Task Lock.EXE的分析
工具:softice、ida pro
目标程序下载:http://www.pediy.com/tutorial/chap3/Chap3-4.htm
版权:一篇烂文章,你爱转就哪转哪。但千万不要贴到黄色网站去,那太没意思了。
注册码分析:
一开始用bpx messageboxa跟踪,从断点处一直往上找,没看到注册码比较的语句。下面是messageboxa所在的call的代码:
:u eip l 50
001B:004115D5 RET 000C //从下一句(004115D8)到最后一句(0041161F),应该是同一个call吧?
001B:004115D8 MOV EAX,0041F7A8 //这几句是什么意思?每次都不执行到这里。花指令?
001B:004115DD JMP 00403B2A //这几句是什么意思?每次都不执行到这里。花指令?
001B:004115E2 LEA ECX,[EBP-1C] //这几句是什么意思?每次都不执行到这里。花指令?
001B:004115E5 JMP 0040E555 //这几句是什么意思?每次都不执行到这里。花指令?
001B:004115EA PUSH ESI //保存现场
001B:004115EB PUSH EDI //保存现场
001B:004115EC MOV ESI,ECX //esi=ecx ecx应该是句柄
001B:004115EE MOV EDI,[ESP+10] //messagebox的标题 Windows Task Lock
001B:004115F2 TEST EDI,EDI //测试edi是否为空
001B:004115F4 JNZ 004115FC //不为空就跳到004115FC
001B:004115F6 MOV EDI,[0041BDB4] //为空就重新赋值为"Task Lock"
001B:004115FC CALL 00419727 //里面调用了getlasterror和setlasterror
001B:00411601 MOV ECX,00000000 //ecx=0
001B:00411606 TEST ESI,ESI //esi==0?实际上是ecx==0。请注意004115EC处的语句
001B:00411608 JZ 0041160D
001B:0041160A MOV ECX,[ESI+1C] //ecx 重新赋值
001B:0041160D PUSH DWORD PTR [ESP+14]//图标
001B:00411611 PUSH EDI //标题
001B:00411612 PUSH DWORD PTR [ESP+14]//内容
001B:00411616 PUSH ECX //句柄
001B:00411617 CALL [USER32!MessageBoxA]
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
Return Values
The return value is zero if there is not enough memory to create the message box.
If the function succeeds, the return value is one of the following menu-item values returned by the dialog box:
Value Meaning
IDABORT Abort button was selected.
IDCANCEL Cancel button was selected.
IDIGNORE Ignore button was selected.
IDNO No button was selected.
IDOK OK button was selected.
IDRETRY Retry button was selected.
IDYES Yes button was selected.
001B:0041161D POP EDI
001B:0041161E POP ESI
001B:0041161F RET 000C //光标到这里时,按F10就回到调用此call的地方了,
//我们把这个call命名为DispErr_call
看来,这只是一个显示错误的call。单步跟踪到ret语句,返回调用此call的地方。ok,我们把调用DispErr_call的call的代码抓下来:
给它起个名字吧:OKBtnClick_call。为什么叫着OKBtnClick呢?因为我在下面的代码中看到GetDlgItemTextA了,所以猜测是OK按钮的click事
件代码。
:u eip l 500
001B:00402AF8 PUSH EBP
001B:00402AF9 MOV EBP,ESP
001B:00402AFB SUB ESP,0000009C
001B:00402B01 PUSH ESI
001B:00402B02 LEA EAX,[EBP-34]
001B:00402B05 PUSH EDI
001B:00402B06 MOV ESI,ECX
001B:00402B08 PUSH 32
001B:00402B0A PUSH EAX
001B:00402B0B PUSH 000003F4
001B:00402B10 PUSH DWORD PTR [ESI+1C]
001B:00402B13 CALL [USER32!GetDlgItemTextA] //读取用户输放的注册码
UINT GetDlgItemText(
HWND hDlg, // handle of dialog box
int nIDDlgItem, // identifier of control
LPTSTR lpString, // address of buffer for text
int nMaxCount // maximum size of string
);
001B:00402B19 LEA ECX,[EBP-009C]
001B:00402B1F PUSH ECX
001B:00402B20 CALL 00401CBB //取出第一个注册码,放在EBP-009C
001B:00402B25 ADD ESP,04
001B:00402B28 LEA EAX,[EBP-68]
001B:00402B2B LEA EDI,[ESI+44] //上一次存盘的注册码放到edi
001B:00402B2E PUSH EAX
001B:00402B2F CALL 00401B89 //取出第二个注册码,放在EBP-68
001B:00402B34 ADD ESP,04
