Sentinel superpro是加密强度很高的产品,如果用得好,在没有狗的的情况解它几乎是没有可能,这次解它是带狗来破它的(
真的狗小弟买不起,只好用人家的模拟狗,用模拟狗来破小弟是头一回,呵呵),小弟旨在通过本文,让各位朋友了解SUPERPRO
的加密算法和在带狗的情况下破解软件。
工具:
Trw2000
Hview
IDA(w32dasm在反汇编大文件时会死掉,不知哪位朋友有什么好的方法解决)
好,我们用最常见的方法中断程式:bpio
378,中断后返回到主程序,而且我们知道狗驱动是sx32w.dll:
.text:00951A32
push offset unk_B99568
.text:00951A37
call RNBOsproFormatPacket
<=====初始化狗数据
.text:00951A3C
movzx eax, ax
.text:00951A3F
test eax, eax
.text:00951A41
jz short loc_951A49
.text:00951A43 xor
eax, eax
.text:00951A45
add esp, 4
.text:00951A48
retn
.text:00951A49 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A49
.text:00951A49 loc_951A49:
; CODE XREF:
sub_951A10+31j
.text:00951A49
push offset unk_B99568
.text:00951A4E
call RNBOsproInitialize
<=====初始化函数
.text:00951A53
movzx eax, ax <=====返回到这里
.text:00951A56
test eax, eax
.text:00951A58 jz
short loc_951A60
.text:00951A5A
xor eax, eax
.text:00951A5C
add esp, 4
.text:00951A5F retn
.text:00951A60 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A60
.text:00951A60 loc_951A60:
; CODE XREF: sub_951A10+48j
.text:00951A60
push 0A9ACh
.text:00951A65 push
offset unk_B99568
.text:00951A6A
call RNBOsproFindFirstUnit <=====查找狗,如果有则返回0
.text:00951A6F movzx
eax, ax <=====这里可以改为xor
eax,eax nop
.text:00951A72
test eax, eax
.text:00951A74
jz short loc_951A7C
.text:00951A76 xor
eax, eax
.text:00951A78
add esp, 4
.text:00951A7B
retn
.text:00951A7C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951A7C
.text:00951A7C loc_951A7C:
; CODE XREF:
sub_951A10+64j
.text:00951A7C
; sub_951A10+95j
.text:00951A7C
push offset unk_B99568
.text:00951A81
call sub_951AC0
<=====F8进入---------------------1
.text:00951A86
add esp, 4
.text:00951A89
test eax, eax
.text:00951A8B
jz short loc_951A96
.text:00951A8D
call sub_951B20
<=====F8进入---------------------2
.text:00951A92
test eax, eax
.text:00951A94
jnz short loc_951AAD
进入1处的CALL:
.text:00951AC0
mov eax, [esp+arg_0]
.text:00951AC4
push eax
.text:00951AC5
call sub_951AE0
<=====F8进入
.text:00951ACA
add esp, 4
.text:00951ACD
sub eax, 4
.text:00951AD0
cmp eax, 1
.text:00951AD3 sbb
eax, eax
.text:00951AD5
neg eax
.text:00951AD7
retn
.text:00951AD7 sub_951AC0 endp
.text:00951AD7
.text:00951AD7 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951AD8
align 10h
.text:00951AE0
.text:00951AE0 ; 圹圹圹圹圹圹圹?S U B R O U
T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹?
