【文章标题】: **移动电子警察系统算法粗略分析
【文章作者】: 网络断魂
【软件名称】: **移动电子警察系统
【下载地址】: 商业软件,不方便提供下载地址。
【加壳方式】: 无
【保护方式】: 序列号
【使用工具】: PEID,OD,PYG算法工具
【软件介绍】: 雷达测速取证软件
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!(高手请勿偷笑)
--------------------------------------------------------------------------------
【详细过程】
用PEID查壳,无壳,VC++6编写,运行软件,有字符提示:注册码错误,下面是简单分析过程:
追码录像可到 http://icg.uu1001.com/read.php?tid=109 下载,俺上传不了本地,谢谢
用OD查找字符串,来到下面:
0041E580 . 6A FF push -1
0041E582 . 68 78254400 push 00442578 ; SE 处理程序安装
0041E587 . 64:A1 0000000>mov eax, dword ptr fs:[0]
0041E58D . 50 push eax
0041E58E . 64:8925 00000>mov dword ptr fs:[0], esp
0041E595 . 51 push ecx
0041E596 . 56 push esi
0041E597 . 8BF1 mov esi, ecx
0041E599 . 8D4C24 04 lea ecx, dword ptr [esp+4]
0041E59D . E8 7A030200 call <jmp.&MFC42.#540>
0041E5A2 . 8D4424 04 lea eax, dword ptr [esp+4]
0041E5A6 . 8BCE mov ecx, esi
0041E5A8 . 50 push eax
0041E5A9 . 68 99040000 push 499
0041E5AE . C74424 18 000>mov dword ptr [esp+18], 0
0041E5B6 . E8 29050200 call <jmp.&MFC42.#3097> ; //取假码
0041E5BB . 8B46 64 mov eax, dword ptr [esi+64] ; //送真码,下一行就可以做内存注册机
0041E5BE . 8B4C24 04 mov ecx, dword ptr [esp+4] ; //送假码,此处做内存注册机,取EAX中的值
0041E5C2 . 50 push eax ; /s2
0041E5C3 . 51 push ecx ; |s1
0041E5C4 . FF15 8C364400 call dword ptr [<&MSVCRT._mbsicmp>] ; \//字符串比较
0041E5CA . 83C4 08 add esp, 8
0041E5CD . 85C0 test eax, eax
0041E5CF . 74 10 je short 0041E5E1 ; //跳过注册号错误,请重新输入
0041E5D1 . 6A 00 push 0
0041E5D3 . 6A 00 push 0
0041E5D5 . 68 8CF14400 push 0044F18C ; 注册号错误,请重新输入!!!
0041E5DA . E8 17050200 call <jmp.&MFC42.#1200> ; //错误提示
0041E5DF . EB 07 jmp short 0041E5E8
0041E5E1 > 8BCE mov ecx, esi
0041E5E3 . E8 9C040200 call <jmp.&MFC42.#4853>
0041E5E8 > 8D4C24 04 lea ecx, dword ptr [esp+4]
0041E5EC . C74424 10 FFF>mov dword ptr [esp+10], -1
0041E5F4 . E8 11030200 call <jmp.&MFC42.#800>
0041E5F9 . 8B4C24 08 mov ecx, dword ptr [esp+8]
0041E5FD . 5E pop esi
0041E5FE . 64:890D 00000>mov dword ptr fs:[0], ecx
0041E605 . 83C4 10 add esp, 10
0041E608 . C3 retn
0041E5BB . 8B46 64 mov eax, dword ptr [esi+64] ; //送真码,下一行就可以做内存注册机
跟踪真码存放位置003971B8后找到关键算法的地方:
00422150 /$ 6A FF push -1 ; //算法函数
00422152 |. 68 102A4400 push 00442A10 ; SE 处理程序安装
00422157 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0042215D |. 50 push eax
0042215E |. 64:8925 00000>mov dword ptr fs:[0], esp
00422165 |. 83EC 44 sub esp, 44
00422168 |. 53 push ebx
00422169 |. 56 push esi
0042216A |. 8D4424 08 lea eax, dword ptr [esp+8]
0042216E |. 6A 00 push 0
00422170 |. 50 push eax
00422171 |. E8 0AFFFFFF call 00422080 ; //取硬盘码,去掉前面的空格作为机器码,并计算出长度
00422176 |. 83C4 08 add esp, 8
00422179 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0042217D |. C74424 54 000>mov dword ptr [esp+54], 0
00422185 |. E8 92C70100 call <jmp.&MFC42.#540>
0042218A |. 8D4C24 08 lea ecx, dword ptr [esp+8]
0042218E |. C64424 54 01 mov byte ptr [esp+54], 1
00422193 |. 51 push ecx
00422194 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00422198 |. E8 8DC80100 call <jmp.&MFC42.#535>
0042219D |. 8B5424 08 mov edx, dword ptr [esp+8] ; //送机器码
004221A1 |. C64424 54 02 mov byte ptr [esp+54], 2
004221A6 |. 8B42 F8 mov eax, dword ptr [edx-8] ; //送机器码长度!
