If this infringes any rights, please let me know.
【Platform】Win2000
【Author's email】chubing6143@sina.com
【Tools used】peid, OllyDbg 1.10
【Software protection】dongle
【Cracking tool】OllyDbg v1.10
Many programs use USB-dongle protection, PAWS for example, and some combine a dongle with FlexLM licensing. I have never mastered the "dog-beating staff" (dongle-cracking) technique, but I have cracked one or two simple dongles, and since everyone on the forum seems so keen to learn it, I am sharing my shallow experience here. Experts, please pass on by!
I. A very simple dongle crack
Software like this usually checks for the dongle in a single function, followed by one key conditional jump: on failure a dialog pops up, on success execution continues. Below is an example from one program:
0042ADF0 > \6A FF PUSH -1
0042ADF2 . 68 2F465200 PUSH Eb.0052462F ; SE handler installation
0042ADF7 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0042ADFD . 50 PUSH EAX
0042ADFE . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0042AE05 . 81EC C8000000 SUB ESP,0C8
0042AE0B . 55 PUSH EBP
0042AE0C . 56 PUSH ESI
0042AE0D . 8BE9 MOV EBP,ECX
0042AE0F . 6A 00 PUSH 0
0042AE11 . 896C24 10 MOV DWORD PTR SS:[ESP+10],EBP
0042AE15 . E8 C2510A00 CALL <JMP.&MFC42.#561>
0042AE1A . 8DB5 C4000000 LEA ESI,DWORD PTR SS:[EBP+C4]
0042AE20 . C78424 D80000>MOV DWORD PTR SS:[ESP+D8],0
0042AE2B . 8BCE MOV ECX,ESI
0042AE2D . FF15 48255300 CALL DWORD PTR DS:[<&customui.??0CBCGWorkspace@@>; customui.??0CBCGWorkspace@@QAE@XZ
0042AE33 . 8D8D DC000000 LEA ECX,DWORD PTR SS:[EBP+DC]
0042AE39 . C68424 D80000>MOV BYTE PTR SS:[ESP+D8],1
0042AE41 . FF15 24255300 CALL DWORD PTR DS:[<&customui.??0CBCGKeyboardMan>; customui.??0CBCGKeyboardManager@@QAE@XZ
0042AE47 . 8D8D E0000000 LEA ECX,DWORD PTR SS:[EBP+E0]
0042AE4D . C68424 D80000>MOV BYTE PTR SS:[ESP+D8],2
0042AE55 . FF15 A8265300 CALL DWORD PTR DS:[<&customui.??0CBCGMouseManage>; customui.??0CBCGMouseManager@@QAE@XZ
0042AE5B . 8D8D 38010000 LEA ECX,DWORD PTR SS:[EBP+138]
0042AE61 . C68424 D80000>MOV BYTE PTR SS:[ESP+D8],3
0042AE69 . FF15 B0255300 CALL DWORD PTR DS:[<&customui.??0CBCGContextMenu>; customui.??0CBCGContextMenuManager@@QAE@XZ
0042AE6F . 8D8D 74010000 LEA ECX,DWORD PTR SS:[EBP+174]
0042AE75 . C68424 D80000>MOV BYTE PTR SS:[ESP+D8],4
0042AE7D . E8 54510A00 CALL <JMP.&MFC42.#459>
0042AE82 . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0042AE86 . C68424 D80000>MOV BYTE PTR SS:[ESP+D8],5
0042AE8E . 50 PUSH EAX
0042AE8F . C745 00 48705>MOV DWORD PTR SS:[EBP],Eb.00537048
0042AE96 . C706 10705300 MOV DWORD PTR DS:[ESI],Eb.00537010
0042AE9C . E8 BFF3FFFF CALL Eb.0042A260
0042AEA1 . 83C4 04 ADD ESP,4
0042AEA4 . 85C0 TEST EAX,EAX
0042AEA6 . 75 6A JNZ SHORT Eb.0042AF12 ; key jump: the preceding function checks whether the dongle is present; this must jump
0042AEA8 . E8 33310000 CALL Eb.0042DFE0
0042AEAD . 66:85C0 TEST AX,AX
0042AEB0 . BE 63000000 MOV ESI,63
0042AEB5 . 74 1A JE SHORT Eb.0042AED1
0042AEB7 . 6A 01 PUSH 1
0042AEB9 . C705 789A5500>MOV DWORD PTR DS:[559A78],460
0042AEC3 . 8935 749A5500 MOV DWORD PTR DS:[559A74],ESI
0042AEC9 . E8 5241FEFF CALL Eb.0040F020
0042AECE . 83C4 04 ADD ESP,4
0042AED1 > E8 9AFDFFFF CALL Eb.0042AC70
0042AED6 . 85C0 TEST EAX,EAX
0042AED8 . 74 1A JE SHORT Eb.0042AEF4
0042AEDA . 6A 03 PUSH 3
0042AEDC . C705 789A5500>MOV DWORD PTR DS:[559A78],474
0042AEE6 . 8935 749A5500 MOV DWORD PTR DS:[559A74],ESI
0042AEEC . E8 2F41FEFF CALL Eb.0040F020
0042AEF1 . 83C4 04 ADD ESP,4
0042AEF4 > E8 27310000 CALL Eb.0042E020
0042AEF9 . 8BC5 MOV EAX,EBP
0042AEFB . 5E POP ESI
0042AEFC . 5D POP EBP
0042AEFD . 8B8C24 C80000>MOV ECX,DWORD PTR SS:[ESP+C8]
0042AF04 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0042AF0B . 81C4 D4000000 ADD ESP,0D4
0042AF11 . C3 RETN
0042AF12 > 57 PUSH EDI
0042AF13 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0042AF17 . E8 B6420A00 CALL <JMP.&MFC42.#540>
0042AF1C . 68 98B45500 PUSH Eb.0055B498 ; "授權使用"
0042AF21 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0042AF25 . C68424 E00000>MOV BYTE PTR SS:[ESP+E0],6
0042AF2D . E8 D6420A00 CALL <JMP.&MFC42.#860>
0042AF32 . 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
0042AF36 . 83C9 FF OR ECX,FFFFFFFF
0042AF39 . 33C0 XOR EAX,EAX
0042AF3B . 8D5424 54 LEA EDX,DWORD PTR SS:[ESP+54]
0042AF3F . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0042AF41 . F7D1 NOT ECX
0042AF43 . 2BF9 SUB EDI,ECX
0042AF45 . 8BC1 MOV EAX,ECX
0042AF47 . 8BF7 MOV ESI,EDI
0042AF49 . 8BFA MOV EDI,EDX
0042AF4B . 8D5424 54 LEA EDX,DWORD PTR SS:[ESP+54]
0042AF4F . C1E9 02 SHR ECX,2
0042AF52 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0042AF54 . 8BC8 MOV ECX,EAX
0042AF56 . 33C0 XOR EAX,EAX
0042AF58 . 83E1 03 AND ECX,3
0042AF5B . 50 PUSH EAX ; /Style => MB_OK|MB_APPLMODAL
0042AF5C . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
0042AF5E . 8D7C24 18 LEA EDI,DWORD PTR SS:[ESP+18] ; |
0042AF62 . 83C9 FF OR ECX,FFFFFFFF ; |
