Source insight 4.x大白补丁图文破解教程
本帖最后由 gagmeng 于 2017-2-17 08:22 编辑软件官网:
http://www.sourceinsight.com/
破解过程:
1、 IDA加载sourceinsight4.exe,shift+F12查找所有字符串,并搜索字符串“BEGIN PUBLIC KEY”,定位到pszString
2、 右键Jump to xref to operand,点击OK定位到int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)
3、sub_507B70汇编代码以及使用F5反编译成的C代码如下所示。
; NOTE(review): this listing was pasted through a forum renderer that swallowed the
; bracketed memory operands (the "[esp+...]" parts), which is why lines such as
; "lea eax," and "mov ecx," look truncated. The opcode bytes on the left are intact.
; The decompiled C version of the same routine further down the page is easier to read.
.text:00507B70 ; =============== S U B R O U T I N E =======================================
.text:00507B70
.text:00507B70
.text:00507B70 ; int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)
.text:00507B70 sub_507B70 proc near ; CODE XREF: sub_508790+108p
.text:00507B70
.text:00507B70 hHash = dword ptr -818h
.text:00507B70 phProv = dword ptr -814h
.text:00507B70 pvStructInfo = dword ptr -810h
.text:00507B70 phKey = dword ptr -80Ch
.text:00507B70 pcbBinary = dword ptr -808h
.text:00507B70 pcbStructInfo = dword ptr -804h
.text:00507B70 pbBinary = byte ptr -800h ; 0x800-byte stack buffer for the decoded key (pcbBinary is set to 800h below)
.text:00507B70 pbData = dword ptr4
.text:00507B70 dwDataLen = dword ptr8
.text:00507B70 pbSignature = dword ptr0Ch
.text:00507B70 dwSigLen = dword ptr10h
.text:00507B70
.text:00507B70 81 EC 18 08 00 00 sub esp, 818h
.text:00507B76 6A 00 push 0 ; pdwFlags
.text:00507B78 6A 00 push 0 ; pdwSkip
.text:00507B7A 8D 44 24 18 lea eax,
.text:00507B7E 50 push eax ; pcbBinary
.text:00507B7F 8D 4C 24 24 lea ecx,
.text:00507B83 51 push ecx ; pbBinary
.text:00507B84 6A 00 push 0 ; dwFlags
.text:00507B86 6A 00 push 0 ; cchString
.text:00507B88 68 50 42 63 00 push offset pszString ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...
.text:00507B8D C7 44 24 1C 00 00 00 00 mov , 0
.text:00507B95 C7 44 24 28 00 00 00 00 mov , 0
.text:00507B9D C7 44 24 2C 00 08 00 00 mov , 800h
.text:00507BA5 C7 44 24 20 00 00 00 00 mov , 0
.text:00507BAD FF 15 A8 20 5C 00 call ds:CryptStringToBinaryA
.text:00507BB3 85 C0 test eax, eax
.text:00507BB5 75 0C jnz short loc_507BC3
.text:00507BB7
.text:00507BB7 loc_507BB7: ; CODE XREF: sub_507B70+7Aj
.text:00507BB7 B8 D8 01 00 00 mov eax, 1D8h ; 472: PEM or ASN.1 decode of the embedded public key failed
.text:00507BBC 81 C4 18 08 00 00 add esp, 818h
.text:00507BC2 C3 retn
.text:00507BC3 ; ---------------------------------------------------------------------------
.text:00507BC3
.text:00507BC3 loc_507BC3: ; CODE XREF: sub_507B70+45j
.text:00507BC3 8B 4C 24 10 mov ecx,
.text:00507BC7 8D 54 24 14 lea edx,
.text:00507BCB 52 push edx ; pcbStructInfo
.text:00507BCC 8D 44 24 0C lea eax,
.text:00507BD0 50 push eax ; pvStructInfo
.text:00507BD1 6A 00 push 0 ; pDecodePara
.text:00507BD3 68 00 80 00 00 push 8000h ; dwFlags (CRYPT_DECODE_ALLOC_FLAG: output must be LocalFree'd)
.text:00507BD8 51 push ecx ; cbEncoded
.text:00507BD9 8D 54 24 2C lea edx,
.text:00507BDD 52 push edx ; pbEncoded
.text:00507BDE 6A 08 push 8 ; lpszStructType (X509_PUBLIC_KEY_INFO)
.text:00507BE0 6A 01 push 1 ; dwCertEncodingType (X509_ASN_ENCODING)
.text:00507BE2 FF 15 AC 20 5C 00 call ds:CryptDecodeObjectEx
.text:00507BE8 85 C0 test eax, eax
.text:00507BEA 74 CB jz short loc_507BB7
.text:00507BEC 68 00 00 00 F0 push 0F0000000h ; dwFlags (CRYPT_VERIFYCONTEXT)
.text:00507BF1 6A 01 push 1 ; dwProvType (PROV_RSA_FULL)
.text:00507BF3 6A 00 push 0 ; szProvider
.text:00507BF5 6A 00 push 0 ; szContainer
.text:00507BF7 8D 44 24 14 lea eax,
.text:00507BFB 50 push eax ; phProv
.text:00507BFC FF 15 28 20 5C 00 call ds:CryptAcquireContextW
.text:00507C02 85 C0 test eax, eax
.text:00507C04 75 0C jnz short loc_507C12
