新手:bjjgq
软件:MTV**相册8.5
工具:OD
先查壳,PEiD: ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov,在网上找了很多脚本也不成,也没有找到现成的工具,就带壳调试吧。
这只是一个试用版的,注册的时候会弹出一个对话框,要求输入用户名和注册码,随便录入一个,就会有错误的提示,F12断下来后看堆栈,然后逐步反推就可以找到关键的部分:
; ---------------------------------------------------------------------------
; 0085DBB0 -- registration dialog handler (OllyDbg listing of MTVAlbum.exe)
; The push ebp / push handler / push fs:[eax] / mov fs:[eax],esp sequence is
; the try/finally frame shape of Delphi-compiled code (inferred); [local.N]
; are string temporaries; ebx = the form object passed in eax.
; Flow visible below:
;   1. fetch the text of [ebx+394] (username per author) and [ebx+398]
;      (registration code per author); if either is empty, jump to the exit
;   2. call 0085D90C with ecx = code, edx = username (its listing follows)
;   3. al == 0 : decode the string at 0085DD48, show it, open the buy URL
;      al != 0 : decode the string at 0085DE20, show it, open the UserLogin URL
; Neither branch does anything but show a message and open a page: the check
; done here is a local format test, and the real decision is deferred to the
; server (see the author's note after the listing), so this code is not the
; trust boundary of the registration.
; Helpers 0057B1A4, 00415DDC, 007E47E4, 007E4D60, 00407B58/00407B60 are not
; shown; their roles in the comments are the author's annotations -- verify.
; ---------------------------------------------------------------------------
0085DBB0 /. 55 push ebp
0085DBB1 |. 8BEC mov ebp,esp
0085DBB3 |. B9 05000000 mov ecx,5
0085DBB8 |> 6A 00 /push 0 ; zero 10 dwords of locals (5 x two pushes)
0085DBBA |. 6A 00 |push 0
0085DBBC |. 49 |dec ecx
0085DBBD |.^ 75 F9 \jnz short MTVAlbum.0085DBB8
0085DBBF |. 53 push ebx
0085DBC0 |. 8BD8 mov ebx,eax ; ebx = form object
0085DBC2 |. 33C0 xor eax,eax
0085DBC4 |. 55 push ebp
0085DBC5 |. 68 30DD8500 push MTVAlbum.0085DD30 ; exception-frame handler address
0085DBCA |. 64:FF30 push dword ptr fs:[eax]
0085DBCD |. 64:8920 mov dword ptr fs:[eax],esp ; install the frame
0085DBD0 |. 8D55 F8 lea edx,[local.2]
0085DBD3 |. 8B83 94030000 mov eax,dword ptr ds:[ebx+394] ; username control (author's annotation)
0085DBD9 |. E8 C6D5D1FF call MTVAlbum.0057B1A4 ; get its text into local.2
0085DBDE |. 8B45 F8 mov eax,[local.2] ; username text
0085DBE1 |. 8D55 FC lea edx,[local.1]
0085DBE4 |. E8 F381BBFF call MTVAlbum.00415DDC ; local.1 = converted copy (helper not shown)
0085DBE9 |. 837D FC 00 cmp [local.1],0 ; empty username?
0085DBED |. 0F84 E2000000 je MTVAlbum.0085DCD5 ; -> exit without any message
0085DBF3 |. 8D55 F0 lea edx,[local.4]
0085DBF6 |. 8B83 98030000 mov eax,dword ptr ds:[ebx+398] ; registration-code control (author's annotation)
0085DBFC |. E8 A3D5D1FF call MTVAlbum.0057B1A4 ; get its text into local.4
0085DC01 |. 8B45 F0 mov eax,[local.4]
0085DC04 |. 8D55 F4 lea edx,[local.3]
0085DC07 |. E8 D081BBFF call MTVAlbum.00415DDC
0085DC0C |. 837D F4 00 cmp [local.3],0 ; empty code?
