大叔的草莓CM20140314分析
本帖最后由 a070458 于 2014-3-23 13:23 编辑-------------------------------------------------【文章简介】-------------------------------------------------
【文章标题】 大叔的草莓CM20140314分析
【文章作者】 a070458
【作者邮箱】 无
【作者主页】 无
【软件名称】CM20140314
【软件大小】 297 KB (304,305 字节)
【下载地址】 http://www.52pojie.cn/thread-242985-1-1.html
【加壳方式】 未知
【保护方式】 未知
【编写语言】 e
【使用工具】 OD
【操作平台】 XP
【软件介绍】 cm
【作者声明】 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
-------------------------------------------------【文章正文】-------------------------------------------------
输入然后下按钮事件断点点击确认
直接来到关键 00405ED8发现代码很有问题。被乱序了。。。。 看着真不爽,果断写个脚本 记录一下代码。
重来-----运行 ----输入假码----0042191D 下断点----------点击按钮
断下0042191D 运行脚本 开始跟踪
幸好这次的乱序代码没其他垃圾代码 所以整理很容易
整理整理 申请地址 粘贴代码 开始分析
00405ED8- E9 23A18900 jmp 00CA0000
00CA0000 55 push ebp
00CA0001 8BEC mov ebp,esp
00CA0003 83EC 3C sub esp,0x3C
00CA0006 E8 C26376FF call CM201403.004063CD
00CA000B 8945 F8 mov dword ptr ss:,eax
00CA000E 837D F8 01 cmp dword ptr ss:,0x1
00CA0012 90 nop
00CA0013 90 nop
00CA0014 90 nop
00CA0015 90 nop
00CA0016 90 nop
00CA0017 90 nop
00CA0018 C705 90014900 0>mov dword ptr ds:,0x1
00CA0022 C745 FC 0000000>mov dword ptr ss:,0x0
00CA0029 6A 00 push 0x0
00CA002B 8D45 FC lea eax,dword ptr ss:
00CA002E 50 push eax
00CA002F C745 F8 0000000>mov dword ptr ss:,0x0
00CA0036 6A 00 push 0x0
00CA0038 8D45 F8 lea eax,dword ptr ss:
00CA003B 50 push eax
00CA003C C745 F4 0000000>mov dword ptr ss:,0x0
00CA0043 6A 00 push 0x0
00CA0045 FF75 F4 push dword ptr ss:
00CA0048 E8 6A1276FF call CM201403.004012B7 ; //获取机器码
00CA004D 8945 F0 mov dword ptr ss:,eax ;// 返回一个int 类型
00CA0050 8B5D F8 mov ebx,dword ptr ss:
00CA0053 85DB test ebx,ebx
00CA0055 74 07 je short 00CA005E
00CA0057 90 nop
00CA0058 90 nop
00CA0059 90 nop
00CA005A 90 nop
00CA005B 8B5D FC mov ebx,dword ptr ss:
00CA005E 85DB test ebx,ebx
00CA0060 90 nop
00CA0061 90 nop
00CA0062 90 nop
00CA0063 90 nop
00CA0064 90 nop
00CA0065 90 nop
00CA0066 68 01030080 push 0x80000301
00CA006B 6A 00 push 0x0
00CA006D FF75 F0 push dword ptr ss:
00CA0070 6A 01 push 0x1
00CA0072 BB 608A4000 mov ebx,0x408A60 ;// 到文本(机器码)
00CA0077 E8 A27F76FF call CM201403.0040801E
00CA007C 83C4 10 add esp,0x10
00CA007F 8945 EC mov dword ptr ss:,eax
00CA0082 8D45 EC lea eax,dword ptr ss:
00CA0085 50 push eax ; //压入机器码
00CA0086 E8 435676FF call CM201403.004056CE ; //算法1