.text:00507C06 B8 D9 01 00 00 mov eax, 1D9h ; 473: CSP context not acquired; the decoded key blob is not freed on this path
.text:00507C0B 81 C4 18 08 00 00 add esp, 818h
.text:00507C11 C3 retn
.text:00507C12 ; ---------------------------------------------------------------------------
.text:00507C12
.text:00507C12 loc_507C12: ; CODE XREF: sub_507B70+94j
.text:00507C12 8B 54 24 08 mov edx,
.text:00507C16 8B 44 24 04 mov eax,
.text:00507C1A 8D 4C 24 0C lea ecx,
.text:00507C1E 51 push ecx ; phKey
.text:00507C1F 52 push edx ; pInfo
.text:00507C20 6A 01 push 1 ; dwCertEncodingType
.text:00507C22 50 push eax ; hCryptProv
.text:00507C23 FF 15 B8 20 5C 00 call ds:CryptImportPublicKeyInfo
.text:00507C29 85 C0 test eax, eax
.text:00507C2B 75 0C jnz short loc_507C39
.text:00507C2D
.text:00507C2D loc_507C2D: ; CODE XREF: sub_507B70+EEj
.text:00507C2D B8 DA 01 00 00 mov eax, 1DAh ; 474: key import or hash creation failed; phProv is not released on this path
.text:00507C32 81 C4 18 08 00 00 add esp, 818h
.text:00507C38 C3 retn
.text:00507C39 ; ---------------------------------------------------------------------------
.text:00507C39
.text:00507C39 loc_507C39: ; CODE XREF: sub_507B70+BBj
.text:00507C39 8B 4C 24 08 mov ecx,
.text:00507C3D 51 push ecx ; hMem
.text:00507C3E FF 15 8C 22 5C 00 call ds:LocalFree
; frees the CryptDecodeObjectEx output once the key is imported; note that no
; CryptDestroyKey call for phKey appears anywhere in this routine
.text:00507C44 8B 44 24 04 mov eax,
.text:00507C48 8D 14 24 lea edx,
.text:00507C4B 52 push edx ; phHash
.text:00507C4C 6A 00 push 0 ; dwFlags
.text:00507C4E 6A 00 push 0 ; hKey
.text:00507C50 68 04 80 00 00 push 8004h ; Algid (CALG_SHA1)
.text:00507C55 50 push eax ; hProv
.text:00507C56 FF 15 50 20 5C 00 call ds:CryptCreateHash
.text:00507C5C 85 C0 test eax, eax
.text:00507C5E 74 CD jz short loc_507C2D
.text:00507C60 8B 8C 24 20 08 00 00 mov ecx,
.text:00507C67 8B 94 24 1C 08 00 00 mov edx,
.text:00507C6E 8B 04 24 mov eax,
.text:00507C71 6A 00 push 0 ; dwFlags
.text:00507C73 51 push ecx ; dwDataLen
.text:00507C74 52 push edx ; pbData
.text:00507C75 50 push eax ; hHash
.text:00507C76 FF 15 48 20 5C 00 call ds:CryptHashData
.text:00507C7C 85 C0 test eax, eax
.text:00507C7E 75 0C jnz short loc_507C8C
.text:00507C80 B8 DB 01 00 00 mov eax, 1DBh ; 475: hashing failed; neither the hash nor the CSP context is released here
.text:00507C85 81 C4 18 08 00 00 add esp, 818h
.text:00507C8B C3 retn
.text:00507C8C ; ---------------------------------------------------------------------------
.text:00507C8C
.text:00507C8C loc_507C8C: ; CODE XREF: sub_507B70+10Ej
.text:00507C8C 8B 4C 24 0C mov ecx,
.text:00507C90 8B 94 24 28 08 00 00 mov edx,
.text:00507C97 8B 84 24 24 08 00 00 mov eax,
.text:00507C9E 56 push esi
.text:00507C9F 6A 00 push 0 ; dwFlags
.text:00507CA1 6A 00 push 0 ; szDescription
.text:00507CA3 51 push ecx ; hPubKey
.text:00507CA4 8B 4C 24 10 mov ecx,
.text:00507CA8 52 push edx ; dwSigLen
.text:00507CA9 50 push eax ; pbSignature
.text:00507CAA 51 push ecx ; hHash
.text:00507CAB FF 15 44 20 5C 00 call ds:CryptVerifySignatureW
.text:00507CB1 8B 54 24 04 mov edx,
.text:00507CB5 52 push edx ; hHash
.text:00507CB6 8B F0 mov esi, eax
.text:00507CB8 FF 15 40 20 5C 00 call ds:CryptDestroyHash
.text:00507CBE 8B 44 24 08 mov eax,
.text:00507CC2 6A 00 push 0 ; dwFlags
.text:00507CC4 50 push eax ; hProv
.text:00507CC5 FF 15 3C 20 5C 00 call ds:CryptReleaseContext
.text:00507CCB F7 DE neg esi
.text:00507CCD 1B C0 sbb eax, eax
.text:00507CCF 25 FA FE FF FF and eax, 0FFFFFEFAh
.text:00507CD4 05 CE 01 00 00 add eax, 1CEh
.text:00507CD9 5E pop esi
.text:00507CDA 81 C4 18 08 00 00 add esp, 818h
.text:00507CE0 C3 retn
.text:00507CE0 sub_507B70 endp
.text:00507CE0
/*
 * sub_507B70 (IDA decompiler output, kept line-for-line with the listing above):
 * verifies the signature pbSignature over the dwDataLen bytes at pbData.
