TweakBit Algorithm Analysis
This post was last edited by whyida on 2016-10-26 23:00.
A PC maintenance utility; search Baidu for what it actually does.
Download address:
http://www.tweakbit.com/fix-my-pc/
Compiled with Delphi 2010. Decompiling with IDR didn't achieve much; instead, setting a breakpoint on CreateWindowExW and walking back up the stack finds the key code easily. The program has anti-debugging: as soon as you shut down, the previous breakpoints are gone, and there is a CRC check.
500B5B98 8B43 4C MOV EAX,DWORD PTR DS: ;
500B5B9B FF53 48 CALL NEAR DWORD PTR DS: ; Common_1.05F84A60 ; the algorithm
500B5B9E B0 01 MOV AL,0x1
500B5BA0 5B POP EBX
500B5BA1 C3 RETN
500B5BA2 33C0 XOR EAX,EAX
500B5BA4 5B POP EBX
500B5BA5 C3 RETN
500B5BA6 8BC0 MOV EAX,EAX
500B5BA8 >53 PUSH EBX
500B5BA9 66:8378 52 00 CMP WORD PTR DS:,0x0
500B5BAE 74 0E JE SHORT rtl160.500B5BBE
500B5BB0 8BD8 MOV EBX,EAX
500B5BB2 8BD0 MOV EDX,EAX
500B5BB4 8B43 54 MOV EAX,DWORD PTR DS:
500B5BB7 FF53 50 CALL NEAR DWORD PTR DS:
500B5BBA B0 01 MOV AL,0x1
500B5BBC 5B POP EBX
500B5BBD C3 RETN
500B5BBE 33C0 XOR EAX,EAX
500B5BC0 5B POP EBX
500B5BC1 C3 RETN
Following the call at 500B5B9B leads to the address below
05F84A60 55 PUSH EBP
05F84A61 8BEC MOV EBP,ESP
05F84A63 6A 00 PUSH 0x0
05F84A65 6A 00 PUSH 0x0
05F84A67 6A 00 PUSH 0x0
05F84A69 53 PUSH EBX
05F84A6A 8BD8 MOV EBX,EAX
05F84A6C 33C0 XOR EAX,EAX
05F84A6E 55 PUSH EBP
05F84A6F 68 B34BF805 PUSH Common_1.05F84BB3
05F84A74 64:FF30 PUSH DWORD PTR FS:
05F84A77 64:8920 MOV DWORD PTR FS:,ESP
05F84A7A 0FB605 C04BF805 MOVZX EAX,BYTE PTR DS:
05F84A81 50 PUSH EAX
05F84A82 8D45 FC LEA EAX,DWORD PTR SS:
05F84A85 50 PUSH EAX
05F84A86 8D55 F8 LEA EDX,DWORD PTR SS:
05F84A89 8B83 E4040000 MOV EAX,DWORD PTR DS:
05F84A8F E8 6812FEFF CALL <JMP.&vcl160.@Vcl@Controls@TControl@GetText$>; ; get the entered key
05F84A94 8B45 F8 MOV EAX,DWORD PTR SS:
05F84A97 8B0D 2830F905 MOV ECX,DWORD PTR DS:[<&rtl160.@System@Sysutils@E>; rtl160.@System@Sysutils@EmptyStr
05F84A9D 8B09 MOV ECX,DWORD PTR DS:
05F84A9F BA D04BF805 MOV EDX,Common_1.05F84BD0
05F84AA4 E8 F7FDFDFF CALL <JMP.&rtl160.@System@Sysutils@StringReplace$>
05F84AA9 8B45 FC MOV EAX,DWORD PTR SS:
05F84AAC E8 D7C6FDFF CALL <JMP.&rtl160.@System@@UStrLen$qqrx20System@U>; ; length
05F84AB1 83F8 1D CMP EAX,0x1D
05F84AB4 74 32 JE SHORT Common_1.05F84AE8
05F84AB6 8B45 FC MOV EAX,DWORD PTR SS:
05F84AB9 E8 CAC6FDFF CALL <JMP.&rtl160.@System@@UStrLen$qqrx20System@U>
05F84ABE 85C0 TEST EAX,EAX
05F84AC0 7F 0E JG SHORT Common_1.05F84AD0
05F84AC2 B2 01 MOV DL,0x1
05F84AC4 A1 481EF805 MOV EAX,DWORD PTR DS:
05F84AC9 E8 46D5FFFF CALL Common_1.05F82014
05F84ACE EB 0C JMP SHORT Common_1.05F84ADC
05F84AD0 B2 02 MOV DL,0x2
05F84AD2 A1 481EF805 MOV EAX,DWORD PTR DS:
05F84AD7 E8 38D5FFFF CALL Common_1.05F82014
05F84ADC 8BC3 MOV EAX,EBX
05F84ADE E8 F9F7FFFF CALL Common_1.05F842DC
05F84AE3 E9 A5000000 JMP Common_1.05F84B8D
