LanSentry的破解過程
破解:D-X-C
破解時間:2002.1.19
該軟體用加密狗保護,用VC編寫。先反彙編找線索。我前幾天還解過一個狗,發現解狗的一種較為簡便省力的方法是在狗之外做文章。大家請看下文:
:00406C68 A1BC7F5500         mov eax, dword ptr [00557FBC]   //可見這是一個關鍵地址。
:00406C6D 85C0               test eax, eax
:00406C6F 7407               je 00406C78
:00406C71 68C07F5500         push 00557FC0
:00406C76 EB05               jmp 00406C7D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C6F(C)
|
* Possible StringData Ref from Data Obj ->"[未授權使用者!試用時間:一小時]"
|
:00406C78 6828D84400 push 0044D828
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C76(U)
|
:00406C7D 8D8EDC010000       lea ecx, dword ptr [esi+000001DC]
下BPM 557FBC跟蹤,
:00409C76 E825010000         call 00409DA0
:00409C7B E890AC0000         call 00414910
:00409C80 8B0D404C4500       mov ecx, dword ptr [00454C40]   //由地址454C40送入。
* Reference To: KERNEL32.CreateThread, Ord:004Ah
|
:00409C86 8B2D54F24300       mov ebp, dword ptr [0043F254]
:00409C8C 8D542414           lea edx, dword ptr [esp+14]
:00409C90 89442410           mov dword ptr [esp+10], eax
:00409C94 52                 push edx
:00409C95 6A00               push 00000000
:00409C97 56                 push esi
:00409C98 6850514100         push 00415150
:00409C9D 6A00               push 00000000
:00409C9F 6A00               push 00000000
:00409CA1 890DBC7F5500       mov dword ptr [00557FBC], ecx   //此處置557FBC的值,向上看這個值是哪來的。
:00409CA7 FFD5               call ebp
:00409CA9 8BF8               mov edi, eax
下BPM 454C40重新跟蹤,
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409AE1(C)
|
:00409AFC E82FFBFFFF         call 00409630   //此CALL是關鍵,跟入
:00409B01 F7D8               neg eax
:00409B03 1BC0               sbb eax, eax
:00409B05 40                 inc eax
:00409B06 A3404C4500         mov dword ptr [00454C40], eax   //此處送入
:00409B0B 0F8587000000       jne 00409B98
:00409B11 E8BAB60000         call 004151D0
:00409B16 85C0               test eax, eax
:00409B18 A3404C4500         mov dword ptr [00454C40], eax
:00409B1D 7579               jne 00409B98
:00409B1F 50                 push eax
》》》
* Referenced by a CALL at Address:
|:00409AFC
|
:00409630 83EC48             sub esp, 00000048
:00409633 B90A000000         mov ecx, 0000000A
:00409638 33C0               xor eax, eax
:0040963A 66C705BA7F55000000 mov word ptr [00557FBA], 0000
:00409643 56                 push esi
:00409644 57                 push edi
:00409645 BFC07F5500         mov edi, 00557FC0
:0040964A F3                 repz
:0040964B AB                 stosd
:0040964C AA                 stosb
:0040964D B911000000         mov ecx, 00000011
:00409652 33C0               xor eax, eax
:00409654 8D7C240C           lea edi, dword ptr [esp+0C]
:00409658 F3                 repz
:00409659 AB                 stosd
:0040965A 8D442414           lea eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"LAN-SENTRY"
|
:0040965E BF14E84400         mov edi, 0044E814
:00409663 A3B47F5500         mov dword ptr [00557FB4], eax
:00409668 83C9FF             or ecx, FFFFFFFF
:0040966B 33C0               xor eax, eax
:0040966D F2                 repnz
:0040966E AE                 scasb
:0040966F F7D1               not ecx
:00409671 49                 dec ecx
:00409672 66890DB87F5500     mov word ptr [00557FB8], cx
:00409679 E86E040100         call 00419AEC
:0040967E 85C0               test eax, eax
:00409680 740B               je 0040968D   //此處不跳
:00409682 5F                 pop edi
:00409683 B801000000         mov eax, 00000001   //EAX被送入1,所以將其改為mov eax, 00000000
:00409688 5E                 pop esi
:00409689 83C448             add esp, 00000048
:0040968C C3                 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409680(C)
|
:0040968D 53
push ebx
* Possible StringData Ref from Data Obj ->"LAN-SENTRY"
|
:0040968E BE14E84400         mov esi, 0044E814
:00409693 8D442418           lea eax, dword ptr [esp+18]
》》》 》》》
事情並沒完:經過上面的修改後,啟動時的NAG沒有了,但開啟設定時軟體就沒了響應。
用BPM 454C40、BPM 557FBC跟蹤,來到下面:
:0040A53D FFD7               call edi
:0040A53F A1BC7F5500         mov eax, dword ptr [00557FBC]
:0040A544 85C0               test eax, eax
:0040A546 7428               je 0040A570   //發現此處若不跳就死住了,故將這句改成JNE 0040A570
:0040A548 BFC07F5500         mov edi, 00557FC0
:0040A54D 83C9FF             or ecx, FFFFFFFF
:0040A550 33C0               xor eax, eax
:0040A552 F2                 repnz
》》》 》》》
跟蹤時可發現,地址00557FBC還用來判斷試用的一小時是否已到,到時即退出。
相關地址:4063DA、405B00、406431。