Analysis of the WinRip 2.0 protection mechanism and how the patch was made
Tool: OllyDbg 1.07a
Platform: Windows 2000 Professional
After the 30-day trial period expires, the program shows a NAG screen and its functionality is restricted. Based on this behaviour, set a breakpoint on GetSystemTime, run the program, and after the break is hit step back up one return at a time until you reach this point (0040ce45):
0040CDF8 /$ B8 18884300 MOV EAX,WinRip.00438818
0040CDFD |. E8 2EEB0000 CALL WinRip.0041B930
0040CE02 |. 83EC 68 SUB ESP,68
0040CE05 |. 53 PUSH EBX
0040CE06 |. 56 PUSH ESI
0040CE07 |. BB 7CBA4300 MOV EBX,WinRip.0043BA7C
0040CE0C |. 57 PUSH EDI
0040CE0D |. 8BF1 MOV ESI,ECX
0040CE0F |. 895D D4 MOV [LOCAL.11],EBX
0040CE12 |. E8 94E0FFFF CALL WinRip.0040AEAB
0040CE17 |. 33FF XOR EDI,EDI
0040CE19 |. 8D4D D4 LEA ECX,[LOCAL.11]
0040CE1C |. 57 PUSH EDI ; /Arg2 => 00000000
0040CE1D |. 50 PUSH EAX ; |Arg1
0040CE1E |. E8 FFF8FFFF CALL WinRip.0040C722 ; \WinRip.0040C722
0040CE23 |. 57 PUSH EDI
0040CE24 |. 897D FC MOV [LOCAL.1],EDI
0040CE27 |. FF15 14AA4300 CALL [DWORD DS:<&ole32.CoInitialize>] ; ole32.CoInitialize
0040CE2D |. 3BC7 CMP EAX,EDI
0040CE2F |. 8945 F0 MOV [LOCAL.4],EAX
0040CE32 |. 7C 7B JL SHORT WinRip.0040CEAF
0040CE34 |. 8D45 EC LEA EAX,[LOCAL.5]
0040CE37 |. 50 PUSH EAX
0040CE38 |. 68 E4B74300 PUSH WinRip.0043B7E4
0040CE3D |. 6A 01 PUSH 1
0040CE3F |. 57 PUSH EDI
0040CE40 |. 68 44B84300 PUSH WinRip.0043B844
0040CE45 |. FF15 0CAA4300 CALL [DWORD DS:<&ole32.CoCreateInstance>] ; ole32.CoCreateInstance <gets the system time>
0040CE4B |. 3BC7 CMP EAX,EDI
0040CE4D |. 8945 F0 MOV [LOCAL.4],EAX
0040CE50 |. 7C 57 JL SHORT WinRip.0040CEA9
0040CE52 |. 6A 40 PUSH 40 ; /n = 40 (64.)
0040CE54 |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE57 |. 57 PUSH EDI ; |c
0040CE58 |. 50 PUSH EAX ; |s
0040CE59 |. 897D 90 MOV [LOCAL.28],EDI ; |
0040CE5C |. E8 F5EA0000 CALL; \memset
0040CE61 |. 8D86 F0000000 LEA EAX,[DWORD DS:ESI+F0]
0040CE67 |. 6A 40 PUSH 40 ; /maxlen = 40 (64.)
0040CE69 |. 50 PUSH EAX ; |src
0040CE6A |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE6D |. 50 PUSH EAX ; |dest
0040CE6E |. FF15 E4A74300 CALL [DWORD DS:<&MSVCRT.strncpy>] ; \strncpy
0040CE74 |. 8B86 30010000 MOV EAX,[DWORD DS:ESI+130]
0040CE7A |. 83C4 18 ADD ESP,18
0040CE7D |. 8945 90 MOV [LOCAL.28],EAX
0040CE80 |. C745 8C 050000>MOV [LOCAL.29],5
0040CE87 |. E8 48000000 CALL WinRip.0040CED4 <step into this one; see below>
0040CE8C |. 8B4D EC MOV ECX,[LOCAL.5]
0040CE8F |. 50 PUSH EAX <argument 1: a value of 0 means expired; the normal value should be 1E>
0040CE90 |. FF75 08 PUSH [ARG.1]
0040CE93 |. 8D45 8C LEA EAX,[LOCAL.29]
0040CE96 |. 8B11 MOV EDX,[DWORD DS:ECX]
0040CE98 |. 50 PUSH EAX
0040CE99 |. 51 PUSH ECX
0040CE9A |. FF52 10 CALL [DWORD DS:EDX+10] <calls appregag.10003c31 here; argument 1 decides whether the NAG appears and whether functionality is restricted>
0040CE9D |. 8945 F0 MOV [LOCAL.4],EAX
0040CEA0 |. 8B45 EC MOV EAX,[LOCAL.5]
0040CEA3 |. 50 PUSH EAX
0040CEA4 |. 8B08 MOV ECX,[DWORD DS:EAX]
0040CEA6 |. FF51 08 CALL [DWORD DS:ECX+8]
0040CEA9 |> FF15 10AA4300 CALL [DWORD DS:<&ole32.CoUninitialize>] ; ole32.CoUninitialize
0040CEAF |> 397D E8 CMP [LOCAL.6],EDI
0040CEB2 |. 5F POP EDI
0040CEB3 |. 895D D4 MOV [LOCAL.11],EBX
0040CEB6 |. 5E POP ESI
0040CEB7 |. 5B POP EBX
0040CEB8 |. 74 09 JE SHORT WinRip.0040CEC3
0040CEBA |. FF75 E8 PUSH [LOCAL.6] ; /hObject
0040CEBD |. FF15 ACA14300 CALL [DWORD DS:<&KERNEL32.CloseHandle>] ; \CloseHandle
0040CEC3 |> 8B4D F4 MOV ECX,[LOCAL.3]
0040CEC6 |. 8B45 F0 MOV EAX,[LOCAL.4]
0040CEC9 |. 64:890D 000000>MOV [DWORD FS:0],ECX
0040CED0 |. C9 LEAVE
0040CED1 \. C2 0400 RETN 4
=====<<called from 40CE87>>===================================================================
0040CED4 /$ 56 PUSH ESI
0040CED5 |. E8 D1DFFFFF CALL WinRip.0040AEAB
0040CEDA |. 50 PUSH EAX
0040CEDB |. E8 65DBFFFF CALL WinRip.0040AA45
0040CEE0 |. 8BF0 MOV ESI,EAX
0040CEE2 |. 59 POP ECX
0040CEE3 |. 85F6 TEST ESI,ESI
0040CEE5 |. 74 17 JE SHORT WinRip.0040CEFE
0040CEE7 |. 57 PUSH EDI
0040CEE8 |. 8BCE MOV ECX,ESI
0040CEEA |. E8 719A0200 CALL WinRip.00436960 <determines the value of argument 1; step in and look. You must set a breakpoint before this point to see it, because the code is generated dynamically>
0040CEEF |. 8BF8 MOV EDI,EAX
0040CEF1 |. 8B06 MOV EAX,[DWORD DS:ESI]
0040CEF3 |. 6A 01 PUSH 1
0040CEF5 |. 8BCE MOV ECX,ESI
0040CEF7 |. FF10 CALL [DWORD DS:EAX]
0040CEF9 |. 8BC7 MOV EAX,EDI
0040CEFB |. 5F POP EDI
0040CEFC |. 5E POP ESI
0040CEFD |. C3 RETN
0040CEFE |> 33C0 XOR EAX,EAX <if this instruction executes, the NAG appears and functionality is restricted>
0040CF00 |. 5E POP ESI
0040CF01 \. C3 RETN
=====<<called from 40CEEA; note: this block of code is generated dynamically>>============================
00436960 /$ 51 PUSH ECX
00436961 |. 56 PUSH ESI
00436962 |. 8D4424 04 LEA EAX,[DWORD SS:ESP+4]
00436966 |. 50 PUSH EAX ; /timer
00436967 |. 8BF1 MOV ESI,ECX ; |
00436969 |. FF15 D4A74300 CALL [DWORD DS:<&MSVCRT.time>] ; \time
0043696F |. 83C4 04 ADD ESP,4
00436972 |. 8BCE MOV ECX,ESI
00436974 |. E8 77FFFFFF CALL WinRip.004368F0 <inside this call, the subroutine at 4368F9 fetches the disk volume serial number, and the subroutine at 436931 queries the registry>
00436979 |. 8B4C24 04 MOV ECX,[DWORD SS:ESP+4]
0043697D |. 2BC8 SUB ECX,EAX
0043697F |. B8 07452EC2 MOV EAX,C22E4507
00436984 |. F7E9 IMUL ECX
00436986 |. 8B46 14 MOV EAX,[DWORD DS:ESI+14] <value 1E, i.e. 30 decimal>
00436989 |. 03D1 ADD EDX,ECX
0043698B |. C1FA 10 SAR EDX,10
0043698E |. 8BCA MOV ECX,EDX
00436990 |. C1E9 1F SHR ECX,1F
00436993 |. 03D1 ADD EDX,ECX
00436995 |. 3BD0 CMP EDX,EAX
00436997 |. 5E POP ESI
00436998 |. 7E 04 JLE SHORT WinRip.0043699E <change this to JMP SHORT WinRip.004369A4 and all restrictions are removed (bytes EB 07)>
0043699A |. 33C0 XOR EAX,EAX
0043699C |. 59 POP ECX
0043699D |. C3 RETN
0043699E |> 85D2 TEST EDX,EDX
004369A0 |. 7E 02 JLE SHORT WinRip.004369A4
004369A2 |. 2BC2 SUB EAX,EDX
004369A4 |> 59 POP ECX
004369A5 \. C3 RETN
=====<<the code above is decoded here>>============================
00435F06 |> 3BCF CMP ECX,EDI <decoded address ranges: 40c8f8-40cc2e, 436200-436f50>
00435F08 |. 8B45 08 MOV EAX,[ARG.1]
00435F0B |. 73 3B JNB SHORT WinRip.00435F48
00435F0D |. 8D49 00 LEA ECX,[DWORD DS:ECX]
00435F10 |> 8B31 /MOV ESI,[DWORD DS:ECX] <load the word to be decoded into esi>
00435F12 |. 33F0 |XOR ESI,EAX
00435F14 |. 8BD6 |MOV EDX,ESI
00435F16 |. 03C2 |ADD EAX,EDX
00435F18 |. 8931 |MOV [DWORD DS:ECX],ESI <store the decoded word>
00435F1A |. 8BD0 |MOV EDX,EAX
00435F1C |. C1EA 06 |SHR EDX,6
00435F1F |. 8BF0 |MOV ESI,EAX
00435F21 |. 81E2 00F80700 |AND EDX,7F800
00435F27 |. 81E6 00F80700 |AND ESI,7F800
00435F2D |. 33D6 |XOR EDX,ESI
00435F2F |. 8BF0 |MOV ESI,EAX
00435F31 |. C1EA 0B |SHR EDX,0B
00435F34 |. 81E6 FF000000 |AND ESI,0FF
00435F3A |. 33D6 |XOR EDX,ESI
00435F3C |. C1E0 08 |SHL EAX,8
00435F3F |. 83C1 04 |ADD ECX,4
00435F42 |. 0BC2 |OR EAX,EDX
00435F44 |. 3BCF |CMP ECX,EDI <loop condition check>
00435F46 |.^72 C8 \JB SHORT WinRip.00435F10 <jump back to fetch the next word to decode>
00435F48 |> 5F POP EDI
How the patch works:
1. Write a decoding routine DeCode(Byte buff[]) based on the decoding algorithm above;
2. Open "WinRip.exe", read the range 436200-436f50 into Byte buff[0xD50], and decode it with DeCode(Byte buff[]);
3. Change the values at buff[0x998] and buff[0x999] to eb and 07 respectively;
4. Re-encode buff[] with DeCode(Byte buff[]) (encoding and decoding are symmetric);
5. Write buff[] back to the file;
At this point the program is completely cracked.
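The decode loop at 00435F10-00435F46 reconstructed in C, as an added example that is not the author's DeCode routine: an analyst's offline re-implementation of the self-decrypting code block together with its inverse. The initial key (EAX, taken from ARG.1) and the sample bytes are constructed assumptions, because the real key is not on the page. Note that the key update at 00435F16 consumes the decoded word, so the inverse has to feed the plaintext word into the key update rather than its XOR output; wr_demo checks the round trip and shows that changing one plaintext word alters every ciphertext word after it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key schedule from 00435F1A-00435F42; sum is EAX after ADD EAX,EDX. */
uint32_t wr_next_key(uint32_t sum)
{
    uint32_t edx = ((sum >> 6) & 0x7F800u) ^ (sum & 0x7F800u);
    edx = (edx >> 11) ^ (sum & 0xFFu);   /* result fits in 8 bits */
    return (sum << 8) | edx;             /* SHL EAX,8 ; OR EAX,EDX */
}

/* One pass over n little-endian 32-bit words in place, starting from the
   caller's EAX (ARG.1). decoding=1 mirrors the loop at 00435F10; decoding=0
   is the inverse, which must feed the plaintext word (the XOR input) into
   the key update so that the key stream matches on decode. */
uint32_t wr_transform(uint8_t *buf, size_t n, uint32_t key, int decoding)
{
    for (size_t i = 0; i < n; i++, buf += 4) {
        uint32_t in = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                      (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
        uint32_t out = in ^ key;                    /* XOR ESI,EAX */
        uint32_t plain = decoding ? out : in;
        buf[0] = (uint8_t)out; buf[1] = (uint8_t)(out >> 8);
        buf[2] = (uint8_t)(out >> 16); buf[3] = (uint8_t)(out >> 24);
        key = wr_next_key(key + plain);             /* ADD EAX,EDX, then mix */
    }
    return key;
}

/* Demo on constructed bytes and a constructed key: the round trip restores
   the input, and flipping one bit in word 2 changes every ciphertext word
   from word 2 onward, because each key depends on the previous plaintext. */
int wr_demo(void)
{
    static const uint8_t plain[16] = { 0x90, 0x90, 0x8B, 0xF0, 0x33, 0xC0, 0x5E, 0xC3,
                                       0x85, 0xD2, 0x7E, 0x02, 0x2B, 0xC2, 0x59, 0xC3 };
    const uint32_t key0 = 0x12345678u;           /* assumption: real ARG.1 is not on the page */
    uint8_t a[16], b[16];
    memcpy(a, plain, 16);
    wr_transform(a, 4, key0, 0);                 /* encode */
    memcpy(b, a, 16);
    wr_transform(b, 4, key0, 1);                 /* decode */
    if (memcmp(b, plain, 16) != 0) return 0;
    memcpy(b, plain, 16);
    b[8] ^= 0x01;                                /* one-bit change in word 2 */
    wr_transform(b, 4, key0, 0);
    return memcmp(a, b, 8) == 0 && memcmp(a + 8, b + 8, 4) != 0 &&
           memcmp(a + 12, b + 12, 4) != 0;
}
```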
youth
2002-8-23