05F84AE8 8D45 F4 LEA EAX,DWORD PTR SS:
05F84AEB E8 6479FEFF CALL Common_1.05F6C454
05F84AF0 8B55 F4 MOV EDX,DWORD PTR SS:
05F84AF3 8B45 FC MOV EAX,DWORD PTR SS:
05F84AF6 E8 95FCFDFF CALL <JMP.&rtl160.@System@Sysutils@SameText$qqrx2>; ; is this the key that was already registered successfully
05F84AFB 84C0 TEST AL,AL
05F84AFD 74 15 JE SHORT Common_1.05F84B14
05F84AFF B2 04 MOV DL,0x4
05F84B01 A1 481EF805 MOV EAX,DWORD PTR DS:
05F84B06 E8 09D5FFFF CALL Common_1.05F82014
05F84B0B 8BC3 MOV EAX,EBX
05F84B0D E8 BEFBFFFF CALL Common_1.05F846D0
05F84B12 EB 79 JMP SHORT Common_1.05F84B8D
05F84B14 8B15 2830F905 MOV EDX,DWORD PTR DS:[<&rtl160.@System@Sysutils@E>; rtl160.@System@Sysutils@EmptyStr
05F84B1A 8B12 MOV EDX,DWORD PTR DS:
05F84B1C 8B4D FC MOV ECX,DWORD PTR SS:
05F84B1F A1 E862F605 MOV EAX,DWORD PTR DS:
05F84B24 E8 6B7AFEFF CALL Common_1.05F6C594 ; ; step into
05F84B29 84C0 TEST AL,AL
05F84B2B 75 15 JNZ SHORT Common_1.05F84B42
From 05F84B24 we arrive at 05F6C594
05F6C594 55 PUSH EBP
05F6C595 8BEC MOV EBP,ESP
05F6C597 833D 0803F905 0>CMP DWORD PTR DS:,0x0
05F6C59E 74 0A JE SHORT Common_1.05F6C5AA
05F6C5A0 51 PUSH ECX
05F6C5A1 52 PUSH EDX
05F6C5A2 FF15 0803F905 CALL NEAR DWORD PTR DS: ; ; step into
05F6C5A8 5D POP EBP
05F6C5A9 C3 RETN
Arriving at 05C88896
05C88896 8BC0 MOV EAX,EAX
05C88898 55 PUSH EBP
05C88899 8BEC MOV EBP,ESP
05C8889B 83C4 B0 ADD ESP,-0x50
05C8889E 53 PUSH EBX
05C8889F 56 PUSH ESI
05C888A0 33DB XOR EBX,EBX
05C888A2 895D B4 MOV DWORD PTR SS:,EBX
05C888A5 895D B0 MOV DWORD PTR SS:,EBX
05C888A8 895D FC MOV DWORD PTR SS:,EBX
05C888AB 8BF1 MOV ESI,ECX
05C888AD 8BDA MOV EBX,EDX
05C888AF 8D45 B8 LEA EAX,DWORD PTR SS:
05C888B2 8B15 8072C805 MOV EDX,DWORD PTR DS:
05C888B8 E8 E388FFFF CALL 05C811A0 ; JMP to rtl160.@System@@InitializeRecord$qqrpvt1
05C888BD 33C0 XOR EAX,EAX
05C888BF 55 PUSH EBP
05C888C0 68 7189C805 PUSH 0x5C88971
05C888C5 64:FF30 PUSH DWORD PTR FS:
05C888C8 64:8920 MOV DWORD PTR FS:,ESP
05C888CB A1 78E2C805 MOV EAX,DWORD PTR DS:
05C888D0 50 PUSH EAX
05C888D1 8BCE MOV ECX,ESI
05C888D3 8BD3 MOV EDX,EBX
05C888D5 A1 F857C805 MOV EAX,DWORD PTR DS:
05C888DA E8 79E7FFFF CALL 05C87058 ; ; step into
05C888DF 8BD8 MOV EBX,EAX
05C888E1 84DB TEST BL,BL
05C888E3 74 58 JE SHORT 05C8893D
05C888E5 8D4D B8 LEA ECX,DWORD PTR SS:
05C888E8 8B15 78E2C805 MOV EDX,DWORD PTR DS:
05C888EE A1 F473C805 MOV EAX,DWORD PTR DS:
05C888F3 E8 CCECFFFF CALL 05C875C4
05C888F8 84C0 TEST AL,AL
05C888FA 74 41 JE SHORT 05C8893D
05C888FC 8D55 B0 LEA EDX,DWORD PTR SS:
05C888FF 8BC6 MOV EAX,ESI
05C88901 E8 06B4FFFF CALL 05C83D0C ; JMP to rtl160.@System@Sysutils@AnsiUpperCase$qqrx20System@UnicodeString
05C88906 8B55 B0 MOV EDX,DWORD PTR SS:
05C88909 8D4D B4 LEA ECX,DWORD PTR SS:
05C8890C A1 EC45C805 MOV EAX,DWORD PTR DS:
05C88911 E8 7EBEFFFF CALL 05C84794
05C88916 8B45 B4 MOV EAX,DWORD PTR SS:
