如何破解深思Ⅲ加密狗!想解狗的朋友過來看了! (10千字)

目標： XX CAD設計軟體。
加密形式：深思Ⅲ加密狗。
破解工具：Winice, Hiew, Wdasm893中文版。
作者:sworm

【破解過程】
㈠執行程式，顯示“Internal Error. 軟體出現致命錯誤,請檢查加密狗是否正確!”後退出。
㈡在Wice中Bpx Messageboxa，再執行程式，顯示上述資訊時彈出。按F12若干次回到呼叫處，可見是xxxxxrx呼叫ACAD.acrx_abort。
㈢反彙編xxxxxrx.arx檔案，得：

Exported fn(): acrxEntryPoint - Ord:0002h
:1C05CF00 8B442404 mov eax, dword ptr [esp+04]
:1C05CF04 48 dec eax
:1C05CF05 83F804 cmp eax, 00000004
:1C05CF08 0F878C000000 ja 1C05CF9A
:1C05CF0E FF2485A0CF051C jmp dword ptr [4*eax+1C05CFA0]
:1C05CF15 8B442408 mov eax, dword ptr [esp+08]
:1C05CF19 50 push eax

* Reference To: ACAD.acrxUnlockApplication, Ord:0D5Bh
|
:1C05CF1A E8BDC00800 Call 1C0E8FDC
:1C05CF1F 83C404 add esp, 00000004
:1C05CF22 E8C9AAFEFF call 1C0479F0
:1C05CF27 85C0 test eax, eax
:1C05CF29 7505 jne 1C05CF30
:1C05CF2B E8C0AAFEFF call 1C0479F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C05CF29(C)
|
:1C05CF30 E84BFEFFFF call 1C05CD80
:1C05CF35 E8A6A8FEFF call 1C0477E0
:1C05CF3A E8019CFEFF call 1C046B40
:1C05CF3F A388E00F1C mov dword ptr [1C0FE088], eax
:1C05CF44 85C0 test eax, eax
:1C05CF46 7521 jne 1C05CF69
:1C05CF48 6A00 push 00000000
:1C05CF4A 6A04 push 00000004
:1C05CF4C E82FAAFEFF call 1C047980
:1C05CF51 83C408 add esp, 00000008
:1C05CF54 E807ABFEFF call 1C047A60

* Possible StringData Ref from Data Obj ->"
軟體出現致命錯誤,請檢查加密狗是否正確!"＝＝＝＝＝＝＝＝>就在這！
|
:1C05CF59 6888560F1C push 1C0F5688

* Reference To: ACAD.acrx_abort, Ord:0D5Dh
|
:1C05CF5E E8CBBF0800 Call 1C0E8F2E
:1C05CF63 83C404 add esp, 00000004
:1C05CF66 33C0 xor eax, eax
:1C05CF68 C3 ret

㈣在顯示錯誤前，ACAD.acrxUnlockApplication下面，有:
1C05CF22 E8C9AAFEFF call 1C0479F0-------看call 1C046B40也可
檢視該處指令，見：
:1C0479F0 83EC60 sub esp, 00000060
:1C0479F3 E888FB0100 call 1C067580
:1C0479F8 85C0 test eax, eax
:1C0479FA 7507 jne 1C047A03-------------à是否為TDMD狗？
:1C0479FC B801000000 mov eax, 00000001
:1C047A01 EB31 jmp 1C047A34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C0479FA(C)
|
:1C047A03 66C7442404AF07 mov [esp+04], 07AFDDD>應用口令
:1C047A0A 66C74424060700 mov [esp+06], 0007DDD>應用口令
:1C047A11 66C74424081A00 mov [esp+08], 001ADDD>應用口令
:1C047A18 66C7442402FFFF mov [esp+02], FFFFDDDD>開鎖
:1C047A1F 8D442400 lea eax, dword ptr [esp]
:1C047A23 50 push eax
:1C047A24 E817170A00 call 1C0E9140DDDDD★
:1C047A29 66837C240001 cmp word ptr [esp], 0001
:1C047A2F 1BC0 sbb eax, eax
:1C047A31 83E002 and eax, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A01(U)
|
:1C047A34 83F801 cmp eax, 00000001
:1C047A37 7509 jne 1C047A42
:1C047A39 B801000000 mov eax, 00000001
:1C047A3E 83C460 add esp, 00000060
:1C047A41 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A37(C)
|
:1C047A42 83F802 cmp eax, 00000002DDDDD>是否sense3狗
:1C047A45 7511 jne 1C047A58
:1C047A47 E874560100 call 1C05D0C0
:1C047A4C 663D0100 cmp ax, 0001
:1C047A50 1BC0 sbb eax, eax
:1C047A52 83C460 add esp, 00000060
:1C047A55 F7D8 neg eax
:1C047A57 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C047A45(C)
|
:1C047A58 33C0 xor eax, eax
:1C047A5A 83C460 add esp, 00000060
:1C047A5D C3 ret