.text:00951AE0
.text:00951AE0
.text:00951AE0
sub_951AE0 proc near
; CODE XREF: sub_951AC0+5p
.text:00951AE0
.text:00951AE0 var_E
= dword ptr -0Eh
.text:00951AE0 var_2
= byte ptr -2
.text:00951AE0 arg_0
= dword ptr 4
.text:00951AE0
.text:00951AE0
mov eax, [esp+arg_0]
.text:00951AE4 sub
esp, 4
.text:00951AE7
test eax, eax
.text:00951AE9
jnz short loc_951AF1
.text:00951AEB
xor eax, eax
.text:00951AED add
esp, 4
.text:00951AF0
retn
.text:00951AF1 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951AF1
.text:00951AF1 loc_951AF1:
; CODE XREF: sub_951AE0+9j
.text:00951AF1 lea
ecx, [esp+4+var_2]
.text:00951AF5
push ecx
.text:00951AF6
push 8
.text:00951AF8
push eax
.text:00951AF9
call RNBOsproRead
<=====读狗,如果正确,ax=0,[151FC3A]=4
.text:00951AFE
movzx eax, ax
<=====改为PUSH 0 POP EAX
.text:00951B01
test eax, eax
.text:00951B03
jz short
loc_951B0B
.text:00951B05
xor eax, eax
.text:00951B07
add esp, 4
.text:00951B0A
retn
.text:00951B0B ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951B0B
.text:00951B0B loc_951B0B:
; CODE XREF:
sub_951AE0+23j
.text:00951B0B
mov eax, [esp+10h+var_E]
.text:00951B0F
add esp, 4
.text:00951B12 and
eax, 0FFFFh <=====改mov eax,4
.text:00951B17
retn
进入2处的CALL:
.text:00951B2C push
esi
.text:00951B2D
push edi
.text:00951B2E
push 10h
.text:00951B30
push eax
.text:00951B31
push ecx
.text:00951B32
push offset unk_B84C90
.text:00951B37 push
10h
.text:00951B39
push offset unk_B99568
.text:00951B3E
call RNBOsproQuery
<=====查询加密狗中的数据,如果成功则AX返回0
.text:00951B43
movzx ecx, ax <=====改push
0 pop eax
.text:00951B46
test ecx, ecx
.text:00951B48
jz short loc_951B53
.text:00951B4A
xor eax, eax
.text:00951B4C pop
edi
.text:00951B4D
pop esi
.text:00951B4E
pop ebx
.text:00951B4F
add esp, 14h
.text:00951B52
retn
.text:00951B53 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951B53
.text:00951B53 loc_951B53:
; CODE XREF:
sub_951B20+28j
.text:00951B53
xor eax, eax
.text:00951B55
.text:00951B55 loc_951B55:
; CODE XREF: sub_951B20+47j
.text:00951B55
mov ecx, dword ptr unk_B84CA0[eax]
.text:00951B5B cmp
[esp+eax+38h+var_28], ecx <=====比较查询结果
.text:00951B5F
jnz short loc_951BD4
<=====不相等就跳,改为NOP NOP
.text:00951B61
add eax, 4
.text:00951B64
cmp eax, 10h
.text:00951B67
jl short loc_951B55
.text:00951B69 xor
esi, esi
.text:00951B6B
call _rand
.text:00951B70
mov edi, eax
.text:00951B72
xor ebx, ebx
.text:00951B74
.text:00951B74 loc_951B74:
; CODE XREF: sub_951B20+76j
.text:00951B74 lea
eax, [edi+esi]
.text:00951B77
inc esi
.text:00951B78
cdq
.text:00951B79
xor eax, edx
.text:00951B7B
sub eax, edx
.text:00951B7D and
eax, 0Fh
.text:00951B80
xor eax, edx
.text:00951B82
sub eax, edx
.text:00951B84
shl eax, 2
.text:00951B87 mov
dword_B84CB0[eax], ebx
.text:00951B8D
call ds:off_B07B28[eax]
.text:00951B93
cmp esi, 10h
.text:00951B96 jl
short loc_951B74
.text:00951B98
mov eax, dword_B84CF0
.text:00951B9D
push eax
.text:00951B9E
push 10h
.text:00951BA0
push offset unk_B99568
.text:00951BA5 call
sub_951120
<=====F8进入
.text:00951BAA
mov [esp+44h+var_2C], eax
.text:00951BAE
add esp, 0Ch
.text:00951BB1 mov
eax, dword_B84CF4
.text:00951BB6
xor [esp+38h+var_2C], eax
.text:00951BBA
mov eax, [esp+38h+var_2C]
.text:00951BBE and
eax, 0Fh
.text:00951BC1
cmp dword_B84CB0[eax*4], 0 <=====比较标志
.text:00951BC9 jnz
short loc_951BDD <=====不相等就跳,改为JMPS
short loc_951BDD
.text:00951BCB
xor eax, eax
.text:00951BCD
pop edi
.text:00951BCE
pop esi
.text:00951BCF
pop ebx
.text:00951BD0
add esp, 14h
.text:00951BD3 retn
进入951BA5的CALL:
.text:00951120
