串行生成器/破解是如何开发的?

发布于 2024-07-05 17:19:30 字数 71 浏览 10 评论 0原文

我的意思是,我一直想知道为什么有人能够开发算法来打破/欺骗许多共享软件程序中合法使用的限制。

只是为了好奇。

I mean, I always was wondered about how the hell somebody can develop algorithms to break/cheat the constraints of legal use in many shareware programs out there.

Just for curiosity.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(8

若无相欠,怎会相见 2024-07-12 17:19:30

Nils 的帖子涉及密钥生成器。 对于裂缝,通常您会找到一个分支点并反转(或删除条件)逻辑。 例如,您将测试软件是否已注册,如果是,测试可能会返回零,然后相应地跳转。 您可以通过修改单个字节将“等于零时跳转(je)”更改为“不等于零时跳转(jne)”。 或者,您可以在代码的各个部分编写无操作来执行您不想执行的操作。

编译后的程序可以反汇编,只要有足够的时间,有决心的人就可以开发二进制补丁。 破解只是一个二进制补丁,可以让程序表现不同。

Nils's post deals with key generators. For cracks, usually you find a branch point and invert (or remove the condition) the logic. For example, you'll test to see if the software is registered, and the test may return zero if so, and then jump accordingly. You can change the "jump if equals zero (je)" to "jump if not-equals zero (jne)" by modifying a single byte. Or you can write no-operations over various portions of the code that do things that you don't want to do.

Compiled programs can be disassembled and with enough time, determined people can develop binary patches. A crack is simply a binary patch to get the program to behave differently.

偷得浮生 2024-07-12 17:19:30

除了非法之外,这是一项非常复杂的任务。

从理论上讲,常见的方法是反汇编要破解的程序,并尝试找到检查密钥或序列码的位置。

说起来容易做起来难,因为任何严格的保护方案都会检查多个位置的值,并且还会从序列密钥中获取关键信息以供以后使用,这样当您认为您猜对了时,程序就会崩溃。

要创建裂缝,您必须识别完成检查的所有点并适当修改汇编代码(通常反转条件跳转或将常量存储到内存位置)。

要创建注册机,您必须了解算法并编写一个程序来重新进行完全相同的计算(我记得 MS Office 的一个旧版本,其序列号有一个非常简单的规则,数字之和应该是7,所以编写注册机相当简单)。

这两项活动都要求您在调试器中跟踪应用程序的执行情况,并尝试找出发生了什么。 并且您需要了解操作系统的低级 API。

一些受到严格保护的应用程序对代码进行了加密,以便文件无法被反汇编。 它在加载到内存时被解密,但如果它们检测到内存中调试器已启动,它们就会拒绝启动,

本质上,这是需要非常深入的知识、独创性和大量时间的东西! 哦,我有没有提到这在大多数国家都是非法的?

如果您想了解更多信息,请谷歌搜索 +ORC 破解教程,它们非常古老,现在可能毫无用处,但会让您很好地了解它的含义。

无论如何,了解这一切的一个很好的理由是如果您想编写自己的保护方案。

Apart from being illegal, it's a very complex task.

Speaking just at a teoretical level the common way is to disassemble the program to crack and try to find where the key or the serialcode is checked.

Easier said than done since any serious protection scheme will check values in multiple places and also will derive critical information from the serial key for later use so that when you think you guessed it, the program will crash.

To create a crack you have to identify all the points where a check is done and modify the assembly code appropriately (often inverting a conditional jump or storing costants into memory locations).

To create a keygen you have to understand the algorithm and write a program to re-do the exact same calculation (I remember an old version of MS Office whose serial had a very simple rule, the sum of the digit should have been a multiple of 7, so writing the keygen was rather trivial).

Both activities requires you to follow the execution of the application into a debugger and try to figure out what's happening. And you need to know the low level API of your Operating System.

Some heavily protected application have the code encrypted so that the file can't be disassembled. It is decrypted when loaded into memory but then they refuse to start if they detect that an in-memory debugger has started,

In essence it's something that requires a very deep knowledge, ingenuity and a lot of time! Oh, did I mention that is illegal in most countries?

If you want to know more, Google for the +ORC Cracking Tutorials they are very old and probably useless nowdays but will give you a good idea of what it means.

Anyway, a very good reason to know all this is if you want to write your own protection scheme.

不即不离 2024-07-12 17:19:30

坏人使用反汇编程序搜索密钥检查代码。 如果您知道如何做到这一点,这相对容易。

然后将密钥检查代码翻译为 C 或其他语言(此步骤是可选的)。 逆转密钥检查过程即可获得密钥生成器。

如果您了解汇编程序,大约需要一个周末才能学习如何做到这一点。 我几年前就完成了(虽然从未发布过任何东西。这只是我的游戏开发工作的研究。要编写难以破解的密钥,您必须了解人们如何破解)。

The bad guys search for the key-check code using a disassembler. This is relative easy if you know how to do this.

Afterwards you translate the key-checking code to C or another language (this step is optional). Reversing the process of key-checking gives you a key-generator.

If you know assembler it takes roughly a weekend to learn how to do this. I've done it just some years ago (never released anything though. It was just research for my game-development job. To write a hard to crack key you have to understand how people approach cracking).

