Главная Книга о Взломе

Kris Kasperski 2:5063/61.
8
��
��
- ��p�� p�� p��

�� p� ��
�� p��. �� p��
�� p��".
�. ��p��p� "�� "
�� p�� "��p" �� . �� p��

��p�� "��p�-��". �� p��,
� �� , �� .
��p�� p� �p�� , ��
�p�� p��, ��, �p��
�� p��.
�� , �� (� ��
��, �� ) �p�� p�� p��,
� �� p�� p�� p� ��-�p�� p��, � ��
�� , �� , �� p�� p
�� p�� p�� .
�p�� , �� .
� �� p�� p�� . ��p�� p ��
��p�� p� �p��p�� , ��
�� p�� p�� p��, � ��
�� .
�� p�� p�, �� p�� , ��p��
�p�� . ��
��p��, ��p�� p��
"�p�� p��p��". H�� p�� p��
�� . H� ��
�p�� p��p��
��p�� p��. �� p�� p��
�� p�� p�� p��p��p� �� p�� .
��p�� p�� p�� p��
�p�� p�� \�� . �� ,
�� p�� p�� ,
�� p�� p�� p��
�� p� �� p� �� .
� �� p�� p�� p �� p��, �� .
�� Intel �� p��, �� p��p� �� "��p��"
�� (�� p�� ).
��, �� p�� IBM �� p��
��p �� p�� p�� . ��p��, � �� p��
�� p�� p��.
��p� IBM-�� p�� p�� p�� p
�� , ��-��
��. �� p�� p��p�
��p�� p��p��p�. H� � ��
�� p��p�� , � �� p�p� �� .
��p�� p�� p��
WINDOWS NT, �� p�� p��
�� p��p�� .
�� p p�� WINDOWS 95\WINDOWS
98. ��p��, �� p��, �� , ��
�� p�� , �p�� p��
��p�� . � ��
��. �� p��p�� p�� p�� p��.
��, � �� p� �� .
H� �� p�� "��p��" ��p��
�� WINDOWS 9x - �� p� �� , � �� p��
��, �� p�� WINDOWS NT. �� p��
�p��, �� p�� p� �� .
��p�� p�� - ��, �� p��
�p��p�� p�� p��. ��
�� ? ��p�� p��, ��
�� p�� p��, �� p�� .
��p�� p��
�� - ��p��, ��p��, ��...
�� . � ��-�� p� ��
��p��p�� . � �� . �
�� p� �� p�� .
��p �� p�� p��. ��
�p�� , �� p��
�p�p��p�� p�� p��p�� -�� p��
��.
� ��
�� p��p��p�� p�� p��, ��
�� . ��
p�� p� �� 5 �� 10 �p��
�� p� ��p�� (�p� �� 50% �� p��
�� p�� ).
��, ��, �� p�� ,
�� "��p�� p�� ". �� p��p��
�� "�p��p� ��p��" (� �� p��p��
��) � �� "��" �� "��p��" (�.�.
��p�� ) �� p�� , � ��
��. �p�� "��p�� p�� " ��
��.
H��p�� , �� p��!
�� pp�p� �� p�� p��, ��
��p�� p��, �� , � � p��
��p�. �� p��, ��
��-�� . �p�� (� �� p��) ��
�� , � � ��, �.�. � �� .
�� p��p�� p� ��
�� . H�� , �p�� .
H� �� p� �p��
��. �� p��, � �� . �p��
�� , ��
��p� � �p�� p��, �p��
��.
�� p�� . � ��p�� p��
��p�� p�� "�� " ��
"p��p��" �� . ��, �� p��
�� p�� . ��
��, �� p�� p��
��p�� p�� ?
�� p�� , � ��
��p��, �� p�� p��p�� - �� . �p��
�� p��, �� , ��
��? �� ...
H��, � �� p�� p��, �� p��
�p�� p�� , � �p��
�� p�� p�� p�� p��p��. ��p��, ��, ��
�� p�� , �� p�� p� �� p��
�� p�� . ��
�� -�� p�� p��
� �� .
H�� . �� p��
�� p��p��. �� p��
��. �� , ��p�� ?
��, �� p�� p��p�� , ��
��, �� p��p ��
��, � ��p�� .
��p�� . �� p�� (�� p��
- �� p�� "��" ��
��p��) �� , �� p��
�p��. �� - �� p��
�� -�� p��. �� p��
�p��, � �� . H� �� p�� "��p��
�� p�� p��".
� �� p�� p�� p��, ��
�p�� , �� p�� . ��
�� p�� p�� p��
��. �p� �� p�� p�� p� ��p�� p��
�� p�� . �� p��
�� . ��, �� p� �� p��
�� p �� .
� �� p� ��
��p��. �p� �� p�� "�� ", �� ,
��p�� p�� ,
��p�� "��", �p��p��, �� , �� p��
�� p�� , �� -��p�� p��, �.
�. �� p�� p��. �p� ��
�� p�� "�� p��".
��p�� p��p�� p��
��. �p� �� p��
��. � ��, ��
�� p��, ��p� ��
�� p��.
�� , �� p�� , �� p
�� p��. ��p��, �� , ��
�� p�� p�� -�� -�� p��
�� .
�� p�� p�� - �� p��
�p��. �p�� p�� p��
��p�� . ��, �p��
p�� . �p� �� "��p��
��" � �� p��. ��p��, ��
��p�� p��p��p��.
H� � �� p��p�� . ��, ��
��p�� p� � �� p��p��p�� p��
�� p�� . �� p��
�� p�p��, � �� p��p �� .
��p��, �p�� p�� , �� . �
��p�� -�� p��. ��,
�� -�� p��, ��
�� p��.
�� p��p��. � � �� p��
�� p�� . �p��
��p�� .
Kris Kasperski 2:5063/61.8 13 Mar 99 15:16:00
��
��p��: �� p�� p�� p��p��

��p�� "�� \��p�� ". �p�� ,
�� -�� p��p��. �� p��
KPNC@Null.ru ��p�� p�� KPNC@Usa.net
��H��H�� H��
�� p��p�p�� p�� , ��

�� p��. �� p��p�� p��p��
p��p��, �� p�� p� �� . ��
�p�� , �� p�� p��p�� p��p��
DEMO-��p�� p�� . �� p� �� p��p��,
�� - �� p��. ��p��
��p�, �� p��, �� , ��
��, �� p�� , � �p��p�� .
�� , �� . ��
�p�� (��p��p, �� p
��p�p�� p�� , �� p��
�� ), �� p�� , ��
�� . �� p��
�p��, �p�� p��
�� .
��, �� p��, �� p��
�� p��. H��p��p, �p�� p�� p�� ,
�� file://CD/SRC/CRACK0D/Crack0D.exe �� p��
�� p��p��p��. �� p��p��
� p��p� p��p�� p�� p��
'Disabled'. H� �� p�� , �� p�� .
H�� p��p�� p��p��p�. � �p��
�� 'Symantex ResourceStudio 1.0', ��
�p��. ��p�� . ��
��p�� p�� p��p��, � �� p��, ��
�� , �� p�� p��p �� p��
�� p�� p��p�� p�� p�� . H��p��p, �
�� Borland Resource WorkShop ��
��p��. �� p�� p�� p��p� ��, �� p��p��
��p�� .
�� p��p�� p�� , ��
�� 'Disabled' �� 'Grayed', ��
��p�� . �� p��p��, �� p��p�� p��.
��! H� ��p�� p��
��p� � �� !
��, �� p ��
p�� p��. �� p��p�� .
�� p�� p��. ��, ��p�� , ��,
�� , �� p�� p��, �� p��p��
p��p�� , �� p�� API ��
EnableWindow(false). �.�. ��p�� p�� p��
�p�� p��. ��, �� p��
�� . �� p � �� p��p. ��
�� p �� p��p��, �� Customizer,
��p� �� "��" �� , � � ��
�� .
�� p�� p�� , ��
��p�� p�� p�� . ��
��p� ��p�� 'Registered' � �p��p�� p� ��
��. �� Registered p�� , � �� -��
��p�� p�� p�� , �� p��
��p�� p�� p��, ��p� �� p��
�� .
H��p��p, �� p�� crack0E. ��p��
p��p�� p��p�� , �� p��p��.
�� , �� , �� API.
��p�� p��p�� p�� customizer-�. � ��p��
�� , �� p��. H� ��p�� "hello".
�� p��p�p�� p�� p�� .
�� p�� p��p �� p��.
��, �� p�� , �� p��
��p�� .
��p�� MSDN � �� p�� "Disable Window". �p��
�� , ��p�� win32
API - EnableWindow. �� p��
�� p��p�� p�.
H� �� , ��, �� . ��
��p�� p��p��. � �� p��
��p�� p�� , �� .
��, �� "�� p��p�p�� " ��
��. �� p�� p� AfxMessageBox ��
��p��. �� p�� , � �� . ��
PE �� , ��p��p, � �� HIEW. ��
�� p�� p��p��, ��
�p��p�� PE ��.
H�� p�� "�� p��p�p�� ", ��
��p��, � ��p�� Hiew � p�� p�� . �
�� 0�00403030. H� �� p� ��p�� p��
�� , �� '30 30 40 00'. ��
�p��, �� . ��p�� p�� hiew-�
�� :
.00401547: 8B4660 mov eax,[esi][00060]

.0040154A: 85C0 test eax,eax
.0040154C: 7516 jne .000401564 -------- (1)
.0040154E: 6830304000 push 000403030 ;" @00"
^^^^^^^^^
.00401553: E8C2020000 call .00040181A -------- (2)
.00401558: 6A00 push 000
.0040155A: 8D4E64 lea ecx,[esi][00064]
.0040155D: E8B2020000 call .000401814 -------- (3)
.00401562: 5E pop esi
.00401563: C3 retn
��p�� p��. H��, ��

�� p��p��. ��, �� . ��
��. �� -�p�� p��, � ��
�� . ��, ��, ��
�� WindowEnable, �� p��p�� , ��
�� p��.
H�� p��, ��p� ��p�� p��p��. ��,
�� [esi+0x060] �� . H�� , ��p�� p��
��. �� p��, �� p��p��
��p��p�p��.
�� , �p��, �� esi �� p
�� p�� p�� . �� ,
��p�� , �� p�� p��. H� ��
�� , �� p��p��, ��
�� , �� p�� p��. ��, ��
�� p��, �� p�� , ��
��p�� . � ��
�p��.
H� �� p��, �� hiew �� p��:
.004013D3: 8B4C240C mov ecx,[esp][0000C]

.004013D7: C7466000000000 mov d,[esi][00060],00000
.004013DE: 5F pop edi
�� , �� p�� . ��p�� , ��
�p�� p��p�� p��p��. ��p�� p��
�� , �� . �.�. ��
��p�� p�� p�� p��p��. H�, ��
�� . ��p�� p�� p�� -
.004013D7: C7466000000000 mov d,[esi][00060],00001
� ��p�� p��p��. �� p��! H�� p��

��p�� p�� . �� (��p��-��)
�� . H� � ��
��, �� p�� p�� . �� .
�� p�� p��.
��, �� , ��
�p�� p��p�p�� . �� p��
� ��p�� p��p�� . ��p�� p��
�� , �� p��
�p��, p��p�� p��p��.
��p��, p��p�� p�� .
�� p�� , � ��
�p��. �� , �� p��p��, ��
�� . �� , �p��
��. � �� p�� , �� p��p��
�� p�� , � �� p�� p��
�� p��, �� p��p�� p��, �� p�� p��.
�� .
return SomeResult*(!FlagReg1 ^ FlagReg2);
�� p�� p�� p��, �� p�� !

�� p�� p�� p��. �� , ��p��p, ��
�p��p�� p�� p��, �� . ��
��, �� p��p�� p�� p��
��p�� p��p��. �� p� �� , � ��
�� -�� . ��
�� p��, �p�� p�� p��.
� ��, �p��p�� , ��
�� p�p�� p��p�. � p�� p�� Crack0F.
��p�� . ��p�� p�� .
��, �� , �� EnableWindow.
j_?EnableWindow@CWnd@@QAEHH@Z proc near ; CODE XREF: sub_0_401360+D4.p

; .text:004015CF.p
jmp ds:?EnableWindow@CWnd@@QAEHH@Z
j_?EnableWindow@CWnd@@QAEHH@Z endp
�� . �� p�� . ��

�p�� :
.text:0040142A mov eax, [esi+68h]

.text:0040142D lea ecx, [esi+0ACh]
.text:00401433 push eax
.text:00401434 call j_?EnableWindow@CWnd@@QAEHH@Z ;
� �� p�� p��:
.text:004015C8 mov eax, [esi+60h]

.text:004015CB lea ecx, [esi+6Ch]
.text:004015CE push eax
.text:004015CF call j_?EnableWindow@CWnd@@QAEHH@Z ;
��p�� , �� , '46 60', �.�. [esi+60] � '46
68'- [esi+68]. �� p�� p�� -
.00401385: C7466001000000 mov d,[esi][00060],000000000
.004012CC: C7466801000000 mov d,[esi][00068],000000000
��, �� . � ��p��

�� p�� . ��, ��
�� p��. �� , �� .
�� -�� p��, �� p��-��? H� ��p��
��:
--------------------�
+ �
� �
� �
� �
� �
� �
� �
� p�� pe �
L--------------------
�� p��, �� ? ��, ��
��p�� p�� p�� p��. � �� , ��
�� , �� p�� (��
�p�� ). ��
p�� (��p�� p��p��). � �� p��p� ��
�p�� , �� , ��, ��p��
�p��. �� p�� p�� p�� ,
�� p�� p�� .
��, p��p�� , �� p ��
p�� p�� p��, �� p�� p��p�
��. � �� , � �� p��p� ��p�p�� p�� DWORD -
[esi+60] � [esi+68]. H��p�� , �� p�� "��p��"
p�� . �� p�� - �� ?
��p�� '46 64':
.004015B3: C7466400000000 mov d,[esi][00064],000000000
�� ? ��p��, �... �p��!

�� p� �p�� "Hell0, Sailor!". �� !
��, �� p��p�� p�� p� �p� ��
��p�� :
s0.SetAt(0,s0[0]*(!RegFlag_1 ^ RegFlag_3));
H� �� p��p��, �� p�� ? H�

�� , �� p�� p�� p��
�p��p�� . �p�� , �� p��p��
�� p��. �� p�� p��p�� p��p��
��-�p��p�� .
��, �� p��
p��p�� . �� p��
�p�� p�� p� �� . H�,
�� p��.
��p�� p�� p��.
�� p�� p� �� p�� p��
(��p��p, �� ) �� , ��p��p��
�� p�� p��. ��
�� (��p�� , p�� ) ��
��, �� p�� p��.
��p�� p�� p��p�� , ��
��p��. �� p�� p�� . ��p�� p��
�� , �� , p�� p��
��-�p�� . ��, �� p�� p��p�� ,
�� p��p�� , � �� .
�� , �� p�� p��
p��p�� p�� .
��p�� p�� p��p �� : fiel:
//CD/SRC/CRACK10/Crack10.exe �� p�� p��p, ��p�� p�
�p� �� p�� p��p�� ,
��p��p�� -��p��.
H�� p�� :
.text:00401440
.text:00401440 push 0
.text:00401442 push 0
.text:00401444 push offset unk_0_404090
.text:00401449 call j_?AfxMessageBox@@YGHPBDII@Z
.text:0040144E xor eax, eax
.text:00401450 retn 4
.text:0040144E NagScreen endp
.text:0040144E
��, �� j_?AfxMessageBox@@YGHPBDII@Z, ��

��? ��, �� , ��p��
��. ��p��, �� p��, �� p��
�� retn �� -�� . �� p��
�� p��:
BOOL CCRACK10Doc::OnSaveDocument(LPCTSTR lpszPathName)

{
AfxMessageBox("�� p�� p��. ��, �p��p�� ");
return 0;
return CCRACK10Doc::OnSaveDocument(lpszPathName);
}
��, ��p�� p� � �� p��
�� . �� p��, ��p��, �� p�� , ��
�� p�� . �� p�� p��p��
��, �� p��p��.
��p��, � �� . ��
�� p � �p�� p�� . ��
�� p�� .
��p�� p��p� �� p��p� ��
�� p�� . ��
�� (� �� ?
) � � �� , ��
�p��p��, �� , p�� p��.
��, ��p�� p�� , �
�� p�� p�� exe-��. �� MS-DOS �� p��
�� p�� , �� Windows �� p��
��. �� p�� p�� p��. �
�p�� p�� windows �p�� .
H��p��p, �� DLL � �p�� . ��p��
p��p�� p��p�� p�� , ��
p��p�� p�� p��.
��p�� . ��p�� p��p�� , ��
�� .
.rdata:00403644 dd offset j_?OnOpenDocument@CDocument

.rdata:00403648 dd offset sub_0_401440
^^^^^^^^^^^^^^^^^^^
.rdata:0040364C dd offset j_?OnCloseDocument@CDocument
�� p�� p�� ? �p��p��, ��

MFC, �� p �� CDocumnet. ��
��p��, �� p��p�� p�� p� � ��p��
��p��p�� , �� p��:
401390 sub_0_401390 proc near

