红绡枫叶
发表于 2015-1-11 00:09
本帖最后由 zjh16529 于 2019-6-6 21:48 编辑
Protected Folder,这是一款我比较喜欢的软件,保护文件挺方便的.可以看图:
注册流程是先本地验证,通过后再做网络验证,因此分两部分分析.程序由Delphi 2009编译,字符串默认是UnicodeString(每字符2字节),下面反汇编里对字符位置的字节偏移要按2字节换算.
第一部分: 本地注册算法分析.
首先应该明白Delphi编译器的特点(默认register调用约定):前三个参数依次放在eax,edx,ecx中,多出的参数按声明顺序(从左往右)压栈,由被调函数清栈,即
delphi(eax,edx,ecx,stack...).每个参数位置对应的寄存器是固定的,所以看到eax/edx/ecx就能对应到第1/2/3个参数(下面的方法调用中eax就是Self).
所有的符号分析由IDR完成,生成map给OD用还是挺方便的.在IDR中可以找到注册按钮事件地址:
; TFormUserRegister.Button_ActivateClick (IDR symbol UnitUserRegister_TFormUserRegister_Button_ActivateClick).
; Fragment: the listing stops at 005D0F74 (the success path), which part two of the page resumes.
; Delphi register convention: eax = Self, kept at [ebp-0xF4]. Field offsets used below: +0x390 (the control
; whose text is handed to regkeyValidate -- presumably the key edit box), +0x394 (a control owning a TGIFImage,
; toggled as a busy indicator), +0x3A8 (the control that receives the error text -- presumably a status label).
005D0DB8 > . 55 push ebp ; UnitUserRegister_TFormUserRegister_Button_ActivateClick
005D0DB9 . 8BEC mov ebp,esp
005D0DBB . B9 39000000 mov ecx,0x39 ; Delphi prologue: zero-fill the locals
005D0DC0 > 6A 00 push 0x0
005D0DC2 . 6A 00 push 0x0
005D0DC4 . 49 dec ecx
005D0DC5 .^ 75 F9 jnz short Protecte.005D0DC0
005D0DC7 . 53 push ebx
005D0DC8 . 56 push esi
005D0DC9 . 57 push edi
005D0DCA . 8985 0CFFFFFF mov dword ptr ss:[ebp-0xF4],eax ; Self
005D0DD0 . 8D85 10FFFFFF lea eax,dword ptr ss:[ebp-0xF0]
005D0DD6 . 8B15 D0C34500 mov edx,dword ptr ds:[0x45C3D0] ; Protecte.0045C3D4
005D0DDC . E8 8363E3FF call <Protecte.System_@InitializeRecord>
005D0DE1 . 33C0 xor eax,eax
005D0DE3 . 55 push ebp
005D0DE4 . 68 DB1C5D00 push Protecte.005D1CDB ; try/finally handler
005D0DE9 . 64:FF30 push dword ptr fs:[eax]
005D0DEC . 64:8920 mov dword ptr fs:[eax],esp ; install the SEH frame
005D0DEF . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0DF5 . 8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0DFB . 33D2 xor edx,edx
005D0DFD . E8 6AF2F0FF call <Protecte.TControl_SetVisible> ; hide the status control
005D0E02 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E08 . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0E0E . 33D2 xor edx,edx
005D0E10 . 8B08 mov ecx,dword ptr ds:[eax]
005D0E12 . FF51 64 call dword ptr ds:[ecx+0x64] ; virtual call on the key control with edx=0
005D0E15 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E1B . 8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E21 . 8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0E27 . 8B40 0C mov eax,dword ptr ds:[eax+0xC]
005D0E2A . BA 58020000 mov edx,0x258
005D0E2F . E8 00CCFFFF call <Protecte.TGIFImage_SetAnimationSpeed>
005D0E34 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E3A . 8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E40 . B2 01 mov dl,0x1
005D0E42 . E8 25F2F0FF call <Protecte.TControl_SetVisible> ; show the busy indicator
005D0E47 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E4D . 8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0E53 . 8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0E59 . 8B40 0C mov eax,dword ptr ds:[eax+0xC]
005D0E5C . B2 01 mov dl,0x1
005D0E5E . E8 ADCBFFFF call <Protecte.GIFImg_TGIFImage_SetAnimate>
005D0E63 . A1 54075F00 mov eax,dword ptr ds:[0x5F0754]
005D0E68 . 8B00 mov eax,dword ptr ds:[eax]
005D0E6A . E8 BD0CF3FF call <Protecte.Forms_TApplication_ProcessMes> ; let the UI repaint
005D0E6F . 8D95 00FFFFFF lea edx,dword ptr ss:[ebp-0x100]
005D0E75 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0E7B . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0E81 . E8 9EF2F0FF call <Protecte.TControl_GetText> //IDR's labelling is good: this reads the key text into [ebp-0x100]
005D0E86 . 8B95 00FFFFFF mov edx,dword ptr ss:[ebp-0x100] ; edx = key text
005D0E8C . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4] ; eax = Self
005D0E92 . E8 39180000 call <Protecte.regkeyValidate> //the key call: local self-consistency check, analysed below (name assigned by the author)
005D0E97 . 84C0 test al,al
005D0E99 . 0F85 D5000000 jnz Protecte.005D0F74 //al = 0 falls straight through into the error path below
005D0E9F . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EA5 . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0EAB . B2 01 mov dl,0x1
005D0EAD . 8B08 mov ecx,dword ptr ds:[eax]
005D0EAF . FF51 64 call dword ptr ds:[ecx+0x64] ; same virtual call as at 005D0E12, now with dl=1
005D0EB2 . A1 54075F00 mov eax,dword ptr ds:[0x5F0754]
005D0EB7 . 8B00 mov eax,dword ptr ds:[eax]
005D0EB9 . E8 6E0CF3FF call <Protecte.Forms_TApplication_ProcessMes>
005D0EBE . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EC4 . 8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0ECA . 33D2 xor edx,edx
005D0ECC . E8 9BF1F0FF call <Protecte.TControl_SetVisible> ; hide the busy indicator
005D0ED1 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0ED7 . 8B80 94030000 mov eax,dword ptr ds:[eax+0x394]
005D0EDD . 8B80 A8010000 mov eax,dword ptr ds:[eax+0x1A8]
005D0EE3 . 8B40 0C mov eax,dword ptr ds:[eax+0xC]
005D0EE6 . 33D2 xor edx,edx
005D0EE8 . E8 23CBFFFF call <Protecte.GIFImg_TGIFImage_SetAnimate>
005D0EED . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0EF3 . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0EF9 . BA E08A8A00 mov edx,0x8A8AE0
005D0EFE . E8 D9F3F0FF call <Protecte.TControl_SetColor> ; recolour the key control to flag the error
005D0F03 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F09 . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F0F . E8 C43BEDFF call <Protecte.StdCtrls_TCustomEdit_SelectAl>
005D0F14 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F1A . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F20 . 8B10 mov edx,dword ptr ds:[eax]
005D0F22 . FF92 D8000000 call dword ptr ds:[edx+0xD8]
005D0F28 . 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104]
005D0F2E . 50 push eax
005D0F2F . A1 84055F00 mov eax,dword ptr ds:[0x5F0584]
005D0F34 . 8B00 mov eax,dword ptr ds:[eax]
005D0F36 . B9 F81C5D00 mov ecx,<Protecte.aInvalidLicense> ; UNICODE "Invalid license code!Please retry."
005D0F3B . BA 4C1D5D00 mov edx,<Protecte.aInvalic> ; UNICODE "invaLic" -- this message string makes the failure path trivial to find by string search
005D0F40 . E8 CBC6FBFF call <Protecte.PLabelNote_sub_0058D610>
005D0F45 . 8B95 FCFEFFFF mov edx,dword ptr ss:[ebp-0x104]
005D0F4B . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F51 . 8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0F57 . E8 00F2F0FF call <Protecte.Controls_TControl_SetText> ; put the error text on the status control
005D0F5C . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F62 . 8B80 A8030000 mov eax,dword ptr ds:[eax+0x3A8]
005D0F68 . B2 01 mov dl,0x1
005D0F6A . E8 FDF0F0FF call <Protecte.TControl_SetVisible>
005D0F6F . E9 200D0000 jmp Protecte.005D1C94 ; common exit
005D0F74 > 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4] ; success path -- continued in part two
进入关键call 005D0E92 call <Protecte.regkeyValidate> 分析:
; regkeyValidate (author's name for 005D26D0): local licence-key self-consistency check.
; In:  eax = Self (never read in this body), edx = UnicodeString key as typed by the user.
; Out: al = 1 if the key passes, else 0 (tracked in bl, copied to eax at 005D2F1B).
; Accepts, after UpperCase / 'O'->'0' / 'L'->'1' / space removal: 23 chars with '-' at char indices 5, 11, 17;
; then with the dashes removed (K, 20 chars) only 0-9/A-F, and
;   MD5(K[0..3])         == MD5( upper(MD5hex(K[9..12])).right4 )
;   MD5(MD5hex(K[4..8])) == MD5( MD5hex( upper(MD5hex(K[13..17])).left5 ) )
; Security note: no secret enters this function; every constraint is computable from the key itself,
; so it only rejects typos -- real enforcement has to come from the network check that follows it.
005D26D0 >/$ 55 push ebp ; regkeyValidate
005D26D1 |. 8BEC mov ebp,esp
005D26D3 |. B9 22000000 mov ecx,0x22 ; Delphi prologue: zero-fill the locals
005D26D8 |> 6A 00 /push 0x0
005D26DA |. 6A 00 |push 0x0
005D26DC |. 49 |dec ecx
005D26DD |.^ 75 F9 \jnz short Protecte.005D26D8
005D26DF |. 51 push ecx
005D26E0 |. 53 push ebx
005D26E1 |. 8955 FC mov [local.1],edx ; local.1 = key (reused as the working string throughout)
005D26E4 |. 8B45 FC mov eax,[local.1]
005D26E7 |. E8 E83FE3FF call <Protecte.j_System_@LStrAddRef>
005D26EC |. 33C0 xor eax,eax
005D26EE |. 55 push ebp
005D26EF |. 68 112F5D00 push Protecte.005D2F11 ; try/finally handler
005D26F4 |. 64:FF30 push dword ptr fs:[eax]
005D26F7 |. 64:8920 mov dword ptr fs:[eax],esp
005D26FA |. 33DB xor ebx,ebx ; result := False
005D26FC |. 8D55 E8 lea edx,[local.6]
005D26FF |. 8B45 FC mov eax,[local.1]
005D2702 |. E8 BDA4E8FF call <Protecte._Unit13_UpperCase> //upper-case the key, so a-f/o/l are folded before the replacements below
005D2707 |. 8B55 E8 mov edx,[local.6]
005D270A |. 8D45 FC lea eax,[local.1]
005D270D |. E8 2E40E3FF call <Protecte.@UStrLAsg> //@UStrLAsg and friends are compiler-generated managed-string assignments
005D2712 |. 0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24] ; StringReplace flags byte (value not shown in the dump)
005D2719 |. 50 push eax
005D271A |. 8D45 E4 lea eax,[local.7]
005D271D |. 50 push eax
005D271E |. B9 342F5D00 mov ecx,<Protecte.char_0>
005D2723 |. BA 442F5D00 mov edx,<Protecte.char_O>//replacement pair: edx = old 'O', ecx = new '0' (labels are the author's)
005D2728 |. 8B45 FC mov eax,[local.1]
005D272B |. E8 0C3FE9FF call <Protecte.StringReplace> //StringReplace(key, 'O', '0', flags)
005D2730 |. 8B55 E4 mov edx,[local.7]
005D2733 |. 8D45 FC lea eax,[local.1]
005D2736 |. E8 0540E3FF call <Protecte.@UStrLAsg>
005D273B |. 0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2742 |. 50 push eax
005D2743 |. 8D45 E0 lea eax,[local.8]
005D2746 |. 50 push eax
005D2747 |. B9 542F5D00 mov ecx,<Protecte.char_1>
005D274C |. BA 642F5D00 mov edx,<Protecte.char_L>
005D2751 |. 8B45 FC mov eax,[local.1]
005D2754 |. E8 E33EE9FF call <Protecte.StringReplace>//StringReplace(key, 'L', '1', flags)
005D2759 |. 8B55 E0 mov edx,[local.8]
005D275C |. 8D45 FC lea eax,[local.1]
005D275F |. E8 DC3FE3FF call <Protecte.@UStrLAsg>
005D2764 |. 0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D276B |. 50 push eax
005D276C |. 8D45 DC lea eax,[local.9]
005D276F |. 50 push eax
005D2770 |. 33C9 xor ecx,ecx ; ecx = nil: replacement is the empty string
005D2772 |. BA 742F5D00 mov edx,<Protecte.char_space>
005D2777 |. 8B45 FC mov eax,[local.1]
005D277A |. E8 BD3EE9FF call <Protecte.StringReplace>//strip spaces
005D277F |. 8B55 DC mov edx,[local.9]
005D2782 |. 8D45 FC lea eax,[local.1]
005D2785 |. E8 B63FE3FF call <Protecte.@UStrLAsg>
005D278A |. 0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2791 |. 50 push eax
005D2792 |. 8D45 D8 lea eax,[local.10]
005D2795 |. 50 push eax
005D2796 |. 33C9 xor ecx,ecx
005D2798 |. BA 842F5D00 mov edx,<Protecte.wchar_0>
005D279D |. 8B45 FC mov eax,[local.1]
005D27A0 |. E8 973EE9FF call <Protecte.StringReplace> //strip the character at author-labelled wchar_0 (the author judged this a no-op; not verified here)
005D27A5 |. 8B55 D8 mov edx,[local.10]
005D27A8 |. 8D45 FC lea eax,[local.1]
005D27AB |. E8 903FE3FF call <Protecte.@UStrLAsg>
005D27B0 |. 8B45 FC mov eax,[local.1]
005D27B3 |. 85C0 test eax,eax
005D27B5 |. 74 16 je short Protecte.005D27CD
005D27B7 |. 8BD0 mov edx,eax
005D27B9 |. 83EA 0A sub edx,0xA
005D27BC |. 66:833A 02 cmp word ptr ds:[edx],0x2 ; string header elemSize == 2 -> already UnicodeString
005D27C0 |. 74 0B je short Protecte.005D27CD
005D27C2 |. 8D45 FC lea eax,[local.1]
005D27C5 |. 8B55 FC mov edx,[local.1]
005D27C8 |. E8 C331E3FF call <Protecte.System_@InternalUStrFromLStr> ; otherwise widen from AnsiString
005D27CD |> 85C0 test eax,eax
005D27CF |. 74 05 je short Protecte.005D27D6
005D27D1 |. 83E8 04 sub eax,0x4
005D27D4 |. 8B00 mov eax,dword ptr ds:[eax] ; eax = Length(key) from the header
005D27D6 |> 83F8 17 cmp eax,0x17 //Length must be 23 (20 hex digits + 3 dashes)
005D27D9 |. 0F85 23060000 jnz Protecte.005D2E02 //else go to the common exit; bl is still 0, so the result is False
005D27DF |. 8B45 FC mov eax,[local.1]
005D27E2 |. 85C0 test eax,eax
005D27E4 |. 74 16 je short Protecte.005D27FC
005D27E6 |. 8BD0 mov edx,eax
005D27E8 |. 83EA 0A sub edx,0xA
005D27EB |. 66:833A 02 cmp word ptr ds:[edx],0x2 //these odd-looking compares read the string header's element-size field: 2 = UnicodeString, else convert from AnsiString
005D27EF |. 74 0B je short Protecte.005D27FC
005D27F1 |. 8D45 FC lea eax,[local.1]
005D27F4 |. 8B55 FC mov edx,[local.1]
005D27F7 |. E8 9431E3FF call <Protecte.System_@InternalUStrFromLStr>
005D27FC |> 66:8378 0A 2D cmp word ptr ds:[eax+0xA],0x2D //UTF-16 byte offset 0xA = char index 5 (the 6th character) must be '-'
005D2801 |. 74 04 je short Protecte.005D2807
005D2803 |. B0 01 mov al,0x1 ; al = 1 marks failure
005D2805 |. EB 25 jmp short Protecte.005D282C
005D2807 |> 8B45 FC mov eax,[local.1]
005D280A |. 85C0 test eax,eax
005D280C |. 74 16 je short Protecte.005D2824
005D280E |. 8BD0 mov edx,eax
005D2810 |. 83EA 0A sub edx,0xA
005D2813 |. 66:833A 02 cmp word ptr ds:[edx],0x2
005D2817 |. 74 0B je short Protecte.005D2824
005D2819 |. 8D45 FC lea eax,[local.1]
005D281C |. 8B55 FC mov edx,[local.1]
005D281F |. E8 6C31E3FF call <Protecte.System_@InternalUStrFromLStr>
005D2824 |> 66:8378 16 2D cmp word ptr ds:[eax+0x16],0x2D //offset 0x16 = char index 11 (the 12th character) must be '-'
005D2829 |. 0F95C0 setne al
005D282C |> 84C0 test al,al
005D282E |. 74 04 je short Protecte.005D2834
005D2830 |. B0 01 mov al,0x1
005D2832 |. EB 25 jmp short Protecte.005D2859
005D2834 |> 8B45 FC mov eax,[local.1]
005D2837 |. 85C0 test eax,eax
005D2839 |. 74 16 je short Protecte.005D2851
005D283B |. 8BD0 mov edx,eax
005D283D |. 83EA 0A sub edx,0xA
005D2840 |. 66:833A 02 cmp word ptr ds:[edx],0x2
005D2844 |. 74 0B je short Protecte.005D2851
005D2846 |. 8D45 FC lea eax,[local.1]
005D2849 |. 8B55 FC mov edx,[local.1]
005D284C |. E8 3F31E3FF call <Protecte.System_@InternalUStrFromLStr>
005D2851 |> 66:8378 22 2D cmp word ptr ds:[eax+0x22],0x2D //offset 0x22 = char index 17 (the 18th character) must be '-'
005D2856 |. 0F95C0 setne al
005D2859 |> 84C0 test al,al
005D285B |. 0F85 A1050000 jnz Protecte.005D2E02 ; any dash out of place -> fail
005D2861 |. 0FB605 242F5D>movzx eax,byte ptr ds:[0x5D2F24]
005D2868 |. 50 push eax
005D2869 |. 8D45 D4 lea eax,[local.11]
005D286C |. 50 push eax
005D286D |. 33C9 xor ecx,ecx
005D286F |. BA 942F5D00 mov edx,<Protecte.char_2D>
005D2874 |. 8B45 FC mov eax,[local.1]
005D2877 |. E8 C03DE9FF call <Protecte.StringReplace> //strip all '-' -> K
005D287C |. 8B55 D4 mov edx,[local.11]
005D287F |. 8D45 FC lea eax,[local.1]
005D2882 |. E8 B93EE3FF call <Protecte.@UStrLAsg>
005D2887 |. 8B45 FC mov eax,[local.1]
005D288A |. 85C0 test eax,eax
005D288C |. 74 16 je short Protecte.005D28A4
005D288E |. 8BD0 mov edx,eax
005D2890 |. 83EA 0A sub edx,0xA
005D2893 |. 66:833A 02 cmp word ptr ds:[edx],0x2
005D2897 |. 74 0B je short Protecte.005D28A4
005D2899 |. 8D45 FC lea eax,[local.1]
005D289C |. 8B55 FC mov edx,[local.1]
005D289F |. E8 EC30E3FF call <Protecte.System_@InternalUStrFromLStr>
005D28A4 |> 85C0 test eax,eax
005D28A6 |. 74 05 je short Protecte.005D28AD
005D28A8 |. 83E8 04 sub eax,0x4
005D28AB |. 8B00 mov eax,dword ptr ds:[eax]
005D28AD |> 83F8 14 cmp eax,0x14 //20 characters must remain after stripping the dashes
005D28B0 |. 0F85 4C050000 jnz Protecte.005D2E02
005D28B6 |. B8 01000000 mov eax,0x1 ; i = 1 (Delphi strings are 1-based)
005D28BB |> 8B55 FC /mov edx,[local.1]
005D28BE |. 0FB75442 FE |movzx edx,word ptr ds:[edx+eax*2-0x2] ; c = K[i]
005D28C3 |. 83C2 D0 |add edx,-0x30
005D28C6 |. 66:83EA 0A |sub dx,0xA
005D28CA |. 72 0D |jb short Protecte.005D28D9 ; c - '0' < 10 -> digit, ok
005D28CC |. 83C2 F9 |add edx,-0x7
005D28CF |. 66:83EA 06 |sub dx,0x6
005D28D3 |. 0F83 29050000 |jnb Protecte.005D2E02 //c - 'A' >= 6 -> not A..F -> fail
005D28D9 |> 40 |inc eax //loop i = 1..20: each char must be 0-9 or A-F
005D28DA |. 83F8 15 |cmp eax,0x15 //i.e. strict hex (lower-case was already folded by UpperCase above)
005D28DD |.^ 75 DC \jnz short Protecte.005D28BB
005D28DF |. 8D45 CC lea eax,[local.13]
005D28E2 |. 8B55 FC mov edx,[local.1]
005D28E5 |. E8 7E40E3FF call <Protecte.System_@WStrFromUStr> ; LeftStr/RightStr here operate on WideString copies
005D28EA |. 8B45 CC mov eax,[local.13]
005D28ED |. 8D4D D0 lea ecx,[local.12]
005D28F0 |. BA 04000000 mov edx,0x4
005D28F5 |. E8 7A89E8FF call <Protecte._Unit13_LeftStr> //local.5 = K[0..3]
005D28FA |. 8B55 D0 mov edx,[local.12]
005D28FD |. 8D45 EC lea eax,[local.5]
005D2900 |. E8 4F40E3FF call <Protecte.System_@UStrFromWStr>
005D2905 |. 8D45 C4 lea eax,[local.15]
005D2908 |. 8B55 FC mov edx,[local.1]
005D290B |. E8 5840E3FF call <Protecte.System_@WStrFromUStr>
005D2910 |. 8B45 C4 mov eax,[local.15]
005D2913 |. 8D4D C8 lea ecx,[local.14]
005D2916 |. BA 10000000 mov edx,0x10
005D291B |. E8 7089E8FF call <Protecte.RightStr> //local.1 = K[4..19]
005D2920 |. 8B55 C8 mov edx,[local.14]
005D2923 |. 8D45 FC lea eax,[local.1]
005D2926 |. E8 2940E3FF call <Protecte.System_@UStrFromWStr>
005D292B |. 8D45 BC lea eax,[local.17]
005D292E |. 8B55 FC mov edx,[local.1]
005D2931 |. E8 3240E3FF call <Protecte.System_@WStrFromUStr>
005D2936 |. 8B45 BC mov eax,[local.17]
005D2939 |. 8D4D C0 lea ecx,[local.16]
005D293C |. BA 05000000 mov edx,0x5
005D2941 |. E8 2E89E8FF call <Protecte._Unit13_LeftStr>//local.4 = K[4..8]
005D2946 |. 8B55 C0 mov edx,[local.16]
005D2949 |. 8D45 F0 lea eax,[local.4]
005D294C |. E8 0340E3FF call <Protecte.System_@UStrFromWStr>
005D2951 |. 8D45 B4 lea eax,[local.19]
005D2954 |. 8B55 FC mov edx,[local.1]
005D2957 |. E8 0C40E3FF call <Protecte.System_@WStrFromUStr>
005D295C |. 8B45 B4 mov eax,[local.19]
005D295F |. 8D4D B8 lea ecx,[local.18]
005D2962 |. BA 0B000000 mov edx,0xB
005D2967 |. E8 2489E8FF call <Protecte.RightStr> //local.1 = K[9..19]
005D296C |. 8B55 B8 mov edx,[local.18]
005D296F |. 8D45 FC lea eax,[local.1]
005D2972 |. E8 DD3FE3FF call <Protecte.System_@UStrFromWStr>
005D2977 |. 8D45 AC lea eax,[local.21]
005D297A |. 8B55 FC mov edx,[local.1]
005D297D |. E8 E63FE3FF call <Protecte.System_@WStrFromUStr>
005D2982 |. 8B45 AC mov eax,[local.21]
005D2985 |. 8D4D B0 lea ecx,[local.20]
005D2988 |. BA 04000000 mov edx,0x4
005D298D |. E8 E288E8FF call <Protecte._Unit13_LeftStr>//local.2 = K[9..12]
005D2992 |. 8B55 B0 mov edx,[local.20]
005D2995 |. 8D45 F8 lea eax,[local.2]
005D2998 |. E8 B73FE3FF call <Protecte.System_@UStrFromWStr>
005D299D |. 8D45 A4 lea eax,[local.23]
005D29A0 |. 8B55 FC mov edx,[local.1]
005D29A3 |. E8 C03FE3FF call <Protecte.System_@WStrFromUStr>
005D29A8 |. 8B45 A4 mov eax,[local.23]
005D29AB |. 8D4D A8 lea ecx,[local.22]
005D29AE |. BA 07000000 mov edx,0x7
005D29B3 |. E8 D888E8FF call <Protecte.RightStr>//local.1 = K[13..19]
005D29B8 |. 8B55 A8 mov edx,[local.22]
005D29BB |. 8D45 FC lea eax,[local.1]
005D29BE |. E8 913FE3FF call <Protecte.System_@UStrFromWStr>
005D29C3 |. 8D45 9C lea eax,[local.25]
005D29C6 |. 8B55 FC mov edx,[local.1]
005D29C9 |. E8 9A3FE3FF call <Protecte.System_@WStrFromUStr>
005D29CE |. 8B45 9C mov eax,[local.25]
005D29D1 |. 8D4D A0 lea ecx,[local.24]
005D29D4 |. BA 05000000 mov edx,0x5
005D29D9 |. E8 9688E8FF call <Protecte._Unit13_LeftStr>//local.3 = K[13..17]
005D29DE |. 8B55 A0 mov edx,[local.24]
005D29E1 |. 8D45 F4 lea eax,[local.3]
005D29E4 |. E8 6B3FE3FF call <Protecte.System_@UStrFromWStr>
005D29E9 |. 8D45 94 lea eax,[local.27]
005D29EC |. 8B55 FC mov edx,[local.1]
005D29EF |. E8 743FE3FF call <Protecte.System_@WStrFromUStr>
005D29F4 |. 8B45 94 mov eax,[local.27]
005D29F7 |. 8D4D 98 lea ecx,[local.26]
005D29FA |. BA 02000000 mov edx,0x2
005D29FF |. E8 8C88E8FF call <Protecte.RightStr>//local.1 = K[18..19] (never hashed; only re-concatenated below)
005D2A04 |. 8B55 98 mov edx,[local.26]
005D2A07 |. 8D45 FC lea eax,[local.1]
005D2A0A |. E8 453FE3FF call <Protecte.System_@UStrFromWStr>
005D2A0F |. 8D85 7CFFFFFF lea eax,[local.33]
005D2A15 |. 8B55 EC mov edx,[local.5]
005D2A18 |. B9 00000000 mov ecx,0x0
005D2A1D |. E8 0E3FE3FF call <Protecte.System_@LStrFromUStr>
005D2A22 |. 8B85 7CFFFFFF mov eax,[local.33] //K[0..3] as AnsiString
005D2A28 |. 8D55 80 lea edx,[local.32]
005D2A2B |. E8 A8B6FCFF call <Protecte.calcMD5> //MD5(K[0..3]) (the author identified calcMD5 by hand; a crypto-signature scanner would have flagged it at once)
005D2A30 |. 8D45 80 lea eax,[local.32]
005D2A33 |. 8D55 90 lea edx,[local.28]
005D2A36 |. E8 35B7FCFF call <Protecte.MD5Hex2Ustr>//digest -> hex string
005D2A3B |. 8B45 90 mov eax,[local.28]
005D2A3E |. 50 push eax ; keep MD5hex(K[0..3]) for the compare at 005D2ADF
005D2A3F |. 8D85 60FFFFFF lea eax,[local.40]
005D2A45 |. 8B55 F8 mov edx,[local.2]
005D2A48 |. B9 00000000 mov ecx,0x0
005D2A4D |. E8 DE3EE3FF call <Protecte.System_@LStrFromUStr>
005D2A52 |. 8B85 60FFFFFF mov eax,[local.40]
005D2A58 |. 8D55 80 lea edx,[local.32]
005D2A5B |. E8 78B6FCFF call <Protecte.calcMD5> //MD5(K[9..12])
005D2A60 |. 8D45 80 lea eax,[local.32]
005D2A63 |. 8D95 64FFFFFF lea edx,[local.39]
005D2A69 |. E8 02B7FCFF call <Protecte.MD5Hex2Ustr>
005D2A6E |. 8B85 64FFFFFF mov eax,[local.39]
005D2A74 |. 8D95 68FFFFFF lea edx,[local.38]
005D2A7A |. E8 45A1E8FF call <Protecte._Unit13_UpperCase> ; upper-case the hex string
005D2A7F |. 8B95 68FFFFFF mov edx,[local.38]
005D2A85 |. 8D85 6CFFFFFF lea eax,[local.37]
005D2A8B |. E8 D83EE3FF call <Protecte.System_@WStrFromUStr>
005D2A90 |. 8B85 6CFFFFFF mov eax,[local.37]
005D2A96 |. 8D8D 70FFFFFF lea ecx,[local.36]
005D2A9C |. BA 04000000 mov edx,0x4
005D2AA1 |. E8 EA87E8FF call <Protecte.RightStr> ; right 4 of upper(MD5hex(K[9..12]))
005D2AA6 |. 8B95 70FFFFFF mov edx,[local.36]
005D2AAC |. 8D85 74FFFFFF lea eax,[local.35]
005D2AB2 |. B9 00000000 mov ecx,0x0
005D2AB7 |. E8 5C30E3FF call <Protecte.System_@LStrFromWStr>
005D2ABC |. 8B85 74FFFFFF mov eax,[local.35]
005D2AC2 |. 8D55 80 lea edx,[local.32]
005D2AC5 |. E8 0EB6FCFF call <Protecte.calcMD5>//MD5( upper(MD5hex(K[9..12])).right4 )
005D2ACA |. 8D45 80 lea eax,[local.32]
005D2ACD |. 8D95 78FFFFFF lea edx,[local.34]
005D2AD3 |. E8 98B6FCFF call <Protecte.MD5Hex2Ustr>
005D2AD8 |. 8B95 78FFFFFF mov edx,[local.34]
005D2ADE |. 58 pop eax
005D2ADF |. E8 1443E3FF call <Protecte.j_@UStrCmp>//first check: key[0-3]_md5 == key[9-12]_md5_r4_md5
005D2AE4 |. 0F85 18030000 jnz Protecte.005D2E02
005D2AEA |. FF75 EC push [local.5]
005D2AED |. FF75 F0 push [local.4]
005D2AF0 |. FF75 F8 push [local.2]
005D2AF3 |. FF75 F4 push [local.3]
005D2AF6 |. FF75 FC push [local.1]
005D2AF9 |. 8D45 FC lea eax,[local.1]
005D2AFC |. BA 05000000 mov edx,0x5
005D2B01 |. E8 4A41E3FF call <Protecte.System_@UStrCatN> ; re-join the five fragments into local.1 (operand order per @UStrCatN's convention, not verified here)
005D2B06 |. B8 01000000 mov eax,0x1
005D2B0B |> 8B55 FC /mov edx,[local.1]
005D2B0E |. 0FB75442 FE |movzx edx,word ptr ds:[edx+eax*2-0x2]
005D2B13 |. 83C2 D0 |add edx,-0x30
005D2B16 |. 66:83EA 0A |sub dx,0xA
005D2B1A |. 72 0D |jb short Protecte.005D2B29
005D2B1C |. 83C2 F9 |add edx,-0x7
005D2B1F |. 66:83EA 09 |sub dx,0x9 ; note 9, not 6 as in the first loop
005D2B23 |. 0F83 D9020000 |jnb Protecte.005D2E02
005D2B29 |> 40 |inc eax
005D2B2A |. 83F8 15 |cmp eax,0x15 //same shape as the loop above, but sub dx,9 lets A..I through; moot, every char already passed the A..F check
005D2B2D |.^ 75 DC \jnz short Protecte.005D2B0B
005D2B2F |. 8D85 58FFFFFF lea eax,[local.42]
005D2B35 |. 8B55 FC mov edx,[local.1]
005D2B38 |. E8 2B3EE3FF call <Protecte.System_@WStrFromUStr>
005D2B3D |. 8B85 58FFFFFF mov eax,[local.42]
005D2B43 |. 8D8D 5CFFFFFF lea ecx,[local.41]
005D2B49 |. BA 04000000 mov edx,0x4
005D2B4E |. E8 2187E8FF call <Protecte._Unit13_LeftStr> //re-split exactly as before: local.5 = K[0..3]
005D2B53 |. 8B95 5CFFFFFF mov edx,[local.41]
005D2B59 |. 8D45 EC lea eax,[local.5]
005D2B5C |. E8 F33DE3FF call <Protecte.System_@UStrFromWStr>
005D2B61 |. 8D85 50FFFFFF lea eax,[local.44]
005D2B67 |. 8B55 FC mov edx,[local.1]
005D2B6A |. E8 F93DE3FF call <Protecte.System_@WStrFromUStr>
005D2B6F |. 8B85 50FFFFFF mov eax,[local.44]
005D2B75 |. 8D8D 54FFFFFF lea ecx,[local.43]
005D2B7B |. BA 10000000 mov edx,0x10
005D2B80 |. E8 0B87E8FF call <Protecte.RightStr> //local.1 = K[4..19]
005D2B85 |. 8B95 54FFFFFF mov edx,[local.43]
005D2B8B |. 8D45 FC lea eax,[local.1]
005D2B8E |. E8 C13DE3FF call <Protecte.System_@UStrFromWStr>
005D2B93 |. 8D85 48FFFFFF lea eax,[local.46]
005D2B99 |. 8B55 FC mov edx,[local.1]
005D2B9C |. E8 C73DE3FF call <Protecte.System_@WStrFromUStr>
005D2BA1 |. 8B85 48FFFFFF mov eax,[local.46]
005D2BA7 |. 8D8D 4CFFFFFF lea ecx,[local.45]
005D2BAD |. BA 05000000 mov edx,0x5
005D2BB2 |. E8 BD86E8FF call <Protecte._Unit13_LeftStr> //local.4 = K[4..8]
005D2BB7 |. 8B95 4CFFFFFF mov edx,[local.45]
005D2BBD |. 8D45 F0 lea eax,[local.4]
005D2BC0 |. E8 8F3DE3FF call <Protecte.System_@UStrFromWStr>
005D2BC5 |. 8D85 40FFFFFF lea eax,[local.48]
005D2BCB |. 8B55 FC mov edx,[local.1]
005D2BCE |. E8 953DE3FF call <Protecte.System_@WStrFromUStr>
005D2BD3 |. 8B85 40FFFFFF mov eax,[local.48]
005D2BD9 |. 8D8D 44FFFFFF lea ecx,[local.47]
005D2BDF |. BA 0B000000 mov edx,0xB
005D2BE4 |. E8 A786E8FF call <Protecte.RightStr> //local.1 = K[9..19]
005D2BE9 |. 8B95 44FFFFFF mov edx,[local.47]
005D2BEF |. 8D45 FC lea eax,[local.1]
005D2BF2 |. E8 5D3DE3FF call <Protecte.System_@UStrFromWStr>
005D2BF7 |. 8D85 38FFFFFF lea eax,[local.50]
005D2BFD |. 8B55 FC mov edx,[local.1]
005D2C00 |. E8 633DE3FF call <Protecte.System_@WStrFromUStr>
005D2C05 |. 8B85 38FFFFFF mov eax,[local.50]
005D2C0B |. 8D8D 3CFFFFFF lea ecx,[local.49]
005D2C11 |. BA 04000000 mov edx,0x4
005D2C16 |. E8 5986E8FF call <Protecte._Unit13_LeftStr> //local.2 = K[9..12]
005D2C1B |. 8B95 3CFFFFFF mov edx,[local.49]
005D2C21 |. 8D45 F8 lea eax,[local.2]
005D2C24 |. E8 2B3DE3FF call <Protecte.System_@UStrFromWStr>
005D2C29 |. 8D85 30FFFFFF lea eax,[local.52]
005D2C2F |. 8B55 FC mov edx,[local.1]
005D2C32 |. E8 313DE3FF call <Protecte.System_@WStrFromUStr>
005D2C37 |. 8B85 30FFFFFF mov eax,[local.52]
005D2C3D |. 8D8D 34FFFFFF lea ecx,[local.51]
005D2C43 |. BA 07000000 mov edx,0x7
005D2C48 |. E8 4386E8FF call <Protecte.RightStr> //local.1 = K[13..19]
005D2C4D |. 8B95 34FFFFFF mov edx,[local.51]
005D2C53 |. 8D45 FC lea eax,[local.1]
005D2C56 |. E8 F93CE3FF call <Protecte.System_@UStrFromWStr>
005D2C5B |. 8D85 28FFFFFF lea eax,[local.54]
005D2C61 |. 8B55 FC mov edx,[local.1]
005D2C64 |. E8 FF3CE3FF call <Protecte.System_@WStrFromUStr>
005D2C69 |. 8B85 28FFFFFF mov eax,[local.54]
005D2C6F |. 8D8D 2CFFFFFF lea ecx,[local.53]
005D2C75 |. BA 05000000 mov edx,0x5
005D2C7A |. E8 F585E8FF call <Protecte._Unit13_LeftStr>//local.3 = K[13..17]
005D2C7F |. 8B95 2CFFFFFF mov edx,[local.53]
005D2C85 |. 8D45 F4 lea eax,[local.3]
005D2C88 |. E8 C73CE3FF call <Protecte.System_@UStrFromWStr>
005D2C8D |. 8D85 20FFFFFF lea eax,[local.56]
005D2C93 |. 8B55 FC mov edx,[local.1]
005D2C96 |. E8 CD3CE3FF call <Protecte.System_@WStrFromUStr>
005D2C9B |. 8B85 20FFFFFF mov eax,[local.56]
005D2CA1 |. 8D8D 24FFFFFF lea ecx,[local.55]
005D2CA7 |. BA 02000000 mov edx,0x2
005D2CAC |. E8 DF85E8FF call <Protecte.RightStr> //local.1 = K[18..19]
005D2CB1 |. 8B95 24FFFFFF mov edx,[local.55]
005D2CB7 |. 8D45 FC lea eax,[local.1]
005D2CBA |. E8 953CE3FF call <Protecte.System_@UStrFromWStr>
005D2CBF |. 8D85 10FFFFFF lea eax,[local.60]
005D2CC5 |. 8B55 F0 mov edx,[local.4]
005D2CC8 |. B9 00000000 mov ecx,0x0
005D2CCD |. E8 5E3CE3FF call <Protecte.System_@LStrFromUStr>
005D2CD2 |. 8B85 10FFFFFF mov eax,[local.60]
005D2CD8 |. 8D55 80 lea edx,[local.32]
005D2CDB |. E8 F8B3FCFF call <Protecte.calcMD5> //MD5(K[4..8])
005D2CE0 |. 8D45 80 lea eax,[local.32]
005D2CE3 |. 8D95 14FFFFFF lea edx,[local.59]
005D2CE9 |. E8 82B4FCFF call <Protecte.MD5Hex2Ustr>
005D2CEE |. 8B95 14FFFFFF mov edx,[local.59]
005D2CF4 |. 8D85 18FFFFFF lea eax,[local.58]
005D2CFA |. B9 00000000 mov ecx,0x0
005D2CFF |. E8 2C3CE3FF call <Protecte.System_@LStrFromUStr>
005D2D04 |. 8B85 18FFFFFF mov eax,[local.58]
005D2D0A |. 8D55 80 lea edx,[local.32]
005D2D0D |. E8 C6B3FCFF call <Protecte.calcMD5>//MD5( MD5hex(K[4..8]) ) -- the hex string is hashed again
005D2D12 |. 8D45 80 lea eax,[local.32]
005D2D15 |. 8D95 1CFFFFFF lea edx,[local.57]
005D2D1B |. E8 50B4FCFF call <Protecte.MD5Hex2Ustr>
005D2D20 |. 8B85 1CFFFFFF mov eax,[local.57]
005D2D26 |. 50 push eax ; keep it for the compare at 005D2DF9
005D2D27 |. 8D85 ECFEFFFF lea eax,[local.69]
005D2D2D |. 8B55 F4 mov edx,[local.3]
005D2D30 |. B9 00000000 mov ecx,0x0
005D2D35 |. E8 F63BE3FF call <Protecte.System_@LStrFromUStr>
005D2D3A |. 8B85 ECFEFFFF mov eax,[local.69]
005D2D40 |. 8D55 80 lea edx,[local.32]
005D2D43 |. E8 90B3FCFF call <Protecte.calcMD5> //MD5(K[13..17])
005D2D48 |. 8D45 80 lea eax,[local.32]
005D2D4B |. 8D95 F0FEFFFF lea edx,[local.68]
005D2D51 |. E8 1AB4FCFF call <Protecte.MD5Hex2Ustr>
005D2D56 |. 8B85 F0FEFFFF mov eax,[local.68]
005D2D5C |. 8D95 F4FEFFFF lea edx,[local.67]
005D2D62 |. E8 5D9EE8FF call <Protecte._Unit13_UpperCase> ; upper-case the hex string
005D2D67 |. 8B95 F4FEFFFF mov edx,[local.67]
005D2D6D |. 8D85 F8FEFFFF lea eax,[local.66]
005D2D73 |. E8 F03BE3FF call <Protecte.System_@WStrFromUStr>
005D2D78 |. 8B85 F8FEFFFF mov eax,[local.66]
005D2D7E |. 8D8D FCFEFFFF lea ecx,[local.65]
005D2D84 |. BA 05000000 mov edx,0x5
005D2D89 |. E8 E684E8FF call <Protecte._Unit13_LeftStr>//left 5 of upper(MD5hex(K[13..17]))
005D2D8E |. 8B95 FCFEFFFF mov edx,[local.65]
005D2D94 |. 8D85 00FFFFFF lea eax,[local.64]
005D2D9A |. B9 00000000 mov ecx,0x0
005D2D9F |. E8 742DE3FF call <Protecte.System_@LStrFromWStr>
005D2DA4 |. 8B85 00FFFFFF mov eax,[local.64]
005D2DAA |. 8D55 80 lea edx,[local.32]
005D2DAD |. E8 26B3FCFF call <Protecte.calcMD5>//MD5( upper(MD5hex(K[13..17])).left5 )
005D2DB2 |. 8D45 80 lea eax,[local.32]
005D2DB5 |. 8D95 04FFFFFF lea edx,[local.63]
005D2DBB |. E8 B0B3FCFF call <Protecte.MD5Hex2Ustr>
005D2DC0 |. 8B95 04FFFFFF mov edx,[local.63]
005D2DC6 |. 8D85 08FFFFFF lea eax,[local.62]
005D2DCC |. B9 00000000 mov ecx,0x0
005D2DD1 |. E8 5A3BE3FF call <Protecte.System_@LStrFromUStr>
005D2DD6 |. 8B85 08FFFFFF mov eax,[local.62]
005D2DDC |. 8D55 80 lea edx,[local.32]
005D2DDF |. E8 F4B2FCFF call <Protecte.calcMD5> //MD5( MD5hex( upper(MD5hex(K[13..17])).left5 ) )
005D2DE4 |. 8D45 80 lea eax,[local.32] //i.e. key[13-17]_MD5_L5_MD5_MD5
005D2DE7 |. 8D95 0CFFFFFF lea edx,[local.61]
005D2DED |. E8 7EB3FCFF call <Protecte.MD5Hex2Ustr>
005D2DF2 |. 8B95 0CFFFFFF mov edx,[local.61]
005D2DF8 |. 58 pop eax
005D2DF9 |. E8 FA3FE3FF call <Protecte.j_@UStrCmp>//second check: key[4-8]_MD5_MD5 == key[13-17]_MD5_L5_MD5_MD5
005D2DFE |. 75 02 jnz short Protecte.005D2E02
005D2E00 |. B3 01 mov bl,0x1 ; only the success path sets the result
005D2E02 |> 33C0 xor eax,eax //common exit: this xor is the try/finally unwind (fs:[0] restore), not the result -- bl already holds it (0 on every failure jump here)
005D2E04 |. 5A pop edx
005D2E05 |. 59 pop ecx
005D2E06 |. 59 pop ecx
005D2E07 |. 64:8910 mov dword ptr fs:[eax],edx ; restore the previous SEH frame
005D2E0A |. 68 1B2F5D00 push Protecte.005D2F1B ; return address for the finally block
005D2E0F |> 8D85 ECFEFFFF lea eax,[local.69] ; finally: release every managed-string local
005D2E15 |. E8 8A29E3FF call <Protecte.System_@LStrClr>
005D2E1A |. 8D85 F0FEFFFF lea eax,[local.68]
005D2E20 |. BA 02000000 mov edx,0x2
005D2E25 |. E8 BA38E3FF call <Protecte.j_@LStrArrayClr>
005D2E2A |. 8D85 F8FEFFFF lea eax,[local.66]
005D2E30 |. BA 02000000 mov edx,0x2
005D2E35 |. E8 6A34E3FF call <Protecte.System_@WStrArrayClr>
005D2E3A |. 8D85 00FFFFFF lea eax,[local.64]
005D2E40 |. E8 5F29E3FF call <Protecte.System_@LStrClr>
005D2E45 |. 8D85 04FFFFFF lea eax,[local.63]
005D2E4B |. E8 8C38E3FF call <Protecte.j_System_@LStrClr>
005D2E50 |. 8D85 08FFFFFF lea eax,[local.62]
005D2E56 |. E8 4929E3FF call <Protecte.System_@LStrClr>
005D2E5B |. 8D85 0CFFFFFF lea eax,[local.61]
005D2E61 |. E8 7638E3FF call <Protecte.j_System_@LStrClr>
005D2E66 |. 8D85 10FFFFFF lea eax,[local.60]
005D2E6C |. E8 3329E3FF call <Protecte.System_@LStrClr>
005D2E71 |. 8D85 14FFFFFF lea eax,[local.59]
005D2E77 |. E8 6038E3FF call <Protecte.j_System_@LStrClr>
005D2E7C |. 8D85 18FFFFFF lea eax,[local.58]
005D2E82 |. E8 1D29E3FF call <Protecte.System_@LStrClr>
005D2E87 |. 8D85 1CFFFFFF lea eax,[local.57]
005D2E8D |. E8 4A38E3FF call <Protecte.j_System_@LStrClr>
005D2E92 |. 8D85 20FFFFFF lea eax,[local.56]
005D2E98 |. BA 10000000 mov edx,0x10
005D2E9D |. E8 0234E3FF call <Protecte.System_@WStrArrayClr>
005D2EA2 |. 8D85 60FFFFFF lea eax,[local.40]
005D2EA8 |. E8 F728E3FF call <Protecte.System_@LStrClr>
005D2EAD |. 8D85 64FFFFFF lea eax,[local.39]
005D2EB3 |. BA 02000000 mov edx,0x2
005D2EB8 |. E8 2738E3FF call <Protecte.j_@LStrArrayClr>
005D2EBD |. 8D85 6CFFFFFF lea eax,[local.37]
005D2EC3 |. BA 02000000 mov edx,0x2
005D2EC8 |. E8 D733E3FF call <Protecte.System_@WStrArrayClr>
005D2ECD |. 8D85 74FFFFFF lea eax,[local.35]
005D2ED3 |. E8 CC28E3FF call <Protecte.System_@LStrClr>
005D2ED8 |. 8D85 78FFFFFF lea eax,[local.34]
005D2EDE |. E8 F937E3FF call <Protecte.j_System_@LStrClr>
005D2EE3 |. 8D85 7CFFFFFF lea eax,[local.33]
005D2EE9 |. E8 B628E3FF call <Protecte.System_@LStrClr>
005D2EEE |. 8D45 90 lea eax,[local.28]
005D2EF1 |. E8 E637E3FF call <Protecte.j_System_@LStrClr>
005D2EF6 |. 8D45 94 lea eax,[local.27]
005D2EF9 |. BA 10000000 mov edx,0x10
005D2EFE |. E8 A133E3FF call <Protecte.System_@WStrArrayClr>
005D2F03 |. 8D45 D4 lea eax,[local.11]
005D2F06 |. BA 0B000000 mov edx,0xB
005D2F0B |. E8 D437E3FF call <Protecte.j_@LStrArrayClr>
005D2F10 \. C3 retn ; returns to 005D2F1B (pushed at 005D2E0A)
005D2F11 .^ E9 B21EE3FF jmp <Protecte.@HandleFinally> ; exception path into the same finally block
005D2F16 .^ E9 F4FEFFFF jmp Protecte.005D2E0F
005D2F1B . 8BC3 mov eax,ebx //result (bl) -> al
005D2F1D . 5B pop ebx
005D2F1E . 8BE5 mov esp,ebp
005D2F20 . 5D pop ebp
005D2F21 . C3 retn
综合以上分析,可以知道,对注册码的要求是:去掉空格后共23个字符,0起始下标5、11、17处(即第6、12、18个字符,对应反汇编中UTF-16字节偏移0xA/0x16/0x22)必须是"-";去掉"-"后剩20个字符,范围:0-9,A-F(不分大小写,O/L会先被替换成0/1).并且
key[0-3]_md5 == key[9-12]_md5_r4_md5
key[4-8]_MD5_MD5 == key[13-17]_MD5_L5_MD5_MD5
(_r4/_L5 指把MD5十六进制串转大写后取右4位/左5位.)只要不考虑MD5碰撞,这等价于 key[0-3]=key[9-12]_md5_r4, key[4-8]=key[13-17]_MD5_L5.
需要注意:整个本地校验没有任何密钥参与,所有约束都能从注册码自身算出,任何人都能生成通过本地校验的码;它只能拦截输错的情况,真正的授权判断只能依赖后面的网络验证.
这个本地注册算法就很简单了,我写了C++版的供参考:
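class KeyMaker
{
public:
    // Generates keys that pass KeyChecker (and therefore the target's local check).
    // keyset: alphabet the random fragments are drawn from. The default deliberately contains
    // 'l' and 'o', which KeyChecker::prepare() folds to '1' and '0' exactly as the target does,
    // so they act as decoys without breaking the 0-9/A-F requirement. Any other non-hex
    // character in keyset would make the generated key fail the check.
    KeyMaker(const char* keyset = "0123456789abcdeflo")
        : keyset_(keyset),
          generator_(std::random_device{}()),
          distribution_(0, keyset_.empty() ? 0 : static_cast<int>(keyset_.length()) - 1)
    {
        // The engine is seeded once here. The previous version re-seeded from system_clock on
        // every call (two calls within one clock tick returned the same key) and leaked the
        // heap-allocated engine and distribution.
    }
    ~KeyMaker() = default;

    // Returns one decorated key "XXXXX-XXXXX-XXXXX-XXXXX" (lower-case), or "" if keyset is empty.
    // Safe to call repeatedly: every call starts from empty fragments.
    std::string operator()()
    {
        if (keyset_.empty())
            return std::string();
        makeKey();
        return rawkey_;
    }

private:
    // Layout of the 20 raw characters: key_[0](4) key_[1](5) key_[2](4) key_[3](5) key_[4](2).
    // key_[2], key_[3], key_[4] are random; key_[0] and key_[1] are derived so that
    //   key_[0] == right4(MD5hex(upper(prepare(key_[2]))))
    //   key_[1] == left5(MD5hex(upper(prepare(key_[3]))))
    // which is what regkeyValidate compares (after one more MD5 on each side).
    void makeKey()
    {
        randomKey();
        // Hash the fragments in the normalised form the validator will see. rawkey_ was built
        // from the raw text before this, so any 'l'/'o' decoys survive into the emitted key.
        kcer.prepare(key_[2]);
        kcer.prepare(key_[3]);
        kcer.upperStr(key_[2]);
        key_[0] = hasher(key_[2].c_str(), "md5");
        key_[0] = key_[0].substr(key_[0].length() - 4, 4);
        kcer.upperStr(key_[3]);
        key_[1] = hasher(key_[3].c_str(), "md5");
        key_[1] = key_[1].substr(0, 5);
        rawkey_.insert(0, key_[1]);
        rawkey_.insert(0, key_[0]);
        kcer.lowerStr(rawkey_);
        decorate();
    }

    char randomC()
    {
        return keyset_[static_cast<size_t>(distribution_(generator_))];
    }

    // Fills key_[2..4] with fresh random characters and rawkey_ with their concatenation.
    void randomKey()
    {
        for (std::string& part : key_)
            part.clear();                 // the previous version appended across calls and produced oversized keys
        for (int i = 0; i < 4; ++i)
            key_[2] += randomC();
        for (int i = 0; i < 5; ++i)
            key_[3] += randomC();
        key_[4] += randomC();
        key_[4] += randomC();
        rawkey_ = key_[2] + key_[3] + key_[4];
    }

    // Inserts '-' after every group of five, i.e. at 0-based 5, 11, 17 for a 20-char key --
    // the positions regkeyValidate checks. Stepping by 6 accounts for the dash just inserted.
    void decorate()
    {
        for (size_t pos = 5; pos < rawkey_.length(); pos += 6)
            rawkey_.insert(pos, 1, '-');
    }

private:
    std::string keyset_;
    std::string key_[5];
    std::string rawkey_;
    std::mt19937 generator_;                          // declared after keyset_: the initialiser list reads keyset_
    std::uniform_int_distribution<int> distribution_;
    HASH hasher;                                       // MD5 helper; the author did not publish this class
    KeyChecker kcer;                                   // supplies the target's normalisation rules
};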
我也还原了一下软件的算法,写成一个类:
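class KeyChecker
{
public:
    // Re-implementation of the target's local key check (regkeyValidate, 005D26D0). A key passes when,
    // after folding case, mapping O->0 and L->1 and dropping spaces, it is 23 chars with '-' at 0-based
    // 5, 11, 17, the remaining 20 chars K are hex digits, and
    //   MD5(K[0..3])         == MD5( upper(MD5hex(K[9..12])).right4 )
    //   MD5(MD5hex(K[4..8])) == MD5( MD5hex( upper(MD5hex(K[13..17])).left5 ) )
    // No secret takes part: every constraint is derivable from the key itself, so this only filters
    // typos; actual licence enforcement is the network step that follows it in the binary.
    KeyChecker() = default;
    ~KeyChecker() = default;

    // In-place ASCII upper-casing. The unsigned char cast keeps toupper() well-defined for bytes >= 0x80.
    void upperStr(std::string& str)
    {
        for (char& c : str)
            c = static_cast<char>(toupper(static_cast<unsigned char>(c)));
    }

    // In-place ASCII lower-casing (same cast rationale as upperStr).
    void lowerStr(std::string& str)
    {
        for (char& c : str)
            c = static_cast<char>(tolower(static_cast<unsigned char>(c)));
    }

    // Returns true iff kstr passes the same structural and hash checks as the target. A null pointer
    // is treated as the empty string. Unlike the previous version, malformed input returns false
    // instead of throwing std::out_of_range from substr(), and over-long input is rejected rather
    // than having its tail silently ignored.
    bool operator()(const char* kstr)
    {
        std::string edata(kstr ? kstr : "");
        normalise(edata);
        // The target checks the decorated form first: Length = 23 and '-' at char indices 5, 11, 17
        // (the listing compares UTF-16 byte offsets 0xA, 0x16, 0x22).
        if (edata.length() != 23 || edata[5] != '-' || edata[11] != '-' || edata[17] != '-')
            return false;
        replaceKc(edata, "-", "");
        // Then 20 chars must remain, each 0-9/A-F (0-9/a-f here because normalise() lower-cases).
        if (edata.length() != 20 || !isHexDigits(edata))
            return false;
        key[0] = edata.substr(0, 4);
        key[1] = edata.substr(4, 5);
        key[2] = edata.substr(9, 4);
        key[3] = edata.substr(13, 5);
        makeK1();
        makeK2();
        makeK3();
        makeK4();
        printKeys();
        return key[0] == key[2] && key[1] == key[3];
    }

    // Canonical form used for hashing: lower-case, 'o'->'0', 'l'->'1', no '-' and no spaces.
    // (The binary upper-cases instead; case is re-applied before each hash, so the outcome is the same.)
    // Public because KeyMaker runs it over the random fragments it generates.
    void prepare(std::string& str)
    {
        normalise(str);
        replaceKc(str, "-", "");
    }

private:
    // Everything prepare() does except removing '-'; operator() needs the dashes for the position check.
    void normalise(std::string& str)
    {
        lowerStr(str);
        replaceKc(str, "o", "0");
        replaceKc(str, "l", "1");
        replaceKc(str, " ", "");
    }

    static bool isHexDigits(const std::string& str)
    {
        for (unsigned char c : str)
            if (!isxdigit(c))
                return false;
        return true;
    }

    // Replace every occurrence of oldpat with newpat. The search resumes after each replacement, so a
    // newpat containing oldpat cannot loop forever, and an empty oldpat is a no-op (the previous
    // version restarted from index 0 each time and would spin on either).
    static void replaceKc(std::string& str, const std::string& oldpat, const std::string& newpat)
    {
        if (oldpat.empty())
            return;
        for (size_t pos = str.find(oldpat); pos != std::string::npos; pos = str.find(oldpat, pos + newpat.length()))
            str.replace(pos, oldpat.length(), newpat);
    }

    // key[0] -> MD5hex(upper(K[0..3]))
    void makeK1()
    {
        upperStr(key[0]);
        key[0] = hashfunc(key[0].c_str(), "md5");
    }

    // key[1] -> MD5hex(MD5hex(upper(K[4..8])))
    void makeK2()
    {
        upperStr(key[1]);
        key[1] = hashfunc(key[1].c_str(), "md5");
        key[1] = hashfunc(key[1].c_str(), "md5");
    }

    // key[2] -> MD5hex( right4( upper(MD5hex(upper(K[9..12]))) ) )
    void makeK3()
    {
        upperStr(key[2]);
        key[2] = hashfunc(key[2].c_str(), "md5");
        key[2] = key[2].substr(key[2].length() - 4, 4);
        upperStr(key[2]);
        key[2] = hashfunc(key[2].c_str(), "md5");
    }

    // key[3] -> MD5hex( MD5hex( left5( upper(MD5hex(upper(K[13..17]))) ) ) )
    void makeK4()
    {
        upperStr(key[3]);
        key[3] = hashfunc(key[3].c_str(), "md5");
        key[3] = key[3].substr(0, 5);
        upperStr(key[3]);
        key[3] = hashfunc(key[3].c_str(), "md5");
        key[3] = hashfunc(key[3].c_str(), "md5");
    }

    // Debug trace of the two comparisons, kept from the original; drop it for silent use.
    void printKeys()
    {
        printf("%s == %s &&\n%s == %s\n", key[0].c_str(), key[2].c_str(), key[1].c_str(), key[3].c_str());
    }

private:
    HASH hashfunc;          // MD5 helper; the author did not publish this class
    std::string key[4];
};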
至此,第一部分本地算法验证部分就分析完了.
第二部分:网络验证的过程逻辑分析.
从 call <Protecte.regkeyValidate> 出来后本地验证正确的话:
005D0E92 . E8 39180000 call <Protecte.regkeyValidate>
005D0E97 . 84C0 test al,al
005D0E99 . 0F85 D5000000 jnz Protecte.005D0F74 //本地验证正确会跳转
005D0E9F . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
...............................
跳到这里:
005D0F74 > \8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0F7A . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0F80 . BA FFFFFF00 mov edx,0xFFFFFF
005D0F85 . E8 52F3F0FF call <Protecte.TControl_SetColor>
005D0F8A . 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-0xDC]
005D0F90 . BA 681D5D00 mov edx,<Protecte.aMmDdYyyyHhMm_2> ; UNICODE "mm/dd/yyyy hh:mm:ss"
005D0F95 . E8 A657E3FF call <Protecte.@UStrLAsg>
005D0F9A . 66:C785 18FFF>mov word ptr ss:[ebp-0xE8],0x2F
005D0FA3 . 66:C785 1AFFF>mov word ptr ss:[ebp-0xE6],0x3A
005D0FAC . 8D55 F8 lea edx,dword ptr ss:[ebp-0x8]
005D0FAF . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D0FB5 . 8B80 90030000 mov eax,dword ptr ds:[eax+0x390]
005D0FBB . E8 64F1F0FF call <Protecte.TControl_GetText>
005D0FC0 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
005D0FC6 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
005D0FC9 . E8 F6BBE8FF call <Protecte._Unit13_UpperCase>
005D0FCE . 8B95 F8FEFFFF mov edx,dword ptr ss:[ebp-0x108]
005D0FD4 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005D0FD7 . E8 6457E3FF call <Protecte.@UStrLAsg>
005D0FDC . 0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D0FE3 . 50 push eax
005D0FE4 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-0x10C]
005D0FEA . 50 push eax
005D0FEB . B9 A01D5D00 mov ecx,<Protecte.char_0_>
005D0FF0 . BA B01D5D00 mov edx,<Protecte.char_O_>
005D0FF5 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
005D0FF8 . E8 3F56E9FF call <Protecte.StringReplace> //O用0替换
005D0FFD . 8B95 F4FEFFFF mov edx,dword ptr ss:[ebp-0x10C]
005D1003 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005D1006 . E8 3557E3FF call <Protecte.@UStrLAsg>
005D100B . 0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D1012 . 50 push eax
005D1013 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-0x110]
005D1019 . 50 push eax
005D101A . B9 C01D5D00 mov ecx,<Protecte.char_1_>
005D101F . BA D01D5D00 mov edx,<Protecte.char_L_>
005D1024 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
005D1027 . E8 1056E9FF call <Protecte.StringReplace>//L用1替换
005D102C . 8B95 F0FEFFFF mov edx,dword ptr ss:[ebp-0x110]
005D1032 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005D1035 . E8 0657E3FF call <Protecte.@UStrLAsg>
005D103A . 0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D1041 . 50 push eax
005D1042 . 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
005D1048 . 50 push eax
005D1049 . 33C9 xor ecx,ecx
005D104B . BA E01D5D00 mov edx,<Protecte.char_space_>
005D1050 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
005D1053 . E8 E455E9FF call <Protecte.StringReplace> //清除空格
005D1058 . 8B95 ECFEFFFF mov edx,dword ptr ss:[ebp-0x114]
005D105E . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005D1061 . E8 DA56E3FF call <Protecte.@UStrLAsg>
005D1066 . 0FB605 901D5D>movzx eax,byte ptr ds:[0x5D1D90]
005D106D . 50 push eax
005D106E . 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-0x118]
005D1074 . 50 push eax
005D1075 . 33C9 xor ecx,ecx
005D1077 . BA F01D5D00 mov edx,<Protecte.wchar_0_>
005D107C . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
005D107F . E8 B855E9FF call <Protecte.StringReplace>
005D1084 . 8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118]
005D108A . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005D108D . E8 AE56E3FF call <Protecte.@UStrLAsg>
005D1092 . B8 CC965F00 mov eax,Protecte.005F96CC
005D1097 . 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
005D109A . E8 4D56E3FF call <Protecte.@UStrAsg>
005D109F . B8 D0965F00 mov eax,Protecte.005F96D0
005D10A4 . BA 001E5D00 mov edx,<Protecte.aNA> ; UNICODE "N/A"
005D10A9 . E8 3E56E3FF call <Protecte.@UStrAsg>
005D10AE . B8 D4965F00 mov eax,Protecte.005F96D4
005D10B3 . 33D2 xor edx,edx
005D10B5 . E8 3256E3FF call <Protecte.@UStrAsg>
005D10BA . B8 DC965F00 mov eax,Protecte.005F96DC
005D10BF . BA 001E5D00 mov edx,<Protecte.aNA> ; UNICODE "N/A"
005D10C4 . E8 2356E3FF call <Protecte.@UStrAsg>
005D10C9 . B8 E0965F00 mov eax,Protecte.005F96E0
005D10CE . BA C01D5D00 mov edx,<Protecte.char_1_>
005D10D3 . E8 1456E3FF call <Protecte.@UStrAsg>
005D10D8 . C605 E4965F00>mov byte ptr ds:[0x5F96E4],0x0
005D10DF . C605 D8965F00>mov byte ptr ds:[0x5F96D8],0x0
005D10E6 . E8 F1FEE8FF call <Protecte.Now> //获取时间
005D10EB . 83C4 F8 add esp,-0x8 ; /
005D10EE . DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
005D10F1 . 9B wait ; |
005D10F2 . 8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-0x11C] ; |
005D10F8 . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-0xF0] ; |
005D10FE . B8 681D5D00 mov eax,<Protecte.aMmDdYyyyHhMm_2> ; |UNICODE "mm/dd/yyyy hh:mm:ss"
005D1103 . E8 7019E9FF call <Protecte.formatTime> ; \formatTime
005D1108 . 8B95 E4FEFFFF mov edx,dword ptr ss:[ebp-0x11C]
005D110E . B8 E8965F00 mov eax,Protecte.005F96E8
005D1113 . E8 D455E3FF call <Protecte.@UStrAsg>
005D1118 . B8 EC965F00 mov eax,Protecte.005F96EC
005D111D . 33D2 xor edx,edx
005D111F . E8 C855E3FF call <Protecte.@UStrAsg>
005D1124 . A1 54075F00 mov eax,dword ptr ds:[0x5F0754]
005D1129 . 8B00 mov eax,dword ptr ds:[eax]
005D112B . E8 FC09F3FF call <Protecte.Forms_TApplication_ProcessMes>
005D1130 . 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-0x120]
005D1136 . E8 75ECFFFF call <Protecte.getCPUIDStr> //这里有点意思,经过分析是获取CPUID的部分数据
005D113B . 8B85 E0FEFFFF mov eax,dword ptr ss:[ebp-0x120]
005D1141 . 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
005D1144 . E8 6FC0E8FF call <Protecte._Unit13_Trim>
005D1149 . 8D85 DCFEFFFF lea eax,dword ptr ss:[ebp-0x124]
005D114F . E8 4CF4FCFF call <Protecte.ZLIBArchiveGlobals2_sub_005A0>
005D1154 . 8B85 DCFEFFFF mov eax,dword ptr ss:[ebp-0x124]
005D115A . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
005D115D . E8 56C0E8FF call <Protecte._Unit13_Trim>
005D1162 . 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
005D1166 . 75 0D jnz short Protecte.005D1175
005D1168 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
005D116B . BA 141E5D00 mov edx,<Protecte.aNone_0> ; UNICODE "None"
005D1170 . E8 CB55E3FF call <Protecte.@UStrLAsg>
005D1175 > 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
005D1179 . 75 0D jnz short Protecte.005D1188
005D117B . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
005D117E . BA 141E5D00 mov edx,<Protecte.aNone_0> ; UNICODE "None"
005D1183 . E8 B855E3FF call <Protecte.@UStrLAsg>
005D1188 > 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
005D118B . 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
005D118E . BA 2C1E5D00 mov edx,<Protecte.aCode_0> ; UNICODE "Code="
005D1193 . E8 E859E3FF call <Protecte.System_@UStrCat3>
005D1198 . FF75 F4 push dword ptr ss:[ebp-0xC]
005D119B . 68 441E5D00 push <Protecte.CPU> ; UNICODE "&CPU="
005D11A0 . FF75 F0 push dword ptr ss:[ebp-0x10]
005D11A3 . 68 5C1E5D00 push <Protecte.DISK> ; UNICODE "&Disk=" //想知道这是怎么来的吗?
005D11A8 . FF75 EC push dword ptr ss:[ebp-0x14]
005D11AB . 68 781E5D00 push <Protecte.Ver> ; UNICODE "&Ver=100"
005D11B0 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
005D11B3 . BA 06000000 mov edx,0x6
005D11B8 . E8 935AE3FF call <Protecte.System_@UStrCatN>
005D11BD . B2 01 mov dl,0x1
005D11BF . A1 88424700 mov eax,dword ptr ds:[0x474288]
005D11C4 . E8 6F90EAFF call <Protecte.Classes_TStringList_Create>
005D11C9 . 8985 08FFFFFF mov dword ptr ss:[ebp-0xF8],eax
005D11CF . 8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
005D11D2 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D11D8 . E8 436FEAFF call <Protecte.Classes_TStrings_Append>
上面那个Disk是你硬盘的serialnumber,他是如何来的呢?我简单跟踪一下,发现在
005D114F call <Protecte.ZLIBArchiveGlobals2_sub_005A0>里面,最终追踪到如下:
005A013F . E8 1068E6FF call <Protecte.System_@UStrFromWStr>
005A0144 . 8B55 B4 mov edx,dword ptr ss:[ebp-0x4C]
005A0147 . B8 38045A00 mov eax,Protecte.005A0438 ; UNICODE "SELECT"
005A014C . E8 C76FE6FF call <Protecte.Pos_0>
005A0151 . 48 dec eax
005A0152 . 75 23 jnz short Protecte.005A0177
005A0154 . 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
005A0157 . E8 3488E6FF call <Protecte.System_@IntfClear>
005A015C . 50 push eax
005A015D . 6A 00 push 0x0
005A015F . 6A 10 push 0x10
005A0161 . 68 4C045A00 push Protecte.005A044C ; UNICODE "WQL"
005A0166 . 53 push ebx
005A0167 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
005A016A . 50 push eax
005A016B . 8B00 mov eax,dword ptr ds:[eax]
005A016D . FF50 3C call dword ptr ds:[eax+0x3C]
005A0170 . E8 2B89E6FF call <Protecte.System_@CheckAutoResult>
005A0175 . EB 1C jmp short Protecte.005A0193
哈原来是WQL语言查询的(WMI中的查询语言).windows自带 wbemtest.exe WQL测试工具
通过查询语句SELECT * FROM Win32_PhysicalMedia可以看到一样的结果:
图................
向下继续分析来到:
005D1441 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D1447 . 8B80 98030000 mov eax,dword ptr ds:[eax+0x398]
005D144D . 8B8D 08FFFFFF mov ecx,dword ptr ss:[ebp-0xF8]
005D1453 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
005D1456 . E8 E59AF8FF call <Protecte.IdHTTP_TIdCustomHTTP_Post> //post数据,地址是 http://pf.iobit.com/functions/check.php
005D145B . A1 54075F00 mov eax,dword ptr ds:[0x5F0754]
005D1460 . 8B00 mov eax,dword ptr ds:[eax]
005D1462 . E8 C506F3FF call <Protecte.Forms_TApplication_ProcessMessages>
005D1467 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D146D . 8B10 mov edx,dword ptr ds:[eax]
005D146F . FF52 44 call dword ptr ds:[edx+0x44]
005D1472 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1478 . 50 push eax
005D1479 . 8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-0x14C]
005D147F . 8B85 04FFFFFF mov eax,dword ptr ss:[ebp-0xFC]
005D1485 . E8 7699EAFF call <Protecte.Classes_TStringStream_GetDataString>//获取服务器传回的数据
005D148A . 8B85 B4FEFFFF mov eax,dword ptr ss:[ebp-0x14C]
005D1490 . E8 E352E3FF call <Protecte.System_@UStrToPWChar>
005D1495 . 8BC8 mov ecx,eax
005D1497 . BA 50205D00 mov edx,Protecte.005D2050
005D149C . B8 70205D00 mov eax,<Protecte.char_@>
005D14A1 . E8 BA52EAFF call <Protecte.ExtractStrings>//解压缩服务器数据,其实就是分割,因为服务器传回的数据是XXX&XXX&XXX形式的.
005D14A6 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D14AC . 8B10 mov edx,dword ptr ds:[eax]
005D14AE . FF52 14 call dword ptr ds:[edx+0x14]//这里指针调用的是Classes_TStringList_GetCount,即数据分割后得到的数据项数.
005D14B1 . 85C0 test eax,eax //必须大于一项,不然就是下面的出错提示了
005D14B3 . 75 6A jnz short Protecte.005D151F
005D14B5 . 6A 30 push 0x30
005D14B7 . 8D85 B0FEFFFF lea eax,dword ptr ss:[ebp-0x150]
005D14BD . 50 push eax
005D14BE . A1 84055F00 mov eax,dword ptr ds:[0x5F0584]
005D14C3 . 8B00 mov eax,dword ptr ds:[eax]
005D14C5 . B9 9C205D00 mov ecx,<Protecte.aActiveError> ; UNICODE "Active Error"
005D14CA . BA C4205D00 mov edx,<Protecte.aAcerr> ; UNICODE "acerr"
005D14CF . E8 3CC1FBFF call <Protecte.PLabelNote_sub_0058D610>
005D14D4 . 8B85 B0FEFFFF mov eax,dword ptr ss:[ebp-0x150]
005D14DA . E8 9952E3FF call <Protecte.System_@UStrToPWChar>
005D14DF . 50 push eax
005D14E0 . 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-0x154]
005D14E6 . 50 push eax
005D14E7 . A1 84055F00 mov eax,dword ptr ds:[0x5F0584]
005D14EC . 8B00 mov eax,dword ptr ds:[eax]
005D14EE . B9 DC205D00 mov ecx,<Protecte.aUnknownError> ; UNICODE "Unknown Error!"
005D14F3 . BA 08215D00 mov edx,<Protecte.aUnerr> ; UNICODE "unerr"
005D14F8 . E8 13C1FBFF call <Protecte.PLabelNote_sub_0058D610>
005D14FD . 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-0x154]
005D1503 . E8 7052E3FF call <Protecte.System_@UStrToPWChar>
005D1508 . 50 push eax
005D1509 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D150F . E8 2475F1FF call <Protecte.Controls_TWinControl_GetHandle>
005D1514 . 50 push eax ; |hOwner
005D1515 . E8 E28FE3FF call <Protecte.MessageBoxW> ; \MessageBoxW
005D151A . E9 10060000 jmp Protecte.005D1B2F
005D151F > 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-0x158]//服务器返回的数据项数大于一项会到这里
005D1525 . 33D2 xor edx,edx
005D1527 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D152D . 8B18 mov ebx,dword ptr ds:[eax]
005D152F . FF53 0C call dword ptr ds:[ebx+0xC] //调用的是Classes_TStringList_Get,edx是获取的第几项,这里是第0项
005D1532 . 8B85 A8FEFFFF mov eax,dword ptr ss:[ebp-0x158]
005D1538 . BA A01D5D00 mov edx,<Protecte.char_0_>
005D153D . E8 B658E3FF call <Protecte.j_@UStrCmp> //也就是说,服务器返回数据的第一个是0才是正确的.
005D1542 . 0F85 8D010000 jnz Protecte.005D16D5
005D1548 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D154E . 8B10 mov edx,dword ptr ds:[eax]
005D1550 . FF52 14 call dword ptr ds:[edx+0x14] //调用Classes_TStringList_GetCount,返回数据项数
005D1553 . 83F8 05 cmp eax,0x5 //必须是5项
005D1556 . 0F85 79010000 jnz Protecte.005D16D5
005D155C . B8 CC965F00 mov eax,Protecte.005F96CC
005D1561 . 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
005D1564 . E8 8351E3FF call <Protecte.@UStrAsg>
005D1569 . B8 D0965F00 mov eax,Protecte.005F96D0
005D156E . 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
005D1571 . 8B55 F0 mov edx,dword ptr ss:[ebp-0x10]
005D1574 . E8 0756E3FF call <Protecte.System_@UStrCat3>
005D1579 . B8 D4965F00 mov eax,Protecte.005F96D4
005D157E . BA 20215D00 mov edx,<Protecte.aPro_0> ; UNICODE "Pro"
005D1583 . E8 6451E3FF call <Protecte.@UStrAsg>
005D1588 . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-0x15C]
用wireshark拦截到发到服务器上去的数据:
POST /functions/check.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Host: pf.iobit.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Code=22EAA-B9A86-4AC54-3FAAC&CPU=0003-06C3-BFEB-FBFF-7FFA-FBBF&Disk=J3390084J8V20D&Ver=100
继续往下分析:
005D158E . BA 01000000 mov edx,0x1
005D1593 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1599 . 8B18 mov ebx,dword ptr ds:[eax]
005D159B . FF53 0C call dword ptr ds:[ebx+0xC] //Classes_TStringList_Get,edx是获取的第几项,这里是第1项
005D159E . 8B95 A4FEFFFF mov edx,dword ptr ss:[ebp-0x15C]
005D15A4 . B8 DC965F00 mov eax,Protecte.005F96DC
005D15A9 . E8 3E51E3FF call <Protecte.@UStrAsg>
005D15AE . 8D8D A0FEFFFF lea ecx,dword ptr ss:[ebp-0x160]
005D15B4 . BA 02000000 mov edx,0x2
005D15B9 . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D15BF . 8B18 mov ebx,dword ptr ds:[eax]
005D15C1 . FF53 0C call dword ptr ds:[ebx+0xC]//Classes_TStringList_Get,edx是获取的第几项,这里是第2项
005D15C4 . 8B95 A0FEFFFF mov edx,dword ptr ss:[ebp-0x160]
005D15CA . B8 E0965F00 mov eax,Protecte.005F96E0
005D15CF . E8 1851E3FF call <Protecte.@UStrAsg>
005D15D4 . C605 E4965F00>mov byte ptr ds:[0x5F96E4],0x0
005D15DB . C605 D8965F00>mov byte ptr ds:[0x5F96D8],0x0
005D15E2 . E8 F5F9E8FF call <Protecte.Now>
005D15E7 . 83C4 F8 add esp,-0x8 ; /
005D15EA . DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
005D15ED . 9B wait ; |
005D15EE . 8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-0x164] ; |
005D15F4 . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-0xF0] ; |
005D15FA . B8 681D5D00 mov eax,<Protecte.aMmDdYyyyHhMm_2> ; |UNICODE "mm/dd/yyyy hh:mm:ss"
005D15FF . E8 7414E9FF call <Protecte.formatTime> ; \formatTime
005D1604 . 8B95 9CFEFFFF mov edx,dword ptr ss:[ebp-0x164]
005D160A . B8 E8965F00 mov eax,Protecte.005F96E8
005D160F . E8 D850E3FF call <Protecte.@UStrAsg>
005D1614 . 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-0x168]
005D161A . BA 04000000 mov edx,0x4
005D161F . 8B85 08FFFFFF mov eax,dword ptr ss:[ebp-0xF8]
005D1625 . 8B18 mov ebx,dword ptr ds:[eax]
005D1627 . FF53 0C call dword ptr ds:[ebx+0xC]//Classes_TStringList_Get,edx是获取的第几项,这里是第4项
005D162A . 8B95 98FEFFFF mov edx,dword ptr ss:[ebp-0x168]
005D1630 . B8 EC965F00 mov eax,Protecte.005F96EC
005D1635 . E8 B250E3FF call <Protecte.@UStrAsg>
005D163A . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D1640 . E8 0B2B0000 call <Protecte.makeLicense>//分析得出这是存储服务器返回的数据,它是要验证的,因此很重要.
005D1645 . 6A 01 push 0x1
005D1647 . 6A 00 push 0x0
005D1649 . 68 0C050000 push 0x50C
005D164E . A1 30065F00 mov eax,dword ptr ds:[0x5F0630]
005D1653 . 8B00 mov eax,dword ptr ds:[eax]
005D1655 . E8 DE73F1FF call <Protecte.Controls_TWinControl_GetHandle>
005D165A . 50 push eax ; |hWnd
005D165B . E8 EC8EE3FF call <Protecte.PostMessageW> ; \PostMessageW
005D1660 . 6A 40 push 0x40
005D1662 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
005D1668 . 50 push eax
005D1669 . A1 84055F00 mov eax,dword ptr ds:[0x5F0584]
005D166E . 8B00 mov eax,dword ptr ds:[eax]
005D1670 . B9 34215D00 mov ecx,<Protecte.aActivated> ; UNICODE "Activated"
005D1675 . BA 54215D00 mov edx,<Protecte.aActi> ; UNICODE "acti"
005D167A . E8 91BFFBFF call <Protecte.PLabelNote_sub_0058D610>
005D167F . 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-0x16C]
005D1685 . E8 EE50E3FF call <Protecte.System_@UStrToPWChar>
005D168A . 50 push eax
005D168B . 8D85 90FEFFFF lea eax,dword ptr ss:[ebp-0x170]
005D1691 . 50 push eax
005D1692 . A1 84055F00 mov eax,dword ptr ds:[0x5F0584]
005D1697 . 8B00 mov eax,dword ptr ds:[eax]
005D1699 . B9 6C215D00 mov ecx,<Protecte.aProtectedFol_7> ; UNICODE "Protected Folder PRO activated successfully!"
005D169E . BA D4215D00 mov edx,<Protecte.aSuccess> ; UNICODE "success"
005D16A3 . E8 68BFFBFF call <Protecte.PLabelNote_sub_0058D610>
005D16A8 . 8B85 90FEFFFF mov eax,dword ptr ss:[ebp-0x170]
005D16AE . E8 C550E3FF call <Protecte.System_@UStrToPWChar>
005D16B3 . 50 push eax
005D16B4 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
005D16BA . E8 7973F1FF call <Protecte.Controls_TWinControl_GetHandle>
005D16BF . 50 push eax ; |hOwner
005D16C0 . E8 378EE3FF call <Protecte.MessageBoxW> ; \MessageBoxW到这里就是正确了!
005D16C5 . 8B85 0CFFFFFF mov eax,dword ptr ss:[ebp-0xF4]
我们去服务器返回数据验证存储的call <Protecte.makeLicense>看看:
可以找到关键处理数据的地方:
005D4283 . B9 94445D00 mov ecx,<Protecte.aCode_2> ; UNICODE "Code"
005D4288 . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D428D . 8BC3 mov eax,ebx
005D428F . 8B38 mov edi,dword ptr ds:[eax]
005D4291 . FF57 04 call dword ptr ds:[edi+0x4]
005D4294 . A1 D0965F00 mov eax,dword ptr ds:[0x5F96D0]
005D4299 . 50 push eax
005D429A . B9 C4445D00 mov ecx,<Protecte.aFingerprint_0> ; UNICODE "FingerPrint"
005D429F . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D42A4 . 8BC3 mov eax,ebx
005D42A6 . 8B38 mov edi,dword ptr ds:[eax]
005D42A8 . FF57 04 call dword ptr ds:[edi+0x4]
005D42AB . A1 D4965F00 mov eax,dword ptr ds:[0x5F96D4]
005D42B0 . 50 push eax
005D42B1 . B9 E8445D00 mov ecx,<Protecte.aLicensetype_0> ; UNICODE "LicenseType"
005D42B6 . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D42BB . 8BC3 mov eax,ebx
005D42BD . 8B38 mov edi,dword ptr ds:[eax]
005D42BF . FF57 04 call dword ptr ds:[edi+0x4]
005D42C2 . 0FB605 D8965F>movzx eax,byte ptr ds:[0x5F96D8]
005D42C9 . 50 push eax
005D42CA . B9 0C455D00 mov ecx,<Protecte.aExpried_2> ; UNICODE "Expried"
005D42CF . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D42D4 . 8BC3 mov eax,ebx
005D42D6 . 8B38 mov edi,dword ptr ds:[eax]
005D42D8 . FF57 14 call dword ptr ds:[edi+0x14]
005D42DB . A1 E0965F00 mov eax,dword ptr ds:[0x5F96E0]
005D42E0 . 50 push eax
005D42E1 . B9 28455D00 mov ecx,<Protecte.aSeat_0> ; UNICODE "Seat"
005D42E6 . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D42EB . 8BC3 mov eax,ebx
005D42ED . 8B38 mov edi,dword ptr ds:[eax]
005D42EF . FF57 04 call dword ptr ds:[edi+0x4]
005D42F2 . A1 DC965F00 mov eax,dword ptr ds:[0x5F96DC]
005D42F7 . 50 push eax
005D42F8 . B9 40455D00 mov ecx,<Protecte.aExpdate_0> ; UNICODE "ExpDate"
005D42FD . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D4302 . 8BC3 mov eax,ebx
005D4304 . 8B38 mov edi,dword ptr ds:[eax]
005D4306 . FF57 04 call dword ptr ds:[edi+0x4]
005D4309 . A1 E8965F00 mov eax,dword ptr ds:[0x5F96E8]
005D430E . 50 push eax
005D430F . B9 5C455D00 mov ecx,<Protecte.aLastvalidate_0> ; UNICODE "LastValidate"
005D4314 . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D4319 . 8BC3 mov eax,ebx
005D431B . 8B38 mov edi,dword ptr ds:[eax]
005D431D . FF57 04 call dword ptr ds:[edi+0x4]
005D4320 . 0FB605 E4965F>movzx eax,byte ptr ds:[0x5F96E4]
005D4327 . 50 push eax
005D4328 . B9 84455D00 mov ecx,<Protecte.aOverseat_2> ; UNICODE "OverSeat"
005D432D . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D4332 . 8BC3 mov eax,ebx
005D4334 . 8B38 mov edi,dword ptr ds:[eax]
005D4336 . FF57 14 call dword ptr ds:[edi+0x14]
005D4339 . A1 EC965F00 mov eax,dword ptr ds:[0x5F96EC]
005D433E . 50 push eax
005D433F . B9 A4455D00 mov ecx,<Protecte.aLastserverda_0> ; UNICODE "LastServerDate"
005D4344 . BA AC445D00 mov edx,<Protecte.aMain_2> ; UNICODE "main"
005D4349 . 8BC3 mov eax,ebx
上面是存了几项从服务器返回的数据,自己写个小服务器,
分析得到服务器返回最终的数据表示的含义是:
--------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 09 Jan 2015 13:57:04 GMT
Server: Apache
Content-Length: 2
Connection: keep-alive
0&expiredate&seat&unknown&lastserverdate
---------------------------------------
第四个数据我没分析出来是干嘛用的,可以猜想是校验用的.
基本分析完全了.我写了一个简单的网络注册机,可以完美注册.(使用前要把pf.iobit.com加入host文件)
注册机用了boost的asio库.代码凌乱,源码实在不好意思放出来.提供一个现成的网络注册机下载吧.
系统版本过低可能不兼容.