Source insight 4.x大白补丁图文破解教程

gagmeng

软件官网：
http://www.sourceinsight.com/
破解过程：

1、 IDA加载sourceinsight4.exe，shift+F12查找所有字符串，并搜索字符串“BEGIN PUBLIC KEY”，定位到pszString

2、 右键Jump to xref to operand，

点击OK定位到int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)

3、sub_507B70汇编代码以及使用F5反编译成的C代码如下所示。

[Asm] 纯文本查看 复制代码

.text:00507B70                               ; =============== S U B R O U T I N E =======================================
.text:00507B70
.text:00507B70
.text:00507B70                               ; int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)
.text:00507B70                               sub_507B70      proc near               ; CODE XREF: sub_508790+108p
.text:00507B70
.text:00507B70                               hHash           = dword ptr -818h
.text:00507B70                               phProv          = dword ptr -814h
.text:00507B70                               pvStructInfo    = dword ptr -810h
.text:00507B70                               phKey           = dword ptr -80Ch
.text:00507B70                               pcbBinary       = dword ptr -808h
.text:00507B70                               pcbStructInfo   = dword ptr -804h
.text:00507B70                               pbBinary        = byte ptr -800h
.text:00507B70                               pbData          = dword ptr  4
.text:00507B70                               dwDataLen       = dword ptr  8
.text:00507B70                               pbSignature     = dword ptr  0Ch
.text:00507B70                               dwSigLen        = dword ptr  10h
.text:00507B70
.text:00507B70 81 EC 18 08 00 00                             sub     esp, 818h
.text:00507B76 6A 00                                         push    0               ; pdwFlags
.text:00507B78 6A 00                                         push    0               ; pdwSkip
.text:00507B7A 8D 44 24 18                                   lea     eax, [esp+820h+pcbBinary]
.text:00507B7E 50                                            push    eax             ; pcbBinary
.text:00507B7F 8D 4C 24 24                                   lea     ecx, [esp+824h+pbBinary]
.text:00507B83 51                                            push    ecx             ; pbBinary
.text:00507B84 6A 00                                         push    0               ; dwFlags
.text:00507B86 6A 00                                         push    0               ; cchString
.text:00507B88 68 50 42 63 00                                push    offset pszString ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...
.text:00507B8D C7 44 24 1C 00 00 00 00                       mov     [esp+834h+hHash], 0
.text:00507B95 C7 44 24 28 00 00 00 00                       mov     [esp+834h+phKey], 0
.text:00507B9D C7 44 24 2C 00 08 00 00                       mov     [esp+834h+pcbBinary], 800h
.text:00507BA5 C7 44 24 20 00 00 00 00                       mov     [esp+834h+phProv], 0
.text:00507BAD FF 15 A8 20 5C 00                             call    ds:CryptStringToBinaryA
.text:00507BB3 85 C0                                         test    eax, eax
.text:00507BB5 75 0C                                         jnz     short loc_507BC3
.text:00507BB7
.text:00507BB7                               loc_507BB7:                             ; CODE XREF: sub_507B70+7Aj
.text:00507BB7 B8 D8 01 00 00                                mov     eax, 1D8h
.text:00507BBC 81 C4 18 08 00 00                             add     esp, 818h
.text:00507BC2 C3                                            retn
.text:00507BC3                               ; ---------------------------------------------------------------------------
.text:00507BC3
.text:00507BC3                               loc_507BC3:                             ; CODE XREF: sub_507B70+45j
.text:00507BC3 8B 4C 24 10                                   mov     ecx, [esp+818h+pcbBinary]
.text:00507BC7 8D 54 24 14                                   lea     edx, [esp+818h+pcbStructInfo]
.text:00507BCB 52                                            push    edx             ; pcbStructInfo
.text:00507BCC 8D 44 24 0C                                   lea     eax, [esp+81Ch+pvStructInfo]
.text:00507BD0 50                                            push    eax             ; pvStructInfo
.text:00507BD1 6A 00                                         push    0               ; pDecodePara