0085DC10 |. 0F84 BF000000 je MTVAlbum.0085DCD5 ; -> exit without any message
0085DC16 |. 33D2 xor edx,edx ; dl = 0
0085DC18 |. 8B83 9C030000 mov eax,dword ptr ds:[ebx+39C]
0085DC1E |. 8B08 mov ecx,dword ptr ds:[eax]
0085DC20 |. FF51 74 call dword ptr ds:[ecx+74] ; virtual call on [ebx+39C] with dl=0; same slot is called with dl=1 on failure -- role not visible here
0085DC23 |. 8D55 E8 lea edx,[local.6]
0085DC26 |. 8B83 98030000 mov eax,dword ptr ds:[ebx+398]
0085DC2C |. E8 73D5D1FF call MTVAlbum.0057B1A4 ; re-read the code text
0085DC31 |. 8B45 E8 mov eax,[local.6] ; registration code
0085DC34 |. 8D55 EC lea edx,[local.5]
0085DC37 |. A081BBFF call MTVAlbum.00415DDC
0085DC3C |. 8B45 EC mov eax,[local.5]
0085DC3F |. 50 push eax ; park the code pointer; popped into ecx below
0085DC40 |. 8D55 E0 lea edx,[local.8]
0085DC43 |. 8B83 94030000 mov eax,dword ptr ds:[ebx+394]
0085DC49 |. E8 56D5D1FF call MTVAlbum.0057B1A4 ; re-read the username text
0085DC4E |. 8B45 E0 mov eax,[local.8] ; username
0085DC51 |. 8D55 E4 lea edx,[local.7]
0085DC54 |. E8 8381BBFF call MTVAlbum.00415DDC
0085DC59 |. 8B55 E4 mov edx,[local.7] ; edx = username
0085DC5C |. 8BC3 mov eax,ebx ; eax = form object
0085DC5E |. 59 pop ecx ; ecx = registration code
0085DC5F |. E8 A8FCFFFF call MTVAlbum.0085D90C ; local format check (listed below); returns al
0085DC64 |. 84C0 test al,al
0085DC66 |. 75 3E jnz short MTVAlbum.0085DCA6 ; al != 0 -> format accepted
0085DC68 |. 8D55 DC lea edx,[local.9]
0085DC6B |. B8 48DD8500 mov eax,MTVAlbum.0085DD48 ; UNICODE "t8e3qNPDu6fD+7vy16Ky4cLro6zH68Gqz7W/qrei1d+5usLy1f3KvbDmo6E="
0085DC70 |. E8 6F6BF8FF call MTVAlbum.007E47E4 ; decode the string above (see 007E4738 later in the post)
0085DC75 |. 8B45 DC mov eax,[local.9]
0085DC78 |. E8 E370F8FF call MTVAlbum.007E4D60 ; show it (author's annotation: message box)
0085DC7D |. B2 01 mov dl,1 ; dl = 1
0085DC7F |. 8B83 9C030000 mov eax,dword ptr ds:[ebx+39C]
0085DC85 |. 8B08 mov ecx,dword ptr ds:[eax]
0085DC87 |. FF51 74 call dword ptr ds:[ecx+74] ; same virtual slot as above, now with dl=1
0085DC8A |. 6A 01 push 1 ; nShowCmd
0085DC8C |. 6A 00 push 0
0085DC8E |. 6A 00 push 0
0085DC90 |. 68 C4DD8500 push MTVAlbum.0085DDC4 ; UNICODE "http://www.fhsoft.net/buy_MTVAlbum.htm"
0085DC95 |. 6A 00 push 0
0085DC97 |. 8BC3 mov eax,ebx
0085DC99 |. E8 1A1BC8FF call MTVAlbum.004DF7B8 ; window handle of the form (inferred from the hWnd push)
0085DC9E |. 50 push eax ; |hWnd
0085DC9F |. E8 644DC1FF call MTVAlbum.00472A08 ; \ShellExecuteW
0085DCA4 |. EB 2F jmp short MTVAlbum.0085DCD5
0085DCA6 |> 8D55 D8 lea edx,[local.10] ; --- format accepted ---
0085DCA9 |. B8 20DE8500 mov eax,MTVAlbum.0085DE20 ; UNICODE "x+vPyLXHwr3V/cq9sObTw7unt/7O8cf4o6zPwtTY1f3KvbDmsLLXsLrz1NnXorLho6E="
0085DCAE |. E8 316BF8FF call MTVAlbum.007E47E4 ; decode the string above (decoded text is quoted at the end of the post)
0085DCB3 |. 8B45 D8 mov eax,[local.10]
0085DCB6 |. E8 A570F8FF call MTVAlbum.007E4D60 ; show it (author's annotation: message box)
0085DCBB |. 6A 01 push 1
0085DCBD |. 6A 00 push 0
