-
-
[原创]Port Explorer算法分析
-
发表于: 2008-11-22 12:19 7100
-
软件名称:Port Explorer
功能:为初学者以及进阶使用者设计的Socket分析及探测工具。它支援了通讯埠与处理程序对应、反木马程式以及网路窃听,并且可以像Whois搜寻客户端一样。这软体可以显示所有的TCP与UDP接口,以及每个接口的状况。使用者可以在每个接口安排监视程序,然後隔离从任一个或所有的接口接收或传送的资讯。
假码为:PS123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF1234PE
1.该软件要求注册码的长度为112=272位,属于0-9和A-F之间的数组成。以堆栈方式求出注册码长度
即15*18=270 ,PS+270+4+PE
2.该软件主要采用循环异或运算,以堆栈方式传值,特别要注意运算中堆栈值的变化
异或规则:a xor b xor c=d a=d xor c xor b 用异或表运算,比较容易返推出正确的注册码
3.此软件有重启验证。
00402ACF 55 push ebp
00402AD0 8BEC mov ebp, esp
00402AD2 81EC 04050000 sub esp, 504
00402AD8 8B45 0C mov eax, dword ptr [ebp+C]
00402ADB 83E8 10 sub eax, 10
00402ADE 53 push ebx
00402ADF 56 push esi
00402AE0 57 push edi
00402AE1 0F84 5A020000 je 00402D41
00402AE7 BE 00010000 mov esi, 100
00402AEC 2BC6 sub eax, esi
00402AEE 0F84 0B020000 je 00402CFF
00402AF4 48 dec eax
00402AF5 0F85 58020000 jnz 00402D53
00402AFB 66:817D 10 6D04 cmp word ptr [ebp+10], 46D
00402B01 0F85 4C020000 jnz 00402D53
00402B07 6A 7F push 7F
00402B09 59 pop ecx
00402B0A 33C0 xor eax, eax
00402B0C 33DB xor ebx, ebx
00402B0E 889D 00FEFFFF mov byte ptr [ebp-200], bl
00402B14 8DBD 01FEFFFF lea edi, dword ptr [ebp-1FF]
00402B1A F3:AB rep stos dword ptr es:[edi]
00402B1C 66:AB stos word ptr es:[edi]
00402B1E AA stos byte ptr es:[edi]
00402B1F 6A 7F push 7F
00402B21 59 pop ecx
00402B22 33C0 xor eax, eax
00402B24 889D FCFAFFFF mov byte ptr [ebp-504], bl
00402B2A 8DBD FDFAFFFF lea edi, dword ptr [ebp-503]
00402B30 F3:AB rep stos dword ptr es:[edi]
00402B32 66:AB stos word ptr es:[edi]
00402B34 68 00020000 push 200
00402B39 AA stos byte ptr es:[edi]
00402B3A 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402B40 50 push eax
00402B41 68 6E040000 push 46E
00402B46 FF75 08 push dword ptr [ebp+8]
00402B49 FF15 04B44300 call dword ptr [43B404] ; user32.GetDlgItemTextA
00402B4F 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402B55 50 push eax
00402B56 E8 D5E70200 call 00431330 //取注册码长度
00402B5B 3BC6 cmp eax, esi
00402B5D 59 pop ecx //后面CALL 0041A299指出注册码长度为112位
00402B5E 0F8C 89010000 jl 00402CED //判断注册码长度不能小于100
00402B64 33D2 xor edx, edx
00402B66 3BC3 cmp eax, ebx
00402B68 7E 14 jle short 00402B7E
00402B6A 8D8C15 00FEFFFF lea ecx, dword ptr [ebp+edx-200]
00402B71 8039 50 cmp byte ptr [ecx], 50 //检测注册码是否以P开头
00402B74 74 08 je short 00402B7E
00402B76 42 inc edx
00402B77 3BD0 cmp edx, eax
00402B79 C601 20 mov byte ptr [ecx], 20 //20=空格的十六进制值
00402B7C ^ 7C EC jl short 00402B6A
00402B7E 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402B84 68 C00D4500 push 00450DC0 ; ASCII "PS"
00402B89 50 push eax //检测注册码是否以PS开头
00402B8A E8 C1EA0200 call 00431650
00402B8F 3BC3 cmp eax, ebx
00402B91 59 pop ecx
00402B92 59 pop ecx
00402B93 0F84 54010000 je 00402CED
00402B99 68 BC0D4500 push 00450DBC ; ASCII "PE"
00402B9E 50 push eax //检测注册码中是否含有PE
00402B9F E8 ACEA0200 call 00431650
00402BA4 3BC3 cmp eax, ebx
00402BA6 59 pop ecx
00402BA7 59 pop ecx
00402BA8 0F84 3F010000 je 00402CED
00402BAE 6A 81 push -7F
00402BB0 8858 02 mov byte ptr [eax+2], bl
00402BB3 8818 mov byte ptr [eax], bl
00402BB5 5F pop edi
00402BB6 83FF 30 cmp edi, 30 //限定注册码的取值范围
00402BB9 7C 05 jl short 00402BC0
00402BBB 83FF 39 cmp edi, 39 //数字0-9
00402BBE 7E 17 jle short 00402BD7
00402BC0 83FF 41 cmp edi, 41
00402BC3 7C 05 jl short 00402BCA
00402BC5 83FF 46 cmp edi, 46 //字母A-F
00402BC8 7E 0D jle short 00402BD7
