1st Security Center Pro 7.5.2.3的算法分析
没有什么太多需要说的,只是把分析时的一些摘录整理到这里而已。
1、用PEiD查壳,无壳
2、直接用OD载入,F9运行起来,然后输入试炼码,确认后会弹出提示框
3、在出现提示框后,先不点“确定”,按F12暂停程序,然后在“调用堆栈”窗口中找到对MessageBox的调用位置,跟随进去
4、往上看,很快看到关键的CALL了
5、下面的摘录就是对关键CALL的一些分析。先说结论:在这个CALL里,注册码长度必须为12~14位,且前三对两位数字之和要等于最后两位;用户名及其MD5值只是被保存起来,并没有参与这里的比较:
; ---------------------------------------------------------------------------
; sub_005CA06C -- serial-number check in 1st Security Center Pro 7.5.2.3
; OllyDbg listing: address / marker / opcode bytes / mnemonic / comment.
; In:  eax = entered serial, edx = user name (both are read before anything
;      else and spilled at 005CA07D/005CA080, so they arrive in registers)
; Out: eax = bl: 1 if the serial passed the checks below, else 0
;      (ebx is zeroed at 005CA0A1 and only set at 005CA1D2)
; NOTE(review): the HTML extraction stripped the bracketed memory operands --
;      "dword ptr ss:" is really "dword ptr ss:[ebp-xx]". The operand given in
;      the comment of each such line was recovered from the opcode bytes.
; Checks visible in this function:
;   1. 0xC <= Length(serial) <= 0xE                     (005CA0C8..005CA0ED)
;   2. int(serial[1..2]) + int(serial[3..4]) + int(serial[5..6])
;        == int(serial[Length-1..Length])               (005CA145..005CA1CD)
; The user name only feeds a value that is computed (005CA109..005CA138) and
; stored (005CA214..005CA223); nothing here compares it against the serial, so
; the pass/fail result does not depend on the user name in this function.
; Whether the stored values are re-verified elsewhere cannot be seen here.
; ---------------------------------------------------------------------------
005CA06C /$55 push ebp
005CA06D |.8BEC mov ebp,esp
005CA06F |.B9 08000000 mov ecx,8 ; 8 iterations x 2 pushes = 16 zeroed dwords
005CA074 |>6A 00 /push 0
005CA076 |.6A 00 |push 0
005CA078 |.49 |dec ecx
005CA079 |.^ 75 F9 \jnz short sc.005CA074 ; zero-initialise 64 bytes of locals ([ebp-40h]..[ebp-4])
005CA07B |.53 push ebx
005CA07C |.56 push esi
005CA07D |.8955 F8 mov dword ptr ss:,edx ; [ebp-8] = edx = user name
005CA080 |.8945 FC mov dword ptr ss:,eax ; [ebp-4] = eax = serial
005CA083 |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA086 |.E8 B1BAE3FF call sc.00405B3C ; RTL string helper on the serial arg (presumably addref/copy) -- TODO confirm
005CA08B |.8B45 F8 mov eax,dword ptr ss: ; eax = [ebp-8] (user name)
005CA08E |.E8 A9BAE3FF call sc.00405B3C ; same helper on the user name
005CA093 |.33C0 xor eax,eax ; eax = 0 for the fs:[0] accesses below
005CA095 |.55 push ebp
005CA096 |.68 72A25C00 push sc.005CA272 ; exception handler for this frame (see 005CA272)
005CA09B |.64:FF30 push dword ptr fs: ; push fs:[eax] = previous SEH head
005CA09E |.64:8920 mov dword ptr fs:,esp ; fs:[eax] = esp: this frame is now the active handler
