【Title】: ****** registration algorithm analysis (RC2, SHA-1)
【Author】: icow
【Packer】: UPX
【Protection】: registration code
【Language】: Delphi
【Tools】: OllyDbg, Damn Hash Calculator 1.51
【Platform】: Win98
【Author's note】: This is purely out of interest, with no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
【Details】
Unpacking and locating the key registration code are fairly easy, so only the registration algorithm is covered here. This is my first crack write-up; criticism and corrections of anything improper or missing are welcome.
Machine code shown by the program at registration: F4258784957
Registration code entered: ka98765432 ; why two letters followed by eight digits is explained below.
We arrive at the following registration code:
00578FF1 55 PUSH EBP
00578FF2 68 7E925700 PUSH MYZC.0057927E
00578FF7 64:FF30 PUSH DWORD PTR FS:[EAX]
00578FFA 64:8920 MOV DWORD PTR FS:[EAX],ESP
00578FFD 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00579000 E8 ABFDFFFF CALL MYZC.00578DB0 ; compute the machine code
00579005 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00579008 50 PUSH EAX
00579009 B9 0A000000 MOV ECX,0A
0057900E BA 02000000 MOV EDX,2
00579013 A1 DC875800 MOV EAX,DWORD PTR DS:[5887DC]
00579018 E8 93C1E8FF CALL MYZC.004051B0 ; copy the ten bytes "4258784957", starting at the second byte of the machine code, into [EBP-4]
0057901D 8D85 D8FEFFFF LEA EAX,DWORD PTR SS:[EBP-128]
00579023 50 PUSH EAX
00579024 B9 02000000 MOV ECX,2
00579029 BA 09000000 MOV EDX,9
0057902E 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00579031 E8 7AC1E8FF CALL MYZC.004051B0 ; take the last two bytes "57" and push them
00579036 FFB5 D8FEFFFF PUSH DWORD PTR SS:[EBP-128]
0057903C 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
00579042 50 PUSH EAX
00579043 B9 02000000 MOV ECX,2
00579048 BA 01000000 MOV EDX,1
0057904D 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00579050 E8 5BC1E8FF CALL MYZC.004051B0 ; take the first two bytes "42" and push them
00579055 FFB5 D4FEFFFF PUSH DWORD PTR SS:[EBP-12C]
0057905B 68 94925700 PUSH MYZC.00579294
00579060 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
00579066 50 PUSH EAX
00579067 B9 06000000 MOV ECX,6
0057906C BA 03000000 MOV EDX,3
00579071 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00579074 E8 37C1E8FF CALL MYZC.004051B0 ; take the middle six bytes "587849" and push them
00579079 FFB5 D0FEFFFF PUSH DWORD PTR SS:[EBP-130]
0057907F 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00579082 BA 04000000 MOV EDX,4
00579087 E8 8CBFE8FF CALL MYZC.00405018 ; assemble "5742-587849"
0057908C A1 5C4C5800 MOV EAX,DWORD PTR DS:[584C5C]
00579091 8B00 MOV EAX,DWORD PTR DS:[EAX]
00579093 8B80 18030000 MOV EAX,DWORD PTR DS:[EAX+318]
00579099 33D2 XOR EDX,EDX
0057909B E8 88E4ECFF CALL MYZC.00447528
005790A0 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] ; note this [EBP-A4]
005790A6 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; "5742-587849"
005790A9 E8 CE79F2FF CALL MYZC.004A0A7C ; key CALL, step in
004A0A7C 53 PUSH EBX
004A0A7D 56 PUSH ESI
004A0A7E 57 PUSH EDI
004A0A7F 83C>ADD ESP,-60 ; watch how the stack contents change
004A0A82 8BD>MOV EBX,EDX
004A0A84 8BF>MOV EDI,EAX
004A0A86 8BC>MOV EAX,ESP
004A0A88 E8 >CALL MYZC.004A0814 ; step in and look: the five 32-bit SHA-1 constants are placed on the stack
004A0A8D 8BC>MOV EAX,EBX ; EAX points to the string "5742-587849"
004A0A8F E8 >CALL MYZC.00404F58 ; get the string length
004A0A94 50 PUSH EAX
004A0A95 8BC>MOV EAX,EBX
004A0A97 E8 >CALL MYZC.00405150
004A0A9C 8BD>MOV EDX,EAX
004A0A9E 8D4>LEA EAX,DWORD PTR SS:[ESP+4]
004A0AA2 59 POP ECX
004A0AA3 E8 >CALL MYZC.004A0878 ; the string "5742-587849" is placed on the stack; now do "d esp" and look:
0108FA70 00 00 00 00 58 00 00 00 0B 00 00 00 01 23 45 67 ....X......#Eg
0108FA80 89 AB CD EF FE DC BA 98 76 54 32 10 F0 E1 D2 C3 ........vT2.....
0108FA90 35 37 34 32 2D 35 38 37 38 34 39 00 00 00 00 00 5742-587849.....
0108FAA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0108FAB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0108FAC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Notice anything? Starting at offset 0x0C, the five dwords 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0 are the SHA-1 initial state; just before them, 0x58 = 88 is the message length in bits (11 bytes x 8) and 0x0B = 11 is the byte count, and the message "5742-587849" itself follows the state.
004A0AA8 B8 >MOV EAX,14
004A0AAD E8 >CALL MYZC.004027D8
004A0AB2 8BD>MOV EBX,EAX
004A0AB4 8BF>MOV ESI,EBX
004A0AB6 8BD>MOV EDX,ESI
004A0AB8 8BC>MOV EAX,ESP
004A0ABA E8 >CALL MYZC.004A08E0 ; SHA-1 hash function; the 160-bit digest is stored at [ESI]
CALL 4A08E0 is the SHA-1 hash function. I am not very familiar with the details of SHA-1, so I verified it with Damn Hash Calculator.
Open Hash Calculator, select SHA160, enter 5742-587849 in the TEXT field and click Calculate to get the 160-bit digest. It matches [ESI] exactly.
004A0ABF 6A >PUSH 0
004A0AC1 8BD>MOV EDX,ESI ; the 160-bit digest is the KEY for the RC2 below
004A0AC3 8BC>MOV EAX,EDI ; EAX points to the RC2 ciphertext output; [EAX+0x10] is the table produced by key initialization
004A0AC5 B9 >MOV ECX,0A0 ; key length (in bits)
004A0ACA E8 >CALL MYZC.004A0DA0 ; key CALL: RC2 key expansion, then RC2-encrypts FFFFFFFFFFFFFFFF
004A0ACF 8BC>MOV EAX,ESI
004A0AD1 B9 >MOV ECX,0FF
004A0AD6 BA >MOV EDX,14
004A0ADB E8 >CALL MYZC.0040329C
004A0AE0 8BC>MOV EAX,EBX
004A0AE2 E8 >CALL MYZC.004027F8
004A0AE7 8BC>MOV EAX,ESP
004A0AE9 E8 >CALL MYZC.004A0844
004A0AEE 83C>ADD ESP,60
004A0AF1 5F POP EDI
004A0AF2 5E POP ESI
004A0AF3 5B POP EBX
004A0AF4 C3 RETN
005790AE 8D95 C4FEFFFF LEA EDX,DWORD PTR SS:[EBP-13C]
005790B4 A1 5C4C5800 MOV EAX,DWORD PTR DS:[584C5C]
005790B9 8B00 MOV EAX,DWORD PTR DS:[EAX]
005790BB 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
005790C1 E8 0E9AEDFF CALL MYZC.00452AD4 ; get the registration code
005790C6 8B85 C4FEFFFF MOV EAX,DWORD PTR SS:[EBP-13C] ; [EBP-13C] holds the registration code entered
005790CC 8D95 C8FEFFFF LEA EDX,DWORD PTR SS:[EBP-138]
005790D2 E8 7505E9FF CALL MYZC.0040964C
005790D7 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138]
005790DD 8D95 CCFEFFFF LEA EDX,DWORD PTR SS:[EBP-134]
005790E3 E8 1403E9FF CALL MYZC.004093FC ; convert all letters of the registration code to upper case
005790E8 8B85 CCFEFFFF MOV EAX,DWORD PTR SS:[EBP-134] ; "KA98765432"
005790EE E8 997FF2FF CALL MYZC.004A108C ; key CALL
005790F3 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; note the value of EAX: the 32-bit value derived from the registration code
005790F6 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005790F9 A3 C0775800 MOV DWORD PTR DS:[5877C0],EAX
005790FE 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10] ; ciphertext output buffer
00579101 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C] ; points to the result of the first RC2 encryption, the plaintext input for this RC2 encryption
00579107 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] ; EAX+10 points to the table from the previous RC2 key initialization
0057910D E8 E679F2FF CALL MYZC.004A0AF8 ; key CALL: RC2 encryption function; encrypts the previous RC2 result a second time
00579112 6A 04 PUSH 4
00579114 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00579117 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8] ; points to the 32-bit value derived from the registration code
0057911A 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; points to the 64-bit output of the second RC2 encryption
0057911D E8 A673F2FF CALL MYZC.004A04C8 ; XOR the low 32 bits at [EAX] with the 32 bits at [EDX]; the result goes to [EBP-14]
00579122 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00579125 B9 FF000000 MOV ECX,0FF
0057912A BA 08000000 MOV EDX,8
0057912F E8 68A1E8FF CALL MYZC.0040329C
00579134 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0057913A E8 C97DF2FF CALL MYZC.004A0F08
0057913F 6A 00 PUSH 0
00579141 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; points to the 32-bit XOR result just computed
00579144 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] ; [EBP-A4] points to the output of the third RC2 encryption (64 bits)
0057914A B9 20000000 MOV ECX,20 ; [EBP-A4+10] points to the table from this RC2 key initialization
0057914F E8 4C7CF2FF CALL MYZC.004A0DA0 ; key CALL: third RC2 encryption; [EBP-14] is the KEY, length 0x20 bits; 0xffffffffffffffff is RC2-encrypted once more
00579154 33C0 XOR EAX,EAX
00579156 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00579159 33C0 XOR EAX,EAX
0057915B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0057915E 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
00579164 E8 9F7DF2FF CALL MYZC.004A0F08
00579169 6A 0C PUSH 0C
0057916B 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00579171 BA 58465800 MOV EDX,MYZC.00584658 ; points to a 12-byte table: 404f500ad7a167b6ba7c0943
00579176 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0057917C E8 977DF2FF CALL MYZC.004A0F18 ; key CALL, step in: computes the 12-byte SHA-1 input
00579181 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
00579187 E8 7C7DF2FF CALL MYZC.004A0F08
0057918C 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
00579192 E8 357DF2FF CALL MYZC.004A0ECC
00579197 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
0057919D E8 7276F2FF CALL MYZC.004A0814 ; step in and look: the five 32-bit SHA-1 constants are placed on the stack
005791A2 8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
005791A8 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
005791AE B9 0C000000 MOV ECX,0C
005791B3 E8 C076F2FF CALL MYZC.004A0878
005791B8 8D95 DCFEFFFF LEA EDX,DWORD PTR SS:[EBP-124]
005791BE 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
005791C4 E8 1777F2FF CALL MYZC.004A08E0 ; SHA-1 hash function; the 160-bit digest is stored at [EBP-124]
005791C9 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
005791CF E8 7076F2FF CALL MYZC.004A0844
005791D4 33C9 XOR ECX,ECX
005791D6 8D85 DCFEFFFF LEA EAX,DWORD PTR SS:[EBP-124]
005791DC BA 64465800 MOV EDX,MYZC.00584664 ; points to the 160-bit digest embedded in the program
005791E1 8A18 MOV BL,BYTE PTR DS:[EAX]
005791E3 3A1A CMP BL,BYTE PTR DS:[EDX]
005791E5 75 08 JNZ SHORT MYZC.005791EF ; jump if not equal
005791E7 41 INC ECX
005791E8 42 INC EDX
005791E9 40 INC EAX
005791EA 83F9 14 CMP ECX,14
005791ED ^75 F2 JNZ SHORT MYZC.005791E1
005791EF 83F9 14 CMP ECX,14
005791F2 75 52 JNZ SHORT MYZC.00579246 ; if all 0x14 bytes are equal there is no jump: registration succeeds.
005791F4 BA F0865800 MOV EDX,MYZC.005886F0
005791F9 8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
005791FF B9 0C000000 MOV ECX,0C
00579204 E8 E397E8FF CALL MYZC.004029EC
00579209 E8 BEC8FFFF CALL MYZC.00575ACC
0057920E E8 A5F8FFFF CALL MYZC.00578AB8
00579213 E8 4CC6FFFF CALL MYZC.00575864
CALL 4A0DA0; part of its code:
004A0DE6 8BC>MOV ECX,ESI
004A0DE8 8BC>MOV EAX,EDX
004A0DEA 8D9>LEA EDX,DWORD PTR SS:[EBP-84]
004A0DF0 E8 >CALL MYZC.004029EC ; make a copy of the KEY
004A0DF5 8BD>MOV EDX,ESI
004A0DF7 83F>CMP EDX,7F
004A0DFA 7F >JG SHORT MYZC.004A0E3A
004A0DFC 8D8>LEA EAX,DWORD PTR SS:[EBP+EDX-85]
004A0E03 8BC>MOV ECX,EBX ; start of key initialization (EBX = key length in bits)
004A0E05 85C>TEST ECX,ECX
004A0E07 79 >JNS SHORT MYZC.004A0E0C
004A0E09 83C>ADD ECX,7
004A0E0C C1F>SAR ECX,3
004A0E0F 8BF>MOV ESI,EDX
004A0E11 2BF>SUB ESI,ECX
004A0E13 33C>XOR ECX,ECX
004A0E15 8A8>MOV CL,BYTE PTR SS:[EBP+ESI-84]
004A0E1C 0FB>MOVZX ESI,BYTE PTR DS:[EAX]
004A0E1F 03C>ADD ECX,ESI
004A0E21 81E>AND ECX,0FF
004A0E27 8A8>MOV CL,BYTE PTR DS:[ECX+5837C8]
004A0E2D 884>MOV BYTE PTR DS:[EAX+1],CL
004A0E30 42 INC EDX
004A0E31 40 INC EAX
004A0E32 81F>CMP EDX,80
004A0E38 ^75 >JNZ SHORT MYZC.004A0E03
004A0E3A 33C>XOR EAX,EAX
004A0E3C 8A8>MOV AL,BYTE PTR SS:[EBP-84]
004A0E42 8A8>MOV AL,BYTE PTR DS:[EAX+5837C8]
004A0E48 888>MOV BYTE PTR SS:[EBP-84],AL
004A0E4E 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A0E51 83C>ADD EDX,10
004A0E54 8D8>LEA EAX,DWORD PTR SS:[EBP-84]
004A0E5A B9 >MOV ECX,80
004A0E5F E8 >CALL MYZC.004029EC ; copy the initialized 0x80-byte table to [EBP-4+10]
004A0E64 837>CMP DWORD PTR SS:[EBP+8],0
004A0E68 75 >JNZ SHORT MYZC.004A0E9F
004A0E6A 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A0E6D B9 >MOV ECX,0FF
004A0E72 BA >MOV EDX,8
004A0E77 E8 >CALL MYZC.0040329C ; set the 8 bytes at [EBP-4] to 0xffffffffffffffff
004A0E7C 8B4>MOV ECX,DWORD PTR SS:[EBP-4]
004A0E7F 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A0E82 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A0E85 E8 >CALL MYZC.004A0AF8 ; RC2 encryption function; encrypts [ebp-4]
004A0E8A 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A0E8D 83C>ADD EDX,8
004A0E90 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A0E93 B9 >MOV ECX,8
004A0E98 E8 >CALL MYZC.004029EC
RC2 encryption CALL: a very typical RC2
004A0AF8 53 PUSH EBX
004A0AF9 56 PUSH ESI
004A0AFA 57 PUSH EDI
004A0AFB 55 PUSH EBP
004A0AFC 83C>ADD ESP,-0C
004A0AFF 890>MOV DWORD PTR SS:[ESP],ECX
004A0B02 8BF>MOV ESI,EAX
004A0B04 8D5>LEA EBX,DWORD PTR SS:[ESP+4]
004A0B08 8BC>MOV EAX,EDX
004A0B0A 8BD>MOV EDX,EBX
004A0B0C B9 >MOV ECX,8
004A0B11 E8 >CALL MYZC.004029EC
004A0B16 33F>XOR EDI,EDI
004A0B18 8BE>MOV EBP,EDI
004A0B1A C1E>SHL EBP,2
004A0B1D 66:>MOV AX,WORD PTR DS:[EBX+6]
004A0B21 66:>NOT AX
004A0B24 66:>AND AX,WORD PTR DS:[EBX+2]
004A0B28 66:>ADD AX,WORD PTR DS:[EBX]
004A0B2B 66:>MOV DX,WORD PTR DS:[EBX+4]
004A0B2F 66:>AND DX,WORD PTR DS:[EBX+6]
004A0B33 66:>ADD AX,DX
004A0B36 66:>ADD AX,WORD PTR DS:[ESI+EBP*2+10]
004A0B3B BA >MOV EDX,1
004A0B40 E8 >CALL MYZC.004A0490
004A0B45 66:>MOV WORD PTR DS:[EBX],AX
004A0B48 66:>MOV AX,WORD PTR DS:[EBX]
004A0B4B 66:>NOT AX
004A0B4E 66:>AND AX,WORD PTR DS:[EBX+4]
004A0B52 66:>ADD AX,WORD PTR DS:[EBX+2]
004A0B56 66:>MOV DX,WORD PTR DS:[EBX+6]
004A0B5A 66:>AND DX,WORD PTR DS:[EBX]
004A0B5D 66:>ADD AX,DX
004A0B60 66:>ADD AX,WORD PTR DS:[ESI+EBP*2+12]
004A0B65 BA >MOV EDX,2
004A0B6A E8 >CALL MYZC.004A0490
004A0B6F 66:>MOV WORD PTR DS:[EBX+2],AX
004A0B73 66:>MOV AX,WORD PTR DS:[EBX+2]
004A0B77 66:>NOT AX
004A0B7A 66:>AND AX,WORD PTR DS:[EBX+6]
004A0B7E 66:>ADD AX,WORD PTR DS:[EBX+4]
004A0B82 66:>MOV DX,WORD PTR DS:[EBX]
004A0B85 66:>AND DX,WORD PTR DS:[EBX+2]
004A0B89 66:>ADD AX,DX
004A0B8C 66:>ADD AX,WORD PTR DS:[ESI+EBP*2+14]
004A0B91 BA >MOV EDX,3
004A0B96 E8 >CALL MYZC.004A0490
004A0B9B 66:>MOV WORD PTR DS:[EBX+4],AX
004A0B9F 66:>MOV AX,WORD PTR DS:[EBX+4]
004A0BA3 66:>NOT AX
004A0BA6 66:>AND AX,WORD PTR DS:[EBX]
004A0BA9 66:>ADD AX,WORD PTR DS:[EBX+6]
004A0BAD 66:>MOV DX,WORD PTR DS:[EBX+2]
004A0BB1 66:>AND DX,WORD PTR DS:[EBX+4]
004A0BB5 66:>ADD AX,DX
004A0BB8 66:>ADD AX,WORD PTR DS:[ESI+EBP*2+16]
004A0BBD BA >MOV EDX,5
004A0BC2 E8 >CALL MYZC.004A0490
004A0BC7 66:>MOV WORD PTR DS:[EBX+6],AX
004A0BCB 83F>CMP EDI,4
004A0BCE 74 >JE SHORT MYZC.004A0BD5
004A0BD0 83F>CMP EDI,0A
004A0BD3 75 >JNZ SHORT MYZC.004A0C23
004A0BD5 66:>MOV AX,WORD PTR DS:[EBX+6]
004A0BD9 66:>AND AX,3F
004A0BDD 0FB>MOVZX EAX,AX
004A0BE0 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0BE5 66:>ADD WORD PTR DS:[EBX],AX
004A0BE8 66:>MOV AX,WORD PTR DS:[EBX]
004A0BEB 66:>AND AX,3F
004A0BEF 0FB>MOVZX EAX,AX
004A0BF2 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0BF7 66:>ADD WORD PTR DS:[EBX+2],AX
004A0BFB 66:>MOV AX,WORD PTR DS:[EBX+2]
004A0BFF 66:>AND AX,3F
004A0C03 0FB>MOVZX EAX,AX
004A0C06 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0C0B 66:>ADD WORD PTR DS:[EBX+4],AX
004A0C0F 66:>MOV AX,WORD PTR DS:[EBX+4]
004A0C13 66:>AND AX,3F
004A0C17 0FB>MOVZX EAX,AX
004A0C1A 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0C1F 66:>ADD WORD PTR DS:[EBX+6],AX
004A0C23 47 INC EDI
004A0C24 83F>CMP EDI,10
004A0C27 ^0F8>JNZ MYZC.004A0B18
004A0C2D 8B1>MOV EDX,DWORD PTR SS:[ESP]
004A0C30 8BC>MOV EAX,EBX
004A0C32 B9 >MOV ECX,8
004A0C37 E8 >CALL MYZC.004029EC
004A0C3C 83C>ADD ESP,0C
004A0C3F 5D POP EBP
004A0C40 5F POP EDI
004A0C41 5E POP ESI
004A0C42 5B POP EBX
004A0C43 C3 RETN
CALL 4A108C:
004A108C 55 PUSH EBP
004A108D 8BE>MOV EBP,ESP
004A108F 33C>XOR ECX,ECX
004A1091 51 PUSH ECX
004A1092 51 PUSH ECX
004A1093 51 PUSH ECX
004A1094 51 PUSH ECX
004A1095 51 PUSH ECX
004A1096 53 PUSH EBX
004A1097 56 PUSH ESI
004A1098 894>MOV DWORD PTR SS:[EBP-4],EAX
004A109B 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A109E E8 >CALL MYZC.00405140
004A10A3 33C>XOR EAX,EAX
004A10A5 55 PUSH EBP
004A10A6 68 >PUSH MYZC.004A1183
004A10AB 64:>PUSH DWORD PTR FS:[EAX]
004A10AE 64:>MOV DWORD PTR FS:[EAX],ESP
004A10B1 8D5>LEA EDX,DWORD PTR SS:[EBP-8]
004A10B4 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A10B7 E8 >CALL MYZC.0040964C
004A10BC 8B5>MOV EDX,DWORD PTR SS:[EBP-8]
004A10BF 8D4>LEA EAX,DWORD PTR SS:[EBP-4]
004A10C2 E8 >CALL MYZC.00404D38
004A10C7 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A10CA E8 >CALL MYZC.00404F58
004A10CF 83F>CMP EAX,0A
004A10D2 74 >JE SHORT MYZC.004A10DE
004A10D4 BE >MOV ESI,1
004A10D9 E9 >JMP MYZC.004A1168
004A10DE 8D4>LEA EAX,DWORD PTR SS:[EBP-C]
004A10E1 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A10E4 8A1>MOV DL,BYTE PTR DS:[EDX] ; first byte of the registration code into DL
004A10E6 E8 >CALL MYZC.00404E80
004A10EB 8B4>MOV EAX,DWORD PTR SS:[EBP-C]
004A10EE 8B1>MOV EDX,DWORD PTR DS:[5838D4] ; [5838D4] points to the table "ABCDEFPWXYZQSTKH"
004A10F4 E8 >CALL MYZC.00405294 ; look up the position of the first letter in the table; "K" returns 0x0f
004A10F9 8BD>MOV EBX,EAX ; 0x0f into EBX
004A10FB 8D4>LEA EAX,DWORD PTR SS:[EBP-10]
004A10FE 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A1101 8A5>MOV DL,BYTE PTR DS:[EDX+1] ; second byte of the registration code into DL
004A1104 E8 >CALL MYZC.00404E80
004A1109 8B4>MOV EAX,DWORD PTR SS:[EBP-10]
004A110C 8B1>MOV EDX,DWORD PTR DS:[5838D4] ; MYZC.004A1078
004A1112 E8 >CALL MYZC.00405294 ; look up the position of the second letter in the table; "A" returns 1
004A1117 8BD>MOV EDX,EBX
004A1119 0FA>IMUL EDX,EAX ; 0x0f*0x1 into EDX
004A111C 85D>TEST EDX,EDX
004A111E 75 >JNZ SHORT MYZC.004A1127
004A1120 BE >MOV ESI,1
004A1125 EB >JMP SHORT MYZC.004A1168 ; if EDX=0 then ESI=1 and return.
004A1127 8BF>MOV ESI,EBX
004A1129 4E DEC ESI ; first-letter position minus 1
004A112A C1E>SHL ESI,4 ; shift left 4 bits
004A112D 48 DEC EAX ; second-letter position minus 1
004A112E 0BF>OR ESI,EAX ; OR them together
004A1130 33D>XOR EBX,EBX
004A1132 8D4>LEA EAX,DWORD PTR SS:[EBP-14]
004A1135 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A1138 8A5>MOV DL,BYTE PTR DS:[EDX+EBX+2] ; byte (3+EBX) of the registration code into DL
004A113C E8 >CALL MYZC.00404E80
004A1141 8B4>MOV EAX,DWORD PTR SS:[EBP-14]
004A1144 8B1>MOV EDX,DWORD PTR DS:[5838D0] ; [5838D0] points to the table "23456789"
004A114A E8 >CALL MYZC.00405294 ; look up the position of byte (3+EBX) in the table.
004A114F 85C>TEST EAX,EAX
004A1151 75 >JNZ SHORT MYZC.004A115A
004A1153 BE >MOV ESI,1
004A1158 EB >JMP SHORT MYZC.004A1168 ; if not in the table, set ESI=1 and return
004A115A 48 DEC EAX ; minus 1
004A115B C1E>SHL ESI,3 ; shift ESI left 3 bits
004A115E 0BC>OR EAX,ESI ; OR the two
004A1160 8BF>MOV ESI,EAX ; into ESI
004A1162 43 INC EBX
004A1163 83F>CMP EBX,8
004A1166 ^75 >JNZ SHORT MYZC.004A1132
004A1168 33C>XOR EAX,EAX
004A116A 5A POP EDX
004A116B 59 POP ECX
004A116C 59 POP ECX
004A116D 64:>MOV DWORD PTR FS:[EAX],EDX
004A1170 68 >PUSH MYZC.004A118A
004A1175 8D4>LEA EAX,DWORD PTR SS:[EBP-14]
004A1178 BA >MOV EDX,5
004A117D E8 >CALL MYZC.00404CC4
004A1182 C3 RETN
004A1183 ^E9 >JMP MYZC.00404628
004A1188 ^EB >JMP SHORT MYZC.004A1175
004A118A 8BC>MOV EAX,ESI ; the 32-bit value derived from the registration code into EAX
004A118C 5E POP ESI
004A118D 5B POP EBX
004A118E 8BE>MOV ESP,EBP
004A1190 5D POP EBP
004A1191 C3 RETN
Key CALL: computes the 12-byte SHA-1 input
004A0F18 55 PUSH EBP
004A0F19 8BE>MOV EBP,ESP
004A0F1B 83C>ADD ESP,-14
004A0F1E 53 PUSH EBX
004A0F1F 56 PUSH ESI
004A0F20 57 PUSH EDI
004A0F21 894>MOV DWORD PTR SS:[EBP-8],ECX
004A0F24 895>MOV DWORD PTR SS:[EBP-4],EDX
004A0F27 8BF>MOV EDI,EAX
004A0F29 8B4>MOV EAX,DWORD PTR SS:[EBP+8]
004A0F2C 85C>TEST EAX,EAX
004A0F2E 79 >JNS SHORT MYZC.004A0F33
004A0F30 83C>ADD EAX,7
004A0F33 C1F>SAR EAX,3
004A0F36 85C>TEST EAX,EAX
004A0F38 7E >JLE SHORT MYZC.004A0F9D
004A0F3A 894>MOV DWORD PTR SS:[EBP-14],EAX
004A0F3D BB >MOV EBX,1
004A0F42 8B4>MOV EAX,DWORD PTR SS:[EBP-4]
004A0F45 8BD>MOV EDX,EBX
004A0F47 4A DEC EDX
004A0F48 8BF>MOV ESI,EDX
004A0F4A C1E>SHL ESI,3
004A0F4D 03C>ADD EAX,ESI
004A0F4F 8D5>LEA EDX,DWORD PTR SS:[EBP-10]
004A0F52 B9 >MOV ECX,8
004A0F57 E8 >CALL MYZC.004029EC ; copy 8 bytes from [584658] to [EBP-10]
004A0F5C 8B4>MOV ECX,DWORD PTR SS:[EBP-8]
004A0F5F 03C>ADD ECX,ESI ; ECX points to the decrypted plaintext output
004A0F61 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A0F64 03D>ADD EDX,ESI ; EDX points to the ciphertext to be decrypted
004A0F66 8BC>MOV EAX,EDI ; EAX+10 points to the key-initialized table (the one from the third RC2 key initialization)
004A0F68 E8 >CALL MYZC.004A0C44 ; key CALL: RC2 decryption function
004A0F6D 6A >PUSH 8
004A0F6F 8B4>MOV ECX,DWORD PTR SS:[EBP-8]
004A0F72 8BC>MOV EAX,EBX
004A0F74 48 DEC EAX
004A0F75 C1E>SHL EAX,3
004A0F78 03C>ADD ECX,EAX
004A0F7A 8B5>MOV EDX,DWORD PTR SS:[EBP-8]
004A0F7D 03D>ADD EDX,ESI ; EDX points to the RC2-decrypted plaintext
004A0F7F 8D4>LEA EAX,DWORD PTR DS:[EDI+8] ; EAX points to the ciphertext from the third RC2 encryption
004A0F82 E8 >CALL MYZC.004A04C8 ; XOR [EDX] with [EAX] bytewise; the result is stored at [ECX]. Eight bytes.
004A0F87 8D5>LEA EDX,DWORD PTR DS:[EDI+8]
004A0F8A 8D4>LEA EAX,DWORD PTR SS:[EBP-10]
004A0F8D B9 >MOV ECX,8
004A0F92 E8 >CALL MYZC.004029EC ; copy the ciphertext block saved at [EBP-10] to [EDI+8]
004A0F97 43 INC EBX
004A0F98 FF4>DEC DWORD PTR SS:[EBP-14]
004A0F9B ^75 >JNZ SHORT MYZC.004A0F42
004A0F9D 8B5>MOV EBX,DWORD PTR SS:[EBP+8]
004A0FA0 81E>AND EBX,80000007
004A0FA6 79 >JNS SHORT MYZC.004A0FAD
004A0FA8 4B DEC EBX
004A0FA9 83C>OR EBX,FFFFFFF8
004A0FAC 43 INC EBX
004A0FAD 85D>TEST EBX,EBX
004A0FAF 74 >JE SHORT MYZC.004A0FD7
004A0FB1 8D4>LEA ECX,DWORD PTR SS:[EBP-10] ; ECX points to the RC2 encryption output buffer
004A0FB4 8D5>LEA EDX,DWORD PTR DS:[EDI+8] ; EDX points to the 8 bytes copied from [584658]: 404f500ad7a167b6
004A0FB7 8BC>MOV EAX,EDI ; EAX+10 points to the table from the third RC2 key initialization.
004A0FB9 E8 >CALL MYZC.004A0AF8 ; fourth RC2 encryption
004A0FBE 53 PUSH EBX
004A0FBF 8B4>MOV ECX,DWORD PTR SS:[EBP-8]
004A0FC2 034>ADD ECX,DWORD PTR SS:[EBP+8]
004A0FC5 2BC>SUB ECX,EBX
004A0FC7 8B5>MOV EDX,DWORD PTR SS:[EBP-4]
004A0FCA 035>ADD EDX,DWORD PTR SS:[EBP+8] ; EDX = 584660, pointing to the four bytes that follow the first eight at [584658]
004A0FCD 2BD>SUB EDX,EBX
004A0FCF 8D4>LEA EAX,DWORD PTR SS:[EBP-10] ; EAX points to the ciphertext of the fourth RC2 encryption (8 bytes)
004A0FD2 E8 >CALL MYZC.004A04C8 ; XOR the first four bytes at [EAX] with the four bytes at [EDX]; the result is placed at [ECX]. Four bytes.
004A0FD7 8D4>LEA EAX,DWORD PTR SS:[EBP-10]
004A0FDA B9 >MOV ECX,0FF
004A0FDF BA >MOV EDX,8
004A0FE4 E8 >CALL MYZC.0040329C
004A0FE9 5F POP EDI
004A0FEA 5E POP ESI
004A0FEB 5B POP EBX
004A0FEC 8BE>MOV ESP,EBP
004A0FEE 5D POP EBP
004A0FEF C2 >RETN 4
The two bytewise XORs yield twelve bytes, which are fed to SHA-1.
RC2 decryption function:
004A0C44 53 PUSH EBX
004A0C45 56 PUSH ESI
004A0C46 57 PUSH EDI
004A0C47 55 PUSH EBP
004A0C48 83C>ADD ESP,-0C
004A0C4B 890>MOV DWORD PTR SS:[ESP],ECX
004A0C4E 8BF>MOV ESI,EAX
004A0C50 8D5>LEA EBX,DWORD PTR SS:[ESP+4]
004A0C54 8BC>MOV EAX,EDX
004A0C56 8BD>MOV EDX,EBX
004A0C58 B9 >MOV ECX,8
004A0C5D E8 >CALL MYZC.004029EC
004A0C62 BF >MOV EDI,0F
004A0C67 8BE>MOV EBP,EDI
004A0C69 C1E>SHL EBP,2
004A0C6C BA >MOV EDX,5
004A0C71 66:>MOV AX,WORD PTR DS:[EBX+6]
004A0C75 E8 >CALL MYZC.004A04A8
004A0C7A 66:>MOV DX,WORD PTR DS:[EBX+4]
004A0C7E 66:>NOT DX
004A0C81 66:>AND DX,WORD PTR DS:[EBX]
004A0C84 66:>SUB AX,DX
004A0C87 66:>MOV DX,WORD PTR DS:[EBX+2]
004A0C8B 66:>AND DX,WORD PTR DS:[EBX+4]
004A0C8F 66:>SUB AX,DX
004A0C92 66:>SUB AX,WORD PTR DS:[ESI+EBP*2+16]
004A0C97 66:>MOV WORD PTR DS:[EBX+6],AX
004A0C9B BA >MOV EDX,3
004A0CA0 66:>MOV AX,WORD PTR DS:[EBX+4]
004A0CA4 E8 >CALL MYZC.004A04A8
004A0CA9 66:>MOV DX,WORD PTR DS:[EBX+2]
004A0CAD 66:>NOT DX
004A0CB0 66:>AND DX,WORD PTR DS:[EBX+6]
004A0CB4 66:>SUB AX,DX
004A0CB7 66:>MOV DX,WORD PTR DS:[EBX]
004A0CBA 66:>AND DX,WORD PTR DS:[EBX+2]
004A0CBE 66:>SUB AX,DX
004A0CC1 66:>SUB AX,WORD PTR DS:[ESI+EBP*2+14]
004A0CC6 66:>MOV WORD PTR DS:[EBX+4],AX
004A0CCA BA >MOV EDX,2
004A0CCF 66:>MOV AX,WORD PTR DS:[EBX+2]
004A0CD3 E8 >CALL MYZC.004A04A8
004A0CD8 66:>MOV DX,WORD PTR DS:[EBX]
004A0CDB 66:>NOT DX
004A0CDE 66:>AND DX,WORD PTR DS:[EBX+4]
004A0CE2 66:>SUB AX,DX
004A0CE5 66:>MOV DX,WORD PTR DS:[EBX+6]
004A0CE9 66:>AND DX,WORD PTR DS:[EBX]
004A0CEC 66:>SUB AX,DX
004A0CEF 66:>SUB AX,WORD PTR DS:[ESI+EBP*2+12]
004A0CF4 66:>MOV WORD PTR DS:[EBX+2],AX
004A0CF8 BA >MOV EDX,1
004A0CFD 66:>MOV AX,WORD PTR DS:[EBX]
004A0D00 E8 >CALL MYZC.004A04A8
004A0D05 66:>MOV DX,WORD PTR DS:[EBX+6]
004A0D09 66:>NOT DX
004A0D0C 66:>AND DX,WORD PTR DS:[EBX+2]
004A0D10 66:>SUB AX,DX
004A0D13 66:>MOV DX,WORD PTR DS:[EBX+4]
004A0D17 66:>AND DX,WORD PTR DS:[EBX+6]
004A0D1B 66:>SUB AX,DX
004A0D1E 66:>SUB AX,WORD PTR DS:[ESI+EBP*2+10]
004A0D23 66:>MOV WORD PTR DS:[EBX],AX
004A0D26 83F>CMP EDI,5
004A0D29 74 >JE SHORT MYZC.004A0D30
004A0D2B 83F>CMP EDI,0B
004A0D2E 75 >JNZ SHORT MYZC.004A0D7E
004A0D30 66:>MOV AX,WORD PTR DS:[EBX+4]
004A0D34 66:>AND AX,3F
004A0D38 0FB>MOVZX EAX,AX
004A0D3B 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0D40 66:>SUB WORD PTR DS:[EBX+6],AX
004A0D44 66:>MOV AX,WORD PTR DS:[EBX+2]
004A0D48 66:>AND AX,3F
004A0D4C 0FB>MOVZX EAX,AX
004A0D4F 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0D54 66:>SUB WORD PTR DS:[EBX+4],AX
004A0D58 66:>MOV AX,WORD PTR DS:[EBX]
004A0D5B 66:>AND AX,3F
004A0D5F 0FB>MOVZX EAX,AX
004A0D62 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0D67 66:>SUB WORD PTR DS:[EBX+2],AX
004A0D6B 66:>MOV AX,WORD PTR DS:[EBX+6]
004A0D6F 66:>AND AX,3F
004A0D73 0FB>MOVZX EAX,AX
004A0D76 66:>MOV AX,WORD PTR DS:[ESI+EAX*2+10]
004A0D7B 66:>SUB WORD PTR DS:[EBX],AX
004A0D7E 4F DEC EDI
004A0D7F 83F>CMP EDI,-1
004A0D82 ^0F8>JNZ MYZC.004A0C67
004A0D88 8B1>MOV EDX,DWORD PTR SS:[ESP]
004A0D8B 8BC>MOV EAX,EBX
004A0D8D B9 >MOV ECX,8
004A0D92 E8 >CALL MYZC.004029EC
004A0D97 83C>ADD ESP,0C
004A0D9A 5D POP EBP
004A0D9B 5F POP EDI
004A0D9C 5E POP ESI
004A0D9D 5B POP EBX
004A0D9E C3 RETN
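The three RC2 routines identified in the listings above (key schedule at 004A0DE6, block encryption at 004A0AF8, block decryption at 004A0C44) and the chained decryption loop at 004A0F18, written out in Python as an added example; this is not code from the original post or from the analysed program. The PITABLE and the mixing/mashing structure are those of RFC 2268, and with the full RFC schedule the code reproduces the first RFC 2268 test vector (eight zero key bytes, 63 effective bits, zero plaintext gives ebb773f993278eff). The key schedule in the listing only performs the RFC's first expansion phase and then substitutes L[0] through PITABLE, omitting the effective-key-bits phase, so expand_key() offers both variants; RC2 output from the program will therefore not match a standard RC2 implementation for the same key. The keys and blocks used in the module's tests are constructed; no program data is reproduced.

```python
"""RC2 as it appears in the listing: key schedule (004A0DE6), block
encryption (004A0AF8), block decryption (004A0C44) and the chained
decryption loop (004A0F18). Added example; not the article's or the
analysed program's code."""
import struct

# PITABLE from RFC 2268 section 2 (the table the listing indexes at 005837C8).
PITABLE = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89d c67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32 bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc 1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303 f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a 961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039 997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9 d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2e c5f3db47e5a59c770aa62068fe7fc1ad"
)
ROTATE = (1, 2, 3, 5)  # rotation applied to R[0..3] in each mixing round


def _rol16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def _ror16(x, n):
    return ((x >> n) | (x << (16 - n))) & 0xFFFF


def expand_key(key, effective_bits=None, rfc_phase2=True):
    """Expand a 1..128-byte key into the 64 16-bit subkeys K[0..63].
    rfc_phase2=True : the full RFC 2268 schedule.
    rfc_phase2=False: the schedule in the listing (004A0E03-004A0E48), which
    skips the effective-key-bits phase and only does L[0] = PITABLE[L[0]]."""
    t = len(key)
    if not 1 <= t <= 128:
        raise ValueError("RC2 key must be 1..128 bytes")
    L = bytearray(128)
    L[:t] = key
    for i in range(t, 128):          # loop at 004A0E03: L[i] = PI[L[i-1] + L[i-t]]
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xFF]
    if rfc_phase2:
        if effective_bits is None:
            effective_bits = 8 * t
        t8 = (effective_bits + 7) // 8
        tm = 255 % (1 << (8 + effective_bits - 8 * t8))
        L[128 - t8] = PITABLE[L[128 - t8] & tm]
        for i in range(127 - t8, -1, -1):
            L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    else:
        L[0] = PITABLE[L[0]]         # 004A0E3C-004A0E48
    return list(struct.unpack("<64H", bytes(L)))  # the listing reads words at +0x10


def encrypt_block(K, block):
    """Encrypt one 8-byte block (the loop at 004A0B18-004A0C27)."""
    R = list(struct.unpack("<4H", block))
    for rnd in range(16):
        for i in range(4):   # mixing round; negative indices wrap like R[i-1]
            R[i] = _rol16((R[i] + K[4 * rnd + i] + (R[i - 1] & R[i - 2])
                           + (~R[i - 1] & R[i - 3])) & 0xFFFF, ROTATE[i])
        if rnd in (4, 10):   # mashing round (CMP EDI,4 / CMP EDI,0A)
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 63]) & 0xFFFF
    return struct.pack("<4H", *R)


def decrypt_block(K, block):
    """Invert encrypt_block (the loop at 004A0C67-004A0D82)."""
    R = list(struct.unpack("<4H", block))
    for rnd in range(15, -1, -1):
        for i in range(3, -1, -1):   # r-mixing round, words in reverse order
            R[i] = (_ror16(R[i], ROTATE[i]) - K[4 * rnd + i]
                    - (R[i - 1] & R[i - 2]) - (~R[i - 1] & R[i - 3])) & 0xFFFF
        if rnd in (5, 11):   # r-mashing round (CMP EDI,5 / CMP EDI,0B)
            for i in range(3, -1, -1):
                R[i] = (R[i] - K[R[i - 1] & 63]) & 0xFFFF
    return struct.pack("<4H", *R)


def decrypt_cbc_with_tail(K, iv, data):
    """The mode at 004A0F18: CBC decryption of the whole blocks, then the
    chaining value is encrypted and XORed over a trailing partial block."""
    cv, out = bytes(iv), bytearray()
    full = len(data) - len(data) % 8
    for off in range(0, full, 8):
        ct = bytes(data[off:off + 8])
        out += bytes(p ^ c for p, c in zip(decrypt_block(K, ct), cv))
        cv = ct                      # the copy from [EBP-10] to [EDI+8]
    tail = data[full:]
    if tail:                         # 004A0FB1-004A0FD2
        out += bytes(a ^ b for a, b in zip(tail, encrypt_block(K, cv)))
    return bytes(out)
```

decrypt_cbc_with_tail() is what the routine at 004A0F18 does with the 12-byte table: the first eight bytes are CBC-decrypted against the chaining value left by the third RC2 initialization (the 64-bit value E in the summary), and for the remaining four bytes the chaining value is encrypted (the "fourth RC2 encryption") and XORed over them. Key lengths are passed to expand_key() as a byte string; the listing passes them in bits (0xA0 and 0x20) and shifts right by 3.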
Summary of the registration algorithm:
1. The machine code is transformed into the form XXXX-XXXXXX and hashed with SHA-1; the 160-bit digest is used as the KEY for RC2 key initialization, and 0xffffffffffffffff is RC2-encrypted (first encryption) to give a 64-bit value, call it A.
2. The entered registration code is retrieved and checked: it must be exactly 10 characters, the 1st and 2nd characters are letters from (ABCDEFPWXYZQSTKH), and the remaining eight are digits from 23456789.
It is then transformed as (((first-letter position-1)<<4 + second-letter position-1)<<3 + first-digit position-1)............ into a 32-bit value, call it B.
3. A is RC2-encrypted a second time, giving a 64-bit value, call it C.
4. B is XORed bytewise with C (its low 32 bits), giving a 32-bit value, call it D.
5. With D as the KEY, 0xffffffffffffffff is RC2-encrypted (third encryption), giving a 64-bit value, call it E.
6. With the key table from the third RC2 initialization, the first eight bytes at [584658] are RC2-decrypted, giving a 64-bit value, call it F.
7. F is XORed bytewise with E, giving eight bytes N1, N2, ..., N8.
8. With the key table from the third RC2 initialization, the first eight bytes at [584658] are RC2-encrypted, giving a 64-bit value, call it G.
9. The four bytes at [584660] are XORed bytewise with the low four bytes of G, giving four bytes N9, N10, N11, N12.
10. The 12 bytes N1, N2, ..., N12 are hashed with SHA-1, giving a 160-bit digest, call it M.
11. M is compared bytewise with the 160-bit value at [584664]; if they are identical, registration succeeds and the corresponding success actions are carried out.
On a keygen:
SHA-1 is not reversible, but since the registration code is fixed at 10 characters, with the first two letters from (ABCDEFPWXYZQSTKH) and the remaining eight digits from 23456789, the code could be found by exhaustive search; the amount of computation should not be very large.
I haven't programmed in many years and work keeps me busy, so a keygen may take some time; I'll try to write one later.
Once again:
1. This is my first CRACK, so please be supportive. My understanding of the algorithms comes only from comparing the code against some material found online. If the analysis is wrong or anything was done improperly, I would be grateful for corrections.
The write-up is a bit messy; please bear with it.
2. I am not sure whether this is acceptable for shareware; if not, moderators please delete the post.
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 (Pediy) forum. When reposting, please credit the author and keep the article intact. Thank you!
2006-05-12 1:42:50