因为没有key.dat无法解码,所以只是简单看了下,可能对伪注册有点帮助。
0079AA76 CALL <GetDeltaInEbp>
0079AA7B CALL 0079AA91
0079AA91 PUSH DWORD PTR [EBP+<hKernel32>] ; kernel32.7C800000
0079AA97 CALL DWORD PTR [EBP+<AddrGetProcAddress>]
0079AA9D CALL EAX ; GetCommandLineA
0079AA9F MOV ESI,EAX
0079AAA1 LEA EDI,DWORD PTR [EBP+<lpPathkeydat>]
0079AAA7 LODS BYTE PTR [ESI]
0079AAA8 OR AL,AL
0079AAAA JE SHORT 0079AADC
0079AAAC NOP
0079AAAD NOP
0079AAAE NOP
0079AAAF NOP
0079AAB0 CMP AL,5C
0079AAB2 JNZ SHORT 0079AABF
0079AAB4 NOP
0079AAB5 NOP
0079AAB6 NOP
0079AAB7 NOP
0079AAB8 MOV BYTE PTR [EBP+413A90],1
0079AABF CMP DWORD PTR [ESI-5],4558452E ; '.EXE'
0079AAC6 JE SHORT 0079AADC
0079AAC8 NOP
0079AAC9 NOP
0079AACA NOP
0079AACB NOP
0079AACC CMP DWORD PTR [ESI-5],6578652E ; '.exe'
0079AAD3 JE SHORT 0079AADC
0079AAD5 NOP
0079AAD6 NOP
0079AAD7 NOP
0079AAD8 NOP
0079AAD9 STOS BYTE PTR ES:[EDI]
0079AADA JMP SHORT 0079AAA7
0079AADC DEC EDI
0079AADD MOV AL,BYTE PTR [EDI]
0079AADF OR AL,AL
0079AAE1 JE SHORT 0079AAEB
0079AAE3 NOP
0079AAE4 NOP
0079AAE5 NOP
0079AAE6 NOP
0079AAE7 CMP AL,5C ; '\'
0079AAE9 JNZ SHORT 0079AADC
0079AAEB INC EDI ; 定位到exe文件名
0079AAEC CMP BYTE PTR [EBP+413A90],1
0079AAF3 JE SHORT 0079AAFF
0079AAF5 NOP
0079AAF6 NOP
0079AAF7 NOP
0079AAF8 NOP
0079AAF9 LEA EDI,DWORD PTR [EBP+<lpPathkeydat>]
0079AAFF LEA ESI,DWORD PTR [EBP+<szkeydat>]
0079AB05 MOV ECX,1B
0079AB0A REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
0079AB0C CMP BYTE PTR [EBP+413A90],1
0079AB15 NOP
0079AB16 NOP
0079AB17 NOP
0079AB18 NOP
0079AB19 LEA EDI,DWORD PTR [EBP+<szkeydat>]
0079AB1F JMP SHORT 0079AB35
0079AB21 NOP
0079AB22 NOP
0079AB23 NOP
0079AB24 MOV AX,WORD PTR [EDI]
0079AB27 CMP AX,5C3A ; ":\"
0079AB2B JE SHORT 0079AB34
0079AB2D NOP
0079AB2E NOP
0079AB2F NOP
0079AB30 NOP
0079AB31 DEC EDI
0079AB32 JMP SHORT 0079AB24
0079AB34 DEC EDI
0079AB35 PUSH 0
0079AB37 PUSH 80
0079AB3C PUSH 3
0079AB3E PUSH 0
0079AB40 PUSH 1
0079AB42 PUSH 80000000
0079AB47 PUSH EDI
0079AB47 PUSH EDI
0079AB48 CALL DWORD PTR [EBP+<AddrCreateFileA>]
0079AB4E OR EAX,EAX
0079AB50 JNZ SHORT 0079AB5B
0079AB52 NOP
0079AB53 NOP
0079AB54 NOP
0079AB55 NOP
0079AB56 JMP 0079ACBB
0079AB5B PUSH EAX
0079AB5C LEA ESI,DWORD PTR [EBP+<lpBytesRead>]
