手上有个可用的license文件, 只是feature不全,所以有了crack的想法, 看了很多这方面的文章,但由于是外行, 基本看不懂.
不过,一知半解的是: 1.我有了正确的license,应该是知道了vendor name/id, feature name(包括缺的feature,我也知道它们的name), sign的结构等等, 那是不是只要找到2个seed就能写出完整feature的license呢?
2.因为我可以使用合法license正常启动程序,是不是通过监控程序正常这个过程可以比较便捷的找到破解需要的信息呢?
下面给出我比较拙劣的操作过程,主要参照了,laoqian的<<制作AUTOcad2002中文版网络版的Flexlm license>>,诚挚希望过来人能给予些许点拨,当万分感激.
第一步:
用W32Dasm读主程序执行文件xxx.exe (避免麻烦,不写真名). 完成后直接搜索文本"7648B98E",一共找到2处,如下(===隔开).
借鉴高人文章, 判断要用到的应该是第一段.
* Referenced by a CALL at Addresses:
|:00B1FA83 , :00B200A3 , :00B2DDB0 , :00B38FAC , :00B47459
|:00B5BED4
|
:00B21432 55 push ebp
:00B21433 8BEC mov ebp, esp
:00B21435 83EC30 sub esp, 00000030
:00B21438 C745F08EB94876 mov [ebp-10], 7648B98E
:00B2143F C745EC03000000 mov [ebp-14], 00000003
:00B21446 8B4508 mov eax, dword ptr [ebp+08]
:00B21449 8B486C mov ecx, dword ptr [eax+6C]
:00B2144C 8B91D4010000 mov edx, dword ptr [ecx+000001D4]
:00B21452 81E200800000 and edx, 00008000
:00B21458 85D2 test edx, edx
:00B2145A 7423 je 00B2147F
:00B2145C 833DCC4B030200 cmp dword ptr [02034BCC], 00000000
:00B21463 741A je 00B2147F
:00B21465 8B4510 mov eax, dword ptr [ebp+10]
:00B21468 50 push eax
:00B21469 8B4D0C mov ecx, dword ptr [ebp+0C]
:00B2146C 51 push ecx
:00B2146D 8B5508 mov edx, dword ptr [ebp+08]
:00B21470 52 push edx
:00B21471 FF15CC4B0302 call dword ptr [02034BCC]
:00B21477 83C40C add esp, 0000000C
:00B2147A E913010000 jmp 00B21592
====================================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00B2147A(U)
|
:00B21592 8BE5 mov esp, ebp
:00B21594 5D pop ebp
:00B21595 C3 ret
:00B21596 55 push ebp
:00B21597 8BEC mov ebp, esp
:00B21599 83EC20 sub esp, 00000020
:00B2159C C745F88EB94876 mov [ebp-08], 7648B98E
:00B215A3 C745F403000000 mov [ebp-0C], 00000003
:00B215AA 6A04 push 00000004
:00B215AC 8D45E0 lea eax, dword ptr [ebp-20]
:00B215AF 50 push eax
:00B215B0 8B4D0C mov ecx, dword ptr [ebp+0C]
:00B215B3 83C10C add ecx, 0000000C
:00B215B6 51 push ecx
:00B215B7 8B5508 mov edx, dword ptr [ebp+08]
:00B215BA 52 push edx
:00B215BB E833950100 call 00B3AAF3
:00B215C0 83C410 add esp, 00000010
:00B215C3 C645F300 mov [ebp-0D], 00
:00B215C7 8A45F3 mov al, byte ptr [ebp-0D]
:00B215CA 8845F2 mov byte ptr [ebp-0E], al
:00B215CD 8A4DF2 mov cl, byte ptr [ebp-0E]
:00B215D0 884DF1 mov byte ptr [ebp-0F], cl
:00B215D3 8A55F1 mov dl, byte ptr [ebp-0F]
:00B215D6 8855F0 mov byte ptr [ebp-10], dl
=======================================================================================
于是, 记住(00B21432,00B21471) 2个位置,准备在OllyDBG中下断.
第二步:
OllyDBG调入xxx.exe, 发现错误, 提示有2个dll文件找不到,其实它们就在同文件夹下的一个子文件夹里面.
没办法了,只能把他们复制出来,放在xxx.exe同目录下,这次检查通过了,程序顺利载入. (!!!后来发现一个问题:这几个dll在外面的时候,程序使用合法license无法正常启动,必须放回原来的位置才行.但调试却必须把他们放在外面,什么原因呢?)
