某制图软件域天加密狗破解过程某制图软件域天加密狗破解过程--------------------------------------------------------------------------------来源: 发布时间: 2011-9-20 22:08:30 浏览: 7这是一个商业软件，具体名称就不写出来了，主要用于企事业单位的网络图形化设计，在没有加密狗的情况下软件有功能限制，一个工程最多只能保存800个节点，再添加节点就无法保存了。

对一般的小企业是足够了，如果碰上大的单位，这个限制就使用该软件无法胜任。

经过软件跟踪发现，该软件用的是域天加密狗。

用PEID检测，提示为Microsoft Visual Basic 5.0 / 6.0。

用OD加载：00423C24 > $ 68 883F4200 push VisualNe.00423F88 ; ASCII "VB5!6&vb6chs.dll"00423C29 . E8 F0FFFFFF call <jmp.&MSVBVM60.#100>00423C2E . 0000 add byte ptr ds:[eax],al00423C30 . 0000 add byte ptr ds:[eax],al00423C32 . 0000 add byte ptr ds:[eax],al00423C34 . 3000 xor byte ptr ds:[eax],al00423C36 . 0000 add byte ptr ds:[eax],al由于软件只是在节点数达到800的时候才无法保存工程，所以我们只需要找到保存文件的函数：0103E179 . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax0103E180 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]0103E183 . FF15 30144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr0103E189 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]0103E18C . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar0103E192 . 0FBF8D CCFEFF>movsx ecx,word ptr ss:[ebp-0x134]0103E199 . 85C9 test ecx,ecx0103E19B . 0F84 B7130000 je VisualNe.0103F558 //加密狗破解关键跳转，NOP掉0103E1A1 . C745 FC 1B000>mov dword ptr ss:[ebp-0x4],0x1B0103E1A8 . 6A 00 push 0x00103E1AA . 6A 01 push 0x10103E1AC . 8B95 B4FEFFFF mov edx,dword ptr ss:[ebp-0x14C]0103E1B2 . 52 push edx0103E1B3 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]0103E1B6 . 50 push eax0103E1B7 . FF15 08124000 call dword ptr ds:[<&MSVBVM60.__vbaLateI>; MSVBVM60.__vbaLateIdCallLd0103E1BD . 83C4 10 add esp,0x100103E1C0 . 50 push eax0103E1C1 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove0103E1C7 . 8945 A0 mov dword ptr ss:[ebp-0x60],eax0103E1CA . C745 98 08000>mov dword ptr ss:[ebp-0x68],0x80103E1D1 . 6A 00 push 0x00103E1D3 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]0103E1D6 . 51 push ecx0103E1D7 . FF15 DC124000 call dword ptr ds:[<&MSVBVM60.#645>] ; MSVBVM60.rtcDir0103E1DD . 8BD0 mov edx,eax0103E1DF . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]0103E1E2 . FF15 CC134000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove0103E1E8 . 50 push eax0103E1E9 . 68 883E4500 push VisualNe.00453E880103E1EE . FF15 AC114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp0103E1F4 . F7D8 neg eax0103E1F6 . 1BC0 sbb eax,eax0103E1F8 . F7D8 neg eax0103E1FA . F7D8 neg eax0103E1FC . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax0103E203 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]0103E206 . FF15 30144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr0103E20C . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]0103E20F . 52 push edx0103E210 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]0103E213 . 50 push eax0103E214 . 6A 02 push 0x20103E216 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList0103E21C . 83C4 0C add esp,0xC0103E21F . 0FBF8D CCFEFF>movsx ecx,word ptr ss:[ebp-0x134]0103E226 . 85C9 test ecx,ecx0103E228 . 0F84 DD030000 je VisualNe.0103E60B //加密狗破解关键点，NOP 掉0103E22E . C745 FC 1C000>mov dword ptr ss:[ebp-0x4],0x1C0103E235 . C745 80 04000>mov dword ptr ss:[ebp-0x80],0x800200040103E23C . C785 78FFFFFF>mov dword ptr ss:[ebp-0x88],0xA0103E246 . C745 90 04000>mov dword ptr ss:[ebp-0x70],0x800200040103E24D . C745 88 0A000>mov dword ptr ss:[ebp-0x78],0xA0103E254 . C745 A0 04000>mov dword ptr ss:[ebp-0x60],0x800200040103E25B . C745 98 0A000>mov dword ptr ss:[ebp-0x68],0xA0103E262 . C785 70FFFFFF>mov dword ptr ss:[ebp-0x90],VisualNe.004>0103E26C . C785 68FFFFFF>mov dword ptr ss:[ebp-0x98],0x80103E276 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98]0103E27C . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]0103E27F . FF15 80134000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup0103E285 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]0103E28B . 52 push edx0103E28C . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]0103E28F . 50 push eax0103E290 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]0103E293 . 51 push ecx0103E294 . 6A 44 push 0x440103E296 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]0103E299 . 52 push edx0103E29A . FF15 08114000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox0103E2A0 . 33C9 xor ecx,ecx0103E2A2 . 83F8 06 cmp eax,0x60103E2A5 . 0F94C1 sete cl0103E2A8 . F7D9 neg ecx0103E2AA . 66:898D CCFEF>mov word ptr ss:[ebp-0x134],cx0103E2B1 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]0103E2B7 . 52 push edx0103E2B8 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]0103E2BB .50 push eax0103E2BC . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]0103E2BF . 51 push ecx0103E2C0 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]0103E2C3 . 52 push edx0103E2C4 . 6A 04 push 0x40103E2C6 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList0103E2CC . 83C4 14 add esp,0x140103E2CF . 0FBF85 CCFEFF>movsx eax,word ptr ss:[ebp-0x134]0103E2D6 . 85C0 test eax,eax0103E2D8 . 0F84 93020000 je VisualNe.0103E571 //加密狗破解关键点，需要修改0103E2DE . C745 FC 1D000>mov dword ptr ss:[ebp-0x4],0x1D0103E2E5 . 833D 18832101>cmp dword ptr ds:[0x1218318],0x00103E2EC . 75 1C jnz short VisualNe.0103E30A0103E2EE . 68 18832101 push VisualNe.012183180103E2F3 . 68 68494500 push VisualNe.004549680103E2F8 . FF15 04134000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew20103E2FE . C785 78FEFFFF>mov dword ptr ss:[ebp-0x188],VisualNe.01>0103E308 . EB 0A jmp short VisualNe.0103E3140103E30A > C785 78FEFFFF>mov dword ptr ss:[ebp-0x188],VisualNe.01> 0103E314 > 8B8D 78FEFFFF mov ecx,dword ptr ss:[ebp-0x188]0103E31A . 8B11 mov edx,dword ptr ds:[ecx]0103E31C . 8995 CCFEFFFF mov dword ptr ss:[ebp-0x134],edx0103E322 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]0103E325 . 50 push eax0103E326 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]0103E32C . 8B11 mov edx,dword ptr ds:[ecx]0103E32E . 8B85 CCFEFFFF mov eax,dword ptr ss:[ebp-0x134]0103E334 . 50 push eax0103E335 . FF52 18 call dword ptr ds:[edx+0x18]通过修改以上三处位置，彩虹加密狗破解就成功了，试用破解后的软件，没有发现任何BUG，加密狗破解完美成功！！！--------------------------------------------------------------------------------【关闭窗口】。