这是一个国外的工程类软件,用的是阿拉丁的加密狗,软件是几年之前破解的,正好留下了文档,今天就贴上来。
// Excerpt 1a: first call to the routine at 00426163 (the author identifies it as the dongle-read wrapper),
// followed by a presence check on the value left at [ebp-04].
// NOTE(review): the address column (0063xxxx) does not agree with the branch targets (0042xxxx). The encoded
// displacements match the targets only if the code sits at 0042xxxx (E8 A7FBFFFF = -0x459, and
// 00426163 + 0x459 = 004265BC), so the address column appears to have been altered before posting.
// NOTE(review): add esp,24 releases nine dwords but only five pushes are visible here; the other four
// presumably precede this excerpt (the call at 006365F8 pushes four pointers before the same five values).
// Defensive reading: both access codes are plain immediates and the decision is one compare-and-branch on a
// returned flag, so everything this check relies on is readable in the shipped binary.
0063659E 68FE3F0000 push 00003FFE // author: access code ("password") used when reading the Aladdin dongle (1)
006365A3 687B1D0000 push 00001D7B // author: access code for the Aladdin dongle (2)
006365A8 6800000000 push 00000000
006365AD 6800000000 push 00000000
006365B2 6801000000 push 00000001 // last value pushed is 1; the later calls push 5 and 3 here (presumably a service selector, TODO confirm)
006365B7 E8A7FBFFFF call 00426163 // author: read the dongle (1)
006365BC 83C424 add esp, 00000024 // caller removes 0x24 bytes of arguments
006365BF 8B45FC mov eax, dword ptr [ebp-04]> // author: after the read, a value of 1 means a dongle is present
006365C2 B901000000 mov ecx, 00000001
006365C7 39C8 cmp eax, ecx
006365C9 0F85EF020000 jne 004268BE // author: taken when the check fails ("jump and it is over")
// Excerpt 1b: second call to 00426163, this time with the addresses of four locals pushed first
// ([ebp-10], [ebp-0C], [ebp-08], [ebp-04]) so the callee can write results into them, then two checks
// against 1. Both failing branches go to the same target, 004267D2.
006365CF 8D45F0 lea eax, dword ptr [ebp-10]
006365D2 8D4DF4 lea ecx, dword ptr [ebp-0C]
006365D5 8D55F8 lea edx, dword ptr [ebp-08]
006365D8 8D5DFC lea ebx, dword ptr [ebp-04]
006365DB 50 push eax // &[ebp-10]
006365DC 51 push ecx // &[ebp-0C]
006365DD 52 push edx // &[ebp-08]
006365DE 53 push ebx // &[ebp-04]
006365DF 68FE3F0000 push 00003FFE // same two immediates as in the first call
006365E4 687B1D0000 push 00001D7B
006365E9 6800000000 push 00000000
006365EE 6800000000 push 00000000
006365F3 6805000000 push 00000005 // last value pushed is 5 here (1 in the first call)
006365F8 E866FBFFFF call 00426163 // author: read the dongle (2)
006365FD 83C424 add esp, 00000024 // nine dwords pushed, nine removed
00636600 8B45FC mov eax, dword ptr [ebp-04] // author: after the read, a value of 1 means a dongle is present
00636603 B901000000 mov ecx, 00000001
00636608 39C8 cmp eax, ecx
0063660A 0F85C2010000 jne 004267D2 // author: taken when the check fails
00636610 8B45F8 mov eax, dword ptr [ebp-08] // author: another returned value
00636613 39C8 cmp eax, ecx // ecx still holds 1 from 00636603
00636615 0F85B7010000 jne 004267D2 // author: taken when the check fails
// Excerpt 1c: stores the low word of [ebp-0C] at 0045E718, calls the routine at 004261BC with 00005185 and
// a pointer to [ebp-20], then compares the four dwords at [ebp-20]..[ebp-14] with fixed constants.
// The first three mismatches branch to 0042667B; the fourth compare branches to 00426777 on equality.
