OD+IDA6.1破解HideWizardv9.29(无忧隐藏)
生活随笔
收集整理的這篇文章主要介紹了
OD+IDA6.1破解HideWizardv9.29(无忧隐藏)
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
標 題:
?【原創】OD+IDA6.1破解HideWizardv9.29(無憂隱藏)
作 者:?hsluoyz
時 間:?2012-04-22,22:01:19
鏈 接:?http://bbs.pediy.com/showthread.php?t=149743
偶以前搞過一些破解,但都是一些軟柿子,前幾天有隱藏木馬這么個需求,包括進程、窗口、硬盤文件等,非要用HideWIzard出手不可。HideWIzard6.4有破解版但功能不夠,只好拿HideWIzard最新版9.29開刀了。感覺還是挺麻煩的,也許是我水平很菜把,廢話不說進入正題
0)先對程序的情況說明一下,程序總共有三處驗證,有些可以觀察到,有些是破解過程中發現
1.對注冊碼在客戶端進行初步判斷,輸入不正確的話什么提示都沒有,否則進入第二步服務器激活驗證;
2.與服務器通信,在static控件顯示返回結果;
3.使用imagehlp進行EXE校驗,如果發現二進制被修改則自動退出
下面詳細闡述哈
1)首先是PEiD查殼,啥也沒發現,事實上到最后我也不知道是什么殼,也沒學過脫殼,汗一個,哪位大大知道不妨告知哈。IDA6.1打開EXE,可以判斷是MFC程序
2)OD加載程序后,自帶的7E42xxxx斷點一定要清除,否則會導致系統假死,狂按F9過一分鐘能緩回來,緩不回來只好重啟了。加載成功后窗口切換焦點時也是一頓一頓的,不知是不是有意為之,調試過程中盡量不要切換焦點。頓的程度好像與系統和OD也有關系,具體作用關系不明,最好找個能自動清除debug標志位的。OD換了好幾個才碰上個順手的,我用的ODbyDYK?v1.10里的Pza74.exe,能自動清除debug標志位,對call?jmp等指令能高亮顯示,Pza74缺點是插件不如OllyICE多,但OllyICE沒高亮,看的很頭疼。
3)正式進入調試步驟,首先需要在激活按鈕處下斷,因為沒有任何提示,只好在CCmdTarget::OnCmdMsg處下斷,在IDA記下地址在OD直接bp。OnCmdMsg第四個參數即為消息響應函數。函數如下,程序在0042AB9B處檢查注冊碼位數,只要讓輸入的注冊碼為17位就不會跳到函數末尾,在末尾處可以看出SendMessageA是進入下一步的關鍵,因此中間的算法就不用看了,直接找跳轉,把該nop的nop掉。
代碼: 0042AB5F???/.??55?????????????push?ebp 0042AB60???|.??8BEC???????????mov?ebp,esp 0042AB62???|.??83EC?14????????sub?esp,14 0042AB65???|.??56?????????????push?esi 0042AB66???|.??8BF1???????????mov?esi,ecx 0042AB68???|.??8975?EC????????mov?dword?ptr?ss:[ebp-14],esi 0042AB6B???|.??FF15?C4D14600??call?dword?ptr?ds:[<&KERNEL32.GetTickCount>]?????;?[GetTickCount 0042AB71???|.??8BC8???????????mov?ecx,eax 0042AB73???|.??2B0D?A4F44800??sub?ecx,dword?ptr?ds:[48F4A4] 0042AB79???|.??81F9?2C010000??cmp?ecx,12C 0042AB7F???|.??0F82?40010000??jb?HideWiza.0042ACC5 0042AB85???|.??6A?01??????????push?1 0042AB87???|.??8BCE???????????mov?ecx,esi 0042AB89???|.??A3?A4F44800????mov?dword?ptr?ds:[48F4A4],eax 0042AB8E???|.??E8?B0530000????call?HideWiza.0042FF43 0042AB93???|.??81C6?10040000??add?esi,410 0042AB99???|.??8B06???????????mov?eax,dword?ptr?ds:[esi] 0042AB9B???|.??8378?F4?11?????cmp?dword?ptr?ds:[eax-C],11? 0042AB9F???|.??8BCE???????????mov?ecx,esi 0042ABA1???|.??0F85?14010000??jnz?HideWiza.0042ACBB?不成立則跳到0042ACC5處,不能跳,需要nop掉 ... 0042AC9B???|.?/75?1C??????????jnz?short?HideWiza.0042ACB9?/不能跳,需要nop掉 0042AC9D???|.?|394D?F0????????cmp?dword?ptr?ss:[ebp-10],ecx 0042ACA0???|.?|75?17??????????jnz?short?HideWiza.0042ACB9?/不能跳,需要nop掉 0042ACA2???|.?|8B45?EC????????mov?eax,dword?ptr?ss:[ebp-14] 0042ACA5???|.?|6A?0A??????????push?0A??????????????????????????????????????????;?/lParam?=?A 0042ACA7???|.?|6A?01??????????push?1???????????????????????????????????????????;?|wParam?=?1 0042ACA9???|.?|68?CA040000????push?4CA?????????????????????????????????????????;?|Message?=?MSG(4CA) 0042ACAE???|.?|FF70?20????????push?dword?ptr?ds:[eax+20]???????????????????????;?|hWnd 0042ACB1???|.?|FF15?84D54600??call?dword?ptr?ds:[<&USER32.SendMessageA>]???????;?\SendMessageA 0042ACB7???|.?|EB?0C??????????jmp?short?HideWiza.0042ACC5 0042ACB9???|>?\8BCE???????????mov?ecx,esi 0042ACBB???|>??68?F2DC4600????push?HideWiza.0046DCF2 0042ACC0???|.??E8?1B7BFDFF????call?HideWiza.004027E0 0042ACC5???|>??5E?????????????pop?esi 0042ACC6???|.??C9?????????????leave 0042ACC7???\.??C3?????????????retn 4)用ue把exe改掉后發現程序自動退出,猜測是某種校驗,這時程序不會彈出窗口,判斷是在CXXDlg構造函數或OnInitialDialog等處。直接在入口處跟進,這里有個取巧的辦法,直接od同時加載未修改和已修改的一起debug,比較哪里不一樣,如果過程中哪個call直接把窗口彈出來或是退出,就需要重新加載跟進這個call。最后發現下面的代碼,終于找到了,就是imagehlp.MapFileAndCheckSumA這個東西做的怪。查了一下imagehlp,的確是進行二進制校驗的一個東東。0041E36E處可以看出[ebp-2C]與[ebp-28]一個是編譯時生成的,一個是現算的。后面jnz判斷是否一致,后面的OpenMutexA啥的應該是保證程序單例,是程序后面的邏輯,因此把jnz?nop掉即可。
