昨日尝试着用OD破解 PEDIY CrackMe 2007 中[序列号-analog]这个例子中的CrackMe---aescul.exe。
发现在OD中地址403038~403183这段代码跟例子中破解作者analog所给出的这段地址的反汇编码很不一致,现分别贴出来
我用OD看到的(也换用过PEDIY提供的OLLYICE,看到的也是如此)
; OllyDbg's view of aescul.exe, 00403038-00403183, apparently taken before the code at 00403050 has run.
; Only 00403038-0040304F decodes to sensible code: it installs an SEH frame (handler 00403393) and sets
; TF (EFLAGS bit 8) via PUSHFD / OR EAX,100 / POPFD, so every following instruction raises a single-step
; exception that, when no debugger intercepts it, is dispatched through the SEH chain to that handler.
; From 00403050 on the bytes are not meaningful as code (INT3, then junk). That is consistent with the
; region being stored encoded in the file and decoded at run time by the handler; a debugger consumes the
; single-step exceptions itself, so the handler never runs and the raw bytes are what is shown here.
; Where analog's listing has 00 bytes (e.g. 004030EB-004030ED, 004030F6-004030F9, 00403119) this view has
; FF, but the relation is not a plain constant XOR (00403051: F6 vs 21), so the scheme is not obvious.
; NOTE(review): the decode-by-handler mechanism is inferred from the prologue, not observed — confirm by
; letting the exceptions reach the program (Shift+F9 in OllyDbg) or by tracing the handler at 00403393.
00403038 . 33C0 XOR EAX,EAX ; eax = 0, used as the FS:[0] offset below
0040303A . 68 93334000 PUSH aescul.00403393 ; address of the exception handler
0040303F . 64:FF30 PUSH DWORD PTR FS:[EAX] ; save the current head of the SEH chain
00403042 . 64:8920 MOV DWORD PTR FS:[EAX],ESP ; install the new SEH frame {prev, 00403393}
00403045 . 9C PUSHFD ; keep the original EFLAGS (analog's listing shows the matching POPFD at 004030FA)
00403046 . 9C PUSHFD ; second copy, consumed by the POP below
00403047 . 58 POP EAX ; eax = EFLAGS
00403048 . 0D 00010000 OR EAX,100 ; set bit 8 = TF (trap flag)
0040304D . 50 PUSH EAX
0040304E . 9D POPFD ; EFLAGS.TF = 1: a single-step (#DB) exception fires after each following instruction
0040304F . 90 NOP ; the first single-step trap fires once this instruction has executed
00403050 . CC INT3 ; from here the bytes no longer match analog's listing (analog: 33F6 xor esi,esi) — see header
00403051 . 2133 AND DWORD PTR DS:[EBX],ESI ; OllyDbg's best-effort decode of non-code bytes
00403053 . 00CC ADD AH,CL
00403055 . 5A POP EDX
00403056 . D196 DE96EFFF RCL DWORD PTR DS:[ESI+FFEF96DE],1
0040305C . 40 INC EAX
0040305D . FBEAFDFF DD FFFDEAFB
00403061 55 DB 55 ; CHAR 'U'
00403062 2A DB 2A ; CHAR '*'
00403063 D4 DB D4
00403064 42 DB 42 ; CHAR 'B'
00403065 . 7EEEFDFF DD FFFDEE7E
00403069 88 DB 88
0040306A . 515EBFFF DD FFBF5E51
