Software: TrueTable (真实表格)
URL:
http://www.truetable.com/gmsoft/TrueTable96.zip
The software is used together with AutoCAD; it converts text tables in a DWG into Excel.
Patched ("brute-forced") against TrueTable version 9.6.
After installation, the truetable directory under Program Files contains a Truetable2000.arx and a truetable.reg file.
Run OllyDbg, set it to ignore all exceptions and to hide itself from the debuggee. Load acad.exe and run it.
Open the module list and pick truetabl; the debugger is now inside truetabl's address space.
At the AutoCAD command line, type the command gt. Strings such as "未注册" (unregistered) and "作者:" (author:) appear, and their code locations were found in truetabl.
Looking a little above and below, the software turns out to have one key jump. Set breakpoints on these lines and run acad.exe again.
1C010617 52 push edx
1C010618 FF15 8810031C call dword ptr ds:[<&ADVAPI32.RegSetValueExA>] ; ADVAPI32.RegSetValueExA
1C01061E 8B4424 20 mov eax,dword ptr ss:[esp+20]
1C010622 50 push eax
1C010623 FF15 A810031C call dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; ADVAPI32.RegCloseKey
1C010629 8B4424 10 mov eax,dword ptr ss:[esp+10]
1C01062D 48 dec eax
1C01062E 894424 10 mov dword ptr ss:[esp+10],eax
1C010632 ^ 0F85 ACFEFFFF jnz TrueTabl.1C0104E4
1C010638 8B0D 4C3A071C mov ecx,dword ptr ds:[1C073A4C] 《-- ds:[1C073A4C] holds the pointer to the array of key flags
1C01063E 8379 78 58 cmp dword ptr ds:[ecx+78],58 《-- this is a key point: if it is not equal, the decoding below produces the "未注册" (unregistered) text
1C010642 74 3F je short TrueTabl.1C010683
1C010644 8B2D 1411031C mov ebp,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
1C01064A 68 00AF031C push TrueTabl.1C03AF00 ; ASCII "GetWindowTextA"
1C01064F 68 38A9031C push TrueTabl.1C03A938 ; ASCII "kernel32.dll"
1C010654 FFD5 call ebp
1C010656 50 push eax
1C010657 FF15 1011031C call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
1C01065D 8BD0 mov edx,eax
1C01065F BF 88A7031C mov edi,TrueTabl.1C03A788 ; ASCII " "
1C010664 83C9 FF or ecx,FFFFFFFF
1C010667 33C0 xor eax,eax
1C010669 F2:AE repne scas byte ptr es:[edi]
1C01066B F7D1 not ecx
1C01066D 2BF9 sub edi,ecx
1C01066F 8BC1 mov eax,ecx
1C010671 8BF7 mov esi,edi
1C010673 8BFA mov edi,edx
1C010675 C1E9 02 shr ecx,2
1C010678 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
1C01067A 8BC8 mov ecx,eax
1C01067C 83E1 03 and ecx,3
1C01067F F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
1C010681 EB 06 jmp short TrueTabl.1C010689
1C010683 8B2D 1411031C mov ebp,dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
1C010689 A0 F831071C mov al,byte ptr ds:[1C0731F8]
1C01068E 84C0 test al,al
1C010690 75 37 jnz short TrueTabl.1C0106C9
1C010692 A1 F030071C mov eax,dword ptr ds:[1C0730F0]
1C010697 6A 10 push 10
1C010699 3D A8030000 cmp eax,3A8
1C01069E 68 DCA2031C push TrueTabl.1C03A2DC ; ASCII "TrueTable"
1C0106A3 75 12 jnz short TrueTabl.1C0106B7
1C0106A5 68 50B6031C push TrueTabl.1C03B650
1C0106AA 6A 00 push 0
1C0106AC FF15 8816031C call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
1C0106B2 E9 FA050000 jmp TrueTabl.1C010CB1
1C0106B7 68 2CB6031C push TrueTabl.1C03B62C ; ASCII "Error:You have not admin rights!"
1C0106BC 6A 00 push 0
1C0106BE FF15 8816031C call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
So ds:[1C073A4C] holds a pointer to the array of key flags. Search the disassembly for the string "ds:[1C073A4C]", look just below each hit for code that compares against 58, and watch for mov instructions that write through this pointer. (The success loop below writes dword slots 0Ah..13h of that array, i.e. offsets 28h..4Ch, and the failure path writes -1 into offset 28h, the first of them; the compares at 1C01063E (+78h) and 1C007D06 (+50h) read slots outside that range, so presumably other checks fill those.) It turned up at once:
1C007C51 83C4 04 add esp,4
1C007C54 888435 FCFEFFFF mov byte ptr ss:[ebp+esi-104],al
1C007C5B 46 inc esi
1C007C5C 81FE C0000000 cmp esi,0C0
1C007C62 ^ 7C D7 jl short TrueTabl.1C007C3B
1C007C64 B3 01 mov bl,1
1C007C66 33F6 xor esi,esi
1C007C68 68 38A8031C push TrueTabl.1C03A838 ; ASCII "DD7788C9B2DF0D463ABE121C21F9C157"
1C007C6D E8 AE930000 call TrueTabl.1C011020
1C007C72 8A4435 8C mov al,byte ptr ss:[ebp+esi-74] 《-- holds the data derived from the entered registration code
1C007C76 8BCE mov ecx,esi
1C007C78 C1E1 04 shl ecx,4
1C007C7B 34 47 xor al,47
1C007C7D 83C4 04 add esp,4
1C007C80 3881 3035071C cmp byte ptr ds:[ecx+1C073530],al 《-- [1C073530] holds the data computed from the computer name
1C007C86 75 4D jnz short TrueTabl.1C007CD5 <--- the key compare; nop it out. If this jump is taken, registration fails
1C007C88 E8 43950000 call TrueTabl.1C0111D0
1C007C8D 46 inc esi
1C007C8E 83FE 10 cmp esi,10
1C007C91 ^ 7C D5 jl short TrueTabl.1C007C68
1C007C93 84DB test bl,bl
1C007C95 74 3E je short TrueTabl.1C007CD5
1C007C97 8B3D 3815031C mov edi,dword ptr ds:[<&MSVCRT.sprintf>] ; MSVCRT.sprintf
1C007C9D BE 0A000000 mov esi,0A
1C007CA2 56 push esi
1C007CA3 8D95 88FAFFFF lea edx,dword ptr ss:[ebp-578]
1C007CA9 68 84A7031C push TrueTabl.1C03A784 ; ASCII "i%d"
1C007CAE 52 push edx
1C007CAF FFD7 call edi
1C007CB1 8D85 88FAFFFF lea eax,dword ptr ss:[ebp-578]
1C007CB7 50 push eax
1C007CB8 E8 53940000 call TrueTabl.1C011110
1C007CBD 8B0D 4C3A071C mov ecx,dword ptr ds:[1C073A4C] 《--- the string "ds:[1C073A4C]" we searched for
1C007CC3 83C4 10 add esp,10
1C007CC6 C704B1 58000000 mov dword ptr ds:[ecx+esi*4],58 《-- with a correct registration code, 58 is stored here
1C007CCD 46 inc esi
1C007CCE 83FE 14 cmp esi,14
1C007CD1 ^ 7C CF jl short TrueTabl.1C007CA2
1C007CD3 EB 1A jmp short TrueTabl.1C007CEF
1C007CD5 8B15 4C3A071C mov edx,dword ptr ds:[1C073A4C]
1C007CDB 68 50AA031C push TrueTabl.1C03AA50 ; ASCII "E0E5F91FE6BCF649E5B1633AF3554AAC"
1C007CE0 C742 28 FFFFFFFF mov dword ptr ds:[edx+28],-1 《--- with a wrong registration code, ffffffff is stored here
1C007CE7 E8 34930000 call TrueTabl.1C011020
1C007CEC 83C4 04 add esp,4
1C007CEF E8 DC940000 call TrueTabl.1C0111D0
1C007CF4 68 7CA7031C push TrueTabl.1C03A77C ; ASCII "12ds"
1C007CF9 E8 22930000 call TrueTabl.1C011020
1C007CFE A1 4C3A071C mov eax,dword ptr ds:[1C073A4C]
1C007D03 83C4 04 add esp,4
1C007D06 8378 50 58 cmp dword ptr ds:[eax+50],58
1C007D0A 74 3B je short TrueTabl.1C007D47
1C007D0C 68 68A7031C push TrueTabl.1C03A768 ; ASCII "GetDiskFreeSpaceA"
1C007D11 68 38A9031C push TrueTabl.1C03A938 ; ASCII "kernel32.dll"
1C007D16 FF15 1411031C call dword ptr ds:[<&KERNEL32.GetModuleHand>; kernel32.GetModuleHandleA
1C007D1C 50 push eax
1C007D1D FF15 1011031C call dword ptr ds:[<&KERNEL32.GetProcAddres>; kernel32.GetProcAddress
1C007D23 8BD0 mov edx,eax
1C007D25 BF 88A7031C mov edi,TrueTabl.1C03A788 ; ASCII " "
1C010148 C64424 1F 01 mov byte ptr ss:[esp+1F],1
1C01014D 33DB xor ebx,ebx
1C01014F BD 3035071C mov ebp,TrueTabl.1C073530
1C010154 8A841C CC000000 mov al,byte ptr ss:[esp+ebx+CC]
1C01015B 8A4D 00 mov cl,byte ptr ss:[ebp]
1C01015E 34 47 xor al,47
1C010160 3AC8 cmp cl,al
1C010162 0F85 0D010000 jnz TrueTabl.1C010275 <--- the key compare; nop it out. If this jump is taken, registration fails
(The next lines, 1C010168 to 1C010178, are out of sync in the listing: the bytes 83C9FF 33C0 8D94243C010000 F2AE inside them are or ecx,-1 / xor eax,eax / lea edx,[esp+13C] / repne scasb, the same strlen-and-copy idiom as at 1C010664; from 1C01017B on the listing is in step again.)
1C010168 00CC add ah,cl
1C01016A B6 03 mov dh,3
1C01016C 1C 83 sbb al,83
1C01016E C9 leave
1C01016F FF33 push dword ptr ds:[ebx]
1C010171 C08D 94243C01 00 ror byte ptr ss:[ebp+13C2494],0
1C010178 00F2 add dl,dh
1C01017A AE scas byte ptr es:[edi]
1C01017B F7D1 not ecx
1C01017D 2BF9 sub edi,ecx
1C01017F 8BC1 mov eax,ecx
1C010181 8BF7 mov esi,edi
1C010183 8BFA mov edi,edx
1C010185 33D2 xor edx,edx
1C010187 C1E9 02 shr ecx,2
1C01018A F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
1C01018C 8BC8 mov ecx,eax
1C01018E 33C0 xor eax,eax
1C010190 83E1 03 and ecx,3
1C010193 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
1C010195 BF CCB6031C mov edi,TrueTabl.1C03B6CC ; ASCII "serw"
1C01019A 83C9 FF or ecx,FFFFFFFF
1C01019D F2:AE repne scas byte ptr es:[edi]
1C01019F F7D1 not ecx
1C0101A1 49 dec ecx
1C0101A2 85C9 test ecx,ecx
1C0101A4 7E 45 jle short TrueTabl.1C0101EB
1C0101A6 8DBC24 3C010000 lea edi,dword ptr ss:[esp+13C]
1C0101AD 83C9 FF or ecx,FFFFFFFF
1C0101B0 33C0 xor eax,eax
1C0101B2 8DB424 3C010000 lea esi,dword ptr ss:[esp+13C]
1C0101B9 F2:AE repne scas byte ptr es:[edi]
1C0101BB F7D1 not ecx
1C0101BD 2BF9 sub edi,ecx
1C0101BF 897424 10 mov dword ptr ss:[esp+10],esi
1C0101C3 8BC1 mov eax,ecx
1C0101C5 8BF7 mov esi,edi
1C0101C7 8B7C24 10 mov edi,dword ptr ss:[esp+10]
1C0101CB C1E9 02 shr ecx,2
1C0101CE F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
1C0101D0 8BC8 mov ecx,eax
1C0101D2 33C0 xor eax,eax
1C0101D4 83E1 03 and ecx,3
1C0101D7 42 inc edx
1C0101D8 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi>
1C0101DA BF CCB6031C mov edi,TrueTabl.1C03B6CC ; ASCII "serw"
1C0101DF 83C9 FF or ecx,FFFFFFFF
Many of the Chinese strings in this software are only lightly encrypted: they are simply XORed with 47, which is why a disassembly of it shows so many strange-looking strings.
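An added example (my script, not code from this write-up or from TrueTable) that recovers such strings: it applies the XOR-47 transform in both directions and scans a blob of module bytes for NUL-terminated runs that decode to readable text. The sample blob is constructed here from strings visible in the listing; treating the text as GBK (the code page of Chinese Windows software of that era) is an assumption.

```python
"""XOR-0x47 string recovery (added example, not code from the write-up or from TrueTable)."""
import re

KEY = 0x47


def xor47(data: bytes) -> bytes:
    """XOR every byte with 0x47; the transform is its own inverse."""
    return bytes(b ^ KEY for b in data)


def decode_gbk(stored: bytes) -> str:
    """Decode one obfuscated string as stored in the module (GBK is assumed)."""
    return xor47(stored).decode("gbk")


# Printable GBK text: ASCII 0x20-0x7E, or a two-byte character with lead byte
# 0x81-0xFE and trail byte 0x40-0x7E / 0x80-0xFE.
_GBK_TEXT = re.compile(rb"(?:[\x20-\x7e]|[\x81-\xfe][\x40-\x7e\x80-\xfe])+")
_HIGH_BYTE = re.compile(rb"[\x81-\xfe]")


def find_obfuscated_strings(blob: bytes):
    """Return (offset, text) for obfuscated, NUL-terminated strings in blob.

    An obfuscated NUL is stored as 0x47 (0x00 ^ 0x47), so a candidate runs
    from just after a 0x00 or 0x47 byte (or the start of the blob) to the
    next 0x47. It is reported only if every decoded byte is printable GBK
    and at least one two-byte character is present; ASCII-only plain strings
    therefore never match, but an unobfuscated Chinese string would, so the
    results still deserve a look.
    """
    found = []
    i = 0
    while i < len(blob):
        if i == 0 or blob[i - 1] in (0x00, KEY):
            end = blob.find(bytes([KEY]), i)
            if end > i:
                chunk = xor47(blob[i:end])
                if _GBK_TEXT.fullmatch(chunk) and _HIGH_BYTE.search(chunk):
                    try:
                        found.append((i, chunk.decode("gbk")))
                        i = end + 1
                        continue
                    except UnicodeDecodeError:
                        pass  # well-formed pairs, but an unassigned code point
        i += 1
    return found


# Constructed sample: two plain ASCII strings that appear in the listing,
# then two obfuscated Chinese strings in their assumed stored form, then padding.
SAMPLE = (
    b"TrueTable\x00"
    + b"Error:You have not admin rights!\x00"
    + xor47("未注册".encode("gbk") + b"\x00")
    + xor47("作者: ".encode("gbk") + b"\x00")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for off, text in find_obfuscated_strings(SAMPLE):
        print(f"{off:#06x}  {text}")
```

Run against a dump of the module's data section, the scanner lists the offsets of the obfuscated strings; the plain "TrueTable" and "Error:..." strings in the sample are skipped because their XORed form contains non-printable bytes.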
This software also checks the integrity of its main module. After modifying truetable.arx it reports an error; the message gives the faulting address, and the check sits near that address.
* Possible StringData Ref from Data Obj ->"4F81F16ED3AFAA83D7E8896A31B3C99B"
|
:1C007AFE 6880A8031C push 1C03A880
:1C007B03 888435FCFEFFFF mov byte ptr [ebp+esi-00000104], al
:1C007B0A E801960000 call 1C011110
:1C007B0F 83C404 add esp, 00000004
:1C007B12 46 inc esi
:1C007B13 81FEC0000000 cmp esi, 000000C0
:1C007B19 7CDC jl 1C007AF7
:1C007B1B B101 mov cl, 01
:1C007B1D 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C007B3A(C)
|
:1C007B1F 8BF0 mov esi, eax
:1C007B21 8DBC1DFCFEFFFF lea edi, dword ptr [ebp+ebx-00000104]
:1C007B28 C1E604 shl esi, 04
:1C007B2B 8A96AC41071C mov dl, byte ptr [esi+1C0741AC]
:1C007B31 3A1407 cmp dl, byte ptr [edi+eax]
:1C007B34 7547 jne 1C007B7D 《--- first check; this jump must not be taken
:1C007B36 40 inc eax
:1C007B37 83F810 cmp eax, 00000010
:1C007B3A 7CE3 jl 1C007B1F
:1C007B3C 84C9 test cl, cl
:1C007B3E 754C jne 1C007B8C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C007B8A(U)
|
* Possible StringData Ref from Data Obj ->"SetWindowTextA"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C007FB4(C)
|
:1C007F95 8BF8 mov edi, eax
:1C007F97 8D9435FCFEFFFF lea edx, dword ptr [ebp+esi-00000104]
:1C007F9E C1E704 shl edi, 04
:1C007FA1 8A9FAC41071C mov bl, byte ptr [edi+1C0741AC]
:1C007FA7 3A1C02 cmp bl, byte ptr [edx+eax]
:1C007FAA 0F85C6000000 jne 1C008076 《--- second check; this jump must not be taken
:1C007FB0 40 inc eax
:1C007FB1 83F810 cmp eax, 00000010
:1C007FB4 7CDF jl 1C007F95
:1C007FB6 84C9 test cl, cl
:1C007FB8 0F8595000000 jne 1C008053
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C008083(U)
|
:1C007FBE E80D920000 call 1C0111D0
:1C007FC3 6A0F push 0000000F
* Possible Reference to Dialog: DialogID_007A
:1C00FE59 8A10 mov dl, byte ptr [eax]
:1C00FE5B 83C004 add eax, 00000004
:1C00FE5E 88540C3C mov byte ptr [esp+ecx+3C], dl
:1C00FE62 41 inc ecx
:1C00FE63 3D782F071C cmp eax, 1C072F78
:1C00FE68 7CEF jl 1C00FE59
:1C00FE6A 8D4C2C3C lea ecx, dword ptr [esp+ebp+3C]
:1C00FE6E B8AC41071C mov eax, 1C0741AC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1C00FE84(C)
|
:1C00FE73 8A10 mov dl, byte ptr [eax]
:1C00FE75 8A19 mov bl, byte ptr [ecx]
:1C00FE77 3AD3 cmp dl, bl
:1C00FE79 7510 jne 1C00FE8B 《--- third check; this jump must not be taken
:1C00FE7B 83C010 add eax, 00000010
:1C00FE7E 41 inc ecx
:1C00FE7F 3DAC42071C cmp eax, 1C0742AC
:1C00FE84 7CED jl 1C00FE73
:1C00FE86 E99C020000 jmp 1C010127
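An added example (mine, not TrueTable's code) modelling how a check of this shape behaves. The three loops above compare 16 bytes of a computed buffer against a table at 1C0741AC with a stride of 16 per byte, and the registration loop at 1C007C68 compares its 16 bytes against 1C073530 in the same way; the model below uses that access pattern for an integrity check and shows what the nop patch at 1C007C86 does to it. The digest (MD5, which yields 16-byte values), the transposed table layout, the region split and the image bytes are assumptions made here, not facts from the write-up.

```python
"""Model of a stride-16, table-driven self-check (added example, not TrueTable's code)."""
import hashlib

DIGEST_LEN = 16          # bytes compared per check (assumed: an MD5 digest)
TABLE_COLS = 16          # one column per checked region, 16 bytes per row


def region_digest(image: bytes, start: int, length: int) -> bytes:
    """Digest of one checked region. MD5 is an assumption; it is used here
    because it yields the 16-byte values the compare loops walk."""
    return hashlib.md5(image[start:start + length]).digest()


def table_byte(table: bytes, k: int, column: int) -> int:
    """Byte k of the reference value stored in `column`. Row k sits at k*16,
    the same `shl esi,4 ; mov dl,[esi+1C0741AC]` indexing the listing shows."""
    return table[(k << 4) + column]


def build_table(image: bytes, regions) -> bytes:
    """Lay the reference digests out transposed: row k holds byte k of every
    region's digest (assumed layout, chosen to match the stride-16 access)."""
    table = bytearray(DIGEST_LEN * TABLE_COLS)
    for column, (start, length) in enumerate(regions):
        digest = region_digest(image, start, length)
        for k in range(DIGEST_LEN):
            table[(k << 4) + column] = digest[k]
    return bytes(table)


def check_region(image: bytes, table: bytes, column: int, start: int, length: int):
    """Return (ok, first_bad_index). Mirrors one compare loop: byte k of the
    freshly computed value against table row k; the first mismatch is where
    the jne would fire."""
    computed = region_digest(image, start, length)
    for k in range(DIGEST_LEN):
        if table_byte(table, k, column) != computed[k]:
            return False, k
    return True, None


# Constructed sample image: a short stretch of "code" modelled on the
# registration compare loop at 1C007C72-1C007C91 (it contains the jnz short
# 75 4D at CODE_JNZ), followed by the reference table for two regions.
CODE = bytes.fromhex(
    "8a44358c 8bce c1e104 3447 83c404 3881 3035071c 754d e843950000 46 83fe10 7cd5"
)
CODE_JNZ = 20                                  # offset of the 75 4D
REGIONS = [(0, 16), (16, len(CODE) - 16)]      # checked regions (assumed split)
TABLE = build_table(CODE, REGIONS)
IMAGE = CODE + TABLE                           # the table lives in the same image


def self_check(image: bytes, table_offset: int = len(CODE), regions=REGIONS):
    """Run every region check against the table embedded in `image`."""
    table = image[table_offset:table_offset + DIGEST_LEN * TABLE_COLS]
    return [check_region(image, table, col, s, n) for col, (s, n) in enumerate(regions)]


def patch_jnz_to_nops(image: bytes, offset: int) -> bytes:
    """The patch style the write-up uses: replace a `75 xx` jnz short with two nops."""
    if image[offset] != 0x75:
        raise ValueError("no jnz short at that offset")
    return image[:offset] + b"\x90\x90" + image[offset + 2:]


if __name__ == "__main__":
    print("original:", self_check(IMAGE))
    print("patched: ", self_check(patch_jnz_to_nops(IMAGE, CODE_JNZ)))
```

The unpatched image passes both region checks; after the two-byte nop patch the region containing the jnz fails at the first digest byte that differs, which is exactly the point where the jne in the real loops branches to the error. Because the reference table sits in the same image and the comparison is a plain byte walk, a check of this shape only tells the program that something changed, not who changed it; a reference kept outside the attacker's reach (a signature the loader verifies) is the stronger design.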
The registration-code algorithm is in call 1c02bfb0; I had neither the heart nor the energy to analyse it.
1C02CEB1 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
1C02CEB3 8BC8 mov ecx,eax
1C02CEB5 83E1 03 and ecx,3
1C02CEB8 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
1C02CEBA 8D4B 04 lea ecx,dword ptr ds:[ebx+4]
1C02CEBD 51 push ecx
1C02CEBE 8BCB mov ecx,ebx
1C02CEC0 E8 EBF0FFFF call TrueTabl.1C02BFB0 <--- the algorithm is in this call.
1C02CEC5 8BFD mov edi,ebp
1C02CEC7 8D75 3F lea esi,dword ptr ss:[ebp+3F]
1C02CECA 8B6C24 18 mov ebp,dword ptr ss:[esp+18]
1C02CECE 3BF5 cmp esi,ebp
1C02CED0 73 1A jnb short TrueTabl.1C02CEEC
1C02CED2 8B5424 14 mov edx,dword ptr ss:[esp+14]
1C02CED6 8BCB mov ecx,ebx
1C02CED8 8D4432 C1 lea eax,dword ptr ds:[edx+esi-3F]
1C02CEDC 50 push eax
1C02CEDD E8 CEF0FFFF call TrueTabl.1C02BFB0