我分析了好久,可是近来越来越迷!
这个软件似乎用了数组对数据进行加密。在下分析不出来!
不知道哪位高手可以分析一下,教一教俺!(我分析的是5.4这个版本,在网上应该有很多地方可以下载的,行业软件的保护似乎比一般软件要强很多,希望在进行分析的时候要有心理准备哟!)一开始用PEID可以知道她有一个壳,当退去这层壳后我发现程序的入口似乎也被处理过,我就不知道该怎么办了。
这个程序似乎是通过注册表来进行注册的,在系统文件夹中会有一个相关的文件rundl132.dll可以用记事本打开,注册表中会有相应的键值。但是我不知道对于注册码的比较是在按注册按钮后还是下次程序运行时?在安装目录下的DATA中的hygysdb.mdb文件中也有相应的记录。不知道作者是什么思路?
在安装的时候有一个SN:HYGYS-5400F-20040308
下面是我所分析到的数据:
---------------------------------------------------------------------------------
0070E088 55 push ebp
0070E089 8BEC mov ebp, esp
0070E08B B92B000000 mov ecx, $0000002B
0070E090 6A00 push $00
0070E092 6A00 push $00
0070E094 49 dec ecx
0070E095 75F9 jnz 0070E090
0070E097 51 push ecx
0070E098 53 push ebx
0070E099 56 push esi
0070E09A 57 push edi
0070E09B 8945FC mov [ebp-$04], eax
0070E09E 33C0 xor eax, eax
0070E0A0 55 push ebp
* Possible String Reference to: '轸V?脎_^[?]?
|
0070E0A1 6833E37000 push $0070E333
***** TRY
|
0070E0A6 64FF30 push dword ptr fs:[eax]
0070E0A9 648920 mov fs:[eax], esp
0070E0AC 68FF000000 push $000000FF
0070E0B1 8D85C4FEFFFF lea eax, [ebp+$FFFFFEC4]
0070E0B7 50 push eax
* Reference to: kernel32.GetSystemDirectoryA()
|
0070E0B8 E8F3A2CFFF call 004083B0
0070E0BD 8D55DC lea edx, [ebp-$24]
0070E0C0 8D85C4FEFFFF lea eax, [ebp+$FFFFFEC4]
* Reference to: sysutils.StrPas(PChar):AnsiString;
|
0070E0C6 E821D3CFFF call 0040B3EC
0070E0CB B201 mov dl, $01
0070E0CD A18CD74700 mov eax, dword ptr [$0047D78C]
* Reference to: registry.TRegistry.Create(TRegistry;boolean);overload;
|
0070E0D2 E821F8D6FF call 0047D8F8
0070E0D7 8BF0 mov esi, eax
0070E0D9 BA02000080 mov edx, $80000002
0070E0DE 8BC6 mov eax, esi
* Reference to: registry.TRegistry.SetRootKey(TRegistry;HKEY);
|
0070E0E0 E8EFF8D6FF call 0047D9D4
0070E0E5 8D85C0FEFFFF lea eax, [ebp+$FFFFFEC0]
* Possible String Reference to: '\rundl132.dll'
|
0070E0EB B94CE37000 mov ecx, $0070E34C
0070E0F0 8B55DC mov edx, [ebp-$24]
* Reference to: system.@LStrCat3;
|
0070E0F3 E8D862CFFF call 004043D0
0070E0F8 8B8DC0FEFFFF mov ecx, [ebp+$FFFFFEC0]
0070E0FE B201 mov dl, $01
0070E100 A194C34700 mov eax, dword ptr [$0047C394]
* Reference to: axctrls.TOleStream.Create(TOleStream;boolean;IStream);
| or: inifiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString);
| or: sysutils.Exception.Create(Exception;boolean;AnsiString);
|
0070E105 E8DAE3D6FF call 0047C4E4
0070E10A 8945D4 mov [ebp-$2C], eax
0070E10D 8D95BCFEFFFF lea edx, [ebp+$FFFFFEBC]
* Possible String Reference to: '1F48FE74F55210A5734C8459CE8334AC10A
| CB886578475E4D9E2A38B8DE20ADEE9C09F
| 28CE980F4726393B9079104F72483F4A5B'
|
0070E113 B864E37000 mov eax, $0070E364
* Reference to : TForm_Register._PROC_0070DCC8()
|
0070E118 E8ABFBFFFF call 0070DCC8
0070E11D 8B95BCFEFFFF mov edx, [ebp+$FFFFFEBC]
0070E123 B101 mov cl, $01
0070E125 8BC6 mov eax, esi
* Reference to: registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean;
|
0070E127 E8ECF9D6FF call 0047DB18
0070E12C 33FF xor edi, edi
0070E12E 8D45C4 lea eax, [ebp-$3C]
|
0070E131 E8F6F8FFFF call 0070DA2C
* Reference to : TForm_Register._PROC_0070DA64()
|
0070E136 E829F9FFFF call 0070DA64
0070E13B 8BD0 mov edx, eax
0070E13D 8D85B8FEFFFF lea eax, [ebp+$FFFFFEB8]
* Reference to: system.@LStrFromPChar(String;String;PAnsiChar);
| or: system.@WStrFromPChar(WideString;WideString;PAnsiChar);
|
0070E143 E87461CFFF call 004042BC
0070E148 8B85B8FEFFFF mov eax, [ebp+$FFFFFEB8]
0070E14E 8D55F4 lea edx, [ebp-$0C]
* Reference to: sysutils.Trim(AnsiString):AnsiString;
|
0070E151 E85AC3CFFF call 0040A4B0
0070E156 8D55F0 lea edx, [ebp-$10]
0070E159 8B45C4 mov eax, [ebp-$3C]
* Reference to: sysutils.IntToStr(Integer):AnsiString;overload;
|
0070E15C E837C6CFFF call 0040A798
0070E161 8D55EC lea edx, [ebp-$14]
0070E164 8B45D0 mov eax, [ebp-$30]
* Reference to: sysutils.IntToStr(Integer):AnsiString;overload;
|
0070E167 E82CC6CFFF call 0040A798
0070E16C FF75F4 push dword ptr [ebp-$0C]
0070E16F FF75F0 push dword ptr [ebp-$10]
0070E172 FF75EC push dword ptr [ebp-$14]
0070E175 8D45F8 lea eax, [ebp-$08]
0070E178 BA03000000 mov edx, $00000003
* Reference to: system.@LStrCatN;
|
0070E17D E8C262CFFF call 00404444
0070E182 8D55E8 lea edx, [ebp-$18]
0070E185 8B45FC mov eax, [ebp-$04]
* Reference to control Serial : TMemo
|
0070E188 8B80E4020000 mov eax, [eax+$02E4]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0070E18E E895B0D2FF call 00439228
0070E193 8D95B0FEFFFF lea edx, [ebp+$FFFFFEB0]
0070E199 8B45E8 mov eax, [ebp-$18]
* Reference to : TForm_Register._PROC_0070DCC8()
|
0070E19C E827FBFFFF call 0070DCC8
0070E1A1 8B85B0FEFFFF mov eax, [ebp+$FFFFFEB0]
* Reference to: system.@LStrToPChar;
|
0070E1A7 E89C63CFFF call 00404548
0070E1AC 8BD0 mov edx, eax
0070E1AE 8D85B4FEFFFF lea eax, [ebp+$FFFFFEB4]
* Reference to: system.@LStrFromPChar(String;String;PAnsiChar);
| or: system.@WStrFromPChar(WideString;WideString;PAnsiChar);
|
0070E1B4 E80361CFFF call 004042BC
0070E1B9 8B95B4FEFFFF mov edx, [ebp+$FFFFFEB4]
0070E1BF B8D8E37000 mov eax, $0070E3D8
* Reference to: sysutils.AnsiPos(AnsiString;AnsiString):Integer;
|
0070E1C4 E8130AD0FF call 0040EBDC
0070E1C9 8BD8 mov ebx, eax
0070E1CB 8D95ACFEFFFF lea edx, [ebp+$FFFFFEAC]
0070E1D1 8B45E8 mov eax, [ebp-$18]
* Reference to : TForm_Register._PROC_0070DCC8()
|
0070E1D4 E8EFFAFFFF call 0070DCC8
0070E1D9 8B85ACFEFFFF mov eax, [ebp+$FFFFFEAC]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0070E1DF E8A061CFFF call 00404384
0070E1E4 8945D8 mov [ebp-$28], eax
0070E1E7 85DB test ebx, ebx
0070E1E9 7517 jnz 0070E202
0070E1EB 8B45FC mov eax, [ebp-$04]
* Reference to control btnTrial : TButton
|
0070E1EE 8B80D8020000 mov eax, [eax+$02D8]
0070E1F4 66BBECFF mov bx, $FFEC
* Reference to: system.@CallDynaInst;
|
0070E1F8 E8AB52CFFF call 004034A8
0070E1FD E906010000 jmp 0070E308
0070E202 8D45E4 lea eax, [ebp-$1C]
0070E205 50 push eax
0070E206 8D95A8FEFFFF lea edx, [ebp+$FFFFFEA8]
0070E20C 8B45E8 mov eax, [ebp-$18]
* Reference to : TForm_Register._PROC_0070DCC8()
|
0070E20F E8B4FAFFFF call 0070DCC8
0070E214 8B85A8FEFFFF mov eax, [ebp+$FFFFFEA8]
0070E21A 8BCB mov ecx, ebx
0070E21C 49 dec ecx
0070E21D BA01000000 mov edx, $00000001
* Reference to: system.@LStrCopy;
|
0070E222 E86563CFFF call 0040458C
0070E227 8D45E0 lea eax, [ebp-$20]
0070E22A 50 push eax
0070E22B 8D95A4FEFFFF lea edx, [ebp+$FFFFFEA4]
0070E231 8B45E8 mov eax, [ebp-$18]
* Reference to : TForm_Register._PROC_0070DCC8()
|
0070E234 E88FFAFFFF call 0070DCC8
0070E239 8B85A4FEFFFF mov eax, [ebp+$FFFFFEA4]
0070E23F 8B4DD8 mov ecx, [ebp-$28]
0070E242 2BCB sub ecx, ebx
0070E244 41 inc ecx
0070E245 8D5301 lea edx, [ebx+$01]
* Reference to: system.@LStrCopy;
|
0070E248 E83F63CFFF call 0040458C
0070E24D 8B45E0 mov eax, [ebp-$20]
0070E250 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrCmp;
|
0070E253 E83C62CFFF call 00404494
0070E258 7405 jz 0070E25F
0070E25A BF01000000 mov edi, $00000001
0070E25F 8B45E0 mov eax, [ebp-$20]
0070E262 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrCmp;
|
0070E265 E82A62CFFF call 00404494
0070E26A 7579 jnz 0070E2E5
* Possible String Reference to: '注册成功!谢谢您使用我们的产品.'
|
0070E26C B8E4E37000 mov eax, $0070E3E4
* Reference to: dialogs.ShowMessage(AnsiString);
|
0070E271 E8E66FD5FF call 0046525C
0070E276 4F dec edi
0070E277 751E jnz 0070E297
0070E279 A14C2F7600 mov eax, dword ptr [$00762F4C]
0070E27E 8B00 mov eax, [eax]
0070E280 33D2 xor edx, edx
0070E282 89500C mov [eax+$0C], edx
0070E285 8B45FC mov eax, [ebp-$04]
* Reference to control btnTrial : TButton
|
0070E288 8B80D8020000 mov eax, [eax+$02D8]
0070E28E 66BBECFF mov bx, $FFEC
* Reference to: system.@CallDynaInst;
|
0070E292 E81152CFFF call 004034A8
0070E297 8B4DE8 mov ecx, [ebp-$18]
* Possible String Reference to: '583CA435E20D7E77347CB380433A56CBF22
| FEEF9F94268E90A4F'
|
0070E29A BA0CE47000 mov edx, $0070E40C
0070E29F 8BC6 mov eax, esi
* Reference to: registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
|
0070E2A1 E8B6FCD6FF call 0047DF5C
0070E2A6 8B45E8 mov eax, [ebp-$18]
0070E2A9 50 push eax
* Possible String Reference to: '583CA435E20D7E77347CB380433A56CBF22
| FEEF9F94268E90A4F'
|
0070E2AA B90CE47000 mov ecx, $0070E40C
* Possible String Reference to: '583CA435E20D7E77347CB380433A56CBF22
| FEEF9F94268E90A4F'
|
0070E2AF BA0CE47000 mov edx, $0070E40C
0070E2B4 8B45D4 mov eax, [ebp-$2C]
0070E2B7 8B18 mov ebx, [eax]
0070E2B9 FF5304 call dword ptr [ebx+$04]
0070E2BC 8BC6 mov eax, esi
* Reference to: system.TObject.Free(TObject);
|
0070E2BE E80950CFFF call 004032CC
0070E2C3 B201 mov dl, $01
0070E2C5 8B45D4 mov eax, [ebp-$2C]
0070E2C8 8B08 mov ecx, [eax]
0070E2CA FF51FC call dword ptr [ecx-$04]
0070E2CD A14C2F7600 mov eax, dword ptr [$00762F4C]
0070E2D2 8B00 mov eax, [eax]
0070E2D4 C7400C01000000 mov dword ptr [eax+$0C], $00000001
0070E2DB 8B45FC mov eax, [ebp-$04]
* Reference to: forms.TCustomForm.Close(TCustomForm);
|
0070E2DE E8BD78D4FF call 00455BA0
0070E2E3 EB23 jmp 0070E308
0070E2E5 8BC6 mov eax, esi
* Reference to: system.TObject.Free(TObject);
|
0070E2E7 E8E04FCFFF call 004032CC
0070E2EC B201 mov dl, $01
0070E2EE 8B45D4 mov eax, [ebp-$2C]
0070E2F1 8B08 mov ecx, [eax]
0070E2F3 FF51FC call dword ptr [ecx-$04]
0070E2F6 8B45FC mov eax, [ebp-$04]
* Reference to control btnTrial : TButton
|
0070E2F9 8B80D8020000 mov eax, [eax+$02D8]
0070E2FF 66BBECFF mov bx, $FFEC
* Reference to: system.@CallDynaInst;
|
0070E303 E8A051CFFF call 004034A8
0070E308 33C0 xor eax, eax
0070E30A 5A pop edx
0070E30B 59 pop ecx
0070E30C 59 pop ecx
0070E30D 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[?]?
|
0070E310 683AE37000 push $0070E33A
0070E315 8D85A4FEFFFF lea eax, [ebp+$FFFFFEA4]
0070E31B BA08000000 mov edx, $00000008
* Reference to: system.@LStrArrayClr;
|
0070E320 E8F35DCFFF call 00404118
0070E325 8D45DC lea eax, [ebp-$24]
0070E328 BA08000000 mov edx, $00000008
* Reference to: system.@LStrArrayClr;
|
0070E32D E8E65DCFFF call 00404118
0070E332 C3 ret
* Reference to: system.@HandleFinally;
|
0070E333 E9F456CFFF jmp 00403A2C
0070E338 EBDB jmp 0070E315
****** END
|
0070E33A 5F pop edi
0070E33B 5E pop esi
0070E33C 5B pop ebx
0070E33D 8BE5 mov esp, ebp
0070E33F 5D pop ebp
0070E340 C3 ret
---------------------------------------------------------------------------------
我觉得关键在以上的代码中可是不知道最关键的部分,呵呵呵……就差一点儿!
另外,其安装目录下的data文件夹中的hygysdb.mdb的密码是huangye7731
这个软件可能用OD调试要好一些!