* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004BF434 E855EF0400 Call 0050E38E
:004BF439 83C40C add esp, 0000000C
:004BF43C 8BCE mov ecx, esi
:004BF43E 89BED4D59201 mov dword ptr [esi+0192D5D4], edi
:004BF444 E857060000 call 004BFAA0 ;关键call[1],检查狗。简单跳过是不行的。里面比上次变化了不少。
:004BF449 85C0
test
eax, eax
:004BF44B 7513 jne 004BF460
:004BF44D 57 push edi
:004BF44E 57 push edi
* Possible StringData Ref from Data Obj ->
"没有找到加密器。"
|
:004BF44F 6824D25400 push 0054D224
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004BF454 E82FEF0400 Call 0050E388
:004BF459 57 push edi
* Reference To: MSVCRT.
exit
, Ord:0249h
|
:004BF45A FF1568E75100 Call dword ptr [0051E768]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF44B(C)
|
:004BF460 8BCE mov ecx, esi
:004BF462 E8B9060000 call 004BFB20 ;关键call[2],确定是版本:企业版,设计版..
:004BF467 85C0
test
eax, eax
:004BF469 7513 jne 004BF47E
:004BF46B 57 push edi
:004BF46C 57 push edi
* Possible StringData Ref from Data Obj ->
"非合法用户,软件无法使用。"
|
:004BF46D 6808D25400 push 0054D208
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004BF472 E811EF0400 Call 0050E388
:004BF477 57 push edi
* Reference To: MSVCRT.
exit
, Ord:0249h
|
:004BF478 FF1568E75100 Call dword ptr [0051E768]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF469(C)
|
:004BF47E 8BCE mov ecx, esi
:004BF480 E8AB0A0000 call 004BFF30 ;关键call[3],检测使用时间在2005-2006之间。
:004BF485 85C0
test
eax, eax
:004BF487 7507 jne 004BF490
:004BF489 57 push edi
* Reference To: MSVCRT.
exit
, Ord:0249h
|
:004BF48A FF1568E75100 Call dword ptr [0051E768]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF487(C)
|
:004BF490 8BCE mov ecx, esi ;====>成功,来到这里!
:004BF492 E849040000 call 004BF8E0
:004BF497 B901000000 mov ecx, 00000001
:004BF49C B880808000 mov eax, 00808080
:004BF4A1 890D18C02802 mov dword ptr [0228C018], ecx
:004BF4A7 890D2CC02802 mov dword ptr [0228C02C], ecx
:004BF4AD B9C0C0C000 mov ecx, 00C0C0C0
:004BF4B2 893D1CC02802 mov dword ptr [0228C01C], edi
:004BF4B8 890D44C02802 mov dword ptr [0228C044], ecx
:004BF4BE 890D48C02802 mov dword ptr [0228C048], ecx
......
......
:004BF51A C70510C02802400D0300 mov dword ptr [0228C010], 00030D40
:004BF524 C70514C028020A000000 mov dword ptr [0228C014], 0000000A
:004BF52E C70538C0280202000000 mov dword ptr [0228C038], 00000002
:004BF538 5E pop esi
:004BF539 64890D00000000 mov dword ptr fs:[00000000], ecx
:004BF540 81C410010000 add esp, 00000110
:004BF546 C3 ret
1. 解决掉狗的 call
先看关键 call[1](检查狗的那个,在 004BF444 处被调用),来到下面。注意它不只是返回一个标志:狗操作的返回值还会被写进对象成员 [esi+0C4],并参与计算 [esi+0D0],所以只在调用处跳过那条 jne 并不够,要让狗操作本身返回"正确"的值。
; ===========================================================================
; 004BFAA0  -- "key call [1]": dongle presence check (thiscall, ecx = this).
; Callers: 004BF444 (the startup path listed above) and 004D04C3 (not shown).
; Return: eax = 1 iff the dongle wrapper 00407C46 returned 0, else eax = 0.
;         The caller does test eax,eax / jne and on 0 shows
;         "没有找到加密器。" ("encryptor/dongle not found") and calls exit().
; Why patching the caller's jne alone is not enough: the wrapper's status is
; also cached in the object ([esi+0C4]) and folded into [esi+0D0] before
; 004BFFD0 runs, so object state -- not just the flag -- depends on it.
