Author: yongmin [yongmin]
Program: a domestic structural-design package (name withheld)
Author: 孤城 (寂静如风); 孤城 = 寂静如风 ^_^
Protection: HASP / Hardlock
Tools used: OllyDbg 1.10, PEiD, LordPE, ImportREC 1.6

I'm only going to sketch the general idea!

Checked the packer with PEiD: there is no dongle envelope, just a UPX pack. Unpacking is simple, so I won't describe it.

```asm
00702C8A |. E8 B9A10500   CALL <JMP.&KERNEL32.OutputDebugStringA> ; \OutputDebugStringA
00702C8F |. 8D53 08       LEA EDX,DWORD PTR DS:[EBX+8]
00702C92 |. 52            PUSH EDX                        ; /Arg1
00702C93 |. E8 F8060000   CALL czr_ggg.00703390           ; \xxx.00703390  <- important CALL, go look
00702C98 |. 59            POP ECX
00702C99 |. 48            DEC EAX
00702C9A |. 75 1B         JNZ SHORT czr_ggg.00702CB7
00702C9C |. C743 04 04000>MOV DWORD PTR DS:[EBX+4],4
00702CA3 |. 53            PUSH EBX                        ; /Arg1
00702CA4 |. E8 D7000000   CALL czr_ggg.00702D80           ; \xxx.00702D80  <- look at this one too
00702CA9 |. 59            POP ECX
00702CAA |. A3 48E99100   MOV DWORD PTR DS:[91E948],EAX
00702CAF |. B8 01000000   MOV EAX,1
00702CB4 |. 5B            POP EBX
00702CB5 |. 5D            POP EBP
00702CB6 |. C3            RETN
00702CB7 |> 68 70DD9000   PUSH czr_ggg.0090DD70           "
```

Keep going. Enter the CALL from before (00703390):

```asm
00703390 /$ 55            PUSH EBP
00703391 |. 8BEC          MOV EBP,ESP
00703393 |. 53            PUSH EBX
00703394 |. 56            PUSH ESI
00703395 |. 57            PUSH EDI
00703396 |. 8B5D 08       MOV EBX,DWORD PTR SS:[EBP+8]
00703399 |. 8B43 04       MOV EAX,DWORD PTR DS:[EBX+4]
0070339C    48            DEC EAX                         ; here the dongle type is detected
0070339D    75 0A         JNZ SHORT czr_ggg.007033A9      ; if it jumps this is the network version; make it the standalone version, otherwise network verification
0070339F    B8 01000000   MOV EAX,1
007033A4 |. E9 03010000   JMP czr_ggg.007034AC
007033A9 |> 53            PUSH EBX                        ; /Arg1
007033AA |. E8 75FEFFFF   CALL czr_ggg.00703224           ; \xxx.00703224
007033AF |. 59            POP ECX
007033B0 |. 8D53 28       LEA EDX,DWORD PTR DS:[EBX+28]
007033B3 |. 52            PUSH EDX                        ; /Arg9
007033B4 |. 8D4B 24       LEA ECX,DWORD PTR DS:[EBX+24]   ; |
007033B7 |. 51            PUSH ECX                        ; |Arg8
007033B8 |. 8D7B 20       LEA EDI,DWORD PTR DS:[EBX+20]   ; |
007033BB |. 57            PUSH EDI                        ; |Arg7
007033BC |. 8D73 1C       LEA ESI,DWORD PTR DS:[EBX+1C]   ; |
007033BF |. 56            PUSH ESI                        ; |Arg6
007033C0 |. 8B43 14       MOV EAX,DWORD PTR DS:[EBX+14]   ; |
007033C3 |. 50            PUSH EAX                        ; |Arg5
007033C4 |. 8B53 10       MOV EDX,DWORD PTR DS:[EBX+10]   ; |
007033C7 |. 52            PUSH EDX                        ; |Arg4
007033C8 |. 8B4B 18       MOV ECX,DWORD PTR DS:[EBX+18]   ; |
007033CB |. 51            PUSH ECX                        ; |Arg3
007033CC |. 6A 01         PUSH 1                          ; |Arg2 = 00000001
007033CE |. 6A 01         PUSH 1                          ; |Arg1 = 00000001
007033D0 |. E8 2F6A0500   CALL czr_ggg.00759E04           ; \xxx.00759E04
007033D5 |. 83C4 24       ADD ESP,24
007033D8 |. 8B43 1C       MOV EAX,DWORD PTR DS:[EBX+1C]
007033DB |. 85C0          TEST EAX,EAX
007033DD |. 75 07         JNZ SHORT czr_ggg.007033E6
007033DF |. 33C0          XOR EAX,EAX
```

The code in between is omitted; keep reading further down.

