作者主页】: http://hi.baidu.com/beyond0769
【软件名称】: 1 Privacy Eraser 2.5
【下载地址】: http://www.onlinedown.net/soft/51674.htm
参考文章作者:BeyondMe
原文地址:http://blog.sina.com.cn/s/blog_88d6921f0102vrea.html
这篇算法分析是参考了一下别人的分析文章,但是,你所看到的分析大多数是我自己分析出来的,我想我的分析比原作者还详细,但我还是感谢原作者。
今天我们要研究的算法软件是Borland Delphi 6.0 - 7.0 写的,不用我多说了可以下按钮事件,或者直接搜索字符串都可以定位到关键地方。
004FAA48 /. 55 push ebp ; 按钮事件
004FAA49 |. 8BEC mov ebp,esp
004FAA4B |. 6A 00 push 0x0
004FAA4D |. 6A 00 push 0x0
004FAA4F |. 6A 00 push 0x0
004FAA51 |. 53 push ebx
004FAA52 |. 8BD8 mov ebx,eax
004FAA54 |. 33C0 xor eax,eax
004FAA56 |. 55 push ebp
004FAA57 |. 68 0DAB4F00 push PrivacyE.004FAB0D
004FAA5C |. 64:FF30 push dword ptr fs:[eax]
004FAA5F |. 64:8920 mov dword ptr fs:[eax],esp
004FAA62 |. 8D55 FC lea edx,[local.1]
004FAA65 |. 8B83 74040000 mov eax,dword ptr ds:[ebx+0x474] ; PrivacyE.0047D9F0
004FAA6B |. E8 BCB3F6FF call PrivacyE.00465E2C
004FAA70 |. 8B45 FC mov eax,[local.1] ; 假码长度
004FAA73 |. 50 push eax
004FAA74 |. 6A 00 push 0x0
004FAA76 |. 8D55 F8 lea edx,[local.2]
004FAA79 |. 8B83 70040000 mov eax,dword ptr ds:[ebx+0x470] ; 假码
004FAA7F |. E8 A8B3F6FF call PrivacyE.00465E2C ; 获取机器码长度
004FAA84 |. 8B55 F8 mov edx,[local.2] ; 机器码 2152332188
004FAA87 |. 33C9 xor ecx,ecx
004FAA89 |. 8B83 DC030000 mov eax,dword ptr ds:[ebx+0x3DC]
004FAA8F |. E8 E05DFFFF call PrivacyE.004F0874 ; 关键call
004FAA94 |. 3C 01 cmp al,0x1
004FAA96 |. 75 48 jnz short PrivacyE.004FAAE0
004FAA98 |. B8 24AB4F00 mov eax,PrivacyE.004FAB24 ; Successfully Registered. Please restart the application in order to changes to take effect.
004FAA9D |. E8 D696F3FF call PrivacyE.00434178
004FAAA2 |. 6A 01 push 0x1
004FAAA4 |. 6A 00 push 0x0
004FAAA6 |. 6A 00 push 0x0
004FAAA8 |. 8D55 F4 lea edx,[local.3]
004FAAAB |. A1 98245000 mov eax,dword ptr ds:[0x502498]
004FAAB0 |. 8B00 mov eax,dword ptr ds:[eax] ; PrivacyE.004F800C
004FAAB2 |. E8 61CFF8FF call PrivacyE.00487A18
004FAAB7 |. 8B45 F4 mov eax,[local.3]
004FAABA |. E8 65A1F0FF call PrivacyE.00404C24
004FAABF |. 50 push eax
004FAAC0 |. 68 80AB4F00 push PrivacyE.004FAB80 ; open
004FAAC5 |. 8BC3 mov eax,ebx
004FAAC7 |. E8 5C1CF7FF call PrivacyE.0046C728
004FAACC |. 50 push eax ; |hWnd = 014D3A14
004FAACD |. E8 2A72F3FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
004FAAD2 |. A1 98245000 mov eax,dword ptr ds:[0x502498]
004FAAD7 |. 8B00 mov eax,dword ptr ds:[eax] ; PrivacyE.004F800C
004FAAD9 |. E8 66C9F8FF call PrivacyE.00487444
004FAADE |. EB 0A jmp short PrivacyE.004FAAEA
004FAAE0 |> B8 90AB4F00 mov eax,PrivacyE.004FAB90 ; Incorrect Registration Code!
004FAAE5 |. E8 8E96F3FF call PrivacyE.00434178
004FAAEA |> 33C0 xor eax,eax
004FAAEC |. 5A pop edx ; PrivacyE.004673D2
004FAAED |. 59 pop ecx ; PrivacyE.004673D2
004FAAEE |. 59 pop ecx ; PrivacyE.004673D2
004FAAEF |. 64:8910 mov dword ptr fs:[eax],edx
004FAAF2 |. 68 14AB4F00 push PrivacyE.004FAB14
004FAAF7 |> 8D45 F4 lea eax,[local.3]
004FAAFA |. E8 659CF0FF call PrivacyE.00404764
004FAAFF |. 8D45 F8 lea eax,[local.2]
004FAB02 |. BA 02000000 mov edx,0x2
004FAB07 |. E8 7C9CF0FF call PrivacyE.00404788
004FAB0C \. C3 retn
进入004FAA8F |. E8 E05DFFFF call PrivacyE.004F0874 ; 关键call
004F0874 $ 55 push ebp 关键call
004F0875 . 8BEC mov ebp,esp
004F0877 . 83C4 BC add esp,-0x44
004F087A . 53 push ebx
004F087B . 56 push esi ; PrivacyE.0045CF44
004F087C . 57 push edi
004F087D . 33DB xor ebx,ebx
004F087F . 895D BC mov dword ptr ss:[ebp-0x44],ebx 数据清0
004F0882 . 895D C0 mov dword ptr ss:[ebp-0x40],ebx
004F0885 . 895D C4 mov dword ptr ss:[ebp-0x3C],ebx
004F0888 . 895D C8 mov dword ptr ss:[ebp-0x38],ebx
004F088B . 895D DC mov dword ptr ss:[ebp-0x24],ebx
004F088E . 895D F0 mov dword ptr ss:[ebp-0x10],ebx
004F0891 . 895D EC mov dword ptr ss:[ebp-0x14],ebx
004F0894 . 895D E8 mov dword ptr ss:[ebp-0x18],ebx
004F0897 . 894D F8 mov dword ptr ss:[ebp-0x8],ecx
004F089A . 8955 FC mov dword ptr ss:[ebp-0x4],edx ; 2152332188
004F089D . 8BD8 mov ebx,eax
004F089F . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004F08A2 . E8 6D43F1FF call PrivacyE.00404C14
004F08A7 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; 2152332188
004F08AA . E8 6543F1FF call PrivacyE.00404C14
004F08AF . 8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; 假码
004F08B2 . E8 5D43F1FF call PrivacyE.00404C14
004F08B7 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; 00000
004F08BA . E8 5543F1FF call PrivacyE.00404C14
004F08BF . 33C0 xor eax,eax
004F08C1 . 55 push ebp
004F08C2 . 68 AC0B4F00 push PrivacyE.004F0BAC