401390 push esi
401391 mov esi, ecx
401393 call j_??0CDocument@@QAE@XZ
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
401398 mov dword ptr [esi], offset off_0_4035C8
40139E mov eax, esi
4013A0 pop esi
4013A1 retn
4013A1 sub_0_401390 endp
� �� , �� sub_0_401440 �� p��

�� CDocument::OnSav�Document()! H� p��p�� p��
��p�� , � �� p�� .
� �� sub_0_401440 ��
OnSaveDocument? �� p��p��
�� p��p�� . �� IDA � ��
�� rdata. � �� OnSaveDocument � �� p��
��. ��, ��, �� DLL ��p��,
��p�� LoadLibray. ��, ��, ��p��
p�� . H� ��, �� .
��p ��p�� p�� p�� 0x10 ��
�� p��p��, �� "��p", ��p��
�� .
�� p��, ��
�p��p��p�� windows. ��, �p� ��p�� p��
�� p�� p��. �� p��,
�� GetProcAddress, � �p�� p��p�� .
�� p�� , �� p��. ��
�� p��, �� .
�� p� �� , ��
�� p��p�� p��. ��
��p�� PE ��, ��p�� , ��p��p, � MSDN. �� p��p� ��
�� . ��p�� crack10.exe � myfile.exe ��p� ��
HIEW 6.x (�� ) � ��p�� p��. � ��
p�� IMAGE_IMPORT_DESCRIPOR. ��p�� p��p� ��
��p�� SDK �� MSDN. �� RVA
(relative virtual address) �� p��p� IMAGE_THUNK_DATA. ��
��-�� . �p��p�� rva � �� p� PE ��
�� image base, ��p� ��
��.
�� p�� IMAGE_THUNK_DATA? ��
RVAFunctionName. H�� p��
��p��p� � �� p�� p��p�,
��p��p hiew. �� p��, �� PE �� p��, �
�� p�� p��p�. ��, �� p��
�� p��, �� . ��p ��
p�� , � �� p�� . �p��p ��
�� p�� p��p��
��p��\��p�� (��p��p PEKPNXE �p�� p��) � ��
��p��p�� p��, �� p�� .
H��p�� - p�� p�� PE �� p��
�� p�� p�� p��. ��
��p� WINDOWS �� WINNT.H, ��p�� p��
�� p��p�, ��, ��, �� p�� p�� .
�� p�� p�� .
�� p�� hiew. �� p��, ��
�� p��, �� p�� p�� p�� p��.
�� PE �� . ��
p�� DOS-�� , ��p� �� p��. �� PE
�� p�. �� (�� )
�� image base, ��p�� p�� ,
�� RVA, � �� p�� 0x400000, �� win32
��.
��p� �� p�� p�� . �� p��
��p��p�� (��p�� p��). �� p��p��
��p��p�, p�� OPTIONAL HEADER� � ��p��
�� p��. � �� p�� p��, ��
MSDN � wintnt.h �� p�� p��
�� p��
��p��. �� , �� p��
��p�� p�� , ��p��
�p�� p�� p��p��
�� , ��p� ��
��p�� p�� p�� p�
��p��, MicroSoft. H� �� ? ��
��, � ��p�� "�p��" - ��
�� p�� .
��, �p��, �� , �� p��
p�� p�� 0x40000+0x3A90=0x43a90. ��p��
p��p��, � �� p��p�� IMAGE_THUNK_DATA, ��p��
��p�� . ��p�� p��:
.00403E30: F6 3E 00 00-02 3F 00 00-16 3F 00 00-C6 3E 00 00

.00403E40: E6 3E 00 00-26 3F 00 00-44 3F 00 00-BE 3E 00 00
.00403E50: 6A 3F 00 00-A8 3E 00 00-9A 3E 00 00-86 3E 00 00
.00403E60: 36 3F 00 00-56 3F 00 00-D8 3F 00 00-00 00 00 00
��p�� -�p�� , �� -

�� - �� RVA ��. H� �� ,
��p��p 0x3EF6 - �� , ��
�� p��. �p�� , �� p�� p�� p��
��p��
��.
�� , �� p��
��. �� p�, �� p�� , ��
�� H� ��? �� p��, �� p��, ��
��p�� p��p�� . �� p��
��p�� :
0403F00: 6D 00 83 00-5F 5F 73 65-74 75 73 65-72 6D 61 74 m � __setusermat

^
0403F10: 68 65 72 72-00 00 9D 00-5F 61 64 6A-75 73 74 5F herr � _adjust_
0403F20: 66 64 69 76-00 00 6A 00-5F 5F 70 5F-5F 63 6F 6D fdiv j __p__com
0403F30: 6D 6F 64 65-00 00 6F 00-5F 5F 70 5F-5F 66 6D 6F mode o __p__fmo
�� , � �� p�� , ��,

�p��! ��, �� - ��
��, ��p�� p��p�� p�� p��
�� p�� . H� �� H�� - ��
p�� p��? �� , ��p�� MicroSoft
� ��p�� p��p�� p��. � ��
�� IMAGE_THUNK_DATA �p�� , �
��p�� p�� . �� p�� p��
�� p�� p�� . � p��, ��
�� :
.00403B00: B2 10 00 80-86 11 00 80-FA 09 00 80-D0 09 00 80

.00403B10: 63 16 00 80-52 0F 00 80-41 04 00 80-4F 14 00 80
.00403B20: 5C 09 00 80-12 0D 00 80-B4 14 00 80-B6 14 00 80
.00403B30: A5 0A 00 80-EF 0F 00 80-5A 12 00 80-BB 14 00 80
.00403B40: A9 14 00 80-52 16 00 80-A6 0B 00 80-4B 0C 00 80
��, �� WINDOWS NT MicroSoft ��p��

� �� p��,
� ��p�� p��p�� . �� p��
MicroSoft �� p�� . ��, ��p��
�� p��, ��
�p��p�. � �� p�� p��, �� "p�� MicroSoft" ��
�� p��, �� p�� p��. � �� windows � �� p��
��, � �� p�� p�� p�� "��". � � ��
�� - �� p�� .
�� p��p� �� p�� p��
�� p��
��. ��, ��p��p�� p��.
�� p�� p�� (�� ) � ��. ��
�� , � �� p�� p�� .
�� . RVA ��p�� p�� p��p� IMAGE_THUNK_DATA
p�� 0x3B00. ��, �� image base 0x400000, ��
�� 0x403B00. �� p��p�� ?
�� Name IMAGE_IMPORT_DESCRIPTOR, (��p��
�� ). � �� 'MFC42.DLL' ��
� �� OnSaveDocument. ��,
��
��. �� p��p��, �� . H�
�� IMAGE_THUNK_DATA �� . � ��
��p�� p�� (��p�� p��
��) � � �� p�� ?
��, �� . � ��
�� . ��,
�� , �� p�� p�� p��
��, �� .
��p� ��p�� p�� p�� p��p��
�p�� p��p��.
��p�� p��p�, ��p��p, �� p�� 0�404110. ��
�� p�� p�� 0�403E24 �� 0�403E6B � ��
�� . ��p� ��
��p��. H� �p�� pp��p�� p��
�p��. �� IMAGE_IMPORT_DESCRIPTOR �p�� RVA ��p��
��pp�� .
�� , �� , �� p��
p��. �p�� p�� p��p�� . ��
�� , �� p��, ��
"�� " PE ��, � �� p�� p��. ��
�� p��p�� :
.00403B00: B2 10 00 80-86 11 00 80-FA 09 00 80-D0 09 00 80

^^ ^^ ^^ ^^
.00403B10: 63 16 00 80-52 0F 00 80-41 04 00 80-4F 14 00 80
.00403B20: 5C 09 00 80-12 0D 00 80-B4 14 00 80-B6 14 00 80
.00403B30: A5 0A 00 80-EF 0F 00 80-5A 12 00 80-BB 14 00 80
.00403B40: A9 14 00 80-52 16 00 80-A6 0B 00 80-4B 0C 00 80
��, �� p��p�� p��. � ��

�� . H�� MFC42.map �� OnSaveDocument � ��
�� p�� p�� dumpbin ��
�p�� , �� p�� 0x1359. ��
�� . �� dumpbin, �� p��, ��
�p�� . ��, �� p��, � ��p��
�� . �� IMAGE_THUK_DATA? ��
��p� ��. H�� p�� p��, � ��
��? �� IMAGE_IMPORT_DESCRIPTOR -
�� , �� p�� , � ��
��p�� p�� p�� p�� p��
��p��p�� . � �� MFC42.DLL �� p��p�
p�� p�� 0x40300C. ��p�� , �� p��
��, �� p�� 0x40300C �� p�� p��
�� p�� .rdata �� ,
�.�. �� p�� p��
��, � �� . �� p��
�� p�� .rdata H� �� p��? ��p�� p��
��p�� , �� p��
�� p��. ��p�� :
.00403000: 8C 3F 00 00-78 3F 00 00-00 00 00 00-B2 10 00 80

