-------------------------------------------------【Article Info】-----------------------------------
【Title】 A newbie's use of a memory keygen
【Author】 激动的马
【Software】 A screen recorder, ZD Soft Screen Recorder
【Size】 2M
【Download】 http://www.cr173.com/soft/66019.html
【Packer】 PECompact 2.x -> Jeremy Collake
【Protection】 Packing
【Language】 VC++6.0
【Tools】 OD (OllyDbg)
【Platform】 Windows
【Description】 Search for it yourself
【Author's note】 Experts, please pass by; this is just for newbies to play with. If anything is wrong or missing, please point it out; much appreciated!
-------------------------------------------------【Article Body】-------------------------------------
I. Unpacking.
After installing the software, a check with PEiD shows PECompact 2.x -> Jeremy Collake, so I unpacked it directly with UnPECompact2 v0.1 (manual unpacking is too hard for me). When I ran the result, the original fancy UI was gone and I am not sure why, but the registration code computed with it works universally.
[Screenshots: not unpacked / after unpacking]
II. With unpacking done, on to the main topic.
Load the program in OD; under Options -> About you can see that the free trial is 30 days and registration is required to keep using it. Enter an arbitrary user name, e-mail and password, then set bp GetWindowTextW (look it up first with Ctrl+N).
Since this API breaks in many places, a condition is needed: click the W (windows) button to see a lot of information (refresh if it is empty).
Here I set a conditional breakpoint on handle 2002f0.
After confirming, click OK in the registration dialog. It breaks; Alt+F9 returns to the program's own code. In the info pane you can see that the user name was fetched.
004184F2 . E8 01BC0800 call <jmp.&MFC42u.#DDX_Text_2362>
004184F7 . 8D4E 64 lea ecx, dword ptr ds:[esi+0x64];Alt+F9 returns here
004184FA . 51 push ecx ;get user name
004184FB . 68 4E4F0000 push 0x4F4E
00418500 . 57 push edi
00418501 . E8 F2BB0800 call <jmp.&MFC42u.#DDX_Text_2362>;get e-mail contents
00418506 . 83C6 68 add esi, 0x68
00418509 . 56 push esi
0041850A . 68 4F4F0000 push 0x4F4F
0041850F . 57 push edi
00418510 . E8 E3BB0800 call <jmp.&MFC42u.#DDX_Text_2362> ;get password
00418515 . 5F pop edi
00418516 . 5E pop esi
00418517 . C2 0400 retn 0x4
Keep pressing F8 until retn 0x4; this lands in MFC, and Alt+F9 then returns directly here:
00418538 . E8 03BC08>call <jmp.&MFC42u.#CWnd::UpdateData_6330>
0041853D . 8D6E 60 lea ebp, dword ptr ds:[esi+0x60] ; arrive here
00418540 . 8BCD mov ecx, ebp
00418542 . E8 E9BC08>call <jmp.&MFC42u.#CString::TrimLeft_6278>;as the function name shows, this trims leading/trailing spaces from the user name; the same applies below.
00418547 . 8BCD mov ecx, ebp
00418549 . E8 DCBC08>call <jmp.&MFC42u.#CString::TrimRight_6279>
0041854E . 8D7E 64 lea edi, dword ptr ds:[esi+0x64]
00418551 . 8BCF mov ecx, edi
00418553 . E8 D8BC08>call <jmp.&MFC42u.#CString::TrimLeft_6278> ;e-mail
00418558 . 8BCF mov ecx, edi
0041855A . E8 CBBC08>call <jmp.&MFC42u.#CString::TrimRight_6279>
0041855F . 8BCF mov ecx, edi
00418561 . E8 A2BD08>call <jmp.&MFC42u.#CString::MakeLower_4197>;convert to lower case
00418566 . 8D5E 68 lea ebx, dword ptr ds:[esi+0x68]
00418569 . 8BCB mov ecx, ebx
0041856B . E8 C0BC08>call <jmp.&MFC42u.#CString::TrimLeft_6278>; password
00418570 . 8BCB mov ecx, ebx
00418572 . E8 B3BC08>call <jmp.&MFC42u.#CString::TrimRight_6279>
00418577 . 8BCB mov ecx, ebx
00418579 . E8 84BD08>call <jmp.&MFC42u.#CString::MakeUpper_4199> ;convert to upper case
0041857E . 8B6D 00 mov ebp, dword ptr ss:[ebp] ; user name string
00418581 . 8B45 F8 mov eax, dword ptr ss:[ebp-0x8]; its length (CString keeps the length at -8)
00418584 . 85C0 test eax, eax
00418586 . 0F84 C500>je ScnRec_.00418651 ; error if empty
0041858C . 8B07 mov eax, dword ptr ds:[edi]
0041858E . 8B48 F8 mov ecx, dword ptr ds:[eax-0x8]
00418591 . 85C9 test ecx, ecx
00418593 . 0F84 B800>je ScnRec_.00418651 ;
00418599 . 8B0B mov ecx, dword ptr ds:[ebx]; password
0041859B . 8B41 F8 mov eax, dword ptr ds:[ecx-0x8]
0041859E . 85C0 test eax, eax
004185A0 . 0F84 AB00>je ScnRec_.00418651
004185A6 . 8B4E 6C mov ecx, dword ptr ds:[esi+0x6C]
004185A9 . 55 push ebp
004185AA . 83C1 04 add ecx, 0x4
004185AD . E8 22BB08>call <jmp.&MFC42u.#CString::operator=_861>
004185B2 . 8B17 mov edx, dword ptr ds:[edi]
004185B4 . 8B4E 6C mov ecx, dword ptr ds:[esi+0x6C]
004185B7 . 52 push edx
004185B8 . 83C1 08 add ecx, 0x8
004185BB . E8 14BB08>call <jmp.&MFC42u.#CString::operator=_861>
004185C0 . 8B03 mov eax, dword ptr ds:[ebx]
004185C2 . 8B4E 6C mov ecx, dword ptr ds:[esi+0x6C]
004185C5 . 50 push eax ;push password
004185C6 . E8 65F600>call ScnRec_.00427C30 ;step into this first
004185CB . 8B4E 6C mov ecx, dword ptr ds:[esi+0x6C]
004185CE . E8 5DFC00>call ScnRec_.00428230 ;key call
004185D3 . 85C0 test eax, eax
004185D5 . 75 3A jnz XScnRec_.00418611
004185D7 . E8 22BB08>call <jmp.&MFC42u.#AfxGetThread_1172>
004185DC . 85C0 test eax, eax
004185DE . 74 09 je XScnRec_.004185E9
004185E0 . 8B10 mov edx, dword ptr ds:[eax]
004185E2 . 8BC8 mov ecx, eax
004185E4 . FF52 7C call Xdword ptr ds:[edx+0x7C]
004185E7 . EB 02 jmp XScnRec_.004185EB
004185E9 > 33C0 xor eax, eax
004185EB > 6A 00 push 0x0
004185ED . 6A 00 push 0x0
004185EF . 6A 00 push 0x0
004185F1 . 6A 00 push 0x0
004185F3 . 6A 00 push 0x0
004185F5 . 6A 00 push 0x0
004185F7 . 6A 00 push 0x0
004185F9 . 6A 01 push 0x1
004185FB . 6A 10 push 0x10
004185FD . 6A 00 push 0x0
004185FF . 68 AE4F00>push 0x4FAE
00418604 . 8BC8 mov ecx, eax
00418606 . 56 push esi
00418607 . E8 745C00>call ScnRec_.0041E280 ;executing this brings up the error window
0041860C . 5F pop edi
0041860D . 5E pop esi
0041860E . 5D pop ebp
0041860F . 5B pop ebx
00418610 . C3 retn
Here is the call at 427c30:
00427C30 /$ 51 push ecx
00427C31 |. 53 push ebx
00427C32 |. 55 push ebp
00427C33 |. 56 push esi
00427C34 |. 83C1 0C add ecx, 0xC
00427C37 |. 57 push edi
00427C38 |. 894C24 10 mov dword ptr ss:[esp+0x10], ecx
00427C3C |. E8 4DC507>call <jmp.&MFC42u.#CString::Empty_2606>
00427C41 |. 8B7C24 18 mov edi, dword ptr ss:[esp+0x18]
00427C45 |. 85FF test edi, edi
00427C47 |. 74 61 je XScnRec_.00427CAA
00427C49 |. 33ED xor ebp, ebp
00427C4B |> 33DB /xor ebx, ebx ;outer loop, 5 iterations
00427C4D |> 66:8B37 |/mov si, word ptr ds:[edi] ;inner loop, 5 iterations
00427C50 |. 83C7 02 ||add edi, 0x2
00427C53 |. 66:85F6 ||test si, si
00427C56 |. 74 52 ||je XScnRec_.00427CAA
00427C58 |. 56 ||push esi ; /w
00427C59 |. FF15 CC36>||call Xdword ptr ds:[<&MSVCRT.iswdigit>] ; \iswdigit
00427C5F |. 83C4 04 ||add esp, 0x4 ;is it a digit?
00427C62 |. 85C0 ||test eax, eax
00427C64 |. 75 11 ||jnz XScnRec_.00427C77
00427C66 |. 56 ||push esi ; /w
00427C67 |. FF15 D036>||call Xdword ptr ds:[<&MSVCRT.iswalpha>] ; \iswalpha
00427C6D |. 83C4 04 ||add esp, 0x4 ;is it a letter?
00427C70 |. 85C0 ||test eax, eax
00427C72 |. 75 03 ||jnz XScnRec_.00427C77
00427C74 |. 4B ||dec ebx
00427C75 |. EB 0A ||jmp XScnRec_.00427C81
00427C77 |> 8B4C24 10 ||mov ecx, dword ptr ss:[esp+0x10]
00427C7B |. 56 ||push esi
00427C7C |. E8 B9C707>||call <jmp.&MFC42u.#CString::operator+=_94>;string append
00427C81 |> 43 ||inc ebx
00427C82 |. 83FB 05 ||cmp ebx, 0x5
00427C85 |.^ 7C C6 |\jl XScnRec_.00427C4D
00427C87 |. 8D75 01 |lea esi, dword ptr ss:[ebp+0x1]
00427C8A |. 83FE 05 |cmp esi, 0x5
00427C8D |. 7D 0B |jge XScnRec_.00427C9A
00427C8F |. 8B4C24 10 |mov ecx, dword ptr ss:[esp+0x10]
00427C93 |. 6A 2D |push 0x2D ;'-'
00427C95 |. E8 A0C707>|call <jmp.&MFC42u.#CString::operator+=_941>
00427C9A |> 8BEE |mov ebp, esi
00427C9C |. 83FD 05 |cmp ebp, 0x5
00427C9F |.^ 7C AA \jl XScnRec_.00427C4B
00427CA1 |. 8B4C24 10 mov ecx, dword ptr ss:[esp+0x10]
00427CA5 |. E8 58C607>call <jmp.&MFC42u.#CString::MakeUpper_4199>
00427CAA |> 5F pop edi
00427CAB |. 5E pop esi
00427CAC |. 5D pop ebp
00427CAD |. 5B pop ebx
00427CAE |. 59 pop ecx
00427CAF \. C2 0400 retn 0x4
What this function does is turn the entered password from xxxxxxxxxxxxxxx... into the form xxxxx-xxxxx-xxxxx-xxxxx-xxxxx (five groups of five, as the loop bounds of 5 above show), keeping only letters and digits; presumably it has to match the form of the real key before the two can be compared.
Here is 428230:
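The routine at 00427C30 re-implemented in C, as an added example and not the program's own code; `format_serial` and `serial_equals` are hypothetical names, and it uses narrow chars where the original works on a UTF-16 MFC CString via iswdigit/iswalpha. It keeps the same control flow, including the early exit on NUL that jumps straight to 00427CAA and so skips MakeUpper.

```c
#include <ctype.h>
#include <string.h>

/* Mirror of 00427C30: take alphanumerics only, five groups of five, '-' between
 * groups, then upper-case. out must hold at least 30 bytes (25 + 4 + NUL). */
size_t format_serial(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = in;
    if (outsz < 30) { if (outsz) out[0] = '\0'; return 0; }
    for (int group = 0; group < 5; group++) {        /* outer loop, ebp 0..4 */
        for (int i = 0; i < 5; i++) {                /* inner loop, ebx 0..4 */
            unsigned char c = (unsigned char)*p++;
            if (c == '\0') {                         /* je 00427CAA: leaves without MakeUpper */
                out[n] = '\0';
                return n;
            }
            if (!isdigit(c) && !isalpha(c)) {        /* neither digit nor letter: dec ebx, */
                i--;                                 /* i.e. this slot is not used up */
                continue;
            }
            out[n++] = (char)c;                      /* CString::operator+= */
        }
        if (group + 1 < 5)
            out[n++] = '-';                          /* push 0x2D between groups */
    }
    out[n] = '\0';
    for (size_t k = 0; k < n; k++)                   /* CString::MakeUpper */
        out[k] = (char)toupper((unsigned char)out[k]);
    return n;
}

/* Convenience check: format `in` and compare the result with `expected`. */
int serial_equals(const char *in, const char *expected)
{
    char buf[32];
    format_serial(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

Feeding a string shorter than 25 alphanumerics shows the quirk: the output keeps its case and may end in a dangling hyphen, which is harmless only because the caller already upper-cased the password at 00418579.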
00428230 /$ 64:A1 000>mov eax, dword ptr fs:[0]
00428236 |. 6A FF push -0x1
00428238 |. 68 F02650>push ScnRec_.005026F0
0042823D |. 50 push eax ;previous SEH handler
0042823E |. 64:8925 0>mov dword ptr fs:[0], esp
00428245 |. 83EC 08 sub esp, 0x8
00428248 |. 56 push esi
00428249 |. 8BF1 mov esi, ecx
0042824B |. 57 push edi
0042824C |. 8B46 08 mov eax, dword ptr ds:[esi+0x8] ;
0042824F |. 8D7E 08 lea edi, dword ptr ds:[esi+0x8]
00428252 |. 8B48 F8 mov ecx, dword ptr ds:[eax-0x8]
00428255 |. 85C9 test ecx, ecx
00428257 |. 74 73 je XScnRec_.004282CC
00428259 |. 8B4E 0C mov ecx, dword ptr ds:[esi+0xC] ;the reformatted entered password
0042825C |. 8B41 F8 mov eax, dword ptr ds:[ecx-0x8] ;its length
0042825F |. 85C0 test eax, eax
00428261 |. 74 69 je XScnRec_.004282CC
00428263 |. 6A 5C push 0x5C
00428265 |. 8D5424 10 lea edx, dword ptr ss:[esp+0x10]
00428269 |. 56 push esi
0042826A |. 52 push edx
0042826B |. E8 8ABF07>call <jmp.&MFC42u.#operator+_924>
00428270 |. 57 push edi
00428271 |. 50 push eax
00428272 |. 8D4424 10 lea eax, dword ptr ss:[esp+0x10]
00428276 |. C74424 20>mov dword ptr ss:[esp+0x20], 0x0
0042827E |. 50 push eax
0042827F |. E8 94BF07>call <jmp.&MFC42u.#operator+_922>;after this operation the e-mail name has become a new string:
Stack: "Software\ZD Soft\Screen Recorder\qweqwe"
00428284 |. 8B00 mov eax, dword ptr ds:[eax]
00428286 |. 8BCE mov ecx, esi
00428288 |. 50 push eax ;new e-mail string
00428289 |. 68 E80300>push 0x3E8 ;3e8=1000
0042828E |. C64424 20>mov byte ptr ss:[esp+0x20], 0x1
00428293 |. E8 B8FDFF>call ScnRec_.00428050 ;key call, step in
00428298 |. 8D4C24 08 lea ecx, dword ptr ss:[esp+0x8]
0042829C |. 8BF8 mov edi, eax
0042829E |. C64424 18>mov byte ptr ss:[esp+0x18], 0x0
004282A3 |. E8 20BE07>call <jmp.&MFC42u.#CString::~CString_800>
004282A8 |. 8D4C24 0C lea ecx, dword ptr ss:[esp+0xC]
004282AC |. C74424 18>mov dword ptr ss:[esp+0x18], -0x1
004282B4 |. E8 0FBE07>call <jmp.&MFC42u.#CString::~CString_800>
004282B9 |. 85FF test edi, edi
004282BB |. 7C 0F jl XScnRec_.004282CC
004282BD |. 81FF E803>cmp edi, 0x3E8
004282C3 |. 7D 07 jge XScnRec_.004282CC
004282C5 |. B8 010000>mov eax, 0x1
004282CA |. EB 02 jmp XScnRec_.004282CE
004282CC |> 33C0 xor eax, eax
004282CE |> 85C0 test eax, eax
004282D0 |. 8946 18 mov dword ptr ds:[esi+0x18], eax
004282D3 |. 75 08 jnz XScnRec_.004282DD
004282D5 |. 50 push eax
004282D6 |. 8BCE mov ecx, esi
004282D8 |. E8 53F9FF>call ScnRec_.00427C30
004282DD |> 8BCE mov ecx, esi
004282DF |. E8 DCFAFF>call ScnRec_.00427DC0
004282E4 |. 8B4C24 10 mov ecx, dword ptr ss:[esp+0x10]
004282E8 |. 8B46 18 mov eax, dword ptr ds:[esi+0x18]
004282EB |. 5F pop edi
004282EC |. 5E pop esi
004282ED |. 64:890D 0>mov dword ptr fs:[0], ecx
004282F4 |. 83C4 14 add esp, 0x14
004282F7 \. C3 retn
Here is the function at 428050:
00428050 /$ 6A FF push -0x1
00428052 |. 68 C82650>push ScnRec_.005026C8 ; SE handler installation
00428057 |. 64:A1 000>mov eax, dword ptr fs:[0]
0042805D |. 50 push eax
0042805E |. 64:8925 0>mov dword ptr fs:[0], esp
00428065 |. 83EC 68 sub esp, 0x68
00428068 |. 55 push ebp
00428069 |. 57 push edi
0042806A |. 8BE9 mov ebp, ecx
0042806C |. B9 080000>mov ecx, 0x8
00428071 |. 33C0 xor eax, eax
00428073 |. 8D7C24 09 lea edi, dword ptr ss:[esp+0x9]
00428077 |. C64424 08>mov byte ptr ss:[esp+0x8], 0x0
0042807C |. F3:AB rep stos dword ptr es:[edi]
0042807E |. 8B8424 84>mov eax, dword ptr ss:[esp+0x84]
00428085 |. 8D4C24 08 lea ecx, dword ptr ss:[esp+0x8]
00428089 |. 50 push eax ;new e-mail name string
0042808A |. 51 push ecx
0042808B |. 8BCD mov ecx, ebp
0042808D |. E8 FEFDFF>call ScnRec_.00427E90 ;keep stepping in
At 427e90:
00427E90 /$ 64:A1 000>mov eax, dword ptr fs:[0]
00427E96 |. 6A FF push -0x1
00427E98 |. 68 AB2650>push ScnRec_.005026AB
00427E9D |. 50 push eax
00427E9E |. 64:8925 0>mov dword ptr fs:[0], esp
00427EA5 |. 81EC AC00>sub esp, 0xAC
00427EAB |. 53 push ebx
00427EAC |. 8B9C24 C4>mov ebx, dword ptr ss:[esp+0xC>
00427EB3 |. 85DB test ebx, ebx
00427EB5 |. 0F84 7001>je ScnRec_.0042802B
00427EBB |. 66:833B 0>cmp word ptr ds:[ebx], 0x0
00427EBF |. 0F84 6601>je ScnRec_.0042802B
00427EC5 |. 55 push ebp
00427EC6 |. 56 push esi
00427EC7 |. 57 push edi
00427EC8 |. 53 push ebx ; /s
00427EC9 |. FF15 8836>call Xdword ptr ds:[<&MSVCRT.w>; \wcslen
00427ECF |. 8BF8 mov edi, eax
00427ED1 |. 8D6F 01 lea ebp, dword ptr ds:[edi+0x1>
00427ED4 |. 55 push ebp
00427ED5 |. E8 D2C207>call <jmp.&MFC42u.#operator ne>
00427EDA |. 8BF0 mov esi, eax
00427EDC |. 83C4 08 add esp, 0x8
00427EDF |. 85F6 test esi, esi
00427EE1 |. 0F84 3A01>je ScnRec_.00428021
00427EE7 |. 6A 00 push 0x0 ; /pDefaultCharUsed = NULL
00427EE9 |. 6A 00 push 0x0 ; |pDefaultChar = NULL
00427EEB |. 55 push ebp ; |MultiByteCount
00427EEC |. 56 push esi ; |MultiByteStr
00427EED |. 6A FF push -0x1 ; |WideCharCount = FFFFFFFF (-1.)
00427EEF |. 53 push ebx ; |WideCharStr
00427EF0 |. 6A 00 push 0x0 ; |Options = 0
00427EF2 |. 6A 00 push 0x0 ; |CodePage = CP_ACP
00427EF4 |. FF15 FC31>call Xdword ptr ds:[<&KERNEL32>; \WideCharToMultiByte
00427EFA |. 8D4C24 24 lea ecx, dword ptr ss:[esp+0x2>
00427EFE |. E8 0D0800>call ScnRec_.00428710 ;call1
00427F03 |. 33C0 xor eax, eax
00427F05 |. 57 push edi
00427F06 |. 894424 15 mov dword ptr ss:[esp+0x15], e>
00427F0A |. 56 push esi
00427F0B |. 894424 1D mov dword ptr ss:[esp+0x1D], e>
00427F0F |. 8D4C24 2C lea ecx, dword ptr ss:[esp+0x2>
00427F13 |. 894424 21 mov dword ptr ss:[esp+0x21], e>
00427F17 |. C78424 CC>mov dword ptr ss:[esp+0xCC], 0>
00427F22 |. 66:894424>mov word ptr ss:[esp+0x25], ax
00427F27 |. C64424 18>mov byte ptr ss:[esp+0x18], 0x>
00427F2C |. 884424 27 mov byte ptr ss:[esp+0x27], al
00427F30 |. E8 3B0800>call ScnRec_.00428770 ; call2
00427F35 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+0x1>
00427F39 |. 51 push ecx
00427F3A |. 8D4C24 28 lea ecx, dword ptr ss:[esp+0x2>
00427F3E |. E8 ED0800>call ScnRec_.00428830 ; call3
00427F43 |. 8B5424 1F mov edx, dword ptr ss:[esp+0x1>
00427F47 |. 8B4424 1E mov eax, dword ptr ss:[esp+0x1>
00427F4B |. 8B4C24 1D mov ecx, dword ptr ss:[esp+0x1>
00427F4F |. 81E2 FF00>and edx, 0xFF
00427F55 |. 52 push edx ; /<%02X>;this format looks very familiar
00427F56 |. 8B5424 20 mov edx, dword ptr ss:[esp+0x2>; |
00427F5A |. 25 FF0000>and eax, 0xFF ; |
00427F5F |. 81E1 FF00>and ecx, 0xFF ; |
00427F65 |. 50 push eax ; |<%02X>
00427F66 |. 8B4424 23 mov eax, dword ptr ss:[esp+0x2>; |
00427F6A |. 81E2 FF00>and edx, 0xFF ; |
00427F70 |. 51 push ecx ; |<%02X>
00427F71 |. 8B4C24 26 mov ecx, dword ptr ss:[esp+0x2>; |
00427F75 |. 52 push edx ; |<%02X>
00427F76 |. 8B5424 29 mov edx, dword ptr ss:[esp+0x2>; |
00427F7A |. 25 FF0000>and eax, 0xFF ; |
00427F7F |. 81E1 FF00>and ecx, 0xFF ; |
00427F85 |. 50 push eax ; |<%02X>
00427F86 |. 8B4424 2C mov eax, dword ptr ss:[esp+0x2>; |
00427F8A |. 81E2 FF00>and edx, 0xFF ; |
00427F90 |. 51 push ecx ; |<%02X>
00427F91 |. 8B4C24 2F mov ecx, dword ptr ss:[esp+0x2>; |
00427F95 |. 52 push edx ; |<%02X>
00427F96 |. 8B5424 32 mov edx, dword ptr ss:[esp+0x3>; |
00427F9A |. 25 FF0000>and eax, 0xFF ; |
00427F9F |. 81E1 FF00>and ecx, 0xFF ; |
00427FA5 |. 50 push eax ; |<%02X>
00427FA6 |. 8B4424 35 mov eax, dword ptr ss:[esp+0x3>; |
00427FAA |. 81E2 FF00>and edx, 0xFF ; |
00427FB0 |. 51 push ecx ; |<%02X>
00427FB1 |. 8B4C24 38 mov ecx, dword ptr ss:[esp+0x3>; |
00427FB5 |. 52 push edx ; |<%02X>
00427FB6 |. 8B5424 3B mov edx, dword ptr ss:[esp+0x3>; |
00427FBA |. 25 FF0000>and eax, 0xFF ; |
00427FBF |. 81E1 FF00>and ecx, 0xFF ; |
00427FC5 |. 50 push eax ; |<%02X>
00427FC6 |. 8B4424 3E mov eax, dword ptr ss:[esp+0x3>; |
00427FCA |. 81E2 FF00>and edx, 0xFF ; |
00427FD0 |. 51 push ecx ; |<%02X>
00427FD1 |. 8B4C24 41 mov ecx, dword ptr ss:[esp+0x4>; |
00427FD5 |. 52 push edx ; |<%02X>
00427FD6 |. 8B5424 44 mov edx, dword ptr ss:[esp+0x4>; |
00427FDA |. 25 FF0000>and eax, 0xFF ; |
00427FDF |. 81E1 FF00>and ecx, 0xFF ; |
00427FE5 |. 50 push eax ; |<%02X>
00427FE6 |. 8B8424 04>mov eax, dword ptr ss:[esp+0x1>; |
00427FED |. 81E2 FF00>and edx, 0xFF ; |
00427FF3 |. 51 push ecx ; |<%02X>
00427FF4 |. 52 push edx ; |<%02X>
00427FF5 |. 68 C06F54>push ScnRec_.00546FC0 ; |format = "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
00427FFA |. 50 push eax ; |s
00427FFB |. FF15 D436>call Xdword ptr ds:[<&MSVCRT.s>; \sprintf
00428001 |. 83C4 48 add esp, 0x48
00428004 |. 8D4C24 24 lea ecx, dword ptr ss:[esp+0x2>
00428008 |. C78424 C4>mov dword ptr ss:[esp+0xC4], ->
00428013 |. E8 48C806>call ScnRec_.00494860
00428018 |. 56 push esi ; /block
00428019 |. E8 CEC007>call <jmp.&MFC42u.#operator de>; \free
0042801E |. 83C4 04 add esp, 0x4
00428021 |> 5F pop edi
00428022 |. 5E pop esi
00428023 |. B8 010000>mov eax, 0x1
00428028 |. 5D pop ebp
00428029 |. EB 02 jmp XScnRec_.0042802D
0042802B |> 33C0 xor eax, eax
0042802D |> 8B8C24 B0>mov ecx, dword ptr ss:[esp+0xB>
00428034 |. 5B pop ebx
00428035 |. 64:890D 0>mov dword ptr fs:[0], ecx
0042803C |. 81C4 B800>add esp, 0xB8
00428042 \. C2 0800 retn 0x8
You can see that this function runs the new e-mail string through three computations, call1, call2 and call3, and then prints the result with sprintf.
Step into call1 at 428710:
00428710 /$ 56 push esi
00428711 |. 8BF1 mov esi, ecx
00428713 |. E8 080000>call ScnRec_.00428720;step in again
00428718 |. 8BC6 mov eax, esi
0042871A |. 5E pop esi
0042871B \. C3 retn
At call 428720:
00428720 /$ 8BD1 mov edx, ecx
00428722 |. 57 push edi
00428723 |. 33C0 xor eax, eax
00428725 |. B9 100000>mov ecx, 0x10
0042872A |. 8D7A 18 lea edi, dword ptr ds:[edx+0x18]
0042872D |. 8942 14 mov dword ptr ds:[edx+0x14], eax
00428730 |. 8942 10 mov dword ptr ds:[edx+0x10], eax
00428733 |. C702 0123>mov dword ptr ds:[edx], 0x67452301
00428739 |. C742 04 8>mov dword ptr ds:[edx+0x4], 0xEFCDAB89
00428740 |. C742 08 F>mov dword ptr ds:[edx+0x8], 0x98BADCFE
00428747 |. C742 0C 7>mov dword ptr ds:[edx+0xC], 0x10325476
0042874E |. 83C2 58 add edx, 0x58
00428751 |. F3:AB rep stos dword ptr es:[edi]
00428753 |. B9 100000>mov ecx, 0x10
00428758 |. 8BFA mov edi, edx
0042875A |. F3:AB rep stos dword ptr es:[edi]
0042875C |. C602 80 mov byte ptr ds:[edx], 0x80
0042875F |. 5F pop edi
00428760 \. C3 retn
Some odd-looking data can be seen here. These are MD5's initialization values, 0x67452301 0xEFCDAB89 0x98BADCFE 0x10325476 (the familiar 0123456789abcdef / fedcba9876543210 pattern), but seeing only these is not enough to be sure it is MD5; we have to look further. After returning, continue into call2:
00428904 |. 23CB and ecx, ebx
00428906 |. 8BFB mov edi, ebx
00428908 |. 0BC1 or eax, ecx
0042890A |. 8B4C24 14 mov ecx, dword ptr ss:[esp+0x14]
0042890E |. 03C1 add eax, ecx
00428910 |. 8B4C24 10 mov ecx, dword ptr ss:[esp+0x10]
00428914 |. 8D8C01 78>lea ecx, dword ptr ds:[ecx+eax+0xD76AA478];seeing this constant basically confirms it is MD5.
0042891B |. 8BC1 mov eax, ecx
0042891D |. C1E8 19 shr eax, 0x19
00428920 |. C1E1 07 shl ecx, 0x7
00428923 |. 0BC1 or eax, ecx
00428925 |. 03C3 add eax, ebx
00428927 |. 8BC8 mov ecx, eax
00428929 |. 23F8 and edi, eax
0042892B |. F7D1 not ecx
0042892D |. 23CD and ecx, ebp
0042892F |. 0BCF or ecx, edi
00428931 |. 8B7C24 18 mov edi, dword ptr ss:[esp+0x18]
00428935 |. 03CF add ecx, edi
00428937 |. 8D940A 56>lea edx, dword ptr ds:[edx+ecx+0xE8C7B756];MD5 round constant
0042893E |. 8BCA mov ecx, edx
00428940 |. C1E9 14 shr ecx, 0x14
00428943 |. C1E2 0C shl edx, 0xC
00428946 |. 0BCA or ecx, edx
00428948 |. 03C8 add ecx, eax
0042894A |. 8BD1 mov edx, ecx
There is a lot more of the algorithm after this, so I am not pasting it...
After stepping out, just F8 over call3; at sprintf you can see the MD5 result string: C3F4499B98E4FAA793BBB76F3F6D66DA
After returning you come to the following:
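The identification step described at 428720 and 428904, as an added C example (not from the page or the program): a small scanner that looks for the MD5 initial state and the first round constants as little-endian immediates in a raw code buffer. `scan_md5_constants`, `looks_like_md5` and the sample bytes are constructed for this illustration; the sample encodes the instructions shown in the listing.

```c
#include <stddef.h>
#include <stdint.h>

/* MD5 initial state A,B,C,D (listing at 00428733-00428747) and the first two
 * round constants T[1], T[2] (00428914, 00428937). */
static const uint32_t md5_signature[] = {
    0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u,   /* IV: bits 0..3 */
    0xD76AA478u, 0xE8C7B756u,                             /* T[1], T[2]: bits 4..5 */
};
#define MD5_SIG_COUNT (sizeof md5_signature / sizeof md5_signature[0])

/* Scan a raw code/data buffer for each constant as a 32-bit little-endian
 * value (x86 stores immediates little-endian, so 0x67452301 appears as the
 * bytes 01 23 45 67). Returns a bitmask: bit k set = md5_signature[k] seen. */
unsigned scan_md5_constants(const uint8_t *buf, size_t len)
{
    unsigned found = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t v = (uint32_t)buf[i]
                   | ((uint32_t)buf[i + 1] << 8)
                   | ((uint32_t)buf[i + 2] << 16)
                   | ((uint32_t)buf[i + 3] << 24);
        for (size_t k = 0; k < MD5_SIG_COUNT; k++)
            if (v == md5_signature[k])
                found |= 1u << k;
    }
    return found;
}

/* The write-up's two-step reasoning: the full IV is only suggestive (MD4 and
 * SHA-1 start from the same four words); a round constant on top settles it. */
int looks_like_md5(unsigned mask)
{
    return (mask & 0x0Fu) == 0x0Fu && (mask & 0x30u) != 0;
}

/* Constructed sample buffer: byte encodings of the instructions in the listing
 * (mov dword ptr [edx],imm32 = C7 02 imm32; mov [edx+d8],imm32 = C7 42 d8 imm32;
 * lea ecx,[ecx+eax+d32] = 8D 8C 01 d32), with NOP padding between them. */
static const uint8_t sample_code[] = {
    0xC7, 0x02,       0x01, 0x23, 0x45, 0x67,   /* mov [edx],   0x67452301 */
    0xC7, 0x42, 0x04, 0x89, 0xAB, 0xCD, 0xEF,   /* mov [edx+4], 0xEFCDAB89 */
    0xC7, 0x42, 0x08, 0xFE, 0xDC, 0xBA, 0x98,   /* mov [edx+8], 0x98BADCFE */
    0xC7, 0x42, 0x0C, 0x76, 0x54, 0x32, 0x10,   /* mov [edx+C], 0x10325476 */
    0x90, 0x90, 0x90,                           /* padding */
    0x8D, 0x8C, 0x01, 0x78, 0xA4, 0x6A, 0xD7,   /* lea ecx,[ecx+eax+0xD76AA478] */
};

unsigned scan_sample(void)
{
    return scan_md5_constants(sample_code, sizeof sample_code);
}
```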
004280F0 |> /8D5424 34 /lea edx, dword ptr ss:[esp+0x34]
004280F4 |. |6A 21 |push 0x21
004280F6 |. |52 |push edx
004280F7 |. |8D4424 18 |lea eax, dword ptr ss:[esp+0x18]
004280FB |. |6A FF |push -0x1
004280FD |. |50 |push eax
004280FE |. |6A 00 |push 0x0
00428100 |. |6A 00 |push 0x0
00428102 |. |FFD3 |call Xebx
00428104 |. |8D4C24 34 |lea ecx, dword ptr ss:[esp+0x34]
00428108 |. |8D5424 10 |lea edx, dword ptr ss:[esp+0x10]
0042810C |. |51 |push ecx
0042810D |. |52 |push edx
0042810E |. |8BCD |mov ecx, ebp
00428110 |. |E8 7BFDFF>|call ScnRec_.00427E90 ;MD5
00428115 |. |33F6 |xor esi, esi
00428117 |> |66:8B4474>|/mov ax, word ptr ss:[esp+esi*2+0x34]
0042811C |. |50 ||push eax ; /w
0042811D |. |FF15 D036>||call Xdword ptr ds:[<&MSVCRT.iswalpha>] ; \iswalpha
00428123 |. |83C4 04 ||add esp, 0x4
00428126 |. |85C0 ||test eax, eax
00428128 |. |0F85 8600>||jnz ScnRec_.004281B4
0042812E |. |8BC6 ||mov eax, esi
00428130 |. |25 010000>||and eax, 0x80000001
00428135 |. |79 05 ||jns XScnRec_.0042813C
00428137 |. |48 ||dec eax
00428138 |. |83C8 FE ||or eax, 0xFFFFFFFE
0042813B |. |40 ||inc eax
0042813C |> |74 16 ||je XScnRec_.00428154
0042813E |. |33C9 ||xor ecx, ecx
00428140 |. |66:8B4C74>||mov cx, word ptr ss:[esp+esi*2+0x34]
00428145 |. |81E1 0100>||and ecx, 0x80000001
0042814B |. |79 05 ||jns XScnRec_.00428152
0042814D |. |49 ||dec ecx
0042814E |. |83C9 FE ||or ecx, 0xFFFFFFFE
00428151 |. |41 ||inc ecx
00428152 |> |75 60 ||jnz XScnRec_.004281B4
00428154 |> |85C0 ||test eax, eax
00428156 |. |75 16 ||jnz XScnRec_.0042816E
00428158 |. |33D2 ||xor edx, edx
0042815A |. |66:8B5474>||mov dx, word ptr ss:[esp+esi*2+0x34]
0042815F |. |81E2 0100>||and edx, 0x80000001 ; edx=edx&0x80000001
00428165 |. |79 05 ||jns XScnRec_.0042816C
00428167 |. |4A ||dec edx
00428168 |. |83CA FE ||or edx, 0xFFFFFFFE ;edx=edx|0xFFFFFFFE
0042816B |. |42 ||inc edx
0042816C |> |74 46 ||je XScnRec_.004281B4
0042816E |> |33C0 ||xor eax, eax
00428170 |. |B9 140000>||mov ecx, 0x14
00428175 |. |66:8B4474>||mov ax, word ptr ss:[esp+esi*2+0x34]
0042817A |. |03C6 ||add eax, esi ;eax=eax+esi
0042817C |. |03C7 ||add eax, edi ;eax=eax+edi
0042817E |. |99 ||cdq
0042817F |. |F7F9 ||idiv ecx ;eax=eax/ecx, remainder in edx
00428181 |. |8D42 47 ||lea eax, dword ptr ds:[edx+0x47]
00428184 |. |66:3D 4F0>||cmp ax, 0x4F ;ax==0x4f?
00428188 |. |66:894474>||mov word ptr ss:[esp+esi*2+0x34], ax
0042818D |. |75 07 ||jnz XScnRec_.00428196
0042818F |. |66:C74474>||mov word ptr ss:[esp+esi*2+0x34], 0x30
00428196 |> |66:837C74>||cmp word ptr ss:[esp+esi*2+0x34], 0x49
0042819C |. |75 07 ||jnz XScnRec_.004281A5
0042819E |. |66:C74474>||mov word ptr ss:[esp+esi*2+0x34], 0x31
004281A5 |> |66:837C74>||cmp word ptr ss:[esp+esi*2+0x34], 0x5A
004281AB |. |75 07 ||jnz XScnRec_.004281B4
004281AD |. |66:C74474>||mov word ptr ss:[esp+esi*2+0x34], 0x32
004281B4 |> |46 ||inc esi
004281B5 |. |83FE 20 ||cmp esi, 0x20
004281B8 |.^|0F8C 59FF>|\jl ScnRec_.00428117
004281BE |. |8D5424 34 |lea edx, dword ptr ss:[esp+0x34]
004281C2 |. |8BCD |mov ecx, ebp
004281C4 |. |52 |push edx
004281C5 |. |E8 66FAFF>|call ScnRec_.00427C30
004281CA |. |8B8424 8C>|mov eax, dword ptr ss:[esp+0x8C]
004281D1 |. |8B4D 0C |mov ecx, dword ptr ss:[ebp+0xC]
004281D4 |. |50 |push eax ; /wstr2 entered code
004281D5 |. |51 |push ecx ; |wstr1 real code
004281D6 |. |FF15 7C36>|call Xdword ptr ds:[<&MSVCRT.wcscmp>] ; \wcscmp
004281DC |. |83C4 08 |add esp, 0x8
004281DF |. |85C0 |test eax, eax
004281E1 |. |74 10 |je XScnRec_.004281F3
004281E3 |. |8B8424 88>|mov eax, dword ptr ss:[esp+0x88]
004281EA |. |47 |inc edi
004281EB |. |3BF8 |cmp edi, eax
004281ED |.^\0F8C FDFE>\jl ScnRec_.004280F0
This is a nested loop: the outer loop runs a thousand times (the 3e8 seen earlier), and each outer iteration hashes the previous iteration's result again; the inner loop processes the hashed string to produce a new string, which is then compared with the entered code.
III. Summary of the program's algorithm:
1. Get the user name (unused), e-mail and password.
2. Convert the password into the form xxxxx-xxxxx-xxxxx-xxxxx-xxxxx.
3. Concatenate the e-mail with a fixed string to get a new string str1.
4. MD5 the new string str1 and apply some further operations to get str2, then convert str2 into the xxxxx-xxxxx-xxxxx-xxxxx-xxxxx form.
5. Compare the original password with str2. If it does not match, set str1=str2 and go back to step 4; this loops a thousand times.
IV. Having analysed this far, a memory keygen can be used; I used 刘建英's keymake. The settings are as follows:
V. The result screenshot is as follows: