【破文标题】 CCproxy6.0的算法分析
【破文作者】 daxia2002
【作者邮箱】 [email]daxia2002@126.com[/email]
【使用工具】 Peid,Ollydbg
【破解平台】 Win2000/XP
【软件名称】 CCproxy6.0
【下载地址】
http://www.youngzsoft.com/download/ccproxysetup.exe
【软件主要功能和特点】
设置简单,功能强大,完全支持 Win98/WinMe/WinNT/Win2000/WinXP/Win2003。
支持共享Modem、ISDN、ADSL、DDN、专线、蓝牙、二级代理等访问Internet。
支持HTTP、FTP、Gopher、SOCKS4/5、Telnet、Secure(HTTPS)、News(NNTP)、RTSP、MMS等代理协议。
支持浏览器通过HTTP/Secure/FTP(Web)/Gopher代理上网。
支持客户端使用Outlook、Outlook Express、Foxmail等通用邮件客户端软件收发邮件。
支持OICQ、ICQ、Yahoo Messenger、MSN、iMRC、联众游戏、股票软件通过HTTPS、SOCKS5代理上网。
支持CuteFTP、CuteFTP Pro、WS-FTP、FXP-FTP等FTP软件通过代理上网。
支持RealPlayer通过RTSP代理接收视频,支持MediaPlayer通过MMS代理接收视频。
支持NetTerm通过Telnet代理上网。
支持Outlook通过News代理连接新闻服务器。
支持远程拨号、自动拨号、自动断线、自动关机功能。
支持二级代理,可以使代理服务器通过其他代理服务器上网。
双击界面上的绿色网格可以实时观测代理用户连接信息。
简单实用的帐号管理功能,可以针对不同用户定义不同的上网限制。
帐号管理支持IP段设置方式和自动扫描帐号功能,建立帐号更轻松。
支持多种方式的帐号认证方式和混和应用:IP地址、MAC地址、用户名密码、域帐号管理。
支持HTTP和SOCKS5用户验证。
内置域名解析功能DNS。
时间管理功能:可以自由控制不同用户的上网时间。
网站过滤功能:可以屏蔽特定网站和内容,也可以限定用户只能上指定的网站。
缓存功能:可以自由设定缓存大小,更新时间,提高访问速度。
带宽控制:可以灵活的控制每个客户端的上网速度。
支持WinNT/Win2K/WinXP/Win2003下以NT服务运行方式。
其他高级功能:加载代理广告条、启动时拨号、端口映射、流量计费等,具体用法参加主页和论坛。
【软件大小】815KB
【保护方式】无
【破解目的】研究算法分析
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【破解内容】
用Peid查壳,发现无壳,为Microsoft Visual C++ 6.0 编写。
用OllyDbg加载、运行,点击“注册”按钮弹出注册窗口。在注册窗口里,序列号栏输入:daxia2002,注册码栏输入:88888888,点击“注册”按钮,当然弹出“对不起,注册失败!”对话框。
切换到OllyDbg,按F12暂停,按ALT+K打开调用堆栈窗口,显示的信息如下:
调用堆栈
地址 堆栈 例程 / 参数 调用来自
0012BC98 77D13C6B 包含 7FFE0304 USER32.77D13C69 0012BCCC
0012BC9C 77D1B406 USER32.WaitMessage USER32.77D1B401 0012BCCC
0012BCD0 77D1D9AA USER32.77D1B279 USER32.77D1D9A5 0012BCCC
0012BCF8 77D362F4 USER32.77D1D8F6 USER32.77D362EF 0012BCF4
0012BFB0 77D35D77 ? USER32.SoftModalMessageBox USER32.77D35D72 0012BF38
0012C0F8 77D36441 ? USER32.77D35C3D USER32.77D3643C 0012C080
0012C14C 77D36529 USER32.MessageBoxTimeoutW USER32.77D36524 0012C148
0012C180 77D364B6 ? USER32.MessageBoxTimeoutA USER32.77D364B1 0012C17C
0012C1A0 77D3649A ? USER32.MessageBoxExA USER32.77D36495 0012C19C
0012C1A4 000703E8 hOwner = 000703E8 ('注册',class='#32770',parent=000D03BA)
0012C1A8 00C57758 Text = "对不起,注册失败!"
0012C1AC 00A906A0 Title = "CCProxy"
0012C1B0 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012C1B4 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012C1B8 00454F7F ? USER32.MessageBoxA CCProxy.00454F79
0012C1BC 000703E8 hOwner = 000703E8 ('注册',class='#32770',parent=000D03BA)
0012C1C0 00C57758 Text = "对不起,注册失败!"
0012C1C4 00A906A0 Title = "CCProxy"
0012C1C8 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
堆栈友好显示调用来自CCProxy.00454F79显示了注册失败的窗口,好的,双击这一行,跳转到地址00454f79:
00454EC7 /$ 55 push ebp
00454EC8 |. 8BEC mov ebp,esp
00454ECA |. 81EC 14010000 sub esp,114
00454ED0 |. 53 push ebx
00454ED1 |. 56 push esi
00454ED2 |. 57 push edi
00454ED3 |. 33DB xor ebx,ebx
00454ED5 |. 8BF9 mov edi,ecx
00454ED7 |. 53 push ebx
00454ED8 |. 897D F0 mov dword ptr ss:[ebp-10],edi
00454EDB |. E8 B9FFFFFF call CCProxy.00454E99
00454EE0 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00454EE3 |. 50 push eax
00454EE4 |. 53 push ebx
00454EE5 |. E8 55010000 call CCProxy.0045503F
00454EEA |. 33F6 xor esi,esi
00454EEC |. 3BC3 cmp eax,ebx
00454EEE |. 8945 F4 mov dword ptr ss:[ebp-C],eax
00454EF1 |. 74 18 je short CCProxy.00454F0B
00454EF3 |. 53 push ebx ; /lParam
00454EF4 |. 53 push ebx ; |wParam
00454EF5 |. 68 76030000 push 376 ; |Message = MSG(376)
00454EFA |. FF75 FC push dword ptr ss:[ebp-4] ; |hWnd
00454EFD |. FF15 BCE54500 call dword ptr ds:[<&USER32.SendMessageA>] ; \SendMessageA
00454F03 |. 3BC3 cmp eax,ebx
00454F05 |. 74 04 je short CCProxy.00454F0B
00454F07 |. 8BF0 mov esi,eax
00454F09 |. EB 0A jmp short CCProxy.00454F15
00454F0B |> 3BFB cmp edi,ebx
00454F0D |. 74 06 je short CCProxy.00454F15
00454F0F |. 8DB7 9C000000 lea esi,dword ptr ds:[edi+9C]
00454F15 |> 3BF3 cmp esi,ebx
00454F17 |. 895D F8 mov dword ptr ss:[ebp-8],ebx
00454F1A |. 74 13 je short CCProxy.00454F2F
00454F1C |. 8B06 mov eax,dword ptr ds:[esi]
00454F1E |. 8945 F8 mov dword ptr ss:[ebp-8],eax
00454F21 |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
00454F24 |. 3BC3 cmp eax,ebx
00454F26 |. 74 07 je short CCProxy.00454F2F
00454F28 |. 05 00000300 add eax,30000
00454F2D |. 8906 mov dword ptr ds:[esi],eax
00454F2F |> 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
00454F32 |. F6C3 F0 test bl,0F0
00454F35 |. 75 17 jnz short CCProxy.00454F4E
00454F37 |. 8BC3 mov eax,ebx
00454F39 |. 83E0 0F and eax,0F
00454F3C |. 83F8 01 cmp eax,1
00454F3F |. 76 0A jbe short CCProxy.00454F4B
