
[原创]第一题分析

2016-11-1 22:50
所用工具: od

以下为分析过程:用OD附加,下断GetWindowTextW,得到以下位置
; sub_01151CB0(this = ecx, mode = edx) -- the function reached by breaking on GetWindowTextW in OllyDbg.
; Register roles that the code below establishes: edi = this; [edi+0x4] = hwnd passed to
; SendMessageW; [edi+0xC] = hwnd of the edit control read by GetWindowTextW.
; mode == 0 takes the 'b'/'p' check path; mode != 0 takes the length-check path at 01151D57.
; [ebp-0x4] = [0x116F014] ^ ebp on entry, and 01152CC5(ecx = [ebp-0x4] ^ ebp) runs before every
; retn: that is the MSVC /GS stack-cookie pattern, so 01152CC5 is presumably
; __security_check_cookie (its body is not shown -- confirm).
01151CB0    55              push    ebp
01151CB1    8BEC            mov     ebp, esp
01151CB3    81EC D0000000   sub     esp, 0xD0                    ; locals: [ebp-0xD0] saved 011548DE result, [ebp-0xCC] 0xC8-byte text buffer, [ebp-0x4] cookie
01151CB9    A1 14F01601     mov     eax, dword ptr [0x116F014]   ; presumably __security_cookie
01151CBE    33C5            xor     eax, ebp
01151CC0    8945 FC         mov     dword ptr [ebp-0x4], eax
01151CC3    57              push    edi
01151CC4    8BF9            mov     edi, ecx                     ; edi = this
01151CC6    85FF            test    edi, edi
01151CC8    0F84 61010000   je      01151E2F                     ; this == NULL -> straight to the epilogue
01151CCE    85D2            test    edx, edx
01151CD0    0F85 81000000   jnz     01151D57                     ; mode != 0 -> length-check path
01151CD6    E8 25FFFFFF     call    01151C00       ; author: checks whether the code contains 'b' (only edi/this is set up for it here; not verifiable from this listing)
01151CDB    85C0            test    eax, eax
01151CDD    74 54           je      short 01151D33               ; not found -> notify 0x40F
01151CDF    68 C8000000     push    0xC8
01151CE4    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151CEA    6A 00           push    0x0
01151CEC    50              push    eax
01151CED    E8 DE1C0000     call    <memset>                     ; memset(buf, 0, 0xC8)
01151CF2    83C4 0C         add     esp, 0xC
01151CF5    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151CFB    6A 64           push    0x64                         ; nMaxCount = 100 wchars = 200 bytes: fits the 0xC8-byte buffer
01151CFD    50              push    eax
01151CFE    FF77 0C         push    dword ptr [edi+0xC]
01151D01    FF15 4C811601   call    dword ptr [<&USER32.GetWindowTex>; user32.GetWindowTextW([edi+0xC], buf, 0x64)
01151D07    6A 70           push    0x70                         ; L'p'
01151D09    8D95 34FFFFFF   lea     edx, dword ptr [ebp-0xCC]
01151D0F    E8 3C0D0000     call    01152A50    ; author: checks whether the code contains 'p' (edx = buf, 0x70 = L'p' on the stack)
01151D14    85C0            test    eax, eax
01151D16    74 1B           je      short 01151D33               ; not found -> notify 0x40F
01151D18    BA 01000000     mov     edx, 0x1
01151D1D    8BCF            mov     ecx, edi
01151D1F    E8 8CFFFFFF     call    01151CB0                     ; recurse into this same function with mode = 1 -> length-check path
01151D24    5F              pop     edi
01151D25    8B4D FC         mov     ecx, dword ptr [ebp-0x4]
01151D28    33CD            xor     ecx, ebp
01151D2A    E8 960F0000     call    01152CC5                     ; cookie check (presumed __security_check_cookie)
01151D2F    8BE5            mov     esp, ebp
01151D31    5D              pop     ebp
01151D32    C3              retn
01151D33    6A 00           push    0x0                          ; failure path: SendMessageW([edi+0x4], 0x111 = WM_COMMAND, 0x40F, 0)
01151D35    68 0F040000     push    0x40F
01151D3A    68 11010000     push    0x111
01151D3F    FF77 04         push    dword ptr [edi+0x4]
01151D42    FF15 50811601   call    dword ptr [<&USER32.SendMessageW>; user32.SendMessageW
01151D48    5F              pop     edi
01151D49    8B4D FC         mov     ecx, dword ptr [ebp-0x4]
01151D4C    33CD            xor     ecx, ebp
01151D4E    E8 720F0000     call    01152CC5                     ; cookie check
01151D53    8BE5            mov     esp, ebp
01151D55    5D              pop     ebp
01151D56    C3              retn
; NOTE: the twelve lines 01151D33..01151D56 appear a second time in the original post (paste duplicate); kept verbatim.
