WinRip 2.0保护机制分析及其补丁制作
工具:ollydbg 1.07a
平台:Windows 2000 Professional
该软件在试用期(30天)过后,将会出现NAG,功能也会受到限制。根据这一现象,在GetSystemTime处设断,运行程序,被拦截后一步一步返回到了这里(0040ce45):
0040CDF8 /$ B8 18884300 MOV EAX,WinRip.00438818
0040CDFD |. E8 2EEB0000 CALL WinRip.0041B930
0040CE02
|. 83EC 68 SUB ESP,68
0040CE05 |. 53
PUSH EBX
0040CE06 |. 56
PUSH ESI
0040CE07 |. BB 7CBA4300
MOV EBX,WinRip.0043BA7C
0040CE0C |. 57
PUSH EDI
0040CE0D |. 8BF1
MOV ESI,ECX
0040CE0F |. 895D D4 MOV
[LOCAL.11],EBX
0040CE12 |. E8 94E0FFFF CALL WinRip.0040AEAB
0040CE17 |. 33FF XOR EDI,EDI
0040CE19 |. 8D4D D4 LEA ECX,[LOCAL.11]
0040CE1C
|. 57 PUSH EDI
; /Arg2 => 00000000
0040CE1D |. 50
PUSH EAX
; |Arg1
0040CE1E |.
E8 FFF8FFFF CALL WinRip.0040C722
; \WinRip.0040C722
0040CE23 |. 57
PUSH EDI
0040CE24 |. 897D FC
MOV [LOCAL.1],EDI
0040CE27 |. FF15 14AA4300
CALL [DWORD DS:<&ole32.CoInitialize>] ; ole32.CoInitialize
0040CE2D |. 3BC7 CMP EAX,EDI
0040CE2F |. 8945 F0 MOV [LOCAL.4],EAX
0040CE32
|. 7C 7B JL SHORT WinRip.0040CEAF
0040CE34
|. 8D45 EC LEA EAX,[LOCAL.5]
0040CE37 |.
50 PUSH EAX
0040CE38 |. 68
E4B74300 PUSH WinRip.0043B7E4
0040CE3D |. 6A 01
PUSH 1
0040CE3F |. 57
PUSH EDI
0040CE40 |. 68 44B84300
PUSH WinRip.0043B844
0040CE45 |. FF15 0CAA4300 CALL [DWORD DS:<&ole32.CoCreateInstance>>;
ole32.CoCreateInstance <取得系统时间>
0040CE4B |. 3BC7
CMP EAX,EDI
0040CE4D |. 8945 F0
MOV [LOCAL.4],EAX
0040CE50 |. 7C 57
JL SHORT WinRip.0040CEA9
0040CE52 |. 6A 40
PUSH 40
; /n = 40 (64.)
0040CE54
|. 8D45 94 LEA EAX,[LOCAL.27]
; |
0040CE57 |. 57
PUSH EDI
;
|c
0040CE58 |. 50 PUSH EAX
; |s
0040CE59 |. 897D 90
MOV [LOCAL.28],EDI
; |
0040CE5C |. E8 F5EA0000 CALL <JMP.&MSVCRT.memset>
; \memset
0040CE61
|. 8D86 F0000000 LEA EAX,[DWORD DS:ESI+F0]
0040CE67 |. 6A 40
PUSH 40
; /maxlen
= 40 (64.)
0040CE69 |. 50
PUSH EAX
; |src
0040CE6A |. 8D45 94
LEA EAX,[LOCAL.27]
; |
0040CE6D |. 50
PUSH EAX
; |dest
0040CE6E |. FF15 E4A74300 CALL [DWORD DS:<&MSVCRT.strncpy>]
; \strncpy
0040CE74 |. 8B86 30010000 MOV
EAX,[DWORD DS:ESI+130]
0040CE7A |. 83C4 18
ADD ESP,18
0040CE7D |. 8945 90 MOV [LOCAL.28],EAX
0040CE80 |. C745 8C 050000>MOV [LOCAL.29],5
0040CE87 |.
E8 48000000 CALL WinRip.0040CED4 <进去看看,参考下面>
0040CE8C |. 8B4D EC MOV ECX,[LOCAL.5]
0040CE8F
|. 50 PUSH EAX
<参数1:如果为0则导致过期,正常值应该是1E>
0040CE90 |.
