原帖子
http://bbs.pediy.com/showthread.php?s=&threadid=21435
1)去壳,去anti-debug等。
2)通过DeDe分析,得到下面
;-----------------------------------------------------------------------
; 004597EC - serial-check handler (OllyDbg listing, Delphi register ABI:
;            eax = Self, edx = second register argument)
; Frame:  0x58 bytes of zero-filled locals, ebx/esi saved, and a Delphi
;         try/finally SEH record (fs:[0]) whose finally block starts at 00459A21.
; Flow (author's annotations, kept below): read the serial and require
;         exactly 16 characters; important = enc(name) XOR enc(productid);
;         MD5 / SHA / first Blowfish pass (result never read again);
;         Blowfish-decipher the serial under the constant key "kernel32.dll"
;         and compare it with hex(important). Both failure jumps land on the
;         common exit at 00459A14, so a wrong serial produces no message here.
; NOTE(review): the verdict depends only on a symmetric cipher whose key and
;         transformation both live in the client binary, so the binary alone is
;         enough to reproduce valid serials. An offline check that only holds a
;         public key (signature verification) would not have this property.
;-----------------------------------------------------------------------
004597EC /. 55 push ebp
004597ED |. 8BEC mov ebp, esp
004597EF |. B9 0B000000 mov ecx, 0B ; 11 iterations x 2 pushes = 22 zeroed dwords (0x58 bytes of locals)
004597F4 |> 6A 00 /push 0
004597F6 |. 6A 00 |push 0
004597F8 |. 49 |dec ecx
004597F9 |.^ 75 F9 \jnz short 004597F4
004597FB |. 53 push ebx
004597FC |. 56 push esi
004597FD |. 8955 C4 mov [ebp-3C], edx ; second register argument; not read again in this listing
00459800 |. 8945 FC mov [ebp-4], eax ; [ebp-4] = Self
00459803 |. 33C0 xor eax, eax
00459805 |. 55 push ebp
00459806 |. 68 6E9A4500 push 00459A6E ; exception handler of the try/finally frame
0045980B |. 64:FF30 push dword ptr fs:[eax]
0045980E |. 64:8920 mov fs:[eax], esp ; install the SEH record
00459811 |. 8D55 C0 lea edx, [ebp-40]
00459814 |. 8B45 FC mov eax, [ebp-4]
00459817 |. 8B80 04030000 mov eax, [eax+304] ; Self+304: the control holding the serial (per author)
0045981D |. E8 C6B7FDFF call 00434FE8 ; get serial -> [ebp-40]
00459822 |. 8B45 C0 mov eax, [ebp-40] ; serial string
00459825 |. E8 7AAAFAFF call 004042A4 ; string length (same helper the author labels "length" at 00458504)
0045982A |. 83F8 10 cmp eax, 10 ; serial must be exactly 16 characters
0045982D |. 0F85 E1010000 jnz 00459A14 ; otherwise go straight to the common exit (nothing is reported)
00459833 |. 8D55 F8 lea edx, [ebp-8]
00459836 |. 8B45 FC mov eax, [ebp-4]
00459839 |. 8B80 F8020000 mov eax, [eax+2F8] ; Self+2F8: the control holding the name (per author)
0045983F |. E8 A4B7FDFF call 00434FE8 ; get name -> [ebp-8]
00459844 |. 8B45 F8 mov eax, [ebp-8] ; name string
00459847 |. E8 80E9FFFF call 004581CC ; encrypt name (not detailed here; the keygen source in the thread covers this part)
0045984C |. 8945 F4 mov [ebp-C], eax ; [ebp-C] = enc(name)
0045984F |. 8D45 F8 lea eax, [ebp-8]
00459852 |. E8 2DF7FFFF call 00458F84 ; getproductid -> [ebp-8]
00459857 |. 8B45 F8 mov eax, [ebp-8]
