打狗棒法:深思3軟體狗(47千字)
打狗棒法:深思3軟體狗
應用軟體:某EDA電路設計軟體FOR 98/nt/2000/xp
保護方法:深思3型軟體狗
破解工具:TRW2000 1.23,WDasm89
破解方法:帶狗殺狗
作者:crack123 [FCG]
-------------------------------------------------------------
轉載:大老於大老的解狗論壇
http://dalao2002.yeah.net
-------------------------------------------------------------
破解過程:
一、
該軟體無狗執行時提示"校驗邏輯錯誤, 未找到軟體加密鎖!",因此在TRW2000中下
BPX MESSAGEBOXA,攔截後回到主程式空間:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040C98D(C), :0040CB87(C)
|
:0040CB97 8D8C24A0000000
lea ecx, dword ptr [esp+000000A0]
:0040CB9E 899C2460060000
mov dword ptr [esp+00000660], ebx
:0040CBA5 E8D5FE1700
call 0058CA7F
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040C933(C)
|
:0040CBAA 8BCD
mov ecx, ebp
:0040CBAC E88F590000
call 00412540 **
:0040CBB1 85C0
test eax, eax
:0040CBB3 89442420
mov dword ptr [esp+20], eax
:0040CBB7 6A10
push 00000010
:0040CBB9 751C
jne 0040CBD7 **跳轉後的程式見第二部分
* Possible StringData Ref from Data Obj ->"eda"
|
:0040CBBB A12C035F00 mov
eax, dword ptr [005F032C]
* Possible StringData Ref from Data Obj ->"校驗邏輯錯誤,
未找到軟體加密鎖!"
|
:0040CBC0 8B0D28035F00
mov ecx, dword ptr [005F0328]
:0040CBC6
50
push eax
:0040CBC7 51
push ecx
:0040CBC8 6A00
push 00000000
* Reference To: USER32.MessageBoxA,
Ord:01BEh
|
:0040CBCA FF15F0165C00
Call dword ptr [005C16F0]
:0040CBD0 33C0
xor eax, eax
:0040CBD2 E96E070000 jmp 0040D345
顯然,40CBAA處的呼叫就是讀狗進行校驗,跟進去看看:
--------------
* Referenced
by a CALL at Address:
|:0040CBAC
|
:00412540 E84B96FFFF
call 0040BB90 **
:00412545
66F7D8 neg ax
:00412548 1BC0
sbb eax, eax
:0041254A 257EFAFFFF
and eax, FFFFFA7E
:0041254F 0582050000
add eax, 00000582
:00412554 C3
ret
只一個412540處的呼叫,再進:
--------------
* Referenced by a CALL at Addresses:
|:00412540
, :00412874 , :00412891
|
* Possible Reference to Dialog:
|
:0040BB90 6868326000
push 00603268
:0040BB95 66C7056C3260009300
mov word ptr [0060326C], 0093 **\
:0040BB9E 66C7056E3260000201
mov word ptr [0060326E], 0102 ** \深思3讀狗口令
:0040BBA7
66C705703260006A0E mov word ptr [00603270], 0E6A
** /
:0040BBB0 66C7056A326000FFFF mov word ptr [0060326A],
FFFF **/
:0040BBB9 E8121C1600
call 0056D7D0 ** 讀狗
:0040BBBE 66A168326000
mov ax, word ptr [00603268]
**此地址為狗標誌
:0040BBC4 C3
ret
0為有狗,非0無狗
:0040BBC5
90
nop
:0040BBC6 90
nop
:0040BBC7 90
nop
:0040BBC8 90
nop
:0040BBC9 90
nop
:0040BBCA 90
nop
:0040BBCB 90
nop
:0040BBCC 90
nop
:0040BBCD 90
nop
:0040BBCE 90
nop
:0040BBCF 90
nop
只要將[00603268]等於0,即可跳過錯誤提示。
因有多處呼叫,且程式有空地方供使用,最好在此處對【603268】和AX賦值,而不要在40CBB9處強制
跳轉,否則程式執行到後面,【603268】的值不對仍會出錯。
二、繼續執行程式,顯示軟體啟動封面後,出現非法錯誤提示,
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040CBB9(C)
|
* Reference
To: USER32.GetSystemMetrics, Ord:0146h
|
:0040CBD7 FF15F8175C00 Call dword
ptr [005C17F8]
:0040CBDD 3D00050000
cmp eax, 00000500
:0040CBE2 7E16
jle 0040CBFA
:0040CBE4 C70558F35E0028000000
mov dword ptr [005EF358], 00000028
:0040CBEE C70554F35E001E000000
mov dword ptr [005EF354], 0000001E
:0040CBF8 EB4B
jmp 0040CC45
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040CBE2(C)
|
* Possible Reference to Dialog: DialogID_00BA, CONTROL_ID:0400, ""
|
:0040CBFA 3D00040000
cmp eax, 00000400
:0040CBFF 7E16
jle 0040CC17
:0040CC01
C70558F35E0032000000 mov dword ptr [005EF358], 00000032
:0040CC0B
C70554F35E0023000000 mov dword ptr [005EF354], 00000023
:0040CC15
EB2E jmp
0040CC45
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0040CBFF(C)
|
:0040CC17 3D84030000
cmp eax, 00000384
:0040CC1C 7E16
jle 0040CC34
:0040CC1E
C70558F35E003C000000 mov dword ptr [005EF358], 0000003C
:0040CC28
C70554F35E0028000000 mov dword ptr [005EF354], 00000028
:0040CC32
EB11 jmp
0040CC45
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0040CC1C(C)
|
:0040CC34 3DBC020000
cmp eax, 000002BC
:0040CC39 7E0A
jle 0040CC45
:0040CC3B
C70558F35E0050000000 mov dword ptr [005EF358], 00000050
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CBF8(U),
:0040CC15(U), :0040CC32(U), :0040CC39(C)
|
:0040CC45 8BCD
mov ecx, ebp
:0040CC47
E876C41900 call 005A90C2
* Possible Reference to Dialog:
