没事跟踪这个CreateMe,我以为断下就要遭遇RSA,谁知道刚断下就来到这么段古怪的代码,折腾了半天才搞明白干什么用的...
开始怀疑是BASE64编码,结果完全不是,基本功不行啊.......
我把这东西发出来和我一样菜及比我菜的人见见世面,你们跟踪的时候免得在这里浪费太多时间了.
这段代码的功能主要就是用查表法排除注册码中
"非法"的字符.不晓得是不是,看雪老大写的,错了大家不要笑.
用GetDlgItemTextA可以断在这里
004011A2 |. 8B3>
MOV EDI,
DWORD PTR DS:[<&USER32.GetDlgItemT>
; USER32.GetDlgItemTextA
004011A8 |. BE >
MOV ESI, 0C9
004011AD |. 8D8>
LEA EAX,
DWORD PTR SS:[
EBP-194]
; szName=[ebp-194]
004011B3 |. 56
PUSH ESI ; /Count => C9 (201.)004011B4 |. 50
PUSH EAX ; |Buffer
004011B5 |. 6A >
PUSH 6E
; |ControlID = 6E (110.)
004011B7 |. FF7>
PUSH DWORD PTR SS:[
EBP+8]
; |hWnd
004011BA |. FFD>
CALL EDI ; \GetDlgItemTextA
004011BC |. 8D8>
LEA EAX,
DWORD PTR SS:[
EBP-194]
004011C2 |. 50
PUSH EAX ;
004011C3 |. E8 >
CALL 004062E0
004011C8 |. 85C>
TEST EAX,
EAX
004011CA |. 59
POP ECX
004011CB |. 0F8>
JE 004012E8
004011D1 |. 8D8>
LEA EAX,
DWORD PTR SS:[
EBP-CC]
; szSerial=[ebp-cc]
004011D7 |. 56
PUSH ESI ; /Count => C9 (201.)
004011D8 |. 50
PUSH EAX ; |Buffer
004011D9 |. 68 >
PUSH 3E8
; |ControlID = 3E8 (1000.)
004011DE |. FF7>
PUSH DWORD PTR SS:[
EBP+8]
; |hWnd
004011E1 |. FFD>
CALL EDI ; \GetDlgItemTextA
004011E3 |. 389>
CMP BYTE PTR SS:[
EBP-CC],
BL
004011E9 |. 74 >
JE SHORT 00401228
004011EB |. 8DB>
LEA ESI,
DWORD PTR SS:[
EBP-CC]
; ESI=szSerial
004011F1 |. BF >
MOV EDI, 80
; EDI=80(1000 0000B)
004011F6 |> 833>/
CMP DWORD PTR DS:[40BDE4], 1
004011FD |. 7E >|
JLE SHORT 0040120D
........
0040120D |> 0FB>|
MOVSX EAX,
BYTE PTR DS:[
ESI]
00401210 |. 8B0>|
MOV ECX,
DWORD PTR DS:[40BBD8]
; ECX=40BBE2
00401216 |. 8A0>|
MOV AL,
BYTE PTR DS:[
ECX+
EAX*2]
; 根据字符的ASCII码查表40BBE2
00401219 |. 23C>|
AND EAX,
EDI ; EAX =EAX AND 1000 0000B,除第7位外全部置0
0040121B |> 3BC>|
CMP EAX,
EBX
0040121D |. 0F8>|
JE 004012E8
; 第7位为0则挂了.
00401223 |. 46 |
INC ESI
00401224 |. 381>|
CMP BYTE PTR DS:[
ESI],
BL
00401226 |.^ 75 >\
JNZ SHORT 004011F6
; 没有检查完继续检查
.......
004012E8 |> 33C>
XOR EAX,
EAX ; 以下代码 return 0
004012EA |> 5F
POP EDI
004012EB |. 5E
POP ESI
004012EC |. 5B
POP EBX
004012ED |. C9
LEAVE
004012EE \. C3
RET
查看内存40BBE2到40BBE2+7F*2的内容可得ASCII从0--7F的对应的表值:
---
ADDR-- --VALUE--
0040BBE2 00200020
0040BBE6 00200020
0040BBEA 00200020
0040BBEE 00200020
0040BBF2 00280020
0040BBF6 00280028
0040BBFA 00280028
0040BBFE 00200020
0040BC02 00200020
0040BC06 00200020
0040BC0A 00200020
0040BC0E 00200020
0040BC12 00200020
0040BC16 00200020
0040BC1A 00200020
0040BC1E 00200020
0040BC22 00100048
0040BC26 00100010
0040BC2A 00100010
0040BC2E 00100010
0040BC32 00100010
0040BC36 00100010
0040BC3A 00100010
0040BC3E 00100010
0040BC42 00840084
0040BC46 00840084
0040BC4A 00840084
0040BC4E 00840084
0040BC52 00840084
0040BC56 00100010
0040BC5A 00100010
0040BC5E 00100010
0040BC62 00810010
0040BC66 00810081
0040BC6A 00810081
0040BC6E 00010081
0040BC72 00010001
0040BC76 00010001
0040BC7A 00010001
0040BC7E 00010001
0040BC82 00010001
0040BC86 00010001
0040BC8A 00010001
0040BC8E 00010001
0040BC92 00010001
0040BC96 00100001
0040BC9A 00100010
0040BC9E 00100010
0040BCA2 00820010
0040BCA6 00820082
0040BCAA 00820082
0040BCAE 00020082
0040BCB2 00020002
0040BCB6 00020002
0040BCBA 00020002
0040BCBE 00020002
0040BCC2 00020002
0040BCC6 00020002
0040BCCA 00020002
0040BCCE 00020002
0040BCD2 00020002
0040BCD6 00100002
0040BCDA 00100010
0040BCDE 00200010
0040BCE2 00000000
00401216到0040121D的代码可以看出:
BYTE PTR DS:[40BBE2+
EAX*2]必须等于8X(1XXX XXXXB)否则就有
AND EAX 80后,
EAX==0,验证失败
因此,注册码每一个字符的ASCII码乘以2,所以的值作为索引查表40BBE2,查得的值必须是8X的形式才是有资格让RSA验证的注册码
从表0040BBE2整理出不会挂的字符
--
ADDR--- --VALUE--
0040BBE2
0040BC42 00840084 (bc42-bbe2)/2=60/2=30
0040BC46 00840084
0040BC4A 00840084
0040BC4E 00840084
0040BC52 00840084
;'0'---'9'
0040BC62 00810010 (bc62-bbe2)/2=80/2=40
0040BC66 00810081
0040BC6A 00810081
0040BC6E 00010081
;'A'--'F'
0040BCA2 00820010 (bca2-bbe2)/2=c0/2=60
0040BCA6 00820082
0040BCAA 00820082
0040BCAE 00020082
;'a'--'f'
因此'0'---'9','A'-'F','a'-'f'只有这些符是合法的.不然还轮不到RSA出手,注册码就挂了.
看这些字符咋这么面熟,到底是什么,JMP 三楼.....一世的英明差点毁到这上面了.....
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