0045985A |. E8 6DE9FFFF call 004581CC ; encrypt productid (same helper; the keygen source covers this part)
0045985F |. 3145 F4 xor [ebp-C], eax ; [ebp-C] = enc(name) XOR enc(productid) -> "important"
00459862 |. 8D45 F8 lea eax, [ebp-8]
00459865 |. E8 7AA7FAFF call 00403FE4 ; release [ebp-8] (same helper the finally block applies to strings)
0045986A |. 8B45 F4 mov eax, [ebp-C]
0045986D |. 33D2 xor edx, edx
0045986F |. 52 push edx ; /Arg2 => 00000000
00459870 |. 50 push eax ; |Arg1
00459871 |. 8D55 D4 lea edx, [ebp-2C] ; |
00459874 |. B8 08000000 mov eax, 8 ; | eax = 8, presumably the digit width - confirm
00459879 |. E8 C6E7FAFF call 00408044 ; \important -> string "strimportant" in [ebp-2C]
0045987E |. 8D55 BC lea edx, [ebp-44]
00459881 8B45 D4 mov eax, [ebp-2C] ; strimportant
00459884 |. E8 2BE7FFFF call 00457FB4 ; MD5 of strimportant -> [ebp-44]
00459889 8B45 BC mov eax, [ebp-44]
0045988C |. 8D55 D0 lea edx, [ebp-30]
0045988F |. E8 24E3FAFF call 00407BB8 ; uppercase -> [ebp-30]
00459894 |. 8D55 B4 lea edx, [ebp-4C]
00459897 |. 8B45 D0 mov eax, [ebp-30]
0045989A |. E8 29C9FFFF call 004561C8 ; SHA of the uppercased MD5 -> [ebp-4C]
0045989F |. 8B45 B4 mov eax, [ebp-4C] ; transformed string String1
004598A2 |. 8D55 B8 lea edx, [ebp-48]
004598A5 |. E8 0EE3FAFF call 00407BB8 ; uppercase -> [ebp-48]
004598AA |. 8B55 B8 mov edx, [ebp-48] ; String2 = uppercase(String1)
004598AD |. 8D45 D0 lea eax, [ebp-30]
004598B0 |. E8 C7A7FAFF call 0040407C ; [ebp-30] := String2
004598B5 |. 8B45 D0 mov eax, [ebp-30]
004598B8 |. E8 E3EBFFFF call 004584A0 ; Blowfish key setup, key = String2 (routine listed further down)
004598BD |. 8B45 F4 mov eax, [ebp-C]
004598C0 |. 33D2 xor edx, edx
004598C2 |. 8945 D8 mov [ebp-28], eax ; 64-bit block = (important, 0)
004598C5 |. 8955 DC mov [ebp-24], edx
004598C8 |. FF75 DC push dword ptr [ebp-24] ; /Arg2
004598CB |. FF75 D8 push dword ptr [ebp-28] ; |Arg1
004598CE |. E8 6DEAFFFF call 00458340 ; \Blowfish encipher(important, 0)
004598D3 |. 52 push edx ; /right DWORD of the Blowfish ciphertext
004598D4 |. 50 push eax ; |left DWORD of the Blowfish ciphertext
004598D5 |. 8D55 CC lea edx, [ebp-34] ; |
004598D8 |. 33C0 xor eax, eax ; |
004598DA |. E8 65E7FAFF call 00408044 ; \merge into one 16-character string in [ebp-34]
; NOTE(review): [ebp-34] is not read again before the finally block, and the key
; setup at 004598E4 rewrites the same global tables, so the MD5/SHA/first-Blowfish
; chain above has no effect on the verdict (matches the author's finding).
004598DF |. B8 849A4500 mov eax, 00459A84 ; ASCII "kernel32.dll" - constant key embedded in the binary
004598E4 |. E8 B7EBFFFF call 004584A0 ; Blowfish key setup, key = "kernel32.dll" (replaces the schedule built at 004598B8)
004598E9 |. 8D55 B0 lea edx, [ebp-50]
004598EC |. 8B45 FC mov eax, [ebp-4]
004598EF |. 8B80 04030000 mov eax, [eax+304]
004598F5 |. E8 EEB6FDFF call 00434FE8 ; serial read a second time -> [ebp-50]
004598FA |. 8B45 B0 mov eax, [ebp-50] ; serial string
004598FD |. E8 F6CFFFFF call 004568F8 ; convert to a 64-bit value in edx:eax
00459902 |. 8945 D8 mov [ebp-28], eax
00459905 |. 8955 DC mov [ebp-24], edx
00459908 |. FF75 DC push dword ptr [ebp-24] ; /Blowfish_decipher left DWORD (author's label; the push order is the same as at 004598C8)
