【Title】: Magic Converter 2.0 (魔法转换2.0) algorithm analysis (super simple)
【Author】: guawoo
【Author's e-mail】: thinkfree2008@yahoo.com.cn
【Software】: 魔法转换2.0 (Magic Converter 2.0)
【Download】: search for it yourself
【Packer】: ASPack
【Protection】: registration code
【Language】: Delphi
【Tools】: OllyDbg
【Author's note】: This is only out of interest, with no other purpose. If I have slipped up anywhere, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
I posted this one on OCN before, but back then I killed it with a patch, which never felt satisfying. I was still a newbie then and could not read the algorithm. After a while of study I have improved a lot, so today I am taking it on again.
Step one: take its clothes off... er, I mean unpack it.
Step two: a check-up. It is a Delphi build.
OK, fire up DeDe. After a 20-minute wait the analysis finally finished. (Sob~~~, 20 minutes. I could have evolved into Superman in that time.)
From here on it is the familiar routine. Look at the code:
==============================================
00561234 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00561237 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0056123A |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
00561240 |. E8 2779EDFF CALL unpacked.00438B6C ===> checks the user name
00561245 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
00561249 |. 75 18 JNZ SHORT unpacked.00561263 ===> jumps if not empty; if empty, error
0056124B |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0056124D |. 68 B8135600 PUSH unpacked.005613B8 ; |Title = "错误"
00561252 |. 68 C0135600 PUSH unpacked.005613C0 ; |Text = "请输入姓名!"
00561257 |. 6A 00 PUSH 0 ; |hOwner = NULL
00561259 |. E8 0269EAFF CALL ; \MessageBoxA
0056125E |. E9 08010000 JMP unpacked.0056136B
00561263 |> 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00561266 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0056126C |. E8 FB78EDFF CALL unpacked.00438B6C
00561271 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00561274 |. 50 PUSH EAX
00561275 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00561278 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
0056127E |. E8 E978EDFF CALL unpacked.00438B6C
00561283 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00561286 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00561289 |. E8 4E4CFFFF CALL unpacked.00555EDC ====> this is the algorithm call
0056128E |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00561291 |. 58 POP EAX ====> pops the correct registration code
00561292 |. E8 052FEAFF CALL unpacked.0040419C ====> the compare call; friends who like brute force, charge in here. Heh heh~~
00561297 |. 0F85 CE000000 JNZ unpacked.0056136B ====> if this jump is taken, it is over
0056129D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005612A0 |. E8 EF48FFFF CALL unpacked.00555B94
005612A5 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005612A8 |. BA D8135600 MOV EDX,unpacked.005613D8 ; ASCII "\win.ini" (the file the registration code is saved to, in the Windows directory)
005612AD |. E8 E22DEAFF CALL unpacked.00404094
005612B2 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
005612B5 |. B2 01 MOV DL,1
005612B7 |. A1 9C344700 MOV EAX,DWORD PTR DS:[47349C]
005612BC |. E8 2B23F1FF CALL unpacked.004735EC
005612C1 |. A3 E4675700 MOV DWORD PTR DS:[5767E4],EAX
005612C6 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005612C9 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
005612CF |. E8 9878EDFF CALL unpacked.00438B6C
005612D4 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005612D7 |. 50 PUSH EAX
005612D8 |. B9 EC135600 MOV ECX,unpacked.005613EC ; ASCII "name"
005612DD |. BA FC135600 MOV EDX,unpacked.005613FC ; ASCII "magct"
005612E2 |. A1 E4675700 MOV EAX,DWORD PTR DS:[5767E4]
005612E7 |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
005612E9 |. FF56 04 CALL DWORD PTR DS:[ESI+4]
005612EC |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
005612EF |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
005612F5 |. E8 7278EDFF CALL unpacked.00438B6C
005612FA |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
005612FD |. 50 PUSH EAX
005612FE |. B9 0C145600 MOV ECX,unpacked.0056140C ; ASCII "code"
00561303 |. BA FC135600 MOV EDX,unpacked.005613FC ; ASCII "magct"
00561308 |. A1 E4675700 MOV EAX,DWORD PTR DS:[5767E4]
0056130D |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
0056130F |. FF56 04 CALL DWORD PTR DS:[ESI+4]
00561312 |. A1 E4675700 MOV EAX,DWORD PTR DS:[5767E4]
00561317 |. E8 781DEAFF CALL unpacked.00403094
0056131C |. BA 1C145600 MOV EDX,unpacked.0056141C
00561321 |. 8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
00561327 |. E8 7078EDFF CALL unpacked.00438B9C
0056132C |. 33D2 XOR EDX,EDX
0056132E |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
00561334 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00561336 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
00561339 |. 6A 40 PUSH 40
0056133B |. 68 24145600 PUSH unpacked.00561424
00561340 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00561343 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
00561349 |. E8 1E78EDFF CALL unpacked.00438B6C
0056134E |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00561351 |. BA 38145600 MOV EDX,unpacked.00561438
00561356 |. E8 392DEAFF CALL unpacked.00404094
0056135B |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0056135E |. E8 ED2EEAFF CALL unpacked.00404250
00561363 |. 50 PUSH EAX ; |Text
00561364 |. 6A 00 PUSH 0 ; |hOwner = NULL
00561366 |. E8 F567EAFF CALL ; \MessageBoxA
0056136B |> 33C0 XOR EAX,EAX
0056136D |. 5A POP EDX
0056136E |. 59 POP ECX
0056136F |. 59 POP ECX
00561370 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00561373 |. 68 B2135600 PUSH unpacked.005613B2
00561378 |> 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0056137B |. BA 03000000 MOV EDX,3
00561380 |. E8 9B2AEAFF CALL unpacked.00403E20
00561385 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00561388 |. E8 6F2AEAFF CALL unpacked.00403DFC
0056138D |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00561390 |. E8 672AEAFF CALL unpacked.00403DFC
00561395 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00561398 |. E8 5F2AEAFF CALL unpacked.00403DFC
0056139D |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
005613A0 |. BA 02000000 MOV EDX,2
005613A5 |. E8 762AEAFF CALL unpacked.00403E20
005613AA \. C3 RETN
=================Into the algorithm call=================
00555EE5 |. 33C9 XOR ECX,ECX
00555EE7 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00555EEA |. 8BFA MOV EDI,EDX
00555EEC |. 8BF0 MOV ESI,EAX
00555EEE |. 33C0 XOR EAX,EAX
00555EF0 |. 55 PUSH EBP
00555EF1 |. 68 A95F5500 PUSH unpacked.00555FA9
00555EF6 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00555EF9 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00555EFC |. 85F6 TEST ESI,ESI
00555EFE |. 0F84 8F000000 JE unpacked.00555F93
00555F04 |. 8BC6 MOV EAX,ESI
00555F06 |. E8 81E1EAFF CALL unpacked.0040408C
00555F0B |. 85C0 TEST EAX,EAX
00555F0D |. 7E 4D JLE SHORT unpacked.00555F5C
00555F0F |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00555F12 |. BB 01000000 MOV EBX,1 ===> EBX=1
00555F17 |> 33C0 /XOR EAX,EAX
00555F19 |. 8A441E FF |MOV AL,BYTE PTR DS:[ESI+EBX-1] ===> take the ASCII code of the 1st character of the user name, call it A
00555F1D |. 99 |CDQ
00555F1E |. F7FB |IDIV EBX ====> A=A/EBX
00555F20 |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX
00555F23 |. 8BC6 |MOV EAX,ESI
00555F25 |. E8 62E1EAFF |CALL unpacked.0040408C ====> get the length of the user name, call it len
00555F2A |. 50 |PUSH EAX
00555F2B |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
00555F2E |. 5A |POP EDX
00555F2F |. 8BCA |MOV ECX,EDX
00555F31 |. 99 |CDQ
00555F32 |. F7F9 |IDIV ECX ====> A=A/len
00555F34 |. 33D2 |XOR EDX,EDX
00555F36 |. 8A541E FF |MOV DL,BYTE PTR DS:[ESI+EBX-1] ===> take the ASCII code of the 1st character of the user name again, call it B
00555F3A |. 83C2 03 |ADD EDX,3 ===> B=B+3
00555F3D |. F7EA |IMUL EDX ===> B=A×B
00555F3F |. 8D4D F4 |LEA ECX,DWORD PTR SS:[EBP-C]
00555F42 |. BA 03000000 |MOV EDX,3
00555F47 |. E8 BC34EBFF |CALL unpacked.00409408 ====> save B as the first part of the registration code
00555F4C |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
00555F4F |. 8BC7 |MOV EAX,EDI
00555F51 |. E8 3EE1EAFF |CALL unpacked.00404094
00555F56 |. 43 |INC EBX ====> EBX+1
00555F57 |. FF4D F8 |DEC DWORD PTR SS:[EBP-8]
00555F5A |.^ 75 BB \JNZ SHORT unpacked.00555F17 =====> loop back and start the computation again.
00555F5C |> 8B07 MOV EAX,DWORD PTR DS:[EDI]
00555F5E |. E8 29E1EAFF CALL unpacked.0040408C
00555F63 |. 83F8 08 CMP EAX,8
00555F66 |. 7D 10 JGE SHORT unpacked.00555F78
00555F68 |. 8B0F MOV ECX,DWORD PTR DS:[EDI]
00555F6A |. 8BC7 MOV EAX,EDI
00555F6C |. BA C05F5500 MOV EDX,unpacked.00555FC0 ; ASCII "M8C"
00555F71 |. E8 62E1EAFF CALL unpacked.004040D8
00555F76 |. EB 1B JMP SHORT unpacked.00555F93
00555F78 |> 8B07 MOV EAX,DWORD PTR DS:[EDI]
00555F7A |. E8 0DE1EAFF CALL unpacked.0040408C
00555F7F |. 83F8 0C CMP EAX,0C
00555F82 |. 7E 0F JLE SHORT unpacked.00555F93
00555F84 |. 57 PUSH EDI
00555F85 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00555F87 |. B9 0C000000 MOV ECX,0C
00555F8C |. 33D2 XOR EDX,EDX
00555F8E |. E8 01E3EAFF CALL unpacked.00404294
00555F93 |> 33C0 XOR EAX,EAX
00555F95 |. 5A POP EDX
00555F96 |. 59 POP ECX
00555F97 |. 59 POP ECX
00555F98 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00555F9B |. 68 B05F5500 PUSH unpacked.00555FB0
00555FA0 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00555FA3 |. E8 54DEEAFF CALL unpacked.00403DFC
00555FA8 \. C3 RETN
==================Algorithm summary=================
Only the first 4 characters of the user name are used in the computation; any beyond that are ignored, but the length used is the length of the whole user name.
For each character used: take its ASCII code (in hex), divide it by its position, divide that by the length of the user name, then multiply by (that character's hex code + 3).
For example, name: abcd
key1=hex(a)/1/len(name)*(hex(a)+3)
.
.
key4=hex(d)/4/len(name)*(hex(d)+3)
SN=key1+..+key4 (the 4 parts concatenated)
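To check the summary against the listing, here is a model of the loop at 00555F17-00555F5A in Python. It is an added example, not the program's own code: position is the 1-based EBX counter, hex(a) in the formula is the numeric value of the byte (zero-extended by XOR EAX,EAX / MOV AL), every division is the truncating CDQ/IDIV, and the loop runs once per byte of the name because [EBP-8] holds the length; the length fix-up after the loop at 00555F5C is not modelled.

```python
from __future__ import annotations

# Added example, not the program's code: a model of the loop at
# 00555F17-00555F5A as the write-up reads it. The tail of the routine
# (00555F5C onward) is deliberately left out.

def idiv32(dividend: int, divisor: int) -> int:
    """CDQ/IDIV quotient: truncates toward zero, unlike Python's //."""
    q = abs(dividend) // abs(divisor)
    return -q if (dividend < 0) != (divisor < 0) else q

def key_part(byte_value: int, position: int, name_len: int) -> int:
    """One loop iteration: A = byte / EBX; A = A / len; B = A * (byte + 3)."""
    a = idiv32(byte_value, position)            # IDIV EBX at 00555F1E
    a = idiv32(a, name_len)                     # IDIV ECX at 00555F32
    return (a * (byte_value + 3)) & 0xFFFFFFFF  # IMUL EDX at 00555F3D, EAX keeps the low 32 bits

def key_parts(name: bytes) -> list[int]:
    """The loop runs once per byte: [EBP-8] is initialised with the length."""
    n = len(name)
    return [key_part(b, pos, n) for pos, b in enumerate(name, start=1)]

def serial(name: bytes) -> str:
    """Decimal form of each part, appended to the result at 00555F47/00555F51."""
    return "".join(str(p) for p in key_parts(name))

def check_code(name: bytes, entered: str) -> bool:
    """The comparison at 00561292: entered code against the computed one."""
    return entered == serial(name)

if __name__ == "__main__":
    # Constructed sample input, taken from the write-up's own example name.
    print(key_parts(b"abcd"))   # [2400, 1212, 816, 618]
    print(serial(b"abcd"))      # 24001212816618
```

Because the byte is zero-extended, a GBK name such as the constructed bytes D5 C5 goes through the same arithmetic with values above 0x7F and never triggers a negative IDIV.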
--------------------------------------------------------------------------------
【Lessons learned】
Guess slowly, guess slowly... don't rush... think it over and it will come out. Heh heh~~~~
Happy, singing...
only you are a newbie
only you are a newcomer
only you unknow these codes
only you cry in midnight........................
--------------------------------------------------------------------------------
【Copyright notice】: Fight piracy, support D版!!
2006-05-20 19:49:19