【破文标题】 KeyGenMe 1 by Taliesin反调试及算法分析
【破文作者】 koala
【调试工具】 Ollydbg
【破解过程】
一、反调试分析
程序带有反调试代码：它用 repne scasb 在自身代码（从 00401296 起的 0x100 字节、从 00401420 起的 0x59 字节）以及 user32.GetDlgItemTextA 入口的前 6 字节中查找 0xCC（int3）。在这些区域或该 API 上下的软件断点都会被检测到并跳到失败出口 004014F5；因此改在对话框过程中下消息断点（WM_COMMAND），或使用不修改代码字节的硬件断点。分析如下
; Dialog procedure at 00401230: DlgProc(hWnd=[ebp+8], msg=[ebp+C], wParam=[ebp+10], lParam).
; WM_INITDIALOG -> set the window icon; WM_COMMAND with wParam 3E9 -> run the two
; int3 scans, then the serial check at 00401296; msg 0x10 (WM_CLOSE) -> EndDialog.
; This routine lies outside every scanned region, so a breakpoint here is safe.
00401230 /. 55
push ebp
00401231 |. 8BEC
mov ebp,
esp
00401233 |. 817D 0C 10010>
cmp dword ptr [
ebp+C], 110
; msg == WM_INITDIALOG (0x110)?
0040123A |. 75 1E
jnz short 0040125A
0040123C |. 68 057F0000
push 7F05
; /RsrcName = IDI_WINLOGO
00401241 |. 6A 00
push 0
; |hInst = NULL
00401243 |. E8 5A030000
call <jmp.&user32.LoadIconA>
; \LoadIconA
00401248 |. 50
push eax ; /lParam = icon handle
00401249 |. 6A 01
push 1
; |wParam = 1 (ICON_BIG)
0040124B |. 68 80000000
push 80
; |Message = WM_SETICON
00401250 |. FF75 08
push dword ptr [
ebp+8]
; |hWnd
00401253 |. E8 56030000
call <jmp.&user32.SendMessageA>
; \SendMessageA
00401258 |. EB 36
jmp short 00401290
0040125A |> 817D 0C 11010>
cmp dword ptr [
ebp+C], 111
; msg == WM_COMMAND (0x111)?
00401261 |. 75 1D
jnz short 00401280
00401263 |. 817D 10 E9030>
cmp dword ptr [
ebp+10], 3E9
; wParam == 3E9: the check button's control ID
0040126A |. 75 24
jnz short 00401290
0040126C |. E8 A8020000
call 00401519
; int3 scan #1 (listed inline below): 0x100 bytes from 00401296 are searched for 0xCC.
; Break on this call rather than inside the scanned region.
{
00401519 $ BF 96124000
mov edi, 00401296
; start of the scanned region: the serial-check routine (00401296..00401395)
0040151E . B9 00010000
mov ecx, 100
00401523 . B0 99
mov al, 99
00401525 . 34 55
xor al, 55
; al = 0x99 ^ 0x55 = 0xCC (int3); built with xor so the literal CC is not in the image
00401527 . F2:AE
repne scas byte ptr es:[
edi]
; scan ecx bytes for al, stopping early on the first match
00401529 . 85C9
test ecx,
ecx
0040152B . 74 06
je short 00401533
; ecx != 0 -> a 0xCC was found before the end of the region.