00402BCA 57 push edi
00402BCB 8DB5 00FEFFFF lea esi, dword ptr [ebp-200]
00402BD1 E8 FF050100 call 004131D5 //返回注册码的长度
00402BD6 59 pop ecx
00402BD7 47 inc edi
00402BD8 81FF 80000000 cmp edi, 80
00402BDE ^ 7C D6 jl short 00402BB6
00402BE0 8D85 00FEFFFF lea eax, dword ptr [ebp-200] //去掉PS和PE的注册码
00402BE6 50 push eax
00402BE7 8D85 FCFAFFFF lea eax, dword ptr [ebp-504]
00402BED 68 B40D4500 push 00450DB4 ; ASCII "PS%sPE"
00402BF2 50 push eax //看上面格式,说明注册码格式PS开头,PE结尾
00402BF3 FF15 34B44300 call dword ptr [43B434] ; user32.wsprintfA
00402BF9 83C4 0C add esp, 0C //写入注册表
00402BFC 8D85 FCFAFFFF lea eax, dword ptr [ebp-504]
00402C02 50 push eax
00402C03 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402C09 50 push eax
00402C0A FF15 18B24300 call dword ptr [43B218]
00402C10 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402C16 50 push eax
00402C17 68 AC0D4500 push 00450DAC //存放在注册表中的名称 ; ASCII "pecode"
00402C1C 68 48494500 push 00454948 ; ASCII "Software\Diamond Computer Systems\Port Explorer" //存放于注册表值的位置
00402C21 68 02000080 push 80000002
00402C26 E8 3DE00200 call 00430C68
00402C2B FF35 34014600 push dword ptr [460134]
00402C31 8D45 0C lea eax, dword ptr [ebp+C]
00402C34 FF35 48014600 push dword ptr [460148]
00402C3A 50 push eax
00402C3B 8D45 10 lea eax, dword ptr [ebp+10]
00402C3E 50 push eax
00402C3F FF35 30014600 push dword ptr [460130]
00402C45 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
00402C4B 50 push eax
00402C4C E8 46720100 call 00419E97 //关键的判断,在重启验证前
00402C51 83C4 28 add esp, 28
00402C54 3BC3 cmp eax, ebx
00402C56 0F84 91000000 je 00402CED
00402C5C 68 940D4500 push 00450D94 ; ASCII "Global\DCS_PE_Restart"
00402C61 6A 01 push 1
00402C63 53 push ebx
00402C64 FF15 08B24300 call dword ptr [43B208]
00402C6A A3 D0F04500 mov dword ptr [45F0D0], eax
00402C6F 6A 40 push 40
00402C71 33C0 xor eax, eax
00402C73 889D FCFCFFFF mov byte ptr [ebp-304], bl
00402C79 59 pop ecx
00402C7A 8DBD FDFCFFFF lea edi, dword ptr [ebp-303]
00402C80 F3:AB rep stos dword ptr es:[edi]
00402C82 66:AB stos word ptr es:[edi]
00402C84 AA stos byte ptr es:[edi]
00402C85 8D85 FCFCFFFF lea eax, dword ptr [ebp-304]
00402C8B 50 push eax
00402C8C E8 7F210100 call 00414E10
00402C91 6A 11 push 11
00402C93 8D85 FCFCFFFF lea eax, dword ptr [ebp-304]
00402C99 68 800D4500 push 00450D80 ; ASCII "PortExplorer.exe"
00402C9E 50 push eax
00402C9F E8 7CE80200 call 00431520
00402CA4 83C4 10 add esp, 10
00402CA7 6A 0A push 0A
00402CA9 53 push ebx
00402CAA 53 push ebx
00402CAB 8D85 FCFCFFFF lea eax, dword ptr [ebp-304]
00402CB1 50 push eax
00402CB2 68 780D4500 push 00450D78 ; ASCII "open"
00402CB7 53 push ebx
00402CB8 FF15 9CB24300 call dword ptr [43B29C] ; SHELL32.ShellExecuteA
00402CBE A1 58F54500 mov eax, dword ptr [45F558]
00402CC3 3BC3 cmp eax, ebx
00402CC5 8B35 3CB44300 mov esi, dword ptr [43B43C] ; user32.SendMessageA
00402CCB 74 0E je short 00402CDB
00402CCD 53 push ebx
00402CCE 68 65050000 push 565
00402CD3 68 11010000 push 111
00402CD8 50 push eax
00402CD9 FFD6 call esi
00402CDB A1 00F54500 mov eax, dword ptr [45F500]
00402CE0 3BC3 cmp eax, ebx
00402CE2 74 5F je short 00402D43
00402CE4 53 push ebx
00402CE5 53 push ebx
00402CE6 6A 10 push 10
00402CE8 50 push eax
00402CE9 FFD6 call esi
00402CEB EB 56 jmp short 00402D43
00402CED 6A 10 push 10
00402CEF B8 E0794600 mov eax, 004679E0 ; ASCII "Error!"
