【破文标题】QuickCHM破解分析
【破文标题】QuickCHM破解分析【破文作者】萧萧黄叶
【作者邮箱】
【作者主页】
【破解工具】PEiD,OD
【破解平台】WinXP
【软件名称】Quick CHM V2.6
【软件大小】1.43 M
【原版下载】http://www.skycn.com/soft/6785.html
【保护方式】ASPack 2.1
【软件简介】原名电子文档处理大师。是真正的所见即所得(WYSIWYG)CHM文件制作软件,内置简单易用的所见即所得网页编辑器,使你可以不必在两个软件之间切换,只使用一个软件就可以完成CHM文件的制作。软件采用html help workshop的格式保存和读取,使你不在为格式不同而烦恼。增强反编译功能,反编译后直接可以用QuickCHM读取,使你的工作更轻松。
【破解声明】我只是一只小小鸟,高手请飘过!但欢迎指导和共同学习!
------------------------------------------------------------------------
【破解过程】安装后运行程序,一开始就要求你注册,并且说明了未注册版本的功能限制。
试着注册看看有没有什么提示,要先输入用户名,再输入密钥,密钥分三组,每组最多可输入八位,确定后没有错误的提示,试用进入主界面后有未注册的字样。
开始了,先用PEiD探壳:ASPack 2.1 -> Alexey Solodovnikov
这是一个很简单的壳,用ESP定律很快可以脱壳,OD载入后停在这里:
0059B001 >60 PUSHAD
0059B002 E8 72050000 CALL QuickCHM.0059B579
单步一次后下硬件断点,下面就是OEP了:
004F5D04 55 PUSH EBP
004F5D05 8BEC MOV EBP,ESP
004F5D07 83C4 F4 ADD ESP,-0C
就在这里脱壳,另存。
再次PEiD探壳:Borland Delphi 4.0 - 5.0
再运行程序看看,OK,可以正常运行不需要修复。
再次OD载入:
004F5D04 > $55 PUSH EBP
004F5D05 .8BEC MOV EBP,ESP
004F5D07 .83C4 F4 ADD ESP,-0C
运行程序,注册,我用xxhy作为用户名,假码:12345678-23456789-34567890,下万能断点后确定:
77D33566 F3:A5 REP MOVS DWORD PTR ES:,DWORD PTR DS>
77D33568 8BC8 MOV ECX,EAX
77D3356A 83E1 03 AND ECX,3
注意看寄存器,ESI上为我的用户名,清除断点返回一直到这里:
004F4145|.8D45 F4 LEA EAX,DWORD PTR SS:
004F4148|.BA 504B4F00 MOV EDX,脱壳后.004F4B50 ;ASCII "Loveada99"
004F414D|.E8 4EFDF0FF CALL 脱壳后.00403EA0
向下看看还有很多,也有循环,应该就是中心部分了,在上面下断了,重新来过:
004F410C/$55 PUSH EBP
004F410D|.8BEC MOV EBP,ESP
004F410F|.B9 12000000 MOV ECX,12
继续向下走,一直到这里:
004F413A|.8B80 D0020000 MOV EAX,DWORD PTR DS:
004F4140|.E8 7315F4FF CALL 脱壳后.004356B8 ;这里是刚才我们下万能断点后出来的地方,经过这个CALL计算了用户名的位数。
004F4145|.8D45 F4 LEA EAX,DWORD PTR SS:
004F4148|.BA 504B4F00 MOV EDX,脱壳后.004F4B50 ;ASCII "Loveada99"
004F414D|.E8 4EFDF0FF CALL 脱壳后.00403EA0 ;将4F4B50处的字符 "Loveada99"移到EDX上
004F4152|.8D55 F8 LEA EDX,DWORD PTR SS:
004F4155|.8B45 FC MOV EAX,DWORD PTR SS:
004F4158|.E8 C384FFFF CALL 脱壳后.004EC620 ;跟进这个CALL。
004F415D|.8B45 F8 MOV EAX,DWORD PTR SS: ;经过上面的CALL计算出来一个新的用户名"eHhoeQ=="
004F4160|.E8 23FFF0FF CALL 脱壳后.00404088
004F4165|.8945 EC MOV DWORD PTR SS:,EAX
004F4168|.8B45 F4 MOV EAX,DWORD PTR SS: ;取字符 "Loveada99"
004F416B|.E8 18FFF0FF CALL 脱壳后.00404088
004F4170|.8945 E8 MOV DWORD PTR SS:,EAX
004F4173|.C745 F0 64000>MOV DWORD PTR SS:,64
004F417A|.8D45 E0 LEA EAX,DWORD PTR SS:
004F417D|.B9 FF000000 MOV ECX,0FF
004F4182|.BA 01000000 MOV EDX,1
004F4187|.E8 4401F1FF CALL 脱壳后.004042D0
004F418C|.8D45 D8 LEA EAX,DWORD PTR SS:
004F418F|.B9 FF000000 MOV ECX,0FF
004F4194|.BA 01000000 MOV EDX,1
004F4199|.E8 3201F1FF CALL 脱壳后.004042D0
004F419E|.C745 E4 01000>MOV DWORD PTR SS:,1
004F41A5|.C645 DE 01 MOV BYTE PTR SS:,1
004F41A9|>8D45 E0 /LEA EAX,DWORD PTR SS:
004F41AC|.50 |PUSH EAX
004F41AD|.8B4D E8 |MOV ECX,DWORD PTR SS:
004F41B0|.8B55 E4 |MOV EDX,DWORD PTR SS:
004F41B3|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F41B6|.E8 D500F1FF |CALL 脱壳后.00404290
004F41BB|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F41BE|.0345 E8 |ADD EAX,DWORD PTR SS:
004F41C1|.48 |DEC EAX
004F41C2|.3B45 EC |CMP EAX,DWORD PTR SS:
004F41C5|.7E 16 |JLE SHORT 脱壳后.004F41DD
004F41C7|.8B45 EC |MOV EAX,DWORD PTR SS:
004F41CA|.40 |INC EAX
004F41CB|.2B45 E4 |SUB EAX,DWORD PTR SS:
004F41CE|.8945 E8 |MOV DWORD PTR SS:,EAX
004F41D1|.807D DE 00 |CMP BYTE PTR SS:,0
004F41D5|.74 06 |JE SHORT 脱壳后.004F41DD
004F41D7|.8B45 EC |MOV EAX,DWORD PTR SS:
004F41DA|.8945 E8 |MOV DWORD PTR SS:,EAX
004F41DD|>C645 DE 00 |MOV BYTE PTR SS:,0
004F41E1|.8B75 E8 |MOV ESI,DWORD PTR SS:
004F41E4|.85F6 |TEST ESI,ESI
004F41E6|.7E 47 |JLE SHORT 脱壳后.004F422F
004F41E8|.BB 01000000 |MOV EBX,1
004F41ED|>8B45 E0 |/MOV EAX,DWORD PTR SS: ;取新用户名"eHhoeQ=="
004F41F0|.0FB67C18 FF ||MOVZX EDI,BYTE PTR DS: ;按序取每一位字符的ASCII码
004F41F5|.8B45 F4 ||MOV EAX,DWORD PTR SS: ; 取字符"Loveada99"
004F41F8|.0FB64418 FF ||MOVZX EAX,BYTE PTR DS: ;按序取每一位字符的ASCII码
004F41FD|.33F8 ||XOR EDI,EAX ;两者进行异或运算
004F41FF|.8D45 E0 ||LEA EAX,DWORD PTR SS:
004F4202|.B9 01000000 ||MOV ECX,1
004F4207|.8BD3 ||MOV EDX,EBX
004F4209|.E8 C200F1FF ||CALL 脱壳后.004042D0
004F420E|.8BC7 ||MOV EAX,EDI
004F4210|.8845 DF ||MOV BYTE PTR SS:,AL ;数据窗口跟随BYTE PTR SS:
004F4213|.8D45 CC ||LEA EAX,DWORD PTR SS:
004F4216|.8A55 DF ||MOV DL,BYTE PTR SS:
004F4219|.E8 92FDF0FF ||CALL 脱壳后.00403FB0
004F421E|.8B45 CC ||MOV EAX,DWORD PTR SS:
004F4221|.8D55 E0 ||LEA EDX,DWORD PTR SS:
004F4224|.8BCB ||MOV ECX,EBX
004F4226|.E8 ED00F1FF ||CALL 脱壳后.00404318
004F422B|.43 ||INC EBX
004F422C|.4E ||DEC ESI
004F422D|.^ 75 BE |\JNZ SHORT 脱壳后.004F41ED
004F422F|>8D45 D8 |LEA EAX,DWORD PTR SS: ;经过上面的计算,结果为:29,27,1E,0A,04,35,5C,04,设为Y