00CA008B 8945 E8 mov dword ptr ss:,eax
00CA008E 8B5D EC mov ebx,dword ptr ss:
00CA0091 85DB test ebx,ebx
00CA0093 74 0D je short 00CA00A2
00CA0095 90 nop
00CA0096 90 nop
00CA0097 90 nop
00CA0098 90 nop
00CA0099 53 push ebx
00CA009A E8 737F76FF call CM201403.00408012
00CA009F 83C4 04 add esp,0x4
00CA00A2 68 04000080 push 0x80000004
00CA00A7 6A 00 push 0x0
00CA00A9 8B45 E8 mov eax,dword ptr ss:
00CA00AC 85C0 test eax,eax
00CA00AE 90 nop
00CA00AF 90 nop
00CA00B0 90 nop
00CA00B1 90 nop
00CA00B2 90 nop
00CA00B3 90 nop
00CA00B4 50 push eax
00CA00B5 6A 01 push 0x1
00CA00B7 BB 30874000 mov ebx,0x408730 ;// 到大写
00CA00BC E8 5D7F76FF call CM201403.0040801E ; //这里把算法1(机器码)到大写
00CA00C1 83C4 10 add esp,0x10 ;// 变为界面的机器码了
00CA00C4 8945 E4 mov dword ptr ss:,eax
00CA00C7 8B5D E8 mov ebx,dword ptr ss:
00CA00CA 85DB test ebx,ebx
00CA00CC- 0F84 9CB881FF je CM201403.004BB96E
00CA00D2 53 push ebx
00CA00D3 E8 3A7F76FF call CM201403.00408012
00CA00D8 83C4 04 add esp,0x4
00CA00DB 6A FF push -0x1
00CA00DD 6A 08 push 0x8
00CA00DF 68 C6170116 push 0x160117C6
00CA00E4 68 01000152 push 0x52010001
00CA00E9 E8 3C7F76FF call CM201403.0040802A ;// 取输入的假码
00CA00EE 83C4 10 add esp,0x10
00CA00F1 8945 E0 mov dword ptr ss:,eax
00CA00F4 6A 01 push 0x1
00CA00F6 8D45 E4 lea eax,dword ptr ss:
00CA00F9 50 push eax ;// 压入机器码
00CA00FA 8D45 E0 lea eax,dword ptr ss:
00CA00FD 50 push eax ; //压入假码
00CA00FE E8 EA6576FF call CM201403.004066ED ; //算法2
00CA0103 8945 DC mov dword ptr ss:,eax ; //返回字节集
00CA0106 8B5D E0 mov ebx,dword ptr ss: ; //称之key1
00CA0109 85DB test ebx,ebx
00CA010B 90 nop
00CA010C 90 nop
00CA010D 90 nop
00CA010E 90 nop
00CA010F 90 nop
00CA0110 90 nop
00CA0111 53 push ebx
00CA0112 E8 FB7E76FF call CM201403.00408012
00CA0117 83C4 04 add esp,0x4
00CA011A 8B5D E4 mov ebx,dword ptr ss:
00CA011D 85DB test ebx,ebx
00CA011F 90 nop
00CA0120 90 nop
00CA0121 90 nop
00CA0122 90 nop
00CA0123 90 nop
00CA0124 90 nop
00CA0125 53 push ebx
00CA0126 E8 E77E76FF call CM201403.00408012
00CA012B 83C4 04 add esp,0x4
00CA012E 6A FF push -0x1
00CA0130 6A 08 push 0x8
00CA0132 68 C3170116 push 0x160117C3
00CA0137 68 01000152 push 0x52010001
00CA013C E8 E97E76FF call CM201403.0040802A
00CA0141 83C4 10 add esp,0x10
00CA0144 8945 D8 mov dword ptr ss:,eax
00CA0147 68 04000080 push 0x80000004
00CA014C 6A 00 push 0x0
00CA014E 8B45 D8 mov eax,dword ptr ss:
