申请会员ID:AQQD【申请通过】
1、申 请 I D:AQQD
2、个人邮箱:656961@qq.com
3、分析CM:https://www.52pojie.cn/thread-1181283-1-1.html
玩逆向有几年了,取之于民用之于民。
1.先分析第一个CM
对于没有VM的程序 最合适的方式就是直接放到OD 直接看字符串或者关键字符 看可疑字符串找函数头 Ctrl+R 找上级回溯地址
So……从字符串看发现“检测OD”字样,双击进入,然后找 call 004034E0 的函数头部(004034E0 $55 push ebp),Ctrl+R 找上级回溯地址:00401E65 |. E8 76160000 call cm.004034E0
继续找 00401E65 所在函数的头部地址 00401D62 /$ 55 push ebp,Ctrl+R 找上级回溯地址 00401D59 |> \E8 04000000 call cm.00401D62;继续找到头部地址 00401C52 /$ 55 push ebp
类推,00401BA4 |. E8 A9000000 call cm.00401C52,最终到 00401BA1 /. 55 push ebp,在此 F2 下断让程序跑起来(也可以用按钮事件;对于易语言可以直接忽略上面的文字,直接搜索特征码 FF 55 FC 5F 5E 下断,方法很多,看个人喜好)
2.跑起来后 编辑框随意输入key程序断下 单步F7
到此处发现eax有类似MD5的数据出现 于是对地址0x4B2290 右键 -》查找参考 -》地址常量
找到有一个赋值的地址 双击进入( ps:为何要找赋值的地址 因为只有赋值的地址才能知道具体数据是不是MD5 这样看起来只是类似 不能确定)
于是进入到地址 0040149D |. A3 90224B00 mov dword ptr ds:[0x4B2290],eax
找到段首 004010F2 /. 55 push ebp,F2 下断,重新跑起来程序,看看数据来由
3.单步F8后的数据直接贴代码和注释
004010F2 55 push ebp ; 0
004010F3 8BEC mov ebp,esp
004010F5 81EC 44000000 sub esp,0x44
004010FB B8 CCA14800 mov eax,cm.0048A1CC ; 52pj
00401100 50 push eax
00401101 8B1D 78224B00 mov ebx,dword ptr ds: ; 52pj
00401107 85DB test ebx,ebx
00401109 74 09 je Xcm.00401114
0040110B 53 push ebx
0040110C E8 D6410000 call cm.004052E7
00401111 83C4 04 add esp,0x4
00401114 58 pop eax
00401115 A3 78224B00 mov dword ptr ds:,eax ; 52pj
0040111A 6A FF push -0x1
0040111C 6A 08 push 0x8
0040111E 68 6C010116 push 0x1601016C
00401123 68 01000152 push 0x52010001
00401128 E8 D2410000 call cm.004052FF ; 程序可能被调试// 从窗体获取文本
0040112D 83C4 10 add esp,0x10
00401130 8945 FC mov dword ptr ss:,eax
00401133 68 04000080 push 0x80000004
00401138 6A 00 push 0x0
0040113A 8B45 FC mov eax,dword ptr ss:
0040113D 85C0 test eax,eax
0040113F 75 05 jnz Xcm.00401146
00401141 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
00401146 50 push eax
00401147 68 01000000 push 0x1
0040114C BB A05C4000 mov ebx,<cm.到字节集>
00401151 E8 9D410000 call cm.004052F3
00401156 83C4 10 add esp,0x10
00401159 8945 F8 mov dword ptr ss:,eax
0040115C 8B5D FC mov ebx,dword ptr ss:
0040115F 85DB test ebx,ebx
00401161 74 09 je Xcm.0040116C
00401163 53 push ebx
00401164 E8 7E410000 call cm.004052E7
00401169 83C4 04 add esp,0x4
0040116C 68 01030080 push 0x80000301
00401171 6A 00 push 0x0
00401173 68 02000000 push 0x2
00401178 68 04000080 push 0x80000004
0040117D 6A 00 push 0x0
0040117F A1 78224B00 mov eax,dword ptr ds: ; 52pj //加密key
00401184 85C0 test eax,eax
00401186 75 05 jnz Xcm.0040118D
00401188 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
0040118D 50 push eax
0040118E 68 05000080 push 0x80000005
00401193 6A 00 push 0x0
00401195 8B45 F8 mov eax,dword ptr ss:
00401198 85C0 test eax,eax
0040119A 75 05 jnz Xcm.004011A1
0040119C B8 D2A14800 mov eax,cm.0048A1D2
004011A1 50 push eax
004011A2 68 03000000 push 0x3
004011A7 B8 01000000 mov eax,0x1
004011AC BB 70454600 mov ebx,<cm.加密数据>
004011B1 E8 37410000 call cm.004052ED ; 加密数据
004011B6 83C4 28 add esp,0x28
004011B9 8945 F4 mov dword ptr ss:,eax
004011BC 8B5D F8 mov ebx,dword ptr ss:
004011BF 85DB test ebx,ebx
004011C1 74 09 je Xcm.004011CC
004011C3 53 push ebx
004011C4 E8 1E410000 call cm.004052E7
004011C9 83C4 04 add esp,0x4
004011CC 8B45 F4 mov eax,dword ptr ss:
004011CF 50 push eax
004011D0 8B1D 7C224B00 mov ebx,dword ptr ds: ; x3k
004011D6 85DB test ebx,ebx
004011D8 74 09 je Xcm.004011E3
004011DA 53 push ebx
004011DB E8 07410000 call cm.004052E7
004011E0 83C4 04 add esp,0x4
004011E3 58 pop eax
004011E4 A3 7C224B00 mov dword ptr ds:,eax ; 存放加密数据 程序可能被调试 这个文本的加密数据
004011E9 6A FF push -0x1
004011EB 6A 08 push 0x8
004011ED 68 4B010116 push 0x1601014B
004011F2 68 01000152 push 0x52010001
004011F7 E8 03410000 call cm.004052FF ; 从窗体获取发现代码变化 文本
004011FC 83C4 10 add esp,0x10
004011FF 8945 FC mov dword ptr ss:,eax
00401202 68 04000080 push 0x80000004
00401207 6A 00 push 0x0
00401209 8B45 FC mov eax,dword ptr ss:
0040120C 85C0 test eax,eax
0040120E 75 05 jnz Xcm.00401215