00454F41 |. 83F8 02 cmp eax,2
00454F44 |. 76 08 jbe short CCProxy.00454F4E
00454F46 |. 83F8 04 cmp eax,4
00454F49 |. 77 03 ja short CCProxy.00454F4E
00454F4B |> 83CB 30 or ebx,30
00454F4E |> 85FF test edi,edi
00454F50 |. 74 05 je short CCProxy.00454F57
00454F52 |. 8B7F 78 mov edi,dword ptr ds:[edi+78]
00454F55 |. EB 1A jmp short CCProxy.00454F71
00454F57 |> 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-114]
00454F5D |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00454F62 |. 50 push eax ; |PathBuffer
00454F63 |. 6A 00 push 0 ; |hModule = NULL
00454F65 |. 8DBD ECFEFFFF lea edi,dword ptr ss:[ebp-114] ; |
00454F6B |. FF15 18E24500 call dword ptr ds:[<&KERNEL32.GetModuleFile>; \GetModuleFileNameA
00454F71 |> 53 push ebx ; /Style
00454F72 |. 57 push edi ; |Title
00454F73 |. FF75 08 push dword ptr ss:[ebp+8] ; |Text
00454F76 |. FF75 F4 push dword ptr ss:[ebp-C] ; |hOwner
00454F79 |. FF15 30E44500 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA //跳到这里
00454F7F |. 85F6 test esi,esi ; CCProxy.00473E94
看了一下,这里并没有关键判断的地方。下断点bp GetWindowTextA,点击“注册”按钮,断了下来,ALT+F9返回到程序领空,返回到00454C8C,这里取注册码。
00454C57 /$ 55 push ebp
00454C58 |. 8BEC mov ebp,esp
00454C5A |. 56 push esi
00454C5B |. 57 push edi
00454C5C |. 8B7D 08 mov edi,dword ptr ss:[ebp+8]
00454C5F |. FF75 0C push dword ptr ss:[ebp+C]
00454C62 |. 8BCF mov ecx,edi
00454C64 |. E8 2FFEFFFF call CCProxy.00454A98
00454C69 |. 833F 00 cmp dword ptr ds:[edi],0
00454C6C |. 8BF0 mov esi,eax
00454C6E |. 74 28 je short CCProxy.00454C98
00454C70 |. 56 push esi ; /hWnd
00454C71 |. FF15 44E44500 call dword ptr ds:[<&USER32.GetWindowTextLe>; \GetWindowTextLengthA
00454C77 |. 8D48 01 lea ecx,dword ptr ds:[eax+1]
00454C7A |. 51 push ecx
00454C7B |. 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
00454C7E |. 50 push eax
00454C7F |. E8 4DC6FFFF call CCProxy.004512D1
00454C84 |. 50 push eax ; |Buffer
00454C85 |. 56 push esi ; |hWnd
00454C86 |. FF15 48E44500 call dword ptr ds:[<&USER32.GetWindowTextA>>; \GetWindowTextA
00454C8C |. 8B4D 10 mov ecx,dword ptr ss:[ebp+10] //返回到这里
00454C8F |. 6A FF push -1
00454C91 |. E8 13C6FFFF call CCProxy.004512A9
00454C96 |. EB 0B jmp short CCProxy.00454CA3
00454C98 |> 8B45 10 mov eax,dword ptr ss:[ebp+10]
00454C9B |. FF30 push dword ptr ds:[eax] ; /Arg2
00454C9D |. 56 push esi ; |Arg1
00454C9E |. E8 86F0FFFF call CCProxy.00453D29 ; \CCProxy.00453D29
00454CA3 |> 5F pop edi
00454CA4 |. 5E pop esi
00454CA5 |. 5D pop ebp
00454CA6 \. C2 0C00 retn 0C
跟进call CCProxy.004512A9,计算注册码的长度。
004512A9 /$ 56 push esi
004512AA |. 8BF1 mov esi,ecx
004512AC |. E8 88FBFFFF call CCProxy.00450E39
004512B1 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
004512B5 |. 83F8 FF cmp eax,-1
004512B8 |. 75 08 jnz short CCProxy.004512C2
004512BA |. FF36 push dword ptr ds:[esi] ; /String
004512BC |. FF15 0CE24500 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
//计算注册码的长度
004512C2 |> 8B0E mov ecx,dword ptr ds:[esi]
004512C4 |. 8941 F8 mov dword ptr ds:[ecx-8],eax
004512C7 |. 8B0E mov ecx,dword ptr ds:[esi]
004512C9 |. 5E pop esi
004512CA |. 802401 00 and byte ptr ds:[ecx+eax],0
004512CE \. C2 0400 retn 4
从地址00454CA6还会后,来到0040b619,类似的操作,分别处理特征码和用户名。
0040B619 . 8D96 20010000 lea edx,dword ptr ds:[esi+120]
0040B61F . 52 push edx ; /Arg3
0040B620 . 68 2C040000 push 42C ; |Arg2 = 0000042C
0040B625 . 57 push edi ; |Arg1
0040B626 . E8 2C960400 call CCProxy.00454C57 ; \CCProxy.00454C57
0040B62B . 81C6 24010000 add esi,124
0040B631 . 56 push esi ; /Arg3
0040B632 . 68 2D040000 push 42D ; |Arg2 = 0000042D
0040B637 . 57 push edi ; |Arg1
0040B638 . E8 1A960400 call CCProxy.00454C57 ; \CCProxy.00454C57
0040B63D . 5F pop edi
0040B63E . 5E pop esi
0040B63F . C2 0400 retn 4
从0040B63F最后返回后到0040d633,原来是将注册码和用户名保存到CCProxy.ini文件。
0040D633 . 8B86 1C010000 mov eax,dword ptr ds:[esi+11C]
0040D639 . 8B3D 88E24500 mov edi,dword ptr ds:[<&KERNEL32.WritePriva>; kernel32.WritePrivateProfileStringA
0040D63F . 68 E83B4700 push CCProxy.00473BE8 ; /FileName = "D:\CCProxy\CCProxy.ini"
0040D644 . 50 push eax ; |String
0040D645 . 68 5CF04600 push CCProxy.0046F05C ; |Key = "RegCode"
0040D64A . 68 54EF4600 push CCProxy.0046EF54 ; |Section = "System"
0040D64F . FFD7 call edi ; \WritePrivateProfileStringA
0040D651 . 8B86 24010000 mov eax,dword ptr ds:[esi+124]
0040D657 . 68 E83B4700 push CCProxy.00473BE8 ; /FileName = "D:\CCProxy\CCProxy.ini"
0040D65C . 50 push eax ; |String
0040D65D . 68 E4F04600 push CCProxy.0046F0E4 ; |Key = "UserName"