00CA0151 85C0 test eax,eax
00CA0153 90 nop
00CA0154 90 nop
00CA0155 90 nop
00CA0156 90 nop
00CA0157 90 nop
00CA0158 90 nop
00CA0159 50 push eax
00CA015A 6A 01 push 0x1
00CA015C BB 608A4000 mov ebx,0x408A60
00CA0161 E8 B87E76FF call CM201403.0040801E
00CA0166 83C4 10 add esp,0x10
00CA0169 8945 D4 mov dword ptr ss:,eax
00CA016C 8B5D D8 mov ebx,dword ptr ss:
00CA016F 85DB test ebx,ebx
00CA0171 90 nop
00CA0172 90 nop
00CA0173 90 nop
00CA0174 90 nop
00CA0175 90 nop
00CA0176 90 nop
00CA0177 53 push ebx
00CA0178 E8 957E76FF call CM201403.00408012
00CA017D 83C4 04 add esp,0x4
00CA0180 8D45 D4 lea eax,dword ptr ss:
00CA0183 50 push eax ; //压入用户名
00CA0184 E8 455576FF call CM201403.004056CE ;// 算法1
00CA0189 8945 D0 mov dword ptr ss:,eax
00CA018C 8B5D D4 mov ebx,dword ptr ss:
00CA018F 85DB test ebx,ebx
00CA0191 90 nop
00CA0192 90 nop
00CA0193 90 nop
00CA0194 90 nop
00CA0195 90 nop
00CA0196 90 nop
00CA0197 53 push ebx
00CA0198 E8 757E76FF call CM201403.00408012
00CA019D 83C4 04 add esp,0x4
00CA01A0 8B45 D0 mov eax,dword ptr ss:
00CA01A3 50 push eax ; //压入算法1(用户名)
00CA01A4 FF75 DC push dword ptr ss: ; //压入key1
00CA01A7 E8 8F5C76FF call CM201403.00405E3B ;// 比较
00CA01AC 83C4 08 add esp,0x8
00CA01AF 83F8 00 cmp eax,0x0
00CA01B2 B8 00000000 mov eax,0x0
00CA01B7 0F94C0 sete al
00CA01BA 8945 CC mov dword ptr ss:,eax
00CA01BD 8B5D DC mov ebx,dword ptr ss:
00CA01C0 85DB test ebx,ebx
00CA01C2 90 nop
00CA01C3 90 nop
00CA01C4 90 nop
00CA01C5 90 nop
00CA01C6 90 nop
00CA01C7 90 nop
00CA01C8 53 push ebx
00CA01C9 E8 447E76FF call CM201403.00408012
00CA01CE 83C4 04 add esp,0x4
00CA01D1 8B5D D0 mov ebx,dword ptr ss:
00CA01D4 85DB test ebx,ebx
00CA01D6 90 nop
00CA01D7 90 nop
00CA01D8 90 nop
00CA01D9 90 nop
00CA01DA 90 nop
00CA01DB 90 nop
00CA01DC 53 push ebx
00CA01DD E8 307E76FF call CM201403.00408012
00CA01E2 83C4 04 add esp,0x4
00CA01E5 837D CC 00 cmp dword ptr ss:,0x0
00CA01E9- 0F85 DF6281FF jnz CM201403.004B64CE //这个跳不知干啥
00CA01EF E8 717576FF call CM201403.00407765 ; //返回一串东西
00CA01F4 8945 FC mov dword ptr ss:,eax
00CA01F7 C745 F8 0000000>mov dword ptr ss:,0x0
00CA01FE 6A 00 push 0x0
00CA0200 8D45 F8 lea eax,dword ptr ss:
00CA0203 50 push eax
00CA0204 C745 F4 0000000>mov dword ptr ss:,0x0
00CA020B 6A 00 push 0x0
00CA020D 8D45 F4 lea eax,dword ptr ss:
00CA0210 50 push eax
00CA0211 C745 F0 0000000>mov dword ptr ss:,0x0