FF75 08 PUSH [ARG.1]
0040CE93 |. 8D45 8C
LEA EAX,[LOCAL.29]
0040CE96 |. 8B11
MOV EDX,[DWORD DS:ECX]
0040CE98 |. 50
PUSH EAX
0040CE99 |. 51
PUSH ECX
0040CE9A |. FF52 10
CALL [DWORD DS:EDX+10] <此处调用了appregag.10003c31,根据参数1,是否出现NAG并是否限制功能>
0040CE9D |. 8945 F0 MOV [LOCAL.4],EAX
0040CEA0 |. 8B45 EC MOV EAX,[LOCAL.5]
0040CEA3
|. 50 PUSH EAX
0040CEA4 |.
8B08 MOV ECX,[DWORD DS:EAX]
0040CEA6
|. FF51 08 CALL [DWORD DS:ECX+8]
0040CEA9
|> FF15 10AA4300 CALL [DWORD DS:<&ole32.CoUninitialize>] ;
ole32.CoUninitialize
0040CEAF |> 397D E8
CMP [LOCAL.6],EDI
0040CEB2 |. 5F
POP EDI
0040CEB3 |. 895D D4 MOV [LOCAL.11],EBX
0040CEB6 |. 5E POP ESI
0040CEB7 |. 5B POP EBX
0040CEB8
|. 74 09 JE SHORT WinRip.0040CEC3
0040CEBA
|. FF75 E8 PUSH [LOCAL.6]
; /hObject
0040CEBD |. FF15 ACA14300 CALL [DWORD DS:<&KERNEL32.CloseHandle>]
; \CloseHandle
0040CEC3 |> 8B4D F4 MOV ECX,[LOCAL.3]
0040CEC6 |. 8B45 F0 MOV EAX,[LOCAL.4]
0040CEC9 |. 64:890D 000000>MOV [DWORD FS:0],ECX
0040CED0 |. C9
LEAVE
0040CED1 \. C2 0400
RETN 4
=====<<由40CE87调用>>===================================================================
0040CED4 /$ 56 PUSH ESI
0040CED5 |. E8 D1DFFFFF CALL WinRip.0040AEAB
0040CEDA
|. 50 PUSH EAX
0040CEDB |.
E8 65DBFFFF CALL WinRip.0040AA45
0040CEE0 |. 8BF0
MOV ESI,EAX
0040CEE2 |. 59
POP ECX
0040CEE3 |. 85F6
TEST ESI,ESI
0040CEE5 |. 74 17
JE SHORT WinRip.0040CEFE
0040CEE7 |. 57
PUSH EDI
0040CEE8 |. 8BCE
MOV ECX,ESI
0040CEEA |. E8 719A0200 CALL
WinRip.00436960 <确定参数1的值,进出看看,必须在此前下断点后,才能看到,是动态生成的>
0040CEEF
|. 8BF8 MOV EDI,EAX
0040CEF1 |. 8B06
MOV EAX,[DWORD DS:ESI]
0040CEF3 |. 6A 01
PUSH 1
0040CEF5 |. 8BCE
MOV ECX,ESI
0040CEF7 |. FF10
CALL [DWORD DS:EAX]
0040CEF9 |. 8BC7
MOV EAX,EDI
0040CEFB |. 5F
POP EDI
0040CEFC |. 5E
POP ESI
0040CEFD |. C3 RETN
0040CEFE |> 33C0 XOR EAX,EAX
<如果执行了这一条,则出现NAG,功能也受到限制>
0040CF00
|. 5E POP ESI
0040CF01 \.
C3 RETN
=====<<由40CEEA调用,注:此段代码是动态生成的>>============================
00436960 /$ 51 PUSH ECX
00436961 |. 56 PUSH ESI
00436962
|. 8D4424 04 LEA EAX,[DWORD SS:ESP+4]
00436966
|. 50 PUSH EAX
; /timer
00436967 |. 8BF1 MOV ESI,ECX
; |
00436969 |. FF15 D4A74300 CALL [DWORD DS:<&MSVCRT.time>]
; \time
0043696F |. 83C4 04
ADD ESP,4
00436972 |. 8BCE
MOV ECX,ESI
00436974 |. E8 77FFFFFF CALL WinRip.004368F0
<在此call中的4368F9处的子过程中有取得磁盘卷序号的调用,
以及在436931处的子过程中有查询注册表的调用>
00436979 |. 8B4C24 04 MOV ECX,[DWORD SS:ESP+4]
0043697D |. 2BC8 SUB ECX,EAX
0043697F |. B8 07452EC2 MOV EAX,C22E4507
00436984
|. F7E9 IMUL ECX
00436986 |. 8B46
14 MOV EAX,[DWORD DS:ESI+14] <值1E,即30(D)>
00436989
|. 03D1 ADD EDX,ECX
0043698B |. C1FA
10 SAR EDX,10
0043698E |. 8BCA
MOV ECX,EDX
00436990 |. C1E9 1F
SHR ECX,1F
00436993 |. 03D1
ADD EDX,ECX
00436995 |. 3BD0 CMP
EDX,EAX
00436997 |.