05C88919 E8 26BCFFFF CALL 05C84544 ; JMP to AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC16@FromString$qqrx27System@%AnsiStringT$us$i0$%
05C8891E 8BD0 MOV EDX,EAX
05C88920 8D4D FC LEA ECX,DWORD PTR SS:
05C88923 A1 5CFBC805 MOV EAX,DWORD PTR DS:
05C88928 E8 1FBCFFFF CALL 05C8454C ; JMP to AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC16@AsString$qqrus
05C8892D 8B55 DC MOV EDX,DWORD PTR SS:
05C88930 8B45 FC MOV EAX,DWORD PTR SS:
05C88933 E8 5888FFFF CALL 05C81190 ; JMP to rtl160.@System@Pos$qqrx20System@UnicodeStringt1
05C88938 85C0 TEST EAX,EAX
05C8893A 0F9EC3 SETLE BL
05C8893D 33C0 XOR EAX,EAX
05C8893F 5A POP EDX
05C88940 59 POP ECX
05C88941 59 POP ECX
05C88942 64:8910 MOV DWORD PTR FS:,EDX
05C88945 68 7889C805 PUSH 0x5C88978
05C8894A 8D45 B0 LEA EAX,DWORD PTR SS:
05C8894D E8 8E87FFFF CALL 05C810E0 ; JMP to rtl160.@System@@UStrClr$qqrpv
05C88952 8D45 B4 LEA EAX,DWORD PTR SS:
05C88955 E8 8E87FFFF CALL 05C810E8 ; JMP to rtl160.@System@@LStrClr$qqrpv
05C8895A 8D45 B8 LEA EAX,DWORD PTR SS:
05C8895D 8B15 8072C805 MOV EDX,DWORD PTR DS:
05C88963 E8 4088FFFF CALL 05C811A8 ; JMP to rtl160.@System@@FinalizeRecord$qqrpvt1
05C88968 8D45 FC LEA EAX,DWORD PTR SS:
05C8896B E8 7087FFFF CALL 05C810E0 ; JMP to rtl160.@System@@UStrClr$qqrpv
05C88970 C3 RETN
05C88971^ E9 3A87FFFF JMP 05C810B0 ; JMP to rtl160.@System@@HandleFinally$qqrv
05C88976^ EB D2 JMP SHORT 05C8894A
05C88978 8BC3 MOV EAX,EBX
05C8897A 5E POP ESI
05C8897B 5B POP EBX
05C8897C 8BE5 MOV ESP,EBP
05C8897E 5D POP EBP
05C8897F C3 RETN
Three groups of checks
05C87056 8BC0 MOV EAX,EAX
05C87058 55 PUSH EBP
05C87059 8BEC MOV EBP,ESP
05C8705B 51 PUSH ECX
05C8705C B9 05000000 MOV ECX,0x5
05C87061 6A 00 PUSH 0x0
05C87063 6A 00 PUSH 0x0
05C87065 49 DEC ECX
05C87066^ 75 F9 JNZ SHORT 05C87061
05C87068 874D FC XCHG DWORD PTR SS:,ECX
05C8706B 53 PUSH EBX
05C8706C 56 PUSH ESI
05C8706D 57 PUSH EDI
05C8706E 8BF9 MOV EDI,ECX
05C87070 8955 F4 MOV DWORD PTR SS:,EDX
05C87073 8BF0 MOV ESI,EAX
05C87075 33C0 XOR EAX,EAX
05C87077 55 PUSH EBP
05C87078 68 AF71C805 PUSH 0x5C871AF
05C8707D 64:FF30 PUSH DWORD PTR FS:
05C87080 64:8920 MOV DWORD PTR FS:,ESP
05C87083 8BC7 MOV EAX,EDI
05C87085 E8 8EA0FFFF CALL 05C81118 ; JMP to rtl160.@System@@UStrLen$qqrx20System@UnicodeString
05C8708A 8B15 8CB8C805 MOV EDX,DWORD PTR DS:
05C87090 3B02 CMP EAX,DWORD PTR DS:
05C87092 0F94C3 SETE BL
05C87095 84DB TEST BL,BL
05C87097 0F84 EA000000 JE 05C87187
05C8709D 8D55 F0 LEA EDX,DWORD PTR SS:
05C870A0 8BC7 MOV EAX,EDI
05C870A2 E8 65CCFFFF CALL 05C83D0C ; JMP to rtl160.@System@Sysutils@AnsiUpperCase$qqrx20System@UnicodeString
05C870A7 8B55 F0 MOV EDX,DWORD PTR SS:
05C870AA 8D4D F8 LEA ECX,DWORD PTR SS:
05C870AD 8BC6 MOV EAX,ESI
05C870AF E8 D4FDFFFF CALL 05C86E88
05C870B4 8B45 F8 MOV EAX,DWORD PTR SS:
05C870B7 E8 5CA0FFFF CALL 05C81118 ; JMP to rtl160.@System@@UStrLen$qqrx20System@UnicodeString
05C870BC 8B15 8CB8C805 MOV EDX,DWORD PTR DS:
05C870C2 8B12 MOV EDX,DWORD PTR DS:
05C870C4 83EA 04 SUB EDX,0x4
05C870C7 3BC2 CMP EAX,EDX
05C870C9 74 07 JE SHORT 05C870D2
05C870CB 33DB XOR EBX,EBX
05C870CD E9 B5000000 JMP 05C87187
05C870D2 8D55 EC LEA EDX,DWORD PTR SS:
05C870D5 8B45 F4 MOV EAX,DWORD PTR SS:
05C870D8 E8 37CCFFFF CALL 05C83D14 ; JMP to rtl160.@System@Sysutils@Trim$qqrx20System@UnicodeString
05C870DD 8B45 EC MOV EAX,DWORD PTR SS:
05C870E0 E8 33A0FFFF CALL 05C81118 ; JMP to rtl160.@System@@UStrLen$qqrx20System@UnicodeString
05C870E5 85C0 TEST EAX,EAX
05C870E7 7F 12 JG SHORT 05C870FB
05C870E9 8D45 FC LEA EAX,DWORD PTR SS:
05C870EC 8B15 94B8C805 MOV EDX,DWORD PTR DS:
05C870F2 8B12 MOV EDX,DWORD PTR DS:
05C870F4 E8 17A0FFFF CALL 05C81110 ; JMP to rtl160.@System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString
05C870F9 EB 0B JMP SHORT 05C87106
05C870FB 8D55 FC LEA EDX,DWORD PTR SS:
05C870FE 8B45 F4 MOV EAX,DWORD PTR SS:
05C87101 E8 06CCFFFF CALL 05C83D0C ; JMP to rtl160.@System@Sysutils@AnsiUpperCase$qqrx20System@UnicodeString
05C87106 8D4D E8 LEA ECX,DWORD PTR SS:
05C87109 8B55 F8 MOV EDX,DWORD PTR SS:
05C8710C 8BC6 MOV EAX,ESI
05C8710E E8 C9EBFFFF CALL 05C85CDC ; ;K1
05C87113 8B45 E8 MOV EAX,DWORD PTR SS:
05C87116 50 PUSH EAX
05C87117 8D4D E4 LEA ECX,DWORD PTR SS:
05C8711A 8B55 F8 MOV EDX,DWORD PTR SS:
05C8711D 8BC6 MOV EAX,ESI
05C8711F E8 78ECFFFF CALL 05C85D9C ; ;k2
05C87124 8B55 E4 MOV EDX,DWORD PTR SS:
05C87127 58 POP EAX
05C87128 E8 4BA0FFFF CALL 05C81178 ; JMP to rtl160.@System@@UStrEqual$qqrv
05C8712D 75 52 JNZ SHORT 05C87181
05C8712F 8D4D E0 LEA ECX,DWORD PTR SS:
05C87132 8B55 F8 MOV EDX,DWORD PTR SS:
05C87135 8BC6 MOV EAX,ESI
05C87137 E8 40EBFFFF CALL 05C85C7C
05C8713C 8B45 E0 MOV EAX,DWORD PTR SS:
05C8713F 50 PUSH EAX
05C87140 8D4D DC LEA ECX,DWORD PTR SS:
05C87143 8B55 FC MOV EDX,DWORD PTR SS:
05C87146 8BC6 MOV EAX,ESI
05C87148 E8 77E8FFFF CALL 05C859C4 ; ;k3
05C8714D 8B55 DC MOV EDX,DWORD PTR SS:
05C87150 58 POP EAX
05C87151 E8 22A0FFFF CALL 05C81178 ; ;k4
05C87156 75 29 JNZ SHORT 05C87181
05C87158 8D4D D8 LEA ECX,DWORD PTR SS:
05C8715B 8B55 F8 MOV EDX,DWORD PTR SS:
05C8715E 8BC6 MOV EAX,ESI
05C87160 E8 D7EBFFFF CALL 05C85D3C ; ;k5
05C87165 8B45 D8 MOV EAX,DWORD PTR SS:
05C87168 50 PUSH EAX
05C87169 8D4D D4 LEA ECX,DWORD PTR SS:
05C8716C 8B55 08 MOV EDX,DWORD PTR SS:
05C8716F 8BC6 MOV EAX,ESI
05C87171 E8 4EE8FFFF CALL 05C859C4 ; ;k6
05C87176 8B55 D4 MOV EDX,DWORD PTR SS:
05C87179 58 POP EAX
05C8717A E8 F99FFFFF CALL 05C81178 ; JMP to rtl160.@System@@UStrEqual$qqrv
05C8717F 74 04 JE SHORT 05C87185
05C87181 33DB XOR EBX,EBX
05C87183 EB 02 JMP SHORT 05C87187
05C87185 B3 01 MOV BL,0x1
05C87187 33C0 XOR EAX,EAX
05C87189 5A POP EDX
05C8718A 59 POP ECX
05C8718B 59 POP ECX
05C8718C 64:8910 MOV DWORD PTR FS:,EDX
05C8718F 68 B671C805 PUSH 0x5C871B6
05C87194 8D45 D4 LEA EAX,DWORD PTR SS:
05C87197 BA 08000000 MOV EDX,0x8
05C8719C E8 4F9FFFFF CALL 05C810F0 ; JMP to rtl160.@System@@UStrArrayClr$qqrpvi
