【Title】: Analysis of a simple restart-validation registration algorithm
【Author】: RCracker
【Software】: JBookMaker 1.06 free edition (claims to be free, but actually has restrictions)
【Download】: search for it yourself
【Software description】: JBookMaker (JBM for short) turns text (TXT) files into a format that Java-capable phones can run, so they can be read on the phone. The result is what is usually called a Java book; here we call it a JBook. JBM is a portable program consisting of a single EXE that needs no installation; the file is just over 1 MB, and using it does not require installing a Java runtime of several tens of megabytes on the PC, which is rare among Java-book creation tools of this kind.
【Author's note】: Written purely out of interest, with no other purpose. Corrections from the experts are welcome wherever I have slipped up!
--------------------------------------------------------------------------------
【Detailed process】
Run the program, enter a user name and registration code, and click OK: it turns out to be restart validation (the code is checked on the next launch).
Load it in OD (OllyDbg) and unpack it with the ESP rule.
Load the unpacked program in OD:
00402B38 > $ 68 B8404000 PUSH JBookMak.004040B8 ; (Initial CPU selection)
00402B3D . E8 EEFFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
00402B42 . 0000 ADD BYTE PTR DS:[EAX],AL
00402B44 . 0000 ADD BYTE PTR DS:[EAX],AL
00402B46 . 0000 ADD BYTE PTR DS:[EAX],AL
00402B48 . 3000 XOR BYTE PTR DS:[EAX],AL
00402B4A . 0000 ADD BYTE PTR DS:[EAX],AL
00402B4C . 40 INC EAX
00402B4D . 0000 ADD BYTE PTR DS:[EAX],AL
Search for strings and find "regcode"; there are two occurrences.
---------------------------------
A. Ultra String Reference, item 407
Address=004207BF
Disassembly=MOV EDX,JBookMak.00409DFC
Text string=regcode
B. Ultra String Reference, item 452
Address=004284B4
Disassembly=MOV EDX,JBookMak.00409DFC
Text string=regcode
---------------------------------
Location A is presumably the key one (validation at startup); double-click it:
004207B1 . BA B8804000 MOV EDX,JBookMak.004080B8
004207B6 . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
004207B9 . FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004207BF . BA FC9D4000 MOV EDX,JBookMak.00409DFC ; regcode
004207C4 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
004207C7 . FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004207CD . BA E49D4000 MOV EDX,JBookMak.00409DE4 ; register
004207D2 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004207D5 . FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004207DB . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
004207DE . 51 PUSH ECX
004207DF . 8D55 98 LEA EDX,DWORD PTR SS:[EBP-68]
004207E2 . 52 PUSH EDX
004207E3 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004207E6 . 50 PUSH EAX
004207E7 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
004207ED . 51 PUSH ECX
004207EE . E8 0D870000 CALL JBookMak.00428F00
004207F3 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
004207F9 . 52 PUSH EDX
004207FA . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
00420800 . 50 PUSH EAX
00420801 . FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.rtcTrimVar>] ; msvbvm60.rtcTrimVar
00420807 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0042080D . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00420810 . FF15 14104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
00420816 . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00420819 . 51 PUSH ECX
0042081A . 8D55 98 LEA EDX,DWORD PTR SS:[EBP-68]
0042081D . 52 PUSH EDX
0042081E . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00420821 . 50 PUSH EAX
00420822 . 6A 03 PUSH 3
00420824 . FF15 EC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
0042082A . 83C4 10 ADD ESP,10
0042082D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00420833 . FF15 20104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00420839 . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
00420840 . 66:C785 38FFF>MOV WORD PTR SS:[EBP-C8],1
00420849 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0042084C . 51 PUSH ECX
0042084D . FF15 50104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrErrVarCopy>] ; msvbvm60.__vbaStrErrVarCopy
00420853 . 8945 84 MOV DWORD PTR SS:[EBP-7C],EAX ; serial number
00420856 . C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],8
00420860 . C785 44FFFFFF>MOV DWORD PTR SS:[EBP-BC],JBookMak.00409E10 ; fixed string AI34K123
0042086A . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],8
00420874 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
00420877 . 52 PUSH EDX
00420878 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0042087E . 50 PUSH EAX
0042087F . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00420885 . 51 PUSH ECX
00420886 . FF15 AC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCat>] ; msvbvm60.__vbaVarCat
0042088C . 50 PUSH EAX
0042088D . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
00420893 . 52 PUSH EDX
00420894 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0042089A . 50 PUSH EAX
0042089B . FF15 AC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCat>] ; msvbvm60.__vbaVarCat
004208A1 . 50 PUSH EAX
004208A2 . FF15 2C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarMove>] ; user name, serial number and fixed string concatenated in that order
004208A8 . 8BD0 MOV EDX,EAX
004208AA . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004208AD . FF15 40124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004208B3 . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
004208B9 . 51 PUSH ECX
004208BA . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
004208BD . 52 PUSH EDX
004208BE . E8 DD8A0000 CALL JBookMak.004293A0 ; key CALL (1)
004208C3 . 8985 54FFFFFF MOV DWORD PTR SS:[EBP-AC],EAX ; real registration code
004208C9 . C785 4CFFFFFF>MOV DWORD PTR SS:[EBP-B4],8
Enter key CALL (1):
004293A0 $ 55 PUSH EBP
004293A1 . 8BEC MOV EBP,ESP
004293A3 . 83EC 0C SUB ESP,0C
004293A6 . 68 76274000 PUSH <JMP.&msvbvm60.__vbaExceptHandler> ; SE handler installation
004293AB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004293B1 . 50 PUSH EAX
------------------ part of the code omitted ------------------
004294CB . 8D85 90FEFFFF LEA EAX,DWORD PTR SS:[EBP-170]
004294D1 . 8D8D ACFEFFFF LEA ECX,DWORD PTR SS:[EBP-154]
004294D7 . 50 PUSH EAX ; /Arg2
004294D8 . 51 PUSH ECX ; |Arg1
004294D9 . E8 220C0000 CALL JBookMak.0042A100 ; \JBookMak.0042A100
004294DE . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
004294E1 . FF15 20104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004294E7 . 8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
004294ED . 52 PUSH EDX
004294EE . 57 PUSH EDI
004294EF . FF15 E4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaErase>] ; msvbvm60.__vbaErase
004294F5 . E8 360A0000 CALL JBookMak.00429F30 ; key CALL (2)
//
Enter key CALL (2) and find:
-------------------------
A=0x01234567
B=0x89abcdef
C=0xfedcba98
D=0x76543210
Four constants; presumably the MD5 algorithm (these are MD5's standard initial state words A, B, C and D).
-------------------------
//
004294FA . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004294FD . 66:8338 01 CMP WORD PTR DS:[EAX],1
00429501 . 0F85 1E020000 JNZ JBookMak.00429725
00429507 . 8B0D 90D04200 MOV ECX,DWORD PTR DS:[42D090]
0042950D . 83C1 04 ADD ECX,4
00429510 . 51 PUSH ECX
00429511 . E8 7A050000 CALL JBookMak.00429A90 ; take characters 1-8 of the string
00429516 . 8B1D 40124000 MOV EBX,DWORD PTR DS:[<&msvbvm60.__vbaStrMove>]
0042951C . 8BD0 MOV EDX,EAX
0042951E . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00429521 . FFD3 CALL EBX ; <&msvbvm60.__vbaStrMove>
00429523 . 8B15 90D04200 MOV EDX,DWORD PTR DS:[42D090]
00429529 . 83C2 08 ADD EDX,8
0042952C . 52 PUSH EDX
0042952D . E8 5E050000 CALL JBookMak.00429A90 ; take characters 9-16 of the string
00429532 . 8BD0 MOV EDX,EAX
00429534 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00429537 . FFD3 CALL EBX
00429539 . A1 90D04200 MOV EAX,DWORD PTR DS:[42D090]
0042953E . 83C0 0C ADD EAX,0C
00429541 . 50 PUSH EAX
00429542 . E8 49050000 CALL JBookMak.00429A90 ; take characters 17-24 of the string
00429547 . 8BD0 MOV EDX,EAX
00429549 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0042954C . FFD3 CALL EBX
0042954E . 8B0D 90D04200 MOV ECX,DWORD PTR DS:[42D090]
00429554 . 83C1 10 ADD ECX,10
00429557 . 51 PUSH ECX
00429558 . E8 33050000 CALL JBookMak.00429A90 ; take characters 25-32 of the string
0042955D . 8BD0 MOV EDX,EAX
0042955F . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00429562 . FFD3 CALL EBX
00429564 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00429567 . 8B35 38124000 MOV ESI,DWORD PTR DS:[<&msvbvm60.rtcLeftCharVar>] ; msvbvm60.rtcLeftCharVar
0042956D . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
------------------ part of the code omitted ------------------
00429683 . 50 PUSH EAX
00429684 . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
0042968A . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
00429690 . 50 PUSH EAX
00429691 . 51 PUSH ECX
00429692 . FFD6 CALL ESI
00429694 . 50 PUSH EAX
00429695 . FF15 2C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
What follows is simple and is not analysed here. The registration code has the form:
(characters 1-6)-(characters 9-14)-(characters 17-22)-(characters 25-30)
--------------------------------------------------------------------------------
【Summary】
1. The user name, serial number and fixed string are concatenated in that order to form a new string.
2. The new string is hashed with MD5 and the hex digest is converted to upper case.
3. The upper-case hex string is sliced in the form shown above to give the registration code.
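The following Python is an added illustration, not code from the original post or from JBookMaker, and it serves two points above: recognising MD5 from the four initial-state constants seen in key CALL (2), and the concatenate/MD5/upper-case/slice scheme in the summary. It assumes the concatenated string is hashed as UTF-8 bytes (the post does not state the encoding a VB6 program uses), and the fixed string is a parameter; the demo uses a constructed placeholder rather than the program's own constant. The security lesson it makes concrete is that every input to this check (user name, serial number, fixed string, hash function) is recoverable from the binary, so an unkeyed hash embedded in the client is no stronger than no check at all; only a secret that never ships with the client (for example a server-held signing key whose public half the client verifies) changes that.

```python
import hashlib
import hmac
import struct

# MD5's initial state words (RFC 1321, section 3.3). A routine that loads these
# four words is almost always an MD5 implementation; SHA-1 shares the first four
# but adds a fifth (0xC3D2E1F0), so the count matters too.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def looks_like_md5_init(constants):
    """True if the four 32-bit constants are MD5's initial state.

    Accepts either byte order, because a debugger listing may show the words
    as stored in memory (0x01234567 ...) or as register values (0x67452301 ...).
    """
    consts = tuple(constants)
    if len(consts) != 4:
        return False
    byte_swapped = tuple(struct.unpack("<I", struct.pack(">I", c))[0] for c in consts)
    return consts == MD5_IV or byte_swapped == MD5_IV


def derive_registration_code(username, serial, fixed_string, encoding="utf-8"):
    """Rebuild the scheme from the summary: concat -> MD5 -> upper-case hex -> slice.

    The result is characters 1-6, 9-14, 17-22 and 25-30 (1-based) of the 32-character
    upper-case digest, joined with '-'. Encoding is an assumption (see lead-in).
    """
    material = (username + serial + fixed_string).encode(encoding)
    digest = hashlib.md5(material).hexdigest().upper()
    groups = [digest[start:start + 6] for start in (0, 8, 16, 24)]
    return "-".join(groups)


def check_registration(username, serial, fixed_string, entered_code):
    """Client-side check as the program performs it: recompute and compare.

    The comparison itself is done in constant time, but that does not rescue the
    scheme: anyone holding the binary holds every input to derive_registration_code.
    """
    expected = derive_registration_code(username, serial, fixed_string)
    return hmac.compare_digest(expected, entered_code.strip().upper())


if __name__ == "__main__":
    # Constants exactly as the post lists them from the debugger (memory byte order).
    seen_in_binary = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
    print("MD5 initial state:", looks_like_md5_init(seen_in_binary))

    # Constructed demo inputs; the fixed string is a placeholder, not the program's.
    user, serial_no, salt = "demo-user", "0000-0000", "PLACEHOLDER-FIXED-STRING"
    code = derive_registration_code(user, serial_no, salt)
    print("derived code:", code)
    print("accepts own code:", check_registration(user, serial_no, salt, code))
    print("rejects wrong code:", check_registration(user, serial_no, salt, "000000-000000-000000-000000"))
```

The test values below use the well-known MD5 digests of the empty string and of "abc", so the slicing can be checked without trusting the code under test to compute its own expected value.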
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!