wintop 发表于 2020-7-23 18:11

一个软件的dll算法,求给点思路

通过一系列的 OD(OllyDbg)追踪,定位到了一个 DLL;用 ViewApi.exe 查到了该 DLL 的导出函数,并看到了下面的汇编代码(注:粘贴时方括号内的内存操作数,如 FS:[0]、SS:[ESP+xx]、DS:[EAX-8],已经丢失,只剩下 FS:、SS:、DS: 段前缀)
; ---------------------------------------------------------------------------
; OllyDbg disassembly of one exported DLL function, pasted from a forum post.
; 32-bit x86, Intel syntax; the absolute addresses (10001C34, 10002908, ...)
; are consistent with a DLL loaded at the default base 0x10000000.
;
; NOTE(review): every memory operand written as SS:[...] / DS:[...] / FS:[...]
; lost its bracketed part during extraction, so stack-slot offsets, the
; FS:[0] of the exception chain and the field offsets read through DS: are
; NOT visible here. The listing also carries no per-line addresses, so which
; line a jump lands on is inferred from the structure and marked "likely".
; MFC42 is imported by ordinal; the identities given below for the ordinals
; (CString ctor/dtor/assign/Mid/Find/Right/operator+) are the usual ones for
; MFC42.DLL and must be confirmed against that DLL's export table.
;
; What the visible code itself establishes:
;   * the function pops two DWORD stack arguments (RETN 8); ECX is written
;     (LEA ECX,...) before it is ever read, which points to stdcall rather
;     than thiscall -- confirm from the caller.
;   * it returns -1 (OR EAX,FFFFFFFF) when the value loaded into EBP near the
;     top is < 3, otherwise 0 (XOR EAX,EAX) after a byte-copy loop and
;     Sleep(0xC8) -- i.e. a 200 ms delay that is not part of the transform.
;   * the final copy loop writes length-many bytes plus a terminating 0 into
;     the buffer addressed by ESI without any visible comparison against that
;     buffer's capacity; whoever calls this (including a keygen that reuses
;     the DLL) must size the output buffer for the longest possible result.
; ---------------------------------------------------------------------------
PUSH -1                              ; EH frame: initial EH state -1
PUSH 10002908                        ; handler / scope-table address
MOV EAX,FS:                          ; presumably FS:[0]: previous SEH chain head
PUSH EAX
MOV FS:,ESP                          ; install this frame as the SEH chain head
SUB ESP,44                           ; 0x44 bytes of locals (string objects + temps)
PUSH EBX                             ; save callee-saved registers; popped in
PUSH EBP                             ; reverse order just before RETN
PUSH ESI
PUSH EDI
; Construct four objects in stack slots (ECX = this). The byte/dword stored
; right before each call (0, 1, 2, then BL = 3) steps the EH state index so
; that an exception unwinds only the objects built so far. Ordinal 540 is
; conventionally CString::CString(void).
LEA ECX,SS:
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:
MOV DWORD PTR SS:,0                  ; EH state = 0
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:
MOV BYTE PTR SS:,1                   ; EH state = 1
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:
MOV BYTE PTR SS:,2                   ; EH state = 2
CALL <jmp.&MFC42.ID:540>
MOV ESI,SS:                          ; ESI = a stack slot, likely an argument (offset lost)
MOV EBX,3                            ; EBX = 3; also reused as the EH-state value 3 below
PUSH ESI
LEA ECX,SS:
MOV SS:,BL                           ; EH state = 3
CALL <jmp.&MFC42.ID:860>             ; ordinal 860: conventionally CString::operator=(const char*) -- copies ESI's string
MOV EAX,SS:
MOV EBP,DS:                          ; EBP = a field read through EAX (offset lost); used as a count below
CMP EBP,EBX                          ; compare it with 3
MOV SS:,EBP                          ; keep it in a local: the outer-loop bound
JGE SHORT 1000190B                   ; >= 3: continue with the main path
; Early-exit path for EBP < 3: destroy the four objects in reverse order
; (ordinal 800, conventionally CString::~CString), lowering the EH state
; before each destructor, then return -1.
LEA ECX,SS:
MOV BYTE PTR SS:,2
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV BYTE PTR SS:,1
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV BYTE PTR SS:,0
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV DWORD PTR SS:,-1
CALL <jmp.&MFC42.ID:800>
OR EAX,FFFFFFFF                      ; return value -1
JMP 10001C34                         ; to the shared epilogue (likely the MOV ECX,SS: / POP sequence at the end)
; Main path (likely 1000190B). Two constants from the DLL image are assigned
; into locals; their contents are not visible in this listing and must be
; dumped from the debugger (they are probably the alphabet/table the loop
; below indexes with Find/Mid).
PUSH 100041D0                        ; address of a string constant in the image
