学习破解加密狗的软件,遇到一些问题,向各位请教,请不吝赐教!!
该软件情况如下:
1.无壳
2.有“没有软件锁,30分钟后退出”的提示,但用W32ASM反汇编找不到!
3.用OD载入,下DeviceIoControl断点
找到以下代码
0066F941 |. FF15 70626E00 |CALL DWORD PTR DS:[<&KERNEL32.DeviceIoC>; \DeviceIoControl
0066F947 |. 8BE8 |MOV EBP,EAX ;
0066F949 |. 53 |PUSH EBX ; /hObject
0066F94A |. FF15 B0616E00 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; \CloseHandle
0066F950 |. 85ED |TEST EBP,EBP ; ebp=1
0066F952 |. 74 0A |JE SHORT McgsSetW.0066F95E ; 不跳
0066F954 |. 83BC24 340100>|CMP DWORD PTR SS:[ESP+134],0
0066F95C |. 74 0A |JE SHORT McgsSetW.0066F968 ; 跳
0066F95E |> 47 |INC EDI
0066F95F |. 83FF 03 |CMP EDI,3
0066F962 |.^ 0F8C 76FFFFFF \JL McgsSetW.0066F8DE
0066F968 |> 83FF 03 CMP EDI,3
0066F96B |. 75 17 JNZ SHORT McgsSetW.0066F984 ; 跳
0066F96D |. B8 10270000 MOV EAX,2710
0066F972 |. 5D POP EBP
0066F973 |. C605 4C407800>MOV BYTE PTR DS:[78404C],30
0066F97A |. 5F POP EDI
0066F97B |. 5E POP ESI
0066F97C |. 5B POP EBX
0066F97D |. 81C4 28020000 ADD ESP,228
0066F983 |. C3 RETN
0066F984 |> 33C0 XOR EAX,EAX ;
0066F986 |. 5D POP EBP ;
0066F987 |. 5F POP EDI ;
0066F988 |. 5E POP ESI
0066F989 |. 5B POP EBX
0066F98A |. 81C4 28020000 ADD ESP,228
0066F990 \. C3 RETN
-------------------------------------------------------------------------------------------
0067009A |. E8 21F8FFFF CALL McgsSetW.0066F8C0 ; 第一次查狗
0067009F |. 85C0 TEST EAX,EAX ; eax=0
006700A1 |. 0F85 91010000 JNZ McgsSetW.00670238 ; 不跳
006700A7 |. 803D C43F7800>CMP BYTE PTR DS:[783FC4],0 ;
006700AE |. 75 05 JNZ SHORT McgsSetW.006700B5 ; 不跳
006700B0 |. E8 9B010000 CALL McgsSetW.00670250 ; 第二次查狗
006700B5 |> 85C0 TEST EAX,EAX ; eax=0
006700B7 |. 74 10 JE SHORT McgsSetW.006700C9 ; 跳
006700B9 |. B8 20A10700 MOV EAX,7A120
006700BE |. 5D POP EBP
006700BF |. 5F POP EDI
006700C0 |. 5E POP ESI
006700C1 |. 5B POP EBX
006700C2 |. 81C4 28020000 ADD ESP,228
006700C8 |. C3 RETN
006700C9 |> 6A 00 PUSH 0 ; /hTemplateFile = NULL
006700CB |. 6A 00 PUSH 0 ; |Attributes = 0
006700CD |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
006700CF |. 6A 00 PUSH 0 ; |pSecurity = NULL
006700D1 |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
006700D3 |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
006700D8 |. 68 40407800 PUSH McgsSetW.00784040 ; |FileName = "\\.\LPTDogMD0"
006700DD |. FF15 7C616E00 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
006700E3 |. 83F8 FF CMP EAX,-1
006700E6 |. 8BF0 MOV ESI,EAX
