【文章标题】: iawen CM-9 算法分析
【文章作者】: samisgod
【作者邮箱】: 21gh@163.com
【软件名称】: iawen CM-9
【下载地址】: http://bbs.pediy.com/showthread.php?t=80299
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
某日闲的看见此CM,决定一玩...
怎么找验证函数不说了,难度不大
下面贴下验证函数
验证部分主要分为2部分:前16位注册码与用户名MD5十六进制串的逐位比对,以及用后4位作为异或密钥解码一段代码
前一部分(16位全部匹配)正确后才会进入第二部分;任何一位不匹配都直接跳到00401726返回,本函数内不弹任何提示
第二部分起始点(00401622)我标记为The Proc2
这个CM共有2次大循环,两次情况我用/隔开,不代表除法
;-----------------------------------------------------------------------
; sub_401210 - serial check of iawen CM-9 (OllyDbg listing, 32-bit x86,
; MSVC-style frame). Callers and any arguments are not visible here.
;
; Globals (inferred from the addresses used below, no symbols available):
;   0040C6E0        user name, NUL-terminated
;   0040C7A8        serial as typed: bytes 0..15 are matched against the
;                   hash text, bytes 16..19 are the XOR key of stage 2
;   0040C6D8/C6D4   start / end (exclusive) of the code region decoded
;                   in stage 2 (set to 004016E8 / 00401726 on entry)
;
; Stage 1 (00401274..0040161D): hash the user name (the author labels
;   00401740/00401790/00401840 as MD5 init/update/final - presumably; only
;   the 16-byte result at [ebp-100] and its 32-char hex text at [ebp-1D8]
;   are visible), then walk the serial in four "spiral" sub-loops over two
;   outer passes, comparing serial[pos] with hex digit [ebp-25] (0..0x0F).
;   Any mismatch jumps straight to the epilogue at 00401726 (fail).
; Stage 2 (00401622..004016E7): NO check at all. The bytes at
;   004016E8..00401725 are XOR-decoded in place with serial[16..19] and
;   then executed by falling through. A wrong 4-char key is never rejected;
;   it yields garbage code (crash / undefined behaviour).
;
; Locals: [ebp-25] hex-digit cursor, [ebp-2C] state 1..4 (which sub-loop
;   runs next), [ebp-30] K2, [ebp-23C] K1, [ebp-20] K3, [ebp-1E0] K4,
;   [ebp-244]/[ebp-248] sub-loop counters, [ebp-24] decode pointer,
;   [ebp-1DC] key index (16..19), [ebp-108] bytes left to decode,
;   [ebp-1C] MEMORY_BASIC_INFORMATION (0x1C bytes), [ebp-8] old protect.
;-----------------------------------------------------------------------
00401210 $ 55 push ebp
00401211 . 8BEC mov ebp, esp
00401213 . 81EC 58020000 sub esp, 258 ; 0x258 bytes of locals
00401219 . A1 04B04000 mov eax, dword ptr [40B004] ; NOTE(review): looks like the MSVC /GS cookie (__security_cookie) - confirm
0040121E . 33C5 xor eax, ebp
00401220 . 8945 CC mov dword ptr [ebp-34], eax ; cookie ^ ebp, re-checked at 00401729
00401223 . 53 push ebx
00401224 . 56 push esi
00401225 . 57 push edi
00401226 . C705 D8C64000 E816>mov dword ptr [40C6D8], 004016E8 ; start of the region decoded in stage 2
00401230 . C705 D4C64000 2617>mov dword ptr [40C6D4], 00401726 ; end (exclusive) of that region