00401210 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
00401215 50 push eax
00401216 68 01000000 push 0x1
0040121B BB A05C4000 mov ebx,<cm.到字节集>
00401220 E8 CE400000 call cm.004052F3
00401225 83C4 10 add esp,0x10
00401228 8945 F8 mov dword ptr ss:,eax
0040122B 8B5D FC mov ebx,dword ptr ss:
0040122E 85DB test ebx,ebx
00401230 74 09 je Xcm.0040123B
00401232 53 push ebx
00401233 E8 AF400000 call cm.004052E7
00401238 83C4 04 add esp,0x4
0040123B 68 01030080 push 0x80000301
00401240 6A 00 push 0x0
00401242 68 02000000 push 0x2
00401247 68 04000080 push 0x80000004
0040124C 6A 00 push 0x0
0040124E A1 78224B00 mov eax,dword ptr ds: ; 52pj//同样的加密key
00401253 85C0 test eax,eax
00401255 75 05 jnz Xcm.0040125C
00401257 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
0040125C 50 push eax
0040125D 68 05000080 push 0x80000005
00401262 6A 00 push 0x0
00401264 8B45 F8 mov eax,dword ptr ss:
00401267 85C0 test eax,eax
00401269 75 05 jnz Xcm.00401270
0040126B B8 D2A14800 mov eax,cm.0048A1D2
00401270 50 push eax
00401271 68 03000000 push 0x3
00401276 B8 01000000 mov eax,0x1
0040127B BB 70454600 mov ebx,<cm.加密数据>
00401280 E8 68400000 call cm.004052ED
00401285 83C4 28 add esp,0x28
00401288 8945 F4 mov dword ptr ss:,eax
0040128B 8B5D F8 mov ebx,dword ptr ss:
0040128E 85DB test ebx,ebx
00401290 74 09 je Xcm.0040129B
00401292 53 push ebx
00401293 E8 4F400000 call cm.004052E7
00401298 83C4 04 add esp,0x4
0040129B 8B45 F4 mov eax,dword ptr ss:
0040129E 50 push eax
0040129F 8B1D 80224B00 mov ebx,dword ptr ds:
004012A5 85DB test ebx,ebx
004012A7 74 09 je Xcm.004012B2
004012A9 53 push ebx
004012AA E8 38400000 call cm.004052E7
004012AF 83C4 04 add esp,0x4
004012B2 58 pop eax
004012B3 A3 80224B00 mov dword ptr ds:,eax ; 存放 上面文本的加密数据常量地址
004012B8 B8 DAA14800 mov eax,cm.0048A1DA ; 程序可能正在被调试
004012BD 50 push eax
004012BE 8B1D 84224B00 mov ebx,dword ptr ds: ; 程序可能正在被调试
004012C4 85DB test ebx,ebx
004012C6 74 09 je Xcm.004012D1
004012C8 53 push ebx
004012C9 E8 19400000 call cm.004052E7
004012CE 83C4 04 add esp,0x4
004012D1 58 pop eax
004012D2 A3 84224B00 mov dword ptr ds:,eax ; 程序可能正在被调试
004012D7 68 00000000 push 0x0
004012DC BB 10554000 mov ebx,<cm.取执行文件名> ; j
004012E1 E8 0D400000 call cm.004052F3 ; 获取执行文件名
004012E6 83C4 04 add esp,0x4
004012E9 8945 FC mov dword ptr ss:,eax
004012EC 68 04000080 push 0x80000004
004012F1 6A 00 push 0x0
004012F3 8B45 FC mov eax,dword ptr ss:
004012F6 85C0 test eax,eax
004012F8 75 05 jnz Xcm.004012FF
004012FA B8 D1A14800 mov eax,cm.0048A1D1 ; ā
004012FF 50 push eax
00401300 68 01000000 push 0x1
00401305 BB 50634000 mov ebx,<cm.读入文件>
0040130A E8 E43F0000 call cm.004052F3 ; 读入文件字节集
0040130F 83C4 10 add esp,0x10
00401312 8945 F8 mov dword ptr ss:,eax
00401315 8B5D FC mov ebx,dword ptr ss:
00401318 85DB test ebx,ebx
0040131A 74 09 je Xcm.00401325
0040131C 53 push ebx
0040131D E8 C53F0000 call cm.004052E7
00401322 83C4 04 add esp,0x4
00401325 8B45 F8 mov eax,dword ptr ss:
00401328 50 push eax
00401329 8B1D 88224B00 mov ebx,dword ptr ds:
0040132F 85DB test ebx,ebx
00401331 74 09 je Xcm.0040133C
00401333 53 push ebx
00401334 E8 AE3F0000 call cm.004052E7
00401339 83C4 04 add esp,0x4
0040133C 58 pop eax
0040133D A3 88224B00 mov dword ptr ds:,eax
00401342 68 05000080 push 0x80000005
00401347 6A 00 push 0x0
00401349 A1 88224B00 mov eax,dword ptr ds:
0040134E 85C0 test eax,eax
00401350 75 05 jnz Xcm.00401357
00401352 B8 D2A14800 mov eax,cm.0048A1D2
00401357 50 push eax
00401358 68 01000000 push 0x1
0040135D BB F0544000 mov ebx,<cm.取字节集长度>
00401362 E8 8C3F0000 call cm.004052F3
00401367 83C4 10 add esp,0x10
0040136A 8945 F4 mov dword ptr ss:,eax
0040136D DB45 F4 fild dword ptr ss:
00401370 DD5D F4 fstp qword ptr ss:
00401373 DD45 F4 fld qword ptr ss:
00401376 DC25 EDA14800 fsub qword ptr ds: ; 文件总长度 减去 32
0040137C DD5D EC fstp qword ptr ss:
0040137F DD45 EC fld qword ptr ss:
00401382 E8 7DFCFFFF call cm.00401004
00401387 68 01030080 push 0x80000301
0040138C 6A 00 push 0x0
0040138E 50 push eax
