2004-01-05, 11:17 AM | #1
Honorary Member

Cracking the file self-verification of Flax 2.02
A method of dynamically patching a file: on cracking Flax's self-verification

Author: lzrlzr
E-mail: crack_lzrlzr@163.com
Date: November 28, 2003
Software: Flax 2.02
Protection: self-verification, machine code + registration code
Difficulty: medium
Tools used: SoftICE, Hiew 6.83
Cracking environment: Win2000
Statement: this article is for learning and exchange only; if you repost it, please keep it intact.

Quoting a fellow member's original post from the forum:

Flax 2.02 is a Flash text-animation tool that supports Chinese. The people on our Hanzify forum want to localize it, but once its resources are modified, the real-time preview function is lost. Newbie that I am, my first thought was a self-check, and I traced it all morning without progress. All I found is that when the software starts it creates a flax1.exe file in the TEMP directory, and if it detects that the main file has been modified, flax1.exe exits.
> The program is not large, only a few hundred KB.
http://xbol-http.skycn.net:8080/down/flax202.exe

I often use localized software, so I wanted to do something for the localizers to thank them for their hard work, in the hope that they do even better and all of us get more localized software to use. Brother, please contact me and I will send you the patched main program flax.exe.

The self-verification function and the real-time preview function

When this software runs, the main file generates two temporary files, Flax001.exe and Flax002.exe. Flax001.exe mainly performs the real-time preview; Flax002.exe mainly performs an integrity check on the main file Flax.exe. If the file is intact and has not been modified, Flax001.exe is loaded and real-time preview works. If the main file Flax.exe is found to have been modified, loading Flax001.exe fails and the software loses its real-time preview function. After the self-check finishes, the program automatically deletes Flax002.exe, and when the main program exits it automatically deletes Flax001.exe. Moreover, the names of these two files differ from one environment to another. So to keep the real-time preview function, its self-verification must be cracked.

The size of Flax002.exe is 41000 bytes. Below is a section of code from Flax002.exe:

:00401000 55 push ebp
:00401001 8BEC mov ebp, esp
:00401003 81EC5C010000 sub esp, 0000015C
:00401009 6A00 push 00000000
:0040100B 6880000000 push 00000080
:00401010 6A03 push 00000003
:00401012 6A00 push 00000000
:00401014 6A03 push 00000003
:00401016 6800000080 push 80000000
* Possible StringData Ref from Data Obj ->"C:\Program Files\Goldshell\FlaX.exe"
|
:0040101B 68A0904000 push 004090A0
* Reference To: KERNEL32.CreateFileA, Ord:0034h
|
:00401020 FF1510804000 Call dword ptr [00408010]
:00401026 8945FC mov dword ptr [ebp-04], eax
:00401029 837DFCFF cmp dword ptr [ebp-04], FFFFFFFF
:0040102D 0F84FE000000 je 00401131
:00401033 A158904000 mov eax, dword ptr [00409058]
:00401038 8945F8 mov dword ptr [ebp-08], eax
:0040103B 837DF800 cmp dword ptr [ebp-08], 00000000
:0040103F 0F8EE2000000 jle 00401127
:00401045 6A00 push 00000000
:00401047 6A00 push 00000000
:00401049 6A00 push 00000000
:0040104B 8B4DFC mov ecx, dword ptr [ebp-04]
:0040104E 51 push ecx
* Reference To: KERNEL32.SetFilePointer, Ord:026Ah
|
:0040104F FF150C804000 Call dword ptr [0040800C]
:00401055 8B55F8 mov edx, dword ptr [ebp-08]
:00401058 52 push edx
:00401059 8B45FC mov eax, dword ptr [ebp-04]
:0040105C 50 push eax
:0040105D E8D7000000 call 00401139 ***** this routine performs the checksum computation over Flax.exe.
:00401062 83C408 add esp, 00000008
====================================================
:00401065 8B0D50904000 mov ecx, dword ptr [00409050] ***** the result is XORed with the value in [00409050]
:0040106B 33C8 xor ecx, eax
====================================================
:0040106D 890D50904000 mov dword ptr [00409050], ecx ***** the result is stored in [00409050], so these two lines are
:00401073 8B55FC mov edx, dword ptr [ebp-04] ***** the place I want to patch; marked as A
:00401076 52 push edx
:00401077 E885050000 call 00401601
:0040107C 83C404 add esp, 00000004
:0040107F 6800010000 push 00000100
:00401084 8D85E8FEFFFF lea eax, dword ptr [ebp+FFFFFEE8]
:0040108A 50 push eax
:0040108B 6A00 push 00000000
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:0040108D FF1508804000 Call dword ptr [00408008]
:00401093 8B0D6C904000 mov ecx, dword ptr [0040906C]
:00401099 51 push ecx
* Possible StringData Ref from Data Obj ->"flax%03d.exe"
|
:0040109A 6838904000 push 00409038
:0040109F 6A5C push 0000005C
:004010A1 8D95E8FEFFFF lea edx, dword ptr [ebp+FFFFFEE8]
:004010A7 52 push edx
:004010A8 E8B3380000 call 00404960 ***** generates a different file name depending on the environment: Flax00*.exe
:004010AD 83C408 add esp, 00000008
:004010B0 83C001 add eax, 00000001
:004010B3 50 push eax
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:004010B4 FF15B0804000 Call dword ptr [004080B0]
:004010BA 83C40C add esp, 0000000C
* Possible StringData Ref from Data Obj ->"罰?
|
:004010BD 6850904000 push 00409050
:004010C2 8D85E8FEFFFF lea eax, dword ptr [ebp+FFFFFEE8]
:004010C8 50 push eax
:004010C9 E8B2370000 call 00404880 ***** this routine checks the result in [00409050] and, depending on it, decides
:004010CE 83C408 add esp, 00000008 ***** whether loading the Flax001.exe file can succeed
:004010D1 6A44 push 00000044
:004010D3 6A00 push 00000000
:004010D5 8D8DA4FEFFFF lea ecx, dword ptr [ebp+FFFFFEA4]
:004010DB 51 push ecx
:004010DC E82F370000 call 00404810
:004010E1 83C40C add esp, 0000000C
:004010E4 C785A4FEFFFF44000000 mov dword ptr [ebp+FFFFFEA4], 00000044
:004010EE 66C785D4FEFFFF0000 mov word ptr [ebp+FFFFFED4], 0000
:004010F7 C785D0FEFFFF01000000 mov dword ptr [ebp+FFFFFED0], 00000001
:00401101 8D55E8 lea edx, dword ptr [ebp-18]
:00401104 52 push edx
:00401105 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
:0040110B 50 push eax
:0040110C 6A00 push 00000000
:0040110E 6A00 push 00000000
:00401110 6A00 push 00000000
:00401112 6A00 push 00000000
:00401114 6A00 push 00000000
:00401116 6A00 push 00000000
:00401118 8D8DE8FEFFFF lea ecx, dword ptr [ebp+FFFFFEE8]
:0040111E 51 push ecx
:0040111F 6A00 push 00000000
* Reference To: KERNEL32.CreateProcessA, Ord:0044h
|
:00401121 FF1504804000 Call dword ptr [00408004] ***** loads Flax001.exe; if the file Flax.exe has been modified, loading fails.

After repeated dynamic debugging with SoftICE, I found that the result computed at location A is 00465820H. Flax002.exe could therefore be patched as follows:

001B:00401065 mov ecx,00465820
001B:0040106A nop
001B:0040106B nop
001B:0040106C nop

But Flax002.exe is a dynamically generated temporary file, so it cannot be patched directly.

Analysis of the patching method

After repeated dynamic debugging of the main file Flax.exe, I found that Flax002.exe is reconstructed by decrypting several pieces of resource data from Flax.exe, so there is no way to modify it inside the Flax.exe file. In the end I decided to modify Flax002.exe after it has been decrypted and restored but before it performs the self-check, that is, before it starts working. In other words, after Flax.exe has generated the complete Flax002.exe during execution, and before Flax002.exe is loaded, Flax.exe itself dynamically patches Flax002.exe.