0042AF65 . F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
0042AF67 . F7D1 NOT ECX ; |
0042AF69 . 2BF9 SUB EDI,ECX ; |
0042AF6B . 68 98B45500 PUSH Eb.0055B498 ; |Title = "授權使用"
0042AF70 . 8BF7 MOV ESI,EDI ; |
0042AF72 . 8BFA MOV EDI,EDX ; |
0042AF74 . 8BD1 MOV EDX,ECX ; |
0042AF76 . 83C9 FF OR ECX,FFFFFFFF ; |
0042AF79 . F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
0042AF7B . 8BCA MOV ECX,EDX ; |
0042AF7D . 4F DEC EDI ; |
0042AF7E . C1E9 02 SHR ECX,2 ; |
0042AF81 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
0042AF83 . 8BCA MOV ECX,EDX ; |
0042AF85 . 8D4424 5C LEA EAX,DWORD PTR SS:[ESP+5C] ; |
0042AF89 . 83E1 03 AND ECX,3 ; |
0042AF8C . 50 PUSH EAX ; |Text
0042AF8D . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
0042AF8F . 6A 00 PUSH 0 ; |hOwner = NULL
0042AF91 . FF15 38235300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
0042AF97 . 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0042AF9B . C68424 DC0000>MOV BYTE PTR SS:[ESP+DC],5
0042AFA3 . E8 48420A00 CALL <JMP.&MFC42.#800>
0042AFA8 . 8B8C24 D40000>MOV ECX,DWORD PTR SS:[ESP+D4]
0042AFAF . 5F POP EDI
0042AFB0 . 8BC5 MOV EAX,EBP
0042AFB2 . 5E POP ESI
0042AFB3 . 5D POP EBP
0042AFB4 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0042AFBB . 81C4 D4000000 ADD ESP,0D4
0042AFC1 . C3 RETN
See, 0042AEA6 is simply the branch that follows a function's check, so a single patch is enough. Of course, after such a patch the "授權使用" (licensed-to) dialog shows garbage for the name, so you can DIY that yourself.
To make the "授權使用" dialog display my own name, I opened the program in PEiD, clicked the > button next to the EP section, right-clicked any section,
and chose "Search for all-zero area" (in the original version it is called something like "cave"): this found an all-zero area at RVA 130025, file offset 130025, length 0xFDB. With UltraEdit I wrote
"授權使用laowang!" at offset 130025, then used Hiew to edit the code
0042AF85 . 8D4424 5C LEA EAX,DWORD PTR SS:[ESP+5C] ; |
0042AF89 . 83E1 03 AND ECX,3 ; |
0042AF8C . 50 PUSH EAX ; |Text
into
0042AF85 . 68 25005300 PUSH 復件_Eb.00530025 ; |Text = "授權使用laowang!"
0042AF8A . 90 NOP ; |
0042AF8B . 90 NOP ; |
0042AF8C . 90 NOP ; |
That way the dialog shows the license as laowang's. Done.
II. A slightly more complex dongle crack
For this program the crack mainly targets the RYC_OPEN, RYC_READ and similar calls; several places need to be patched. For certain reasons the software name is replaced with "****" below; this is the flow after unpacking.
In this article "-----" marks a first-level function call and "========" a second-level call; please follow the addresses to read the program's flow.
00402D60 . 55 push ebp
00402D61 . 8B6C24 08 mov ebp,dword ptr ss:[esp+8]
00402D65 . 56 push esi
00402D66 . 8B7424 10 mov esi,dword ptr ss:[esp+10]
00402D6A . 57 push edi
00402D6B . 8BF9 mov edi,ecx
00402D6D . 8B47 0C mov eax,dword ptr ds:[edi+C]
00402D70 . 85C0 test eax,eax
00402D72 . 896F 04 mov dword ptr ds:[edi+4],ebp
00402D75 . 8977 08 mov dword ptr ds:[edi+8],esi
00402D78 . 75 06 jnz short ****.00402D80
00402D7A . 5F pop edi
00402D7B . 5E pop esi
00402D7C . 5D pop ebp
00402D7D . C2 0800 retn 8
00402D80 > 53 push ebx
00402D81 . 8B18 mov ebx,dword ptr ds:[eax]
00402D83 . 837B 14 00 cmp dword ptr ds:[ebx+14],0
00402D87 . 74 05 je short ****.00402D8E
00402D89 . E8 D2C90000 call ****.0040F760 ; checks whether the USB dongle is inserted
--------------------------------------------------------------------------------------------------------
Step into here with F7:
0040F760 /$ 56 push esi
0040F761 |. 57 push edi
0040F762 |. 33FF xor edi,edi
0040F764 |. 8D73 04 lea esi,dword ptr ds:[ebx+4]
0040F767 |> 833E 00 /cmp dword ptr ds:[esi],0
0040F76A |. 74 0D |je short ****.0040F779
0040F76C |. 8B0E |mov ecx,dword ptr ds:[esi]
0040F76E |. 8B01 |mov eax,dword ptr ds:[ecx]
0040F770 |. 8B50 04 |mov edx,dword ptr ds:[eax+4]
0040F773 |. FFD2 |call edx ; when the loop reaches edi==3 this is the key function that queries whether a Rockey USB dongle is inserted; step in with F7 here
=========================================================================================================
Step into here with F7:
00412700 . 81EC 08020000 sub esp,208
00412706 . A1 8C924800 mov eax,dword ptr ds:[48928C]
0041270B . 33C4 xor eax,esp
0041270D . 898424 04020000 mov dword ptr ss:[esp+204],eax
00412714 . 56 push esi
00412715 . 8BF1 mov esi,ecx
00412717 . 837E 30 00 cmp dword ptr ds:[esi+30],0
0041271B . 0F84 95000000 je ****.004127B6
00412721 . 837E 0C 00 cmp dword ptr ds:[esi+C],0
00412725 . 74 4E je short ****.00412775
00412727 . 8B46 18 mov eax,dword ptr ds:[esi+18]
0041272A . FFD0 call eax ; calls RY2_Find
0041272C 85C0 test eax,eax ; change to xor eax,eax
0041272E . 0F8E 82000000 jle ****.004127B6 ; nop out
00412734 . 8B56 1C mov edx,dword ptr ds:[esi+1C]
00412737 . 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0041273B . 51 push ecx
0041273C . 68 2DEE9384 push 8493EE2D
