某视频的逆向分析(爆破\注册机\提取源)
1、爆破分析
2、注册机分析
3、提取源文件
分析过程
1、查壳Microsoft Visual C++ v6.0
2、打开视频
当前目录下生成 reg 文件,notepad++打开
3、典型的重启验证,OD载入 定位关键字 reg 找到2处 分别下断
004011AE|.68 30504000 push demo.00405030 ;\reg
004019D8|.68 30504000 push demo.00405030 ;\reg
4、F9运行 跑起来
004019D8|.68 30504000 push demo.00405030 ;\reg
004019DD|.8D4C24 08 lea ecx,dword ptr ss:
004019E1|.50 push eax
004019E2|.51 push ecx
004019E3|.C74424 24 00000000 mov dword ptr ss:,0x0
004019EB|.E8 38090000 call <jmp.&MFC42.#operator+_924>
004019F0|.8D4C24 08 lea ecx,dword ptr ss:
004019F4|.C64424 18 02 mov byte ptr ss:,0x2
004019F9|.E8 12090000 call <jmp.&MFC42.#CString::~CString_800>
004019FE|.8B5424 04 mov edx,dword ptr ss:
00401A02|.52 push edx ; /Path = ""
00401A03|.FF15 7C324000 call dword ptr ds:[<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
00401A09|.85C0 test eax,eax
00401A0B|.74 1A je short demo.00401A27
00401A0D|.51 push ecx
00401A0E|.8D4424 08 lea eax,dword ptr ss:
00401A12|.8BCC mov ecx,esp
00401A14|.896424 10 mov dword ptr ss:,esp
00401A18|.50 push eax
00401A19|.E8 F8080000 call <jmp.&MFC42.#CString::CString_535>
00401A1E|.8BCE mov ecx,esi
00401A20|.E8 3B000000 call demo.00401A60
00401A25|.EB 07 jmp short demo.00401A2E
00401A27|>8BCE mov ecx,esi
00401A29|.E8 12FFFFFF call demo.00401940
00401A2E|>8D4C24 04 lea ecx,dword ptr ss:
00401A32|.C74424 18 FFFFFFFF mov dword ptr ss:,-0x1
00401A3A|.E8 D1080000 call <jmp.&MFC42.#CString::~CString_800>
00401A3F|.8B4C24 10 mov ecx,dword ptr ss:
00401A43|.B8 01000000 mov eax,0x1
00401A20|.E8 3B000000 call demo.00401A60 这里是关键Call 进入
00401A60/$6A FF push -0x1
00401A62|.68 0E2A4000 push demo.00402A0E ;葛9@; SE 处理程序安装
00401A67|.64:A1 00000000 mov eax,dword ptr fs:
00401A6D|.50 push eax
00401A6E|.64:8925 00000000 mov dword ptr fs:,esp
00401A75|.81EC 10030000 sub esp,0x310
00401A7B|.55 push ebp
00401A7C|.56 push esi
00401A7D|.57 push edi ;user32.SendMessageA
00401A7E|.8BE9 mov ebp,ecx
00401A80|.8D4C24 0C lea ecx,dword ptr ss:
00401A84|.C78424 24030000 00000000 mov dword ptr ss:,0x0
00401A8F|.E8 B2080000 call <jmp.&MFC42.#CString::CString_540>
00401A94|.8B8424 2C030000 mov eax,dword ptr ss:
00401A9B|.68 A4514000 push demo.004051A4 ; /r
00401AA0|.50 push eax ; |path = "@;9"
00401AA1|.C68424 2C030000 01 mov byte ptr ss:,0x1 ; |
00401AA9|.FF15 5C324000 call dword ptr ds:[<&MSVCRT.fopen>] ; \fopen
00401AAF|.83C4 08 add esp,0x8
00401AB2|.8BF0 mov esi,eax
00401AB4|.8D4C24 0C lea ecx,dword ptr ss:
00401AB8|.56 push esi
00401AB9|.6A 0A push 0xA
00401ABB|.6A 00 push 0x0
00401ABD|.E8 D00A0000 call <jmp.&MFC42.#CString::GetBuffer_2915>
00401AC2|.50 push eax ; |s = 0012F840
00401AC3|.FF15 54324000 call dword ptr ds:[<&MSVCRT.fgets>] ; \fgets
00401AC9|.56 push esi ; /stream = 0012FE50