00CA0218 6A 00 push 0x0
00CA021A FF75 F0 push dword ptr ss:
00CA021D E8 951076FF call CM201403.004012B7 ; //又取机器码
00CA0222 8945 EC mov dword ptr ss:,eax
00CA0225 8B5D F4 mov ebx,dword ptr ss:
00CA0228 85DB test ebx,ebx
00CA022A 90 nop
00CA022B 90 nop
00CA022C 90 nop
00CA022D 90 nop
00CA022E 90 nop
00CA022F 90 nop
00CA0230 8B5D F8 mov ebx,dword ptr ss:
00CA0233 85DB test ebx,ebx
00CA0235 90 nop
00CA0236 90 nop
00CA0237 90 nop
00CA0238 90 nop
00CA0239 90 nop
00CA023A 90 nop
00CA023B 68 01030080 push 0x80000301
00CA0240 6A 00 push 0x0
00CA0242 FF75 EC push dword ptr ss:
00CA0245 6A 01 push 0x1
00CA0247 BB 608A4000 mov ebx,0x408A60
00CA024C E8 CD7D76FF call CM201403.0040801E
00CA0251 83C4 10 add esp,0x10
00CA0254 8945 E8 mov dword ptr ss:,eax
00CA0257 8D45 E8 lea eax,dword ptr ss:
00CA025A 50 push eax ; //压入机器码
00CA025B E8 6E5476FF call CM201403.004056CE ; //算法1
00CA0260 8945 E4 mov dword ptr ss:,eax ; //继续算出机器码
00CA0263 8B5D E8 mov ebx,dword ptr ss:
00CA0266 85DB test ebx,ebx
00CA0268 90 nop
00CA0269 90 nop
00CA026A 90 nop
00CA026B 90 nop
00CA026C 90 nop
00CA026D 90 nop
00CA026E 53 push ebx
00CA026F E8 9E7D76FF call CM201403.00408012
00CA0274 83C4 04 add esp,0x4
00CA0277 68 04000080 push 0x80000004
00CA027C 6A 00 push 0x0
00CA027E 8B45 E4 mov eax,dword ptr ss:
00CA0281 85C0 test eax,eax
00CA0283 90 nop
00CA0284 90 nop
00CA0285 90 nop
00CA0286 90 nop
00CA0287 90 nop
00CA0288 90 nop
00CA0289 50 push eax
00CA028A 6A 01 push 0x1
00CA028C BB 30874000 mov ebx,0x408730 ;// 到大写
00CA0291 E8 887D76FF call CM201403.0040801E
00CA0296 83C4 10 add esp,0x10
00CA0299 8945 E0 mov dword ptr ss:,eax
00CA029C 8B5D E4 mov ebx,dword ptr ss:
00CA029F 85DB test ebx,ebx
00CA02A1 90 nop
00CA02A2 90 nop
00CA02A3 90 nop
00CA02A4 90 nop
00CA02A5 90 nop
00CA02A6 90 nop
00CA02A7 53 push ebx
00CA02A8 E8 657D76FF call CM201403.00408012
00CA02AD 83C4 04 add esp,0x4
00CA02B0 FF75 E0 push dword ptr ss:
00CA02B3 FF75 FC push dword ptr ss:
00CA02B6 B9 02000000 mov ecx,0x2
00CA02BB E8 540F76FF call CM201403.00401214 ;// 一串东西和机器码相加
00CA02C0 83C4 08 add esp,0x8 ;// 称之key2
00CA02C3 8945 DC mov dword ptr ss:,eax
00CA02C6 8B5D FC mov ebx,dword ptr ss:
00CA02C9 85DB test ebx,ebx
00CA02CB- 0F84 219981FF je CM201403.004B9BF2
00CA02D1 53 push ebx
00CA02D2 E8 3B7D76FF call CM201403.00408012
00CA02D7 83C4 04 add esp,0x4