00402CF4 50 push eax
00402CF5 50 push eax
00402CF6 53 push ebx
00402CF7 FF15 F0B34300 call dword ptr [43B3F0] ; user32.MessageBoxA
00402CFD EB 44 jmp short 00402D43
00402CFF 8B7D 08 mov edi, dword ptr [ebp+8]
00402D02 8B35 A4B24300 mov esi, dword ptr [43B2A4] ; user32.SetDlgItemTextA
00402D08 68 E08A4600 push 00468AE0 ; ASCII "Please enter your unlock code"
00402D0D 68 6F040000 push 46F
00402D12 57 push edi
00402D13 893D 44EE4800 mov dword ptr [48EE44], edi
00402D19 FFD6 call esi
00402D1B 68 E08B4600 push 00468BE0 ; ASCII "&Ok"
00402D20 68 6D040000 push 46D
00402D25 57 push edi
00402D26 FFD6 call esi
00402D28 FF15 0CB24300 call dword ptr [43B20C]
00402D2E 50 push eax
00402D2F E8 9CE90200 call 004316D0
00402D34 59 pop ecx
00402D35 C705 40EE4800 0>mov dword ptr [48EE40], 8
00402D3F EB 12 jmp short 00402D53
00402D41 33DB xor ebx, ebx
00402D43 53 push ebx
00402D44 FF75 08 push dword ptr [ebp+8]
00402D47 891D 44EE4800 mov dword ptr [48EE44], ebx
00402D4D FF15 10B44300 call dword ptr [43B410] ; user32.EndDialog
00402D53 5F pop edi
00402D54 5E pop esi
00402D55 33C0 xor eax, eax
00402D57 5B pop ebx
00402D58 C9 leave
00402D59 C2 1000 retn 10
进入
0041A250 8038 50 cmp byte ptr [eax], 50 //再次判断注册开头和结尾是否为PS和PE
0041A253 0F85 E40A0000 jnz 0041AD3D
0041A259 8078 01 53 cmp byte ptr [eax+1], 53
0041A25D 0F85 DA0A0000 jnz 0041AD3D
0041A263 807C07 FE 50 cmp byte ptr [edi+eax-2], 50
0041A268 0F85 CF0A0000 jnz 0041AD3D
0041A26E 807C07 FF 45 cmp byte ptr [edi+eax-1], 45
0041A273 0F85 C40A0000 jnz 0041AD3D
0041A279 83C0 02 add eax, 2
0041A27C 50 push eax
0041A27D 8D85 FCFAFFFF lea eax, dword ptr [ebp-504]
0041A283 50 push eax
0041A284 FF15 18B24300 call dword ptr [43B218]
0041A28A 80A43D F8FAFFFF>and byte ptr [ebp+edi-508], 0
0041A292 8D85 FCFAFFFF lea eax, dword ptr [ebp-504]
0041A298 50 push eax
0041A299 E8 92700100 call 00431330 //判断注册码的真正长度
0041A29E 3D 12010000 cmp eax, 112 //真正的注码的位数,PS+112位注册码+PE
0041A2A3 59 pop ecx
0041A2A4 0F85 930A0000 jnz 0041AD3D
0041A2AA 8975 FC mov dword ptr [ebp-4], esi
0041A2AD 33C0 xor eax, eax
0041A2AF 8D7D F1 lea edi, dword ptr [ebp-F]
0041A2B2 66:AB stos word ptr es:[edi]
0041A2B4 8B45 FC mov eax, dword ptr [ebp-4]
0041A2B7 03C0 add eax, eax
0041A2B9 8A8C05 FCFAFFFF mov cl, byte ptr [ebp+eax-504]
0041A2C0 8A8405 FDFAFFFF mov al, byte ptr [ebp+eax-503]
0041A2C7 6A 10 push 10
0041A2C9 8845 F1 mov byte ptr [ebp-F], al
0041A2CC 8D45 F0 lea eax, dword ptr [ebp-10]
0041A2CF 56 push esi
0041A2D0 50 push eax
0041A2D1 884D F0 mov byte ptr [ebp-10], cl
0041A2D4 E8 387C0100 call 00431F11
0041A2D9 8B4D FC mov ecx, dword ptr [ebp-4]
0041A2DC 83C4 0C add esp, 0C
0041A2DF FF45 FC inc dword ptr [ebp-4]
0041A2E2 817D FC 8900000>cmp dword ptr [ebp-4], 89 //89=137
0041A2E9 88840D 00FEFFFF mov byte ptr [ebp+ecx-200], al
0041A2F0 ^ 72 BB jb short 0041A2AD //注册码转换为137位16进制数
0041A2F2 6A 20 push 20 //例31=1 32=2 合并,转换成12 存放堆栈0012D230
0041A2F4 8D45 C0 lea eax, dword ptr [ebp-40]
0041A2F7 50 push eax
0041A2F8 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
0041A2FE 68 89000000 push 89
0041A303 50 push eax
0041A304 E8 45FBFFFF call 00419E4E //对注册码进行第一次异或运算
0041A309 83C4 10 add esp, 10
0041A30C C745 FC FA00000>mov dword ptr [ebp-4], 0FA //常量FA ,第二次循环异或运算开始
0041A313 8A55 FC mov dl, byte ptr [ebp-4] //将FA传递给DL
0041A316 8D85 00FEFFFF lea eax, dword ptr [ebp-200] //再次出现注册异或后的注册码表
0041A31C 68 89000000 push 89 //89再次出现,作为常量
0041A321 50 push eax
0041A322 E8 54FBFFFF call 00419E7B //用FA参与注册表中的值异或运算
0041A327 FF4D FC dec dword ptr [ebp-4] // FA-1=F9,依次递减1
0041A32A 3975 FC cmp dword ptr [ebp-4], esi
0041A32D 59 pop ecx
0041A32E 59 pop ecx
0041A32F ^ 7F E2 jg short 0041A313 //由FA开头依次递减1的异或注册码循环
0041A331 80A5 FCFCFFFF 0>and byte ptr [ebp-304], 0
0041A338 80A5 6BFFFFFF 0>and byte ptr [ebp-95], 0
0041A33F 8065 8D 00 and byte ptr [ebp-73], 0
0041A343 8065 D0 00 and byte ptr [ebp-30], 0
0041A347 80A5 4BFFFFFF 0>and byte ptr [ebp-B5], 0
0041A34E 6A 40 push 40
0041A350 33C0 xor eax, eax
0041A352 59 pop ecx
0041A353 8DBD FDFCFFFF lea edi, dword ptr [ebp-303]
进入 call 00419E4E
00419E4E 55 push ebp
00419E4F 8BEC mov ebp, esp
00419E51 56 push esi
00419E52 33F6 xor esi, esi //置零
00419E54 33C9 xor ecx, ecx //置零
00419E56 3975 0C cmp dword ptr [ebp+C], esi
00419E59 76 1B jbe short 00419E76
00419E5B 8B45 08 mov eax, dword ptr [ebp+8] //注册码
00419E5E 8B55 10 mov edx, dword ptr [ebp+10] //依次取堆栈中的值与注册码异或
00419E61 8A1411 mov dl, byte ptr [ecx+edx] //第一次dl=50,依次类推,见异或表
00419E64 03C6 add eax, esi
00419E66 3010 xor byte ptr [eax], dl //50 xor 12=42 F0 xor 34=C4
00419E68 41 inc ecx //依次类推
00419E69 3B4D 14 cmp ecx, dword ptr [ebp+14] //EBP+14=20=32
00419E6C 72 02 jb short 00419E70
00419E6E 33C9 xor ecx, ecx //20为一组进行异或运算
00419E70 46 inc esi
00419E71 3B75 0C cmp esi, dword ptr [ebp+C] //EBP+C=89=137
00419E74 ^ 72 E5 jb short 00419E5B
00419E76 33C0 xor eax, eax
00419E78 5E pop esi
00419E79 5D pop ebp
00419E7A C3 retn
保存变化的码表,以方便以后对注册码变化进行跟踪
注册码表
0012D230 12 34 56 78 9A BC DE F1 23 45 67 89 AB CD EF 12 B4Vx毤揆#Eg壂惋
0012D240 34 56 78 9A BC DE F1 23 45 67 89 AB CD EF 12 34 4Vx毤揆#Eg壂惋4
0012D250 56 78 9A BC DE F1 23 45 67 89 AB CD EF 12 34 56 Vx毤揆#Eg壂惋4V
0012D260 78 9A BC DE F1 23 45 67 89 AB CD EF 12 34 56 78 x毤揆#Eg壂惋4Vx
0012D270 9A BC DE F1 23 45 67 89 AB CD EF 12 34 56 78 9A 毤揆#Eg壂惋4Vx
0012D280 BC DE F1 23 45 67 89 AB CD EF 12 34 56 78 9A BC 嫁?Eg壂惋4Vx毤
0012D290 DE F1 23 45 67 89 AB CD EF 12 34 56 78 9A BC DE 揆#Eg壂惋4Vx毤
0012D2A0 F1 23 45 67 89 AB CD EF 12 34 56 78 9A BC DE F1 ?Eg壂惋4Vx毤揆
0012D2B0 23 45 67 89 AB CD EF 12 34 //特殊注意一下 4C 70 #Eg壂惋4 Lp
异或码表
0012D3F0 50 F0 A0 BA BE CA F1 05 CA F0 A0 BE 30 CA F1 DE P馉壕蜀署牼0蜀
0012D400 50 F0 AC 40 30 BA F1 05 52 F0 A5 40 30 BA F1 05 P瓞@0厚R馥@0厚
注册码异或后的码表
0012D223 00 00 00 00 00 00 00 00 00 00 00 00 00 42 C4 F6 .............B啮
0012D233 C2 24 76 2F F4 E9 B5 C7 37 9B 07 1E CC 64 A6 D4 ?v/糸登7?蘢υ
0012D243 DA 8C 64 00 26 17 97 2C EB FD 55 E3 31 06 88 3A 趯d.&?臊U??
