Cracking IAR ICCARM V8.32.3 on Windows Server with OllyDbg
IAR is a compiler widely used for embedded work, and the write-ups found online usually crack it with a keygen. Recently I needed automated builds on an Alibaba Cloud Windows Server for continuous integration, and on Windows Server the keygen approach kept failing, possibly because the machine is a virtual machine, so the only option left was to patch the binary with OllyDbg.
IAR version: EWARM-CD-8323-20228.exe
Without a license, running iccarm.exe from the command line fails in the License Manager check:
C:\temp>iccarm.exe
IAR ANSI C/C++ Compiler V8.32.3.193/W32 for ARM
Copyright 1999-2019 IAR Systems AB.
Fatal error[LMS001]: License check failed. Use the IAR License Manager to
resolve the problem.
No license found. [LicenseCheck:2.16.5.1338,
RMS:9.2.1.0011, Feature:ARM.EW.COMPILER, Version:1.15]
Fatal error detected, aborting.
The tool used is OllyDbg v1.10.
First load iccarm.exe in OllyDbg.
Press Ctrl+G and jump to address 0x01AB9A30. This function performs the license check (that is just my guess). Its disassembly:
01AB9A2F CC INT3
01AB9A30 55 PUSH EBP
01AB9A31 8BEC MOV EBP,ESP
01AB9A33 6A FF PUSH -1
01AB9A35 68 E829D901 PUSH iccarm.01D929E8
01AB9A3A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01AB9A40 50 PUSH EAX
01AB9A41 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
01AB9A48 83EC 2C SUB ESP,2C
01AB9A4B 53 PUSH EBX
01AB9A4C 8BD9 MOV EBX,ECX
01AB9A4E 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
01AB9A51 56 PUSH ESI
01AB9A52 8B43 7C MOV EAX,DWORD PTR DS:[EBX+7C]
01AB9A55 8B30 MOV ESI,DWORD PTR DS:[EAX]
01AB9A57 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
01AB9A5A 50 PUSH EAX
01AB9A5B E8 8042FFFF CALL iccarm.01AADCE0
01AB9A60 FF75 14 PUSH DWORD PTR SS:[EBP+14]
01AB9A63 83EC 0C SUB ESP,0C
01AB9A66 F3: PREFIX REP: ; superfluous prefix
01AB9A67 0F7E00 MOVD DWORD PTR DS:[EAX],MM0
01AB9A6A 8BCC MOV ECX,ESP
01AB9A6C 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
01AB9A6F 6A 00 PUSH 0
01AB9A71 FF75 0C PUSH DWORD PTR SS:[EBP+C]
01AB9A74 66:0FD6 ??? ; unknown command
01AB9A77 0189 41088B4B ADD DWORD PTR DS:[ECX+4B8B0841],ECX
01AB9A7D 7C FF JL SHORT iccarm.01AB9A7E
01AB9A7F 56 PUSH ESI
01AB9A80 04 50 ADD AL,50
01AB9A82 FF75 10 PUSH DWORD PTR SS:[EBP+10]
01AB9A85 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
01AB9A88 FF75 0C PUSH DWORD PTR SS:[EBP+C]
01AB9A8B FF75 08 PUSH DWORD PTR SS:[EBP+8]
01AB9A8E E8 3D0B0200 CALL iccarm.01ADA5D0
01AB9A93 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
01AB9A96 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
01AB9A9D 50 PUSH EAX
01AB9A9E 8BCB MOV ECX,EBX
01AB9AA0 E8 3B250000 CALL iccarm.01ABBFE0
01AB9AA5 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
01AB9AA8 C745 FC 0100000>MOV DWORD PTR SS:[EBP-4],1
01AB9AAF E8 4C4B0000 CALL iccarm.01ABE600
01AB9AB4 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
01AB9AB7 E8 3439FFFF CALL iccarm.01AAD3F0
01AB9ABC 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
01AB9ABF 5E POP ESI
01AB9AC0 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
01AB9AC7 5B POP EBX
01AB9AC8 8BE5 MOV ESP,EBP
01AB9ACA 5D POP EBP
01AB9ACB C2 1000 RETN 10
01AB9ACE CC INT3
A note on the listing itself before patching: the lines from 01AB9A66 to 01AB9A80 that OllyDbg shows as "superfluous prefix", "???" and nonsense operands are SSE2 instructions (F3 0F 7E and 66 0F D6 are both MOVQ encodings) that OllyDbg 1.10 cannot decode; the disassembly resynchronises at 01AB9A82, and none of it matters for a patch at the prologue.

Now make the function return immediately. Overwrite the four bytes at 01AB9A31..01AB9A34 (MOV EBP,ESP = 8B EC and PUSH -1 = 6A FF) with POP EBP (5D) and RETN 0C (C2 0C 00), so the new instructions land at 01AB9A31 and 01AB9A32 and the PUSH at 01AB9A35 is untouched. One thing to double-check: the function's own epilogue at 01AB9ACB is RETN 10, i.e. it pops four stack arguments (it reads EBP+8 through EBP+14, with the object pointer passed in ECX), whereas RETN 0C pops only three and leaves the caller's ESP 4 bytes short. The stub 5D C2 10 00 is the same length and would match the original exactly; if the patched binary misbehaves, that is the first thing to try. The patched prologue:
01AB9A2F CC INT3
01AB9A30 55 PUSH EBP
01AB9A31 5D POP EBP
01AB9A32 C2 0C00 RETN 0C
01AB9A35 68 E829D901 PUSH iccarm.01D929E8
01AB9A3A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01AB9A40 50 PUSH EAX
01AB9A41 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
01AB9A48 83EC 2C SUB ESP,2C
01AB9A4B 53 PUSH EBX
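Before saving a same-size patch like this it is worth checking it mechanically against the listing: that it starts and ends on instruction boundaries (so no neighbouring instruction is half-overwritten), and that the stub's RETN pops the same number of bytes as the function's own epilogue. The Python below is an added example and is not part of the original post or of any IAR or OllyDbg tooling. It parses a few lines copied from the OllyDbg listing above (constructed input), decodes only the handful of opcodes a return stub uses, and reports the RETN 0C / RETN 10 mismatch of the patch shown here as well as the cases where a patch lands or ends inside an instruction.

```python
import re

# Lines copied from the OllyDbg listing above (address, opcode bytes, mnemonic):
# the prologue of the function at 01AB9A30 and its epilogue. Constructed input
# for the checker; any OllyDbg-style listing with complete byte columns works.
LISTING = """\
01AB9A30 55 PUSH EBP
01AB9A31 8BEC MOV EBP,ESP
01AB9A33 6A FF PUSH -1
01AB9A35 68 E829D901 PUSH iccarm.01D929E8
01AB9A3A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01AB9A40 50 PUSH EAX
01AB9ACB C2 1000 RETN 10
"""

HEX_TOKEN = re.compile(r"^(?:[0-9A-F]{2})+$")


def parse_listing(text):
    """Map address -> (opcode bytes, mnemonic) for an OllyDbg-style listing.

    Opcode tokens may carry a segment-prefix colon ("64:A1"); a token ending in
    '>' means OllyDbg truncated the byte column, which is refused rather than
    guessed. Limitation: a mnemonic made only of hex letters (e.g. FADD) would
    be taken for bytes; none occur in a prologue or epilogue.
    """
    insns = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        addr = int(tokens[0], 16)
        raw, i = [], 1
        while i < len(tokens):
            tok = tokens[i].replace(":", "")
            if tok.endswith(">"):
                raise ValueError(f"truncated opcode bytes at {addr:08X}")
            if not HEX_TOKEN.match(tok):
                break
            raw.append(tok)
            i += 1
        if not raw:
            raise ValueError(f"no opcode bytes at {addr:08X}")
        insns[addr] = (bytes.fromhex("".join(raw)), " ".join(tokens[i:]))
    return insns


def retn_pops(insn_bytes):
    """Stack bytes popped by a RETN encoding (C3 or C2 imm16), None otherwise."""
    if insn_bytes[:1] == b"\xC3":
        return 0
    if insn_bytes[:1] == b"\xC2" and len(insn_bytes) >= 3:
        return int.from_bytes(insn_bytes[1:3], "little")
    return None


# The only single-byte opcodes a "return immediately" stub needs, with lengths:
# PUSH EBP, POP EBP, NOP, RETN, RETN imm16.
STUB_LENGTH = {0x55: 1, 0x5D: 1, 0x90: 1, 0xC3: 1, 0xC2: 3}


def stub_retn_pops(patch):
    """Decode a stub of PUSH/POP EBP, NOP, XOR EAX,EAX and RETN; return its RETN pop count."""
    i, pops = 0, None
    while i < len(patch):
        op = patch[i]
        if op == 0x33 and patch[i + 1:i + 2] == b"\xC0":      # XOR EAX,EAX
            i += 2
            continue
        if op not in STUB_LENGTH:
            raise ValueError(f"opcode {op:02X} at offset {i} is not a stub opcode")
        if i + STUB_LENGTH[op] > len(patch):
            raise ValueError("stub ends inside an instruction")
        if op in (0xC2, 0xC3):
            pops = retn_pops(patch[i:i + 3])
        i += STUB_LENGTH[op]
    return pops


def check_patch(listing, patch_addr, patch):
    """Return a list of problems with an in-place patch; [] means it is sound.

    Checks that the patch starts on an instruction boundary, ends on one (no
    instruction is half-overwritten), and that its RETN pops exactly what the
    function's own epilogue pops, otherwise the caller's ESP is left off.
    """
    insns = parse_listing(listing)
    problems = []
    if patch_addr not in insns:
        return [f"{patch_addr:08X} is not an instruction boundary in the listing"]
    addr, covered = patch_addr, 0
    while covered < len(patch):
        if addr not in insns:
            return [f"listing has no instruction at {addr:08X}; extend it"]
        size = len(insns[addr][0])
        addr, covered = addr + size, covered + size
    if covered != len(patch):
        problems.append(f"patch of {len(patch)} bytes ends mid-instruction; "
                        f"the instruction it cuts ends at {addr:08X}")
    epilogue = [retn_pops(b) for b, _ in insns.values() if retn_pops(b) is not None]
    stub = stub_retn_pops(patch)
    if stub is None:
        problems.append("stub has no RETN")
    elif epilogue and stub not in epilogue:
        problems.append(f"stub RETN pops {stub} bytes but the epilogue RETN pops "
                        f"{epilogue[0]}; caller's ESP would be off by {epilogue[0] - stub}")
    return problems


if __name__ == "__main__":
    for hexpatch in ("5DC20C00", "5DC21000"):
        print(hexpatch, check_patch(LISTING, 0x01AB9A31, bytes.fromhex(hexpatch)))
```

Run stand-alone it reports the stack mismatch for 5D C2 0C 00 and nothing for 5D C2 10 00. The checker deliberately refuses truncated byte columns (OllyDbg's "0000000>") instead of guessing lengths, because an off-by-one in instruction size is exactly the mistake it exists to catch.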
All that remains is to save the modified binary. In the OllyDbg window, right-click -> Copy to executable -> All modifications -> Copy all, then in the new window right-click -> Save file and give it a name such as iccarm2.exe.
Running it, the license check is skipped:
C:\temp>iccarm2.exe
IAR ANSI C/C++ Compiler V8.32.3.193/W32 for ARM
Copyright 1999-2019 IAR Systems AB.
Available command line options:
--aapcs {std|vfp}
Specify calling convention.
--aeabi Generate aeabi compliant code
--align_sp_on_irq
Generate code to align SP on entry to __irq functions
--arm Generate code in arm mode, same as --cpu_mode arm
--c++ C++
--c89 Use C89 standard
--char_is_signed
'Plain' char is treated as signed char
--char_is_unsigned
'plain' char is treated as unsigned char
--cmse Enable CMSE secure object generation
--cpu core Specify target core
Valid options are core names such as Cortex-M3
and architecture names such as 7M
Cortex-M3 is default
--cpu_mode {arm|a|thumb|t}
Select default mode for functions, arm is default
-D symbol[=value]
Define macro (same as #define symbol [value])
--debug
-r Insert debug info in object file
--dependencies=[i|m|n][s][lw][b] file|directory|+