Program name: a domestic structural-design program (name withheld)
Author: 孤城 (寂静如风)  孤城 = 寂静如风 ^_^
Protection: Hasp--Hardlock
Tools used: OllyDBG 1.10, PEID, LordPE, ImportREC 1.6
I'll just outline the general approach!
Checked the packer with PEID: no dongle envelope, just a UPX pack. A simple unpack, the process isn't described.
00702C8A |. E8 B9A10500 CALL <JMP.&KERNEL32.OutputDebugStringA> ; \OutputDebugStringA
00702C8F |. 8D53 08 LEA EDX,DWORD PTR DS:[EBX+8]
00702C92 |. 52 PUSH EDX ; /Arg1
00702C93 |. E8 F8060000 CALL czr_ggg.00703390 ; \xxx.00703390 important CALL, go take a look
00702C98 |. 59 POP ECX
00702C99 |. 48 DEC EAX
00702C9A |. 75 1B JNZ SHORT czr_ggg.00702CB7
00702C9C |. C743 04 04000>MOV DWORD PTR DS:[EBX+4],4
00702CA3 |. 53 PUSH EBX ; /Arg1
00702CA4 |. E8 D7000000 CALL czr_ggg.00702D80 ; \xxx.00702D80 take a look here too
00702CA9 |. 59 POP ECX
00702CAA |. A3 48E99100 MOV DWORD PTR DS:[91E948],EAX
00702CAF |. B8 01000000 MOV EAX,1
00702CB4 |. 5B POP EBX
00702CB5 |. 5D POP EBP
00702CB6 |. C3 RETN
00702CB7 |> 68 70DD9000 PUSH czr_ggg.0090DD70
"
继续看
进入刚才的CALL
00703390 /$ 55 PUSH EBP
00703391 |. 8BEC MOV EBP,ESP
00703393 |. 53 PUSH EBX
00703394 |. 56 PUSH ESI
00703395 |. 57 PUSH EDI
00703396 |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
00703399 |. 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
0070339C 48 DEC EAX up to here it detects the dongle type
0070339D 75 0A JNZ SHORT czr_ggg.007033A9 if it jumps it's the network edition, make it the standalone edition, otherwise network verification
0070339F B8 01000000 MOV EAX,1
007033A4 |. E9 03010000 JMP czr_ggg.007034AC
007033A9 |> 53 PUSH EBX ; /Arg1
007033AA |. E8 75FEFFFF CALL czr_ggg.00703224 ; \xxx.00703224
007033AF |. 59 POP ECX
007033B0 |. 8D53 28 LEA EDX,DWORD PTR DS:[EBX+28]
007033B3 |. 52 PUSH EDX ; /Arg9
007033B4 |. 8D4B 24 LEA ECX,DWORD PTR DS:[EBX+24] ; |
007033B7 |. 51 PUSH ECX ; |Arg8
007033B8 |. 8D7B 20 LEA EDI,DWORD PTR DS:[EBX+20] ; |
007033BB |. 57 PUSH EDI ; |Arg7
007033BC |. 8D73 1C LEA ESI,DWORD PTR DS:[EBX+1C] ; |
007033BF |. 56 PUSH ESI ; |Arg6
007033C0 |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; |
007033C3 |. 50 PUSH EAX ; |Arg5
007033C4 |. 8B53 10 MOV EDX,DWORD PTR DS:[EBX+10] ; |
007033C7 |. 52 PUSH EDX ; |Arg4
007033C8 |. 8B4B 18 MOV ECX,DWORD PTR DS:[EBX+18] ; |
007033CB |. 51 PUSH ECX ; |Arg3
007033CC |. 6A 01 PUSH 1 ; |Arg2 = 00000001
007033CE |. 6A 01 PUSH 1 ; |Arg1 = 00000001
007033D0 |. E8 2F6A0500 CALL czr_ggg.00759E04 ; \xxx.00759E04
007033D5 |. 83C4 24 ADD ESP,24
007033D8 |. 8B43 1C MOV EAX,DWORD PTR DS:[EBX+1C]
007033DB |. 85C0 TEST EAX,EAX
007033DD |. 75 07 JNZ SHORT czr_ggg.007033E6
007033DF |. 33C0 XOR EAX,EAX
The code in between is omitted.
Keep looking down. Key part 1
00759E04 /$ 55 PUSH EBP
00759E05 |. 8BEC MOV EBP,ESP
00759E07 |. 83C4 EC ADD ESP,-14
00759E0A |. 53 PUSH EBX
00759E0B |. 56 PUSH ESI
00759E0C |. 57 PUSH EDI
00759E0D |. 8B45 20 MOV EAX,DWORD PTR SS:[EBP+20]
00759E10 |. 8B7D 18 MOV EDI,DWORD PTR SS:[EBP+18]
00759E13 |. 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
00759E16 |. 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
00759E19 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00759E1C |. 83FA 09 CMP EDX,9
00759E1F |. 74 22 JE SHORT czr_ggg.00759E43
00759E21 |. 8B4D 28 MOV ECX,DWORD PTR SS:[EBP+28]
00759E24 |. 51 PUSH ECX ; /Arg9
00759E25 |. 8B4D 24 MOV ECX,DWORD PTR SS:[EBP+24] ; |
00759E28 |. 51 PUSH ECX ; |Arg8
00759E29 |. 50 PUSH EAX ; |Arg7
00759E2A |. 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C] ; |
00759E2D |. 50 PUSH EAX ; |Arg6
00759E2E |. 57 PUSH EDI ; |Arg5
00759E2F |. 56 PUSH ESI ; |Arg4
00759E30 |. 53 PUSH EBX ; |Arg3
00759E31 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |
00759E34 |. 50 PUSH EAX ; |Arg2 = 00000001
00759E35 |. 52 PUSH EDX ; |Arg1
00759E36 |. E8 81010000 CALL czr_ggg.00759FBC ; \xxx.00759FBC go in and take a look
00759E3B |. 83C4 24 ADD ESP,24
00759E3E |. E9 6F010000 JMP czr_ggg.00759FB2
00759FBC /$ 55 PUSH EBP
00759FBD |. 8BEC MOV EBP,ESP
00759FBF |. 83C4 B8 ADD ESP,-48
00759FC2 |. 53 PUSH EBX
00759FC3 |. 56 PUSH ESI
00759FC4 |. 57 PUSH EDI
00759FC5 |. 8B75 28 MOV ESI,DWORD PTR SS:[EBP+28]
00759FC8 |. 8B5D 20 MOV EBX,DWORD PTR SS:[EBP+20]
00759FCB |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00759FCE |. 8D7D B8 LEA EDI,DWORD PTR SS:[EBP-48]
00759FD1 |. 3D FF000000 CMP EAX,0FF compares the dongle password
00759FD6 76 0E JBE SHORT czr_ggg.00759FE6 if it jumps, it's over
00759FD8 |. 8B45 24 MOV EAX,DWORD PTR SS:[EBP+24]
00759FDB |. C700 19FCFFFF MOV DWORD PTR DS:[EAX],-3E7
00759FE1 |. E9 84000000 JMP czr_ggg.0075A06A
00759FE6 |> C747 08 6C687>MOV DWORD PTR DS:[EDI+8],6873686C
00759FED |. C607 02 MOV BYTE PTR DS:[EDI],2
00759FF0 |. C747 04 01000>MOV DWORD PTR DS:[EDI+4],1
00759FF7 |. 8847 16 MOV BYTE PTR DS:[EDI+16],AL
00759FFA |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00759FFD |. 8957 18 MOV DWORD PTR DS:[EDI+18],EDX
0075A000 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0075A003 |. 894F 1C MOV DWORD PTR DS:[EDI+1C],ECX
After a long while we arrive here.
007034F9 |. 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18]
007034FC |. 52 PUSH EDX ; |Arg3
007034FD |. 6A 01 PUSH 1 ; |Arg2 = 00000001
007034FF |. 6A 03 PUSH 3 ; |Arg1 = 00000003
00703501 |. E8 FE680500 CALL czr_ggg.00759E04 \xxx.00759E04 isn't this where we just were
00703506 |. 83C4 24 ADD ESP,24
00703509 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0070350C |. 66:8B43 20 MOV AX,WORD PTR DS:[EBX+20]
00703510 |. 66:8901 MOV WORD PTR DS:[ECX],AX
00703513 |. 8B43 24 MOV EAX,DWORD PTR DS:[EBX+24]
00703516 |. 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
00703519 |. 85C0 TEST EAX,EAX checks whether a dongle is present, eax=0 means a dongle is present, change this
0070351B |. 74 05 JE SHORT czr_ggg.00703522 equal means a dongle is present, jumps
0070351D |. 33C0 XOR EAX,EAX
0070351F |. 5B POP EBX
00703520 |. 5D POP EBP
00703521 |. C3 RETN
Keep looking, we come here. Key part.
00702E22 |. E8 09FFFFFF CALL czr_ggg.00702D30 ; \xxx.00702D30
00702E27 |. 83C4 0C ADD ESP,0C
00702E2A |. 85C0 TEST EAX,EAX tests the return value
00702E2C |. 75 05 JNZ SHORT czr_ggg.00702E33 if it doesn't jump, it's over
00702E2E |. 83C8 FF OR EAX,FFFFFFFF
00702E31 |. EB 43 JMP SHORT czr_ggg.00702E76 jumps to the error, the program hangs
00702E33 |> 8D55 FE LEA EDX,DWORD PTR SS:[EBP-2]
00702E36 |. 52 PUSH EDX ; /Arg3
00702E37 |. 6A 02 PUSH 2 ; |Arg2 = 00000002
00702E39 |. 68 50E99100 PUSH czr_ggg.0091E950 ; |Arg1 = 0091E950
00702E3E |. E8 EDFEFFFF CALL czr_ggg.00702D30 ; \xxx.00702D30 computes the returned data
00702E43 |. 83C4 0C ADD ESP,0C
00702E46 |. 48 DEC EAX
00702E47 |. 75 2A JNZ SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
00702E49 |. 66:817D FE 70>CMP WORD PTR SS:[EBP-2],3570 compares the data value
00702E4F |. 75 22 JNZ SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
00702E51 |. 8D4D FE LEA ECX,DWORD PTR SS:[EBP-2]
00702E54 |. 51 PUSH ECX ; /Arg3
00702E55 |. 56 PUSH ESI ; |Arg2
00702E56 |. 68 50E99100 PUSH czr_ggg.0091E950 ; |Arg1 = 0091E950
00702E5B |. E8 D0FEFFFF CALL czr_ggg.00702D30 ; \xxx.00702D30 computes the returned data
00702E60 |. 83C4 0C ADD ESP,0C
00702E63 |. 85C0 TEST EAX,EAX tests the return value
00702E65 |. 74 0C JE SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
00702E67 |. 0FB745 FE MOVZX EAX,WORD PTR SS:[EBP-2]
00702E6B |. 85D8 TEST EAX,EBX tests the return value again
00702E6D |. 74 04 JE SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
00702E6F |. 33C0 XOR EAX,EAX
00702E71 |. EB 03 JMP SHORT czr_ggg.00702E76 to the correct flow
00702E73 |> 83C8 FF OR EAX,FFFFFFFF
00702E76 |> 5E POP ESI
The rest of the check part
004012E0 . 6A 00 PUSH 0 ; /Arg2 = 00000000
004012E2 . 6A 4B PUSH 4B ; |Arg1 = 0000004B
004012E4 . E8 971B3000 CALL czr_ggg.00702E80 ; \xxx.00702E80 computes data
004012E9 . 85C0 TEST EAX,EAX tests the data
004012EB . 74 3E JE SHORT czr_ggg.0040132B if it doesn't jump, it's over
004012ED . 66:C745 E0 14>MOV WORD PTR SS:[EBP-20],14
004012F3 . BA 40EA7500 MOV EDX,czr_ggg.0075EA40
004012F8 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004012FB . E8 909C3500 CALL czr_ggg.0075AF90
00401300 . FF45 EC INC DWORD PTR SS:[EBP-14]
00401303 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401305 . E8 DE6A2300 CALL czr_ggg.00637DE8
0040130A . FF4D EC DEC DWORD PTR SS:[EBP-14]
0040130D . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00401310 . BA 02000000 MOV EDX,2
00401315 . E8 429E3500 CALL czr_ggg.0075B15C
0040131A . 33C0 XOR EAX,EAX
0040131C . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
0040131F . 64:8915 00000>MOV DWORD PTR FS:[0],EDX
00401326 . E9 F6000000 JMP czr_ggg.00401421
0040132B > 8B0D 7C949100 MOV ECX,DWORD PTR DS:[91947C] ; xxx.00919D34
00401331 . 8B01 MOV EAX,DWORD PTR DS:[ECX]
00401333 . E8 38E52200 CALL czr_ggg.0062F870
00401338 . 66:C745 E0 20>MOV WORD PTR SS:[EBP-20],20
0040133E . BA 59EA7500 MOV EDX,czr_ggg.0075EA59
00401343 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00401346 . E8 459C3500 CALL czr_ggg.0075AF90
After handling it this way the program still has problems when run! It seems it isn't fully solved! Let's take another look!
Part two
007033FB . 51 PUSH ECX ; |Arg3
007033FC . 6A 01 PUSH 1 ; |Arg2 = 00000001
007033FE . 6A 05 PUSH 5 ; |Arg1 = 00000005
00703400 . E8 FF690500 CALL czr_ggg.00759E04 ; \xxx.00759E04 reads the dongle again
00703405 . 83C4 24 ADD ESP,24
00703408 . 8B43 24 MOV EAX,DWORD PTR DS:[EBX+24] the returned data value
0070340B . 85C0 TEST EAX,EAX compare
0070340D . 75 6D JNZ SHORT czr_ggg.0070347C jumps to the error, the program hangs
0070340F . 53 PUSH EBX ; /Arg1
00703410 . E8 0FFEFFFF CALL czr_ggg.00703224 ; \xxx.00703224 computes the returned data
00703415 . 59 POP ECX
00703416 . B8 4E740000 MOV EAX,744E
0070341B . C743 10 CB080>MOV DWORD PTR DS:[EBX+10],8CB
00703422 . 8943 14 MOV DWORD PTR DS:[EBX+14],EAX
00703425 . 8D53 28 LEA EDX,DWORD PTR DS:[EBX+28]
00703428 . 52 PUSH EDX ; /Arg9
00703429 . 8D4B 24 LEA ECX,DWORD PTR DS:[EBX+24] ; |
0070342C . 51 PUSH ECX ; |Arg8
0070342D . 57 PUSH EDI ; |Arg7
0070342E . 56 PUSH ESI ; |Arg6
0070342F . 50 PUSH EAX ; |Arg5 => 0000744E
00703430 . 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] ; |
00703433 . 50 PUSH EAX ; |Arg4
00703434 . 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18] ; |
00703437 . 52 PUSH EDX ; |Arg3
00703438 . 6A 01 PUSH 1 ; |Arg2 = 00000001
0070343A . 6A 01 PUSH 1 ; |Arg1 = 00000001
0070343C . E8 C3690500 CALL czr_ggg.00759E04 ; \xxx.00759E04 reads the dongle again
00703441 . 83C4 24 ADD ESP,24
00703444 . 8B4B 1C MOV ECX,DWORD PTR DS:[EBX+1C] the returned data value
00703447 . 85C9 TEST ECX,ECX compare
00703449 . 75 04 JNZ SHORT czr_ggg.0070344F jumps to the error, the program hangs
0070344B . 33C0 XOR EAX,EAX here means the dongle is present
0070344D . EB 5D JMP SHORT czr_ggg.007034AC the correct flow
0070344F > 8D53 28 LEA EDX,DWORD PTR DS:[EBX+28]
00703452 . 8D4B 24 LEA ECX,DWORD PTR DS:[EBX+24]
00703455 . 52 PUSH EDX ; /Arg9
00703456 . 51 PUSH ECX ; |Arg8
00703457 . 57 PUSH EDI ; |Arg7
00703458 . 56 PUSH ESI ; |Arg6
00703459 . 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; |
0070345C . 50 PUSH EAX ; |Arg5
0070345D . 8B53 10 MOV EDX,DWORD PTR DS:[EBX+10] ; |
00703460 . 52 PUSH EDX ; |Arg4
00703461 . 8B4B 18 MOV ECX,DWORD PTR DS:[EBX+18] ; |
00703464 . 51 PUSH ECX ; |Arg3
00703465 . 6A 01 PUSH 1 ; |Arg2 = 00000001
00703467 . 6A 05 PUSH 5 ; |Arg1 = 00000005
00703469 . E8 96690500 CALL czr_ggg.00759E04 ; xxx.00759E04 reads the dongle again
0070346E . 83C4 24 ADD ESP,24
00703471 . 8B43 24 MOV EAX,DWORD PTR DS:[EBX+24] the returned data value
00703474 . 85C0 TEST EAX,EAX compare
00703476 . 75 04 JNZ SHORT czr_ggg.0070347C jumps to the error, the program hangs
00703478 . 33C0 XOR EAX,EAX here means the dongle is present
0070347A . EB 30 JMP SHORT czr_ggg.007034AC the correct flow
0070347C > 8B53 20 MOV EDX,DWORD PTR DS:[EBX+20]
0070347F . 83FA 05 CMP EDX,5 compare
00703482 . 75 16 JNZ SHORT czr_ggg.0070349A jumps to the wrong flow, keeps comparing
00703484 . 53 PUSH EBX ; /Arg1
00703485 . E8 C2FDFFFF CALL czr_ggg.0070324C ; \xxx.0070324C computes the returned data
0070348A . 59 POP ECX
0070348B . 85C0 TEST EAX,EAX compare
0070348D . 75 04 JNZ SHORT czr_ggg.00703493 jumps to the wrong flow
0070348F . 33C0 XOR EAX,EAX
00703491 . EB 19 JMP SHORT czr_ggg.007034AC to the correct flow
00703493 > C743 08 01000>MOV DWORD PTR DS:[EBX+8],1
0070349A > 8B53 24 MOV EDX,DWORD PTR DS:[EBX+24]
0070349D . B8 01000000 MOV EAX,1
007034A2 . 8953 18 MOV DWORD PTR DS:[EBX+18],EDX
007034A5 . C743 04 01000>MOV DWORD PTR DS:[EBX+4],1
007034AC > 5F POP EDI
007034AD . 5E POP ESI
007034AE . 5B POP EBX
007034AF . 5D POP EBP
007034B0 . C3 RETN
After getting through this part, the dongle part is cracked!
Summary!
The above is only one of the ways to crack the dongle! I think this software has several other solutions! This one is relatively easy to understand! Heh~ I'm just showing my humble work, I hope nobody laughs at me!
孤城(寂静如风)
[email protected]
2006.2.27
BTW: wx73721, 孤城 and 寂静如风 are all my registered IDs
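What follows is an added example, not the poster's code or tooling: a small Python parser for the OllyDbg 1.10 listing format used throughout the post. It splits each dump line into address, flow marker, encoded bytes, mnemonic, operands, OllyDbg's own ";" comment and the poster's free-text note, recovers the direct JMP/Jcc/CALL targets, and cross-checks OllyDbg's ">" flow flags against the branch targets it finds, which is how a reader can confirm that an excerpt quoted in a post is internally consistent. SAMPLE is a constructed copy of the 00702E22..00702E76 excerpt above with the annotations translated and the middle left out; czr_ggg is the masked module name exactly as it appears on the page, and parse_line, block_leaders, external_targets and markers_agree are names chosen here.

```python
"""Parse OllyDbg 1.10 listing lines such as those quoted in the post above.

Added example, not the poster's tooling.  SAMPLE is a constructed copy of the
00702E22..00702E76 excerpt from the post (module name czr_ggg as on the page,
annotations translated, the middle of the excerpt left out)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Instr(NamedTuple):
    address: int
    marker: str     # flow column: "|." body, "|>" branch target, "/$" proc entry
    opcodes: str    # encoding as displayed; OllyDbg truncates long ones with ">"
    mnemonic: str
    operands: str
    comment: str    # OllyDbg's own analysis text after ";"
    note: str       # free text the poster typed after the operands


# A byte group is an even-length hex run (optional "66:" prefix) plus whitespace,
# or any hex run OllyDbg cut off with ">".  Even length keeps all-hex mnemonics
# such as DEC/ADD out of the byte field (a 4-letter one like FADD would slip).
_LINE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"
    r"(?:(?P<marker>[/|\\.$>]+)\s+)?"
    r"(?P<bytes>(?:(?:[0-9A-F]{2}:)?(?:(?:[0-9A-F]{2})+\s+|[0-9A-F]+>\s*))+)"
    r"(?P<mnem>[A-Z]+)(?P<rest>.*)$")
# A note starts at the first standalone lowercase word; symbols such as
# czr_ggg.00702E33 or kernel32.X do not qualify.
_NOTE = re.compile(r"\s+(?=[a-z]+(?:[\s,!'?]|$))")
_TARGET = re.compile(r"\b([0-9A-F]{8})\b")


def _split_note(text: str) -> Tuple[str, str]:
    parts = _NOTE.split(text.strip(), maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_line(line: str) -> Optional[Instr]:
    """One listing line -> Instr; None for the prose lines between dumps."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ops, _, comment = m.group("rest").partition(";")
    operands, note = _split_note(ops)
    comment, comment_note = _split_note(comment)   # note may follow the ";" text
    return Instr(int(m.group("addr"), 16), m.group("marker") or "",
                 m.group("bytes").strip(), m.group("mnem"), operands,
                 comment, note or comment_note)


def parse_listing(text: str) -> List[Instr]:
    return [ins for ins in map(parse_line, text.splitlines()) if ins]


def branch_target(ins: Instr) -> Optional[int]:
    """Direct target of a JMP/Jcc/CALL; None otherwise (also for thunk calls
    like CALL <JMP.&KERNEL32.OutputDebugStringA>, which carry no address)."""
    if ins.mnemonic != "CALL" and not ins.mnemonic.startswith("J"):
        return None
    m = _TARGET.search(ins.operands)
    return int(m.group(1), 16) if m else None


def block_leaders(instrs: List[Instr]) -> List[int]:
    """Addresses inside the listing that some branch in it targets; OllyDbg
    flags exactly these lines with ">" in the flow column."""
    present = {i.address for i in instrs}
    return sorted({t for t in map(branch_target, instrs) if t in present})


def external_targets(instrs: List[Instr]) -> List[int]:
    """Direct call/jump targets that lie outside the quoted excerpt."""
    present = {i.address for i in instrs}
    return sorted({t for t in map(branch_target, instrs)
                   if t is not None and t not in present})


def markers_agree(instrs: List[Instr]) -> bool:
    """Cross-check the dump: its ">" flags must equal the computed leaders."""
    return sorted(i.address for i in instrs if ">" in i.marker) == block_leaders(instrs)


SAMPLE = r"""
00702E22 |. E8 09FFFFFF CALL czr_ggg.00702D30 ; \xxx.00702D30
00702E27 |. 83C4 0C ADD ESP,0C
00702E2A |. 85C0 TEST EAX,EAX tests the return value
00702E2C |. 75 05 JNZ SHORT czr_ggg.00702E33 if it doesn't jump, it's over
00702E2E |. 83C8 FF OR EAX,FFFFFFFF
00702E31 |. EB 43 JMP SHORT czr_ggg.00702E76 jumps to the error, the program hangs
00702E33 |> 8D55 FE LEA EDX,DWORD PTR SS:[EBP-2]
00702E36 |. 52 PUSH EDX ; /Arg3
00702E37 |. 6A 02 PUSH 2 ; |Arg2 = 00000002
00702E39 |. 68 50E99100 PUSH czr_ggg.0091E950 ; |Arg1 = 0091E950
00702E3E |. E8 EDFEFFFF CALL czr_ggg.00702D30 ; \xxx.00702D30 computes the returned data
00702E43 |. 83C4 0C ADD ESP,0C
00702E46 |. 48 DEC EAX
00702E47 |. 75 2A JNZ SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
00702E49 |. 66:817D FE 70>CMP WORD PTR SS:[EBP-2],3570 compares the data value
00702E4F |. 75 22 JNZ SHORT czr_ggg.00702E73 if it jumps, it's over, the program hangs
... (00702E51 to 00702E71 left out of this sample)
00702E73 |> 83C8 FF OR EAX,FFFFFFFF
00702E76 |> 5E POP ESI
"""

if __name__ == "__main__":
    instrs = parse_listing(SAMPLE)
    print(len(instrs), "instructions; leaders", [f"{a:08X}" for a in block_leaders(instrs)],
          "external", [f"{a:08X}" for a in external_targets(instrs)],
          "flags consistent:", markers_agree(instrs))
```

Run stand-alone, the module reports 18 parsed instructions, the three block leaders 00702E33, 00702E73 and 00702E76 (the lines OllyDbg flagged with "|>"), the single call target outside the excerpt, 00702D30, and that the flow flags agree with the branch targets. The same parser accepts the 0040xxxx dump in the post, whose flow column uses a bare "." or ">".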