Analysis of a "decoding" crackme (CM)
This post was last edited by Mrack on 2016-8-14 19:18.
Reference on JPG file structure analysis: http://m.blog.csdn.net/article/details?id=50725720
CM source:
http://www.52pojie.cn/thread-524632-1-1.html
@onmiuncai
In the "success" screenshot the author posted you can see an image.
Extracting it directly with exeinfope shows it is a JPG file,
but it will not open; the viewer reports that the image is corrupt.
So look at the image data in C32Asm
and check whether the data in each segment is normal.
SOI              FFD8
APP0             FFE000104A46494600010101006000600000
COM              (no COM segment)
DQT(1)           FFDB004300080606070605080707070909080A0C140D0C0B00001912130F141D1A1F1E1D1A1C1C20242E2720222C231C1C2837292C30313434341F27393D38323C2E333432
DQT(2)           FFDB0043010909090C0B0C180D0D1832211C213232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232
SOF0             FFDA000C03010002100311000001F11B3560
DHT(1)           FFC4001A000002030101000000000000000000000000010203040506
DHT(2)           C3A0001801010101010100000000000000000000000001020304
Component count  03
Y component      0100
Cb component     0210
Cr component     0000
From this we can see that:
the DHT(2) segment marker and segment type are wrong;
the Cr component's component ID and Huffman table number are missing.
Patch them back in with C32Asm
and the image opens normally.
Next, open the CM in OD (OllyDbg) and analyse how it fills these fields from the registration code.
In OD, find the image's byte set and locate where that byte set is used.
There we see an instruction like
mov ebx,0x406320
which loads the pointer of the command to be called into ebx, and the command is then called through it.
Analysing 00406320 shows it is the CALL for the E-language (易语言) byte-set replacement command (字节集替换).
Set a breakpoint on this CALL and enter 12345678 as the code to validate.
In the listings below the E-language runtime symbols keep their original names: 位异或 = bitwise XOR, 调用命令 = invoke command, 到字节 = to byte, 到字节集 = to byte set, 字符连接 = string concatenation, 释放变量空间 = free variable space, 重定义数组 = redefine array, 程序异常 = program exception, 字节集替换 = byte-set replace.
00401E83  /$  55                push ebp
00401E84  |.  8BEC              mov ebp,esp
00401E86  |.  81EC 54000000     sub esp,0x54
00401E8C  |.  C745 FC 00000>    mov dword ptr [ebp-0x4],0x0
00401E93  |.  C745 F8 00000>    mov dword ptr [ebp-0x8],0x0
00401E9A  |.  C745 F4 00000>    mov dword ptr [ebp-0xC],0x0
00401EA1  |.  C745 F0 00000>    mov dword ptr [ebp-0x10],0x0
00401EA8  |.  C745 EC 00000>    mov dword ptr [ebp-0x14],0x0
00401EAF  |.  C745 E8 00000>    mov dword ptr [ebp-0x18],0x0
00401EB6  |.  C745 E4 00000>    mov dword ptr [ebp-0x1C],0x0
00401EBD  |.  68 01030080       push 0x80000301
00401EC2  |.  6A 00             push 0x0
00401EC4  |.  FF75 08           push [ebp+0x8]                 ; 4th character of the code
00401EC7  |.  68 01030080       push 0x80000301
00401ECC  |.  6A 00             push 0x0
00401ECE  |.  68 73000000       push 0x73
00401ED3  |.  68 02000000       push 0x2
00401ED8  |.  BB E0594000       mov ebx,<CM.位异或>
00401EDD  |.  E8 B2360000       call CM.00405594               ; jmp to <CM.调用命令>
00401EE2  |.  83C4 1C           add esp,0x1C
00401EE5  |.  8945 FC           mov [ebp-0x4],eax
00401EE8  |.  68 01030080       push 0x80000301
00401EED  |.  6A 00             push 0x0
00401EEF  |.  FF75 0C           push [ebp+0xC]                 ; 8th character of the code
00401EF2  |.  68 01030080       push 0x80000301
00401EF7  |.  6A 00             push 0x0
00401EF9  |.  68 7B000000       push 0x7B
00401EFE  |.  68 02000000       push 0x2
00401F03  |.  BB E0594000       mov ebx,<CM.位异或>
00401F08  |.  E8 87360000       call CM.00405594               ; jmp to <CM.调用命令>
00401F0D  |.  83C4 1C           add esp,0x1C
00401F10  |.  8945 F8           mov [ebp-0x8],eax
00401F13  |.  837D 10 38        cmp dword ptr [ebp+0x10],0x38
00401F17  |.  0F85 27010000     jnz CM.00402044
00401F1D  |.  68 01030080       push 0x80000301
00401F22  |.  6A 00             push 0x0
00401F24  |.  FF75 FC           push [ebp-0x4]
00401F27  |.  68 01000000       push 0x1
00401F2C  |.  BB 505F4000       mov ebx,<CM.到字节>
00401F31  |.  E8 5E360000       call CM.00405594               ; jmp to <CM.调用命令>
00401F36  |.  83C4 10           add esp,0x10
00401F39  |.  68 01010080       push 0x80000101
00401F3E  |.  6A 00             push 0x0
00401F40  |.  50                push eax
00401F41  |.  68 01000000       push 0x1
00401F46  |.  BB 50604000       mov ebx,<CM.到字节集>
00401F4B  |.  E8 44360000       call CM.00405594               ; jmp to <CM.调用命令>
00401F50  |.  83C4 10           add esp,0x10
00401F53  |.  8945 DC           mov [ebp-0x24],eax
00401F56  |.  68 01030080       push 0x80000301
00401F5B  |.  6A 00             push 0x0
00401F5D  |.  FF75 F8           push [ebp-0x8]
00401F60  |.  68 01000000       push 0x1
00401F65  |.  BB 505F4000       mov ebx,<CM.到字节>
00401F6A  |.  E8 25360000       call CM.00405594               ; jmp to <CM.调用命令>
00401F6F  |.  83C4 10           add esp,0x10
00401F72  |.  68 01010080       push 0x80000101
00401F77  |.  6A 00             push 0x0
00401F79  |.  50                push eax
00401F7A  |.  68 01000000       push 0x1
00401F7F  |.  BB 50604000       mov ebx,<CM.到字节集>
00401F84  |.  E8 0B360000       call CM.00405594               ; jmp to <CM.调用命令>
00401F89  |.  83C4 10           add esp,0x10
00401F8C  |.  8945 D4           mov [ebp-0x2C],eax
00401F8F  |.  FF75 D4           push [ebp-0x2C]
00401F92  |.  FF75 DC           push [ebp-0x24]
00401F95  |.  B9 02000000       mov ecx,0x2
00401F9A  |.  E8 E8F3FFFF       call <CM.字符连接>
00401F9F  |.  83C4 08           add esp,0x8
00401FA2  |.  8945 D0           mov [ebp-0x30],eax
00401FA5  |.  8B5D DC           mov ebx,[ebp-0x24]
00401FA8  |.  85DB              test ebx,ebx
00401FAA  |.  74 09             je short CM.00401FB5
00401FAC  |.  53                push ebx
00401FAD  |.  E8 DC350000       call CM.0040558E               ; jmp to <CM.释放变量空间>
00401FB2  |.  83C4 04           add esp,0x4
00401FB5  |>  8B5D D4           mov ebx,[ebp-0x2C]
00401FB8  |.  85DB              test ebx,ebx
00401FBA  |.  74 09             je short CM.00401FC5
00401FBC  |.  53                push ebx
00401FBD  |.  E8 CC350000       call CM.0040558E               ; jmp to <CM.释放变量空间>
00401FC2  |.  83C4 04           add esp,0x4
00401FC5  |>  68 05000080       push 0x80000005
00401FCA  |.  6A 00             push 0x0
00401FCC  |.  8B45 D0           mov eax,[ebp-0x30]
00401FCF  |.  85C0              test eax,eax
00401FD1  |.  75 05             jnz short CM.00401FD8
00401FD3  |.  B8 19014A00       mov eax,CM.004A0119
00401FD8  |>  50                push eax
00401FD9  |.  68 01030080       push 0x80000301
00401FDE  |.  6A 00             push 0x0
00401FE0  |.  68 02000000       push 0x2
00401FE5  |.  68 01030080       push 0x80000301
00401FEA  |.  6A 00             push 0x0
00401FEC  |.  68 F1000000       push 0xF1
00401FF1  |.  68 05000080       push 0x80000005
00401FF6  |.  6A 00             push 0x0
00401FF8  |.  68 21014A00       push CM.004A0121
00401FFD  |.  68 04000000       push 0x4
00402002  |.  BB 20634000       mov ebx,<CM.字节集替换>
00402007  |.  E8 88350000       call CM.00405594               ; jmp to <CM.调用命令>
0040200C  |.  83C4 34           add esp,0x34
This code replaces the bytes at offset 0xF0 of the image.
The 4th character XOR 0x73 gives the Cr component's component ID.
The 8th character XOR 0x7B gives its Huffman table number.
XOR 03 and 10 with 0x73 and 0x7B respectively to recover the 4th and 8th characters of the registration code:
the 4th character is p, the 8th is k.
Press F9 to run on.
00401971  |.  68 01030080       push 0x80000301
00401976  |.  6A 00             push 0x0
00401978  |.  8B5D DC           mov ebx,[ebp-0x24]
0040197B  |.  FF33              push dword ptr ds:[ebx]        ; 3rd character of the code
0040197D  |.  68 01030080       push 0x80000301
00401982  |.  6A 00             push 0x0
00401984  |.  68 9E000000       push 0x9E
00401989  |.  68 02000000       push 0x2
0040198E  |.  BB E0594000       mov ebx,<CM.位异或>
00401993  |.  E8 FC3B0000       call CM.00405594               ; jmp to <CM.调用命令>
00401998  |.  83C4 1C           add esp,0x1C
0040199B  |.  8945 E4           mov [ebp-0x1C],eax
0040199E  |.  8B5D F0           mov ebx,[ebp-0x10]
004019A1  |.  E8 C1F9FFFF       call <CM.重定义数组>
004019A6  |.  B8 04000000       mov eax,0x4
004019AB  |.  3BC1              cmp eax,ecx
004019AD  |.  7C 0D             jl short CM.004019BC
004019AF  |.  68 01000000       push 0x1
004019B4  |.  E8 ED3B0000       call CM.004055A6               ; jmp to <CM.程序异常>
004019B9  |.  83C4 04           add esp,0x4
004019BC  |>  C1E0 02           shl eax,0x2
004019BF  |.  03D8              add ebx,eax
004019C1  |.  895D DC           mov [ebp-0x24],ebx
004019C4  |.  68 01030080       push 0x80000301
004019C9  |.  6A 00             push 0x0
004019CB  |.  8B5D DC           mov ebx,[ebp-0x24]
004019CE  |.  FF33              push dword ptr ds:[ebx]        ; 5th character of the code
004019D0  |.  68 01030080       push 0x80000301
004019D5  |.  6A 00             push 0x0
004019D7  |.  68 B7000000       push 0xB7
004019DC  |.  68 02000000       push 0x2
004019E1  |.  BB E0594000       mov ebx,<CM.位异或>
004019E6  |.  E8 A93B0000       call CM.00405594               ; jmp to <CM.调用命令>
004019EB  |.  83C4 1C           add esp,0x1C
004019EE  |.  8945 E0           mov [ebp-0x20],eax
004019F1  |.  68 01030080       push 0x80000301
004019F6  |.  6A 00             push 0x0
004019F8  |.  FF75 E4           push [ebp-0x1C]
004019FB  |.  68 01000000       push 0x1
00401A00  |.  BB 505F4000       mov ebx,<CM.到字节>
00401A05  |.  E8 8A3B0000       call CM.00405594               ; jmp to <CM.调用命令>
00401A0A  |.  83C4 10           add esp,0x10
00401A0D  |.  68 01010080       push 0x80000101
00401A12  |.  6A 00             push 0x0
00401A14  |.  50                push eax
00401A15  |.  68 01000000       push 0x1
00401A1A  |.  BB 50604000       mov ebx,<CM.到字节集>
00401A1F  |.  E8 703B0000       call CM.00405594               ; jmp to <CM.调用命令>
00401A24  |.  83C4 10           add esp,0x10
00401A27  |.  8945 D8           mov [ebp-0x28],eax
00401A2A  |.  68 01030080       push 0x80000301
00401A2F  |.  6A 00             push 0x0
00401A31  |.  FF75 E0           push [ebp-0x20]
00401A34  |.  68 01000000       push 0x1
00401A39  |.  BB 505F4000       mov ebx,<CM.到字节>
00401A3E  |.  E8 513B0000       call CM.00405594               ; jmp to <CM.调用命令>
00401A43  |.  83C4 10           add esp,0x10
00401A46  |.  68 01010080       push 0x80000101
00401A4B  |.  6A 00             push 0x0
00401A4D  |.  50                push eax
00401A4E  |.  68 01000000       push 0x1
00401A53  |.  BB 50604000       mov ebx,<CM.到字节集>
00401A58  |.  E8 373B0000       call CM.00405594               ; jmp to <CM.调用命令>
00401A5D  |.  83C4 10           add esp,0x10
00401A60  |.  8945 D0           mov [ebp-0x30],eax
00401A63  |.  FF75 D0           push [ebp-0x30]
00401A66  |.  FF75 D8           push [ebp-0x28]
00401A69  |.  B9 02000000       mov ecx,0x2
00401A6E  |.  E8 14F9FFFF       call <CM.字符连接>
00401A73  |.  83C4 08           add esp,0x8
00401A76  |.  8945 CC           mov [ebp-0x34],eax
00401A79  |.  8B5D D8           mov ebx,[ebp-0x28]
00401A7C  |.  85DB              test ebx,ebx
00401A7E  |.  74 09             je short CM.00401A89
00401A80  |.  53                push ebx
00401A81  |.  E8 083B0000       call CM.0040558E               ; jmp to <CM.释放变量空间>
00401A86  |.  83C4 04           add esp,0x4
00401A89  |>  8B5D D0           mov ebx,[ebp-0x30]
00401A8C  |.  85DB              test ebx,ebx
00401A8E  |.  74 09             je short CM.00401A99
00401A90  |.  53                push ebx
00401A91  |.  E8 F83A0000       call CM.0040558E               ; jmp to <CM.释放变量空间>
00401A96  |.  83C4 04           add esp,0x4
00401A99  |>  68 05000080       push 0x80000005
00401A9E  |.  6A 00             push 0x0
00401AA0  |.  8B45 CC           mov eax,[ebp-0x34]
00401AA3  |.  85C0              test eax,eax
00401AA5  |.  75 05             jnz short CM.00401AAC
00401AA7  |.  B8 19014A00       mov eax,CM.004A0119
00401AAC  |>  50                push eax
00401AAD  |.  68 01030080       push 0x80000301
00401AB2  |.  6A 00             push 0x0
00401AB4  |.  68 02000000       push 0x2
00401AB9  |.  68 01030080       push 0x80000301
00401ABE  |.  6A 00             push 0x0
00401AC0  |.  68 CE000000       push 0xCE
00401AC5  |.  68 05000080       push 0x80000005
00401ACA  |.  6A 00             push 0x0
00401ACC  |.  A1 94C05C00       mov eax,dword ptr ds:[0x5CC094]
00401AD1  |.  85C0              test eax,eax
00401AD3  |.  75 05             jnz short CM.00401ADA
00401AD5  |.  B8 19014A00       mov eax,CM.004A0119
00401ADA  |>  50                push eax
00401ADB  |.  68 04000000       push 0x4
00401AE0  |.  BB 20634000       mov ebx,<CM.字节集替换>
00401AE5  |.  E8 AA3A0000       call CM.00405594               ; jmp to <CM.调用命令>
The 3rd character XOR 0x9E gives the DHT segment marker.
The 5th character XOR 0xB7 gives the DHT segment type.
XOR FF and 0xC4 with 0x9E and 0xB7 respectively to recover the 3rd and 5th characters of the registration code:
the 3rd character is a, the 5th is s.
From this we obtain the registration code:
12aps67k
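As an added example (not code from the original post or from the crackme's author), the check the post performs by hand in C32Asm, written out in Python: it assembles a cut-down JPEG header from the segments quoted above with the two holes the crackme fills left as 00 00, replays the XOR patching from the two listings for a candidate code, and then walks the marker chain to report whether the DHT(2) marker and the Cr component selector have become consistent. The DQT and SOF0 segments are omitted, so the hole offsets are this sample's own, not the 0xCE/0xF1 positions the crackme passes to 字节集替换 (which the post itself reads as 1-based, since the 0xF1 replacement lands on offset 0xF0).

```python
import struct

# Constructed sample from the segment bytes quoted in the post (DQT/SOF0 omitted); offsets are this sample's, not the crackme's.
SOI = bytes.fromhex("FFD8")
APP0 = bytes.fromhex("FFE000104A46494600010101006000600000")
DHT_DC0 = bytes.fromhex("FFC4001A000002030101000000000000000000000000010203040506")
DHT_DC1_BODY = bytes.fromhex("0018" "01" + "01" * 5 + "00" * 11 + "0001020304")  # DHT(2) body: DC table id 1, 5 symbols
SOS_HEAD = bytes.fromhex("FFDA000C" "03" "0100" "0210")  # SOS: 3 components, Y and Cb selectors as listed in the post
SOS_TAIL = bytes.fromhex("003F00")  # Ss, Se, Ah/Al
TEMPLATE = SOI + APP0 + DHT_DC0 + b"\x00\x00" + DHT_DC1_BODY + SOS_HEAD + b"\x00\x00" + SOS_TAIL  # both holes = 00 00
DHT_MARK_OFF = len(SOI + APP0 + DHT_DC0)                       # where the DHT(2) marker FF C4 should sit
CR_OFF = DHT_MARK_OFF + 2 + len(DHT_DC1_BODY) + len(SOS_HEAD)  # where the Cr component id / table byte should sit

def apply_key(key: str) -> bytes:  # replay the crackme's patching: code chars 3,5 -> DHT marker, chars 4,8 -> Cr selector
    k = key.encode("ascii")
    if len(k) != 8: raise ValueError("the crackme reads an 8-character code")
    buf = bytearray(TEMPLATE)
    buf[DHT_MARK_OFF:DHT_MARK_OFF + 2] = bytes([k[2] ^ 0x9E, k[4] ^ 0xB7])  # listing 2: 位异或 with 0x9E, 0xB7
    buf[CR_OFF:CR_OFF + 2] = bytes([k[3] ^ 0x73, k[7] ^ 0x7B])              # listing 1: 位异或 with 0x73, 0x7B
    return bytes(buf)

def segments(jpeg: bytes):  # walk marker segments up to SOS; raise ValueError where the marker chain breaks
    if jpeg[:2] != SOI:
        raise ValueError("missing SOI")
    pos, out = 2, []
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset 0x{pos:X}, found 0x{jpeg[pos]:02X}")
        marker, (length,) = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])
        out.append((pos, marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA: break  # entropy-coded scan data follows SOS
    return out

def validate(jpeg: bytes) -> list:  # structural problems found; an empty list means the header is consistent
    try:
        segs = segments(jpeg)
    except ValueError as err:
        return [str(err)]
    dc_tables, problems = set(), []
    for off, marker, body in segs:
        if marker == 0xC4:  # DHT: class/id byte, 16 code-length counts, then the symbols
            if sum(body[1:17]) != len(body) - 17:
                problems.append(f"DHT at 0x{off:X}: code counts disagree with segment length")
            if body[0] >> 4 == 0: dc_tables.add(body[0] & 0xF)
        elif marker == 0xDA:  # SOS: each component's DC selector must name a table that was defined
            for i in range(body[0]):
                cid, sel = body[1 + 2 * i], body[2 + 2 * i] >> 4
                if sel not in dc_tables:
                    problems.append(f"SOS: component {cid} selects undefined DC table {sel}")
    return problems
```

With the unpatched TEMPLATE the walk stops at the zeroed DHT(2) marker; with 12aps67k it comes back clean, and a wrong 8th character shows up as a Cr selector pointing at a table that does not exist.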
A recommendation: an E-language analysis tool I wrote myself. It helps a fair bit when analysing E-language programs,
but it currently has bugs and some commands are not recognised correctly.
http://www.52pojie.cn/thread-416342-1-1.html
Really impressive, OP, I have high hopes for you!
Worshipping the master...
Keep it up OP, I believe you can perfect the tool.
New skill acquired.
Not bad, learned a few things.
Learned a few things.
Clear and thorough, thanks for sharing.
Hi, I want to crack a program written in Qt and hope you can give me some guidance. Thanks, master.