001B:00402B37 LEA EAX,[EBP-009C]
001B:00402B3D PUSH EAX //第一个正确的注册码
001B:00402B3E PUSH EDI //上一次存盘的注册码
001B:00402B3F CALL 00403DD0 //比较注册码
001B:00402B44 ADD ESP,08
001B:00402B47 TEST EAX,EAX
001B:00402B49 JNZ 00402B5C //注册码不正确,上一次存盘的注册码与第二正确的注册码比较
001B:00402B4B PUSH 30
001B:00402B4D PUSH 00422038 //"windows Task-Lock"
001B:00402B52 PUSH 00422374 //"Windows Task-Lock is already registered: single system"
001B:00402B57 JMP 00402C0B //显示提示框
001B:00402B5C LEA EAX,[EBP-68]
001B:00402B5F PUSH EAX //第二个正确的注册码
001B:00402B60 PUSH EDI //上一次存盘的注册码
001B:00402B61 CALL 00403DD0 //比较注册码
001B:00402B66 ADD ESP,08
001B:00402B69 TEST EAX,EAX
001B:00402B6B JNZ 00402B7E //跳到比较第一个正确的注册码
001B:00402B6D PUSH 30
001B:00402B6F PUSH 00422038 //"windows Task-Lock"
001B:00402B74 PUSH 0042233C //"Windows Task-Lock is already registered: site license"
001B:00402B79 JMP 00402C0B //显示提示框
001B:00402B7E LEA EAX,[EBP-009C]
001B:00402B84 LEA ECX,[EBP-34]
001B:00402B87 PUSH EAX //第一个正确的注册码
001B:00402B88 PUSH ECX //用户输入的注册码
001B:00402B89 CALL 00403DD0 //与第一个正确的注册码比较
001B:00402B8E ADD ESP,08
001B:00402B91 TEST EAX,EAX
001B:00402B93 JNZ 00402BC0 //比较失败,与下一个注册码
001B:00402B95 PUSH 30
001B:00402B97 MOV ECX,ESI
001B:00402B99 PUSH 00422038 //"windows Task-Lock"
001B:00402B9E PUSH 00422310 //"Windows Task-Lock is already registered: single system"
001B:00402BA3 CALL 004115EA //提示注册成功
001B:00402BA8 LEA EAX,[EBP-34]
001B:00402BAB PUSH EAX //用户输入的注册码
001B:00402BAC PUSH EDI //上一次存盘的注册码
001B:00402BAD CALL 00403E58 //把eax指向的字符串赋值到edi中
001B:00402BB2 ADD ESP,08
001B:00402BB5 PUSH EDI //用户输入的注册码
001B:00402BB6 CALL 00401EAE //将注册码写入注册文件,看下面对文件格式的深入分析
001B:00402BBB ADD ESP,04
001B:00402BBE JMP 00402C12 //注册成功,退出
001B:00402BC0 LEA EAX,[EBP-68]
001B:00402BC3 LEA ECX,[EBP-34]
001B:00402BC6 PUSH EAX //第二个正确的注册码
001B:00402BC7 PUSH ECX //用户输入的注册码
001B:00402BC8 CALL 00403DD0 //与第二个正确的注册码比较
001B:00402BCD ADD ESP,08
001B:00402BD0 TEST EAX,EAX
001B:00402BD2 JNZ 00402BFF //显示提示框
001B:00402BD4 PUSH 30
001B:00402BD6 MOV ECX,ESI
001B:00402BD8 PUSH 00422038 //"windows Task-Lock"
001B:00402BDD PUSH 004222E4 //"Windows Task-Lock is already registered: site license"
001B:00402BE2 CALL 004115EA //提示注册成功
001B:00402BE7 LEA EAX,[EBP-34]
001B:00402BEA PUSH EAX //用户输入的注册码
001B:00402BEB PUSH EDI //上一次存盘的注册码
001B:00402BEC CALL 00403E58 //把eax指向的字符串赋值到edi中
001B:00402BF1 ADD ESP,08
001B:00402BF4 PUSH EDI //用户输入的注册码
001B:00402BF5 CALL 00401EAE //将注册码写入注册文件,看下面对文件格式的深入分析
001B:00402BFA ADD ESP,04
001B:00402BFD JMP 00402C12 //注册成功,退出
001B:00402BFF PUSH 10
001B:00402C01 PUSH 00422038 //"windows Task-Lock"
001B:00402C06 PUSH 004222C4 //"Registration number incorrect"
001B:00402C0B MOV ECX,ESI //ecx存放句柄
001B:00402C0D CALL 004115EA //显示提示框
001B:00402C12 PUSH 00
001B:00402C14 PUSH DWORD PTR [ESI+1C]
001B:00402C17 CALL [USER32!EndDialog] //退出
The EndDialog function destroys a modal dialog box, causing the system to end any processing for the dialog box.
