【Title】: Removing a USB MicroDog dongle: a worked case
【Software】: An engineering documentation program
【Size】: 45M
【Download】: None
【Protection】: Hardware dongle
【Language】: Delphi
【Tools】: OLLYDBG
【Platform】: WINXP SP2
【Description】: Engineering documentation software
【Author's note】: Done purely out of interest, for no other purpose. Do not use for commercial purposes. Corrections to any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
While sorting through some files I happened to come across this dongle again. Last time I searched for a long time without finding anything; this time, after tracing through several times with the dongle attached, I worked out its "habits". After the program reads data from the dongle it writes a marker value to a location in memory, and at the same time returns a constant 0 and the dongle serial number; the serial number is put through a numeric transformation to compute the corresponding password. Once these key places have been found, removing the dongle should not be hard. On to the practical part (I should say that I only know the basics about dongles and am still learning; I hope the experts reading this will offer some guidance, since I think exchanging ideas is very important):
00631A9F . 68 F41D6300 PUSH slzl.00631DF4
00631AA4 . B9 201E6300 MOV ECX,slzl.00631E20
00631AA9 . BA 381E6300 MOV EDX,slzl.00631E38
00631AAE . 8B83 18030000 MOV EAX,DWORD PTR DS:[EBX+318]
00631AB4 . E8 6B52E7FF CALL slzl.004A6D24
00631AB9 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; note the value at EBP-4: the memory here is currently 0; after the dongle is read a check value is written to it
00631ABC . E8 D3E4F2FF CALL slzl.0055FF94 ; CALL1, tests whether the dongle is present and sets AL=1 if so; stepping into this CALL layer by layer leads to the dongle's core routine
00631AC1 . 84C0 TEST AL,AL
00631AC3 75 1B JNZ SHORT slzl.00631AE0 ; jumps
00631AC5 . B8 4C1E6300 MOV EAX,slzl.00631E4C
00631ACA . E8 7197F1FF CALL slzl.0054B240 ; program terminates
00631ACF . A1 28066500 MOV EAX,DWORD PTR DS:[650628]
00631AD4 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631AD6 . E8 F926E4FF CALL slzl.004741D4
00631ADB . E9 9B020000 JMP slzl.00631D7B
00631AE0 > 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; with the dongle present the value at EBP-4 has changed, here to 01034764; without the dongle it stays 0. Set a memory-write breakpoint to find out what writes here
00631AE3 . E8 ACE4F2FF CALL slzl.0055FF94 ; the same dongle-presence CALL1 as above
00631AE8 . 84C0 TEST AL,AL ; AL=1 means the dongle is present
00631AEA 75 13 JNZ SHORT slzl.00631AFF ; jumps
00631AEC . 8BC3 MOV EAX,EBX
00631AEE . E8 5D640100 CALL slzl.00647F50 ; trial (learning) edition
00631AF3 . C683 8A060000>MOV BYTE PTR DS:[EBX+68A],0 ; flag; 0 means the functions are disabled
00631AFA . E9 7C020000 JMP slzl.00631D7B
00631AFF 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; sets EBP-10; a patch could go here, loading EAX directly with the memory value (MOV EAX,01034764), but leave it for now and keep tracing
00631B02 50 PUSH EAX
00631B03 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the value read from memory goes into EAX
00631B06 E8 79E3F2FF CALL slzl.0055FE84 ; CALL2, reads the dongle serial number; if that memory value is not returned this CALL raises an exception; F7 to step in
00631B0B . 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
00631B0E . BA 02000000 MOV EDX,2
00631B13 . E8 18EAF2FF CALL slzl.00560530 ; CALL3, password algorithm, step in
00631B18 . 84C0 TEST AL,AL ; AL=1 returned means valid