|
:0040CC4C 689C0C5F00 push
005F0C9C
:0040CC51 8BCD
mov ecx, ebp
:0040CC53 E8D8C11900
call 005A8E30
:0040CC58 6A04
push 00000004
:0040CC5A 8BCD
mov ecx, ebp
:0040CC5C E887B21900 call 005A7EE8
:0040CC61 8D542434
lea edx, dword ptr [esp+34]
:0040CC65 BB0B000000
mov ebx, 0000000B
:0040CC6A 52
push edx
:0040CC6B 66895C243A
mov word ptr [esp+3A], bx
:0040CC70
E8EBF1FFFF call 0040BE60
:0040CC75 8B44243E mov
eax, dword ptr [esp+3E]
:0040CC79 BF0A000000
mov edi, 0000000A
:0040CC7E 25FFFF0000
and eax, 0000FFFF
:0040CC83 66897C243A
mov word ptr [esp+3A], di
:0040CC88
8D0480 lea eax,
dword ptr [eax+4*eax]
:0040CC8B 8D0480
lea eax, dword ptr [eax+4*eax]
:0040CC8E 8D0480
lea eax, dword ptr [eax+4*eax]
:0040CC91 8D3480
lea esi, dword ptr [eax+4*eax]
:0040CC94 8D442438
lea eax, dword ptr [esp+38]
:0040CC98 50
push eax
:0040CC99 C1E604
shl esi, 04
:0040CC9C E8BFF1FFFF
call 0040BE60
:0040CCA1 8B4C2442
mov ecx, dword ptr [esp+42]
:0040CCA5 66897C243E
mov word ptr [esp+3E], di
:0040CCAA
81E1FFFF0000 and ecx, 0000FFFF
:0040CCB0
8D740E01 lea esi, dword
ptr [esi+ecx+01]
:0040CCB4 B910270000
mov ecx, 00002710
:0040CCB9 8BC6
mov eax, esi
:0040CCBB 99
cdq
:0040CCBC
F7F9 idiv
ecx
:0040CCBE 668954243C
mov word ptr [esp+3C], dx
:0040CCC3 8D54243C
lea edx, dword ptr [esp+3C]
:0040CCC7 52
push edx
:0040CCC8
E8E3F8FFFF call 0040C5B0
:0040CCCD B8AD8BDB68 mov eax,
68DB8BAD
:0040CCD2 8D4C2440
lea ecx, dword ptr [esp+40]
:0040CCD6 F7EE
imul esi
:0040CCD8 C1FA0C
sar edx, 0C
:0040CCDB
8BC2 mov
eax, edx
:0040CCDD 51
push ecx
:0040CCDE C1E81F
shr eax, 1F
:0040CCE1 03D0
add edx, eax
:0040CCE3
66895C2446 mov word ptr [esp+46],
bx
:0040CCE8 6689542444 mov
word ptr [esp+44], dx
:0040CCED E8BEF8FFFF
call 0040C5B0
:0040CCF2 83C410
add esp, 00000010
:0040CCF5 8BCD
mov ecx, ebp
:0040CCF7
E814070000 call 0040D410
**
:0040CCFC 6A00
push 00000000
:0040CCFE 6A00
push 00000000
:0040CD00
6A00 push
00000000
:0040CD02 6A03
push 00000003
:0040CD04 E849171800
call 0058E452
:0040CD09 50
push eax
:0040CD0A B99C886000
mov ecx, 0060889C
:0040CD0F E862461800
call 00591376
:0040CD14 6A5C
push 0000005C
:0040CD16 E8C44A1800 call 005917DF
:0040CD1B 83C404
add esp, 00000004
:0040CD1E 89442418
mov dword ptr [esp+18], eax
:0040CD22 85C0
test eax, eax
:0040CD24
C784246006000001000000 mov dword ptr [esp+00000660], 00000001
:0040CD2F
740D je 0040CD3E
:0040CD31 6A00
push 00000000
:0040CD33 8BC8
mov ecx, eax
:0040CD35 E826471100
call 00521460
:0040CD3A 8BF0
mov esi, eax
:0040CD3C
EB02 jmp
0040CD40
經跟蹤40CCF7處CALL 40D410內一段程式有看頭:
* Referenced
by a CALL at Address:
|:0040CCF7
|
* Possible Reference
to Menu: MenuID_00FF
|
:0040D410 6AFF
push FFFFFFFF
:0040D412 68D8145B00 push 005B14D8
:0040D417 64A100000000 mov eax,
dword ptr fs:[00000000]
:0040D41D 50
push eax
:0040D41E 64892500000000
mov dword ptr fs:[00000000], esp
:0040D425 83EC64
sub esp, 00000064
:0040D428 A1D0096000 mov eax,
dword ptr [006009D0]
:0040D42D 53
push ebx
:0040D42E 55
push ebp
:0040D42F
57
push edi
:0040D430 8BE9
mov ebp, ecx
:0040D432 8944240C
mov dword ptr [esp+0C], eax
:0040D436 8D4C2428
lea ecx, dword ptr [esp+28]
:0040D43A 33DB
xor ebx, ebx
:0040D43C 51
push ecx
:0040D43D 895C247C
mov dword ptr [esp+7C], ebx
:0040D441
66C744242E0C00 mov [esp+2E], 000C
:0040D448
E813EAFFFF call 0040BE60
**讀狗
:0040D44D 668B442432
mov ax, word ptr [esp+32]
:0040D452 83C404
add esp, 00000004
:0040D455 663DD007 cmp
ax, 07D0
:0040D459 7206
jb 0040D461 ** 不能跳,否則後面程式出錯
:0040D45B 663DD507
cmp ax, 07D5
:0040D45F 760E
jbe 0040D46F **一定要跳(即 40BE60 讀回的 AX 必須落在 07D0h~07D5h 之間,前面的 jb 與這裡的 jbe 合起來就是一個範圍檢查)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D459(C)
|
* Possible Reference to Dialog: DialogID_0064
|
:0040D461 B964000000
mov ecx, 00000064 **跳到此處將記憶體中資料區清0,肯定要出錯!
:0040D466 33C0
xor eax, eax
* Possible StringData Ref from Data Obj ->""
|
:0040D468 BF38F35E00 mov
edi, 005EF338
:0040D46D F3
repz
:0040D46E AB
stosd
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040D45F(C)
