Title: Dalao's dongle-cracking tutorials

Dalao's dongle-cracking tutorial, part one: how to remove a HASP dongle! I hope this helps everyone! Dalao =[dcg]=

Program: a foreign engineering application, dasxx

Protection: hasp4 m1. This is the Israeli dongle; m1 means it has memory.

Tools used: trw2000 wasm32

This is the first of my dongle-cracking tutorials! I will write three in all! For the first one I'm writing about software protected with the hasp4 dongle, since there are few Chinese tutorials on it online!

I will only sketch the general idea of the crack!

I hope it helps everyone!

(1) Part 1

=============================================================================================

:0042659a 50 push eax
:0042659b 51 push ecx
:0042659c 52 push edx
:0042659d 53 push ebx
:0042659e 68fe3f0000 push 00003ffe ===> this is the password the HASP dongle needs when it is read! (1)
:004265a3 687b1d0000 push 00001d7b ===> the HASP dongle's password! (2)
:004265a8 6800000000 push 00000000
:004265ad 6800000000 push 00000000
:004265b2 6801000000 push 00000001
:004265b7 e8a7fbffff call 00426163 ====> read dongle (1)
:004265bc 83c424 add esp, 00000024
:004265bf 8b45fc mov eax, dword ptr [ebp-04] ==> after the read, a return value of 1 means the dongle is present!
:004265c2 b901000000 mov ecx, 00000001
:004265c7 39c8 cmp eax, ecx
:004265c9 0f85ef020000 jne 004268be ===> if it jumps, it's over
:004265cf 8d45f0 lea eax, dword ptr [ebp-10]
:004265d2 8d4df4 lea ecx, dword ptr [ebp-0c]
:004265d5 8d55f8 lea edx, dword ptr [ebp-08]
:004265d8 8d5dfc lea ebx, dword ptr [ebp-04]
:004265db 50 push eax
:004265dc 51 push ecx
:004265dd 52 push edx
:004265de 53 push ebx
:004265df 68fe3f0000 push 00003ffe
:004265e4 687b1d0000 push 00001d7b
:004265e9 6800000000 push 00000000
:004265ee 6800000000 push 00000000
:004265f3 6805000000 push 00000005
:004265f8 e866fbffff call 00426163 ========> read dongle (2)
:004265fd 83c424 add esp, 00000024
:00426600 8b45fc mov eax, dword ptr [ebp-04] ==> after the read, a return value of 1 means the dongle is present!
:00426603 b901000000 mov ecx, 00000001
:00426608 39c8 cmp eax, ecx
:0042660a 0f85c2010000 jne 004267d2 ===> if it jumps, it's over
:00426610 8b45f8 mov eax, dword ptr [ebp-08] ===> another return value
:00426613 39c8 cmp eax, ecx
:00426615 0f85b7010000 jne 004267d2 ====> if it jumps, it's over!
:0042661b 8d0518e74500 lea eax, dword ptr [0045e718]
:00426621 8b4df4 mov ecx, dword ptr [ebp-0c]
:00426624 668908 mov word ptr [eax], cx
:00426627 6885510000 push 00005185
:0042662c 8d05bc614200 lea eax, dword ptr [004261bc]
:00426632 8d4de0 lea ecx, dword ptr [ebp-20]
:00426635 51 push ecx
:00426636 ffd0 call eax ===> computes the returned data
:00426638 83c408 add esp, 00000008
:0042663b 8b45e0 mov eax, dword ptr [ebp-20] ====> returned data (1); the correct value is bb2
:0042663e b9b20b0000 mov ecx, 00000bb2 ===> this is the value compared against!
:00426643 39c8 cmp eax, ecx ===> compare
:00426645 0f8530000000 jne 0042667b ===> jump to the error
:0042664b 8b45e4 mov eax, dword ptr [ebp-1c] ====> returned data (2); the correct value is a6fe
:0042664e b9fea60000 mov ecx, 0000a6fe
:00426653 39c8 cmp eax, ecx ===> compare
:00426655 0f8520000000 jne 0042667b ===> jump to the error
:0042665b 8b45e8 mov eax, dword ptr [ebp-18] ====> returned data (3); the correct value is 6a14
:0042665e b9146a0000 mov ecx, 00006a14
:00426663 39c8 cmp eax, ecx ===> compare
:00426665 0f8510000000 jne 0042667b ===> jump to the error!
:0042666b 8b45ec mov eax, dword ptr [ebp-14] ====> returned data (4); the correct value is 714d
:0042666e b94d710000 mov ecx, 0000714d
:00426673 39c8 cmp eax, ecx ===> compare; if equal, jump to the correct handling flow
:00426675 0f84fc000000 je 00426777 ===> jump to the correct handling flow === key point (1) ===

* referenced by a (u)nconditional or (c)onditional jump at addresses:
|:00426645(c), :00426655(c), :00426665(c)
|
:0042667b 8d0552924700 lea eax, dword ptr [00479252]
:00426681 6801000000 push 00000001
:00426686 50 push eax
:00426687 6800000000 push 00000000

* reference to: cvirt.loadpanel, ord:0133h
|
:0042668c e891b3fdff call 00401a22
:00426691 8d4ddc lea ecx, dword ptr [ebp-24]
:00426694 8901 mov dword ptr [ecx], eax
:00426696 8b45dc mov eax, dword ptr [ebp-24]
:00426699 b900000000 mov ecx, 00000000
:0042669e 39c8 cmp eax, ecx
:004266a0 0f8d20000000 jnl 004266c6

* reference to: cvirt.cvi_beep, ord:0259h
|
:004266a6 e845b8fdff call 00401ef0
:004266ab 8d05ea924700 lea eax, dword ptr [004792ea]
:004266b1 8d0daa924700 lea ecx, dword ptr [004792aa]
:004266b7 50 push eax
:004266b8 51 push ecx

* reference to: cvirt.messagepopup, ord:014dh ===> error message!
|
:004266b9 e8ccb7fdff call 00401e8a
:004266be 8d056a674200 lea eax, dword ptr [0042676a]
:004266c4 ffe0 jmp eax

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004266a0(c)
|
:004266c6 6800000000 push 00000000
:004266cb 6812020000 push 00000212
:004266d0 6803000000 push 00000003

==================================================================================================

If you handle it this way, the program will still have problems when it runs! It looks like it isn't fully solved! Let's keep looking!

Part 2

===================================================================================================

After the jump in Part 1 (=== key point (1) ===) we arrive here. Let's go

* referenced by a (u)nconditional or (c)onditional jump at address:
|:00426675(c)
|
:00426777 e8cbfbffff call 00426347
:0042677c 8d45fc lea eax, dword ptr [ebp-04]
:0042677f b903000000 mov ecx, 00000003
:00426784 8908 mov dword ptr [eax], ecx
:00426786 8d4df0 lea ecx, dword ptr [ebp-10]
:00426789 8d55f4 lea edx, dword ptr [ebp-0c]
:0042678c 8d5df8 lea ebx, dword ptr [ebp-08]
:0042678f 51 push ecx
:00426790 52 push edx
:00426791 53 push ebx
:00426792 50 push eax
:00426793 68fe3f0000 push 00003ffe
:00426798 687b1d0000 push 00001d7b
:0042679d 6800000000 push 00000000
:004267a2 6800000000 push 00000000
:004267a7 6803000000 push 00000003
:004267ac e8b2f9ffff call 00426163 ====> another dongle read here!
:004267b1 83c424 add esp, 00000024
:004267b4 8b45f4 mov eax, dword ptr [ebp-0c] ====> return value (1) should be 0
:004267b7 b900000000 mov ecx, 00000000
:004267bc 39c8 cmp eax, ecx ===> compare
:004267be 0f85de010000 jne 004269a2 ===> does not jump
:004267c4 8b45f8 mov eax, dword ptr [ebp-08]
:004267c7 0fb7c0 movzx eax, ax
:004267ca 8d0da7694200 lea ecx, dword ptr [004269a7] ===> note that the value of ecx is loaded from this address
:004267d0 ffe1 jmp ecx =======> jump to the next part! go ==== key point 2 ===

* referenced by a (u)nconditional or (c)onditional jump at addresses:
|:0042660a(c), :00426615(c)
|
:004267d2 8d0545924700 lea eax, dword ptr [00479245]
:004267d8 6801000000 push 00000001
:004267dd 50 push eax
:004267de 6800000000 push 00000000

* reference to: cvirt.loadpanel, ord:0133h
|
:004267e3 e83ab2fdff call 00401a22
:004267e8 8d4ddc lea ecx, dword ptr [ebp-24]
:004267eb 8901 mov dword ptr [ecx], eax
:004267ed 8b45dc mov eax, dword ptr [ebp-24]
:004267f0 b900000000 mov ecx, 00000000
:004267f5 39c8 cmp eax, ecx
:004267f7 0f8d20000000 jnl 0042681d

* reference to: cvirt.cvi_beep, ord:0259h
|
:004267fd e8eeb6fdff call 00401ef0
:00426802 8d05be924700 lea eax, dword ptr [004792be]
:00426808 8d0d96924700 lea ecx, dword ptr [00479296]
:0042680e 50 push eax
:0042680f 51 push ecx

* reference to: cvirt.messagepopup, ord:014dh ====> error message!
|
:00426810 e875b6fdff call 00401e8a
:00426815 8d05a9684200 lea eax, dword ptr [004268a9]
:0042681b ffe0 jmp eax

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004267f7(c)
|
:0042681d 6800000000 push 00000000
:00426822 6812020000 push 00000212
:00426827 6803000000 push 00000003
:0042682c 8b45dc mov eax, dword ptr [ebp-24]
:0042682f 50 push eax

* reference to: cvirt.setctrlattribute, ord:00aeh
|
:00426830 e8bfacfdff call 004014f4
:00426835 83c410 add esp, 00000010
:00426838 6800000000 push 00000000
:0042683d 6812020000 push 00000212
:00426842 6804000000 push 00000004

=======================================================================================================

After the previous part, let's see how the next part goes! Tracing ==== key point 2 === leads to the code below!

:0042afce 8908 mov dword ptr [eax], ecx
:0042afd0 e8b1b5ffff call 00426586
:0042afd5 8d8de8feffff lea ecx, dword ptr [ebp+fffffee8]
:0042afdb 668901 mov word ptr [ecx], ax
:0042afde 668b85e8feffff mov ax, word ptr [ebp+fffffee8]
:0042afe5 0fb7c0 movzx eax, ax
:0042afe8 b901000000 mov ecx, 00000001
:0042afed 39c8 cmp eax, ecx ====== note this comparison
:0042afef 0f8432000000 je 0042b027 =====> if it doesn't jump, it's over

* possible reference to string resource id=65535: "das32"
|
:0042aff5 b9ffff0000 mov ecx, 0000ffff
:0042affa 39c8 cmp eax, ecx
:0042affc 0f8425000000 je 0042b027

* reference to: cvirt.cvi_beep, ord:0259h
|
:0042b002 e8e96efdff call 00401ef0
:0042b007 8d0504b04700 lea eax, dword ptr [0047b004]
:0042b00d 8d0dafb34700 lea ecx, dword ptr [0047b3af]
:0042b013 50 push eax
:0042b014 51 push ecx

* reference to: cvirt.messagepopup, ord:014dh ===== error message!
|
:0042b015 e8706efdff call 00401e8a
:0042b01a 6800000000 push 00000000
:0042b01f e82f75fdff call 00402553
:0042b024 83c404 add esp, 00000004

* referenced by a (u)nconditional or (c)onditional jump at addresses:
|:0042afef(c), :0042affc(c)
|
:0042b027 8d45fc lea eax, dword ptr [ebp-04] ==== the correct flow!
:0042b02a 50 push eax
:0042b02b 6801000000 push 00000001

======================================================================================================

After this part, the dongle portion is removed!

Summary!

The above is only one of the ways to remove the dongle! I think this software has several other solutions! This one is relatively easy to understand! Heh, I've made a fool of myself! I hope nobody laughs at me!

I hope everyone comes to my forum often to have a look and exchange ideas! Some people have objections to me now! That's unavoidable, and quite normal!! Thanks to everyone for reading this! If you think it's decent, please reply and show some support! Thanks!

If you repost, please keep it complete.
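The weak point the first post walks through is plain in the listing: the program reads the dongle, compares each returned word with a constant sitting in the code (bb2, a6fe, 6a14, 714d) and a single `jne` decides. The C below is an added example, not code from the post or from HASP: it models that check next to a variant in which the returned words are consumed as key material for a table the program needs, so the binary holds neither the expected words nor one decisive branch; `read_dongle`, the table contents and the Fletcher-16 digest are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. Models the two ways a program can
 * consume the four 16-bit words a HASP query returns. The words used here are
 * the ones the listing compares against: bb2, a6fe, 6a14, 714d. */
typedef struct { uint16_t w[4]; } dongle_resp;

/* Constructed stand-in for the read call (call 00426163 in the listing):
 * a present dongle answers with the genuine words, an absent one with zeros. */
dongle_resp read_dongle(int present) {
    dongle_resp genuine = {{0x0bb2, 0xa6fe, 0x6a14, 0x714d}};
    dongle_resp none = {{0, 0, 0, 0}};
    return present ? genuine : none;
}

/* Shape 1, as in the listing at 0042663b..00426675: every expected word is an
 * immediate in the code and one conditional branch picks the path.
 * Returns 1 for the "correct flow" branch, 0 for the error handler. */
int check_by_compare(const dongle_resp *r) {
    static const uint16_t expected[4] = {0x0bb2, 0xa6fe, 0x6a14, 0x714d};
    for (int i = 0; i < 4; i++) {
        if (r->w[i] != expected[i]) {
            return 0;           /* the jne 0042667b path */
        }
    }
    return 1;                   /* the je 00426777 path */
}

/* Fletcher-16 over a buffer; used only to tell a correctly decoded table
 * from garbage, so the binary stores a digest instead of the dongle words. */
uint16_t fletcher16(const uint8_t *p, size_t n) {
    uint16_t c0 = 0, c1 = 0;
    for (size_t i = 0; i < n; i++) {
        c0 = (uint16_t)((c0 + p[i]) % 255);
        c1 = (uint16_t)((c1 + c0) % 255);
    }
    return (uint16_t)((c1 << 8) | c0);
}

/* Shape 2: the response is key material. ENC_TABLE is the constructed 16-byte
 * table "LICENSE-TABLE-V1" XOR-encoded offline with the genuine words
 * (little-endian, repeated), and TABLE_DIGEST is fletcher16 of the plaintext.
 * Neither the expected words nor a yes/no branch appear in the program. */
static const uint8_t ENC_TABLE[16] = {
    0xfe, 0x42, 0xbd, 0xe3, 0x5a, 0x39, 0x08, 0x5c,
    0xe6, 0x4a, 0xbc, 0xea, 0x51, 0x47, 0x1b, 0x40
};
static const uint16_t TABLE_DIGEST = 0xbe50;

/* Decodes ENC_TABLE with the response; returns 1 when the digest matches. */
int decode_with_response(const dongle_resp *r, uint8_t out[16]) {
    uint8_t key[8];
    for (int i = 0; i < 4; i++) {
        key[2 * i]     = (uint8_t)(r->w[i] & 0xff);
        key[2 * i + 1] = (uint8_t)(r->w[i] >> 8);
    }
    for (int i = 0; i < 16; i++) {
        out[i] = ENC_TABLE[i] ^ key[i % 8];
    }
    return fletcher16(out, 16) == TABLE_DIGEST;
}

/* Whole compare-shaped path for a present (1) or absent (0) dongle. */
int compare_path_ok(int present) {
    dongle_resp r = read_dongle(present);
    return check_by_compare(&r);
}

/* Whole keyed path: 1 only if the decoded table is the expected plaintext. */
int keyed_path_ok(int present) {
    uint8_t table[16];
    dongle_resp r = read_dongle(present);
    return decode_with_response(&r, table) &&
           memcmp(table, "LICENSE-TABLE-V1", 16) == 0;
}

int main(void) {
    for (int present = 1; present >= 0; present--) {
        printf("dongle %s: compare=%d keyed=%d\n",
               present ? "present" : "absent",
               compare_path_ok(present), keyed_path_ok(present));
    }
    return 0;
}
```

The keyed shape removes the patchable branch and the plaintext constants; it does not remove the replay the second post relies on, where a genuine dongle's responses are recorded and emulated.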

 

 

 

Post #2, 2006-5-27 18:02:28

Dalao's dongle-cracking tutorial, part two: how to remove a Sense3 dongle from protected software! I hope this helps everyone! Dalao =[dcg]=

Software: a well-known domestic bid-document preparation application
Protection: the Sense3 dongle from Beijing SenseLock (sense3)
Tools used: trw2000 wasm32
Difficulty: hard
Cracked by: Dalao
Group: =bcg= =[dcg]=
Email: dalao@top86.com
Forum: http://dalao2002.yeah.net

Dedicated to all friends who love cracking!

This is the second of my dongle-cracking tutorials! I will write three in all! This one mainly covers how to crack Sense3-protected programs that need data stored inside the dongle!

I will only sketch the general idea of the crack! Experts, please don't laugh!

I hope it helps everyone!

(1)

This program is interesting! Without the dongle, a dialog pops up telling you: Illegal user - please plug in the software dongle and check that it is intact!

That's actually a very good entry point! Let's look at the code below! I'll walk you through it!

:004e1d9b 8bc6 mov eax, esi
:004e1d9d e88a20f3ff call 00413e2c
:004e1da2 8bc6 mov eax, esi
:004e1da4 e81720f3ff call 00413dc0
:004e1da9 8945ec mov dword ptr [ebp-14], eax
:004e1dac 8bc6 mov eax, esi
:004e1dae e80d20f3ff call 00413dc0
:004e1db3 8945e8 mov dword ptr [ebp-18], eax
:004e1db6 8bc6 mov eax, esi
:004e1db8 e80320f3ff call 00413dc0
:004e1dbd 8945e4 mov dword ptr [ebp-1c], eax
:004e1dc0 8bc6 mov eax, esi
:004e1dc2 e86d20f3ff call 00413e34
:004e1dc7 8bc6 mov eax, esi
:004e1dc9 e8f612f2ff call 004030c4
:004e1dce 8bc3 mov eax, ebx
:004e1dd0 e8ef12f2ff call 004030c4
:004e1dd5 8d8528feffff lea eax, dword ptr [ebp+fffffe28]
:004e1ddb 668b55ec mov dx, word ptr [ebp-14]
:004e1ddf 6689952cfeffff mov word ptr [ebp+fffffe2c], dx ===> Sense3 call mode: password 1
:004e1de6 668b55e8 mov dx, word ptr [ebp-18]
:004e1dea 6689952efeffff mov word ptr [ebp+fffffe2e], dx ===> Sense3 call mode: password 2
:004e1df1 668b55e4 mov dx, word ptr [ebp-1c]
:004e1df5 66899530feffff mov word ptr [ebp+fffffe30], dx ===> Sense3 call mode: password 3
:004e1dfc 66c7852afeffffffff mov word ptr [ebp+fffffe2a], ffff ===> function code: open dongle
:004e1e05 50 push eax
:004e1e06 e8097bf7ff call 00459914 ========> the dongle is read here
:004e1e0b 33c0 xor eax, eax
:004e1e0d 5a pop edx
:004e1e0e 59 pop ecx
:004e1e0f 59 pop ecx
:004e1e10 648910 mov dword ptr fs:[eax], edx
:004e1e13 eb2e jmp 004e1e43
:004e1e15 e96616f2ff jmp 00403480
:004e1e1a 6a00 push 00000000

* possible stringdata ref from code obj ->"非法用户"
|
:004e1e1c b910264e00 mov ecx, 004e2610

* possible stringdata ref from code obj ->"不能读取系统注册信息,系统无法启动!"
|
:004e1e21 ba1c264e00 mov edx, 004e261c
:004e1e26 a1540f4f00 mov eax, dword ptr [004f0f54]
:004e1e2b 8b00 mov eax, dword ptr [eax]
:004e1e2d e89266f4ff call 004284c4
:004e1e32 a1540f4f00 mov eax, dword ptr [004f0f54]
:004e1e37 8b00 mov eax, dword ptr [eax]
:004e1e39 e8e265f4ff call 00428420
:004e1e3e e8e118f2ff call 00403724

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004e1e13(u)
|
:004e1e43 6683bd28feffff00 cmp word ptr [ebp+fffffe28], 0000 ====> checks whether opening the dongle succeeded!
:004e1e4b 7424 je 004e1e71 ====> it must jump here!
:004e1e4d 6a00 push 00000000

* possible stringdata ref from code obj ->"非法用户"
|
:004e1e4f b910264e00 mov ecx, 004e2610

* possible stringdata ref from code obj ->"请插上软件狗,并检查软件狗是否完好无损!"
|
:004e1e54 ba44264e00 mov edx, 004e2644
:004e1e59 a1540f4f00 mov eax, dword ptr [004f0f54]
:004e1e5e 8b00 mov eax, dword ptr [eax]
:004e1e60 e85f66f4ff call 004284c4
:004e1e65 a1540f4f00 mov eax, dword ptr [004f0f54]
:004e1e6a 8b00 mov eax, dword ptr [eax]
:004e1e6c e8af65f4ff call 00428420

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004e1e4b(c)
|
:004e1e71 a1002c4f00 mov eax, dword ptr [004f2c00]
:004e1e76 8b802c040000 mov eax, dword ptr [eax+0000042c]
:004e1e7c c74058ffffffff mov [eax+58], ffffffff
:004e1e83 817dece7030000 cmp dword ptr [ebp-14], 000003e7 ====> checks the port!
:004e1e8a 7527 jne 004e1eb3
:004e1e8c 817de878030000 cmp dword ptr [ebp-18], 00000378
:004e1e93 751e jne 004e1eb3
:004e1e95 817de409030000 cmp dword ptr [ebp-1c], 00000309
:004e1e9c 7515 jne 004e1eb3
:004e1e9e a1002c4f00 mov eax, dword ptr [004f2c00]
:004e1ea3 8b802c040000 mov eax, dword ptr [eax+0000042c]
:004e1ea9 33d2 xor edx, edx
:004e1eab 895058 mov dword ptr [eax+58], edx
:004e1eae e988000000 jmp 004e1f3b

* referenced by a (u)nconditional or (c)onditional jump at addresses:
|:004e1e8a(c), :004e1e93(c), :004e1e9c(c)
|
:004e1eb3 817dec78030000 cmp dword ptr [ebp-14], 00000378
:004e1eba 7526 jne 004e1ee2
:004e1ebc 817de8e7030000 cmp dword ptr [ebp-18], 000003e7
:004e1ec3 751d jne 004e1ee2

----------------------------------------------------------------------------------------------------------------------

(2) The above is only the first half! Heh! Once past it, you can finally get into the program's main interface! Along the way it reports that loading the resource library failed! Once inside, the functions have problems!

Let's find the cause!

Set a breakpoint:

bpio 378 ====> this command watches I/O traffic on parallel port 378! If there is any traffic, it breaks!

Then run the program! Once past the part above, on the next break press F12 and you eventually come back to the part below!

:004e9a0e 899db0feffff mov dword ptr [ebp+fffffeb0], ebx
:004e9a14 899dacfeffff mov dword ptr [ebp+fffffeac], ebx
:004e9a1a 895de8 mov dword ptr [ebp-18], ebx
:004e9a1d 895dcc mov dword ptr [ebp-34], ebx
:004e9a20 894df8 mov dword ptr [ebp-08], ecx
:004e9a23 8955fc mov dword ptr [ebp-04], edx
:004e9a26 8b45fc mov eax, dword ptr [ebp-04]
:004e9a29 e85ea6f1ff call 0040408c
:004e9a2e 33c0 xor eax, eax
:004e9a30 55 push ebp
:004e9a31 68b9a04e00 push 004ea0b9
:004e9a36 64ff30 push dword ptr fs:[eax]
:004e9a39 648920 mov dword ptr fs:[eax], esp
:004e9a3c a16c0e4f00 mov eax, dword ptr [004f0e6c]
:004e9a41 8b00 mov eax, dword ptr [eax]
:004e9a43 8b802c040000 mov eax, dword ptr [eax+0000042c]
:004e9a49 c6405400 mov [eax+54], 00
:004e9a4d 8b156c0e4f00 mov edx, dword ptr [004f0e6c]
:004e9a53 8b4058 mov eax, dword ptr [eax+58]
:004e9a56 83e801 sub eax, 00000001 =====> here the dongle type is determined!
:004e9a59 721b jb 004e9a76 ======> jump to the standard-edition part!
:004e9a5b 0f84db000000 je 004e9b3c
:004e9a61 83e805 sub eax, 00000005
:004e9a64 0f8498010000 je 004e9c02
:004e9a6a 48 dec eax
:004e9a6b 0f8457020000 je 004e9cc8
:004e9a71 e907030000 jmp 004e9d7d

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004e9a59(c)
|
:004e9a76 e83d0df7ff call 0045a7b8 =====> open dongle
:004e9a7b 6685c0 test ax, ax
:004e9a7e 0f85f9020000 jne 004e9d7d ====> if it jumps, there is no dongle!
:004e9a84 66c78578ffffff0200 mov word ptr [ebp+ffffff78], 0002
:004e9a8d 8d8574ffffff lea eax, dword ptr [ebp+ffffff74]
:004e9a93 e8540df7ff call 0045a7ec ======> read the dongle's data area
:004e9a98 6685c0 test ax, ax ======> ax=0 means the read succeeded
:004e9a9b 0f85dc020000 jne 004e9d7d =====> with ax=0 this doesn't jump
:004e9aa1 0fb78574ffffff movzx eax, word ptr [ebp+ffffff74] ===> key: the data returned after a successful read
:004e9aa8 8945e4 mov dword ptr [ebp-1c], eax
:004e9aab 66c78578ffffff0300 mov word ptr [ebp+ffffff78], 0003
:004e9ab4 8d8574ffffff lea eax, dword ptr [ebp+ffffff74]
:004e9aba e82d0df7ff call 0045a7ec ======> read the dongle's data area
:004e9abf 6685c0 test ax, ax ======> ax=0 means the read succeeded
:004e9ac2 0f85b5020000 jne 004e9d7d
:004e9ac8 0fb78574ffffff movzx eax, word ptr [ebp+ffffff74] ===> key: the data returned after a successful read
:004e9acf 8945e0 mov dword ptr [ebp-20], eax =====> store the data in a temporary location!
:004e9ad2 66c78578ffffff0400 mov word ptr [ebp+ffffff78], 0004
:004e9adb 8d8574ffffff lea eax, dword ptr [ebp+ffffff74]
:004e9ae1 e8060df7ff call 0045a7ec ======> read the dongle's data area
:004e9ae6 6685c0 test ax, ax ======> ax=0 means the read succeeded
:004e9ae9 0f858e020000 jne 004e9d7d
:004e9aef 0fb78574ffffff movzx eax, word ptr [ebp+ffffff74] ===> key: the data returned after a successful read
:004e9af6 8945dc mov dword ptr [ebp-24], eax
:004e9af9 668b45e0 mov ax, word ptr [ebp-20]
:004e9afd 66898574ffffff mov word ptr [ebp+ffffff74], ax
:004e9b04 668b45dc mov ax, word ptr [ebp-24]
:004e9b08 66898576ffffff mov word ptr [ebp+ffffff76], ax
:004e9b0f 8d8574ffffff lea eax, dword ptr [ebp+ffffff74]
:004e9b15 e86a0ef7ff call 0045a984 ======> the data read from the dongle's data area is combined with the data above; the results go into <1> and <2> below
:004e9b1a 6685c0 test ax, ax ======> ax=0 means the read succeeded
:004e9b1d 0f855a020000 jne 004e9d7d
:004e9b23 0fb78574ffffff movzx eax, word ptr [ebp+ffffff74] ======> data <1>
:004e9b2a 8945e0 mov dword ptr [ebp-20], eax
:004e9b2d 0fb78576ffffff movzx eax, word ptr [ebp+ffffff76] ======> data <2>
:004e9b34 8945dc mov dword ptr [ebp-24], eax
:004e9b37 e941020000 jmp 004e9d7d

----------------------------------------------------------------------------------------------------------------------

(3) The above is the process of using the data in the dongle to load the resource library! Cracking is simple! Just emulate the returned data!

The part below is the dongle handling for other editions of the bid software! You can see it is the same as above, only the returned data differ!

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004e9a5b(c)
|
:004e9b3c e80f10f7ff call 0045ab50
:004e9b41 6685c0 test ax, ax
:004e9b44 0f8533020000 jne 004e9d7d
:004e9b4a 66c78552ffffff0200 mov word ptr [ebp+ffffff52], 0002
:004e9b53 8d8550ffffff lea eax, dword ptr [ebp+ffffff50]
:004e9b59 e82610f7ff call 0045ab84
:004e9b5e 6685c0 test ax, ax
:004e9b61 0f8516020000 jne 004e9d7d
:004e9b67 0fb78554ffffff movzx eax, word ptr [ebp+ffffff54]
:004e9b6e 8945e4 mov dword ptr [ebp-1c], eax
:004e9b71 66c78552ffffff0300 mov word ptr [ebp+ffffff52], 0003
:004e9b7a 8d8550ffffff lea eax, dword ptr [ebp+ffffff50]
:004e9b80 e8ff0ff7ff call 0045ab84
:004e9b85 6685c0 test ax, ax
:004e9b88 0f85ef010000 jne 004e9d7d
:004e9b8e 0fb78554ffffff movzx eax, word ptr [ebp+ffffff54]
:004e9b95 8945e0 mov dword ptr [ebp-20], eax
:004e9b98 66c78552ffffff0400 mov word ptr [ebp+ffffff52], 0004
:004e9ba1 8d8550ffffff lea eax, dword ptr [ebp+ffffff50]
:004e9ba7 e8d80ff7ff call 0045ab84
:004e9bac 6685c0 test ax, ax
:004e9baf 0f85c8010000 jne 004e9d7d
:004e9bb5 0fb78554ffffff movzx eax, word ptr [ebp+ffffff54]
:004e9bbc 8945dc mov dword ptr [ebp-24], eax
:004e9bbf 668b45e0 mov ax, word ptr [ebp-20]
:004e9bc3 66898552ffffff mov word ptr [ebp+ffffff52], ax
:004e9bca 668b45dc mov ax, word ptr [ebp-24]
:004e9bce 66898550ffffff mov word ptr [ebp+ffffff50], ax
:004e9bd5 8d8550ffffff lea eax, dword ptr [ebp+ffffff50]
:004e9bdb e80411f7ff call 0045ace4
:004e9be0 6685c0 test ax, ax
:004e9be3 0f8594010000 jne 004e9d7d
:004e9be9 0fb78552ffffff movzx eax, word ptr [ebp+ffffff52]
:004e9bf0 8945e0 mov dword ptr [ebp-20], eax
:004e9bf3 0fb78550ffffff movzx eax, word ptr [ebp+ffffff50]
:004e9bfa 8945dc mov dword ptr [ebp-24], eax
:004e9bfd e97b010000 jmp 004e9d7d

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004e9a64(c)

-----------------------------------------------------------------------------------------------------------------------

(4) Summary

Once all the parts above are passed, the program is basically done! It can load the resource library normally and most functions work! But there is still one error: after creating a new file and then dragging in resource-library data, it reports an error! It's actually easy to solve! Find it yourselves! I won't write it up!

To summarize the crack of this program!! The first half is very simple! The second half is the hard part, especially the handling of the returned data! As long as you master the second half, cracking Sense3-protected software with a dongle on hand should be no problem!

Some people say that I, Dalao, can't crack dongles, that I'm a software hoarder and that my dongle tutorials were written for me by others!! Heh! I won't say more! I'll leave it for everyone to judge!

Writing tutorials is tiring! The next one may be shorter!

Thanks to everyone for reading this!

If you think it's good, please reply to show some support!!

If you repost this, please keep it complete!
Post #4, 2006-5-27 18:02:29

Dalao's dongle-cracking tutorial, part three (the final one): how to remove a Rockey4 dongle from protected software! I hope this helps everyone! Dalao =[dcg]=

Software: a well-known Beijing wedding-photography design application
Protection: the Jianshi (Rockey4) dongle from Beijing Feitian Technologies (rockey4)
Tools used: trw2000 wasm32 hiew688
Difficulty: hard
Cracked by: Dalao
Group: =bcg= =[dcg]=
My work: File Dongle Detection Tool 2.0
Email: dalao@qdcnc.com  dalao@126.com
Homepage: http://dalao2002.yeah.net
Forum: http://61.177.65.168/dalaobbs
oicq: 79234668

Dedicated to all friends who love cracking!

This is the third and last of my dongle-cracking tutorials! I'm writing it in two parts: the first is the dongle shell, the second is decrypting the program itself!

If you have read my first tutorial, on HASP, it will help you with the Rockey dongle!

The Rockey and HASP dongle read calls are similar in some respects!

I will only sketch the general idea of the crack! Experts, please don't laugh!

I hope it helps everyone!

(Part 1) = dongle shell =

Let me talk about the Rockey4 shell! The Rockey4 shell is well made, with very good compatibility! After protection, each segment of the program needs 4 sets of data returned by the dongle to be restored! Regrettably, the shell has basically no junk instructions! Enough talk, go go..

==========================================================================================

(1) Dongle read part

:004b1935 83c408                  add esp, 00000008
:004b1938 8d4c2408                lea ecx, dword ptr [esp+08]
:004b193c 8d542406                lea edx, dword ptr [esp+06]
:004b1940 8d442430                lea eax, dword ptr [esp+30]
:004b1944 6a00                    push 00000000
:004b1946 51                      push ecx
:004b1947 8b4e0a                  mov ecx, dword ptr [esi+0a]
:004b194a 6a02                    push 00000002
:004b194c 52                      push edx
:004b194d 6a28                    push 00000028
:004b194f 50                      push eax
:004b1950 6800e410a4              push a410e400
:004b1955 51                      push ecx
:004b1956 ff9616050000            call dword ptr [esi+00000516]   ------> this is the DeviceIoControl function; above it are the parameters at the function entry. If you write a low-level emulation, the important information you need is up there!
:004b195c 85c0                    test eax, eax
:004b195e 7509                    jne 004b1969
:004b1960 660dffff                or ax, ffff
:004b1964 5e                      pop esi
:004b1965 83c454                  add esp, 00000054
:004b1968 c3                      ret

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004b195e(c)
|
:004b1969 668b442406              mov ax, word ptr [esp+06]  =========> this is the flag returned from reading the dongle! With no dongle it is 3! With a dongle, 0 is returned!
:004b196e 5e                      pop esi
:004b196f 83c454                  add esp, 00000054

--------------------------------------------------------------------------------------------

(2)加密段数据解密部分

:004b12dc 8d55d4                  lea edx, dword ptr [ebp-2c]

:004b12df 52                      push edx

:004b12e0 8d45e0                  lea eax, dword ptr [ebp-20]

:004b12e3 50                      push eax

:004b12e4 8d4de8                  lea ecx, dword ptr [ebp-18]

:004b12e7 51                      push ecx

:004b12e8 8d55b0                  lea edx, dword ptr [ebp-50]

:004b12eb 52                      push edx

:004b12ec 8d45b8                  lea eax, dword ptr [ebp-48]

:004b12ef 50                      push eax

:004b12f0 8d4dd0                  lea ecx, dword ptr [ebp-30]

:004b12f3 51                      push ecx

* possible reference to dialog: dialogid_0066, control_id:0008, ""

                                 |

:004b12f4 6a08                    push 00000008

:004b12f6 e8b5050000              call 004b18b0       ========>读狗,如果成功eax=0

:004b12fb 83c424                  add esp, 00000024

:004b12fe 25ffff0000              and eax, 0000ffff

:004b1303 85c0                    test eax, eax    

:004b1305 7405                    je 004b130c       =====>成功jmp

:004b1307 e900020000              jmp 004b150c

* referenced by a (u)nconditional or (c)onditional jump at address:

|:004b1305(c)

|

:004b130c 668b55e8                mov dx, word ptr [ebp-18]  ======>注意返回的(重要数据1)

:004b1310 668955bc                mov word ptr [ebp-44], dx

:004b1314 668b45e0                mov ax, word ptr [ebp-20]  ======>注意返回的(重要数据2)

:004b1318 668945be                mov word ptr [ebp-42], ax

:004b131c 668b4dd4                mov cx, word ptr [ebp-2c]  ======>注意返回的(重要数据3)

:004b1320 66894dc0                mov word ptr [ebp-40], cx

:004b1324 668b55b4                mov dx, word ptr [ebp-4c]  ======>注意返回的(重要数据4)

:004b1328 668955c2                mov word ptr [ebp-3e], dx

:004b132c 8b45fc                  mov eax, dword ptr [ebp-04]

:004b132f 8b4812                  mov ecx, dword ptr [eax+12]

:004b1332 8b55ac                  mov edx, dword ptr [ebp-54]

:004b1335 030a                    add ecx, dword ptr [edx]

:004b1337 894df4                  mov dword ptr [ebp-0c], ecx

:004b133a c745d800000000          mov [ebp-28], 00000000

:004b1341 eb09                    jmp 004b134c

=================================================================================================

Below is the data restore (decryption) part

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004b1379(u)
|
:004b1343 8b45d8                  mov eax, dword ptr [ebp-28]
:004b1346 83c001                  add eax, 00000001
:004b1349 8945d8                  mov dword ptr [ebp-28], eax

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004b1341(u)
|
:004b134c 8b4dac                  mov ecx, dword ptr [ebp-54]
:004b134f 8b55d8                  mov edx, dword ptr [ebp-28]
:004b1352 3b5104                  cmp edx, dword ptr [ecx+04]  ========> checks whether the data section has been fully decrypted
:004b1355 7324                    jnb 004b137b                 ========> if true, the data restore/decryption is finished! Below is the restore algorithm!
:004b1357 8b45f4                  mov eax, dword ptr [ebp-0c]
:004b135a 0345d8                  add eax, dword ptr [ebp-28]
:004b135d 33c9                    xor ecx, ecx
:004b135f 8a08                    mov cl, byte ptr [eax]
:004b1361 8b45d8                  mov eax, dword ptr [ebp-28]
:004b1364 33d2                    xor edx, edx
:004b1366 f775f0                  div [ebp-10]
:004b1369 33c0                    xor eax, eax
:004b136b 8a4415bc                mov al, byte ptr [ebp+edx-44]
:004b136f 33c8                    xor ecx, eax
:004b1371 8b55f4                  mov edx, dword ptr [ebp-0c]
:004b1374 0355d8                  add edx, dword ptr [ebp-28]
:004b1377 880a                    mov byte ptr [edx], cl
:004b1379 ebc8                    jmp 004b1343
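To make the restore loop above easier to read, here is a Python model of it. This is an added illustration, not the author's code and not part of the shell; it only re-expresses what the listing shows. The loop keeps a counter at [ebp-28], compares it against the section length at [ecx+04], fetches one byte of the section at [ebp-0c]+counter, divides the counter by the value at [ebp-10] to get an index, and XORs the byte with the key byte at [ebp-44]+index. The key buffer is the four 16-bit words the shell copied to [ebp-44], [ebp-42], [ebp-40] and [ebp-3e] after the dongle read, so it is 8 bytes long. The listing never shows the divisor at [ebp-10]; treating it as the full 8-byte key length is an assumption of this example. The sample words and section bytes are constructed.

```python
import struct


def build_key(words):
    """Pack the four 16-bit words stored at [ebp-44], [ebp-42], [ebp-40] and
    [ebp-3e] into the contiguous little-endian buffer that the loop indexes
    with [ebp+edx-44]. The shell stores exactly four words, i.e. 8 key bytes."""
    if len(words) != 4:
        raise ValueError("the listing stores exactly four returned words")
    return struct.pack("<4H", *words)


def restore_section(section, key, key_len=None):
    """Model of the loop at 004b1343..004b1379: data[i] ^= key[i % key_len].

    key_len stands for the divisor at [ebp-10]. The listing does not show its
    value, so this example assumes it equals the key buffer length (8)."""
    if key_len is None:
        key_len = len(key)                # assumption: divisor == 8
    if not 0 < key_len <= len(key):
        raise ValueError("key_len must index inside the key buffer")
    out = bytearray(section)
    for i in range(len(out)):             # cmp edx,[ecx+04] / jnb ends the loop
        out[i] ^= key[i % key_len]        # div [ebp-10]; al = key[edx]; xor cl, al
    return bytes(out)


def demo():
    """Constructed input: four made-up dongle words and a short section.
    XOR is its own inverse, so applying the loop twice gives the original."""
    words = (0x1234, 0xABCD, 0x0001, 0xFF00)      # constructed, not real values
    key = build_key(words)
    plain = b"\x55\x8b\xec\x83\xec\x10\x90\x90\xc3"  # constructed sample bytes
    stored = restore_section(plain, key)          # what would sit in the file
    return restore_section(stored, key) == plain


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point a reviewer of such a protection scheme should take from this model is that the whole secret is an 8-byte repeating XOR key that sits in plain form on the stack right after the dongle read; the strength of the envelope rests entirely on that buffer never being observed, not on any property of the transformation itself.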

==================================================================================================

(3) Entry point

The code below is the tail end of the shell

:004b14f3 8902                    mov dword ptr [edx], eax

* referenced by a (u)nconditional or (c)onditional jump at addresses:
|:004b14e0(c), :004b14eb(c)
|
:004b14f5 41                      inc ecx
:004b14f6 3b4b2e                  cmp ecx, dword ptr [ebx+2e]
:004b14f9 72df                    jb 004b14da

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004b101d(c)
|
:004b14fb 8b83ea040000            mov eax, dword ptr [ebx+000004ea]   ===============> this is the data address of the entry point
:004b1501 034312                  add eax, dword ptr [ebx+12]
:004b1504 5f                      pop edi
:004b1505 5e                      pop esi
:004b1506 5b                      pop ebx
:004b1507 8be5                    mov esp, ebp
:004b1509 5d                      pop ebp
:004b150a ffe0                    jmp eax        ========> if the dongle is present, eax is the program's entry point!

-----------------------------------------------------------------------------------------------------

That was the dongle shell part! I'm done explaining! I hope it wasn't too bad! If you still don't understand, there's nothing more I can do!

Post #5
2006-5-27 18:02:30

Part two (decrypting the program itself)

The program's own protection is done very well! There are many protection points! And it also uses some of the algorithm data inside the program itself! So this thing is rather troublesome to crack!

I'll just write it up briefly here!

:0047fd14 ff1504e44b00            call dword ptr [004be404]   ====================> reads the dongle here
:0047fd1a 85c0                    test eax, eax
:0047fd1c 750f                    jne 0047fd2d
:0047fd1e 66b8ffff                mov ax, ffff
:0047fd22 5d                      pop ebp
:0047fd23 5f                      pop edi
:0047fd24 5e                      pop esi
:0047fd25 5b                      pop ebx
:0047fd26 81c47c020000            add esp, 0000027c
:0047fd2c c3                      ret

* referenced by a (u)nconditional or (c)onditional jump at address:
|:0047fd1c(c)
|
:0047fd2d 668b442412              mov ax, word ptr [esp+12]  ================> the flag returned after reading the dongle! ax=0 is all that's needed!
:0047fd32 5d                      pop ebp
:0047fd33 5f                      pop edi
:0047fd34 5e                      pop esi
:0047fd35 5b                      pop ebx
:0047fd36 81c47c020000            add esp, 0000027c
:0047fd3c c3                      ret

After doing this, the program can already get into its interface! But as soon as you click an important function, the program hits an illegal operation!

Once more! After tracing, I found:

(1)

:0044dea4 68149d5200              push 00529d14
:0044dea9 681c9e5200              push 00529e1c
:0044deae 681e9e5200              push 00529e1e
:0044deb3 68209e5200              push 00529e20
:0044deb8 68229e5200              push 00529e22
:0044debd 68149e5200              push 00529e14
:0044dec2 68189e5200              push 00529e18
:0044dec7 68249e5200              push 00529e24
:0044decc 6a0e                    push 0000000e
:0044dece c705189e520000000000    mov dword ptr [00529e18], 00000000
:0044ded8 a3149e5200              mov dword ptr [00529e14], eax
:0044dedd e8fe1a0300              call 0047f9e0     ==========> reads the dongle here
:0044dee2 83c424                  add esp, 00000024
:0044dee5 66f7d8                  neg ax
:0044dee8 1bc0                    sbb eax, eax
:0044deea f7d0                    not eax
:0044deec 662305229e5200          and ax, word ptr [00529e22] ==========> this is the important returned data!
:0044def3 c3                      ret

And also here

:0044be21 68149d5200              push 00529d14
:0044be26 681c9e5200              push 00529e1c
:0044be2b 681e9e5200              push 00529e1e
:0044be30 68209e5200              push 00529e20
:0044be35 68229e5200              push 00529e22
:0044be3a 68149e5200              push 00529e14
:0044be3f 68189e5200              push 00529e18
:0044be44 68249e5200              push 00529e24
:0044be49 6a08                    push 00000008
:0044be4b c705149e520045970000    mov dword ptr [00529e14], 00009745
:0044be55 e8863b0300              call 0047f9e0        ============> reads the dongle here!
:0044be5a 83c424                  add esp, 00000024
:0044be5d 6685c0                  test ax, ax
:0044be60 7511                    jne 0044be73         =======> with the dongle present this does not jump!
:0044be62 66a11e9e5200            mov ax, word ptr [00529e1e]   ===========> the important returned data!
:0044be68 6689442444              mov word ptr [esp+44], ax
:0044be6d 8b442444                mov eax, dword ptr [esp+44]
:0044be71 eb02                    jmp 0044be75     =======> goes to the correct part and runs normally!

* referenced by a (u)nconditional or (c)onditional jump at address:
|:0044be60(c)
|
:0044be73 33c0                    xor eax, eax

* referenced by a (u)nconditional or (c)onditional jump at address:
|:0044be71(u)
|
:0044be75 25ffff0000              and eax, 0000ffff   ========> below is the algorithm part; if the returned data is wrong it causes the program to hit an illegal operation!
:0044be7a 8b7e04                  mov edi, dword ptr [esi+04]
:0044be7d 2d44420000              sub eax, 00004244
:0044be82 8b7608                  mov esi, dword ptr [esi+08]
:0044be85 8bc8                    mov ecx, eax
:0044be87 b8abaaaa2a              mov eax, 2aaaaaab
:0044be8c f7e9                    imul ecx
:0044be8e d1fa                    sar edx, 1

===============================================================================================

There are many places in the program with similar code that check for the dongle! OK, that's enough for now! The solution is actually very simple: as long as you have the dongle, get the important data parts! Heh, I don't need to say more about the rest!

Finally finished writing! Tired! Writing is so tiring! Heh!

A few more words about dongles: they are developing very fast now; dongles have already reached the 5th generation! Representative products are Sense4 (深思4) and Rockey5. The new dongles combine traditional dongle technology with smart cards! Copying the hardware seems to be even harder! Cracking the software itself has also gotten considerably harder! If the protector can flexibly apply the features of the new products, cracking the software itself becomes extremely difficult! Of course, if the protector's scheme is rather simple or has flaws, the software can still be cracked! Thank you all for putting up with my rambling! I hope the above helps friends who enjoy reverse engineering! Thanks for reading this to the end! If you think it's decent, please reply and show some support! Thanks!

If you repost this, please keep it complete.
Post #6
2006-5-27 18:02:30

Brilliant!