Tutor 8: How to crack LockDown 2000 3.0 Build 3.0.1.28
Software background
Platform: Win9X/NT
File name: Lockdown2000.exe
Program type: anti-virus tool
Download: http://lockdown2000.com\download.html
File size: 2,046KB
Tools used
SoftIce V3.25--Win9X Debugger
W32Dasm V8.93--Win9X Disassembler
Hex WorkShop v2.54--Hex Editor
RegSnap V2.51--Registry Tracer
Difficulty
Easy(X) Medium( ) Hard( ) Pro( )
----------=======Declaration========----------
The original text may not be modified or quoted without the author's consent; all rights reserved.
This tutorial is for educational purposes only; all other uses are prohibited.
----------=======Software introduction========----------
Simply put, it is a shareware program that detects and removes the hacker programs popular on the net (it had better guard against my cracking first, ^O^). I can't say much for its scanning speed, and it starts up extremely slowly; in any case I won't be using it.
----------=======The software's protection scheme========----------
The time of the first run is recorded in AJBALSE.INI in the Windows directory.
When registering, no name is needed; the program automatically generates a Product Serial, mine being 6WD-Q2D3-6F67-2. To find out whether this number is generated randomly, I uninstalled the software and, to be safe, also deleted all the files and registry keys created in the Windows directory at install time, then installed it again to see whether the Product Serial changed. It was still 6WD-Q2D3-6F67-2, but I suspect it may be derived from the personal information you entered when Windows was installed. If you're interested, install this software on your machine and see whether your Product Serial matches mine.
After registration, the registration information is stored in the registry at
HKEY_LOCAL_MACHINE\Software\Harbor Telco\LockDown 2000 v3.0\3.0.1.1\Register
----------========Main text========----------
Part 1 Code snippet
In the registration window, enter any code; I entered 12121212.
In SoftIce set the breakpoint bpx hmemcpy do "p ret;", press Ctrl-D to return to the registration window, press the "OK" button, and when you are back in SoftIce enter "bc *" to clear all breakpoints, then press F12 several times; the program stops at:
:004C5132 E8CDDCF6FF call 00432E04
:004C5137 8B55F8 mov edx, dword ptr [ebp-08] <== we land here; edx points to the start of the code we entered
:004C513A 58 pop eax
:004C513B E8FCEEF3FF call 0040403C <== registration code check
:004C5140 7504 jne 004C5146 <== registration failed, jump to 004C5146
:004C5142 B301 mov bl, 01 <== registration succeeded, bl=1
:004C5144 EB02 jmp 004C5148
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5140(C)
|
:004C5146 33DB xor ebx, ebx <==ebx=0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5144(U)
|
:004C5148 84DB test bl, bl
:004C514A 7523 jne 004C516F <== if registered, bl=1, so jump to 004C516F
:004C514C 6A00 push 00000000
:004C514E 668B0D7C524C00 mov cx, word ptr [004C527C]
:004C5155 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"The unlock code you have entered "
->"is invalid for this machine, please "
->"re-type the number or contact "
->"Harbor Telco to receive a new "
->"registration number."
|
:004C5157 B888524C00 mov eax, 004C5288
:004C515C E80F14F9FF call 00456570
:004C5161 8B86CC020000 mov eax, dword ptr [esi+000002CC]
:004C5167 8B10 mov edx, dword ptr [eax]
:004C5169 FF92B4000000 call dword ptr [edx+000000B4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C514A(C)
|
:004C516F 84DB test bl, bl <== check once more whether bl is 1
:004C5171 0F84D9000000 je 004C5250 <== non-zero: show the registration-success message
:004C5177 8D55F8 lea edx, dword ptr [ebp-08]
:004C517A 8B86CC020000 mov eax, dword ptr [esi+000002CC]
:004C5180 E87FDCF6FF call 00432E04
:004C5185 8B45F8 mov eax, dword ptr [ebp-08]
:004C5188 E8F7E5FDFF call 004A3784
:004C518D 6A00 push 00000000
:004C518F 668B0D7C524C00 mov cx, word ptr [004C527C]
:004C5196 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Thank you for registering LockDown "
->"2000!"
|
:004C5198 B828534C00 mov eax, 004C5328
:004C519D E8CE13F9FF call 00456570
:004C51A2 A120EC4C00 mov eax, dword ptr [004CEC20]
:004C51A7 8B00 mov eax, dword ptr [eax]
:004C51A9 80784700 cmp byte ptr [eax+47], 00
:004C51AD 750E jne 004C51BD
:004C51AF A120EC4C00 mov eax, dword ptr [004CEC20]
To find the registration code, let's trace into call 0040403C:
:0040403C 53 push ebx
:0040403D 56 push esi
:0040403E 57 push edi
:0040403F 89C6 mov esi, eax <== esi now points to the start of the real code
:00404041 89D7 mov edi, edx <== edi now points to the start of the fake code
:00404043 39D0 cmp eax, edx
:00404045 0F848F000000 je 004040DA
:0040404B 85F6 test esi, esi
:0040404D 7468 je 004040B7
:0040404F 85FF test edi, edi
:00404051 746B je 004040BE
:00404053 8B46FC mov eax, dword ptr [esi-04]
:00404056 8B57FC mov edx, dword ptr [edi-04]
:00404059 29D0 sub eax, edx
:0040405B 7702 ja 0040405F
:0040405D 01C2 add edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040405B(C)
|
:0040405F 52 push edx
:00404060 C1EA02 shr edx, 02
:00404063 7426 je 0040408B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404081(C)
|
:00404065 8B0E mov ecx, dword ptr [esi] <== the first four characters of the real code go into ecx
:00404067 8B1F mov ebx, dword ptr [edi] <== the first four characters of the fake code go into ebx
:00404069 39D9 cmp ecx, ebx <== compare the first four characters of real and fake
:0040406B 7558 jne 004040C5
:0040406D 4A dec edx
:0040406E 7415 je 00404085 <==jump to 00404085
:00404070 8B4E04 mov ecx, dword ptr [esi+04]
:00404073 8B5F04 mov ebx, dword ptr [edi+04]
:00404076 39D9 cmp ecx, ebx
:00404078 754B jne 004040C5
:0040407A 83C608 add esi, 00000008
:0040407D 83C708 add edi, 00000008
:00404080 4A dec edx
:00404081 75E2 jne 00404065
:00404083 EB06 jmp 0040408B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040406E(C)
|
:00404085 83C604 add esi, 00000004 <==esi=esi+4
:00404088 83C704 add edi, 00000004 <==edi=edi+4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404063(C), :00404083(U)
|
:0040408B 5A pop edx
:0040408C 83E203 and edx, 00000003
:0040408F 7422 je 004040B3
:00404091 8B0E mov ecx, dword ptr [esi] <== four bytes starting at the fifth character of the real code go into ecx
:00404093 8B1F mov ebx, dword ptr [edi] <== four bytes starting at the fifth character of the fake code go into ebx
:00404095 38D9 cmp cl, bl <== compare the fifth character of fake and real
:00404097 7541 jne 004040DA
:00404099 4A dec edx
:0040409A 7417 je 004040B3
:0040409C 38FD cmp ch, bh <== compare the sixth character of fake and real
:0040409E 753A jne 004040DA
:004040A0 4A dec edx
:004040A1 7410 je 004040B3 <== jump to 004040B3
:004040A3 81E30000FF00 and ebx, 00FF0000
:004040A9 81E10000FF00 and ecx, 00FF0000
:004040AF 39D9 cmp ecx, ebx
:004040B1 7527 jne 004040DA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040408F(C), :0040409A(C), :004040A1(C)
|
:004040B3 01C0 add eax, eax
:004040B5 EB23 jmp 004040DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040404D(C)
|
:004040B7 8B57FC mov edx, dword ptr [edi-04]
:004040BA 29D0 sub eax, edx
:004040BC EB1C jmp 004040DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404051(C)
|
:004040BE 8B46FC mov eax, dword ptr [esi-04]
:004040C1 29D0 sub eax, edx
:004040C3 EB15 jmp 004040DA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040406B(C), :00404078(C)
|
:004040C5 5A pop edx
:004040C6 38D9 cmp cl, bl
:004040C8 7510 jne 004040DA
:004040CA 38FD cmp ch, bh
:004040CC 750C jne 004040DA
:004040CE C1E910 shr ecx, 10
:004040D1 C1EB10 shr ebx, 10
:004040D4 38D9 cmp cl, bl
:004040D6 7502 jne 004040DA
:004040D8 38FD cmp ch, bh
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404045(C), :00404097(C), :0040409E(C), :004040B1(C), :004040B5(U)
|:004040BC(U), :004040C3(U), :004040C8(C), :004040CC(C), :004040D6(C)
|
:004040DA 5F pop edi
:004040DB 5E pop esi
:004040DC 5B pop ebx
:004040DD C3 ret
The annotated lines show the execution path when the entered code is correct. In fact, at 0040403F the SoftIce command "d eax" already shows the real code in the data window; the annotations are there to make clearer how the program verifies the code you entered.
My code: 7ERE55
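As an added illustration (not code from this tutorial or from LockDown 2000), here is a Python mirror of the compare routine at 0040403C as the annotated listing describes it (length difference first, then the common prefix a dword at a time, then the 1-3 tail bytes), followed by the kind of digest comparison a vendor would use so that the real code is not sitting in plain text at the compare site. The function names and the sample strings are constructed for this example.

```python
import hashlib
import hmac


def lstrcmp_0040403C(real: bytes, fake: bytes) -> int:
    """Mirror of the routine at 0040403C (a Delphi long-string compare).
    Returns 0 only when both strings are identical; any non-zero value
    means the caller's 'jne 004C5146' is taken and registration fails."""
    if real is fake:                      # cmp eax, edx / je 004040DA
        return 0
    if not real:                          # test esi, esi / je 004040B7
        return -len(fake)
    if not fake:                          # test edi, edi / je 004040BE
        return len(real)
    len_diff = len(real) - len(fake)      # mov eax,[esi-4]; sub eax,[edi-4]
    n = min(len(real), len(fake))         # add edx, eax: length of the shorter
    # 00404065..00404081: compare the common prefix one dword at a time
    for i in range(0, n - n % 4, 4):
        if real[i:i + 4] != fake[i:i + 4]:
            # 004040C5: locate the first differing byte inside the dword
            j = next(k for k in range(4) if real[i + k] != fake[i + k])
            return real[i + j] - fake[i + j]
    # 00404091..004040AF: compare the remaining 1-3 tail bytes
    for i in range(n - n % 4, n):
        if real[i] != fake[i]:
            return real[i] - fake[i]
    return len_diff                       # add eax, eax: ZF only if lengths match


def digest_of(code: bytes) -> bytes:
    """What a vendor would store instead of the code itself (constructed)."""
    return hashlib.sha256(code).digest()


def check_code_hashed(entered: bytes, stored_digest: bytes) -> bool:
    """Defensive alternative (constructed, not LockDown's code): only a
    digest of the unlock code is kept, so 'd eax' at the compare site
    shows a digest rather than the code, and the compare is constant-time."""
    return hmac.compare_digest(digest_of(entered), stored_digest)


if __name__ == "__main__":
    REAL, FAKE = b"ABCD12", b"12121212"   # constructed sample values
    print("plain compare:", lstrcmp_0040403C(REAL, FAKE))       # non-zero
    print("hashed check:", check_code_hashed(FAKE, digest_of(REAL)))  # False
```

Hashing hides the code from the data window but does nothing about the single boolean result that Part 2 below patches; a check whose outcome gates ten callers is only as strong as those three bytes.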
Part 2 The quick method
Clue
When I downloaded the program from the company's home page, I was told that the trial version can only detect hacker programs, not remove them.
Disassemble LockDown2000.exe in W32Dasm and click "String Data References" on the toolbar to bring up the strings the program references. You will see that the program references a very large number of strings, so be patient and work through them bit by bit until you find this part:
"tcp is the only protocol supported "
"tcp"
"test.txt"
"text/html"
"TextHeight"
"Thank you for registering LockDown "
"The trial period on this demo "
"The unlock code you have entered "
"time to live expired"
"To enable LockDown 2000 trojan " <== this line
"Too many levels of remote in path"
"Too many levels of symbolic links"
"Too many open files"
"Too many processes"
"Too many references: can't splice"
"Too many users"
"too much data availaible"
Double-click this line and the main window shows the code that references this string:
:004C5617 E83CE2FDFF call 004A3858
:004C561C 84C0 test al, al
:004C561E 751A jne 004C563A <==
* Possible StringData Ref from Code Obj ->"To enable LockDown 2000 trojan "
->"removal and repair features, you "
->"must first purchase a license "
->"for this computer."
|
:004C5620 B858564C00 mov eax, 004C5658
:004C5625 E83E10F9FF call 00456668
:004C562A A11CEB4C00 mov eax, dword ptr [004CEB1C]
:004C562F 8B00 mov eax, dword ptr [eax]
From 004C5617 to 004C561E is once again the classic call/test/conditional jump. Let's go into that call: click the line 004C5617 so the window highlights it, then click "Execute Call" on the toolbar, and the window shows the following code:
* Referenced by a CALL at Addresses:
|:004A457F , :004A46A6 , :004A4B70 , :004A507F , :004B78F5
|:004BD0A1 , :004BE69C , :004C3F12 , :004C5617 , :004C5773
|
:004A3858 55 push ebp
:004A3859 8BEC mov ebp, esp
:004A385B 6A00 push 00000000
:004A385D 6A00 push 00000000
:004A385F 53 push ebx
:004A3860 33C0 xor eax, eax
:004A3862 55 push ebp
:004A3863 68E9384A00 push 004A38E9
:004A3868 64FF30 push dword ptr fs:[eax]
:004A386B 648920 mov dword ptr fs:[eax], esp
:004A386E B201 mov dl, 01
:004A3870 A15C974700 mov eax, dword ptr [0047975C]
:004A3875 E82260FDFF call 0047989C
:004A387A 8BD8 mov ebx, eax
:004A387C BA02000080 mov edx, 80000002
:004A3881 8BC3 mov eax, ebx
:004A3883 E8AC60FDFF call 00479934
:004A3888 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Harbor Telco\LockDown "
->"2000 v3.0\3.0.1.1"
|
:004A388A BA00394A00 mov edx, 004A3900
:004A388F 8BC3 mov eax, ebx
:004A3891 E80261FDFF call 00479998
:004A3896 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Register"
|
:004A3899 BA3C394A00 mov edx, 004A393C
:004A389E 8BC3 mov eax, ebx
:004A38A0 E8EB64FDFF call 00479D90
:004A38A5 8BC3 mov eax, ebx
:004A38A7 E85860FDFF call 00479904
:004A38AC 8BC3 mov eax, ebx
:004A38AE E869F7F5FF call 0040301C
:004A38B3 8D45F8 lea eax, dword ptr [ebp-08]
:004A38B6 E89DFBFFFF call 004A3458
:004A38BB 8B55F8 mov edx, dword ptr [ebp-08]
:004A38BE 8B45FC mov eax, dword ptr [ebp-04]
:004A38C1 E87607F6FF call 0040403C
:004A38C6 7504 jne 004A38CC
:004A38C8 B301 mov bl, 01
:004A38CA EB02 jmp 004A38CE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38C6(C)
|
:004A38CC 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38CA(U)
|
:004A38CE 33C0 xor eax, eax
:004A38D0 5A pop edx
:004A38D1 59 pop ecx
:004A38D2 59 pop ecx
:004A38D3 648910 mov dword ptr fs:[eax], edx
:004A38D6 68F0384A00 push 004A38F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38EE(U)
|
:004A38DB 8D45F8 lea eax, dword ptr [ebp-08]
:004A38DE BA02000000 mov edx, 00000002
:004A38E3 E8EC03F6FF call 00403CD4
:004A38E8 C3 ret
See? This code reads the registration information from the registry key
HKEY_LOCAL_MACHINE\Software\Harbor Telco\LockDown 2000 v3.0\3.0.1.1\Register
and, if it exists, checks that it is valid; if everything is OK it sets the return value al=1. You will also notice that this routine is referenced by 10 calls, which means the program checks whether you are registered in 10 different places.
I did not analyze this code any further. To make every call that references this routine believe the program is registered, the simplest method is to change the code at 004A3858, in order, to (1) mov al, 01 (2) ret.
After the change, run the program again: bingo! The program is 100% registered!
----------=======The Patch========----------
In the file LockDown2000.exe, at offset 0xA2C58, change 558BEC to B001C3.