CCProxy V6.2注册算法分析
虽然用PEiD查到程序中带有DES、Base64的算法特征,但注册部分仅使用了MD5(哈希),Base64只是用于网络传输的编码,DES用在什么地方我没仔细看
在动态分析前,最好先用IDA来静态分析一下,导出.map文件,然后再用OD导入.map文件,这样分析起来就容易多了
一. 关于怎样得到Machine ID
取ProductID:注册表 HKLM\Software\Microsoft\Windows\CurrentVersion 下的 ProductID 值
我的是55274-640-0000356-23224,然后从后往前(即倒序)取12位,把"-"用"0"来替换,得到422320653000,然后经过下面的这个Call就可以得到机器码了
----------------------------------------------------------------------------------------
00433E8B |. E8 10FDFFFF call <CCProxy.sub_433BA0>
-----------------------------------------------------------------------------------------
二. 注册码的生成算法
主要使用了MD5算法
用文字描述如下:
str1=你注册的名字
str2=Machine ID
str3=MD5(str1)+MD5(str1)的最后两位
str4=MD5(str2)
str5=MD5(str3)
SerialNumber=str5+str4的最后两位
--------------------------------------------------------------------------------------------------------------------
00409EE0 <>/$ B8 10140000 mov eax,1410 ; CheckRegInfo
00409EE5 |. E8 46620300 call <CCProxy.__alloca_probe>
00409EEA |. 53 push ebx
00409EEB |. 55 push ebp
00409EEC |. 8BAC24 20140000 mov ebp,dword ptr ss:[esp+1420]
00409EF3 |. 56 push esi
00409EF4 |. 57 push edi
00409EF5 |. 55 push ebp ;用户名/机器码
00409EF6 |. 55 push ebp ;用户名/str3
00409EF7 |. E8 B4410200 call <CCProxy.MD5Hash>
00409EFC |. 8BF8 mov edi,eax
00409EFE |. 83C9 FF or ecx,FFFFFFFF
00409F01 |. 33C0 xor eax,eax
00409F03 |. 8D5424 24 lea edx,dword ptr ss:[esp+24]
00409F07 |. F2:AE repne scas byte ptr es:[edi]
00409F09 |. F7D1 not ecx
00409F0B |. 2BF9 sub edi,ecx
00409F0D |. 8BC1 mov eax,ecx
00409F0F |. 8BF7 mov esi,edi
00409F11 |. 8BFA mov edi,edx
00409F13 |. 8D5424 24 lea edx,dword ptr ss:[esp+24]
00409F17 |. C1E9 02 shr ecx,2
00409F1A |. F3:A5 rep movs dword ptr es:[edi],dword >
00409F1C |. 8BC8 mov ecx,eax
00409F1E |. 83E1 03 and ecx,3
00409F21 |. F3:A4 rep movs byte ptr es:[edi],byte pt>
00409F23 |. 8B8C24 34140000 mov ecx,dword ptr ss:[esp+1434]
00409F2A |. 51 push ecx
00409F2B |. 52 push edx
00409F2C |. E8 7F410200 call <CCProxy.MD5Hash >
00409F31 |. 8BD0 mov edx,eax
-------------------------------------------------------------------------------------------------------------------
0042E0B0 <>/$ 81EC D4000000 sub esp,0D4 ; MD5Hash
0042E0B6 |. 83C9 FF or ecx,FFFFFFFF
0042E0B9 |. 33C0 xor eax,eax
0042E0BB |. 56 push esi
0042E0BC |. 8BB424 DC000000 mov esi,dword ptr ss:[esp+DC]
0042E0C3 |. 57 push edi
0042E0C4 |. 8BFE mov edi,esi
0042E0C6 |. F2:AE repne scas byte ptr es:[edi]
0042E0C8 |. F7D1 not ecx
0042E0CA |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
0042E0CE |. 49 dec ecx
0042E0CF |. 50 push eax ;Context
0042E0D0 |. 8BF9 mov edi,ecx
0042E0D2 |. E8 E9000000 call <CCProxy.MD5Initial>
-------------------------------------------------------------------
{0042E1C0 <>/$ 8B4424 04 mov eax,dword ptr ss:[esp+4] ; MD5Initial
0042E1C4 |. 33C9 xor ecx,ecx
0042E1C6 |. C700 01234567 mov dword ptr ds:[eax],67452301
0042E1CC |. C740 04 89ABCDEF mov dword ptr ds:[eax+4],EFCDAB89
0042E1D3 |. C740 08 FEDCBA98 mov dword ptr ds:[eax+8],98BADCFE
0042E1DA |. C740 0C 76543210 mov dword ptr ds:[eax+C],10325476
0042E1E1 |. 8948 10 mov dword ptr ds:[eax+10],ecx