004221A9 |. 83F8 10 cmp eax, 10 ; //机器码长度与10(16)比较
004221AC |. 0F8D A4000000 jge 00422256 ; //大于等于则跳
004221B2 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
004221B6 |. E8 61C70100 call <jmp.&MFC42.#540>
004221BB |. 8B4424 08 mov eax, dword ptr [esp+8] ; //送机器码
004221BF |. B9 10000000 mov ecx, 10 ; //送计算标志,10H
004221C4 |. B3 03 mov bl, 3
004221C6 |. 33F6 xor esi, esi ; //计数器(ESI)清零
004221C8 |. 8B40 F8 mov eax, dword ptr [eax-8] ; //送机器码
004221CB |. 885C24 54 mov byte ptr [esp+54], bl
004221CF |. 2BC8 sub ecx, eax ; //标志长度减去实际长度=要补充的位数
004221D1 |. 85C9 test ecx, ecx ; //较验要补充的位数是否为零
004221D3 |. 7E 43 jle short 00422218 ; //为零则跳走,不补充
004221D5 |> 8D5424 0C /lea edx, dword ptr [esp+C]
004221D9 |. 68 9CF24400 |push 0044F29C ; h //机器码不足16位时补充H
004221DE |. 8D4424 20 |lea eax, dword ptr [esp+20]
004221E2 |. 52 |push edx
004221E3 |. 50 |push eax
004221E4 |. E8 37C90100 |call <jmp.&MFC42.#924>
004221E9 |. 50 |push eax
004221EA |. 8D4C24 10 |lea ecx, dword ptr [esp+10]
004221EE |. C64424 58 04 |mov byte ptr [esp+58], 4
004221F3 |. E8 04C90100 |call <jmp.&MFC42.#858>
004221F8 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
004221FC |. 885C24 54 |mov byte ptr [esp+54], bl
00422200 |. E8 05C70100 |call <jmp.&MFC42.#800>
00422205 |. 8B4C24 08 |mov ecx, dword ptr [esp+8]
00422209 |. BA 10000000 |mov edx, 10
0042220E |. 46 |inc esi
0042220F |. 8B41 F8 |mov eax, dword ptr [ecx-8]
00422212 |. 2BD0 |sub edx, eax
00422214 |. 3BF2 |cmp esi, edx
00422216 |.^ 7C BD \jl short 004221D5 ; //循环给机器码填充H,直至16位
00422218 |> 8D4424 0C lea eax, dword ptr [esp+C]
0042221C |. 8D4C24 08 lea ecx, dword ptr [esp+8]
00422220 |. 50 push eax
00422221 |. 8D5424 20 lea edx, dword ptr [esp+20]
00422225 |. 51 push ecx
00422226 |. 52 push edx
00422227 |. E8 CECA0100 call <jmp.&MFC42.#922> ; //字符连接
0042222C |. 50 push eax
0042222D |. 8D4C24 0C lea ecx, dword ptr [esp+C]
00422231 |. C64424 58 05 mov byte ptr [esp+58], 5
00422236 |. E8 C1C80100 call <jmp.&MFC42.#858>
0042223B |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0042223F |. 885C24 54 mov byte ptr [esp+54], bl
00422243 |. E8 C2C60100 call <jmp.&MFC42.#800>
00422248 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
0042224C |. C64424 54 02 mov byte ptr [esp+54], 2
00422251 |. E8 B4C60100 call <jmp.&MFC42.#800>
00422256 |> 8D4424 1C lea eax, dword ptr [esp+1C]
0042225A |. 6A 10 push 10
0042225C |. 50 push eax
0042225D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00422261 |. E8 D2C80100 call <jmp.&MFC42.#4129>
00422266 |. 50 push eax
00422267 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0042226B |. C64424 58 06 mov byte ptr [esp+58], 6
00422270 |. E8 87C80100 call <jmp.&MFC42.#858>
00422275 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00422279 |. C64424 54 02 mov byte ptr [esp+54], 2
0042227E |. E8 87C60100 call <jmp.&MFC42.#800>
00422283 |. 33C9 xor ecx, ecx
00422285 |. 8D5424 1C lea edx, dword ptr [esp+1C]
00422289 |. 894C24 20 mov dword ptr [esp+20], ecx
0042228D |. 6A 08 push 8