.text:00507BD3 68 00 80 00 00                                push    8000h           ; dwFlags
.text:00507BD8 51                                            push    ecx             ; cbEncoded
.text:00507BD9 8D 54 24 2C                                   lea     edx, [esp+82Ch+pbBinary]
.text:00507BDD 52                                            push    edx             ; pbEncoded
.text:00507BDE 6A 08                                         push    8               ; lpszStructType
.text:00507BE0 6A 01                                         push    1               ; dwCertEncodingType
.text:00507BE2 FF 15 AC 20 5C 00                             call    ds:CryptDecodeObjectEx
.text:00507BE8 85 C0                                         test    eax, eax
.text:00507BEA 74 CB                                         jz      short loc_507BB7
.text:00507BEC 68 00 00 00 F0                                push    0F0000000h      ; dwFlags
.text:00507BF1 6A 01                                         push    1               ; dwProvType
.text:00507BF3 6A 00                                         push    0               ; szProvider
.text:00507BF5 6A 00                                         push    0               ; szContainer
.text:00507BF7 8D 44 24 14                                   lea     eax, [esp+828h+phProv]
.text:00507BFB 50                                            push    eax             ; phProv
.text:00507BFC FF 15 28 20 5C 00                             call    ds:CryptAcquireContextW
.text:00507C02 85 C0                                         test    eax, eax
.text:00507C04 75 0C                                         jnz     short loc_507C12
.text:00507C06 B8 D9 01 00 00                                mov     eax, 1D9h
.text:00507C0B 81 C4 18 08 00 00                             add     esp, 818h
.text:00507C11 C3                                            retn
.text:00507C12                               ; ---------------------------------------------------------------------------
.text:00507C12
.text:00507C12                               loc_507C12:                             ; CODE XREF: sub_507B70+94j
.text:00507C12 8B 54 24 08                                   mov     edx, [esp+818h+pvStructInfo]
.text:00507C16 8B 44 24 04                                   mov     eax, [esp+818h+phProv]
.text:00507C1A 8D 4C 24 0C                                   lea     ecx, [esp+818h+phKey]
.text:00507C1E 51                                            push    ecx             ; phKey
.text:00507C1F 52                                            push    edx             ; pInfo
.text:00507C20 6A 01                                         push    1               ; dwCertEncodingType
.text:00507C22 50                                            push    eax             ; hCryptProv
.text:00507C23 FF 15 B8 20 5C 00                             call    ds:CryptImportPublicKeyInfo
.text:00507C29 85 C0                                         test    eax, eax
.text:00507C2B 75 0C                                         jnz     short loc_507C39
.text:00507C2D
.text:00507C2D                               loc_507C2D:                             ; CODE XREF: sub_507B70+EEj
.text:00507C2D B8 DA 01 00 00                                mov     eax, 1DAh
.text:00507C32 81 C4 18 08 00 00                             add     esp, 818h
.text:00507C38 C3                                            retn
.text:00507C39                               ; ---------------------------------------------------------------------------
.text:00507C39
.text:00507C39                               loc_507C39:                             ; CODE XREF: sub_507B70+BBj
.text:00507C39 8B 4C 24 08                                   mov     ecx, [esp+818h+pvStructInfo]
.text:00507C3D 51                                            push    ecx             ; hMem
.text:00507C3E FF 15 8C 22 5C 00                             call    ds:LocalFree
.text:00507C44 8B 44 24 04                                   mov     eax, [esp+818h+phProv]
.text:00507C48 8D 14 24                                      lea     edx, [esp+818h+hHash]
.text:00507C4B 52                                            push    edx             ; phHash
.text:00507C4C 6A 00                                         push    0               ; dwFlags