01151D33    6A 00           push    0x0
01151D35    68 0F040000     push    0x40F
01151D3A    68 11010000     push    0x111
01151D3F    FF77 04         push    dword ptr [edi+0x4]
01151D42    FF15 50811601   call    dword ptr [<&USER32.SendMessageW>; user32.SendMessageW
01151D48    5F              pop     edi
01151D49    8B4D FC         mov     ecx, dword ptr [ebp-0x4]
01151D4C    33CD            xor     ecx, ebp
01151D4E    E8 720F0000     call    01152CC5
01151D53    8BE5            mov     esp, ebp
01151D55    5D              pop     ebp
01151D56    C3              retn
01151D57    56              push    esi                          ; ---- length-check path (mode != 0) ----
01151D58    E8 812B0000     call    011548DE                     ; first 011548DE() reading; paired with the second one at 01151DC9
01151D5D    68 C8000000     push    0xC8
01151D62    8985 30FFFFFF   mov     dword ptr [ebp-0xD0], eax
01151D68    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151D6E    6A 00           push    0x0
01151D70    50              push    eax
01151D71    E8 5A1C0000     call    <memset>                     ; memset(buf, 0, 0xC8)
01151D76    83C4 0C         add     esp, 0xC
01151D79    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151D7F    68 C8000000     push    0xC8                         ; nMaxCount = 0xC8 WCHARs = up to 400 bytes, but the buffer is only 0xC8 bytes
01151D84    50              push    eax
01151D85    FF77 0C         push    dword ptr [edi+0xC]
01151D88    FF15 4C811601   call    dword ptr [<&USER32.GetWindowTex>; user32.GetWindowTextW -- input longer than 99 chars overruns [ebp-0xCC] and reaches the cookie at [ebp-0x4] (stack buffer overflow; caught only by the cookie check at exit, unless the edit control limits its length)
01151D8E    33F6            xor     esi, esi
01151D90    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151D96    66:39B5 34FFFFF>cmp     word ptr [ebp-0xCC], si      ; esi = wcslen(buf)
01151D9D    74 0B           je      short 01151DAA
01151D9F    90              nop
01151DA0    8D40 02         lea     eax, dword ptr [eax+0x2]
01151DA3    46              inc     esi
01151DA4    66:8338 00      cmp     word ptr [eax], 0x0
01151DA8  ^ 75 F6           jnz     short 01151DA0
01151DAA    33C9            xor     ecx, ecx
01151DAC    8D46 01         lea     eax, dword ptr [esi+0x1]     ; size = (esi + 1) * 2 ...