代碼: 0041E349????.??E9?AD030000????jmp?HideWiza.0041E6FB 0041E34E????>??8D45?D8????????lea?eax,dword?ptr?ss:[ebp-28] 0041E351????.??50?????????????push?eax 0041E352????.??8D45?D4????????lea?eax,dword?ptr?ss:[ebp-2C] 0041E355????.??33FF???????????xor?edi,edi 0041E357????.??50?????????????push?eax 0041E358????.??47?????????????inc?edi 0041E359????.??68?40EA4800????push?HideWiza.0048EA40 0041E35E????.??897D?D4????????mov?dword?ptr?ss:[ebp-2C],edi 0041E361????.??895D?D8????????mov?dword?ptr?ss:[ebp-28],ebx 0041E364????.??FF15?FCD74600??call?dword?ptr?ds:[<&imagehlp.Ma>;??imagehlp.MapFileAndCheckSumA?/Checksum!!! 0041E36A????.??85C0???????????test?eax,eax 0041E36C????.??75?0C??????????jnz?short?HideWiza.0041E37A 0041E36E????.??8B45?D4????????mov?eax,dword?ptr?ss:[ebp-2C] 0041E371????.??3B45?D8????????cmp?eax,dword?ptr?ss:[ebp-28] 0041E374????.??0F85?81030000??jnz?HideWiza.0041E6FB?should?not?jmp,?so?nop?it 0041E37A????>??68?6C3E4700????push?HideWiza.00473E6C???????????;??ASCII?"SEAN_U_HIDE_WIZARD" 0041E37F????.??8D4D?E0????????lea?ecx,dword?ptr?ss:[ebp-20] 0041E382????.??E8?604BFEFF????call?HideWiza.00402EE7 0041E387????.??FF75?E0????????push?dword?ptr?ss:[ebp-20]???????;?/MutexName 0041E38A????.??895D?FC????????mov?dword?ptr?ss:[ebp-4],ebx?????;?| 0041E38D????.??53?????????????push?ebx?????????????????????????;?|Inheritable 0041E38E????.??57?????????????push?edi?????????????????????????;?|Access 0041E38F????.??FF15?2CD44600??call?dword?ptr?ds:[<&KERNEL32.Op>;?\OpenMutexA 0041E395????.??8B7D?DC????????mov?edi,dword?ptr?ss:[ebp-24] 0041E398????.??8987?A4000000??mov?dword?ptr?ds:[edi+A4],eax 0041E39E????.??3BC3???????????cmp?eax,ebx 0041E3A0????.??0F84?97000000??je?HideWiza.0041E43D
5)終于到最后一步,這時運行程序隨便輸入注冊碼注冊,發現還有服務器驗證,IDA里發現程序網絡通信用的是CHttpFile,繼承于CInternetFile,結合IDA6.1的hex?rays進行反編譯,CInternetFile有四個方法,Read?ReadString?Write?WriteString,我們主要關心的是讀取,記下地址在OD里下斷,發現程序調用的是CInternetFile::Read函數。一般人寫通信程序都會把建立連接、發送、接受、關閉連接自己封裝一下,因此可以順便在IDA里把周圍的關于網絡通信的函數沒名字的都命名一下,找調用者就結合OD,這么比較方便查看。
用OD在CInternetFile::Read往上導,發現一個可疑函數,IDA反編譯一下:
代碼: signed?int?__thiscall?sub_42BFB4(void?*this,?int?a2,?int?a3) {int?v3;?//?edi@1void?*v4;?//?ebx@1int?v6;?//?eax@3int?v7;?//?eax@3int?v8;?//?eax@3int?v9;?//?edi@3const?CHAR?*v10;?//?ebx@5int?v11;?//?esi@5int?v12;?//?esi@7int?v13;?//?eax@10int?v14;?//?eax@10int?v15;?//?eax@12int?v16;?//?eax@12int?v17;?//?eax@14int?v18;?//?eax@14int?v19;?//?eax@15int?v20;?//?eax@15int?v21;?//?eax@15int?v22;?//?[sp+Ch]?[bp-20h]@11const?CHAR?*v23;?//?[sp+10h]?[bp-1Ch]@3char?*v24;?//?[sp+14h]?[bp-18h]@15int?v25;?//?[sp+18h]?[bp-14h]@3int?v26;?//?[sp+1Ch]?[bp-10h]@3int?v27;?//?[sp+28h]?[bp-4h]@1char?v28;?//?[sp+2Ch]?[bp+0h]@1char?Src;?//?[sp+82Ch]?[bp+800h]@15char?v30;?//?[sp+82Dh]?[bp+801h]@15unsigned?int?v31;?//?[sp+C2Ch]?[bp+C00h]@1v31?=?(unsigned?int)&v28?^?__security_cookie;v3?=?a3;v4?=?this;v27?=?0;if?(?!WaitForSingleObject(hHandle,?0)?)goto?LABEL_2;unknown_libname_115(v3);v6?=?sub_435E86(v26);unknown_libname_113(v6);v7?=?sub_435E86(v26);unknown_libname_113(v7);LOBYTE(v27)?=?2;sub_402793(&a2);sub_42BF09(&v25,?&v23);LOBYTE(v27)?=?3;v8?=?(int)_LN34_4(v4,?0,?0,?0,?0);v9?=?v8;if?(?!v8?){ATL::CStringData::Release(v23?-?16);ATL::CStringData::Release(v25?-?16); LABEL_2:ATL::CStringData::Release(a2?-?16);return?-20;}v10?=?v23;v27?=?2;LOBYTE(v27)?=?5;v11?=?(int)sub_4415E2(v8,?0,?v23,?0,?1u,?0,?0,?0x20000000u);if?(?!v11?)goto?LABEL_6;v27?=?2;LOBYTE(v27)?=?7;if?(?!CHttpFile::SendRequest(v11,?0,?0,?0,?0)?)?///發送消息{(*(void?(__thiscall?**)(int))(*(_DWORD?*)v11?+?76))(v11);v13?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v13?+?4))(v11,?1);(*(void?(__thiscall?**)(int))(*(_DWORD?*)v9?+?12))(v9);v14?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v14?+?4))(v9,?1); LABEL_6:ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);v25?=?-20; LABEL_7:v12?=?v25; LABEL_8:ATL::CStringData::Release(a2?-?16);return?v12;}v27?=?2;if?(?!CHttpFile::QueryInfoStatusCode(&v22)?){(*(void?(__thiscall?**)(int))(*(_DWORD?*)v11?+?76))(v11);v15?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v15?+?4))(v11,?1);(*(void?(__thiscall?**)(int))(*(_DWORD?*)v9?+?12))(v9);v16?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v16?+?4))(v9,?1);ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);v25?=?-21;goto?LABEL_7;}if?(?v22?!