00631B1A 75 13 JNZ SHORT slzl.00631B2F ; jumps
00631B1C . 8BC3 MOV EAX,EBX
00631B1E . E8 2D640100 CALL slzl.00647F50 ; trial edition
00631B23 . C683 8A060000>MOV BYTE PTR DS:[EBX+68A],0
00631B2A . E9 4C020000 JMP slzl.00631D7B
00631B2F > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the value at EBP-4 is familiar by now
00631B32 E8 4DE3F2FF CALL slzl.0055FE84 ; the serial-number CALL2 again
00631B37 . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00631B3A . E8 79E4F2FF CALL slzl.0055FFB8 ; checks that the serial number is correct; AL=1 if valid
00631B3F . 84C0 TEST AL,AL
00631B41 75 13 JNZ SHORT slzl.00631B56 ; jumps
00631B43 . 8BC3 MOV EAX,EBX
00631B45 . E8 06640100 CALL slzl.00647F50
00631B4A . C683 8A060000>MOV BYTE PTR DS:[EBX+68A],0
00631B51 . E9 25020000 JMP slzl.00631D7B
00631B56 > \68 701E6300 PUSH slzl.00631E70 ; ASCII "h576g3"
00631B5B . FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00631B5E . 68 801E6300 PUSH slzl.00631E80 ; ASCII "yu4q3d"
00631B63 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00631B66 . BA 03000000 MOV EDX,3
00631B6B . E8 0435DDFF CALL slzl.00405074
00631B70 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00631B73 . 50 PUSH EAX
00631B74 . 68 701E6300 PUSH slzl.00631E70 ; ASCII "h576g3"
00631B79 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00631B7C . E8 4F85DDFF CALL slzl.0040A0D0
00631B81 . 40 INC EAX
00631B82 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00631B85 . E8 A684DDFF CALL slzl.0040A030
00631B8A . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00631B8D . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00631B90 . E8 8BE6F2FF CALL slzl.00560220
00631B95 . FF75 D4 PUSH DWORD PTR SS:[EBP-2C]
00631B98 . 68 801E6300 PUSH slzl.00631E80 ; ASCII "yu4q3d"
00631B9D . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00631BA0 . BA 03000000 MOV EDX,3
00631BA5 . E8 CA34DDFF CALL slzl.00405074
00631BAA . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00631BAD . 58 POP EAX
00631BAE . E8 4535DDFF CALL slzl.004050F8 ; reads the dongle again; with the dongle present EAX is 0
00631BB3 75 0C JNZ SHORT slzl.00631BC1 ; must not jump; change to NOP (third patch)
00631BB5 . C683 8A060000>MOV BYTE PTR DS:[EBX+68A],1 ; flag 1, functions normal
00631BBC /E9 BA010000 JMP slzl.00631D7B ; jumps to the normal program =========
00631BC1 > |8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; serial number
00631BC4 . |E8 0785DDFF CALL slzl.0040A0D0
00631BC9 . |40 INC EAX
00631BCA . |8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00631BCD . |E8 5E84DDFF CALL slzl.0040A030
00631BD2 . |8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00631BD5 . |8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
00631BD8 . |E8 CBE7F2FF CALL slzl.005603A8
00631BDD . |8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00631BE0 . |8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; password
00631BE3 . |E8 1035DDFF CALL slzl.004050F8
00631BE8 |0F85 73010000 JNZ slzl.00631D61
00631BEE . |837D F0 01 CMP DWORD PTR SS:[EBP-10],1
00631BF2 |0F8D 44010000 JGE slzl.00631D3C
00631BF8 . |8B0D 28066500 MOV ECX,DWORD PTR DS:[650628] ; slzl.00651C38
00631BFE . |8B09 MOV ECX,DWORD PTR DS:[ECX]
00631C00 . |B2 01 MOV DL,1
00631C02 . |A1 C4545600 MOV EAX,DWORD PTR DS:[5654C4]
00631C07 . |E8 54ABE3FF CALL slzl.0046C760
00631C0C . |8B15 8C016500 MOV EDX,DWORD PTR DS:[65018C] ; slzl.00652038
00631C12 . |8902 MOV DWORD PTR DS:[EDX],EAX
00631C14 . |A1 8C016500 MOV EAX,DWORD PTR DS:[65018C]
00631C19 . |8B00 MOV EAX,DWORD PTR DS:[EAX]
00631C1B . |05 18030000 ADD EAX,318