; Locals: 0x50 bytes, two 0x28-byte (10-dword) arrays at [esp+08], [esp+30].
; Globals 04AA5744 / 04AA574C are written here and again in 004BFB20 just
; before its own dongle call -- presumably a parameter block for the dongle
; routine; their meaning is not visible in this listing.
; ===========================================================================
* Referenced by a CALL at Addresses:
|:004BF444 , :004D04C3
|
:004BFAA0 83EC50 sub esp, 00000050 ; 0x50 bytes of locals (see header)
:004BFAA3 C6054457AA0400 mov byte ptr [04AA5744], 00 ; global flag byte := 0 (also written by 004BFB20)
:004BFAAA C7054C57AA042A030000 mov dword ptr [04AA574C], 0000032A ; global := 0x32A (meaning not visible here)
:004BFAB4 56 push esi
:004BFAB5 57 push edi
:004BFAB6 8BF1 mov esi, ecx ; esi = this
:004BFAB8 E88981F4FF call 00407C46 ; key call [4]: dongle wrapper; eax = status, 0 means "present" (see sete below)
:004BFABD 8BF8 mov edi, eax ; edi = dongle status, live until the sete at the end
:004BFABF 33C9 xor ecx, ecx ; outer index (byte offset) = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BFAE1(C)
|
:004BFAC1 C7440C0800000000 mov [esp+ecx+08], 00000000 ; first array[ecx/4] := 0
:004BFAC9 33C0 xor eax, eax ; inner index (byte offset) = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BFAD9(C)
|
:004BFACB 8B540408 mov edx, dword ptr [esp+eax+08] ; edx = first array[eax/4]
:004BFACF 83C004 add eax, 00000004
:004BFAD2 83F828 cmp eax, 00000028 ; 10 dwords per array
:004BFAD5 89540C30 mov dword ptr [esp+ecx+30], edx ; second array[ecx/4] := edx (same slot rewritten on every inner pass); the dongle status is not used by this loop
:004BFAD9 7CF0 jl 004BFACB
:004BFADB 83C104 add ecx, 00000004
:004BFADE 83F928 cmp ecx, 00000028
:004BFAE1 7CDE jl 004BFAC1
:004BFAE3 8B86CC000000 mov eax, dword ptr [esi+000000CC] ; eax = this->field_CC
:004BFAE9 6A00 push 00000000 ; single argument (0) for 004BFFD0
:004BFAEB 89BEC4000000 mov dword ptr [esi+000000C4], edi ; this->field_C4 = dongle status (cached in the object)
:004BFAF1 8D4C3801 lea ecx, dword ptr [eax+edi+01] ; ecx = field_CC + status + 1
:004BFAF5 0FAFCF imul ecx, edi ; ecx = (field_CC + status + 1) * status; 0 whenever status == 0
:004BFAF8 898ED0000000 mov dword ptr [esi+000000D0], ecx ; this->field_D0 = derived value
:004BFAFE 8BCE mov ecx, esi ; this
:004BFB00 E8CB040000 call 004BFFD0 ; this->method(0); body not shown
:004BFB05 33C0 xor eax, eax ; eax = 0 (flags are re-set by the test below)
:004BFB07 85FF test edi, edi ; status == 0 ?
:004BFB09 5F pop edi
:004BFB0A 5E pop esi
:004BFB0B DDD8 fstp st(0) ; drop an x87 value -- suggests 004BFFD0 returns a float/double that is ignored; EFLAGS untouched
:004BFB0D 0F94C0 sete al ; eax = (status == 0)
:004BFB10 83C450 add esp, 00000050
:004BFB13 C3 ret ; no stack args cleaned: thiscall with no parameters
看到有 2 处调用这个关键 call[1](004BF444 和 004D04C3)。观察它的返回值:004BFAA0 结尾是 test edi,edi / sete al,也就是只有 00407C46 返回 0(存在 edi 里)时它才返回 eax=1,才能跳过"没有找到加密器。"的提示窗口;但 00407C46 的返回值还被存进了对象成员,仅在这一层改 eax 是不够的。我们还是进入关键 call[4] 看一下吧。
; ===========================================================================
; 00407C46  -- "key call [4]": thin wrapper around the dongle routine 00401038.
; Caller: 004BFAB8 only.  Saves ebx/esi/edi plus the caller's ecx/edx, calls
; 00401038(1, 0040759A, 00407C07) (cdecl: three args, cleaned by the caller
; below) and returns its eax unchanged through the [ebp-04] temporary.