0045990B |. FF75 D8 push dword ptr [ebp-28] ; |Blowfish_decipher right DWORD
0045990E |. E8 7DE9FFFF call 00458290 ; \Blowfish decipher
00459913 |. 52 push edx ; /decrypted left DWORD (author's left/right labels here are the reverse of those at 004598D3; the pushes are identical)
00459914 |. 50 push eax ; |decrypted right DWORD
00459915 |. 8D55 C8 lea edx, [ebp-38] ; |
00459918 |. 33C0 xor eax, eax ; |
0045991A |. E8 25E7FAFF call 00408044 ; \convert to string String3 in [ebp-38]
0045991F |. 8B45 F4 mov eax, [ebp-C]
00459922 |. 33D2 xor edx, edx
00459924 |. 52 push edx ; /Arg2 => 00000000
00459925 |. 50 push eax ; |Arg1
00459926 |. 8D55 A8 lea edx, [ebp-58] ; |
00459929 |. 33C0 xor eax, eax ; |
0045992B |. E8 14E7FAFF call 00408044 ; \dumped_1.00408044 - (important, 0) -> string in [ebp-58]
00459930 |. 8B45 A8 mov eax, [ebp-58]
00459933 |. 8D55 AC lea edx, [ebp-54]
00459936 |. E8 7DE2FAFF call 00407BB8 ; uppercase -> [ebp-54]
0045993B |. 8B55 AC mov edx, [ebp-54] ; uppercased hex(important)
0045993E |. 8B45 C8 mov eax, [ebp-38] ; String3 (second operand)
00459941 |. E8 AAAAFAFF call 004043F0 ; string compare
00459946 0F85 C8000000 jnz 00459A14 ; critical jump: mismatch -> common exit, nothing is reported
; Success path: A[i] ^= B[i] for i = 1..15 (inc then cmp 10h, so index 16 is
; never touched); presumably decodes an embedded success message - confirm
; against the two constant strings.
0045994C |. 8D45 F0 lea eax, [ebp-10]
0045994F |. BA 9C9A4500 mov edx, 00459A9C ; constant string A -> [ebp-10]
00459954 |. E8 23A7FAFF call 0040407C
00459959 |. 8D45 EC lea eax, [ebp-14]
0045995C |. BA B49A4500 mov edx, 00459AB4 ; constant string B -> [ebp-14]
00459961 |. E8 16A7FAFF call 0040407C
00459966 |. C745 E4 01000>mov dword ptr [ebp-1C], 1 ; i = 1 (1-based string index)
0045996D |> 8D45 F0 /lea eax, [ebp-10]
00459970 |. E8 87ABFAFF |call 004044FC ; presumably makes [ebp-10] a writable unique copy; eax is then used as the store target - confirm
00459975 |. 8B55 E4 |mov edx, [ebp-1C]
00459978 |. 8B4D F0 |mov ecx, [ebp-10]
0045997B |. 8B5D E4 |mov ebx, [ebp-1C]
0045997E |. 8A4C19 FF |mov cl, [ecx+ebx-1] ; cl = A[i]
00459982 |. 8B5D EC |mov ebx, [ebp-14]
00459985 |. 8B75 E4 |mov esi, [ebp-1C]
00459988 |. 8A5C33 FF |mov bl, [ebx+esi-1] ; bl = B[i]
0045998C |. 32CB |xor cl, bl
0045998E |. 884C10 FF |mov [eax+edx-1], cl ; A[i] = A[i] XOR B[i]
00459992 |. FF45 E4 |inc dword ptr [ebp-1C]
00459995 |. 837D E4 10 |cmp dword ptr [ebp-1C], 10
00459999 |.^ 75 D2 \jnz short 0045996D
0045999B |. 8D45 E8 lea eax, [ebp-18]
0045999E |. 8B55 F0 mov edx, [ebp-10]
004599A1 |. E8 D6A6FAFF call 0040407C ; [ebp-18] := decoded string
004599A6 |. 8B45 FC mov eax, [ebp-4]
004599A9 |. 8B80 14030000 mov eax, [eax+314] ; Self+314: presumably the status control - confirm
004599AF |. 8B40 68 mov eax, [eax+68]
004599B2 |. BA FF000000 mov edx, 0FF
004599B7 |. E8 F82DFCFF call 0041C7B4 ; property set on the object at +68 with 0FF; helper not annotated
004599BC |. 8B45 FC mov eax, [ebp-4]
004599BF |. 8B80 14030000 mov eax, [eax+314]
004599C5 |. 8B40 68 mov eax, [eax+68]
004599C8 |. 8A15 C49A4500 mov dl, [459AC4] ; byte constant at 00459AC4
004599CE |. E8 AD30FCFF call 0041CA80 ; second property set on the same object; helper not annotated