0040306E D5 DB D5
0040306F DF DB DF
00403070 CC INT3
00403071 C7 DB C7
00403072 C1 DB C1
00403073 . FD STD
00403074 . 7C 3E JL SHORT aescul.004030B4
00403076 . C3 RETN
00403077 B8 DB B8
00403078 > 04 FF ADD AL,0FF
0040307A FF DB FF
0040307B FF DB FF
0040307C 77 DB 77 ; CHAR 'w'
0040307D F1 DB F1
0040307E D5 DB D5
0040307F 9F DB 9F
00403080 CC INT3
00403081 8F DB 8F
00403082 87 DB 87
00403083 78 DB 78 ; CHAR 'x'
00403084 74 DB 74 ; CHAR 't'
00403085 7C DB 7C ; CHAR '|'
00403086 5C DB 5C ; CHAR '\'
00403087 7A DB 7A ; CHAR 'z'
00403088 FF DB FF
00403089 FF DB FF
0040308A FF DB FF
0040308B BB DB BB
0040308C B8 DB B8
0040308D FD DB FD
0040308E 86 DB 86
0040308F 05 DB 05
00403090 2A DB 2A ; CHAR '*'
00403091 37 DB 37 ; CHAR '7'
00403092 1F DB 1F
00403093 1C DB 1C
00403094 FD DB FD
00403095 89 DB 89
00403096 44 DB 44 ; CHAR 'D'
00403097 54 DB 54 ; CHAR 'T'
00403098 73 DB 73 ; CHAR 's'
00403099 99 DB 99
0040309A 42 DB 42 ; CHAR 'B'
0040309B 3A DB 3A ; CHAR ':'
0040309C 79 DB 79 ; CHAR 'y'
0040309D . 8AF6FDFF DD FFFDF68A
004030A1 8E DB 8E
004030A2 58 DB 58 ; CHAR 'X'
004030A3 . FEBA7FFF DD FF7FBAFE
004030A7 26 DB 26 ; CHAR '&'
004030A8 . C3 RETN
004030A9 51 DB 51 ; CHAR 'Q'
004030AA AE DB AE
004030AB 3E DB 3E ; CHAR '>'
004030AC 39 DB 39 ; CHAR '9'
004030AD F7 DB F7
004030AE D1 DB D1
004030AF CB DB CB
004030B0 . 54B7EFFF DD FFEFB754
004030B4 >^ 74 C2 JE SHORT aescul.00403078
004030B6 . F7D5FBFF DD FFFBD5F7
004030BA 31 DB 31 ; CHAR '1'
004030BB 1E DB 1E
004030BC 8A DB 8A
004030BD 9B DB 9B
004030BE F1 DB F1
004030BF C9 DB C9
004030C0 BF DB BF
004030C1 8E DB 8E
004030C2 5E DB 5E ; CHAR '^'
004030C3 . A2BD7FFF DD FF7FBDA2
004030C7 A3 DB A3
004030C8 16 DB 16
004030C9 . BFAEDFFF DD FFDFAEBF
004030CD 89 DB 89
004030CE F0 DB F0
004030CF 54 DB 54 ; CHAR 'T'
004030D0 0E DB 0E
004030D1 8F DB 8F
004030D2 4E DB 4E ; CHAR 'N'
004030D3 FD DB FD
004030D4 74 DB 74 ; CHAR 't'
004030D5 F2 DB F2
004030D6 . 15EDFBFF DD FFFBED15
004030DA 1D DB 1D
004030DB B0 DB B0
004030DC . FD75FEFF DD FFFE75FD
004030E0 4C DB 4C ; CHAR 'L'
004030E1 87 DB 87
004030E2 A2 DB A2
004030E3 F9 DB F9
004030E4 38 DB 38 ; CHAR '8'
004030E5 F5 DB F5
004030E6 . 34DDFBFF DD FFFBDD34
004030EA BF DB BF
004030EB FF DB FF ; analog's listing has 00 here (imm32 of mov dword ptr [4044F2],1)
004030EC FF DB FF
004030ED FF DB FF
004030EE 50 DB 50 ; CHAR 'P'
004030EF AF DB AF
004030F0 83 DB 83
004030F1 5F DB 5F ; CHAR '_'
004030F2 . 43DDBFFF DD FFBFDD43
004030F6 FF DB FF ; analog's listing has 00 00 00 00 here (imm32 of mov dword ptr [4044F2],0)
004030F7 FF DB FF
004030F8 FF DB FF
004030F9 FF DB FF
004030FA 98 DB 98
004030FB 66 DB 66 ; CHAR 'f'
004030FC 3F DB 3F ; CHAR '?'