; The two address arguments lie in this module's code section.  The
; cross-reference list of 00401038 (further down) includes a call site at
; 00407C31, i.e. inside 00407C07..00407C46, so 00407C07 is plausibly a
; callback routine that itself calls the dongle routine -- not shown here.
; ===========================================================================
* Referenced by a CALL at Address:
|:004BFAB8
|
:00407C46 55 push ebp
:00407C47 8BEC mov ebp, esp
:00407C49 51 push ecx ; reserves the 4-byte local at [ebp-04] (the pushed value is not used)
:00407C4A 53 push ebx
:00407C4B 56 push esi
:00407C4C 57 push edi
:00407C4D 52 push edx ; preserve caller's edx/ecx across the call
:00407C4E 51 push ecx
:00407C4F 68077C4000 push 00407C07 ; arg 3: code-section address (see header)
:00407C54 689A754000 push 0040759A ; arg 2: code-section address
:00407C59 6A01 push 00000001 ; arg 1
:00407C5B E8D893FFFF call 00401038 ; key call [5]: the obfuscated dongle operation
:00407C60 83C40C add esp, 0000000C ; cdecl cleanup of the 3 args
:00407C63 8945FC mov dword ptr [ebp-04], eax ; temp = dongle result
:00407C66 59 pop ecx
:00407C67 5A pop edx
:00407C68 8B45FC mov eax, dword ptr [ebp-04] ; return the result unchanged
:00407C6B 5F pop edi
:00407C6C 5E pop esi
:00407C6D 5B pop ebx
:00407C6E C9 leave
:00407C6F C3 ret
这里没什么新鲜的:00407C46 只是把 00401038(1, 0040759A, 00407C07) 的返回值原样传回。我们还是进入关键 call[5] 看一下吧。
; ===========================================================================
; 00401038  -- "key call [5]": the dongle operation itself; 7 call sites are
; listed below.  Prologue: 0x23C bytes of locals, ebx/esi/edi saved, pushad,
; then an unconditional jmp to 00401080.  Only this excerpt is shown; the
; function's tail (popad, epilogue, ret) is not included.
;
; Everything the disassembler prints after 00401045 is a linear-sweep decode
; of bytes that the real control flow does not execute at that alignment
; ("花指令" = junk / anti-disassembly code): the jmp target 00401080 lies
; INSIDE the 5-byte "call 00402A3D" printed at 0040107F, so the listing is
; misaligned from there on.  Re-reading the raw bytes from 00401080 gives a
; plausible counted loop (hand decode, treat as a hypothesis):
;   00401080  B9 19 00 00 00   mov ecx, 19h
;   00401085  EB 01            jmp +1          (skips the junk byte BE)
;   00401088  68 9E 10 40 00   push 0040109E
;   0040108D  72 03 / 73 01    jb / jnb -> 00401092 (one of them is always taken; 15 is junk)
;   00401092  C3               ret             -> 0040109E  (push/ret instead of jmp)
;   0040109E  EB 01            jmp +1
;   004010A1  49               dec ecx
;   004010A2  7A 03 / 7B 01    jpe / jpo -> 004010A7 (always taken; 8B is junk)
;   004010A7  67 E3 08         jecxz -> 004010B2
;   004010AA  75 03 / 74 01    jne / je -> 004010AF (always taken; 81 is junk)
;   004010AF  EB D4            jmp 00401085    (loop)
;   004010B2  EB 01            jmp 004010B5
;   004010B5  E8 9B 64 ..      call ...        (rel32 cut off at the end of this excerpt)
; The bytes at 00401047..00401079 repeat the same pattern with count 11h
; (B9 11 00 00 00 at 00401048, loop-back EB D4 at 00401077 -> 0040104D);
; which entry reaches that copy is not visible.  0040107A is a second entry
; point with its own three callers (see the cross-reference block below).
; Patching the return value at the call sites, as the tutorial does, never
; has to decode any of this.