LEA ECX,SS:
CALL <jmp.&MFC42.ID:860>             ; local = that constant
PUSH ESI
MOV ECX,SS:
MOV EDX,DS:
LEA ECX,SS:
MOV SS:,EDX
CALL <jmp.&MFC42.ID:860>             ; another local = ESI's string
CMP EBP,1
MOV DWORD PTR SS:,1                  ; outer-loop counter local = 1
JL 10001BC3                          ; EBP < 1: skip the loop entirely
PUSH 1000433C                        ; address of a second string constant
LEA ECX,SS:
CALL <jmp.&MFC42.ID:860>
; Outer-loop body (likely 1000193F). Each iteration extracts one-character
; substrings (ordinal 4278 is conventionally CString::Mid(int,int), always
; called with count 1 here), looks each up in a local string (ordinal 2784,
; conventionally CString::Find(char)) and combines the two positions.
PUSH 1
LEA EDX,SS:
MOV EAX,SS:
MOV EDI,DS:                          ; EDI = a field read through EAX (offset lost)
LEA ECX,DS:
PUSH ECX
PUSH EDX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = str.Mid(pos, 1)
MOV EAX,DS:
LEA ECX,SS:
PUSH EAX
MOV BYTE PTR SS:,4                   ; EH state = 4 (temp is alive)
CALL <jmp.&MFC42.ID:2784>            ; EAX = table.Find(ch)
MOV ESI,EAX
LEA ECX,SS:
INC ESI                              ; ESI = Find(...) + 1 (if Find returns -1 for "not found", ESI becomes 0)
MOV SS:,BL                           ; EH state back to 3
CALL <jmp.&MFC42.ID:800>             ; destroy temp
ADD EDI,-2                           ; EDI = field - 2: position of the second character
PUSH 1
LEA EAX,SS:
PUSH EDI
PUSH EAX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = str.Mid(EDI, 1)
MOV EAX,DS:
LEA ECX,SS:
PUSH EAX
MOV BYTE PTR SS:,5                   ; EH state = 5
CALL <jmp.&MFC42.ID:2784>            ; EAX = table.Find(ch)
MOV EDI,EAX
LEA ECX,SS:
INC EDI                              ; EDI = Find(...) + 1
MOV SS:,BL                           ; EH state back to 3
CALL <jmp.&MFC42.ID:800>             ; destroy temp
TEST ESI,ESI
JLE 10001C8B                         ; a lookup failed: 10001C8B lies past the RETN below and is not
TEST EDI,EDI                         ;   in this listing (probably an unwind/abort path -- check it)
JLE 10001C8B
; Index arithmetic. EAX is a field read through SS:/DS: (likely the table
; length). Reading the two short jumps as landing on the following ADD ESI,ESI
; and DEC ESI respectively, this computes roughly:
;   d = ESI - EDI;  if (d < 1) d += n;  d += d;  if (d > n) d -= n;  d -= 1;
; The exact semantics depend on the hidden operands -- verify in the debugger.
MOV EAX,SS:
SUB ESI,EDI
CMP ESI,1
JGE SHORT 100019DB
ADD ESI,EAX
ADD ESI,ESI
CMP ESI,EAX
JLE SHORT 100019E3
SUB ESI,EAX
DEC ESI
PUSH 1
LEA ECX,SS:
PUSH ESI
PUSH ECX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = table.Mid(d, 1)
LEA EDX,SS:
MOV BYTE PTR SS:,6                   ; EH state = 6
PUSH EDX
PUSH EAX
LEA EAX,SS:
PUSH EAX
CALL <jmp.&MFC42.ID:922>             ; ordinal 922: conventionally operator+(const CString&, const CString&)
PUSH EAX
LEA ECX,SS:
MOV BYTE PTR SS:,7                   ; EH state = 7
CALL <jmp.&MFC42.ID:858>             ; ordinal 858: conventionally CString::operator=(const CString&) -- accumulate
LEA ECX,SS:
MOV BYTE PTR SS:,6
CALL <jmp.&MFC42.ID:800>             ; destroy temporaries
LEA ECX,SS:
MOV SS:,BL
CALL <jmp.&MFC42.ID:800>
MOV ECX,SS:
MOV EAX,DS:                          ; EAX = a length-like field of a local string (offset lost)
CMP EAX,2
JL 10001B2B                          ; fewer than 2: skip the inner loop
LEA EBP,DS:                          ; EBP = inner-loop index derived from EAX (exact form lost)
; Inner loop (likely 10001A47): the same Mid / Find / Mid / concat pattern as
; above, walking EBP downward (DEC EBP at the bottom) while the count stays
; >= 2. EBP is reloaded from its stack slot after the loop.
LEA EDX,SS:
PUSH 1
LEA EAX,SS:
PUSH EDX
PUSH EAX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = str.Mid(pos, 1)
MOV EAX,DS:
LEA ECX,SS:
PUSH EAX
MOV BYTE PTR SS:,8                   ; EH state = 8
CALL <jmp.&MFC42.ID:2784>            ; EAX = table.Find(ch)
MOV ESI,EAX
LEA ECX,SS:
INC ESI                              ; ESI = Find(...) + 1
MOV SS:,BL
CALL <jmp.&MFC42.ID:800>
PUSH 1
LEA ECX,SS:
PUSH EBP
PUSH ECX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = str.Mid(EBP, 1)
MOV EAX,DS:
LEA ECX,SS:
PUSH EAX
MOV BYTE PTR SS:,9                   ; EH state = 9
CALL <jmp.&MFC42.ID:2784>            ; EAX = table.Find(ch)
MOV EDI,EAX
LEA ECX,SS:
INC EDI                              ; EDI = Find(...) + 1
MOV SS:,BL
CALL <jmp.&MFC42.ID:800>
TEST ESI,ESI
JLE 10001C49                         ; lookup failed: 10001C49 is also past the RETN, not in this listing
TEST EDI,EDI
JLE 10001C49
; Simpler index arithmetic than the outer loop: d = ESI - EDI; if (d < 1)
; d += n (n read from a stack slot); d -= 1.
