如何破解深思Ⅲ加密狗!想解狗的朋友過來看了! (10千字)
目標: XX CAD設計軟體。
加密形式: 深思Ⅲ加密狗。
破解工具:Winice, Hiew, Wdasm893中文版。
作者:sworm
【破解過程】
㈠執行程式,顯示“Internal Error. 軟體出現致命錯誤,請檢查加密狗是否正確!”後退出。
㈡在Wice中Bpx Messageboxa,再執行程式,顯示上述資訊時彈出。按F12若干次回到呼叫處,可見是xxxxxrx呼叫ACAD.acrx_abort。
㈢反彙編xxxxxrx.arx檔案,得:
; acrxEntryPoint (export ordinal 2) -- W32Dasm listing excerpt, 32-bit x86.
; The first stack argument is used as a 1-based selector: values 1..5 are
; dispatched through the jump table at 1C05CFA0, anything else branches to
; 1C05CF9A. Neither the table contents nor 1C05CF9A appears in this excerpt.
; The path listed below calls acrxUnlockApplication, runs the dongle checks,
; and calls ACAD.acrx_abort with the error string when the last check returns 0.
; NOTE(review): the accept/reject outcome on this path rests on one
; zero/non-zero return value stored at [1C0FE088]; the surrounding article
; identifies Boolean-only checks that consume no dongle data as the weakness.
Exported fn(): acrxEntryPoint - Ord:0002h
:1C05CF00 8B442404 mov eax,
dword ptr [esp+04]
; selector - 1, then an unsigned range check (ja) before indexing the table
:1C05CF04 48
dec eax
:1C05CF05 83F804
cmp eax, 00000004
:1C05CF08 0F878C000000
ja 1C05CF9A
:1C05CF0E FF2485A0CF051C
jmp dword ptr [4*eax+1C05CFA0]
; presumably one of the jump-table targets (table not shown); forwards the
; second stack argument to acrxUnlockApplication
:1C05CF15 8B442408
mov eax, dword ptr [esp+08]
:1C05CF19 50
push eax
* Reference To: ACAD.acrxUnlockApplication, Ord:0D5Bh
|
:1C05CF1A E8BDC00800
Call 1C0E8FDC
:1C05CF1F 83C404
add esp, 00000004
; first probe via 1C0479F0; a zero result only triggers a second call whose
; return value is not tested in the visible code
:1C05CF22 E8C9AAFEFF
call 1C0479F0
:1C05CF27 85C0
test eax, eax
:1C05CF29
7505 jne
1C05CF30
:1C05CF2B E8C0AAFEFF
call 1C0479F0
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:1C05CF29(C)
|
:1C05CF30 E84BFEFFFF
call 1C05CD80
:1C05CF35 E8A6A8FEFF
call 1C0477E0
; the result of 1C046B40 is saved at [1C0FE088]; non-zero continues at
; 1C05CF69 (not shown), zero falls through to the error path below
:1C05CF3A E8019CFEFF
call 1C046B40
:1C05CF3F A388E00F1C
mov dword ptr [1C0FE088], eax
:1C05CF44
85C0 test
eax, eax
:1C05CF46 7521
jne 1C05CF69
; error path: two helper calls, then acrx_abort with the message at 1C0F5688
:1C05CF48 6A00
push 00000000
:1C05CF4A 6A04
push 00000004
:1C05CF4C
E82FAAFEFF call 1C047980
:1C05CF51 83C408
add esp, 00000008
:1C05CF54 E807ABFEFF
call 1C047A60
* Possible StringData Ref from Data Obj
->"
軟體出現致命錯誤,請檢查加密狗是否正確!"========>就在這!
|
:1C05CF59 6888560F1C push
1C0F5688
* Reference To: ACAD.acrx_abort, Ord:0D5Dh
|
:1C05CF5E E8CBBF0800
Call 1C0E8F2E
:1C05CF63 83C404
add esp, 00000004
; returns 0 after the abort call
:1C05CF66 33C0
xor eax, eax
:1C05CF68 C3
ret
㈣在顯示錯誤前,ACAD.acrxUnlockApplication下面,有:
1C05CF22 E8C9AAFEFF
call 1C0479F0-------看call 1C046B40也可
檢視該處指令,見:
; Function at 1C0479F0: dongle presence probe; every listed path returns
; 1 or 0 in eax. Reserves 0x60 bytes of stack and uses the start of that
; area as the request block handed to the wrapper at 1C0E9140.