0040D662 . 68 54EF4600 push CCProxy.0046EF54 ; |Section = "System"
0040D667 . FFD7 call edi ; \WritePrivateProfileStringA
0040D669 . 8BCE mov ecx,esi
0040D66B . E8 E62F0400 call CCProxy.00450656
0040D670 . E8 3BC6FFFF call CCProxy.00409CB0
0040D675 . 8BCE mov ecx,esi
0040D677 . E8 EF2F0400 call CCProxy.0045066B
从0040D670跟进
00409CB0 /$ B8 8C210000 mov eax,218C
00409CB5 |. E8 46110300 call CCProxy.0043AE00
00409CBA |. 55 push ebp
00409CBB |. 56 push esi
00409CBC |. 57 push edi
00409CBD |. 68 E03A4700 push CCProxy.00473AE0 ; /pCriticalSection = CCProxy.00473AE0
00409CC2 |. FF15 78E24500 call dword ptr ds:[<&KERNEL32.EnterCritical>; \EnterCriticalSection
00409CC8 |. A0 B03A4700 mov al,byte ptr ds:[473AB0]
00409CCD |. B9 FF000000 mov ecx,0FF
00409CD2 |. 888424 90050000 mov byte ptr ss:[esp+590],al
00409CD9 |. 33C0 xor eax,eax
00409CDB |. 8DBC24 91050000 lea edi,dword ptr ss:[esp+591]
00409CE2 |. 8B35 98E24500 mov esi,dword ptr ds:[<&KERNEL32.GetPrivate>; kernel32.GetPrivateProfileStringA
00409CE8 |. F3:AB rep stos dword ptr es:[edi]
00409CEA |. 68 E83B4700 push CCProxy.00473BE8 ; /IniFileName = "D:\CCProxy\CCProxy.ini"
00409CEF |. 8D8C24 940D0000 lea ecx,dword ptr ss:[esp+D94] ; |
00409CF6 |. 68 00040000 push 400 ; |BufSize = 400 (1024.)
00409CFB |. 51 push ecx ; |ReturnBuffer
00409CFC |. 66:AB stos word ptr es:[edi] ; |
00409CFE |. 68 B03A4700 push CCProxy.00473AB0 ; |Default = ""
00409D03 |. 68 5CF04600 push CCProxy.0046F05C ; |Key = "RegCode"
00409D08 |. 68 54EF4600 push CCProxy.0046EF54 ; |Section = "System"
00409D0D |. AA stos byte ptr es:[edi] ; |
00409D0E |. FFD6 call esi ; \GetPrivateProfileStringA
//取注册码
00409D10 |. 68 E83B4700 push CCProxy.00473BE8 ; /IniFileName = "D:\CCProxy\CCProxy.ini"
00409D15 |. 8D9424 90010000 lea edx,dword ptr ss:[esp+190] ; |
00409D1C |. 68 00040000 push 400 ; |BufSize = 400 (1024.)
00409D21 |. 52 push edx ; |ReturnBuffer
00409D22 |. 68 B03A4700 push CCProxy.00473AB0 ; |Default = ""
00409D27 |. 68 E4F04600 push CCProxy.0046F0E4 ; |Key = "UserName"
00409D2C |. 68 54EF4600 push CCProxy.0046EF54 ; |Section = "System"
00409D31 |. FFD6 call esi ; \GetPrivateProfileStringA
//取用户名
00409D33 |. 8D8424 8C010000 lea eax,dword ptr ss:[esp+18C] //eax指向用户名
00409D3A |. 8D8C24 900D0000 lea ecx,dword ptr ss:[esp+D90] //ecx指向注册码
00409D41 |. 50 push eax //用户名入?
00409D42 |. 51 push ecx //注册码入?
00409D43 |. E8 28F9FFFF call CCProxy.00409670 //关键的call
00409D48 |. 83C4 08 add esp,8 //平衡堆栈
00409D4B |. A3 D4F65100 mov dword ptr ds:[51F6D4],eax //将返回值保存到地址51F6D4,注册标志
00409D50 |. 85C0 test eax,eax //判断,eax=1注册,eax=0没注册
00409D52 |. 0F84 7B010000 je CCProxy.00409ED3 //作者为了防止爆破,在很多地方进行
//这种判断,还用了timer,但始终用call CCProxy.00409670,所以爆破很简单,进入这个call
//直接修改为mov eax,1,ret。所以编程一定不要规范,呵呵。
//好了,让我们进入call CCProxy.00409670,精彩的算法还在后面。
00409D58 |. 80BC24 91010000 3>cmp byte ptr ss:[esp+191],30
00409D60 |. 0F85 6D010000 jnz CCProxy.00409ED3
00409D66 |. 8A15 B03A4700 mov dl,byte ptr ds:[473AB0]
00409D6C |. B9 41000000 mov ecx,41
00409D71 |. 33C0 xor eax,eax
00409D73 |. 8DBC24 85000000 lea edi,dword ptr ss:[esp+85]
00409D7A |. 889424 84000000 mov byte ptr ss:[esp+84],dl
00409D81 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00409D86 |. F3:AB rep stos dword ptr es:[edi] ; |
00409D88 |. 8D8424 88000000 lea eax,dword ptr ss:[esp+88] ; |
00409D8F |. C68424 9C010000 0>mov byte ptr ss:[esp+19C],0 ; |
00409D97 |. 50 push eax ; |Buffer
00409D98 |. FF15 6CE24500 call dword ptr ds:[<&KERNEL32.GetWindowsDir>; \GetWindowsDirectoryA
00409D9E |. BF D8F04600 mov edi,CCProxy.0046F0D8 ; ASCII "\Win.ini"
00409DA3 |. 83C9 FF or ecx,FFFFFFFF
00409DA6 |. 33C0 xor eax,eax
00409DA8 |. 8D9424 84000000 lea edx,dword ptr ss:[esp+84]
00409DAF |. F2:AE repne scas byte ptr es:[edi]
00409DB1 |. F7D1 not ecx
00409DB3 |. 2BF9 sub edi,ecx
00409DB5 |. 8BF7 mov esi,edi
00409DB7 |. 8BE9 mov ebp,ecx
00409DB9 |. 8BFA mov edi,edx
00409DBB |. 83C9 FF or ecx,FFFFFFFF
00409DBE |. F2:AE repne scas byte ptr es:[edi]
00409DC0 |. 8BCD mov ecx,ebp
00409DC2 |. 4F dec edi
00409DC3 |. C1E9 02 shr ecx,2
00409DC6 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
00409DC8 |. 8BCD mov ecx,ebp
00409DCA |. 8D8424 84000000 lea eax,dword ptr ss:[esp+84]
00409DD1 |. 83E1 03 and ecx,3
00409DD4 |. 50 push eax ; /IniFileName
00409DD5 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>; |
00409DD7 |. 8D8C24 90010000 lea ecx,dword ptr ss:[esp+190] ; |
00409DDE |. 6A 00 push 0 ; |Default = 0
00409DE0 |. 51 push ecx ; |Key
00409DE1 |. 68 D0F04600 push CCProxy.0046F0D0 ; |Section = "Product"
