【文章标题】: 彩票阿凡提 V2004 精简版 注册算法分析
【文章作者】: anchovy
【作者邮箱】: canyun3160@tom.com
【作者QQ号】: 276055658
【软件名称】: 彩票阿凡提 V2004 精简版
【下载地址】: http://soft123.3322.net/
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OllyDbg
【软件介绍】: 彩票阿凡提V2004精简版汇集众多彩票分析软件之精华
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEID查壳->ASPack 2.12 -> Alexey Solodovnikov,用waspack脱掉。再次查看->Borland Delphi 6.0 - 7.0
输入试验码,程序提示重启效验!
下断bp GetPrivateProfileStringA,F9运行程序,程序中断在系统领空,Alt+F9回到程序领空!
004A2C27 |. 50 push eax ; |Section
004A2C28 |. E8 FB44F6FF call <jmp.&kernel32.GetPrivateProfile>; \GetPrivateProfileStringA
004A2C2D |. 8BC8 mov ecx, eax
004A2C2F |. 8D95 00F8FFFF lea edx, dword ptr [ebp-800]
004A2C35 |. 8B45 08 mov eax, dword ptr [ebp+8]
004A2C38 |. E8 831DF6FF call 004049C0
004A2C3D |. 5F pop edi
004A2C3E |. 5E pop esi
004A2C3F |. 5B pop ebx
004A2C40 |. 8BE5 mov esp, ebp
004A2C42 |. 5D pop ebp
004A2C43 \. C2 0800 retn 8
此段代码粗跟了一遍,返回到此处:
0050EA25 . 8B55 F4 mov edx, dword ptr [ebp-C] ; 试验码
0050EA28 . 8B45 F8 mov eax, dword ptr [ebp-8] ; 机器码
0050EA2B . E8 90E5FFFF call <jmp.&programe.CheckUser> ; F7进入
0050EA30 . 48 dec eax
0050EA31 . 75 0C jnz short 0050EA3F
0050EA33 . C705 0CAF5200>mov dword ptr [52AF0C], 1
0050EA3D . EB 07 jmp short 0050EA46
0050EA3F > 33C0 xor eax, eax
0050EA41 . A3 0CAF5200 mov dword ptr [52AF0C], eax
0050EA46 > 33C0 xor eax, eax
0050EA48 . 5A pop edx
0050EA49 . 59 pop ecx
0050EA4A . 59 pop ecx
0050EA4B . 64:8910 mov dword ptr fs:[eax], edx
0050EA4E . EB 11 jmp short 0050EA61
0050EA50 .^ E9 EF55EFFF jmp 00404044
0050EA55 . 33C0 xor eax, eax
0050EA57 . A3 0CAF5200 mov dword ptr [52AF0C], eax
0050EA5C . E8 4B59EFFF call 004043AC
0050EA61 > 833D 0CAF5200>cmp dword ptr [52AF0C], 1
0050EA68 . 75 12 jnz short 0050EA7C
0050EA6A . 8B45 FC mov eax, dword ptr [ebp-4]
0050EA6D . 8B80 14030000 mov eax, dword ptr [eax+314]
0050EA73 . 33D2 xor edx, edx
0050EA75 . E8 A66CF4FF call 00455720
0050EA7A . EB 08 jmp short 0050EA84
0050EA7C > 8B45 FC mov eax, dword ptr [ebp-4]
0050EA7F . E8 44E5FFFF call 0050CFC8
0050EA84 > 33C0 xor eax, eax
0050EA86 . 5A pop edx
0050EA87 . 59 pop ecx
0050EA88 . 59 pop ecx
0050EA89 . 64:8910 mov dword ptr fs:[eax], edx
0050EA8C . 68 A6EA5000 push 0050EAA6
0050EA91 > 8D45 E0 lea eax, dword ptr [ebp-20]
0050EA94 . BA 07000000 mov edx, 7
0050EA99 . E8 565EEFFF call 004048F4
0050EA9E . C3 retn
0050EA9F .^ E9 5458EFFF jmp 004042F8
0050EAA4 .^ EB EB jmp short 0050EA91
