-
-
[原创]Allok Video Splitter 分析附注册机
-
发表于: 2013-6-11 04:09
-
【文章标题】Allok Video Splitter 分析
【联系作者】zhong_sf@sina.com
【软件名称】Allok Video Splitter
【附件下载】http://www.onlinedown.net/soft/46878.htm
【注册机源码下载】 keygen to allok video splitter.rar
记得之前有分析过Ultra Video Joiner 这款软件 ,Allok Video Splitter与它长得很相似,不知道不是出自同一作者, 前者是用于视频合成 ,后者用于视频分割. 注册算法都是基于大整数的RSA算法的变形, 但二者还是有差异. 由于之前不懂RSA为何物, 不会脱壳 ,所以之前的分析基本都是在还原大数运算库的算法 ,还没有脱壳
,这些天碰巧了解到了RSA算法 ....好吧, 不多说了 ,开始吧!
1.还是先脱壳吧,带壳分析总感觉很别扭,加的是MoleBox壳,
1.1.找OEP: 直接esp定律就到了.不多说了.
1.2.IAT修复: MoleBox壳除了绑定了部分dll文件外(这里只绑定了aveData.dll一个),似乎没有对IAT进行加密,至少在这软件中没有. 现在要做得就是提取绑定的dll, 用一种比较通用的方法吧,
1.2.1. bp GetSystemTimeAsFileTime ,中断2数次返回到用户代码 ,如下
00491181 . 50 push eax ; /pFileTime
00491182 . FF15 C0174A00 call dword ptr ds:[0x4A17C0] ; \GetSystemTimeAsFileTime
00491188 . 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C] ; 这里eax就是dll的pe文件头指针
0049118B > 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
0049118E . 64:890D 000000>mov dword ptr fs:[0],ecx
00491195 . 5F pop edi
00491196 . 5E pop esi
00491197 . 5B pop ebx
00491198 . C9 leave
00491199 . C2 0800 retn 0x8
在数据窗口中查看并复制pe头,0x400字节就够了 ,保存备用,
1.2.2.接着 bp CreateFileA 中断数次直到堆栈窗口出现捆绑的dll文件名 ,如下:
0018F7F8 741CC4A4 /CALL 到 CreateFileA 来自 AcLayers.741CC4A1
0018F7FC 003094C8 |FileName = "C:\USERS\ZHONG_SF\APPDATA\LOCAL\TEMP\MBX@940@2F1C38.###"
0018F800 40000000 |Access = GENERIC_WRITE
0018F804 00000000 |ShareMode = 0
0018F808 00000000 |pSecurity = NULL
0018F80C 00000002 |Mode = CREATE_ALWAYS
0018F810 00000000 |Attributes = 0
0018F814 00000000 \hTemplateFile = NULL
0018F818 00000000
在数据窗口中查看文件名,并将其改个名字 ,接着 bp GetModuleHandleA ,中断一次即可,此时打开Lordpe 将被捆绑的dll dump下来,
1.2.3.修复dll ,将之前转存的pe头数据在16进制编辑器覆盖上一步dump的dll的pe头 ,并将ImageBase字段改为当前基址,以防重定位失败.
至此 ,脱壳就算是完成了.这种方法是参照CCDebuger总结出来的 ,最关键的就是dump的时间点,在非正确的时间dump出来的dll是数据不正确. 如果没有跟踪过外壳代码是很难知道为什么得在这两处dump才行,至少我就是(跟踪过,跟晕了),我之前有试过在很多地方dump,但都不可行,我一直觉得在外壳填写对应的IAT时dump,此时的数据应该是正确的,但就是不行,我就无语了 ,后来才发现如上述的CCDebuger的方法.
