【文章标题】: 阿勇股票实时资讯 V3.6算法分析
【文章作者】: dgrzh
【作者邮箱】: dgrzh@sohu.com
【软件名称】: 阿勇股票实时资讯 V3.6
【下载地址】: 自己搜索下载
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD PEID
【操作平台】: WINXP1
……………………………………………………………………………………………………………………….
用PEiD查壳,无壳。运行点"输入注册码"出现注册信息框。我这里
注册码:5377844965566888
验证码:1234567891234567(这里随便输入)
点"确定"提示"您输入的验证码不正确,请核实!"
OD载入,点插件-Ultra字符串参考-查找ASCII,在Ultra字符串参考表里找到关键字"您输入的验证码不正确,请核实!"双击。
; --- ayongsof!004C2AFA: registration-dialog handler (excerpt: the prologue before 004C2AFA and
; the code after 004C2C45 are not part of this listing).
; Defender's summary: the accept/reject decision is one byte returned by "abc126" in
; regstockdll.dll; that DLL is loaded by bare file name (loader search order, no fixed path,
; no integrity check) and the byte is compared with 1 at 004C2BA7.
; Delphi 6/7 codegen: try/finally frames are pushed by hand onto fs:[0], strings are
; AnsiStrings, Self is kept in [ebp-4].
; Locals: [ebp-4]=Self  [ebp-5]=result byte from abc126  [ebp-C]=HMODULE
;         [ebp-10],[ebp-14]=temporary strings
004C2AFA 53 push ebx //到这里下断点
004C2AFB 33C9 xor ecx,ecx
004C2AFD 894D EC mov dword ptr ss:[ebp-14],ecx ; clear the two string locals so the finally block can release them safely
004C2B00 894D F0 mov dword ptr ss:[ebp-10],ecx
004C2B03 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = Self (Delphi passes it in eax)
004C2B06 33C0 xor eax,eax
004C2B08 55 push ebp ; outer try/finally: save ebp, handler 004C2C8D, previous fs:[0]
004C2B09 68 8D2C4C00 push ayongsof.004C2C8D
004C2B0E 64:FF30 push dword ptr fs:[eax]
004C2B11 64:8920 mov dword ptr fs:[eax],esp ; install the frame
004C2B14 68 9C2C4C00 push ayongsof.004C2C9C ; regstockdll.dll ; bare name: resolved by the loader's search order, not a fixed path
004C2B19 E8 4642F4FF call <jmp.&kernel32.LoadLibraryA>
004C2B1E 8945 F4 mov dword ptr ss:[ebp-C],eax ; [ebp-C] = HMODULE (0 on failure)
004C2B21 837D F4 00 cmp dword ptr ss:[ebp-C],0
004C2B25 76 6B jbe short ayongsof.004C2B92 ; unsigned <= 0, i.e. NULL -> "regstockdll.dll not found" path
004C2B27 33D2 xor edx,edx
004C2B29 55 push ebp ; inner try/finally (handler 004C2B8B) guarding GetProcAddress .. FreeLibrary
004C2B2A 68 8B2B4C00 push ayongsof.004C2B8B
004C2B2F 64:FF32 push dword ptr fs:[edx]
004C2B32 64:8922 mov dword ptr fs:[edx],esp
004C2B35 68 AC2C4C00 push ayongsof.004C2CAC ; abc126 ; GetProcAddress(hMod, "abc126")
004C2B3A 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004C2B3D 50 push eax
004C2B3E E8 7141F4FF call <jmp.&kernel32.GetProcAddres>
004C2B43 85C0 test eax,eax
004C2B45 74 23 je short ayongsof.004C2B6A ; export missing -> "abc126 not found" message
004C2B47 8BD8 mov ebx,eax ; ebx = abc126 entry point
004C2B49 8D55 F0 lea edx,dword ptr ss:[ebp-10] ; [ebp-10] := text of the control at Self+308 (call 004455E4 looks like a Get-Text style getter — confirm)
004C2B4C 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2B4F 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004C2B55 E8 8A2AF8FF call ayongsof.004455E4
004C2B5A 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004C2B5D E8 DA1EF4FF call ayongsof.00404A3C ; RTL helper on the string before the call (presumably yields the char pointer/AnsiString to pass — confirm)
004C2B62 50 push eax
004C2B63 FFD3 call ebx ; 算法CALL ; abc126 reads its argument from eax (see 011896E9, Delphi register convention); the pushed dword is not popped by its plain retn, so it is presumably reclaimed by this function's frame teardown (not shown)
004C2B65 8845 FB mov byte ptr ss:[ebp-5],al ; result byte; this is the only write to [ebp-5] in the listing
004C2B68 EB 0A jmp short ayongsof.004C2B74
004C2B6A B8 BC2C4C00 mov eax,ayongsof.004C2CBC ; abc126函数没有找到 ; message/exception routine 0043E6CC (confirm which)
004C2B6F E8 58BBF7FF call ayongsof.0043E6CC
004C2B74 33C0 xor eax,eax ; inner finally: restore fs:[0] ...
004C2B76 5A pop edx
004C2B77 59 pop ecx
004C2B78 59 pop ecx
004C2B79 64:8910 mov dword ptr fs:[eax],edx
004C2B7C 68 9C2B4C00 push ayongsof.004C2B9C ; ... run the finally body (FreeLibrary) and continue at 004C2B9C
004C2B81 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004C2B84 50 push eax
004C2B85 E8 AA40F4FF call <jmp.&kernel32.FreeLibrary>
004C2B8A C3 retn
004C2B8B ^ E9 A013F4FF jmp ayongsof.00403F30 ; exception path: RTL finally handler, re-enters the body through 004C2B90
004C2B90 ^ EB EF jmp short ayongsof.004C2B81
004C2B92 B8 D82C4C00 mov eax,ayongsof.004C2CD8 ; regstockdll.dll没有找到
004C2B97 E8 30BBF7FF call ayongsof.0043E6CC
004C2B9C 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Self+30C := 0
004C2B9F 33D2 xor edx,edx
004C2BA1 8990 0C030000 mov dword ptr ds:[eax+30C],edx
004C2BA7 807D FB 01 cmp byte ptr ss:[ebp-5],1 ; the whole decision: result byte == 1
004C2BAB 0F85 8D000000 jnz ayongsof.004C2C3E ; 关键跳不等于0跳向注册失败 ; NOTE(review): both error paths reach this compare without ever writing [ebp-5]; unless the unseen prologue zeroes that slot, it compares an uninitialised stack byte
004C2BB1 6A 00 push 0 ; MessageBoxA(hWnd, "注册成功...", "提示", MB_OK)
004C2BB3 68 F02C4C00 push ayongsof.004C2CF0 ; 提示
004C2BB8 68 F82C4C00 push ayongsof.004C2CF8 ; 注册成功,欢迎您使用!!
004C2BBD 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2BC0 E8 8B92F8FF call ayongsof.0044BE50 ; presumably returns the window handle (confirm)
004C2BC5 50 push eax
004C2BC6 E8 2949F4FF call <jmp.&user32.MessageBoxA>
004C2BCB A1 B4864C00 mov eax,dword ptr ds:[4C86B4] ; global object pointer (OllyDbg names it 004C9E30 below): field +648 := 1
004C2BD0 8B00 mov eax,dword ptr ds:[eax]
004C2BD2 C780 48060000 0>mov dword ptr ds:[eax+648],1
004C2BDC A1 B4864C00 mov eax,dword ptr ds:[4C86B4] ; same object: field +3AC := field +64C
004C2BE1 8B00 mov eax,dword ptr ds:[eax]
004C2BE3 8B80 4C060000 mov eax,dword ptr ds:[eax+64C]
004C2BE9 8B15 B4864C00 mov edx,dword ptr ds:[4C86B4] ; ayongsof.004C9E30
004C2BEF 8B12 mov edx,dword ptr ds:[edx]
004C2BF1 8982 AC030000 mov dword ptr ds:[edx+3AC],eax
004C2BF7 68 1C2D4C00 push ayongsof.004C2D1C ; verify ; args for 004C3D94: pushed "verify", the entered text, ecx="regedit", edx=DLL name
004C2BFC 8D55 EC lea edx,dword ptr ss:[ebp-14] ; [ebp-14] := text of the control at Self+308 again
004C2BFF 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2C02 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004C2C08 E8 D729F8FF call ayongsof.004455E4
004C2C0D 8B45 EC mov eax,dword ptr ss:[ebp-14]
004C2C10 50 push eax
004C2C11 A1 B4864C00 mov eax,dword ptr ds:[4C86B4]
004C2C16 8B00 mov eax,dword ptr ds:[eax]
004C2C18 B9 2C2D4C00 mov ecx,ayongsof.004C2D2C ; regedit
004C2C1D BA 3C2D4C00 mov edx,ayongsof.004C2D3C ; regstockdl1.dll ; note the name differs from the one loaded at 004C2B14 ("dl1" vs "dll") — possibly a transcription artefact in this listing
004C2C22 E8 6D110000 call ayongsof.004C3D94 ; presumably persists the accepted code (confirm; body not shown)
004C2C27 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Self+30C := 1 (registered flag, by usage)
004C2C2A C780 0C030000 0>mov dword ptr ds:[eax+30C],1
004C2C34 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C2C37 E8 2809FAFF call ayongsof.00463564 ; called on Self after success (presumably closes the dialog — confirm)
004C2C3C EB 34 jmp short ayongsof.004C2C72
004C2C3E 6A 00 push 0 ; failure MessageBoxA arguments; the listing stops before the call
004C2C40 68 F02C4C00 push ayongsof.004C2CF0 ; 提示
004C2C45 68 4C2D4C00 push ayongsof.004C2D4C ; 您输入的验证码不正确,请核实!
进入call ebx
; --- Regstock!011896DC: the exported "abc126" the host calls through ebx.
; In: eax = user-entered verify text. Out: al = 1 (accept) / 0 (reject).
; It asks abc123 (01189702) for the expected verify string, compares a prefix of each
; (cut at the "-" literal stored at 011897E0), then applies a second compare against the
; 3-char literal at 011897EC. bl becomes 1 only when both compares succeed.
; Locals (7 zeroed slots): [ebp-4]=input  [ebp-8]=input prefix  [ebp-10],[ebp-14]=expected string
; [ebp-C]=expected prefix  [ebp-1C]=input after 01177698  [ebp-18]=its last 3 chars
011896DC Re> 55 push ebp
011896DD 8BEC mov ebp,esp
011896DF 33C9 xor ecx,ecx ; reserve 7 zeroed dword slots for local strings
011896E1 51 push ecx
011896E2 51 push ecx
011896E3 51 push ecx
011896E4 51 push ecx
011896E5 51 push ecx
011896E6 51 push ecx
011896E7 51 push ecx
011896E8 53 push ebx
011896E9 8945 FC mov dword ptr ss:[ebp-4],eax ;1234567891234567 ; argument arrives in eax (Delphi register convention)
011896EC 8B45 FC mov eax,dword ptr ss:[ebp-4]
011896EF E8 ECAEFEFF call Regstock.011745E0 ; presumably AddRef on the input string (confirm)
011896F4 33C0 xor eax,eax ; try/finally frame, handler 011897C9
011896F6 55 push ebp
011896F7 68 C9971801 push Regstock.011897C9
011896FC 64:FF30 push dword ptr fs:[eax]
011896FF 64:8920 mov dword ptr fs:[eax],esp
01189702 E8 6DFDFFFF call Regstock.abc123 ;算法CALL ; ebx = pointer to the expected verify string
01189707 8BD8 mov ebx,eax
01189709 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; destination for the Copy below
0118970C 50 push eax
0118970D 8B55 FC mov edx,dword ptr ss:[ebp-4]
01189710 B8 E0971801 mov eax,Regstock.011897E0 ; "-" literal (bytes at 011897D8..E3: refcount -1, length 1, "-")
01189715 E8 BEAFFEFF call Regstock.011746D8 ; presumably Pos("-", input) (confirm)
0118971A 8BC8 mov ecx,eax ; count = that position
0118971C BA 01000000 mov edx,1 ; start = 1
01189721 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189724 E8 27AFFEFF call Regstock.01174650 ; [ebp-8] := Copy(input, 1, pos) (01174650 is listed below)
01189729 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0118972C 50 push eax ; saved for the compare at 01189765
0118972D 8D45 F4 lea eax,dword ptr ss:[ebp-C]
01189730 50 push eax ; destination for the Copy at 0118975C
01189731 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; [ebp-10] := AnsiString from the abc123 pointer (01174330, presumably LStrFromPChar — confirm)
01189734 8BD3 mov edx,ebx
01189736 E8 F5ABFEFF call Regstock.01174330
0118973B 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0118973E B8 E0971801 mov eax,Regstock.011897E0 ; position of "-" in the expected string
01189743 E8 90AFFEFF call Regstock.011746D8
01189748 50 push eax
01189749 8D45 EC lea eax,dword ptr ss:[ebp-14] ; [ebp-14] := another AnsiString from the same pointer
0118974C 8BD3 mov edx,ebx
0118974E E8 DDABFEFF call Regstock.01174330
01189753 8B45 EC mov eax,dword ptr ss:[ebp-14]
01189756 BA 01000000 mov edx,1
0118975B 59 pop ecx ; count = position pushed at 01189748
0118975C E8 EFAEFEFF call Regstock.01174650 ; [ebp-C] := Copy(expected, 1, pos)
01189761 8B55 F4 mov edx,dword ptr ss:[ebp-C]
01189764 58 pop eax ; eax = input prefix saved at 0118972C
01189765 E8 D2ADFEFF call Regstock.0117453C ; string compare, sets flags
0118976A 75 40 jnz short Regstock.011897AC ; prefixes differ -> reject
0118976C 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; second condition
0118976F 50 push eax
01189770 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; [ebp-1C] := 01177698(input) — the same helper abc123 applies to the serial; what it does is not shown
01189773 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189776 E8 1DDFFEFF call Regstock.01177698
0118977B 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0118977E E8 75ACFEFF call Regstock.011743F8 ; Length([ebp-1C])
01189783 8BD0 mov edx,eax
01189785 83EA 02 sub edx,2 ; start = Length-2
01189788 B9 03000000 mov ecx,3 ; count = 3
0118978D 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189790 E8 BBAEFEFF call Regstock.01174650 ; [ebp-18] := Copy(input, Length-2, 3)
01189795 8B45 E8 mov eax,dword ptr ss:[ebp-18]
01189798 BA EC971801 mov edx,Regstock.011897EC ; ASCII " **" ; literal at 011897EC (length word 3 at 011897E8)
0118979D E8 9AADFEFF call Regstock.0117453C
011897A2 74 04 je short Regstock.011897A8
011897A4 33DB xor ebx,ebx ; reject
011897A6 EB 06 jmp short Regstock.011897AE
011897A8 B3 01 mov bl,1 ; accept
011897AA EB 02 jmp short Regstock.011897AE
011897AC 33DB xor ebx,ebx ; reject (prefix mismatch)
011897AE 33C0 xor eax,eax ; finally: restore fs:[0] ...
011897B0 5A pop edx
011897B1 59 pop ecx
011897B2 59 pop ecx
011897B3 64:8910 mov dword ptr fs:[eax],edx
011897B6 68 D0971801 push Regstock.011897D0 ; ... release the 7 string locals from [ebp-1C], continue at 011897D0
011897BB 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
011897BE BA 07000000 mov edx,7
011897C3 E8 9CA9FEFF call Regstock.01174164
011897C8 C3 retn
011897C9 ^ E9 12A3FEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler
011897CE ^ EB EB jmp short Regstock.011897BB
011897D0 8BC3 mov eax,ebx ; result in al
011897D2 5B pop ebx
011897D3 8BE5 mov esp,ebp
011897D5 5D pop ebp
011897D6 C3 retn
011897D7 00FF add bh,bh
011897D9 FFFF ??? ; 未知命令
011897DB FF01 inc dword ptr ds:[ecx]
011897DD 0000 add byte ptr ds:[eax],al
011897DF 002D 000000FF add byte ptr ds:[FF000000],ch
011897E5 FFFF ??? ; 未知命令
011897E7 FF03 inc dword ptr ds:[ebx]
011897E9 0000 add byte ptr ds:[eax],al
011897EB 0020 add byte ptr ds:[eax],ah
011897ED 2A2A sub ch,byte ptr ds:[edx]
; --- Regstock!011897EF: OllyDbg lost sync while decoding the string literals that precede it
; ("-" at 011897E0, " **" at 011897EC), so the first two lines are mis-decoded: the bytes
; 55 8B EC at 011897EF..F1 are "push ebp / mov ebp,esp". The routine then builds and
; immediately unwinds a try/finally frame and returns — an empty body (nothing else runs).
011897EF 0055 8B add byte ptr ss:[ebp-75],dl ; 00 = terminator of " **"; 55 8B = start of push ebp / mov ebp,esp
011897F2 EC in al,dx ; EC = tail of mov ebp,esp
011897F3 33C0 xor eax,eax ; try/finally frame, handler 0118980F
011897F5 55 push ebp
011897F6 68 0F981801 push Regstock.0118980F
011897FB 64:FF30 push dword ptr fs:[eax]
011897FE 64:8920 mov dword ptr fs:[eax],esp
01189801 33C0 xor eax,eax ; finally immediately: restore fs:[0]
01189803 5A pop edx
01189804 59 pop ecx
01189805 59 pop ecx
01189806 64:8910 mov dword ptr fs:[eax],edx
01189809 68 16981801 push Regstock.01189816 ; empty finally body, continue at 01189816
0118980E C3 retn
0118980F ^ E9 CCA2FEFF jmp Regstock.01173AE0
01189814 ^ EB F8 jmp short Regstock.0118980E
01189816 5D pop ebp
01189817 C3 retn
进入call Regstock.abc123,这个call计算出真验证码
; --- Regstock!01189474 ("abc123"): computes the expected verify string; returns a pointer in eax.
; Pipeline, as the author's run shows it: drive serial (01188C54) -> decimal ASCII code of each
; character, joined -> binary text (01188DC4, not shown) -> middle slice -> hex text via
; 0118913C ("str1") -> str1 + separator + N pseudo-random digits from 0118935C ("str2").
; Locals (8 zeroed slots): [ebp-14]=serial  [ebp-10]=serial after 01177698, later a copy of [ebp-C]
; [ebp-C]=decimal codes, later str1 / final string  [ebp-4]=binary text  [ebp-8]=middle slice
; [ebp-18]=per-char temp  [ebp-1C]=int temp for fild  [ebp-20]=str2
01189474 Re> 55 push ebp
01189475 8BEC mov ebp,esp
01189477 33C9 xor ecx,ecx ; 8 zeroed string slots
01189479 51 push ecx
0118947A 51 push ecx
0118947B 51 push ecx
0118947C 51 push ecx
0118947D 51 push ecx
0118947E 51 push ecx
0118947F 51 push ecx
01189480 51 push ecx
01189481 53 push ebx
01189482 56 push esi
01189483 33C0 xor eax,eax ; try/finally frame, handler 011895A8
01189485 55 push ebp
01189486 68 A8951801 push Regstock.011895A8
0118948B 64:FF30 push dword ptr fs:[eax]
0118948E 64:8920 mov dword ptr fs:[eax],esp
01189491 E8 BEF7FFFF call Regstock.01188C54 ; hardware identifier (see 01188C54 below); the pointer is into that function's released stack frame
01189496 8BD0 mov edx,eax ; ASCII " 5MT1A8DX")
01189498 8D45 EC lea eax,dword ptr ss:[ebp-14] ; copied into an AnsiString at once — works only because nothing has overwritten the stack yet
0118949B E8 90AEFEFF call Regstock.01174330
011894A0 8B45 EC mov eax,dword ptr ss:[ebp-14]
011894A3 8D55 F0 lea edx,dword ptr ss:[ebp-10] ; [ebp-10] := 01177698(serial) (what it does is not shown; abc126 applies it to the user input too)
011894A6 E8 EDE1FEFF call Regstock.01177698
011894AB 8B45 F0 mov eax,dword ptr ss:[ebp-10]
011894AE E8 45AFFEFF call Regstock.011743F8 ; ebx = Length
011894B3 8BD8 mov ebx,eax
011894B5 85DB test ebx,ebx
011894B7 7E 24 jle short Regstock.011894DD ; empty -> skip the loop
011894B9 BE 01000000 mov esi,1 ; esi = 1-based character index
011894BE 8D55 E8 lea edx,dword ptr ss:[ebp-18]
011894C1 8B45 F0 mov eax,dword ptr ss:[ebp-10] ;字符串5MT1A8DX送eax
011894C4 0FB64430 FF movzx eax,byte ptr ds:[eax+esi-1] ;依次取5MT1A8DX每一位 ; eax = ord(s[esi])
011894C9 E8 7EE2FEFF call Regstock.0117774C ,将5MT1A8DX每一位转换成十进制ASCII码, ; i.e. [ebp-18] := IntToStr(ord)
011894CE 8B55 E8 mov edx,dword ptr ss:[ebp-18]
011894D1 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; [ebp-C] := [ebp-C] + [ebp-18] (01174400, presumably concat — confirm)
011894D4 E8 27AFFEFF call Regstock.01174400
011894D9 46 inc esi
011894DA 4B dec ebx
011894DB ^ 75 E1 jnz short Regstock.011894BE ;循环计算注册码
最后得到注册码:5377844965566888
011894DD 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; [ebp-10] := [ebp-C] (011741D8, presumably string assign — confirm)
011894E0 8B55 F4 mov edx,dword ptr ss:[ebp-C]
011894E3 E8 F0ACFEFF call Regstock.011741D8 ;
011894E8 8D55 FC lea edx,dword ptr ss:[ebp-4] ; [ebp-4] := binary text of the decimal string
011894EB 8B45 F0 mov eax,dword ptr ss:[ebp-10]
011894EE E8 D1F8FFFF call Regstock.01188DC4 ;将5377844965566888逐一转换成二进制ASCII "1011111111110001001001001110101101110110100010001000"
这里就不贴出来否则文章代码很长。
011894F3 8B45 FC mov eax,dword ptr ss:[ebp-4]
011894F6 E8 FDAEFEFF call Regstock.011743F8 ; Length(binary)
011894FB 8BD8 mov ebx,eax
011894FD 83C3 05 add ebx,5 ; ebx = Length + 5
01189500 895D E4 mov dword ptr ss:[ebp-1C],ebx
01189503 DB45 E4 fild dword ptr ss:[ebp-1C]
01189506 D835 B8951801 fdiv dword ptr ds:[11895B8] ; divide by the float constant at 11895B8 (value not shown)
0118950C E8 7393FEFF call Regstock.01172884 ; ebx = that quotient as an integer (presumably Round/Trunc — confirm)
01189511 8BD8 mov ebx,eax
01189513 8D43 02 lea eax,dword ptr ds:[ebx+2] ; esi = (ebx + 2) / same constant, as an integer
01189516 8945 E4 mov dword ptr ss:[ebp-1C],eax
01189519 DB45 E4 fild dword ptr ss:[ebp-1C]
0118951C D835 B8951801 fdiv dword ptr ds:[11895B8]
01189522 E8 5D93FEFF call Regstock.01172884
01189527 8BF0 mov esi,eax
01189529 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; [ebp-8] := Copy(binary, ebx-esi, ebx+esi)
0118952C 50 push eax
0118952D 8D0C1E lea ecx,dword ptr ds:[esi+ebx] ; count
01189530 8BD3 mov edx,ebx
01189532 2BD6 sub edx,esi ; start
01189534 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189537 E8 14B1FEFF call Regstock.01174650 ;去掉注册码前四位和后四位得到84496556的二进制值ASCII "10001001001001110101101110"
0118953C 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; [ebp-C] := hex text of the slice ("str1")
0118953F 8B45 F8 mov eax,dword ptr ss:[ebp-8]
01189542 E8 F5FBFFFF call Regstock.0118913C ;第一个关键算法
01189547 FF75 F4 push dword ptr ss:[ebp-C] ; 得到串1值335AE7F ; pushed for the 3-part concat at 01189576
0118954A 68 C4951801 push Regstock.011895C4 ; separator literal (not shown; "-" judging by the final value)
0118954F 8B45 F4 mov eax,dword ptr ss:[ebp-C]
01189552 E8 A1AEFEFF call Regstock.011743F8 ; eax = Length(str1)
01189557 03C0 add eax,eax ; 2*Length(str1)
01189559 50 push eax
0118955A B8 2D000000 mov eax,2D
0118955F 5A pop edx
01189560 2BC2 sub eax,edx
01189562 40 inc eax ; eax = 0x2D - 2*Length(str1) + 1 = number of digits to generate (32 for a 7-char str1)
01189563 8D55 E0 lea edx,dword ptr ss:[ebp-20] ; [ebp-20] := str2
01189566 E8 F1FDFFFF call Regstock.0118935C ; 第二个关键算法
得到串2值00822631340408029373687313428241
0118956B FF75 E0 push dword ptr ss:[ebp-20]
0118956E 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; [ebp-C] := str1 + separator + str2 (3 parts, edx=3)
01189571 BA 03000000 mov edx,3
01189576 E8 3DAFFEFF call Regstock.011744B8 这里将串1-串2联结起来
得到ASCII "335AE7F-00822631340408029373687313428241"也就是验证码。
0118957B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0118957E E8 6DB0FEFF call Regstock.011745F0 ; ebx = pointer handed back to the caller (presumably the string's char pointer — confirm)
01189583 8BD8 mov ebx,eax
01189585 33C0 xor eax,eax ; finally: restore fs:[0] ...
01189587 5A pop edx
01189588 59 pop ecx
01189589 59 pop ecx
0118958A 64:8910 mov dword ptr fs:[eax],edx
0118958D 68 AF951801 push Regstock.011895AF ; ... release [ebp-20] and the 6 strings from [ebp-18], continue at 011895AF
01189592 8D45 E0 lea eax,dword ptr ss:[ebp-20]
01189595 E8 A6ABFEFF call Regstock.01174140
0118959A 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0118959D BA 06000000 mov edx,6
011895A2 E8 BDABFEFF call Regstock.01174164
011895A7 C3 retn
011895A8 ^ E9 33A5FEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler
011895AD ^ EB E3 jmp short Regstock.01189592
011895AF 8BC3 mov eax,ebx
011895B1 5E pop esi
011895B2 5B pop ebx
011895B3 8BE5 mov esp,ebp
011895B5 5D pop ebp
011895B6 C3 retn
进入call 01188C54获得字符串
; --- Regstock!01188C54: hardware-identifier read. Returns in eax a pointer to a 20-byte text
; field that lives in THIS function's stack frame (released on return — the caller must copy
; it before anything else touches the stack; abc123 does so immediately, which is fragile).
; The constants below are standard Win32/ATA values and identify the request as ATA IDENTIFY
; DEVICE sent through SMART_RCV_DRIVE_DATA; the string the author asks about at the end
; (" M51T8AXD" -> "5MT1A8DX") is, by every sign here, the drive's serial-number field.
; Defender's view: a licence bound to a disk serial read this way is a weak identifier — it is
; not secret (any process allowed to open the device can read it), and because the NT path
; opens the device with GENERIC_WRITE it presumably fails without administrator rights, in
; which case the default string at 01188D9C is returned instead and the code derived from it
; differs from the one computed as admin.
; Frame: [ebp-239]=SENDCMDINPARAMS (0x20 bytes)  [ebp-218]=bytes returned  [ebp-214]=HANDLE
;        [ebp-210]=SENDCMDOUTPARAMS (0x210 bytes; its bBuffer starts at [ebp-200])
01188C54 55 push ebp
01188C55 8BEC mov ebp,esp
01188C57 81C4 C4FDFFFF add esp,-23C ; 0x23C bytes of locals
01188C5D 53 push ebx
01188C5E BB 9C8D1801 mov ebx,Regstock.01188D9C ; default return value (literal at 01188D9C, content not shown)
01188C63 A1 78A61801 mov eax,dword ptr ds:[118A678]
01188C68 8338 02 cmp dword ptr ds:[eax],2 ; 2 = VER_PLATFORM_WIN32_NT; presumably Delphi's Win32Platform global — confirm
01188C6B 75 21 jnz short Regstock.01188C8E ; not NT (Win9x) -> SMARTVSD path
01188C6D 6A 00 push 0 ; hTemplateFile
01188C6F 6A 00 push 0 ; dwFlagsAndAttributes
01188C71 6A 03 push 3 ; OPEN_EXISTING
01188C73 6A 00 push 0 ; lpSecurityAttributes
01188C75 6A 03 push 3 ; FILE_SHARE_READ|FILE_SHARE_WRITE
01188C77 68 000000C0 push C0000000 ; GENERIC_READ|GENERIC_WRITE — write access to the raw disk device needs admin rights on NT
01188C7C 68 A08D1801 push Regstock.01188DA0 ; ASCII "\\.\PhysicalDrive0"
01188C81 E8 66D8FEFF call <jmp.&kernel32.CreateFileA>
01188C86 8985 ECFDFFFF mov dword ptr ss:[ebp-214],eax
01188C8C EB 1C jmp short Regstock.01188CAA
01188C8E 6A 00 push 0
01188C90 6A 00 push 0
01188C92 6A 01 push 1 ; CREATE_NEW — the documented way to open the Win9x SMART VxD
01188C94 6A 00 push 0
01188C96 6A 00 push 0
01188C98 6A 00 push 0
01188C9A 68 B48D1801 push Regstock.01188DB4 ; ASCII "\\.\SMARTVSD"
01188C9F E8 48D8FEFF call <jmp.&kernel32.CreateFileA>
01188CA4 8985 ECFDFFFF mov dword ptr ss:[ebp-214],eax
01188CAA 83BD ECFDFFFF F>cmp dword ptr ss:[ebp-214],-1 ; INVALID_HANDLE_VALUE
01188CB1 0F84 DC000000 je Regstock.01188D93 ; device could not be opened -> return the default string in ebx
01188CB7 33C0 xor eax,eax ; try/finally (handler 01188D6B) so the handle is always closed
01188CB9 55 push ebp
01188CBA 68 6B8D1801 push Regstock.01188D6B
01188CBF 64:FF30 push dword ptr fs:[eax]
01188CC2 64:8920 mov dword ptr fs:[eax],esp
01188CC5 8D85 C7FDFFFF lea eax,dword ptr ss:[ebp-239] ; zero the 0x20-byte input block (01172CA8: FillChar-style with value ecx=0 and length edx — confirm)
01188CCB 33C9 xor ecx,ecx
01188CCD BA 20000000 mov edx,20
01188CD2 E8 D19FFEFF call Regstock.01172CA8
01188CD7 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210] ; zero the 0x210-byte output block
01188CDD 33C9 xor ecx,ecx
01188CDF BA 10020000 mov edx,210
01188CE4 E8 BF9FFEFF call Regstock.01172CA8
01188CE9 33C0 xor eax,eax
01188CEB 8985 E8FDFFFF mov dword ptr ss:[ebp-218],eax ; bytesReturned = 0
01188CF1 C785 C7FDFFFF 0>mov dword ptr ss:[ebp-239],200 ; SENDCMDINPARAMS.cBufferSize = 512 (one IDENTIFY sector)
01188CFB C685 CCFDFFFF 0>mov byte ptr ss:[ebp-234],1 ; irDriveRegs.bSectorCountReg = 1
01188D02 C685 CDFDFFFF 0>mov byte ptr ss:[ebp-233],1 ; irDriveRegs.bSectorNumberReg = 1
01188D09 C685 D0FDFFFF A>mov byte ptr ss:[ebp-230],0A0 ; irDriveRegs.bDriveHeadReg = 0xA0 (master drive)
01188D10 C685 D1FDFFFF E>mov byte ptr ss:[ebp-22F],0EC ; irDriveRegs.bCommandReg = 0xEC = ATA IDENTIFY DEVICE (ID_CMD)
01188D17 6A 00 push 0 ; lpOverlapped
01188D19 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
01188D1F 50 push eax ; lpBytesReturned
01188D20 68 10020000 push 210 ; nOutBufferSize = SENDCMDOUTPARAMS header + 512-byte bBuffer
01188D25 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210]
01188D2B 50 push eax ; lpOutBuffer
01188D2C 6A 20 push 20 ; nInBufferSize
01188D2E 8D85 C7FDFFFF lea eax,dword ptr ss:[ebp-239]
01188D34 50 push eax ; lpInBuffer
01188D35 68 88C00700 push 7C088 ; dwIoControlCode = 0x0007C088 = SMART_RCV_DRIVE_DATA
01188D3A 8B85 ECFDFFFF mov eax,dword ptr ss:[ebp-214]
01188D40 50 push eax ; hDevice
01188D41 E8 B6D7FEFF call <jmp.&kernel32.DeviceIoControl>
01188D46 85C0 test eax,eax
01188D48 75 07 jnz short Regstock.01188D51
01188D4A E8 75AEFEFF call Regstock.01173BC4 ; IOCTL failed: error routine (presumably raises — confirm), then leave with the default string
01188D4F EB 42 jmp short Regstock.01188D93
01188D51 33C0 xor eax,eax ; finally: restore fs:[0] ...
01188D53 5A pop edx
01188D54 59 pop ecx
01188D55 59 pop ecx
01188D56 64:8910 mov dword ptr fs:[eax],edx
01188D59 68 728D1801 push Regstock.01188D72 ; ... run the finally body (CloseHandle), continue at 01188D72
01188D5E 8B85 ECFDFFFF mov eax,dword ptr ss:[ebp-214]
01188D64 50 push eax
01188D65 E8 6AD7FEFF call <jmp.&kernel32.CloseHandle>
01188D6A C3 retn
01188D6B ^ E9 70ADFEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler, re-enters the body through 01188D70
01188D70 ^ EB EC jmp short Regstock.01188D5E
01188D72 8D9D 00FEFFFF lea ebx,dword ptr ss:[ebp-200] ; ebx = SENDCMDOUTPARAMS.bBuffer (after the 16-byte cBufferSize + DRIVERSTATUS header) = the IDENTIFY block
01188D78 8D43 14 lea eax,dword ptr ds:[ebx+14] ;这里显示堆栈地址=0012F4E4, (ASCII " M51T8AXD") ; +0x14 = IDENTIFY words 10..19 = the 20-char serial-number field
01188D7B BA 14000000 mov edx,14 ; length 20
01188D80 E8 AFFEFFFF call Regstock.01188C34 ; in-place fix-up of the field (body not shown); the before/after strings (" M51T8AXD" -> " 5MT1A8DX") are consistent with undoing the per-word byte swap ATA uses for text fields — confirm
01188D85 8D43 14 lea eax,dword ptr ds:[ebx+14]
01188D88 83C0 14 add eax,14 ;经过上面call调整为eax=0012F4E4, (ASCII " 5MT1A8DX") ; eax = one past the 20-byte field
01188D8B C600 00 mov byte ptr ds:[eax],0 ; NUL-terminate the serial in place
01188D8E 8D43 14 lea eax,dword ptr ds:[ebx+14]
01188D91 8BD8 mov ebx,eax ; return the pointer to the serial text (stack memory of this frame)
01188D93 8BC3 mov eax,ebx
01188D95 5B pop ebx
01188D96 8BE5 mov esp,ebp
01188D98 5D pop ebp
01188D99 C3 retn
进入call 01174650
; --- Regstock!01174650: looks like the Delphi RTL's System.Copy for AnsiString (_LStrCopy):
; eax = source, edx = 1-based start index, ecx = count, [esp+8] = destination string variable
; (the pushed argument, released by "retn 4"). Index and count are clamped to the source
; length, so the routine never reads past the string. The author's comments describe its use
; on the binary digit string; the routine itself is generic.
01174650 53 push ebx
01174651 85C0 test eax,eax ;判断二进制注册码是否为0 ; nil source (empty AnsiString) -> empty result
01174653 74 2D je short Regstock.01174682
01174655 8B58 FC mov ebx,dword ptr ds:[eax-4] ;不是将注册码二进制位也就是二进制位的总长度送ebx ; [eax-4] = AnsiString length prefix
01174658 85DB test ebx,ebx ;判断长度是否为0
0117465A 74 26 je short Regstock.01174682
0117465C 4A dec edx ;edx值减1 ; 1-based index -> 0-based offset
0117465D 7C 1B jl short Regstock.0117467A ; index < 1 -> use offset 0
0117465F 39DA cmp edx,ebx ;edx(注册码前四位二进制位长度)同ebx(注册码二进制位的总长度)比较 ; offset past the end -> empty result
01174661 7D 1F jge short Regstock.01174682
01174663 29D3 sub ebx,edx ;ebx值减去,edx值(去掉注册码前四位二进制值) ; ebx = characters available from the offset
01174665 85C9 test ecx,ecx ;需保留注册码二进制位长度 ; negative count -> empty result
01174667 7C 19 jl short Regstock.01174682
01174669 39D9 cmp ecx,ebx ; ; clamp count to what is available
0117466B 7F 11 jg short Regstock.0117467E
0117466D 01C2 add edx,eax ; edx = address of the first character to copy
0117466F 8B4424 08 mov eax,dword ptr ss:[esp+8] ; eax = destination variable
01174673 E8 B8FBFFFF call Regstock.01174230 ;这个call去掉注册码后四位二进制值得到10001001001001110101101110,这里就不贴出来否则文章代码很长。 ; builds the new string from (edx, ecx) — body not shown
01174678 EB 11 jmp short Regstock.0117468B
0117467A 31D2 xor edx,edx
0117467C ^ EB E5 jmp short Regstock.01174663
0117467E 89D9 mov ecx,ebx
01174680 ^ EB EB jmp short Regstock.0117466D
01174682 8B4424 08 mov eax,dword ptr ss:[esp+8]
01174686 E8 B5FAFFFF call Regstock.01174140 ; empty result: clear the destination (presumably _LStrClr — confirm)
0117468B 5B pop ebx
0117468C C2 0400 retn 4 ; pops the destination argument
0117468F C3 retn
============================================================================================================================================
进入第一个关键算法call 0118913C
; --- Regstock!0118913C: the author's "first key algorithm". In: eax = binary digit string,
; edx = destination string variable. The input is consumed 4 characters at a time from the
; right; each group is zero-padded on the left to 4 characters, evaluated as a nibble with
; weights 8/4/2/1, passed through 01188F30 (value+1 -> digit text) and PREPENDED to the
; accumulator, so the output reads left-to-right in the original order.
; Locals (10 zeroed slots): [ebp-4]=input  [ebp-8]=current 4-char group  [ebp-C]=remaining input
; [ebp-10]=accumulated output  [ebp-14..-20]=single-char temporaries  [ebp-24],[ebp-28]=digit text
0118913C 55 push ebp
0118913D 8BEC mov ebp,esp
0118913F B9 05000000 mov ecx,5 ; 5 x 2 pushes = 10 zeroed local slots
01189144 6A 00 push 0
01189146 6A 00 push 0
01189148 49 dec ecx
01189149 ^ 75 F9 jnz short Regstock.01189144
0118914B 53 push ebx
0118914C 56 push esi
0118914D 8BF2 mov esi,edx ; esi = destination variable
0118914F 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = input
01189152 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189155 E8 86B4FEFF call Regstock.011745E0 ; presumably AddRef on the input (confirm)
0118915A 33C0 xor eax,eax ; try/finally frame, handler 01189328
0118915C 55 push ebp
0118915D 68 28931801 push Regstock.01189328
01189162 64:FF30 push dword ptr fs:[eax]
01189165 64:8920 mov dword ptr fs:[eax],esp
01189168 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; [ebp-8] := Copy(input, Length-3, 4) — the last four characters
0118916B 50 push eax
0118916C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0118916F E8 84B2FEFF call Regstock.011743F8
01189174 8BD0 mov edx,eax
01189176 83EA 03 sub edx,3
01189179 B9 04000000 mov ecx,4
0118917E 8B45 FC mov eax,dword ptr ss:[ebp-4]
01189181 E8 CAB4FEFF call Regstock.01174650
01189186 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; [ebp-C] := Copy(input, 1, Length-4) — everything before them
01189189 50 push eax
0118918A 8B45 FC mov eax,dword ptr ss:[ebp-4]
0118918D E8 66B2FEFF call Regstock.011743F8
01189192 8BC8 mov ecx,eax
01189194 83E9 04 sub ecx,4
01189197 BA 01000000 mov edx,1
0118919C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0118919F E8 ACB4FEFF call Regstock.01174650
011891A4 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; clear the accumulator
011891A7 E8 94AFFEFF call Regstock.01174140
011891AC E9 42010000 jmp Regstock.011892F3 ; jump to the loop condition
011891B1 33DB xor ebx,ebx ; loop body: ebx = nibble value
011891B3 8B45 F8 mov eax,dword ptr ss:[ebp-8]
011891B6 E8 3DB2FEFF call Regstock.011743F8
011891BB 48 dec eax
011891BC 75 10 jnz short Regstock.011891CE ; Length == 1 -> left-pad with "000"
011891BE 8D45 F8 lea eax,dword ptr ss:[ebp-8]
011891C1 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
011891C4 BA 40931801 mov edx,Regstock.01189340 ; ASCII "000" ; 01174444: dest := edx + ecx (3-operand concat — confirm)
011891C9 E8 76B2FEFF call Regstock.01174444
011891CE 8B45 F8 mov eax,dword ptr ss:[ebp-8]
011891D1 E8 22B2FEFF call Regstock.011743F8
011891D6 83F8 02 cmp eax,2
011891D9 75 10 jnz short Regstock.011891EB ; Length == 2 -> left-pad with "00"
011891DB 8D45 F8 lea eax,dword ptr ss:[ebp-8]
011891DE 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
011891E1 BA 4C931801 mov edx,Regstock.0118934C ; ASCII "00"
011891E6 E8 59B2FEFF call Regstock.01174444
011891EB 8B45 F8 mov eax,dword ptr ss:[ebp-8]
011891EE E8 05B2FEFF call Regstock.011743F8
011891F3 83F8 03 cmp eax,3
011891F6 75 10 jnz short Regstock.01189208 ; Length == 3 -> left-pad with the literal at 01189358 (not shown; presumably "0")
011891F8 8D45 F8 lea eax,dword ptr ss:[ebp-8]
011891FB 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
011891FE BA 58931801 mov edx,Regstock.01189358
01189203 E8 3CB2FEFF call Regstock.01174444
01189208 8D45 EC lea eax,dword ptr ss:[ebp-14] ; char 1: ebx += StrToInt(group[1]) * 8
0118920B 50 push eax
0118920C B9 01000000 mov ecx,1
01189211 BA 01000000 mov edx,1
01189216 8B45 F8 mov eax,dword ptr ss:[ebp-8]
01189219 E8 32B4FEFF call Regstock.01174650
0118921E 8B45 EC mov eax,dword ptr ss:[ebp-14]
01189221 E8 8AE5FEFF call Regstock.011777B0 ; text -> integer (StrToInt-like; confirm)
01189226 03C0 add eax,eax
01189228 03C0 add eax,eax
0118922A 03C0 add eax,eax
0118922C 03D8 add ebx,eax
0118922E 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; char 2: ebx += StrToInt(group[2]) * 4
01189231 50 push eax
01189232 B9 01000000 mov ecx,1
01189237 BA 02000000 mov edx,2
0118923C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0118923F E8 0CB4FEFF call Regstock.01174650
01189244 8B45 E8 mov eax,dword ptr ss:[ebp-18]
01189247 E8 64E5FEFF call Regstock.011777B0
0118924C 03C0 add eax,eax
0118924E 03C0 add eax,eax
01189250 03D8 add ebx,eax
01189252 8D45 E4 lea eax,dword ptr ss:[ebp-1C] ; char 3: ebx += StrToInt(group[3]) * 2
01189255 50 push eax
01189256 B9 01000000 mov ecx,1
0118925B BA 03000000 mov edx,3
01189260 8B45 F8 mov eax,dword ptr ss:[ebp-8]
01189263 E8 E8B3FEFF call Regstock.01174650
01189268 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0118926B E8 40E5FEFF call Regstock.011777B0
01189270 03C0 add eax,eax
01189272 03D8 add ebx,eax
01189274 8D45 E0 lea eax,dword ptr ss:[ebp-20] ; char 4: ebx += StrToInt(group[4])
01189277 50 push eax
01189278 B9 01000000 mov ecx,1
0118927D BA 04000000 mov edx,4
01189282 8B45 F8 mov eax,dword ptr ss:[ebp-8]
01189285 E8 C6B3FEFF call Regstock.01174650
0118928A 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0118928D E8 1EE5FEFF call Regstock.011777B0 ;二进制转十六进制
01189292 03D8 add ebx,eax ;这里得到十六进制值 ; ebx = nibble value 0..15
01189294 8D55 D8 lea edx,dword ptr ss:[ebp-28] ; [ebp-28] := IntToStr(ebx)
01189297 8BC3 mov eax,ebx
01189299 E8 AEE4FEFF call Regstock.0117774C ;十六进制转十进制
0118929E 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; [ebp-24] := 01188F30([ebp-28]) — value+1 as one digit (see its listing below)
011892A1 8D55 DC lea edx,dword ptr ss:[ebp-24]
011892A4 E8 87FCFFFF call Regstock.01188F30 ; 关键算法
011892A9 8B55 DC mov edx,dword ptr ss:[ebp-24] ; [ebp-10] := [ebp-24] + [ebp-10] — prepend, since groups are taken right to left
011892AC 8D45 F0 lea eax,dword ptr ss:[ebp-10]
011892AF 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
011892B2 E8 8DB1FEFF call Regstock.01174444 ;将值从后往前存储到串1
011892B7 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; next group: [ebp-8] := last 4 chars of the remainder
011892BA 50 push eax
011892BB 8B45 F4 mov eax,dword ptr ss:[ebp-C]
011892BE E8 35B1FEFF call Regstock.011743F8
011892C3 8BD0 mov edx,eax
011892C5 83EA 03 sub edx,3
011892C8 B9 04000000 mov ecx,4
011892CD 8B45 F4 mov eax,dword ptr ss:[ebp-C]
011892D0 E8 7BB3FEFF call Regstock.01174650
011892D5 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; remainder := everything before them
011892D8 50 push eax
011892D9 8B45 F4 mov eax,dword ptr ss:[ebp-C]
011892DC E8 17B1FEFF call Regstock.011743F8
011892E1 8BC8 mov ecx,eax
011892E3 83E9 04 sub ecx,4
011892E6 BA 01000000 mov edx,1
011892EB 8B45 F4 mov eax,dword ptr ss:[ebp-C]
011892EE E8 5DB3FEFF call Regstock.01174650 从后按4位取二进制值
011892F3 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; loop condition: while Length(group) > 0
将ASCII "10001001001001110101101110"从后按4位取二进制值送eax; 不足用0补充
011892F6 E8 FDB0FEFF call Regstock.011743F8
011892FB 85C0 test eax,eax
011892FD ^ 0F8F AEFEFFFF jg Regstock.011891B1
上面的循环结束后得到验证码的串1值335AE7F
01189303 8BC6 mov eax,esi ; destination := accumulator (01174194, presumably string assign — confirm)
01189305 8B55 F0 mov edx,dword ptr ss:[ebp-10]
01189308 E8 87AEFEFF call Regstock.01174194
0118930D 33C0 xor eax,eax ; finally: restore fs:[0] ...
0118930F 5A pop edx
01189310 59 pop ecx
01189311 59 pop ecx
01189312 64:8910 mov dword ptr fs:[eax],edx
01189315 68 2F931801 push Regstock.0118932F ; ... release the 10 string locals from [ebp-28], continue at 0118932F
0118931A 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0118931D BA 0A000000 mov edx,0A
01189322 E8 3DAEFEFF call Regstock.01174164
01189327 C3 retn
01189328 ^ E9 B3A7FEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler
0118932D ^ EB EB jmp short Regstock.0118931A
0118932F 5E pop esi
01189330 5B pop ebx
01189331 8BE5 mov esp,ebp
01189333 5D pop ebp
01189334 C3 retn
进入call 01188F30
; --- Regstock!01188F30: maps a nibble value (decimal text in eax) to one output digit, written
; to the string variable at edx. Steps: n := StrToInt(s) + 1; s := IntToStr(n); unless s sorts
; above the literal at 0118909C (not shown), a single-character s is returned as is; "10".."15"
; are replaced by the literals at 011890B4 .. 0118912C (contents not shown — from the final
; value "335AE7F" presumably "A".."F"); anything else gets the literal at 01189138. Note that
; n = 16 is reachable (a nibble is 0..15, +1 gives 1..16) and lands in that default branch.
; Locals: [ebp-4]=input, then its IntToStr form  [ebp-8]=result  [ebp-C]=temp
01188F30 55 push ebp
01188F31 8BEC mov ebp,esp
01188F33 6A 00 push 0 ; 3 zeroed string slots
01188F35 6A 00 push 0
01188F37 6A 00 push 0
01188F39 53 push ebx
01188F3A 8BDA mov ebx,edx ; ebx = destination variable
01188F3C 8945 FC mov dword ptr ss:[ebp-4],eax
01188F3F 8B45 FC mov eax,dword ptr ss:[ebp-4]
01188F42 E8 99B6FEFF call Regstock.011745E0 ; presumably AddRef on the input (confirm)
01188F47 33C0 xor eax,eax ; try/finally frame, handler 01189087
01188F49 55 push ebp
01188F4A 68 87901801 push Regstock.01189087
01188F4F 64:FF30 push dword ptr fs:[eax]
01188F52 64:8920 mov dword ptr fs:[eax],esp
01188F55 8B45 FC mov eax,dword ptr ss:[ebp-4]
01188F58 E8 53E8FEFF call Regstock.011777B0 ;十进制转十六进制 ; eax = StrToInt(s)
01188F5D 40 inc eax ;结果加1 ; +1 — this is why the nibble range shifts to 1..16
01188F5E 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; [ebp-C] := IntToStr(eax)
01188F61 E8 E6E7FEFF call Regstock.0117774C
01188F66 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; [ebp-4] := [ebp-C]
01188F69 8D45 FC lea eax,dword ptr ss:[ebp-4]
01188F6C E8 67B2FEFF call Regstock.011741D8
01188F71 8B45 FC mov eax,dword ptr ss:[ebp-4] ; compare with the literal at 0118909C (not shown)
01188F74 BA 9C901801 mov edx,Regstock.0118909C
01188F79 E8 BEB5FEFF call Regstock.0117453C
01188F7E 77 1B ja short Regstock.01188F9B ; above it -> go straight to the "10".."15" chain
01188F80 8B45 FC mov eax,dword ptr ss:[ebp-4]
01188F83 E8 70B4FEFF call Regstock.011743F8
01188F88 48 dec eax
01188F89 75 10 jnz short Regstock.01188F9B ; Length != 1 -> chain
01188F8B 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; single digit: result := s
01188F8E 8B55 FC mov edx,dword ptr ss:[ebp-4]
01188F91 E8 42B2FEFF call Regstock.011741D8
01188F96 E9 C7000000 jmp Regstock.01189062
01188F9B 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "10" -> literal 011890B4
01188F9E BA A8901801 mov edx,Regstock.011890A8 ; ASCII "10"
01188FA3 E8 94B5FEFF call Regstock.0117453C
01188FA8 75 12 jnz short Regstock.01188FBC
01188FAA 8D45 F8 lea eax,dword ptr ss:[ebp-8]
01188FAD BA B4901801 mov edx,Regstock.011890B4
01188FB2 E8 21B2FEFF call Regstock.011741D8
01188FB7 E9 A6000000 jmp Regstock.01189062
01188FBC 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "11" -> literal 011890CC
01188FBF BA C0901801 mov edx,Regstock.011890C0 ; ASCII "11"
01188FC4 E8 73B5FEFF call Regstock.0117453C
01188FC9 75 12 jnz short Regstock.01188FDD
01188FCB 8D45 F8 lea eax,dword ptr ss:[ebp-8]
01188FCE BA CC901801 mov edx,Regstock.011890CC
01188FD3 E8 00B2FEFF call Regstock.011741D8
01188FD8 E9 85000000 jmp Regstock.01189062
01188FDD 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "12" -> literal 011890E4
01188FE0 BA D8901801 mov edx,Regstock.011890D8 ; ASCII "12"
01188FE5 E8 52B5FEFF call Regstock.0117453C
01188FEA 75 0F jnz short Regstock.01188FFB
01188FEC 8D45 F8 lea eax,dword ptr ss:[ebp-8]
01188FEF BA E4901801 mov edx,Regstock.011890E4
01188FF4 E8 DFB1FEFF call Regstock.011741D8
01188FF9 EB 67 jmp short Regstock.01189062
01188FFB 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "13" -> literal 011890FC
01188FFE BA F0901801 mov edx,Regstock.011890F0 ; ASCII "13"
01189003 E8 34B5FEFF call Regstock.0117453C
01189008 75 0F jnz short Regstock.01189019
0118900A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0118900D BA FC901801 mov edx,Regstock.011890FC
01189012 E8 C1B1FEFF call Regstock.011741D8
01189017 EB 49 jmp short Regstock.01189062
01189019 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "14" -> literal 01189114
0118901C BA 08911801 mov edx,Regstock.01189108 ; ASCII "14"
01189021 E8 16B5FEFF call Regstock.0117453C
01189026 75 0F jnz short Regstock.01189037
01189028 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0118902B BA 14911801 mov edx,Regstock.01189114
01189030 E8 A3B1FEFF call Regstock.011741D8
01189035 EB 2B jmp short Regstock.01189062
01189037 8B45 FC mov eax,dword ptr ss:[ebp-4] ; s == "15" -> literal 0118912C
0118903A BA 20911801 mov edx,Regstock.01189120 ; ASCII "15"
0118903F E8 F8B4FEFF call Regstock.0117453C
01189044 75 0F jnz short Regstock.01189055
01189046 8D45 F8 lea eax,dword ptr ss:[ebp-8]
01189049 BA 2C911801 mov edx,Regstock.0118912C
0118904E E8 85B1FEFF call Regstock.011741D8
01189053 EB 0D jmp short Regstock.01189062
01189055 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; default (includes "16"): literal 01189138
01189058 BA 38911801 mov edx,Regstock.01189138
0118905D E8 76B1FEFF call Regstock.011741D8
01189062 8BC3 mov eax,ebx ; destination := result
01189064 8B55 F8 mov edx,dword ptr ss:[ebp-8]
01189067 E8 28B1FEFF call Regstock.01174194
0118906C 33C0 xor eax,eax ; finally: restore fs:[0] ...
0118906E 5A pop edx
0118906F 59 pop ecx
01189070 59 pop ecx
01189071 64:8910 mov dword ptr fs:[eax],edx
01189074 68 8E901801 push Regstock.0118908E ; ... release the 3 string locals from [ebp-C], continue at 0118908E
01189079 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0118907C BA 03000000 mov edx,3
01189081 E8 DEB0FEFF call Regstock.01174164
01189086 C3 retn
01189087 ^ E9 54AAFEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler
0118908C ^ EB EB jmp short Regstock.01189079
0118908E 5B pop ebx
0118908F 8BE5 mov esp,ebp
01189091 5D pop ebp
01189092 C3 retn
========================================================
进入第二个关键算法call 0118935C
; --- Regstock!0118935C: the author's "second key algorithm". In: eax = number of digits,
; edx = destination string variable. Builds that many decimal digits, each from 01172CC8 with
; range 10 (Random(10)), and assigns the string to the destination. The caller passes
; 0x2D - 2*Length(str1) + 1 (32 for the 7-character str1 in the author's run).
; Defender's view: nothing in the listing seeds the generator (the author notes the seed starts
; at 0), so this "random" half is the same fixed digit string on every machine and contributes
; no per-installation entropy to the verify code.
; Locals: [ebp-4]=accumulated digits  [ebp-8]=current digit text
0118935C 55 push ebp
0118935D 8BEC mov ebp,esp
0118935F 6A 00 push 0 ; 2 zeroed string slots
01189361 6A 00 push 0
01189363 53 push ebx
01189364 56 push esi
01189365 8BF2 mov esi,edx ; esi = destination variable
01189367 8BD8 mov ebx,eax ; ebx = digits to generate
01189369 33C0 xor eax,eax ; try/finally frame, handler 011893C8
0118936B 55 push ebp
0118936C 68 C8931801 push Regstock.011893C8
01189371 64:FF30 push dword ptr fs:[eax]
01189374 64:8920 mov dword ptr fs:[eax],esp
01189377 8D45 FC lea eax,dword ptr ss:[ebp-4] ; clear the accumulator
0118937A E8 C1ADFEFF call Regstock.01174140
0118937F 85DB test ebx,ebx
01189381 7E 20 jle short Regstock.011893A3 ; count <= 0 -> empty result
01189383 B8 0A000000 mov eax,0A ; Range = 10
01189388 E8 3B99FEFF call Regstock.01172CC8 ; 关键算法 ; eax = next value in 0..9 (listing below)
得到注册码后半段也就是”串2”的ASCII "00822631340408029373687313428241"
0118938D 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; [ebp-8] := IntToStr(eax)
01189390 E8 B7E3FEFF call Regstock.0117774C
01189395 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; [ebp-4] := [ebp-4] + [ebp-8]
01189398 8D45 FC lea eax,dword ptr ss:[ebp-4]
0118939B E8 60B0FEFF call Regstock.01174400
011893A0 4B dec ebx
011893A1 ^ 75 E0 jnz short Regstock.01189383
011893A3 8BC6 mov eax,esi ; destination := accumulator
011893A5 8B55 FC mov edx,dword ptr ss:[ebp-4]
011893A8 E8 E7ADFEFF call Regstock.01174194
011893AD 33C0 xor eax,eax ; finally: restore fs:[0] ...
011893AF 5A pop edx
011893B0 59 pop ecx
011893B1 59 pop ecx
011893B2 64:8910 mov dword ptr fs:[eax],edx
011893B5 68 CF931801 push Regstock.011893CF ; ... release the 2 string locals from [ebp-8], continue at 011893CF
011893BA 8D45 F8 lea eax,dword ptr ss:[ebp-8]
011893BD BA 02000000 mov edx,2
011893C2 E8 9DADFEFF call Regstock.01174164
011893C7 C3 retn
011893C8 ^ E9 13A7FEFF jmp Regstock.01173AE0 ; exception path: RTL finally handler
011893CD ^ EB EB jmp short Regstock.011893BA
011893CF 5E pop esi
011893D0 5B pop ebx
011893D1 59 pop ecx
011893D2 59 pop ecx
011893D3 5D pop ebp
011893D4 C3 retn
进入关键算法call 01172CC8
算法分析:开始时eax值初始化为0A,[ebx+118A008]值初始化为零
每次调用,[ebx+118A008]值将被更新而eax值始终为0A。
; --- Regstock!01172CC8: the Delphi RTL's System.Random(Range), eax = Range (always 10 here).
; Linear congruential generator over the 32-bit global RandSeed at 118A008:
;   seed   := seed * $8088405 + 1      (mod 2^32)  — $8088405 and +1 are Delphi's constants
;   result := (seed * Range) shr 32                 — a value in 0..Range-1
; ebx is zeroed only so the global can be addressed as [ebx+118A008] (the RTL's relocatable
; encoding). No Randomize appears anywhere in the listing, so the sequence is deterministic.
01172CC8 53 push ebx
01172CC9 31DB xor ebx,ebx
01172CCB 6993 08A01801 0>imul edx,dword ptr ds:[ebx+118A008],8088405 ; ; edx = low 32 bits of seed * $8088405
将乘积结果的低32位送edx
01172CD5 42 inc edx ; + 1
01172CD6 8993 08A01801 mov dword ptr ds:[ebx+118A008],edx ; store the new seed
01172CDC F7E2 mul edx ;将乘积结果的高32位送edx ; edx:eax = Range * seed; edx = high dword = (seed * Range) shr 32
01172CDE 89D0 mov eax,edx ; result
01172CE0 5B pop ebx
01172CE1 C3 retn
算法总结:
计算验证码串1:
首先得到字符串(ASCII " M51T8AXD")
调整后得到5MT1A8DX,依次取每一位,将其ASCII码转换成十进制并连接起来,得到
5377844965566888,然后将5377844965566888分别取每一位将其转换成二进制得到
1011111111110001001001001110101101110110100010001000
去掉注册码前四位和后四位得到84496556的二进制值
ASCII "10001001001001110101101110"
从后往前每次取4位(不足4位时在前面用0补齐),转换成十六进制后再加一
循环7次最后得到串1值335AE7F
计算验证码串2:
进入算法call 01172CC8
开始时eax值初始化为0A,[ebx+118A008]值初始化为零
每次调用,[ebx+118A008]值将被更新而eax值始终为0A。
edx=[ebx+118A008]*8088405(将乘积结果的低32位值赋值给edx)
edx++(将edx的值加一)
[ebx+118A008]=edx(将edx值赋值给[ebx+118A008])
edx=eax*edx(将乘积结果的高32位值赋值给edx)
eax=edx(将edx值赋值给eax)
循环调用32次得到串2值00822631340408029373687313428241
最后串1-串2得到验证码:335AE7F-00822631340408029373687313428241
我是菜鸟,这是我的第一篇正式的破文,不足之处还请大家多多指教。其中还有一点不
明白,就是这个字符串(ASCII " M51T8AXD")从何而来,我想应该不是磁盘
的卷的序列号,不知是否是我的机器码,如果是请问如何查看自己的机器码,还请哪位高手指点一下。