菜鸟学破解之----DELPHI编程宝典算法分析历程
目标程序DELPHI编程宝典
(1)用PEID看了一下,无壳,DELPHI编写
(2)试着输入阅读密码,提示"阅读文书密码错误"
(3)W32DASM反汇编,搜索"阅读文书密码错误"双击来到这里
004AAD35 |. E8 4A20FFFF call Delphi编.0049CD84<---------------算法CALL跟进
004AAD3A |> 8D95 E4FDFFFF lea edx,dword ptr ss:[ebp-21C]
004AAD40 |. 8B83 94030000 mov eax,dword ptr ds:[ebx+394]
004AAD46 |. E8 5159F8FF call Delphi编.0043069C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD10(C)
|
:004AAD3A 8D95E4FDFFFF lea edx, dword ptr [ebp+FFFFFDE4]
:004AAD40 8B8394030000 mov eax, dword ptr [ebx+00000394]
:004AAD46 E85159F8FF call 0043069C
:004AAD4B 8B85E4FDFFFF mov eax, dword ptr [ebp+FFFFFDE4]<---------------取试炼码EAX
:004AAD51 8B55FC mov edx, dword ptr [ebp-04]<---------------取计算好的注册码EDX
:004AAD54 E87391F5FF call 00403ECC<---------------跟进这个CALL可以看到明文密码(即上面计算好的注册码),这个CALL负责把两者进行比较
:004AAD59 0F85F0000000 jne 004AAE4F<---------------不相等就提示密码错误
:004AAD5F 33C0 xor eax, eax
:004AAD61 898328380200 mov dword ptr [ebx+00023828], eax
:004AAD67 8B8304060000 mov eax, dword ptr [ebx+00000604]
:004AAD6D 8B10 mov edx, dword ptr [eax]
:004AAD6F FF92B4000000 call dword ptr [edx+000000B4]
:004AAD75 3C01 cmp al, 01
:004AAD77 0F85B8000000 jne 004AAE35<---------------al不等于1就提示成功
:004AAD7D 8D85E0FDFFFF lea eax, dword ptr [ebp+FFFFFDE0]
:004AAD83 50 push eax
:004AAD84 8D95DCFDFFFF lea edx, dword ptr [ebp+FFFFFDDC]
:004AAD8A A128DB4A00 mov eax, dword ptr [004ADB28]
:004AAD8F 8B00 mov eax, dword ptr [eax]
:004AAD91 E8DA42FAFF call 0044F070
:004AAD96 8B85DCFDFFFF mov eax, dword ptr [ebp+FFFFFDDC]
:004AAD9C E81B90F5FF call 00403DBC
:004AADA1 83E803 sub eax, 00000003
:004AADA4 50 push eax
:004AADA5 8D95D8FDFFFF lea edx, dword ptr [ebp+FFFFFDD8]
:004AADAB A128DB4A00 mov eax, dword ptr [004ADB28]
:004AADB0 8B00 mov eax, dword ptr [eax]
:004AADB2 E8B942FAFF call 0044F070
:004AADB7 8B85D8FDFFFF mov eax, dword ptr [ebp+FFFFFDD8]
:004AADBD BA01000000 mov edx, 00000001
:004AADC2 59 pop ecx
:004AADC3 E8FC91F5FF call 00403FC4
:004AADC8 8B95E0FDFFFF mov edx, dword ptr [ebp+FFFFFDE0]
:004AADCE 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"txt"
|
:004AADD1 B9E8AF4A00 mov ecx, 004AAFE8
:004AADD6 E82D90F5FF call 00403E08
:004AADDB 8B55F8 mov edx, dword ptr [ebp-08]
:004AADDE 8D852CFEFFFF lea eax, dword ptr [ebp+FFFFFE2C]
:004AADE4 E8DDB0F5FF call 00405EC6
:004AADE9 8D852CFEFFFF lea eax, dword ptr [ebp+FFFFFE2C]
:004AADEF E872B4F5FF call 00406266
:004AADF4 E8537AF5FF call 0040284C
:004AADF9 8D95D4FDFFFF lea edx, dword ptr [ebp+FFFFFDD4]
:004AADFF 8B8394030000 mov eax, dword ptr [ebx+00000394]
:004AAE05 E89258F8FF call 0043069C
:004AAE0A 8B95D4FDFFFF mov edx, dword ptr [ebp+FFFFFDD4]
:004AAE10 8D852CFEFFFF lea eax, dword ptr [ebp+FFFFFE2C]
:004AAE16 E83993F5FF call 00404154
:004AAE1B E88BB6F5FF call 004064AB
:004AAE20 E8277AF5FF call 0040284C
:004AAE25 8D852CFEFFFF lea eax, dword ptr [ebp+FFFFFE2C]
:004AAE2B E800B2F5FF call 00406030
:004AAE30 E8177AF5FF call 0040284C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD77(C)
|
:004AAE35 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"提示"
|
:004AAE37 B958AF4A00 mov ecx, 004AAF58
* Possible StringData Ref from Code Obj ->"现在可阅读全部目录了!"