2.注册分析:
有很多种方法可以定位到程序注册加密的代码处,就不详细说了,直接来到下面的代码处:
10001B20 > 6A FF push -0x1
10001B22 68 8AAF0010 push aveData.1000AF8A
10001B27 64:A1 00000000 mov eax,dword ptr fs:[0]
10001B2D 50 push eax
10001B2E 64:8925 00000000 mov dword ptr fs:[0],esp
10001B35 81EC B8020000 sub esp,0x2B8
10001B3B 6A 00 push 0x0
10001B3D 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4] ; --------
10001B41 C74424 5C 716A6EAE mov dword ptr ss:[esp+0x5C],0xAE6E6A71
10001B49 C74424 60 98C87CE3 mov dword ptr ss:[esp+0x60],0xE37CC898
10001B51 C74424 64 5CC46F44 mov dword ptr ss:[esp+0x64],0x446FC45C
10001B59 C74424 68 E64B6F64 mov dword ptr ss:[esp+0x68],0x646F4BE6
10001B61 C74424 6C 61CE7550 mov dword ptr ss:[esp+0x6C],0x5075CE61
10001B69 C74424 70 4DB38FB5 mov dword ptr ss:[esp+0x70],0xB58FB34D ; 这些常数就是RSA算法的 p ,q ,d
10001B71 C74424 74 AFBABA53 mov dword ptr ss:[esp+0x74],0x53BABAAF ; 每个都是大整数
10001B79 C74424 78 78E74BE6 mov dword ptr ss:[esp+0x78],0xE64BE778
10001B81 C74424 7C D14222E7 mov dword ptr ss:[esp+0x7C],0xE72242D1
10001B89 C78424 80000000 ED1>mov dword ptr ss:[esp+0x80],0x5BF1EED
10001B94 C78424 84000000 0A9>mov dword ptr ss:[esp+0x84],0xC13A930A
10001B9F C78424 88000000 1B0>mov dword ptr ss:[esp+0x88],0xE1F6051B
10001BAA C78424 8C000000 5BA>mov dword ptr ss:[esp+0x8C],0x4E63A75B
10001BB5 C78424 90000000 C6D>mov dword ptr ss:[esp+0x90],0x841FD5C6
10001BC0 C78424 94000000 912>mov dword ptr ss:[esp+0x94],0xC0742A91
10001BCB C78424 98000000 9BC>mov dword ptr ss:[esp+0x98],0x5A59C59B ; --------
10001BD6 E8 E5120000 call aveData.10002EC0 ; 类构造函数
10001BDB 6A 00 push 0x0
10001BDD 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
10001BE1 C78424 C4020000 000>mov dword ptr ss:[esp+0x2C4],0x0
10001BEC E8 CF120000 call aveData.10002EC0
10001BF1 8B8424 C8020000 mov eax,dword ptr ss:[esp+0x2C8]
10001BF8 8D9424 B8000000 lea edx,dword ptr ss:[esp+0xB8]
10001BFF C68424 C0020000 01 mov byte ptr ss:[esp+0x2C0],0x1 ; ----
10001C07 2BD0 sub edx,eax
10001C09 8A08 mov cl,byte ptr ds:[eax]
10001C0B 880C02 mov byte ptr ds:[edx+eax],cl ; szUserName转存
10001C0E 40 inc eax
10001C0F 84C9 test cl,cl
10001C11 ^ 75 F6 jnz XaveData.10001C09 ; ----
10001C13 53 push ebx
10001C14 55 push ebp
10001C15 56 push esi
10001C16 57 push edi ; -----
10001C17 8DBC24 C8000000 lea edi,dword ptr ss:[esp+0xC8]
10001C1E 83C9 FF or ecx,0xFFFFFFFF
10001C21 33C0 xor eax,eax
10001C23 33D2 xor edx,edx
10001C25 F2:AE repne scas byte ptr es:[edi]
10001C27 F7D1 not ecx
10001C29 49 dec ecx
10001C2A 74 28 je XaveData.10001C54
10001C2C 80BC14 C8000000 27 cmp byte ptr ss:[esp+edx+0xC8],0x27 ; 将szUserName中的空格换成 ' ,如果有的话
10001C34 75 08 jnz XaveData.10001C3E
10001C36 C68414 C8000000 20 mov byte ptr ss:[esp+edx+0xC8],0x20
10001C3E 8DBC24 C8000000 lea edi,dword ptr ss:[esp+0xC8]
10001C45 83C9 FF or ecx,0xFFFFFFFF
10001C48 33C0 xor eax,eax
10001C4A 42 inc edx
10001C4B F2:AE repne scas byte ptr es:[edi]
10001C4D F7D1 not ecx
10001C4F 49 dec ecx
10001C50 3BD1 cmp edx,ecx
10001C52 ^ 72 D8 jb XaveData.10001C2C ; ------
10001C54 6A 00 push 0x0
10001C56 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
10001C5A E8 61120000 call aveData.10002EC0
10001C5F 6A 00 push 0x0
10001C61 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
10001C65 C68424 D4020000 02 mov byte ptr ss:[esp+0x2D4],0x2