00412741 . 6A 01 push 1
00412743 . FFD2 call edx ; calls Rockey2.RY2_Open
00412745 . 85C0 test eax,eax ; change to xor eax,eax
00412747 . 7C 6D jl short ****.004127B6 ; nop out
00412749 . 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
0041274D . 894E 08 mov dword ptr ds:[esi+8],ecx
00412750 > 8946 04 mov dword ptr ds:[esi+4],eax
00412753 . C746 10 01000000 mov dword ptr ds:[esi+10],1
0041275A > B8 01000000 mov eax,1
0041275F . 5E pop esi
00412760 . 8B8C24 04020000 mov ecx,dword ptr ss:[esp+204]
00412767 . 33CC xor ecx,esp
00412769 . E8 ACFC0400 call ****.0046241A
0041276E . 81C4 08020000 add esp,208
00412774 . C3 retn
00412775 > 837E 10 00 cmp dword ptr ds:[esi+10],0
00412779 . 75 27 jnz short ****.004127A2
0041277B . 8B56 18 mov edx,dword ptr ds:[esi+18]
0041277E . FFD2 call edx
00412780 . 85C0 test eax,eax
00412782 . 7E 32 jle short ****.004127B6
00412784 . 8B4E 1C mov ecx,dword ptr ds:[esi+1C]
00412787 . 8D4424 04 lea eax,dword ptr ss:[esp+4]
0041278B . 50 push eax
0041278C . 68 2DEE9384 push 8493EE2D
00412791 . 6A 01 push 1
00412793 . FFD1 call ecx
00412795 . 85C0 test eax,eax
00412797 . 7C 1D jl short ****.004127B6
00412799 . 8B5424 04 mov edx,dword ptr ss:[esp+4]
0041279D . 8956 08 mov dword ptr ds:[esi+8],edx
004127A0 .^ EB AE jmp short ****.00412750
004127A2 > 8B4E 04 mov ecx,dword ptr ds:[esi+4]
004127A5 . 8B56 28 mov edx,dword ptr ds:[esi+28]
004127A8 . 8D4424 08 lea eax,dword ptr ss:[esp+8]
004127AC . 50 push eax
004127AD . 6A 00 push 0
004127AF . 51 push ecx
004127B0 . FFD2 call edx
004127B2 . 85C0 test eax,eax
004127B4 .^ 7D A4 jge short ****.0041275A
004127B6 > 8B8C24 08020000 mov ecx,dword ptr ss:[esp+208]
004127BD . 5E pop esi
004127BE . 33CC xor ecx,esp
004127C0 . 33C0 xor eax,eax
004127C2 . E8 53FC0400 call ****.0046241A
004127C7 . 81C4 08020000 add esp,208
004127CD . C3 retn
004127CE CC int3
004127CF CC int3
004127D0 . 33C0 xor eax,eax
004127D2 . 3941 30 cmp dword ptr ds:[ecx+30],eax
004127D5 . 0F95C0 setne al
004127D8 . C3 retn
=========================================================================================================
0040F775 |. 85C0 |test eax,eax
0040F777 |. 75 15 |jnz short ****.0040F78E
0040F779 |> 83C7 01 |add edi,1
0040F77C |. 83C6 04 |add esi,4
0040F77F |. 83FF 04 |cmp edi,4
0040F782 |.^ 7C E3 \jl short ****.0040F767
0040F784 |. 5F pop edi
0040F785 |. C743 18 FFFFFFFF mov dword ptr ds:[ebx+18],-1
0040F78C |. 5E pop esi
0040F78D |. C3 retn
0040F78E |> 897B 18 mov dword ptr ds:[ebx+18],edi
0040F791 |. 5F pop edi
0040F792 |. 5E pop esi
0040F793 \. C3 retn
--------------------------------------------------------------------------------------------------------
00402D8E > 837B 18 FF cmp dword ptr ds:[ebx+18],-1
00402D92 . 0F84 0A010000 je ****.00402EA2 ; failure jump 1
00402D98 . 8B43 18 mov eax,dword ptr ds:[ebx+18]
00402D9B . 8B4C83 04 mov ecx,dword ptr ds:[ebx+eax*4+4]
00402D9F . 8B11 mov edx,dword ptr ds:[ecx]
00402DA1 . 8B42 04 mov eax,dword ptr ds:[edx+4]
00402DA4 . FFD0 call eax ; like 402DB9, checks again whether the USB dongle is inserted; already handled by the earlier patch
00402DA6 . 85C0 test eax,eax
00402DA8 . 0F84 F4000000 je ****.00402EA2 ; failure jump 2
00402DAE . 8B47 0C mov eax,dword ptr ds:[edi+C]
00402DB1 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00402DB5 . 51 push ecx
00402DB6 . E8 552C0000 call ****.00405A10 ; reads data from the dongle and verifies it
--------------------------------------------------------------------------------------------------------
Step into here with F7:
00405A10 /$ 51 push ecx
00405A11 |. 53 push ebx
00405A12 |. 8B18 mov ebx,dword ptr ds:[eax]
00405A14 |. 837B 14 00 cmp dword ptr ds:[ebx+14],0
00405A18 |. 74 05 je short ****.00405A1F
00405A1A |. E8 419D0000 call ****.0040F760 ; checks whether the USB dongle is inserted; handled earlier
00405A1F |> 837B 18 FF cmp dword ptr ds:[ebx+18],-1
00405A23 |. 74 20 je short ****.00405A45
00405A25 |. 8B4B 18 mov ecx,dword ptr ds:[ebx+18]
00405A28 |. 8B4C8B 04 mov ecx,dword ptr ds:[ebx+ecx*4+4]
00405A2C |. 8B11 mov edx,dword ptr ds:[ecx]
00405A2E |. 8B52 0C mov edx,dword ptr ds:[edx+C]
00405A31 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
00405A35 |. 50 push eax
00405A36 |. 6A 04 push 4
00405A38 |. 6A 30 push 30
00405A3A |. 68 E2850000 push 85E2
00405A3F |. FFD2 call edx ; reads dongle data
=========================================================================================================
004127E0 . 81EC 04020000 sub esp,204
004127E6 . A1 8C924800 mov eax,dword ptr ds:[48928C]
004127EB . 33C4 xor eax,esp
004127ED . 898424 00020000 mov dword ptr ss:[esp+200],eax
004127F4 . 56 push esi
004127F5 . 8BF1 mov esi,ecx
004127F7 . 837E 30 00 cmp dword ptr ds:[esi+30],0
004127FB . 57 push edi
004127FC . 8BBC24 1C020000 mov edi,dword ptr ss:[esp+21C]
00412803 . 75 04 jnz short ****.00412809
00412805 > 33C0 xor eax,eax
00412807 . EB 4C jmp short ****.00412855
00412809 > 68 00020000 push 200 ; /n = 200 (512.)