004F4232|.8B55 E0 |MOV EDX,DWORD PTR SS:
004F4235|.E8 56FEF0FF |CALL 脱壳后.00404090
004F423A|.8B45 E8 |MOV EAX,DWORD PTR SS:
004F423D|.0145 E4 |ADD DWORD PTR SS:,EAX
004F4240|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F4243|.3B45 EC |CMP EAX,DWORD PTR SS:
004F4246|.^ 0F8E 5DFFFFFF \JLE 脱壳后.004F41A9
004F424C|.8D45 F8 LEA EAX,DWORD PTR SS:
004F424F|.8B55 D8 MOV EDX,DWORD PTR SS:
004F4252|.E8 49FCF0FF CALL 脱壳后.00403EA0
004F4257|.8B45 F8 MOV EAX,DWORD PTR SS:
004F425A|.E8 29FEF0FF CALL 脱壳后.00404088
004F425F|.83F8 04 CMP EAX,4
004F4262|.7D 10 JGE SHORT 脱壳后.004F4274
004F4264|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4267|.8B4D F8 MOV ECX,DWORD PTR SS:
004F426A|.BA 644B4F00 MOV EDX,脱壳后.004F4B64 ;ASCII "love"
004F426F|.E8 60FEF0FF CALL 脱壳后.004040D4
004F4274|>8B45 F8 MOV EAX,DWORD PTR SS:
004F4277|.E8 0CFEF0FF CALL 脱壳后.00404088
004F427C|.8BC8 MOV ECX,EAX
004F427E|.83E9 04 SUB ECX,4
004F4281|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4284|.BA 01000000 MOV EDX,1
004F4289|.E8 4200F1FF CALL 脱壳后.004042D0
004F428E|.8B45 F8 MOV EAX,DWORD PTR SS:
004F4291|.E8 F2FDF0FF CALL 脱壳后.00404088
004F4296|.8945 EC MOV DWORD PTR SS:,EAX
004F4299|.8D45 D8 LEA EAX,DWORD PTR SS:
004F429C|.B9 FF000000 MOV ECX,0FF
004F42A1|.BA 01000000 MOV EDX,1
004F42A6|.E8 2500F1FF CALL 脱壳后.004042D0
004F42AB|.8B75 EC MOV ESI,DWORD PTR SS:
004F42AE|.85F6 TEST ESI,ESI
004F42B0|.7E 2B JLE SHORT 脱壳后.004F42DD
004F42B2|.BB 01000000 MOV EBX,1
004F42B7|>8D45 D4 /LEA EAX,DWORD PTR SS:
004F42BA|.50 |PUSH EAX
004F42BB|.8B55 EC |MOV EDX,DWORD PTR SS:
004F42BE|.2BD3 |SUB EDX,EBX
004F42C0|.42 |INC EDX
004F42C1|.B9 01000000 |MOV ECX,1
004F42C6|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F42C9|.E8 C2FFF0FF |CALL 脱壳后.00404290
004F42CE|.8D45 D8 |LEA EAX,DWORD PTR SS:
004F42D1|.8B55 D4 |MOV EDX,DWORD PTR SS:
004F42D4|.E8 B7FDF0FF |CALL 脱壳后.00404090
004F42D9|.43 |INC EBX
004F42DA|.4E |DEC ESI
004F42DB|.^ 75 DA \JNZ SHORT 脱壳后.004F42B7
004F42DD|>8D45 F8 LEA EAX,DWORD PTR SS:
004F42E0|.8B55 D8 MOV EDX,DWORD PTR SS:
004F42E3|.E8 B8FBF0FF CALL 脱壳后.00403EA0
004F42E8|.8D45 D8 LEA EAX,DWORD PTR SS:
004F42EB|.B9 FF000000 MOV ECX,0FF
004F42F0|.BA 01000000 MOV EDX,1
004F42F5|.E8 D6FFF0FF CALL 脱壳后.004042D0
004F42FA|.8D55 D8 LEA EDX,DWORD PTR SS:
004F42FD|.A1 A8884F00 MOV EAX,DWORD PTR DS:
004F4302|.8B00 MOV EAX,DWORD PTR DS:
004F4304|.8B80 DC020000 MOV EAX,DWORD PTR DS:
004F430A|.E8 A913F4FF CALL 脱壳后.004356B8
004F430F|.8B75 EC MOV ESI,DWORD PTR SS:
004F4312|.85F6 TEST ESI,ESI
004F4314|.0F8E B1000000 JLE 脱壳后.004F43CB
004F431A|.BB 01000000 MOV EBX,1
004F431F|>8B45 F8 /MOV EAX,DWORD PTR SS:
004F4322|.0FB67C18 FF |MOVZX EDI,BYTE PTR DS: ;倒序取Y的值,取了后面四个。
004F4327|.037D F0 |ADD EDI,DWORD PTR SS: ;加固定值H64
004F432A|.81FF FF000000 |CMP EDI,0FF
004F4330|.7E 06 |JLE SHORT 脱壳后.004F4338
004F4332|.81EF FF000000 |SUB EDI,0FF
004F4338|>85FF |TEST EDI,EDI
004F433A|.7D 06 |JGE SHORT 脱壳后.004F4342
004F433C|.81C7 FF000000 |ADD EDI,0FF
004F4342|>8D45 C4 |LEA EAX,DWORD PTR SS:
004F4345|.8BD3 |MOV EDX,EBX
004F4347|.4A |DEC EDX
004F4348|.03D2 |ADD EDX,EDX
004F434A|.8B4D D8 |MOV ECX,DWORD PTR SS: ;取第一组注册码
004F434D|.8A1411 |MOV DL,BYTE PTR DS: ;取第一组注册码的第一位
004F4350|.8850 01 |MOV BYTE PTR DS:,DL
004F4353|.C600 01 |MOV BYTE PTR DS:,1
004F4356|.8D55 C4 |LEA EDX,DWORD PTR SS:
004F4359|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F435C|.E8 4BE8F0FF |CALL 脱壳后.00402BAC
004F4361|.8D45 BC |LEA EAX,DWORD PTR SS:
004F4364|.8BD3 |MOV EDX,EBX
004F4366|.4A |DEC EDX
004F4367|.03D2 |ADD EDX,EDX
004F4369|.8B4D D8 |MOV ECX,DWORD PTR SS:
004F436C|.8A5411 01 |MOV DL,BYTE PTR DS: ;取第一组注册码的第二位
004F4370|.8850 01 |MOV BYTE PTR DS:,DL
004F4373|.C600 01 |MOV BYTE PTR DS:,1
004F4376|.8D55 BC |LEA EDX,DWORD PTR SS:
004F4379|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F437C|.B1 02 |MOV CL,2
004F437E|.E8 F9E7F0FF |CALL 脱壳后.00402B7C
004F4383|.8D55 C0 |LEA EDX,DWORD PTR SS:
004F4386|.8D45 C8 |LEA EAX,DWORD PTR SS:
004F4389|.E8 9EFCF0FF |CALL 脱壳后.0040402C
004F438E|.8B45 C8 |MOV EAX,DWORD PTR SS:
004F4391|.50 |PUSH EAX
004F4392|.8D45 B8 |LEA EAX,DWORD PTR SS:
004F4395|.50 |PUSH EAX ; /Arg1
004F4396|.897D B0 |MOV DWORD PTR SS:,EDI ; |
004F4399|.C645 B4 00 |MOV BYTE PTR SS:,0 ; |
004F439D|.8D55 B0 |LEA EDX,DWORD PTR SS: ; |
004F43A0|.33C9 |XOR ECX,ECX ; |
004F43A2|.B8 744B4F00 |MOV EAX,脱壳后.004F4B74 ; |ASCII "%1.2x"
004F43A7|.E8 5C5EF1FF |CALL 脱壳后.0040A208 ; \脱壳后.0040A208
004F43AC|.8B55 B8 |MOV EDX,DWORD PTR SS:
004F43AF|.58 |POP EAX
004F43B0|.E8 E3FDF0FF |CALL 脱壳后.00404198 ;将刚才取出的Y的值与第一组注册码的第一、二位进行比较,不符合就跳走。也就是失败!
