某行业软件带狗破解
工具:W32Dasm OD
先用W32Dasm 反汇编进行静态分析,通过查看输入DLL列表,发现一个可疑DLL文件***key***.dll
(这里为了维护版权将该文件名隐去一部分),再查看该DLL详细信息,发现该DLL在程序中共有3个输入
函数,通过测试,其中***Key_In***函数为读狗函数
用OD将主文件载入,直接在该函数处设断点:
0043F38A |. FF15 4C0F4600 |call dword ptr [<&***Key***.Key***.__***>; <===此处设断
0043F390 |. 3BC3 |cmp eax, ebx <===无狗则EAX=FFFFFFFF
0043F392 |. 8986 E0000000 |mov dword ptr [esi+E0], eax 有狗则EAX=0
0043F398 |. 0F85 F0000000 |jnz 0043F48E
0043F39E |. 6A 78 |push 78
0043F3A0 |. 8D85 64FFFFFF |lea eax, dword ptr [ebp-9C]
0043F3A6 |. 53 |push ebx
0043F3A7 |. 50 |push eax
0043F3A8 |. E8 55650100 |call <jmp.&MSVCRT.memset>
..................................................................
在0043F38A处F7进入,来到这里
002543C0 8B4424 04 mov eax, dword ptr [esp+4]
002543C4 B9 98682500 mov ecx, 00256898
002543C9 50 push eax
002543CA E8 F1D9FFFF call 00251DC0 <=====F7进入
002543CF C2 0400 retn 4
..................................................................
来到这里:
00251DC0 64:A1 00000000 mov eax, dword ptr fs:[0]
00251DC6 6A FF push -1
00251DC8 68 0C482500 push 0025480C
00251DCD 50 push eax
00251DCE 64:8925 0000000>mov dword ptr fs:[0], esp
00251DD5 81EC 38050000 sub esp, 538
00251DDB 33C0 xor eax, eax
00251DDD 53 push ebx
00251DDE 55 push ebp
00251DDF 56 push esi
00251DE0 8BF1 mov esi, ecx
00251DE2 57 push edi
00251DE3 33DB xor ebx, ebx
00251DE5 83CD FF or ebp, FFFFFFFF
00251DE8 B9 1E000000 mov ecx, 1E
00251DED 8D7E 04 lea edi, dword ptr [esi+4]
00251DF0 895E 7C mov dword ptr [esi+7C], ebx
00251DF3 899E F8000000 mov dword ptr [esi+F8], ebx
00251DF9 899E 74010000 mov dword ptr [esi+174], ebx
00251DFF 89AE 78010000 mov dword ptr [esi+178], ebp
00251E05 89AE 80010000 mov dword ptr [esi+180], ebp
00251E0B 899E 7C010000 mov dword ptr [esi+17C], ebx
00251E11 F3:AB rep stos dword ptr es:[edi]
00251E13 B9 1E000000 mov ecx, 1E <===此处设一临时断点,否则
步过00251E11程序会自动运行,请高手指教原因
00251E18 8DBE 80000000 lea edi, dword ptr [esi+80]
00251E1E F3:AB rep stos dword ptr es:[edi]
00251E20 B9 1E000000 mov ecx, 1E <===此处设一临时断点,原因同上
00251E25 8DBE FC000000 lea edi, dword ptr [esi+FC]
00251E2B F3:AB rep stos dword ptr es:[edi]
00251E2D 8B8424 58050000 mov eax, dword ptr [esp+558] <===此处设一临时断点,原因同上
00251E34 8B08 mov ecx, dword ptr [eax]
00251E36 3959 F8 cmp dword ptr [ecx-8], ebx
00251E39 7F 23 jg short 00251E5E
00251E3B 8D5424 3C lea edx, dword ptr [esp+3C]
00251E3F 68 04010000 push 104
00251E44 52 push edx
00251E45 E8 6A260000 call <jmp.&ComDll.omDll._GetIns>
00251E4A 8DBE 84010000 lea edi, dword ptr [esi+184]
00251E50 8D4424 3C lea eax, dword ptr [esp+3C]
