ResScope,一个将比exeScope更强的软件资源分析工具,很不错的软件。
delphi程序,无壳无反调试无校验,我喜欢,:)。
通过字符串容易找到这里,很容易看到,读取注册表中的用户名和注册码,分别计算后进行再比较。
CODE:0051B6EB mov cl, 1
CODE:0051B6ED mov edx, offset aSoftwareRest_3 ; "SOFTWARE\\RESTOOLS\\ResScope"
CODE:0051B6F2 mov eax, [ebp+var_8]
CODE:0051B6F5 call @Registry@TRegistry@OpenKey$qqrx17System@AnsiStringo ; Registry::TRegistry::OpenKey(System::AnsiString,bool)
CODE:0051B6FA test al, al
CODE:0051B6FC jz loc_51B888
CODE:0051B702 lea eax, [ebp+var_C]
CODE:0051B705 call @System@@LStrClr$qqrr17System@AnsiString ; System::__linkproc__ LStrClr(System::AnsiString &)
CODE:0051B70A lea eax, [ebp+var_10]
CODE:0051B70D call @System@@LStrClr$qqrr17System@AnsiString ; System::__linkproc__ LStrClr(System::AnsiString &)
CODE:0051B712 mov edx, offset aReguser_2 ; "reguser"
CODE:0051B717 mov eax, [ebp+var_8]
CODE:0051B71A call @Registry@TRegistry@ValueExists$qqrx17System@AnsiString ; Registry::TRegistry::ValueExists(System::AnsiString)
CODE:0051B71F test al, al
CODE:0051B721 jz short loc_51B733
CODE:0051B723 lea ecx, [ebp+var_C]
CODE:0051B726 mov edx, offset aReguser_2 ; "reguser"
CODE:0051B72B mov eax, [ebp+var_8]
CODE:0051B72E call @TRegistry@ReadString$qqrx10AnsiString ; TRegistry::ReadString(AnsiString)
CODE:0051B733
CODE:0051B733 loc_51B733: ; CODE XREF: sub_51B6A0+81j
CODE:0051B733 mov edx, offset aRegcode_1 ; "regcode"
CODE:0051B738 mov eax, [ebp+var_8]
CODE:0051B73B call @Registry@TRegistry@ValueExists$qqrx17System@AnsiString ; Registry::TRegistry::ValueExists(System::AnsiString)
CODE:0051B740 test al, al
CODE:0051B742 jz short loc_51B754
CODE:0051B744 lea ecx, [ebp+var_10]
CODE:0051B747 mov edx, offset aRegcode_1 ; "regcode"
CODE:0051B74C mov eax, [ebp+var_8]
CODE:0051B74F call @TRegistry@ReadString$qqrx10AnsiString ; TRegistry::ReadString(AnsiString)
CODE:0051B754
CODE:0051B754 loc_51B754: ; CODE XREF: sub_51B6A0+A2j
CODE:0051B754 mov eax, [ebp+var_10]
CODE:0051B757 call @System@@LStrLen ; System::__linkproc__ LStrLen
CODE:0051B75C cmp eax, 30h
CODE:0051B75F jnz loc_51B888
CODE:0051B765 mov eax, [ebp+var_C]
CODE:0051B768 call @System@@LStrLen ; System::__linkproc__ LStrLen
CODE:0051B76D test eax, eax
CODE:0051B76F jle loc_51B888
CODE:0051B775 lea eax, [ebp+var_14] ; 保存返回值
CODE:0051B775 ; 指向18字节长PCHAR
CODE:0051B778 push eax
CODE:0051B779 mov cl, 1
CODE:0051B77B mov dl, 1
CODE:0051B77D mov eax, [ebp+var_C] ; "reguser"
CODE:0051B780 call sub_51A06C ; 处理用户名
CODE:0051B785 mov eax, [ebp+var_14] ; 处理用户名得到的18字节长的串,先入栈,待会好比较
CODE:0051B788 push eax
CODE:0051B789 lea ecx, [ebp+var_18] ; 保存返回值。。