0040138F 68 05000080 push 0x80000005
00401394 6A 00 push 0x0
00401396 A1 88224B00 mov eax,dword ptr ds:
0040139B 85C0 test eax,eax
0040139D 75 05 jnz Xcm.004013A4
0040139F B8 D2A14800 mov eax,cm.0048A1D2
004013A4 50 push eax
004013A5 68 02000000 push 0x2
004013AA BB A05D4000 mov ebx,<cm.取字节集左边>
004013AF E8 3F3F0000 call cm.004052F3
004013B4 83C4 1C add esp,0x1C
004013B7 8945 E8 mov dword ptr ss:,eax
004013BA 68 05000080 push 0x80000005
004013BF 6A 00 push 0x0
004013C1 8B45 E8 mov eax,dword ptr ss:
004013C4 85C0 test eax,eax
004013C6 75 05 jnz Xcm.004013CD
004013C8 B8 D2A14800 mov eax,cm.0048A1D2
004013CD 50 push eax
004013CE 68 01000000 push 0x1
004013D3 B8 01000000 mov eax,0x1
004013D8 BB 90414600 mov ebx,<cm.取数据秘钥>
004013DD E8 0B3F0000 call cm.004052ED ; 获取到截取数据的 md5
004013E2 83C4 10 add esp,0x10
004013E5 8945 E4 mov dword ptr ss:,eax
004013E8 8B5D E8 mov ebx,dword ptr ss:
004013EB 85DB test ebx,ebx
004013ED 74 09 je Xcm.004013F8
004013EF 53 push ebx
004013F0 E8 F23E0000 call cm.004052E7
004013F5 83C4 04 add esp,0x4
004013F8 8B45 E4 mov eax,dword ptr ss:
004013FB 50 push eax
004013FC 8B1D 8C224B00 mov ebx,dword ptr ds:
00401402 85DB test ebx,ebx
00401404 74 09 je Xcm.0040140F
00401406 53 push ebx
00401407 E8 DB3E0000 call cm.004052E7
0040140C 83C4 04 add esp,0x4
0040140F 58 pop eax
00401410 A3 8C224B00 mov dword ptr ds:,eax ; 动态存放截取数据秘钥
00401415 68 01030080 push 0x80000301
0040141A 6A 00 push 0x0
0040141C 68 20000000 push 0x20
00401421 68 05000080 push 0x80000005
00401426 6A 00 push 0x0
00401428 A1 88224B00 mov eax,dword ptr ds:
0040142D 85C0 test eax,eax
0040142F 75 05 jnz Xcm.00401436
00401431 B8 D2A14800 mov eax,cm.0048A1D2
00401436 50 push eax
00401437 68 02000000 push 0x2
0040143C BB E05D4000 mov ebx,<cm.取字节集左边>
00401441 E8 AD3E0000 call cm.004052F3 ; 从程序字节集的最左边取出 静态 md5
00401446 83C4 1C add esp,0x1C
00401449 8945 FC mov dword ptr ss:,eax
0040144C 68 05000080 push 0x80000005
00401451 6A 00 push 0x0
00401453 8B45 FC mov eax,dword ptr ss:
00401456 85C0 test eax,eax
00401458 75 05 jnz Xcm.0040145F
0040145A B8 D2A14800 mov eax,cm.0048A1D2
0040145F 50 push eax
00401460 68 01000000 push 0x1
00401465 BB 00604000 mov ebx,<cm.到文本>
0040146A E8 843E0000 call cm.004052F3
0040146F 83C4 10 add esp,0x10
00401472 8945 F8 mov dword ptr ss:,eax
00401475 8B5D FC mov ebx,dword ptr ss:
00401478 85DB test ebx,ebx
0040147A 74 09 je Xcm.00401485
0040147C 53 push ebx
0040147D E8 653E0000 call cm.004052E7
00401482 83C4 04 add esp,0x4
00401485 8B45 F8 mov eax,dword ptr ss:
00401488 50 push eax
00401489 8B1D 90224B00 mov ebx,dword ptr ds:
0040148F 85DB test ebx,ebx
00401491 74 09 je Xcm.0040149C
00401493 53 push ebx
00401494 E8 4E3E0000 call cm.004052E7
00401499 83C4 04 add esp,0x4
0040149C 58 pop eax
0040149D A3 90224B00 mov dword ptr ds:,eax ; 存放静态MD5
004014A2 B8 F5A14800 mov eax,cm.0048A1F5 ; hackabi
004014A7 50 push eax
004014A8 8B1D 94224B00 mov ebx,dword ptr ds: ; hackabi
004014AE 85DB test ebx,ebx
004014B0 74 09 je Xcm.004014BB
004014B2 53 push ebx
004014B3 E8 2F3E0000 call cm.004052E7
004014B8 83C4 04 add esp,0x4
004014BB 58 pop eax
004014BC A3 94224B00 mov dword ptr ds:,eax ; 存放key hackabi
004014C1 68 00000000 push 0x0
004014C6 BB 10634000 mov ebx,<cm.取现行时间>
004014CB E8 233E0000 call cm.004052F3
004014D0 83C4 04 add esp,0x4
004014D3 68 03000080 push 0x80000003
004014D8 52 push edx
004014D9 50 push eax
004014DA 68 01000000 push 0x1
004014DF BB B0624000 mov ebx,<cm.取月份>
004014E4 E8 0A3E0000 call cm.004052F3 ; 得到时间月
004014E9 83C4 10 add esp,0x10
004014EC 8945 F4 mov dword ptr ss:,eax
004014EF 68 00000000 push 0x0
004014F4 BB 10634000 mov ebx,<cm.取现行时间>
004014F9 E8 F53D0000 call cm.004052F3
004014FE 83C4 04 add esp,0x4
00401501 68 03000080 push 0x80000003
00401506 52 push edx
00401507 50 push eax
00401508 68 01000000 push 0x1
0040150D BB 90624000 mov ebx,<cm.取年份>
00401512 E8 DC3D0000 call cm.004052F3 ; 得到时间年eax2021
00401517 83C4 10 add esp,0x10
0040151A 8945 E8 mov dword ptr ss:,eax