0012D253 06 60 3B D2 40 AD 79 0B 73 DF D8 C5 88 28 6A 10 `;褸瓂s哓艌(j
0012D263 9E C1 99 B4 62 DB 5B 68 AF 22 8E A7 7D CA 4C 7E 灹櫞b踇h?帶}蔐~
0012D273 4B 9D 8F 96 8C 61 3D 4F AC 04 9C 89 44 EC 2E 5D K潖枌a=O?湁D?]
0012D283 63 75 DD 78 AE 9F 1F B7 74 66 C2 6B B9 8E 01 83 cu輝疅穞f耴箮
0012D293 FF D9 43 5A C8 25 E2 94 E8 48 50 4D 00 A1 D3 E9 貱Z?鈹鐷PM.∮
0012D2A3 27 B9 11 3C EA 40 C4 F3 38 AA 06 2F F4 73 B5 C7 '?<闌捏8?/魋登
0012D2B3 33 15 07 1E 17 FE 4C 70 00 00 00 00 00 00 00 00 3﨤p........
进入 call 00419E7B
00419E7B 33C9 xor ecx, ecx
00419E7D 394C24 08 cmp dword ptr [esp+8], ecx
00419E81 76 11 jbe short 00419E94
00419E83 8B4424 04 mov eax, dword ptr [esp+4] //异或后的注册码表,堆栈0012D230
00419E87 03C1 add eax, ecx
00419E89 3010 xor byte ptr [eax], dl //FA异或注册码表中的第一个值
00419E8B 0210 add dl, byte ptr [eax] //FA+异或后的值=DL 再与第二个值运算
00419E8D 41 inc ecx //依次类推 42 xor FA=B8
00419E8E 3B4C24 08 cmp ecx, dword ptr [esp+8]//B8+FA=1B2,取后两位 C4 xor B2=76
00419E92 ^ 72 EF jb short 00419E83 // esp+8=89=137
00419E94 33C0 xor eax, eax
00419E96 C3 retn
第一次异或后的码表
0012D230 B8 76 DE C4 EE CE A9 DB E3 58 82 F0 2C E4 D9 6C 竩弈钗┷鉞傪,滟l
0012D240 68 D2 92 02 56 54 84 2E 21 C0 3B B9 F6 54 B6 3A h覓VT?!?滚T?
0012D250 43 00 B2 3C 16 B7 91 94 C5 54 8A 78 5C 07 23 81 C.?窇斉T妜\#
0012D260 A2 46 62 4A DF 64 D5 54 51 80 33 21 8D B2 49 4A bJ遜誘Q€3!嵅IJ
0012D270 4B 80 32 35 2E 6E D9 A4 AD 44 F2 03 B6 F4 D5 75 K€25.n伽璂?遏誹
0012D280 4A DE 93 02 16 A4 65 2C 31 C0 28 B3 1C 54 81 D2 J迵,1??T佉
0012D290 B3 F1 62 BC 26 66 D1 94 D5 27 78 8C B8 F8 ED 8D 绸b?f褦?x尭
0012D2A0 BB 06 32 2A 8E D4 A5 D4 52 A0 F7 C3 14 D4 89 DB ?2*幵ピR狑?詨
0012D2B0 79 36 7E 04 2E 6E C9 B7 A9 4C 70 y6~.n煞㎜p..
最后一次异或后的码表
0012D230 B9 44 58 58 7E 40 E2 FC 05 FD 98 CA 16 82 4D 0D 笵XX~@恻龢?侻.
0012D240 A7 6D 9E 24 90 3A 87 B1 46 7C 87 50 F9 AE E9 91 ??嚤F|嘝閼
0012D250 F1 11 37 8E B9 7F B5 E8 FE DE 7D A0 21 82 21 EA ?7幑佃}??
0012D260 19 5E E1 D0 A8 2F 96 85 4E FF 72 4A F6 A8 7D 8E ^嵝?枀NrJ雳}
0012D270 31 DC B6 37 C1 08 BE B7 A0 AF F2 AE 4A F4 85 4F 1芏7?痉牤虍J魠O
0012D280 21 B9 D1 3D 9E 04 2E F4 FC 74 37 4C 91 6A 3B 81 !寡=?.酎t7L慾;
0012D290 07 28 B0 2A 89 66 98 20 C0 38 AF B8 11 E0 D9 02 (?塮??噘
0012D2A0 A2 7F 95 2C 5D 30 76 A9 26 03 5C 40 BC 86 71 6D ??]0v?\@紗qm
0012D2B0 0A 36 92 94 F4 36 DE 29 22 4C 70 00 00 00 00 00 .6挃??"Lp.....