; ===========================================================================
* Referenced by a CALL at Addresses:
|:00401023 , :00407C31 , :00407C5B , :00407C93 , :00407CBD
|:00407CF3 , :00407D30
|
:00401038 55 push ebp
:00401039 8BEC mov ebp, esp
:0040103B 81EC3C020000 sub esp, 0000023C ; 0x23C bytes of locals
:00401041 53 push ebx
:00401042 56 push esi
:00401043 57 push edi
:00401044 60 pushad ; all GPRs saved; the matching popad is outside this excerpt
:00401045 EB39 jmp 00401080 ; real flow continues at 00401080 -- byte 2 of the instruction printed at 0040107F
:00401047 E8B9110000 call 00402205 ; from here on the listing is junk / misaligned (see header); E8 is the decoy byte, B9 11 00 00 00 = mov ecx,11h
:0040104C 00EB add bl, ch ; junk (misaligned decode)
:0040104E 01BE68661040 add dword ptr [esi+40106668], edi ; contains 68 66 10 40 00 = push 00401066
:00401054 007203 add byte ptr [edx+03], dh
:00401057 7301 jnb 0040105A
:00401059 15C30B0300 adc eax, 00030BC3 ; contains C3 = ret at 0040105A
:0040105E 0102 add dword ptr [edx], eax
:00401060 030405060708EB add eax, dword ptr [eax+EB080706]
:00401067 0113 add dword ptr [ebx], edx
:00401069 49 dec ecx
:0040106A 7A03 jpe 0040106F ; jpe/jpo pair: opaque predicate, one branch is always taken
:0040106C 7B01 jpo 0040106F
:0040106E 8B67E3 mov esp, dword ptr [edi-1D] ; contains 67 E3 = jecxz
:00401071 07 pop es
:00401072 7503 jne 00401077 ; jne/je pair: opaque predicate
:00401074 7401 je 00401077
:00401076 81 BYTE 81h
:00401077 EB BYTE ebh ; EB D4 = jmp 0040104D (loop-back of the first copy)
:00401078 D4 BYTE d4h
:00401079 E8 BYTE e8h
* Referenced by a CALL at Addresses:
|:004026E8 , :004032CB , :004034CC
|
:0040107A E82E330000 call 004043AD ; 0040107A is a separate entry point (3 callers); still junk from the 00401038 path's point of view
:0040107F E8B9190000 call 00402A3D ; the jmp at 00401045 lands at 00401080, inside this 5-byte instruction: B9 19 00 00 00 = mov ecx,19h
:00401084 00EB add bl, ch ; EB 01 at 00401085 = jmp 00401088
:00401086 01BE689E1040 add dword ptr [esi+40109E68], edi ; contains 68 9E 10 40 00 = push 0040109E
:0040108C 007203 add byte ptr [edx+03], dh
:0040108F 7301 jnb 00401092
:00401091 15C30B0300 adc eax, 00030BC3 ; contains C3 = ret at 00401092 -> 0040109E
:00401096 0102 add dword ptr [edx], eax
:00401098 030405060708EB add eax, dword ptr [eax+EB080706]
:0040109F 0113 add dword ptr [ebx], edx
:004010A1 49 dec ecx
:004010A2 7A03 jpe 004010A7 ; jpe/jpo pair: opaque predicate
:004010A4 7B01 jpo 004010A7
:004010A6 8B67E3 mov esp, dword ptr [edi-1D] ; contains 67 E3 08 = jecxz 004010B2 (loop exit)
:004010A9 087503 or byte ptr [ebp+03], dh
:004010AC 7401 je 004010AF
:004010AE 81EBD4E8EB01 sub ebx, 01EBE8D4 ; contains EB D4 = jmp 00401085 (loop) and EB 01 at 004010B2
:004010B4 80E89B sub al, 9B ; E8 at 004010B5 begins a call whose target is cut off here
:004010B7 64 BYTE 064h
无穷的花指令!!!
看到花指令,我们就知道这就是关键的 call,刻意的隐藏!其实从 00401045 的 jmp 00401080 起反汇编器就对不齐了:00401080 落在 0040107F 那条"call 00402A3D"的中间,后面打印出来的都是线性扫描的错位解码,并不是真的无穷;按字节从 00401080 重读,是一个 mov ecx,19h 加 push/ret、jb/jnb 成对跳转的计数循环(见上面列表里的注释)。
我们可以去 00401047 call 00402205 里看,也是无穷的花指令(同样的字节模式,计数是 11h)!
我们看到有 7 处调用这个关键 call[5],我们不管花指令了,直接改返回值!