01151DAF    BA 02000000     mov     edx, 0x2
01151DB4    F7E2            mul     edx
01151DB6    53              push    ebx
01151DB7    0F90C1          seto    cl                           ; ... saturated to 0xFFFFFFFF on unsigned overflow (seto / neg / or): compiler-style new[] size guard
01151DBA    F7D9            neg     ecx
01151DBC    0BC8            or      ecx, eax
01151DBE    51              push    ecx
01151DBF    E8 120F0000     call    01152CD6                     ; allocate `size` bytes (01152CD6: operator new / malloc -- not shown, confirm)
01151DC4    83C4 04         add     esp, 0x4
01151DC7    8BD8            mov     ebx, eax                     ; ebx = new block
01151DC9    E8 102B0000     call    011548DE                     ; second 011548DE() reading
01151DCE    2B85 30FFFFFF   sub     eax, dword ptr [ebp-0xD0]    ; delta = second - first
01151DD4    83F8 02         cmp     eax, 0x2
01151DD7    7F 65           jg      short 01151E3E               ; delta > 2 -> abort path at 01151E3E. Looks like a timing check (011548DE may be a tick/clock read -- confirm); single-stepping between the two calls will trip it
01151DD9    8D85 34FFFFFF   lea     eax, dword ptr [ebp-0xCC]
01151DDF    50              push    eax
01151DE0    53              push    ebx
01151DE1    E8 8A0A0000     call    01152870                     ; 01152870(ebx, buf): presumably copies buf into the new block (not shown)
01151DE6    83FE 07         cmp     esi, 0x7           ; esi = wchar count; exactly 7 required
01151DE9    73 0B           jnb     short 01151DF6               ; esi >= 7 -> 01151DF6
01151DEB    6A 00           push    0x0
01151DED    6A 00           push    0x0
01151DEF    68 0E040000     push    0x40E                        ; too short -> 0x40E
01151DF4    EB 0B           jmp     short 01151E01
01151DF6    76 2C           jbe     short 01151E24               ; flags still from cmp esi,7: esi == 7 -> final check
01151DF8    6A 00           push    0x0
01151DFA    6A 00           push    0x0
01151DFC    68 0D040000     push    0x40D                        ; too long -> 0x40D
01151E01    FF77 04         push    dword ptr [edi+0x4]
01151E04    FF15 50811601   call    dword ptr [<&USER32.SendMessageW>; user32.SendMessageW([edi+0x4], WM_COMMAND, 0x40E/0x40D, 0)
01151E0A    53              push    ebx
01151E0B    E8 CF0E0000     call    01152CDF                     ; release ebx (01152CDF: delete / free -- confirm)
01151E10    83C4 04         add     esp, 0x4
01151E13    5B              pop     ebx
01151E14    5E              pop     esi
01151E15    5F              pop     edi
01151E16    8B4D FC         mov     ecx, dword ptr [ebp-0x4]
01151E19    33CD            xor     ecx, ebp
01151E1B    E8 A50E0000     call    01152CC5                     ; cookie check
01151E20    8BE5            mov     esp, ebp
01151E22    5D              pop     ebp
01151E23    C3              retn
01151E24    8BD3            mov     edx, ebx                     ; edx = copied code (7 wchars)
01151E26    8BCF            mov     ecx, edi                     ; ecx = this
01151E28    E8 33FCFFFF     call    01151A60        ; author: the final check. Note the next listing starts at 01151870, not 01151A60; how the two relate is not shown. ebx is not released on this path (no 01152CDF call) -- leaks unless 01151A60 frees it
01151E2D    5B              pop     ebx
01151E2E    5E              pop     esi
01151E2F    8B4D FC         mov     ecx, dword ptr [ebp-0x4]
01151E32    33CD            xor     ecx, ebp
01151E34    5F              pop     edi
01151E35    E8 8B0E0000     call    01152CC5                     ; cookie check
01151E3A    8BE5            mov     esp, ebp
01151E3C    5D              pop     ebp
01151E3D    C3              retn
01151E3E    6A 00           push    0x0                          ; abort path taken when the 011548DE delta > 2
01151E40    E8 6C2D0000     call    01154BB1                     ; 01154BB1(0): handler not shown; nothing follows it in the listing



以上代码得出注册码必须恰好为7位(esi 是宽字符个数:<7 发 0x40E,>7 发 0x40D,==7 才进入最后判断)并且包含字符'b','p'。另外有两点值得注意:1) 01151D58 与 01151DC9 两次调用 011548DE 并求差,差值>2 就跳到 01151E3E(push 0 / call 01154BB1)——很像一个计时检查(011548DE 可能是 GetTickCount 之类的函数,需确认),在这两次调用之间单步会触发它;2) 01151D88 处 GetWindowTextW 的 nMaxCount 是 0xC8 个宽字符(最多写入 400 字节),而 [ebp-0xCC] 的缓冲区只有 0xC8 字节,后面紧挨着 [ebp-4] 的安全 cookie——输入超过 99 个字符就会溢出这个栈缓冲区(01151D01 那条用的是 0x64,没有这个问题)。
再看最后的判断call

... 省略一部份代码
; sub_01151870(this = ecx, str = edx) -- listed by the author as the final-check routine; the call at
; 01151E28 targets 01151A60, not 01151870, and the author elided the code in between, so the
; relationship between the two is not shown here. The listing also stops at the PostMessageW call
; (the epilogue is omitted).
