好友
阅读权限10
听众
最后登录1970-1-1
|
朋友还在使用塞班诺基亚,叫我分析一下注册机算法,给了我一个注册机,他说360老是报毒,我在虚拟机下分析。
有提示:You must enter 15 digits of IMEI!堆栈法和字符串法都可以。
向下看分析。
[Asm] 纯文本查看 复制代码 0040140F 68 05400080 push 0x80004005
00401414 E8 57050000 call xpp.00401970
00401419 8B10 mov edx,dword ptr ds:[eax]
0040141B 8BC8 mov ecx,eax
0040141D 8B42 0C mov eax,dword ptr ds:[edx+0xC]
00401420 FFD0 call eax
00401422 83C0 10 add eax,0x10
00401425 894424 14 mov dword ptr ss:[esp+0x14],eax
00401429 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0040142D 51 push ecx
0040142E 8D4E 78 lea ecx,dword ptr ds:[esi+0x78]
00401431 897C24 30 mov dword ptr ss:[esp+0x30],edi
00401435 E8 3C700000 call xpp.00408476
0040143A 8B5424 14 mov edx,dword ptr ss:[esp+0x14]
0040143E 8B42 F4 mov eax,dword ptr ds:[edx-0xC]
00401441 83F8 0F cmp eax,0xF
00401444 74 13 je short xpp.00401459
00401446 57 push edi
00401447 57 push edi
00401448 68 486D4200 push xpp.00426D48 ; UNICODE "You must enter 15 digits of IMEI!"
0040144D 8BCE mov ecx,esi
0040144F E8 C74E0000 call xpp.0040631B
00401454 E9 0D010000 jmp xpp.00401566
00401444处判断是15位,算法肯定在jmp下面。
[Asm] 纯文本查看 复制代码 00401454 /E9 0D010000 jmp xpp.00401566
00401459 |6A 05 push 0x5
0040145B |8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0040145F |51 push ecx
00401460 |8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
00401464 |E8 D7010000 call xpp.00401640
00401469 |6A 05 push 0x5
0040146B |8D5424 20 lea edx,dword ptr ss:[esp+0x20]
0040146F |52 push edx
00401470 |8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
00401474 |C64424 34 01 mov byte ptr ss:[esp+0x34],0x1
00401479 |E8 42010000 call xpp.004015C0
0040147E |C64424 2C 02 mov byte ptr ss:[esp+0x2C],0x2
00401483 |8B00 mov eax,dword ptr ds:[eax]
00401485 |8B48 F4 mov ecx,dword ptr ds:[eax-0xC]
00401488 |51 push ecx
00401489 |50 push eax
0040148A |8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
0040148E |E8 FD020000 call xpp.00401790
00401493 |C64424 2C 01 mov byte ptr ss:[esp+0x2C],0x1
00401498 |8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
0040149C |83C0 F0 add eax,-0x10
0040149F |8D48 0C lea ecx,dword ptr ds:[eax+0xC]
004014A2 |83CA FF or edx,0xFFFFFFFF
004014A5 |F0:0FC111 lock xadd dword ptr ds:[ecx],edx
004014A9 |4A dec edx
004014AA |85D2 test edx,edx
004014AC |7F 0A jg short xpp.004014B8
004014AE |8B08 mov ecx,dword ptr ds:[eax]
004014B0 |8B11 mov edx,dword ptr ds:[ecx]
004014B2 |50 push eax
004014B3 |8B42 04 mov eax,dword ptr ds:[edx+0x4]
004014B6 |FFD0 call eax
004014B8 |8B5C24 18 mov ebx,dword ptr ss:[esp+0x18]
004014BC |33F6 xor esi,esi
004014BE |85F6 test esi,esi
004014C0 |0F8C DC000000 jl xpp.004015A2
004014C6 |3B73 F4 cmp esi,dword ptr ds:[ebx-0xC]
004014C9 |0F8F D3000000 jg xpp.004015A2
004014CF |0FB70473 movzx eax,word ptr ds:[ebx+esi*2]
004014D3 |0FBEC8 movsx ecx,al
004014D6 |8BD6 mov edx,esi
004014D8 |81F2 DE020000 xor edx,0x2DE
004014DE |2BD1 sub edx,ecx
004014E0 |03D7 add edx,edi
004014E2 |8DAF C1000000 lea ebp,dword ptr ds:[edi+0xC1]
004014E8 |8D81 A7010000 lea eax,dword ptr ds:[ecx+0x1A7]
004014EE |0FAFEA imul ebp,edx
004014F1 |0FAFCF imul ecx,edi