10001C6D E8 4E120000 call aveData.10002EC0
10001C72 6A 00 push 0x0
10001C74 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
10001C78 C68424 D4020000 03 mov byte ptr ss:[esp+0x2D4],0x3
10001C80 E8 3B120000 call aveData.10002EC0
10001C85 6A 00 push 0x0
10001C87 8D4C24 44 lea ecx,dword ptr ss:[esp+0x44]
10001C8B C68424 D4020000 04 mov byte ptr ss:[esp+0x2D4],0x4
10001C93 E8 28120000 call aveData.10002EC0
10001C98 8D4424 68 lea eax,dword ptr ss:[esp+0x68]
10001C9C B3 05 mov bl,0x5
10001C9E 6A 04 push 0x4
10001CA0 50 push eax
10001CA1 8D4C24 40 lea ecx,dword ptr ss:[esp+0x40]
10001CA5 889C24 D8020000 mov byte ptr ss:[esp+0x2D8],bl
10001CAC E8 DF100000 call aveData.10002D90 ; 类输入函数 ,这里初化p
10001CB1 8D4C24 78 lea ecx,dword ptr ss:[esp+0x78]
10001CB5 6A 04 push 0x4
10001CB7 51 push ecx
10001CB8 8D4C24 48 lea ecx,dword ptr ss:[esp+0x48]
10001CBC E8 CF100000 call aveData.10002D90 ; 类输入函数 ,这里初化q
10001CC1 68 01000100 push 0x10001
10001CC6 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
10001CCA E8 F1110000 call aveData.10002EC0 ; 类构造函数,这里初始化 e=0x10001
10001CCF 8D5424 20 lea edx,dword ptr ss:[esp+0x20]
10001CD3 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10001CD7 52 push edx
10001CD8 C68424 D4020000 06 mov byte ptr ss:[esp+0x2D4],0x6
10001CE0 E8 3B120000 call aveData.10002F20 ; Lgint copy
10001CE5 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001CE9 889C24 D0020000 mov byte ptr ss:[esp+0x2D0],bl
10001CF0 E8 7B120000 call aveData.10002F70 ; 类析造函数
10001CF5 8D8424 88000000 lea eax,dword ptr ss:[esp+0x88]
10001CFC 6A 08 push 0x8
10001CFE 50 push eax
10001CFF 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10001D03 E8 88100000 call aveData.10002D90 ; 类输入函数 ,这里初始化 n
10001D08 B9 08000000 mov ecx,0x8
10001D0D 33C0 xor eax,eax ; ---------
10001D0F 8DBC24 A8000000 lea edi,dword ptr ss:[esp+0xA8]
10001D16 33D2 xor edx,edx
10001D18 F3:AB rep stos dword ptr es:[edi]
10001D1A 8DBC24 C8000000 lea edi,dword ptr ss:[esp+0xC8]
10001D21 83C9 FF or ecx,0xFFFFFFFF
10001D24 F2:AE repne scas byte ptr es:[edi]
10001D26 F7D1 not ecx
10001D28 49 dec ecx
10001D29 74 24 je XaveData.10001D4F
10001D2B 8A8C14 C8000000 mov cl,byte ptr ss:[esp+edx+0xC8]
10001D32 8DBC24 C8000000 lea edi,dword ptr ss:[esp+0xC8]
10001D39 888C14 A8000000 mov byte ptr ss:[esp+edx+0xA8],cl
10001D40 83C9 FF or ecx,0xFFFFFFFF
10001D43 33C0 xor eax,eax ; 这里将输入的 szUserName
10001D45 42 inc edx ; 格式化以作为大整数输入
10001D46 F2:AE repne scas byte ptr es:[edi]
10001D48 F7D1 not ecx ; 具体是将每4个字节通过移位使其逆序,
10001D4A 49 dec ecx ; 各个4字节的顺序不变
10001D4B 3BD1 cmp edx,ecx
10001D4D ^ 72 DC jb XaveData.10001D2B
10001D4F B9 08000000 mov ecx,0x8
10001D54 33C0 xor eax,eax
10001D56 8D7C24 48 lea edi,dword ptr ss:[esp+0x48]
10001D5A F3:AB rep stos dword ptr es:[edi]
10001D5C 33D2 xor edx,edx
10001D5E 33C9 xor ecx,ecx
10001D60 8A9404 A8000000 mov dl,byte ptr ss:[esp+eax+0xA8]
10001D67 8A8C04 A9000000 mov cl,byte ptr ss:[esp+eax+0xA9]
10001D6E C1E2 08 shl edx,0x8
10001D71 03D1 add edx,ecx
10001D73 33C9 xor ecx,ecx
10001D75 8A8C04 AA000000 mov cl,byte ptr ss:[esp+eax+0xAA]
10001D7C 83C0 04 add eax,0x4
10001D7F C1E2 08 shl edx,0x8
10001D82 03D1 add edx,ecx
10001D84 33C9 xor ecx,ecx
10001D86 8A8C04 A7000000 mov cl,byte ptr ss:[esp+eax+0xA7]
10001D8D C1E2 08 shl edx,0x8
10001D90 03D1 add edx,ecx
10001D92 83F8 20 cmp eax,0x20