00631C20 . |8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; serial number
00631C23 . |E8 1831DDFF CALL slzl.00404D40
00631C28 . |A1 8C016500 MOV EAX,DWORD PTR DS:[65018C]
00631C2D . |8B00 MOV EAX,DWORD PTR DS:[EAX]
00631C2F . |8B10 MOV EDX,DWORD PTR DS:[EAX]
00631C31 . |FF92 E8000000 CALL DWORD PTR DS:[EDX+E8] ; prompts for the registration code based on the serial number
00631C37 . |A1 8C016500 MOV EAX,DWORD PTR DS:[65018C]
00631C3C . |8B00 MOV EAX,DWORD PTR DS:[EAX]
00631C3E . |80B8 14030000>CMP BYTE PTR DS:[EAX+314],0
00631C45 . |75 11 JNZ SHORT slzl.00631C58
00631C47 . A1 28066500 MOV EAX,DWORD PTR DS:[650628]
00631C4C . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631C4E . E8 8125E4FF CALL slzl.004741D4
00631C53 . E9 23010000 JMP slzl.00631D7B
00631C58 > 68 701E6300 PUSH slzl.00631E70 ; ASCII "h576g3"
00631C5D . A1 8C016500 MOV EAX,DWORD PTR DS:[65018C]
00631C62 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631C64 . FFB0 1C030000 PUSH DWORD PTR DS:[EAX+31C]
00631C6A . 68 801E6300 PUSH slzl.00631E80 ; ASCII "yu4q3d"
00631C6F . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00631C72 . BA 03000000 MOV EDX,3
00631C77 . E8 F833DDFF CALL slzl.00405074
00631C7C . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00631C7F . 50 PUSH EAX
00631C80 . 68 701E6300 PUSH slzl.00631E70 ; ASCII "h576g3"
00631C85 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00631C88 . E8 4384DDFF CALL slzl.0040A0D0
00631C8D . 40 INC EAX
00631C8E . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00631C91 . E8 9A83DDFF CALL slzl.0040A030
00631C96 . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48]
00631C99 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00631C9C . E8 7FE5F2FF CALL slzl.00560220
00631CA1 . FF75 BC PUSH DWORD PTR SS:[EBP-44]
00631CA4 . 68 801E6300 PUSH slzl.00631E80 ; ASCII "yu4q3d"
00631CA9 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00631CAC . BA 03000000 MOV EDX,3
00631CB1 . E8 BE33DDFF CALL slzl.00405074
00631CB6 . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
00631CB9 . 58 POP EAX
00631CBA . E8 3934DDFF CALL slzl.004050F8
00631CBF 75 57 JNZ SHORT slzl.00631D18
00631CC1 . 68 E7030000 PUSH 3E7
00631CC6 . A1 8C016500 MOV EAX,DWORD PTR DS:[65018C]
00631CCB . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631CCD . 8B80 1C030000 MOV EAX,DWORD PTR DS:[EAX+31C]
00631CD3 . 50 PUSH EAX
00631CD4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00631CD7 . E8 A8E1F2FF CALL slzl.0055FE84
00631CDC . B9 02000000 MOV ECX,2
00631CE1 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; serial number
00631CE4 . E8 93E3F2FF CALL slzl.0056007C ; password algorithm
00631CE9 . 84C0 TEST AL,AL
00631CEB 74 13 JE SHORT slzl.00631D00
00631CED . B8 901E6300 MOV EAX,slzl.00631E90
00631CF2 . E8 4995F1FF CALL slzl.0054B240 ; registration succeeded
00631CF7 . C683 8A060000>MOV BYTE PTR DS:[EBX+68A],1
00631CFE . EB 7B JMP SHORT slzl.00631D7B ; jumps to the normal program =========
00631D00 > B8 A81E6300 MOV EAX,slzl.00631EA8
00631D05 . E8 3695F1FF CALL slzl.0054B240
00631D0A . A1 28066500 MOV EAX,DWORD PTR DS:[650628]
00631D0F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631D11 . E8 BE24E4FF CALL slzl.004741D4
00631D16 . EB 63 JMP SHORT slzl.00631D7B
00631D18 > B8 A81E6300 MOV EAX,slzl.00631EA8
00631D1D . E8 1E95F1FF CALL slzl.0054B240 ; registration failed
00631D22 . A1 28066500 MOV EAX,DWORD PTR DS:[650628]
00631D27 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00631D29 . E8 A624E4FF CALL slzl.004741D4
00631D2E . EB 4B JMP SHORT slzl.00631D7B
...
