WinRip 2.0保護機制分析及其補丁製作 (9千字)

WinRip 2.0保護機制分析及其補丁製作

工具：ollydbg 1.07a
平臺：Windows 2000 Professional

該軟體在試用期（30天）過後，將會出現NAG，功能也會受到限制。根據這一現象，在GetSystemTime處設斷，執行程式，被攔截後一步一步返回到了這裡（0040ce45）：

0040CDF8 /$ B8 18884300 MOV EAX,WinRip.00438818
0040CDFD |. E8 2EEB0000 CALL WinRip.0041B930
0040CE02 |. 83EC 68 SUB ESP,68
0040CE05 |. 53 PUSH EBX
0040CE06 |. 56 PUSH ESI
0040CE07 |. BB 7CBA4300 MOV EBX,WinRip.0043BA7C
0040CE0C |. 57 PUSH EDI
0040CE0D |. 8BF1 MOV ESI,ECX
0040CE0F |. 895D D4 MOV [LOCAL.11],EBX
0040CE12 |. E8 94E0FFFF CALL WinRip.0040AEAB
0040CE17 |. 33FF XOR EDI,EDI
0040CE19 |. 8D4D D4 LEA ECX,[LOCAL.11]
0040CE1C |. 57 PUSH EDI ; /Arg2 => 00000000
0040CE1D |. 50 PUSH EAX ; |Arg1
0040CE1E |. E8 FFF8FFFF CALL WinRip.0040C722 ; \WinRip.0040C722
0040CE23 |. 57 PUSH EDI
0040CE24 |. 897D FC MOV [LOCAL.1],EDI
0040CE27 |. FF15 14AA4300 CALL [DWORD DS:<&ole32.CoInitialize>] ; ole32.CoInitialize
0040CE2D |. 3BC7 CMP EAX,EDI
0040CE2F |. 8945 F0 MOV [LOCAL.4],EAX
0040CE32 |. 7C 7B JL SHORT WinRip.0040CEAF
0040CE34 |. 8D45 EC LEA EAX,[LOCAL.5]
0040CE37 |. 50 PUSH EAX
0040CE38 |. 68 E4B74300 PUSH WinRip.0043B7E4
0040CE3D |. 6A 01 PUSH 1
0040CE3F |. 57 PUSH EDI
0040CE40 |. 68 44B84300 PUSH WinRip.0043B844
0040CE45 |. FF15 0CAA4300 CALL [DWORD DS:<&ole32.CoCreateInstance>>; ole32.CoCreateInstance <取得系統時間>
0040CE4B |. 3BC7 CMP EAX,EDI
0040CE4D |. 8945 F0 MOV [LOCAL.4],EAX
0040CE50 |. 7C 57 JL SHORT WinRip.0040CEA9
0040CE52 |. 6A 40 PUSH 40 ; /n = 40 (64.)
0040CE54 |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE57 |. 57 PUSH EDI ; |c
0040CE58 |. 50 PUSH EAX ; |s
0040CE59 |. 897D 90 MOV [LOCAL.28],EDI ; |
0040CE5C |. E8 F5EA0000 CALL <JMP.&MSVCRT.memset> ; \memset
0040CE61 |. 8D86 F0000000 LEA EAX,[DWORD DS:ESI+F0]
0040CE67 |. 6A 40 PUSH 40 ; /maxlen = 40 (64.)
0040CE69 |. 50 PUSH EAX ; |src
0040CE6A |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE6D |. 50 PUSH EAX ; |dest
0040CE6E |. FF15 E4A74300 CALL [DWORD DS:<&MSVCRT.strncpy>] ; \strncpy
0040CE74 |. 8B86 30010000 MOV EAX,[DWORD DS:ESI+130]
0040CE7A |. 83C4 18 ADD ESP,18
0040CE7D |. 8945 90 MOV [LOCAL.28],EAX
0040CE80 |. C745 8C 050000>MOV [LOCAL.29],5
0040CE87 |. E8 48000000 CALL WinRip.0040CED4 <進去看看,參考下面>
0040CE8C |. 8B4D EC MOV ECX,[LOCAL.5]
0040CE8F |. 50 PUSH EAX <引數1:如果為0則導致過期，正常值應該是1E>
0040CE90 |. FF75 08 PUSH [ARG.1]
0040CE93 |. 8D45 8C LEA EAX,[LOCAL.29]
0040CE96 |. 8B11 MOV EDX,[DWORD DS:ECX]
0040CE98 |. 50 PUSH EAX
0040CE99 |. 51 PUSH ECX
0040CE9A |. FF52 10 CALL [DWORD DS:EDX+10] <此處呼叫了appregag.10003c31,根據引數1,是否出現NAG並是否限制功能>
0040CE9D |. 8945 F0 MOV [LOCAL.4],EAX
0040CEA0 |. 8B45 EC MOV EAX,[LOCAL.5]
0040CEA3 |. 50 PUSH EAX
0040CEA4 |. 8B08 MOV ECX,[DWORD DS:EAX]
0040CEA6 |. FF51 08 CALL [DWORD DS:ECX+8]
0040CEA9 |> FF15 10AA4300 CALL [DWORD DS:<&ole32.CoUninitialize>] ; ole32.CoUninitialize
0040CEAF |> 397D E8 CMP [LOCAL.6],EDI
0040CEB2 |. 5F POP EDI
0040CEB3 |. 895D D4 MOV [LOCAL.11],EBX
0040CEB6 |. 5E POP ESI
0040CEB7 |. 5B POP EBX
0040CEB8 |. 74 09 JE SHORT WinRip.0040CEC3
0040CEBA |. FF75 E8 PUSH [LOCAL.6] ; /hObject
0040CEBD |. FF15 ACA14300 CALL [DWORD DS:<&KERNEL32.CloseHandle>] ; \CloseHandle
0040CEC3 |> 8B4D F4 MOV ECX,[LOCAL.3]
0040CEC6 |. 8B45 F0 MOV EAX,[LOCAL.4]
0040CEC9 |. 64:890D 000000>MOV [DWORD FS:0],ECX
0040CED0 |. C9 LEAVE
0040CED1 \. C2 0400 RETN 4