0042228F |. 894C24 28 mov dword ptr [esp+28], ecx
00422293 |. 52 push edx
00422294 |. 884C24 30 mov byte ptr [esp+30], cl
00422298 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0042229C |. E8 97C80100 call <jmp.&MFC42.#4129>
004222A1 |. 8B00 mov eax, dword ptr [eax]
004222A3 |. 8B08 mov ecx, dword ptr [eax]
004222A5 |. 894C24 20 mov dword ptr [esp+20], ecx
004222A9 |. 8B50 04 mov edx, dword ptr [eax+4]
004222AC |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
004222B0 |. 895424 24 mov dword ptr [esp+24], edx
004222B4 |. E8 51C60100 call <jmp.&MFC42.#800>
004222B9 |. 6A 00 push 0
004222BB |. 68 90F24400 push 0044F290 ; 19770126,DES算法密钥
004222C0 |. E8 9B010000 call 00422460 ; //密钥转换
004222C5 |. 33C0 xor eax, eax
004222C7 |. 8D4C24 34 lea ecx, dword ptr [esp+34]
004222CB |. 894424 34 mov dword ptr [esp+34], eax
004222CF |. 8D5424 28 lea edx, dword ptr [esp+28]
004222D3 |. 894424 38 mov dword ptr [esp+38], eax
004222D7 |. 51 push ecx
004222D8 |. 52 push edx
004222D9 |. 884424 44 mov byte ptr [esp+44], al
004222DD |. E8 9E010000 call 00422480 ; //前8位DES算法加密,并校验单号上的字符是否为零,为零则去除
004222E2 |. 8B4424 3C mov eax, dword ptr [esp+3C]
004222E6 |. 8B4C24 40 mov ecx, dword ptr [esp+40]
004222EA |. 33D2 xor edx, edx
004222EC |. 83C4 10 add esp, 10
004222EF |. 894424 38 mov dword ptr [esp+38], eax
004222F3 |. 895424 20 mov dword ptr [esp+20], edx
004222F7 |. 8D4424 1C lea eax, dword ptr [esp+1C]
004222FB |. 894C24 3C mov dword ptr [esp+3C], ecx
004222FF |. 895424 24 mov dword ptr [esp+24], edx
00422303 |. 6A 08 push 8
00422305 |. 50 push eax
00422306 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0042230A |. 885424 30 mov byte ptr [esp+30], dl
0042230E |. E8 1FC80100 call <jmp.&MFC42.#5710>
00422313 |. 8B00 mov eax, dword ptr [eax]
00422315 |. 8B08 mov ecx, dword ptr [eax]
00422317 |. 894C24 20 mov dword ptr [esp+20], ecx
0042231B |. 8B50 04 mov edx, dword ptr [eax+4]
0042231E |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00422322 |. 895424 24 mov dword ptr [esp+24], edx
00422326 |. E8 DFC50100 call <jmp.&MFC42.#800>
0042232B |. 33C0 xor eax, eax
0042232D |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
00422331 |. 894424 2C mov dword ptr [esp+2C], eax
00422335 |. 8D5424 20 lea edx, dword ptr [esp+20]
00422339 |. 894424 30 mov dword ptr [esp+30], eax
0042233D |. 51 push ecx
0042233E |. 52 push edx
0042233F |. 884424 3C mov byte ptr [esp+3C], al
00422343 |. E8 38010000 call 00422480 ; //后8位DES算法加密,并校验单号上的字符是否为零,为零则去除
00422348 |. 8B4C24 38 mov ecx, dword ptr [esp+38]
0042234C |. 8B4424 34 mov eax, dword ptr [esp+34]
00422350 |. 894C24 4C mov dword ptr [esp+4C], ecx
00422354 |. 83C4 08 add esp, 8
00422357 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0042235B |. 894424 40 mov dword ptr [esp+40], eax
0042235F |. E8 B8C50100 call <jmp.&MFC42.#540>
00422364 |. B3 07 mov bl, 7
00422366 |. 885C24 54 mov byte ptr [esp+54], bl
0042236A |. 33F6 xor esi, esi
0042236C |> 8D4C24 0C /lea ecx, dword ptr [esp+C] ; //循环取值
00422370 |. E8 A7C50100 |call <jmp.&MFC42.#540>
