飞腾3.1加密狗pj过程

gxmouse · 2005-09-25, 19:48

方正飞腾3.1加密狗和谐过程

旨在通过本文，让各位朋友了解SUPERPRO 的加密算法和在带狗的情况下和谐软件。

工具：
Trw2000
Hview
IDA(w32dasm在反汇编大文件时会死掉，不知哪位朋友有什么好的方法解决)

好，我们用最常见的方法中断程式：bpio 378，中断后返回到主程序，而且我们知道狗驱动是sx32w.dll:

.text:00951A32 push offset unk_B99568
.text:00951A37 call RNBOsproFormatPacket <=====初始化狗数据
.text:00951A3C movzx eax, ax
.text:00951A3F test eax, eax
.text:00951A41 jz short loc_951A49
.text:00951A43 xor eax, eax
.text:00951A45 add esp, 4
.text:00951A48 retn
.text:00951A49 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A49
.text:00951A49 loc_951A49: ; CODE XREF: sub_951A10+31j
.text:00951A49 push offset unk_B99568
.text:00951A4E call RNBOsproInitialize <=====初始化函数
.text:00951A53 movzx eax, ax <=====返回到这里
.text:00951A56 test eax, eax
.text:00951A58 jz short loc_951A60
.text:00951A5A xor eax, eax
.text:00951A5C add esp, 4
.text:00951A5F retn
.text:00951A60 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A60
.text:00951A60 loc_951A60: ; CODE XREF: sub_951A10+48j
.text:00951A60 push 0A9ACh
.text:00951A65 push offset unk_B99568
.text:00951A6A call RNBOsproFindFirstUnit <=====查找狗,如果有则返回0
.text:00951A6F movzx eax, ax <=====这里可以改为xor eax,eax nop
.text:00951A72 test eax, eax
.text:00951A74 jz short loc_951A7C
.text:00951A76 xor eax, eax
.text:00951A78 add esp, 4
.text:00951A7B retn
.text:00951A7C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A7C
.text:00951A7C loc_951A7C: ; CODE XREF: sub_951A10+64j
.text:00951A7C ; sub_951A10+95j
.text:00951A7C push offset unk_B99568
.text:00951A81 call sub_951AC0 <=====F8进入---------------------1
.text:00951A86 add esp, 4
.text:00951A89 test eax, eax
.text:00951A8B jz short loc_951A96
.text:00951A8D call sub_951B20 <=====F8进入---------------------2
.text:00951A92 test eax, eax
.text:00951A94 jnz short loc_951和谐D

进入1处的CALL:

.text:00951AC0 mov eax, [esp+arg_0]
.text:00951AC4 push eax
.text:00951AC5 call sub_951AE0 <=====F8进入
.text:00951ACA add esp, 4
.text:00951ACD sub eax, 4
.text:00951AD0 cmp eax, 1
.text:00951AD3 sbb eax, eax
.text:00951AD5 neg eax
.text:00951AD7 retn
.text:00951AD7 sub_951AC0 endp
.text:00951AD7
.text:00951AD7 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951AD8

align 10h
.text:00951AE0
.text:00951AE0 ; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹?
.text:00951AE0
.text:00951AE0
.text:00951AE0 sub_951AE0 proc near ; CODE XREF: sub_951AC0+5p
.text:00951AE0
.text:00951AE0 var_E = dword ptr -0Eh
.text:00951AE0 var_2 = byte ptr -2
.text:00951AE0 arg_0 = dword ptr 4
.text:00951AE0
.text:00951AE0 mov eax, [esp+arg_0]
.text:00951AE4 sub esp, 4
.text:00951AE7 test eax, eax
.text:00951AE9 jnz short loc_951AF1
.text:00951AEB xor eax, eax
.text:00951AED add esp, 4
.text:00951AF0 retn
.text:00951AF1 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951AF1
.text:00951AF1 loc_951AF1: ; CODE XREF: sub_951AE0+9j
.text:00951AF1 lea ecx, [esp+4+var_2]
.text:00951AF5 push ecx
.text:00951AF6 push 8
.text:00951AF8 push eax
.text:00951AF9 call RNBOsproRead <=====读狗,如果正确,ax=0,[151FC3A]=4
.text:00951AFE movzx eax, ax <=====改为PUSH 0 POP EAX
.text:00951B01 test eax, eax
.text:00951B03 jz short loc_951B0B
.text:00951B05 xor eax, eax
.text:00951B07 add esp, 4
.text:00951B0A retn
.text:00951B0B ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951B0B
.text:00951B0B loc_951B0B: ; CODE XREF: sub_951AE0+23j
.text:00951B0B mov eax, [esp+10h+var_E]
.text:00951B0F add esp, 4
.text:00951B12 and eax, 0FFFFh <=====改mov eax,4
.text:00951B17 retn