0063B313 |. A1 AC096500 MOV EAX,DWORD PTR DS:[6509AC]
0063B318 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0063B31A |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0063B31C |. FF92 E8000000 CALL DWORD PTR DS:[EDX+E8] ; normal running interface
0063B322 |. A1 AC096500 MOV EAX,DWORD PTR DS:[6509AC]
0063B327 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0063B329 |. 80B8 20030000>CMP BYTE PTR DS:[EAX+320],0
0063B330 |. 74 1C JE SHORT slzl.0063B34E
============================================================================
Stepping into CALL1: CALL 0055FF94
0055FF94 /$ 53 PUSH EBX
0055FF95 |. 33DB XOR EBX,EBX
0055FF97 |. 33D2 XOR EDX,EDX
0055FF99 |. 8910 MOV DWORD PTR DS:[EAX],EDX
0055FF9B |. 33D2 XOR EDX,EDX
0055FF9D |. 8915 08206500 MOV DWORD PTR DS:[652008],EDX
0055FFA3 |. A3 1C206500 MOV DWORD PTR DS:[65201C],EAX
0055FFA8 |. E8 31540000 CALL slzl.005653DE ; reads the dongle; with the dongle present EAX=0
0055FFAD |. 85C0 TEST EAX,EAX
0055FFAF 75 02 JNZ SHORT slzl.0055FFB3 ; does not jump
0055FFB1 |. B3 01 MOV BL,1 ; BL set to 1
0055FFB3 |> 8BC3 MOV EAX,EBX ; EAX set to 1
0055FFB5 |. 5B POP EBX
0055FFB6 \. C3 RETN
Stepping into CALL 005653DE
005653DE /$ 52 PUSH EDX
005653DF |. 51 PUSH ECX
005653E0 |. 68 27535600 PUSH slzl.00565327
005653E5 |. 68 9B4E5600 PUSH slzl.00564E9B
005653EA |. 6A 0B PUSH 0B
005653EC |. E8 A7E7FFFF CALL slzl.00563B98 ; dongle-read core; returns the EAX value and the memory value
005653F1 |. 83C4 0C ADD ESP,0C
005653F4 |. 59 POP ECX
005653F5 |. 5A POP EDX
005653F6 \. C3 RETN
Stepping into CALL 00563B98
00563B98 55 PUSH EBP ; dongle core data, followed by a large pile of junk instructions. It is enough to make it return directly with EAX=0; the returned serial number is ignored for now. Changed here to XOR EAX,EAX / RET (first patch)
00563B99 8BEC MOV EBP,ESP
00563B9B 81C4 4CFFFFFF ADD ESP,-0B4
00563BA1 53 PUSH EBX
00563BA2 . 56 PUSH ESI
00563BA3 . 57 PUSH EDI
00563BA4 . C745 C0 A5A50>MOV DWORD PTR SS:[EBP-40],0A5A5
00563BAB . 66:C785 64FFF>MOV WORD PTR SS:[EBP-9C],0A
00563BB4 . E9 5D040000 JMP slzl.00564016
00563BB9 > EB 01 JMP SHORT slzl.00563BBC
=====================================================================
CALL2: CALL 0055FE84
0055FE84 55 PUSH EBP
0055FE85 8BEC MOV EBP,ESP
0055FE87 33C9 XOR ECX,ECX
0055FE89 51 PUSH ECX
0055FE8A |. 51 PUSH ECX
0055FE8B |. 51 PUSH ECX
0055FE8C |. 51 PUSH ECX
0055FE8D |. 51 PUSH ECX
0055FE8E |. 51 PUSH ECX
0055FE8F |. 53 PUSH EBX
0055FE90 |. 56 PUSH ESI
0055FE91 |. 57 PUSH EDI
0055FE92 |. 33D2 XOR EDX,EDX
0055FE94 |. 55 PUSH EBP
0055FE95 |. 68 81FF5500 PUSH slzl.0055FF81
0055FE9A |. 64:FF32 PUSH DWORD PTR FS:[EDX]
0055FE9D |. 64:8922 MOV DWORD PTR FS:[EDX],ESP
0055FEA0 |. 8BD8 MOV EBX,EAX
0055FEA2 |. C1E3 03 SHL EBX,3
0055FEA5 |. 83EB 03 SUB EBX,3
0055FEA8 |. C1E3 02 SHL EBX,2
0055FEAB |. 8BC3 MOV EAX,EBX
0055FEAD |. 33D2 XOR EDX,EDX
0055FEAF |. 52 PUSH EDX ; /Arg2 => 00000000
0055FEB0 |. 50 PUSH EAX ; |Arg1
0055FEB1 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |stack address=0012FD98
0055FEB4 |. E8 A7A1EAFF CALL slzl.0040A060 ; \slzl.0040A060
0055FEB9 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] ; stack address=0012FD94