00251E54 50 push eax
00251E55 8BCF mov ecx, edi
00251E57 E8 AC260000 call <jmp.&MFC42.#860_CString::operator=>
00251E5C EB 0E jmp short 00251E6C
00251E5E 8DBE 84010000 lea edi, dword ptr [esi+184]
00251E64 50 push eax
00251E65 8BCF mov ecx, edi
00251E67 E8 96260000 call <jmp.&MFC42.#858_CString::operator=>
00251E6C 8D8E 8C010000 lea ecx, dword ptr [esi+18C]
00251E72 53 push ebx
00251E73 51 push ecx
00251E74 8D4C24 1C lea ecx, dword ptr [esp+1C]
00251E78 E8 7F260000 call <jmp.&MFC42.#521_CSingleLock::CSingleLock>
00251E7D 68 10270000 push 2710
00251E82 8D4C24 18 lea ecx, dword ptr [esp+18]
00251E86 899C24 54050000 mov dword ptr [esp+554], ebx
00251E8D E8 64260000 call <jmp.&MFC42.#4167_CSingleLock::Lock>
00251E92 85C0 test eax, eax
00251E94 74 1E je short 00251EB4
00251E96 8BCE mov ecx, esi
00251E98 E8 B3070000 call 00252650
00251E9D 8BCE mov ecx, esi
00251E9F E8 8C090000 call 00252830
00251EA4 8BCE mov ecx, esi
00251EA6 E8 950A0000 call 00252940 <=====这里步过会出无狗提示,F7跟进
00251EAB 8D4C24 14 lea ecx, dword ptr [esp+14]
00251EAF E8 3C260000 call <jmp.&MFC42.#6307_CSingleLock::Unlock>
.............................................................................
来到这里:
00252940 6A FF push -1
00252942 68 3B492500 push 0025493B
00252947 64:A1 00000000 mov eax, dword ptr fs:[0]
0025294D 50 push eax
0025294E 64:8925 0000000>mov dword ptr fs:[0], esp
00252955 81EC 20050000 sub esp, 520
0025295B 53 push ebx
0025295C 56 push esi
0025295D 8D4424 10 lea eax, dword ptr [esp+10]
00252961 57 push edi
00252962 8BD9 mov ebx, ecx
00252964 50 push eax
00252965 C74424 18 50230>mov dword ptr [esp+18], 2350
0025296D C74424 1C 64140>mov dword ptr [esp+1C], 1464
00252975 C74424 20 0E100>mov dword ptr [esp+20], 100E
0025297D E8 201B0000 call <jmp.&MyS3._S3_Open> <==狗头露出来了,深思3,这时带狗运行
00252982 83C4 04 add esp, 4
00252985 66:85C0 test ax, ax <== 有狗AX=0,此处不做修改,原因后面解释
00252988 0F85 BD000000 jnz 00252A4B
0025298E 33F6 xor esi, esi
00252990 8DBC24 AC000000 lea edi, dword ptr [esp+AC]
00252997 8D4C24 0C lea ecx, dword ptr [esp+C]
0025299B 51 push ecx
0025299C 56 push esi
0025299D E8 FA1A0000 call <jmp.&MyS3._S3_Read> <==读狗数据
002529A2 83C4 08 add esp, 8
002529A5 25 FFFF0000 and eax, 0FFFF
002529AA 894424 10 mov dword ptr [esp+10], eax
002529AE 0F85 9C000000 jnz 00252A50
002529B4 66:8B5424 0C mov dx, word ptr [esp+C]
002529B9 46 inc esi
002529BA 66:8917 mov word ptr [edi], dx
002529BD 83C7 02 add edi, 2
002529C0 83FE 3C cmp esi, 3C
002529C3 ^ 7C D2 jl short 00252997
002529C5 E8 CC1A0000 call <jmp.&MyS3._S3_Close>
002529CA B9 1E000000 mov ecx, 1E
