|
一、用OD加载DLL,并分析: 10001320 >/$ B8 4C140000 mov eax,0x144C //加密狗关键函数一
10001325 |. E8 660A0000 call f2.10001D90 //打开加密狗函数,检测加密狗是否存在
1000132A |. 53 push ebx
1000132B |. 55 push ebp
1000132C |. 56 push esi
1000132D |. 33DB xor ebx,ebx
1000132F |. 57 push edi
10001330 |. 33ED xor ebp,ebp
10001332 |. 895C24 18 mov dword ptrss:[esp+0x18],ebx
10001336 |. 891D E8CC0010 mov dword ptrds:[0x1000CCE8],ebx
1000133C |. E8 2FFEFFFF call f2.10001170
10001341 |. 8D4424 30 lea eax,dword ptrss:[esp+0x30]
10001345 |. 50 push eax
10001346 |. E8 FB070000 call<jmp.&HID.HidD_GetHidGuid>
1000134B |. 6A 12 push 0x12
1000134D |. 53 push ebx
1000134E |. 8D4C24 38 lea ecx,dword ptrss:[esp+0x38]
10001352 |. 53 push ebx
10001353 |. 51 push ecx
……………………
10001680 |. 3BEB cmp ebp,ebx
10001682 |. 8BC5 mov eax,ebp
10001684 |. 75 05 jnz short f2.1000168B //加密狗克隆的关键点
10001686 |. B8 0100870E mov eax,0xE870001
1000168B |> 5F pop edi
1000168C |. 5E pop esi
1000168D |. 5D pop ebp
1000168E |. 5B pop ebx
1000168F |. 81C4 4C140000 add esp,0x144C
10001695 \. C3 retn
100016A0 >/$ 53 push ebx //加密狗克隆关键点二
100016A1 |. 55 push ebp //打开加密狗函数,如果打开失败,则退出程序
100016A2 |. 56 push esi
100016A3 |. 8B35 E8CC0010 mov esi,dword ptrds:[0x1000CCE8]
100016A9 |. 57 push edi
100016AA |. 33DB xor ebx,ebx
100016AC |. 33FF xor edi,edi
100016AE |. 85F6 test esi,esi
100016B0 |. 7E 34 jle short f2.100016E6
100016B2 |. 8B5424 1C mov edx,dword ptrss:[esp+0x1C]
100016B6 |. 8B4C24 14 mov ecx,dword ptrss:[esp+0x14]
100016BA |. B8 70AB0010 mov eax,f2.1000AB70
100016BF |> 85C9 /test ecx,ecx
100016C1 |. 7E 0E |jle short f2.100016D1
100016C3 |. 8B68 FC |mov ebp,dword ptrds:[eax-0x4]
100016C6 |. 3B6C24 18 |cmp ebp,dword ptrss:[esp+0x18]
100016CA |. 75 10 |jnz short f2.100016DC
100016CC |. 43 |inc ebx
100016CD |. 3BCB |cmp ecx,ebx
100016CF |. 75 0B |jnz short f2.100016DC
100016D1 |> 83F9 FF |cmp ecx,-0x1
100016D4 |. 75 1C |jnz short f2.100016F2
100016D6 |. 8B28 |mov ebp,dword ptr ds:[eax]
100016D8 |. 3B2A |cmp ebp,dword ptr ds:[edx]
100016DA |. 74 16 |je short f2.100016F2 //加密狗克隆关键点,必须跳
100016DC |> 47 |inc edi
100016DD |. 05 14010000 |add eax,0x114
100016E2 |. 3BFE |cmp edi,esi
100016E4 |.^ 7C D9 \jl short f2.100016BF
100016E6 |> 5F pop edi
100016E7 |. 5E pop esi
100016E8 |. 5D pop ebp
100016E9 |. B8 01000000 mov eax,0x1
100016EE |. 5B pop ebx
100016EF |. C2 0C00 retn 0xC
100016F2 |> 8D047F lea eax,dword ptrds:[edi+edi*2]
100016F5 |. 6A 00 push 0x0 ; /hTemplateFile =NULL
100016F7 |. C1E0 03 shl eax,0x3 ; |
100016FA |. 2BC7 sub eax,edi ; |
100016FC |. 6A 00 push 0x0 ; |Attributes = 0
100016FE |. 6A 03 push 0x3 ; |Mode =OPEN_EXISTING
10001700 |. 6A 00 push 0x0 ; |pSecurity = NULL
10001702 |. 8D3440 lea esi,dword ptrds:[eax+eax*2] ; |
10001705 |. 6A 03 push 0x3 ; |ShareMode =FILE_SHARE_READ|FILE_SHARE_WRITE
10001707 |. C1E6 02 shl esi,0x2 ; |
1000170A |. 68 000000C0 push 0xC0000000 ;|Access = GENERIC_READ|GENERIC_WRITE
1000170F |. 8B86 70AB0010 mov eax,dword ptrds:[esi+0x1000AB70] ; |
10001715 |. 8D8E 68AA0010 lea ecx,dword ptrds:[esi+0x1000AA68] ; |
1000171B |. 51 push ecx ; |FileName