00409DE6 |. FF15 70E24500 call dword ptr ds:[<&KERNEL32.GetPrivatePro>; \GetPrivateProfileIntA
00409DEC |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
00409DF0 |. 8BE8 mov ebp,eax
00409DF2 |. 52 push edx ; /pSystemTime
00409DF3 |. FF15 94E24500 call dword ptr ds:[<&KERNEL32.GetSystemTime>; \GetSystemTime
00409DF9 |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
00409DFD |. 6A FF push -1 ; /Arg2 = FFFFFFFF
00409DFF |. 50 push eax ; |Arg1
00409E00 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; |
00409E04 |. E8 D1150400 call CCProxy.0044B3DA ; \CCProxy.0044B3DA
00409E09 |. 6A 00 push 0
00409E0B |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00409E0F |. E8 71160400 call CCProxy.0044B485
00409E14 |. 8B70 14 mov esi,dword ptr ds:[eax+14]
00409E17 |. 6A 00 push 0
00409E19 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00409E1D |. 81C6 6C070000 add esi,76C
00409E23 |. E8 5D160400 call CCProxy.0044B485
00409E28 |. 8B78 10 mov edi,dword ptr ds:[eax+10]
00409E2B |. 6A 00 push 0
00409E2D |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00409E31 |. 47 inc edi
00409E32 |. E8 4E160400 call CCProxy.0044B485
00409E37 |. 8D14F6 lea edx,dword ptr ds:[esi+esi*8]
00409E3A |. 8BC8 mov ecx,eax
00409E3C |. 8B49 0C mov ecx,dword ptr ds:[ecx+C]
00409E3F |. 8D04D6 lea eax,dword ptr ds:[esi+edx*8]
00409E42 |. 8BD7 mov edx,edi
00409E44 |. 8D0480 lea eax,dword ptr ds:[eax+eax*4]
00409E47 |. C1E2 04 shl edx,4
00409E4A |. 03C8 add ecx,eax
00409E4C |. 2BD7 sub edx,edi
00409E4E |. 85ED test ebp,ebp
00409E50 |. 8D1451 lea edx,dword ptr ds:[ecx+edx*2]
00409E53 |. 75 5A jnz short CCProxy.00409EAF
00409E55 |. A0 B03A4700 mov al,byte ptr ds:[473AB0]
00409E5A |. B9 FF000000 mov ecx,0FF
00409E5F |. 888424 90090000 mov byte ptr ss:[esp+990],al
00409E66 |. 33C0 xor eax,eax
00409E68 |. 8DBC24 91090000 lea edi,dword ptr ss:[esp+991]
00409E6F |. 52 push edx
00409E70 |. F3:AB rep stos dword ptr es:[edi]
00409E72 |. 66:AB stos word ptr es:[edi]
00409E74 |. 8D8C24 94090000 lea ecx,dword ptr ss:[esp+994]
00409E7B |. 68 50E14600 push CCProxy.0046E150 ; ASCII "%d"
00409E80 |. 51 push ecx
00409E81 |. AA stos byte ptr es:[edi]
00409E82 |. E8 3D110300 call CCProxy.0043AFC4
00409E87 |. 83C4 0C add esp,0C
00409E8A |. 8D9424 84000000 lea edx,dword ptr ss:[esp+84]
00409E91 |. 8D8424 90090000 lea eax,dword ptr ss:[esp+990]
00409E98 |. 8D8C24 8C010000 lea ecx,dword ptr ss:[esp+18C]
00409E9F |. 52 push edx ; /FileName
00409EA0 |. 50 push eax ; |String
00409EA1 |. 51 push ecx ; |Key
00409EA2 |. 68 D0F04600 push CCProxy.0046F0D0 ; |Section = "Product"
00409EA7 |. FF15 88E24500 call dword ptr ds:[<&KERNEL32.WritePrivateP>; \WritePrivateProfileStringA
00409EAD |. EB 24 jmp short CCProxy.00409ED3
00409EAF |> 8BF2 mov esi,edx
00409EB1 |. 2BF5 sub esi,ebp
00409EB3 |. 78 14 js short CCProxy.00409EC9
00409EB5 |. 8D9424 96010000 lea edx,dword ptr ss:[esp+196]
00409EBC |. 52 push edx
00409EBD |. E8 C71E0300 call CCProxy.0043BD89
00409EC2 |. 83C4 04 add esp,4
00409EC5 |. 3BF0 cmp esi,eax
00409EC7 |. 7C 0A jl short CCProxy.00409ED3
00409EC9 |> C705 D4F65100 000>mov dword ptr ds:[51F6D4],0
00409ED3 |> B0 43 mov al,43
00409ED5 |. BF 4CE14600 mov edi,CCProxy.0046E14C
00409EDA |. 884424 20 mov byte ptr ss:[esp+20],al
00409EDE |. 884424 21 mov byte ptr ss:[esp+21],al
00409EE2 |. 83C9 FF or ecx,FFFFFFFF
00409EE5 |. 33C0 xor eax,eax
00409EE7 |. F2:AE repne scas byte ptr es:[edi]
00409EE9 |. F7D1 not ecx
00409EEB |. 2BF9 sub edi,ecx
00409EED |. 8D5424 20 lea edx,dword ptr ss:[esp+20]
00409EF1 |. 8BF7 mov esi,edi
00409EF3 |. 8BE9 mov ebp,ecx
00409EF5 |. 8BFA mov edi,edx
00409EF7 |. 83C9 FF or ecx,FFFFFFFF
00409EFA |. C64424 22 50 mov byte ptr ss:[esp+22],50
00409EFF |. C64424 23 72 mov byte ptr ss:[esp+23],72
00409F04 |. C64424 24 6F mov byte ptr ss:[esp+24],6F
00409F09 |. C64424 25 78 mov byte ptr ss:[esp+25],78
00409F0E |. C64424 26 79 mov byte ptr ss:[esp+26],79
00409F13 |. C64424 27 00 mov byte ptr ss:[esp+27],0
00409F18 |. F2:AE repne scas byte ptr es:[edi]
00409F1A |. 8BCD mov ecx,ebp
00409F1C |. 4F dec edi
00409F1D |. C1E9 02 shr ecx,2
00409F20 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
00409F22 |. 8BCD mov ecx,ebp
00409F24 |. 83E1 03 and ecx,3
00409F27 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
00409F29 |. E8 F25C0200 call CCProxy.0042FC20
00409F2E |. 8BF8 mov edi,eax
00409F30 |. 83C9 FF or ecx,FFFFFFFF
00409F33 |. 33C0 xor eax,eax
00409F35 |. 8D5424 20 lea edx,dword ptr ss:[esp+20]