; The result of 1C067580 selects the branch (the author's annotation reads
; the zero case as the TDMD dongle).
; NOTE(review): the three words the author labels as application passwords,
; and the FFFF word labelled as the open command, are immediates in the
; instruction stream, so static disassembly alone reveals them.
:1C0479F0 83EC60 sub
esp, 00000060
:1C0479F3 E888FB0100
call 1C067580
:1C0479F8 85C0
test eax, eax
:1C0479FA 7507
jne 1C047A03-------------à是否為TDMD狗?
; 1C067580 returned 0: eax = 1 and skip the request entirely
:1C0479FC B801000000 mov
eax, 00000001
:1C047A01 EB31
jmp 1C047A34
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:1C0479FA(C)
|
; fill the request block: words at +04/+06/+08, command word at +02
:1C047A03 66C7442404AF07
mov [esp+04], 07AFDDD>應用口令
:1C047A0A 66C74424060700
mov [esp+06], 0007DDD>應用口令
:1C047A11 66C74424081A00
mov [esp+08], 001ADDD>應用口令
:1C047A18 66C7442402FFFF
mov [esp+02], FFFFDDDD>開鎖
; pass the address of the block to the wrapper
:1C047A1F 8D442400
lea eax, dword ptr [esp]
:1C047A23 50
push eax
:1C047A24 E817170A00
call 1C0E9140DDDDD★
; word [esp] is the first field of the block; cmp/sbb/and yields eax = 2
; when that word is 0 and eax = 0 otherwise
:1C047A29 66837C240001
cmp word ptr [esp], 0001
:1C047A2F 1BC0
sbb eax, eax
:1C047A31 83E002
and eax, 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A01(U)
|
; eax == 1: return 1
:1C047A34 83F801
cmp eax, 00000001
:1C047A37 7509
jne 1C047A42
:1C047A39 B801000000
mov eax, 00000001
:1C047A3E 83C460
add esp, 00000060
:1C047A41 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:1C047A37(C)
|
; eax == 2: one further call to 1C05D0C0 (body not shown in this listing)
:1C047A42 83F802
cmp eax, 00000002DDDDD>是否sense3狗
:1C047A45
7511 jne
1C047A58
:1C047A47 E874560100
call 1C05D0C0
; cmp/sbb/neg: returns 1 when ax is 0, otherwise 0
:1C047A4C 663D0100
cmp ax, 0001
:1C047A50 1BC0
sbb eax, eax
:1C047A52 83C460
add esp, 00000060
:1C047A55
F7D8 neg
eax
:1C047A57 C3
ret
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:1C047A45(C)
|
; any other value: return 0
:1C047A58 33C0
xor eax, eax
:1C047A5A 83C460
add esp, 00000060
:1C047A5D C3
ret
標誌(★)處即為sense3狗操作函式。呼叫返回後,若[esp]處的字為0,表示有狗。又是一個拿生日作口令的!
㈤檢視1C0E9140處程式,見:
; Function at 1C0E9140: thin wrapper around 1C0E93B0. The reference list
; below shows 17 call sites in this module.
; Takes one stack argument (the callers listed in this article push the
; address of a request block), forwards it together with a constant 1,
; removes the two forwarded parameters itself, and pops its own argument
; with `ret 0004`.
; NOTE(review): because every dongle operation passes through this one
; routine, its cross-reference list enumerates every check in the module.
; That makes the wrapper a single point of failure for the protection.
* Referenced by a CALL at Addresses
|:1C046774 , :1C0467EA
, :1C046A26 , :1C046B75 , :1C046C96
|:1C046DD6 ,
:1C046F16 , :1C047065 , :1C047176 , :1C0472B6
|:1C047817
, :1C047A24 , :1C047A94 , :1C05D0E9 , :1C05D10E
|:1C05D1D6
, :1C05D2B0
|
:1C0E9140 8B442404
mov eax, dword ptr [esp+04]
:1C0E9144 6A01
push 00000001
:1C0E9146
50
push eax
:1C0E9147 E864020000
call 1C0E93B0
:1C0E914C 83C408
add esp, 00000008
:1C0E914F C20400
ret 0004
由reference表,知有17處加密狗操作。
前14處均為開鎖操作,第15處為關鎖操作,最後兩處為狗操作,必然在開鎖操作之後,我們隨便觀察一處開鎖:
; Function at 1C046B40: dongle check called from eight sites, including
; acrxEntryPoint (1C05CF3A). The listed paths return 1 or 0 in eax.