0040123A . C685 00FFFFFF 00 mov byte ptr [ebp-100], 0
00401241 . 68 C7000000 push 0C7
00401246 . 6A 00 push 0
00401248 . 8D85 01FFFFFF lea eax, dword ptr [ebp-FF]
0040124E . 50 push eax
0040124F . E8 1C510000 call 00406370 ; presumably memset([ebp-FF], 0, 0xC7): zero the raw-hash buffer at [ebp-100]
00401254 . 83C4 0C add esp, 0C
00401257 . C685 28FEFFFF 00 mov byte ptr [ebp-1D8], 0
0040125E . 68 C7000000 push 0C7
00401263 . 6A 00 push 0
00401265 . 8D8D 29FEFFFF lea ecx, dword ptr [ebp-1D7]
0040126B . 51 push ecx
0040126C . E8 FF500000 call 00406370 ; same for the hex-text buffer at [ebp-1D8]
00401271 . 83C4 0C add esp, 0C
00401274 . 68 C8000000 push 0C8
00401279 . 6A 00 push 0
0040127B . 8D95 28FEFFFF lea edx, dword ptr [ebp-1D8]
00401281 . 52 push edx
00401282 . E8 E9500000 call 00406370 ; cleared once more, 0xC8 bytes from [ebp-1D8]
00401287 . 83C4 0C add esp, 0C
0040128A . C785 B4FDFFFF E0C6>mov dword ptr [ebp-24C], 0040C6E0 ; p = user name
00401294 . 8B85 B4FDFFFF mov eax, dword ptr [ebp-24C]
0040129A . 83C0 01 add eax, 1
0040129D . 8985 B0FDFFFF mov dword ptr [ebp-250], eax ; [ebp-250] = p + 1
004012A3 > 8B8D B4FDFFFF mov ecx, dword ptr [ebp-24C] ; inline strlen: advance p until the NUL is read
004012A9 . 8A11 mov dl, byte ptr [ecx]
004012AB . 8895 AFFDFFFF mov byte ptr [ebp-251], dl
004012B1 . 8385 B4FDFFFF 01 add dword ptr [ebp-24C], 1
004012B8 . 80BD AFFDFFFF 00 cmp byte ptr [ebp-251], 0
004012BF .^ 75 E2 jnz short 004012A3
004012C1 . 8B85 B4FDFFFF mov eax, dword ptr [ebp-24C]
004012C7 . 2B85 B0FDFFFF sub eax, dword ptr [ebp-250] ; (p past NUL) - (p0 + 1) = strlen(name)
004012CD . 8985 A8FDFFFF mov dword ptr [ebp-258], eax
004012D3 . 8B8D A8FDFFFF mov ecx, dword ptr [ebp-258]
004012D9 . 898D F4FEFFFF mov dword ptr [ebp-10C], ecx ; [ebp-10C] = name length
004012DF . 8D95 C8FDFFFF lea edx, dword ptr [ebp-238] ; hash context lives at [ebp-238]
004012E5 . 52 push edx
004012E6 . 33DB xor ebx, ebx
004012E8 . 33FF xor edi, edi
004012EA . 33D2 xor edx, edx
004012EC . 33C9 xor ecx, ecx
004012EE . E8 4D040000 call 00401740 ; context init (author: MD5Init - not verified here)
004012F3 . 83C4 04 add esp, 4
004012F6 . 68 E0C64000 push 0040C6E0 ; Username
004012FB . 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C] ; eax = length, ecx = context (register-passing convention)
00401301 . 8D8D C8FDFFFF lea ecx, dword ptr [ebp-238]
00401307 . E8 84040000 call 00401790 ; update(ctx, name, len) per the author
0040130C . 83C4 04 add esp, 4
0040130F . 8DB5 C8FDFFFF lea esi, dword ptr [ebp-238]
00401315 . 8D8D 00FFFFFF lea ecx, dword ptr [ebp-100]
0040131B . E8 20050000 call 00401840 ; final(ctx) -> 16 raw bytes at [ebp-100]; MD5(Username) per the author
00401320 . C785 C0FDFFFF 0000>mov dword ptr [ebp-240], 0 ; i = 0