00409F39 |. F2:AE repne scas byte ptr es:[edi]
00409F3B |. F7D1 not ecx
00409F3D |. 2BF9 sub edi,ecx
00409F3F |. 8BF7 mov esi,edi
00409F41 |. 8BE9 mov ebp,ecx
00409F43 |. 8BFA mov edi,edx
00409F45 |. 83C9 FF or ecx,FFFFFFFF
00409F48 |. F2:AE repne scas byte ptr es:[edi]
00409F4A |. 8BCD mov ecx,ebp
00409F4C |. 4F dec edi
00409F4D |. C1E9 02 shr ecx,2
00409F50 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
00409F52 |. A0 B03A4700 mov al,byte ptr ds:[473AB0]
00409F57 |. 8BCD mov ecx,ebp
00409F59 |. 83E1 03 and ecx,3
00409F5C |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
00409F5E |. 888424 94110000 mov byte ptr ss:[esp+1194],al
00409F65 |. B9 00040000 mov ecx,400
00409F6A |. 33C0 xor eax,eax
00409F6C |. 8DBC24 95110000 lea edi,dword ptr ss:[esp+1195]
00409F73 |. F3:AB rep stos dword ptr es:[edi]
00409F75 |. A1 D4F65100 mov eax,dword ptr ds:[51F6D4]
00409F7A |. 5F pop edi
00409F7B |. 5E pop esi
00409F7C |. 5D pop ebp
00409F7D |. 85C0 test eax,eax
00409F7F |. 74 42 je short CCProxy.00409FC3
00409F81 |. 8D8C24 88110000 lea ecx,dword ptr ss:[esp+1188]
00409F88 |. 51 push ecx
00409F89 |. 6A 7F push 7F
00409F8B |. E8 50480200 call CCProxy.0042E7E0
00409F90 |. 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00409F94 |. 8D8424 90110000 lea eax,dword ptr ss:[esp+1190]
00409F9B |. 52 push edx
00409F9C |. 8D8C24 90050000 lea ecx,dword ptr ss:[esp+590]
00409FA3 |. 50 push eax
00409FA4 |. 51 push ecx
00409FA5 |. E8 1A100300 call CCProxy.0043AFC4
00409FAA |. 83C4 14 add esp,14
00409FAD |. E8 B0750400 call CCProxy.00451562
00409FB2 |. 85C0 test eax,eax
00409FB4 |. 74 62 je short CCProxy.0040A018
00409FB6 |. 8B10 mov edx,dword ptr ds:[eax]
00409FB8 |. 8BC8 mov ecx,eax
00409FBA |. FF52 74 call dword ptr ds:[edx+74]
00409FBD |. 85C0 test eax,eax
00409FBF |. 74 57 je short CCProxy.0040A018
00409FC1 |. EB 43 jmp short CCProxy.0040A006
00409FC3 |> 8D8424 88110000 lea eax,dword ptr ss:[esp+1188]
00409FCA |. 50 push eax
00409FCB |. 68 80000000 push 80
00409FD0 |. E8 0B480200 call CCProxy.0042E7E0
00409FD5 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00409FD9 |. 8D9424 90110000 lea edx,dword ptr ss:[esp+1190]
00409FE0 |. 51 push ecx
00409FE1 |. 8D8424 90050000 lea eax,dword ptr ss:[esp+590]
00409FE8 |. 52 push edx
00409FE9 |. 50 push eax
00409FEA |. E8 D50F0300 call CCProxy.0043AFC4
00409FEF |. 83C4 14 add esp,14
00409FF2 |. E8 6B750400 call CCProxy.00451562
00409FF7 |. 85C0 test eax,eax
00409FF9 |. 74 1D je short CCProxy.0040A018
00409FFB |. 8B10 mov edx,dword ptr ds:[eax]
00409FFD |. 8BC8 mov ecx,eax
00409FFF |. FF52 74 call dword ptr ds:[edx+74]
0040A002 |. 85C0 test eax,eax
0040A004 |. 74 12 je short CCProxy.0040A018
0040A006 |> 8B50 1C mov edx,dword ptr ds:[eax+1C]
0040A009 |. 8D8C24 84050000 lea ecx,dword ptr ss:[esp+584]
0040A010 |. 51 push ecx ; /Text
0040A011 |. 52 push edx ; |hWnd
0040A012 |. FF15 8CE54500 call dword ptr ds:[<&USER32.SetWindowTextA>>; \SetWindowTextA
0040A018 |> 68 E03A4700 push CCProxy.00473AE0 ; /pCriticalSection = CCProxy.00473AE0
0040A01D |. FF15 74E24500 call dword ptr ds:[<&KERNEL32.LeaveCritical>; \LeaveCriticalSection
0040A023 |. 81C4 8C210000 add esp,218C
0040A029 \. C3 retn
进入call CCProxy.00409670后来到00409670
00409670 81EC 44090000 sub esp,944
00409676 |. 83C9 FF or ecx,FFFFFFFF
00409679 |. 33C0 xor eax,eax
0040967B |. 53 push ebx
0040967C |. 55 push ebp
0040967D |. 56 push esi
0040967E |. 8BB424 58090000 mov esi,dword ptr ss:[esp+958] //esi指向用户名
00409685 |. 57 push edi
00409686 |. 8BFE mov edi,esi
00409688 |. F2:AE repne scas byte ptr es:[edi]
0040968A |. F7D1 not ecx
0040968C |. 49 dec ecx //ecx为用户名长度
0040968D |. 75 0B jnz short CCProxy.0040969A //不为0来到0040969A
一路来到004097A8,跟进call CCProxy.0042EEC0
0042E4C0 /$ 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
0042E4C4 |. 8B5424 04 mov edx,dword ptr ss:[esp+4]
0042E4C8 |. 55 push ebp
0042E4C9 |. 8B6C24 14 mov ebp,dword ptr ss:[esp+14]
0042E4CD |. 8D4424 0C lea eax,dword ptr ss:[esp+C]
0042E4D1 |. 56 push esi
0042E4D2 |. 33F6 xor esi,esi
0042E4D4 |. 50 push eax ; /pHandle
0042E4D5 |. 6A 01 push 1 ; |Access = KEY_QUERY_VALUE
0042E4D7 |. 56 push esi ; |Reserved => 0
0042E4D8 |. 51 push ecx ; |Subkey
//ecx指向“SoftWare\Microsoft\Windows\CurrentVersion”
0042E4D9 |. 52 push edx ; |hKey
0042E4DA |. C645 00 00 mov byte ptr ss:[ebp],0 ; |
0042E4DE |. FF15 50E04500 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>; \RegOpenKeyExA
0042E4E4 |. 85C0 test eax,eax