00CA02DA 8B5D E0 mov ebx,dword ptr ss:
00CA02DD 85DB test ebx,ebx
00CA02DF- 0F84 19AA81FF je CM201403.004BACFE
00CA02E5 53 push ebx
00CA02E6 E8 277D76FF call CM201403.00408012
00CA02EB 83C4 04 add esp,0x4
00CA02EE 6A FF push -0x1
00CA02F0 6A 08 push 0x8
00CA02F2 68 C6170116 push 0x160117C6
00CA02F7 68 01000152 push 0x52010001
00CA02FC E8 297D76FF call CM201403.0040802A ;// 取假码
00CA0301 83C4 10 add esp,0x10
00CA0304 8945 D8 mov dword ptr ss:,eax
00CA0307 6A 01 push 0x1
00CA0309 8D45 DC lea eax,dword ptr ss:
00CA030C 50 push eax ; //压入假码
00CA030D 8D45 D8 lea eax,dword ptr ss:
00CA0310 50 push eax ; //压入key2
00CA0311 E8 D76376FF call CM201403.004066ED ;// 算法2
00CA0316 8945 D4 mov dword ptr ss:,eax ; //称之key3
00CA0319 8B5D D8 mov ebx,dword ptr ss:
00CA031C 85DB test ebx,ebx
00CA031E- 0F84 E6D381FF je CM201403.004BD70A
00CA0324 53 push ebx
00CA0325 E8 E87C76FF call CM201403.00408012
00CA032A 83C4 04 add esp,0x4
00CA032D 8B5D DC mov ebx,dword ptr ss:
00CA0330 85DB test ebx,ebx
00CA0332- 0F84 F26182FF je CM201403.004C652A
00CA0338 53 push ebx
00CA0339 E8 D47C76FF call CM201403.00408012
00CA033E 83C4 04 add esp,0x4
00CA0341 6A FF push -0x1
00CA0343 6A 08 push 0x8
00CA0345 68 C3170116 push 0x160117C3
00CA034A 68 01000152 push 0x52010001
00CA034F E8 D67C76FF call CM201403.0040802A ;// 取用户名
00CA0354 83C4 10 add esp,0x10
00CA0357 8945 D0 mov dword ptr ss:,eax
00CA035A 68 04000080 push 0x80000004
00CA035F 6A 00 push 0x0
00CA0361 8B45 D0 mov eax,dword ptr ss:
00CA0364 85C0 test eax,eax
00CA0366 90 nop
00CA0367 90 nop
00CA0368 90 nop
00CA0369 90 nop
00CA036A 90 nop
00CA036B 90 nop
00CA036C 50 push eax
00CA036D 6A 01 push 0x1
00CA036F BB 608A4000 mov ebx,0x408A60
00CA0374 E8 A57C76FF call CM201403.0040801E
00CA0379 83C4 10 add esp,0x10
00CA037C 8945 CC mov dword ptr ss:,eax
00CA037F 8B5D D0 mov ebx,dword ptr ss:
00CA0382 85DB test ebx,ebx
00CA0384- 0F84 936282FF je CM201403.004C661D
00CA038A 53 push ebx
00CA038B E8 827C76FF call CM201403.00408012
00CA0390 83C4 04 add esp,0x4
00CA0393 8D45 CC lea eax,dword ptr ss:
00CA0396 50 push eax ; //压入用户名
00CA0397 E8 325376FF call CM201403.004056CE ; //算法1
00CA039C 8945 C8 mov dword ptr ss:,eax
00CA039F 8B5D CC mov ebx,dword ptr ss:
00CA03A2 85DB test ebx,ebx
00CA03A4- 0F84 516482FF je CM201403.004C67FB
00CA03AA 53 push ebx