^^
.00403010: 86 11 00 80-FA 09 00 80-D0 09 00 80-63 16 00 80
.00403020: 52 0F 00 80-41 04 00 80-4F 14 00 80-5C 09 00 80
.00403030: 12 0D 00 80-B4 14 00 80-B6 14 00 80-A5 0A 00 80
.00403040: EF 0F 00 80-5A 12 00 80-BB 14 00 80-A9 14 00 80
H� �p�� ? � �� p�� p�� p��.
�� p�� . ��p�� p��
�� p�� p��, � �� p��
��p�� p��p�� p��. � ��
�p�� CALL DWORD PTR [0x403010].
��, �� p��
�� ASCIIZ-��p�� p�� . ��
MSDN �� p�� p�� , ��
�� p��. �� p�� p windows
�� p�� p�� , ��
�� p��.
��, �� p��p�� p��
��p��, ��p�� p��
��. � � p��
�� "�� windows ��p�� . � ��
OpenFile �� , � �� p��. ��?" ��
�� p��p�� win32 ��, �� p��p
�� p��. �� . �� window 3.1
��p��, �� , ��
�p��p�� p��. H�� p!
�� , �� p �� p��
�� MFC, �� OLE � ActiveX � �� p��p��p��
�p�� - �� p��p�� .
�� - �� MicroSoft � ��
�� p��, �� (�� ) �� p��
�p��. �p��p�� p�� p ��
p�� p�� p��p�� , ��
��.
�� MFC � C++,
� ��p�� p�� p�� p�� p�� .
�� p�, � �p�� p�� . H��p��
�� win32 �� p�� , ��
�� p�� p��p� ��.��
��p�� p�� p�� .
�� p��. H� �� p�� .
�p��, � �� . H��, ��
�� . � �� , ��
�� p�� ... �� GPF.
� �� , �� p�� .
�� p�� , �� , ��
�� p��.
��p��, �� , � �� p��
��p�p�� p�� :
.004018D0: FF25C4314000 jmp MFC42.4612

.004018D6: FF2590314000 jmp MFC42.4610
.004018DC: FF2594314000 jmp MFC42.6375
.004018E2: FF2510304000 jmp MFC42.4486
.004018E8: FF2514304000 jmp MFC42.2554
.004018EE: FF2518304000 jmp MFC42.2512
.004018F4: FF251C304000 jmp MFC42.5731
.004018FA: FF2520304000 jmp MFC42.3922
.00401900: FF2524304000 jmp MFC42.1089
�� p��, �� , ��p� �

�� p��p��. ��, � ��
�� . H� �� , � �p�� , ��
��, ��. � ��p�� p��, ��p� ��
�� pp�� p��p��
� IDA.
��, �� p�� p��. ��
�� , ��
p�� ! �� p��.
�� p�� IMAGE_IMPORT_DESCRIPOR ��
IMAGE_THUNK_DATA, �� , �� , ��
��p�� . ��p�� p�� p��,
�� p��p�� . ��p��
��p� �� p�� p�� p��
p��p�� p�� .data - �� p��p�� , �
�� ... hiew "��p��" �� . �,
��, ��. ��, �� p�� windows ��
��, �� p�� p�� p��
� �� , ��p�� p�� p��p ��, � ��
�� p��. �� p�� null-��.
H� �� , ��
p��. H�� p��p��, �� MicroSoft �� p��
��p��, ��p�� p��p�� p��
�p��p�� (� �� p��) ��p�� p��p��
��pp�� .
� �p�� p��, p�� p� �� p��
�� p�� p��. � �p��
�� , ��
��p��p�� p�� p��
��, �� p�� p�� p��p��.
��p�� IMAGE_IMPORT_DESCRIPOR � ��
� �� Import Directory. ��p� ��
�� . H�� p�� , ��
��. �� p�� 'MFC42.DLL', � ��
�� . ��
��. �� :
.004041D0: 4D 46 43 34-32 2E 44 4C-4C 00 00 00-00 00 00 00 MFC42.DLL
��p��, �� p��p�� . ��p� ��

�� IMAGE_THUNK_DATA, ��, "��" �p�� , ��
�� .
.004041E0: 59 13 00 80-00 00 00 00-00 00 00 00-00 00 00 00 Y. �
��, �� 0x1359 �� p��p�� OnSaveDocument, �

��p�� 0x8000 ��, �� p��p�� p��.
�� p��, ��
��. H� ��p� �� , �� p��
�� , �� p�� p�� ,
�� p��, � ��
�� p��, � ��p�� p��
(IMAGE_THUNK_DATA). �� p��p��
�� IMAGE_IMPORT_DESCRIPOR.
��, �� p�� p��. ��p��
�� .rdata, � ��p��
��. �� , �� p��, ��
�� p��p�� p��p��. �� , ��
p�� p�� p��p��
�� . � ��, �� . ��
��, �� .
0403FC0: 57 69 6E 64-6F 77 00 00-55 53 45 52-33 32 2E 64 Window USER32.d

0403FD0: 6C 6C 00 00-AA 01 5F 73-65 74 6D 62-63 70 00 00 ll �._setmbcp
0403FE0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0403FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
�� pp��p�� IMAGE_THUNK_DATA. �� p��

�� -
0404160: E0 41 00 00-00 00 00 00-00 00 00 00-D0 41 00 00 pA �A

0404170: E0 3F 00 00-00 00 00 00-00 00 00 00-00 00 00 00 p?
�� dumpbin, �� p�� p��.
MFC42.DLL
403FE0 Import Address Table
4041E0 Import Name Table
0 time date stamp
0 Index of first forwarder reference
Ordinal 4953
�� p�� 0x403FE0, �� p��

� ��p�� p�� OnSaveDocument. �p��p��, ��
�� . �� p�� (�� u � soft-ice) ��
p�� . �p� �� p�� p�� .
�� , �� p��. ��
��. �� p�� , �� p��p��
OnSaveDocument. �� p�� . ��p�� p��:
.00401440: 6A00 push 000

.00401442: 6A00 push 000
.00401444: 6890404000 push 000404090
.00401449: E812070000 call AfxMessageBox
.0040144E: 33C0 xor eax,eax
.00401450: C20400 retn 00004
��, �� p�� p��p �� p��:
.00401440: FF742404 push d,[esp][00004]

.00401444: 90 nop
.00401445: 90 nop
.00401446: 90 nop
.00401447: 90 nop
.00401448: 90 nop
.00401449: 2EFF15E03F4000 call d,cs:[000403FE0]
.00401450: C20400 retn 00004
�� p�� SDK. �� p��
virtual BOOL OnSaveDocument( LPCTSTR lpszPathName );
�� push dword [esp][00004], ��

��. �� , ��p�� 0x403FE0 �� p��,
�� . � �� ! ��
��. �� . �� p��
��p�� . �� p��
�p��p� � ��? �� p�� MFC ��
�� p�� p��p�� p��p��. ��
��?
H� �� , �� p��p��, ��
��, �� p� ��p�� p��, � ��
�� ... �� DLL, � ��
�� p�� . �p� �� p��
�� , ��p�� p��p��
��. �� p�� p�� p��p�� (��p��p, MS
VC) � �� , �� MFC �
��-�p��p�� ++. �� p�� p�� -�p��
�� p��.
�� p�� exe �� MS-DOS ��
��p. � �� p�� p�� (p��, ��
�� ), � � �p�� . �p�� , � windwos ��p��
�� p�� p�� p��p��, �.�. ��
�� p��, � ��-�p��p�� (��p��
��p�� p��) ��p�p�� p��p��
��p��. ��
��, ��p�� p�� .
�� , �� p��p�� p��
�� p�� p��, �� p�� p��p� ��
�� . ��, �p� ��p�� p��p�� p��,
��p�� p�� p�� p��. ��, �� p�� p��
�p��p�� p�� p��p�p,
�� p�� p�� p��. �� , ��
�� p��p�� p��, � p�� "�
�� p��-�� p��".
�� , �� windows �� p��
�� p�� , ��
�� . ��p��, �� p��p�� p��
�� , � �p��
p�� p�� p� �� p��. ��p��, �� ,
��p�� p�� p��p� ��p��
��p��, �� .
��p�� p��p�. ��p�� . �� p��
�� , � �� p�� p��. ��, �� p
�� p��p�� p��p��. ��-��
�� p�� p��? �� , ��
�� . H� �� p��
��p�� IDA, � �� p�� hiew-��.
�� p��, �� p�� ,
�� . �� p��
�p��:
.00401410: 8B442404 mov eax,[esp][00004]