"老狗不会放数据在狗里"只是一个假设,而且从关键 call[2] 看很可能不成立:它把一个栈缓冲区的地址写进 [04AA5740] 再调 00407C70,之后用 "%s" 格式化这个缓冲区并和 "Luo…" 串比较,说明至少版本判断用的串是从那一路读回来的(00407C70 没有列出,这一点要自己确认)。所以保险的做法正是这里选的:不改 00401038 的入口(那样会连狗操作的副作用一起跳掉),而是到 7 个调用点分别把返回值改成 0,虽然麻烦一点。
我们举个例子,还是去 00407C5B,其余的一样。
; 00407C46 again (excerpt; the full listing is above): the two instructions
; the tutorial patches so that the wrapper returns 0 -- the value 004BFAA0
; treats as "dongle present" -- regardless of what 00401038 computed.
; The call itself is kept, so any side effects of the dongle routine survive;
; only the status value is overridden.  Note the pop ecx / pop edx between
; the two patch points: that is why eax is zeroed at the first one and the
; reload at the second one has to be neutralised as well.
* Referenced by a CALL at Address:
|:004BFAB8
|
:00407C46 55 push ebp
.....
....
:00407C59 6A01 push 00000001
:00407C5B E8D893FFFF call 00401038 ; key call [5]: the obfuscated dongle operation
:00407C60 83C40C add esp, 0000000C
:00407C63 8945FC mov dword ptr [ebp-04], eax ; patch point 1 (3 bytes: 89 45 FC)
:00407C66 59 pop ecx
:00407C67 5A pop edx
:00407C68 8B45FC mov eax, dword ptr [ebp-04] ; patch point 2 (3 bytes: 8B 45 FC)
:00407C6B 5F pop edi
:00407C6C 5E pop esi
:00407C6D 5B pop ebx
:00407C6E C9 leave
:00407C6F C3 ret
我们改 00407C63、00407C68 这 2 句。返回值在 eax 里;从 004BFAA0 结尾的 test edi,edi / sete al 可知,eax=0 才是"狗存在"的正确值。
:00407C63 33c0 xor eax,eax ; 2 bytes over the first two of "89 45 FC": eax = 0, the value 004BFAA0 treats as "dongle present"
:00407C65 90 nop ; pads the third byte so 00407C66 (pop ecx) keeps its alignment
:00407C68 8945FC mov dword ptr [ebp-04], eax ; 8B -> 89: the reload of the real result becomes a harmless store; eax stays 0 through the epilogue
其余 6 处一样改(调用点见 00401038 上方的交叉引用列表:00401023、00407C31、00407C93、00407CBD、00407CF3、00407D30;每处要按各自的代码形状把返回值改成 0)。
2. 解决版本问题
我们看看关键 call[2],它决定版本:企业版、设计版……
; ===========================================================================
; 004BFB20  -- "key call [2]": edition / licence-type check (thiscall,
; ecx = this).  Callers: 004BF462 (startup) and 004D04D2 (not shown).
; Returns eax = 1 on the accepted path (004BFCDB, listed after this excerpt);
; the failure exits 004BFD16 / 004BFD27 are outside the excerpt, and the
; caller exits the process on a 0 return.
;
; Mechanism visible here (S = esp after the sub esp,10):
;  - the address of a stack buffer at S+4 is stored in the global block
;    04AA5740.. together with 0x32A, a flag byte 0 and the words 0x4D / 0x8,
;    and the byte at S+0C (8 bytes past the buffer start) is pre-zeroed as a
;    terminator; the dongle wrapper 00407C70 is then called and must return 0.
;    00407C70 starts right after 00407C46's ret and the cross-reference list
;    of 00401038 includes 00407C93, so it is presumably a sibling wrapper of
;    the same dongle routine.  Reading 0x4D / 8 as an address/length pair for
;    an 8-byte read is consistent with the 8-character tokens below, but the
;    callee is not shown -- treat that as a hypothesis.
;  - the buffer is formatted with "%s" into a CString at S and searched for a
;    list of plaintext edition tokens ("Luo98202", "Luo01", "Luo01487",
;    "Luo984", "Luo985", "Luo014", "Luo015", "Luo01395", ...), setting the
;    edition word [04AA58B4] (2 at 004BFCDB) and a feature flag [04AA58B8].
