无狗秒杀PCB锣机控制管理系统加密狗
这是一个PCB锣机的控制管理系统,用的是软件加密狗。
试用软件,弹出提示:找不到加密狗,请检测。
PEID检测为Microsoft Visual C++ 5.0 [Debug],这个程序应该有一定的年代了,呵呵。
用OD加载程序:
004A4210 >/$ 55 push ebp
004A4211 |. 8BEC mov ebp,esp
004A4213 |. 6A FF push -0x1
004A4215 |. 68 D8555100 push YK-0.005155D8
004A421A |. 68 10444A00 push <jmp.&MSVCRTD._except_handler3> ; SE 处理程序安装
004A421F |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004A4225 |. 50 push eax
004A4226 |. 64:8925 00000>mov dword ptr fs:[0],esp
004A422D |. 83C4 94 add esp,-0x6C
由于有错误提示,找到对应读取加密狗的函数就相当简单了。
01C39610 |. E8 DD9E0700 call <jmp.&MFC42D.#3244>
01C39615 |. 6A 00 push 0x0
01C39617 |. E8 8EB00700 call <jmp.&MFCO42D.#798>
01C3961C |. 83C4 04 add esp,0x4
01C3961F |. B9 601C5200 mov ecx,YK-0.00521C60
01C39624 |. E8 38A5FDFF call YK-0.00403B61
01C39629 |. B9 A0185200 mov ecx,YK-0.005218A0
01C3962E |. E8 E093FDFF call YK-0.00402A13
01C39633 |. C745 C8 00000>mov [local.14],0x0
01C3963A |. B9 C81B5200 mov ecx,YK-0.00521BC8
01C3963F |. E8 9181FDFF call YK-0.004017D5 //读取加密狗函数
01C39644 |. 85C0 test eax,eax
01C39646 |. 75 24 jnz short YK-0.01C3966C //加密狗破解关键点一,不跳则挂
01C39648 |. 8BF4 mov esi,esp //弹出错误提示对话框
01C3964A |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
01C3964C |. 68 20B95000 push YK-0.0050B920 ; |Title = “出错”
01C39651 |. 68 5C075100 push YK-0.0051075C ; |Text = “找不到加密狗,请检测!”
01C39656 |. 6A 00 push 0x0 ; |hOwner = NULL
01C39658 |. FF15 B05B5200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
01C3965E |. 3BF4 cmp esi,esp
01C39660 |. E8 05A80700 call <jmp.&MSVCRTD._chkesp>
01C39665 |. 33C0 xor eax,eax
01C39667 |. E9 BC050000 jmp YK-0.01C39C28
01C3966C |> 33D2 xor edx,edx
01C3966E |. 66:8B15 D01B5>mov dx,word ptr ds:[0x521BD0]
01C39675 |. 83FA 01 cmp edx,0x1
01C39678 |. 74 33 je short YK-0.01C396AD
01C3967A |. 33C0 xor eax,eax
01C3967C |. 66:A1 061C520>mov ax,word ptr ds:[0x521C06]
01C39682 |. 83E0 03 and eax,0x3
01C39685 |. 85C0 test eax,eax //第二次检测加密狗是否存在
01C39687 |. 75 24 jnz short YK-0.01C396AD //加密狗破解关键点二,不跳则挂
01C39689 |. 8BF4 mov esi,esp //弹出错误提示对话框
01C3968B |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
01C3968D |. 68 20B95000 push YK-0.0050B920 ; |Title = “出错”
01C39692 |. 68 30075100 push YK-0.00510730 ; |Text = “加密狗未经正式授权,请联系设备厂商!”
01C39697 |. 6A 00 push 0x0 ; |hOwner = NULL
01C39699 |. FF15 B05B5200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
程序肯定不止一处读取加密狗的,继续查找:
0AC1FB4C |. 8915 08095200 mov dword ptr ds:[0x520908],edx
0AC1FB52 |. 833D 08095200>cmp dword ptr ds:[0x520908],0x0
0AC1FB59 |. 75 51 jnz short YK-0.0AC1FBAC
0AC1FB5B |. 833D DC175200>cmp dword ptr ds:[0x5217DC],0x0
0AC1FB62 |. 75 1A jnz short YK-0.0AC1FB7E
0AC1FB64 |. E8 793CFEFF call YK-0.004037E2 //读取加密狗数据
0AC1FB69 |. 85C0 test eax,eax
0AC1FB6B |. 75 11 jnz short YK-0.0AC1FB7E //加密狗破解关键点三,如果读取到的数量不正确,程序会直接退出,不会有任何错误提示
0AC1FB6D |. 8BF4 mov esi,esp
0AC1FB6F |. 6A 00 push 0x0 ; /ExitCode = 0
0AC1FB71 |. FF15 605C5200 call dword ptr ds:[<&USER32.PostQuitMess>; \PostQuitMessage
0AC1FB77 |. 3BF4 cmp esi,esp
0AC1FB79 |. E8 EC420800 call <jmp.&MSVCRTD._chkesp>
0AC1FB7E |> 833D D8175200>cmp dword ptr ds:[0x5217D8],0x0
0AC1FB85 |. 75 25 jnz short YK-0.0AC1FBAC
0AC1FB87 |. 833D DC175200>cmp dword ptr ds:[0x5217DC],0x0
0AC1FB8E |. 74 1C je short YK-0.0AC1FBAC
0AC1FB90 |. 8B15 64185200 mov edx,dword ptr ds:[0x521864]
0AC1FB96 |. 83C2 01 add edx,0x1
继续查找:
0B5556A0 |. 894D FC mov [local.1],ecx
0B5556A3 |. B9 C81B5200 mov ecx,YK-0.00521BC8
0B5556A8 |. E8 28C1F8FF call YK-0.004017D5 //再一次读取加密狗数据
0B5556AD |. 85C0 test eax,eax
0B5556AF |. 75 24 jnz short YK-0.0B5556D5 //加密狗破解关键点四,不跳则挂
0B5556B1 |. 8BF4 mov esi,esp
0B5556B3 |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0B5556B5 |. 68 20B95000 push YK-0.0050B920 ; |Title = “出错”
0B5556BA |. 68 5C075100 push YK-0.0051075C ; |Text = “找不到加密狗,请检测!”
0B5556BF |. 6A 00 push 0x0 ; |hOwner = NULL
0B5556C1 |. FF15 B05B5200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
0B5556C7 |. 3BF4 cmp esi,esp
0B5556C9 |. E8 9CE70200 call <jmp.&MSVCRTD._chkesp>
经过数次的修改代码与检测,软件终于可以正常使用了,加密狗破解成功!