004F43B5|.0F9445 D3 |SETE BYTE PTR SS:
004F43B9|.807D D3 00 |CMP BYTE PTR SS:,0
004F43BD|.0F84 04070000 |JE 脱壳后.004F4AC7 ;将这个跳NOP掉就可以实现第一组注册码注册成功,下面还有!为了进行分析可以先NOP掉看下面的算法。
004F43C3|.43 |INC EBX
004F43C4|.4E |DEC ESI
004F43C5|.^ 0F85 54FFFFFF \JNZ 脱壳后.004F431F ;如果符合就继续比较。这是一个分段进行比较的注册机制,不太容易做出内存注册机。一段错误就不继续进行下面的比较了。
004F43CB|>8D55 F8 LEA EDX,DWORD PTR SS:
004F43CE|.A1 A8884F00 MOV EAX,DWORD PTR DS:
将004F43BD|.0F84 04070000 |JE 脱壳后.004F4AC7这一句NOP后继续向下来到这里:
004F43CE|.A1 A8884F00 MOV EAX,DWORD PTR DS: ;将004F43BD 处的JE 脱壳后.004F4AC7 NOP后来到这里。
004F43D3|.8B00 MOV EAX,DWORD PTR DS:
004F43D5|.8B80 D0020000 MOV EAX,DWORD PTR DS:
004F43DB|.E8 D812F4FF CALL 脱壳后.004356B8
004F43E0|.8D45 F4 LEA EAX,DWORD PTR SS:
004F43E3|.BA 844B4F00 MOV EDX,脱壳后.004F4B84 ;ASCII "BestLove"
004F43E8|.E8 B3FAF0FF CALL 脱壳后.00403EA0 ; 取出了第二个字符"BestLove"
004F43ED|.8D55 F8 LEA EDX,DWORD PTR SS:
004F43F0|.8B45 FC MOV EAX,DWORD PTR SS:
004F43F3|.E8 2882FFFF CALL 脱壳后.004EC620 ;注意这里和004F4158|.E8 C384FFFF CALL 脱壳后.004EC620 这里是跟进的同一个CALL,得到了同一个结果,新的用户名"eHhoeQ=="
004F43F8|.8B45 F8 MOV EAX,DWORD PTR SS:
004F43FB|.E8 88FCF0FF CALL 脱壳后.00404088
004F4400|.8945 EC MOV DWORD PTR SS:,EAX
004F4403|.8B45 F4 MOV EAX,DWORD PTR SS:
004F4406|.E8 7DFCF0FF CALL 脱壳后.00404088
004F440B|.8945 E8 MOV DWORD PTR SS:,EAX
004F440E|.C745 F0 14000>MOV DWORD PTR SS:,14 ;用新的固定值H14取代H64
004F4415|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4418|.B9 FF000000 MOV ECX,0FF
004F441D|.BA 01000000 MOV EDX,1
004F4422|.E8 A9FEF0FF CALL 脱壳后.004042D0
004F4427|.8B75 EC MOV ESI,DWORD PTR SS:
004F442A|.85F6 TEST ESI,ESI
004F442C|.7E 2B JLE SHORT 脱壳后.004F4459
004F442E|.BB 01000000 MOV EBX,1
004F4433|>8D45 D4 /LEA EAX,DWORD PTR SS:
004F4436|.50 |PUSH EAX
004F4437|.8B55 EC |MOV EDX,DWORD PTR SS:
004F443A|.2BD3 |SUB EDX,EBX
004F443C|.42 |INC EDX
004F443D|.B9 01000000 |MOV ECX,1
004F4442|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F4445|.E8 46FEF0FF |CALL 脱壳后.00404290
004F444A|.8D45 D8 |LEA EAX,DWORD PTR SS:
004F444D|.8B55 D4 |MOV EDX,DWORD PTR SS:
004F4450|.E8 3BFCF0FF |CALL 脱壳后.00404090
004F4455|.43 |INC EBX
004F4456|.4E |DEC ESI
004F4457|.^ 75 DA \JNZ SHORT 脱壳后.004F4433 ;经过这个循环将新用户名倒序了 "==QeohHe"
004F4459|>8D45 F8 LEA EAX,DWORD PTR SS:
004F445C|.8B55 D8 MOV EDX,DWORD PTR SS:
004F445F|.E8 3CFAF0FF CALL 脱壳后.00403EA0
004F4464|.8D45 E0 LEA EAX,DWORD PTR SS:
004F4467|.B9 FF000000 MOV ECX,0FF
004F446C|.BA 01000000 MOV EDX,1
004F4471|.E8 5AFEF0FF CALL 脱壳后.004042D0
004F4476|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4479|.B9 FF000000 MOV ECX,0FF
004F447E|.BA 01000000 MOV EDX,1
004F4483|.E8 48FEF0FF CALL 脱壳后.004042D0
004F4488|.C745 E4 01000>MOV DWORD PTR SS:,1
004F448F|.C645 DE 01 MOV BYTE PTR SS:,1
004F4493|>8D45 E0 /LEA EAX,DWORD PTR SS:
004F4496|.50 |PUSH EAX
004F4497|.8B4D E8 |MOV ECX,DWORD PTR SS:
004F449A|.8B55 E4 |MOV EDX,DWORD PTR SS:
004F449D|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F44A0|.E8 EBFDF0FF |CALL 脱壳后.00404290
004F44A5|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F44A8|.0345 E8 |ADD EAX,DWORD PTR SS:
004F44AB|.48 |DEC EAX
004F44AC|.3B45 EC |CMP EAX,DWORD PTR SS:
004F44AF|.7E 16 |JLE SHORT 脱壳后.004F44C7
004F44B1|.8B45 EC |MOV EAX,DWORD PTR SS:
004F44B4|.40 |INC EAX
004F44B5|.2B45 E4 |SUB EAX,DWORD PTR SS:
004F44B8|.8945 E8 |MOV DWORD PTR SS:,EAX
004F44BB|.807D DE 00 |CMP BYTE PTR SS:,0
004F44BF|.74 06 |JE SHORT 脱壳后.004F44C7
004F44C1|.8B45 EC |MOV EAX,DWORD PTR SS:
004F44C4|.8945 E8 |MOV DWORD PTR SS:,EAX
004F44C7|>C645 DE 00 |MOV BYTE PTR SS:,0
004F44CB|.8B75 E8 |MOV ESI,DWORD PTR SS:
004F44CE|.85F6 |TEST ESI,ESI
004F44D0|.7E 47 |JLE SHORT 脱壳后.004F4519
004F44D2|.BB 01000000 |MOV EBX,1
004F44D7|>8B45 E0 |/MOV EAX,DWORD PTR SS: ;取新用户名 "==QeohHe"
004F44DA|.0FB67C18 FF ||MOVZX EDI,BYTE PTR DS: ;按序取每一位
004F44DF|.8B45 F4 ||MOV EAX,DWORD PTR SS: ;取字符 "BestLove"
004F44E2|.0FB64418 FF ||MOVZX EAX,BYTE PTR DS: ;取字符 "BestLove"每一位的ASCII码
004F44E7|.33F8 ||XOR EDI,EAX ;两者进行异或运算
004F44E9|.8D45 E0 ||LEA EAX,DWORD PTR SS:
004F44EC|.B9 01000000 ||MOV ECX,1
004F44F1|.8BD3 ||MOV EDX,EBX
004F44F3|.E8 D8FDF0FF ||CALL 脱壳后.004042D0
004F44F8|.8BC7 ||MOV EAX,EDI
004F44FA|.8845 DF ||MOV BYTE PTR SS:,AL
004F44FD|.8D45 AC ||LEA EAX,DWORD PTR SS:
004F4500|.8A55 DF ||MOV DL,BYTE PTR SS:
004F4503|.E8 A8FAF0FF ||CALL 脱壳后.00403FB0
004F4508|.8B45 AC ||MOV EAX,DWORD PTR SS:
004F450B|.8D55 E0 ||LEA EDX,DWORD PTR SS:
004F450E|.8BCB ||MOV ECX,EBX
004F4510|.E8 03FEF0FF ||CALL 脱壳后.00404318
004F4515|.43 ||INC EBX
004F4516|.4E ||DEC ESI
004F4517|.^ 75 BE |\JNZ SHORT 脱壳后.004F44D7
004F4519|>8D45 D8 |LEA EAX,DWORD PTR SS: ;经过循环计算得到一组数值:7f,58,22,11,23,07,3e,00,设为M
004F451C|.8B55 E0 |MOV EDX,DWORD PTR SS:
004F451F|.E8 6CFBF0FF |CALL 脱壳后.00404090
004F4524|.8B45 E8 |MOV EAX,DWORD PTR SS:
004F4527|.0145 E4 |ADD DWORD PTR SS:,EAX
004F452A|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F452D|.3B45 EC |CMP EAX,DWORD PTR SS:
004F4530|.^ 0F8E 5DFFFFFF \JLE 脱壳后.004F4493
004F4536|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4539|.8B55 D8 MOV EDX,DWORD PTR SS:
004F453C|.E8 5FF9F0FF CALL 脱壳后.00403EA0
004F4541|.8B45 F8 MOV EAX,DWORD PTR SS:
004F4544|.E8 3FFBF0FF CALL 脱壳后.00404088
004F4549|.83F8 04 CMP EAX,4
004F454C|.7D 10 JGE SHORT 脱壳后.004F455E
004F454E|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4551|.8B4D F8 MOV ECX,DWORD PTR SS:
004F4554|.BA 644B4F00 MOV EDX,脱壳后.004F4B64 ;ASCII "love"
004F4559|.E8 76FBF0FF CALL 脱壳后.004040D4
004F455E|>8B45 F8 MOV EAX,DWORD PTR SS:
004F4561|.E8 22FBF0FF CALL 脱壳后.00404088
004F4566|.8BC8 MOV ECX,EAX
004F4568|.83E9 04 SUB ECX,4
004F456B|.8D45 F8 LEA EAX,DWORD PTR SS:
004F456E|.BA 01000000 MOV EDX,1
004F4573|.E8 58FDF0FF CALL 脱壳后.004042D0
004F4578|.8B45 F8 MOV EAX,DWORD PTR SS:
004F457B|.E8 08FBF0FF CALL 脱壳后.00404088
004F4580|.8945 EC MOV DWORD PTR SS:,EAX
004F4583|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4586|.B9 FF000000 MOV ECX,0FF
004F458B|.BA 01000000 MOV EDX,1
004F4590|.E8 3BFDF0FF CALL 脱壳后.004042D0
004F4595|.8D55 D8 LEA EDX,DWORD PTR SS:
004F4598|.A1 A8884F00 MOV EAX,DWORD PTR DS:
004F459D|.8B00 MOV EAX,DWORD PTR DS:
004F459F|.8B80 E8020000 MOV EAX,DWORD PTR DS:
004F45A5|.E8 0E11F4FF CALL 脱壳后.004356B8
004F45AA|.8B75 EC MOV ESI,DWORD PTR SS:
004F45AD|.85F6 TEST ESI,ESI
004F45AF|.0F8E B1000000 JLE 脱壳后.004F4666
004F45B5|.BB 01000000 MOV EBX,1
004F45BA|>8B45 F8 /MOV EAX,DWORD PTR SS: ;这个循环进行第二组注册码的对比
004F45BD|.0FB67C18 FF |MOVZX EDI,BYTE PTR DS: ;取M的后四位的第一位
004F45C2|.037D F0 |ADD EDI,DWORD PTR SS: ;加H14
004F45C5|.81FF FF000000 |CMP EDI,0FF
004F45CB|.7E 06 |JLE SHORT 脱壳后.004F45D3
004F45CD|.81EF FF000000 |SUB EDI,0FF
004F45D3|>85FF |TEST EDI,EDI
004F45D5|.7D 06 |JGE SHORT 脱壳后.004F45DD
004F45D7|.81C7 FF000000 |ADD EDI,0FF
004F45DD|>8D45 C4 |LEA EAX,DWORD PTR SS:
004F45E0|.8BD3 |MOV EDX,EBX
004F45E2|.4A |DEC EDX
004F45E3|.03D2 |ADD EDX,EDX
004F45E5|.8B4D D8 |MOV ECX,DWORD PTR SS: ;取第二组注册码
004F45E8|.8A1411 |MOV DL,BYTE PTR DS: ;取第二组注册码的第一位
004F45EB|.8850 01 |MOV BYTE PTR DS:,DL
004F45EE|.C600 01 |MOV BYTE PTR DS:,1
004F45F1|.8D55 C4 |LEA EDX,DWORD PTR SS:
004F45F4|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F45F7|.E8 B0E5F0FF |CALL 脱壳后.00402BAC
004F45FC|.8D45 BC |LEA EAX,DWORD PTR SS:
004F45FF|.8BD3 |MOV EDX,EBX
004F4601|.4A |DEC EDX
004F4602|.03D2 |ADD EDX,EDX
004F4604|.8B4D D8 |MOV ECX,DWORD PTR SS:
004F4607|.8A5411 01 |MOV DL,BYTE PTR DS: ;取第二组注册码的第二位
004F460B|.8850 01 |MOV BYTE PTR DS:,DL
004F460E|.C600 01 |MOV BYTE PTR DS:,1
004F4611|.8D55 BC |LEA EDX,DWORD PTR SS:
004F4614|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F4617|.B1 02 |MOV CL,2
004F4619|.E8 5EE5F0FF |CALL 脱壳后.00402B7C
004F461E|.8D55 C0 |LEA EDX,DWORD PTR SS:
004F4621|.8D45 A8 |LEA EAX,DWORD PTR SS:
004F4624|.E8 03FAF0FF |CALL 脱壳后.0040402C
004F4629|.8B45 A8 |MOV EAX,DWORD PTR SS:
004F462C|.50 |PUSH EAX
004F462D|.8D45 A4 |LEA EAX,DWORD PTR SS:
004F4630|.50 |PUSH EAX ; /Arg1
004F4631|.897D B0 |MOV DWORD PTR SS:,EDI ; |
004F4634|.C645 B4 00 |MOV BYTE PTR SS:,0 ; |
004F4638|.8D55 B0 |LEA EDX,DWORD PTR SS: ; |
004F463B|.33C9 |XOR ECX,ECX ; |
004F463D|.B8 744B4F00 |MOV EAX,脱壳后.004F4B74 ; |ASCII "%1.2x"
004F4642|.E8 C15BF1FF |CALL 脱壳后.0040A208 ; \脱壳后.0040A208
004F4647|.8B55 A4 |MOV EDX,DWORD PTR SS:
004F464A|.58 |POP EAX
004F464B|.E8 48FBF0FF |CALL 脱壳后.00404198 ;真假码进行对比。与上面相同
004F4650|.0F9445 D3 |SETE BYTE PTR SS:
004F4654|.807D D3 00 |CMP BYTE PTR SS:,0
004F4658|.0F84 69040000 |JE 脱壳后.004F4AC7
004F465E|.43 |INC EBX
004F465F|.4E |DEC ESI