0040151D 68 00000000 push 0x0
00401522 BB 10634000 mov ebx,<cm.取现行时间>
00401527 E8 C73D0000 call cm.004052F3
0040152C 83C4 04 add esp,0x4
0040152F 68 03000080 push 0x80000003
00401534 52 push edx
00401535 50 push eax
00401536 68 01000000 push 0x1
0040153B BB F0624000 mov ebx,<cm.取分钟>
00401540 E8 AE3D0000 call cm.004052F3 ; 得到时间 分钟
00401545 83C4 10 add esp,0x10 ; 算法
00401548 8945 DC mov dword ptr ss:,eax
0040154B DB45 F4 fild dword ptr ss:
0040154E DD5D D4 fstp qword ptr ss:
00401551 DD45 D4 fld qword ptr ss:
00401554 DB45 E8 fild dword ptr ss:
00401557 DD5D CC fstp qword ptr ss:
0040155A DC45 CC fadd qword ptr ss: ; 年+月份
0040155D DB45 DC fild dword ptr ss:
00401560 DD5D C4 fstp qword ptr ss:
00401563 DC45 C4 fadd qword ptr ss: ; 结果再加 分钟
00401566 DD5D BC fstp qword ptr ss:
00401569 DD45 BC fld qword ptr ss:
0040156C E8 93FAFFFF call cm.00401004 ; 得到 2065 结果
00401571 A3 98224B00 mov dword ptr ds:,eax ; 存放 结果
00401576 68 00000000 push 0x0
0040157B BB 10634000 mov ebx,<cm.取现行时间>
00401580 E8 6E3D0000 call cm.004052F3
00401585 83C4 04 add esp,0x4
00401588 68 03000080 push 0x80000003
0040158D 52 push edx
0040158E 50 push eax
0040158F 68 01000000 push 0x1
00401594 BB D0624000 mov ebx,<cm.取日期>
00401599 E8 553D0000 call cm.004052F3 ; 得到日期
0040159E 83C4 10 add esp,0x10
004015A1 A3 9C224B00 mov dword ptr ds:,eax ; 日期
004015A6 DB05 98224B00 fild dword ptr ds:
004015AC DD5D F8 fstp qword ptr ss:
004015AF DD45 F8 fld qword ptr ss:
004015B2 DC0D EDA14800 fmul qword ptr ds: ; 上面的加法结果*32
004015B8 DD5D F0 fstp qword ptr ss:
004015BB DD45 F0 fld qword ptr ss:
004015BE DC05 FDA14800 fadd qword ptr ds: ; 结果再加 2020
004015C4 DD5D E8 fstp qword ptr ss:
004015C7 DD45 E8 fld qword ptr ss:
004015CA DB05 9C224B00 fild dword ptr ds:
004015D0 DD5D E0 fstp qword ptr ss:
004015D3 DC65 E0 fsub qword ptr ss: ; 结果再减去 12
004015D6 DD5D D8 fstp qword ptr ss:
004015D9 DD45 D8 fld qword ptr ss:
004015DC E8 23FAFFFF call cm.00401004
004015E1 A3 A0224B00 mov dword ptr ds:,eax ; 得到 68088 的结果
004015E6 68 01010080 push 0x80000101
004015EB 6A 00 push 0x0
004015ED 68 63000000 push 0x63 ; 从这push 和出来的结果 可以判断是 取了字符c
004015F2 68 01000000 push 0x1
004015F7 BB C0554000 mov ebx,<cm.字符>
004015FC E8 F23C0000 call cm.004052F3
00401601 83C4 10 add esp,0x10
00401604 8945 FC mov dword ptr ss:,eax
00401607 8B45 FC mov eax,dword ptr ss:
0040160A 50 push eax
0040160B 8B1D A4224B00 mov ebx,dword ptr ds:
00401611 85DB test ebx,ebx
00401613 74 09 je Xcm.0040161E
00401615 53 push ebx
00401616 E8 CC3C0000 call cm.004052E7
0040161B 83C4 04 add esp,0x4
0040161E 58 pop eax
0040161F A3 A4224B00 mov dword ptr ds:,eax ; 存放字符 C
00401624 68 01030080 push 0x80000301
00401629 6A 00 push 0x0
0040162B FF35 A0224B00 push dword ptr ds:
00401631 68 01000000 push 0x1
00401636 BB 00604000 mov ebx,<cm.到文本>
0040163B E8 B33C0000 call cm.004052F3
00401640 83C4 10 add esp,0x10
00401643 8945 FC mov dword ptr ss:,eax
00401646 68 04000080 push 0x80000004
0040164B 6A 00 push 0x0
0040164D A1 A4224B00 mov eax,dword ptr ds:
00401652 85C0 test eax,eax
00401654 75 05 jnz Xcm.0040165B
00401656 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
0040165B 50 push eax
0040165C 68 01000000 push 0x1
00401661 BB 00604000 mov ebx,<cm.到文本>
00401666 E8 883C0000 call cm.004052F3
0040166B 83C4 10 add esp,0x10
0040166E 8945 F8 mov dword ptr ss:,eax
00401671 68 01010080 push 0x80000101
00401676 6A 00 push 0x0
00401678 68 61000000 push 0x61 ; 同上一样取字符a
0040167D 68 01000000 push 0x1
00401682 BB C0554000 mov ebx,<cm.字符>
00401687 E8 673C0000 call cm.004052F3
0040168C 83C4 10 add esp,0x10
0040168F 8945 F4 mov dword ptr ss:,eax
00401692 68 04000080 push 0x80000004
00401697 6A 00 push 0x0
00401699 8B45 F4 mov eax,dword ptr ss:
0040169C 85C0 test eax,eax
0040169E 75 05 jnz Xcm.004016A5
004016A0 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
004016A5 50 push eax
004016A6 68 01000000 push 0x1
004016AB BB 00594000 mov ebx,<cm.到大写>
004016B0 E8 3E3C0000 call cm.004052F3 ; 转换成大写