Key part 1:

```asm
00759E04 /$ 55            PUSH EBP
00759E05 |. 8BEC          MOV EBP,ESP
00759E07 |. 83C4 EC       ADD ESP,-14
00759E0A |. 53            PUSH EBX
00759E0B |. 56            PUSH ESI
00759E0C |. 57            PUSH EDI
00759E0D |. 8B45 20       MOV EAX,DWORD PTR SS:[EBP+20]
00759E10 |. 8B7D 18       MOV EDI,DWORD PTR SS:[EBP+18]
00759E13 |. 8B75 14       MOV ESI,DWORD PTR SS:[EBP+14]
00759E16 |. 8B5D 10       MOV EBX,DWORD PTR SS:[EBP+10]
00759E19 |. 8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]
00759E1C |. 83FA 09       CMP EDX,9
00759E1F |. 74 22         JE SHORT czr_ggg.00759E43
00759E21 |. 8B4D 28       MOV ECX,DWORD PTR SS:[EBP+28]
00759E24 |. 51            PUSH ECX                        ; /Arg9
00759E25 |. 8B4D 24       MOV ECX,DWORD PTR SS:[EBP+24]   ; |
00759E28 |. 51            PUSH ECX                        ; |Arg8
00759E29 |. 50            PUSH EAX                        ; |Arg7
00759E2A |. 8B45 1C       MOV EAX,DWORD PTR SS:[EBP+1C]   ; |
00759E2D |. 50            PUSH EAX                        ; |Arg6
00759E2E |. 57            PUSH EDI                        ; |Arg5
00759E2F |. 56            PUSH ESI                        ; |Arg4
00759E30 |. 53            PUSH EBX                        ; |Arg3
00759E31 |. 8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]    ; |
00759E34 |. 50            PUSH EAX                        ; |Arg2 = 00000001
00759E35 |. 52            PUSH EDX                        ; |Arg1
00759E36 |. E8 81010000   CALL czr_ggg.00759FBC           ; \xxx.00759FBC  <- go in and look
00759E3B |. 83C4 24       ADD ESP,24
00759E3E |. E9 6F010000   JMP czr_ggg.00759FB2
```

```asm
00759FBC /$ 55            PUSH EBP
00759FBD |. 8BEC          MOV EBP,ESP
00759FBF |. 83C4 B8       ADD ESP,-48
00759FC2 |. 53            PUSH EBX
00759FC3 |. 56            PUSH ESI
00759FC4 |. 57            PUSH EDI
00759FC5 |. 8B75 28       MOV ESI,DWORD PTR SS:[EBP+28]
00759FC8 |. 8B5D 20       MOV EBX,DWORD PTR SS:[EBP+20]
00759FCB |. 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00759FCE |. 8D7D B8       LEA EDI,DWORD PTR SS:[EBP-48]
00759FD1 |. 3D FF000000   CMP EAX,0FF                     ; compares the dongle password
00759FD6    76 0E         JBE SHORT czr_ggg.00759FE6      ; if it jumps, it's over
00759FD8 |. 8B45 24       MOV EAX,DWORD PTR SS:[EBP+24]
00759FDB |. C700 19FCFFFF MOV DWORD PTR DS:[EAX],-3E7
00759FE1 |. E9 84000000   JMP czr_ggg.0075A06A
00759FE6 |> C747 08 6C687>MOV DWORD PTR DS:[EDI+8],6873686C
00759FED |. C607 02       MOV BYTE PTR DS:[EDI],2
00759FF0 |. C747 04 01000>MOV DWORD PTR DS:[EDI+4],1
00759FF7 |. 8847 16       MOV BYTE PTR DS:[EDI+16],AL
00759FFA |. 8B55 0C       MOV EDX,DWORD PTR SS:[EBP+C]
00759FFD |. 8957 18       MOV DWORD PTR DS:[EDI+18],EDX
0075A000 |. 8B4D 10       MOV ECX,DWORD PTR SS:[EBP+10]
0075A003 |. 894F 1C       MOV DWORD PTR DS:[EDI+1C],ECX
```

