[Old post] [Original] Analysis of the registration process of 按键精灵 V2.68

Posted on: 2008-6-26 13:33
[Title]: Analysis of the registration process of 按键精灵 V2.68
[Author]: sando
[Author e-mail]: gafeicat@21cn.com
[Software]: 按键精灵 V2.68
[Download]: search for it yourself
[Packer]: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
[Protection]: packer + registration code
[Tools]: PEiD, OllyDbg
[Description]: keyboard and mouse simulation software
[Author's statement]: Purely out of interest, no other purpose. For study only; do not use it for illegal purposes. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed process]
This is software I dug up from the bottom of my hard disk; it is very old! I used to use it to build simple game bots. UPX packer plus a name/code comparison, so the protection is not strong. After unpacking with the ESP trick, PEiD reports C++. Breakpoints are hard to place: the usual APIs cannot be broken on, and you spend all day wandering around inside MFC42. Only a message breakpoint plus a memory breakpoint plus luck got me to the key spot.
004153E0 6A FF push -1
004153E2 68 35094200 push 00420935
004153E7 64:A1 00000000 mov eax, dword ptr fs:[0]
004153ED 50 push eax
004153EE 64:8925 0000000>mov dword ptr fs:[0], esp
004153F5 81EC BC000000 sub esp, 0BC
004153FB 56 push esi
004153FC 57 push edi
004153FD 8BF1 mov esi, ecx
004153FF 6A 01 push 1
00415401 E8 78760000 call <jmp.&MFC42.#6334>
00415406 8D4C24 08 lea ecx, dword ptr [esp+8] ; entered (fake) registration code
0041540A E8 09760000 call <jmp.&MFC42.#540>
0041540F 8B86 2C010000 mov eax, dword ptr [esi+12C] ; user name
00415415 8DBE 2C010000 lea edi, dword ptr [esi+12C]
0041541B 68 A0CD4200 push 0042CDA0
00415420 50 push eax
00415421 C78424 D4000000>mov dword ptr [esp+D4], 0
0041542C FF15 CC284200 call dword ptr [<&msvcrt._mbscmp>] ; msvcrt._mbscmp
00415432 83C4 08 add esp, 8
00415435 85C0 test eax, eax ; test whether the user name is empty
00415437 75 21 jnz short 0041545A ; must jump
00415439 68 9F000000 push 9F
0041543E 8D4C24 0C lea ecx, dword ptr [esp+C]
00415442 E8 19760000 call <jmp.&MFC42.#4160>
00415447 8B4424 08 mov eax, dword ptr [esp+8]
0041544B 6A 00 push 0
0041544D 6A 00 push 0
0041544F 50 push eax
00415450 E8 5B7A0000 call <jmp.&MFC42.#1200>
00415455 E9 F7010000 jmp 00415651
0041545A 8D4C24 7C lea ecx, dword ptr [esp+7C]
0041545E E8 CDE1FFFF call 00413630
00415463 51 push ecx
00415464 8D96 30010000 lea edx, dword ptr [esi+130]
0041546A 8BCC mov ecx, esp
0041546C 896424 18 mov dword ptr [esp+18], esp
00415470 52 push edx
00415471 C68424 D4000000>mov byte ptr [esp+D4], 1
00415479 E8 84760000 call <jmp.&MFC42.#535>
0041547E 51 push ecx
0041547F C68424 D4000000>mov byte ptr [esp+D4], 2
00415487 8BCC mov ecx, esp
00415489 896424 18 mov dword ptr [esp+18], esp
0041548D 57 push edi
0041548E E8 6F760000 call <jmp.&MFC42.#535>
00415493 8D8C24 84000000 lea ecx, dword ptr [esp+84]
0041549A C68424 D4000000>mov byte ptr [esp+D4], 1
004154A2 E8 99EDFFFF call 00414240 ; key call, step into it; EAX=1 when the registration code is correct
004154A7 83E8 00 sub eax, 0
004154AA 0F84 74010000 je 00415624
004154B0 48 dec eax
004154B1 74 23 je short 004154D6
004154B3 48 dec eax
004154B4 0F85 86010000 jnz 00415640
004154BA 68 9E000000 push 9E
004154BF 8D4C24 0C lea ecx, dword ptr [esp+C]
004154C3 E8 98750000 call <jmp.&MFC42.#4160>
004154C8 8B4424 08 mov eax, dword ptr [esp+8]
004154CC 6A 00 push 0
004154CE 6A 00 push 0
004154D0 50 push eax
004154D1 E9 65010000 jmp 0041563B
004154D6 68 9D000000 push 9D
004154DB 8D4C24 0C lea ecx, dword ptr [esp+C]
004154DF E8 7C750000 call <jmp.&MFC42.#4160>
004154E4 8B4C24 08 mov ecx, dword ptr [esp+8]
004154E8 6A 00 push 0
004154EA 6A 00 push 0
004154EC 51 push ecx
004154ED E8 BE790000 call <jmp.&MFC42.#1200> ; successful registration dialog
Stepping into the call 00414240 at 004154A2, we eventually reach:
0041430A E8 F7860000 call <jmp.&MFC42.#800>
0041430F 8B4C24 28 mov ecx, dword ptr [esp+28] ; entered (fake) registration code
00414313 8B5424 0C mov edx, dword ptr [esp+C] ; real registration code
00414317 51 push ecx
00414318 52 push edx
00414319 FF15 CC284200 call dword ptr [<&msvcrt._mbscmp>] ; compare
0041431F 83C4 08 add esp, 8
00414322 85C0 test eax, eax
00414324 0F85 A0000000 jnz 004143CA ; does not jump when the code is correct
0041432A 68 B8C54200 push 0042C5B8 ; ASCII "\win.ini"
0041432F 8D4424 14 lea eax, dword ptr [esp+14]
00414333 56 push esi
00414334 50 push eax
00414335 E8 7A870000 call <jmp.&MFC42.#924>
0041433A 8B00 mov eax, dword ptr [eax]
0041433C 8B5424 24 mov edx, dword ptr [esp+24]
00414340 8B4E 1C mov ecx, dword ptr [esi+1C]
00414343 8B3D 9C204200 mov edi, dword ptr [<&kernel32.Write>; kernel32.WritePrivateProfileStringA
00414349 50 push eax
0041434A 52 push edx
0041434B 51 push ecx
0041434C 68 9CC54200 push 0042C59C ; ASCII "Compatibility"
00414351 FFD7 call edi ; user name written to the registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility\SYSQCHT32N
00414353 8D4C24 10 lea ecx, dword ptr [esp+10]
00414357 E8 AA860000 call <jmp.&MFC42.#800>
0041435C 68 B8C54200 push 0042C5B8 ; ASCII "\win.ini"
00414361 8D4424 14 lea eax, dword ptr [esp+14]
00414365 56 push esi
00414366 50 push eax
00414367 E8 48870000 call <jmp.&MFC42.#924>
0041436C 8B00 mov eax, dword ptr [eax]
0041436E 8B4C24 28 mov ecx, dword ptr [esp+28]
00414372 8B76 20 mov esi, dword ptr [esi+20]
00414375 50 push eax
00414376 51 push ecx
00414377 56 push esi
00414378 68 9CC54200 push 0042C59C ; ASCII "Compatibility"
0041437D FFD7 call edi ; registration code written to the registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility\SYSQCHT32C
0041437F 8D4C24 10 lea ecx, dword ptr [esp+10]
00414383 E8 7E860000 call <jmp.&MFC42.#800>
00414388 8D4C24 0C lea ecx, dword ptr [esp+C]
0041438C 885C24 1C mov byte ptr [esp+1C], bl
00414390 E8 71860000 call <jmp.&MFC42.#800>
00414395 8D4C24 24 lea ecx, dword ptr [esp+24]
00414399 C64424 1C 00 mov byte ptr [esp+1C], 0
0041439E E8 63860000 call <jmp.&MFC42.#800>
004143A3 8D4C24 28 lea ecx, dword ptr [esp+28]
004143A7 C74424 1C FFFFF>mov dword ptr [esp+1C], -1
004143AF E8 52860000 call <jmp.&MFC42.#800>
004143B4 8BC3 mov eax, ebx
004143B6 8B4C24 14 mov ecx, dword ptr [esp+14]
004143BA 64:890D 0000000>mov dword ptr fs:[0], ecx
004143C1 5F pop edi
004143C2 5E pop esi
004143C3 5B pop ebx
004143C4 83C4 14 add esp, 14
004143C7 C2 0800 retn 8
--------------------------------------------------------------------------------
[Summary]
The software is packed with UPX and is easy to unpack. It computes the real registration code from the user name; the computation is in the call 00413890 at 004142ED (I did not trace it). The real code is compared with the entered code in plaintext. When the code is correct, the user name and the code are written to the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility\SYSQCHT32N and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility\SYSQCHT32C respectively, a success dialog is shown, and the program exits. (The listing writes them with WritePrivateProfileStringA against "\win.ini"; on NT-based Windows such win.ini writes are redirected into the registry by IniFileMapping, which is why the values end up under the Compatibility key.) On the next start the program reads the registry entries and verifies the code.
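As an added illustration (not the software's own code), the weak name-derived check that the post describes, placed beside a hardened form that replaces it with a vendor signature. deriveCode is a constructed stand-in for the untraced routine at 00413890, and the Ed25519 scheme is a swapped-in design choice, not something the post proposes:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Weak pattern from the post: the client derives the "real" code from the user
// name and compares it with the entered code in the clear, so the derivation
// and the single compare both ship inside the binary. deriveCode is a
// constructed stand-in; the post did not trace the software's real algorithm.
func deriveCode(user string) string {
	sum := sha256.Sum256([]byte("constructed-salt:" + user))
	return strings.ToUpper(hex.EncodeToString(sum[:8]))
}

// weakCheck mirrors the _mbscmp(entered, real) step in the listing.
func weakCheck(user, entered string) bool {
	return entered == deriveCode(user)
}

// Hardened pattern: the vendor signs the user name with an Ed25519 private key
// that stays with the vendor; the client embeds only the public key, so the
// binary holds nothing that can produce a valid code for a new name.
func issueLicense(priv ed25519.PrivateKey, user string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte("license:"+user)))
}

// strongCheck accepts only the vendor's signature over exactly this user name.
func strongCheck(pub ed25519.PublicKey, user, license string) bool {
	sig, err := hex.DecodeString(license)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte("license:"+user), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, demo only
	if err != nil {
		panic(err)
	}
	lic := issueLicense(priv, "alice")
	fmt.Println("weak, code recomputed from the name:", weakCheck("alice", deriveCode("alice")))
	fmt.Println("strong, vendor-issued license:", strongCheck(pub, "alice", lic))
	fmt.Println("strong, same license, other name:", strongCheck(pub, "bob", lic))
}
```

The weak form is still a single compare that can be patched or re-derived; the signed form moves the only secret off the client, so the client can at most be patched, never used to mint licenses.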
--------------------------------------------------------------------------------
[Copyright notice]: This article was originally posted on the 看雪 (PEDIY) forum; when reposting, please credit the author and keep the article intact. Thank you!
June 26, 2008, 01:32:34 PM