0040132A . EB 0F jmp short 0040133B
0040132C > 8B85 C0FDFFFF mov eax, dword ptr [ebp-240]
00401332 . 83C0 01 add eax, 1
00401335 . 8985 C0FDFFFF mov dword ptr [ebp-240], eax ; i++
0040133B > 83BD C0FDFFFF 10 cmp dword ptr [ebp-240], 10
00401342 . 7D 2D jge short 00401371 ; for i in 0..15
00401344 . 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
0040134A . 0FB6940D 00FFFFFF movzx edx, byte ptr [ebp+ecx-100] ; hash[i]
00401352 . 52 push edx ; /<%02X>
00401353 . 68 64A34000 push 0040A364 ; |%02x  NOTE(review): Olly shows the format as lowercase "%02x"; the serial digits are compared byte-for-byte below, so their case must match
00401358 . 8B85 C0FDFFFF mov eax, dword ptr [ebp-240] ; |
0040135E . 8D8C45 28FEFFFF lea ecx, dword ptr [ebp+eax*2-1D8] ; |dst = hex text + 2*i
00401365 . 51 push ecx ; |s
00401366 . FF15 F4904000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
0040136C . 83C4 0C add esp, 0C ; raw hash -> 32-char hex text at [ebp-1D8]
0040136F .^ EB BB jmp short 0040132C
00401371 > C645 DB 00 mov byte ptr [ebp-25], 0 ; [ebp-25] = 0: index of the next hex digit to match
00401375 . C745 D0 00000000 mov dword ptr [ebp-30], 0 ; [ebp-30] = 0, call it GLO.K2
0040137C . C785 C4FDFFFF 0000>mov dword ptr [ebp-23C], 0 ; [ebp-23C] = 0, call it GLO.K1
00401386 . C745 E0 04000000 mov dword ptr [ebp-20], 4 ; [ebp-20] = 4, call it GLO.K3
0040138D . C785 20FEFFFF 0400>mov dword ptr [ebp-1E0], 4 ; [ebp-1E0] = 4, call it GLO.K4
00401397 . C745 D4 01000000 mov dword ptr [ebp-2C], 1 ; [ebp-2C] = 1: state, selects the next sub-loop
0040139E > BA 01000000 mov edx, 1 ; outer loop entry (two passes in total; values below are pass1 / pass2)
004013A3 . 85D2 test edx, edx
004013A5 . 0F84 77020000 je 00401622 ; edx == 1 here, never taken (compiler-emitted while(1))
004013AB . 8B45 D0 mov eax, dword ptr [ebp-30]
004013AE . 8985 B8FDFFFF mov dword ptr [ebp-248], eax ; [ebp-248] = GLO.K2
004013B4 . 8B8D C4FDFFFF mov ecx, dword ptr [ebp-23C] ; GLO.K1 is incremented once per outer pass
004013BA . 898D BCFDFFFF mov dword ptr [ebp-244], ecx ; Cir1.S1 = [ebp-244] = GLO.K1
004013C0 . 837D D4 01 cmp dword ptr [ebp-2C], 1
004013C4 . 75 6F jnz short 00401435 ; state != 1 -> skip sub-loop 1
004013C6 . 8B95 C4FDFFFF mov edx, dword ptr [ebp-23C] ; Cir1.S1 = GLO.K1
004013CC . 8995 BCFDFFFF mov dword ptr [ebp-244], edx
004013D2 . EB 0F jmp short 004013E3
004013D4 > 8B85 BCFDFFFF mov eax, dword ptr [ebp-244] ; ------- sub-loop 1 -------
004013DA . 83C0 01 add eax, 1 ; [ebp-1E0] is Cir1.Max; it is decremented when sub-loop 2 finishes
004013DD . 8985 BCFDFFFF mov dword ptr [ebp-244], eax ; Cir1.S1++
004013E3 > 8B8D BCFDFFFF mov ecx, dword ptr [ebp-244] ; Cir1.S1 is the loop counter
004013E9 . 3B8D 20FEFFFF cmp ecx, dword ptr [ebp-1E0] ; stop when Cir1.S1 >= GLO.K4