0041280E . 8D4424 0C lea eax,dword ptr ss:[esp+C] ; |
00412812 . 6A 00 push 0 ; |c = 00
00412814 . 50 push eax ; |s
00412815 . E8 9EFC0400 call <jmp.&MSVCR80.memset> ; \memset
0041281A . 8B56 04 mov edx,dword ptr ds:[esi+4]
0041281D . 8B46 28 mov eax,dword ptr ds:[esi+28]
00412820 . 83C4 0C add esp,0C
00412823 . 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00412827 . 51 push ecx
00412828 . 6A 00 push 0
0041282A . 52 push edx
0041282B . FFD0 call eax ; calls Rockey2.RY2_Read to read the dongle data for verification
0041282D . 85C0 test eax,eax ; patch to xor eax,eax
0041282F .^\7C D4 jl short ****.00412805
00412831 . 0FBF8C24 18020000 movsx ecx,word ptr ss:[esp+218]
00412839 . 0FBF9424 14020000 movsx edx,word ptr ss:[esp+214]
00412841 . 51 push ecx ; /n
00412842 . 8D4414 0C lea eax,dword ptr ss:[esp+edx+C] ; |
00412846 . 50 push eax ; |src
00412847 . 57 push edi ; |dest
00412848 . E8 B5FC0400 call <jmp.&MSVCR80.memcpy> ; \memcpy
0041284D . 83C4 0C add esp,0C
00412850 . B8 01000000 mov eax,1
00412855 > 8B8C24 08020000 mov ecx,dword ptr ss:[esp+208]
0041285C . 5F pop edi
0041285D . 5E pop esi
0041285E . 33CC xor ecx,esp
00412860 . E8 B5FB0400 call ****.0046241A
00412865 . 81C4 04020000 add esp,204
0041286B . C2 1000 retn 10
=========================================================================================================
00405A41 |. 85C0 test eax,eax
00405A43 |. 75 0A jnz short ****.00405A4F
00405A45 |> B8 01000000 mov eax,1
00405A4A |. 5B pop ebx
00405A4B |. 59 pop ecx
00405A4C |. C2 0400 retn 4
00405A4F |> \8B4424 04 mov eax,dword ptr ss:[esp+4]
00405A53 |. 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
00405A57 8901 mov dword ptr ds:[ecx],eax ; for the comparison at 402DC3, patch to mov dword ptr ds:[ecx],esi
00405A59 |. 33C0 xor eax,eax
00405A5B |. 5B pop ebx
00405A5C |. 59 pop ecx
00405A5D \. C2 0400 retn 4
--------------------------------------------------------------------------------------------------------
00402DBB . 85C0 test eax,eax
00402DBD . 0F85 DF000000 jnz ****.00402EA2 ; failure jump 3
00402DC3 . 397424 14 cmp dword ptr ss:[esp+14],esi
00402DC7 . 0F85 D5000000 jnz ****.00402EA2 ; failure jump 4
00402DCD . 8B47 0C mov eax,dword ptr ds:[edi+C]
00402DD0 . 8D5424 14 lea edx,dword ptr ss:[esp+14]
00402DD4 . 33DB xor ebx,ebx
00402DD6 . 52 push edx
00402DD7 . 895C24 18 mov dword ptr ss:[esp+18],ebx
00402DDB . E8 C02B0000 call ****.004059A0
00402DE0 . 85C0 test eax,eax
00402DE2 . 75 09 jnz short ****.00402DED
00402DE4 . 66:817C24 14 0408 cmp word ptr ss:[esp+14],804
00402DEB . 75 12 jnz short ****.00402DFF
00402DED > 81FD 04080000 cmp ebp,804
00402DF3 . 74 0A je short ****.00402DFF
00402DF5 . 8B7F 2C mov edi,dword ptr ds:[edi+2C]
00402DF8 . 3BFB cmp edi,ebx
00402DFA . E9 A8000000 jmp ****.00402EA7
00402DFF > 8B4F 0C mov ecx,dword ptr ds:[edi+C]
00402E02 . 8D77 18 lea esi,dword ptr ds:[edi+18]
00402E05 . 895F 10 mov dword ptr ds:[edi+10],ebx
00402E08 . E8 D32A0000 call ****.004058E0 ; verification function
--------------------------------------------------------------------------------------------------------
Step into here with F7:
004058E0 /$ 83EC 1C sub esp,1C
004058E3 |. A1 8C924800 mov eax,dword ptr ds:[48928C]
004058E8 |. 33C4 xor eax,esp
004058EA |. 894424 18 mov dword ptr ss:[esp+18],eax
004058EE |. 33C0 xor eax,eax
004058F0 |. 53 push ebx
004058F1 |. 8B19 mov ebx,dword ptr ds:[ecx]
004058F3 |. 894424 10 mov dword ptr ss:[esp+10],eax
004058F7 |. 894424 14 mov dword ptr ss:[esp+14],eax
004058FB |. 884424 18 mov byte ptr ss:[esp+18],al
004058FF |. 3943 14 cmp dword ptr ds:[ebx+14],eax
00405902 |. 74 05 je short ****.00405909
00405904 |. E8 579E0000 call ****.0040F760 ; checks whether the USB dongle exists; patched earlier
00405909 |> 837B 18 FF cmp dword ptr ds:[ebx+18],-1
0040590D |. 74 20 je short ****.0040592F
0040590F |. 8B43 18 mov eax,dword ptr ds:[ebx+18]
00405912 |. 8B4C83 04 mov ecx,dword ptr ds:[ebx+eax*4+4]
00405916 |. 8B11 mov edx,dword ptr ds:[ecx]
00405918 |. 8B52 0C mov edx,dword ptr ds:[edx+C]
0040591B |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
0040591F |. 50 push eax
00405920 |. 6A 08 push 8
00405922 |. 6A 24 push 24
00405924 |. 68 E2850000 push 85E2
00405929 |. FFD2 call edx ; reads USB dongle data; patched earlier
0040592B |. 85C0 test eax,eax
0040592D |. 75 15 jnz short ****.00405944
0040592F |> B8 01000000 mov eax,1
00405934 |. 5B pop ebx
00405935 |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
00405939 |. 33CC xor ecx,esp
0040593B |. E8 DACA0500 call ****.0046241A
00405940 |. 83C4 1C add esp,1C
00405943 |. C3 retn
00405944 |> 33C0 xor eax,eax
00405946 |. 894424 04 mov dword ptr ss:[esp+4],eax
0040594A |. 894424 08 mov dword ptr ss:[esp+8],eax
0040594E |. 884424 0C mov byte ptr ss:[esp+C],al
00405952 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
00405956 |. 50 push eax
00405957 |. B8 70C64800 mov eax,****.0048C670
0040595C |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00405960 |. E8 3BAC0000 call ****.004105A0
00405965 |. 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00405969 |. 81C1 03250000 add ecx,2503
0040596F |. F7D1 not ecx
00405971 |. 83C4 04 add esp,4
00405974 |. 66:394C24 08 cmp word ptr ss:[esp+8],cx
00405979 |.^ 75 B4 jnz short ****.0040592F ; nop out
0040597B |. 0FB75424 04 movzx edx,word ptr ss:[esp+4]
00405980 |. 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
00405984 |. 5B pop ebx
00405985 |. 33CC xor ecx,esp
00405987 |. 8916 mov dword ptr ds:[esi],edx
00405989 |. 33C0 xor eax,eax
0040598B |. E8 8ACA0500 call ****.0046241A
00405990 |. 83C4 1C add esp,1C
00405993 \. C3 retn