005CA0A1 |.33DB xor ebx,ebx ; ebx = result flag; stays 0 (fail) unless set at 005CA1D2
005CA0A3 |.8D45 E8 lea eax,dword ptr ss: ; eax = &[ebp-18h]
005CA0A6 |.8B55 FC mov edx,dword ptr ss: ; edx = [ebp-4] (serial)
005CA0A9 |.E8 A6B6E3FF call sc.00405754 ; [ebp-18h] = serial (copy used for the length check)
005CA0AE |.B8 AC5D5D00 mov eax,sc.005D5DAC ; global string at 005D5DAC
005CA0B3 |.8B55 FC mov edx,dword ptr ss: ; edx = [ebp-4] (serial)
005CA0B6 |.E8 55B6E3FF call sc.00405710 ; global 005D5DAC = serial (string assign helper, presumably)
005CA0BB |.B8 B05D5D00 mov eax,sc.005D5DB0 ; global string at 005D5DB0
005CA0C0 |.8B55 F8 mov edx,dword ptr ss: ; edx = [ebp-8] (user name)
005CA0C3 |.E8 48B6E3FF call sc.00405710 ; global 005D5DB0 = user name
005CA0C8 |.8B55 E8 mov edx,dword ptr ss: ; edx = [ebp-18h] (serial) -- start of Length(serial)
005CA0CB |.8BC2 mov eax,edx
005CA0CD |.85C0 test eax,eax
005CA0CF |.74 05 je short sc.005CA0D6 ; nil string => length 0
005CA0D1 |.83E8 04 sub eax,4
005CA0D4 |.8B00 mov eax,dword ptr ds: ; eax = dword at ptr-4 = length prefix (Delphi-style string, presumably)
005CA0D6 |>83F8 0B cmp eax,0B ; Length(serial) vs 0xB (signed compare)
005CA0D9 |.0F8E F5000000 jle sc.005CA1D4 ; Length <= 11 => fail (bl is still 0 at 005CA1D4)
005CA0DF |.8BC2 mov eax,edx
005CA0E1 |.85C0 test eax,eax
005CA0E3 |.74 05 je short sc.005CA0EA
005CA0E5 |.83E8 04 sub eax,4
005CA0E8 |.8B00 mov eax,dword ptr ds: ; eax = Length(serial) again
005CA0EA |>83F8 0E cmp eax,0E ; Length(serial) vs 0xE
005CA0ED |.0F8F E1000000 jg sc.005CA1D4 ; Length > 14 => fail
005CA0F3 |.8D45 F4 lea eax,dword ptr ss: ; so 12 <= Length <= 14 from here on; eax = &[ebp-0Ch] (result slot)
005CA0F6 |.50 push eax
005CA0F7 |.B9 06000000 mov ecx,6 ; count = 6
005CA0FC |.BA 01000000 mov edx,1 ; start index = 1
005CA101 |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA104 |.E8 ABBAE3FF call sc.00405BB4 ; [ebp-0Ch] = Copy(serial, 1, 6) -- stored under "KY" below
005CA109 |.8D45 D0 lea eax,dword ptr ss: ; eax = &[ebp-30h] (result slot)
005CA10C |.B9 8CA25C00 mov ecx,sc.005CA28C ;ASCII "1st Security Center Pro"
005CA111 |.8B15 B05D5D00 mov edx,dword ptr ds: ; edx = [005D5DB0] = user name (global set at 005CA0C3)
005CA117 |.E8 B8B8E3FF call sc.004059D4 ; [ebp-30h] = user name concatenated with the constant above (operand order not verifiable here)
005CA11C |.8B45 D0 mov eax,dword ptr ss: ; eax = [ebp-30h]
005CA11F |.8D55 D4 lea edx,dword ptr ss: ; edx = &[ebp-2Ch]
005CA122 |.E8 39A5FEFF call sc.005B4660 ; [ebp-2Ch] = transform of [ebp-30h] (opaque; not named by the original author)
005CA127 |.8D45 D4 lea eax,dword ptr ss: ; eax = &[ebp-2Ch]
005CA12A |.8D55 E4 lea edx,dword ptr ss: ; edx = &[ebp-1Ch]
005CA12D |.E8 BAA4FEFF call sc.005B45EC ; MD5 of [ebp-2Ch] into [ebp-1Ch] (per the original author's note; not verifiable from this listing)