004013EF . 7D 34 jge short 00401425
004013F1 . 8B95 B8FDFFFF mov edx, dword ptr [ebp-248] ; 4 compares on pass 1, 2 on pass 2
004013F7 . 8B85 BCFDFFFF mov eax, dword ptr [ebp-244] ; 40C7A8 = serial as typed
004013FD . 0FBE8C90 A8C74000 movsx ecx, byte ptr [eax+edx*4+40C7A8] ; serial[Cir1.S1 + GLO.K2*4] (0-based)
00401405 . 0FB655 DB movzx edx, byte ptr [ebp-25] ; i.e. 1-based positions 1 2 3 4 / 6 7
00401409 . 0FBE8415 28FEFFFF movsx eax, byte ptr [ebp+edx-1D8] ; [ebp-1D8] = hex text of the hash
00401411 . 3BC8 cmp ecx, eax ; vs hex digit [ebp-25]: digits 1 2 3 4 / 13 14 (exact byte compare, case-sensitive)
00401413 . 74 05 je short 0040141A
00401415 . E9 0C030000 jmp 00401726 ; mismatch -> fail (straight to the epilogue)
0040141A > 8A4D DB mov cl, byte ptr [ebp-25]
0040141D . 80C1 01 add cl, 1
00401420 . 884D DB mov byte ptr [ebp-25], cl ; [ebp-25]++
00401423 .^ EB AF jmp short 004013D4 ; ------- end sub-loop 1 -------
00401425 > C745 D4 02000000 mov dword ptr [ebp-2C], 2 ; state = 2
0040142C . 8B55 D0 mov edx, dword ptr [ebp-30]
0040142F . 83C2 01 add edx, 1
00401432 . 8955 D0 mov dword ptr [ebp-30], edx ; GLO.K2++
00401435 > 0FB645 DB movzx eax, byte ptr [ebp-25]
00401439 . 83F8 10 cmp eax, 10
0040143C . 7C 05 jl short 00401443
0040143E . E9 DF010000 jmp 00401622 ; all 16 digits matched -> stage 2
00401443 > 837D D4 02 cmp dword ptr [ebp-2C], 2
00401447 . 75 7E jnz short 004014C7 ; state != 2 -> skip sub-loop 2
00401449 . 8B8D BCFDFFFF mov ecx, dword ptr [ebp-244] ; here Cir1.S1 == Cir1.Max
0040144F . 83E9 01 sub ecx, 1
00401452 . 898D BCFDFFFF mov dword ptr [ebp-244], ecx ; Cir1.S1--
00401458 . 8B55 D0 mov edx, dword ptr [ebp-30]
0040145B . 8995 B8FDFFFF mov dword ptr [ebp-248], edx ; [ebp-248] = GLO.K2 = 1 / 2
00401461 . EB 0F jmp short 00401472 ; ------- sub-loop 2 -------
00401463 > 8B85 B8FDFFFF mov eax, dword ptr [ebp-248]
00401469 . 83C0 01 add eax, 1
0040146C . 8985 B8FDFFFF mov dword ptr [ebp-248], eax ; GLO.K3 is decremented when sub-loop 3 finishes
00401472 > 8B8D B8FDFFFF mov ecx, dword ptr [ebp-248] ; [ebp-248] is the loop counter
00401478 . 3B4D E0 cmp ecx, dword ptr [ebp-20] ; stop when >= GLO.K3
0040147B . 7D 34 jge short 004014B1 ; 3 iterations on pass 1, 1 on pass 2
0040147D . 8B95 B8FDFFFF mov edx, dword ptr [ebp-248]
00401483 . 8B85 BCFDFFFF mov eax, dword ptr [ebp-244] ; eax = Cir1.S1
00401489 . 0FBE8C90 A8C74000 movsx ecx, byte ptr [eax+edx*4+40C7A8] ; serial[counter*4 + Cir1.S1]
00401491 . 0FB655 DB movzx edx, byte ptr [ebp-25] ; i.e. positions 8 12 16 / 11
00401495 . 0FBE8415 28FEFFFF movsx eax, byte ptr [ebp+edx-1D8] ; vs hex digits 5 6 7 / 15
0040149D . 3BC8 cmp ecx, eax
0040149F . 74 05 je short 004014A6
004014A1 . E9 80020000 jmp 00401726 ; mismatch -> fail
004014A6 > 8A4D DB mov cl, byte ptr [ebp-25]
