【Title】: Restart verification, machine-code computation and the registration-code generation algorithm
【Author】: zhlzn
【Download】: search locally
【Packer】: aspack2.12
【Protection】: packer, registration
【Language】: VC++
【Tools】: OD, PEiD
【Platform】: XP2
【Author's note】: Just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【详细过程】
I'm a newbie. This is my first cracking write-up; it covers the restart-verification logic, how the machine code is obtained, and the algorithm that produces the real registration code.
Now to the main part:
First, identify the packer: a simple one, aspack2.12, easily unpacked by hand.
Then analyse the unpacked program:
00403583 . E8 18E9FFFF call dumped_.00401EA0 ; reads the registry value and recomputes the machine code for comparison ---- step into it
××××××××××××××××××××××××××××××××××××××××××
Roughly, this block does the following: every time the program starts it opens the registry and reads a value (the key to open and the value to read are both hard-coded), saves the content, then computes the machine code and derives the real registration code from it.
This effectively means that as soon as the registry content is modified it becomes invalid, and the program has to be registered again.
00401EA0 /$ 64:A1 0000000>mov eax,dword ptr fs:[0]
00401EA6 |. 6A FF push -1
00401EA8 |. 68 60E44100 push dumped_.0041E460
00401EAD |. 50 push eax
00401EAE |. 64:8925 00000>mov dword ptr fs:[0],esp
00401EB5 |. 83EC 20 sub esp,20
00401EB8 |. 57 push edi
00401EB9 |. 8D4424 14 lea eax,dword ptr ss:[esp+14]
00401EBD |. 50 push eax ; /pHandle
00401EBE |. 68 19000200 push 20019 ; |Access = KEY_READ
00401EC3 |. 33FF xor edi,edi ; |
00401EC5 |. 57 push edi ; |Reserved => 0
00401EC6 |. 68 64F54100 push dumped_.0041F564 ; |Software\Microsoft\Internet Explorer\Main\
00401ECB |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401ED0 |. FF15 04F04100 call dword ptr ds:[<&advapi32.RegOpenKey>; \RegOpenKeyExA
00401ED6 |. 3BC7 cmp eax,edi
00401ED8 |. 74 1F je short dumped_.00401EF9 ; taken when the key opened successfully; the target reads the registry value
Which lands here:
00401EF9 |> 56 push esi
00401EFA |. 6A 50 push 50
00401EFC |. E8 870B0100 call dumped_.00412A88 ; operator new
00401F01 |. 83C4 04 add esp,4
00401F04 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00401F08 |. 51 push ecx ; /pBufSize
00401F09 |. 8BF0 mov esi,eax ; |
00401F0B |. 8B4424 1C mov eax,dword ptr ss:[esp+1C] ; |
00401F0F |. 56 push esi ; |Buffer: receives the registry value
00401F10 |. 8D5424 2C lea edx,dword ptr ss:[esp+2C] ; |
00401F14 |. 52 push edx ; |pValueType
00401F15 |. 57 push edi ; |Reserved
00401F16 |. 68 44F54100 push dumped_.0041F544 ; |cranley
00401F1B |. 50 push eax ; |hKey
00401F1C |. C74424 3C 010>mov dword ptr ss:[esp+3C],1 ; |
00401F24 |. C74424 38 500>mov dword ptr ss:[esp+38],50 ; |buffer size 0x50; read the value
00401F2C |. FF15 00F04100 call dword ptr ds:[<&advapi32.RegQueryVa>; \RegQueryValueExA
00401F32 |. 3BC7 cmp eax,edi
00401F34 |. 74 27 je short dumped_.00401F5D ; taken when the read succeeded; after reading, the key is closed
00401F5D |> 56 push esi
00401F5E |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401F62 |. E8 99FCFFFF call dumped_.00401C00 ; probably copies the buffer into a string object and checks for a NUL character
00401F67 |. 56 push esi
00401F68 |. 897C24 34 mov dword ptr ss:[esp+34],edi
00401F6C |. E8 1C0B0100 call dumped_.00412A8D ; matches the new above: free
00401F71 |. 8B5424 1C mov edx,dword ptr ss:[esp+1C]
00401F75 |. 83C4 04 add esp,4
00401F78 |. 52 push edx ; /hKey
00401F79 |. FF15 20F04100 call dword ptr ds:[<&advapi32.RegCloseKe>; \RegCloseKey closes the key
00401F7F |. 8D4424 0C lea eax,dword ptr ss:[esp+C]
00401F83 |. 50 push eax
00401F84 |. E8 D7FDFFFF call dumped_.00401D60 ; generates the machine code, analysed below
00401F89 |. 83C4 04 add esp,4
00401F8C |. 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
00401F90 |. 3979 F4 cmp dword ptr ds:[ecx-C],edi
00401F93 |. C64424 30 01 mov byte ptr ss:[esp+30],1
00401F98 |. 75 69 jnz short dumped_.00402003 ; computes the registration code from the machine code, also analysed below
Below, the computed registration code is compared with the one read from the registry:
00402200 |> 8A10 /mov dl,byte ptr ds:[eax] ; compare loop (strcmp-style)
00402202 |. 8A1E |mov bl,byte ptr ds:[esi]
00402204 |. 8ACA |mov cl,dl
00402206 |. 3AD3 |cmp dl,bl
00402208 |. 75 28 |jnz short dumped_.00402232
0040220A |. 84C9 |test cl,cl
0040220C |. 74 16 |je short dumped_.00402224
0040220E |. 8A50 01 |mov dl,byte ptr ds:[eax+1]
00402211 |. 8A5E 01 |mov bl,byte ptr ds:[esi+1]
00402214 |. 8ACA |mov cl,dl
00402216 |. 3AD3 |cmp dl,bl
00402218 |. 75 18 |jnz short dumped_.00402232
0040221A |. 83C0 02 |add eax,2
0040221D |. 83C6 02 |add esi,2
00402220 |. 84C9 |test cl,cl
00402222 |.^ 75 DC \jnz short dumped_.00402200
00402224 |> 33C0 xor eax,eax
00402226 |. EB 0F jmp short dumped_.00402237
00402228 |> 68 57000780 push 80070057
0040222D |. E8 CEEEFFFF call dumped_.00401100
00402232 |> 1BC0 sbb eax,eax
00402234 |. 83D8 FF sbb eax,-1
00402237 |> 85C0 test eax,eax
00402239 |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
0040223D |. 0F94C3 sete bl
00402240 |. 83C0 F0 add eax,-10
00402243 |. 83CE FF or esi,FFFFFFFF
00402246 |. 8D48 0C lea ecx,dword ptr ds:[eax+C]
00402249 |. 8BD6 mov edx,esi
0040224B |. F0:0FC111 lock xadd dword ptr ds:[ecx],edx
0040224F |. 4A dec edx
00402250 |. 85D2 test edx,edx
00402252 |. 7F 08 jg short dumped_.0040225C
00402254 |. 8B08 mov ecx,dword ptr ds:[eax]
00402256 |. 8B11 mov edx,dword ptr ds:[ecx]
00402258 |. 50 push eax
00402259 |. FF52 04 call dword ptr ds:[edx+4]
0040225C |> 8D45 F0 lea eax,[local.4]
0040225F |. 8BD6 mov edx,esi
00402261 |. C64424 38 01 mov byte ptr ss:[esp+38],1
00402266 |. 8D48 0C lea ecx,dword ptr ds:[eax+C]
00402269 |. F0:0FC111 lock xadd dword ptr ds:[ecx],edx
0040226D |. 4A dec edx
0040226E |. 84DB test bl,bl
00402270 |. 74 62 je short dumped_.004022D4 ; not equal -> jump; if equal the main window opens directly and the registration dialog never appears
××××××××××××××××××××××××××××××××××××××××××
00403588 . 84C0 test al,al
0040358A . 74 0B je short dumped_.00403597
0040358C . 881D A0894200 mov byte ptr ds:[4289A0],bl
00403592 . E9 26010000 jmp dumped_.004036BD
00403597 > 8D5424 10 lea edx,dword ptr ss:[esp+10]
0040359B . 52 push edx
0040359C . E8 BFE7FFFF call dumped_.00401D60 ; get the machine code
××××××××××××××××××××××××××××××××××××××××××××××××××××××××××
The machine code is obtained from the volume information:
00401D60 /$ 6A FF push -1
00401D62 |. 68 33E44100 push dumped_.0041E433 ; SE handler installation
00401D67 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00401D6D |. 50 push eax
00401D6E |. 64:8925 00000>mov dword ptr fs:[0],esp
00401D75 |. 81EC 10010000 sub esp,110
00401D7B |. A1 B07A4200 mov eax,dword ptr ds:[427AB0]
00401D80 |. 56 push esi
00401D81 |. 33F6 xor esi,esi
00401D83 |. 56 push esi ; /pFileSystemNameSize => NULL
00401D84 |. 56 push esi ; |pFileSystemNameBuffer => NULL
00401D85 |. 56 push esi ; |pFileSystemFlags => NULL
00401D86 |. 56 push esi ; |pMaxFilenameLength => NULL
00401D87 |. 898424 200100>mov dword ptr ss:[esp+120],eax ; |
00401D8E |. 8D4424 18 lea eax,dword ptr ss:[esp+18] ; |
00401D92 |. 50 push eax ; |key: pVolumeSerialNumber
00401D93 |. 68 04010000 push 104 ; |MaxVolumeNameSize = 104 (260.)
00401D98 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24] ; |
00401D9C |. 51 push ecx ; |VolumeNameBuffer
00401D9D |. 897424 20 mov dword ptr ss:[esp+20],esi ; |
00401DA1 |. 68 18F54100 push dumped_.0041F518 ; |C:\
00401DA6 |. 897424 28 mov dword ptr ss:[esp+28],esi ; |
00401DAA |. FF15 7CF24100 call dword ptr ds:[<&kernel32.GetVolumeI>; \GetVolumeInformationA
00401DB0 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
00401DB4 |. 3BC6 cmp eax,esi
00401DB6 |. 75 26 jnz short dumped_.00401DDE ; this jump was taken on my machine, so go straight to the target; the code below it is not of much use (apart from the registration algorithm, of course)
Processing of the volume serial number:
00401DDE |> 8BC8 mov ecx,eax
00401DE0 |. 53 push ebx
00401DE1 |. C1E9 08 shr ecx,8
00401DE4 |. 0FB6F0 movzx esi,al
00401DE7 |. 8BD0 mov edx,eax
00401DE9 |. 8BD8 mov ebx,eax
00401DEB |. C1E6 08 shl esi,8
00401DEE |. 0FB6C1 movzx eax,cl
00401DF1 |. C1EA 10 shr edx,10
00401DF4 |. 03F0 add esi,eax
00401DF6 |. 0FB6CA movzx ecx,dl
00401DF9 |. C1E6 08 shl esi,8
00401DFC |. C1EB 18 shr ebx,18
00401DFF |. 03F1 add esi,ecx
00401E01 |. 0FB6D3 movzx edx,bl
00401E04 |. C1E6 08 shl esi,8
00401E07 |. 57 push edi
00401E08 |. 03F2 add esi,edx ; done
The operation above is actually simple: it reverses the byte order. On my machine the serial is AC5B5AEF; reversed it becomes EF5A5BAC, and that number printed in octal is the machine code.
00401E0A |. E8 790B0100 call dumped_.00412988
00401E0F |. 8B10 mov edx,dword ptr ds:[eax]
00401E11 |. 8BC8 mov ecx,eax
00401E13 |. FF52 0C call dword ptr ds:[edx+C]
00401E16 |. 83C0 10 add eax,10
00401E19 |. 894424 0C mov dword ptr ss:[esp+C],eax
00401E1D |. 56 push esi
00401E1E |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
00401E22 |. 68 14F54100 push dumped_.0041F514 ; %o -- seeing this, any ideas? heh
00401E27 |. 50 push eax
00401E28 |. C78424 300100>mov dword ptr ss:[esp+130],1
00401E33 |. E8 88FBFFFF call dumped_.004019C0 ; printed in octal, giving the machine code
00401E38 |. 8B7424 18 mov esi,dword ptr ss:[esp+18]
00401E3C |. 83C6 F0 add esi,-10
00401E3F |. 56 push esi
00401E40 |. E8 6BF5FFFF call dumped_.004013B0
Machine-code derivation:
eax = AC5B5AEF
ecx = eax >> 8 = AC5B5A
low byte of eax -> esi = EF
eax -> ebx, edx = AC5B5AEF
esi << 8 = EF00
low byte of ecx -> eax = 5A
edx >> 16 = AC5B
esi + eax = EF5A
low byte of edx -> ecx = 5B
esi << 8 = EF5A00
ebx >> 24 = AC
esi + ecx = EF5A5B
low byte of ebx -> edx = AC
esi << 8 = EF5A5B00
esi + edx = EF5A5BAC
Printing this in octal gives the machine code.
So the machine code is derived from the C:\ volume serial number: the byte order is reversed, and the result printed in octal is the machine code!!
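As an added example (not code from the article), the same derivation in Python: the four bytes of the 32-bit volume serial are reversed and the result is formatted with %o. The second function repeats the shift/add steps of the listing register by register so the two can be cross-checked. The serial AC5B5AEF is the one the article reports; 0000001F is a constructed value showing that the machine code is not always 11 digits, because a small low byte of the serial becomes the high byte after the swap. The Windows helper at the end is an assumption about how a practitioner would fetch their own serial; it is only called on demand.

```python
def machine_code(volume_serial: int) -> str:
    """Machine code as computed at 00401DDE-00401E38: byte-swap the
    32-bit volume serial number, then print it in octal ("%o")."""
    if not 0 <= volume_serial <= 0xFFFFFFFF:
        raise ValueError("volume serial must fit in 32 bits")
    swapped = int.from_bytes(volume_serial.to_bytes(4, "little"), "big")
    return format(swapped, "o")


def machine_code_step_by_step(volume_serial: int) -> str:
    """Same result, following the register-level steps of the listing:
    esi accumulates the bytes of eax from the lowest to the highest."""
    eax = volume_serial & 0xFFFFFFFF
    esi = eax & 0xFF                                 # movzx esi, al
    esi = (esi << 8) + ((eax >> 8) & 0xFF)           # shr ecx,8 ; movzx eax,cl ; add esi,eax
    esi = (esi << 8) + ((eax >> 16) & 0xFF)          # shr edx,10 ; movzx ecx,dl ; add esi,ecx
    esi = (esi << 8) + ((eax >> 24) & 0xFF)          # shr ebx,18 ; movzx edx,bl ; add esi,edx
    return "%o" % esi


def volume_serial_windows(root: str = "C:\\") -> int:
    """Read the serial the program reads (GetVolumeInformationA on C:\\).
    Assumed helper; works only on Windows, which is why it is optional."""
    import ctypes
    serial = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


if __name__ == "__main__":
    # first serial from the article, second one constructed (10 octal digits)
    for serial in (0xAC5B5AEF, 0x0000001F):
        print("%08X -> %s" % (serial, machine_code(serial)))
```

The length of the machine code therefore depends on the serial (10 digits whenever the low byte of the serial is below 0x40), which matters for the registration algorithm later: its per-position offsets are counted from the end of the string, not from the start.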
××××××××××××××××××××××××××××××××××××××××××××××××××××××××××
004035A1 . 83C4 04 add esp,4
004035A4 . 8B4424 10 mov eax,dword ptr ss:[esp+10]
004035A8 . 8B48 F4 mov ecx,dword ptr ds:[eax-C]
004035AB . 85C9 test ecx,ecx
004035AD . 899C24 980000>mov dword ptr ss:[esp+98],ebx
004035B4 . 75 43 jnz short dumped_.004035F9 ; jumps to the code below
004035F9 > 56 push esi
004035FA . 51 push ecx
004035FB . 83C0 F0 add eax,-10
004035FE . 896424 1C mov dword ptr ss:[esp+1C],esp
00403602 . 8BFC mov edi,esp
00403604 . 50 push eax
00403605 . E8 A6DDFFFF call dumped_.004013B0
0040360A . 83C0 10 add eax,10
0040360D . 83C4 04 add esp,4
00403610 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00403614 . 8907 mov dword ptr ds:[edi],eax
00403616 . E8 45F7FFFF call dumped_.00402D60
0040361B . C68424 980000>mov byte ptr ss:[esp+98],2
00403623 > 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00403627 . E8 DAFB0000 call dumped_.00413206 ; shows the registration dialog and gets the entered (fake) code
0040362C . 3BC3 cmp eax,ebx
0040362E . 75 54 jnz short dumped_.00403684
00403630 . 8B8424 8C0000>mov eax,dword ptr ss:[esp+8C]
00403637 . 51 push ecx
00403638 . 83C0 F0 add eax,-10
0040363B . 896424 18 mov dword ptr ss:[esp+18],esp
0040363F . 8BFC mov edi,esp
00403641 . 50 push eax
00403642 . E8 69DDFFFF call dumped_.004013B0
00403647 . 83C0 10 add eax,10
0040364A . 83C4 04 add esp,4
0040364D . 8907 mov dword ptr ds:[edi],eax
0040364F . E8 ECECFFFF call dumped_.00402340 ; key call, step in! This is the algorithm
×××××××××××××××××××××××××××××××××××××××××××××××××××××××
00402340 /$ 6A FF push -1
00402342 |. 68 A0E44100 push dumped_.0041E4A0 ; SE handler installation
00402347 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
0040234D |. 50 push eax
0040234E |. 64:8925 00000>mov dword ptr fs:[0],esp
00402355 |. 83EC 18 sub esp,18
00402358 |. 55 push ebp
00402359 |. 33ED xor ebp,ebp
0040235B |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040235F |. 896C24 24 mov dword ptr ss:[esp+24],ebp
00402363 |. E8 08F8FFFF call dumped_.00401B70 ; some processing of the registration name
00402368 |. 8BC8 mov ecx,eax
0040236A |. E8 51F3FFFF call dumped_.004016C0
0040236F |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
00402373 |. 50 push eax
00402374 |. E8 E7F9FFFF call dumped_.00401D60
00402379 |. 83C4 04 add esp,4
0040237C |. 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
00402380 |. 3969 F4 cmp dword ptr ds:[ecx-C],ebp
00402383 |. C64424 24 01 mov byte ptr ss:[esp+24],1
00402388 |. 75 68 jnz short dumped_.004023F2
004023F2 |> 53 push ebx
004023F3 |. 56 push esi
004023F4 |. 57 push edi
004023F5 |. E8 8E050100 call dumped_.00412988
004023FA |. 8B10 mov edx,dword ptr ds:[eax]
004023FC |. 8BC8 mov ecx,eax
004023FE |. FF52 0C call dword ptr ds:[edx+C]
00402401 |. 8D78 10 lea edi,dword ptr ds:[eax+10]
00402404 |. 897C24 18 mov dword ptr ss:[esp+18],edi
00402408 |. 8B5424 14 mov edx,dword ptr ss:[esp+14]
0040240C |. 8B42 F4 |mov eax,dword ptr ds:[edx-C] ; length of the machine code string (11 on my machine)
0040240F |. 3BC5 |cmp eax,ebp ; loop only if the length is > 0
00402411 |. C64424 30 02 mov byte ptr ss:[esp+30],2
00402416 |. 0F8E E3010000 jle dumped_.004025FF
0040241C |. 8D6424 00 lea esp,dword ptr ss:[esp]
00402420 |> 85ED /test ebp,ebp
00402422 |. 0F8C 05020000 |jl dumped_.0040262D
00402428 |. 3BE8 |cmp ebp,eax ; bounds check: index must not exceed the length
0040242A |. 0F8F FD010000 |jg dumped_.0040262D
00402430 |. 8A0C2A |mov cl,byte ptr ds:[edx+ebp] ; fetch one character of the machine code; ebp is the loop counter
00402433 |. 884C24 13 |mov byte ptr ss:[esp+13],cl
00402437 |. 8D48 FF |lea ecx,dword ptr ds:[eax-1]
0040243A |. 3BE9 |cmp ebp,ecx ; is this the last character (index == length-1)? If so, the "next" character is the first one
0040243C |. 75 0C |jnz short dumped_.0040244A
0040243E |. 85C0 |test eax,eax
00402440 |. 0F8C E7010000 |jl dumped_.0040262D
00402446 |. 8A1A |mov bl,byte ptr ds:[edx]
00402448 |. EB 16 |jmp short dumped_.00402460
0040244A |> 8D4D 01 |lea ecx,dword ptr ss:[ebp+1] ; ebp+1 -> ecx, the index of the next character
0040244D |. 85C9 |test ecx,ecx
0040244F |. 0F8C D8010000 |jl dumped_.0040262D
00402455 |. 3BC8 |cmp ecx,eax ; bounds check again
00402457 |. 0F8F D0010000 |jg dumped_.0040262D
0040245D |. 8A1C11 |mov bl,byte ptr ds:[ecx+edx]
00402460 |> E8 23050100 |call dumped_.00412988
00402465 |. 8B10 |mov edx,dword ptr ds:[eax]
00402467 |. 8BC8 |mov ecx,eax
00402469 |. FF52 0C |call dword ptr ds:[edx+C]
0040246C |. 83C0 10 |add eax,10
0040246F |. 894424 1C |mov dword ptr ss:[esp+1C],eax
00402473 |. 0FBE4424 13 |movsx eax,byte ptr ss:[esp+13]
00402478 |. 50 |push eax
00402479 |. 8D4C24 20 |lea ecx,dword ptr ss:[esp+20]
0040247D |. 68 28F54100 |push dumped_.0041F528 ; %d
00402482 |. 51 |push ecx
00402483 |. C64424 3C 03 |mov byte ptr ss:[esp+3C],3
00402488 |. E8 33F5FFFF |call dumped_.004019C0 ; sprintf("%d", ch): the character's ASCII value as a decimal string, e.g. '3' -> "51"
0040248D |. 8B5424 28 |mov edx,dword ptr ss:[esp+28]
00402491 |. 52 |push edx
00402492 |. E8 373C0000 |call dumped_.004060CE
00402497 |. 8BF0 |mov esi,eax
00402499 |. 0FBEC3 |movsx eax,bl
0040249C |. 50 |push eax
0040249D |. 8D4C24 30 |lea ecx,dword ptr ss:[esp+30]
004024A1 |. 68 28F54100 |push dumped_.0041F528 ; %d
004024A6 |. 51 |push ecx
004024A7 |. E8 14F5FFFF |call dumped_.004019C0 ; same conversion for the next character
004024AC |. 8B5424 38 |mov edx,dword ptr ss:[esp+38]
004024B0 |. 52 |push edx
004024B1 |. E8 183C0000 |call dumped_.004060CE ; atoi: back to an integer, so the net effect is just the ASCII value
004024B6 |. 0FAFC0 |imul eax,eax ; square the next character's ASCII value
004024B9 |. 8BCE |mov ecx,esi ; esi holds the current character's ASCII value
004024BB |. 0FAFCE |imul ecx,esi ; square it
004024BE |. 03C1 |add eax,ecx ; sum of the two squares
004024C0 |. 99 |cdq ; sign-extend eax into edx (zero here)
004024C1 |. B9 1A000000 |mov ecx,1A ; 1A = 26 decimal
004024C6 |. F7F9 |idiv ecx ; eax / ecx: quotient in eax, remainder in edx
004024C8 |. 8B4424 34 |mov eax,dword ptr ss:[esp+34]
004024CC |. 8B40 F4 |mov eax,dword ptr ds:[eax-C]
004024CF |. 8D48 FF |lea ecx,dword ptr ds:[eax-1]
004024D2 |. 83C4 20 |add esp,20
004024D5 |. 83C2 41 |add edx,41 ; remainder + 0x41 ('A')
004024D8 |. 3BE9 |cmp ebp,ecx ; is this the last position (the 11th digit of an 11-digit code)?
004024DA |. 8ADA |mov bl,dl
004024DC |. 75 12 |jnz short dumped_.004024F0
004024DE |. 0FBECA |movsx ecx,dl
004024E1 |. 41 |inc ecx ; +1
004024E2 |. 83F9 5A |cmp ecx,5A ; greater than 5A ('Z')? then the offset is not applied
004024E5 |. 7F 09 |jg short dumped_.004024F0
004024E7 |. 83F9 41 |cmp ecx,41 ; less than 'A'? The same pattern repeats below
004024EA |. 0F8D 96000000 |jge dumped_.00402586
004024F0 |> 8D48 FE |lea ecx,dword ptr ds:[eax-2]
004024F3 |. 3BE9 |cmp ebp,ecx ; second-to-last position (10th of 11)?
004024F5 |. 75 15 |jnz short dumped_.0040250C
004024F7 |. 0FBECA |movsx ecx,dl
004024FA |. 83C1 09 |add ecx,9 ; +9
004024FD |. 83F9 5A |cmp ecx,5A
00402500 |. 7F 0A |jg short dumped_.0040250C
00402502 |. 83F9 41 |cmp ecx,41
00402505 |. 7C 05 |jl short dumped_.0040250C
00402507 |. 80C2 09 |add dl,9
0040250A |. EB 7C |jmp short dumped_.00402588
0040250C |> 8D48 FD |lea ecx,dword ptr ds:[eax-3]
0040250F |. 3BE9 |cmp ebp,ecx ; 9th of 11?
00402511 |. 75 15 |jnz short dumped_.00402528
00402513 |. 0FBECA |movsx ecx,dl
00402516 |. 83C1 08 |add ecx,8
00402519 |. 83F9 5A |cmp ecx,5A
0040251C |. 7F 0A |jg short dumped_.00402528
0040251E |. 83F9 41 |cmp ecx,41
00402521 |. 7C 05 |jl short dumped_.00402528
00402523 |. 80C2 08 |add dl,8
00402526 |. EB 60 |jmp short dumped_.00402588
00402528 |> 8D48 FC |lea ecx,dword ptr ds:[eax-4]
0040252B |. 3BE9 |cmp ebp,ecx ; 8th of 11?
0040252D |. 75 15 |jnz short dumped_.00402544
0040252F |. 0FBECA |movsx ecx,dl
00402532 |. 83C1 05 |add ecx,5
00402535 |. 83F9 5A |cmp ecx,5A
00402538 |. 7F 0A |jg short dumped_.00402544
0040253A |. 83F9 41 |cmp ecx,41
0040253D |. 7C 05 |jl short dumped_.00402544
0040253F |. 80C2 05 |add dl,5
00402542 |. EB 44 |jmp short dumped_.00402588
00402544 |> 8D48 FB |lea ecx,dword ptr ds:[eax-5]
00402547 |. 3BE9 |cmp ebp,ecx ; 7th of 11? (range check only, nothing is added)
00402549 |. 75 0A |jnz short dumped_.00402555
0040254B |. 80FA 5A |cmp dl,5A
0040254E |. 7F 05 |jg short dumped_.00402555
00402550 |. 80FA 41 |cmp dl,41
00402553 |. 7D 35 |jge short dumped_.0040258A
00402555 |> 8D48 FA |lea ecx,dword ptr ds:[eax-6]
00402558 |. 3BE9 |cmp ebp,ecx ; 6th of 11?
0040255A |. 75 15 |jnz short dumped_.00402571
0040255C |. 0FBECA |movsx ecx,dl
0040255F |. 83C1 02 |add ecx,2
00402562 |. 83F9 5A |cmp ecx,5A
00402565 |. 7F 0A |jg short dumped_.00402571
00402567 |. 83F9 41 |cmp ecx,41
0040256A |. 7C 05 |jl short dumped_.00402571
0040256C |. 80C2 02 |add dl,2
0040256F |. EB 17 |jmp short dumped_.00402588
00402571 |> 83C0 F9 |add eax,-7
00402574 |. 3BE8 |cmp ebp,eax ; 5th of 11?
00402576 |. 75 12 |jnz short dumped_.0040258A
00402578 |. 0FBEC2 |movsx eax,dl
0040257B |. 40 |inc eax
0040257C |. 83F8 5A |cmp eax,5A
0040257F |. 7F 09 |jg short dumped_.0040258A
00402581 |. 83F8 41 |cmp eax,41
00402584 |. 7C 04 |jl short dumped_.0040258A
00402586 |> FEC2 |inc dl
00402588 |> 8ADA |mov bl,dl
0040258A |> 8B5424 18 |mov edx,dword ptr ss:[esp+18]
0040258E |. 8B42 FC |mov eax,dword ptr ds:[edx-4]
00402591 |. 8B7A F4 |mov edi,dword ptr ds:[edx-C]
00402594 |. B9 01000000 |mov ecx,1
00402599 |. 2BC8 |sub ecx,eax
0040259B |. 8B42 F8 |mov eax,dword ptr ds:[edx-8]
0040259E |. 8D77 01 |lea esi,dword ptr ds:[edi+1]
004025A1 |. 2BC6 |sub eax,esi
004025A3 |. 0BC1 |or eax,ecx
004025A5 |. 7D 0E |jge short dumped_.004025B5
004025A7 |. 56 |push esi
004025A8 |. 8D4C24 1C |lea ecx,dword ptr ss:[esp+1C]
004025AC |. E8 AFEDFFFF |call dumped_.00401360
004025B1 |. 8B5424 18 |mov edx,dword ptr ss:[esp+18]
004025B5 |> 85F6 |test esi,esi
004025B7 |. 881C17 |mov byte ptr ds:[edi+edx],bl
004025BA |. 7C 71 |jl short dumped_.0040262D
004025BC |. 3B72 F8 |cmp esi,dword ptr ds:[edx-8]
004025BF |. 7F 6C |jg short dumped_.0040262D
004025C1 |. 8B4424 1C |mov eax,dword ptr ss:[esp+1C]
004025C5 |. 8972 F4 |mov dword ptr ds:[edx-C],esi
004025C8 |. 83C0 F0 |add eax,-10
004025CB |. C60416 00 |mov byte ptr ds:[esi+edx],0
004025CF |. C64424 30 02 |mov byte ptr ss:[esp+30],2
004025D4 |. 8D50 0C |lea edx,dword ptr ds:[eax+C]
004025D7 |. 83C9 FF |or ecx,FFFFFFFF
004025DA |. F0:0FC10A |lock xadd dword ptr ds:[edx],ecx
004025DE |. 49 |dec ecx
004025DF |. 85C9 |test ecx,ecx
004025E1 |. 7F 08 |jg short dumped_.004025EB
004025E3 |. 8B08 |mov ecx,dword ptr ds:[eax]
004025E5 |. 8B11 |mov edx,dword ptr ds:[ecx]
004025E7 |. 50 |push eax
004025E8 |. FF52 04 |call dword ptr ds:[edx+4]
004025EB |> 8B5424 14 |mov edx,dword ptr ss:[esp+14]
004025EF |. 8B42 F4 |mov eax,dword ptr ds:[edx-C]
004025F2 |. 45 |inc ebp ; counter + 1
004025F3 |. 3BE8 |cmp ebp,eax
004025F5 |.^ 0F8C 25FEFFFF \jl dumped_.00402420
From the above, the algorithm is:
each registration-code character = ((ASCII value of the machine-code character at that position)^2 + (ASCII value of the next machine-code character)^2) % 0x1A + 0x41, where the last character pairs with the first one.
In addition!!
Positions counted from the end get an extra offset, which for an 11-digit machine code means:
5th +1 // index len-7
6th +2 // index len-6
8th +5 // index len-4
9th +8 // index len-3
10th +9 // index len-2
11th +1 // index len-1
The offset is only applied when the result still lies within 'A'..'Z'; otherwise the character is left unchanged.
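As an added example, not the author's or the program's code, the rule above as a Python keygen, including the wrap-around (the last machine-code character pairs with the first), the end-relative offsets and the 'Z' clamp. The "%d" / atoi round trip in the listing only yields the character's ASCII value, so ord() stands in for it. The 11-digit machine code 35726455654 is what the article's serial AC5B5AEF produces; 3700000001 is a constructed string chosen so that the +9 at the second-to-last position would pass 'Z' and is therefore skipped.

```python
# Extra offset applied to a character, keyed by its distance from the end of
# the machine code (1 = last character).  Taken from the comparison chain at
# 004024D8-00402584; distance 5 has a range check but adds nothing.
END_OFFSETS = {1: 1, 2: 9, 3: 8, 4: 5, 6: 2, 7: 1}


def reg_code(machine: str) -> str:
    """Registration code for a machine-code string (loop at 00402420)."""
    if not machine:
        raise ValueError("empty machine code")
    n = len(machine)
    out = []
    for i, ch in enumerate(machine):
        cur = ord(ch)                        # sprintf("%d", ch) + atoi == ord(ch)
        nxt = ord(machine[(i + 1) % n])      # last position wraps to the first
        code = 0x41 + (cur * cur + nxt * nxt) % 0x1A
        bump = END_OFFSETS.get(n - i, 0)
        if bump and code + bump <= ord("Z"):  # skipped when it would pass 'Z'
            code += bump
        out.append(chr(code))
    return "".join(out)


def check(machine: str, entered: str) -> bool:
    """The comparison at 00402605: exact, case-sensitive match."""
    return entered == reg_code(machine)


if __name__ == "__main__":
    # first machine code from the article's serial, second one constructed
    for m in ("35726455654", "3700000001"):
        print(m, "->", reg_code(m))
```

Because the offsets are keyed by distance from the end, the same function serves machine codes of any length; a 10-digit code simply gets its offsets one position earlier than the 5th..11th mapping listed above.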
004025FB |. 8B7C24 18 mov edi,dword ptr ss:[esp+18] ; compare the entered registration code with the one computed from the machine code
004025FF |> 8B7424 38 mov esi,dword ptr ss:[esp+38]
00402603 |. 8BC7 mov eax,edi
00402605 |> 8A10 /mov dl,byte ptr ds:[eax]
00402607 |. 8A1E |mov bl,byte ptr ds:[esi]
00402609 |. 8ACA |mov cl,dl
0040260B |. 3AD3 |cmp dl,bl
0040260D |. 75 28 |jnz short dumped_.00402637
0040260F |. 84C9 |test cl,cl
00402611 |. 74 16 |je short dumped_.00402629
00402613 |. 8A50 01 |mov dl,byte ptr ds:[eax+1]
00402616 |. 8A5E 01 |mov bl,byte ptr ds:[esi+1]
00402619 |. 8ACA |mov cl,dl
0040261B |. 3AD3 |cmp dl,bl
0040261D |. 75 18 |jnz short dumped_.00402637
0040261F |. 83C0 02 |add eax,2
00402622 |. 83C6 02 |add esi,2
00402625 |. 84C9 |test cl,cl
00402627 |.^ 75 DC \jnz short dumped_.00402605
00402629 |> 33C0 xor eax,eax
0040262B |. EB 0F jmp short dumped_.0040263C
0040262D |> 68 57000780 push 80070057
00402632 |. E8 C9EAFFFF call dumped_.00401100
00402637 |> 1BC0 sbb eax,eax
00402639 |. 83D8 FF sbb eax,-1
0040263C |> 85C0 test eax,eax
0040263E |. 0F85 A0000000 jnz dumped_.004026E4
Once the comparison succeeds, the value is written to the registry.
00402644 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
00402648 |. 50 push eax
00402649 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040264D |. 68 1CF54100 push dumped_.0041F51C ; HOMESOME
00402652 |. 51 push ecx
00402653 |. E8 48F4FFFF call dumped_.00401AA0 ; string concatenation
00402658 |. 83C4 0C add esp,0C
0040265B |. B3 04 mov bl,4
0040265D |. 68 C0F54100 push dumped_.0041F5C0 ; Software\Microsoft\Internet Explorer\Main
00402662 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00402666 |. 885C24 34 mov byte ptr ss:[esp+34],bl
0040266A |. E8 41F6FFFF call dumped_.00401CB0
0040266F |. 8B4424 20 mov eax,dword ptr ss:[esp+20]
00402673 |. 8D5424 24 lea edx,dword ptr ss:[esp+24]
00402677 |. 52 push edx ; /pHandle
00402678 |. 50 push eax ; |Subkey
00402679 |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
0040267E |. C64424 3C 05 mov byte ptr ss:[esp+3C],5 ; |
00402683 |. FF15 0CF04100 call dword ptr ds:[<&advapi32.RegOpenKey>; \RegOpenKeyA
00402689 |. 85C0 test eax,eax
0040268B |. 0F84 D0000000 je dumped_.00402761
00402761 |> \8B7424 1C mov esi,dword ptr ss:[esp+1C]
00402765 |. 837E FC 01 cmp dword ptr ds:[esi-4],1
00402769 |. 8B7E F4 mov edi,dword ptr ds:[esi-C]
0040276C |. 7E 10 jle short dumped_.0040277E
0040276E |. 8BC7 mov eax,edi
00402770 |. 50 push eax
00402771 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00402775 |. E8 A6EAFFFF call dumped_.00401220
0040277A |. 8B7424 1C mov esi,dword ptr ss:[esp+1C]
0040277E |> 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00402782 |. 57 push edi ; /BufSize
00402783 |. 56 push esi ; |Buffer
00402784 |. 6A 01 push 1 ; |ValueType = REG_SZ
00402786 |. 6A 00 push 0 ; |Reserved = 0
00402788 |. 68 44F54100 push dumped_.0041F544 ; |cranley
0040278D |. 51 push ecx ; |hKey
0040278E |. FF15 08F04100 call dword ptr ds:[<&advapi32.RegSetValu>; \RegSetValueExA
00402794 |. 85C0 test eax,eax
00402796 |. 74 66 je short dumped_.004027FE
004027FE |> \8B4424 24 mov eax,dword ptr ss:[esp+24]
00402802 |. 50 push eax ; /hKey
00402803 |. FF15 20F04100 call dword ptr ds:[<&advapi32.RegCloseKe>; \RegCloseKey
Clearly: open, write, close the registry key.
××××××××××××××××××××××××××××××××××××××××××××××××××××××××
00403654 . 83C4 04 add esp,4
00403657 . 84C0 test al,al
00403659 . 6A 00 push 0
0040365B . 8BCE mov ecx,esi
0040365D . 6A 00 push 0
0040365F . 75 13 jnz short dumped_.00403674 ; from this jump you can tell that the call above is the key one, i.e. the algorithm
00403661 . 68 C8FC4100 push dumped_.0041FCC8 ; "incorrect registration code"
00403666 . E8 9B0A0100 call dumped_.00414106
0040366B . C605 A0894200>mov byte ptr ds:[4289A0],0
00403672 .^ EB AF jmp short dumped_.00403623
00403674 > 68 BCFC4100 push dumped_.0041FCBC ; "registration successful"
00403679 . E8 880A0100 call dumped_.00414106
--------------------------------------------------------------------------------
【Copyright】: This article was written by zhlzn; when reposting, please credit the author and keep the article intact. Thanks!