先不管了, 在刚才记录下来的2个位置下断,F9运行,奇怪的是,程序直接在中间某个位置停了, 并没有执行到断点的位置.
经过检查,原来主程序入口在外围, 主要调用了msvcrt.dll, F8分步调试,发现,程序是这样运行的:
00E254FC >/$ 55 PUSH EBP
00E254FD |. 8BEC MOV EBP,ESP
00E254FF |. 6A FF PUSH -1
00E25501 |. 68 B856E300 PUSH xxx.00E356B8
00E25506 |. 68 4858E200 PUSH <JMP.&MSVCRT._except_handler3> ; SE 处理程序安装
00E2550B |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00E25511 |. 50 PUSH EAX
00E25512 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00E25519 |. 83EC 20 SUB ESP,20
00E2551C |. 53 PUSH EBX
00E2551D |. 56 PUSH ESI
00E2551E |. 57 PUSH EDI
00E2551F |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00E25522 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00E25526 |. 6A 01 PUSH 1
00E25528 |. FF15 64C6E200 CALL DWORD PTR DS:[<&MSVCRT.__set_app_type>] ; MSVCRT.__set_app_type
00E2552E |. 59 POP ECX
00E2552F |. 830D 904A5303>OR DWORD PTR DS:[3534A90],FFFFFFFF
00E25536 |. 830D 944A5303>OR DWORD PTR DS:[3534A94],FFFFFFFF
00E2553D |. FF15 60C6E200 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; MSVCRT.__p__fmode
00E25543 |. 8B0D 4CA70E02 MOV ECX,DWORD PTR DS:[20EA74C]
00E25549 |. 8908 MOV DWORD PTR DS:[EAX],ECX
00E2554B |. FF15 5CC6E200 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>] ; MSVCRT.__p__commode
00E25551 |. 8B0D 48A70E02 MOV ECX,DWORD PTR DS:[20EA748]
00E25557 |. 8908 MOV DWORD PTR DS:[EAX],ECX
00E25559 |. A1 58C6E200 MOV EAX,DWORD PTR DS:[<&MSVCRT._adjust_fdiv>]
00E2555E |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00E25560 |. A3 8C4A5303 MOV DWORD PTR DS:[3534A8C],EAX
00E25565 |. E8 DD020000 CALL xxx.00E25847
00E2556A |. 833D 602AFD00>CMP DWORD PTR DS:[FD2A60],0
00E25571 |. 75 0C JNZ SHORT xxx.00E2557F -
00E25573 |. 68 4458E200 PUSH xxx.00E25844 |
00E25578 |. FF15 54C6E200 CALL DWORD PTR DS:[<&MSVCRT.__setusermatherr>] | go to ; MSVCRT.__setusermatherr
00E2557E |. 59 POP ECX |
00E2557F |> E8 AE020000 CALL xxx.00E25832 <-
00E25584 |. 68 3C90E300 PUSH xxx.00E3903C
00E25589 |. 68 3890E300 PUSH xxx.00E39038
00E2558E |. E8 99020000 CALL <JMP.&MSVCRT._initterm>
00E25593 |. A1 44A70E02 MOV EAX,DWORD PTR DS:[20EA744]
00E25598 |. 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00E2559B |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00E2559E |. 50 PUSH EAX
00E2559F |. FF35 40A70E02 PUSH DWORD PTR DS:[20EA740]
00E255A5 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00E255A8 |. 50 PUSH EAX
00E255A9 |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00E255AC |. 50 PUSH EAX
00E255AD |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00E255B0 |. 50 PUSH EAX
00E255B1 |. FF15 4CC6E200 CALL DWORD PTR DS:[<&MSVCRT.__getmainargs>] ; MSVCRT.__getmainargs
00E255B7 |. 68 3490E300 PUSH xxx.00E39034
00E255BC |. 68 0090E300 PUSH xxx.00E39000
00E255C1 |. E8 66020000 CALL <JMP.&MSVCRT._initterm>
00E255C6 |. FF15 48C6E200 CALL DWORD PTR DS:[<&MSVCRT.__p___initenv>] ; MSVCRT.__p___initenv
00E255CC |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00E255CF |. 8908 MOV DWORD PTR DS:[EAX],ECX
00E255D1 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00E255D4 |. FF75 D4 PUSH DWORD PTR SS:[EBP-2C]
00E255D7 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
00E255DA |. E8 B1C05DFF CALL xxx.00401690 ,
这里直接跳到下面,而不是00401690,为什么?
