chap6-1-61.htm.primary

加密与解密,软件加密保护技术与解决方案,看雪文档!

        :004010BB 6A65                
        &nbsp; &nbsp; push 00000065 <br>
        :004010BD 56&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push esi <br>
        <br>
        * Reference To: USER32.SetDlgItemTextA, Ord:0000h <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004010BE E859040000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 
        0040151C <br>
        :004010C3 EB23&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; jmp 004010E8 <br>
        <br>
        * Referenced by a (U)nconditional or (C)onditional Jump at Address: <br>
        |:0040109E(C) <br>
        | <br>
        :004010C5 6800100000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        00001000 <br>
        <br>
        * Possible StringData Ref from Data Obj ->"Bad Luck" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004010CA 68F3204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        004020F3 <br>
        <br>
        * Possible StringData Ref from Data Obj ->"This program isn't being run 
        from " <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        ->"a CD, Please insert the CD" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004010CF 68B6204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        004020B6 <br>
        :004010D4 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push 00000000 <br>
        <br>
        * Reference To: USER32.MessageBoxA, Ord:0000h <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004010D6 E847040000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 
        00401522 <br>
        <br>
        * Possible StringData Ref from Data Obj ->"Invalid CD In Drive" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004010DB 68FC204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        004020FC <br>
        <br>
        因此，如下改动： <br>
        <br>
        0040109E 7525&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; jne 004010C5 to <br>
        0040109E 7425&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
        je&nbsp; 004010C5 <br>
        <br>
        或 <br>
        0040109E 90&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
        &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; nop <br>
        0040109F 90&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 
        &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; nop 
  </table>
</div>
<div id="KB2Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB2'); return false"> 
  2、习题二 答案</a> </span></div>
<div id="KB2Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> 
  <table width="100%" align="center" cellspacing="0">
    <tr bgcolor="#EFEFEF"> 
      <td height="7" class="p9">这程序利用了GetDriveTypeA检测光驱，还用CreateFileA找开光盘文件，如两者都OK,则成功。 
        <br>
        首先用W32DASM装载程序，用串式参考查找"You lost"，来到： <br>
        <br>
        * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :00401349 FF1504204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call dword 
        ptr [00402004] <br>
        :0040134F 83F803&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; cmp eax, 00000003................如EAX是3则是硬盘 <br>
        :00401352 743E&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; je 00401392 -----------------------改成两个NOP， <br>
        :00401354 8D45E8&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; lea eax, dword ptr [ebp-18] <br>
        <br>
        * Possible StringData Ref from Data Obj ->"CD_CHECK.DAT" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :00401357 6858304000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        00403058 <br>
        :0040135C 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push eax <br>
        :0040135D 8D45E0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; lea eax, dword ptr [ebp-20] <br>
        :00401360 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push eax <br>
        <br>
        * Reference To: MFC42.Ordinal:039C, Ord:039Ch <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :00401361 E822030000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 
        00401688 <br>
        :00401366 8B00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; mov eax, dword ptr [eax] <br>
        :00401368 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ebx <br>
        :00401369 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ebx <br>
        :0040136A 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ebx <br>
        :0040136B 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ebx <br>
        :0040136C 6A01&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push 00000001 <br>
        :0040136E 6800000080&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        80000000 <br>
        :00401373 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push eax <br>
        <br>
        * Reference To: KERNEL32.CreateFileA, Ord:0034h <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :00401374 FF1500204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call dword 
        ptr [00402000] <br>
        :0040137A 83F8FF&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; cmp eax, FFFFFFFF................eax=-1打开文件失败 <br>
        :0040137D 8D4DE0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; lea ecx, dword ptr [ebp-20] <br>
        :00401380 0F9445F3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        sete byte ptr [ebp-0D] <br>
        <br>
        * Reference To: MFC42.Ordinal:0320, Ord:0320h <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :00401384 E811030000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 
        0040169A <br>
        :00401389 385DF3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; cmp byte ptr [ebp-0D], bl <br>
        :0040138C 0F84F3000000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; je 00401485 
        ......如打开文件成功则跳转，改成：jmp 00401485 <br>
        <br>
        * Referenced by a (U)nconditional or (C)onditional Jump at Address: <br>
        |:00401352(C) <br>
        | <br>
        :00401392 FF45EC&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; inc [ebp-14] <br>
        :00401395 83C704&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; add edi, 00000004 <br>
        :00401398 837DEC07&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        cmp dword ptr [ebp-14], 00000007 <br>
        :0040139C 759F&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; jne 0040133D <br>
        :0040139E 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ebx <br>
        <br>
        * Possible StringData Ref from Data Obj ->"Try again" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :0040139F 684C304000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        0040304C <br>
        <br>
        * Possible StringData Ref from Data Obj ->"You lost" <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004013A4 6840304000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        00403040 <br>
        这样改之后，成功crack。 
  </table>
</div>
<div id="KB3Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB3'); return false"> 
  3、习题三 答案</a> </span></div>
<div id="KB3Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> 
  <table width="100%" align="center" cellspacing="0">
    <tr bgcolor="#EFEFEF"> 
      <td height="7" class="p9">reversing a lame cd-check, pay attention boy! 