|
:004AAE3C BAECAF4A00 mov edx, 004AAFEC
:004AAE41 A128DB4A00 mov eax, dword ptr [004ADB28]
:004AAE46 8B00 mov eax, dword ptr [eax]
:004AAE48 E8B33EFAFF call 0044ED00
:004AAE4D EB18 jmp 004AAE67
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD59(C)
|
:004AAE4F 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"提示"
|
:004AAE51 B958AF4A00 mov ecx, 004AAF58
* Possible StringData Ref from Code Obj ->"阅读文书密码错误!"<------------------双击来到这里
|
:004AAE56 BA04B04A00 mov edx, 004AB004
:004AAE5B A128DB4A00 mov eax, dword ptr [004ADB28]
:004AAE60 8B00 mov eax, dword ptr [eax]
:004AAE62 E8993EFAFF call 0044ED00
--------------------------------------------------------------------------------
跟进算法CALL
0049CD84 /$ 55 push ebp ; 右边寄存器窗口显示ECX=机器码"Y14845390524"
EDX="wsy54321`"
0049CD85 |. 8BEC mov ebp,esp ;注意1后面还有一个符号`(反引号,ASCII码是60H)
0049CD87 |. 83C4 E4 add esp,-1C
0049CD8A |. 53 push ebx
0049CD8B |. 56 push esi
0049CD8C |. 57 push edi
0049CD8D |. 33DB xor ebx,ebx
0049CD8F |. 895D E4 mov dword ptr ss:[ebp-1C],ebx
0049CD92 |. 895D E8 mov dword ptr ss:[ebp-18],ebx
0049CD95 |. 894D F8 mov dword ptr ss:[ebp-8],ecx ; ss:[ebp-8]=机器码
0049CD98 |. 8955 FC mov dword ptr ss:[ebp-4],edx ; ss:[ebp-4]="wsy54321`"
0049CD9B |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0049CD9E |. E8 CD71F6FF call Delphi编.00403F70
0049CDA3 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049CDA6 |. E8 C571F6FF call Delphi编.00403F70
0049CDAB |. 33C0 xor eax,eax
0049CDAD |. 55 push ebp
0049CDAE |. 68 2DCF4900 push Delphi编.0049CF2D
0049CDB3 |. 64:FF30 push dword ptr fs:[eax]
0049CDB6 |. 64:8920 mov dword ptr fs:[eax],esp
0049CDB9 |. C745 EC 4400000>mov dword ptr ss:[ebp-14],44 ;ss:[ebp-14]=44
0049CDC0 |. 33C0 xor eax,eax
0049CDC2 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
0049CDC5 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0049CDC8 |. E8 6F6DF6FF call Delphi编.00403B3C
*************************************************************************************************
0049CDCD |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0049CDD0 |. E8 E76FF6FF call Delphi编.00403DBC
0049CDD5 |. 8BF0 mov esi,eax ; 机器码长度到ESI
0049CDD7 |. 85F6 test esi,esi
0049CDD9 |. 7E 14 jle short Delphi编.0049CDEF
0049CDDB |. BB 01000000 mov ebx,1
0049CDE0 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8]
0049CDE3 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1] ; EAX=59('Y')
0049CDE8 |. 0145 F4 |add dword ptr ss:[ebp-C],eax
0049CDEB |. 43 |inc ebx
0049CDEC |. 4E |dec esi
0049CDED |.^ 75 F1 \jnz short Delphi编.0049CDE0
跟了一遍这个循环,发现是机器码的逐位相加(ASCII码的16进制)保存到SS:[EBP-C]
***************************************************************************************************
――――――――――――――――――――――――――――――――――――――――――――――――――
0049CDEF |> 33C0 xor eax,eax
0049CDF1 |. 8945 F0 mov dword ptr ss:[ebp-10],eax ;SS:[EBP-10]=0
0049CDF4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ;EAX="wsy54321`"