; Register roles established below: ebx = this (also saved in [ebp-0x54]); edi = str, a NUL-terminated
; wide string that is MODIFIED IN PLACE (per-index XOR, then uppercased).
; Stack: [ebp-0x50] 27-wchar table (a-z, later uppercased); [ebp-0x18] 10-wchar table '0'..'9';
; [ebp-0x10] 5-wchar buffer of extracted letters; [ebp-0x4] /GS-style cookie (same pattern as sub_01151CB0).
; Several "???" lines are OllyDbg mis-decoding compiler-emitted multi-byte NOPs and one MOVQ; the real
; instructions are given in the comments on those lines (derived from the byte columns shown).
01151870    55              push    ebp
01151871    8BEC            mov     ebp, esp
01151873    83EC 54         sub     esp, 0x54
01151876    A1 14F01601     mov     eax, dword ptr [0x116F014]   ; presumably __security_cookie
0115187B    33C5            xor     eax, ebp
0115187D    8945 FC         mov     dword ptr [ebp-0x4], eax
01151880    53              push    ebx
01151881    56              push    esi
01151882    57              push    edi
01151883    6A 36           push    0x36                         ; memset([ebp-0x50], 0, 0x36): 27 wchars -> the a-z table is NUL-terminated
01151885    8D45 B0         lea     eax, dword ptr [ebp-0x50]
01151888    8BD9            mov     ebx, ecx                     ; ebx = this
0115188A    6A 00           push    0x0
0115188C    50              push    eax
0115188D    8BFA            mov     edi, edx                     ; edi = str
0115188F    895D AC         mov     dword ptr [ebp-0x54], ebx    ; this saved; ebx is reused as a write cursor later
01151892    E8 39210000     call    <memset>
01151897    83C4 0C         add     esp, 0xC
0115189A    8D4D E8         lea     ecx, dword ptr [ebp-0x18]    ; [ebp-0x18] = L'0'..L'9' (10 wchars; not referenced again in this listing)
0115189D    B8 30000000     mov     eax, 0x30
011518A2    66:8901         mov     word ptr [ecx], ax
011518A5    8D49 02         lea     ecx, dword ptr [ecx+0x2]
011518A8    40              inc     eax
011518A9    83F8 39         cmp     eax, 0x39
011518AC  ^ 7E F4           jle     short 011518A2                   ; 0-9
011518AE    B8 61000000     mov     eax, 0x61                    ; [ebp-0x50] = L'a'..L'z'
011518B3    8D4D B0         lea     ecx, dword ptr [ebp-0x50]
011518B6    66:8901         mov     word ptr [ecx], ax
011518B9    8D49 02         lea     ecx, dword ptr [ecx+0x2]
011518BC    40              inc     eax
011518BD    83F8 7A         cmp     eax, 0x7A
011518C0  ^ 7E F4           jle     short 011518B6                   ; a-z
011518C2    33D2            xor     edx, edx                     ; edx = wcslen(table)
011518C4    8D45 B0         lea     eax, dword ptr [ebp-0x50]
011518C7    66:3955 B0      cmp     word ptr [ebp-0x50], dx
011518CB    74 0D           je      short 011518DA
011518CD    0F1F            ???                                      ; OD mis-decode: 0F 1F 00 = nop dword ptr [eax] (3-byte NOP)
011518CF    008D 40024266   add     byte ptr [ebp+0x66420240], cl ; garbage decode; real code at 011518D0: 8D 40 02 lea eax,[eax+2] / 42 inc edx / 66 83 38 00 cmp word ptr [eax],0 (the jnz below targets 011518D0)
011518D5    8338 00         cmp     dword ptr [eax], 0x0        ; (tail of the swallowed 66 83 38 00 -- really a word compare)
011518D8  ^ 75 F6           jnz     short 011518D0
011518DA    33C9            xor     ecx, ecx                     ; uppercase the table in place: 'a'..'z' -> 'A'..'Z'
011518DC    85D2            test    edx, edx