004016B5 83C4 10 add esp,0x10
004016B8 8945 F0 mov dword ptr ss:,eax
004016BB 8B5D F4 mov ebx,dword ptr ss:
004016BE 85DB test ebx,ebx
004016C0 74 09 je Xcm.004016CB
004016C2 53 push ebx
004016C3 E8 1F3C0000 call cm.004052E7
004016C8 83C4 04 add esp,0x4
004016CB 68 04000080 push 0x80000004
004016D0 6A 00 push 0x0
004016D2 8B45 F0 mov eax,dword ptr ss:
004016D5 85C0 test eax,eax
004016D7 75 05 jnz Xcm.004016DE
004016D9 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
004016DE 50 push eax
004016DF 68 01000000 push 0x1
004016E4 BB 00604000 mov ebx,<cm.到文本>
004016E9 E8 053C0000 call cm.004052F3
004016EE 83C4 10 add esp,0x10
004016F1 8945 EC mov dword ptr ss:,eax
004016F4 8B5D F0 mov ebx,dword ptr ss:
004016F7 85DB test ebx,ebx
004016F9 74 09 je Xcm.00401704
004016FB 53 push ebx
004016FC E8 E63B0000 call cm.004052E7
00401701 83C4 04 add esp,0x4
00401704 6A 00 push 0x0
00401706 6A 00 push 0x0
00401708 6A 00 push 0x0
0040170A 68 01000000 push 0x1
0040170F B8 02000000 mov eax,0x2
00401714 BB A0734600 mov ebx,<cm.取ip地址>
00401719 E8 CF3B0000 call cm.004052ED ; 192.168.1.8//取本地ip地址
0040171E 83C4 10 add esp,0x10
00401721 8945 E8 mov dword ptr ss:,eax
00401724 68 01030080 push 0x80000301
00401729 6A 00 push 0x0
0040172B 68 02000000 push 0x2
00401730 68 04000080 push 0x80000004
00401735 6A 00 push 0x0
00401737 8B45 E8 mov eax,dword ptr ss:
0040173A 85C0 test eax,eax
0040173C 75 05 jnz Xcm.00401743
0040173E B8 D1A14800 mov eax,cm.0048A1D1 ; ā
00401743 50 push eax
00401744 68 02000000 push 0x2
00401749 BB 70554000 mov ebx,<cm.取文本右边>
0040174E E8 A03B0000 call cm.004052F3 ; 取文本右边 2位
00401753 83C4 1C add esp,0x1C
00401756 8945 E4 mov dword ptr ss:,eax
00401759 8B5D E8 mov ebx,dword ptr ss:
0040175C 85DB test ebx,ebx
0040175E 74 09 je Xcm.00401769
00401760 53 push ebx
00401761 E8 813B0000 call cm.004052E7
00401766 83C4 04 add esp,0x4
00401769 68 04000080 push 0x80000004
0040176E 6A 00 push 0x0
00401770 8B45 E4 mov eax,dword ptr ss:
00401773 85C0 test eax,eax
00401775 75 05 jnz Xcm.0040177C
00401777 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
0040177C 50 push eax
0040177D 68 01000000 push 0x1
00401782 BB 00604000 mov ebx,<cm.到文本>
00401787 E8 673B0000 call cm.004052F3
0040178C 83C4 10 add esp,0x10
0040178F 8945 E0 mov dword ptr ss:,eax
00401792 8B5D E4 mov ebx,dword ptr ss:
00401795 85DB test ebx,ebx
00401797 74 09 je Xcm.004017A2
00401799 53 push ebx
0040179A E8 483B0000 call cm.004052E7
0040179F 83C4 04 add esp,0x4
004017A2 FF75 E0 push dword ptr ss:
004017A5 FF75 EC push dword ptr ss:
004017A8 FF75 F8 push dword ptr ss:
004017AB 68 05A24800 push cm.0048A205 ; 1992
004017B0 FF75 FC push dword ptr ss:
004017B3 B9 05000000 mov ecx,0x5
004017B8 E8 D9F8FFFF call cm.00401096 ; 文本组合 68088 + 1992 + c+ A+ .8
004017BD 83C4 14 add esp,0x14
004017C0 8945 DC mov dword ptr ss:,eax
004017C3 8B5D FC mov ebx,dword ptr ss:
004017C6 85DB test ebx,ebx
004017C8 74 09 je Xcm.004017D3
004017CA 53 push ebx
004017CB E8 173B0000 call cm.004052E7
004017D0 83C4 04 add esp,0x4
004017D3 8B5D F8 mov ebx,dword ptr ss:
004017D6 85DB test ebx,ebx
004017D8 74 09 je Xcm.004017E3
004017DA 53 push ebx
004017DB E8 073B0000 call cm.004052E7
004017E0 83C4 04 add esp,0x4
004017E3 8B5D EC mov ebx,dword ptr ss:
004017E6 85DB test ebx,ebx
004017E8 74 09 je Xcm.004017F3
004017EA 53 push ebx
004017EB E8 F73A0000 call cm.004052E7
004017F0 83C4 04 add esp,0x4
004017F3 8B5D E0 mov ebx,dword ptr ss:
004017F6 85DB test ebx,ebx
004017F8 74 09 je Xcm.00401803
004017FA 53 push ebx
004017FB E8 E73A0000 call cm.004052E7
00401800 83C4 04 add esp,0x4
00401803 6A 00 push 0x0
00401805 FF75 DC push dword ptr ss:
00401808 6A FF push -0x1
0040180A 6A 08 push 0x8
0040180C 68 0B000116 push 0x1601000B
00401811 68 01000152 push 0x52010001
00401816 E8 023B0000 call cm.0040531D
0040181B 83C4 18 add esp,0x18
0040181E 8B5D DC mov ebx,dword ptr ss:
00401821 85DB test ebx,ebx
00401823 74 09 je Xcm.0040182E
00401825 53 push ebx
