[Original] Arila Sound Recorder (RSA) Analysis
Posted on: 2008-11-3 18:09
【Title】: Arial Sound Recorder V1.171 algorithm analysis (RSA) and use of the FGInt library
【Software】: Arial Sound Recorder V1.171
【Protection】: RSA
【Details】
1. PEiD shows it is a Delphi program.
2. With OllyICE, the event handler address of the OK button in the registration dialog is found to be 004C24A0.
3. To my shame, I took the reverse route, working backwards step by step from the registration code to the algorithm.
4. Comparing with the experts' write-ups, it is clear this software uses the classic RSA protection scheme.
Note: the ordering of this article is a bit messy; please bear with it. When the program is first loaded in OllyICE an exception occurs; press SHIFT+F9 a few times and it runs normally.
With all the melamine-tainted eggs around lately, please don't throw them at me.
004C24A0 |. 55 push ebp // set a breakpoint here
004C24A1 |. 68 27254C00 push 004C2527
004C24A6 |. 64:FF30 push dword ptr fs:[eax]
004C24A9 |. 64:8920 mov dword ptr fs:[eax], esp
004C24AC |. 8D55 FC lea edx, dword ptr [ebp-4]
004C24AF |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004C24B5 |. E8 82C4FAFF call 0046E93C // check the user name length
004C24BA |. 8D55 F8 lea edx, dword ptr [ebp-8]
004C24BD |. 8B83 18030000 mov eax, dword ptr [ebx+318]
004C24C3 |. E8 74C4FAFF call 0046E93C // check the registration code length
004C24C8 |. A1 180E4D00 mov eax, dword ptr [4D0E18]
004C24CD |. 8B00 mov eax, dword ptr [eax]
004C24CF |. 8B4D F8 mov ecx, dword ptr [ebp-8] // the fake registration code
004C24D2 |. 8B55 FC mov edx, dword ptr [ebp-4] // the user name
004C24D5 |. E8 62A60000 call 004CCB3C // key: checks whether the registration code is correct
004C24DA |. 84C0 test al, al
004C24DC |. 74 2E je short 004C250C // as seen below, this jump must not be taken; if it is, registration fails
004C24DE |. A1 180E4D00 mov eax, dword ptr [4D0E18]
004C24E3 |. 8B00 mov eax, dword ptr [eax]
004C24E5 |. 8B55 FC mov edx, dword ptr [ebp-4]
004C24E8 |. E8 C3A90000 call 004CCEB0
004C24ED |. 6A 40 push 40
004C24EF |. B9 34254C00 mov ecx, 004C2534 ; ASCII "Congratulations!"
004C24F4 |. BA 48254C00 mov edx, 004C2548 ; ASCII "Register successfully! Thank you for your support!"
004C24F9 |. A1 C00C4D00 mov eax, dword ptr [4D0CC0]
004C24FE |. 8B00 mov eax, dword ptr [eax]
004C2500 |. E8 A7D3FCFF call 0048F8AC
004C2505 |. 8BC3 mov eax, ebx
004C2507 |. E8 589AFCFF call 0048BF64
004C250C |> 33C0 xor eax, eax
004C250E |. 5A pop edx
004C250F |. 59 pop ecx
004C2510 |. 59 pop ecx
004C2511 |. 64:8910 mov dword ptr fs:[eax], edx
004C2514 |. 68 2E254C00 push 004C252E
004C2519 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004C251C |. BA 02000000 mov edx, 2
004C2521 |. E8 AA21F4FF call 004046D0
004C2526 \. C3 retn
Enter Call 004CCB3C, the check routine, and take a look.
004CCB3C /$ 55 push ebp
004CCB3D |. 8BEC mov ebp, esp
004CCB3F |. 83C4 E4 add esp, -1C
004CCB42 |. 53 push ebx
004CCB43 |. 33DB xor ebx, ebx
004CCB45 |. 895D F4 mov dword ptr [ebp-C], ebx
004CCB48 |. 894D F8 mov dword ptr [ebp-8], ecx
004CCB4B |. 8955 FC mov dword ptr [ebp-4], edx
004CCB4E |. 8B45 FC mov eax, dword ptr [ebp-4]
004CCB51 |. E8 0680F3FF call 00404B5C
004CCB56 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004CCB59 |. E8 FE7FF3FF call 00404B5C
004CCB5E |. 8D45 EC lea eax, dword ptr [ebp-14]
004CCB61 |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004CCB67 |. E8 2486F3FF call 00405190
004CCB6C |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004CCB6F |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004CCB75 |. E8 1686F3FF call 00405190
004CCB7A |. 33C0 xor eax, eax
004CCB7C |. 55 push ebp
004CCB7D |. 68 FECB4C00 push 004CCBFE
004CCB82 |. 64:FF30 push dword ptr fs:[eax]
004CCB85 |. 64:8920 mov dword ptr fs:[eax], esp
004CCB88 |. 33DB xor ebx, ebx
004CCB8A |. 8D55 EC lea edx, dword ptr [ebp-14]
004CCB8D |. A1 2C094D00 mov eax, dword ptr [4D092C] // EAX=65537
004CCB92 |. E8 1540FDFF call 004A0BAC // converts 65537 into a binary number
65537=10000000000000001
004CCB97 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004CCB9A |. A1 30094D00 mov eax, dword ptr [4D0930] // EAX=296330597038313779621622317537
004CCB9F |. E8 0840FDFF call 004A0BAC
// converts the value in EAX into a binary string at 0012F87C: 0000000000000000000000000011101=0000001D
1110101111110111011001011111000=75FBB2F8
0010010010110000100100101100000=49612580
0010010100001100000000111100001=128601E1 // these values will be seen again later
004CCBA4 |. 8D45 FC lea eax, dword ptr [ebp-4]
004CCBA7 |. 50 push eax
004CCBA8 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
004CCBAB |. 8D55 EC lea edx, dword ptr [ebp-14]
004CCBAE |. 8B45 FC mov eax, dword ptr [ebp-4] // the user name appears
004CCBB1 |. E8 E263FDFF call 004A2F98 // key: computes on the user name
004CCBB6 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004CCBB9 |. 8B45 FC mov eax, dword ptr [ebp-4]
004CCBBC |. E8 C33BFDFF call 004A0784 // converts the encrypted binary string
004CCBC1 |. 8B45 F8 mov eax, dword ptr [ebp-8] // the fake registration code appears, held in EAX
004CCBC4 |. 8B55 F4 mov edx, dword ptr [ebp-C] // the real registration code appears, held in EDX
004CCBC7 |. E8 EC7EF3FF call 00404AB8 // compares the real and fake registration codes
004CCBCC |. 75 02 jnz short 004CCBD0 // if it jumps, registration fails
004CCBCE |. B3 01 mov bl, 1
004CCBD0 |> 33C0 xor eax, eax
004CCBD2 |. 5A pop edx
004CCBD3 |. 59 pop ecx
004CCBD4 |. 59 pop ecx
004CCBD5 |. 64:8910 mov dword ptr fs:[eax], edx
004CCBD8 |. 68 05CC4C00 push 004CCC05
004CCBDD |> 8D45 E4 lea eax, dword ptr [ebp-1C]
004CCBE0 |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004CCBE6 |. B9 02000000 mov ecx, 2
004CCBEB |. E8 BC86F3FF call 004052AC
004CCBF0 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004CCBF3 |. BA 03000000 mov edx, 3
004CCBF8 |. E8 D37AF3FF call 004046D0
004CCBFD \. C3 retn
Enter Call 004A2F98 to see how it is computed.
004A2F98 /$ 55 push ebp
004A2F99 |. 8BEC mov ebp, esp
004A2F9B |. 83C4 D0 add esp, -30
004A2F9E |. 53 push ebx
004A2F9F |. 56 push esi
004A2FA0 |. 57 push edi
004A2FA1 |. 33DB xor ebx, ebx
004A2FA3 |. 895D D0 mov dword ptr [ebp-30], ebx
004A2FA6 |. 895D DC mov dword ptr [ebp-24], ebx
004A2FA9 |. 895D D8 mov dword ptr [ebp-28], ebx
004A2FAC |. 895D D4 mov dword ptr [ebp-2C], ebx
004A2FAF |. 8BF9 mov edi, ecx
004A2FB1 |. 8955 F8 mov dword ptr [ebp-8], edx
004A2FB4 |. 8945 FC mov dword ptr [ebp-4], eax
004A2FB7 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A2FBA |. E8 9D1BF6FF call 00404B5C
004A2FBF |. 8D45 F0 lea eax, dword ptr [ebp-10]
004A2FC2 |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004A2FC8 |. E8 C321F6FF call 00405190
004A2FCD |. 8D45 E8 lea eax, dword ptr [ebp-18]
004A2FD0 |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004A2FD6 |. E8 B521F6FF call 00405190
004A2FDB |. 8D45 E0 lea eax, dword ptr [ebp-20]
004A2FDE |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004A2FE4 |. E8 A721F6FF call 00405190
004A2FE9 |. 33C0 xor eax, eax
004A2FEB |. 55 push ebp
004A2FEC |. 68 DF314A00 push 004A31DF
004A2FF1 |. 64:FF30 push dword ptr fs:[eax]
004A2FF4 |. 64:8920 mov dword ptr fs:[eax], esp
004A2FF7 |. 8D55 E0 lea edx, dword ptr [ebp-20]
004A2FFA |. B8 F8314A00 mov eax, 004A31F8
004A2FFF |. E8 3CEBFFFF call 004A1B40
004A3004 |. 8D55 DC lea edx, dword ptr [ebp-24]
004A3007 |. 8BC7 mov eax, edi
004A3009 |. E8 4EEAFFFF call 004A1A5C // a binary string is generated here
11101111010111111011101100101111100010010010110000100100101100000000010010100001100000000111100001 // 128601E1,49612580,75FBB2F8,0000001D converted into a binary string
004A300E |. 8B45 DC mov eax, dword ptr [ebp-24]
004A3011 |. E8 5619F6FF call 0040496C // get the binary string length = 62
004A3016 |. 8BD8 mov ebx, eax
004A3018 |. 8D55 DC lea edx, dword ptr [ebp-24]
004A301B |. 8B45 FC mov eax, dword ptr [ebp-4] // the user name appears
004A301E |. E8 E1D8FFFF call 004A0904 // user name computation: generates a binary string
0110100001101111011101000110011001101001011100100110010100110001001100100011010100111000
004A3023 |. 8D45 DC lea eax, dword ptr [ebp-24]
004A3026 |. 8B4D DC mov ecx, dword ptr [ebp-24]
004A3029 |. BA 04324A00 mov edx, 004A3204 ; ASCII "111"
004A302E |. E8 8519F6FF call 004049B8 // prepends 111 to the generated binary string; this can be seen in the stack changes
004A3033 |. 8BF3 mov esi, ebx
004A3035 |. 4E dec esi
004A3036 |. EB 10 jmp short 004A3048
004A3038 |> 8D45 DC /lea eax, dword ptr [ebp-24]
004A303B |. 8B4D DC |mov ecx, dword ptr [ebp-24]
004A303E |. BA F8314A00 |mov edx, 004A31F8
004A3043 |. E8 7019F6FF |call 004049B8 // prepends a 0 to the binary string
004A3048 |> 8B45 DC mov eax, dword ptr [ebp-24]
004A304B |. E8 1C19F6FF |call 0040496C // length of the binary string after adding 111 = 5B
004A3050 |. 99 |cdq
004A3051 |. F7FE |idiv esi // prepends 6 zeros to the binary string, ESI=61
004A3053 |. 85D2 |test edx, edx
004A3055 |.^ 75 E1 \jnz short 004A3038 // loops 6 times, 61-5B=6; the remainder must be zero.
004A3057 |. 8B45 DC mov eax, dword ptr [ebp-24]
004A305A |. E8 0D19F6FF call 0040496C // get the binary string length, EAX=61
004A305F |. 8BD3 mov edx, ebx
004A3061 |. 4A dec edx
004A3062 |. 8BCA mov ecx, edx
004A3064 |. 99 cdq
004A3065 |. F7F9 idiv ecx
004A3067 |. 8BF0 mov esi, eax
004A3069 |. 8D45 D8 lea eax, dword ptr [ebp-28] // after zero-padding, check the length: 61/61=1
004A306C |. E8 3B16F6FF call 004046AC // check whether the binary string length meets the requirement
004A3071 |. 85F6 test esi, esi
004A3073 |. 0F8E 0A010000 jle 004A3183
004A3079 |> 8D45 D4 /lea eax, dword ptr [ebp-2C]
004A307C |. 50 |push eax
004A307D |. 8BCB |mov ecx, ebx
004A307F |. 49 |dec ecx
004A3080 |. BA 01000000 |mov edx, 1
004A3085 |. 8B45 DC |mov eax, dword ptr [ebp-24] // the fake code's binary string
004A3088 |. E8 3F1BF6FF |call 00404BCC
004A308D |. EB 12 |jmp short 004A30A1
004A308F |> 8D45 D4 |/lea eax, dword ptr [ebp-2C]
004A3092 |. B9 01000000 ||mov ecx, 1
004A3097 |. BA 01000000 ||mov edx, 1
004A309C |. E8 6B1BF6FF ||call 00404C0C
004A30A1 |> 8D45 D0 | lea eax, dword ptr [ebp-30]
004A30A4 |. 50 ||push eax
004A30A5 |. B9 01000000 ||mov ecx, 1
004A30AA |. BA 01000000 ||mov edx, 1
004A30AF |. 8B45 D4 ||mov eax, dword ptr [ebp-2C]
004A30B2 |. E8 151BF6FF ||call 00404BCC
004A30B7 |. 8B45 D0 ||mov eax, dword ptr [ebp-30]
004A30BA |. BA F8314A00 ||mov edx, 004A31F8
004A30BF |. E8 F419F6FF ||call 00404AB8
004A30C4 |. 75 0B ||jnz short 004A30D1
004A30C6 |. 8B45 D4 ||mov eax, dword ptr [ebp-2C]
004A30C9 |. E8 9E18F6FF ||call 0040496C
004A30CE |. 48 ||dec eax
004A30CF |.^ 7F BE |\jg short 004A308F // strips the leading zeros from the binary string
004A30D1 |> 8D55 F0 |lea edx, dword ptr [ebp-10]
004A30D4 |. 8B45 D4 |mov eax, dword ptr [ebp-2C] // the binary string appears again
004A30D7 |. E8 64EAFFFF |call 004A1B40
004A30DC |. 8BCB |mov ecx, ebx
004A30DE |. 49 |dec ecx
004A30DF |. 8D45 DC |lea eax, dword ptr [ebp-24] // the binary string with the 6 leading zeros
004A30E2 |. BA 01000000 |mov edx, 1
004A30E7 |. E8 201BF6FF |call 00404C0C
004A30EC |. 8B45 D4 |mov eax, dword ptr [ebp-2C] // the binary string with the zeros stripped
004A30EF |. BA F8314A00 |mov edx, 004A31F8
004A30F4 |. E8 BF19F6FF |call 00404AB8
004A30F9 |. 75 0D |jnz short 004A3108
004A30FB |. 8D55 E8 |lea edx, dword ptr [ebp-18]
004A30FE |. 8D45 E0 |lea eax, dword ptr [ebp-20]
004A3101 |. E8 6EE3FFFF |call 004A1474
004A3106 |. EB 11 |jmp short 004A3119
004A3108 |> 8D45 E8 |lea eax, dword ptr [ebp-18]
004A310B |. 50 |push eax
004A310C |. 8BCF |mov ecx, edi
004A310E |. 8B55 F8 |mov edx, dword ptr [ebp-8]
004A3111 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
004A3114 |. E8 CFF7FFFF |call 004A28E8 // binary string 10000000000000001
004A3119 |> 8D45 F0 |lea eax, dword ptr [ebp-10]
004A311C |. E8 03DDFFFF |call 004A0E24
004A3121 |. 8D45 D4 |lea eax, dword ptr [ebp-2C] // the binary string generated from the user name
004A3124 |. E8 8315F6FF |call 004046AC
004A3129 |. 8D55 D4 |lea edx, dword ptr [ebp-2C]
004A312C |. 8D45 E8 |lea eax, dword ptr [ebp-18] // the user name string was processed in the section above.
004A312F |. E8 28E9FFFF |call 004A1A5C // generates a binary string
0000000000000000000000000001100=0000000C
1011010011111111111110110010011=5A7FFD93
1011010010010100011111000101010=5A4A3E2A
0001001100101010001100110000110=09951986 // these values will be seen again later
004A3134 |. EB 10 |jmp short 004A3146
004A3136 |> 8D45 D4 |/lea eax, dword ptr [ebp-2C]
004A3139 |. 8B4D D4 ||mov ecx, dword ptr [ebp-2C]
004A313C |. BA F8314A00 ||mov edx, 004A31F8
004A3141 |. E8 7218F6FF ||call 004049B8
004A3146 |> 8B45 D4 | mov eax, dword ptr [ebp-2C]
004A3149 |. E8 1E18F6FF ||call 0040496C
004A314E |. 99 ||cdq
004A314F |. F7FB ||idiv ebx
004A3151 |. 85D2 ||test edx, edx
004A3153 |.^ 75 E1 |\jnz short 004A3136 // prepends zeros to the binary string; the count is determined by EDX
004A3155 |. 8D45 D8 |lea eax, dword ptr [ebp-28]
004A3158 |. 8B55 D4 |mov edx, dword ptr [ebp-2C]
004A315B |. E8 1418F6FF |call 00404974
004A3160 |. 8D45 E8 |lea eax, dword ptr [ebp-18]
004A3163 |. E8 BCDCFFFF |call 004A0E24
004A3168 |. 4E |dec esi
004A3169 |.^ 0F85 0AFFFFFF \jnz 004A3079
004A316F |. EB 12 jmp short 004A3183
004A3171 |> 8D45 D8 /lea eax, dword ptr [ebp-28]
004A3174 |. B9 01000000 |mov ecx, 1
004A3179 |. BA 01000000 |mov edx, 1
004A317E |. E8 891AF6FF |call 00404C0C
004A3183 |> 8B45 D8 mov eax, dword ptr [ebp-28]
004A3186 |. 8038 30 |cmp byte ptr [eax], 30
004A3189 |. 75 0B |jnz short 004A3196
004A318B |. 8B45 D8 |mov eax, dword ptr [ebp-28]
004A318E |. E8 D917F6FF |call 0040496C
004A3193 |. 48 |dec eax
004A3194 |.^ 7F DB \jg short 004A3171 // strips the leftmost zeros from the binary string
004A3196 |> 8B55 08 mov edx, dword ptr [ebp+8]
004A3199 |. 8B45 D8 mov eax, dword ptr [ebp-28]
004A319C |. E8 0FD8FFFF call 004A09B0 // converts the binary string above into hex
004A31A1 |. 8D45 E0 lea eax, dword ptr [ebp-20]
004A31A4 |. E8 7BDCFFFF call 004A0E24
004A31A9 |. 33C0 xor eax, eax
004A31AB |. 5A pop edx
004A31AC |. 59 pop ecx
004A31AD |. 59 pop ecx
004A31AE |. 64:8910 mov dword ptr fs:[eax], edx
004A31B1 |. 68 E6314A00 push 004A31E6
004A31B6 |> 8D45 D0 lea eax, dword ptr [ebp-30]
004A31B9 |. BA 04000000 mov edx, 4
004A31BE |. E8 0D15F6FF call 004046D0
004A31C3 |. 8D45 E0 lea eax, dword ptr [ebp-20]
004A31C6 |. 8B15 1C054A00 mov edx, dword ptr [4A051C] ; Arial_So.004A0520
004A31CC |. B9 03000000 mov ecx, 3
004A31D1 |. E8 D620F6FF call 004052AC
004A31D6 |. 8D45 FC lea eax, dword ptr [ebp-4]
004A31D9 |. E8 CE14F6FF call 004046AC
004A31DE \. C3 retn
Enter Call 004A0904, which processes the user name.
004A0904 /$ 55 push ebp
004A0905 |. 8BEC mov ebp, esp
004A0907 |. 81C4 FCFBFFFF add esp, -404
004A090D |. 53 push ebx
004A090E |. 56 push esi
004A090F |. 57 push edi
004A0910 |. 8BF2 mov esi, edx
004A0912 |. 8945 FC mov dword ptr [ebp-4], eax
004A0915 |. B9 00010000 mov ecx, 100
004A091A |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-404]
004A0920 |. 8B15 10114000 mov edx, dword ptr [401110] ; Arial_So.00401114
004A0926 |. E8 9548F6FF call 004051C0
004A092B |. 33C0 xor eax, eax
004A092D |. 55 push ebp
004A092E |. 68 A1094A00 push 004A09A1
004A0933 |. 64:FF30 push dword ptr fs:[eax]
004A0936 |. 64:8920 mov dword ptr fs:[eax], esp
004A0939 |. 8BC6 mov eax, esi
004A093B |. E8 6C3DF6FF call 004046AC
004A0940 |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-404]
004A0946 |. BA FF000000 mov edx, 0FF
004A094B |. E8 C0FCFFFF call 004A0610
004A0950 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A0953 |. E8 1440F6FF call 0040496C // get the user name length
004A0958 |. 8BD8 mov ebx, eax
004A095A |. 85DB test ebx, ebx // check whether the user name is empty
004A095C |. 7E 1F jle short 004A097D
004A095E |. BF 01000000 mov edi, 1
004A0963 |> 8BC6 /mov eax, esi // the key loop
004A0965 |. 8B55 FC |mov edx, dword ptr [ebp-4] // address where the user name is stored
004A0968 |. 0FB6543A FF |movzx edx, byte ptr [edx+edi-1] // fetches one character of the user name at a time
004A096D |. 8B9495 FCFBFF>|mov edx, dword ptr [ebp+edx*4-404] // looks up the binary string for the character's hex value: e.g. 'h' is 68 in hex, so the binary of 6 and of 8 are taken and joined together.
004A0974 |. E8 FB3FF6FF |call 00404974 // concatenates the binary strings
004A0979 |. 47 |inc edi // counter
004A097A |. 4B |dec ebx // user name length
004A097B |.^ 75 E6 \jnz short 004A0963
004A097D |> 33C0 xor eax, eax
004A097F |. 5A pop edx
004A0980 |. 59 pop ecx
004A0981 |. 59 pop ecx
004A0982 |. 64:8910 mov dword ptr fs:[eax], edx
004A0985 |. 68 A8094A00 push 004A09A8
004A098A |> 8D85 FCFBFFFF lea eax, dword ptr [ebp-404]
004A0990 |. B9 00010000 mov ecx, 100
004A0995 |. 8B15 10114000 mov edx, dword ptr [401110] ; Arial_So.00401114
004A099B |. E8 0C49F6FF call 004052AC
004A09A0 \. C3 retn
Enter CALL 004A1A5C.
004A1A5C /$ 55 push ebp
004A1A5D |. 8BEC mov ebp, esp
004A1A5F |. 83C4 F4 add esp, -0C
004A1A62 |. 53 push ebx
004A1A63 |. 56 push esi
004A1A64 |. 57 push edi
004A1A65 |. 33C9 xor ecx, ecx
004A1A67 |. 894D F4 mov dword ptr [ebp-C], ecx
004A1A6A |. 8BF2 mov esi, edx
004A1A6C |. 8945 FC mov dword ptr [ebp-4], eax
004A1A6F |. 33C0 xor eax, eax
004A1A71 |. 55 push ebp
004A1A72 |. 68 231B4A00 push 004A1B23
004A1A77 |. 64:FF30 push dword ptr fs:[eax]
004A1A7A |. 64:8920 mov dword ptr fs:[eax], esp
004A1A7D |. 8BC6 mov eax, esi
004A1A7F |. E8 282CF6FF call 004046AC
004A1A84 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A1A87 |. 8B40 04 mov eax, dword ptr [eax+4]
004A1A8A |. 8B00 mov eax, dword ptr [eax]
004A1A8C |. 85C0 test eax, eax
004A1A8E |. 7E 5B jle short 004A1AEB
004A1A90 |. 8945 F8 mov dword ptr [ebp-8], eax
004A1A93 |. BF 01000000 mov edi, 1
004A1A98 |> 33DB /xor ebx, ebx
004A1A9A |> 8B45 FC |/mov eax, dword ptr [ebp-4]
004A1A9D |. 8B40 04 ||mov eax, dword ptr [eax+4]
004A1AA0 |. 8B54F8 04 ||mov edx, dword ptr [eax+edi*8+4]
004A1AA4 |. 8B04F8 ||mov eax, dword ptr [eax+edi*8]
004A1AA7 |. 8BCB ||mov ecx, ebx // 09951986,5A4A3E2A,5A7FFD93,0000000C
004A1AA9 |. E8 BA3CF6FF ||call 00405768 // key shift operation
004A1AAE |. 81E0 01000000 ||and eax, 1
004A1AB4 |. 33D2 ||xor edx, edx
004A1AB6 |. 52 ||push edx
004A1AB7 |. 50 ||push eax
004A1AB8 |. 8D45 F4 ||lea eax, dword ptr [ebp-C]
004A1ABB |. E8 0476F6FF ||call 004090C4
004A1AC0 |. 8B55 F4 ||mov edx, dword ptr [ebp-C]
004A1AC3 |. 8B0E ||mov ecx, dword ptr [esi]
004A1AC5 |. 8BC6 ||mov eax, esi
004A1AC7 |. E8 EC2EF6FF ||call 004049B8
004A1ACC |. 43 ||inc ebx
004A1ACD |. 83FB 1F ||cmp ebx, 1F
004A1AD0 |.^ 75 C8 |\jnz short 004A1A9A
004A1AD2 |. 47 |inc edi
004A1AD3 |. FF4D F8 |dec dword ptr [ebp-8]
004A1AD6 |.^ 75 C0 \jnz short 004A1A98 // shifts the values above to convert them into a binary string
004A1AD8 |. EB 11 jmp short 004A1AEB
004A1ADA |> 8BC6 /mov eax, esi
004A1ADC |. B9 01000000 |mov ecx, 1
004A1AE1 |. BA 01000000 |mov edx, 1
004A1AE6 |. E8 2131F6FF |call 00404C0C
004A1AEB |> 8B06 mov eax, dword ptr [esi]
004A1AED |. E8 7A2EF6FF |call 0040496C // get the length
004A1AF2 |. 48 |dec eax
004A1AF3 |. 7E 07 |jle short 004A1AFC
004A1AF5 |. 8B06 |mov eax, dword ptr [esi]
004A1AF7 |. 8038 30 |cmp byte ptr [eax], 30 // strips the leftmost zeros from the binary string
004A1AFA |.^ 74 DE \je short 004A1ADA
004A1AFC |> 833E 00 cmp dword ptr [esi], 0
004A1AFF |. 75 0C jnz short 004A1B0D
004A1B01 |. 8BC6 mov eax, esi
004A1B03 |. BA 3C1B4A00 mov edx, 004A1B3C
004A1B08 |. E8 F32BF6FF call 00404700
004A1B0D |> 33C0 xor eax, eax
004A1B0F |. 5A pop edx
004A1B10 |. 59 pop ecx
004A1B11 |. 59 pop ecx
004A1B12 |. 64:8910 mov dword ptr fs:[eax], edx
004A1B15 |. 68 2A1B4A00 push 004A1B2A
004A1B1A |> 8D45 F4 lea eax, dword ptr [ebp-C]
004A1B1D |. E8 8A2BF6FF call 004046AC
004A1B22 \. C3 retn
004A1B23 .^ E9 6825F6FF jmp 00404090
004A1B28 .^ EB F0 jmp short 004A1B1A
004A1B2A . 5F pop edi
004A1B2B . 5E pop esi
004A1B2C . 5B pop ebx
004A1B2D . 8BE5 mov esp, ebp
004A1B2F . 5D pop ebp
Enter call 004A0784 to see how the registration code is produced.
004A0784 /$ 55 push ebp
004A0785 |. 8BEC mov ebp, esp
004A0787 |. 81C4 ECFBFFFF add esp, -414
004A078D |. 53 push ebx
004A078E |. 56 push esi
004A078F |. 57 push edi
004A0790 |. 33C9 xor ecx, ecx
004A0792 |. 898D ECFBFFFF mov dword ptr [ebp-414], ecx
004A0798 |. 898D F0FBFFFF mov dword ptr [ebp-410], ecx
004A079E |. 894D F8 mov dword ptr [ebp-8], ecx
004A07A1 |. 8BFA mov edi, edx
004A07A3 |. 8945 FC mov dword ptr [ebp-4], eax
004A07A6 |. B9 00010000 mov ecx, 100
004A07AB |. 8D85 F4FBFFFF lea eax, dword ptr [ebp-40C]
004A07B1 |. 8B15 10114000 mov edx, dword ptr [401110] ; Arial_So.00401114
004A07B7 |. E8 044AF6FF call 004051C0
004A07BC |. 33C0 xor eax, eax
004A07BE |. 55 push ebp
004A07BF |. 68 E9084A00 push 004A08E9
004A07C4 |. 64:FF30 push dword ptr fs:[eax]
004A07C7 |. 64:8920 mov dword ptr fs:[eax], esp
004A07CA |. 8D85 F4FBFFFF lea eax, dword ptr [ebp-40C]
004A07D0 |. BA FF000000 mov edx, 0FF
004A07D5 |. E8 36FEFFFF call 004A0610
004A07DA |. 8D45 F8 lea eax, dword ptr [ebp-8]
004A07DD |. E8 CA3EF6FF call 004046AC
004A07E2 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A07E5 |. E8 8241F6FF call 0040496C
004A07EA |. 8BD8 mov ebx, eax
004A07EC |. 85DB test ebx, ebx
004A07EE |. 7E 2F jle short 004A081F
004A07F0 |. BE 01000000 mov esi, 1
004A07F5 |> 8D45 F8 /lea eax, dword ptr [ebp-8] // key algorithm: the final conversion
004A07F8 |. 8B55 FC |mov edx, dword ptr [ebp-4]
004A07FB |. 0FB65432 FF |movzx edx, byte ptr [edx+esi-1]
004A0800 |. 8B9495 F4FBFF>|mov edx, dword ptr [ebp+edx*4-40C]
004A0807 |. E8 6841F6FF |call 00404974
004A080C |. 46 |inc esi
004A080D |. 4B |dec ebx
004A080E |.^ 75 E5 \jnz short 004A07F5 // the binary string that is generated:
1100101101001111111111111011001001110110100100101000111110001010100001001100101010001100110000110
004A0810 |. EB 0D jmp short 004A081F
004A0812 |> 8D45 F8 /lea eax, dword ptr [ebp-8] // pads the binary string with 7 zeros
004A0815 |. BA 00094A00 |mov edx, 004A0900
004A081A |. E8 5541F6FF |call 00404974
004A081F |> 8B45 F8 mov eax, dword ptr [ebp-8]
004A0822 |. E8 4541F6FF |call 0040496C
004A0827 |. B9 06000000 |mov ecx, 6
004A082C |. 99 |cdq
004A082D |. F7F9 |idiv ecx
004A082F |. 85D2 |test edx, edx
004A0831 |.^ 75 DF \jnz short 004A0812 // with 7 zeros of padding it is exactly 108 bits
004A0833 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A0836 |. E8 3141F6FF call 0040496C // get the binary string length, 108=6C
004A083B |. B9 06000000 mov ecx, 6
004A0840 |. 99 cdq
004A0841 |. F7F9 idiv ecx // 6C/6=12 (hex)
004A0843 |. 8BD8 mov ebx, eax
004A0845 |. 8BC7 mov eax, edi
004A0847 |. E8 603EF6FF call 004046AC
004A084C |. 85DB test ebx, ebx // check whether it equals 12
004A084E |. 7E 5D jle short 004A08AD
004A0850 |> 8D85 F0FBFFFF /lea eax, dword ptr [ebp-410] // the key decoding step begins
004A0856 |. 50 |push eax // loops 12 times, processing 12*6=72 bits in total
004A0857 |. B9 06000000 |mov ecx, 6 // takes 6 bits each time
004A085C |. BA 01000000 |mov edx, 1
004A0861 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
004A0864 |. E8 6343F6FF |call 00404BCC // takes 6 bits of the binary string
004A0869 |. 8B95 F0FBFFFF |mov edx, dword ptr [ebp-410]
004A086F |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004A0872 |. E8 55FDFFFF |call 004A05CC // converts the 6-character string into a hex number
004A0877 |. 8D85 ECFBFFFF |lea eax, dword ptr [ebp-414]
004A087D |. 8B55 F4 |mov edx, dword ptr [ebp-C] // accumulated binary value + base address 004D06BF
004A0880 |. 8A92 BF064D00 |mov dl, byte ptr [edx+4D06BF] // the code lookup table appears at 004D06BF
004A0886 |. E8 0940F6FF |call 00404894 // edx + base address 004D06BF selects the corresponding value
004A088B |. 8B95 ECFBFFFF |mov edx, dword ptr [ebp-414]
004A0891 |. 8BC7 |mov eax, edi
004A0893 |. E8 DC40F6FF |call 00404974 // appends the corresponding letter from the code table
004A0898 |. 8D45 F8 |lea eax, dword ptr [ebp-8]
004A089B |. B9 06000000 |mov ecx, 6
004A08A0 |. BA 01000000 |mov edx, 1
004A08A5 |. E8 6243F6FF |call 00404C0C // removes the already-used bits from the binary string
004A08AA |. 4B |dec ebx
004A08AB |.^ 75 A3 \jnz short 004A0850
004A08AD |> 33C0 xor eax, eax
004A08AF |. 5A pop edx
004A08B0 |. 59 pop ecx
004A08B1 |. 59 pop ecx
004A08B2 |. 64:8910 mov dword ptr fs:[eax], edx
004A08B5 |. 68 F0084A00 push 004A08F0
004A08BA |> 8D85 ECFBFFFF lea eax, dword ptr [ebp-414]
004A08C0 |. BA 02000000 mov edx, 2
004A08C5 |. E8 063EF6FF call 004046D0
004A08CA |. 8D85 F4FBFFFF lea eax, dword ptr [ebp-40C]
004A08D0 |. B9 00010000 mov ecx, 100
004A08D5 |. 8B15 10114000 mov edx, dword ptr [401110] ; Arial_So.00401114
004A08DB |. E8 CC49F6FF call 004052AC
004A08E0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004A08E3 |. E8 C43DF6FF call 004046AC
004A08E8 \. C3 retn
Code table
004D06BF 61 41 62 42 63 43 64 44 65 45 66 46 67 47 68 aAbBcCdDeEfFgGh
004D06CF 48 69 49 6A 4A 6B 4B 6C 4C 6D 4D 6E 4E 6F 4F 70 HiIjJkKlLmMnNoOp
004D06DF 50 71 51 72 52 73 53 74 54 75 55 76 56 77 57 78 PqQrRsStTuUvVwWx
004D06EF 58 79 59 7A 5A 30 31 32 33 34 35 36 37 38 39 2B XyYzZ0123456789+
004D06FF 3D =
Enter CALL 004A05CC to see the binary decoding.
004A05CC /$ 53 push ebx
004A05CD |. 56 push esi
004A05CE |. 57 push edi
004A05CF |. 8BDA mov ebx, edx
004A05D1 |. 8BF0 mov esi, eax
004A05D3 |. 33C0 xor eax, eax
004A05D5 |. 8906 mov dword ptr [esi], eax
004A05D7 |. 8BC3 mov eax, ebx
004A05D9 |. E8 8E43F6FF call 0040496C
004A05DE |. 8BD0 mov edx, eax
004A05E0 |. 85D2 test edx, edx
004A05E2 |. 7E 25 jle short 004A0609
004A05E4 |. B8 01000000 mov eax, 1
004A05E9 |> 83F8 06 /cmp eax, 6 // key conversion: check the length
004A05EC |. 7F 1B |jg short 004A0609
004A05EE |. 807C03 FF 30 |cmp byte ptr [ebx+eax-1], 30 // check whether the bit is zero
004A05F3 |. 74 10 |je short 004A0605
004A05F5 |. B9 06000000 |mov ecx, 6
004A05FA |. 2BC8 |sub ecx, eax // position of the 1 bit
004A05FC |. BF 01000000 |mov edi, 1
004A0601 |. D3E7 |shl edi, cl // length - position of the 1 bit = shift count
004A0603 |. 093E |or dword ptr [esi], edi // accumulate
004A0605 |> 40 |inc eax
004A0606 |. 4A |dec edx
004A0607 |.^ 75 E0 \jnz short 004A05E9
004A0609 |> FF06 inc dword ptr [esi] // accumulated sum + 1
004A060B |. 5F pop edi
004A060C |. 5E pop esi
004A060D |. 5B pop ebx
004A060E \. C3 retn
004A09B0 /$ 55 push ebp
004A09B1 |. 8BEC mov ebp, esp
004A09B3 |. 83C4 F0 add esp, -10
004A09B6 |. 53 push ebx
004A09B7 |. 56 push esi
004A09B8 |. 33C9 xor ecx, ecx
004A09BA |. 894D F0 mov dword ptr [ebp-10], ecx
004A09BD |. 894D F4 mov dword ptr [ebp-C], ecx
004A09C0 |. 8BF2 mov esi, edx
004A09C2 |. 8945 FC mov dword ptr [ebp-4], eax
004A09C5 |. 8B45 FC mov eax, dword ptr [ebp-4]
004A09C8 |. E8 8F41F6FF call 00404B5C
004A09CD |. 33C0 xor eax, eax
004A09CF |. 55 push ebp
004A09D0 |. 68 920A4A00 push 004A0A92
004A09D5 |. 64:FF30 push dword ptr fs:[eax]
004A09D8 |. 64:8920 mov dword ptr fs:[eax], esp
004A09DB |. 8BC6 mov eax, esi
004A09DD |. E8 CA3CF6FF call 004046AC
004A09E2 |. EB 10 jmp short 004A09F4
004A09E4 |> 8D45 FC /lea eax, dword ptr [ebp-4]
004A09E7 |. 8B4D FC |mov ecx, dword ptr [ebp-4]
004A09EA |. BA A80A4A00 |mov edx, 004A0AA8
004A09EF |. E8 C43FF6FF |call 004049B8
004A09F4 |> 8B45 FC mov eax, dword ptr [ebp-4]
004A09F7 |. E8 703FF6FF |call 0040496C
004A09FC |. 25 07000080 |and eax, 80000007
004A0A01 |. 79 05 |jns short 004A0A08
004A0A03 |. 48 |dec eax
004A0A04 |. 83C8 F8 |or eax, FFFFFFF8
004A0A07 |. 40 |inc eax
004A0A08 |> 85C0 |test eax, eax
004A0A0A |.^ 75 D8 \jnz short 004A09E4 // requires the binary string length to be a multiple of 8
004A0A0C |. 8B45 FC mov eax, dword ptr [ebp-4]
004A0A0F |. E8 583FF6FF call 0040496C // get the binary string length
004A0A14 |. 85C0 test eax, eax
004A0A16 |. 79 03 jns short 004A0A1B
004A0A18 |. 83C0 07 add eax, 7
004A0A1B |> C1F8 03 sar eax, 3
004A0A1E |. 8BD8 mov ebx, eax
004A0A20 |. 85DB test ebx, ebx
004A0A22 |. 7E 4B jle short 004A0A6F
004A0A24 |> 8D45 F4 /lea eax, dword ptr [ebp-C]
004A0A27 |. 50 |push eax
004A0A28 |. B9 08000000 |mov ecx, 8
004A0A2D |. BA 01000000 |mov edx, 1
004A0A32 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004A0A35 |. E8 9241F6FF |call 00404BCC // takes the leftmost 8 bits of the binary string
004A0A3A |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004A0A3D |. 8D45 FB |lea eax, dword ptr [ebp-5]
004A0A40 |. E8 F3FAFFFF |call 004A0538 // converts each 8-bit binary string into a hex number
004A0A45 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
004A0A48 |. 8A55 FB |mov dl, byte ptr [ebp-5]
004A0A4B |. E8 443EF6FF |call 00404894
004A0A50 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
004A0A53 |. 8BC6 |mov eax, esi
004A0A55 |. E8 1A3FF6FF |call 00404974 // the converted result is shown in EAX
004A0A5A |. 8D45 FC |lea eax, dword ptr [ebp-4]
004A0A5D |. B9 08000000 |mov ecx, 8
004A0A62 |. BA 01000000 |mov edx, 1
004A0A67 |. E8 A041F6FF |call 00404C0C // the string remaining after the cut
004A0A6C |. 4B |dec ebx // loop count
004A0A6D |.^ 75 B5 \jnz short 004A0A24
004A0A6F |> 33C0 xor eax, eax
004A0A71 |. 5A pop edx
004A0A72 |. 59 pop ecx
004A0A73 |. 59 pop ecx
004A0A74 |. 64:8910 mov dword ptr fs:[eax], edx
004A0A77 |. 68 990A4A00 push 004A0A99
004A0A7C |> 8D45 F0 lea eax, dword ptr [ebp-10]
004A0A7F |. BA 02000000 mov edx, 2
004A0A84 |. E8 473CF6FF call 004046D0
004A0A89 |. 8D45 FC lea eax, dword ptr [ebp-4]
004A0A8C |. E8 1B3CF6FF call 004046AC
004A0A91 \. C3 retn
// Keygen adapted from happytown's
program Sound;
{$APPTYPE CONSOLE}
Uses Windows, Messages, FGInt, FGIntRSA;
Var
  n, e: TFGInt;
  name, sn: String;
Begin
  Base10StringToFGInt('296330597038313779621622317537', n); // modulus n, as loaded at 004CCB9A
  Base10StringToFGInt('65537', e);                           // public exponent e, as loaded at 004CCB8D
  Write('User name:');
  ReadLn(name); // name
  RSAEncrypt(name, e, n, name);  // name := name^e mod n as a base-256 string (the routine at 004A2F98)
  ConvertBase256to64(name, sn);  // map to the 64-character table at 004D06BF (the routine at 004A0784)
  FGIntDestroy(n);
  FGIntDestroy(e);
  WriteLn('Registration code:', sn);
  MessageBox(0, PChar(sn), 'Registration code:', MB_OK); // display it with a MessageBox as well
End.
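An added example (my own code, not from the original post or from the FGInt library): a Python re-implementation of the two stages the listings above walk through, the RSA block encryption at 004A2F98 and the base-64 conversion at 004A0784, so that the values captured in OllyICE can be checked against it. It assumes FGInt's 31-bit, least-significant-first limb layout and the 64-character table dumped at 004D06BF; the sample name is the one decoded from the 88-bit string shown after 004A301E.

```python
# Added example, not code from the original post or from FGInt itself: the
# registration-code derivation that the listings expose, re-implemented so the
# values captured in OllyICE can be checked against it.
# Assumptions: FGInt limbs are 31 bits wide and stored least significant first
# (the "cmp ebx, 1F" loop at 004A1ACD and the limb order noted at 004A1AA7);
# the base-64 alphabet is the 64-byte table dumped at 004D06BF..004D06FF,
# indexed from 004D06C0 (value + 1 relative to 004D06BF, see 004A0880).

N = 296330597038313779621622317537   # modulus loaded at 004CCB9A
E = 65537                            # public exponent loaded at 004CCB8D
ALPHABET = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789+="


def limbs_to_int(limbs):
    """Rebuild an integer from the 31-bit limbs OllyICE shows in memory,
    least significant limb first, mirroring the loop at 004A1A98."""
    value = 0
    for limb in reversed(limbs):
        value = (value << 31) | (limb & 0x7FFFFFFF)
    return value


def message_bits(name: bytes, n_bits: int) -> str:
    """004A301E..004A3055: 8 bits per name byte, '111' prepended, then '0'
    prepended until the length is a multiple of n_bits - 1."""
    bits = "111" + "".join(f"{b:08b}" for b in name)
    while len(bits) % (n_bits - 1):
        bits = "0" + bits
    return bits


def rsa_encrypt(name: bytes, e: int = E, n: int = N) -> int:
    """004A2F98: each (n_bits - 1)-bit block is raised to e mod n and the
    results are concatenated as n_bits-wide binary strings (loop at 004A3136)."""
    n_bits = n.bit_length()                      # 0x62 = 98 for this modulus
    bits = message_bits(name, n_bits)
    out = ""
    for i in range(0, len(bits), n_bits - 1):
        block = int(bits[i:i + n_bits - 1], 2)   # an all-zero block stays 0, as pow() also gives
        out += format(pow(block, e, n), "b").zfill(n_bits)
    return int(out, 2)


def to_base256(value: int) -> bytes:
    """004A09B0: left-pad the bit string to a multiple of 8, one byte per 8 bits."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def base256_to_base64(data: bytes) -> str:
    """004A0784 with 004A05CC: 8 bits per byte, '0' appended on the right
    (LStrCat at 004A081A) until a multiple of 6, each 6-bit group -> ALPHABET."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def base64_to_base256(code: str) -> bytes:
    """Inverse of base256_to_base64, to take a captured code back to bytes."""
    bits = "".join(f"{ALPHABET.index(ch):06b}" for ch in code)
    bits = bits[:len(bits) - len(bits) % 8]      # drop the right-hand padding
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def registration_code(name: bytes) -> str:
    """The string that LStrCmp at 004CCBC7 compares with the entered code."""
    return base256_to_base64(to_base256(rsa_encrypt(name)))


if __name__ == "__main__":
    # Ciphertext limbs captured at 004A312F (memory order); the name is the one
    # decoded from the 88-bit string the listing shows after 004A301E.
    captured = limbs_to_int([0x09951986, 0x5A4A3E2A, 0x5A7FFD93, 0x0000000C])
    print(format(captured, "b"))                 # the 97-bit string shown after 004A080E
    print(base256_to_base64(to_base256(captured)))
    print(registration_code(b"hotfire1258"))
```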
// The registration information is stored in Setup.ini in the installation directory:
[general]
info=aKi+u=bjzkBp+1NENi // the registration code we wrote in