|
:0040D46F 56
push esi
***到這兒就對了!!!
:0040D470 B914000000
mov ecx, 00000014
* Possible StringData
Ref from Data Obj ->"PP"
|
:0040D475
BE40F65E00 mov esi, 005EF640
:0040D47A BFE8836000 mov edi,
006083E8
:0040D47F F3
repz
:0040D480 A5
movsd
:0040D481 8B0D2C846000
mov ecx, dword ptr [0060842C]
:0040D487
8B1534846000 mov edx, dword ptr [00608434]
:0040D48D A130846000 mov
eax, dword ptr [00608430]
:0040D492 890D18F45E00
mov dword ptr [005EF418], ecx
:0040D498 B914000000
mov ecx, 00000014
三、
經過上一步驟,再次執行程式,又出現提示"校驗邏輯錯誤,
未找到軟體加密鎖!",還得繼續看:
* Reference To: KERNEL32.GlobalAddAtomA, Ord:017Fh
|
:0040CF9E FF15F8125C00
Call dword ptr [005C12F8]
:0040CFA4 53
push ebx
:0040CFA5 668985C0000000 mov word ptr [ebp+000000C0],
ax
:0040CFAC E8DFB41600 call
00578490
:0040CFB1 50
push eax
:0040CFB2 E8AAB41600
call 00578461
:0040CFB7 E8B2B41600
call 0057846E
:0040CFBC A338035F00
mov dword ptr [005F0338], eax
:0040CFC1
B90A000000 mov ecx, 0000000A
:0040CFC6 99
cdq
:0040CFC7 F7F9
idiv ecx
:0040CFC9 891534035F00
mov dword ptr [005F0334], edx
:0040CFCF E89AB41600
call 0057846E ***生成隨機數1
:0040CFD4 99
cdq
* Possible Reference to Dialog: DialogID_00C8
|
:0040CFD5 B9C8000000
mov ecx, 000000C8
:0040CFDA F7F9
idiv ecx
:0040CFDC 8915A4716000
mov dword ptr [006071A4], edx
**此處將隨機數1儲存
:0040CFE2 E887B41600
call 0057846E **生成隨機數2
:0040CFE7 99
cdq
*
Possible Reference to Dialog: DialogID_00C8
|
:0040CFE8 B9C8000000 mov
ecx, 000000C8
:0040CFED F7F9
idiv ecx
:0040CFEF 66A138035F00
mov ax, word ptr [005F0338]
:0040CFF5 8D4C243C
lea ecx, dword ptr [esp+3C]
:0040CFF9 51
push ecx
:0040CFFA 6689442440
mov word ptr [esp+40], ax
:0040CFFF 8915A0716000
mov dword ptr [006071A0], edx **隨機數2儲存
:0040D005 668B1534035F00 mov dx, word ptr [005F0334]
:0040D00C 6689542442 mov
word ptr [esp+42], dx
:0040D011 E89AF5FFFF
call 0040C5B0
:0040D016 83C40C
add esp, 0000000C
:0040D019 8BCD
mov ecx, ebp
:0040D01B
E840550000 call 00412560
***此處仍是讀狗校驗,比上一個重要
:0040D020 3D82050000
cmp eax, 00000582 ,看後面的分析吧!
:0040D025 745B
je 0040D082 **此處跳轉
* Possible StringData
Ref from Data Obj ->"eda"
|
:0040D027
8B152C035F00 mov edx, dword ptr [005F032C]
* Possible StringData Ref from Data Obj ->"校驗邏輯錯誤, 未找到軟體加密鎖!"
|
:0040D02D A128035F00
mov eax, dword ptr [005F0328]
:0040D032 6A10
push 00000010
:0040D034
52
push edx
:0040D035 50
push eax
:0040D036 53
push ebx
* Reference To: USER32.MessageBoxA,
Ord:01BEh
|
:0040D037 FF15F0165C00
Call dword ptr [005C16F0]
:0040D03D 8D4C241C
lea ecx, dword ptr [esp+1C]
:0040D041 C684246006000006 mov byte ptr [esp+00000660],
06
:0040D049 E89F411800 call
005911ED
:0040D04E 8D4C247C
lea ecx, dword ptr [esp+7C]
:0040D052 C684246006000002
mov byte ptr [esp+00000660], 02
:0040D05A E8B3AF1900
call 005A8012
:0040D05F C7442410F4025D00
mov [esp+10], 005D02F4
:0040D067 8D4C2410
lea ecx, dword ptr [esp+10]
:0040D06B
C784246006000009000000 mov dword ptr [esp+00000660], 00000009
:0040D076
E8B9831800 call 00595434
:0040D07B 33C0
xor eax, eax
:0040D07D E9C3020000
jmp 0040D345
接下來看看40D01B CALL 412560裡有什麼?
* Referenced by a CALL at Address:
|:0040D01B
|
:00412560 81EC98000000 sub esp, 00000098
:00412566 66A134035F00 mov ax, word
ptr [005F0334]
:0041256C 56
push esi
:0041256D 8D4C2404
lea ecx, dword ptr [esp+04]
:00412571
57
push edi
:00412572 51
push ecx
:00412573 668944240E
mov word ptr [esp+0E], ax
:00412578 E8E398FFFF
call 0040BE60
**讀狗
:0041257D 8B542412
mov edx, dword ptr [esp+12]
:00412581 A138035F00
mov eax, dword ptr [005F0338]
:00412586 81E2FFFF0000
and edx, 0000FFFF
:0041258C 83C404
add esp, 00000004
:0041258F 3BD0
cmp edx, eax
:00412591 740C
je 0041259F ***一定要跳,後面是讀狗資料,還要運算
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004125F4(C), :00412656(C), :004126C7(C), :00412718(C), :0041278B(C)
|:004127DC(C),
:00412849(C)
|
:00412593 5F
pop edi
:00412594 83C8FF
or eax, FFFFFFFF
:00412597
5E
pop esi
:00412598 81C498000000 add
esp, 00000098
:0041259E C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412591(C)
|
:0041259F BE10000000
mov esi, 00000010
**一定要跳到這兒,否則死定了!
:004125A4 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004125CD(C)
|
:004125A8 8D442408
lea eax, dword ptr [esp+08]
:004125AC 668974240A
mov word ptr [esp+0A], si
:004125B1 50
push eax
:004125B2
E8A998FFFF call 0040BE60
**讀狗
:004125B7 8B4C2412
mov ecx, dword ptr [esp+12]
:004125BB 83C404
add esp, 00000004
:004125BE
81E1FFFF0000 and ecx, 0000FFFF
:004125C4
46
inc esi
:004125C5 890F
mov dword ptr [edi], ecx
:004125C7 83C704
add edi, 00000004
:004125CA 83FE17
cmp esi, 00000017
:004125CD 7CD9
jl 004125A8
:004125CF 8B442458
mov eax, dword ptr [esp+58] **[ESP+58]=14
:004125D3 8B542454
mov edx, dword ptr [esp+54]
**[ESP+54]=0A
:004125D7 A350F35E00
mov dword ptr [005EF350], eax
:004125DC 89154CF35E00
mov dword ptr [005EF34C], edx
:004125E2
33C0 xor
eax, eax
:004125E4 8D4C2450
lea ecx, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004125FD(C)
|
:004125E8 8B31
mov esi, dword
ptr [ecx]
:004125EA 33D2
xor edx, edx
:004125EC 8A9060035F00
mov dl, byte ptr [eax+005F0360] **與碼錶第1組數比對
:004125F2 3BD6
cmp edx, esi
**CMP EDX,ESI:EDX 為碼錶中的位元組,ESI 為狗讀回的值,逐一比對;以下各組同此
:004125F4 759D
jne 00412593 **後面所有這樣的跳轉可千萬不能跳,否則還得死!!
