【原创】资料收集管理专家1.7正式版算法详尽分析
【作者】WindayJiang
【日期】2006.01.28
【破解声明】无聊时随便下的软件,算法简单,适合新手学习
【破解工具】OllyDbg, PEiD
【破解难度】EASY
【软件保护】SN
没有加壳,查一下字串,向上翻来到这里:
00505A40 .>CALL DataColl.0044DCA4
00505A45 .>MOV EAX,DWORD PTR SS:[EBP-8] ; 注册码到EAX
00505A48 .>PUSH EAX
00505A49 .>LEA EDX,DWORD PTR SS:[EBP-C]
00505A4C .>MOV EAX,DWORD PTR DS:[EBX+314]
00505A52 .>CALL DataColl.0044DCA4
00505A57 .>MOV EAX,DWORD PTR SS:[EBP-C] ; 组织名到EAX
00505A5A .>PUSH EAX
00505A5B .>LEA EDX,DWORD PTR SS:[EBP-10]
00505A5E .>MOV EAX,DWORD PTR DS:[EBX+310]
00505A64 .>CALL DataColl.0044DCA4
00505A69 .>MOV EDX,DWORD PTR SS:[EBP-10] ; 用户名到EDX
00505A6C .>MOV EAX,DWORD PTR DS:[EBX+32C]
00505A72 .>POP ECX
00505A73 .>CALL DataColl.00504AF0 ; 算法CALL
00505A78 .>TEST AL,AL
00505A7A .>JNZ SHORT DataColl.00505AA8 ; AL≠0 跳向注册成功分支,不跳GAMEOVER(整个验证只靠这一处 TEST AL,AL 的单点判断)
.......................................................
跟进505A73后见到:
......省略一部分不关重要的......
00504B21 |.>PUSH EBP
00504B22 |.>PUSH DataColl.00504BDA
00504B27 |.>PUSH DWORD PTR FS:[EAX]
00504B2A |.>MOV DWORD PTR FS:[EAX],ESP
00504B2D |.>MOV EAX,DWORD PTR SS:[EBP-4]
00504B30 |.>CALL DataColl.00404FFC
00504B35 |.>CMP EAX,DWORD PTR DS:[EBX+4C] ; 用户名长度与 [EBX+4C] 比较(上限不是立即数,调试时看到的值为 100)
00504B38 |.>JG SHORT DataColl.00504B53 ; 没有人用那么长的吧。。。汗
00504B3A |.>MOV EAX,DWORD PTR SS:[EBP-4] ; 用户名到EAX
00504B3D |.>CALL DataColl.00404FFC
00504B42 |.>CMP EAX,DWORD PTR DS:[EBX+50] ; 用户名长度与 [EBX+50] 比较(下限同样取自对象字段,调试时看到的值为 3)
00504B45 |.>JL SHORT DataColl.00504B53 ; 小于3大于100估计都没好事
00504B47 |.>MOV EAX,DWORD PTR SS:[EBP+8] ; 注册码到EAX
00504B4A |.>CALL DataColl.00404FFC
00504B4F |.>TEST EAX,EAX ; 注册码长度为 0(即为空)则落到 504B53,返回失败
00504B51 |.>JNZ SHORT DataColl.00504B57
00504B53 |>>XOR EBX,EBX
00504B55 |.>JMP SHORT DataColl.00504BB7
00504B57 |>>LEA EDX,DWORD PTR SS:[EBP-C]
00504B5A |.>MOV EAX,DWORD PTR SS:[EBP+8]
00504B5D |.>CALL DataColl.00409574 ; 据观察这里将注册码的字母变大写,结果放到 [EBP-C],随后(504B68)写回 [EBP+8]
00504B62 |.>MOV EDX,DWORD PTR SS:[EBP-C]
00504B65 |.>LEA EAX,DWORD PTR SS:[EBP+8]
00504B68 |.>CALL DataColl.00404DDC
00504B6D |.>LEA ECX,DWORD PTR SS:[EBP-10]
00504B70 |.>MOV EDX,DWORD PTR SS:[EBP-4]
00504B73 |.>MOV EAX,EBX
00504B75 |.>CALL DataColl.005046C0 ; 算法CALL
00504B7A |.>MOV EAX,DWORD PTR SS:[EBP-10] ; 真码:算法算出的正确注册码,此时已是明文放在内存 [EBP-10] 中,在此下断即可直接读出
00504B7D |.>MOV EDX,DWORD PTR SS:[EBP+8] ; 假码:用户输入的注册码(已转为大写)
00504B80 |.>CALL DataColl.004095EC ; 字符串比较CALL,由下面的 TEST EAX,EAX / JE 可知返回 0 表示相等
00504B85 |.>TEST EAX,EAX
00504B87 |.>JE SHORT DataColl.00504B8D
00504B89 |.>XOR EBX,EBX ; 清空标志位
00504B8B |.>JMP SHORT DataColl.00504BB7
00504B8D |>>LEA EAX,DWORD PTR DS:[EBX+48]
00504B90 |.>MOV EDX,DWORD PTR SS:[EBP-4]
00504B93 |.>CALL DataColl.00404D98
00504B98 |.>LEA EAX,DWORD PTR DS:[EBX+54]
00504B9B |.>MOV EDX,DWORD PTR SS:[EBP-8]