// Defensive reading: the expected values are immediates and the result is a chain of equality tests, so the
// whole check can be read statically. A design in which the program actually needs data derived from the
// dongle holds up better than a pass/fail comparison.
0063661B 8D0518E74500 lea eax, dword ptr [0045E718]
00636621 8B4DF4 mov ecx, dword ptr [ebp-0C]
00636624 668908 mov word ptr [eax], cx // 16-bit store: only the low word of [ebp-0C] is kept
00636627 6885510000 push 00005185
0063662C 8D05BC614200 lea eax, dword ptr [004261BC]
00636632 8D4DE0 lea ecx, dword ptr [ebp-20]
00636635 51 push ecx
00636636 FFD0 call eax // indirect call to 004261BC; author: computes the returned data
00636638 83C408 add esp, 00000008
0063663B 8B45E0 mov eax, dword ptr [ebp-20]// author: returned data (1), expected value is BB2
0063663E B9B20B0000 mov ecx, 00000BB2 // author: this is the value compared against
00636643 39C8 cmp eax, ecx // compare
00636645 0F8530000000 jne 0042667B // author: jump to the error report
0063664B 8B45E4 mov eax, dword ptr [ebp-1C] // author: returned data (2), expected value is A6FE
0063664E B9FEA60000 mov ecx, 0000A6FE
00636653 39C8 cmp eax, ecx // compare
00636655 0F8520000000 jne 0042667B // author: jump to the error report
0063665B 8B45E8 mov eax, dword ptr [ebp-18] // author: returned data (3), expected value is 6A14
0063665E B9146A0000 mov ecx, 00006A14
00636663 39C8 cmp eax, ecx
:0426665 0F8510000000 jne 0042667B // author: jump to the error report. NOTE(review): address column is garbled on this line; the cross-reference list names 00636665
0063666B 8B45EC mov eax, dword ptr [ebp-14]// author: returned data (4), expected value is 714D
0063666E B94D710000 mov ecx, 0000714D
00636673 39C8 cmp eax, ecx // compare; author: equal means continue to the normal flow
00636675 0F84FC000000 je 00426777 // author: jump to the normal processing flow, marked "key point (1)"
// Excerpt 1d: failure path reached from the three mismatching compares listed in the cross-reference.
// It calls cvirt.LoadPanel; a negative result leads to a beep and a MessagePopup, then an indirect jump to
// 0042676A; a non-negative result continues at 004266C6. The excerpt stops in the middle of an argument sequence.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|00636645(C), 00636655(C), 00636665(C)
|
0063667B 8D0552924700 lea eax, dword ptr [00479252]
00636681 6801000000 push 00000001
00636686 50 push eax
00636687 6800000000 push 00000000
00636687 6800000000 push 00000000 // NOTE(review): repeats address 00636687 from the previous line; looks like a paste duplicate (the matching path at 006367D2 has a single push 0 here)
* Reference To: cvirt.LoadPanel, Ord:0133h
|
0063668C E891B3FDFF Call 00401A22
00636691 8D4DDC lea ecx, dword ptr [ebp-24]
00636694 8901 mov dword ptr [ecx], eax // keep the LoadPanel result in [ebp-24]
00636696 8B45DC mov eax, dword ptr [ebp-24]
00636699 B900000000 mov ecx, 00000000
0063669E 39C8 cmp eax, ecx
006366A0 0F8D20000000 jnl 004266C6 // signed result >= 0: skip the beep and popup
* Reference To: cvirt.CVI_Beep, Ord:0259h
|
006366A6 E845B8FDFF Call 00401EF0
006366AB 8D05EA924700 lea eax, dword ptr [004792EA]
006366B1 8D0DAA924700 lea ecx, dword ptr [004792AA]
006366B7 50 push eax
006366B8 51 push ecx