0041A4E0 8D85 FCFCFFFF lea eax, dword ptr [ebp-304]
0041A4E6 50 push eax
0041A4E7 FFD7 call edi
0041A4E9 8BF8 mov edi, eax
0041A4EB 56 push esi
0041A4EC 57 push edi
0041A4ED FF55 F4 call dword ptr [ebp-C] ;kernel32.GetFileSize
0041A4F0 3D 801A0600 cmp eax, 61A80
0041A4F5 0F87 47030000 ja 0041A842
0041A4FB 56 push esi
0041A4FC 57 push edi
0041A4FD FF55 F4 call dword ptr [ebp-C] ;kernel32.GetFileSize
0041A500 3D 7F1A0600 cmp eax, 61A7F
0041A505 0F87 37030000 ja 0041A842
0041A50B 56 push esi
0041A50C 57 push edi
0041A50D FF55 F4 call dword ptr [ebp-C] ;kernel32.GetFileSize
0041A510 3D 70F30500 cmp eax, 5F370
0041A515 0F87 27030000 ja 0041A842 //校验文件大小
0041A51B 83FF FF cmp edi, -1
0041A51E 74 07 je short 0041A527
0041A520 57 push edi
0041A521 FF15 14B24300 call dword ptr [43B214] ;CloseHandle
0041A527 BF 89000000 mov edi, 89
0041A52C 57 push edi
0041A52D 8D85 00FEFFFF lea eax, dword ptr [ebp-200]
0041A533 50 push eax
0041A534 8D85 8CFEFFFF lea eax, dword ptr [ebp-174]
0041A53A 50 push eax
0041A53B E8 C0710100 call 00431700
0041A540 8D85 8CFEFFFF lea eax, dword ptr [ebp-174]
0041A546 50 push eax
0041A547 8BC7 mov eax, edi
0041A549 89B5 0DFFFFFF mov dword ptr [ebp-F3], esi
0041A54F 89B5 11FFFFFF mov dword ptr [ebp-EF], esi
0041A555 89B5 8CFEFFFF mov dword ptr [ebp-174], esi
0041A55B E8 46F7FFFF call 00419CA6 //运算真注册码与异或注册码表比较
0041A560 83C4 10 add esp, 10 //密码表见堆栈0012D2B4
0041A563 3985 81FEFFFF cmp dword ptr [ebp-17F], eax
0041A569 8985 0DFFFFFF mov dword ptr [ebp-F3], eax
0041A56F 0F85 C8070000 jnz 0041AD3D //此处不能跳,一跳就OVER
//判断注册码表的第266位至270位的值是否等于(F4949236),整个异或后注册码表的乘积(3BD552DC)。
进入call 00419CA6
00419CA6 55 push ebp
00419CA7 8BEC mov ebp, esp
00419CA9 51 push ecx
00419CAA 53 push ebx
00419CAB 56 push esi
00419CAC 8D70 FF lea esi, dword ptr [eax-1]
00419CAF 85F6 test esi, esi
00419CB1 BB 09BADCFE mov ebx, FEDCBA09 //EBX=FEDCBA09
00419CB6 7C 53 jl short 00419D0B
00419CB8 57 push edi
00419CB9 8BFE mov edi, esi //esi=edi=88
00419CBB 0FAFF8 imul edi, eax //88*89=48C8
00419CBE F7D8 neg eax //neg 89= FFFFFF77
00419CC0 8945 FC mov dword ptr [ebp-4], eax
00419CC3 8B45 08 mov eax, dword ptr [ebp+8]
00419CC6 0FB60406 movzx eax, byte ptr [esi+eax]
00419CCA 8D0C38 lea ecx, dword ptr [eax+edi] //ECX=48C8
00419CCD 03CB add ecx, ebx //ECX+EBX=48C8+FEDCBA09=FEDD02D1
00419CCF 8BD0 mov edx, eax //EDX清零
00419CD1 C1EA 06 shr edx, 6 //edx 左移6位
00419CD4 42 inc edx //EDX=1
00419CD5 0FAFCA imul ecx, edx //ECX*EDX=ECX=FEDD02D1
00419CD8 8D14C5 01000000 lea edx, dword ptr [eax*8+1]
00419CDF 69C0 20400000 imul eax, eax, 4020 //eax=0
00419CE5 0FAFCA imul ecx, edx //ECX*EDX=ECX=FEDD02D1
00419CE8 69C9 01020000 imul ecx, ecx, 201 //ECX=B8E2A4D1
00419CEE 2BC8 sub ecx, eax
00419CF0 8BD9 mov ebx, ecx //EBX=B8E2A4D1
00419CF2 8BC6 mov eax, esi
00419CF4 99 cdq
00419CF5 6A 06 push 6
00419CF7 59 pop ecx //ECX=6
00419CF8 F7F9 idiv ecx //EAX=88 ecx=6 =>eax=16 ecx=6 edx=4
00419CFA 037D FC add edi, dword ptr [ebp-4]
00419CFD 8BC3 mov eax, ebx //EAX=EBX=B8E2A4D1
00419CFF 8BCA mov ecx, edx //ECX=EDX=4
00419D01 D3E0 shl eax, cl //B8E2A4D1 shl 4 = 8E2A4D10
00419D03 03D8 add ebx, eax //B8E2A4D1+8E2A4D10 = 470CF1E1
00419D05 4E dec esi // esi-1=88-1=87
00419D06 85F6 test esi, esi
00419D08 ^ 7D B9 jge short 00419CC3
00419D0A 5F pop edi
00419D0B 5E pop esi
00419D0C 8BC3 mov eax, ebx
00419D0E 5B pop ebx
00419D0F C9 leave
00419D10 C3 retn
//运算中所使用到的密码表
0012D2B4 00 00 00 00 7E 40 E2 FC ...~@恻
0012D2C4 05 FD 98 CA 16 82 4D 0D A7 6D 9E 24 90 3A 87 B1 龢?侻.??嚤
0012D2D4 46 7C 87 50 F9 AE E9 91 F1 11 37 8E B9 7F B5 E8 F|嘝閼?7幑佃
0012D2E4 FE DE 7D A0 21 82 21 EA 19 5E E1 D0 A8 2F 96 85 }???^嵝?枀
0012D2F4 4E FF 72 4A F6 A8 7D 8E 31 DC B6 37 C1 08 BE B7 NrJ雳}?芏7?痉
0012D304 A0 AF F2 AE 4A F4 85 4F 21 B9 D1 3D 9E 04 2E F4 牤虍J魠O!寡=?.