00504B9E |.>CALL DataColl.00404D98
00504BA3 |.>LEA EAX,DWORD PTR DS:[EBX+5C]
00504BA6 |.>MOV EDX,DWORD PTR SS:[EBP+8]
00504BA9 |.>CALL DataColl.00404D98
00504BAE |.>MOV EAX,EBX
00504BB0 |.>CALL DataColl.00504E10
00504BB5 |.>MOV BL,1 ; 标志位置1(只改 EBX 的低字节;调用方 505A78 也只检查 AL)
00504BB7 |>>XOR EAX,EAX
00504BB9 |.>POP EDX
00504BBA |.>POP ECX
00504BBB |.>POP ECX
00504BBC |.>MOV DWORD PTR FS:[EAX],EDX
00504BBF |.>PUSH DataColl.00504BE1
00504BC4 |>>LEA EAX,DWORD PTR SS:[EBP-10]
00504BC7 |.>MOV EDX,4
00504BCC |.>CALL DataColl.00404D68
00504BD1 |.>LEA EAX,DWORD PTR SS:[EBP+8]
00504BD4 |.>CALL DataColl.00404D44
00504BD9 \.>RETN
00504BDA .>JMP DataColl.00404608
00504BDF .>JMP SHORT DataColl.00504BC4
00504BE1 .>MOV EAX,EBX ; 标志位到EAX,待会就用AL比较
00504BE3 .>POP EBX
00504BE4 .>MOV ESP,EBP
00504BE6 .>POP EBP
00504BE7 .>RETN 4
......................................................
跟进504B75看看
......省略一部分......
005046F3 |.>LEA EDX,DWORD PTR SS:[EBP-24]
005046F6 |.>MOV EAX,ESI
005046F8 |.>CALL DataColl.00505604 ; 检验码CALL
005046FD |.>MOV EAX,DWORD PTR SS:[EBP-24]
00504700 |.>LEA EDX,DWORD PTR SS:[EBP-14]
00504703 |.>CALL DataColl.004097C4
00504708 |.>CMP DWORD PTR SS:[EBP-14],0 ; 检验码是否为空(字符串指针为 0):为空则不拆分,直接把用户名复制到 [EBP-20] 当作后面的输入串
0050470C |.>JNZ SHORT DataColl.0050471B
0050470E |.>LEA EAX,DWORD PTR SS:[EBP-20]
00504711 |.>MOV EDX,DWORD PTR SS:[EBP-4]
00504714 |.>CALL DataColl.00404DDC
00504719 |.>JMP SHORT DataColl.00504778
0050471B |>>MOV EAX,DWORD PTR SS:[EBP-14]
0050471E |.>CALL DataColl.00404FFC ; 检验码长度
00504723 |.>MOV EBX,EAX
00504725 |.>LEA EAX,DWORD PTR SS:[EBP-18]
00504728 |.>PUSH EAX
00504729 |.>MOV ECX,EBX
0050472B |.>SAR ECX,1 ; 算术右移 1(不是逻辑右移),配合下面的 JNS/ADC ECX,0 就是带符号的 len div 2,即欲取的前半段长度
0050472D |.>JNS SHORT DataColl.00504732
0050472F |.>ADC ECX,0
00504732 |>>MOV EDX,1
00504737 |.>MOV EAX,DWORD PTR SS:[EBP-14]
0050473A |.>CALL DataColl.00405254 ; 类似MID功能
0050473F |.>LEA EAX,DWORD PTR SS:[EBP-1C]
00504742 |.>PUSH EAX
00504743 |.>MOV EAX,EBX
00504745 |.>SAR EAX,1
00504747 |.>JNS SHORT DataColl.0050474C
00504749 |.>ADC EAX,0
0050474C |>>MOV ECX,EBX
0050474E |.>SUB ECX,EAX ; 检验码长度减去前半段长度(len - len div 2),得到后半段的长度
00504750 |.>MOV EDX,EBX
00504752 |.>SAR EDX,1
00504754 |.>JNS SHORT DataColl.00504759
00504756 |.>ADC EDX,0
00504759 |>>INC EDX ; 后半段起始位置 = len div 2 + 1
0050475A |.>MOV EAX,DWORD PTR SS:[EBP-14]
0050475D |.>CALL DataColl.00405254 ; 类似MID功能
00504762 |.>PUSH DWORD PTR SS:[EBP-18]
00504765 |.>PUSH DWORD PTR SS:[EBP-4]
00504768 |.>PUSH DWORD PTR SS:[EBP-1C]
0050476B |.>LEA EAX,DWORD PTR SS:[EBP-20]
0050476E |.>MOV EDX,3
00504773 |.>CALL DataColl.004050BC ; 串接字符:检验码一部分+用户名+另一部分
00504778 |>>MOV DWORD PTR SS:[EBP-10],0
0050477F |.>MOV DWORD PTR SS:[EBP-C],0
