方正飛騰3.1加密狗破解過程-----淺談Sentinel Super Pro的加密演算法 (14千字)
標 題:方正飛騰3.1加密狗破解過程-----淺談Sentinel Super Pro的加密演算法 (14千字)
發信人:crackjack
時 間:2001-10-14 16:15:45
詳細資訊:
Sentinel superpro是加密強度很高的產品,如果用得好,在沒有狗的情況下解它幾乎是沒有可能,這次解它是帶狗來破它的(
真的狗小弟買不起,只好用人家的模擬狗,用模擬狗來破小弟是頭一回,呵呵),小弟旨在透過本文,讓各位朋友瞭解SUPERPRO
的加密演算法和在帶狗的情況下破解軟體。
工具:
Trw2000
Hview
IDA(w32dasm在反彙編大檔案時會死掉,不知哪位朋友有什麼好的方法解決)
好,我們用最常見的方法中斷程式:bpio
378,中斷後返回到主程式,而且我們知道狗驅動是sx32w.dll:
.text:00951A32
push offset unk_B99568
.text:00951A37
call RNBOsproFormatPacket
<=====初始化狗資料
.text:00951A3C
movzx eax, ax
.text:00951A3F
test eax, eax
.text:00951A41
jz short loc_951A49
.text:00951A43 xor
eax, eax
.text:00951A45
add esp, 4
.text:00951A48
retn
.text:00951A49 ; ---------------------------------------------------------------------------
.text:00951A49
.text:00951A49 loc_951A49:
; CODE XREF:
sub_951A10+31j
.text:00951A49
push offset unk_B99568
.text:00951A4E
call RNBOsproInitialize
<=====初始化函式
.text:00951A53
movzx eax, ax <=====返回到這裡
.text:00951A56
test eax, eax
.text:00951A58 jz
short loc_951A60
.text:00951A5A
xor eax, eax
.text:00951A5C
add esp, 4
.text:00951A5F retn
.text:00951A60 ; ---------------------------------------------------------------------------
.text:00951A60
.text:00951A60 loc_951A60:
; CODE XREF: sub_951A10+48j
.text:00951A60
push 0A9ACh
.text:00951A65 push
offset unk_B99568
.text:00951A6A
call RNBOsproFindFirstUnit <=====查詢狗,如果有則返回0
.text:00951A6F movzx
eax, ax <=====這裡可以改為xor
eax,eax nop
.text:00951A72
test eax, eax
.text:00951A74
jz short loc_951A7C
.text:00951A76 xor
eax, eax
.text:00951A78
add esp, 4
.text:00951A7B
retn
.text:00951A7C ; ---------------------------------------------------------------------------
.text:00951A7C
.text:00951A7C loc_951A7C:
; CODE XREF:
sub_951A10+64j
.text:00951A7C
; sub_951A10+95j
.text:00951A7C
push offset unk_B99568
.text:00951A81
call sub_951AC0
<=====F8進入---------------------1
.text:00951A86
add esp, 4
.text:00951A89
test eax, eax
.text:00951A8B
jz short loc_951A96
.text:00951A8D
call sub_951B20
<=====F8進入---------------------2
.text:00951A92
test eax, eax
.text:00951A94
jnz short loc_951AAD
進入1處的CALL:
.text:00951AC0
mov eax, [esp+arg_0]
.text:00951AC4
push eax
.text:00951AC5
call sub_951AE0
<=====F8進入
.text:00951ACA
add esp, 4
.text:00951ACD
sub eax, 4
.text:00951AD0
cmp eax, 1
.text:00951AD3 sbb
eax, eax
.text:00951AD5
neg eax
.text:00951AD7
retn
.text:00951AD7 sub_951AC0 endp
.text:00951AD7
.text:00951AD7 ; ---------------------------------------------------------------------------
.text:00951AD8
align 10h
.text:00951AE0
.text:00951AE0 ; =============== S U B R O U T I N E =======================================
.text:00951AE0
.text:00951AE0
.text:00951AE0
sub_951AE0 proc near
; CODE XREF: sub_951AC0+5p
.text:00951AE0
.text:00951AE0 var_E
= dword ptr -0Eh
.text:00951AE0 var_2
= byte ptr -2
.text:00951AE0 arg_0
= dword ptr 4
.text:00951AE0
.text:00951AE0
mov eax, [esp+arg_0]
.text:00951AE4 sub
esp, 4
.text:00951AE7
test eax, eax
.text:00951AE9
jnz short loc_951AF1
.text:00951AEB
xor eax, eax
.text:00951AED add
esp, 4
.text:00951AF0
retn
.text:00951AF1 ; ---------------------------------------------------------------------------
.text:00951AF1
.text:00951AF1 loc_951AF1:
; CODE XREF: sub_951AE0+9j
.text:00951AF1 lea
ecx, [esp+4+var_2]
.text:00951AF5
push ecx
.text:00951AF6
push 8
.text:00951AF8
push eax
.text:00951AF9
call RNBOsproRead
<=====讀狗,如果正確,ax=0,[151FC3A]=4
.text:00951AFE
movzx eax, ax
<=====改為PUSH 0 POP EAX
.text:00951B01
test eax, eax
.text:00951B03
jz short
loc_951B0B
.text:00951B05
xor eax, eax
.text:00951B07
add esp, 4
.text:00951B0A
retn
.text:00951B0B ; ---------------------------------------------------------------------------
.text:00951B0B
.text:00951B0B loc_951B0B:
; CODE XREF:
sub_951AE0+23j
.text:00951B0B
mov eax, [esp+10h+var_E]
.text:00951B0F
add esp, 4
.text:00951B12 and
eax, 0FFFFh <=====改mov eax,4
.text:00951B17
retn
進入2處的CALL:
.text:00951B2C push
esi
.text:00951B2D
push edi
.text:00951B2E
push 10h
.text:00951B30
push eax
.text:00951B31
push ecx
.text:00951B32
push offset unk_B84C90
.text:00951B37 push
10h
.text:00951B39
push offset unk_B99568
.text:00951B3E
call RNBOsproQuery
<=====查詢加密狗中的資料,如果成功則AX返回0
.text:00951B43
movzx ecx, ax <=====改push
0 pop eax
.text:00951B46
test ecx, ecx
.text:00951B48
jz short loc_951B53
.text:00951B4A
xor eax, eax
.text:00951B4C pop
edi
.text:00951B4D
pop esi
.text:00951B4E
pop ebx
.text:00951B4F
add esp, 14h
.text:00951B52
retn
.text:00951B53 ; ---------------------------------------------------------------------------
.text:00951B53
.text:00951B53 loc_951B53:
; CODE XREF:
sub_951B20+28j
.text:00951B53
xor eax, eax
.text:00951B55
.text:00951B55 loc_951B55:
; CODE XREF: sub_951B20+47j
.text:00951B55
mov ecx, dword ptr unk_B84CA0[eax]
.text:00951B5B cmp
[esp+eax+38h+var_28], ecx <=====比較查詢結果
.text:00951B5F
jnz short loc_951BD4
<=====不相等就跳,改為NOP NOP
.text:00951B61
add eax, 4
.text:00951B64
cmp eax, 10h
.text:00951B67
jl short loc_951B55
.text:00951B69 xor
esi, esi
.text:00951B6B
call _rand
.text:00951B70
mov edi, eax
.text:00951B72
xor ebx, ebx
.text:00951B74
.text:00951B74 loc_951B74:
; CODE XREF: sub_951B20+76j
.text:00951B74 lea
eax, [edi+esi]
.text:00951B77
inc esi
.text:00951B78
cdq
.text:00951B79
xor eax, edx
.text:00951B7B
sub eax, edx
.text:00951B7D and
eax, 0Fh
.text:00951B80
xor eax, edx
.text:00951B82
sub eax, edx
.text:00951B84
shl eax, 2
.text:00951B87 mov
dword_B84CB0[eax], ebx
.text:00951B8D
call ds:off_B07B28[eax]
.text:00951B93
cmp esi, 10h
.text:00951B96 jl
short loc_951B74
.text:00951B98
mov eax, dword_B84CF0
.text:00951B9D
push eax
.text:00951B9E
push 10h
.text:00951BA0
push offset unk_B99568
.text:00951BA5 call
sub_951120
<=====F8進入
.text:00951BAA
mov [esp+44h+var_2C], eax
.text:00951BAE
add esp, 0Ch
.text:00951BB1 mov
eax, dword_B84CF4
.text:00951BB6
xor [esp+38h+var_2C], eax
.text:00951BBA
mov eax, [esp+38h+var_2C]
.text:00951BBE and
eax, 0Fh
.text:00951BC1
cmp dword_B84CB0[eax*4], 0 <=====比較標誌
.text:00951BC9 jnz
short loc_951BDD <=====不相等就跳,改為JMPS
short loc_951BDD
.text:00951BCB
xor eax, eax
.text:00951BCD
pop edi
.text:00951BCE
pop esi
.text:00951BCF
pop ebx
.text:00951BD0
add esp, 14h
.text:00951BD3 retn
進入951BA5的CALL:
.text:00951120
mov ecx, [esp+arg_0]
.text:00951124
sub esp, 8
.text:00951127 test
ecx, ecx
.text:00951129
jnz short loc_951133
.text:0095112B
mov eax, [esp+8+arg_8]
.text:0095112F
add esp, 8
.text:00951132 retn
