【软件名称】: Total Commander
【软件版本】: 7.56a
【加壳方式】: 新版不加壳
【编写语言】: Borland Delphi 2.0 [Overlay]
【使用工具】: OD PEID IDA
【操作平台】: Windows XP
【软件介绍】: 一款挺不错的双栏文件管理软件
【作者声明】: 只是研究用,使用请购买正版
我们知道 Total Commander 是带有自校验的。通过跟踪 CreateFile 和 ReadFile 这两个函数,可以确定校验过程是在函数 sub_47823C 中进行的。
0047823C push ebp ; 自校验函数
0047823D mov ebp, esp
0047823F add esp, -824
00478245 mov dword ptr [ebp-4], -1 ; 初始化校验和为 CHECKSUM=-1
0047824C lea eax, dword ptr [ebp-814]
00478252 mov dword ptr [ebp-18], eax
00478255 lea eax, dword ptr [ebp-824]
0047825B mov edx, 3FF
00478260 call 006BE3AC ; GetModuleFileName()
00478265 lea edx, dword ptr [ebp-1C]
00478268 mov eax, dword ptr [6C7D58]
0047826D mov ecx, 4
00478272 call 004027B4
00478277 mov eax, 8001
0047827C call 00402684 ; AllocateMem()
00478281 mov dword ptr [ebp-C], eax
00478284 lea eax, dword ptr [ebp-824]
0047828A mov ecx, 1
0047828F xor edx, edx
00478291 call 0041D70C ; CreateFile()
00478296 mov dword ptr [ebp-10], eax
00478299 call 004035AC
0047829E cmp dword ptr [eax+C], 0
004782A5 je short 004782BF
004782F7 xor eax, eax
004782F9 mov dword ptr [ebp-24], eax
004782FC mov eax, dword ptr [ebp-10]
004782FF call 00419874 ; 计算文件大小
00478304 sub eax, 18
00478307 sub eax, 0C ; 文件大小减去36字节
0047830A mov dword ptr [ebp-20], eax
0047830D cmp dword ptr [ebp-20], 8000
00478314 jle short 0047831E
00478316 mov word ptr [ebp-12], 8000
0047831C jmp short 00478326
0047831E mov ax, word ptr [ebp-20]
00478322 mov word ptr [ebp-12], ax
00478326 lea eax, dword ptr [ebp-14]
00478329 push eax
0047832A mov edx, dword ptr [ebp-C]
0047832D mov cx, word ptr [ebp-12]
00478331 mov eax, dword ptr [ebp-10]
00478334 call 0041DE4C ; ReadFile():从文件中读取最多0x8000大小的数据块
00478339 cmp dword ptr [ebp-24], 0
0047833D jnz short 0047834A
0047833F lea edx, dword ptr [ebp-20]
00478342 mov eax, dword ptr [ebp-C]
00478345 call 00478054 ; 首次计算校验和前先清除Checksum和数字签名,并计算要校验的数据大小
0047834A lea ecx, dword ptr [ebp-4]
0047834D movzx edx, word ptr [ebp-14]
00478351 mov eax, dword ptr [ebp-C]
00478354 call 0067FF10 ; 分块分片计算校验和
00478359 movzx eax, word ptr [ebp-14]
0047835D sub dword ptr [ebp-20], eax
00478360 movzx eax, word ptr [ebp-14]
00478364 add dword ptr [ebp-24], eax
00478367 movzx eax, word ptr [ebp-14]
0047836B cmp eax, 8000
00478370 jnz short 00478378
00478372 cmp dword ptr [ebp-20], 0
00478376 jnz short 0047830D
00478378 mov edx, 8001
0047837D mov eax, dword ptr [ebp-C]
00478380 call 0040269C ; FreeMem()
00478385 lea eax, dword ptr [ebp-14]
00478388 push eax
00478389 lea edx, dword ptr [ebp-824]
0047838F mov cx, 24
00478393 mov eax, dword ptr [ebp-10]
00478396 call 0041DE4C ; 读取最后36个字节,校验和存储在第16~20字节里面
0047839B mov eax, dword ptr [ebp-10]
0047839E call 0041DDE4 ; CloseHandle()
004783A3 mov eax, dword ptr [ebp-18]
004783A6 mov eax, dword ptr [eax]
004783A8 xor eax, 2A67BE65 ; 对存储的校验和进行异或
004783AD mov dword ptr [ebp-8], eax
004783B0 push ebp
004783B1 call 004781E4 ; 比较异或后的两个校验和,并利用两个校验和计算其它数据