:004125F6 40
inc eax
:004125F7 83C104
add ecx, 00000004
:004125FA 83F807
cmp eax, 00000007
:004125FD
7CE9 jl 004125E8
:004125FF BE17000000 mov
esi, 00000017
:00412604 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0041262D(C)
|
:00412608 8D442408
lea eax, dword ptr [esp+08]
:0041260C 668974240A mov word
ptr [esp+0A], si
:00412611 50
push eax
:00412612 E84998FFFF
call 0040BE60
:00412617 8B4C2412
mov ecx, dword ptr [esp+12]
:0041261B
83C404 add esp,
00000004
:0041261E 81E1FFFF0000
and ecx, 0000FFFF
:00412624 46
inc esi
:00412625 890F
mov dword ptr [edi], ecx
:00412627
83C704 add edi,
00000004
:0041262A 83FE1D
cmp esi, 0000001D
:0041262D 7CD9
jl 00412608
:0041262F 8B442460
mov eax, dword ptr [esp+60]
**[ESP+60]=53
:00412633 8B4C245C
mov ecx, dword ptr [esp+5C] **[ESP+5C]=50
:00412637 2BC1
sub eax, ecx
:00412639 8D4C2450
lea ecx, dword ptr [esp+50]
:0041263D 8D1480
lea edx, dword ptr [eax+4*eax]
:00412640 D1E2
shl edx, 1
:00412642 8915A8886000
mov dword ptr [006088A8], edx
:00412648 33C0
xor eax, eax
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412663(C)
|
:0041264A 8B31
mov esi, dword
ptr [ecx]
:0041264C 33D2
xor edx, edx
:0041264E 8A9068035F00
mov dl, byte ptr [eax+005F0368] **與碼錶第2組數比對
:00412654 3BD6
cmp edx, esi
:00412656 0F8537FFFFFF
jne 00412593
:0041265C 40
inc eax
:0041265D 83C104
add ecx, 00000004
:00412660
83F806 cmp eax,
00000006
:00412663 7CE5
jl 0041264A
:00412665 BE1D000000
mov esi, 0000001D
:0041266A 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00412693(C)
|
:0041266E 8D442408
lea eax, dword ptr [esp+08]
:00412672 668974240A
mov word ptr [esp+0A], si
:00412677 50
push eax
:00412678
E8E397FFFF call 0040BE60
:0041267D 8B4C2412 mov
ecx, dword ptr [esp+12]
:00412681 83C404
add esp, 00000004
:00412684 81E1FFFF0000
and ecx, 0000FFFF
:0041268A 46
inc esi
:0041268B
890F mov
dword ptr [edi], ecx
:0041268D 83C704
add edi, 00000004
:00412690 83FE23
cmp esi, 00000023
:00412693 7CD9
jl 0041266E
:00412695 A1A8886000 mov eax,
dword ptr [006088A8]
:0041269A 8B542454
mov edx, dword ptr [esp+54] **[ESP+54]=08
:0041269E 8B4C245C
mov ecx, dword ptr [esp+5C] **[ESP+5C]=0B
:004126A2 2BC2
sub eax, edx
:004126A4 03C1
add eax, ecx
:004126A6 8D4C2450
lea ecx, dword ptr [esp+50]
:004126AA 8D0480
lea eax, dword ptr [eax+4*eax]
:004126AD 8D1480
lea edx, dword ptr [eax+4*eax]
:004126B0 C1E202
shl edx, 02
:004126B3 8915A8886000
mov dword ptr [006088A8], edx
:004126B9
33C0 xor
eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004126D4(C)
|
:004126BB 8B31
mov esi, dword ptr [ecx]
:004126BD
33D2 xor
edx, edx
:004126BF 8A9070035F00
mov dl, byte ptr [eax+005F0370] **與碼錶第3組數比對
:004126C5 3BD6
cmp edx, esi
:004126C7
0F85C6FEFFFF jne 00412593
:004126CD
40
inc eax
:004126CE 83C104
add ecx, 00000004
:004126D1 83F806
cmp eax, 00000006
:004126D4 7CE5
jl 004126BB
:004126D6 BE23000000 mov esi,
00000023
:004126DB 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412704(C)
|
:004126DF 8D442408
lea eax, dword ptr [esp+08]
:004126E3 668974240A mov word
ptr [esp+0A], si
:004126E8 50
push eax
:004126E9 E87297FFFF
call 0040BE60
:004126EE 8B4C2412
mov ecx, dword ptr [esp+12]
:004126F2
83C404 add esp,
00000004
:004126F5 81E1FFFF0000
and ecx, 0000FFFF
:004126FB 46
inc esi
:004126FC 890F
mov dword ptr [edi], ecx
:004126FE
83C704 add edi,
00000004
:00412701 83FE29
cmp esi, 00000029
:00412704 7CD9
jl 004126DF
:00412706 33C0
xor eax, eax
:00412708 8D4C2450 lea
ecx, dword ptr [esp+50]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00412725(C)
|
:0041270C 8B31
mov esi, dword ptr [ecx]
:0041270E 33D2
xor edx, edx
:00412710 8A9078035F00
mov dl, byte ptr [eax+005F0378] **與碼錶第4組數比對
:00412716 3BD6
cmp edx, esi
:00412718
0F8575FEFFFF jne 00412593
:0041271E
40
inc eax
:0041271F 83C104
add ecx, 00000004
:00412722 83F806
cmp eax, 00000006
:00412725 7CE5
jl 0041270C
:00412727 BE29000000 mov esi,
00000029
:0041272C 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412755(C)
|
:00412730 8D442408
lea eax, dword ptr [esp+08]
:00412734 668974240A mov word
ptr [esp+0A], si
:00412739 50
push eax
:0041273A E82197FFFF
call 0040BE60
:0041273F 8B4C2412
mov ecx, dword ptr [esp+12]
:00412743
83C404 add esp,
00000004
:00412746 81E1FFFF0000
and ecx, 0000FFFF
:0041274C 46
inc esi
:0041274D 890F
mov dword ptr [edi], ecx
:0041274F
83C704 add edi,
00000004
:00412752 83FE30
cmp esi, 00000030
:00412755 7CD9
jl 00412730
:00412757 A1A8886000
mov eax, dword ptr [006088A8]
:0041275C
8B742464 mov esi, dword
ptr [esp+64] **[ESP+64]=30
:00412760 8B542468
mov edx, dword ptr [esp+68] **[ESP+68]=3A
:00412764 8B4C2458
mov ecx, dword ptr [esp+58] **[ESP+58]=14
:00412768 2BC6
sub eax, esi
:0041276A 03C2
add eax, edx
:0041276C 03C1
add eax, ecx
:0041276E 8D4C2450
lea ecx, dword ptr [esp+50]
:00412772
8D1480 lea edx,
dword ptr [eax+4*eax]
:00412775 D1E2
shl edx, 1
:00412777 8915A8886000
mov dword ptr [006088A8], edx
:0041277D 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412798(C)
|
:0041277F 8B31
mov esi, dword ptr [ecx]
:00412781 33D2
xor edx, edx
:00412783 8A9080035F00 mov dl, byte ptr
[eax+005F0380] **與碼錶第5組數比對