0042E4E6 |. 0F85 81000000 jnz CCProxy.0042E56D
0042E4EC |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
0042E4F0 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
0042E4F4 |. 57 push edi
0042E4F5 |. 8B7C24 18 mov edi,dword ptr ss:[esp+18]
0042E4F9 |. 50 push eax ; /pBufSize
0042E4FA |. 56 push esi ; |Buffer => NULL
0042E4FB |. 56 push esi ; |pValueType => NULL
0042E4FC |. 56 push esi ; |Reserved => NULL
0042E4FD |. 57 push edi ; |ValueName //指向“ProductId”
0042E4FE |. 51 push ecx ; |hKey
0042E4FF |. FF15 08E04500 call dword ptr ds:[<&ADVAPI32.RegQueryValue>; \RegQueryValueExA
0042E505 |. 85C0 test eax,eax
0042E507 |. 75 53 jnz short CCProxy.0042E55C
0042E509 |. 8B5424 1C mov edx,dword ptr ss:[esp+1C]
0042E50D |. 53 push ebx
0042E50E |. 52 push edx
0042E50F |. E8 2D2E0200 call CCProxy.00451341
0042E514 |. 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0042E518 |. 83C4 04 add esp,4
0042E51B |. 8BD8 mov ebx,eax
0042E51D |. 8D4424 20 lea eax,dword ptr ss:[esp+20]
0042E521 |. 50 push eax ; /pBufSize
0042E522 |. 53 push ebx ; |Buffer
0042E523 |. 56 push esi ; |pValueType
0042E524 |. 56 push esi ; |Reserved
0042E525 |. 57 push edi ; |ValueName
0042E526 |. 51 push ecx ; |hKey
0042E527 |. FF15 08E04500 call dword ptr ds:[<&ADVAPI32.RegQueryValue>; \RegQueryValueExA
//ebx指向取得ProductId值
0042E52D |. 85C0 test eax,eax
0042E52F |. 75 21 jnz short CCProxy.0042E552
0042E531 |. 8B4424 20 mov eax,dword ptr ss:[esp+20]
0042E535 |. 8BF3 mov esi,ebx
0042E537 |. 8BC8 mov ecx,eax
0042E539 |. 8BFD mov edi,ebp
0042E53B |. 8BD1 mov edx,ecx
0042E53D |. C1E9 02 shr ecx,2
0042E540 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
0042E542 |. 8BCA mov ecx,edx
0042E544 |. 83E1 03 and ecx,3
0042E547 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
0042E549 |. C60428 00 mov byte ptr ds:[eax+ebp],0
0042E54D |. BE 01000000 mov esi,1
0042E552 |> 53 push ebx
0042E553 |. E8 122E0200 call CCProxy.0045136A
0042E558 |. 83C4 04 add esp,4
0042E55B |. 5B pop ebx
0042E55C |> 8B4424 14 mov eax,dword ptr ss:[esp+14]
0042E560 |. 50 push eax ; /hKey
0042E561 |. FF15 48E04500 call dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
0042E567 |. 8BC6 mov eax,esi
0042E569 |. 5F pop edi
0042E56A |. 5E pop esi
0042E56B |. 5D pop ebp
0042E56C |. C3 retn
原来取系统的ProductId,再做一些变换,作为硬件标识特征码,方法不错。跟踪还发现如果是win2000系统,
用自带的uuid.dll调用函数UUID2K产生硬件标识特征码,具体的我就不列出了。
一路上经过各种对用户名和硬件标识特征码的变换,我发现那是作者迷惑跟踪者,最后终于来到了算法的核心,
来到了00409149:
00409149 |> \55 push ebp //ebp指向用户名入?
0040914A |. 55 push ebp //ebp指向用户名入?,入了2次,看样子需要计算2次
0040914B |. E8 90FB0100 call CCProxy.00428CE0 //跟进算法的核心
00409150 |. 8BF8 mov edi,eax
00409152 |. 83C9 FF or ecx,FFFFFFFF
00409155 |. 33C0 xor eax,eax
00409157 |. 8D9424 28140000 lea edx,dword ptr ss:[esp+1428]
0040915E |. F2:AE repne scas byte ptr es:[edi]
00409160 |. F7D1 not ecx
00409162 |. 2BF9 sub edi,ecx
00409164 |. 53 push ebx //特征码入?
00409165 |. 8BC1 mov eax,ecx
00409167 |. 8BF7 mov esi,edi
00409169 |. 8BFA mov edi,edx
0040916B |. C1E9 02 shr ecx,2
0040916E |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
00409170 |. 8BC8 mov ecx,eax
00409172 |. 83E1 03 and ecx,3
00409175 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
00409177 |. 8D8C24 2C140000 lea ecx,dword ptr ss:[esp+142C]
0040917E |. 51 push ecx //由call CCProxy.00428CE0生成处理后的信息z1z2...z17入?
0040917F |. E8 5CFB0100 call CCProxy.00428CE0 //相同的算法
//对md5(z1z2...z17) 和md5(特征码)进行运算处理,结果就是
//最后的注册码了。
00409184 |. 8BD0 mov edx,eax //eax为真正的的注册码,这里可以作内存注册机了
00409186 |. A0 B03A4700 mov al,byte ptr ds:[473AB0]
0040918B |. 888424 30180000 mov byte ptr ss:[esp+1830],al
00409192 |. B9 00040000 mov ecx,400
00409197 |. 33C0 xor eax,eax
00409199 |. 8DBC24 31180000 lea edi,dword ptr ss:[esp+1831]
004091A0 |. F3:AB rep stos dword ptr es:[edi]
004091A2 |. 8BFA mov edi,edx
004091A4 |. 83C9 FF or ecx,FFFFFFFF
004091A7 |. 83C4 10 add esp,10
004091AA |. 8D9C24 20180000 lea ebx,dword ptr ss:[esp+1820]
004091B1 |. F2:AE repne scas byte ptr es:[edi]
004091B3 |. F7D1 not ecx
004091B5 |. 2BF9 sub edi,ecx
004091B7 |. 8D8424 20180000 lea eax,dword ptr ss:[esp+1820]
004091BE |. 8BD1 mov edx,ecx
004091C0 |. 8BF7 mov esi,edi
004091C2 |. 8BFB mov edi,ebx
004091C4 |. C1E9 02 shr ecx,2
004091C7 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
004091C9 |. 8BCA mov ecx,edx
004091CB |. 8B9424 28280000 mov edx,dword ptr ss:[esp+2828]
004091D2 |. 83E1 03 and ecx,3
004091D5 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
004091D7 |. 8BF2 mov esi,edx
004091D9 |> 8A18 /mov bl,byte ptr ds:[eax] //bl=伪注册码
