sworm目标: XX CAD设计软件。
加密形式: 深思Ⅲ加密狗。
破解工具:Winice, Hiew, Wdasm893中文版。
【破解过程】
㈠运行程序,显示“Internal Error. 软件出现致命错误,请检查加密狗是否正确!”后退出。
㈡在Wice中Bpx Messageboxa,再运行程序,显示上述信息时弹出。按F12若干次回到调用处,可见是xxxxxrx调用ACAD.acrx_abort。
㈢反汇编xxxxxrx.arx文件,得:
Exported fn(): acrxEntryPoint - Ord:0002h
:1C05CF00 8B442404 mov eax, dword ptr [esp+04]
:1C05CF04 48 dec eax
:1C05CF05 83F804 cmp eax, 00000004
:1C05CF08 0F878C000000 ja 1C05CF9A
:1C05CF0E FF2485A0CF051C jmp dword ptr [4*eax+1C05CFA0]
:1C05CF15 8B442408 mov eax, dword ptr [esp+08]
:1C05CF19 50 push eax
* Reference To: ACAD.acrxUnlockApplication, Ord:0D5Bh
|
:1C05CF1A E8BDC00800 Call 1C0E8FDC
:1C05CF1F 83C404 add esp, 00000004
:1C05CF22 E8C9AAFEFF call 1C0479F0
:1C05CF27 85C0 test eax, eax
:1C05CF29 7505 jne 1C05CF30
:1C05CF2B E8C0AAFEFF call 1C0479F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C05CF29(C)
|
:1C05CF30 E84BFEFFFF call 1C05CD80
:1C05CF35 E8A6A8FEFF call 1C0477E0
:1C05CF3A E8019CFEFF call 1C046B40
:1C05CF3F A388E00F1C mov dword ptr [1C0FE088], eax
:1C05CF44 85C0 test eax, eax
:1C05CF46 7521 jne 1C05CF69
:1C05CF48 6A00 push 00000000
:1C05CF4A 6A04 push 00000004
:1C05CF4C E82FAAFEFF call 1C047980
:1C05CF51 83C408 add esp, 00000008
:1C05CF54 E807ABFEFF call 1C047A60
* Possible StringData Ref from Data Obj ->"
软件出现致命错误,请检查加密狗是否正确!"========>就在这!
|
:1C05CF59 6888560F1C push 1C0F5688
* Reference To: ACAD.acrx_abort, Ord:0D5Dh
|
:1C05CF5E E8CBBF0800 Call 1C0E8F2E
:1C05CF63 83C404 add esp, 00000004
:1C05CF66 33C0 xor eax, eax
:1C05CF68 C3 ret
㈣在显示错误前,ACAD.acrxUnlockApplication下面,有:
1C05CF22 E8C9AAFEFF call 1C0479F0-------看call 1C046B40也可
查看该处指令,见:
:1C0479F0 83EC60 sub esp, 00000060
:1C0479F3 E888FB0100 call 1C067580
:1C0479F8 85C0 test eax, eax
:1C0479FA 7507 jne 1C047A03-------------à是否为TDMD狗?
:1C0479FC B801000000 mov eax, 00000001
:1C047A01 EB31 jmp 1C047A34
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0479FA(C)
|
:1C047A03 66C7442404AF07 mov [esp+04], 07AF―――>应用口令
:1C047A0A 66C74424060700 mov [esp+06], 0007―――>应用口令
:1C047A11 66C74424081A00 mov [esp+08], 001A―――>应用口令
:1C047A18 66C7442402FFFF mov [esp+02], FFFF――――>开锁
:1C047A1F 8D442400 lea eax, dword ptr [esp]
:1C047A23 50 push eax
:1C047A24 E817170A00 call 1C0E9140―――――★
:1C047A29 66837C240001 cmp word ptr [esp], 0001
:1C047A2F 1BC0 sbb eax, eax
:1C047A31 83E002 and eax, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A01(U)
|
:1C047A34 83F801 cmp eax, 00000001
:1C047A37 7509 jne 1C047A42
:1C047A39 B801000000 mov eax, 00000001
:1C047A3E 83C460 add esp, 00000060
:1C047A41 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A37(C)
|
:1C047A42 83F802 cmp eax, 00000002―――――>是否sense3狗
:1C047A45 7511 jne 1C047A58
:1C047A47 E874560100 call 1C05D0C0
:1C047A4C 663D0100 cmp ax, 0001
:1C047A50 1BC0 sbb eax, eax
:1C047A52 83C460 add esp, 00000060
:1C047A55 F7D8 neg eax
:1C047A57 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A45(C)
|
:1C047A58 33C0 xor eax, eax
:1C047A5A 83C460 add esp, 00000060
:1C047A5D C3 ret
标志处即为sense3狗操作函数。该[esp]=0 有狗。又是一个拿生日作口令的!
㈤查看1C0E9140处程序,见:
* Referenced by a CALL at Addresses
|:1C046774 , :1C0467EA , :1C046A26 , :1C046B75 , :1C046C96
|:1C046DD6 , :1C046F16 , :1C047065 , :1C047176 , :1C0472B6
|:1C047817 , :1C047A24 , :1C047A94 , :1C05D0E9 , :1C05D10E
|:1C05D1D6 , :1C05D2B0
|
:1C0E9140 8B442404 mov eax, dword ptr [esp+04]
:1C0E9144 6A01 push 00000001
:1C0E9146 50 push eax
:1C0E9147 E864020000 call 1C0E93B0
:1C0E914C 83C408 add esp, 00000008
:1C0E914F C20400 ret 0004
由reference表,知有17处加密狗操作。
前14处均为开锁操作,第15处为关锁操作,最后两处为狗操作,必然在开锁操作之后,我们随便观察一处开锁:
* Referenced by a CALL at Addresses:
|:1C0101AA , :1C0156C0 , :1C026A29 , :1C05CF3A , :1C06D469
|:1C0720C7 , :1C0CC80A , :1C0D65DA
|
:1C046B40 83EC64 sub esp, 00000064
:1C046B43 57 push edi
:1C046B44 E8370A0200 call 1C067580
:1C046B49 85C0 test eax, eax-------------à是否为TDMD狗?