After a long while we arrive here:

```asm
007034F9 |. 8B53 18       MOV EDX,DWORD PTR DS:[EBX+18]
007034FC |. 52            PUSH EDX                        ; |Arg3
007034FD |. 6A 01         PUSH 1                          ; |Arg2 = 00000001
007034FF |. 6A 03         PUSH 3                          ; |Arg1 = 00000003
00703501 |. E8 FE680500   CALL czr_ggg.00759E04           ; \xxx.00759E04  <- isn't this the one we just visited
00703506 |. 83C4 24       ADD ESP,24
00703509 |. 8B4D 10       MOV ECX,DWORD PTR SS:[EBP+10]
0070350C |. 66:8B43 20    MOV AX,WORD PTR DS:[EBX+20]
00703510 |. 66:8901       MOV WORD PTR DS:[ECX],AX
00703513 |. 8B43 24       MOV EAX,DWORD PTR DS:[EBX+24]
00703516 |. 8943 0C       MOV DWORD PTR DS:[EBX+C],EAX
00703519 |. 85C0          TEST EAX,EAX                    ; checks whether the dongle is present; eax=0 means dongle present; change it
0070351B |. 74 05         JE SHORT czr_ggg.00703522       ; equal means dongle present, jumps
0070351D |. 33C0          XOR EAX,EAX
0070351F |. 5B            POP EBX
00703520 |. 5D            POP EBP
00703521 |. C3            RETN
```

Keep looking; we come to this spot. This is the critical part:

```asm
00702E22 |. E8 09FFFFFF   CALL czr_ggg.00702D30           ; \xxx.00702D30
00702E27 |. 83C4 0C       ADD ESP,0C
00702E2A |. 85C0          TEST EAX,EAX                    ; checks the return value
00702E2C |. 75 05         JNZ SHORT czr_ggg.00702E33      ; if it doesn't jump, it's over
00702E2E |. 83C8 FF       OR EAX,FFFFFFFF
00702E31 |. EB 43         JMP SHORT czr_ggg.00702E76      ; jumps to the error; the program stops responding
00702E33 |> 8D55 FE       LEA EDX,DWORD PTR SS:[EBP-2]
00702E36 |. 52            PUSH EDX                        ; /Arg3
00702E37 |. 6A 02         PUSH 2                          ; |Arg2 = 00000002
00702E39 |. 68 50E99100   PUSH czr_ggg.0091E950           ; |Arg1 = 0091E950
00702E3E |. E8 EDFEFFFF   CALL czr_ggg.00702D30           ; \xxx.00702D30  <- computes the returned data
00702E43 |. 83C4 0C       ADD ESP,0C
00702E46 |. 48            DEC EAX
00702E47 |. 75 2A         JNZ SHORT czr_ggg.00702E73      ; if it jumps, it's over; the program stops responding
00702E49 |. 66:817D FE 70>CMP WORD PTR SS:[EBP-2],3570    ; compares the data value
00702E4F |. 75 22         JNZ SHORT czr_ggg.00702E73      ; if it jumps, it's over; the program stops responding
00702E51 |. 8D4D FE       LEA ECX,DWORD PTR SS:[EBP-2]
00702E54 |. 51            PUSH ECX                        ; /Arg3
00702E55 |. 56            PUSH ESI                        ; |Arg2
00702E56 |. 68 50E99100   PUSH czr_ggg.0091E950           ; |Arg1 = 0091E950
00702E5B |. E8 D0FEFFFF   CALL czr_ggg.00702D30           ; \xxx.00702D30  <- computes the returned data
00702E60 |. 83C4 0C       ADD ESP,0C
00702E63 |. 85C0          TEST EAX,EAX                    ; checks the return value
00702E65 |. 74 0C         JE SHORT czr_ggg.00702E73       ; if it jumps, it's over; the program stops responding
00702E67 |. 0FB745 FE     MOVZX EAX,WORD PTR SS:[EBP-2]
00702E6B |. 85D8          TEST EAX,EBX                    ; checks the return value again
00702E6D |. 74 04         JE SHORT czr_ggg.00702E73       ; if it jumps, it's over; the program stops responding
00702E6F |. 33C0          XOR EAX,EAX
00702E71 |. EB 03         JMP SHORT czr_ggg.00702E76      ; to the correct flow
00702E73 |> 83C8 FF       OR EAX,FFFFFFFF
00702E76 |> 5E            POP ESI
```

