带狗杀TDSD狗

标题：带狗杀TDSD狗
作者：nahum
时间：2003/04/24 09:34pm　
链接：http://bbs.pediy.com

使用工具 TRW2000，WIN32DSAM，HIEW，PE-SCAN。菜鸟没办法，靠工具了。
某公司条码打印软件，先判断狗的类型发现是TDSD的，看看没有壳。没狗的时候有提示！
先反汇编找到提示地址如下：:00419F00 6AFF push FFFFFFFF
:00419F02 68902A4800 push 00482A90
:00419F07 64A100000000 mov eax, dword ptr fs:[00000000]
:00419F0D 50 push eax
:00419F0E 64892500000000 mov dword ptr fs:[00000000], esp
:00419F15 83EC08 sub esp, 00000008
:00419F18 A1A89D4A00 mov eax, dword ptr [004A9DA8]
:00419F1D 56 push esi
:00419F1E 8BF1 mov esi, ecx
:00419F20 89442404 mov dword ptr [esp+04], eax
:00419F24 C744241400000000 mov [esp+14], 00000000
:00419F2C 89442408 mov dword ptr [esp+08], eax
:00419F30 A1BCC64A00 mov eax, dword ptr [004AC6BC]有狗时是0无狗为1
:00419F35 C644241401 mov [esp+14], 01
:00419F3A 85C0 test eax, eax
:00419F3C 744F je 00419F8D关键跳转
:00419F3E 8B0DC0C64A00 mov ecx, dword ptr [004AC6C0]
:00419F44 85C9 test ecx, ecx
:00419F46 7545 jne 00419F8D
:00419F48 83F801 cmp eax, 00000001
:00419F4B 7507 jne 00419F54

* Possible StringData Ref from Data Obj ->"没有安装软件狗或软件狗不对应! "
->"本软件只能运行在演示模式。"
|
:00419F4D 682C924A00 push 004A922C
:00419F52 EB05 jmp 00419F59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419F4B(C)
|

* Possible StringData Ref from Data Obj ->"没有安装软件狗驱动程序! 本软件只能运行在演示模"
->"式。"
|
:00419F54 68F8914A00 push 004A91F8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419F52(U)
|
:00419F59 8D4C2408 lea ecx, dword ptr [esp+08]
:00419F5D E80DFE0300 call 00459D6F

* Possible StringData Ref from Data Obj ->"警告"
|
:00419F62 68F0914A00 push 004A91F0
:00419F67 8D4C240C lea ecx, dword ptr [esp+0C]
:00419F6B E8FFFD0300 call 00459D6F
:00419F70 8B442408 mov eax, dword ptr [esp+08]
:00419F74 8B4C2404 mov ecx, dword ptr [esp+04]
:00419F78 6A30 push 00000030
:00419F7A 50 push eax
:00419F7B 51 push ecx
:00419F7C 8BCE mov ecx, esi
:00419F7E C705C0C64A0001000000 mov dword ptr [004AC6C0], 00000001
:00419F88 E8B4CE0300 call 00456E41

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419F3C(C), :00419F46(C)
|
:00419F8D 8B561C mov edx, dword ptr [esi+1C]有狗到这里。
:00419F90 6A01 push 00000001
:00419F92 52 push edx
更改以上中的关键跳转为“754f”
不行，没有破解过狗，没有经验，错误提示是没有了，但是仍然不能正确显示汉字。郁闷了2周，期间用TRW2000反复跟踪有狗和无狗的变化，经常饿着肚子哟。
用BPIO 378下断点没有收获。忘记了VXD的狗是0级的，用该断点没有意义。换之。
使用BPX DEVICEIOCONTROL 有两次分别如下：
0167:00402D4B FFD6 CALL ESI——调用DEVICEIOCONTROL
0167:00402D4D 85C0 TEST EAX,EAX
0167:00402D4F 7507 JNZ 00402D58 无狗跳，故改为NOP
0167:00402D51 C7458C08000000 MOV DWORD [EBP-74],08改为0
0167:00402D58 837D8C00 CMP DWORD [EBP-74],BYTE +00
0167:00402D5C 741D JZ 00402D7B跳
0167:00402D5E EB01 JMP SHORT 00402D61
0167:00402D60 43 INC EBX
0167:00402D61 FF75FC PUSH DWORD [EBP-04]
0167:00402D64 FF1548844800 CALL `KERNEL32!FindCloseChangeNotification`
0167:00402D6A EB01 JMP SHORT 00402D6D
0167:00402D6C 76FF JNA 00402D6D
0167:00402D6E 75F8 JNZ 00402D68
0167:00402D70 E835010000 CALL 00402EAA
0167:00402D75 59 POP ECX
0167:00402D76 E927010000 JMP 00402EA2
0167:00402D7B EB01 JMP SHORT 00402D7E
0167:00402D7D 8D DB 8D
0167:00402D7E EB0B JMP SHORT 00402D8B跳
0167:00402D80 0BE7 OR ESP,EDI
0167:00402D82 8E DB 8E
0167:00402D83 BE685C4EBE MOV ESI,BE4E5C68
0167:00402D88 51 PUSH ECX
0167:00402D89 1F POP DS