004F08C7 . 64:FF30 push dword ptr fs:[eax]
004F08CA . 64:8920 mov dword ptr fs:[eax],esp
004F08CD > E8 5668F1FF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
004F08D2 . 8BF0 mov esi,eax
004F08D4 . 68 D0070000 push 0x7D0 ; /Timeout = 2000. ms
004F08D9 . E8 A6E4F1FF call <jmp.&kernel32.Sleep> ; \延迟
004F08DE . 8B43 54 mov eax,dword ptr ds:[ebx+0x54]
004F08E1 . 8078 04 00 cmp byte ptr ds:[eax+0x4],0x0
004F08E5 . 74 0A je short PrivacyE.004F08F1
004F08E7 . 8D55 FC lea edx,dword ptr ss:[ebp-0x4]
004F08EA . 8BC3 mov eax,ebx
004F08EC . E8 A7F9FFFF call PrivacyE.004F0298
004F08F1 > E8 3268F1FF call <jmp.&kernel32.GetTickCount> ; [GetTickCount
004F08F6 . 81C6 CF070000 add esi,0x7CF
004F08FC . 3BC6 cmp eax,esi ; PrivacyE.0045CF44
004F08FE .^ 72 CD jb short PrivacyE.004F08CD
004F0900 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; 2152332188
004F0903 . E8 1C41F1FF call PrivacyE.00404A24 ; 获取机器码长度
004F0908 . 3B43 58 cmp eax,dword ptr ds:[ebx+0x58] ; 长度和32对比
004F090B . 7F 19 jg short PrivacyE.004F0926
004F090D . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; 2152332188
004F0910 . E8 0F41F1FF call PrivacyE.00404A24 ; 获取机器码长度
004F0915 . 3B43 5C cmp eax,dword ptr ds:[ebx+0x5C] ; 和5对比
004F0918 . 7C 0C jl short PrivacyE.004F0926
004F091A . 8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; 假码
004F091D . E8 0241F1FF call PrivacyE.00404A24 ; 假码长度
004F0922 . 85C0 test eax,eax
004F0924 . 75 09 jnz short PrivacyE.004F092F
004F0926 > C645 F7 00 mov byte ptr ss:[ebp-0x9],0x0
004F092A . E9 33020000 jmp PrivacyE.004F0B62
004F092F > 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
004F0932 . 8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; 假码
004F0935 . E8 6A85F1FF call PrivacyE.00408EA4
004F093A . 8B55 DC mov edx,dword ptr ss:[ebp-0x24] ; 假码
004F093D . 8D45 0C lea eax,dword ptr ss:[ebp+0xC]
004F0940 . E8 B73EF1FF call PrivacyE.004047FC
004F0945 . C645 F7 00 mov byte ptr ss:[ebp-0x9],0x0
004F0949 . B1 01 mov cl,0x1
004F094B . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; 假码
004F094E . 8BC3 mov eax,ebx
004F0950 . E8 03FBFFFF call PrivacyE.004F0458
004F0955 . 84C0 test al,al
004F0957 . 0F85 05020000 jnz PrivacyE.004F0B62
004F095D . 33C9 xor ecx,ecx
004F095F . 55 push ebp
004F0960 . 68 E80A4F00 push PrivacyE.004F0AE8
004F0965 . 64:FF31 push dword ptr fs:[ecx]
004F0968 . 64:8921 mov dword ptr fs:[ecx],esp
004F096B . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
004F096E . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; 假码
004F0971 . 8A52 01 mov dl,byte ptr ds:[edx+0x1] ; 假码的第二位
004F0974 . E8 D33FF1FF call PrivacyE.0040494C
004F0979 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004F097C . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; 假码
004F097F . 8A52 09 mov dl,byte ptr ds:[edx+0x9] ; 指向假码的第10位
004F0982 . 8850 01 mov byte ptr ds:[eax+0x1],dl
004F0985 . C600 01 mov byte ptr ds:[eax],0x1
004F0988 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
004F098B . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004F098E . E8 7927F1FF call PrivacyE.0040310C
004F0993 . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004F0996 . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; 假码
004F0999 . 8A52 07 mov dl,byte ptr ds:[edx+0x7] ; 指向假码的第8位
004F099C . 8850 01 mov byte ptr ds:[eax+0x1],dl
004F099F . C600 01 mov byte ptr ds:[eax],0x1
004F09A2 . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
004F09A5 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004F09A8 . B1 02 mov cl,0x2
004F09AA . E8 2D27F1FF call PrivacyE.004030DC
004F09AF . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C] ; 合并10位和8位字符串
004F09B2 . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004F09B5 . E8 0E40F1FF call PrivacyE.004049C8
004F09BA . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004F09BD . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; PrivacyE.0045CF65
004F09C0 . 8A52 03 mov dl,byte ptr ds:[edx+0x3] ; 指向假码的第4位
004F09C3 . 8850 01 mov byte ptr ds:[eax+0x1],dl
004F09C6 . C600 01 mov byte ptr ds:[eax],0x1
004F09C9 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
004F09CC . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004F09CF . E8 3827F1FF call PrivacyE.0040310C
004F09D4 . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004F09D7 . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; PrivacyE.0045CF65
004F09DA . 8A52 05 mov dl,byte ptr ds:[edx+0x5] ; 指向假码的第6位
004F09DD . 8850 01 mov byte ptr ds:[eax+0x1],dl