006700E8 |. 75 10 JNZ SHORT McgsSetW.006700FA ; 跳
006700EA |. B8 10270000 MOV EAX,2710
006700EF |. 5D POP EBP
006700F0 |. 5F POP EDI
006700F1 |. 5E POP ESI
006700F2 |. 5B POP EBX
006700F3 |. 81C4 28020000 ADD ESP,228
006700F9 |. C3 RETN
006700FA |> 33DB XOR EBX,EBX
006700FC |. 66:391D B4FD7>CMP WORD PTR DS:[77FDB4],BX ; bx=0
00670103 |. 0F8E 08010000 JLE McgsSetW.00670211 ; 不跳
00670109 |> E8 52F6FFFF /CALL McgsSetW.0066F760
0067010E |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
00670112 |. E8 59F2FFFF |CALL McgsSetW.0066F370
00670117 |. 0FB7F8 |MOVZX EDI,AX ;
0067011A |. C1E7 10 |SHL EDI,10 ;
0067011D |. E8 4EF2FFFF |CALL McgsSetW.0066F370
00670122 |. 0FB7C0 |MOVZX EAX,AX ;
00670125 |. 0BF8 |OR EDI,EAX ;
00670127 |. 897C24 18 |MOV DWORD PTR SS:[ESP+18],EDI ;
0067012B |. E8 60FBFFFF |CALL McgsSetW.0066FC90
00670130 |. 66:A1 04CC780>|MOV AX,WORD PTR DS:[78CC04]
00670136 |. 02C3 |ADD AL,BL
00670138 |. 50 |PUSH EAX ; /Arg1
00670139 |. E8 62F8FFFF |CALL McgsSetW.0066F9A0 ; \McgsSetW.0066F9A0
0067013E |. 894424 20 |MOV DWORD PTR SS:[ESP+20],EAX
00670142 |. 83C4 04 |ADD ESP,4
00670145 |. 66:A1 B4FD770>|MOV AX,WORD PTR DS:[77FDB4]
0067014B |. 2AC3 |SUB AL,BL
0067014D |. 50 |PUSH EAX ; /Arg1
0067014E |. E8 4DF8FFFF |CALL McgsSetW.0066F9A0 ; \McgsSetW.0066F9A0
00670153 |. 66:8B0D 08CC7>|MOV CX,WORD PTR DS:[78CC08]
0067015A |. 894424 24 |MOV DWORD PTR SS:[ESP+24],EAX
0067015E |. 83C4 04 |ADD ESP,4
00670161 |. 51 |PUSH ECX ; /Arg1
00670162 |. E8 C9FAFFFF |CALL McgsSetW.0066FC30 ; \McgsSetW.0066FC30
00670167 |. 894424 28 |MOV DWORD PTR SS:[ESP+28],EAX
0067016B |. 83C4 04 |ADD ESP,4
0067016E |. 8B0D B0D57800 |MOV ECX,DWORD PTR DS:[78D5B0]
00670174 |. 8B15 14407800 |MOV EDX,DWORD PTR DS:[784014]
0067017A |. A1 18407800 |MOV EAX,DWORD PTR DS:[784018]
0067017F |. 6A 00 |PUSH 0 ; /pOverlapped = NULL
00670181 |. 894C24 34 |MOV DWORD PTR SS:[ESP+34],ECX ; |
00670185 |. 8D4C24 14 |LEA ECX,DWORD PTR SS:[ESP+14] ; |
00670189 |. 895424 2C |MOV DWORD PTR SS:[ESP+2C],EDX ; |
0067018D |. 51 |PUSH ECX ; |pBytesReturned
0067018E |. 8D9424 3C0100>|LEA EDX,DWORD PTR SS:[ESP+13C] ; |
00670195 |. 68 04010000 |PUSH 104 ; |OutBufferSize = 104 (260.)
0067019A |. 894424 38 |MOV DWORD PTR SS:[ESP+38],EAX ; |
0067019E |. 52 |PUSH EDX ; |OutBuffer
0067019F |. 8D4424 24 |LEA EAX,DWORD PTR SS:[ESP+24] ; |
006701A3 |. 6A 20 |PUSH 20 ; |InBufferSize = 20 (32.)