; (a match on the very last byte also leaves ecx == 0 and is not noticed)
0040152D . 5E
pop esi
0040152E . 33F6
xor esi,
esi
00401530 . 57
push edi
00401531 .^ EB C2
jmp short 004014F5
; breakpoint found: discard the return address and jump to the common failure exit 004014F5 (not shown)
00401533 > C3
retn
}
00401271 |. E8 33020000
call 004014A9
; int3 scan #2 (inline below): the first 6 bytes of user32.GetDlgItemTextA, catches an API breakpoint
{
004014A9 $ BE 9C154000
mov esi, <jmp.&user32.GetDlgItemText>
; esi -> the FF25 jmp thunk; [esi+2] is the IAT slot it jumps through
004014AE . 8B7E 02
mov edi, [
esi+2]
004014B1 . 8B3F
mov edi, [
edi]
; edi = resolved entry point of user32.GetDlgItemTextA
004014B3 . B9 06000000
mov ecx, 6
004014B8 . B0 CC
mov al, 0CC
; al = 0xCC (int3), here as a plain constant
004014BA . F2:AE
repne scas byte ptr es:[
edi]
; scan the first 6 bytes of the API for an int3
004014BC . 85C9
test ecx,
ecx
004014BE . 74 06
je short 004014C6
; ecx != 0 -> breakpoint found on the API (same last-byte blind spot as scan #1)
004014C0 . 5E
pop esi
004014C1 . 33F6
xor esi,
esi
004014C3 . 57
push edi
004014C4 . EB 2F
jmp short 004014F5
; discard the return address and jump to the failure exit 004014F5 (not shown)
004014C6 > C3
retn
}
00401276 |. FF75 08
push dword ptr [
ebp+8]
00401279 |. E8 18000000
call 00401296
; serial check proper (00401296), hWnd as its only argument
0040127E |. EB 10
jmp short 00401290
00401280 |> 837D 0C 10
cmp dword ptr [
ebp+C], 10
; msg == WM_CLOSE (0x10)?
00401284 |. 75 0A
jnz short 00401290
00401286 |. 6A 00
push 0
; /Result = 0
00401288 |. FF75 08
push dword ptr [
ebp+8]
; |hWnd
0040128B |. E8 06030000
call <jmp.&user32.EndDialog>
; \EndDialog
00401290 |> 33C0
xor eax,
eax
; return FALSE for every message (DefDlgProc handles the rest)
00401292 |. C9
leave
00401293 \. C2 1000
retn 10
二、算法分析
==================== 跟进 00401279
call 00401296 ====================
; Serial check entry at 00401296, hWnd at [ebp+8]. This is the region int3 scan #1
; covers (00401296..00401395). The listing stops at the EndDialog call; the
; epilogue, the SEH handler at 004012FE and the failure exit 004014F5 are not shown.
00401296 $ 55
push ebp
00401297 . 8BEC
mov ebp,
esp
00401299 . 60
pushad
0040129A . BE FE124000
mov esi, 004012FE
; handler for the SEH frame installed next (body not shown)
0040129F . 56
push esi
004012A0 . 64:FF35 00000>
push dword ptr fs:[0]
004012A7 . 64:8925 00000>
mov fs:[0],
esp
; fs:[0] -> new frame: a fault anywhere in the check below lands in 004012FE
004012AE . FF35 3C304000
push dword ptr [40303C]
; /Count = 1E (30.)  (max chars for the name, read from [40303C])
004012B4 . 68 00304000
push 00403000
; | name buffer at 00403000
004012B9 . 68 EC030000
push 3EC
; |ControlID = 3EC (1004.)  name edit box
004012BE . FF75 08
push dword ptr [
ebp+8]
; |hWnd
004012C1 . E8 D6020000
call <jmp.&user32.GetDlgItemTextA>
; \GetDlgItemTextA
004012C6 . FF35 40304000
push dword ptr [403040]
; /Count = 14 (20.)  (max chars for the serial, read from [403040])
004012CC . 68 23304000
push 00403023
; | serial buffer at 00403023
004012D1 . 68 ED030000
push 3ED
; |ControlID = 3ED (1005.)  serial edit box
004012D6 . FF75 08
push dword ptr [
ebp+8]
; |hWnd
004012D9 . E8 BE020000
call <jmp.&user32.GetDlgItemTextA>
; \GetDlgItemTextA
004012DE . E8 4F000000
call 00401332
; pre-checks: serial all uppercase, name byte-sum -> [40304F], serial[1] == 'E',
; both int3 scans again (00401332 jumps on to 00401480, whose retn comes back here)
004012E3 . 68 53304000
push 00403053
; 24-char alphabet at 00403053, passed as the argument to 004013B6. The debugger
; comment shows it in lowercase ("zwatrqlcghpsxyenvbjdfkmu"); the uppercase-only
; check in 00401332 and the 'A'-relative arithmetic below imply the bytes are
; uppercase, as in the keygen's szTable.
