一款工程预算软件,曾经在上海建筑行业一度非常风光 研究了其技术,发觉是采用vb16编写的,后来经过升级到了vb32。 要破解其实有两个步骤: 1.分析rockey 软件狗加密和调用接口 2.vb虚拟解释器的跟踪 vb代码跟踪还是比较麻烦的事情,因为软件的加密算法存储在rockey狗里面,软件产生算法并调用加密狗运算,比对其结果是否一致就认为软件合法性了,所以只要跟踪出vb里面的运算算法然后伪造出rockey的加密狗接口即可了 vb算法跟踪工作当初由兽兽搞了2个星期在softice下很不容易的完成了 接下来的rockey接口就由我来干了 以下是rockey模拟接口, dllshell.cpp 模拟 rydll16.dll rockey功能函数
z.dll 是rydll16.dll(未作修改,只是更改名称)
rydll16.dll 修改过的动态库,与并口软件狗匹配
狗的密码都是公开,参见rockey sdk文档或代码,
并口狗的身份id: 0x5193e484
// Borland C++ - (C) Copyright 1991, 1992 by Borland International

// Example program used to demonstrate DLL's. This file one of the
// files used to build BITMAP.DLL which is used in the DLLDEMO program.
//
// dllshell.cpp: drop-in replacement for rydll16.dll (the Rockey dongle
// driver) that answers the host application's dongle calls locally.
// What a defender should take from this file: every decision is made on
// the client. Function 1 still forwards to the original driver (renamed
// z.dll) and checks the parallel-port dongle ID, but functions 5 and 14
// produce their replies purely in software. An application that only
// *compares* a value it computed itself against the token's reply gains
// nothing from the token once that reference computation is known; a
// licence token has to be needed for work the application cannot redo
// on its own (e.g. decrypting code or data it actually requires), not
// merely to confirm a result.

#define STRICT
#include <windows.h>

// Turn off warning: Parameter '' is never used
#pragma argsused

// Every DLL has an entry point LibMain and an exit point WEP.
int FAR PASCAL LibMain( HINSTANCE hInstance, WORD wDataSegment,
                        WORD wHeapSize, LPSTR lpszCmdLine )
{
  // The startup code for the DLL initializes the local heap (if there is one)
  // with a call to LocalInit which locks the data segment.
  if ( wHeapSize != 0 )
    UnlockData( 0 );
  return 1;   // Indicate that the DLL was initialized successfully.
}

// Turn off warning: Parameter '' is never used
#pragma argsused

// 16-bit DLL exit point; nothing to tear down here.
int FAR PASCAL WEP ( int bSystemExit )
{
  return 1;
}

#include <stdio.h>
#include <string.h>
#include <stdlib.h>


// Pointer to the *original* driver's Rockey export. It is resolved from
// z.dll inside Rockey() (function 1) and is only valid while that library
// is loaded; it is not reset after FreeLibrary, so never call it elsewhere.
WORD (CALLBACK *_Rockey)(WORD function, WORD FAR* handle, DWORD FAR* lp1, DWORD FAR* lp2, WORD FAR* p1, WORD FAR* p2, WORD FAR* p3, WORD FAR* p4, BYTE FAR* buffer);


// Exported entry with the same signature as the real driver's Rockey().
// function selects the operation; handle/lp1/lp2/p1..p4/buffer are the
// caller's in/out parameters (all dereferenced unconditionally below, so
// the caller must pass valid pointers for every one of them).
// Return value: 0 = success; for function 1 also 1 = driver could not be
// loaded/resolved, 2 = no dongle or wrong dongle ID. Every other function
// code returns 0 whether or not it was recognised.
extern "C" PASCAL WORD FAR _export Rockey(WORD function, WORD* handle,
  DWORD* lp1, DWORD* lp2, WORD* p1, WORD* p2, WORD* p3, WORD* p4, BYTE* buffer){
  char buf[2048];
  memset(buf,0,2048);
  // sprintf(buf,"传入参数:function:%d,handle:%d,p1:%d,p2:%d,p3:%d,p4:%d",
  // function,*handle,*p1,*p2,*p3,*p4);


  /* sprintf(buf,"传入参数:function:%d,handle:%d,p1:%p,p2:%p,p3:%p,p4:%p",
  function,*handle,p1,p2,p3,p4);
  */
  // Debug trace of the incoming arguments. It is formatted on every call
  // but only shown if the MessageBox below is re-enabled.
  sprintf(buf,"传入参数:function:%d,handle:%d,p1:%p,%d,p2:%p,%d,p3:%p,%d,p4:%p,%d",
  function,*handle,p1,*p1,p2,*p2,p3,*p3,p4,*p4);
  // MessageBox(0,buf,"RYDLL16",MB_OK);


  /***********************************************************/
  /*
  Query the attached hardware dongle.
  */
  // Note:
  /*
  LoadLibrary and FreeLibrary must appear in pairs here; if FreeLibrary is
  forgotten, loading the library will fail the next time the software starts.