=?200?){(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v11?+?76))(v11);v17?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v17?+?4))(v11,?1);(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v9?+?12))(v9);v18?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v18?+?4))(v9,?1);v12?=?v22;ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);goto?LABEL_8;}Src?=?0;memset(&v30,?0,?0x3FFu);sub_4027E0(Caption);v19?=?*(_DWORD?*)v11;v25?=?1000;v24?=?&Src;(*(void?(__thiscall?**)(int,?char?*,?signed?int))(v19?+?52))(v11,?&Src,?1000);?CInternetFile_Read?此處地址00440915?一共兩次read,調用CInternet::Readsub_4027E0(&Src);?/?-->調用sub_402466?Src返回的c字符串?此處地址為0042C1F3?寫了2個byte的內存,后面都不用看了(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v11?+?76))(v11);?CInternetFile::Closev20?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v20?+?4))(v11,?1);?CHttpFile::_scalar_deleting_destructor_(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v9?+?12))(v9);?CInternetFile::Closev21?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v21?+?4))(v9,?1);?sub_440C6D一些字符串釋放ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);ATL::CStringData::Release(a2?-?16);return?1; } 6)可以發現干貨就在最后幾行,00440915內部調用CInternet::Read,整個函數一共調用了兩次,用ethereal截報文發現客戶端向www.seapsoft.com發送兩個HTTP請求,服務器回的都是很簡單的字符串1,存在Src里,sub_4027E0(&Src)處理一下,寫了兩個2Bytes的內存,位置是動態分配的,第一個字節是Src的長度,也就是1,(似乎Src作為狀態字長度1個Byte也就夠了,不知作者為何要做此設計),第二個字節就是狀態字(從內存對齊上也可看出Src只能是1個Byte)。自己在這里修改一下Src對照程序的提示可以發現數字的含義:2是序列號已存在,1是序列號無效,其它值似乎都是網絡故障云云。可以大膽猜測程序以后肯定會讀取Src或者其復制版本。
7)明顯的思路是在2Bytes的內存處下內存訪問斷點,發現到了strtoxl這么個函數,是C的一個內部使用的函數,往上導,到strtol,最后到atol,后來發現這個地址被讀了十幾次,于是干脆換了另一個方法。程序在請求返回后會設置static字符串,于是在SetWindowTextA處下API斷點。往上倒騰,功夫不負有心人,發現了程序的驗證邏輯:
代碼: 0042B1F5????>?\FF75?DC????????push?dword?ptr?ss:[ebp-24] 0042B1F8????.??E8?46620200????call?HideWiza.00451443 0042B1FD????.??83F8?1E????????cmp?eax,1E 0042B200????.??59?????????????pop?ecx 0042B201????.??7D?77??????????jge?short?HideWiza.0042B27A?//jump?it 0042B203????.??83F8?02????????cmp?eax,2 0042B206????.??75?21??????????jnz?short?HideWiza.0042B229 0042B208????.??51?????????????push?ecx 0042B209????.??8BCC???????????mov?ecx,esp 0042B20B????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B20E????.??68?24534700????push?HideWiza.00475324 0042B213????.??E8?CF7CFDFF????call?HideWiza.00402EE7 0042B218????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B21B????.??50?????????????push?eax 0042B21C????.??E8?EFEEFFFF????call?HideWiza.0042A110 0042B221????.??59?????????????pop?ecx 0042B222????.??59?????????????pop?ecx 0042B223????.??C645?FC?0A?????mov?byte?ptr?ss:[ebp-4],0A 0042B227????.^?EB?9D??????????jmp?short?HideWiza.0042B1C6?jump?back?to?death 0042B229????>??3BC7???????????cmp?eax,edi 0042B22B????.??74?29??????????je?short?HideWiza.0042B256 0042B22D????.??83F8?14????????cmp?eax,14 0042B230????.??74?24??????????je?short?HideWiza.0042B256 0042B232????.??51?????????????push?ecx 0042B233????.??8BCC???????????mov?ecx,esp 0042B235????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B238????.??68?E4524700????push?HideWiza.004752E4 0042B23D????.??E8?A57CFDFF????call?HideWiza.00402EE7 0042B242????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B245????.??50?????????????push?eax 0042B246????.??E8?C5EEFFFF????call?HideWiza.0042A110 0042B24B????.??59?????????????pop?ecx 0042B24C????.??59?????????????pop?ecx 0042B24D????.??C645?FC?0C?????mov?byte?ptr?ss:[ebp-4],0C 0042B251????.^?E9?70FFFFFF????jmp?HideWiza.0042B1C6?jump?back?to?death 0042B256????>??51?????????????push?ecx 0042B257????.??8BCC???????????mov?ecx,esp 0042B259????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B25C????.??68?0C534700????push?HideWiza.0047530C 0042B261????.??E8?817CFDFF????call?HideWiza.00402EE7 0042B266????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B269????.??50?????????????push?eax 0042B26A????.??E8?A1EEFFFF????call?HideWiza.0042A110 0042B26F????.??59?????????????pop?ecx 0042B270????.??59?????????????pop?ecx 0042B271????.??C645?FC?0B?????mov?byte?ptr?ss:[ebp-4],0B 0042B275????.