004014F4 |0FAFC7 imul eax,edi
004014F7 |81F5 E60E0000 xor ebp,0xEE6
004014FD |BA D01D0000 mov edx,0x1DD0
00401502 |2BD1 sub edx,ecx
00401504 |2BC5 sub eax,ebp
00401506 |8BCE mov ecx,esi
00401508 |03C2 add eax,edx
0040150A |83F1 0F xor ecx,0xF
0040150D |83C6 01 add esi,0x1
00401510 |83FE 0A cmp esi,0xA
00401513 |8D3C01 lea edi,dword ptr ds:[ecx+eax]
00401516 ^|7C A6 jl short xpp.004014BE
00401518 |81E7 FFFF0000 and edi,0xFFFF
0040151E |57 push edi
0040151F |8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
00401523 |68 F06E4200 push xpp.00426EF0 ; UNICODE "%d"
00401528 |50 push eax
00401529 |E8 32060000 call xpp.00401B60
0040152E |8B7424 24 mov esi,dword ptr ss:[esp+0x24]
00401532 |8B4C24 2C mov ecx,dword ptr ss:[esp+0x2C]
00401536 |83C4 0C add esp,0xC
00401539 |56 push esi
0040153A |81C1 CC000000 add ecx,0xCC
00401540 |E8 CB980000 call xpp.0040AE10
00401545 |8D46 F0 lea eax,dword ptr ds:[esi-0x10]
00401548 |C64424 2C 00 mov byte ptr ss:[esp+0x2C],0x0
0040154D |8D48 0C lea ecx,dword ptr ds:[eax+0xC]
00401550 |83CA FF or edx,0xFFFFFFFF
00401553 |F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00401557 |4A dec edx
00401558 |85D2 test edx,edx
0040155A |7F 0A jg short xpp.00401566
0040155C |8B08 mov ecx,dword ptr ds:[eax]
0040155E |8B11 mov edx,dword ptr ds:[ecx]
00401560 |50 push eax
00401561 |8B42 04 mov eax,dword ptr ds:[edx+0x4]
00401564 |FFD0 call eax
00401566 \C74424 2C FFFFF>mov dword ptr ss:[esp+0x2C],-0x1
分析上面代码可得核心算法
在004014C0和00401516之间
这是一段arm汇编代码对比看一下:
[Asm] 纯文本查看 复制代码 .text:00008D84 loc_8D84 ; CODE XREF: sub_8CE0+68�j
.text:00008D84 LDR R0, =dword_CC00
.text:00008D88 BL sub_923C
.text:00008D8C MOV R3, R0
.text:00008D90 SUB R0, R11, #-var_224
.text:00008D94 MOV R1, R3
.text:00008D98 BL sub_9260
.text:00008D9C SUB R3, R11, #-var_224
.text:00008DA0 LDR R0, [R11,#var_18]
.text:00008DA4 MOV R1, R3
.text:00008DA8 BL sub_86C8
.text:00008DAC SUB R0, R11, #-var_244
.text:00008DB0 BL sub_9298
.text:00008DB4 SUB R3, R11, #-var_224
.text:00008DB8 SUB R0, R11, #-var_24C
.text:00008DBC MOV R1, R3
.text:00008DC0 MOV R2, #5
.text:00008DC4 BL _ZNK7TDesC164LeftEi ; TDesC16::Left(int)
.text:00008DC8 SUB R3, R11, #-var_24C
.text:00008DCC SUB R0, R11, #-var_244
.text:00008DD0 MOV R1, R3
.text:00008DD4 BL _ZN6TDes166AppendERK7TDesC16 ; TDes16::Append(TDesC16 const&)
.text:00008DD8 SUB R3, R11, #-var_224
.text:00008DDC SUB R0, R11, #-var_24C
.text:00008DE0 MOV R1, R3
.text:00008DE4 MOV R2, #5
.text:00008DE8 BL _ZNK7TDesC165RightEi ; TDesC16::Right(int)
.text:00008DEC SUB R3, R11, #-var_24C
.text:00008DF0 SUB R0, R11, #-var_244
.text:00008DF4 MOV R1, R3
.text:00008DF8 BL _ZN6TDes166AppendERK7TDesC16 ; TDes16::Append(TDesC16 const&)
.text:00008DFC MOV R3, #0
.text:00008E00 STR R3, [R11,#var_258]
.text:00008E04 MOV R3, #0
.text:00008E08 STR R3, [R11,#var_264]
.text:00008E0C
.text:00008E0C loc_8E0C ; CODE XREF: sub_8CE0+238�j
.text:00008E0C LDR R3, [R11,#var_264]
.text:00008E10 CMP R3, #9
.text:00008E14 BGT loc_8F1C
.text:00008E18 SUB R0, R11, #-var_244
.text:00008E1C LDR R1, [R11,#var_264]
.text:00008E20 BL sub_91B4
.text:00008E24 LDRH R3, [R0]
