[Original] Cracking a bitmap CrackMe
Posted: 2009-10-27 12:53
【Title】: Cracking a bitmap CrackMe
【Author】: riusksk
【Author's homepage】: http://riusksk.blogbus.com
【Software download】: cm.rar
【Protection】: keyfile
【Platform】: Windows Vista SP1
【Tools】: OD, WinHex
【Author's note】: Just out of interest, no other purpose. Corrections of any mistakes are welcome!
------------------------------------------------------------------------------------------------------------------
【Cracking process】:
First open the CM and click the "Unlock Me" button; it reports "The system cannot find the file specified" and then closes by itself. So this CM is a keyfile CM, and we can set a breakpoint with bpx CreateFileA; after running, it stops at the following address:
0040149F |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
004014A1 |. 68 A0000008 PUSH 80000A0 ; |Attributes = ARCHIVE|NORMAL|SEQUENTIAL_SCAN
004014A6 |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
004014A8 |. 6A 00 PUSH 0 ; |pSecurity = NULL
004014AA |. 6A 00 PUSH 0 ; |ShareMode = 0
004014AC |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
004014B1 |. 68 6C604000 PUSH Imaginat.0040606C ; |FileName = "ohmygod.bmp"
004014B6 |. FFD7 CALL EDI ; \CreateFileA
So we first create a file named "ohmygod.bmp", open it with the system's Paint tool and click Save directly; that gives us a blank image, which we will modify later according to what the analysis turns up. Next let's look at the BMP file header and info header. I looked them up in the Win32 Programmer's Reference; the details are as follows:
Bitmap file header:
typedef struct tagBITMAPFILEHEADER { // bmfh
WORD bfType;
DWORD bfSize;
WORD bfReserved1;
WORD bfReserved2;
DWORD bfOffBits;
} BITMAPFILEHEADER;
Members
bfType
Specifies the file type. It must be BM.
bfSize
Specifies the size, in bytes, of the bitmap file.
bfReserved1
Reserved; must be zero.
bfReserved2
Reserved; must be zero.
bfOffBits
Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits.
Bitmap info header:
typedef struct tagBITMAPINFOHEADER{ // bmih
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount;
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;
Members
biSize
Specifies the number of bytes required by the structure.
biWidth
Specifies the width of the bitmap, in pixels.
biHeight
Specifies the height of the bitmap, in pixels. If biHeight is positive, the bitmap is a bottom-up DIB and its origin is the lower left corner. If biHeight is negative, the bitmap is a top-down DIB and its origin is the upper left corner.
biPlanes
Specifies the number of planes for the target device. This value must be set to 1.
biBitCount
Specifies the number of bits per pixel. This value must be 1, 4, 8, 16, 24, or 32.
biCompression
Specifies the type of compression for a compressed bottom-up bitmap (top-down DIBs cannot be compressed). It can be one of the following values:
Value Description
BI_RGB An uncompressed format.
BI_RLE8 A run-length encoded (RLE) format for bitmaps with 8 bits per pixel. The compression format is a two-byte format consisting of a count byte followed by a byte containing a color index. For more information, see the following Remarks section.
BI_RLE4 An RLE format for bitmaps with 4 bits per pixel. The compression format is a two-byte format consisting of a count byte followed by two word-length color indices. For more information, see the following Remarks section.
BI_BITFIELDS Specifies that the bitmap is not compressed and that the color table consists of three doubleword color masks that specify the red, green, and blue components, respectively, of each pixel. This is valid when used with 16- and 32-bits-per-pixel bitmaps.
biSizeImage
Specifies the size, in bytes, of the image. This may be set to 0 for BI_RGB bitmaps.
biXPelsPerMeter
Specifies the horizontal resolution, in pixels per meter, of the target device for the bitmap. An application can use this value to select a bitmap from a resource group that best matches the characteristics of the current device.
biYPelsPerMeter
Specifies the vertical resolution, in pixels per meter, of the target device for the bitmap.
biClrUsed
Specifies the number of color indices in the color table that are actually used by the bitmap. If this value is zero, the bitmap uses the maximum number of colors corresponding to the value of the biBitCount member for the compression mode specified by biCompression.
If biClrUsed is nonzero and the biBitCount member is less than 16, the biClrUsed member specifies the actual number of colors the graphics engine or device driver accesses. If biBitCount is 16 or greater, then biClrUsed member specifies the size of the color table used to optimize performance of Windows color palettes. If biBitCount equals 16 or 32, the optimal color palette starts immediately following the three doubleword masks.
If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and which is referenced by a single pointer), the biClrUsed member must be either 0 or the actual size of the color table.
biClrImportant
Specifies the number of color indices that are considered important for displaying the bitmap. If this value is zero, all colors are important.
We continue with F8 and arrive at:
004014DF |. E8 5CFBFFFF CALL Imaginat.00401040 ; F7 to step into
{
00401040 /$ 83EC 40 SUB ESP,40
00401043 |. 53 PUSH EBX
00401044 |. 56 PUSH ESI
00401045 |. 57 PUSH EDI
00401046 |. 68 00040000 PUSH 400 ; /Size = 400 (1024.)
0040104B |. 6A 40 PUSH 40 ; |Flags = LPTR
0040104D |. C74424 14 000>MOV DWORD PTR SS:[ESP+14],0 ; |
00401055 |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc
0040105B |. 8B7C24 54 MOV EDI,DWORD PTR SS:[ESP+54]
0040105F |. 8B1D 60504000 MOV EBX,DWORD PTR DS:[<&KERNEL32.ReadFile>] ; kernel32.ReadFile
00401065 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00401069 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0040106D |. 6A 00 PUSH 0 ; /pOverlapped = NULL
0040106F |. 50 PUSH EAX ; |pBytesRead
00401070 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C] ; |
00401074 |. 6A 0E PUSH 0E ; |BytesToRead = E (14.)
00401076 |. 51 PUSH ECX ; |Buffer <= note the buffer address here is [ESP+1C]; its contents are compared later
00401077 |. 57 PUSH EDI ; |hFile
00401078 |. FFD3 CALL EBX ; \ReadFile
0040107A |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0040107E |. 85C0 TEST EAX,EAX
00401080 |. 75 09 JNZ SHORT Imaginat.0040108B
00401082 |. 5F POP EDI
00401083 |. 5E POP ESI
00401084 |. 33C0 XOR EAX,EAX
00401086 |. 5B POP EBX
00401087 |. 83C4 40 ADD ESP,40
0040108A |. C3 RETN
0040108B |> 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0040108F |. 6A 00 PUSH 0
00401091 |. 52 PUSH EDX
00401092 |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C]
00401096 |. 6A 28 PUSH 28
00401098 |. 50 PUSH EAX
00401099 |. 57 PUSH EDI
0040109A |. FFD3 CALL EBX
0040109C |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004010A0 |. 85C0 TEST EAX,EAX
004010A2 |. 75 09 JNZ SHORT Imaginat.004010AD
004010A4 |. 5F POP EDI
004010A5 |. 5E POP ESI
004010A6 |. 33C0 XOR EAX,EAX
004010A8 |. 5B POP EBX
004010A9 |. 83C4 40 ADD ESP,40
004010AC |. C3 RETN
We continue analysing:
004010AD |> \66:817C24 14 >CMP WORD PTR SS:[ESP+14],4D42 ; is the bitmap file type bfType "BM"?
004010B4 |. 74 10 JE SHORT Imaginat.004010C6
004010B6 |. 57 PUSH EDI ; /hObject
004010B7 |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004010BD |. 5F POP EDI
004010BE |. 5E POP ESI
004010BF |. 33C0 XOR EAX,EAX
004010C1 |. 5B POP EBX
004010C2 |. 83C4 40 ADD ESP,40
004010C5 |. C3 RETN
004010C6 |> 66:837C24 32 >CMP WORD PTR SS:[ESP+32],18 ; is the bits-per-pixel count biBitCount 0x18?
004010CC |. 74 10 JE SHORT Imaginat.004010DE
004010CE |. 57 PUSH EDI ; /hObject
004010CF |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004010D5 |. 5F POP EDI
004010D6 |. 5E POP ESI
004010D7 |. 33C0 XOR EAX,EAX
004010D9 |. 5B POP EBX
004010DA |. 83C4 40 ADD ESP,40
004010DD |. C3 RETN
004010DE |> 817C24 16 AA6>CMP DWORD PTR SS:[ESP+16],160AA ; is the bitmap file size bfSize equal to 0x160AA?
004010E6 |. 74 10 JE SHORT Imaginat.004010F8
004010E8 |. 57 PUSH EDI ; /hObject
004010E9 |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004010EF |. 5F POP EDI
004010F0 |. 5E POP ESI
004010F1 |. 33C0 XOR EAX,EAX
004010F3 |. 5B POP EBX
004010F4 |. 83C4 40 ADD ESP,40
004010F7 |. C3 RETN
004010F8 |> 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34] ; is the compression type biCompression 0 (uncompressed)?
004010FC |. 85C0 TEST EAX,EAX
004010FE |. 74 10 JE SHORT Imaginat.00401110
00401100 |. 57 PUSH EDI ; /hObject
00401101 |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401107 |. 5F POP EDI
00401108 |. 5E POP ESI
00401109 |. 33C0 XOR EAX,EAX
0040110B |. 5B POP EBX
0040110C |. 83C4 40 ADD ESP,40
0040110F |. C3 RETN
00401110 |> 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C] ; bitmap height biHeight
00401114 |. 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] ; bitmap width biWidth
00401118 |. 8D1431 LEA EDX,DWORD PTR DS:[ECX+ESI] ; EDX = biHeight + biWidth
0040111B |. 81FA E5010000 CMP EDX,1E5 ; jump if width + height == 0x1E5
00401121 |. 74 29 JE SHORT Imaginat.0040114C
00401123 |. 8BC6 MOV EAX,ESI
00401125 |. 2BC1 SUB EAX,ECX ; EAX = width - height
00401127 |. 3D 53010000 CMP EAX,153 ; jump if width - height == 0x153
0040112C |. 74 1E JE SHORT Imaginat.0040114C
0040112E |. 8D1449 LEA EDX,DWORD PTR DS:[ECX+ECX*2] ; EDX = height * 3
00401131 |. C1E2 03 SHL EDX,3 ; EDX = height * 3 * 8
00401134 |. 81FA D8060000 CMP EDX,6D8 ; jump if height * 3 * 8 == 0x6D8. One of these three jumps must be taken, otherwise it dies; here I take the third one, i.e. height = 0x49
0040113A |. 74 10 JE SHORT Imaginat.0040114C
0040113C |. 57 PUSH EDI ; /hObject
0040113D |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401143 |. 5F POP EDI
00401144 |. 5E POP ESI
00401145 |. 33C0 XOR EAX,EAX
00401147 |. 5B POP EBX
00401148 |. 83C4 40 ADD ESP,40
0040114B |. C3 RETN
0040114C |> \8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30] ; target-device planes biPlanes = 1 together with bits-per-pixel biBitCount = 0x18
00401150 |. 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24] ; size of the bitmap info header biSize = 0x28
00401154 |. 25 FFFF0000 AND EAX,0FFFF ; EAX = biPlanes = 1
00401159 |. 55 PUSH EBP
0040115A |. 8D8410 AA6001>LEA EAX,DWORD PTR DS:[EAX+EDX+160AA] ; EAX = biPlanes + biSize + 0x160AA
00401161 |. 99 CDQ
00401162 |. 8BE8 MOV EBP,EAX
00401164 |. 8D41 BA LEA EAX,DWORD PTR DS:[ECX-46] ; EAX = height - 0x46
00401167 |. 0FAFC6 IMUL EAX,ESI ; EAX = (height - 0x46) * width
0040116A |. 33EA XOR EBP,EDX ; EBP = EBP ^ EDX
0040116C |. 2BEA SUB EBP,EDX ; EBP = EBP - EDX (CDQ / XOR / SUB is the absolute-value idiom)
0040116E |. 99 CDQ
0040116F |. 33C2 XOR EAX,EDX
00401171 |. 2BC2 SUB EAX,EDX
00401173 |. 03E8 ADD EBP,EAX
00401175 |. 81FD A7650100 CMP EBP,165A7 ; EBP = (biHeight - 0x46) * biWidth + biSize + biPlanes + 0x160AA = 3 * width + 0x28 + 1 + 0x160AA, so the width must be 0x19C
0040117B |. 5D POP EBP
0040117C |. 74 10 JE SHORT Imaginat.0040118E
0040117E |. 57 PUSH EDI ; /hObject
0040117F |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401185 |. 5F POP EDI
00401186 |. 5E POP ESI
00401187 |. 33C0 XOR EAX,EAX
00401189 |. 5B POP EBX
0040118A |. 83C4 40 ADD ESP,40
0040118D |. C3 RETN
0040118E |> 8B4424 58 MOV EAX,DWORD PTR SS:[ESP+58]
00401192 |. 8B5424 5C MOV EDX,DWORD PTR SS:[ESP+5C]
00401196 |. 8930 MOV DWORD PTR DS:[EAX],ESI
00401198 |. 8B7424 60 MOV ESI,DWORD PTR SS:[ESP+60]
0040119C |. 890A MOV DWORD PTR DS:[EDX],ECX
0040119E |. 8B5424 1E MOV EDX,DWORD PTR SS:[ESP+1E]
004011A2 |. B8 AA600100 MOV EAX,160AA
004011A7 |. 2BC2 SUB EAX,EDX
004011A9 |. 50 PUSH EAX ; /Size
004011AA |. 6A 40 PUSH 40 ; |Flags = LPTR
004011AC |. 8906 MOV DWORD PTR DS:[ESI],EAX ; |
004011AE |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc
004011B4 |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
004011B6 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004011BA |. 6A 00 PUSH 0
004011BC |. 51 PUSH ECX
004011BD |. 52 PUSH EDX
004011BE |. 50 PUSH EAX
004011BF |. 57 PUSH EDI
004011C0 |. FFD3 CALL EBX
004011C2 |. 85C0 TEST EAX,EAX
004011C4 |. 75 10 JNZ SHORT Imaginat.004011D6
004011C6 |. 57 PUSH EDI ; /hObject
004011C7 |. FF15 64504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004011CD |. 5F POP EDI
004011CE |. 5E POP ESI
004011CF |. 33C0 XOR EAX,EAX
004011D1 |. 5B POP EBX
004011D2 |. 83C4 40 ADD ESP,40
004011D5 |. C3 RETN
004011D6 |> 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
004011DA |. 50 PUSH EAX ; /hMemory
004011DB |. FF15 68504000 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>] ; \LocalFree
004011E1 |. 5F POP EDI
004011E2 |. 5E POP ESI
004011E3 |. B8 01000000 MOV EAX,1
004011E8 |. 5B POP EBX
004011E9 |. 83C4 40 ADD ESP,40
004011EC \. C3 RETN
}
004014E4 |. 83C4 18 ADD ESP,18
004014E7 |. 85C0 TEST EAX,EAX
004014E9 |. 75 09 JNZ SHORT Imaginat.004014F4
004014EB |. 53 PUSH EBX
004014EC |. E8 1F010000 CALL Imaginat.00401610
004014F1 |. 83C4 04 ADD ESP,4
004014F4 |> 8B1D 64504000 MOV EBX,DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
004014FA |. 55 PUSH EBP
004014FB |. 56 PUSH ESI ; /hObject
004014FC |. FFD3 CALL EBX ; \CloseHandle
004014FE |. 6A 00 PUSH 0
00401500 |. 68 A0000008 PUSH 80000A0
00401505 |. 6A 03 PUSH 3
00401507 |. 6A 00 PUSH 0
00401509 |. 6A 00 PUSH 0
0040150B |. 68 00000080 PUSH 80000000
00401510 |. 68 6C604000 PUSH Imaginat.0040606C ; ASCII "ohmygod.bmp"
00401515 |. FFD7 CALL EDI ; kernel32.CreateFileA
00401517 |. 8BF0 MOV ESI,EAX
00401519 |. 56 PUSH ESI
0040151A |. E8 71FDFFFF CALL Imaginat.00401290
{
00401290 /$ 83EC 08 SUB ESP,8
00401293 |. 53 PUSH EBX
00401294 |. 55 PUSH EBP
00401295 |. 56 PUSH ESI
00401296 |. 57 PUSH EDI
00401297 |. 6A 0A PUSH 0A ; /Size = A (10.)
00401299 |. 6A 40 PUSH 40 ; |Flags = LPTR
0040129B |. C74424 18 000>MOV DWORD PTR SS:[ESP+18],2000000 ; |
004012A3 |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc
004012A9 |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
004012AD |. 6A 00 PUSH 0 ; /Origin = FILE_BEGIN
004012AF |. 6A 00 PUSH 0 ; |pOffsetHi = NULL
004012B1 |. 6A 36 PUSH 36 ; |OffsetLo = 36 (54.)
004012B3 |. 55 PUSH EBP ; |hFile
004012B4 |. 8BF0 MOV ESI,EAX ; |
004012B6 |. FF15 38504000 CALL DWORD PTR DS:[<&KERNEL32.SetFilePointer>] ; \SetFilePointer
004012BC |. 8B1D F8504000 MOV EBX,DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
004012C2 |. 33FF XOR EDI,EDI
004012C4 |> 8D4424 14 /LEA EAX,DWORD PTR SS:[ESP+14]
004012C8 |. 6A 00 |PUSH 0 ; /pOverlapped = NULL
004012CA |. 50 |PUSH EAX ; |pBytesRead
004012CB |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18] ; |
004012CF |. 6A 04 |PUSH 4 ; |BytesToRead = 4
004012D1 |. 51 |PUSH ECX ; |Buffer
004012D2 |. 55 |PUSH EBP ; |hFile
004012D3 |. FF15 60504000 |CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
004012D9 |. FF15 58504000 |CALL DWORD PTR DS:[<&KERNEL32.GetLastError>] ; [GetLastError
004012DF |. 85C0 |TEST EAX,EAX
004012E1 |. 75 47 |JNZ SHORT Imaginat.0040132A
004012E3 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
004012E7 |. 85C0 |TEST EAX,EAX
004012E9 |. 74 3F |JE SHORT Imaginat.0040132A
004012EB |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10] ; the 4 bytes read starting at bmp file offset 0x36 (note this is hexadecimal, i.e. decimal 54; earlier I treated it as decimal and edited the wrong position in the bitmap file), written here as AABBCCDD
004012EF |. 33D2 |XOR EDX,EDX
004012F1 |. 8BC8 |MOV ECX,EAX
004012F3 |. 8AD4 |MOV DL,AH ; DL = CC
004012F5 |. C1E9 10 |SHR ECX,10 ; shift the 4-byte value right by 0x10 (16) bits
004012F8 |. 81E2 FF000000 |AND EDX,0FF ; EDX = CC
004012FE |. 81E1 FF000000 |AND ECX,0FF ; ECX = BB
00401304 |. 03D1 |ADD EDX,ECX ; EDX = BB + CC
00401306 |. 25 FF000000 |AND EAX,0FF ; EAX = DD
0040130B |. 03D0 |ADD EDX,EAX ; EDX = BB + CC + DD
0040130D |. 52 |PUSH EDX
0040130E |. 56 |PUSH ESI
0040130F |. 68 30604000 |PUSH Imaginat.00406030 ; ASCII "%s%c"
00401314 |. 56 |PUSH ESI
00401315 |. FFD3 |CALL EBX ; USER32.wsprintfA
00401317 |. 83C4 10 |ADD ESP,10
0040131A |. 47 |INC EDI ; counter
0040131B |. 83FF 09 |CMP EDI,9 ; read 9 consecutive DWORDs starting at bmp file offset 36h
0040131E |.^ 7C A4 \JL SHORT Imaginat.004012C4
00401320 |. 8BC6 MOV EAX,ESI
00401322 |. 5F POP EDI
00401323 |. 5E POP ESI
00401324 |. 5D POP EBP
00401325 |. 5B POP EBX
00401326 |. 83C4 08 ADD ESP,8
00401329 |. C3 RETN
0040132A |> 5F POP EDI
0040132B |. 5E POP ESI
0040132C |. 5D POP EBP
0040132D |. 33C0 XOR EAX,EAX
0040132F |. 5B POP EBX
00401330 |. 83C4 08 ADD ESP,8
00401333 \. C3 RETN
}
0040151F |. 56 PUSH ESI
00401520 |. 8BF8 MOV EDI,EAX ; the computed string String1 is saved in EDI
00401522 |. E8 19FEFFFF CALL Imaginat.00401340 ; continuing from the previous file position, read another 5 DWORDs and process them the same way as above
{
00401340 /$ 83EC 08 SUB ESP,8
00401343 |. 53 PUSH EBX
00401344 |. 55 PUSH EBP
00401345 |. 56 PUSH ESI
00401346 |. 57 PUSH EDI
00401347 |. 6A 06 PUSH 6 ; /Size = 6
00401349 |. 6A 40 PUSH 40 ; |Flags = LPTR
0040134B |. C74424 18 000>MOV DWORD PTR SS:[ESP+18],2000000 ; |ASCII "RESCDIR"
00401353 |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc
00401359 |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
0040135D |. 8B1D F8504000 MOV EBX,DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
00401363 |. 8BF0 MOV ESI,EAX
00401365 |. 33FF XOR EDI,EDI
00401367 |> 8D4424 14 /LEA EAX,DWORD PTR SS:[ESP+14]
0040136B |. 6A 00 |PUSH 0 ; /pOverlapped = NULL
0040136D |. 50 |PUSH EAX ; |pBytesRead
0040136E |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18] ; |
00401372 |. 6A 04 |PUSH 4 ; |BytesToRead = 4
00401374 |. 51 |PUSH ECX ; |Buffer
00401375 |. 55 |PUSH EBP ; |hFile
00401376 |. FF15 60504000 |CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
0040137C |. FF15 58504000 |CALL DWORD PTR DS:[<&KERNEL32.GetLastError>] ; [GetLastError
00401382 |. 85C0 |TEST EAX,EAX
00401384 |. 75 47 |JNZ SHORT Imaginat.004013CD
00401386 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14] ; number of bytes actually read
0040138A |. 85C0 |TEST EAX,EAX
0040138C |. 74 3F |JE SHORT Imaginat.004013CD
0040138E |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10] ; the 4 bytes read
00401392 |. 33D2 |XOR EDX,EDX ; what follows is the same as in the previous function Imaginat.00401290
00401394 |. 8BC8 |MOV ECX,EAX
00401396 |. 8AD4 |MOV DL,AH
00401398 |. C1E9 10 |SHR ECX,10
0040139B |. 81E2 FF000000 |AND EDX,0FF
004013A1 |. 81E1 FF000000 |AND ECX,0FF
004013A7 |. 03D1 |ADD EDX,ECX
004013A9 |. 25 FF000000 |AND EAX,0FF
004013AE |. 03D0 |ADD EDX,EAX
004013B0 |. 52 |PUSH EDX
004013B1 |. 56 |PUSH ESI
004013B2 |. 68 30604000 |PUSH Imaginat.00406030 ; ASCII "%s%c"
004013B7 |. 56 |PUSH ESI
004013B8 |. FFD3 |CALL EBX ; USER32.wsprintfA
004013BA |. 83C4 10 |ADD ESP,10
004013BD |. 47 |INC EDI ; counter
004013BE |. 83FF 05 |CMP EDI,5 ; read 5 consecutive DWORDs
004013C1 |.^ 7C A4 \JL SHORT Imaginat.00401367
004013C3 |. 8BC6 MOV EAX,ESI
004013C5 |. 5F POP EDI
004013C6 |. 5E POP ESI
004013C7 |. 5D POP EBP
004013C8 |. 5B POP EBX
004013C9 |. 83C4 08 ADD ESP,8
004013CC |. C3 RETN
004013CD |> 5F POP EDI
004013CE |. 5E POP ESI
004013CF |. 5D POP EBP
004013D0 |. 33C0 XOR EAX,EAX
004013D2 |. 5B POP EBX
004013D3 |. 83C4 08 ADD ESP,8
004013D6 \. C3 RETN
}
00401527 |. 57 PUSH EDI
00401528 |. 8BE8 MOV EBP,EAX ; computed string String2
0040152A |. E8 91000000 CALL Imaginat.004015C0
{
004015C0 /$ 53 PUSH EBX
004015C1 |. 55 PUSH EBP
004015C2 |. 56 PUSH ESI
004015C3 |. 57 PUSH EDI
004015C4 |. 6A 06 PUSH 6 ; /Size = 6
004015C6 |. 6A 40 PUSH 40 ; |Flags = LPTR
004015C8 |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc
004015CE |. 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
004015D2 |. 8BF0 MOV ESI,EAX
004015D4 |. 55 PUSH EBP ; /String
004015D5 |. FF15 2C504000 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
004015DB |. 8B1D F8504000 MOV EBX,DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
004015E1 |. 33FF XOR EDI,EDI ; zero the counter
004015E3 |> 8A042F /MOV AL,BYTE PTR DS:[EDI+EBP] ; the first character of the string computed above (String1); EDI indexes the next ones on later passes
004015E6 |. 84C0 |TEST AL,AL ; jump if nonzero
004015E8 |. 75 07 |JNZ SHORT Imaginat.004015F1
004015EA |. 68 78604000 |PUSH Imaginat.00406078
004015EF |. EB 05 |JMP SHORT Imaginat.004015F6
004015F1 |> 0FBEC0 |MOVSX EAX,AL ; sign-extend into EAX
004015F4 |. 48 |DEC EAX ; EAX = EAX - 1
004015F5 |. 50 |PUSH EAX
004015F6 |> 56 |PUSH ESI
004015F7 |. 68 30604000 |PUSH Imaginat.00406030 ; ASCII "%s%c"
004015FC |. 56 |PUSH ESI
004015FD |. FFD3 |CALL EBX ; USER32.wsprintfA
004015FF |. 83C4 10 |ADD ESP,10
00401602 |. 47 |INC EDI ; counter
00401603 |. 83FF 05 |CMP EDI,5 ; process 5 consecutive bytes
00401606 |.^ 7C DB \JL SHORT Imaginat.004015E3
00401608 |. 8BC6 MOV EAX,ESI
0040160A |. 5F POP EDI
0040160B |. 5E POP ESI
0040160C |. 5D POP EBP
0040160D |. 5B POP EBX
0040160E \. C3 RETN
}
0040152F |. 83C4 0C ADD ESP,0C
00401532 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX ; computed string String3
00401536 |. 56 PUSH ESI
00401537 |. FFD3 CALL EBX
00401539 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0040153D |. 55 PUSH EBP ; /String2
0040153E |. 50 PUSH EAX ; |String3
0040153F |. FF15 20504000 CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
00401545 |. 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28]
00401549 |. 5D POP EBP
0040154A |. 85C0 TEST EAX,EAX ; if the two strings above are equal, jump; otherwise it dies
0040154C |. /74 09 JE SHORT Imaginat.00401557 ; JE can be changed to JMP here for a quick patch
0040154E |. 56 PUSH ESI
0040154F |. E8 BC000000 CALL Imaginat.00401610 ; pops up the error message box
00401554 |. 83C4 04 ADD ESP,4
00401557 |> 56 PUSH ESI ; /hWnd
00401558 |. FF15 E8504000 CALL DWORD PTR DS:[<&USER32.GetDC>] ; \GetDC
0040155E |. 8BD8 MOV EBX,EAX
00401560 |. 68 6C604000 PUSH Imaginat.0040606C ; ASCII "ohmygod.bmp"
00401565 |. 53 PUSH EBX
00401566 |. E8 85FCFFFF CALL Imaginat.004011F0
0040156B |. 83C4 08 ADD ESP,8
0040156E |. 85C0 TEST EAX,EAX
00401570 |. 75 09 JNZ SHORT Imaginat.0040157B
00401572 |. 56 PUSH ESI
00401573 |. E8 98000000 CALL Imaginat.00401610
00401578 |. 83C4 04 ADD ESP,4
0040157B |> 53 PUSH EBX ; /hDC
0040157C |. 56 PUSH ESI ; |hWnd
0040157D |. FF15 EC504000 CALL DWORD PTR DS:[<&USER32.ReleaseDC>] ; \ReleaseDC
00401583 |. 57 PUSH EDI ; /<%s>
00401584 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14] ; |
00401588 |. 68 44604000 PUSH Imaginat.00406044 ; |Format = "Congratulations %s! You registered me!"
0040158D |. 57 PUSH EDI ; |s
0040158E |. FF15 F8504000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
00401594 |. 83C4 0C ADD ESP,0C
00401597 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401599 |. 68 38604000 PUSH Imaginat.00406038 ; |Title = "Imagination"
0040159E |. 57 PUSH EDI ; |Text
0040159F |. 56 PUSH ESI ; |hOwner
004015A0 |. FF15 F0504000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
004015A6 |. 57 PUSH EDI ; /hMemory
004015A7 |. FF15 68504000 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>] ; \LocalFree
004015AD |. 5F POP EDI
004015AE |. 5E POP ESI
004015AF |. 5B POP EBX
004015B0 |. 83C4 14 ADD ESP,14
004015B3 \. C3 RETN
【Algorithm summary】:
1. First read the bitmap file ohmygod.bmp and check the data in its headers: the bitmap file size must be 0x160AA, the bitmap height must be 0x49 and the bitmap width must be 0x19C;
2. Read 9 DWORDs at bitmap file offset 0x36 and compute on them to obtain the string String1, which acts as the user name;
3. Then read another 5 DWORDs from the bitmap file with the same computation to obtain String2, which acts as the serial number; subtracting one from each of the first 5 characters of the user name gives String3;
4. Compare String2 and String3; if they are equal, registration succeeds!
Here is a bitmap file that registers successfully:
【Test result】:
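As an added example (not the author's code and not the CM's own code), here is a Python re-implementation of the header parsing from the BITMAPFILEHEADER/BITMAPINFOHEADER reference above and of the four summary steps, together with a constructed 412x73 sample bitmap that exercises it. The function names, the 32-bit truncation helper and the handling of zero characters are my reading of the listing: wsprintf's "%c" writes a 0 byte as the string terminator, so such a character simply disappears from the accumulated C string. The constant at 00406078 that the CM appends when String1 is shorter than 5 characters is not shown in the listing, so that case is reported as None rather than guessed.

```python
import struct

# Values recovered from the listing above (offsets and constants are hex there).
EXPECTED_BFSIZE = 0x160AA   # bfSize check at 004010DE
PIXEL_OFFSET = 0x36         # SetFilePointer(hFile, 0x36, ...) in sub 00401290
USERNAME_DWORDS = 9         # loop bound in sub 00401290
SERIAL_DWORDS = 5           # loop bound in sub 00401340

# Struct layouts from the Win32 Programmer's Reference excerpt: little-endian, no padding.
FILE_HEADER = struct.Struct("<2sIHHI")        # BITMAPFILEHEADER, 14 bytes
INFO_HEADER = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER, 40 bytes


def _s32(x: int) -> int:
    """Truncate to a signed 32-bit value, as the LEA/IMUL/ADD in sub 00401040 do."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def header_checks(data: bytes) -> bool:
    """Re-implementation of the header checks in sub 00401040, in the listing's order."""
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        return False                                   # second ReadFile delivers nothing
    bftype, bfsize, _res1, _res2, _bfoffbits = FILE_HEADER.unpack_from(data, 0)
    bisize, width, height, planes, bitcount, compression = \
        INFO_HEADER.unpack_from(data, FILE_HEADER.size)[:6]
    if bftype != b"BM":                                # 004010AD
        return False
    if bitcount != 0x18:                               # 004010C6
        return False
    if bfsize != EXPECTED_BFSIZE:                      # 004010DE
        return False
    if compression != 0:                               # 004010F8, BI_RGB only
        return False
    # 0040111B..0040113A: any one of the three relations is enough.
    if not (_s32(height + width) == 0x1E5
            or _s32(width - height) == 0x153
            or _s32(height * 3 * 8) == 0x6D8):
        return False
    # 0040114C..00401175: |biPlanes + biSize + 0x160AA| + |(biHeight - 0x46) * biWidth| == 0x165A7
    total = abs(_s32(planes + bisize + 0x160AA)) + abs(_s32((height - 0x46) * width))
    return _s32(total) == 0x165A7


def derive_string(pixels: bytes, count: int):
    """subs 00401290/00401340: per DWORD append chr((b0 + b1 + b2) & 0xFF) via wsprintf("%s%c").
    The top byte of each DWORD is ignored; a zero character acts as terminator and is dropped."""
    out = bytearray()
    for i in range(count):
        chunk = pixels[4 * i:4 * i + 4]
        if len(chunk) < 4:        # simplification: treat a short read as the CM's NULL return
            return None
        ch = (chunk[0] + chunk[1] + chunk[2]) & 0xFF
        if ch:
            out.append(ch)
    return bytes(out)


def expected_serial(username: bytes):
    """sub 004015C0: String3 = each of the first 5 characters of String1 minus one.
    A missing character makes the CM append the constant at 00406078, which the listing
    does not show; that case is reported as None (assumption, not the CM's behaviour)."""
    if len(username) < SERIAL_DWORDS:
        return None
    out = bytearray()
    for c in username[:SERIAL_DWORDS]:
        ch = (c - 1) & 0xFF       # MOVSX + DEC, then "%c" keeps the low byte
        if ch:                    # same terminator effect as in derive_string
            out.append(ch)
    return bytes(out)


def check_keyfile(data: bytes):
    """The whole sequence at 004014DF..0040154A.  Returns (accepted, username)."""
    if not header_checks(data):
        return False, None
    username = derive_string(data[PIXEL_OFFSET:], USERNAME_DWORDS)
    serial = derive_string(data[PIXEL_OFFSET + 4 * USERNAME_DWORDS:], SERIAL_DWORDS)
    if username is None or serial is None:
        return False, None
    expected = expected_serial(username)
    return expected is not None and serial == expected, username.decode("latin-1")


def build_sample_bitmap(username: bytes) -> bytes:
    """Constructed sample (not the author's file): a 412x73, 24-bpp, BI_RGB bitmap whose leading
    pixel bytes encode `username` the way the CM reads them.  A row is 1236 bytes, already a
    multiple of 4, so there is no row padding and bfSize comes out as exactly 0x160AA."""
    width, height = 0x19C, 0x49
    pixel_bytes = width * height * 3
    body = bytearray(pixel_bytes)
    for i, c in enumerate(username[:USERNAME_DWORDS]):
        body[4 * i] = c                                       # b1 and b2 stay 0, so the sum is c
    for i, c in enumerate(username[:SERIAL_DWORDS]):
        body[4 * USERNAME_DWORDS + 4 * i] = (c - 1) & 0xFF    # serial DWORDs follow the 9 name DWORDs
    header = FILE_HEADER.pack(b"BM", FILE_HEADER.size + INFO_HEADER.size + pixel_bytes, 0, 0, 54)
    info = INFO_HEADER.pack(40, width, height, 1, 24, 0, pixel_bytes, 0, 0, 0, 0)
    return bytes(header + info + body)


if __name__ == "__main__":
    sample = build_sample_bitmap(b"riusksk09")
    print(hex(len(sample)), check_keyfile(sample))
```

A blank image saved from Paint fails already at the bfSize comparison, which is why the header has to be edited by hand (or generated as above) before the pixel bytes matter; the builder keeps every byte of the name DWORDs except the first at zero so the three-byte sum equals the character itself.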