【Title】: Registration analysis of a baby-naming program (algorithm + keygen source)
【Author】: suredwang
【Author's e-mail】: suredwang@126.com
【Software name】: 小精灵宝宝取名
【Software size】: 4.26M
【Download】: search for it yourself
【Packer】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【Protection】: packer + anti-debugging + machine code
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD, PEiD, UPX unpacker
【Platform】: Windows XP
【Software description】: This naming program is very powerful and comes with many extra features.
【Author's note】: I'm really just a small newbie; I'm only interested in studying the protection methods of various software and have no other purpose. Please correct me wherever I've slipped up!
--------------------------------------------------------------------------------
【Detailed process】
What follows are my analysis notes. First check the packer with PEiD: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo. I was quietly pleased: unpackers for this old packer were written long ago, but for practice I'll unpack it by hand; if it goes smoothly that is faster than hunting for a tool. OK, let's begin. Load the main program in OD, which shows the following:
007E07A0 > 60 pushad
007E07A1 BE 00A06A00 mov esi, 006AA000
007E07A6 8DBE 0070D5FF lea edi, dword ptr [esi+FFD57000]
007E07AC 57 push edi
007E07AD 83CD FF or ebp, FFFFFFFF
007E07B0 EB 10 jmp short 007E07C2
007E07B2 90 nop
007E07B3 90 nop
007E07B4 90 nop
007E07B5 90 nop
007E07B6 90 nop
007E07B7 90 nop
007E07B8 8A06 mov al, byte ptr [esi]
007E07BA 46 inc esi
007E07BB 8807 mov byte ptr [edi], al
007E07BD 47 inc edi
007E07BE 01DB add ebx, ebx
007E07C0 75 07 jnz short 007E07C9
007E07C2 8B1E mov ebx, dword ptr [esi]
Heh, the classic signature. Since there is a pushad there must be a popad: right-click, Search for -> Command, type popad, and we find it here:
007E08E6 57 push edi
007E08E7 48 dec eax
007E08E8 F2:AE repne scas byte ptr es:[edi]
007E08EA 55 push ebp
007E08EB FF96 046D3F00 call dword ptr [esi+3F6D04]
007E08F1 09C0 or eax, eax
007E08F3 74 07 je short 007E08FC
007E08F5 8903 mov dword ptr [ebx], eax
007E08F7 83C3 04 add ebx, 4
007E08FA ^ EB E1 jmp short 007E08DD
007E08FC FF96 086D3F00 call dword ptr [esi+3F6D08]
007E0902 61 popad ; found it, set a breakpoint here
007E0903 - E9 408EEBFF jmp 00699748
007E0908 2009 and byte ptr [ecx], cl
007E090A 7E 00 jle short 007E090C
007E090C 3009 xor byte ptr [ecx], cl
007E090E 7E 00 jle short 007E0910
007E0910 AC lods byte ptr [esi]
007E0911 A0 69000000 mov al, byte ptr [69]
Such an obvious jump, - E9 408EEBFF jmp 00699748, heads straight for the OEP; nothing more to say, that is the OEP. If you want to be sure, search again (B) for any other popad: there is none, this is the only one. Good: F2 to set a breakpoint at 007E0902, F4 or F9 to run until it breaks, remove the breakpoint, press F8, and we arrive at the OEP:
00699748 55 push ebp ; here, right-click and dump the process
00699749 8BEC mov ebp, esp
0069974B B9 07000000 mov ecx, 7
00699750 6A 00 push 0
00699752 6A 00 push 0
00699754 49 dec ecx
00699755 ^ 75 F9 jnz short 00699750
00699757 53 push ebx
00699758 56 push esi
00699759 57 push edi
0069975A B8 B08E6900 mov eax, 00698EB0
0069975F E8 E8DED6FF call 0040764C
00699764 33C0 xor eax, eax
00699766 55 push ebp
00699767 68 FF9A6900 push 00699AFF
Run the dumped program: it works normally. Click System registration and, ugh, an error: no machine code is displayed. Looks like the overlay data needs fixing. I fiddled with it for a long time but couldn't find the cause and didn't fix it.
Fine, I give up and try one of the experts' unpacking tools. Heh, it runs normally and clicking Register shows the machine code. Embarrassing. Good: PEiD now reports no packer and Borland Delphi 6.0 - 7.0. Load the unpacked program in OD:
00699748 > $ 55 push ebp
00699749 . 8BEC mov ebp, esp
0069974B . B9 07000000 mov ecx, 7
00699750 > 6A 00 push 0
00699752 . 6A 00 push 0
00699754 . 49 dec ecx
00699755 .^ 75 F9 jnz short 00699750
00699757 . 53 push ebx
00699758 . 56 push esi
00699759 . 57 push edi
0069975A . B8 B08E6900 mov eax, 00698EB0
0069975F . E8 E8DED6FF call 0040764C
00699764 . 33C0 xor eax, eax
00699766 . 55 push ebp
Right-click and search for the registration-failure string “注册码不正确” (registration code incorrect); there is only one occurrence. Double-click it to land in the main program's code, trace upward to the entry code shown below, and set a breakpoint there with F2:
006030AC . 55 push ebp
006030AD . 8BEC mov ebp, esp
006030AF . B9 46000000 mov ecx, 46
006030B4 > 6A 00 push 0
006030B6 . 6A 00 push 0
006030B8 . 49 dec ecx
006030B9 .^ 75 F9 jnz short 006030B4
006030BB . 51 push ecx
006030BC . 53 push ebx
006030BD . 8945 FC mov dword ptr [ebp-4], eax
006030C0 . 33C0 xor eax, eax
006030C2 . 55 push ebp
006030C3 . 68 96356000 push 00603596
006030C8 . 64:FF30 push dword ptr fs:[eax]
006030CB . 64:8920 mov dword ptr fs:[eax], esp
006030CE . 8D95 1CFEFFFF lea edx, dword ptr [ebp-1E4]
006030D4 . 8B45 FC mov eax, dword ptr [ebp-4]
006030D7 . 8B80 0C030000 mov eax, dword ptr [eax+30C]
006030DD . E8 FE6AEBFF call 004B9BE0
006030E2 . 8B85 1CFEFFFF mov eax, dword ptr [ebp-1E4]
006030E8 . 8D95 20FEFFFF lea edx, dword ptr [ebp-1E0]
006030EE . E8 B16CE0FF call 00409DA4
006030F3 . 83BD 20FEFFFF>cmp dword ptr [ebp-1E0], 0
006030FA . 75 1D jnz short 00603119
006030FC . 6A 40 push 40
006030FE . B9 A8356000 mov ecx, 006035A8 ; 提示
00603103 . BA B0356000 mov edx, 006035B0 ; 用户码不能为空!
00603108 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
0060310D . 8B00 mov eax, dword ptr [eax]
0060310F . E8 106DEAFF call 004A9E24
00603114 . E9 9E030000 jmp 006034B7
00603119 > 8D95 14FEFFFF lea edx, dword ptr [ebp-1EC]
0060311F . 8B45 FC mov eax, dword ptr [ebp-4]
00603122 . 8B80 08030000 mov eax, dword ptr [eax+308]
00603128 . E8 B36AEBFF call 004B9BE0
0060312D . 8B85 14FEFFFF mov eax, dword ptr [ebp-1EC]
00603133 . 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
00603139 . E8 666CE0FF call 00409DA4
0060313E . 83BD 18FEFFFF>cmp dword ptr [ebp-1E8], 0
00603145 . 75 1D jnz short 00603164
00603147 . 6A 40 push 40
00603149 . B9 A8356000 mov ecx, 006035A8 ; 提示
0060314E . BA C4356000 mov edx, 006035C4 ; 注册码不能为空!
00603153 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
00603158 . 8B00 mov eax, dword ptr [eax]
0060315A . E8 C56CEAFF call 004A9E24
0060315F . E9 53030000 jmp 006034B7
00603164 > 8D95 0CFEFFFF lea edx, dword ptr [ebp-1F4]
0060316A . 8B45 FC mov eax, dword ptr [ebp-4]
0060316D . 8B80 0C030000 mov eax, dword ptr [eax+30C]
00603173 . E8 686AEBFF call 004B9BE0
00603178 . 8B85 0CFEFFFF mov eax, dword ptr [ebp-1F4]
0060317E . 8D95 10FEFFFF lea edx, dword ptr [ebp-1F0]
00603184 . E8 1B6CE0FF call 00409DA4
00603189 . 8B85 10FEFFFF mov eax, dword ptr [ebp-1F0]
0060318F . 8D4D F0 lea ecx, dword ptr [ebp-10]
00603192 . BA E0356000 mov edx, 006035E0 ; ofdssdesds
00603197 . E8 6430F2FF call 00526200
0060319C . 8D95 00FEFFFF lea edx, dword ptr [ebp-200]
006031A2 . 8B45 FC mov eax, dword ptr [ebp-4]
006031A5 . 8B80 08030000 mov eax, dword ptr [eax+308]
006031AB . E8 306AEBFF call 004B9BE0
006031B0 . 8B85 00FEFFFF mov eax, dword ptr [ebp-200]
006031B6 . 8D95 04FEFFFF lea edx, dword ptr [ebp-1FC]
006031BC . E8 E36BE0FF call 00409DA4
006031C1 . 8B85 04FEFFFF mov eax, dword ptr [ebp-1FC]
006031C7 . 8D8D 08FEFFFF lea ecx, dword ptr [ebp-1F8]
006031CD . BA E0356000 mov edx, 006035E0 ; ofdssdesds
006031D2 . E8 3D32F2FF call 00526414
006031D7 . 8B95 08FEFFFF mov edx, dword ptr [ebp-1F8]
006031DD . 8B45 F0 mov eax, dword ptr [ebp-10]
006031E0 . E8 D320E0FF call 004052B8
006031E5 . 74 3E je short 00603225
006031E7 . 6A 40 push 40
006031E9 . B9 A8356000 mov ecx, 006035A8 ; 提示
006031EE . BA EC356000 mov edx, 006035EC ; 注册码不正确! (double-click brings you here)
006031F3 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
006031F8 . 8B00 mov eax, dword ptr [eax]
006031FA . E8 256CEAFF call 004A9E24
006031FF . 8B45 FC mov eax, dword ptr [ebp-4]
00603202 . 8B80 08030000 mov eax, dword ptr [eax+308]
00603208 . 33D2 xor edx, edx
0060320A . E8 E569EBFF call 004B9BF4
0060320F . 8B45 FC mov eax, dword ptr [ebp-4]
00603212 . 8B80 08030000 mov eax, dword ptr [eax+308]
00603218 . 8B10 mov edx, dword ptr [eax]
0060321A . FF92 C4000000 call dword ptr [edx+C4]
00603220 . E9 92020000 jmp 006034B7
00603225 > 8D95 F4FDFFFF lea edx, dword ptr [ebp-20C]
0060322B . 8B45 FC mov eax, dword ptr [ebp-4]
0060322E . 8B80 08030000 mov eax, dword ptr [eax+308]
00603234 . E8 A769EBFF call 004B9BE0
00603239 . 8B85 F4FDFFFF mov eax, dword ptr [ebp-20C]
Ouch! Pressing F9 to run shuts the machine down outright, so there is anti-debugging code as well. Fortunately this kind of shutdown code is easy to find: whether it invokes a DOS shutdown command or some other shutdown function, the string shutdown should appear somewhere.
Reboot, reload, right-click -> search for all referenced strings, and in the string window right-click and search for “shutdown”. Heh, found it; searching for the next occurrence (B) finds nothing, so there is only one:
Ultra String Reference, 条目 2819
Address=00602882
Disassembly=push 006028EC
Text String=seshutdownprivilege
So this is where the shutdown privilege token is! Double-click to land in the program's code, which brings us here:
0060286C /$ 83C4 C0 add esp, -40 ; click this line: the pane below shows “Local call from 00602AB2”; right-click it
0060286F |. E8 CC51E0FF call <jmp.&KERNEL32.GetCurrentProcess>; [GetCurrentProcess
00602874 |. 54 push esp ; /phToken
00602875 |. 6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
00602877 |. 50 push eax ; |hProcess
00602878 |. E8 9B50E0FF call <jmp.&advapi32.OpenProcessToken> ; \OpenProcessToken
0060287D |. 8D4424 08 lea eax, dword ptr [esp+8]
00602881 |. 50 push eax ; /pLocalId
00602882 |. 68 EC286000 push 006028EC ; |seshutdownprivilege
00602887 |. 68 00296000 push 00602900 ; |SystemName = ""
0060288C |. E8 7F50E0FF call <jmp.&advapi32.LookupPrivilegeVa>; \LookupPrivilegeValueA
00602891 |. 8B4424 08 mov eax, dword ptr [esp+8]
00602895 |. 894424 34 mov dword ptr [esp+34], eax
00602899 |. 8B4424 0C mov eax, dword ptr [esp+C]
and go there:
00602A8F |> \8D95 C8FEFFFF |lea edx, dword ptr [ebp-138]
00602A95 |. 8BC6 |mov eax, esi
00602A97 |. E8 88FBFFFF |call 00602624
00602A9C |. 83F8 01 |cmp eax, 1
00602A9F |. 1BDB |sbb ebx, ebx
00602AA1 |. 43 |inc ebx
00602AA2 |> 84DB test bl, bl
00602AA4 |.^ 0F85 FBFEFFFF \jnz 006029A5
00602AAA |. 8B45 F4 mov eax, dword ptr [ebp-C]
00602AAD |. 3B45 F8 cmp eax, dword ptr [ebp-8]
00602AB0 |. 74 19 je short 00602ACB
00602AB2 |. E8 B5FDFFFF call 0060286C
00602AB7 |. 6A 00 push 0 ; /ExitCode = 0
00602AB9 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
00602ABC |. 50 push eax ; |hProcess
00602ABD |. E8 5651E0FF call <jmp.&KERNEL32.TerminateProcess> ; \TerminateProcess  terminates the detected process
00602AC2 |. 6A 00 push 0 ; /Reserved = 0
00602AC4 |. 6A 08 push 8 ; |Options = EWX_POWEROFF  power off
00602AC6 |. E8 5557E0FF call <jmp.&user32.ExitWindowsEx> ; \ExitWindowsEx  shuts down the system
00602ACB |> 33C0 xor eax, eax
00602ACD |. 5A pop edx
Heh, plain enough: this is where the shutdown happens.
00602AB0 |. /74 19 je short 00602ACB ; change the je to jmp, save, reload and run: it now behaves normally
Continuing from the step just before the shutdown: F9 to run, good, normal. Click System registration, enter an arbitrary fake code 8765432187654321, click Register, it breaks here, and step with F8:
006030AC . 55 push ebp ; clicking Register breaks here
006030AD . 8BEC mov ebp, esp ; entry address located
006030AF . B9 46000000 mov ecx, 46
006030B4 > 6A 00 push 0
006030B6 . 6A 00 push 0
006030B8 . 49 dec ecx
006030B9 .^ 75 F9 jnz short 006030B4
006030BB . 51 push ecx
006030BC . 53 push ebx
006030BD . 8945 FC mov dword ptr [ebp-4], eax
006030C0 . 33C0 xor eax, eax
006030C2 . 55 push ebp
006030C3 . 68 96356000 push 00603596
006030C8 . 64:FF30 push dword ptr fs:[eax]
006030CB . 64:8920 mov dword ptr fs:[eax], esp
006030CE . 8D95 1CFEFFFF lea edx, dword ptr [ebp-1E4]
006030D4 . 8B45 FC mov eax, dword ptr [ebp-4]
006030D7 . 8B80 0C030000 mov eax, dword ptr [eax+30C]
006030DD . E8 FE6AEBFF call 004B9BE0 ; note: several CALLs below jump straight out on F8; I don't know whether they contain so-called “emulated code”, so I had to use F4 or F9 instead
006030E2 . 8B85 1CFEFFFF mov eax, dword ptr [ebp-1E4] ; to see what a CALL does, set a breakpoint here with F2, then F4 or F9 to break
006030E8 . 8D95 20FEFFFF lea edx, dword ptr [ebp-1E0] ; fetch the machine code (user code)
006030EE . E8 B16CE0FF call 00409DA4 ; strip spaces from the string
006030F3 . 83BD 20FEFFFF>cmp dword ptr [ebp-1E0], 0 ; check whether the machine code is empty
006030FA . 75 1D jnz short 00603119
006030FC . 6A 40 push 40
006030FE . B9 A8356000 mov ecx, 006035A8 ; 提示
00603103 . BA B0356000 mov edx, 006035B0 ; 用户码不能为空!
00603108 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
0060310D . 8B00 mov eax, dword ptr [eax]
0060310F . E8 106DEAFF call 004A9E24
00603114 . E9 9E030000 jmp 006034B7
00603119 > 8D95 14FEFFFF lea edx, dword ptr [ebp-1EC]
0060311F . 8B45 FC mov eax, dword ptr [ebp-4]
00603122 . 8B80 08030000 mov eax, dword ptr [eax+308]
00603128 . E8 B36AEBFF call 004B9BE0 ; as above, skip over it with F4 or F9
0060312D . 8B85 14FEFFFF mov eax, dword ptr [ebp-1EC]
00603133 . 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8] ; fetch the registration code (fake code)
00603139 . E8 666CE0FF call 00409DA4 ; as above
0060313E . 83BD 18FEFFFF>cmp dword ptr [ebp-1E8], 0 ; check whether the registration code is empty
00603145 . 75 1D jnz short 00603164
00603147 . 6A 40 push 40
00603149 . B9 A8356000 mov ecx, 006035A8 ; 提示
0060314E . BA C4356000 mov edx, 006035C4 ; 注册码不能为空!
00603153 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
00603158 . 8B00 mov eax, dword ptr [eax]
0060315A . E8 C56CEAFF call 004A9E24
0060315F . E9 53030000 jmp 006034B7
00603164 > 8D95 0CFEFFFF lea edx, dword ptr [ebp-1F4]
0060316A . 8B45 FC mov eax, dword ptr [ebp-4]
0060316D . 8B80 0C030000 mov eax, dword ptr [eax+30C]
00603173 . E8 686AEBFF call 004B9BE0 ; fetch the machine code
00603178 . 8B85 0CFEFFFF mov eax, dword ptr [ebp-1F4]
0060317E . 8D95 10FEFFFF lea edx, dword ptr [ebp-1F0] ; machine code into the register
00603184 . E8 1B6CE0FF call 00409DA4 ; strip spaces from the string
00603189 . 8B85 10FEFFFF mov eax, dword ptr [ebp-1F0]
0060318F . 8D4D F0 lea ecx, dword ptr [ebp-10]
00603192 . BA E0356000 mov edx, 006035E0 ; the fixed string (ofdssdesds) into the register for the computation
00603197 . E8 6430F2FF call 00526200 ; algorithm CALL, F7 to step in
0060319C . 8D95 00FEFFFF lea edx, dword ptr [ebp-200]
006031A2 . 8B45 FC mov eax, dword ptr [ebp-4]
006031A5 . 8B80 08030000 mov eax, dword ptr [eax+308]
006031AB . E8 306AEBFF call 004B9BE0 ; fetch the fake code
006031B0 . 8B85 00FEFFFF mov eax, dword ptr [ebp-200]
006031B6 . 8D95 04FEFFFF lea edx, dword ptr [ebp-1FC]
006031BC . E8 E36BE0FF call 00409DA4 ; check and strip spaces
006031C1 . 8B85 04FEFFFF mov eax, dword ptr [ebp-1FC]
006031C7 . 8D8D 08FEFFFF lea ecx, dword ptr [ebp-1F8]
006031CD . BA E0356000 mov edx, 006035E0 ; the fixed string (ofdssdesds) into the register for the computation
006031D2 . E8 3D32F2FF call 00526414 ; second algorithm CALL, F7 to step in
006031D7 . 8B95 08FEFFFF mov edx, dword ptr [ebp-1F8] ; the fake code's XOR result, taken as ASCII codes and converted to a string
006031DD . 8B45 F0 mov eax, dword ptr [ebp-10] ; the machine code's XOR result
006031E0 . E8 D320E0FF call 004052B8 ; key CALL: the results of the two algorithms are compared here
006031E5 . 74 3E je short 00603225 ; key jump: if it doesn't jump, you're done for
006031E7 . 6A 40 push 40
006031E9 . B9 A8356000 mov ecx, 006035A8 ; 提示
006031EE . BA EC356000 mov edx, 006035EC ; 注册码不正确!
006031F3 . A1 5CCB6A00 mov eax, dword ptr [6ACB5C]
Follow the first key algorithm CALL:
00526200 /$ 55 push ebp ; entry address
00526201 |. 8BEC mov ebp, esp
00526203 |. 51 push ecx
00526204 |. B9 07000000 mov ecx, 7
00526209 |> 6A 00 /push 0
0052620B |. 6A 00 |push 0
0052620D |. 49 |dec ecx
0052620E |.^ 75 F9 \jnz short 00526209
00526210 |. 874D FC xchg dword ptr [ebp-4], ecx
00526213 |. 53 push ebx
00526214 |. 56 push esi
00526215 |. 57 push edi
00526216 |. 894D F8 mov dword ptr [ebp-8], ecx
00526219 |. 8955 FC mov dword ptr [ebp-4], edx
0052621C |. 8BD8 mov ebx, eax
0052621E |. 8B45 FC mov eax, dword ptr [ebp-4] ; machine code
00526221 |. E8 36F1EDFF call 0040535C
00526226 |. 33C0 xor eax, eax ; clear EAX
00526228 |. 55 push ebp
00526229 |. 68 02645200 push 00526402
0052622E |. 64:FF30 push dword ptr fs:[eax]
00526231 |. 64:8920 mov dword ptr fs:[eax], esp
00526234 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00526237 |. 8BC3 mov eax, ebx ; machine code
00526239 |. E8 C2FDFFFF call 00526000
0052623E |. 8D55 F0 lea edx, dword ptr [ebp-10]
00526241 |. 8B45 FC mov eax, dword ptr [ebp-4] ; the "OFDSSDESDS" string
00526244 |. E8 B7FDFFFF call 00526000 ; machine code converted entirely to ASCII codes
00526249 |. 8D45 EC lea eax, dword ptr [ebp-14]
0052624C |. 8B55 F4 mov edx, dword ptr [ebp-C]
0052624F |. E8 F0ECEDFF call 00404F44 ; string converted entirely to ASCII codes
00526254 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00526257 |. E8 10EFEDFF call 0040516C
0052625C |. D1F8 sar eax, 1
0052625E |. 79 03 jns short 00526263
00526260 |. 83D0 00 adc eax, 0
00526263 |> 85C0 test eax, eax
00526265 |. 0F8E 54010000 jle 005263BF
0052626B |. 8945 E0 mov dword ptr [ebp-20], eax
0052626E |. BE 01000000 mov esi, 1
00526273 |> 83FE 01 /cmp esi, 1 ; enter the algorithm loop
00526276 |. 74 0B |je short 00526283
00526278 |. 8D45 EC |lea eax, dword ptr [ebp-14]
0052627B |. 8B55 E8 |mov edx, dword ptr [ebp-18]
0052627E |. E8 C1ECEDFF |call 00404F44
00526283 |> 8D45 E8 |lea eax, dword ptr [ebp-18]
00526286 |. E8 21ECEDFF |call 00404EAC
0052628B |. 8B45 EC |mov eax, dword ptr [ebp-14] ; 机器码的ASCII码
0052628E |. E8 D9EEEDFF |call 0040516C
00526293 |. 8BF8 |mov edi, eax
00526295 |. D1FF |sar edi, 1
00526297 |. 79 03 |jns short 0052629C
00526299 |. 83D7 00 |adc edi, 0
0052629C |> 85FF |test edi, edi
0052629E |. 0F8E 11010000 |jle 005263B5
005262A4 |. BB 01000000 |mov ebx, 1
005262A9 |> BA 10645200 |/mov edx, 00526410
005262AE |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
005262B1 |. E8 1ED2EDFF ||call 004034D4
005262B6 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
005262B9 |. 8BD3 ||mov edx, ebx
005262BB |. 03D2 ||add edx, edx
005262BD |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
005262C0 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2] ; ASCII codes of the machine code, which I'll call “A” below; take the first digit
005262C4 |. 8850 01 ||mov byte ptr [eax+1], dl ; store it
005262C7 |. C600 01 ||mov byte ptr [eax], 1
005262CA |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
005262CD |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
005262D0 |. B1 02 ||mov cl, 2
005262D2 |. E8 CDD1EDFF ||call 004034A4 ; store in the two-byte slot
005262D7 |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
005262DA |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
005262DD |. E8 F2D1EDFF ||call 004034D4
005262E2 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
005262E5 |. 8BD3 ||mov edx, ebx
005262E7 |. 03D2 ||add edx, edx
005262E9 |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
005262EC |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1] ; second digit of A
005262F0 |. 8850 01 ||mov byte ptr [eax+1], dl
005262F3 |. C600 01 ||mov byte ptr [eax], 1
005262F6 |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
005262F9 |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
005262FC |. B1 03 ||mov cl, 3
005262FE |. E8 A1D1EDFF ||call 004034A4 ; store
00526303 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
00526306 |. 8D45 DC ||lea eax, dword ptr [ebp-24]
00526309 |. E8 02EEEDFF ||call 00405110
0052630E |. 8B45 DC ||mov eax, dword ptr [ebp-24]
00526311 |. E8 4E40EEFF ||call 0040A364
00526316 |. 8845 E7 ||mov byte ptr [ebp-19], al
00526319 |. BA 10645200 ||mov edx, 00526410
0052631E |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
00526321 |. E8 AED1EDFF ||call 004034D4
00526326 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
00526329 |. 8BD6 ||mov edx, esi
0052632B |. 03D2 ||add edx, edx
0052632D |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
00526330 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2] ; ASCII codes of the fixed string, which I'll call B; take the first digit
00526334 |. 8850 01 ||mov byte ptr [eax+1], dl
00526337 |. C600 01 ||mov byte ptr [eax], 1
0052633A |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
0052633D |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
00526340 |. B1 02 ||mov cl, 2
00526342 |. E8 5DD1EDFF ||call 004034A4 ; as above
00526347 |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
0052634A |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
0052634D |. E8 82D1EDFF ||call 004034D4
00526352 |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
00526355 |. 8BD6 ||mov edx, esi
00526357 |. 03D2 ||add edx, edx
00526359 |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
0052635C |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1] ; take the second digit of B
00526360 |. 8850 01 ||mov byte ptr [eax+1], dl
00526363 |. C600 01 ||mov byte ptr [eax], 1
00526366 |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
00526369 |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
0052636C |. B1 03 ||mov cl, 3
0052636E |. E8 31D1EDFF ||call 004034A4 ; as above
00526373 |. 8D55 D0 ||lea edx, dword ptr [ebp-30]
00526376 |. 8D45 CC ||lea eax, dword ptr [ebp-34]
00526379 |. E8 92EDEDFF ||call 00405110
0052637E |. 8B45 CC ||mov eax, dword ptr [ebp-34]
00526381 |. E8 DE3FEEFF ||call 0040A364
00526386 |. 3245 E7 ||xor al, byte ptr [ebp-19] ; XOR the two as hexadecimal byte pairs
00526389 |. 8845 E6 ||mov byte ptr [ebp-1A], al ; save the result
0052638C |. 8D45 C4 ||lea eax, dword ptr [ebp-3C]
0052638F |. 8A55 E6 ||mov dl, byte ptr [ebp-1A]
00526392 |. E8 FDECEDFF ||call 00405094
00526397 |. 8B45 C4 ||mov eax, dword ptr [ebp-3C]
0052639A |. 8D55 C8 ||lea edx, dword ptr [ebp-38]
0052639D |. E8 5EFCFFFF ||call 00526000
005263A2 |. 8B55 C8 ||mov edx, dword ptr [ebp-38] ; result into register EDX
005263A5 |. 8D45 E8 ||lea eax, dword ptr [ebp-18]
005263A8 |. E8 C7EDEDFF ||call 00405174 ; append to the string
005263AD |. 43 ||inc ebx
005263AE |. 4F ||dec edi ; loop counter minus 1
005263AF |.^ 0F85 F4FEFFFF |\jnz 005262A9 ; loop back
005263B5 |> 46 |inc esi ; inner loop done, outer loop counter advances
005263B6 |. FF4D E0 |dec dword ptr [ebp-20] ; outer loop counter minus 1
005263B9 |.^ 0F85 B4FEFFFF \jnz 00526273
005263BF |> 8B45 F8 mov eax, dword ptr [ebp-8]
005263C2 |. 8B55 E8 mov edx, dword ptr [ebp-18] ; register holding the XOR result of the whole loop, used for the comparison
005263C5 |. E8 36EBEDFF call 00404F00
005263CA |. 33C0 xor eax, eax
005263CC |. 5A pop edx
005263CD |. 59 pop ecx
005263CE |. 59 pop ecx
005263CF |. 64:8910 mov dword ptr fs:[eax], edx
005263D2 |. 68 09645200 push 00526409
005263D7 |> 8D45 C4 lea eax, dword ptr [ebp-3C]
005263DA |. BA 03000000 mov edx, 3
005263DF |. E8 ECEAEDFF call 00404ED0
005263E4 |. 8D45 DC lea eax, dword ptr [ebp-24]
005263E7 |. E8 C0EAEDFF call 00404EAC
005263EC |. 8D45 E8 lea eax, dword ptr [ebp-18]
005263EF |. BA 04000000 mov edx, 4
005263F4 |. E8 D7EAEDFF call 00404ED0
005263F9 |. 8D45 FC lea eax, dword ptr [ebp-4]
005263FC |. E8 ABEAEDFF call 00404EAC
00526401 \. C3 retn
The second algorithm CALL:
00526414 /$ 55 push ebp ; entry address
00526415 |. 8BEC mov ebp, esp
00526417 |. 51 push ecx
00526418 |. B9 06000000 mov ecx, 6
0052641D |> 6A 00 /push 0
0052641F |. 6A 00 |push 0
00526421 |. 49 |dec ecx
00526422 |.^ 75 F9 \jnz short 0052641D
00526424 |. 51 push ecx
00526425 |. 874D FC xchg dword ptr [ebp-4], ecx
00526428 |. 53 push ebx
00526429 |. 56 push esi
0052642A |. 57 push edi
0052642B |. 894D F8 mov dword ptr [ebp-8], ecx
0052642E |. 8955 FC mov dword ptr [ebp-4], edx
00526431 |. 8BD8 mov ebx, eax
00526433 |. 8B45 FC mov eax, dword ptr [ebp-4]
00526436 |. E8 21EFEDFF call 0040535C ; algorithm similar to the first; abbreviated below
0052643B |. 33C0 xor eax, eax
0052643D |. 55 push ebp
0052643E |. 68 45665200 push 00526645
00526443 |. 64:FF30 push dword ptr fs:[eax]
00526446 |. 64:8920 mov dword ptr fs:[eax], esp
00526449 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0052644C |. 8BD3 mov edx, ebx
0052644E |. E8 F1EAEDFF call 00404F44
00526453 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00526456 |. E8 11EDEDFF call 0040516C
0052645B |. 25 01000080 and eax, 80000001
00526460 |. 79 05 jns short 00526467
00526462 |. 48 dec eax
00526463 |. 83C8 FE or eax, FFFFFFFE
00526466 |. 40 inc eax
00526467 |> 48 dec eax
00526468 |. 0F84 9F010000 je 0052660D
0052646E |. 8D55 F0 lea edx, dword ptr [ebp-10]
00526471 |. 8B45 FC mov eax, dword ptr [ebp-4]
00526474 |. E8 87FBFFFF call 00526000
00526479 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0052647C |. 8B55 F4 mov edx, dword ptr [ebp-C]
0052647F |. E8 C0EAEDFF call 00404F44
00526484 |. 8D45 EC lea eax, dword ptr [ebp-14]
00526487 |. 8B55 F4 mov edx, dword ptr [ebp-C]
0052648A |. E8 B5EAEDFF call 00404F44
0052648F |. 8B45 F0 mov eax, dword ptr [ebp-10]
00526492 |. E8 D5ECEDFF call 0040516C
00526497 |. 8BF0 mov esi, eax
00526499 |. D1FE sar esi, 1
0052649B |. 79 03 jns short 005264A0
0052649D |. 83D6 00 adc esi, 0
005264A0 |> 83FE 01 cmp esi, 1
005264A3 |. 0F8C 59010000 jl 00526602
005264A9 |> 8B45 F0 /mov eax, dword ptr [ebp-10]
005264AC |. E8 BBECEDFF |call 0040516C
005264B1 |. D1F8 |sar eax, 1
005264B3 |. 79 03 |jns short 005264B8
005264B5 |. 83D0 00 |adc eax, 0
005264B8 |> 3BF0 |cmp esi, eax
005264BA |. 74 0B |je short 005264C7
005264BC |. 8D45 EC |lea eax, dword ptr [ebp-14]
005264BF |. 8B55 E8 |mov edx, dword ptr [ebp-18]
005264C2 |. E8 7DEAEDFF |call 00404F44
005264C7 |> 8D45 E8 |lea eax, dword ptr [ebp-18]
005264CA |. E8 DDE9EDFF |call 00404EAC
005264CF |. 8B45 EC |mov eax, dword ptr [ebp-14]
005264D2 |. E8 95ECEDFF |call 0040516C
005264D7 |. 8BF8 |mov edi, eax
005264D9 |. D1FF |sar edi, 1
005264DB |. 79 03 |jns short 005264E0
005264DD |. 83D7 00 |adc edi, 0
005264E0 |> 85FF |test edi, edi
005264E2 |. 0F8E 11010000 |jle 005265F9
005264E8 |. BB 01000000 |mov ebx, 1
005264ED |> BA 54665200 |/mov edx, 00526654
005264F2 |. 8D45 DC ||lea eax, dword ptr [ebp-24]
005264F5 |. E8 DACFEDFF ||call 004034D4
005264FA |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
005264FD |. 8BD3 ||mov edx, ebx
005264FF |. 03D2 ||add edx, edx
00526501 |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
00526504 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2] ; take the first digit of the fake code; note this time it is not the ASCII code
00526508 |. 8850 01 ||mov byte ptr [eax+1], dl
0052650B |. C600 01 ||mov byte ptr [eax], 1
0052650E |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
00526511 |. 8D45 DC ||lea eax, dword ptr [ebp-24]
00526514 |. B1 02 ||mov cl, 2
00526516 |. E8 89CFEDFF ||call 004034A4 ; same steps as the first algorithm; abbreviated below
0052651B |. 8D55 DC ||lea edx, dword ptr [ebp-24]
0052651E |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
00526521 |. E8 AECFEDFF ||call 004034D4
00526526 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
00526529 |. 8BD3 ||mov edx, ebx
0052652B |. 03D2 ||add edx, edx
0052652D |. 8B4D EC ||mov ecx, dword ptr [ebp-14]
00526530 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1] ; take the second digit of the fake code
00526534 |. 8850 01 ||mov byte ptr [eax+1], dl
00526537 |. C600 01 ||mov byte ptr [eax], 1
0052653A |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
0052653D |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
00526540 |. B1 03 ||mov cl, 3
00526542 |. E8 5DCFEDFF ||call 004034A4
00526547 |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
0052654A |. 8D45 E0 ||lea eax, dword ptr [ebp-20]
0052654D |. E8 BEEBEDFF ||call 00405110
00526552 |. 8B45 E0 ||mov eax, dword ptr [ebp-20]
00526555 |. E8 0A3EEEFF ||call 0040A364
0052655A |. 8845 E7 ||mov byte ptr [ebp-19], al
0052655D |. BA 54665200 ||mov edx, 00526654
00526562 |. 8D45 DC ||lea eax, dword ptr [ebp-24]
00526565 |. E8 6ACFEDFF ||call 004034D4
0052656A |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
0052656D |. 8BD6 ||mov edx, esi
0052656F |. 03D2 ||add edx, edx
00526571 |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
00526574 |. 8A5411 FE ||mov dl, byte ptr [ecx+edx-2] ; differs from the first algorithm: take the second-to-last digit of B
00526578 |. 8850 01 ||mov byte ptr [eax+1], dl
0052657B |. C600 01 ||mov byte ptr [eax], 1
0052657E |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
00526581 |. 8D45 DC ||lea eax, dword ptr [ebp-24]
00526584 |. B1 02 ||mov cl, 2
00526586 |. E8 19CFEDFF ||call 004034A4
0052658B |. 8D55 DC ||lea edx, dword ptr [ebp-24]
0052658E |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
00526591 |. E8 3ECFEDFF ||call 004034D4
00526596 |. 8D45 D8 ||lea eax, dword ptr [ebp-28]
00526599 |. 8BD6 ||mov edx, esi
0052659B |. 03D2 ||add edx, edx
0052659D |. 8B4D F0 ||mov ecx, dword ptr [ebp-10]
005265A0 |. 8A5411 FF ||mov dl, byte ptr [ecx+edx-1] ; differs from the first algorithm: take the last digit of B
005265A4 |. 8850 01 ||mov byte ptr [eax+1], dl
005265A7 |. C600 01 ||mov byte ptr [eax], 1
005265AA |. 8D55 D8 ||lea edx, dword ptr [ebp-28]
005265AD |. 8D45 D4 ||lea eax, dword ptr [ebp-2C]
005265B0 |. B1 03 ||mov cl, 3
005265B2 |. E8 EDCEEDFF ||call 004034A4
005265B7 |. 8D55 D4 ||lea edx, dword ptr [ebp-2C]
005265BA |. 8D45 D0 ||lea eax, dword ptr [ebp-30]
005265BD |. E8 4EEBEDFF ||call 00405110
005265C2 |. 8B45 D0 ||mov eax, dword ptr [ebp-30]
005265C5 |. E8 9A3DEEFF ||call 0040A364
005265CA |. 3245 E7 ||xor al, byte ptr [ebp-19] ; XOR the two as hexadecimal byte pairs
005265CD |. 8845 E6 ||mov byte ptr [ebp-1A], al
005265D0 |. 8D45 C8 ||lea eax, dword ptr [ebp-38]
005265D3 |. 8A55 E6 ||mov dl, byte ptr [ebp-1A]
005265D6 |. E8 B9EAEDFF ||call 00405094
005265DB |. 8B45 C8 ||mov eax, dword ptr [ebp-38]
005265DE |. 8D55 CC ||lea edx, dword ptr [ebp-34]
005265E1 |. E8 1AFAFFFF ||call 00526000
005265E6 |. 8B55 CC ||mov edx, dword ptr [ebp-34]
005265E9 |. 8D45 E8 ||lea eax, dword ptr [ebp-18]
005265EC |. E8 83EBEDFF ||call 00405174
005265F1 |. 43 ||inc ebx
005265F2 |. 4F ||dec edi
005265F3 |.^ 0F85 F4FEFFFF |\jnz 005264ED ; inner loop
005265F9 |> 4E |dec esi
005265FA |. 85F6 |test esi, esi
005265FC |.^ 0F85 A7FEFFFF \jnz 005264A9 ; outer loop
00526602 |> 8B55 F8 mov edx, dword ptr [ebp-8]
00526605 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; the fake code's XOR result into register EAX
00526608 |. E8 8FFAFFFF call 0052609C
0052660D |> 33C0 xor eax, eax
0052660F |. 5A pop edx
00526610 |. 59 pop ecx
00526611 |. 59 pop ecx
00526612 |. 64:8910 mov dword ptr fs:[eax], edx
00526615 |. 68 4C665200 push 0052664C
0052661A |> 8D45 C8 lea eax, dword ptr [ebp-38]
0052661D |. BA 03000000 mov edx, 3
00526622 |. E8 A9E8EDFF call 00404ED0 ; the fake code's XOR result, taken as ASCII codes, converted to a string
00526627 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0052662A |. E8 7DE8EDFF call 00404EAC
0052662F |. 8D45 E8 lea eax, dword ptr [ebp-18]
00526632 |. BA 04000000 mov edx, 4
00526637 |. E8 94E8EDFF call 00404ED0
0052663C |. 8D45 FC lea eax, dword ptr [ebp-4]
0052663F |. E8 68E8EDFF call 00404EAC
00526644 \. C3 retn
--------------------------------------------------------------------------------
【Lessons learned】
This program uses a shutdown as anti-debugging together with “emulated code” CALLs (I looked this up online; it may be emulated code): F7 into them lands in virtual addresses, and F8 at the CALL jumps straight out, which makes debugging a bit troublesome. Taken step by step it isn't too hard, though, and the algorithm is not complicated. After manual unpacking everything else ran normally, except that clicking Register produced no registration code; I don't know why, and patching in the data didn't help either. I still have plenty to learn.
OK, the algorithm in summary, in two stages:
Stage one: take the machine code and convert it to ASCII codes, then XOR it, as hexadecimal byte pairs, with the ASCII codes of the fixed string "OFDSSDESDS", starting from the first group; XOR that result with the next group of ASCII codes... until all groups have been used. The result is C.
Stage two: take the registration code and XOR it with the ASCII codes of the fixed string "OFDSSDESDS" in the reverse order, i.e. starting from the last group of hexadecimal byte pairs; XOR that result with the next group... until all have been used, then treat the result as ASCII codes and convert it to a string, D.
Finally, as long as C = D the registration succeeds, and afterwards the program has its full functionality.
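As an added example (not code from the original article), here is the two-stage check in Python, together with the property the summary does not spell out: ten XOR rounds with a public constant fold into one XOR with a single byte, so the whole check depends on no secret at all. That is the design flaw a reviewer of a licensing scheme should flag, and the reason the VB keygen further down works. The machine-code and registration-code values used here are constructed.

```python
from functools import reduce
from operator import xor

# Constant embedded in the program (taken from the article).
FIXED = b"OFDSSDESDS"
# What the ten rounds amount to: the XOR-fold of the constant, one byte.
SINGLE_BYTE_KEY = reduce(xor, FIXED, 0)


def xor_rounds(data: bytes, key: bytes) -> bytes:
    """One stage as the article describes it: XOR every byte of data with the
    first key byte, XOR that result with the second key byte, and so on until
    every byte of key has been applied."""
    out = data
    for k in key:
        out = bytes(b ^ k for b in out)
    return out


def stage_c(machine_code: str) -> str:
    """C: ASCII codes of the machine code, through the rounds in key order,
    rendered as an upper-case hex string (the first algorithm CALL)."""
    return xor_rounds(machine_code.encode("ascii"), FIXED).hex().upper()


def stage_d(reg_code: str) -> str:
    """D: the registration code is read as hex byte pairs (a trailing odd
    digit is dropped, as the program's len/2 loop count does), put through
    the rounds in reverse key order, and the resulting bytes taken as text
    (the second algorithm CALL)."""
    pairs = reg_code[: len(reg_code) // 2 * 2]
    raw = bytes.fromhex(pairs)
    return xor_rounds(raw, FIXED[::-1]).decode("latin-1")


def registration_accepted(machine_code: str, reg_code: str) -> bool:
    """The comparison at the key jump: accept only when C == D."""
    try:
        return stage_c(machine_code) == stage_d(reg_code)
    except ValueError:  # non-hex characters in the registration code
        return False


def rounds_collapse(data: bytes) -> bool:
    """The flaw made explicit: XOR is commutative and associative, so applying
    the ten key bytes in either order equals one XOR with their fold. The
    'algorithm' is a single-byte XOR with a constant readable from the binary."""
    folded = bytes(b ^ SINGLE_BYTE_KEY for b in data)
    return xor_rounds(data, FIXED) == folded == xor_rounds(data, FIXED[::-1])


def expected_code(machine_code: str) -> str:
    """The only value D can take for C to match, derived from nothing but the
    machine code and the public constant: the ASCII of C with each byte XORed
    by the folded key, as hex. Hiding the constant in the binary adds nothing."""
    c_ascii = stage_c(machine_code).encode("ascii")
    return bytes(b ^ SINGLE_BYTE_KEY for b in c_ascii).hex().upper()
```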
After a successful registration a “备份.TXT” file is created in the installation folder and data in a certain format is written into CoTel.dll; delete that information and the program can be registered again. OK, now that the algorithm is known, write a keygen in VB:
Private Sub Command1_Click()
Dim a() As String, i As Integer
Dim b() As String, j As Integer
Dim c As String
Dim d As String
Dim m As String
Dim t As String
Dim s As String
Dim u As String
Dim v As String
Dim w As String
Dim x() As String
Dim y() As String
c = Text1.Text
If c = "" Then Exit Sub
For i = 0 To Len(c) - 1
d = Hex(Asc(Mid(c, Len(c) - i, 1))) & " " & d
Next i
d = Trim(d)
a = Split(d, " ")
For i = 0 To UBound(a)
If Len(a(i)) <> 2 Then MsgBox "输入的数据不对!": Exit Sub
Next i
m = "OFDSSDESDS"
If m = "" Then Exit Sub
For i = 0 To Len(m) - 1
t = Hex(Asc(Mid(m, Len(m) - i, 1))) & " " & t
Next i
t = Trim(t)
b = Split(t, " ")
For i = 0 To UBound(b)
If Len(b(i)) <> 2 Then MsgBox "输入的数据不对!": Exit Sub
Next i
For j = 0 To UBound(b)
For i = 0 To UBound(a)
a(i) = Val("&h" & a(i)) Xor Val("&h" & b(j))
a(i) = Hex(a(i))
Next i
Next j
For i = 0 To UBound(a)
s = s & a(i)
Next i
For i = 0 To Len(s) - 1
u = Hex(Asc(Mid(s, Len(s) - i, 1))) & " " & u
Next i
u = Trim(u)
x = Split(u, " ")
For i = 0 To UBound(x)
If Len(x(i)) <> 2 Then MsgBox "输入的数据不对!": Exit Sub
Next i
m = "OFDSSDESDS"
If m = "" Then Exit Sub
For i = 0 To Len(m) - 1
w = Hex(Asc(Mid(m, Len(m) - i, 1))) & " " & w
Next i
w = Trim(w)
y = Split(w, " ")
For i = 0 To UBound(y)
If Len(y(i)) <> 2 Then MsgBox "输入的数据不对!": Exit Sub
Next i
For j = 0 To UBound(y)
For i = 0 To UBound(x)
x(i) = Val("&h" & x(i)) Xor Val("&h" & y(j))
x(i) = Hex(x(i))
Next i
Next j
For i = 0 To UBound(x)
v = v & x(i)
Next i
Text2.Text = v
End Sub
OK, finally done; this keygen has been tested on several machines.
Cracking notes: I'm a newbie doing this purely out of interest, with no other purpose; support genuine software! If there are mistakes in the analysis above, please don't laugh at me; I'm humbly asking for advice. In particular I want to thank the moderator at 看雪, who gave me a lot of encouragement!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 看雪 technical forum; when reposting, please credit the author and keep the article intact. Thank you!
10 January 2012, 18:27:13