This program gave me a headache for quite a while...
(If there are mistakes, I hope the experts will point them out so we can learn together. Much appreciated!!)
I. Basic information
Main window:
There are three visible buttons...
Same idea as 006: the buttons have to be made to disappear for it to count as success.
Written in Delphi, not packed.
There are three events worth looking at (decompiler: DarkDe 4).
II. Brute-force crack
Set breakpoints on the three events above, analyse them briefly, then do the brute-force crack.
00442F28 RegisterzClik:
00442F28 /. 55 push ebp
00442F29 |. 8BEC mov ebp,esp
00442F2B |. 83C4 F8 add esp,-0x8
00442F2E |. 53 push ebx
00442F2F |. 56 push esi ; aLoNg3x_.<ModuleEntryPoint>
00442F30 |. 33C9 xor ecx,ecx ; aLoNg3x_.<ModuleEntryPoint>
00442F32 |. 894D F8 mov [local.2],ecx ; aLoNg3x_.<ModuleEntryPoint>
00442F35 |. 8BD8 mov ebx,eax
00442F37 |. 33C0 xor eax,eax
00442F39 |. 55 push ebp
00442F3A |. 68 22304400 push aLoNg3x_.00443022
00442F3F |. 64:FF30 push dword ptr fs:[eax]
00442F42 |. 64:8920 mov dword ptr fs:[eax],esp
00442F45 |. 8D55 F8 lea edx,[local.2]
00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F4E |. E8 ED02FEFF call aLoNg3x_.00423240
00442F53 |. 8B45 F8 mov eax,[local.2] ; kernel32.BaseThreadInitThunk
00442F56 |. 8D55 FC lea edx,[local.1]
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je short aLoNg3x_.00442F9D
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII 59,"ou MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240
00442F7E |. 8B45 F8 mov eax,[local.2] ; kernel32.BaseThreadInitThunk
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090 ; UNICODE "0"
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp short aLoNg3x_.0044300C
00442F9D |> 85F6 test esi,esi ; aLoNg3x_.<ModuleEntryPoint>
00442F9F |. 7E 5A jle short aLoNg3x_.00442FFB
00442FA1 |. 8D55 F8 lea edx,[local.2]
00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FAA |. E8 9102FEFF call aLoNg3x_.00423240
00442FAF |. 8B4D F8 mov ecx,[local.2] ; kernel32.BaseThreadInitThunk
00442FB2 |. 8BD6 mov edx,esi ; aLoNg3x_.<ModuleEntryPoint>
00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830]
00442FB9 |. E8 EAF9FFFF call aLoNg3x_.004429A8 // key call
00442FBE |. 84C0 test al,al
00442FC0 |. 74 30 je short aLoNg3x_.00442FF2 // key jump
00442FC2 |. 33D2 xor edx,edx ; aLoNg3x_.<ModuleEntryPoint>
00442FC4 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442FCA |. E8 6101FEFF call aLoNg3x_.00423130
Run it in OD, type two arbitrary strings, flip the flag at 00442FC0, then let the program run.
004430BC AgainClick:
004430BC /. 55 push ebp
004430BD |. 8BEC mov ebp,esp
004430BF |. 6A 00 push 0x0
004430C1 |. 6A 00 push 0x0
004430C3 |. 6A 00 push 0x0
004430C5 |. 53 push ebx
004430C6 |. 56 push esi ; aLoNg3x_.<ModuleEntryPoint>
004430C7 |. 8BD8 mov ebx,eax
004430C9 |. 33C0 xor eax,eax
004430CB |. 55 push ebp
004430CC |. 68 2D324400 push aLoNg3x_.0044322D
004430D1 |. 64:FF30 push dword ptr fs:[eax]
004430D4 |. 64:8920 mov dword ptr fs:[eax],esp
004430D7 |. 8D55 F4 lea edx,[local.3]
004430DA |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
004430E0 |. E8 5B01FEFF call aLoNg3x_.00423240
004430E5 |. 8B45 F4 mov eax,[local.3]
004430E8 |. 8D55 FC lea edx,[local.1]
004430EB |. E8 68F8FBFF call aLoNg3x_.00402958
004430F0 |. 8BF0 mov esi,eax
004430F2 |. 837D FC 00 cmp [local.1],0x0
004430F6 |. 74 3A je short aLoNg3x_.00443132
004430F8 |. B8 44324400 mov eax,aLoNg3x_.00443244 ; ASCII 59,"ou MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
004430FD |. E8 6EF4FFFF call aLoNg3x_.00442570
00443102 |. 8D55 F4 lea edx,[local.3]
00443105 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
0044310B |. E8 3001FEFF call aLoNg3x_.00423240
00443110 |. 8B45 F4 mov eax,[local.3]
00443113 |. E8 74F9FFFF call aLoNg3x_.00442A8C
00443118 |. A3 30584400 mov dword ptr ds:[0x445830],eax
0044311D |. BA 9C324400 mov edx,aLoNg3x_.0044329C ; UNICODE "0"
00443122 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00443128 |. E8 4301FEFF call aLoNg3x_.00423270
0044312D |. E9 DD000000 jmp aLoNg3x_.0044320F
00443132 |> 85F6 test esi,esi ; aLoNg3x_.<ModuleEntryPoint>
00443134 |. 0F8E C4000000 jle aLoNg3x_.004431FE
0044313A |. 8D55 F4 lea edx,[local.3]
0044313D |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00443143 |. E8 F800FEFF call aLoNg3x_.00423240
00443148 |. 8B4D F4 mov ecx,[local.3]
0044314B |. 8BD6 mov edx,esi ; aLoNg3x_.<ModuleEntryPoint>
0044314D |. A1 30584400 mov eax,dword ptr ds:[0x445830]
00443152 |. E8 51F8FFFF call aLoNg3x_.004429A8 // key call
00443157 |. 84C0 test al,al
00443159 |. 74 73 je short aLoNg3x_.004431CE // key jump
0044315B |. 33D2 xor edx,edx ; aLoNg3x_.<ModuleEntryPoint>
0044315D |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]
Likewise, flip the flag at 00443159 and run the program.
With that, the program is brute-force cracked.
III. Digging into the program
First, a proper analysis of the three events:
At first I entered an arbitrary username and serial and ran through it once, and was baffled: a constant at the key point was 0, which made the whole computation meaningless. So I gave up on this event's key call for the moment and turned to the key call of the AgainClick event.
Only to find that this key call is exactly the same as the previous one. (When digging deeper, following the line of the brute-force crack usually keeps things much clearer.)
Later I went back to the first key call and traced a few key points: the two operands of cmp ebx,dword ptr ss:[ebp-0x4], and edi in 00442A16 |. 0FAFD7 ||imul edx,edi.
edi turned out to be passed in via eax at the start of the key call, and eax is a constant from 00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830]. So I right-clicked Search for -> Constant -> entered 445830 and found the key point.
Here is the code with my analysis; the steps are in the comments, run through it yourself and it will make sense, I can't put it into words well myself.
Key call of RegisterzClik:
004429A8 /$ 55 push ebp
004429A9 |. 8BEC mov ebp,esp
004429AB |. 83C4 F4 add esp,-0xC
004429AE |. 53 push ebx
004429AF |. 56 push esi
004429B0 |. 57 push edi
004429B1 |. 894D F8 mov [local.2],ecx
004429B4 |. 8955 FC mov [local.1],edx ; ntdll.KiFastSystemCallRet
004429B7 |. 8BF8 mov edi,eax ; edi
004429B9 |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
004429BC |. E8 2712FCFF call aLoNg3x_.00403BE8
004429C1 |. 33C0 xor eax,eax
004429C3 |. 55 push ebp
004429C4 |. 68 7A2A4400 push aLoNg3x_.00442A7A
004429C9 |. 64:FF30 push dword ptr fs:[eax]
004429CC |. 64:8920 mov dword ptr fs:[eax],esp
004429CF |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
004429D2 |. E8 5D10FCFF call aLoNg3x_.00403A34
004429D7 |. 83F8 04 cmp eax,0x4 ; length must be > 4
004429DA |. 0F8E 82000000 jle aLoNg3x_.00442A62 ; bails out
004429E0 |. 33DB xor ebx,ebx
004429E2 |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
004429E5 |. E8 4A10FCFF call aLoNg3x_.00403A34 ; compute username length
004429EA |. 85C0 test eax,eax
004429EC |. 7E 38 jle short aLoNg3x_.00442A26 ; exit loop
004429EE |. 8945 F4 mov [local.3],eax ; local.3 = string length
004429F1 |. BE 01000000 mov esi,0x1
004429F6 |> 8B45 F8 /mov eax,[local.2] ; kernel32.7C817080
004429F9 |. E8 3610FCFF |call aLoNg3x_.00403A34 ; compute username length
004429FE |. 83F8 01 |cmp eax,0x1
00442A01 |. 7C 1D |jl short aLoNg3x_.00442A20 ; second check
00442A03 |> 8B55 F8 |/mov edx,[local.2] ; kernel32.7C817080
00442A06 |. 0FB65432 FF ||movzx edx,byte ptr ds:[edx+esi-0x1]
00442A0B |. 8B4D F8 ||mov ecx,[local.2] ; kernel32.7C817080
00442A0E |. 0FB64C01 FF ||movzx ecx,byte ptr ds:[ecx+eax-0x1]
00442A13 |. 0FAFD1 ||imul edx,ecx ; nth char times (n+1)th char
00442A16 |. 0FAFD7 ||imul edx,edi ; edi ??? passes as long as edx != 0
00442A19 |. 03DA ||add ebx,edx ; ntdll.KiFastSystemCallRet
00442A1B |. 48 ||dec eax
00442A1C |. 85C0 ||test eax,eax
00442A1E |.^ 75 E3 |\jnz short aLoNg3x_.00442A03
00442A20 |> 46 |inc esi
00442A21 |. FF4D F4 |dec [local.3] ; kernel32.7C839AD8
00442A24 |.^ 75 D0 \jnz short aLoNg3x_.004429F6 ; if edi is 0 the whole loop above is useless
00442A26 |> 8BC3 mov eax,ebx
00442A28 |. 99 cdq
00442A29 |. 33C2 xor eax,edx ; xor with edx -> 00000000
00442A2B |. 2BC2 sub eax,edx ; ntdll.KiFastSystemCallRet
00442A2D |. B9 2A2C0A00 mov ecx,0xA2C2A ; assign
00442A32 |. 99 cdq ; if eax >= 0x80000000 then edx = 0xFFFFFFFF, else edx = 0x00000000
00442A33 |. F7F9 idiv ecx ; divide by A2C2A
00442A35 |. 8BDA mov ebx,edx ; edx -> ebx
00442A37 |. 8B45 FC mov eax,[local.1] ; what is local.1 at this point??? (the second, integer serial as entered)
00442A3A |. B9 59000000 mov ecx,0x59 ; assign
00442A3F |. 99 cdq ; if eax >= 0x80000000 then edx = 0xFFFFFFFF, else edx = 0x00000000
00442A40 |. F7F9 idiv ecx ; local.1 divided by 59
00442A42 |. 8BC8 mov ecx,eax ; quotient goes in ecx
00442A44 |. 8B45 FC mov eax,[local.1]
00442A47 |. BE 50000000 mov esi,0x50 ; 赋值
00442A4C |. 99 cdq ; if eax >= 0x80000000 then edx = 0xFFFFFFFF, else edx = 0x00000000
00442A4D |. F7FE idiv esi ; local.1 divided by 50
00442A4F |. 03CA add ecx,edx ; quotient of the /59 above plus remainder of the /50
00442A51 |. 41 inc ecx ; add 1 to the result
00442A52 |. 894D FC mov [local.1],ecx
00442A55 |. 3B5D FC cmp ebx,[local.1]
00442A58 |. 75 04 jnz short aLoNg3x_.00442A5E ; key jump: taken if cmp is not equal
00442A5A |. B3 01 mov bl,0x1 ; bl = 1
00442A5C |. EB 06 jmp short aLoNg3x_.00442A64
RegisterzClik event:
00442F28 55 push ebp ; RegisterzClick
00442F29 8BEC mov ebp,esp
00442F2B |. 83C4 F8 add esp,-0x8
00442F2E |. 53 push ebx
00442F2F |. 56 push esi
00442F30 |. 33C9 xor ecx,ecx
00442F32 |. 894D F8 mov [local.2],ecx
00442F35 |. 8BD8 mov ebx,eax
00442F37 |. 33C0 xor eax,eax
00442F39 |. 55 push ebp
00442F3A |. 68 22304400 push aLoNg3x_.00443022
00442F3F |. 64:FF30 push dword ptr fs:[eax]
00442F42 |. 64:8920 mov dword ptr fs:[eax],esp
00442F45 |. 8D55 F8 lea edx,[local.2]
00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F4E |. E8 ED02FEFF call aLoNg3x_.00423240
00442F53 |. 8B45 F8 mov eax,[local.2] ; local.2 = username
00442F56 |. 8D55 FC lea edx,[local.1]
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958 ; Long Integer check call
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je short aLoNg3x_.00442F9D ; not taken if it is not a long integer
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570 ; message box
00442F70 |. 8D55 F8 lea edx,[local.2] ; local.2 = the serial entered
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240 ; compute length of the serial entered
00442F7E |. 8B45 F8 mov eax,[local.2] ; kernel32.7C817080
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; important call to watch; trace it, as long as eax != 0 it is fine?
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; where dword ptr ds:[0x445830] is assigned
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090 ; 0
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp short aLoNg3x_.0044300C ; jumps to the end
00442F9D |> 85F6 test esi,esi
00442F9F |. 7E 5A jle short aLoNg3x_.00442FFB ; not taken
00442FA1 |. 8D55 F8 lea edx,[local.2]
00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FAA |. E8 9102FEFF call aLoNg3x_.00423240 ; compute username length
00442FAF |. 8B4D F8 mov ecx,[local.2] ; kernel32.7C817080
00442FB2 |. 8BD6 mov edx,esi
00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830] ; key point: address 445830
00442FB9 |. E8 EAF9FFFF call aLoNg3x_.004429A8 ; key call
00442FBE |. 84C0 test al,al
00442FC0 |. 74 30 je short aLoNg3x_.00442FF2 ; important jump
00442FC2 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
00442FC4 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442FCA |. E8 6101FEFF call aLoNg3x_.00423130
00442FCF |. B2 01 mov dl,0x1 ; when dl = 1 the Again button appears and the input boxes are locked
Call made by the RegisterzClik event when a non-long-integer is entered:
00442A8C /$ 55 push ebp
00442A8D |. 8BEC mov ebp,esp
00442A8F |. 51 push ecx
00442A90 |. 53 push ebx
00442A91 |. 56 push esi
00442A92 |. 57 push edi
00442A93 |. 8945 FC mov [local.1],eax ; local.1 = serial
00442A96 |. 8B45 FC mov eax,[local.1]
00442A99 |. E8 4A11FCFF call aLoNg3x_.00403BE8
00442A9E |. 33C0 xor eax,eax
00442AA0 |. 55 push ebp
00442AA1 |. 68 212B4400 push aLoNg3x_.00442B21
00442AA6 |. 64:FF30 push dword ptr fs:[eax]
00442AA9 |. 64:8920 mov dword ptr fs:[eax],esp
00442AAC |. 8B45 FC mov eax,[local.1]
00442AAF |. E8 800FFCFF call aLoNg3x_.00403A34 ; compute length
00442AB4 |. 83F8 05 cmp eax,0x5
00442AB7 |. 7E 3D jle short aLoNg3x_.00442AF6 ; serial length must be > 5
00442AB9 |. BE 7B030000 mov esi,0x37B
00442ABE |. 8B45 FC mov eax,[local.1]
00442AC1 |. E8 6E0FFCFF call aLoNg3x_.00403A34 ; compute length
00442AC6 |. 8BD8 mov ebx,eax
00442AC8 |. 4B dec ebx
00442AC9 |. 85DB test ebx,ebx
00442ACB |. 7E 2B jle short aLoNg3x_.00442AF8
00442ACD |. B9 01000000 mov ecx,0x1
00442AD2 |> 8B45 FC /mov eax,[local.1]
00442AD5 |. 0FB60408 |movzx eax,byte ptr ds:[eax+ecx] ; n+1
00442AD9 |. BF 11000000 |mov edi,0x11
00442ADE |. 33D2 |xor edx,edx ; ntdll.KiFastSystemCallRet
00442AE0 |. F7F7 |div edi ; mod 0x11
00442AE2 |. 42 |inc edx ; add 1
00442AE3 |. 8B45 FC |mov eax,[local.1]
00442AE6 |. 0FB64408 FF |movzx eax,byte ptr ds:[eax+ecx-0x1] ; n
00442AEB |. 0FAFD0 |imul edx,eax
00442AEE |. 03F2 |add esi,edx ; ntdll.KiFastSystemCallRet
00442AF0 |. 41 |inc ecx
00442AF1 |. 4B |dec ebx
00442AF2 |.^ 75 DE \jnz short aLoNg3x_.00442AD2
00442AF4 |. EB 02 jmp short aLoNg3x_.00442AF8
00442AF6 |> 33F6 xor esi,esi ; esi is the key value passed out
00442AF8 |> 8BC6 mov eax,esi
00442AFA |. B9 48710000 mov ecx,0x7148
00442AFF |. 99 cdq
00442B00 |. F7F9 idiv ecx
00442B02 |. 8BC2 mov eax,edx ; ntdll.KiFastSystemCallRet
IV. Keygen
Finally, to sum up this sequence of events:
The program first needs a non-long-integer value entered in the serial box and the verify button clicked, so that it computes a value and stores it into the constant dword ptr ds:[0x445830]. At that point the serial box has been cleared, and a long-integer serial must be entered before the program performs the real verification.
Let us define two constants, A and B:
A = the value computed when the non-integer serial is entered
B = the value computed when the integer serial is entered
A = ((hex value of the (n+1)th character of the non-integer string mod 0x11) + 1) * (hex value of the nth character), added to the constant esi -> 0x37B; the result in esi is then taken mod 0x7148 (a do...while loop running n-1 times)
the call at address 00442F81
B =
Inner loop: (hex value of the esi-th character of the username) * (hex value of the nth character of the reversed username) * A, added to ebx (initially 0), result kept in ebx (loops username-length times, n-1)
Outer loop: esi += 1
Final result: ebx mod 0xA2C2A
the call at address 00442FB
Finally: (integer key / 0x59) + (integer key % 0x50) + 1 must equal B
From the above, the keygen:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

int main(void)
{
    int i, j;
    uint32_t esi = 0x37B;          /* 891: initial esi in the call at 00442A8C */
    uint32_t ebx = 0;              /* accumulator of the call at 004429A8, 32-bit wrap like the register */
    uint32_t A, B;
    char name[64] = {0};           /* index 0 is the first character */
    char keys[64] = {0};
    printf("Input your name: \n");
    scanf("%63s", name);
    printf("Input the non-integer key: \n");
    scanf("%63s", keys);
    int len_one = (int)strlen(name);
    int len_two = (int)strlen(keys);
    if (len_one <= 4 || len_two <= 5) {   /* cmp eax,4 and cmp eax,5 in the two calls */
        printf("Name must be longer than 4 and the key longer than 5 characters.\n");
        return 1;
    }
    /* A: esi += (keys[n+1] % 0x11 + 1) * keys[n] over n-1 steps, then esi % 0x7148 */
    for (i = 0; i < len_two - 1; i++) {
        uint32_t a = ((unsigned char)keys[i + 1] % 17) + 1;   /* 0x11 = 17 */
        a = a * (unsigned char)keys[i];
        esi = esi + a;
    }
    A = esi % 29000;                                           /* 0x7148 = 29000 */
    /* B: name[i] * name[j] * A over every pair of characters, accumulated in ebx */
    for (i = 0; i < len_one; i++) {
        for (j = len_one - 1; j >= 0; j--) {
            ebx += (uint32_t)((unsigned char)name[i] * (unsigned char)name[j]) * A;
        }
    }
    /* cdq / xor / sub takes the absolute value of ebx, then idiv 0xA2C2A */
    if (ebx & 0x80000000u)                                     /* sign bit set: negate */
        ebx = 0u - ebx;
    B = ebx % 666666;                                          /* 0xA2C2A = 666666 */
    /* key/0x59 + key%0x50 + 1 == B: enumerate positive long-integer keys */
    for (i = 1; i < 0x7FFFFFFF; i++) {
        if (i / 89 + i % 80 + 1 == (int)B) {
            printf("This int key is: %d \n", i);
            break;
        }
    }
    system("pause");
    return 0;
}
x/59 + x%50 + 1 = B really cannot be inverted, so enumeration is the only way. If the username and the non-integer string are long, the enumeration takes forever... mine died on the way, and then I posted this. (Headache!!)
If there are errors in the keygen or the post, please point them out, much appreciated!! If anyone has a better way of writing the keygen, please leave a note.
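The two routines summarised in part IV, modelled in Python as an added example (not the post's code; the function names are mine, the constants and addresses are those from the disassembly). It keeps the 32-bit register wraparound and the two length checks the listings show, and solve_key inverts the final equation for a fixed key % 0x50 instead of enumerating.

```python
# Model of the aLoNg3x check: the call at 00442A8C (value stored to [0x445830]) and the call at 004429A8.
MOD_A = 0x7148    # divisor at 00442AFA (29000)
MOD_B = 0xA2C2A   # divisor at 00442A2D (666666)

def to_i32(v):
    """Read a wrapped 32-bit register value as the signed int that cdq/idiv see."""
    v &= 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v

def calc_a(first_serial: bytes) -> int:
    """00442A8C: esi = 0x37B + sum((s[n+1] % 0x11 + 1) * s[n]), then remainder of esi / 0x7148."""
    if len(first_serial) <= 5:            # cmp eax,5 / jle -> esi = 0
        return 0
    esi = 0x37B
    for i in range(len(first_serial) - 1):
        esi = (esi + (first_serial[i + 1] % 0x11 + 1) * first_serial[i]) & 0xFFFFFFFF
    esi = to_i32(esi)                     # idiv: truncating, remainder takes the dividend's sign
    return -(abs(esi) % MOD_A) if esi < 0 else esi % MOD_A

def calc_b(name: bytes, a: int):
    """004429A8 up to the cmp at 00442A55; None when the name fails the length check."""
    if len(name) <= 4:                    # cmp eax,4 / jle -> check fails
        return None
    ebx = 0
    for i in range(len(name)):                   # esi = 1 .. len
        for j in range(len(name) - 1, -1, -1):   # eax = len .. 1
            ebx = (ebx + name[i] * name[j] * a) & 0xFFFFFFFF
    return abs(to_i32(ebx)) % MOD_B       # cdq / xor / sub = abs, then idiv 0xA2C2A

def check(name: bytes, first_serial: bytes, key: int) -> bool:
    """Verdict of the RegisterzClick path for the second, Long Integer serial."""
    if not 0 < key <= 0x7FFFFFFF:         # test esi,esi / jle: key must be positive
        return False
    b = calc_b(name, calc_a(first_serial))
    return b is not None and key // 0x59 + key % 0x50 + 1 == b

def solve_key(b: int):
    """Solve key//0x59 + key%0x50 + 1 == b directly: with r = key % 80 and
    q = key // 89 = b - 1 - r, key = 89*q + t where 0 <= t <= 88 and (9*q + t) % 80 == r."""
    for r in range(0x50):
        q = b - 1 - r
        if q < 0:
            break
        t0 = (r - 9 * q) % 0x50
        for t in (t0, t0 + 0x50):         # both residues that can still keep key // 89 == q
            key = 0x59 * q + t
            if t <= 0x58 and 0 < key <= 0x7FFFFFFF:
                return key
    return None                           # no key exists, e.g. b == 0 when A was 0
```

With A == 0 (first serial too short, or the loop summing to a multiple of 0x7148) calc_b returns 0 and no key satisfies the equation, which is the "meaningless computation" observed in part III.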