* Reference To: cvirt.MessagePopup, Ord:014Dh >报错信息! // author: error message
|
006366B9 E8CCB7FDFF Call 00401E8A
006366BE 8D056A674200 lea eax, dword ptr [0042676A]
006366C4 FFE0 jmp eax // indirect jump to 0042676A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|006366A0(C)
|
006366C6 6800000000 push 00000000
006366CB 6812020000 push 00000212
006366D0 6803000000 push 00000003 // excerpt ends here, before the call these arguments belong to
////////////////////////////////////////////////
这样处理后运行程序还会有问题!看样子还没有解决完,咱们再来看看。
第二部分
第一部分的程序在“关键(1)”处跳转后就到了这里,let's go
// Excerpt 2a: target of the je at 00636675. Calls 00426347, sets [ebp-04] to 3, then makes a third call to
// 00426163 with pointers to the same four locals. Afterwards [ebp-0C] is expected to be 0, the low word of
// [ebp-08] is zero-extended into eax, and control leaves through an indirect jump to 004269A7.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|00636675(C)
|
00636777 E8CBFBFFFF call 00426347
0063677C 8D45FC lea eax, dword ptr [ebp-04]
0063677F B903000000 mov ecx, 00000003
00636784 8908 mov dword ptr [eax], ecx // [ebp-04] = 3
00636786 8D4DF0 lea ecx, dword ptr [ebp-10]
00636789 8D55F4 lea edx, dword ptr [ebp-0C]
0063678C 8D5DF8 <, FONT size=3>lea ebx, dword ptr [ebp-08] // NOTE(review): "<, FONT size=3>" is HTML residue from the page, not part of the instruction
0063678F 51 push ecx // &[ebp-10]
00636790 52 push edx // &[ebp-0C]
00636791 53 push ebx // &[ebp-08]
00636792 50 push eax // &[ebp-04]
00636793 68FE3F0000 push 00003FFE // same two immediates as in the earlier calls
00636798 687B1D0000 push 00001D7B
0063679D 6800000000 push 00000000
006367A2 6800000000 push 00000000
006367A7 6803000000 push 00000003 // last value pushed is 3 here
006367AC E8B2F9FFFF call 00426163 // author: one more dongle read here
006367B1 83C424 add esp, 00000024
006367B4 8B45F4 mov eax, dword ptr [ebp-0C] // author: return value (1) should be 0
006367B7 B900000000 mov ecx, 00000000
006367BC 39C8 cmp eax, ecx >比较 // author: compare
006367BE 0F85DE010000 jne 004269A2 不跳 // author: not taken on the expected path
006367C4 8B45F8 mov eax, dword ptr [ebp-08]
006367C7 0FB7C0 movzx eax, ax // keep only the low 16 bits of [ebp-08]
006367CA 8D0DA7694200 lea ecx, dword ptr [004269A7] 注意这里ecx的值是从这里的地址里来的 // author: note that ecx gets its value from this address
006367D0 FFE1 jmp ecx // author: jump to the next part, marked "key point 2"
// Excerpt 2b: failure path for the two checks after the second dongle read (cross-references 0063660A and
// 00636615). Same shape as the path at 0063667B: cvirt.LoadPanel, and on a negative result a beep and a
// MessagePopup followed by an indirect jump to 004268A9; otherwise cvirt.SetCtrlAttribute is called on the
// loaded panel. The excerpt stops in the middle of the next argument sequence.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|0063660A(C), 00636615(C)
|
006367D2 8D0545924700 lea eax, dword ptr [00479245]
006367D8 6801000000 push 00000001
006367DD 50 push eax
006367DE 6800000000 push 00000000
* Reference To: cvirt.LoadPanel, Ord:0133h
|
006367E3 E83AB2FDFF Call 00401A22
006367E8 8D4DDC lea ecx, dword ptr [ebp-24]
006367EB 8901 mov dword ptr [ecx], eax // keep the LoadPanel result in [ebp-24]
006367ED 8B45DC mov eax, dword ptr [ebp-24]