mov ecx, [esp+arg_0]
.text:00951124
sub esp, 8
.text:00951127 test
ecx, ecx
.text:00951129
jnz short loc_951133
.text:0095112B
mov eax, [esp+8+arg_8]
.text:0095112F
add esp, 8
.text:00951132 retn
.text:00951133 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00951133
.text:00951133 loc_951133:
; CODE XREF: sub_951120+9j
.text:00951133
lea eax, [esp+8+var_4]
.text:00951137 push
4
.text:00951139
lea edx, [esp+0Ch+var_8]
.text:0095113D
push eax
.text:0095113E
lea eax, [esp+10h+arg_8]
.text:00951142 push
edx
.text:00951143
mov edx, [esp+14h+arg_4]
.text:00951147
push eax
.text:00951148
push edx
.text:00951149
push ecx
.text:0095114A
call RNBOsproQuery
<=====查询加密狗中的数据,如果成功则AX返回0
.text:0095114F
movzx ecx, ax
<=====改push 0 pop eax
.text:00951152
test ecx, ecx
.text:00951154
jz short
loc_95115E
.text:00951156
mov eax, [esp+20h+var_C]
.text:0095115A
add esp, 8
.text:0095115D
retn
.text:0095115E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0095115E
.text:0095115E loc_95115E:
; CODE XREF:
sub_951120+34j
.text:0095115E
mov eax, [esp+20h+var_20]
.text:00951162
add esp, 8
.text:00951165
retn
下面的部份是关键的部份:
.text:00951BDD loc_951BDD:
; CODE XREF: sub_951B20+A9j
.text:00951BDD mov
eax, dword_B84CF8
.text:00951BE2
push eax
.text:00951BE3
push 10h
.text:00951BE5
push offset unk_B99568
.text:00951BEA call
sub_951120
.text:00951BEF
mov [esp+44h+var_2C], eax
.text:00951BF3
add esp, 0Ch
.text:00951BF6 mov
eax, dword_B84CFC
.text:00951BFB
xor [esp+38h+var_2C], eax
.text:00951BFF
mov eax, dword_B84D00
.text:00951C04 mov
esi, [esp+38h+var_2C]
.text:00951C08
push eax
.text:00951C09
add esi, dword_B9996C
<=====改为mov esi,00951940 NOP
.text:00951C0F
push 12h
.text:00951C11
push offset unk_B99568
.text:00951C16 call
sub_951120
.text:00951C1B
mov [esp+44h+var_2C], eax
.text:00951C1F
add esp, 0Ch
.text:00951C22 mov
eax, dword_B84D04
.text:00951C27
xor [esp+38h+var_2C], eax
.text:00951C2B
mov ecx, [esp+38h+var_2C]
.text:00951C2F push
ecx
.text:00951C30
call esi <=====这个地方就是主程序的入口,通过分析,如果没有狗,这个地址是
错误的,程序会死掉,也就是说,程序必须用到加密狗的数据来算出入口地址,所以如果没有狗,就没办法知道入口地址,除非你的反
推能力很好,就可以反推出它的入口地址.通过带狗运行,可知入口地址是00951940.所以我们要让ESI的数值为00951940
.text:00951C32
add esp, 4
.text:00951C35 pop
edi
.text:00951C36
pop esi
.text:00951C37
pop ebx
.text:00951C38
add esp, 14h
.text:00951C3B
retn
单步进入00951C30处的CALL:
.text:009519BB
mov ecx, dword_B8EAD8
.text:009519C1
shr ecx, 10h
.text:009519C4
push eax
.text:009519C5
or edx, ecx
.text:009519C7 lea
ecx, ds:0[esi*2]
.text:009519CE
inc ecx
<=====改为mov esi,0E4DBF5F6
.text:009519CF
imul edx, ecx <=====
.text:009519D2 add
esi, edx <=====
.text:009519D4
cmp esi, 0E4DBF5F6h
.text:009519DA jnz
short loc_9519E8
.text:009519DC
call sub_4493B0 <=====F8进入
.text:009519E1 add
esp, 4
.text:009519E4
pop edi
.text:009519E5
pop esi
.text:009519E6
pop ebx
.text:009519E7
retn
单步进入009519DC处的CALL:
.text:004493B0
push ebp
.text:004493B1
mov ebp, esp
.text:004493B3
push ecx
.text:004493B4
mov eax, [ebp+arg_0]
.text:004493B7 cmp
eax, dword_B8EAE0
.text:004493BD
jz short loc_4493C3 <=====改为JMPS
004493C3
.text:004493BF
xor eax, eax
.text:004493C1
jmp short loc_4493DD
至此全部的修改已完成,主程序可以在没有真狗和假狗的条件下运行了,但通过我测试,只能在windows98下运行,在win2000下不能
运行,小弟没有winice405 for NT版本,没办法破解出win2000的程序了.
通过这次破解,让我们清楚不是所有的狗都可以在无狗的情况下破掉,如果程序用狗里面的数据来运算的话,没有狗是没有办法破
解它的.
如果有什么错误的地方,欢迎各位大虾指正.
写完这一篇之后,小弟要休息一段时间了,希望下次的文章是解HASP的加密狗,那要看小弟的学习进度如何了.
- 标 题:方正飞腾3.1加密狗破解过程-----浅谈Sentinel Super Pro的加密算法 (14千字)
- 作 者:crackjack
- 时 间:2001-10-14
16:15:45
- 链 接:http://bbs.pediy.com