This post was last edited by longlonglong on 2024-4-17 22:01
Tool: OD (OllyDbg) from 52pojie;
Target: dcls_vip.dll;
Source: 理想论坛
Reason: a few notes from the cracking process;
Software type: DLL;
OS: WinXP
Goal: get the functionality working normally
Opening the software normally gives the message:
Unable to bind.
Load TdxW.exe in OD and press F9 to run it to its normal state. OD: debugging options
In the formula manager, bind dcls_vip.dll.
This kind of DLL usually verifies in two places: one is ModuleEntryPoint,
the other is RegisterTdxFunc.
First, break at ModuleEntryPoint:
1E159CB6 > 55 push ebp
1E159CB7 8BEC mov ebp,esp
1E159CB9 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159CBA 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8] ; dcls_vip.<ModuleEntryPoint>
1E159CBD 56 push esi
1E159CBE 8B75 0C mov esi,dword ptr ss:[ebp+0xC] ; dcls_vip.1DFE0000
1E159CC1 57 push edi
1E159CC2 8B7D 10 mov edi,dword ptr ss:[ebp+0x10]
1E159CC5 85F6 test esi,esi
1E159CC7 75 09 jnz short dcls_vip.1E159CD2
1E159CC9 833D D0981F1E 00 cmp dword ptr ds:[0x1E1F98D0],0x0
1E159CD0 EB 26 jmp short dcls_vip.1E159CF8
1E159CD2 83FE 01 cmp esi,0x1
1E159CD5 74 05 je short dcls_vip.1E159CDC
1E159CD7 83FE 02 cmp esi,0x2
1E159CDA 75 22 jnz short dcls_vip.1E159CFE
1E159CDC A1 48B51F1E mov eax,dword ptr ds:[0x1E1FB548]
1E159CE1 85C0 test eax,eax
1E159CE3 74 09 je short dcls_vip.1E159CEE
1E159CE5 57 push edi
1E159CE6 56 push esi
1E159CE7 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159CE8 FFD0 call eax
1E159CEA 85C0 test eax,eax
1E159CEC 74 0C je short dcls_vip.1E159CFA
1E159CEE 57 push edi
1E159CEF 56 push esi
1E159CF0 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159CF1 E8 E7FEFFFF call dcls_vip.1E159BDD
1E159CF6 85C0 test eax,eax
1E159CF8 75 04 jnz short dcls_vip.1E159CFE
1E159CFA 33C0 xor eax,eax
1E159CFC EB 4E jmp short dcls_vip.1E159D4C
1E159CFE 57 push edi
1E159CFF 56 push esi
1E159D00 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159D01 E8 BAEEFFFF call dcls_vip.1E158BC0
1E159D06 83FE 01 cmp esi,0x1
1E159D09 8945 0C mov dword ptr ss:[ebp+0xC],eax
1E159D0C 75 0C jnz short dcls_vip.1E159D1A
1E159D0E 85C0 test eax,eax
1E159D10 75 37 jnz short dcls_vip.1E159D49
1E159D12 57 push edi
1E159D13 50 push eax
1E159D14 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159D15 E8 C3FEFFFF call dcls_vip.1E159BDD
1E159D1A 85F6 test esi,esi
1E159D1C 74 05 je short dcls_vip.1E159D23
1E159D1E 83FE 03 cmp esi,0x3
1E159D21 75 26 jnz short dcls_vip.1E159D49
1E159D23 57 push edi
1E159D24 56 push esi
1E159D25 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159D26 E8 B2FEFFFF call dcls_vip.1E159BDD
1E159D2B 85C0 test eax,eax
1E159D2D 75 03 jnz short dcls_vip.1E159D32
1E159D2F 2145 0C and dword ptr ss:[ebp+0xC],eax
1E159D32 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0
1E159D36 74 11 je short dcls_vip.1E159D49
1E159D38 A1 48B51F1E mov eax,dword ptr ds:[0x1E1FB548]
1E159D3D 85C0 test eax,eax
1E159D3F 74 08 je short dcls_vip.1E159D49
1E159D41 57 push edi
1E159D42 56 push esi
1E159D43 53 push ebx ; dcls_vip.<ModuleEntryPoint>
1E159D44 FFD0 call eax
1E159D46 8945 0C mov dword ptr ss:[ebp+0xC],eax
1E159D49 8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; dcls_vip.1DFE0000
1E159D4C 5F pop edi ; ntdll.7C92118A
1E159D4D 5E pop esi ; ntdll.7C92118A
1E159D4E 5B pop ebx ; ntdll.7C92118A
1E159D4F 5D pop ebp ; ntdll.7C92118A
1E159D50 C2 0C00 retn 0xC
Step with F8 all the way through this routine; nothing related to verification showed up. So the verification must be in RegisterTdxFunc:
1E009C98 > 56 push esi ; TCalc.020B2204
Set an F2 breakpoint there and press F9; it breaks at address 1E009C98:
1E009C98 > 56 push esi ; TCalc.020B2204
1E009C99 57 push edi ; dcls_vip.RegisterTdxFunc
1E009C9A 53 push ebx
1E009C9B 8D7424 10 lea esi,dword ptr ss:[esp+0x10]
1E009C9F 83EC 04 sub esp,0x4
1E009CA2 8BFC mov edi,esp
1E009CA4 FC cld
1E009CA5 B9 01000000 mov ecx,0x1
1E009CAA F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
1E009CAC E8 3877FDFF call dcls_vip.1DFE13E9
1E009CB1 5B pop ebx ; TCalc.01DF54E9
1E009CB2 5F pop edi ; TCalc.01DF54E9
1E009CB3 5E pop esi ; TCalc.01DF54E9
1E009CB4 C3 retn
Trace into this call: 1E009CAC E8 3877FDFF call dcls_vip.1DFE13E9
Press F7.
The code in this call is fairly long; only the key parts are shown here.
Find the machine code this DLL was customized for:
1DFE1440 68 F820181E push dcls_vip.1E1820F8 ; // the DLL is customized for a specific machine
The machine code the DLL generates for the local machine:
1DFE1468 E8 8C060000 call dcls_vip.1DFE1AF9 ; // get the local machine's machine code
Replace the local machine code 0F8BFBFF000306A9 with the custom machine code BFEBFBFF000506E3.
Let the program run to
1DFE17D1 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
to obtain the ciphertext, and save it as the file dcsq.key.
Now verify whether the crack works: reload TdxW.exe in OD, press F9 to run it to its normal state, and bind dcls_vip.dll in the formula manager.