005CA132 |.8B45 E4 mov eax,dword ptr ss: ; eax = [ebp-1Ch]
005CA135 |.8D55 F0 lea edx,dword ptr ss: ; edx = &[ebp-10h]
005CA138 |.E8 B302E4FF call sc.0040A3F0 ; [ebp-10h] = string form of the digest -- stored under "ES" below
005CA13D |.8D45 EC lea eax,dword ptr ss: ; eax = &[ebp-14h]
005CA140 |.E8 77B5E3FF call sc.004056BC ; init/clear [ebp-14h] (presumably) -- stored under "DS" below
005CA145 |.8D45 CC lea eax,dword ptr ss: ; eax = &[ebp-34h] (result slot)
005CA148 |.50 push eax
005CA149 |.B9 02000000 mov ecx,2 ; count = 2
005CA14E |.BA 01000000 mov edx,1 ; start index = 1
005CA153 |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA156 |.E8 59BAE3FF call sc.00405BB4 ; [ebp-34h] = Copy(serial, 1, 2): first two chars
005CA15B |.8B45 CC mov eax,dword ptr ss: ; eax = [ebp-34h]
005CA15E |.E8 B90BE4FF call sc.0040AD1C ; num1 = string-to-int; per the original note non-digits raise an exception (caught by the frame above => result 0)
005CA163 |.8BF0 mov esi,eax ; esi = num1
005CA165 |.8D45 C8 lea eax,dword ptr ss: ; eax = &[ebp-38h]
005CA168 |.50 push eax
005CA169 |.B9 02000000 mov ecx,2 ; count = 2
005CA16E |.BA 03000000 mov edx,3 ; start index = 3
005CA173 |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA176 |.E8 39BAE3FF call sc.00405BB4 ; [ebp-38h] = Copy(serial, 3, 2): chars 3-4
005CA17B |.8B45 C8 mov eax,dword ptr ss: ; eax = [ebp-38h]
005CA17E |.E8 990BE4FF call sc.0040AD1C ; num2 = string-to-int
005CA183 |.03F0 add esi,eax ; esi = num1 + num2
005CA185 |.8D45 C4 lea eax,dword ptr ss: ; eax = &[ebp-3Ch]
005CA188 |.50 push eax
005CA189 |.B9 02000000 mov ecx,2 ; count = 2
005CA18E |.BA 05000000 mov edx,5 ; start index = 5
005CA193 |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA196 |.E8 19BAE3FF call sc.00405BB4 ; [ebp-3Ch] = Copy(serial, 5, 2): chars 5-6
005CA19B |.8B45 C4 mov eax,dword ptr ss: ; eax = [ebp-3Ch]
005CA19E |.E8 790BE4FF call sc.0040AD1C ; num3 = string-to-int
005CA1A3 |.03F0 add esi,eax ; esi = num1 + num2 + num3
005CA1A5 |.8B5D FC mov ebx,dword ptr ss: ; ebx = [ebp-4] (serial) -- start of Length(serial)
005CA1A8 |.85DB test ebx,ebx
005CA1AA |.74 05 je short sc.005CA1B1
005CA1AC |.83EB 04 sub ebx,4
005CA1AF |.8B1B mov ebx,dword ptr ds: ; ebx = Length(serial)
005CA1B1 |>8D45 C0 lea eax,dword ptr ss: ; eax = &[ebp-40h]
005CA1B4 |.50 push eax
005CA1B5 |.8BD3 mov edx,ebx
005CA1B7 |.4A dec edx ; start index = Length - 1
005CA1B8 |.B9 02000000 mov ecx,2 ; count = 2
005CA1BD |.8B45 FC mov eax,dword ptr ss: ; eax = [ebp-4] (serial)
005CA1C0 |.E8 EFB9E3FF call sc.00405BB4 ; [ebp-40h] = Copy(serial, Length-1, 2): last two chars
005CA1C5 |.8B45 C0 mov eax,dword ptr ss: ; eax = [ebp-40h]
005CA1C8 |.E8 4F0BE4FF call sc.0040AD1C ; num4 = string-to-int
005CA1CD |.3BF0 cmp esi,eax ; num1 + num2 + num3 == num4 ?