--------------------------------------------------------------------------------------------------------
00402E0D . 85C0 test eax,eax
00402E0F . 74 0A je short ****.00402E1B ; failure jump 5
00402E11 . 8B7F 2C mov edi,dword ptr ds:[edi+2C]
00402E14 . 3BFB cmp edi,ebx
00402E16 . E9 8C000000 jmp ****.00402EA7
00402E1B > \8B4F 0C mov ecx,dword ptr ds:[edi+C]
00402E1E . E8 2D260000 call ****.00405450 ; verification function 2
--------------------------------------------------------------------------------------------------------
Step into here with F7:
00405450 /$ 83EC 1C sub esp,1C
00405453 |. A1 8C924800 mov eax,dword ptr ds:[48928C]
00405458 |. 33C4 xor eax,esp
0040545A |. 894424 18 mov dword ptr ss:[esp+18],eax
0040545E |. 33C0 xor eax,eax
00405460 |. 53 push ebx
00405461 |. 8B19 mov ebx,dword ptr ds:[ecx]
00405463 |. 894424 10 mov dword ptr ss:[esp+10],eax
00405467 |. 894424 14 mov dword ptr ss:[esp+14],eax
0040546B |. 884424 18 mov byte ptr ss:[esp+18],al
0040546F |. 3943 14 cmp dword ptr ds:[ebx+14],eax
00405472 |. 74 05 je short ****.00405479
00405474 |. E8 E7A20000 call ****.0040F760 ; checks whether the USB dongle exists
00405479 |> 837B 18 FF cmp dword ptr ds:[ebx+18],-1
0040547D |. 74 20 je short ****.0040549F
0040547F |. 8B43 18 mov eax,dword ptr ds:[ebx+18]
00405482 |. 8B4C83 04 mov ecx,dword ptr ds:[ebx+eax*4+4]
00405486 |. 8B11 mov edx,dword ptr ds:[ecx]
00405488 |. 8B52 0C mov edx,dword ptr ds:[edx+C]
0040548B |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
0040548F |. 50 push eax
00405490 |. 6A 08 push 8
00405492 |. 6A 14 push 14
00405494 |. 68 E2850000 push 85E2
00405499 |. FFD2 call edx ; reads USB dongle data
0040549B |. 85C0 test eax,eax
0040549D |. 75 15 jnz short ****.004054B4
0040549F |> B8 01000000 mov eax,1
004054A4 |. 5B pop ebx
004054A5 |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
004054A9 |. 33CC xor ecx,esp
004054AB |. E8 6ACF0500 call ****.0046241A
004054B0 |. 83C4 1C add esp,1C
004054B3 |. C3 retn
004054B4 |> 33C0 xor eax,eax
004054B6 |. 894424 04 mov dword ptr ss:[esp+4],eax
004054BA |. 894424 08 mov dword ptr ss:[esp+8],eax
004054BE |. 884424 0C mov byte ptr ss:[esp+C],al
004054C2 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
004054C6 |. 50 push eax
004054C7 |. B8 70C64800 mov eax,****.0048C670
004054CC |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004054D0 |. E8 CBB00000 call ****.004105A0
004054D5 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
004054D9 |. 8D88 29090000 lea ecx,dword ptr ds:[eax+929]
004054DF |. F7D1 not ecx
004054E1 |. 83C4 04 add esp,4
004054E4 |. 3B4C24 08 cmp ecx,dword ptr ss:[esp+8]
004054E8 |.^ 75 B5 jnz short ****.0040549F ; nop out
004054EA |. 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
004054EE |. 33D2 xor edx,edx
004054F0 |. 3D 73743612 cmp eax,12367473
004054F5 |. 0F95C2 setne dl
004054F8 |. 5B pop ebx
004054F9 |. 33CC xor ecx,esp
004054FB |. 8BC2 mov eax,edx
004054FD |. E8 18CF0500 call ****.0046241A
00405502 |. 83C4 1C add esp,1C
00405505 \. C3 retn
--------------------------------------------------------------------------------------------------------
00402E23 . 85C0 test eax,eax
00402E25 . 75 03 jnz short ****.00402E2A ; failure jump 6
00402E27 . 895F 14 mov dword ptr ds:[edi+14],ebx
00402E2A > 395F 14 cmp dword ptr ds:[edi+14],ebx
00402E2D . 74 67 je short ****.00402E96
00402E2F . 8B4F 0C mov ecx,dword ptr ds:[edi+C]
00402E32 . 8D7424 14 lea esi,dword ptr ss:[esp+14]
00402E36 . E8 F5280000 call ****.00405730 ; verification function 3
--------------------------------------------------------------------------------------------------------
Step into here with F7:
00405730 /$ 83EC 1C sub esp,1C
00405733 |. A1 8C924800 mov eax,dword ptr ds:[48928C]
00405738 |. 33C4 xor eax,esp
0040573A |. 894424 18 mov dword ptr ss:[esp+18],eax
0040573E |. 33C0 xor eax,eax
00405740 |. 53 push ebx
00405741 |. 8B19 mov ebx,dword ptr ds:[ecx]
00405743 |. 894424 10 mov dword ptr ss:[esp+10],eax
00405747 |. 894424 14 mov dword ptr ss:[esp+14],eax
0040574B |. 884424 18 mov byte ptr ss:[esp+18],al
0040574F |. 3943 14 cmp dword ptr ds:[ebx+14],eax
00405752 |. 74 05 je short ****.00405759
00405754 |. E8 07A00000 call ****.0040F760
00405759 |> 837B 18 FF cmp dword ptr ds:[ebx+18],-1
0040575D |. 74 20 je short ****.0040577F
0040575F |. 8B43 18 mov eax,dword ptr ds:[ebx+18]
00405762 |. 8B4C83 04 mov ecx,dword ptr ds:[ebx+eax*4+4]
00405766 |. 8B11 mov edx,dword ptr ds:[ecx]
00405768 |. 8B52 0C mov edx,dword ptr ds:[edx+C]
0040576B |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
0040576F |. 50 push eax
00405770 |. 6A 08 push 8
00405772 |. 6A 1C push 1C
00405774 |. 68 E2850000 push 85E2
00405779 |. FFD2 call edx
0040577B |. 85C0 test eax,eax
0040577D |. 75 15 jnz short ****.00405794
0040577F |> B8 01000000 mov eax,1
00405784 |. 5B pop ebx
00405785 |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
00405789 |. 33CC xor ecx,esp
0040578B |. E8 8ACC0500 call ****.0046241A
00405790 |. 83C4 1C add esp,1C
00405793 |. C3 retn
00405794 |> 33C0 xor eax,eax
00405796 |. 894424 04 mov dword ptr ss:[esp+4],eax
0040579A |. 894424 08 mov dword ptr ss:[esp+8],eax
0040579E |. 884424 0C mov byte ptr ss:[esp+C],al
004057A2 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
004057A6 |. 50 push eax
004057A7 |. B8 70C64800 mov eax,****.0048C670
004057AC |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004057B0 |. E8 EBAD0000 call ****.004105A0
004057B5 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
004057B9 |. 8D88 AC200000 lea ecx,dword ptr ds:[eax+20AC]
004057BF |. F7D1 not ecx
004057C1 |. 83C4 04 add esp,4