006701A5 |. 50 |PUSH EAX ; |InBuffer
006701A6 |. 68 0864409C |PUSH 9C406408 ; |IoControlCode = 9C406408
006701AB |. 56 |PUSH ESI ; |hDevice
006701AC |. FF15 70626E00 |CALL DWORD PTR DS:[<&KERNEL32.DeviceIoC>; \DeviceIoControl
006701B2 |. 8BF8 |MOV EDI,EAX
006701B4 |. 85FF |TEST EDI,EDI
006701B6 |. 74 5D |JE SHORT McgsSetW.00670215 ; 不跳
006701B8 |. 83BC24 340100>|CMP DWORD PTR SS:[ESP+134],0
006701C0 |. 75 53 |JNZ SHORT McgsSetW.00670215 ; 不跳
006701C2 |. 33C9 |XOR ECX,ECX
006701C4 |. 33D2 |XOR EDX,EDX
006701C6 |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
006701CA |. 83E8 04 |SUB EAX,4
006701CD |. 85C0 |TEST EAX,EAX
006701CF |. 7E 2B |JLE SHORT McgsSetW.006701FC ; 不跳
006701D1 |> 8A8414 380100>|/MOV AL,BYTE PTR SS:[ESP+EDX+138] 计算序列号
006701D8 |. 8B2D F8C57800 ||MOV EBP,DWORD PTR DS:[78C5F8] ; McgsSetW.0078C79C
006701DE |. 32440C 18 ||XOR AL,BYTE PTR SS:[ESP+ECX+18]
006701E2 |. 03EA ||ADD EBP,EDX
006701E4 |. 41 ||INC ECX
006701E5 |. 88441D 00 ||MOV BYTE PTR SS:[EBP+EBX],AL
006701E9 |. 83F9 04 ||CMP ECX,4
006701EC |. 75 02 ||JNZ SHORT McgsSetW.006701F0
006701EE |. 33C9 ||XOR ECX,ECX
006701F0 |> 42 ||INC EDX
006701F1 |. 8B4424 10 ||MOV EAX,DWORD PTR SS:[ESP+10]
006701F5 |. 83E8 04 ||SUB EAX,4
006701F8 |. 3BC2 ||CMP EAX,EDX
006701FA |.^ 7F D5 |\JG SHORT McgsSetW.006701D1 ; 跳走计算下一位
006701FC |> 0FBF05 B4FD77>|MOVSX EAX,WORD PTR DS:[77FDB4] //计算完成,序列号会保存在0078C79c处
//如何修改使此处始终是我设定的数值??
00670203 |. 035C24 10 |ADD EBX,DWORD PTR SS:[ESP+10]
00670207 |. 3BC3 |CMP EAX,EBX
00670209 |.^ 0F8F FAFEFFFF \JG McgsSetW.00670109 ; 不跳
0067020F |. EB 04 JMP SHORT McgsSetW.00670215
00670211 |> 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
00670215 |> 56 PUSH ESI ; /hObject
00670216 |. FF15 B0616E00 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
0067021C |. 85FF TEST EDI,EDI
0067021E |. 75 11 JNZ SHORT McgsSetW.00670231 ; 跳
00670220 |. FF15 E8616E00 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
00670226 |. 5D POP EBP
00670227 |. 5F POP EDI
00670228 |. 5E POP ESI
00670229 |. 5B POP EBX
0067022A |. 81C4 28020000 ADD ESP,228
00670230 |. C3 RETN
00670231 |> 8B8424 340100>MOV EAX,DWORD PTR SS:[ESP+134] ;
00670238 |> 5D POP EBP
00670239 |. 5F POP EDI
0067023A |. 5E POP ESI
0067023B |. 5B POP EBX
0067023C |. 81C4 28020000 ADD ESP,228
00670242 \. C3 RETN
--------------------------------------------------------------------------------------------
00670250 /$ 81EC 28020000 SUB ESP,228
00670256 |. 56 PUSH ESI
00670257 |. 57 PUSH EDI
00670258 |. E8 63F6FFFF CALL McgsSetW.0066F8C0
0067025D |. 85C0 TEST EAX,EAX ; eax=0
0067025F |. 0F85 CD000000 JNZ McgsSetW.00670332 ; 不跳
00670265 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00670267 |. 6A 00 PUSH 0 ; |Attributes = 0
00670269 |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0067026B |. 6A 00 PUSH 0 ; |pSecurity = NULL
0067026D |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
0067026F |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