00401ACA|.FF15 64324000 call dword ptr ds:[<&MSVCRT.fclose>] ; \fclose
00401AD0|.83C4 0C add esp,0xC
00401AD3|.8D5424 10 lea edx,dword ptr ss:
00401AD7|.8BCC mov ecx,esp
00401AD9|.896424 14 mov dword ptr ss:,esp
00401ADD|.52 push edx ;mfc42.73E02630
00401ADE|.E8 33080000 call <jmp.&MFC42.#CString::CString_535>
00401AE3|.8BCD mov ecx,ebp
00401AE5|.E8 46010000 call demo.00401C30
00401AEA|.85C0 test eax,eax
00401AEC|.0F84 E8000000 je demo.00401BDA
5、 爆破
00401AEC|. /0F84 E8000000 je demo.00401BDA ; 把这条 je 改为 nop 之后，可以直接播放
6、分析算法
00401AE5 |. E8 46010000 call demo.00401C30; 进入关键call
00401C30/$6A FF push -0x1
00401C32|.68 402A4000 push demo.00402A40 ;SE 处理程序安装
00401C37|.64:A1 00000000 mov eax,dword ptr fs:
00401C3D|.50 push eax
00401C3E|.64:8925 00000000 mov dword ptr fs:,esp
00401C45|.83EC 10 sub esp,0x10
00401C48|.56 push esi
00401C49|.8BF1 mov esi,ecx
00401C4B|.8D4C24 08 lea ecx,dword ptr ss:
00401C4F|.C74424 1C 00000000 mov dword ptr ss:,0x0
00401C57|.E8 EA060000 call <jmp.&MFC42.#CString::CString_540>
00401C5C|.8D4C24 04 lea ecx,dword ptr ss:
00401C60|.C64424 1C 01 mov byte ptr ss:,0x1
00401C65|.E8 DC060000 call <jmp.&MFC42.#CString::CString_540>
00401C6A|.8D4424 08 lea eax,dword ptr ss:
00401C6E|.C64424 1C 02 mov byte ptr ss:,0x2
00401C73|.50 push eax
00401C74|.E8 47F4FFFF call demo.004010C0 ;取机器码
00401C79|.83C4 04 add esp,0x4
00401C7C|.8D4C24 24 lea ecx,dword ptr ss:
00401C80|.51 push ecx
00401C81|.8D4C24 08 lea ecx,dword ptr ss:
00401C85|.E8 92060000 call <jmp.&MFC42.#CString::operator=_858>
00401C8A|.51 push ecx
00401C8B|.8D5424 08 lea edx,dword ptr ss:
00401C8F|.8BCC mov ecx,esp
00401C91|.896424 10 mov dword ptr ss:,esp
00401C95|.52 push edx ;mfc42.73E02630
00401C96|.E8 7B060000 call <jmp.&MFC42.#CString::CString_535>
00401C9B|.51 push ecx
00401C9C|.8D4424 10 lea eax,dword ptr ss:
00401CA0|.8BCC mov ecx,esp
00401CA2|.896424 18 mov dword ptr ss:,esp
00401CA6|.50 push eax
00401CA7|.C64424 28 03 mov byte ptr ss:,0x3
00401CAC|.E8 65060000 call <jmp.&MFC42.#CString::CString_535>
00401CB1|.8BCE mov ecx,esi
00401CB3|.C64424 24 02 mov byte ptr ss:,0x2
00401CB8|.E8 83000000 call demo.00401D40 ;对比Call
00401CBD|.85C0 test eax,eax
00401CBF|.C64424 1C 01 mov byte ptr ss:,0x1
00401CC4|.8D4C24 04 lea ecx,dword ptr ss:
00401CC8|.74 3B je short demo.00401D05 ;
00401CB8 |. E8 83000000 call demo.00401D40 ; 关键对比Call进入
00401D40/$6A FF push -0x1
00401D42|.68 602A4000 push demo.00402A60 ;SE 处理程序安装
00401D47|.64:A1 00000000 mov eax,dword ptr fs:
00401D4D|.50 push eax
00401D4E|.64:8925 00000000 mov dword ptr fs:,esp
00401D55|.83EC 08 sub esp,0x8
00401D58|.53 push ebx
00401D59|.55 push ebp
00401D5A|.56 push esi
00401D5B|.57 push edi ;user32.SendMessageA
00401D5C|.C74424 20 00000000 mov dword ptr ss:,0x0
