
Full walkthrough of cracking a fax-machine software dongle

2017.02.06
  The full process of cracking the fax-machine software's dongle is as follows:
  This is a foreign fax-machine program protected by a software dongle.
  PEiD identifies it as ASPack 2.12 -> Alexey Solodovnikov, a simple packer; just unpack it in passing.
  Running the trial, the program's main window does appear, but a prompt pops up immediately: please confirm that the dongle is plugged into the computer's USB port. Clicking OK exits the program.
  Since there is a prompt, the first step is very simple: use the error message to locate the code that reads the dongle:
  004B0348    08C7            or bh,al
  004B034A    8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-0x90]
  004B0350    A3 FCF25C00     mov dword ptr ds:[0x5CF2FC],eax
  004B0355    E8 341C0000     call UnPack_.004B1F8E  //first read of the dongle
  004B035A    8BD8            mov ebx,eax
  004B035C    3BDF            cmp ebx,edi
  004B035E    74 06           je short UnPack_.004B0366  //dongle crack key point one, the jump must be taken
  004B0360    46              inc esi
  004B0361    83FE 03         cmp esi,0x3
  004B0364  ^ 7C AF           jl short UnPack_.004B0315
  004B0366    E8 99180100     call <jmp.&mfc42.#AfxGetModuleState_1168>
  004B036B    8B40 04         mov eax,dword ptr ds:[eax+0x4]
  004B036E    3978 2C         cmp dword ptr ds:[eax+0x2C],edi
  004B0371    75 0C           jnz short UnPack_.004B037F
  004B0373    8183 84850300 0>add dword ptr ds:[ebx+0x38584],0x3020103
  004B037D    08C7            or bh,al
  004B037F    3BDF            cmp ebx,edi
  004B0381    74 14           je short UnPack_.004B0397
  004B0383    8D4D F0         lea ecx,dword ptr ss:[ebp-0x10]
  004B0386    E8 0B200100     call <jmp.&mfc42.#CSingleLock::Unlock_63>
  004B038B    5F              pop edi
  004B038C    5E              pop esi
  004B038D    B8 01000000     mov eax,0x1
  004B0392    5B              pop ebx
  004B0393    8BE5            mov esp,ebp
  004B0395    5D              pop ebp
  004B0396    C3              retn
  004B0397    8B8D 70FFFFFF   mov ecx,dword ptr ss:[ebp-0x90]
  004B039D    894D FC         mov dword ptr ss:[ebp-0x4],ecx
  004B03A0    E8 5F180100     call <jmp.&mfc42.#AfxGetModuleState_1168>
  004B03A5    8B40 04         mov eax,dword ptr ds:[eax+0x4]
  004B03A8    3978 2C         cmp dword ptr ds:[eax+0x2C],edi
  004B03AB    75 0C           jnz short UnPack_.004B03B9  //dongle crack key point two
  004B03AD    81C7 83848503   add edi,0x3858483
  004B03B3    0301            add eax,dword ptr ds:[ecx]
  004B03B5    0203            add al,byte ptr ds:[ebx]
  004B03B7    08C7            or bh,al
  004B03B9    8175 FC 2437010>xor dword ptr ss:[ebp-0x4],0x13724
  004B03C0    E8 3F180100     call <jmp.&mfc42.#AfxGetModuleState_1168>
  004B03C5    8B40 04         mov eax,dword ptr ds:[eax+0x4]
  004B03C8    3978 2C         cmp dword ptr ds:[eax+0x2C],edi
  004B03CB    75 08           jnz short UnPack_.004B03D5   //dongle crack key point three
  004B03CD    81C7 85030301   add edi,0x1030385
  004B03D3    02C7            add al,bh
  004B03D5    8D95 70FFFFFF   lea edx,dword ptr ss:[ebp-0x90]
  004B03DB    6A 32           push 0x32
  004B03DD    52              push edx
  004B03DE    E8 4D040000     call UnPack_.004B0830
  004B03E3    83C4 08         add esp,0x8
  004B03E6    66:3D FFFF      cmp ax,0xFFFF
  004B03EA    0F85 2F020000   jnz UnPack_.004B061F   //dongle crack key point four
  004B03F0    E8 0F180100     call <jmp.&mfc42.#AfxGetModuleState_1168>
  004B03F5    8B40 04         mov eax,dword ptr ds:[eax+0x4]
  004B03F8    3978 2C         cmp dword ptr ds:[eax+0x2C],edi
  ……
  004B0627    5F              pop edi
  004B0628    5E              pop esi
  004B0629    B8 02000000     mov eax,0x2
  004B062E    5B              pop ebx
  004B062F    8BE5            mov esp,ebp
  004B0631    5D              pop ebp
  004B0632    C3              retn
  There is too much similar code to list it all. The first key point of the dongle crack was easy to find, but since I do not have the original dongle on hand, the work that follows is rather troublesome. Continue searching:
  00471CC1    E8 BAE50300     call UnPack_.004B0280  //reads the dongle
  00471CC6    85F6            test esi,esi
  00471CC8    8945 F0         mov dword ptr ss:[ebp-0x10],eax
  00471CCB    74 07           je short UnPack_.00471CD4  //dongle crack key point five
  00471CCD    8B46 20         mov eax,dword ptr ds:[esi+0x20]
  00471CD0    85C0            test eax,eax
  00471CD2    75 0E           jnz short UnPack_.00471CE2 
  
  After lengthy testing and trace analysis, the dongle crack is basically complete. Since there is no matching fax machine available, whether any bugs remain still has to be verified!