004F4660|.^ 0F85 54FFFFFF \JNZ 脱壳后.004F45BA
004F4666|>8D55 F8 LEA EDX,DWORD PTR SS:
再将004F4658|.0F84 69040000 |JE 脱壳后.004F4AC7这一句NOP掉继续向下走,还有最后一部分注册码:
004F4676|.E8 3D10F4FF CALL 脱壳后.004356B8
004F467B|.8D45 F4 LEA EAX,DWORD PTR SS:
004F467E|.BA 984B4F00 MOV EDX,脱壳后.004F4B98 ;ASCII "LoveYang"
004F4683|.E8 18F8F0FF CALL 脱壳后.00403EA0 ;这里又取了一个新字符 "LoveYang"
004F4688|.8D55 F8 LEA EDX,DWORD PTR SS:
004F468B|.8B45 FC MOV EAX,DWORD PTR SS:
004F468E|.E8 8D7FFFFF CALL 脱壳后.004EC620 ;还是同一个CALL对用户名进行了计算得到一个新的用户名
004F4693|.8B45 F8 MOV EAX,DWORD PTR SS:
004F4696|.E8 EDF9F0FF CALL 脱壳后.00404088
004F469B|.8945 EC MOV DWORD PTR SS:,EAX
004F469E|.8B45 F4 MOV EAX,DWORD PTR SS:
004F46A1|.E8 E2F9F0FF CALL 脱壳后.00404088
004F46A6|.8945 E8 MOV DWORD PTR SS:,EAX
004F46A9|.C745 F0 1E000>MOV DWORD PTR SS:,1E
004F46B0|.8D45 D8 LEA EAX,DWORD PTR SS:
004F46B3|.8B4D D8 MOV ECX,DWORD PTR SS:
004F46B6|.BA AC4B4F00 MOV EDX,脱壳后.004F4BAC ;ASCII "Book"
004F46BB|.E8 14FAF0FF CALL 脱壳后.004040D4
004F46C0|.8D45 D8 LEA EAX,DWORD PTR SS:
004F46C3|.B9 FF000000 MOV ECX,0FF
004F46C8|.BA 01000000 MOV EDX,1
004F46CD|.E8 FEFBF0FF CALL 脱壳后.004042D0
004F46D2|.BB 01000000 MOV EBX,1
004F46D7|>8D45 D4 /LEA EAX,DWORD PTR SS:
004F46DA|.50 |PUSH EAX
004F46DB|.8B55 EC |MOV EDX,DWORD PTR SS:
004F46DE|.2BD3 |SUB EDX,EBX
004F46E0|.42 |INC EDX
004F46E1|.B9 01000000 |MOV ECX,1
004F46E6|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F46E9|.E8 A2FBF0FF |CALL 脱壳后.00404290
004F46EE|.8D45 D8 |LEA EAX,DWORD PTR SS:
004F46F1|.8B55 D4 |MOV EDX,DWORD PTR SS:
004F46F4|.E8 97F9F0FF |CALL 脱壳后.00404090
004F46F9|.43 |INC EBX
004F46FA|.83FB 05 |CMP EBX,5
004F46FD|.^ 75 D8 \JNZ SHORT 脱壳后.004F46D7 ;这一次这个循环仍然是将新用户名倒序,同时只取前四位堆栈 "==Qe"
004F46FF|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4702|.8B55 D8 MOV EDX,DWORD PTR SS:
004F4705|.E8 96F7F0FF CALL 脱壳后.00403EA0
004F470A|.8B45 F8 MOV EAX,DWORD PTR SS:
004F470D|.E8 76F9F0FF CALL 脱壳后.00404088
004F4712|.8945 EC MOV DWORD PTR SS:,EAX
004F4715|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4718|.B9 FF000000 MOV ECX,0FF
004F471D|.BA 01000000 MOV EDX,1
004F4722|.E8 A9FBF0FF CALL 脱壳后.004042D0
004F4727|.8B75 EC MOV ESI,DWORD PTR SS:
004F472A|.85F6 TEST ESI,ESI
004F472C|.7E 2B JLE SHORT 脱壳后.004F4759
004F472E|.BB 01000000 MOV EBX,1
004F4733|>8D45 D4 /LEA EAX,DWORD PTR SS:
004F4736|.50 |PUSH EAX
004F4737|.8B55 EC |MOV EDX,DWORD PTR SS:
004F473A|.2BD3 |SUB EDX,EBX
004F473C|.42 |INC EDX
004F473D|.B9 01000000 |MOV ECX,1
004F4742|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F4745|.E8 46FBF0FF |CALL 脱壳后.00404290
004F474A|.8D45 D8 |LEA EAX,DWORD PTR SS:
004F474D|.8B55 D4 |MOV EDX,DWORD PTR SS:
004F4750|.E8 3BF9F0FF |CALL 脱壳后.00404090
004F4755|.43 |INC EBX
004F4756|.4E |DEC ESI
004F4757|.^ 75 DA \JNZ SHORT 脱壳后.004F4733
004F4759|>8D45 F8 LEA EAX,DWORD PTR SS:
004F475C|.8B55 D8 MOV EDX,DWORD PTR SS:
004F475F|.E8 3CF7F0FF CALL 脱壳后.00403EA0
004F4764|.8D45 E0 LEA EAX,DWORD PTR SS:
004F4767|.B9 FF000000 MOV ECX,0FF
004F476C|.BA 01000000 MOV EDX,1
004F4771|.E8 5AFBF0FF CALL 脱壳后.004042D0
004F4776|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4779|.B9 FF000000 MOV ECX,0FF
004F477E|.BA 01000000 MOV EDX,1
004F4783|.E8 48FBF0FF CALL 脱壳后.004042D0
004F4788|.C745 E4 01000>MOV DWORD PTR SS:,1
004F478F|.C645 DE 01 MOV BYTE PTR SS:,1
004F4793|>8D45 E0 /LEA EAX,DWORD PTR SS:
004F4796|.50 |PUSH EAX
004F4797|.8B4D E8 |MOV ECX,DWORD PTR SS:
004F479A|.8B55 E4 |MOV EDX,DWORD PTR SS:
004F479D|.8B45 F8 |MOV EAX,DWORD PTR SS:
004F47A0|.E8 EBFAF0FF |CALL 脱壳后.00404290
004F47A5|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F47A8|.0345 E8 |ADD EAX,DWORD PTR SS:
004F47AB|.48 |DEC EAX
004F47AC|.3B45 EC |CMP EAX,DWORD PTR SS:
004F47AF|.7E 16 |JLE SHORT 脱壳后.004F47C7
004F47B1|.8B45 EC |MOV EAX,DWORD PTR SS:
004F47B4|.40 |INC EAX
004F47B5|.2B45 E4 |SUB EAX,DWORD PTR SS:
004F47B8|.8945 E8 |MOV DWORD PTR SS:,EAX
004F47BB|.807D DE 00 |CMP BYTE PTR SS:,0
004F47BF|.74 06 |JE SHORT 脱壳后.004F47C7
004F47C1|.8B45 EC |MOV EAX,DWORD PTR SS:
004F47C4|.8945 E8 |MOV DWORD PTR SS:,EAX
004F47C7|>C645 DE 00 |MOV BYTE PTR SS:,0
004F47CB|.8B75 E8 |MOV ESI,DWORD PTR SS:
004F47CE|.85F6 |TEST ESI,ESI
004F47D0|.7E 47 |JLE SHORT 脱壳后.004F4819
004F47D2|.BB 01000000 |MOV EBX,1