0085DCBF |. 6A 00 push 0
0085DCC1 |. 68 ACDE8500 push MTVAlbum.0085DEAC ; UNICODE "http://www.fhsoft.net/UserLogin"
0085DCC6 |. 6A 00 push 0
0085DCC8 |. 8BC3 mov eax,ebx
0085DCCA |. E8 E91AC8FF call MTVAlbum.004DF7B8
0085DCCF |. 50 push eax ; |hWnd
0085DCD0 |. E8 334DC1FF call MTVAlbum.00472A08 ; \ShellExecuteW
0085DCD5 |> 33C0 xor eax,eax ; --- common exit: unwind the frame ---
0085DCD7 |. 5A pop edx
0085DCD8 |. 59 pop ecx
0085DCD9 |. 59 pop ecx
0085DCDA |. 64:8910 mov dword ptr fs:[eax],edx ; restore previous fs:[0]
0085DCDD |. 68 37DD8500 push MTVAlbum.0085DD37 ; continuation for the retn at 0085DD2F
0085DCE2 |> 8D45 D8 lea eax,[local.10] ; finally block: release the string temporaries (00407B58/00407B60 not shown)
0085DCE5 |. BA 02000000 mov edx,2
0085DCEA |. E8 719EBAFF call MTVAlbum.00407B60
0085DCEF |. 8D45 E0 lea eax,[local.8]
0085DCF2 |. E8 619EBAFF call MTVAlbum.00407B58
0085DCF7 |. 8D45 E4 lea eax,[local.7]
0085DCFA |. E8 599EBAFF call MTVAlbum.00407B58
0085DCFF |. 8D45 E8 lea eax,[local.6]
0085DD02 |. E8 519EBAFF call MTVAlbum.00407B58
0085DD07 |. 8D45 EC lea eax,[local.5]
0085DD0A |. E8 499EBAFF call MTVAlbum.00407B58
0085DD0F |. 8D45 F0 lea eax,[local.4]
0085DD12 |. E8 419EBAFF call MTVAlbum.00407B58
0085DD17 |. 8D45 F4 lea eax,[local.3]
0085DD1A |. E8 399EBAFF call MTVAlbum.00407B58
0085DD1F |. 8D45 F8 lea eax,[local.2]
0085DD22 |. E8 319EBAFF call MTVAlbum.00407B58
0085DD27 |. 8D45 FC lea eax,[local.1]
0085DD2A |. E8 299EBAFF call MTVAlbum.00407B58
0085DD2F \. C3 retn ; "returns" to the pushed continuation (0085DD37)
0085DD30 .^ E9 9F84BAFF jmp MTVAlbum.004061D4 ; frame handler entry: jumps to the runtime (presumably finally/exception dispatch -- verify)
0085DD35 .^ EB AB jmp short MTVAlbum.0085DCE2 ; re-enter the finally block
0085DD37 . 5B pop ebx ; epilogue proper
0085DD38 . 8BE5 mov esp,ebp
0085DD3A . 5D pop ebp
0085DD3B . C3 retn
; ---------------------------------------------------------------------------
; 0085D90C -- local format check of (username, registration code)
; In:  edx = username, ecx = registration code. Both are handled like Delphi
;      UnicodeString pointers (inferred): length dword at [p-4], element-size
;      word at [p-0Ah]; a null pointer means the empty string.
; Out: eax = bl -> 1 if every check passes, 0 otherwise.
; The recurring block "mov eax,[p] / test / sub edx,0A / cmp word [edx],2 /
; call 00406CC8 / sub eax,4 / mov eax,[eax]" is the length fetch; 00406CC8 is
; not shown (presumably converts a string whose element size is not 2 -- verify).
; Checks, in order; each failure does xor ebx,ebx and jumps to 0085DA7A:
;   username: non-empty; length >= 6 (jge, signed); first UTF-16 unit 'U'
;             (55h); last unit in '0'..'9'
;   code:     non-empty; length == 23 (17h); '-' (2Dh) at byte offsets 0Ah
;             and 16h, i.e. UTF-16 indices 5 and 11
; In the caller shown above the result only selects which message and URL
; are displayed; it does not unlock anything, which is why the author's
; sample values still end at an online check.