00401D64|.8B4424 28 mov eax,dword ptr ss: ;1147521097机器码传递给eax
00401D68|.8A08 mov cl,byte ptr ds:
00401D6A|.884C24 14 mov byte ptr ss:,cl ;esp+14真码给第一个
00401D6E|.8B4C24 2C mov ecx,dword ptr ss: ;ecx是假码 210971147
00401D72|.8A11 mov dl,byte ptr ds:
00401D74|.885424 10 mov byte ptr ss:,dl ;假码第一个给 esp+10
00401D78|.8B5424 14 mov edx,dword ptr ss: ;edx 真码第一个
00401D7C|.8B7424 10 mov esi,dword ptr ss: ;esi 假码第一个
00401D80|.81E2 FF000000 and edx,0xFF ;位与FF 取出311--31
00401D86|.81E6 FF000000 and esi,0xFF ;取出322--32
00401D8C|.03F2 add esi,edx ;esi=esi+edx63
00401D8E|.8A50 01 mov dl,byte ptr ds: ;真码第二位
00401D91|.885424 10 mov byte ptr ss:,dl ;第二位给esp+10
00401D95|.8A51 01 mov dl,byte ptr ds: ;假码第二位
00401D98|.885424 14 mov byte ptr ss:,dl ;给esp+14
00401D9C|.8B5424 10 mov edx,dword ptr ss:
00401DA0|.8B7C24 14 mov edi,dword ptr ss: ;demo.004029E0
00401DA4|.81E2 FF000000 and edx,0xFF ;真码第二位 31 1
00401DAA|.81E7 FF000000 and edi,0xFF ;假码第二位 31 -1
00401DB0|.03FA add edi,edx ;edi=edi+edx62
00401DB2|.8A50 02 mov dl,byte ptr ds:
00401DB5|.885424 10 mov byte ptr ss:,dl
00401DB9|.8A51 02 mov dl,byte ptr ds:
00401DBC|.885424 14 mov byte ptr ss:,dl
00401DC0|.8B5424 10 mov edx,dword ptr ss:
00401DC4|.8B6C24 14 mov ebp,dword ptr ss: ;demo.004029E0
00401DC8|.81E2 FF000000 and edx,0xFF ;真码第三
00401DCE|.81E5 FF000000 and ebp,0xFF ;假码第三
00401DD4|.03EA add ebp,edx ;ebp= ebp+edx64
00401DD6|.8A50 03 mov dl,byte ptr ds:
00401DD9|.885424 10 mov byte ptr ss:,dl
00401DDD|.8A51 03 mov dl,byte ptr ds:
00401DE0|.8B5C24 10 mov ebx,dword ptr ss:
00401DE4|.885424 14 mov byte ptr ss:,dl
00401DE8|.8B5424 14 mov edx,dword ptr ss: ;demo.004029E0
00401DEC|.81E3 FF000000 and ebx,0xFF ;真4
00401DF2|.81E2 FF000000 and edx,0xFF ;假4
00401DF8|.03D3 add edx,ebx ;70 = edx=edx+ebx
00401DFA|.03EA add ebp,edx ;ebp =ebp+edx64+700D4
00401DFC|.8A50 04 mov dl,byte ptr ds: ;真5
00401DFF|.885424 10 mov byte ptr ss:,dl
00401E03|.8A51 04 mov dl,byte ptr ds: ;假5
00401E06|.03EF add ebp,edi ;ebp=ebp+edi 0d4+062136
00401E08|.885424 14 mov byte ptr ss:,dl
00401E0C|.8B5424 10 mov edx,dword ptr ss:
00401E10|.03EE add ebp,esi ;ebp =ebp +esi 136 +63 199
00401E12|.8B7424 14 mov esi,dword ptr ss: ;demo.004029E0
00401E16|.81E2 FF000000 and edx,0xFF ;35 真5
00401E1C|.81E6 FF000000 and esi,0xFF ;假5 37
00401E22|.03F2 add esi,edx ;esi= esi+edx = 6c
00401E24|.8A50 05 mov dl,byte ptr ds:
00401E27|.885424 10 mov byte ptr ss:,dl
00401E2B|.8A51 05 mov dl,byte ptr ds:
00401E2E|.885424 14 mov byte ptr ss:,dl
00401E32|.8B5424 10 mov edx,dword ptr ss:
00401E36|.8B7C24 14 mov edi,dword ptr ss: ;demo.004029E0
00401E3A|.81E2 FF000000 and edx,0xFF ;真6
00401E40|.81E7 FF000000 and edi,0xFF ;假6
00401E46|.03FA add edi,edx ;edi=edi+edx63
00401E48|.8A50 06 mov dl,byte ptr ds: ;真7
00401E4B|.8A40 07 mov al,byte ptr ds: ;真8
