【Title】: Debut write-up: analysis of CCProxy 6.3.9
【Author】: atomy
【Software】: CCProxy 6.3.9
【Download】: http://www.ccproxy.com/download/ccproxysetup.exe
【Tools】: PEiD, OllyDbg, W32Dasm
【Description】: proxy server
【Author's note】: Done purely out of interest, for no other purpose. Please correct any mistakes!
--------------------------------------------------------------------------------
【Detailed process】
This is my first attempt at learning cracking and there is a lot I don't understand. This analysis follows articles that veteran members posted on the forum earlier.
It is also the first time I have written this kind of article, so please bear with me. Without further ado, on to the topic.
On getting the software, I found it is a multi-language build. The unregistered version is limited to three clients. Run the software, click Register, enter 88888888,
click the "Register" button, and "Sorry. Registration Failed!" pops up.
Then look at the ChineseGB.ini file under the software's Language folder; it shows the string that the failure text corresponds to:
Congratulations. You have registered successfully!=祝贺您,注册成功!
Sorry. Registration Failed!=对不起,注册失败!
Checking with PEiD: no packer, written in Microsoft Visual C++ 6.0.
Following the veterans' method, open the program in W32Dasm and search for the string "registered successfully"; there is one hit.
Note its address: 00418001.
Load the program in OllyDbg, set a breakpoint at the entry of the function containing that address, run it, click Register, enter 88888888 and click "Register"; the program breaks:
00417DC0 . 6A FF push -1 ; breaks here
00417DC2 . 68 56914700 push 00479156 ; SE handler installation
00417DC7 . 64:A1 0000000>mov eax, fs:[0]
00417DCD . 50 push eax
00417DCE . 64:8925 00000>mov fs:[0], esp
00417DD5 . 81EC 10080000 sub esp, 810
00417DDB . 53 push ebx
00417DDC . 55 push ebp
00417DDD . 56 push esi
00417DDE . 57 push edi
00417DDF . 8BF1 mov esi, ecx
00417DE1 . 6A 01 push 1
00417DE3 . E8 0D4A0500 call 0046C7F5
00417DE8 . 8B86 1C010000 mov eax, [esi+11C] ; get the registration code into eax
00417DEE . 8B1D 4CC34700 mov ebx, [<&KERNEL32.WritePrivatePro>; kernel32.WritePrivateProfileStringA
00417DF4 . 8DBE 1C010000 lea edi, [esi+11C]
00417DFA . 68 B83E4900 push 00493EB8 ; /FileName = ""
00417DFF . 50 push eax ; |String
00417E00 . 68 28E54800 push 0048E528 ; |Key = "RegCode"
00417E05 . 68 8CD14800 push 0048D18C ; |Section = "System"
00417E0A . FFD3 call ebx ; \write the registration info to the config file
00417E0C . 8B86 24010000 mov eax, [esi+124]
00417E12 . 8DAE 24010000 lea ebp, [esi+124]
00417E18 . 68 B83E4900 push 00493EB8 ; /FileName = ""
00417E1D . 50 push eax ; |String
00417E1E . 68 2CD44800 push 0048D42C ; |Key = "UserName"
00417E23 . 68 8CD14800 push 0048D18C ; |Section = "System"
00417E28 . FFD3 call ebx ; \write the serial number to the config file
00417E2A . 8BCE mov ecx, esi
00417E2C . E8 E8550500 call 0046D419
00417E31 . E8 3A7E0200 call 0043FC70 ; key CALL, step into it
00417E36 . 8BCE mov ecx, esi
00417E38 . E8 F1550500 call 0046D42E
00417E3D . A1 3C1A4900 mov eax, [491A3C]
00417E42 . 894424 14 mov [esp+14], eax
00417E46 . 8B0D C03F4900 mov ecx, [493FC0]
00417E4C . C78424 280800>mov dword ptr [esp+828], 0
00417E57 . F7D9 neg ecx
00417E59 . 1BC9 sbb ecx, ecx
00417E5B . 83E1 05 and ecx, 5
00417E5E . 51 push ecx
00417E5F . 68 A3040000 push 4A3
00417E64 . 8BCE mov ecx, esi
00417E66 . E8 0E580500 call 0046D679
00417E6B . 8BC8 mov ecx, eax
00417E6D . E8 F8590500 call 0046D86A
00417E72 . 8B15 C03F4900 mov edx, [493FC0]
00417E78 . 8BCE mov ecx, esi
00417E7A . F7DA neg edx
00417E7C . 1BD2 sbb edx, edx
00417E7E . 83E2 FB and edx, FFFFFFFB
00417E81 . 83C2 05 add edx, 5
00417E84 . 52 push edx
00417E85 . 68 A1040000 push 4A1
00417E8A . E8 EA570500 call 0046D679
00417E8F . 8BC8 mov ecx, eax
00417E91 . E8 D4590500 call 0046D86A
00417E96 . A1 C03F4900 mov eax, [493FC0]
00417E9B . 8BCE mov ecx, esi
00417E9D . F7D8 neg eax
00417E9F . 1BC0 sbb eax, eax
00417EA1 . 24 FB and al, 0FB
00417EA3 . 83C0 05 add eax, 5
00417EA6 . 50 push eax
00417EA7 . 68 2D040000 push 42D
00417EAC . E8 C8570500 call 0046D679
00417EB1 . 8BC8 mov ecx, eax
00417EB3 . E8 B2590500 call 0046D86A
00417EB8 . 6A 00 push 0
00417EBA . 68 A2040000 push 4A2
00417EBF . 8BCE mov ecx, esi
00417EC1 . E8 B3570500 call 0046D679
00417EC6 . 8BC8 mov ecx, eax
00417EC8 . E8 9D590500 call 0046D86A
00417ECD . 6A 00 push 0
00417ECF . 68 2E040000 push 42E
00417ED4 . 8BCE mov ecx, esi
00417ED6 . E8 9E570500 call 0046D679
00417EDB . 8BC8 mov ecx, eax
00417EDD . E8 88590500 call 0046D86A
00417EE2 . 8B0D C03F4900 mov ecx, [493FC0]
00417EE8 . F7D9 neg ecx
00417EEA . 1BC9 sbb ecx, ecx
00417EEC . 83E1 FB and ecx, FFFFFFFB
00417EEF . 83C1 05 add ecx, 5
00417EF2 . 51 push ecx
00417EF3 . 68 CA000000 push 0CA
00417EF8 . 8BCE mov ecx, esi
00417EFA . E8 7A570500 call 0046D679
00417EFF . 8BC8 mov ecx, eax
00417F01 . E8 64590500 call 0046D86A
00417F06 . 8B15 C03F4900 mov edx, [493FC0]
00417F0C . 8BCE mov ecx, esi
00417F0E . F7DA neg edx
00417F10 . 1BD2 sbb edx, edx
00417F12 . 83E2 FB and edx, FFFFFFFB
00417F15 . 83C2 05 add edx, 5
00417F18 . 52 push edx
00417F19 . 68 CB000000 push 0CB
00417F1E . E8 56570500 call 0046D679
00417F23 . 8BC8 mov ecx, eax
00417F25 . E8 40590500 call 0046D86A
00417F2A . A1 C03F4900 mov eax, [493FC0]
00417F2F . 85C0 test eax, eax
00417F31 . 75 54 jnz short 00417F87
00417F33 . 8D4424 10 lea eax, [esp+10]
00417F37 . 6A 04 push 4 ; /BufSize = 4
00417F39 . 50 push eax ; |Buffer
00417F3A . 6A 03 push 3 ; |InfoType = 3
00417F3C . 68 00080000 push 800 ; |LocaleId = 800
00417F41 . FF15 14C34700 call [<&KERNEL32.GetLocaleInfoA>] ; \GetLocaleInfoA
00417F47 . 8D4C24 10 lea ecx, [esp+10]
00417F4B . 68 A0E44800 push 0048E4A0 ; ASCII "CHS"
00417F50 . 51 push ecx
00417F51 . E8 3A450400 call 0045C490
00417F56 . 83C4 08 add esp, 8
00417F59 . 85C0 test eax, eax
00417F5B . 74 2A je short 00417F87
00417F5D . 6A 05 push 5
00417F5F . 68 A2040000 push 4A2
00417F64 . 8BCE mov ecx, esi
00417F66 . E8 0E570500 call 0046D679
00417F6B . 8BC8 mov ecx, eax
00417F6D . E8 F8580500 call 0046D86A
00417F72 . 6A 05 push 5
00417F74 . 68 2E040000 push 42E
00417F79 . 8BCE mov ecx, esi
00417F7B . E8 F9560500 call 0046D679
00417F80 . 8BC8 mov ecx, eax
00417F82 . E8 E3580500 call 0046D86A
00417F87 > 8B1D 5CC34700 mov ebx, [<&KERNEL32.GetPrivateProfi>; kernel32.GetPrivateProfileStringA
00417F8D . 68 B83E4900 push 00493EB8 ; /IniFileName = ""
00417F92 . 8D5424 1C lea edx, [esp+1C] ; |
00417F96 . 68 00040000 push 400 ; |BufSize = 400 (1024.)
00417F9B . 52 push edx ; |ReturnBuffer
00417F9C . 68 C03A4900 push 00493AC0 ; |Default = ""
00417FA1 . 68 28E54800 push 0048E528 ; |Key = "RegCode"
00417FA6 . 68 8CD14800 push 0048D18C ; |Section = "System"
00417FAB . FFD3 call ebx ; \GetPrivateProfileStringA
00417FAD . 68 B83E4900 push 00493EB8 ; /IniFileName = ""
00417FB2 . 8D8424 200400>lea eax, [esp+420] ; |
00417FB9 . 68 00040000 push 400 ; |BufSize = 400 (1024.)
00417FBE . 50 push eax ; |ReturnBuffer
00417FBF . 68 C03A4900 push 00493AC0 ; |Default = ""
00417FC4 . 68 2CD44800 push 0048D42C ; |Key = "UserName"
00417FC9 . 68 8CD14800 push 0048D18C ; |Section = "System"
00417FCE . FFD3 call ebx ; \GetPrivateProfileStringA
00417FD0 . 8D4C24 18 lea ecx, [esp+18]
00417FD4 . 51 push ecx
00417FD5 . 8BCF mov ecx, edi
00417FD7 . E8 FF5D0500 call 0046DDDB
00417FDC . 8D9424 1C0400>lea edx, [esp+41C]
00417FE3 . 8BCD mov ecx, ebp
00417FE5 . 52 push edx
00417FE6 . E8 F05D0500 call 0046DDDB
00417FEB . 6A 00 push 0
00417FED . 8BCE mov ecx, esi
00417FEF . E8 01480500 call 0046C7F5
00417FF4 . A1 C03F4900 mov eax, [493FC0]
00417FF9 . 5F pop edi
00417FFA . 5E pop esi
00417FFB . 5D pop ebp
00417FFC . 85C0 test eax, eax
00417FFE . 5B pop ebx
00417FFF . 74 40 je short 00418041
00418001 . 8D4424 00 lea eax, [esp] ; registration succeeded
00418005 . 6A 7D push 7D
00418007 . 50 push eax
00418008 . E8 C3A5FEFF call 004025D0
0041800D . 83C4 08 add esp, 8
00418010 . 50 push eax
00418011 . 8D4C24 08 lea ecx, [esp+8]
00418015 . C68424 1C0800>mov byte ptr [esp+81C], 1
0041801D . E8 695D0500 call 0046DD8B
00418022 . 8D4C24 00 lea ecx, [esp]
00418026 . C68424 180800>mov byte ptr [esp+818], 0
0041802E . E8 1F5C0500 call 0046DC52
00418033 . 8B4C24 04 mov ecx, [esp+4]
00418037 . 6A 00 push 0 ; /Arg3 = 00000000
00418039 . 6A 40 push 40 ; |Arg2 = 00000040
0041803B . 51 push ecx ; |Arg1
0041803C . E8 959D0500 call 00471DD6 ; \CCProxy.00471DD6
00418041 > 8D4C24 04 lea ecx, [esp+4]
00418045 . C78424 180800>mov dword ptr [esp+818], -1
00418050 . E8 FD5B0500 call 0046DC52
00418055 . 8B8C24 100800>mov ecx, [esp+810]
0041805C . 64:890D 00000>mov fs:[0], ecx
00418063 . 81C4 1C080000 add esp, 81C
00418069 . C3 retn
Step into call 0043FC70 from 00417E31.
A long stretch of code at the start reads the registration code and serial number from the config file; after pressing F8 many times we reach the key part:
0043FCEA |. 51 push ecx
0043FCEB |. 68 BC094900 push 004909BC ; ASCII "%s\CCProxy.ini"
0043FCF0 |. 52 push edx
0043FCF1 |. E8 4D7A0100 call 00457743
0043FCF6 |. A0 C03A4900 mov al, [493AC0]
0043FCFB |. B9 FF000000 mov ecx, 0FF
0043FD00 |. 888424 C01F00>mov [esp+1FC0], al
0043FD07 |. 33C0 xor eax, eax
0043FD09 |. 8DBC24 C11F00>lea edi, [esp+1FC1]
0043FD10 |. 83C4 14 add esp, 14
0043FD13 |. F3:AB rep stos dword ptr es:[edi]
0043FD15 |. 8B1D 5CC34700 mov ebx, [<&KERNEL32.GetPrivateProfi>; kernel32.GetPrivateProfileStringA
0043FD1B |. 8D8C24 980200>lea ecx, [esp+298]
0043FD22 |. 51 push ecx ; /IniFileName
0043FD23 |. 8D9424 A80700>lea edx, [esp+7A8] ; |
0043FD2A |. 68 00040000 push 400 ; |BufSize = 400 (1024.)
0043FD2F |. 52 push edx ; |ReturnBuffer
0043FD30 |. 66:AB stos word ptr es:[edi] ; |
0043FD32 |. 68 C03A4900 push 00493AC0 ; |Default = ""
0043FD37 |. 68 28E54800 push 0048E528 ; |Key = "RegCode"
0043FD3C |. 68 8CD14800 push 0048D18C ; |Section = "System"
0043FD41 |. AA stos byte ptr es:[edi] ; |
0043FD42 |. FFD3 call ebx ; \GetPrivateProfileStringA
0043FD44 |. 8D8424 980200>lea eax, [esp+298]
0043FD4B |. 8D8C24 A00300>lea ecx, [esp+3A0]
0043FD52 |. 50 push eax ; /IniFileName
0043FD53 |. 68 00040000 push 400 ; |BufSize = 400 (1024.)
0043FD58 |. 51 push ecx ; |ReturnBuffer
0043FD59 |. 68 C03A4900 push 00493AC0 ; |Default = ""
0043FD5E |. 68 2CD44800 push 0048D42C ; |Key = "UserName"
0043FD63 |. 68 8CD14800 push 0048D18C ; |Section = "System"
0043FD68 |. FFD3 call ebx ; \GetPrivateProfileStringA
..................
00440030 |> \8D8424 A00300>lea eax, [esp+3A0]
00440037 |. 8D8C24 A40700>lea ecx, [esp+7A4]
0044003E |. 50 push eax ; push the registration code
0044003F |. 51 push ecx ; push the serial number
00440040 |. E8 BBE3FFFF call 0043E400 ; key call; you lose it if you do not step in
00440045 |. 83C4 08 add esp, 8
00440048 |. A3 C03F4900 mov [493FC0], eax ; store the registration flag in memory
0044004D |. 85C0 test eax, eax ; eax=1 registered, eax=0 not registered
0044004F 0F84 7B010000 je 004401D0 ; not registered, leave
00440055 |. 80BC24 A50300>cmp byte ptr [esp+3A5], 30
0044005D |. 0F85 6D010000 jnz 004401D0
Step into call 0043E400 from 00440040.
Here it turns out the registration code is 12 characters long, so restart the program and enter 888888888888 as the registration code.
0043E400 /$ 6A FF push -1
0043E402 |. 64:A1 0000000>mov eax, fs:[0]
0043E408 |. 68 8C9D4700 push 00479D8C
0043E40D |. 50 push eax
0043E40E |. B8 88290000 mov eax, 2988
0043E413 |. 64:8925 00000>mov fs:[0], esp
0043E41A |. E8 01940100 call 00457820
0043E41F |. A0 C03A4900 mov al, [493AC0]
0043E424 |. 53 push ebx
0043E425 |. 55 push ebp
0043E426 |. 56 push esi
0043E427 |. 57 push edi
0043E428 |. 884424 24 mov [esp+24], al
0043E42C |. B9 41000000 mov ecx, 41
0043E431 |. 33C0 xor eax, eax
0043E433 |. 8D7C24 25 lea edi, [esp+25]
0043E437 |. 68 05010000 push 105 ; /BufSize = 105 (261.)
0043E43C |. F3:AB rep stos dword ptr es:[edi] ; |
0043E43E |. 8D4C24 28 lea ecx, [esp+28] ; |
0043E442 |. 33F6 xor esi, esi ; |
0043E444 |. 51 push ecx ; |PathBuffer
0043E445 |. 56 push esi ; |hModule => NULL
0043E446 |. FF15 50C34700 call [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
0043E44C |. 8D5424 24 lea edx, [esp+24]
0043E450 |. 6A 5C push 5C
0043E452 |. 52 push edx
0043E453 |. E8 689B0100 call 00457FC0
0043E458 |. C600 00 mov byte ptr [eax], 0
0043E45B |. A0 C03A4900 mov al, [493AC0]
0043E460 |. 888424 B40100>mov [esp+1B4], al
0043E467 |. B9 41000000 mov ecx, 41
0043E46C |. 33C0 xor eax, eax
0043E46E |. 8DBC24 B50100>lea edi, [esp+1B5]
0043E475 |. F3:AB rep stos dword ptr es:[edi]
0043E477 |. 8D4C24 2C lea ecx, [esp+2C]
0043E47B |. 8D9424 B40100>lea edx, [esp+1B4]
0043E482 |. 51 push ecx
0043E483 |. 68 BC094900 push 004909BC ; ASCII "%s\CCProxy.ini"
0043E488 |. 52 push edx
0043E489 |. E8 B5920100 call 00457743
0043E48E |. 8B9C24 C02900>mov ebx, [esp+29C0]
0043E495 |. 83C9 FF or ecx, FFFFFFFF
0043E498 |. 8BFB mov edi, ebx ; put the registration code in the destination register EDI for the scan
0043E49A |. 33C0 xor eax, eax ; clear to 0
0043E49C |. 83C4 14 add esp, 14
0043E49F |. F2:AE repne scas byte ptr es:[edi] ; scan the registration code
0043E4A1 |. F7D1 not ecx
0043E4A3 |. 49 dec ecx ; ecx = length of the registration code
0043E4A4 0F84 61040000 je 0043E90B ; jump if empty
0043E4AA |. 8BFB mov edi, ebx ; put the registration code in the destination register EDI
0043E4AC |. 83C9 FF or ecx, FFFFFFFF
0043E4AF |. F2:AE repne scas byte ptr es:[edi]
0043E4B1 |. F7D1 not ecx
0043E4B3 |. 49 dec ecx
0043E4B4 |. 83F9 0C cmp ecx, 0C
0043E4B7 74 34 je short 0043E4ED ; jump if the registration code is 12 characters
0043E4B9 |. 8D4424 10 lea eax, [esp+10]
0043E4BD |. 6A 7E push 7E
0043E4BF |. 50 push eax
0043E4C0 |. E8 0B41FCFF call 004025D0
0043E4C5 |. 83C4 08 add esp, 8
0043E4C8 |. 8B00 mov eax, [eax]
0043E4CA |. 56 push esi ; /Arg3
0043E4CB |. 56 push esi ; |Arg2
0043E4CC |. 50 push eax ; |Arg1
0043E4CD |. 89B424 AC2900>mov [esp+29AC], esi ; |
0043E4D4 |. E8 FD380300 call 00471DD6 ; \CCProxy.00471DD6
0043E4D9 |. C78424 A02900>mov dword ptr [esp+29A0], -1
0043E4E4 |. 8D4C24 10 lea ecx, [esp+10]
0043E4E8 |. E9 19040000 jmp 0043E906
0043E4ED |> 8D4C24 18 lea ecx, [esp+18]
0043E4F1 |. 6A 04 push 4 ; /BufSize = 4
0043E4F3 |. 51 push ecx ; |Buffer
0043E4F4 |. 6A 03 push 3 ; |InfoType = 3
0043E4F6 |. 68 00080000 push 800 ; |LocaleId = 800
0043E4FB |. FF15 14C34700 call [<&KERNEL32.GetLocaleInfoA>] ; \get information about the specified locale
0043E501 |. 8D5424 18 lea edx, [esp+18] ; retrieved locale info (Chinese system?) into edx
0043E505 |. 68 A0E44800 push 0048E4A0 ; ASCII "CHS"
0043E50A |. 52 push edx
0043E50B |. E8 80DF0100 call 0045C490 ; probably compares whether this is a Chinese system
0043E510 |. 83C4 08 add esp, 8
0043E513 |. 85C0 test eax, eax
0043E515 |. 74 1E je short 0043E535 ; test whether eax is zero (jump for a Chinese system)
0043E517 |. 8B8424 A82900>mov eax, [esp+29A8]
0043E51E |. 68 AC094900 push 004909AC ; ASCII "888888888888"
0043E523 |. 53 push ebx
0043E524 |. 50 push eax
0043E525 |. E8 06040000 call 0043E930
0043E52A |. 83C4 0C add esp, 0C
0043E52D |. 3BC6 cmp eax, esi
0043E52F |. 0F85 D8030000 jnz 0043E90D
0043E535 |> 8A15 C03A4900 mov dl, [493AC0]
0043E53B |. B9 FF000000 mov ecx, 0FF
0043E540 |. 33C0 xor eax, eax
0043E542 |. 8DBC24 B50600>lea edi, [esp+6B5]
0043E549 |. 889424 B40600>mov [esp+6B4], dl
0043E550 |. 889424 B40A00>mov [esp+AB4], dl
0043E557 |. F3:AB rep stos dword ptr es:[edi]
0043E559 |. 66:AB stos word ptr es:[edi]
0043E55B |. AA stos byte ptr es:[edi]
0043E55C |. B9 FF000000 mov ecx, 0FF
0043E561 |. 33C0 xor eax, eax
0043E563 |. 8DBC24 B50A00>lea edi, [esp+AB5]
Tracing to this point, the code that follows is unrelated to registration, and there is a lot more of the same further on.
Press F8 through it to reach the code below.
A serial number shows up here as well, even though registering only asks for a single registration code. Later, while clicking around the registration dialog, I accidentally made the serial-number input box appear, heh; perhaps the author did this on purpose.
The author also verifies the registration code over the Internet; if the jump there is not taken, the registration is invalid.
0043E681 |. 8B8424 C82900>|mov eax, [esp+29C8] ; serial number
0043E688 |. 8D9424 D40600>|lea edx, [esp+6D4] ; feature code
0043E68F |. 52 |push edx
0043E690 |. 53 |push ebx ; registration code
0043E691 |. 50 |push eax
0043E692 |. E8 99020000 |call 0043E930 ; core computation function
0043E697 |. 8A0D C03A4900 |mov cl, [493AC0]
0043E69D |. 8BE8 |mov ebp, eax
0043E69F |. 888C24 E00200>|mov [esp+2E0], cl
0043E6A6 |. B9 FF000000 |mov ecx, 0FF
0043E6AB |. 33C0 |xor eax, eax
0043E6AD |. 8DBC24 E10200>|lea edi, [esp+2E1]
0043E6B4 |. F3:AB |rep stos dword ptr es:[edi]
0043E6B6 |. 66:AB |stos word ptr es:[edi]
0043E6B8 |. 8D9424 E00600>|lea edx, [esp+6E0]
0043E6BF |. AA |stos byte ptr es:[edi]
0043E6C0 |. 52 |push edx
0043E6C1 |. 8D8424 E40200>|lea eax, [esp+2E4]
0043E6C8 |. 53 |push ebx ; registration code
0043E6C9 |. 50 |push eax ; feature code
0043E6CA |. E8 61130000 |call 0043FA30 ; Internet verification function
0043E6CF |. 83C4 38 |add esp, 38
0043E6D2 |. 85C0 |test eax, eax
0043E6D4 74 5F je short 0043E735 ; jump if the network connection failed
0043E6D6 |. 8A8424 B40200>|mov al, [esp+2B4] ;
0043E6DD |. 85ED |test ebp, ebp ;
0043E6DF 0F85 EC000000 jnz 0043E7D1 ; key jump
0043E6E5 |. 3C 2D |cmp al, 2D
0043E6E7 75 27 jnz short 0043E710 ;
0043E6E9 |. 8D8C24 B50200>|lea ecx, [esp+2B5] ; invalid serial number
0043E6F0 |. 68 00040000 |push 400
0043E6F5 |. 8D9424 B80A00>|lea edx, [esp+AB8]
0043E6FC |. 51 |push ecx
0043E6FD |. 52 |push edx
0043E6FE |. E8 FD9B0100 |call 00458300
0043E703 |. 83C4 0C |add esp, 0C
0043E706 |. C68424 B30E00>|mov byte ptr [esp+EB3], 0
0043E70E |. EB 2D |jmp short 0043E73D
0043E710 |> 8D8424 B40600>|lea eax, [esp+6B4]
0043E717 |. 8D8C24 B40200>|lea ecx, [esp+2B4] ; invalid serial number
0043E71E |. 50 |push eax
0043E71F |. 53 |push ebx
0043E720 |. 51 |push ecx
0043E721 |. E8 0A020000 |call 0043E930
0043E726 |. 8BF8 |mov edi, eax
0043E728 |. 83C4 0C |add esp, 0C
0043E72B |. 85FF |test edi, edi
0043E72D |. 0F85 CF000000 |jnz 0043E802
0043E733 |. EB 08 |jmp short 0043E73D
0043E735 |> 85ED |test ebp, ebp
0043E737 |. 0F85 EC000000 |jnz 0043E829
0043E73D |> 8B4424 10 |mov eax, [esp+10]
0043E741 |. 8B4C24 14 |mov ecx, [esp+14]
0043E745 |. 40 |inc eax
0043E746 |. 83C6 10 |add esi, 10
0043E749 |. 3BC1 |cmp eax, ecx
0043E74B |. 894424 10 |mov [esp+10], eax
0043E74F |.^ 0F8C CEFEFFFF \jl 0043E623
0043E755 |> 8A8424 B40A00>mov al, [esp+AB4]
0043E75C |. 8D4C24 18 lea ecx, [esp+18]
0043E760 |. 84C0 test al, al
0043E762 |. 68 A0E44800 push 0048E4A0 ; ASCII "CHS"
0043E767 |. 51 push ecx
0043E768 |. 0F84 ED000000 je 0043E85B
0043E76E |. E8 1DDD0100 call 0045C490
0043E773 |. 83C4 08 add esp, 8
0043E776 |. 85C0 test eax, eax
0043E778 |. 6A 7E push 7E
0043E77A |. 0F84 B0000000 je 0043E830
0043E780 |. 8D5424 18 lea edx, [esp+18]
0043E784 |. 52 push edx
0043E785 |. E8 463EFCFF call 004025D0
0043E78A |. 8B30 mov esi, [eax]
0043E78C |. 8D4424 18 lea eax, [esp+18]
0043E790 |. 6A 7E push 7E
0043E792 |. 50 push eax
0043E793 |. C78424 B02900>mov dword ptr [esp+29B0], 1
0043E79E |. E8 2D3EFCFF call 004025D0
0043E7A3 |. 8B00 mov eax, [eax]
0043E7A5 |. 83C4 10 add esp, 10
0043E7A8 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E7AA |. 56 push esi ; |Title
0043E7AB |. 50 push eax ; |Text
0043E7AC |. 6A 00 push 0 ; |hOwner = NULL
0043E7AE |. FF15 00C54700 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0043E7B4 |. 8D4C24 10 lea ecx, [esp+10]
0043E7B8 |. E8 95F40200 call 0046DC52
0043E7BD |. C78424 A02900>mov dword ptr [esp+29A0], -1
0043E7C8 |. 8D4C24 14 lea ecx, [esp+14]
0043E7CC |. E9 35010000 jmp 0043E906
0043E7D1 |> 3C 2D cmp al, 2D
0043E7D3 75 54 jnz short 0043E829 ; if not taken, the serial number is invalid
0043E7D5 |. 8D5424 10 lea edx, [esp+10]
0043E7D9 |. 6A 7E push 7E
0043E7DB |. 52 push edx
0043E7DC |. E8 EF3DFCFF call 004025D0
0043E7E1 |. 8B00 mov eax, [eax]
0043E7E3 |. 83C4 08 add esp, 8
0043E7E6 |. 8D8C24 B50200>lea ecx, [esp+2B5]
0043E7ED |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E7EF |. 50 push eax ; |Title
0043E7F0 |. 51 push ecx ; |Text
0043E7F1 |. 6A 00 push 0 ; |hOwner = NULL
0043E7F3 |. FF15 00C54700 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0043E7F9 |. 8D4C24 10 lea ecx, [esp+10]
0043E7FD |. E9 04010000 jmp 0043E906
0043E802 |> 8D9424 AC0100>lea edx, [esp+1AC]
0043E809 |. 8D8424 B40200>lea eax, [esp+2B4]
0043E810 |. 52 push edx ; /FileName
0043E811 |. 50 push eax ; |String
0043E812 |. 68 28E54800 push 0048E528 ; |Key = "RegCode"
0043E817 |. 68 8CD14800 push 0048D18C ; |Section = "System"
0043E81C |. FF15 4CC34700 call [<&KERNEL32.WritePrivateProfileS>; \WritePrivateProfileStringA
0043E822 |. 8BC7 mov eax, edi
0043E824 |. E9 E4000000 jmp 0043E90D
0043E829 |> 8BC5 mov eax, ebp
0043E82B |. E9 DD000000 jmp 0043E90D
0043E830 |> 8D4C24 14 lea ecx, [esp+14]
0043E834 |. 51 push ecx
0043E835 |. E8 963DFCFF call 004025D0
0043E83A |. 8B10 mov edx, [eax]
0043E83C |. 83C4 08 add esp, 8
0043E83F |. 8D8424 B40A00>lea eax, [esp+AB4]
0043E846 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E848 |. 52 push edx ; |Title
0043E849 |. 50 push eax ; |Text
0043E84A |. 6A 00 push 0 ; |hOwner = NULL
0043E84C |. FF15 00C54700 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0043E852 |. 8D4C24 10 lea ecx, [esp+10]
0043E856 |. E9 AB000000 jmp 0043E906
0043E85B |> E8 30DC0100 call 0045C490
0043E860 |. 83C4 08 add esp, 8
0043E863 |. 85C0 test eax, eax
0043E865 |. 6A 7E push 7E
0043E867 75 51 jnz short 0043E8BA ;
0043E869 |. 8D5424 18 lea edx, [esp+18]
0043E86D |. 52 push edx
0043E86E |. E8 5D3DFCFF call 004025D0
0043E873 |. 8B30 mov esi, [eax]
0043E875 |. 8D4424 18 lea eax, [esp+18]
0043E879 |. 68 18094900 push 00490918
0043E87E |. 50 push eax
0043E87F |. C78424 B02900>mov dword ptr [esp+29B0], 2
0043E88A |. E8 C197FCFF call 00408050
0043E88F |. 8B00 mov eax, [eax]
0043E891 |. 83C4 10 add esp, 10
0043E894 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E896 |. 56 push esi ; |Title
0043E897 |. 50 push eax ; |Text
0043E898 |. 6A 00 push 0 ; |hOwner = NULL
0043E89A |. FF15 00C54700 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0043E8A0 |. 8D4C24 10 lea ecx, [esp+10]
0043E8A4 |. E8 A9F30200 call 0046DC52
0043E8A9 |. C78424 A02900>mov dword ptr [esp+29A0], -1
0043E8B4 |. 8D4C24 14 lea ecx, [esp+14]
0043E8B8 |. EB 4C jmp short 0043E906
0043E8BA |> 8D4C24 24 lea ecx, [esp+24]
0043E8BE |. 51 push ecx
0043E8BF |. E8 0C3DFCFF call 004025D0
0043E8C4 |. 8B30 mov esi, [eax]
0043E8C6 |. 8D5424 24 lea edx, [esp+24]
0043E8CA |. 6A 7E push 7E
0043E8CC |. 52 push edx
0043E8CD |. C78424 B02900>mov dword ptr [esp+29B0], 3
0043E8D8 |. E8 F33CFCFF call 004025D0
0043E8DD |. 8B00 mov eax, [eax]
0043E8DF |. 83C4 10 add esp, 10
0043E8E2 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E8E4 |. 56 push esi ; |Title
0043E8E5 |. 50 push eax ; |Text
0043E8E6 |. 6A 00 push 0 ; |hOwner = NULL
0043E8E8 |. FF15 00C54700 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0043E8EE |. 8D4C24 1C lea ecx, [esp+1C]
0043E8F2 |. E8 5BF30200 call 0046DC52
0043E8F7 |. C78424 A02900>mov dword ptr [esp+29A0], -1
0043E902 |. 8D4C24 20 lea ecx, [esp+20]
0043E906 |> E8 47F30200 call 0046DC52
0043E90B |> 33C0 xor eax, eax
0043E90D |> 8B8C24 982900>mov ecx, [esp+2998]
0043E914 |. 5F pop edi
0043E915 |. 5E pop esi
0043E916 |. 5D pop ebp
0043E917 |. 5B pop ebx
0043E918 |. 64:890D 00000>mov fs:[0], ecx
0043E91F |. 81C4 94290000 add esp, 2994
0043E925 C3 retn
Step into call 0043E930 from 0043E692: the core algorithm.
I can't analyse the algorithm itself; it is probably the same as in earlier versions: the registration code goes through two rounds of computation to produce the real registration code.
For now I only want to find out whether the registration code is compared in plaintext somewhere in memory.
0043E930 /$ B8 E4140000 mov eax, 14E4
0043E935 |. E8 E68E0100 call 00457820
0043E93A |. 53 push ebx
0043E93B |. 8B9C24 F01400>mov ebx, [esp+14F0]
0043E942 |. 55 push ebp
0043E943 |. 56 push esi
0043E944 |. 57 push edi
0043E945 |. 8BFB mov edi, ebx ; send the registration code to the destination register
0043E947 |. 83C9 FF or ecx, FFFFFFFF
0043E94A |. 33C0 xor eax, eax
0043E94C |. F2:AE repne scas byte ptr es:[edi]
0043E94E |. F7D1 not ecx
0043E950 |. 49 dec ecx ; compute the registration code length
0043E951 |. C74424 2C 012>mov dword ptr [esp+2C], 67452301 ; initialize the MD5 algorithm
0043E959 |. 8BE9 mov ebp, ecx ; put the registration code length in ebp
0043E95B |. C74424 30 89A>mov dword ptr [esp+30], EFCDAB89
0043E963 |. C1E9 1D shr ecx, 1D
0043E966 |. 8D04ED 000000>lea eax, [ebp*8]
0043E96D |. 83FD 40 cmp ebp, 40 ; compare the registration code length?
0043E970 |. C74424 34 FED>mov dword ptr [esp+34], 98BADCFE
0043E978 |. C74424 38 765>mov dword ptr [esp+38], 10325476
0043E980 |. 894424 3C mov [esp+3C], eax ;
0043E984 |. 894C24 40 mov [esp+40], ecx ;
0043E988 |. 72 39 jb short 0043E9C3 ; jump if less than 40
This is the algorithm, and it also looks different from the earlier version, which split the algorithm into separate functions;
this version does not, and keeps everything in one function.
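As an added example (not code from the write-up or from CCProxy), the following Python script automates the two static steps used in this analysis: it reads a Language INI to get the English message strings, searches a binary image for those strings and for the MD5 initial-state words (67452301, EFCDAB89, 98BADCFE, 10325476) that identified the hash function at 0043E951, and maps raw file offsets to virtual addresses through a PE section table. The sample image, section table and image base are constructed here; the function names, the `window` parameter and the SHA-1 fifth-word check (0xC3D2E1F0) are my additions, not anything taken from the page.

```python
import re
import struct

# Constructed sample of a Language\*.ini file, modelled on the two lines quoted
# in the write-up (English text on the left, translation on the right).
SAMPLE_LANGUAGE_INI = """\
Congratulations. You have registered successfully!=祝贺您,注册成功!
Sorry. Registration Failed!=对不起,注册失败!
"""

# MD5 initial state A, B, C, D: the four immediates written to [esp+2C..38]
# in the listing. SHA-1 reuses these four and adds a fifth word, so the
# fifth word is checked to avoid labelling SHA-1 code as MD5.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_FIFTH_WORD = 0xC3D2E1F0

# Constructed section table (VirtualAddress, SizeOfRawData, PointerToRawData)
# and image base, standing in for values read from a real PE header.
IMAGE_BASE = 0x400000
SAMPLE_SECTIONS = [(0x1000, 0x1000, 0x400), (0x2000, 0x2000, 0x1400)]


def parse_language_ini(text):
    """Return {english: translation} from 'english=translation' lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            table[key.strip()] = value.strip()
    return table


def find_ascii_strings(blob, needles):
    """Byte-search each English message; returns {needle: [file offsets]}."""
    hits = {}
    for needle in needles:
        pattern = re.escape(needle.encode("ascii", "ignore"))
        hits[needle] = [m.start() for m in re.finditer(pattern, blob)]
    return hits


def _dword_offsets(blob, word):
    """All file offsets where `word` appears as a little-endian dword."""
    return [m.start() for m in re.finditer(re.escape(struct.pack("<I", word)), blob)]


def find_hash_ivs(blob, window=128):
    """Report (offset, 'MD5' | 'SHA-1') wherever all four IV words occur within
    `window` bytes after the A word. Words are searched one at a time because
    the compiler emits them as separate immediates, as in the listing, rather
    than as one contiguous table."""
    positions = [_dword_offsets(blob, w) for w in MD5_IV]
    fifth = _dword_offsets(blob, SHA1_FIFTH_WORD)

    def in_window(offsets, start):
        return any(start < p <= start + window for p in offsets)

    found = []
    for start in positions[0]:
        if all(in_window(lst, start) for lst in positions[1:]):
            found.append((start, "SHA-1" if in_window(fifth, start) else "MD5"))
    return found


def offset_to_va(offset, image_base, sections):
    """Map a raw file offset to a virtual address via the section table;
    None if the offset lies outside every section's raw data."""
    for va, raw_size, raw_ptr in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + va + (offset - raw_ptr)
    return None


def build_sample_image():
    """Constructed stand-in for a binary image (not the real CCProxy file):
    one message string and one MD5 IV sequence at known offsets."""
    blob = bytearray(b"\x90" * 0x3000)
    msg = b"Sorry. Registration Failed!\x00"
    blob[0x2000:0x2000 + len(msg)] = msg
    code = b""
    for disp, word in zip((0x2C, 0x30, 0x34, 0x38), MD5_IV):
        # mov dword ptr [esp+disp], imm32, then two unrelated instructions
        # (mov ebp, ecx / shr ecx, 1D) between the immediates, as in the listing
        code += b"\xC7\x44\x24" + bytes([disp]) + struct.pack("<I", word)
        code += b"\x8B\xE9\xC1\xE9\x1D"
    blob[0x950:0x950 + len(code)] = code
    return bytes(blob)


def triage(blob, ini_text, image_base=IMAGE_BASE, sections=SAMPLE_SECTIONS):
    """Strings and hash IVs found in `blob`, reported as virtual addresses."""
    table = parse_language_ini(ini_text)
    strings = {msg: [offset_to_va(o, image_base, sections) for o in offs]
               for msg, offs in find_ascii_strings(blob, table).items()}
    ivs = [(offset_to_va(o, image_base, sections), kind)
           for o, kind in find_hash_ivs(blob)]
    return strings, ivs


if __name__ == "__main__":
    found_strings, found_ivs = triage(build_sample_image(), SAMPLE_LANGUAGE_INI)
    for msg, addrs in found_strings.items():
        print(f"{msg!r}: {[hex(a) for a in addrs]}")
    for addr, kind in found_ivs:
        print(f"{kind} initial state at {addr:#x}")
```

To run it against a real file, pass `open(path, "rb").read()` as `blob` and a section table read from the PE headers. Searching for each IV word separately and then clustering them is what lets the scan find the four `mov dword ptr [esp+..]` immediates at 0043E951 through 0043E978 even though other instructions sit between them.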
.................................................
0043ECB4 |. 8B8C24 930000>mov ecx, [esp+93]
0043ECBB |. 81E1 FF000000 and ecx, 0FF
0043ECC1 |. 51 push ecx
0043ECC2 |. 68 14D54800 push 0048D514 ; ASCII "%02x"
0043ECC7 |. 68 B0215300 push 005321B0 ; ASCII "77"
0043ECCC |. E8 728A0100 call 00457743
0043ECD1 |. 8A15 C03A4900 mov dl, [493AC0]
0043ECD7 |. B9 00040000 mov ecx, 400
0043ECDC |. 33C0 xor eax, eax
0043ECDE |. 8DBC24 FD0400>lea edi, [esp+4FD]
0043ECE5 |. 889424 FC0400>mov [esp+4FC], dl
0043ECEC |. 83C4 0C add esp, 0C
0043ECEF |. F3:AB rep stos dword ptr es:[edi]
0043ECF1 |. BF 90215300 mov edi, 00532190 ; ASCII "b96deb5effe36fdd64efffffd3ffdefb77"
0043ECF6 |. 83C9 FF or ecx, FFFFFFFF
0043ECF9 |. F2:AE repne scas byte ptr es:[edi]
0043ECFB |. F7D1 not ecx
0043ECFD |. 2BF9 sub edi, ecx
0043ECFF |. 8D9424 F00400>lea edx, [esp+4F0]
0043ED06 |. 8BC1 mov eax, ecx
0043ED08 |. 8BF7 mov esi, edi ; ESI points to the registration code
0043ED0A |. 8BFA mov edi, edx
0043ED0C |. 8BAC24 F81400>mov ebp, [esp+14F8]
0043ED13 |. C1E9 02 shr ecx, 2
0043ED16 |. F3:A5 rep movs dword ptr es:[edi], dword p>; copy the registration code into EDI
0043ED18 |. 8BC8 mov ecx, eax
0043ED1A |. 8D8424 F00400>lea eax, [esp+4F0]
0043ED21 |. 83E1 03 and ecx, 3
0043ED24 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; after this, it is the real registration code
0043ED26 |. 8BF5 mov esi, ebp ; fake registration code
0043ED28 |> 8A10 /mov dl, [eax] ; compare one character at a time
0043ED2A |. 8A1E |mov bl, [esi]
0043ED2C |. 8ACA |mov cl, dl
0043ED2E |. 3AD3 |cmp dl, bl
0043ED30 75 1E jnz short 0043ED50 ; mismatch, done for
0043ED32 |. 84C9 |test cl, cl
0043ED34 74 16 je short 0043ED4C ; finished comparing?
0043ED36 |. 8A50 01 |mov dl, [eax+1]
0043ED39 |. 8A5E 01 |mov bl, [esi+1]
0043ED3C |. 8ACA |mov cl, dl
0043ED3E |. 3AD3 |cmp dl, bl
0043ED40 75 0E jnz short 0043ED50 ; mismatch, done for
0043ED42 |. 83C0 02 |add eax, 2
0043ED45 |. 83C6 02 |add esi, 2
0043ED48 |. 84C9 |test cl, cl
0043ED4A |.^ 75 DC \jnz short 0043ED28
0043ED4C |> 33C0 xor eax, eax
0043ED4E |. EB 05 jmp short 0043ED55
0043ED50 |> 1BC0 sbb eax, eax
0043ED52 |. 83D8 FF sbb eax, -1
0043ED55 |> 85C0 test eax, eax
0043ED57 |. 0F85 95020000 jnz 0043EFF2 ; nonzero means mismatch, done for
0043ED5D |. 8B9C24 FC1400>mov ebx, [esp+14FC]
0043ED64 |. 83C9 FF or ecx, FFFFFFFF
0043ED67 |. 8BFB mov edi, ebx
0043ED69 |. F2:AE repne scas byte ptr es:[edi]
0043ED6B |. F7D1 not ecx
0043ED6D |. 49 dec ecx
0043ED6E |. 83F9 0C cmp ecx, 0C ; is the serial number 12 characters?
0043ED71 |. 74 10 je short 0043ED83 ; if not equal, dead end
0043ED73 |. 5F pop edi
0043ED74 |. 5E pop esi
0043ED75 |. 5D pop ebp
0043ED76 |. B8 03000000 mov eax, 3
0043ED7B |. 5B pop ebx
0043ED7C |. 81C4 E4140000 add esp, 14E4
0043ED82 |. C3 retn
Finally found the correct registration code. But further on the software also verifies over the Internet, and there are some verification algorithms in there too; interested readers can keep tracing.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting please credit the author and keep the article intact. Thanks!
2006年09月28日 10:23:42