Research and Application of Win32-Based Software Reverse Engineering

Win32-Based Software Reverse Engineering: Research and Application

【Author】 Wang Cheng (王成)

【Supervisor】 Xu Gaochao (徐高潮)

【Author information】 Jilin University, Computer System Architecture, 2008, Master's thesis

【Abstract (Chinese original)】 As software spreads into ever more application areas, the meaningful and challenging side of software engineering is no longer only building brand-new systems; protecting the security of existing software and restructuring these existing systems have also become important directions, and software reverse engineering is the foundation of both software protection and the reconstruction of existing systems. Software reverse engineering and re-engineering have become important research topics in software engineering, with considerable practical significance and economic value. Drawing on a large body of domestic and international literature together with the author's own reverse-engineering experience, this thesis sets out several key techniques of software reverse engineering in detail and studies a commercial simulated-examination system running on the Win32 platform. The main work is: using the detector PEiD to determine whether the program is packed and which language it was written in; performing static analysis with IDA and dynamic debugging with OllyDbg to find the location for a patch crack (the thesis's term is 暴力破解, literally "brute-force cracking", meaning that the check is defeated by patching the binary rather than by recovering the key), writing a file patch, and cracking the program; analysing the file integrity check, the generation of the machine code and the registration process, and writing a keygen; and finally, using software re-engineering theory and secondary-development techniques, adding a menu to the original system as a simple functional extension.

【Abstract】 Software systems are applied ever more widely, and building new systems is no longer the only problem in software engineering: protecting and rebuilding existing systems is the other, and arguably the more meaningful and challenging one. Software reverse engineering is the foundation of both the protection and the reconstruction of existing systems. Reverse engineering and re-engineering now have room to develop that they lacked before, are becoming more important within software engineering, and carry real practical and economic weight. Software security has been a concern since the industry began growing rapidly, with software distributed quickly and demand rising; analysing and designing good ways to improve software security matters for copyright protection, and research on the key technologies of software security protects the rights of authors, the income of creators and the interests of users.
Legacy systems (LS) have also brought new problems to software updating and maintenance: outdated technology, chaotic structure, missing documentation and high maintenance cost. Most companies and organisations therefore rebuild legacy systems on new software or hardware platforms with new technology, to improve reliability, availability, maintainability and performance. Much research has been done on software reverse engineering and re-engineering in recent years, but the area cannot yet be regarded as mature, since there is still no unified, systematic and scientific theory and method for it, and in-depth study is needed. Drawing on a large body of domestic and international literature and on the author's own reverse-engineering experience, this thesis describes many core techniques of reverse engineering in detail and studies a commercial examination system that runs on the Win32 platform. The main work is: using the detector PEiD to find out whether the program is packed and which language it was written in; analysing the program statically with IDA and dynamically with OllyDbg to find where it can be cracked by patching, and writing a patch that performs the crack; analysing the file integrity check, how the machine code is generated and how registration works, and writing a keygen; and finally, using re-engineering theory and secondary-development techniques to add a new menu and so extend the program's functions in a simple way.

1. Cracking the software by patching
To raise the anti-cracking level of software, one has to understand how cracking is done; the author takes this program as the example and explains the process of a patch crack.
First, PEiD is used to check whether the program is packed or otherwise protected; it is not packed, which makes the crack easier. PEiD also shows that the main executable is written in VB6.0 and the dynamic link library that handles registration in VC++6.0; knowing the languages speeds up the reverse analysis. Next the examination system is analysed statically to find the registration code in the disassembly. In OllyDbg a breakpoint is set on rtcMsgBox, execution is traced, and the checkRegister() function in the DLL is located; modifying the register that holds its return value, or changing the conditional jump into a JMP, achieves the crack. To make the result permanent the program's original file has to be modified, which the author does with a patch program: a hex editor is used to find the location to modify and the hexadecimal form of the revised code, a C++ program then rewrites the original file byte by byte, and the compiled program is placed in the installation directory and run to apply the crack.

2. Analysis of the registration flow
Analysing the registration flow shows how the software is protected, how the machine code is generated, and the process and algorithm of registration; this is essential for strengthening the anti-cracking of registration-protected software. The author first runs the examination simulation system to learn how it registers, then tracks the execution with a combination of static and dynamic debugging. There are two registration paths: off-line registration, and registration performed when the program reaches its registration step.
At the same time the system generates a 90-character machine code string; a normal registration succeeds only when all three items, user name, password and registration code, are correct. From the static analysis and the tracing done for the patch crack, the author found that the program checks file integrity to prevent illegal modification. Specifically, it computes the MD5 of the dynamic link library Register.dll and compares it with a value fixed when the software was released, to decide whether the library has been modified; and the DLL reads a number of bytes from the main executable to detect whether the main file has been modified. The machine code is generated from the motherboard number, the serial number of logical drive C, the date and other information, concatenated into a string, Base64-encoded, then MD5-hashed and RSA-encrypted, and finally expressed in binary form. On the basis of this analysis a keygen was written in VB6.0 that produces the registration code from a user name and password.

3. Redevelopment of the software system
Software re-engineering, simply put, re-assembles an existing system through analysis and transformation; redevelopment analyses the existing system and adds functions on that basis so that it better meets user needs, and is the initial form of secondary development. For the purpose of studying reverse engineering, the author made only a simple extension to the simulation test system: a menu entry that starts VC++6.0. A menu is added with existing tools and given an ID value; new message-processing code is added in a new WndProc that recognises the new message and its event, and the event-handling code implements the function.
Reverse engineering gives disassembly, so the extension could be written in assembly when little code is needed, but assembly is hard to read and to maintain through later upgrades, so the author instead added a DLL. A StartVC function, compiled in VB6.0, checks whether VC++6.0 is installed; if it is, it starts it, otherwise it prompts the user to install VC++6.0. After the DLL is built, the main executable of the simulation test system is opened in LoadPE, a reference to the DLL and an import of StartVC are added, and the call is pointed at the correct address. When the system is restarted the new menu appears, and clicking it performs the planned function.
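The patch step of section 1 and the integrity check of section 2, re-expressed as an added Python example; this is not the thesis's own C++ patcher or VB6 keygen. The byte sequence standing in for the tail of checkRegister(), the stand-in main executable and the probe offset are constructed for the example. The two checks mirror what the abstract describes: an MD5 of Register.dll compared with a value fixed at release, and a fixed run of bytes read from the main executable. The example also shows the consequence the abstract leaves implicit: after either patch style the DLL's MD5 no longer matches, so a patcher has to deal with the integrity check as well, not only with the jump.

```python
"""Byte patching with precondition checks, and the file-integrity check such
a patch collides with.  Added example: the bytes below are a constructed
stand-in for the tail of checkRegister(), not the real exam system."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    offset: int         # file offset found in the hex editor (not an RVA)
    expected: bytes     # what must be there; guards against the wrong build
    replacement: bytes  # same length, so nothing after it shifts


# Constructed x86 stand-in for the end of checkRegister():
#   0: 55              push ebp
#   1: 89 e5           mov  ebp, esp
#   3: e8 00 00 00 00  call <compare>   ; eax = 1 on a valid key, else 0
#   8: 85 c0           test eax, eax
#  10: 75 03           jnz  ok          ; skip the failure path
#  12: 31 c0           xor  eax, eax    ; return 0 (not registered)
#  14: c3              ret
#  15: b8 01 00 00 00  mov  eax, 1      ; ok: return 1
#  20: c3              ret
FAKE_DLL = bytes.fromhex("5589e5e80000000085c0750331c0c3b801000000c3")

# Style 1 from the text: turn the conditional jump into an unconditional JMP.
JUMP_PATCH = Patch(offset=10, expected=b"\x75\x03", replacement=b"\xeb\x03")

# Style 2: force the return value.  'mov eax,1 / ret' overwrites the prologue
# and the call; the two spare bytes become NOPs.
RETURN_PATCH = Patch(
    offset=0,
    expected=bytes.fromhex("5589e5e800000000"),
    replacement=bytes.fromhex("b801000000c39090"),
)


def locate(image: bytes, pattern: bytes) -> int:
    """The hex-editor search step: the pattern must occur exactly once."""
    hits = []
    pos = image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern.hex()} found {len(hits)} times, need 1")
    return hits[0]


def apply_patches(image: bytes, patches) -> bytes:
    """Return a patched copy; refuse to touch bytes that do not match."""
    buf = bytearray(image)
    for p in patches:
        if len(p.expected) != len(p.replacement):
            raise ValueError("patch must not change length")
        end = p.offset + len(p.expected)
        actual = bytes(buf[p.offset:end])
        if actual != p.expected:
            raise ValueError(
                f"offset {p.offset:#x}: found {actual.hex()}, expected {p.expected.hex()}"
            )
        buf[p.offset:end] = p.replacement
    return bytes(buf)


def patch_file(path: str, patches) -> None:
    """Rewrite a file on disk in place, as the thesis's C++ patcher did."""
    with open(path, "rb") as f:
        image = f.read()
    with open(path, "wb") as f:
        f.write(apply_patches(image, patches))


# --- the check from section 2 ---------------------------------------------

# Constructed stand-in for the main executable, probed at a fixed offset.
FAKE_MAIN = bytes(range(64))
PROBE_OFFSET, PROBE_LEN = 0x20, 8
RELEASE_MD5 = hashlib.md5(FAKE_DLL).hexdigest()   # value baked in at release
RELEASE_PROBE = FAKE_MAIN[PROBE_OFFSET:PROBE_OFFSET + PROBE_LEN]


def integrity_ok(dll: bytes, main: bytes) -> bool:
    """Both checks the abstract describes must pass."""
    if hashlib.md5(dll).hexdigest() != RELEASE_MD5:
        return False
    return main[PROBE_OFFSET:PROBE_OFFSET + PROBE_LEN] == RELEASE_PROBE


def demo() -> dict:
    """Apply each patch style and report what the integrity check says."""
    jumped = apply_patches(FAKE_DLL, [JUMP_PATCH])
    forced = apply_patches(FAKE_DLL, [RETURN_PATCH])
    return {
        "jnz_at": locate(FAKE_DLL, JUMP_PATCH.expected),
        "pristine_ok": integrity_ok(FAKE_DLL, FAKE_MAIN),
        "jump_patch_ok": integrity_ok(jumped, FAKE_MAIN),
        "return_patch_ok": integrity_ok(forced, FAKE_MAIN),
        "jump_byte": jumped[JUMP_PATCH.offset],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The expected-bytes check is the part worth copying: a patcher that writes blindly at an offset will corrupt a different build of the same program, while this one refuses and reports what it actually found. Both patches keep the instruction length unchanged so that no other offsets move; the `locate` helper is the scripted form of the hex-editor search and insists on a unique hit before an offset is trusted.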

  • 【Online publication contributor】 Jilin University
  • 【Online publication issue】 2009, No. 07
  • 【Classification number】 TP311.52
  • 【Citations】 4
  • 【Downloads】 443