0042E1E4 |. 8948 14 mov dword ptr ds:[eax+14],ecx
0042E1E7 \. C3 retn
}
--------------------------------------------------------------------
0042E0D7 |. 57 push edi ;the length 8/22
0042E0D8 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
0042E0DC |. 56 push esi ;
0042E0DD |. 51 push ecx ;Context
0042E0DE |. E8 0D010000 call <CCProxy.MD5Update>
0042E0E3 |. 8D5424 3C lea edx,dword ptr ss:[esp+3C]
0042E0E7 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
0042E0EB |. 52 push edx ;Context
0042E0EC |. 50 push eax ;SzHash
0042E0ED |. E8 EE010000 call <CCProxy.MD5Final>
0042E0F2 |. 8BB424 FC000000 mov esi,dword ptr ss:[esp+FC]
0042E0F9 |. 83C9 FF or ecx,FFFFFFFF
0042E0FC |. 8BFE mov edi,esi
0042E0FE |. 33C0 xor eax,eax
0042E100 |. F2:AE repne scas byte ptr es:[edi]
0042E102 |. F7D1 not ecx
0042E104 |. 49 dec ecx
0042E105 |. 8BF9 mov edi,ecx
0042E107 |. 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
0042E10E |. 51 push ecx
0042E10F |. E8 AC000000 call <CCProxy.MD5Initial>
0042E114 |. 57 push edi ;
0042E115 |. 8D9424 A4000000 lea edx,dword ptr ss:[esp+A4]
0042E11C |. 56 push esi ;
0042E11D |. 52 push edx ;
0042E11E |. E8 CD000000 call <CCProxy.MD5Update>
0042E123 |. 8D8424 AC000000 lea eax,dword ptr ss:[esp+AC]
0042E12A |. 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
0042E12E |. 50 push eax
0042E12F |. 51 push ecx
0042E130 |. E8 AB010000 call <CCProxy.MD5Final>
0042E135 |. 8B5424 38 mov edx,dword ptr ss:[esp+38]
0042E139 |. C605 8A6D4A00 00 mov byte ptr ds:[4A6D8A],0
0042E140 |. 81E2 FF000000 and edx,0FF
0042E146 |. 52 push edx
0042E147 |. 68 54604700 push CCProxy.00476054
0042E14C |. 68 686D4A00 push CCProxy.004A6D68
0042E151 |. E8 011F0100 call <CCProxy._sprintf>
0042E156 |. 83C4 3C add esp,3C
0042E159 |. BF 6A6D4A00 mov edi,CCProxy.004A6D6A
0042E15E |. 33F6 xor esi,esi
0042E160 <>|> 33C0 xor eax,eax ; loc_42E160
0042E162 |. 33C9 xor ecx,ecx
-------------------------------------------------------------------------
开始
0042E164 |. 8A4434 09 mov al,byte ptr ss:[esp+esi+9]
0042E168 |. 8A4C34 18 mov cl,byte ptr ss:[esp+esi+18]
0042E16C |. 0BC1 or eax,ecx
0042E16E |. 50 push eax
0042E16F |. 68 54604700 push CCProxy.00476054
0042E174 |. 57 push edi
0042E175 |. E8 DD1E0100 call <CCProxy._sprintf>
0042E17A |. 83C4 0C add esp,0C
0042E17D |. 46 inc esi
0042E17E |. 83C7 02 add edi,2
0042E181 |. 8D56 01 lea edx,dword ptr ds:[esi+1]
0042E184 |. 83FA 10 cmp edx,10
0042E187 |.^ 72 D7 jb short <CCProxy.loc_42E160>
--------------------------------------------------------------------------
上面这一部分是把两次计算出来的Hash逐字节进行or操作,再用sprintf格式化成十六进制串,但输出的前两位不变
--------------------------------------------------------------------------
0042E189 |. 8B4424 27 mov eax,dword ptr ss:[esp+27]
0042E18D |. 25 FF000000 and eax,0FF
0042E192 |. 50 push eax
0042E193 |. 68 54604700 push CCProxy.00476054
0042E198 |. 68 886D4A00 push CCProxy.004A6D88
0042E19D |. E8 B51E0100 call <CCProxy._sprintf>
0042E1A2 |. 83C4 0C add esp,0C
0042E1A5 |. B8 686D4A00 mov eax,CCProxy.004A6D68
0042E1AA |. 5F pop edi
0042E1AB |. 5E pop esi
0042E1AC |. 81C4 D4000000 add esp,0D4
0042E1B2 \. C3 retn
知道了算法就很容易写注册机了,这个就你去写吧,OK?