0055FEBC |. E8 2B4EEAFF CALL slzl.00404CEC ; reads the dongle serial number, F7 to step in
0055FEC1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; with the dongle present this holds the correct serial number 543747188
0055FEC4 |. E8 EB50EAFF CALL slzl.00404FB4 ; gets the serial number length, 9 digits here
0055FEC9 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; EAX=9
0055FECC |. 33FF XOR EDI,EDI
0055FECE |. 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C] ; into EBX
0055FED1 |. 85DB TEST EBX,EBX ; is it less than or equal to 0
0055FED3 |. 7E 22 JLE SHORT slzl.0055FEF7 ; will not jump
0055FED5 |. BE 01000000 MOV ESI,1
0055FEDA 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; sets EBP-10
0055FEDD |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; serial number
0055FEE0 |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1] ; takes the serial number one digit at a time
0055FEE4 |. E8 E34FEAFF |CALL slzl.00404ECC ; numeric transformation
0055FEE9 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] ; the result is stored at EBP-10
0055FEEC |. E8 DFA1EAFF |CALL slzl.0040A0D0 ; checks the new value
0055FEF1 |. 03F8 |ADD EDI,EAX
0055FEF3 |. 46 |INC ESI
0055FEF4 |. 4B |DEC EBX
0055FEF5 |.^ 75 E3 \JNZ SHORT slzl.0055FEDA
0055FEF7 |> 8BC7 MOV EAX,EDI
0055FEF9 |. B9 0A000000 MOV ECX,0A
0055FEFE |. 99 CDQ
0055FEFF |. F7F9 IDIV ECX
0055FF01 |. 8BFA MOV EDI,EDX
0055FF03 |. 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C] ; serial number length
0055FF06 |. 85DB TEST EBX,EBX ; is it 0
0055FF08 |. 7E 3F JLE SHORT slzl.0055FF49
0055FF0A |. BE 01000000 MOV ESI,1
0055FF0F |> 8D45 E8 /LEA EAX,DWORD PTR SS:[EBP-18] ; sets EBP-18
0055FF12 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0055FF15 |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1]
0055FF19 |. E8 AE4FEAFF |CALL slzl.00404ECC ; numeric transformation
0055FF1E |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
0055FF21 |. E8 AAA1EAFF |CALL slzl.0040A0D0 ; checks the value
0055FF26 |. 03C7 |ADD EAX,EDI
0055FF28 |. B9 0A000000 |MOV ECX,0A
0055FF2D |. 99 |CDQ
0055FF2E |. F7F9 |IDIV ECX
0055FF30 |. 8BC2 |MOV EAX,EDX
0055FF32 |. 8D55 EC |LEA EDX,DWORD PTR SS:[EBP-14]
0055FF35 |. E8 F6A0EAFF |CALL slzl.0040A030
0055FF3A |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
0055FF3D |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
0055FF40 |. E8 7750EAFF |CALL slzl.00404FBC
0055FF45 |. 46 |INC ESI
0055FF46 |. 4B |DEC EBX
0055FF47 |.^ 75 C6 \JNZ SHORT slzl.0055FF0F
0055FF49 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; new value
0055FF4C |. E8 7FA1EAFF CALL slzl.0040A0D0 ; CALL5, checks the value again; critical, step in
0055FF51 |. 8BD8 MOV EBX,EAX
0055FF53 |. C1E3 02 SHL EBX,2
0055FF56 |. 83EB 07 SUB EBX,7
0055FF59 |. 33C0 XOR EAX,EAX
0055FF5B |. 5A POP EDX
0055FF5C |. 59 POP ECX
0055FF5D |. 59 POP ECX
0055FF5E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0055FF61 |. 68 88FF5500 PUSH slzl.0055FF88
0055FF66 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0055FF69 |. BA 03000000 MOV EDX,3
0055FF6E |. E8 9D4DEAFF CALL slzl.00404D10
0055FF73 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0055FF76 |. BA 02000000 MOV EDX,2