^?E9?4CFFFFFF????jmp?HideWiza.0042B1C6?jump?back?to?death 0042B27A????>??8B4D?E4????????mov?ecx,dword?ptr?ss:[ebp-1C] 0042B27D????.??8BD1???????????mov?edx,ecx 0042B27F????.??6BD2?0D????????imul?edx,edx,0D 0042B282????.??81EA?2E160000??sub?edx,162E 0042B288????.??3BD0???????????cmp?edx,eax 0042B28A????.??74?46??????????je?short?HideWiza.0042B2D2?//jump?it 0042B28C????.??51?????????????push?ecx 0042B28D????.??8BCC???????????mov?ecx,esp 0042B28F????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B292????.??68?E4524700????push?HideWiza.004752E4 0042B297????.??E8?4B7CFDFF????call?HideWiza.00402EE7 0042B29C????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B29F????.??50?????????????push?eax 0042B2A0????.??E8?6BEEFFFF????call?HideWiza.0042A110 0042B2A5????.??59?????????????pop?ecx 0042B2A6????.??59?????????????pop?ecx 0042B2A7????.??FF30???????????push?dword?ptr?ds:[eax]???????????????;?/Arg1 0042B2A9????.??8B4D?E0????????mov?ecx,dword?ptr?ss:[ebp-20]?????????;?| 0042B2AC????.??C645?FC?0D?????mov?byte?ptr?ss:[ebp-4],0D????????????;?| 0042B2B0????.??E8?2A1F0000????call?HideWiza.0042D1DF????????????????;?\HideWiza.0042D1DF 0042B2B5????.??8B4D?F0????????mov?ecx,dword?ptr?ss:[ebp-10] 0042B2B8????.??83C1?F0????????add?ecx,-10 0042B2BB????.??C645?FC?07?????mov?byte?ptr?ss:[ebp-4],7 0042B2BF????.??E8?DF5DFDFF????call?HideWiza.004010A3 0042B2C4????.??8B4D?EC????????mov?ecx,dword?ptr?ss:[ebp-14] 0042B2C7????.??57?????????????push?edi??????????????????????????????;?/Arg1 0042B2C8????.??E8?F61F0000????call?HideWiza.0042D2C3????????????????;?\HideWiza.0042D2C3 0042B2CD????.??E9?B8020000????jmp?HideWiza.0042B58A 0042B2D2????>??6BC9?0B????????imul?ecx,ecx,0B 0042B2D5????.??81F1?07060000??xor?ecx,607 0042B2DB????.??8BC1???????????mov?eax,ecx 0042B2DD????.??894D?EC????????mov?dword?ptr?ss:[ebp-14],ecx 0042B2E0????.??B9?10270000????mov?ecx,2710 0042B2E5????.??3BC1???????????cmp?eax,ecx 0042B2E7????.??7D?0A??????????jge?short?HideWiza.0042B2F3?//auto?jump?it 0042B2E9????>??6BC0?0A????????imul?eax,eax,0A 0042B2EC????.??3BC1???????????cmp?eax,ecx 0042B2EE????.^?7C?F9??????????jl?short?HideWiza.0042B2E9 0042B2F0????.??8945?EC????????mov?dword?ptr?ss:[ebp-14],eax 0042B2F3????>??3D?A0860100????cmp?eax,186A0 0042B2F8????.??7C?15??????????jl?short?HideWiza.0042B30F?//auto?jump?it 0042B2FA????.??EB?03??????????jmp?short?HideWiza.0042B2FF 0042B2FC????>??8B45?EC????????mov?eax,dword?ptr?ss:[ebp-14] 0042B2FF????>??6A?0A??????????push?0A 0042B301????.??99?????????????cdq 0042B302????.??59?????????????pop?ecx 0042B303????.??F7F9???????????idiv?ecx 0042B305????.??3D?A0860100????cmp?eax,186A0 0042B30A????.??8945?EC????????mov?dword?ptr?ss:[ebp-14],eax 0042B30D????.^?7D?ED??????????jge?short?HideWiza.0042B2FC 0042B30F????>??893D?40F04800??mov?dword?ptr?ds:[48F040],edi 0042B315????.??E8?6CAB0000????call?HideWiza.00435E86 0042B31A????.??50?????????????push?eax 0042B31B????.??8D4D?E4????????lea?ecx,dword?ptr?ss:[ebp-1C] 0042B31E????.??E8?816DFDFF????call?HideWiza.004020A4 0042B323????.??FF75?EC????????push?dword?ptr?ss:[ebp-14] 0042B326????.??8D45?E4????????lea?eax,dword?ptr?ss:[ebp-1C] 0042B329????.??68?F0EF4600????push?HideWiza.0046EFF0????????????????;??ASCII?"%d" 8)0042D21B是CWnd::SetWindowText,他調用SetWindowTextA顯示序列號無效字符串
0042D21B的調用者為0042B1CB,找通向0042B1CB的跳轉,有三處,還都在后邊,分別是227?251?275,分析一下這段代碼,發現eax被判了多次,且eax=1,可以初步判定這就是服務器返回的狀態字。0042B201處判斷eax是不是不小于1e,如果小于1e,再判斷是不是2,如果是2,進入227玩完;不是2,判斷是不是14,不是的話進入251玩完,是的話進入275玩完。總之是進入了死胡同,只好在前面的0042B201處jmp掉。隨后在0042B28A處發現一個je,一般相等肯定是驗證對不對,肯定是好的,不用看直接jmp掉,最后什么都沒改,程序已經crack掉了,記錄一下中間沒改卻實現的跳轉,0042B2E7和0042B2F8,為保險起見,可以jmp一下。
后記:
很早就注冊pediy了,最近實驗室搞安全方面的東西,才開始經常在pediy混,前兩天發現以前只顧問問題,都弄得木有分了,等到失去才發現分的珍貴,現在趁肚子里有點貨,果斷寫篇破解賺點分,水平本來就有限,還是第一次寫破解教程,寫的不好,各位大大輕拍啊
最后附上源程序+破解補丁:
http://115.com/file/c2a07wc1#
《窗口、文件、進程隱藏工具——無憂隱藏》(HideWizard_v9.29)最新版含破解補丁.rar*轉載請注明來自看雪論壇@PEdiy.com?