=====<<由40CE87呼叫>>===================================================================
0040CED4 /$ 56 PUSH ESI
0040CED5 |. E8 D1DFFFFF CALL WinRip.0040AEAB
0040CEDA |. 50 PUSH EAX
0040CEDB |. E8 65DBFFFF CALL WinRip.0040AA45
0040CEE0 |. 8BF0 MOV ESI,EAX
0040CEE2 |. 59 POP ECX
0040CEE3 |. 85F6 TEST ESI,ESI
0040CEE5 |. 74 17 JE SHORT WinRip.0040CEFE
0040CEE7 |. 57 PUSH EDI
0040CEE8 |. 8BCE MOV ECX,ESI
0040CEEA |. E8 719A0200 CALL WinRip.00436960 <確定引數1的值,進出看看,必須在此前下斷點後,才能看到,是動態生成的>
0040CEEF |. 8BF8 MOV EDI,EAX
0040CEF1 |. 8B06 MOV EAX,[DWORD DS:ESI]
0040CEF3 |. 6A 01 PUSH 1
0040CEF5 |. 8BCE MOV ECX,ESI
0040CEF7 |. FF10 CALL [DWORD DS:EAX]
0040CEF9 |. 8BC7 MOV EAX,EDI
0040CEFB |. 5F POP EDI
0040CEFC |. 5E POP ESI
0040CEFD |. C3 RETN
0040CEFE |> 33C0 XOR EAX,EAX <如果執行了這一條,則出現NAG,功能也受到限制>
0040CF00 |. 5E POP ESI
0040CF01 \. C3 RETN

=====<<由40CEEA呼叫,注:此段程式碼是動態生成的>>============================
00436960 /$ 51 PUSH ECX
00436961 |. 56 PUSH ESI
00436962 |. 8D4424 04 LEA EAX,[DWORD SS:ESP+4]
00436966 |. 50 PUSH EAX ; /timer
00436967 |. 8BF1 MOV ESI,ECX ; |
00436969 |. FF15 D4A74300 CALL [DWORD DS:<&MSVCRT.time>] ; \time
0043696F |. 83C4 04 ADD ESP,4
00436972 |. 8BCE MOV ECX,ESI
00436974 |. E8 77FFFFFF CALL WinRip.004368F0 <在此call中的4368F9處的子過程中有取得磁碟卷序號的呼叫,
以及在436931處的子過程中有查詢登錄檔的呼叫>

