一款工程预算软件,曾经在上海建筑行业非常风光。
研究了其技术,发觉是采用vb16编写的,后来升级到了vb32。
要破解其实有两个步骤:
1.分析rockey 软件狗加密和调用接口
2.vb虚拟解释器的跟踪
vb代码跟踪还是比较麻烦的事情,因为软件的加密算法存储在rockey狗里面,软件产生算法并调用加密狗运算,比对其结果是否一致就认为软件合法性了,所以只要跟踪出vb里面的运算算法然后伪造出rockey的加密狗接口即可了
vb算法跟踪工作当初由兽兽搞了2个星期在softice下很不容易的完成了
接下来的rockey接口就由我来干了
以下是rockey模拟接口:
dllshell.cpp 模拟 rydll16.dll rockey功能函数
z.dll 是rydll16.dll(未作修改,只是更改名称)
rydll16.dll 修改过的动态库,与并口软件狗匹配
狗的密码都是公开的,参见rockey sdk文档或代码。
并口狗的身份id: 0x5193e484
1 // Borland C++ - (C) Copyright 1991, 1992 by Borland International
2
3 // Example program used to demonstrate DLL's. This file one of the
4 // files used to build BITMAP.DLL which is used in the DLLDEMO program.
5
6 #define STRICT
7 #include <windows.h>
8
9 // Turn off warning: Parameter '' is never used
10 #pragma argsused
11
12 // Every DLL has an entry point LibMain and an exit point WEP.
// LibMain: Win16 DLL initialisation entry point.
// The Borland startup code has already run LocalInit for the local heap when
// one exists (wHeapSize non-zero), and LocalInit leaves the data segment
// locked; the only job here is to release that lock. hInstance, wDataSegment
// and lpszCmdLine are unused (hence the #pragma argsused above).
// Returns 1 to report that the DLL initialised successfully.
int FAR PASCAL LibMain( HINSTANCE hInstance, WORD wDataSegment,
WORD wHeapSize, LPSTR lpszCmdLine )
{
    const int hasLocalHeap = (wHeapSize != 0);
    if (hasLocalHeap) {
        UnlockData( 0 );
    }
    return 1;
}
22
23 // Turn off warning: Parameter '' is never used
24 #pragma argsused
25
// WEP: Win16 DLL exit procedure. There is nothing to release, so it reports
// success (1) whether the call is a normal unload or a system exit;
// bSystemExit is not examined (hence the #pragma argsused above).
int FAR PASCAL WEP ( int bSystemExit )
{
    const int wepOk = 1;
    return wepOk;
}
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34
35
// Signature of the real driver's Rockey export (Win16 callback convention).
typedef WORD (CALLBACK *RockeyProc)(WORD function, WORD FAR* handle, DWORD FAR* lp1, DWORD FAR* lp2, WORD FAR* p1, WORD FAR* p2, WORD FAR* p3, WORD FAR* p4, BYTE FAR* buffer);

// File-scope pointer to that export; the Rockey wrapper below fills it in
// with GetProcAddress each time it loads z.dll. Note the name starts with
// an underscore followed by an uppercase letter, which is reserved for the
// implementation in standard C/C++.
RockeyProc _Rockey;
37
38
/*
 * Rockey: exported replacement for the dongle driver entry point of the same
 * name. Callers pass a function code plus in/out pointers; the wrapper
 * dispatches on `function`:
 *   1  - dongle presence check: loads the renamed original driver (z.dll),
 *        calls its Rockey(1, ...) with private locals and accepts only when
 *        the returned lp1 equals the constant 0x5193E484. Returns 1 if z.dll
 *        or its export cannot be loaded, 2 if the driver reports non-zero or
 *        the ID differs, 0 on match.
 *   5  - copies the string "ZYYS" into buffer, then returns 0.
 *   14 - recomputes *p1..*p4 from the incoming values, then returns 0.
 *   any other code - returns 0 with the outputs untouched.
 * The caller's handle, lp1 and lp2 are never written: function 1 uses its
 * own locals for the forwarded call and does not copy the driver's results
 * back. handle and p1..p4 are dereferenced unconditionally by the trace
 * sprintf below, so a NULL pointer from the caller faults before dispatch.
 * The entire accept/reject decision for function 1 is that one comparison
 * against the constant; nothing else in the driver's reply is examined.
 */
extern "C" PASCAL WORD FAR _export Rockey(WORD function, WORD* handle,
DWORD* lp1, DWORD* lp2, WORD* p1, WORD* p2, WORD* p3, WORD* p4, BYTE* buffer){
    // Debug trace of the incoming arguments. buf is built but never shown
    // (the MessageBox call is commented out). All conversions take
    // fixed-width integers or pointers, so 2048 bytes is ample, but sprintf
    // itself carries no bound; snprintf would make the limit explicit.
    char buf[2048];
    memset(buf,0,2048);
    // sprintf(buf,"传入参数:function:%d,handle:%d,p1:%d,p2:%d,p3:%d,p4:%d",
    // function,*handle,*p1,*p2,*p3,*p4);