作 者:?hsluoyz
時 間:?2012-04-22,22:01:19
鏈 接:?http://bbs.pediy.com/showthread.php?t=149743
偶以前搞過一些破解,但都是一些軟柿子,前幾天有隱藏木馬這么個需求,包括進程、窗口、硬盤文件等,非要用HideWIzard出手不可。HideWIzard6.4有破解版但功能不夠,只好拿HideWIzard最新版9.29開刀了。感覺還是挺麻煩的,也許是我水平很菜把,廢話不說進入正題
0)先對程序的情況說明一下,程序總共有三處驗證,有些可以觀察到,有些是破解過程中發現
1.對注冊碼在客戶端進行初步判斷,輸入不正確的話什么提示都沒有,否則進入第二步服務器激活驗證;
2.與服務器通信,在static控件顯示返回結果;
3.使用imagehlp進行EXE校驗,如果發現二進制被修改則自動退出
下面詳細闡述哈
1)首先是PEiD查殼,啥也沒發現,事實上到最后我也不知道是什么殼,也沒學過脫殼,汗一個,哪位大大知道不妨告知哈。IDA6.1打開EXE,可以判斷是MFC程序
2)OD加載程序后,自帶的7E42xxxx斷點一定要清除,否則會導致系統假死,狂按F9過一分鐘能緩回來,緩不回來只好重啟了。加載成功后窗口切換焦點時也是一頓一頓的,不知是不是有意為之,調試過程中盡量不要切換焦點。頓的程度好像與系統和OD也有關系,具體作用關系不明,最好找個能自動清除debug標志位的。OD換了好幾個才碰上個順手的,我用的ODbyDYK?v1.10里的Pza74.exe,能自動清除debug標志位,對call?jmp等指令能高亮顯示,Pza74缺點是插件不如OllyICE多,但OllyICE沒高亮,看的很頭疼。
3)正式進入調試步驟,首先需要在激活按鈕處下斷,因為沒有任何提示,只好在CCmdTarget::OnCmdMsg處下斷,在IDA記下地址在OD直接bp。OnCmdMsg第四個參數即為消息響應函數。函數如下,程序在0042AB9B處檢查注冊碼位數,只要讓輸入的注冊碼為17位就不會跳到函數末尾,在末尾處可以看出SendMessageA是進入下一步的關鍵,因此中間的算法就不用看了,直接找跳轉,把該nop的nop掉。
代碼: 0042AB5F???/.??55?????????????push?ebp 0042AB60???|.??8BEC???????????mov?ebp,esp 0042AB62???|.??83EC?14????????sub?esp,14 0042AB65???|.??56?????????????push?esi 0042AB66???|.??8BF1???????????mov?esi,ecx 0042AB68???|.??8975?EC????????mov?dword?ptr?ss:[ebp-14],esi 0042AB6B???|.??FF15?C4D14600??call?dword?ptr?ds:[<&KERNEL32.GetTickCount>]?????;?[GetTickCount 0042AB71???|.??8BC8???????????mov?ecx,eax 0042AB73???|.??2B0D?A4F44800??sub?ecx,dword?ptr?ds:[48F4A4] 0042AB79???|.??81F9?2C010000??cmp?ecx,12C 0042AB7F???|.??0F82?40010000??jb?HideWiza.0042ACC5 0042AB85???|.??6A?01??????????push?1 0042AB87???|.??8BCE???????????mov?ecx,esi 0042AB89???|.??A3?A4F44800????mov?dword?ptr?ds:[48F4A4],eax 0042AB8E???|.??E8?B0530000????call?HideWiza.0042FF43 0042AB93???|.??81C6?10040000??add?esi,410 0042AB99???|.??8B06???????????mov?eax,dword?ptr?ds:[esi] 0042AB9B???|.??8378?F4?11?????cmp?dword?ptr?ds:[eax-C],11? 0042AB9F???|.??8BCE???????????mov?ecx,esi 0042ABA1???|.??0F85?14010000??jnz?HideWiza.0042ACBB?不成立則跳到0042ACC5處,不能跳,需要nop掉 ... 0042AC9B???|.?/75?1C??????????jnz?short?HideWiza.0042ACB9?/不能跳,需要nop掉 0042AC9D???|.?|394D?F0????????cmp?dword?ptr?ss:[ebp-10],ecx 0042ACA0???|.?|75?17??????????jnz?short?HideWiza.0042ACB9?/不能跳,需要nop掉 0042ACA2???|.?|8B45?EC????????mov?eax,dword?ptr?ss:[ebp-14] 0042ACA5???|.?|6A?0A??????????push?0A??????????????????????????????????????????;?/lParam?=?A 0042ACA7???|.?|6A?01??????????push?1???????????????????????????????????????????;?|wParam?=?1 0042ACA9???|.?|68?CA040000????push?4CA?????????????????????????????????????????;?|Message?=?MSG(4CA) 0042ACAE???|.?|FF70?20????????push?dword?ptr?ds:[eax+20]???????????????????????;?|hWnd 0042ACB1???|.?|FF15?84D54600??call?dword?ptr?ds:[<&USER32.SendMessageA>]???????;?\SendMessageA 0042ACB7???|.?|EB?0C??????????jmp?short?HideWiza.0042ACC5 0042ACB9???|>?\8BCE???????????mov?ecx,esi 0042ACBB???|>??68?F2DC4600????push?HideWiza.0046DCF2 0042ACC0???|.??E8?1B7BFDFF????call?HideWiza.004027E0 0042ACC5???|>??5E?????????????pop?esi 0042ACC6???|.??C9?????????????leave 0042ACC7???\.??C3?????????????retn 4)用ue把exe改掉后發現程序自動退出,猜測是某種校驗,這時程序不會彈出窗口,判斷是在CXXDlg構造函數或OnInitialDialog等處。直接在入口處跟進,這里有個取巧的辦法,直接od同時加載未修改和已修改的一起debug,比較哪里不一樣,如果過程中哪個call直接把窗口彈出來或是退出,就需要重新加載跟進這個call。最后發現下面的代碼,終于找到了,就是imagehlp.MapFileAndCheckSumA這個東西做的怪。查了一下imagehlp,的確是進行二進制校驗的一個東東。0041E36E處可以看出[ebp-2C]與[ebp-28]一個是編譯時生成的,一個是現算的。后面jnz判斷是否一致,后面的OpenMutexA啥的應該是保證程序單例,是程序后面的邏輯,因此把jnz?nop掉即可。
