文章作者:xsy3660
软件介绍:
Easy Sticky Note 是一个记录和提醒的电子便条工具软件,能像桌面便条那样“贴”在你的桌面上。软件可以设置便条平时处于隐藏状态,然后在指定时间跳出提醒。
本人使用时觉得较好,当提示事件字符串较长时不会出现有部分不能看到的情况。
分析过程:
国庆结束最后一天,返回无事,拿一软柿子看了看。
PEID查看,无壳,Microsoft Visual C++ 6.0。哈哈,太好了!OD载入,查看字符串,好家伙,有“Registration finished, thank for your registration!",双击,往上看看,有一条件跳转(0040BEC4 处的 jnz),暴破的话就是它了(不过还有启动验证的啦,只改这一处并不够!)。算法也看了看,过程如下:
; --- Registration-check handler, excerpt beginning at 0040BD68 (MSVC 6, this-pointer in ecx).
; What the listing shows: the four entered code fields (this+15C/160/164/168) are joined into one
; string; n1 = upper(first two chars of name) + constant string (author); the hex MD5 of n1 is
; truncated to 16 chars and compared with the entered code; a single jnz at 0040BEC4 selects the
; "finished" or "failed" message.  The routine continues past 0040BF4C and is not shown in full.
; Helper names below are inferred from call shape (MFC CString idioms) - confirm before relying on them.
0040BD68 53 push ebx
0040BD69 55 push ebp
0040BD6A 56 push esi
0040BD6B 8BF1 mov esi,ecx ; esi = this
0040BD6D 57 push edi
0040BD6E 8B86 7001>mov eax,dword ptr ds:[esi+170] ; this+170: counter, compared with 2 and incremented below
0040BD74 83F8 02 cmp eax,2
0040BD77 0F8F E801>jg StickyNo.0040BF65 ; counter already > 2 -> skip the whole check (looks like an attempt limit; target not shown)
0040BD7D 40 inc eax
0040BD7E 6A 01 push 1
0040BD80 8986 7001>mov dword ptr ds:[esi+170],eax ; counter++
0040BD86 E8 382102>call StickyNo.0042DEC3 ; helper(1) on this - presumably pulls the dialog fields into this+15C..168 (UpdateData-style); not shown
0040BD8B 8D86 6001>lea eax,dword ptr ds:[esi+160]
0040BD91 8DBE 5C01>lea edi,dword ptr ds:[esi+15C] ; edi = &this+15C; after the joins below it holds the whole entered code
0040BD97 50 push eax
0040BD98 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040BD9C 57 push edi
0040BD9D 51 push ecx
0040BD9E E8 C73902>call StickyNo.0042F76A ; tmp1 = [this+15C] + [this+160]  (0042F76A(dest, a, b): CString concatenation, presumably)
0040BDA3 8D96 6401>lea edx,dword ptr ds:[esi+164]
0040BDA9 33DB xor ebx,ebx
0040BDAB 52 push edx
0040BDAC 50 push eax
0040BDAD 8D4424 1C lea eax,dword ptr ss:[esp+1C]
0040BDB1 895C24 34 mov dword ptr ss:[esp+34],ebx ; EH state = 0
0040BDB5 50 push eax
0040BDB6 E8 AF3902>call StickyNo.0042F76A ; tmp2 = tmp1 + [this+164]
0040BDBB 8D8E 6801>lea ecx,dword ptr ds:[esi+168]
0040BDC1 8D5424 10 lea edx,dword ptr ss:[esp+10]
0040BDC5 51 push ecx
0040BDC6 50 push eax
0040BDC7 52 push edx
0040BDC8 C64424 38>mov byte ptr ss:[esp+38],1
0040BDCD E8 983902>call StickyNo.0042F76A ; tmp3 = tmp2 + [this+168]  (author: these calls gather the four segments of the entered code)
0040BDD2 50 push eax
0040BDD3 8BCF mov ecx,edi
0040BDD5 C64424 30>mov byte ptr ss:[esp+30],2
0040BDDA E8 953802>call StickyNo.0042F674 ; [this+15C] = tmp3  (0042F674: this=ecx, one arg - CString assignment, presumably)
0040BDDF 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040BDE3 C64424 2C>mov byte ptr ss:[esp+2C],1
0040BDE8 E8 4E3702>call StickyNo.0042F53B ; destroy tmp3 (0042F53B is invoked on every temporary as the EH state unwinds: destructor)
0040BDED 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BDF1 885C24 2C mov byte ptr ss:[esp+2C],bl
0040BDF5 E8 413702>call StickyNo.0042F53B ; destroy tmp2
0040BDFA 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040BDFE C74424 2C>mov dword ptr ss:[esp+2C],-1
0040BE06 E8 303702>call StickyNo.0042F53B ; destroy tmp1
0040BE0B 68 206945>push StickyNo.00456920 ; string literal (the author identifies it as "wefwfrw3rf32wasfaf")
0040BE10 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BE14 E8 903702>call StickyNo.0042F5A9 ; local string = literal  (0042F5A9: construct from char*, presumably)
0040BE19 8DAE 5801>lea ebp,dword ptr ds:[esi+158] ; ebp = &this+158 = registration name (author)
0040BE1F 8D4424 18 lea eax,dword ptr ss:[esp+18]
0040BE23 BB 030000>mov ebx,3
0040BE28 55 push ebp
0040BE29 50 push eax
0040BE2A B9 486A45>mov ecx,StickyNo.00456A48 ; this = global object 00456A48
0040BE2F 895C24 34 mov dword ptr ss:[esp+34],ebx ; EH state = 3
0040BE33 E8 28F4FF>call StickyNo.0040B260 ; author: upper-case the first two chars of the name and append "wefwfrw3rf32wasfaf"; call the result n1.  Only two name chars feed the key.
