大家看看这个软件的暗桩和算法-软件逆向-看雪-安全社区|安全招聘|kanxue.com

大家看看这个软件的暗桩和算法

发表于: 2006-6-23 11:25 4195

大家看看这个软件的暗桩和算法

软件医生

2006-6-23 11:25

4195

00454E3C  /$  55          PUSH EBP
00454E3D  |.  8BEC       MOV EBP,ESP
00454E3F  |.  51          PUSH ECX
00454E40  |.  B9 06000000 MOV ECX,6
00454E45  |>  6A 00       /PUSH 0
00454E47  |.  6A 00       |PUSH 0
00454E49  |.  49          |DEC ECX
00454E4A  |.^ 75 F9       \JNZ SHORT Registra.00454E45
00454E4C  |.  51          PUSH ECX
00454E4D  |.  874D FC    XCHG DWORD PTR SS:[EBP-4],ECX
00454E50  |.  53          PUSH EBX
00454E51  |.  56          PUSH ESI
00454E52  |.  57          PUSH EDI
00454E53  |.  894D F8    MOV DWORD PTR SS:[EBP-8],ECX
00454E56  |.  8BDA       MOV EBX,EDX
00454E58  |.  8945 FC    MOV DWORD PTR SS:[EBP-4],EAX
00454E5B  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
00454E5E  |.  E8 21F6FAFF CALL Registra.00404484
00454E63  |.  33C0       XOR EAX,EAX
00454E65  |.  55          PUSH EBP
00454E66  |.  68 79504500 PUSH Registra.00455079
00454E6B  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
00454E6E  |.  64:8920    MOV DWORD PTR FS:[EAX],ESP
00454E71  |.  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
00454E74  |.  8BD3       MOV EDX,EBX
00454E76  |.  E8 F1F1FAFF CALL Registra.0040406C
00454E7B  |.  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
00454E7E  |.  E8 11F4FAFF CALL Registra.00404294
00454E83  |.  25 01000080 AND EAX,80000001
00454E88  |.  79 05       JNS SHORT Registra.00454E8F
00454E8A  |.  48          DEC EAX
00454E8B  |.  83C8 FE    OR EAX,FFFFFFFE
00454E8E  |.  40          INC EAX
00454E8F  |>  48          DEC EAX
00454E90    75 0F       JNZ SHORT Registra.00454EA1
00454E92  |.  B8 94504500 MOV EAX,Registra.00455094             ;  错误！////////这里有暗桩
00454E97  |.  E8 9428FDFF CALL Registra.00427730
00454E9C  |.  E9 A8010000 JMP Registra.00455049
00454EA1  |>  8D4D F0    LEA ECX,DWORD PTR SS:[EBP-10]
00454EA4  |.  8B55 F8    MOV EDX,DWORD PTR SS:[EBP-8]
00454EA7  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
00454EAA  |.  E8 8DFDFFFF CALL Registra.00454C3C
00454EAF  |.  8D45 E8    LEA EAX,DWORD PTR SS:[EBP-18]
00454EB2  |.  8B55 F4    MOV EDX,DWORD PTR SS:[EBP-C]
00454EB5  |.  E8 B2F1FAFF CALL Registra.0040406C
00454EBA  |.  8D45 EC    LEA EAX,DWORD PTR SS:[EBP-14]
00454EBD  |.  8B55 F4    MOV EDX,DWORD PTR SS:[EBP-C]
00454EC0  |.  E8 A7F1FAFF CALL Registra.0040406C
00454EC5  |.  8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10]
00454EC8  |.  E8 C7F3FAFF CALL Registra.00404294
00454ECD  |.  8BF0       MOV ESI,EAX
00454ECF  |.  D1FE       SAR ESI,1
00454ED1  |.  79 03       JNS SHORT Registra.00454ED6
00454ED3  |.  83D6 00    ADC ESI,0
00454ED6  |>  83FE 01    CMP ESI,1
00454ED9  |.  0F8C 5C010000 JL Registra.0045503B
00454EDF  |>  8B45 F0    /MOV EAX,DWORD PTR SS:[EBP-10]
00454EE2  |.  E8 ADF3FAFF |CALL Registra.00404294
00454EE7  |.  D1F8       |SAR EAX,1
00454EE9  |.  79 03       |JNS SHORT Registra.00454EEE
00454EEB  |.  83D0 00    |ADC EAX,0
00454EEE  |>  3BF0       |CMP ESI,EAX
00454EF0  |.  74 0B       |JE SHORT Registra.00454EFD
00454EF2  |.  8D45 EC    |LEA EAX,DWORD PTR SS:[EBP-14]
00454EF5  |.  8B55 E8    |MOV EDX,DWORD PTR SS:[EBP-18]
00454EF8  |.  E8 6FF1FAFF |CALL Registra.0040406C
00454EFD  |>  8D45 E8    |LEA EAX,DWORD PTR SS:[EBP-18]
00454F00  |.  E8 CFF0FAFF |CALL Registra.00403FD4
00454F05  |.  8B45 EC    |MOV EAX,DWORD PTR SS:[EBP-14]
00454F08  |.  E8 87F3FAFF |CALL Registra.00404294
00454F0D  |.  8BF8       |MOV EDI,EAX
00454F0F  |.  D1FF       |SAR EDI,1
00454F11  |.  79 03       |JNS SHORT Registra.00454F16
00454F13  |.  83D7 00    |ADC EDI,0
00454F16  |>  85FF       |TEST EDI,EDI
00454F18  |.  0F8E 14010000 |JLE Registra.00455032
00454F1E  |.  BB 01000000 |MOV EBX,1
00454F23  |>  BA 9C504500 |/MOV EDX,Registra.0045509C
00454F28  |.  8D45 DC    ||LEA EAX,DWORD PTR SS:[EBP-24]
00454F2B  |.  E8 54DCFAFF ||CALL Registra.00402B84
00454F30  |.  8D45 D8    ||LEA EAX,DWORD PTR SS:[EBP-28]
00454F33  |.  8BD3       ||MOV EDX,EBX
00454F35  |.  03D2       ||ADD EDX,EDX
00454F37  |.  8B4D EC    ||MOV ECX,DWORD PTR SS:[EBP-14]
00454F3A  |.  8A5411 FE    ||MOV DL,BYTE PTR DS:[ECX+EDX-2]
00454F3E  |.  8850 01    ||MOV BYTE PTR DS:[EAX+1],DL
00454F41  |.  C600 01    ||MOV BYTE PTR DS:[EAX],1
00454F44  |.  8D55 D8    ||LEA EDX,DWORD PTR SS:[EBP-28]
00454F47  |.  8D45 DC    ||LEA EAX,DWORD PTR SS:[EBP-24]