004014A9 . 80C1 01 add cl, 1
004014AC . 884D DB mov byte ptr [ebp-25], cl ; [ebp-25]++
004014AF .^ EB B2 jmp short 00401463 ; ------- end sub-loop 2 -------
004014B1 > C745 D4 03000000 mov dword ptr [ebp-2C], 3 ; state = 3
004014B8 . 8B95 20FEFFFF mov edx, dword ptr [ebp-1E0]
004014BE . 83EA 01 sub edx, 1
004014C1 . 8995 20FEFFFF mov dword ptr [ebp-1E0], edx ; GLO.K4--
004014C7 > 0FB645 DB movzx eax, byte ptr [ebp-25]
004014CB . 83F8 10 cmp eax, 10
004014CE . 7C 05 jl short 004014D5
004014D0 . E9 4D010000 jmp 00401622 ; all 16 digits matched -> stage 2
004014D5 > 83BD 20FEFFFF 01 cmp dword ptr [ebp-1E0], 1
004014DC . 7F 05 jg short 004014E3
004014DE . E9 3F010000 jmp 00401622 ; GLO.K4 <= 1 -> stage 1 exhausted, go to stage 2
004014E3 > 837D D4 03 cmp dword ptr [ebp-2C], 3
004014E7 . 0F85 81000000 jnz 0040156E ; state != 3 -> skip sub-loop 3
004014ED . 8B8D B8FDFFFF mov ecx, dword ptr [ebp-248] ; [ebp-248] = GLO.K3 = 4 / 3
004014F3 . 83E9 01 sub ecx, 1
004014F6 . 898D B8FDFFFF mov dword ptr [ebp-248], ecx ; [ebp-248]--
004014FC . 8B95 20FEFFFF mov edx, dword ptr [ebp-1E0]
00401502 . 83EA 01 sub edx, 1
00401505 . 8995 BCFDFFFF mov dword ptr [ebp-244], edx ; [ebp-244] = GLO.K4 - 1 = 2 / 1
0040150B . EB 0F jmp short 0040151C ; ------- sub-loop 3 -------
0040150D > 8B85 BCFDFFFF mov eax, dword ptr [ebp-244]
00401513 . 83E8 01 sub eax, 1
00401516 . 8985 BCFDFFFF mov dword ptr [ebp-244], eax ; [ebp-244]--
0040151C > 8B8D BCFDFFFF mov ecx, dword ptr [ebp-244] ; [ebp-244] is the loop counter (counts down)
00401522 . 3B8D C4FDFFFF cmp ecx, dword ptr [ebp-23C] ; stop when < GLO.K1 (0 on pass 1, 1 on pass 2)
00401528 . 7C 34 jl short 0040155E ; 3 iterations on pass 1, 1 on pass 2
0040152A . 8B95 B8FDFFFF mov edx, dword ptr [ebp-248] ; edx = [ebp-248] = 3 / 2
00401530 . 8B85 BCFDFFFF mov eax, dword ptr [ebp-244]
00401536 . 0FBE8C90 A8C74000 movsx ecx, byte ptr [eax+edx*4+40C7A8] ; serial[edx*4 + counter]
0040153E . 0FB655 DB movzx edx, byte ptr [ebp-25] ; i.e. positions 15 14 13 / 10
00401542 . 0FBE8415 28FEFFFF movsx eax, byte ptr [ebp+edx-1D8] ; vs hex digits 8 9 10 / 16
0040154A . 3BC8 cmp ecx, eax
0040154C . 74 05 je short 00401553
0040154E . E9 D3010000 jmp 00401726 ; mismatch -> fail
00401553 > 8A4D DB mov cl, byte ptr [ebp-25]
00401556 . 80C1 01 add cl, 1
00401559 . 884D DB mov byte ptr [ebp-25], cl ; [ebp-25]++
0040155C .^ EB AF jmp short 0040150D ; ------- end sub-loop 3 -------
0040155E > C745 D4 04000000 mov dword ptr [ebp-2C], 4 ; state = 4
00401565 . 8B55 E0 mov edx, dword ptr [ebp-20] ;
00401568 . 83EA 01 sub edx, 1
0040156B . 8955 E0 mov dword ptr [ebp-20], edx ; GLO.K3--
0040156E > 0FB645 DB movzx eax, byte ptr [ebp-25] ; on pass 2 [ebp-25] reaches 4+3+3+2 + 2+1+1 = 0x10 here
00401572 . 83F8 10 cmp eax, 10