.00401414: 8B5014 mov edx,[eax][00014]
.00401417: F7D2 not edx
.00401419: F6C201 test dl,001
.0040141C: 7411 je .00040142F
^^^^^^^^^^^^^^^^^^^
.0040141E: 6A00 push 000
.00401420: 6A00 push 000
.00401422: 6854404000 push 000404054 ; << ��p��
.00401427: E834070000 call AfxMessageBox
.0040142C: C20400 retn 00004 ;"
.00401430: 8B4130 mov eax,[ecx][00030]
.00401433: 8B4808 mov ecx,[eax][00008]
.00401436: E81F070000 call Serialize
.0040143B: C20400 retn 00004
MFC-�p��p�� p�� p��. �� p��

�� , �� edx �� p�� , �� . ��
�� p�� . � �p�� p��
��:
void CCRACK10Doc::Serialize(CArchive& ar)
{
// CEditView contains an edit control which handles all serialization
if (ar.IsStoring())
{
AfxMessageBox("�� p�� p��. ��, �p��p�� ");
return;
}
((CEditView*)m_viewList.GetHead())->SerializeRaw(ar);
}
��, �� p�� p��

�� . �� p�� p�� ret. ��
�� -�p�� "p��", �� . ��
�� p��p�� . ��
�� p��, �� p��p�� nag-screen-��
�� p�� p��p�� p�� p��. � �p��
��p�� p�� p��p� ��
��. ��
��p��.
��p�� p�� ret, �� , �� nop. � ��p��
�� p�� p�� p��p��. ��, �� p��p��
�� p�� , �� GPF - "�p��p��
�� pp�� p�� p��". � �� ? �
��p�� p�� , ��
�� p��p�� p��. �p��
��p�� p�. �� AfxMessageBox �� p��
p��p�� eax � ecx, � ��, p�� , ��
�p��, �� p�� . ��, ��
��p��, �� , ��
��. �� p��, � �� - �� p� �� push
� pop, �� -�� p�� . ��, ��
��p�� p��p��. ��, ��,
�� , ��
�p��, �� p��
�� ? � �� , �� p�� not, � jz �� jnz ��
�� , �� p�� , �� p�� p� p��p��. ��, ��
��p�� pp�� p��, �� push p��
"��" ��. � �� p��:
.00401417: 50 push eax

.00401418: 51 push ecx
.00401419: F6C201 test dl,001
.0040141C: 750E jne .00040142C
.0040141E: 6A00 push 000
.00401420: 6A00 push 000
.00401422: 6854404000 push 000404054
.00401427: E834070000 call .000401B60
.0040142C: 59 pop ecx
.0040142D: 90 nop
.0040142E: 90 nop
.0040142F: 90 nop
.00401430: 8B4130 mov eax,[ecx][00030]
.00401433: 8B4808 mov ecx,[eax][00008]
.00401436: E81F070000 call .000401B5A
.0040143B: C20400 retn 00004
��p��, �� p��! ��, �� p��
� �� p��. ��p��
�� .
��, �� p�� - ��
��p�� p��p��, �� . ��, ��
�� , ��p��
��p�� p�� . �� ? �� p��p�� p��
� �� p� ��, � �� p��
�� !
��, ��p��, ��, �� ,
�� . H� � � �� p��
�� .
H�� p� �� p�� . �� p�� p��.
��p�� p�� . H� ��-�� p��
�� p��, �� p��
��.
Kris Kasperski 2:5063/61.8 12 Feb 99 00:51:00
��
�� p�� p��p�,

�� , ��
�p�� p�� , � �� p��
��, ��p�� p��.
�� p��, �� . �� p��
�� p�� "��p��" �p��, ��
�� ! �� p��, �� p��
p��p�� (� p�� ?) �p�� p��
�� ! �p�� arj �� p��
�� p�� ~2^24 ��p��, �.�. �� ~17.000.000
��p�� p��. ��p�� p��p� � �p��p��
�� MS VC �� 30.000 ��p��/��. ��p��
��p�� 600 �� (10 ��), �� p�� p�� p��
p�� p�� 64 �� :( H��
��p�� p��, �� .
�� - �� p��, ��
�� p��?
� �� , �� p��. � �p��p��
�� , � �� 200 ��. �� :( ��
�� , �� , � ��p��p�� -��. � ��
�� p��, �� p�� p��. �� p� � ��
�� . � �� p�� - � ��
�p�� ? �� , ��, ��, ��
��p��p�� p��, �� p�� . H��
� �� , "��p�" �� , � ��
�� p��...
�� , �� p�� p��
��. �� p�� ?
�� , �� p�� , ��
�p� �� p��. �� (��, ��, ��) �p��
�� . �� p�� - �� ?
2.2 �p�� p��.
" - �� , ��

�� ,-
�� .
- �� p�� ,
�� p��
��p��
��."
�. ��p��p�. "��"
�� p�� p�� p��

��. �� p� �� p��.
H��p�� p�� :
if (!IsValidUser)
{
Message("Invalid user! Aborting...");
Abort;
}
�p��p�� p�� p�� :
CALL IsValidUser
OR AX,AX
JZ continue
^^^^^^^^^^^^^
PUSH offset str_invalid_user
CALL Message
CALL Abort
continue: ; ��p�� p�� p��p��
...........
� �� p�� .��

�� p�� JZ continue �� JMP continue ��
p�� p��p��. H� �� p��
IsvaldUser - �� p��p�� p�� p�
��p�� p�� p�� p��
�p��p��. H� �� p�� p��p�� :
IsValidUser;
if (!true)
{
Message("Invalid user! Aborting...");
Abort;
}
�.�. �� {...} �� p��! H� ��

�� p��, �� p��
��p��. � �� p��p�� p��.
�� p��, �� p�� , �p��
��p�� p�� ... ��, ��
�p�� p� �� . �� p��
�� . � � �� p� IDA, ��
Soft-Ice � p�� cup386 ��
�p��p�� , �� p�� p�� .
�� , �� p�� ,
�p��p p�� p�� p��
��p�� p��p�� p��
�p��p��, ��p� "��p�� " �� p��,
�� . �� p�� p��
��, � ��p�� , ��p�� p� ��p��
��. �� p�� p��, �� p��
�� p��, ��p��
�p��.
�� p��. ��p�� , ��
p��, ��p�� . ��
�� p� �� p�� p��p��
��, �� p �� p�� , � ��
�� p� �� p��-�p��.
�� p�� , �� p��p��
�� p�� . H� �� p��
�� p� ��. �� p��p��
�� , ��
��.
��, �� p��, �� , p��p�� p��
�� p��p��. �� p��, ��
��p�� p��. �� p��
�p��? H� �� p�� p��
��, ��p��p, ��p�� .
�p�� , �� p��
�� p�� p�� p� �� . ��
�p�� p�� p� � ��
p��p��p�� p��p�� p�� p��
�p��. �p�� , ��
�� p��p ��, � ��
��. �� p�� p�� -�� p��.
��p��, �p�� p�� p��
�� p��p�� . ��p�� p�� p��p��
��p�� p�� .
�� p��
��p�� . ��, ��
p��p��, �p�� p�� , �� p��
�p�� p�� . ��p��, �� , �.�.
�p�� p�� . �p�� IDA ��
��p �� p�� p�� . ��
��p��, �� p �� p��p��.
H��, ��p�� . �p�
�� p�� p� � �� p�� p�� p��!
��, �� p��, �� p��, ��, ��
�� p�� p�� !
��, �� p�� p��
��p�� xor. �� p��. ��p��
��p�� p�� . ��p�� p��
��p�� , �� p�� p�� . ��, ��
a xor b xor a = b.
�� p�� p�� a � b � ��

��:
a\b � 0 � 1
-----+---------------------+---------------------
0 � 0 xor 0 xor 0 == 0 � 0 xor 1 xor 0 == 1
� �
1 � 1 xor 0 xor 1 == 0 � 1 xor 1 xor 1 == 1
�
��, �� xor �� p��. �p�� a � b ��
�� 0,1. ��, �� p�� p�� p��
�� . �� p��p� XOR word, const ��
�p�� word xor const, � �� p��
�� p�� p��.
��p� ��p�� , �� a xor 0 == a; a xor 1 == !a. �.�.
�� p�� . ��
p�� p�� , � ��p��
p��p�� p��. � �p��p�, 00001111b (0xF) �� , �.�.
�� p� ��p�� p��, ��
�� (�� ) �� p. �� 01010011
�� p�� p��p��
��p��, �� p��.
�� p�� - �� . � ��p��

�� p�� p�� p��, ��
�� . �� , ��
��, �� p�� p��.��
�� p�� p��, �� p�� . ��p ��
�� p�� p��p��
��. �� p��.
�� p��p��, ��
�� p��p�� . �p� �� p��p� ��
p��p��, � �p� �� p�� . ��
�� p, ��p�� p��p�� p��, ��
�� , � �p�� .
�� p��p� ��p�� p��p��. �p��
�p��p�� p�, �� p��
��, �� , �� p�� , �
p�� p�� .
��p�� p�� p��p (file://CD:/SRC/Crypt00.asm).
LEA SI,beginCrypt ; ��p�� p��

Repeat: ; <-----------------------------�
XOR Byte ptr [SI],077h ; ��p�� p��
INC SI ; ��p��
CMP SI,offset endCrypt ; ?��
JNA Repeat ; --{SI<=offset endCrypt}-------
�� p��p�� p�� p��

��p�� p�� [offset beginCrypt,offset endCrypt] �� xor 0x77. ��
�� HIEW, ��p�� IDA ��
�p��p�, ��p� �� .
------------------------� ------------------------�
� � � �
� p�� p1 � � p�� p2 �
L------------------------ L------------------------
��p� �p�� p��. ��p��

�� , �� p�� "Hello,Wordl!".
�� p�� p��
�p�� p��, �p�� p��p�� .�.
��p�� p�� p��p��. �� p �
�� .
1AEF:0100 BE0D01 MOV SI,010D

1AEF:0103 803477 XOR BYTE PTR [SI],77
1AEF:0106 46 INC SI
1AEF:0107 81FE2401 CMP SI,0124
1AEF:010B 76F6 JBE 0103
1AEF:010D C3 RET ; < �� p��
1AEF:010E 7ECD JLE 00DD
1AEF:0110 62 DB 62
1AEF:0111 76BA JBE 00CD
1AEF:0113 56 PUSH SI
1AEF:0114 B43F MOV AH,3F
1AEF:0116 121B ADC BL,[BP+DI]
1AEF:0118 1B18 SBB BX,[BX+SI]
1AEF:011A 5B POP BX
1AEF:011B 57 PUSH DI
1AEF:011C 2018 AND [BX+SI],BL
1AEF:011E 051356 ADD AX,5613
1AEF:0121 7A7D JPE 01A0
1AEF:0123 53 PUSH BX
�� p��p�� ? ��
�� ?
�� p�� p IDA, ��p��
��p�� -�� . �� p�� (file://CD:/SRC/crypt00.
idc) �� . ��
�� : idax -Scrypt00.idc crypt00.com
��p�� p��:
for (a=0x10D;a<0x124;a++) // �� p��

{
c=Byte(MK_FP(0x1000,a)); // ��
c = c ^ 0x77; // ��p��
PatchByte(MK_FP(0x1000,a),c); // �� p��
}
�� p�� p�� p��p��, � ��

p��. �p�� p��p�� p�� p�� , ��p��
�� IDA �� p��. ��
��p�� p��. � �� , ��
�p�� p�� p� � ��p�� p�� . ��
�� p��p�� (� ��
�� ). ��p�� p�� p
� �� , ��p�� .
�� , �� 32 ��

0x100000000 ��p�� p�� p�� p��p�. � ��
�� 64 ��?0x10000000000000000 ��p�� p�� ~30000 ��
�� p��p� (� �� p��).
�� p��
�� , �p�� ... �p��
��p��, �� p�� p��! ��
�� p�� p��
�� . �� , �� p��
��p�� p�� . � ��
�� p�� A � A' �� p��. ��
�p��, �� , �� p�� . �p��
��, �� p�� . �� p�� , ��
�� A'?
---------------�
L--------------- ,
T�T-------------T�T----- - - -
+---------------+------- - - -
� �
�<---- L ------>�
�� p�� AA. ��, ��

�� "��" � �� A^2 ��. � �� "��"
p�� p��? �� L, � �p�� R. ��
�� L �� p�� R. ��
��p�� p�� . �� p��
�p�� ' p�� #A/#A^2 == 1/#A, �� # - ��
��.
��, �� p�� , ��p��
��p�� p�� L �p�� p��, �� L �� p�� .
�� p�� p��
��, �� p��
�� , ��p�� p�� p��p�� p��
��. �� #A p�� (!) � �� . � ��p��
�� , �� p�� . �� p�
�� p�� . ��
�� p�� p��p�� . �� p��
p��, �� . �� p��, ��
�� p�� p��p�� p�� p�� . ��
�� p�� p��, �� (��
�p��) �� p��p � �� p�� p��.
�� , ��
�� 64+1 �� p��
��. ��p��
��. H� �� ? �� ?
H��p��p, �� p�� p��
��, ��p� ��p�� , � �� p��p�� (��
�p�� , p��). �� p��
�� p��p��, �� .
��, ��p ��
��p �� p�� p� � ��
��p�� , �� , ��
�� . ��p�� p��? �� (�� p� - �
�� p�� ). �� p�� !
�� , �� -��
�� p�� , �� p��
��p��! � �p� �� p�� p�� p�� L ��
��.
��p�� - �� s0 �� p��
��. �p�� p�� p��
�� H�� , �� . ��
��p�� , �� p�� #s0. �� s0 ��p��
��p��, �� p��. ��,
��, �� p�� p��
��. �� p�� s1 � ��p��
�� p��. ��p� ��p�� f(s0) � �� f(s1)
��. ��p�� , �� p��. � ��
��p�� , �� p��
�� p�� p��. ��
�� p��, ��p�� , ��p�� p��
�p�� p�� p�� (�� p�� ).
�� p�� p��
�p��, �� p��p�� . � ��
�� p��
��p��. �p�� p��.
� �� p� �� p�� p��! � �� p - ��
�� p�� p�� p�� .
�� p��.
�� . ��
�� p�� p�� p�� , ��
�� Sn, ��p�� p��
�� p��!
�� crackMe03 (�� )
�p� �� p ��, �� p��p��

p��, � �p�� p��. � �� p��p� � ��
p��p�� p��p�� crackme0.com (file://CD:/SRC/Crackme.com).
��p�� p��p�� . ��,
�� p�� p��.
CalcCRC: ; <--------------------------------�
LODSB ; �� p��
ADD AH,AL ; ��p��
LOOP CalcCRC ; --{CX}----------------------------
�� p��p� �� CRC � �� p��. CRC �� p��

�� p��. �� p�� CRC,
�� p�� -��
�� p��.
LEA SI,Crypt ; H� �� p��

Decrypt: ; <--------------------------------�
XOR [SI],AH ; ��p��
INC SI ; ��
CMP SI,offset Buffer; ?�� p��p��
JB Decrypt ; --{SI<offset Buffer---------------
��p�� p��p�� p�� p��!

�p�� 0x100 (256) ��p�� p��p��! H��p��
�� p��p�� . ��
(0x1000) �� p�� p�� !
�� p��, �� p��p��p�� p�� p��
�p��p��. ��, �� p� ��! ��
��p��p�� p��, � �� (�.�. �� -��), ��
��p�� p�� . ��
��p�� (0x100000000). ��
�� p��, �� p��p� �p��-�� .
�� p�� p�� , �� p��
�� 167 ��, �� p�� p� ��. �p��
��, �� ? �� p�� p��p� ��,
�� p�� p��.
�� p��p �� p�� p��
�� p��p�� p��. �p��p��, ��,
�� p��p�� p��
CRC �� p��, �� p��p�� . ��p�� :
CmpCRC: ; <--------------------------------�
DEC SI ; ��
ADD CL,[SI] ; ��p��
CMP SI,offset Crypt ; ?��
JNB CmpCRC ; --{SI>offset Crypt}---------------
CMP CL,0C3h ; ?�� CRC ��p��

JZ Crypt ; --CRC OK-->
; �RC FAIL
�� p��p�� p�� . ��

�� -��p�� -�� . � ��
p�� 0xC3.
��, �� p�� p�� p��p��, �p�
��p�� p�� ? ��, ��
��! � � p�� p�� p��p�� "��" ��
��p�� p��! ��, �� p� 32-�� p��
�p�� , � ��p�� p��
�� , �p�� p��p�� p��! �p� ��
�� p�� p��p�� p��
�� p��. ��p�� -�� !
��p��, �� p��, �� p��,
�� , �� p��p��. ��,
�p��, �� 1% ��p�� p��, ��
�� 0x10000 (65536) �� 655 ��p��, � �� 0x10000 ��
42.949.672! ��p�� , �� p�� p��p��
��p�� p��!
��, �� p��
�� . H� �� ? ��
�p�� p�� , �p��p��
��p��, �� p�� p��... H� ��
�� p��! � � �� (�� p�� p��) ��
�� p��, �� p�� p��
�� .
��p�� p��! �� p�
�p��. ��p� �� p�� . �p��p��
�� p�� . � �� , ��
�� p�� , �� p��
��p�� p�� ! �� p�� xor:
X xor Key = Y, Y xor Key = X, �� X xor Y = Key!
� �� p��p� � �� p��

�� p�� , �� Key, ��p��
�p�� p�� . H� �� -��
�� p��? ��, ��, �� !
��, �� p��, �� p�� p��
�� !
�� p��, �� p�� p�� p�� p��
INT 0x21. �� -�� 0x21CD (�� p� ��p��
��p�� ?) �p�� , � ��
�p�� . � �� p�� X xor Y = key ��
�� X, �� key, �p� ��p�� Y �� . �� #Y > #Key, ��
�� X1 xor Y1 == X2 xor Y2 == key!
�� , �� p��
�p�� p��, ��p�� . � �� hiew
��p�� p��p�� p�� p�� p�� p�� XOR 0x21CD.
--------------�
� p�� 4 �
L--------------
00000030: C3 74 08 B4-09 BA BE 01-CD 21 C3 B0-B5 E4 BB A9

00000040: 00 20_20 2E-0C E7 51 8C-72 9E 76 82-73 89 21 A2
00000050: 4A CC^01 E7-25 7D 01 CD-21 CD 00 00-00 00 00 00
00000060: 00 00�00 00-00 00 00 00-00 00 00 00-00 00 00 00
�
��p�� 0x2020. � �� p��
�p�� 0x21CD, ��p�� 0x20!
�� , �� p��. ��
�p��
��. � �� , �
�� ? ��
�� p�� (� ��
��p��), �� p�� p�� p��! ��,
��, �� p��
��. �� ? � �� p��
�p�� , �� p��. � �� p��p� ��
�� 0xA0D - ��p�� . �� p��, �� p��p ��
��-�� p��, ��p� ��p�� p�� p�� p��. ��
�� p�� p�� , � �� p��
�� - � �� p�� p��p��
�� . H� �� , � ��
�� p��p��p��! �� . � ��
�� p�� p��p�. �� , �� (c),
Copyright, OK, Cancel, Yes, No... ��p�� p��, �p��+
�� .�.
�p�� , �� , �� CRC �� ,
�� p� ��p�� -
�p��. � �� p�� p�� p��
��p�� , �� p� ��
�� . �� p�� p��
�� p� �p� �� p�� (��
p�� ) p�� !
� �� p��p� �� 0x20. ��
�� p��, �� p�� p��:
----------------------�
� �
� p�� 5 �
L----------------------
� �� HH�� ? �� p��? ��
�� xor 0x20 ��p�� p�� p��p
��p�� p�� . � �� p��
��p�� p��, ��p�� p��
�p��. �� p�� . � ��p� �� , ��
0x20 - 100000b, �� p�� , ��
�� ! �.�. ��p�� .
��p�� p�� p��p�� , �� - ��.
��, �� p�� , ��
�� p�� , � ��p��
��.
ORC
� �� p��.�� p�� p��

� ��p�� "��" ��p��. �� p�� p��
� �� p��. �� p�� p��
� �� p�� p�� p�� p � ��,
� �� p� �� p�� p�� p�.
L= 12-02-99 = 23:04:07 =
HOW TO CRACK, by +ORC, A TUTORIAL

=================================
[�� 1: ��H��] [PoolDemo.exe]
"""""""""""""""""" """"""""""""""
�� p�� (�.�. �p��p�� , ��
��p�� (�p��, ��) ��
�� p� �p��p�� )
�� p�� p��, �� p��,
��p�� .
� �� p� �� p�� p��. H�
��, �� p�� ... ��p��
��p� �� p��: �� p��
"��" �p�� {�� trick - ��p��, �p��. �� p��
�� p�� p��}, �� p�� p��
�� p�� p�� (� ��p�� ) ��. ��
��: H�� "��p��" �p��p�� (��
�� "�p��" {��p� �� -"protectionists" �� p��
�p�� "��" �p��p��} �� p��: ��
�� p�� (�� , �p��
��p��) �� p��p�� . ��
"��p��" ��p��, �� p�� ,
p�� p�� , �� p�� p�� p��
�� . �� "��p��" �� p��
��p��, ��-�p��p�� , � ��p�� .
�� "��" �� (�� p�� 3),
�� p��p� �� "��p��" �p�� "��p��"
��. �� p��
��. � �� . � ��
�� p��p�� p��
�� p�� p��.
�� p��p��. �� p�� p��
"� �� -��" �� p��
p��. � �� , �� , ��
��p�� . � �p�� p��, �� p��
p�� p� � �� p�� p�� , ��
�� p�� p�� p�� . (��
�� , � �� p��
�p��p��, �� ).
�� p�� :
v ��p�� p� (�� , ��

��p�� )
v ��-��
v H�� p��p� { ��p��p, �� :) }
�p��, ��

��p��:
v �� p�� (�p�� )
v �� (�� p�� )
v �p��, ��p�� (�p�� )
v �p�� p�� p�� ( �� p��

�� p�� )
v �� (��p�� p��)

v �p�� CD-ROM� (�� p�� )
v �� (�.�. ��p�� , ��

��p�� (XOR & SHL) (�� p�� )
v �� p��. (�� )
�� STUFF]

""""""""""""""""""
�� p�� p��p�� "DEMO" ��p��
��p�� p��p�! {� �� . H��p��p "��
�� 97" - �� } H��
�� , �� p�� p��
�� {�� H��. ��, �� ...} �� CR-ROM�
�� p�� p�� (��p�� ), ��
��-�� p�� (�� p�� ). ��
�� p��p �� p��p��! ��! H��
�� LOTUS {�� p�� } �p�� (�� M$
�� WordPrefect) �� "�p�� 30 ��" �� "20 ��" p��.
�� , �� \��
��-�� web �� p��, ��
�� $$$ �� .
�� p�� p��! �� p��
�� p��p��, �.�. �� "��p��" � �� , ��
�� H� �� p��, ��p�� p�
��, ��p�� . ��p�, ��p��, �� p��
�� p� �� 35.000-��
�� , �� p� ��p��
DDL��, ��p�� p�� 2.000.000 �� . ��
"��p��" �p��p��, �� p��
�� "��p�� p�� p��" ��. ��
�� p��p��p�� p�: �� p��
"��" ��p�� , �� Visual C++ {�� MS VC ��
�� . �� , �� MFC} (H�
��... � �� p� �� p�� p��)
�p�� p�� p� "p�� p��" ��p, �� p��
�� H� �� , ��p� ��
��p�� p�� (� ��) ��p�� p, ��
�� "��" �� "��" � �p��
�p�� p��.
�� p�� p�� p��
��p��, �� p�� p��
�� p�� p��p�� (BBS ��
ATM) {ATM �p��-��, �.�. ��p�� . ��
�� - �� , �� }
�� p� �� p��p "time-protect"
��. �� (-> �p�� 4) �� p��, �� "��" ��
�p�� (�.�. "�� p��" �� "�� ") ��p��
�� p�� (�� p�� p�� )
v �� "��" : H��
v �� p�� p�p�� : ��
v ��-��-�� p�� p�� : NOOP��
v �p��p�� : H�� H�H�� JMP!
� �� p�� p��p�� "�� ", �p��

�� p��, � � ��p�� p�� p��p�� : ��
�� p�� . � �� p��, ��p��
�p�� p��p� "��p��" (��
�� "��" �p��).
��: [ARCADE POOL]

"""""""""""""""""""""
��p�� p�� PC by East Point Software Ltd, (c) Team 17
Software Ltd 1994. �� p��
�� 1995 �� {� �� ?}
�� p��p�� p� �� "time" ��p��. �� p�� 2
��, �� "nag"-p��p�� p��
�� {�� p�� p�� }
H�, �� ? �� (�� ):
�� [Soft-Ice] � ��p�� config.sys (��
p�� "��p�� p��" � �� "��p��, ��p��
�� p�� by KPNC") ��p�� 2.6 ��-�� MARQUIS DE SOIREE
� �� Web {�� www.dore.da.ru - �� soft-ice
2.8 - �� p�� DOS}
v ��p�� p� ��p�� p��
v ��, ��! ldr pooldemo.exe
v �p�� p� � p�� p��
v {...��, �� ...}
v p��p�� p��
v ��p� ��, �� PoolDemo ��
v ��-�p��
v �� p��
!IDA DEBUGER!
� �� IDA? H��? � �p�. �� p�� . �

��. � �� !
�� p�� . � �� p�� p��
��p�� p��p ��! H�� p ��
�� . ��, ��p�� p�� 3.6 ��
�� p��, �� p��. ��
�� DLL � ��. ��p�� . ��p��p ��p��
��, ��p�� p�� p�� (��
� ��).
� �� ? � � ��, �� ,
� _��_ ��! �� ? �� p��
�p��p�� . �� p��, �� p��
��p�� p��. � IDA �� p��p � �� , ��
�� p��p�� p. ��
�p�� p�� , �.�. �� p�� p��. � �� !
�� p�� ! � ��
�� p��p��\�� p��
�� p��. �� p�� p��
�� .
�� p�� p��p�� - �� p�� - ��
�� p��p��. �p�� p�� p��p��
��, �� ! � �p��-�� p��!
�� IDA � ICE �� p�� p��
��. �� p�� - ��p��
ICE (�� p�� IDA) � ��p��. �� IDA � �p�� .
�� , �� , � �p�� IDA ��
��.
�� p��. �� p��. �� p��
�� p�� - �� - �� p��! ��
�� - �� .