004F47D7|>8B45 E0 |/MOV EAX,DWORD PTR SS: ;仍然是和上面一样的运算
004F47DA|.0FB67C18 FF ||MOVZX EDI,BYTE PTR DS:
004F47DF|.8B45 F4 ||MOV EAX,DWORD PTR SS:
004F47E2|.0FB64418 FF ||MOVZX EAX,BYTE PTR DS:
004F47E7|.33F8 ||XOR EDI,EAX
004F47E9|.8D45 E0 ||LEA EAX,DWORD PTR SS:
004F47EC|.B9 01000000 ||MOV ECX,1
004F47F1|.8BD3 ||MOV EDX,EBX
004F47F3|.E8 D8FAF0FF ||CALL 脱壳后.004042D0
004F47F8|.8BC7 ||MOV EAX,EDI
004F47FA|.8845 DF ||MOV BYTE PTR SS:,AL
004F47FD|.8D45 A0 ||LEA EAX,DWORD PTR SS:
004F4800|.8A55 DF ||MOV DL,BYTE PTR SS:
004F4803|.E8 A8F7F0FF ||CALL 脱壳后.00403FB0
004F4808|.8B45 A0 ||MOV EAX,DWORD PTR SS:
004F480B|.8D55 E0 ||LEA EDX,DWORD PTR SS:
004F480E|.8BCB ||MOV ECX,EBX
004F4810|.E8 03FBF0FF ||CALL 脱壳后.00404318
004F4815|.43 ||INC EBX
004F4816|.4E ||DEC ESI
004F4817|.^ 75 BE |\JNZ SHORT 脱壳后.004F47D7
004F4819|>8D45 D8 |LEA EAX,DWORD PTR SS: ;循环计算得到29,3e,4b,58,设为N
004F481C|.8B55 E0 |MOV EDX,DWORD PTR SS:
004F481F|.E8 6CF8F0FF |CALL 脱壳后.00404090
004F4824|.8B45 E8 |MOV EAX,DWORD PTR SS:
004F4827|.0145 E4 |ADD DWORD PTR SS:,EAX
004F482A|.8B45 E4 |MOV EAX,DWORD PTR SS:
004F482D|.3B45 EC |CMP EAX,DWORD PTR SS:
004F4830|.^ 0F8E 5DFFFFFF \JLE 脱壳后.004F4793
004F4836|.8D45 F8 LEA EAX,DWORD PTR SS:
004F4839|.8B55 D8 MOV EDX,DWORD PTR SS:
004F483C|.E8 5FF6F0FF CALL 脱壳后.00403EA0
004F4841|.8D45 D8 LEA EAX,DWORD PTR SS:
004F4844|.B9 FF000000 MOV ECX,0FF
004F4849|.BA 01000000 MOV EDX,1
004F484E|.E8 7DFAF0FF CALL 脱壳后.004042D0
004F4853|.8D55 D8 LEA EDX,DWORD PTR SS:
004F4856|.A1 A8884F00 MOV EAX,DWORD PTR DS:
004F485B|.8B00 MOV EAX,DWORD PTR DS:
004F485D|.8B80 EC020000 MOV EAX,DWORD PTR DS:
004F4863|.E8 500EF4FF CALL 脱壳后.004356B8
004F4868|.8B75 EC MOV ESI,DWORD PTR SS:
004F486B|.85F6 TEST ESI,ESI
004F486D|.0F8E B1000000 JLE 脱壳后.004F4924
004F4873|.BB 01000000 MOV EBX,1
004F4878|>8B45 F8 /MOV EAX,DWORD PTR SS: ;这里进行第三组注册码的对比
004F487B|.0FB67C18 FF |MOVZX EDI,BYTE PTR DS:
004F4880|.037D F0 |ADD EDI,DWORD PTR SS:
004F4883|.81FF FF000000 |CMP EDI,0FF
004F4889|.7E 06 |JLE SHORT 脱壳后.004F4891
004F488B|.81EF FF000000 |SUB EDI,0FF
004F4891|>85FF |TEST EDI,EDI
004F4893|.7D 06 |JGE SHORT 脱壳后.004F489B
004F4895|.81C7 FF000000 |ADD EDI,0FF
004F489B|>8D45 C4 |LEA EAX,DWORD PTR SS:
004F489E|.8BD3 |MOV EDX,EBX
004F48A0|.4A |DEC EDX
004F48A1|.03D2 |ADD EDX,EDX
004F48A3|.8B4D D8 |MOV ECX,DWORD PTR SS:
004F48A6|.8A1411 |MOV DL,BYTE PTR DS:
004F48A9|.8850 01 |MOV BYTE PTR DS:,DL
004F48AC|.C600 01 |MOV BYTE PTR DS:,1
004F48AF|.8D55 C4 |LEA EDX,DWORD PTR SS:
004F48B2|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F48B5|.E8 F2E2F0FF |CALL 脱壳后.00402BAC
004F48BA|.8D45 BC |LEA EAX,DWORD PTR SS:
004F48BD|.8BD3 |MOV EDX,EBX
004F48BF|.4A |DEC EDX
004F48C0|.03D2 |ADD EDX,EDX
004F48C2|.8B4D D8 |MOV ECX,DWORD PTR SS:
004F48C5|.8A5411 01 |MOV DL,BYTE PTR DS:
004F48C9|.8850 01 |MOV BYTE PTR DS:,DL
004F48CC|.C600 01 |MOV BYTE PTR DS:,1
004F48CF|.8D55 BC |LEA EDX,DWORD PTR SS:
004F48D2|.8D45 C0 |LEA EAX,DWORD PTR SS:
004F48D5|.B1 02 |MOV CL,2
004F48D7|.E8 A0E2F0FF |CALL 脱壳后.00402B7C
004F48DC|.8D55 C0 |LEA EDX,DWORD PTR SS:
004F48DF|.8D45 9C |LEA EAX,DWORD PTR SS:
004F48E2|.E8 45F7F0FF |CALL 脱壳后.0040402C
004F48E7|.8B45 9C |MOV EAX,DWORD PTR SS:
004F48EA|.50 |PUSH EAX
004F48EB|.8D45 98 |LEA EAX,DWORD PTR SS:
004F48EE|.50 |PUSH EAX ; /Arg1
004F48EF|.897D B0 |MOV DWORD PTR SS:,EDI ; |
004F48F2|.C645 B4 00 |MOV BYTE PTR SS:,0 ; |
004F48F6|.8D55 B0 |LEA EDX,DWORD PTR SS: ; |
004F48F9|.33C9 |XOR ECX,ECX ; |
004F48FB|.B8 744B4F00 |MOV EAX,脱壳后.004F4B74 ; |ASCII "%1.2x"
004F4900|.E8 0359F1FF |CALL 脱壳后.0040A208 ; \脱壳后.0040A208
004F4905|.8B55 98 |MOV EDX,DWORD PTR SS:
004F4908|.58 |POP EAX
004F4909|.E8 8AF8F0FF |CALL 脱壳后.00404198
004F490E|.0F9445 D3 |SETE BYTE PTR SS:
004F4912|.807D D3 00 |CMP BYTE PTR SS:,0
004F4916|.0F84 AB010000 |JE 脱壳后.004F4AC7
004F491C|.43 |INC EBX
004F491D|.4E |DEC ESI
004F491E|.^ 0F85 54FFFFFF \JNZ 脱壳后.004F4878
004F4924|>807D D3 00 CMP BYTE PTR SS:,0
004F4928|.0F84 99010000 JE 脱壳后.004F4AC7
在我们运行到上面这个JE时发现程序又跳向了失败:
004F4924|> \807D D3 00 CMP BYTE PTR SS:,0
004F4928|.0F84 99010000 JE 脱壳后.004F4AC7 ;即使我们将上面几个JENOP掉,程序走到这里时还会在这里跳向失败,原因很简单,就是因为CALL 00404198时对比时真假码不符合,BYTE PTR SS:为0的缘故,所以在爆破不能忘记这里也要NOP才行。但实际上也只是在这一次爆破了,程序重启时还要求注册。
004F492E|.B2 01 MOV DL,1
下面是几个CALL跟进的情况