0012D314 FC 74 37 4C 91 6A 3B 81 07 28 B0 2A 89 66 98 20 黷7L慾;?(?塮?
0012D324 C0 38 AF B8 11 E0 D9 02 A2 7F 95 2C 5D 30 76 A9 ?噘??]0v
0012D334 26 03 5C 40 BC 86 71 6D 0A 00 00 00 00 00 00 00 &\@紗qm........
0012D344 00 .
//运算后密码表,将运算的结果存放到密码表的尾部
0012BD09 00 00 00 00 00 7E ..~
0012BD19 40 E2 FC 05 FD 98 CA 16 82 4D 0D A7 6D 9E 24 90 @恻龢?侻.?
0012BD29 3A 87 B1 46 7C 87 50 F9 AE E9 91 F1 11 37 8E B9 :嚤F|嘝閼?7幑
0012BD39 7F B5 E8 FE DE 7D A0 21 82 21 EA 19 5E E1 D0 A8 佃}???^嵝
0012BD49 2F 96 85 4E FF 72 4A F6 A8 7D 8E 31 DC B6 37 C1 /枀NrJ雳}?芏7
0012BD59 08 BE B7 A0 AF F2 AE 4A F4 85 4F 21 B9 D1 3D 9E 痉牤虍J魠O!寡=
0012BD69 04 2E F4 FC 74 37 4C 91 6A 3B 81 07 28 B0 2A 89 .酎t7L慾;?(?
0012BD79 66 98 20 C0 38 AF B8 11 E0 D9 02 A2 7F 95 2C 5D f??噘??]
0012BD89 30 76 A9 26 03 5C 40 BC 86 71 6D 0A DC 52 D5 3B 0v?\@紗qm.躌?
0012BD99 00 22 19 A7 。 。 。 。 ."Ы
。 。 。 。
//以上数字下有句号的地方是运算后求出值的地方。也是关键的比较地方
DC 52 D5 3B =36 92 94 F4
00 22 19 A7 =36 DE 29 22
0041A820 FF55 F4 call dword ptr [ebp-C]
0041A823 3D 801A0600 cmp eax, 61A80 //校验文件的大小
0041A828 77 18 ja short 0041A842
0041A82A 56 push esi
0041A82B 57 push edi
0041A82C FF55 F4 call dword ptr [ebp-C]
0041A82F 3D 7F1A0600 cmp eax, 61A7F //校验文件的大小
0041A834 77 0C ja short 0041A842
0041A836 56 push esi
0041A837 57 push edi
0041A838 FF55 F4 call dword ptr [ebp-C] //校验文件的大小
0041A83B 3D 70F30500 cmp eax, 5F370
0041A840 76 19 jbe short 0041A85B
0041A842 E8 59420100 call 0042EAA0
0041A847 50 push eax
0041A848 56 push esi
0041A849 6A 01 push 1
0041A84B FF15 B0B14300 call dword ptr [43B1B0]
0041A851 56 push esi
0041A852 50 push eax
0041A853 FF55 F0 call dword ptr [ebp-10]
0041A856 ^ E9 DDF8FFFF jmp 0041A138
0041A85B 83FF FF cmp edi, -1
0041A85E 74 07 je short 0041A867
0041A860 57 push edi
0041A861 FF15 14B24300 call dword ptr [43B214]
0041A867 8B85 85FEFFFF mov eax, dword ptr [ebp-17B]
0041A86D 3B85 11FFFFFF cmp eax, dword ptr [ebp-EF] // EAX=2229DE36 ebp-EF=A7192200 熟悉吧。哈哈
0041A873 0F85 C4040000 jnz 0041AD3D //跳就死
0041A879 8DB5 00FEFFFF lea esi, dword ptr [ebp-200]
0041A87F E8 A1F3FFFF call 00419C25 //关键运算
0041A884 85C0 test eax, eax
0041A886 0F85 B1040000 jnz 0041AD3D //此处应该不跳转才是正确的。
进入call 00419C25 由堆栈的值,可以看到此处调用了最后一次异或的注册码表
00419C2F 53 push ebx
00419C30 57 push edi
00419C31 6A 10 push 10
00419C33 33C0 xor eax, eax
00419C35 59 pop ecx
00419C36 8D7D B9 lea edi, dword ptr [ebp-47]
00419C39 F3:AB rep stos dword ptr es:[edi]
00419C3B 66:AB stos word ptr es:[edi]
00419C3D 33C9 xor ecx, ecx
00419C3F AA stos byte ptr es:[edi]
00419C40 894D FC mov dword ptr [ebp-4], ecx
00419C43 8A440E 24 mov al, byte ptr [esi+ecx+24]