0050EAA6 . 5F pop edi
0050EAA7 . 5E pop esi
0050EAA8 . 5B pop ebx
0050EAA9 . 8BE5 mov esp, ebp
0050EAAB . 5D pop ebp
0050EAAC . C3 retn
按F7后,会有一个jmp,跳转后来到00388A08
00388A08 > 55 push ebp
00388A09 8BEC mov ebp, esp
00388A0B 33C9 xor ecx, ecx
00388A0D 51 push ecx
00388A0E 51 push ecx
00388A0F 51 push ecx
00388A10 51 push ecx
00388A11 51 push ecx
00388A12 51 push ecx
00388A13 51 push ecx
00388A14 53 push ebx
00388A15 56 push esi
00388A16 57 push edi
00388A17 8955 F8 mov dword ptr [ebp-8], edx ; 试验码
00388A1A 8945 FC mov dword ptr [ebp-4], eax ; 机器码
00388A1D 8B45 FC mov eax, dword ptr [ebp-4]
00388A20 E8 7BBBFEFF call 003745A0
00388A25 8B45 F8 mov eax, dword ptr [ebp-8]
00388A28 E8 73BBFEFF call 003745A0
00388A2D 33C0 xor eax, eax
00388A2F 55 push ebp
00388A30 68 138C3800 push 00388C13
00388A35 64:FF30 push dword ptr fs:[eax]
00388A38 64:8920 mov dword ptr fs:[eax], esp
00388A3B 8D45 F0 lea eax, dword ptr [ebp-10]
00388A3E 8B55 FC mov edx, dword ptr [ebp-4]
00388A41 E8 52B7FEFF call 00374198
00388A46 8B45 F0 mov eax, dword ptr [ebp-10]
00388A49 E8 62BBFEFF call 003745B0
00388A4E E8 7DEFFEFF call 003779D0 ; 取机器码的长度
00388A53 8BF0 mov esi, eax
00388A55 C745 F4 2000000>mov dword ptr [ebp-C], 20 ; 设此内存块为A则A=20H
00388A5C 8BFE mov edi, esi
00388A5E 4F dec edi
00388A5F 85FF test edi, edi
00388A61 7E 65 jle short 00388AC8
00388A63 BB 01000000 mov ebx, 1
00388A68 8B45 F0 mov eax, dword ptr [ebp-10]
00388A6B 0FB67418 FF movzx esi, byte ptr [eax+ebx-1] ; esi=从机器码取1字节
00388A70 8B45 F0 mov eax, dword ptr [ebp-10]
00388A73 33C9 xor ecx, ecx
00388A75 8A0C18 mov cl, byte ptr [eax+ebx] ; cl=取下1字节
00388A78 8BC6 mov eax, esi ; eax=esi
00388A7A 99 cdq
00388A7B F7FB idiv ebx ; edx:eax除以ebx 余edx
00388A7D 0355 F4 add edx, dword ptr [ebp-C] ; edx=edx+A
00388A80 8BF2 mov esi, edx ; esi=edx
00388A82 33F1 xor esi, ecx ; esi=esi^ecx
00388A84 8B45 F4 mov eax, dword ptr [ebp-C] ; eax=A
00388A87 F7EB imul ebx ; edx:eax=eax*ebx
00388A89 05 173D1E00 add eax, 1E3D17 ; eax=eax+1E3D17
00388A8E C1E8 04 shr eax, 4 ; eax=eax>>4位
00388A91 8945 F4 mov dword ptr [ebp-C], eax ; A=eax
00388A94 015D F4 add dword ptr [ebp-C], ebx ; A=A+ebx
00388A97 0375 F4 add esi, dword ptr [ebp-C] ; esi=esi+A
00388A9A 81E6 1F000080 and esi, 8000001F ; esi=esi&8000001FH
00388AA0 79 05 jns short 00388AA7 ; (记下每次循环时esi的值)
00388AA2 4E dec esi
00388AA3 83CE E0 or esi, FFFFFFE0
00388AA6 46 inc esi
00388AA7 8D4D EC lea ecx, dword ptr [ebp-14]