05C871A1 8D45 F8 LEA EAX,DWORD PTR SS:
05C871A4 BA 02000000 MOV EDX,0x2
05C871A9 E8 429FFFFF CALL 05C810F0 ; JMP to rtl160.@System@@UStrArrayClr$qqrpvi
05C871AE C3 RETN
k1 takes characters 6, 7, 19 and 20 of the key, then filters them against these strings (a string is taken when it contains two of the letters): "AJS","BKT","CLU","DMV","ENW","FPX","FPX","GQY","HRZ"
05C85CDB 90 NOP
05C85CDC 55 PUSH EBP
05C85CDD 8BEC MOV EBP,ESP
05C85CDF 6A 00 PUSH 0x0
05C85CE1 53 PUSH EBX
05C85CE2 56 PUSH ESI
05C85CE3 57 PUSH EDI
05C85CE4 8BF9 MOV EDI,ECX
05C85CE6 8BF2 MOV ESI,EDX
05C85CE8 8BD8 MOV EBX,EAX
05C85CEA 33C0 XOR EAX,EAX
05C85CEC 55 PUSH EBP
05C85CED 68 2E5DC805 PUSH 0x5C85D2E
05C85CF2 64:FF30 PUSH DWORD PTR FS:
05C85CF5 64:8920 MOV DWORD PTR FS:,ESP
05C85CF8 6A 03 PUSH 0x3
05C85CFA 8D45 FC LEA EAX,DWORD PTR SS:
05C85CFD 50 PUSH EAX
05C85CFE B9 75B8C805 MOV ECX,0x5C8B875
05C85D03 8BD6 MOV EDX,ESI
05C85D05 8BC3 MOV EAX,EBX
05C85D07 E8 A0FDFFFF CALL 05C85AAC ; ; k1: take 4 characters of the key
05C85D0C 8B55 FC MOV EDX,DWORD PTR SS:
05C85D0F 8BCF MOV ECX,EDI
05C85D11 8BC3 MOV EAX,EBX
05C85D13 E8 000E0000 CALL 05C86B18 ; k1 string
05C85D18 33C0 XOR EAX,EAX
05C85D1A 5A POP EDX
05C85D1B 59 POP ECX
05C85D1C 59 POP ECX
05C85D1D 64:8910 MOV DWORD PTR FS:,EDX
05C85D20 68 355DC805 PUSH 0x5C85D35
05C85D25 8D45 FC LEA EAX,DWORD PTR SS:
05C85D28 E8 B3B3FFFF CALL 05C810E0 ; JMP to rtl160.@System@@UStrClr$qqrpv
05C85D2D C3 RETN
k2: after the original key has been filtered through the k1 string, the string "@df3sdG_#$%(" is appended.
5003FFBB 90 NOP
5003FFBC >53 PUSH EBX
5003FFBD 56 PUSH ESI
5003FFBE 57 PUSH EDI
5003FFBF 51 PUSH ECX
5003FFC0 8BF9 MOV EDI,ECX
5003FFC2 8BDA MOV EBX,EDX
5003FFC4 8BF0 MOV ESI,EAX
5003FFC6 8BC6 MOV EAX,ESI
5003FFC8 E8 F3ECFFFF CALL rtl160.5003ECC0
5003FFCD 8B06 MOV EAX,DWORD PTR DS:
5003FFCF 890424 MOV DWORD PTR SS:,EAX
5003FFD2 8B0424 MOV EAX,DWORD PTR SS:
5003FFD5 85C0 TEST EAX,EAX
5003FFD7 74 05 JE SHORT rtl160.5003FFDE
5003FFD9 83E8 04 SUB EAX,0x4
5003FFDC 8B00 MOV EAX,DWORD PTR DS: ; ;0x1D-4=0x19
5003FFDE 83FB 01 CMP EBX,0x1
5003FFE1 7C 36 JL SHORT rtl160.50040019
5003FFE3 3BC3 CMP EAX,EBX
5003FFE5 7C 32 JL SHORT rtl160.50040019
5003FFE7 85FF TEST EDI,EDI
5003FFE9 7E 2E JLE SHORT rtl160.50040019
5003FFEB 4B DEC EBX
5003FFEC 8BD0 MOV EDX,EAX
5003FFEE 2BD3 SUB EDX,EBX ; ;edx=0x19-5
5003FFF0 2BD7 SUB EDX,EDI ; ;edx=0x14-1
5003FFF2 8BFA MOV EDI,EDX
5003FFF4 85FF TEST EDI,EDI
5003FFF6 7D 02 JGE SHORT rtl160.5003FFFA
5003FFF8 33FF XOR EDI,EDI
5003FFFA 2BC7 SUB EAX,EDI
5003FFFC 8B16 MOV EDX,DWORD PTR DS:
5003FFFE 8D0442 LEA EAX,DWORD PTR DS: ; ; take the key from the 7th character
50040001 8BCF MOV ECX,EDI
50040003 03C9 ADD ECX,ECX
50040005 8B16 MOV EDX,DWORD PTR DS:
50040007 8D145A LEA EDX,DWORD PTR DS: ; ; the key starting from character 6
5004000A E8 DD7FFFFF CALL rtl160.@System@Move$qqrpxvpvi ; ; last character of the key is repeated