004057C4 |. 3B4C24 08 cmp ecx,dword ptr ss:[esp+8]
004057C8 |.^ 75 B5 jnz short ****.0040577F ; nop out
004057CA |. 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
004057CE |. 5B pop ebx
004057CF |. 8906 mov dword ptr ds:[esi],eax
004057D1 |. 33CC xor ecx,esp
004057D3 |. 33C0 xor eax,eax
004057D5 |. E8 40CC0500 call ****.0046241A
004057DA |. 83C4 1C add esp,1C
004057DD \. C3 retn
--------------------------------------------------------------------------------------------------------
00402E3B . 85C0 test eax,eax
00402E3D . 74 07 je short ****.00402E46 ; failure jump 7
00402E3F . 8B7F 2C mov edi,dword ptr ds:[edi+2C]
00402E42 . 3BFB cmp edi,ebx
00402E44 . EB 61 jmp short ****.00402EA7
00402E46 > 8B4424 14 mov eax,dword ptr ss:[esp+14]
00402E4A . 8D48 FF lea ecx,dword ptr ds:[eax-1]
00402E4D . 81F9 0E0E0000 cmp ecx,0E0E
00402E53 . 77 19 ja short ****.00402E6E ; expiry check
00402E55 . 8B7F 28 mov edi,dword ptr ds:[edi+28]
00402E58 . 3BFB cmp edi,ebx
00402E5A . 74 3A je short ****.00402E96
00402E5C . 50 push eax
00402E5D . FFD7 call edi
00402E5F . 83C4 04 add esp,4
00402E62 . 5B pop ebx
00402E63 . 5F pop edi
00402E64 . 5E pop esi
00402E65 . B8 01000000 mov eax,1
00402E6A . 5D pop ebp
00402E6B . C2 0800 retn 8
00402E6E > 3BC3 cmp eax,ebx
00402E70 . 75 24 jnz short ****.00402E96
00402E72 . 8B47 30 mov eax,dword ptr ds:[edi+30]
00402E75 . 3BC3 cmp eax,ebx
00402E77 . 74 02 je short ****.00402E7B
00402E79 . FFD0 call eax
00402E7B > 8B17 mov edx,dword ptr ds:[edi]
00402E7D . 8B42 18 mov eax,dword ptr ds:[edx+18]
00402E80 . 8BCF mov ecx,edi
00402E82 . FFD0 call eax
00402E84 . 8B4F 0C mov ecx,dword ptr ds:[edi+C]
00402E87 . E8 C4250000 call ****.00405450
00402E8C . 85C0 test eax,eax
00402E8E . 75 1B jnz short ****.00402EAB
00402E90 . 895F 14 mov dword ptr ds:[edi+14],ebx
00402E93 . 895F 10 mov dword ptr ds:[edi+10],ebx
00402E96 > 5B pop ebx
00402E97 . 5F pop edi
00402E98 . 5E pop esi
00402E99 . B8 01000000 mov eax,1
00402E9E . 5D pop ebp
00402E9F . C2 0800 retn 8
00402EA2 > 8B7F 2C mov edi,dword ptr ds:[edi+2C]
00402EA5 . 85FF test edi,edi
00402EA7 > 74 02 je short ****.00402EAB
00402EA9 . FFD7 call edi
00402EAB > 5B pop ebx
00402EAC . 5F pop edi
00402EAD . 5E pop esi
00402EAE . 33C0 xor eax,eax
00402EB0 . 5D pop ebp
00402EB1 . C2 0800 retn 8
In summary, cracking this dongle mainly means patching the RYC_OPEN and RYC_READ calls; the exact patches depend on the program's flow and are hard to explain in a few words. Fellow newbies, make do with this!
Experts, please pass on by.
Friday, 7 May 2010
Two simple dongle-cracking articles
Learning from the dongle-protected 速達3000PRO
I am writing this article mainly for technical exchange, and I hope the forum veterans will give me pointers.
After reading XIAQIN[CCG]'s article I wanted to find some dongle-protected software to study, and 速達3000PRO fit the bill. As it happens, a friend of mine is its regional distributor; I went to him and he gave me a trial CD with all kinds of software on it, so I decided to give it a try. Below is my learning process.
This is my sixth time studying dongle-protected software, and my skills are limited. Please point out any shortcomings.
Software overview: 速達3000 PRO is a very well-known inventory and accounting package.
Cracking tools:
Trw2000
SuperBPM
WINHEX
OFFCAL
Before the dongle is installed, the program pops up a dialog at startup saying "The software dongle used by this product was not detected; the software will run in trial mode". The splash screen prominently shows "試用版" (Trial Version) in red, and then you enter "Select company account set". Once inside, "About 速達3000 PRO" likewise shows "試用版" in red.
Static analysis of this program crashed (I was using W32Dasm) and IDA was too slow, so I had to go straight to dynamic analysis. After careful tracing I reached the CC3250.EXE module; continuing to single-step, there was a lot of junk code along the way, but with a few tricks it is easy enough to get through. Until:
0167:3257DBEB PUSH EAX
0167:3257DBEC CALL NEAR [ESI+18] // stepping over with F10 pops up the dialog; press F8 to step in
0167:3257DBEF ADD ESP,BYTE +10
0167:3257DBF2 PUSH EAX
0167:3257DBF3 CALL `CC3250MT!_exit`
0167:3257DBF8 POP ECX
0167:3257DBF9 JMP SHORT 3257DC1C
0167:3257DBFB MOV EDX,[325AD400]
0167:3257DC01 PUSH EDX
0167:3257DC02 MOV ECX,[325AD3FC]
Stepping into 3257DBEC leads to:
.
.
.
0167:00401859 XOR EAX,EAX
0167:0040185B MOV EDX,[EBP-38]
0167:0040185E MOV [FS:00],EDX
0167:00401865 JMP 00401C52
0167:0040186A MOV BYTE [00B25934],00
0167:00401871 CMP BYTE [00B25934],00
0167:00401878 JNZ NEAR 004019A1
0167:0040187E MOV BYTE [00B25934],01
0167:00401885 CALL 00939944
0167:0040188A TEST AL,AL
0167:0040188C JZ 0040189A
0167:0040188E MOV BYTE [00B25934],00
0167:00401895 JMP 00401963
0167:0040189A MOV WORD [EBP-28],14
0167:004018A0 LEA EAX,[EBP-08]
0167:004018A3 CALL 00401C5C
0167:004018A8 INC DWORD [EBP-1C]
0167:004018AB CALL `SD3000PRO!@Dogtestpro@_ManCheckDlgDan$qqrv` //DOG
0167:004018B0 MOV WORD [EBP-28],08
0167:004018B6 MOV WORD [EBP-28],20
0167:004018BC MOV EDX,00942C1F
0167:004018C1 LEA EAX,[EBP-0C]
0167:004018C4 CALL 00939C34
0167:004018C9 INC DWORD [EBP-1C]
0167:004018CC LEA EDX,[EBP-0C]
0167:004018CF LEA EAX,[EBP-08]
0167:004018D2 CALL 00939FAC
0167:004018D7 PUSH EAX
0167:004018D8 DEC DWORD [EBP-1C]
0167:004018DB LEA EAX,[EBP-0C]
0167:004018DE MOV EDX,02
0167:004018E3 CALL 00939EC8
0167:004018E8 POP ECX
0167:004018E9 TEST CL,CL
0167:004018EB JZ 004018FF
0167:004018ED CALL `SD3000PRO!@Dogtestpro@_GoldenSoftCheckdlgDan$qqrv`
0167:004018F2 TEST AL,AL
0167:004018F4 JZ 0040194D
0167:004018F6 MOV BYTE [00B25934],00
.