 *
 * Steps visible in the code: decode the PEM public key in pszString
 * (CryptStringToBinaryA, then CryptDecodeObjectEx), import it into a
 * verify-only RSA CSP context, hash pbData and run CryptVerifySignatureW.
 *
 * CryptoAPI constants as passed: encoding 1 = X509_ASN_ENCODING,
 * struct type 8 = X509_PUBLIC_KEY_INFO, 0x8000 = CRYPT_DECODE_ALLOC_FLAG
 * (the decoded blob must be LocalFree'd), provider type 1 = PROV_RSA_FULL,
 * 0xF0000000 = CRYPT_VERIFYCONTEXT, ALG_ID 0x8004 = CALG_SHA1.
 *
 * Returns 200 when the signature verifies and 462 when it does not;
 * 472, 473, 474 and 475 report which CryptoAPI call failed (see the
 * assignments below).
 *
 * Resource handling (review): handles are released only on the path
 * where every call succeeds. The failure paths leak the CSP context,
 * the decoded key blob and/or the hash object, and phKey is never
 * passed to CryptDestroyKey on any path.
 */
int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)
{
int result; // eax@2
BOOL v5; // esi@11
HCRYPTHASH hHash; // @1
HCRYPTPROV phProv; // @1
struct _CERT_PUBLIC_KEY_INFO *pvStructInfo; // @3
HCRYPTKEY phKey; // @1
DWORD pcbBinary; // @1
DWORD pcbStructInfo; // @3
BYTE pbBinary; // @1  (decompiler artifact: the listing shows a 0x800-byte stack buffer, "pbBinary = byte ptr -800h", matching pcbBinary = 2048)
hHash = 0;
phKey = 0;
pcbBinary = 2048;
phProv = 0;
/* 472 if either decode step fails; nothing has been allocated yet on that path */
if ( CryptStringToBinaryA(pszString, 0, 0, &pbBinary, &pcbBinary, 0, 0)
&& CryptDecodeObjectEx(1u, (LPCSTR)8, &pbBinary, pcbBinary, 0x8000u, 0, &pvStructInfo, &pcbStructInfo) )
{
/* 473 if no CSP context; pvStructInfo (LocalAlloc'd by the decoder) is not freed on that path */
if ( CryptAcquireContextW(&phProv, 0, 0, 1u, 0xF0000000) )
{
/* the decoded blob is freed as soon as the import succeeds (comma expression);
 * if the import fails it leaks together with phProv, and if CryptCreateHash
 * fails phProv is not released either -> 474 in both cases */
if ( CryptImportPublicKeyInfo(phProv, 1u, pvStructInfo, &phKey)
&& (LocalFree(pvStructInfo), CryptCreateHash(phProv, 0x8004u, 0, 0, &hHash)) )
{
/* 475 if hashing fails; hHash and phProv are not released on that path */
if ( CryptHashData(hHash, pbData, dwDataLen, 0) )
{
v5 = CryptVerifySignatureW(hHash, pbSignature, dwSigLen, phKey, 0, 0);
/* only path that destroys the hash and releases the context; phKey is still not destroyed */
CryptDestroyHash(hHash);
CryptReleaseContext(phProv, 0);
result = v5 != 0 ? 200 : 462; /* 200 = signature verified, 462 = signature mismatch */
}
else
{
result = 475;
}
}
else
{
result = 474;
}
}
else
{
result = 473;
}
}
else
{
result = 472;
}
return result;
}
4、因此只需将result = v5 != 0 ? 200 : 462;修改为result = v5 != 0 ? 462 : 200即可破解;或者CryptVerifySignatureW返回值为true亦可破解。
v5 != 0 ? 200 : 462部分对应的汇编代码为:
.text:00507CCB F7 DE neg esi
.text:00507CCD 1B C0 sbb eax, eax
.text:00507CCF 25 FA FE FF FF and eax, 0FFFFFEFAh
.text:00507CD4 05 CE 01 00 00 add eax, 1CEh
.text:00507CD9 5E pop esi
.text:00507CDA 81 C4 18 08 00 00 add esp, 818h
.text:00507CE0 C3 retn
可参考http://www.cnblogs.com/awpatp/archive/2009/11/06/1597488.html的解释进行爆破
5、使用神器大白进行补丁,只需在特征码定位到neg esi处,使esi的值为true,大白设置界面如下:
6、大白补丁文件和授权文件如下,授权文件中的内容可自行修改,感谢MistHill大神分享的授权文件。