011518DE    74 1C           je      short 011518FC
011518E0    0FB7444D B0     movzx   eax, word ptr [ebp+ecx*2-0x50]
011518E5    83F8 61         cmp     eax, 0x61
011518E8    72 0D           jb      short 011518F7
011518EA    83F8 7A         cmp     eax, 0x7A
011518ED    77 08           ja      short 011518F7
011518EF    83C0 E0         add     eax, -0x20
011518F2    66:89444D B0    mov     word ptr [ebp+ecx*2-0x50], ax
011518F7    41              inc     ecx
011518F8    3BCA            cmp     ecx, edx
011518FA  ^ 72 E4           jb      short 011518E0
011518FC    33C9            xor     ecx, ecx                     ; ecx = wcslen(str)
011518FE    8BC7            mov     eax, edi
01151900    85FF            test    edi, edi
01151902    74 76           je      short 0115197A               ; str == NULL -> skips to 0115197A, which still dereferences edi
01151904    66:390F         cmp     word ptr [edi], cx
01151907    74 11           je      short 0115191A
01151909    0F1F            ???                                      ; OD mis-decode: 0F 1F 80 00 00 00 00 = nop dword ptr [eax+0] (7-byte NOP)
0115190B    8000 00         add     byte ptr [eax], 0x0          ; garbage decode (NOP bytes)
0115190E    0000            add     byte ptr [eax], al           ; garbage decode (NOP bytes)
01151910    8D40 02         lea     eax, dword ptr [eax+0x2]
01151913    41              inc     ecx
01151914    66:8338 00      cmp     word ptr [eax], 0x0
01151918  ^ 75 F6           jnz     short 01151910
0115191A    33C0            xor     eax, eax                     ; in-place XOR of str by index: i<2 ^= 0xF; 2<=i<4 ^= 0x50; i>=4 ^= 0x42
0115191C    85C9            test    ecx, ecx
0115191E    74 22           je      short 01151942
01151920    83F8 02         cmp     eax, 0x2
01151923    73 07           jnb     short 0115192C
01151925    66:833447 0F    xor     word ptr [edi+eax*2], 0xF
0115192A    EB 11           jmp     short 0115193D
0115192C    83F8 04         cmp     eax, 0x4
0115192F    73 07           jnb     short 01151938
01151931    66:833447 50    xor     word ptr [edi+eax*2], 0x50
01151936    EB 05           jmp     short 0115193D
01151938    66:833447 42    xor     word ptr [edi+eax*2], 0x42
0115193D    40              inc     eax
0115193E    3BC1            cmp     eax, ecx
01151940  ^ 72 DE           jb      short 01151920
01151942    33D2            xor     edx, edx                     ; edx = wcslen(str) again
01151944    8BC7            mov     eax, edi
01151946    66:3917         cmp     word ptr [edi], dx
01151949    74 0F           je      short 0115195A
0115194B    0F1F            ???                                      ; OD mis-decode: 0F 1F 44 00 00 = nop dword ptr [eax+eax] (5-byte NOP)
0115194D    44              inc     esp                          ; garbage decode (NOP bytes)
0115194E    0000            add     byte ptr [eax], al           ; garbage decode (NOP bytes)
01151950    8D40 02         lea     eax, dword ptr [eax+0x2]
01151953    42              inc     edx
01151954    66:8338 00      cmp     word ptr [eax], 0x0
01151958  ^ 75 F6           jnz     short 01151950
0115195A    33C9            xor     ecx, ecx                     ; uppercase str in place (after the XOR above)
0115195C    85D2            test    edx, edx
0115195E    74 1A           je      short 0115197A
01151960    0FB7044F        movzx   eax, word ptr [edi+ecx*2]
01151964    83F8 61         cmp     eax, 0x61
01151967    72 0C           jb      short 01151975
01151969    83F8 7A         cmp     eax, 0x7A