0049CDF7 |. E8 C06FF6FF call Delphi编.00403DBC ;取上面字符串的长度
0049CDFC |. 8BF0 mov esi,eax ;长度=9到ESI
0049CDFE |. 85F6 test esi,esi
0049CE00 |. 7E 14 jle short Delphi编.0049CE16
0049CE02 |. BB 01000000 mov ebx,1
0049CE07 |> 8B45 FC /mov eax,dword ptr ss:[ebp-4]
0049CE0A |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
0049CE0F |. 0145 F0 |add dword ptr ss:[ebp-10],eax
0049CE12 |. 43 |inc ebx
0049CE13 |. 4E |dec esi
0049CE14 |.^ 75 F1 \jnz short Delphi编.0049CE07
跟了一遍这个循环,发现是"wsy54321`"每一位的ASCII码逐位相加保存到ss:[ebp-10]
――――――――――――――――――――――――――――――――――――――――――――――――――
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
从这里开始又是一个循环
0049CE16 |> 8B45 FC mov eax,dword ptr ss:[ebp-4] ;EAX="wsy54321`"
0049CE19 |. E8 9E6FF6FF call Delphi编.00403DBC 取"wsy54321`"长度
0049CE1E |. 8BF0 mov esi,eax 长度保存到ESI
0049CE20 |. 85F6 test esi,esi 测试ESI 是否等于0
0049CE22 |. 0F8E D2000000 jle Delphi编.0049CEFA 小于或等于0则跳出循环
0049CE28 |. BB 01000000 mov ebx,1 EBX=1(计数器)
0049CE2D |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8] EAX=机器码
0049CE30 |. E8 876FF6FF |call Delphi编.00403DBC 取机器码长度
0049CE35 |. 83E8 06 |sub eax,6 EAX=长度-6
0049CE38 |. 3BD8 |cmp ebx,eax 计数器EBX和EAX做比较
0049CE3A |. 7D 4D |jge short Delphi编.0049CE89 EBX大于或等于(长度-6)则跳到下面第29行(0049CE89)开始执行
0049CE3C |. 8D43 05 |lea eax,dword ptr ds:[ebx+5] EAX=6
0049CE3F |. 8B55 FC |mov edx,dword ptr ss:[ebp-4] EDX="wsy54321`"
0049CE42 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-1] 取上面字符串第EBX位(首轮为第一位,w就是77H)的ASCII码到EDX
0049CE47 |. F7EA |imul edx ;EDX(77)*EAX
0049CE49 |. 03C3 |add eax,ebx ;EAX=EAX+EBX=2CA+1
0049CE4B |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8] ;EDX=机器码
0049CE4E |. 0FB6541A 03 |movzx edx,byte ptr ds:[edx+ebx+3] ;机器码第EBX+4位(首轮为第5位,'4'就是34H)的ASCII码到EDX
0049CE53 |. F7EA |imul edx ;EDX(34)*EAX
0049CE55 |. 8BCB |mov ecx,ebx ;ECX=EBX=1
0049CE57 |. 03C9 |add ecx,ecx ;ECX=ECX+ECX=2
0049CE59 |. 8BD1 |mov edx,ecx ;EDX=ECX=2
0049CE5B |. 0FAF55 EC |imul edx,dword ptr ss:[ebp-14] ;EDX=EDX*44=88 ;在上面已经被赋值为44,循环过程中不变
0049CE5F |. 03C2 |add eax,edx ;EAX=EAX+EDX=913C+88
0049CE61 |. 0FAFCB |imul ecx,ebx ;ECX=ECX*EBX=1*2
0049CE64 |. 83C1 0D |add ecx,0D ;ECX=ECX+0D=2+0D=F
0049CE67 |. 0FAF4D F4 |imul ecx,dword ptr ss:[ebp-C] ;ECX=ECX*296=26CA ;ss:[ebp-C]是上面计算好的结果
0049CE6B |. 03C1 |add eax,ecx ;EAX=EAX+ECX=91C4+26CA
0049CE6D |. 8D145B |lea edx,dword ptr ds:[ebx+ebx*2] ;EDX=03 ;与[ebx+ebx*2]计算出来的值一样
0049CE70 |. 83C2 0C |add edx,0C ;EDX=EDX+0C=F
0049CE73 |. 0FAF55 F0 |imul edx,dword ptr ss:[ebp-10] ;EDX=EDX*2C2 ;ss:[ebp-10]也是上面计算好的结果
0049CE77 |. 03C2 |add eax,edx ;EAX=EAX+EDX=B88E+295E
0049CE79 |. BA 72000000 |mov edx,72 ;EDX=72
0049CE7E |. 2BD3 |sub edx,ebx ;EDX=EDX-EBX=72-1
0049CE80 |. 8BCA |mov ecx,edx ;ECX=EDX=71
0049CE82 |. 99 |cdq
0049CE83 |. F7F9 |idiv ecx ;EAX/ECX
0049CE85 |. 8BFA |mov edi,edx ;EDI=EDX=5D(余数到EDI)
0049CE87 |. EB 49 |jmp short Delphi编.0049CED2 ;跳到CMP EDI,23处执行