10001D95 895404 44 mov dword ptr ss:[esp+eax+0x44],edx
10001D99 ^ 7C C1 jl XaveData.10001D5C ; --------
10001D9B 8D5424 48 lea edx,dword ptr ss:[esp+0x48]
10001D9F 6A 08 push 0x8
10001DA1 52 push edx
10001DA2 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10001DA6 E8 E50F0000 call aveData.10002D90 ; 初始化username为大整数
10001DAB 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
10001DAF 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001DB3 50 push eax
10001DB4 51 push ecx
10001DB5 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10001DB9 E8 C2030000 call aveData.10002180 ; F7跟进,这里是主要的加密在地方
10001DBE 50 push eax ; eax为计算结果对象指针
10001DBF 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
10001DC3 C68424 D4020000 07 mov byte ptr ss:[esp+0x2D4],0x7
10001DCB E8 50110000 call aveData.10002F20 ; LgInt Copy()
10001DD0 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001DD4 889C24 D0020000 mov byte ptr ss:[esp+0x2D0],bl
10001DDB E8 90110000 call aveData.10002F70
10001DE0 8D5424 48 lea edx,dword ptr ss:[esp+0x48]
10001DE4 6A 08 push 0x8
10001DE6 52 push edx
10001DE7 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001DEB E8 E00F0000 call aveData.10002DD0 ; 类输入函数,将大整数复制到参数缓冲区a
10001DF0 8B5424 58 mov edx,dword ptr ss:[esp+0x58] ; edx=a[4]
10001DF4 8B4C24 54 mov ecx,dword ptr ss:[esp+0x54] ; ecx=a[3]
10001DF8 8B7424 50 mov esi,dword ptr ss:[esp+0x50] ; esi=a[2]
10001DFC 8B7C24 4C mov edi,dword ptr ss:[esp+0x4C] ; edi=a[1]
10001E00 8B6C24 64 mov ebp,dword ptr ss:[esp+0x64] ; ebp=a[7]
10001E04 8B5C24 48 mov ebx,dword ptr ss:[esp+0x48] ; ebx=a[0]
10001E08 8D040A lea eax,dword ptr ds:[edx+ecx]
10001E0B 0FAFCE imul ecx,esi
10001E0E 03C6 add eax,esi
10001E10 03C7 add eax,edi
10001E12 33E8 xor ebp,eax ; ebp=a[7] xor (a[4]+a[3]+a[2]+a[1])
10001E14 8B4424 5C mov eax,dword ptr ss:[esp+0x5C]
10001E18 03D8 add ebx,eax
10001E1A 8B4424 60 mov eax,dword ptr ss:[esp+0x60]
10001E1E 33C3 xor eax,ebx ; eax=(a[5]+a[0]) xor a[6]
10001E20 896C24 64 mov dword ptr ss:[esp+0x64],ebp
10001E24 894424 60 mov dword ptr ss:[esp+0x60],eax
10001E28 0FAFC5 imul eax,ebp
10001E2B 8B6C24 48 mov ebp,dword ptr ss:[esp+0x48]
10001E2F 2BC1 sub eax,ecx
10001E31 8B4C24 5C mov ecx,dword ptr ss:[esp+0x5C]
10001E35 2BC1 sub eax,ecx
10001E37 8D8C24 C8010000 lea ecx,dword ptr ss:[esp+0x1C8]
10001E3E 03C5 add eax,ebp
10001E40 03C2 add eax,edx
10001E42 03C7 add eax,edi ; eax=eax*ebp-a[3]*a[2]-a[5]+a[4]+a[1]+a[0]
10001E44 50 push eax
10001E45 68 8CE40010 push aveData.1000E48C ; ASCII "%08lX"
10001E4A 51 push ecx
10001E4B E8 58240000 call aveData.100042A8 ; wsprintf( szSerial ,"%08lX" ,eax)
10001E50 8B8424 E8020000 mov eax,dword ptr ss:[esp+0x2E8]
10001E57 8D9424 D4010000 lea edx,dword ptr ss:[esp+0x1D4]
10001E5E 6A 08 push 0x8
10001E60 52 push edx
10001E61 50 push eax
10001E62 E8 09240000 call aveData.10004270 ; memcmp(szPasswod ,szSerial ,8)
10001E67 83C4 18 add esp,0x18
10001E6A 85C0 test eax,eax
10001E6C 5F pop edi
10001E6D 5E pop esi
10001E6E 5D pop ebp
10001E6F 5B pop ebx
10001E70 0F85 83000000 jnz aveData.10001EF9 ; ------------
10001E76 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10001E7A C68424 C0020000 09 mov byte ptr ss:[esp+0x2C0],0x9
10001E82 E8 E9100000 call aveData.10002F70
10001E87 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