0055FF7B |. E8 904DEAFF CALL slzl.00404D10
0055FF80 \. C3 RETN
0055FF81 .^ E9 6E47EAFF JMP slzl.004046F4
0055FF86 .^ EB DE JMP SHORT slzl.0055FF66
0055FF88 . 8BC3 MOV EAX,EBX
0055FF8A . 5F POP EDI
0055FF8B . 5E POP ESI
0055FF8C . 5B POP EBX
0055FF8D . 8BE5 MOV ESP,EBP
0055FF8F . 5D POP EBP
0055FF90 . C3 RETN
CALL5, stepping into CALL 0040A0D0
0040A0D0 /$ 53 PUSH EBX
0040A0D1 |. 56 PUSH ESI
0040A0D2 |. 83C4 F4 ADD ESP,-0C
0040A0D5 |. 8BD8 MOV EBX,EAX
0040A0D7 |. 8BD4 MOV EDX,ESP
0040A0D9 |. 8BC3 MOV EAX,EBX
0040A0DB |. E8 3096FFFF CALL slzl.00403710 ; checks the serial number; this is bound to differ with and without the dongle, step in to see
0040A0E0 |. 8BF0 MOV ESI,EAX
0040A0E2 |. 833C24 00 CMP DWORD PTR SS:[ESP],0 ; when correct the value at ESP is 0
0040A0E6 74 19 JE SHORT slzl.0040A101 ; jumps; change to JMP (second patch)
0040A0E8 |. 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
0040A0EC |. C64424 08 0B MOV BYTE PTR SS:[ESP+8],0B
0040A0F1 |. 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
0040A0F5 |. A1 70036500 MOV EAX,DWORD PTR DS:[650370]
0040A0FA |. 33C9 XOR ECX,ECX
0040A0FC |. E8 F3F6FFFF CALL slzl.004097F4
0040A101 |> 8BC6 MOV EAX,ESI
0040A103 |. 83C4 0C ADD ESP,0C
0040A106 |. 5E POP ESI
0040A107 |. 5B POP EBX
0040A108 \. C3 RETN
Contents of CALL 00403710:
00403710 /$ 53 PUSH EBX
00403711 |. 56 PUSH ESI
00403712 |. 57 PUSH EDI
00403713 |. 89C6 MOV ESI,EAX
00403715 |. 50 PUSH EAX
00403716 |. 85C0 TEST EAX,EAX ; is it 0
00403718 |. 74 6C JE SHORT slzl.00403786
0040371A |. 31C0 XOR EAX,EAX
0040371C |. 31DB XOR EBX,EBX
0040371E |. BF CCCCCC0C MOV EDI,0CCCCCCC ; EDI set to 0CCCCCCC=214748364
00403723 |> 8A1E /MOV BL,BYTE PTR DS:[ESI]
00403725 |. 46 |INC ESI
00403726 |. 80FB 20 |CMP BL,20 ; is it a space
00403729 |.^ 74 F8 \JE SHORT slzl.00403723
0040372B |. B5 00 MOV CH,0
0040372D |. 80FB 2D CMP BL,2D ; is it a - sign
00403730 |. 74 62 JE SHORT slzl.00403794
00403732 |. 80FB 2B CMP BL,2B ; is it a + sign
00403735 |. 74 5F JE SHORT slzl.00403796
00403737 |. 80FB 24 CMP BL,24 ; is it $
0040373A |. 74 5F JE SHORT slzl.0040379B
0040373C |. 80FB 78 CMP BL,78 ; is it x
0040373F |. 74 5A JE SHORT slzl.0040379B
00403741 |. 80FB 58 CMP BL,58 ; is it X
00403744 |. 74 55 JE SHORT slzl.0040379B
00403746 |. 80FB 30 CMP BL,30 ; is it 0
00403749 |. 75 13 JNZ SHORT slzl.0040375E
0040374B |. 8A1E MOV BL,BYTE PTR DS:[ESI]
0040374D |. 46 INC ESI
0040374E |. 80FB 78 CMP BL,78
00403751 |. 74 48 JE SHORT slzl.0040379B
00403753 |. 80FB 58 CMP BL,58
00403756 |. 74 43 JE SHORT slzl.0040379B
00403758 |. 84DB TEST BL,BL
0040375A |. 74 20 JE SHORT slzl.0040377C
0040375C |. EB 04 JMP SHORT slzl.00403762
0040375E |> 84DB TEST BL,BL ; is it 0
00403760 |. 74 2D JE SHORT slzl.0040378F
00403762 |> 80EB 30 /SUB BL,30 ; subtract 30H
00403765 |. 80FB 09 |CMP BL,9 ; is it greater than 9
00403768 |. 77 25 |JA SHORT slzl.0040378F
0040376A |. 39F8 |CMP EAX,EDI ; is it greater than 0CCCCCCC=214748364
0040376C |. 77 21 |JA SHORT slzl.0040378F
0040376E |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00403771 |. 01C0 |ADD EAX,EAX
00403773 |. 01D8 |ADD EAX,EBX
00403775 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
00403777 |. 46 |INC ESI