SUB ESI,EDI
CMP ESI,1
JGE SHORT 10001AC9
ADD ESI,SS:
DEC ESI
PUSH 1
LEA EDX,SS:
PUSH ESI
PUSH EDX
LEA ECX,SS:
CALL <jmp.&MFC42.ID:4278>            ; temp = table.Mid(d, 1)
LEA ECX,SS:
LEA EDX,SS:
PUSH ECX
PUSH EAX
PUSH EDX
MOV BYTE PTR SS:,A                   ; EH state = 0xA
CALL <jmp.&MFC42.ID:922>             ; operator+
PUSH EAX
LEA ECX,SS:
MOV BYTE PTR SS:,B                   ; EH state = 0xB
CALL <jmp.&MFC42.ID:858>             ; accumulate via operator=(const CString&)
LEA ECX,SS:
MOV BYTE PTR SS:,A
CALL <jmp.&MFC42.ID:800>             ; destroy temporaries
LEA ECX,SS:
MOV SS:,BL
CALL <jmp.&MFC42.ID:800>
DEC EBP                              ; next position (downward)
LEA EAX,SS:
CMP EAX,2
JGE 10001A47                         ; loop while the count is still >= 2
; Outer-loop tail (likely 10001B2B). Appears to rotate a local string by one
; character: ordinal 5710 is conventionally CString::Right(int), called with
; 1, and the Mid below takes (0, len-1); the concatenation pushes the Mid
; result first and the Right result second, i.e. result = Right(1) + Mid(0,
; len-1) if operator+ takes (a, b) in that order -- confirm in the debugger.
MOV EBP,SS:                          ; restore the outer-loop bound saved near the top
MOV ECX,SS:
LEA EDX,SS:
MOV EAX,DS:                          ; EAX = length-like field
LEA ECX,SS:
DEC EAX                              ; len - 1
PUSH EAX
PUSH 0
PUSH EDX
CALL <jmp.&MFC42.ID:4278>            ; temp1 = str.Mid(0, len-1)
MOV ESI,EAX
LEA EAX,SS:
PUSH 1
PUSH EAX
LEA ECX,SS:
MOV BYTE PTR SS:,C                   ; EH state = 0xC
CALL <jmp.&MFC42.ID:5710>            ; temp2 = str.Right(1)
PUSH ESI
LEA ECX,SS:
PUSH EAX
PUSH ECX
MOV BYTE PTR SS:,D                   ; EH state = 0xD
CALL <jmp.&MFC42.ID:922>             ; temp3 = temp2 + temp1 (see note above on argument order)
PUSH EAX
LEA ECX,SS:
MOV BYTE PTR SS:,E                   ; EH state = 0xE
CALL <jmp.&MFC42.ID:858>             ; str = temp3
LEA ECX,SS:
MOV BYTE PTR SS:,D
CALL <jmp.&MFC42.ID:800>             ; destroy temporaries in reverse order
LEA ECX,SS:
MOV BYTE PTR SS:,C
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV SS:,BL
CALL <jmp.&MFC42.ID:800>
LEA EDX,SS:
LEA ECX,SS:
PUSH EDX
CALL <jmp.&MFC42.ID:858>             ; copy one local string into another for the next round
MOV EAX,SS:                          ; outer-loop counter
INC EAX
CMP EAX,EBP
MOV SS:,EAX
JLE 1000193F                         ; loop while counter <= EBP (the value compared with 3 at the top)
; Copy the resulting string into the output buffer (likely 10001BC3).
; The count is re-read from the string's length field every iteration; the
; destination's capacity is never checked in the visible code.
MOV ESI,SS:                          ; ESI = output buffer pointer (a stack slot, likely the 2nd argument; offset lost)
MOV EBX,SS:                          ; EBX = character pointer of the local string
XOR ECX,ECX                          ; i = 0
MOV EAX,DS:                          ; EAX = length field read through EBX (offset lost)
TEST EAX,EAX
JLE SHORT 10001BE8                   ; empty: only write the terminator
MOV EDI,ESI
MOV EAX,EBX
SUB EDI,EBX                          ; EDI = dst - src, so [EDI+EAX] is dst[i] while EAX walks src
MOV DL,DS:                           ; DL = src[i]
INC ECX
MOV DS:,DL                           ; dst[i] = DL
MOV EDX,DS:                          ; re-read the length
INC EAX
CMP ECX,EDX
JL SHORT 10001BDA                    ; likely back to the MOV DL above
PUSH C8                              ; 0xC8 = 200
MOV BYTE PTR DS:,0                   ; dst[len] = 0 -- terminator; no capacity check on dst anywhere in view
CALL DS:[<&KERNEL32.Sleep>]          ; Sleep(200 ms) before returning; not part of the string transform
; Success path: destroy the four objects in reverse order and return 0.
LEA ECX,SS:
MOV BYTE PTR SS:,2
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV BYTE PTR SS:,1
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV BYTE PTR SS:,0
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:
MOV DWORD PTR SS:,-1
CALL <jmp.&MFC42.ID:800>
XOR EAX,EAX                          ; return value 0
; Shared epilogue (likely 10001C34; the -1 path jumps here with EAX already set).
MOV ECX,SS:                          ; ECX = saved previous SEH chain head
POP EDI                              ; restore callee-saved registers, reverse of the prologue
POP ESI
POP EBP
POP EBX
MOV FS:,ECX                          ; presumably FS:[0] = previous head: unlink this EH frame
ADD ESP,50                           ; 0x44 locals + the three EH pushes (-1, handler, old head) = 0x50
RETN 8                               ; callee pops two DWORD arguments
请问到这里之后,下一步该如何写出注册机?分析这段代码完全没有思路;或者有没有推荐的书,我去看看。