10001E8B C68424 C0020000 08 mov byte ptr ss:[esp+0x2C0],0x8
10001E93 E8 D8100000 call aveData.10002F70
10001E98 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001E9C C68424 C0020000 0A mov byte ptr ss:[esp+0x2C0],0xA
10001EA4 E8 C7100000 call aveData.10002F70
10001EA9 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10001EAD C68424 C0020000 01 mov byte ptr ss:[esp+0x2C0],0x1
10001EB5 E8 B6100000 call aveData.10002F70
10001EBA 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
10001EBE C68424 C0020000 00 mov byte ptr ss:[esp+0x2C0],0x0
10001EC6 E8 A5100000 call aveData.10002F70
10001ECB 8D4C24 00 lea ecx,dword ptr ss:[esp]
10001ECF C78424 C0020000 FFF>mov dword ptr ss:[esp+0x2C0],-0x1 ; 类析造函数 ,对象的析造
10001EDA E8 91100000 call aveData.10002F70
10001EDF B8 01000000 mov eax,0x1
10001EE4 8B8C24 B8020000 mov ecx,dword ptr ss:[esp+0x2B8]
10001EEB 64:890D 00000000 mov dword ptr fs:[0],ecx
10001EF2 81C4 C4020000 add esp,0x2C4
10001EF8 C3 retn
10001EF9 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10001EFD C68424 C0020000 0C mov byte ptr ss:[esp+0x2C0],0xC
10001F05 E8 66100000 call aveData.10002F70
10001F0A 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
10001F0E C68424 C0020000 0B mov byte ptr ss:[esp+0x2C0],0xB
10001F16 E8 55100000 call aveData.10002F70
10001F1B 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
10001F1F C68424 C0020000 0D mov byte ptr ss:[esp+0x2C0],0xD
10001F27 E8 44100000 call aveData.10002F70
10001F2C 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10001F30 C68424 C0020000 01 mov byte ptr ss:[esp+0x2C0],0x1
10001F38 E8 33100000 call aveData.10002F70
10001F3D 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
10001F41 C68424 C0020000 00 mov byte ptr ss:[esp+0x2C0],0x0
10001F49 E8 22100000 call aveData.10002F70
10001F4E 8D4C24 00 lea ecx,dword ptr ss:[esp]
10001F52 C78424 C0020000 FFF>mov dword ptr ss:[esp+0x2C0],-0x1
10001F5D E8 0E100000 call aveData.10002F70
10001F62 8B8C24 B8020000 mov ecx,dword ptr ss:[esp+0x2B8]
10001F69 33C0 xor eax,eax
10001F6B 64:890D 00000000 mov dword ptr fs:[0],ecx
10001F72 81C4 C4020000 add esp,0x2C4 ; ------------
10001F78 C3 retn
上面这段主要是初始化RSA算法的一些变量,为之后加密使用,可以看到 初始化了 p ,q ,e ,n及 szUserName 输入 . 这里可以
下面跟 call 10002180 这句,主要的加密过程都在这个函数里 :
●
10002180 6A FF push -0x1
10002182 68 A7B00010 push aveData.1000B0A7
10002187 64:A1 00000000 mov eax,dword ptr fs:[0]
1000218D 50 push eax
1000218E 64:8925 00000000 mov dword ptr fs:[0],esp
10002195 81EC AC000000 sub esp,0xAC
1000219B 53 push ebx
1000219C 55 push ebp
1000219D 56 push esi
1000219E 57 push edi
1000219F 8BE9 mov ebp,ecx
100021A1 6A 01 push 0x1
100021A3 8D4C24 58 lea ecx,dword ptr ss:[esp+0x58]
100021A7 C74424 24 00000000 mov dword ptr ss:[esp+0x24],0x0
100021AF E8 0C0D0000 call aveData.10002EC0 ; 构造函数
100021B4 6A 01 push 0x1
100021B6 8D4C24 60 lea ecx,dword ptr ss:[esp+0x60]
100021BA C78424 C8000000 01000>mov dword ptr ss:[esp+0xC8],0x1
100021C5 E8 F60C0000 call aveData.10002EC0
100021CA 8D4424 54 lea eax,dword ptr ss:[esp+0x54]
100021CE 8D75 18 lea esi,dword ptr ss:[ebp+0x18]
100021D1 50 push eax
100021D2 8D4C24 68 lea ecx,dword ptr ss:[esp+0x68]
100021D6 56 push esi
100021D7 51 push ecx
100021D8 C68424 D0000000 02 mov byte ptr ss:[esp+0xD0],0x2
100021E0 E8 AB0F0000 call aveData.10003190 ; 大整数减法运算 q-1