0079AB62 LEA EDI,DWORD PTR [EBP+<szRegName8>]
0079AB68 PUSH 0
0079AB6A PUSH ESI
0079AB6B PUSH 200
0079AB70 PUSH EDI
0079AB71 PUSH EAX
0079AB72 CALL DWORD PTR [EBP+<AddrReadFile>] ; 读200h个字节
0079AB78 CALL DWORD PTR [EBP+<AddrCloseHandle>]
0079AB7E CMP DWORD PTR [EBP+<lpBytesRead>],200
0079AB88 JNZ 0079ACBB
0079AB8E LEA EAX,DWORD PTR [EBP+<szRegName8pE0>]
0079AB94 MOV ECX,80
0079AB99 CALL <MulAdd> ; 初步加权和校验
0079AB9E CMP EAX,DWORD PTR [EBP+<ValMulAdd>]
0079ABA4 JE SHORT 0079ABB8
0079ABA6 NOP
0079ABA7 NOP
0079ABA8 NOP
0079ABA9 NOP
0079ABAA MOV WORD PTR [EBP+<szRegName8>],0FF00
0079ABB3 JMP 0079ACBB
0079ABB8 LEA ESI,DWORD PTR [EBP+<szBannedID>] ; 黑名单
0079ABBE LEA EDI,DWORD PTR [EBP+<szRegName8>]
0079ABC4 CMP DWORD PTR [ESI],0
0079ABC7 JE SHORT 0079AC04
0079ABC9 NOP
0079ABCA NOP
0079ABCB NOP
0079ABCC NOP
0079ABCD CMP DWORD PTR [ESI],20202020
0079ABD3 JE SHORT 0079AC04
0079ABD5 NOP
0079ABD6 NOP
0079ABD7 NOP
0079ABD8 NOP
0079ABD9 MOV ECX,20
0079ABDE REPE CMPS BYTE PTR ES:[EDI],BYTE PTR [ESI]
0079ABE0 OR ECX,ECX
0079ABE2 JE SHORT 0079ABF6
0079ABE4 NOP
0079ABE5 NOP
0079ABE6 NOP
0079ABE7 NOP
0079ABE8 CMP BYTE PTR [ESI-1],0
0079ABEC JE SHORT 0079ABF6
0079ABEE NOP
0079ABEF NOP
0079ABF0 NOP
0079ABF1 NOP
0079ABF2 ADD ESI,ECX
0079ABF4 JMP SHORT 0079ABBE
0079ABF6 MOV WORD PTR [EBP+<szRegName8>],0FF01
0079ABFF JMP 0079ACBB
0079AC04 PUSH 10
0079AC06 LEA ESI,DWORD PTR [EBP+<szRegName8p200>]
0079AC0C PUSH ESI
0079AC0D LEA ESI,DWORD PTR [EBP+<szRegName8pE0>]
0079AC13 PUSH ESI
0079AC14 LEA ESI,DWORD PTR [EBP+<szRegName8pD0>]
0079AC1A PUSH ESI
0079AC1B LEA ESI,DWORD PTR [EBP+<szRegName8p170>]
0079AC21 PUSH ESI
0079AC22 CALL DWORD PTR [EBP+<AddrPerplex_zcf_decrypt>] ; RSA解码
0079AC28 ADD ESP,14
0079AC2B MOV ECX,10
0079AC30 LEA ESI,DWORD PTR [EBP+<szRegName8>]
0079AC36 LEA EDI,DWORD PTR [EBP+<szRegName8p200>]
0079AC3C LODS DWORD PTR [ESI]
0079AC3D MOV EBX,DWORD PTR [EDI]
0079AC3F ADD EDI,4
0079AC42 DEC ECX
0079AC43 JE SHORT 0079AC61
0079AC45 NOP
0079AC46 NOP
0079AC47 NOP
0079AC48 NOP
0079AC49 CMP EAX,EBX ; 开头10h个字节的解码校验
0079AC4B JNZ SHORT 0079AC53
0079AC4D NOP
0079AC4E NOP
0079AC4F NOP
0079AC50 NOP
0079AC51 JMP SHORT 0079AC3C