0115196C    77 07           ja      short 01151975
0115196E    83C0 E0         add     eax, -0x20
01151971    66:89044F       mov     word ptr [edi+ecx*2], ax
01151975    41              inc     ecx
01151976    3BCA            cmp     ecx, edx
01151978  ^ 72 E6           jb      short 01151960
0115197A    33F6            xor     esi, esi                     ; esi = index into str
0115197C    0F57C0          xorps   xmm0, xmm0                   ; zero the 5-wchar letters buffer at [ebp-0x10]: 8 bytes via movq + 2 bytes via the word store
0115197F    66:0FD6         ???                                      ; OD mis-decode: 66 0F D6 45 F0 = movq qword ptr [ebp-0x10], xmm0
01151982    45              inc     ebp                          ; garbage decode: 45 is the ModRM byte of that movq, ebp is NOT incremented
01151983    F0:66:8975 F8   lock mov word ptr [ebp-0x8], si          ; garbage decode: F0 is the movq displacement (-0x10); the real instruction at 01151984 is 66 89 75 F8 = mov word ptr [ebp-0x8], si (terminator)
01151988    66:3937         cmp     word ptr [edi], si           ; empty str -> skip extraction
0115198B    74 48           je      short 011519D5
0115198D    66:8B4D B0      mov     cx, word ptr [ebp-0x50]
01151991    8D5D F0         lea     ebx, dword ptr [ebp-0x10]    ; ebx = write cursor into the letters buffer
01151994    8BC7            mov     eax, edi
01151996    66:85C9         test    cx, cx                       ; outer loop: for each wchar of str (eax -> current char)
01151999    74 2C           je      short 011519C7
0115199B    0FB710          movzx   edx, word ptr [eax]
0115199E    8D4D B0         lea     ecx, dword ptr [ebp-0x50]
011519A1    33C0            xor     eax, eax                     ; inner loop: linear search of the (uppercased) table for this char
011519A3    66:3B11         cmp     dx, word ptr [ecx]
011519A6    74 10           je      short 011519B8
011519A8    40              inc     eax
011519A9    8D4D B0         lea     ecx, dword ptr [ebp-0x50]
011519AC    66:833C41 00    cmp     word ptr [ecx+eax*2], 0x0
011519B1    8D0C41          lea     ecx, dword ptr [ecx+eax*2]
011519B4  ^ 75 ED           jnz     short 011519A3
011519B6    EB 0B           jmp     short 011519C3
011519B8    66:8B4445 B0    mov     ax, word ptr [ebp+eax*2-0x50] ; match: append the letter to the buffer
011519BD    66:8903         mov     word ptr [ebx], ax           ; NO bound check: the buffer holds 4 letters + NUL; a 5th letter overwrites the terminator at [ebp-0x8], a 7th lands on the cookie at [ebp-0x4] (e.g. a 7-letter code should trip the cookie check at exit -- confirm in the debugger)
011519C0    83C3 02         add     ebx, 0x2
011519C3    66:8B4D B0      mov     cx, word ptr [ebp-0x50]
011519C7    46              inc     esi
011519C8    66:833C77 00    cmp     word ptr [edi+esi*2], 0x0
011519CD    8D0477          lea     eax, dword ptr [edi+esi*2]
011519D0  ^ 75 C4           jnz     short 01151996
011519D2    8B5D AC         mov     ebx, dword ptr [ebp-0x54]    ; ebx = this again
011519D5    33C9            xor     ecx, ecx                     ; ecx = wcslen(letters buffer)
011519D7    8D45 F0         lea     eax, dword ptr [ebp-0x10]
011519DA    66:394D F0      cmp     word ptr [ebp-0x10], cx
011519DE    74 59           je      short 01151A39               ; no letters at all -> fail (0x40A)
011519E0    8D40 02         lea     eax, dword ptr [eax+0x2]
011519E3    41              inc     ecx
