[Original] Challenge 7: Algorithm Analysis Steps
2017-6-14 15:12 3018
Tools: OD, VB, IDA
Cracking steps:
1. The program misbehaves under Win7 x64, so I moved it into a WinXP VM. Loaded it in OD and ran it, set a breakpoint with bp GetDlgItemTextA, typed the serial 123456 and pressed Enter. The breakpoint hit; returning to user code:
004104CD /$ 68 >push 0x90
004104D2 |. B8 >mov eax, 0045037E
004104D7 |. E8 >call 00413FD7
004104DC |. 8BF>mov esi, ecx
004104DE |. 6A >push 0x65
004104E0 |. 8D4>lea eax, dword ptr [ebp-0x80]
004104E3 |. 6A >push 0x0
004104E5 |. 50 push eax
004104E6 |. E8 >call 004156A0
004104EB |. 83C>add esp, 0xC
004104EE |. 8D4>lea eax, dword ptr [ebp-0x80]
004104F1 |. 6A >push 0x64 ; /Count = 64 (100.)
004104F3 |. 50 push eax ; |Buffer
004104F4 |. 68 >push 0x3E8 ; |ControlID = 3E8 (1000.)
004104F9 |. FF7>push dword ptr [esi+0x4] ; |hWnd
004104FC |. FF1>call dword ptr [<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA
00410502 |. 8D4>lea eax, dword ptr [ebp-0x80]
00410505 |. 50 push eax ; /Arg1
00410506 |. 8D8>lea ecx, dword ptr [ebp-0x98] ; |
0041050C |. E8 >call 0040FD2D ; \7-不问少.0040FD2D
00410511 |. 836>and dword ptr [ebp-0x4], 0x0
00410515 |. 8D4>lea eax, dword ptr [ebp-0x18]
00410518 |. 6A >push 0x5
0041051A |. 50 push eax
0041051B |. BB >mov ebx, 0x1AA
00410520 |. C74>mov dword ptr [ebp-0x18], 0x49444550
00410527 |. 53 push ebx
00410528 |. BF >mov edi, 00411B30
0041052D |. C64>mov byte ptr [ebp-0x14], 0x59
00410531 |. 57 push edi
00410532 |. E8 >call 00410DD6 ; code dec
00410537 |. 51 push ecx
00410538 |. 51 push ecx
00410539 |. 8D8>lea eax, dword ptr [ebp-0x98]
0041053F |. 89A>mov dword ptr [ebp-0x9C], esp
00410545 |. 8BC>mov ecx, esp
00410547 |. 50 push eax ; /Arg1
00410548 |. E8 >call 0040FD07 ; \7-不问少.0040FD07
0041054D |. C64>mov byte ptr [ebp-0x4], 0x1
00410551 |. C64>mov byte ptr [ebp-0x4], 0x0
00410555 |. 8D4>lea ecx, dword ptr [esi+0x40]
00410558 |. E8 >call 00411B30 ; code exec:user key exchange
0041055D |. 6A >push 0x5 ; /Arg4 = 00000005
0041055F |. 8D4>lea eax, dword ptr [ebp-0x18] ; |
00410562 |. 50 push eax ; |Arg3
00410563 |. 53 push ebx ; |Arg2
00410564 |. 57 push edi ; |Arg1
00410565 |. E8 >call 00410DD6 ; \code enc
0041056A |. 83C>add esp, 0x10
0041056D |. 8D4>lea ecx, dword ptr [esi+0x40]
00410570 |. E8 >call 00411825 ; calc key???
00410575 |. 834>or dword ptr [ebp-0x4], 0xFFFFFFFF
00410579 |. 8D8>lea ecx, dword ptr [ebp-0x98]
0041057F |. 6A >push 0x0 ; /Arg2 = 00000000
00410581 |. 6A >push 0x1 ; |Arg1 = 00000001
00410583 |. E8 >call <_memfree> ; \7-不问少.00410AE3
00410588 |. 33C>xor eax, eax
0041058A |. E8 >call 00413F81
0041058F \. C2 >retn 0x10
There is no obvious comparison here, so every CALL has to be inspected in turn.
2. The call at 00410532 (call 00410DD6) decodes the 0x1AA bytes of code at 00411B30 with the key "PEDIY" (mov dword ptr [ebp-0x18], 0x49444550 is "PEDI", the 0x59 byte is "Y", length 5); 00410558 call 00411B30 then runs the decoded code, and 00410565 call 00410DD6 encrypts it again with the same arguments. Code that is only decrypted for the duration of one call is where the key logic lives, so I followed call 00411B30.
3. The algorithm inside CALL 00411B30 is convoluted and took a long time to untangle. It works in these steps:
(1) XOR each byte of the input key with 0xCC.
(2) For each byte, 00411C13 call 00410F4C looks up its index in a table:
tb1:
0016CFD0 89 BC 95 FC FB BA ED 9A BB AE FE 99 A2 98 B9 F9
0016CFE0 9F 84 9C FD 83 AD B6 A9 A5 F5 8C A7 9E 96 8A F4
0016CFF0 85 BE A8 8F 86 AF 88 9D 87 BF FF A1 8B 81 A0 AB
0016D000 8E BD B5 AA 82 94 A4 8D A3 F8 B4 FA 9B A6 B8 80
XORing this table with 0xCC gives the plain alphabet: "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL" (the key byte was XORed with 0xCC as well, so the index is the same as looking the raw character up in this plain string).
The index is then scrambled, once per position, and the result is used to look tb1 up again; the looked-up byte is written back in place. In VB:
For i = 1 To Len(s)
n = InStr(1, ss, Mid$(s, i, 1)) - 1
For j = 1 To i
n = (n + n \ 5 + 5) Mod &H40
Next
bb(i) = tb1(n)
Next
(3) In 00411CA4 call 00410F75 each byte is XORed with 0xCC once more and rotated right by 5 (on a byte, ror 5 is the same as rol 3), then stored back in place. Call the result key2.
4. After 00410565 call 00410DD6 has re-encrypted the executed code, 00410570 call 00411825 validates the result computed above and only performs the follow-up actions when it is correct. The whole validation sits inside 00410570 call 00411825:
(1) 00411987 call 0041191F converts key2 to a hex string; call it key3.
(2) For each character of key3, 004119F4 call 00410F4C looks up its index in a table tb2:
tb2:
00403D50 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 0123456789ABCDEF
Each index is stored as a base-4 (quaternary) number, two digits per hex character.
(3) Check that the quaternary result is 0x50 = 80 digits long (20 bytes -> 40 hex characters -> 80 quaternary digits).
(4) Compare the quaternary result with a fixed table:
tb3:
0016D120 02 02 00 03 00 00 02 03 00 01 02 03 02 00 00 02 10100011 00001011 00011011 10000010 A30B1B82
0016D130 02 00 02 02 02 03 02 03 01 00 02 02 02 01 02 03 10001010 10111011 01001010 10011011 8ABB4A9B
0016D140 02 02 02 01 02 03 02 03 02 01 00 03 02 02 02 02 10101001 10111011 10010011 10101010 A9BB93AA
0016D150 02 02 00 03 01 02 02 03 02 00 00 02 02 02 02 02 10100011 01101011 10000010 10101010 A36B82AA
0016D160 00 00 00 02 01 00 02 02 02 03 00 02 01 00 00 03 00000010 01001010 10110010 01000011 024AB243
Converting this quaternary table back to hex gives the target string "A30B1B828ABB4A9BA9BB93AAA36B82AA024AB243".
5. That is the complete algorithm. Simplified, in VB:
Function ShlAndSar(value As Byte) As Byte
    ' (value << 3) Or (value >> 5) on a byte, with the right shift done arithmetically.
    ' Every alphabet character is below 0x80, so for the bytes that actually occur
    ' this is a plain rotate-left by 3, i.e. the ror 5 performed in call 00410F75.
    Dim v1 As Long, v2 As Long
    v1 = value
    v1 = (v1 * 8) And &HFF
    v2 = value And &H7F
    If (value And &H80) <> 0 Then v2 = -v2
    v2 = v2 \ 32
    ShlAndSar = (v1 Or v2) And &HFF
End Function

Private Sub Command1_Click()
    ' Forward direction: serial in Text1 -> key3 hex string in Text2
    Dim ss As String
    Dim i As Long, j As Long
    Dim n As Byte
    Dim s As String, t As String
    ss = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
    s = Text1.Text
    For i = 1 To Len(s)
        n = InStr(1, ss, Mid$(s, i, 1)) - 1   ' index of character i in the alphabet
        For j = 1 To i                         ' scrambled i times for position i
            n = (n + n \ 5 + 5) Mod &H40
        Next
        n = Asc(Mid$(ss, n + 1, 1))            ' look the index up in the alphabet again
        n = ShlAndSar(n)                       ' the two xor 0xCC cancel, the ror 5 remains
        t = t & Right$("00" & Hex(n), 2)       ' append as two hex digits (key3)
    Next
    Text2.Text = t
End Sub
6. Reversing this algorithm to recover the serial, in VB:
Private Function GetIndex(ByVal n As Long, ByVal c As Long) As String
    ' Return the first alphabet character whose index reaches c after n scrambling rounds
    Dim i As Long, j As Long, k As Long
    Dim s As String
    Dim ss As String
    ss = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
    For i = 0 To 63
        k = i
        For j = 1 To n
            k = (k + k \ 5 + 5) Mod &H40
        Next
        If k = c Then
            s = Mid$(ss, i + 1, 1)
            Exit For
        End If
    Next
    GetIndex = s
End Function

Private Sub Command2_Click()
    ' Reverse direction: target hex string in Text1 -> serial in Text2
    Dim ss As String
    Dim i As Long, j As Long, k As Long
    Dim n As Byte
    Dim s As String, t As String
    Dim mm(&HFF) As Byte
    ' Tabulate the byte transform so it can be inverted by lookup
    For i = 0 To &HFF
        mm(i) = ShlAndSar((i And &HFF))
    Next
    ss = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
    s = Text1.Text
    For i = 1 To Len(s) \ 2
        n = Val("&H" & Mid$(s, i * 2 - 1, 2))   ' target byte for position i
        For j = 0 To &H7F
            If mm(j) = n Then
                ' j is the alphabet character before the transform; keep its index in k,
                ' not in n, so the loop keeps comparing against the target byte
                k = InStr(1, ss, Chr(j)) - 1
                t = t & GetIndex(i, k)
            End If
        Next
    Next
    Text2.Text = t
End Sub
This gives the serial: BwndYbPHdPy2017@J9Ok
7. I thought that was the end, but entering this result still did not produce the success message. Reading on, there is a further step:
00411825 $ 6A >push 0x18
00411827 . B8 >mov eax, 0045054A
0041182C . E8 >call 0041400E
00411831 . 894>mov dword ptr [ebp-0x1C], ecx
00411834 . E8 >call 00411975 ; validate serial, must return 1
00411839 . 84C>test al, al
0041183B . 0F8>je 00411919
00411841 . 6A >push 0x40 ; /Protect = PAGE_EXECUTE_READWRITE
00411843 . BB >mov ebx, 0x1000 ; |
00411848 . 53 push ebx ; |AllocationType => MEM_COMMIT
00411849 . 53 push ebx ; |Size => 1000 (4096.)
0041184A . 33F>xor esi, esi ; |
0041184C . 56 push esi ; |Address => NULL
0041184D . FF1>call dword ptr [<&KERNEL32.VirtualAlloc>] ; \allocate an RWX page
00411853 . 8BF>mov edi, eax
00411855 . 897>mov dword ptr [ebp-0x18], edi
00411858 . 68 >push 0x94 ; /Arg4 = 00000094
0041185D . 68 >push 00411A9C ; |Arg3 = 00411A9C
00411862 . 53 push ebx ; |Arg2 => 00001000
00411863 . 57 push edi ; |Arg1
00411864 . E8 >call 004121ED ; \copy 0x94 bytes of code
00411869 . 83C>add esp, 0x10
0041186C . 8BC>mov ecx, edi
0041186E . 894>mov dword ptr [ebp-0x14], ecx
00411871 . 897>mov dword ptr [ebp-0x4], esi
00411874 . 897>mov dword ptr [ebp-0x20], esi
00411877 . 8B4>mov ecx, dword ptr [ebp-0x1C]
0041187A > 81F>cmp esi, 0x94
00411880 . 7D >jge short 004118A9
00411882 . 8BC>mov eax, esi
00411884 . 33D>xor edx, edx
00411886 . F77>div dword ptr [ecx+0x34]
00411889 . 46 inc esi
0041188A . 897>mov dword ptr [ebp-0x20], esi
0041188D . 8D4>lea eax, dword ptr [ecx+0x24]
00411890 . 837>cmp dword ptr [eax+0x14], 0x10
00411894 . 72 >jb short 00411898
00411896 . 8B0>mov eax, dword ptr [eax]
00411898 > 8A0>mov al, byte ptr [eax+edx]
0041189B . 8B5>mov edx, dword ptr [ebp-0x14]
0041189E . 300>xor byte ptr [edx], al ; decrypt the code with the input serial
004118A0 . 42 inc edx
004118A1 . 895>mov dword ptr [ebp-0x14], edx
004118A4 . 895>mov dword ptr [ebp-0x24], edx
004118A7 .^ EB >jmp short 0041187A
004118A9 > 8B4>mov eax, dword ptr [ecx+0x34]
004118AC . 894>mov dword ptr [ebp-0x1C], eax
004118AF . 83C>add ecx, 0x24
004118B2 . 837>cmp dword ptr [ecx+0x14], 0x10
004118B6 . 72 >jb short 004118BA
004118B8 . 8B0>mov ecx, dword ptr [ecx]
004118BA > 8BC>mov eax, esi
004118BC . 33D>xor edx, edx
004118BE . F77>div dword ptr [ebp-0x1C]
004118C1 . 8A0>mov al, byte ptr [edx+ecx]
004118C4 . 8B4>mov ecx, dword ptr [ebp-0x14]
004118C7 . 300>xor byte ptr [ecx], al
004118C9 . 8D4>lea ecx, dword ptr [edi+0x60]
004118CC . BA >mov edx, 00411A9C
004118D1 . 8BC>mov eax, edx
004118D3 . 2BC>sub eax, ecx
004118D5 . 83C>add eax, 0x60
004118D8 . 014>add dword ptr [ecx+0x1], eax
004118DB . 8D8>lea ecx, dword ptr [edi+0x8B]
004118E1 . 8B4>mov eax, dword ptr [ecx+0x1]
004118E4 . 2BC>sub eax, ecx
004118E6 . 81C>add edx, 0x8B
004118EC . 03C>add eax, edx
004118EE . 894>mov dword ptr [ecx+0x1], eax
004118F1 . FF5>call dword ptr [ebp-0x18] ; call into the decrypted code
The input serial is used to decrypt this code, and the success message is hidden inside the decrypted code. The loop at 0041187A XORs byte i of the 0x94-byte blob copied from 00411A9C with serial[i mod len] (div dword ptr [ecx+0x34] divides by the string length; the cmp dword ptr [eax+0x14], 0x10 / mov eax, dword ptr [eax] sequence is the std::string small-buffer check that selects the inline buffer or the heap pointer), and the two adds at 004118D8 and 004118EE patch the rel32 of the calls at offsets 0x60 and 0x8B so they still reach their targets from the VirtualAlloc'd page. With the serial derived above, the decrypted code contains invalid instructions. So the serial has more than one solution, and the candidates have to be tried one by one until the decrypted code is valid. First, modify the VB program from before:
Private Function GetIndex(ByVal n As Long, ByVal c As Long) As String
    ' Return every alphabet character whose index reaches c after n scrambling rounds
    Dim i As Long, j As Long, k As Long
    Dim s As String
    Dim ss As String
    ss = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
    For i = 0 To 63
        k = i
        For j = 1 To n
            k = (k + k \ 5 + 5) Mod &H40
        Next
        If k = c Then
            s = s & "," & Mid$(ss, i + 1, 1)
        End If
    Next
    GetIndex = s
End Function

Private Sub Command2_Click()
    ' Target hex string in Text1 -> one line of candidate characters per position in Text2
    Dim ss As String
    Dim i As Long, j As Long, k As Long
    Dim n As Byte
    Dim s As String, t As String
    Dim mm(&HFF) As Byte
    For i = 0 To &HFF
        mm(i) = ShlAndSar((i And &HFF))
    Next
    ss = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
    s = Text1.Text
    For i = 1 To Len(s) \ 2
        n = Val("&H" & Mid$(s, i * 2 - 1, 2))   ' target byte for position i
        For j = 0 To &H7F
            If mm(j) = n Then
                ' keep the alphabet index in k so n still holds the target byte
                k = InStr(1, ss, Chr(j)) - 1
                t = t & " " & GetIndex(i, k)
            End If
        Next
        t = t & vbCrLf
    Next
    Text2.Text = t
End Sub
Running it gives the usable characters for each position:
00: B
01: w, j
02: n
03: d, s
04: Y, l, A
05: b, t
06: P, i
07: H, e
08: d, c, s
09: P, i
0A: y
0B: 2, 5  (the run also printed P, i after a gap)
0C: 0, g, o
0D: 1, a
0E: 7, B, 4
0F: @, r, K  (the run also printed d, c, s after a gap)
10: J, G, X
11: 9, I, D
12: O
13: k, F
The second, space-separated group on rows 0B and 0F is not a set of valid candidates: as originally written, the inner loop in Command2_Click reused n, the byte being matched, to hold the alphabet index, so later values of j were matched against that index instead of the target byte. With a separate variable for the index those rows are just 2, 5 and @, r, K; the serial chosen next uses "2" and "K", which are genuine candidates.
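The whole chain in Python, as an added example that is not part of the original post (the post's own code is the VB above): the forward transform with the 64-character alphabet, the per-position scrambling, the rotate, the quaternary comparison against tb3, and the candidate search for each position. Nothing is assumed beyond what the dumps above show: the alphabet, tb2, tb3 and the two serials are taken from this writeup, and the function names are mine. Its candidate table matches the one above except that rows 0B and 0F contain only their first group.

```python
# Checker and keygen for the serial scheme reversed above.
# Added example, not code from the original post; alphabet, transform and
# tables are transcribed from the dumps in the writeup.

ALPHABET = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL"
HEX_DIGITS = "0123456789ABCDEF"  # tb2 at 00403D50

# tb3: the fixed quaternary string at 0016D120, transcribed from the dump
TB3 = [
    2, 2, 0, 3, 0, 0, 2, 3, 0, 1, 2, 3, 2, 0, 0, 2,
    2, 0, 2, 2, 2, 3, 2, 3, 1, 0, 2, 2, 2, 1, 2, 3,
    2, 2, 2, 1, 2, 3, 2, 3, 2, 1, 0, 3, 2, 2, 2, 2,
    2, 2, 0, 3, 1, 2, 2, 3, 2, 0, 0, 2, 2, 2, 2, 2,
    0, 0, 0, 2, 1, 0, 2, 2, 2, 3, 0, 2, 1, 0, 0, 3,
]


def step(n: int) -> int:
    """One round of the index scrambler in call 00411B30."""
    return (n + n // 5 + 5) % 64


def rol3(b: int) -> int:
    """The two xor 0xCC cancel; what remains of call 00410F75 is ror 5 == rol 3 on a byte."""
    return ((b << 3) | (b >> 5)) & 0xFF


def ror3(b: int) -> int:
    """Inverse of rol3."""
    return ((b >> 3) | (b << 5)) & 0xFF


def quaternary_to_hex(digits) -> str:
    """tb3 -> hex string: two base-4 digits per hex nibble."""
    return "".join(HEX_DIGITS[4 * hi + lo] for hi, lo in zip(digits[0::2], digits[1::2]))


def hex_to_quaternary(hexstr: str):
    """What call 00411825 does with key3: each character's index in tb2, written in base 4."""
    out = []
    for ch in hexstr:
        v = HEX_DIGITS.index(ch)
        out += [v // 4, v % 4]
    return out


def encode(serial: str) -> str:
    """Serial -> key3, the upper-case hex string the binary ends up comparing."""
    out = bytearray()
    for i, ch in enumerate(serial, 1):
        n = ALPHABET.index(ch)          # ValueError for characters outside the alphabet
        for _ in range(i):              # position i is scrambled i times
            n = step(n)
        out.append(rol3(ord(ALPHABET[n])))
    return out.hex().upper()


def check(serial: str) -> bool:
    """Mirror the binary: quaternary length must be 0x50, then compare with tb3."""
    if any(ch not in ALPHABET for ch in serial):
        return False
    q = hex_to_quaternary(encode(serial))
    return len(q) == 0x50 and q == TB3


TARGET_HEX = quaternary_to_hex(TB3)


def candidates(target_hex: str = TARGET_HEX):
    """For every position, all alphabet characters that produce the target byte."""
    table = []
    for i, t in enumerate(bytes.fromhex(target_hex), 1):
        want = ALPHABET.find(chr(ror3(t)))   # -1 if no alphabet character can produce t
        opts = []
        for k in range(64):
            n = k
            for _ in range(i):
                n = step(n)
            if n == want:
                opts.append(ALPHABET[k])
        table.append(opts)
    return table


def count_solutions(table) -> int:
    """Number of serials accepted by the hash check alone (before the code-decryption test)."""
    total = 1
    for opts in table:
        total *= len(opts)
    return total


if __name__ == "__main__":
    tab = candidates()
    for pos, opts in enumerate(tab):
        print(f"{pos:02X}: {','.join(opts)}")
    print("serials passing the hash check:", count_solutions(tab))
    for s in ("BwndYbPHdPy2017@J9Ok", "BwnsAtPediy2017KX9Ok"):
        print(s, check(s))
```

Both serials from the writeup pass check(), which is exactly why the hash comparison alone could not pin the serial down: the final selection has to come from whether the 0x94-byte blob decrypts to valid code.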
Combining these, with the serial "BwnsAtPediy2017KX9Ok" the decrypted instructions are valid and run:
00D50000 55 push ebp
00D50001 8BEC mov ebp, esp
00D50003 6A FF push -0x1
00D50005 68 E8054500 push 0x4505E8
00D5000A 64:A1 00000000 mov eax, dword ptr fs:[0]
00D50010 50 push eax
00D50011 83EC 24 sub esp, 0x24
00D50014 A1 84044000 mov eax, dword ptr [0x400484]
00D50019 33C5 xor eax, ebp
00D5001B 8945 F0 mov dword ptr [ebp-0x10], eax
00D5001E 50 push eax
00D5001F 8D45 F4 lea eax, dword ptr [ebp-0xC]
00D50022 64:A3 00000000 mov dword ptr fs:[0], eax
00D50028 8365 D8 00 and dword ptr [ebp-0x28], 0x0
00D5002C 8D45 D8 lea eax, dword ptr [ebp-0x28]
00D5002F 50 push eax
00D50030 8D4D DC lea ecx, dword ptr [ebp-0x24]
00D50033 C745 DC 42574E53 mov dword ptr [ebp-0x24], 0x534E5742
00D5003A 51 push ecx
00D5003B 8D45 ED lea eax, dword ptr [ebp-0x13]
00D5003E C745 E0 1532223F mov dword ptr [ebp-0x20], 0x3F223215
00D50045 50 push eax
00D50046 8D45 E0 lea eax, dword ptr [ebp-0x20]
00D50049 C745 E4 6233213D mov dword ptr [ebp-0x1C], 0x3D213362
00D50050 50 push eax
00D50051 8D45 D0 lea eax, dword ptr [ebp-0x30]
00D50054 C745 E8 2776747A mov dword ptr [ebp-0x18], 0x7A747627
00D5005B 50 push eax
00D5005C C645 EC 42 mov byte ptr [ebp-0x14], 0x42
00D50060 E8 AE106CFF call 7-不问少.00411113
00D50065 83C4 14 add esp, 0x14
00D50068 8D45 E0 lea eax, dword ptr [ebp-0x20]
00D5006B 6A 40 push 0x40
00D5006D 68 1D3D4000 push 0x403D1D
00D50072 50 push eax
00D50073 6A 00 push 0x0
00D50075 FF15 F03D4500 call dword ptr [<&USER32.MessageBoxA>] ; user32.MessageBoxA
00D5007B 8B4D F4 mov ecx, dword ptr [ebp-0xC]
00D5007E 64:890D 00000000 mov dword ptr fs:[0], ecx
00D50085 59 pop ecx
00D50086 8B4D F0 mov ecx, dword ptr [ebp-0x10]
00D50089 33CD xor ecx, ebp
00D5008B E8 CB3E6CFF call 7-不问少.00413F5B
00D50090 8BE5 mov esp, ebp
00D50092 5D pop ebp
00D50093 C3 retn
It pops up the success message "Well done!:)".
8. Looking in IDA at the calls to the code encryption/decryption routine, there are three: two that encrypt and decrypt 00411B30, and one more in the TLS callback, 0040C179 call 00410DD6, which decrypts the code at the OEP before the program proper starts. The decrypted code at those two locations (the 00411B30 block and the entry point) is:
00411B30 /$ 6A 28 push 0x28
00411B32 |. B8 25064500 mov eax, 00450625
00411B37 |. E8 67240000 call 00413FA3
00411B3C |. 8BF1 mov esi, ecx
00411B3E |. 33DB xor ebx, ebx
00411B40 |. 895D FC mov dword ptr [ebp-0x4], ebx
00411B43 |. 83EC 18 sub esp, 0x18
00411B46 |. 8D45 08 lea eax, dword ptr [ebp+0x8]
00411B49 |. 8965 E4 mov dword ptr [ebp-0x1C], esp
00411B4C |. 8BCC mov ecx, esp
00411B4E |. 50 push eax ; /Arg1
00411B4F |. E8 B3E1FFFF call 0040FD07 ; \7-不问少.0040FD07
00411B54 |. C645 FC 01 mov byte ptr [ebp-0x4], 0x1
00411B58 |. 885D FC mov byte ptr [ebp-0x4], bl
00411B5B |. 8BCE mov ecx, esi
00411B5D |. E8 7A010000 call 00411CDC
00411B62 |. 84C0 test al, al
00411B64 |. 0F84 5B010000 je 00411CC5
00411B6A |. 8D4E 24 lea ecx, dword ptr [esi+0x24]
00411B6D |. 8D45 08 lea eax, dword ptr [ebp+0x8]
00411B70 |. 3BC8 cmp ecx, eax
00411B72 |. 74 09 je short 00411B7D
00411B74 |. 6A FF push -0x1 ; /Arg3 = FFFFFFFF
00411B76 |. 53 push ebx ; |Arg2
00411B77 |. 50 push eax ; |Arg1
00411B78 |. E8 BBEFFFFF call 00410B38 ; \7-不问少.00410B38
00411B7D |> 8B45 18 mov eax, dword ptr [ebp+0x18]
00411B80 |. 8D4D F0 lea ecx, dword ptr [ebp-0x10]
00411B83 |. 51 push ecx
00411B84 |. 50 push eax
00411B85 |. 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00411B88 |. 8945 D0 mov dword ptr [ebp-0x30], eax
00411B8B |. 885D F0 mov byte ptr [ebp-0x10], bl
00411B8E |. 895D D8 mov dword ptr [ebp-0x28], ebx
00411B91 |. 895D DC mov dword ptr [ebp-0x24], ebx
00411B94 |. 895D E0 mov dword ptr [ebp-0x20], ebx
00411B97 |. E8 B5010000 call 00411D51
00411B9C |. C645 FC 02 mov byte ptr [ebp-0x4], 0x2
00411BA0 |. 8D4D 08 lea ecx, dword ptr [ebp+0x8]
00411BA3 |. 8B5D 1C mov ebx, dword ptr [ebp+0x1C]
00411BA6 |. 83FB 10 cmp ebx, 0x10
00411BA9 |. 8B45 18 mov eax, dword ptr [ebp+0x18]
00411BAC |. 0F434D 08 cmovnb ecx, dword ptr [ebp+0x8]
00411BB0 |. 03C1 add eax, ecx
00411BB2 |. 83FB 10 cmp ebx, 0x10
00411BB5 |. 8D4D 08 lea ecx, dword ptr [ebp+0x8]
00411BB8 |. 8BF8 mov edi, eax
00411BBA |. 0F434D 08 cmovnb ecx, dword ptr [ebp+0x8]
00411BBE |. 33D2 xor edx, edx
00411BC0 |. 2155 EC and dword ptr [ebp-0x14], edx
00411BC3 |. 2BF9 sub edi, ecx
00411BC5 |. 3BC8 cmp ecx, eax
00411BC7 |. 0F477D EC cmova edi, dword ptr [ebp-0x14]
00411BCB |. 85FF test edi, edi
00411BCD |. 74 0C je short 00411BDB
00411BCF |> 8031 CC /xor byte ptr [ecx], 0xCC
00411BD2 |. 41 |inc ecx
00411BD3 |. 42 |inc edx
00411BD4 |. 3BD7 |cmp edx, edi
00411BD6 |.^ 75 F7 \jnz short 00411BCF
00411BD8 |. 8B5D 1C mov ebx, dword ptr [ebp+0x1C]
00411BDB |> 33C9 xor ecx, ecx
00411BDD |. 894D E8 mov dword ptr [ebp-0x18], ecx
00411BE0 |. 394D D0 cmp dword ptr [ebp-0x30], ecx
00411BE3 |. 0F8E B1000000 jle 00411C9A
00411BE9 |. 8B7D D8 mov edi, dword ptr [ebp-0x28]
00411BEC |. 33C0 xor eax, eax
00411BEE |. 40 inc eax
00411BEF |. 897D EC mov dword ptr [ebp-0x14], edi
00411BF2 |. 2BC7 sub eax, edi
00411BF4 |. C745 E4 05000000 mov dword ptr [ebp-0x1C], 0x5
00411BFB |. 8945 CC mov dword ptr [ebp-0x34], eax
00411BFE |> FF75 E4 /push dword ptr [ebp-0x1C] ; /Arg4
00411C01 |. 83FB 10 |cmp ebx, 0x10 ; |
00411C04 |. 8D45 08 |lea eax, dword ptr [ebp+0x8] ; |
00411C07 |. 0F4345 08 |cmovnb eax, dword ptr [ebp+0x8] ; |
00411C0B |. 03C1 |add eax, ecx ; |
00411C0D |. 50 |push eax ; |Arg3
00411C0E |. FF76 04 |push dword ptr [esi+0x4] ; |Arg2
00411C11 |. FF36 |push dword ptr [esi] ; |Arg1
00411C13 |. E8 34F3FFFF |call <_FindCharInStr> ; \get index in str
00411C18 |. 8BC8 |mov ecx, eax
00411C1A |. 83C4 10 |add esp, 0x10
00411C1D |. 3B4E 04 |cmp ecx, dword ptr [esi+0x4]
00411C20 |. 74 60 |je short 00411C82
00411C22 |. 8AC1 |mov al, cl
00411C24 |. 2A06 |sub al, byte ptr [esi]
00411C26 |. 8807 |mov byte ptr [edi], al
00411C28 |. 75 05 |jnz short 00411C2F
00411C2A |. 33DB |xor ebx, ebx
00411C2C |. 43 |inc ebx
00411C2D |. EB 03 |jmp short 00411C32
00411C2F |> 0FBED8 |movsx ebx, al
00411C32 |> 837D E8 00 |cmp dword ptr [ebp-0x18], 0x0
00411C36 |. 881F |mov byte ptr [edi], bl
00411C38 |. 7C 3E |jl short 00411C78
00411C3A |. 8B45 CC |mov eax, dword ptr [ebp-0x34]
00411C3D |. 03C7 |add eax, edi
00411C3F |. 8945 D4 |mov dword ptr [ebp-0x2C], eax
00411C42 |> 33FF |/xor edi, edi
00411C44 |> 41 ||/inc ecx
00411C45 |. 3B4E 04 |||cmp ecx, dword ptr [esi+0x4]
00411C48 |. 75 02 |||jnz short 00411C4C
00411C4A |. 8B0E |||mov ecx, dword ptr [esi]
00411C4C |> 0FBEC3 |||movsx eax, bl
00411C4F |. 47 |||inc edi
00411C50 |. 99 |||cdq
00411C51 |. F77D E4 |||idiv dword ptr [ebp-0x1C]
00411C54 |. 6A 05 |||push 0x5
00411C56 |. 5A |||pop edx
00411C57 |. 03C2 |||add eax, edx
00411C59 |. 3BF8 |||cmp edi, eax
00411C5B |.^ 75 E7 ||\jnz short 00411C44
00411C5D |. 8B7D EC ||mov edi, dword ptr [ebp-0x14]
00411C60 |. 8AC1 ||mov al, cl
00411C62 |. 2A06 ||sub al, byte ptr [esi]
00411C64 |. 8807 ||mov byte ptr [edi], al
00411C66 |. 75 05 ||jnz short 00411C6D
00411C68 |. 33DB ||xor ebx, ebx
00411C6A |. 43 ||inc ebx
00411C6B |. EB 03 ||jmp short 00411C70
00411C6D |> 0FBED8 ||movsx ebx, al
00411C70 |> 836D D4 01 ||sub dword ptr [ebp-0x2C], 0x1
00411C74 |. 881F ||mov byte ptr [edi], bl
00411C76 |.^ 75 CA |\jnz short 00411C42
00411C78 |> 0FBE0F |movsx ecx, byte ptr [edi]
00411C7B |. 8B06 |mov eax, dword ptr [esi]
00411C7D |. 8A0401 |mov al, byte ptr [ecx+eax]
00411C80 |. 8807 |mov byte ptr [edi], al
00411C82 |> 8B4D E8 |mov ecx, dword ptr [ebp-0x18]
00411C85 |. 41 |inc ecx
00411C86 |. 47 |inc edi
00411C87 |. 894D E8 |mov dword ptr [ebp-0x18], ecx
00411C8A |. 897D EC |mov dword ptr [ebp-0x14], edi
00411C8D |. 3B4D D0 |cmp ecx, dword ptr [ebp-0x30]
00411C90 |. 7D 08 |jge short 00411C9A
00411C92 |. 8B5D 1C |mov ebx, dword ptr [ebp+0x1C]
00411C95 |.^ E9 64FFFFFF \jmp 00411BFE
00411C9A |> 8D45 F0 lea eax, dword ptr [ebp-0x10]
00411C9D |. 50 push eax ; /Arg3
00411C9E |. FF75 DC push dword ptr [ebp-0x24] ; |Arg2
00411CA1 |. FF75 D8 push dword ptr [ebp-0x28] ; |Arg1
00411CA4 |. E8 CCF2FFFF call 00410F75 ; \xor 0xCC and ror(5)
00411CA9 |. 83C4 0C add esp, 0xC
00411CAC |. 8D45 D8 lea eax, dword ptr [ebp-0x28]
00411CAF |. 8D4E 0C lea ecx, dword ptr [esi+0xC]
00411CB2 |. 50 push eax
00411CB3 |. E8 34FAFFFF call 004116EC ; copy
00411CB8 |. 33DB xor ebx, ebx
00411CBA |. 885D FC mov byte ptr [ebp-0x4], bl
00411CBD |. 8D4D D8 lea ecx, dword ptr [ebp-0x28]
00411CC0 |. E8 C9020000 call 00411F8E ; heap free
00411CC5 |> 834D FC FF or dword ptr [ebp-0x4], 0xFFFFFFFF
00411CC9 |. 8D4D 08 lea ecx, dword ptr [ebp+0x8]
00411CCC |. 53 push ebx ; /Arg2
00411CCD |. 6A 01 push 0x1 ; |Arg1 = 00000001
00411CCF |. E8 0FEEFFFF call <_memfree> ; \7-不问少.00410AE3
00411CD4 |. E8 93220000 call 00413F6C
00411CD9 \. C2 1800 retn 0x18
00414422 > $ E8 16050000 call 0041493D
00414427 .^ E9 5CFEFFFF jmp 00414288
0041442C /$ 55 push ebp
0041442D |. 8BEC mov ebp, esp
0041442F |. 81EC 24030000 sub esp, 0x324
00414435 |. 53 push ebx
00414436 |. 56 push esi
00414437 |. 6A 17 push 0x17
00414439 |. E8 52AA0300 call <jmp.&KERNEL32.IsProcessorFeaturePresent>
0041443E |. 85C0 test eax, eax
00414440 |. 74 05 je short 00414447
00414442 |. 8B4D 08 mov ecx, dword ptr [ebp+0x8]
00414445 |. CD 29 int 0x29
00414447 |> 33F6 xor esi, esi
00414449 |. 8D85 DCFCFFFF lea eax, dword ptr [ebp-0x324]
0041444F |. 68 CC020000 push 0x2CC
00414454 |. 56 push esi
00414455 |. 50 push eax
00414456 |. 8935 E02A4500 mov dword ptr [0x452AE0], esi
0041445C |. E8 3F120000 call 004156A0
00414461 |. 83C4 0C add esp, 0xC
00414464 |. 8985 8CFDFFFF mov dword ptr [ebp-0x274], eax
0041446A |. 898D 88FDFFFF mov dword ptr [ebp-0x278], ecx
00414470 |. 8995 84FDFFFF mov dword ptr [ebp-0x27C], edx
00414476 |. 899D 80FDFFFF mov dword ptr [ebp-0x280], ebx
0041447C |. 89B5 7CFDFFFF mov dword ptr [ebp-0x284], esi
00414482 |. 89BD 78FDFFFF mov dword ptr [ebp-0x288], edi
00414488 |. 66:8C95 A4FDFFFF mov word ptr [ebp-0x25C], ss
0041448F |. 66:8C8D 98FDFFFF mov word ptr [ebp-0x268], cs
00414496 |. 66:8C9D 74FDFFFF mov word ptr [ebp-0x28C], ds
0041449D |. 66:8C85 70FDFFFF mov word ptr [ebp-0x290], es
004144A4 |. 66:8CA5 6CFDFFFF mov word ptr [ebp-0x294], fs
004144AB |. 66:8CAD 68FDFFFF mov word ptr [ebp-0x298], gs
004144B2 |. 9C pushfd
004144B3 |. 8F85 9CFDFFFF pop dword ptr [ebp-0x264]
004144B9 |. 8B45 04 mov eax, dword ptr [ebp+0x4]
004144BC |. 8985 94FDFFFF mov dword ptr [ebp-0x26C], eax
004144C2 |. 8D45 04 lea eax, dword ptr [ebp+0x4]
004144C5 |. 8985 A0FDFFFF mov dword ptr [ebp-0x260], eax
004144CB |. C785 DCFCFFFF 01000100 mov dword ptr [ebp-0x324], 0x10001
004144D5 |. 8B40 FC mov eax, dword ptr [eax-0x4]
004144D8 |. 6A 50 push 0x50
004144DA |. 8985 90FDFFFF mov dword ptr [ebp-0x270], eax
004144E0 |. 8D45 A8 lea eax, dword ptr [ebp-0x58]
004144E3 |. 56 push esi
004144E4 |. 50 push eax
004144E5 |. E8 B6110000 call 004156A0
It can be pasted straight back over the original bytes in the EXE to make the IDA analysis easier.
9. In summary, the serial is "BwnsAtPediy2017KX9Ok". Done.