;  - MFC42 ordinal 1A07 is called with (literal, 0) and its sign is tested,
;    i.e. it behaves like CString::Find returning <0 on a miss; ordinals 021C,
;    0B02 and 0320 are used as CString ctor, Format and dtor.  Confirm the
;    names against the MFC42 export table before relying on them.
;  - push -1 / push 00519E68 / fs:[0] is the MSVC SEH frame; [S+18] is the
;    EH state index (0 once the CString is constructed, -1 before the dtor).
; Design note: the tokens are plaintext in the image and the decision is a
; handful of jl/jge branches feeding a global edition word -- which is why a
; single 2-byte jmp (004BFC69) forces "edition 2".
; ===========================================================================
* Referenced by a CALL at Addresses:
|:004BF462 , :004D04D2
|
:004BFB20 6AFF push FFFFFFFF ; EH state = -1
:004BFB22 68689E5100 push 00519E68 ; EH handler thunk
:004BFB27 64A100000000 mov eax, dword ptr fs:[00000000]
:004BFB2D 50 push eax ; previous SEH record
:004BFB2E 64892500000000 mov dword ptr fs:[00000000], esp ; install frame
:004BFB35 83EC10 sub esp, 00000010 ; S = esp: CString object at S, 9-byte buffer at S+4..S+0C
:004BFB38 53 push ebx
:004BFB39 56 push esi
:004BFB3A 33DB xor ebx, ebx ; ebx = 0 for the rest of the function
:004BFB3C 8D44240C lea eax, dword ptr [esp+0C] ; eax = S+4 (buffer start)
:004BFB40 8BF1 mov esi, ecx ; esi = this
:004BFB42 C7054C57AA042A030000 mov dword ptr [04AA574C], 0000032A ; same global block as in 004BFAA0
:004BFB4C 881D4457AA04 mov byte ptr [04AA5744], bl ; flag byte := 0
:004BFB52 A34057AA04 mov dword ptr [04AA5740], eax ; buffer pointer handed to the dongle routine via the global block
:004BFB57 66C7055057AA044D00 mov word ptr [04AA5750], 004D ; 0x4D -- address? (see header)
:004BFB60 66C7055257AA040800 mov word ptr [04AA5752], 0008 ; 8 -- length? (see header)
:004BFB69 885C2414 mov byte ptr [esp+14], bl ; S+0C := 0: terminator after 8 buffer bytes
:004BFB6D E8FE80F4FF call 00407C70 ; dongle wrapper #2; eax = status
:004BFB72 3BC3 cmp eax, ebx ; status == 0 ?
:004BFB74 0F85AD010000 jne 004BFD27 ; must NOT be taken (tutorial: nop the 6 bytes); non-zero status = failure path outside this excerpt
:004BFB7A 8D4C2408 lea ecx, dword ptr [esp+08] ; this = CString at S
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:004BFB7E E817E80400 Call 0050E39A ; CString ctor (presumed)
:004BFB83 8D4C240C lea ecx, dword ptr [esp+0C] ; ecx = S+4 (buffer)
:004BFB87 8D542408 lea edx, dword ptr [esp+08] ; edx = S (CString)
:004BFB8B 51 push ecx ; vararg: buffer
* Possible StringData Ref from Data Obj ->
"%s"
|
:004BFB8C 68CC4F5400 push 00544FCC ; format
:004BFB91 52 push edx ; this (varargs member: cdecl with this on the stack)
:004BFB92 895C242C mov dword ptr [esp+2C], ebx ; EH state := 0 (CString now live)
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:004BFB96 E8F3E70400 Call 0050E38E ; CString::Format(this, "%s", buffer) (presumed)
:004BFB9B 83C40C add esp, 0000000C
:004BFB9E 8D4C2408 lea ecx, dword ptr [esp+08] ; this = CString
:004BFBA2 53 push ebx ; nStart = 0
* Possible StringData Ref from Data Obj ->
"Luo98202"
|
:004BFBA3 68CCD25400 push 0054D2CC
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFBA8 E805E80400 Call 0050E3B2 ; Find("Luo98202", 0) (presumed); result handling elided below
....
....
....
