本文轉自http://www.jiamigou.net/crack/225.html
這個監控類的軟件,由於加密狗遺失,只能爆破了。
用PEID檢測爲Microsoft Visual Basic 5.0 / 6.0,無殼。
試運行軟件,彈出提示:Can’t Open Dog!
用OD加載程序,
程序入口:
004135A4 > $ 68 10624100 push Man.00416210 ; ASCII "VB5!6&vb6chs.dll"
004135A9 . E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
004135AE . 0000 add byte ptr ds:[eax],al
004135B0 . 0000 add byte ptr ds:[eax],al
004135B2 . 0000 add byte ptr ds:[eax],al
接下來查找讀取加密狗和檢測加密狗的代碼:
0010394D . 51 push ecx
0010394E . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00103954 . 52 push edx
00103955 . 6A 03 push 0x3
00103957 . FF15 50134000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0010395D . 83C4 10 add esp,0x10
00103960 . 0FBF85 CCFDFF>movsx eax,word ptr ss:[ebp-0x234]
00103967 . 85C0 test eax,eax
00103969 . 0F84 36060000 je Man.00103FA5 //加密狗破解關鍵點一,不跳則掛
0010396F . C745 FC 96010>mov dword ptr ss:[ebp-0x4],0x196
00103976 . C785 28FEFFFF>mov dword ptr ss:[ebp-0x1D8],0x19F5
00103980 . C785 20FEFFFF>mov dword ptr ss:[ebp-0x1E0],0x2
0010398A . 8D95 20FEFFFF lea edx,dword ptr ss:[ebp-0x1E0]
00103990 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00103996 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0010399C . C745 FC 97010>mov dword ptr ss:[ebp-0x4],0x197
001039A3 . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x9E48
001039AD . C745 FC 98010>mov dword ptr ss:[ebp-0x4],0x198
通過同樣的方法,繼續查找讀取加密狗的位置:
001039E4 . 8B85 D8FDFFFF mov eax,dword ptr ss:[ebp-0x228]
001039EA . 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
001039F0 . C745 FC 99010>mov dword ptr ss:[ebp-0x4],0x199
001039F7 . 83BD 6CFFFFFF>cmp dword ptr ss:[ebp-0x94],0x0
001039FE . 0F85 8F050000 jnz Man.00103F93 //加密狗破解關鍵點二
00103A04 . C745 FC 9A010>mov dword ptr ss:[ebp-0x4],0x19A
00103A0B . 68 FFFF0000 push 0xFFFF
00103A10 . E8 230DECFF call Man.0044C738
00103A15 . 8985 D8FDFFFF mov dword ptr ss:[ebp-0x228],eax
00103A1B . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00103A21 . 8B8D D8FDFFFF mov ecx,dword ptr ss:[ebp-0x228]
00103A27 . 898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx
00103A2D . C745 FC 9B010>mov dword ptr ss:[ebp-0x4],0x19B
00103A34 . 83BD 6CFFFFFF>cmp dword ptr ss:[ebp-0x94],0x0
00103A3B . 0F85 4B050000 jnz Man.00103F8C
00103A41 . C745 FC 9C010>mov dword ptr ss:[ebp-0x4],0x19C
00103A48 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
00103A4E . 52 push edx
第三處檢測加密狗:
001070B1 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
001070B7 . 50 push eax
001070B8 . FF15 74124000 call dword ptr ds:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
001070BE . 33C9 xor ecx,ecx
001070C0 . 66:83BD DCFDF>cmp word ptr ss:[ebp-0x224],0x0
001070C8 . 0F94C1 sete cl
001070CB . F7D9 neg ecx
001070CD . 66:898D CCFDF>mov word ptr ss:[ebp-0x234],cx
001070D4 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-0xF8]
001070DA . FF15 30144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
001070E0 . 0FBF95 CCFDFF>movsx edx,word ptr ss:[ebp-0x234]
001070E7 . 85D2 test edx,edx
001070E9 . 0F84 B30D0000 je Man.00107EA2 //加密狗破解關鍵點三
001070EF . C745 FC B6010>mov dword ptr ss:[ebp-0x4],0x1B6
001070F6 . 66:C785 60FFF>mov word ptr ss:[ebp-0xA0],0xA
001070FF . C745 FC B7010>mov dword ptr ss:[ebp-0x4],0x1B7
00107106 . 8B85 5CFFFFFF mov eax,dword ptr ss:[ebp-0xA4]
通過同樣的方法,查找檢測加密狗的位置以及讀取加密狗函數,通過多次修改,程序可以正常運行!加密狗破解完美成功!