004012E8 . E8 C9000000
call 004013B6
; serial derivation / compare for characters 0 and 2..8 (004013B6)
004012ED . E8 DC010000
call 004014CE
; check of the last serial character (004014CE, not shown in this write-up)
004012F2 . 6A 00
push 0
; /Result = 0
004012F4 . FF75 08
push dword ptr [
ebp+8]
; |hWnd
004012F7 . E8 9A020000
call <jmp.&user32.EndDialog>
; \EndDialog
==================== 跟进 004012DE
call 00401332 ====================
; 00401332: pre-checks. (1) every serial byte must be class 2 in the table at
; 00403150, else flag [403044] = 0x40; (2) [40304F] = (byte-sum of the name) mod 24;
; (3) if the flag is set, fail; else continue at 00401480 (jmp, not call).
00401332 $ 33C0
xor eax,
eax
00401334 . B9 00000000
mov ecx, 0
00401339 . BE 23304000
mov esi, 00403023
; esi = serial buffer
0040133E . 8A06
mov al, [
esi]
; al = serial[0]; the loop below classifies each byte until the NUL
00401340 . EB 10
jmp short 00401352
00401342 > 0FB6C0
movzx eax,
al
00401345 . 80B8 50314000>
cmp byte ptr [
eax+403150], 2
; class table at 00403150 (not shown); value 2 is taken as "uppercase letter"
; per the write-up. (OllyDbg's "(initial cpu selection)" auto-comment is noise.)
0040134C . 75 0A
jnz short 00401358
0040134E . 41
inc ecx
0040134F . 8A0431
mov al, [
ecx+
esi]
00401352 > 3C 00
cmp al, 0
00401354 .^ 77 EC
ja short 00401342
00401356 . EB 07
jmp short 0040135F
00401358 > C605 44304000>
mov byte ptr [403044], 40
; first non-class-2 byte: set flag 0x40 and stop scanning the serial.
; Nothing visible clears this flag again.
0040135F > BE 00304000
mov esi, 00403000
; esi = name buffer
00401364 . 33C9
xor ecx,
ecx
00401366 . B8 01000000
mov eax, 1
0040136B . 33D2
xor edx,
edx
0040136D . C705 45304000>
mov dword ptr [403045], 0
; [403045] = 0 (dword); only its low byte is written by the loop below
00401377 > B9 00000000
mov ecx, 0
0040137C . 8A0C32
mov cl, [
edx+
esi]
; cl = name[edx]
0040137F . 80F9 00
cmp cl, 0
00401382 . 74 09
je short 0040138D
00401384 . 42
inc edx
00401385 . 000D 45304000
add [403045],
cl
; 8-bit add: the name sum wraps modulo 256 (the keygen mirrors this with add al,cl)
0040138B .^ EB EA
jmp short 00401377
0040138D > A1 45304000
mov eax, [403045]
; eax = (byte sum of the name) & 0xFF
00401392 . B9 18000000
mov ecx, 18
00401397 . 99
cdq
00401398 . F7F9
idiv ecx
0040139A . 8815 4F304000
mov [40304F],
dl ; [40304F] = sum mod 24: the starting index into the 24-char table
004013A0 . 8A0D 44304000
mov cl, [403044]
; flag from the uppercase check
004013A6 . 80F9 40
cmp cl, 40
004013A9 . 75 05
jnz short 004013B0
004013AB . E9 45010000
jmp 004014F5
; flag set -> failure exit 004014F5
004013B0 > E9 CB000000
jmp 00401480
; tail-jump: the retn at 004014A8 returns to 004012E3
004013B5 . C3
retn
; unreachable
; 00401480, reached by jmp from 004013B0. Calls 00401510 (serial[1] == 'E', which
; falls straight into int3 scan #1), then runs a third scan over the compare loop
; of 004013B6 (00401420..00401478), then returns to 004012E3.