0040BE38 50 push eax
0040BE39 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BE3D C64424 30>mov byte ptr ss:[esp+30],4
0040BE42 E8 2D3802>call StickyNo.0042F674 ; local n1 = result
0040BE47 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040BE4B 885C24 2C mov byte ptr ss:[esp+2C],bl
0040BE4F E8 E73602>call StickyNo.0042F53B ; destroy temporary
0040BE54 8B4424 10 mov eax,dword ptr ss:[esp+10] ; eax = n1 (character data pointer)
0040BE58 8B48 F8 mov ecx,dword ptr ds:[eax-8] ; ecx = length of n1 (author); data-8 matches the MFC CString header layout
0040BE5B 51 push ecx
0040BE5C 8D4C24 18 lea ecx,dword ptr ss:[esp+18] ; slot that receives the returned string (the author labelled this "first two chars of the name", but it is the hidden return slot - see the MD5 excerpt, which fills it and returns it)
0040BE60 50 push eax
0040BE61 51 push ecx
0040BE62 E8 19A2FF>call StickyNo.00406080 ; MD5(n1, len) rendered as a hex string (author: "D5" = MD5); see excerpt "跟进1"
0040BE67 83C4 0C add esp,0C ; cdecl: caller pops the three args
0040BE6A 50 push eax
0040BE6B 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BE6F C64424 30>mov byte ptr ss:[esp+30],5
0040BE74 E8 FB3702>call StickyNo.0042F674 ; local hex = result
0040BE79 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BE7D 885C24 2C mov byte ptr ss:[esp+2C],bl
0040BE81 E8 B53602>call StickyNo.0042F53B ; destroy temporary
0040BE86 8D5424 1C lea edx,dword ptr ss:[esp+1C]
0040BE8A 6A 10 push 10 ; 16
0040BE8C 52 push edx
0040BE8D 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040BE91 E8 65D201>call StickyNo.004290FB ; take 16 chars of the 32-char hex digest (Left/Mid not visible here; the author's key is 16 hex chars)
0040BE96 50 push eax
0040BE97 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040BE9B C64424 30>mov byte ptr ss:[esp+30],6
0040BEA0 E8 CF3702>call StickyNo.0042F674 ; local computed = result
0040BEA5 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040BEA9 885C24 2C mov byte ptr ss:[esp+2C],bl
0040BEAD E8 893602>call StickyNo.0042F53B ; destroy temporary
0040BEB2 8B07 mov eax,dword ptr ds:[edi] ; entered code (this+15C)
0040BEB4 50 push eax ; second arg
0040BEB5 8B4424 14 mov eax,dword ptr ss:[esp+14] ; computed code
0040BEB9 50 push eax ; first arg
0040BEBA E8 69F600>call StickyNo.0041B528 ; string compare(computed, entered); returns 0 when equal (see excerpt "真假比较")
0040BEBF 83C4 08 add esp,8
0040BEC2 85C0 test eax,eax
0040BEC4 75 53 jnz short StickyNo.0040BF19 ; mismatch -> failure path.  This one branch is the whole decision for the dialog (the author notes a separate check at startup)
0040BEC6 83CB FF or ebx,FFFFFFFF ; --- success path ---
0040BEC9 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040BECD 895C24 2C mov dword ptr ss:[esp+2C],ebx
0040BED1 E8 653602>call StickyNo.0042F53B ; destroy local
0040BED6 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040BEDA 51 push ecx
0040BEDB B9 486A45>mov ecx,StickyNo.00456A48
0040BEE0 E8 0BF5FF>call StickyNo.0040B3F0 ; returns a pointer to a string from the global object (used as the message caption below)
0040BEE5 8B00 mov eax,dword ptr ds:[eax]
0040BEE7 6A 40 push 40 ; 0x40 (MB_ICONINFORMATION-style flag, presumably)
0040BEE9 50 push eax
0040BEEA 68 941E45>push StickyNo.00451E94 ; ASCII "Registration finished, thank for your registration!"