; It repeats the request sequence of 1C0479F0 with the block at [esp+04]
; (edi has been pushed after the frame was reserved). It then calls 1C05D270
; with two constant arguments and compares the 32-bit result with fixed constants.
; The listing skips 1C046B8E..1C046C11, so the eax == 1 path is not shown.
; NOTE(review): constant inputs and a constant expected answer reduce this
; check to a yes/no test; nothing returned by the dongle is used afterwards
; in the visible code.
* Referenced by
a CALL at Addresses:
|:1C0101AA , :1C0156C0 , :1C026A29
, :1C05CF3A , :1C06D469
|:1C0720C7 , :1C0CC80A ,
:1C0D65DA
|
:1C046B40 83EC64
sub esp, 00000064
:1C046B43 57
push edi
:1C046B44
E8370A0200 call 1C067580
:1C046B49 85C0
test eax, eax-------------à是否為TDMD狗?
:1C046B4B 7507
jne 1C046B54
; 1C067580 returned 0: eax = 1 and skip the request
:1C046B4D B801000000
mov eax, 00000001
:1C046B52 EB31
jmp 1C046B85
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B4B(C)
|
; fill the request block (same four words as in 1C0479F0, offsets +4)
:1C046B54 66C7442408AF07
mov [esp+08], 07AF
:1C046B5B 66C744240A0700
mov [esp+0A], 0007
:1C046B62 66C744240C1A00
mov [esp+0C], 001A
:1C046B69 66C7442406FFFF
mov [esp+06], FFFF
:1C046B70 8D442404
lea eax, dword ptr [esp+04]
:1C046B74 50
push eax
:1C046B75
E8C6250A00 call 1C0E9140DDDsense3函式
; first word of the block: eax = 2 when it is 0, otherwise eax = 0
:1C046B7A 66837C240401 cmp word
ptr [esp+04], 0001
:1C046B80 1BC0
sbb eax, eax
:1C046B82 83E002
and eax, 00000002
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B52(U)
|
; eax != 1 continues at 1C046C12; the fall-through code is omitted here
:1C046B85 83F801
cmp eax, 00000001
:1C046B88 0F8584000000
jne 1C046C12
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:1C046B88(C)
|
:1C046C12 83F802
cmp eax, 00000002DDDsense3狗?
:1C046C15 753F
jne 1C046C56
; two constant arguments; 114B is pushed last, so it is the first argument
:1C046C17 68164C0000
push 00004C16
:1C046C1C 684B110000
push 0000114B
:1C046C21 E84A660100
call 1C05D270DDDD幹嗎的?
:1C046C26 83C408
add esp, 00000008
; split the result: ecx = low 16 bits, eax = high 16 bits kept in place;
; both halves must equal their constants for the function to return 1
:1C046C29 8BC8
mov ecx, eax
:1C046C2B 81E1FFFF0000
and ecx, 0000FFFF
:1C046C31 250000FFFF
and eax, FFFF0000
:1C046C36 3D0000DF00
cmp eax, 00DF0000
:1C046C3B 7512
jne 1C046C4F
:1C046C3D
81F937220000 cmp ecx, 00002237
:1C046C43
750A jne
1C046C4F
:1C046C45 B801000000
mov eax, 00000001DD好狗由此返回
:1C046C4A 5F
pop edi
:1C046C4B 83C464
add esp, 00000064
:1C046C4E C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:1C046C3B(C), :1C046C43(C)
|
; either half mismatched: return 0
:1C046C4F 33C0
xor eax, eaxDD壞狗由此返回
:1C046C51 5F
pop edi
:1C046C52 83C464
add esp, 00000064
:1C046C55 C3
ret
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:1C046C15(C)
|
; eax was neither 1 nor 2: return 0
:1C046C56 33C0
xor eax, eax
:1C046C58 5F
pop edi
:1C046C59 83C464
add esp, 00000064
:1C046C5C
C3
ret
到call 1c05d270看看,到底幹嗎?
