【文章标题】: “变形”MD5 - Adsl超级一线通计时软件 v2.15
【文章作者】: Suyana
【作者邮箱】: Suyasha@163.com
【作者QQ号】: 517949855(请注明来自看雪论坛)
【软件名称】: Adsl超级一线通计时软件 v2.15
【加壳方式】: 无壳
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: OD
【软件介绍】: 具有ADSL、ISDN和拨号上网计时的功能。提供每天上网
【作者声明】: 我只是一只小菜鸟,失误之处难免,敬望诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用peid查看一下,无壳,Microsoft Visual C++ 6.0,顺便查看一下加密算法,哈,又是md5
(MD5 :: 0000F37E :: 0040F37E),自从Image To PDF以来,算上这个,偶破了三个软件,都 是md5的。不知该是喜是忧呀!
软件注册失败没有提示,但成功有。运行,注册,下断"GetWindowTextA",点"确定",程序中断 在0043C41F,这只是是一个读取的函数,所以按Ctrl+F9返回,来到:
00408706 push edi
00408707 mov edi, [esp+C]
0040870B lea eax, [esi+60]
0040870E push eax ; /Arg3
0040870F push 403 ; |Arg2 = 00000403
00408714 push edi ; |Arg1
00408715 call 0043C3F0 ; \得到机器码
0040871A lea eax, [esi+64]
0040871D push eax ; /Arg3
0040871E push 402 ; |Arg2 = 00000402
00408723 push edi ; |Arg1
00408724 call 0043C3F0 ; \得到注册码
00408729 add esi, 68
0040872C push esi ; /Arg3
0040872D push 401 ; |Arg2 = 00000401
00408732 push edi ; |Arg1
00408733 call 0043C3F0 ; \得到邮箱
00408738 pop edi
这也只是一个读取机器码的函数,同样,按Ctrl+F9返回,来到:
00434B95 mov ecx, esi
00434B97 call [eax+84] ; 取机器码,邮箱,注册码
00434B9D mov dword ptr [ebp+8], 1 ; 返回到这里
00434BA4 jmp short 00434BCD
...
按F8单步跟踪,程序返回到:
004087E5 |. 895D E0 mov [ebp-20], ebx
004087E8 |. E8 5BC30200 call 00434B48
004087ED |. 8B46 68 mov eax, [esi+68] ; 返回到这里
004087F0 |. 8D7E 68 lea edi, [esi+68]
004087F3 |. 3958 F8 cmp [eax-8], ebx
004087F6 |. 74 1C je short 00408814
004087F8 |. 6A 40 push 40
004087FA |. 8BCF mov ecx, edi
004087FC |. E8 B3960200 call 00431EB4 ; 判断邮箱有没有'@'
00408801 |. 83F8 FF cmp eax, -1
00408804 |. 74 0E je short 00408814 ; 有@不跳?
00408806 |. 6A 2E push 2E
00408808 |. 8BCF mov ecx, edi
0040880A |. E8 A5960200 call 00431EB4 ; 判断邮箱有没有'.'
0040880F |. 83F8 FF cmp eax, -1
00408812 |. 75 0C jnz short 00408820
00408814 |> 53 push ebx ; /Arg3
00408815 |. 53 push ebx ; |Arg2
00408816 |. 68 E0784600 push 004678E0 ; |请输入正确的email地址
0040881B |. E8 73360300 call 0043BE93 ; \AdslTime.0043BE93
00408820 |> 8D8D A0FEFFFF lea ecx, [ebp-160]
00408826 |. E8 43690000 call 0040F16E ; 填充md5常数
0040882B |. 6A 01 push 1
0040882D |. 8BCE mov ecx, esi
0040882F |. C645 FC 01 mov byte ptr [ebp-4], 1
00408833 |. E8 10C30200 call 00434B48
00408838 |. 8D46 60 lea eax, [esi+60]
0040883B |. 57 push edi
0040883C |. 50 push eax
0040883D |. 8D45 EC lea eax, [ebp-14]
00408840 |. 50 push eax
00408841 |. E8 D6930200 call 00431C1C
00408846 |. 8B45 F0 mov eax, [ebp-10]
00408849 |. 8D4D EC lea ecx, [ebp-14]
0040884C |. C645 FC 02 mov byte ptr [ebp-4], 2
00408850 |. 8B40 F8 mov eax, [eax-8]
00408853 |. 40 inc eax
00408854 |. 50 push eax
00408855 |. E8 C3950200 call 00431E1D ; 机器码加邮箱
0040885A |. 50 push eax
0040885B |. 8D8D A0FEFFFF lea ecx, [ebp-160]
00408861 |. E8 B4740000 call 0040FD1A ; md5加密
00408866 |. 8D7E 64 lea edi, [esi+64] ; 得出注册码
00408869 |. BB B8714600 mov ebx, 004671B8 ; -
0040886E |> 53 /push ebx ; 下面的函数是判断注册码的格式的
0040886F |. 8BCF |mov ecx, edi ; 注册码格式为每8位加上一个'-'
00408871 |. E8 384B0200 |call 0042D3AE ; 查找注册码是否有'-'
00408876 |. 83F8 FF |cmp eax, -1
00408879 |. 8945 E8 |mov [ebp-18], eax
0040887C |. 74 70 |je short 004088EE
0040887E |. 50 |push eax