標誌處即為sense3狗操作函式。該[esp]=0 有狗。又是一個拿生日作口令的！

㈤檢視1C0E9140處程式，見：
* Referenced by a CALL at Addresses
|:1C046774 , :1C0467EA , :1C046A26 , :1C046B75 , :1C046C96
|:1C046DD6 , :1C046F16 , :1C047065 , :1C047176 , :1C0472B6
|:1C047817 , :1C047A24 , :1C047A94 , :1C05D0E9 , :1C05D10E
|:1C05D1D6 , :1C05D2B0
|
:1C0E9140 8B442404 mov eax, dword ptr [esp+04]
:1C0E9144 6A01 push 00000001
:1C0E9146 50 push eax
:1C0E9147 E864020000 call 1C0E93B0
:1C0E914C 83C408 add esp, 00000008
:1C0E914F C20400 ret 0004

由reference表，知有17處加密狗操作。
前14處均為開鎖操作，第15處為關鎖操作，最後兩處為狗操作，必然在開鎖操作之後，我們隨便觀察一處開鎖：
* Referenced by a CALL at Addresses:
|:1C0101AA , :1C0156C0 , :1C026A29 , :1C05CF3A , :1C06D469
|:1C0720C7 , :1C0CC80A , :1C0D65DA
|
:1C046B40 83EC64 sub esp, 00000064
:1C046B43 57 push edi
:1C046B44 E8370A0200 call 1C067580
:1C046B49 85C0 test eax, eax-------------à是否為TDMD狗？
:1C046B4B 7507 jne 1C046B54
:1C046B4D B801000000 mov eax, 00000001
:1C046B52 EB31 jmp 1C046B85

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B4B(C)
|
:1C046B54 66C7442408AF07 mov [esp+08], 07AF
:1C046B5B 66C744240A0700 mov [esp+0A], 0007
:1C046B62 66C744240C1A00 mov [esp+0C], 001A
:1C046B69 66C7442406FFFF mov [esp+06], FFFF
:1C046B70 8D442404 lea eax, dword ptr [esp+04]
:1C046B74 50 push eax
:1C046B75 E8C6250A00 call 1C0E9140DDDsense3函式
:1C046B7A 66837C240401 cmp word ptr [esp+04], 0001
:1C046B80 1BC0 sbb eax, eax
:1C046B82 83E002 and eax, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B52(U)
|
:1C046B85 83F801 cmp eax, 00000001
:1C046B88 0F8584000000 jne 1C046C12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046B88(C)
|
:1C046C12 83F802 cmp eax, 00000002DDDsense3狗？
:1C046C15 753F jne 1C046C56
:1C046C17 68164C0000 push 00004C16
:1C046C1C 684B110000 push 0000114B
:1C046C21 E84A660100 call 1C05D270DDDD幹嗎的？
:1C046C26 83C408 add esp, 00000008
:1C046C29 8BC8 mov ecx, eax
:1C046C2B 81E1FFFF0000 and ecx, 0000FFFF
:1C046C31 250000FFFF and eax, FFFF0000
:1C046C36 3D0000DF00 cmp eax, 00DF0000
:1C046C3B 7512 jne 1C046C4F
:1C046C3D 81F937220000 cmp ecx, 00002237
:1C046C43 750A jne 1C046C4F
:1C046C45 B801000000 mov eax, 00000001DD好狗由此返回
:1C046C4A 5F pop edi
:1C046C4B 83C464 add esp, 00000064
:1C046C4E C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1C046C3B(C), :1C046C43(C)
|
:1C046C4F 33C0 xor eax, eaxDD壞狗由此返回
:1C046C51 5F pop edi
:1C046C52 83C464 add esp, 00000064
:1C046C55 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C046C15(C)
|
:1C046C56 33C0 xor eax, eax
:1C046C58 5F pop edi
:1C046C59 83C464 add esp, 00000064
:1C046C5C C3 ret