00401575 . 7C 05 jl short 0040157C
00401577 . E9 A6000000 jmp 00401622 ; -> stage 2 (decode)
0040157C > 837D E0 01 cmp dword ptr [ebp-20], 1
00401580 . 7F 05 jg short 00401587
00401582 . E9 9B000000 jmp 00401622 ; GLO.K3 <= 1 -> stage 2
00401587 > 837D D4 04 cmp dword ptr [ebp-2C], 4
0040158B . 0F85 81000000 jnz 00401612 ; state != 4 -> skip sub-loop 4
00401591 . 8B8D BCFDFFFF mov ecx, dword ptr [ebp-244]
00401597 . 83C1 01 add ecx, 1
0040159A . 898D BCFDFFFF mov dword ptr [ebp-244], ecx ; [ebp-244]++ (= 0)
004015A0 . 8B55 E0 mov edx, dword ptr [ebp-20]
004015A3 . 83EA 01 sub edx, 1
004015A6 . 8995 B8FDFFFF mov dword ptr [ebp-248], edx ; [ebp-248] = GLO.K3 - 1 = 2
004015AC . EB 0F jmp short 004015BD ; ------- sub-loop 4 -------
004015AE > 8B85 B8FDFFFF mov eax, dword ptr [ebp-248]
004015B4 . 83E8 01 sub eax, 1
004015B7 . 8985 B8FDFFFF mov dword ptr [ebp-248], eax ; [ebp-248]--
004015BD > 8B8D B8FDFFFF mov ecx, dword ptr [ebp-248] ; [ebp-248] is the loop counter (counts down)
004015C3 . 3B4D D0 cmp ecx, dword ptr [ebp-30] ; stop when < GLO.K2 (= 1)
004015C6 . 7C 34 jl short 004015FC ; 2 iterations (pass 1 only)
004015C8 . 8B95 B8FDFFFF mov edx, dword ptr [ebp-248]
004015CE . 8B85 BCFDFFFF mov eax, dword ptr [ebp-244]
004015D4 . 0FBE8C90 A8C74000 movsx ecx, byte ptr [eax+edx*4+40C7A8] ; serial[counter*4 + 0]
004015DC . 0FB655 DB movzx edx, byte ptr [ebp-25] ; i.e. positions 9 5
004015E0 . 0FBE8415 28FEFFFF movsx eax, byte ptr [ebp+edx-1D8] ; vs hex digits 11 12
004015E8 . 3BC8 cmp ecx, eax
004015EA . 74 05 je short 004015F1
004015EC . E9 35010000 jmp 00401726 ; mismatch -> fail
004015F1 > 8A4D DB mov cl, byte ptr [ebp-25]
004015F4 . 80C1 01 add cl, 1
004015F7 . 884D DB mov byte ptr [ebp-25], cl ; [ebp-25]++
004015FA .^ EB B2 jmp short 004015AE ; ------- end sub-loop 4 -------
004015FC > C745 D4 01000000 mov dword ptr [ebp-2C], 1 ; state = 1
00401603 . 8B95 C4FDFFFF mov edx, dword ptr [ebp-23C]
00401609 . 83C2 01 add edx, 1
0040160C . 8995 C4FDFFFF mov dword ptr [ebp-23C], edx ; GLO.K1++
00401612 > 0FB645 DB movzx eax, byte ptr [ebp-25]
00401616 . 83F8 10 cmp eax, 10
00401619 . 7C 02 jl short 0040161D
0040161B . EB 05 jmp short 00401622
0040161D >^ E9 7CFDFFFF jmp 0040139E ; fewer than 16 digits matched -> next outer pass
00401622 > 8B0D D8C64000 mov ecx, dword ptr [40C6D8] ; stage 2 ("The Proc2"): decode [40C6D8]..[40C6D4] in place
00401628 . 894D DC mov dword ptr [ebp-24], ecx ; p = 004016E8
0040162B . 8B15 D4C64000 mov edx, dword ptr [40C6D4]
00401631 . 2B15 D8C64000 sub edx, dword ptr [40C6D8]
00401637 . 8995 F8FEFFFF mov dword ptr [ebp-108], edx ; bytes to decode = 00401726 - 004016E8 = 0x3E
0040163D . C785 24FEFFFF 1000>mov dword ptr [ebp-1DC], 10 ; key index p2 = 16: key is serial[16..19]
00401647 . 6A 1C push 1C ; /BufSize = 1C (28.)