00CA03AB E8 627C76FF call CM201403.00408012
00CA03B0 83C4 04 add esp,0x4
00CA03B3 8B45 C8 mov eax,dword ptr ss:
00CA03B6 50 push eax ; //压入算法1(用户名)
00CA03B7 FF75 D4 push dword ptr ss: ; key3
00CA03BA E8 7C5A76FF call CM201403.00405E3B ; //比较
00CA03BF 83C4 08 add esp,0x8
00CA03C2 83F8 00 cmp eax,0x0
00CA03C5 B8 00000000 mov eax,0x0
00CA03CA 0F94C0 sete al ; //关键
00CA03CD 8945 C4 mov dword ptr ss:,eax
00CA03D0 8B5D D4 mov ebx,dword ptr ss:
00CA03D3 85DB test ebx,ebx
00CA03D5- 0F84 326581FF je CM201403.004B690D
00CA03DB 53 push ebx
00CA03DC E8 317C76FF call CM201403.00408012
00CA03E1 83C4 04 add esp,0x4
00CA03E4 8B5D C8 mov ebx,dword ptr ss:
00CA03E7 85DB test ebx,ebx
00CA03E9- 0F84 694D81FF je CM201403.004B5158
00CA03EF 53 push ebx
00CA03F0 E8 1D7C76FF call CM201403.00408012
00CA03F5 83C4 04 add esp,0x4
00CA03F8 837D C4 00 cmp dword ptr ss:,0x0
00CA03FC- 0F85 127182FF jnz CM201403.004C7514 ; //关键跳
00CA0402 68 04000080 push 0x80000004
00CA0407 6A 00 push 0x0
00CA0409 68 A1204700 push 0x4720A1
00CA040E 68 01030080 push 0x80000301
00CA0413 6A 00 push 0x0 ; //错误注册框
00CA0415 6A 00 push 0x0
00CA0417 68 04000080 push 0x80000004
00CA041C 6A 00 push 0x0
00CA041E 68 AA204700 push 0x4720AA
00CA0423 6A 03 push 0x3
00CA0425 BB F08E4000 mov ebx,0x408EF0
00CA042A E8 EF7B76FF call CM201403.0040801E
00CA042F 83C4 28 add esp,0x28
00CA0432 8BE5 mov esp,ebp
00CA0434 5D pop ebp
00CA0435 C3 retn
00CA03FC - 0F85 127182FF jnz CM201403.004C7514 ; //关键跳
对应地址为
004C750E^\0F84 BBBFFEFF je CM201403.004B34CF ///NOP即可
这里主要有2个算法call
00CA0086 E8 435676FF call CM201403.004056CE ; 算法1
00CA0311 E8 D76376FF call CM201403.004066ED ; 算法2
第一个算法call跟进去
仔细留意 0040583A E8 FD270000 call CM201403.0040803C ; MD2!!!
发现他调用
EAX 77DB9C71 ADVAPI32.CryptCreateHash
参数
ALG_ID=CALG_MD2就是MD2算法了
在我还在苦苦跟踪算法2 的时候
MistHill 大牛发帖说是变异RC4
果断上网找个RC4的E语言源码看看
发现基本一致 不过几个循环都被他修改了一点点
编译一份RC4和这个试炼慢慢跟踪对比很容易发现问题
原RC4算法
//////////////////////////////////////////////////////////////////////////////////////////
.版本 2
.子程序 rc4, 字节集, 公开
.参数 原文, 字节集, , 需要加密解密的字节集
.参数 密码, 文本型, , 输入相应的密码
.局部变量 m, 字节型, , "256"
.局部变量 i, 整数型
.局部变量 j, 整数型
.局部变量 key, 字节集
.局部变量 密码长度, 整数型
.局部变量 原文长度, 整数型
.局部变量 结果, 字节集
.局部变量 x, 整数型
.局部变量 k, 字节型, , "256"
.局部变量 temp, 字节型
原文长度 = 取字节集长度 (原文)
.如果真 (原文长度 < 1)
返回 ({})
.如果真结束
密码长度 = 取文本长度 (密码)
结果 = 取空白字节集 (原文长度)
.计次循环首 (256, i)' 初始化 M00 01 02 ...ff
m= i - 1