到call 1c05d270看看，到底幹嗎？
* Referenced by a CALL at Address:
|:1C046C21
|
:1C05D270 668B4C2404 mov cx, word ptr [esp+04]
:1C05D275 B804000000 mov eax, 00000004
:1C05D27A 66C705FEEB111C0000 mov word ptr [1C11EBFE], 0000
:1C05D283 66C70500EC111CBFB7 mov word ptr [1C11EC00], B7BF
:1C05D28C 668B542408 mov dx, word ptr [esp+08]
:1C05D291 68F0EB111C push 1C11EBF0
:1C05D296 66A3F2EB111C mov word ptr [1C11EBF2], ax
:1C05D29C 66A3FAEB111C mov word ptr [1C11EBFA], ax
:1C05D2A2 66890DFCEB111C mov word ptr [1C11EBFC], cx
:1C05D2A9 66891502EC111C mov word ptr [1C11EC02], dx
:1C05D2B0 E88BBE0800 call 1C0E9140DDD>sense3函式，注意地址
:1C05D2B5 66833DF0EB111C00 cmp word ptr [1C11EBF0], 0000
:1C05D2BD 7409 je 1C05D2C8
:1C05D2BF 33C0 xor eax, eax
:1C05D2C1 66A1F0EB111C mov ax, word ptr [1C11EBF0]
:1C05D2C7 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C05D2BD(C)
|
:1C05D2C8 33C0 xor eax, eax
:1C05D2CA 33C9 xor ecx, ecx
:1C05D2CC 66A106EC111C mov ax, word ptr [1C11EC06]
:1C05D2D2 C1E010 shl eax, 10
:1C05D2D5 668B0D0CEC111C mov cx, word ptr [1C11EC0C]
:1C05D2DC 0BC1 or eax, ecx
:1C05D2DE C3 ret

至此，程式的狗操作方式很清楚了。這個程式用的是碼錶法，且碼錶長度很有限。

Sense3的狗內程式碼執行是中看不中用的花拳繡腿。長度有限，只好完成簡單的數值運算，很少有程式有經常執行的相應程式碼可放入，最後只好作判斷狗之用。對付方法參考紫竹的大作吧。
【小結：】
先找到出錯提示，由此找到最底層的sense3函式，這是關鍵！在反彙編程式碼中，由reference表，可看見所有操作。一一對此修改即可破解，不會遺漏。本例共修改44位元組。
若要複製，也基本不成問題，唯一難點是程式碼區，一句老話，看悟性吧。我一般不復制，一則沒錢買空狗（誰贊助？Kao，只接到一個雞蛋！）；二則沒必要，重寫sense3函式即可，如將1C0E9140重寫。而本例全為判斷狗的Boolean函式，連使用狗內資料都沒有，無狗都可破解。
上次“廢話”篇中的程式碼為某加密程式的狗返回值處理函式，第一條指令mov eax，[esp+4]就是將sense3data中返回標誌賦給eax, 看出來了嗎？

寫教程很累，這是我的第二篇，以前寫過一篇TDMD加鑰匙盤的，都是虎頭蛇尾的，抱歉了。

如何破解深思Ⅲ加密狗!想解狗的朋友過來看了! (10千字)

相關文章