004F09E0 . C600 01 mov byte ptr ds:[eax],0x1
004F09E3 . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
004F09E6 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004F09E9 . B1 02 mov cl,0x2
004F09EB . E8 EC26F1FF call PrivacyE.004030DC ; 合并 4 6
004F09F0 . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
004F09F3 . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
004F09F6 . E8 1127F1FF call PrivacyE.0040310C
004F09FB . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
004F09FE . 8B55 0C mov edx,dword ptr ss:[ebp+0xC] ; PrivacyE.0045CF65
004F0A01 . 8A52 0B mov dl,byte ptr ds:[edx+0xB] ; 指向假码的第12位
004F0A04 . 8850 01 mov byte ptr ds:[eax+0x1],dl
004F0A07 . C600 01 mov byte ptr ds:[eax],0x1
004F0A0A . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
004F0A0D . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
004F0A10 . B1 03 mov cl,0x3
004F0A12 . E8 C526F1FF call PrivacyE.004030DC
004F0A17 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] ; 4 6 12位合并
004F0A1A . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
004F0A1D . E8 A63FF1FF call PrivacyE.004049C8 ; 03 34 36 43 01 43 46 00 02 34 36 00 01 34 00 00
004F0A22 . 8D45 C8 lea eax,dword ptr ss:[ebp-0x38] ; 上面所有合并的字符 全部有序写到内存
004F0A25 . 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10] ; 假码第二位
004F0A28 . BA C80B4F00 mov edx,PrivacyE.004F0BC8 ; $
004F0A2D . E8 3E40F1FF call PrivacyE.00404A70
004F0A32 . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] ; 假码第二位加上特定字符 $2 记为X1
004F0A35 . BA FFFF0000 mov edx,0xFFFF
004F0A3A . E8 358BF1FF call PrivacyE.00409574
004F0A3F . 8BF0 mov esi,eax ; 2 转换为16进制的02
004F0A41 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004F0A44 . 8B4D EC mov ecx,dword ptr ss:[ebp-0x14] ; A8
004F0A47 . BA C80B4F00 mov edx,PrivacyE.004F0BC8 ; $
004F0A4C . E8 1F40F1FF call PrivacyE.00404A70
004F0A51 . 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C] ; $A8 记为X2
004F0A54 . BA FFFF0000 mov edx,0xFFFF
004F0A59 . E8 168BF1FF call PrivacyE.00409574
004F0A5E . 8BF8 mov edi,eax ; A8 转换为16进制的00000A8
004F0A60 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
004F0A63 . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18] ; 46C
004F0A66 . BA C80B4F00 mov edx,PrivacyE.004F0BC8 ; $
004F0A6B . E8 0040F1FF call PrivacyE.00404A70
004F0A70 . 8B45 C0 mov eax,dword ptr ss:[ebp-0x40] ; $46C 记为X3
004F0A73 . BA FFFF0000 mov edx,0xFFFF
004F0A78 . E8 F78AF1FF call PrivacyE.00409574
004F0A7D . 8BD7 mov edx,edi ; 46C 转换16进制46c
004F0A7F . 0BD6 or edx,esi ; edx=A8 esi=2
004F0A81 . 0BD0 or edx,eax
004F0A83 . 81FA FFFF0000 cmp edx,0xFFFF
004F0A89 . 75 0F jnz short PrivacyE.004F0A9A 关键判断1 这一定要跳走
004F0A8B . 64:8F05 00000>pop dword ptr fs:[0] ; PrivacyE.004FAA94
004F0A92 . 83C4 08 add esp,0x8
004F0A95 . E9 C8000000 jmp PrivacyE.004F0B62
004F0A9A > \8BD6 mov edx,esi edx=2
004F0A9C . 66:83F2 07 xor dx,0x7 xor X1,0x7
004F0AA0 . 8BF7 mov esi,edi
004F0AA2 . 66:81F6 B700 xor si,0xB7
004F0AA7 . 66:35 B705 xor ax,0x5B7
004F0AAB . 8BCE mov ecx,esi
小结:
当假码[1](123456789ABCDEFG)时:
小结:
1. 取假码第2位转换成十六进制数值, 记为 X1. [这里是 2,]
2. 取假码第8和第10位转换成十六进制数值, 记为 X2. [这里是 A8,]
3. 取假码第4,第6和第12位转换成十六进制数值, 记为 X3. [这里是 $46C]
4. X1 or X2 or X3 不能等于 0xFFFF
5. DX = X1 xor 7 =5 [月份]=month
SI = X2 xor $B7 = 0x1F(31) [日期] =day
AX = X3 xor $5B7 = 0x1DB (475)[年份] =year
004F0AAD . E8 46AAF1FF call PrivacyE.0040B4F8 ; 关键算法:进行日期格式检测及日期计算,F7进入
0040B4F8 /$ 53 push ebx
0040B4F9 |. 56 push esi
0040B4FA |. 57 push edi
0040B4FB |. 83C4 F8 add esp,-0x8
0040B4FE |. 8BF9 mov edi,ecx
0040B500 |. 8BF2 mov esi,edx
0040B502 |. 8BD8 mov ebx,eax
0040B504 |. 54 push esp
0040B505 |. 8BCF mov ecx,edi
0040B507 |. 8BD6 mov edx,esi
0040B509 |. 8BC3 mov eax,ebx
0040B50B |. E8 18FFFFFF call PrivacyE.0040B428 关键call
0040B510 |. 84C0 test al,al
0040B512 |. 75 0A jnz short PrivacyE.0040B51E 这个一定要实现跳转
0040B514 |. A1 D4245000 mov eax,dword ptr ds:[0x5024D4] ; h6P
0040B519 |. E8 B6D8FFFF call PrivacyE.00408DD4 ; 抛出异常
0040B51E |> DD0424 fld qword ptr ss:[esp]
0040B521 |. 59 pop ecx ; PrivacyE.004F0AB2
0040B522 |. 5A pop edx ; PrivacyE.004F0AB2
0040B523 |. 5F pop edi ; PrivacyE.004F0AB2
0040B524 |. 5E pop esi ; PrivacyE.004F0AB2
0040B525 |. 5B pop ebx ; PrivacyE.004F0AB2
0040B526 \. C3 retn
F7进入 0040B50B |. E8 18FFFFFF call PrivacyE.0040B428 关键call
0040B428 /$ 55 push ebp
0040B429 |. 8BEC mov ebp,esp
0040B42B |. 83C4 F4 add esp,-0xC
0040B42E |. 53 push ebx
0040B42F |. 56 push esi
0040B430 |. 57 push edi
0040B431 |. 8BD9 mov ebx,ecx