:00412789 3BD6
cmp edx, esi
:0041278B 0F8502FEFFFF
jne 00412593
:00412791 40
inc eax
:00412792
83C104 add ecx,
00000004
:00412795 83F807
cmp eax, 00000007
:00412798 7CE5
jl 0041277F
:0041279A BE30000000
mov esi, 00000030
:0041279F 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127C8(C)
|
:004127A3 8D442408
lea eax, dword ptr [esp+08]
:004127A7 668974240A
mov word ptr [esp+0A], si
:004127AC
50
push eax
:004127AD E8AE96FFFF
call 0040BE60
:004127B2 8B4C2412
mov ecx, dword ptr [esp+12]
:004127B6 83C404
add esp, 00000004
:004127B9 81E1FFFF0000
and ecx, 0000FFFF
:004127BF 46
inc esi
:004127C0
890F mov
dword ptr [edi], ecx
:004127C2 83C704
add edi, 00000004
:004127C5 83FE36
cmp esi, 00000036
:004127C8 7CD9
jl 004127A3
:004127CA 33C0
xor eax, eax
:004127CC 8D4C2450
lea ecx, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004127E9(C)
|
:004127D0 8B31
mov esi, dword
ptr [ecx]
:004127D2 33D2
xor edx, edx
:004127D4 8A9088035F00
mov dl, byte ptr [eax+005F0388] **與碼錶第6組數比對
:004127DA
3BD6 cmp
edx, esi
:004127DC 0F85B1FDFFFF
jne 00412593
:004127E2 40
inc eax
:004127E3 83C104
add ecx, 00000004
:004127E6 83F806
cmp eax, 00000006
:004127E9 7CE5
jl 004127D0
:004127EB BE36000000
mov esi, 00000036
:004127F0 8D7C2450
lea edi, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412819(C)
|
:004127F4 8D442408
lea eax, dword ptr [esp+08]
:004127F8 668974240A mov word
ptr [esp+0A], si
:004127FD 50
push eax
:004127FE E85D96FFFF
call 0040BE60
:00412803 8B4C2412
mov ecx, dword ptr [esp+12]
:00412807
83C404 add esp,
00000004
:0041280A 81E1FFFF0000
and ecx, 0000FFFF
:00412810 46
inc esi
:00412811 890F
mov dword ptr [edi], ecx
:00412813
83C704 add edi,
00000004
:00412816 83FE3C
cmp esi, 0000003C
:00412819 7CD9
jl 004127F4
:0041281B 8B542460
mov edx, dword ptr [esp+60]
**[ESP+60]=15
:0041281F 8B442450
mov eax, dword ptr [esp+50] **[ESP+50]=1A
:00412823 03C2
add eax, edx
:00412825 8D0480
lea eax, dword ptr [eax+4*eax]
:00412828 8D0480
lea eax, dword ptr [eax+4*eax]
:0041282B 8D0C80
lea ecx, dword ptr [eax+4*eax]
:0041282E C1E103
shl ecx, 03
:00412831 890DA4886000
mov dword ptr [006088A4], ecx
:00412837
33C0 xor
eax, eax
:00412839 8D4C2450
lea ecx, dword ptr [esp+50]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412856(C)
|
:0041283D 8B31
mov esi, dword
ptr [ecx]
:0041283F 33D2
xor edx, edx
:00412841 8A9098035F00
mov dl, byte ptr [eax+005F0398] **與碼錶第8組數比對
:00412847
3BD6 cmp
edx, esi
:00412849 0F8544FDFFFF
jne 00412593
:0041284F 40
inc eax
:00412850 83C104
add ecx, 00000004
:00412853 83F806
cmp eax, 00000006
:00412856 7CE5
jl 0041283D
:00412858 5F
pop edi
:00412859 B882050000
mov eax, 00000582
:0041285E 5E
pop esi
:0041285F
81C498000000 add esp, 00000098
:00412865
C3
ret
以上這段程式碼分七個迴圈反覆呼叫 40BE60 讀狗,並將讀回來的資料進行運算,儲存到[6088A8]、[6088A4]等指定地址中備用。同時讀回來的資料還與記憶體中[005F0360]開始的碼錶逐位元組做明碼比較(注意:上面列出的程式只比對了第1~6組和第8組,第7組[5F0390]在這段程式中未見比對,可能在別處使用)。由此可知,此軟體在[5F0360]存放著碼錶,共8組分別有6或7個位元組。從保護設計的角度看,這正是此方案的弱點:狗讀回的值只是和程式內建的固定碼錶做明碼比對,而比對結果又只用單一返回值(582h)表示,校驗邏輯可以完全與狗脫鉤;較穩固的做法是用狗的回應去解密程式碼或資料,而不只是做比較。碼錶內容如下:
1. 00 0A 14 1B 27 32 3C
2. 46 45 4C 50 53 5A
3. 0F 08 0D 0B 11 07
4. 1A 1A 19 1B 13 14
5. 00 0A 14 1B 25 30 3A
6. 46 45 4C 41 53 5A
7. 14 08 07 13 16 07
8. 1A 1A 16 18 15 14
四、從40D025處跳轉繼續執行,軟體自動退出,怎麼回事,只好繼續往下看:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D025(C)
|
:0040D082 8B16
mov edx, dword ptr [esi]
:0040D084 8BCE
mov ecx, esi
:0040D086 FF5258
call [edx+58]
:0040D089
8B442420 mov eax, dword
ptr [esp+20]
:0040D08D 8BCD
mov ecx, ebp
:0040D08F 50
push eax
:0040D090 E81B580000
call 004128B0
:0040D095 8BCD
mov ecx, ebp
:0040D097 E874440000 call 00411510
**此處讀狗
:0040D09C 83F8FF
cmp eax, FFFFFFFF
:0040D09F 7545
jne 0040D0E6
**此處跳轉到40D0E6,進入程式主介面,OK!
:0040D0A1 8D4C241C
lea ecx, dword ptr [esp+1C]
:0040D0A5
C684246006000006 mov byte ptr [esp+00000660], 06
:0040D0AD E83B411800 call 005911ED
:0040D0B2 8D4C247C
lea ecx, dword ptr [esp+7C]
:0040D0B6 C684246006000002
mov byte ptr [esp+00000660], 02
:0040D0BE E84FAF1900
call 005A8012
:0040D0C3 C7442410F4025D00
mov [esp+10], 005D02F4
:0040D0CB 8D4C2410
lea ecx, dword ptr [esp+10]
:0040D0CF
C78424600600000A000000 mov dword ptr [esp+00000660], 0000000A
:0040D0DA
E855831800 call 00595434
:0040D0DF 33C0
xor eax, eax
:0040D0E1 E95F020000
jmp 0040D345
進411510看看吧:
* Referenced by a CALL at Address:
|:0040D097
|
:00411510 83EC70
sub esp, 00000070
:00411513 66A134035F00
mov ax, word ptr [005F0334]
:00411519
56
push esi
:0041151A 8BF1
mov esi, ecx
:0041151C 668944242E
mov word ptr [esp+2E], ax
:00411521 8D4C242C
lea ecx, dword ptr [esp+2C]
:00411525
51
push ecx
:00411526 E835A9FFFF
call 0040BE60
:0041152B 8B542436
mov edx, dword ptr [esp+36]
:0041152F A138035F00
mov eax, dword ptr [005F0338]
:00411534
81E2FFFF0000 and edx, 0000FFFF
:0041153A
83C404 add esp,
00000004
:0041153D 3BD0
cmp edx, eax
:0041153F 7408
je 00411549
**此處一定要跳
:00411541 83C8FF
or eax, FFFFFFFF
:00411544 5E
pop esi
:00411545 83C470
add esp, 00000070
:00411548 C3
ret
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0041153F(C)
|
:00411549 8BCE
mov ecx, esi
:0041154B E8B0070000
call 00411D00 **進去看看!
