API Monitor: Using API Monitor to crack copy-protected software

For this tutorial we will be using Mirial Softphone, which is an HD video conferencing application. This tutorial is for educational purposes only, so please do not use this to create or distribute a cracked copy of the software.

When you first install the application, it prompts you for a license file. After installing the license you have 30 days to evaluate the application. The expiration date is displayed on the license screen; in our case it is March 15, 2011.

Step 1

Trial applications usually store license information either in the registry or on the file system. Since this application prompted us for a license file, we know that it uses the file system. Start up the 32-bit version of API Monitor and enable the APIs from the File Management category.

Step 2

Select Hook Process from the File menu to start monitoring the application.

API Monitor will start monitoring and displaying API calls. The application should now display a message indicating that it is an evaluation version. Click Cancel to quit the application.

Step 3

Now that we have captured the API calls made by the application, we need to find the one that reads the license file. Scan through the calls in the API summary view until you find the one that opens or reads a license-looking file.

The application is reading from a file named mirial.lic. The name suggests that it might be a license file, so let's open it up.

We've located the license file, and it stores the expiration date in plain text.

Step 4

Modify the expiration date in the license file to 2012-03-15 and save the file. Now launch the application again. The application should now display an error indicating that the license is invalid, which tells us the date is covered by some integrity check rather than simply trusted. Click Cancel to quit the application.

Step 5

Our next step is to start debugging the application right after it has read the license file. From Step 3, we know that the application uses CreateFileA to open the file and ReadFile to read it. Set up a breakpoint on CreateFileA and launch the application in API Monitor. The breakpoint will be hit multiple times, since the application opens many other files; continue until you reach the call that opens the license file.

Switch back to API Monitor and enable a post-call breakpoint on the ReadFile API and disable the CreateFileA breakpoint. Now hit Continue to let the application run. API Monitor should now display the ReadFile breakpoint.

Now hit the Break button to have API Monitor raise a breakpoint exception in the application. You should now be able to attach to the application using a debugger.

Step 6

Your debugger should now display disassembled instructions from the application.

If you look at the call stack, you'll notice that the current frame is in apimonitor-drv-x86.sys, the API Monitor driver that raised the break. Use the debugger to step out until you reach code in the application itself.

Step 7

The debugger is currently at a location right after the application has finished reading the license file and before it checks the validity of the license. We need to locate the code that performs this check and disable it.

The most common software crack is the modification of an application’s binary to cause or prevent a specific key branch in the program’s execution. This is accomplished by reverse engineering the compiled program code using a debugger such as SoftICE, OllyDbg, GDB, or MacsBug until the software cracker reaches the subroutine that contains the primary method of protecting the software (or by disassembling an executable file with a program such as IDA). The binary is then modified using the debugger or a hex editor in a manner that replaces a prior branching opcode with its complement or a NOP opcode so the key branch will either always execute a specific subroutine or skip over it. – Wikipedia

Stepping through some of the code, we come across this location, which looks like a possible match for the code we're looking for.

Step 8

The value of register eax is 0 right after the function call. Let's modify the value to 1 and continue running the application. The application displays a different error message this time; instead of an invalid license, the application is telling us that it is unable to locate the file. The changed message confirms that this return value feeds into the license logic, even though it is not the final valid/invalid decision by itself.

Step 9

Now that we have pinpointed the location where the application checks for a valid license, all we need to do is experiment with the register values and jmp instructions until we find a combination that works. In this case, inverting the jump instruction from je to jne tells the application that it has a valid license file. Running the application with the modified code displays our new expiration date of March 15, 2012. Note that inverting the branch also inverts the behaviour for a genuinely valid license file, which would now be rejected; a patch that forces the branch one way (for example by replacing it with NOPs, as the Wikipedia passage above describes) avoids that side effect.
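The Wikipedia passage in Step 7 and the je-to-jne edit in Step 9 describe the same byte-level operation. The following is an added example, not code from the original article or from Mirial Softphone: it locates the `test eax, eax` / conditional-jump pattern the tutorial lands on in Step 8, and patches the jump either to its complement or to NOPs. The x86 code bytes are constructed for this example; the branch pairing it relies on (each Jcc opcode and its complement differ only in the low bit, e.g. je 0x74 / jne 0x75, and the near forms 0F 84 / 0F 85 likewise) is a property of the instruction set, not of any particular binary.

```python
"""Patch a conditional jump in an x86 code image (added example).

Short (rel8) Jcc opcodes are 0x70..0x7F and near (rel32) Jcc opcodes are
0x0F 0x80..0x8F. In both forms the condition and its complement differ only in
the lowest opcode bit, so flipping that bit turns je into jne, jb into jae, and
so on, while leaving the displacement (and therefore the jump target) intact.
"""

SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)

# Mnemonics indexed by (opcode - base); adjacent entries are complements.
JCC_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_jcc(code: bytes, off: int):
    """Return (mnemonic, instruction_length) for a Jcc at `off`, else None."""
    if off >= len(code):
        return None
    op = code[off]
    if op in SHORT_JCC and off + 2 <= len(code):
        return JCC_NAMES[op - 0x70], 2
    if op == 0x0F and off + 6 <= len(code) and code[off + 1] in NEAR_JCC:
        return JCC_NAMES[code[off + 1] - 0x80], 6
    return None


def invert_jcc(code: bytes, off: int) -> bytes:
    """Copy of `code` with the Jcc at `off` replaced by its complement.

    This is the je -> jne edit from Step 9: same target, opposite condition.
    """
    if decode_jcc(code, off) is None:
        raise ValueError(f"no conditional jump at offset {off:#x}")
    patched = bytearray(code)
    if patched[off] == 0x0F:
        patched[off + 1] ^= 1   # near form: condition lives in the 2nd byte
    else:
        patched[off] ^= 1       # short form: condition lives in the opcode
    return bytes(patched)


def nop_jcc(code: bytes, off: int) -> bytes:
    """Copy of `code` with the Jcc at `off` overwritten by single-byte NOPs.

    The alternative from the Wikipedia passage: the branch is never taken, so
    execution always falls through, regardless of what the check returned.
    """
    info = decode_jcc(code, off)
    if info is None:
        raise ValueError(f"no conditional jump at offset {off:#x}")
    _, length = info
    patched = bytearray(code)
    patched[off:off + length] = b"\x90" * length
    return bytes(patched)


def find_eax_checks(code: bytes):
    """Yield (jcc_offset, mnemonic) for each `test eax, eax` (85 C0) + Jcc.

    A function returning 0/1 in eax followed by a conditional jump is the
    shape seen in Step 8. A real binary contains many such sites; the debugger
    session in Steps 5-8 is what identifies the one that decides the license.
    """
    i = 0
    while i + 2 < len(code):
        if code[i:i + 2] == b"\x85\xc0":
            info = decode_jcc(code, i + 2)
            if info is not None:
                yield i + 2, info[0]
        i += 1


# Constructed sample: call a check, test its result, branch on it.
CODE = bytes([
    0xE8, 0x10, 0x00, 0x00, 0x00,   # call  check_license   (offset 0)
    0x85, 0xC0,                     # test  eax, eax        (offset 5)
    0x74, 0x06,                     # je    invalid         (offset 7) -> 15
    0xB8, 0x01, 0x00, 0x00, 0x00,   # mov   eax, 1          (offset 9)  valid path
    0xC3,                           # ret                   (offset 14)
    0x31, 0xC0,                     # invalid: xor eax, eax (offset 15)
    0xC3,                           # ret                   (offset 17)
])

# Constructed sample using the near (rel32) form of je.
NEAR_CODE = bytes([0x85, 0xC0, 0x0F, 0x84, 0x10, 0x00, 0x00, 0x00, 0x90])

if __name__ == "__main__":
    for off, name in find_eax_checks(CODE):
        print(f"{off:#04x}: test eax, eax ; {name}")
        print("inverted:", invert_jcc(CODE, off).hex(" "))
        print("nopped:  ", nop_jcc(CODE, off).hex(" "))
```

Applying `invert_jcc` at the offset reported by `find_eax_checks` reproduces the Step 9 patch: the byte at that offset changes from 0x74 to 0x75 and the displacement byte is untouched. The same script is what you would run against a file offset in the real binary once the debugger has told you the virtual address of the branch and you have translated it to a file offset.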

Discuss this article here: http://www.rohitab.com/discuss/topic/37059-using-api-monitor-to-crack-copy-protected-software/

Original article: https://www.cnblogs.com/h2zZhou/p/9341406.html

Date: 2024-10-08 15:58:01