00419C47 84C0 test al, al //判断B9=00
00419C49 75 07 jnz short 00419C52
00419C4B C745 FC 0100000>mov dword ptr [ebp-4], 1
00419C52 83F9 09 cmp ecx, 9 //进行9次循环xor运算
00419C55 76 06 jbe short 00419C5D
00419C57 837D FC 00 cmp dword ptr [ebp-4], 0
00419C5B 75 2D jnz short 00419C8A
00419C5D 837D FC 00 cmp dword ptr [ebp-4], 0
00419C61 6A 0A push 0A
00419C63 0F95C3 setne bl
00419C66 FECB dec bl
00419C68 33D2 xor edx, edx
00419C6A 5F pop edi
00419C6B 23D8 and ebx, eax //此处算术运算很重要
00419C6D 8BC1 mov eax, ecx //用确定异域表中字符的位置
00419C6F F7F7 div edi
00419C71 8BC1 mov eax, ecx
00419C73 83E0 07 and eax, 7
00419C76 8A5432 71 mov dl, byte ptr [edx+esi+71]
00419C7A 325430 68 xor dl, byte ptr [eax+esi+68]
00419C7E 32D3 xor dl, bl
00419C80 88540D B8 mov byte ptr [ebp+ecx-48], dl
00419C84 41 inc ecx
00419C85 83F9 44 cmp ecx, 44 //计数器,要循环44次产生68位的表
00419C88 ^ 72 B9 jb short 00419C43
00419C8A 6A 0F push 0F
00419C8C 8D45 B8 lea eax, dword ptr [ebp-48]
00419C8F 68 E4F64400 push 0044F6E4 ; ASCII "Gjah`qz$Dwfswgq"
00419C94 50 push eax //上面字符串用来进行注册码最后一次的判断
00419C95 E8 06950100 call 004331A0 //关键的运算
00419C9A 83C4 0C add esp, 0C
00419C9D F7D8 neg eax
00419C9F 1BC0 sbb eax, eax
00419CA1 5F pop edi
00419CA2 40 inc eax
00419CA3 5B pop ebx
00419CA4 C9 leave
00419CA5 C3 retn
上面运算后所生成的68位新的表
0012B824 06 D2 36 0D DF 48 0D 84 E2 E6 F1 C7 24 E3 08 A4 ?.逪.勨骜??
0012B834 C1 31 3A 61 20 8A 87 15 06 E6 7B 10 23 60 10 A0 ?:a 妵鎨#`
0012B844 2D 6D 21 79 18 69 28 F0 F5 59 06 AA 00 2F A1 19 -m!yi(瘐Y?/?
0012B854 5D 60 FE D9 C1 C9 DE 38 F8 74 97 65 69 5D 45 75 ]`辽?鴗梕i]Eu
0012B864 79 28 9E BE y(灳.
最后一次异或后的码表
0012D230 B9 44 58 58 7E 40 E2 FC 05 FD 98 CA 16 82 4D 0D 笵XX~@恻龢?侻.
0012D240 A7 6D 9E 24 90 3A 87 B1 46 7C 87 50 F9 AE E9 91 ??嚤F|嘝閼
0012D250 F1 11 37 8E B9 7F B5 E8 FE DE 7D A0 21 82 21 EA ?7幑佃}??
0012D260 19 5E E1 D0 A8 2F 96 85 4E FF 72 4A F6 A8 7D 8E ^嵝?枀NrJ雳}
0012D270 31 DC B6 37 C1 08 BE B7 A0 AF F2 AE 4A F4 85 4F 1芏7?痉牤虍J魠O
0012D280 21 B9 D1 3D 9E 04 2E F4 FC 74 37 4C 91 6A 3B 81 !寡=?.酎t7L慾;
0012D290 07 28 B0 2A 89 66 98 20 C0 38 AF B8 11 E0 D9 02 (?塮??噘
0012D2A0 A2 7F 95 2C 5D 30 76 A9 26 03 5C 40 BC 86 71 6D ??]0v?\@紗qm
0012D2B0 0A 36 92 94 F4 36 DE 29 22 4C 70 00 00 00 00 00 .6挃??"Lp.....
7f xor c0 xor b9
38 xor 95 xor 7f
2c xor af xor b5
5d xor b8 xor E5
30 xor 11 xor fe
76 xor e0 xor de
a9 xor d9 xor 7d
26 xor 02 xor a0
c0 xor 03 xor 21
38 xor 5c xor 82
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
- [原创]Port Explorer算法分析 7101
- [原创]Arila Sound Recorder (RSA)分析 6265
- [转帖]高手眼中的starforce破解方式 6687
- [推荐]StarForce破解方法 4763
- [推荐]拷贝保护光盘用的软件 6897