///////////中间省略很多//////////////////

00455245  |.  B9 90524500 MOV ECX,Registra.00455290             ;  diskid////显示硬盘序列号
0045524A  |.  BA A0524500 MOV EDX,Registra.004552A0             ;  userpass/////显示注册密码
0045524F  |.  A1 008C4500 MOV EAX,DWORD PTR DS:[458C00]
00455254  |.  8B30       MOV ESI,DWORD PTR DS:[EAX]
00455256  |.  FF16       CALL DWORD PTR DS:[ESI]
00455258  |.  8B55 FC    MOV EDX,DWORD PTR SS:[EBP-4]
0045525B  |.  8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
00455261  |.  E8 86EBFDFF CALL Registra.00433DEC
00455266  |.  33C0       XOR EAX,EAX
00455268  |.  5A          POP EDX
00455269  |.  59          POP ECX
0045526A  |.  59          POP ECX
0045526B  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
0045526E  |.  68 83524500 PUSH Registra.00455283
00455273  |>  8D45 FC    LEA EAX,DWORD PTR SS:[EBP-4]
00455276  |.  E8 59EDFAFF CALL Registra.00403FD4
0045527B  \.  C3          RETN
0045527C .^ E9 57E7FAFF JMP Registra.004039D8
00455281 .^ EB F0       JMP SHORT Registra.00455273
00455283 .  5E          POP ESI
00455284 .  5B          POP EBX
00455285 .  59          POP ECX
00455286 .  5D          POP EBP
00455287 .  C3          RETN
00455288 .  FFFFFFFF    DD FFFFFFFF
0045528C .  06000000    DD 00000006
00455290 .  64 69 73 6B 6>ASCII "diskid",0
00455297    00          DB 00
00455298 .  FFFFFFFF    DD FFFFFFFF
0045529C .  08000000    DD 00000008
004552A0 .  75 73 65 72 7>ASCII "userpass",0
004552A9    00          DB 00
004552AA    00          DB 00
004552AB    00          DB 00
004552AC  /.  55          PUSH EBP
004552AD  |.  8BEC       MOV EBP,ESP
004552AF  |.  33C9       XOR ECX,ECX
004552B1  |.  51          PUSH ECX
004552B2  |.  51          PUSH ECX
004552B3  |.  51          PUSH ECX
004552B4  |.  51          PUSH ECX
004552B5  |.  51          PUSH ECX
004552B6  |.  51          PUSH ECX
004552B7  |.  53          PUSH EBX
004552B8  |.  8BD8       MOV EBX,EAX
004552BA  |.  33C0       XOR EAX,EAX
004552BC  |.  55          PUSH EBP
004552BD  |.  68 B1534500 PUSH Registra.004553B1//////后面开始算法（我不明白）
004552C2  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
004552C5  |.  64:8920    MOV DWORD PTR FS:[EAX],ESP
004552C8  |.  8D55 FC    LEA EDX,DWORD PTR SS:[EBP-4]
004552CB  |.  8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004552D1  |.  E8 E6EAFDFF CALL Registra.00433DBC
004552D6  |.  837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004552DA    0F84 95000000 JE Registra.00455375
004552E0  |.  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
004552E3  |.  BA 048C4500 MOV EDX,Registra.00458C04
004552E8  |.  B9 20000000 MOV ECX,20
004552ED  |.  E8 52EFFAFF CALL Registra.00404244
004552F2  |.  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
004552F5  |.  8D55 F8    LEA EDX,DWORD PTR SS:[EBP-8]
004552F8  |.  E8 9B2AFBFF CALL Registra.00407D98
004552FD  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
00455300  |.  50          PUSH EAX
