千江月
Posted on 2009-4-11 12:58
MouseStar 3.55 algorithm analysis
File size: 735 KB   Category: foreign software / mouse & keyboard
Downloads: 26721   License: shareware
Language: English   Runs on: Win9x/Me/NT/2000/XP/2003
Rating: not given   Updated: 2008-1-25 14:51:36
Download: http://www.onlinedown.net/soft/12912.htm
Nisy's algorithm analysis: http://www.unpack.cn/viewthread.php?tid=12352
Hi everyone. A couple of days ago I read an algorithm analysis by Nisy in 《一蓑烟雨》, and at the end Nisy said algorithm analysis isn't hard. Since I'm right in the middle of learning algorithms, I figured I'd pick an easy target, so I downloaded this program to try it. I thought it would be simple, but instead I hit a hard nut: the analysis took me three evenings, and the strings being shuffled back and forth made my head spin. That's how the analysis below came about. It's my first time writing one, so please bear with anything that isn't clear.
First, of course, check for a packer: there is none, the program is written in Borland Delphi 4.0 - 5.0. DeDe and PE Explorer locate the registration routine:
00491BF4 /. 55 push ebp
Load it in OllyDbg and set a breakpoint there.
Username: qianjiangyue, registration code: 0123456789, and it breaks right here.
00491BF4 /. 55 PUSH EBP
00491BF5 |. 8BEC MOV EBP,ESP
00491BF7 |. 33C9 XOR ECX,ECX
00491BF9 |. 51 PUSH ECX
00491BFA |. 51 PUSH ECX
00491BFB |. 51 PUSH ECX
00491BFC |. 51 PUSH ECX
00491BFD |. 51 PUSH ECX
00491BFE |. 51 PUSH ECX
00491BFF |. 53 PUSH EBX
00491C00 |. 56 PUSH ESI
00491C01 |. 8BD8 MOV EBX,EAX
00491C03 |. 33C0 XOR EAX,EAX
00491C05 |. 55 PUSH EBP
00491C06 |. 68 301D4900 PUSH MouseSta.00491D30
00491C0B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00491C0E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00491C11 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00491C14 |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00491C1A |. E8 05A0F9FF CALL MouseSta.0042BC24 ; read the username from its edit control into [EBP-C]
00491C1F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00491C22 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00491C25 |. E8 2E64F7FF CALL MouseSta.00408058
00491C2A |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00491C2D |. A1 98BB4900 MOV EAX,DWORD PTR DS:[49BB98]
00491C32 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00491C34 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00491C37 |. E8 64560000 CALL MouseSta.004972A0 ; registration-code routine, step into it
00491C3C |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00491C3F |. 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00491C45 |. E8 DA9FF9FF CALL MouseSta.0042BC24 ; read the entered (fake) code from its edit control into [EBP-14]
00491C4A 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00491C4D |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00491C50 |. E8 0364F7FF CALL MouseSta.00408058
00491C55 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; EAX = the entered code
00491C58 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; EDX = the real code
00491C5B |. E8 4C22F7FF CALL MouseSta.00403EAC ; compare real and entered code
00491C60 |. 0F85 8F000000 JNZ MouseSta.00491CF5 ; patch point
00491C66 |. A1 98BB4900 MOV EAX,DWORD PTR DS:[49BB98]
Step into 00491C37 |. E8 64560000 CALL MouseSta.004972A0, the algorithm routine:
004972A0 /$ 55 PUSH EBP
004972A1 |. 8BEC MOV EBP,ESP
004972A3 |. 6A 00 PUSH 0
004972A5 |. 6A 00 PUSH 0
004972A7 |. 6A 00 PUSH 0
004972A9 |. 6A 00 PUSH 0
004972AB |. 6A 00 PUSH 0
004972AD |. 6A 00 PUSH 0
004972AF |. 6A 00 PUSH 0
004972B1 |. 53 PUSH EBX
004972B2 |. 8BD9 MOV EBX,ECX
004972B4 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004972B7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004972BA |. E8 91CCF6FF CALL MouseSta.00403F50
004972BF |. 33C0 XOR EAX,EAX
004972C1 |. 55 PUSH EBP
004972C2 |. 68 48734900 PUSH MouseSta.00497348
004972C7 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004972CA |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004972CD |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004972D0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; EAX = username
004972D3 |. E8 800DF7FF CALL MouseSta.00408058
004972D8 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004972DB |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004972DE |. E8 650BF7FF CALL MouseSta.00407E48 ; convert the username to upper case
004972E3 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
004972E6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004972E9 |. B9 5C734900 MOV ECX,MouseSta.0049735C ; ASCII "DELPHI2005"
004972EE |. E8 F5CAF6FF CALL MouseSta.00403DE8
004972F3 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004972F6 |. BA 70734900 MOV EDX,MouseSta.00497370 ; ASCII "MagicUtils2005"
004972FB |. E8 B4C8F6FF CALL MouseSta.00403BB4
00497300 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00497303 |. BA 88734900 MOV EDX,MouseSta.00497388 ; ASCII "zhiyuan"
00497308 |. E8 A7C8F6FF CALL MouseSta.00403BB4
0049730D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00497310 |. BA 98734900 MOV EDX,MouseSta.00497398 ; ASCII "3.55"
00497315 |. E8 9AC8F6FF CALL MouseSta.00403BB4
0049731A |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0049731D |. 50 PUSH EAX
0049731E |. 53 PUSH EBX
0049731F |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00497322 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00497325 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00497328 |. E8 1F8EFFFF CALL MouseSta.0049014C ; key routine, step into it
0049732D |. 33C0 XOR EAX,EAX
0049732F |. 5A POP EDX
00497330 |. 59 POP ECX
00497331 |. 59 POP ECX
00497332 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00497335 |. 68 4F734900 PUSH MouseSta.0049734F
0049733A |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0049733D |. BA 07000000 MOV EDX,7
00497342 |. E8 F9C7F6FF CALL MouseSta.00403B40
00497347 \. C3 RETN
Inside we see a few strings; write them down:
the username converted to upper case: qianjiangyue becomes QIANJIANGYUE
DELPHI2005
MagicUtils2005
zhiyuan
3.55
00497328 |. E8 1F8EFFFF CALL MouseSta.0049014C is also a key routine, step into it:
0049014C /$ 55 PUSH EBP
0049014D |. 8BEC MOV EBP,ESP
0049014F |. 83C4 EC ADD ESP,-14
00490152 |. 53 PUSH EBX
00490153 |. 33DB XOR EBX,EBX
00490155 |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490158 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0049015B |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049015E |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490161 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490164 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490167 |. E8 E43DF7FF CALL MouseSta.00403F50
0049016C |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049016F |. E8 DC3DF7FF CALL MouseSta.00403F50
00490174 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490177 |. E8 D43DF7FF CALL MouseSta.00403F50
0049017C |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049017F |. E8 CC3DF7FF CALL MouseSta.00403F50
00490184 |. 33C0 XOR EAX,EAX
00490186 |. 55 PUSH EBP
00490187 |. 68 F2014900 PUSH MouseSta.004901F2
0049018C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049018F |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00490192 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
00490195 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00490198 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0049019B |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
0049019E |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004901A1 |. 50 PUSH EAX
004901A2 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901A5 |. 50 PUSH EAX
004901A6 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004901A9 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004901AC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004901AF |. E8 80FDFFFF CALL MouseSta.0048FF34 ; computes the important string, you must step into this one
004901B4 |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
004901B7 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004901BA |. BA 05000000 MOV EDX,5
004901BF |. E8 983CF7FF CALL MouseSta.00403E5C ; concatenates the five strings pushed above (EDX = 5), key routine 2
004901C4 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004901C7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004901CA |. E8 31000000 CALL MouseSta.00490200 ; registration-code routine, step into it
004901CF |. 33C0 XOR EAX,EAX
004901D1 |. 5A POP EDX
004901D2 |. 59 POP ECX
004901D3 |. 59 POP ECX
004901D4 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004901D7 |. 68 F9014900 PUSH MouseSta.004901F9
004901DC |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901DF |. BA 05000000 MOV EDX,5
004901E4 |. E8 5739F7FF CALL MouseSta.00403B40
004901E9 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
004901EC |. E8 2B39F7FF CALL MouseSta.00403B1C
004901F1 \. C3 RETN
004901F2 .^ E9 3933F7FF JMP MouseSta.00403530
004901F7 .^ EB E3 JMP SHORT MouseSta.004901DC
004901F9 . 5B POP EBX
004901FA . 8BE5 MOV ESP,EBP
004901FC . 5D POP EBP
004901FD . C2 0800 RETN 8
Step into this call: 004901AF |. E8 80FDFFFF CALL MouseSta.0048FF34 ; computes the important string, you must step into this one
0048FF34 /$ 55 PUSH EBP
0048FF35 |. 8BEC MOV EBP,ESP
0048FF37 |. 83C4 E8 ADD ESP,-18
0048FF3A |. 53 PUSH EBX
0048FF3B |. 33DB XOR EBX,EBX
0048FF3D |. 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
0048FF40 |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
0048FF43 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0048FF46 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0048FF49 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0048FF4C |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0048FF4F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048FF52 |. E8 F93FF7FF CALL MouseSta.00403F50
0048FF57 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0048FF5A |. E8 F13FF7FF CALL MouseSta.00403F50
0048FF5F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048FF62 |. E8 E93FF7FF CALL MouseSta.00403F50
0048FF67 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0048FF6A |. E8 E13FF7FF CALL MouseSta.00403F50
0048FF6F |. 33C0 XOR EAX,EAX
0048FF71 |. 55 PUSH EBP
0048FF72 |. 68 EFFF4800 PUSH MouseSta.0048FFEF
0048FF77 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0048FF7A |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048FF7D |. 33D2 XOR EDX,EDX
0048FF7F |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0048FF82 |. E8 3182F7FF CALL MouseSta.004081B8
0048FF87 |. 8BD0 MOV EDX,EAX
0048FF89 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0048FF8C |. B8 00004900 MOV EAX,MouseSta.00490000
0048FF91 |. E8 6E000000 CALL MouseSta.00490004
0048FF96 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048FF99 |. E8 C23FF7FF CALL MouseSta.00403F60
0048FF9E |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0048FFA1 |. 33D2 XOR EDX,EDX
0048FFA3 |. E8 5C000000 CALL MouseSta.00490004
0048FFA8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048FFAB |. E8 B03FF7FF CALL MouseSta.00403F60
0048FFB0 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0048FFB3 |. 33D2 XOR EDX,EDX
0048FFB5 |. E8 4A000000 CALL MouseSta.00490004 ; key point one (runs the string loop over the upper-case username + DELPHI2005)
0048FFBA |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0048FFBD |. E8 9E3FF7FF CALL MouseSta.00403F60
0048FFC2 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0048FFC5 |. 33D2 XOR EDX,EDX
0048FFC7 |. E8 38000000 CALL MouseSta.00490004 ; the same string loop again (this time over MagicUtils2005, writing into the caller's output variable)
0048FFCC |. 33C0 XOR EAX,EAX
0048FFCE |. 5A POP EDX
0048FFCF |. 59 POP ECX
0048FFD0 |. 59 POP ECX
0048FFD1 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0048FFD4 |. 68 F6FF4800 PUSH MouseSta.0048FFF6
0048FFD9 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048FFDC |. BA 06000000 MOV EDX,6
0048FFE1 |. E8 5A3BF7FF CALL MouseSta.00403B40
0048FFE6 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
0048FFE9 |. E8 2E3BF7FF CALL MouseSta.00403B1C
0048FFEE \. C3 RETN
0048FFEF .^ E9 3C35F7FF JMP MouseSta.00403530
0048FFF4 .^ EB E3 JMP SHORT MouseSta.0048FFD9
0048FFF6 . 5B POP EBX
0048FFF7 . 8BE5 MOV ESP,EBP
0048FFF9 . 5D POP EBP
0048FFFA . C2 0800 RETN 8
0048FFB5 |. E8 4A000000 CALL MouseSta.00490004 ; key point one (runs the string loop over the upper-case username + DELPHI2005)
00490004 |. 55 PUSH EBP
00490005 |. 8BEC MOV EBP,ESP
00490007 |. 83C4 EC ADD ESP,-14
0049000A |. 53 PUSH EBX
0049000B |. 56 PUSH ESI
0049000C |. 57 PUSH EDI
0049000D |. 33DB XOR EBX,EBX
0049000F |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490012 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00490015 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00490018 |. 8BF2 MOV ESI,EDX
0049001A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049001D |. 33C0 XOR EAX,EAX
0049001F |. 55 PUSH EBP
00490020 |. 68 3E014900 PUSH MouseSta.0049013E
00490025 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00490028 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049002B |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049002E |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00490031 |. E8 9E3CF7FF CALL MouseSta.00403CD4
00490036 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00490039 |. E8 5E3DF7FF CALL MouseSta.00403D9C
0049003E |. 8BD8 MOV EBX,EAX
00490040 |. 85DB TEST EBX,EBX
00490042 |. 75 13 JNZ SHORT MouseSta.00490057
00490044 |. 8935 10CC4900 MOV DWORD PTR DS:[49CC10],ESI
0049004A |. 6BC6 64 IMUL EAX,ESI,64
0049004D |. A3 14CC4900 MOV DWORD PTR DS:[49CC14],EAX
00490052 |. E9 CC000000 JMP MouseSta.00490123
00490057 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049005A |. E8 BD3AF7FF CALL MouseSta.00403B1C
0049005F |. 8BFB MOV EDI,EBX
00490061 |. 4F DEC EDI
00490062 |. 85FF TEST EDI,EDI
00490064 |. 0F8C B9000000 JL MouseSta.00490123 ; the comments below describe the first iteration
0049006A |. 47 INC EDI
0049006B |. 33F6 XOR ESI,ESI
0049006D |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; EAX = upper-case username + DELPHI2005
00490070 |. 8A0430 |MOV AL,BYTE PTR DS:[EAX+ESI] ; fetch the next character into AL
00490073 |. 3C 20 |CMP AL,20 ; below 0x20: skip this character
00490075 |. 0F82 A0000000 |JB MouseSta.0049011B
0049007B |. 3C 7E |CMP AL,7E ; above 0x7E: skip this character
0049007D |. 0F87 98000000 |JA MouseSta.0049011B
00490083 |. 8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ; the seed in [49CC10], 0x2C19 at this point
00490089 |. 81E2 FFFFFF1F |AND EDX,1FFFFFFF
0049008F |. 8B0D 10CC4900 |MOV ECX,DWORD PTR DS:[49CC10]
00490095 |. C1E9 1D |SHR ECX,1D
00490098 |. 83E1 31 |AND ECX,31
0049009B |. 33D1 |XOR EDX,ECX
0049009D |. 8915 10CC4900 |MOV DWORD PTR DS:[49CC10],EDX ; seed = (seed AND 1FFFFFFF) XOR ((seed SHR 1D) AND 31); leaves 0x2C19 unchanged
004900A3 |. 8845 F7 |MOV BYTE PTR SS:[EBP-9],AL
004900A6 |. A1 10CC4900 |MOV EAX,DWORD PTR DS:[49CC10] ; EAX = seed (0x2C19)
004900AB |. B9 5F000000 |MOV ECX,5F ; divisor 0x5F
004900B0 |. 99 |CDQ
004900B1 |. F7F9 |IDIV ECX ; signed divide, quotient in EAX (0x2C19 / 0x5F = 0x76)
004900B3 |. 33D2 |XOR EDX,EDX
004900B5 |. 8A55 F7 |MOV DL,BYTE PTR SS:[EBP-9] ; DL = the current character (first iteration: 'Q')
004900B8 |. 83EA 20 |SUB EDX,20 ; EDX = character - 0x20
004900BB |. 2BC2 |SUB EAX,EDX ; EAX = quotient - (character - 0x20)
004900BD |. E8 32FEFFFF |CALL MouseSta.0048FEF4 ; not followed in this post; its result + 0x20 is the output character
004900C2 |. 8BD8 |MOV EBX,EAX
004900C4 |. 80C3 20 |ADD BL,20 ; BL is the output character; it is appended to the string at 00490113
004900C7 |. FF05 14CC4900 |INC DWORD PTR DS:[49CC14] ; counter in [49CC14] (7 here) += 1
004900CD |. 813D 14CC4900>|CMP DWORD PTR DS:[49CC14],5179
004900D7 |. 7C 07 |JL SHORT MouseSta.004900E0 ; below 0x5179: keep the counter
004900D9 |. 33C0 |XOR EAX,EAX
004900DB |. A3 14CC4900 |MOV DWORD PTR DS:[49CC14],EAX ; otherwise reset it to 0
004900E0 |> 8A45 F7 |MOV AL,BYTE PTR SS:[EBP-9] ; AL = the current character
004900E3 |. 32C3 |XOR AL,BL ; AL = character XOR BL
004900E5 |. 25 FF000000 |AND EAX,0FF
004900EA |. 8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ; EDX = seed (0x2C19)
004900F0 |. 0315 10CC4900 |ADD EDX,DWORD PTR DS:[49CC10] ; EDX = seed * 2 (0x2C19 + 0x2C19 = 0x5832)
004900F6 |. 03C2 |ADD EAX,EDX ; + (character XOR BL)
004900F8 |. 0305 14CC4900 |ADD EAX,DWORD PTR DS:[49CC14] ; + counter
004900FE |. A3 10CC4900 |MOV DWORD PTR DS:[49CC10],EAX ; new seed for the next iteration
00490103 |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00490106 |. 8BD3 |MOV EDX,EBX
00490108 |. E8 B73BF7FF |CALL MouseSta.00403CC4 ; one-character string from BL
0049010D |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00490110 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00490113 |. E8 8C3CF7FF |CALL MouseSta.00403DA4 ; append it to the output string [EBP-8]
00490118 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049011B |> 46 |INC ESI ; next character
0049011C |. 4F |DEC EDI ; characters remaining
0049011D |.^ 0F85 4AFFFFFF \JNZ MouseSta.0049006D ; loop
00490123 |> 33C0 XOR EAX,EAX
00490125 |. 5A POP EDX
00490126 |. 59 POP ECX
00490127 |. 59 POP ECX
00490128 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049012B |. 68 45014900 PUSH MouseSta.00490145
00490130 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00490133 |. BA 02000000 MOV EDX,2
00490138 |. E8 033AF7FF CALL MouseSta.00403B40
0049013D \. C3 RETN
0049013E .^ E9 ED33F7FF JMP MouseSta.00403530
00490143 .^ EB EB JMP SHORT MouseSta.00490130
00490145 . 5F POP EDI
00490146 . 5E POP ESI
00490147 . 5B POP EBX
00490148 . 8BE5 MOV ESP,EBP
0049014A . 5D POP EBP
0049014B . C3 RETN
What this loop does, in order:
It runs over the upper-case username concatenated with DELPHI2005, one character per iteration, keeping two globals: a seed in [49CC10] (0x2C19 when this pass starts) and a counter in [49CC14] (7 at that point). Both were left behind by the two earlier calls of the same routine at 0048FF91 and 0048FFA3, which work on constant strings, so they do not depend on the username.
Step 1: mask the seed, seed = (seed AND 1FFFFFFF) XOR ((seed SHR 1D) AND 31); for 0x2C19 this changes nothing. Then divide: seed (dividend) 0x2C19 / 0x5F (divisor) = 0x76 (quotient).
Step 2: take the character's code minus 0x20 ('Q' = 0x51 gives 0x31).
Step 3: (quotient) - (character - 0x20), run through the call at 0048FEF4 (not traced in this post), then + 0x20. This is the output character in BL; it is appended to a string that this pass throws away.
Step 4: counter [49CC14] + 1 (7 becomes 8). Add 1 on every iteration; it is reset to 0 once it reaches 0x5179.
Step 5: the character XOR the step-3 value (BL), masked to one byte.
Step 6: seed + seed (0x2C19 + 0x2C19 = 0x5832).
Step 7: step 5 + step 6.
Step 8: step 7 + the counter from step 4.
Step 9: the step-8 value becomes the seed (dividend) of step 1 for the next iteration; the divisor 0x5F never changes.
Then it loops. My username is QIANJIANGYUE + DELPHI2005 = QIANJIANGYUEDELPHI2005, so it loops 22 times.
Key point: what we need from this pass is the step-8 value after the last iteration.
This routine is called twice, and the next call starts from that value.
When we step on to 0048FFC7 |. E8 38000000 CALL MouseSta.00490004 and step into it, it is the same routine at 00490004 again.
00490004 /$ 55 PUSH EBP
00490005 |. 8BEC MOV EBP,ESP
00490007 |. 83C4 EC ADD ESP,-14
0049000A |. 53 PUSH EBX
0049000B |. 56 PUSH ESI
0049000C |. 57 PUSH EDI
0049000D |. 33DB XOR EBX,EBX
0049000F |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490012 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00490015 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00490018 |. 8BF2 MOV ESI,EDX
0049001A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049001D |. 33C0 XOR EAX,EAX
0049001F |. 55 PUSH EBP
00490020 |. 68 3E014900 PUSH MouseSta.0049013E
00490025 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00490028 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049002B |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049002E |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00490031 |. E8 9E3CF7FF CALL MouseSta.00403CD4
00490036 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00490039 |. E8 5E3DF7FF CALL MouseSta.00403D9C
0049003E |. 8BD8 MOV EBX,EAX
00490040 |. 85DB TEST EBX,EBX
00490042 |. 75 13 JNZ SHORT MouseSta.00490057
00490044 |. 8935 10CC4900 MOV DWORD PTR DS:[49CC10],ESI
0049004A |. 6BC6 64 IMUL EAX,ESI,64
0049004D |. A3 14CC4900 MOV DWORD PTR DS:[49CC14],EAX
00490052 |. E9 CC000000 JMP MouseSta.00490123
00490057 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049005A |. E8 BD3AF7FF CALL MouseSta.00403B1C
0049005F |. 8BFB MOV EDI,EBX
00490061 |. 4F DEC EDI
00490062 |. 85FF TEST EDI,EDI
00490064 |. 0F8C B9000000 JL MouseSta.00490123
0049006A |. 47 INC EDI
0049006B |. 33F6 XOR ESI,ESI
0049006D |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; EAX = MagicUtils2005
00490070 |. 8A0430 |MOV AL,BYTE PTR DS:[EAX+ESI] ; fetch the next character into AL
00490073 |. 3C 20 |CMP AL,20 ; below 0x20: skip this character
00490075 |. 0F82 A0000000 |JB MouseSta.0049011B
0049007B |. 3C 7E |CMP AL,7E ; above 0x7E: skip this character
0049007D |. 0F87 98000000 |JA MouseSta.0049011B
00490083 |. 8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ; same routine as before, so the seed is the last value of the username pass (0x180FC3D5)
00490089 |. 81E2 FFFFFF1F |AND EDX,1FFFFFFF
0049008F |. 8B0D 10CC4900 |MOV ECX,DWORD PTR DS:[49CC10]
00490095 |. C1E9 1D |SHR ECX,1D
00490098 |. 83E1 31 |AND ECX,31
0049009B |. 33D1 |XOR EDX,ECX
0049009D |. 8915 10CC4900 |MOV DWORD PTR DS:[49CC10],EDX ; seed = (seed AND 1FFFFFFF) XOR ((seed SHR 1D) AND 31)
004900A3 |. 8845 F7 |MOV BYTE PTR SS:[EBP-9],AL
004900A6 |. A1 10CC4900 |MOV EAX,DWORD PTR DS:[49CC10] ; EAX = seed (0x180FC3D5 on the first iteration)
004900AB |. B9 5F000000 |MOV ECX,5F ; divisor 0x5F
004900B0 |. 99 |CDQ
004900B1 |. F7F9 |IDIV ECX ; signed divide, quotient in EAX
004900B3 |. 33D2 |XOR EDX,EDX
004900B5 |. 8A55 F7 |MOV DL,BYTE PTR SS:[EBP-9] ; DL = the current character
004900B8 |. 83EA 20 |SUB EDX,20 ; EDX = character - 0x20
004900BB |. 2BC2 |SUB EAX,EDX ; EAX = quotient - (character - 0x20)
004900BD |. E8 32FEFFFF |CALL MouseSta.0048FEF4
004900C2 |. 8BD8 |MOV EBX,EAX
004900C4 |. 80C3 20 |ADD BL,20 ; this pass is about the characters: BL, converted to a character, is appended to the output string on every one of the 14 iterations, so the pass yields a 14-character string (the '>' that appears after 3.55 in the concatenation is its first character)
004900C7 |. FF05 14CC4900 |INC DWORD PTR DS:[49CC14] ; counter (its value after the username pass) += 1
004900CD |. 813D 14CC4900>|CMP DWORD PTR DS:[49CC14],5179
004900D7 |. 7C 07 |JL SHORT MouseSta.004900E0
004900D9 |. 33C0 |XOR EAX,EAX
004900DB |. A3 14CC4900 |MOV DWORD PTR DS:[49CC14],EAX
004900E0 |> 8A45 F7 |MOV AL,BYTE PTR SS:[EBP-9] ; AL = the current character
004900E3 |. 32C3 |XOR AL,BL ; AL = character XOR BL
004900E5 |. 25 FF000000 |AND EAX,0FF
004900EA |. 8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ; EDX = seed (0x180FC3D5 on the first iteration)
004900F0 |. 0315 10CC4900 |ADD EDX,DWORD PTR DS:[49CC10] ; EDX = seed * 2
004900F6 |. 03C2 |ADD EAX,EDX
004900F8 |. 0305 14CC4900 |ADD EAX,DWORD PTR DS:[49CC14]
004900FE |. A3 10CC4900 |MOV DWORD PTR DS:[49CC10],EAX
00490103 |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00490106 |. 8BD3 |MOV EDX,EBX
00490108 |. E8 B73BF7FF |CALL MouseSta.00403CC4
0049010D |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00490110 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00490113 |. E8 8C3CF7FF |CALL MouseSta.00403DA4
00490118 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049011B |> 46 |INC ESI ; next character
0049011C |. 4F |DEC EDI ; characters remaining
0049011D |.^ 0F85 4AFFFFFF \JNZ MouseSta.0049006D ; loop
00490123 |> 33C0 XOR EAX,EAX
00490125 |. 5A POP EDX
00490126 |. 59 POP ECX
00490127 |. 59 POP ECX
00490128 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049012B |. 68 45014900 PUSH MouseSta.00490145
00490130 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00490133 |. BA 02000000 MOV EDX,2
00490138 |. E8 033AF7FF CALL MouseSta.00403B40
0049013D \. C3 RETN
0049013E .^ E9 ED33F7FF JMP MouseSta.00403530
00490143 .^ EB EB JMP SHORT MouseSta.00490130
00490145 . 5F POP EDI
00490146 . 5E POP ESI
00490147 . 5B POP EBX
00490148 . 8BE5 MOV ESP,EBP
0049014A . 5D POP EBP
0049014B . C3 RETN
What this pass does:
It runs the same loop over the fixed string MagicUtils2005, starting from the seed and counter the username pass left behind, so its output depends on the username even though the input string is constant.
004900C4 |. 80C3 20 |ADD BL,20 ; this time what we need is the character BL turns into on each iteration. The loop runs 14 times (the length of MagicUtils2005) and every iteration appends one character, so the pass yields a 14-character string. Counting 13 characters from the second iteration on is off by one: the string table holds only "3.55", with no '>', so the '>' that shows up after 3.55 in the concatenated string is the first character produced here, and counting it is what makes the total come out to 61.
After collecting the string from this call we return to:
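As an added illustration (this is not code from the post or from MouseStar), here is a Python model of the loop at 00490004 written from the listing above; it serves both the username pass and the MagicUtils2005 pass, since both are calls of the same routine. The one thing the page does not show is the routine at 0048FEF4. It is modelled here as reduction into the range 0..0x5E (x mod 0x5F), which is what makes BL + 0x20 land in 0x20..0x7E; with that assumption, starting from the seed 0x180FC3D5 and the counter 29 (7 + 22 after the username pass), the model reproduces the first characters '>', 'n', '3' of the string recorded above. How 0048FEF4 treats a negative input is not visible on the page, so that case is not modelled.

```python
DIVISOR = 0x5F           # MOV ECX,5F
COUNTER_LIMIT = 0x5179   # CMP DWORD PTR [49CC14],5179


def reduce_0048FEF4(x: int) -> int:
    """Assumed model of the routine at 0048FEF4, which the page does not show:
    bring the value into 0..0x5E so that +0x20 yields a printable character."""
    return x % DIVISOR


def rotate_seed(seed: int) -> int:
    """The instructions at 00490083..0049009B."""
    return (seed & 0x1FFFFFFF) ^ ((seed >> 29) & 0x31)


def mix_pass(seed: int, counter: int, data: bytes, edx_param: int = 0):
    """One call of 00490004. seed/counter model the globals [49CC10]/[49CC14];
    returns (seed, counter, output string) so a second call can continue from them."""
    if len(data) == 0:                       # TEST EBX,EBX / JNZ: an empty string resets the state
        return edx_param, (edx_param * 100) & 0xFFFFFFFF, ""
    out = []
    for c in data:
        if c < 0x20 or c > 0x7E:             # CMP AL,20 / JB and CMP AL,7E / JA
            continue
        seed = rotate_seed(seed)
        quotient = seed // DIVISOR           # CDQ / IDIV ECX (seed is non-negative after the mask)
        bl = (reduce_0048FEF4(quotient - (c - 0x20)) + 0x20) & 0xFF   # SUB EAX,EDX / CALL / ADD BL,20
        counter += 1                         # INC DWORD PTR [49CC14]
        if counter >= COUNTER_LIMIT:         # JL skips the reset
            counter = 0
        seed = (((c ^ bl) & 0xFF) + seed * 2 + counter) & 0xFFFFFFFF   # 004900E3..004900FE
        out.append(chr(bl))                  # string append at 00490103..00490113
    return seed, counter, "".join(out)


if __name__ == "__main__":
    # State recorded in the post at the start of the MagicUtils2005 pass.
    print(mix_pass(0x180FC3D5, 29, b"MagicUtils2005")[2])
```

The seed and counter are passed in and returned explicitly instead of living in globals like [49CC10]/[49CC14]; that makes the dependency between the two passes visible: change one character of the username and the seed the MagicUtils2005 pass starts from changes, so every one of its 14 output characters changes too.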
004901AF |. E8 80FDFFFF CALL MouseSta.0048FF34 ; computes the important string, you must step into this one
004901B4 |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
004901B7 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004901BA |. BA 05000000 MOV EDX,5
004901BF |. E8 983CF7FF CALL MouseSta.00403E5C ; concatenates the five strings pushed above (EDX = 5), key routine 2
004901C4 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004901C7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004901CA |. E8 31000000 CALL MouseSta.00490200 ; registration-code routine, step into it
004901CF |. 33C0 XOR EAX,EAX
004901D1 |. 5A POP EDX
004901D2 |. 59 POP ECX
004901D3 |. 59 POP ECX
004901D4 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004901D7 |. 68 F9014900 PUSH MouseSta.004901F9
004901DC |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901DF |. BA 05000000 MOV EDX,5
004901E4 |. E8 5739F7FF CALL MouseSta.00403B40
004901E9 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
004901EC |. E8 2B39F7FF CALL MouseSta.00403B1C
004901F1 \. C3 RETN
The call at 004901BF |. E8 983CF7FF CALL MouseSta.00403E5C concatenates the strings seen above. After the two passes, the concatenated string for my username is:
QIANJIANGYUEDELPHI2005MagicUtils2005zhiyuan3.55>n3.-.T+~dv|$, which is 61 characters in total (22 + 14 + 7 + 4 + 14: the upper-case username + DELPHI2005, MagicUtils2005, zhiyuan, 3.55, and the 14 characters produced by the MagicUtils2005 pass).
Now step into the real registration-code routine:
004901CA |. E8 31000000 CALL MouseSta.00490200 ; registration-code routine, step into it
00490200 /$ 55 PUSH EBP
00490201 |. 8BEC MOV EBP,ESP
00490203 |. 83C4 F4 ADD ESP,-0C
00490206 |. 53 PUSH EBX
00490207 |. 56 PUSH ESI
00490208 |. 33C9 XOR ECX,ECX
0049020A |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049020D |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490210 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490213 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490216 |. E8 353DF7FF CALL MouseSta.00403F50
0049021B |. 33C0 XOR EAX,EAX
0049021D |. 55 PUSH EBP
0049021E |. 68 9F024900 PUSH MouseSta.0049029F
00490223 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00490226 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00490229 |. 33DB XOR EBX,EBX
0049022B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049022E |. E8 693BF7FF CALL MouseSta.00403D9C
00490233 |. 85C0 TEST EAX,EAX
00490235 |. 7E 2C JLE SHORT MouseSta.00490263
00490237 |. BE 01000000 MOV ESI,1
0049023C |> 8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4] ; EDX = the concatenated 61-character string
0049023F |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1] ; DL = next character
00490243 |. 32D3 |XOR DL,BL ; XOR with the low byte of the running value in EBX
00490245 |. 81E2 FF000000 |AND EDX,0FF
0049024B |. 8B1495 74B649>|MOV EDX,DWORD PTR DS:[EDX*4+49B674] ; index a table of 256 dwords at 49B674
00490252 |. C1EB 08 |SHR EBX,8
00490255 |. 81E3 FFFFFF00 |AND EBX,0FFFFFF
0049025B |. 33D3 |XOR EDX,EBX ; table entry XOR (running value SHR 8)
0049025D |. 8BDA |MOV EBX,EDX ; new running value
0049025F |. 46 |INC ESI ; next character
00490260 |. 48 |DEC EAX ; characters remaining
00490261 |.^ 75 D9 \JNZ SHORT MouseSta.0049023C ; loop; the value left in EBX (the EDX of the last iteration) feeds the registration code
00490263 |> 8BC3 MOV EAX,EBX
00490265 |. 33D2 XOR EDX,EDX
The running value this loop leaves in EBX (read from EDX above; both hold the same value after the last iteration) is the key value the registration code is built from. The shape of the loop, a one-byte table index formed from the running value XOR the input byte, and the table entry XORed with the running value shifted right by 8, is the table-driven CRC-32 update, with the running value starting at 0 and no final inversion; the table at 49B674 itself is not shown here.
00490267 |. 52 PUSH EDX ; /Arg2 => 00000000
00490268 |. 50 PUSH EAX ; |Arg1
00490269 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; |
0049026C |. B8 08000000 MOV EAX,8 ; | 8 digits
00490271 |. E8 C67EF7FF CALL MouseSta.0040813C ; \formats the 32-bit value as 8 hex digits (C8C8414E for qianjiangyue)
00490276 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490279 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049027C |. E8 037CF7FF CALL MouseSta.00407E84 ; the final registration code is produced here
Step into it:
00407E84 /$ 53 PUSH EBX
00407E85 |. 56 PUSH ESI
00407E86 |. 57 PUSH EDI
00407E87 |. 8BFA MOV EDI,EDX
00407E89 |. 8BF0 MOV ESI,EAX
00407E8B |. 8BC6 MOV EAX,ESI
00407E8D |. E8 0ABFFFFF CALL MouseSta.00403D9C
00407E92 |. 8BD8 MOV EBX,EAX
00407E94 |. 8BC7 MOV EAX,EDI
00407E96 |. 8BD3 MOV EDX,EBX
00407E98 |. E8 33C2FFFF CALL MouseSta.004040D0
00407E9D |. 8BD6 MOV EDX,ESI
00407E9F |. 8B37 MOV ESI,DWORD PTR DS:[EDI]
00407EA1 |. 85DB TEST EBX,EBX
00407EA3 |. 74 15 JE SHORT MouseSta.00407EBA
00407EA5 |> 8A02 /MOV AL,BYTE PTR DS:[EDX] ; take the hex string computed above one character at a time
00407EA7 |. 3C 41 |CMP AL,41 ; compare with 'A' (0x41)
00407EA9 |. 72 06 |JB SHORT MouseSta.00407EB1 ; below 'A': leave it alone
00407EAB |. 3C 5A |CMP AL,5A ; compare with 'Z' (0x5A)
00407EAD |. 77 02 |JA SHORT MouseSta.00407EB1 ; above 'Z': leave it alone
00407EAF |. 04 20 |ADD AL,20 ; 'A'..'Z' + 0x20 = lower case
00407EB1 |> 8806 |MOV BYTE PTR DS:[ESI],AL ; store into the result string
00407EB3 |. 42 |INC EDX ; next source character
00407EB4 |. 46 |INC ESI ; next destination position
00407EB5 |. 4B |DEC EBX ; one fewer character left
00407EB6 |. 85DB |TEST EBX,EBX
00407EB8 |.^ 75 EB \JNZ SHORT MouseSta.00407EA5 ; loop
00407EBA |> 5F POP EDI
00407EBB |. 5E POP ESI
00407EBC |. 5B POP EBX
00407EBD \. C3 RETN
So this routine goes through the hex string computed above character by character and checks whether each one is an upper-case letter; upper-case letters are changed to lower case, anything else is left as it is.
Now let's go over the whole thing again:
Step 1: take the username converted to upper case, append DELPHI2005, and run the string loop over it, starting from the seed 0x2C19 and counter 7 left by the earlier calls over constant strings; this leaves a new seed (0x180FC3D5 for QIANJIANGYUE) and counter behind.
Step 2: run the same loop over the fixed string MagicUtils2005, starting from that seed, and collect the 14 characters it produces.
Step 3: concatenate [upper-case username + DELPHI2005 + MagicUtils2005 + zhiyuan + 3.55 + the string from step 2]; the '>' that looks like part of "3.55>" is the first character of the step-2 string.
Step 4: run the long string from step 3 through the table loop at 00490200; the 32-bit result (left in EBX) is formatted as 8 hex digits.
Step 5: go through that hex string character by character and turn upper-case letters into lower case, leaving everything else alone.
For my username qianjiangyue the step-4 value is C8C8414E, so my registration code is c8c8414e.
Since this is my first real algorithm analysis, some parts may not be explained very clearly, so please bear with me, but I've commented most of it. Friends at the same level as me: with enough hands-on practice you will definitely improve. Patching this program, or sniffing the real code out of memory, is actually easy; it's the analysis that is a bit of a pain for newbies like me. Download a copy and try it yourself.