Notes:
1. The code in this article was typed in by hand in OllyDbg and then saved.
2. The file-operation API functions involved:
Opening a file:
GENERIC_READ = &H80000000
GENERIC_WRITE = &H40000000
OPEN_ALWAYS = 4  create the file if it does not exist
OPEN_EXISTING = 3  the file must already exist
FILE_ATTRIBUTE_NORMAL = &H80  default file attributes
hFile = CreateFile(filename, GENERIC_READ + GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
Moving the file pointer:
lDistanceToMove: low 32 bits of the distance to move
lpDistanceToMoveHigh: pointer to the high 32 bits of the distance to move (normally 0, i.e. NULL)
FILE_BEGIN = 0  move relative to the start of the file
FILE_CURRENT = 1  move relative to the current position
FILE_END = 2  move relative to the end of the file
SetFilePointer(hFile, lDistanceToMove, lpDistanceToMoveHigh, FILE_BEGIN)
current position = SetFilePointer(hFile, 0, NULL, FILE_CURRENT)
Reading and writing a file:
lpBuffer: address of the buffer
nNumberOfBytes: number of bytes in the buffer
lpnNumberBytesOfOk: address of the variable that receives the number of bytes actually transferred
WriteFile(hFile, lpBuffer, nNumberOfBytes, lpnNumberBytesOfOk, NULL)
ReadFile(hFile, lpBuffer, nNumberOfBytes, lpnNumberBytesOfOk, NULL)
ReadFile returns 0 on failure and non-zero on success.
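The open / measure / seek / read-16-bytes sequence described above, as an added example that is not code from the original article: Python's portable file object stands in for CreateFile, SetFilePointer and ReadFile, and the whence values 0, 1, 2 are the same numbers as FILE_BEGIN, FILE_CURRENT and FILE_END. The sample file it reads is constructed inside demo(). The check it adds that the text only implies is on the bytes-read count: ReadFile reports success even when a read near end-of-file returns fewer bytes than requested, so a caller that compares a full 16-byte record must look at lpnNumberBytesOfOk rather than the return value alone.

```python
"""Constructed example: CreateFile / SetFilePointer / ReadFile pattern
re-enacted with Python's file object (not code from the original post)."""
import os
import tempfile

RECORD_LEN = 16                          # one 16-byte record per read
FILE_BEGIN, FILE_CURRENT, FILE_END = 0, 1, 2   # same values as the Win32 constants


def file_length(fh):
    """SetFilePointer(h, 0, NULL, FILE_END): the position that comes back is
    the file length.  The original position is restored afterwards."""
    saved = fh.seek(0, FILE_CURRENT)
    length = fh.seek(0, FILE_END)
    fh.seek(saved, FILE_BEGIN)
    return length


def read_record(fh, offset, length=RECORD_LEN):
    """SetFilePointer(h, offset, NULL, FILE_BEGIN) then
    ReadFile(h, buf, length, &got, NULL).  Returns (data, got): `got` is the
    value ReadFile stores through lpnNumberBytesOfOk, and the caller must
    check it, because a read near end-of-file returns fewer bytes than
    requested while still reporting success."""
    fh.seek(offset, FILE_BEGIN)
    data = fh.read(length)
    return data, len(data)


def scan_for_record(path, wanted):
    """Try every byte offset in the file and return the first offset at which
    a full 16-byte record equals `wanted`, or None.  A short read is never
    compared: once fewer than 16 bytes remain no full record can follow."""
    with open(path, "rb") as fh:
        total = file_length(fh)
        for offset in range(total):
            data, got = read_record(fh, offset)
            if got < RECORD_LEN:
                break
            if data == wanted:
                return offset
    return None


def demo():
    """Constructed sample file: 7 filler bytes, one 16-byte record, 4 trailing
    bytes.  Returns (file length, offset where the record was found, result
    of searching for a record that is not present)."""
    record = bytes(range(0x10, 0x20))
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"garbage" + record + b"tail")
        with open(path, "rb") as fh:
            total = file_length(fh)
        found = scan_for_record(path, record)
        missing = scan_for_record(path, b"\x00" * RECORD_LEN)
    finally:
        os.unlink(path)
    return total, found, missing


if __name__ == "__main__":
    print(demo())  # (27, 7, None)
```

The length is obtained the way the text does it, by seeking to FILE_END with a distance of 0 and taking the returned position; the search then rewinds with FILE_BEGIN before every read instead of relying on the pointer advancing, which is why the loop can step one byte at a time.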
3. What the patch does:
a. Adds file read/write code to the program being cracked.
b. Can crack protection keyed to several hardware card numbers or to a single card number.
c. This article also adds a re-encryption step to the cracked program.
4. Buffer layout:
1001da00: hardware number buffer (single channel)
1001dac0: hardware number buffer (four channels)
1001de00: registration file name
1001de10: registration file handle
1001de14: registration file length
1001de18: registration file pointer
1001de1c: channel number
1001de20: buffer receiving the actual length returned by the registration file read
1001de24: counter
1001de50: buffer for the 16-byte serial number read from the registration file
1001de70: buffer for the serial number computed from the hardware number
5. I am honestly too lazy; that I wrote this much is already pretty good, so brothers who find this annoying, please don't blame me!
The crack code itself (reached by a jump from 100025d0):
;---------------------------------------------------------------------------------------
1001D7F8 60 PUSHAD ; push all registers
1001D7F9 6A 00 PUSH 0
1001D7FB 68 80000000 PUSH 80
1001D800 6A 03 PUSH 3
1001D802 6A 00 PUSH 0
1001D804 6A 01 PUSH 1
1001D806 68 00000080 PUSH 80000000
1001D80B 68 00DE0110 PUSH tmSDK.1001DE00
1001D810 FF15 64E20110 CALL DWORD PTR DS:[<&KERNEL32.CreateFile> KERNEL32.CreateFileA ; open the registration file
1001D816 83F8 00 CMP EAX,0
1001D819 0F8E 1A010000 JLE tmSDK.1001D939
1001D81F A3 10DE0110 MOV DWORD PTR DS:[1001DE10],EAX
1001D824 6A 02 PUSH 2
1001D826 6A 00 PUSH 0
1001D828 6A 00 PUSH 0
1001D82A FF35 10DE0110 PUSH DWORD PTR DS:[1001DE10]
1001D830 FF15 68E20110 CALL DWORD PTR DS:[<&KERNEL32.SetFilePoi>; KERNEL32.SetFilePointer  get the file length
1001D836 83F8 00 CMP EAX,0
1001D839 0F8C EE000000 JL tmSDK.1001D92D
1001D83F 90 NOP
1001D840 A3 14DE0110 MOV DWORD PTR DS:[1001DE14],EAX
1001D845 33C9 XOR ECX,ECX
1001D847 890D 18DE0110 MOV DWORD PTR DS:[1001DE18],ECX
1001D84D 6A 00 PUSH 0
1001D84F 6A 00 PUSH 0
1001D851 FF35 18DE0110 PUSH DWORD PTR DS:[1001DE18]
1001D857 FF35 10DE0110 PUSH DWORD PTR DS:[1001DE10]
1001D85D FF15 68E20110 CALL DWORD PTR DS:[<&KERNEL32.SetFilePoi>; KERNEL32.SetFilePointer  move the file pointer
1001D863 83F8 00 CMP EAX,0
1001D866 0F8C C1000000 JL tmSDK.1001D92D
1001D86C 90 NOP
1001D86D 90 NOP
1001D86E 90 NOP
1001D86F 90 NOP
1001D870 6A 00 PUSH 0
1001D872 68 20DE0110 PUSH tmSDK.1001DE20
1001D877 6A 10 PUSH 10
1001D879 68 50DE0110 PUSH tmSDK.1001DE50
1001D87E FF35 10DE0110 PUSH DWORD PTR DS:[1001DE10]
1001D884 FF15 D8E00110 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] KERNEL32.ReadFile ; read 16 bytes from the file
1001D88A 85C0 TEST EAX,EAX
1001D88C 0F84 97000000 JE tmSDK.1001D929
1001D892 C705 24DE0110 MOV DWORD PTR DS:[1001DE24],0
1001D89C 90 NOP
;----------- derive the serial number from the hardware number (a simple table-lookup re-encryption routine) -----------
1001D89D 8B5C24 5C MOV EBX,DWORD PTR SS:[ESP+5C] ; fetch the hardware number
1001D8A1 86DF XCHG BH,BL
1001D8A3 C1C3 10 ROL EBX,10
1001D8A6 86DF XCHG BH,BL
1001D8A8 33C0 XOR EAX,EAX
1001D8AA 8AC3 MOV AL,BL
1001D8AC 8DB0 F0DC0110 LEA ESI,DWORD PTR DS:[EAX+1001DCF0]
1001D8B2 A1 24DE0110 MOV EAX,DWORD PTR DS:[1001DE24]
1001D8B7 3E:8D3C85 70DE0>LEA EDI,DWORD PTR DS:[EAX*4+1001DE70]
1001D8BF B9 04000000 MOV ECX,4
1001D8C4 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
1001D8C6 8B0D 24DE0110 MOV ECX,DWORD PTR DS:[1001DE24]
1001D8CC 41 INC ECX
1001D8CD 890D 24DE0110 MOV DWORD PTR DS:[1001DE24],ECX
1001D8D3 C1CB 08 ROR EBX,8
1001D8D6 83F9 04 CMP ECX,4
1001D8D9 ^ 75 CD JNZ SHORT tmSDK.1001D8A8
;---------------------------------------------------------------------------------
1001D8DB 8D35 70DE0110 LEA ESI,DWORD PTR DS:[1001DE70]
1001D8E1 8D3D 50DE0110 LEA EDI,DWORD PTR DS:[1001DE50]
1001D8E7 A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI] ; compare the serial number read from the file with the computed one
1001D8E8 74 18 JE SHORT tmSDK.1001D902
1001D8EA 90 NOP
1001D8EB 90 NOP
1001D8EC 90 NOP
1001D8ED 8B0D 18DE0110 MOV ECX,DWORD PTR DS:[1001DE18]
1001D8F3 41 INC ECX
1001D8F4 3B0D 14DE0110 CMP ECX,DWORD PTR DS:[1001DE14]
1001D8FA ^ 0F8C 47FFFFFF JL tmSDK.1001D847 ; loop over the registration file so the whole file is searched
1001D900 EB 2B JMP SHORT tmSDK.1001D92D
;------------------- code executed when the serial number matches ----------------------------------
1001D902 A1 1CDE0110 MOV EAX,DWORD PTR DS:[1001DE1C]
1001D907 BE 90DE0110 MOV ESI,tmSDK.1001DE90
1001D90C 90 NOP
1001D90D 8D3486 LEA ESI,DWORD PTR DS:[ESI+EAX*4]
1001D910 33C0 XOR EAX,EAX
1001D912 8A4424 28 MOV AL,BYTE PTR SS:[ESP+28]
1001D916 2C 10 SUB AL,10
1001D918 BB 0C000000 MOV EBX,0C
1001D91D F6EB IMUL BL
1001D91F 8D3430 LEA ESI,DWORD PTR DS:[EAX+ESI]
1001D922 8D7C24 28 LEA EDI,DWORD PTR SS:[ESP+28]
1001D926 B9 04000000 MOV ECX,4
1001D92B F3:A4 REP MOVSB
;-------------------------------------------------------------------------
1001D92D FF35 10DE0110 PUSH DWORD PTR DS:[1001DE10]
1001D933 FF15 58E20110 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; KERNEL32.CloseHandle  close the file
1001D939 61 POPAD
;---------- replay the original instructions that were overwritten at 100025d0 -----------------------------------
1001D93A 33C0 XOR EAX,EAX
1001D93C 83C4 18 ADD ESP,18
;-------------------------------------------------------------------------
1001D93F ^ E9 914CFEFF JMP tmSDK.100025D5 ; return to the instruction after the jump site
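From the integrity-checking side, a listing like the one above is also a detection signature: a hand-written code cave that opens a file with CreateFileA has a very recognisable prologue (PUSHAD followed straight away by the seven argument pushes). The following is an added example, not code from the original article, that scans a binary image for that prologue. The opcode bytes are taken from the listing at 1001D7F8 through 1001D815; the only bytes that would differ between patched builds, the file-name buffer address pushed at 1001D80B and the IAT slot used by the CALL at 1001D810, are wildcards. The image scanned by demo() is constructed here.

```python
"""Constructed detection example: wildcard byte-pattern scan for the patched
CreateFileA prologue shown in the listing (not code from the original post)."""

# None marks a wildcard byte.  Pushes are in reverse argument order, as the
# stdcall convention requires for CreateFileA.
CAVE_PROLOGUE = (
    (0x60,)                                 # PUSHAD
    + (0x6A, 0x00)                          # PUSH 0         hTemplateFile
    + (0x68, 0x80, 0x00, 0x00, 0x00)        # PUSH 80        FILE_ATTRIBUTE_NORMAL
    + (0x6A, 0x03)                          # PUSH 3         OPEN_EXISTING
    + (0x6A, 0x00)                          # PUSH 0         lpSecurityAttributes
    + (0x6A, 0x01)                          # PUSH 1         dwShareMode (FILE_SHARE_READ)
    + (0x68, 0x00, 0x00, 0x00, 0x80)        # PUSH 80000000  GENERIC_READ
    + (0x68, None, None, None, None)        # PUSH <file-name buffer address>
    + (0xFF, 0x15)                          # CALL DWORD PTR [<IAT slot>]
)


def find_pattern(blob, pattern):
    """Return every offset in blob at which pattern matches; a None entry
    in the pattern matches any byte."""
    plen = len(pattern)
    hits = []
    for off in range(len(blob) - plen + 1):
        if all(p is None or blob[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


def scan_for_cave(blob):
    """Offsets at which the patched CreateFileA prologue appears."""
    return find_pattern(blob, CAVE_PROLOGUE)


def demo():
    """Constructed image: NOP filler with the 30 listing bytes for
    1001D7F8..1001D815 (operands included) embedded at offset 0x100, plus a
    decoy at 0x40 that starts with PUSHAD but pushes a different argument
    sequence and therefore must not match."""
    patched = bytes.fromhex(
        "60 6A00 6880000000 6A03 6A00 6A01 6800000080"
        "68 00DE0110"          # PUSH tmSDK.1001DE00
        "FF15 64E20110"        # CALL DWORD PTR DS:[1001E264]
    )
    decoy = bytes.fromhex("60 6A00 6A03 6A00 61")
    image = bytearray(b"\x90" * 0x200)
    image[0x40:0x40 + len(decoy)] = decoy
    image[0x100:0x100 + len(patched)] = patched
    return scan_for_cave(bytes(image))


if __name__ == "__main__":
    print([hex(off) for off in demo()])  # ['0x100']
```

The wildcards are what make the pattern reusable: the constants pushed for CreateFileA are fixed by the API, while the two addresses depend on where the cave and the import table sit, so a scan keyed on the constants alone survives relocation of the patch. A legitimate CreateFileA call compiled into the module would normally not be preceded by PUSHAD, which is why that byte is kept in the pattern.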
Author: 天狐 clsznz@163.net http://www.thznz.net QQ:82769488