Analysis of the Protection Scheme of a Beauty Diagnosis Program

Source: Internet | Editor: 程序博客网 | Time: 2024/04/30 11:10

Software: XXX beauty diagnosis program

Protection scheme: serial number + system code + unlock code; VB6 program, no packer.

First the serial number is entered, then the unlock code.

Entering a wrong serial number pops up an error message, so I set a breakpoint on rtcMsgBox. It breaks almost immediately; returning to the process's own code lands here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006B9871(C)
|

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                  |
:006B9B43 8B3D34134000            mov edi, dword ptr [00401334]
:006B9B49 B904000280              mov ecx, 80020004
:006B9B4E 894D8C                  mov dword ptr [ebp-74], ecx
:006B9B51 B80A000000              mov eax, 0000000A
:006B9B56 894D9C                  mov dword ptr [ebp-64], ecx
:006B9B59 8D9554FFFFFF            lea edx, dword ptr [ebp+FFFFFF54]
:006B9B5F 8D4DA4                  lea ecx, dword ptr [ebp-5C]
:006B9B62 894584                  mov dword ptr [ebp-7C], eax
:006B9B65 894594                  mov dword ptr [ebp-6C], eax
:006B9B68 C7855CFFFFFFDCFC4300    mov dword ptr [ebp+FFFFFF5C], 0043FCDC
:006B9B72 C78554FFFFFF08000000    mov dword ptr [ebp+FFFFFF54], 00000008
:006B9B7C FFD7                    call edi
:006B9B7E 8D9564FFFFFF            lea edx, dword ptr [ebp+FFFFFF64]
:006B9B84 8D4DB4                  lea ecx, dword ptr [ebp-4C]
:006B9B87 C7856CFFFFFFC0FC4300    mov dword ptr [ebp+FFFFFF6C], 0043FCC0
:006B9B91 C78564FFFFFF08000000    mov dword ptr [ebp+FFFFFF64], 00000008
:006B9B9B FFD7                    call edi
:006B9B9D 8D4584                  lea eax, dword ptr [ebp-7C]
:006B9BA0 8D4D94                  lea ecx, dword ptr [ebp-6C]
:006B9BA3 50                      push eax
:006B9BA4 8D55A4                  lea edx, dword ptr [ebp-5C]
:006B9BA7 51                      push ecx
:006B9BA8 52                      push edx
:006B9BA9 8D45B4                  lea eax, dword ptr [ebp-4C]
:006B9BAC 6A40                    push 00000040
:006B9BAE 50                      push eax

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                  |
:006B9BAF FF15E0104000            Call dword ptr [004010E0]

There are two key points in the code above: the rtcMsgBox call itself, and the referencing address 006B9871. Going to that address, this should be the failure path:

* Reference To: MSVBVM60.rtcUpperCaseVar, Ord:0210h
                                  |
:006B9837 FF156C114000            Call dword ptr [0040116C]
:006B983D 8D5584                  lea edx, dword ptr [ebp-7C]
:006B9840 8D4594                  lea eax, dword ptr [ebp-6C]
:006B9843 52                      push edx
:006B9844 50                      push eax

* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
                                  |
:006B9845 FF1584114000            Call dword ptr [00401184]
:006B984B 8D4DC4                  lea ecx, dword ptr [ebp-3C]
:006B984E 668BF8                  mov di, ax

* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
                                  |
:006B9851 FF15C4134000            Call dword ptr [004013C4]
:006B9857 8D4D94                  lea ecx, dword ptr [ebp-6C]
:006B985A 8D5584                  lea edx, dword ptr [ebp-7C]
:006B985D 51                      push ecx
:006B985E 8D45A4                  lea eax, dword ptr [ebp-5C]
:006B9861 52                      push edx
:006B9862 8D4DB4                  lea ecx, dword ptr [ebp-4C]
:006B9865 50                      push eax
:006B9866 51                      push ecx
:006B9867 6A04                    push 00000004
:006B9869 FFD3                    call ebx
:006B986B 83C414                  add esp, 00000014
:006B986E 6685FF                  test di, di
:006B9871 0F84CC020000            je 006B9B43

Here __vbaVarTstEq compares the two values for equality, and at 006B9871 there is a conditional jump: if it is taken, the check fails. So changing this jump gets you straight into the main window.

After entering the main window, clicking certain functions still pops up the registration dialog. Although any input registers successfully at this point, it is still annoying, and the same dialog also appears at startup.

Let me organise my thoughts. The registration box appears when the program starts, which means the program checks at startup whether registration has succeeded. There are two possibilities: either the serial number and unlock code are stored in the registry and some function is called at startup to validate them, or a flag indicating successful registration is stored in the registry. If it is the first, the startup check and the registration check very likely call the same function. Tracing the registration process reveals the core function, 00636280:

eax=0017C48C, (UNICODE "1234567890")
Stack ss:[0012EEC4]=001F1444, (UNICODE "QIN-PSIM-BAS-648444312-C8D3F30F4425080D-ANGEL-11111-22222-33333-44444-55555-QI")

006B97E6    > /8B45 D4            mov eax,dword ptr ss:[ebp-2C]                          ;  unlock code
006B97E9    .  8D55 E8            lea edx,dword ptr ss:[ebp-18]
006B97EC    .  8945 8C            mov dword ptr ss:[ebp-74],eax                          ;  eax = unlock code entered by the user
006B97EF    .  8D45 B4            lea eax,dword ptr ss:[ebp-4C]
006B97F2    .  8995 6CFFFFFF      mov dword ptr ss:[ebp-94],edx
006B97F8    .  8D8D 64FFFFFF      lea ecx,dword ptr ss:[ebp-9C]
006B97FE    .  50                 push eax
006B97FF    .  8D55 A4            lea edx,dword ptr ss:[ebp-5C]
006B9802    .  51                 push ecx
006B9803    .  52                 push edx
006B9804    .  C745 D4 00000000   mov dword ptr ss:[ebp-2C],0
006B980B    .  C745 84 08800000   mov dword ptr ss:[ebp-7C],8008
006B9812    .  C745 BC 10000000   mov dword ptr ss:[ebp-44],10
006B9819    .  C745 B4 02000000   mov dword ptr ss:[ebp-4C],2
006B9820    .  C785 64FFFFFF 0840>mov dword ptr ss:[ebp-9C],4008
006B982A    .  E8 51CAF7FF        call Angel.00636280                                    ;  -- the core code-computation routine
006B982F    .  8D45 A4            lea eax,dword ptr ss:[ebp-5C]
006B9832    .  8D4D 94            lea ecx,dword ptr ss:[ebp-6C]
006B9835    .  50                 push eax
006B9836    .  51                 push ecx
006B9837    .  FF15 6C114000      call dword ptr ds:[<&MSVBVM60.#528>]                   ;  MSVBVM60.rtcUpperCaseVar
006B983D    .  8D55 84            lea edx,dword ptr ss:[ebp-7C]                          ;  "-44444-55555"
006B9840    .  8D45 94            lea eax,dword ptr ss:[ebp-6C]
006B9843    .  52                 push edx
006B9844    .  50                 push eax
006B9845    .  FF15 84114000      call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]          ;  MSVBVM60.__vbaVarTstEq
006B984B    .  8D4D C4            lea ecx,dword ptr ss:[ebp-3C]
006B984E    .  66:8BF8            mov di,ax
006B9851    .  FF15 C4134000      call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]           ;  MSVBVM60.__vbaFreeObj
006B9857    .  8D4D 94            lea ecx,dword ptr ss:[ebp-6C]
006B985A    .  8D55 84            lea edx,dword ptr ss:[ebp-7C]
006B985D    .  51                 push ecx
006B985E    .  8D45 A4            lea eax,dword ptr ss:[ebp-5C]
006B9861    .  52                 push edx
006B9862    .  8D4D B4            lea ecx,dword ptr ss:[ebp-4C]
006B9865    .  50                 push eax
006B9866    .  51                 push ecx
006B9867    .  6A 04              push 4
006B9869    .  FFD3               call ebx
006B986B    .  83C4 14            add esp,14
006B986E    .  66:85FF            test di,di                                             ;  di = return value of __vbaVarTstEq; 0 means not equal
006B9871    .  0F84 CC020000      je <Angel.Fail>

So I set a breakpoint on the core function of the registration process, 00636280. After restarting the program it does break; analysing the context leads here:

00656667    .  51                 push ecx
00656668    .  52                 push edx
00656669    .  E8 12FCFDFF        call Angel.00636280
0065666E    .  8D45 A0            lea eax,dword ptr ss:[ebp-60]
00656671    .  8D4D 90            lea ecx,dword ptr ss:[ebp-70]
00656674    .  50                 push eax
00656675    .  51                 push ecx
00656676    .  FF15 6C114000      call dword ptr ds:[<&MSVBVM60.#528>]         ;  MSVBVM60.rtcUpperCaseVar
0065667C    .  8D55 80            lea edx,dword ptr ss:[ebp-80]                ;  "G:255 B:"
0065667F    .  8D45 90            lea eax,dword ptr ss:[ebp-70]
00656682    .  52                 push edx
00656683    .  8D8D 70FFFFFF      lea ecx,dword ptr ss:[ebp-90]
00656689    .  50                 push eax
0065668A    .  51                 push ecx
0065668B    .  FF15 6C124000      call dword ptr ds:[<&MSVBVM60.__vbaVarCat>]  ;  MSVBVM60.__vbaVarCat
00656691    .  50                 push eax
00656692    .  FF15 38104000      call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>;  MSVBVM60.__vbaStrVarMove
00656698    .  8BD0               mov edx,eax
0065669A    .  8D4D E0            lea ecx,dword ptr ss:[ebp-20]
0065669D    .  FFD6               call esi
0065669F    .  8D55 D4            lea edx,dword ptr ss:[ebp-2C]
006566A2    .  8D45 D8            lea eax,dword ptr ss:[ebp-28]
006566A5    .  52                 push edx
006566A6    .  50                 push eax
006566A7    .  6A 02              push 2
006566A9    .  FF15 DC124000      call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>;  MSVBVM60.__vbaFreeStrList
006566AF    .  8D8D 70FFFFFF      lea ecx,dword ptr ss:[ebp-90]
006566B5    .  8D55 90            lea edx,dword ptr ss:[ebp-70]
006566B8    .  51                 push ecx
006566B9    .  8D45 80            lea eax,dword ptr ss:[ebp-80]
006566BC    .  52                 push edx
006566BD    .  8D4D A0            lea ecx,dword ptr ss:[ebp-60]
006566C0    .  50                 push eax
006566C1    .  8D55 B0            lea edx,dword ptr ss:[ebp-50]
006566C4    .  51                 push ecx
006566C5    .  8D45 C0            lea eax,dword ptr ss:[ebp-40]
006566C8    .  52                 push edx
006566C9    .  50                 push eax
006566CA    .  6A 06              push 6
006566CC    .  FF15 48104000      call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>;  MSVBVM60.__vbaFreeVarList
006566D2    .  8B4D E0            mov ecx,dword ptr ss:[ebp-20]
006566D5    .  83C4 28            add esp,28
006566D8    .  68 D09C4300        push Angel.00439CD0                          ;  UNICODE "QIN-"
006566DD    .  51                 push ecx
006566DE    .  FFD3               call ebx
006566E0    .  8BD0               mov edx,eax
006566E2    .  8D4D D8            lea ecx,dword ptr ss:[ebp-28]
006566E5    .  FFD6               call esi
006566E7    .  50                 push eax
006566E8    .  68 E09C4300        push Angel.00439CE0                          ;  UNICODE "-ANGEL-"
006566ED    .  FFD3               call ebx
006566EF    .  8BD0               mov edx,eax
006566F1    .  8D4D D4            lea ecx,dword ptr ss:[ebp-2C]
006566F4    .  FFD6               call esi
006566F6    .  8B55 DC            mov edx,dword ptr ss:[ebp-24]
006566F9    .  50                 push eax
006566FA    .  52                 push edx
006566FB    .  FFD3               call ebx
006566FD    .  8BD0               mov edx,eax                                  ;  UNICODE "QIN-PSIM-BAS-648444312-C8D3F30F4425080D-ANGEL-11111-22222-33333-44444-55555"

Here you can see the user-entered serial number and the system code being concatenated.

006566FF    .  8D4D D0            lea ecx,dword ptr ss:[ebp-30]
00656702    .  FFD6               call esi
00656704    .  50                 push eax
00656705    .  68 F49C4300        push Angel.00439CF4                          ;  UNICODE "-QI"
0065670A    .  FFD3               call ebx
0065670C    .  8BD0               mov edx,eax
0065670E    .  8D4D EC            lea ecx,dword ptr ss:[ebp-14]
00656711    .  FFD6               call esi
00656713    .  8D45 D0            lea eax,dword ptr ss:[ebp-30]
00656716    .  8D4D D4            lea ecx,dword ptr ss:[ebp-2C]
00656719    .  50                 push eax
0065671A    .  8D55 D8            lea edx,dword ptr ss:[ebp-28]
0065671D    .  51                 push ecx
0065671E    .  52                 push edx
0065671F    .  6A 03              push 3
00656721    .  FF15 DC124000      call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>;  MSVBVM60.__vbaFreeStrList
00656727    .  83C4 10            add esp,10
0065672A    .  8D45 EC            lea eax,dword ptr ss:[ebp-14]
0065672D    .  8D4D C0            lea ecx,dword ptr ss:[ebp-40]
00656730    .  8985 68FFFFFF      mov dword ptr ss:[ebp-98],eax                ;  UNICODE "-668135518"
00656736    .  8D95 60FFFFFF      lea edx,dword ptr ss:[ebp-A0]
0065673C    .  51                 push ecx
0065673D    .  8D45 B0            lea eax,dword ptr ss:[ebp-50]
00656740    .  BB 02000000        mov ebx,2
00656745    .  52                 push edx
00656746    .  50                 push eax
00656747    .  C745 C8 10000000   mov dword ptr ss:[ebp-38],10
0065674E    .  895D C0            mov dword ptr ss:[ebp-40],ebx
00656751    .  C785 60FFFFFF 0840>mov dword ptr ss:[ebp-A0],4008
0065675B    .  E8 20FBFDFF        call Angel.00636280                          ;  call the core function; after it returns the decoded value appears in plaintext
00656760    .  8D4D B0            lea ecx,dword ptr ss:[ebp-50]
00656763    .  8D55 A0            lea edx,dword ptr ss:[ebp-60]
00656766    .  51                 push ecx
00656767    .  52                 push edx
00656768    .  FF15 6C114000      call dword ptr ds:[<&MSVBVM60.#528>]         ;  MSVBVM60.rtcUpperCaseVar
0065676E    .  8D45 A0            lea eax,dword ptr ss:[ebp-60]
00656771    .  50                 push eax
00656772    .  FF15 38104000      call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>;  MSVBVM60.__vbaStrVarMove
00656778    .  8BD0               mov edx,eax
0065677A    .  8D4D E0            lea ecx,dword ptr ss:[ebp-20]
0065677D    .  FFD6               call esi
0065677F    .  8D4D A0            lea ecx,dword ptr ss:[ebp-60]
00656782    .  8D55 B0            lea edx,dword ptr ss:[ebp-50]
00656785    .  51                 push ecx
00656786    .  8D45 C0            lea eax,dword ptr ss:[ebp-40]
00656789    .  52                 push edx
0065678A    .  50                 push eax
0065678B    .  6A 03              push 3
0065678D    .  FF15 48104000      call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>;  MSVBVM60.__vbaFreeVarList
00656793    .  8B4D E4            mov ecx,dword ptr ss:[ebp-1C]                ;  "1234567890"
00656796    .  8B55 E0            mov edx,dword ptr ss:[ebp-20]                ;  "E32706D6BDC96F56"  --- the decoded value in plaintext; a memory keygen can be built from this
00656799    .  83C4 10            add esp,10
0065679C    .  51                 push ecx
0065679D    .  52                 push edx
0065679E    .  FF15 78114000      call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>]  ;  MSVBVM60.__vbaStrCmp  compares the two strings
006567A4    .  85C0               test eax,eax
006567A6    .  0F84 9D000000      je Angel.00656849                            ;  ----- for a patch, changing this jump is enough
006567AC    .  393D E4557B00      cmp dword ptr ds:[7B55E4],edi
006567B2    .  75 10              jnz short Angel.006567C4

Summary: the software is protected with a serial number, a system code and an unlock code. The entry point is rtcMsgBox, but once the analysis is done there turns out to be a quicker one: __vbaStrCmp. The program combines the serial number and the system code, encrypts the result to produce the unlock code, and compares that with the unlock code entered by the user. The algorithm is flawed in that the valid unlock code appears directly in memory; it would be safer to apply the inverse operation to the user's unlock code and then compare. In the end this software can be fully cracked either with a memory keygen or by patching the jump. With some patience, tracing 00636280 would reveal the actual algorithm.
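As an added example (not code from the post or from the program analysed), the two verification patterns the summary contrasts, written in Python. The string layout "QIN-<serial>-ANGEL-<system code>-QI" follows the trace above; the XOR transform, its key and the sample serial and system code are constructed placeholders, since the real routine at 00636280 was not traced.

```python
# Added example, not code from the post or from the program analysed.
# Layout "QIN-<serial>-ANGEL-<system code>-QI" follows the trace; the transform,
# KEY and sample values are constructed placeholders, not the routine at 00636280.
KEY = b"placeholder-key"  # hypothetical; the real routine was not traced


def build_material(serial: str, system_code: str) -> str:
    """Concatenation seen at 006566D8..006566FB in the trace."""
    return f"QIN-{serial}-ANGEL-{system_code}-QI"


def transform(material: str) -> str:
    """Stand-in for the unknown core routine: keyed XOR, hex-encoded, upper case."""
    data = material.encode()
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data)).hex().upper()


def inverse(code: str) -> str:
    """Exact inverse of transform(); bytes.fromhex raises ValueError on bad input."""
    data = bytes.fromhex(code)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data)).decode(errors="replace")


def verify_compute_then_compare(serial, system_code, user_code, trace):
    """Pattern found in the binary: derive the valid code, then compare it with the
    input (__vbaStrCmp at 0065679E). Each intermediate string is appended to `trace`,
    standing in for what a debugger sees in memory at the compare."""
    material = build_material(serial, system_code)
    expected = transform(material)  # the valid unlock code now exists in memory
    trace += [material, expected, user_code]
    return expected == user_code.upper()


def verify_invert_then_compare(serial, system_code, user_code, trace):
    """Pattern the write-up recommends: invert the user's input and compare with the
    material. The valid code is never built, so a wrong input never reveals it; the
    transform itself is still reversible by anyone who reads the binary."""
    material = build_material(serial, system_code)
    try:
        recovered = inverse(user_code)
    except ValueError:  # odd length or non-hex characters
        recovered = ""
    trace += [material, user_code, recovered]
    return recovered == material
```

With the wrong input "1234567890" from the trace, the first verifier's `trace` still contains the valid code (which is what the memory keygen reads), while the second verifier's does not.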