0040B433 |. 8BFA mov edi,edx
0040B435 |. 8BF0 mov esi,eax
0040B437 |. C645 FF 00 mov byte ptr ss:[ebp-0x1],0x0
0040B43B |. 8BC6 mov eax,esi
0040B43D |. E8 AAFFFFFF call PrivacyE.0040B3EC
0040B442 |. 83E0 7F and eax,0x7F
0040B445 |. 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0040B448 |. 8D04C5 E00050>lea eax,dword ptr ds:[eax*8+0x5000E0] ; _x001D_
0040B44F |. 8945 F8 mov [local.2],eax
0040B452 |. 66:83FE 01 cmp si,0x1 对比year==1
0040B456 |. 0F82 8E000000 jb PrivacyE.0040B4EA 低于跳转
0040B45C |. 66:81FE 0F27 cmp si,0x270F ; 年份必须是1-9999
0040B461 |. 0F87 83000000 ja PrivacyE.0040B4EA 高于跳转
0040B467 |. 66:83FF 01 cmp di,0x1 month==1
0040B46B |. 72 7D jb short PrivacyE.0040B4EA
0040B46D |. 66:83FF 0C cmp di,0xC ; 月份1-12
0040B471 |. 77 77 ja short PrivacyE.0040B4EA
0040B473 |. 66:83FB 01 cmp bx,0x1 day==1
0040B477 |. 72 71 jb short PrivacyE.0040B4EA
0040B479 |. 0FB7C7 movzx eax,di
0040B47C |. 8B55 F8 mov edx,[local.2]
0040B47F |. 66:3B5C42 FE cmp bx,word ptr ds:[edx+eax*2-0x2] ; 日期1-31
0040B484 |. 77 64 ja short PrivacyE.0040B4EA
0040B486 |. 0FB7C7 movzx eax,di
0040B489 |. 48 dec eax
0040B48A |. 85C0 test eax,eax
0040B48C |. 7E 11 jle short PrivacyE.0040B49F
0040B48E |. B9 01000000 mov ecx,0x1
0040B493 |> 8B55 F8 /mov edx,[local.2]
0040B496 |. 66:035C4A FE |add bx,word ptr ds:[edx+ecx*2-0x2] ; 结果保存在BX
0040B49B |. 41 |inc ecx
0040B49C |. 48 |dec eax
0040B49D |.^ 75 F4 \jnz short PrivacyE.0040B493 ; 循环计算该日期总共的天数 ebx=97 10进制151
0040B49F |> \0FB7CE movzx ecx,si
0040B4A2 |. 49 dec ecx ; 年份-1
0040B4A3 |. 8BC1 mov eax,ecx
0040B4A5 |. BE 64000000 mov esi,0x64 ; 100
0040B4AA |. 99 cdq
0040B4AB |. F7FE idiv esi
0040B4AD |. 69F1 6D010000 imul esi,ecx,0x16D ; 365*474(年数)
0040B4B3 |. 8BD1 mov edx,ecx ; 结果=173010
0040B4B5 |. 85D2 test edx,edx
0040B4B7 |. 79 03 jns short PrivacyE.0040B4BC
0040B4B9 |. 83C2 03 add edx,0x3
0040B4BC |> C1FA 02 sar edx,0x2
0040B4BF |. 03F2 add esi,edx
0040B4C1 |. 2BF0 sub esi,eax
0040B4C3 |. 8BC1 mov eax,ecx
0040B4C5 |. B9 90010000 mov ecx,0x190 ; 400
0040B4CA |. 99 cdq
0040B4CB |. F7F9 idiv ecx ; 年数 mod 400
0040B4CD |. 03F0 add esi,eax
0040B4CF |. 0FB7C3 movzx eax,bx
0040B4D2 |. 03F0 add esi,eax ; esi=当前系统年份 esi=736151 736151/365=2016
0040B4D4 |. 81EE 5A950A00 sub esi,0xA955A ; 1900年的总天数 - 2016的总天数
0040B4DA |. 8975 F4 mov [local.3],esi
0040B4DD |. DB45 F4 fild [local.3] ; 把结果浮点
0040B4E0 |. 8B45 08 mov eax,[arg.1]
0040B4E3 |. DD18 fstp qword ptr ds:[eax]
0040B4E5 |. 9B wait
0040B4E6 |. C645 FF 01 mov byte ptr ss:[ebp-0x1],0x1
0040B4EA |> 8A45 FF mov al,byte ptr ss:[ebp-0x1]
0040B4ED |. 5F pop edi
0040B4EE |. 5E pop esi
0040B4EF |. 5B pop ebx
0040B4F0 |. 8BE5 mov esp,ebp
0040B4F2 |. 5D pop ebp
0040B4F3 \. C2 0400 retn 0x4
小结:
1. 取假码第2位转换成十六进制数值, 记为 X1. [这里是 2,]
2. 取假码第8和第10位转换成十六进制数值, 记为 X2. [这里是 A8,]
3. 取假码第4,第6和第12位转换成十六进制数值, 记为 X3. [这里是 $46C]
DX = X1 xor 7 =5 [月份]=month
SI = X2 xor $B7 = 0x1F(31) [日期] =day
AX = X3 xor $5B7 = 0x1DB (475)[年份] =year
其实程序从一开始取假码的第几位,就知道程序不断进行对比的是哪几位,在前面取了假码的 2 4 6 8 10 12 这几个数据进行不断运算然后进行各种对比,其实影响最后的结果就是假码这几位所输入的数据一定要符合这几点
1. 这里的SI等于AX 0x270F> AX== X2 xor $B7 >1 即SI的值要在1-9999的范围里 所以可以推算出X3 接着可以推算出假码第4 第6 第12位数应该填什么
2.这里的DI其实是等于DX (注意看标记为红色的地址) 可以知道 C>DX>1 即DX范围为 1-12
3.这里的BX等于上面的SI 31>SI>1 即SI范围 1-31 所以继续可以推算出 假码第8和第10位应该填什么
0040B49F |> \0FB7CE movzx ecx,si ;
0040B4A2 |. 49 dec ecx ;
0040B4A3 |. 8BC1 mov eax,ecx
0040B4A5 |. BE 64000000 mov esi,0x64 ;
0040B4AB |. F7FE idiv esi
0040B4AD |. 69F1 6D010000 imul esi,ecx,0x16D ;
0040B4B3 |. 8BD1 mov edx,ecx ;
0040B4B5 |. 85D2 test edx,edx
0040B4B7 |. 79 03 jns short PrivacyE.0040B4BC
0040B4B9 |. 83C2 03 add edx,0x3
0040B4BC |> C1FA 02 sar edx,0x2 ;
0040B4BF |. 03F2 add esi,edx
0040B4C1 |. 2BF0 sub esi,eax
0040B4C3 |. 8BC1 mov eax,ecx
0040B4C5 |. B9 90010000 mov ecx,0x190 ;
0040B4CA |. 99 cdq
0040B4CB |. F7F9 idiv ecx ;
0040B4CD |. 03F0 add esi,eax
0040B4CF |. 0FB7C3 movzx eax,bx
0040B4D2 |. 03F0 add esi,eax ;
0040B4D4 |. 81EE 5A950A00 sub esi,0xA955A ;
上面汇编指令可以得出
SI=1DB=AX
(AX-1)*365+118-4+1+97=173276
4.计算出1900年的总天数 1900*365= 693594 然后把693594-由AX计算出的天数 AX是由假码 4 6 12位影响 即173276-6693594 =-520318 这里记为T1 然后把得出的结果进行浮点处理
来到这段代码 然而我输入的假码目前所有条件都符合,所以暂时不用修改假码!
004F0AAD . E8 46AAF1FF call PrivacyE.0040B4F8 ; 关键算法:进行日期格式检测及日期计算,F7进入
004F0AB2 . DD5D E0 fstp qword ptr ss:[ebp-0x20] ; -520318
004F0AB5 . 9B wait
004F0AB6 . E8 B5ACF1FF call PrivacyE.0040B770 ; 获取当前系统时间 42557为1900年到今天的天数 F7进入
004F0ABB . DC5D E0 fcomp qword ptr ss:[ebp-0x20] ; 比较
004F0ABE . DFE0 fstsw ax
004F0AC0 . 9E sahf
