Cracking process of a certain program's Sentinel dongle protection
阿新 • Published: 2019-01-04
This software is protected with a Sentinel dongle; when the program does not detect the dongle, it asks to be registered. OK, let's see how to crack it.
Tool: trw2000
When the program runs without the dongle, it pops up a dialog asking for registration, and it uses dynamic registration: if the registration code is wrong, the Register button stays greyed out. For software of this kind the usual breakpoint is bpx hmemcpy; today we'll use a different breakpoint to crack it. Which one? Think about which function is needed to fetch the dialog's data. Right, it's GetDlgItemTextA. OK, first enter a user name, then enter the fake registration code 12345678, switch to TRW, set the breakpoint bpx getdlgitemtexta, press F5 to return to the program, and it breaks immediately. Press F10 to return to the main program, as follows:
:004C6798 8D852C010000 lea eax, dword ptr [ebp+0000012C] <===returns here; d eax shows the fake registration code we entered
:004C679E 50 push eax
:004C679F 6A06 push 00000006
:004C67A1 E8BAFFFEFF call 004B6760
:004C67A6 83C410 add esp, 00000010
:004C67A9 E99E000000 jmp 004C684C
------------------------------------------------
Press F10 a few times to get to:
:004C684C 55 push ebp
:004C684D E84E010000 call 004C69A0 <====the CALL that computes and compares the registration code, so press F8 to step into it
:004C6852 83C404 add esp, 00000004
:004C6855 85C0 test eax, eax
:004C6857 7427 je 004C6880
:004C6859 8B8DEC020000 mov ecx, dword ptr [ebp+000002EC]
:004C685F 51 push ecx
:004C6860 E86B000000 call 004C68D0
:004C6865 6A00 push 00000000
:004C6867 6A07 push 00000007
:004C6869 E8C205FFFF call 004B6E30
:004C686E 83C40C add esp, 0000000C
:004C6871 B801000000 mov eax, 00000001
:004C6876 5F pop edi
:004C6877 5E pop esi
:004C6878 5D pop ebp
:004C6879 81C498000000 add esp, 00000098
:004C687F C3 ret
---------------------------------------------------
Inside the CALL at 4C684D:
:004C69A0 81EC18020000 sub esp, 00000218
:004C69A6 53 push ebx
:004C69A7 55 push ebp
:004C69A8 8BAC2424020000 mov ebp, dword ptr [esp+00000224]
:004C69AF 56 push esi
:004C69B0 57 push edi
* Possible StringData Ref from Data Obj ->"Demo"
|
:004C69B1 BFD0115300 mov edi, 005311D0 <====fetches the trial registration code; this code is valid until 2001-12-31, which is not what we want, so carry on
:004C69B6 8DB52C010000 lea esi, dword ptr [ebp+0000012C] <====d esi shows the fake registration code we entered
:004C69BC 8BC6 mov eax, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C69E0(C)
|
:004C69BE 8A10 mov dl, byte ptr [eax]
:004C69C0 8A1F mov bl, byte ptr [edi]
:004C69C2 8ACA mov cl, dl
:004C69C4 3AD3 cmp dl, bl <=====compares the registration code
:004C69C6 751E jne 004C69E6 <=====if not equal, jumps to the code that computes the registration code for a full (registered) user
:004C69C8 84C9 test cl, cl
:004C69CA 7416 je 004C69E2
:004C69CC 8A5001 mov dl, byte ptr [eax+01]
------------------------------------------------
* Possible StringData Ref from Data Obj ->"Never"
|
:004C6A82 BF10135300 mov edi, 00531310 <====fetches the string Never
:004C6A87 83C9FF or ecx, FFFFFFFF
:004C6A8A 8985EC020000 mov dword ptr [ebp+000002EC], eax
:004C6A90 C744241800000000 mov [esp+18], 00000000
:004C6A98 F2 repnz
:004C6A99 AE scasb
:004C6A9A F7D1 not ecx
:004C6A9C 2BF9 sub edi, ecx
:004C6A9E 8BC1 mov eax, ecx
:004C6AA0 8BF7 mov esi, edi
:004C6AA2 8BFA mov edi, edx
:004C6AA4 C1E902 shr ecx, 02
:004C6AA7 F3 repz
:004C6AA8 A5 movsd
:004C6AA9 8BC8 mov ecx, eax
:004C6AAB 83E103 and ecx, 00000003
:004C6AAE F3 repz
:004C6AAF A4 movsb
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6A6B(U)
|
:004C6AB0 8D4C241C lea ecx, dword ptr [esp+1C]
:004C6AB4 51 push ecx
:004C6AB5 53 push ebx
:004C6AB6 E855090000 call 004C7410
:004C6ABB 8D5528 lea edx, dword ptr [ebp+28] <====fetches the string 22
:004C6ABE 8DB544020000 lea esi, dword ptr [ebp+00000244]
:004C6AC4 52 push edx
:004C6AC5 8D8594020000 lea eax, dword ptr [ebp+00000294] <====fetches the user name
:004C6ACB 56 push esi
:004C6ACC 8D4D3C lea ecx, dword ptr [ebp+3C]
:004C6ACF 50 push eax
:004C6AD0 8D9424AC000000 lea edx, dword ptr [esp+000000AC]
:004C6AD7 51 push ecx
:004C6AD8 52 push edx
:004C6AD9 E862050000 call 004C7040 <====concatenates the input for the computation; e.g. if the user name entered is crackjack, the result is 22crackjack(0DH)Never(0DH)22
---------------------------------------------
Keep stepping until you reach:
:004C6B22 8D442434 lea eax, dword ptr [esp+34]
:004C6B26 56 push esi
:004C6B27 8D8C24AC000000 lea ecx, dword ptr [esp+000000AC]
:004C6B2E 50 push eax
:004C6B2F 51 push ecx
:004C6B30 E88B060000 call 004C71C0 <=====the CALL that computes the registration code; F8 to step in
:004C6B35 8B44242C mov eax, dword ptr [esp+2C] <=====fetches the computed registration code
:004C6B39 8B4C2438 mov ecx, dword ptr [esp+38] <=====fetches the registration code we entered; this is where it can be patched: change it to mov ecx, dword ptr [esp+2C]
:004C6B3D 83C41C add esp, 0000001C
:004C6B40 3BC8 cmp ecx, eax <=====compares the registration codes
:004C6B42 8985F0020000 mov dword ptr [ebp+000002F0], eax
:004C6B48 898DF4020000 mov dword ptr [ebp+000002F4], ecx
:004C6B4E 7510 jne 004C6B60
:004C6B50 5F pop edi
:004C6B51 5E pop esi
:004C6B52 5D pop ebp
:004C6B53 B801000000 mov eax, 00000001
:004C6B58 5B pop ebx
:004C6B59 81C418020000 add esp, 00000218
:004C6B5F C3 ret
-----------------------------------------------
:004C7260 6A00 push 00000000
:004C7262 C1E00D shl eax, 0D
:004C7265 0BC6 or eax, esi
:004C7267 8B74242C mov esi, dword ptr [esp+2C]
:004C726B 55 push ebp
:004C726C 68F4535300 push 005353F4
:004C7271 8906 mov dword ptr [esi], eax
:004C7273 8B442424 mov eax, dword ptr [esp+24]
:004C7277 50 push eax
:004C7278 E813FFFFFF call 004C7190 <====F8 to step in
:004C727D 8B5C2440 mov ebx, dword ptr [esp+40]
:004C7281 83C410 add esp, 00000010
:004C7284 85DB test ebx, ebx
----------------------------------------------------
:004C719C F2 repnz
:004C719D AE scasb
:004C719E F7D1 not ecx
:004C71A0 49 dec ecx
:004C71A1 51 push ecx
:004C71A2 52 push edx
:004C71A3 E8584A0000 call 004CBC00 <=====F8 to step in
:004C71A8 8B4C2418 mov ecx, dword ptr [esp+18]
:004C71AC 83C408 add esp, 00000008
:004C71AF 8901 mov dword ptr [ecx], eax
:004C71B1 5F pop edi
-------------------------------------------------------
Below is the code that computes the registration code. This program's computation is a bit unusual: it uses the program's own code data (effectively a lookup table, a "password table") to compute the registration code, so simply changing the data it uses would invalidate a cracker's keygen.
:004CBC00 56 push esi
:004CBC01 8B74240C mov esi, dword ptr [esp+0C]
:004CBC05 83C8FF or eax, FFFFFFFF <====initial value of EAX is 0FFFFFFFFh
:004CBC08 85F6 test esi, esi
:004CBC0A 7E24 jle 004CBC30
:004CBC0C 8B4C2408 mov ecx, dword ptr [esp+08]
:004CBC10 57 push edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CBC2D(C)
|
:004CBC11 33D2 xor edx, edx <=====clear to 0
:004CBC13 8BF8 mov edi, eax <=====EDI=EAX
:004CBC15 8A11 mov dl, byte ptr [ecx] <=====fetch the Nth character
:004CBC17 81E7FF000000 and edi, 000000FF <=====keep only the lowest byte of EDI
:004CBC1D 33D7 xor edx, edi <=====EDX xor EDI
:004CBC1F C1E808 shr eax, 08 <=====shift the result right by 8 bits
:004CBC22 8B1495D4145300 mov edx, dword ptr [4*edx+005314D4] <====fetch the program's code data at address EDX*4+5314D4; since the largest value of a character is FF, the table ends at 4*FF+5314D4=5318D0. Opening the main file in Hview, the table lies at file offset 1314D4--1318D0; the values in this range serve as the key for computing the registration code
:004CBC29 33C2 xor eax, edx <====EAX xor EDX; the result is the input for the next character's round
:004CBC2B 41 inc ecx
:004CBC2C 4E dec esi
:004CBC2D 75E2 jne 004CBC11 <====done yet? if not, keep computing
:004CBC2F 5F pop edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CBC0A(C)
|
:004CBC30 F7D0 not eax <=====negate the result; the final value is the registration code in hex, e.g. if EAX=29C8BF83 the registration code is 701022083
:004CBC32 5E pop esi
:004CBC33 C3 ret
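As an added illustration (not code from the post), the routine at 004CBC00 is re-implemented below in Python to make its structure visible: EAX starts at 0FFFFFFFFh, each round indexes a 256-entry dword table with (low byte of EAX) xor the input byte, shifts EAX right by 8 and xors in the table entry, and the result is inverted at the end, which is the shape of a reflected table-driven CRC-32. The program's own table at 5314D4 is not reproduced on the page, so the standard CRC-32 table is used here as a constructed stand-in and the result is checked against zlib.crc32; the input layout follows the 22<user>(0Dh)Never(0Dh)22 string described above.

```python
import zlib

# Constructed stand-in for the 1024-byte table at 5314D4: the standard
# reflected CRC-32 table (polynomial 0xEDB88320). The page does not
# reproduce the program's own table, so this choice is an assumption.
def make_crc32_table(poly=0xEDB88320):
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

STD_TABLE = make_crc32_table()

def build_input(username):
    # Layout produced by the call at 004C6AD9: 22<user>(0Dh)Never(0Dh)22
    return b"22" + username.encode("ascii") + b"\rNever\r22"

def table_checksum(data, table):
    # Mirror of the loop at 004CBC00..004CBC30:
    #   eax = 0FFFFFFFFh; per byte: edi = eax & 0FFh; edx = byte ^ edi;
    #   eax >>= 8; eax ^= table[edx]; finally not eax.
    if len(table) != 256:
        raise ValueError("table needs 256 dword entries")
    eax = 0xFFFFFFFF
    for b in data:
        idx = (eax & 0xFF) ^ b
        eax = (eax >> 8) ^ table[idx]
    return (~eax) & 0xFFFFFFFF

def registration_code(value):
    # The compare at 004C6B40 is on the dword; the code typed by the user
    # is its decimal form (page example: EAX=29C8BF83 -> 701022083).
    return str(value)

def matches_zlib(username):
    # With the standard table the loop is exactly CRC-32 as zlib computes it
    data = build_input(username)
    return table_checksum(data, STD_TABLE) == (zlib.crc32(data) & 0xFFFFFFFF)

if __name__ == "__main__":
    print(registration_code(0x29C8BF83), matches_zlib("crackjack"))
```

Swapping in a different 256-entry list is the only thing that separates the standard CRC-32 from the program's variant; the loop itself is unchanged.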
Since the table holds quite a lot of data, I won't write a keygen for it and will only handle it by patching; anyone who is interested can write a keygen for it so that everyone can learn from it.