代碼: 0041E349????.??E9?AD030000????jmp?HideWiza.0041E6FB 0041E34E????>??8D45?D8????????lea?eax,dword?ptr?ss:[ebp-28] 0041E351????.??50?????????????push?eax 0041E352????.??8D45?D4????????lea?eax,dword?ptr?ss:[ebp-2C] 0041E355????.??33FF???????????xor?edi,edi 0041E357????.??50?????????????push?eax 0041E358????.??47?????????????inc?edi 0041E359????.??68?40EA4800????push?HideWiza.0048EA40 0041E35E????.??897D?D4????????mov?dword?ptr?ss:[ebp-2C],edi 0041E361????.??895D?D8????????mov?dword?ptr?ss:[ebp-28],ebx 0041E364????.??FF15?FCD74600??call?dword?ptr?ds:[<&imagehlp.Ma>;??imagehlp.MapFileAndCheckSumA?/Checksum!!! 0041E36A????.??85C0???????????test?eax,eax 0041E36C????.??75?0C??????????jnz?short?HideWiza.0041E37A 0041E36E????.??8B45?D4????????mov?eax,dword?ptr?ss:[ebp-2C] 0041E371????.??3B45?D8????????cmp?eax,dword?ptr?ss:[ebp-28] 0041E374????.??0F85?81030000??jnz?HideWiza.0041E6FB?should?not?jmp,?so?nop?it 0041E37A????>??68?6C3E4700????push?HideWiza.00473E6C???????????;??ASCII?"SEAN_U_HIDE_WIZARD" 0041E37F????.??8D4D?E0????????lea?ecx,dword?ptr?ss:[ebp-20] 0041E382????.??E8?604BFEFF????call?HideWiza.00402EE7 0041E387????.??FF75?E0????????push?dword?ptr?ss:[ebp-20]???????;?/MutexName 0041E38A????.??895D?FC????????mov?dword?ptr?ss:[ebp-4],ebx?????;?| 0041E38D????.??53?????????????push?ebx?????????????????????????;?|Inheritable 0041E38E????.??57?????????????push?edi?????????????????????????;?|Access 0041E38F????.??FF15?2CD44600??call?dword?ptr?ds:[<&KERNEL32.Op>;?\OpenMutexA 0041E395????.??8B7D?DC????????mov?edi,dword?ptr?ss:[ebp-24] 0041E398????.??8987?A4000000??mov?dword?ptr?ds:[edi+A4],eax 0041E39E????.??3BC3???????????cmp?eax,ebx 0041E3A0????.??0F84?97000000??je?HideWiza.0041E43D
5)終于到最后一步,這時運行程序隨便輸入注冊碼注冊,發現還有服務器驗證,IDA里發現程序網絡通信用的是CHttpFile,繼承于CInternetFile,結合IDA6.1的hex?rays進行反編譯,CInternetFile有四個方法,Read?ReadString?Write?WriteString,我們主要關心的是讀取,記下地址在OD里下斷,發現程序調用的是CInternetFile::Read函數。一般人寫通信程序都會把建立連接、發送、接受、關閉連接自己封裝一下,因此可以順便在IDA里把周圍的關于網絡通信的函數沒名字的都命名一下,找調用者就結合OD,這么比較方便查看。
用OD在CInternetFile::Read往上導,發現一個可疑函數,IDA反編譯一下:
代碼: signed?int?__thiscall?sub_42BFB4(void?*this,?int?a2,?int?a3) {int?v3;?//?edi@1void?*v4;?//?ebx@1int?v6;?//?eax@3int?v7;?//?eax@3int?v8;?//?eax@3int?v9;?//?edi@3const?CHAR?*v10;?//?ebx@5int?v11;?//?esi@5int?v12;?//?esi@7int?v13;?//?eax@10int?v14;?//?eax@10int?v15;?//?eax@12int?v16;?//?eax@12int?v17;?//?eax@14int?v18;?//?eax@14int?v19;?//?eax@15int?v20;?//?eax@15int?v21;?//?eax@15int?v22;?//?[sp+Ch]?[bp-20h]@11const?CHAR?*v23;?//?[sp+10h]?[bp-1Ch]@3char?*v24;?//?[sp+14h]?[bp-18h]@15int?v25;?//?[sp+18h]?[bp-14h]@3int?v26;?//?[sp+1Ch]?[bp-10h]@3int?v27;?//?[sp+28h]?[bp-4h]@1char?v28;?//?[sp+2Ch]?[bp+0h]@1char?Src;?//?[sp+82Ch]?[bp+800h]@15char?v30;?//?[sp+82Dh]?[bp+801h]@15unsigned?int?v31;?//?[sp+C2Ch]?[bp+C00h]@1v31?=?(unsigned?int)&v28?^?__security_cookie;v3?=?a3;v4?=?this;v27?=?0;if?(?!WaitForSingleObject(hHandle,?0)?)goto?LABEL_2;unknown_libname_115(v3);v6?=?sub_435E86(v26);unknown_libname_113(v6);v7?=?sub_435E86(v26);unknown_libname_113(v7);LOBYTE(v27)?=?2;sub_402793(&a2);sub_42BF09(&v25,?&v23);LOBYTE(v27)?=?3;v8?=?(int)_LN34_4(v4,?0,?0,?0,?0);v9?=?v8;if?(?!v8?){ATL::CStringData::Release(v23?-?16);ATL::CStringData::Release(v25?-?16); LABEL_2:ATL::CStringData::Release(a2?-?16);return?-20;}v10?=?v23;v27?=?2;LOBYTE(v27)?=?5;v11?=?(int)sub_4415E2(v8,?0,?v23,?0,?1u,?0,?0,?0x20000000u);if?(?!v11?)goto?LABEL_6;v27?=?2;LOBYTE(v27)?=?7;if?(?!CHttpFile::SendRequest(v11,?0,?0,?0,?0)?)?///發送消息{(*(void?(__thiscall?**)(int))(*(_DWORD?*)v11?+?76))(v11);v13?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v13?+?4))(v11,?1);(*(void?(__thiscall?**)(int))(*(_DWORD?*)v9?+?12))(v9);v14?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v14?+?4))(v9,?1); LABEL_6:ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);v25?=?-20; LABEL_7:v12?=?v25; LABEL_8:ATL::CStringData::Release(a2?-?16);return?v12;}v27?=?2;if?(?!CHttpFile::QueryInfoStatusCode(&v22)?){(*(void?(__thiscall?**)(int))(*(_DWORD?*)v11?+?76))(v11);v15?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v15?+?4))(v11,?1);(*(void?(__thiscall?**)(int))(*(_DWORD?*)v9?+?12))(v9);v16?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v16?+?4))(v9,?1);ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);v25?=?-21;goto?LABEL_7;}if?(?v22?!=?200?){(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v11?+?76))(v11);v17?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v17?+?4))(v11,?1);(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v9?