A simple Crack plus Hacker thinking to build a clever backdoor

2009-03-30T00:00:00
ID MYHACK58:62200922713
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-03-30T00:00:00

Description

Text: dickboy, Hacker Defense

For readers: crack fans, black-arsenal bosses

Prerequisites: basic use of the Crack tools

Icefire: a long-time crack enthusiast is constantly looking for a way to break through the limits a Cracker is stuck with, so that he can not only gallop freely through all kinds of software but also soar freely through the wider world of the network. Perhaps this article offers a cleverer way that combines both; I hope it gives you a little inspiration.

I believe this article will make network-TV programs fly around everywhere, and possibly bring a new kind of backdoor. I can't be even a little selfish, so as soon as I figured this out I'm sharing it.

Classmates like to watch network TV; unfortunately the program has to be registered, so I volunteered and made the call, but after a look at the registration fee... it really isn't cheap! Should we write one ourselves? Maybe even earn a little pocket money. I still owe the accommodation fee, and if you don't pay they don't let you sit the exam, poor kid. (Icefire: fellow sufferer! Just like me back then... alas, let's not go there, it's the New Year.) Boo hoo hoo... Unfortunately I don't know how to write one; I never learned Windows programming. Remember my article "Evolution of a Crack novice" in an earlier issue of the magazine? My patches all had that pitch-black console interface! Hey, no way around it: without Windows programming I had to analyze someone else's program, so let's start with network TV Elf!

A check with PEiD shows it is written in Delphi. Depressing: it is very hard to find which function automatically opens A or Media Player to play the audio and video data; if it had been VC++ it would be fine. I went online and found a few similar network TV programs; they are all either Delphi or VB, not one VC++. But for network TV Elf, action Kung Fu, by the rules of the arena we fight one on one... the aunt selling onions, you come over here!

Crack thinking

Decompiling with DeDe, Unit1's TForm1 shows a lot of events; looking closer I saw a CCTV1Click event. Double-click its address to get the corresponding code:

004A1A80 53           push ebx
004A1A81 8BD8         mov ebx, eax
004A1A83 6A01         push $01
004A1A85 6A00         push $00
004A1A87 6A00         push $00
* Possible String Reference to: 'http://www.cctv.com/sports/'
|
004A1A89 68A01A4A00   push $004A1AA0
004A1A8E 6A00         push $00
004A1A90 8BC3         mov eax, ebx
* Reference to: Forms.TCustomForm.GetClientHandle(TCustomForm):QWorkspaceH;
|
004A1A92 E88501FAFF   call 00441C1C
004A1A97 50           push eax
* Reference to: shell32.ShellExecuteA()
|
004A1A98 E89B94F8FF   call 0042AF38
004A1A9D 5B           pop ebx
004A1A9E C3           ret

Hey hey, so it uses ShellExecuteA. Open OllyDbg, load network TV Elf, and set a breakpoint at 004A1A80, the first statement of the CCTV1Click event. Run, click CCTV-1, and it starts playing... wait, that's wrong, shouldn't it have broken there?! Look carefully at the URL: this ShellExecuteA opens a web page, http://www.cctv.com/sports/. CCTV1Click is not the event that opens CCTV-1 with Media Player.exe, so what on earth is it? Opening network TV Elf and looking at the sports section of the network navigation, I found it is actually the click event for CCTV Sports. Fainted.

Continuing, I found a familiar one: BBC1Click. Judging by the name it should be the event for playing the BBC radio or TV station (no idea whether there is a BBC TV). Double-click the address to the corresponding place; this code is completely different from the above:

0048E298 BAB0E24800   mov edx, $0048E2B0
* Reference to control TForm1.WebBrowser1 : TWebBrowser
|
0048E29D 8B805C040000 mov eax, [eax+$045C]
* Reference to : TWebBrowser._PROC_0046395C()
|
0048E2A3 E8B456FDFF   call 0046395C
0048E2A8 C3           ret

The analysis shows that network TV Elf seems to use the TWebBrowser component to play online video and audio. I quickly looked up TWebBrowser on the Internet: it's a Delphi control... No, no way. Can't give up, so keep looking through the other events. 12:00, time for bed, there are classes tomorrow morning!

Just lying down in bed, I suddenly remembered: didn't that ShellExecuteA earlier open a web page? Does it have any other use? Hurry up! Disassemble network TV Elf with IDA and find ShellExecuteA (don't ask me how I found it: look in the Names window). IDA is nice, it gives the comment:

jmp ds:__imp_ShellExecuteA ; Opens or prints a specified file

See? A simple translation: open or print a specific file.

Looks promising: doesn't watching movies online also open a specific file? I also remember that when watching movies online with Realone, if the connection suddenly dropped a dialog popped up saying something like *.rm cannot be played. Quickly Baidu'd ShellExecuteA: wow, far too many results, most about how to use this call from VB, not what I wanted. Inspiration, change the way of thinking: when we click on a TV or radio station, it opens not with Media Player.exe but with A.exe. So if ShellExecuteA can open an online audio or video file with A.exe as a parameter, then searching for "ShellExecuteA realplay.exe" should bear fruit.

Well, searching for "ShellExecuteA realplay.exe" found nothing. Really? OK, then search for "ShellExecuteA Media Player.exe": same result. I had to resort to a trick and pull out the Cracker's must-have, the API manual, and look up ShellExecuteA; it's actually described in VB terms...

The next day I couldn't concentrate in class and kept thinking about this problem, with no result. Back at the dormitory I checked MSDN, and there it was:

HINSTANCE ShellExecute(
    HWND    hwnd,
    LPCTSTR lpOperation,
    LPCTSTR lpFile,
    LPCTSTR lpParameters,
    LPCTSTR lpDirectory,
    INT     nShowCmd
);

The operations lpOperation supports are:

edit     Launches an editor and opens the document for editing. If lpFile is not a document file, the function will fail.
explore  Explores the folder specified by lpFile.
find     Initiates a search starting from the specified directory.
open     Opens the file specified by the lpFile parameter. The file can be an executable file, a document file, or a folder.
print    Prints the document file specified by lpFile. If lpFile is not a document file, the function will fail.

My English is poor, so I didn't translate it; for details consult MSDN, I'm afraid of being accused of padding the article for the fee. Up to here, what are your thoughts? lpOperation selects the operation, and for writing a network TV program only "open" above is useful. Later I found these simple ShellExecute examples on the Internet:

Q: How to open a web page?

ShellExecute(this->m_hWnd,"open","notepad.exe", "c:\\MyLog.log","",SW_SHOW );

As you can see, I haven't passed the full path of the programs.

ShellExecute(this->m_hWnd, "open", "http://www.google.com", "", "", SW_SHOW );

Which do you think is more useful? The first one? Let's experiment: if I replace notepad.exe with Media Player.exe and "c:\\MyLog.log" with "d:\\t.mid" (of course "d:\\t.mid" is a MID music file that really exists), will it work? First a simple test: Start menu -> Run, enter "Media Player.exe d:\t.mid", and Windows Media Player pops up and starts playing t.mid.

Quickly create a new Win32 Console Application project in VC and enter the following code:

#include <windows.h>

int main(int argc, char* argv[])
{
    /* Ask the shell to "open" Media Player.exe, passing d:\t.mid as its
       command-line parameter; SW_SHOW shows the player's window.
       ShellExecute returns a value greater than 32 on success. */
    ShellExecute(0, "open", "Media Player.exe", "d:\\t.mid", "", SW_SHOW);
    return 0;
}

Run it: isn't that a pitch-black console interface, with Windows Media Player popping up and starting to play t.mid? Success!

Tip: Windows 98 has no Media Player.exe; under 98 it is Mplayer2.exe. Please check your own machine before experimenting. The machine used in this article runs Windows XP.

The second example opens a web page. With what? With IE, or more precisely with the default browser: since it does not specify what to open the page with, the page is opened by its associated program, which is the default browser. Let's diverge a bit: what if we replace http://www.google.com with something else? Here I replaced it with "d:\\t.mid". Quickly create a new Win32 Console Application project in VC and enter the following code:

#include <windows.h>

int main(int argc, char* argv[])
{
    /* Note the difference from the above: "Media Player.exe" is gone and
       the file to open has moved into the 3rd parameter (lpFile), so the
       shell launches whatever program is associated with .mid files. */
    ShellExecute(0, "open", "d:\\t.mid", "", "", SW_SHOW);
    return 0;
}

Run it: a pitch-black interface, and Windows Media Player pops up and starts playing t.mid, because on my test machine MID files are associated with Windows Media Player by default. This is why I emphasized above that "the web page is opened with the associated default browser": if on your machine the association is another player, such as the Hero series, you should get Hero Super Audio King popping up to play t.mid.

The light of dawn has appeared. Now go to Baidu and find a song; I looked for Kelly Chen - Notepad. View its properties and get the address: http://mp3.baidu.com/u?u=http://www.jsshmzx.com/zhuwei/geci/flash/ZzI$.mp3

Continue modifying the program:

ShellExecute(0, "open", "http://mp3.baidu.com/u?u=http://www.jsshmzx.com/zhuwei/geci/flash//ZzI$.mp3", "", "", SW_SHOW);

Tip: this address came from a Baidu search and may be out of date by the time readers test it.

Run it, and Windows Media Player starts playing Kelly Chen's Notebook! Success!

Hacker thinking

When we watch TV over the Internet, Windows Media Player or Realone opens the URL built into the network TV program; this URL is what Windows Media Player or Realone sends to the server as its request. So there are two methods:

1. Since the URL is built into the network TV program, we can first disassemble it with W32Dasm and then look for the URL.

Still taking network TV Elf as the example: after disassembling with W32Dasm you will find a large number of URLs, but look carefully and you'll see that practically none of them is used for watching TV or listening to radio; they are all web sites used by the network navigation inside network TV Elf. Seems like a dead end? Wait: load network TV Elf with OllyDbg and view the string references. No surprise, right? You can basically find every TV and radio URL.

2. Since this URL is sent to the server as the request from Windows Media Player or Realone, we can use a sniffer to get the real address.

When testing I used the method above, but personally I think a sniffer is best for rookies like me. Here is my simple approach: set the filter conditions so that the IP is your own machine's IP, and you capture the outgoing packets. Set the protocol too, because audio and video playback generally uses these: mms://, rtsp://, and so on. If you capture nothing, relax the conditions.
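Method 1 above amounts to pulling every string out of the binary and keeping the ones that are streaming URLs. As an added example that is not part of the original article, the Python below does that over a constructed byte blob standing in for a dumped program; it handles both plain ANSI strings and UTF-16LE strings, and separates mms:// and rtsp:// links from the ordinary web links that were the noise here. All URLs in the sample are made up.

```python
import re

# Constructed sample: a stand-in for a few bytes of a dumped program, with
# ANSI strings (what a Delphi string table usually holds), one UTF-16LE
# string, and filler bytes. These URLs are invented for the example.
SAMPLE_BINARY = (
    b"\x55\x8b\xec\x00http://www.cctv.com/sports/\x00\x90\x90"
    b"mms://live.example.net/cctv1\x00\x00\xcc"
    + "rtsp://stream.example.net/bbc1".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02not_a_url\x00"
)

# Schemes the article names for audio/video playback; http(s) is kept in
# the scan only so navigation links can be told apart from stream links.
STREAM_SCHEMES = ("mms", "rtsp")
URL_RE = re.compile(rb"(?:mms|rtsp|https?)://[\x21-\x7e]+")

def ascii_strings(blob: bytes):
    """Yield printable ASCII runs of 4+ chars, like the 'strings' tool."""
    for m in re.finditer(rb"[\x20-\x7e]{4,}", blob):
        yield m.group(0)

def utf16_strings(blob: bytes):
    """Yield printable UTF-16LE runs, re-encoded to ASCII bytes for matching."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob):
        yield m.group(0).decode("utf-16-le").encode("ascii")

def find_urls(blob: bytes):
    """Return (scheme, url) pairs found in the blob, in discovery order."""
    found = []
    for s in list(ascii_strings(blob)) + list(utf16_strings(blob)):
        for m in URL_RE.finditer(s):
            url = m.group(0).decode("ascii")
            found.append((url.split("://", 1)[0], url))
    return found

def stream_urls(blob: bytes):
    """Only the streaming URLs: the ones worth chasing in a media program."""
    return [u for scheme, u in find_urls(blob) if scheme in STREAM_SCHEMES]

if __name__ == "__main__":
    for scheme, url in find_urls(SAMPLE_BINARY):
        print(scheme, url)
```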

OK, now all the problems are solved; the rest is just adding URLs and writing the code. Next let's talk about how to use ShellExecute to make a hidden backdoor of your own, an idea that also grew out of the content above. Look at the following code:

// test.cpp : defines the entry point for the console application
//
#include <windows.h>

int main(int argc, char* argv[])
{
    /* Same call as before, but nShowCmd is SW_HIDE, so the launched
       program gets no visible window; lpDirectory is 0 (NULL), which
       means the current directory. */
    ShellExecute(0, "open", "Media Player.exe", "d:\\t.mid", 0, SW_HIDE);
    return 0;
}

Test the code above: run it, notice anything? You should: after the pitch-black interface you hear music! But do you see the Media Player interface? No! That is because the last parameter is SW_HIDE; and if the 2nd parameter here is not "open" but 0, the Media Player interface is still not rendered, yet the music plays. What does that make you think of? Think about it: what if this isn't Media Player.exe but your trojan xx.exe? What if you use another, normal program to quietly start xx.exe? Oh, this idea is good! A backdoor that isn't easy to kill!
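The SW_HIDE flag never reaches any log, but the process lineage does: a trusted-looking parent that spawns an executable it has no business launching, especially one living in a user-writable folder, is what a defender can key on. As an added example that is not from the article, the Python below runs that check over constructed process-creation events; nettv.exe, the user name and the paths are made-up values, and the field names are this example's own, not any particular product's schema.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events (parent image, child image, command
# line). Field names and values are invented for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\NetTV\nettv.exe",
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "cmdline": r'"wmplayer.exe" mms://live.example.net/cctv1'},
    {"parent": r"C:\Program Files\NetTV\nettv.exe",
     "image": r"C:\Users\stu\AppData\Local\Temp\xx.exe",
     "cmdline": r'"xx.exe" d:\t.mid'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"iexplore.exe" http://www.cctv.com/sports/'},
]

# Front-ends whose children we scrutinise (a network TV program here).
WATCHED_PARENTS = {"nettv.exe"}
# Children such a front-end is expected to hand off to via ShellExecute.
EXPECTED_CHILDREN = {"wmplayer.exe", "mplayer2.exe", "realplay.exe", "iexplore.exe"}
# Path fragments any user can write to: a common home for a dropped payload.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)

def assess(event: dict) -> list:
    """Reasons this launch looks like a benign parent covertly starting
    something it should not; an empty list means no finding."""
    reasons = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in WATCHED_PARENTS and child not in EXPECTED_CHILDREN:
        reasons.append("unexpected child for a media front-end: " + child)
    if is_user_writable(event["image"]):
        reasons.append("child image lives in a user-writable directory")
    return reasons

def find_suspicious(events: list) -> list:
    """(child image, reasons) for every event worth an analyst's look."""
    return [(e["image"], assess(e)) for e in events if assess(e)]

if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```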

Well, the article is finished. I hope you can see that I wrote out the ShellExecute prototype because I want friends to explore the meaning of each parameter; maybe you'll find treasure!