0079AC53 MOV WORD PTR [EBP+<szRegName8>],0FF02
0079AC5C JMP SHORT 0079ACBB
0079AC5E NOP
0079AC5F NOP
0079AC60 NOP
0079AC61 CMP DWORD PTR [EBP+<dwMachineID>],646E6152
0079AC6B JE SHORT 0079AC83
0079AC6D NOP
0079AC6E NOP
0079AC6F NOP
0079AC70 NOP
0079AC71 MOV EAX,DWORD PTR [EBP+<dwMachineID>]
0079AC77 CMP EAX,DWORD PTR [EBP+40F74C]
0079AC7D JNZ SHORT 0079ACBB
0079AC7F NOP
0079AC80 NOP
0079AC81 NOP
0079AC82 NOP
0079AC83 PUSH 10
0079AC85 LEA ESI,DWORD PTR [EBP+<szRegName8p200>]
0079AC8B PUSH ESI
0079AC8C LEA ESI,DWORD PTR [EBP+<szRegName8pE0>]
0079AC92 PUSH ESI
0079AC93 LEA ESI,DWORD PTR [EBP+<szRegName8pD0>]
0079AC99 PUSH ESI
0079AC9A LEA ESI,DWORD PTR [EBP+<szRegName8p40>]
0079ACA0 PUSH ESI
0079ACA1 CALL DWORD PTR [EBP+<AddrPerplex_zcf_decrypt>] ; RSA解码
0079ACA7 ADD ESP,14
0079ACAA CALL <RSADecode> ; 对嵌入部分解码
0079ACAF MOV BYTE PTR [EBP+<FlagDecodingDone>],1 ; 解码成功标志
0079ACB6 JMP SHORT 0079ACF6
0079ACB8 NOP
0079ACB9 NOP
0079ACBA NOP
0079ACBB MOV EBX,DWORD PTR [EBP+<dwRetAddr>] ; 返回地址表
0079ACC1 ADD EBX,2
0079ACC4 MOV ECX,-1
0079ACC9 INC ECX
0079ACCA MOV EAX,DWORD PTR [EBP+ECX*4+<lpRetAddrTable>]
0079ACD1 OR EAX,EAX
0079ACD3 JE SHORT 0079ACF6
0079ACD5 NOP
0079ACD6 NOP
0079ACD7 NOP
0079ACD8 NOP
0079ACD9 ADD EAX,DWORD PTR [EBP+<dwImageBase>]
0079ACDF CMP EAX,EBX ; 匹配返回地址
0079ACE1 JNZ SHORT 0079ACC9
0079ACE3 SUB EAX,2
0079ACE6 MOV ECX,DWORD PTR [EBP+ECX*4+<lpNoLicJmpTable>]
0079ACED ADD ECX,8
0079ACF0 MOV BYTE PTR [EAX],0E9 ; 解码失败,修改返回地址处的jmp跳过所有的加密部分
0079ACF3 MOV DWORD PTR [EAX+1],ECX
0079ACF6 PUSHAD
0079ACF7 CALL 0079ACFC
0079ACFC POP ESI
0079ACFD SUB ESI,6
0079AD00 MOV ECX,280
0079AD05 SUB ESI,ECX
0079AD07 MOV EDX,3A22136B
0079AD0C SHR ECX,2
0079AD0F SUB ECX,2
0079AD12 CMP ECX,0
0079AD15 JL SHORT 0079AD31
0079AD17 MOV EAX,DWORD PTR [ESI+ECX*4]
0079AD1A MOV EBX,DWORD PTR [ESI+ECX*4+4]
0079AD1E SUB EAX,EBX
0079AD20 ROR EAX,10
0079AD23 ADD EAX,EDX
0079AD25 ADD EDX,18063EBF
0079AD2B MOV DWORD PTR [ESI+ECX*4],EAX ; 把上面的代码重新加密
0079AD2E DEC ECX
0079AD2F JMP SHORT 0079AD12
0079AD31 POPAD
0079AD32 POPAD
0079AD33 RETN
如果没有"key.dat"或解码失败,观察返回位置变成:
0048193A CALL 00407684
0048193F JMP 00485095 ; 跳过所有加密代码
ACProtect 2.0只用了一组RSALock。
[注意]APP应用上架合规检测服务,协助应用顺利上架!