00401E4E|.885424 10 mov byte ptr ss:,dl
00401E52|.8A51 06 mov dl,byte ptr ds: ;假7
00401E55|.8A49 07 mov cl,byte ptr ds: ;假8
00401E58|.8B5C24 10 mov ebx,dword ptr ss: ;真7真8
00401E5C|.885424 14 mov byte ptr ss:,dl ;假7 假8
00401E60|.8B5424 14 mov edx,dword ptr ss: ;demo.004029E0
00401E64|.884C24 14 mov byte ptr ss:,cl
00401E68|.81E2 FF000000 and edx,0xFF ;31 假7
00401E6E|.81E3 FF000000 and ebx,0xFF ;31 真7
00401E74|.884424 10 mov byte ptr ss:,al ;真8
00401E78|.8B4424 14 mov eax,dword ptr ss: ;demo.004029E0
00401E7C|.03D3 add edx,ebx ;edx=edx+ebx 62
00401E7E|.25 FF000000 and eax,0xFF ;假8 34
00401E83|.8B4C24 10 mov ecx,dword ptr ss:
00401E87|.C64424 20 00 mov byte ptr ss:,0x0
00401E8C|.81E1 FF000000 and ecx,0xFF ;30 真8
00401E92|.03C1 add eax,ecx ;eax=eax+ecx64
00401E94|.8D4C24 28 lea ecx,dword ptr ss:
00401E98|.03D0 add edx,eax ;edx+eax = 0c6
00401E9A|.03D7 add edx,edi ;129 edx+eax
00401E9C|.5F pop edi ;0012FE50
00401E9D|.03D6 add edx,esi ;edx=edx+esi195
00401E9F|.5E pop esi ;0012FE50
00401EA0|.3BEA cmp ebp,edx ;对比结果
00401EA2|.5D pop ebp ;0012FE50
00401EA3|.5B pop ebx ;0012FE50
00401EA4|.75 2C jnz short demo.00401ED2 ;爆破第三处
7、注册机算法
简单说
机器码前 4 个字节，每个字节(与 FF 进行 and 运算后)分别与注册码前 4 个字节中对应位置的字节(同样与 FF 进行 and 运算后)相加，再把这 4 个和累加，记为 A
机器码后 4 个字节，每个字节(与 FF 进行 and 运算后)分别与注册码后 4 个字节中对应位置的字节(同样与 FF 进行 and 运算后)相加，再把这 4 个和累加，记为 B
判断 A 和 B 是否一致：一致则正确，不一致则错误
换句话说 注册码是8位的。
8、注册机编写
代码很简单
.版本 2
' Keygen routine for the check traced at 00401D40 above: that routine adds the
' machine-code byte and the key byte at each position (each masked with 0xFF),
' sums positions 0-3 into one total and positions 4-7 into another, and treats
' the key as valid only when the two totals are equal.
' Parameter 机器码: the machine-code text the program produced.
' Returns: 注册码字节集 converted back to text; the byte set is allocated with
' 8 bytes (取空白字节集 (8)) before the loop.
.子程序 生成播放码, 文本型
.参数 机器码, 文本型
.局部变量 机器码字节集, 字节集
.局部变量 i, 整数型
.局部变量 注册码字节集, 字节集
机器码字节集 = 到字节集 (机器码)
注册码字节集 = 取空白字节集 (8)
.计次循环首 (8, i)
' NOTE(review): as shown, the loop body never uses the index i and assigns the
' whole masked byte set on every iteration. Bracketed operands are missing
' throughout this page (the ss:[...] operands in the listing), so an [i]
' subscript was probably lost in extraction — confirm against the original source.
注册码字节集 = 位与 (机器码字节集 , 255)
.计次循环尾 ()
返回 (到文本 (注册码字节集))
9、提取文件：下一个 CreateFile 的断点即可，文件会被释放到临时目录
有兴趣的可以自己去写一个提取程序
百度网盘文件名52发帖算法跟踪.zip
kentish 发表于 2018-7-19 00:11
前面还可以看懂,到了算法还是没有太明白,还是需要再静静去研究下
算法的地方,我是换到了虚拟机里面 调试的,本机没有OD 所以 机器码和假码不同了~~ 学习了虽说没学会{:301_1008:} 思路很清晰 可行谢谢楼主分享经验Thanks 你这个名字好熟悉,好像在哪见过,应该是以前收集过你的教程或者易语言模块:victory: 请问你是虫子吗?在下小白鼠 多谢楼主。还是不会用 思路清楚,学习了,谢谢 就喜欢干货,谢谢分享 前面还可以看懂,到了算法还是没有太明白,还是需要再静静去研究下
就喜欢干货,谢谢分享