004F0AC1 . 76 1B jbe short PrivacyE.004F0ADE ; 不跳
进入004F0AB6 这个call
0040B770 /$ 83C4 E8 add esp,-0x18
0040B773 |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
0040B777 |. 50 push eax ; /pLocaltime = 0012FC9C
0040B778 |. E8 3BB9FFFF call <jmp.&kernel32.GetLocalTime> ; \GetLocalTime
0040B77D |. 66:8B4C24 0E mov cx,word ptr ss:[esp+0xE] ; 日 6
0040B782 |. 66:8B5424 0A mov dx,word ptr ss:[esp+0xA] ; 月 7
0040B787 |. 66:8B4424 08 mov ax,word ptr ss:[esp+0x8] ; 年 2016
0040B78C |. E8 67FDFFFF call PrivacyE.0040B4F8 ; 关键算法:进行日期格式检测及日期计算,F7进入
0040B791 |. DD1C24 fstp qword ptr ss:[esp]
0040B794 |. 9B wait
0040B795 |. DD0424 fld qword ptr ss:[esp]
0040B798 |. 83C4 18 add esp,0x18
0040B79B \. C3 retn
0040B78C这个地址的call 是进回刚才计算日期的call 请参考上面的信息
所以得出: 我现在的时间是 2016-07-06 2016的总天数是 736151 然后1900年的总天数是693594 736151-693594=42557 最后将结果浮点型 这里记为T2
004F0AAD . E8 46AAF1FF call PrivacyE.0040B4F8 ; 关键算法:进行日期格式检测及日期计算,F7进入
004F0AB2 . DD5D E0 fstp qword ptr ss:[ebp-0x20]
004F0AB5 . 9B wait
004F0AB6 . E8 B5ACF1FF call PrivacyE.0040B770 ; 获取当前系统时间 42557为1900年到今天的天数
004F0ABB . DC5D E0 fcomp qword ptr ss:[ebp-0x20] ; T1和T2比较
004F0ABE . DFE0 fstsw ax
004F0AC0 . 9E sahf
004F0AC1 . 76 1B jbe short PrivacyE.004F0ADE ; 这个跳转一定要实现 不高于跳转 所以T1一定要大于T2
004F0AC3 . DD45 E0 fld qword ptr ss:[ebp-0x20]
004F0AC6 . D81D CC0B4F00 fcomp dword ptr ds:[0x4F0BCC]
004F0ACC . DFE0 fstsw ax
004F0ACE . 9E sahf
004F0ACF . 74 0D je short PrivacyE.004F0ADE
上图很明显看出T1<T2
所以跳转不实现,然后我们要进行修改下假码,令到这个跳转实现。
因为涉及计算,所以我们先理清下思路
我们现在想要得到的结果是T2>T1,上面已经说过了,T2是等于现在的年份的总天数-1900年的总天数
T1=(AX-1)*365+118-4+1+97-1900*365=173276-693594=-520318 1900年的总天数到由假码计算出的天数
123456789ABCDEFG
取假码第4,第6和第12位转换成十六进制数值, 记为 X3. [这里是 $46C]
AX = X3 xor $5B7 = 0x1DB (475)[年份] =year
我把上面得出的结论再复制一遍 这样比较容易分析 然后我们分析得出要符合T1>T2 必须AX>现在的年份(现在是2016)
所以我想要AX=2020吧 这个数字比较好。。 X3要xor $5B7=7E4
异或
不同 1
相同 0
01001010011 X3=253
10110110111 5B7
11111100100 7E4
4位为 2 6位为5 12位为3
更新后的假码:123255789AB3DEFG
004F0AC1 . /76 1B jbe short PrivacyE.004F0ADE ; 如果 T1 大于 T2 则跳走 不高于跳转
现在来到这个跳转后 跳转是实现的
好了,接下来继续下一步调试分析。
004F0AC1 . /76 1B jbe short PrivacyE.004F0ADE ; 如果 T1 大于 T2 则跳走 不高于跳转
004F0AC3 . |DD45 E0 fld qword ptr ss:[ebp-0x20]
004F0AC6 . |D81D CC0B4F00 fcomp dword ptr ds:[0x4F0BCC]
004F0ACC . |DFE0 fstsw ax
004F0ACE . |9E sahf
004F0ACF . |74 0D je short PrivacyE.004F0ADE
004F0AD1 . |33C0 xor eax,eax
004F0AD3 . |5A pop edx ; PrivacyE.004F0B0A
004F0AD4 . |59 pop ecx ; PrivacyE.004F0B0A
004F0AD5 . |59 pop ecx ; PrivacyE.004F0B0A
004F0AD6 . |64:8910 mov dword ptr fs:[eax],edx
004F0AD9 . |E9 84000000 jmp PrivacyE.004F0B62
004F0ADE > \33C0 xor eax,eax 正常情况下跳到这里
004F0AE0 . 5A pop edx ; PrivacyE.004F0B0A
004F0AE1 . 59 pop ecx ; PrivacyE.004F0B0A
004F0AE2 . 59 pop ecx ; PrivacyE.004F0B0A
004F0AE3 . 64:8910 mov dword ptr fs:[eax],edx
004F0AE6 . EB 11 jmp short PrivacyE.004F0AF9
004F0AE8 .^ E9 3B32F1FF jmp PrivacyE.00403D28
004F0AED . E8 6236F1FF call PrivacyE.00404154
004F0AF2 . EB 6E jmp short PrivacyE.004F0B62
004F0AF4 . E8 5B36F1FF call PrivacyE.00404154
004F0AF9 > 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
004F0AFC . 50 push eax
004F0AFD . 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC] ; 假码
004F0B00 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4] ; 机器码
004F0B03 . 8BC3 mov eax,ebx
004F0B05 . E8 F6F0FFFF call PrivacyE.004EFC00 ; 关键算法2
004EFC00 /$ 55 push ebp
004EFC01 |. 8BEC mov ebp,esp
004EFC03 |. 83C4 C4 add esp,-0x3C
004EFC06 |. 53 push ebx
004EFC07 |. 56 push esi
004EFC08 |. 57 push edi
004EFC09 |. 33DB xor ebx,ebx
004EFC0B |. 895D C4 mov [local.15],ebx
004EFC0E |. 895D C8 mov [local.14],ebx
004EFC11 |. 895D CC mov [local.13],ebx
004EFC14 |. 895D D0 mov [local.12],ebx
004EFC17 |. 895D F0 mov [local.4],ebx
004EFC1A |. 895D EC mov [local.5],ebx
004EFC1D |. 894D F4 mov [local.3],ecx
004EFC20 |. 8955 F8 mov [local.2],edx
004EFC23 |. 8945 FC mov [local.1],eax
004EFC26 |. 8B45 F8 mov eax,[local.2]
004EFC29 |. E8 E64FF1FF call PrivacyE.00404C14
004EFC2E |. 8B45 F4 mov eax,[local.3] ; 假码
004EFC31 |. E8 DE4FF1FF call PrivacyE.00404C14
004EFC36 |. 33C0 xor eax,eax
004EFC38 |. 55 push ebp
004EFC39 |. 68 A4FF4E00 push PrivacyE.004EFFA4
004EFC3E |. 64:FF30 push dword ptr fs:[eax]
004EFC41 |. 64:8920 mov dword ptr fs:[eax],esp
004EFC44 |. 8B45 08 mov eax,[arg.1]
004EFC47 |. BA BCFF4E00 mov edx,PrivacyE.004EFFBC ; 542264156124568746123
004EFC4C |. E8 674BF1FF call PrivacyE.004047B8
004EFC51 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFC54 |. E8 CB4DF1FF call PrivacyE.00404A24