笙痞 2024-07-12 17:19:30

潜在的破解者会反汇编程序并寻找“复制保护”位,特别是确定序列号是否有效的算法。 从该代码中,您通常可以看到解锁功能所需的位模式,然后编写一个生成器来使用这些模式创建数字。

另一种替代方法是查找如果序列号有效则返回“true”、如果无效则返回“false”的函数,然后开发一个二进制补丁,以便该函数始终返回“true”。

其他一切很大程度上都是这两个想法的变体。 根据定义,复制保护总是是可破坏的 - 在某些时候您必须得到可执行代码,否则处理器无法运行它。

A would-be cracker disassembles the program and looks for the "copy protection" bits, specifically for the algorithm that determines if a serial number is valid. From that code, you can often see what pattern of bits is required to unlock the functionality, and then write a generator to create numbers with those patterns.

Another alternative is to look for functions that return "true" if the serial number is valid and "false" if it's not, then develop a binary patch so that the function always returns "true".

Everything else is largely a variant on those two ideas. Copy protection is always breakable by definition - at some point you have to end up with executable code or the processor couldn't run it.

那些过往 2024-07-12 17:19:30

首先,大多数复制保护方案都不是很先进,这就是为什么现在你看不到很多人推出自己的方案。

有几种方法可以用来做到这一点。 您可以在调试器中单步执行代码,这通常需要良好的汇编知识。 使用它,您可以了解在程序中调用复制保护/密钥生成方法的位置。 这样,您可以使用像 IDA Pro 这样的反汇编程序来更仔细地分析代码并尝试了解发生了什么以及如何绕过它。 我之前通过在日期检查上插入 NOOP 指令来破解有时间限制的 Beta 版本。

这实际上取决于对软件的良好理解和对汇编的基本理解。 Hak5 在本季的前两集中制作了一个由两部分组成的系列,内容涉及逆向工程和破解的基础知识。 它确实很基本,但它可能正是您正在寻找的东西。

First, most copy-protection schemes aren't terribly well advanced, which is why you don't see a lot of people rolling their own these days.

There are a few methods used to do this. You can step through the code in a debugger, which does generally require a decent knowledge of assembly. Using that you can get an idea of where in the program copy protection/keygen methods are called. With that, you can use a disassembler like IDA Pro to analyze the code more closely and try to understand what is going on, and how you can bypass it. I've cracked time-limited Betas before by inserting NOOP instructions over the date-check.

It really just comes down to a good understanding of software and a basic understanding of assembly. Hak5 did a two-part series on the first two episodes this season on kind of the basics of reverse engineering and cracking. It's really basic, but it's probably exactly what you're looking for.

绮筵 2024-07-12 17:19:30

我假设每个裂缝都是不同的,但我猜在大多数情况下有人会花
在调试器中花费大量时间来跟踪有问题的应用程序。

串行生成器通过分析以下算法更进一步:
检查序列号的有效性并对其进行逆向工程。

I assume each crack is different, but I would guess in most cases somebody spends
a lot of time in the debugger tracing the application in question.

The serial generator takes that one step further by analyzing the algorithm that
checks the serial number for validity and reverse engineers it.

噩梦成真你也成魔 2024-07-12 17:19:30

我想知道为什么他们不只是分发个性化的二进制文件,其中所有者的名称存储在二进制文件中的某个位置(加密和混淆),或者更好地分布在整个二进制文件中。据我所知,Apple 正在对 iTunes 中的音乐文件执行此操作存储,但是从文件中删除名称太容易了。

I wonder why they don't just distribute personalized binaries, where the name of the owner is stored somewhere (encrypted and obfuscated) in the binary or better distributed over the whole binary.. AFAIK Apple is doing this with the Music files from the iTunes store, however there it's far too easy, to remove the name from the files.

勿忘心安 2024-07-12 17:19:30

您可以提取序列号的算法并开始对其进行“猜测”并寻找积极的响应。 计算机的功能非常强大,通常只需要一点时间就可以开始输出结果。

至于黑客攻击,我过去能够在较高级别上单步执行程序并寻找它停止工作的点。 然后您返回到最后一个成功的“呼叫”并进入其中,然后重复。 当时,复制保护通常是写入磁盘并查看后续读取是否成功(如果成功,则复制保护失败,因为他们过去用激光刻录了软盘的一部分,因此无法写入)。

然后,只需找到正确的调用并对该调用的正确返回值进行硬编码即可。

我确信它仍然相似,但他们付出了很多努力来隐藏通话位置。 我尝试的最后一个我放弃了,因为它不断地在我单步执行的代码上加载代码,而且我确信从那时起它变得更加复杂。

The serial number you can just extract the algorithm and start throwing "Guesses" at it and look for a positive response. Computers are powerful, usually only takes a little while before it starts spitting out hits.

As for hacking, I used to be able to step through programs at a high level and look for a point where it stopped working. Then you go back to the last "Call" that succeeded and step into it, then repeat. Back then, the copy protection was usually writing to the disk and seeing if a subsequent read succeeded (If so, the copy protection failed because they used to burn part of the floppy with a laser so it couldn't be written to).

Then it was just a matter of finding the right call and hardcoding the correct return value from that call.

I'm sure it's still similar, but they go through a lot of effort to hide the location of the call. Last one I tried I gave up because it kept loading code over the code I was single-stepping through, and I'm sure it's gotten lots more complicated since then.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文