At a friend's request, this article does not disclose the name of the software. It is meant as a technical exchange, so knowing the software's name is not important.
OK, today we are going to crack Jintiandi's (金天地) TDSD dongle with the dongle plugged in.
Tools: TRW2000, HVIEW, W32DASM, FILEMON
This program is written in VB. When no dongle is present it shows a "no dongle" message. We use the most common dongle-cracking breakpoint, bpx deviceiocontrol. After the break we land in win32DLL.DLL, so that file is the DLL that reads the dongle. With FileMon we can also see that the program reads the file TDSD.VXD, which tells us this is a Jintiandi dongle. Then keep pressing F10 until you return to the main program, as follows:
* Possible StringData Ref from Code Obj ->"BBBBBBBBBBB" <===== query string sent to the dongle, used to compute the returned seed
|
:00436947 BAE8A44000        mov edx, 0040A4E8
:0043694C 8D4DDC            lea ecx, dword ptr [ebp-24]
* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0043694F FF15D0114000      Call dword ptr [004011D0]
:00436955 8B45DC            mov eax, dword ptr [ebp-24]
:00436958 50                push eax
:00436959 8D4DCC            lea ecx, dword ptr [ebp-34]
:0043695C 51                push ecx
* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
|
:0043695D FF150C124000      Call dword ptr [0040120C]
:00436963 50                push eax
:00436964 57                push edi
:00436965 6A0A              push 0000000A
:00436967 E8680DFDFF        call 004076D4 <===== the CALL that reads the dongle
:0043696C 8BF0              mov esi, eax <===== returns here; EAX is copied into ESI. Without a dongle EAX is a non-zero value; with a dongle EAX is zero.
You may ask: why not just change ESI to 0 and call it cracked? That would be a mistake. Jintiandi's TDMD & TDSD dongles do not merely return a flag; they also return a seed, and the program uses that seed to decrypt strings inside itself. Without the seed the program's strings show up as garbage, so without a dongle there is no way to know the seed.
* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h
|
:0043696E FF1558104000      Call dword ptr [00401058]
:00436974 8B55CC            mov edx, dword ptr [ebp-34] <===== fetch the seed K7W9B3T2R9
:00436977 52                push edx
:00436978 8D45DC            lea eax, dword ptr [ebp-24] <===== fetch the seed's address, which is 560A48
:0043697B 50                push eax
* Reference To: MSVBVM60.__vbaStrToUnicode, Ord:0000h
|
:0043697C FF1568114000      Call dword ptr [00401168] <===== widen to Unicode
:00436982 8D4DCC            lea ecx, dword ptr [ebp-34]
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00436985 FF1564124000      Call dword ptr [00401264]
:0043698B 3BF7              cmp esi, edi <===== test the dongle flag; if they differ, jump to the error message box
:0043698D 754B              jne 004369DA
:0043698F 8D4DDC            lea ecx, dword ptr [ebp-24]
Is the program cracked now? Of course not: this program reads the dongle twice. How do we know? The method is simple: set a breakpoint on the first line of the DogRead function in win32DLL.DLL, as follows:
Exported fn(): DogRead - Ord:0001h
:10001020 8B442408          mov eax, dword ptr [esp+08] <===== set the breakpoint here
:10001024 56                push esi
:10001025 8B742408          mov esi, dword ptr [esp+08]
:10001029 57                push edi
:1000102A 8B7C2414          mov edi, dword ptr [esp+14]
:1000102E 893550950010      mov dword ptr [10009550], esi
:10001034 893D58950010      mov dword ptr [10009558], edi
:1000103A A354950010        mov dword ptr [10009554], eax
:1000103F E85C020000        call 100012A0
:10001044 C6043E00          mov byte ptr [esi+edi], 00
:10001048 5F                pop edi
:10001049 5E                pop esi
:1000104A C20C00            ret 000C
Then, at address 43698B, change ESI to 0 and press F5; the program breaks again. Press F12 once, then F10 once, and you return to the second dongle read, as follows:
* Possible StringData Ref from Code Obj ->"AAAAAAAAAAAAAAAAAAAAA" <===== query string sent to the dongle, used to compute the returned seed
|
:0041324B BA4C754000        mov edx, 0040754C
:00413250 8D4DEC            lea ecx, dword ptr [ebp-14]
:00413253 897DEC            mov dword ptr [ebp-14], edi
:00413256 897DDC            mov dword ptr [ebp-24], edi
:00413259 897DCC            mov dword ptr [ebp-34], edi
:0041325C 897DBC            mov dword ptr [ebp-44], edi
* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0041325F FF15D0114000      Call dword ptr [004011D0]
:00413265 8B45EC            mov eax, dword ptr [ebp-14]
:00413268 8D4DDC            lea ecx, dword ptr [ebp-24]
:0041326B 50                push eax
:0041326C 51                push ecx
* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
|
:0041326D FF150C124000      Call dword ptr [0040120C]
:00413273 50                push eax
:00413274 6A0A              push 0000000A
:00413276 6A14              push 00000014
:00413278 E85744FFFF        call 004076D4 <===== the CALL that reads the dongle
:0041327D 8BF0              mov esi, eax <===== returns here
* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h
|
:0041327F FF1558104000      Call dword ptr [00401058]
:00413285 8B55DC            mov edx, dword ptr [ebp-24] <===== fetch the seed 793a7fe2a9f3e1cf31f5
:00413288 8D45EC            lea eax, dword ptr [ebp-14] <===== fetch the seed's address: 4694DC
:0041328B 52                push edx
:0041328C 50                push eax
* Reference To: MSVBVM60.__vbaStrToUnicode, Ord:0000h
|
:0041328D FF1568114000      Call dword ptr [00401168]
:00413293 8D4DDC            lea ecx, dword ptr [ebp-24]
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00413296 FF1564124000      Call dword ptr [00401264]
:0041329C 3BF7              cmp esi, edi <===== compare the flag
:0041329E 753D              jne 004132DD <===== jump if not equal
:004132A0 8D55BC            lea edx, dword ptr [ebp-44]
Good, now we know the seeds the program returns; the next step is how to patch the program. We need to write the two seeds to the addresses 560A48 and 4694DC respectively and set the flag to the "dongle present" value. The method I use is SMC. At address 402526 in the program there is a contiguous block of about 200 bytes that the program does not use, which is plenty of room for our SMC instructions.
First write down the three instructions at 436974-436978, because this is where we insert the jump to the SMC code we wrote. The modified instructions are as follows:
:00436967 E8680DFDFF        call 004076D4
:0043696C 8BF0              mov esi, eax
* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h
|
:0043696E FF1558104000      Call dword ptr [00401058]
:00436974 E9ADBBFCFF        jmp 00402526 <==== modified instruction
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040254F(U)
|
:00436979 90                nop <==== modified instruction
:0043697A 90                nop <==== modified instruction
:0043697B 50                push eax
Likewise, change the second dongle read as follows:
:00413278 E85744FFFF        call 004076D4
:0041327D 8BF0              mov esi, eax
* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h
|
:0041327F FF1558104000      Call dword ptr [00401058]
:00413285 E9CFF2FEFF        jmp 00402559 <==== modified instruction
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402593(U)
|
:0041328A 90                nop <===== modified instruction
:0041328B 52                push edx
:0041328C 50                push eax
Here is the first SMC block:
:00402526 C705480A56004B375739   mov dword ptr [00560A48], 3957374B <==== write the seed
:00402530 C7054C0A560042335432   mov dword ptr [00560A4C], 32543342
:0040253A 66C705500A56005239     mov word ptr [00560A50], 3952
:00402543 8B55CC                 mov edx, dword ptr [ebp-34] <===== restore the original program's instruction
:00402546 52                     push edx <===== restore the original program's instruction
:00402547 8D45DC                 lea eax, dword ptr [ebp-24] <===== restore the original program's instruction
:0040254A BE00000000             mov esi, 00000000 <===== set the dongle-check flag
:0040254F E925440300             jmp 00436979 <===== jump back to the original program
The second SMC block:
:00402559 C705DC94460037393341   mov dword ptr [004694DC], 41333937 <==== write the seed
:00402563 C705E094460037464532   mov dword ptr [004694E0], 32454637
:0040256D C705E494460041394633   mov dword ptr [004694E4], 33463941
:00402577 C705E894460045314346   mov dword ptr [004694E8], 46433145
:00402581 C705EC94460033314635   mov dword ptr [004694EC], 35463133
:0040258B 8B55DC                 mov edx, dword ptr [ebp-24] <===== restore the original program's instruction
:0040258E 8D45EC                 lea eax, dword ptr [ebp-14] <===== restore the original program's instruction
:00402591 33F6                   xor esi, esi <===== set the dongle-check flag
:00402593 E9F20C0100             jmp 0041328A <===== jump back to the original program
I don't know how to use TOPO; after I used it to add bytes I couldn't jump to the address of the modified instructions, and I don't know why. Could a friend who knows explain it to me?
Of the TDMD & TDSD dongles I have cracked, the vast majority can only be cracked with the original dongle. From this we can see the characteristic of this dongle: it uses data from inside the dongle in its computations. Without the original dongle there is almost no way to crack it, but with the dongle in hand, cracking it is very easy.
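The flag-plus-seed mechanism explained above, and the closing observation that the program's behaviour depends on data only the dongle holds, modelled as an added example (not code from the original post or from the dongle vendor). The dongle table, the string table and the SHA-256 keystream derivation are constructed for illustration; only the query string and the first seed value are taken from the listing, and nothing here models the real dongle's algorithm.

```python
# Toy model of a "flag + seed" dongle check: the program sends a fixed query
# string, the dongle answers with a flag and a seed, and the program's string
# table is only readable when decrypted with that seed. Forcing the flag alone
# therefore produces garbage, which is the behaviour the post describes.
import hashlib

# Constructed dongle: query string -> seed (values quoted from the listing).
DONGLE_TABLE = {"BBBBBBBBBBB": "K7W9B3T2R9"}
QUERY = "BBBBBBBBBBB"


def dongle_read(query, present=True):
    """Model of the read-dongle call: returns (flag, seed); flag 0 means found."""
    if not present or query not in DONGLE_TABLE:
        return 1, ""                      # non-zero flag and no usable seed
    return 0, DONGLE_TABLE[query]


def keystream(seed, n):
    """Derive n keystream bytes from the seed (constructed derivation, SHA-256 counter mode)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed.encode() + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


def xor_bytes(data, seed):
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def encrypt_strings(seed, strings):
    return [xor_bytes(s.encode("latin-1"), seed) for s in strings]


def decrypt_strings(seed, blobs):
    return [xor_bytes(c, seed).decode("latin-1") for c in blobs]


# Constructed string table, encrypted at "build time" under the real seed.
PLAIN = ["File", "Edit", "Open project"]
ENCRYPTED = encrypt_strings(DONGLE_TABLE[QUERY], PLAIN)


def run_program(dongle_present, force_flag=False):
    """Returns (flag, decoded strings). force_flag models patching only the flag."""
    flag, seed = dongle_read(QUERY, present=dongle_present)
    if force_flag:
        flag = 0                          # flag forced, but the seed is still missing
    if flag != 0:
        return flag, []                   # error-box path: no strings shown
    return flag, decrypt_strings(seed, ENCRYPTED)
```

Because the seed is a static reply to a fixed query string, anyone holding a legitimate dongle can record it once and hard-code it, which is exactly why the post can patch the program only after observing the seed with the dongle present.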
- Title: Haven't cracked a dongle in a long time; lately XXX's crackme has had me dizzy, so I picked a TDSD dongle to let off steam (9,000 characters)
- Author: crackjack[CCG]
- Date: 2001-12-10 13:52:37
- Link: http://bbs.pediy.com