.text:00507C4E 6A 00                                         push    0               ; hKey
.text:00507C50 68 04 80 00 00                                push    8004h           ; Algid
.text:00507C55 50                                            push    eax             ; hProv
.text:00507C56 FF 15 50 20 5C 00                             call    ds:CryptCreateHash
.text:00507C5C 85 C0                                         test    eax, eax
.text:00507C5E 74 CD                                         jz      short loc_507C2D
.text:00507C60 8B 8C 24 20 08 00 00                          mov     ecx, [esp+818h+dwDataLen]
.text:00507C67 8B 94 24 1C 08 00 00                          mov     edx, [esp+818h+pbData]
.text:00507C6E 8B 04 24                                      mov     eax, [esp+818h+hHash]
.text:00507C71 6A 00                                         push    0               ; dwFlags
.text:00507C73 51                                            push    ecx             ; dwDataLen
.text:00507C74 52                                            push    edx             ; pbData
.text:00507C75 50                                            push    eax             ; hHash
.text:00507C76 FF 15 48 20 5C 00                             call    ds:CryptHashData
.text:00507C7C 85 C0                                         test    eax, eax
.text:00507C7E 75 0C                                         jnz     short loc_507C8C
.text:00507C80 B8 DB 01 00 00                                mov     eax, 1DBh
.text:00507C85 81 C4 18 08 00 00                             add     esp, 818h
.text:00507C8B C3                                            retn
.text:00507C8C                               ; ---------------------------------------------------------------------------
.text:00507C8C
.text:00507C8C                               loc_507C8C:                             ; CODE XREF: sub_507B70+10Ej
.text:00507C8C 8B 4C 24 0C                                   mov     ecx, [esp+818h+phKey]
.text:00507C90 8B 94 24 28 08 00 00                          mov     edx, [esp+818h+dwSigLen]
.text:00507C97 8B 84 24 24 08 00 00                          mov     eax, [esp+818h+pbSignature]
.text:00507C9E 56                                            push    esi
.text:00507C9F 6A 00                                         push    0               ; dwFlags
.text:00507CA1 6A 00                                         push    0               ; szDescription
.text:00507CA3 51                                            push    ecx             ; hPubKey
.text:00507CA4 8B 4C 24 10                                   mov     ecx, [esp+828h+hHash]
.text:00507CA8 52                                            push    edx             ; dwSigLen
.text:00507CA9 50                                            push    eax             ; pbSignature
.text:00507CAA 51                                            push    ecx             ; hHash
.text:00507CAB FF 15 44 20 5C 00                             call    ds:CryptVerifySignatureW
.text:00507CB1 8B 54 24 04                                   mov     edx, [esp+81Ch+hHash]
.text:00507CB5 52                                            push    edx             ; hHash
.text:00507CB6 8B F0                                         mov     esi, eax
.text:00507CB8 FF 15 40 20 5C 00                             call    ds:CryptDestroyHash
.text:00507CBE 8B 44 24 08                                   mov     eax, [esp+81Ch+phProv]
.text:00507CC2 6A 00                                         push    0               ; dwFlags
.text:00507CC4 50                                            push    eax             ; hProv
.text:00507CC5 FF 15 3C 20 5C 00                             call    ds:CryptReleaseContext
.text:00507CCB F7 DE                                         neg     esi
.text:00507CCD 1B C0                                         sbb     eax, eax
.text:00507CCF 25 FA FE FF FF                                and     eax, 0FFFFFEFAh
.text:00507CD4 05 CE 01 00 00                                add     eax, 1CEh
.text:00507CD9 5E                                            pop     esi
.text:00507CDA 81 C4 18 08 00 00                             add     esp, 818h
.text:00507CE0 C3                                            retn
.text:00507CE0                               sub_507B70      endp
.text:00507CE0