.
.
0167:00401932 TEST CL,CL
0167:00401934 JZ 0040194D
0167:00401936 XOR EAX,EAX
0167:00401938 CALL 00427814
0167:0040193D TEST AL,AL
0167:0040193F JZ 0040194D
0167:00401941 CALL `SD3000PRO!@Dogtestpro@WriteNewInfo$qqrv` //DOG
0167:00401946 MOV BYTE [00B25934],00
0167:0040194D DEC DWORD [EBP-1C]
0167:00401950 LEA EAX,[EBP-08]
0167:00401953 MOV EDX,02
0167:00401958 CALL 00939EC8
0167:0040195D MOV WORD [EBP-28],00
0167:00401963 CMP BYTE [00B25934],00
0167:0040196A JZ 004019A1
0167:0040196C MOV WORD [EBP-28],38
0167:00401972 MOV EDX,00942C23
.
.
.
From the above it is easy to notice that [00b25934] appears many times, each time followed by
a comparison instruction; in fact a value of 0 in [00b25934] means the dongle is present. Let's see where
the value of [00b25934] gets changed. I set a breakpoint on writes to it.
After it breaks, we arrive at:
0167:00401871 CMP BYTE [00B25934],00
0167:00401878 JNZ NEAR 004019A1 // if we make it jump here unconditionally, it becomes the full version
0167:0040187E MOV BYTE [00B25934],01 // if it did not jump above, changing this 01 to 00 also gives the full version
0167:00401885 CALL 00939944
0167:0040188A TEST AL,AL
0167:0040188C JZ 0040189A
0167:0040188E MOV BYTE [00B25934],00
0167:00401895 JMP 00401963
0167:0040189A MOV WORD [EBP-28],14
0167:004018A0 LEA EAX,[EBP-08]
0167:004018A3 CALL 00401C5C
0167:004018A8 INC DWORD [EBP-1C]
0167:004018AB CALL `SD3000PRO!@Dogtestpro@_ManCheckDlgDan$qqrv`
0167:004018B0 MOV WORD [EBP-28],08
0167:004018B6 MOV WORD [EBP-28],20
0167:004018BC MOV EDX,00942C1F
0167:004018C1 LEA EAX,[EBP-0C]
0167:004018C4 CALL 00939C34
0167:004018C9 INC DWORD [EBP-1C]
0167:004018CC LEA EDX,[EBP-0C]
0167:004018CF LEA EAX,[EBP-08]
0167:004018D2 CALL 00939FAC
0167:004018D7 PUSH EAX
0167:004018D8 DEC DWORD [EBP-1C]
0167:004018DB LEA EAX,[EBP-0C]
0167:004018DE MOV EDX,02
0167:004018E3 CALL 00939EC8
0167:004018E8 POP ECX
0167:004018E9 TEST CL,CL
0167:004018EB JZ 004018FF
0167:004018ED CALL `SD3000PRO!@Dogtestpro@_GoldenSoftCheckdlgDan$qqrv`
0167:004018F2 TEST AL,AL
0167:004018F4 JZ 0040194D
0167:004018F6 MOV BYTE [00B25934],00
0167:004018FD JMP SHORT 0040194D
0167:004018FF MOV WORD [EBP-28],2C
0167:00401905 MOV EDX,00942C21
So changing this program takes only a single byte, and the trial limit of three settlement runs is gone too. Next I would like to write up the dongle-removal method for the SD-ERP network edition
and for a well-known engineering-estimation package. My skill is limited; I would like to learn from the dongle-cracking masters and
the veterans of the cracking scene. If anyone is willing, please leave a message and I will get in touch promptly!
-------青石
acrobatcn's second submission: 速達3000pro, cracking without the dongle
Software name: 速達3000 pro
Language: Chinese
Category: shareware / accounting software
Platform: Win9x/NT/2000/XP
Protection type: software dongle
Difficulty: easy
Download address: http://www.superdata.com.cn/download1/index.asp
1. Checked with PEiD: no packer
2. Disassembled with W32Dasm: no good, W32Dasm died
3. So only TRW is left.
W32Dasm died right at the start and could not locate the program's entry correctly, so I simply dropped it and went with bpio 378 directly;
that landed in the dongle-reading driver tdsd.vxd, where I got dizzy and could not make sense of it, and it is not easy to get back out either (pret cannot be used in ring 0). So I started tracing from the program's beginning instead. Delphi programs all start the same way, as follows:
0167:00401022 CALL `KERNEL32!GetModuleHandleA`
0167:00401027 MOV EDX,EAX
0167:00401029 CALL 009A534C
0167:0040102E POP EDX
0167:0040102F CALL `CC3250MT!___CRTL_MEM_UseBorMM`
0167:00401034 CALL 009A5390
0167:00401039 PUSH BYTE +00
0167:0040103B CALL 009A54C4
0167:00401040 POP ECX
0167:00401041 PUSH DWORD 009AED08
0167:00401046 PUSH BYTE +00
0167:00401048 CALL `KERNEL32!GetModuleHandleA`
0167:0040104D MOV [009AED67],EAX
0167:00401052 PUSH BYTE +00
0167:00401054 JMP CC3250MT!_Startup<----jumps from here into CC3250MT; once inside, after a series of initializations, press F7 carefully and you soon reach:
0167:3257DBE0 PUSH EAX
0167:3257DBE1 PUSH EBX
0167:3257DBE2 PUSH BYTE +00
0167:3257DBE4 PUSH BYTE +00
0167:3257DBE6 CALL `KERNEL32!GetModuleHandleA`
0167:3257DBEB PUSH EAX
0167:3257DBEC CALL NEAR [ESI+18]<---still not in the main program's code? Hurry in! Don't call me dumb for not just pressing F11; try it yourself!
0167:3257DBEF ADD ESP,BYTE +10
0167:3257DBF2 PUSH EAX
0167:3257DBF3 CALL `CC3250MT!_exit`<-----see? It is about to exit, so the preceding call is what returns to the main program.
..................................................................
Into sd3000xp; it is very simple, as follows:
.....
0167:00401887 0F854D010000 JNZ NEAR 004019DA (NO JUMP)1.<-----change this to a jump and there is no nag and no trial-version text either. A bit strange, eh? Why did I change it? Because it skips the nag window, and if you go look at 速達3000pro again you will understand.
0167:0040188D C6051C3ABD0001 MOV BYTE [00BD3A1C],01
0167:00401894 E8D7305A00 CALL 009A4970<----reads the dongle, tdsd.vxd
0167:00401899 84C0 TEST AL,AL
0167:0040189B 740C JZ 004018A9
0167:0040189D C6051C3ABD0000 MOV BYTE [00BD3A1C],00<-------note the flag at 00BD3A1C; change it here and you do not even need to read the dongle: no trial-version text, it becomes the full version. Too easy.