.text:00008E28 STRB R3, [R11,#var_24D]
.text:00008E2C LDRB R3, [R11,#var_24D]
.text:00008E30 ADD R3, R3, #0x1A4
.text:00008E34 ADD R3, R3, #3
.text:00008E38 STR R3, [R11,#var_254]
.text:00008E3C LDR R2, [R11,#var_254]
.text:00008E40 LDR R3, [R11,#var_258]
.text:00008E44 MUL R3, R2, R3
.text:00008E48 STR R3, [R11,#var_254]
.text:00008E4C LDR R2, [R11,#var_264]
.text:00008E50 MOV R3, #0x2DE
.text:00008E58 EOR R3, R2, R3
.text:00008E5C STR R3, [R11,#var_25C]
.text:00008E60 LDRB R2, [R11,#var_24D]
.text:00008E64 LDR R3, [R11,#var_258]
.text:00008E68 RSB R3, R2, R3
.text:00008E6C STR R3, [R11,#var_260]
.text:00008E70 LDR R2, [R11,#var_25C]
.text:00008E74 LDR R3, [R11,#var_260]
.text:00008E78 ADD R3, R2, R3
.text:00008E7C STR R3, [R11,#var_25C]
.text:00008E80 LDR R3, [R11,#var_258]
.text:00008E84 ADD R3, R3, #0xC1
.text:00008E88 STR R3, [R11,#var_260]
.text:00008E8C LDR R2, [R11,#var_25C]
.text:00008E90 LDR R3, [R11,#var_260]
.text:00008E94 MUL R3, R2, R3
.text:00008E98 STR R3, [R11,#var_25C]
.text:00008E9C LDR R2, [R11,#var_25C]
.text:00008EA0 MOV R3, #0xEE6
.text:00008EA8 EOR R3, R2, R3
.text:00008EAC STR R3, [R11,#var_25C]
.text:00008EB0 LDR R2, [R11,#var_254]
.text:00008EB4 LDR R3, [R11,#var_25C]
.text:00008EB8 RSB R3, R3, R2
.text:00008EBC STR R3, [R11,#var_254]
.text:00008EC0 LDRB R2, [R11,#var_24D]
.text:00008EC4 LDR R3, [R11,#var_258]
.text:00008EC8 MUL R3, R2, R3
.text:00008ECC STR R3, [R11,#var_25C]
.text:00008ED0 LDR R2, [R11,#var_254]
.text:00008ED4 LDR R3, [R11,#var_25C]
.text:00008ED8 RSB R3, R3, R2
.text:00008EDC STR R3, [R11,#var_254]
.text:00008EE0 LDR R3, [R11,#var_254]
.text:00008EE4 ADD R3, R3, #0x1DC0
.text:00008EE8 ADD R3, R3, #0x10
.text:00008EEC STR R3, [R11,#var_254]
.text:00008EF0 LDR R3, [R11,#var_264]
.text:00008EF4 EOR R3, R3, #0xF
.text:00008EF8 STR R3, [R11,#var_25C]
.text:00008EFC LDR R2, [R11,#var_254]
.text:00008F00 LDR R3, [R11,#var_25C]
.text:00008F04 ADD R3, R2, R3
.text:00008F08 STR R3, [R11,#var_258]
.text:00008F0C LDR R3, [R11,#var_264]
.text:00008F10 ADD R3, R3, #1
.text:00008F14 STR R3, [R11,#var_264]
.text:00008F18 B loc_8E0C
看看arm code16和pc汇编的区别,就多出“与0xffff”;
这一段是格式化输出:
[Asm] 纯文本查看 复制代码 00401523 68 F06E4200 push xpp.00426EF0 ; UNICODE "%d"
00401528 50 push eax
00401529 E8 32060000 call xpp.00401B60
python伪汇编代码:
[Python] 纯文本查看 复制代码 imei="353766045767034"
ime=imei[:5]+imei[-5:]
esi=0
edi=0
while esi<10:
df=ord(ime[esi])
eax=df
#if df&0x80:
#eax=df|0xff00
ecx=df
edx=esi
edx=edx^0x2de
edx=edx-ecx
edx=edx+edi
ebp=edi+0xc1
eax=ecx+0x1a7
ebp=ebp*edx
ecx=ecx*edi
eax=eax*edi
ebp=ebp^0xee6
edx=0x1dd0
edx=edx-ecx
eax=eax-ebp
ecx=esi
eax=eax+edx
ecx=ecx^0xf
esi=esi+0x1
edi=ecx+eax
edi=edi&0xffff
print "%d"%edi
整理之后的代码:
[Python] 纯文本查看 复制代码 imei="351667056071799"
ime=imei[:5]+imei[-5:]
jieguo = 0
jis=0
i=0
while i<10:
df=ord(ime[i])
jis=df
jieguo = (jis + 423) * jieguo - (((i ^ 0x2DE) + jieguo - jis) * (jieguo + 193) ^ 0xEE6) - jis * jieguo + 7632 + (i ^ 0xF)
i+=1
jieguo=jieguo&0xffff
print "%d"%jieguo
朋友要在pc上运行故写此代码
vc6.0
xplore.zip
(28.84 KB, 下载次数: 6)
编译版:
xplore1.zip
(6.24 KB, 下载次数: 2)
这算法分析已完成。
|
免费评分
-
查看全部评分
|
[复制链接]
