Reply #2
I analyzed this version of SockMon5 before so that I could use it! But since it was only for temporary use, I only analyzed a little, just enough to get it working! Work has been extremely busy lately and I have no time at all, so I'll just give you my old, unorganized analysis notes as a reference!
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\0C5D07FF]
"1E695187"=hex:1c,00,00,00
"8B3844DE"=hex:3f,2b,0b,00
Registration name: POWERBOY
Registration code: E3A5223D-A5E2CEB5-7BDD9AD5
Then import the data above into the registry.
004BB47C > $ 55 PUSH EBP
004BB47D . 8BEC MOV EBP,ESP
004BB47F . 83C4 F0 ADD ESP,-10
004BB482 . 53 PUSH EBX
004BB483 . B8 ECB14B00 MOV EAX,dumped2_.004BB1EC
004BB488 . E8 F3B3F4FF CALL dumped2_.00406880
004BB48D . 8B1D E8D74B00 MOV EBX,DWORD PTR DS:[4BD7E8] ; dumped2_.004BEC34
004BB493 . E8 D42BFEFF CALL dumped2_.0049E06C
004BB498 . 84C0 TEST AL,AL
004BB49A . 74 07 JE SHORT dumped2_.004BB4A3 ; checks for DEDE
004BB49C . 6A 00 PUSH 0 ; /ExitCode = 0
004BB49E . E8 1DB6F4FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
The string handling! Without understanding this, you have no idea what the program's success and error strings are!
0049E170 /$ 55 PUSH EBP
0049E171 |. 8BEC MOV EBP,ESP
0049E173 |. 81C4 F4F7FFFF ADD ESP,-80C
0049E179 |. 53 PUSH EBX
0049E17A |. 56 PUSH ESI
0049E17B |. 57 PUSH EDI
0049E17C |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0049E17F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049E182 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049E185 |. E8 8667F6FF CALL dumped2_.00404910
0049E18A |. 33C0 XOR EAX,EAX
0049E18C |. 55 PUSH EBP
0049E18D |. 68 13E24900 PUSH dumped2_.0049E213
0049E192 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049E195 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049E198 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049E19B |. E8 8067F6FF CALL dumped2_.00404920
0049E1A0 |. 8BD8 MOV EBX,EAX
0049E1A2 |. 8BD3 MOV EDX,EBX
0049E1A4 |. 8D85 F6F7FFFF LEA EAX,DWORD PTR SS:[EBP-80A]
0049E1AA |. E8 D9AFF6FF CALL dumped2_.00409188
0049E1AF |. 8BC3 MOV EAX,EBX
0049E1B1 |. E8 96AFF6FF CALL dumped2_.0040914C
0049E1B6 |. 8BF8 MOV EDI,EAX
0049E1B8 |. D1EF SHR EDI,1
0049E1BA |. 8BF7 MOV ESI,EDI
0049E1BC |. 4E DEC ESI
0049E1BD |. 85F6 TEST ESI,ESI
0049E1BF |. 7C 26 JL SHORT dumped2_.0049E1E7
0049E1C1 |. 46 INC ESI
0049E1C2 |. 8D85 F6F7FFFF LEA EAX,DWORD PTR SS:[EBP-80A]
0049E1C8 |. 8D95 F7FBFFFF LEA EDX,DWORD PTR SS:[EBP-409]
0049E1CE |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
0049E1D0 |. 80E9 41 |SUB CL,41
0049E1D3 |. 8A58 01 |MOV BL,BYTE PTR DS:[EAX+1]
0049E1D6 |. 80EB 41 |SUB BL,41
0049E1D9 |. C1E3 04 |SHL EBX,4
0049E1DC |. 02CB |ADD CL,BL
0049E1DE |. 880A |MOV BYTE PTR DS:[EDX],CL
0049E1E0 |. 42 |INC EDX
0049E1E1 |. 83C0 02 |ADD EAX,2
0049E1E4 |. 4E |DEC ESI
0049E1E5 |.^ 75 E7 \JNZ SHORT dumped2_.0049E1CE
0049E1E7 |> C6843D F7FBFF>MOV BYTE PTR SS:[EBP+EDI-409],0
0049E1EF |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049E1F2 |. 8D95 F7FBFFFF LEA EDX,DWORD PTR SS:[EBP-409]
0049E1F8 |. E8 6364F6FF CALL dumped2_.00404660
0049E1FD |. 33C0 XOR EAX,EAX
0049E1FF |. 5A POP EDX
0049E200 |. 59 POP ECX
0049E201 |. 59 POP ECX
0049E202 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049E205 |. 68 1AE24900 PUSH dumped2_.0049E21A
0049E20A |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0049E20D |. E8 5E62F6FF CALL dumped2_.00404470
0049E212 \. C3 RETN
:004B7166 6A00 push 00000000
:004B7168 8D95F0FDFFFF lea edx, dword ptr [ebp+FFFFFDF0]
* Possible StringData Ref from Data Obj ->"ILANANLLHNCKCLBODNDMLLHKKDACFCDH"
// After running the string above through the string-decryption function, it becomes:
0012F7B7 B8 D0 D0 BB D7 A2 B2 E1 D3 C3 BB A7 3A 20 25 73 感谢注册用户: %s
|
:004B716E B808744B00 mov eax, 004B7408
:004B7173 E8F86FFEFF call 0049E170
:004B7178 8B85F0FDFFFF mov eax, dword ptr [ebp+FFFFFDF0]
:004B717E E89DD7F4FF call 00404920
:004B7183 8BD0 mov edx, eax
:004B7185 8D85FBFEFFFF lea eax, dword ptr [ebp+FFFFFEFB]
:004B718B 8985E8FDFFFF mov dword ptr [ebp+FFFFFDE8], eax
:004B7191 C685ECFDFFFF06 mov byte ptr [ebp+FFFFFDEC], 06
:004B7198 8D8DE8FDFFFF lea ecx, dword ptr [ebp+FFFFFDE8]
:004B719E 8D85FAFDFFFF lea eax, dword ptr [ebp+FFFFFDFA]
:004B71A4 E89726F5FF call 00409840
:004B71A9 6A00 push 00000000
:004B71AB E8A8F9F4FF call 00406B58
:004B71B0 3BF0 cmp esi, eax
:004B71B2 745A je 004B720E
:004B71B4 6A01 push 00000001
:004B71B6 8D95E4FDFFFF lea edx, dword ptr [ebp+FFFFFDE4]
* Possible StringData Ref from Data Obj ->"EMDOLLJLDNANFCEGMMMODNLOFCEGELOMKMENDNDMFLEMGM"
->"KNPMON"
|
:004B71BC B834744B00 mov eax, 004B7434
:004B71C1 E8AA6FFEFF call 0049E170
:004B71C6 8B85E4FDFFFF mov eax, dword ptr [ebp+FFFFFDE4]
:004B71CC E84FD7F4FF call 00404920
:004B71D1 8BD0 mov edx, eax
:004B71D3 8BC6 mov eax, esi
:004B71D5 C1E810 shr eax, 10
:004B71D8 25FF000000 and eax, 000000FF
:004B71DD 8985D4FDFFFF mov dword ptr [ebp+FFFFFDD4], eax
:004B71E3 C685D8FDFFFF00 mov byte ptr [ebp+FFFFFDD8], 00
:004B71EA 81E6FF000000 and esi, 000000FF
:004B71F0 89B5DCFDFFFF mov dword ptr [ebp+FFFFFDDC], esi
:004B71F6 C685E0FDFFFF00 mov byte ptr [ebp+FFFFFDE0], 00
:004B71FD 8D8DD4FDFFFF lea ecx, dword ptr [ebp+FFFFFDD4]
:004B7203 8D85FAFDFFFF lea eax, dword ptr [ebp+FFFFFDFA]
:004B7209 E83226F5FF call 00409840
The parameters pushed onto the stack are the username and registration code we entered:
004B6FCF . E8 006AFEFF CALL <JMP.&smcomm.SMVer_Check> ; the return value of the check function is very useful
004B6FD4 . 8BF0 MOV ESI,EAX
004B6FD6 . 8BD6 MOV EDX,ESI
004B6FD8 . 8BC3 MOV EAX,EBX
0049D9D4 $- FF25 B4275000 JMP DWORD PTR DS:[<&smcomm.SMVer_Ch>; smcomm.SMVer_Check
004B7003 . E8 4C69FEFF CALL <JMP.&smcomm.SMCache_Open>
004B7008 . A3 94ED4B00 MOV DWORD PTR DS:[4BED94],EAX
004B700D . 833D 94ED4B00>CMP DWORD PTR DS:[4BED94],0
004B7014 . 75 22 JNZ SHORT pj.004B7038 ; checks whether the function has been modified
10001FC0 > 8B442408 MOV EAX,DWORD PTR SS:[ESP+8]
10001FC4 8B542404 MOV EDX,DWORD PTR SS:[ESP+4]
10001FC8 8B0D D0A10010 MOV ECX,DWORD PTR DS:[1000A1D0]
10001FCE 50 PUSH EAX
10001FCF 52 PUSH EDX
10001FD0 E8 CB060000 CALL smcomm.100026A0
10001FD5 C2 0800 RETN 8
10001FC0 > 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
10001FC4 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
10001FC8 8B0D D0A10010 MOV ECX,DWORD PTR DS:[1000A1D0]
10001FCE B8 11110000 MOV EAX,1111
10001FD3 90 NOP
10001FD4 90 NOP
10001FD5 C2 0800 RETN 8
100026D3 8BCB MOV ECX,EBX
100026D5 E8 46000000 CALL smcomm.10002720
100026DA 85C0 TEST EAX,EAX
100026DC 74 1D JE SHORT smcomm.100026FB
Algorithm
10002735 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
10002739 8BFD MOV EDI,EBP
1000273B 83C9 FF OR ECX,FFFFFFFF
1000273E 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
10002742 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10002744 F7D1 NOT ECX
10002746 49 DEC ECX
10002747 B2 47 MOV DL,47
10002749 8AC1 MOV AL,CL
1000274B 33DB XOR EBX,EBX
1000274D F6EA IMUL DL
1000274F 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
10002753 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
10002757 884424 50 MOV BYTE PTR SS:[ESP+50],AL ; AL=$47*LENGTH(NAME)
1000275B 8BC3 MOV EAX,EBX
1000275D 8D741C 1C LEA ESI,DWORD PTR SS:[ESP+EBX+1C]
10002761 99 CDQ
10002762 F7F9 IDIV ECX
10002764 8A4424 50 MOV AL,BYTE PTR SS:[ESP+50]
10002768 8A0C2A MOV CL,BYTE PTR DS:[EDX+EBP] ; fetch a character of the name
1000276B B2 11 MOV DL,11
1000276D 32C8 XOR CL,AL ; ORD(NAME[0]) XOR STRTOINT(LENGTH(NAME))
1000276F 8AC3 MOV AL,BL
10002771 F6EA IMUL DL
10002773 02C8 ADD CL,AL
10002775 33D2 XOR EDX,EDX
10002777 880E MOV BYTE PTR DS:[ESI],CL
10002779 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
1000277D 85C9 TEST ECX,ECX
1000277F 7E 2E JLE SHORT smcomm.100027AF
10002781 8AC3 MOV AL,BL
10002783 B1 47 MOV CL,47
10002785 F6E9 IMUL CL
10002787 884424 13 MOV BYTE PTR SS:[ESP+13],AL
1000278B 8A0C2A MOV CL,BYTE PTR DS:[EDX+EBP]
1000278E 8A1E MOV BL,BYTE PTR DS:[ESI]
10002790 32CB XOR CL,BL
10002792 8AC2 MOV AL,DL
10002794 B3 11 MOV BL,11
10002796 F6EB IMUL BL
10002798 8A5C24 13 MOV BL,BYTE PTR SS:[ESP+13]
1000279C 02C8 ADD CL,AL
1000279E 02CB ADD CL,BL
100027A0 42 INC EDX
100027A1 880E MOV BYTE PTR DS:[ESI],CL
100027A3 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
100027A7 3BD1 CMP EDX,ECX
100027A9 ^ 7C E0 JL SHORT smcomm.1000278B
100027AB 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
100027AF 43 INC EBX
100027B0 83FB 10 CMP EBX,10
100027B3 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
100027B7 ^ 7C A2 JL SHORT smcomm.1000275B
0012FB6C E3 A5 22 3D A5 E2 CE B5 7B DD 9A D5 9D DA 66 6D 悭"=モ蔚{??阪m
100027EE 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-"
100027B9 8B5424 1F MOV EDX,DWORD PTR SS:[ESP+1F]
100027BD 8B4424 1E MOV EAX,DWORD PTR SS:[ESP+1E]
100027C1 8B4C24 1D MOV ECX,DWORD PTR SS:[ESP+1D]
100027C5 81E2 FF000000 AND EDX,0FF
100027CB 8B3D 14710010 MOV EDI,DWORD PTR DS:[10007114] ; user32.wsprintfA
100027D1 52 PUSH EDX
100027D2 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
100027D6 25 FF000000 AND EAX,0FF
100027DB 81E1 FF000000 AND ECX,0FF
100027E1 50 PUSH EAX
100027E2 81E2 FF000000 AND EDX,0FF
100027E8 51 PUSH ECX
100027E9 52 PUSH EDX
100027EA 8D4424 3C LEA EAX,DWORD PTR SS:[ESP+3C]
100027EE 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-"
100027F3 50 PUSH EAX
100027F4 FFD7 CALL EDI
100027F6 8B4C24 3B MOV ECX,DWORD PTR SS:[ESP+3B]
100027FA 8B5424 3A MOV EDX,DWORD PTR SS:[ESP+3A]
100027FE 81E1 FF000000 AND ECX,0FF
10002804 8BF0 MOV ESI,EAX
10002806 8B4424 39 MOV EAX,DWORD PTR SS:[ESP+39]
1000280A 51 PUSH ECX
1000280B 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C]
1000280F 81E2 FF000000 AND EDX,0FF
10002815 25 FF000000 AND EAX,0FF
1000281A 52 PUSH EDX
1000281B 81E1 FF000000 AND ECX,0FF
10002821 50 PUSH EAX
10002822 51 PUSH ECX
10002823 8D5434 54 LEA EDX,DWORD PTR SS:[ESP+ESI+54]
10002827 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-"
1000282C 52 PUSH EDX
1000282D FFD7 CALL EDI ; user32.wsprintfA
1000282F 8B4C24 56 MOV ECX,DWORD PTR SS:[ESP+56]
10002833 8B5424 55 MOV EDX,DWORD PTR SS:[ESP+55]
10002837 03F0 ADD ESI,EAX
10002839 8B4424 57 MOV EAX,DWORD PTR SS:[ESP+57]
1000283D 25 FF000000 AND EAX,0FF
10002842 81E1 FF000000 AND ECX,0FF
10002848 50 PUSH EAX
10002849 8B4424 58 MOV EAX,DWORD PTR SS:[ESP+58]
1000284D 81E2 FF000000 AND EDX,0FF
10002853 51 PUSH ECX
10002854 25 FF000000 AND EAX,0FF
10002859 52 PUSH EDX
1000285A 50 PUSH EAX
1000285B 8D4C34 6C LEA ECX,DWORD PTR SS:[ESP+ESI+6C]
1000285F 68 089D0010 PUSH smcomm.10009D08 ; ASCII "%2.2X%2.2X%2.2X%2.2X-"
10002864 51 PUSH ECX
10002865 FFD7 CALL EDI
10002867 8BBC24 9C000000 MOV EDI,DWORD PTR SS:[ESP+9C]
1000286E 03F0 ADD ESI,EAX
10002870 83C4 48 ADD ESP,48
10002873 33D2 XOR EDX,EDX
10002875 8D4E FF LEA ECX,DWORD PTR DS:[ESI-1]
10002878 8D7424 2C LEA ESI,DWORD PTR SS:[ESP+2C]
1000287C F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
1000287E 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
10002882 8BC2 MOV EAX,EDX
10002884 0F95C0 SETNE AL
10002887 5F POP EDI
10002888 48 DEC EAX
10002889 5E POP ESI
1000288A 5D POP EBP
1000288B 23C1 AND EAX,ECX
1000288D 5B POP EBX
1000288E 83C4 3C ADD ESP,3C
10002891 C2 0800 RETN 8
0012FB7B 6D 45 33 41 35 32 32 33 44 2D 41 35 45 32 43 45 mE3A5223D-A5E2CE
0012FB8B 42 35 2D 37 42 44 44 39 41 44 35 2D 00 0B 00 00 B5-7BDD9AD5-...
0012FB7C 45 33 41 35 32 32 33 44 2D 41 35 45 32 43 45 42 E3A5223D-A5E2CEB
0012FB8C 35 2D 37 42 44 44 39 41 44 35 2D 00 0B 00 00 00 5-7BDD9AD5-....
E3A5223D-A5E2CEB5-7BDD9AD5-
0012F978 38 42 33 38 34 34 44 45 00 8B3844DE.
0012F958 31 45 36 39 35 31 38 37 00 00 00 00 02 00 00 00 1E695187.......
B2B2A-9= // April
B2B48-9=B2B3F // May
B2B66
SMC cracking process!
004B6FD4 8BF0 MOV ESI,EAX ; the value of EAX here decides whether it can be used
004B6FD6 8BD6 MOV EDX,ESI
004B6FD8 . 8BC3 MOV EAX,EBX
004B6FDA . E8 5DFEFFFF CALL pj11.004B6E3C
004B6FD4 /E9 E0470000 JMP pj11.004BB7B9 ; jump over
004B6FD9 |90 NOP ; jump back here and continue execution
004BB7B9 . 0000 ADD BYTE PTR DS:[EAX],AL ; we found some empty addresses here
004BB7BB . 0000 ADD BYTE PTR DS:[EAX],AL
004BB7BD . 0000 ADD BYTE PTR DS:[EAX],AL
004BB7BF . 0000 ADD BYTE PTR DS:[EAX],AL
004BB7B9 B8 11110000 MOV EAX,1111 ; what we wanted to execute has been executed
004BB7BE 8BF0 MOV ESI,EAX
004BB7C0 8BD6 MOV EDX,ESI
004BB7C2 8BC3 MOV EAX,EBX
004BB7C4 ^ E9 10B8FFFF JMP pj11.004B6FD9 ; jump back
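Added example, not part of the original post or of the analyzed program's code: the string-decoding routine at 0049E170 reimplemented in Python, so the obfuscated string references in the listing can be recovered offline when studying how a program hides its UI text. The function names and the GBK assumption are mine; the two input strings are the ones the listing shows at 004B716E and 004B71BC, and the expected bytes for the first are the ones the post gives in the 0012F7B7 dump.

```python
# Added example (not from the original post): Python re-implementation of the
# string-decoding routine at 0049E170 in the listing.
#
# The loop at 0049E1CE walks the obfuscated text two characters at a time:
#   CL = text[i]   - 0x41   ('A' -> 0)  low nibble
#   BL = text[i+1] - 0x41   ('A' -> 0)  high nibble, shifted left by 4
#   out[i/2] = CL + (BL << 4)           (8-bit add, so the result wraps)
# It runs LENGTH >> 1 times, so a trailing unpaired character is ignored, and
# the output is NUL-terminated (MOV BYTE PTR [EBP+EDI-409],0).


def decode_obfuscated(text: str) -> bytes:
    """Decode one 'A'..'P' nibble-pair string into raw bytes, mirroring the asm."""
    out = bytearray()
    for i in range(0, (len(text) >> 1) * 2, 2):   # LENGTH >> 1 iterations
        lo = (ord(text[i]) - 0x41) & 0xFF         # SUB CL,41
        hi = (ord(text[i + 1]) - 0x41) << 4       # SUB BL,41 ; SHL EBX,4
        out.append((lo + hi) & 0xFF)              # ADD CL,BL (8-bit wrap)
    return bytes(out)


def encode_obfuscated(data: bytes) -> str:
    """Inverse transform: each byte becomes two letters, low nibble first."""
    return "".join(chr(0x41 + (b & 0x0F)) + chr(0x41 + (b >> 4)) for b in data)


def decode_gbk(text: str) -> str:
    """Decode and render as GBK (assumption: the code page the program's strings use)."""
    return decode_obfuscated(text).decode("gbk")


# The two obfuscated strings referenced at 004B716E and 004B71BC in the listing.
SUCCESS_MSG = "ILANANLLHNCKCLBODNDMLLHKKDACFCDH"
TRIAL_MSG = "EMDOLLJLDNANFCEGMMMODNLOFCEGELOMKMENDNDMFLEMGMKNPMON"

if __name__ == "__main__":
    raw = decode_obfuscated(SUCCESS_MSG)
    print(raw.hex(" ").upper())     # B8 D0 D0 BB D7 A2 B2 E1 D3 C3 BB A7 3A 20 25 73
    print(decode_gbk(SUCCESS_MSG))  # 感谢注册用户: %s
    print(decode_gbk(TRIAL_MSG))
    assert encode_obfuscated(raw) == SUCCESS_MSG  # round trip
```

The routine is deliberately mirrored rather than made strict: because the asm loops LENGTH>>1 times, a trailing unpaired character is dropped rather than rejected, and because the add is 8-bit, characters outside 'A'..'P' wrap silently instead of failing, so the decoder behaves exactly like the binary on odd or malformed input. The post does not give the decoded form of the second string; running the code only shows that it is a GBK message containing two %d specifiers, which matches the two byte-sized values (EAX after SHR 10 / AND FF, and ESI after AND FF) that the code following 004B71D1 formats into it.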