[Author]: tzl
[Author email]: tigerisme@126.com
[Software]: 图片吸血鬼 V1.30
[Size]: 966KB
[Download]: http://www.skycn.com/soft/17808.html
[Packer]: none
[Protection]: registration code, time limit
[Language]: Borland Delphi 6.0 - 7.0
[Tools]: OD (OllyDbg), PEiD
[Platform]: XP SP2
[Date]: 2006-09-30 10:03:02
Software introduction:
图片吸血鬼 is a shareware tool that downloads images from websites; it can fetch every image on a site. Features: 1. choose which image formats to download (e.g. jpg, gif or swf); 2. set the size of the images to download; 3. accurate searching that also finds the images on sub-pages.
Analysis:
This program has a usage-time limit, and after registering it must be restarted to verify the registration code. Loading it in OD, we observe that the registration name and the fake code entered the first time are not cleared but saved. We therefore start from that saved information: step one, run the program under OD until the registration window appears, register, and remember the name you used; step two, close the program, reload it, search for the string "未注册版 还剩 天" (unregistered version, N days left), then scroll up to the entry point of that routine and analyze it:
Registration name I used: tigerisme, trial code: 1234567890
0051D03C . 55 push ebp ; entry point, analysis starts here
0051D03D . 68 36D15100 push Down.0051D136
0051D042 . 64:FF30 push dword ptr fs:[eax]
0051D045 . 64:8920 mov dword ptr fs:[eax],esp
0051D048 . B2 01 mov dl,1
0051D04A . A1 28C14300 mov eax,dword ptr ds:[43C128]
0051D04F . E8 D4F1F1FF call Down.0043C228
0051D054 . 8945 F0 mov dword ptr ss:[ebp-10],eax
0051D057 . BA 02000080 mov edx,80000002
0051D05C . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D05F . E8 64F2F1FF call Down.0043C2C8
0051D064 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
0051D067 . BA 74D35100 mov edx,Down.0051D374 ; software\zy\pic
0051D06C . E8 B37AEEFF call Down.00404B24
0051D071 . B1 01 mov cl,1
0051D073 . 8B55 EC mov edx,dword ptr ss:[ebp-14]
0051D076 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D079 . E8 AEF2F1FF call Down.0043C32C
0051D07E . 84C0 test al,al
0051D080 . 0F84 92000000 je Down.0051D118
0051D086 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0051D089 . BA 8CD35100 mov edx,Down.0051D38C ; name
0051D08E . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D091 . E8 5EF4F1FF call Down.0043C4F4
0051D096 . 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; ebp-40 = registration name "tigerisme", moved to edx
0051D099 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; tigerisme=edx
0051D09C . 05 FC030000 add eax,3FC
0051D0A1 . E8 3A7AEEFF call Down.00404AE0
0051D0A6 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0051D0A9 . BA 9CD35100 mov edx,Down.0051D39C ; pass
0051D0AE . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D0B1 . E8 3EF4F1FF call Down.0043C4F4
0051D0B6 . 8B55 BC mov edx,dword ptr ss:[ebp-44] ; ebp-44 = trial code "1234567890", moved to edx
0051D0B9 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 1234567890=edx
0051D0BC . 05 00040000 add eax,400
0051D0C1 . E8 1A7AEEFF call Down.00404AE0
0051D0C6 . 33C0 xor eax,eax
0051D0C8 . 55 push ebp
0051D0C9 . 68 EFD05100 push Down.0051D0EF
0051D0CE . 64:FF30 push dword ptr fs:[eax]
0051D0D1 . 64:8920 mov dword ptr fs:[eax],esp
0051D0D4 . BA ACD35100 mov edx,Down.0051D3AC ; date
0051D0D9 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D0DC . E8 FBF4F1FF call Down.0043C5DC
0051D0E1 . DD5D E0 fstp qword ptr ss:[ebp-20]
0051D0E4 . 9B wait
0051D0E5 . 33C0 xor eax,eax
0051D0E7 . 5A pop edx
0051D0E8 . 59 pop ecx
0051D0E9 . 59 pop ecx
0051D0EA . 64:8910 mov dword ptr fs:[eax],edx
0051D0ED . EB 29 jmp short Down.0051D118
0051D0EF .^ E9 6470EEFF jmp Down.00404158
0051D0F4 . FF75 DC push dword ptr ss:[ebp-24] ; /Arg2
0051D0F7 . FF75 D8 push dword ptr ss:[ebp-28] ; |Arg1
0051D0FA . BA ACD35100 mov edx,Down.0051D3AC ; |date
0051D0FF . 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |
0051D102 . E8 C1F4F1FF call Down.0043C5C8 ; \Down.0043C5C8
0051D107 . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0051D10A . 8945 E0 mov dword ptr ss:[ebp-20],eax
0051D10D . 8B45 DC mov eax,dword ptr ss:[ebp-24]
0051D110 . 8945 E4 mov dword ptr ss:[ebp-1C],eax
0051D113 . E8 A873EEFF call Down.004044C0
0051D118 > 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D11B . E8 78F1F1FF call Down.0043C298
0051D120 . 33C0 xor eax,eax
0051D122 . 5A pop edx
0051D123 . 59 pop ecx
0051D124 . 59 pop ecx
0051D125 . 64:8910 mov dword ptr fs:[eax],edx
0051D128 . 68 3DD15100 push Down.0051D13D
0051D12D > 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051D130 . E8 436BEEFF call Down.00403C78
0051D135 . C3 retn
0051D136 .^ E9 D172EEFF jmp Down.0040440C
0051D13B .^ EB F0 jmp short Down.0051D12D
0051D13D . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0051D140 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D143 . 8B90 FC030000 mov edx,dword ptr ds:[eax+3FC] ; edx="tigerisme"
0051D149 . A1 44295200 mov eax,dword ptr ds:[522944]
0051D14E . 8B00 mov eax,dword ptr ds:[eax]
0051D150 . E8 3BDBFFFF call Down.0051AC90 ; the algorithm call, analyzed below
0051D155 . 8B55 B8 mov edx,dword ptr ss:[ebp-48] ; the registration code "Pic4-56D6ei8es-3796" appears, i.e. code = Pic4 + "-" + first four characters of codeB followed by ei8es + "-" + characters 5 to 8 of codeB
0051D158 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D15B . 8B80 00040000 mov eax,dword ptr ds:[eax+400]
0051D161 . E8 327DEEFF call Down.00404E98 ; compares the trial code with the real registration code ************************
0051D166 . 75 25 jnz short Down.0051D18D ; key jump, the legendary patch point :)
0051D168 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D16B . C680 F4030000>mov byte ptr ds:[eax+3F4],0
0051D172 . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0051D175 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D178 . E8 E7CAF4FF call Down.00469C64
0051D17D . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D180 . 8B80 68030000 mov eax,dword ptr ds:[eax+368]
0051D186 . 33D2 xor edx,edx
0051D188 . E8 ABEEF5FF call Down.0047C038
0051D18D > 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D190 . 80B8 F4030000>cmp byte ptr ds:[eax+3F4],0
0051D197 . 0F84 BE000000 je Down.0051D25B
0051D19D . DD45 D8 fld qword ptr ss:[ebp-28]
0051D1A0 . DC65 E0 fsub qword ptr ss:[ebp-20]
0051D1A3 . DD5D D0 fstp qword ptr ss:[ebp-30]
0051D1A6 . 9B wait
0051D1A7 . D905 B4D35100 fld dword ptr ds:[51D3B4]
0051D1AD . DC65 D0 fsub qword ptr ss:[ebp-30]
0051D1B0 . E8 0F5BEEFF call Down.00402CC4
0051D1B5 . 8BD8 mov ebx,eax
0051D1B7 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D1BA . 8998 04040000 mov dword ptr ds:[eax+404],ebx
0051D1C0 . 85DB test ebx,ebx
0051D1C2 . 7D 0B jge short Down.0051D1CF
0051D1C4 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D1C7 . 33D2 xor edx,edx
0051D1C9 . 8990 04040000 mov dword ptr ds:[eax+404],edx
0051D1CF > FF75 F4 push dword ptr ss:[ebp-C]
0051D1D2 . 68 C0D35100 push Down.0051D3C0 ; (未注册版 还剩
0051D1D7 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D1DA . DB80 04040000 fild dword ptr ds:[eax+404]
0051D1E0 . 83C4 F4 add esp,-0C
0051D1E3 . DB3C24 fstp tbyte ptr ss:[esp] ; |
0051D1E6 . 9B wait ; |
0051D1E7 . 8D45 B0 lea eax,dword ptr ss:[ebp-50] ; |
0051D1EA . E8 45DCEEFF call Down.0040AE34 ; \Down.0040AE34
0051D1EF . FF75 B0 push dword ptr ss:[ebp-50]
0051D1F2 . 68 DCD35100 push Down.0051D3DC ; 天)
0051D1F7 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0051D1FA . BA 04000000 mov edx,4
0051D1FF . E8 087CEEFF call Down.00404E0C
0051D204 . 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
0051D207 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0051D20A . E8 55CAF4FF call Down.00469C64
0051D20F . DD45 D0 fld qword ptr ss:[ebp-30]
0051D212 . D81D B4D35100 fcomp dword ptr ds:[51D3B4]
0051D218 . DFE0 fstsw ax
0051D21A . 9E sahf
………
………
………
0051D285 . E8 2678EEFF call Down.00404AB0
0051D28A . C3 retn
*********************************************************************************
Stepping into the algorithm call, we arrive here
0051AC90 /$ 55 push ebp
0051AC91 |. 8BEC mov ebp,esp
0051AC93 |. 51 push ecx
0051AC94 |. B9 04000000 mov ecx,4
0051AC99 |> 6A 00 /push 0
0051AC9B |. 6A 00 |push 0
0051AC9D |. 49 |dec ecx
0051AC9E |.^ 75 F9 \jnz short Down.0051AC99
0051ACA0 |. 51 push ecx
0051ACA1 |. 874D FC xchg dword ptr ss:[ebp-4],ecx
0051ACA4 |. 53 push ebx
0051ACA5 |. 56 push esi
0051ACA6 |. 57 push edi
0051ACA7 |. 8BF9 mov edi,ecx
0051ACA9 |. 8955 FC mov dword ptr ss:[ebp-4],edx ; ebp-4=tigerisme
0051ACAC |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax=tigerisme
0051ACAF |. E8 88A2EEFF call Down.00404F3C
0051ACB4 |. 33C0 xor eax,eax ; clear eax
0051ACB6 |. 55 push ebp
0051ACB7 |. 68 51AE5100 push Down.0051AE51
0051ACBC |. 64:FF30 push dword ptr fs:[eax]
0051ACBF |. 64:8920 mov dword ptr fs:[eax],esp
0051ACC2 |. 8BC7 mov eax,edi
0051ACC4 |. E8 C39DEEFF call Down.00404A8C
0051ACC9 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax=tigerisme
0051ACCC |. E8 7BA0EEFF call Down.00404D4C
0051ACD1 |. 8BF0 mov esi,eax ; length of the registration name, 9, into esi
0051ACD3 |. 85F6 test esi,esi
0051ACD5 |. 7E 26 jle short Down.0051ACFD
0051ACD7 |. BB 01000000 mov ebx,1
0051ACDC |> 8D4D EC /lea ecx,dword ptr ss:[ebp-14]
0051ACDF |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; tigerisme into eax
0051ACE2 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx>; the name is fed into eax one character at a time
0051ACE7 |. 33D2 |xor edx,edx
0051ACE9 |. E8 32EAEEFF |call Down.00409720 ; convert each character of the name to hex
0051ACEE |. 8B55 EC |mov edx,dword ptr ss:[ebp-14]
0051ACF1 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
0051ACF4 |. E8 5BA0EEFF |call Down.00404D54
0051ACF9 |. 43 |inc ebx
0051ACFA |. 4E |dec esi ; esi-1
0051ACFB |.^ 75 DF \jnz short Down.0051ACDC
0051ACFD |> 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; finally forms "746967657269736D65", call it codeA: the name converted character by character to the hex of its ASCII code
0051AD00 |. E8 47A0EEFF call Down.00404D4C
0051AD05 |. 8BF0 mov esi,eax ; eax=12 (hex), i.e. the length of codeA
0051AD07 |. 85F6 test esi,esi
0051AD09 |. 7E 2C jle short Down.0051AD37
0051AD0B |. BB 01000000 mov ebx,1
0051AD10 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8] ; codeA=ebp-8
0051AD13 |. E8 34A0EEFF |call Down.00404D4C ; eax = length of codeA
0051AD18 |. 2BC3 |sub eax,ebx ; eax=12 (hex), decremented each iteration
0051AD1A |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8] ; codeA into edx
0051AD1D |. 8A1402 |mov dl,byte ptr ds:[edx+eax] ; codeA fed into dl one character at a time, from the end backwards
0051AD20 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
0051AD23 |. E8 4C9FEEFF |call Down.00404C74
0051AD28 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
0051AD2B |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
0051AD2E |. E8 21A0EEFF |call Down.00404D54
0051AD33 |. 43 |inc ebx
0051AD34 |. 4E |dec esi ; esi-1
0051AD35 |.^ 75 D9 \jnz short Down.0051AD10
0051AD37 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0051AD3A |. 50 push eax
0051AD3B |. B9 04000000 mov ecx,4
0051AD40 |. BA 01000000 mov edx,1
0051AD45 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; ebp-c="56D637962756769647" appears, which is codeA reversed; call it codeB
0051AD48 |. E8 5FA2EEFF call Down.00404FAC
0051AD4D |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0051AD50 |. 50 push eax
0051AD51 |. B9 04000000 mov ecx,4
0051AD56 |. BA 05000000 mov edx,5
0051AD5B |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; codeB into eax
0051AD5E |. E8 49A2EEFF call Down.00404FAC
0051AD63 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; first 4 characters of codeB, i.e. 56D6, into eax
0051AD66 |. E8 E19FEEFF call Down.00404D4C
0051AD6B |. 83F8 04 cmp eax,4
0051AD6E |. 7D 2F jge short Down.0051AD9F
0051AD70 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0051AD73 |. E8 D49FEEFF call Down.00404D4C
0051AD78 |. 8BD8 mov ebx,eax
0051AD7A |. 83FB 03 cmp ebx,3
0051AD7D |. 7F 20 jg short Down.0051AD9F
0051AD7F |> 8D4D E4 /lea ecx,dword ptr ss:[ebp-1C]
0051AD82 |. 8BC3 |mov eax,ebx
0051AD84 |. C1E0 02 |shl eax,2
0051AD87 |. 33D2 |xor edx,edx
0051AD89 |. E8 92E9EEFF |call Down.00409720
0051AD8E |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
0051AD91 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
0051AD94 |. E8 BB9FEEFF |call Down.00404D54
0051AD99 |. 43 |inc ebx
0051AD9A |. 83FB 04 |cmp ebx,4
0051AD9D |.^ 75 E0 \jnz short Down.0051AD7F
0051AD9F |> 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; characters 5-8 of codeB, i.e. 3796, into eax
0051ADA2 |. E8 A59FEEFF call Down.00404D4C
0051ADA7 |. 83F8 04 cmp eax,4
0051ADAA |. 7D 2F jge short Down.0051ADDB
0051ADAC |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0051ADAF |. E8 989FEEFF call Down.00404D4C
0051ADB4 |. 8BD8 mov ebx,eax
0051ADB6 |. 83FB 03 cmp ebx,3
0051ADB9 |. 7F 20 jg short Down.0051ADDB
0051ADBB |> 8D4D E0 /lea ecx,dword ptr ss:[ebp-20]
0051ADBE |. 8BC3 |mov eax,ebx
0051ADC0 |. C1E0 02 |shl eax,2
0051ADC3 |. 33D2 |xor edx,edx
0051ADC5 |. E8 56E9EEFF |call Down.00409720
0051ADCA |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
0051ADCD |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
0051ADD0 |. E8 7F9FEEFF |call Down.00404D54
0051ADD5 |. 43 |inc ebx
0051ADD6 |. 83FB 04 |cmp ebx,4
0051ADD9 |.^ 75 E0 \jnz short Down.0051ADBB
0051ADDB |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0051ADDE |. BA 68AE5100 mov edx,Down.0051AE68 ; pic4ei8espr, a fixed value needed to compute the registration code
0051ADE3 |. E8 3C9DEEFF call Down.00404B24
0051ADE8 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
0051ADEB |. 50 push eax
0051ADEC |. B9 04000000 mov ecx,4
0051ADF1 |. BA 01000000 mov edx,1
0051ADF6 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0051ADF9 |. E8 AEA1EEFF call Down.00404FAC
0051ADFE |. FF75 DC push dword ptr ss:[ebp-24] ; Pic4=ebp-24, the first part of the registration code
0051AE01 |. 68 7CAE5100 push Down.0051AE7C ; -, the "-" separator is introduced
0051AE06 |. FF75 F8 push dword ptr ss:[ebp-8] ; ebp-8=56D6, combined with the fixed value to give the second part of the code
0051AE09 |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0051AE0C |. 50 push eax
0051AE0D |. B9 05000000 mov ecx,5
0051AE12 |. BA 05000000 mov edx,5
0051AE17 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; "Pic4ei8espr"=ebp-10
0051AE1A |. E8 8DA1EEFF call Down.00404FAC
0051AE1F |. FF75 D8 push dword ptr ss:[ebp-28] ; the "ei8es" part is extracted
0051AE22 |. 68 7CAE5100 push Down.0051AE7C ; -, the "-" separator is introduced
0051AE27 |. FF75 F4 push dword ptr ss:[ebp-C] ; ebp-c=3796, the third part of the registration code
0051AE2A |. 8BC7 mov eax,edi
0051AE2C |. BA 06000000 mov edx,6
0051AE31 |. E8 D69FEEFF call Down.00404E0C
0051AE36 |. 33C0 xor eax,eax
0051AE38 |. 5A pop edx
0051AE39 |. 59 pop ecx
0051AE3A |. 59 pop ecx
0051AE3B |. 64:8910 mov dword ptr fs:[eax],edx
0051AE3E |. 68 58AE5100 push Down.0051AE58
0051AE43 |> 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0051AE46 |. BA 0A000000 mov edx,0A
0051AE4B |. E8 609CEEFF call Down.00404AB0
0051AE50 \. C3 retn
0051AE51 .^ E9 B695EEFF jmp Down.0040440C
0051AE56 .^ EB EB jmp short Down.0051AE43
0051AE58 . 5F pop edi
0051AE59 . 5E pop esi
0051AE5A . 5B pop ebx
0051AE5B . 8BE5 mov esp,ebp
0051AE5D . 5D pop ebp
0051AE5E . C3 retn
*******************************************************************************
Algorithm summary:
We used the fact that the program saves the registration information after the first attempt, and followed that saved data to find the registration code;
The registration code depends only on the registration name and the fixed value "Pic4ei8espr": code = Pic4 + "-" + first four characters of codeB followed by ei8es + "-" + characters 5 to 8 of codeB;
codeB is obtained by converting the registration name character by character to the hex of its ASCII code and reversing the result; for my name tigerisme the per-character hex conversion gives 746967657269736D65, and reversing it gives 56D637962756769647, which is codeB;
Note: this article is for study only; it records some cracking experience and ideas and is purely my personal study of the program, with no other purpose.
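As an added example (not the author's code, and not part of the program), the string transform traced above reproduced in Python so the intermediate values from the listing can be checked: per-character IntToHex (call 00409720), reversal (the loop at 0051AD10), the two Copy slices (call 00404FAC) and the final concatenation (call 00404E0C). The function names are mine; the padding branch at 0051AD6B-0051AD9D, which only matters for names so short that a slice has fewer than 4 characters, is my reading of the listing and is not exercised by the author's example.

```python
# Added example: reproduces the serial derivation traced in the listing above.
# Helper names are mine; the Delphi routines they mirror are noted in comments.

FIXED = "Pic4ei8espr"  # constant at 0051AE68 (the listing shows it as pic4ei8espr/Pic4ei8espr)


def code_a(name: str) -> str:
    """codeA: each byte of the name -> IntToHex(byte, 0), i.e. uppercase hex,
    no zero padding, concatenated (loop at 0051ACDC, LStrCat at 00404D54)."""
    return "".join(f"{b:X}" for b in name.encode("latin-1"))


def code_b(name: str) -> str:
    """codeB: codeA read from the last character to the first (loop at 0051AD10)."""
    return code_a(name)[::-1]


def _pad_to_four(part: str) -> str:
    """Inferred from 0051AD6B-0051AD9D: if a Copy() slice has fewer than 4
    characters, IntToHex(i*4, 0) is appended for i = len(part) .. 3.
    Not reached for the page's 9-character name (codeB has 18 characters)."""
    for i in range(len(part), 4):
        part += f"{i * 4:X}"
    return part


def serial_parts(name: str) -> tuple:
    """The four pieces joined at 0051AE2A (LStrCatN with 6 arguments):
    Copy(FIXED,1,4), Copy(codeB,1,4), Copy(FIXED,5,5), Copy(codeB,5,4)."""
    cb = code_b(name)
    second = _pad_to_four(cb[0:4])   # Copy(codeB, 1, 4) -> ebp-8
    fourth = _pad_to_four(cb[4:8])   # Copy(codeB, 5, 4) -> ebp-C
    return FIXED[0:4], second, FIXED[4:9], fourth


def serial(name: str) -> str:
    """Pic4 + "-" + second + ei8es + "-" + fourth, as in the summary above."""
    first, second, third, fourth = serial_parts(name)
    return f"{first}-{second}{third}-{fourth}"


def check(name: str, entered: str) -> bool:
    """Mirrors the check at 0051D161: a plain string comparison of the stored
    'pass' value against the serial derived from the stored 'name'."""
    return entered == serial(name)


if __name__ == "__main__":
    # Values from the author's trace (name tigerisme, trial code 1234567890).
    print("codeA :", code_a("tigerisme"))
    print("codeB :", code_b("tigerisme"))
    print("serial:", serial("tigerisme"))
    print("trial code accepted:", check("tigerisme", "1234567890"))
```

Running it reproduces codeA 746967657269736D65, codeB 56D637962756769647 and the serial Pic4-56D6ei8es-3796 from the trace. The design lesson for anyone writing such a check is visible in `check()`: every ingredient of the serial (the transform and the constant "Pic4ei8espr") lives inside the binary and is a deterministic function of the user-chosen name, so the verifier is also a generator, and persisting the name and pass under software\zy\pic only made the trace easier to start. A check the binary cannot invert, such as verifying a vendor signature over the name with an embedded public key, does not have that property.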