5004000F 8D141F LEA EDX,DWORD PTR DS:
50040012 8BC6 MOV EAX,ESI
50040014 E8 B3FCFFFF CALL rtl160.@System@@UStrSetLength$qqrr20System@U>
50040019 5A POP EDX ; 067A3BDC
5004001A 5F POP EDI
5004001B 5E POP ESI
5004001C 5B POP EBX
5004001D C3 RETN
*The key code of k2:
0077F738 52 PUSH EDX
0077F739 43 INC EBX
0077F73A 3136 XOR DWORD PTR DS:,ESI
0077F73C 0000 ADD BYTE PTR DS:,AL
0077F73E 0000 ADD BYTE PTR DS:,AL
0077F740 0200 ADD AL,BYTE PTR DS:
0077F742 0000 ADD BYTE PTR DS:,AL
0077F744 >53 PUSH EBX ; ;crc
0077F745 56 PUSH ESI
0077F746 66:B9 FFFF MOV CX,0xFFFF
0077F74A 8B18 MOV EBX,DWORD PTR DS:
0077F74C 8BC2 MOV EAX,EDX
0077F74E 48 DEC EAX
0077F74F 85C0 TEST EAX,EAX
0077F751 7C 26 JL SHORT AxCompon.0077F779
0077F753 40 INC EAX
0077F754 0FB7D1 MOVZX EDX,CX
0077F757 C1EA 08 SHR EDX,0x8
0077F75A 0FB633 MOVZX ESI,BYTE PTR DS:
0077F75D 33D6 XOR EDX,ESI
0077F75F 81E2 FF000000 AND EDX,0xFF
0077F765 0FB71455 E4B478>MOVZX EDX,WORD PTR DS:[EDX*2+@Auslogics@Utils@Has>
0077F76D C1E1 08 SHL ECX,0x8
0077F770 66:33D1 XOR DX,CX
0077F773 8BCA MOV ECX,EDX
0077F775 43 INC EBX
0077F776 48 DEC EAX
0077F777^ 75 DB JNZ SHORT AxCompon.0077F754
0077F779 8BC1 MOV EAX,ECX
0077F77B 5E POP ESI
0077F77C 5B POP EBX
0077F77D C3 RETN
0077F77E 8BC0 MOV EAX,EAX
0077F780 >55 PUSH EBP
0077F781 8BEC MOV EBP,ESP
0077F783 51 PUSH ECX
0077F784 8945 FC MOV DWORD PTR SS:,EAX
0077F787 8B45 FC MOV EAX,DWORD PTR SS:
0077F78A E8 711AF5FF CALL <JMP.&rtl160.@System@@LStrLen$qqrx27System@%>
0077F78F 8BD0 MOV EDX,EAX
0077F791 8D45 FC LEA EAX,DWORD PTR SS:
0077F794 E8 ABFFFFFF CALL AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC> ; after computation: key length + the program's CRC value
0077F799 59 POP ECX
0077F79A 5D POP EBP
0077F79B C3 RETN
0077F79C >55 PUSH EBP
0077F79D 8BEC MOV EBP,ESP
0077F79F 51 PUSH ECX
0077F7A0 8945 FC MOV DWORD PTR SS:,EAX
0077F7A3 8B45 FC MOV EAX,DWORD PTR SS:
0077F7A6 E8 451AF5FF CALL <JMP.&rtl160.@System@@UStrLen$qqrx20System@U>
0077F7AB 8BD0 MOV EDX,EAX
0077F7AD 03D2 ADD EDX,EDX
0077F7AF 8D45 FC LEA EAX,DWORD PTR SS:
0077F7B2 E8 8DFFFFFF CALL AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC>
0077F7B7 59 POP ECX
0077F7B8 5D POP EBP
0077F7B9 C3 RETN
k3 calls the CRC again
0077F780 >55 PUSH EBP
0077F781 8BEC MOV EBP,ESP
0077F783 51 PUSH ECX
0077F784 8945 FC MOV DWORD PTR SS:,EAX
0077F787 8B45 FC MOV EAX,DWORD PTR SS:
0077F78A E8 711AF5FF CALL <JMP.&rtl160.@System@@LStrLen$qqrx27System@%AnsiStringT$us$>
0077F78F 8BD0 MOV EDX,EAX
0077F791 8D45 FC LEA EAX,DWORD PTR SS:
0077F794 E8 ABFFFFFF CALL AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC16@FromBuffer$q>
0077F799 59 POP ECX
0077F79A 5D POP EBP
0077F79B C3 RETN
k3: the relationship between the four-character string obtained by CRC-hashing the string "NAMELESS" and the key is as follows:
1: character 2
2: character 14
3: character 3
4: character 23
k4 takes characters 2, 14, 3 and 23 of the key.