5E POP ESI
00436998 |. 7E
04 JLE SHORT WinRip.0043699E <改成JMP SHORT
WinRip.004369A4,所有限制将被去掉(代码EB07)>
0043699A |. 33C0
XOR EAX,EAX
0043699C |. 59
POP ECX
0043699D |. C3
RETN
0043699E |> 85D2 TEST
EDX,EDX
004369A0 |. 7E 02 JLE SHORT
WinRip.004369A4
004369A2 |. 2BC2
SUB EAX,EDX
004369A4 |> 59
POP ECX
004369A5 \. C3 RETN
=====<<由这里解码出上面的代码>>============================
00435F06
|> 3BCF CMP ECX,EDI
<40c8f8-40cc2e,436200-436f50:解码地址>
00435F08 |. 8B45 08
MOV EAX,[ARG.1] <B672AB32,78F03D5D:解码初值>
00435F0B
|. 73 3B JNB SHORT WinRip.00435F48
00435F0D
|. 8D49 00 LEA ECX,[DWORD DS:ECX]
00435F10
|> 8B31 /MOV ESI,[DWORD DS:ECX]
<取待解码数据,传给esi>
00435F12 |. 33F0
|XOR ESI,EAX <esi=esi ^ eax
这里就是解码核心的核心了>
00435F14 |. 8BD6
|MOV EDX,ESI <edx=esi>
00435F16 |. 03C2 |ADD EAX,EDX
<eax=eax + edx>
00435F18 |. 8931
|MOV [DWORD DS:ECX],ESI <存入解码后的数据>
00435F1A |. 8BD0 |MOV EDX,EAX
<edx=eax>
00435F1C |.
C1EA 06 |SHR EDX,6
<esi=edx % 0x40>
00435F1F |. 8BF0
|MOV ESI,EAX
<esi=eax>
00435F21 |. 81E2 00F80700 |AND EDX,7F800
<edx=edx & 0x7f800>
00435F27 |.
81E6 00F80700 |AND ESI,7F800 <esi=esi
& 0xf7800>
00435F2D |. 33D6 |XOR
EDX,ESI <edx=edx^esi>
00435F2F |. 8BF0 |MOV ESI,EAX
<esi=eax>
00435F31 |. C1EA 0B
|SHR EDX,0B
<edx=edx & 0x800>
00435F34 |. 81E6 FF000000 |AND
ESI,0FF <esi=esi & 0xff>
00435F3A |. 33D6 |XOR EDX,ESI
<edx=edx ^ esi>
00435F3C
|. C1E0 08 |SHL EAX,8
<eax=eax * 0x100>
00435F3F |. 83C1 04
|ADD ECX,4
<ecx=ecx +0x4>
00435F42 |. 0BC2
|OR EAX,EDX <eax=eax
| edx>
00435F44 |. 3BCF |CMP ECX,EDI
<循环条件判断>
00435F46 |.^72
C8 \JB SHORT WinRip.00435F10 <跳转,取下一个待解码数据>
00435F48 |> 5F POP EDI
补丁原理:
1、根据上面解码原理编写一个解码过程 DeCode(Byte buff[]);
2、打开“WinRip.exe”,把
436200-436f50这一段读入Byte buff[0xD50] ,并对其用DeCode(Byte buff[])进行解码;
3、修改 buff[0x998]、buff[0x999]中数据的值分别为eb
、07;
4、重新对buff[]用DeCode(Byte buff[])进行编码(编码、解码是对称的);
5、把buff[]写回文件;
至此,程序已经完全破解。
youth
2002-8-23
- 标 题:WinRip 2.0保护机制分析及其补丁制作 (9千字)
- 作 者:youth[chat001]
- 时 间:2002-8-24
5:49:38
- 链 接:http://bbs.pediy.com