004091DB |. 8ACB |mov cl,bl
004091DD |. 3A1E |cmp bl,byte ptr ds:[esi] //进行按位比较
004091DF |. 75 1C |jnz short CCProxy.004091FD //不等就over
004091E1 |. 84C9 |test cl,cl
004091E3 |. 74 14 |je short CCProxy.004091F9
004091E5 |. 8A58 01 |mov bl,byte ptr ds:[eax+1]
004091E8 |. 8ACB |mov cl,bl
004091EA |. 3A5E 01 |cmp bl,byte ptr ds:[esi+1]
004091ED |. 75 0E |jnz short CCProxy.004091FD
004091EF |. 83C0 02 |add eax,2
004091F2 |. 83C6 02 |add esi,2
004091F5 |. 84C9 |test cl,cl
004091F7 |.^ 75 E0 \jnz short CCProxy.004091D9
004091F9 |> 33C0 xor eax,eax
004091FB |. EB 05 jmp short CCProxy.00409202
004091FD |> 1BC0 sbb eax,eax
004091FF |. 83D8 FF sbb eax,-1
00409202 |> 85C0 test eax,eax
00409204 |. 0F85 8E020000 jnz CCProxy.00409498
0040920A |. 8BFD mov edi,ebp
0040920C |. 83C9 FF or ecx,FFFFFFFF
0040920F |. F2:AE repne scas byte ptr es:[edi]
00409211 |. F7D1 not ecx
00409213 |. 49 dec ecx
00409214 |. 83F9 0C cmp ecx,0C
00409217 |. 74 10 je short CCProxy.00409229
00409219 |. 5F pop edi
0040921A |. 5E pop esi
0040921B |. 5D pop ebp
0040921C |. B8 03000000 mov eax,3
00409221 |. 5B pop ebx
00409222 |. 81C4 14280000 add esp,2814
00409228 |. C3 retn
跟进0040914B的call CCProxy.00428CE0,来到00428CE0
00428CE0 /$ 81EC D4000000 sub esp,0D4
00428CE6 |. 83C9 FF or ecx,FFFFFFFF
00428CE9 |. 33C0 xor eax,eax
00428CEB |. 56 push esi
00428CEC |. 8BB424 DC000000 mov esi,dword ptr ss:[esp+DC]
00428CF3 |. 57 push edi
00428CF4 |. 8BFE mov edi,esi
00428CF6 |. F2:AE repne scas byte ptr es:[edi]
00428CF8 |. F7D1 not ecx
00428CFA |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00428CFE |. 49 dec ecx
00428CFF |. 50 push eax
00428D00 |. 8BF9 mov edi,ecx
00428D02 |. E8 E9000000 call CCProxy.00428DF0 //跟进,这里是对md5初始化
00428D07 |. 57 push edi
00428D08 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
00428D0C |. 56 push esi
00428D0D |. 51 push ecx
00428D0E |. E8 0D010000 call CCProxy.00428E20
00428D13 |. 8D5424 3C lea edx,dword ptr ss:[esp+3C]
00428D17 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
00428D1B |. 52 push edx
00428D1C |. 50 push eax
00428D1D |. E8 EE010000 call CCProxy.00428F10 //这里就是md5变换算法
00428D22 |. 8BB424 FC000000 mov esi,dword ptr ss:[esp+FC]
00428D29 |. 83C9 FF or ecx,FFFFFFFF
00428D2C |. 8BFE mov edi,esi
00428D2E |. 33C0 xor eax,eax
00428D30 |. F2:AE repne scas byte ptr es:[edi]
00428D32 |. F7D1 not ecx
00428D34 |. 49 dec ecx
00428D35 |. 8BF9 mov edi,ecx
00428D37 |. 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
00428D3E |. 51 push ecx
00428D3F |. E8 AC000000 call CCProxy.00428DF0 //跟进,这里是对md5初始化
00428D44 |. 57 push edi
00428D45 |. 8D9424 A4000000 lea edx,dword ptr ss:[esp+A4]
00428D4C |. 56 push esi
00428D4D |. 52 push edx
00428D4E |. E8 CD000000 call CCProxy.00428E20
00428D53 |. 8D8424 AC000000 lea eax,dword ptr ss:[esp+AC]
00428D5A |. 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
00428D5E |. 50 push eax
00428D5F |. 51 push ecx
00428D60 |. E8 AB010000 call CCProxy.00428F10 //这里就是md5变换算法
//原来对用户名进行md5两次,然后对这两个hash信息进行运算处理
我们知道md5的hash值为128 bit位,16个字节。假设第一轮md5(用户名)=x1x2x3.....x16,其中x1为
hash值的第1个字节,x2为hash值的第2个字节,依此类推,x16为hash值的第16个字节。
假设第二轮md5(用户名)=y1y2y3.....y16,其中y1为hash值的第1个字节,y2为hash值的第2个字节,依此类推,y16为hash值的第16个字节。
00428D65 |. 8B5424 38 mov edx,dword ptr ss:[esp+38] //edx=x4x3x2x1
00428D69 |. C605 BAF75100 00 mov byte ptr ds:[51F7BA],0
00428D70 |. 81E2 FF000000 and edx,0FF //edx=edx and 0FF,edx=x1
00428D76 |. 52 push edx //x1入?
00428D77 |. 68 20F04600 push CCProxy.0046F020 ; ASCII "%02x"
00428D7C |. 68 98F75100 push CCProxy.0051F798
00428D81 |. E8 3E220100 call CCProxy.0043AFC4 //把x1转成小写的16进制,长度为2位
00428D86 |. 83C4 3C add esp,3C
00428D89 |. BF 9AF75100 mov edi,CCProxy.0051F79A
00428D8E |. 33F6 xor esi,esi
00428D90 |> 33C0 xor eax,eax
00428D92 |. 33C9 xor ecx,ecx
00428D94 |. 8A4434 09 mov al,byte ptr ss:[esp+esi+9] //al=x2
00428D98 |. 8A4C34 18 mov cl,byte ptr ss:[esp+esi+18] //cl=y1
00428D9C |. 0BC1 or eax,ecx //eax=eax or ecx=x2 or y1
00428D9E |. 50 push eax
00428D9F |. 68 20F04600 push CCProxy.0046F020 ; ASCII "%02x"
00428DA4 |. 57 push edi
00428DA5 |. E8 1A220100 call CCProxy.0043AFC4 //把x2转成小写的16进制,长度为2位
00428DAA |. 83C4 0C add esp,0C
00428DAD |. 46 inc esi
00428DAE |. 83C7 02 add edi,2
00428DB1 |. 8D56 01 lea edx,dword ptr ds:[esi+1]
00428DB4 |. 83FA 10 cmp edx,10
00428DB7 |.^ 72 D7 jb short CCProxy.00428D90 //循环处理直到处理完x16
00428DB9 |. 8B4424 27 mov eax,dword ptr ss:[esp+27] //eax=y13y14y15y16
00428DBD |. 25 FF000000 and eax,0FF //eax=y16