Язык

Главная Книга о Взломе

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Главная Книга о Взломе

Загружено:

Авторское право:

Доступные форматы

Kris Kasperski 2:5063/61.

- ����p������ ��p������ ������p�����

�. ��p��p� "����� ���"

�� ��������� ���� �p������� "����p" ������ ����������. ��� � ��p��

��������� �������� �� �����

��p������: �� ��������� �p����� � �p��������� ����p������p�������

������ ����p�����p�p������� ��p��� �������� ���, ��� �����

.00401547: 8B4660 mov eax,[esi][00060]

��p���� �������� �� �������� ��p����. H���������, �� ����� � ������ ���

.004013D3: 8B4C240C mov ecx,[esp][0000C]

.004013D7: C7466000000000 mov d,[esi][00060],00001

� ��p��������� �p��p����. ��� �p�������! H�� �� �p������ ����

return SomeResult*(!FlagReg1 ^ FlagReg2);

���� ��� ����� �� p���� �p�� �p���, �� � p�������� �������� ����!

j_?EnableWindow@CWnd@@QAEHH@Z proc near ; CODE XREF: sub_0_401360+D4.p

�� ����� ���. ��� p�� �� ����� ��������� ��������. ���� ������ ��

.text:0040142A mov eax, [esi+68h]

� ���������� �p���� �p������:

.text:004015C8 mov eax, [esi+60h]

.00401385: C7466001000000 mov d,[esi][00060],000000000

.004012CC: C7466801000000 mov d,[esi][00068],000000000

������, ��� ������ ���������� ��� ����������� �����. � ��p���� �����

.004015B3: C7466400000000 mov d,[esi][00064],000000000

��� ����� ���� ���� �������� �� �������? ���p�����, �... �p�������!

H� ��� ����� ��p����p�����, ��� ��� �����p���� ��� ����� �����? H�

��������, ����� ������� ����� j_?AfxMessageBox@@YGHPBDII@Z, �� ���� �� ����

BOOL CCRACK10Doc::OnSaveDocument(LPCTSTR lpszPathName)

.rdata:00403644 dd offset j_?OnOpenDocument@CDocument

��� �p���������� ����� ��p���������� �������? �p��p�������, �������� �

401390 sub_0_401390 proc near

� ����� ������ ��������� ����, ��� sub_0_401440 ��� ��p�������

.00403E30: F6 3E 00 00-02 3F 00 00-16 3F 00 00-C6 3E 00 00

��p������� ��� ��� �������-�p��� ����� �������, ��� ��� ������� -

0403F00: 6D 00 83 00-5F 5F 73 65-74 75 73 65-72 6D 61 74 m � __setusermat

��� ������������� ����� �������, � ����� ������ ��p�� ����, ��������,

.00403B00: B2 10 00 80-86 11 00 80-FA 09 00 80-D0 09 00 80

��������, ��� � ����������� WINDOWS NT MicroSoft ���p����� ���� ��� �

.00403B00: B2 10 00 80-86 11 00 80-FA 09 00 80-D0 09 00 80

�����, ��� ��� ��� ����p��p��� �� �p������. � ��� ���������� ������

.00403000: 8C 3F 00 00-78 3F 00 00-00 00 00 00-B2 10 00 80

.004018D0: FF25C4314000 jmp MFC42.4612

����� ��p����, �� ������ ������� ������ ����� ���� ������, ����p� �

.004041D0: 4D 46 43 34-32 2E 44 4C-4C 00 00 00-00 00 00 00 MFC42.DLL

��p���, �� �����p��p������ ����� �� ��� ��������. ����p� ����������

.004041E0: 59 13 00 80-00 00 00 00-00 00 00 00-00 00 00 00 Y. �

������, ��� 0x1359 ��� � ���� ���p��p���� ������ OnSaveDocument, �

0403FC0: 57 69 6E 64-6F 77 00 00-55 53 45 52-33 32 2E 64 Window USER32.d

������� ������ ���pp����p����� IMAGE_THUNK_DATA. ��������� ��p���� �����

0404160: E0 41 00 00-00 00 00 00-00 00 00 00-D0 41 00 00 pA �A

������� � ������ dumpbin, ��� ��� ���p���� p�������.

���� �������� ���������� �� ��p��� 0x403FE0, �� ��� �� ����p���� �������

.00401440: 6A00 push 000

��������, ��� �� ����� ��p������� ���p���p �������� ��p����:

.00401440: FF742404 push d,[esp][00004]

�� �������� ����� ��p����� � SDK. ��� ����� �p������ ����� ������

virtual BOOL OnSaveDocument( LPCTSTR lpszPathName );

����� �������� ����� push dword [esp][00004], ������� �������� �����

.00401410: 8B442404 mov eax,[esp][00004]

MFC-�p��p������� ����� ���p���� ����� ��� �� p�������. ���� �p��������

���, ��� �p������ ������� �� �� ���������� ��� �������� �������� ��p����

.00401417: 50 push eax

Kris Kasperski 2:5063/61.8 12 Feb 99 00:51:00

������ ��p���� ����� � ��� �� ����� ��������� � ��������� ����p���p�,

- ��p�� p�� p��

�. ��p��p� "�� "

�� p�� "��p" �� . �� p��

��

��p��: �� p�� p�� p��p��

�� p��p�p�� p�� , ��

��p�� p��. H��, ��

� ��p�� p��p��. �� p��! H�� p��

�� p�� p�� p��, �� p�� !

�� . �� p�� . ��

� �� p�� p��:

��, �� . � ��p��

�� ? ��p��, �... �p��!

H� �� p��p��, �� p�� ? H�

��, �� j_?AfxMessageBox@@YGHPBDII@Z, ��

�� p�� p�� ? �p��p��, ��

� �� , �� sub_0_401440 �� p��

��p�� -�p�� , �� -

�� , � �� p�� , ��,

��, �� WINDOWS NT MicroSoft ��p��

��, �� p��p�� p��. � ��

�� p��, �� , ��p� �

��p��, �� p��p�� . ��p� ��

��, �� 0x1359 �� p��p�� OnSaveDocument, �

�� pp��p�� IMAGE_THUNK_DATA. �� p��

�� dumpbin, �� p�� p��.

�� p�� 0x403FE0, �� p��

��, �� p�� p��p �� p��:

�� p�� SDK. �� p��

�� push dword [esp][00004], ��

MFC-�p��p�� p�� p��. �� p��

��, �� p�� p��

�� p�� p��p�,

2.2 �p�� p��.

" - �� , ��

�� p�� p�� p��

H��p�� p�� :

�p��p�� p�� p�� :

� �� p�� .��

�.�. �� {...} �� p��! H� ��

�� p�� p�� a � b � ��

�� p�� - �� . � ��p��

LEA SI,beginCrypt ; ��p�� p��

�� p��p�� p�� p��

��p� �p�� p��. ��p��

for (a=0x10D;a<0x124;a++) // �� p��

�� p�� p�� p��p��, � ��

�� , �� 32 ��

�� p�� AA. ��, ��

�� crackMe03 (�� )

�p� �� p ��, �� p��p��

�� p��p� �� CRC � �� p��. CRC �� p��

LEA SI,Crypt ; H� �� p��

��p�� p��p�� p�� p��!

CMP CL,0C3h ; ?�� CRC ��p��

�� p��p�� p�� . ��

� �� p��p� � �� p��

� �� p��.�� p�� p��

v ��p�� p� (�� , ��

v H�� p��p� { ��p��p, �� :) }

�p��, ��

v �� p�� (�p�� )

v �� (�� p�� )

v �p��, ��p�� (�p�� )

v �p�� p�� p�� ( �� p��

v �� (��p�� p��)

v �� (�.�. ��p�� , ��

v �� p��. (�� )

�� STUFF]

v �� "��" : H��

v �� p�� p�p�� : ��

v ��-��-�� p�� p�� : NOOP��

v �p��p�� : H�� H�H�� JMP!

� �� p�� p��p�� "�� ", �p��

��: [ARCADE POOL]

v ��p�� p� ��p�� p��

v ��, ��! ldr pooldemo.exe

v �p�� p� � p�� p��

v {...��, �� ...}

v p��p�� p��