006367F0 B900000000 mov ecx, 00000000
006367F5 39C8 cmp eax, ecx
006367F7 0F8D20000000 jnl 0042681D // signed result >= 0: skip the beep and popup
* Reference To: cvirt.CVI_Beep, Ord:0259h
|
006367FD E8EEB6FDFF Call 00401EF0
00636802 8D05BE924700 lea eax, dword ptr [004792BE]
00636808 8D0D96924700 lea ecx, dword ptr [00479296]
0063680E 50 push eax
0063680F 51 push ecx
* Reference To: cvirt.MessagePopup, Ord:014Dh // author: error message
|
00636810 E875B6FDFF Call 00401E8A
00636815 8D05A9684200 lea eax, dword ptr [004268A9]
0063681B FFE0 jmp eax // indirect jump to 004268A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|006367F7(C)
|
0063681D 6800000000 push 00000000
00636822 6812020000 push 00000212
00636827 6803000000 push 00000003
0063682C 8B45DC mov eax, dword ptr [ebp-24]
0063682F 50 push eax // fourth argument: the value returned by LoadPanel
* Reference To: cvirt.SetCtrlAttribute, Ord:00AEh
|
00636830 E8BFACFDFF Call 004014F4
00636835 83C410 add esp, 00000010 // four dwords pushed, four removed
00636838 6800000000 push 00000000
0063683D 6812020000 push 00000212
00636842 6804000000 push 00000004 // excerpt ends here, before the call these arguments belong to
//////////////////////////////////////////////////
经过上一部分之后,咱们看看下面部分如何。对“关键2”处的跳转进行跟踪,发现到了下面的程序:
// Excerpt 3: the code the author reached after following "key point 2". It calls 00426586, stores the 16-bit
// result at [ebp+FFFFFEE8] (ebp-0x118), and branches to 0042B027 when that value is 1 or FFFF. Any other
// value falls through to a beep, a MessagePopup and a call to 00402553 with argument 0.
// The excerpt starts and ends in the middle of longer sequences.
0063AFCE 8908 mov dword ptr [eax], ecx
0063AFD0 E8B1B5FFFF call 00426586
0063AFD5 8D8DE8FEFFFF lea ecx, dword ptr [ebp+FFFFFEE8]
0063AFDB 668901 mov word ptr [ecx], ax // keep the 16-bit result of the call
0063AFDE 668B85E8FEFFFF mov ax, word ptr [ebp+FFFFFEE8]
0063AFE5 0FB7C0 movzx eax, ax
0063AFE8 B901000000 mov ecx, 00000001
0063AFED 39C8 cmp eax, ecx // author: pay attention to this comparison
0063AFEF 0F8432000000 je 0042B027 // author: "if this is not taken, it is over"; NOTE(review): the compare with FFFF below reaches the same target
* Possible Reference to String Resource ID65535: "Das32" // NOTE(review): disassembler guess prompted by the constant FFFF; the code below uses it only as a compare operand
|
0063AFF5 B9FFFF0000 mov ecx, 0000FFFF
0063AFFA 39C8 cmp eax, ecx
0063AFFC 0F8425000000 je 0042B027
* Reference To: cvirt.CVI_Beep, Ord:0259h
|
0063B002 E8E96EFDFF Call 00401EF0
0063B007 8D0504B04700 lea eax, dword ptr [0047B004]
0063B00D 8D0DAFB34700 lea ecx, dword ptr [0047B3AF]
0063B013 50 push eax
0063B014 51 push ecx
* Reference To: cvirt.MessagePopup, Ord:014Dh // author: error message
|
0063B015 E8706EFDFF Call 00401E8A
0063B01A 6800000000 push 00000000
0063B01F E82F75FDFF call 00402553 // callee is not identified in this listing
0063B024 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|0063AFEF(C), 0063AFFC(C)
|
0063B027 8D45FC lea eax, dword ptr [ebp-04] // author: the correct flow
0063B02A 50 push eax
0063B02B 6801000000 push 00000001 // excerpt ends here, before the call these arguments belong to
总结:
到此,这个软件的加密狗破解就成功了,当然了,破解这种软件并不止一种方法。
接下来就是试用软件了,经过测试,软件功能一切正常,没有任何BUG!