100021E5 8BD8 mov ebx,eax
100021E7 8D5424 68 lea edx,dword ptr ss:[esp+0x68]
100021EB 8D7D 10 lea edi,dword ptr ss:[ebp+0x10]
100021EE 52 push edx
100021EF 8D8424 BC000000 lea eax,dword ptr ss:[esp+0xBC]
100021F6 57 push edi
100021F7 50 push eax
100021F8 C68424 DC000000 03 mov byte ptr ss:[esp+0xDC],0x3
10002200 E8 8B0F0000 call aveData.10003190 ; 大整数减法运算 p-1
10002205 53 push ebx
10002206 8D8C24 98000000 lea ecx,dword ptr ss:[esp+0x98] ; 大整数乘法运算 fn=(p-1)*(q-1)
1000220D 50 push eax
1000220E 51 push ecx
1000220F C68424 E8000000 04 mov byte ptr ss:[esp+0xE8],0x4
10002217 E8 F40F0000 call aveData.10003210
1000221C 83C5 08 add ebp,0x8
1000221F 50 push eax
10002220 8D5424 4C lea edx,dword ptr ss:[esp+0x4C] ; 计算 d: d*fn%e=1
10002224 55 push ebp
10002225 52 push edx
10002226 C68424 F4000000 05 mov byte ptr ss:[esp+0xF4],0x5
1000222E E8 ED110000 call aveData.10003420 ; 这里是大整数的 扩展欧几里德算法求逆元过程
10002233 83C4 30 add esp,0x30 ; 感兴趣的可以F7跟进分析下
10002236 8D4C24 7C lea ecx,dword ptr ss:[esp+0x7C]
1000223A C68424 C4000000 0B mov byte ptr ss:[esp+0xC4],0xB
10002242 E8 290D0000 call aveData.10002F70
10002247 8D8C24 AC000000 lea ecx,dword ptr ss:[esp+0xAC]
1000224E C68424 C4000000 0A mov byte ptr ss:[esp+0xC4],0xA
10002256 E8 150D0000 call aveData.10002F70
1000225B 8D4C24 64 lea ecx,dword ptr ss:[esp+0x64]
1000225F C68424 C4000000 09 mov byte ptr ss:[esp+0xC4],0x9
10002267 E8 040D0000 call aveData.10002F70
1000226C 8D4C24 5C lea ecx,dword ptr ss:[esp+0x5C]
10002270 C68424 C4000000 08 mov byte ptr ss:[esp+0xC4],0x8
10002278 E8 F30C0000 call aveData.10002F70
1000227D 8D4C24 54 lea ecx,dword ptr ss:[esp+0x54]
10002281 C68424 C4000000 07 mov byte ptr ss:[esp+0xC4],0x7
10002289 E8 E20C0000 call aveData.10002F70
1000228E 56 push esi
1000228F 8D4424 30 lea eax,dword ptr ss:[esp+0x30] ; 计算 pqd: pqd*p%q=1
10002293 57 push edi
10002294 50 push eax
10002295 E8 86110000 call aveData.10003420 ; 同上
1000229A 83C4 0C add esp,0xC
1000229D 6A 01 push 0x1
1000229F 8D4C24 48 lea ecx,dword ptr ss:[esp+0x48]
100022A3 C68424 C8000000 0C mov byte ptr ss:[esp+0xC8],0xC
100022AB E8 100C0000 call aveData.10002EC0
100022B0 8D4C24 44 lea ecx,dword ptr ss:[esp+0x44]
100022B4 8D9424 9C000000 lea edx,dword ptr ss:[esp+0x9C]
100022BB 51 push ecx
100022BC 57 push edi
100022BD 52 push edx
100022BE C68424 D0000000 0D mov byte ptr ss:[esp+0xD0],0xD
100022C6 E8 C50E0000 call aveData.10003190
100022CB 50 push eax
100022CC 8D4424 34 lea eax,dword ptr ss:[esp+0x34]
100022D0 8D4C24 5C lea ecx,dword ptr ss:[esp+0x5C]
100022D4 50 push eax
100022D5 51 push ecx ; 计算 d % p-1
100022D6 C68424 DC000000 0E mov byte ptr ss:[esp+0xDC],0xE
100022DE E8 8D100000 call aveData.10003370 ; 这里是大整数的 取模运算 ,有兴趣可以跟进
100022E3 83C4 18 add esp,0x18
100022E6 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+0x9C]
100022ED C68424 C4000000 11 mov byte ptr ss:[esp+0xC4],0x11
100022F5 E8 760C0000 call aveData.10002F70
100022FA 8D4C24 44 lea ecx,dword ptr ss:[esp+0x44]
100022FE C68424 C4000000 10 mov byte ptr ss:[esp+0xC4],0x10
10002306 E8 650C0000 call aveData.10002F70
1000230B 6A 01 push 0x1
1000230D 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
10002311 E8 AA0B0000 call aveData.10002EC0
10002316 8D5424 34 lea edx,dword ptr ss:[esp+0x34]
1000231A 8D8424 8C000000 lea eax,dword ptr ss:[esp+0x8C]