:00411550 83F8FF
cmp eax, FFFFFFFF
:00411553 7507
jne 0041155C **此處一定要跳
:00411555 0BC0
or eax, eax
:00411557 5E
pop esi
:00411558 83C470
add esp, 00000070
:0041155B
C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00411553(C)
|
:0041155C 8BCE
mov ecx, esi
:0041155E E8AD0C0000
call 00412210 **進去看看!
:00411563 83F8FF
cmp eax, FFFFFFFF
:00411566 7507
jne 0041156F
:00411568 0BC0
or eax, eax
:0041156A 5E
pop esi
:0041156B 83C470
add esp, 00000070
:0041156E C3
ret
*****
* Referenced
by a CALL at Address:
|:0041154B
|
:00411D00 81ECF8020000
sub esp, 000002F8
:00411D06 53
push ebx
:00411D07
55
push ebp
:00411D08 56
push esi
:00411D09 57
push edi
:00411D0A 6A04
push 00000004
:00411D0C
6800100000 push 00001000
:00411D11 33FF
xor edi, edi
:00411D13 6860E31600
push 0016E360
:00411D18 57
push edi
* Reference To: KERNEL32.VirtualAlloc,
Ord:02BBh
|
:00411D19 FF15E4125C00
Call dword ptr [005C12E4]
:00411D1F 3BC7
cmp eax, edi
:00411D21 A3DC836000 mov dword
ptr [006083DC], eax
:00411D26 7521
jne 00411D49
* Possible StringData Ref from
Data Obj ->"致命錯誤,記憶體不足!"
|
:00411D28
A10C035F00 mov eax, dword ptr
[005F030C]
:00411D2D 57
push edi
:00411D2E 6894316000
push 00603194
:00411D33 50
push eax
:00411D34 57
push edi
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00411D35 FF15F0165C00
Call dword ptr [005C16F0]
:00411D3B 5F
pop edi
:00411D3C 5E
pop esi
:00411D3D 5D
pop ebp
:00411D3E 83C8FF
or eax, FFFFFFFF
:00411D41 5B
pop ebx
:00411D42
81C4F8020000 add esp, 000002F8
:00411D48
C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00411D26(C)
|
:00411D49 68E8886000
push 006088E8
:00411D4E 8D8C24F0000000
lea ecx, dword ptr [esp+000000F0]
* Possible
StringData Ref from Data Obj ->"%s\lib\*.lib"
|
:00411D55 6840185F00
push 005F1840
:00411D5A 51
push ecx
:00411D5B 893DE4836000
mov dword ptr [006083E4], edi
:00411D61 893DE0836000
mov dword ptr [006083E0], edi
:00411D67
E8BF601600 call 00577E2B
:00411D6C 8D9424FC010000 lea edx, dword ptr
[esp+000001FC]
:00411D73 8D8424F8000000
lea eax, dword ptr [esp+000000F8]
:00411D7A 52
push edx
:00411D7B 50
push eax
:00411D7C E8B15E1600 call
00577C32
:00411D81 8BD8
mov ebx, eax
:00411D83 83C414
add esp, 00000014
:00411D86 83FBFF
cmp ebx, FFFFFFFF
:00411D89
0F8492010000 je 00411F21
:00411D8F
8D8C2404020000 lea ecx, dword ptr [esp+00000204]
:00411D96 51
push ecx
:00411D97 B9D17E6000
mov ecx, 00607ED1
:00411D9C E8D5F51700
call 00591376
:00411DA1 BD01000000
mov ebp, 00000001
:00411DA6 BEDE7E6000
mov esi, 00607EDE
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00411DD9(C)
|
:00411DAB 8D9424F0010000 lea edx, dword
ptr [esp+000001F0]
:00411DB2 52
push edx
:00411DB3 53
push ebx
:00411DB4
E8465F1600 call 00577CFF
:00411DB9 83C408
add esp, 00000008
:00411DBC 85C0
test eax, eax
:00411DBE 751B
jne 00411DDB
:00411DC0 8D842404020000
lea eax, dword ptr [esp+00000204]
:00411DC7 8BCE
mov ecx, esi
:00411DC9 50
push eax
:00411DCA E8A7F51700
call 00591376
:00411DCF 83C60D
add esi, 0000000D
:00411DD2 45
inc ebp
:00411DD3 81FEE5836000
cmp esi, 006083E5
:00411DD9 7CD0
jl 00411DAB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411DBE(C)
|
:00411DDB 8B0DDC836000
mov ecx, dword ptr [006083DC]
:00411DE1 3BEF
cmp ebp, edi
:00411DE3 892DE4836000
mov dword ptr [006083E4], ebp
:00411DE9
894C2410 mov dword ptr
[esp+10], ecx
:00411DED 897C241C
mov dword ptr [esp+1C], edi
:00411DF1 0F8E2A010000
jle 00411F21
:00411DF7 BDCE7E6000
mov ebp, 00607ECE
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00411F1B(C)
|
:00411DFC 8B5503
mov edx, dword ptr [ebp+03]
:00411DFF 8D8424EC000000
lea eax, dword ptr [esp+000000EC]
:00411E06 52
push edx
:00411E07
68E8886000 push 006088E8
* Possible Reference to Dialog:
|
:00411E0C 6834185F00 push
005F1834
:00411E11 50
push eax
:00411E12 E814601600
call 00577E2B
:00411E17 8D8C24FC000000
lea ecx, dword ptr [esp+000000FC]
* Possible Reference
to Dialog:
|
:00411E1E
6830185F00 push 005F1830
:00411E23 51
push ecx
:00411E24 E825661600
call 0057844E
:00411E29 8BD8
mov ebx, eax
:00411E2B 83C418
add esp, 00000018
:00411E2E 3BDF
cmp ebx, edi
:00411E30 0F8446010000 je 00411F7C
:00411E36 53
push ebx
:00411E37 6A10
push 00000010
:00411E39 8D9424B4000000
lea edx, dword ptr [esp+000000B4]
:00411E40 6A02
push 00000002
:00411E42 52
push edx
:00411E43 E861691600
call 005787A9
:00411E48 8B8424BC000000
mov eax, dword ptr [esp+000000BC]