.计次循环尾 ()
.如果真 (密码长度 > 0)
key = 到字节集 (密码)
j = 1
.计次循环首 (256, i)' 将密钥扩展到ff位然k
k= key
j = j + 1
.如果真 (j > 密码长度)
j = 1
.如果真结束
.计次循环尾 ()
j = 0
.计次循环首 (256, i)
j = 位与 (j + m+ k, 255)' 求余256一个样
temp = m
m= m
m = temp .计次循环尾 ()
.如果真结束
i = 0
j = 0
.计次循环首 (原文长度, x)
i = 位与 (i + 1 , 255)
j = 位与 (j + m , 255)
temp = m
m = m
m = temp
结果 = 位异或 (原文 , m [位与 (m + m , 255) + 1])
.计次循环尾 ()
返回 (结果)
///////////////////////////////////////////////////////////////////////////////////////////////
修改后的为
///////////////////////////////////////////////////////////////////////////////////////////////
.版本 2
.子程序 rc4, 字节集, 公开
.参数 原文, 字节集, , 需要加密解密的字节集
.参数 密码, 文本型, , 输入相应的密码
.局部变量 m, 字节型, , "256"
.局部变量 i, 整数型
.局部变量 j, 整数型
.局部变量 key, 字节集
.局部变量 密码长度, 整数型
.局部变量 原文长度, 整数型
.局部变量 结果, 字节集
.局部变量 x, 整数型
.局部变量 k, 字节型, , "256"
.局部变量 temp, 字节型
.局部变量 c1, 整数型
原文长度 = 取字节集长度 (原文)
.如果真 (原文长度 < 1)
返回 ({})
.如果真结束
密码长度 = 取文本长度 (密码)
结果 = 取空白字节集 (原文长度)
.计次循环首 (256, i)' 初始化 M00 01 02 ...ff
m = i - 1
.计次循环尾 ()
.如果真 (密码长度 > 0)
key = 到字节集 (密码)
j = 1
.计次循环首 (256, i)' 将密钥扩展到ff位然k
k = key
j = j + 1
.如果真 (j > 密码长度)
j = 1
.如果真结束
.计次循环尾 ()
j = 0
c1 = 0
.计次循环首 (256, i)
j = 位与 (j + m + k + c1, 255)' 求余256一个样 //c1是自己加上去的标准RC4没有
temp = m
m = m
m = temp
c1 = 1' //c1是自己加上去的标准RC4没有
.计次循环尾 ()
.如果真结束
i = 0
j = 0
c1 = 0
.计次循环首 (原文长度, x)
i = 位与 (i + 1 + c1, 255)' //c1是自己加上去的标准RC4没有
j = 位与 (j + m + c1, 255)
temp = m
m = m
m = temp
结果 = 位异或 (原文 , m [位与 (m + m , 255) + 1])
c1 = 1
.计次循环尾 ()
返回 (结果)
///////////////////////////////////////////////////////////////////////////////////////////////////////
注意c1这个变量
////////////////////////////////////////////////////////////////////////////////////////////////////////////
还有一个值得注意的地方
call 00407765这里会返回一个MD2计算后的数值
脱壳后就不同了
原程序算出来为
0012F6C0 00EB0E48ASCII "c87fbc6084bc9715c5ffca0f879936c6"
整理一下流程
机器码=到大写(MD2(call 004012B7)
key1=rc4(假码,机器码)
if(key1==MD2(用户名)){
goto004B64CE //这里跳不知干啥
}
key3=rc4(假码,“c87fbc6084bc9715c5ffca0f879936c6"+机器码)
if(key3==MD2(用户名)){
goto 004C7514
}
else
{
goto 004B34CF
}
附上注册机和源码和脚本和整理的代码
偷懒一下 用了个模块
膜拜中 头晕晕的 nice job
大叔的草莓奖金领取(20140314)
http://www.52pojie.cn/thread-246411-1-1.html
(出处: 吾爱破解论坛 - LCG - LSG |软件安全|病毒分析|破解软件|软件论坛|www.52pojie.cn)
膜拜算法!{:17_1068:} lz的图像好陶醉啊。。 好多金币呀 恭喜a070458获奖,祝贺活动圆满结束! 来学习的,纯菜鸟! 好厉害啊!
只能爆破! 看到已醉{:1_908:} 膜拜了。。。
自己弄了半天,只会爆破、、、
看到分析出算法的,给跪了。。。。
什么时候我也能分析个算法呢{:301_1001:}