0167:00402D8E A318104B00 MOV [004B1018],EAX原来的
0167:00402D93 EB01 JMP SHORT 00402D96
0167:00402D95 1E PUSH DS

0167:00402D8B MOV EAX，[EBP-70]改为20167
0167:00402D8E mov 4b1018,eas
0167:00402D95 nop 改为

0167:00402D96 C60500104B0001 MOV BYTE [004B1000],01
0167:00402D9D EB01 JMP SHORT 00402DA0
0167:00402D9F EC IN AL,DX
0167:00402DA0 8B8508FFFFFF MOV EAX,[EBP+FFFFFF08]改为：mov eax,1 补上一个NOP
0167:00402DA6 A304104B00 MOV [004B1004],EAX
0167:00402DAB EB01 JMP SHORT 00402DAE
0167:00402DAD 43 INC EBX
0167:00402DAE A0B4C64A00 MOV AL,[004AC6B4]
0167:00402DB3 50 PUSH EAX
0167:00402DB4 E898FAFFFF CALL 00402851
0167:00402DB9 898514FFFFFF MOV [EBP+FFFFFF14],EAX
0167:00402DBF EB01 JMP SHORT 00402DC2
0167:00402DC1 09E8 OR EAX,EBP
0167:00402DC3 28FA SUB DL,BH
0167:00402DC5 FF DB FF
0167:00402DC6 FF0F DEC DWORD [EDI]
0167:00402DC8 B7D8 MOV BH,D8
0167:00402DCA C1E310 SHL EBX,10
0167:00402DCD E81DFAFFFF CALL 004027EF
0167:00402DD2 0FB7C0 MOVZX EAX,AX
0167:00402DD5 0BD8 OR EBX,EAX
0167:00402DD7 899D0CFFFFFF MOV [EBP+FFFFFF0C],EBX
0167:00402DDD EB01 JMP SHORT 00402DE0
0167:00402DDF 09E8 OR EAX,EBP
0167:00402DE1 CC INT3
0167:00402DE2 FA CLI
0167:00402DE3 FF DB FF
0167:00402DE4 FF DB FF
0167:00402DE5 EB01 JMP SHORT 00402DE8
0167:00402DE7 34A0 XOR AL,A0
0167:00402DE9 B8C64A0050 MOV EAX,50004AC6
0167:00402DEE E85EFAFFFF CALL 00402851
0167:00402DF3 59 POP ECX
0167:00402DF4 898510FFFFFF MOV [EBP+FFFFFF10],EAX
0167:00402DFA 59 POP ECX
0167:00402DFB EB0B JMP SHORT 00402E08
0167:00402DFD 0B6769 OR ESP,[EDI+69]
0167:00402E00 03E9 ADD EBP,ECX
0167:00402E02 70C2 JO 00402DC6
0167:00402E04 AB STOSD
0167:00402E05 362632A118104B00 XOR AH,[ES:ECX+004B1018]
0167:00402E0D 898520FFFFFF MOV [EBP+FFFFFF20],EAX
0167:00402E13 EB01 JMP SHORT 00402E16
0167:00402E15 65EB01 JMP SHORT 00402E19
0167:00402E18 07 POP ES
0167:00402E19 8D45F4 LEA EAX,[EBP-0C]
0167:00402E1C 6A00 PUSH BYTE +00
0167:00402E1E 50 PUSH EAX
0167:00402E1F 8D458C LEA EAX,[EBP-74]
0167:00402E22 6A68 PUSH BYTE +68
0167:00402E24 50 PUSH EAX
0167:00402E25 8D8504FFFFFF LEA EAX,[EBP+FFFFFF04]
0167:00402E2B 57 PUSH EDI
0167:00402E2C 50 PUSH EAX
0167:00402E2D 6A01 PUSH BYTE +01

