一款工程預(yù)算軟件,曾經(jīng)在上海建筑行業(yè)一度非常風(fēng)光 研究了其技術(shù),發(fā)覺是采用vb16編寫的,后來經(jīng)過升級(jí)到了vb32。 要破解其實(shí)有兩個(gè)步驟: 1.分析rockey 軟件狗加密和調(diào)用接口 2.vb虛擬解釋器的跟蹤 vb代碼跟蹤還是比較麻煩的事情,因?yàn)檐浖募用芩惴ù鎯?chǔ)在rockey狗里面,軟件產(chǎn)生算法并調(diào)用加密狗運(yùn)算,比對(duì)其結(jié)果是否一致就認(rèn)為軟件合法性了,所以只要跟蹤出vb里面的運(yùn)算算法然后偽造出rockey的加密狗接口即可了 vb算法跟蹤工作當(dāng)初由獸獸搞了2個(gè)星期在softice下很不容易的完成了 接下來的rockey接口就由我來干了 以下是rockey模擬接口, dllshell.cpp 模擬 rydll16.dll rockey功能函數(shù)
z.dll 是rydll16.dll(未作修改,只是更改名稱)
rydll16.dll 修改過的動(dòng)態(tài)庫,與并口軟件狗匹配
狗的密碼都是公開,參見rockey sdk文檔或代碼,
并口狗的身份id: 0x5193e484
1 // Borland C++ - (C) Copyright 1991, 1992 by Borland International
2
3 // Example program used to demonstrate DLL's. This file one of the
4 // files used to build BITMAP.DLL which is used in the DLLDEMO program.
5
6 #define STRICT
7 #include <windows.h>
8
9 // Turn off warning: Parameter '' is never used
10 #pragma argsused
11
12 // Every DLL has an entry point LibMain and an exit point WEP.
13 int FAR PASCAL LibMain( HINSTANCE hInstance, WORD wDataSegment,
14 WORD wHeapSize, LPSTR lpszCmdLine )
15 {
16 // The startup code for the DLL initializes the local heap (if there is one)
17 // with a call to LocalInit which locks the data segment.
18 if ( wHeapSize != 0 )
19 UnlockData( 0 );
20 return 1; // Indicate that the DLL was initialized successfully.
21 }
22
23 // Turn off warning: Parameter '' is never used
24 #pragma argsused
25
26 int FAR PASCAL WEP ( int bSystemExit )
27 {
28 return 1;
29 }
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34
35
36 WORD (CALLBACK *_Rockey)(WORD function, WORD FAR* handle, DWORD FAR* lp1, DWORD FAR* lp2, WORD FAR* p1, WORD FAR* p2, WORD FAR* p3, WORD FAR* p4, BYTE FAR* buffer);
37
38
39 extern "C" PASCAL WORD FAR _export Rockey(WORD function, WORD* handle,
40 DWORD* lp1, DWORD* lp2, WORD* p1, WORD* p2, WORD* p3, WORD* p4, BYTE* buffer){
41 char buf[2048];
42 memset(buf,0,2048);
43 // sprintf(buf,"傳入?yún)?shù):function:%d,handle:%d,p1:%d,p2:%d,p3:%d,p4:%d",
44 // function,*handle,*p1,*p2,*p3,*p4);
45
46
47 /* sprintf(buf,"傳入?yún)?shù):function:%d,handle:%d,p1:%p,p2:%p,p3:%p,p4:%p",
48 function,*handle,p1,p2,p3,p4);
49 */
50 sprintf(buf,"傳入?yún)?shù):function:%d,handle:%d,p1:%p,%d,p2:%p,%d,p3:%p,%d,p4:%p,%d",
51 function,*handle,p1,*p1,p2,*p2,p3,*p3,p4,*p4);
52 // MessageBox(0,buf,"RYDLL16",MB_OK);
53
54
55 /***********************************************************/
56 /*
57 查詢安插的軟件狗
58 */
59 //注意:
60 /*
61 在這里loadlibrary和freelibrary必須成對(duì)出現(xiàn),如果忘記freelibrary則軟件再次啟動(dòng)加載
62 動(dòng)態(tài)庫時(shí)將失敗
63
64 2003.06.24 10:49 am runonce shanghai radio
65
66
67 */
68 if(function==1){ //查狗
69 HINSTANCE hDll;
70 WORD _handle[16], _p1, _p2, _p3, _p4, _retcode;
71 DWORD _lp1, _lp2;
72 hDll = LoadLibrary("z.dll");
73 if (hDll == NULL)
74 {
75 MessageBox(0,"load z.dll failed",0,MB_OK);
76 return 1;
77 }
78
79 (FARPROC)_Rockey = GetProcAddress(hDll, "Rockey");
80 _p1 = 0xc44c;
81 _p2 = 0xc8f8;
82 _p3 = 0x0799;
83 _p4 = 0xc43b;
84 WORD retcode;
85 if(_Rockey==NULL){
86 FreeLibrary(hDll);
87 return 1;
88 }
89
90 char bb[500];
91 memset(bb,0,sizeof(bb));
92 sprintf(bb,"yyyyyy . %d",*_Rockey);
93 // MessageBox(0,bb,0,MB_OK);
94
95 BYTE _buffer[200];
96 memset(_buffer,0,sizeof(_buffer));
97 retcode = _Rockey(1, &_handle[0], &_lp1, &_lp2, &_p1, &_p2, &_p3, &_p4, _buffer);
98 FreeLibrary(hDll);
99 if(retcode){
100 // MessageBox(0,"ret is not zero",0,MB_OK);
101 return 2;
102 }
103 if(_lp1 !=0x5193E484){ //并口軟件狗ID,
104 // MessageBox(0,"find dog error!",0,MB_OK);
105 return 2;
106 }
107 else{
108 // MessageBox(0,"find dog ok!",0,MB_OK);
109 return 0;
110 }
111
112 }
113
114 /***********************************************************/
115 if(function==5){
116 strcpy(buffer,"ZYYS");
117 }
118 if(function==14){
119 char temp[25];
120 memset(temp,0,25);
121 //記下傳入的參數(shù)
122 int temp1=*p1;
123 int temp2=*p2;
124 int temp3=*p3;
125 int temp4=*p4;
126 *p1=(temp1*temp2)+(temp1*temp2*temp4);
127 *p2=(temp3+temp4+temp1*temp2+temp1*temp2*temp4)*2;
128 *p3=temp1*temp2*temp4;
129 *p4=(temp4+1)*temp2*(temp1*2)+(*p2);
130 }
131
132 return 0;
133 }
|