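[Platform]: XP SP3
[Tools used]: OllyDbg (OD)
Analysis:
1. PEiD packer check: Microsoft Visual C++ 6.0
2. Searching the strings in OD shows that the program is not actually VC but Easy Language (易语言).
3. Search for the Easy Language signature bytes FF 55 FC 5F 5E and set a breakpoint with F2.
4. Press F9 to run, enter an arbitrary username and password, and click Register; the breakpoint is hit:
5. Step with F8: the comparison turns out to be done in plaintext, and the username and password comparisons are performed multiple times.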
004010A1 /. 55 push ebp ; Register button event handler
004010A2 |. 8BEC mov ebp,esp
004010A4 |. 81EC 1C000000 sub esp,1C
004010AA |. 68 010100A0 push A0000101
004010AF |. 6A 00 push 0
004010B1 |. 68 50AB4600 push 2013CM_?0046AB50
004010B6 |. 68 01000000 push 1
004010BB |. BB 501B4000 mov ebx,2013CM_?00401B50
004010C0 |. E8 15090000 call 2013CM_?004019DA
004010C5 |. 83C4 10 add esp,10 ; the real registration code appears: str1 = 'asduiashdihasdjkanksd'
004010C8 |. 8945 FC mov [local.1],eax
004010CB |. 6A FF push -1
004010CD |. 6A 08 push 8
004010CF |. 68 04000116 push 16010004
004010D4 |. 68 01000152 push 52010001
004010D9 |. E8 02090000 call 2013CM_?004019E0 ; get the password
004010DE |. 83C4 10 add esp,10
004010E1 |. 8945 F8 mov [local.2],eax
004010E4 |. 8B45 FC mov eax,[local.1]
004010E7 |. 50 push eax
004010E8 |. FF75 F8 push [local.2]
004010EB |. E8 14FFFFFF call 2013CM_?00401004 ; compare the password with str1
004010F0 |. 83C4 08 add esp,8
004010F3 |. 83F8 00 cmp eax,0
004010F6 |. B8 00000000 mov eax,0
004010FB |. 0F94C0 sete al
004010FE |. 8945 F4 mov [local.3],eax
00401101 |. 8B5D F8 mov ebx,[local.2]
00401104 |. 85DB test ebx,ebx
00401106 |. 74 09 je short 2013CM_?00401111
00401108 |. 53 push ebx
00401109 |. E8 C0080000 call 2013CM_?004019CE
0040110E |. 83C4 04 add esp,4
00401111 |> 8B5D FC mov ebx,[local.1]
00401114 |. 85DB test ebx,ebx
00401116 |. 74 09 je short 2013CM_?00401121
00401118 |. 53 push ebx
00401119 |. E8 B0080000 call 2013CM_?004019CE
0040111E |. 83C4 04 add esp,4
00401121 |> 837D F4 00 cmp [local.3],0
00401125 |. 0F84 88000000 je 2013CM_?004011B3 ; must not jump!!!
0040112B |. 68 010100A0 push A0000101
00401130 |. 6A 00 push 0
00401132 |. 68 6DAB4600 push 2013CM_?0046AB6D
00401137 |. 68 01000000 push 1
0040113C |. BB 501B4000 mov ebx,2013CM_?00401B50
00401141 |. E8 94080000 call 2013CM_?004019DA
00401146 |. 83C4 10 add esp,10 ; the real username appears: str2 = 'sadsadasdsafaffdsfadasd'
00401149 |. 8945 F0 mov [local.4],eax
0040114C |. 6A FF push -1
0040114E |. 6A 08 push 8
00401150 |. 68 05000116 push 16010005
00401155 |. 68 01000152 push 52010001
0040115A |. E8 81080000 call 2013CM_?004019E0 ; get the username
0040115F |. 83C4 10 add esp,10
00401162 |. 8945 EC mov [local.5],eax
00401165 |. 8B45 F0 mov eax,[local.4]
00401168 |. 50 push eax
00401169 |. FF75 EC push [local.5]
0040116C |. E8 93FEFFFF call 2013CM_?00401004 ; compare the username with str2
00401171 |. 83C4 08 add esp,8
00401174 |. 83F8 00 cmp eax,0
00401177 |. B8 00000000 mov eax,0
0040117C |. 0F94C0 sete al
0040117F |. 8945 E8 mov [local.6],eax
00401182 |. 8B5D EC mov ebx,[local.5]
00401185 |. 85DB test ebx,ebx
00401187 |. 74 09 je short 2013CM_?00401192
00401189 |. 53 push ebx
0040118A |. E8 3F080000 call 2013CM_?004019CE
0040118F |. 83C4 04 add esp,4
00401192 |> 8B5D F0 mov ebx,[local.4]
00401195 |. 85DB test ebx,ebx
00401197 |. 74 09 je short 2013CM_?004011A2
00401199 |. 53 push ebx
0040119A |. E8 2F080000 call 2013CM_?004019CE
0040119F |. 83C4 04 add esp,4
004011A2 |> 837D E8 00 cmp [local.6],0
004011A6 |. 0F84 07000000 je 2013CM_?004011B3
004011AC |. B8 01000000 mov eax,1
004011B1 |. EB 02 jmp short 2013CM_?004011B5
004011B3 |> 33C0 xor eax,eax
004011B5 |> 85C0 test eax,eax
004011B7 |. 0F84 82050000 je 2013CM_?0040173F ; must not jump!!!
004011BD |. 68 010100A0 push A0000101
004011C2 |. 6A 00 push 0
004011C4 |. 68 50AB4600 push 2013CM_?0046AB50
004011C9 |. 68 01000000 push 1
004011CE |. BB 501B4000 mov ebx,2013CM_?00401B50
004011D3 |. E8 02080000 call 2013CM_?004019DA
Username: asduiashdihasdjkanksd
Password: sadsadasdsafaffdsfadasd
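
The check logic in the listing above, rewritten as an added example (not code from the original post or from the analysed program), next to a variant that keeps only salted digests instead of plaintext constants. The input fields are keyed by the control IDs pushed before each call to 004019E0; the function names, SALT, ROUNDS and EXPECTED are assumptions made for this illustration.

```python
import hashlib
import hmac

# Control IDs and string constants exactly as they appear in the listing.
CTRL_A, CTRL_B = 0x16010004, 0x16010005   # pushed before each call 004019E0
STR1 = "asduiashdihasdjkanksd"            # loaded at 004010B1..004010C0
STR2 = "sadsadasdsafaffdsfadasd"          # loaded at 00401132..00401141


def check_plaintext(fields):
    """Control flow of 004010A1..004011B5: two plaintext compares, ANDed."""
    ok1 = fields.get(CTRL_A, "") == STR1   # call 00401004; sete al -> [local.3]
    if not ok1:                            # je 004011B3: second compare skipped
        return False
    return fields.get(CTRL_B, "") == STR2  # call 00401004; sete al -> [local.6]


# --- Hardened variant (assumption: not what the analysed program does) ---
SALT = b"constructed-demo-salt"            # constructed value for this example
ROUNDS = 50_000


def digest(value):
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), SALT, ROUNDS)


# A real build would embed only these digests, precomputed offline. They are
# derived inline here so the example is self-contained.
EXPECTED = {CTRL_A: digest(STR1), CTRL_B: digest(STR2)}


def check_hardened(fields):
    """Compare salted digests in constant time; always evaluate both fields."""
    ok = True
    for ctrl, want in EXPECTED.items():
        got = digest(fields.get(ctrl, ""))
        ok &= hmac.compare_digest(got, want)
    return ok


if __name__ == "__main__":
    good = {CTRL_A: STR1, CTRL_B: STR2}
    bad = {CTRL_A: "guess", CTRL_B: STR2}
    print(check_plaintext(good), check_plaintext(bad))
    print(check_hardened(good), check_hardened(bad))
```

With the digest form, the expected strings are no longer present as readable constants for the comparison routine to load.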