00401649 . 8D45 E4 lea eax, dword ptr [ebp-1C] ; |MEMORY_BASIC_INFORMATION at [ebp-1C]
0040164C . 50 push eax ; |Buffer
0040164D . 8B4D DC mov ecx, dword ptr [ebp-24] ; |
00401650 . 51 push ecx ; |Address
00401651 . FF15 00904000 call dword ptr [<&KERNEL32.VirtualQuer>; \VirtualQuery  (return value not checked)
00401657 . 8D55 F8 lea edx, dword ptr [ebp-8]
0040165A . 52 push edx ; /pOldProtect
0040165B . 6A 04 push 4 ; |NewProtect = PAGE_READWRITE
0040165D . 8B45 F0 mov eax, dword ptr [ebp-10] ; |mbi.RegionSize
00401660 . 50 push eax ; |Size
00401661 . 8B4D E4 mov ecx, dword ptr [ebp-1C] ; |mbi.BaseAddress
00401664 . 51 push ecx ; |Address
00401665 . FF15 04904000 call dword ptr [<&KERNEL32.VirtualProt>; \VirtualProtect  (whole code region made writable; return value not checked)
0040166B > 8B95 F8FEFFFF mov edx, dword ptr [ebp-108] ; edx = bytes remaining
00401671 . 8B85 F8FEFFFF mov eax, dword ptr [ebp-108]
00401677 . 83E8 01 sub eax, 1
0040167A . 8985 F8FEFFFF mov dword ptr [ebp-108], eax ; remaining-- (old value in edx is tested)
00401680 . 85D2 test edx, edx
00401682 . 74 47 je short 004016CB ; done decoding
00401684 . 8B4D DC mov ecx, dword ptr [ebp-24] ; p
00401687 . 0FB611 movzx edx, byte ptr [ecx] ; cipher byte *p
0040168A . 8B85 24FEFFFF mov eax, dword ptr [ebp-1DC] ; key index p2
00401690 . 0FBE88 A8C74000 movsx ecx, byte ptr [eax+40C7A8] ; key byte = serial[p2], p2 in 16..19
00401697 . 33D1 xor edx, ecx ; plain = cipher ^ key (no check of the result anywhere)
00401699 . 8B45 DC mov eax, dword ptr [ebp-24]
0040169C . 8810 mov byte ptr [eax], dl ; write back in place
0040169E . 8B4D DC mov ecx, dword ptr [ebp-24]
004016A1 . 83C1 01 add ecx, 1
004016A4 . 894D DC mov dword ptr [ebp-24], ecx ; p++
004016A7 . 8B95 24FEFFFF mov edx, dword ptr [ebp-1DC]
004016AD . 83C2 01 add edx, 1
004016B0 . 8995 24FEFFFF mov dword ptr [ebp-1DC], edx ; p2++
004016B6 . 83BD 24FEFFFF 14 cmp dword ptr [ebp-1DC], 14
004016BD . 7C 0A jl short 004016C9 ; after serial[19] wrap back to serial[16] (4-byte repeating key)
004016BF . C785 24FEFFFF 1000>mov dword ptr [ebp-1DC], 10
004016C9 >^ EB A0 jmp short 0040166B
004016CB > 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004016D1 . 50 push eax ; /pOldProtect
004016D2 . 8B4D F8 mov ecx, dword ptr [ebp-8] ; |
004016D5 . 51 push ecx ; |NewProtect = the protection saved above
004016D6 . 8B55 F0 mov edx, dword ptr [ebp-10] ; |
004016D9 . 52 push edx ; |Size
004016DA . 8B45 E4 mov eax, dword ptr [ebp-1C] ; |
004016DD . 50 push eax ; |Address
004016DE . FF15 04904000 call dword ptr [<&KERNEL32.VirtualProt>; \VirtualProtect  (restore; return value not checked)
004016E4 . 40 inc eax
004016E5 . 48 dec eax
004016E6 . 50 push eax
004016E7 . 58 pop eax ; inc/dec/push/pop no-op pair: presumably a marker the author used after compiling to find the region to encrypt
; Encoded bytes follow and are executed by falling through once decoded.
; OllyDbg's disassembly of them below is meaningless until then; with a
; wrong key the CPU executes garbage here.
004016E8 . 22F958F6 dd F658F922
004016EC EA 0755CCD4 0021 jmp far 2100:D4CC5507
004016F3 4D db 4D ; CHAR 'M'
004016F4 C6 db C6
004016F5 77 db 77 ; CHAR 'w'
004016F6 5A db 5A ; CHAR 'Z'
004016F7 F1 db F1
004016F8 38 db 38 ; CHAR '8'
004016F9 . FD920F2D dd 2D0F92FD
004016FD C4 db C4
004016FE AF db AF
004016FF 1A db 1A
00401700 59 db 59 ; CHAR 'Y'
00401701 45 db 45 ; CHAR 'E'
00401702 BE db BE
00401703 6D db 6D ; CHAR 'm'
00401704 22 db 22 ; CHAR '"'
00401705 F9 db F9
00401706 50 db 50 ; CHAR 'P'
00401707 . F4EA0755 dd 5507EAF4
0040170B CC int3
0040170C D5 db D5
0040170D 08 db 08
0040170E 21 db 21 ; CHAR '!'