004030FD 37 DB 37 ; CHAR '7'
004030FE C1 DB C1
004030FF FF DB FF
00403100 C7 DB C7
00403101 67 DB 67 ; CHAR 'g'
00403102 FE DB FE
00403103 3E DB 3E ; CHAR '>'
00403104 C2 DB C2
00403105 . 1AEEFDFF DD FFFDEE1A
00403109 DF DB DF
0040310A A2 DB A2
0040310B 75 DB 75 ; CHAR 'u'
0040310C 95 DB 95
0040310D 7F DB 7F
0040310E 5E DB 5E ; CHAR '^'
0040310F . 16FBF7FF DD FFF7FB16
00403113 CB DB CB
00403114 . 547DFEFF DD FFFE7D54
00403118 59 DB 59 ; CHAR 'Y'
00403119 FF DB FF
0040311A C5 DB C5
0040311B AB DB AB
0040311C FC DB FC
0040311D FF DB FF
0040311E FF DB FF
0040311F A0 DB A0
00403120 CE DB CE
00403121 B2 DB B2
00403122 F3 DB F3
00403123 CB DB CB
00403124 . AF7FFEFF DD FFFE7FAF
00403128 79 DB 79 ; CHAR 'y'
00403129 . 35EFDFFF DD FFDFEF35
0040312D 2B DB 2B ; CHAR '+'
0040312E FF DB FF
0040312F B8 DB B8
00403130 C6 DB C6
00403131 9F DB 9F
00403132 FF DB FF
00403133 FF DB FF
00403134 95 DB 95
00403135 FF DB FF
00403136 5C DB 5C ; CHAR '\'
00403137 B9 DB B9
00403138 CF DB CF
00403139 FF DB FF
0040313A FF DB FF
0040313B 3B DB 3B ; CHAR ';' ; analog's listing starts the nibble-mapping helper here (8935 EE444000)
0040313C CA DB CA
0040313D . 22EEFDFF DD FFFDEE22
00403141 8E DB 8E
00403142 BA DB BA
00403143 . 8ABB7FFF DD FF7FBB8A
00403147 A3 DB A3
00403148 2F DB 2F ; CHAR '/'
00403149 . 23EEDFFF DD FFDFEE23
0040314D 89 DB 89
0040314E B8 DB B8
0040314F 6C DB 6C ; CHAR 'l'
00403150 DF DB DF
00403151 99 DB 99
00403152 4B DB 4B ; CHAR 'K'
00403153 78 DB 78 ; CHAR 'x'
00403154 41 DB 41 ; CHAR 'A'
00403155 17 DB 17
00403156 . AB STOS DWORD PTR ES:[EDI]
00403157 . FFE7 JMP EDI
00403159 23 DB 23 ; CHAR '#'
0040315A 3C DB 3C ; CHAR '<'
0040315B FF DB FF
0040315C FF DB FF
0040315D FE DB FE
0040315E 1A DB 1A
0040315F D7 DB D7
00403160 1B DB 1B
00403161 8F DB 8F
00403162 4C DB 4C ; CHAR 'L'
00403163 87 DB 87
00403164 B9 DB B9
00403165 89 DB 89
00403166 3C DB 3C ; CHAR '<'
00403167 5C DB 5C ; CHAR '\'
00403168 6F DB 6F ; CHAR 'o'
00403169 B7 DB B7
0040316A . 3117 XOR DWORD PTR DS:[EDI],EDX
0040316C . 833433 69 XOR DWORD PTR DS:[EBX+ESI],69
00403170 . 41 INC ECX
00403171 . C3 RETN
00403172 9D DB 9D
00403173 75 DB 75 ; CHAR 'u'
00403174 . 1577FEFF DD FFFE7715
00403178 47 DB 47 ; CHAR 'G'
00403179 59 DB 59 ; CHAR 'Y'
0040317A . 44DDBFFF DD FFBFDD44
0040317E . C3 RETN
0040317F 0A DB 0A
00403180 BF DB BF
00403181 BA DB BA
00403182 6F DB 6F ; CHAR 'o'
00403183 . 1E PUSH DS ; analog's listing has C3 RETN here (end of the 0040313B helper) — last byte of the mismatched region
例子中analog所给出的反汇编代码
; Listing from analog's write-up of the same range, 00403038-00403183. The first 0x18 bytes match the
; debugger view; from 00403050 on this is the code as it exists after the handler at 00403393 has
; processed it (presumably decoded under the single-step exceptions set up by the prologue).
; Structure: (1) install SEH frame + set TF; (2) map each byte of "WS"+ProductID to two alphabet chars
; via a stateful lookup (helper at 0040313B); (3) compare 16 bytes of the entered serial with the result;
; (4) restore EFLAGS, unlink the SEH frame, show MessageBox, ExitProcess.
; NOTE(review): the lines without the "|." analysis marker (004030A7, 004030BC, 004030CF, 004030E2) carry
; cmp eax,eax (always equal) and je-to-failure where the comments describe jnz-to-failure. That looks like
; bytes edited in the debugger, i.e. the patched (cracked) check rather than the original — confirm.