; Function at 1C05D270: fills a request block in static memory at 1C11EBF0
; and submits it through the wrapper at 1C0E9140.
; In:   [esp+04], [esp+08] = two 16-bit values (the one caller listed,
;       1C046C21, passes 114B and 4C16)
; Out:  eax = the word at [1C11EBF0] (zero-extended) when it is non-zero,
;       otherwise ([1C11EC06] << 16) | [1C11EC0C]
; Block fields written, as offsets from 1C11EBF0:
;       +02 = 4, +0A = 4, +0C = first argument, +0E = 0, +10 = B7BF,
;       +12 = second argument
; NOTE(review): the first word of the block looks like a status code with
; 0 meaning success, matching how the callers test it -- confirm against
; the vendor API documentation.
* Referenced by a CALL at Address:
|:1C046C21
|
:1C05D270 668B4C2404
mov cx, word ptr [esp+04]
:1C05D275 B804000000
mov eax, 00000004
:1C05D27A 66C705FEEB111C0000
mov word ptr [1C11EBFE], 0000
:1C05D283 66C70500EC111CBFB7
mov word ptr [1C11EC00], B7BF
:1C05D28C 668B542408
mov dx, word ptr [esp+08]
; the block address is pushed before the remaining fields are stored
:1C05D291 68F0EB111C
push 1C11EBF0
:1C05D296 66A3F2EB111C
mov word ptr [1C11EBF2], ax
:1C05D29C
66A3FAEB111C mov word ptr [1C11EBFA],
ax
:1C05D2A2 66890DFCEB111C mov word ptr
[1C11EBFC], cx
:1C05D2A9 66891502EC111C
mov word ptr [1C11EC02], dx
:1C05D2B0 E88BBE0800
call 1C0E9140DDD>sense3函式,注意地址
; non-zero first word: return it as the result
:1C05D2B5 66833DF0EB111C00
cmp word ptr [1C11EBF0], 0000
:1C05D2BD 7409
je 1C05D2C8
:1C05D2BF
33C0 xor
eax, eax
:1C05D2C1 66A1F0EB111C
mov ax, word ptr [1C11EBF0]
:1C05D2C7 C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:1C05D2BD(C)
|
; zero first word: combine two 16-bit fields of the block into one dword
:1C05D2C8 33C0
xor eax, eax
:1C05D2CA 33C9
xor ecx, ecx
:1C05D2CC 66A106EC111C
mov ax, word ptr [1C11EC06]
:1C05D2D2 C1E010
shl eax, 10
:1C05D2D5 668B0D0CEC111C
mov cx, word ptr [1C11EC0C]
:1C05D2DC 0BC1
or eax, ecx
:1C05D2DE
C3
ret
至此,程式的狗操作方式很清楚了。這個程式用的是碼表法,且碼表長度很有限。
Sense3的狗內程式碼執行是中看不中用的花拳繡腿。長度有限,只好完成簡單的數值運算,很少有程式有經常執行的相應程式碼可放入,最後只好作判斷狗之用。對付方法參考紫竹的大作吧。
【小結:】
先找到出錯提示,由此找到最底層的sense3函式,這是關鍵!在反彙編程式碼中,由reference表,可看見所有操作。一一對此修改即可破解,不會遺漏。本例共修改44位元組。
若要複製,也基本不成問題,唯一難點是程式碼區,一句老話,看悟性吧。我一般不複製,一則沒錢買空狗(誰贊助?Kao,只接到一個雞蛋!);二則沒必要,重寫sense3函式即可,如將1C0E9140重寫。而本例全為判斷狗的Boolean函式,連使用狗內資料都沒有,無狗都可破解。
上次“廢話”篇中的程式碼為某加密程式的狗返回值處理函式,第一條指令mov eax,[esp+4]就是將sense3data中返回標誌賦給eax, 看出來了嗎?
寫教程很累,這是我的第二篇,以前寫過一篇TDMD加鑰匙盤的,都是虎頭蛇尾的,抱歉了。