进入2处的CALL:

.text:00951B2C push esi
.text:00951B2D push edi
.text:00951B2E push 10h
.text:00951B30 push eax
.text:00951B31 push ecx
.text:00951B32 push offset unk_B84C90
.text:00951B37 push 10h
.text:00951B39 push offset unk_B99568
.text:00951B3E call RNBOsproQuery <=====查询加密狗中的数据,如果成功则AX返回0
.text:00951B43 movzx ecx, ax <=====改push 0 pop eax
.text:00951B46 test ecx, ecx
.text:00951B48 jz short loc_951B53
.text:00951B4A xor eax, eax
.text:00951B4C pop edi
.text:00951B4D pop esi
.text:00951B4E pop ebx
.text:00951B4F add esp, 14h
.text:00951B52 retn
.text:00951B53 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951B53
.text:00951B53 loc_951B53: ; CODE XREF: sub_951B20+28j
.text:00951B53 xor eax, eax
.text:00951B55
.text:00951B55 loc_951B55: ; CODE XREF: sub_951B20+47j
.text:00951B55 mov ecx, dword ptr unk_B84CA0[eax]
.text:00951B5B cmp [esp+eax+38h+var_28], ecx <=====比较查询结果
.text:00951B5F jnz short loc_951BD4 <=====不相等就跳,改为NOP NOP
.text:00951B61 add eax, 4
.text:00951B64 cmp eax, 10h
.text:00951B67 jl short loc_951B55
.text:00951B69 xor esi, esi
.text:00951B6B call _rand
.text:00951B70 mov edi, eax
.text:00951B72 xor ebx, ebx
.text:00951B74
.text:00951B74 loc_951B74: ; CODE XREF: sub_951B20+76j
.text:00951B74 lea eax, [edi+esi]
.text:00951B77 inc esi
.text:00951B78 cdq
.text:00951B79 xor eax, edx
.text:00951B7B sub eax, edx
.text:00951B7D and eax, 0Fh
.text:00951B80 xor eax, edx
.text:00951B82 sub eax, edx
.text:00951B84 shl eax, 2
.text:00951B87 mov dword_B84CB0[eax], ebx
.text:00951B8D call ds:off_B07B28[eax]
.text:00951B93 cmp esi, 10h
.text:00951B96 jl short loc_951B74
.text:00951B98 mov eax, dword_B84CF0
.text:00951B9D push eax
.text:00951B9E push 10h
.text:00951BA0 push offset unk_B99568
.text:00951BA5 call sub_951120 <=====F8进入
.text:00951B和谐 mov [esp+44h+var_2C], eax
.text:00951BAE add esp, 0Ch
.text:00951BB1 mov eax, dword_B84CF4
.text:00951BB6 xor [esp+38h+var_2C], eax
.text:00951BBA mov eax, [esp+38h+var_2C]
.text:00951BBE and eax, 0Fh
.text:00951BC1 cmp dword_B84CB0[eax*4], 0 <=====比较标志
.text:00951BC9 jnz short loc_951BDD <=====不相等就跳,改为JMPS short loc_951BDD
.text:00951BCB xor eax, eax
.text:00951BCD pop edi
.text:00951BCE pop esi
.text:00951BCF pop ebx
.text:00951BD0 add esp, 14h
.text:00951BD3 retn

进入951BA5的CALL:

.text:00951120 mov ecx, [esp+arg_0]
.text:00951124 sub esp, 8
.text:00951127 test ecx, ecx
.text:00951129 jnz short loc_951133
.text:0095112B mov eax, [esp+8+arg_8]
.text:0095112F add esp, 8
.text:00951132 retn
.text:00951133 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951133
.text:00951133 loc_951133: ; CODE XREF: sub_951120+9j
.text:00951133 lea eax, [esp+8+var_4]
.text:00951137 push 4
.text:00951139 lea edx, [esp+0Ch+var_8]
.text:0095113D push eax
.text:0095113E lea eax, [esp+10h+arg_8]
.text:00951142 push edx
.text:00951143 mov edx, [esp+14h+arg_4]
.text:00951147 push eax
.text:00951148 push edx
.text:00951149 push ecx
.text:0095114A call RNBOsproQuery <=====查询加密狗中的数据,如果成功则AX返回0
.text:0095114F movzx ecx, ax <=====改push 0 pop eax
.text:00951152 test ecx, ecx
.text:00951154 jz short loc_95115E
.text:00951156 mov eax, [esp+20h+var_C]
.text:0095115A add esp, 8
.text:0095115D retn
.text:0095115E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0095115E
.text:0095115E loc_95115E: ; CODE XREF: sub_951120+34j
.text:0095115E mov eax, [esp+20h+var_20]
.text:00951162 add esp, 8
.text:00951165 retn