004599D3 |. 8B55 E8 mov edx, [ebp-18]
004599D6 |. 8B45 FC mov eax, [ebp-4]
004599D9 |. 8B80 14030000 mov eax, [eax+314]
004599DF |. E8 34B6FDFF call 00435018 ; write the decoded string to Self+314 (counterpart of the 00434FE8 getter)
004599E4 |. 33D2 xor edx, edx
004599E6 |. 8B45 FC mov eax, [ebp-4]
004599E9 |. 8B80 F8020000 mov eax, [eax+2F8]
004599EF |. 8B08 mov ecx, [eax]
004599F1 |. FF51 64 call [ecx+64] ; virtual slot +64 with edx = 0 on the name control
004599F4 |. 33D2 xor edx, edx
004599F6 |. 8B45 FC mov eax, [ebp-4]
004599F9 |. 8B80 04030000 mov eax, [eax+304]
004599FF |. 8B08 mov ecx, [eax]
00459A01 |. FF51 64 call [ecx+64] ; same slot on the serial control
00459A04 |. 33D2 xor edx, edx
00459A06 |. 8B45 FC mov eax, [ebp-4]
00459A09 |. 8B80 0C030000 mov eax, [eax+30C]
00459A0F |. 8B08 mov ecx, [eax]
00459A11 |. FF51 64 call [ecx+64] ; same slot on the control at Self+30C (presumably disables these three controls - confirm)
00459A14 |> 33C0 xor eax, eax ; common exit; also the target of both failure jumps
00459A16 |. 5A pop edx
00459A17 |. 59 pop ecx
00459A18 |. 59 pop ecx
00459A19 |. 64:8910 mov fs:[eax], edx ; unlink the SEH record
00459A1C |. 68 759A4500 push 00459A75 ; return address for the finally block (outside this listing)
00459A21 |> 8D45 A8 lea eax, [ebp-58] ; finally: release the local strings (00404008 presumably clears edx strings starting at eax - confirm)
00459A24 |. BA 02000000 mov edx, 2
00459A29 |. E8 DAA5FAFF call 00404008
00459A2E |. 8D45 B0 lea eax, [ebp-50]
00459A31 |. E8 AEA5FAFF call 00403FE4
00459A36 |. 8D45 B4 lea eax, [ebp-4C]
00459A39 |. BA 03000000 mov edx, 3
00459A3E |. E8 C5A5FAFF call 00404008
00459A43 |. 8D45 C0 lea eax, [ebp-40]
00459A46 |. E8 99A5FAFF call 00403FE4
00459A4B |. 8D45 C8 lea eax, [ebp-38]
00459A4E |. BA 04000000 mov edx, 4
00459A53 |. E8 B0A5FAFF call 00404008
00459A58 |. 8D45 E8 lea eax, [ebp-18]
00459A5B |. BA 03000000 mov edx, 3
00459A60 |. E8 A3A5FAFF call 00404008
00459A65 |. 8D45 F8 lea eax, [ebp-8]
00459A68 |. E8 77A5FAFF call 00403FE4
00459A6D \. C3 retn ; returns to 00459A75 pushed above; the epilogue that restores esi/ebx/ebp is not part of this listing
xor 加密name 和 加密productid 送到important。
important这个很重要。
昨天分析的算法用了md5,sha,今天继续分析,进入004584A0发现很像Blowfish的初始化过程,对比PArray和SBox,果然是
BlowFish的初始化
;-----------------------------------------------------------------------
; 004584A0 - Blowfish key setup (author: P-array / S-box constants match)
; In:     eax = key string (Delphi-style, 1-based indexing; saved in [ebp-4])
; Tables: 0x1048 bytes at 0045E000 = (18 P entries + 4*256 S entries) * 4.
;         P occupies 0045E000..0045E044, S starts at 0045E048.
;         Initial constants are read from 0045ADA4 (P) and 0045ADEC (S).
; Frame:  0x20 bytes of locals (not zeroed) and a Delphi try/finally record.
; NOTE(review): the tables are process-wide globals, so every call replaces
;         the previous schedule; the caller at 004598E4 therefore discards
;         the schedule built at 004598B8.
; NOTE(review): the key loop reads key[idx] before comparing idx with the
;         length, so an empty key (nil string pointer) would presumably
;         fault at 004584F4 - confirm.