The subsequent check part:

```asm
004012E0  . 6A 00         PUSH 0                          ; /Arg2 = 00000000
004012E2  . 6A 4B         PUSH 4B                         ; |Arg1 = 0000004B
004012E4  . E8 971B3000   CALL czr_ggg.00702E80           ; \xxx.00702E80  <- computes the data
004012E9  . 85C0          TEST EAX,EAX                    ; checks the data
004012EB  . 74 3E         JE SHORT czr_ggg.0040132B       ; if it doesn't jump, it's over
004012ED  . 66:C745 E0 14>MOV WORD PTR SS:[EBP-20],14
004012F3  . BA 40EA7500   MOV EDX,czr_ggg.0075EA40
004012F8  . 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
004012FB  . E8 909C3500   CALL czr_ggg.0075AF90
00401300  . FF45 EC       INC DWORD PTR SS:[EBP-14]
00401303  . 8B00          MOV EAX,DWORD PTR DS:[EAX]
00401305  . E8 DE6A2300   CALL czr_ggg.00637DE8
0040130A  . FF4D EC       DEC DWORD PTR SS:[EBP-14]
0040130D  . 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
00401310  . BA 02000000   MOV EDX,2
00401315  . E8 429E3500   CALL czr_ggg.0075B15C
0040131A  . 33C0          XOR EAX,EAX
0040131C  . 8B55 D0       MOV EDX,DWORD PTR SS:[EBP-30]
0040131F  . 64:8915 00000>MOV DWORD PTR FS:[0],EDX
00401326  . E9 F6000000   JMP czr_ggg.00401421
0040132B  > 8B0D 7C949100 MOV ECX,DWORD PTR DS:[91947C]   ; xxx.00919D34
00401331  . 8B01          MOV EAX,DWORD PTR DS:[ECX]
00401333  . E8 38E52200   CALL czr_ggg.0062F870
00401338  . 66:C745 E0 20>MOV WORD PTR SS:[EBP-20],20
0040133E  . BA 59EA7500   MOV EDX,czr_ggg.0075EA59
00401343  . 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
00401346  . E8 459C3500   CALL czr_ggg.0075AF90
```

After handling it this way, running the program still has problems! It looks like it isn't fully solved! Let's take another look!