00388AAA BA 02000000 mov edx, 2
00388AAF 8BC6 mov eax, esi
00388AB1 E8 12ECFEFF call 003776C8
00388AB6 8D45 E8 lea eax, dword ptr [ebp-18]
00388AB9 8B4D E8 mov ecx, dword ptr [ebp-18]
00388ABC 8B55 EC mov edx, dword ptr [ebp-14]
00388ABF E8 40B9FEFF call 00374404 ; 每次循环esi将产生一个重要的值,将esi的值放到上次esi值的前面
00388AC4 43 inc ebx
00388AC5 4F dec edi
00388AC6 ^ 75 A0 jnz short 00388A68 ; 循环机器码长度-1次
00388AC8 8B45 E8 mov eax, dword ptr [ebp-18] ; 每次esi的值组合成了一串重要数据->eax
00388ACB E8 E0BAFEFF call 003745B0
00388AD0 E8 FBEEFEFF call 003779D0 ; 返回重要数据的长度
00388AD5 8BF0 mov esi, eax
00388AD7 8BFE mov edi, esi
00388AD9 85FF test edi, edi
00388ADB 0F8E 8D000000 jle 00388B6E
00388AE1 BB 01000000 mov ebx, 1
00388AE6 8BC3 mov eax, ebx
00388AE8 25 01000080 and eax, 80000001
00388AED 79 05 jns short 00388AF4
00388AEF 48 dec eax
00388AF0 83C8 FE or eax, FFFFFFFE
00388AF3 40 inc eax
00388AF4 85C0 test eax, eax
00388AF6 75 3D jnz short 00388B35 ; eax 和 80000001h 相与后,若不是0,则跳到00388B35 处.eax是奇数就跳
00388AF8 8D45 E4 lea eax, dword ptr [ebp-1C] ; 是偶数则执行以下代码
00388AFB 8B55 E8 mov edx, dword ptr [ebp-18]
00388AFE 8A541A FF mov dl, byte ptr [edx+ebx-1] ; edx=重要数据的地址,ebx=第几次循环?
00388B02 E8 D9B7FEFF call 003742E0 ; 将dl的值写入到ebp-1c所指向的地址
00388B07 8D45 E8 lea eax, dword ptr [ebp-18]
00388B0A E8 F9BAFEFF call 00374608
00388B0F 8BD6 mov edx, esi ; esi存放着重要数据的长度
00388B11 2BD3 sub edx, ebx ; edx=长度减去第几次循环?
00388B13 8B4D E8 mov ecx, dword ptr [ebp-18]
00388B16 8A5411 FF mov dl, byte ptr [ecx+edx-1] ; ecx=重要数据的地址
00388B1A 885418 FF mov byte ptr [eax+ebx-1], dl ; eax=重要数据的地址,ebx=第几次循环?
00388B1E 8D45 E8 lea eax, dword ptr [ebp-18]
00388B21 E8 E2BAFEFF call 00374608
00388B26 8BD6 mov edx, esi
00388B28 2BD3 sub edx, ebx ; edx=重要数据的长度减去第几次循环?得出一个差值
00388B2A 8B4D E4 mov ecx, dword ptr [ebp-1C] ; ecx=取出ebp-1c存放的内容
00388B2D 8A09 mov cl, byte ptr [ecx]
00388B2F 884C10 FF mov byte ptr [eax+edx-1], cl ; eax=重要数据的地址
00388B33 EB 31 jmp short 00388B66
00388B35 8D45 E4 lea eax, dword ptr [ebp-1C] ; 是奇数则执行以下代码.
00388B38 8B55 E8 mov edx, dword ptr [ebp-18]
00388B3B 8A541A FF mov dl, byte ptr [edx+ebx-1] ; edx=重要数据的地址,ebx=第几次循环?
00388B3F E8 9CB7FEFF call 003742E0 ; dl影响ebp-1c
00388B44 8D45 E8 lea eax, dword ptr [ebp-18]
00388B47 E8 BCBAFEFF call 00374608
00388B4C 8B55 E8 mov edx, dword ptr [ebp-18]
00388B4F 8A141A mov dl, byte ptr [edx+ebx] ; edx=重要数据的地址,ebx=第几次循环?
00388B52 885418 FF mov byte ptr [eax+ebx-1], dl ; eax=重要数据的地址,ebx=第几次循环?