    /* sprintf(buf,"传入参数:function:%d,handle:%d,p1:%p,p2:%p,p3:%p,p4:%p",
    function,*handle,p1,p2,p3,p4);
    */
    sprintf(buf,"传入参数:function:%d,handle:%d,p1:%p,%d,p2:%p,%d,p3:%p,%d,p4:%p,%d",
    function,*handle,p1,*p1,p2,*p2,p3,*p3,p4,*p4);
    // MessageBox(0,buf,"RYDLL16",MB_OK);


    /***********************************************************/
    /*
    Query the attached dongle.
    */
    // Note:
    /*
    LoadLibrary and FreeLibrary must be paired here; if FreeLibrary is
    forgotten, loading the DLL fails the next time the software starts.

    2003.06.24 10:49 am runonce shanghai radio


    */
    if(function==1){ // dongle presence check
        HINSTANCE hDll;
        // Only _handle[0] is ever passed on; _retcode is declared but unused.
        WORD _handle[16], _p1, _p2, _p3, _p4, _retcode;
        DWORD _lp1, _lp2;
        // Bare module name: resolved through the loader's DLL search order,
        // not a fixed path.
        hDll = LoadLibrary("z.dll");
        if (hDll == NULL)
        {
            MessageBox(0,"load z.dll failed",0,MB_OK);
            return 1;
        }

        // A cast on the assignment target is a compiler extension (Borland
        // accepts it); standard C++ would cast the FARPROC result instead.
        (FARPROC)_Rockey = GetProcAddress(hDll, "Rockey");
        // Fixed words handed to the real driver as p1..p4 — presumably the
        // dongle password values the note above the listing refers to;
        // not verifiable from here.
        _p1 = 0xc44c;
        _p2 = 0xc8f8;
        _p3 = 0x0799;
        _p4 = 0xc43b;
        WORD retcode;
        if(_Rockey==NULL){
            FreeLibrary(hDll);
            return 1;
        }

        // NOTE(review): the literal below is split across two lines as the
        // page shows it, which is not valid C/C++; the original text is not
        // recoverable from here. It also formats a function value with %d,
        // so even an intact line would have a mismatched conversion. The
        // result is only used by a commented-out MessageBox.
        char bb[500];
        memset(bb,0,sizeof(bb));
        sprintf(bb,"yyyyyy
. %d",*_Rockey);
        // MessageBox(0,bb,0,MB_OK);

        BYTE _buffer[200];
        memset(_buffer,0,sizeof(_buffer));
        // Forward the check to the real driver, then release the library
        // straight away (see the pairing note above). _lp1 receives the
        // device ID that is compared below.
        retcode = _Rockey(1, &_handle[0], &_lp1, &_lp2, &_p1, &_p2, &_p3, &_p4, _buffer);
        FreeLibrary(hDll);
        if(retcode){
            // MessageBox(0,"ret is not zero",0,MB_OK);
            return 2;
        }
        // Accept only the one hardcoded device ID; any other reply is rejected.
        if(_lp1 !=0x5193E484){ // parallel-port dongle ID
            // MessageBox(0,"find dog error!",0,MB_OK);
            return 2;
        }
        else{
            // MessageBox(0,"find dog ok!",0,MB_OK);
            return 0;
        }

    }

    /***********************************************************/
    // Writes 5 bytes ("ZYYS" plus the terminator) into the caller's buffer.
    // The ABI conveys no capacity and buffer is not checked for NULL, so the
    // caller must supply at least 5 writable bytes. Falls through to return 0.
    if(function==5){
        strcpy(buffer,"ZYYS");
    }
    // Recompute the four WORD outputs from the incoming values. temp is
    // unused. The arithmetic is done in int and narrowed to WORD on store,
    // so each stored result wraps modulo 2^16; on a 16-bit target the int
    // products can also overflow signed int. *p4 reads the already updated
    // *p2, so the statement order matters. Whether this matches the real
    // device's arithmetic cannot be checked from here.
    if(function==14){
        char temp[25];
        memset(temp,0,25);
        // record the incoming parameters
        int temp1=*p1;
        int temp2=*p2;
        int temp3=*p3;
        int temp4=*p4;
        *p1=(temp1*temp2)+(temp1*temp2*temp4);
        *p2=(temp3+temp4+temp1*temp2+temp1*temp2*temp4)*2;
        *p3=temp1*temp2*temp4;
        *p4=(temp4+1)*temp2*(temp1*2)+(*p2);
    }

    // Every other function code is reported as success with the outputs untouched.
    return 0;
}