002529CF 8DB424 AC000000 lea esi, dword ptr [esp+AC]
002529D6 8D7C24 34 lea edi, dword ptr [esp+34]
002529DA F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
002529DC 8D8C24 24010000 lea ecx, dword ptr [esp+124]
002529E3 E8 D8E8FFFF call 002512C0
002529E8 8D4424 34 lea eax, dword ptr [esp+34]
002529EC 6A 76 push 76
002529EE 50 push eax
002529EF E8 0CF2FFFF call 00251C00
002529F4 83C4 08 add esp, 8
002529F7 66:3B8424 AA000>cmp ax, word ptr [esp+AA]
002529FF 75 31 jnz short 00252A32
00252A01 66:85C0 test ax, ax
00252A04 76 2C jbe short 00252A32
00252A06 8D4C24 34 lea ecx, dword ptr [esp+34]
00252A0A 6A 76 push 76
00252A0C 51 push ecx
00252A0D E8 CEF1FFFF call 00251BE0
00252A12 8DBB FC000000 lea edi, dword ptr [ebx+FC]
00252A18 B9 1D000000 mov ecx, 1D
00252A1D 8D7424 3C lea esi, dword ptr [esp+3C]
00252A21 83C4 08 add esp, 8
00252A24 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] <==将狗数据写入内存 EDI=256994
00252A26 66:A5 movs word ptr es:[edi], word ptr [esi]
00252A28 C783 74010000 0>mov dword ptr [ebx+174], 1
00252A32 8D8C24 24010000 lea ecx, dword ptr [esp+124]
00252A39 C78424 34050000>mov dword ptr [esp+534], -1
00252A44 E8 87E8FFFF call 002512D0
00252A49 EB 05 jmp short 00252A50
00252A4B E8 461A0000 call <jmp.&MyS3._S3_Close> <===00252988处无狗直接跳到这里
00252A50 8B8C24 2C050000 mov ecx, dword ptr [esp+52C]
00252A57 5F pop edi
00252A58 5E pop esi
00252A59 5B pop ebx
00252A5A 64:890D 0000000>mov dword ptr fs:[0], ecx
00252A61 81C4 2C050000 add esp, 52C
00252A67 C3 retn
00252A68 90 nop <==后面自带几个NOP,正好打补丁用,嘿嘿
00252A69 90 nop
00252A6A 90 nop
00252A6B 90 nop
00252A6C 90 nop
00252A6D 90 nop
00252A6E 90 nop
00252A6F 90 nop
程序在00252A24处将狗数据写入内存,此时EDI=256994, 当运行到00252A67时,EDI=256A1C,
让我们来看看都写了些什么:输入D EDI-88,可以看到:
00256994 05 00 2E 25 5D 46 3A E9 84 44 00 00 00 00 30 37
002569A4 30 35 33 30 C9 F2 D1 F4 31 32 A3 AD 30 32 00 00
002569B4 00 00 00 00 FF FF FF FF FF FF FF FF 80 00 FF FF
002569C4 00 00 00 00 00 00 00 00 80 73 06 7E 00 00 00 00
002569D4 00 00 00 00 00 00 01 00 03 00 00 00 00 00 00 00
002569E4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
002569F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00256A04 00 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF
00256A14 00 00 00 00 FF FF FF FF 80 48 B7 01 00 00 00 00
好了,至此,狗的数据已经全部暴露在我们面前了,剩下的就是对***key***.dll打补丁将狗数据直接写入内存。
无论有狗无狗,运行到00252A67时,EDI=256A1C,所以不必修改00252985处AX的值,它想跳就跳。在补丁里写数据就可以了
至于补丁怎么打,就不多说了,看雪上有教程。打好补丁后,经测试,狗已经被杀掉了。
PS:第一次写破文,不足之处请各位高手指点。另外为什么F8步过
00251E11 F3:AB rep stos dword ptr es:[edi] 处程序会自动运行,请高手指教下。