wintop 发表于 2020-7-24 00:22

涛之雨 发表于 2020-7-23 21:21
感觉找的好像不对吧。
这种辅助可以贴一下文件(如果方便的话)
最好说一下是怎么定位的,

定位很简单,很多静态反汇编工具都能定位,OD 也可以。

涛之雨 发表于 2020-7-24 06:55

wintop 发表于 2020-7-24 00:22
定位很简单,很多静态反汇编工具都能定位,OD 也可以。

我当然知道定位简单,但是楼主你找到的这段好像不对啊,这似乎是框架(MFC)的代码。

无闻无问 发表于 2020-7-23 18:36

你拿到ida中转换成伪c代码,不就轻松多了吗?

wintop 发表于 2020-7-23 18:49

无闻无问 发表于 2020-7-23 18:36
你拿到ida中转换成伪c代码,不就轻松多了吗?

已经在 IDA 里看过了……复杂得要命。

lykenan 发表于 2020-7-23 18:52

天书是什么,说的就是我这种小白看到这。。。。。。想学又不懂....

Light紫星 发表于 2020-7-23 19:50

ida f5啊,这个代码不是很长,只要确定了位置应该很容易搞的

JuncoJet 发表于 2020-7-23 20:09

注册算法确定要MFC?别闹,重新找找

Sound 发表于 2020-7-23 20:43

这个不是算法的汇编代码段吧

别欺负我啊 发表于 2020-7-23 20:52

MFC42... 估计得山总来

涛之雨 发表于 2020-7-23 21:21

感觉找的好像不对吧。
这种辅助可以贴一下文件(如果方便的话)
最好说一下是怎么定位的,

wintop 发表于 2020-7-24 00:20

Sound 发表于 2020-7-23 20:43
这个不是算法的汇编代码段吧

是算法,反汇编出来的。放到 IDA 里看,代码很长。