[Original] Analysis of pgc-kgme
Posted: 2006-10-17 17:14
【Title】: Analysis of pgc-kgme
【Author】: HappyTown
【Email】: wxr277@163.com
【Homepage】: www.pediy.com
【Software】: pgc-kgme.exe
【Download】: in the attachment
【Packer】: none
【Protection】: MD5 + RSA
【Language】: MASM32 / TASM32
【Tools】: OD + Hash 0.30
【Author's note】: Done purely out of interest, for no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
I. Basics:
1. Not packed; PEiD's KANAL plugin reports MD5 and a big-number library;
2. IDA turned up nothing useful;
3. Following the error message back, set a breakpoint at 00401A0E.
II. Analysis:
1. The string "10001" is easy to spot, which suggests RSA or IDEA ^_^; obviously it can only be RSA;
2. Enter a trial name and code:
name:happy
code:7654321
00401A0E />push ebx
00401A0F |>push edi
00401A10 |>push esi
00401A11 |>push 11 ; /Count = 11 (17.)
00401A13 |>push 004042AC ; |Buffer = pgc-kgme.004042AC
00401A18 |>push dword ptr [404594] ; |hWnd = 00010186 (class='Edit',parent=00020182)
00401A1E |>call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401A23 |>cmp eax, 1
00401A26 |>jl 00401B43
00401A2C |>mov [40426D], eax
00401A31 |>push 22 ; /Count = 22 (34.)
00401A33 |>push 004042BD ; |Buffer = pgc-kgme.004042BD
00401A38 |>push dword ptr [404598] ; |hWnd = 00010188 (class='Edit',parent=00020182)
00401A3E |>call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401A43 |>cmp eax, 1
00401A46 |>jl 00401B57
00401A4C |>mov [404271], eax
00401A51 |>push 0
00401A53 |>call 00402320
00401A58 |>mov [404269], eax
00401A5D |>mov eax, [404271]
00401A62 |>push dword ptr [404269] ; /Arg2 = 00E80000
00401A68 |>push 004042BD ; |Arg1 = 004042BD: code:7654321
00401A6D |>call 004024C3 ; \pgc-kgme.004024C3
00401A72 |>push 0040429C ; /StringToAdd = "[PGCTRiAL/2oo2]"
00401A77 |>push 004042AC ; |ConcatString = "happy[PGCTRiAL/2oo2]"
00401A7C |>call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
00401A81 |>push 004042AC ; /String = "happy[PGCTRiAL/2oo2]"
00401A86 |>call <jmp.&KERNEL32.lstrlenA> ; \lstrlenA
00401A8B |>push 004042DF ; /Arg4 = 004042DF ASCII "27e7f8ac8a5c0c5d165ce9c90f9357e6"
00401A90 |>push 00404510 ; |Arg3 = 00404510
00401A95 |>push eax ; |Arg2
00401A96 |>push 004042AC ; |Arg1 = 004042AC
00401A9B |>call 00401000 ; \pgc-kgme.00401000
00401AA0 |>push 0
00401AA2 |>call 00402320
00401AA7 |>mov [40425D], eax
00401AAC |>push 0
00401AAE |>call 00402320
00401AB3 |>mov [404259], eax
00401AB8 |>push 0
00401ABA |>call 00402320
00401ABF |>mov [404261], eax
00401AC4 |>push 0
00401AC6 |>call 00402320
00401ACB |>mov [404265], eax
00401AD0 |>mov eax, 2
00401AD5 |>shl eax, 4
00401AD8 |>push dword ptr [40425D] ; /Arg2 = 00E40000
00401ADE |>push 004042DF ; |Arg1 = 004042DF ASCII "27e7f8ac8a5c0c5d165ce9c90f9357e6" h
00401AE3 |>call 004024C3 ; \pgc-kgme.004024C3
00401AE8 |>push dword ptr [404265] ; /Arg2 = 00E70000
00401AEE |>push 00404275 ; |Arg1 = 00404275 ASCII "10001":e
00401AF3 |>call 004024C3 ; \pgc-kgme.004024C3
00401AF8 |>push dword ptr [404261] ; /Arg2 = 00E60000
00401AFE |>push 0040427B ; |Arg1 = 0040427B ASCII "8e701a4c793eb8b739166bb23b49e421":n
00401B03 |>call 004024C3 ; \pgc-kgme.004024C3
00401B08 |>push dword ptr [404259]
00401B0E |>push dword ptr [404261] ; n = C2E0C6C46F34EEEB * BB1CC85B7A9D2E23 (RSATool factored it quickly, but the factors were not needed)
00401B14 |>push dword ptr [404265] ; e
00401B1A |>push dword ptr [40425D] ; h=MD5(happy[PGCTRiAL/2oo2])
00401B20 |>call 00402DAC ; c = h^e (mod n) = 478571769066735A7FB279BF75FB62BC
00401B25 |>push dword ptr [404269] ; code
00401B2B |>push dword ptr [404259] ; 478571769066735A7FB279BF75FB62BC
00401B31 |>call 00402397 ; plaintext comparison of c against code
00401B36 |>test eax, eax
00401B38 |>je short 00401B6B
00401B3A |>call 00401BC4
00401B3F |>pop esi
00401B40 |>pop edi
00401B41 |>pop ebx
00401B42 |>retn
00401B43 |>push 00404404 ; /Text = "Name Must Be >= 1 Character."
00401B48 |>push dword ptr [404598] ; |hWnd = 00010188 (class='Edit',parent=00020182)
00401B4E |>call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
00401B53 |>pop esi
00401B54 |>pop edi
00401B55 |>pop ebx
00401B56 |>retn
00401B57 |>push 00404421 ; /Text = "Key Must Be >= 1 Character."
00401B5C |>push dword ptr [404598] ; |hWnd = 00010188 (class='Edit',parent=00020182)
00401B62 |>call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
00401B67 |>pop esi
00401B68 |>pop edi
00401B69 |>pop ebx
00401B6A |>retn
00401B6B |>push 0 ; /Style = MB_OK|MB_APPLMODAL
00401B6D |>push 0040443D ; |Title = "Congratulations!"
00401B72 |>push 0040444E ; |Text = " You've done it!",CR,LF,"Please send your keygen along with",CR,LF,"source code to pgc@dangerous-minds.com",CR,LF,"if you would like to be considered as",CR,LF," a new member of PGC."
00401B77 |>push dword ptr [40458C] ; |hOwner = 00020182 ('PGC',class='PGCWinClass')
00401B7D |>call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
--------------------------------------------------------------------------------
【Lessons learned】
Schemes built on public-key cryptography plus a hash function rarely end in a plaintext comparison; the author of this one is truly kind-hearted. Because the program computes c = h^e (mod n) itself and then compares it against the input in the clear, the expected code sits in memory right at the comparison.
The code generation algorithm is simple: code = MD5(name + "[PGCTRiAL/2oo2]")^e (mod n)
A working registration pair:
name:happy
code:478571769066735A7FB279BF75FB62BC
I won't write the keygen.
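As an added illustration (my own code, not part of the original writeup or of the crackme), the following Python reproduces the check the trace above shows and sets it beside what a real signature check would look like, using the e, n and the two factors of n recorded on this page. The function names (weak_verify, strong_verify, sign_name, ...) are my own; nothing in the crackme uses them. The point it makes explicit: in the scheme as implemented, the verifier holds everything needed to produce a valid code, whereas in the signature scheme the shipped program holds only (e, n) and the vendor keeps d offline.

```python
import hashlib

# Constants recovered from the trace in this writeup.
SUFFIX = b"[PGCTRiAL/2oo2]"
E = 0x10001
N = 0x8E701A4C793EB8B739166BB23B49E421
# Factors of N as the writeup reports them (found with RSATool). The hardened
# scheme below needs them only to derive the private exponent d; the weak
# scheme never needs them at all, which is exactly its problem.
P = 0xC2E0C6C46F34EEEB
Q = 0xBB1CC85B7A9D2E23


def name_hash(name: str) -> int:
    """h = MD5(name + suffix), parsed from its hex digest as the crackme does."""
    return int(hashlib.md5(name.encode() + SUFFIX).hexdigest(), 16)


# --- Weak scheme: what the crackme implements ---------------------------------
def weak_expected_code(name: str) -> int:
    """c = h^e mod n. Everything needed (e, n, the hash) is inside the verifier."""
    return pow(name_hash(name), E, N)


def weak_verify(name: str, code: int) -> bool:
    """The crackme's check: recompute c and compare it with the input in the clear."""
    return code == weak_expected_code(name)


# --- Hardened scheme: a real (textbook-RSA) signature check ---------------------
def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); pow(..., -1, m) is Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))


def sign_name(name: str, d: int) -> int:
    """Done offline by the vendor with d, which never ships: s = h^d mod n."""
    return pow(name_hash(name), d, N)


def strong_verify(name: str, sig: int) -> bool:
    """Shipped in the program: accept iff sig^e mod n == h. Only e and n ship."""
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == name_hash(name)


if __name__ == "__main__":
    print(f"weak code for happy:  {weak_expected_code('happy'):032X}")
    d = private_exponent(P, Q, E)
    s = sign_name("happy", d)
    print(f"signature for happy:  {s:032X}  verifies={strong_verify('happy', s)}")
```

Running it prints the weak scheme's code for `happy`, which can be compared with the code the writeup reports. Both schemes here use raw RSA on the hash with no padding, for parity with the crackme; a production verifier would instead use a vetted library with PKCS#1 v1.5 or PSS padding, and the hash would not be MD5.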
--------------------------------------------------------------------------------
【Copyright】: Originally written for the PEDIY forum; when reposting, please credit the author and keep the article intact. Thank you!
15 October 2006, 8:55:34