************************************************************这部分是EBX>=机器码长度-6(此处为6)时的算法**********
0049CE89 |> 8BCB |mov ecx,ebx ;这里就是与(大于跳到下面第29行开始执行)对应的
0049CE8B |. C1E1 02 |shl ecx,2
0049CE8E |. 8BC1 |mov eax,ecx
0049CE90 |. 83C0 08 |add eax,8
0049CE93 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0049CE96 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-1]
0049CE9B |. 8BFA |mov edi,edx
0049CE9D |. C1E2 03 |shl edx,3
0049CEA0 |. 2BD7 |sub edx,edi
0049CEA2 |. 03C2 |add eax,edx
0049CEA4 |. 8B55 F4 |mov edx,dword ptr ss:[ebp-C]
0049CEA7 |. C1E2 03 |shl edx,3
0049CEAA |. 03C2 |add eax,edx
0049CEAC |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
0049CEAF |. 8D14D2 |lea edx,dword ptr ds:[edx+edx*8]
0049CEB2 |. 03C2 |add eax,edx
0049CEB4 |. 8BD3 |mov edx,ebx
0049CEB6 |. 0FAFD3 |imul edx,ebx
0049CEB9 |. 03C2 |add eax,edx
0049CEBB |. 0FAF4D EC |imul ecx,dword ptr ss:[ebp-14]
0049CEBF |. 83C1 17 |add ecx,17
0049CEC2 |. F7E9 |imul ecx
0049CEC4 |. BA 77000000 |mov edx,77
0049CEC9 |. 2BD3 |sub edx,ebx
0049CECB |. 8BCA |mov ecx,edx
0049CECD |. 99 |cdq
0049CECE |. F7F9 |idiv ecx
0049CED0 |. 8BFA |mov edi,edx
****************************************************************这部分是EBX>=机器码长度-6(此处为6)时的算法(下同)**************
0049CED2 |> 83FF 23 |cmp edi,23 ;余数EDI(5D)和23做比较
0049CED5 |. 7D 06 |jge short Delphi编.0049CEDD ;EDI大于或等于23H则跳到下面第三行(0049CEDD)
0049CED7 |. 8D443B 22 |lea eax,dword ptr ds:[ebx+edi+22] ;小于的话EAX=EBX+EDI+22
0049CEDB |. 8BF8 |mov edi,eax ;EAX到EDI,也就是阅读密码当前位的ASCII码
0049CEDD |> 8D45 E4 |lea eax,dword ptr ss:[ebp-1C]
0049CEE0 |. 8BD7 |mov edx,edi ;把EDI送入EDX,作为阅读密码当前位的ASCII码(EDI大于或等于23H时就是余数本身)
0049CEE2 |. E8 FD6DF6FF |call Delphi编.00403CE4
0049CEE7 |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
0049CEEA |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
0049CEED |. E8 D26EF6FF |call Delphi编.00403DC4
0049CEF2 |. 43 |inc ebx ;计数器EBX+1
0049CEF3 |. 4E |dec esi ;计数器ESI-1
0049CEF4 |.^ 0F85 33FFFFFF \jnz Delphi编.0049CE2D ESI未减到0则跳回上面继续循环
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0049CEFA |> 8B45 08 mov eax,dword ptr ss:[ebp+8]
0049CEFD |. 8B55 E8 mov edx,dword ptr ss:[ebp-18] ;计算好的阅读密码到EDX
0049CF00 |. E8 8B6CF6FF call Delphi编.00403B90
0049CF05 |. 33C0 xor eax,eax
0049CF07 |. 5A pop edx
0049CF08 |. 59 pop ecx
0049CF09 |. 59 pop ecx
0049CF0A |. 64:8910 mov dword ptr fs:[eax],edx
0049CF0D |. 68 34CF4900 push Delphi编.0049CF34
0049CF12 |> 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0049CF15 |. BA 02000000 mov edx,2
0049CF1A |. E8 416CF6FF call Delphi编.00403B60
0049CF1F |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0049CF22 |. BA 02000000 mov edx,2
0049CF27 |. E8 346CF6FF call Delphi编.00403B60
0049CF2C \. C3 retn
本人程序表达能力欠佳,想了好久都不能把上面的过程写出来,只能用笔慢慢算了,希望有人给我写一个,我对应的十六进制的ASCII码依次是5D,65,42,2B,66,4B,53,1A,61,转换过来也就是]eB+fKS*a,程序比较过程中虽然出现了明文,但是我为了锻炼一下自己的分析能力,所以跟了一遍,还请不要见笑哦