k5 takes characters 2 and 24 of the key and, using the computed index, takes two characters from "A2CE2512".
05C85D3C 55 PUSH EBP
05C85D3D 8BEC MOV EBP,ESP
05C85D3F 6A 00 PUSH 0x0
05C85D41 53 PUSH EBX
05C85D42 56 PUSH ESI
05C85D43 57 PUSH EDI
05C85D44 8BF9 MOV EDI,ECX
05C85D46 8BF2 MOV ESI,EDX
05C85D48 8BD8 MOV EBX,EAX
05C85D4A 33C0 XOR EAX,EAX
05C85D4C 55 PUSH EBP
05C85D4D 68 8E5DC805 PUSH 0x5C85D8E
05C85D52 64:FF30 PUSH DWORD PTR FS:
05C85D55 64:8920 MOV DWORD PTR FS:,ESP
05C85D58 6A 03 PUSH 0x3
05C85D5A 8D45 FC LEA EAX,DWORD PTR SS:
05C85D5D 50 PUSH EAX
05C85D5E B9 64B8C805 MOV ECX,0x5C8B864
05C85D63 8BD6 MOV EDX,ESI
05C85D65 8BC3 MOV EAX,EBX
05C85D67 E8 40FDFFFF CALL 05C85AAC
05C85D6C 8B55 FC MOV EDX,DWORD PTR SS:
05C85D6F 8BCF MOV ECX,EDI
05C85D71 8BC3 MOV EAX,EBX
05C85D73 E8 A00D0000 CALL 05C86B18
05C85D78 33C0 XOR EAX,EAX
05C85D7A 5A POP EDX
05C85D7B 59 POP ECX
05C85D7C 59 POP ECX
05C85D7D 64:8910 MOV DWORD PTR FS:,EDX
05C85D80 68 955DC805 PUSH 0x5C85D95
05C85D85 8D45 FC LEA EAX,DWORD PTR SS:
05C85D88 E8 53B3FFFF CALL 05C810E0 ; JMP to rtl160.@System@@UStrClr$qqrpv
05C85D8D C3 RETN
05C85D8E^ E9 1DB3FFFF JMP 05C810B0 ; JMP to rtl160.@System@@HandleFinally$qqrv
05C85D93^ EB F0 JMP SHORT 05C85D85
05C85D95 5F POP EDI
05C85D96 5E POP ESI
05C85D97 5B POP EBX
05C85D98 59 POP ECX
05C85D99 5D POP EBP
05C85D9A C3 RETN
K6: the key with "@df3sdG_#$%(" appended is then CRC-hashed
05C859D9 55 PUSH EBP
05C859DA 68 745AC805 PUSH 0x5C85A74
05C859DF 64:FF30 PUSH DWORD PTR FS:
05C859E2 64:8920 MOV DWORD PTR FS:,ESP
05C859E5 8D45 F4 LEA EAX,DWORD PTR SS:
05C859E8 B9 905AC805 MOV ECX,0x5C85A90 ; UNICODE "@df3sdG_#$%("
05C859ED 8BD6 MOV EDX,ESI
05C859EF E8 74B7FFFF CALL 05C81168 ; JMP to rtl160.@System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2
05C859F4 8B55 F4 MOV EDX,DWORD PTR SS:
05C859F7 8D45 F8 LEA EAX,DWORD PTR SS:
05C859FA E8 51B7FFFF CALL 05C81150 ; JMP to rtl160.@System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString
05C859FF 8B45 F8 MOV EAX,DWORD PTR SS:
05C85A02 8D55 FC LEA EDX,DWORD PTR SS:
05C85A05 E8 62EBFFFF CALL 05C8456C ; JMP to AxCompon.@Auslogics@Utils@Hash@Sha1@HashSHA1@FromString$qqrx17System@WideString
05C85A0A 8B55 FC MOV EDX,DWORD PTR SS:
05C85A0D 8BC3 MOV EAX,EBX
05C85A0F E8 34B7FFFF CALL 05C81148 ; JMP to rtl160.@System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString
05C85A14 8D4D EC LEA ECX,DWORD PTR SS:
05C85A17 8B13 MOV EDX,DWORD PTR DS:
05C85A19 A1 EC45C805 MOV EAX,DWORD PTR DS:
05C85A1E E8 71EDFFFF CALL 05C84794
05C85A23 8B45 EC MOV EAX,DWORD PTR SS:
05C85A26 E8 19EBFFFF CALL 05C84544 ; ;k2
05C85A2B 8BD0 MOV EDX,EAX
05C85A2D 8D4D F0 LEA ECX,DWORD PTR SS:
05C85A30 A1 5CFBC805 MOV EAX,DWORD PTR DS:
05C85A35 E8 12EBFFFF CALL 05C8454C ; JMP to AxCompon.@Auslogics@Utils@Hash@Crc16@HashCRC16@AsString$qqrus
05C85A3A 8B55 F0 MOV EDX,DWORD PTR SS:
05C85A3D 8BC3 MOV EAX,EBX
05C85A3F E8 C4B6FFFF CALL 05C81108 ; JMP to rtl160.@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString
05C85A44 33C0 XOR EAX,EAX
05C85A46 5A POP EDX
05C85A47 59 POP ECX
05C85A48 59 POP ECX
05C85A49 64:8910 MOV DWORD PTR FS:,EDX
05C85A4C 68 7B5AC805 PUSH 0x5C85A7B
05C85A51 8D45 EC LEA EAX,DWORD PTR SS:
05C85A54 E8 8FB6FFFF CALL 05C810E8 ; JMP to rtl160.@System@@LStrClr$qqrpv