:00411E4F 8B0DE0836000
mov ecx, dword ptr [006083E0]
:00411E55 66894500
mov word ptr [ebp+00], ax
:00411E59 83C410
add esp, 00000010
:00411E5C 0FBFC0
movsx eax, ax
:00411E5F 03C8
add ecx, eax
:00411E61 897C2414
mov dword ptr [esp+14], edi
:00411E65 890DE0836000 mov dword ptr
[006083E0], ecx
:00411E6B 8B4C2410
mov ecx, dword ptr [esp+10]
:00411E6F 894DFA
mov dword ptr [ebp-06], ecx
:00411E72
66397D00 cmp word ptr [ebp+00],
di
:00411E76 897C2418
mov dword ptr [esp+18], edi
:00411E7A 897C2420
mov dword ptr [esp+20], edi
:00411E7E 7E6E
jle 00411EEE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411EEA(C)
|
:00411E80 53
push ebx
:00411E81 6A01
push 00000001
:00411E83
8D54244C lea edx, dword
ptr [esp+4C]
:00411E87 6A20
push 00000020
:00411E89 52
push edx
:00411E8A E81A691600
call 005787A9
:00411E8F 8D7C2454
lea edi, dword ptr [esp+54]
:00411E93 83C9FF
or ecx, FFFFFFFF
:00411E96 33C0
xor eax, eax
:00411E98 83C410
add esp, 00000010
:00411E9B F2
repnz
:00411E9C AE
scasb
:00411E9D F7D1
not ecx
:00411E9F 49
dec ecx
:00411EA0 8BC1
mov eax, ecx
:00411EA2
8B4C2418 mov ecx, dword
ptr [esp+18]
:00411EA6 40
inc eax
:00411EA7 3BC1
cmp eax, ecx
:00411EA9 7E04
jle 00411EAF
:00411EAB 89442418 mov
dword ptr [esp+18], eax
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00411EA9(C)
|
:00411EAF 8B742414
mov esi, dword ptr [esp+14]
:00411EB3
8B7C2410 mov edi, dword
ptr [esp+10]
:00411EB7 8BC8
mov ecx, eax
:00411EB9 03F0
add esi, eax
:00411EBB 8BD1
mov edx, ecx
:00411EBD 89742414 mov
dword ptr [esp+14], esi
:00411EC1 8D742444
lea esi, dword ptr [esp+44]
:00411EC5 C1E902
shr ecx, 02
:00411EC8 F3
repz
:00411EC9 A5
movsd
:00411ECA 8BCA
mov ecx, edx
:00411ECC 83E103
and ecx, 00000003
:00411ECF F3
repz
:00411ED0
A4
movsb
:00411ED1 8B7C2410
mov edi, dword ptr [esp+10]
:00411ED5 0FBF4D00
movsx ecx, word ptr [ebp+00]
:00411ED9
03F8 add
edi, eax
:00411EDB 8B442420
mov eax, dword ptr [esp+20]
:00411EDF 40
inc eax
:00411EE0 897C2410
mov dword ptr [esp+10], edi
:00411EE4 3BC1
cmp eax, ecx
:00411EE6 89442420
mov dword ptr [esp+20], eax
:00411EEA 7C94
jl 00411E80
:00411EEC 33FF
xor edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411E7E(C)
|
:00411EEE 8A542418
mov dl, byte ptr [esp+18]
:00411EF2 668B442414
mov ax, word ptr [esp+14]
:00411EF7
885502 mov byte
ptr [ebp+02], dl
:00411EFA 53
push ebx
:00411EFB 668945FE
mov word ptr [ebp-02], ax
:00411EFF E83A641600
call 0057833E
:00411F04 8B442420
mov eax, dword ptr [esp+20]
:00411F08 8B0DE4836000 mov ecx, dword
ptr [006083E4]
:00411F0E 83C404
add esp, 00000004
:00411F11 40
inc eax
:00411F12 83C50D
add ebp, 0000000D
:00411F15 3BC1
cmp eax, ecx
:00411F17 8944241C
mov dword ptr [esp+1C], eax
:00411F1B 0F8CDBFEFFFF
jl 00411DFC
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00411D89(C), :00411DF1(C)
|
:00411F21 668B0DA4716000 mov cx, word ptr [006071A4]
:00411F28 668B15A0716000 mov dx, word ptr
[006071A0]
:00411F2F 8D442464
lea eax, dword ptr [esp+64]
:00411F33 66894C246A
mov word ptr [esp+6A], cx
:00411F38 50
push eax
:00411F39 668954246A mov
word ptr [esp+6A], dx
:00411F3E E8FDA3FFFF
call 0040C340
**隨機數1,2變換運算
:00411F43 8B4C246A
mov ecx, dword ptr [esp+6A]
:00411F47 8B44246E
mov eax, dword ptr [esp+6E]
:00411F4B 81E1FFFF0000 and ecx, 0000FFFF
:00411F51 25FFFF0000 and
eax, 0000FFFF
:00411F56 890D98716000
mov dword ptr [00607198], ecx
:00411F5C 8B0DA4716000
mov ecx, dword ptr [006071A4]
:00411F62 83C404
add esp, 00000004
:00411F65 3BC1
cmp eax, ecx
:00411F67 A39C716000
mov dword ptr [0060719C], eax
:00411F6C 752E
jne 00411F9C ***比較運算結果是否正確,此處要跳!
:00411F6E 5F
pop edi
:00411F6F 5E
pop esi
:00411F70 5D
pop ebp
:00411F71
83C8FF or eax, FFFFFFFF
:00411F74 5B
pop ebx
:00411F75 81C4F8020000
add esp, 000002F8
:00411F7B C3
ret
****
* Referenced by
a CALL at Address:
|:0041155E
|
:00412210 81EC14030000
sub esp, 00000314
:00412216 53
push ebx
:00412217
55
push ebp
:00412218 56
push esi
:00412219 57
push edi
:0041221A 6A04
push 00000004
:0041221C
6800100000 push 00001000
:00412221 68C0450400 push 000445C0
:00412226 6A00
push 00000000
* Reference To: KERNEL32.VirtualAlloc, Ord:02BBh
|
:00412228 FF15E4125C00
Call dword ptr [005C12E4]
:0041222E 85C0
test eax, eax
:00412230 A3E4876000 mov dword
ptr [006087E4], eax
:00412235 7522
jne 00412259
:00412237 50
push eax
*
Possible StringData Ref from Data Obj ->"致命錯誤,記憶體不足!"