CODE:0051B78C mov dl, 1
CODE:0051B78E mov eax, [ebp+var_10] ; "regcode"
CODE:0051B791 call sub_519298 ; 注册码变换函数
CODE:0051B796 mov edx, [ebp+var_18]
CODE:0051B799 pop eax
CODE:0051B79A call @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:0051B79F jnz short loc_51B7A5 ;
CODE:00525CBB mov eax, ds:off_525214 ; * Reference to class THexDumpPass
CODE:00525CC0 call sub_425EEC ; * Reference to: Classes.TComponent.Create(TComponent;boolean;TComponent);
CODE:00525CC5 mov ebx, eax
CODE:00525CC7 lea eax, [ebp+var_130]
CODE:00525CCD call sub_518E18 ; 用户名进行变换转为一串字符
CODE:00525CD2 mov edx, [ebp+var_130]
CODE:00525CD8 mov eax, ebx
CODE:00525CDA mov ecx, [eax]
CODE:00525CDC call dword ptr [ecx+18h] ; Classes::TComponent::SetName()
CODE:0051A0C3 mov edx, ds:dword_578440 ; 用户ID,类似"92F1L8EACT2FFNFF"一串字符。。。
CODE:0051A0C9 call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:0051A4A6 push offset unk_575B10 ; IVector,初始化向量
CODE:0051A4AB mov edx, offset byte_575B08 ; keyCAST..64位密钥
CODE:0051A4B0 lea eax, [ebp+var_F4_TCast128Data] ; 0012FAF8
CODE:0051A4B0 ; TCast128Data= record
CODE:0051A4B0 ; InitBlock: array[0..7] of byte; { initial IV }
CODE:0051A4B0 ; LastBlock: array[0..7] of byte; { current IV }
CODE:0051A4B0 ; xKey: array[0..31] of DWord;
CODE:0051A4B0 ; Rounds: integer;
CODE:0051A4B0 ; end;
CODE:0051A4B6 mov ecx, 8 ; sizeof(Key)
CODE:0051A4BB call Cast128Init ; 注意此处Cast128非调用DEC的函数,乃是独立的类。
; 注意其sbox乃是作者随机生成
CODE:0051A50E lea edx, [ebp+eax+var_48] ; 输入串,输出也保存再该地址
CODE:0051A512 lea eax, [ebp+var_F4_TCast128Data] ; 密钥初始化结果
CODE:0051A518 call Cast128EncryptCBC ; procedure Cast128EncryptCBC(var Data: TCast128Data; InData, OutData: pointer);
CODE:0051A518 ; { encrypts the data in a 64bit block using the CBC chaining mode }
CODE:0051A6FB mov edx, ds:off_4F31E0 ; Reference to class TCipher_3Way,这个可由DEDE反汇编代码中看到
CODE:0051A701 mov eax, [ebp+var_14]
CODE:0051A704 call @TCipherManager@@SetClass ; TCipherManager::__linkproc__ SetClass
CODE:0051A709 xor ecx, ecx
CODE:0051A70B mov edx, [ebp+var_18]
CODE:0051A70E mov eax, [ebp+var_14]
CODE:0051A711 call @TCipherManager@@InitKey ; procedure TCipherManager.InitKey(const Key: String; IVector: Pointer);
CODE:0051A716 push 18h ; 待Encode串长度
CODE:0051A718 lea ecx, [ebp+var_60] ; 返回串
CODE:0051A71B lea edx, [ebp+var_48] ; Source串,由Cast128而来
CODE:0051A71E mov eax, [ebp+var_14]
CODE:0051A721 call @TCipherManager@@EncodeBuffer ; procedure TCipherManager.EncodeBuffer
CODE:0051A721 ; (const Source; var Dest; DataSize: Integer);
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课