05C85A59 8D45 F0 LEA EAX,DWORD PTR SS:
05C85A5C BA 02000000 MOV EDX,0x2
05C85A61 E8 8AB6FFFF CALL 05C810F0 ; JMP to rtl160.@System@@UStrArrayClr$qqrpvi
05C85A66 8D45 F8 LEA EAX,DWORD PTR SS:
05C85A69 BA 02000000 MOV EDX,0x2
05C85A6E E8 85B6FFFF CALL 05C810F8 ; JMP to rtl160.@System@@WStrArrayClr$qqrpvi
05C85A73 C3 RETN
05C85A74^ E9 37B6FFFF JMP 05C810B0 ; JMP to rtl160.@System@@HandleFinally$qqrv
05C85A79^ EB D6 JMP SHORT 05C85A51
05C85A7B 5E POP ESI
05C85A7C 5B POP EBX
05C85A7D 8BE5 MOV ESP,EBP
05C85A7F 5D POP EBP
05C85A80 C3 RETN
Relationship between the value computed by k6 and the key:
1: character 7
2: character 9
3: character 10
4: character 23
When k1=k2, k3=k4 and k5=k6, registration succeeds. Attached is one key: 52EJA-dcid7-1830e-9881d-52CAg
I tried the OP's CreateWindowExW breakpoint. It does break, but when walking back up the stack I didn't find the key point; I went back too far, so I didn't find it.
Then I tried tracing back with the F12 pause method and overshot here as well, so I never found the algorithm verification spot, because no matter how I look at this location it doesn't look like a verification point.
How did the OP determine that this was the place?
When clicking "Register now" on the main screen, the je above doesn't jump by default; when it reaches the Call dword ptr ds:,
the registration dialog pops up. If you enter a fake code and click "REGISTER", the error box that pops up also comes from this Call dword ptr ds:,
which seems to show that this CALL can pop up different dialogs, but they are the same type of dialog and all go through this CALL. So how did you determine that you had to step into this CALL to find
the algorithm verification location...
And the cmp word ptr ds:,0x0 above the je is what decides this je, so why isn't the check on this eax+0x4A the key to the verification?
Should one look for the algorithm verification above eax+0x4A?
wushishen posted on 2016-10-30 18:54
I see the OP only has this much skill: reposting! Hope you repost more good articles! I'm not talented myself, I can only repost things I'm interested in; all of humanity looks to you ...
Always original, never reposted. Only those without enough brains repost.
Congratulations to the OP on cracking it; very patient and inquisitive, respect.
Congratulations, congratulations, the article is concise and easy to understand.
Sound posted on 2016-10-26 23:19
Congratulations, congratulations, the article is concise and easy to understand.
Thanks for the moderator's encouragement. Your cracking speed opened my eyes.
hahacker posted on 2016-10-26 23:15
Congratulations to the OP on cracking it; very patient and inquisitive, respect.
Thanks. Cracking is a bit like playing chess: you only improve by constantly sparring with stronger players. Cracking is also about finding enjoyment in the tedious debugging process.
Enthusiastic reply! Thanks for sharing.
I can't quite follow the algorithm.
Algorithm analysis.
Congratulations, OP. My approach would be to use DeDe. I'll try it later.
This post was last edited by whyida on 2016-10-29 10:29.
cqr2287 posted on 2016-10-29 08:57
Congratulations, OP. My approach would be to use DeDe. I'll try it later.
Compiled with Delphi 2010; DeDe doesn't support it.