005CA1CF |.0F94C0 sete al
005CA1D2 |.8BD8 mov ebx,eax ; ebx = 1 on match, else 0
005CA1D4 |>84DB test bl,bl ; also reached from the length checks with bl = 0
005CA1D6 |.74 72 je short sc.005CA24A ; mismatch => skip the stores and return 0
005CA1D8 |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA1DD |.8B00 mov eax,dword ptr ds: ; eax = [eax] (object/instance pointer, presumably)
005CA1DF |.8B4D F4 mov ecx,dword ptr ss: ; ecx = [ebp-0Ch] = first 6 chars of the serial
005CA1E2 |.BA ACA25C00 mov edx,sc.005CA2AC ;ASCII "KY"
005CA1E7 |.E8 F49CECFF call sc.00493EE0 ; store value under key "KY" (where 00493EE0 writes is not visible here)
005CA1EC |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA1F1 |.8B00 mov eax,dword ptr ds: ; eax = [eax]
005CA1F3 |.8B4D FC mov ecx,dword ptr ss: ; ecx = [ebp-4] = full serial
005CA1F6 |.BA B8A25C00 mov edx,sc.005CA2B8 ;ASCII "UK"
005CA1FB |.E8 E09CECFF call sc.00493EE0 ; store serial under "UK"
005CA200 |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA205 |.8B00 mov eax,dword ptr ds: ; eax = [eax]
005CA207 |.8B4D F8 mov ecx,dword ptr ss: ; ecx = [ebp-8] = user name
005CA20A |.BA C4A25C00 mov edx,sc.005CA2C4 ;ASCII "UN"
005CA20F |.E8 CC9CECFF call sc.00493EE0 ; store user name under "UN"
005CA214 |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA219 |.8B00 mov eax,dword ptr ds: ; eax = [eax]
005CA21B |.8B4D F0 mov ecx,dword ptr ss: ; ecx = [ebp-10h] = digest string from 005CA138
005CA21E |.BA D0A25C00 mov edx,sc.005CA2D0 ;ASCII "ES"
005CA223 |.E8 B89CECFF call sc.00493EE0 ; store digest string under "ES" (never compared with the serial in this function)
005CA228 |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA22D |.8B00 mov eax,dword ptr ds: ; eax = [eax]
005CA22F |.8B4D EC mov ecx,dword ptr ss: ; ecx = [ebp-14h] (set up at 005CA140)
005CA232 |.BA DCA25C00 mov edx,sc.005CA2DC ;ASCII "DS"
005CA237 |.E8 A49CECFF call sc.00493EE0 ; store [ebp-14h] under "DS"
005CA23C |.A1 7C655D00 mov eax,dword ptr ds: ; eax = [005D657C]
005CA241 |.8B00 mov eax,dword ptr ds: ; eax = [eax]
005CA243 |.B2 01 mov dl,1
005CA245 |.E8 5697ECFF call sc.004939A0 ; called with dl = 1 after the stores (commit/flush, presumably) -- TODO confirm
005CA24A |>33C0 xor eax,eax ; common exit; eax = 0 for the fs:[0] restore
005CA24C |.5A pop edx ; edx = previous SEH head
005CA24D |.59 pop ecx
005CA24E |.59 pop ecx ; drop handler address and saved ebp
005CA24F |.64:8910 mov dword ptr fs:,edx ; fs:[eax] = edx: unlink this frame
005CA252 |.68 79A25C00 push sc.005CA279 ; return address for the finaliser: the retn at 005CA271 lands on 005CA279
005CA257 |>8D45 C0 lea eax,dword ptr ss: ; eax = &[ebp-40h]
005CA25A |.BA 05000000 mov edx,5
005CA25F |.E8 7CB4E3FF call sc.004056E0 ; release 5 string locals starting at [ebp-40h]
005CA264 |.8D45 E4 lea eax,dword ptr ss: ; eax = &[ebp-1Ch]
005CA267 |.BA 07000000 mov edx,7
005CA26C |.E8 6FB4E3FF call sc.004056E0 ; release 7 string locals starting at [ebp-1Ch]
005CA271 \.C3 retn ; to the pushed address (005CA279 on the normal path)
005CA272 .^ E9 F9ABE3FF jmp sc.00404E70 ; exception-handler entry registered at 005CA096 (RTL finally handler, presumably)
005CA277 .^ EB DE jmp short sc.005CA257 ; re-run the finaliser after an exception; ebx is still 0 then
005CA279 .8BC3 mov eax,ebx ; return value = result flag
005CA27B .5E pop esi
005CA27C .5B pop ebx
005CA27D .8BE5 mov esp,ebp
005CA27F .5D pop ebp
005CA280 .C3 retn
转自:IaWeN's Blog
链接:http://www.iawen.com/read.php/261.htm