00401480 > \E8 8B000000
call 00401510
{
00401510 $ A0 24304000
mov al, [403024]
; al = serial[1]
00401515 . 3C 45
cmp al, 45
; must be 'E'
00401517 .^ 75 DC
jnz short 004014F5
; otherwise failure exit 004014F5
; no retn here: execution falls through into the scan at 00401519
00401519 $ BF 96124000
mov edi, 00401296
; region start: 0x100 bytes from 00401296 (the serial-check routine)
0040151E . B9 00010000
mov ecx, 100
00401523 . B0 99
mov al, 99
00401525 . 34 55
xor al, 55
; al = 0x99 ^ 0x55 = 0xCC (int3)
00401527 . F2:AE
repne scas byte ptr es:[
edi]
; scan for int3
00401529 . 85C9
test ecx,
ecx
0040152B EB 06
jmp short 00401533
; NOTE: this address reads "74 06 je" in the first listing above and "EB 06 jmp"
; here - the unconditional jump is the write-up's patch that always takes the
; "no breakpoint" path. 0040152B is outside every scanned region, so the patch
; itself is not detected.
0040152D . 5E
pop esi
0040152E . 33F6
xor esi,
esi
00401530 . 57
push edi
00401531 .^ EB C2
jmp short 004014F5
; breakpoint found: discard the return address, failure exit
00401533 > C3
retn
}
00401485 . 33DB
xor ebx,
ebx
00401487 . BF 80144000
mov edi, 00401480
0040148C . 83EF 60
sub edi, 60
; edi = 00401480 - 0x60 = 00401420: the compare loop of 004013B6
0040148F . B8 DE000000
mov eax, 0DE
00401494 . 83F0 12
xor eax, 12
; eax = 0xDE ^ 0x12 = 0xCC (int3)
00401497 . B9 59000000
mov ecx, 59
; 0x59 bytes: 00401420..00401478 (covers the two nop bytes at 00401475 - 0x90 is not 0xCC)
0040149C . F2:AE
repne scas byte ptr es:[
edi]
; scan for int3
0040149E . 85C9
test ecx,
ecx
004014A0 . 74 06
je short 004014A8
; ecx != 0 -> breakpoint found in the compare loop
004014A2 . 5E
pop esi
004014A3 . 33F6
xor esi,
esi
004014A5 . 57
push edi
004014A6 . EB 4D
jmp short 004014F5
; discard the return address, failure exit
004014A8 > C3
retn
; returns to 004012E3 (the caller of 00401332)
==================== 跟进 004012E8
call 004013B6 ====================
; 004013B6(table): serial derivation and compare. With T = the 24-char table,
; idx = [40304F] (name sum mod 24):
;   serial[0] == T[idx]; idx += [40304F]; serial[2] == T[idx];
;   for i = 3..8: idx += serial[i-1] - 'A'; serial[i] == T[idx]
; "idx" is reduced with cmp al,18h / jbe / sub al,18h, which leaves al == 0x18
; untouched: T[24] is the string's NUL, an off-by-one that no typed serial can match.
; Also stores sum(serial[0..8]) / 9 in [40304A] for the last-char check (004014CE).