004EFC59 |. 8B55 FC mov edx,[local.1]
004EFC5C |. 3B42 58 cmp eax,dword ptr ds:[edx+0x58] ; 机器码长度和50比较
004EFC5F |. 0F8F 17030000 jg PrivacyE.004EFF7C
004EFC65 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFC68 |. E8 B74DF1FF call PrivacyE.00404A24
004EFC6D |. 8B55 FC mov edx,[local.1]
004EFC70 |. 3B42 5C cmp eax,dword ptr ds:[edx+0x5C] ; 机器码长度和5比较
004EFC73 |. 0F8C 03030000 jl PrivacyE.004EFF7C
004EFC79 |. 8D45 E0 lea eax,[local.8]
004EFC7C |. 8B55 F4 mov edx,[local.3] ; 假码
004EFC7F |. 8A12 mov dl,byte ptr ds:[edx] ; 假码第一位
004EFC81 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
004EFC84 |. C600 01 mov byte ptr ds:[eax],0x1
004EFC87 |. 8D55 E0 lea edx,[local.8]
004EFC8A |. 8D45 DC lea eax,[local.9]
004EFC8D |. E8 7A34F1FF call PrivacyE.0040310C
004EFC92 |. 8D45 D8 lea eax,[local.10]
004EFC95 |. 8B55 F4 mov edx,[local.3]
004EFC98 |. 8A52 02 mov dl,byte ptr ds:[edx+0x2] ; 假码第三位
004EFC9B |. 8850 01 mov byte ptr ds:[eax+0x1],dl
004EFC9E |. C600 01 mov byte ptr ds:[eax],0x1
004EFCA1 |. 8D55 D8 lea edx,[local.10]
004EFCA4 |. 8D45 DC lea eax,[local.9]
004EFCA7 |. B1 02 mov cl,0x2
004EFCA9 |. E8 2E34F1FF call PrivacyE.004030DC
004EFCAE |. 8D55 DC lea edx,[local.9] ; 第一第3位合并 记为M1
004EFCB1 |. 8D45 F0 lea eax,[local.4]
004EFCB4 |. E8 0F4DF1FF call PrivacyE.004049C8
004EFCB9 |. 8D45 EC lea eax,[local.5]
004EFCBC |. 8B55 F4 mov edx,[local.3] ; 假码
004EFCBF |. 8A52 04 mov dl,byte ptr ds:[edx+0x4] ; 假码第5位
004EFCC2 |. E8 854CF1FF call PrivacyE.0040494C
004EFCC7 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFCCA |. E8 554DF1FF call PrivacyE.00404A24
004EFCCF |. 8BF0 mov esi,eax ; 机器码长度 记为len
004EFCD1 |. 8975 D4 mov [local.11],esi
004EFCD4 |. DB45 D4 fild [local.11] ; 浮点处理机器码长度
004EFCD7 |. D835 D4FF4E00 fdiv dword ptr ds:[0x4EFFD4] ; 10/2=5 记为R
004EFCDD |. E8 0E33F1FF call PrivacyE.00402FF0 ; 去掉小数部分取整 把除法结果存放在eax
004EFCE2 |. 8B55 F8 mov edx,[local.2] ; 机器码
004EFCE5 |. 0FB64402 FF movzx eax,byte ptr ds:[edx+eax-0x1] ; 机器码【R】
004EFCEA |. 8B55 F8 mov edx,[local.2]
004EFCED |. 0FB612 movzx edx,byte ptr ds:[edx] ; 机器码第一位
004EFCF0 |. 8B4D F8 mov ecx,[local.2]
004EFCF3 |. 0FB649 01 movzx ecx,byte ptr ds:[ecx+0x1] ; 机器码第2位
004EFCF7 |. 03D1 add edx,ecx ; 机器码第一位和机器码第2位相加=S1
004EFCF9 |. 03C2 add eax,edx ; S1+机器码【R】=S2
004EFCFB |. 8B55 F8 mov edx,[local.2] ; 假码
004EFCFE |. 0FB65432 FF movzx edx,byte ptr ds:[edx+esi-0x1] ; 机器码【len】
004EFD03 |. 03C2 add eax,edx ; S2+机器码【len】=s3
004EFD05 |. 8B55 F8 mov edx,[local.2]
004EFD08 |. 0FB65432 FE movzx edx,byte ptr ds:[edx+esi-0x2] ; 机器码【len-1】
004EFD0D |. 03C2 add eax,edx ; S3+机器码【len-1】=S4=106
004EFD0F |. 8945 E8 mov [local.6],eax
004EFD12 |. 8D45 D0 lea eax,[local.12]
004EFD15 |. 8B4D F0 mov ecx,[local.4]
004EFD18 |. BA E0FF4E00 mov edx,PrivacyE.004EFFE0 ; $
004EFD1D |. E8 4E4DF1FF call PrivacyE.00404A70
004EFD22 |. 8B45 D0 mov eax,[local.12] ; M1和$ 字符串合并$13
004EFD25 |. BA FFFF0000 mov edx,0xFFFF
004EFD2A |. E8 4598F1FF call PrivacyE.00409574
004EFD2F |. 8BF0 mov esi,eax ; M1转16进制 00000013
004EFD31 |. 81FE FFFF0000 cmp esi,0xFFFF ; 和-1比较
004EFD37 |. 0F84 3F020000 je PrivacyE.004EFF7C
004EFD3D |. 8B45 FC mov eax,[local.1]
004EFD40 |. 8B40 70 mov eax,dword ptr ds:[eax+0x70] ; BDE14F3 转10进制 199103731
004EFD43 |. 99 cdq ; S4 转10进制262
004EFD44 |. F77D E8 idiv [local.6] ; 199103731/S4 eax为 759937 edx为余数 237
004EFD47 |. 81E2 FF000000 and edx,0xFF ; 余数and操作
004EFD4D |. 3BF2 cmp esi,edx ; 和M1比较
004EFD4F |. 0F85 27020000 jnz PrivacyE.004EFF7C
小结一下:
1.机器码长度不能大于50位和不能少于5位
2.取假码第一位和第三位合并,记为M1(这里为13)
3.004EFCD7 |. D835 D4FF4E00 fdiv dword ptr ds:[0x4EFFD4] 这里的[0x4EFFD4]是2 应该每个人都不一样的,有可能是假码影响到这个值 我这里就不再调试这个值了
取机器码长度(我这里为10)÷2=5,结果记为R
4.机器码[1]+机器码[2]=S1
5.S1+机器码[R]=S2
6.机器码[R]+S2=S3
7.S3+机器码【len-1】=S4=106
8.M1和$ 字符串合并$13 转10进制 然后和-1对比 不能等于-1
9.004EFD40 |. 8B40 70 mov eax,dword ptr ds:[eax+0x70] ; [eax+0x70]=BDE14F3 转10进制 199103731
10.199103731/S4 = 759937 余 237 就是759937*S4+237=199103731
11.余数存放在edx,and edx,0xFF 进行and操作 然后和M1对比 但是0xED(237)和0xFFand操作后还是等于 237
12. 最后M1是要等于0xED 才能继续执行正确的路线,就是jnz不能实现跳转
13.上面已经声明了M1,所以已经很明显了,假码第一位改为E 第三位改为D
假码更新后为:E2D255789AB3DEFG
004EFD55 |. 8D45 CC lea eax,[local.13]
004EFD58 |. 8B4D EC mov ecx,[local.5] ; 假码第5位
004EFD5B |. BA E0FF4E00 mov edx,PrivacyE.004EFFE0 ; $
004EFD60 |. E8 0B4DF1FF call PrivacyE.00404A70
004EFD65 |. 8B45 CC mov eax,[local.13] ; 合并后$5
004EFD68 |. BA FFFF0000 mov edx,0xFFFF
004EFD6D |. E8 0298F1FF call PrivacyE.00409574
004EFD72 |. 8BF0 mov esi,eax ; 5转16进制 记为M2
004EFD74 |. 81FE FFFF0000 cmp esi,0xFFFF