; ---------------------------------------------------------------------------
0085D90C /$ 55 push ebp
0085D90D |. 8BEC mov ebp,esp
0085D90F |. 83C4 F8 add esp,-8 ; two dword locals
0085D912 |. 53 push ebx
0085D913 |. 894D F8 mov [local.2],ecx ; local.2 = registration code
0085D916 |. 8955 FC mov [local.1],edx ; local.1 = username
0085D919 |. 8B45 FC mov eax,[local.1]
0085D91C |. E8 2FA2BAFF call MTVAlbum.00407B50 ; author: "modifies a flag"; helper not shown (string bookkeeping -- verify)
0085D921 |. 8B45 F8 mov eax,[local.2]
0085D924 |. E8 27A2BAFF call MTVAlbum.00407B50
0085D929 |. 33C0 xor eax,eax
0085D92B |. 55 push ebp
0085D92C |. 68 95DA8500 push MTVAlbum.0085DA95 ; exception-frame handler address
0085D931 |. 64:FF30 push dword ptr fs:[eax]
0085D934 |. 64:8920 mov dword ptr fs:[eax],esp
0085D937 |. B3 01 mov bl,1 ; bl = result, assume valid
0085D939 |. 837D FC 00 cmp [local.1],0 ; username empty?
0085D93D |. 75 07 jnz short MTVAlbum.0085D946
0085D93F |. 33DB xor ebx,ebx ; -> fail
0085D941 |. E9 34010000 jmp MTVAlbum.0085DA7A
0085D946 |> 8B45 FC mov eax,[local.1] ; --- username length fetch ---
0085D949 |. 85C0 test eax,eax
0085D94B |. 74 16 je short MTVAlbum.0085D963
0085D94D |. 8BD0 mov edx,eax
0085D94F |. 83EA 0A sub edx,0A
0085D952 |. 66:833A 02 cmp word ptr ds:[edx],2 ; element-size word at [p-0Ah] == 2?
0085D956 |. 74 0B je short MTVAlbum.0085D963
0085D958 |. 8D45 FC lea eax,[local.1]
0085D95B |. 8B55 FC mov edx,[local.1]
0085D95E |. E8 6593BAFF call MTVAlbum.00406CC8 ; otherwise convert in place (not shown)
0085D963 |> 85C0 test eax,eax
0085D965 |. 74 05 je short MTVAlbum.0085D96C
0085D967 |. 83E8 04 sub eax,4
0085D96A |. 8B00 mov eax,dword ptr ds:[eax] ; eax = length from [p-4]
0085D96C |> 83F8 06 cmp eax,6 ; username length: >= 6 passes (signed jge), < 6 fails
0085D96F |. 7D 04 jge short MTVAlbum.0085D975
0085D971 |. B0 01 mov al,1 ; al = 1 marks failure
0085D973 |. EB 24 jmp short MTVAlbum.0085D999
0085D975 |> 8B45 FC mov eax,[local.1] ; --- re-fetch username pointer ---
0085D978 |. 85C0 test eax,eax
0085D97A |. 74 16 je short MTVAlbum.0085D992
0085D97C |. 8BD0 mov edx,eax
0085D97E |. 83EA 0A sub edx,0A
0085D981 |. 66:833A 02 cmp word ptr ds:[edx],2
0085D985 |. 74 0B je short MTVAlbum.0085D992
0085D987 |. 8D45 FC lea eax,[local.1]
0085D98A |. 8B55 FC mov edx,[local.1]
0085D98D |. E8 3693BAFF call MTVAlbum.00406CC8
0085D992 |> 66:8338 55 cmp word ptr ds:[eax],55 ; first UTF-16 unit == 'U' (55h)?