+?12))(v9);v18?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v18?+?4))(v9,?1);v12?=?v22;ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);goto?LABEL_8;}Src?=?0;memset(&v30,?0,?0x3FFu);sub_4027E0(Caption);v19?=?*(_DWORD?*)v11;v25?=?1000;v24?=?&Src;(*(void?(__thiscall?**)(int,?char?*,?signed?int))(v19?+?52))(v11,?&Src,?1000);?CInternetFile_Read?此處地址00440915?一共兩次read,調用CInternet::Readsub_4027E0(&Src);?/?-->調用sub_402466?Src返回的c字符串?此處地址為0042C1F3?寫了2個byte的內存,后面都不用看了(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v11?+?76))(v11);?CInternetFile::Closev20?=?*(_DWORD?*)v11;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v20?+?4))(v11,?1);?CHttpFile::_scalar_deleting_destructor_(*(void?(__thiscall?**)(_DWORD))(*(_DWORD?*)v9?+?12))(v9);?CInternetFile::Closev21?=?*(_DWORD?*)v9;v25?=?1;(*(void?(__thiscall?**)(int,?signed?int))(v21?+?4))(v9,?1);?sub_440C6D一些字符串釋放ATL::CStringData::Release(v10?-?16);ATL::CStringData::Release(v25?-?16);ATL::CStringData::Release(a2?-?16);return?1; } 6)可以發現干貨就在最后幾行,00440915內部調用CInternet::Read,整個函數一共調用了兩次,用ethereal截報文發現客戶端向www.seapsoft.com發送兩個HTTP請求,服務器回的都是很簡單的字符串1,存在Src里,sub_4027E0(&Src)處理一下,寫了兩個2Bytes的內存,位置是動態分配的,第一個字節是Src的長度,也就是1,(似乎Src作為狀態字長度1個Byte也就夠了,不知作者為何要做此設計),第二個字節就是狀態字(從內存對齊上也可看出Src只能是1個Byte)。自己在這里修改一下Src對照程序的提示可以發現數字的含義:2是序列號已存在,1是序列號無效,其它值似乎都是網絡故障云云。可以大膽猜測程序以后肯定會讀取Src或者其復制版本。
7)明顯的思路是在2Bytes的內存處下內存訪問斷點,發現到了strtoxl這么個函數,是C的一個內部使用的函數,往上導,到strtol,最后到atol,后來發現這個地址被讀了十幾次,于是干脆換了另一個方法。程序在請求返回后會設置static字符串,于是在SetWindowTextA處下API斷點。往上倒騰,功夫不負有心人,發現了程序的驗證邏輯:
代碼: 0042B1F5????>?\FF75?DC????????push?dword?ptr?ss:[ebp-24] 0042B1F8????.??E8?46620200????call?HideWiza.00451443 0042B1FD????.??83F8?1E????????cmp?eax,1E 0042B200????.??59?????????????pop?ecx 0042B201????.??7D?77??????????jge?short?HideWiza.0042B27A?//jump?it 0042B203????.??83F8?02????????cmp?eax,2 0042B206????.??75?21??????????jnz?short?HideWiza.0042B229 0042B208????.??51?????????????push?ecx 0042B209????.??8BCC???????????mov?ecx,esp 0042B20B????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B20E????.??68?24534700????push?HideWiza.00475324 0042B213????.??E8?CF7CFDFF????call?HideWiza.00402EE7 0042B218????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B21B????.??50?????????????push?eax 0042B21C????.??E8?EFEEFFFF????call?HideWiza.0042A110 0042B221????.??59?????????????pop?ecx 0042B222????.??59?????????????pop?ecx 0042B223????.??C645?FC?0A?????mov?byte?ptr?ss:[ebp-4],0A 0042B227????.^?EB?9D??????????jmp?short?HideWiza.0042B1C6?jump?back?to?death 0042B229????>??3BC7???????????cmp?eax,edi 0042B22B????.??74?29??????????je?short?HideWiza.0042B256 0042B22D????.??83F8?14????????cmp?eax,14 0042B230????.??74?24??????????je?short?HideWiza.0042B256 0042B232????.??51?????????????push?ecx 0042B233????.??8BCC???????????mov?ecx,esp 0042B235????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B238????.??68?E4524700????push?HideWiza.004752E4 0042B23D????.??E8?A57CFDFF????call?HideWiza.00402EE7 0042B242????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B245????.??50?????????????push?eax 0042B246????.??E8?C5EEFFFF????call?HideWiza.0042A110 0042B24B????.??59?????????????pop?ecx 0042B24C????.??59?????????????pop?ecx 0042B24D????.??C645?FC?0C?????mov?byte?ptr?ss:[ebp-4],0C 0042B251????.^?E9?70FFFFFF????jmp?HideWiza.0042B1C6?jump?back?to?death 0042B256????>??51?????????????push?ecx 0042B257????.??8BCC???????????mov?ecx,esp 0042B259????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B25C????.??68?0C534700????push?HideWiza.0047530C 0042B261????.??E8?817CFDFF????call?HideWiza.00402EE7 0042B266????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B269????.??50?????????????push?eax 0042B26A????.??E8?A1EEFFFF????call?HideWiza.0042A110 0042B26F????.??59?????????????pop?ecx 0042B270????.??59?????????????pop?ecx 0042B271????.??C645?FC?0B?????mov?byte?ptr?ss:[ebp-4],0B 0042B275????.^?E9?4CFFFFFF????jmp?HideWiza.0042B1C6?jump?back?to?death 0042B27A????