        by R!SC -- risc@notme.com <br>
        <br>
        <br>
        starting from the top, cd-checks normally use kernel32!getdrivetypea to 
        find out what sort of <br>
        drive they are looking at, you simply push a pointer to a drive letter, 
        then after getdrivetypea <br>
        eax=03 for hard disk or eax=05 for a cd-rom. <br>
        <br>
        so load crackcd.exe, enter softice, and type in 'bpx getdrivetypea'. Click 
        on the CheckCD <br>
        button, and bingo! we have located the code to check the CD.. now pay 
        close attention to the <br>
        comments in dead listing... <br>
        <br>
        <br>
        <br>
        015F:004011B3&nbsp; 68EB234000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PUSH&nbsp; 
        &nbsp; 004023EB&nbsp; &nbsp;&nbsp;; pointer to 'kernel32.dll',0 <br>
        015F:004011B8&nbsp; E861070000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CALL&nbsp; 
        &nbsp; KERNEL32!LoadLibraryA <br>
        015F:004011BD&nbsp; 8BF0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; MOV&nbsp; &nbsp; ESI,EAX&nbsp; &nbsp;&nbsp;; save address of kernel32 
        in esi <br>
        015F:004011BF&nbsp; 8D85E8FBFFFF&nbsp; &nbsp; &nbsp; &nbsp; LEA&nbsp; 
        &nbsp; EAX,[EBP+FFFFFBE8] <br>
        015F:004011C5&nbsp; 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; PUSH&nbsp; &nbsp; EAX&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;; 
        pointer to some free space <br>
        015F:004011C6&nbsp; 68F8234000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PUSH&nbsp; 
        &nbsp; 004023F8&nbsp; &nbsp;&nbsp;; pointer to getdrivetypea (wide char...) 
        <br>
        015F:004011CB&nbsp; E8C3020000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CALL&nbsp; 
        &nbsp; 00401493&nbsp; &nbsp;&nbsp;; convert it to normal, pasting it into 
        the free space <br>
        015F:004011D0&nbsp; 83C408&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        ADD&nbsp; &nbsp; ESP,08 <br>
        015F:004011D3&nbsp; 8D95E8FBFFFF&nbsp; &nbsp; &nbsp; &nbsp; LEA&nbsp; 
        &nbsp; EDX,[EBP+FFFFFBE8] <br>
        015F:004011D9&nbsp; 52&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; PUSH&nbsp; &nbsp; EDX&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;; 
        points to the converted 'getdrivetypea' <br>
        015F:004011DA&nbsp; 56&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; PUSH&nbsp; &nbsp; ESI&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;; 
        kernel32 <br>
        015F:004011DB&nbsp; E820070000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CALL&nbsp; 
        &nbsp; KERNEL32!GetProcAddress&nbsp; &nbsp;&nbsp;; returns the address 
        of 'getdrivetypea' in eax <br>
        015F:004011E0&nbsp; 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; PUSH&nbsp; &nbsp; 00&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;; null, 
        return the drivetype of the current drive <br>
        015F:004011E2&nbsp; FFD0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; CALL&nbsp; &nbsp; EAX&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;; call 
        getdrivetypea (where softice will break) <br>
        015F:004011E4&nbsp; 8BF8&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; MOV&nbsp; &nbsp; EDI,EAX&nbsp; &nbsp;&nbsp;; eax will == 3 if the