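Cracking IAR ICCARM V8.32.3 with OllyDbg on Windows Server
阿新 • Published: 2020-08-26
IAR is a compiler commonly used for embedded development, and most material online cracks it with a keygen. Recently, however, I needed to run automated builds for continuous integration on an Alibaba Cloud Windows Server instance. On Windows Server, possibly because it runs on a virtual machine, the keygen method never worked, so the only option left was to crack it by disassembling with OllyDbg.
IAR version: EWARM-CD-8323-20228.exe
Without the crack, running iccarm.exe from the command line fails the License Manager check: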
C:\temp>iccarm.exe
IAR ANSI C/C++ Compiler V8.32.3.193/W32 for ARM
Copyright 1999-2019 IAR Systems AB.
Fatal error[LMS001]: License check failed. Use the IAR License Manager to resolve the problem.
No license found. [LicenseCheck:2.16.5.1338, RMS:9.2.1.0011, Feature:ARM.EW.COMPILER, Version:1.15]
Fatal error detected, aborting.
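The disassembler used is OllyDbg v1.10.
First, load iccarm.exe in OllyDbg.
Press Ctrl+G and go to the function at address 0x01AB9A30; this function carries out the license check (that is only my guess).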
01AB9A2F  CC               INT3
01AB9A30  55               PUSH EBP
01AB9A31  8BEC             MOV EBP,ESP
01AB9A33  6A FF            PUSH -1
01AB9A35  68 E829D901      PUSH iccarm.01D929E8
01AB9A3A  64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
01AB9A40  50               PUSH EAX
01AB9A41  64:8925 0000000> MOV DWORD PTR FS:[0],ESP
01AB9A48  83EC 2C          SUB ESP,2C
01AB9A4B  53               PUSH EBX
01AB9A4C  8BD9             MOV EBX,ECX
01AB9A4E  8B4D 10          MOV ECX,DWORD PTR SS:[EBP+10]
01AB9A51  56               PUSH ESI
01AB9A52  8B43 7C          MOV EAX,DWORD PTR DS:[EBX+7C]
01AB9A55  8B30             MOV ESI,DWORD PTR DS:[EAX]
01AB9A57  8D45 E8          LEA EAX,DWORD PTR SS:[EBP-18]
01AB9A5A  50               PUSH EAX
01AB9A5B  E8 8042FFFF      CALL iccarm.01AADCE0
01AB9A60  FF75 14          PUSH DWORD PTR SS:[EBP+14]
01AB9A63  83EC 0C          SUB ESP,0C
01AB9A66  F3:              PREFIX REP:                    ; Superfluous prefix
01AB9A67  0F7E00           MOVD DWORD PTR DS:[EAX],MM0
01AB9A6A  8BCC             MOV ECX,ESP
01AB9A6C  8B40 08          MOV EAX,DWORD PTR DS:[EAX+8]
01AB9A6F  6A 00            PUSH 0
01AB9A71  FF75 0C          PUSH DWORD PTR SS:[EBP+C]
01AB9A74  66:0FD6          ???                            ; Unknown command
01AB9A77  0189 41088B4B    ADD DWORD PTR DS:[ECX+4B8B0841],ECX
01AB9A7D  7C FF            JL SHORT iccarm.01AB9A7E
01AB9A7F  56               PUSH ESI
01AB9A80  04 50            ADD AL,50
01AB9A82  FF75 10          PUSH DWORD PTR SS:[EBP+10]
01AB9A85  8D4D C8          LEA ECX,DWORD PTR SS:[EBP-38]
01AB9A88  FF75 0C          PUSH DWORD PTR SS:[EBP+C]
01AB9A8B  FF75 08          PUSH DWORD PTR SS:[EBP+8]
01AB9A8E  E8 3D0B0200      CALL iccarm.01ADA5D0
01AB9A93  8D45 C8          LEA EAX,DWORD PTR SS:[EBP-38]
01AB9A96  C745 FC 0000000> MOV DWORD PTR SS:[EBP-4],0
01AB9A9D  50               PUSH EAX
01AB9A9E  8BCB             MOV ECX,EBX
01AB9AA0  E8 3B250000      CALL iccarm.01ABBFE0
01AB9AA5  8D4D DC          LEA ECX,DWORD PTR SS:[EBP-24]
01AB9AA8  C745 FC 0100000> MOV DWORD PTR SS:[EBP-4],1
01AB9AAF  E8 4C4B0000      CALL iccarm.01ABE600
01AB9AB4  8D4D D0          LEA ECX,DWORD PTR SS:[EBP-30]
01AB9AB7  E8 3439FFFF      CALL iccarm.01AAD3F0
01AB9ABC  8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
01AB9ABF  5E               POP ESI
01AB9AC0  64:890D 0000000> MOV DWORD PTR FS:[0],ECX
01AB9AC7  5B               POP EBX
01AB9AC8  8BE5             MOV ESP,EBP
01AB9ACA  5D               POP EBP
01AB9ACB  C2 1000          RETN 10
01AB9ACE  CC               INT3
Make this function return immediately by changing the assembly at the start of the function, at 0x01AB9A31 and 01AB9A32, as follows:
01AB9A2F  CC               INT3
01AB9A30  55               PUSH EBP
01AB9A31  5D               POP EBP
01AB9A32  C2 0C00          RETN 0C
01AB9A35  68 E829D901      PUSH iccarm.01D929E8
01AB9A3A  64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
01AB9A40  50               PUSH EAX
01AB9A41  64:8925 0000000> MOV DWORD PTR FS:[0],ESP
01AB9A48  83EC 2C          SUB ESP,2C
01AB9A4B  53               PUSH EBX
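The next step is to save the modified disassembled binary.
In the OD window, right-click -> Copy to executable -> All modifications -> Copy all -> Save file, and give it a new name, say iccarm2.exe.
Running it gives the following; the license step is skipped: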
C:\temp>iccarm2.exe
IAR ANSI C/C++ Compiler V8.32.3.193/W32 for ARM
Copyright 1999-2019 IAR Systems AB.
Available command line options:
--aapcs {std|vfp}
Specify calling convention.
--aeabi Generate aeabi compliant code
--align_sp_on_irq
Generate code to align SP on entry to __irq functions
--arm Generate code in arm mode, same as --cpu_mode arm
--c++ C++
--c89 Use C89 standard
--char_is_signed
'Plain' char is treated as signed char
--char_is_unsigned
'plain' char is treated as unsigned char
--cmse Enable CMSE secure object generation
--cpu core Specify target core
Valid options are core names such as Cortex-M3
and architecture names such as 7M
Cortex-M3 is default
--cpu_mode {arm|a|thumb|t}
Select default mode for functions, arm is default
-D symbol[=value]
Define macro (same as #define symbol [value])
--debug
-r Insert debug info in object file
--dependencies=[i|m|n][s][lw][b] file|directory|+
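Seen from the side of whoever maintains a build server, the edit above is a five-byte difference from the vendor binary. The following added example (not part of the original post) compares a deployed toolchain image with a known-good baseline and flags changed ranges that turn a function start into an immediate return. The sample bytes are constructed from the two listings above; the function names and the early-return heuristic are assumptions of this example.

```python
import re

# Constructed sample: the bytes at 0x01AB9A2F..0x01AB9A39 as shown in the two
# listings above (vendor original, then the edited copy).
BASE_VA = 0x01AB9A2F
VENDOR = bytes.fromhex("CC 55 8B EC 6A FF 68 E8 29 D9 01")
DEPLOYED = bytes.fromhex("CC 55 5D C2 0C 00 68 E8 29 D9 01")

# Heuristic (assumption of this example): a 32-bit x86 function start that
# returns at once is an optional PUSH EBP / POP EBP pair, then RET or RETN imm16.
EARLY_RETURN = re.compile(rb"(?:\x55\x5d)?(?:\xc3|\xc2..)", re.DOTALL)


def changed_ranges(baseline: bytes, candidate: bytes):
    """Return (offset, old, new) for each contiguous run of differing bytes."""
    if len(baseline) != len(candidate):
        raise ValueError("size mismatch: treat the file as replaced")
    runs, start = [], None
    for i in range(len(baseline) + 1):
        differs = i < len(baseline) and baseline[i] != candidate[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, baseline[start:i], candidate[start:i]))
            start = None
    return runs


def audit(baseline: bytes, candidate: bytes, base_va: int = 0):
    """Describe every edit in candidate relative to the vendor baseline."""
    findings = []
    for off, old, new in changed_ranges(baseline, candidate):
        # Test at the edit and one byte before it, so a PUSH EBP that was left
        # untouched in front of the edit is still part of the matched stub.
        starts = {off, max(off - 1, 0)}
        stub = any(EARLY_RETURN.match(candidate, s) for s in starts)
        findings.append({"va": base_va + off, "old": old.hex(),
                         "new": new.hex(), "early_return": stub})
    return findings


if __name__ == "__main__":
    for f in audit(VENDOR, DEPLOYED, BASE_VA):
        print(f"{f['va']:08X}: {f['old']} -> {f['new']} "
              f"early_return={f['early_return']}")
```

On a real image the same comparison runs over the whole file, with `base_va` replaced by the file-offset-to-address mapping of the section that holds the code.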