【Software】A certain passenger transport information management system
【Protection】Registration code + hardware dongle
【Cracking statement】I cracked this purely out of interest, for no other purpose. Where I have slipped up, I ask the experts to correct me!
【Tools】W32Dasm 8.93, TRW2000 1.23
========================================================================================
【Analysis】
Unregistered, this software runs with trial-version functionality; once registered, the dongle check kicks in and the program will not run without it. I only looked for the registration code and did not analyze the algorithm in detail; the main point of this write-up is the approach to removing the dongle check. The analysis follows:
* Possible StringData Ref from Code Obj ->"197712280530qlm提示窗口"
|
:0062365A BAA8376200   mov edx, 006237A8
:0062365F E8F4BCECFF   call 004EF358
:00623664 8D95F0FEFFFF lea edx, dword ptr [ebp+FFFFFEF0]
:0062366A 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:00623670 E843B2E2FF   call 0044E8B8
:00623675 8B85F0FEFFFF mov eax, dword ptr [ebp+FFFFFEF0]
:0062367B 8D95F4FEFFFF lea edx, dword ptr [ebp+FFFFFEF4]
:00623681 E8525FDEFF   call 004095D8
:00623686 8B85F4FEFFFF mov eax, dword ptr [ebp+FFFFFEF4]
:0062368C 50           push eax
:0062368D 8D95ECFEFFFF lea edx, dword ptr [ebp+FFFFFEEC]
:00623693 8B45FC       mov eax, dword ptr [ebp-04]
:00623696 E83D5FDEFF   call 004095D8
:0062369B 8B95ECFEFFFF mov edx, dword ptr [ebp+FFFFFEEC] //registration code; algorithm omitted...
:006236A1 58           pop eax
:006236A2 E85119DEFF   call 00404FF8
:006236A7 743B         je 006236E4
:006236A9 6A40         push 00000040
:006236AB B9B8376200   mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"您输入的注册号错误,请重新输入."   // "The registration number you entered is wrong, please re-enter."
|
:006236B0 BAC4376200   mov edx, 006237C4
:006236B5 A140426300   mov eax, dword ptr [00634240]
:006236BA 8B00         mov eax, dword ptr [eax]
:006236BC E827B7E4FF   call 0046EDE8
:006236C1 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:006236C7 66BEB8FF     mov si, FFB8
:006236CB E8DC08DEFF   call 00403FAC
:006236D0 84C0         test al, al
:006236D2 747E         je 00623752
:006236D4 8B83F4020000 mov eax, dword ptr [ebx+000002F4]
:006236DA 8B10         mov edx, dword ptr [eax]
:006236DC FF92C0000000 call dword ptr [edx+000000C0]
:006236E2 EB6E         jmp 00623752

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006236A7(C)
|
:006236E4 8BC3         mov eax, ebx
:006236E6 E891010000   call 0062387C
:006236EB 84C0         test al, al
:006236ED 744B         je 0062373A //must not jump
:006236EF 6A40         push 00000040
:006236F1 B9B8376200   mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"恭喜您注册成功,欢迎使用状元正版软件。 请重新   // "Congratulations, registration succeeded, welcome to the genuine Zhuangyuan software. Please re..." (string cut off in the original listing)
====================================================================================
* Possible StringData Ref from Code Obj ->" 试用版 V5.0 "   // " Trial version V5.0 "
|
:00628870 BA048E6200   mov edx, 00628E04
:00628875 E86E60E2FF   call 0044E8E8
:0062887A E9D3040000   jmp 00628D52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00628865(C)
|
:0062887F 8B45FC       mov eax, dword ptr [ebp-04]
:00628882 8B8000030000 mov eax, dword ptr [eax+00000300]

* Possible StringData Ref from Code Obj ->" 正试版 V5.0 "   // " Full version V5.0 " (typo for 正式版 is in the program's own string)
|
:00628888 BA1C8E6200   mov edx, 00628E1C
:0062888D E85660E2FF   call 0044E8E8
:00628892 A15C656300   mov eax, dword ptr [0063655C]
:00628897 8B80FC020000 mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"系统正在检测加密狗,请等待。。。"   // "The system is checking the dongle, please wait..."
|
:0062889D BA348E6200   mov edx, 00628E34
:006288A2 E84160E2FF   call 0044E8E8
:006288A7 33C0         xor eax, eax
:006288A9 A34C656300   mov dword ptr [0063654C], eax
:006288AE E8AD4E0000   call 0062D760 //the dongle is read here; dive in.....
:006288B3 8BD8         mov ebx, eax //eax=0 on return means the dongle is present
:006288B5 85DB         test ebx, ebx //ebx must be 0
:006288B7 7428         je 006288E1 //taking this jump means success, but a simple jump patch may leave hidden traps behind, so we must step into the call above and look
:006288B9 33D2         xor edx, edx

* Possible StringData Ref from Code Obj ->" 系统检测加密狗失败!可能是网络不通或加密狗"
                                         ->"未安装正确! 请先进行调试后再运行本系统! "
                                         ->" 如果您仍无法解决,请与供应商联系!"
  // "The system failed to detect the dongle! The network may be down or the dongle is not installed correctly! Please debug first, then run this system! If you still cannot resolve it, contact the supplier!"
|
:006288BB B8608E6200   mov eax, 00628E60
:006288C0 E80B5DECFF   call 004EE5D0
:006288C5 8B45FC       mov eax, dword ptr [ebp-04]
:006288C8 8B80FC020000 mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"加载加密狗失败!"   // "Failed to load the dongle!"
|
:006288CE BAEC8E6200   mov edx, 00628EEC
:006288D3 E81060E2FF   call 0044E8E8
:006288D8 C645FB00     mov [ebp-05], 00
:006288DC E971040000   jmp 00628D52
===================================== call 0062D760 ===================================
* Referenced by a CALL at Address:
|:006288AE

:0062D760 55           push ebp
:0062D761 8BEC         mov ebp, esp
:0062D763 52           push edx
:0062D764 51           push ecx
:0062D765 6846D76200   push 0062D746
:0062D76A 68C1D46200   push 0062D4C1
:0062D76F 6A01         push 00000001
:0062D771 E829F6FFFF   call 0062CD9F //read dongle
:0062D776 83C40C       add esp, 0000000C
:0062D779 59           pop ecx
:0062D77A 5A           pop edx
:0062D77B 5D           pop ebp
:0062D77C C3           ret

:0062D77D 55           push ebp
:0062D77E 8BEC         mov ebp, esp
:0062D780 52           push edx
:0062D781 51           push ecx
:0062D782 6846D76200   push 0062D746
:0062D787 68C1D46200   push 0062D4C1
:0062D78C 6A05         push 00000005
:0062D78E E80CF6FFFF   call 0062CD9F //read dongle
:0062D793 83C40C       add esp, 0000000C
:0062D796 59           pop ecx
:0062D797 5A           pop edx
:0062D798 5D           pop ebp
:0062D799 C3           ret

:0062D79A 55           push ebp
:0062D79B 8BEC         mov ebp, esp
:0062D79D 52           push edx
:0062D79E 51           push ecx
:0062D79F 6846D76200   push 0062D746
:0062D7A4 68C1D46200   push 0062D4C1
:0062D7A9 6A02         push 00000002
:0062D7AB E8EFF5FFFF   call 0062CD9F //read dongle
:0062D7B0 83C40C       add esp, 0000000C
:0062D7B3 59           pop ecx
:0062D7B4 5A           pop edx
:0062D7B5 85C0         test eax, eax
:0062D7B7 750A         jne 0062D7C3
:0062D7B9 8B1558656300 mov edx, dword ptr [00636558]
:0062D7BF 33C9         xor ecx, ecx
:0062D7C1 890A         mov dword ptr [edx], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0062D7B7(C)
|
:0062D7C3 5D           pop ebp
:0062D7C4 C3           ret

* Referenced by a CALL at Addresses:
|:006288FE , :006289FE , :00628B18 , :00628C35
|
:0062D7C5 55           push ebp
:0062D7C6 8BEC         mov ebp, esp
:0062D7C8 52           push edx
:0062D7C9 51           push ecx
:0062D7CA 6846D76200   push 0062D746
:0062D7CF 68C1D46200   push 0062D4C1
:0062D7D4 6A03         push 00000003
:0062D7D6 E8C4F5FFFF   call 0062CD9F //read dongle
:0062D7DB 83C40C       add esp, 0000000C
:0062D7DE 59           pop ecx
:0062D7DF 5A           pop edx
:0062D7E0 5D           pop ebp
:0062D7E1 C3           ret
From the above you can see that the dongle is read in quite a few places (each of these wrappers pushes a different function number and calls the same routine)..... so we go into call 0062CD9F.
===================================== call 0062CD9F ===================================
* Referenced by a CALL at Addresses:
|:0062D771 , :0062D78E , :0062D7AB , :0062D7D6
|
:0062CD9F 55           push ebp //change to xor eax,eax / ret //making eax return 0 here is all it takes
:0062CDA0 8BEC         mov ebp, esp
:0062CDA2 83C4B8       add esp, FFFFFFB8
:0062CDA5 53           push ebx
:0062CDA6 56           push esi
:0062CDA7 E8EEFEFFFF   call 0062CC9A
:0062CDAC 8945DC       mov dword ptr [ebp-24], eax
:0062CDAF 66C745D00A00 mov [ebp-30], 000A
:0062CDB5 E9F0030000   jmp 0062D1AA
:0062CDBA EB01         jmp 0062CDBD
:0062CDBC 00           BYTE 00
========================================================================================
【Summary】
This dongle scheme is not very complex: as long as the dongle-read routine returns 0, the dongle check is defeated. I used the "follow it all the way down" approach and modified the program at its root rather than simply flipping a jump; the benefit is that this avoids many hidden traps (暗桩). I am a beginner at dongle removal and hope this is of some help to everyone, and that it prompts better write-ups from others.
========================================================================================
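The write-up's reasoning is that a root-level patch (making 0062CD9F return 0) sidesteps hidden checks scattered elsewhere. As an added defender-side illustration, not code from the post or from the target program, the C below shows the kind of self-check a protected program could carry to notice exactly that patch: it hashes the first bytes of its dongle-read routine and compares them against a checksum fixed at build time. The prologue bytes are taken from the listing above (55 8B EC 83 C4 B8 53 56) as a constructed sample; the byte encoding of the replacement stub and the FNV-1a hash are my assumptions, not anything on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: first bytes of the dongle-read routine at 0062CD9F as
 * listed on the page (push ebp / mov ebp,esp / add esp,-48h / push ebx / push esi). */
static const uint8_t PROLOGUE_REF[] = {0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xB8, 0x53, 0x56};

/* Constructed sample: the same bytes after an "xor eax,eax ; ret" stub
 * (assumed encoding 33 C0 C3) has been written over the prologue. */
static const uint8_t PROLOGUE_PATCHED[] = {0x33, 0xC0, 0xC3, 0x83, 0xC4, 0xB8, 0x53, 0x56};

/* FNV-1a over the prologue bytes. A protected build would store this value and
 * recompute it at runtime (hypothetical self-check, not the target's own logic). */
uint32_t prologue_hash(const uint8_t *code, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the routine now begins with the "return 0 immediately" stub. */
int starts_with_xor_ret(const uint8_t *code, size_t len) {
    static const uint8_t stub[] = {0x33, 0xC0, 0xC3};
    return len >= sizeof stub && memcmp(code, stub, sizeof stub) == 0;
}

/* 0 = prologue intact, 1 = checksum mismatch (unknown modification),
 * 2 = checksum mismatch and the known xor/ret stub is present. */
int check_prologue(const uint8_t *code, size_t len, uint32_t expected) {
    if (prologue_hash(code, len) == expected)
        return 0;
    return starts_with_xor_ret(code, len) ? 2 : 1;
}

int main(void) {
    uint32_t expected = prologue_hash(PROLOGUE_REF, sizeof PROLOGUE_REF);
    printf("reference prologue: %d\n", check_prologue(PROLOGUE_REF, sizeof PROLOGUE_REF, expected));
    printf("patched prologue:   %d\n", check_prologue(PROLOGUE_PATCHED, sizeof PROLOGUE_PATCHED, expected));
    return 0;
}
```

A real protection would hide the expected value and the check itself, and place the comparison in several unrelated code paths; this example only shows the core comparison.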