00403038 |. 33C0 xor eax,eax ; eax = 0, used as the FS:[0] offset below
0040303A |. 68 93334000 push aescul.00403393 ; address of the exception handler
0040303F |. 64:FF30 push dword ptr fs:[eax] ; save the current head of the SEH chain
00403042 |. 64:8920 mov dword ptr fs:[eax],esp ; install the new SEH frame {prev, 00403393}
00403045 |. 9C pushfd ; keep the original EFLAGS; restored by the popfd at 004030FA
00403046 |. 9C pushfd ; second copy, consumed by the pop below
00403047 |. 58 pop eax ; eax=246H (EFLAGS)
00403048 |. 0D 00010000 or eax,100 ; eax=346H: bit 8 = TF (trap flag) set
0040304D |. 50 push eax
0040304E |. 9D popfd ; TF = 1 from here until 004030FA: single-step exception after every instruction
0040304F |. 90 nop
00403050 |. 33F6 xor esi,esi ; esi = 0, index into the input string
00403052 |. 33FF xor edi,edi ; clear (edi is reloaded below)
00403054 |. 33D2 xor edx,edx ; clear
00403056 |. 8B2D 124B4000 mov ebp,dword ptr ds:[404B12] ; ebp = loop count (24 per analog)
0040305C |. BF 02454000 mov edi,aescul.00404502 ; edi -> buffer receiving the transformed serial
00403061 |> 55 /push ebp ; the loop body reuses ebp/edi/esi, so save them
00403062 |. 57 |push edi
00403063 |. 56 |push esi
00403064 |. BD C0444000 |mov ebp,aescul.004044C0 ; ASCII "0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM" (string 2: the 37-char alphabet used by the helper)
00403069 |. BB BA434000 |mov ebx,aescul.004043BA ; ASCII "WS55661-640-0059266-23364" ("WS" + ProductID)
0040306E |. 8A0433 |mov al,byte ptr ds:[ebx+esi] ; al = byte i of "WS"+ProductID
00403071 |. C1F8 04 |sar eax,4 ; eax >>= 4 (arithmetic)
00403074 |. 83E0 0F |and eax,0F ; eax = high nibble of that byte (upper bits of eax are irrelevant after the mask)
00403077 |. E8 BF000000 |call aescul.0040313B ; al = alphabet char for this nibble
0040307C |. 8807 |mov byte ptr ds:[edi],al ; out[2i] = mapped high nibble
0040307E |. 8A0C33 |mov cl,byte ptr ds:[ebx+esi] ; cl = the same input byte
00403081 |. 83E1 0F |and ecx,0F ; ecx = low nibble of that byte
00403084 |. 8BC1 |mov eax,ecx ; helper takes the nibble in eax
00403086 |. E8 B0000000 |call aescul.0040313B ; al = alphabet char for this nibble
0040308B |. 8847 01 |mov byte ptr ds:[edi+1],al ; out[2i+1] = mapped low nibble
0040308E |. 5E |pop esi
0040308F |. 5F |pop edi
00403090 |. 5D |pop ebp
00403091 |. 46 |inc esi ; i++
00403092 |. 83C7 02 |add edi,2 ; out += 2
00403095 |. 3BEE |cmp ebp,esi ; loop while i != count (24)
00403097 |.^ 75 C8 \jnz short aescul.00403061
00403099 |. 33F6 xor esi,esi ; now compare the entered serial with the transformed string, one dword at a time (16 bytes total)
0040309B |. 8B86 BA424000 mov eax,dword ptr ds:[esi+4042BA] ; dword of the entered serial
004030A1 |. 8B9E 02454000 mov ebx,dword ptr ds:[esi+404502] ; dword of the transformed string
004030A7 3BC0 cmp eax,eax ; first comparison — always equal, so the jnz below never fires (probably patched from 3BC3 cmp eax,ebx; no "|." marker — TODO confirm)
004030A9 |. 75 45 jnz short aescul.004030F0 ; (never taken)
004030AB |. 83C6 04 add esi,4
004030AE |. 8B86 BA424000 mov eax,dword ptr ds:[esi+4042BA]
004030B4 |. 8B9E 02454000 mov ebx,dword ptr ds:[esi+404502]
004030BA |. 3BC3 cmp eax,ebx ; second comparison
004030BC 74 32 je short aescul.004030F0 ; original comment: "jump if different" — but 74 is JE (jump to failure when EQUAL); looks patched from 75 JNZ
004030BE |. 83C6 04 add esi,4
004030C1 |. 8B86 BA424000 mov eax,dword ptr ds:[esi+4042BA]
004030C7 |. 8B9E 02454000 mov ebx,dword ptr ds:[esi+404502]
004030CD |. 3BC3 cmp eax,ebx ; third comparison
004030CF 74 1F je short aescul.004030F0 ; same: JE where the comment describes JNZ — likely patched
004030D1 |. 83C6 04 add esi,4
004030D4 |. 8B86 BA424000 mov eax,dword ptr ds:[esi+4042BA]
004030DA |. 8B9E 02454000 mov ebx,dword ptr ds:[esi+404502]
004030E0 |. 3BC3 cmp eax,ebx ; fourth comparison
004030E2 74 0C je short aescul.004030F0 ; same: JE where the comment describes JNZ — likely patched
004030E4 |. C705 F2444000 0>mov dword ptr ds:[4044F2],1 ; registered flag = 1 (success)
004030EE |. EB 0A jmp short aescul.004030FA
004030F0 |> C705 F2444000 0>mov dword ptr ds:[4044F2],0 ; registered flag = 0 (failure)
004030FA |> 9D popfd ; restore the EFLAGS saved at 00403045 (clears TF)
004030FB |. 33C0 xor eax,eax
004030FD |. 64:8F00 pop dword ptr fs:[eax] ; unlink the SEH frame: FS:[0] = previous head
00403100 |. 83C4 04 add esp,4 ; drop the handler address
00403103 |. 833D F2444000 0>cmp dword ptr ds:[4044F2],1 ; registered?