  2003.06.24 10:49 am runonce shanghai radio


  */
  if(function==1){ // query the dongle
    // Function 1 is the only operation still delegated to the real driver:
    // z.dll (the renamed original rydll16.dll) is loaded, its Rockey export
    // is called with the dongle's fixed passwords, and the reported ID is
    // compared with the parallel-port dongle's ID 0x5193E484.
    HINSTANCE hDll;
    WORD _handle[16], _p1, _p2, _p3, _p4, _retcode;   // _retcode is never used; see retcode below
    DWORD _lp1, _lp2;                                  // _lp1 receives the dongle ID; _lp2 is only passed through
    hDll = LoadLibrary("z.dll");
    if (hDll == NULL)
    {
      MessageBox(0,"load z.dll failed",0,MB_OK);
      return 1;
    }

    // NOTE(review): assigning through a cast lvalue relies on a compiler
    // extension; the resolved pointer is NULL-checked below.
    (FARPROC)_Rockey = GetProcAddress(hDll, "Rockey");
    // Dongle passwords (published in the Rockey SDK, per the page text).
    _p1 = 0xc44c;
    _p2 = 0xc8f8;
    _p3 = 0x0799;
    _p4 = 0xc43b;
    WORD retcode;
    if(_Rockey==NULL){
      FreeLibrary(hDll);   // keep the load/free pairing on the failure path too
      return 1;
    }

    // Debug residue: *_Rockey is a function, not an int, so formatting it
    // with %d is undefined behaviour. The sprintf runs unconditionally even
    // though its output is never shown.
    char bb[500];
    memset(bb,0,sizeof(bb));
    sprintf(bb,"yyyyyy. %d",*_Rockey);
    // MessageBox(0,bb,0,MB_OK);

    // Scratch buffer handed to the real driver; 200 bytes is the author's
    // choice, not a size taken from any visible documentation — TODO confirm
    // against the SDK.
    BYTE _buffer[200];
    memset(_buffer,0,sizeof(_buffer));
    retcode = _Rockey(1, &_handle[0], &_lp1, &_lp2, &_p1, &_p2, &_p3, &_p4, _buffer);
    FreeLibrary(hDll);   // release the driver before inspecting the results
    if(retcode){
      // MessageBox(0,"ret is not zero",0,MB_OK);
      return 2;
    }
    if(_lp1 !=0x5193E484){ // ID of the parallel-port dongle
      // MessageBox(0,"find dog error!",0,MB_OK);
      return 2;
    }
    else{
      // MessageBox(0,"find dog ok!",0,MB_OK);
      return 0;
    }

  }

  /***********************************************************/
  if(function==5){
    // Unbounded copy into the caller's buffer. The caller's buffer size is
    // not visible here, so this silently assumes room for at least 5 bytes.
    strcpy(buffer,"ZYYS");
  }
  if(function==14){
    // Reply computed entirely in software from the four input words.
    char temp[25];       // cleared but never used
    memset(temp,0,25);
    // save the incoming parameters
    int temp1=*p1;
    int temp2=*p2;
    int temp3=*p3;
    int temp4=*p4;
    // Arithmetic is done in int and stored back into 16-bit WORDs, so each
    // result is implicitly truncated to its low 16 bits. *p4 reads the
    // already-updated *p2, so statement order matters here.
    *p1=(temp1*temp2)+(temp1*temp2*temp4);
    *p2=(temp3+temp4+temp1*temp2+temp1*temp2*temp4)*2;
    *p3=temp1*temp2*temp4;
    *p4=(temp4+1)*temp2*(temp1*2)+(*p2);
  }

  // Reached for functions 5 and 14 after their side effects, and for any
  // function code not handled above (reported as success, outputs untouched).
  return 0;
}