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFBD6 E8D7E70400 Call 0050E3B2 ; Find(<elided token>, 0)
:004BFBDB 85C0 test eax, eax ; >= 0 means found
:004BFBDD 7D17 jge 004BFBF6 ; must be taken (token found); otherwise the "Luo01" test below can bail out to 004BFD16
:004BFBDF 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo01"
|
:004BFBE0 68B0D25400 push 0054D2B0
:004BFBE5 8D4C2410 lea ecx, dword ptr [esp+10] ; this = CString (S, after the two pushes)
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFBE9 E8C4E70400 Call 0050E3B2 ; Find("Luo01", 0)
:004BFBEE 85C0 test eax, eax
:004BFBF0 0F8C20010000 jl 004BFD16 ; alternatively this one must NOT be taken: not found -> failure exit (outside the excerpt)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BFBDD(C)
|
:004BFBF6 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo01487"
|
:004BFBF7 68A4D25400 push 0054D2A4
:004BFBFC 8D4C2410 lea ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFC00 E8ADE70400 Call 0050E3B2 ; Find("Luo01487", 0)
:004BFC05 85C0 test eax, eax
:004BFC07 7C0A jl 004BFC13 ; not found: skip the flag
:004BFC09 C705B858AA0401000000 mov dword ptr [04AA58B8], 00000001 ; feature flag set when "Luo01487" is present
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BFC07(C)
|
:004BFC13 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo984"
|
:004BFC14 689CD25400 push 0054D29C
:004BFC19 8D4C2410 lea ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFC1D E890E70400 Call 0050E3B2 ; Find("Luo984", 0)
:004BFC22 85C0 test eax, eax
:004BFC24 0F8DB1000000 jnl 004BFCDB ; found -> edition-2 path; 6-byte jnl, tutorial leaves it alone (awkward to patch)
:004BFC2A 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo985"
|
:004BFC2B 6894D25400 push 0054D294
:004BFC30 8D4C2410 lea ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFC34 E879E70400 Call 0050E3B2 ; Find("Luo985", 0)
:004BFC39 85C0 test eax, eax
:004BFC3B 0F8D9A000000 jnl 004BFCDB ; found -> edition-2 path; 6-byte jnl, left alone
:004BFC41 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo014"
|
:004BFC42 688CD25400 push 0054D28C
:004BFC47 8D4C2410 lea ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFC4B E862E70400 Call 0050E3B2 ; Find("Luo014", 0)
:004BFC50 85C0 test eax, eax
:004BFC52 0F8D83000000 jnl 004BFCDB ; found -> edition-2 path; 6-byte jnl, left alone
:004BFC58 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo015"
|
:004BFC59 6884D25400 push 0054D284
:004BFC5E 8D4C2410 lea ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:1A07, Ord:1A07h
|
:004BFC62 E84BE70400 Call 0050E3B2 ; Find("Luo015", 0)
:004BFC67 85C0 test eax, eax
:004BFC69 7D70 jge 004BFCDB ; 2-byte jge: the tutorial's patch point, 7D 70 -> EB 70 (jmp 004BFCDB), making edition 2 unconditional
:004BFC6B 53 push ebx
* Possible StringData Ref from Data Obj ->
"Luo01395"
......
......
跳到这里(004BFCDB)就是我们需要的:它把 [04AA58B4] 置 2、把 [esi+0192D5D4] 置 1,然后返回 eax=1。
; 004BFCDB -- the accepted-edition exit of 004BFB20, reached from the five
; jnl/jge branches listed below.  Records edition 2, marks the object, tears
; down the CString and the SEH frame, and returns eax = 1.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BFC24(C), :004BFC3B(C), :004BFC52(C), :004BFC69(C), :004BFC7C(C)
|
:004BFCDB C705B458AA0402000000 mov dword ptr [04AA58B4], 00000002 ; global edition word := 2 -- "MST 2004 enterprise edition" per the tutorial
:004BFCE5 8D4C2408 lea ecx, dword ptr [esp+08] ; this = CString at S
:004BFCE9 C786D4D5920101000000 mov dword ptr [esi+0192D5D4], 00000001 ; object member (also written by the caller before call [1]) := 1
:004BFCF3 C7442420FFFFFFFF mov [esp+20], FFFFFFFF ; EH state := -1 before destroying the CString
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004BFCFB E894E60400 Call 0050E394 ; CString dtor (presumed)
:004BFD00 5E pop esi
:004BFD01 B801000000 mov eax, 00000001 ; success
:004BFD06 5B pop ebx
:004BFD07 8B4C2410 mov ecx, dword ptr [esp+10] ; saved previous SEH record
:004BFD0B 64890D00000000 mov dword ptr fs:[00000000], ecx ; unlink the frame
:004BFD12 83C41C add esp, 0000001C
:004BFD15 C3 ret
3. 关键 call[3],检测使用时间:年份大于 2006 直接返回 0(调用方随即 exit);2005 年且 esi(月份)大于 8 只弹一个升级提示,仍然返回 1。这就简单了。
; ===========================================================================
; 004BFF30  -- "key call [3]": expiry (time-bomb) check.  Caller: 004BF480.