00436979 |. 8B4C24 04 MOV ECX,[DWORD SS:ESP+4]
0043697D |. 2BC8 SUB ECX,EAX
0043697F |. B8 07452EC2 MOV EAX,C22E4507
00436984 |. F7E9 IMUL ECX
00436986 |. 8B46 14 MOV EAX,[DWORD DS:ESI+14] <值1E,即30(D)>
00436989 |. 03D1 ADD EDX,ECX
0043698B |. C1FA 10 SAR EDX,10
0043698E |. 8BCA MOV ECX,EDX
00436990 |. C1E9 1F SHR ECX,1F
00436993 |. 03D1 ADD EDX,ECX
00436995 |. 3BD0 CMP EDX,EAX
00436997 |. 5E POP ESI
00436998 |. 7E 04 JLE SHORT WinRip.0043699E <改成JMP SHORT WinRip.004369A4,所有限制將被去掉(程式碼EB07)>
0043699A |. 33C0 XOR EAX,EAX
0043699C |. 59 POP ECX
0043699D |. C3 RETN
0043699E |> 85D2 TEST EDX,EDX
004369A0 |. 7E 02 JLE SHORT WinRip.004369A4
004369A2 |. 2BC2 SUB EAX,EDX
004369A4 |> 59 POP ECX
004369A5 \. C3 RETN

=====<<由這裡解碼出上面的程式碼>>============================
00435F06 |> 3BCF CMP ECX,EDI <40c8f8-40cc2e,436200-436f50:解碼地址>
00435F08 |. 8B45 08 MOV EAX,[ARG.1] <B672AB32,78F03D5D:解碼初值>
00435F0B |. 73 3B JNB SHORT WinRip.00435F48
00435F0D |. 8D49 00 LEA ECX,[DWORD DS:ECX]
00435F10 |> 8B31 /MOV ESI,[DWORD DS:ECX] <取待解碼資料,傳給esi>
00435F12 |. 33F0 |XOR ESI,EAX <esi=esi ^ eax 這裡就是解碼核心的核心了>
00435F14 |. 8BD6 |MOV EDX,ESI <edx=esi>
00435F16 |. 03C2 |ADD EAX,EDX <eax=eax + edx>
00435F18 |. 8931 |MOV [DWORD DS:ECX],ESI <存入解碼後的資料>
00435F1A |. 8BD0 |MOV EDX,EAX <edx=eax>
00435F1C |. C1EA 06 |SHR EDX,6 <esi=edx % 0x40>
00435F1F |. 8BF0 |MOV ESI,EAX <esi=eax>
00435F21 |. 81E2 00F80700 |AND EDX,7F800 <edx=edx & 0x7f800>
00435F27 |. 81E6 00F80700 |AND ESI,7F800 <esi=esi & 0xf7800>
00435F2D |. 33D6 |XOR EDX,ESI <edx=edx^esi>
00435F2F |. 8BF0 |MOV ESI,EAX <esi=eax>
00435F31 |. C1EA 0B |SHR EDX,0B <edx=edx & 0x800>
00435F34 |. 81E6 FF000000 |AND ESI,0FF <esi=esi & 0xff>
00435F3A |. 33D6 |XOR EDX,ESI <edx=edx ^ esi>
00435F3C |. C1E0 08 |SHL EAX,8 <eax=eax * 0x100>
00435F3F |. 83C1 04 |ADD ECX,4 <ecx=ecx +0x4>
00435F42 |. 0BC2 |OR EAX,EDX <eax=eax | edx>
00435F44 |. 3BCF |CMP ECX,EDI <迴圈條件判斷>
00435F46 |.^72 C8 \JB SHORT WinRip.00435F10 <跳轉，取下一個待解碼資料>
00435F48 |> 5F POP EDI

補丁原理:
1、根據上面解碼原理編寫一個解碼過程 DeCode(Byte buff[]);
2、開啟“WinRip.exe”，把 436200-436f50這一段讀入Byte buff[0xD50] ，並對其用DeCode(Byte buff[])進行解碼；
3、修改 buff[0x998]、buff[0x999]中資料的值分別為eb 、07;
4、重新對buff[]用DeCode(Byte buff[])進行編碼(編碼、解碼是對稱的);
5、把buff[]寫回檔案；

至此，程式已經完全破解。

youth
2002-8-23

WinRip 2.0保護機制分析及其補丁製作 (9千字)

相關文章