011519E4    66:8338 00      cmp     word ptr [eax], 0x0
011519E8  ^ 75 F6           jnz     short 011519E0
011519EA    83F9 02         cmp     ecx, 0x2                     ; exactly 2 letters required (so the letter extraction is not dead code)
011519ED    75 4A           jnz     short 01151A39
011519EF    33C0            xor     eax, eax
011519F1    C745 F0 3100350>mov     dword ptr [ebp-0x10], 0x350031 ; [ebp-0x10] = L"15"
011519F8    C745 F4 5000420>mov     dword ptr [ebp-0xC], 0x420050  ; [ebp-0xC]  = L"PB"  -> pattern L"15PB" (uppercase, since str was uppercased)
011519FF    8D77 04         lea     esi, dword ptr [edi+0x4]     ; esi = &str[2]
01151A02    66:8945 F8      mov     word ptr [ebp-0x8], ax       ; NUL after the pattern
01151A06    33C9            xor     ecx, ecx
01151A08    0F1F            ???                                      ; OD mis-decode: 0F 1F 84 00 00 00 00 00 = nop dword ptr [eax+eax] (8-byte NOP)
01151A0A    8400            test    byte ptr [eax], al           ; garbage decode (NOP bytes)
01151A0C    0000            add     byte ptr [eax], al           ; garbage decode (NOP bytes)
01151A0E    0000            add     byte ptr [eax], al           ; garbage decode (NOP bytes)
01151A10    66:8B444D F0    mov     ax, word ptr [ebp+ecx*2-0x10] ; compare str[2..5] (post-XOR, uppercased) against L"15PB"
01151A15    66:3B06         cmp     ax, word ptr [esi]
01151A18    75 1F           jnz     short 01151A39               ; mismatch -> fail (0x40A)
01151A1A    41              inc     ecx
01151A1B    83C6 02         add     esi, 0x2
01151A1E    83F9 04         cmp     ecx, 0x4
01151A21  ^ 72 ED           jb      short 01151A10
01151A23    8BD7            mov     edx, edi                     ; edx = transformed str
01151A25    8BCB            mov     ecx, ebx                     ; ecx = this
01151A27    E8 14FDFFFF     call    01151740         ; author: the final-check call (fragment listed below). Note: since str was XORed before the L"15PB" compare, how the author's final code 1215pb8 satisfies this routine is not established by this listing
01151A2C    6A 00           push    0x0
01151A2E    85C0            test    eax, eax
01151A30    74 09           je      short 01151A3B               ; 01151740 returned 0 -> 0x40A
01151A32    68 0B040000     push    0x40B                        ; success notification id
01151A37    EB 07           jmp     short 01151A40
01151A39    6A 00           push    0x0
01151A3B    68 0A040000     push    0x40A                        ; failure notification id
01151A40    68 11010000     push    0x111                        ; WM_COMMAND
01151A45    FF73 04         push    dword ptr [ebx+0x4]          ; hwnd from this
01151A48    FF15 54811601   call    dword ptr [<&USER32.PostMessageW>; user32.PostMessageW([ebx+0x4], WM_COMMAND, 0x40B / 0x40A, 0); epilogue omitted by the author

... 省略一部份代码


以上代码初始化了 0-9、a-z 两张表,把注册码转换成大写,再提取出注册码里所有的字母。这一步并非多余:011519EA 要求提取出的字母恰好为 2 个,否则直接走 0x40A 的失败分支(0-9 那张表在这段代码里确实没再用到)。另外注意 01151920 起还按下标对注册码做了原地异或(第0、1位 ^0xF,第2、3位 ^0x50,第4位起 ^0x42),之后才与 '15PB' 比较;这一点与下面得出的注册码 1215pb8 如何对应,从这段代码本身看不出来(01151E28 调用的是 01151A60 而不是 01151870,两者之间的代码被省略了)。
接下去直接看里面最后的call

... 省略一部份代码
; Fragment of 01151740 (called at 01151A27 with ecx = this, edx = transformed string). It starts
; mid-loop and ends before the retn, so the roles of ecx, edx, esi, edi, ebx and the locals at
; [ebp-0x50]/[ebp-0x4C] are set up outside this listing and cannot be verified here. The comments
; restate the author's reading and mark it as such.
