【Title】: An unconventional way to beat the Rockey4 dongle with the packer still on
【Author】: KuNgBiM/[CCG]
【Author's e-mail】: kungbim@163.com
【Software】: **标书制作系统 5.1 (a bid-document preparation system)
【Software type】: commercial software
【Size】: 2.72 MB
【Download】: search for it yourself
【Protection】: Rockey4 dongle
【Packer】: ASProtect 2.11 SKE build 03.13 Release
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OllyICE
【Author's note】: Just out of interest, nothing else. If I have slipped up anywhere, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Walkthrough】
PEiD reports the target is protected by ASProtect. I first tried unpacking it with Volx's script, but the unpacked file crashed, so I decided to analyze it with the packer still on.
Load the program in OllyICE, ignore all exceptions and press F9 to run it. Once the program has loaded and is running, search the referenced strings for anything suspicious:
************************************************************************************************
Address Disassembly Text string
........(omitted)
004FC515 mov ecx,004FC66C ASCII "bs51.ini"
004FC575 mov edx,004FC680 ASCII "Oldies"
004FC5B9 mov edx,004FC680 ASCII "Oldies"
004FC5D5 mov edx,004FC680 ASCII "Oldies"
004FC5F7 mov edx,004FC680 ASCII "Oldies"
004FC6D3 mov ecx,004FC750 ASCII "bs51.ini"
004FC705 mov edx,004FC764 ASCII "Oldies"
004FCA8F push 004FCB40 ASCII "wjp.idx"
004FCABA push 004FCB7C ASCII "RY2_Find"
004FCACC push 004FCB88 ASCII "RY2_Open"
004FCADE push 004FCB94 ASCII "RY2_Close"
004FCAF0 push 004FCBA0 ASCII "RY2_GenUID"
004FCB02 push 004FCBAC ASCII "RY2_Write"
004FCB14 push 004FCBB8 ASCII "RY2_Read"
004FCF6E mov esi,004FD2A8 ASCII "ROCKEYNT"
004FCF9E mov edi,004FD3A8 ASCII "\\.\RockeyNT"
004FCFA5 mov edi,004FD3B8 ASCII "\\.\ROCKEY9X"
004FCFDC mov edi,004FD3C8 ASCII "\\.\rockey9x.vxd"
004FD062 mov edx,004FD3DC ASCII "\drivers\rockeynt.sys"
004FD0E4 mov edx,004FD3F4 ASCII "\rockeynt.sys"
004FD1D4 push 004FD404 ASCII "\\.\ROCKEYNT"
004FD6CB mov eax,004FD740 ASCII "Rockey4ND%08x"
004FD857 mov eax,004FDA40 ASCII "ROCKEY4_MUTEX0%d"
004FD876 mov eax,004FDA5C ASCII "ROCKEY4_MUTEX%d"
004FD8BA push 004FDA6C ASCII "SETUPAPI.DLL"
004FD8D2 push 004FDA7C ASCII "SetupDiDestroyDeviceInfoList"
004FD8E7 push 004FDA9C ASCII "SetupDiGetDeviceInterfaceDetailA"
004FD8FC push 004FDAC0 ASCII "SetupDiEnumDeviceInterfaces"
004FD911 push 004FDADC ASCII "SetupDiGetClassDevsA"
004FD926 push 004FDAF4 ASCII "HID.DLL"
004FD942 push 004FDAFC ASCII "HidD_FreePreparsedData"
004FD957 push 004FDB14 ASCII "HidP_GetCaps"
004FD96C push 004FDB24 ASCII "HidD_GetPreparsedData"
004FD981 push 004FDB3C ASCII "HidD_SetFeature"
004FD996 push 004FDB4C ASCII "HidD_GetFeature"
004FD9AB push 004FDB5C ASCII "HidD_FlushQueue"
004FD9C0 push 004FDB6C ASCII "HidD_GetSerialNumberString"
004FD9D5 push 004FDB88 ASCII "HidD_GetProductString"
004FD9EA push 004FDBA0 ASCII "HidD_GetAttributes"
004FD9FF push 004FDBB4 ASCII "HidD_GetHidGuid"
004FDFC9 mov edx,004FE0B8 ASCII "HID Dongle"
........(omitted)
00578D25 push 00578D3C ASCII "http://www.ztys.com"
00578D81 push 00578D98 ASCII "mailto:ztsoft@ztys.com"
00579BBA mov ecx,00579CAC ASCII "Seach.ini"
00579D30 mov ecx,00579E00 ASCII "Seach.ini"
00579E63 push 00579F14 ASCII "ccp.idx"
00579E8E push 00579F50 ASCII "checkdog"
00579EA0 push 00579F5C ASCII "checkbook"
00579EB2 push 00579F68 ASCII "checktimes"
00579EC4 push 00579F74 ASCII "checkver"
00579ED6 push 00579F80 ASCII "checkdate"
00579EE8 push 00579F8C ASCII "checklastdate"
........(omitted)
************************************************************************************************
Two important pieces of information can be found among these strings:
First location:
004FCABA push 004FCB7C ASCII "RY2_Find" // dongle read
004FCA8F push 004FCB40 ASCII "wjp.idx" // the file checked during the dongle read
Second location:
00579E8E push 00579F50 ASCII "checkdog" // dongle verification
00579E63 push 00579F14 ASCII "ccp.idx" // the file checked during dongle verification
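As an added example (not code from the original post), the following Python script parses the OllyDbg referenced-strings listing shown above and pairs each module name the program loads with the export names resolved right after it, which is exactly the pattern that marks the two locations. The sample lines are copied from that listing; the string families are my own grouping of the strings seen there.

```python
"""Triage helper for an OllyDbg 'referenced text strings' dump (added example,
not part of the original post). It parses lines such as
    004FCABA push 004FCB7C ASCII "RY2_Find"
and pairs each module loaded by name (here wjp.idx and ccp.idx) with the
export names resolved right after it, i.e. the GetProcAddress block."""
import re

# One listing line: 8 hex digits, the instruction, then ASCII/UNICODE "text".
LINE_RE = re.compile(
    r'^(?P<addr>[0-9A-Fa-f]{8})\s+(?P<instr>.+?)\s+(?:ASCII|UNICODE)\s+"(?P<text>.*)"\s*$')

# String families seen in the dump above; tested in order, first match wins.
FAMILIES = [
    ("rockey_driver", re.compile(r"rockey", re.I)),        # driver/device/mutex names
    ("hid_setupapi", re.compile(r"^(HidD_|HidP_|SetupDi|HID\b|SETUPAPI)", re.I)),
    ("ry2_export", re.compile(r"^RY2_")),                  # exports of wjp.idx
    ("check_export", re.compile(r"^check")),               # exports of ccp.idx
    ("loaded_module", re.compile(r"\.(idx|dll)$", re.I)),  # LoadLibraryA argument
]

# Lines copied from the listing above (a subset, kept in listing order).
SAMPLE = r"""
004FC515 mov ecx,004FC66C ASCII "bs51.ini"
004FCA8F push 004FCB40 ASCII "wjp.idx"
004FCABA push 004FCB7C ASCII "RY2_Find"
004FCACC push 004FCB88 ASCII "RY2_Open"
004FCADE push 004FCB94 ASCII "RY2_Close"
004FCAF0 push 004FCBA0 ASCII "RY2_GenUID"
004FCB02 push 004FCBAC ASCII "RY2_Write"
004FCB14 push 004FCBB8 ASCII "RY2_Read"
004FCF9E mov edi,004FD3A8 ASCII "\\.\RockeyNT"
004FD8BA push 004FDA6C ASCII "SETUPAPI.DLL"
004FD981 push 004FDB3C ASCII "HidD_SetFeature"
00579E63 push 00579F14 ASCII "ccp.idx"
00579E8E push 00579F50 ASCII "checkdog"
00579EA0 push 00579F5C ASCII "checkbook"
"""

def parse_listing(text):
    """Return [(addr, instruction, string)] for every parsable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m["addr"], 16), m["instr"], m["text"]))
    return out

def classify(s):
    """Name the family a referenced string belongs to, or 'other'."""
    for name, pat in FAMILIES:
        if pat.search(s):
            return name
    return "other"

def module_export_sites(text):
    """Pair each LoadLibraryA-style module name with the export names that
    follow it contiguously in the listing (the GetProcAddress block)."""
    sites, current = [], None
    for addr, _instr, s in parse_listing(text):
        fam = classify(s)
        if fam == "loaded_module":
            current = {"addr": addr, "module": s, "exports": []}
            sites.append(current)
        elif fam in ("ry2_export", "check_export") and current is not None:
            current["exports"].append(s)
        else:
            current = None  # an unrelated string ends the block
    return sites
```

Running `module_export_sites(SAMPLE)` yields the two sites at 004FCA8F (wjp.idx) and 00579E63 (ccp.idx) with their export lists, matching the two locations identified above.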
Double-click each of the two entries to go to the corresponding addresses:
【First location】
004FCA78 55 push ebp ; dongle read (so the program presumably calls it as CALL 004FCA78)
004FCA79 8BEC mov ebp,esp
004FCA7B 53 push ebx
004FCA7C BB 34EE5A00 mov ebx,005AEE34
004FCA81 33C0 xor eax,eax
004FCA83 55 push ebp
004FCA84 68 34CB4F00 push 004FCB34
004FCA89 64:FF30 push dword ptr fs:[eax]
004FCA8C 64:8920 mov dword ptr fs:[eax],esp
004FCA8F 68 40CB4F00 push 004FCB40 ; ASCII "wjp.idx"
004FCA94 E8 37B1F0FF call 00407BD0 ; jmp to kernel32.LoadLibraryA
004FCA99 8903 mov dword ptr ds:[ebx],eax
004FCA9B 833B 00 cmp dword ptr ds:[ebx],0
004FCA9E 75 1A jnz short 004FCABA
004FCAA0 6A 10 push 10
004FCAA2 B9 48CB4F00 mov ecx,004FCB48
004FCAA7 BA 54CB4F00 mov edx,004FCB54
004FCAAC A1 5CD95A00 mov eax,dword ptr ds:[5AD95C]
004FCAB1 8B00 mov eax,dword ptr ds:[eax]
004FCAB3 E8 1077F9FF call 004941C8
004FCAB8 EB 6C jmp short 004FCB26
004FCABA 68 7CCB4F00 push 004FCB7C ; ASCII "RY2_Find"
004FCABF 8B03 mov eax,dword ptr ds:[ebx]
004FCAC1 50 push eax
004FCAC2 E8 31B0F0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCAC7 A3 38EE5A00 mov dword ptr ds:[5AEE38],eax
004FCACC 68 88CB4F00 push 004FCB88 ; ASCII "RY2_Open"
004FCAD1 8B03 mov eax,dword ptr ds:[ebx]
004FCAD3 50 push eax
004FCAD4 E8 1FB0F0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCAD9 A3 3CEE5A00 mov dword ptr ds:[5AEE3C],eax
004FCADE 68 94CB4F00 push 004FCB94 ; ASCII "RY2_Close"
004FCAE3 8B03 mov eax,dword ptr ds:[ebx]
004FCAE5 50 push eax
004FCAE6 E8 0DB0F0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCAEB A3 40EE5A00 mov dword ptr ds:[5AEE40],eax
004FCAF0 68 A0CB4F00 push 004FCBA0 ; ASCII "RY2_GenUID"
004FCAF5 8B03 mov eax,dword ptr ds:[ebx]
004FCAF7 50 push eax
004FCAF8 E8 FBAFF0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCAFD A3 44EE5A00 mov dword ptr ds:[5AEE44],eax
004FCB02 68 ACCB4F00 push 004FCBAC ; ASCII "RY2_Write"
004FCB07 8B03 mov eax,dword ptr ds:[ebx]
004FCB09 50 push eax
004FCB0A E8 E9AFF0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCB0F A3 4CEE5A00 mov dword ptr ds:[5AEE4C],eax
004FCB14 68 B8CB4F00 push 004FCBB8 ; ASCII "RY2_Read"
004FCB19 8B03 mov eax,dword ptr ds:[ebx]
004FCB1B 50 push eax
004FCB1C E8 D7AFF0FF call 00407AF8 ; jmp to kernel32.GetProcAddress
004FCB21 A3 48EE5A00 mov dword ptr ds:[5AEE48],eax
004FCB26 33C0 xor eax,eax
004FCB28 5A pop edx
004FCB29 59 pop ecx
004FCB2A 59 pop ecx
004FCB2B 64:8910 mov dword ptr fs:[eax],edx
004FCB2E 68 3BCB4F00 push 004FCB3B
004FCB33 C3 retn
004FCB34 ^ E9 3F7CF0FF jmp 00404778
004FCB39 ^ EB F8 jmp short 004FCB33
004FCB3B 5B pop ebx
004FCB3C 5D pop ebp
004FCB3D C3 retn
【Second location】
00579E4C 55 push ebp ; dongle verification (so the program presumably calls it as CALL 00579E4C)
00579E4D 8BEC mov ebp,esp
00579E4F 53 push ebx
00579E50 BB B0445B00 mov ebx,005B44B0
00579E55 33C0 xor eax,eax
00579E57 55 push ebp
00579E58 68 089F5700 push 00579F08
00579E5D 64:FF30 push dword ptr fs:[eax]
00579E60 64:8920 mov dword ptr fs:[eax],esp
00579E63 68 149F5700 push 00579F14 ; ASCII "ccp.idx"
00579E68 E8 63DDE8FF call 00407BD0 ; jmp to kernel32.LoadLibraryA
00579E6D 8903 mov dword ptr ds:[ebx],eax
00579E6F 833B 00 cmp dword ptr ds:[ebx],0
00579E72 75 1A jnz short 00579E8E
00579E74 6A 10 push 10
00579E76 B9 1C9F5700 mov ecx,00579F1C
00579E7B BA 289F5700 mov edx,00579F28
00579E80 A1 5CD95A00 mov eax,dword ptr ds:[5AD95C]
00579E85 8B00 mov eax,dword ptr ds:[eax]
00579E87 E8 3CA3F1FF call 004941C8
00579E8C EB 6C jmp short 00579EFA
00579E8E 68 509F5700 push 00579F50 ; ASCII "checkdog"
00579E93 8B03 mov eax,dword ptr ds:[ebx]
00579E95 50 push eax
00579E96 E8 5DDCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579E9B A3 C0445B00 mov dword ptr ds:[5B44C0],eax
00579EA0 68 5C9F5700 push 00579F5C ; ASCII "checkbook"
00579EA5 8B03 mov eax,dword ptr ds:[ebx]
00579EA7 50 push eax
00579EA8 E8 4BDCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579EAD A3 B4445B00 mov dword ptr ds:[5B44B4],eax
00579EB2 68 689F5700 push 00579F68 ; ASCII "checktimes"
00579EB7 8B03 mov eax,dword ptr ds:[ebx]
00579EB9 50 push eax
00579EBA E8 39DCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579EBF A3 B8445B00 mov dword ptr ds:[5B44B8],eax
00579EC4 68 749F5700 push 00579F74 ; ASCII "checkver"
00579EC9 8B03 mov eax,dword ptr ds:[ebx]
00579ECB 50 push eax
00579ECC E8 27DCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579ED1 A3 BC445B00 mov dword ptr ds:[5B44BC],eax
00579ED6 68 809F5700 push 00579F80 ; ASCII "checkdate"
00579EDB 8B03 mov eax,dword ptr ds:[ebx]
00579EDD 50 push eax
00579EDE E8 15DCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579EE3 A3 C4445B00 mov dword ptr ds:[5B44C4],eax
00579EE8 68 8C9F5700 push 00579F8C ; ASCII "checklastdate"
00579EED 8B03 mov eax,dword ptr ds:[ebx]
00579EEF 50 push eax
00579EF0 E8 03DCE8FF call 00407AF8 ; jmp to kernel32.GetProcAddress
00579EF5 A3 C8445B00 mov dword ptr ds:[5B44C8],eax
00579EFA 33C0 xor eax,eax
00579EFC 5A pop edx
00579EFD 59 pop ecx
00579EFE 59 pop ecx
00579EFF 64:8910 mov dword ptr fs:[eax],edx
00579F02 68 0F9F5700 push 00579F0F
00579F07 C3 retn
00579F08 ^ E9 6BA8E8FF jmp 00404778
00579F0D ^ EB F8 jmp short 00579F07
00579F0F 5B pop ebx
00579F10 5D pop ebp
00579F11 C3 retn
【Summary and hints】
Common dongle types do their dongle detection and verification through calls to fixed addresses.
From the above we can conclude that in this program:
the dongle read is presumably called as CALL 004FCA78
the dongle verification is presumably called as CALL 00579E4C
So we can press Ctrl+S in the program and search for:
CALL 004FCA78 and CALL 00579E4C
▲The relevant addresses found▲
【Reading the dongle data】
0058DC28 55 push ebp ; come here and set a breakpoint with F2
0058DC29 8BEC mov ebp,esp
0058DC2B B9 08000000 mov ecx,8
0058DC30 6A 00 push 0
0058DC32 6A 00 push 0
0058DC34 49 dec ecx
0058DC35 ^ 75 F9 jnz short 0058DC30
0058DC37 53 push ebx
0058DC38 56 push esi
0058DC39 57 push edi
0058DC3A 8955 F8 mov dword ptr ss:[ebp-8],edx
0058DC3D 8945 FC mov dword ptr ss:[ebp-4],eax
0058DC40 33C0 xor eax,eax
0058DC42 55 push ebp
0058DC43 68 52DF5800 push 0058DF52
0058DC48 64:FF30 push dword ptr fs:[eax]
0058DC4B 64:8920 mov dword ptr fs:[eax],esp
0058DC4E 833D 58D25A00 02 cmp dword ptr ds:[5AD258],2
0058DC55 75 3C jnz short 0058DC93
0058DC57 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0058DC5A 8B0D 5CD25A00 mov ecx,dword ptr ds:[5AD25C]
0058DC60 8B15 54D25A00 mov edx,dword ptr ds:[5AD254]
0058DC66 E8 A175E7FF call 0040520C
0058DC6B 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0058DC6E 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DC71 E8 124DEEFF call 00472988
0058DC76 8D55 EC lea edx,dword ptr ss:[ebp-14]
0058DC79 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DC7C E8 D74CEEFF call 00472958
0058DC81 8B55 EC mov edx,dword ptr ss:[ebp-14]
0058DC84 B8 54D25A00 mov eax,005AD254
0058DC89 E8 C672E7FF call 00404F54
0058DC8E E9 6A020000 jmp 0058DEFD
0058DC93 803D 44465B00 00 cmp byte ptr ds:[5B4644],0
0058DC9A 74 67 je short 0058DD03
0058DC9C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DC9F E8 2CEDFFFF call 0058C9D0
0058DCA4 85C0 test eax,eax
0058DCA6 75 19 jnz short 0058DCC1
0058DCA8 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
0058DCB2 BA 68DF5800 mov edx,0058DF68
0058DCB7 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DCBA E8 C94CEEFF call 00472988
0058DCBF EB 25 jmp short 0058DCE6
0058DCC1 33C0 xor eax,eax
0058DCC3 A3 40465B00 mov dword ptr ds:[5B4640],eax
0058DCC8 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0058DCCB 8B0D 5CD25A00 mov ecx,dword ptr ds:[5AD25C]
0058DCD1 BA 68DF5800 mov edx,0058DF68
0058DCD6 E8 3175E7FF call 0040520C
0058DCDB 8B55 E8 mov edx,dword ptr ss:[ebp-18]
0058DCDE 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DCE1 E8 A24CEEFF call 00472988
0058DCE6 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0058DCE9 B8 02000000 mov eax,2
0058DCEE E8 5954E7FF call 0040314C
0058DCF3 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0058DCF6 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DCF9 E8 6EF9FFFF call 0058D66C
0058DCFE E9 18010000 jmp 0058DE1B
0058DD03 33C0 xor eax,eax
0058DD05 55 push ebp
0058DD06 68 D3DD5800 push 0058DDD3
0058DD0B 64:FF30 push dword ptr fs:[eax]
0058DD0E 64:8920 mov dword ptr fs:[eax],esp
0058DD11 833D 40465B00 03 cmp dword ptr ds:[5B4640],3 ; ★if the program has a dongle, 005B4640 holds 3★
0058DD18 74 0F je short 0058DD29 ; jumps if the dongle is present
0058DD1A B8 02000000 mov eax,2
0058DD1F E8 28F7F6FF call 004FD44C
0058DD24 A3 40465B00 mov dword ptr ds:[5B4640],eax
0058DD29 833D 40465B00 03 cmp dword ptr ds:[5B4640],3
0058DD30 74 0F je short 0058DD41 ; jumps if the dongle is present
0058DD32 B8 02000000 mov eax,2
0058DD37 E8 B020F7FF call 004FFDEC
0058DD3C A3 40465B00 mov dword ptr ds:[5B4640],eax
0058DD41 E8 32EDF6FF call 004FCA78 ; ▲the only dongle-read call found▲ (scroll up to the function start and set a breakpoint there)
0058DD46 833D 40465B00 03 cmp dword ptr ds:[5B4640],3
0058DD4D 74 62 je short 0058DDB1 ; jumps if the dongle is present
0058DD4F 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0058DD52 BA 02000000 mov edx,2
0058DD57 B8 F6426A70 mov eax,706A42F6
0058DD5C E8 63EEF6FF call 004FCBC4
0058DD61 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0058DD64 B8 68DF5800 mov eax,0058DF68
0058DD69 E8 9677E7FF call 00405504
0058DD6E 48 dec eax
0058DD6F 7D 40 jge short 0058DDB1
0058DD71 8D45 DC lea eax,dword ptr ss:[ebp-24]
0058DD74 8B0D 5CD25A00 mov ecx,dword ptr ds:[5AD25C]
0058DD7A 8B15 54D25A00 mov edx,dword ptr ds:[5AD254]
0058DD80 E8 8774E7FF call 0040520C
0058DD85 8B55 DC mov edx,dword ptr ss:[ebp-24]
0058DD88 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DD8B E8 F84BEEFF call 00472988
0058DD90 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0058DD93 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DD96 E8 BD4BEEFF call 00472958
0058DD9B 8B55 D8 mov edx,dword ptr ss:[ebp-28]
0058DD9E B8 54D25A00 mov eax,005AD254
0058DDA3 E8 AC71E7FF call 00404F54
0058DDA8 33C0 xor eax,eax
0058DDAA A3 40465B00 mov dword ptr ds:[5B4640],eax
0058DDAF EB 18 jmp short 0058DDC9
0058DDB1 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
0058DDBB 8B15 54D25A00 mov edx,dword ptr ds:[5AD254]
0058DDC1 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DDC4 E8 BF4BEEFF call 00472988
0058DDC9 33C0 xor eax,eax
0058DDCB 5A pop edx
0058DDCC 59 pop ecx
0058DDCD 59 pop ecx
0058DDCE 64:8910 mov dword ptr fs:[eax],edx
0058DDD1 EB 48 jmp short 0058DE1B
0058DDD3 ^ E9 EC66E7FF jmp 004044C4
0058DDD8 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0058DDDB 8B0D 5CD25A00 mov ecx,dword ptr ds:[5AD25C]
0058DDE1 8B15 54D25A00 mov edx,dword ptr ds:[5AD254]
0058DDE7 E8 2074E7FF call 0040520C
0058DDEC 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0058DDEF 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DDF2 E8 914BEEFF call 00472988
0058DDF7 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0058DDFA 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DDFD E8 564BEEFF call 00472958
0058DE02 8B55 D0 mov edx,dword ptr ss:[ebp-30]
0058DE05 B8 54D25A00 mov eax,005AD254
0058DE0A E8 4571E7FF call 00404F54
0058DE0F 33C0 xor eax,eax
0058DE11 A3 40465B00 mov dword ptr ds:[5B4640],eax
0058DE16 E8 D56AE7FF call 004048F0
0058DE1B E8 58EAE7FF call 0040C878
0058DE20 83C4 F8 add esp,-8
0058DE23 DD1C24 fstp qword ptr ss:[esp]
0058DE26 9B wait
0058DE27 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0058DE2A B8 7CDF5800 mov eax,0058DF7C
0058DE2F E8 40F7E7FF call 0040D574
0058DE34 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
0058DE37 8D45 CC lea eax,dword ptr ss:[ebp-34]
0058DE3A BA 98DF5800 mov edx,0058DF98
0058DE3F E8 C873E7FF call 0040520C
0058DE44 8B45 CC mov eax,dword ptr ss:[ebp-34]
0058DE47 50 push eax
0058DE48 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DE4B 8B80 28030000 mov eax,dword ptr ds:[eax+328]
0058DE51 8B80 08020000 mov eax,dword ptr ds:[eax+208]
0058DE57 33D2 xor edx,edx
0058DE59 E8 3206ECFF call 0044E490
0058DE5E 5A pop edx
0058DE5F E8 8805ECFF call 0044E3EC
0058DE64 833D 40465B00 03 cmp dword ptr ds:[5B4640],3
0058DE6B 74 24 je short 0058DE91 ; jumps if the dongle is present
0058DE6D 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DE70 8B80 28030000 mov eax,dword ptr ds:[eax+328]
0058DE76 8B80 08020000 mov eax,dword ptr ds:[eax+208]
0058DE7C BA 02000000 mov edx,2
0058DE81 E8 0A06ECFF call 0044E490
0058DE86 8B15 60D25A00 mov edx,dword ptr ds:[5AD260]
0058DE8C E8 5B05ECFF call 0044E3EC
0058DE91 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DE94 C680 BC040000 01 mov byte ptr ds:[eax+4BC],1
0058DE9B 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DE9E 8B10 mov edx,dword ptr ds:[eax]
0058DEA0 FF92 88000000 call dword ptr ds:[edx+88]
0058DEA6 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DEA9 E8 7A2AF0FF call 00490928
0058DEAE 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0058DEB1 A1 5CD95A00 mov eax,dword ptr ds:[5AD95C]
0058DEB6 8B00 mov eax,dword ptr ds:[eax]
0058DEB8 E8 3B68F0FF call 004946F8
0058DEBD 8B45 C0 mov eax,dword ptr ss:[ebp-40]
0058DEC0 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0058DEC3 E8 64CCE7FF call 0040AB2C
0058DEC8 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
0058DECB 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0058DECE B9 B4DF5800 mov ecx,0058DFB4 ; ASCII "tip.yes"
0058DED3 E8 3473E7FF call 0040520C
0058DED8 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0058DEDB E8 00C9E7FF call 0040A7E0
0058DEE0 84C0 test al,al
0058DEE2 75 0E jnz short 0058DEF2
0058DEE4 A1 D0DB5A00 mov eax,dword ptr ds:[5ADBD0]
0058DEE9 8B00 mov eax,dword ptr ds:[eax]
0058DEEB E8 382AF0FF call 00490928
0058DEF0 EB 0B jmp short 0058DEFD
0058DEF2 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0058DEF5 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058DEF8 E8 BFF5FFFF call 0058D4BC
0058DEFD 33C0 xor eax,eax
0058DEFF 5A pop edx
0058DF00 59 pop ecx
0058DF01 59 pop ecx
0058DF02 64:8910 mov dword ptr fs:[eax],edx
0058DF05 68 59DF5800 push 0058DF59
0058DF0A 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0058DF0D BA 04000000 mov edx,4
0058DF12 E8 0D70E7FF call 00404F24
0058DF17 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0058DF1A E8 E16FE7FF call 00404F00
0058DF1F 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0058DF22 E8 D96FE7FF call 00404F00
0058DF27 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0058DF2A E8 D16FE7FF call 00404F00
0058DF2F 8D45 DC lea eax,dword ptr ss:[ebp-24]
0058DF32 BA 04000000 mov edx,4
0058DF37 E8 E86FE7FF call 00404F24
0058DF3C 8D45 EC lea eax,dword ptr ss:[ebp-14]
0058DF3F E8 BC6FE7FF call 00404F00
0058DF44 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0058DF47 BA 02000000 mov edx,2
0058DF4C E8 D36FE7FF call 00404F24
0058DF51 C3 retn
0058DF52 ^ E9 2168E7FF jmp 00404778
0058DF57 ^ EB B1 jmp short 0058DF0A
0058DF59 5F pop edi
0058DF5A 5E pop esi
0058DF5B 5B pop ebx
0058DF5C 8BE5 mov esp,ebp
0058DF5E 5D pop ebp
0058DF5F C3 retn
【Verifying the dongle data】
005907A0 55 push ebp ; come here and set a breakpoint with F2
005907A1 8BEC mov ebp,esp
005907A3 33C9 xor ecx,ecx
005907A5 51 push ecx
005907A6 51 push ecx
005907A7 51 push ecx
005907A8 51 push ecx
005907A9 51 push ecx
005907AA 53 push ebx
005907AB 8BD8 mov ebx,eax
005907AD 33C0 xor eax,eax
005907AF 55 push ebp
005907B0 68 39095900 push 00590939
005907B5 64:FF30 push dword ptr fs:[eax]
005907B8 64:8920 mov dword ptr fs:[eax],esp
005907BB B8 48095900 mov eax,00590948 ; ASCII "0000000000"
005907C0 8945 FC mov dword ptr ss:[ebp-4],eax
005907C3 8B0D 5CD95A00 mov ecx,dword ptr ds:[5AD95C]
005907C9 8B09 mov ecx,dword ptr ds:[ecx]
005907CB B2 01 mov dl,1
005907CD A1 68435600 mov eax,dword ptr ds:[564368]
005907D2 E8 E1BDEFFF call 0048C5B8
005907D7 8B15 18D55A00 mov edx,dword ptr ds:[5AD518]
005907DD 8902 mov dword ptr ds:[edx],eax
005907DF A1 18D55A00 mov eax,dword ptr ds:[5AD518]
005907E4 8B00 mov eax,dword ptr ds:[eax]
005907E6 BA 9A0B0000 mov edx,0B9A
005907EB E8 2019EEFF call 00472110
005907F0 A1 18D55A00 mov eax,dword ptr ds:[5AD518]
005907F5 8B00 mov eax,dword ptr ds:[eax]
005907F7 8BD3 mov edx,ebx
005907F9 8B08 mov ecx,dword ptr ds:[eax]
005907FB FF51 68 call dword ptr ds:[ecx+68]
005907FE 833D 58D25A00 02 cmp dword ptr ds:[5AD258],2
00590805 75 1E jnz short 00590825
00590807 B8 5CD25A00 mov eax,005AD25C
0059080C BA 5C095900 mov edx,0059095C
00590811 E8 3E47E7FF call 00404F54
00590816 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
00590820 E9 F9000000 jmp 0059091E
00590825 E8 BA28E7FF call 004030E4
0059082A 83F8 02 cmp eax,2
0059082D 0F9405 44465B00 sete byte ptr ds:[5B4644]
00590834 803D 44465B00 00 cmp byte ptr ds:[5B4644],0
0059083B 0F85 DD000000 jnz 0059091E
00590841 E8 0696FEFF call 00579E4C ; ▲the only dongle-detect call found▲ (scroll up to the function start and set a breakpoint there)
00590846 A1 C4D85A00 mov eax,dword ptr ds:[5AD8C4]
0059084B 8B00 mov eax,dword ptr ds:[eax]
0059084D FFD0 call eax
0059084F 48 dec eax
00590850 75 1F jnz short 00590871
00590852 A1 3CDA5A00 mov eax,dword ptr ds:[5ADA3C]
00590857 8B00 mov eax,dword ptr ds:[eax]
00590859 FFD0 call eax
0059085B 48 dec eax
0059085C 0F85 BC000000 jnz 0059091E
00590862 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
0059086C E9 AD000000 jmp 0059091E
00590871 A1 A4D85A00 mov eax,dword ptr ds:[5AD8A4]
00590876 8B00 mov eax,dword ptr ds:[eax]
00590878 FFD0 call eax
0059087A 8BD8 mov ebx,eax
0059087C 85DB test ebx,ebx
0059087E 75 0C jnz short 0059088C
00590880 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
0059088A EB 3C jmp short 005908C8
0059088C 85DB test ebx,ebx
0059088E 7E 2F jle short 005908BF
00590890 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00590893 8BC3 mov eax,ebx
00590895 E8 1E99E7FF call 0040A1B8
0059089A 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
0059089D 8D45 F4 lea eax,dword ptr ss:[ebp-C]
005908A0 BA 70095900 mov edx,00590970
005908A5 E8 6249E7FF call 0040520C
005908AA 8B45 F4 mov eax,dword ptr ss:[ebp-C]
005908AD 50 push eax
005908AE E8 259BF4FF call 004DA3D8
005908B3 C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
005908BD EB 09 jmp short 005908C8
005908BF 33C0 xor eax,eax
005908C1 A3 40465B00 mov dword ptr ds:[5B4640],eax
005908C6 EB 56 jmp short 0059091E
005908C8 8B45 FC mov eax,dword ptr ss:[ebp-4]
005908CB 50 push eax
005908CC A1 F8D45A00 mov eax,dword ptr ds:[5AD4F8]
005908D1 8B00 mov eax,dword ptr ds:[eax]
005908D3 FFD0 call eax
005908D5 48 dec eax
005908D6 75 3F jnz short 00590917
005908D8 8D45 F8 lea eax,dword ptr ss:[ebp-8]
005908DB 8B55 FC mov edx,dword ptr ss:[ebp-4]
005908DE E8 1548E7FF call 004050F8
005908E3 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005908E6 BA 9C095900 mov edx,0059099C ; ASCII "0000000000"
005908EB E8 1C4AE7FF call 0040530C
005908F0 74 19 je short 0059090B
005908F2 8D45 EC lea eax,dword ptr ss:[ebp-14]
005908F5 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
005908F8 BA B0095900 mov edx,005909B0
005908FD E8 0A49E7FF call 0040520C
00590902 8B45 EC mov eax,dword ptr ss:[ebp-14]
00590905 50 push eax
00590906 E8 CD9AF4FF call 004DA3D8
0059090B C705 40465B00 03000000 mov dword ptr ds:[5B4640],3
00590915 EB 07 jmp short 0059091E
00590917 33C0 xor eax,eax
00590919 A3 40465B00 mov dword ptr ds:[5B4640],eax
0059091E 33C0 xor eax,eax
00590920 5A pop edx
00590921 59 pop ecx
00590922 59 pop ecx
00590923 64:8910 mov dword ptr fs:[eax],edx
00590926 68 40095900 push 00590940
0059092B 8D45 EC lea eax,dword ptr ss:[ebp-14]
0059092E BA 04000000 mov edx,4
00590933 E8 EC45E7FF call 00404F24
00590938 C3 retn
00590939 ^ E9 3A3EE7FF jmp 00404778
0059093E ^ EB EB jmp short 0059092B
00590940 5B pop ebx
00590941 8BE5 mov esp,ebp
00590943 5D pop ebp
00590944 C3 retn
【Cracking approach】
Tracing from the breakpoints set above shows that when the program starts with the dongle attached, the dword at virtual address 005B4640 holds 3; when it starts without the dongle, it holds 0.
So we can write a loader that sets the dword at virtual address 005B4640 to 3 before the program enters its main code.
Aside: dongle beaten. The day after tomorrow is New Year's Day; happy new year, everyone!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 看雪技术论坛 (Pediy forum). When reposting, please credit the author and keep the article intact. Thank you!
2007-12-30 10:00:18