00422375 |. 33D2 |xor edx, edx
00422377 |. 8D4424 0C |lea eax, dword ptr [esp+C]
0042237B |. 8A5434 38 |mov dl, byte ptr [esp+esi+38]
0042237F |. C64424 54 08 |mov byte ptr [esp+54], 8
00422384 |. 52 |push edx
00422385 |. 68 8CF24400 |push 0044F28C ; %x
0042238A |. 50 |push eax
0042238B |. E8 86C50100 |call <jmp.&MFC42.#2818>
00422390 |. 83C4 0C |add esp, 0C
00422393 |. 8D4C24 0C |lea ecx, dword ptr [esp+C]
00422397 |. 51 |push ecx
00422398 |. 8D4C24 14 |lea ecx, dword ptr [esp+14]
0042239C |. E8 6FC80100 |call <jmp.&MFC42.#939>
004223A1 |. 8D4C24 0C |lea ecx, dword ptr [esp+C]
004223A5 |. 885C24 54 |mov byte ptr [esp+54], bl
004223A9 |. E8 5CC50100 |call <jmp.&MFC42.#800>
004223AE |. 46 |inc esi
004223AF |. 83FE 10 |cmp esi, 10
004223B2 |.^ 7C B8 \jl short 0042236C ; //循环取加密后的值
004223B4 |. 8D4C24 10 lea ecx, dword ptr [esp+10] ; //运行到此处,堆栈中出现了一长串字符串(加密后的值)
004223B8 |. E8 0FCA0100 call <jmp.&MFC42.#4204> ; //加密后的值小写转大写,并取值
004223BD |. 8B4C24 5C mov ecx, dword ptr [esp+5C]
004223C1 |. 8D5424 10 lea edx, dword ptr [esp+10]
004223C5 |. 52 push edx
004223C6 |. E8 31C70100 call <jmp.&MFC42.#858>
004223CB |. 8B4424 14 mov eax, dword ptr [esp+14]
004223CF |. 8378 F8 10 cmp dword ptr [eax-8], 10 ; //原始机器码长度与10H比较
004223D3 |. 7E 2E jle short 00422403 ; //小于则跳
004223D5 |. 8D4C24 5C lea ecx, dword ptr [esp+5C]
004223D9 |. 6A 10 push 10
004223DB |. 51 push ecx
004223DC |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
004223E0 |. E8 53C70100 call <jmp.&MFC42.#4129>
004223E5 |. 8B4C24 60 mov ecx, dword ptr [esp+60]
004223E9 |. 50 push eax
004223EA |. C64424 58 09 mov byte ptr [esp+58], 9
004223EF |. E8 08C70100 call <jmp.&MFC42.#858>
004223F4 |. 8D4C24 5C lea ecx, dword ptr [esp+5C]
004223F8 |. 885C24 54 mov byte ptr [esp+54], bl
004223FC |. E8 09C50100 call <jmp.&MFC42.#800>
00422401 |. EB 0E jmp short 00422411
00422403 |> 8B4C24 60 mov ecx, dword ptr [esp+60]
00422407 |. 8D5424 14 lea edx, dword ptr [esp+14]
0042240B |. 52 push edx
0042240C |. E8 EBC60100 call <jmp.&MFC42.#858>
00422411 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
00422415 |. C64424 54 02 mov byte ptr [esp+54], 2
0042241A |. E8 EBC40100 call <jmp.&MFC42.#800>
0042241F |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00422423 |. C64424 54 01 mov byte ptr [esp+54], 1
00422428 |. E8 DDC40100 call <jmp.&MFC42.#800>
0042242D |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00422431 |. C64424 54 00 mov byte ptr [esp+54], 0
00422436 |. E8 CFC40100 call <jmp.&MFC42.#800>
0042243B |. 8D4C24 08 lea ecx, dword ptr [esp+8]
0042243F |. C74424 54 FFF>mov dword ptr [esp+54], -1
00422447 |. E8 BEC40100 call <jmp.&MFC42.#800>
0042244C |. 8B4C24 4C mov ecx, dword ptr [esp+4C]
00422450 |. 5E pop esi
00422451 |. 5B pop ebx
00422452 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00422459 |. 83C4 50 add esp, 50
0042245C \. C3 retn
算法总结:
1、校验机器码是否大于16位:若大于则取前十六位,若不足则以H补充到16位;
2、以19770126为密钥,对填充后的16位机器码进行标准DES加密;
3、取加密后的结果,若单号上的字符是‘0’则去除,双号上的‘0’仍然保留,得到最终注册码!