0085D996 |. 0F95C0 setne al ; al = 1 if not
0085D999 |> 84C0 test al,al
0085D99B |. 74 04 je short MTVAlbum.0085D9A1
0085D99D |. B0 01 mov al,1 ; a previous check failed
0085D99F |. EB 3A jmp short MTVAlbum.0085D9DB
0085D9A1 |> 8B45 FC mov eax,[local.1] ; --- username length fetch again ---
0085D9A4 |. 85C0 test eax,eax
0085D9A6 |. 74 16 je short MTVAlbum.0085D9BE
0085D9A8 |. 8BD0 mov edx,eax
0085D9AA |. 83EA 0A sub edx,0A
0085D9AD |. 66:833A 02 cmp word ptr ds:[edx],2
0085D9B1 |. 74 0B je short MTVAlbum.0085D9BE
0085D9B3 |. 8D45 FC lea eax,[local.1]
0085D9B6 |. 8B55 FC mov edx,[local.1]
0085D9B9 |. E8 0A93BAFF call MTVAlbum.00406CC8
0085D9BE |> 85C0 test eax,eax
0085D9C0 |. 74 05 je short MTVAlbum.0085D9C7
0085D9C2 |. 83E8 04 sub eax,4
0085D9C5 |. 8B00 mov eax,dword ptr ds:[eax] ; eax = length
0085D9C7 |> 8B55 FC mov edx,[local.1]
0085D9CA |. 0FB74442 FE movzx eax,word ptr ds:[edx+eax*2-2] ; eax = last UTF-16 unit
0085D9CF |. 83C0 D0 add eax,-30 ; eax -= '0'
0085D9D2 |. 66:83E8 0A sub ax,0A ; CF set iff (unit - '0') < 10
0085D9D6 |. 0F92C0 setb al
0085D9D9 |. 34 01 xor al,1 ; al = 1 if the last unit is not a digit
0085D9DB |> 84C0 test al,al ; any username check failed?
0085D9DD |. 74 07 je short MTVAlbum.0085D9E6
0085D9DF |. 33DB xor ebx,ebx ; -> fail
0085D9E1 |. E9 94000000 jmp MTVAlbum.0085DA7A
0085D9E6 |> 837D F8 00 cmp [local.2],0 ; --- registration code checks: empty? ---
0085D9EA |. 75 07 jnz short MTVAlbum.0085D9F3
0085D9EC |. 33DB xor ebx,ebx ; -> fail
0085D9EE |. E9 87000000 jmp MTVAlbum.0085DA7A
0085D9F3 |> 8B45 F8 mov eax,[local.2] ; --- code length fetch ---
0085D9F6 |. 85C0 test eax,eax
0085D9F8 |. 74 16 je short MTVAlbum.0085DA10
0085D9FA |. 8BD0 mov edx,eax
0085D9FC |. 83EA 0A sub edx,0A
0085D9FF |. 66:833A 02 cmp word ptr ds:[edx],2
0085DA03 |. 74 0B je short MTVAlbum.0085DA10
0085DA05 |. 8D45 F8 lea eax,[local.2]
0085DA08 |. 8B55 F8 mov edx,[local.2]
0085DA0B |. E8 B892BAFF call MTVAlbum.00406CC8
0085DA10 |> 85C0 test eax,eax
0085DA12 |. 74 05 je short MTVAlbum.0085DA19
0085DA14 |. 83E8 04 sub eax,4
0085DA17 |. 8B00 mov eax,dword ptr ds:[eax] ; eax = length
0085DA19 |> 83F8 17 cmp eax,17 ; code length must be exactly 23 (17h)
0085DA1C |. 74 04 je short MTVAlbum.0085DA22
0085DA1E |. B0 01 mov al,1 ; al = 1 marks failure
0085DA20 |. EB 25 jmp short MTVAlbum.0085DA47
0085DA22 |> 8B45 F8 mov eax,[local.2] ; --- re-fetch code pointer ---
0085DA25 |. 85C0 test eax,eax
0085DA27 |. 74 16 je short MTVAlbum.0085DA3F
0085DA29 |. 8BD0 mov edx,eax
0085DA2B |. 83EA 0A sub edx,0A
0085DA2E |. 66:833A 02 cmp word ptr ds:[edx],2
0085DA32 |. 74 0B je short MTVAlbum.0085DA3F
0085DA34 |. 8D45 F8 lea eax,[local.2]
0085DA37 |. 8B55 F8 mov edx,[local.2]
0085DA3A |. E8 8992BAFF call MTVAlbum.00406CC8
0085DA3F |> 66:8378 0A 2D cmp word ptr ds:[eax+A],2D ; UTF-16 index 5 (6th char) == '-' (2Dh)?