CALL 004EC620跟进:
004EC620/$55 PUSH EBP
004EC621|.8BEC MOV EBP,ESP
004EC623|.6A 00 PUSH 0
004EC625|.6A 00 PUSH 0
004EC627|.6A 00 PUSH 0
004EC629|.53 PUSH EBX
004EC62A|.8BDA MOV EBX,EDX
004EC62C|.33C0 XOR EAX,EAX
004EC62E|.55 PUSH EBP
004EC62F|.68 B1C64E00 PUSH 脱壳后.004EC6B1
004EC634|.64:FF30 PUSH DWORD PTR FS:
004EC637|.64:8920 MOV DWORD PTR FS:,ESP
004EC63A|.B2 01 MOV DL,1
004EC63C|.A1 18A14A00 MOV EAX,DWORD PTR DS:
004EC641|.E8 26DBFBFF CALL 脱壳后.004AA16C
004EC646|.8945 FC MOV DWORD PTR SS:,EAX
004EC649|.33C0 XOR EAX,EAX
004EC64B|.55 PUSH EBP
004EC64C|.68 8FC64E00 PUSH 脱壳后.004EC68F
004EC651|.64:FF30 PUSH DWORD PTR FS:
004EC654|.64:8920 MOV DWORD PTR FS:,ESP
004EC657|.8D45 F8 LEA EAX,DWORD PTR SS:
004EC65A|.8B13 MOV EDX,DWORD PTR DS: ;这里注意了,程序取出了我们的用户名
004EC65C|.E8 3F78F1FF CALL 脱壳后.00403EA0
004EC661|.8D4D F4 LEA ECX,DWORD PTR SS:
004EC664|.8B55 F8 MOV EDX,DWORD PTR SS:
004EC667|.8B45 FC MOV EAX,DWORD PTR SS:
004EC66A|.E8 E9DBFBFF CALL 脱壳后.004AA258 ;继续跟进这个CALL。
004EC66F|.8BC3 MOV EAX,EBX
004EC671|.8B55 F4 MOV EDX,DWORD PTR SS:
CALL 004AA258跟进:
004AA258/$55 PUSH EBP
004AA259|.8BEC MOV EBP,ESP
004AA25B|.83C4 E0 ADD ESP,-20
004AA25E|.53 PUSH EBX
004AA25F|.56 PUSH ESI
004AA260|.57 PUSH EDI
004AA261|.33DB XOR EBX,EBX
004AA263|.895D E0 MOV DWORD PTR SS:,EBX
004AA266|.895D E4 MOV DWORD PTR SS:,EBX
004AA269|.895D E8 MOV DWORD PTR SS:,EBX
004AA26C|.895D EC MOV DWORD PTR SS:,EBX
004AA26F|.8BF1 MOV ESI,ECX
004AA271|.8955 F8 MOV DWORD PTR SS:,EDX
004AA274|.8945 FC MOV DWORD PTR SS:,EAX
004AA277|.8B45 F8 MOV EAX,DWORD PTR SS:
004AA27A|.E8 BD9FF5FF CALL 脱壳后.0040423C
004AA27F|.33C0 XOR EAX,EAX
004AA281|.55 PUSH EBP
004AA282|.68 13A44A00 PUSH 脱壳后.004AA413
004AA287|.64:FF30 PUSH DWORD PTR FS:
004AA28A|.64:8920 MOV DWORD PTR FS:,ESP
004AA28D|.8BC6 MOV EAX,ESI
004AA28F|.E8 749BF5FF CALL 脱壳后.00403E08
004AA294|.8B45 F8 MOV EAX,DWORD PTR SS:
004AA297|.E8 EC9DF5FF CALL 脱壳后.00404088
004AA29C|.8BF8 MOV EDI,EAX
004AA29E|.C745 F4 01000>MOV DWORD PTR SS:,1
004AA2A5|.85FF TEST EDI,EDI
004AA2A7|.75 07 JNZ SHORT 脱壳后.004AA2B0
004AA2A9|.33DB XOR EBX,EBX
004AA2AB|.E9 40010000 JMP 脱壳后.004AA3F0
004AA2B0|>8B45 F8 /MOV EAX,DWORD PTR SS: ;取用户名
004AA2B3|.8B55 F4 |MOV EDX,DWORD PTR SS:
004AA2B6|.8A5C10 FF |MOV BL,BYTE PTR DS: ;按序取用户名每一位字符的ASCII码
004AA2BA|.FF45 F4 |INC DWORD PTR SS:
004AA2BD|.4F |DEC EDI
004AA2BE|.33C0 |XOR EAX,EAX
004AA2C0|.8AC3 |MOV AL,BL
004AA2C2|.C1E8 02 |SHR EAX,2 ;ASCII码向右位移两位
004AA2C5|.8845 F3 |MOV BYTE PTR SS:,AL
004AA2C8|.8D4D F2 |LEA ECX,DWORD PTR SS:
004AA2CB|.8A55 F3 |MOV DL,BYTE PTR SS:
004AA2CE|.8B45 FC |MOV EAX,DWORD PTR SS:
004AA2D1|.E8 D2FEFFFF |CALL 脱壳后.004AA1A8 ;这个CALL是用计算出来的值到字典里寻找相应的字符
004AA2D6|.84C0 |TEST AL,AL
004AA2D8|.75 07 |JNZ SHORT 脱壳后.004AA2E1
004AA2DA|.B3 01 |MOV BL,1
004AA2DC|.E9 0F010000 |JMP 脱壳后.004AA3F0
004AA2E1|>8D45 EC |LEA EAX,DWORD PTR SS:
004AA2E4|.8A55 F2 |MOV DL,BYTE PTR SS:
004AA2E7|.E8 C49CF5FF |CALL 脱壳后.00403FB0
004AA2EC|.8B55 EC |MOV EDX,DWORD PTR SS:
004AA2EF|.8BC6 |MOV EAX,ESI
004AA2F1|.E8 9A9DF5FF |CALL 脱壳后.00404090
004AA2F6|.8BC3 |MOV EAX,EBX
004AA2F8|.85FF |TEST EDI,EDI
004AA2FA|.75 04 |JNZ SHORT 脱壳后.004AA300 ;看看用户名有没有计算完,计算结束就跳走
004AA2FC|.33DB |XOR EBX,EBX
004AA2FE|.EB 0D |JMP SHORT 脱壳后.004AA30D
004AA300|>8B55 F8 |MOV EDX,DWORD PTR SS: ;这里和上面差不多了,只是计算方法不同
004AA303|.8B4D F4 |MOV ECX,DWORD PTR SS:
004AA306|.8A5C0A FF |MOV BL,BYTE PTR DS:
004AA30A|.FF45 F4 |INC DWORD PTR SS:
004AA30D|>4F |DEC EDI
004AA30E|.24 03 |AND AL,3 ;将上一个字符的ASCII码与3进行AND运算
004AA310|.C1E0 04 |SHL EAX,4 ;运算结果再向左位移四位
004AA313|.33D2 |XOR EDX,EDX
004AA315|.8AD3 |MOV DL,BL
004AA317|.C1EA 04 |SHR EDX,4 ;第二个字符的ASCII码进行向右位移四位的运算
004AA31A|.02C2 |ADD AL,DL ;上面两者相加
004AA31C|.8845 F3 |MOV BYTE PTR SS:,AL
004AA31F|.8D4D F2 |LEA ECX,DWORD PTR SS:
004AA322|.8A55 F3 |MOV DL,BYTE PTR SS:
004AA325|.8B45 FC |MOV EAX,DWORD PTR SS:
004AA328|.E8 7BFEFFFF |CALL 脱壳后.004AA1A8 ;查字典
004AA32D|.84C0 |TEST AL,AL
004AA32F|.75 07 |JNZ SHORT 脱壳后.004AA338
004AA331|.B3 01 |MOV BL,1
004AA333|.E9 B8000000 |JMP 脱壳后.004AA3F0
004AA338|>8D45 E8 |LEA EAX,DWORD PTR SS:
004AA33B|.8A55 F2 |MOV DL,BYTE PTR SS:
004AA33E|.E8 6D9CF5FF |CALL 脱壳后.00403FB0
004AA343|.8B55 E8 |MOV EDX,DWORD PTR SS:
004AA346|.8BC6 |MOV EAX,ESI
004AA348|.E8 439DF5FF |CALL 脱壳后.00404090