第二处：
0167:00402E32 FFD6 CALL ESI
0167:00402E34 FF75FC PUSH DWORD [EBP-04]
0167:00402E37 8BF0 MOV ESI,EAX
0167:00402E39 FF1548844800 CALL `KERNEL32!FindCloseChangeNotification`
0167:00402E3F EB0B JMP SHORT 00402E4C
0167:00402E41 0B2B OR EBP,[EBX]
0167:00402E43 C48D2D92948D LES ECX,[EBP+8D94922D]
0167:00402E49 195161 SBB [ECX+61],EDX
0167:00402E4C FF75F8 PUSH DWORD [EBP-08] 改为push 48
0167:00402E4F E856000000 CALL 00402EAA
0167:00402E54 59 POP ECX
0167:00402E55 EB01 JMP SHORT 00402E58
0167:00402E57 3285F6743C83 XOR AL,[EBP+833C74F6]
0167:00402E5D 7D8C JNL 00402DEB
0167:00402E5F 00753D ADD [EBP+3D],DH
0167:00402E62 8B7588 MOV ESI,[EBP-78]
0167:00402E65 85F6 TEST ESI,ESI
0167:00402E67 7503 JNZ 00402E6C
0167:00402E69 6A04 PUSH BYTE +04
0167:00402E6B 5E POP ESI
0167:00402E6C 33C9 XOR ECX,ECX
0167:00402E6E 85F6 TEST ESI,ESI
0167:00402E70 7E2D JNG 00402E9F
0167:00402E72 EB01 JMP SHORT 00402E75
0167:00402E74 008BC16A0499 ADD [EBX+99046AC1],CL
0167:00402E7A 5F POP EDI
0167:00402E7B F7FF IDIV EDI
0167:00402E7D 8A842A0CFFFFFF MOV AL,[EDX+EBP+FFFFFF0C]
0167:00402E84 8B15B0C64A00 MOV EDX,[004AC6B0]
0167:00402E8A 32442990 XOR AL,[ECX+EBP-70]
0167:00402E8E 880411 MOV [ECX+EDX],AL
0167:00402E91 41 INC ECX
0167:00402E92 3BCE CMP ECX,ESI
0167:00402E94 7CDC JL 00402E72 (JUMP)
0167:00402E96 EB07 JMP SHORT 00402E9F
0167:00402E98 C7458C08000000 MOV DWORD [EBP-74],08
0167:00402E9F EB01 JMP SHORT 00402EA2
0167:00402EA1 43 INC EBX
0167:00402EA2 8B458C MOV EAX,[EBP-74]
0167:00402EA5 5F POP EDI
0167:00402EA6 5E POP ESI
0167:00402EA7 5B POP EBX
0167:00402EA8 C9 LEAVE

改完后还是补能用，怎么问题。重新找到报错的地址：
:00419F02 68902A4800 push 00482A90
:00419F07 64A100000000 mov eax, dword ptr fs:[00000000]
:00419F0D 50 push eax
:00419F0E 64892500000000 mov dword ptr fs:[00000000], esp
:00419F15 83EC08 sub esp, 00000008
:00419F18 A1A89D4A00 mov eax, dword ptr [004A9DA8]
:00419F1D 56 push esi
:00419F1E 8BF1 mov esi, ecx更改为：mov esi,2321480
:00419F20 89442404 mov dword ptr [esp+04], eax
:00419F24 C744241400000000 mov [esp+14], 00000000
:00419F2C 89442408 mov dword ptr [esp+08], eax
:00419F30 A1BCC64A00 mov eax, dword ptr [004AC6BC]有狗时是0无狗为1
关键在这里，如何更改内存地址的值呢？
:00419F35 C644241401 mov [esp+14], 01
:00419F3A 85C0 test eax, eax
:00419F3C 744F je 00419F8D 关键跳转
:00419F3E 8B0DC0C64A00 mov ecx, dword ptr [004AC6C0]
:00419F44 85C9 test ecx, ecx
:00419F46 7545 jne 00419F8D
:00419F48 83F801 cmp eax, 00000001
:00419F4B 7507 jne 00419F54
反汇编，查找：mov dword ptr [004AC6BC] 发现有四处，其中两处分别给内存赋值1和2。
省下两个地址是有寄存器赋值。更改相应地址419ea3 和 419f92全部替换为NOP。
最后破解成功经验证可用。
从以上破解过成可能走了不少弯路，但是每次付出总是有收获的，请高手指教洗耳恭听。肚子饿了去吃饭了。再见各位。