails, try increasing the patch delay. There are also other special-purpose loaders. Some programs try to check whether they have been run from a loader; if they detect a loader, they change the virtual addresses in memory while unpacking.

The software we will try cracking this time is Windows NT Tips, Tricks, and Registry Hacks, sold by JSI Inc. It collects nearly ten thousand Windows Registry secrets, and it can be downloaded for free from www.jsiinc.com. The price of the software is over $4000, and if you cannot buy a license you can read only the 100 pages written in 1997 for free. The program's name is Jsittarh.exe. In fact Jsittarh.exe is a set of HTML files compiled into an exe with Web Compiler 1.3. Let's look at how the program works. Figure 1.

Figure 1

Figure 1 shows information about the Windows Registry. If you click 79nn in Figure 1, you see Figure 2.

Figure 2

In Figure 2 choose any question you like. It will ask for a password as in Figure 3.

Figure 3

If you enter a password as in Figure 3 and click the OK button, no MessageBox (message) appears and you are taken back to Figure 1. That is how the program behaves. Now let's examine the program with PEiD. Figure 4.

Figure 4

According to PEiD it is PEtite 2.x. Protection ID 6.2.3 says it is protected with PEtite 2.2; Protection ID gives more precise answers about protectors. So the program needs to be unpacked. Open the program in Olly.

Figure 5

Look at Figure 5. VA 004BA042 is the entry point. Look closely at this location. Recall that PUSHAD is the instruction that PUSHes all the DWORD registers. So, to set a hardware breakpoint, press F8 to step to the PUSH EAX at VA 004BA05D. Once at VA 004BA05D, right-click the ESP register in the register window and choose Follow in Dump. Figure 6.

Figure 6

After choosing Follow in Dump as in Figure 6, you see Figure 7.

Figure 7

Right-click the highlighted 38 07 91 7C in Figure 7 and choose Breakpoint > Hardware, on access WORD. Then press F9 (Run). You will see Figure 8.

Figure 8

When you press F9 (Run), it stops at the hardware breakpoint at VA 004BA03D. Strangely, at our entry point VA 004BA042 there is now JMP 00484724 instead of MOV EAX, XXX. This is exactly why we had it watch this virtual address. ☺☺ In fact PEtite decompresses the code right around the entry point. Press F8 until you reach VA 004BA042. JMP 00484724 jumps to the program's OEP. Figure 9.

Figure 9

Once at the OEP in Figure 9, we dump. Right-click and choose Dump debugged process. You will see Figure 10.

Figure 10

Click the Dump button in Figure 10 and save the file under the name dump.exe. Then open the saved file to see whether it works.

Figure 11

Figure 11 is completely different from Figure 1 we saw earlier. Looking at the file size, we see Figure 12. The overlay has not been carried over.

Figure 12

In this situation it is certain that our unpacking did not bring everything along. The missing part is the part containing the HTML files. Check the dumped file with PEiD: it reports Borland Delphi 3.0. In fact the file we dumped is only the Web Compiler software itself. Choose Compiler Option from the File menu of dump.exe. You will see Figure 13. (The File menu of Jsittarh.exe does not contain Compiler Option.)

Figure 13

Look carefully at Figure 13. Do you understand that the dialog box seen in Figure 3/14 is the result of Figure 13? To generate the password, the software first creates a master key, and then applies a user key to produce the password. Guessing the password from a password routine like this takes a bit of effort. TEAM LAXiTY computed the key at one time, and before I entered the cracking field I used that very key. The key is 15416???. I am not going to reveal the key here; if you want to know it, you must search for and compute it yourself. Only then are you a true cracker. ☺☺☺☺☺☺☺☺☺

Figure 14

After finding some information in Dump.exe, let's go back to Jsittarh.exe.

Figure 15

Let's continue from where we paused after dumping in Figure 15. Now that we know the OEP, the hardware breakpoints can be deleted. Once they are deleted, press F9 (Run). You will see Figure 1. In this state, open 7900 » DNS problems in .. under 79nn and try to register. Figure 16.

Figure 16

When Figure 16 appears, press F12 in Olly to pause the program. You will see Figure 17.

Figure 17

Press Alt + K to view the Call Stack; you will see Figure 18.

Figure 18

Set a breakpoint at the start of every procedure in Figure 18. To set a breakpoint, right-click the virtual address and choose Show procedure (Enter key). After setting the breakpoints, click the OK button in Figure 16. You will see Figure 19.

Figure 19

Examine the CALL 00403AFC at VA 0047E52D in Figure 19. You will see the value of EAX changing. The most interesting place here is VA 0047E53C. Replace JE 0047E5E0 (0F,84,9E,00,00,00) with JMP 0047E5E0 (E9,9F,00,00,00,90) and run the program. The breakpoints are no longer needed, so remove them all. (Note: write the hex numbers down on a blank sheet of paper; they will come in useful.)

Figure 20

When the code is changed as in Figure 20 and the program is run, you see Figure 21.

Figure 21

Now we can read the content we wanted without knowing the key. Sadly, this only works while the program is open in Olly. To read it whenever we like, we need to patch. OK, save the file with the modified code in Olly. As Figure 22 shows, the file cannot be saved.

Figure 22

Let's find out why this error occurs. Open the program (Jsittarh.exe) in Olly again. The entry point (004BA042) looks as follows.

Figure 23

Now let's go to VA 0047E53C, the place we want to patch. Figure 23.

Figure 24

There is no code at all, just zeros. The code we saw earlier was placed there by the decompression stub after it unpacked. With a properly unpacked file this problem would not arise, but our unpacking of PEtite did not succeed. So we need to create a loader file to solve this problem. The loader's job is to search, while PEtite places the program in memory as a process and unpacks it, for the byte (code) to be patched and replace it with the byte (code) we want.

To create the loader/patch file, open ABEL Loader Generator 2.31. Figure 25.

Figure 25

Then proceed as follows to create the loader file –

1. Enter the name of the file we are going to patch (Jsittarh.exe).

2. Set the name of the loader file. (Jsittarh_Loader.exe)

3. Timeout is the time the loader waits for the process to load. On computers with slow processors the timeout value can be set to 15.

4. The virtual address to patch is VA 0047E53C, and the bytes to change are the HEX numbers I had you note down on the sheet of paper (JE 0047E5E0 (0F,84,9E,00,00,00) and JMP 0047E5E0 (E9,9F,00,00,00,90)). Figure 26.

5. The last step is simply to click the Generate button.

Figure 26

After the loader file has been created, put the loader (Jsittarh_Loader.exe) in the same directory as Jsittarh.exe and run it. You will see Figure 27, and everything works without entering or being asked for any key.
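To see why the displacement byte changes from 9E to 9F between the two entries on the sheet of paper, the following added example (not part of the book) decodes both branch encodings, resolves their targets from the patch address and checks that the recorded entry keeps the target and the instruction-stream length, as a reviewer of a loader's patch table would; the function names are the example's own.

```python
# Added example (not part of the book): decode the two branch encodings noted on the
# sheet of paper, JE rel32 (0F 84 disp32) and JMP rel32 (E9 disp32), resolve their
# targets from the patch address and explain the 9E -> 9F change. The displacement
# is relative to the END of the instruction, and JE is 6 bytes while JMP is 5, so
# reaching the same target needs a displacement one larger; the trailing 90 (NOP)
# keeps the following instruction at its original address.
import struct
from typing import List, Tuple

PATCH_VA = 0x0047E53C                                   # from Figure 19
OLD_BYTES = bytes.fromhex("0F849E000000")               # JE  0047E5E0
NEW_BYTES = bytes.fromhex("E99F00000090")               # JMP 0047E5E0 ; NOP


def decode_branch(va: int, code: bytes) -> Tuple[str, int, int]:
    """(mnemonic, instruction length, target VA) for the two near branches used
    here; anything else raises so a patch entry cannot be silently misread."""
    if code[:2] == b"\x0F\x84" and len(code) >= 6:
        disp = struct.unpack_from("<i", code, 2)[0]
        return "JE", 6, (va + 6 + disp) & 0xFFFFFFFF
    if code[:1] == b"\xE9" and len(code) >= 5:
        disp = struct.unpack_from("<i", code, 1)[0]
        return "JMP", 5, (va + 5 + disp) & 0xFFFFFFFF
    raise ValueError(f"not a JE/JMP rel32 at {va:08X}: {code.hex()}")


def explain_patch(va: int, old: bytes, new: bytes) -> dict:
    """Decode both sides of one patch-table entry and report what it changes."""
    old_m, old_len, old_t = decode_branch(va, old)
    new_m, new_len, new_t = decode_branch(va, new)
    pad = new[new_len:old_len]                          # bytes after the shorter JMP
    return {
        "va": va,
        "before": f"{old_m} {old_t:08X}",
        "after": f"{new_m} {new_t:08X}",
        "same_target": old_t == new_t,
        "length_preserved": len(new) == len(old) and pad == b"\x90" * (old_len - new_len),
        "conditional_removed": old_m == "JE" and new_m == "JMP",
    }


def patch_table_report(entries: List[Tuple[int, bytes, bytes]]) -> List[str]:
    """One line per (va, old, new) entry, as a reviewer of a loader would read it."""
    lines = []
    for va, old, new in entries:
        info = explain_patch(va, old, new)
        note = "branch made unconditional" if info["conditional_removed"] else "branch kind unchanged"
        if not info["same_target"]:
            note = "WARNING: target changed"
        if not info["length_preserved"]:
            note += "; WARNING: instruction stream length changed"
        lines.append(f"{va:08X}: {info['before']} -> {info['after']} ({note})")
    return lines


if __name__ == "__main__":
    for line in patch_table_report([(PATCH_VA, OLD_BYTES, NEW_BYTES)]):
        print(line)
```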

Figure 27

Chapter 21 - Studying crypto code

This time we will study the crypto code that is commonly encountered when cracking. Crypto is short for cryptography and concerns encryption and decryption. Encrypting means turning text into unintelligible text with the help of some key (there may also be no key). Decrypting means turning the hidden code/text back into its original form. This technique is used for secret writing in military telegrams, and also when the registration key files of some software are to be kept from people's eyes. Crypto code is also met when unpacking, in serial routines and in CRC checks, which is why it is included in this chapter. As said in earlier chapters, this book concentrates on the basics, so if you want to know cryptography in detail I recommend reading "Cryptography in C and C++" by Michael Welschenbach and "Foundations of Cryptography" by Oded Goldreich. The reason for recommending these books is simply that they can be obtained online for free (illegally).

The basic crypto techniques we will study are as follows -

(1) Transposition

(2) Substitution

(3) Frequency analysis

(4) Le Chiffre Indéchiffrable

(5) Charles Babbage & Vigenère

(6) Playfair

(7) ADFGX crypto

(1) Transposition

This method swaps the positions of the text. In this simple transposition scheme the message is written in two rows.

- The first row holds letters 1, 3, 5 and so on.

- The second row holds letters 2, 4, 6 and so on.

Example message:

- Your secret is your prisoner, let it go and you become its prisoner. The first row must contain the odd-numbered letters.

- Yusceiyupioelttonyueoetpioe

The second row must contain the even-numbered letters.

- orertsorrsnreigadobcmisrsnr

When the two rows are joined into the ciphertext, we get the following ...

- Yusceiyupioelttonyueoetpioeorertsorrsnreigadobcmisrsnr

(2) Substitution

This method replaces one letter with another letter.

A code replaces a group of letters or a word.

(2.1) Monoalphabetic substitution

An example of this form is the Caesar roll. It shifts the unencrypted message. Usually with this scheme the original text is shown in lowercase and the encrypted text in uppercase.

Plaintext

- abcdefghijklmnopqrstuvwxyz

Page 320: Cracker_Guide_2.1_

tcef;(21) - Crypto uk'frsm;udk avhvmjcif; - 320 -

Crypt vkyfxm;aompmom;

- DEFGHIJKLMNOPQRSTUVWXYZABC ('DOyrmrSmawmh nmzufudk rotate vSnfhxm; wm jzpfygw,f/)

rlvpmom;

- veni, vidi vici

Crypt vkyfxm;aompmom;

- YHQL, YLGL, YLFL

'DOyrmudkMunfhr,fqkd&if v ae&mwdkif;rSm Y eJUtpm;xdk;jyD; i ae&mwdkif;rSm L eJUtpm;xdk;xm;wm awGU&ygw,f/ 'gaMumifh 'Denf;eJUumuG,fwm[m pdwfrcs&wm awGU&ygw,f/ 'gaMumifh y&dk*&rfrmu pmvHk; awGudk tMudrfMudrfvSnfhjyD; rlvpmom;udk tvG,fwuljyefazmfEdkifygw,f/

(2.2) Monoalphabetic substitution with a key

This method gives crackers a real headache. Even if a cracker has obtained the encrypted text and the software's algorithm, decoding the encrypted code is not easy, because the key used for the encryption is unknown. The number of possible keys is around 400 000 000 000 000 000 000 000 000. So if you tried one key per second, you would need a lifespan of about 10^9 before the encrypted code was solved.

Plaintext

- abcdefghijklmnopqrstuvwxyz

Ciphertext

- DJKTUVCWNOLPAEGFHIQRXYMSZB

Plaintext

- ettu, brute?

Ciphertext

- URRX, JIXRU?

With this method, if the key you use is long, decryption is hard for a cracker who does not know the key.

Short keys, reusing the same key again and again, and key phrases (for example Julius Caesar) that contain spaces and repeated letters (instead of Julius Caesar you would have to use JULISCAER) are the weaknesses of this method. The remaining letters are filled in by shifting the alphabet, starting from where the key ends.

Plaintext

- abcdefghijklmnopqrstuvwxyz

Ciphertext

- JULISCAERTVWXYZBDFGHKMNOPQ

Ciphertext (it may also be rotated as follows)

- CAERTVWXYZBDFGHKMNOPQJULIS

The good point of this method is that the key (or key phrase) is easy to remember. Encrypting text with such simple keys so that it could not be read goes back about a thousand years. Although there are ways to break this method, the Arabs were the first to do so.

(3) Frequency Analysis

The writings of an Arab scholar who was able to break monoalphabetic crypto date from around 800 AD. The trick is simply the letters that are used most often in any given language. If you know which letters are most common in a language, you just substitute them for the most frequent letters in the encrypted text. The same substitution can also be applied to the most common words.

For a cracker it is easy to write small applications that analyze some text files. If you were decoding a *.asm file, you would trace from strings such as EAX, EBX and ECX, because those registers are used most in assembly-language programming.

(4) Le Chiffre Indéchiffrable

For centuries, monoalphabetic substitution crypto was the fashionable way to write secret messages. But once the Arabs invented frequency analysis, the method was no longer safe to use.

The original idea of this new crypto came from Leon Battista Alberti, born in 1404. His notion was to use two or more cipher alphabets and switch between them.

Plaintext

- a b c d e f g h i j k l m n o p q r s t u v w x y z

Cipher alphabet 1

- F Z B V K I X A Y M E P L S D H J O R G N Q C U T W

Cipher alphabet 2

- G O X B F W T H Q I L A Z P J D E S Y V C R K U H N

If we encrypt the word hello, the first letter h becomes A. The second letter e becomes F. With this method hello becomes AFPAD.

Blaise de Vigenère, born in 1523, developed the method further. Instead of two or three alphabets he used 26 (a-z for English). Although his idea built on the earlier work, the method is called the Vigenère cipher. Because more than one cipher alphabet is used, crypto of this kind is called polyalphabetic.

The first thing to do with this method is to write out a Vigenère table. The table is built by writing the plaintext alphabet over the cipher alphabets, each row being the previous row rotated (shifted) by one position.

Plaintext

abcdefghijklmnopqrstuvwxyz

Table drawn for encryption

 1 BCDEFGHIJKLMNOPQRSTUVWXYZA
 2 CDEFGHIJKLMNOPQRSTUVWXYZAB
 3 DEFGHIJKLMNOPQRSTUVWXYZABC
 4 EFGHIJKLMNOPQRSTUVWXYZABCD
 5 FGHIJKLMNOPQRSTUVWXYZABCDE
 6 GHIJKLMNOPQRSTUVWXYZABCDEF
 7 HIJKLMNOPQRSTUVWXYZABCDEFG
 8 IJKLMNOPQRSTUVWXYZABCDEFGH
 9 JKLMNOPQRSTUVWXYZABCDEFGHI
10 KLMNOPQRSTUVWXYZABCDEFGHIJ
11 LMNOPQRSTUVWXYZABCDEFGHIJK
12 MNOPQRSTUVWXYZABCDEFGHIJKL
13 NOPQRSTUVWXYZABCDEFGHIJKLM
14 OPQRSTUVWXYZABCDEFGHIJKLMN
15 PQRSTUVWXYZABCDEFGHIJKLMNO
16 QRSTUVWXYZABCDEFGHIJKLMNOP
17 RSTUVWXYZABCDEFGHIJKLMNOPQ
18 STUVWXYZABCDEFGHIJKLMNOPQR
19 TUVWXYZABCDEFGHIJKLMNOPQRS
20 UVWXYZABCDEFGHIJKLMNOPQRST
21 VWXYZABCDEFGHIJKLMNOPQRSTU
22 WXYZABCDEFGHIJKLMNOPQRSTUV
23 XYZABCDEFGHIJKLMNOPQRSTUVW
24 YZABCDEFGHIJKLMNOPQRSTUVWX
25 ZABCDEFGHIJKLMNOPQRSTUVWXY
26 ABCDEFGHIJKLMNOPQRSTUVWXYZ

The first row is a Caesar shift, a single cipher alphabet moved along by one position. With this method you use a new row for each letter you encrypt. To decrypt, the cracker must know which row was used for which letter. For encryption you could, for instance, use

row (5) for the first letter

row (14) for the second letter

row (21) for the third letter, and so on.

To decode such a message the recipient must know which rows to use. One way to arrange this is to use a keyword.

Say, for example, that we want to hide the text "Begin attack at sundown" with the keyword GREEN. We write the keyword over the text, repeating it, so that each letter of the keyword lines up with a letter of the message to be hidden.

G R E E N G R E E N G R E E N G R E E N (keyword)
b e g i n a t t a c k a t s u n d o w n (message)

To hide the letter b, the keyword letter taken is G. In the Vigenère table G is in row (6). The letter that replaces b is H, the letter in row (6) in the same column as b.

To hide the letter e, the keyword letter taken is R. In the Vigenère table R is in row (17). The letter that replaces e is V, the letter in row (17) in the same column as e.

So encrypting "beginattackatsundown" with the keyword "GREEN" gives the final text "HVKMAGKXEPQRXWHTUSAA".

Whether the keyword is long or whole sentences are used as the keyword, you are bringing more rows of the Vigenère table into play, which makes your crypto code harder to break. If you tried frequency analysis, it would be hard to say which letter stands for a. Although Vigenère published his discovery in the Traicté des Chiffres in 1586, it did not come into common use for about 200 years.

(5) Charles Babbage & Vigenére

The strength of the Vigenère crypto is that a given letter can be encrypted in several ways. With the keyword KING a particular letter can be encrypted in 4 ways. The same applies to words: encrypting the word "the" can give DRQ, BUK, GNO or ZRM. This makes decryption harder, but not impossible.

Charles Babbage, born in 1791, was the first to break crypto of this kind. He spent his whole life immersed in statistics, and was among those who drew up the birth and death (mortality) tables that life insurance companies use so widely today.

What he reasoned was this: if there are only 4 ways to encrypt "the", then a word that occurs many times in a secret message will, again and again, be encrypted the same way. The longer the text, the better the odds. This repetition is what led Babbage to a decryption method for the Vigenère crypto.

Babbage's method is simple. Look for groups of letters that occur more than once in the ciphertext. When two letter groups match, their positions from the start of the ciphertext and the distance between them give clues to the number of letters in the keyword. If you know the number of letters in the keyword, you can work out how many cipher alphabets were used to encrypt the plaintext. (The example I showed earlier used 26 cipher alphabets, A-Z.) If only one cipher alphabet was used, it is monoalphabetic crypto, and you already know how to decrypt that.

If the keyword has 5 letters, the first alphabet applies to letters 1, 6, 11 and so on; the second alphabet applies to letters 2, 7, 12 and so on. You use as many alphabets as there are letters in the keyword. How do you know which alphabet is which? You have probably guessed the answer: frequency analysis. Once you know the number of letters in the keyword, frequency analysis is what you use. Remember that each cipher alphabet is just an ordinary alphabet shifted on from the previous row.

Testing Vigenère in assembler

To try the Vigenère crypto in assembler you would need a large number of Vigenère tables in memory, plus many index and key-character pointers. Let's look at a sample program.

Crypting:
    add al,ah         ;al is clear char and ah is key char
    sub al,"A"+"A"
    cmp al,25
    jng @F
    sub al,26         ;Overflow, wrap around
@@: add al,"A"        ;al is now crypted char

Decrypting:
    sub al,ah         ;al is crypt char and ah is key char
    cmp al,0
    jge @F
    add al,26         ;Underflow, wrap around.
@@: add al,"A"        ;al is now clear char

To understand this assembly code, remember that the Vigenère table contains 26 alphabets, each one shifted one position on from the previous row.

If we encrypt the word "the" with the keyword KING, the encrypted letter for the first letter t is D, where row (10), K, meets the letter t.

Another way to see this: go to the column where K sits in the row starting with A. That is column 10 (the A column is column 0). Add column 19, where T sits, to column 10 for K and you get 29. Since the English alphabet has only 26 letters, this overflows. Counting on from 29 around the alphabet, 0(A), 27(B), 28(C), 29(D), 30(E) and so on, you land in the D column. That is how the letter substituted for T with the key K is calculated.

We use the same rule for decryption, but here we subtract the key letter from the encrypted letter, so instead of an overflow we look for an underflow. That should be enough to understand the Vigenère crypto. Now try to decode the following encrypted text.
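As an added example (not code from the Cracker Guide), here is the Vigenère encryption and decryption just described, using the same modulo-26 wrap-around that the assembler snippet handles as overflow and underflow, followed by the two analysis steps of sections (4) and (5): Babbage's search for repeated letter groups and their distances, a column-period test, and a per-column frequency analysis that recovers each keyword letter as a plain Caesar shift. The English letter-frequency table, the sample paragraph, the 0.055 coincidence threshold and all function names are my own assumptions, not the book's.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate English letter frequencies in percent (assumed reference table).
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}

def letters_only(text):
    """Keep A-Z only, upper-cased, as the book does before encrypting."""
    return "".join(ch for ch in text.upper() if ch.isalpha())

def vigenere(text, key, decrypt=False):
    """Add (or subtract) the key letter's row number and wrap around mod 26,
    exactly what the assembler's 'sub al,26' / 'add al,26' do."""
    key = letters_only(key)
    out = []
    for i, ch in enumerate(letters_only(text)):
        c = ord(ch) - 65
        k = ord(key[i % len(key)]) - 65
        out.append(ALPHABET[(c - k) % 26 if decrypt else (c + k) % 26])
    return "".join(out)

def repeated_sequence_distances(ciphertext, n=3):
    """Babbage's clue: a plaintext n-gram repeated at a distance that is a
    multiple of the key length repeats in the ciphertext too."""
    last_seen, distances = {}, []
    for i in range(len(ciphertext) - n + 1):
        gram = ciphertext[i:i + n]
        if gram in last_seen:
            distances.append(i - last_seen[gram])
        last_seen[gram] = i
    return distances

def index_of_coincidence(column):
    """Chance that two letters drawn from the column are equal: about 0.066
    for single-shift English, about 0.038 for a mix of many shifts."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))

def guess_key_length(ciphertext, max_len=12, threshold=0.055):
    """Smallest period whose columns each look like single-shift English."""
    for length in range(1, max_len + 1):
        columns = [ciphertext[i::length] for i in range(length)]
        if sum(index_of_coincidence(c) for c in columns) / length >= threshold:
            return length
    return None

def best_shift(column):
    """Frequency analysis of one column: the Caesar shift whose un-shifted
    letter counts fit ENGLISH_FREQ best (smallest chi-squared)."""
    n = len(column)
    best, best_score = 0, None
    for shift in range(26):
        counts = Counter(ALPHABET[(ord(ch) - 65 - shift) % 26] for ch in column)
        score = sum((counts[letter] - n * pct / 100) ** 2 / (n * pct / 100)
                    for letter, pct in ENGLISH_FREQ.items())
        if best_score is None or score < best_score:
            best, best_score = shift, score
    return best

def recover_key(ciphertext, key_length):
    """Column i of the ciphertext was shifted by key letter i."""
    return "".join(ALPHABET[best_shift(ciphertext[i::key_length])]
                   for i in range(key_length))

# Constructed sample message (not from the book), long enough for the statistics.
SAMPLE = (
    "The general who reads the enemy dispatches before the battle has already won "
    "half of it. Every message sent by wire or by runner can be taken, and a cipher "
    "that looks strong to its author is often a simple puzzle to a patient reader "
    "with a table of letter counts. The clerk who chooses a short keyword and repeats "
    "it over a long report hands the reader a rhythm, and that rhythm betrays the "
    "length of the key. Once the length is known the report falls apart into a "
    "handful of ordinary shift ciphers, each of which yields to the same counting of "
    "letters that broke the ciphers of the old kings."
)
KEY = "GREEN"

if __name__ == "__main__":
    ct = vigenere(SAMPLE, KEY)
    print("ciphertext:", ct[:40], "...")
    print("repeat distances:", repeated_sequence_distances(ct))
    length = guess_key_length(ct)
    print("estimated key length:", length)
    if length:
        key = recover_key(ct, length)
        print("recovered key:", key, "(matches)" if key == KEY else "(analysis misfired)")
        print("plaintext:", vigenere(ct, key, decrypt=True)[:40], "...")
```

The book's GREEN example and the Caesar example (key "D" is row 3) both reproduce exactly. The statistics only become reliable with a few hundred letters, which is Babbage's point about long reports; on a 20-letter message the repeated-sequence test finds nothing and the column frequencies are too thin to trust.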

BBLM RS VRJ XTYOETOSWP UNTYOJH XBLHCOQ DLVTSQX FHO T PRQMJLJ UJG?

QXJ CD FJDG YK JWTBTKM FHO BB DCXLYCHDS HYW WSBUDTOS NZ IUAA GNNS,

MQE QDMYC BB UUOI NZ VJRTI LLZVNRKOX.

QSTC IU DMY OBOFGBJHNX KEVGJYY XAOVSH UYW TIPUD?

YCHCIE SX ODBWG C PJUEANR....MSSEJ BB UUSSA EAN WJYQY NARCMOS.

Getting around Vigenère

The very strength of the Vigenère crypto makes it harder to use. Stronger than monoalphabetic crypto and yet easier to use than Vigenère is the homophonic substitution crypto.

In this crypto you can replace a letter with any of several symbols, and the number of substitutes is proportional to how often the letter is used. If the letter a is used 9% of the time, we need 8 symbols for a. Each time we see the letter a in the text to be hidden, we replace it with any one of the 8 symbols assigned to a; which of the 8 does not matter. Once the text is hidden, each symbol substituted for a occurs just 1% of the time in the secret message. For b or any other letter the rate is also 1%. For b we would substitute up to 2 symbols. Whichever plaintext letter was hidden, in the secret message the substitutes each show up at a rate of 1%.

Below is an example of the homophonic substitution crypto. It uses these numbers:

a b c d e f g h i j k l m n o p q r s t u v w x y z 09 48 13 01 14 10 06 23 32 15 04 26 22 18 00 38 94 29 11 17 08 34 60 28 21 02

12 81 41 03 16 31 25 39 70 37 27 58 05 95 35 19 20 61 89 52

33 62 45 24 50 73 51 59 07 40 36 30 63

47 79 44 56 83 84 66 54 42 76 43

53 46 65 88 71 72 77 86 49

67 55 68 93 91 90 80 96 69

78 57 99 75

92 64 85

74 97

82

87

98

Since every symbol has a frequency of 1%, there is no way to apply frequency analysis to the secret message. So can it not be decoded? Not quite. ☺☺☺

The decrypter still has clues. In every language, every letter has its own character and its own relationships with other letters. Even when homophonic substitution is used, these can be recognised.

For example, in English, q is always followed by u. No other letter can follow it. If we decrypt English text hidden with homophonic substitution, we look for the letter q first, which is replaced by a single symbol (or number). Since we know that u makes up 3% of all letters, u will have been replaced by about 3 symbols.

If in the secret message we find a symbol that is always followed by one of the same 3 symbols, we can be confident that those symbols mean u and the symbol before them is q. The other letters are harder to pick out, but the relationships between them let you work out which letters they are. So this crypto can be decoded, but it is a great deal safer than simple monoalphabetic crypto.

At first glance homophonic substitution crypto looks similar to some types of polyalphabetic crypto, since each plaintext letter can be replaced by several symbols, but there is a clear difference.

In the example above the letter a is represented by 8 different numbers. These numbers represent a and only a. In polyalphabetic crypto a plaintext letter can also be represented by many letters, but those same letters can in turn stand for other letters of the plaintext. That is why homophonic substitution crypto can be said to be monoalphabetic: once the cipher alphabet is created, it is used throughout, and there is no difference from substituting one letter for another. With polyalphabetic crypto, by contrast, the cipher alphabets must be switched continually.

Decode the following text, encrypted with the homophonic substitution crypto.

HNE 0IQWtG OY98CKÂ5u YfTBÅ7| pA vÏÃ2ä] éJ 1W[UZÂjweh3 XÈ i

åÅçgÄvâ ìqmV-sSkboDÁÏI6 }dcaäYz xÉÆÊÇÎË ÍL åét2Wë ãSáÌèDíæT

2.2, 9u ï]HÂ0|Cà X13-5Ã ëZ7gycK. Ulî Ëpx8MEçeikÅÄI ÏtDQw1GB o

äJÁ æA 3éVAObfuch[ jqÇvsz| åWÃ2Â] ÈÆmV-ÎSád}xíïÉ 2.2 Êçg

vÅI2Ïë âãàA-îSHÌèDK0T ]EZì5t9Q GËäUé7u, årWc{ ÂB Å|xy1O3 vÏeÀ

kNäJ Dpën ÄV åéÃ2W].

(6) Playfair

The Playfair crypto was created by Lyon Playfair. It replaces each pair of letters in the plaintext with another pair of letters. To encrypt and decrypt a message, the sender and the receiver must have agreed on a keyword beforehand.

The crypto is used like this ...

Write the letters into a 5x5 square (a-z); I and J share the same cell. Start with the keyword. If the keyword is CHARLES you get -

C H A R L
E S B D F
G I/J K M N
O P Q T U
V W X Y Z

Next you can split the message into pairs of letters called bigrams. Each bigram must contain two different letters, so you have to put an x between a pair of identical letters; otherwise you would end up with a bigram of repeated letters.

Plaintext

We meet at hammersmith bridge at seven.

Text in bigrams

we-me-et-at-ha-mx-me-rs-mi-th-br-id-ge-at-se-ve-nx

Then the encryption starts. Every bigram falls into one of the following groups.

1. The two letters lie on the same row.

2. The two letters lie in the same column.

3. Neither of the above.

1. If both letters are in the same row, replace each by the letter to its right. MI becomes NK. If a letter is the last in its row, replace it by the first letter of that row.

2. If the pair is in the same column, replace each by the letter below it. GE becomes OG. If a letter is in the last row, replace it by the letter in the first row. YR becomes RD.

3. If neither of these applies, do this. To encrypt the first letter, look along its row until you reach the column of the second letter; the letter at that point replaces the first letter. To encrypt the second letter, look along its row until you reach the column of the first letter; the letter at that point replaces the second letter. So VI becomes WG and SV becomes EW.

You can picture the plaintext letters as two corners of a rectangle; the substituted letters are the opposite corners.

Bigram text

we me et at ha mx me rs mi th br id ge at se ve nx

Ciphertext

VSDGODQRARKYDGDHNKRPADSMOGQRBSCGKZ
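The Playfair procedure above, as an added example in Python that is not the book's own code: the keyed square with I/J merged, the bigram split with the x-insertion rule, and the three substitution rules, each reversible for decryption. The padding choice for a doubled x (use q instead) and the function names are my assumptions. The block is checked against the book's square and its five pair examples (MI, GE, YR, VI, SV); note that the book's full ciphertext for the sample sentence departs from its own rule 3 in several pairs (by the rules as stated, "me" gives GD, not DG), so the full string is not a valid check.

```python
def playfair_square(keyword):
    """5x5 square: keyword letters first (duplicates dropped), then the rest
    of the alphabet; I and J share one cell, as the book's table shows."""
    cells = []
    for ch in keyword.upper() + "ABCDEFGHIKLMNOPQRSTUVWXYZ":
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    return [cells[r:r + 5] for r in range(0, 25, 5)]

def to_bigrams(text):
    """Split into letter pairs; a doubled letter gets an X pushed between
    (Q if the letter itself is X, an assumed convention), and an odd
    trailing letter is padded with X, giving we-me-et-...-ve-nx."""
    letters = ["I" if ch == "J" else ch for ch in text.upper() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        first = letters[i]
        second = letters[i + 1] if i + 1 < len(letters) else "X"
        if first == second:
            pairs.append(first + ("Q" if first == "X" else "X"))
            i += 1
        else:
            pairs.append(first + second)
            i += 2
    return pairs

def playfair_pair(square, pair, decrypt=False):
    """The three rules: same row -> step right, same column -> step down,
    otherwise take the opposite corners of the rectangle. Decryption steps
    the other way; the rectangle rule is its own inverse."""
    where = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (r1, c1), (r2, c2) = where[pair[0]], where[pair[1]]
    step = -1 if decrypt else 1
    if r1 == r2:
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]

def playfair_encrypt(keyword, plaintext):
    square = playfair_square(keyword)
    return "".join(playfair_pair(square, pair) for pair in to_bigrams(plaintext))

def playfair_decrypt(keyword, ciphertext):
    square = playfair_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(playfair_pair(square, pair, decrypt=True) for pair in pairs)

if __name__ == "__main__":
    for row in playfair_square("CHARLES"):
        print(" ".join(row))
    for pair in ("MI", "GE", "YR", "VI", "SV"):
        print(pair, "->", playfair_pair(playfair_square("CHARLES"), pair))
    ct = playfair_encrypt("CHARLES", "We meet at hammersmith bridge at seven.")
    print(ct, "->", playfair_decrypt("CHARLES", ct))
```

Decryption returns the padded bigram stream (the inserted x's stay), which is the usual Playfair behaviour; the reader strips them by eye.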

(7) ADFGX crypto

The ADFGVX crypto uses both transposition and substitution. It is used like this. Write A-Z and 0-9 in any order into the 36 cells of a square. Label the rows and columns ADFGVX. The letters in the square are part of the key, and whoever is to decode the message must have this square.

    A D F G V X
A   8 p 3 d 1 n
D   l t 4 o a h
F   7 k b c 5 z
G   j u 6 w g m
V   x s v i r 2
X   9 e y 0 f q

The first step is to find in which row and column each letter of the message lies, and then take the position of that letter. In this example 8 is replaced by AA and p by AD.

Plaintext

Attack at 2230

Ciphertext

DV DD DD DV FG FD DV DD VX VX AF XG

This is a simple monoalphabetic substitution crypto and can be broken easily with frequency analysis. The second step is therefore a transposition, which depends on a key. In this example the key MARK is used; the receiver must know this key as well.

The transposition is done as follows.

Write the letters of the key in the first row of a new square. Beneath it, write the text encrypted in the first step, as many characters per row as the key has letters. Now sort the letters of the key into alphabetical order; this gives a new arrangement of the columns.

M A R K
D V D D
D D D V
F G F D
D V D D
V X V X
A F X G

A K M R
V D D D
D V D D
G D F F
V D D D
X X V V
F G A X

Final ciphertext

VD DD DV DD GD FF VD DD XX VV FG AX

The reason A, D, F, G, V and X are used is that these letters are used as Morse characters; doing so reduces errors when the secret message is transmitted.
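The two ADFGVX steps just described, as an added Python example that is not the book's code: the square substitution (with its inverse, for checking) and the keyed column re-ordering. The text reads the re-ordered square row by row, and the block reproduces that exactly; the historical field cipher read the re-ordered square column by column, which actually separates the two halves of each substitution pair, so the block offers that as an option. The square is the book's example; the function names and the read_columns switch are my own.

```python
HEADINGS = "ADFGVX"
# The book's example square: A-Z and 0-9 in a fixed, secret order (part of the key).
SQUARE = ["8p3d1n", "lt4oah", "7kbc5z", "ju6wgm", "xsvir2", "9ey0fq"]

def substitute(plaintext):
    """Step 1: each character becomes its row heading + column heading."""
    coords = {}
    for r, row in enumerate(SQUARE):
        for c, ch in enumerate(row):
            coords[ch] = HEADINGS[r] + HEADINGS[c]
    return "".join(coords[ch] for ch in plaintext.lower() if ch in coords)

def unsubstitute(stream):
    """Reverse of step 1 (used to check): heading pairs back to characters."""
    back = {}
    for r, row in enumerate(SQUARE):
        for c, ch in enumerate(row):
            back[HEADINGS[r] + HEADINGS[c]] = ch
    return "".join(back[stream[i:i + 2]] for i in range(0, len(stream), 2))

def transpose(stream, key, read_columns=False):
    """Step 2: lay the stream under the key, order the columns by the sorted
    key. read_columns=False reads the new square row by row as the book does;
    True reads it column by column, as the 1918 field cipher did."""
    width = len(key)
    rows = [stream[i:i + width] for i in range(0, len(stream), width)]
    order = sorted(range(width), key=lambda i: key[i])
    if read_columns:
        return "".join(row[i] for i in order for row in rows if i < len(row))
    return "".join(row[i] for row in rows for i in order if i < len(row))

def adfgvx_encrypt(plaintext, key, read_columns=False):
    """Both steps, output grouped in pairs like the book's listings."""
    out = transpose(substitute(plaintext), key, read_columns)
    return " ".join(out[i:i + 2] for i in range(0, len(out), 2))

if __name__ == "__main__":
    print(substitute("Attack at 2230"))
    print(adfgvx_encrypt("Attack at 2230", "MARK"))
    print(adfgvx_encrypt("Attack at 2230", "MARK", read_columns=True))
```

With row-wise reading every pair DV, DD, ... survives intact (only its place within the row moves), so frequency analysis on pairs still works; column-wise reading is what made the real cipher resist it.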

Good. Now that we know the crypto concepts, let's study a few crypto algorithms. The most widely used crypto algorithms are ADLER32, AES, BLOWFISH, CAST, CRC16/32, DES, DESX, FROG, GOST, HAVAL, ICE, ICELOCK, MARS, MD4/5, MISTY, NEWDES, Q128, RC2/5/6, RIJNDAEL, RIPEMD, RSA, SHA, SHARK, SKIPJACK, SNEFRU, SQUARE, TIGER, TWOFISH and ZLIB.

Of all these algorithms we will look at MD5. Every application from Xilisoft writes its registration routine around MD5, so let's study the registration routine of Xilisoft Audio Converter 2.1.x, which uses MD5.

(8) What MD5 is ...

MD5 (Message Digest 5) was created by Professor Ronald L. Rivest in 1992. The MD5 hash algorithm is one of the one-way hash algorithms, and the most widely used, most trusted and best known of them.

A hash algorithm is simply a mathematical function designed to condense data into a compact form. The condensed data it produces is called the hash value, or hash, and the process of computing it is called hashing. The principle behind every hash algorithm is that if two hashes computed with the same function differ, the inputs must differ in some way. Hash algorithms are called "one-way" because the original data cannot be recovered from the hash value.

MD5 is a very good hash algorithm for computing a hash of a message or a data file. MD5's fixed-length condensed representation is called the message digest, fingerprint or MD5 hash. An MD5 message digest is always 128 bits (128 bits = 16 bytes = 4 DWORDs). For the details of MD5, search Google for "RFC 1321 - The MD5 Message-Digest Algorithm"; that document shows how the message digest is computed and discusses the strengths and weaknesses of MD5.

(9) Finding the serial of Xilisoft Audio Converter

Recall from the end of the "Teleport Pro 1.61" lesson that in Xilisoft's applications the registration routine is written in the UILib71.dll or UILib8_MFCDll.dll file. Xilisoft Audio Converter uses UILib71.dll for its registration routine, so let's check UILib71.dll with PEiD. Figure (1).

Figure (1)

As Figure (1) shows, UILib71.dll was written with Visual C++ 7.x and is not protected by any protector. Press the button and choose Krypto Analyzer; you then see Figure (2).

Figure (2)

From Figure (2) it appears that UILib71.dll uses the MD5 algorithm, and the location of the MD5 routine is shown as well. Let's look at that location. Figure (3).

Figure (3)

Scrolling up a little from Figure (3) shows the start of the MD5 routine. Figure (4).

Figure (4)

Note the address VA 1001E790; you can come back here when you want to study the MD5 algorithm. I am not interested in the MD5 algorithm itself ☺☺☺, because no two Xilisoft applications use the same algorithm.

Good. Open Xilisoft Audio Converter's executable, audioenc.exe, in Olly. Figure (5).

Figure (5)

As Figure (5) shows, you arrive at the entry point. Press F9 to run the program, then try to register. Figure (6).

Figure (6)

After registering as in Figure (6), you see Figure (7).

Figure (7)

By now you should know what to do. Press F12 (Pause) in Olly to suspend the running program, then press Ctrl+K (Call Stack) to see where the BadBoy message box of Figure (7) was called from. Figure (8).

Figure (8)

Figure (8) shows something interesting. The message box is called from the UILib71.dll file, precisely from the OnOK function of the ImRegDlg dialog. So right-click on <JMP.&MFC71.#1123> and choose Execute to return (F4). Then press the OK button of Figure (7) and you see Figure (9).

Figure (9)

Look carefully at Figure (9). The name and license code you typed are first saved to the registry with the SaveRegInfo function. After that, the key you typed in Figure (6) is checked for validity with IsValidRegInfo, and if the key is wrong the BadBoy message of Figure (7) is shown. To see how the program works, let's examine SaveRegInfo and IsValidRegInfo.

Select SaveRegInfo and press the Enter key. You see the start of the routine as in Figure (10).

Figure (10)

Scrolling down from Figure (10) shows Figure (11).

Figure (11)

String2HexA in Figure (11) converts the license code you typed into HEX digits.

Figure (12)

Figure (12) is the loop that converts the string to hex. After this loop, MyanmarCrackingTeam-1234-5678-9012-3456 becomes BF A7 26 FF 5B A1 AD CF 43 A7 94 F1 82 16 6F 9C 6E 2C 4C DB 51 20 47 4A F5 B0 45 D3 CC 20 47 3D DF FD 19 53 D7 B7. Figure (13).

Figure (13)

After that, these hex values are stored in the registry with the RegSetValueExA API. Figure (14).

Figure (14)

That is all the ImRegDlg:SaveRegInfo() function does. Let's go on to study how the ImRegDlg:IsValidRegInfo() function works.

Select IsValidRegInfo and press the Enter key. You see the start of the routine as in Figure (15).

Figure (15)

Scrolling down from Figure (15) shows Figure (16).

Figure (16)

1. The code key stored in the registry is read with the RegQueryValueExA API. The HEX key read is then converted back into a string with the Hex2StringA function.

Figure (17)

2. After the MFC71.3997 function runs, the key changes from MyanmarCrackingTeam-1234-5678-9012-3456 to MyanmarCrackingTeam-.

Figure (18)

3. The MFC71.781 function reads the software's internal name, audioconverter.

Figure (19)

4. After the MFC71.4085 function runs, the _mbsupr() API of MSVCR71.dll turns MyanmarCrackingTeam- into MYANMARCRACKINGTEAM-.

Figure (20)

5. CALL UILib71.00342170 uses the memcpy() API twice to place MYANMARCRACKINGTEAM and audioconverter, then joins the two, giving MYANMARCRACKINGTEAM-audioconverter.

Figure (21)

6. CALL UILib71.0035E730 computes the hash you are after. Select CALL UILib71.0035E730 and press the Enter key. You see the start of the routine as in Figure (22).

Figure (22)

6.1. Select CALL UILib71.0035E680 and press the Enter key. You see the start of the routine as in Figure (23).

Figure (23)

Note the 3 CALLs in Figure (23). CALL 0035E760 initializes the hash value. CALL 0035F070 and CALL 0035F130 are the calls that invoke the hash computation.

6.1.1. Select CALL UILib71.0035E760 and press the Enter key. You see the start of the routine as in Figure (24).

Figure (24)

After executing the code seen in Figure (24), you see Figure (25).

Figure (25)

6.1.2. This time select CALL UILib71.0035F070 in Figure (23) and press the Enter key. You see the start of the routine as in Figure (26).

Figure (26)

Scrolling down from Figure (26) shows Figure (27).

Figure (27)

6.1.2.1. Select CALL UILib71.0035E790 in Figure (27) and press the Enter key; you see the start of the routine that computes the MD5 hash. Figure (28).

Figure (28)

Did you notice that Figure (28) and Figure (4) are the same? This is the MD5 hash algorithm computing the hash value with EBX, EBP, ESI and EDI as its variables.

Scrolling to the bottom of Figure (28) shows Figure (29).

Figure (29)

Looking at the end of the MD5 algorithm in Figure (29), it takes EAX as the base and stores the computed values at DS:[ESI]. Here ESI is 12BAB0, so the value in EAX is stored at DS:[12BAB0]. Figure (30).

Figure (30)

Explained step by step, the code of Figure (29) works as follows ___

EAX = ECX = EE5B36A2;

EBX = DS:[ESI+4] = DS:[12BAB4] = EFCDAB89;

EAX = EAX << 15 = D4400000;

ECX = ECX >> 0xB = 001DCB66;

EAX = EAX | ECX = D45DCB66;

EAX = EAX + EBX = C42B76EF;

EAX = EAX + EDI = 807A79F8;

After that the EAX value 807A79F8 is copied to DS:[ESI+4] = DS:[12BAB4]. Remember the byte ordering (endianness) in memory. Figure (31).

Figure (31)

If you check the remaining code line by line, what you finally see is Figure (32).

Figure (32)

This is the result, 5D9BEC3D F8797A80 07E00955 4A973B68, of running the MD5 algorithm over the state 01234567 89ABCDEF FEDCBA98 76543210 that was initialized at 12BAB0.

6.1.3. Select CALL UILib71.0035F130 in Figure (23) and press the Enter key. You see the start of the routine as in Figure (33).

Figure (33)

Scrolling to the bottom of Figure (33) shows Figure (34).

Figure (34)

6.1.3.1. You already know that CALL UILib71.0035F070 is the call that invokes the MD5 hash algorithm. The CALL UILib71.0035F070 at VA 0035F197 in Figure (34) does not invoke the MD5 hash algorithm, but the CALL UILib71.0035F070 at VA 0035F1A4 does.

6.1.3.1.1. Select CALL UILib71.0035F070 in Figure (34) and press the Enter key. You meet the same things you saw in Figures (26, 27, 28, 29, 30, 31, 32).

Running the MD5 hash algorithm once more over the 5D9BEC3D F8797A80 07E00955 4A973B68 just computed at 12BAB0 gives the result AB6801EF DD311D00 C7A5A08B 983315D0. Figure (35).

Figure (35)

7. After CALL UILib71.0035E730 in Figure (36) has run, the value AB6801EF DD311D00 C7A5A08B 983315D0 is obtained.

Figure (36)

8. Next CALL UILib71.0035E670 runs. This call copies the hash value we obtained onto the stack. Figure (37).

Figure (37)

From here on, keep your eye mainly on the stack window, because it shows complete information about the license code.

9. Pressing F8 in Figure (36) and continuing to trace shows Figure (38).

Figure (38)

Figure (38) splits the hash value into groups of 4. After this loop our license code is a60e-d310-caa8-931d instead of ab6801efdd311d00c7a5a08b983315d0. Figure (39).

Figure (39)

Looking at the license code, you can see that the program takes every other character.

9. Pressing F8 in Figure (38) and continuing to trace shows Figure (40).

Figure (40)

The CALL MFC71.4085 in Figure (40) uses the _mbsupr() API from MSVCR71.dll to convert a60e-d310-caa8-931d- into A60E-D310-CAA8-931D-.

10/ The CALL MFC71.1916 in Figure (41) uses the memmove() API from MSVCR71.dll to remove the trailing hyphen from A60E-D310-CAA8-931D-, giving A60E-D310-CAA8-931D.

Figure (41)

11/ The CALL MFC71.876 in Figure (42) copies the string MyanmarCrackingTeam- stored at DS:[ECX] = DS:[12BB34] back into EAX.

Figure (42)

12/ The CALL MFC71.3850 in Figure (42) uses the memmove() and memcpy() APIs to place MyanmarCrackingTeam- and A60E-D310-CAA8-931D together.

Figure (43)

If you look at this in the stack window, you will see Figure (44).

Figure (44)

By now I think how the program works should be clear. It compares MyanmarCrackingTeam-A60E-D310-CAA8-931D with MyanmarCrackingTeam-1234-5678-9012-3456, and if they do not match it shows the BadBoy message.

Notes about Xilisoft applications:

1/ Xilisoft applications use MD5 to check whether a serial is valid.

2/ A serial must be exactly 39 characters long. (Example - MyanmarCrackingTeam-1234-5678-9012-3456)

3/ The first half of the serial can be any characters. (Examples - MyanmarCrackingTeam-, 1234-5678-9012-3456-, AB124BCDE-7890-00002, Dead-beef-Cafe-Babe-)

4/ The second half of the serial is what the hash-value computation is used for. (Example - 1234-5678-9012-3456)

5/ To hash the first half of the serial, it is placed between two predefined strings. (Example - 1a□d□o□o□v.r□e.u□i□c□n□e.t.r00MYANMARCRACKINGTEAM-audioconverte)

6/ The resulting hash value is converted to lowercase. (Example - ab6801efdd311d00c7a5a08b983315d0)

7/ The characters at the odd positions of the hash value are taken and grouped in fours. (Example - a60e-d310-caa8-931d) They are then converted to uppercase. (Example - A60E-D310-CAA8-931D)

8/ The grouped value is joined back onto the first half. (Example - MyanmarCrackingTeam-A60E-D310-CAA8-931D)
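The eight steps above carried through in C, as an added example that is not the book's code: it derives the serial's second half from the lowercase MD5 hex digest the book shows and checks a typed serial against it. The two predefined sandwich strings cannot be recovered from the text, so the MD5 input is not rebuilt here and the digest is taken as given; the transform also shows that only 16 of the 32 digest characters survive, so the check keeps just 64 of MD5's 128 bits.

```c
/* Added example (not from the book): steps 6-8 of the Xilisoft check.
 * Input is the lowercase 32-char MD5 hex digest; the secret "sandwich"
 * strings of step 5 are not reproduced in the book, so MD5 itself is
 * not computed here. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_HEX_LEN 32     /* MD5 digest as 32 hex characters */
#define SERIAL_HALF_LEN 19    /* "XXXX-XXXX-XXXX-XXXX" */
#define SERIAL_LEN 39         /* note 2: the whole serial is 39 chars */

/* Step 7: keep the characters at odd positions (1st, 3rd, 5th, ...),
 * write them in groups of four separated by '-', uppercase them.
 * Returns 0 on success, -1 if the digest is not 32 hex characters. */
int digest_to_serial_half(const char *hex_digest, char out[SERIAL_HALF_LEN + 1])
{
    if (strlen(hex_digest) != DIGEST_HEX_LEN)
        return -1;
    for (int i = 0; i < DIGEST_HEX_LEN; i++)
        if (!isxdigit((unsigned char)hex_digest[i]))
            return -1;

    int o = 0;
    for (int i = 0; i < DIGEST_HEX_LEN; i += 2) {     /* index 0,2,4,... = odd positions */
        if (i > 0 && (i / 2) % 4 == 0)
            out[o++] = '-';                           /* hyphen after every four kept chars */
        out[o++] = (char)toupper((unsigned char)hex_digest[i]);  /* the _mbsupr step */
    }
    out[o] = '\0';
    return 0;
}

/* Step 8 and the final compare: the user-chosen first half joined with the
 * derived second half must equal the typed serial. Returns 1 on match. */
int serial_matches(const char *first_half, const char *hex_digest, const char *typed)
{
    char half[SERIAL_HALF_LEN + 1];
    char expected[SERIAL_LEN + 1];

    if (strlen(typed) != SERIAL_LEN)                  /* note 2 */
        return 0;
    if (strlen(first_half) + SERIAL_HALF_LEN != SERIAL_LEN)
        return 0;
    if (digest_to_serial_half(hex_digest, half) != 0)
        return 0;
    snprintf(expected, sizeof expected, "%s%s", first_half, half);
    return strcmp(expected, typed) == 0;
}

int main(void)
{
    char half[SERIAL_HALF_LEN + 1];
    /* the digest the book obtains for the first half "MyanmarCrackingTeam-" */
    digest_to_serial_half("ab6801efdd311d00c7a5a08b983315d0", half);
    printf("%s\n", half);        /* A60E-D310-CAA8-931D */
    return 0;
}
```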

This time, rather than writing a keygen, let's see how the program itself can produce nice keys for Xilisoft Audio Converter.

Figure (45)

Set a single breakpoint at VA 00358769, shown in Figure (45), and run the program. Then try to register. Figure (46). As I discussed earlier, the first 19 or 20 characters of the key can be changed to whatever you like.

Figure (46)

If you register as in Figure (46), Xilisoft produces the key by itself. Figure (47).

Figure (47)

As seen in Figure (47), Xilisoft produces the license code Myo Myint Htike---->65A3-6021-4C6D-A6C5 in the stack window.

To confirm that the license code is correct, let's register with Myo Myint Htike---->65A3-6021-4C6D-A6C5. Figure (48).

Figure (48)

Pressing the OK button in Figure (48) shows the message Registered successfully!

(10) Recovering a password protected with Exe Password 2004

This time we will recover the password that was used for protection in the "Beginner-level patching" section of the "Patching" lesson.

For a little variety, this time we will protect notepad.exe instead of calc.exe. Figure (49).

Figure (49)

As shown in Figure (49), we protect notepad.exe with the password rhythm.

Open the password-protected program in Olly and run it (F9). Figure (50).

Figure (50)

If you type 123456 in the password field of Figure (50) and press OK, you will see the BadBoy message as in Figure (51).

Figure (51)

Normally, when this message box appears, we would press F12 to pause Olly. The reason we do not use that method here is that our program is protected with a Delphi program. So we will simply look for the string "Password is incorrect." with Search.

Figure (52)

When you find "Password is incorrect.", set a breakpoint as shown in Figure (52).

Another breakpoint is needed at VA 0054C86E. Then reopen the program in Olly.

Figure (53)

After reopening the program in Olly, type abcdef when asked for the password; execution goes straight to the breakpoint, as in Figure (53). Now look at the register window. Figure (54).

Figure (54)

Before reaching our breakpoint at VA 0054C86E, CALL 005532AC was executed. After that CALL, the abcdef we typed was converted into RVV]PV and stored in EAX. The next thing is that a value is fetched from the program's data segment and placed in EDX. What is fetched is exactly the password we want. Look at Figure (54). What is in EDX is A\\LM]]. That is a bit suspicious.

The reason is that the password we set, rhythm, is only 6 characters, whereas this one is 7. So let's look in the dump window. Figure (55).

Figure (55)

A careful look at the dump window clears it up. What is actually stored is A\LM]]. The debugger added one extra backslash (\) to avoid confusion with escape sequences. What we have to do is get back the original password that A\LM]] was before it was encrypted; only then can we recover the password without patching. So set a breakpoint at VA 0054C860, where the routine that encrypts the password is, and restart the program. Run the program in Olly and type abcdef in the password dialog box, and you will see Figure (56).

Figure (56)

If you look at the register window, you will see Figure (57).

Figure (57)

abcdef is the password we typed, and 3459501211xSSSFDb is the hash value that will be used to encrypt the password. When we reach CALL 005532AC, press F7 to step into the CALL. Figure (58).

Figure (58)

Figure (58) is not of interest to us, so scroll down a little and look.

Figure (59)

[LOCAL.1] refers to abcdef. [LOCAL.2] refers to 3459501211xSSSFDb. Roughly, the program works like this -

1/ MOV EDX, [LOCAL.1]

Puts abcdef in EDX.

2/ MOV DL, BYTE PTR DS:[EDX+ESI-1]

At this point ESI is 1, so the first character of *EDX=EDX[0] is copied into DL. DL therefore contains a.

3/ MOV ECX, [LOCAL.2]

Puts 3459501211xSSSFDb in ECX.

4/ MOV CL, BYTE PTR DS:[ECX+EBX-1]

At this point EBX is 1, so the first character of *ECX=ECX[0] is copied into CL. CL therefore contains 3.

5/ XOR DL, CL; DL = DL ^ CL = a ^ 3 = R

XORs the a in DL with the 3 in CL. The result R is kept in DL.

6/ MOV BYTE PTR DS:[EAX+ESI-1], DL

Moves the R kept in DL to *EAX=EAX[0]. EAX therefore now holds Rbcdef. The value Rbcdef is stored at B858E0 in the data segment.

7/ INC EBX

EBX is increased by one so that the next characters in ECX can be read.

8/ INC ESI

ESI is increased by one so that the next characters in EDX can be read.

- It continues one character at a time like this.

XOR DL, CL; DL = DL ^ CL = b ^ 4 = V

XOR DL, CL; DL = DL ^ CL = c ^ 5 = V

XOR DL, CL; DL = DL ^ CL = d ^ 9 = ]

XOR DL, CL; DL = DL ^ CL = e ^ 5 = P

XOR DL, CL; DL = DL ^ CL = f ^ 0 = V

- After everything has been XORed, the result is stored in DWORD PTR SS:[EBP-4] = [LOCAL.1].

That is the encryption process. So let's write a program in C that decrypts the password.

    #include <stdio.h>    // Copyright © Myo Myint Htike, September 20 2009
    #include <conio.h>    // Compiler - Borland C++ 5.02
    #include <string.h>   // C Console Application

    int main()
    {
        int index = 0;
        char encrypted_password[30] = {0};
        char decrypted_password[30] = {0};
        char hash_value[21] = "3459501211xSSSFDb345";   // the fixed key seen in [LOCAL.2]

        scanf("%29s", encrypted_password);             // width limit: never overrun the buffer
        // XOR each stored byte with the matching key byte; the key is 20 bytes long
        while (index < strlen(encrypted_password) && index < 20) {
            decrypted_password[index] = encrypted_password[index] ^ hash_value[index];
            index++;
        }
        printf("Serial is = %s", &decrypted_password[0]);
        getch();
        return 0;
    }

Figure (60)

If you run the code of Figure (60) in the Borland C++ compiler, you will see Figure (61).

Figure (61)

When we type in the password we want to decrypt, the program gives back the original password.

If, in the password-protected file, you reach the breakpoint as in Figure (62) and do not see the encrypted passwords in the register window....

Figure (62)

Then look at Figure (63) to find where the password you typed is encrypted.

Figure (63)

If you click VA 0054C865 in Figure (63), Olly's information pane shows Stack SS:[0012F668] = 0118F48. Right-click there and choose Follow value in Dump, and you will see the encrypted password in the dump window. But this password is of no importance to us, so it can be ignored.

To find where the real password is encrypted, look at Figure (64).

Figure (64)

If you click VA 0054C868 in Figure (64), Olly's information pane shows DS:[005677BC] = 00FA7774. Right-click there and choose Follow value in Dump, and you will see the encrypted password in the dump window. The encrypted password is the one shown there. Recovering the password with the program we wrote in C shows Figure (65).

Figure (65)

EXE Password 2004 does not allow a password longer than 20 characters. That is why the password was set as Myanmar Cracking Tea. When typing in the encrypted password, the ^R (Device Control 2) and ^Y (End of Medium) characters it contains must be entered by pressing them together with the Ctrl key.

If the password you set consists only of digits, it will be hard to type in from the keyboard.

Figure (66)

To decrypt the encrypted password in Figure (66), the keygen we wrote earlier can no longer be used. The reason is that 0D is the same as the Return keystroke: after ^B^F^F (020606) has been typed, the moment ^M (0D) is typed the program assumes the password entry is complete and prints its answer. So we have to rewrite the program.

    #include <stdio.h>    // Copyright © Myo Myint Htike, September 20 2009
    #include <conio.h>    // Compiler - Borland C++ 5.02

    int main()
    {
        int index = 0;
        // the stored bytes are given directly, so untypeable values such as 0D cause no trouble
        int encrypted_password[7] = {2, 6, 6, 0xD, 0, 6, 6};
        char decrypted_password[30] = {0};
        char hash_value[21] = "3459501211xSSSFDb345";   // the fixed key seen in [LOCAL.2]

        while (index < 7) {
            decrypted_password[index] = encrypted_password[index] ^ hash_value[index];
            index++;
        }
        printf("Serial is = %s", &decrypted_password[0]);
        getch();
        return 0;
    }

Figure (67)

If you run the code of Figure (67), you will see Figure (68).

Figure (68)
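The XOR loop reconstructed above, as an added C example that is not the book's code: one routine applies the fixed-key XOR in both directions, since XOR with a fixed key is its own inverse, which is exactly why the stored bytes give the password away. It works on raw bytes with an explicit length, so it also covers the stored values that cannot be typed, the case the second program above had to deal with. The key is the one seen in [LOCAL.2]; the sample inputs are the ones from this section.

```c
/* Added example (not from the book): the MOV/XOR/MOV/INC loop of the
 * EXE Password 2004 routine as a C function, plus a dump-style printer. */
#include <stdio.h>
#include <string.h>

/* [LOCAL.2] in the trace: the fixed key every password is XORed against */
static const unsigned char KEY[] = "3459501211xSSSFDb345";
#define KEY_LEN 20            /* EXE Password 2004 limits passwords to 20 chars */

/* out[i] = in[i] ^ KEY[i] for i < n, the loop stepped through above.
 * Returns the number of bytes produced, or 0 if n exceeds the key length. */
size_t xor_transform(const unsigned char *in, size_t n, unsigned char *out)
{
    if (n > KEY_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)    /* ESI and EBX start at 1 and advance together */
        out[i] = in[i] ^ KEY[i];
    return n;
}

/* Render bytes the way a dump window would, escaping non-printable ones
 * (e.g. 0x0D, which the keyboard cannot deliver without ending the input). */
void format_bytes(const unsigned char *b, size_t n, char *dst, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n && used + 5 < cap; i++) {
        if (b[i] >= 0x20 && b[i] < 0x7F)
            dst[used++] = (char)b[i];
        else
            used += (size_t)snprintf(dst + used, cap - used, "\\x%02X", b[i]);
    }
    dst[used] = '\0';
}

int main(void)
{
    unsigned char stored[KEY_LEN], recovered[KEY_LEN + 1];
    char shown[128];

    /* the book's test input: "abcdef" becomes RVV]PV */
    size_t n = xor_transform((const unsigned char *)"abcdef", 6, stored);
    format_bytes(stored, n, shown, sizeof shown);
    printf("abcdef  -> %s\n", shown);

    /* the same transform on the stored bytes gives the password back */
    xor_transform(stored, n, recovered);
    recovered[n] = '\0';
    printf("back    -> %s\n", recovered);

    /* the digits-only case of the second program: stored bytes 02 06 06 0D 00 06 06 */
    const unsigned char digits_stored[7] = {2, 6, 6, 0x0D, 0, 6, 6};
    n = xor_transform(digits_stored, 7, recovered);
    recovered[n] = '\0';
    printf("digits  -> %s\n", recovered);
    return 0;
}
```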

Page 342: Cracker_Guide_2.1_

Chapter (22) - Studying Polymorphic Code - 342 -

Chapter (22) - Studying Polymorphic Code

This time we will study polymorphic code, something crackers must know about. The program we study this time is not packed or protected with anything. Since it is written purely in assembly, we will not check it with PEiD. The programmer who wrote this program (ReverseMe Tutorial.exe) is Lena151. The program can be downloaded from the SND Team's download section. Alright, let's study how the program behaves.

When you open the program, you see the nag as in Figure (1). Make a note of the text "You need to remove the nag. Try to do… ".

Figure (1)

Pressing the OK button in Figure (1) shows Figure (2).

Figure (2)

We are asked to patch the nag window using only two bytes; that is, we are asked to remove the nag window. Isn't that task too easy? ☺ ☺ ☺

To patch the program, let's open it in Olly and examine it. Figure (3).

Figure (3)

Then search for the text we noted, "You need to remove the nag. Try to do… ".

Figure (4)

As seen in Figure (4), the text we were looking for is found. Double-click it. Figure (5).

Figure (5)

What Figure (5) shows is a MessageBox using the text "You need to remove ..." stored at VA 00403134. This MessageBox is the nag window we have to remove. So let's set a breakpoint at this MessageBox and run the program (F9).

Figure (6)

When we press F9 to run the program, it does not stop at the breakpoint we set; instead we see the nag window of Figure (6).

That is quite strange. So where does this nag window come from? To find the real answer, let's reopen the program in Olly (Ctrl+F2). You will then see Figure (7).

Figure (7)

Look carefully at Figure (7). From VA 0040128A to VA 00401290 there is data instead of code. Press F8 and see what happens. Figure (8).

Figure (8)

When Olly reaches VA 0040128F, it asks whether to set a breakpoint, as in Figure (8). Choose the Yes button and keep pressing F8. Scroll up a little in Olly and you will see Figure (9).

Figure (9)

Figure (9) is strange too: no code is visible. So, to see the original mnemonics, remove Olly's analysis. Figure (10).

INFO: Olly is treating this code as data. (It will become clear shortly.)

Figure (10)

Choosing Remove analysis from module as in Figure (10) removes the analysis and shows Figure (11).

Figure (11)

It looks like incomplete junk code; Olly shows some of it as unknown command. Olly is leaving us confused. Alright, we will do the analysis ourselves only when it is needed, so turn off auto-analysis as follows. Figure (12).

Figure (12)

After turning off auto-analysis as in Figure (12), restart the program in Olly.

Figure (13)

Press Ctrl+F2 (Restart) to reopen the program and you will see the EP as in Figure (13). This time it makes a little more sense than with analysis on. I will explain why the program does not stop at the breakpoint set in Figure (13) when you press F9 to run it.

The answer is easy: that code is diversion code. It was put in to confuse and mislead novice crackers. In reality this code is useless and will never be called, which is why the breakpoints are never reached. Do not simply believe what you see.

INFO: There are many ways to break on a MessageBoxA. For example, set a breakpoint on MessageBoxA using the commandbar plug-in, then press F9 to reach the breakpoint. After that, press Alt+F9 to get back to user code. Figure (14). (Alternatively, you can trace the location of the MessageBoxA from the Call Stack (Ctrl+K).)

Figure (14)

Although we could locate the nag window as in Figure (14), here we will examine the code line by line. Look back at Figure (15).

Figure (15)

From the EP in Figure (15), press F8 and step through the code. Remove the breakpoints, since they are no longer needed. Let's look at the GetModuleHandle at VA 0040128A.

The GetModuleHandle function returns a module handle for the specified module if the file has been mapped into the address space of the calling process.

    HMODULE GetModuleHandle(
        LPCTSTR lpModuleName   // address of module name to return handle for
    );

Parameters

lpModuleName
Points to a null-terminated string that names a Win32 module (either a .DLL or .EXE file). If the filename extension is omitted, the default library extension .DLL is appended. The filename string can include a trailing point character (.) to indicate that the module name has no extension. The string does not have to specify a path. The name is compared (case independently) to the names of modules currently mapped into the address space of the calling process. If this parameter is NULL, GetModuleHandle returns a handle of the file used to create the calling process.

Return Values

If the function succeeds, the return value is a handle to the specified module. If the function fails, the return value is NULL. To get extended error information, call GetLastError.

The return value of this function is the imagebase value in EAX. Figure (16).

Figure (16)

MOV EDI, 00401011; // Puts VA 00401011 in EDI. That is, it is probably preparing to modify something. (See later.)

CALL 0040130F; // This is interesting. Press F7 and step into the CALL. Figure (17).

Figure (17)

As seen in Figure (17), the starting VA of the code section is put in EAX. If you look carefully, GetModuleHandle is also diversion code that distracts crackers.

Figure (18)

Next, the byte at EAX (the data-segment value "E2" at 401000) is XORed with 5A. EAX is increased by one. Then EAX is compared with jmp.&user32.BeginPaint. Figure (19).

Figure (19)

As seen in Figure (19), what EAX is compared with is 401218. Figure (20).

Figure (20)

If the comparison of the current EAX value (401001) with the EAX value obtained from jmp.&user32.BeginPaint (401218) finds it still smaller, execution goes to XOR BYTE PTR DS:[EAX], 5A; at VA 00401314 and XORs again. Choose the Assemble button in Figure (20).

Let's look a little at why EAX is compared with 401218. Figure (21).

Figure (21)

In fact, XORing the code-section opcodes from VA 00401000 to VA 00401218 with 5A is called decrypting, because they were encrypted beforehand.

INFO: Encryption/decryption is the process of making information unreadable to anyone without special knowledge. Although encryption is used in security matters, other techniques are still needed to check whether data is correct. Encryption, or software code obfuscation, is used to protect against crackers.

INFO: The XOR instruction is an encrypt/decrypt command which, basic as it is, is widely used, because it is easy to apply and easy to decrypt: XORing the final value with the same number gives the original value back. When the XOR instruction is used for encryption, it is usually called "encrypting XOR", or enxor.

To see how the program works using XOR, let's look at 401000 in Olly's dump window. Figure (22).

Figure (22)

After the loop has gone round about twice, you see Figure (22). What the dump window shows are the opcodes at the start of the code section. Keep pressing F8 and watch what is being decrypted. Figure (23).

Figure (23)

As seen in Figure (23), the decrypted code turns red. Set a breakpoint at the RETN in Figure (23) and press F9 (Run). You will see Figure (24).
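The enxor loop at VA 00401314, as an added C example that is neither the tutorial's nor Lena151's code: the same loop shape (XOR one byte with the key, advance, stop when the end address is reached) is run over a constructed buffer standing in for the code section, and a naive byte-pattern search is run before and after, which shows why a signature scan of the file on disk does not see what the decrypted section contains. The buffer contents and the pattern are constructed for the example; the key 5A is the one seen in the loop.

```c
/* Added example (not from the tutorial): the decryption loop of the
 * ReverseMe, emulated over a constructed buffer, plus a naive pattern
 * scan run on the bytes before and after the loop. */
#include <stdio.h>
#include <string.h>

/* Mirrors: XOR BYTE PTR DS:[EAX],key ; INC EAX ; CMP EAX,end ; JB loop.
 * Returns the number of bytes transformed. */
size_t enxor_region(unsigned char *start, const unsigned char *end, unsigned char key)
{
    unsigned char *p = start;
    while (p < end) {            /* the "still below 401218" test of the CMP/JB pair */
        *p ^= key;
        p++;
    }
    return (size_t)(p - start);
}

/* Naive byte-pattern search, the way a simple signature scanner matches.
 * Returns the offset of the first match, or -1 if there is none. */
long find_pattern(const unsigned char *hay, size_t hay_len,
                  const unsigned char *pat, size_t pat_len)
{
    if (pat_len == 0 || pat_len > hay_len)
        return -1;
    for (size_t i = 0; i + pat_len <= hay_len; i++)
        if (memcmp(hay + i, pat, pat_len) == 0)
            return (long)i;
    return -1;
}

/* Build a constructed "section on disk": plaintext bytes XORed with the key,
 * i.e. what the file holds before the stub runs. XOR is its own inverse,
 * so the same loop both encrypts and decrypts. */
size_t make_encrypted_section(const unsigned char *plain, size_t n,
                              unsigned char key, unsigned char *out)
{
    memcpy(out, plain, n);
    return enxor_region(out, out + n, key);
}

int main(void)
{
    /* constructed sample: PUSH 0 (6A 00) followed by the nag text, standing
     * in for the first bytes of the decrypted section */
    const unsigned char plain[] = "\x6A\x00You need to remove the nag.";
    const size_t n = sizeof plain - 1;
    const unsigned char key = 0x5A;                 /* the key at VA 00401314 */
    const unsigned char sig[] = "remove the nag";   /* constructed signature */
    unsigned char section[64];

    make_encrypted_section(plain, n, key, section);
    printf("on disk:   match at %ld\n", find_pattern(section, n, sig, sizeof sig - 1));

    enxor_region(section, section + n, key);        /* what the stub does at run time */
    printf("in memory: match at %ld\n", find_pattern(section, n, sig, sizeof sig - 1));
    return 0;
}
```

Only the short unencrypted loop itself is visible to a static scan, which is the point made later in this chapter about anti-virus software tracking the decryption stub.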

Figure (24)

Looking at Figure (24), you see that the code section (up to VA 401218) has been decrypted. Remove the breakpoint set at RETN and scroll up; you will see Figure (25).

Figure (25)

You will see that the unreadable junk code of Figure (11) has become readable mnemonics.

INFO: The reason the code turns red here is that we assembled an instruction in Figure (20). Olly therefore thinks the code has been modified and colors the changing code red. Normally, even when code is changing, Olly shows the changed code only in black. Please be aware of this. If you want modified code shown in a color of your choice, you can change it as in Figure (26).

Figure (26)

INFO: The code section is normally not writable. If you want to write to the code section, you can change the code section's characteristics with a PE tool (LordPE, WPE, PE Tools, and so on).

This time let's study another interesting CALL.

Figure (27)

To study the CALL in Figure (27), press F7 (Step into). You will see Figure (28).

Figure (28)

What Figure (28) shows is the state after the decrypt function has run. The program is now actually reading the decrypted code and trying to show the nag window. If you look at the code carefully, you will find many MOV instructions, and you will see that they involve the EDI register. That is why I said earlier that putting VA 401011 in EDI was preparation for doing something. Here we will study self-modifying code.

INFO: Self-modifying code is code that modifies itself for some purpose. In the early days of computing, such code was used to save scarce memory. It was also used to implement subroutine calls and returns when instruction sets could only do simple branching, or to skip instructions in order to alter behavior.

INFO: Self-modifying code was used in DOS games of the 1980s to hide copy-protection instructions. So INT 13, the instru­ction that reads the floppy drive, could not be found in the exe file, but it was present in the in-memory image while the program ran. Today, self-modifying code is used simply to hide its presence; examples are computer viruses and some shellcode. Viruses and shellcode use self-modifying code, usually combined with polymorphic code. Polymorphic viruses are sometimes called primitive self-mutators: they modify part of the running code and carry out attacks that cause buffer overflows in the OS.

For the reasons above, crackers need to know clearly how to handle this kind of obfuscation. Let's press F8 and see what happens next. Look back at Figure (28).

XOR EAX,EAX; // Clears EAX to zero.

MOV WORD PTR DS:[EDI],6A; // Replaces the 33C0 at 401011 with 6A00.

Figure (29)

So you will see that XOR EAX, EAX; (33C0) at VA 00401011 has become PUSH 0; (6A00).

ADD EDI,2; // Adds 2 to EDI. (0x401013)

MOV WORD PTR DS:[EDI],40307D68; // Puts the value 40307D68 at VA 0x401013. Figure (30).

Figure (30)

So you will see that at VA 00401013, MOV WORD PTR DS:[EDI],40307D68; has produced PUSH 0040307D;.

Figure (31)

If you press F8 until you reach VA 00401052 shown in Figure (31), you will see that VA 00401011 through VA 0040104B have changed as in Figure (32).

Figure (32)

You can see that the CALL EDI in Figure (31) actually points at CALL 00401000. Figure (33).

Figure (33)

Judging from Figure (33), the self-modifying code just created is about to run. So analyze the code using the Analyze This! plugin. Figure (34).

Figure (34)

Looking at Figure (34), you can see that the self-modifying code has built a MessageBox.

But we do not know what the Title and Text say. So let's press F7 and step into the CALL. Figure (35).

Figure (35)

In Figure (35) we find another enxor. I think you will understand this one. The value 00403000 is put in EAX. At this point, what the data segment holds at 403000 is the value E1. Figure (36).

Figure (36)

The value E1 is XORed with B3. Then EAX (403000) is increased by 1. It checks whether EAX has reached 403128; while EAX is still below 403128, the loop continues. So now we need to look at the dump window. Figure (37).

Figure (37)

Stepping through the code with F8, you will see the XORed bytes as in Figure (37). Keep pressing F8 until you leave the loop and you will see Figure (38).

Figure (38)

Looking at Figure (38), you see that the data needed for MessageBoxA is decrypted and the MessageBoxA API is called right away.

Figure (39)

If you press F8 until VA 0040101F, you will see the nag window we have to remove, as in Figure (39). Let's study the MessageBoxA API a little. Since this API was studied earlier, here we will look only at the important argument.

    int MessageBox(
        HWND hWnd,           // handle of owner window
        LPCTSTR lpText,      // address of text in message box
        LPCTSTR lpCaption,   // address of title of message box
        UINT uType           // style of message box
    );

Parameters

hWnd
Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.

If we were to make hWnd 1, the owner would not be found and the message box could not be shown either. So if we change the PUSH 0; at VA 40101D to PUSH 1;, the nag window is as good as removed. (That is, just create a loader file and patch this spot.)

But the program's author, Lena151, asked us to patch this nag using only 2 bytes.

Figure (40)

Look at Figure (40). After the nag window has been handled, the program jumps to VA 40106A. What if we could jump to VA 40106A before the nag window ...☺☺☺

That is, instead of letting the program execute the PUSH 0 at VA 401011, what happens if we change it as in Figure (41)?

Figure (41)

So make a note of EB 57, the opcode (self-modifying code) that jumps to VA 40106A.

INFO: There are in fact other possible ways of removing the nag as well. Example – using the byte at VA 401010.

Continue on to VA 40106A. You will find more self-modifying code. Figure (42).

Figure (42)

Page 353: Cracker_Guide_2.1_

tcef;(22) - Polymorphic uk'frsm;udk avhvmjcif; - 353 -

VA 401075 xd F8 ESdyfjyD; assemble vkyfcsdefrSmawmh yHk(41)wkef;u uRefawmfwdkUajymif;cJhwJh JMP

ae&mrSm yHk(43)twdkif; uk'fawGajymif;aewmjrif&ygw,f/

yHk(43)

aemufxyfbmawGjzpfao;vJqdkwm qufMunfhMuygr,f/ yHk(44)/

yHk(44)

CALL EDI uawmh self-modifying code &JU tqHk;jzpfygw,f/ jyKjyifxm;wJhuk'fudk csufcsif; execute vkyfMunfhEdkifatmifvdkU CALL EDI xJudk F7 ESdyfjyD;0ifMunfhMu&atmif/ yHk(45)/

yHk(45)

Olly u topfajymif;vJxm;wJh uk'fawGudk analyze vkyfxm;yHkr&ygbl;/ ? awGjyaeygw,f/ 'gaMumifh t&if analyze vkyfvdkufyg/ yHk(46)/

yHk(46)

yHk(46)udkMunfhvdkuf&if self-modifying code [m yifry&dk*&rftwGuf jyifqifjyD;yHk&ygw,f/ bmawG jzpfrvJodEdkifatmifvdkU F8 udkESdyfjyD; ppfMunfhyg/

yHk(47)

Page 354: Cracker_Guide_2.1_

tcef;(22) - Polymorphic uk'frsm;udk avhvmjcif; - 354 -

INFO: : Self-modifying code &JU 'kwd,tpdwftydkif;uawmh uRefawmfwdkUudk bmrStcufrawGUapygbl;/ 'DtcsdefrSmawmh uRefawmfwdkU[m nag udk ausmfvTm;vmcJhjyD;ygjyD/

Main window udkydwfvdkuf&ifawmh yHk(48)twdkif; jrif&ygr,f/

yHk(48)

yHk(48)u CALL 401320; rSmawmh pdwf0ifpm;p&maumif;wmawG awGUEdkifr,fvdkUxifygw,f/ F7 udk ESdyfjyD; CALL xJ0ifMunfhvdkufyg/ yHk(49)/

yHk(49)

yHk(49)rSmjrif&wJhuk'fawGuawmh y&dk*&rfeJUtwlygvmwJh rlvuk'fawGjzpfygw,f/ 'Dvdkuk'fawGudk oifh taeeJUjrifzl;rSmyg/ 'DwpfcgrSmawmh 8D eJU XOR vkyfygw,f/ XOR vkyfr,fhae&muawmh VA 403000 &JU opcode awG&Sd&mae&muaeprSmyg/ yHk(50)/

yHk(50)

VA 403000 uae VA 403128 xd XOR vkyfjyD;csdefrSmawmh yHk(50)[m yHk(51)twdkif; jzpfoGm;ygr,f/

yHk(51)

yHk(51)rSmjrif&wJhtwdkif; 'Dy&dk*&rfudka&;om;wJh y&dk*&rfrmu uRefawmfwdkUudk tcufawGUatmifvkyfwm yg/ ajc&mcH&r,fh oufaoawGtm;vHk;udk olr(Lena151)u zsufqD;vdkufygw,f/

rSwfcsuf/ / wu,fawmh 'Dy&kd*&rfu oifhudk tajccHtawG;tac:&&HktwGuf jyowmjzpfygw,f/ vufawGYrSm awmh 'DxufydkjyD; &IyfaxG;wJhy&dk*&rfawGeJU oifMuHKawGU&rSmjzpfygw,f/ uk'fawGrsm;jym;vSwJh MuD;rm;wJhy&dk*&rf awGxJrSm &dk;&Sif;vSwJh enxor awGtpm; wu,fhudk&IyfaxG;vSwJh decryption routine awGudkom awGU&rSmyg/ 'D routine awGxJrSm ydkjyD;&IyfaxG;vSwJh polymorphic uk'fawG&SdaerSmyg/

INFO: : Polymorphic uk'fqdkwmuawmh rlv algorithm udk yuwdtwdkif;&SdaeapatmifvkyfaepOftwGif; toGifajymif;vJoGm;wJh uk'fudkajymwmjzpfygw,f/ 'Denf;ynmudk wcgw&HrSm uGefysLwmAdkif;&yfpfawG? shell uk'fawGeJU uGefysLwm worm awGu olwdkU&Sdaewmudk zHk;uG,fEdkifzdkUtwGuf toHk;jyKMuwmjzpfygw,f/ Anti-virus aqmhzf0JvfeJU vHkjcHKa&;pepf awmfawmfrsm;rsm;uawmh uGefysLwmuGef,ufwpfavQmuf ydkYvTwfvdkufwJh data packet awGeJU uGefysLwmzdkifawGxJuae malicious uk'fawGudk &SmzdkUMudK;pm;Muygw,f/ wu,fvdkUom

Page 355: Cracker_Guide_2.1_

tcef;(22) - Polymorphic uk'frsm;udk avhvmjcif; - 355 -

vHkjcHKa&;aqmhzf0JvfawGu olwdkUawGxJrSm Adkif;&yfpf^worm awGeJUywfoufwJh odxm;jyD;om; signature awGudk&SmawGUcJhr,fqdk&if 'D threat awGudk tjyD;wdkif neutralize vkyfzdkUMudK;pm;rSmjzpfygw,f/ Polymorphic algorithm awGuawmh rawmfra&mfuk'fawGudk &SmazGwJh 'Dvdkaqmhzf0JvfawGudk tcufawGUapygw,f/ bm aMumifhvJqdkawmh olU&JUuk'fawG[m tqufrjywfajymif;vJaevdkUyg/

INFO: : Encryption uawmh polymorphism udk uk'ftoGifeJY &&SdapEdkifzdkU trsm;qHk;toHk;jyKwJhenf; vrf;jzpfygw,f/ bmyJjzpfjzpf uk'ftm;vHk;udkawmh encrypt vkyfypfvdkUr&ygbl;/ bmaMumifhvJqdkawmh uk'f tm;vHk;udk encrypt vkyfvdkuf&if toHk;jyKvdkU&awmhrSm r[kwfvdkUyg/ y&dk*&rf&JU tydkif;i,fwpfckudkawmh encrypt rvkyfbJxm;&rSmjzpfjyD; encrypt vkyfxm;wJhaqmhzf0Jvf&Sd&mqD jump vkyfjyD; y&dk*&rfudk pwifap&rSm jzpfygw,f/ Anti-virus aqmhzf0JvfawGuawmh encrypt rvkyfxm;wJh 'Duk'ftydkif;tpudkyJ ajc&mcHMuwm jzpfygw,f/ Malicious y&dk*&rfrmawGuawmh 'DAsL[mawGuae tawGUtMuHK,ljyD; Adkif;&yfpfawG^worm awG yGm;rsm;ysHUESHUcsdefrSm encrypt rvkyfxm;wJh decryption engine &Sd&muk'fudk jyefxyfjyifa&;MujyD; olwdkU&JU polymorphic uk'fawGudkumuG,fzdkU MudK;pm;Muwmjzpfygw,f/ Anti-virus aqmhzf0JvfawGu decryption engine toGif ajymif;vJaepOftwGif; ikyfvQdK;aewJhuk'fawGudk &SmazGawGY&SdEdkifzdkUtwGuf &IyfaxG;vSwJh uk'fcGJjcrf; pdwfjzmrIawGjyKvkyfEdkifr,fqdk&if 'Dvdk malware awGudk pHkprf;axmufvSrf;EdkifzdkU arQmfvifh&ygw,f/

INFO: : Metamorphic uk'fqdkwmuawmh oludk,fwdkifjyefjyD; y&dk*&rfjyefa&;EdkifwJhuk'fudk ajymwmjzpfygw,f/ rMumcPqdkovdkyJ olU&JUudk,fydkifuk'fudk ,m,DyHkpHwpfcktjzpf ajymif;vJay;vdkufjyD;rS yHkrSefuk'fudk jyefjzpfap wmyg/ 'Denf;udkawmh tcsdKUAdkif;&yfpfawGu zdkiftopfawGudk ul;pufapwJhtcgrSm toHk;jyKygw,f/ &v'fuawmh olwdkU&JU children (Adkif;&yfpfxdxm;aomy&dk*&rfrsm;)awG[m b,fawmhrS olwdkUeJUwlawmhrSm r[kwfygbl;/ uGefysLwmAdkif;&yfpfawGu 'Denf;udk toHk;jyK&wJhtaMumif;&if;uawmh anti-virus aqmhzf0JvfawGu signature awGudkrSwfrdjcif;rS a&Smif&Sm;EdkifzdkUjzpfygw,f/ wu,fh algorithm uawmhrajymif;vJbl;vdkU qdkEdkifayr,fhvJ t&m&mwdkif;uawmh jzpfEdkifygw,f/ Metamorphic uk'fuawmh polymorphic uk'fxuf ydkjyD;tpGrf;xufyg w,f/ bmaMumifhvJqdkawmh anti-virus aqmhzf0Jvfawmfawmfrsm;rsm;u uk'fawG execute vkyfcsdefrSm odxm; jyD;om; Adkif;&yfpfuk'fawGudk &SmazGzdkU MudK;pm;MuvdkUyg/ Metamorphic uk'fawG[m rwlnDwJh OS ESpfckMum; (Oyrm – Windows ESifh Linux) (odkU) 'DxufydkjyD; (odkU) rwlnDwJh uGefysLwmwnfaqmufrI(y&dkqufqm) awG &Sd&ifawmifrS exe zdkifawGudk ul;pufapjyD; tvkyfvkyfapEdkifygw,f/ rMumcPqdkovdkyJ Adkif;&yfpfawG[m ol udk,fwdkif ajrmufrsm;pGmaom Adkif;&yfpfawGudko,faqmifjyD; plygAdkif;&yfpftoGifeJU twlwuGvma&muf aygif;pyf Muygw,f/

INFO: : Alphanumeric uk'fuawmh pmvHk;awG? *Pef;awGaygif;pyfxm;wJhtwGJ('gaMumifh 'DvdktrnfwGif& wmyg)wpfckjzpfjyD; olwdkUudk uGefysLwmuom process vkyfEkdifwJh em;rvnfEdkifwJhyHkpHwpfcktoGifeJU a&;xm;Mu wmyg/ erlem alphanumeric uk'fwpfckuawmh ASCII jzpfygw,f/ 'DxufydkjyD;ajym&&ifawmh alphanumeric uk'fqdkwm machine uk'fjzpfjyD; olwdkUudk vHk;0zwfvdkU&wJh ASCII pmvHk;tjzpf assemble vkyfjyD;a&;xm;Mu wmyg/ Oyrm – "a" – "z", "A" – "Z", "1" – "9", "#", "!", "@" ponf ... / Alphanumeric uk'fawGudk a&;wJhtcgrSmawmh 'Duk'fudktvkyfvkyfapr,fh owfrSwfxm;wJh uGefysLwmzGJUpnf;wnfaqmufrIyHkpHeJUywfoufwJh machine uk'f&JU encoding pepfudk aumif;aumif;em;vnfxm;zdkUvdkygw,f/ 'Duk'fudkawmh web form wdkUvkd application awGudk t&l;vkyfzdkU&nf&GnfcsufeJU toHk;jyKMuwmjzpfygw,f/ 'Duk'fawGudk vufcHjcif;tm;jzifh exploit jzpfaprSmjzpfygw,f/ 'D exploit jzpfapwmuyJ buffer overflow jyóemudk MuHKawGUaprSmjzpfygw,f/ wcgw&HrSmawmh alphanumeric uk'fudk y&dk*&rfrmwpfa,mufu b,f compiler (odkU) assembler rSr&SdbJ y&dk*&rfwpfyk'fudka&;zdkU vdktyfvmwJhtcgrSm toHk;jyKMuygw,f/ Alphanumeric y&dk*&rfwpfyk'fudk a&;zdkUvdktyfwmuawmh text editor wpfckyg/

INFO: Shellcode is a small piece of machine code that takes advantage of a software bug and is used as the payload. It exploits a weakness in software running on the machine and lets users who have no authorisation connect to the computer through the OS's command line. It is normally stored as a null-terminated (\0) string, so it cannot contain null characters. Shellcode can be used as an exploit payload to gain command-line access to a system with the privileges of the exploited process. To evade detection by anti-intrusion systems, and so that more than a single plain string can be stored, programmers very often use self-decrypting code, polymorphic code or alphanumeric code. Shellcode can be kept in a process's free memory; after taking control of the program's flow by exploiting weaknesses such as stack- and heap-based buffer overflows or format string attacks, attackers make this code run. There are many ways to take control of a program's flow, and they differ depending on the OS and the processor architecture. Some of these are overwriting the return address in the stack frame, overwriting exception handlers, and the Windows-based shatter attack.

Page 356: Cracker_Guide_2.1_

Chapter (22) - Studying polymorphic code - 356 -

INFO: Machine code, or machine language, is a system of instructions and data that a computer's CPU can understand directly. The "words" of a machine language are called instructions, and each of them makes the CPU perform one very simple operation. Instructions are made up of bits, and different commands have different bit patterns. Every CPU model has its own machine code or instruction set, and they may or may not coincide. If CPU A understands all of CPU B's language, CPU A is said to be compatible with CPU B. If CPU B does not understand some of CPU A's code, CPU B is not compatible with CPU A. Some machine languages are found to keep all their instructions at the same number of bits. How the patterns are organised depends heavily on the machine-code specification. Most split an instruction into fields. Normally, the value of one field (the opcode) specifies an exact operation (e.g. add). The other fields give the operand type, its location, or its value directly. (Operands contained within the instruction itself are called immediates.) Unusually, a few instruction sets have no opcode field and contain only operands. In other instruction sets an operand may be missing entirely (e.g. NOSC).

OK, look back at Figure (49). This code re-encrypts part of the data section. If you press F8 from this encryption routine, you will see Figure (52).

Figure (52)

What we see in Figure (52) is another CALL. Let's press F7 and step into the CALL. Figure (53).

Figure (53)

I don't think Figure (53) needs any explanation. ☺☺☺ To summarise: this little program first shows us diversionary code. Then it decrypts the code section. It runs some self-modifying code to build the nag. It decrypts the data section needed for the nag. Then it runs the nag and runs some more self-modifying code to build the main program. Then it runs the program and, before exiting once the program's work is done, it destroys the data section by re-encrypting it with another enxor.

Let's wrap this up here and patch out the nag. Reopen the program in Olly (Ctrl+F2). Figure (54).

Figure (54)

Since the PUSH 0; is built at VA 401016 and VA 401017, we will patch this spot to JMP 40106A;. But remember that at this point these bytes are still encrypted. First, let's see what is at VA 401016 and VA 401017. Scroll up a little. Figure (55).


Figure (55)

What must be changed is the 305A seen in Figure (55). This can be solved with a simple enxor. Remember that the code-section decryption XORs with 5A? Open Crackers' Tools. Figure (56).

Figure (56)

INFO:

XOR A, B; // C

XOR A, C; // B

XOR B, C; // A

So, for JMP 40106A (EB57), we XOR EB first. Figure (57).

Figure (57)

B1 is the byte that must sit at VA 401016. Now XOR 57. Figure (58).

Figure (58)

0D is the byte that must sit at VA 401017.

Because the bytes will be decrypted at run time, we do not assemble EB57 at 305A in Figure (55); instead, 305A must be changed to B10D. Right-click at VA 401016 and choose Binary edit. Figure (59).

Figure (59)


If you edit as in Figure (59), you will see Figure (60).

Figure (60)

Save the edited file as Patch.exe and open Patch.exe in Olly. Figure (61).

Figure (61)

The CALL 40130F at VA 401299 in Figure (61) calls the decryption routine. Let's first look at the encrypted code. Figure (62).

Figure (62)

In Figure (62) we can see the code we patched. Press F8 and let's see what happens here next. Figure (63).

Figure (63)

After VA 401299 from Figure (61) has executed, what we see is as shown in Figure (63). The self-modifying code is about to write the value 57EB to VA 401016/401017. We have now executed the decryption call. Once the decryption call (VA 401299) has run, press F7 to step into call 401011 (VA 40129E), which calls this code.

Figure (64)

As Figure (63) shows, once VA 401013 has executed, JMP 40106A; appears at VA 401011. I don't think the rest needs explaining. After the program has decrypted the code needed for the nag, it will arrive at VA 401011 again.

This time it jumps to VA 40106A and skips the nag window.

INFO: I also mentioned a fix that needs only 1 byte: changing the MessageBox's PUSH 0; to PUSH 1;. If you want to try that, you have to assemble 5B in place of the 5A at VA 401039. Either way, this method is the best and easiest fix. ☺☺☺


Chapter (23) - Removing the online check of the registration number

"Some programs have started using the latest techniques to make sure the registration number is used legitimately. When you type in the registration number, the program sends it over the internet to be checked. The server tests whether that code is correct and sends a reply. The program then checks whether it has been properly registered." (from the "Software Protection" chapter)

This time we will try cracking programs that check the registration online. Most such programs are internet-related software, which is why they can only be used with an internet connection. The software chosen for cracking is Download Accelerator PLUS (DAP). DAP downloads files from the internet at high speed and is one of the best and fastest download programs. (FlashGet, another download accelerator, has the advantage of being able to resume downloads of files whose links change frequently.) Download DAP from www.speedbit.com and install it. The current version may vary, but the one I will demonstrate cracking on is Version 8.0.4.1. Whatever the version, the principle is the same.

Before cracking, we need to check what this program was written with. Figure (1).

Figure (1)

This program is protected with SVK Protector. Normally I would not be obliged to show how to unpack a packed program, because unpacking was already discussed in the "Packers (Protectors)" chapter. In this chapter, however, I will explain at the same time how to unpack a file packed with SVKP. The author of SVKP is Pavol Cerven; we meet this name once again. Because no unpackers for SVKP can be found, and because some SVKP unpacking tutorials do not work, I was worried you would have trouble unpacking it, so I explain the unpacking as well. (Quick Unpack 2.1, written by AHTeam, can unpack a great many packers but has some problems with SVKP-protected files.) SVKP uses 4 different methods to protect a file: (1) use of the RSA algorithm, (2) redirection tricks on API functions, (3) built-in anti-debug tricks, and (4) protection against dumping from memory and against tracers.

(1) Unpacking a file protected with SVKP

To make this lesson easier to understand, I will split it into the following 5 parts:

(1.1) Finding the OEP

(1.2) Finding the stolen bytes

(1.3) Dumping the file

(1.4) Fixing the IAT

(1.5) Fixing the file


(1.1) Finding the OEP

We have to find the OEP because of the stolen code: we have to break near the OEP (not at the OEP itself), at the first instruction of the original code section that was not stolen. OK, before opening DAP.exe in Olly, start Olly on its own. Then press Alt+O and select the SFX tab of the Debugging options. Figure (2).

Figure (2)

As in Figure (2), select the Trace real entry blockwise radio button. Also tick the Pass exceptions to SFX extractor checkbox. I won't explain why these are chosen, because Olly's Help file explains it in detail:

Trace real entry blockwise (inaccurate)

OllyDbg uses 4-K blocks to step through the packed code. This method may cause detection of false real entry.

Pass exceptions to SFX extractor

This option tells OllyDbg to pass some kinds of software exceptions that occur while tracing for real SFX entry (memory access violation, INT3 breakpoint, division by 0, privileged or illegal instruction) directly to self-extractor.

OK, let's open DAP.exe in Olly. Figure (3).

Figure (3)

As Figure (3) shows, Olly stops at VA 0053F432. We are now at the first instruction of the code section after the stolen bytes. To see how we know that, scroll up a little above VA 0053F432. Figure (4).

Figure (4)


In fact, there should be code where we see the NOP instructions in Figure (4). OK, write down VA 0053F432 from Figure (3) on a blank sheet of paper. Then, back in Figure (2), select Stop at entry of self-extractor instead of the Trace real entry blockwise radio button.

(1.2) Finding the stolen bytes

This is the hardest and longest part of unpacking. Don't be afraid; it is not as complicated as you think. First press Ctrl+F2 to restart the program. You will be asked as in Figure (5).

Figure (5)

Choose the No button in Figure (5). When you reach the entry point, press Alt+O and set up the Exceptions tab as in Figure (6).

Figure (6)

In Figure (6) I unticked Memory access violation and Ignore also following …. When that is done, go back to the entry point as in Figure (7).

Figure (7)

In Figure (7), press F7 once and go to VA 00731001, where the CALL is. Once you are at the CALL, look at the Registers window. Figure (8).

Figure (8)

Looking at Figure (8), you'll see the ESP register shown in red, because the value of ESP has changed. Right-click there and choose Follow in Dump. You will see Figure (9).


Figure (9)

At 38 07 91 70 in Figure (9), right-click and choose Breakpoint > Hardware, on access > Dword. Then press F9 (Run).

Figure (10)

When you see the exception as in Figure (10), press Shift+F9. Press Shift+F9 every time an exception error comes up. You will see Figure (11). Depending on the SVKP version, the number of Shift+F9 presses will be 4 or more.

Figure (11)

When you see Figure (11), press Alt+M to bring up the memory map window. Figure (12).

Figure (12)

Right-click the highlighted area in Figure (12) and choose Set memory breakpoint on access. Then press Shift+F9. You will see Figure (13).

Figure (13)


Figure (13) is SVKP's decompression code. Now press Alt+M and right-click on the PE header, then choose Remove memory breakpoint. Once the memory breakpoint is removed, press Shift+F9. It will stop at the next PUSHAD instruction. Figure (14).

Figure (14)

When you see Figure (14), we set things up to go to the OEP (VA 0053F432) I had you note on paper earlier. Press Ctrl+G and type in the OEP value. Figure (15).

Figure (15)

Click OK in Figure (15) and you will see Figure (16).

Figure (16)

Set an ordinary breakpoint at VA 0053F432 and you will see Figure (16). OK, since we no longer need the hardware breakpoints now, choose Hardware breakpoints from the Debug menu and delete them. Then choose Ctrl+F11 (Trace into) so we can trace. We reach the OEP, where we set the ordinary breakpoint, within two seconds. After that we need to look back over the places we traced through in order to find the stolen bytes. From Olly's View menu choose Run trace. Figure (17).

Figure (17)

Figure (17) shows Olly's trace from PUSHAD up to CALL 0042B5E4. The highlighted area is the stolen bytes we were looking for.

INFO: Stolen bytes are bytes taken from the original exe file, deleted from the original exe, and placed inside the packer's code. After memory is dumped at the OEP, these bytes are no longer in the dumped exe (not even where you would expect them to be). That is why such programs crash. In other words, it is a protection against cracking the program. While the program is packed it does not crash, because the stolen bytes are run inside the protector before the OEP is reached.

(1.3) Dumping the file

Now that we have found the OEP, we dump the process (the DAP.exe running in Task Manager). Right-click in Olly and choose Make dump of process. You will see Figure (18).

Figure (18)

Click the Get MAP button in Figure (18). Figure (19).

Figure (19)

Remember where our stolen bytes were back in Figure (17)? If you scroll until you get near that area, you will see Figure (19). Select 00E60000 and click the Add button. You will see Figure (20).

Figure (20)


In the Name field of Figure (20), type any name you like and click the Apply button. You will see Figure (21).

Figure (21)

Next, select 00E90000 in Figure (19) and click the Add button.

Figure (22)

Again, type a name of your choice in the Name field of Figure (22) and click Apply. Then click the Close button in Figure (19). You will see Figure (23).

Figure (23)


Set things to match the areas marked in red in Figure (23). Then click the Dump button and save the file under the name dumped.exe. That completes the dump.

(1.4) Fixing the IAT (Import Address Table)

Now we fix the IAT.

Figure (24)

As in Figure (24), type 0013F432 in the OEP field and click the AutoSearch button. A "Found something!" message box appears. Now click the Get Import button and look at the imported functions. According to Figure (24), a great many functions are imported incorrectly. Click the Show Invalid button to see the details.

Figure (25)

Then, as in Figure (25), right-click on the invalid addresses and choose Trace Level1 (Disasm). You will see Figure (26).

Figure (26)


Now we fix the dumped.exe file. Click the Fix Dump button in Figure (24), then select dumped.exe. You will see Figure (27).

Figure (27)

Once Figure (27) appears, ImpREC automatically saves the file with the fixed IAT under the name dumped_.exe.

(1.5) Fixing the file

Let's run dumped_.exe to see whether it works. Figure (28).

Figure (28)

We are out of luck. Windows says our file is not a PE file. Let's try fixing the OEP. Open dumped_.exe in PE Editor 1.7 and change the OEP to A805B3. Figure (29).

Figure (29)

A warning here: do not fix the OEP with LordPE. Programs fixed with LordPE are full of errors. (The reason for entering A805B3 as the OEP is that the virtual address of our stolen bytes in Figure (17) is the true OEP [E805B3-400000 = A805B3h].) Save the file once it is fixed. However, when you run the file, it still shows Figure (28).

Figure (30)

In fact, dumped_.exe has a PE header problem. So fix the PE header in CFF Explorer and save the file. With that there are no more problems, and the SVKP-protected DAP.exe file has been successfully unpacked.


(2) Removing the online check of the registration number

Checking our unpacked dump_.exe with PEiD shows Figure (31).

Figure (31)

I think it is clear to you now why I had to add the new sections: the OEP lies inside a newly added section. Since dump_.exe was certainly written with Visual C++ 6.0, let's look closely at how the program works. Run dump_.exe normally. Figure (32).

Figure (32)

If you looked at Figure (32) on a computer with an internet connection, you would see advertisements. Let's look at About in the Help menu. Figure (33).

Figure (33)


Figure (33) shows that the software is not registered and that we should buy it.

Figure (34)

Selecting the Help menu shows Figure (34). Click the Enter Registration Info… button and let's try to register. Figure (35).

Figure (35)

Click OK in Figure (35) and you will see Figure (36).

Figure (36)

This appears because my computer is not connected to the internet. I think we now have more than enough information to crack it. So let's open dump_.exe in Olly and examine it. Figure (37).

Figure (37)


Figure (37) shows the OEP. Looking at DB 2A, DB 84, DB 3F, DB AD and so on, you'll understand that these are code. (In VB these would be p-code.) Press F9 and run the program.

Figure (38)

Skip the exception in Figure (38) with Shift+F9. You will hit one more exception.

Figure (39)

Skip this exception too with Shift+F9. The dump_.exe program should now be running in Olly. Now let's try to register. Figure (40).

Figure (40)

Click OK in Figure (40) and you will see Figure (41).

Figure (41)

You have seen the MessageBox in Figure (41) before. To find out where this MessageBox is called from, pause execution in Olly (F12).

Figure (42)

After pausing, you see Figure (42). Now select it and look at the Call Stack (Ctrl+K).

Figure (43)


As Figure (43) shows, this MessageBox is called from mfc42.#4224. So let's look at where this CALL is. Figure (44).

Figure (44)

In Figure (44), before the BadBoy is called, we see conditional jumps (JE, JNZ). Now let's use the Resource Hacker software to look at some of the BadBoy messages. Recall that I once said that for a MessageBox to appear, the strings it will display must first be pushed onto the stack. So let's look at some BadBoy messages.

PUSH 0F2BF = 62143, "Your registration could not be completed due to unknown result from the activation server. \n\n Please try again in a few minutes, or email [email protected] for more help.\n"

PUSH 0F2C0 = 62144, "Your registration could not be completed due to submission of incorrect request to the Activation Server \n\nPlease re-check the details you have entered or contact [email protected] \n"

PUSH 0F2BE = 62142, "Your registration could not be completed due to lack of Internet connection with SpeedBit activation server.\n\nPlease try again in a few minutes, or email [email protected] for more help.\n"

PUSH 0F2BD = 62141, "Your registration could not be completed due to lack of Internet connection.\n\nPlease make sure you are connected to the Internet.\n"

Not one of these messages is good news. That is why the MessageBoxA in Figure (45) gets executed.

Figure (45)

OK. Let's go back to the program's OEP. Figure (46).

Figure (46)

Select the JMP in Figure (46) and press the Enter key to see Figure (47).

Figure (47)

Select the JMP in Figure (47) and press the Enter key to see Figure (48).

Figure (48)


So far we have not found any meaningful code. It is certain that this is diversion code put there to distract crackers. When we were registering a moment ago, the addresses we reached were in the 4xx,xxx range. The addresses we are looking at now are in the 4,xxx,xxx range. That is why searching for strings with Search for shows Figure (49).

Figure (49)

So let's go to the 4xx,xxx range to search for strings. Press Ctrl+G and type 401000. Then choose Search for > All referenced text strings and you will see Figure (50).

Figure (50)

That is quite good enough for us. Now let's search for the text DAP Unregistered that we saw in Help > About. Figure (51). (Look back at Figure (33).)

Figure (51)

Clicking OK in Figure (51) and searching, we do not find the text we want. Let's search for these strings with Resource Hacker instead.

Figure (52)

I think you understand now why the string "DAP Unregistered" could not be found. These strings are not written in the code section or data section; they are stored in the resource section, and are pushed onto the stack and used only when needed.

10003 = 2713 = DAP Premium

10008 = 2718 = DAP Unregistered

So let's search the code section for PUSH 2718 instead. Right-click in the Disassembler window and choose Search for > Command. Figure (53).


Figure (53)

Click the Find button in Figure (53) and the search gives Figure (54).

Figure (54)

The reason Help > About shows "DAP Unregistered"  is that the JNZ does not jump. Whether the jump is taken is decided by the CMP DWORD PTR DS:[5DCEA0], EBX at VA 004DAF53. So let's set a breakpoint at 5DCEA0 in the dump window and watch what happens next.

Figure (55)

So right-click at 5DCEA0 and choose Breakpoint > Hardware, on access > Byte. Then press F9 and run the program.

Figure (56)

As Figure (56) shows, after MOV DWORD PTR DS:[ESI+F8], EDI executes, it stops at the breakpoint we set. Press F9 again.

Figure (57)


As Figure (57) shows, after MOV DWORD PTR SS:[EBP-277C], EAX executes, it stops at the hardware breakpoint again. Take note here: if the byte value at 5DCEA0 equals zero, the polymorphic code is skipped. Keep pressing F9.

Figure (58)

As Figure (58) shows, after MOV EAX, DWORD PTR DS:[5DCEA0] executes, it stops at the hardware breakpoint again. Keep pressing F9. It will stop each time the hardware breakpoint is hit. Keep pressing F9 until the DAP program runs. When the DAP program appears, choose About from the Help menu.

Figure (59)

At this point, the moment the Help menu is selected, the program stops at the hardware breakpoint seen in Figure (59). You can't even select the About submenu. So let's remove the HW BP. Figure (60).

Figure (60)

Then choose About from the Help menu.

Figure (61)

Now we have reached the place where we set the software breakpoint. In the dump window, the byte value at 5DCEA0 is zero. At this moment the value of EBX is also zero. Comparing two zero values, JNZ (Jump if not zero) cannot jump, so we arrive at PUSH 2718 (DAP Unregistered). The program appears to decide whether it is registered by reading the byte value at 5DCEA0 in the dump window. So let's change 5DCEA0 from zero to 1.

So right-click on the byte (00) at 5DCEA0 and choose Binary Edit. Figure (62). When you see Figure (62), change it to 01 and click OK. After that, to save the edited byte (01), right-click on the 01, choose Copy to executable file, and save the file under the name patch.exe.


Figure (62)

To find out whether the saved file works, run the (patch.exe) file. Then choose About from the Help menu and you will see Figure (63).

Figure (63)

Something has gone wrong. Let's open patch.exe in Olly and check again. Figure (64).

Figure (64)

As Figure (64) shows, at the entry point the byte value at 5DCEA0 in the dump window is 01. Press F9 and run the program. Then choose About from the Help menu. Figure (65).

Figure (65)

Looking at the dump window in Figure (65), you'll see that the byte value at 5DCEA0 is zero. That is why it shows DAP Unregistered, as seen in Figure (63). Let's see where the byte value at 5DCEA0 changes from 1 to 0. So, to set a hardware breakpoint on the byte (01) at 5DCEA0, choose Breakpoint > Hardware, on write > Byte. Note that this time we choose write instead of access. Once the breakpoint is set, press F9. Figure (66).

Figure (66)


As Figure (66) shows, it is after MOV DWORD PTR DS:[ESI+F8], EDI executes that the byte value (01) at 5DCEA0 changes. So patch this spot as in Figure (67) and continue running the program (F9).

Figure (67)

Pressing F9 and continuing, you see Figure (68).

Figure (68)

When you click the OK button in Figure (68), the program stops working and exits. So it is clear that changing to 01 does not work every time. If I had to give my opinion, the program probably checks whether the value is 1 before the main window first appears. So let's set two hardware breakpoints and watch the byte value at 5DCEA0. One HW BP is on access and the other is on write. Figure (69).

Figure (69)

Once the breakpoints are set, keep pressing the F9 key. Olly will stop at every BP we set. Continue with F9. When you see Figure (70), stop for a moment.

Figure (70)


You will now understand why I asked you to stop here: we have run into polymorphic code, which is why I had you stop. Because the JNZ at 0045E6F5 does not jump, we arrive at the polymorphic code. Did you notice the PUSHAD at 0045E71B? PUSHAD stands for "PUSH all Double" and tells the CPU to save onto the stack the contents of all the 32-bit (DWORD) registers, starting from EAX and ending with EDI. When PUSHAD is used, keep an eye on the value of ESP. Figure (71).

Figure (71)

At this point, don't press F9; press only F8 until you see Figure (72).

Figure (72)

If you press F8 at the JMP ECX in Figure (72), you will see Figure (73), because the value of ECX is 0012E774.

Figure (73)

PUSHAD is used together with POPAD. POPAD copies everything back from the stack into the registers. So set a breakpoint where the POPAD is and press F9 (run).

Figure (74)

At this point the code in Figure (73) changes into that of Figure (74). Since PUSH + RETN is equivalent to JMP, pressing F8 will jump to VA 0045E81D. VA 0045E81D is not very important, so press F9 to get to the next HW BP. Figure (75).

Figure (75)


The JE seen in Figure (75) skips over the polymorphic code. Make a note of this place, because if our registration attempt does not succeed we will have to patch here. Press F9 again. Figure (76).

Figure (76)

Looking at Figure (76), we find more polymorphic code. If you had not studied polymorphic code in the previous lesson, your head would be spinning by now. This time too the JNZ does not jump, so let's study again what the polymorphic code does. Figure (77).

Figure (77)

Press F8 until you reach the JMP ECX in Figure (77) and you will see Figure (78).

Figure (78)

Press F8 until you reach 0012DEE5 in Figure (78) and you will see Figure (79).

Figure (79)


Since PUSH + RETN is equivalent to a JMP, pressing F8 will jump to VA 004AED97. There is nothing special at VA 004AED97 either, so keep pressing F9. After passing through the hardware breakpoints at 491C56, 49201F, 491ABB, 4918E8, 4ADF16, 4AEB94, 4AE4F8, 49444A, 469148, 4DA1C3 and 4DF802, DAP's main window appears. Earlier I gave my opinion that, before the main window appears, the program probably checks whether the byte at 5DCEA0 in the dump window is 1 or not. To find out whether that is right, let us change the byte at 5DCEA0 to 1 when we reach 4DA1C3. Figure (80).

Figure (80)

After making the change shown in Figure (80), remove all the hardware breakpoints and run the program (F9). Figure (81).

Figure (81)

Judging by Figure (81), things look good. The little "Buy DAP" icon is now inactive, which means there is nothing left to buy. Let us look at the Help menu. Figure (82).

Figure (82)

Figure (82) is satisfying to see. The decision to make the change at 4DA1C3 turned out to be right. So let us try to patch this location. Set a breakpoint (F2) at 4DA1C3 and restart the program (Ctrl+F2). Then press F9 and you will see Figure (83).


Figure (83)

When you see Figure (83), make the change shown in Figure (84).

Figure (84)

After making the change in Figure (84), save the file under any name you like. The program will work fine. ☺ ☺ ☺

As an aside, BetaMaster changed the byte at 5DCEA0 in the dump window to 01 after the breakpoint stopped at 004ADF16. Let us see what happens in that case.

Figure (85)

As Figure (85) shows, the ... and ... have disappeared. The rest is the same. If you want to see it this way, you have to change the code as in Figure (86).

Figure (86)

To summarise, we were able to patch the DAP program quickly thanks to Resource Hacker. Finding PUSH 2718 ("DAP Unregistered") is what made patching DAP convenient. DAP's normal behaviour is to contact the internet in order to become the Premium version. If the code and e-mail you typed in are correct, it stores that code and e-mail in the registry and in the dapreg8.key file, and checks them the next time the program is started. We were able to use DAP as the Premium version because we tricked it into no longer checking the registry and the dapreg8.key file. I would also like to mention that BetaMaster's dap-8.0.4.1-patch.exe file was a great help in the cracking.

Finally, a word of warning: DAP 9.2 is protected with Armadillo 5.40, and its registration scheme has become more sophisticated. DAP 9.2 was downloaded on 3 August 2009.


Since I do not want to unpack the Armadillo protection, I will just write a loader file for DAP 9.2.

I will go straight to writing down where to change things to become a Premium user.

Figure (87)

The code in Figure (87) will be changed as in Figure (88).

Figure (88)

The change in Figure (88) is only shown as an example. The real change is made in ABEL loader.

Figure (89)

After making the changes in ABEL loader as in Figure (89), save the loader file under any name you like and run it. If you choose the About submenu from DAP's Help menu, you will see Figure (90).

Figure (90)


Chapter (27) - Studying Themida

In the previous lessons I discussed in rough outline how packers/protectors work and also demonstrated unpacking some packed files. This time we will study Themida, the protector that gives crackers the most trouble and the most headaches. Since knowing how Themida works will help you understand how to unpack it, I would first like to discuss Themida a little.

(1) What Themida is ...

Themida is a protection system that uses the SecureEngine protection technology to protect software against cracking. From a cracker's point of view, Themida is completely different from the usual software protectors. For developers, Themida is easy to use and lets them easily select the advanced protections they want. Figure (1).

Figure (1)

Advanced Anti-Debugger – This option protects your application against debuggers. SecureEngine can detect most debuggers (including user-mode and kernel-mode debuggers).

Anti Dumpers – One of the most dangerous tools for protected software is the memory dumper. Crackers use these tools to save decrypted code or data from memory to disk. From that they can recover an exact image of the original program as it was before protection. When this option is selected, SecureEngine uses its MemoryGuard technology to protect against dumping from memory to disk.

Entrypoint Obfuscation – If selected, SecureEngine obscures your application's entry point. The first instructions executed in the application will be SecureEngine's code. Because of this SecureEntryPoint technology, crackers cannot find the real entry point of your application, which makes cracking harder.


Resources Encryption – If selected, the resources your application uses are encrypted. Crackers can then no longer inspect the structure of your application. To keep the resources secure, SecureEngine decrypts only the resources that are needed, only when they are needed.

VMWare/Virtual PC – This option allows your protected application to run under a virtual OS such as VMWare or Virtual PC.

Advanced API-Wrapping – This option uses the SecureAPIWrapper technology so that the various APIs used by your protected application cannot be analysed.

Anti-Patching – If selected, this option checks whether the protected application has been modified by a virus, a cracker or another application. If you intend to apply another protector on top, or want to modify some of the code in the exe file afterwards, you must set this option to None so that Themida's automatic check for modified code does not get in the way. Otherwise Themida shows an error message and terminates the program immediately.

Metamorph Security – This technology allows SecureEngine to add protected code to the application. The SmartMetamorph technology transforms the original ... into similar-looking code, protecting them from being studied by ..., and misleads the ...

Advanced Debugger Monitors – If selected, SecureEngine inserts advanced anti-debugging technologies into your application so that crackers cannot use debuggers to study your code. SecureEngine's DebuggerGuard technology can detect every debugger running in memory; it can even detect ring 0 debuggers running in the kernel.

Compression – When SecureEngine protects an application it adds a very large amount of code to it, which makes your application much bigger. To avoid this growth in size, selecting this option compresses the application code, the resources and the protection code. Because SecureEngine uses its SmartCompression technology, its decompression algorithm does not hurt the application's performance when it is loaded into memory.

Monitor Blockers – SecureEngine uses its MonitorBlocker technology to protect against crackers when your application accesses many files or registry keys. If crackers cannot use the tools that monitor registry key or file input/output, it becomes hard for them to make the right decisions when cracking. (For a trial version, you have to write to a file or set a registry key in order to establish a trial period.)

Delphi/BCB form protection – When your application is written in Delphi or Borland C++ Builder, this is used to protect your application's forms. SecureEngine defeats the cracking tools that extract Delphi/BCB forms while your application is running.

(2) What SecureEngine is ...

SecureEngine is a novel technology used to protect Windows applications against modern cracking. Other protectors use only the privileges that ordinary applications get, that is, the privileges the OS restricts them to and permits. That is why many cracking tools that run at kernel level can easily study those protectors, which run only at application level, and crack their protection routines. SecureEngine is designed to avoid this: its code runs with the same privileges as the OS. So any protection technique can be carried out freely, without the OS's restrictions. Looked at from the other side, because SecureEngine runs at the same level as the kernel, cracking tools cannot crack, study or detect its protection routines. Themida and WinLicense both use the SecureEngine technology.

The technologies SecureEngine uses are as follows –

AntiAPISpyer – Crackers very often study how the APIs called by an application work and try to bypass the protections that way. To prevent this kind of cracking, SecureEngine uses its AntiAPISpyer technology, which makes the APIs called by the protected application invisible.

AntiBreakpoints – Usually crackers use debuggers because they want to stop an application at a place of their choosing. Breakpoints can halt an application, and while it is halted they let the cracker see what the application is doing. SecureEngine includes advanced techniques for detecting all kinds of breakpoints, and as soon as it finds one it skips past it and ends the program's execution.

Most current software protectors are still weak at finding breakpoints inside the protected application. For example, they only check whether a breakpoint has been set on the first instructions of an API routine. To get around this, crackers set the breakpoint in the middle of the API routine, where it cannot be detected. With ordinary cracking tools, the routines that detect OS breakpoints can be bypassed easily.

AntiCrackTools – SecureEngine's AntiCrackTools technology halts the protected application if it learns that dangerous cracking tools are running in memory. Alternatively, when it detects one of these tools it runs a protection routine you have specified. The AntiCrackTools technology detects cracking tools in memory using very complex methods and runs in kernel mode.

AntiDumperPro – All software protectors encrypt the protected file before it runs. When the protected application is started, it has to be decrypted so that the CPU can understand and execute it. Many crackers use tools to dump the application from memory to disk while it is running. SecureEngine prevents every dumping tool from dumping, even dumpers that run as device drivers.

Most current protectors rely on weak anti-dumping techniques, such as erasing the executable header at run time. That is why the newer dumping tools can bypass these methods easily. Figure (2) and Figure (3) show an original program dumped from memory and a program protected with the AntiDumperPro technology.

Figure (2) Original program dumped from memory

Figure (3) Program protected with the AntiDumperPro technology

ClearCode – The ClearCode technology erases code after it has executed. Since crackers use dumping tools to save what is in memory to disk while an application is running, removing code blocks from memory immediately after they execute protects against dumping.


CodeEncrypt – The CodeEncrypt technology keeps code encrypted while it is not executing. Because the code is re-encrypted as soon as it has executed, it is protected against crackers dumping it from memory. Figures (4/5).

Figure (4) Before protection

Figure (5) After protection
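As an added example (not from the Cracker Guide and not SecureEngine's own code), here is a toy C model of the CodeEncrypt and ClearCode idea just described: code blocks stay encrypted at rest, are decrypted only while they run, and are re-encrypted or wiped right after, so a memory dump taken at any moment contains at most one block in clear. The XOR cipher, the block contents and the per-block keys are constructed for the demo; a real protector uses far stronger layers.

```c
/* Added example (not from the Cracker Guide, not SecureEngine's code): a toy
 * model of CodeEncrypt/ClearCode. Each "code block" sits in a memory image,
 * XOR-encrypted with its own key; a block is decrypted just before it runs
 * and re-encrypted (or erased) right after, so a snapshot taken at any point
 * exposes at most one block in clear. Cipher, keys and block contents are
 * constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS 4
#define BLOCK_LEN 8

typedef struct {
    uint8_t image[NBLOCKS][BLOCK_LEN];  /* what a dumper would see         */
    uint8_t key[NBLOCKS];               /* one key per block (constructed) */
    int     clear_after_use;            /* 1 = ClearCode, 0 = CodeEncrypt  */
} image_t;

/* Plaintext "code" for block i: a recognisable byte pattern (constructed). */
static void plain_block(int i, uint8_t out[BLOCK_LEN]) {
    for (int j = 0; j < BLOCK_LEN; j++) out[j] = (uint8_t)(0x40 + i * 0x10 + j);
}

static void xor_block(uint8_t *b, uint8_t key) {
    for (int j = 0; j < BLOCK_LEN; j++) b[j] ^= key;
}

/* Build the protected image: every block encrypted at rest. */
void protect(image_t *img, int clear_after_use) {
    img->clear_after_use = clear_after_use;
    for (int i = 0; i < NBLOCKS; i++) {
        img->key[i] = (uint8_t)(0x5A + i * 0x33);   /* constructed per-block key */
        plain_block(i, img->image[i]);
        xor_block(img->image[i], img->key[i]);
    }
}

/* Count how many blocks are readable in clear in the current image. */
int blocks_in_clear(const image_t *img) {
    int n = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        uint8_t expect[BLOCK_LEN];
        plain_block(i, expect);
        if (memcmp(img->image[i], expect, BLOCK_LEN) == 0) n++;
    }
    return n;
}

/* "Execute" block i: decrypt, run (here: checksum its bytes), then either
 * re-encrypt (CodeEncrypt) or wipe (ClearCode). Returns the checksum and
 * reports via *visible how many blocks a dump taken mid-execution would see. */
uint32_t run_block(image_t *img, int i, int *visible) {
    xor_block(img->image[i], img->key[i]);        /* decrypt on demand */
    uint32_t sum = 0;
    for (int j = 0; j < BLOCK_LEN; j++) sum += img->image[i][j];
    if (visible) *visible = blocks_in_clear(img); /* snapshot while running */
    if (img->clear_after_use) memset(img->image[i], 0, BLOCK_LEN);
    else xor_block(img->image[i], img->key[i]);   /* re-encrypt */
    return sum;
}

/* Run all blocks once; returns the largest number of clear blocks any
 * mid-execution snapshot saw, and how many are left in clear at the end. */
int max_exposed(int clear_after_use, int *left_at_end) {
    image_t img;
    protect(&img, clear_after_use);
    int worst = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        int seen = 0;
        run_block(&img, i, &seen);
        if (seen > worst) worst = seen;
    }
    if (left_at_end) *left_at_end = blocks_in_clear(&img);
    return worst;
}

int main(void) {
    int left;
    int worst = max_exposed(0, &left);
    printf("CodeEncrypt: at most %d block(s) in clear while running, %d at the end\n", worst, left);
    worst = max_exposed(1, &left);
    printf("ClearCode:   at most %d block(s) in clear while running, %d at the end\n", worst, left);
    return 0;
}
```

The point the model makes is the one the text makes: a dumper that snapshots the process once gets at most the block executing at that instant, and with ClearCode even a block that has already run is gone. Reading the whole program back would require a snapshot at every block transition, which is exactly what the surrounding anti-dump and anti-debug layers are meant to deny.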

CodeReplace – CodeReplace is a new technology that randomly replaces some parts of the application code with junk code. SecureEngine encrypts the real code and stores it in a secure place. The real code is decrypted and executed only once it is certain that the protection scheme is intact and present. If a cracker tries to rebuild the original program, he will get only junk code in place of the original code. And if the cracker removes the protection scheme entirely, he also removes the original code, which has become part of SecureEngine.

This technology has not yet been tried in other protectors. Only a few protectors attempt something similar, but they remove only a single instruction rather than a whole code block as SecureEngine does.

DebuggerGuard – This technology detects debuggers present in memory. Existing cracking tools cannot bypass it. Even if a cracker knows how it works, bypassing it is next to impossible. So this technology lets protected applications run properly in an environment free of debuggers.

Software protectors use very well-known tricks to find out whether debuggers are present in memory. Because these methods have already been described in magazines, books and online, they are no longer able to detect debuggers.

DynamicEncryption – Because SecureEngine uses different algorithms and keys each time it protects an application, crackers will not be able to find a single method that decrypts all protected applications.

GarbageCode – GarbageCode mixes the real code with junk code. Because of this, crackers see junk code whenever they study a routine. The GarbageCode technology contains advanced algorithms, so the junk code it generates looks like real code, and crackers find it hard to tell which code is genuine. For example, when a cracker looks at a disassembled application, instead of the original 1000 instructions he will see about 8000.

Some protectors mix junk code into the real code only to a limited extent, so crackers can easily separate the real code from the fake. Mostly they mix junk code into only a few routines.

Figure (6) and Figure (7) show an original code block and the same block with the GarbageCode technology applied.


EncodeData:
xor [esi], bh
sub [esi+1], bl
xor [esi+2], ah
xor [esi+3], al
add esi, 4
loop EncodeData

Figure (6) Encoding the data

EncodeData:
xor [esi], bh
push ebx
sub ebx, eax
xor edi, ebx
pop ebx
sub [esi+1], bl
dec edi
xor edi, eax
xor [esi+2], ah
jmp short $+2
pusha
mov ecx, eax
xor ebx, edx
rdtsc
popa
xor [esi+3], al
rol edx, cl
sub edi, edx
push eax
xor eax, edi
mov edi, eax
pop eax
add esi, 4
dec edx
imul edx, eax, 3
loop EncodeData

Figure (7) With the GarbageCode technology applied
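To make the comparison between Figure (6) and Figure (7) concrete, here is an added C example (not from the Cracker Guide and not from SecureEngine) that executes both listings on the same constructed input: the real loop and the junk-padded version. It shows why the junk does not change the result: every junk instruction either writes a register the real loop never reads (EDI, EDX) or is undone by the push/pop or pusha/popa around it. rdtsc is replaced by a constructed counter, and the register seeds and input bytes are made up for the demo.

```c
/* Added example (not from the Cracker Guide or from SecureEngine): a C model
 * of the Figure (6) EncodeData loop and of the Figure (7) version padded with
 * junk instructions. The junk only touches registers the real loop does not
 * read (EDI, EDX); the scratch writes to EBX/ECX/EAX are undone by push/pop
 * and pusha/popa, so both versions produce the same output bytes.
 * Input bytes and register seeds are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t eax, ebx, ecx, edx, edi; } regs_t;

#define LO8(r)  ((uint8_t)((r) & 0xFF))          /* al / bl */
#define HI8(r)  ((uint8_t)(((r) >> 8) & 0xFF))   /* ah / bh */

static uint32_t rol32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* Figure (6): the real loop. ECX counts dwords, ESI walks the buffer. */
void encode_plain(uint8_t *buf, regs_t *r) {
    uint8_t *esi = buf;
    do {
        esi[0] ^= HI8(r->ebx);   /* xor [esi], bh   */
        esi[1] -= LO8(r->ebx);   /* sub [esi+1], bl */
        esi[2] ^= HI8(r->eax);   /* xor [esi+2], ah */
        esi[3] ^= LO8(r->eax);   /* xor [esi+3], al */
        esi += 4;                /* add esi, 4      */
    } while (--r->ecx != 0);     /* loop EncodeData */
}

/* Figure (7): the same loop with the junk instructions executed literally.
 * rdtsc is modelled by a constructed counter; its result is discarded by popa. */
void encode_garbage(uint8_t *buf, regs_t *r) {
    uint8_t *esi = buf;
    uint32_t fake_tsc = 0x1000;                        /* constructed stand-in for rdtsc */
    do {
        esi[0] ^= HI8(r->ebx);                        /* xor [esi], bh       */
        { uint32_t saved = r->ebx;                    /* push ebx            */
          r->ebx -= r->eax;                           /* sub ebx, eax        */
          r->edi ^= r->ebx;                           /* xor edi, ebx        */
          r->ebx = saved; }                           /* pop ebx             */
        esi[1] -= LO8(r->ebx);                        /* sub [esi+1], bl     */
        r->edi -= 1;                                  /* dec edi             */
        r->edi ^= r->eax;                             /* xor edi, eax        */
        esi[2] ^= HI8(r->eax);                        /* xor [esi+2], ah     */
        /* jmp short $+2: just falls through to the next instruction       */
        { regs_t all = *r;                            /* pusha               */
          r->ecx = r->eax;                            /* mov ecx, eax        */
          r->ebx ^= r->edx;                           /* xor ebx, edx        */
          r->edx = 0; r->eax = fake_tsc++;            /* rdtsc (modelled)    */
          *r = all; }                                 /* popa                */
        esi[3] ^= LO8(r->eax);                        /* xor [esi+3], al     */
        r->edx = rol32(r->edx, LO8(r->ecx));          /* rol edx, cl         */
        r->edi -= r->edx;                             /* sub edi, edx        */
        { uint32_t saved = r->eax;                    /* push eax            */
          r->eax ^= r->edi;                           /* xor eax, edi        */
          r->edi = r->eax;                            /* mov edi, eax        */
          r->eax = saved; }                           /* pop eax             */
        esi += 4;                                     /* add esi, 4          */
        r->edx -= 1;                                  /* dec edx             */
        r->edx = r->eax * 3;                          /* imul edx, eax, 3    */
    } while (--r->ecx != 0);                          /* loop EncodeData     */
}

/* Returns 1 if both versions transform the same input identically and leave
 * every register the real loop depends on (EAX, EBX, ECX) in the same state. */
int garbage_is_equivalent(void) {
    uint8_t a[16], b[16];                             /* constructed 16-byte input */
    for (int i = 0; i < 16; i++) a[i] = b[i] = (uint8_t)(i * 17 + 3);
    regs_t ra = { 0x1234A5C3, 0x00007B2F, 4, 0x0BADF00D, 0x13371337 };
    regs_t rb = ra;
    encode_plain(a, &ra);
    encode_garbage(b, &rb);
    return memcmp(a, b, 16) == 0 && ra.eax == rb.eax && ra.ebx == rb.ebx && ra.ecx == rb.ecx;
}

int main(void) {
    printf("junk-padded loop equivalent to the plain loop: %s\n",
           garbage_is_equivalent() ? "yes" : "NO");
    return 0;
}
```

The comparison deliberately ignores EDI and EDX: those are the only registers the junk leaves changed, and nothing in the real loop reads them. That is the tell an analyst looks for when deciding which instructions in a listing like Figure (7) are live and which are padding.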

intDebugShield – The x86 architecture provides the debugging capabilities that software debuggers use. Without these capabilities, software debuggers could not work properly. SecureEngine takes full control of the x86 debugging capabilities so that no debugger can be present while a protected application runs. Ordinary protectors cannot use this method, because they cannot run in kernel mode.

InteractiveEngine – InteractiveEngine is a two-way technology that links SecureEngine and the protected application. At any time, the protected application can ask SecureEngine to check whether it is present in memory and whether someone is trying to crack it. With InteractiveEngine, SecureEngine and the protected application work as a single unit.

If a cracker removes the protection scheme, the protected application is notified of it and stops running in memory.

MemoryGuard – In some situations a cracker will not rebuild a protected application into its original code. Instead, he changes some data or code in memory to alter the program's behaviour. This is common in games, where it is done to obtain extra rewards. (Example – in the game Red Alert 2, pressing the * key and the \ key on the numeric keypad to steal money and satellites.)

SecureEngine uses a very complex technique to prevent code and data from being overwritten while a protected application is running in memory.

MonitorBlocker – Many crackers use file/registry monitors to find out which files and registry keys an application uses. Many applications keep the information about their trial period in a file or a registry key. Crackers study these to decide how to defeat an application's trial period.


Most current protectors detect file/registry monitors by techniques such as searching for window class names registered in the OS and looking for the monitor's executable in memory.

SecureEngine uses a far more advanced technique, one that has never been used in a protector before.

MutatorEngine – This technology replaces instructions in the application to be protected with other, equivalent instructions. Using it avoids having identical code in an application and makes it harder for crackers to trace the code.

PasswordProtect – With SecureEngine you can set a password on your application so that it cannot be used without authorisation.

PolymorphicLayers – To prevent the protected application or the protection scheme from being disassembled, SecureEngine uses encryption layers. In these layers the code is fully encrypted and is decrypted only when it is needed.

To strengthen the encryption further, SecureEngine uses polymorphic encryption layers. Every polymorphic layer has its own algorithms and encryption keys, and even finding where an encryption layer begins and ends will be difficult. Figure (8).

Figure (8) Application protected with polymorphic layers

RealTimeSpy – RealTimeSpy uses the power of ThreadEngine to check whether an application is running in a secure environment, so the protected application cannot be cracked.

Most protectors leave the application lying in memory once it has been decrypted. That is why crackers can retrieve the decrypted application and restore it to its original form.

SecureAPIWrapper – A cracker who tries to remove the protection scheme needs to know which APIs the application calls. SecureAPIWrapper protects all the APIs the application calls, so if the program is dumped to disk the crackers will not know which APIs are being called.

SecureEntryPoint – When protecting an application, SecureEngine removes the application's entry point and replaces that first code with junk code. The original instructions at the EP are converted into SecureEngine code. If crackers look for the entry point, they will find only junk code. Figure (9).


Figure (9)

SmartMorph – SecureEngine adds a very large amount of code to applications in order to protect them. So that the code in the application is never identical, the SmartMorph technology transforms the original code so that no two copies look alike. The code differs, but what it does is the same. Crackers therefore think these pieces of code are different and have to study them again, which increases the time cracking takes. Figure (10).

Figure (10) How the same code is carried out differently

My reason for explaining how SecureEngine works is not merely to explain the details of how Themida works. It is because knowing these techniques will let you understand how a protector works when you encounter an unknown one.

(3) Unpacking a Themida (Anti-Debugger) file

This time we will try unpacking files protected with Themida. The Themida version used is 1.9.1. The Themida-protected file Unpackme_lvl1.exe can be downloaded from http://hvaonline.net. Checking Unpackme_lvl1.exe with PEiD shows Figure (11).

[Contents of the Figure (10) diagram, displaced here by the extraction: three instruction sequences from the Smart Metamorph Technology illustration]
mov edi,eax; add eax,7FC97Eh; mov ebx,eax; shl ebx,2
push eax; pop edi; add eax,0E35F09h; sub eax,63958Bh; mov ecx,eax; xchg ebx,ecx; imul ebx,4
mov ecx,eax; xchg edi,ecx; mov ebx,84A8473h; xor ebx,8354D0Dh; add eax,ebx; xor ebx,ebx; or ebx,eax; shl ebx,1; shl eax,1
Smart Metamorph Technology
Copyright © White Cracker (Myanmar Cracking Team)


Figure (11)

As Figure (11) shows, PEiD cannot determine the exact Themida version, but it gave the closest estimate. Let us open Unpackme_lvl1.exe in Olly and run it (F9).

Figure (12)

Pressing F9 in Olly gives Figure (12). In fact, my Olly is using the Hide Caption, HideOD and IsDebugPresent plug-in DLLs to protect it from debugger detection. The HideOD plug-in is also configured as in Figure (13).

Figure (13)

To find out why we see Figure (12), let us look at the Themida options with which Unpackme_lvl1.exe was protected. Figure (14).


Protection Options for Unpackme_lvl1.exe
-----------------------------------
Macros Information
-----------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
-----------------------------------
No files to bundle
Protection Options
-----------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: DISABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: DISABLED
Anti-Registry Monitor: DISABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
-----------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
-----------------------------------
Application compression: DISABLED
Resources compression: DISABLED
SecureEngine compression: DISABLED
Virtual Machine Settings
-----------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (14)

It is because the Anti-Debugger option was selected when protecting with Themida. (Most ordinary protectors include anti-debug tricks, but they cannot get past the Hide Caption, HideOD and IsDebugPresent plug-in DLLs.)

To get past Themida's Anti-Debugger option, you need to download fly's The0DBG + hideToolz, or CodeRipper's RAMODBG. I will be using RAMODBG. RAMODBG is simply an Olly debugger modified so that Themida-protected programs cannot detect it; because it comes with specially prepared plugins, namely API break, Strong OD, Poison and Phant0m, it can debug Themida versions 1.9.5/2.0.1.0/2.0.3.0 without trouble.

Good. Opening Unpackme_lvl1.exe in RAMODBG shows Figure (15).

Figure (15)


Press Ctrl+G (Go to address in disassembler) and go straight to the place we want to reach/find. Figure (16).

Figure (16)

We go to the native API function ZwFreeVirtualMemory() seen in Figure (16). Figure (17).

Figure (17)

Once at ZwFreeVirtualMemory as in Figure (17), set a breakpoint on the RETN 10. Then press F9 (run).

Figure (18)

It will then arrive straight at the breakpoint, as seen in Figure (17).

Then press F9 (run) 18 times. You will see Figure (19). (Note: the number of presses varies with the program being debugged. Pressing F9 (run) 18 times applies only to Unpackme_lvl1.exe. Pause between presses of F9; do not press it 18 times in quick succession.)

Figure (19)

Up to the 17th press of F9 (run), it keeps stopping at the breakpoint from Figure (18). On the 18th press it reaches the code section and you will see the program run. By now you should know what to do. ☺ ☺ ☺

Press Ctrl+F2 (Restart) to restart the program. Set the breakpoint at ZwFreeVirtualMemory and press F9 (Alt+F9) to reach it. When you arrive at the breakpoint as in Figure (18), press F9 (run) 17 times. After the 17th press, remove the breakpoint set at ZwFreeVirtualMemory.

Press Alt+M to open the memory window. Figure (20).

Figure (20)

Right-click the code section in Figure (20) and choose Set memory breakpoint on access. Then press F9 again. The program will stop at the entry point of the code section. ☺ ☺ ☺


Figure (21)

Now we prepare to dump the Unpackme_lvl1.exe program. Right-click in Olly's disassembler window and choose Make dump process. Figure (22).

Figure (22)

Save the dumped program as dumped.exe and fix the IAT with ImpREC 1.7. Figure (23).

Figure (23)


In Figure (23), because IAT Autosearch using DDE1 did not find the RVA (28000), the RVA from the Olly Dump plugin was used. Use Get Imports to import the APIs. Use Show Invalid to find the invalid APIs. Right-click an invalid API address and choose Cut Thunk(s). Then press the Fix Dump button and fix the dumped.exe we saved. ImpREC will save the fixed file as dumped_.exe. If you run this file, you will see it works fine. But the file is a little large, so let us strip out what is not needed. Open dumped_.exe with CFF Explorer. Figure (24).

Figure (24)

Right-click the hacnho section seen in Figure (24) and choose Delete Section (Header and Data). Then save the file as dumped_fixed.exe. You will see Figure (25).

Figure (25)

That completes the unpacking of a Themida file protected with the Anti-Debugger option.

(4) Unpacking a Themida (Anti-Debugger, Anti-File/Registry Monitor) file

This time let us go one step further. The program chosen for unpacking is Unpackm_lvl2.exe. Let us look at the Themida options with which Unpackm_lvl2.exe was protected. Figure (26).

Protection Options for Unpackm_lvl2.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: DISABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (26)

Opening Unpackm_lvl2.exe in Olly shows Figure (27).

Figure (27)

Press Ctrl+G and go to ZwFreeVirtualMemory. Set a breakpoint on the RETN 10 as in Figure (28).

Figure (28)

Then press F9/Shift+F9 to reach the breakpoint. Figure (29).

Figure (29)

When you see Figure (29), count how many presses of F9 it takes before the program's main window appears. The main window appears on the 26th press of F9 (run). So restart the program with Ctrl+F2 (Restart) and come back to the point in Figure (29). Press F9 25 times. After the 25th press, remove the breakpoint set on the RETN 10. Press Alt+M to open the memory window. Right-click the code section and choose Set memory breakpoint on access. When all that is done, press F9 to run the program. It will arrive at the entry point (OEP) of the code section. Figure (30).

Figure (30)

To dump the program, right-click in the disassembly window and choose Make dump of process. Then dump the file under the name dumped.exe.

Open ImpREC to fix the IAT of the dumped file. Do as in Figure (23) and fix the dumped file. You will get a file named dumped_.exe. The reason for entering 28000 as the RVA value is shown in Figure (31).


Figure (31)

Open dumped_.exe in CFF Explorer and delete the hacnho section. Then rebuild the PE header; if you save the modified file under the same name, dumped_.exe, you will see what is shown in Figure (32).

Figure (32)

If you look carefully at Figure (32), you will notice that the current dumped.exe (1,259KB) differs in size from the dumped.exe (791KB) that was dumped in the previous section.

(5) Unpacking a Themida (Anti-Debugger, Anti-Dumpers ...) file

Let's study the next level. This time the program chosen for unpacking is Unpackme_lvl3.exe. Let's look at the Themida options with which Unpackme_lvl3.exe is protected. Figure (33).

Protection Options for Unpackme_lvl3.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: ENABLED
API-Wrapping Level: 0
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: DISABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: DISABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (33)

If you open Unpackme_lvl3.exe in Olly, you will see what is shown in Figure (34).

Figure (34)

Press Ctrl+G and go to ZwFreeVirtualMemory. Set a breakpoint at RETN 10; as shown in Figure (35).

Figure (35)

Then press F9/Shift+F9 until you reach the breakpoint. Figure (36).

Figure (36)

When you see Figure (36), count how many times you have to press F9 before the program's main window appears. After pressing F9 (run) 27 times, the main window appears. So restart the program with Ctrl+F2 (Restart) and come back to the state in Figure (36). Press F9 26 times. When the 26th press is done, remove the breakpoint set at RETN 10;. Press Alt+M to open the memory window. Right-click on the code section and choose Set memory breakpoint on access. When all of that is done, press F9 to run the program. You will arrive at the entry point (OEP) of the code section. Figure (37).

Figure (37)

To dump the program, right-click in the disassembly window and choose Make dump of process. Then dump the file under the name dumped.exe.

To fix the IAT of the dumped file, open ImpREC. Do as was done in Figure (23) and fix the dumped file.

Open dumped_.exe in CFF Explorer and delete the hacnho section. Then rebuild the PE header; if you save the modified file under the same name, dumped_.exe, you will see what is shown in Figure (38).

Figure (38)


You might think that, even though the Anti-Dumpers option is selected, nothing special happened while dumping. Actually, that is not the case. Try dumping Unpackme_lvl3.exe in LordPE. Figure (39).

Figure (39)

When you try to dump with LordPE, you will not be able to dump at all. ☺ ☺ ☺

(6) Unpacking a Themida (Anti-Dumpers, Memory Guard ...) file

Let's study the next level. This time the program chosen for unpacking is Unpackm_lvl4.exe. Let's look at the Themida options with which Unpackm_lvl4.exe is protected. Figure (40).

Protection Options for Unpackm_lvl4.exe
---------------------------------
Macros Information
---------------------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
XBundler files
---------------------------------
No files to bundle
Protection Options
---------------------------------
Anti-Debugger: ENABLED
Anti-Dumpers: ENABLED
API-Wrapping Level: 1
Virtual Machine: ENABLED
Entry Point Ofuscation: DISABLED
Memory Guard: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Resource Encryption: ENABLED
VMWare compatible: DISABLED
Delphi/BCB form protection: DISABLED
Advanced Protection Options
---------------------------------
Encrypt Application: DISABLED
.NET assemblies: DISABLED
DLL plugin: DISABLED
Active Context: DISABLED
Last Section Name: hacnho
Compression
---------------------------------
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Virtual Machine Settings
---------------------------------
Number of Virtual APIs wrapped: 0
Entry Point Virtualization: 0 instructions
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Static opcodes
Dynamic Opcode: DISABLED

Figure (40)


Figure (41)

If you open Unpackm_lvl4.exe in Olly, you will see what is shown in Figure (41).

Figure (42)

In the previous three lessons API-Wrapping was not selected, so there was no need to patch the magic jump. This time we have to find the magic jump.

Press Alt+M to open the memory window. Figure (43).

Figure (43)

Right-click on the code section in Figure (43) and choose Set memory breakpoint on write. Then press F9 (Run).

Figure (44)

When you see Figure (44), press F8 (Step Over) once and then press F9 (Run) again.

Figure (45)

When you see Figure (45), keep pressing F9 (Run) until you see VA 005276FF from Figure (46).


Figure (46)

When you see Figure (46), press F9 (Run) again.

Figure (47)

After that, press F8 (Step over) until you reach the JMP 0052764C; shown in Figure (48).

Figure (48)

Once JMP 0052764C; has executed, you arrive at VA 0052764C as shown in Figure (48). Set a breakpoint at JMP 00526C27; and press F9 until you reach JMP 00526C27;. Once JMP 00526C27; has executed, you arrive at VA 00526C27 as shown in Figure (49).

Figure (49)

The JE 00526CD4; seen in Figure (48) is the magic jump we are looking for. Here we change JE 00526CD4; to JMP 00526CD4;. Figure (50).

Figure (50)


The JEs seen in Figure (51) have to be changed to NOP.

Figure (51)

After the JEs have been changed to NOP, you see what is shown in Figure (52).

Figure (52)

What to do now is press Alt+M and remove the memory breakpoint set in the memory window. Then press Ctrl+G and set a breakpoint at ZwFreeVirtualMemory. Figure (53).

Figure (53)

Once the breakpoint is set as in Figure (53), press F9. You will arrive at the breakpoint. Figure (54).

Figure (54)

When you reach VA 7C90DA54, press F9 15 times to get to the entry point (OEP) of the code section. Then remove the breakpoint set at VA 7C90DA54 and choose Set memory breakpoint on access in the memory window (Alt+M). You will then arrive at the OEP as seen in Figure (55). (Note: the number of times F9 has to be pressed may vary depending on the Windows version you use.)

Figure (55)

Now dump and save the file as dumped.exe. (To keep the lesson from getting too long, this is not explained again; refer back to the earlier sections.)

Fix the IAT of the dumped file with ImpREC. Save the fixed file as dumped_.exe. (Refer back to the earlier sections.)


Open dumped_.exe in CFF Explorer and delete the hacnho section. Save the modified file as dumped_fix.exe. (Refer back to the earlier sections.)

Then fix the PE header using KDK's Rebuild PE plug-in for PEiD. Figure (56).

Figure (56)

After fixing as in Figure (56), you will see the file sizes as shown in Figure (57).

Figure (57)

One thing to point out here: before it was protected with Themida, the original size of Unpackme.exe was only 251KB.

By now I think you should be able to unpack files protected with Themida.

(7) Unpacking a Themida file packed with the default options

The file to unpack this time is UnPackMe_Themida 1.9.1.0.c.exe, which is protected with all of Themida's options selected. First, download this file from the SND Team's download section. The unpacking shown this time is not like the earlier lessons, and you will find that the method is also easier.

Unpacking requires the following three steps.

(a) Finding the OEP

(b) Rebuilding the IAT

(c) Dumping

(a) Finding the OEP

First, we find the OEP of UnPackMe_xxx.exe.

1. Set a breakpoint on ZwFreeVirtualMemory in the command bar as shown in Figure (58).

Figure (58)

2. Once the breakpoint is set, press Shift+F9 and watch the EDI register.


Figure (59)

Olly will stop at ZwFreeVirtualMemory every time, as in Figure (59). Press Shift+F9 and watch the EDI register. When pressing Shift+F9 leaves the EDI value unchanged, remove the breakpoint.

Figure (60)

As seen in Figure (60), once EDI reaches 0041C029 the value no longer changes even when Shift+F9 is pressed, so the breakpoint set at 7C90DA48 (ZwFreeVirtualMemory) can now be removed. After removing the breakpoint, go to the memory window (Alt+M), right-click on UnpackMe's .code section and choose Set memory breakpoint on access. Then press Shift+F9. You will arrive at the OEP as seen in Figure (61).

Figure (61)

Actually, what is seen in Figure (61) is not yet the real OEP.

Figure (62)

The real OEP only starts after the NOP instructions in Figure (62).

Figure (63)


So this region (004271B0 up to 004271DB) has to be fixed. Note that the OEP is 004271B0.

(b) Rebuilding the IAT

Now we work on fixing the IAT.

1. Restart the program. (Ctrl+F2)

2. Open the memory window (Alt+M), right-click on the .code section and choose Set memory breakpoint on write. Then press Shift+F9. You will see what is shown in Figure (64).

Figure (64)

Press F8. You arrive at VA 006F5E02. Then press Shift+F9 until you see what is shown in Figure (65).

Figure (65)

3. Now we search for the magic string. Right-click in Figure (65) and choose Search for > Binary string. Then type 3D00000100 as in Figure (66) and search.

Figure (66)

If searching this way finds nothing, right-click in Figure (65) and choose Search for > Command. Then type cmp eax, 10000 as in Figure (67) and search.

Figure (67)

You will then arrive at the magic string ("ALLUSERPROFILE...") as seen in Figure (68).

Figure (68)


4. Next we look for the jump instruction (JE) that checks the CRC. Right-click in the disassembler window and choose Search for > Binary string. Then type 3985????????0F84 as in Figure (69) and search.

Figure (69)

You will then find the magic jump as shown in Figure (70).

Figure (70)

Right-click at VA 0070667F (JE 0070673A) and choose Breakpoint > Hardware, on execution.

5. The next thing to do is find the jumps that perform the API redirection. There are always four of these jumps, and the address they jump to is the same. For example: (JE 04xxxxx). These four JE instructions are located just below the magic string ("ALLUSERPROFILE...").

So right-click in the disassembler window and choose Search for > Binary string. Then type 0F84???????? and search.

Stop when you find what is shown in Figure (71).

Figure (71)

What is seen in Figure (71) are three jumps (JE) with the same virtual address. The remaining one is at the highlighted address (00706E10-00706E12). To see this jump (JE), press Ctrl+G and type 00706E11. The remaining jump (JE) will appear as shown in Figure (72).


Figure (72)

So, instead of searching for 0F84????????, searching for 0F84??000000 finds the jump (JE) faster. Right-click at VA 00706E11 (JE 00706EE7) and choose Breakpoint > Hardware, on execution.

Press Ctrl+F2 and restart the program.

6. You will now arrive directly at the jump that checks the CRC. Figure (73).

Figure (73)

Change the JE to JMP and press Shift+F9.

7. You will now see that you have arrived at the place where the API is checked (VA 00706E11). Figure (74).

Figure (74)

As seen in Figure (74), replace every JE 00706EE7 with NOP instructions. Then remove all hardware breakpoints.

8. Now set a breakpoint at the OEP (004271DC) and press F9 until you reach the breakpoint. Figure (75).

Figure (75)

Note: the virtual address of the real OEP is actually 004271B0.


Figure (76)

UnpackMe_xxx.exe was written in Visual C++ 6.0. So the code shown in Figure (76) has to be replaced with the Visual C++ 6.0 signature. Visual C++ code usually starts with PUSH EBP and calls the GetVersion API. Its signature is as follows.

55 8B EC 6A FF 68 60 0E 45 00 68 C8 92 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8 53 56 57 89 65 E8 FF 15 DC 0A 46 00

If you substitute these hex values in Figure (76), you will see what is shown in Figure (77).

Figure (77)

At VA 004271D6, change the instruction to CALL kernel32.GetVersion. (It also works without this change.)

Figure (78)

Then right-click at 004271B0 and choose New origin here. This sets the new OEP location.

9. Now open UIF (Universal Import Fixer) to fix the IAT.

Read the process id from Task Manager and enter it in the Process ID field.

Read the required values from Olly's memory window and fill them in as follows. Figure (79).

Code Start: 401000, Code End: 463000, New IAT VA: 469000.

Figure (79)


After filling in the values as in Figure (79), select Fix Directly Imports and Fast Speed and press the Start button. You will see what is shown in Figure (80).

Figure (80)

(c) Dumping

Now we dump the UnpackMe_xxx.exe file that has been fixed with UIF.

Figure (81)

Right-click in the disassembler window and choose as shown in Figure (80). Then save the file as dump.exe. Next comes the part where the dumped file is fixed. Figure (82).

Figure (82)


The OEP is 00271B0. If you enter 00271B0 in the OEP field and press IAT autosearch, no imports will be found at all. This is because the RVA of the IAT is wrong. So enter the RVA and Size values seen in Figure (80) into the RVA and Size fields seen in Figure (82). Then choose Get Imports and fix the dump.exe file. Finally, the file dump_.exe will be produced.

Delete the unneeded Tuts4You section from dump_.exe using CFF Explorer. Then, when the PE header is fixed with Rebuild PE, one of PEiD's plug-ins, you will see the file size shrink as shown in Figure (83).

Figure (83)

If you check dump_(fix).exe with PEiD, you will see what is shown in Figure (84).

Figure (84)

In conclusion, I want to say that every time Themida changes to a new version, the places that need patching will no longer be the same. In versions after Themida 1.9.1, the four JEs with the same address no longer appear. Because the Themida developers watch the cracking forums, they keep patching the unpacking methods that crackers publish. That is why some crackers, even though they have found certain weaknesses in Themida, do not usually publish them on the forums. If you want to unpack Themida files, you will have to keep studying the tutorials that crackers publish and, beyond that, try to be able to unpack in your own way ...


Chapter (28) - The Flashy Trojan and the Windows Registry - 409 -

Chapter (28) - The Flashy Trojan and the Windows Registry

What we studied in the earlier chapters were lessons on the dark side, that is, how to crack software. This time we will apply reversing to study how trojans/viruses work. What we will study is the Flashy trojan. The software needed is:

(a) Fast Scanner 3,

(b) Olly Debugger 1.10,

(c) UnFSG 2.0,

(d) RegCleaner 4.3 by Jouni Vuorio,

(e) Proactive System Password Recovery 4.1.3.455 or higher.

Before we study this program, one thing to take special care of is to temporarily turn off antivirus software. That is because, as shown in Figure (1), antivirus programs recognise the Flashy.exe file as a trojan and delete the file.

Figure (1)

Alright. Let's check in Olly how Flashy is written.

Figure (2)

When we examine Flashy, we see a message as shown in Figure (2). That is because the entry point is 00400000. Figure (3). (Note: in the PE header the entry point normally starts at 00401000. This is discussed in detail in the "PE Header" chapter.)

Figure (3)

Although we search for strings using Search for | All referenced text strings from the context menu as shown in Figure (4), no string at all is found, as shown in Figure (4).


Figure (4)

Let's look closely at why that is. In the message in Figure (2), we see Olly suggesting that this may be a self-extracting file. So it is certain that this file is compressed.

To be more certain, let's see which software it was compressed (protected) with. Figure (5).

Figure (5)

When we look with Fast Scanner 3 as in Figure (5), we see that Flashy.exe is compressed using FSG 2.0. That is why we could not examine the program code.

Figure (6)

Fast Scanner 3 tells us to use VMUnpacker (or) Quick Unpack to unpack FSG. However, we will just use UnFSG 2.0.

Figure (7)

After unpacking as in Figure (7), we save the resulting file as Flashy-Unpacked.exe and check it again with Fast Scanner. Figure (8).


Figure (8)

Actually, the Flashy program is written in Microsoft Visual C++ 6.0. It was protected with FSG 2.0 so that the code could not be traced.

Alright. Now let's open Flashy-Unpacked.exe in Olly, search for the text strings and study them. Figure (9).

Figure (9)

This lesson will not discuss how the whole program works, but only how the program operates using the Windows registry. As seen in Figure (8), right at the start it runs the shell command "user administrator hacked". What can the consequence be? On some computers, some users use the Administrator account as their only logon user name. Others create another account with admin privileges and use that. For those who create and use another account besides Administrator, there is not much of a problem except when logging in in Safe mode. That is because Flashy changes the logon password of the Administrator account. Whatever password was set before, it is changed to "hacked". Figure (10).

Figure (10)


As shown in Figure (9), Flashy changes the Administrator account's logon password to "hacked". This can be viewed using Proactive System Password Recovery 4.1.3.455. So keep in mind that when logging on to a Windows machine infected with the Flashy trojan, if you need to log in as the Administrator account, you have to type the word "hacked" in the password field.

Then Flashy uses the GetDriveType function to examine the D, E, F, G, H, I and J drives and checks whether those drives are flash drives. If one is a flash drive, it uses the CopyFileA function to create exe files with the same names as the folders.

Figure (11)

As shown in Figure (11), Flashy uses the RegOpenKeyExA function to open "Software\Microsoft\Windows\Current\Explorer" under HKEY_CURRENT_USER. Then it looks up the name of the currently logged-on user. Figure (12).

Figure (12)

Let's see why Flashy looks up the Logon User Name. Figure (13).

Figure (13)

Actually, it is because Flashy wants to substitute the Logon User Name for the second %s in "%s\Documents and Settings\%s\Start Menu\Programs\Startup\systemID.pif" and place systemID.pif there, as shown in Figure (13).

Then it copies Flashy.exe into the system32 folder and sets the file's attribute to hidden. Then it writes an entry in the Run key of HKEY_LM in the registry so that Flashy runs the next time Windows starts. This can be viewed in the Registry editor. Figure (14).

Figure (14)

After that, Flashy writes DisableRegistryTools and DisableTaskMgr under HKEY_CU's "Software\Microsoft\Windows\CurrentVersion\Policies\System", as shown in Figure (15).


Figure (15)

The consequence of writing these values is seen in Figure (16) and Figure (17).

Figure (16)

Figure (17)

As shown in Figure (16), the Registry editor is disabled so that it cannot be used. Figure (17) shows Task Manager being disabled. This is done so that the Flashy program cannot be closed or deleted. That is not all. Flashy writes NoFolderOptions under HKEY_CU's "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" and HideFileExt under "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", as shown in Figure (15). The reason it sets HideFileExt is that Flashy hides the folders so they cannot be seen and creates application (.exe) files using those folder names. If the file extensions were shown after the names, users would know these are files and would not dare to click them; that is why the file extension is hidden. The consequence of using NoFolderOptions is as seen in Figure (18).

Figure (18)

If you look carefully at Figure (18), you will notice that the familiar little Folder Options submenu has disappeared. For those who cannot yet use the Registry editor skilfully, if they want to view a file that someone has hidden, they have to use Folder Options to view it. Figure (19).


Figure (19)

We have now studied how Flashy works. So let's look at how to get rid of this program. First, we have to close the Flashy program that is running in Task Manager. But since we cannot open Task Manager, we will use the command prompt. When you type tasklist at the command prompt, you will see the programs currently running, just as in Task Manager. You will see our Flashy running with Process ID (PID) 1224. Figure (20).

Figure (20)

To close Flashy, we use the taskkill command. Figure (21).

Figure (21)

Next we have to make the Registry editor usable again. In Start > Run, type REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /V DisableRegistryTools /T REG_SZ /D "0" /F. Now we can use the Registry editor. Figure (22).

Figure (22)

Then go to the system32 folder and delete Flashy. Figure (23).

Figure (23)


After that, we use RegCleaner 4.3 to delete what was written in the registry. Figure (23).

Figure (24)

In Start menu > Run, type gpedit.msc to open Group Policy. Then, as shown in Figure (25), we fix it so that Folder Options is visible again.

Figure (25)

In addition, we change the value of DisableTaskMgr under HKEY_CU "Software\Microsoft\Windows\CurrentVersion\Policies\System" to zero. Only then can Task Manager be opened and used. Finally, delete the systemID shown in Figure (26).

Figure (26)
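The cleanup the chapter walks through by hand (taskkill, REG ADD, deleting the system32 copy and the Startup item, restoring Folder Options and Task Manager) can be checked in one place. The following PowerShell script is an added example and not code from the book: it audits a machine for the traces the chapter attributes to Flashy and, when run with -Remediate, reverts them. Assumptions: the HKLM Run entry is recognised by its data pointing at Flashy.exe (the chapter names the file but not the value name), and the Startup item is systemID.pif in the current user's Startup folder.

```powershell
# Added example (not from the Cracker Guide): audit and optional cleanup of the
# registry and file-system traces the chapter attributes to the Flashy trojan.
# Run from an elevated PowerShell; use -Remediate to revert what is found.
param([switch]$Remediate)

$findings = @()

# Policy values the trojan sets (all four are named in the chapter).
# A clean machine has them absent or 0.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and [int]$v -ne 0) {
        $findings += "$($c.Path)\$($c.Name) = $v"
        if ($Remediate) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord }
    }
}

# Persistence: the HKLM Run entry that relaunches the hidden system32 copy.
# Assumption: the value name is not given in the chapter, so any Run value
# whose data points at Flashy.exe is treated as the indicator.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'Flashy\.exe') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

# Dropped files: the hidden copy in system32 and the Startup item systemID.pif.
# The running process is stopped first, as the chapter does with taskkill.
if ($Remediate) { Get-Process -Name Flashy -ErrorAction SilentlyContinue | Stop-Process -Force }
$system32Copy = Join-Path $env:SystemRoot 'system32\Flashy.exe'
$startupPif   = Join-Path ([Environment]::GetFolderPath('Startup')) 'systemID.pif'
foreach ($f in @($system32Copy, $startupPif)) {
    if (Test-Path -LiteralPath $f) {
        $attrs = (Get-Item -LiteralPath $f -Force).Attributes   # -Force: the file is hidden
        $findings += "$f (attributes: $attrs)"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# Removable drives: an .exe carrying the name of a folder on the same drive is
# the folder-mimicking copy the chapter describes; the real folder was hidden.
$removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        $twin = Join-Path $root ($dir.Name + '.exe')
        if (Test-Path -LiteralPath $twin) {
            $findings += "folder-mimicking executable: $twin"
            if ($Remediate) {
                Remove-Item -LiteralPath $twin -Force
                # make the genuine folder visible again
                $dir.Attributes = $dir.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
            }
        }
    }
}

# The Administrator password change ("hacked") is not handled here; reset it
# through normal account management after the cleanup.
if ($findings.Count -eq 0) { 'No Flashy indicators found.' } else { $findings }
```

Without -Remediate the script only reports, so it can be run first to confirm the chapter's indicators before anything is changed.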


Chapter (29) - Olly Debug Script - 416 -

Chapter (29) - Olly Debug Script

In this chapter we study the Olly debug script. The Olly script plugin is explained here partly because some unpackers sometimes come in the form of scripts, and partly so that you can write scripts yourself. The DLL file needed for Olly scripts is ODbgScript 1.78.3.dll (or) OllyScript 0.92.dll. In addition, if you have the Olly Script Editor written by Arjun Sapkota, it will help you in writing scripts.

(1) Finding the OEP of a file packed with UPX

We will pack notepad.exe with UPX. CFF Explorer already comes with a UPX plugin. Press the pack button in Figure (1) and pack it.

Figure (1)

In Notepad, write the script seen in Figure (2) and save it as UPXOepFinder.osc.

// UPX OEP Finder
// Copyright © Myo Myint Htike, July 16 2010
findop eip, #61#
bphws $RESULT, "x"
run
bphwc $RESULT
findop eip, #E9#
bphws $RESULT, "x"
run
bphwc $RESULT
sto
ret

Figure (2)

To explain the script in Figure (2):

(1) findop eip, #61# = starting from the current address (EIP), searches for the opcode value 61 (POPAD). If it is not found, the $RESULT value will be zero. If the POPAD instruction is found, the virtual address of that instruction is stored as the $RESULT value.

(2) bphws $RESULT, "x" = bphws means "Set hardware breakpoint". "x" declares that this hardware breakpoint is used only on execution. If you want to set a breakpoint for when the code is read, you can use "r"; for when the code is written, "w". For example: bphws 401000, "x".

(3) run = this is the same as Olly's run (F9). It runs up to the hardware breakpoint we set.

(4) bphwc $RESULT = removes the breakpoint we set.

(5) findop eip, #E9# = starting from the current address (EIP), searches for the opcode value E9 (JMP xxxxxxxx).

(6) bphws $RESULT, "x" = sets a breakpoint at the virtual address of the JMP instruction.


(7) Then it runs up to the breakpoint.

(8) Removes the breakpoint set at the JMP instruction.

(9) sto = the same as Olly's Step over (F8). It executes the current instruction and moves to the next line. sti, which is Step into (F7), can also be used.

(10) ret = the script's execution ends.

Now we open the notepad.exe file we packed in Olly. Figure (3).

Figure (3)

From the Plugins menu > OdbgScript > Script(S), choose Load....

Figure (4)

From Load… in Figure (4), choose UPXOepFinder.osc. You will see what is shown in Figure (5).

Figure (5)

When you see Figure (5), the OEP we are looking for has been found. Now dump and save the file. Then fix the IAT. (For this, refer back to the chapter "Chapter (13) – Packers (Protectors)".)

(2) Unpacking a file packed with SLVc0deProtector

This time we will try unpacking the SLVc0deProtector (SCP-0.61.exe) software file, which is packed with SLVc0deProtector. The SCP-0.61.exe file is protected with SLVc0deProtector 0.61. We will try to unpack this file. Open SCP-0.61.exe in Olly. Figure (6).

Figure (6)


When you see Figure (6), we run the following script.

/*
SLVc0deProtector 0.61 OEP Finder
Made by: GaBoR RES
*/
gpa "OutputDebugStringA", "kernel32.dll"
bphws $RESULT, "x"
run
bphwc $RESULT
rtu
sto
rtu
find eip, #4F6C6C79#
find $RESULT, #4F6C6C79#
fill $RESULT, 4, 47
findop eip, #F3A4#
bphws $RESULT, "x"
run
bphwc $RESULT
find eip, #5858FFE0#
bphws $RESULT, "x"
run
bphwc $RESULT
sto
sto
sto
cmt eip, "OEP found by GaBoR RES"
msg "Dump the process with Imprec, fix the IAT & fix header!"
ret

Figure (7)

This time we do not choose Load… from Plugins menu > OdbgScript > Script(S). Right-click in the disassembler window and choose Script Window (W) from Figure (8).

Figure (8)

Then choose Open… from Load Script. Figure (9).

Figure (9)

When you then open the script from Figure (7), you will see what is shown in Figure (10).


Figure (10)

Let's study the script in Figure (10) step by step. Right-click in Figure (10) and choose Step (tab).

Figure (11)

After line 1 of Figure (10) has executed, you see what is shown in Figure (11).

(1) gpa "OutputDebugStringA", "kernel32.dll" = gets the address of the specified procedure in the specified library file. Here it gets 7C85AD4C, the address of the OutputDebugStringA function in kernel32.dll.

(2) bphws $RESULT, "x" = sets a hardware breakpoint at 7C85AD4C.

(3) run = runs (F9) up to 7C85AD4C.

(4) bphwc $RESULT = removes the breakpoint set at 7C85AD4C.

(5) rtu = the same as "Run to user code" (Alt + F9) in Olly. It arrives at VA 00157703 as shown in Figure (12).

Figure (12)

(6) sto = when Step over (F8) is performed, it arrives at JMP 0015770B.

(7) rtu = when "Run to user code" (Alt + F9) is performed again, you see what is shown in Figure (13).

Figure (13)

(8) find eip, #4F6C6C79# = searches for 4F6C6C79 starting from the current EIP (0015570B). 4F6C6C79 is found at 00157D87. So the $RESULT value is 00157D87. Figure (14). 4F6C6C79 is actually the string "Olly".


Figure (14)

(9) find $RESULT, #4F6C6C79# = searches again for 4F6C6C79 starting from 00157D87, the $RESULT value. That is because the first one is Ollydbg.exe.

(10) fill $RESULT, 4, 47 = replaces the letters "Olly" found at 00157D87 with GGGG. This is really to keep the debugger from being detected.

(11) findop eip, #F3A4# = searches for the F3A4 (REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]) opcode starting from the current EIP (00157D87). It is found at 00157845.

(12) bphws $RESULT, "x" = sets a hardware breakpoint at 00157845. Figure (15).

Figure (15)

This breakpoint is the one that lets the protector decompress itself.

(13) run = runs (F9) up to 00157845.

(14) bphwc $RESULT = removes the breakpoint set at 00157845.

(15) find eip, #5858FFE0# = searches for the hex code 5858FFE0 (POP EAX, POP EAX, JMP EAX) starting from the current EIP (00157845). These instructions jump to the OEP. 5858FFE0 is found at 0015798C.

(16) bphws $RESULT, "x" = sets a hardware breakpoint at 0015798C.

(17) run = runs (F9) up to 0015798C. You then see what is shown in Figure (16).

Figure (16)

(18) bphwc $RESULT = removes the breakpoint set at 00157845.

(19/20/21) sto = after Step over (F8) has been performed 3 times on the code in Figure (16), you will see it arrive at 004042B0 as shown in Figure (17).

Figure (17)


(22) cmt eip, "OEP found by GaBoR RES" = "OEP found by GaBoR RES" appears in the comment column of the current EIP (004042B0). Figure (17).

(23) msg "Dump the process with Imprec, fix the IAT & fix header!" = notifies you that the process can now be dumped. Figure (18).

Figure (18)

(24) ret = the script finishes.

Once the script has finished, proceed as in figure (19).

Figure (19)

In figure (19), click the Dump button and save the file under any name you like. If you want the file to be smaller, delete the ::ICU:: section.

(3) Unpacking a file packed with Yoda's Protector 1.03.3

This time we will unpack calc.exe (the calculator), protected with Yoda's Protector 1.03.3. Find calc.exe in the Windows System32 folder and protect it with Yoda's Protector. Yoda's Protector is in fact a protector that Ashkbiz Danehkar reworked from Danilo Bzdok's Yoda's Cryptor, and development stopped at version 1.03.3. The tricks found in Yoda's Cryptor are:

(1) erasing the PE header,

(2) CRC checks (of the code and the file),

(3) an IsDebuggerPresent check,

(4) API redirection and destruction of the import information.

The new tricks added in Yoda's Protector are: using GetCurrentProcessId() and CreateToolhelp32Snapshot() to compare PIDs and close Olly when the PIDs do not match, and using the BlockInput() API to stop mouse and keyboard input.

Select calc.exe as shown in figure (20) and protect it.


Figure (20)

Let us write a script to unpack the calc.exe we protected. Figure (21).

#log
// Copyright © Myo Myint Htike, Aug 10 2010
var BaseOfCode
var SizeOfCode
var BlockI
var DLLName
var handle
gmi eip, CODEBASE
mov BaseOfCode, $RESULT
gmi eip, CODESIZE
mov SizeOfCode, $RESULT
gpa "LoadLibraryA", "kernel32.dll"
mov handle, $RESULT
mov DLLName, "USER32.DLL"
CheckDLL:
go handle
scmpi DLLName, [[esp+4]]
je DLLFound
jmp CheckDLL
DLLFound:
mov handle, [esp]
bphws handle, "x"
esto
bphwc handle
gpa "BlockInput", "user32.dll"
fill $RESULT, 0C, 90
add $RESULT, 0C
mov BlockI, $RESULT
gpa "GetCurrentProcessId", "kernel32.dll"
mov [$RESULT], 00000xxxB8 // mov eax, CurrentProcessID
/* xxx is the PID of the Olly instance currently running. Read Olly's PID from
   Task Manager and substitute that PID number here. */
fill $RESULT+5, 4, 90
gpa "IsDebuggerPresent", "kernel32.dll"
mov [$RESULT], 000000B8
mov [$RESULT+4], 90909000
mov [$RESULT+8], C3
bphws BlockI, "x"
esto
esto
bphwc BlockI
bprm BaseOfCode, SizeOfCode
esto
bpmc
an eip
cmt eip, "This is OEP - Found by rhythm (Myanmar Cracking Team)"
msg "Dump and fix IAT now - Good day"
ret

Figure (21)


Explaining the code in figure (21):

(1) var BaseOfCode - Declares a variable for the start address of the code section.

(2) var SizeOfCode - Declares a variable for the size of the code section.

(3) var BlockI - The variable for the breakpoint that will be set at the return of the BlockInput function.

(4) var DLLName - For reading the names of the DLLs that calc.exe loads and uses.

(5) var handle - The start address of the DLL file.

(6) gmi eip, CODEBASE – Retrieves information about the module that EIP is in. CODEBASE means the address of the code section. Figure (22). The CODEBASE value is 01001000.

Figure (22)

(7) mov BaseOfCode, $RESULT – Stores the CODEBASE value, 01001000, in BaseOfCode.

(8) gmi eip, CODESIZE – Retrieves the size of the code section. Figure (22). The CODESIZE value is 00013000.

(9) mov SizeOfCode, $RESULT – Stores the CODESIZE value, 00013000, in SizeOfCode.

(10) gpa "LoadLibraryA", "kernel32.dll" – Retrieves the address of the LoadLibraryA API in kernel32.dll.

(11) mov handle, $RESULT – Stores the address of the LoadLibraryA API, 7C801D7B, in handle. API addresses may differ depending on the Windows version and the DLL version. Figure (23).

Figure (23)

(12) mov DLLName, "USER32.DLL" – Stores user32.dll in DLLName in order to look for it, because when calc.exe is first opened in Olly, user32.dll has not yet been loaded into memory, as seen in figure (24).

Figure (24)

(13) go handle – Runs to the handle value, 7C801D7B, so the current EIP becomes 7C801D7B. Right-click the ESP value in figure (25) and choose Follow in Stack.


Figure (25)

(14) scmpi DLLName, [[esp+4]] – Compares the DLL string at ESP+4 (0006EC04) with USER32.DLL, ignoring case.

Figure (26)

(15) je DLLFound – If [[ESP+4]] is USER32.DLL, jumps to DLLFound.

(16) jmp CheckDLL – If [[ESP+4]] is not USER32.DLL, goes back to CheckDLL and keeps looking for user32.dll.

(17) mov handle, [esp] – When "user32.dll" is found, user32.dll is loaded into free space in the currently running process. 10294CA is that file's handle.

Figure (27)

(18) bphws handle, "x" – Sets a hardware breakpoint (on execution) at 10294CE.

(19) esto – Presses Shift+F9.

(20) bphwc handle – Removes the hardware breakpoint.

(21) gpa "BlockInput", "user32.dll" – Reads the address of the BlockInput API in user32.dll. It is 7E46CA7E. Figure (28).

Figure (28)

(22) fill $RESULT, 0C, 90 – Starting at 7E46CA7E in figure (28), overwrites 12 bytes with NOP (90). NOPs are written because the BlockInput API causes keyboard and mouse events to be ignored.

Figure (29)

(23) add $RESULT, 0C – Adds 0C (hex) to 7E46CA7E.

(24) mov BlockI, $RESULT – Stores the sum, 7E46CA8A, in BlockI.

(25) gpa "GetCurrentProcessId", "kernel32.dll" – Reads the address of the GetCurrentProcessId API in kernel32.dll. It is 7C8099C0. Figure (30).


Figure (30)

(26) mov [$RESULT], 00000xxxB8 – Copy Olly's PID, as shown in Task Manager, and substitute it for xxx. Figure (31).

Figure (31)

Because the PID of OllyDbg.exe is ACC (hex), i.e. 2764 (decimal), mov [$RESULT], 00000xxxB8 becomes mov [$RESULT], 00000ACCB8. The code at 7C8099C0 is replaced with MOV EAX, ACC. Figure (32).

(27) fill $RESULT+5, 4, 90 – Overwrites 4 bytes at 7C8099C5 with NOP. Figure (32). Yoda's Protector checks the PID of OllyDbg.exe with the GetProcessId API and checks the PID of calc.exe, the child process of OllyDbg.exe, with the CreateToolhelp32Snapshot API. Because CreateToolhelp32Snapshot calls GetProcessId again when checking the PID, the PID is hard-coded as ACC. If the PIDs do not match, the program terminates.

Figure (32)

(28) gpa "IsDebuggerPresent", "kernel32.dll" – Reads the address of the IsDebuggerPresent API in kernel32.dll. It is 7C813133. Figure (33).

Figure (33)

(29) mov [$RESULT], 000000B8 – Overwrites the code at 7C813133 with MOV EAX, 0. Figure (34). MOV EAX, 0 fakes the result that no debugger is present.

(30) mov [$RESULT+4], 90909000 – Overwrites the code at 7C813138 with 4 NOPs (90). Figure (34).

(31) mov [$RESULT+8], C3 – Overwrites the code at 7C81313B with RETN (C3). Figure (34).

Figure (34)

(32) bphws BlockI, "x" – Sets a hardware breakpoint at BlockI (7E46CA8A).


(33) esto – Presses Shift+F9. (esto is used instead of run so that any exceptions can be passed over. From ODbgScript 1.74 onwards the esto command is no longer used; it was replaced by erun.) When the esto command completes, we arrive at 7E46CA8A (HW BP).

Figure (35)

(34) esto – When the esto command completes, we arrive at 7E46CA8A (HW BP).

(35) bphwc BlockI – Removes the HW BP.

(36) bprm BaseOfCode, SizeOfCode – Sets a memory breakpoint on the code section of the exe module.

(37) esto – When the esto command completes, we arrive at 7E46CA8A (HW BP).

(38) bpmc – Removes the memory breakpoint.

(39) an eip – Analyzes the code. It is fine to leave this out.

(40) cmt eip, "This is OEP - Found by rhythm (Myanmar Cracking Team)" – I do not think this needs explaining.

(41) msg "Dump and fix IAT now - Good day" – I do not think this needs explaining.

(42) ret – I do not think this needs explaining.

Figure (36)

Once you see figure (36), you can dump. I will not explain the dumping part, since it is already familiar.

gpa "GetCurrentProcessId", "kernel32.dll"
mov [$RESULT], 00000xxxB8 // mov eax, CurrentProcessID
fill $RESULT+5, 4, 90
gpa "IsDebuggerPresent", "kernel32.dll"
mov [$RESULT], 000000B8
mov [$RESULT+4], 90909000
mov [$RESULT+8], C3

Figure (37)

If you are using RAMODbg, you can leave out the code in figure (37), because when RAMODbg is used the debugger does not appear as a process in Task Manager. Moreover, anti-debuggers cannot find RAMODbg, so there is no need to patch the IsDebuggerPresent API. My advice is to use the PhantOm plugin whenever you are going to debug programs. The ODbgScript 1.78.3 commands are as follows.

General Purpose: BACKUP, CLOSE, EVAL, GSL, REFRESH, VAR

Assembly: ASM, ASMTXT, EXEC/ENDE, OPCODE, PREOP

Automation: AN, CMT, DBH, DBS, KEY, LBL, LC, LCLR, OPENDUMP, OPENTRACE, TC

Breakpoints: BC, BD, BP, BPCND, BPD, BPGOTO, BPHWC, BPHWS, BPL, BPLCND, BPMC, BPRM, BPWM, BPX, COB, COE, EOB, EOE, GBPM, GBPR, SBP, RBP

Mathematic, Binary Operands: ADD, AND, DEC, DIV, INC, MOV, MUL, NEG, NOT, OR, REV, ROL, ROR, SHL, SHR, SUB, TEST, XOR, XCHG

Jump, Call, Conditional Jumps: CALL, CMP, JA, JAE, JB, JBE, JE, JG, JGE, JMP, JNE, JNZ, JZ, RET

Log Commands: LOG, LOGBUF, WRT, WRTA

Strings: ATOI, BUF, GLBL, GSTR, GSTRW, ITOA, LEN, READSTR, SCMP, SCMPI, STR

Stepping: AI, AO, ERUN, ESTEP, ESTI, ESTO, GO, RTR, RTU, RUN, STEP, STI, STO, TI, TICND, TO, TOCND

Information: GAPI, GCI, GCMT, GMA, GMEMI, GMEXP, GMI, GMIMP, GN, GPA, GPI, GRO, REF, TICK

Memory: ALLOC, DM, DMA, DPE, FILL, FREE, GFO, LM, MEMCPY, POP, PUSH

Search: FIND, FINDCALLS, FINDCMD, FINDOP, FINDOPREV, FINDMEM, GREF, REPL

User Interface: ASK, MSG, MSGYN, PAUSE, SETOPTION

Script Parameters: HISTORY, UNICODE

The flags that can be used in ODbgScript are shown in figure (38).

!CF Carry
!PF Parity
!AF Auxiliary carry
!ZF Zero flag
!SF Sign
!TF Trap
!IF Interrupt
!DF Direction
!OF Overflow

Figure (38)

Usage is as in figure (39).

var counter
start:
cmp !ZF,0
je end
inc counter
sti
jmp start
end:
msg "Zeroflag is 0"

Figure (39)

Page 428: Cracker_Guide_2.1_

Chapter (30) – Anti-Unpacking Techniques - 428 -

Chapter (30) - Anti-Unpacking Techniques

This lesson explains in detail how developers tend to trick crackers so that their software cannot be cracked, so it will be useful for developers as well as crackers. To keep their software from being cracked, most developers pack/protect it with the help of packers/protectors. Since crackers have to unpack the packed files before cracking them, the anti-unpacking techniques that can make things difficult for crackers are presented here.

The four kinds of technique that can make unpacking difficult are:

(1) Anti-Dumping

(2) Anti-Debugging

(3) Anti-Emulating

(4) Anti-Intercepting

(1) Anti-Dumping

Dumping means saving to disk the code of the program (process) currently running in memory. The anti-dumping tricks are as follows.

(1.1) SizeOfImage

The best way to prevent dumping is to change the SizeOfImage value in the Process Environment Block (PEB). Figure (5). Changing it can prevent a debugger from attaching to the process and also hinders access to the process. It also makes the number of pages to be dumped incorrect. This technique can stop tools such as LordPE, running in default mode, from dumping.

Sample code is as follows.

mov eax, fs:[30h]               ;PEB (ProcessEnvironmentBlock)
mov eax, [eax+0ch]              ;LdrData
;get InLoadOrderModuleList
mov eax, [eax+0ch]
;New SizeOfImage
mov dword ptr [eax+20h], 1000h

Many packers currently use this technique. However, in user mode the technique is easily defeated. We can ignore the SizeOfImage value and call the VirtualQuery() function instead. VirtualQuery() returns the number of consecutive pages that share the same attributes. Since there can be no gaps between sections in memory, the page ranges can be counted by querying the first page after the end of the previous page range. If the count starts from ImageBase, it continues for as long as the MEM_IMAGE type is returned. If a page is not of type MEM_IMAGE, it did not come from the file.

(1.2) Erasing the header

Some unpackers examine the section table to obtain the information related to the image. Erasing or altering the section table in the PE header hinders obtaining that information. This can be used to hamper tools such as ProcDump, which rely on the section table to dump an image.

Sample code is as follows.

#include <windows.h>

// This function will erase the current images
// PE header from memory preventing a successful image
// if dumped
inline void ErasePEHeaderFromMemory()
{
    DWORD OldProtect = 0;

    // Get base address of module
    char *pBaseAddr = (char*)GetModuleHandle(NULL);

    // Change memory protection
    VirtualProtect(pBaseAddr, 4096, // Assume x86 page size
                   PAGE_READWRITE, &OldProtect);

    // Erase the header
    ZeroMemory(pBaseAddr, 4096);
}

This technique is used by Yoda's Crypter. As mentioned above, the VirtualQuery() function can be used to recover the image size value and to find out whether pages are executable, writable and so on. However, there is not yet a way to recover an erased section table.
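As an added example for this chapter (not code from the book), the following Python checker valid ates a dumped image against the two tricks described in (1.1) and (1.2): it parses the dump's PE header and section table, reports when the header has been zeroed, and reports when SizeOfImage no longer covers the sections. The sample images it is run on are constructed inline; the section layout is an assumption chosen to resemble the calc.exe CODEBASE/CODESIZE values seen earlier in the chapter.

```python
"""Consistency checks for a dumped PE32 image (added example, not from the book).

Flags the anti-dumping tricks of (1.1) and (1.2): a SizeOfImage that no longer
covers the section table (e.g. patched to 0x1000 in the PEB and carried into the
dump) and a PE header that has been zeroed in memory.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(image):
    """Parse the DOS/NT headers and section table of an in-memory PE32 image.

    Returns None when the header is erased or garbled (no MZ/PE signature),
    which is exactly what ErasePEHeaderFromMemory() above leaves behind.
    """
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    nt = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if nt + 24 + 64 > len(image) or struct.unpack_from("<I", image, nt)[0] != IMAGE_NT_SIGNATURE:
        return None
    num_sections = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    opt = nt + 24                                               # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        return None
    section_alignment = struct.unpack_from("<I", image, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            return None                                         # table runs past the dump
        name, vsize, va = struct.unpack_from("<8sII", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"size_of_image": size_of_image,
            "section_alignment": section_alignment,
            "sections": sections}


def check_dump(image):
    """Return a list of findings; an empty list means the headers are consistent."""
    pe = parse_pe(image)
    if pe is None:
        return ["header erased or unreadable: no usable MZ/PE header, so the "
                "section table cannot be recovered from the dump"]
    span = 0                                                    # end of the last section, aligned
    for _name, va, vsize in pe["sections"]:
        span = max(span, align_up(va + vsize, pe["section_alignment"]))
    findings = []
    if pe["size_of_image"] < span:
        findings.append("SizeOfImage 0x%X is smaller than the section span 0x%X "
                        "(possibly patched in the PEB before the dump)"
                        % (pe["size_of_image"], span))
    if len(image) < span:
        findings.append("dump holds 0x%X bytes but sections extend to 0x%X "
                        "(truncated dump)" % (len(image), span))
    return findings


def build_sample_image(size_of_image, sections):
    """Constructed minimal PE32 image (headers plus zero padding) used as test input."""
    section_alignment = 0x1000
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt_size = 224                                              # PE32 optional header
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C,
                           len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x00400000)                # ImageBase
    struct.pack_into("<I", opt, 32, section_alignment)
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)                     # SizeOfHeaders
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    image = bytes(dos) + file_hdr + bytes(opt) + table
    return image + b"\0" * max(0, size_of_image - len(image))


# Constructed layout (assumption): .text at RVA 0x1000, size 0x13000, plus .data.
SAMPLE_SECTIONS = [(".text", 0x1000, 0x13000), (".data", 0x14000, 0x2000)]


def demo():
    clean = build_sample_image(0x16000, SAMPLE_SECTIONS)
    shrunk = build_sample_image(0x1000, SAMPLE_SECTIONS)      # SizeOfImage trick (1.1)
    erased = b"\0" * 4096 + clean[4096:]                       # zeroed header (1.2)
    return {"clean": check_dump(clean),
            "shrunk": check_dump(shrunk),
            "erased": check_dump(erased)}
```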

(1.3) Nanomites

Nanomites are a more advanced technique for preventing dumping, first used in Armadillo. They replace branch instructions (Jxx instructions) with INT3 and store the information about the removed jump instructions in a carefully encrypted table. This information includes the jump's destination, the CPU flags it requires and the jump size (normally 2 bytes or 5 bytes).

A process protected with nanomites needs to be self-debugging. In Armadillo this is known as the debug blocker. The debug blocker uses an identical copy of the process, checks whether a breakpoint is a nanomite or a real debug breakpoint, and decides whether or not to take it as a jump. So when a nanomite is hit, the debuggee raises an exception and the debugger catches the exceptions. When an exception is found in the debuggee, the debugger recovers the exception address and looks it up in an address table. If the lookup matches, the nanomite type is taken from a type table. If the CPU flags match the type, it is taken as a branch. In that case the destination address is taken from the destination table and execution continues from that address. Otherwise, the size of the jump is taken from a size table so that the instruction can be skipped. To mislead crackers, Armadillo scatters INT3s all over the place, among code that debuggers cannot examine.

(1.4) Stolen bytes

Stolen bytes are opcodes cut out of the original program, which run separately from some other location in memory. Most likely the stolen bytes are code cut from near the OEP; they are mixed with unrelated junk code and run in memory before the OEP is reached. Consequently, when dumping at the OEP, the original code is not included and the program no longer works properly. Because the cut-out code is mixed with junk code, crackers are confused as to which is the original code and which is irrelevant. That is why putting the original code back into the dumped file is feasible only for skilled and experienced crackers. Jump instructions are usually placed at the start and end of the stolen bytes. Stolen bytes were first introduced in ASProtect.

push ebp
mov ebp, esp
mov ecx, 7
push 0
dec ecx
jnz short 0048E9D0

Figure (1) Stolen bytes cut from the original code, shown restored in place

db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
push 0
push 0
dec ecx
jnz short 0048E9D0

Figure (2) How it looks after the stolen bytes have been cut out

(1.5) Guard Pages

Guard pages are used to decrypt and decompress on demand. Armadillo uses them for decrypting and Shrinker uses them for decompressing. Whatever the reason, when a guard page is accessed for the first time, an EXCEPTION_GUARD_PAGE (0x80000001) exception is raised. Although this can be used in many different ways, broadly speaking it acts as a demand-paging system for ring 3 code. The technique is achieved by checking whether a page lies within a specified range and catching the EXCEPTION_GUARD_PAGE exception.

Shrinker uses this technique to decompress on demand. By decompressing only the pages that are accessed, it noticeably reduces program start-up time. Because not every page is accessed, it also reduces actual memory usage. Compared with other packers, which have to decompress the whole application, it improves the application's performance as well. Shrinker works by hooking ntdll's KiUserExceptionDispatcher() function and watching for EXCEPTION_GUARD_PAGE (0x80000001). If the exception occurs within the process's image range, Shrinker loads a single page from disk, decompresses it and lets execution continue.

Another variant of this technique is used by Armadillo, to decrypt on demand. It is called CopyMem2. However, because it is combined with nanomites, self-debugging has to be used. That is the difference from Shrinker. Rather than loading from disk at access time, Armadillo decompresses all the pages in memory at once. Armadillo uses the debugger to catch exceptions in the debuggee and watches for the EXCEPTION_GUARD_PAGE (0x80000001) exception. If the exception occurs within the process's image range, Armadillo decrypts the single page being accessed and lets execution continue. If two pages are accessed, an exception occurs on the next page when execution resumes, and Armadillo decrypts that page as well.

In the guard page technique, a guard page is used to decrypt one page at a time. This technique can be defeated by writing each page to disk one at a time. The page redirection technique, which prevents the pages from being put back in their place, avoids this weakness. All page accesses point to other locations in memory where the current pages reside. The consequence is that memory cannot be dumped with the kernel32.ReadProcessMemory() function. Nor can memory be dumped with the kernel32.WriteFile() function using the original addresses, because the redirection will not be seen. Still, there are two ways to dump the memory. The first is to find the addresses of the relocated pages. The second is to use the original addresses to copy the data in user mode, then copy it into a block allocated in memory, and finally write the data directly from that memory block.

(1.6) Imports

Knowing just the imported functions already lets one guess how a program works and how it is written, so imports are very important. To guard against this, some packers alter the import table once the addresses of the imported functions have been resolved. Altering may mean destroying the import table altogether, or pointing the imported addresses at otherwise empty buffers. This is called API redirection. Inside the buffers there is, however, a jump to the address of the real function. Normally this buffer cannot be dumped, which is why the addresses of the real functions are lost and the program crashes. (API redirection was discussed in detail in Chapter (14) – IAT and API Redirection.)


(1.7) Virtual Machine

A virtual machine is the most advanced of the anti-dumping techniques, because the code seen in memory cannot be followed directly. The import table can contain only the functions that are truly needed (LoadLibrary() and GetProcAddress()), so it leaves no clues about how the program works. Moreover, even the p-code can be encoded, and two programs with the same meaning can be encoded differently. This technique is used by VMProtect.

The p-code itself can be polymorphic: meaningless code is inserted between the real code, and the same is done for native code. This technique is used by Themida.

The p-code can contain anti-debugging routines that check for specified values at specified memory locations. This technique is used by HyperUnpackMe2.

The p-code interpreter can also be obfuscated, so that the interpretation method is not immediately apparent. This technique is used by Themida and Virtual CPU.

(2) Anti-Debugging

A debugger attaches to a process and steps through the code instruction by instruction, or places breakpoints so that execution stops at specified locations. It can also dump a process more accurately than memory dumpers. The six anti-debugging techniques are as follows.

(1) API-based anti-debugging,

(2) Exception-based anti-debugging,

(3) Direct inspection of processes and threads,

(4) Detecting whether the code has been modified,

(5) Inspecting hardware and registers,

(6) Timing-based anti-debugging.

(2.1) API-based anti-debugging

API-based anti-debugging is the simplest kind: it uses documented and undocumented Microsoft API functions to find out whether debuggers are present and what they are doing. In this lesson we will study single-line API calls such as IsDebuggerPresent() and CheckRemoteDebugger(), as well as slightly more involved techniques such as CloseHandle() and checking whether a debugger has been detached.

(2.1.1) IsDebuggerPresent (kernel32.dll)

The first anti-debugging technique is IsDebuggerPresent, a Microsoft API call. This function analyzes the PEB (Process Environment Block) of the running process and looks at the DebuggerPresent flag. The value the function returns is taken from this flag. If the return value is zero, developers conclude that no debugger is present. How IsDebuggerPresent works, using the PEB, is shown in figure (3).

if(IsDebuggerPresent()) // Win 32
{
    MessageBoxA(NULL, "Please close your debugger and restart the program",
                "Debugger Detected!", 0);
    ExitProcess(0);
}

Figure (3)

Some packers avoid IsDebuggerPresent and look at the PEB directly.

mov eax, fs:[30h]       ;PEB
;check BeingDebugged
cmp byte [eax+2], 0
jne being_debugged

Figure (4)


To get around this, the PEB's BeingDebugged flag must be set to FALSE (0). The PEB structure is as shown in figure (5).

typedef struct _PEB {
    BOOLEAN                      InheritedAddressSpace;          // 00
    BOOLEAN                      ReadImageFileExecOptions;       // 01
    BOOLEAN                      BeingDebugged;                  // 02
    BOOLEAN                      SpareBool;                      // 03
    HANDLE                       Mutant;                         // 04
    PVOID                        ImageBaseAddress;               // 08
    PPEB_LDR_DATA                LdrData;                        // 0C
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;              // 10
    PVOID                        SubSystemData;                  // 14
    PVOID                        ProcessHeap;                    // 18
    PVOID                        FastPebLock;                    // 1c
    PPEBLOCKROUTINE              FastPebLockRoutine;             // 20
    PPEBLOCKROUTINE              FastPebUnlockRoutine;           // 24
    ULONG                        EnvironmentUpdateCount;         // 28
    PPVOID                       KernelCallbackTable;            // 2c
    PVOID                        EventLogSection;                // 30
    PVOID                        EventLog;                       // 34
    PPEB_FREE_BLOCK              FreeList;                       // 38
    ULONG                        TlsExpansionCounter;            // 3c
    PVOID                        TlsBitmap;                      // 40
    ULONG                        TlsBitmapBits[0x2];             // 44
    PVOID                        ReadOnlySharedMemoryBase;       // 4c
    PVOID                        ReadOnlySharedMemoryHeap;       // 50
    PPVOID                       ReadOnlyStaticServerData;       // 54
    PVOID                        AnsiCodePageData;               // 58
    PVOID                        OemCodePageData;                // 5c
    PVOID                        UnicodeCaseTableData;           // 60
    ULONG                        NumberOfProcessors;             // 64
    ULONG                        NtGlobalFlag;                   // 68
    BYTE                         Spare2[0x4];                    // 6c
    LARGE_INTEGER                CriticalSectionTimeout;         // 70
    ULONG                        HeapSegmentReserve;             // 78
    ULONG                        HeapSegmentCommit;              // 7c
    ULONG                        HeapDeCommitTotalFreeThreshold; // 80
    ULONG                        HeapDeCommitFreeBlockThreshold; // 84
    ULONG                        NumberOfHeaps;                  // 88
    ULONG                        MaximumNumberOfHeaps;           // 8c
    PPVOID                       *ProcessHeaps;                  // 90
    PVOID                        GdiSharedHandleTable;           // 94
    PVOID                        ProcessStarterHelper;           // 98
    PVOID                        GdiDCAttributeList;             // 9c
    PVOID                        LoaderLock;                     // a0
    ULONG                        OSMajorVersion;                 // a4
    ULONG                        OSMinorVersion;                 // a8
    ULONG                        OSBuildNumber;                  // ac
    ULONG                        OSPlatformId;                   // b0
    ULONG                        ImageSubSystem;                 // b4
    ULONG                        ImageSubSystemMajorVersion;     // b8
    ULONG                        ImageSubSystemMinorVersion;     // bc
    ULONG                        ImageProcessInitRoutine;        // c0
    ULONG                        GdiHandleBuffer[0x22];          // c4
    ULONG                        PostProcessInitRoutine;         // 14c
    ULONG                        TlsExpansionBitmap;             // 150
    BYTE                         TlsExpansionBitmapBits[0x80];   // 154
    ULONG                        SessionId;                      // 1d4
} PEB, *PPEB;

Figure (5) PEB Structure
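As an added example for this chapter (not code from the book), the following Python scanner finds the PEB-based sequences statically in raw code bytes: the BeingDebugged check of figure (4) and the SizeOfImage patch from (1.1). It goes slightly beyond the figures by wildcarding the register field of the ModRM byte so that variants using a register other than EAX are also found. The opcode encodings are the standard 32-bit x86 ones, and the sample bytes are constructed for the demonstration.

```python
"""Static detection of the PEB-based tricks shown in this chapter (added example).

Signatures are lists of (value, mask) pairs: a code byte b matches a token when
(b & mask) == value, which lets the register bits of a ModRM byte be wildcarded.
Assumption: 32-bit code, contiguous instruction sequences as in the figures.
"""

EXACT = 0xFF
ANY = (0x00, 0x00)                      # matches any byte


def exact(*values):
    """Tokens that must match the given bytes exactly."""
    return [(v, EXACT) for v in values]


# mov eax, fs:[30h]  (64 A1 moffs32 form, eax only)
FS_30 = exact(0x64, 0xA1, 0x30, 0x00, 0x00, 0x00)
# mov r32, fs:[30h]  (64 8B /r form; ModRM mod=00 rm=101 -> disp32, reg wildcarded)
FS_30_ANYREG = exact(0x64, 0x8B) + [(0x05, 0xC7)] + exact(0x30, 0x00, 0x00, 0x00)
# cmp byte ptr [r32+2], 0  (80 /7 ib, mod=01 disp8; base register wildcarded,
# the rm=100 SIB encoding is accepted as a small over-match)
CMP_BEING_DEBUGGED = exact(0x80) + [(0x78, 0xF8)] + exact(0x02, 0x00)

SIGNATURES = {
    # figure (4): read the PEB and test BeingDebugged (PEB+02)
    "peb_being_debugged": FS_30 + CMP_BEING_DEBUGGED,
    "peb_being_debugged_anyreg": FS_30_ANYREG + CMP_BEING_DEBUGGED,
    # (1.1): PEB -> LdrData -> InLoadOrderModuleList, then overwrite SizeOfImage
    # (+20h) with any immediate: mov eax,[eax+0Ch]; mov eax,[eax+0Ch]; mov [eax+20h],imm32
    "peb_sizeofimage_patch": FS_30 + exact(0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x0C,
                                           0xC7, 0x40, 0x20) + [ANY] * 4,
}


def match_at(code, offset, signature):
    if offset + len(signature) > len(code):
        return False
    return all((code[offset + i] & mask) == value
               for i, (value, mask) in enumerate(signature))


def scan(code):
    """Return sorted (offset, signature_name) pairs for every hit in `code`."""
    hits = []
    for name, sig in SIGNATURES.items():
        for off in range(len(code) - len(sig) + 1):
            if match_at(code, off, sig):
                hits.append((off, name))
    return sorted(hits)


# Constructed sample: harmless prologue/epilogue bytes around the two sequences.
CLEAN = bytes.fromhex("55 8B EC 83 EC 10 33 C0 C9 C3")             # push ebp ... leave; ret
FIG4_CHECK = bytes.fromhex("64 A1 30 00 00 00 80 78 02 00 75 05")   # figure (4) + jne
SIZEOFIMAGE_PATCH = bytes.fromhex(
    "64 A1 30 00 00 00 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00")    # the (1.1) sequence
SAMPLE = CLEAN + FIG4_CHECK + CLEAN + SIZEOFIMAGE_PATCH + CLEAN
```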

A common practice when debugging is to set a breakpoint on the first instruction of IsDebuggerPresent. Some unpackers check carefully for this breakpoint.

Example code is as in figure (6).

push offset l1
call GetModuleHandleA
push offset l2
push eax
call GetProcAddress
cmp b [eax], 0cch
je being_debugged
...
l1: db "kernel32", 0
l2: db "IsDebuggerPresent", 0

Figure (6)

Some unpackers check for the opcode 64 ("FS:"), the first byte of the function. Sample code is as in figure (7).

push offset l1
call GetModuleHandleA
push offset l2
push eax
call GetProcAddress
cmp b [eax], 64h
jne being_debugged
...
l1: db "kernel32", 0
l2: db "IsDebuggerPresent", 0

Figure (7)

(2.1.2) CheckRemoteDebuggerPresent (kernel32.dll)

Like IsDebuggerPresent, it checks the PEB of the current process for the BeingDebugged flag. This API is for checking whether other processes are being debugged, and it can also check whether one's own process is being debugged. CheckRemoteDebuggerPresent calls NtQueryInformationProcess in ntdll.dll with the ProcessInformationClass value 7 (ProcessDebugPort). The API takes two parameters: one is the handle of the process in question, and the other is the returned value indicating whether the process is attached to a debugger. Using this API requires at least Windows XP SP1. Sample code is as in figure (8).

.386
.model flat, stdcall
option casemap :none            ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle    db "Debugger status:",0h
DbgNotFoundText  db "Debugger not found!",0h
DbgFoundText     db "Debugger found!",0h
krnl             db "kernel32.dll",0h
chkrdbg          db "CheckRemoteDebuggerPresent",0h

.data?
IsItPresent dd ?

.code
start:
    PUSH offset krnl            ; kernel32.dll
    CALL LoadLibrary
    PUSH offset chkrdbg         ; CheckRemoteDebuggerPresent
    PUSH EAX
    CALL GetProcAddress
    ; IsItPresent variable will store the result
    PUSH offset IsItPresent
    PUSH -1
    CALL EAX
    MOV EAX, DWORD PTR [IsItPresent]
    TEST EAX, EAX
    JNE @DebuggerDetected
    PUSH 40h
    PUSH offset DbgNotFoundTitle
    PUSH offset DbgNotFoundText
    PUSH 0
    CALL MessageBox
    JMP @exit
@DebuggerDetected:
    PUSH 30h
    PUSH offset DbgFoundTitle
    PUSH offset DbgFoundText
    PUSH 0
    CALL MessageBox
@exit:
    PUSH 0
    CALL ExitProcess
end start

yHk(8)

tcsdKU packer awGuawmh kernel32.CheckRemoteDebuggerPresent() function udktoHk;rjyKbJ ntdll.NtQueryInformationProcess() function udkom wdkuf&dkuftoHk;jyKMuygw,f/

(2.1.3) NtQueryInformationProcess (ntdll.dll)

Microsoft [m Ntxxx API awGudk b,fvdktoHk;jyK&rvJqdkwm jynfhpHkpGm azmfjyay;avh r&Sdygbl;/ NtQueryInformationProcess()udk aemufydkif;xGuf&Sdr,fh Windows awGrSm toHk;rjyKEdkifawmhwmjzpfEdkifovdk function &JUvkyfaqmifcsufawGvJ ajymif;vJaumif;ajymif;vJygvdrfhr,fvdkU MSDN 2008 rSmrSwfcsufay;xm; ygw,f/ 'D function [m process wpfckeJUywfoufwJhtcsuftvufawGudk pHkprf;ygw,f/ olU&JU prototype uawmh yHk(9)twdkif; jzpfygw,f/

NTSTATUS WINAPI NtQueryInformationProcess( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength );

yHk(9)

'D function rSmawmh parameter 5ckyg0ifayr,fh uRefawmfwdkUuawmh yxrESpfckudkom pdwf0ifpm;yg w,f/ yxr parameter uawmh process &JU handle udkpHkprf;zdkUjzpfjyD; olUwefzdk;[m -1 jzpfcJh&if vuf&Sdtvkyf vkyfaewJh process udktoHk;jyKzdkU function udkajymwmjzpfygw,f/ 'kwd, parameter uawmh Process InformationClass eJUywfoufygw,f/ MSDN u ProcessInformationClass eJUywfoufjyD; 4ckom azmfjy ay;ygw,f/ 'D4ckuawmh ProcessBasicInformation (0)? ProcessDebugPort (7)? ProcessWow64 Information(26) eJU ProcessImageFileName (27) wdkUjzpfygw,f/ wu,fawmh Windows XP rSm class 38ck&SdjyD; Windows Vista rSmawmh class 45ck&Sdygw,f/

NtQueryInformationProcess() [m ntdll.dll xJrSm&Sdayr,fh export vkyfvdkU&wJh function r[kwf ygbl;/ 'gaMumifh module (.exe) wpfckudk rSwfOmPfay:ul;wifcsdefrSm 'D function udkoHk;vdkUr&ygbl;/ y&dk*&rf tvkyfvkyfaepOfrSmyJ 'D function udk toHk;jyKvdkU&rSmjzpfygw,f/ 'gudk run-time dynamic link vkyfw,fvdkU ac:ygw,f/ qdkvdkwmu dll zdkifxJu function awGudk function pointer awGtjzpft&ifae&mcsxm;jyD;rS ac:oHk;wmjzpfygw,f/ NtQueryInformationProcess() udktoHk;jyKzdkU yxrqHk;taeeJU LoadLibrary() udk oHk;jyD; ntdll.dll zdkifudk ul;wif&ygr,f/ jyD;awmh uRefawmfwdkUoHk;r,fh function &JU pointer udk GetProc Address() oHk;jyD;&,l&ygr,f/

wu,fvdkU ProcessInformationClass rSm ProcessDebugPort (7) udkxnfhjyD;toHk;jyKr,fqdk&if debug vkyf&mrSmtoHk;jyKxm;wJh port eHygwfudk return jyefydkUrSmjzpfygw,f/ Debugger udktoHk;rjyKxm; &ifawmh okntaeeJU return jyefrSmjzpfygw,f/ yHk(10)/

HMODULE hmod; FARPROC _NtQueryInformationProcess; hmod = LoadLibrary("ntdll.dll"); _NtQueryInformationProcess = GetProcAddress(hmod, "NtQueryInformationProcess"); status = (_NtQueryInformationProcess) (-1, 0x07, &retVal, 4, NULL); if (retVal != 0) { MessageBoxA(NULL, "Debugger Detected Via NtQueryInformationProcess ProcessDebugPort", "Debugger Detected", MB_OK); } else { MessageBoxA(NULL, "No Debugger Detected", "No Debugger Detected", MB_OK); }

Figure (10)

Page 435: Cracker_Guide_2.1_

Chapter (30) – Anti-Unpacking Techniques - 435 -

Another one is the ProcessDebugFlags (0x1F) flag of NtQueryInformationProcess(), which Microsoft has not officially documented. When NtQueryInformationProcess() is called with ProcessDebugFlags, what comes back is NoDebugInherit, which is the inverse of the value held in EPROCESS. That is, if a debugger is present, the function returns FALSE (0).

The sample code is shown in Figure (11).

#include <windows.h>

inline bool CheckProcessDebugFlags()
{
    #define NTSTATUS ULONG
    typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, UINT, PVOID, ULONG, PULONG);
    DWORD NoDebugInherit = 0;
    NTSTATUS Status;

    // Get NtQueryInformationProcess
    pNtQueryInformationProcess NtQIP = (pNtQueryInformationProcess)
        GetProcAddress(GetModuleHandle(_TEXT("ntdll.dll")), "NtQueryInformationProcess");
    if (NtQIP == NULL)
        return false;

    Status = NtQIP(GetCurrentProcess(),
                   0x1f,              // ProcessDebugFlags
                   &NoDebugInherit, 4, NULL);
    if (Status != 0x00000000)
        return false;

    // NoDebugInherit is the inverse of the EPROCESS flag: FALSE means a debugger is attached
    if (NoDebugInherit == FALSE)
        return true;
    else
        return false;
}

Figure (11)

The next one is not officially documented by Microsoft either: the ProcessDebugObjectHandle class. It concerns the debug object, which was introduced in Windows XP. When a session is started on a process, a debug object is created and a handle comes along with it. Using the ProcessDebugObjectHandle class, the value of this handle can be queried. The sample code is shown in Figure (12).

#include <windows.h>

inline bool DebugObjectCheck()
{
    #define NTSTATUS ULONG
    typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, UINT, PVOID, ULONG, PULONG);
    HANDLE hDebugObject = NULL;
    NTSTATUS Status;

    // Get NtQueryInformationProcess
    pNtQueryInformationProcess NtQIP = (pNtQueryInformationProcess)
        GetProcAddress(GetModuleHandle(_TEXT("ntdll.dll")), "NtQueryInformationProcess");
    if (NtQIP == NULL)
        return false;

    Status = NtQIP(GetCurrentProcess(),
                   0x1e,              // ProcessDebugObjectHandle
                   &hDebugObject, 4, NULL);
    // Without a debugger the call fails (no debug object exists), so there is nothing to detect
    if (Status != 0x00000000)
        return false;

    // A non-NULL debug object handle means the process is being debugged
    return hDebugObject != NULL;
}

Figure (12)

The most notable user of ProcessDebugPort is MSLRH. ProcessDebugFlags is used by HyperUnpackMe2, and ProcessDebugObjectHandle is also used by HyperUnpackMe2.

These are genuinely good anti-debugging techniques, and crackers cannot get past them easily. Still, while tracing the program, the ProcessInformation output can be modified at the moment ZwQueryInformationProcess() returns. Another way is to use a system driver that hooks ZwQueryInformationProcess(). If crackers manage to bypass NtQueryInformationProcess(), quite a few other anti-debugging techniques are bypassed along with it (for example CheckRemoteDebuggerPresent() and UnhandledExceptionFilter()).

(2.1.4) NtQuerySystemInformation (ntdll.dll)


Microsoft has not published complete information about NtQuerySystemInformation() either. Its prototype is shown in Figure (13).

NTSTATUS WINAPI NtQuerySystemInformation(
    __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __in_out   PVOID SystemInformation,
    __in       ULONG SystemInformationLength,
    __out_opt  PULONG ReturnLength
);

Figure (13)

What interests us here is the SystemInformationClass. Windows XP has 72 classes and Windows Vista has 106, but Microsoft documents only 9 of them, and does not even document the SystemKernelDebuggerInformation class, which has existed since Windows NT.

The SystemKernelDebuggerInformation class returns the values of two flags: KdDebuggerEnabled, which lands in AL, and KdDebuggerNotPresent, which lands in AH. So if a debugger is present, the value returned in AH will be FALSE. The sample code is shown in Figure (14).

push eax
mov eax, esp
push 0
push 2                      ; SystemInformationLength
push eax
push 23h                    ; SystemKernelDebuggerInformation
call NtQuerySystemInformation
pop eax
test ah, ah                 ; AH = KdDebuggerNotPresent
je being_debugged

Figure (14)

This technique is used by SafeDisc.

(2.1.5) NtQueryObject (ntdll.dll)

The NtQueryObject() function is not documented at all in MSDN 2008. Its prototype is shown in Figure (15).

NTSTATUS NTAPI NtQueryObject(
    __in   HANDLE ObjectHandle,
    __in   OBJECT_INFORMATION_CLASS ObjectInformationClass,
    __out  PVOID ObjectInformation,
    __in   ULONG Length,
    __out  PULONG ResultLength
);

Figure (15)

What we need to know here is the ObjectTypeInformation structure of the ObjectInformationClass. Figure (16).

typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfHandles;
    ULONG TotalNumberOfObjects;
    WCHAR Unused1[8];
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    WCHAR Unused2[8];
    ACCESS_MASK InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK ValidAttributes;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    USHORT MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

Figure (16) OBJECT_TYPE_INFORMATION structure (Windows NT only)

As mentioned above, on Windows XP a handle carrying a debug object is created when a debugging session begins. It is therefore possible to query the list of existing objects and check how many debug objects exist. This API is used on the Windows NT platforms, and on Windows XP and later the ability to return a debug object in that list was added. If a debugger is present, the return value will be non-zero. The sample code is shown in Figure (17).

#include <windows.h>
#include <winternl.h>   // UNICODE_STRING

typedef struct _OBJECT_TYPE_INFORMATION
{
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfHandles;
    ULONG TotalNumberOfObjects;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

// Header of the ObjectAllTypesInformation buffer (used but not declared in the original figure)
typedef struct _OBJECT_ALL_INFORMATION
{
    ULONG NumberOfObjects;
    OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;

inline bool ObjectListCheck()
{
    #define NTSTATUS ULONG
    typedef NTSTATUS (NTAPI *pNtQueryObject)(HANDLE, UINT, PVOID, ULONG, PULONG);
    POBJECT_ALL_INFORMATION pObjectAllInfo = NULL;
    void *pMemory = NULL;
    NTSTATUS Status;
    unsigned long Size = 0;

    // Get NtQueryObject
    pNtQueryObject NtQO = (pNtQueryObject)GetProcAddress(GetModuleHandle(_TEXT("ntdll.dll")), "NtQueryObject");
    if (NtQO == NULL)
        return false;

    // Get the size of the list
    Status = NtQO(NULL, 3,    // ObjectAllTypesInformation
                  &Size, 4, &Size);

    // Allocate room for the list
    pMemory = VirtualAlloc(NULL, Size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (pMemory == NULL)
        return false;

    // Now we can actually retrieve the list
    Status = NtQO((HANDLE)-1, 3, pMemory, Size, NULL);
    if (Status != 0x00000000)    // Status != STATUS_SUCCESS
    {
        VirtualFree(pMemory, 0, MEM_RELEASE);
        return false;
    }

    // We have the information we need
    pObjectAllInfo = (POBJECT_ALL_INFORMATION)pMemory;
    unsigned char *pObjInfoLocation = (unsigned char *)pObjectAllInfo->ObjectTypeInformation;
    ULONG NumObjects = pObjectAllInfo->NumberOfObjects;

    for (UINT i = 0; i < NumObjects; i++)
    {
        POBJECT_TYPE_INFORMATION pObjectTypeInfo = (POBJECT_TYPE_INFORMATION)pObjInfoLocation;

        // The debug object will always be present
        if (wcscmp(L"DebugObject", pObjectTypeInfo->TypeName.Buffer) == 0)
        {
            // Are there any objects?
            if (pObjectTypeInfo->TotalNumberOfObjects > 0)
            {
                VirtualFree(pMemory, 0, MEM_RELEASE);
                return true;
            }
            else
            {
                VirtualFree(pMemory, 0, MEM_RELEASE);
                return false;
            }
        }

        // Get the address of the current entry's string so we can find the end
        pObjInfoLocation = (unsigned char *)pObjectTypeInfo->TypeName.Buffer;
        // Add the size
        pObjInfoLocation += pObjectTypeInfo->TypeName.Length;
        // Skip the trailing null and alignment bytes (32-bit build: entries are 4-byte aligned)
        ULONG tmp = ((ULONG)pObjInfoLocation) & -4;
        // Not pretty but it works
        pObjInfoLocation = ((unsigned char *)tmp) + sizeof(unsigned long);
    } // end of for loop

    VirtualFree(pMemory, 0, MEM_RELEASE);
    return true;
}

Figure (17)
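The walk in Figure (17), modelled in Python as an added example (not code from the Cracker Guide): it builds a constructed ObjectAllTypesInformation buffer and steps through it exactly as the C loop does, following TypeName.Buffer rather than any declared struct size. The 0x60 fixed-part size, the 0x00400000 base address and the 32-bit 4-byte alignment are assumptions.

```python
import struct
from typing import List, Optional, Tuple

BASE_ADDR = 0x00400000   # assumed linear address of the buffer in a 32-bit process
FIXED_PART = 0x60        # assumed sizeof(OBJECT_TYPE_INFORMATION) on x86; the walker never uses it


def build_type_list(entries: List[Tuple[str, int, int]]) -> bytes:
    """Constructed ObjectAllTypesInformation buffer (sample data, not a real dump):
    ULONG NumberOfObjects, then per type a FIXED_PART-byte record that starts with
    UNICODE_STRING TypeName {Length, MaximumLength, Buffer}, TotalNumberOfHandles and
    TotalNumberOfObjects, followed by the UTF-16LE name, a NUL and 4-byte alignment."""
    out = bytearray(struct.pack("<I", len(entries)))
    for name, handles, objects in entries:
        raw = name.encode("utf-16-le")
        name_addr = BASE_ADDR + len(out) + FIXED_PART    # Buffer is an absolute pointer
        head = struct.pack("<HHIII", len(raw), len(raw) + 2, name_addr, handles, objects)
        out += head.ljust(FIXED_PART, b"\0")
        out += raw + b"\0\0"
        while (BASE_ADDR + len(out)) % 4:
            out += b"\0"
    return bytes(out)


def debug_object_count(buf: bytes) -> Optional[int]:
    """Figure (17)'s loop: TotalNumberOfObjects of the 'DebugObject' type, or None if absent."""
    count, = struct.unpack_from("<I", buf, 0)
    loc = BASE_ADDR + 4                       # pObjInfoLocation = &ObjectTypeInformation[0]
    for _ in range(count):
        length, _maxlen, buffer_ptr, _handles, objects = struct.unpack_from(
            "<HHIII", buf, loc - BASE_ADDR)
        start = buffer_ptr - BASE_ADDR
        if buf[start:start + length].decode("utf-16-le") == "DebugObject":
            return objects
        loc = buffer_ptr + length             # end of the name, whatever the fixed part's size
        loc = (loc & -4) + 4                  # skip the trailing NUL plus alignment (x86: 4 bytes)
    return None


# Constructed sample: a few object types, with one live DebugObject
SAMPLE = build_type_list([("Type", 1, 1), ("Process", 40, 30),
                          ("DebugObject", 1, 1), ("Thread", 500, 400)])

if __name__ == "__main__":
    print(debug_object_count(SAMPLE))
```

On a 64-bit process the same walk would need 8-byte alignment, which is why the C code's `& -4` trick is tied to 32-bit builds.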

(2.1.6) NtSetInformationThread (ntdll.dll)

Introduced in Windows 2000, it is a wrapper for ZwQueryInformationProcess(). The function's prototype is shown in Figure (18).

NTSTATUS NTAPI NtSetInformationThread(
    IN HANDLE ThreadHandle,
    IN THREAD_INFORMATION_CLASS ThreadInformationClass,
    IN PVOID ThreadInformation,
    IN ULONG ThreadInformationLength
);

Figure (18)

What interests us here are the first and second parameters: the thread handle and the ThreadInformationClass. ThreadInformationClass is expanded in Figure (19).

typedef enum _THREAD_INFORMATION_CLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger
} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;

Figure (19)

If you set the ThreadInformationClass value to 0x11 (ThreadHideFromDebugger), the debugger no longer receives any events related to that thread, so it can no longer continue debugging the running process. The sample code is shown in Figure (20).

#include <windows.h>

inline bool HideThread(HANDLE hThread)
{
    #define NTSTATUS ULONG
    typedef NTSTATUS (NTAPI *pNtSetInformationThread)(HANDLE, UINT, PVOID, ULONG);
    NTSTATUS Status;

    // Get NtSetInformationThread
    pNtSetInformationThread NtSIT = (pNtSetInformationThread)
        GetProcAddress(GetModuleHandle(_TEXT("ntdll.dll")), "NtSetInformationThread");

    // Shouldn't fail
    if (NtSIT == NULL)
        return false;

    // Set the thread info
    if (hThread == NULL)
        Status = NtSIT(GetCurrentThread(),
                       0x11,          // HideThreadFromDebugger
                       0, 0);
    else
        Status = NtSIT(hThread, 0x11, 0, 0);

    if (Status != 0x00000000)
        return false;
    else
        return true;
}

Figure (20)

When calling the function, pass NULL in place of hThread. The most notable user of this technique is HyperUnpackMe2.

(2.1.7) OpenProcess (kernel32.dll)

This debugger-detection method uses process privileges to find out whether a process is running under a debugger. It works because, when a process is attached to or running under a debugger, the process inherits SeDebugPrivilege unless the debugger sets the process privileges correctly, and SeDebugPrivilege lets the process open a handle to any process whatsoever. That even includes critical system processes such as csrss.exe (Client/Server Runtime Subsystem), which we normally cannot obtain a handle to. The related sample code is shown in Figure (21).

#include <windows.h>

// The function will attempt to open csrss.exe with PROCESS_ALL_ACCESS rights.
// If it fails we're not being debugged however, if its successful we probably are
inline bool CanOpenCsrss()
{
    // CsrGetProcessId() is an undocumented ntdll.dll export (Windows XP and later)
    typedef DWORD (NTAPI *pCsrGetProcessId)(void);
    pCsrGetProcessId CsrGetProcessId = (pCsrGetProcessId)
        GetProcAddress(GetModuleHandle(_TEXT("ntdll.dll")), "CsrGetProcessId");
    if (CsrGetProcessId == NULL)
        return false;

    HANDLE Csrss = 0;
    BOOL InheritHandle = FALSE;

    // If we're being debugged and the process has SeDebugPrivileges privileges
    // then this call will be successful, note that this only works with PROCESS_ALL_ACCESS.
    Csrss = OpenProcess(0x1F0FFF, InheritHandle, CsrGetProcessId());   // 0x1F0FFF = PROCESS_ALL_ACCESS

    // If the function fails, the return value is NULL.
    if (Csrss != NULL)
    {
        CloseHandle(Csrss);
        return true;
    }
    else
        return false;
}

Figure (21)

When a process holds SeDebugPrivilege, it gains the right to fully control csrss.exe even though csrss.exe is a system process; SeDebugPrivilege removes the restrictions that normally apply to this process. Moreover, the privilege even extends to child processes created by the debugger. The consequence is that if a debugged application can obtain the PID of csrss.exe, it can take control of processes through the OpenProcess() function. The PID can be obtained with CreateToolhelp32Snapshot() and Process32Next(), or with NtQuerySystemInformation(SystemProcessInformation (5)). Windows XP introduced the CsrGetProcessId() function for this, which makes it even easier. If a process is being debugged, SeDebugPrivilege will be enabled, as seen in Figure (22).

Figure (22) Viewing in Process Explorer whether a process is being debugged

This technique opens the way to making csrss.exe perform wrong operations and causing a denial of service: one way is to create a thread at an impossible memory address, another is to create a thread that runs an endless loop. OllyDbg and WinDbg need the debug privilege to debug a process, but Turbo Debug does not. Sadly, if Olly's PhantOm plugin is used, the SeDebugPrivilege flag is disabled. (Good news for crackers, of course.)

(2.1.8) OutputDebugString (kernel32.dll)

OutputDebugString() was introduced in Windows 2000 and differs slightly from the other anti-debug functions. It can be found in files packed with ReCrypt. If our process is not running under a debugger, an error code is returned; the error arises because a debugger is needed to receive the string from the process. Figure (23).

#include <windows.h>

DWORD Val = 666;
SetLastError(Val);
OutputDebugStringA("String");
if (GetLastError() == Val)   // last error untouched: the string was delivered to a debugger
{
    MessageBoxA(NULL, "Debugger Detected Via OutputDebugString", "Debugger Detected", MB_OK);
}
else
{
    MessageBoxA(NULL, "No Debugger Detected", "No Debugger Detected", MB_OK);
}

Figure (23)

If a debugger is detected, the value returned by GetLastError() will be 0.

(2.1.9) FindWindow

Detection with FindWindow does not check whether the process is attached to a debugger; instead, it retrieves the handle of the top-level window whose class name matches a given string. The window classes of most debuggers can be checked with FindWindow. To detect WinDbg, call FindWindow with the WinDbgFrameClass class. If the return value is NULL, the window was not found. Figure (24).

#include <windows.h>

// Determine if a window with the class name exists...
HWND Hnd;
Hnd = FindWindowA("OLLYDBG", 0);
if (Hnd == NULL)
{
    MessageBoxA(NULL, "OllyDbg Not Detected", "Not Detected", MB_OK);
}
else
{
    MessageBoxA(NULL, "Ollydbg Detected Via OllyDbg FindWindow()", "OllyDbg Detected", MB_OK);
}

Figure (24)

(2.1.10) Registry Key

This registry-based method does not check whether a debugger is attached to the process or whether a debugger is running at all. Instead, it checks whether a debugger is installed. That is, if Olly has been set up as a shell extension in your OS for debugging software, the registry will contain the entries in Figure (25), and you look for those strings with RegQueryValue().

HKEY_CLASSES_ROOT\dllfile\shell\Open with Olly&Dbg\command
HKEY_CLASSES_ROOT\exefile\shell\Open with Olly&Dbg\command

Figure (25)

In addition, you can check for a debugger by searching the registry for strings such as vsjitdebugger.exe or ollydbg.exe.

(2.1.11) Self-debugging with DebugActiveProcess (kernel32.dll)

This little technique takes advantage of the limitation that a process can only run under one debugger at a time: while one debugger has a process open, another debugger cannot attach to it. For this to succeed, the process must first create a child process. The child process reads the parent process's PID (by whatever means) and debugs it with DebugActiveProcess(). CreateProcess() is used to create the child. The child tests whether it can debug the parent with DebugActiveProcess(); if it cannot, it knows the parent is already open in some debugger and terminates the program. Figure (26).

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

extern LPCWSTR path;                 // path of the executable to launch as the child (set elsewhere)

DWORD pid;
wchar_t pid_str[8];
wchar_t szCmdline[64] = L"";         // command line handed to the child; the PID is appended to it
BOOL success;
STARTUPINFOW si;
PROCESS_INFORMATION pi;

pid = GetCurrentProcessId();
_itow_s((int)pid, pid_str, 8, 10);   // Converts an integer to a string.
wcsncat_s(szCmdline, 64, pid_str, 4);
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
success = CreateProcessW(path, szCmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
success = DebugActiveProcess(pid);
if (success == 0)
{
    printf("Error Code: %d\n", GetLastError());
    MessageBoxA(NULL, "Debugger Detected - Unable to Attach", "Debugger Detected", MB_OK);
}
if (success == 1)
    MessageBoxA(NULL, "No Debugger Detected", "No Debugger", MB_OK);

Figure (26)

(2.1.12) NtYieldExecution (ntdll.dll)

NtYieldExecution stops the current thread from continuing with the rest of its execution and lets other scheduled threads execute. If there are no threads scheduled to execute, the function returns an error. While an application is being debugged, stepping through the code line by line generates debug events; as a result, the debugger's thread is always scheduled to continue execution. Although this can be used to infer whether a high-priority thread is running, it can also be used to infer whether a debugger is present. The sample code is shown in Figure (27).

push 20h
pop ebp                     ; 32 iterations
l1: push 0fh
call Sleep
call NtYieldExecution
cmp al, 1                   ; carry set only when the yield was performed (status 0)
adc ebx, ebx                ; shift the carry into ebx
dec ebp
jne l1
inc ebx                     ; ebx was -1: every yield was performed
je being_debugged

Figure (27)

This technique is used by Extreme Debugger Detector.

(2.1.13) NtSetLdtEntries (ntdll.dll)

Because Windows does not use the LDT (local descriptor table), it is completely unusable for debuggers as well. It can therefore be used as a very simple anti-debugger technique. Specifically, a new LDT entry that maps some code can be created; then, by making a call or jump to the new LDT entry, the debugger is left struggling to follow into those locations. The sample code is shown in Figure (28).

;base must be <= PE->ImageBase
;but no need for 64kb align
base equ 12345678h
;sel must have bit 2 set
;CPU will set bits 0 and 1
;even if we don't do it
sel equ 777h
xor eax, eax
push eax
push eax
push eax
;4k granular, 32-bit
;present, DPL3, exec-only code
;limit must not touch kernel mem
;calculate carefully to use APIs
push (base and 0ff000000h) \
     + 0c1f800h \
     + ((base shr 10h) and 0ffh)
push (base shl 10h) + 0ffffh
push sel
call NtSetLdtEntries
;jmp far sel:l1
db 0eah
dd offset l1 - base
dw sel
l1: ;execution continues here
    ;but using LDT selector
...

Figure (28)

Turbo Debug32 cannot disassemble code in the LDT region, although execution proceeds perfectly well. OllyDbg likewise refuses to continue execution inside the LDT region. Only WinDbg disassembles the code in the LDT correctly. Some malware uses this technique. It may be based on some inaccurate documentation from ReactOS (http://www.reactos.org/), which places the system bits inside the Type field together with much else.
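As an added example (not part of the Cracker Guide), the descriptor that Figure (28) pushes to NtSetLdtEntries, built the same way the assembly computes it and then decoded field by field using the x86 32-bit segment-descriptor layout; the helper names and the 2 GB user/kernel split check are assumptions.

```python
import struct

MASK32 = 0xFFFFFFFF


def figure28_descriptor(base: int) -> tuple:
    """Return (low, high) dwords exactly as 'push (base shl 10h) + 0ffffh' and
    'push (base and 0ff000000h) + 0c1f800h + ((base shr 10h) and 0ffh)' compute them;
    the assembler truncates intermediate values to 32 bits."""
    low = ((base << 0x10) & MASK32) + 0xFFFF
    high = (base & 0xFF000000) + 0xC1F800 + ((base >> 0x10) & 0xFF)
    return low & MASK32, high & MASK32


def decode_descriptor(low: int, high: int) -> dict:
    """Split a 32-bit segment descriptor into its fields (standard x86 layout)."""
    base = (low >> 16) | ((high & 0xFF) << 16) | (high & 0xFF000000)
    limit = (low & 0xFFFF) | (high & 0x000F0000)   # 20-bit raw limit
    gran = (high >> 23) & 1                         # G: limit counted in 4 KB pages
    typ = (high >> 8) & 0xF
    d = {
        "base": base,
        "limit_bytes": ((limit << 12) | 0xFFF) if gran else limit,
        "granular_4k": bool(gran),
        "default_32bit": bool((high >> 22) & 1),    # D/B
        "long_mode": bool((high >> 21) & 1),        # L
        "present": bool((high >> 15) & 1),          # P
        "dpl": (high >> 13) & 3,
        "code_or_data": bool((high >> 12) & 1),     # S: 1 = code/data, 0 = system descriptor
        "type": typ,
    }
    if d["code_or_data"] and typ & 0x8:             # bit 11 set -> code segment
        d["kind"] = "code"
        d["readable"] = bool(typ & 0x2)             # clear = execute-only
        d["conforming"] = bool(typ & 0x4)
    elif d["code_or_data"]:
        d["kind"] = "data"
        d["writable"] = bool(typ & 0x2)
    else:
        d["kind"] = "system"
    return d


def decode_selector(sel: int) -> dict:
    """Index / table indicator / RPL of a selector such as 'sel equ 777h'."""
    return {"index": sel >> 3, "ldt": bool((sel >> 2) & 1), "rpl": sel & 3}


def stays_in_user_space(desc: dict) -> bool:
    """The asm comment 'limit must not touch kernel mem': the last addressable byte must
    lie below the user/kernel split (assumes the default 2 GB split of 32-bit Windows)."""
    return desc["base"] + desc["limit_bytes"] < 0x80000000


def describe(base: int = 0x12345678, sel: int = 0x777) -> dict:
    low, high = figure28_descriptor(base)
    desc = decode_descriptor(low, high)
    desc["raw"] = struct.pack("<II", low, high)     # the 8-byte LDT entry as pushed on the stack
    desc["selector"] = decode_selector(sel)
    desc["user_space_only"] = stays_in_user_space(desc)
    return desc


if __name__ == "__main__":
    for key, value in describe().items():
        print(f"{key:>16}: {value!r}")
```

The decoded fields show what 0C1F800h encodes: a present, DPL 3, 32-bit, 4 KB-granular, execute-only code segment spanning 512 MB from the chosen base, and 777h selects LDT slot 238 at RPL 3.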

(2.1.14) CloseHandle (kernel32.dll)

If an invalid handle is passed to kernel32.dll's CloseHandle() function (or directly to ntdll.dll's NtClose()), an error code is returned when no debugger is present. If a debugger is present, you will see EXCEPTION_INVALID_HANDLE (0xC0000008) or EXCEPTION_HANDLE_NOT_CLOSABLE (0xC0000235) instead. This exception can be caught with an exception handler, and it indicates that a debugger is running. The sample code is shown in Figure (29).

xor eax, eax
push offset being_debugged
push dword ptr fs:[eax]
mov fs:[eax], esp           ; register the SEH frame
push eax
push eax
push 3                      ; OPEN_EXISTING
push eax
push eax
push 80000000h              ; GENERIC_READ
push offset l1
call CreateFileA
push 2                      ; dwFlags = HANDLE_FLAG_PROTECT_FROM_CLOSE
push 2                      ; dwMask  = HANDLE_FLAG_PROTECT_FROM_CLOSE
push eax                    ; hObject = the file handle
xchg ebx, eax               ; keep the handle in ebx
call SetHandleInformation
push ebx
call CloseHandle            ; closing a protected handle raises an exception under a debugger
...
l1: db "myfile", 0

Figure (29)

Solving this problem is very easy on Windows XP: to hide the exception, the debugger registers a first-handler Vectored Exception Handler. There is, admittedly, a problem with hooking kernel32.dll's AddVectoredExceptionHandler() function, namely preventing another handler from being registered as the first handler. Even so, it is still easier than hooking the NtClose() function, which requires registering an SEH to hide the exception.


(2.1.15) NtSystemDebugControl (ntdll.dll)

The NtSystemDebugControl() function is quite a good one for detecting debuggers. It was introduced in Windows NT, and its capabilities grew considerably in later versions of Windows. It has a SysDbgQueryModuleInformation command, which differs from the SystemProcessInformation class of NtQuerySystemInformation(). Windows XP introduced the SysDbgReadVirtual command, which can read virtual memory anywhere in the system. There are other commands that can read and write physical memory and MSRs, and write virtual memory. From Windows 2003 SP1 onward, all of these functions are blocked.

(2.1.16) ReadFile (kernel32.dll)

kernel32.dll's ReadFile() function can be used as a means of self-modification by reading file contents over the code stream. This is an effective way of removing the software breakpoints that debuggers place. The technique was first discussed by Peter Ferrie in 1999 and publicly disclosed by Piotr Bania in 2007. The sample code is shown in Figure (30).

xor ebx, ebx
mov ebp, offset l2
push 104h                   ; MAX_PATH
push ebp
push ebx                    ; self filename
call GetModuleFileNameA
push ebx
push ebx
push 3                      ; OPEN_EXISTING
push ebx
push 1                      ; FILE_SHARE_READ
push 80000000h              ; GENERIC_READ
push ebp
call CreateFileA
push ebx
push esp                    ; more bytes might be more useful
push 1
push offset l1
push eax
call ReadFile
                            ; replaced by "M"
                            ; from the MZ header
l1: int 3
...
l2: db 104h dup (?)         ; MAX_PATH

Figure (30)

To solve this problem, use hardware breakpoints rather than software breakpoints after API calls.

(2.1.17) WriteProcessMemory (kernel32.dll)

This technique is a slight variation of the ReadFile() technique, but the data to be written must already exist in the process's memory. The sample code is shown in Figure (31).

push 0                      ; lpNumberOfBytesWritten (optional; missing in the original listing)
push 1                      ; nSize
push offset l1              ; lpBuffer: the NOP byte
push offset l2              ; lpBaseAddress: overwrites the INT 3
push -1                     ; GetCurrentProcess()
call WriteProcessMemory
l1: nop
l2: int 3

Figure (31)

This technique is used by NsAnti. To solve this problem, use hardware breakpoints rather than software breakpoints after API calls.


(2.1.18) UnhandledExceptionFilter (kernel32.dll)

When an exception occurs, if no SEH or VEH is registered, or the registered handlers cannot handle the exception, the UnhandledExceptionFilter() function is called as the last resort. That is, if an exception reaches the unhandled exception filter while the process is being debugged, the registered top-level exception filter is not called. The SetUnhandledExceptionFilter() function sets the top-level exception filter; some packers set the exception filter themselves through _BasepCurrentTopLevelFilter(). UnhandledExceptionFilter() calls NtQueryInformationProcess() with the ProcessDebugPort class to decide whether a debugger is present. The sample code is shown in Figure (32).

push @not_debugged
call SetUnhandledExceptionFilter
xor eax, eax
mov eax, dword [eax]        ; trigger exception
                            ; program terminated if debugged
; ...
@not_debugged:
                            ; process the exception
                            ; continue the execution

Figure (32)

To solve this problem, modify the return value of NtQueryInformationProcess().

(2.1.19) BlockInput (user32.dll)

This is a function that stops crackers from using a debugger. It can block mouse and keyboard events from reaching applications, and only this same function can unblock them again. The technique is used by Yoda's Protector. (Yoda's Protector was discussed in detail in the 'Olly Debug Script' chapter.)

BlockInput(TRUE);

For this problem, it is enough to set a RETN at BlockInput(). Otherwise, pressing Ctrl + Alt + Del unblocks the input.

(2.1.20) SuspendThread (kernel32.dll)

The SuspendThread() function is a very effective way to disable user-mode debuggers such as OllyDbg and Turbo Debug. It works by enumerating processes, and if the parent does not match 'explorer.exe', the parent process's main thread is suspended. The technique is used in Yoda's Protector.

(2.1.21) Guard Pages

Guard pages can be used to detect a debugger. This relates to Olly's on-access/write memory breakpoints, which are implemented with guard pages: a guard page raises an alert when the memory is accessed. After registering an exception handler, an executable/writable page is allocated and the opcode C3 (the RET instruction) is written to it. The page protection is then changed to PAGE_GUARD, and an attempt is made to execute the instruction. If the address being accessed is part of a guard page, the exception handler receives an EXCEPTION_GUARD_PAGE (0x80000001) exception. If the process is being debugged under a debugger that itself uses guard pages, the exception never arrives: the access is taken for a memory breakpoint instead. Packers use this technique. The sample code is shown in Figure (33).

; set up exception handler
push .exception_handler
push dword [fs:0]
mov [fs:0], esp
; allocate memory
push PAGE_READWRITE
push MEM_COMMIT
push 0x1000
push NULL
call [VirtualAlloc]
test eax, eax
jz .failed
mov [.pAllocatedMem], eax
; store a RETN on the allocated memory
mov byte [eax], 0xC3
; then set the PAGE_GUARD attribute of the allocated memory
lea eax, [.dwOldProtect]
push eax
push PAGE_EXECUTE_READ | PAGE_GUARD
push 0x1000
push dword [.pAllocatedMem]
call [VirtualProtect]
; set marker (EAX) as 0
xor eax, eax
; trigger a STATUS_GUARD_PAGE_VIOLATION exception
call [.pAllocatedMem]
; check if marker had not been changed (exception handler not called)
test eax, eax
je .debugger_found
...
.exception_handler:
; EAX = CONTEXT record
mov eax, [esp+0xc]
; set marker (CONTEXT.EAX) to 0xffffffff
; to signal that the exception handler was called
mov dword [eax+0xb0], 0xffffffff
xor eax, eax
retn

Figure (33)

To explain the code in Figure (33): first, memory is allocated and code is stored in it. Next, the PAGE_GUARD attribute is enabled. Then EAX is initialised to 0 and a STATUS_GUARD_PAGE_VIOLATION is triggered by executing the code in the page-guarded allocation. If the code is being debugged in OllyDbg, the exception handler is never called, so the value of EAX cannot change.

This technique is used by PC Guard. Because guard pages trigger an exception, crackers can bypass it by deliberately creating an exception so that the exception handler is called. So in the code of Figure (33), an INT3 is put in place of the RETN instruction, with the RETN following it. When the INT3 executes, the debugger is forced (via Shift+F9) to call the exception handler. Once the exception handler has run, EAX is set to the appropriate value, and after that the RETN instruction executes.

If the exception handler checks whether the exception is STATUS_GUARD_PAGE_VIOLATION, set a breakpoint inside the exception handler and modify the Exception Record parameter: the ExceptionCode must be changed by hand to STATUS_GUARD_PAGE_VIOLATION.

To be continued.


Cracking Glossary - 446 -

Cracking Glossary

ActiveMARK – Trymedia is a part of RealNetworks, and ActiveMark is Trymedia's pack/protect technology. Trygames is a part of Trymedia and handles the downloading, trials and sale of Trymedia's games.

alphanumeric code – Alphanumeric code is a combination of letters and digits, written in an unintelligible form that only a computer can process. One example of alphanumeric code is ASCII. More precisely, alphanumeric code is machine code that has been assembled and written as ASCII characters that are entirely unreadable.

API – An API is simply a collection of the functions that the OS provides. All Windows programs use API functions. Those functions reside in the Windows system dll files such as kernel, user, gdi, shell and advapi. APIs are divided into two kinds: the native API and the Win32 API.

API redirection – API redirection is an operation in which most packers/protectors destroy the IAT (or import table), partially or completely, while writing into the IAT a pointer to the code belonging to each redirected API. That is, the packer has to take care to supply the packed/protected program with the addresses of the APIs in the system DLLs. Many programs that use API redirection tend to have problems with anti-virus software.

array – In programming, an array groups items of the same data type; to use an item contained in the array, it is referenced by index (or element). Arrays are essential in programming.

ASCII – Short for American Standard Code for Information Interchange; it has 256 characters comprising letters, digits and symbols. ASCII was intended, in 1968, for transferring data between hardware and software. ASCII is divided into two sets, standard ASCII and extended ASCII.

assembler – A program that converts programs written in assembly language into exe program files.

Assembly language – A low-level programming language that uses mnemonic codes. It can be converted into machine language with an assembler. The instructions differ depending on the processor used. The benefits of using assembly language are faster execution and direct communication between the hardware and the programmer.

BadBoy – In a trial version of software, the messages and advertisements that pressure the user into buying. Or, in a disassembled program, the location where they reside.

base address – Part of a two-part memory address. It remains unchanged and provides a reference point from which the location of a data byte is calculated. An offset value follows the base address, and it is added to the base to find the exact location of the data. Used in early OSes.

base relocation – The entries in the .reloc section are called base relocations, because their use depends on the base address of the loaded image. A base relocation is a collection of locations within the image to which a value must be added. Base relocation entries are packaged in chunks, and each chunk describes the relocations for one 4KB page of the image.

binary – The base-2 number system, which can only represent 0 and 1. These digits can stand for the logical values TRUE or FALSE. Because binary digits are hard for humans to read, octal and hexadecimal are commonly used instead.

bind –

bit – Short for binary digit. The smallest unit of data a computer handles. A bit can only represent a single binary digit, 1 or 0. Since 8 bits equal one character, they can represent letters, decimal digits and other characters.

breakpoint – A location set within a program so that execution can be stopped abruptly and what the program is doing at that moment can be inspected. Breakpoints are set within debuggers and are mostly used on jumps and calls. Breakpoints can be divided into 3 kinds: software breakpoints, hardware breakpoints and memory breakpoints.

buffer overflow – The overflowing of memory, caused by an unwanted event, in memory areas temporarily set aside for transferring data. It is encountered either because programmers wrote the program incorrectly or when hackers attack in order to degrade the OS's performance.

bypass – In cracking, skipping or tricking unwanted routines and message boxes.

cave – Empty areas in a program that are not used as code/data. They are used for inserting code.

cell – A unit that stores data. For example, one unit of a binary cell can store 1 bit of information.

cell address – The address of the cell where data is stored.

character – Represents a single symbol, whether a letter, a digit or some other sign. In a programming language, an identifier of one or more characters is called a string.

checksum – The computed value of an image. (A computed value used to check whether errors occurred while storing data. After the data has been stored, the checksum is computed again by the same method. If the two checksums differ, an error is shown and the data is stored again. Checksums cannot detect every error, and they cannot repair erroneous data.) Checksums are required for kernel-mode drivers and certain system DLLs.

child – Another process that runs under a process. If the parent process is closed, the child process closes automatically as well.

class – The basic unit of every OOP language. Classes are templates used to create objects, and they can be used to create new data types. All of a program can be written within a class. Classes contain member variables and member methods.

CLR – Short for Common Language Runtime. The virtual machine needed to run .NET programs.

code segment – A memory segment containing program instructions. When the program runs, the code segment is loaded into memory as a memory segment. The main program segment is kept in memory, while auxiliary segments are loaded only when needed.

comment – Annotating information relating to the program. The compiler does not compile these notes.

compiler – A program that, following syntactic and semantic rules, converts source code written in a high-level language into object code before the program is executed.

conditional breakpoint – An advanced breakpoint that can stop the program when a specified condition is met.

conditional jump – Low-level
tjcm;oauFwwpfckckaomfvnf; aumif; tu©&mwpfckudk udk,fpm;jyKonf/ y&dk*&rfbmompum;wGifrl character wpfck (odkU) wpfckxufydkaom identifier wpfckudk string [kac:onf/ checksum – Image \ wGufcsufxm;aomwefzdk;/ (a'wmrsm;udk odrf;qnf;&mwGif trSm;rsm;awGUMuHKjcif;&Sd ^r&Sd ppfaq;&ef toHk;jyKaom wGufcsufxm;onfhwefzdk;/ a'wmrsm;udk odrf;qnf;jyD;aomf ¤if;enf;vrf;udkyif toHk;jyKí checksum udkwGufcsufygonf/ checksum ESpfck rwlnDcJhaomf error udkjyí a'wmudk aemuf wpfMudrf jyefvnfodrf;qnf;ygonf/ Checksum rsm;onf error wdkif;udk rppfaq;Edkifyg/ Checksum wdkUonf error jzpfaeaoma'wmrsm;udk rjyifqifay;Edkifyg/) Checksum rsm;onf kernel-mode driver rsm;ESifh tcsdKUaom system DLL rsm;twGuf vdktyfonf/ child – Process wpfckatmufwGif tvkyfvkyfaom aemuf process wpfck/ tu,fí parent process udk ydwfcJhvQif child process onfvnf; tvdktavsmuf ydwfoGm;rnfjzpfonf/ class – OOP bmompum;wdkif;\ tajccH,lepf/ Class rsm;onf object rsm;udkzefwD;&mwGif toHk;jyKonfh template rsm;jzpfMuonf/ Class rsm;udk a'wmtrsdK;tpm;topfzefwD;&ef toHk;jyKEdkifonf/ y&dk*&rfa&;om; jcif;tm;vHk;udk class wpfcktwGif;wGif a&;om;Edkifonf/ Class rsm;wGif member varialble rsm;ESifh member method rsm;yg0ifonf/ CLR – Common Language Runtime \twdkaumuf/ .net y&dk*&rfrsm; tvkyfvkyf&eftwGuf vdktyfaom virtual machine/ code segment – y&dk*&rf instruction rsm;yg&Sdaom memory segment wpfck/ y&dk*&rf tvkyfvkyfaomtcg code segment udk memory segment tjzpf rSwfOmPfay: ul;wifonf/ yifry&dk*&rf segment ukd rSwfOmPfwGifxm;&SdjyD; auxiliary segment rsm;udkrl vdktyfrSom ul;wifonf/ comment – y&dk*&rfESifh oufqdkifaom tcsuftvufrsm;udk rSwfcsufay;jcif;/ Compiler u xdkrSwfcsufrsm; udk compile vkyfjcif;r&Sdyg/ compiler – Syntactic ESifh semantic pnf;rsOf;rsm;udk vdkufemjyD; high-level bmompum;rsm;jzifha&;om; xm;aom source uk'frsm;udk y&dk*&rf execution rvkyfrD object uk'ftxdajymif;vJay;Edkifaom y&dk*&rf/ conditional breakpoint – owfrSwfxm;aom tajctaeESifh udkufnDvQif y&dk*&rfudk &yfwefUapEdkifonfh tqifhjrifhaom breakpoint/ conditional jump – Low-level 
y&dk*&rfbmompum;rsm;wGif owfrSwfxm;aomae&modkUa&muf&ef tajc taewpf&yfudk EdIif;,SOfjyD; nD^rnD qHk;jzwfaom jump instruction/ Oyrm JE? JNZ/ constant – y&dk*&rftvkyfvkyfaepOf wefzdk;rajymif;vJaom identifier/ CopyMem2 – crack – aqmhzf0Jvftopfrsm;\ a&;om;[efudk odvdkí uk'fudkMunfhjcif;? (odkU) Trial version aqmhzf0JvfrS uefUowfcsufrsm;udk z,f&Sm;jcif;? uk'frsm;xnfhoGif;jcif;/ cracker – emrnfMuD;vdkaomaMumifhaomfvnf;aumif;? aqmhzf0Jvfrsm;\ tvkyfvkyfyHkudk odvdkaomaMumifh aomfvnf;aumif; cracking vkyfol/ cracking – Crack vkyfjcif;? (odkU) crack vkyfjcif;ynm/ CrackMe – vlopfwef; cracker rsm;twGuf cracking ynmudk oifMum;ydkUcs&ef&nf&G,fí a&;om;xm;aom erlemy&dk*&rf/ (odkU) tqifhjrifh cracker rsm;\ t&nftaoG;udk prf;oyf&ef cufcJeufeJpGm a&;om;xm;aom^ pack vkyfxm;aom y&dk*&rf/ CRC – Cyclic Redundancy Code \twdkaumuf/ uk'frsm;jyKjyifxm;jcif; &Sd^r&Sd? aqmhzf0Jvf breakpoint rsm;owfrSwfxm;jcif; &Sd^r&Sdukdppfaq;aomenf;vrf;/ Cracker rsm;u uk'frsm;udkjyKjyifonfhtcg CRC wefzdk; ajymif;vJoGm;onfhtwGuf anti-debugging enf;vrf;rsm;wGif wGifus,fpGmtoHk;jyKvsuf&Sdonf/

Page 448: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 448 -

crypto – tcsuftvufrsm;udk ajymif;vJ&ef uk'frsm;udk toHk;jyKjcif;/ zwf&Iolu ¤if;wdkUudk zwf&IEdkif&eftwGuf key wpfckudk toHk;jyK&rnfjzpfonf/ Oyrm – Adobe Acrobat \ File-open password/ CS – uk'frsm;udk odrf;qnf;xm;aom rSwfOmPftuefU/ Code segment \twdkaumuf/ data segment – y&dk*&rfu vdktyfaomtcg ac:oHk;aom tcsuftvufrsm;udk odrf;qnf;xm;aom rSwfOmPf tuefU/ debug – y&dk*&rfwGif; trSm;rsm;&Sd^r&Sd pHkprf;onf/ Cracker rsm;url uk'frsm;udk jyifqif&eftwGuf? crack vkyf&eftwGuf debug vkyfMujcif;jzpfonf/ debug blocker – debugge – Child process wpfckudkzefwD;jyD; xkd process (debugger) \ debug vkyfjcif;udkcH&aom rdcif process/ debugger – a'wmrsm;udk ppfaq;Edkif&eftwGuf? variable wefzdk;rsm;ajymif;vJoGm;jcif;udk apmifhMunfhppfaq; Edkif&eftwGuf y&dk*&rfrmtm; y&dk*&rftwGif; wpfqifhcsif;Munfh&IEdkif&ef 'DZdkif;jyKxm;aom y&dk*&rf/ Cracker rsm;twGuf r&Sdrjzpfvdktyfaom tool/ debug object – decimal – q,fvDoHk; *Pef;pepf/ decompiler – Assembly uk'f (odkU) machine uk'frS high-level source uk'ftjzpf ajymif;vJay;Edkifaom y&dk*&rf/ jyóemum; tcsdKU Assembly bmompum;rsm;wGif high-level source uk'fESifh oufqdkifaomuk'f r&Sdjcif;jzpfonf/ decompression stub – Pack vkyfxm;aom y&dk*&rfrsm;wGif pack vkyfxm;aom^ compress vkyfxm;aom uk'fudk rl&if;uk'ftjzpf jyefajymif;ay;aomjzpfpOf (odkU) routine/ decryption – Encrypt vkyfxm;aom a'wmrsm;ukd rlvuk'ftoGifodkU jyefajymif;jcif;/ delay import table – Visual C++ u DELAYIMP.H wGif teufzGifhxm;onfh ClmgDelayDescr zGJUpnf;yHk\ array wpfckjzpaom Delayload information udk nTefjyonf/ ¤if;wdkUxJwGifawGU&aom API udk yxrtMudrf ac:,lroHk;rcsif; Delayloaded DLL rsm;tm;ul;wifjcif;r&Sdyg/ Windows wGif delay loading DLL ESifhywfoufjyD; vHk;vHk;vsm;vsm; ,HkMunf&jcif;r&Sdyg/ destination – zdkifwpfckudk (odkU) wefzdk;wpfckudk ul;rnfh? 
a&TUrnfhae&m/ disassembler – Machine uk'fudk Assembly source uk'ftjzpfajymif;vJay;aom y&dk*&rf/ tcsdKU debugger rsm;wGif built-in disassembler ygvmavh&SdjyD; exe y&dk*&rfudk vlom;wdkU zwf&IEdkifaom Assembly bmompum;tjzpf Munfhí&aponf/ diversion code – Cracker rsm;udk vSnfhpm;&eftwGuf xnhfoGif;xm;aom y&dk*&rfESifh rqdkifonfhuk'f/ DLL – Dynamic Link Library \twdkaumuf/ Function rsm;ESifh a'wmrsm;yg0ifaom module/ DLL wpfckudk exe zdkifrSaomfvnf;aumif;? tjcm; DLL zdkifwpfckrSaomfvnf;aumif; ac:,loHk;pGJonf/ DLL wpfckudk rSwfOmPfay:ul;wifcsdefwGif ac:,loHk;onfh process \ address ae&mtjzpf ae&mcsxm;jcif;cH& onf/ DLL zdkifrsm;udk vdktyfrSom ac:,loHk;pGJonfhtwGuf rSwfOmPfwGif ae&mvGwf ydkrdk&&Sdaponf/ DLL zdkifwpfckudk tjcm;y&dk*&rfrsm;uvnf; toHk;jyKEdkifygonf/ dongle – Hardware key wGifMunfhyg/ DOS header – PE zdkifrsm;onf DOS header ESifhpavh&SdjyD; zdkif\ yxrqHk; 64 bytes tjzpfawGU&onf/ y&dk*&rfonf DOS rSpwiftvkyfvkyfonf/ xdkUaMumifh DOS u rSefuefaom executable zdkifjzpfaMumif; todtrSwfjyKrSom header aemuwGif odrf;qnf;xm;aom DOS stub udk tvkyfvkyfrnfjzpfonf/ DOS header onf structure wpfckjzpfjyD; windows.inc (odkU) winnt.h zdkifrsm;wGif ¤if;udk t"dyÜm,fzGifhqdkxm; onf/ DOS header structure wGif member ta&twGuf 19 ck&Sdonf/ DOS stub – DOS stub onf yHkrSeftm;jzifh 'This program must be run under Microsoft Windows' qdkaompmom;udk xkwfay;avh&SdjyD; ¤if;udk,fwdkifyif DOS y&dk*&rfjzpfEdkifonf/ Windows application rsm;udk build vkyfcsdefwGif linker u exe zdkifxJodkU winstub.exe [kac:aom stub y&dk*&rfudk link csdwfay;vdkufjcif; jzpfonf/ dotNet Reactor – .net y&dk*&rfrsm;udk crack vkyfjcif;rS umuG,fEdkif&ef protect vkyfay;aom protector/ double – 'órudef;rsm;udk aMunm&eftwGuf toHk;jyKaom keyword/ 1.7 x 10-308 PrS 1.1 x 10P

+4932 Pxd wefzdk;rsm;udk udkifwG,fEdkifonf/ driver – aqmzhf0Jvf? hardware rsm;udk OS ESifhcsdwfquf&mwGif r&Sdrjzpfvdktyfaom PE zdkifrsm;/ DS – tcsuftvufrsm;udk odrf;qnf;xm;aom rSwfOmPftuefU/ Data segment \twdkaumuf/ dump – rSwfOmPfxJrS decompress vkyfxm;aomzdkifudk disk ay:odkU odrf;qnf;jcif;/ EAX – ocsFmqdkif&mudpörsm;ESifh string rsm;udk odrf;qnf;&efoHk;aom register/ EBP – Stack udpörsm;aqmif&Guf&ef stack pointer ESifh wGJokH;onf/ Base pointer \twdkaumuf/ EBX – Stack rsm;ESifh csdwfquf&mwGif oHk;onfh register / ECX – *Pef;rsm;aygif;&mESifh looping rsm;wGif oHk;onfh register/

Page 449: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 449 -

EDI – String/array \ destination udk owfrSwf&mwGiftoHk;jyKonfh register/ Destination index \ twdkaumuf/ EDX – rsm;aomtm;jzifh ocsFmpm;v'frS t<uif;udk odrf;qnf;onfh register/ EIP – aemuf instruction \ address udk odrf;xm;ay;onfh register/ EIP wefzdk;udk ajymif;vJí r&yg/ emulator – encode – Cracker rsm;\ debug vkyfjcif;rSumuG,fEdkif&ef rl&if;uk'fudk toGifajymif;vJonf/ (odkU) zdkift&G,ftpm;udk ao;i,fap&ef uk'fudkcsHKUonf/ endian – rSwfOmPfxJwGif hex wefzdk;rsm;udk ajymif;jyefpDjcif;/ nmzuftusqHk;pmvHk;onf significant tjzpf qHk;pmvHk;jzpfonf/ Oyrm 72 5E 7A 25 wefzdk;udk rSwfOmPfwGif;wGif 25 7A 5E 72 tjzpf awGU&ygonf/ entry point – y&dk*&rfwGif;&Sd execution pwifrnfhae&mwpfck/ y&dk*&rfpwifzwf&I tvkyfvkyfrnfh yxrqHk; instruction &Sd&m virtual address/ entrypoint Method – .net application pwifcsdefrSm ac:,loHk;onfh yxrqHk; Method jzpfjyD;? Method \ ta&;ygyHkrSm y&dk*&rf\vkyfaqmifcsufrsm;udk y&dk*&rfpwifonfhtcsdefrSpjyD; register vkyfonfh routine &Sd&ma&mufonftxd ajc&mcHEdkifjcif;jzpfonf/ enxor – XOR instruction udktoHk;jyKí encrypt vkyfjcif;/ ES – AGD'D,dkudpö&yfrsm;twGuf toHk;rsm;onf/ Extra segment \twdkaumuf/ ESI – String/array \ source udk owfrSwf&mwGifoHk;onf/ Source index \ twdkaumuf/ ESP – Stack rS wdusaom ae&mwpfckudk nTefjyonf/ Stack pointer \ twdkaumuf/ exception – exception handler – exe – rnfonfhzdkiftultnDrS rvdkbJ oD;oefU&yfwnfEdkifaom y&dk*&rf/ EXE Password 2004 – Salfeld computer rSxkwfvkyfjyD; exe zdkifrsm;udk olwyg; rzGifhapvdkaomtcg password toHk;jyKí umuG,fEdkifaomy&dk*&rf/ Password udk exe twGif;wGifyif odrf;qnf;jyD; vdktyfrSom decrypt jyefvkyfygonf/ executable – tvkyfvkyfEdkifaom y&dk*&rf/ Oyrm - file0.bat? file1.exe? 
or file2.com/ exploit – OS (odkU) aqmhzf0Jvfwpfckck\ vHkjcHKa&;qdkif&mtm;enf;csufudk &SmazGjyD; tcGifhaumif;,lonf/ file alignment – zdkifxJwGif section rsm;udk alignment csxm;rI/ þ field xJrS wefzdk;onf 512 (200h) jzpfvQif section wdkif;onf 512bytes \ ajrSmufazmfudef;*Pef;rsm;jzifh pwif&rnf/ tu,fí yxrqHk; section onf offset 200h ü&SdjyD; ¤if;\t&G,ftpm;onf 10bytes om&SdcJhvQifyif aemuf section onf 400h wGifpwifrnfjzpfonf/ 512 eJU 1024 Mum;rS vGwfaeaom offset ae&mrsm;udkrl toHk;jyKrnf r[kwfay/ Fish Packer – UPX? UPack uJhodkU zdkif\t&G,ftpm;udk tao;i,fqHk;jzpfatmif compress vkyfay;aom packer jzpfjyD; unpack vkyf&mwGif tenf;i,fcufcJrI&Sdygonf/ flag – tajctaeESpfckteufrS wpfckudk owfrSwfonfh register/ Zero flag onf wefzdk;ESpfckudk EdIif;,SOfaom tcg nDcJhvQif flag wefzdk;udk 1 [kowfrSwfygonf/ Carry flag? parity flag? auxiliary flag? zero flag? sign flag ponfjzifh flag rsm;pGm&Sdygonf/ flat memory – Windows OS rsm;wGif toHk;jyKonf/ Memory segment \ t&G,ftpm;onf 4GB &Sd onf/ float – 'órudef;rsm;udk aMunm&eftwGuf toHk;jyKaom keyword/ 3.4 x 10P

-38 P rS 1.7 x 10P

+38 P xd wefzdk; rsm;udk udkifwG,fEdkifonf/ freeware – tifwmeufwGif tcrJhay;aom y&dk*&rf/ Freeware aqmhzf0Jvfrsm;wGif register vkyfp&mrvdkyg/ FS – taxGaxGoHk; segment/ 80286 ESifhtxuf y&dkqufqmrsm;wGif toHk;jyKonf/ FSG – Fast Small Good \twdkaumuf/ exe zdkifrsm;udk compress vkyfay;aom packer y&dk*&rf/ full version – rnfonfhuefUowfcsufrSr&Sdaom? aqmhzf0Jvf\ pGrf;aqmifEdkifrItm;vHk;udk toHk;jyKEdkifaom version/ function – owfrSwfxm;aomtvkyfudk vkyfaqmifEdkif&ef instruction rsm;udkpkpnf;xm;aom? statement rsm;udkpkpnf;xm;aom y&dk*&rf\ routine wpfck/ udk ESifh [kESpfrsdK;cGJEdkifonf/ API? routine? subroutine? call rsm;[kvnf;ac:onf/ GoodBoy – 0,f,lonfhtwGufaus;Zl;wifaMumif;? register vkyfjcif;atmifjrifaMumif;ponfh messagebox? dialogbox rsm;ESifh ¤if;wdkUudkac:oHk;onfh routine rsm;? API rsm;/ GS – taxGaxGoHk; segment/ 80386 ESifhtxuf y&dkqufqmrsm;wGif toHk;jyKonf/ guard page – handle – Pointer wpfck\ pointer/ qdkvdkonfrSm tjcm; variable wpfck\ address yg0ifaom variable wpfck/ ¤if;wGif vdkcsifaom object \ address yg0ifonf/ OS wpfckwGif pointer rsm;u ajymif;vG,faom block wpfckudk nTef;aepOfwGif handle u rSwfOmPf\ rajymif;vJEdkifaomae&mwGif odrf;xm;onfh pointer

Page 450: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 450 -

wpfckudk nTef;onf/ tu,fí y&dk*&rfrsm;onf handle rSompwifcJhvQif ¤if;wdkUu block udk&,lcsdefwdkif;wGif OS rS y&dk*&rfrsm;tm;xdcdkufrI r&SdapbJ rSwfOmPfpDrHcefUcGJrIrsm;udk aqmif&GufEdkifrnfjzpfonf/ hardware breakpoint – omref breakpoint rsm;onf uk'frsm;ajymif;vJoGm;aomtcg breakpoint ysufoGm;avh&Sdygonf/ owfrSwfxm;onhfae&m&Sd uk'fudk ac:,loHk;jcif;&Sd^r&Sd apmifhMunfhvdkaomtcgwGifvnf; aumif;? dump window (data window) rS a'wmrsm;udk a&;jcif;? zwfjcif; &Sd^r&Sdudk apmifhMunfhvdkaomtcg wGifvnf;aumif; hardware breakpoint udktoHk;jyKygonf/ hardware key – aqmhzf0Jvf(odkU)uGefysLwmudk w&m;r0ifoHk;pGJjcif;rS umuG,f&ef toHk;jyKaom printer port connector uJhokdUaom device/ Dongle [kvnf;ac:onf/ HASP key – Aladdin Knowledge Systems rS xkwfvkyfonfh dongle key/ heap flag – hexadecimal – *Pef;rsm;udk azmfjy&eftwGuf toHk;jyKonfh 16vDpepf/ pepfwGif q,fvDpepf*Pef;rsm; jzpfaom 0-15 udkazmfjy&eftwGuf 0-9? A-F wdkUyg0ifonf/ 16vDpepf *Pef;wpfvHk;onf 4 bits ESifh nDrQ onf/ Oyrm – ESpfvDpepf*Pef;jzpfaom 0101 0011 onf 16vDpepfwGif 53 ESihfwlnDonf/ ESpfvDpepfjzifh azmfjyjcif;onf zwf&I&cufcJonfhtwGuf 16vDpepfjzpfaom hexadecimal pepfudk xGifMujcif;jzpfonf/ Intel xkwf CPU awG\ mnemonic rSmygaom opcode rsm;ESifh shellcode rsm;udk HEX uk'frsm;ESifh azmfjyMu onf/ hook – y&dk*&rfrmrS debug vkyf&mwGif^ vkyfaqmifcsufrsm;udktqifhjrSifh&mwGif tjcm; routine rsm;ESifhcsdwf quf&ef? routine rsm;xnfhoGif;&ef routine^y&dk*&rfwpfckwGif;&Sd ae&mwpfck/ IAT – Import Address Table \twdkaumuf/ Win32 exe zdkifjzpfonfh application wdkif;wGif IAT &SdjyD; application wpfcku Windows \ API function wpfckudkac:oHk;onfhtcgwGif IAT tm; lookup table tjzpftoHk;jyKonf/ xdkUaMumifh y&dk*&rftvkyfrvkyfcif y&dk*&rfuac:oHk;&eftwGuf? 
IAT wpfckudk wnfaqmuf &eftwGuf Windows loader onf API toD;oD;\ address toD;oD;udk&Sm&rnfjzpfonf/ y&dk*&rftvkyf vkyfaeonfhtcsdefwGif API wpfckudk ac:oHk;vdkvQif IAT xJwGifMunfhjyD; DLL xJoGm;&efvdkaom address udk csufcsif;&SmazGayonf/ Unpack vkyfxmonfhzdkifrsm;wGif packer/protector rsm;u IAT udk zsufxm;onfh twGuf IAT udk jyefvnfwnfaqmuf&efvdkonf/ IDA – Interactive DisAssembler \twdkaumufjzpfjyD; DOS^Windows^Unix^Macintosh^ Java^ .Net^Console y&dk*&rfrsm;tjyif tjcm; OS rsm;wGifa&;om;xm;wJh y&dk*&rfrsm;ukdyg debug vkyfay;Edkifaom taumif;qHk;aom disassembler wpfckjzpfonf/ IL – .net y&dk*&rfrsm;ukd compile vkyf&mwGif machine uk'ftjzpf wdkuf&dkuf compile vkyfjcif;r[kwfbJ IL [kac:aom Intemediate Language tjzpf compile vkyfvdkufjcif;jzpfonf/ IL &JUt"dutm;omcsufrSm compile vkyfxm;onfhy&dk*&rfrsm;wGif identifier (class name? function name? variable name) rsm; rysufr,Gif;yJ wnf&Sdaejcif;jzpfonf/ imagebase – PE zdkifrsm;twGuf preferred load address jzpfonf/ Imagebase wefzdk;onf 400000h jzpfvQif PE loader u 400000h rSpwifaom virtual address ae&mwGif zdkifudk ul;wif&ef MudK;pm;ay vdrfhrnf/ exe y&dk*&rfrsm;wGif imagebase wefzdk;onf 400000h jzpfjyD; (Visual C++ DLL method jzifh compile vkyfxm;aom Windows OS \ y&dk*&rfzdkifrsm;rSty) dll zdkifrsm;wGifrl 1000000h jzpfonf/ immediate value – Assembly bmompum; instruction wpfck vkyfaqmifcsdefwGif toHk;jyKaom udef;ao wefzdk;/ Instruction xJ&Sd address wpfcku point vkyfjcif;xuf instruction xJwGif udk,fwdkifyg0ifonf/ index register – Index register rsm;udk ¤if;wdkU\rlvwefzdk; rajymif;vJoa&GU taxGaxGoHk; register rsm; tjzpf (EIP rSwyg;) toHk;jyKEdkifonf/ Index register [kac:a0:onfhtaMumif;rSm ¤if;wdkUonf rMumcP qdkovdk rSwfOmPf\ address udk odrf;qnf;avh&Sdíjzpfonf/ tcsdKU opcode (movb, scasb,..) rsm;onf ¤if;wdkUudk toHk;jyKMuonf/ inline patching – txl;ojzifh pack/protect vkyfxm;aomzdkifrsm;wGif zdkifudk unpack rvkyfawmhbJ uk'fjyif jcif;? 
uk'ftopfxnfhoGif;jcif;/ instruction – Assembly bmompum;wGif mnemonics udkac:a0:aom toHk;tEIef;/ interceptor – interpret – y&dk*&rfuk'frsm;udk machine uk'ftjzpfodkU wpfaMumif;csif;bmomjyefonf/ interpreter – Basic/ CNC bmompum;rsm;udk a&;om;Edkifaom? machine uk'ftjzpf interpret vkyfay;Edkif aom y&dk*&rfi,f/ interrupt – &kwfjcnf;&yfwefUapjcif;/ (odkU) DOS pepfwGif toHk;jyKaom INT function/ jump – owfrSwfxm;aom ae&modkU ausmfvTm;jcif;/ junk code – kernel – OS \ yifrausm&dk;jzpfjyD; rSwfOmPf? zdkifrsm;ESifh hardware rsm;udk pDrHcefUcGJonf/ ¤if;tjyif tcsdef ESifh&ufpGJwdkUudkxdef;odrf;jcif;? application rsm;udkzGifhjcif;ESifh resource rsm;udkae&mcsxm;jcif;wdkU jyKvkyfonf/ keygen – oufqdkif&m user trnfESifhqdkifaom key udkxkwfay;Edkifaom cracker rsm;u zefwD;xm;aomzdkif/

Page 451: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 451 -

KeygenMe – vlopfwef; cracker rsm;twGuf cracking ynmudk oifMum;ydkUcs&ef&nf&G,fjyD; a&;om;xm; aom erlemy&dk*&rf/ (odkU) tqifhjrifh cracker rsm;\ t&nftaoG;udk prf;oyf&ef cufcJeufeJpGm a&;om;xm; aomy&dk*&rf/ link – exe zdkiftjzpfodkU rajymif;rD DLL (odkU) OBJ zdkifrsm;ESifh csdwfqufjcif;/ linker – exe zdkiftjzpfodkUa&muf&Sd&ef DLL (odkU) OBJ zdkifrsm;ESifh csdwfquf&mwGif toHk;jyKonfh y&dk*&rf/ loader – Process wpfckudkpwifonfh tao;pm; application wpfckjzpfjyD; unpack vkyfaeonfh^protect vkyfxm;jcif;udk jyefajzaeonfh process (aqmhzf0Jvf)udk apmifhqdkif;onf/ xdkUaemuf y&dk*&rfxJrS y&dk*&rfa&; om;ol csef&pfcJhaomtrSm;rsm;^tm;enf;csufrsm;tm; tcGifhaumif;,ljyD; rSwfOmPfxJrS process udk patch vkyfonf/ machine code – uGefysLwm\ CPU u wdkuf&dkufem;vnfEdkifaom instruction rsm;ESifh a'wmrsm;yg0ifaom pepfwpfck/ CPU model wdkif;wGif ¤if;wdkU\udk,fydkif machine uk'f (odkU) instruction set &SdjyD; wpfxyfwnf; uscsifrSusEdkifayvdrfhrnf/ malicious code – tzsuftarSmifhvkyfief;rsm;vkyfaqmif&ef? vHkjcHKa&;tcsuftvufrsm; cdk;,l&ef y&dk*&rfrsm; wGif xnfhoGif;vdkuf^xm;aom y&dk*&rfESifh vHk;0roufqdkifaomuk'f/ Malicious uk'frsm;onf y&dk*&rfzdkif tcsif;csif; ul;pufEdkifonf/ malware – Malicious uk'frsm;yg0ifaom aqmhzf0Jvf/ MD5 – MIT Lab ESifh RSA Data Security Inc. wdkUrS xkwfvkyfvdkufaom 128-bit encryption pepf/ erlemtm;jzifh phpBB zdk&rfrsm;wGif login password udk encrypt vkyf&mwGif toHk;jyKonf/ memory breakpoint – Section wpfcktwGif;? owfrSwfxm;onfh address e,fy,ftwGif; y&dk*&rfrS tcsuftvufrsm;udk a&;om;aomtcg? 
tcsuftvufrsm;&,laomtcg od&SdEdkif&efESifh y&dk*&rfudk&yfwefUEdkif&ef owfrSwfaom breakpoint/ metadata – .net y&dk*&rfrsm;wGif yg0ifaom a'wmtrsdK;tpm;rsm;ESifhywfoufonfh tao;pdwftcsuftvuf rsm;/ .net reflector uJhodkUaomaqmhzf0Jvfrsm;onf exe zdkifxJrS metadata rsm;udkzwfjyD; rl&if; source uk'fudk jyefvnfazmfxkwfay;jcif;jzpfonfhtwGuf cracker rsm; tvG,fwul crack rvkyfEdkifap&ef metadata rsm;udk obfuscation vkyfxm;&efvdktyfonf/ metamorphic code – udk,fwdkifjyefjyD; y&dk*&rfjyefa&;Edkifonfhuk'f/ tcsdKUAdkif;&yfpfrsm;u zdkiftopfrsm;udk ul;pufapvdkaomtcgwGif toHk;jyKonf/ xdkUaMumifh Adkif;&yfpfxdxm;aomy&dk*&rfrsm;onf rl&if;y&dk*&rfESifh rnfonfhtcgrS wlnDawmhrnf r[kwfay/ uGefysLwmAdkif;&yfpfrsm;u þenf;udk toHk;jyK&onfh taMumif;&if;rSm anti-virus aqmhzf0Jvfrsm;u ¤if;wdkU\ signature rsm;udkrSwfrdjcif;rS a&Smif&Sm;Edkif&efjzpfonf/ mnemonics – Assembly bmompum;wGif aygif;jcif;? EIwfjcif;paom vkyfaqmifcsufwpfckudk vkyfaqmif Edkifaomuk'f/ module – Cracking wGif exe zdkifESifh ¤if; exe zdkifu ac:,ltoHk;jyKxm;aom DLL zdkifrsm;/ MoleBox – y&dk*&rfwpfck run aecsdefwGif vdktyfaomzdkiftm;vHk;udk exe zdkifwpfckwnf;tjzpf pack vkyfay;Edkif aom tqifhjrifh packer/ tu,fíom DLL twGif;wGif registration routine a&;xm;ygu cracker tzdkU crack vkyf&efcufcJaprnfjzpfonf/ nag screen – y&dk*&rfwpfckudk zGifh^ydwfaomtcgwGif awGU&aom pdwftaESmifht,Sufjzpfaponfh message screen ESifh aMumfjimrsm;/ Trial version aqmhzf0Jvfrsm;wGifom awGU&avh&Sdonf/ nanomite – Dump vkyfjcif;udk wm;qD;&mwGif toHk;jyKaom tqifhjrifhenf;vrf;jzpfjyD; Armadillo wGif pwiftoHk;jyKcJhonf/ Jump tcsdKUudk INT3 function jzifhtpm;xdk;onfhenf;vrf;jzpfonf/ neutralize – Anti-virus aqmhzf0Jvfrsm;u Adkif;&yfpf(odkU) x&dk*sefudk pHkprf;od&Sdaomtcg Adkif;&yfpftwGif;&Sd uk'fudkz,f&Sm;jcif; (odkU) Adkif;&yfzdkifudkzsufjcif; ponfwdkUudk jyKvkyfjcif;/ NFO – Crack vkyfxm;aomzdkifESihf oufqdkifaomtcsuftvufrsm;? cracking team rsm;ESifh ywfoufaom tcsuftvufzdkif/ NSPack – exe? dll? 
ocx ponfhzdkiftrsdK;tpm;rsm;tjyif .net zdkifrsm;ukdyg compress vkyfay;Edkifaom packer y&dk*&rf/ Pack vkyfxm;aomzdkift&G,ftpm;rSm UPX zdkifrsm;avmufyif&SdjyD; pack vkyfxm;aomzdkif onf Windows 98 üwGifyif aumif;pGmtvkyfvkyfEdkifonf/ obfuscation – Method ESifh class trnfrsm;udk &Smír&Edkifatmif zwfír&Edkifaom pmvHk;rsm;tjzpf ajymif;vJ ay;aomjzpfpOf/ octal – 8vD*Pef;pepf/ ocx – PE zdkiftrsdK;tpm;wpfckjzpfjyD; .dll zdkifuJhokdUyif imagebase onf 1,000,000 rSpwifonf/ OEP – rlv entry point/ Pack vkyfxm;aom zdkifrsm;wGif yxrqHk; awGU&aom address udk entry point [kac:jyD; decompression stub vkyfaqmifcsuftjyD;wGif awGU&aom address udk OEP [kac:onf/ OEP udkodrSom dump pwif vkyfaqmifEdkifjyD; OEP udk &SmazGay;onfh aqmhzf0Jvfrsm;onfvnf; cracker rsm;udk taxmuftyHh rsm;pGm jzpfapygonf/ offset – wdusaomuk'fwpfck&Sd&m address prSwfESifh ¤if;trSwfESifhtuGmta0;/

Page 452: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 452 -

Olly – Cracker rsm;twGuf taumif;qHk;aom ring-3 debugger/ opcode – y&dkqufqmu em;vnfEdkifaom instruction wpfck/ Opcode trsm;pkwGif operand rsm;yg&Sdonf/ optional header – File header \aemufwGif uyfvsuf&Sdaom aemufxyf 224bytes jzpfjyD; PE zdkiftwGif;&Sd logical layout ESifhywfoufaomtaMumif;t&mrsm; yg0ifonf/ (Oyrm- AddressOfEntry Point)/ ordinary breakpoint – uk'frsm;wGif owfrSwfonfh omref breakpoint/ overflow flag – wefzdk;wpfckudk odrf;qnf;EdkifpGrf;yrmP xufausmfvGefaomtcg 1 wefzdk;udk owfrSwfonfh flag/ twGuftcsufrsm;wGif trsm;qHk;toHk;jyKonf/ overlay – exe zdkifxJwGif aemufqufwGJtaejzifh xnfhoGif;xm;aom a'wm (odkU) zdkif/ p-code – pack – exe zdkifudk compress vkyfjcif;? execute vkyfEdkifzdkU decompress jyefvkyfjcif;ESifh execution pwifjcif;wdkUudk vkyfaqmifay;&onfh decompression stub udk xnfhoGif;pOf;pm;&aomvkyfief;pOf/ Pack vkyfjcif;jzifh zdkift&G,ftpm;udk usoGm;apjyD; ae&mvGwfydkrdk&vmygonf/ packer – rlvzdkif\t&G,ftpm;udk tenf;qHk; 30% avmuf avQmhcsEdkifjyD; cracker rsm;twGuf uk'fudk ajc&mcHEdkif&ef cufcJapaom y&dk*&rf/ patch – udk,fwkdifaomfvnf;aumif;? y&dk*&rf\tultnD,líaomfvnf;aumif; y&dk*&rfuk'fudk jyifqifonf/ PE file – Windows OS rsm;wGifom tvkyfvkyfaom y&dk*&rfrsm;? zdkifrsm;/ PE header – IMAGE_NT_HEADERS [kac:aom structure wpfckjzpfjyD; þ structure wGif Windows loader u r&Sdrjzpfvdktyfaom tcsuftvufrsm;yg0ifonf/ PE signature – y&dk*&rfudk rnfonfh compiler jzifh compile vkyfxm;onf? rnfonfh packer jzifh pack vkyfxm;onfudk od&SdEdkif&ef wdkufqdkifppfaq;aom hex uk'frsm;/ PEB – ---- Process Environment Block PhantOm – Anti-debugging vkyfaqmifcsuf ajrmufjrm;pGmyg0ifonfh Olly \taumif;qHk;aom plugin wpfck/ pirate version – Crack vkyfxm;aom? 
olwyg;\uk'fudk w&m;r0if &,loHk;pGJxm;aom aqmhzf0Jvf/ pointer to raw data – zdkif\tprS section \a'wmrsm;xd&Sdaom offset/ ¤if;onf module header rS FileAlignment \qwdk;udef; jzpf&ayrnf/ pointer – Variable wpfck&JU address udkodrf;xm;aom variable wpfck/ polymorphic code – rlv algorithm udk yuwdtwdkif; &SdaeapatmifvkyfaepOftwGif; toGifajymif;vJ oGm;aomuk'f/ þenf;ynmtm; uGefysLwmAdkif;&yfpfrsm;? shell uk'frsm;ESifh uGefysLwm worm rsm;u ¤if;wdkU &Sdaejcif;udk zHk;uG,fEdkif&eftwGuf toHk;jyKonf/ prefetch – process – Windows wGif tajccHtusqHk;aom block wpfck/ y&dk*&rfrsm;tvkyfvkyf&mwGif toHk;jyKaom ae &mvGwfrsm;jzpfjyD; Windows u uk'f module rsm;udk process \ae&mvGwfodkU ul;wifEdkifjyD; y&dk*&rfwpfck tvkyfvkyfEdkif&eftwGuf tenf;qHk; thread wpfck tvkyfvkyfae&ygrnf/ protector – Packer wpfckomjzpfjyD; &dk;&Sif;aom packer rsm;xufpmvQif uk'frsm;tm; ydkjyD;pdppfcGJjcm;onf/ Protector rsm;\ t"dutm;enf;csufrSm protect vkyfxm;aomzdkif\ t&G,ftpm;jzpfonf/ Packer rsm;u pack vkyfxm;aom zdkif\t&G,ftpm;rsm;udk ao;i,fatmifvkyfaecsdefwGif protector rsm;u cracker &efu umuG,fEdkif&eftwGuf uk'frsm; tvGeftrif; xnfhoGif;MuonfhtwGuf protect vkyfxm;aom tcsdKUzdkifrsm;onf (ao;i,faomzdkifrsm;) rlvzdkifxuf 600% MuD;oGm;aMumif; awGU&onf/ recursion – Function wpfckudk tMudrfMudrf vkyfaqmifjcif;/ Reflector – .net y&dk*&rfrsm;udk decompile vkyf&eftwGuf toHk;jyKaom aqmhzf0Jvf/ Decompile vkyfxm; aomuk'frsm;udk C#? VB? Delphi? IL? Chrome ESifh Visual C++ bmompum;rsm;jzifh Munfh&IEdkifonf/ registration – aqmhzf0Jvfudk trial version rS full version jzpfap&eftwGuf vdktyfaom tcsuftvuf rsm;udk &dkufxnhfjcif; (odkU) xdkodkUjyKvkyfEdkif&ef a&;om;xm;aomuk'frsm;/ registry – Cracking wGif registration ESifhywfoufaomtcsuftvufrsm;xm;&Sd&m database/ relocation table – Base relocation information udk nTefjyonf/ resource – y&dk*&rfwpfcktwGif;wGif yg0ifaom icon rsm;? bitmap rsm;? dialog rsm;ESifh string rsm;/ reversing – OS^y&dk*&rfwpfck\ oabmobm0udk debugging tool rsm;toHk;jyKí avhvmjcif;/ rip – vdktyfaomuk'fudk ,lonf? 
jzwfxkwfonf/ RSA – Encryption e,fy,fwGif wGifus,fpGmtoHk;jyKvQuf&Sdaeom public/private key algorithm/ Microsoft Windows wGif cryptographic service provider (CSP) tjzpftoHk;jyKonf/ RVA – Relative Virtual Address \twdkaumuf/ section – y&dk*&rfwpfcktwGif;&Sd uk'f? a'wmESifh resource rsm;odrf;qnf;&mae&m/

Page 453: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 453 -

section alignment – PE header rSmrwlnDwJh Alignment field ESpfck&Sdygw,f/ olwdkUawGuawmh section alignment eJU file alignment yg/ Section alignment qdkwm uawmh tay:rSmqdkxm;wJhtwdkif; rSwfOmPfxJrSm section awGudk b,fvdknSd,lrvJqdkwm jzpfygw,f/ Section rsm;\ Alignment udk rSwfOmPf wGif; ul;wifonf/ Byte jzifhjyonf/ þwefzdk;onf File Alignment ESifh nD&rnf (odkU) MuD;&rnf/ yHkao wefzdk;onf system \ page t&G,ftpm; jzpfonf/ segment register – rSwfOmPf\ segment udk toHk;jyKonf/ 16-bit OS rsm;wGif toHk;jyKonf/ DOS wGif rSwfOmPfudk 64KB &Sdaom segment rsm;tjzpf ydkif;vdkuonfhtwGuf rSwfOmPf\ address udk owfrSwfvdk vQif segment ESifh offset udk atmufygtwdkif; (0172:0500 (segment:offset)) owfrSwf&onf/ Segment register rsm;onf 16-bit register rsm;jzpfonf/ SEH – Sentinel – Rainbow Technology (www.rainbow.com ) rS xkwfvkyfonfh dongle key/ serial fishing – Debug vkyf&mwGif y&dk*&rfu wGufcsufvdkufaom serial udk&SmazGjcif;/ Serial fishing udk y&dk*&rfwdkif;wGif vkyfír&ay/ session – shareware – r0,fcif tcrJhoHk;pGJEdkifaom rlydkifcGifhvkyfxm;onfh aqmhzf0Jvf/ shellcode – aqmhzf0Jvf bug rsm;rSwqifh tcGifhaumif;,ljyD; payload tjzpftoHk;jyKaom machine uk'f\ wpfpdwfwpfa'o/ Machine wGiftvkyfvkyfaeaom aqmhzf0Jvf\tm;enf;csufudk tcGifhaumif;,ljyD; tcGifhr&Sd aomoHk;pGJolrsm;tm; OS \ command-line rSwqifh uGefysLwmeJU csdwfqufEdkifatmifcGifhjyKygw,f/ yHkrSef tm;jzifh null-terminated (\0) string taeESifhodrf;qnf;jcif;jzpfjyD; null character rsm;ryg0ifEdkifyg/ sign flag – taygif;^tEIwfoauFw jzpf^rjzpf owfrSwfaom flag/ size of raw data – Disk ay:&Sd zdkifxJrSm&dSaom section \a'wmt&G,ftpm;/ Module header rS FileAlignment \qwdk;udef;jzpfjyD;? tu,fí ¤if;wefzdk;onf virtual size xufi,fvQif section \ usefaomtydkif;rsm;onf oknESifh jynfhaernfjzpfonf/ Section ü uninitialized a'wmoufoufom &SdcsdefwGif þae&mü oknjzpf&ayrnf/ SLVc0deProtector – TeamICU rS SLV ua&;om;jyD; (1) Anti-debugging? (2) Anti-API break point? (3) DOS header udkzsufjcif;? 
(4) rlvzdkiftrnfudk ppfaq;jcif; ponfh vSnfhpm;rIrsm; yg0ifonf/ SmartCheck – VB y&dk*&rfrsm;udk serial zrf;&mwGif taumif;qHk;aom debugger/ SmartCheck jzifh VB uk'frsm; tvkyfvkyfyHkudk event rsm;rSwqifh tao;pdwfMunfh&IEdkifonf/ SmartCheck onf p-code rsm;udk debug vkyfEdkifjcif;r&Sdyg/ source – a&TUajymif;rnfh^ul;,lrnfh a'wmrsm;&Sd&mae&m? source code – y&dk*&rfbmompum;rsm;jzifh y&dk*&rfrmrsm; a&;om;xm;aomuk'f/ SS – Routine rsm;rS ay;ydkUaom address rsm;udk odrf;qnf;&ef toHk;jyKaom register/ Stack segment \ twdkaumuf/ stack – oD;oefUz,fxm;aom rSwfOmPfae&mjzpfjyD; ¤if;wGif y&dk*&rfu procedure? function call address? parameter ESifh local variable wdkUESifhywfoufaom tcsuftvufwdkUudk odrf;qnf;onf/ Last in First Out (LIFO) enf;ynmudk toHk;jyKonf/ stolen bytes – rlv exe zdkifrS ,lvmcJhaom? rlv exe zdkifrSzsuf,lvmchJaom pmvHk;rsm;jzpfjyD; packer \ uk'fxJwGif ¤if;wdkUudk vmxm;onf/ OEP a&mufcsdefwGif y&dk*&rfudk rSwfOmPfrS dump vkyf,laomtcg dump vkyfvdkufaom exe zdkifxJwGif xdkpmvHk;rsm; yg&Sdawmhrnfr[kwfay/ xdkpmvHk;rsm; r&SdawmhvQif y&dk*&rf rsm; aumif;pGmtvkyfvkyfEdkifrnfr[kwfay/ þenf;vrf;onf y&dk*&rfudk crack rvkyfEdkif&ef umuG,frIwpfck jzpfonf/ string – wpfvHk; (odkU) wpfvHk;xufydkaom pum;vHk;rsm; yg0ifaompmom;/ StrongName – StrongName wpfckwGif y&dk*&rfESifhywfoufaom assembly \ identity rsm;yg0ifjyD; ¤if;wdkUrSm &dk;&Sif;vSaompmom;rsm;ESifhjzpfjyD; trnf? version trSwf? culture wdkUtjyif public key wpfckESifh digital signature wpfckwdkU yg0ifEdkifonf/ ¤if;wdkUudk assembly zdkifwpfckrS oufqdkif&m private key udk toHk;jyKjyD; xkwfay;jcif;jzpfonf/ Microsoft Visual Studio eJU .NET framework udktoHk;jyKMuaom tjcm; tool rsm;u StrongName rsm;udk assembly wpfcktaejzifh owfrSwfEdkifonf/ SVKP – SVKP onf exe zdkifrsm;tm; protect vkyfay;onfh protector wpfckjzpfjyD; protect vkyf&eftwGuf rwlnDaom enf;vrf;4&yfudk toHk;jyKonf/ ¤if;wdkUrSm (1) RSA algorithm udk toHk;jyKjcif;? (2) API function rsm;udk vSnfhpm;rIjyKvkyfxm;jcif;? (3) anti-debug vSnfhpm;rIrsm;xnfhoGif;xm;jcif;? 
(4) rSwfOmPf ESifh tracer rsm;rS dump rvkyfEdkifatmifumuG,fxm;jcif;wdkUjzpfonf/ tamper – Themida – aqmhzf0Jvfrsm;udk crack vkyfjcif;&efrS umuG,fEdkif&ef SecureEngine protection pepfudk oHk;xm;onfh protection pepfwpfck/ Cracker rsm;tjrift& Themida onf oHk;pGJaeusaqmhzf0Jvf protector

Page 454: Cracker_Guide_2.1_

Cracking qdkif&ma0g[m&rsm; - 454 -

... and is completely unlike them. For developers, Themida is easy to use, and they can pick whichever advanced protections they want applied.

thread – A unit of execution that belongs to a larger process (or program) and runs its code. A thread can be thought of as a virtual processor: it has its own context (register state) and its own stack. Windows may suspend a running thread at any moment and resume it later.

TimeDateStamp – The build time of the file, written by the linker into the COFF file header as a 32-bit count of seconds since 1 January 1970 UTC. OllyDbg shows the raw value in hex; some PE viewers decode it to a plain date instead. It is only a field the linker filled in, so it can be set to anything and should be read as a hint, not as proof of when a file was built.

TLS table – The data directory entry that points to the Thread Local Storage initialization data. Variables declared with __declspec(thread) are per-thread, and the compiler places them in a section named .tls. The TLS directory also lists callback functions that the loader runs before the entry point, so a debugger that only breaks at the entry point never sees them execute.

tracer – A program or function that follows the program's code one instruction at a time until a given breakpoint is reached.

trial version – Software that may be used only for a limited time or a limited number of runs.

unconditional jump – A jump that transfers control to the specified address regardless of any condition (x86 JMP).

UNICODE – The character standard of the Unicode Consortium, developed between 1988 and 1991. Windows stores Unicode text as 16-bit units: characters in the first 65,536 code points take 2 bytes each, and characters beyond that range take two units (UTF-16). Early versions of the standard assigned roughly 39,000 of those 65,536 code points, about 21,000 of them to Chinese characters, and left the rest unassigned. In a disassembler, Latin text stored this way shows up with a zero byte after every character.

unpack – Restoring packed (compressed or encrypted) data to the original code.

unpacker – A program that undoes packing and recovers the original file.

unregistered – The state of a program that has not been purchased and registered.

UPX – A very popular packer for shrinking executable files that uses no advanced protection techniques. Short for Ultimate Packer for eXecutables.

virtual address – The address an application uses to reference memory, as distinct from the physical address it maps to.

virus – A program that replicates itself by inserting copies into program files and, by design, interferes with the computer's user. The harm a virus causes may be accidental or deliberate.

worm – A program that copies itself into the memory of each computer it reaches and spreads from one computer to another.

Yoda's Cryptor – Written by Danilo Bzdok. Its tricks include (1) erasing the PE header, (2) CRC checks (of the code and of the file), (3) an IsDebuggerPresent check, and (4) API redirection together with destruction of the import information. The source code is open.

Yoda's Protector – A protector derived from Yoda's Cryptor; development stopped at version 1.03.3. On top of Yoda's Cryptor's features it adds a process ID check via the GetCurrentProcessId API and calls to the BlockInput API, which stops mouse and keyboard input.

zero flag – The flag that records whether the result of comparing (subtracting) two values is zero (x86 ZF).
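As an added example (not code from the Cracker Guide), the Python script below reads the fields described under TimeDateStamp, TLS table and UPX straight out of a PE header: it prints the timestamp the way OllyDbg does (hex) and the way a PE viewer does (plain date), pulls the TLS data directory entry, and flags the UPX0/UPX1 section layout. The two images it parses are constructed inside the script and are not real binaries; the offsets are those of the PE32 format (e_lfanew at 0x3C, TLS at data directory index 9).

```python
"""Minimal PE header reader (added example, not from the Cracker Guide).

Extracts the fields the glossary talks about:
  - TimeDateStamp from the COFF file header, shown as OllyDbg's hex value
    and as the plain date a PE viewer prints;
  - the TLS data directory entry (index 9), which leads to the TLS callbacks
    that run before the entry point;
  - section names, to flag the UPX0/UPX1 layout UPX leaves behind.
The sample images at the bottom are constructed here; they are not real files.
"""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_TLS = 9            # index of the TLS entry in the data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def format_timestamp(ts):
    """Return (hex as OllyDbg shows it, human-readable UTC) for a TimeDateStamp."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return "0x%08X" % ts, when.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe(data):
    """Parse the DOS, COFF, optional and section headers of an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")

    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # NumberOfRvaAndSizes sits at +92 (PE32) or +108 (PE32+); the directories follow it
    nrva_off = 92 if magic == PE32_MAGIC else 108
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    dirs = opt + nrva_off + 4
    tls_dir = (0, 0)
    if nrva > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_dir = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)

    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        off = sec + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_pointer": raw_ptr,
                         "characteristics": flags})
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_rva,
            "tls_directory": tuple(tls_dir), "sections": sections}


def looks_upx_packed(info):
    """UPX names its sections UPX0/UPX1 (plus .rsrc); that alone is a strong hint."""
    return any(s["name"].startswith("UPX") for s in info["sections"])


def build_sample_pe(timestamp, tls_rva, section_names):
    """Construct a header-only PE32 image for testing (constructed data, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                       # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24 if tls_rva else 0)
    secs = b""
    for i, name in enumerate(section_names):
        hdr = bytearray(40)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, 8, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
        struct.pack_into("<I", hdr, 36, 0x60000020)            # code | execute | read
        secs += bytes(hdr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed samples: a plain build, and a UPX-style layout that also carries a TLS directory
SAMPLE_PLAIN = build_sample_pe(0x49AC7300, 0, [".text", ".data"])
SAMPLE_UPX_TLS = build_sample_pe(0x49AC7300, 0x3000, ["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("upx+tls", SAMPLE_UPX_TLS)):
        info = parse_pe(img)
        print(label, format_timestamp(info["timestamp"]), info["tls_directory"],
              [s["name"] for s in info["sections"]], "UPX?", looks_upx_packed(info))
```

Run it as a script to see both samples, or pass the bytes of a real file (open(path, "rb").read()) to parse_pe to inspect a target. Section names are only a hint, since a packer can name its sections anything, and the timestamp can be rewritten with a hex editor; that is exactly why the two are worth checking against each other.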
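The zero flag and unconditional jump entries describe the mechanism behind the most basic patch in this book: a conditional jump that depends on ZF is turned into a JMP, or into NOPs, so the result of the check no longer matters. The script below, an added example rather than code from the guide, decodes short (rel8) and near (rel32) x86 jumps, computes their targets, and applies both patches while keeping the displacement valid. The byte snippets at the end are constructed for the example.

```python
"""x86 jump decoding and the two classic patches (added example, not from the guide).

The zero flag is set when CMP's subtraction yields zero; JZ/JNZ read it.
An unconditional JMP ignores the flags entirely, which is why rewriting a
conditional jump into JMP (or into NOPs) is the basic patching move.
The byte strings at the bottom are constructed for this example.
"""
import struct

# Jcc rel8 opcodes 0x70..0x7F; the rel32 forms are 0x0F 0x80..0x8F in the same order
_CC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def zero_flag(a, b, bits=32):
    """ZF after `cmp a, b`: true when the difference, wrapped to the operand width, is zero."""
    mask = (1 << bits) - 1
    return ((a - b) & mask) == 0


def decode_jump(code, offset):
    """Return {'mnemonic', 'length', 'target'} for a jump at `offset`, or None.
    Targets are offsets into `code`, i.e. relative to a base of 0."""
    op = code[offset]
    if op == 0xEB or 0x70 <= op <= 0x7F:                    # rel8 forms
        rel = struct.unpack_from("<b", code, offset + 1)[0]
        name = "jmp" if op == 0xEB else _CC[op - 0x70]
        return {"mnemonic": name, "length": 2, "target": offset + 2 + rel}
    if op == 0xE9:                                           # jmp rel32
        rel = struct.unpack_from("<i", code, offset + 1)[0]
        return {"mnemonic": "jmp", "length": 5, "target": offset + 5 + rel}
    if op == 0x0F and 0x80 <= code[offset + 1] <= 0x8F:     # Jcc rel32
        rel = struct.unpack_from("<i", code, offset + 2)[0]
        return {"mnemonic": _CC[code[offset + 1] - 0x80], "length": 6,
                "target": offset + 6 + rel}
    return None


def force_jump(code, offset):
    """Make a conditional jump unconditional, keeping the same target and length."""
    j = decode_jump(code, offset)
    if j is None or j["mnemonic"] == "jmp":
        raise ValueError("not a conditional jump")
    out = bytearray(code)
    if j["length"] == 2:
        out[offset] = 0xEB                                   # Jcc rel8 -> JMP rel8, rel8 unchanged
    else:
        # Jcc rel32 is 6 bytes, JMP rel32 is 5: lead with a NOP so the displacement,
        # which is measured from the end of the instruction, stays valid
        out[offset] = 0x90
        out[offset + 1] = 0xE9
    return bytes(out)


def kill_jump(code, offset):
    """Replace a jump with NOPs so execution always falls through."""
    j = decode_jump(code, offset)
    if j is None:
        raise ValueError("not a jump")
    out = bytearray(code)
    out[offset:offset + j["length"]] = b"\x90" * j["length"]
    return bytes(out)


def branch_taken(mnemonic, zf):
    """Evaluate the flag tests this example models (ZF-based ones plus JMP)."""
    return {"je": zf, "jne": not zf, "jmp": True}[mnemonic]


# Constructed snippets: `cmp eax, ecx ; je +5 ; nop*5 ; ret`, and a near `jne -5`
SNIPPET_SHORT = bytes([0x3B, 0xC1, 0x74, 0x05]) + b"\x90" * 5 + b"\xC3"
SNIPPET_NEAR = bytes([0x0F, 0x85, 0xFB, 0xFF, 0xFF, 0xFF])

if __name__ == "__main__":
    j = decode_jump(SNIPPET_SHORT, 2)
    print(j, "taken when eax == ecx:", branch_taken(j["mnemonic"], zero_flag(7, 7)))
    print("forced:", force_jump(SNIPPET_SHORT, 2).hex(), "killed:", kill_jump(SNIPPET_SHORT, 2).hex())
    print("near forced:", force_jump(SNIPPET_NEAR, 0).hex())
```

The rel32 case is the one that bites in practice: `0F 85 rel32` is six bytes while `E9 rel32` is five, so the patch leads with a NOP and leaves the displacement untouched, because it is measured from the end of the instruction and that end does not move. Calling zero_flag with bits=16 shows why a CMP on 16-bit registers can report ZF=1 where the 32-bit compare of the same values does not.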

Cracking-related websites

(The links were checked on 3 March 2009. Some of them may no longer exist.)

(1) ARTeam

http://www.accessroot.com

(2) SND Team (Seek and Destroy)

http://www.tuts4you.com

(3) AoRE (Art of Reverse Engineering)

http://www.aoreteam.com

(4) BiW Reversing

http://www.reversing.be

(5) Unpack Team (Chinese)

http://unpack.cn

http://www.cracktool.com

(6) Team ICU

http://www.teamicu.org

(7) AHTeam (Alien Hack)

http://www.ahteam.org

(8) RETeam (Reverse Engineering Team)

http://www.reteam.org

(9) True Team

http://www.lastepidemic.net/

(10) Reverse Engineering Association (Vietnamese)

http://www.reaonline.net/

(11) Bl@ck Storm Reverse Engineering Team

http://portal.b-at-s.info/news.php

(12) Cracking Tools (Russian)

http://www.cracklab.ru

(13) Cracking Tools (Chinese)

http://www.pediy.com

(14) Disassembling Tools (Russian)

http://www.wasm.ru

(15) Arab Team 4 Reverse Engineering

http://www.at4re.com

(16) Other cracking-related websites

http://board.anticrack.de

http://www.secretashell.com/PEid/

http://www.alame.com/vb/

http://www.woodmann.com

http://reng.ru/board/

http://www.absolutelock.de

http://www.ibsensoftware.com


http://pro-hack.ru

http://azmoaore.reversedcode.com

http://www.securitylab.ru/tools/

http://ap0x.jezgra.net/

http://www.openrce.org/

http://www.encryptpe.com/

http://www.chinadfcg.com/

http://www.cracking.com.cn/

http://www.debugman.com/

http://club.myarc.cn/

http://www.ccgcn.com/

http://forum.exetools.com/

http://crackmes.de/

http://petools.org.ru/

http://www.pearmor.com/

http://www.chinadcm.com/

http://bbs.wmzhe.com/

http://ocn.e5v.com/bbs/index.php

http://bbs.chinapyg.com/

http://bbs.vxer.cn/

http://bbs.thulu.com/

http://bbs.crsky.com/

http://bbs.cniso.org/

http://www.cracktool.com/

http://bbs.crkcn.com/

http://bbs.hanzify.org/index.php

(17) Websites distributing cracked versions

http://www.appzworld.com

http://soft-best.net

http://www.directdl.com

http://www.enfull.com

http://www.lugarus.com

http://www.megauploaded.com

http://www.rapidshared.org

http://www.9iv.com

http://www.ddlcentral.com

http://www.inethouse.com

http://www.freeserials.com

http://www.phazeddl.com

http://www.appzplanet.com

http://warezall.com

(18) Forums distributing cracked versions

http://www.projectxwarez.com


http://www.projectw.org

http://www.projectws.org

http://forumw.org

http://forum.ru

(19) Programming websites

http://www.codeproject.com

http://www.functionx.com

http://www.ucancode.com

http://www.dreamincode.net

(20) Websites distributing cracks, serials and keygens

http://www.crackteam.ws

http://keygen.us

http://www.allseek.info

http://www.anycracks.com

http://www.bestserials.com

http://www.crack-cd.com

http://www.crackspider.net

http://www.cracksportal.com

http://www.freeserials.com

http://www.icracks.net

http://www.mscracks.com

http://www.thebugs.ws


References

(01) Basic Rules of Cracking – ParaBytes
(02) Cracker Definition – Invoker
(03) A Little Guide for Wannabe Reverser – Zephyrous
(04) The C Programming Language – Brian W. Kernighan & Dennis M. Ritchie
(05) PC Assembly Language – Paul A. Carter
(06) Win32asm Tutorial – Thomas Bleeker
(07) Assembly for Beginners – The Cyborg
(08) Assembly Tutorials – Ralph
(09) Win32 Assembler Coding for Crackers 1.1 – Goppit
(10) Assembler: The Basics in Reversing – Lena151
(11) The Wikibook of Reverse Engineering
(12) CrackProof Your Software – Pavol Cerven
(13) Disassembling Code: IDA Pro and SoftICE – Vlad Pirogov
(14) RCE Emphasizing On Breaking Software Protection – tHE mUTABLE
(15) Portable Executable File Format – Goppit
(16) Basic Nag Removal + Header Problems – Lena151
(17) In-depth Unpacking & Anti-Anti-Debugging, A Combination Packer & Protector – Lena151
(18) Serial Fishing Teleport Pro – nick123b
(19) Serial Fishing CD to MP3 Maker 1.15 – ThunderPwr
(20) KeygenMe Tutorial 1 – Ziggy
(21) Basic + Aesthetic Patching – Lena151
(22) Intermediate Level Patching, Kanal in PEiD – Lena151
(23) tElock + Advanced Patching – Lena151
(24) Win32 Programmer Reference – Microsoft
(25) Often Used APIs in Registration Schemes and Other – Lena151
(26) Reversing: Secrets of Reverse Engineering – Eldad Eilam
(27) Reversing Using the Program's Resources – Lena151
(28) ActiveMARK 5.xx (Dumping and Rebuilding) – SSIEvIN
(29) Unpacking Protections – Lena151
(30) Unpacking Advanced Packers – Lena151
(31) API Redirection – Lena151
(32) VB – Introduction to SmartCheck and Configuration – Lena151
(33) VB – Use of Decompilers and a Basic Anti-Anti-Trick – Lena151
(34) Info About P-code – Mahai
(35) P-code Instruction Meaning of Quick Fact – Nisy
(36) VB P-code Information – Mr Silver
(37) Delphi in Olly & DeDe – Lena151
(38) Insights and Practice in Basic (self) Keygenning – Lena151
(39) Java Target – ThunderPwr
(40) Cracking Java Programs – CodeRipper
(41) Reversing .NET – Kwazy Webbit
(42) .NET Reversing Tips – tKC
(43) Manual Unpacking .NET Applications – Newbie_Cracker
(44) Serial Fishing in .NET (Live Debugging) – zyzygy
(45) Removing StrongName Signature in .NET Applications – Newbie_Cracker
(46) Symbian Exploitation and Shellcode Development – Collin Mulliner
(47) Symbian Executable File Format – Antony Pranata
(48) Primer in Reverse Engineering Symbian 3rd Applications – argv
(49) Reversing Symbian S60 Applications 1.4 – Shub-Nigurrath
(50) Patching Packed Executables at Runtime Using Loaders – Lena151
(51) Basic Crypto Techniques – detten
(52) Keygenning MD5 – Nieylana
(53) Encryption Decryption Polymorphic Code – Lena151
(54) SVKP 1.4x (Finding the OEP, Dumping) – Teddy Rogers
(55) Bypassing & Killing Server Checks – Lena151
(56) Themida 1.9.1.0 – UnpackMe – hacnho
(57) Themida Unpacking – Joker_Italy
(58) Unpacking Themida 1.x – SubZero
(59) Themida 1.9.1.0 Help – Themida Team
(60) Manual Unpacking Yoda's Protector 1.03.3 – NhatPhuongLe
(61) Writing OllyDbg Scripts – Buzifier
(62) Anti-Unpacking Techniques – Peter Ferrie
(63) Anti-Debugging – A Developer's View – Tyler Shields
(64) Anti-Debugging Series – Tyler Shields
(65) Windows Anti-Debug Reference – Nicolas Falliere
(66) Anti-Debugging & Software Protection Advice – CrackZ
(67) An Anti-Reverse Engineering Guide – Josh_Jackson
(68) Anti Reverse Engineering Uncovered – Nicolas Brulez
(69) CheckRemoteDebuggerPresent() Windows API – ap0x
(70) Playing with RDTSC – Piotr Bania
(71) Thwarting Virtual Machine Detection – Tom Liston & Ed Skoudis
(72) The Art of Unpacking – Mark Vincent Yason
(73) Windows Internals – Mark E. Russinovich & David A. Solomon
(74) Microsoft Computer Dictionary – Microsoft