004AA34D|.8BC3 |MOV EAX,EBX
004AA34F|.85FF |TEST EDI,EDI
004AA351|.7D 06 |JGE SHORT 脱壳后.004AA359 ;看看用户名有没有计算完,没有就继续,完了就用“3D”填充,也就是“=”。
004AA353|.C645 F2 3D |MOV BYTE PTR SS:,3D
004AA357|.EB 3D |JMP SHORT 脱壳后.004AA396
004AA359|>85FF |TEST EDI,EDI
004AA35B|.75 04 |JNZ SHORT 脱壳后.004AA361
004AA35D|.33DB |XOR EBX,EBX
004AA35F|.EB 0D |JMP SHORT 脱壳后.004AA36E
004AA361|>8B55 F8 |MOV EDX,DWORD PTR SS: ;继续对用户名进行计算
004AA364|.8B4D F4 |MOV ECX,DWORD PTR SS:
004AA367|.8A5C0A FF |MOV BL,BYTE PTR DS:
004AA36B|.FF45 F4 |INC DWORD PTR SS:
004AA36E|>4F |DEC EDI
004AA36F|.24 0F |AND AL,0F ;上一个字符的ASCII码与0F进行AND运算
004AA371|.C1E0 02 |SHL EAX,2 ;再各左位移两位
004AA374|.33D2 |XOR EDX,EDX
004AA376|.8AD3 |MOV DL,BL
004AA378|.C1EA 06 |SHR EDX,6 ;第三个字符的ASCII码向右位移六位
004AA37B|.02C2 |ADD AL,DL ;两者相加
004AA37D|.8845 F3 |MOV BYTE PTR SS:,AL
004AA380|.8D4D F2 |LEA ECX,DWORD PTR SS:
004AA383|.8A55 F3 |MOV DL,BYTE PTR SS:
004AA386|.8B45 FC |MOV EAX,DWORD PTR SS:
004AA389|.E8 1AFEFFFF |CALL 脱壳后.004AA1A8 ;查字典
004AA38E|.84C0 |TEST AL,AL
004AA390|.75 04 |JNZ SHORT 脱壳后.004AA396
004AA392|.B3 01 |MOV BL,1
004AA394|.EB 5A |JMP SHORT 脱壳后.004AA3F0
004AA396|>8D45 E4 |LEA EAX,DWORD PTR SS:
004AA399|.8A55 F2 |MOV DL,BYTE PTR SS:
004AA39C|.E8 0F9CF5FF |CALL 脱壳后.00403FB0
004AA3A1|.8B55 E4 |MOV EDX,DWORD PTR SS:
004AA3A4|.8BC6 |MOV EAX,ESI
004AA3A6|.E8 E59CF5FF |CALL 脱壳后.00404090
004AA3AB|.85FF |TEST EDI,EDI
004AA3AD|.7D 06 |JGE SHORT 脱壳后.004AA3B5
004AA3AF|.C645 F2 3D |MOV BYTE PTR SS:,3D
004AA3B3|.EB 1C |JMP SHORT 脱壳后.004AA3D1
004AA3B5|>80E3 3F |AND BL,3F ;上一个字符的ASCII码与3F作AND运算
004AA3B8|.885D F3 |MOV BYTE PTR SS:,BL
004AA3BB|.8D4D F2 |LEA ECX,DWORD PTR SS:
004AA3BE|.8A55 F3 |MOV DL,BYTE PTR SS:
004AA3C1|.8B45 FC |MOV EAX,DWORD PTR SS:
004AA3C4|.E8 DFFDFFFF |CALL 脱壳后.004AA1A8 ;查字典
004AA3C9|.84C0 |TEST AL,AL
004AA3CB|.75 04 |JNZ SHORT 脱壳后.004AA3D1
004AA3CD|.B3 01 |MOV BL,1
004AA3CF|.EB 1F |JMP SHORT 脱壳后.004AA3F0
004AA3D1|>8D45 E0 |LEA EAX,DWORD PTR SS:
004AA3D4|.8A55 F2 |MOV DL,BYTE PTR SS:
004AA3D7|.E8 D49BF5FF |CALL 脱壳后.00403FB0
004AA3DC|.8B55 E0 |MOV EDX,DWORD PTR SS:
004AA3DF|.8BC6 |MOV EAX,ESI
004AA3E1|.E8 AA9CF5FF |CALL 脱壳后.00404090
004AA3E6|.85FF |TEST EDI,EDI
004AA3E8|.^ 0F8F C2FEFFFF \JG 脱壳后.004AA2B0 ;没有计算完就跳回继续。
004AA3EE|.33DB XOR EBX,EBX
004AA3F0|>33C0 XOR EAX,EAX
004AA3F2|.5A POP EDX
004AA3F3|.59 POP ECX
004AA3F4|.59 POP ECX
004AA3F5|.64:8910 MOV DWORD PTR FS:,EDX
004AA3F8|.68 1AA44A00 PUSH 脱壳后.004AA41A
004AA3FD|>8D45 E0 LEA EAX,DWORD PTR SS:
004AA400|.BA 04000000 MOV EDX,4
004AA405|.E8 229AF5FF CALL 脱壳后.00403E2C
004AA40A|.8D45 F8 LEA EAX,DWORD PTR SS:
004AA40D|.E8 F699F5FF CALL 脱壳后.00403E08
004AA412\.C3 RETN
004AA413 .^ E9 E893F5FF JMP 脱壳后.00403800
004AA418 .^ EB E3 JMP SHORT 脱壳后.004AA3FD
004AA41A .8BC3 MOV EAX,EBX
004AA41C .5F POP EDI
004AA41D .5E POP ESI
004AA41E .5B POP EBX
004AA41F .8BE5 MOV ESP,EBP
004AA421 .5D POP EBP ;经过上面的计算得到了一个新的用户名,程序走到这里时可以在堆栈中看到。0012F144|00C61104ASCII "eHhoeQ=="
004AA422 .C3 RETN
CALL 004AA1A8跟进:
004AA1A8/$B0 01 MOV AL,1
004AA1AA|.80FA 3F CMP DL,3F
004AA1AD|.76 03 JBE SHORT 脱壳后.004AA1B2
004AA1AF|.33C0 XOR EAX,EAX
004AA1B1|.C3 RETN
004AA1B2|>81E2 FF000000 AND EDX,0FF
004AA1B8 8A92 49794F00 MOV DL,BYTE PTR DS: ;4F7949处是字典,按EDX+4F7949的值在字典里查找字符
004AA1BE|.8811 MOV BYTE PTR DS:,DL
004AA1C0\.C3 RETN
4F7949字典:
004F794941 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50ABCDEFGHIJKLMNOP
004F795951 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66QRSTUVWXYZabcdef
004F796967 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76ghijklmnopqrstuv
004F797977 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2Fwxyz0123456789+/
------------------------------------------------------------------------
【破解总结】算法过程是这样的:
1、将用户名经过一定的计算,再根据这个结果在字典中取相应的字符,得到新的用户名,设为X
2、将X的每一位字符的ASCII码与"Loveada99"的每一位字符的ASCII码作异或运算并加上固定值H64,取后四位就是第一组注册码。
3、将X倒序后的每一位字符的ASCII码与"BestLove"的每一位字符的ASCII码作异或运算并加上固定值H14,取后四位就是第二组注册码。
4、将X倒序后的每一位字符的ASCII码与"LoveYang"的每一位字符的ASCII码作异或运算后取前四位,加上固定值H1e后就是第二组注册码。
------------------------------------------------------------------------
【版权声明】 支持.
Borland Delphi 的万能断点是怎样的
我用别的断点断下后要走很远才能到关键地方 看不懂 郁闷 分析的不错啊,
3楼看不懂的朋友,建议你多看几遍。
或者直接去下载回来,照着练习看看。 支持楼主!!!!! 学习学习谢谢分享 看看啊,到底如何 慢慢学习,谢谢了! 里面真的很不错,学习了 就这代码!只分析都要半天!佩服搂住
页:
[1]