0085DA44 |. 0F95C0 setne al
0085DA47 |> 84C0 test al,al
0085DA49 |. 74 04 je short MTVAlbum.0085DA4F
0085DA4B |. B0 01 mov al,1 ; a previous check failed
0085DA4D |. EB 25 jmp short MTVAlbum.0085DA74
0085DA4F |> 8B45 F8 mov eax,[local.2] ; --- re-fetch code pointer ---
0085DA52 |. 85C0 test eax,eax
0085DA54 |. 74 16 je short MTVAlbum.0085DA6C
0085DA56 |. 8BD0 mov edx,eax
0085DA58 |. 83EA 0A sub edx,0A
0085DA5B |. 66:833A 02 cmp word ptr ds:[edx],2
0085DA5F |. 74 0B je short MTVAlbum.0085DA6C
0085DA61 |. 8D45 F8 lea eax,[local.2]
0085DA64 |. 8B55 F8 mov edx,[local.2]
0085DA67 |. E8 5C92BAFF call MTVAlbum.00406CC8
0085DA6C |> 66:8378 16 2D cmp word ptr ds:[eax+16],2D ; UTF-16 index 11 (12th char) == '-' (2Dh)?
0085DA71 |. 0F95C0 setne al
0085DA74 |> 84C0 test al,al ; any code check failed?
0085DA76 |. 74 02 je short MTVAlbum.0085DA7A
0085DA78 |. 33DB xor ebx,ebx ; -> fail
0085DA7A |> 33C0 xor eax,eax ; --- common exit: unwind the frame ---
0085DA7C |. 5A pop edx
0085DA7D |. 59 pop ecx
0085DA7E |. 59 pop ecx
0085DA7F |. 64:8910 mov dword ptr fs:[eax],edx ; restore previous fs:[0]
0085DA82 |. 68 9CDA8500 push MTVAlbum.0085DA9C ; continuation for the retn at 0085DA94
0085DA87 |> 8D45 F8 lea eax,[local.2] ; finally block: release the two string locals (00407B60 not shown)
0085DA8A |. BA 02000000 mov edx,2
0085DA8F |. E8 CCA0BAFF call MTVAlbum.00407B60
0085DA94 \. C3 retn ; "returns" to the pushed continuation (0085DA9C)
0085DA95 .^ E9 3A87BAFF jmp MTVAlbum.004061D4 ; frame handler entry (runtime dispatch -- verify)
0085DA9A .^ EB EB jmp short MTVAlbum.0085DA87 ; re-enter the finally block
0085DA9C . 8BC3 mov eax,ebx ; result: 1 = format accepted, 0 = rejected
0085DA9E . 5B pop ebx
0085DA9F . 59 pop ecx
0085DAA0 . 59 pop ecx
0085DAA1 . 5D pop ebp
0085DAA2 . C3 retn
用户名:U12345
注册码:15215-61981-98191-11981
规则是这样的:用户名6位,要以U开头,以数字结尾;注册码共23位,每5位中间有一个‘-’分隔。但程序运行到这里只是对用户名和注册码做了简单的格式判断,并不是真正的验证,需要注册的还要在网上进行检验,提示:“请先登陆正式版用户服务区,下载正式版安装后再注册”
下面这段是对一段特殊的字符串进行解密的
; ---------------------------------------------------------------------------
; 007E4738 -- chunked 6-bit-symbol decoder (the shape of base64 decoding)
; In:  eax = src, edx = src length in bytes, ecx = dst
;      [arg.1] = ptr to the "symbols still needed" counter (loaded into esi)
;      [arg.2] = ptr to the running accumulator (loaded into eax)
;      Both are read on entry and written back on exit, so the routine can be
;      resumed across chunks.
; Out: eax = number of bytes written to dst; 0 when length is 0 (test/jbe
;      with CF clear == jump on zero). retn 8 pops the two stack args.
; Per input byte: dword lookup at ds:[ecx*4+8B0140] (table not shown);
; 0FFh = symbol skipped; otherwise acc = (acc << 6) | value, and after every
; 4th symbol the low 24 bits of acc are stored big-endian as 3 bytes, acc is
; cleared and the counter reset to 4.
; This is an encoding, not encryption: the strings at 0085DD48/0085DE20 are
; merely obscured, which is why they read out in the clear once decoded.
; The handler above calls 007E47E4, presumably a wrapper around this -- verify.