00401826 E8 BC3A0000 call cm.004052E7
0040182B 83C4 04 add esp,0x4
0040182E 68 00000000 push 0x0
00401833 BB 10634000 mov ebx,<cm.取现行时间>
00401838 E8 B63A0000 call cm.004052F3
0040183D 83C4 04 add esp,0x4
00401840 68 03000080 push 0x80000003
00401845 52 push edx
00401846 50 push eax
00401847 68 01000000 push 0x1
0040184C BB 90624000 mov ebx,<cm.取年份>
00401851 E8 9D3A0000 call cm.004052F3 ; 取年份
00401856 83C4 10 add esp,0x10
00401859 68 01030080 push 0x80000301
0040185E 6A 00 push 0x0
00401860 50 push eax
00401861 68 01000000 push 0x1
00401866 BB 00604000 mov ebx,<cm.到文本>
0040186B E8 833A0000 call cm.004052F3
00401870 83C4 10 add esp,0x10
00401873 8945 F0 mov dword ptr ss:,eax
00401876 68 00000000 push 0x0
0040187B BB 10634000 mov ebx,<cm.取现行时间>
00401880 E8 6E3A0000 call cm.004052F3
00401885 83C4 04 add esp,0x4
00401888 68 03000080 push 0x80000003
0040188D 52 push edx
0040188E 50 push eax
0040188F 68 01000000 push 0x1
00401894 BB B0624000 mov ebx,<cm.取月份>
00401899 E8 553A0000 call cm.004052F3 ; 取月份
0040189E 83C4 10 add esp,0x10
004018A1 68 01030080 push 0x80000301
004018A6 6A 00 push 0x0
004018A8 50 push eax
004018A9 68 01000000 push 0x1
004018AE BB 00604000 mov ebx,<cm.到文本>
004018B3 E8 3B3A0000 call cm.004052F3
004018B8 83C4 10 add esp,0x10
004018BB 8945 E0 mov dword ptr ss:,eax
004018BE 68 00000000 push 0x0
004018C3 BB 10634000 mov ebx,<cm.取现行时间>
004018C8 E8 263A0000 call cm.004052F3
004018CD 83C4 04 add esp,0x4
004018D0 68 03000080 push 0x80000003
004018D5 52 push edx
004018D6 50 push eax
004018D7 68 01000000 push 0x1
004018DC BB D0624000 mov ebx,<cm.取日期>
004018E1 E8 0D3A0000 call cm.004052F3 ; 取日期
004018E6 83C4 10 add esp,0x10
004018E9 68 01030080 push 0x80000301
004018EE 6A 00 push 0x0
004018F0 50 push eax
004018F1 68 01000000 push 0x1
004018F6 BB 00604000 mov ebx,<cm.到文本>
004018FB E8 F3390000 call cm.004052F3
00401900 83C4 10 add esp,0x10
00401903 8945 D0 mov dword ptr ss:,eax
00401906 FF75 D0 push dword ptr ss:
00401909 FF75 E0 push dword ptr ss:
0040190C FF75 F0 push dword ptr ss:
0040190F B9 03000000 mov ecx,0x3
00401914 E8 7DF7FFFF call cm.00401096 ; 文本组合2021212
00401919 83C4 0C add esp,0xC
0040191C 8945 CC mov dword ptr ss:,eax
0040191F 8B5D F0 mov ebx,dword ptr ss:
00401922 85DB test ebx,ebx
00401924 74 09 je Xcm.0040192F
00401926 53 push ebx
00401927 E8 BB390000 call cm.004052E7
0040192C 83C4 04 add esp,0x4
0040192F 8B5D E0 mov ebx,dword ptr ss:
00401932 85DB test ebx,ebx
00401934 74 09 je Xcm.0040193F
00401936 53 push ebx
00401937 E8 AB390000 call cm.004052E7
0040193C 83C4 04 add esp,0x4
0040193F 8B5D D0 mov ebx,dword ptr ss:
00401942 85DB test ebx,ebx
00401944 74 09 je Xcm.0040194F
00401946 53 push ebx
00401947 E8 9B390000 call cm.004052E7
0040194C 83C4 04 add esp,0x4
0040194F 6A 00 push 0x0
00401951 FF75 CC push dword ptr ss:
00401954 6A FF push -0x1
00401956 6A 08 push 0x8
00401958 68 02000116 push 0x16010002
0040195D 68 01000152 push 0x52010001
00401962 E8 B6390000 call cm.0040531D
00401967 83C4 18 add esp,0x18
0040196A 8B5D CC mov ebx,dword ptr ss:
0040196D 85DB test ebx,ebx
0040196F 74 09 je Xcm.0040197A
00401971 53 push ebx
00401972 E8 70390000 call cm.004052E7
00401977 83C4 04 add esp,0x4
0040197A 6A FF push -0x1
0040197C 6A 08 push 0x8
0040197E 68 02000116 push 0x16010002
00401983 68 01000152 push 0x52010001
00401988 E8 72390000 call cm.004052FF
0040198D 83C4 10 add esp,0x10
00401990 8945 FC mov dword ptr ss:,eax
00401993 68 04000080 push 0x80000004
00401998 6A 00 push 0x0
0040199A 8B45 FC mov eax,dword ptr ss:
0040199D 85C0 test eax,eax
0040199F 75 05 jnz Xcm.004019A6
004019A1 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
004019A6 50 push eax
004019A7 68 01000000 push 0x1
004019AC BB A05C4000 mov ebx,<cm.到字节集>
004019B1 E8 3D390000 call cm.004052F3
004019B6 83C4 10 add esp,0x10
004019B9 8945 F8 mov dword ptr ss:,eax
004019BC 8B5D FC mov ebx,dword ptr ss:
004019BF 85DB test ebx,ebx
004019C1 74 09 je Xcm.004019CC
004019C3 53 push ebx