BOOL EndDialog(
HWND hDlg, // handle to dialog box
int nResult // value to return
);
001B:00402C1D POP EDI
001B:00402C1E POP ESI
001B:00402C1F MOV ESP,EBP
001B:00402C21 POP EBP
001B:00402C22 RET
从上面的分析我们可以看到,把messagebox所在的call命名为dispErr_call是错误的,因为这不是一个显示错误的对话框,命名为DispMsg_call更合适些。
到这里注册码已经很明了了。在分析注册码时,删了好几次注册文件,曾经用记事本打开过,发现是乱码,加密过的。那注册文件的格式是什
么呢?继续分析,下面是ida保存下来的,用看ice看得头大。所以请ida帮忙分析一些已知函数:
.text:00401EAE Save proc near ; CODE XREF: sub_402AF8+BEp
.text:00401EAE ; sub_402AF8+FDp
.text:00401EAE
.text:00401EAE Buffer = byte ptr -1CCh
.text:00401EAE Var_codedStr = dword ptr -0CCh
.text:00401EAE var_codeLen = dword ptr -4
.text:00401EAE RegCode = dword ptr 8
.text:00401EAE
.text:00401EAE push ebp
.text:00401EAF mov ebp, esp
.text:00401EB1 sub esp, 1CCh
.text:00401EB7 push ebx
.text:00401EB8 lea eax, [ebp+Buffer]
.text:00401EBE push esi
.text:00401EBF push edi
.text:00401EC0 push 100h ; uSize
.text:00401EC5 push eax ; lpBuffer
.text:00401EC6 call ds:GetWindowsDirectoryA
.text:00401ECC lea ecx, [ebp+Buffer]
.text:00401ED2 push ecx ; %windir%
.text:00401ED3 call _strlen
.text:00401ED8 add esp, 4
.text:00401EDB cmp [ebp+eax+Buffer], 5Ch ; "\"
.text:00401EE3 jz short Cat_aKcllgs10_reg_0
.text:00401EE5 push offset aKcllgs10_reg ; "\\kcllgs10.reg"
.text:00401EEA jmp short Cat_aKcllgs10_reg
.text:00401EEC ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00401EEC
.text:00401EEC Cat_aKcllgs10_reg_0: ; CODE XREF: Save+35j
.text:00401EEC push offset aKcllgs10_reg_0 ; "kcllgs10.reg"
.text:00401EF1
.text:00401EF1 Cat_aKcllgs10_reg: ; CODE XREF: Save+3Cj
.text:00401EF1 lea eax, [ebp+Buffer] ; "\kcllgs10.reg"
.text:00401EF7 push eax ; %windir%
.text:00401EF8 call _strcat
.text:00401EFD add esp, 8
.text:00401F00 lea eax, [ebp+Buffer] ; %windir%\kcllgs10.reg
.text:00401F06 push offset aWb ; "wb"
.text:00401F0B push eax
.text:00401F0C call _fopen
.text:00401F11 add esp, 8
.text:00401F14 mov esi, eax ; 文件句柄
.text:00401F16 test esi, esi ; 句柄不为0
.text:00401F18 jz short exit ; 为0,则退出
.text:00401F1A lea eax, [ebp+Var_codedStr]
.text:00401F20 push eax
.text:00401F21 push offset aChristjesusisl ; "ChristJesusIsLord"
.text:00401F26 push [ebp+RegCode]
.text:00401F29 call Sub_encrypt
.text:00401F2E add esp, 0Ch
.text:00401F31 mov [ebp+var_codeLen], eax
.text:00401F34 lea eax, [ebp+var_codeLen]
.text:00401F37 push esi ; 文件句柄
.text:00401F38 push 1
.text:00401F3A xor ebx, ebx
.text:00401F3C push 4
.text:00401F3E push eax
.text:00401F3F call _fwrite
.text:00401F44 add esp, 10h
.text:00401F47 cmp [ebp+var_codeLen], ebx
.text:00401F4A jle short Close_File_Handle
.text:00401F4C lea edi, [ebp+Var_codedStr]
.text:00401F52
.text:00401F52 loop: ; CODE XREF: Save+B9j
.text:00401F52 push esi ; 文件句柄
.text:00401F53 inc ebx
.text:00401F54 push 1
.text:00401F56 push 4
.text:00401F58 push edi
.text:00401F59 call _fwrite
.text:00401F5E add esp, 10h
.text:00401F61 add edi, 4
.text:00401F64 cmp [ebp+var_codeLen], ebx
.text:00401F67 jg short loop
.text:00401F69
.text:00401F69 Close_File_Handle: ; CODE XREF: Save+9Cj
.text:00401F69 push esi
.text:00401F6A call _fclose
.text:00401F6F add esp, 4
.text:00401F72
.text:00401F72 exit: ; CODE XREF: Save+6Aj
.text:00401F72 pop edi
.text:00401F73 pop esi
.text:00401F74 pop ebx
.text:00401F75 mov esp, ebp
.text:00401F77 pop ebp
.text:00401F78 retn
.text:00401F78 Save endp
那个关键的Sub_encrypt还没分析,明天再来了。分析得真慢,一天过去了。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!