【文章标题】: zapline转载CM(第九天)分析
【文章作者】: creantan
【作者邮箱】: creantan@126.com
【作者主页】: www.crack-me.com
【下载地址】: http://bbs.52pojie.cn/thread-18577-1-1.html
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【详细过程】
peid查壳->MASM32 / TASM32 [Overlay]
汇编的。。呵呵。。
代码清晰。。。
0040105C . 6A 00 push 0 ; |/(initial cpu selection)
0040105E . 68 6F214000 push 0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048
00401063 . 6A 03 push 3 ; ||Mode = OPEN_EXISTING
00401065 . 6A 00 push 0 ; ||pSecurity = NULL
00401067 . 6A 03 push 3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069 . 68 000000C0 push C0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE
0040106E . 68 79204000 push 00402079 ; ||due-cm2.dat
00401073 . E8 0B020000 call <jmp.&KERNEL32.CreateFileA> ; |\CreateFileA
00401078 . 83F8 FF cmp eax, -1 ; |打开文件due-cm2.dat文件
0040107B . 75 1D jnz short 0040109A ; |不存在则出现过期信息
0040107D . 6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
0040107F . 68 01204000 push 00402001 ; ||duelist's crackme #2
00401084 . 68 17204000 push 00402017 ; ||your time-trial has ended... please register and copy the keyfile sent to you to this directory!
00401089 . 6A 00 push 0 ; ||hOwner = NULL
0040108B . E8 D7020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
00401090 . E8 24020000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
00401095 . E9 28010000 jmp 004011C2
0040109A > 6A 00 push 0 ; /pOverlapped = NULL
0040109C . 68 73214000 push 00402173 ; |pBytesRead = DueList_.00402173
004010A1 . 6A 46 push 46 ; |读取70个字节
004010A3 . 68 1A214000 push 0040211A ; |保存地址
004010A8 . 50 push eax ; |hFile
004010A9 . E8 2F020000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile
004010AE . 85C0 test eax, eax ; 读取文件
004010B0 . 75 02 jnz short 004010B4
004010B2 . EB 43 jmp short 004010F7
004010B4 > 33DB xor ebx, ebx
004010B6 . 33F6 xor esi, esi
004010B8 . 833D 73214000>cmp dword ptr [402173], 12 ; 文件中字符个数与18比较
004010BF . 7C 36 jl short 004010F7 ; 小于则弹出无效的Key文件提示
004010C1 > 8A83 1A214000 mov al, byte ptr [ebx+40211A] ; 逐个取字符
004010C7 . 3C 00 cmp al, 0 ; 看是否结束
004010C9 . 74 08 je short 004010D3
004010CB . 3C 01 cmp al, 1 ; 字符ASCII值是否为0x1
004010CD . 75 01 jnz short 004010D0 ; 不等则跳
004010CF . 46 inc esi ; ESI++
004010D0 > 43 inc ebx ; EBX++
004010D1 .^ EB EE jmp short 004010C1
004010D3 > 83FE 02 cmp esi, 2 ; 扫描文件中ASCII码值为1的字符个数是否不少于2个
004010D6 . 7C 1F jl short 004010F7 ; 小于的话提示无效的KEY文件提示
004010D8 . 33F6 xor esi, esi ; esi = 0
004010DA . 33DB xor ebx, ebx ; ebx = 0
004010DC > 8A83 1A214000 mov al, byte ptr [ebx+40211A] ; 开始从头开始扫描文件
004010E2 . 3C 00 cmp al, 0 ; 看是否文件结束
004010E4 . 74 09 je short 004010EF
004010E6 . 3C 01 cmp al, 1 ; 比较字符ASCII值是否为0x1
004010E8 . 74 05 je short 004010EF
004010EA . 03F0 add esi, eax ; 从文件开头逐个累加字符的ASCII值，直到遇到ASCII值为0x1的字符或文件结束
004010EC . 43 inc ebx
004010ED .^ EB ED jmp short 004010DC
004010EF > 81FE D5010000 cmp esi, 1D5 ; 所求和与0X1D5比较
004010F5 . 74 1D je short 00401114 ; 不等提示无效KEY文件
004010F7 > 6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
004010F9 . 68 01204000 push 00402001 ; ||duelist's crackme #2
004010FE . 68 86204000 push 00402086 ; ||your current keyfile is invalid... please obtain a valid one from the software author!
00401103 . 6A 00 push 0 ; ||hOwner = NULL
00401105 . E8 5D020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
0040110A . E8 AA010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040110F . E9 AE000000 jmp 004011C2
00401114 > 33F6 xor esi, esi ; esi = 0
00401116 > 43 inc ebx ; ebx++
00401117 . 8A83 1A214000 mov al, byte ptr [ebx+40211A] ; 取字符file[ebx] file为地址0x0040211A
0040111D . 3C 00 cmp al, 0
0040111F . 74 18 je short 00401139 ; 判断文件是否结束
00401121 . 3C 01 cmp al, 1
00401123 . 74 14 je short 00401139 ; 判断字符ASCII值是否为0x1
00401125 . 83FE 0F cmp esi, 0F ; esi与0x0f比较
00401128 . 73 0F jnb short 00401139
0040112A . 3286 1A214000 xor al, byte ptr [esi+40211A] ; al ^= file[esi]
00401130 . 8986 60214000 mov dword ptr [esi+402160], eax ; 这里就是后面注册成功显示的用户名了
00401136 . 46 inc esi ; esi++
00401137 .^ EB DD jmp short 00401116
00401139 > 43 inc ebx ; ebx++
0040113A . 33F6 xor esi, esi ; esi = 0
0040113C > 8A83 1A214000 mov al, byte ptr [ebx+40211A] ; 取file[ebx]
00401142 . 3C 00 cmp al, 0
00401144 . 74 09 je short 0040114F ; 判断文件是否结束
00401146 . 3C 01 cmp al, 1
00401148 .^ 74 F2 je short 0040113C ; 判断字符ASCII值是否为0x1
0040114A . 03F0 add esi, eax ; 求和
0040114C . 43 inc ebx ; ebx++
0040114D .^ EB ED jmp short 0040113C
0040114F > 81FE B2010000 cmp esi, 1B2 ; esi与0x1b2比较。。不等跳出无效KEY文件提示
00401155 .^ 75 A0 jnz short 004010F7
00401157 . 6A 00 push 0 ; /lParam = NULL
00401159 . 68 C9114000 push 004011C9 ; |DlgProc = DueList_.004011C9
0040115E . 6A 00 push 0 ; |hOwner = NULL
00401160 . 6A 05 push 5 ; |pTemplate = 5
00401162 . FF35 77214000 push dword ptr [402177] ; |hInst = NULL
00401168 . E8 42020000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
004011F4 > \68 60214000 push 00402160 ; /用户名
004011F9 . 6A 01 push 1 ; |ControlID = 1
004011FB . FF75 08 push dword ptr [ebp+8] ; |hWnd
004011FE . E8 5E010000 call <jmp.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA//设置EDIT里值为用户名即授权对象
--------------------------------------------------------------------------------
【经验总结】
汇编的代码比较清晰。。。喜欢。。。提供一个KEY文件。见附件
--------------------------------------------------------------------------------
【版权声明】: 本文原创于creantan, 转载请注明作者并保持文章的完整, 谢谢!
2009年02月05日 9:05:20 |