史萊姆論壇 (http://forum.slime.com.tw/)
Thread: WinRip 2.0 protection mechanism analysis and patch creation (http://forum.slime.com.tw/thread90590.html)

psac 2004-01-10 10:35 PM

WinRip 2.0 protection mechanism analysis and patch creation

Tool: OllyDbg 1.07a
Platform: Windows 2000 Professional

After the 30-day trial period, the software shows a NAG and its functionality is restricted. Starting from this behaviour, I set a breakpoint on GetSystemTime, ran the program, and after the break stepped back up the call chain until I arrived here (0040ce45):

0040CDF8 /$ B8 18884300 MOV EAX,WinRip.00438818
0040CDFD |. E8 2EEB0000 CALL WinRip.0041B930
0040CE02 |. 83EC 68 SUB ESP,68
0040CE05 |. 53 PUSH EBX
0040CE06 |. 56 PUSH ESI
0040CE07 |. BB 7CBA4300 MOV EBX,WinRip.0043BA7C
0040CE0C |. 57 PUSH EDI
0040CE0D |. 8BF1 MOV ESI,ECX
0040CE0F |. 895D D4 MOV [LOCAL.11],EBX
0040CE12 |. E8 94E0FFFF CALL WinRip.0040AEAB
0040CE17 |. 33FF XOR EDI,EDI
0040CE19 |. 8D4D D4 LEA ECX,[LOCAL.11]
0040CE1C |. 57 PUSH EDI ; /Arg2 => 00000000
0040CE1D |. 50 PUSH EAX ; |Arg1
0040CE1E |. E8 FFF8FFFF CALL WinRip.0040C722 ; \WinRip.0040C722
0040CE23 |. 57 PUSH EDI
0040CE24 |. 897D FC MOV [LOCAL.1],EDI
0040CE27 |. FF15 14AA4300 CALL [DWORD DS:<&ole32.CoInitialize>] ; ole32.CoInitialize
0040CE2D |. 3BC7 CMP EAX,EDI
0040CE2F |. 8945 F0 MOV [LOCAL.4],EAX
0040CE32 |. 7C 7B JL SHORT WinRip.0040CEAF
0040CE34 |. 8D45 EC LEA EAX,[LOCAL.5]
0040CE37 |. 50 PUSH EAX
0040CE38 |. 68 E4B74300 PUSH WinRip.0043B7E4
0040CE3D |. 6A 01 PUSH 1
0040CE3F |. 57 PUSH EDI
0040CE40 |. 68 44B84300 PUSH WinRip.0043B844
0040CE45 |. FF15 0CAA4300 CALL [DWORD DS:<&ole32.CoCreateInstance>>; ole32.CoCreateInstance <obtains the system time>
0040CE4B |. 3BC7 CMP EAX,EDI
0040CE4D |. 8945 F0 MOV [LOCAL.4],EAX
0040CE50 |. 7C 57 JL SHORT WinRip.0040CEA9
0040CE52 |. 6A 40 PUSH 40 ; /n = 40 (64.)
0040CE54 |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE57 |. 57 PUSH EDI ; |c
0040CE58 |. 50 PUSH EAX ; |s
0040CE59 |. 897D 90 MOV [LOCAL.28],EDI ; |
0040CE5C |. E8 F5EA0000 CALL <JMP.&MSVCRT.memset> ; \memset
0040CE61 |. 8D86 F0000000 LEA EAX,[DWORD DS:ESI+F0]
0040CE67 |. 6A 40 PUSH 40 ; /maxlen = 40 (64.)
0040CE69 |. 50 PUSH EAX ; |src
0040CE6A |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE6D |. 50 PUSH EAX ; |dest
0040CE6E |. FF15 E4A74300 CALL [DWORD DS:<&MSVCRT.strncpy>] ; \strncpy
0040CE74 |. 8B86 30010000 MOV EAX,[DWORD DS:ESI+130]
0040CE7A |. 83C4 18 ADD ESP,18
0040CE7D |. 8945 90 MOV [LOCAL.28],EAX
0040CE80 |. C745 8C 050000>MOV [LOCAL.29],5
0040CE87 |. E8 48000000 CALL WinRip.0040CED4 <step into this; see the listing below>
0040CE8C |. 8B4D EC MOV ECX,[LOCAL.5]
0040CE8F |. 50 PUSH EAX <argument 1: a value of 0 means "expired"; the normal value should be 1E>
0040CE90 |. FF75 08 PUSH [ARG.1]
0040CE93 |. 8D45 8C LEA EAX,[LOCAL.29]
0040CE96 |. 8B11 MOV EDX,[DWORD DS:ECX]
0040CE98 |. 50 PUSH EAX
0040CE99 |. 51 PUSH ECX
0040CE9A |. FF52 10 CALL [DWORD DS:EDX+10] <this calls appregag.10003c31, which decides from argument 1 whether the NAG appears and whether functionality is restricted>
0040CE9D |. 8945 F0 MOV [LOCAL.4],EAX
0040CEA0 |. 8B45 EC MOV EAX,[LOCAL.5]
0040CEA3 |. 50 PUSH EAX
0040CEA4 |. 8B08 MOV ECX,[DWORD DS:EAX]
0040CEA6 |. FF51 08 CALL [DWORD DS:ECX+8]
0040CEA9 |> FF15 10AA4300 CALL [DWORD DS:<&ole32.CoUninitialize>] ; ole32.CoUninitialize
0040CEAF |> 397D E8 CMP [LOCAL.6],EDI
0040CEB2 |. 5F POP EDI
0040CEB3 |. 895D D4 MOV [LOCAL.11],EBX
0040CEB6 |. 5E POP ESI
0040CEB7 |. 5B POP EBX
0040CEB8 |. 74 09 JE SHORT WinRip.0040CEC3
0040CEBA |. FF75 E8 PUSH [LOCAL.6] ; /hObject
0040CEBD |. FF15 ACA14300 CALL [DWORD DS:<&KERNEL32.CloseHandle>] ; \CloseHandle
0040CEC3 |> 8B4D F4 MOV ECX,[LOCAL.3]
0040CEC6 |. 8B45 F0 MOV EAX,[LOCAL.4]
0040CEC9 |. 64:890D 000000>MOV [DWORD FS:0],ECX
0040CED0 |. C9 LEAVE
0040CED1 \. C2 0400 RETN 4


=====<<called from 40CE87>>===================================================================
0040CED4 /$ 56 PUSH ESI
0040CED5 |. E8 D1DFFFFF CALL WinRip.0040AEAB
0040CEDA |. 50 PUSH EAX
0040CEDB |. E8 65DBFFFF CALL WinRip.0040AA45
0040CEE0 |. 8BF0 MOV ESI,EAX
0040CEE2 |. 59 POP ECX
0040CEE3 |. 85F6 TEST ESI,ESI
0040CEE5 |. 74 17 JE SHORT WinRip.0040CEFE
0040CEE7 |. 57 PUSH EDI
0040CEE8 |. 8BCE MOV ECX,ESI
0040CEEA |. E8 719A0200 CALL WinRip.00436960 <determines the value of argument 1; step in and look. This code is generated dynamically, so the breakpoint must be set before this point or you will not see it>
0040CEEF |. 8BF8 MOV EDI,EAX
0040CEF1 |. 8B06 MOV EAX,[DWORD DS:ESI]
0040CEF3 |. 6A 01 PUSH 1
0040CEF5 |. 8BCE MOV ECX,ESI
0040CEF7 |. FF10 CALL [DWORD DS:EAX]
0040CEF9 |. 8BC7 MOV EAX,EDI
0040CEFB |. 5F POP EDI
0040CEFC |. 5E POP ESI
0040CEFD |. C3 RETN
0040CEFE |> 33C0 XOR EAX,EAX <if this instruction executes, the NAG appears and functionality is restricted>
0040CF00 |. 5E POP ESI
0040CF01 \. C3 RETN

=====<<called from 40CEEA; note: this block of code is generated dynamically>>============================
00436960 /$ 51 PUSH ECX
00436961 |. 56 PUSH ESI
00436962 |. 8D4424 04 LEA EAX,[DWORD SS:ESP+4]
00436966 |. 50 PUSH EAX ; /timer
00436967 |. 8BF1 MOV ESI,ECX ; |
00436969 |. FF15 D4A74300 CALL [DWORD DS:<&MSVCRT.time>] ; \time
0043696F |. 83C4 04 ADD ESP,4
00436972 |. 8BCE MOV ECX,ESI
00436974 |. E8 77FFFFFF CALL WinRip.004368F0 <inside this call, the subroutine at 4368F9 reads the disk volume serial number and the subroutine at 436931 queries the registry>

00436979 |. 8B4C24 04 MOV ECX,[DWORD SS:ESP+4]
0043697D |. 2BC8 SUB ECX,EAX
0043697F |. B8 07452EC2 MOV EAX,C22E4507
00436984 |. F7E9 IMUL ECX
00436986 |. 8B46 14 MOV EAX,[DWORD DS:ESI+14] <value 1E, i.e. 30 decimal>
00436989 |. 03D1 ADD EDX,ECX
0043698B |. C1FA 10 SAR EDX,10
0043698E |. 8BCA MOV ECX,EDX
00436990 |. C1E9 1F SHR ECX,1F
00436993 |. 03D1 ADD EDX,ECX
00436995 |. 3BD0 CMP EDX,EAX
00436997 |. 5E POP ESI
00436998 |. 7E 04 JLE SHORT WinRip.0043699E <change this to JMP SHORT WinRip.004369A4 (bytes EB 07) and all restrictions are removed>
0043699A |. 33C0 XOR EAX,EAX
0043699C |. 59 POP ECX
0043699D |. C3 RETN
0043699E |> 85D2 TEST EDX,EDX
004369A0 |. 7E 02 JLE SHORT WinRip.004369A4
004369A2 |. 2BC2 SUB EAX,EDX
004369A4 |> 59 POP ECX
004369A5 \. C3 RETN

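The arithmetic at 0043697F-00436993 is a compiler idiom rather than a hand-written check: a signed IMUL by the constant 0xC22E4507, the fix-up ADD EDX,ECX, SAR 16 and the sign-bit add together compute a division by 86400 (seconds per day) truncated toward zero, so the value compared against [ESI+14] (1E = 30) is the number of whole days since the stored timestamp. The Python model below is an added example, not code from the post or from WinRip; it replays that 32-bit arithmetic step by step, asserts that it matches plain integer division, and then follows the branch structure down to 004369A5 so the three possible results (0 for expired, 30 for a non-positive day count, otherwise 30 minus days) are visible. The stored timestamp is a constructed input; how 004368F0 derives it (the post only notes that it reads the volume serial and the registry) is not modelled. Seen from the vendor's side, the model also shows why the check is fragile: the verdict depends on a single comparison whose inputs are the local clock and a locally stored value.

```python
# Added example: Python model of the trial-day computation at 00436979-004369A5.
# Not code from the post or from WinRip; the stored timestamp below is constructed.

MAGIC = 0xC22E4507          # constant loaded at 0043697F
SECONDS_PER_DAY = 86400
TRIAL_DAYS = 0x1E           # value read from [ESI+14] at 00436986 (30 decimal)


def s32(x):
    """Interpret x as a signed 32-bit register value."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def days_elapsed_asm(delta_seconds):
    """Step-by-step replay of 0043697F..00436993 with ECX = now - stored.

    IMUL ECX leaves the signed 64-bit product in EDX:EAX. Because MAGIC has its
    top bit set, the signed multiplier is really MAGIC - 2**32, and ADD EDX,ECX
    corrects for that. SAR 16 scales by 2**-16 and adding the sign bit turns
    the floor into truncation toward zero.
    """
    ecx = s32(delta_seconds)
    product = ecx * s32(MAGIC)           # IMUL ECX (EDX:EAX = ECX * EAX, signed)
    edx = s32(product >> 32)             # high dword of the product
    edx = s32(edx + ecx)                 # ADD EDX,ECX
    edx = s32(edx >> 16)                 # SAR EDX,10
    sign = (edx & 0xFFFFFFFF) >> 31      # MOV ECX,EDX ; SHR ECX,1F
    return s32(edx + sign)               # ADD EDX,ECX


def days_elapsed_plain(delta_seconds):
    """What the idiom computes: division by 86400, truncated toward zero."""
    d = s32(delta_seconds)
    q = abs(d) // SECONDS_PER_DAY
    return -q if d < 0 else q


def trial_days_left(now, stored):
    """Return value of 00436960 as the post describes it: 0 means expired (NAG)."""
    days = days_elapsed_asm(now - stored)
    if days > TRIAL_DAYS:                # CMP EDX,EAX ; JLE not taken -> XOR EAX,EAX
        return 0
    if days <= 0:                        # TEST EDX,EDX ; JLE taken -> EAX stays 30
        return TRIAL_DAYS
    return TRIAL_DAYS - days             # SUB EAX,EDX


if __name__ == "__main__":
    INSTALLED = 1_073_600_000            # constructed "stored" timestamp (early 2004)
    for offset_days in (0, 5, 29, 30, 31, -3):
        now = INSTALLED + offset_days * SECONDS_PER_DAY + 100
        print(f"{offset_days:>3} days after install -> {trial_days_left(now, INSTALLED)} days left")
```

Running the block prints the remaining-days value for a handful of constructed offsets; note that exactly 30 elapsed days already yields 0, and a clock set back before the stored timestamp yields the full 30, which is how the single JLE at 00436998 ends up deciding everything.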
=====<<the code above is decoded here>>============================
00435F06 |> 3BCF CMP ECX,EDI <40c8f8-40cc2e, 436200-436f50: address ranges that get decoded>
00435F08 |. 8B45 08 MOV EAX,[ARG.1] <B672AB32, 78F03D5D: initial decode values>
00435F0B |. 73 3B JNB SHORT WinRip.00435F48
00435F0D |. 8D49 00 LEA ECX,[DWORD DS:ECX]
00435F10 |> 8B31 /MOV ESI,[DWORD DS:ECX] <load the next encoded dword into esi>
00435F12 |. 33F0 |XOR ESI,EAX <esi = esi ^ eax; this is the core of the decoder>
00435F14 |. 8BD6 |MOV EDX,ESI <edx = esi>
00435F16 |. 03C2 |ADD EAX,EDX <eax = eax + edx>
00435F18 |. 8931 |MOV [DWORD DS:ECX],ESI <store the decoded dword>
00435F1A |. 8BD0 |MOV EDX,EAX <edx = eax>
00435F1C |. C1EA 06 |SHR EDX,6 <edx = edx >> 6>
00435F1F |. 8BF0 |MOV ESI,EAX <esi = eax>
00435F21 |. 81E2 00F80700 |AND EDX,7F800 <edx = edx & 0x7f800>
00435F27 |. 81E6 00F80700 |AND ESI,7F800 <esi = esi & 0x7f800>
00435F2D |. 33D6 |XOR EDX,ESI <edx = edx ^ esi>
00435F2F |. 8BF0 |MOV ESI,EAX <esi = eax>
00435F31 |. C1EA 0B |SHR EDX,0B <edx = edx >> 11>
00435F34 |. 81E6 FF000000 |AND ESI,0FF <esi = esi & 0xff>
00435F3A |. 33D6 |XOR EDX,ESI <edx = edx ^ esi>
00435F3C |. C1E0 08 |SHL EAX,8 <eax = eax << 8 (eax * 0x100)>
00435F3F |. 83C1 04 |ADD ECX,4 <ecx = ecx + 4>
00435F42 |. 0BC2 |OR EAX,EDX <eax = eax | edx>
00435F44 |. 3BCF |CMP ECX,EDI <loop condition>
00435F46 |.^72 C8 \JB SHORT WinRip.00435F10 <jump back to fetch the next encoded dword>
00435F48 |> 5F POP EDI

Patch principle:
1. Write a decoding routine DeCode(Byte buff[]) from the decoding algorithm above;
2. Open "WinRip.exe", read the range 436200-436f50 into Byte buff[0xD50], and decode it with DeCode(Byte buff[]);
3. Change the bytes at buff[0x998] and buff[0x999] to EB and 07 respectively;
4. Re-encode buff[] with DeCode(Byte buff[]) (encoding and decoding are symmetric);
5. Write buff[] back to the file;

At this point, the program is completely cracked.


youth