00388B56 8D45 E8 lea eax, dword ptr [ebp-18]
00388B59 E8 AABAFEFF call 00374608
00388B5E 8B55 E4 mov edx, dword ptr [ebp-1C]
00388B61 8A12 mov dl, byte ptr [edx]
00388B63 881418 mov byte ptr [eax+ebx], dl ; eax=重要数据的地址,ebx=第几次循环?
00388B66 43 inc ebx
00388B67 4F dec edi ; edi是重要数据的长度
00388B68 ^ 0F85 78FFFFFF jnz 00388AE6
00388B6E 33F6 xor esi, esi
00388B70 8B45 E8 mov eax, dword ptr [ebp-18] ; eax=正确的注册码地址
00388B73 E8 38BAFEFF call 003745B0
00388B78 E8 53EEFEFF call 003779D0
00388B7D 8BD8 mov ebx, eax
00388B7F 8B45 F8 mov eax, dword ptr [ebp-8]
00388B82 E8 29BAFEFF call 003745B0
00388B87 E8 44EEFEFF call 003779D0
00388B8C 3BD8 cmp ebx, eax
00388B8E 75 59 jnz short 00388BE9
00388B90 8B45 E8 mov eax, dword ptr [ebp-18]
00388B93 E8 18BAFEFF call 003745B0
00388B98 E8 33EEFEFF call 003779D0
00388B9D 8BF8 mov edi, eax
00388B9F 85FF test edi, edi
00388BA1 7E 1A jle short 00388BBD
00388BA3 BB 01000000 mov ebx, 1
00388BA8 8B45 E8 mov eax, dword ptr [ebp-18]
00388BAB 8A4418 FF mov al, byte ptr [eax+ebx-1]
00388BAF 8B55 F8 mov edx, dword ptr [ebp-8]
00388BB2 3A441A FF cmp al, byte ptr [edx+ebx-1]
00388BB6 75 01 jnz short 00388BB9
00388BB8 46 inc esi
00388BB9 43 inc ebx
00388BBA 4F dec edi
00388BBB ^ 75 EB jnz short 00388BA8
00388BBD 8B45 E8 mov eax, dword ptr [ebp-18]
00388BC0 E8 EBB9FEFF call 003745B0
00388BC5 E8 06EEFEFF call 003779D0
00388BCA 33D2 xor edx, edx
00388BCC 52 push edx
00388BCD 50 push eax
00388BCE 8BC6 mov eax, esi
00388BD0 99 cdq
00388BD1 3B5424 04 cmp edx, dword ptr [esp+4]
00388BD5 75 03 jnz short 00388BDA
00388BD7 3B0424 cmp eax, dword ptr [esp]
00388BDA 5A pop edx
00388BDB 58 pop eax
00388BDC 75 07 jnz short 00388BE5
00388BDE BB 01000000 mov ebx, 1
00388BE3 EB 06 jmp short 00388BEB
00388BE5 33DB xor ebx, ebx
00388BE7 EB 02 jmp short 00388BEB
00388BE9 33DB xor ebx, ebx
00388BEB 33C0 xor eax, eax
00388BED 5A pop edx
00388BEE 59 pop ecx
00388BEF 59 pop ecx
00388BF0 64:8910 mov dword ptr fs:[eax], edx
00388BF3 68 1A8C3800 push 00388C1A
00388BF8 8D45 E4 lea eax, dword ptr [ebp-1C]
00388BFB BA 04000000 mov edx, 4
00388C00 E8 1FB5FEFF call 00374124
00388C05 8D45 F8 lea eax, dword ptr [ebp-8]
00388C08 BA 02000000 mov edx, 2
00388C0D E8 12B5FEFF call 00374124
00388C12 C3 retn
00388C13 ^ E9 88AEFEFF jmp 00373AA0
00388C18 ^ EB DE jmp short 00388BF8
00388C1A 8BC3 mov eax, ebx
00388C1C 5F pop edi
00388C1D 5E pop esi
00388C1E 5B pop ebx
00388C1F 8BE5 mov esp, ebp
00388C21 5D pop ebp
00388C22 C3 retn
--------------------------------------------------------------------------------
【经验总结】
注册码验证函数在dll文件中,注释已经很详细了,就不再此费话了!
今夜的蝉真多!!!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月10日 14:24:43
[课程]Linux pwn 探索篇!