0167:004018A4 E9EA000000 JMP 00401993
0167:004018A9 66C78510FDFFFF14+MOV WORD [EBP+FFFFFD10],14
0167:004018B2 8D45F8 LEA EAX,[EBP-08]
0167:004018B5 E882350000 CALL 00404E3C<---reads the dongle again, annoying
0167:004018BA FF851CFDFFFF INC DWORD [EBP+FFFFFD1C]
0167:004018C0 E8D3DA3300 CALL `SD3000XP!@Dogtestpro@_ManCheckDlgDan$qqrv`<-----simple enough, the name is far too obvious! Checks whether the dongle is present
0167:004018C5 66C78510FDFFFF08+MOV WORD [EBP+FFFFFD10],08
0167:004018CE 66C78510FDFFFF20+MOV WORD [EBP+FFFFFD10],20
0167:004018D7 BAAFED9A00 MOV EDX,009AEDAF
0167:004018DC 8D45F4 LEA EAX,[EBP-0C]
0167:004018DF E808405A00 CALL 009A58EC
0167:004018E4 FF851CFDFFFF INC DWORD [EBP+FFFFFD1C]
0167:004018EA 8D55F4 LEA EDX,[EBP-0C]
0167:004018ED 8D45F8 LEA EAX,[EBP-08]
0167:004018F0 E86F435A00 CALL 009A5C64
0167:004018F5 50 PUSH EAX
0167:004018F6 FF8D1CFDFFFF DEC DWORD [EBP+FFFFFD1C]
0167:004018FC 8D45F4 LEA EAX,[EBP-0C]
0167:004018FF BA02000000 MOV EDX,02
0167:00401904 E877425A00 CALL 009A5B80
0167:00401909 59 POP ECX
0167:0040190A 84C9 TEST CL,CL
0167:0040190C 7412 JZ 00401920<---change to not jump; if it jumps, it is over
0167:0040190E E875DC3300 CALL `SD3000XP!@Dogtestpro@_GoldenSoftCheckdlgDan$qqrv`<--performs the dongle check
0167:00401913 84C0 TEST AL,AL<---the result is returned in al
0167:00401915 7460 JZ 00401977<---jumps if 0; change to not jump so the next instruction sets the flag itself
0167:00401917 C6051C3ABD0000 MOV BYTE [00BD3A1C],00<-----heh, sets the flag to 0, full version!
0167:0040191E EB57 JMP SHORT 00401977<---jump
0167:00401920 66C78510FDFFFF2C+MOV WORD [EBP+FFFFFD10],2C
0167:00401929 BAB1ED9A00 MOV EDX,009AEDB1
0167:0040192E 8D45F0 LEA EAX,[EBP-10]
0167:00401931 E8B63F5A00 CALL 009A58EC
0167:00401936 FF851CFDFFFF INC DWORD [EBP+FFFFFD1C]
0167:0040193C 8D55F0 LEA EDX,[EBP-10]
0167:0040193F 8D45F8 LEA EAX,[EBP-08]
0167:00401942 E81D435A00 CALL 009A5C64
0167:00401947 50 PUSH EAX
0167:00401948 FF8D1CFDFFFF DEC DWORD [EBP+FFFFFD1C]
0167:0040194E 8D45F0 LEA EAX,[EBP-10]
0167:00401951 BA02000000 MOV EDX,02
0167:00401956 E825425A00 CALL 009A5B80
0167:0040195B 59 POP ECX
0167:0040195C 84C9 TEST CL,CL
0167:0040195E 7417 JZ 00401977
0167:00401960 33C0 XOR EAX,EAX
0167:00401962 E8158E0200 CALL 0042A77C
0167:00401967 84C0 TEST AL,AL
0167:00401969 740C JZ 00401977
0167:0040196B E88CE03300 CALL `SD3000XP!@Dogtestpro@WriteNewInfo$qqrv`
0167:00401970 C6051C3ABD0000 MOV BYTE [00BD3A1C],00
0167:00401977 FF8D1CFDFFFF DEC DWORD [EBP+FFFFFD1C]
0167:0040197D 8D45F8 LEA EAX,[EBP-08]
0167:00401980 BA02000000 MOV EDX,02
0167:00401985 E8F6415A00 CALL 009A5B80
0167:0040198A 66C78510FDFFFF00+MOV WORD [EBP+FFFFFD10],00
0167:00401993 803D1C3ABD0000 CMP BYTE [00BD3A1C],00<----compares the flag
0167:0040199A 743E JZ 004019DA<-----given the result above, heh, it will jump and skip the nag. Now start the program, open About from the Help menu, and the trial-version text is gone!
0167:0040199C 66C78510FDFFFF38+MOV WORD [EBP+FFFFFD10],38
0167:004019A5 BAB3ED9A00 MOV EDX,009AEDB3
0167:004019AA 8D45EC LEA EAX,[EBP-14]
0167:004019AD E83A3F5A00 CALL 009A58EC
0167:004019B2 FF851CFDFFFF INC DWORD [EBP+FFFFFD1C]
0167:004019B8 8B00 MOV EAX,[EAX]
0167:004019BA 33C9 XOR ECX,ECX
0167:004019BC 8B1554329C00 MOV EDX,[009C3254]
0167:004019C2 E869B90200 CALL 0042D330<-------the nag window, kill it!
0167:004019C7 FF8D1CFDFFFF DEC DWORD [EBP+FFFFFD1C]
0167:004019CD 8D45EC LEA EAX,[EBP-14]
0167:004019D0 BA02000000 MOV EDX,02
0167:004019D5 E8A6415A00 CALL 009A5B80
0167:004019DA 66C78510FDFFFF44+MOV WORD [EBP+FFFFFD10],44
0167:004019E3 8B0DB4C2BD00 MOV ECX,[00BDC2B4]
0167:004019E9 8B09 MOV ECX,[ECX]
0167:004019EB B201 MOV DL,01
0167:004019ED A1CC05B200 MOV EAX,[00B205CC]
0167:004019F2 E8411A3800 CALL 00783438
0167:004019F7 8B15A838BD00 MOV EDX,[00BD38A8]
0167:004019FD 8902 MOV [EDX],EAX
0167:004019FF A1A838BD00 MOV EAX,[00BD38A8]
0167:00401A04 8B00 MOV EAX,[EAX]
0167:00401A06 E857805A00 CALL `VCL50!@Forms@TCustomForm@Show$qqrv`
0167:00401A0B 8B15A838BD00 MOV EDX,[00BD38A8]
0167:00401A11 8B02 MOV EAX,[EDX]
0167:00401A13 8B10 MOV EDX,[EAX]
0167:00401A15 FF9280000000 CALL NEAR [EDX+80]
0167:00401A1B 8B0DB4C2BD00 MOV ECX,[00BDC2B4]
0167:00401A21 8B01 MOV EAX,[ECX]
0167:00401A23 E8627F5A00 CALL `VCL50!@Forms@TApplication@Initialize$qqrv`
0167:00401A28 B201 MOV DL,01
0167:00401A2A A1F8B6BD00 MOV EAX,[00BDB6F8]