0040BEEF 8BCE mov ecx,esi
0040BEF1 C74424 38>mov dword ptr ss:[esp+38],7
0040BEF9 E8 CF1702>call StickyNo.0042D6CD ; this->MessageBox(text, caption, 0x40)
0040BEFE 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040BF02 895C24 2C mov dword ptr ss:[esp+2C],ebx
0040BF06 E8 303602>call StickyNo.0042F53B ; destroy temporary
0040BF0B 57 push edi ; entered code
0040BF0C 55 push ebp ; name
0040BF0D B9 486A45>mov ecx,StickyNo.00456A48
0040BF12 E8 E9F1FF>call StickyNo.0040B100 ; global->store(name, code) - presumably persists the registration that the startup check reads; not shown
0040BF17 EB 45 jmp short StickyNo.0040BF5E
0040BF19 83CF FF or edi,FFFFFFFF ; --- failure path ---
0040BF1C 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040BF20 897C24 2C mov dword ptr ss:[esp+2C],edi
0040BF24 E8 123602>call StickyNo.0042F53B ; destroy local
0040BF29 8D5424 20 lea edx,dword ptr ss:[esp+20]
0040BF2D B9 486A45>mov ecx,StickyNo.00456A48
0040BF32 52 push edx
0040BF33 E8 B8F4FF>call StickyNo.0040B3F0 ; caption string, as above
0040BF38 8B00 mov eax,dword ptr ds:[eax]
0040BF3A 6A 10 push 10 ; 0x10 (MB_ICONERROR-style flag, presumably)
0040BF3C 50 push eax
0040BF3D 68 581E45>push StickyNo.00451E58 ; ASCII "Registration failed, please check the code and try again!"
0040BF42 8BCE mov ecx,esi
0040BF44 C74424 38>mov dword ptr ss:[esp+38],8
0040BF4C E8 7C1702>call StickyNo.0042D6CD ; this->MessageBox(text, caption, 0x10); function continues beyond this excerpt
----------------------------------------------------------------------
跟进1(00406080:对 n1 做 MD5 并转成十六进制串,入口前的栈帧建立部分未列出)
; --- Excerpt of 00406080 (called from 0040BE62 as f(retslot, n1, len)); the prologue that sets up
; the 0x6C-byte frame and the SEH record is above 00406099 and not shown.
; Shape: init MD5 context -> update(n1, len) -> finalize into the return slot -> return the slot.
00406099 8B7424 7C mov esi,dword ptr ss:[esp+7C] ; esi = third arg = length of n1
0040609D 57 push edi
0040609E 8B7C24 7C mov edi,dword ptr ss:[esp+7C] ; edi = second arg = n1 data (one slot lower after the push)
004060A2 6A 00 push 0
004060A4 56 push esi
004060A5 57 push edi
004060A6 C74424 14>mov dword ptr ss:[esp+14],0 ; local = 0
004060AE E8 B63602>call StickyNo.00429769 ; helper(n1, len, 0); purpose not visible here
004060B3 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; ecx = local object at esp+C (the MD5 context: every call below is made on it; the author's "假码" label here is misleading)
004060B7 E8 A40A00>call StickyNo.00406B60 ; MD5 init - loads the standard constants (author)
004060BC 56 push esi ; len
004060BD 57 push edi ; data
004060BE 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004060C2 C74424 78>mov dword ptr ss:[esp+78],0
004060CA E8 810C00>call StickyNo.00406D50 ; ctx.update(n1, len), presumably
004060CF 8B7424 78 mov esi,dword ptr ss:[esp+78] ; esi = first arg = hidden return slot (after callee cleanup the slot offsets differ from the line above)
004060D3 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
004060D7 56 push esi
004060D8 E8 130B00>call StickyNo.00406BF0 ; ctx.final(retslot): writes the digest as a hex string (author: yields the real code; see excerpt "跟进2")
004060DD 8B4C24 68 mov ecx,dword ptr ss:[esp+68] ; saved SEH link
004060E1 8BC6 mov eax,esi ; return the filled slot
004060E3 5F pop edi
004060E4 5E pop esi
004060E5 64:890D 0>mov dword ptr fs:[0],ecx ; unlink the SEH frame
004060EC 83C4 6C add esp,6C
004060EF C3 retn
------------------------------------------------------------------------------
跟进2(00406BF0 内的循环:把 16 字节摘要逐字节转成两位小写十六进制并拼接)
; --- Hex-encoding loop inside 00406BF0 (entry and exit of the routine are not shown).