004EFD7A |. 0F84 FC010000 je PrivacyE.004EFF7C
004EFD80 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFD83 |. E8 9C4CF1FF call PrivacyE.00404A24
004EFD88 |. 3BF0 cmp esi,eax ; 机器码长度和M2对比
004EFD8A |. 74 15 je short PrivacyE.004EFDA1
004EFD8C |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFD8F |. E8 904CF1FF call PrivacyE.00404A24
004EFD94 |. 83F8 10 cmp eax,0x10 ; 机器码长度和16对比
004EFD97 |. 7E 08 jle short PrivacyE.004EFDA1 ; 这里必须要跳走
004EFD99 |. 85F6 test esi,esi
004EFD9B |. 0F85 DB010000 jnz PrivacyE.004EFF7C
004EFDA1 |> 8D45 E0 lea eax,[local.8]
004EFDA4 |. 8B55 F4 mov edx,[local.3] ; 假码
004EFDA7 |. 8A52 06 mov dl,byte ptr ds:[edx+0x6] ; 假码[7]
004EFDAA |. 8850 01 mov byte ptr ds:[eax+0x1],dl
004EFDAD |. C600 01 mov byte ptr ds:[eax],0x1 ; [eax]指向下一位假码
004EFDB0 |. 8D55 E0 lea edx,[local.8]
004EFDB3 |. 8D45 DC lea eax,[local.9]
004EFDB6 |. E8 5133F1FF call PrivacyE.0040310C
004EFDBB |. 8D45 D8 lea eax,[local.10]
004EFDBE |. 8B55 F4 mov edx,[local.3]
004EFDC1 |. 8A52 08 mov dl,byte ptr ds:[edx+0x8] ; 假码[9]
004EFDC4 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
004EFDC7 |. C600 01 mov byte ptr ds:[eax],0x1
004EFDCA |. 8D55 D8 lea edx,[local.10]
004EFDCD |. 8D45 DC lea eax,[local.9]
004EFDD0 |. B1 02 mov cl,0x2
004EFDD2 |. E8 0533F1FF call PrivacyE.004030DC
004EFDD7 |. 8D55 DC lea edx,[local.9] ; 假码[7] 和假码[9]合并 这里为79
004EFDDA |. 8D45 D4 lea eax,[local.11]
004EFDDD |. E8 2A33F1FF call PrivacyE.0040310C
004EFDE2 |. 8D45 D8 lea eax,[local.10]
004EFDE5 |. 8B55 F4 mov edx,[local.3] ; 假码
004EFDE8 |. 8A52 0A mov dl,byte ptr ds:[edx+0xA] ; 假码[11]
004EFDEB |. 8850 01 mov byte ptr ds:[eax+0x1],dl
004EFDEE |. C600 01 mov byte ptr ds:[eax],0x1
004EFDF1 |. 8D55 D8 lea edx,[local.10]
004EFDF4 |. 8D45 D4 lea eax,[local.11]
004EFDF7 |. B1 03 mov cl,0x3
004EFDF9 |. E8 DE32F1FF call PrivacyE.004030DC
004EFDFE |. 8D55 D4 lea edx,[local.11] ; 假码[7] 假码[9] 假码[11] 合并 79B
004EFE01 |. 8D45 F0 lea eax,[local.4]
004EFE04 |. E8 BF4BF1FF call PrivacyE.004049C8
004EFE09 |. 8D45 C8 lea eax,[local.14]
004EFE0C |. 8B4D F0 mov ecx,[local.4] ; 79B
004EFE0F |. BA E0FF4E00 mov edx,PrivacyE.004EFFE0 ; $
004EFE14 |. E8 574CF1FF call PrivacyE.00404A70
004EFE19 |. 8B45 C8 mov eax,[local.14] ; $79B
004EFE1C |. BA FFFF0000 mov edx,0xFFFF
004EFE21 |. E8 4E97F1FF call PrivacyE.00409574
004EFE26 |. 8945 E8 mov [local.6],eax ; $79B转16进制 0000079B 记为M3
004EFE29 |. 817D E8 FFFF0>cmp [local.6],0xFFFF ; M3和0xFFFF对比
004EFE30 |. 0F84 46010000 je PrivacyE.004EFF7C
004EFE36 |. 33F6 xor esi,esi
004EFE38 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFE3B |. E8 E44BF1FF call PrivacyE.00404A24
004EFE40 |. 85C0 test eax,eax ; 对比机器码长度是否为空
004EFE42 |. 7E 13 jle short PrivacyE.004EFE57
004EFE44 |. BB 01000000 mov ebx,0x1
004EFE49 |> 8B55 F8 /mov edx,[local.2] ; 机器码
004EFE4C |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-0x1] ; 指向机器码的每一个字节
004EFE51 |. 03F2 |add esi,edx ; esi=机器码相加后的结果 记为K k=203
004EFE53 |. 43 |inc ebx
004EFE54 |. 48 |dec eax
004EFE55 |.^ 75 F2 \jnz short PrivacyE.004EFE49
004EFE57 |> C1E6 04 shl esi,0x4 ; 00000203左移4位 等于00002030 记为K1
004EFE5A |. 8B45 FC mov eax,[local.1]
004EFE5D |. 3370 74 xor esi,dword ptr ds:[eax+0x74] ; 03C9642B和K1 xor 结果记为K2 K2=03C9441B
004EFE60 |. 81E6 FF0F0000 and esi,0xFFF ; K2和0xFFFand 记为K3
004EFE66 |. 8975 E4 mov [local.7],esi ; K3=41B
004EFE69 |. 8B45 E4 mov eax,[local.7]
004EFE6C |. 3B45 E8 cmp eax,[local.6] ; K3和M3比较 不相等就跳
004EFE6F |. 0F85 07010000 jnz PrivacyE.004EFF7C ; 所以一定要K3=M3
小结:
1.假码[5]转16进制 记为M2
2.Len和M2对比,
3.假码[7] 假码[9] 假码[11] 合并 记为M3 M3=79B
4.M3转16进制后和K3对比 一定要实现M3=K3
5.K3=41B 所以M3=41B 得出 假码[7]=4 假码[9]=1 假码[11]=B
假码更新为:E2D255481AB3DEFG
004EFE75 |. 8B45 F4 mov eax,[local.3] ; 假码
004EFE78 |. E8 A74BF1FF call PrivacyE.00404A24 ; 获取注册码长度
004EFE7D |. 83F8 0C cmp eax,0xC ; 注册码长度和12比较
004EFE80 |. 0F8E E9000000 jle PrivacyE.004EFF6F
004EFE86 |. 8D45 EC lea eax,[local.5]
004EFE89 |. E8 D648F1FF call PrivacyE.00404764
004EFE8E |. 33C0 xor eax,eax
004EFE90 |. 8945 E4 mov [local.7],eax
004EFE93 |. 8B45 F8 mov eax,[local.2] ; 机器码
004EFE96 |. E8 894BF1FF call PrivacyE.00404A24
004EFE9B |. 85C0 test eax,eax ; 对比机器码长度是否为空
004EFE9D |. 7E 14 jle short PrivacyE.004EFEB3
004EFE9F |. BB 01000000 mov ebx,0x1
004EFEA4 |> 8B55 F8 /mov edx,[local.2] ; 机器码
004EFEA7 |. 0FB6541A FF |movzx edx,byte ptr ds:[edx+ebx-0x1]
004EFEAC |. 0155 E4 |add [local.7],edx ; 机器码所有字节相加存到一个变量中 变量=203
004EFEAF |. 43 |inc ebx
004EFEB0 |. 48 |dec eax