1000171C |. 8902 mov dword ptr ds:[edx],eax ; |
1000171E |. FF15 3C700010 call dword ptrds:[<&KERNEL32.CreateFile>; \CreateFileA
10001724 |. 85C0 test eax,eax
10001726 |. 8986 68AB0010 mov dword ptrds:[esi+0x1000AB68],eax
1000172C |. 75 0C jnz short f2.1000173A //加密狗克隆关键点,必须跳走
1000172E |. 5F pop edi
1000172F |. 5E pop esi
10001730 |. 5D pop ebp
10001731 |. B8 070010A0 mov eax,0xA0100007
10001736 |. 5B pop ebx
10001737 |. C2 0C00 retn 0xC
1000173A |> 8BC7 mov eax,edi
1000173C |. 5F pop edi
1000173D |. 5E pop esi
1000173E |. 5D pop ebp
1000173F |. 5B pop ebx
10001740 \. C2 0C00 retn 0xC 二、接下来就是读取加密狗中的数据,此函数如果直接修改跳转,程序就会出现BUG,必须根据原狗中的数据一一赋值。 10001890>/$ 81EC A0000000 sub esp,0xA0 //加密狗克隆关键点三, 10001896|. 56 push esi //读取加密狗中的数据 10001897|. 8BB424 A80000>mov esi,dword ptr ss:[esp+0xA8] 1000189E|. 8D0476 lea eax,dword ptr ds:[esi+esi*2] 100018A1|. C1E0 03 shl eax,0x3 100018A4|. 2BC6 sub eax,esi 100018A6|. 8D1440 lea edx,dword ptr ds:[eax+eax*2] 100018A9|. C1E2 02 shl edx,0x2 100018AC|. 8B82 68AB0010 mov eax,dword ptr ds:[edx+0x1000AB68] 100018B2|. 85C0 test eax,eax 100018D3|. F3:AB rep stos dword ptr es:[edi] 100018D5|. 8B8A 6CAB0010 mov ecx,dword ptr ds:[edx+0x1000AB6C] 100018DB|. 8BAC24 BC0000>mov ebp,dword ptr ss:[esp+0xBC] 100018E2|. AA stos byte ptr es:[edi] 100018E3|. 8A8424 B80000>mov al,byte ptr ss:[esp+0xB8] 100018EA|. 8DBA 78AB0010 lea edi,dword ptr ds:[edx+0x1000AB78] 100018F0|. C64424 19 00 mov byte ptr ss:[esp+0x19],0x0 100018F5|. C64424 1A 81 mov byte ptr ss:[esp+0x1A],0x81 100018FA|. 884424 1B mov byte ptr ss:[esp+0x1B],al 100018FE|. 894C24 1D mov dword ptr ss:[esp+0x1D],ecx 10001902|. 33DB xor ebx,ebx 1000195A|. 8B7424 10 mov esi,dword ptr ss:[esp+0x10] 1000195E|> 5F pop edi 1000195F|. 5D pop ebp 10001960|. 8BC6 mov eax,esi 10001962|. 5B pop ebx 10001963|. 5E pop esi 10001964|. 81C4 A0000000 add esp,0xA0 1000196A\. C2 0C00 retn 0xC 三、相关的代码因为比较多,这里就不贴上来了,只要有原狗,一切都非常顺利。 接下来的是获取软件的版本信息,也就是软件的的使用期限,如果读取信息错误的话,软件就无法正常使用,或是提示软件已过期。 10001A40>/$ 8B4C24 04 mov ecx,dword ptr ss:[esp+0x4] //加密狗破解关键点四 10001A44|. 8D0449 lea eax,dword ptr ds:[ecx+ecx*2] //获取软件使用期限 10001A47|. C1E0 03 shl eax,0x3 10001A4A|. 2BC1 sub eax,ecx 10001A4C|. 8D0440 lea eax,dword ptr ds:[eax+eax*2] 10001A4F|. C1E0 02 shl eax,0x2 10001A52|. 8B88 68AB0010 mov ecx,dword ptr ds:[eax+0x1000AB68] 10001A58|. 85C9 test ecx,ecx 10001A5A|. 75 08 jnz short f2.10001A64 //加密狗破解的关键位置 10001A5C|. B8 020010A0 mov eax,0xA0100002 10001A61|. C2 0800 retn 0x8 10001A64|> 8B5424 08 mov edx,dword ptr ss:[esp+0x8] 10001A68|. 33C9 xor ecx,ecx 10001A6A|. 66:8B88 74AB0>mov cx,word ptr ds:[eax+0x1000AB74] 10001A71|. 51 push ecx ; /<%d> 10001A72|. 68 50800010 push f2.10008050 ; |Format = "1.06.%d" 10001A77|. 52 push edx ; |s 10001A78|. FF15 28710010 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA 10001A7E|. 83C4 0C add esp,0xC 10001A81|. 33C0 xor eax,eax 10001A83\. C2 0800 retn 0x8 此函数修改办法还是挺多,当然最好的就是无限制使用了,经过几次测试,软件可以无限制使用,没有任何BUG,加密狗复制完美成功! 以上只是克隆Rockey6加密狗复制资料的简单介绍,文章由(逆向开发技术网)编辑整理。
| 
QQ好友和群
QQ空间
腾讯微博
腾讯朋友
收藏
淘帖
顶
踩