;-----------------------------------------------------------------------
004584A0 /$ 55 push ebp
004584A1 |. 8BEC mov ebp, esp
004584A3 |. 83C4 E0 add esp, -20 ; 0x20 bytes of locals
004584A6 |. 8945 FC mov [ebp-4], eax ; [ebp-4] = key string
004584A9 |. 8B45 FC mov eax, [ebp-4]
004584AC |. E8 E3BFFAFF call 00404494 ; string helper on the key (presumably addref / unique copy - confirm)
004584B1 |. 33C0 xor eax, eax
004584B3 |. 55 push ebp
004584B4 |. 68 F4854500 push 004585F4 ; exception handler of the try/finally frame
004584B9 |. 64:FF30 push dword ptr fs:[eax]
004584BC |. 64:8920 mov fs:[eax], esp ; install the SEH record
004584BF |. B8 00E04500 mov eax, 0045E000 ; table base
004584C4 |. 33C9 xor ecx, ecx
004584C6 |. BA 48100000 mov edx, 1048 ; 0x1048 = 4168 = 1042 dwords = 18 + 4*256
004584CB |. E8 E0A7FAFF call 00402CB0 ; allocate / prepare the table memory (per author)
004584D0 |. C745 F4 01000>mov dword ptr [ebp-C], 1 ; key byte index (1-based)
004584D7 |. C745 F8 01000>mov dword ptr [ebp-8], 1 ; P-array index i = 1..18
; P[i] = P_const[i] XOR (next 4 key bytes, big-endian, key cycled)
004584DE |> 33C0 /xor eax, eax
004584E0 |. 8945 EC |mov [ebp-14], eax ; accumulated 32-bit key word
004584E3 |. 33C0 |xor eax, eax
004584E5 |. 8945 F0 |mov [ebp-10], eax ; byte counter 0..3
004584E8 |> 8B45 EC |/mov eax, [ebp-14]
004584EB |. C1E0 08 ||shl eax, 8
004584EE |. 8B55 FC ||mov edx, [ebp-4]
004584F1 |. 8B4D F4 ||mov ecx, [ebp-C]
004584F4 |. 0FB6540A FF ||movzx edx, byte ptr [edx+ecx-1] ; key[idx]
004584F9 |. 0BC2 ||or eax, edx
004584FB |. 8945 EC ||mov [ebp-14], eax
004584FE |. FF45 F4 ||inc dword ptr [ebp-C]
00458501 |. 8B45 FC ||mov eax, [ebp-4]
00458504 |. E8 9BBDFAFF ||call 004042A4 ; length of the Blowfish key
00458509 |. 3B45 F4 ||cmp eax, [ebp-C]
0045850C |. 7D 07 ||jge short 00458515 ; idx still within the key (signed compare)
0045850E |. C745 F4 01000>||mov dword ptr [ebp-C], 1 ; wrap to the first key byte
00458515 |> FF45 F0 ||inc dword ptr [ebp-10]
00458518 |. 837D F0 04 ||cmp dword ptr [ebp-10], 4
0045851C |.^ 75 CA |\jnz short 004584E8
0045851E |. 8B45 F8 |mov eax, [ebp-8]
00458521 |. 8B0485 A0AD45>|mov eax, [eax*4+45ADA0] ; P_const[i] (0045ADA4 for i = 1)
00458528 |. 3345 EC |xor eax, [ebp-14]
0045852B |. 8B55 F8 |mov edx, [ebp-8]
0045852E |. 890495 FCDF45>|mov [edx*4+45DFFC], eax ; P[i] at 0045E000 + 4*(i-1)
00458535 |. FF45 F8 |inc dword ptr [ebp-8]
00458538 |. 837D F8 13 |cmp dword ptr [ebp-8], 13 ; 18 entries
0045853C |.^ 75 A0 \jnz short 004584DE ; initialise the P-array
00458540 |. 8945 F8 mov [ebp-8], eax ; (eax was zeroed above) S-box index i = 0..3
0045853E |. 33C0 xor eax, eax
; S[i][j] = S_const[i][j], copied verbatim from 0045ADEC + i*1024 + j*4
00458543 |> 33C0 /xor eax, eax
00458545 |. 8945 F4 |mov [ebp-C], eax ; j = 0..255
00458548 |> 8B45 F8 |/mov eax, [ebp-8]
0045854B |. C1E0 07 ||shl eax, 7
0045854E |. 8D04C5 ECAD45>||lea eax, [eax*8+45ADEC] ; &S_const[i] (i*1024 + 0045ADEC)
00458555 |. 8B55 F4 ||mov edx, [ebp-C]
00458558 |. 8B0490 ||mov eax, [eax+edx*4]
0045855B |. 8B55 F8 ||mov edx, [ebp-8]
0045855E |. C1E2 08 ||shl edx, 8
00458561 |. 0355 F4 ||add edx, [ebp-C] ; flat index i*256 + j
00458564 |. 890495 48E045>||mov [edx*4+45E048], eax ; S at 0045E048 (right after the 18 P words)
0045856B |. FF45 F4 ||inc dword ptr [ebp-C]
0045856E |. 817D F4 00010>||cmp dword ptr [ebp-C], 100
00458575 |.^ 75 D1 |\jnz short 00458548
00458577 |. FF45 F8 |inc dword ptr [ebp-8]
0045857A |. 837D F8 04 |cmp dword ptr [ebp-8], 4
0045857E |.^ 75 C3 \jnz short 00458543 ; initialise the S-boxes
00458580 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; running block L = 0
00458587 |. C745 E4 00000>mov dword ptr [ebp-1C], 0 ; running block R = 0
0045858E |. C745 F8 01000>mov dword ptr [ebp-8], 1 ; i = 1..521
; Encrypt the running block with the current tables and write both halves
; back: 521 iterations x 2 words = 1042 = 18 + 1024, i.e. one pass fills P
; and all four S-boxes, as in the reference Blowfish key schedule.
