[.NET][Crack] My Road to Activating Microsoft Math 3.0
[Title]
[Original][.NET][Crack] My Road to Activating Microsoft Math 3.0
[Author]
快雪時晴, 16 June 2007
[Target] I saw a news item on CNBeta:
Microsoft Math 3.0 trial version released! Posted by CB_Freshman on 2007-06-14 06:54:32 | 3185 reads
Source: AppBeta. Microsoft's Math tool provides powerful mathematical tools, especially suited to students and teachers, helping them solve equations step by step and better understand algebra, geometry, physics, chemistry and calculus. (This is paid software with a 30-day trial period.)
The left side of Math's interface is designed as a calculator model; the right side is the main display area. Main features:
1. Graphing calculator: extensive graphing and equation-solving capabilities, with 2D and enhanced 3D colour graphing that helps people visualise problems and understand concepts.
2. Step-by-step equation solving: solves many mathematical problems, from basic math to calculus.
3. Formula and equation library: over 100 commonly used equations and formulas.
4. Triangle solver.
5. Unit conversion.
6. New: supports digital ink on Tablet and Ultra-Mobile PCs, so many problems Math can recognise can be solved by handwriting.
Note: Math is paid software; this is the 30-day trial version.
Every time the program runs it reminds you that after 30 days you must enter the 25-character product ID.
Download: http://msft-dnl.digitalrivercont ... 66853/X13-66853.exe
Oh yeah, that's the one!
[Tools]
PEiD, OllyICE, 010Editor, Reflector, ILDasm, ILAsm, SN.exe, SNRemove, SNReplace.exe, StrongName Patcher, Abel_Load231, DUP2.15final, PEBrowseDbg_pro
[Platform]
EN-WINXPSP2+MUI, .NET Framework v2.0.50727
[Part 1] Investigating the key code
The main program MATHAPP.EXE is a .NET program, so naturally static analysis comes first (I am not yet familiar with dynamic debugging of .NET; the tools and reference material are far behind what exists for Win32 PE). Microsoft's stuff is nice: no packer, no code obfuscation, so the key spot is found quickly.
=============================================== Reflector decompilation ========================================================
private static void Main(string[] args);
Declaring Type: Microsoft.MicrosoftMath.Application.AppMain
Assembly: MathApp, Version=3.0.1184.1020

[STAThread]
private static void Main(string[] args)
{
    Application.SetUnhandledExceptionMode(UnhandledExceptionMode.ThrowException);
    AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(AppMain.OnUnhandledException);
    ResManager.InitializeMinimum();
    SingleInstance.AppName = (ResManager.SKU == null) ? "EncCalc" : ("EncCalc-" + ResManager.SKU);
    if (SingleInstance.CheckSingleInstance(args, false, true) == SingleInstanceState.AlreadyRunning)
    {
        return;
    }
    AppResManager.Initialize();
    AppDrawingInfo.Initialize();
    uint dwGraceTime = 0;
    AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
    if (!CheckEula())
    {
        return;
    }
    CheckSQM();
    if (!AppResManager.VerifyMSCertificate(Path.Combine(ResManager.AppDirectory, "MathRichEditNative.dll")))
    {
        AppResManager.ExitApp();
    }
    if (!AppResManager.Activated)
    {
        string pszProdKey = null;
        switch (NativeMethods.ShowActivationWizard(IntPtr.Zero, pszProdKey, 0, dwGraceTime, ResManager.SKU))
        {
            case 0:
            case 0xc000000c:
            case 0xf000000e:
                AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
                if ((dwGraceTime == 0) && !AppResManager.Activated)
                {
                    AppResManager.ExitApp();
                }
                goto Label_00FB;
        }
        if (dwGraceTime == 0)
        {
            AppResManager.ExitApp();
        }
    }
Label_00FB:
    Application.ApplicationExit += new EventHandler(AppMain.OnApplicationExit);
    Application.Idle += new EventHandler(AppMain.OnApplicationIdle);
    Application.EnableVisualStyles();
    MainForm mainForm = new MainForm();
    mainForm.SetCommandArgs(args);
    Application.Run(mainForm);
}
==================================== ILDASM output ========================================================
.method private hidebysig static void Main(string[] args) cil managed
// SIG: 00 01 01 1D 0E
{
  .entrypoint
  .custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
  // Method begins at RVA 0xb80c
  // Code size 313 (0x139)
  .maxstack 5
  .locals init (valuetype [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstanceState V_0,
                uint32 V_1,
                string V_2,
                uint32 V_3,
                class Microsoft.MicrosoftMath.Application.MainForm V_4)
  IL_0000: /* 17   |             */ ldc.i4.1
  IL_0001: /* 28   | (0A)0001DD  */ call void [System.Windows.Forms]System.Windows.Forms.Application::SetUnhandledExceptionMode(valuetype [System.Windows.Forms]System.Windows.Forms.UnhandledExceptionMode)
  IL_0006: /* 28   | (0A)0001DE  */ call class [mscorlib]System.AppDomain [mscorlib]System.AppDomain::get_CurrentDomain()
  IL_000b: /* 14   |             */ ldnull
  IL_000c: /* FE06 | (06)00009C  */ ldftn void Microsoft.MicrosoftMath.Application.AppMain::OnUnhandledException(object, class [mscorlib]System.UnhandledExceptionEventArgs)
  IL_0012: /* 73   | (0A)0001DF  */ newobj instance void [mscorlib]System.UnhandledExceptionEventHandler::.ctor(object,native int)
  IL_0017: /* 6F   | (0A)0001E0  */ callvirt instance void [mscorlib]System.AppDomain::add_UnhandledException(class [mscorlib]System.UnhandledExceptionEventHandler)
  IL_001c: /* 28   | (0A)0001E1  */ call void [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::InitializeMinimum()
  IL_0021: /* 28   | (0A)0001E2  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0026: /* 2C   | 11          */ brfalse.s IL_0039
  IL_0028: /* 72   | (70)0006A9  */ ldstr "EncCalc-"
  IL_002d: /* 28   | (0A)0001E2  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0032: /* 28   | (0A)000091  */ call string [mscorlib]System.String::Concat(string,string)
  IL_0037: /* 2B   | 05          */ br.s IL_003e
  IL_0039: /* 72   | (70)0006BB  */ ldstr "EncCalc"
  IL_003e: /* 28   | (0A)0001E3  */ call void [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstance::set_AppName(string)
  IL_0043: /* 02   |             */ ldarg.0
  IL_0044: /* 16   |             */ ldc.i4.0
  IL_0045: /* 17   |             */ ldc.i4.1
  IL_0046: /* 28   | (0A)0001E4  */ call valuetype [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstanceState [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstance::CheckSingleInstance(string[],bool,bool)
  IL_004b: /* 0A   |             */ stloc.0
  IL_004c: /* 06   |             */ ldloc.0
  IL_004d: /* 17   |             */ ldc.i4.1
  IL_004e: /* 33   | 01          */ bne.un.s IL_0051
  IL_0050: /* 2A   |             */ ret
  IL_0051: /* 28   | (06)00027A  */ call void Microsoft.MicrosoftMath.Application.AppResManager::Initialize()
  IL_0056: /* 28   | (06)00009E  */ call void Microsoft.MicrosoftMath.Application.AppDrawingInfo::Initialize()
  IL_005b: /* 16   |             */ ldc.i4.0
  IL_005c: /* 0B   |             */ stloc.1
  IL_005d: /* 28   | (0A)0001E2  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0062: /* 12   | 01          */ ldloca.s V_1
  *********************************************************
  * Binary search pattern (2 occurrences): 1201281304000616FE0116FE0128 // I don't understand this line; if anyone does, please tell me
  *********************************************************
  IL_0064: /* 28   | (06)000413  */ call uint32 Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus(string,uint32&)
  IL_0069: /* 16   |             */ ldc.i4.0
  IL_006a: /* FE01 |             */ ceq
  IL_006c: /* 16   |             */ ldc.i4.0
  IL_006d: /* FE01 |             */ ceq
  IL_006f: /* 28   | (06)00026D  */ call void Microsoft.MicrosoftMath.Application.AppResManager::set_Activated(bool)
  IL_0074: /* 28   | (06)000099  */ call bool Microsoft.MicrosoftMath.Application.AppMain::CheckEula()
  IL_0079: /* 2D   | 01          */ brtrue.s IL_007c
  IL_007b: /* 2A   |             */ ret
  IL_007c: /* 28   | (06)000098  */ call void Microsoft.MicrosoftMath.Application.AppMain::CheckSQM()
  IL_0081: /* 28   | (0A)0001E5  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_AppDirectory()
  IL_0086: /* 72   | (70)0006CB  */ ldstr "MathRichEditNative.dll"
  IL_008b: /* 28   | (0A)0001E6  */ call string [mscorlib]System.IO.Path::Combine(string, string)
  IL_0090: /* 28   | (06)000291  */ call bool Microsoft.MicrosoftMath.Application.AppResManager::VerifyMSCertificate(string)
  IL_0095: /* 2D   | 05          */ brtrue.s IL_009c
  IL_0097: /* 28   | (06)000292  */ call void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_009c: /* 28   | (06)00026C  */ call bool Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  IL_00a1: /* 2D   | 58          */ brtrue.s IL_00fb
  IL_00a3: /* 14   |             */ ldnull
  IL_00a4: /* 0C   |             */ stloc.2
  IL_00a5: /* 7E   | (0A)0001E7  */ ldsfld native int [mscorlib]System.IntPtr::Zero
  IL_00aa: /* 08   |             */ ldloc.2
  IL_00ab: /* 16   |             */ ldc.i4.0
  IL_00ac: /* 07   |             */ ldloc.1
  IL_00ad: /* 28   | (0A)0001E2  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_00b2: /* 28   | (06)000414  */ call uint32 Microsoft.MicrosoftMath.Application.NativeMethods::ShowActivationWizard(native int,string,uint32,uint32,string)
  IL_00b7: /* 0D   |             */ stloc.3
  IL_00b8: /* 09   |             */ ldloc.3
  IL_00b9: /* 2C   | 10          */ brfalse.s IL_00cb
  IL_00bb: /* 09   |             */ ldloc.3
  IL_00bc: /* 20   | 0C0000C0    */ ldc.i4 0xc000000c
  IL_00c1: /* 2E   | 08          */ beq.s IL_00cb
  IL_00c3: /* 09   |             */ ldloc.3
  IL_00c4: /* 20   | 0E0000F0    */ ldc.i4 0xf000000e
  IL_00c9: /* 33   | 28          */ bne.un.s IL_00f3
  IL_00cb: /* 28   | (0A)0001E2  */ call string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_00d0: /* 12   | 01          */ ldloca.s V_1
  IL_00d2: /* 28   | (06)000413  */ call uint32 Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus(string, uint32&)
  IL_00d7: /* 16   |             */ ldc.i4.0
  IL_00d8: /* FE01 |             */ ceq
  IL_00da: /* 16   |             */ ldc.i4.0
  IL_00db: /* FE01 |             */ ceq
  IL_00dd: /* 28   | (06)00026D  */ call void Microsoft.MicrosoftMath.Application.AppResManager::set_Activated(bool)
  IL_00e2: /* 07   |             */ ldloc.1
  IL_00e3: /* 2D   | 16          */ brtrue.s IL_00fb
  IL_00e5: /* 28   | (06)00026C  */ call bool Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  IL_00ea: /* 2D   | 0F          */ brtrue.s IL_00fb
  IL_00ec: /* 28   | (06)000292  */ call void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_00f1: /* 2B   | 08          */ br.s IL_00fb
  IL_00f3: /* 07   |             */ ldloc.1
  IL_00f4: /* 2D   | 05          */ brtrue.s IL_00fb
  IL_00f6: /* 28   | (06)000292  */ call void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_00fb: /* 14   |             */ ldnull
  IL_00fc: /* FE06 | (06)00009A  */ ldftn void Microsoft.MicrosoftMath.Application.AppMain::OnApplicationExit(object, class [mscorlib]System.EventArgs)
  IL_0102: /* 73   | (0A)000020  */ newobj instance void [mscorlib]System.EventHandler::.ctor(object, native int)
  IL_0107: /* 28   | (0A)0001E8  */ call void [System.Windows.Forms]System.Windows.Forms.Application::add_ApplicationExit(class [mscorlib]System.EventHandler)
  IL_010c: /* 14   |             */ ldnull
  IL_010d: /* FE06 | (06)00009B  */ ldftn void Microsoft.MicrosoftMath.Application.AppMain::OnApplicationIdle(object, class [mscorlib]System.EventArgs)
  IL_0113: /* 73   | (0A)000020  */ newobj instance void [mscorlib]System.EventHandler::.ctor(object,native int)
  IL_0118: /* 28   | (0A)0001E9  */ call void [System.Windows.Forms]System.Windows.Forms.Application::add_Idle(class [mscorlib]System.EventHandler)
  IL_011d: /* 28   | (0A)0001EA  */ call void [System.Windows.Forms]System.Windows.Forms.Application::EnableVisualStyles()
  IL_0122: /* 73   | (06)00047C  */ newobj instance void Microsoft.MicrosoftMath.Application.MainForm::.ctor()
  IL_0127: /* 13   | 04          */ stloc.s V_4
  IL_0129: /* 11   | 04          */ ldloc.s V_4
  IL_012b: /* 02   |             */ ldarg.0
  IL_012c: /* 6F   | (06)0004B2  */ callvirt instance void Microsoft.MicrosoftMath.Application.MainForm::SetCommandArgs(string[])
  IL_0131: /* 11   | 04          */ ldloc.s V_4
  IL_0133: /* 28   | (0A)0001EB  */ call void [System.Windows.Forms]System.Windows.Forms.Application::Run(class [System.Windows.Forms]System.Windows.Forms.Form)
  IL_0138: /* 2A   |             */ ret
} // end of method AppMain::Main
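The byte string the author asks about at IL_0062 is simply the raw encoding of the IL that ILDASM prints beside it (the `/* 12 | 01 */` columns are those bytes). The decoder below is an added example, not code from the original post: it covers only the opcodes that occur in Main, takes the metadata-token table prefixes (0x06 MethodDef, 0x0A MemberRef, 0x70 user string) from ECMA-335, and is fed the post's own pattern, which ends mid-instruction with a bare call opcode.

```python
# Decoder for a small subset of ECMA-335 CIL: enough to read the byte pattern
# 1201281304000616FE0116FE0128 quoted in the post and relate it to the ILDASM dump.
# The opcode table covers only the opcodes that occur in AppMain::Main (assumption:
# that is all a reader of this post needs; it is not a full CIL disassembler).
import struct

# opcode bytes -> (mnemonic, operand kind). "tok" = 4-byte metadata token,
# "i1" = 1-byte local index, "i4" = 4-byte int32, "br1" = 1-byte branch offset.
OPCODES = {
    b"\x02": ("ldarg.0", None),
    b"\x06": ("ldloc.0", None), b"\x07": ("ldloc.1", None),
    b"\x08": ("ldloc.2", None), b"\x09": ("ldloc.3", None),
    b"\x0a": ("stloc.0", None), b"\x0b": ("stloc.1", None),
    b"\x0c": ("stloc.2", None), b"\x0d": ("stloc.3", None),
    b"\x11": ("ldloc.s", "i1"), b"\x12": ("ldloca.s", "i1"), b"\x13": ("stloc.s", "i1"),
    b"\x14": ("ldnull", None),
    b"\x16": ("ldc.i4.0", None), b"\x17": ("ldc.i4.1", None), b"\x20": ("ldc.i4", "i4"),
    b"\x28": ("call", "tok"), b"\x2a": ("ret", None),
    b"\x2b": ("br.s", "br1"), b"\x2c": ("brfalse.s", "br1"), b"\x2d": ("brtrue.s", "br1"),
    b"\x2e": ("beq.s", "br1"), b"\x33": ("bne.un.s", "br1"),
    b"\x6f": ("callvirt", "tok"), b"\x72": ("ldstr", "tok"), b"\x73": ("newobj", "tok"),
    b"\x7e": ("ldsfld", "tok"),
    b"\xfe\x01": ("ceq", None), b"\xfe\x06": ("ldftn", "tok"),
}

# High byte of a metadata token names the table it indexes (ECMA-335 II.22).
TOKEN_TABLES = {0x06: "MethodDef", 0x0A: "MemberRef", 0x70: "UserString"}

def decode(il: bytes, base: int = 0):
    """Return a list of (offset, mnemonic, operand_text) tuples.
    An opcode whose operand is cut off (the post's pattern ends with a bare
    0x28 = call) is reported with operand '<truncated>'."""
    out, pos = [], 0
    while pos < len(il):
        key = il[pos:pos + 2] if il[pos] == 0xFE else il[pos:pos + 1]
        if key not in OPCODES:
            raise ValueError(f"unknown opcode {key.hex()} at offset {pos:#x}")
        name, kind = OPCODES[key]
        off = base + pos
        pos += len(key)
        if kind is None:
            out.append((off, name, ""))
            continue
        size = 1 if kind in ("i1", "br1") else 4
        if pos + size > len(il):
            out.append((off, name, "<truncated>"))
            break
        raw = il[pos:pos + size]
        pos += size
        if kind == "tok":
            tok = struct.unpack("<I", raw)[0]          # tokens are little-endian
            table = TOKEN_TABLES.get(tok >> 24, f"table {tok >> 24:#04x}")
            out.append((off, name, f"{tok:08X} ({table} row {tok & 0xFFFFFF:#x})"))
        elif kind == "i4":
            out.append((off, name, f"{struct.unpack('<I', raw)[0]:#010x}"))
        elif kind == "br1":
            # short branch: signed offset relative to the next instruction
            target = base + pos + struct.unpack("<b", raw)[0]
            out.append((off, name, f"IL_{target:04x}"))
        else:
            out.append((off, name, f"V_{raw[0]}"))
    return out

def find_pattern(method_il: bytes, pattern: bytes) -> list:
    """Offsets at which a byte pattern occurs inside a method body."""
    return [i for i in range(len(method_il) - len(pattern) + 1)
            if method_il[i:i + len(pattern)] == pattern]

# The search pattern quoted in the post; it starts at IL_0062 in the ILDASM dump.
PATTERN = bytes.fromhex("1201281304000616FE0116FE0128")

if __name__ == "__main__":
    for off, name, operand in decode(PATTERN, base=0x62):
        print(f"IL_{off:04x}: {name:<10} {operand}")
```

Decoding the pattern reproduces IL_0062 through IL_006f of the listing (ldloca.s V_1, call MethodDef 0x413, two ldc.i4.0/ceq pairs, then the opening byte of the call to set_Activated), which is why a raw byte search finds it at both CheckLicenseStatus call sites.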
[Part 2] Finding a place to strike
Searching with the binary editor 010Editor for 1201281304000616FE0116FE0128 finds two occurrences; changing only the first is enough to make AppResManager.Activated true.
A simple problem turns out not to be simple: after the change is saved, the program exits with an exception and refuses to run. Debugging with PEBrowseDbg shows that the modified main program (whether IL-patched, strong-name-removed or strong-name-replaced) throws an exception during loading, which means .NET detected that the program had been modified. That is the work of strong-name protection: with RSA-1024 guarding it, cracking the scheme to obtain a correct product ID looks impossible.
Strip the strong name, then; there seems to be plenty of discussion of that online. I downloaded several tools, such as SNRemover and SNReplacer, and none of them worked. Could it be that Microsoft's .NET Framework has new anti-tamper features against these little tricks?
I did not try modifying the .NET platform's own strong-name signature verification directly; that would affect the security of the entire .NET platform, which is not a good idea.
There is always a way; life never lacks surprises, and that includes pleasant ones.
====================================================================================================
Note that the registration verification module lives in MathRichEditNative.dll (native code):
Name in MathRich, entry 25, Address=4745650C, Section=.text, Type=Export, Name=CheckLicenseStatus
Checking MathRichEditNative.dll with PEiD reports an Armadillo packer. ???? That seems unlikely; it is not Microsoft's style. I just treat it as unpacked, heh. Loading it in OllyICE and pressing Ctrl+N shows the import and export functions all sitting there intact, so it must be a PEiD false positive.
More importantly, this DLL has no self-check, which saves a lot of trouble when modifying it.
This exported function does not seem to do any real work; it is probably just a COM-interface stub for the external DLL that .NET imports, and the actual code has to be traced further.
4745650C >/$ 51             push ecx
4745650D |. 8D6424 FC       lea esp, dword ptr [esp-4]
47456511 |. 890C24          mov dword ptr [esp], ecx
47456514 |. 8D0D D1634547   lea ecx, dword ptr [474563D1]
4745651A |. 8D89 6D010000   lea ecx, dword ptr [ecx+16D]
47456520 |. 894C24 04       mov dword ptr [esp+4], ecx
47456524 |. 8D0D 38815247   lea ecx, dword ptr [47528138]
4745652A |. 8D89 5C010000   lea ecx, dword ptr [ecx+15C]
47456530 |. 8D6424 FC       lea esp, dword ptr [esp-4]
47456534 |. 890C24          mov dword ptr [esp], ecx
47456537 |. 8B4C24 04       mov ecx, dword ptr [esp+4]
4745653B \. C2 0400         retn 4
Stack (ESP -> 0012F430):
0012F430 00A7B2B1 return to 00A7B2B1
0012F434 013E6920 UNICODE "G07ASTRC"
0012F438 0012F474
Following the stack hint we go straight here (retn 4 does not return to 00A7B2B1 immediately):
00A7B2AF FF10              call dword ptr [eax]
00A7B2B1 C643 08 01        mov byte ptr [ebx+8], 1   // manually setting EAX=1 in OllyICE makes the function return true and the program becomes activated!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                                                     // ---------------------------------------- but how do we modify it? Note that this is dynamically allocated memory
00A7B2B5 833D F017387A 00  cmp dword ptr [7A3817F0], 0
Of course we can also trace it by returning level by level:
036D0266 E8 91903BFD       call 00A892FC
036D026B 85C0              test eax, eax   // returns here
036D026D 0F95C2            setne dl
036D0270 0FB6D2            movzx edx, dl
036D0273 8815 6C35A800     mov byte ptr [A8356C], dl
For a memory patch, change setne dl to sete dl. When OD loads a .NET program it first stops in kernel.dll's territory, because a .NET program, like a Java VM or VB program, is interpreted from intermediate bytecode; at that moment the program's binary code has not yet been generated (it feels like it hasn't been unpacked yet).
I don't know whether a memory-patch loader built this way would work across machines; different machines and different .NET platform versions may allocate different memory addresses, so the patch address would differ.
^^^^^^ The idea is always good, but the memory-patch route turned out to be bumpy and did not succeed, all because of .NET and its strong-name protection (STRONG NAME). With the existing loader-building tools I could not find a way to determine when to apply the patch, nor how to patch dynamically allocated memory.
Let's first keep looking at the code traced above:
036D024C FF15 8872A800     call dword ptr [A87288]
036D0252 FF15 E87CA800     call dword ptr [A87CE8]
036D0258 33D2              xor edx, edx
036D025A 8955 F4           mov dword ptr [ebp-C], edx
036D025D 8B0D 14343E02     mov ecx, dword ptr [23E3414]
036D0263 8D55 F4           lea edx, dword ptr [ebp-C]
036D0266 E8 91903BFD       call 00A892FC   //********************
036D026B 85C0              test eax, eax
036D026D 0F95C2            setne dl
036D0270 0FB6D2            movzx edx, dl
036D0273 8815 6C35A800     mov byte ptr [A8356C], dl
036D0279 FF15 6036A800     call dword ptr [A83660]
036D027F 85C0              test eax, eax
036D0281 75 05             jnz short 036D0288
036D0283 59                pop ecx
036D0284 5E                pop esi
036D0285 5F                pop edi
036D0286 5D                pop ebp
036D0287 C3                retn
036D0288 FF15 5C36A800     call dword ptr [A8365C]
036D028E 8B0D 2C343E02     mov ecx, dword ptr [23E342C]
036D0294 8B15 D07B3E02     mov edx, dword ptr [23E7BD0]
036D029A E8 2DECCA75       call mscorlib.7937EECC
036D029F 8BC8              mov ecx, eax
036D02A1 FF15 E472A800     call dword ptr [A872E4]
036D02A7 85C0              test eax, eax
036D02A9 75 13             jnz short 036D02BE
036D02AB E8 105B9F77       call System_W.7B0C5DC0
036D02B0 E8 F343F976       call System_n.7A6646A8
036D02B5 8BC8              mov ecx, eax
036D02B7 3909              cmp dword ptr [ecx], ecx
036D02B9 E8 AE771A77       call System_n.7A877A6C
036D02BE 803D 6C35A800 00  cmp byte ptr [A8356C], 0
036D02C5 0F85 7F000000     jnz 036D034A
036D02CB 6A 00             push 0
036D02CD FF75 F4           push dword ptr [ebp-C]
036D02D0 FF35 14343E02     push dword ptr [23E3414]
036D02D6 33D2              xor edx, edx
036D02D8 33C9              xor ecx, ecx
036D02DA E8 29903BFD       call 00A89308
036D02DF 85C0              test eax, eax
036D02E1 74 0E             je short 036D02F1
036D02E3 3D 0C0000C0       cmp eax, C000000C
036D02E8 74 07             je short 036D02F1
036D02EA 3D 0E0000F0       cmp eax, F000000E
036D02EF 75 40             jnz short 036D0331
036D02F1 8B0D 14343E02     mov ecx, dword ptr [23E3414]
036D02F7 8D55 F4           lea edx, dword ptr [ebp-C]
036D02FA E8 FD8F3BFD       call 00A892FC   //********************
036D02FF 85C0              test eax, eax
036D0301 0F95C2            setne dl
036D0304 0FB6D2            movzx edx, dl
036D0307 8815 6C35A800     mov byte ptr [A8356C], dl
Doesn't it look very similar to the C# source we saw in Reflector, or the IL we saw in ILDasm?
    AppResManager.Initialize();
    AppDrawingInfo.Initialize();
    uint dwGraceTime = 0;
    AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
    if (!CheckEula())
    {
        return;
    }
    CheckSQM();
    if (!AppResManager.VerifyMSCertificate(Path.Combine(ResManager.AppDirectory, "MathRichEditNative.dll")))
    {
        AppResManager.ExitApp();
    }
    if (!AppResManager.Activated)
    {
        string pszProdKey = null;
        switch (NativeMethods.ShowActivationWizard(IntPtr.Zero, pszProdKey, 0, dwGraceTime, ResManager.SKU))
        {
            case 0:
            case 0xc000000c:
            case 0xf000000e:
                AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
                if ((dwGraceTime == 0) && !AppResManager.Activated)
                {
                    AppResManager.ExitApp();
                }
                goto Label_00FB;
        }
        if (dwGraceTime == 0)
        {
            AppResManager.ExitApp();
        }
    }
Label_00FB:
.NET programs really are a lot like unpacking: the binary code just appears dynamically like this.
==========================================================================================================
That is indeed the case; here is what I saw when tracing the program dynamically with PEBrowseDbg:
Disassembly of JITTED Microsoft.MicrosoftMath.Application.AppMain::Main (06000097) at 0x03A48990
; Stack Size (in BYTES): 16 (0x00000010)
; Number of Parameters: 0
; Local Variables Size (in BYTES): 4 (0x00000004)
; Prologue Size (in BYTES): 27 (0x1B)
; Standard Frame
0x3A48990: 6A00 PUSH 0x0
0x3A48992: 6A00 PUSH 0x0
0x3A48994: 6A00 PUSH 0x0
0x3A48996: 680036A600 PUSH 0xA63600
0x3A4899B: E810875B0C CALL 0x100010B0
0x3A489A0: 55 PUSH EBP
0x3A489A1: 8BEC MOV EBP,ESP
0x3A489A3: 57 PUSH EDI
0x3A489A4: 56 PUSH ESI
0x3A489A5: 50 PUSH EAX
0x3A489A6: 33C0 XOR EAX,EAX
0x3A489A8: 8945F4 MOV DWORD PTR [EBP-0xC],EAX; VAR:0xC
; end of prologue
0x3A489AB: 8BF9 MOV EDI,ECX
; IL_0000: ldc.i4.1
; IL_0001: call System.Windows.Forms.Application::SetUnhandledExceptionMode()
0x3A489AD: B901000000 MOV ECX,0x1
0x3A489B2: FF15981F2904 CALL DWORD PTR [0x4291F98]
; IL_0006: call System.AppDomain::get_CurrentDomain()
; IL_000B: ldnull
; IL_000C: ldftn Microsoft.MicrosoftMath.Application.AppMain::OnUnhandledException()
; IL_0012: newobj System.UnhandledExceptionEventHandler::.ctor()
0x3A489B8: B9641BAB03 MOV ECX,0x3AB1B64
0x3A489BD: E80A9700FD CALL 0xA520CC
0x3A489C2: 8BF0 MOV ESI,EAX
0x3A489C4: FF15F8273701 CALL DWORD PTR [0x13727F8]
0x3A489CA: 8BC8 MOV ECX,EAX
0x3A489CC: 8D5604 LEA EDX,[ESI+0x4]
0x3A489CF: E852B04276 CALL DllUnregisterServerInternal + 0x0206 ; (0x79E73A26)
0x3A489D4: C7460C04213900 MOV DWORD PTR [ESI+0xC],0x392104
0x3A489DB: B8F8212904 MOV EAX,0x42921F8
0x3A489E0: 894610 MOV DWORD PTR [ESI+0x10],EAX
; IL_0017: callvirt System.AppDomain::add_UnhandledException()
0x3A489E3: 8BD6 MOV EDX,ESI
0x3A489E5: 8B01 MOV EAX,DWORD PTR [ECX]
0x3A489E7: FF9020010000 CALL DWORD PTR [EAX+0x120]
; IL_001C: call Microsoft.MicrosoftMath.Controls.ResManager::InitializeMinimum()
; IL_0021: call Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
; IL_0026: brfalse.s IL_0039
; IL_0028: ldstr "EncCalc-"
; IL_002D: call Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
; IL_0032: call System.String::Concat()
; IL_0037: br.s IL_003E
; IL_0039: ldstr "EncCalc"
; IL_003E: call Microsoft.MicrosoftMath.Controls.SingleInstance::set_AppName()
0x3A489ED: FF1580252904 CALL DWORD PTR [0x4292580]
0x3A489F3: 833D34364F0200 CMP DWORD PTR [0x24F3634],0x0
0x3A489FA: 7414 JE 0x3A48A10 ; (*+0x16)
0x3A489FC: 8B0DC8204F02 MOV ECX,DWORD PTR [0x24F20C8]
0x3A48A02: 8B1534364F02 MOV EDX,DWORD PTR [0x24F3634]
0x3A48A08: FF15C495A800 CALL DWORD PTR [0xA895C4]
0x3A48A0E: EB06 JMP 0x3A48A16
0x3A48A10: 8B05CC204F02 MOV EAX,DWORD PTR [0x24F20CC] ; <==0x03A489FA(*-0x16)
0x3A48A16: 8D1560344F02 LEA EDX,[0x24F3460] ; <==0x03A48A0E(*-0x8)
0x3A48A1C: E80FAF4276 CALL DllUnregisterServerInternal + 0x0110 ; (0x79E73930)
; IL_0043: ldarg.0
; IL_0044: ldc.i4.0
; IL_0045: ldc.i4.1
; IL_0046: call Microsoft.MicrosoftMath.Controls.SingleInstance::CheckSingleInstance()
; IL_004B: stloc.0
0x3A48A21: 6A01 PUSH 0x1
0x3A48A23: 8BCF MOV ECX,EDI
0x3A48A25: 33D2 XOR EDX,EDX
0x3A48A27: FF1530282904 CALL DWORD PTR [0x4292830]
; IL_004C: ldloc.0
; IL_004D: ldc.i4.1
; IL_004E: bne.un.s IL_0051
0x3A48A2D: 83F801 CMP EAX,0x1
0x3A48A30: 7505 JNE 0x3A48A37 ; (*+0x7)
; IL_0050: ret
0x3A48A32: E983010000 JMP 0x3A48BBA
; IL_0051: call Microsoft.MicrosoftMath.Application.AppResManager::Initialize()
0x3A48A37: FF15782C2904 CALL DWORD PTR [0x4292C78] ; <==0x03A48A30(*-0x7)
; IL_0056: call Microsoft.MicrosoftMath.Application.AppDrawingInfo::Initialize()
0x3A48A3D: FF1588522904 CALL DWORD PTR [0x4295288]
; IL_005B: ldc.i4.0
; IL_005C: stloc.1
0x3A48A43: 33D2 XOR EDX,EDX
0x3A48A45: 8955F4 MOV DWORD PTR [EBP-0xC],EDX; VAR:0xC
; IL_005D: call Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
; IL_0062: ldloca.s 0x01
; IL_0064: call Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus()
; IL_0069: ldc.i4.0
; IL_006A: ceq
; IL_006C: ldc.i4.1
; IL_006D: ceq
; IL_006F: call Microsoft.MicrosoftMath.Application.AppResManager::set_Activated()
0x3A48A48: 8B0D34364F02 MOV ECX,DWORD PTR [0x24F3634]
0x3A48A4E: 8D55F4 LEA EDX,[EBP-0xC] ; VAR:0xC
0x3A48A51: E80636C400 CALL 0x468C05C
0x3A48A56: 85C0 TEST EAX,EAX
0x3A48A58: 0F94C2 SETZ DL
0x3A48A5B: 0FB6D2 MOVZX EDX,DL
0x3A48A5E: 88158035A600 MOV BYTE PTR [0xA63580],DL
; IL_0074: call Microsoft.MicrosoftMath.Application.AppMain::CheckEula()
; IL_0079: brtrue.s IL_007C
0x3A48A64: FF157836A600 CALL DWORD PTR [0xA63678]
0x3A48A6A: 85C0 TEST EAX,EAX
0x3A48A6C: 7505 JNZ 0x3A48A73 ; (*+0x7)
; IL_007B: ret
0x3A48A6E: E947010000 JMP 0x3A48BBA
; IL_007C: call Microsoft.MicrosoftMath.Application.AppMain::CheckSQM()
0x3A48A73: FF157436A600 CALL DWORD PTR [0xA63674] ; <==0x03A48A6C(*-0x7)
; IL_0081: call Microsoft.MicrosoftMath.Controls.ResManager::get_AppDirectory()
; IL_0086: ldstr "MathRichEditNative.dll"
; IL_008B: call System.IO.Path::Combine()
; IL_0090: call Microsoft.MicrosoftMath.Application.AppResManager::VerifyMSCertificate()
; IL_0095: brtrue.s IL_009C
0x3A48A79: 8B0D4C364F02 MOV ECX,DWORD PTR [0x24F364C]
0x3A48A7F: 8B15EC204F02 MOV EDX,DWORD PTR [0x24F20EC]
0x3A48A85: FF15E09C3701 CALL DWORD PTR [0x1379CE0]
0x3A48A8B: 8BC8 MOV ECX,EAX
0x3A48A8D: FF15D42C2904 CALL DWORD PTR [0x4292CD4]
0x3A48A93: 85C0 TEST EAX,EAX
0x3A48A95: 7515 JNZ 0x3A48AAC ; (*+0x17)
; IL_0097: call Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
0x3A48A97: FF15301F2904 CALL DWORD PTR [0x4291F30]
0x3A48A9D: FF15B0BD6804 CALL DWORD PTR [0x468BDB0]
0x3A48AA3: 8BC8 MOV ECX,EAX
0x3A48AA5: 3909 CMP DWORD PTR [ECX],ECX
0x3A48AA7: E8BC35C400 CALL 0x468C068
; IL_009C: call Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
; IL_00A1: brtrue.s IL_00FB
; IL_00A3: ldnull
; IL_00A4: stloc.2
0x3A48AAC: 803D8035A60000 CMP BYTE PTR [0xA63580],0x0 ; <==0x03A48A95(*-0x17)
0x3A48AB3: 0F8583000000 JNE 0x3A48B3C ; (*+0x89)
; IL_00A5: ldsfld System.IntPtr::Zero()
; IL_00AA: ldloc.2
; IL_00AB: ldc.i4.0
; IL_00AC: ldloc.1
; IL_00AD: call Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
; IL_00B2: call Microsoft.MicrosoftMath.Application.NativeMethods::ShowActivationWizard()
; IL_00B7: stloc.3
0x3A48AB9: 6A00 PUSH 0x0
0x3A48ABB: FF75F4 PUSH DWORD PTR [EBP-0xC] ; VAR:0xC
0x3A48ABE: FF3534364F02 PUSH DWORD PTR [0x24F3634]
0x3A48AC4: 33D2 XOR EDX,EDX
0x3A48AC6: 33C9 XOR ECX,ECX
0x3A48AC8: E8AF35C400 CALL 0x468C07C
; IL_00B8: ldloc.3
; IL_00B9: brfalse.s IL_00CB
0x3A48ACD: 85C0 TEST EAX,EAX
0x3A48ACF: 740E JZ 0x3A48ADF ; (*+0x10)
; IL_00BB: ldloc.3
; IL_00BC: ldc.i4 0xC000000C
; IL_00C1: beq.s IL_00CB
0x3A48AD1: 3D0C0000C0 CMP EAX,0xC000000C ; ERR:STATUS_TIMER_NOT_CANCELED
0x3A48AD6: 7407 JE 0x3A48ADF ; (*+0x9)
; IL_00C3: ldloc.3
; IL_00C4: ldc.i4 0xF000000E
; IL_00C9: bne.un.s IL_00F3
0x3A48AD8: 3D0E0000F0 CMP EAX,0xF000000E
0x3A48ADD: 7542 JNE 0x3A48B21 ; (*+0x44)
; IL_00CB: call Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
; IL_00D0: ldloca.s 0x01
; IL_00D2: call Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus()
; IL_00D7: ldc.i4.0
; IL_00D8: ceq
; IL_00DA: ldc.i4.1
; IL_00DB: ceq
; IL_00DD: call Microsoft.MicrosoftMath.Application.AppResManager::set_Activated()
0x3A48ADF: 8B0D34364F02 MOV ECX,DWORD PTR [0x24F3634] ; <==0x03A48ACF(*-0x10), 0x03A48AD6(*-0x9)
0x3A48AE5: 8D55F4 LEA EDX,[EBP-0xC] ; VAR:0xC
0x3A48AE8: E86F35C400 CALL 0x468C05C
0x3A48AED: 85C0 TEST EAX,EAX
0x3A48AEF: 0F94C2 SETZ DL
0x3A48AF2: 0FB6D2 MOVZX EDX,DL
0x3A48AF5: 88158035A600 MOV BYTE PTR [0xA63580],DL
; IL_00E2: ldloc.1
; IL_00E3: brtrue.s IL_00FB
0x3A48AFB: 837DF400 CMP DWORD PTR [EBP-0xC],0x0; VAR:0xC
0x3A48AFF: 753B JNE 0x3A48B3C ; (*+0x3D)
; IL_00E5: call Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
; IL_00EA: brtrue.s IL_00FB
0x3A48B01: 803D8035A60000 CMP BYTE PTR [0xA63580],0x0
0x3A48B08: 7532 JNE 0x3A48B3C ; (*+0x34)
; IL_00EC: call Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
; IL_00F1: br.s IL_00FB
0x3A48B0A: FF15301F2904 CALL DWORD PTR [0x4291F30]
0x3A48B10: FF15B0BD6804 CALL DWORD PTR [0x468BDB0]
0x3A48B16: 8BC8 MOV ECX,EAX
0x3A48B18: 3909 CMP DWORD PTR [ECX],ECX
0x3A48B1A: E84935C400 CALL 0x468C068
0x3A48B1F: EB1B JMP 0x3A48B3C
; IL_00F3: ldloc.1
; IL_00F4: brtrue.s IL_00FB
0x3A48B21: 837DF400 CMP DWORD PTR [EBP-0xC],0x0; VAR:0xC ; <==0x03A48ADD(*-0x44)
0x3A48B25: 7515 JNE 0x3A48B3C ; (*+0x17)
; IL_00F6: call Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
0x3A48B27: FF15301F2904 CALL DWORD PTR [0x4291F30]
0x3A48B2D: FF15B0BD6804 CALL DWORD PTR [0x468BDB0]
0x3A48B33: 8BC8 MOV ECX,EAX
0x3A48B35: 3909 CMP DWORD PTR [ECX],ECX
0x3A48B37: E82C35C400 CALL 0x468C068
; IL_00FB: ldnull
; IL_00FC: ldftn Microsoft.MicrosoftMath.Application.AppMain::OnApplicationExit()
; IL_0102: newobj System.EventHandler::.ctor()
0x3A48B3C: B9841CAB03 MOV ECX,0x3AB1C84 ; <==0x03A48B1F(*-0x1D), 0x03A48B25(*-0x17), 0x03A48B08(*-0x34), 0x03A48AB3(*-0x89), 0x03A48AFF(*-0x3D)
0x3A48B41: E8869500FD CALL 0xA520CC
0x3A48B46: 8BC8 MOV ECX,EAX
0x3A48B48: 8D5104 LEA EDX,[ECX+0x4]
0x3A48B4B: E809AE4276 CALL DllUnregisterServerInternal + 0x0139 ; (0x79E73959)
0x3A48B50: C7410C04213900 MOV DWORD PTR [ECX+0xC],0x392104
0x3A48B57: B868552904 MOV EAX,0x4295568
0x3A48B5C: 894110 MOV DWORD PTR [ECX+0x10],EAX
; IL_0107: call System.Windows.Forms.Application::add_ApplicationExit()
0x3A48B5F: FF15D81E2904 CALL DWORD PTR [0x4291ED8]
; IL_010C: ldnull
; IL_010D: ldftn Microsoft.MicrosoftMath.Application.AppMain::OnApplicationIdle()
; IL_0113: newobj System.EventHandler::.ctor()
0x3A48B65: B9841CAB03 MOV ECX,0x3AB1C84
0x3A48B6A: E85D9500FD CALL 0xA520CC
0x3A48B6F: 8BC8 MOV ECX,EAX
0x3A48B71: 8D5104 LEA EDX,[ECX+0x4]
0x3A48B74: E8E0AD4276 CALL DllUnregisterServerInternal + 0x0139 ; (0x79E73959)
0x3A48B79: C7410C04213900 MOV DWORD PTR [ECX+0xC],0x392104
0x3A48B80: B878552904 MOV EAX,0x4295578
0x3A48B85: 894110 MOV DWORD PTR [ECX+0x10],EAX
; IL_0118: call System.Windows.Forms.Application::add_Idle()
0x3A48B88: FF15F01E2904 CALL DWORD PTR [0x4291EF0]
; IL_011D: call System.Windows.Forms.Application::EnableVisualStyles()
0x3A48B8E: FF15241F2904 CALL DWORD PTR [0x4291F24]
; IL_0122: newobj Microsoft.MicrosoftMath.Application.MainForm::.ctor()
; IL_0127: stloc.s 0x04
0x3A48B94: B9144F6804 MOV ECX,0x4684F14
0x3A48B99: E806554476 CALL LogHelp_TerminateOnAssert + 0x8054 ; (0x79E8E0A4)
0x3A48B9E: 8BF0 MOV ESI,EAX
0x3A48BA0: 8BCE MOV ECX,ESI
0x3A48BA2: E8E134C400 CALL 0x468C088
; IL_0129: ldloc.s 0x04
; IL_012B: ldarg.0
; IL_012C: callvirt Microsoft.MicrosoftMath.Application.MainForm::SetCommandArgs()
0x3A48BA7: 8BD7 MOV EDX,EDI
0x3A48BA9: 8BCE MOV ECX,ESI
0x3A48BAB: 3909 CMP DWORD PTR [ECX],ECX
0x3A48BAD: E8EA34C400 CALL 0x468C09C
; IL_0131: ldloc.s 0x04
; IL_0133: call System.Windows.Forms.Application::Run()
0x3A48BB2: 8BCE MOV ECX,ESI
0x3A48BB4: FF15841F2904 CALL DWORD PTR [0x4291F84]
; IL_0138: ret
0x3A48BBA: 6A00 PUSH 0x0 ; <==0x03A48A6E(*-0x14C), 0x03A48A32(*-0x188)
0x3A48BBC: 6A00 PUSH 0x0
0x3A48BBE: 6A00 PUSH 0x0
0x3A48BC0: 680036A600 PUSH 0xA63600
0x3A48BC5: E8E6845B0C CALL 0x100010B0
0x3A48BCA: 59 POP ECX
0x3A48BCB: 5E POP ESI
0x3A48BCC: 5F POP EDI
0x3A48BCD: 5D POP EBP
0x3A48BCE: C3 RET
The bytecode and the translated binary code correspond almost one-to-one. That is so~~~~~~~~ exciting; I feel more confident about .NET programs now.
[Part 3] The clever bit is just this one spot
I thought for a long time about how to apply the patch. An OllyDbg ODBGScript script would be convenient, but who keeps OD open while using the program!
The idea opened up in an instant: start from the stack state at the moment of entering the first address of CheckLicenseStatus, jump to the blank area that was found, record the current ESP, and then change [ESP] to [ESP]-5. Why -5? Because MOV EAX,1 corresponds to the byte string B801000000. In other words, by directly modifying MathRichEditNative.dll we indirectly modify the memory that MATHAPP.EXE allocated dynamically, so that the return goes not to the original 00A7B2B1 but to 00A7B2AC = 00A7B2B1-5,
so that this, mentioned earlier:
*****************************************************************************************
00A7B2AF FF10              call dword ptr [eax]
00A7B2B1 C643 08 01        mov byte ptr [ebx+8], 1   // manually setting EAX=1 in OllyICE makes the function return true and the program becomes activated!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                                                     // ---------------------------------------- but how do we modify it? Note that this is dynamically allocated memory
00A7B2B5 833D F017387A 00  cmp dword ptr [7A3817F0], 0
*****************************************************************************************
becomes
*****************************************************************************************
00A7B2AC B8 01000000       mov eax, 1   // returns here!!!!!!!!
00A7B2B1 C643 08 01        mov byte ptr [ebx+8], 1
00A7B2B5 833D F017387A 00  cmp dword ptr [7A3817F0], 0
*****************************************************************************************
Cracking method: only the relevant code in MathRichEditNative.dll needs to be modified.
<Location 1>
4745650C >/$ 51             push ecx
4745650D |. 8D6424 FC       lea esp, dword ptr [esp-4]
47456511 |. 890C24          mov dword ptr [esp], ecx
===> change to
4745650C > /E9 3F3A0D00     jmp 47529F50
47456511 |. |890C24         mov dword ptr [esp], ecx
<Location 2> blank space at the end of the DLL's territory:
47529F50 51                 push ecx
47529F51 50                 push eax
47529F52 8D4424 08          lea eax, dword ptr [esp+8]
47529F56 8B08               mov ecx, dword ptr [eax]
47529F58 83C1 FB            add ecx, -5
47529F5B 8908               mov dword ptr [eax], ecx
47529F5D C701 B8010000      mov dword ptr [ecx], 1B8
47529F63 C641 04 00         mov byte ptr [ecx+4], 0
47529F67 58                 pop eax
47529F68 59                 pop ecx
47529F69 51                 push ecx
47529F6A 8D6424 FC          lea esp, dword ptr [esp-4]
47529F6E ^ E9 9EC5F2FF      jmp 47456511
Binary: 51 50 8D 44 24 08 8B 08 83 C1 FB 89 08 C7 01 B8 01 00 00 C6 41 04 00 58 59 51 8D 64 24 FC E9 9E C5 F2 FF
Copy, save and replace the original MathRichEditNative.dll. Exit OllyDbg and run the program: the 30-day-trial nag asking you to activate is gone.
[Summary] The program is cracked, and patching clearly takes some skill too; the problem of .NET strong-name protection remains unsolved.