00455301  |.  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
00455304  |.  50          PUSH EAX
00455305  |.  8D55 EC    LEA EDX,DWORD PTR SS:[EBP-14]
00455308  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0045530E  |.  E8 A9EAFDFF CALL Registra.00433DBC
00455313  |.  8B55 EC    MOV EDX,DWORD PTR SS:[EBP-14]
00455316  |.  B9 C8534500 MOV ECX,Registra.004553C8             ;  bin
0045531B  |.  8BC3       MOV EAX,EBX
0045531D  |.  E8 1AFBFFFF CALL Registra.00454E3C
00455322  |.  8B55 F0    MOV EDX,DWORD PTR SS:[EBP-10]
00455325  |.  58          POP EAX
00455326  |.  E8 B5F0FAFF CALL Registra.004043E0/////关键CALL
0045532B    75 3E       JNZ SHORT Registra.0045536B//////关键跳转，不相等就跳往失败（后面）
0045532D  |.  8D55 E8    LEA EDX,DWORD PTR SS:[EBP-18]
00455330  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00455336  |.  E8 81EAFDFF CALL Registra.00433DBC
0045533B  |.  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
0045533E  |.  50          PUSH EAX
0045533F  |.  B9 D4534500 MOV ECX,Registra.004553D4             ;  sn
00455344  |.  BA E0534500 MOV EDX,Registra.004553E0             ;  userpass
00455349  |.  A1 008C4500 MOV EAX,DWORD PTR DS:[458C00]
0045534E  |.  8B18       MOV EBX,DWORD PTR DS:[EAX]
00455350  |.  FF53 04    CALL DWORD PTR DS:[EBX+4]
00455353  |.  B8 F4534500 MOV EAX,Registra.004553F4             ;  恭喜您获得正式版用户，您将得到所有的功能以及今后的免费升级！\n您将体验正式版的所有功能！
00455358  |.  E8 D323FDFF CALL Registra.00427730
0045535D  |.  A1 E8704500 MOV EAX,DWORD PTR DS:[4570E8]
00455362  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00455364  |.  E8 97E2FFFF CALL Registra.00453600
00455369  |.  EB 0A       JMP SHORT Registra.00455375
0045536B  |>  B8 54544500 MOV EAX,Registra.00455454             ;  注册码不正确！
00455370  |.  E8 BB23FDFF CALL Registra.00427730
00455375  |>  A1 E8704500 MOV EAX,DWORD PTR DS:[4570E8]
0045537A  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0045537C  |.  E8 7FE2FFFF CALL Registra.00453600

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持

最新回复 (3)
软件医生雪币： 191 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 85 粉丝 0 关注私信	软件医生 2 楼 0045532B 75 3E JNZ，修改75不成功修改这里虽然不出现错误了，但是还是有问题最好有算法分析 2006-6-23 12:06 0
steak 雪币： 243 活跃值： (274) 能力值： ( LV6，RANK：90 ) 在线值：发帖 13 回帖 113 粉丝 14 关注私信	steak 2 3 楼你都知道关键CALL了怎么不进去看看.这是外层吧. 2006-6-23 12:13 0
软件医生雪币： 191 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 85 粉丝 0 关注私信	软件医生 4 楼有意思，这个软件还真的有点难度 2006-6-23 13:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

软件医生

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
软件医生雪币： 191 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 85 粉丝 0 关注私信	软件医生 2 楼 0045532B 75 3E JNZ，修改75不成功修改这里虽然不出现错误了，但是还是有问题最好有算法分析 2006-6-23 12:06 0
steak 雪币： 243 活跃值： (274) 能力值： ( LV6，RANK：90 ) 在线值：发帖 13 回帖 113 粉丝 14 关注私信	steak 2 3 楼你都知道关键CALL了怎么不进去看看.这是外层吧. 2006-6-23 12:13 0
软件医生雪币： 191 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 85 粉丝 0 关注私信	软件医生 4 楼有意思，这个软件还真的有点难度 2006-6-23 13:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复