10002321 52 push edx
10002322 56 push esi
10002323 50 push eax
10002324 C68424 D0000000 12 mov byte ptr ss:[esp+0xD0],0x12
1000232C E8 5F0E0000 call aveData.10003190
10002331 8D4C24 30 lea ecx,dword ptr ss:[esp+0x30]
10002335 50 push eax
10002336 8D5424 4C lea edx,dword ptr ss:[esp+0x4C]
1000233A 51 push ecx ; 计算 d % q-1
1000233B 52 push edx
1000233C C68424 DC000000 13 mov byte ptr ss:[esp+0xDC],0x13
10002344 E8 27100000 call aveData.10003370 ; 同上
10002349 83C4 18 add esp,0x18
1000234C 8D8C24 8C000000 lea ecx,dword ptr ss:[esp+0x8C]
10002353 C68424 C4000000 16 mov byte ptr ss:[esp+0xC4],0x16
1000235B E8 100C0000 call aveData.10002F70
10002360 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
10002364 C68424 C4000000 15 mov byte ptr ss:[esp+0xC4],0x15
1000236C E8 FF0B0000 call aveData.10002F70
10002371 8BAC24 D0000000 mov ebp,dword ptr ss:[esp+0xD0]
10002378 57 push edi
10002379 8D4424 70 lea eax,dword ptr ss:[esp+0x70]
1000237D 55 push ebp
1000237E 50 push eax
1000237F E8 EC0F0000 call aveData.10003370 ; 计算 LgInput % p
10002384 8D4C24 58 lea ecx,dword ptr ss:[esp+0x58] ; LgInput为输入的username整数变形
10002388 57 push edi
10002389 51 push ecx
1000238A 8D5424 2C lea edx,dword ptr ss:[esp+0x2C]
1000238E 50 push eax
1000238F 52 push edx ; 计算 tp = ((LgInput % p)^(d % p-1)) % (p)
10002390 C68424 E0000000 17 mov byte ptr ss:[esp+0xE0],0x17
10002398 E8 63170000 call aveData.10003B00 ; 这里是大数幂模运算,有兴趣可以跟进
1000239D 83C4 1C add esp,0x1C
100023A0 8D4C24 6C lea ecx,dword ptr ss:[esp+0x6C]
100023A4 C68424 C4000000 19 mov byte ptr ss:[esp+0xC4],0x19
100023AC E8 BF0B0000 call aveData.10002F70
100023B1 56 push esi
100023B2 8D4424 78 lea eax,dword ptr ss:[esp+0x78]
100023B6 55 push ebp
100023B7 50 push eax
100023B8 E8 B30F0000 call aveData.10003370 ; LgInput % q
100023BD 8D4C24 48 lea ecx,dword ptr ss:[esp+0x48]
100023C1 56 push esi
100023C2 51 push ecx
100023C3 8D5424 24 lea edx,dword ptr ss:[esp+0x24]
100023C7 50 push eax
100023C8 52 push edx ; 计算 tq = (LgInput % q)^(d % q-1) % (q)
100023C9 C68424 E0000000 1A mov byte ptr ss:[esp+0xE0],0x1A
100023D1 E8 2A170000 call aveData.10003B00 ; 同上
100023D6 83C4 1C add esp,0x1C
100023D9 8D4C24 74 lea ecx,dword ptr ss:[esp+0x74]
100023DD C68424 C4000000 1C mov byte ptr ss:[esp+0xC4],0x1C
100023E5 E8 860B0000 call aveData.10002F70
100023EA 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
100023EE 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
100023F2 50 push eax
100023F3 51 push ecx
100023F4 E8 77090000 call aveData.10002D70 ; if Compare(tq ,tp)< 0 大数比较函数
100023F9 83C4 08 add esp,0x8 ; tq+=q
100023FC 85C0 test eax,eax
100023FE 74 0A je XaveData.1000240A
10002400 56 push esi
10002401 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
10002405 E8 960B0000 call aveData.10002FA0 ; 大整数加法运算
1000240A 8D5424 18 lea edx,dword ptr ss:[esp+0x18]
1000240E 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
10002412 52 push edx
10002413 8D8C24 B8000000 lea ecx,dword ptr ss:[esp+0xB8]
1000241A 50 push eax
1000241B 51 push ecx
1000241C E8 6F0D0000 call aveData.10003190 ; 计算 tq-tp
10002421 8D5424 38 lea edx,dword ptr ss:[esp+0x38]
10002425 C68424 D0000000 1D mov byte ptr ss:[esp+0xD0],0x1D
1000242D 52 push edx
1000242E 50 push eax
1000242F 8D8424 B8000000 lea eax,dword ptr ss:[esp+0xB8]
10002436 50 push eax