004019C4 E8 1E390000 call cm.004052E7
004019C9 83C4 04 add esp,0x4
004019CC 68 01030080 push 0x80000301
004019D1 6A 00 push 0x0
004019D3 68 02000000 push 0x2
004019D8 68 04000080 push 0x80000004
004019DD 6A 00 push 0x0
004019DF A1 94224B00 mov eax,dword ptr ds: ; hackabi
004019E4 85C0 test eax,eax
004019E6 75 05 jnz Xcm.004019ED
004019E8 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
004019ED 50 push eax
004019EE 68 05000080 push 0x80000005
004019F3 6A 00 push 0x0
004019F5 8B45 F8 mov eax,dword ptr ss:
004019F8 85C0 test eax,eax
004019FA 75 05 jnz Xcm.00401A01
004019FC B8 D2A14800 mov eax,cm.0048A1D2
00401A01 50 push eax
00401A02 68 03000000 push 0x3
00401A07 B8 01000000 mov eax,0x1
00401A0C BB 70454600 mov ebx,<cm.加密数据>
00401A11 E8 D7380000 call cm.004052ED ; 加密2021212 数据 hackabi是key
00401A16 83C4 28 add esp,0x28
00401A19 8945 F4 mov dword ptr ss:,eax
00401A1C 8B5D F8 mov ebx,dword ptr ss:
00401A1F 85DB test ebx,ebx
00401A21 74 09 je Xcm.00401A2C
00401A23 53 push ebx
00401A24 E8 BE380000 call cm.004052E7
00401A29 83C4 04 add esp,0x4
00401A2C 8B45 F4 mov eax,dword ptr ss:
00401A2F 50 push eax
00401A30 8B1D A8224B00 mov ebx,dword ptr ds: ; 棂k
00401A36 85DB test ebx,ebx
00401A38 74 09 je Xcm.00401A43
00401A3A 53 push ebx
00401A3B E8 A7380000 call cm.004052E7
00401A40 83C4 04 add esp,0x4
00401A43 58 pop eax
00401A44 A3 A8224B00 mov dword ptr ds:,eax ; 存放2021212 加密数据
00401A49 6A FF push -0x1
00401A4B 6A 08 push 0x8
00401A4D 68 0B000116 push 0x1601000B
00401A52 68 01000152 push 0x52010001
00401A57 E8 A3380000 call cm.004052FF
00401A5C 83C4 10 add esp,0x10
00401A5F 8945 FC mov dword ptr ss:,eax
00401A62 6A FF push -0x1
00401A64 6A 08 push 0x8
00401A66 68 02000116 push 0x16010002
00401A6B 68 01000152 push 0x52010001
00401A70 E8 8A380000 call cm.004052FF
00401A75 83C4 10 add esp,0x10
00401A78 8945 F8 mov dword ptr ss:,eax
00401A7B FF75 F8 push dword ptr ss:
00401A7E FF75 FC push dword ptr ss:
00401A81 B9 02000000 mov ecx,0x2
00401A86 E8 0BF6FFFF call cm.00401096 ; 文本组合 上次得到的结果+2021212
00401A8B 83C4 08 add esp,0x8
00401A8E 8945 F4 mov dword ptr ss:,eax
00401A91 8B5D FC mov ebx,dword ptr ss:
00401A94 85DB test ebx,ebx
00401A96 74 09 je Xcm.00401AA1
00401A98 53 push ebx
00401A99 E8 49380000 call cm.004052E7
00401A9E 83C4 04 add esp,0x4
00401AA1 8B5D F8 mov ebx,dword ptr ss:
00401AA4 85DB test ebx,ebx
00401AA6 74 09 je Xcm.00401AB1
00401AA8 53 push ebx
00401AA9 E8 39380000 call cm.004052E7
00401AAE 83C4 04 add esp,0x4
00401AB1 8B45 F4 mov eax,dword ptr ss:
00401AB4 50 push eax
00401AB5 8B1D AC224B00 mov ebx,dword ptr ds:
00401ABB 85DB test ebx,ebx
00401ABD 74 09 je Xcm.00401AC8
00401ABF 53 push ebx
00401AC0 E8 22380000 call cm.004052E7
00401AC5 83C4 04 add esp,0x4
00401AC8 58 pop eax
00401AC9 A3 AC224B00 mov dword ptr ds:,eax ; 存放 key
00401ACE 6A FF push -0x1
00401AD0 6A 08 push 0x8
00401AD2 68 EA000116 push 0x160100EA
00401AD7 68 01000152 push 0x52010001
00401ADC E8 1E380000 call cm.004052FF
00401AE1 83C4 10 add esp,0x10
00401AE4 8945 FC mov dword ptr ss:,eax
00401AE7 68 04000080 push 0x80000004
00401AEC 6A 00 push 0x0
00401AEE 8B45 FC mov eax,dword ptr ss:
00401AF1 85C0 test eax,eax
00401AF3 75 05 jnz Xcm.00401AFA
00401AF5 B8 D1A14800 mov eax,cm.0048A1D1 ; ā
00401AFA 50 push eax
00401AFB 68 01000000 push 0x1
00401B00 BB A05C4000 mov ebx,<cm.到字节集>
00401B05 E8 E9370000 call cm.004052F3
00401B0A 83C4 10 add esp,0x10
00401B0D 8945 F8 mov dword ptr ss:,eax
00401B10 8B5D FC mov ebx,dword ptr ss:
00401B13 85DB test ebx,ebx
00401B15 74 09 je Xcm.00401B20
00401B17 53 push ebx
00401B18 E8 CA370000 call cm.004052E7
00401B1D 83C4 04 add esp,0x4
00401B20 68 01030080 push 0x80000301
00401B25 6A 00 push 0x0
00401B27 68 01000000 push 0x1
00401B2C 68 04000080 push 0x80000004
00401B31 6A 00 push 0x0
00401B33 A1 94224B00 mov eax,dword ptr ds: ; hackabi
00401B38 85C0 test eax,eax
00401B3A 75 05 jnz Xcm.00401B41
00401B3C B8 D1A14800 mov eax,cm.0048A1D1 ; ā
00401B41 50 push eax
00401B42 68 05000080 push 0x80000005
