发布时间 : 星期二 文章某制图软件域天加密狗破解过程更新完毕开始阅读6af6212d4a35eefdc8d376eeaeaad1f34693117e
某制图软件域天加密狗破解过程
某制图软件域天加密狗破解过程
--------------------------------------------------------------------------------
来源: 发布时间: 2011-9-20 22:08:30 浏览: 7
这是一个商业软件,具体名称就不写出来了,主要用于企事业单位的网络图形化设计,在没有加密狗的情况下软件有功能限制,一个工程最多只能保存800个节点,再添加节点就无法保存了。对一般的小企业是足够了,如果碰上大的单位,这个限制就使用该软件无法胜任。经过软件跟踪发现,该软件用的是域天加密狗。
用PEID检测,提示为Microsoft Visual Basic 5.0 / 6.0。
用OD加载:
00423C24 > $ 68 883F4200 push VisualNe.00423F88 ; ASCII "VB5!
6&vb6chs.dll"
00423C29 . E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
00423C2E . 0000 add byte ptr ds:[eax],al
00423C30 . 0000 add byte ptr ds:[eax],al
00423C32 . 0000 add byte ptr ds:[eax],al
00423C34 . 3000 xor byte ptr ds:[eax],al
00423C36 . 0000 add byte ptr ds:[eax],al
由于软件只是在节点数达到800的时候才无法保存工程,所以我们只需要找到保存文件的函数:
0103E179 . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax
0103E180 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0103E183 . FF15 30144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0103E189 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
0103E18C . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0103E192 . 0FBF8D CCFEFF>movsx ecx,word ptr ss:[ebp-0x134]
0103E199 . 85C9 test ecx,ecx
0103E19B . 0F84 B7130000 je VisualNe.0103F558 //加密狗破解关键跳转,NOP掉
0103E1A1 . C745 FC 1B000>mov dword ptr ss:[ebp-0x4],0x1B
0103E1A8 . 6A 00 push 0x0
0103E1AA . 6A 01 push 0x1
0103E1AC . 8B95 B4FEFFFF mov edx,dword ptr ss:[ebp-0x14C]
0103E1B2 . 52 push edx
0103E1B3 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
0103E1B6 . 50 push eax
0103E1B7 . FF15 08124000 call dword ptr ds:[<&MSVBVM60.__vbaLateI>;
MSVBVM60.__vbaLateIdCallLd
0103E1BD . 83C4 10 add esp,0x10
0103E1C0 . 50 push eax
0103E1C1 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>;
MSVBVM60.__vbaStrVarMove
0103E1C7 . 8945 A0 mov dword ptr ss:[ebp-0x60],eax
0103E1CA . C745 98 08000>mov dword ptr ss:[ebp-0x68],0x8
0103E1D1 . 6A 00 push 0x0
0103E1D3 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0103E1D6 . 51 push ecx
0103E1D7 . FF15 DC124000 call dword ptr ds:[<&MSVBVM60.#645>] ; MSVBVM60.rtcDir
0103E1DD . 8BD0 mov edx,eax
0103E1DF . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0103E1E2 . FF15 CC134000 call dword p
tr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0103E1E8 . 50 push eax
0103E1E9 . 68 883E4500 push VisualNe.00453E88
0103E1EE . FF15 AC114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0103E1F4 . F7D8 neg eax
0103E1F6 . 1BC0 sbb eax,eax
0103E1F8 . F7D8 neg eax
0103E1FA . F7D8 neg eax
0103E1FC . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax
0103E203 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0103E206 . FF15 30144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0103E20C . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
0103E20F . 52 push edx
0103E210 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
0103E213 . 50 push eax
0103E214 . 6A 02 push 0x2
0103E216 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
0103E21C . 83C4 0C add esp,0xC
0103E21F . 0FBF8D CCFEFF>movsx ecx,word ptr ss:[ebp-0x134]
0103E226 . 85C9 test ecx,ecx
0103E228 . 0F84 DD030000 je VisualNe.0103E60B //加密狗破解关键点,NOP掉
0103E22E . C745 FC 1C000>mov dword ptr ss:[ebp-0x4],0x1C
0103E235 . C745 80 04000>mov dword ptr ss:[ebp-0x80],0x80020004
0103E23C . C785 78FFFFFF>mov dword ptr ss:[ebp-0x88],0xA
0103E246 . C745 90 04000>mov dword ptr ss:[ebp-0x70],0x80020004
0103E24D . C745 88 0A000>mov dword ptr ss:[ebp-0x78],0xA
0103E254 . C745 A0 04000>mov dword ptr ss:[ebp-0x60],0x80020004
0103E25B . C745 98 0A000>mov dword ptr ss:[ebp-0x68],0xA
0103E262 . C785 70FFFFFF>mov dword ptr ss:[ebp-0x90],VisualNe.004>
0103E26C . C785 68FFFFFF>mov dword ptr ss:[ebp-0x98],0x8