OD + IDA 6.1 cracking HideWizard v9.29 (无忧隐藏)

Reposted on 生活随笔 (编程问答), 2024/4/11.
標(biāo) 題: ?【原創(chuàng)】OD+IDA6.1破解HideWizardv9.29(無(wú)憂隱藏)
作 者:?hsluoyz
時(shí) 間:?2012-04-22,22:01:19
鏈 接:?http://bbs.pediy.com/showthread.php?t=149743

I've done a bit of cracking before, but only on soft targets. A few days ago I had a need to hide a trojan, including its process, window and files on disk, and nothing but HideWizard would do. HideWizard 6.4 has a cracked version, but its features aren't enough, so I had to go after the latest version, HideWizard 9.29. It turned out fairly troublesome; maybe my skills are just weak. Enough chatter, on to the main part.


0) First, an overview of the program. It has three checks in total; some can be observed up front, others were discovered during the cracking:
1. A preliminary client-side check of the registration code. If the input is wrong there is no prompt at all; otherwise it proceeds to step 2, server activation;
2. Communication with the server; the returned result is displayed in a static control;
3. An EXE integrity check using imagehlp; if the binary has been modified, the program exits automatically.
Details follow.



1) First, a packer check with PEiD, which found nothing. In fact, even at the end I still don't know what packer it is, and I've never learned unpacking (embarrassing); if any expert knows, please tell me. Opening the EXE in IDA 6.1 shows it is an MFC program.

2) After loading the program in OD, the built-in 7E42xxxx breakpoints must be cleared, otherwise the system appears to hang; mashing F9 for a minute may bring it back, and if not, the only option is a reboot. Once loaded, switching window focus is also jerky; I don't know whether that is deliberate, but avoid switching focus while debugging. How bad the stalling is seems to depend on the system and the OD build; the exact relationship is unclear, so it's best to find a build that clears the debug flag automatically. I went through several ODs before finding a comfortable one: Pza74.exe from ODbyDYK v1.10, which clears the debug flag automatically and highlights call and jmp instructions. Its drawback is that it has fewer plugins than OllyICE, but OllyICE has no highlighting, which is painful to read.



3)正式進(jìn)入調(diào)試步驟,首先需要在激活按鈕處下斷,因?yàn)闆](méi)有任何提示,只好在CCmdTarget::OnCmdMsg處下斷,在IDA記下地址在OD直接bp。OnCmdMsg第四個(gè)參數(shù)即為消息響應(yīng)函數(shù)。函數(shù)如下,程序在0042AB9B處檢查注冊(cè)碼位數(shù),只要讓輸入的注冊(cè)碼為17位就不會(huì)跳到函數(shù)末尾,在末尾處可以看出SendMessageA是進(jìn)入下一步的關(guān)鍵,因此中間的算法就不用看了,直接找跳轉(zhuǎn),把該nop的nop掉。

Code:
0042AB5F  /.  55              push ebp
0042AB60  |.  8BEC            mov ebp,esp
0042AB62  |.  83EC 14         sub esp,14
0042AB65  |.  56              push esi
0042AB66  |.  8BF1            mov esi,ecx
0042AB68  |.  8975 EC         mov dword ptr ss:[ebp-14],esi
0042AB6B  |.  FF15 C4D14600   call dword ptr ds:[<&KERNEL32.GetTickCount>]   ; [GetTickCount
0042AB71  |.  8BC8            mov ecx,eax
0042AB73  |.  2B0D A4F44800   sub ecx,dword ptr ds:[48F4A4]
0042AB79  |.  81F9 2C010000   cmp ecx,12C                     ; less than 0x12C (300) ms since the last click: ignore
0042AB7F  |.  0F82 40010000   jb HideWiza.0042ACC5
0042AB85  |.  6A 01           push 1
0042AB87  |.  8BCE            mov ecx,esi
0042AB89  |.  A3 A4F44800     mov dword ptr ds:[48F4A4],eax
0042AB8E  |.  E8 B0530000     call HideWiza.0042FF43
0042AB93  |.  81C6 10040000   add esi,410                     ; CString member at this+410
0042AB99  |.  8B06            mov eax,dword ptr ds:[esi]
0042AB9B  |.  8378 F4 11      cmp dword ptr ds:[eax-C],11     ; CString length (CStringData::nDataLength) == 0x11 = 17?
0042AB9F  |.  8BCE            mov ecx,esi
0042ABA1  |.  0F85 14010000   jnz HideWiza.0042ACBB           ; wrong length jumps to 0042ACBB and on to the end at 0042ACC5; must not jump, nop it
...
0042AC9B  |. /75 1C           jnz short HideWiza.0042ACB9     ; must not jump, nop it
0042AC9D  |. |394D F0         cmp dword ptr ss:[ebp-10],ecx
0042ACA0  |. |75 17           jnz short HideWiza.0042ACB9     ; must not jump, nop it
0042ACA2  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0042ACA5  |. |6A 0A           push 0A                         ; /lParam = A
0042ACA7  |. |6A 01           push 1                          ; |wParam = 1
0042ACA9  |. |68 CA040000     push 4CA                        ; |Message = MSG(4CA)
0042ACAE  |. |FF70 20         push dword ptr ds:[eax+20]      ; |hWnd
0042ACB1  |. |FF15 84D54600   call dword ptr ds:[<&USER32.SendMessageA>]   ; \SendMessageA
0042ACB7  |. |EB 0C           jmp short HideWiza.0042ACC5
0042ACB9  |> \8BCE            mov ecx,esi
0042ACBB  |>  68 F2DC4600     push HideWiza.0046DCF2
0042ACC0  |.  E8 1B7BFDFF     call HideWiza.004027E0
0042ACC5  |>  5E              pop esi
0042ACC6  |.  C9              leave
0042ACC7  \.  C3              retn

4) After modifying the exe with UE, the program exited automatically, so I guessed some kind of integrity check. At that point the program has not shown a window yet, so I judged it to be in the CXXDlg constructor, OnInitDialog or similar. I traced from the entry point directly. There is a shortcut here: load the unmodified and the modified copies in OD at the same time, debug them side by side and compare where they diverge; if some call pops up the window or exits outright, reload and step into that call. I eventually found the code below: the culprit is imagehlp.MapFileAndCheckSumA. I looked up imagehlp, and it is indeed a binary checksum facility. At 0041E36E you can see that of [ebp-2C] and [ebp-28], one is the value generated at compile time and the other is computed on the fly. The jnz that follows checks whether they match. The OpenMutexA and so on afterwards are presumably there to guarantee a single instance, which is later program logic, so nopping the jnz is enough.

Code:
0041E349   .  E9 AD030000     jmp HideWiza.0041E6FB
0041E34E   >  8D45 D8         lea eax,dword ptr ss:[ebp-28]
0041E351   .  50              push eax                          ; &CheckSum (computed)
0041E352   .  8D45 D4         lea eax,dword ptr ss:[ebp-2C]
0041E355   .  33FF            xor edi,edi
0041E357   .  50              push eax                          ; &HeaderSum (from the PE header)
0041E358   .  47              inc edi
0041E359   .  68 40EA4800     push HideWiza.0048EA40            ; file name
0041E35E   .  897D D4         mov dword ptr ss:[ebp-2C],edi
0041E361   .  895D D8         mov dword ptr ss:[ebp-28],ebx
0041E364   .  FF15 FCD74600   call dword ptr ds:[<&imagehlp.Ma>  ; imagehlp.MapFileAndCheckSumA  / Checksum!!!
0041E36A   .  85C0            test eax,eax
0041E36C   .  75 0C           jnz short HideWiza.0041E37A       ; call failed: comparison is skipped
0041E36E   .  8B45 D4         mov eax,dword ptr ss:[ebp-2C]
0041E371   .  3B45 D8         cmp eax,dword ptr ss:[ebp-28]
0041E374   .  0F85 81030000   jnz HideWiza.0041E6FB             ; should not jump, so nop it
0041E37A   >  68 6C3E4700     push HideWiza.00473E6C            ; ASCII "SEAN_U_HIDE_WIZARD"
0041E37F   .  8D4D E0         lea ecx,dword ptr ss:[ebp-20]
0041E382   .  E8 604BFEFF     call HideWiza.00402EE7
0041E387   .  FF75 E0         push dword ptr ss:[ebp-20]        ; /MutexName
0041E38A   .  895D FC         mov dword ptr ss:[ebp-4],ebx      ; |
0041E38D   .  53              push ebx                          ; |Inheritable
0041E38E   .  57              push edi                          ; |Access
0041E38F   .  FF15 2CD44600   call dword ptr ds:[<&KERNEL32.Op>  ; \OpenMutexA
0041E395   .  8B7D DC         mov edi,dword ptr ss:[ebp-24]
0041E398   .  8987 A4000000   mov dword ptr ds:[edi+A4],eax
0041E39E   .  3BC3            cmp eax,ebx
0041E3A0   .  0F84 97000000   je HideWiza.0041E43D
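A worked example for the check in step 4, added by the editor; it is not part of hsluoyz's post and not HideWizard's code. MapFileAndCheckSumA(Filename, &HeaderSum, &CheckSum) returns the CheckSum field stored in the optional header and a fresh computation over the file, and the listing above exits only when the two disagree (note that it skips the comparison entirely when the call itself fails, because test eax,eax / jnz 0041E37A bypasses the cmp). Nopping the jnz at 0041E374 is one way through. The other is to leave that code alone and, after patching, rewrite the header field so HeaderSum equals CheckSum again. The script below implements the PE checksum algorithm (an end-around-carry sum of 16-bit words with the CheckSum field summed as zero, plus the file length), translates an OllyDbg virtual address into a file offset through the section table, and applies a patch with the fixup. It runs on a minimal PE32 image constructed inline: ImageBase 0x400000 and the instruction bytes placed at 0042AB9B are taken from the listings and the section layout is chosen so the addresses match the post, but the image is not HideWizard, and whether HideWizard checks the header in some other way as well is not shown in the post.

```python
import struct

IMAGE_BASE = 0x400000
TEXT_RVA = 0x2A000     # RVA chosen so VA 0042ABxx from the post falls inside .text
TEXT_RAW = 0x200       # file offset of the .text raw data
TEXT_SIZE = 0x1000


def _headers(img):
    """Return (e_lfanew, COFF header offset, optional header offset)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    coff = e_lfanew + 4
    return e_lfanew, coff, coff + 20


def checksum_field_offset(img):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (offset 0x40 in the optional header)."""
    return _headers(img)[2] + 64


def header_checksum(img):
    """HeaderSum: the CheckSum value stored in the file."""
    return struct.unpack_from("<I", img, checksum_field_offset(img))[0]


def pe_checksum(data):
    """CheckSum as MapFileAndCheckSum computes it: one's-complement style sum of
    16-bit little-endian words over the whole file (odd length padded with a zero
    byte), with the CheckSum field itself summed as zero, plus the file length."""
    skip = checksum_field_offset(data)
    padded = bytes(data) + (b"\x00" if len(data) & 1 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    total = ((total & 0xFFFF) + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def va_to_offset(img, va):
    """Translate a virtual address as OllyDbg shows it into a file offset by
    walking the section table."""
    _, coff, opt = _headers(img)
    nsec = struct.unpack_from("<H", img, coff + 2)[0]
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    rva = va - image_base
    sec = opt + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", img, sec + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("VA %#010x is not backed by any section" % va)


def patch(img, va, new_bytes, fix_checksum=True):
    """Overwrite bytes at a VA and, unless told otherwise, make HeaderSum match again."""
    out = bytearray(img)
    off = va_to_offset(out, va)
    out[off:off + len(new_bytes)] = new_bytes
    if fix_checksum:
        struct.pack_into("<I", out, checksum_field_offset(out), pe_checksum(out))
    return out


def build_sample_pe():
    """Constructed sample input (not HideWizard): a minimal PE32 with one .text
    section, carrying the bytes the post shows at 0042AB9B..0042ABA6."""
    e_lfanew = 0x40
    img = bytearray(TEXT_RAW + TEXT_SIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    coff = e_lfanew + 4
    # Machine i386, 1 section, no timestamp/symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, coff, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<I", img, opt + 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)                  # FileAlignment
    struct.pack_into("<I", img, opt + 56, TEXT_RVA + TEXT_SIZE)   # SizeOfImage
    struct.pack_into("<I", img, opt + 60, TEXT_RAW)               # SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", TEXT_SIZE, TEXT_RVA,
                     TEXT_SIZE, TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    # cmp dword ptr [eax-0C],11 / mov ecx,esi / jnz 0042ACBB (bytes from the post)
    code = bytes.fromhex("8378F411" "8BCE" "0F8514010000")
    off = va_to_offset(img, 0x0042AB9B)
    img[off:off + len(code)] = code
    struct.pack_into("<I", img, opt + 64, pe_checksum(img))      # valid HeaderSum
    return img


if __name__ == "__main__":
    img = build_sample_pe()
    print("original : header=%#x computed=%#x" % (header_checksum(img), pe_checksum(img)))
    broken = patch(img, 0x0042ABA1, b"\x90" * 6, fix_checksum=False)   # nop the jnz only
    print("patched  : header=%#x computed=%#x" % (header_checksum(broken), pe_checksum(broken)))
    fixed = patch(img, 0x0042ABA1, b"\x90" * 6)
    print("fixed up : header=%#x computed=%#x" % (header_checksum(fixed), pe_checksum(fixed)))
```

The 6-byte jnz at 0042ABA1 starts at an odd file offset in this layout, so the patch straddles 16-bit words; the checksum still changes because the word sum differs, and the fixup restores equality without touching the check at 0041E374. The same fixup applies to any later byte patch (0042AC9B, 0042ACA0, 0042B201 and so on): re-run it once after all patches are in.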

5) Finally the last step. Running the program and registering with an arbitrary code shows there is still a server-side check. In IDA I found that the program's network communication uses CHttpFile, which derives from CInternetFile. Decompiling with IDA 6.1's Hex-Rays: CInternetFile has four methods, Read, ReadString, Write and WriteString; we mainly care about reading. Note the addresses, set breakpoints in OD, and you find that the program calls CInternetFile::Read. Most people writing communication code wrap connect, send, receive and close themselves, so while at it, give names in IDA to the unnamed functions around the network code and combine with OD to find the callers; that makes things easier to follow.
Walking up from CInternetFile::Read in OD, a suspicious function appears; decompiled in IDA:

Code:
signed int __thiscall sub_42BFB4(void *this, int a2, int a3)
{
  int v3; // edi@1
  void *v4; // ebx@1
  int v6; // eax@3
  int v7; // eax@3
  int v8; // eax@3
  int v9; // edi@3
  const CHAR *v10; // ebx@5
  int v11; // esi@5
  int v12; // esi@7
  int v13; // eax@10
  int v14; // eax@10
  int v15; // eax@12
  int v16; // eax@12
  int v17; // eax@14
  int v18; // eax@14
  int v19; // eax@15
  int v20; // eax@15
  int v21; // eax@15
  int v22; // [sp+Ch] [bp-20h]@11
  const CHAR *v23; // [sp+10h] [bp-1Ch]@3
  char *v24; // [sp+14h] [bp-18h]@15
  int v25; // [sp+18h] [bp-14h]@3
  int v26; // [sp+1Ch] [bp-10h]@3
  int v27; // [sp+28h] [bp-4h]@1
  char v28; // [sp+2Ch] [bp+0h]@1
  char Src; // [sp+82Ch] [bp+800h]@15
  char v30; // [sp+82Dh] [bp+801h]@15
  unsigned int v31; // [sp+C2Ch] [bp+C00h]@1

  v31 = (unsigned int)&v28 ^ __security_cookie;
  v3 = a3;
  v4 = this;
  v27 = 0;
  if ( !WaitForSingleObject(hHandle, 0) )
    goto LABEL_2;
  unknown_libname_115(v3);
  v6 = sub_435E86(v26);
  unknown_libname_113(v6);
  v7 = sub_435E86(v26);
  unknown_libname_113(v7);
  LOBYTE(v27) = 2;
  sub_402793(&a2);
  sub_42BF09(&v25, &v23);
  LOBYTE(v27) = 3;
  v8 = (int)_LN34_4(v4, 0, 0, 0, 0);
  v9 = v8;
  if ( !v8 )
  {
    ATL::CStringData::Release(v23 - 16);
    ATL::CStringData::Release(v25 - 16);
LABEL_2:
    ATL::CStringData::Release(a2 - 16);
    return -20;
  }
  v10 = v23;
  v27 = 2;
  LOBYTE(v27) = 5;
  v11 = (int)sub_4415E2(v8, 0, v23, 0, 1u, 0, 0, 0x20000000u);
  if ( !v11 )
    goto LABEL_6;
  v27 = 2;
  LOBYTE(v27) = 7;
  if ( !CHttpFile::SendRequest(v11, 0, 0, 0, 0) )   // send the request
  {
    (*(void (__thiscall **)(int))(*(_DWORD *)v11 + 76))(v11);
    v13 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v13 + 4))(v11, 1);
    (*(void (__thiscall **)(int))(*(_DWORD *)v9 + 12))(v9);
    v14 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v14 + 4))(v9, 1);
LABEL_6:
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    v25 = -20;
LABEL_7:
    v12 = v25;
LABEL_8:
    ATL::CStringData::Release(a2 - 16);
    return v12;
  }
  v27 = 2;
  if ( !CHttpFile::QueryInfoStatusCode(&v22) )
  {
    (*(void (__thiscall **)(int))(*(_DWORD *)v11 + 76))(v11);
    v15 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v15 + 4))(v11, 1);
    (*(void (__thiscall **)(int))(*(_DWORD *)v9 + 12))(v9);
    v16 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v16 + 4))(v9, 1);
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    v25 = -21;
    goto LABEL_7;
  }
  if ( v22 != 200 )
  {
    (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v11 + 76))(v11);
    v17 = *(_DWORD *)v11;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v17 + 4))(v11, 1);
    (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v9 + 12))(v9);
    v18 = *(_DWORD *)v9;
    v25 = 1;
    (*(void (__thiscall **)(int, signed int))(v18 + 4))(v9, 1);
    v12 = v22;
    ATL::CStringData::Release(v10 - 16);
    ATL::CStringData::Release(v25 - 16);
    goto LABEL_8;
  }
  Src = 0;
  memset(&v30, 0, 0x3FFu);
  sub_4027E0(Caption);
  v19 = *(_DWORD *)v11;
  v25 = 1000;
  v24 = &Src;
  (*(void (__thiscall **)(int, char *, signed int))(v19 + 52))(v11, &Src, 1000);   // CInternetFile_Read at 00440915; called twice in total, calls CInternet::Read
  sub_4027E0(&Src);   // --> calls sub_402466; Src is the returned C string; at 0042C1F3 it writes 2 bytes of memory; nothing after this needs looking at
  (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v11 + 76))(v11);   // CInternetFile::Close
  v20 = *(_DWORD *)v11;
  v25 = 1;
  (*(void (__thiscall **)(int, signed int))(v20 + 4))(v11, 1);   // CHttpFile::_scalar_deleting_destructor_
  (*(void (__thiscall **)(_DWORD))(*(_DWORD *)v9 + 12))(v9);   // CInternetFile::Close
  v21 = *(_DWORD *)v9;
  v25 = 1;
  (*(void (__thiscall **)(int, signed int))(v21 + 4))(v9, 1);   // sub_440C6D, frees some strings
  ATL::CStringData::Release(v10 - 16);
  ATL::CStringData::Release(v25 - 16);
  ATL::CStringData::Release(a2 - 16);
  return 1;
}
6) The meat is in the last few lines. 00440915 internally calls CInternet::Read, and the whole function calls it twice. Capturing packets with ethereal shows the client sends two HTTP requests to www.seapsoft.com, and the server replies to both with the very simple string 1, which is stored in Src. sub_4027E0(&Src) processes it and writes 2 bytes of memory at a dynamically allocated location: the first byte is the length of Src, i.e. 1 (it seems a 1-byte status word would have been enough, and I don't know why the author designed it this way), and the second byte is the status word (memory alignment also suggests Src can only be 1 byte). By changing Src here and comparing against the program's prompts you can work out what the numbers mean: 2 means the serial already exists, 1 means the serial is invalid, and other values all seem to be network errors of one kind or another. It's a safe bet that the program will read Src, or a copy of it, later on.
7) The obvious approach is a memory access breakpoint on those 2 bytes. That led to a function called strtoxl, an internal C runtime function; walking up gives strtol and finally atol. But the address turned out to be read a dozen or so times, so I switched to another method. After the request returns, the program sets the static control's text, so I put an API breakpoint on SetWindowTextA. Walking back up from there, persistence paid off: the program's verification logic appeared:

Code:
0042B1F5   > \FF75 DC         push dword ptr ss:[ebp-24]
0042B1F8   .  E8 46620200     call HideWiza.00451443
0042B1FD   .  83F8 1E         cmp eax,1E
0042B200   .  59              pop ecx
0042B201   .  7D 77           jge short HideWiza.0042B27A     ; jump it
0042B203   .  83F8 02         cmp eax,2
0042B206   .  75 21           jnz short HideWiza.0042B229
0042B208   .  51              push ecx
0042B209   .  8BCC            mov ecx,esp
0042B20B   .  8965 F0         mov dword ptr ss:[ebp-10],esp
0042B20E   .  68 24534700     push HideWiza.00475324
0042B213   .  E8 CF7CFDFF     call HideWiza.00402EE7
0042B218   .  8D45 F0         lea eax,dword ptr ss:[ebp-10]
0042B21B   .  50              push eax
0042B21C   .  E8 EFEEFFFF     call HideWiza.0042A110
0042B221   .  59              pop ecx
0042B222   .  59              pop ecx
0042B223   .  C645 FC 0A      mov byte ptr ss:[ebp-4],0A
0042B227   .^ EB 9D           jmp short HideWiza.0042B1C6     ; jump back to death
0042B229   >  3BC7            cmp eax,edi
0042B22B   .  74 29           je short HideWiza.0042B256
0042B22D   .  83F8 14         cmp eax,14
0042B230   .  74 24           je short HideWiza.0042B256
0042B232   .  51              push ecx
0042B233   .  8BCC            mov ecx,esp
0042B235   .  8965 F0         mov dword ptr ss:[ebp-10],esp
0042B238   .  68 E4524700     push HideWiza.004752E4
0042B23D   .  E8 A57CFDFF     call HideWiza.00402EE7
0042B242   .  8D45 F0         lea eax,dword ptr ss:[ebp-10]
0042B245   .  50              push eax
0042B246   .  E8 C5EEFFFF     call HideWiza.0042A110
0042B24B   .  59              pop ecx
0042B24C   .  59              pop ecx
0042B24D   .  C645 FC 0C      mov byte ptr ss:[ebp-4],0C
0042B251   .^ E9 70FFFFFF     jmp HideWiza.0042B1C6           ; jump back to death
0042B256   >  51              push ecx
0042B257   .  8BCC            mov ecx,esp
0042B259   .  8965 F0         mov dword ptr ss:[ebp-10],esp
0042B25C   .  68 0C534700     push HideWiza.0047530C
0042B261   .  E8 817CFDFF     call HideWiza.00402EE7
0042B266   .  8D45 F0         lea eax,dword ptr ss:[ebp-10]
0042B269   .  50              push eax
0042B26A   .  E8 A1EEFFFF     call HideWiza.0042A110
0042B26F   .  59              pop ecx
0042B270   .  59              pop ecx
0042B271   .  C645 FC 0B      mov byte ptr ss:[ebp-4],0B
0042B275   .^ E9 4CFFFFFF     jmp HideWiza.0042B1C6           ; jump back to death
0042B27A   >  8B4D E4         mov ecx,dword ptr ss:[ebp-1C]
0042B27D   .  8BD1            mov edx,ecx
0042B27F   .  6BD2 0D         imul edx,edx,0D
0042B282   .  81EA 2E160000   sub edx,162E
0042B288   .  3BD0            cmp edx,eax
0042B28A   .  74 46           je short HideWiza.0042B2D2      ; jump it
0042B28C   .  51              push ecx
0042B28D   .  8BCC            mov ecx,esp
0042B28F   .  8965 F0         mov dword ptr ss:[ebp-10],esp
0042B292   .  68 E4524700     push HideWiza.004752E4
0042B297   .  E8 4B7CFDFF     call HideWiza.00402EE7
0042B29C   .  8D45 F0         lea eax,dword ptr ss:[ebp-10]
0042B29F   .  50              push eax
0042B2A0   .  E8 6BEEFFFF     call HideWiza.0042A110
0042B2A5   .  59              pop ecx
0042B2A6   .  59              pop ecx
0042B2A7   .  FF30            push dword ptr ds:[eax]         ; /Arg1
0042B2A9   .  8B4D E0         mov ecx,dword ptr ss:[ebp-20]   ; |
0042B2AC   .  C645 FC 0D      mov byte ptr ss:[ebp-4],0D      ; |
0042B2B0   .  E8 2A1F0000     call HideWiza.0042D1DF          ; \HideWiza.0042D1DF
0042B2B5   .  8B4D F0         mov ecx,dword ptr ss:[ebp-10]
0042B2B8   .  83C1 F0         add ecx,-10
0042B2BB   .  C645 FC 07      mov byte ptr ss:[ebp-4],7
0042B2BF   .  E8 DF5DFDFF     call HideWiza.004010A3
0042B2C4   .  8B4D EC         mov ecx,dword ptr ss:[ebp-14]
0042B2C7   .  57              push edi                        ; /Arg1
0042B2C8   .  E8 F61F0000     call HideWiza.0042D2C3          ; \HideWiza.0042D2C3
0042B2CD   .  E9 B8020000     jmp HideWiza.0042B58A
0042B2D2   >  6BC9 0B         imul ecx,ecx,0B
0042B2D5   .  81F1 07060000   xor ecx,607
0042B2DB   .  8BC1            mov eax,ecx
0042B2DD   .  894D EC         mov dword ptr ss:[ebp-14],ecx
0042B2E0   .  B9 10270000     mov ecx,2710
0042B2E5   .  3BC1            cmp eax,ecx
0042B2E7   .  7D 0A           jge short HideWiza.0042B2F3     ; taken on its own
0042B2E9   >  6BC0 0A         imul eax,eax,0A
0042B2EC   .  3BC1            cmp eax,ecx
0042B2EE   .^ 7C F9           jl short HideWiza.0042B2E9
0042B2F0   .  8945 EC         mov dword ptr ss:[ebp-14],eax
0042B2F3   >  3D A0860100     cmp eax,186A0
0042B2F8   .  7C 15           jl short HideWiza.0042B30F      ; taken on its own
0042B2FA   .  EB 03           jmp short HideWiza.0042B2FF
0042B2FC   >  8B45 EC         mov eax,dword ptr ss:[ebp-14]
0042B2FF   >  6A 0A           push 0A
0042B301   .  99              cdq
0042B302   .  59              pop ecx
0042B303   .  F7F9            idiv ecx
0042B305   .  3D A0860100     cmp eax,186A0
0042B30A   .  8945 EC         mov dword ptr ss:[ebp-14],eax
0042B30D   .^ 7D ED           jge short HideWiza.0042B2FC
0042B30F   >  893D 40F04800   mov dword ptr ds:[48F040],edi
0042B315   .  E8 6CAB0000     call HideWiza.00435E86
0042B31A   .  50              push eax
0042B31B   .  8D4D E4         lea ecx,dword ptr ss:[ebp-1C]
0042B31E   .  E8 816DFDFF     call HideWiza.004020A4
0042B323   .  FF75 EC         push dword ptr ss:[ebp-14]
0042B326   .  8D45 E4         lea eax,dword ptr ss:[ebp-1C]
0042B329   .  68 F0EF4600     push HideWiza.0046EFF0          ; ASCII "%d"

8) 0042D21B is CWnd::SetWindowText; it calls SetWindowTextA to display the "serial invalid" string.
The caller of 0042D21B is 0042B1CB. Looking for jumps that lead to 0042B1CB, there are three, all below it, at 227, 251 and 275. Analyzing this stretch of code, eax is tested several times and eax = 1, so it can be tentatively identified as the status word returned by the server. 0042B201 checks whether eax is not less than 1E; if it is less than 1E, it checks whether it is 2; if it is 2, we reach 227 and it's over; if not 2, it checks whether it is 14; if not, 251 and it's over; if so, 275 and it's over. In short every path is a dead end, so the only option is to jmp at the earlier 0042B201. Next, at 0042B28A there is a je; an equality test is usually the verification itself, so equal must be the good outcome, and I jmp'd it without looking further. After that nothing else needed changing and the program was cracked. For the record, two jumps in between were taken without any modification, 0042B2E7 and 0042B2F8; to be safe they can be jmp'd too.
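A readable model of the branch logic in the step 7 listing (0042B1F5 to 0042B30F), added by the editor; it is a reconstruction from the disassembly above, not code from the post or from HideWizard. status stands for the value call 00451443 returns for the reply string (the post traces the reads to atol, so an integer is assumed); seed stands for whatever [ebp-1C] holds, whose origin the listing does not show; edi is compared at 0042B229 but its value is not visible, so it is a parameter with an assumed default of 0. Two details are easy to miss in the assembly and are reproduced here: the comparisons (jge, jl) are signed 32-bit, imul wraps and cdq/idiv truncates toward zero; and the scaling loop at 0042B2E9 only exits once eax reaches 10000 as a signed value, so an eax of 0 (or a negative value that wraps to 0) never exits, which the model reports as an exception rather than hanging. patched=True models the two jumps the post forces, jge at 0042B201 and je at 0042B28A.

```python
MSG_SERIAL_EXISTS = 0x00475324   # string pushed at 0042B20E
MSG_OTHER_A = 0x0047530C         # string pushed at 0042B25C
MSG_OTHER_B = 0x004752E4         # string pushed at 0042B238 and 0042B292


def i32(x):
    """Reinterpret an integer as a signed 32-bit value (what cmp/jge/jl see)."""
    return ((x & 0xFFFFFFFF) ^ 0x80000000) - 0x80000000


def idiv_by_10(x):
    """cdq / idiv ecx with ecx = 10: signed division truncating toward zero."""
    q = abs(x) // 10
    return -q if x < 0 else q


def scale_to_five_digits(v, max_iterations=64):
    """0042B2E0..0042B30D: bring [ebp-14] into [10000, 100000) by repeated
    imul eax,eax,0A (wrapping at 32 bits) or idiv by 10."""
    v = i32(v)
    steps = 0
    while v < 10000:                       # jl 0042B2E9 loop (signed compare)
        v = i32(v * 10)
        steps += 1
        if steps > max_iterations:         # eax == 0 would spin here forever in the binary
            raise RuntimeError("scaling loop does not terminate for %d" % v)
    while v >= 100000:                     # jge 0042B2FC loop
        v = idiv_by_10(v)
    return v


def handle_activation_reply(status, seed, edi=0, patched=False):
    """Outcome of the dispatch starting at 0042B1F5.  Returns ("fail", message
    address) for the three dead-end paths, or ("ok", value) for the path that
    reaches the "%d" format at 0042B329."""
    status = i32(status)
    seed = i32(seed)
    if not patched and status < 0x1E:      # jge 0042B27A not taken
        if status == 2:
            return ("fail", MSG_SERIAL_EXISTS)      # 0042B208, back to 0042B1C6
        if status == edi or status == 0x14:
            return ("fail", MSG_OTHER_A)            # 0042B256, back to 0042B1C6
        return ("fail", MSG_OTHER_B)                # 0042B232, back to 0042B1C6
    expected = i32(seed * 0xD - 0x162E)    # imul edx,edx,0D ; sub edx,162E
    if not patched and expected != status: # je 0042B2D2 not taken
        return ("fail", MSG_OTHER_B)                # 0042B28C, then jmp 0042B58A
    value = i32((seed * 0xB) ^ 0x607)      # imul ecx,ecx,0B ; xor ecx,607
    return ("ok", scale_to_five_digits(value))


def expected_reply(seed):
    """The only server value the unpatched check accepts for a given seed."""
    return i32(seed * 0xD - 0x162E)


if __name__ == "__main__":
    print(handle_activation_reply(1, 1000))                      # what the post saw: a dead end
    print(handle_activation_reply(expected_reply(1000), 1000))   # the reply the check wants
    print(handle_activation_reply(1, 1000, patched=True))        # with the two jumps forced
```

expected_reply shows what the unpatched binary actually verifies: the server's integer must equal 13 * [ebp-1C] - 0x162E, so for a known seed the accepting reply can be computed client-side, which is why forcing the je at 0042B28A is equivalent to supplying it. The post says the real server answered 1, which lands in the dead-end branches for any edi other than 1.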

Postscript:
I registered on pediy long ago, but only recently, since my lab started doing security work, have I hung around pediy regularly. A couple of days ago I noticed that I had only ever asked questions and had run out of points; you only appreciate points once they're gone. So while I still have something to show, I decided to write up a crack to earn some. My level is limited and this is my first cracking tutorial, so it isn't well written; please go easy on me.

Finally, the original program plus the crack patch:
http://115.com/file/c2a07wc1#
《窗口、文件、進程隱藏工具——無憂隱藏》(HideWizard_v9.29) latest version with crack patch.rar
* Please credit the Pediy forum (看雪論壇 @PEdiy.com) when reposting.