0040310A |. 75 15 jnz short aescul.00403121
0040310C |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040310E |. 68 3D404000 push aescul.0040403D ; |Title = "Congratulations..."
00403113 |. 68 AB414000 push aescul.004041AB ; |Text = "Registered to: yuchao"
00403118 |. 6A 00 push 0 ; |hOwner = NULL
0040311A |. E8 A8030000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA ; success message
0040311F |. EB 13 jmp short aescul.00403134
00403121 |> 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00403123 |. 68 50404000 push aescul.00404050 ; |Title = "Error"
00403128 |. 68 56404000 push aescul.00404056 ; |Text = "Wrong Serial Number!"
0040312D |. 6A 00 push 0 ; |hOwner = NULL
0040312F |. E8 93030000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA ; failure message
00403134 |> 6A 00 push 0 ; /ExitCode = 0
00403136 \. E8 C8030000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040313B /$ 8935 EE444000 mov dword ptr ds:[4044EE],esi ; helper: in eax = nibble 0..F, ebp -> alphabet; out al = next alphabet char whose low nibble equals eax, searching from the position saved by the previous call. Saves caller's esi in [4044EE]
00403141 |. 8B15 EA444000 mov edx,dword ptr ds:[4044EA] ; edx = position where the previous call stopped (the mapping is stateful)
00403147 |. 8B0D E6444000 mov ecx,dword ptr ds:[4044E6] ; ecx = alphabet length (37)
0040314D |. 3BD1 cmp edx,ecx ; did the previous call run off the end of the alphabet?
0040314F |. 72 02 jb short aescul.00403153 ; edx < length: keep the saved position
00403151 |. 33D2 xor edx,edx ; otherwise restart from 0
00403153 |> 0FBE7415 00 /movsx esi,byte ptr ss:[ebp+edx] ; esi = alphabet[edx], sign-extended
00403158 |. 81E6 0F000080 |and esi,8000000F ; keep the low nibble and the sign bit
0040315E |. 79 05 |jns short aescul.00403165 ; sign bit clear (all ASCII chars): skip the fixup
00403160 |. 4E |dec esi ; compiler idiom for signed x % 16 on negative x; not reached for this alphabet
00403161 |. 83CE F0 |or esi,FFFFFFF0
00403164 |. 46 |inc esi
00403165 |> 3BF0 |cmp esi,eax ; alphabet[edx] % 16 == wanted nibble?
00403167 |. 74 09 |je short aescul.00403172 ; yes: done
00403169 |. 42 |inc edx ; edx++
0040316A |. 3BD1 |cmp edx,ecx ; chars left? (jl: signed compare)
0040316C |.^ 7C E5 |jl short aescul.00403153
0040316E |. 33D2 |xor edx,edx ; wrapped: search again from 0 (terminates because every nibble 0..F occurs in the alphabet)
00403170 |.^ EB E1 \jmp short aescul.00403153
00403172 |> 8915 EA444000 mov dword ptr ds:[4044EA],edx ; remember the match position; the next call resumes from here
00403178 |. 8B35 EE444000 mov esi,dword ptr ds:[4044EE] ; restore caller's esi
0040317E |. 0FBE042A movsx eax,byte ptr ds:[edx+ebp] ; eax = the matched alphabet char
00403182 |. 42 inc edx ; edx++ after the save — no visible consumer in the caller
00403183 \. C3 retn
因为我才刚刚接触破解,也是刚刚才接触OD这个软件,不明白为什么会出现这种情况,故发此贴求助于各位,万望释疑。