:1C046B4B 7507 jne 1C046B54
:1C046B4D B801000000 mov eax, 00000001
:1C046B52 EB31 jmp 1C046B85
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B4B(C)
|
:1C046B54 66C7442408AF07 mov [esp+08], 07AF
:1C046B5B 66C744240A0700 mov [esp+0A], 0007
:1C046B62 66C744240C1A00 mov [esp+0C], 001A
:1C046B69 66C7442406FFFF mov [esp+06], FFFF
:1C046B70 8D442404 lea eax, dword ptr [esp+04]
:1C046B74 50 push eax
:1C046B75 E8C6250A00 call 1C0E9140―――sense3函数
:1C046B7A 66837C240401 cmp word ptr [esp+04], 0001
:1C046B80 1BC0 sbb eax, eax
:1C046B82 83E002 and eax, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B52(U)
|
:1C046B85 83F801 cmp eax, 00000001
:1C046B88 0F8584000000 jne 1C046C12
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B88(C)
|
:1C046C12 83F802 cmp eax, 00000002―――sense3狗?
:1C046C15 753F jne 1C046C56
:1C046C17 68164C0000 push 00004C16
:1C046C1C 684B110000 push 0000114B
:1C046C21 E84A660100 call 1C05D270――――干吗的?
:1C046C26 83C408 add esp, 00000008
:1C046C29 8BC8 mov ecx, eax
:1C046C2B 81E1FFFF0000 and ecx, 0000FFFF
:1C046C31 250000FFFF and eax, FFFF0000
:1C046C36 3D0000DF00 cmp eax, 00DF0000
:1C046C3B 7512 jne 1C046C4F
:1C046C3D 81F937220000 cmp ecx, 00002237
:1C046C43 750A jne 1C046C4F
:1C046C45 B801000000 mov eax, 00000001――好狗由此返回
:1C046C4A 5F pop edi
:1C046C4B 83C464 add esp, 00000064
:1C046C4E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1C046C3B(C), :1C046C43(C)
|
:1C046C4F 33C0 xor eax, eax――坏狗由此返回
:1C046C51 5F pop edi
:1C046C52 83C464 add esp, 00000064
:1C046C55 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046C15(C)
|
:1C046C56 33C0 xor eax, eax
:1C046C58 5F pop edi
:1C046C59 83C464 add esp, 00000064
:1C046C5C C3 ret
到call 1c05d270看看,到底干吗?
* Referenced by a CALL at Address:
|:1C046C21
|
:1C05D270 668B4C2404 mov cx, word ptr [esp+04]
:1C05D275 B804000000 mov eax, 00000004
:1C05D27A 66C705FEEB111C0000 mov word ptr [1C11EBFE], 0000
:1C05D283 66C70500EC111CBFB7 mov word ptr [1C11EC00], B7BF
:1C05D28C 668B542408 mov dx, word ptr [esp+08]
:1C05D291 68F0EB111C push 1C11EBF0
:1C05D296 66A3F2EB111C mov word ptr [1C11EBF2], ax
:1C05D29C 66A3FAEB111C mov word ptr [1C11EBFA], ax
:1C05D2A2 66890DFCEB111C mov word ptr [1C11EBFC], cx
:1C05D2A9 66891502EC111C mov word ptr [1C11EC02], dx
:1C05D2B0 E88BBE0800 call 1C0E9140―――>sense3函数,注意地址
:1C05D2B5 66833DF0EB111C00 cmp word ptr [1C11EBF0], 0000
:1C05D2BD 7409 je 1C05D2C8
:1C05D2BF 33C0 xor eax, eax
:1C05D2C1 66A1F0EB111C mov ax, word ptr [1C11EBF0]
:1C05D2C7 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C05D2BD(C)
|
:1C05D2C8 33C0 xor eax, eax
:1C05D2CA 33C9 xor ecx, ecx
:1C05D2CC 66A106EC111C mov ax, word ptr [1C11EC06]
:1C05D2D2 C1E010 shl eax, 10
:1C05D2D5 668B0D0CEC111C mov cx, word ptr [1C11EC0C]
:1C05D2DC 0BC1 or eax, ecx
:1C05D2DE C3 ret
至此,程序的狗操作方式很清楚了。这个程序用的是码表法,且码表长度很有限。
Sense3的狗内代码执行是中看不中用的花拳绣腿。长度有限,只好完成简单的数值运算,很少有程序有经常执行的相应代码可放入,最后只好作判断狗之用。对付方法参考紫竹的大作吧。
【小结:】
先找到出错提示,由此找到最底层的sense3函数,这是关键!在反汇编代码中,由reference表,可看见所有操作。一一对此修改即可破解,不会遗漏。本例共修改44字节。
若要复制,也基本不成问题,唯一难点是代码区,一句老话,看悟性吧。我一般不复制,一则没钱买空狗(谁赞助?Kao,只接到一个鸡蛋!);二则没必要,重写sense3函数即可,如将1C0E9140重写。而本例全为判断狗的Boolean函数,连使用狗内数据都没有,无狗都可破解。
上次“废话”篇中的代码为某加密程序的狗返回值处理函数,第一条指令mov eax,[esp+4]就是将sense3data中返回标志赋给eax, 看出来了吗?
愿和大家一起学习,进步!
文章转载地址:http://www.cnpaf.net/Class/hack/05121820345243918441.htm