004EFEB1 |.^ 75 F1 \jnz short PrivacyE.004EFEA4
004EFEB3 |> B8 FFFFFF07 mov eax,0x7FFFFFF ; x
004EFEB8 |. 99 cdq
004EFEB9 |. F77D E4 idiv [local.7] ; 134217727÷515=260616.....487
004EFEBC |. F76D E4 imul [local.7] ; 260616×515=134217240
004EFEBF |. 8945 E4 mov [local.7],eax
004EFEC2 |. 8B45 F4 mov eax,[local.3] ; 注册码
004EFEC5 |. E8 5A4BF1FF call PrivacyE.00404A24
004EFECA |. 83E8 0C sub eax,0xC ; 注册码长度-12=4
004EFECD |. 8945 E8 mov [local.6],eax
004EFED0 |. 8D45 F0 lea eax,[local.4]
004EFED3 |. 50 push eax
004EFED4 |. 8B4D E8 mov ecx,[local.6]
004EFED7 |. BA 0D000000 mov edx,0xD
004EFEDC |. 8B45 F4 mov eax,[local.3] ; 注册码
004EFEDF |. E8 A04DF1FF call PrivacyE.00404C84
004EFEE4 |. BF 1F000000 mov edi,0x1F
004EFEE9 |. BB 01000000 mov ebx,0x1
004EFEEE |> 8BCB /mov ecx,ebx
004EFEF0 |. 8B45 FC |mov eax,[local.1]
004EFEF3 |. 8B40 78 |mov eax,dword ptr ds:[eax+0x78]
004EFEF6 |. 8BF0 |mov esi,eax
004EFEF8 |. D3E6 |shl esi,cl
004EFEFA |. 8BCF |mov ecx,edi
004EFEFC |. D3E8 |shr eax,cl
004EFEFE |. 0BF0 |or esi,eax
004EFF00 |. 8BC6 |mov eax,esi
004EFF02 |. 99 |cdq
004EFF03 |. 33C2 |xor eax,edx
004EFF05 |. 2BC2 |sub eax,edx
004EFF07 |. 8BF0 |mov esi,eax
004EFF09 |. 3B75 E4 |cmp esi,[local.7] ; PrivacyE.004F0611
004EFF0C |. 7E 0A |jle short PrivacyE.004EFF18
004EFF0E |. 8BC6 |mov eax,esi
004EFF10 |. 99 |cdq
004EFF11 |. F77D E4 |idiv [local.7] ; PrivacyE.004F0611
004EFF14 |. 8BF2 |mov esi,edx
004EFF16 |. EB 08 |jmp short PrivacyE.004EFF20
004EFF18 |> 8B45 E4 |mov eax,[local.7] ; PrivacyE.004F0611
004EFF1B |. 99 |cdq
004EFF1C |. F7FE |idiv esi
004EFF1E |. 8BF2 |mov esi,edx
004EFF20 |> 8D4D C4 |lea ecx,[local.15]
004EFF23 |. 8BC6 |mov eax,esi
004EFF25 |. 25 FF0F0000 |and eax,0xFFF
004EFF2A |. BA 03000000 |mov edx,0x3
004EFF2F |. E8 DC95F1FF |call PrivacyE.00409510 这段主要循环计算得出一堆字符串 这堆字符串后面有用
004EFF34 |. 8B55 C4 |mov edx,[local.15] ; 0F40F46C86C80881104089F85400999E65B3B658B17CFF9EBDCC9F4DA9B4550C880208F174E083105727CCAF9DBDEF7F 记为str
004EFF37 |. 8D45 EC |lea eax,[local.5]
004EFF3A |. E8 ED4AF1FF |call PrivacyE.00404A2C
004EFF3F |. 4F |dec edi
004EFF40 |. 43 |inc ebx
004EFF41 |. 83FB 21 |cmp ebx,0x21 循环33次
004EFF44 |.^ 75 A8 \jnz short PrivacyE.004EFEEE
004EFF46 |. 8D45 EC lea eax,[local.5]
004EFF49 |. 50 push eax
004EFF4A |. 8B45 FC mov eax,[local.1]
004EFF4D |. 8B48 6C mov ecx,dword ptr ds:[eax+0x6C] ; 14
004EFF50 |. 83E9 0C sub ecx,0xC ; 14-C=8
004EFF53 |. BA 01000000 mov edx,0x1
004EFF58 |. 8B45 EC mov eax,[local.5] ; str=0F40F46C86C80881104089F85400999E65B3B658B17CFF9EBDCC9F4DA9B4550C880208F174E083105727CCAF9DBDEF7F
004EFF5B |. E8 244DF1FF call PrivacyE.00404C84 ; 拿出str 8位字符寸
004EFF60 |. 8B55 EC mov edx,[local.5] ; 0F40F46C 记为str1
004EFF63 |. 8B45 F0 mov eax,[local.4] ; 拿出假码第13位以后的字符 DFEG记为M4
004EFF66 |. E8 2990F1FF call PrivacyE.00408F94 ; str1和M4比较 不一样的话就实现跳转 这里不能跳,所以得出str1=M4
004EFF6B |. 85C0 test eax,eax
004EFF6D |. 75 0D jnz short PrivacyE.004EFF7C
004EFF6F |> 8B45 08 mov eax,[arg.1] ; PrivacyE.004F0C8F
004EFF72 |. BA ECFF4E00 mov edx,PrivacyE.004EFFEC ; 645364631365423154824
004EFF77 |. E8 3C48F1FF call PrivacyE.004047B8
004EFF7C |> 33C0 xor eax,eax
004EFF7E |. 5A pop edx ; PrivacyE.004F05C4
004EFF7F |. 59 pop ecx ; PrivacyE.004F05C4
004EFF80 |. 59 pop ecx ; PrivacyE.004F05C4
004EFF81 |. 64:8910 mov dword ptr fs:[eax],edx
004EFF84 |. 68 ABFF4E00 push PrivacyE.004EFFAB
004EFF89 |> 8D45 C4 lea eax,[local.15]
004EFF8C |. BA 04000000 mov edx,0x4
004EFF91 |. E8 F247F1FF call PrivacyE.00404788
004EFF96 |. 8D45 EC lea eax,[local.5]
004EFF99 |. BA 04000000 mov edx,0x4
004EFF9E |. E8 E547F1FF call PrivacyE.00404788
004EFFA3 \. C3 retn
004EFFA4 .^ E9 3340F1FF jmp PrivacyE.00403FDC
004EFFA9 .^ EB DE jmp short PrivacyE.004EFF89
004EFFAB . 5F pop edi ; PrivacyE.004F05C4
004EFFAC . 5E pop esi ; PrivacyE.004F05C4
004EFFAD . 5B pop ebx ; PrivacyE.004F05C4
004EFFAE . 8BE5 mov esp,ebp
004EFFB0 . 5D pop ebp ; PrivacyE.004F05C4
004EFFB1 . C2 0400 retn 0x4
小结:其实这段可以很清楚的看到假码第13位以后的字符一定要和str1相等,否则的话就注册失败。
所以最终注册码为 :E2D255481AB30F40F46C
关于这个注册机问题,因为这个软件的算法设计到其他未知变量,所以写注册机比较麻烦,要知道的参数比较多才行,比如str这个字符串是怎么计算出来的,因为最后会用到这个,所以写注册机的问题自己解决吧,
其实追码的教程也是一种享受!苦中作乐。
总结:完成这个追码教程弄了我几天,不过都是断断续续的再研究,每次研究不超过一小时,虽然有参考别人的文章,但是现在你所看到的整篇算法分析都是我自己写的,比原作者还要详细,当然这里肯定要先感谢原作者,
提供了一篇很好的分析文章,其实要有耐心,其实纵观全篇文章,其实这个算法并不难,主要还是有耐心分析下去才行,一开始我看原作者的前面的年月日的分析,我也搞不明白是什么意思,但是经过自己多次调试
和分析后,终于弄明白了,而且弄明白后,后面的问题也是迎刃而解,软件作者写的算法是一步接着一步来的,第一步走错了,就会全盘皆输。还有这个软件不是直接出真码的,是把真码拆分开来,一步一步来进行
对比。至此,研究了这么一个软件,令我收益颇多。
因为我不是很会排版,所以直接弄成了文档,给需要的人研究,如有错误,欢迎指正!!
一次苦中作乐的追码过程.zip