7C90E514 > C3 RETN
下面是0040169开始的代码段
================================================================================================================
00401690 /$ 81EC 1C020000 SUB ESP,21C
00401696 |. 68 F0174000 PUSH xxx.004017F0
0040169B |. E8 D0347000 CALL xxx.00B04B70
004016A0 |. 6A 00 PUSH 0
004016A2 |. E8 499B7600 CALL xxx.00B6B1F0
004016A7 |. 83C4 08 ADD ESP,8
004016AA |. E8 E15E6E00 CALL xxx.00AE7590
004016AF |. 85C0 TEST EAX,EAX
004016B1 |. 75 15 JNZ SHORT xxx.004016C8
004016B3 |. 68 9492E300 PUSH xxx.00E39294 ; ASCII "InitOSLevel1 failed...
"
004016B8 |. E8 839A7600 CALL xxx.00B6B140
004016BD |. 83C4 04 ADD ESP,4
004016C0 |. 6A FF PUSH -1 ; /status = FFFFFFFF (-1.)
004016C2 |. FF15 90C6E200 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit
004016C8 |> E8 63B50500 CALL xxx.0045CC30
第三步:
实在没办法了, 因为意识到实际主程序的入口应该在如下的位置(代码开始位置,而且下面有license check的过程),所以想通过PEditor改变主程序入口位置后再运行看看.
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 00E254FC (xxx.exe File Offset:014514FC)
:00401000 83EC20 sub esp, 00000020
:00401003 56 push esi
* Possible StringData Ref from Data Obj ->"Main database"
|
:00401004 681092E300 push 00E39210
:00401009 6A04 push 00000004
:0040100B 6A01 push 00000001
:0040100D C744241800000000 mov [esp+18], 00000000
:00401015 E886A07600 call 00B6B0A0
:0040101A 83C40C add esp, 0000000C
:0040101D A36060FD00 mov dword ptr [00FD6060], eax
:00401022 85C0 test eax, eax
:00401024 7507 jne 0040102D
:00401026 5E pop esi
:00401027 83C420 add esp, 00000020
:0040102A C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401024(C)
|
:0040102D E81E867600 call 00B69650
:00401032 E8B95E6E00 call 00AE6EF0
:00401037 8D44240C lea eax, dword ptr [esp+0C]
:0040103B 50 push eax
:0040103C E829627600 call 00B6726A
:00401041 E8CA680400 call 00447910
:00401046 8D4C2404 lea ecx, dword ptr [esp+04]
:0040104A C744240400000000 mov [esp+04], 00000000
:00401052 51 push ecx
* Possible StringData Ref from Data Obj ->"SETUP"
|
:00401053 680892E300 push 00E39208
* Possible StringData Ref from Data Obj ->"ETHERNETDEVICE"
|
:00401058 68F891E300 push 00E391F8
:0040105D E86E837600 call 00B693D0
:00401062 83C40C add esp, 0000000C
:00401065 85C0 test eax, eax
:00401067 740D je 00401076
:00401069 8B542404 mov edx, dword ptr [esp+04]
:0040106D 52 push edx
:0040106E E82D5C7600 call 00B66CA0
:00401073 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401067(C)
|
* Possible StringData Ref from Data Obj ->"
"
|
:00401076 68F491E300 push 00E391F4
:0040107B E810A17600 call 00B6B190
* Possible StringData Ref from Data Obj ->"xxx_LICENSE_FILE"
|
:00401080 68DC91E300 push 00E391DC
* Reference To: MSVCRT.getenv, Ord:026Ah
|
:00401085 FF158CC6E200 Call dword ptr [00E2C68C]
:0040108B 50 push eax
* Possible StringData Ref from Data Obj ->"LICENSE CHECKING (xxx_LICENSE_FILE=%s)
"
|
:0040108C 68AC91E300 push 00E391AC
:00401091 E8FAA07600 call 00B6B190
:00401096 83C410 add esp, 00000010
:00401099 E8E2377000 call 00B04880
:0040109E 85C0 test eax, eax
:004010A0 89442408 mov dword ptr [esp+08], eax
:004010A4 751A jne 004010C0
================================================================
参照网上资料, 把原来入口处的2句NOP, 在程序最后的空白处补上刚才被NOP的语句, 下面再JMP 至原入口的第3句,保存.
第四步:
PEditor 设定入口位置 00401000, 保存.
OllyDBG 调入更新后的exe, 入口已经调整,但还是异常中断了, 这次死心了,知道这样不能解决问题.
写的比较罗嗦,是担心给的信息不够详细, 看完的都是好心人.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课