10002437 E8 D40D0000 call aveData.10003210 ; 计算 (tq-tp)*pqd
1000243C 56 push esi
1000243D 8D8C24 B0000000 lea ecx,dword ptr ss:[esp+0xB0]
10002444 50 push eax
10002445 51 push ecx
10002446 C68424 E8000000 1E mov byte ptr ss:[esp+0xE8],0x1E
1000244E E8 1D0F0000 call aveData.10003370 ; 计算 (tq-tp)*pqd % q
10002453 50 push eax
10002454 8D9424 AC000000 lea edx,dword ptr ss:[esp+0xAC]
1000245B B3 1F mov bl,0x1F
1000245D 57 push edi
1000245E 52 push edx
1000245F 889C24 F4000000 mov byte ptr ss:[esp+0xF4],bl
10002466 E8 A50D0000 call aveData.10003210 ; 计算 ((tq-tp)*pqd % q)*p
1000246B 8BB424 FC000000 mov esi,dword ptr ss:[esp+0xFC]
10002472 50 push eax
10002473 8D4424 4C lea eax,dword ptr ss:[esp+0x4C]
10002477 C68424 F8000000 20 mov byte ptr ss:[esp+0xF8],0x20
1000247F 50 push eax
10002480 56 push esi
10002481 E8 8A0C0000 call aveData.10003110 ; 计算 ((tq-tp)*pqd % q)*p + tp
10002486 83C4 3C add esp,0x3C
10002489 C74424 20 01000000 mov dword ptr ss:[esp+0x20],0x1
10002491 8D8C24 84000000 lea ecx,dword ptr ss:[esp+0x84] ; --------
10002498 889C24 C4000000 mov byte ptr ss:[esp+0xC4],bl
1000249F E8 CC0A0000 call aveData.10002F70
100024A4 8D8C24 94000000 lea ecx,dword ptr ss:[esp+0x94]
100024AB C68424 C4000000 1E mov byte ptr ss:[esp+0xC4],0x1E
100024B3 E8 B80A0000 call aveData.10002F70
100024B8 8D8C24 A4000000 lea ecx,dword ptr ss:[esp+0xA4]
100024BF C68424 C4000000 1D mov byte ptr ss:[esp+0xC4],0x1D
100024C7 E8 A40A0000 call aveData.10002F70
100024CC 8D8C24 B4000000 lea ecx,dword ptr ss:[esp+0xB4]
100024D3 C68424 C4000000 1C mov byte ptr ss:[esp+0xC4],0x1C
100024DB E8 900A0000 call aveData.10002F70
100024E0 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
100024E4 C68424 C4000000 19 mov byte ptr ss:[esp+0xC4],0x19
100024EC E8 7F0A0000 call aveData.10002F70
100024F1 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] ; 构造函数 ,对象的析造
100024F5 C68424 C4000000 15 mov byte ptr ss:[esp+0xC4],0x15
100024FD E8 6E0A0000 call aveData.10002F70
10002502 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
10002506 C68424 C4000000 10 mov byte ptr ss:[esp+0xC4],0x10
1000250E E8 5D0A0000 call aveData.10002F70
10002513 8D4C24 4C lea ecx,dword ptr ss:[esp+0x4C]
10002517 C68424 C4000000 0C mov byte ptr ss:[esp+0xC4],0xC
1000251F E8 4C0A0000 call aveData.10002F70
10002524 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
10002528 C68424 C4000000 07 mov byte ptr ss:[esp+0xC4],0x7
10002530 E8 3B0A0000 call aveData.10002F70
10002535 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
10002539 C68424 C4000000 00 mov byte ptr ss:[esp+0xC4],0x0
10002541 E8 2A0A0000 call aveData.10002F70
10002546 8B8C24 BC000000 mov ecx,dword ptr ss:[esp+0xBC]
1000254D 8BC6 mov eax,esi ; ---------
1000254F 5F pop edi
10002550 5E pop esi
10002551 5D pop ebp
10002552 5B pop ebx
10002553 64:890D 00000000 mov dword ptr fs:[0],ecx
1000255A 81C4 B8000000 add esp,0xB8
10002560 C2 0800 retn 0x8
可以看到 ,上面进行了一系列的复杂在运算,这些运算都是基于大整数的, 这里省去这些运算细节 ,就不分析了,有兴趣的朋友可以跟进去研究,
综合一下上面的运算:
result={ [ ((LgInput%q)^(d%(q-1))%q)-(LgInput%p)^(d%(q-1))%q ]*pqd%q }*p
其中 pqd 是 x: p*x%q=1 的 解;
得到这个结果后,就是如上一段代码所示, 将结果的大整数 各个字段进行运算 ,最后将结果格式化为字符串并 与 假码进行比较 ,整个注册过程就是这样了.
写了这么久,看来是好久没发帖了, 要睡觉了 ,晚安,看雪的朋友们!!
【注册机源码下载】 keygen to allok video splitter.rar
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