; For esi in [.., 16): take digest byte [esp+esi+24] and append it as two lowercase hex digits:
;   byte == 0      -> literal "00"
;   byte <= 0x0F   -> sprintf("0%x")
;   otherwise      -> sprintf("%x")
; i.e. a hand-rolled "%02x"; 16 bytes give a 32-character string, which the caller later cuts to 16.
00406C7C 897C24 3C mov dword ptr ss:[esp+3C],edi
00406C80 B3 02 mov bl,2
00406C82 8B15 682A4500 mov edx,dword ptr ds:[452A68] ; StickyNo.00452A7C - loop head; global used to initialise the per-iteration temp string (empty-string sentinel, presumably)
00406C88 895424 0C mov dword ptr ss:[esp+C],edx
00406C8C 8A4434 24 mov al,byte ptr ss:[esp+esi+24] ; al = digest byte esi (author: walk the digest and concatenate, up to 16 bytes)
00406C90 885C24 3C mov byte ptr ss:[esp+3C],bl ; EH state = 2
00406C94 84C0 test al,al
00406C96 75 2C jnz short StickyNo.00406CC4
00406C98 68 E0114500 push StickyNo.004511E0 ; ASCII "00" - zero byte: fixed text instead of sprintf
00406C9D 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00406CA1 E8 03890200 call StickyNo.0042F5A9 ; temp = "00"
00406CA6 50 push eax
00406CA7 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00406CAB C64424 40 03 mov byte ptr ss:[esp+40],3
00406CB0 E8 BF890200 call StickyNo.0042F674 ; piece = temp
00406CB5 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406CB9 885C24 3C mov byte ptr ss:[esp+3C],bl
00406CBD E8 79880200 call StickyNo.0042F53B ; destroy temp
00406CC2 EB 2E jmp short StickyNo.00406CF2
00406CC4 3C 0F cmp al,0F
00406CC6 77 12 ja short StickyNo.00406CDA ; unsigned compare on the byte value
00406CC8 25 FF000000 and eax,0FF ; zero-extend the byte (al was loaded without clearing eax)
00406CCD 50 push eax
00406CCE 8D4424 10 lea eax,dword ptr ss:[esp+10]
00406CD2 68 DC114500 push StickyNo.004511DC ; ASCII "0%x" - single hex digit, pad with a leading zero
00406CD7 50 push eax
00406CD8 EB 10 jmp short StickyNo.00406CEA
00406CDA 25 FF000000 and eax,0FF
00406CDF 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406CE3 50 push eax
00406CE4 68 D8114500 push StickyNo.004511D8 ; ASCII "%x" - two hex digits, lowercase
00406CE9 51 push ecx
00406CEA E8 2C280200 call StickyNo.0042951B ; sprintf(buf, fmt, byte)
00406CEF 83C4 0C add esp,0C
00406CF2 8D5424 0C lea edx,dword ptr ss:[esp+C]
00406CF6 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00406CFA 52 push edx
00406CFB E8 3E8C0200 call StickyNo.0042F93E ; result += piece (append)
00406D00 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406D04 C64424 3C 01 mov byte ptr ss:[esp+3C],1
00406D09 E8 2D880200 call StickyNo.0042F53B ; destroy piece
00406D0E 46 inc esi ; next byte
00406D0F 83FE 10 cmp esi,10 ; 16 bytes = MD5 digest length
00406D12 ^ 0F8C 6AFFFFFF jl StickyNo.00406C82
00406D18 8B7424 44 mov esi,dword ptr ss:[esp+44]
-------------------------------------------------------
真假比较(0041B528,相等返回 0;以下为其核心循环):
; --- Core of the compare called at 0040BEBA as cmp(computed, entered); entry and the
; return-value computation are outside this excerpt.
; Shape: walk both strings one character at a time; a byte whose entry in the table at 45A1A1 has
; bit 2 (value 4) set is paired with the following byte into a 16-bit unit before comparing.