; ---------------------------------------------------------------------------
007E4738 /$ 55 push ebp
007E4739 |. 8BEC mov ebp,esp
007E473B |. 83C4 F4 add esp,-0C ; three dword locals
007E473E |. 56 push esi
007E473F |. 57 push edi
007E4740 |. 894D F8 mov [local.2],ecx ; local.2 = dst start (used for the byte count at the end)
007E4743 |. 85D2 test edx,edx
007E4745 |. 76 68 jbe short MTVAlbum.007E47AF ; length == 0 -> return 0
007E4747 |. 8BF8 mov edi,eax ; edi = src cursor
007E4749 |. 03D7 add edx,edi
007E474B |. 8955 F4 mov [local.3],edx ; local.3 = src end
007E474E |. 8B55 F8 mov edx,[local.2] ; edx = dst cursor
007E4751 |. 8B45 0C mov eax,[arg.2]
007E4754 |. 8B00 mov eax,dword ptr ds:[eax] ; eax = saved accumulator
007E4756 |. 8B75 08 mov esi,[arg.1]
007E4759 |. 8B36 mov esi,dword ptr ds:[esi] ; esi = saved "symbols still needed"
007E475B |. 3B7D F4 cmp edi,[local.3]
007E475E |. 74 3A je short MTVAlbum.007E479A ; nothing to read
007E4760 |> 0FB60F /movzx ecx,byte ptr ds:[edi] ; ecx = next input byte
007E4763 |. 8B0C8D 40018B>|mov ecx,dword ptr ds:[ecx*4+8B0140] ; ecx = table[byte] (table contents not shown)
007E476A |. 47 |inc edi
007E476B |. 81F9 FF000000 |cmp ecx,0FF ; 0FFh -> not a symbol, skip it
007E4771 |. 74 22 |je short MTVAlbum.007E4795
007E4773 |. C1E0 06 |shl eax,6
007E4776 |. 0BC1 |or eax,ecx ; acc = acc << 6 | value
007E4778 |. 4E |dec esi
007E4779 |. 85F6 |test esi,esi
007E477B |. 75 18 |jnz short MTVAlbum.007E4795 ; fewer than 4 symbols folded so far
007E477D |. 8842 02 |mov byte ptr ds:[edx+2],al ; emit acc[7:0]
007E4780 |. C1E8 08 |shr eax,8
007E4783 |. 8842 01 |mov byte ptr ds:[edx+1],al ; emit acc[15:8]
007E4786 |. C1E8 08 |shr eax,8
007E4789 |. 8802 |mov byte ptr ds:[edx],al ; emit acc[23:16] -> 3 bytes, big-endian
007E478B |. 33C0 |xor eax,eax ; acc = 0
007E478D |. 83C2 03 |add edx,3 ; dst += 3
007E4790 |. BE 04000000 |mov esi,4 ; next group needs 4 symbols
007E4795 |> 3B7D F4 |cmp edi,[local.3]
007E4798 |.^ 75 C6 \jnz short MTVAlbum.007E4760 ; until src end
007E479A |> 8B4D 0C mov ecx,[arg.2]
007E479D |. 8901 mov dword ptr ds:[ecx],eax ; write back accumulator
007E479F |. 8B45 08 mov eax,[arg.1]
007E47A2 |. 8930 mov dword ptr ds:[eax],esi ; write back counter
007E47A4 |. 8B45 F8 mov eax,[local.2]
007E47A7 |. 50 push eax
007E47A8 |. 8BC2 mov eax,edx
007E47AA |. 5A pop edx
007E47AB |. 2BC2 sub eax,edx ; eax = dst cursor - dst start = bytes written
007E47AD |. EB 02 jmp short MTVAlbum.007E47B1
007E47AF |> 33C0 xor eax,eax ; empty input -> 0 bytes
007E47B1 |> 5F pop edi
007E47B2 |. 5E pop esi
007E47B3 |. 8BE5 mov esp,ebp
007E47B5 |. 5D pop ebp
007E47B6 \. C2 0800 retn 8 ; callee pops the two stack args
例如本程序中就是把"x+vPyLXHwr3V/cq9sObTw7unt/7O8cf4o6zPwtTY1f3KvbDmsLLXsLrz1NnXorLho6E="解密成:请先登陆正式版用户服务区,下载正式版安装后再注册