00670274 |. 68 40407800 PUSH McgsSetW.00784040 ; |FileName = "\\.\LPTDogMD0"
00670279 |. FF15 7C616E00 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
0067027F |. 83F8 FF CMP EAX,-1
00670282 |. 8BF0 MOV ESI,EAX
00670284 |. 75 0E JNZ SHORT McgsSetW.00670294 ; 跳
00670286 |. B8 10270000 MOV EAX,2710
0067028B |. 5F POP EDI
0067028C |. 5E POP ESI
0067028D |. 81C4 28020000 ADD ESP,228
00670293 |. C3 RETN
00670294 |> E8 C7F4FFFF CALL McgsSetW.0066F760
00670299 |. 898424 100100>MOV DWORD PTR SS:[ESP+110],EAX ; nzk
006702A0 |. E8 CBF0FFFF CALL McgsSetW.0066F370
006702A5 |. 0FB7F8 MOVZX EDI,AX ;
006702A8 |. C1E7 10 SHL EDI,10
006702AB |. E8 C0F0FFFF CALL McgsSetW.0066F370
006702B0 |. 0FB7C0 MOVZX EAX,AX ;
006702B3 |. 66:8B0D 08CC7>MOV CX,WORD PTR DS:[78CC08] ;
006702BA |. 0BF8 OR EDI,EAX ;
006702BC |. 89BC24 140100>MOV DWORD PTR SS:[ESP+114],EDI
006702C3 |. 51 PUSH ECX ;
006702C4 |. E8 67F9FFFF CALL McgsSetW.0066FC30
006702C9 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ;
006702CD |. 898424 1C0100>MOV DWORD PTR SS:[ESP+11C],EAX ;
006702D4 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C] ;
006702D8 |. 83C4 04 ADD ESP,4 ;
006702DB |. 8D9424 100100>LEA EDX,DWORD PTR SS:[ESP+110] ;
006702E2 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
006702E4 |. 50 PUSH EAX ; |pBytesReturned
006702E5 |. 6A 08 PUSH 8 ; |OutBufferSize = 8
006702E7 |. 51 PUSH ECX ; |OutBuffer
006702E8 |. 6A 0C PUSH 0C ; |InBufferSize = C (12.)
006702EA |. 52 PUSH EDX ; |InBuffer
006702EB |. 68 1064409C PUSH 9C406410 ; |IoControlCode = 9C406410
006702F0 |. 56 PUSH ESI ; |hDevice
006702F1 |. FF15 70626E00 CALL DWORD PTR DS:[<&KERNEL32.DeviceIoCo>; \DeviceIoControl
006702F7 |. 8BF8 MOV EDI,EAX ; eax=1
006702F9 |. 85FF TEST EDI,EDI ;
006702FB |. 74 17 JE SHORT McgsSetW.00670314 ; 不跳
006702FD |. 837C24 0C 00 CMP DWORD PTR SS:[ESP+C],0 ;
00670302 |. 75 10 JNZ SHORT McgsSetW.00670314 ; 不能跳
00670304 |. C605 C43F7800>MOV BYTE PTR DS:[783FC4],1 ;
0067030B |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ;
0067030F |. A3 B0D57800 MOV DWORD PTR DS:[78D5B0],EAX ;
00670314 |> 56 PUSH ESI ; /hObject
00670315 |. FF15 B0616E00 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
0067031B |. 85FF TEST EDI,EDI ; edi=1
0067031D |. 75 0F JNZ SHORT McgsSetW.0067032E ; 跳
0067031F |. FF15 E8616E00 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
00670325 |. 5F POP EDI
00670326 |. 5E POP ESI
00670327 |. 81C4 28020000 ADD ESP,228
0067032D |. C3 RETN
0067032E |> 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00670332 |> 5F POP EDI
00670333 |. 5E POP ESI
00670334 |. 81C4 28020000 ADD ESP,228
0067033A \. C3 RETN
-----------------------------------------------------------------
0066FA1C 81 DB 81
0066FA1D > 3D 00000080 CMP EAX,80000000
0066FA22 . 73 0A JNB SHORT McgsSetW.0066FA2E
0066FA24 . EB 01 JMP SHORT McgsSetW.0066FA27
0066FA26 81 DB 81
0066FA27 > E8 64060000 CALL McgsSetW.00670090 ; 三次查狗后返回到这
0066FA2C . 59 POP ECX
0066FA2D . C3 RETN 再返回到005D8441
不知这些地方是不是关键点,我看不明白,请各位指点指点,应如何解决???