; Returns eax = 0 (caller calls exit) when the local year is > 2006, and
; eax = 1 otherwise.  The year-2005-and-month>8 branch shows the upgrade
; message but falls through to the eax = 1 return, so it is a warning only.
; The year is [eax+14] + 1900 (0x76C) from the object returned by MFC42
; ordinal 0D09; offset 0x14 is struct tm's tm_year, so 0D09 is presumably a
; CTime accessor that yields a tm (e.g. GetLocalTm) -- confirm.  esi (the
; "month") is loaded in the elided part; if it is tm_mon unadjusted it is
; 0-based, so "8" would be September rather than August -- verify before
; trusting the tutorial's "8月".  Ordinal 04B0 is called as (text, 0, 0),
; the AfxMessageBox argument pattern.
; ===========================================================================
* Referenced by a CALL at Address:
|:004BF480
|
:004BFF30 83EC08 sub esp, 00000008
....
....
....
* Reference To: MFC42.Ordinal:0D09, Ord:0D09h
|
:004BFF6A E8A1E60400 Call 0050E610 ; eax -> time structure (see header)
:004BFF6F 8B4014 mov eax, dword ptr [eax+14] ; tm_year (years since 1900)
:004BFF72 056C070000 add eax, 0000076C ; + 1900 -> calendar year
:004BFF77 3DD6070000 cmp eax, 000007D6 ; 0x7D6 = 2006; the tutorial patches this immediate to 0x7DF (2015), moving only the hard cut-off -- the 2005 warning path is unchanged
:004BFF7C 7E15 jle 004BFF93 ; year <= 2006 passes; otherwise expired
:004BFF7E 6A00 push 00000000 ; nIDHelp
:004BFF80 6A00 push 00000000 ; nType
* Possible StringData Ref from Data Obj ->
"您的软件应该升级了.请到http://www.mstcenter.com下载!"
|
:004BFF82 6860D35400 push 0054D360 ; "your software should be upgraded; download from ..."
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004BFF87 E8FCE30400 Call 0050E388 ; AfxMessageBox (presumed)
:004BFF8C 33C0 xor eax, eax ; expired -> return 0
:004BFF8E 5E pop esi
:004BFF8F 83C408 add esp, 00000008
:004BFF92 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BFF7C(C)
|
:004BFF93 3DD5070000 cmp eax, 000007D5 ; 0x7D5 = 2005
:004BFF98 7513 jne 004BFFAD ; not 2005 -> accepted
:004BFF9A 83FE08 cmp esi, 00000008 ; month (esi, set in the elided part) vs 8 -- 0-based tm_mon? see header
:004BFF9D 7E0E jle 004BFFAD ; month <= 8 -> accepted; later in 2005 -> warning only (message, then falls through to the eax = 1 return)
:004BFF9F 6A00 push 00000000
:004BFFA1 6A00 push 00000000
* Possible StringData Ref from Data Obj ->
"您的软件应该升级了.请到http://www.mstcenter.com下载!"
|
:004BFFA3 6860D35400 push 0054D360
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004BFFA8 E8DBE30400 Call 0050E388 ; AfxMessageBox (presumed); no early return after it
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BFF98(C), :004BFF9D(C)
|
:004BFFAD B801000000 mov eax, 00000001 ; accepted
:004BFFB2 5E pop esi
:004BFFB3 83C408 add esp, 00000008
:004BFFB6 C3 ret
完工,大功告成,无限制。前提是 00401038 的 7 个调用点、004BFB20 里的两处跳转以及 004BFF30 的年份常量都改到了;004BFAA0 和 004BFB20 还各有第二个调用者(004D04C3、004D04D2),因为改动都在被调函数内部,它们也一并被覆盖。