; That is the structure of a multibyte-aware (MBCS) string compare; the table lookup looks like the
; CRT lead-byte test - confirm.  Equal-and-terminated exits at 0041B5C8; a mismatch goes to 0041B5B4.
; Note that [ebp+C] is reused as scratch for the current character once esi has been loaded from it.
0041B549 6A 19 push 19
0041B54B E8 AA3200>call StickyNo.0041E7FA ; lock(0x19) around the table access, presumably (cdecl: pop ecx below cleans the arg)
0041B550 8B75 0C mov esi,dword ptr ss:[ebp+C] ; esi = second arg = entered code (pushed first at 0040BEB4)
0041B553 8B7D 08 mov edi,dword ptr ss:[ebp+8] ; edi = first arg = computed code (pushed last at 0040BEB9); the author's original note labelled this "假码", but the push order makes it the computed one
0041B556 59 pop ecx
0041B557 66:0FB60F movzx cx,byte ptr ds:[edi] ; loop head: next byte of the computed code
0041B55B 0FB6C1 movzx eax,cl ; eax = byte (table index)
0041B55E 47 inc edi
0041B55F 894D 0C mov dword ptr ss:[ebp+C],ecx ; current char of string 1
0041B562 F680 A1A1>test byte ptr ds:[eax+45A1A1],4 ; lead byte?
0041B569 74 16 je short StickyNo.0041B581
0041B56B 8A07 mov al,byte ptr ds:[edi] ; trail byte
0041B56D 84C0 test al,al
0041B56F 75 06 jnz short StickyNo.0041B577
0041B571 8365 0C 0>and dword ptr ss:[ebp+C],0 ; lead byte followed by NUL: treat as end of string
0041B575 EB 0A jmp short StickyNo.0041B581
0041B577 33D2 xor edx,edx
0041B579 47 inc edi ; consume the trail byte too
0041B57A 8AF1 mov dh,cl
0041B57C 8AD0 mov dl,al
0041B57E 8955 0C mov dword ptr ss:[ebp+C],edx ; char = (lead << 8) | trail
0041B581 66:0FB61E movzx bx,byte ptr ds:[esi] ; next byte of the entered code, same treatment
0041B585 0FB6C3 movzx eax,bl
0041B588 46 inc esi
0041B589 F680 A1A1>test byte ptr ds:[eax+45A1A1],4 ; lead byte?
0041B590 74 13 je short StickyNo.0041B5A5
0041B592 8A06 mov al,byte ptr ds:[esi]
0041B594 84C0 test al,al
0041B596 75 04 jnz short StickyNo.0041B59C
0041B598 33DB xor ebx,ebx ; lead byte followed by NUL: end of string
0041B59A EB 09 jmp short StickyNo.0041B5A5
0041B59C 33C9 xor ecx,ecx
0041B59E 46 inc esi
0041B59F 8AEB mov ch,bl
0041B5A1 8AC8 mov cl,al
0041B5A3 8BD9 mov ebx,ecx ; char = (lead << 8) | trail
0041B5A5 66:395D 0>cmp word ptr ss:[ebp+C],bx ; compare the two characters
0041B5A9 75 09 jnz short StickyNo.0041B5B4 ; differ -> mismatch path (result computed outside this excerpt)
0041B5AB 66:837D 0>cmp word ptr ss:[ebp+C],0
0041B5B0 74 16 je short StickyNo.0041B5C8 ; both at NUL -> equal (the path that yields 0)
0041B5B2 ^ EB A3 jmp short StickyNo.0041B557 ; next character
0041B5B4 6A 19 push 19 ; mismatch path: matching unlock(0x19), presumably; continues beyond this excerpt
小结:
1、取注册名的前二位(若是字母则变成大写)与常量串 wefwfrw3rf32wasfaf 相连,对所得字符串做 MD5 运算,16 字节摘要按每字节两位小写十六进制("%x",不足两位补 0)拼成 32 位的串 A
2、从串 A 中取出 16 位(0040BE91 处传入参数 10h;具体取哪 16 位需跟进 004290FB 确认,作者给出的注册码为 16 位十六进制)即为真注册码
3、真注册码与输入的假码做字符串比较(0041B528,相等返回 0),相等则注册成功。
注:整个校验只依赖注册名前两位和一个写死的常量,因此前两位相同的所有注册名对应同一个注册码;注册对话框的结果只由 0040BEC4 处一个条件跳转决定,但作者提到启动时还有一次验证,分析时不应只看这一处。
注册名:xsy3660
注册码:fbf1fa4595c03ada