下面的部份是关键的部份:

.text:00951BDD loc_951BDD: ; CODE XREF: sub_951B20+A9j
.text:00951BDD mov eax, dword_B84CF8
.text:00951BE2 push eax
.text:00951BE3 push 10h
.text:00951BE5 push offset unk_B99568
.text:00951BEA call sub_951120
.text:00951BEF mov [esp+44h+var_2C], eax
.text:00951BF3 add esp, 0Ch
.text:00951BF6 mov eax, dword_B84CFC
.text:00951BFB xor [esp+38h+var_2C], eax
.text:00951BFF mov eax, dword_B84D00
.text:00951C04 mov esi, [esp+38h+var_2C]
.text:00951C08 push eax
.text:00951C09 add esi, dword_B9996C <=====改为mov esi,00951940 NOP
.text:00951C0F push 12h
.text:00951C11 push offset unk_B99568
.text:00951C16 call sub_951120
.text:00951C1B mov [esp+44h+var_2C], eax
.text:00951C1F add esp, 0Ch
.text:00951C22 mov eax, dword_B84D04
.text:00951C27 xor [esp+38h+var_2C], eax
.text:00951C2B mov ecx, [esp+38h+var_2C]
.text:00951C2F push ecx
.text:00951C30 call esi <=====这个地方就是主程序的入口,通过分析,如果没有狗,这个地址是

错误的,程序会死掉,也就是说,程序必须用到加密狗的数据来算出入口地址,所以如果没有狗,就没办法知道入口地址,除非你的反

推能力很好,就可以反推出它的入口地址.通过带狗运行,可知入口地址是00951940.所以我们要让ESI的数值为00951940
.text:00951C32 add esp, 4
.text:00951C35 pop edi
.text:00951C36 pop esi
.text:00951C37 pop ebx
.text:00951C38 add esp, 14h
.text:00951C3B retn

单步进入00951C30处的CALL:

.text:009519BB mov ecx, dword_B8EAD8
.text:009519C1 shr ecx, 10h
.text:009519C4 push eax
.text:009519C5 or edx, ecx
.text:009519C7 lea ecx, ds:0[esi*2]
.text:009519CE inc ecx <=====改为mov esi,0E4DBF5F6
.text:009519CF imul edx, ecx <=====
.text:009519D2 add esi, edx <=====
.text:009519D4 cmp esi, 0E4DBF5F6h
.text:009519DA jnz short loc_9519E8
.text:009519DC call sub_4493B0 <=====F8进入
.text:009519E1 add esp, 4
.text:009519E4 pop edi
.text:009519E5 pop esi
.text:009519E6 pop ebx
.text:009519E7 retn

单步进入009519DC处的CALL:

.text:004493B0 push ebp
.text:004493B1 mov ebp, esp
.text:004493B3 push ecx
.text:004493B4 mov eax, [ebp+arg_0]
.text:004493B7 cmp eax, dword_B8EAE0
.text:004493BD jz short loc_4493C3 <=====改为JMPS 004493C3
.text:004493BF xor eax, eax
.text:004493C1 jmp short loc_4493DD

至此全部的修改已完成,主程序可以在没有真狗和假狗的条件下运行了

final fantasy · 2005-09-26, 06:27

楼主厉害.虽然我不懂和谐,看不懂.

yylgttw · 2005-10-08, 11:57

以前在其它地方看过了吧？~~~~~~~~~~~~~~~~~~~~

邹家文 · 2005-10-12, 22:56

看不明白.....楼主有本事...............

wilsontsoi · 2005-10-28, 04:25

看不懂,但內心很配服......

silva · 2005-11-01, 13:20

这么专业，要学习哪种计算机语言才能进行和谐？

xiaoboah · 2005-11-17, 00:03

是呀,看不太明白,楼主真是厉害.

cmyk521762 · 2005-11-17, 20:59

看不懂____________________________>

yunfeng · 2005-11-18, 09:55

TMD都是一些菜鸟,这些东西都不懂!

zhonggq · 2005-12-07, 11:21

看不懂。。。。

**esky168** · 2005-12-07, 17:40

楼主真历害。。。！

gxnethy · 2005-12-08, 21:40

:song: :song: :song: :song: :song:

yanwork · 2005-12-24, 10:44

楼主真历害。。。！哩哩啦啦理论

benhsu · 2006-01-03, 13:32

:14: 还是楼主厉害，好详细哦！

Menu