00403778 |. 84DB |TEST BL,BL
0040377A |.^ 75 E6 \JNZ SHORT slzl.00403762
0040377C |> FECD DEC CH
0040377E |. 74 09 JE SHORT slzl.00403789
00403780 |. 85C0 TEST EAX,EAX ; 是否大于0
00403782 |. 7D 4E JGE SHORT slzl.004037D2
00403784 |. EB 09 JMP SHORT slzl.0040378F
00403786 |> 46 INC ESI
00403787 |. EB 06 JMP SHORT slzl.0040378F
00403789 |> F7D8 NEG EAX
0040378B |. 7E 45 JLE SHORT slzl.004037D2
0040378D |. 78 43 JS SHORT slzl.004037D2
0040378F |> 5B POP EBX ; Default case of switch 004037AF
00403790 |. 29DE SUB ESI,EBX
00403792 |. EB 41 JMP SHORT slzl.004037D5
00403794 |> FEC5 INC CH
00403796 |> 8A1E MOV BL,BYTE PTR DS:[ESI]
00403798 |. 46 INC ESI
00403799 |.^ EB C3 JMP SHORT slzl.0040375E
0040379B |> BF FFFFFF0F MOV EDI,0FFFFFFF
004037A0 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004037A2 |. 46 INC ESI
004037A3 |. 84DB TEST BL,BL
004037A5 |.^ 74 DF JE SHORT slzl.00403786
004037A7 |> 80FB 61 /CMP BL,61
004037AA |. 72 03 |JB SHORT slzl.004037AF
004037AC |. 80EB 20 |SUB BL,20
004037AF |> 80EB 30 |SUB BL,30 ; Switch (cases 30..46)
004037B2 |. 80FB 09 |CMP BL,9
004037B5 |. 76 0B |JBE SHORT slzl.004037C2
004037B7 |. 80EB 11 |SUB BL,11
004037BA |. 80FB 05 |CMP BL,5
004037BD |.^ 77 D0 |JA SHORT slzl.0040378F
004037BF |. 80C3 0A |ADD BL,0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 004037AF
004037C2 |> 39F8 |CMP EAX,EDI ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004037AF
004037C4 |.^ 77 C9 |JA SHORT slzl.0040378F
004037C6 |. C1E0 04 |SHL EAX,4
004037C9 |. 01D8 |ADD EAX,EBX
004037CB |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
004037CD |. 46 |INC ESI
004037CE |. 84DB |TEST BL,BL
004037D0 |.^ 75 D5 \JNZ SHORT slzl.004037A7
004037D2 |> 59 POP ECX
004037D3 |. 31F6 XOR ESI,ESI
004037D5 |> 8932 MOV DWORD PTR DS:[EDX],ESI
004037D7 |. 5F POP EDI
004037D8 |. 5E POP ESI
004037D9 |. 5B POP EBX
004037DA \. C3 RETN
=======================================================================
CALL3, stepping into CALL 00560530
00560530 55 PUSH EBP
00560531 8BEC MOV EBP,ESP
00560533 83C4 DC ADD ESP,-24
00560536 |. 53 PUSH EBX
00560537 |. 56 PUSH ESI
00560538 |. 57 PUSH EDI
00560539 |. 33DB XOR EBX,EBX
0056053B |. 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0056053E |. 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
00560541 |. 8BF1 MOV ESI,ECX
00560543 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00560546 |. 33D2 XOR EDX,EDX
00560548 |. 55 PUSH EBP
00560549 |. 68 0F065600 PUSH slzl.0056060F
0056054E |. 64:FF32 PUSH DWORD PTR FS:[EDX]
00560551 |. 64:8922 MOV DWORD PTR FS:[EDX],ESP
00560554 |. 33DB XOR EBX,EBX
00560556 |. A3 14206500 MOV DWORD PTR DS:[652014],EAX
0056055B |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0056055E |. A3 1C206500 MOV DWORD PTR DS:[65201C],EAX
00560563 |. C705 10206500>MOV DWORD PTR DS:[652010],14
0056056D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00560570 |. C1E0 02 SHL EAX,2
00560573 |. 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00560576 |. A3 0C206500 MOV DWORD PTR DS:[65200C],EAX
0056057B |. E8 3C4E0000 CALL slzl.005653BC ; reads the dongle; EAX returns 0
00560580 |. 85C0 TEST EAX,EAX ; the returned EAX must be 0
00560582 |. 75 6D JNZ SHORT slzl.005605F1 ; did not jump