Part two:

```asm
007033FB  . 51            PUSH ECX                        ; |Arg3
007033FC  . 6A 01         PUSH 1                          ; |Arg2 = 00000001
007033FE  . 6A 05         PUSH 5                          ; |Arg1 = 00000005
00703400  . E8 FF690500   CALL czr_ggg.00759E04           ; \xxx.00759E04  <- reads the dongle again
00703405  . 83C4 24       ADD ESP,24
00703408  . 8B43 24       MOV EAX,DWORD PTR DS:[EBX+24]   ; the returned data value
0070340B  . 85C0          TEST EAX,EAX                    ; compare
0070340D  . 75 6D         JNZ SHORT czr_ggg.0070347C      ; jumps to the error; the program stops responding
0070340F  . 53            PUSH EBX                        ; /Arg1
00703410  . E8 0FFEFFFF   CALL czr_ggg.00703224           ; \xxx.00703224  <- computes the returned data
00703415  . 59            POP ECX
00703416  . B8 4E740000   MOV EAX,744E
0070341B  . C743 10 CB080>MOV DWORD PTR DS:[EBX+10],8CB
00703422  . 8943 14       MOV DWORD PTR DS:[EBX+14],EAX
00703425  . 8D53 28       LEA EDX,DWORD PTR DS:[EBX+28]
00703428  . 52            PUSH EDX                        ; /Arg9
00703429  . 8D4B 24       LEA ECX,DWORD PTR DS:[EBX+24]   ; |
0070342C  . 51            PUSH ECX                        ; |Arg8
0070342D  . 57            PUSH EDI                        ; |Arg7
0070342E  . 56            PUSH ESI                        ; |Arg6
0070342F  . 50            PUSH EAX                        ; |Arg5 => 0000744E
00703430  . 8B43 10       MOV EAX,DWORD PTR DS:[EBX+10]   ; |
00703433  . 50            PUSH EAX                        ; |Arg4
00703434  . 8B53 18       MOV EDX,DWORD PTR DS:[EBX+18]   ; |
00703437  . 52            PUSH EDX                        ; |Arg3
00703438  . 6A 01         PUSH 1                          ; |Arg2 = 00000001
0070343A  . 6A 01         PUSH 1                          ; |Arg1 = 00000001
0070343C  . E8 C3690500   CALL czr_ggg.00759E04           ; \xxx.00759E04  <- reads the dongle again
00703441  . 83C4 24       ADD ESP,24
00703444  . 8B4B 1C       MOV ECX,DWORD PTR DS:[EBX+1C]   ; the returned data value
00703447  . 85C9          TEST ECX,ECX                    ; compare
00703449  . 75 04         JNZ SHORT czr_ggg.0070344F      ; jumps to the error; the program stops responding
0070344B  . 33C0          XOR EAX,EAX                     ; here means dongle present
0070344D  . EB 5D         JMP SHORT czr_ggg.007034AC      ; the correct flow
0070344F  > 8D53 28       LEA EDX,DWORD PTR DS:[EBX+28]
00703452  . 8D4B 24       LEA ECX,DWORD PTR DS:[EBX+24]
00703455  . 52            PUSH EDX                        ; /Arg9
00703456  . 51            PUSH ECX                        ; |Arg8
00703457  . 57            PUSH EDI                        ; |Arg7
00703458  . 56            PUSH ESI                        ; |Arg6
00703459  . 8B43 14       MOV EAX,DWORD PTR DS:[EBX+14]   ; |
0070345C  . 50            PUSH EAX                        ; |Arg5
0070345D  . 8B53 10       MOV EDX,DWORD PTR DS:[EBX+10]   ; |
00703460  . 52            PUSH EDX                        ; |Arg4
00703461  . 8B4B 18       MOV ECX,DWORD PTR DS:[EBX+18]   ; |
00703464  . 51            PUSH ECX                        ; |Arg3
00703465  . 6A 01         PUSH 1                          ; |Arg2 = 00000001
00703467  . 6A 05         PUSH 5                          ; |Arg1 = 00000005
00703469  . E8 96690500   CALL czr_ggg.00759E04           ; xxx.00759E04  <- reads the dongle again
0070346E  . 83C4 24       ADD ESP,24
00703471  . 8B43 24       MOV EAX,DWORD PTR DS:[EBX+24]   ; the returned data value
00703474  . 85C0          TEST EAX,EAX                    ; compare
00703476  . 75 04         JNZ SHORT czr_ggg.0070347C      ; jumps to the error; the program stops responding
00703478  . 33C0          XOR EAX,EAX                     ; here means dongle present
0070347A  . EB 30         JMP SHORT czr_ggg.007034AC      ; the correct flow
0070347C  > 8B53 20       MOV EDX,DWORD PTR DS:[EBX+20]
0070347F  . 83FA 05       CMP EDX,5                       ; compare
00703482  . 75 16         JNZ SHORT czr_ggg.0070349A      ; jumps to the wrong flow; keep comparing
00703484  . 53            PUSH EBX                        ; /Arg1
00703485  . E8 C2FDFFFF   CALL czr_ggg.0070324C           ; \xxx.0070324C  <- computes the returned data
0070348A  . 59            POP ECX
0070348B  . 85C0          TEST EAX,EAX                    ; compare
0070348D  . 75 04         JNZ SHORT czr_ggg.00703493      ; jumps to the wrong flow
0070348F  . 33C0          XOR EAX,EAX
00703491  . EB 19         JMP SHORT czr_ggg.007034AC      ; to the correct flow
00703493  > C743 08 01000>MOV DWORD PTR DS:[EBX+8],1
0070349A  > 8B53 24       MOV EDX,DWORD PTR DS:[EBX+24]
0070349D  . B8 01000000   MOV EAX,1
007034A2  . 8953 18       MOV DWORD PTR DS:[EBX+18],EDX
007034A5  . C743 04 01000>MOV DWORD PTR DS:[EBX+4],1
007034AC  > 5F            POP EDI
007034AD  . 5E            POP ESI
007034AE  . 5B            POP EBX
007034AF  . 5D            POP EBP
007034B0  . C3            RETN
```

Once this part is done, the dongle part is cracked!

Summary! What's above is just one of the ways to crack this dongle! I think this software has several other solutions! This one is relatively easy to understand! Heh, I've shown my humble work, I hope nobody laughs at me!

孤城 (寂静如风), wx73721@163.com, 2006.2.27

BTW: wx73721, 孤城 and 寂静如风 are all my registered IDs.
Original poster, posted: 06-11-03 10:45
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.