|
:00412238 A10C035F00
mov eax, dword ptr [005F030C]
:0041223D 6894316000
push 00603194
:00412242 50
push eax
:00412243
6A00 push
00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00412245 FF15F0165C00
Call dword ptr [005C16F0]
:0041224B 5F
pop edi
:0041224C
5E
pop esi
:0041224D 5D
pop ebp
:0041224E 83C8FF
or eax, FFFFFFFF
:00412251 5B
pop ebx
:00412252
81C414030000 add esp, 00000314
:00412258
C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00412235(C)
|
:00412259 68E8886000
push 006088E8
:0041225E 8D4C2460
lea ecx, dword ptr [esp+60]
* Possible StringData Ref from Data Obj ->"%s\font\slhz.lib"
|
:00412262 6868185F00
push 005F1868
:00412267 51
push ecx
:00412268 E8BE5B1600
call 00577E2B
:0041226D 8D542468
lea edx, dword ptr [esp+68]
* Possible Reference to Dialog:
|
:00412271 6830185F00 push
005F1830
:00412276 52
push edx
:00412277 E8D2611600
call 0057844E
:0041227C 83C414
add esp, 00000014
:0041227F A3E8876000
mov dword ptr [006087E8], eax
:00412284
85C0 test
eax, eax
:00412286 7520
jne 004122A8
:00412288 50
push eax
* Possible Reference
to Dialog:
|
:00412289
6894316000 push 00603194
* Possible StringData Ref from Data Obj ->"無法開啟向量字型檔檔案"
|
:0041228E 6850185F00
push 005F1850
:00412293 50
push eax
* Reference To: USER32.MessageBoxA,
Ord:01BEh
|
:00412294 FF15F0165C00
Call dword ptr [005C16F0]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0041234A(C)
|
:0041229A 5F
pop edi
:0041229B 5E
pop esi
:0041229C 5D
pop ebp
:0041229D
83C8FF or eax, FFFFFFFF
:004122A0 5B
pop ebx
:004122A1 81C414030000
add esp, 00000314
:004122A7 C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412286(C)
|
:004122A8 66A19C716000
mov ax, word ptr [0060719C]
:004122AE
668B0D98716000 mov cx, word ptr [00607198]
:004122B5 8D542414 lea
edx, dword ptr [esp+14]
:004122B9 6689442422
mov word ptr [esp+22], ax
:004122BE 52
push edx
:004122BF
66894C2422 mov word ptr [esp+22],
cx
:004122C4 E8079EFFFF call
0040C0D0 **隨機數1,2變換運算結果逆變換
:004122C9 8B442426
mov eax, dword ptr [esp+26]
:004122CD 8B4C2422 mov
ecx, dword ptr [esp+22]
:004122D1 8B1DE4876000
mov ebx, dword ptr [006087E4]
:004122D7 83C404
add esp, 00000004
:004122DA
25FFFF0000 and eax, 0000FFFF
:004122DF 81E1FFFF0000 and ecx, 0000FFFF
:004122E5 A39C716000 mov
dword ptr [0060719C], eax
:004122EA 890D98716000
mov dword ptr [00607198], ecx
:004122F0 C74424100B000000
mov [esp+10], 0000000B
:004122F8 EB05
jmp 004122FF
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00412362(C)
|
:004122FA A19C716000 mov
eax, dword ptr [0060719C]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004122F8(U)
|
:004122FF 3B05A4716000
cmp eax, dword ptr [006071A4]
:00412305 755D
jne 00412364
:00412307 33ED
xor ebp, ebp
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00412354(C)
|
:00412309 8B15E8876000
mov edx, dword ptr [006087E8]
:0041230F 8D842424010000
lea eax, dword ptr [esp+00000124]
:00412316 52
push edx
:00412317 6A01
push 00000001
:00412319 6800020000
push 00000200
:0041231E 50
push eax
:0041231F E885641600
call 005787A9
* Possible Reference
to Menu: MenuID_0080
|
* Possible
Reference to String Resource ID=00128: "eda-H"
|
:00412324 B980000000
mov ecx, 00000080
:00412329 8DB42434010000
lea esi, dword ptr [esp+00000134]
:00412330 8BFB
mov edi, ebx
:00412332 83C410
add esp, 00000010
:00412335 F3
repz
:00412336 A5
movsd
:00412337 8B0D98716000
mov ecx, dword ptr [00607198]
:0041233D A1A0716000
mov eax, dword ptr [006071A0]
:00412342
81C300020000 add ebx, 00000200
:00412348
3BC8 cmp
ecx, eax
:0041234A 0F854AFFFFFF
jne 0041229A **比較逆變換結果是否正確,此處不能跳!
:00412350 45
inc ebp
:00412351 83FD20
cmp ebp, 00000020
:00412354 7CB3
jl 00412309
:00412356 8B442410
mov eax, dword ptr [esp+10]
:0041235A
40
inc eax
:0041235B 83F81C
cmp eax, 0000001C
:0041235E 89442410
mov dword ptr [esp+10], eax
:00412362 7C96
jl 004122FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412305(C)
|
:00412364 5F
pop edi
:00412365 5E
pop esi
:00412366
5D
pop ebp
:00412367 33C0
xor eax, eax
:00412369 5B
pop ebx
:0041236A 81C414030000
add esp, 00000314
:00412370 C3
ret
五、
程式正常執行退出時軟體還要檢測有無狗,無狗時提示->"程式執行中去掉或共享軟體鎖,可能會造成程式異常終止和設計資料丟失!",下BPX MESSAGEBOXA再探:
:0040F659 90
nop
:0040F65A 90
nop
:0040F65B 90
nop
:0040F65C 90
nop
:0040F65D 90
nop
:0040F65E 90
nop
:0040F65F 90
nop
:0040F660 A138035F00
mov eax, dword ptr [005F0338]
:0040F665
81EC30040000 sub esp, 00000430
:0040F66B
85C0 test
eax, eax
:0040F66D 56
push esi
:0040F66E 57
push edi
:0040F66F 8BF9
mov edi, ecx
:0040F671
7C4D jl 0040F6C0
:0040F673 66A134035F00 mov ax, word
ptr [005F0334]
:0040F679 8D8C24F0030000
lea ecx, dword ptr [esp+000003F0]
:0040F680 51
push ecx
:0040F681 66898424F6030000
mov word ptr [esp+000003F6], ax
:0040F689 E862C5FFFF
call 0040BBF0
:0040F68E 8B9424FA030000
mov edx, dword ptr [esp+000003FA]
:0040F695 A138035F00
mov eax, dword ptr [005F0338]
:0040F69A
81E2FFFF0000 and edx, 0000FFFF
:0040F6A0
83C404 add esp,
00000004
:0040F6A3 3BD0
cmp edx, eax
:0040F6A5 7419
je 0040F6C0 **此處強制跳過即可!
:0040F6A7
6A10 push
00000010
* Possible Reference to Dialog:
|
:0040F6A9 6844175F00
push 005F1744
* Possible StringData Ref from Data Obj ->"程式執行中去掉或共享軟體鎖,可能會造成程式異常"
->"終止和設計資料丟失!"
|
:0040F6AE 6800175F00
push 005F1700
:0040F6B3 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0040F6B5 FF15F0165C00
Call dword ptr [005C16F0]
:0040F6BB E8DB9F1700
call 0058969B
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:0040F671(C), :0040F6A5(C)
|
:0040F6C0 668B87C0000000 mov ax, word ptr [edi+000000C0]
:0040F6C7 50
push eax
*********
至此程式可正常免狗執行。
後話:這套軟體加密後自身帶有狗內的資料碼錶,功力深厚的高手無狗也可解掉它,可惜我水平太低,有狗還跟了好幾天,才有了眉目。因為自己也覺得思路表述的不夠好,所以程式段複製的比較多,各位看官多見諒!
最後,非常感謝老大PETERCHEN,大老的幫助和紫竹、羅降神的文章給我的提示!
CRACK123[FCG]