Dog-Beating Staff Technique: the TDSD software dongle

From the Pediy (看雪) archive, posted 2002-07-02

Software: XX Industry Information Management System V2.3
Protection: software dongle (Rainbow) accessed through TDSD.VXD
Method: crack with the dongle attached (so the real dongle data can be captured while the checks are removed)
Tools: TRW2000 V1.23, WDASM 8.93


1. Run without the dongle and the program exits silently, with no message at all. So plug the dongle back in, set BPX DEVICEIOCONTROL in TRW2000 to catch the driver call, then PMODULE to get back into the main program's own code. This is what we see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFE81(U)
|
:005AFE84 391D540B5C00            cmp dword ptr [005C0B54], ebx
:005AFE8A 8B3580125C00            mov esi, dword ptr [005C1280]
:005AFE90 BF84000000              mov edi, 00000084
:005AFE95 756A                    jne 005AFF01
:005AFE97 8D45F4                  lea eax, dword ptr [ebp-0C]
:005AFE9A 53                      push ebx
:005AFE9B 50                      push eax
:005AFE9C 8D458C                  lea eax, dword ptr [ebp-74]
:005AFE9F 6A68                    push 00000068
:005AFEA1 50                      push eax
:005AFEA2 8D8508FFFFFF            lea eax, dword ptr [ebp+FFFFFF08]
:005AFEA8 57                      push edi
:005AFEA9 50                      push eax
:005AFEAA 6A03                    push 00000003
:005AFEAC FF75FC                  push [ebp-04]
:005AFEAF FFD6                    call esi        --> the intercepted DeviceIoControl call: hDevice=[ebp-04], code 3, input [ebp-F8] (0x84 bytes), output [ebp-74] (0x68 bytes)
:005AFEB1 3BC3                    cmp eax, ebx    --> we land back here; ebx holds 0
:005AFEB3 7507                    jne 005AFEBC    --> taken with or without the dongle: DeviceIoControl succeeded both times (the VxD answered), so eax is nonzero either way; the dongle's verdict comes back in the output buffer, not in eax
:005AFEB5 C7458C08000000          mov [ebp-74], 00000008    --> first dword of the output buffer is the dongle flag: 0 = present, 8 = absent;
                                                              this store only runs when the ioctl call itself failed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEB3(C)
|
:005AFEBC 395D8C                  cmp dword ptr [ebp-74], ebx    --> dongle flag == 0?
:005AFEBF 741D                    je 005AFEDE                    --> jump if the dongle is present
:005AFEC1 EB01                    jmp 005AFEC4
:005AFEC3 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEC1(U)
|
:005AFEC4 FF75FC                  push [ebp-04]
:005AFEC7 FF1548125C00            call dword ptr [005C1248]
:005AFECD EB01                    jmp 005AFED0
:005AFECF 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFECD(U)
|
:005AFED0 FF75F8                  push [ebp-08]
:005AFED3 E8D9F7FFFF              call 005AF6B1
:005AFED8 59                      pop ecx
:005AFED9 E9F3000000              jmp 005AFFD1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEBF(C)
|
:005AFEDE EB01                    jmp 005AFEE1              --> with the dongle we arrive here and fall straight through
:005AFEE0 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEDE(U)
|
:005AFEE1 8B4590                  mov eax, dword ptr [ebp-70] 
:005AFEE4 A3640B5C00              mov dword ptr [005C0B64], eax
:005AFEE9 EB01                    jmp 005AFEEC
:005AFEEB 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEE9(U)
|
:005AFEEC C605500B5C0001          mov byte ptr [005C0B50], 01
:005AFEF3 EB01                    jmp 005AFEF6
:005AFEF5 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFEF3(U)
|
:005AFEF6 8B850CFFFFFF            mov eax, dword ptr [ebp+FFFFFF0C]
:005AFEFC A3540B5C00              mov dword ptr [005C0B54], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFE95(C)
|
:005AFF01 EB01                    jmp 005AFF04
:005AFF03 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF01(U)
|
:005AFF04 A0F80B5C00              mov al, byte ptr [005C0BF8]
:005AFF09 50                      push eax
:005AFF0A E85BF1FFFF              call 005AF06A
:005AFF0F 59                      pop ecx
:005AFF10 898518FFFFFF            mov dword ptr [ebp+FFFFFF18], eax
:005AFF16 EB01                    jmp 005AFF19
:005AFF18 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF16(U)
|
:005AFF19 E8E9F0FFFF              call 005AF007
:005AFF1E 0FB7D8                  movzx ebx, ax
:005AFF21 E8E1F0FFFF              call 005AF007
:005AFF26 0FB7C0                  movzx eax, ax
:005AFF29 C1E010                  shl eax, 10
:005AFF2C 0BD8                    or ebx, eax
:005AFF2E 899D10FFFFFF            mov dword ptr [ebp+FFFFFF10], ebx
:005AFF34 EB01                    jmp 005AFF37
:005AFF36 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF34(U)
|
:005AFF37 E881F1FFFF              call 005AF0BD
:005AFF3C EB01                    jmp 005AFF3F
:005AFF3E 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF3C(U)
|
:005AFF3F A0FC0B5C00              mov al, byte ptr [005C0BFC]
:005AFF44 50                      push eax
:005AFF45 E820F1FFFF              call 005AF06A
:005AFF4A 898514FFFFFF            mov dword ptr [ebp+FFFFFF14], eax
:005AFF50 A1640B5C00              mov eax, dword ptr [005C0B64]
:005AFF55 59                      pop ecx
:005AFF56 898524FFFFFF            mov dword ptr [ebp+FFFFFF24], eax
:005AFF5C EB01                    jmp 005AFF5F
:005AFF5E 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF5C(U)
|
:005AFF5F EB01                    jmp 005AFF62
:005AFF61 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF5F(U)
|
:005AFF62 8D45F4                  lea eax, dword ptr [ebp-0C]
:005AFF65 6A00                    push 00000000
:005AFF67 50                      push eax
:005AFF68 8D458C                  lea eax, dword ptr [ebp-74]
:005AFF6B 6A68                    push 00000068
:005AFF6D 50                      push eax
:005AFF6E 8D8508FFFFFF            lea eax, dword ptr [ebp+FFFFFF08]
:005AFF74 57                      push edi
:005AFF75 50                      push eax
:005AFF76 6A04                    push 00000004
:005AFF78 FF75FC                  push [ebp-04]
:005AFF7B FFD6                    call esi                --> second DeviceIoControl call (code 4); the output buffer at [ebp-74] now holds a status dword followed by 8 bytes read from the dongle at [ebp-70]
:005AFF7D FF75FC                  push [ebp-04]          --> device handle for the next call
:005AFF80 8BF0                    mov esi, eax            --> esi = DeviceIoControl return value
:005AFF82 FF1548125C00            call dword ptr [005C1248] --> the author reads this and the following call as a second dongle read of 8 bytes;
:005AFF88 FF75F8                  push [ebp-08]          --> note, however, that the XOR loop below only uses the 4-byte value stored at [ebp-F0] back at 5AFF2E
:005AFF8B E821F7FFFF              call 005AF6B1
:005AFF90 59                      pop ecx
:005AFF91 EB01                    jmp 005AFF94
:005AFF93 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF91(U)
|
:005AFF94 85F6                    test esi, esi          --> did DeviceIoControl succeed?
:005AFF96 742F                    je 005AFFC7            --> no: force the flag to 8 (no dongle)
:005AFF98 837D8C00                cmp dword ptr [ebp-74], 00000000  --> dongle flag from the output buffer, same check as at 5AFEBC
:005AFF9C 7530                    jne 005AFFCE        --> no dongle: skip the key derivation
:005AFF9E 33C9                    xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFFC3(C)
|
:005AFFA0 EB01                    jmp 005AFFA3
:005AFFA2 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFFA0(U)
|
:005AFFA3 8BC1                    mov eax, ecx
:005AFFA5 6A04                    push 00000004
:005AFFA7 99                      cdq
:005AFFA8 5E                      pop esi
:005AFFA9 F7FE                    idiv esi
:005AFFAB 8A442990                mov al, byte ptr [ecx+ebp-70]        --> byte i of the 8 dongle bytes (output buffer offset 4)
:005AFFAF 32842A10FFFFFF          xor al, byte ptr [edx+ebp-000000F0]  --> XOR with byte (i mod 4) of the 4-byte value at [ebp-F0]; edx is the remainder of the idiv by 4
:005AFFB6 8B15F40B5C00            mov edx, dword ptr [005C0BF4]
:005AFFBC 88040A                  mov byte ptr [edx+ecx], al            --> store result byte i through the pointer held at 005C0BF4
:005AFFBF 41                      inc ecx                             
:005AFFC0 83F908                  cmp ecx, 00000008
:005AFFC3 7CDB                    jl 005AFFA0
:005AFFC5 EB07                    jmp 005AFFCE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFF96(C)
|
:005AFFC7 C7458C08000000          mov [ebp-74], 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005AFF9C(C), :005AFFC5(U)
|
:005AFFCE EB01                    jmp 005AFFD1
:005AFFD0 3D                      BYTE 3D

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005AFED9(U), :005AFFCE(U)
|
:005AFFD1 8B458C                  mov eax, dword ptr [ebp-74]    --> return the dongle flag in eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AFE1E(C)
|
:005AFFD4 5F                      pop edi
:005AFFD5 5E                      pop esi
:005AFFD6 5B                      pop ebx
:005AFFD7 C9                      leave
:005AFFD8 C3                      ret

2. Returning from 5AFFD8 above, we trace into the following routine:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005ADB6A(U)
|
:005ADB6D 8D45CC                  lea eax, dword ptr [ebp-34]
:005ADB70 A3F40B5C00              mov dword ptr [005C0BF4], eax
:005ADB75 E8A4200000              call 005AFC1E                --> calls the routine from step 1
:005ADB7A 8945C8                  mov dword ptr [ebp-38], eax  --> returns here; eax holds the dongle flag
:005ADB7D 8B45CC                  mov eax, dword ptr [ebp-34]  --> [ebp-34] is the buffer 005C0BF4 points at, i.e. step 1's XOR result;
:005ADB80 A3EC0B5C00              mov dword ptr [005C0BEC], eax    its first 4 bytes (19 76 6F FF) are saved to 005C0BEC
:005ADB85 837DC800                cmp dword ptr [ebp-38], 00000000 --> dongle present?
:005ADB89 7413                    je 005ADB9E      --> yes: jump, and the splash screen appears!!!
:005ADB8B C70510005C00E1E75A00    mov dword ptr [005C0010], 005AE7E1
:005ADB95 C745C800000000          mov [ebp-38], 00000000
:005ADB9C EB3C                    jmp 005ADBDA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005ADB89(C)
|
:005ADB9E 833D74005C0000          cmp dword ptr [005C0074], 00000000
:005ADBA5 7429                    je 005ADBD0
:005ADBA7 A126005C00              mov eax, dword ptr [005C0026]
:005ADBAC 330514005C00            xor eax, dword ptr [005C0014]
:005ADBB2 8945D4                  mov dword ptr [ebp-2C], eax
:005ADBB5 8B45D4                  mov eax, dword ptr [ebp-2C]
:005ADBB8 3305EC0B5C00            xor eax, dword ptr [005C0BEC]
:005ADBBE A396025C00              mov dword ptr [005C0296], eax
:005ADBC3 A12A005C00              mov eax, dword ptr [005C002A]
:005ADBC8 310596025C00            xor dword ptr [005C0296], eax
:005ADBCE EB0A                    jmp 005ADBDA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005ADBA5(C)
|
:005ADBD0 A1EC0B5C00              mov eax, dword ptr [005C0BEC]
:005ADBD5 A396025C00              mov dword ptr [005C0296], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005ADB9C(U), :005ADBCE(U)
|
:005ADBDA 8B45C8                  mov eax, dword ptr [ebp-38]
:005ADBDD EB00                    jmp 005ADBDF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005ADAA6(U), :005ADB1E(U), :005ADB45(U), :005ADB68(U), :005ADBDD(U)
|
:005ADBDF 5F                      pop edi
:005ADBE0 5E                      pop esi
:005ADBE1 5B                      pop ebx
:005ADBE2 C9                      leave
:005ADBE3 C3                      ret

3. Once the splash screen is up, the program calls DeviceIoControl again to read the dongle, then compares and computes exactly as above. With the control flow fixed up and valid dongle data in place, the program goes on into its main window!
The routine is pasted below without further commentary; work through it yourself:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF542(U)
|
:005AF545 0FBF05F80B5C00          movsx eax, word ptr [005C0BF8]
:005AF54C 391D540B5C00            cmp dword ptr [005C0B54], ebx
:005AF552 8B3580125C00            mov esi, dword ptr [005C1280]
:005AF558 894588                  mov dword ptr [ebp-78], eax
:005AF55B BF84000000              mov edi, 00000084
:005AF560 756A                    jne 005AF5CC
:005AF562 8D45F4                  lea eax, dword ptr [ebp-0C]
:005AF565 53                      push ebx
:005AF566 50                      push eax
:005AF567 8D458C                  lea eax, dword ptr [ebp-74]
:005AF56A 6A68                    push 00000068
:005AF56C 50                      push eax
:005AF56D 8D8504FFFFFF            lea eax, dword ptr [ebp+FFFFFF04]
:005AF573 57                      push edi
:005AF574 50                      push eax
:005AF575 6A03                    push 00000003
:005AF577 FF75FC                  push [ebp-04]
:005AF57A FFD6                    call esi
:005AF57C 3BC3                    cmp eax, ebx
:005AF57E 7507                    jne 005AF587
:005AF580 C7458C08000000          mov [ebp-74], 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF57E(C)
|
:005AF587 395D8C                  cmp dword ptr [ebp-74], ebx
:005AF58A 741D                    je 005AF5A9
:005AF58C EB01                    jmp 005AF58F
:005AF58E 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF58C(U)
|
:005AF58F FF75FC                  push [ebp-04]
:005AF592 FF1548125C00            call dword ptr [005C1248]
:005AF598 EB01                    jmp 005AF59B
:005AF59A 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF598(U)
|
:005AF59B FF75F8                  push [ebp-08]
:005AF59E E80E010000              call 005AF6B1
:005AF5A3 59                      pop ecx
:005AF5A4 E900010000              jmp 005AF6A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF58A(C)
|
:005AF5A9 EB01                    jmp 005AF5AC
:005AF5AB 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5A9(U)
|
:005AF5AC 8B4590                  mov eax, dword ptr [ebp-70]
:005AF5AF A3640B5C00              mov dword ptr [005C0B64], eax
:005AF5B4 EB01                    jmp 005AF5B7
:005AF5B6 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5B4(U)
|
:005AF5B7 C605500B5C0001          mov byte ptr [005C0B50], 01
:005AF5BE EB01                    jmp 005AF5C1
:005AF5C0 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5BE(U)
|
:005AF5C1 8B8508FFFFFF            mov eax, dword ptr [ebp+FFFFFF08]
:005AF5C7 A3540B5C00              mov dword ptr [005C0B54], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF560(C)
|
:005AF5CC EB01                    jmp 005AF5CF
:005AF5CE 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5CC(U)
|
:005AF5CF A0F80B5C00              mov al, byte ptr [005C0BF8]
:005AF5D4 50                      push eax
:005AF5D5 E890FAFFFF              call 005AF06A
:005AF5DA 59                      pop ecx
:005AF5DB 898514FFFFFF            mov dword ptr [ebp+FFFFFF14], eax
:005AF5E1 EB01                    jmp 005AF5E4
:005AF5E3 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5E1(U)
|
:005AF5E4 E81EFAFFFF              call 005AF007
:005AF5E9 0FB7D8                  movzx ebx, ax
:005AF5EC E816FAFFFF              call 005AF007
:005AF5F1 0FB7C0                  movzx eax, ax
:005AF5F4 C1E010                  shl eax, 10
:005AF5F7 0BD8                    or ebx, eax
:005AF5F9 899D0CFFFFFF            mov dword ptr [ebp+FFFFFF0C], ebx
:005AF5FF EB01                    jmp 005AF602
:005AF601 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF5FF(U)
|
:005AF602 E8B6FAFFFF              call 005AF0BD
:005AF607 EB01                    jmp 005AF60A
:005AF609 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF607(U)
|
:005AF60A A0FC0B5C00              mov al, byte ptr [005C0BFC]
:005AF60F 50                      push eax
:005AF610 E855FAFFFF              call 005AF06A
:005AF615 898510FFFFFF            mov dword ptr [ebp+FFFFFF10], eax
:005AF61B A1640B5C00              mov eax, dword ptr [005C0B64]
:005AF620 59                      pop ecx
:005AF621 898520FFFFFF            mov dword ptr [ebp+FFFFFF20], eax
:005AF627 EB01                    jmp 005AF62A
:005AF629 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF627(U)
|
:005AF62A EB01                    jmp 005AF62D
:005AF62C 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF62A(U)
|
:005AF62D 8D45F4                  lea eax, dword ptr [ebp-0C]
:005AF630 6A00                    push 00000000
:005AF632 50                      push eax
:005AF633 8D458C                  lea eax, dword ptr [ebp-74]
:005AF636 6A68                    push 00000068
:005AF638 50                      push eax
:005AF639 8D8504FFFFFF            lea eax, dword ptr [ebp+FFFFFF04]
:005AF63F 57                      push edi
:005AF640 50                      push eax
:005AF641 6A01                    push 00000001
:005AF643 FF75FC                  push [ebp-04]
:005AF646 FFD6                    call esi
:005AF648 FF75FC                  push [ebp-04]
:005AF64B 8BF0                    mov esi, eax
:005AF64D FF1548125C00            call dword ptr [005C1248]
:005AF653 FF75F8                  push [ebp-08]
:005AF656 E856000000              call 005AF6B1
:005AF65B 59                      pop ecx
:005AF65C EB01                    jmp 005AF65F
:005AF65E 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF65C(U)
|
:005AF65F 85F6                    test esi, esi
:005AF661 743C                    je 005AF69F
:005AF663 837D8C00                cmp dword ptr [ebp-74], 00000000
:005AF667 753D                    jne 005AF6A6
:005AF669 8B7588                  mov esi, dword ptr [ebp-78]
:005AF66C 85F6                    test esi, esi
:005AF66E 7503                    jne 005AF673
:005AF670 6A04                    push 00000004
:005AF672 5E                      pop esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF66E(C)
|
:005AF673 33C9                    xor ecx, ecx
:005AF675 85F6                    test esi, esi
:005AF677 7E2D                    jle 005AF6A6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF69B(C)
|
:005AF679 EB01                    jmp 005AF67C
:005AF67B 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF679(U)
|
:005AF67C 8BC1                    mov eax, ecx
:005AF67E 6A04                    push 00000004
:005AF680 99                      cdq
:005AF681 5F                      pop edi
:005AF682 F7FF                    idiv edi
:005AF684 8A442990                mov al, byte ptr [ecx+ebp-70]
:005AF688 32842A0CFFFFFF          xor al, byte ptr [edx+ebp-000000F4]
:005AF68F 8B15F40B5C00            mov edx, dword ptr [005C0BF4]
:005AF695 88040A                  mov byte ptr [edx+ecx], al
:005AF698 41                      inc ecx
:005AF699 3BCE                    cmp ecx, esi
:005AF69B 7CDC                    jl 005AF679
:005AF69D EB07                    jmp 005AF6A6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF661(C)
|
:005AF69F C7458C08000000          mov [ebp-74], 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005AF667(C), :005AF677(C), :005AF69D(U)
|
:005AF6A6 EB01                    jmp 005AF6A9
:005AF6A8 81                      BYTE 81

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005AF5A4(U), :005AF6A6(U)
|
:005AF6A9 8B458C                  mov eax, dword ptr [ebp-74]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005AF4DF(C)
|
:005AF6AC 5F                      pop edi
:005AF6AD 5E                      pop esi
:005AF6AE 5B                      pop ebx
:005AF6AF C9                      leave
:005AF6B0 C3                      ret
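Added here as an editor's example (Python, not code from the article or from the protected program): a model of the two dongle routines in steps 1 and 3, written from the listings. It reproduces the three facts the traces show: the status dword sits at offset 0 of the DeviceIoControl output buffer ([ebp-74]) and is forced to 8 only when the ioctl call itself fails; the dongle data follows it at offset 4 ([ebp-70]); and each data byte is XORed with byte (i mod 4) of a 4-byte value (the one at [ebp-F0] in step 1, [ebp-F4] in step 3), over 8 bytes in step 1 and over a count taken from the word at 005C0BF8 (4 if zero) in step 3. The ioctl result and buffer contents are inputs to the model, since what TDSD.VXD does for control codes 3, 4 and 1 is not in the article; the sample buffer and key are constructed, chosen so that the first four derived bytes match the 19 76 6F FF the author observed.

```python
import struct

STATUS_OK = 0          # status dword when the dongle answered
STATUS_NO_DONGLE = 8   # value the program forces when DeviceIoControl fails
OUT_BUF_SIZE = 0x68    # size of the output buffer at [ebp-74] (pushed as nOutBufferSize)


def dongle_status(ioctl_ok: bool, out_buf: bytes) -> int:
    """Mirror of 5AFEB1-5AFEBC and 5AFF94-5AFF9C: DeviceIoControl's return value
    only says whether the request reached TDSD.VXD. The dongle's own verdict is
    the first dword of the output buffer, written by the driver."""
    if not ioctl_ok:
        return STATUS_NO_DONGLE
    return struct.unpack_from("<I", out_buf, 0)[0]


def derive_bytes(out_buf: bytes, key4: bytes, count: int = 0) -> bytes:
    """Mirror of the loop at 5AFFA0-5AFFC3 (step 1) and 5AF673-5AF69B (step 3).
    Data bytes follow the status dword, so [ebp-70] is buffer offset 4. Each is
    XORed with key4[i % 4]: the 'push 4 / idiv' leaves i mod 4 in edx, which
    indexes the 4-byte value. count == 0 selects the default of 4, as step 3's
    'push 4 / pop esi' does; step 1 always uses 8."""
    if len(key4) != 4:
        raise ValueError("key must be the 4-byte value built from two 16-bit halves")
    if count == 0:
        count = 4
    data = out_buf[4:4 + count]
    return bytes(b ^ key4[i % 4] for i, b in enumerate(data))


def check_dongle(ioctl_ok: bool, out_buf: bytes, key4: bytes, count: int = 8):
    """Return (status, derived) the way the routine leaves them: status in eax,
    derived bytes written through the pointer stored at 005C0BF4 (None when the
    check failed and the loop was skipped)."""
    status = dongle_status(ioctl_ok, out_buf)
    if status != STATUS_OK:
        return status, None
    return status, derive_bytes(out_buf, key4, count)


# Constructed sample, not captured from a real dongle: status 0, eight data
# bytes, zero padding up to the buffer size. The key is chosen so the first
# four derived bytes come out as 19 76 6F FF, the values the article reports.
SAMPLE_OUT_BUF = (struct.pack("<I", STATUS_OK)
                  + bytes.fromhex("11 22 33 44 55 66 77 88")).ljust(OUT_BUF_SIZE, b"\x00")
SAMPLE_KEY4 = bytes.fromhex("08 54 5C BB")
# Same data with the status dword set to 8: a constructed no-dongle answer.
SAMPLE_OUT_BUF_NO_DONGLE = struct.pack("<I", STATUS_NO_DONGLE) + SAMPLE_OUT_BUF[4:]


if __name__ == "__main__":
    cases = ((True, SAMPLE_OUT_BUF), (True, SAMPLE_OUT_BUF_NO_DONGLE), (False, SAMPLE_OUT_BUF))
    for ok, buf in cases:
        status, derived = check_dongle(ok, buf, SAMPLE_KEY4)
        shown = derived.hex() if derived is not None else None
        print(f"ioctl_ok={ok!s:5} status={status} derived={shown}")
```

The model makes the weakness of the scheme visible: the only thing the program trusts is a dword it compares against 0, and the secret material is eight bytes the dongle hands over in the clear, so a patched flag plus one captured buffer replaces the hardware.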

4. After the tracing and patching above, some features still did not work. Tracing further showed that the instruction
C7458C08000000          mov [ebp-74], 00000008
appears in several more places. Changing every occurrence with UltraEdit or a similar hex editor to C7458C00000000 (i.e. mov [ebp-74], 00000000) removes the last of the checks and the whole program is cracked: every feature can be used. Note that this only fixes the status flag; the 8 bytes read from the dongle and XORed into the key still have to be genuine, which is why the work is done with the dongle attached.
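As an added example (editor's code, not from the article), the step-4 edit scripted: find every `C7 45 8C 08 00 00 00` in an image and rewrite the immediate to 0, which is exactly what the hex-editor edit does by hand. The sample image is constructed, a few filler bytes around two copies of the store and one decoy that already has the patched form; the offsets and file names are not from the article.

```python
from pathlib import Path

# Encoding of `mov dword ptr [ebp-74], imm32` is C7 45 8C imm32 (0x8C is the
# signed byte -0x74). Both sequences are the ones quoted in the article.
NEEDLE = bytes.fromhex("C7 45 8C 08 00 00 00")    # mov [ebp-74], 00000008  ("no dongle")
PATCHED = bytes.fromhex("C7 45 8C 00 00 00 00")   # mov [ebp-74], 00000000  ("dongle present")


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_status_stores(data: bytes) -> tuple:
    """Replace each `mov [ebp-74], 8` with `mov [ebp-74], 0`.
    Returns (patched_bytes, offsets). Both encodings are 7 bytes, so nothing
    around them moves and no jump targets need fixing."""
    hits = find_all(data, NEEDLE)
    buf = bytearray(data)
    for off in hits:
        buf[off:off + len(NEEDLE)] = PATCHED
    return bytes(buf), hits


def patch_file(src: str, dst: str) -> list:
    """File wrapper: write a patched copy to dst, leave src untouched."""
    patched, hits = patch_status_stores(Path(src).read_bytes())
    Path(dst).write_bytes(patched)
    return hits


# Constructed sample image (not the real executable): NOP filler, a store of 8
# followed by the `cmp eax, ebx / jne` seen at 5AFEB1, INT3 filler, a decoy
# that is already the patched form, more filler, a second store of 8, a ret.
SAMPLE_IMAGE = (
    b"\x90" * 16 + NEEDLE + b"\x3b\xc3\x75\x07" + b"\xcc" * 8
    + PATCHED + b"\x90" * 4 + NEEDLE + b"\xc3"
)


if __name__ == "__main__":
    patched, hits = patch_status_stores(SAMPLE_IMAGE)
    print("patched offsets:", [hex(h) for h in hits])
    print("remaining 'mov [ebp-74], 8':", patched.count(NEEDLE))
```

The 7-byte sequence is specific enough that a hit inside data rather than code is unlikely, but check each reported offset against the disassembly before writing, and keep the patched copy separate from the original so the trace can be repeated.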

                            crack123[FCG]
                            2002.7.2