004013B6 $ 55
push ebp
004013B7 . 8BEC
mov ebp,
esp
004013B9 . 68 23304000
push 00403023
; argument: serial buffer
004013BE . E8 7D010000
call 00401540
; 00401540 is not shown; presumably strlen-like, returning the serial length in eax
004013C3 . 83F8 0A
cmp eax, 0A
; the serial must be exactly 10 characters
004013C6 . 0F85 29010000
jnz 004014F5
004013CC . BE 23304000
mov esi, 00403023
; esi = serial
004013D1 . B8 00000000
mov eax, 0
004013D6 . BB 00000000
mov ebx, 0
004013DB . 33C9
xor ecx,
ecx
004013DD . EB 06
jmp short 004013E5
004013DF > 8A0C30
mov cl, [
eax+
esi]
004013E2 . 03D9
add ebx,
ecx ; ebx += serial[eax] (upper bytes of ecx stay 0)
004013E4 . 40
inc eax
004013E5 > 83F8 09
cmp eax, 9
004013E8 .^ 72 F5
jb short 004013DF
; sums serial[0..8], nine bytes
004013EA . 8BC3
mov eax,
ebx
004013EC . B9 09000000
mov ecx, 9
004013F1 . 99
cdq
004013F2 . F7F9
idiv ecx
004013F4 . A3 4A304000
mov [40304A],
eax ; [40304A] = sum(serial[0..8]) / 9; presumably what 004014CE (not shown) compares serial[9] against
004013F9 . 8B7D 08
mov edi, [
ebp+8]
; edi = table pointer (00403053)
004013FC . 8A15 4F304000
mov dl, [40304F]
; dl = name-derived start index (sum mod 24) computed in 00401332
00401402 . 8AC2
mov al,
dl
00401404 . 3C 18
cmp al, 18
00401406 . 76 02
jbe short 0040140A
00401408 . 2C 18
sub al, 18
; reduce mod 24 (dead here: dl < 24 already; al == 0x18 would not be reduced)
0040140A > A2 4E304000
mov [40304E],
al
0040140F . 33C0
xor eax,
eax
00401411 . A0 4E304000
mov al, [40304E]
; reload through memory to zero-extend the index into eax
00401416 . 8A2438
mov ah, [
eax+
edi]
00401419 . 8A36
mov dh, [
esi]
0040141B . 38F4
cmp ah,
dh ; T[idx] must equal serial[0]
0040141D . 0F85 D2000000
jnz 004014F5
00401423 . 80EE 41
sub dh, 41
00401426 . 8AF2
mov dh,
dl
; both writes to dh above are dead: dh is overwritten at 00401446
00401428 . B4 00
mov ah, 0
0040142A . A2 4E304000
mov [40304E],
al
0040142F . 33C0
xor eax,
eax
00401431 . A0 4E304000
mov al, [40304E]
00401436 . 02C2
add al,
dl
; idx += sum mod 24 (so idx = 2 * start index before reduction)
00401438 . 3C 18
cmp al, 18
0040143A . 76 02
jbe short 0040143E
0040143C . 2C 18
sub al, 18
; reduce mod 24 (al == 0x18 slips through and indexes the NUL at T[24])
0040143E > B9 02000000
mov ecx, 2
00401443 . 8A2438
mov ah, [
eax+
edi]
00401446 . 8A3431
mov dh, [
ecx+
esi]
00401449 . 38F4
cmp ah,
dh ; T[idx] must equal serial[2] (serial[1] was fixed to 'E' in 00401510)
0040144B . 0F85 A4000000
jnz 004014F5
00401451 . EB 24
jmp short 00401477
; loop over serial[3..8]: ecx counts 2 -> 8, dh holds the previously compared char
00401453 > A2 4E304000
mov [40304E],
al
00401458 . 33C0
xor eax,
eax
0040145A . A0 4E304000
mov al, [40304E]
0040145F . 80EE 41
sub dh, 41
00401462 . 8AD6
mov dl,
dh
; dl = serial[ecx] - 'A'
00401464 . 41
inc ecx
00401465 . 02C2
add al,
dl
; idx += previous serial char - 'A'
00401467 . 3C 18
cmp al, 18
00401469 . 76 02
jbe short 0040146D
0040146B . 2C 18
sub al, 18
; reduce mod 24 (al can be exactly 0x18 here: 0x17 + 25 - 0x18)
0040146D > 8A2438
mov ah, [
eax+
edi]
00401470 . 8A3431
mov dh, [
ecx+
esi]
00401473 . 38F4
cmp ah,
dh ; T[idx] vs serial[ecx] - but the result is not acted on:
00401475 90
nop
00401476 90
nop
; two nop bytes where the other compare sites jump to 004014F5 on mismatch; most
; likely a 2-byte "jnz short 004014F5" (75 7E) patched out by the write-up author.
; The scan at 00401485 covers these bytes but looks only for 0xCC.