00560584 |. 8BC6 MOV EAX,ESI
00560586 |. E8 6147EAFF CALL slzl.00404CEC ; password algorithm
0056058B |. BF 14000000 MOV EDI,14
00560590 |. 8D5D E4 LEA EBX,DWORD PTR SS:[EBP-1C]
00560593 |> 803B 80 /CMP BYTE PTR DS:[EBX],80
00560596 |. 74 18 |JE SHORT slzl.005605B0
00560598 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
0056059B |. 8A13 |MOV DL,BYTE PTR DS:[EBX] ; password byte into DL
0056059D |. E8 2A49EAFF |CALL slzl.00404ECC
005605A2 |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24]
005605A5 |. 8BC6 |MOV EAX,ESI
005605A7 |. E8 104AEAFF |CALL slzl.00404FBC
005605AC |. 43 |INC EBX
005605AD |. 4F |DEC EDI
005605AE |.^ 75 E3 \JNZ SHORT slzl.00560593
005605B0 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
005605B3 |. 50 PUSH EAX
005605B4 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] ; the password; with the dongle present it is q08iKfrD01E
005605B6 |. E8 F949EAFF CALL slzl.00404FB4 ; gets the password length
005605BB |. 8BD0 MOV EDX,EAX
005605BD |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
005605BF |. B9 01000000 MOV ECX,1
005605C4 |. E8 434CEAFF CALL slzl.0040520C
005605C9 |. 56 PUSH ESI
005605CA |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
005605CC |. E8 E349EAFF CALL slzl.00404FB4
005605D1 |. 8BC8 MOV ECX,EAX
005605D3 |. 49 DEC ECX
005605D4 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
005605D6 |. BA 01000000 MOV EDX,1
005605DB |. E8 2C4CEAFF CALL slzl.0040520C
005605E0 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005605E3 |. 8A00 MOV AL,BYTE PTR DS:[EAX]
005605E5 |. 25 FF000000 AND EAX,0FF
005605EA |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
005605ED |. 8902 MOV DWORD PTR DS:[EDX],EAX
005605EF |. B3 01 MOV BL,1 ; BL set to 1
005605F1 |> 33C0 XOR EAX,EAX ; into EAX
005605F3 |. 5A POP EDX
005605F4 |. 59 POP ECX
005605F5 |. 59 POP ECX
005605F6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005605F9 |. 68 16065600 PUSH slzl.00560616
005605FE |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00560601 |. E8 E646EAFF CALL slzl.00404CEC
00560606 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00560609 |. E8 DE46EAFF CALL slzl.00404CEC
0056060E \. C3 RETN
0056060F .^\E9 E040EAFF JMP slzl.004046F4
00560614 .^ EB E8 JMP SHORT slzl.005605FE
00560616 . 8BC3 MOV EAX,EBX
00560618 . 5F POP EDI
00560619 . 5E POP ESI
0056061A . 5B POP EBX
0056061B . 8BE5 MOV ESP,EBP
0056061D . 5D POP EBP
0056061E . C2 0400 RETN 4
=======================================================================================
--------------------------------------------------------------------------------
【Summary】
After these three patches the dongle can be removed: the program jumps straight past the point where it asks for the dongle password, and once inside, all functions work normally. Alternatively, the code could be patched to have the dongle return a serial number and then compute its password through the algorithm. Please point out any errors in this article.
--------------------------------------------------------------------------------
【Copyright】: This article was originally posted on the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!
March 13, 2006, 16:05:58