Plug-ins and Cracking Software: Theory and Practice

1 Theory

1.1 Executable files under different operating systems

  1. Windows【PE】

PE (Portable Executable) is the main executable file format under Windows. Do not be misled by the word "portable" in the name: PE files are Windows files.

  2. Linux【ELF】

An executable file on a Linux system (an ELF file, Executable and Linkable Format) begins with a file header that describes the layout of the program and the attributes of the whole file, including whether the file is executable, whether it is statically or dynamically linked, and its entry address. The generated file is therefore not a flat binary of machine code, because the header it carries is not executable code. After the file, header included, has been read into memory, the loader reads the entry address from the header and jumps to that address to begin execution.

  3. Mac【Mach-O】

Mach-O is the abbreviation of Mach Object file format. It is a file format used for executable files, object code, dynamic libraries, and core dumps. As an alternative to the a.out format, Mach-O provides greater scalability and improves access speed to information in the symbol table.

1.2 Knowledge on software cracking under Windows

◼ Necessary knowledge for Windows platform software cracking
  • File format: PE file
  • Assembly language: x86 and x64 assembly
  • Tools: OllyDbg
  • Windows API

◼ Commonly used OD (OllyDbg) shortcut keys
F2: toggle breakpoint
F9: run program
F7: step into
F8: step over
Ctrl + G: search code

1.3 Packing and unpacking

  • General software cracking ideas

  • The idea of cracking packed software (packing adds an extra layer on top of the ordinary program)

1.4 The nature of plug-ins

There are two common methods of plug-in:

  • Modify data in memory

  • Modify code in memory

Modify the assembly code in OD and then save the result as a new .exe file.

In fact, there is no essential difference between data and code: in memory, both are just zeros and ones.


2 Practical steps

Software address:

Link: https://pan.baidu.com/s/1pIogCuXPR87p91og09zZZQ?pwd=zj8k
Extraction code: zj8k

2.1 Environment preparation

Visual Studio 2022 with the "C++ desktop development (MFC)" and "Visual Studio extension development" workloads installed.

[Screenshots: workload selection; extension development]

2.2 OD assembly (Ollydbg)

Disassembles the .exe file into assembly.

2.4 Cheat Engine

Used to detect numerical changes in memory (for example, scanning for a value that changed between two game states).


2.5 General steps

Plants vs. Zombies (植物大战僵尸) is used as the example here.

  1. Open Visual Studio and create an MFC project (similar to Swing in Java)
     - Define a custom log macro to simplify printing
     - Event registration (manual and automatic)
     - Variable binding (manual and automatic)
     - Reading the checkbox state (checked or unchecked)
  2. Drag the running file (the .exe) of Plants vs. Zombies into OD and inspect the disassembly
  • Modify the assembly logic
When modifying, try to keep the byte count unchanged. For example, if the original line of code occupies a certain number of bytes and our modified code occupies only 2 bytes, the remainder must be padded with NOP. NOP is effectively empty: when the CPU reaches a NOP it simply skips it, so NOP only serves to occupy the position.

Idea:

① Instant-kill zombies: directly use the zombie's original HP minus the zombie's current HP
② Infinite sun: the sun value is stored in a struct; find the value through its address, then use the API to modify the value in memory
  • Export the cracked .exe file
  3. Find the window using Spy++

A Windows plug-in (desktop application) may need to obtain the window handle (ID) of the running program in order to control it.

  4. Modify the code in Visual Studio (excerpt)

Instant-kill zombies, infinite sun

// Thread that monitors the game
DWORD WINAPI monitorThreadFunc(LPVOID lpThreadParameter) {
	while (1) {
		// Get the handle of the Plants vs. Zombies window
		HWND windowHandle = FindWindow(CString("MainWindow"), CString("植物大战僵尸中文版"));

		if (windowHandle == NULL) {
			// Game is not running: uncheck and disable both options
			g_dlg->m_bnKill.SetCheck(FALSE);
			g_dlg->m_bnSun.SetCheck(FALSE);
			g_dlg->m_bnKill.EnableWindow(FALSE);
			g_dlg->m_bnSun.EnableWindow(FALSE);

			g_processHandle = NULL;
		} else if (g_processHandle == NULL) {
			// Game has appeared: enable the options and open the process
			g_dlg->m_bnKill.EnableWindow(TRUE);
			g_dlg->m_bnSun.EnableWindow(TRUE);

			// Get the process ID of Plants vs. Zombies
			DWORD processPid;
			GetWindowThreadProcessId(windowHandle, &processPid);
			// Get the process handle of Plants vs. Zombies
			g_processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processPid);
		}

		if (g_dlg->m_bnSun.GetCheck()) {
			// Infinite sun requested: write the value through the pointer chain
			// (WriteMemory is the project's own helper, not shown in this excerpt)
			DWORD value = 9990;
			WriteMemory(&value, sizeof(value), 0x6A9EC0, 0x320, 0x8, 0x0, 0x8, 0x144, 0x2c, 0x5560, -1);
		}

		// Sleep before polling again
		Sleep(1000);
	}
	return 0;
}
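The monitor thread above works because the sun count sits in memory as a plain integer that a scanner can find and an out-of-band write can overwrite. As an added example (not code from the original post or from the game), here is one way a program can make such writes detectable: keep the value masked with a per-run random key and store a keyed tag beside it, so the plain number is neither present for a scanner to find nor writable without breaking the tag. `GuardedValue`, `tamper_is_detected` and the mixing constants are my own.

```cpp
#include <cstdint>
#include <random>

// Tamper-evident counter. The real value is never stored in plain form;
// a write that lands directly on the storage (as WriteProcessMemory would)
// changes 'masked_' without updating 'check_', so verify() reports it.
class GuardedValue {
public:
    explicit GuardedValue(uint32_t initial) {
        std::random_device rd;                      // per-run key, differs every launch
        key_ = (static_cast<uint64_t>(rd()) << 32) | rd();
        set(initial);
    }
    void set(uint32_t v) {                          // the only legitimate write path
        masked_ = static_cast<uint64_t>(v) ^ key_;
        check_ = tag(masked_);
    }
    uint32_t get() const { return static_cast<uint32_t>(masked_ ^ key_); }
    // False if the stored representation was modified without going through set().
    bool verify() const { return check_ == tag(masked_); }
    // Raw storage pointer: stands in for the address a memory scanner would locate.
    uint64_t* raw_slot() { return &masked_; }
private:
    // Keyed bijective mixer: distinct masked values always give distinct tags,
    // so an out-of-band overwrite can never collide with the stored tag.
    uint64_t tag(uint64_t m) const {
        uint64_t x = m ^ (key_ * 0x9E3779B97F4A7C15ULL);
        x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ULL; x ^= x >> 32;
        return x;
    }
    uint64_t key_, masked_, check_;
};

// Simulated cheat (constructed for this example): overwrite the slot with 9990,
// the value the monitor thread above writes, bypassing set().
bool tamper_is_detected() {
    GuardedValue sun(50);
    *sun.raw_slot() = 9990;      // out-of-band write, as a cheat tool would do
    return !sun.verify();        // true: the keyed tag no longer matches
}
```

This raises the cost of the simple scan-and-write approach; it does not stop a cheat that patches the game's own set() call or the verify() check, which is why the code-patching route in section 1.4 needs separate protection.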

Source: blog.csdn.net/weixin_45565886/article/details/128769701#comments_28471683