01151810   > /66:8B01       mov     ax, word ptr [ecx]           ; loop: compare wchar at [ecx] with wchar at [esi+ecx], stepping ecx by 2 and edx by 6 while edx <= 0x39
01151813   . |66:3B040E     cmp     ax, word ptr [esi+ecx]           ; author: checks that characters 1 and 2 are '12' (initial ecx/edx/esi not shown)
01151817   . |75 42         jnz     short 0115185B               ; mismatch -> failure exit at 0115185B (not listed)
01151819   . |83C2 06       add     edx, 0x6
0115181C   . |83C1 02       add     ecx, 0x2
0115181F   . |83FA 39       cmp     edx, 0x39
01151822   .^\7E EC         jle     short 01151810
01151824   .  0FB74F 12     movzx   ecx, word ptr [edi+0x12]    ; author: char[i] + char[1] must be 0x63 ("odd design?"). [edi+0x12] is wchar index 9 -- beyond a 7-wchar code, so edi here is probably not the input string itself; confirm what edi/ebx point to
01151828   .  0FB703        movzx   eax, word ptr [ebx] 
0115182B   .  03C8          add     ecx, eax
0115182D   .  83F9 63       cmp     ecx, 0x63                    ; 0x63 = '1'(0x31) + '2'(0x32)
01151830   .  75 29         jnz     short 0115185B
01151832   .  8B45 B4       mov     eax, dword ptr [ebp-0x4C]    ; [ebp-0x4C] -> a dword (the author's "counter")
01151835   .  0FB74F 0C     movzx   ecx, word ptr [edi+0xC]      ; wchar index 6 (last char of a 7-wchar string, if edi is the code)
01151839   .  0308          add     ecx, dword ptr [eax]
0115183B   .  8B45 B0       mov     eax, dword ptr [ebp-0x50]    ; [ebp-0x50] -> a wchar
0115183E   .  0FB700        movzx   eax, word ptr [eax]
01151841   .  3BC1          cmp     eax, ecx
01151843   .  75 16         jnz     short 0115185B    ; author's reading: the code's last char + counter must equal the char at *[ebp-0x50], where that char comes from substituting '123456789' into position n of the code; that substitution happens outside this fragment
01151845   .  5F            pop     edi
01151846   .  5E            pop     esi
01151847   .  B8 01000000   mov     eax, 0x1                     ; success: return 1 (retn and the 0115185B failure path are not listed)
0115184C   .  5B            pop     ebx



以上分析完成得到一组注册码1215pb8
1)包含字符'b'''p'
2)  7位长度
3)  第1、2位为'1''2'
4) 第1位(下标0)字符'1'(0x31)+第n位字符(计数所在位)'2'(0x32) = 0x63(0x31+0x32=0x63,对应 0115182D 处的 cmp ecx,0x63)
5)  第3、4、5、6位为'15pb'
6)  最后1位为‘7’+计数

ps:这个cm设计不合理,代码杂乱无章
如果界面上的计数为3,那就是要第1位'1'+第3位'5'必须等于0x63,然而又规定了第3456位为'15pb',无法符合条件,只有在界面上计数为0时才能成功