So I dynamically debugged the Flax.exe file, set breakpoints with

bpx CreateFileA
bpx CloseHandle
bpx CreateProcessA

and finally got the following:

:0041C82D 68A8634400 push 004463A8
:0041C832 6A00 push 00000000
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:0041C834 FF154CE14300 Call dword ptr [0043E14C]
:0041C83A 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:0041C840 52 push edx
:0041C841 E865130100 call 0042DBAB ***** creates the new Flax002.exe file with CreateFileA.
:0041C846 83C404 add esp, 00000004
:0041C849 898590FEFFFF mov dword ptr [ebp+FFFFFE90], eax
:0041C84F 6A00 push 00000000
:0041C851 6A00 push 00000000
* Possible StringData Ref from Data Obj ->" "
|
:0041C853 B8A8644400 mov eax, 004464A8
:0041C858 2D70634400 sub eax, 00446370
:0041C85D 50 push eax
* Possible StringData Ref from Data Obj ->""
|
:0041C85E 6870634400 push 00446370
:0041C863 E871140100 call 0042DCD9 ***** restores data into the new Flax002.exe: takes the encrypted data out of Flax.exe,
:0041C868 83C410 add esp, 00000010 ***** decodes it and writes it into the Flax002.exe file
:0041C86B 6800120000 push 00001200
* Possible StringData Ref from Data Obj ->"pad"
|
:0041C870 68D8644400 push 004464D8
:0041C875 E8F3200100 call 0042E96D ***** restores data into the new Flax002.exe: takes the encrypted data out of Flax.exe,
:0041C87A 83C408 add esp, 00000008 ***** decodes it and writes it into the Flax002.exe file
:0041C87D 8B8D90FEFFFF mov ecx, dword ptr [ebp+FFFFFE90]
:0041C883 51 push ecx
:0041C884 E898130100 call 0042DC21 ***** after restoration, closes the open Flax002.exe file handle; this is where I add my
:0041C889 83C404 add esp, 00000004 ***** code: before the Flax002.exe handle is closed, modify Flax002.exe and write in my own
:0041C88C 8B9594FEFFFF mov edx, dword ptr [ebp+FFFFFE94] ***** patch code, dynamically modifying the Flax002.exe file. Marked as B
:0041C892 52 push edx
:0041C893 E889130100 call 0042DC21 ***** after restoration, closes the open Flax.exe file handle
:0041C898 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041C7CA(C), :0041C7F0(U)
|
:0041C89B 837DE800 cmp dword ptr [ebp-18], 00000000
:0041C89F 7452 je 0041C8F3
:0041C8A1 6A01 push 00000001
:0041C8A3 6A01 push 00000001
:0041C8A5 E86BBC0000 call 00428515
:0041C8AA 83C408 add esp, 00000008
:0041C8AD 6A44 push 00000044
:0041C8AF 6A00 push 00000000
:0041C8B1 8D859CFEFFFF lea eax, dword ptr [ebp+FFFFFE9C]
:0041C8B7 50 push eax
:0041C8B8 E813CD0100 call 004395D0
:0041C8BD 83C40C add esp, 0000000C
:0041C8C0 C7859CFEFFFF44000000 mov dword ptr [ebp+FFFFFE9C], 00000044
:0041C8CA 8D4DF0 lea ecx, dword ptr [ebp-10]
:0041C8CD 51 push ecx
:0041C8CE 8D959CFEFFFF lea edx, dword ptr [ebp+FFFFFE9C]
:0041C8D4 52 push edx
:0041C8D5 6A00 push 00000000
:0041C8D7 6A00 push 00000000
:0041C8D9 6A00 push 00000000
:0041C8DB 6A00 push 00000000
:0041C8DD 6A00 push 00000000
:0041C8DF 6A00 push 00000000
:0041C8E1 8D85E4FEFFFF lea eax, dword ptr [ebp+FFFFFEE4]
:0041C8E7 50 push eax
:0041C8E8 6A00 push 00000000
* Reference To: KERNEL32.CreateProcessA, Ord:0044h
|
:0041C8EA FF152CE14300 Call dword ptr [0043E12C] ***** loads Flax002.exe to run the integrity check on Flax.exe
:0041C8F0 8945E8 mov dword ptr [ebp-18], eax