0040170F 4D db 4D ; CHAR 'M'
00401710 C6 db C6
00401711 53 db 53 ; CHAR 'S'
00401712 3F db 3F ; CHAR '?'
00401713 4F db 4F ; CHAR 'O'
00401714 45 db 45 ; CHAR 'E'
00401715 . 2BF60F2D dd 2D0FF62B
00401719 2F db 2F ; CHAR '/'
0040171A . 2DEC6D47 dd 476DEC2D
0040171E 3F db 3F ; CHAR '?'
0040171F 4F db 4F ; CHAR 'O'
00401720 D2 db D2
00401721 52 db 52 ; CHAR 'R'
00401722 . A9DF6D47 dd 476DDFA9
00401726 > 5F pop edi ; common exit: reached on any mismatch (fail) or after the decoded code runs off its end
00401727 . 5E pop esi
00401728 . 5B pop ebx
00401729 . 8B4D CC mov ecx, dword ptr [ebp-34]
0040172C . 33CD xor ecx, ebp
0040172E . E8 CB080000 call 00401FFE ; stack-cookie check (presumably __security_check_cookie)
00401733 . 8BE5 mov esp, ebp
00401735 . 5D pop ebp
00401736 . C3 retn
整理下得到算法
取用户名MD5的十六进制串(32个字符),只用前16位,记为M1…M16,下标为其所在位数(从1起)
给出个SN对应表
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
M1 M2 M3 M4 M12 M13 M14 M5 M11 M16 M15 M6 M10 M9 M8 M7
例:
用户名 SFL Violator
MD5=07454ce497cfdc36217f0dde5fd32b5b
列下表,后16位扔掉
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 7 4 5 4 C E 4 9 7 C F D C 3 6
对应位置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 7 4 5 F D C 4 C 6 3 C 7 9 4 E
即
0745FDC4C63C794E
注意:00401353处压入的格式串在反汇编里显示为 "%02x"(小写),而00401411等处的比较是逐字节精确比较、区分大小写,因此若输入没有在本函数之外做大小写转换,注册码的十六进制部分应按小写 0745fdc4c63c794e 输入;是否有转换需要在调用处确认。
拼合密钥
即为注册码
下面我们进行密钥推导
从前面的情况看,注册失败会调用MessageBoxA来弹出消息,那么跟据我的
假定,在注册成功后将弹出一个成功提示,且也将使用MessageBoxA方式
Ctrl+N下,看MessageBoxA的调用情况
004010DF . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004010E1 . 68 30A34000 push 0040A330 ; |错误提示
004010E6 . 68 54A34000 push 0040A354 ; |请输入注册码!
004010EB . 6A 00 push 0 ; |hOwner = NULL
004010ED . FF15 FC904000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
直接查看4010ED处的命令
FF 15 FC 90 40 00
而根据前面的解码算法分析,我们需要一个4位字符的密钥(注册码第17~20位,0040163D处从下标0x10开始取,到0x14回绕)。第二阶段只做异或解码后直接执行,没有任何校验,密钥错误不会弹出失败提示而是执行乱码(通常崩溃),所以只能用已知明文来推导密钥。
这里我们开始运算:解码区以00401725结尾(00401726是[40C6D4]所指的结束地址),取其最后6字节,即00401720~00401725处的数据D2 52 A9 DF 6D 47
FF 15 FC 90 40 00
D2 52 A9 DF 6D 47
逐位异或
直接得到密钥
2D 47 55 4F 2D 47
注意到密钥为4位:第5、6字节(2D 47)与第1、2字节相同,正好符合解码循环中密钥每4字节回绕的规律(004016B6处 cmp [ebp-1DC],14),这也反过来验证了"解码区末尾是 call [MessageBoxA]"的假设。
那么最终解码密钥即是2D 47 55 4F
对应ASC为-GUO
连接第一部分注册码,最终得到
0745FDC4C63C794E-GUO
注册成功!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年01月17日 23:18:19