0040887F |. 8D45 D8 |lea eax, [ebp-28]
00408882 |. 50 |push eax
00408883 |. 8BCF |mov ecx, edi
00408885 |. E8 8A4A0200 |call 0042D314
0040888A |. 50 |push eax
0040888B |. 8D45 F0 |lea eax, [ebp-10]
0040888E |. 50 |push eax
0040888F |. 8D45 DC |lea eax, [ebp-24]
00408892 |. 50 |push eax
00408893 |. C645 FC 03 |mov byte ptr [ebp-4], 3
00408897 |. E8 80930200 |call 00431C1C
0040889C |. 50 |push eax
0040889D |. 8D4D F0 |lea ecx, [ebp-10]
004088A0 |. C645 FC 04 |mov byte ptr [ebp-4], 4
004088A4 |. E8 7D920200 |call 00431B26
004088A9 |. 8D4D DC |lea ecx, [ebp-24]
004088AC |. C645 FC 03 |mov byte ptr [ebp-4], 3
004088B0 |. E8 84910200 |call 00431A39
004088B5 |. 8D4D D8 |lea ecx, [ebp-28]
004088B8 |. C645 FC 02 |mov byte ptr [ebp-4], 2
004088BC |. E8 78910200 |call 00431A39
004088C1 |. 8B45 E8 |mov eax, [ebp-18]
004088C4 |. 8BCF |mov ecx, edi
004088C6 |. 40 |inc eax
004088C7 |. 50 |push eax
004088C8 |. 8D45 E4 |lea eax, [ebp-1C]
004088CB |. 50 |push eax
004088CC |. E8 0E490200 |call 0042D1DF
004088D1 |. 50 |push eax
004088D2 |. 8BCF |mov ecx, edi
004088D4 |. C645 FC 05 |mov byte ptr [ebp-4], 5
004088D8 |. E8 49920200 |call 00431B26
004088DD |. 8D4D E4 |lea ecx, [ebp-1C]
004088E0 |. C645 FC 02 |mov byte ptr [ebp-4], 2
004088E4 |. E8 50910200 |call 00431A39
004088E9 |. FF45 E0 |inc dword ptr [ebp-20]
004088EC |.^ EB 80 \jmp short 0040886E
004088EE |> 8D45 F0 lea eax, [ebp-10] ; (初始 cpu 选择)
004088F1 |. 57 push edi
----------------------------------------------------
这里说一下注册码格式:例如偶得到的注册码是925544d7f90cd3663531546f080bbed8,则
每8位要插入一个'-',即注册码为925544d7-f90cd366-3531546f-080bbed8
还要说一下,这个软件用的md5常数不是标准的md5常数,但只是变了一个字节而已:进入:
00408826 |. E8 43690000 call 0040F16E ; 填充md5常数
0040F16E /$ B8 DF0D4500 mov eax, 00450DDF
0040F173 |. E8 40E80000 call 0041D9B8
0040F178 |. 51 push ecx
0040F179 |. A1 588C4600 mov eax, [468C58]
0040F17E |. 56 push esi
0040F17F |. 8BF1 mov esi, ecx
0040F181 |. 8975 F0 mov [ebp-10], esi
0040F184 |. 8946 04 mov [esi+4], eax
0040F187 |. 33C0 xor eax, eax
0040F189 |. C706 80604500 mov dword ptr [esi], 00456080
0040F18F |. 8945 FC mov [ebp-4], eax
0040F192 |. 8886 A0000000 mov [esi+A0], al
0040F198 |. 8886 D1000000 mov [esi+D1], al
0040F19E |. E8 39000000 call 0040F1DC ;这就是填充md5常数的函数了,进入:
0040F1A3 |. 8B4D F4 mov ecx, [ebp-C]
0040F1A6 |. 8BC6 mov eax, esi
0040F1A8 |. 5E pop esi
0040F1A9 |. 64:890D 00000>mov fs:[0], ecx
0040F1B0 |. C9 leave
0040F1B1 \. C3 retn
0040F1DC /$ 56 push esi
0040F1DD |. 33C0 xor eax, eax
0040F1DF |. 8D71 60 lea esi, [ecx+60]
0040F1E2 |. 6A 40 push 40
0040F1E4 |. 50 push eax
0040F1E5 |. 56 push esi
0040F1E6 |. 8941 1C mov [ecx+1C], eax
0040F1E9 |. 8941 18 mov [ecx+18], eax
0040F1EC |. C741 08 01234>mov dword ptr [ecx+8], 67452301
0040F1F3 |. C741 0C 89ABC>mov dword ptr [ecx+C], EFCDAB89
0040F1FA |. C741 10 FEDCB>mov dword ptr [ecx+10], 98BADCFE
0040F201 |. C741 14 76543>mov dword ptr [ecx+14], 19325476 ; 注意
~
标准的md5常数应该是10325476,它改成19了,眼神不好的话可是会被骗的喔!
FNKTZDHNUVUIWSAsuyasha@163.com
815f6aa8-b70f7a33-ea1ade0a-5cfaf3c9
---------
文章写于2007-08-15
--------------------------------------------------------------------------------
【经验总结】
MD5不可避免要明文比较,建议不要直接用MD5来计算注册码。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课