00504786 |.>MOV EAX,DWORD PTR SS:[EBP-4]
00504789 |.>CALL DataColl.00404FFC ; 用户名长度
0050478E |.>CMP EAX,DWORD PTR DS:[ESI+4C]
00504791 |.>JG SHORT DataColl.005047A0 ; 大于100跳
00504793 |.>MOV EAX,DWORD PTR SS:[EBP-4]
00504796 |.>CALL DataColl.00404FFC
0050479B |.>CMP EAX,DWORD PTR DS:[ESI+50]
0050479E |.>JGE SHORT DataColl.005047AC ; 大于等于3跳
005047A0 |>>MOV EAX,EDI
005047A2 |.>CALL DataColl.00404D44
005047A7 |.>JMP DataColl.0050483D
005047AC |>>MOV EAX,DWORD PTR SS:[EBP-20]
005047AF |.>CALL DataColl.00404FFC ; 串接后的字符串长度
005047B4 |.>MOV EBX,EAX
005047B6 |.>JMP SHORT DataColl.005047EF
005047B8 |>>/MOV EAX,DWORD PTR SS:[EBP-10]
005047BB |.>|MOV EDX,DWORD PTR SS:[EBP-C]
005047BE |.>|ADD EAX,DWORD PTR DS:[ESI+68] ; 64 位累加:EDX:EAX += [ESI+6C]:[ESI+68],常量取自对象字段,调试时看到低 32 位为 0xA934C0AF
005047C1 |.>|ADC EDX,DWORD PTR DS:[ESI+6C] ; 高 32 位带进位相加,调试时看到的值为 0x2E
005047C4 |.>|PUSH EDX
005047C5 |.>|PUSH EAX
005047C6 |.>|MOV EAX,DWORD PTR SS:[EBP-20]
005047C9 |.>|MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; 从最后串接字符串开始依次向前取字符
005047CE |.>|PUSH EAX
005047CF |.>|MOV EAX,459 ; 被除数 EAX=0x459(十进制 1113)
005047D4 |.>|POP EDX
005047D5 |.>|MOV ECX,EDX ; EDX是字符值
005047D7 |.>|XOR EDX,EDX
005047D9 |.>|DIV ECX ; 无符号除法 EDX:EAX / 字符值(EDX 已在上一句清零);注意若串中出现 0 字节则 ECX=0,会触发除零异常
005047DB |.>|MOV EAX,EDX ; 余数到EAX
005047DD |.>|XOR EDX,EDX
005047DF |.>|SUB DWORD PTR SS:[ESP],EAX ; 栈上保存的 64 位结果减去余数(SUB/SBB 成对,高位只减借位)
005047E2 |.>|SBB DWORD PTR SS:[ESP+4],EDX
005047E6 |.>|POP EAX
005047E7 |.>|POP EDX
005047E8 |.>|MOV DWORD PTR SS:[EBP-10],EAX ; 保存新的结果,等会做迭加
005047EB |.>|MOV DWORD PTR SS:[EBP-C],EDX ; 同上
005047EE |.>|DEC EBX
005047EF |>> MOV EAX,DWORD PTR SS:[EBP-20]
005047F2 |.>|CALL DataColl.00404FFC
005047F7 |.>|CMP EBX,EAX
005047F9 |.>|JG SHORT DataColl.005047FF
005047FB |.>|TEST EBX,EBX
005047FD |.>\JG SHORT DataColl.005047B8
005047FF |>>MOV EBX,DWORD PTR DS:[ESI+60]
00504802 |.>TEST EBX,EBX
00504804 |.>JG SHORT DataColl.00504817 ; [ESI+60] 大于 0 则跳,正常应该会跳的;该值随后作为 00409B44 的 EAX 参数,作者称其为检验码长度,这里未能进一步验证
00504806 |.>PUSH DWORD PTR SS:[EBP-C] ; /Arg2
00504809 |.>PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0050480C |.>MOV EDX,EDI ; |
0050480E |.>XOR EAX,EAX ; |
00504810 |.>CALL DataColl.00409B44 ; \DataColl.00409B44
00504815 |.>JMP SHORT DataColl.0050483D
00504817 |>>PUSH DWORD PTR SS:[EBP-C] ; /刚才的结果1
0050481A |.>PUSH DWORD PTR SS:[EBP-10] ; |结果2
0050481D |.>MOV EDX,EDI ; |
0050481F |.>MOV EAX,EBX ; |
00504821 |.>CALL DataColl.00409B44 ; \串接
00504826 |.>MOV EAX,DWORD PTR DS:[EDI] ; EDI 指向结果串,00409B44 把 64 位结果写成字符串后,[EDI] 就是算出的真码(注册码)了
总的来说,算法还是可以的,思路也很清晰,可惜用了明码作比较,败笔!真码在 00504B80 比较之前就以明文放在 [EBP-10] 中,下断即可直接读出;又因为 005046C0 只依赖用户名(和程序自带的检验码/常量)来生成真码,把这段逻辑照抄就是一个注册机;再加上 00505A7A 处只有一个 TEST AL,AL / JNZ 的单点判断,改一个跳转也能绕过。