Mrack
Posted on 2016-8-14 19:07
This post was last edited by Mrack on 2016-8-14 19:18
Reference for the JPG file structure analysis: http://m.blog.csdn.net/article/details?id=50725720
CM source:
http://www.52pojie.cn/thread-524632-1-1.html
@onmiuncai
In the success screenshot the author posted, we can see there is an image.
Extracting it directly with exeinfope shows it is a jpg image file.
However, it cannot be opened; the viewer reports the image is corrupted.
So we look at the image data with C32Asm
and check whether the data of each segment is normal.
SOI             | FFD8
APP0            | FFE000104A46494600010101006000600000
COM             | (no COM segment)
DQT(1)          | FFDB004300080606070605080707070909080A0C140D0C0B00001912130F141D1A1F1E1D1A1C1C20242E2720222C231C1C2837292C30313434341F27393D38323C2E333432
DQT(2)          | FFDB0043010909090C0B0C180D0D1832211C213232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232
SOF0            | FFDA000C03010002100311000001F11B3560
DHT(1)          | FFC4001A000002030101000000000000000000000000010203040506
DHT(2)          | C3A0001801010101010100000000000000000000000001020304
Component count | 03
Y component     | 0100
Cb component    | 0210
Cr component    | 0000
By inspection we can see that
the segment marker and segment type of the DHT(2) segment are wrong, and
the component ID and Huffman table number of the Cr component are missing.
We patch them back in with C32Asm,
and the image now opens normally.
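To make the segment check described above reproducible, here is an added Python example (not code from the original post or from the CM). It walks the JPEG header segments, records the table class/id of every DHT table and the component ids declared in SOF0, and cross-checks each SOS component entry against them, so a broken DHT marker or a zeroed Cr entry is reported instead of a generic "image corrupted". The sample bytes are constructed here; only the APP0 payload is taken from the table above, and the damaged copy mirrors the two defects the post found (a second DHT marker that is not FFC4 and a zeroed Cr entry in SOS).

```python
import struct

# Second byte of the marker pairs this checker understands (constructed subset of ITU T.81)
SEGMENT_MARKERS = {0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT",
                   0xE0: "APP0", 0xFE: "COM", 0xD9: "EOI"}


def walk_segments(data, problems):
    """Yield (offset, marker, payload) for each header segment, stopping after SOS.
    A byte pair that is not a valid marker is appended to `problems`; the walker
    then resynchronises on the next recognisable marker (good enough for headers,
    which contain no entropy-coded data)."""
    if data[:2] != b"\xff\xd8":
        problems.append("missing SOI (FFD8) at offset 0")
        return
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF or data[pos + 1] not in SEGMENT_MARKERS:
            problems.append("expected a segment marker at offset 0x%X, got %02X%02X"
                            % (pos, data[pos], data[pos + 1]))
            nxt = next((i for i in range(pos + 1, len(data) - 1)
                        if data[i] == 0xFF and data[i + 1] in SEGMENT_MARKERS), None)
            if nxt is None:
                return
            pos = nxt
            continue
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI carries no length field
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                      # scan data follows; the header is over
            return


def check_jpeg(data):
    """Return a list of problems found in the JPEG header segments (empty = looks sane)."""
    problems = []
    frame_ids = set()          # component ids declared in SOF0
    huffman_tables = set()     # (class, id) pairs declared by DHT segments
    for off, marker, payload in walk_segments(data, problems):
        if marker == 0xC4:                      # DHT: Tc/Th byte, 16 code counts, symbols (repeated)
            p = 0
            while p + 17 <= len(payload):
                tc, th = payload[p] >> 4, payload[p] & 0x0F
                if tc > 1 or th > 3:
                    problems.append("DHT at offset 0x%X: invalid table class/id byte %02X" % (off, payload[p]))
                huffman_tables.add((tc, th))
                p += 17 + sum(payload[p + 1:p + 17])
        elif marker == 0xC0:                    # SOF0: P, Y(2), X(2), Nf, then Nf x (Ci, HV, Tq)
            for i in range(payload[5]):
                frame_ids.add(payload[6 + 3 * i])
        elif marker == 0xDA:                    # SOS: Ns, then Ns x (Cs, Td/Ta), Ss, Se, Ah/Al
            for i in range(payload[0]):
                cid, sel = payload[1 + 2 * i], payload[2 + 2 * i]
                if cid not in frame_ids:
                    problems.append("SOS at offset 0x%X: component id %d not declared in SOF0" % (off, cid))
                for cls, tid, name in ((0, sel >> 4, "DC"), (1, sel & 0x0F, "AC")):
                    if (cls, tid) not in huffman_tables:
                        problems.append("SOS at offset 0x%X: component %d uses undefined %s Huffman table %d"
                                        % (off, cid, name, tid))
    return problems


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _dht(tc, th, symbols):
    counts = bytes([len(symbols)]) + bytes(15)   # every symbol gets a 1-bit code; enough for parsing
    return _segment(0xC4, bytes([(tc << 4) | th]) + counts + bytes(symbols))


# Constructed sample: minimal baseline header with Y, Cb, Cr. APP0 payload is the one from the post.
APP0 = bytes.fromhex("4A46494600010101006000600000")
GOOD = (b"\xff\xd8"
        + _segment(0xE0, APP0)
        + _segment(0xDB, bytes([0x00]) + bytes([16]) * 64)           # one 8-bit quantisation table
        + _segment(0xC0, bytes([8, 0, 8, 0, 8, 3, 1, 0x22, 0, 2, 0x11, 0, 3, 0x11, 0]))
        + _dht(0, 0, [0]) + _dht(0, 1, [0]) + _dht(1, 0, [0]) + _dht(1, 1, [0])
        + _segment(0xDA, bytes([3, 1, 0x00, 2, 0x10, 3, 0x11, 0, 0x3F, 0]))
        + b"\x00" * 4 + b"\xff\xd9")


def corrupt_like_crackme(data):
    """Constructed damage mirroring the post: the second DHT marker becomes what the
    CM's XOR yields for the wrong key 12345678 ('3'^0x9E, '5'^0xB7), and the Cr entry
    of SOS is zeroed as in the extracted image."""
    buf = bytearray(data)
    second_dht = buf.find(b"\xff\xc4", buf.find(b"\xff\xc4") + 2)
    buf[second_dht:second_dht + 2] = b"\xad\x82"
    sos = buf.find(b"\xff\xda")
    buf[sos + 9:sos + 11] = b"\x00\x00"       # Cr: component id 03 and selectors 11 -> 00 00
    return bytes(buf)


if __name__ == "__main__":
    print("intact :", check_jpeg(GOOD))
    for line in check_jpeg(corrupt_like_crackme(GOOD)):
        print("damaged:", line)
```

The same three defects the post located by hand in C32Asm come out as three findings: the unrecognised marker at the second DHT, a Cb component referencing a DC table that was never defined (it lived in the skipped DHT), and a Cr component whose id 0 matches nothing in SOF0.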
Next, open the CM in OD and analyse how it fills in these fields from the registration code.
In OD, find the byte set of this image and locate where that byte set is used.
There we can see an instruction like
mov ebx,0x406320,
which loads the pointer of the command to be called into ebx and then calls it.
Analysing 00406320 shows that it is the call for the 易语言 (EPL) byte-set replace command.
Set a breakpoint on this CALL and enter 12345678 to test.
00401E83 /$ 55 push ebp
00401E84 |. 8BEC mov ebp,esp
00401E86 |. 81EC 54000000 sub esp,0x54
00401E8C |. C745 FC 00000>mov [local.1],0x0
00401E93 |. C745 F8 00000>mov [local.2],0x0
00401E9A |. C745 F4 00000>mov [local.3],0x0
00401EA1 |. C745 F0 00000>mov [local.4],0x0
00401EA8 |. C745 EC 00000>mov [local.5],0x0
00401EAF |. C745 E8 00000>mov [local.6],0x0
00401EB6 |. C745 E4 00000>mov [local.7],0x0
00401EBD |. 68 01030080 push 0x80000301
00401EC2 |. 6A 00 push 0x0
00401EC4 |. FF75 08 push [arg.1] ; 4th character
00401EC7 |. 68 01030080 push 0x80000301
00401ECC |. 6A 00 push 0x0
00401ECE |. 68 73000000 push 0x73
00401ED3 |. 68 02000000 push 0x2
00401ED8 |. BB E0594000 mov ebx,<CM.位异或>
00401EDD |. E8 B2360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401EE2 |. 83C4 1C add esp,0x1C
00401EE5 |. 8945 FC mov [local.1],eax
00401EE8 |. 68 01030080 push 0x80000301
00401EED |. 6A 00 push 0x0
00401EEF |. FF75 0C push [arg.2] ; 8th character
00401EF2 |. 68 01030080 push 0x80000301
00401EF7 |. 6A 00 push 0x0
00401EF9 |. 68 7B000000 push 0x7B
00401EFE |. 68 02000000 push 0x2
00401F03 |. BB E0594000 mov ebx,<CM.位异或>
00401F08 |. E8 87360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401F0D |. 83C4 1C add esp,0x1C
00401F10 |. 8945 F8 mov [local.2],eax
00401F13 |. 837D 10 38 cmp [arg.3],0x38
00401F17 |. 0F85 27010000 jnz CM.00402044
00401F1D |. 68 01030080 push 0x80000301
00401F22 |. 6A 00 push 0x0
00401F24 |. FF75 FC push [local.1]
00401F27 |. 68 01000000 push 0x1
00401F2C |. BB 505F4000 mov ebx,<CM.到字节>
00401F31 |. E8 5E360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401F36 |. 83C4 10 add esp,0x10
00401F39 |. 68 01010080 push 0x80000101
00401F3E |. 6A 00 push 0x0
00401F40 |. 50 push eax
00401F41 |. 68 01000000 push 0x1
00401F46 |. BB 50604000 mov ebx,<CM.到字节集>
00401F4B |. E8 44360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401F50 |. 83C4 10 add esp,0x10
00401F53 |. 8945 DC mov [local.9],eax
00401F56 |. 68 01030080 push 0x80000301
00401F5B |. 6A 00 push 0x0
00401F5D |. FF75 F8 push [local.2]
00401F60 |. 68 01000000 push 0x1
00401F65 |. BB 505F4000 mov ebx,<CM.到字节>
00401F6A |. E8 25360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401F6F |. 83C4 10 add esp,0x10
00401F72 |. 68 01010080 push 0x80000101
00401F77 |. 6A 00 push 0x0
00401F79 |. 50 push eax
00401F7A |. 68 01000000 push 0x1
00401F7F |. BB 50604000 mov ebx,<CM.到字节集>
00401F84 |. E8 0B360000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401F89 |. 83C4 10 add esp,0x10
00401F8C |. 8945 D4 mov [local.11],eax
00401F8F |. FF75 D4 push [local.11]
00401F92 |. FF75 DC push [local.9]
00401F95 |. B9 02000000 mov ecx,0x2
00401F9A |. E8 E8F3FFFF call <CM.字符连接>
00401F9F |. 83C4 08 add esp,0x8
00401FA2 |. 8945 D0 mov [local.12],eax
00401FA5 |. 8B5D DC mov ebx,[local.9]
00401FA8 |. 85DB test ebx,ebx
00401FAA |. 74 09 je short CM.00401FB5
00401FAC |. 53 push ebx
00401FAD |. E8 DC350000 call CM.0040558E ; jmp 到 <CM.释放变量空间>
00401FB2 |. 83C4 04 add esp,0x4
00401FB5 |> 8B5D D4 mov ebx,[local.11]
00401FB8 |. 85DB test ebx,ebx
00401FBA |. 74 09 je short CM.00401FC5
00401FBC |. 53 push ebx
00401FBD |. E8 CC350000 call CM.0040558E ; jmp 到 <CM.释放变量空间>
00401FC2 |. 83C4 04 add esp,0x4
00401FC5 |> 68 05000080 push 0x80000005
00401FCA |. 6A 00 push 0x0
00401FCC |. 8B45 D0 mov eax,[local.12]
00401FCF |. 85C0 test eax,eax
00401FD1 |. 75 05 jnz short CM.00401FD8
00401FD3 |. B8 19014A00 mov eax,CM.004A0119
00401FD8 |> 50 push eax
00401FD9 |. 68 01030080 push 0x80000301
00401FDE |. 6A 00 push 0x0
00401FE0 |. 68 02000000 push 0x2
00401FE5 |. 68 01030080 push 0x80000301
00401FEA |. 6A 00 push 0x0
00401FEC |. 68 F1000000 push 0xF1
00401FF1 |. 68 05000080 push 0x80000005
00401FF6 |. 6A 00 push 0x0
00401FF8 |. 68 21014A00 push CM.004A0121
00401FFD |. 68 04000000 push 0x4
00402002 |. BB 20634000 mov ebx,<CM.字节集替换>
00402007 |. E8 88350000 call CM.00405594 ; jmp 到 <CM.调用命令>
0040200C |. 83C4 34 add esp,0x34
This code performs a replacement at offset 0xF0 of the image.
The 4th character XOR 0x73 gives the component ID of the Cr component.
The 8th character XOR 0x7B gives the Huffman table number.
XORing 03 and 10 with 0x73 and 0x7B respectively gives the 4th and 8th characters of the registration code:
the 4th is p, the 8th is k.
Press F9 to run again.
00401971 |. 68 01030080 push 0x80000301
00401976 |. 6A 00 push 0x0
00401978 |. 8B5D DC mov ebx,[local.9]
0040197B |. FF33 push dword ptr ds:[ebx] ; 3rd character
0040197D |. 68 01030080 push 0x80000301
00401982 |. 6A 00 push 0x0
00401984 |. 68 9E000000 push 0x9E
00401989 |. 68 02000000 push 0x2
0040198E |. BB E0594000 mov ebx,<CM.位异或>
00401993 |. E8 FC3B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401998 |. 83C4 1C add esp,0x1C
0040199B |. 8945 E4 mov [local.7],eax
0040199E |. 8B5D F0 mov ebx,[local.4]
004019A1 |. E8 C1F9FFFF call <CM.重定义数组>
004019A6 |. B8 04000000 mov eax,0x4
004019AB |. 3BC1 cmp eax,ecx
004019AD |. 7C 0D jl short CM.004019BC
004019AF |. 68 01000000 push 0x1
004019B4 |. E8 ED3B0000 call CM.004055A6 ; jmp 到 <CM.程序异常>
004019B9 |. 83C4 04 add esp,0x4
004019BC |> C1E0 02 shl eax,0x2
004019BF |. 03D8 add ebx,eax
004019C1 |. 895D DC mov [local.9],ebx
004019C4 |. 68 01030080 push 0x80000301
004019C9 |. 6A 00 push 0x0
004019CB |. 8B5D DC mov ebx,[local.9]
004019CE |. FF33 push dword ptr ds:[ebx] ; 5th character
004019D0 |. 68 01030080 push 0x80000301
004019D5 |. 6A 00 push 0x0
004019D7 |. 68 B7000000 push 0xB7
004019DC |. 68 02000000 push 0x2
004019E1 |. BB E0594000 mov ebx,<CM.位异或>
004019E6 |. E8 A93B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
004019EB |. 83C4 1C add esp,0x1C
004019EE |. 8945 E0 mov [local.8],eax
004019F1 |. 68 01030080 push 0x80000301
004019F6 |. 6A 00 push 0x0
004019F8 |. FF75 E4 push [local.7]
004019FB |. 68 01000000 push 0x1
00401A00 |. BB 505F4000 mov ebx,<CM.到字节>
00401A05 |. E8 8A3B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401A0A |. 83C4 10 add esp,0x10
00401A0D |. 68 01010080 push 0x80000101
00401A12 |. 6A 00 push 0x0
00401A14 |. 50 push eax
00401A15 |. 68 01000000 push 0x1
00401A1A |. BB 50604000 mov ebx,<CM.到字节集>
00401A1F |. E8 703B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401A24 |. 83C4 10 add esp,0x10
00401A27 |. 8945 D8 mov [local.10],eax
00401A2A |. 68 01030080 push 0x80000301
00401A2F |. 6A 00 push 0x0
00401A31 |. FF75 E0 push [local.8]
00401A34 |. 68 01000000 push 0x1
00401A39 |. BB 505F4000 mov ebx,<CM.到字节>
00401A3E |. E8 513B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401A43 |. 83C4 10 add esp,0x10
00401A46 |. 68 01010080 push 0x80000101
00401A4B |. 6A 00 push 0x0
00401A4D |. 50 push eax
00401A4E |. 68 01000000 push 0x1
00401A53 |. BB 50604000 mov ebx,<CM.到字节集>
00401A58 |. E8 373B0000 call CM.00405594 ; jmp 到 <CM.调用命令>
00401A5D |. 83C4 10 add esp,0x10
00401A60 |. 8945 D0 mov [local.12],eax
00401A63 |. FF75 D0 push [local.12]
00401A66 |. FF75 D8 push [local.10]
00401A69 |. B9 02000000 mov ecx,0x2
00401A6E |. E8 14F9FFFF call <CM.字符连接>
00401A73 |. 83C4 08 add esp,0x8
00401A76 |. 8945 CC mov [local.13],eax
00401A79 |. 8B5D D8 mov ebx,[local.10]
00401A7C |. 85DB test ebx,ebx
00401A7E |. 74 09 je short CM.00401A89
00401A80 |. 53 push ebx
00401A81 |. E8 083B0000 call CM.0040558E ; jmp 到 <CM.释放变量空间>
00401A86 |. 83C4 04 add esp,0x4
00401A89 |> 8B5D D0 mov ebx,[local.12]
00401A8C |. 85DB test ebx,ebx
00401A8E |. 74 09 je short CM.00401A99
00401A90 |. 53 push ebx
00401A91 |. E8 F83A0000 call CM.0040558E ; jmp 到 <CM.释放变量空间>
00401A96 |. 83C4 04 add esp,0x4
00401A99 |> 68 05000080 push 0x80000005
00401A9E |. 6A 00 push 0x0
00401AA0 |. 8B45 CC mov eax,[local.13]
00401AA3 |. 85C0 test eax,eax
00401AA5 |. 75 05 jnz short CM.00401AAC
00401AA7 |. B8 19014A00 mov eax,CM.004A0119
00401AAC |> 50 push eax
00401AAD |. 68 01030080 push 0x80000301
00401AB2 |. 6A 00 push 0x0
00401AB4 |. 68 02000000 push 0x2
00401AB9 |. 68 01030080 push 0x80000301
00401ABE |. 6A 00 push 0x0
00401AC0 |. 68 CE000000 push 0xCE
00401AC5 |. 68 05000080 push 0x80000005
00401ACA |. 6A 00 push 0x0
00401ACC |. A1 94C05C00 mov eax,dword ptr ds:[0x5CC094]
00401AD1 |. 85C0 test eax,eax
00401AD3 |. 75 05 jnz short CM.00401ADA
00401AD5 |. B8 19014A00 mov eax,CM.004A0119
00401ADA |> 50 push eax
00401ADB |. 68 04000000 push 0x4
00401AE0 |. BB 20634000 mov ebx,<CM.字节集替换>
00401AE5 |. E8 AA3A0000 call CM.00405594 ; jmp 到 <CM.调用命令>
The 3rd character XOR 0x9E gives the DHT segment marker.
The 5th character XOR 0xB7 gives the DHT segment type.
XORing FF and 0xC4 with 0x9E and 0xB7 respectively gives the 3rd and 5th characters of the registration code:
the 3rd is a, the 5th is s.
From this we obtain the registration code:
12aps67k
Let me also recommend a 易语言 (EPL) analysis tool I wrote myself; it is of some help when analysing 易语言 programs,
but it currently has bugs and some commands are not recognised correctly.
http://www.52pojie.cn/thread-416342-1-1.html