.text:00951133 ; ---------------------------------------------------------------------------
.text:00951133
.text:00951133 loc_951133:
; CODE XREF: sub_951120+9j
.text:00951133
lea eax, [esp+8+var_4]
.text:00951137 push
4
.text:00951139
lea edx, [esp+0Ch+var_8]
.text:0095113D
push eax
.text:0095113E
lea eax, [esp+10h+arg_8]
.text:00951142 push
edx
.text:00951143
mov edx, [esp+14h+arg_4]
.text:00951147
push eax
.text:00951148
push edx
.text:00951149
push ecx
.text:0095114A
call RNBOsproQuery
<=====查詢加密狗中的資料,如果成功則AX返回0
.text:0095114F
movzx ecx, ax
<=====改push 0 pop eax
.text:00951152
test ecx, ecx
.text:00951154
jz short
loc_95115E
.text:00951156
mov eax, [esp+20h+var_C]
.text:0095115A
add esp, 8
.text:0095115D
retn
.text:0095115E ; ---------------------------------------------------------------------------
.text:0095115E
.text:0095115E loc_95115E:
; CODE XREF:
sub_951120+34j
.text:0095115E
mov eax, [esp+20h+var_20]
.text:00951162
add esp, 8
.text:00951165
retn
下面的部份是關鍵的部份:
.text:00951BDD loc_951BDD:
; CODE XREF: sub_951B20+A9j
.text:00951BDD mov
eax, dword_B84CF8
.text:00951BE2
push eax
.text:00951BE3
push 10h
.text:00951BE5
push offset unk_B99568
.text:00951BEA call
sub_951120
.text:00951BEF
mov [esp+44h+var_2C], eax
.text:00951BF3
add esp, 0Ch
.text:00951BF6 mov
eax, dword_B84CFC
.text:00951BFB
xor [esp+38h+var_2C], eax
.text:00951BFF
mov eax, dword_B84D00
.text:00951C04 mov
esi, [esp+38h+var_2C]
.text:00951C08
push eax
.text:00951C09
add esi, dword_B9996C
<=====改為mov esi,00951940 NOP
.text:00951C0F
push 12h
.text:00951C11
push offset unk_B99568
.text:00951C16 call
sub_951120
.text:00951C1B
mov [esp+44h+var_2C], eax
.text:00951C1F
add esp, 0Ch
.text:00951C22 mov
eax, dword_B84D04
.text:00951C27
xor [esp+38h+var_2C], eax
.text:00951C2B
mov ecx, [esp+38h+var_2C]
.text:00951C2F push
ecx
.text:00951C30
call esi <=====這個地方就是主程式的入口,透過分析,如果沒有狗,這個地址是
錯誤的,程式會死掉,也就是說,程式必須用到加密狗的資料來算出入口地址,所以如果沒有狗,就沒辦法知道入口地址,除非你的反
推能力很好,就可以反推出它的入口地址.透過帶狗執行,可知入口地址是00951940.所以我們要讓ESI的數值為00951940
.text:00951C32
add esp, 4
.text:00951C35 pop
edi
.text:00951C36
pop esi
.text:00951C37
pop ebx
.text:00951C38
add esp, 14h
.text:00951C3B
retn
單步進入00951C30處的CALL:
.text:009519BB
mov ecx, dword_B8EAD8
.text:009519C1
shr ecx, 10h
.text:009519C4
push eax
.text:009519C5
or edx, ecx
.text:009519C7 lea
ecx, ds:0[esi*2]
.text:009519CE
inc ecx
<=====改為mov esi,0E4DBF5F6
.text:009519CF
imul edx, ecx <=====
.text:009519D2 add
esi, edx <=====
.text:009519D4
cmp esi, 0E4DBF5F6h
.text:009519DA jnz
short loc_9519E8
.text:009519DC
call sub_4493B0 <=====F8進入
.text:009519E1 add
esp, 4
.text:009519E4
pop edi
.text:009519E5
pop esi
.text:009519E6
pop ebx
.text:009519E7
retn
單步進入009519DC處的CALL:
.text:004493B0
push ebp
.text:004493B1
mov ebp, esp
.text:004493B3
push ecx
.text:004493B4
mov eax, [ebp+arg_0]
.text:004493B7 cmp
eax, dword_B8EAE0
.text:004493BD
jz short loc_4493C3 <=====改為JMPS
004493C3
.text:004493BF
xor eax, eax
.text:004493C1
jmp short loc_4493DD
至此全部的修改已完成,主程式可以在沒有真狗和假狗的條件下執行了,但透過我測試,只能在windows98下執行,在win2000下不能
執行,小弟沒有winice405 for NT版本,沒辦法破解出win2000的程式了.
透過這次破解,讓我們清楚不是所有的狗都可以在無狗的情況下破掉,如果程式用狗裡面的資料來運算的話,沒有狗是沒有辦法破
解它的.
如果有什麼錯誤的地方,歡迎各位大蝦指正.
寫完這一篇之後,小弟要休息一段時間了,希望下次的文章是解HASP的加密狗,那要看小弟的學習進度如何了.