00428DC2 |. 50 push eax
00428DC3 |. 68 20F04600 push CCProxy.0046F020 ; ASCII "%02x"
00428DC8 |. 68 B8F75100 push CCProxy.0051F7B8
00428DCD |. E8 F2210100 call CCProxy.0043AFC4 //把y16转成小写的16进制,长度为2位
00428DD2 |. 83C4 0C add esp,0C
00428DD5 |. B8 98F75100 mov eax,CCProxy.0051F798 //eax=处理完的hash信息,长度位17字节。
//假设为z1z2...z17
00428DDA |. 5F pop edi
00428DDB |. 5E pop esi
00428DDC |. 81C4 D4000000 add esp,0D4
00428DE2 \. C3 retn
跟进00428D02的call CCProxy.00428DF0,发现原来是md5算法。
00428DF0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4]
00428DF4 |. 33C9 xor ecx,ecx
00428DF6 |. C700 01234567 mov dword ptr ds:[eax],67452301 //这些常数是不是很熟悉
00428DFC |. C740 04 89ABCDEF mov dword ptr ds:[eax+4],EFCDAB89
00428E03 |. C740 08 FEDCBA98 mov dword ptr ds:[eax+8],98BADCFE
00428E0A |. C740 0C 76543210 mov dword ptr ds:[eax+C],10325476
00428E11 |. 8948 10 mov dword ptr ds:[eax+10],ecx
00428E14 |. 8948 14 mov dword ptr ds:[eax+14],ecx
00428E17 \. C3 retn
跟进00428D1D的call CCProxy.00428F10
00428F10 /$ 56 push esi
00428F11 |. 8B7424 0C mov esi,dword ptr ss:[esp+C]
00428F15 |. 57 push edi
00428F16 |. B9 3F000000 mov ecx,3F
00428F1B |. 8B46 10 mov eax,dword ptr ds:[esi+10]
00428F1E |. C1E8 03 shr eax,3
00428F21 |. 83E0 3F and eax,3F
00428F24 |. 2BC8 sub ecx,eax
00428F26 |. 8D7C30 18 lea edi,dword ptr ds:[eax+esi+18]
00428F2A |. C607 80 mov byte ptr ds:[edi],80
00428F2D |. 47 inc edi
00428F2E |. 83F9 08 cmp ecx,8
00428F31 |. 73 28 jnb short CCProxy.00428F5B
00428F33 |. 8BD1 mov edx,ecx
00428F35 |. 33C0 xor eax,eax
00428F37 |. C1E9 02 shr ecx,2
00428F3A |. F3:AB rep stos dword ptr es:[edi]
00428F3C |. 8BCA mov ecx,edx
00428F3E |. 83E1 03 and ecx,3
00428F41 |. F3:AA rep stos byte ptr es:[edi]
00428F43 |. 8D7E 18 lea edi,dword ptr ds:[esi+18]
00428F46 |. 57 push edi
00428F47 |. 56 push esi
00428F48 |. E8 63000000 call CCProxy.00428FB0
00428F4D |. 83C4 08 add esp,8
00428F50 |. B9 0E000000 mov ecx,0E
00428F55 |. 33C0 xor eax,eax
00428F57 |. F3:AB rep stos dword ptr es:[edi]
00428F59 |. EB 13 jmp short CCProxy.00428F6E
00428F5B |> 83C1 F8 add ecx,-8
00428F5E |. 33C0 xor eax,eax
00428F60 |. 8BD1 mov edx,ecx
00428F62 |. C1E9 02 shr ecx,2
00428F65 |. F3:AB rep stos dword ptr es:[edi]
00428F67 |. 8BCA mov ecx,edx
00428F69 |. 83E1 03 and ecx,3
00428F6C |. F3:AA rep stos byte ptr es:[edi]
00428F6E |> 8B46 10 mov eax,dword ptr ds:[esi+10]
00428F71 |. 8B4E 14 mov ecx,dword ptr ds:[esi+14]
00428F74 |. 8D56 18 lea edx,dword ptr ds:[esi+18]
00428F77 |. 8946 50 mov dword ptr ds:[esi+50],eax
00428F7A |. 52 push edx
00428F7B |. 56 push esi
00428F7C |. 894E 54 mov dword ptr ds:[esi+54],ecx
00428F7F |. E8 2C000000 call CCProxy.00428FB0 //这里就是md5变换算法,看了看很熟悉
00428F84 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
00428F88 |. 8BC6 mov eax,esi
00428F8A |. 83C4 08 add esp,8
00428F8D |. 8B10 mov edx,dword ptr ds:[eax]
00428F8F |. 8911 mov dword ptr ds:[ecx],edx //保存第一组hash信息,4个字节
00428F91 |. 5F pop edi
00428F92 |. 8B50 04 mov edx,dword ptr ds:[eax+4]
00428F95 |. 8951 04 mov dword ptr ds:[ecx+4],edx //保存第二组hash信息,4个字节
00428F98 |. 8B50 08 mov edx,dword ptr ds:[eax+8]
00428F9B |. 8951 08 mov dword ptr ds:[ecx+8],edx //保存第三组hash信息,4个字节
00428F9E |. 8B40 0C mov eax,dword ptr ds:[eax+C]
00428FA1 |. 8941 0C mov dword ptr ds:[ecx+C],eax //保存第四组hash信息,4个字节
00428FA4 |. C706 00000000 mov dword ptr ds:[esi],0
00428FAA |. 5E pop esi
00428FAB \. C3 retn
类似的处理,0040917F的call CCProxy.00428CE0相同的算法,对md5(z1z2...z17) 和md5(特征码)进行运算处理,
结果就是最后的注册码了。
最后用VB做了注册机,考虑到是国产软件,注册机就不发布了,只列出实现的代码。
Private Sub Command1_Click()
Dim md5_1, md5_2, m1, m2, s1, s2, s3 As String
Dim I, J, K As Integer
md5_1 = Md5_String_Calc(Trim(Text1.Text))
md5_2 = Md5_String_Calc(Trim(Text1.Text))
s1 = LCase(Hex(Val("&H" & (Left(md5_1, 2))) And &HFF))
For I = 1 To 15
J = Val("&H" & Mid(md5_1, 2 * I + 1, 2))
K = Val("&H" & Mid(md5_2, 2 * I - 1, 2))
J = J Or K
s2 = s2 & Format(Hex(J), "<")
Next I
s3 = LCase(Hex(Val("&H" & (Right(md5_2, 2))) And &HFF))
m1 = s1 & s2 & s3
md5_1 = Md5_String_Calc(CStr(m1))
md5_2 = Md5_String_Calc(Trim(Text2.Text))
s1 = LCase(Hex(Val("&H" & (Left(md5_1, 2))) And &HFF))
s2 = ""
For I = 1 To 15
J = Val("&H" & Mid(md5_1, 2 * I + 1, 2))
K = Val("&H" & Mid(md5_2, 2 * I - 1, 2))
J = J Or K
s2 = s2 & Format(Hex(J), "<")
Next I
s3 = LCase(Hex(Val("&H" & (Right(md5_2, 2))) And &HFF))
m2 = s1 & s2 & s3
Text3.Text = m2
End Sub
写了大半天好心苦,谢谢您耐心看完。再次感谢看学论坛和DFCG组织所有帮助过我的朋友们,
特别感谢weiyi75[DFCG]二哥,在他的一再鼓励和催促下,才有了此文。
daxia2002 2004.7.10
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