[C] 纯文本查看 复制代码

int __cdecl sub_507B70(BYTE *pbData, DWORD dwDataLen, BYTE *pbSignature, DWORD dwSigLen)
{
  int result; // eax@2
  BOOL v5; // esi@11
  HCRYPTHASH hHash; // [sp+0h] [bp-818h]@1
  HCRYPTPROV phProv; // [sp+4h] [bp-814h]@1
  struct _CERT_PUBLIC_KEY_INFO *pvStructInfo; // [sp+8h] [bp-810h]@3
  HCRYPTKEY phKey; // [sp+Ch] [bp-80Ch]@1
  DWORD pcbBinary; // [sp+10h] [bp-808h]@1
  DWORD pcbStructInfo; // [sp+14h] [bp-804h]@3
  BYTE pbBinary; // [sp+18h] [bp-800h]@1

  hHash = 0;
  phKey = 0;
  pcbBinary = 2048;
  phProv = 0;
  if ( CryptStringToBinaryA(pszString, 0, 0, &pbBinary, &pcbBinary, 0, 0)
    && CryptDecodeObjectEx(1u, (LPCSTR)8, &pbBinary, pcbBinary, 0x8000u, 0, &pvStructInfo, &pcbStructInfo) )
  {
    if ( CryptAcquireContextW(&phProv, 0, 0, 1u, 0xF0000000) )
    {
      if ( CryptImportPublicKeyInfo(phProv, 1u, pvStructInfo, &phKey)
        && (LocalFree(pvStructInfo), CryptCreateHash(phProv, 0x8004u, 0, 0, &hHash)) )
      {
        if ( CryptHashData(hHash, pbData, dwDataLen, 0) )
        {
          v5 = CryptVerifySignatureW(hHash, pbSignature, dwSigLen, phKey, 0, 0);
          CryptDestroyHash(hHash);
          CryptReleaseContext(phProv, 0);
          result = v5 != 0 ? 200 : 462;
        }
        else
        {
          result = 475;
        }
      }
      else
      {
        result = 474;
      }
    }
    else
    {
      result = 473;
    }
  }
  else
  {
    result = 472;
  }
  return result;
}

4、因此只需将result = v5 != 0 ? 200 : 462;修改为result = v5 != 0 ? 462 : 200即可破解；或者CryptVerifySignatureW返回值为true亦可破解。
v5 != 0 ? 200 : 462部分对应的汇编代码为：

[Asm] 纯文本查看 复制代码

.text:00507CCB F7 DE                                         neg     esi
.text:00507CCD 1B C0                                         sbb     eax, eax
.text:00507CCF 25 FA FE FF FF                                and     eax, 0FFFFFEFAh
.text:00507CD4 05 CE 01 00 00                                add     eax, 1CEh
.text:00507CD9 5E                                            pop     esi
.text:00507CDA 81 C4 18 08 00 00                             add     esp, 818h
.text:00507CE0 C3                                            retn

可参考http://www.cnblogs.com/awpatp/archive/2009/11/06/1597488.html的解释进行爆破

5、使用神器大白进行补丁，只需在特征码定位到neg esi处，使esi的值为true，大白设置界面如下：


6、大白补丁文件和授权文件如下，授权文件中的内容可自行修改，感谢MistHill大神分享的授权文件。
source insigth 4大白补丁.rar (711.7 KB, 下载次数: 307)

2017-2-17 08:13 上传

点击文件名下载附件
补丁文件

si4-lic.rar (731 Bytes, 下载次数: 174)

2017-2-17 08:15 上传

点击文件名下载附件
授权文件

来自群组: 我们都爱月姐姐

jgs

这几天，关于这个软件破解方法讨论很热烈，学习了，长见识了。谢谢楼主分享
忘了，我是在沙发上，哈哈

zxxiaopi

都是大神

wgz001

求表哥带玩IDA

kingxiao

大白好牛逼！！！

wangye_123

谢谢分享  好东西

car_doge

感谢楼主神作，顺利使用。

sdnyzjzx

分析的真好，感谢分享！

HJIE

谢谢 思路清晰 很有帮助

wu0687050

佩服，多学点东西