00458595 |> FF75 E4 /push dword ptr [ebp-1C] ; /Arg2
00458598 |. FF75 E0 |push dword ptr [ebp-20] ; |Arg1
0045859B |. E8 A0FDFFFF |call 00458340 ; \Blowfish_encipher
004585A0 |. 8945 E0 |mov [ebp-20], eax
004585A3 |. 8955 E4 |mov [ebp-1C], edx
004585A6 |. 8B45 E4 |mov eax, [ebp-1C]
004585A9 |. 33D2 |xor edx, edx
004585AB |. 8B55 F8 |mov edx, [ebp-8]
004585AE |. 03D2 |add edx, edx ; 2*i
004585B0 |. 890495 F8DF45>|mov [edx*4+45DFF8], eax ; store the left ciphertext half at word 2*i-2 (0045E000 for i = 1)
004585B7 |. 6A 01 |push 1
004585B9 |. 6A 00 |push 0 ; 64-bit constant 1:0 = 2^32
004585BB |. 8B45 E0 |mov eax, [ebp-20]
004585BE |. 8B55 E4 |mov edx, [ebp-1C]
004585C1 |. E8 16C8FAFF |call 00404DDC ; 64-bit arithmetic helper on edx:eax with 2^32; presumably isolates the other half - confirm
004585C6 |. 8B55 F8 |mov edx, [ebp-8]
004585C9 |. 03D2 |add edx, edx
004585CB |. 890495 FCDF45>|mov [edx*4+45DFFC], eax ; store the right ciphertext half at word 2*i-1
004585D2 |. FF45 F8 |inc dword ptr [ebp-8]
004585D5 |. 817D F8 0A020>|cmp dword ptr [ebp-8], 20A ; 0x20A = 522, so i runs 1..521
004585DC |.^ 75 B7 \jnz short 00458595
004585DE |. 33C0 xor eax, eax
004585E0 |. 5A pop edx
004585E1 |. 59 pop ecx
004585E2 |. 59 pop ecx
004585E3 |. 64:8910 mov fs:[eax], edx ; unlink the SEH record
004585E6 |. 68 FB854500 push 004585FB ; return address for the finally block
004585EB |> 8D45 FC lea eax, [ebp-4] ; finally: release the key string copy
004585EE |. E8 F1B9FAFF call 00403FE4
004585F3 \. C3 retn
很明显00458340就是BlowFish的加密过程,程序共进行两次blowfish初始化,第一次用Key=String2,第二次Key="kernel32.dll"
,后来分析,其实前面的md5,sha,第一次blowfish都是没用的,只有最后一次blowfish才是真正的核心。于是猜想
0045990E |. E8 7DE9FFFF call 00458290 ; \Blowfish Decipher是Blowfish的解密过程,跟进去
果然没错。
序列号的解密过程是,把序列号变成两个DWORD,用第二次Blowfish解密,转换成字符串,看看和strimportant相等,相等就正确
了。第二次Blowfish的Key是"kernel32.dll"。
所以获得序列号的过程就是Blowfish加密(0,important),在把加密结果转换成16位的字符串就是serial了。
我的注册是:
name:nightfox
productid:76481-640-4179232-23767
serial:BE40505B4EE98FF2