00401477 > 83F9 08
cmp ecx, 8
0040147A .^ 72 D7
jb short 00401453
; ecx < 8: next character
0040147C . C9
leave
0040147D . C2 0400
retn 4
; pops the table-pointer argument
【注册机源码】（MASM32 语法。IDC_NAME、IDC_REG 为对话框控件 ID，定义在此处未列出的资源/包含文件中；注册码最后一位按上文分析的商值生成，目标程序中对应的检查例程 004014CE 未在上面列出）
; Keygen for KeyGenMe 1 (MASM32). Reproduces the target's checks, with T = szTable:
;   idx0      = (byte-sum(name) mod 256) mod 24       serial[0] = T[idx0]
;   serial[1] = 'E'
;   idx       = idx0 + idx0, reduced                  serial[2] = T[idx]
;   for i = 3..8: idx += serial[i-1] - 'A', reduced;  serial[i] = T[idx]
;   serial[9] = sum(serial[0..8]) / 9   (per the write-up; the target's last-char
;                                        routine 004014CE is not listed)
; "reduced" copies the target's cmp al,18h / jbe / sub al,18h, so an index of
; exactly 24 is NOT reduced and selects the table's NUL terminator, as in the target.
; IDC_NAME / IDC_REG are dialog control IDs defined outside this listing.
.data
szTable
db "ZWATRQLCGHPSXYENVBJDFKMU",0
; 24 letters + NUL: index 18h reads the NUL
.data?
szName
db 64
dup (?)
szSerial
db 64
dup (?)
; both buffers are zeroed on every call, so szSerial is always NUL-terminated
.code
GetSerial
proc hDlg
pushad
invoke RtlZeroMemory,
addr szName,
sizeof szName
invoke RtlZeroMemory,
addr szSerial,
sizeof szSerial
invoke GetDlgItemText,hDlg,IDC_NAME,
addr szName,
sizeof szName
; eax = number of characters copied; 0 means an empty name
.if eax
lea esi,szName
xor eax,
eax
; byte-sum of the name in al (wraps mod 256, like the target's add [403045],cl)
@@:
mov cl,[
esi]
or cl,
cl
je @F
add al,
cl
inc esi
jmp @B
@@:
xor edx,
edx
mov ecx,18h
idiv ecx
; edx = sum mod 24 = idx0; dl keeps this value until the 6-char loop below
lea esi,szTable
lea edi,szSerial
mov eax,
edx
cmp al,18h
jbe @F
sub al,18h
; never taken here (idx0 < 24 already); kept to mirror the target
@@:
mov bl,[
esi+
eax]
mov [
edi],
bl
; serial[0] = T[idx0]
inc edi
mov BYTE ptr [
edi],
'E'
; serial[1] = 'E' (fixed by the target's check at 00401510)
inc edi
add al,
dl
; idx = 2 * idx0
cmp al,18h
jbe @F
sub al,18h
; reduce (an index of exactly 24 is left as is -> NUL from the table)
@@:
mov bl,[
esi+
eax]
mov [
edi],
bl
; serial[2] = T[idx]
inc edi
mov ecx,6
; six more characters: serial[3..8]
@L:
sub bl,41h
; bl = previous serial char - 'A' (garbage if that char was the NUL case above)
add al,
bl
cmp al,18h
jbe @F
sub al,18h
@@:
mov bl,[
esi+
eax]
mov [
edi],
bl
inc edi
dec ecx
jnz @L
; last character: sum the nine characters written so far
xor eax,
eax
xor ebx,
ebx
lea edi,szSerial
@@:
mov bl,[
edi]
or bl,
bl
je @F
add eax,
ebx
inc edi
jmp @B
@@:
; edi now points at the first NUL, i.e. serial[9] in the normal case
xor edx,
edx
mov ecx,9
idiv ecx
mov [
edi],
al
; serial[9] = sum / 9; nine letters in 'A'..'Z' give a quotient in 'A'..'Z'
invoke SetDlgItemText,hDlg,IDC_REG,
addr szSerial
.else
invoke SetDlgItemText,hDlg,IDC_REG,CTXT(
"Please Enter Your Name.")
.endif
popad
ret
GetSerial
endp
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!