Find an empty code area in the Flax.exe file and write in a section of code (the nops are ones I reserved in case the code needed changing; it is rather poorly written and I never rewrote it, so please just understand the principle and don't flame me):

.00440501: 90 nop
.00440502: 90 nop
.00440503: 90 nop
.00440504: 8D55FC lea edx,[ebp][-04] **** fill the patch data into a local variable (the file buffer).
.00440507: 8B12 mov edx,[edx]
.00440509: C702B9205846 mov d,[edx],0465820B9
.0044050F: C7420400909090 mov d,[edx][04],090909000
.00440516: 90 nop
.00440517: 90 nop
.0044051F: 90 nop
.00440520: 51 push ecx
.00440521: 59 pop ecx
.00440522: 6A00 push 000
.00440524: 50 push eax
.00440525: FF1568E14300 call GetFileSize
.0044052B: 3D28A00000 cmp eax,00000A028
.00440530: 0F854A0A0000 jne .000440F78 **** get the file size and check whether this is the Flax002.exe file;
.00440536: 6A00 push 000 **** the size of Flax002.exe is 41000 bytes
.00440538: 6A00 push 000
.0044053A: 6865100000 push 000001065
.0044053F: 8B4D08 mov ecx,[ebp][08]
.00440542: 51 push ecx
.00440543: FF151CE14300 call SetFilePointer
.00440549: 90 nop **** move the current file pointer to the file offset to be modified
.0044054A: 90 nop
.0044054F: 90 nop
.00440551: 6A00 push 000
.00440553: 8D45F8 lea eax,[ebp][-08]
.00440556: 50 push eax
.00440557: 6A08 push 008
.00440559: 90 nop
.0044055A: 8B4DFC mov ecx,[ebp][-04]
.0044055D: 51 push ecx
.00440566: 90 nop
.00440567: 90 nop
.00440568: 8B4D08 mov ecx,[ebp][08]
.0044056B: 51 push ecx
.0044056C: FF1590E14300 call WriteFile ;KERNEL32.dll
.00440572: 90 nop **** write the patch data into the file
.00440575: 90 nop
.00440591: E9E2090000 jmp .000440F78 ----- (1)
.00440596: 90 nop
.00440F78: 8B4D08 mov ecx,[ebp][08]
.00440F7A: 90 nop
.00440F7E: 90 nop
.00440F7F: 90 nop
.00440F80: 51 push ecx
.00440F81: FF159CE14300 call CloseHandle **** close the file handle, completing the program's original function
.00440F87: C705C0966000FFFFFFFF mov d,[006096C0],0FFFFFFFF
.00440F91: E93FCDFEFF jmp .00042DCD5

Then modify one place in the routine call 0042DC21 that is used at mark B:

:0042DC21 55 push ebp
:0042DC22 8BEC mov ebp, esp
:0042DC24 83EC0C sub esp, 0000000C
:0042DC27 E8C4FBFFFF call 0042D7F0
:0042DC2C 837D08FF cmp dword ptr [ebp+08], FFFFFFFF
:0042DC30 0F849F000000 je 0042DCD5
:0042DC36 8B4508 mov eax, dword ptr [ebp+08]
:0042DC39 3B05C0966000 cmp eax, dword ptr [006096C0]
:0042DC3F 7516 jne 0042DC57
:0042DC41 8B4D08 mov ecx, dword ptr [ebp+08]
:0042DC44 51 push ecx
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:0042DC45 FF159CE14300 Call dword ptr [0043E19C]
:0042DC4B C705C0966000FFFFFFFF mov dword ptr [006096C0], FFFFFFFF
:0042DC55 EB7E jmp 0042DCD5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DC3F(C)
|
:0042DC57 8B5508 mov edx, dword ptr [ebp+08]
:0042DC5A 3B15E09B6000 cmp edx, dword ptr [00609BE0]
:0042DC60 7573 jne 0042DCD5
:0042DC62 833DE49B600000 cmp dword ptr [00609BE4], 00000000
:0042DC69 7456 je 0042DCC1
:0042DC6B B8ECA06000 mov eax, 0060A0EC
:0042DC70 8B0DE49B6000 mov ecx, dword ptr [00609BE4]
:0042DC76 6BC928 imul ecx, 00000028
:0042DC79 2BC1 sub eax, ecx
:0042DC7B 8945FC mov dword ptr [ebp-04], eax
:0042DC7E 8B15E49B6000 mov edx, dword ptr [00609BE4]
:0042DC84 6BD228 imul edx, 00000028
:0042DC87 8955F4 mov dword ptr [ebp-0C], edx
* Possible StringData Ref from Data Obj ->"GLUE"
|
:0042DC8A 68349D4400 push 00449D34
:0042DC8F E8ACE0FDFF call 0040BD40
:0042DC94 83C404 add esp, 00000004
:0042DC97 6A01 push 00000001
:0042DC99 8B45F4 mov eax, dword ptr [ebp-0C]
:0042DC9C 50 push eax
:0042DC9D 8B4DFC mov ecx, dword ptr [ebp-04]
:0042DCA0 51 push ecx
:0042DCA1 E8A1E2FDFF call 0040BF47
:0042DCA6 83C40C add esp, 0000000C
:0042DCA9 6A00 push 00000000
:0042DCAB 8D55F8 lea edx, dword ptr [ebp-08]
:0042DCAE 52 push edx
:0042DCAF 8B45F4 mov eax, dword ptr [ebp-0C]
:0042DCB2 50 push eax
:0042DCB3 8B4DFC mov ecx, dword ptr [ebp-04]
:0042DCB6 51 push ecx
:0042DCB7 8B5508 mov edx, dword ptr [ebp+08]
:0042DCBA 52 push edx
* Reference To: KERNEL32.WriteFile, Ord:02DFh
|
:0042DCBB FF1590E14300 Call dword ptr [0043E190] **** there is a write operation here, so I use its local variables directly.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DC69(C)
|
====================================== before modification
:0042DCC1 8B4508 mov eax, dword ptr [ebp+08]
:0042DCC4 50 push eax
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:0042DCC5 FF159CE14300 Call dword ptr [0043E19C]
:0042DCCB C705E09B6000FFFFFFFF mov dword ptr [00609BE0], FFFFFFFF
=======================================
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DC30(C), :0042DC55(U), :0042DC60(C)
|
:0042DCD5 8BE5 mov esp, ebp
:0042DCD7 5D pop ebp
:0042DCD8 C3 ret
=================================== after modification: jump to my own code to perform the write on the flax002.exe file
:0042DCC1 8B4508 mov eax, dword ptr [ebp+08]
:0042DCC4 E938280100 jmp 00440501
:0042DCC9 90 nop
:0042DCCA 90 nop
=======================================

=============== Appendix: result of the dynamic patch ===============
:00401058 52 push edx
:00401059 8B45FC mov eax, dword ptr [ebp-04]
:0040105C 50 push eax
:0040105D E8D7000000 call 00401139 ***** this routine performs the checksum computation over Flax.exe.
:00401062 83C408 add esp, 00000008
================================= this is Flax002.exe after dynamic patching
:00401065 mov ecx,00465820
:0040106A nop
:0040106B nop
:0040106C nop
====================================================
:0040106D 890D50904000 mov dword ptr [00409050], ecx ***** the result is stored in [00409050]
:00401073 8B55FC mov edx, dword ptr [ebp-04]
:00401076 52 push edx
:00401077 E885050000 call 00401601
:0040107C 83C404 add esp, 00000004
:0040107F 6800010000 push 00000100

At this point, Flax.exe can be modified in any way without problems, including brute-force cracking and localization.

Summary:

In this Flax.exe, the few APIs needed, GetFileSize, SetFilePointer and WriteFile, already exist in the import table, so no API needs to be added. The routine call 0042DC21 contains a file write operation, so its local variables are used directly; that is also the main reason the functional code is added there.

After the modification, every time the main program Flax.exe runs it automatically generates an already-patched flax002.exe, so flax002.exe's self-check gets the correct computation result every time and the real-time preview function works normally. This program also has machine code + registration code registration, which I have not cracked; I will crack it when I have time.

The writing in between is rather rough; in practice, tracing a few more times will make clear what each section of the program's code does.

If you have questions you can e-mail me, and we can learn together. Everyone is welcome to point out shortcomings; I hope to exchange experience with you all.