API Monitor---------------Using API Monitor to crack copy protected software

Posted 小小猫钓小小鱼

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了API Monitor---------------Using API Monitor to crack copy protected software相关的知识,希望对你有一定的参考价值。

For this tutorial we will be using Mirial Softphone which is a HD video conferencing application. This tutorial is for educational purposes only, so please do not use this to create or distribute a cracked copy of the software.

When you first install the application, it prompts you for a license file. After installing the license you have 30 days to evaluate the application. The expiration date is displayed on this screen; in our case it is March 15, 2011.

技术分享图片

Step 1

Trial applications usually store license information in either the registry or on the file system. Since this application prompted us for a license file, we know that it uses the file system. Start up the 32-bit version of API Monitor and enable API’s from the File Management category.

技术分享图片

Step 2

Select Hook Process from the File menu to start monitoring the application.

技术分享图片

API Monitor will start monitoring and displaying API calls. The application should now display a message indicating that it is an evaluation version. Hit cancel to quit the application.

Step 3

Now that we have captured the API calls made by the application, we need to find the one that reads the license file. Scan through the calls in the API summary view until you find the right one.

技术分享图片

The application is reading from mirial.lic file. The name suggests that it might be a license file, so let’s open it up.

技术分享图片

We’ve located the license file and it has the expiration date in it.

Step 4

Modify the expiration date in the license file to 2012-03-15 and save the file. Now launch the application again. The application should now display an error indicating that the license is invalid. Hit cancel to quit the application.

技术分享图片

Step 5

Our next step is to start debugging the application right after it has read the license file. From Step 3, we know that the application uses CreateFileA to open the file and ReadFile to read the file. Setup a Breakpoint on CreateFileA and launch the application in API Monitor. The breakpoint will be hit multiple times; continue until you reach the one that opens the license file.

技术分享图片

Switch back to API Monitor and enable a post-call breakpoint on the ReadFile API and disable the CreateFileA breakpoint. Now hit Continue to let the application run. API Monitor should now display the ReadFile breakpoint.

技术分享图片

Now hit the Break button to have API Monitor generate a breakpoint in the application. You should now be able to attach to the application using a debugger.

Step 6

Your debugger should now display disassembled instructions from the application

技术分享图片

If you look at the call stack, you’ll notice that the current frame is in apimonitor-drv-x86.sys. Use the debugger to step out until you reach code in the application.

技术分享图片

Step 7

The debugger is currently at a location right after the application has finished reading the license file and before it checks the validity of the license. We need to locate the code that performs this check and disable it.

The most common software crack is the modification of an application’s binary to cause or prevent a specific key branch in the program’s execution. This is accomplished by reverse engineering the compiled program code using a debugger such as SoftICE, OllyDbg, GDB, or MacsBug until the software cracker reaches the subroutine that contains the primary method of protecting the software (or by disassembling an executable file with a program such as IDA). The binary is then modified using the debugger or a hex editor in a manner that replaces a prior branching opcode with its complement or a NOP opcode so the key branch will either always execute a specific subroutine or skip over it. – Wikipedia

Stepping though some of the code, we come across this location which looks like a possible match to the code we’re looking for.

技术分享图片

Step 8

The value of register eax is 0, right after the function call. Let’s modify the value to 1 and continue running the application. The application displays a different error message this time; instead of an invalid license, the application is telling us that it is unable to locate the file.

技术分享图片

Step 9

Now that we have pinpointed the location where the application checks for a valid license, all we need to do is to play around with the values and jmp instructions to find one that works. In this case, inverting the jump instruction from je to jne tells the application that it has a valid license file. Running the application with the modified code displays our new expiration date of March 15, 2012.

技术分享图片

Discuss this article here: http://www.rohitab.com/discuss/topic/37059-using-api-monitor-to-crack-copy-protected-software/


以上是关于API Monitor---------------Using API Monitor to crack copy protected software的主要内容,如果未能解决你的问题,请参考以下文章

plantuml画链路图

plantuml画链路图

Oracle LiveLabs实验:Manage and Monitor Autonomous Database

Oracle LiveLabs实验:Manage and Monitor Autonomous Database

如何创建与 Windows 7 向后兼容的缩放和大小更改的 Per-Monitor DPI 感知应用程序?

ceph rest api启用