[Title]: Algorithm analysis of zapline's Day 2 CM
[Author]: samisgod
[Author's e-mail]: 21gh@163.com
[Download]: http://bbs.52pojie.cn/thread-18096-1-1.html
[Author's note]: Just out of interest, no other purpose. Corrections from the masters are welcome!
I had a quick look at this CM a couple of days ago but didn't write it up; here it is now.
First, searching for the strings brings us here.
A quick analysis shows that [403166] == 0x10 is the success condition, and that 00401453 is a code dispatcher. Let's follow it in.
0040128D |> \3D 13010000 cmp eax,113
00401292 |. 75 50 jnz short 004012E4
00401294 |. E8 BA010000 call 00401453
00401299 |. 0FBE05 66314000 movsx eax,byte ptr [403166]
004012A0 |. 3A05 67314000 cmp al,byte ptr [403167]
004012A6 |. 75 06 jnz short 004012AE
004012A8 |. 33C0 xor eax,eax
004012AA |. C9 leave
004012AB |. C2 1000 retn 10
004012AE |> A2 67314000 mov byte ptr [403167],al
004012B3 |. 83F8 10 cmp eax,10
004012B6 |. 74 16 je short 004012CE
004012B8 |. 68 65304000 push 403065
; /your serial is not valid.
004012BD |. FF35 7C314000 push dword ptr [40317C]
; |hWnd = 001500F0 ('Your serial is not valid.',class='Edit',parent=001200E0)
004012C3 |. E8 66020000 call 0040152E
; \SetWindowTextA
004012C8 |. 33C0 xor eax,eax
004012CA |. C9 leave
004012CB |. C2 1000 retn 10
004012CE |> 68 7F304000 push 40307F
; /yes! you found your serial!!
004012D3 |. FF35 7C314000 push dword ptr [40317C]
; |hWnd = 001500F0 ('Your serial is not valid.',class='Edit',parent=001200E0)
004012D9 |. E8 50020000 call 0040152E
; \SetWindowTextA
004012DE |. 33C0 xor eax,eax
004012E0 |. C9 leave
004012E1 |. C2 1000 retn 10
Once we reach 401465, all of the target addresses become visible:
00401453 /$ 55 push ebp
00401454 |. 8BEC mov ebp,esp
00401456 |. 83C4 FC add esp,-4
00401459 |. 8925 A0314000 mov dword ptr [4031A0],esp
0040145F |. 8D25 52314000 lea esp,dword ptr [403152]
00401465 |. 0FBE05 66314000 movsx eax,byte ptr [403166]
0040146C |. 03E0 add esp,eax
0040146E \. C3 retn
The table looks like this:
00403152 0040146F Chafe_1.0040146F
00403156 00401063 Chafe_1.00401063
0040315A 00401361 Chafe_1.00401361
0040315E 0040149C Chafe_1.0040149C
00403162 004014BA Chafe_1.004014BA
Now let's analyse each of them in turn.
0040146F . 8B25 A0314000 mov esp,dword ptr [4031A0]
00401475 . 6A 00 push 0 ; /IsSigned = FALSE
00401477 . 8D45 FC lea eax,dword ptr [ebp-4] ; |
0040147A . 50 push eax ; |pSuccess = 0054C563
0040147B . 6A 64 push 64 ; |ControlID = 64 (100.)
0040147D . FF35 70314000 push dword ptr [403170] ; |hWnd = 001200E0 ('TEXme v1.0',class='TEXcls')
00401483 . E8 64000000 call 004014EC ; \GetDlgItemInt
00401488 . A3 88314000 mov dword ptr [403188],eax
0040148D . 837D FC 00 cmp dword ptr [ebp-4],0
00401491 . 74 07 je short 0040149A ; Chafe_1.0040149A
00401493 . 8005 66314000 04 add byte ptr [403166],4
0040149A > C9 leave ; (initial cpu selection)
0040149B . C3 retn
Here the serial only needs to be numeric to pass; [403166] is increased by 4, which also moves the dispatcher on to the second stage of processing.
As follows:
00401063 . 8B25 A0314000 mov esp,dword ptr [4031A0]
00401069 . 6A 14 push 14 ; /Count = 14 (20.)
0040106B . 68 8C314000 push 40318C ; |Buffer = Chafe_1.0040318C
00401070 . FF35 74314000 push dword ptr [403174] ; |hWnd = 00190110 (class='Edit',parent=001200E0)
00401076 . E8 7D040000 call 004014F8 ; \GetWindowTextA
0040107B . B9 14000000 mov ecx,14
00401080 . 2BC8 sub ecx,eax
00401082 . 8DB8 8C314000 lea edi,dword ptr [eax+40318C]
00401088 > C607 00 mov byte ptr [edi],0
0040108B . 47 inc edi
0040108C . 49 dec ecx
0040108D .^ 75 F9 jnz short 00401088 ; Chafe_1.00401088
0040108F . 85C0 test eax,eax
00401091 . 74 10 je short 004010A3 ; Chafe_1.004010A3
00401093 . 8005 66314000 04 add byte ptr [403166],4
0040109A . C605 68314000 00 mov byte ptr [403168],0
004010A1 . EB 06 jmp short 004010A9 ; Chafe_1.004010A9
004010A3 > 8825 66314000 mov byte ptr [403166],ah
004010A9 > C9 leave
004010AA . C3 retn
This one is still very simple: the username only needs to be non-empty to pass.
Next, the third stage of processing.
A quick analysis shows that [403168] is used as a byte-by-byte index into the username.
[403188] initially holds the serial's hex value; in each round it is incremented by 1 and then XORed with the username dword at the current offset.
A detailed explanation follows:
00401361 . 8D3D 8C314000 lea edi,dword ptr [40318C]
00401367 . 0FBE05 68314000 movsx eax,byte ptr [403168]
0040136E . 03F8 add edi,eax
00401370 . FE05 68314000 inc byte ptr [403168]
00401376 . A1 88314000 mov eax,dword ptr [403188]
0040137B . 8B25 A0314000 mov esp,dword ptr [4031A0]
00401381 . 40 inc eax
00401382 . FF05 88314000 inc dword ptr [403188]
00401388 . 3307 xor eax,dword ptr [edi]
0040138A . A3 88314000 mov dword ptr [403188],eax
0040138F . 803D 68314000 10 cmp byte ptr [403168],10
00401396 . 75 07 jnz short 0040139F
00401398 . 8005 66314000 04 add byte ptr [403166],4
0040139F > C9 leave
004013A0 . C3 retn
The username I used here is SFL Violator.
Its ASCII bytes are as follows:
0040318C 204C4653
00403190 6C6F6956
00403194 726F7461
00403198 00000000
Therefore, the value XORed in each round is as shown below:
204C4653
56204C46
6956204C
6F695620
6C6F6956
616C6F69
74616C6F
6F74616C
726F7461
00726F74
0000726F
00000072
00000000
00000000
00000000
00000000
In other words:
SN++
SN^=204C4653
SN++
SN^=56204C46
SN++
SN^=6956204C
......
Then we look at the last stage:
0040149C . A1 88314000 mov eax,dword ptr [403188]
004014A1 . 05 78241109 add eax,9112478
004014A6 . 85C0 test eax,eax
004014A8 . 75 09 jnz short 004014B3 ; Chafe_1.004014B3
004014AA . 8005 66314000 04 add byte ptr [403166],4
004014B1 . EB 07 jmp short 004014BA ; Chafe_1.004014BA
004014B3 > C605 66314000 00 mov byte ptr [403166],0
004014BA > 8B25 A0314000 mov esp,dword ptr [4031A0]
004014C0 . C9 leave
004014C1 . C3 retn
eax=[403188]
To keep the jump at 004014A8 from being taken, we need
eax+9112478=100000000 (the low 32 bits wrap to 0)
so
eax=F6EEDB88
Now we work backwards from this value one round at a time.
I didn't write a program... the arithmetic nearly killed me.
Read the table from the bottom up; after working back to the top step the hex value is E2B6C5E9,
whose decimal value 3803629033 is the serial.
Remember to paste it in, otherwise....
Each value in parentheses is the state of SN at that point; the line between two of them is the constant XORed in that round (going down: SN++, then SN ^= constant; going up: undo the XOR, then subtract 1).
(E2B6C5E9) -> 3803629033
204C4653
(C2FA83BA)
56204C46
(94DACFFD)
6956204C
(FD8CEFB2)
6F695620
(92E5B992)
6C6F6956
(FE8AD0C6)
616C6F69
(9FE6BFAF)
74616C6F
(EB87D3DF)
6F74616C
(84F3B28C)
726F7461
(F69CC6EC)
00726F74
(F6EEA999)
0000726F
(F6EEDBF5)
00000072
(F6EEDB84)
00000000
(F6EEDB85)
00000000
(F6EEDB86)
00000000
(F6EEDB87)
00000000
(F6EEDB88)
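As an added example, not code from the original post, the following Python models stage 3 (the 16 increment-and-XOR rounds) and stage 4 (the wrap-to-zero test) exactly as described above, and also runs the inverse walk used for the derivation table. The constants come from the listing; the function names and the 19-character username limit (the 0x14-byte GetWindowTextA buffer) are my reading of it.

```python
# Added example: model of the CM's stage 3 / stage 4 check and its inverse.
# Constants are taken from the listing above; function names are mine.
import struct

BUF_LEN = 0x14            # GetWindowTextA count at 00401069 (19 chars + NUL)
ROUNDS = 0x10             # stage 3 repeats until [403168] == 0x10
FINAL_ADD = 0x09112478    # "add eax, 9112478" at 004014A1
MASK = 0xFFFFFFFF

def xor_table(username: str) -> list:
    """Dwords stage 3 reads: the buffer at 40318C, zero-padded to 0x14
    bytes, read as a little-endian dword at byte offsets 0..15."""
    buf = username.encode("latin-1")[:BUF_LEN - 1].ljust(BUF_LEN, b"\x00")
    return [struct.unpack_from("<I", buf, i)[0] for i in range(ROUNDS)]

def run_stage3(serial: int, username: str) -> int:
    """Forward direction (00401361): SN = (SN + 1) ^ D[i] for 16 rounds."""
    sn = serial & MASK
    for d in xor_table(username):
        sn = ((sn + 1) & MASK) ^ d
    return sn

def passes_check(serial: int, username: str) -> bool:
    """Stage 4 (0040149C): succeed only if [403188] + 0x09112478 wraps to 0."""
    return (run_stage3(serial, username) + FINAL_ADD) & MASK == 0

def solve_serial(username: str) -> int:
    """Inverse walk, as in the table above: start from the required final
    state 0xF6EEDB88 and undo each round (XOR first, then subtract 1)."""
    sn = (-FINAL_ADD) & MASK
    for d in reversed(xor_table(username)):
        sn = ((sn ^ d) - 1) & MASK
    return sn

if __name__ == "__main__":
    name = "SFL Violator"                  # username used in the post
    serial = solve_serial(name)
    print(f"{name}: serial {serial} (0x{serial:08X}), "
          f"final state 0x{run_stage3(serial, name):08X}, "
          f"passes: {passes_check(serial, name)}")
```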
Finally, thanks for taking the trouble to read ^_^
2009-01-31 9:21:26
[ This post was last edited by samisgod on 2009-1-31 09:34 ]