>??8B4D?E4????????mov?ecx,dword?ptr?ss:[ebp-1C] 0042B27D????.??8BD1???????????mov?edx,ecx 0042B27F????.??6BD2?0D????????imul?edx,edx,0D 0042B282????.??81EA?2E160000??sub?edx,162E 0042B288????.??3BD0???????????cmp?edx,eax 0042B28A????.??74?46??????????je?short?HideWiza.0042B2D2?//jump?it 0042B28C????.??51?????????????push?ecx 0042B28D????.??8BCC???????????mov?ecx,esp 0042B28F????.??8965?F0????????mov?dword?ptr?ss:[ebp-10],esp 0042B292????.??68?E4524700????push?HideWiza.004752E4 0042B297????.??E8?4B7CFDFF????call?HideWiza.00402EE7 0042B29C????.??8D45?F0????????lea?eax,dword?ptr?ss:[ebp-10] 0042B29F????.??50?????????????push?eax 0042B2A0????.??E8?6BEEFFFF????call?HideWiza.0042A110 0042B2A5????.??59?????????????pop?ecx 0042B2A6????.??59?????????????pop?ecx 0042B2A7????.??FF30???????????push?dword?ptr?ds:[eax]???????????????;?/Arg1 0042B2A9????.??8B4D?E0????????mov?ecx,dword?ptr?ss:[ebp-20]?????????;?| 0042B2AC????.??C645?FC?0D?????mov?byte?ptr?ss:[ebp-4],0D????????????;?| 0042B2B0????.??E8?2A1F0000????call?HideWiza.0042D1DF????????????????;?\HideWiza.0042D1DF 0042B2B5????.??8B4D?F0????????mov?ecx,dword?ptr?ss:[ebp-10] 0042B2B8????.??83C1?F0????????add?ecx,-10 0042B2BB????.??C645?FC?07?????mov?byte?ptr?ss:[ebp-4],7 0042B2BF????.??E8?DF5DFDFF????call?HideWiza.004010A3 0042B2C4????.??8B4D?EC????????mov?ecx,dword?ptr?ss:[ebp-14] 0042B2C7????.??57?????????????push?edi??????????????????????????????;?/Arg1 0042B2C8????.??E8?F61F0000????call?HideWiza.0042D2C3????????????????;?\HideWiza.0042D2C3 0042B2CD????.??E9?B8020000????jmp?HideWiza.0042B58A 0042B2D2????>??6BC9?0B????????imul?ecx,ecx,0B 0042B2D5????.??81F1?07060000??xor?ecx,607 0042B2DB????.??8BC1???????????mov?eax,ecx 0042B2DD????.??894D?EC????????mov?dword?ptr?ss:[ebp-14],ecx 0042B2E0????.??B9?10270000????mov?ecx,2710 0042B2E5????.??3BC1???????????cmp?eax,ecx 0042B2E7????.??7D?0A??????????jge?short?HideWiza.0042B2F3?//auto?jump?it 0042B2E9????>??6BC0?0A????????imul?eax,eax,0A 0042B2EC????.??3BC1???????????cmp?eax,ecx 0042B2EE????.^?7C?F9??????????jl?short?HideWiza.0042B2E9 0042B2F0????.??8945?EC????????mov?dword?ptr?ss:[ebp-14],eax 0042B2F3????>??3D?A0860100????cmp?eax,186A0 0042B2F8????.??7C?15??????????jl?short?HideWiza.0042B30F?//auto?jump?it 0042B2FA????.??EB?03??????????jmp?short?HideWiza.0042B2FF 0042B2FC????>??8B45?EC????????mov?eax,dword?ptr?ss:[ebp-14] 0042B2FF????>??6A?0A??????????push?0A 0042B301????.??99?????????????cdq 0042B302????.??59?????????????pop?ecx 0042B303????.??F7F9???????????idiv?ecx 0042B305????.??3D?A0860100????cmp?eax,186A0 0042B30A????.??8945?EC????????mov?dword?ptr?ss:[ebp-14],eax 0042B30D????.^?7D?ED??????????jge?short?HideWiza.0042B2FC 0042B30F????>??893D?40F04800??mov?dword?ptr?ds:[48F040],edi 0042B315????.??E8?6CAB0000????call?HideWiza.00435E86 0042B31A????.??50?????????????push?eax 0042B31B????.??8D4D?E4????????lea?ecx,dword?ptr?ss:[ebp-1C] 0042B31E????.??E8?816DFDFF????call?HideWiza.004020A4 0042B323????.??FF75?EC????????push?dword?ptr?ss:[ebp-14] 0042B326????.??8D45?E4????????lea?eax,dword?ptr?ss:[ebp-1C] 0042B329????.??68?F0EF4600????push?HideWiza.0046EFF0????????????????;??ASCII?"%d" 8)0042D21B是CWnd::SetWindowText,他調用SetWindowTextA顯示序列號無效字符串
0042D21B的調用者為0042B1CB,找通向0042B1CB的跳轉,有三處,還都在后邊,分別是227?251?275,分析一下這段代碼,發現eax被判了多次,且eax=1,可以初步判定這就是服務器返回的狀態字。0042B201處判斷eax是不是不小于1e,如果小于1e,再判斷是不是2,如果是2,進入227玩完;不是2,判斷是不是14,不是的話進入251玩完,是的話進入275玩完。總之是進入了死胡同,只好在前面的0042B201處jmp掉。隨后在0042B28A處發現一個je,一般相等肯定是驗證對不對,肯定是好的,不用看直接jmp掉,最后什么都沒改,程序已經crack掉了,記錄一下中間沒改卻實現的跳轉,0042B2E7和0042B2F8,為保險起見,可以jmp一下。
后記:
很早就注冊pediy了,最近實驗室搞安全方面的東西,才開始經常在pediy混,前兩天發現以前只顧問問題,都弄得木有分了,等到失去才發現分的珍貴,現在趁肚子里有點貨,果斷寫篇破解賺點分,水平本來就有限,還是第一次寫破解教程,寫的不好,各位大大輕拍啊
最后附上源程序+破解補丁:
http://115.com/file/c2a07wc1#
《窗口、文件、進程隱藏工具——無憂隱藏》(HideWizard_v9.29)最新版含破解補丁.rar*轉載請注明來自看雪論壇@PEdiy.com?
總結
以上是生活随笔為你收集整理的OD+IDA6.1破解HideWizardv9.29(无忧隐藏)的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: IDA Pro逆向实战之Crackme(
- 下一篇: INLINE HOOK过驱动保护的理论知