Registration analysis of a baby-naming program (algorithm + keygen) [repost]
【Title】: Registration analysis of a baby-naming program (algorithm + keygen source)
【Author】: suredwang
【Software】: 小精灵宝宝取名 ("Little Elf Baby Naming")
【Size】: 4.26M
【Download】: search for it yourself
【Packer】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【Protection】: packer + anti-debugging + machine code
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OllyDbg (OD), PEiD, UPX unpacker
【Platform】: Windows XP
【About the software】: a fairly powerful naming program with many extra features.
【Author's note】: I am really just a beginner who enjoys studying how software is protected, nothing more. Please point out any mistakes!
--------------------------------------------------------------------------------
【Details】
What follows are my analysis notes. First check the packer with PEiD: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo. Good news: unpackers for this old packer have existed for ages, but for practice I unpacked it by hand, which is faster than hunting for a tool when it goes smoothly. Load the main program in OD:
007E07A0 >60 pushad
007E07A1 BE 00A06A00 mov esi, 006AA000
007E07A6 8DBE 0070D5FF lea edi, dword ptr
007E07AC 57 push edi
007E07AD 83CD FF or ebp, FFFFFFFF
007E07B0 EB 10 jmp short 007E07C2
007E07B2 90 nop
007E07B3 90 nop
007E07B4 90 nop
007E07B5 90 nop
007E07B6 90 nop
007E07B7 90 nop
007E07B8 8A06 mov al, byte ptr
007E07BA 46 inc esi
007E07BB 8807 mov byte ptr , al
007E07BD 47 inc edi
007E07BE 01DB add ebx, ebx
007E07C0 75 07 jnz short 007E07C9
007E07C2 8B1E mov ebx, dword ptr
The typical signature. Since there is a pushad there must be a popad: right-click, Search for -> Command, enter popad, and it lands here:
007E08E6 57 push edi
007E08E7 48 dec eax
007E08E8 F2:AE repne scas byte ptr es:
007E08EA 55 push ebp
007E08EB FF96 046D3F00 call dword ptr
007E08F1 09C0 or eax, eax
007E08F3 74 07 je short 007E08FC
007E08F5 8903 mov dword ptr , eax
007E08F7 83C3 04 add ebx, 4
007E08FA^ EB E1 jmp short 007E08DD
007E08FC FF96 086D3F00 call dword ptr
007E0902 61 popad ; found it, set a breakpoint here
007E0903- E9 408EEBFF jmp 00699748
007E0908 2009 and byte ptr , cl
007E090A 7E 00 jle short 007E090C
007E090C 3009 xor byte ptr , cl
007E090E 7E 00 jle short 007E0910
007E0910 AC lods byte ptr
007E0911 A0 69000000 mov al, byte ptr
That obvious jump, `- E9 408EEBFF jmp 00699748`, heads straight for the OEP; no need to say more, that is the OEP. To be safe, search again for another popad: none, this is the only one. Set a breakpoint (F2) at 007E0902, run with F4 or F9 until it breaks, remove the breakpoint, press F8, and we arrive at the OEP:
00699748 55 push ebp ; right-click here and dump the process
00699749 8BEC mov ebp, esp
0069974B B9 07000000 mov ecx, 7
00699750 6A 00 push 0
00699752 6A 00 push 0
00699754 49 dec ecx
00699755^ 75 F9 jnz short 00699750
00699757 53 push ebx
00699758 56 push esi
00699759 57 push edi
0069975A B8 B08E6900 mov eax, 00698EB0
0069975F E8 E8DED6FF call 0040764C
00699764 33C0 xor eax, eax
00699766 55 push ebp
00699767 68 FF9A6900 push 00699AFF
Run the dumped program: it works, but clicking System Registration throws an error and no machine code appears. It looks like overlay data is needed; I spent a long time on it but could not find the cause or repair it.
Fine, I surrender and try someone else's unpacking tool: it runs normally, click Register, and the machine code appears. Embarrassing. PEiD on the unpacked file reports no packer, written in Borland Delphi 6.0 - 7.0. Load the unpacked program in OD:
00699748 > $55 push ebp
00699749 .8BEC mov ebp, esp
0069974B .B9 07000000 mov ecx, 7
00699750 >6A 00 push 0
00699752 .6A 00 push 0
00699754 .49 dec ecx
00699755 .^ 75 F9 jnz short 00699750
00699757 .53 push ebx
00699758 .56 push esi
00699759 .57 push edi
0069975A .B8 B08E6900 mov eax, 00698EB0
0069975F .E8 E8DED6FF call 0040764C
00699764 .33C0 xor eax, eax
00699766 .55 push ebp
Right-click and search for the failure string "注册码不正确" ("Incorrect registration code"); there is only one hit. Double-click to land in the main module, trace upward to the routine entry shown below, and set a breakpoint (F2):
006030AC .55 push ebp
006030AD .8BEC mov ebp, esp
006030AF .B9 46000000 mov ecx, 46
006030B4 >6A 00 push 0
006030B6 .6A 00 push 0
006030B8 .49 dec ecx
006030B9 .^ 75 F9 jnz short 006030B4
006030BB .51 push ecx
006030BC .53 push ebx
006030BD .8945 FC mov dword ptr , eax
006030C0 .33C0 xor eax, eax
006030C2 .55 push ebp
006030C3 .68 96356000 push 00603596
006030C8 .64:FF30 push dword ptr fs:
006030CB .64:8920 mov dword ptr fs:, esp
006030CE .8D95 1CFEFFFF lea edx, dword ptr
006030D4 .8B45 FC mov eax, dword ptr
006030D7 .8B80 0C030000 mov eax, dword ptr
006030DD .E8 FE6AEBFF call 004B9BE0
006030E2 .8B85 1CFEFFFF mov eax, dword ptr
006030E8 .8D95 20FEFFFF lea edx, dword ptr
006030EE .E8 B16CE0FF call 00409DA4
006030F3 .83BD 20FEFFFF>cmp dword ptr , 0
006030FA .75 1D jnz short 00603119
006030FC .6A 40 push 40
006030FE .B9 A8356000 mov ecx, 006035A8 ; "Notice"
00603103 .BA B0356000 mov edx, 006035B0 ; "User code cannot be empty!"
00603108 .A1 5CCB6A00 mov eax, dword ptr
0060310D .8B00 mov eax, dword ptr
0060310F .E8 106DEAFF call 004A9E24
00603114 .E9 9E030000 jmp 006034B7
00603119 >8D95 14FEFFFF lea edx, dword ptr
0060311F .8B45 FC mov eax, dword ptr
00603122 .8B80 08030000 mov eax, dword ptr
00603128 .E8 B36AEBFF call 004B9BE0
0060312D .8B85 14FEFFFF mov eax, dword ptr
00603133 .8D95 18FEFFFF lea edx, dword ptr
00603139 .E8 666CE0FF call 00409DA4
0060313E .83BD 18FEFFFF>cmp dword ptr , 0
00603145 .75 1D jnz short 00603164
00603147 .6A 40 push 40
00603149 .B9 A8356000 mov ecx, 006035A8 ; "Notice"
0060314E .BA C4356000 mov edx, 006035C4 ; "Registration code cannot be empty!"
00603153 .A1 5CCB6A00 mov eax, dword ptr
00603158 .8B00 mov eax, dword ptr
0060315A .E8 C56CEAFF call 004A9E24
0060315F .E9 53030000 jmp 006034B7
00603164 >8D95 0CFEFFFF lea edx, dword ptr
0060316A .8B45 FC mov eax, dword ptr
0060316D .8B80 0C030000 mov eax, dword ptr
00603173 .E8 686AEBFF call 004B9BE0
00603178 .8B85 0CFEFFFF mov eax, dword ptr
0060317E .8D95 10FEFFFF lea edx, dword ptr
00603184 .E8 1B6CE0FF call 00409DA4
00603189 .8B85 10FEFFFF mov eax, dword ptr
0060318F .8D4D F0 lea ecx, dword ptr
00603192 .BA E0356000 mov edx, 006035E0 ;ofdssdesds
00603197 .E8 6430F2FF call 00526200
0060319C .8D95 00FEFFFF lea edx, dword ptr
006031A2 .8B45 FC mov eax, dword ptr
006031A5 .8B80 08030000 mov eax, dword ptr
006031AB .E8 306AEBFF call 004B9BE0
006031B0 .8B85 00FEFFFF mov eax, dword ptr
006031B6 .8D95 04FEFFFF lea edx, dword ptr
006031BC .E8 E36BE0FF call 00409DA4
006031C1 .8B85 04FEFFFF mov eax, dword ptr
006031C7 .8D8D 08FEFFFF lea ecx, dword ptr
006031CD .BA E0356000 mov edx, 006035E0 ;ofdssdesds
006031D2 .E8 3D32F2FF call 00526414
006031D7 .8B95 08FEFFFF mov edx, dword ptr
006031DD .8B45 F0 mov eax, dword ptr
006031E0 .E8 D320E0FF call 004052B8
006031E5 .74 3E je short 00603225
006031E7 .6A 40 push 40
006031E9 .B9 A8356000 mov ecx, 006035A8 ; "Notice"
006031EE .BA EC356000 mov edx, 006035EC ; "Incorrect registration code!"  double-clicking the string lands here
006031F3 .A1 5CCB6A00 mov eax, dword ptr
006031F8 .8B00 mov eax, dword ptr
006031FA .E8 256CEAFF call 004A9E24
006031FF .8B45 FC mov eax, dword ptr
00603202 .8B80 08030000 mov eax, dword ptr
00603208 .33D2 xor edx, edx
0060320A .E8 E569EBFF call 004B9BF4
0060320F .8B45 FC mov eax, dword ptr
00603212 .8B80 08030000 mov eax, dword ptr
00603218 .8B10 mov edx, dword ptr
0060321A .FF92 C4000000 call dword ptr
00603220 .E9 92020000 jmp 006034B7
00603225 >8D95 F4FDFFFF lea edx, dword ptr
0060322B .8B45 FC mov eax, dword ptr
0060322E .8B80 08030000 mov eax, dword ptr
00603234 .E8 A769EBFF call 004B9BE0
00603239 .8B85 F4FDFFFF mov eax, dword ptr
Whoa! Press F9 and the machine shuts down on the spot. So there is anti-debugging code as well. Luckily this kind of shutdown code is easy to find: whether it runs a DOS shutdown command or calls some shutdown API, there should be a "shutdown" string somewhere.
Reboot, reload, right-click -> Search for -> All referenced text strings, then in the strings window right-click -> Search for text "shutdown". Found; search for the next occurrence: none, there is only this one.
Ultra String Reference, item 2819
Address=00602882
Disassembly=push 006028EC
Text String=seshutdownprivilege
So this is where the shutdown privilege is enabled on the process token! Double-click to land in the program's code, here:
0060286C/$83C4 C0 add esp, -40 ; click this line: the info pane below shows "Local call from 00602AB2", right-click it and
0060286F|.E8 CC51E0FF call <jmp.&KERNEL32.GetCurrentProcess>; [GetCurrentProcess
00602874|.54 push esp ; /phToken
00602875|.6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
00602877|.50 push eax ; |hProcess
00602878|.E8 9B50E0FF call <jmp.&advapi32.OpenProcessToken> ; \OpenProcessToken
0060287D|.8D4424 08 lea eax, dword ptr
00602881|.50 push eax ; /pLocalId
00602882|.68 EC286000 push 006028EC ; |seshutdownprivilege
00602887|.68 00296000 push 00602900 ; |SystemName = ""
0060288C|.E8 7F50E0FF call <jmp.&advapi32.LookupPrivilegeVa>; \LookupPrivilegeValueA
00602891|.8B4424 08 mov eax, dword ptr
00602895|.894424 34 mov dword ptr , eax
00602899|.8B4424 0C mov eax, dword ptr
follow it to get here:
00602A8F|> \8D95 C8FEFFFF |lea edx, dword ptr
00602A95|.8BC6 |mov eax, esi
00602A97|.E8 88FBFFFF |call 00602624
00602A9C|.83F8 01 |cmp eax, 1
00602A9F|.1BDB |sbb ebx, ebx
00602AA1|.43 |inc ebx
00602AA2|>84DB test bl, bl
00602AA4|.^ 0F85 FBFEFFFF \jnz 006029A5
00602AAA|.8B45 F4 mov eax, dword ptr
00602AAD|.3B45 F8 cmp eax, dword ptr
00602AB0|.74 19 je short 00602ACB
00602AB2|.E8 B5FDFFFF call 0060286C
00602AB7|.6A 00 push 0 ; /ExitCode = 0
00602AB9|.8B45 FC mov eax, dword ptr ; |
00602ABC|.50 push eax ; |hProcess
00602ABD|.E8 5651E0FF call <jmp.&KERNEL32.TerminateProcess> ; \TerminateProcess  kills the detected process
00602AC2|.6A 00 push 0 ; /Reserved = 0
00602AC4|.6A 08 push 8 ; |Options = EWX_POWEROFF  power off
00602AC6|.E8 5557E0FF call <jmp.&user32.ExitWindowsEx> ; \ExitWindowsEx  shut down the system
00602ACB|>33C0 xor eax, eax
00602ACD|.5A pop edx
Very clear now: this is where the shutdown happens.
00602AB0|. /74 19 je short 00602ACB ; change the je to a jmp, save, reload and run: back to normal
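An added example, not from the original post: rather than flipping the byte in OD at a fixed address, the script below finds the branch in the unpacked file by its byte signature and rewrites it, and refuses to patch unless the signature occurs exactly once (the same uniqueness check the author made when searching for the popad and the "shutdown" string). The signature is the instruction bytes from the listing above, 00602AB0 through 00602ABC; the sample buffer is constructed here as a stand-in for the dumped executable, and the script itself is hypothetical, not a tool the post used.

```python
# Added example, not part of the original post. Patch the je at 00602AB0 to a
# jmp by byte signature so it works on the unpacked file wherever that code
# lands, instead of by raw file offset.
from typing import List

# Bytes of the listing from 00602AB0 to 00602ABC:
#   74 19            je short 00602ACB
#   E8 B5 FD FF FF   call 0060286C
#   6A 00            push 0
#   8B 45 FC         mov eax, dword ptr [ebp-4]
#   50               push eax
SIGNATURE = bytes.fromhex("7419E8B5FDFFFF6A008B45FC50")
JE_SHORT, JMP_SHORT = 0x74, 0xEB   # same 8-bit displacement, only the opcode changes


def find_signature(data: bytes, sig: bytes = SIGNATURE) -> List[int]:
    """Return every offset at which sig occurs in data."""
    hits, start = [], 0
    while True:
        pos = data.find(sig, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def patch_shutdown_branch(data: bytes) -> bytes:
    """Rewrite 'je short 00602ACB' as 'jmp short 00602ACB'.

    Refuses to patch unless the signature is found exactly once: zero hits means
    this is not the unpacked build the listing came from, more than one means
    the signature is not specific enough to trust.
    """
    hits = find_signature(data)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    off = hits[0]
    patched = bytearray(data)
    patched[off] = JMP_SHORT          # 74 19 -> EB 19
    return bytes(patched)


def make_sample() -> bytes:
    """Constructed stand-in for the dumped exe: filler around the signature."""
    return b"\x90" * 16 + SIGNATURE + b"\xCC" * 16


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python patch.py dump.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(patch_shutdown_branch(data))
    else:
        data = make_sample()
        patch_shutdown_branch(data)
    print("patched je at offset", find_signature(data)[0])
```

Run it on a copy of the unpacked file. Only the opcode changes (74 to EB); the displacement 19 stays, so the target is still 00602ACB and nothing else in the function moves. The comparison at 00602AAD still executes; the branch simply never falls through to the TerminateProcess / ExitWindowsEx path.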
Back to the step just before the shutdown: F9 to run, fine. Click System Registration, enter the arbitrary fake code 8765432187654321, and the registration routine breaks here. Single-step with F8:
006030AC .55 push ebp ; clicking Register breaks here
006030AD .8BEC mov ebp, esp ; routine entry
006030AF .B9 46000000 mov ecx, 46
006030B4 >6A 00 push 0
006030B6 .6A 00 push 0
006030B8 .49 dec ecx
006030B9 .^ 75 F9 jnz short 006030B4
006030BB .51 push ecx
006030BC .53 push ebx
006030BD .8945 FC mov dword ptr , eax
006030C0 .33C0 xor eax, eax
006030C2 .55 push ebp
006030C3 .68 96356000 push 00603596
006030C8 .64:FF30 push dword ptr fs:
006030CB .64:8920 mov dword ptr fs:, esp
006030CE .8D95 1CFEFFFF lea edx, dword ptr
006030D4 .8B45 FC mov eax, dword ptr
006030D7 .8B80 0C030000 mov eax, dword ptr
006030DD .E8 FE6AEBFF call 004B9BE0 ; note: F8 over several of the CALLs below just runs away (perhaps the so-called "emulated code"), so use F4 or F9 instead
006030E2 .8B85 1CFEFFFF mov eax, dword ptr ; to see what a CALL does, set a breakpoint (F2) here and break with F4 or F9
006030E8 .8D95 20FEFFFF lea edx, dword ptr ; fetch the machine code (user code)
006030EE .E8 B16CE0FF call 00409DA4 ; strip spaces from the string
006030F3 .83BD 20FEFFFF>cmp dword ptr , 0 ; is the machine code empty?
006030FA .75 1D jnz short 00603119
006030FA .75 1D jnz short 00603119
006030FC .6A 40 push 40
006030FE .B9 A8356000 mov ecx, 006035A8 ;提示
00603103 .BA B0356000 mov edx, 006035B0 ;用户码不能为空!
00603108 .A1 5CCB6A00 mov eax, dword ptr
0060310D .8B00 mov eax, dword ptr
0060310F .E8 106DEAFF call 004A9E24
00603114 .E9 9E030000 jmp 006034B7
00603119 >8D95 14FEFFFF lea edx, dword ptr
0060311F .8B45 FC mov eax, dword ptr
00603122 .8B80 08030000 mov eax, dword ptr
00603128 .E8 B36AEBFF call 004B9BE0 ; as above, skip over with F4 or F9
0060312D .8B85 14FEFFFF mov eax, dword ptr
00603133 .8D95 18FEFFFF lea edx, dword ptr ; fetch the registration code (the fake one)
00603139 .E8 666CE0FF call 00409DA4 ; as above
0060313E .83BD 18FEFFFF>cmp dword ptr , 0 ; is the registration code empty?
00603145 .75 1D jnz short 00603164
00603147 .6A 40 push 40
00603149 .B9 A8356000 mov ecx, 006035A8 ;提示
0060314E .BA C4356000 mov edx, 006035C4 ;注册码不能为空!
00603153 .A1 5CCB6A00 mov eax, dword ptr
00603158 .8B00 mov eax, dword ptr
0060315A .E8 C56CEAFF call 004A9E24
0060315F .E9 53030000 jmp 006034B7
00603164 >8D95 0CFEFFFF lea edx, dword ptr
0060316A .8B45 FC mov eax, dword ptr
0060316D .8B80 0C030000 mov eax, dword ptr
00603173 .E8 686AEBFF call 004B9BE0 ; fetch the machine code
00603178 .8B85 0CFEFFFF mov eax, dword ptr
0060317E .8D95 10FEFFFF lea edx, dword ptr ; machine code into a register
00603184 .E8 1B6CE0FF call 00409DA4 ; strip spaces from the string
00603189 .8B85 10FEFFFF mov eax, dword ptr
0060318F .8D4D F0 lea ecx, dword ptr
00603192 .BA E0356000 mov edx, 006035E0 ; fixed string at 006035E0 ("ofdssdesds", see above) into EDX for the calculation
00603197 .E8 6430F2FF call 00526200 ; first algorithm CALL, F7 to step in
0060319C .8D95 00FEFFFF lea edx, dword ptr
006031A2 .8B45 FC mov eax, dword ptr
006031A5 .8B80 08030000 mov eax, dword ptr
006031AB .E8 306AEBFF call 004B9BE0 ; fetch the fake code
006031B0 .8B85 00FEFFFF mov eax, dword ptr
006031B6 .8D95 04FEFFFF lea edx, dword ptr
006031BC .E8 E36BE0FF call 00409DA4 ; strip spaces
006031C1 .8B85 04FEFFFF mov eax, dword ptr
006031C7 .8D8D 08FEFFFF lea ecx, dword ptr
006031CD .BA E0356000 mov edx, 006035E0 ; fixed string at 006035E0 ("ofdssdesds") into EDX for the calculation
006031D2 .E8 3D32F2FF call 00526414 ; second algorithm CALL, F7 to step in
006031D7 .8B95 08FEFFFF mov edx, dword ptr ; XOR result of the fake code, decoded from hex pairs back into characters
006031DD .8B45 F0 mov eax, dword ptr ; XOR result of the machine code (as hex pairs)
006031E0 .E8 D320E0FF call 004052B8 ; key CALL: the two results are compared here
006031E5 .74 3E je short 00603225 ; key jump: if it is not taken, it is game over
006031E7 .6A 40 push 40
006031E9 .B9 A8356000 mov ecx, 006035A8 ; "Notice"
006031EE .BA EC356000 mov edx, 006035EC ; "Incorrect registration code!"
006031F3 .A1 5CCB6A00 mov eax, dword ptr
Following the first algorithm CALL:
00526200/$55 push ebp ; routine entry
00526201|.8BEC mov ebp, esp
00526203|.51 push ecx
00526204|.B9 07000000 mov ecx, 7
00526209|>6A 00 /push 0
0052620B|.6A 00 |push 0
0052620D|.49 |dec ecx
0052620E|.^ 75 F9 \jnz short 00526209
00526210|.874D FC xchg dword ptr , ecx
00526213|.53 push ebx
00526214|.56 push esi
00526215|.57 push edi
00526216|.894D F8 mov dword ptr , ecx
00526219|.8955 FC mov dword ptr , edx
0052621C|.8BD8 mov ebx, eax
0052621E|.8B45 FC mov eax, dword ptr ; the fixed string
00526221|.E8 36F1EDFF call 0040535C
00526226|.33C0 xor eax, eax ; clear EAX
00526228|.55 push ebp
00526229|.68 02645200 push 00526402
0052622E|.64:FF30 push dword ptr fs:
00526231|.64:8920 mov dword ptr fs:, esp
00526234|.8D55 F4 lea edx, dword ptr
00526237|.8BC3 mov eax, ebx ; machine code
00526239|.E8 C2FDFFFF call 00526000 ; machine code -> string of hex ASCII codes
0052623E|.8D55 F0 lea edx, dword ptr
00526241|.8B45 FC mov eax, dword ptr ; the "OFDSSDESDS" string
00526244|.E8 B7FDFFFF call 00526000 ; fixed string -> string of hex ASCII codes
00526249|.8D45 EC lea eax, dword ptr
0052624C|.8B55 F4 mov edx, dword ptr
0052624F|.E8 F0ECEDFF call 00404F44 ; copy the hexed machine code into the working string
00526254|.8B45 F0 mov eax, dword ptr
00526257|.E8 10EFEDFF call 0040516C
0052625C|.D1F8 sar eax, 1
0052625E|.79 03 jns short 00526263
00526260|.83D0 00 adc eax, 0
00526263|>85C0 test eax, eax
00526265|.0F8E 54010000 jle 005263BF
0052626B|.8945 E0 mov dword ptr , eax
0052626E|.BE 01000000 mov esi, 1
00526273|>83FE 01 /cmp esi, 1 ; outer loop, one pass per character of the fixed string
00526276|.74 0B |je short 00526283
00526278|.8D45 EC |lea eax, dword ptr
0052627B|.8B55 E8 |mov edx, dword ptr
0052627E|.E8 C1ECEDFF |call 00404F44
00526283|>8D45 E8 |lea eax, dword ptr
00526286|.E8 21ECEDFF |call 00404EAC
0052628B|.8B45 EC |mov eax, dword ptr ; working string (hex codes of the machine code)
0052628E|.E8 D9EEEDFF |call 0040516C
00526293|.8BF8 |mov edi, eax
00526295|.D1FF |sar edi, 1
00526297|.79 03 |jns short 0052629C
00526299|.83D7 00 |adc edi, 0
0052629C|>85FF |test edi, edi
0052629E|.0F8E 11010000 |jle 005263B5
005262A4|.BB 01000000 |mov ebx, 1
005262A9|>BA 10645200 |/mov edx, 00526410
005262AE|.8D45 D8 ||lea eax, dword ptr
005262B1|.E8 1ED2EDFF ||call 004034D4
005262B6|.8D45 D4 ||lea eax, dword ptr
005262B9|.8BD3 ||mov edx, ebx
005262BB|.03D2 ||add edx, edx
005262BD|.8B4D EC ||mov ecx, dword ptr
005262C0|.8A5411 FE ||mov dl, byte ptr ; first digit of hex pair ebx of the working string (which I call "A" below)
005262C4|.8850 01 ||mov byte ptr , dl ; store it
005262C7|.C600 01 ||mov byte ptr , 1
005262CA|.8D55 D4 ||lea edx, dword ptr
005262CD|.8D45 D8 ||lea eax, dword ptr
005262D0|.B1 02 ||mov cl, 2
005262D2|.E8 CDD1EDFF ||call 004034A4 ; build the two-character string
005262D7|.8D55 D8 ||lea edx, dword ptr
005262DA|.8D45 D0 ||lea eax, dword ptr
005262DD|.E8 F2D1EDFF ||call 004034D4
005262E2|.8D45 D4 ||lea eax, dword ptr
005262E5|.8BD3 ||mov edx, ebx
005262E7|.03D2 ||add edx, edx
005262E9|.8B4D EC ||mov ecx, dword ptr
005262EC|.8A5411 FF ||mov dl, byte ptr ; second digit of the pair from A
005262F0|.8850 01 ||mov byte ptr , dl
005262F3|.C600 01 ||mov byte ptr , 1
005262F6|.8D55 D4 ||lea edx, dword ptr
005262F9|.8D45 D0 ||lea eax, dword ptr
005262FC|.B1 03 ||mov cl, 3
005262FE|.E8 A1D1EDFF ||call 004034A4 ; store it
00526303|.8D55 D0 ||lea edx, dword ptr
00526306|.8D45 DC ||lea eax, dword ptr
00526309|.E8 02EEEDFF ||call 00405110
0052630E|.8B45 DC ||mov eax, dword ptr
00526311|.E8 4E40EEFF ||call 0040A364
00526316|.8845 E7 ||mov byte ptr , al
00526319|.BA 10645200 ||mov edx, 00526410
0052631E|.8D45 D8 ||lea eax, dword ptr
00526321|.E8 AED1EDFF ||call 004034D4
00526326|.8D45 D4 ||lea eax, dword ptr
00526329|.8BD6 ||mov edx, esi
0052632B|.03D2 ||add edx, edx
0052632D|.8B4D F0 ||mov ecx, dword ptr
00526330|.8A5411 FE ||mov dl, byte ptr ; hex codes of the fixed string (which I call "B"), first digit of pair esi
00526334|.8850 01 ||mov byte ptr , dl
00526337|.C600 01 ||mov byte ptr , 1
0052633A|.8D55 D4 ||lea edx, dword ptr
0052633D|.8D45 D8 ||lea eax, dword ptr
00526340|.B1 02 ||mov cl, 2
00526342|.E8 5DD1EDFF ||call 004034A4 ; as above
00526347|.8D55 D8 ||lea edx, dword ptr
0052634A|.8D45 D0 ||lea eax, dword ptr
0052634D|.E8 82D1EDFF ||call 004034D4
00526352|.8D45 D4 ||lea eax, dword ptr
00526355|.8BD6 ||mov edx, esi
00526357|.03D2 ||add edx, edx
00526359|.8B4D F0 ||mov ecx, dword ptr
0052635C|.8A5411 FF ||mov dl, byte ptr ; second digit of the pair from B
00526360|.8850 01 ||mov byte ptr , dl
00526363|.C600 01 ||mov byte ptr , 1
00526366|.8D55 D4 ||lea edx, dword ptr
00526369|.8D45 D0 ||lea eax, dword ptr
0052636C|.B1 03 ||mov cl, 3
0052636E|.E8 31D1EDFF ||call 004034A4 ; as above
00526373|.8D55 D0 ||lea edx, dword ptr
00526376|.8D45 CC ||lea eax, dword ptr
00526379|.E8 92EDEDFF ||call 00405110
0052637E|.8B45 CC ||mov eax, dword ptr
00526381|.E8 DE3FEEFF ||call 0040A364
00526386|.3245 E7 ||xor al, byte ptr ; XOR the two byte values
00526389|.8845 E6 ||mov byte ptr , al ; save the result byte
0052638C|.8D45 C4 ||lea eax, dword ptr
0052638F|.8A55 E6 ||mov dl, byte ptr
00526392|.E8 FDECEDFF ||call 00405094
00526397|.8B45 C4 ||mov eax, dword ptr
0052639A|.8D55 C8 ||lea edx, dword ptr
0052639D|.E8 5EFCFFFF ||call 00526000
005263A2|.8B55 C8 ||mov edx, dword ptr ; result byte as two hex digits into EDX
005263A5|.8D45 E8 ||lea eax, dword ptr
005263A8|.E8 C7EDEDFF ||call 00405174 ; append to the output string
005263AD|.43 ||inc ebx
005263AE|.4F ||dec edi ; inner counter - 1
005263AF|.^ 0F85 F4FEFFFF |\jnz 005262A9 ; inner loop
005263B5|>46 |inc esi ; inner loop done, next character of the fixed string
005263B6|.FF4D E0 |dec dword ptr ; outer counter - 1
005263B9|.^ 0F85 B4FEFFFF \jnz 00526273
005263BF|>8B45 F8 mov eax, dword ptr
005263C2|.8B55 E8 mov edx, dword ptr ; final XOR result, returned for the comparison
005263C5|.E8 36EBEDFF call 00404F00
005263CA|.33C0 xor eax, eax
005263CC|.5A pop edx
005263CD|.59 pop ecx
005263CE|.59 pop ecx
005263CF|.64:8910 mov dword ptr fs:, edx
005263D2|.68 09645200 push 00526409
005263D7|>8D45 C4 lea eax, dword ptr
005263DA|.BA 03000000 mov edx, 3
005263DF|.E8 ECEAEDFF call 00404ED0
005263E4|.8D45 DC lea eax, dword ptr
005263E7|.E8 C0EAEDFF call 00404EAC
005263EC|.8D45 E8 lea eax, dword ptr
005263EF|.BA 04000000 mov edx, 4
005263F4|.E8 D7EAEDFF call 00404ED0
005263F9|.8D45 FC lea eax, dword ptr
005263FC|.E8 ABEAEDFF call 00404EAC
00526401\.C3 retn
The second algorithm CALL:
00526414/$55 push ebp ; routine entry
00526415|.8BEC mov ebp, esp
00526417|.51 push ecx
00526418|.B9 06000000 mov ecx, 6
0052641D|>6A 00 /push 0
0052641F|.6A 00 |push 0
00526421|.49 |dec ecx
00526422|.^ 75 F9 \jnz short 0052641D
00526424|.51 push ecx
00526425|.874D FC xchg dword ptr , ecx
00526428|.53 push ebx
00526429|.56 push esi
0052642A|.57 push edi
0052642B|.894D F8 mov dword ptr , ecx
0052642E|.8955 FC mov dword ptr , edx
00526431|.8BD8 mov ebx, eax
00526433|.8B45 FC mov eax, dword ptr
00526436|.E8 21EFEDFF call 0040535C ; same structure as the first routine; abbreviated below
0052643B|.33C0 xor eax, eax
0052643D|.55 push ebp
0052643E|.68 45665200 push 00526645
00526443|.64:FF30 push dword ptr fs:
00526446|.64:8920 mov dword ptr fs:, esp
00526449|.8D45 F4 lea eax, dword ptr
0052644C|.8BD3 mov edx, ebx
0052644E|.E8 F1EAEDFF call 00404F44
00526453|.8B45 F4 mov eax, dword ptr
00526456|.E8 11EDEDFF call 0040516C
0052645B|.25 01000080 and eax, 80000001
00526460|.79 05 jns short 00526467
00526462|.48 dec eax
00526463|.83C8 FE or eax, FFFFFFFE
00526466|.40 inc eax
00526467|>48 dec eax
00526468|.0F84 9F010000 je 0052660D
0052646E|.8D55 F0 lea edx, dword ptr
00526471|.8B45 FC mov eax, dword ptr
00526474|.E8 87FBFFFF call 00526000
00526479|.8D45 E8 lea eax, dword ptr
0052647C|.8B55 F4 mov edx, dword ptr
0052647F|.E8 C0EAEDFF call 00404F44
00526484|.8D45 EC lea eax, dword ptr
00526487|.8B55 F4 mov edx, dword ptr
0052648A|.E8 B5EAEDFF call 00404F44
0052648F|.8B45 F0 mov eax, dword ptr
00526492|.E8 D5ECEDFF call 0040516C
00526497|.8BF0 mov esi, eax
00526499|.D1FE sar esi, 1
0052649B|.79 03 jns short 005264A0
0052649D|.83D6 00 adc esi, 0
005264A0|>83FE 01 cmp esi, 1
005264A3|.0F8C 59010000 jl 00526602
005264A9|>8B45 F0 /mov eax, dword ptr
005264AC|.E8 BBECEDFF |call 0040516C
005264B1|.D1F8 |sar eax, 1
005264B3|.79 03 |jns short 005264B8
005264B5|.83D0 00 |adc eax, 0
005264B8|>3BF0 |cmp esi, eax
005264BA|.74 0B |je short 005264C7
005264BC|.8D45 EC |lea eax, dword ptr
005264BF|.8B55 E8 |mov edx, dword ptr
005264C2|.E8 7DEAEDFF |call 00404F44
005264C7|>8D45 E8 |lea eax, dword ptr
005264CA|.E8 DDE9EDFF |call 00404EAC
005264CF|.8B45 EC |mov eax, dword ptr
005264D2|.E8 95ECEDFF |call 0040516C
005264D7|.8BF8 |mov edi, eax
005264D9|.D1FF |sar edi, 1
005264DB|.79 03 |jns short 005264E0
005264DD|.83D7 00 |adc edi, 0
005264E0|>85FF |test edi, edi
005264E2|.0F8E 11010000 |jle 005265F9
005264E8|.BB 01000000 |mov ebx, 1
005264ED|>BA 54665200 |/mov edx, 00526654
005264F2|.8D45 DC ||lea eax, dword ptr
005264F5|.E8 DACFEDFF ||call 004034D4
005264FA|.8D45 D8 ||lea eax, dword ptr
005264FD|.8BD3 ||mov edx, ebx
005264FF|.03D2 ||add edx, edx
00526501|.8B4D EC ||mov ecx, dword ptr
00526504|.8A5411 FE ||mov dl, byte ptr ; first digit of pair ebx of the fake code; note this time the input is used as hex pairs directly, not hexed first
00526508|.8850 01 ||mov byte ptr , dl
0052650B|.C600 01 ||mov byte ptr , 1
0052650E|.8D55 D8 ||lea edx, dword ptr
00526511|.8D45 DC ||lea eax, dword ptr
00526514|.B1 02 ||mov cl, 2
00526516|.E8 89CFEDFF ||call 004034A4 ; same steps as the first routine; abbreviated below
0052651B|.8D55 DC ||lea edx, dword ptr
0052651E|.8D45 D4 ||lea eax, dword ptr
00526521|.E8 AECFEDFF ||call 004034D4
00526526|.8D45 D8 ||lea eax, dword ptr
00526529|.8BD3 ||mov edx, ebx
0052652B|.03D2 ||add edx, edx
0052652D|.8B4D EC ||mov ecx, dword ptr
00526530|.8A5411 FF ||mov dl, byte ptr ; second digit of the fake code's pair
00526534|.8850 01 ||mov byte ptr , dl
00526537|.C600 01 ||mov byte ptr , 1
0052653A|.8D55 D8 ||lea edx, dword ptr
0052653D|.8D45 D4 ||lea eax, dword ptr
00526540|.B1 03 ||mov cl, 3
00526542|.E8 5DCFEDFF ||call 004034A4
00526547|.8D55 D4 ||lea edx, dword ptr
0052654A|.8D45 E0 ||lea eax, dword ptr
0052654D|.E8 BEEBEDFF ||call 00405110
00526552|.8B45 E0 ||mov eax, dword ptr
00526555|.E8 0A3EEEFF ||call 0040A364
0052655A|.8845 E7 ||mov byte ptr , al
0052655D|.BA 54665200 ||mov edx, 00526654
00526562|.8D45 DC ||lea eax, dword ptr
00526565|.E8 6ACFEDFF ||call 004034D4
0052656A|.8D45 D8 ||lea eax, dword ptr
0052656D|.8BD6 ||mov edx, esi
0052656F|.03D2 ||add edx, edx
00526571|.8B4D F0 ||mov ecx, dword ptr
00526574|.8A5411 FE ||mov dl, byte ptr ; unlike the first routine, B is walked from its last pair (esi counts down); first digit of that pair
00526578|.8850 01 ||mov byte ptr , dl
0052657B|.C600 01 ||mov byte ptr , 1
0052657E|.8D55 D8 ||lea edx, dword ptr
00526581|.8D45 DC ||lea eax, dword ptr
00526584|.B1 02 ||mov cl, 2
00526586|.E8 19CFEDFF ||call 004034A4
0052658B|.8D55 DC ||lea edx, dword ptr
0052658E|.8D45 D4 ||lea eax, dword ptr
00526591|.E8 3ECFEDFF ||call 004034D4
00526596|.8D45 D8 ||lea eax, dword ptr
00526599|.8BD6 ||mov edx, esi
0052659B|.03D2 ||add edx, edx
0052659D|.8B4D F0 ||mov ecx, dword ptr
005265A0|.8A5411 FF ||mov dl, byte ptr ; second digit of that pair from B
005265A4|.8850 01 ||mov byte ptr , dl
005265A7|.C600 01 ||mov byte ptr , 1
005265AA|.8D55 D8 ||lea edx, dword ptr
005265AD|.8D45 D4 ||lea eax, dword ptr
005265B0|.B1 03 ||mov cl, 3
005265B2|.E8 EDCEEDFF ||call 004034A4
005265B7|.8D55 D4 ||lea edx, dword ptr
005265BA|.8D45 D0 ||lea eax, dword ptr
005265BD|.E8 4EEBEDFF ||call 00405110
005265C2|.8B45 D0 ||mov eax, dword ptr
005265C5|.E8 9A3DEEFF ||call 0040A364
005265CA|.3245 E7 ||xor al, byte ptr ; XOR the two byte values
005265CD|.8845 E6 ||mov byte ptr , al
005265D0|.8D45 C8 ||lea eax, dword ptr
005265D3|.8A55 E6 ||mov dl, byte ptr
005265D6|.E8 B9EAEDFF ||call 00405094
005265DB|.8B45 C8 ||mov eax, dword ptr
005265DE|.8D55 CC ||lea edx, dword ptr
005265E1|.E8 1AFAFFFF ||call 00526000
005265E6|.8B55 CC ||mov edx, dword ptr
005265E9|.8D45 E8 ||lea eax, dword ptr
005265EC|.E8 83EBEDFF ||call 00405174
005265F1|.43 ||inc ebx
005265F2|.4F ||dec edi
005265F3|.^ 0F85 F4FEFFFF |\jnz 005264ED ; inner loop
005265F9|>4E |dec esi
005265FA|.85F6 |test esi, esi
005265FC|.^ 0F85 A7FEFFFF \jnz 005264A9 ; outer loop
00526602|>8B55 F8 mov edx, dword ptr
00526605|.8B45 E8 mov eax, dword ptr ; XOR result of the fake code (hex pairs) into EAX
00526608|.E8 8FFAFFFF call 0052609C ; decode the hex pairs back into characters; this is the string compared at 006031E0
0052660D|>33C0 xor eax, eax
0052660F|.5A pop edx
00526610|.59 pop ecx
00526611|.59 pop ecx
00526612|.64:8910 mov dword ptr fs:, edx
00526615|.68 4C665200 push 0052664C
0052661A|>8D45 C8 lea eax, dword ptr
0052661D|.BA 03000000 mov edx, 3
00526622|.E8 A9E8EDFF call 00404ED0 ; local string cleanup
00526627|.8D45 E0 lea eax, dword ptr
0052662A|.E8 7DE8EDFF call 00404EAC
0052662F|.8D45 E8 lea eax, dword ptr
00526632|.BA 04000000 mov edx, 4
00526637|.E8 94E8EDFF call 00404ED0
0052663C|.8D45 FC lea eax, dword ptr
0052663F|.E8 68E8EDFF call 00404EAC
00526644\.C3 retn
--------------------------------------------------------------------------------
【Summary】
This program uses a shutdown anti-debugging trick, and several of its CALLs behave like what I found described online as "emulated code" (it may well be that): F7 into them shows only virtual addresses, and F8 over the CALL runs away, so debugging is a little awkward, but taken step by step it is not too hard and the algorithm itself is not complicated. As for the packer: after manual unpacking everything else ran normally, only clicking Register showed no machine code; I could not find the cause and patching the data did not help either. Still much to learn.
The algorithm, in two stages:
Stage 1: convert the machine code to its ASCII codes as hex pairs. Then take the fixed string "OFDSSDESDS" one character at a time, starting from the first, and XOR every byte with that character's ASCII code; XOR the result with the next character's code, and so on until all ten have been applied. The result, kept as hex pairs, is C.
Stage 2: take the registration code itself as hex pairs and XOR it with the fixed string's ASCII codes in the same way but in the opposite order, starting from the last character; finally decode the resulting hex pairs back into characters. The result is D.
Registration succeeds when C = D, after which the software is fully functional.
Since XOR is commutative and associative, ten rounds with the characters of "OFDSSDESDS" in either order are the same as a single XOR with one byte, the XOR of all ten codes, which is 0x08; the reversed order in stage 2 changes nothing. The case of the string does not matter either (OD shows it as "ofdssdesds"): upper and lower case differ by 0x20 in each of ten characters, and ten XORs with 0x20 cancel out.
After successful registration a "备份.TXT" file is created in the install folder and the registration data is written in a certain format into CoTel.dll; delete that data and the program can be registered again. That is the algorithm, so here is a keygen in VB:
' VB6 keygen. Both stages reduce to XORing each byte with every character
' of the fixed string, so one helper does the work for both.
Private Const FIXED As String = "OFDSSDESDS"

' XOR every character of s with every character of key and return the
' result as two-digit uppercase hex pairs (the program's 00526000 always
' emits two digits, whereas bare Hex() drops a leading zero).
Private Function XorHex(ByVal s As String, ByVal key As String) As String
    Dim i As Integer, j As Integer, b As Long, out As String
    For i = 1 To Len(s)
        b = Asc(Mid(s, i, 1))
        If b < 0 Or b > 255 Then          ' non-ASCII character: not a valid machine code
            MsgBox "Invalid input!"
            Exit Function
        End If
        For j = 1 To Len(key)
            b = b Xor Asc(Mid(key, j, 1))
        Next j
        out = out & Right("0" & Hex(b), 2)
    Next i
    XorHex = out
End Function

Private Sub Command1_Click()
    Dim c As String, s As String
    c = Trim(Text1.Text)                  ' machine code shown by the program
    If c = "" Then Exit Sub
    s = XorHex(c, FIXED)                  ' stage 1: C = hex(machine code XOR key), as the program computes it
    If s = "" Then Exit Sub
    Text2.Text = XorHex(s, FIXED)         ' stage 2 inverted: hex(C XOR key) is the registration code
End Sub
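An added example, not the author's keygen above and not code from the program: a Python re-implementation of the two routines as read from the listing (alg1 for 00526200, alg2 for 00526414), the comparison at 006031E0 and the keygen that inverts it. It goes a little beyond the summary: it keeps the odd-length rejection at the top of the second routine, shows that the ten rounds collapse to a single XOR with 0x08, and handles non-hex input, which the program's own hex-pair conversion would choke on. The machine code "12345678" is constructed for the demo, and the fixed string is taken as the summary spells it.

```python
# Added example, not part of the original post and not the program's own code.
# Re-implementation of the routines at 00526200 (alg1) and 00526414 (alg2) as
# read from the listing, the comparison at 006031E0 (check) and the keygen.

FIXED = "OFDSSDESDS"   # string at 006035E0 as the summary gives it; OD shows it lowercase


def to_hex(raw: bytes) -> str:
    """Routine at 00526000: every byte becomes two uppercase hex digits."""
    return raw.hex().upper()


def from_hex(pairs: str) -> bytes:
    """Routine at 0052609C: hex pairs back to bytes (ValueError on odd length or non-hex)."""
    return bytes.fromhex(pairs)


def xor_rounds(pairs: str, key: bytes) -> str:
    """The nested loop both routines share: for each key byte, parse the working
    string as hex pairs, XOR every byte with that key byte, re-hex the result.
    Because XOR commutes, the order of the key bytes makes no difference."""
    work = pairs
    for k in key:
        work = to_hex(bytes(b ^ k for b in from_hex(work)))
    return work


def alg1(machine_code: str) -> str:
    """00526200: hex the machine code first, then run the rounds key byte first to last."""
    return xor_rounds(to_hex(machine_code.encode("latin-1")), FIXED.encode("ascii"))


def alg2(reg_code: str):
    """00526414: the registration code is consumed directly as hex pairs (an odd
    length returns the empty string, see the test at 0052645B), the rounds run
    key byte last to first, and the final hex string is decoded back to characters."""
    if len(reg_code) % 2:
        return ""
    try:
        return from_hex(xor_rounds(reg_code, FIXED.encode("ascii")[::-1])).decode("latin-1")
    except ValueError:
        return None   # non-hex input; the program's own conversion would raise here


def check(machine_code: str, reg_code: str) -> bool:
    """The compare at 006031E0; the je at 006031E5 is taken when the strings are equal."""
    return alg1(machine_code) == alg2(reg_code)


def effective_key() -> int:
    """XOR of all ten key bytes: what the ten rounds amount to for every byte."""
    k = 0
    for b in FIXED.encode("ascii"):
        k ^= b
    return k


def keygen(machine_code: str) -> str:
    """Invert alg2: check passes when unhex(reg) XOR key == alg1(mc), so
    reg = hex(alg1(mc) XOR key). This is what the VB keygen above computes."""
    k = effective_key()
    return to_hex(bytes(b ^ k for b in alg1(machine_code).encode("ascii")))


if __name__ == "__main__":
    mc = "12345678"   # constructed machine code for the demo
    code = keygen(mc)
    print(f"effective key byte: 0x{effective_key():02X}")
    print(f"machine code {mc} -> registration code {code}")
    print("check passes:", check(mc, code))
```

A quick sanity check on any output: the registration code is always four times the length of the machine code and consists only of hex digits, which is exactly what the second routine expects (even length, parseable pairs). With the effective key being 0x08, the whole scheme is one byte of XOR applied twice with a hex encoding in between; nothing about the machine code is hidden.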
Replies:

Very thorough and detailed analysis. I will come back and work through it when I have time; bookmarked for now.

A beginner here, learning. Pity my child already has a name, otherwise I would dig into this.

> 530530 posted on 2012-6-15 23:41:
> A flick of the wrist and the coins are mine.
Seems like I see you replying like this a lot?

> 530530 posted on 2012-6-15 23:44:
> No way, I only just saw someone else reply like that and thought it would be handy.
That is not allowed; it counts as malicious spamming. Keep padding posts like that and you will get reported. Once or twice is fine.

Thanks for the reminder.

Thanks, nicely analysed!

It would be so much better to just provide the download.

Sigh.

Well analysed; a beginner here, learning. I will try it out in a bit.