00401B47 6A 00 push 0x0
00401B49 8B45 F8 mov eax,dword ptr ss:
00401B4C 85C0 test eax,eax
00401B4E 75 05 jnz Xcm.00401B55
00401B50 B8 D2A14800 mov eax,cm.0048A1D2
00401B55 50 push eax
00401B56 68 03000000 push 0x3
00401B5B B8 01000000 mov eax,0x1
00401B60 BB 90454600 mov ebx,<cm.解密数据>
00401B65 E8 83370000 call cm.004052ED ; 解密出来 破解成功 文本 hackabi key
00401B6A 83C4 28 add esp,0x28
00401B6D 8945 F4 mov dword ptr ss:,eax
00401B70 8B5D F8 mov ebx,dword ptr ss:
00401B73 85DB test ebx,ebx
00401B75 74 09 je Xcm.00401B80
00401B77 53 push ebx
00401B78 E8 6A370000 call cm.004052E7
00401B7D 83C4 04 add esp,0x4
00401B80 8B45 F4 mov eax,dword ptr ss:
00401B83 50 push eax
00401B84 8B1D B0224B00 mov ebx,dword ptr ds: ; 切k
00401B8A 85DB test ebx,ebx
00401B8C 74 09 je Xcm.00401B97
00401B8E 53 push ebx
00401B8F E8 53370000 call cm.004052E7
00401B94 83C4 04 add esp,0x4
00401B97 58 pop eax
00401B98 A3 B0224B00 mov dword ptr ds:,eax ; 存放 破解成功
00401B9D 8BE5 mov esp,ebp
00401B9F 5D pop ebp
00401BA0 C3 retn
上面的注释中 理论上 疑惑的应该就是 取现行时间 其他应该通过eax 都很好理解和得出结论
对于随意一个 取现行时间 的 call,F7 进入后
0046B2FD FF15 88814800 call dword ptr ds:[<&KERNEL32.GetLocalTim>; kernel32.GetLocalTime
0046B303 8D45 E0 lea eax,dword ptr ss:
0046B306 50 push eax
0046B307 FF15 8C814800 call dword ptr ds:[<&KERNEL32.GetSystemTi>; kernel32.GetSystemTime
看到这两个函数 百度一下就会知道这个call 是 易语言的取现行时间
通过上面的单步分析 算法应该也是很好写的 可以无损破解 写注册机
注册机代码 我也贴一下 方便各位看官参考
爆破是比较简单的
.版本 2
.支持库 eAPI
.子程序 _按钮1_被单击
.局部变量 时间, 日期时间型
' Button-1 click handler: builds the registration code with the scheme
' recovered in the single-step trace above and writes it into 编辑框1.
' Segments, in order (each matches the annotated trace):
'   (year + month + minute) × 32 + 2020 − day, converted to text
'   "1992", 字符(99) = "c", 到大写(字符(97)) = "A"
'   the rightmost 2 characters of the local IP address text
'   year, month and day each converted to text and concatenated
' Design note: every input (local clock, local IP) is observable by the
' client and no secret is involved, so the check is reproducible by anyone;
' the weakness is the validation scheme itself, not the implementation.
' The time is read once so that all segments use the same instant.
时间 = 取现行时间 ()
编辑框1.内容 = 到文本 ((取年份 (时间) + 取月份 (时间) + 取分钟 (时间)) × 32 + 2020 - 取日 (时间)) + “1992” + 字符 (99) + 到大写 (字符 (97)) + 取文本右边 (取IP地址 (), 2) + 到文本 (取年份 (时间)) + 到文本 (取月份 (时间)) + 到文本 (取日 (时间))
爆破的时候,也可以把程序最后 32 字节改成:修改保存后的程序字节集中,长度减 32 的那部分字节集的 MD5。有点绕口,不过只要去程序的最后看一下数据就明白了
第二个CM https://www.52pojie.cn/thread-1358909-1-1.html
这个很多大佬都粗描淡写的描述了一下 我也截图重复一次
放OD 有报错 下信息框断点 宽文本用 MessageBoxW
看堆栈窗口 找回溯地址
02D7FE90|004090CA返回到 CrackMe.004090CA 来自 CrackMe.00407770
再找到段首 00408E30 55 push ebp,下断
00408E39 68 F0F24100 push CrackMe.0041F2F0
0041F2F0 这里存放四个字节 69 D8 A5 DE,而且压入了堆栈中
00408E4F E8 3C0C0000 call CrackMe.00409A90//取出我们输入的key数据
00408E54 50 push eax//压入key数据
00408E55 E8 56CB0000 call CrackMe.004159B0// 对比key数据
进入call后
004159E5 891C24 mov dword ptr ss:,ebx
004159E8 E8 43240000 call <jmp.&msvcrt.wcslen> ; 取key数据长度
004159ED 893424 mov dword ptr ss:,esi
004159F0 89C7 mov edi,eax
004159F2 E8 39240000 call <jmp.&msvcrt.wcslen> ; 取 0041F2F0 压入的那四个数据的长度
004159F7 39F8 cmp eax,edi
004159F9 89C5 mov ebp,eax
004159FB 89F8 mov eax,edi
004159FD 0F4EC5 cmovle eax,ebp
00415A00 897424 04 mov dword ptr ss:,esi
00415A04 891C24 mov dword ptr ss:,ebx
00415A07 894424 08 mov dword ptr ss:,eax
00415A0B E8 18240000 call <jmp.&msvcrt.wcsncmp> ; 对比文本
所以我们修改我们输入的假key前面四个字节为 69D8A5DE 后面清空00 让对比实现
继续单步 然后就出来了 成功信息框 顺便出来了 𪚥 zhe 这个字 也就
最后祝大家牛年大吉大利!发大财!希望坛主审核一下!
I D:AQQD
邮箱:656961@qq.com
申请通过,欢迎光临吾爱破解论坛,期待吾爱破解有你更加精彩,ID和密码自己通过邮件密码找回功能修改,请即时登陆并修改密码!
登陆后请在一周内在此帖报道,否则将删除ID信息。 没有收到邮件。h大 游客 113.129.59.x 发表于 2021-2-13 14:48
没有收到邮件。h大
https://www.52pojie.cn/thread-98585-1-1.html 按这个教程排查,邮件是你自己找回,并不是主动发送。 谢谢H大,已解决。来报道。 Hmily 发表于 2021-2-12 17:23
I D:AQQD
邮箱:
H大,不好意思,打扰了
在坛友的要求下,在下搬运了一建刷题软件,搬运前没有尽到查看的义务,违反了版规,现在以深刻的认识到了错误,请H大再给一次机会
我的论坛账号为:lufew01
请H大给一次机会 此时此刻 我只能用一句好家伙 来形容我的心情