【Article title】: Cracking RLPack 1.20 and a brief analysis of its license algorithm
【Author】: Smoke
【Author's e-mail】: 97463448@QQ.com
【Author's QQ】: 97463448
【Software】: RLPack 1.20
【Download】: search for it yourself
【Packer】: RLPack 1.20
【Protection】: RLPack 1.20
【Written in】: ASM32
【Tools used】: OllyDbg
【Platform】: Windows XP SP3
【Author's note】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed walkthrough】
Unpacking RLPack 1.20 is not shown here; this article covers the crack and a brief analysis of the license algorithm.
After unpacking, PEiD identifies the program as MASM32 / TASM32. Load the unpacked program into OllyDbg,
search the referenced strings for "授权给:%s" (Licensed to: %s) and double-click it to land in the code that uses it.
Scroll up to the start of the routine, set a breakpoint there, press F9 to run, and single-step once it breaks: the program validates itself against a file called license.reg.
0040C6C6 55 push ebp
0040C6C7 8BEC mov ebp, esp
0040C6C9 83C4 F8 add esp, -8
0040C6CC 60 pushad
0040C6CD 6A 00 push 0
0040C6CF 68 80000000 push 80
0040C6D4 6A 03 push 3
0040C6D6 6A 00 push 0
0040C6D8 6A 00 push 0
0040C6DA 68 00000080 push 80000000
0040C6DF FF75 08 push dword ptr [ebp+8]
0040C6E2 E8 BDD30000 call <jmp.&kernel32.CreateFileA> //open license.reg with CreateFileA ([ebp+8] holds the file name)
0040C6E7 A3 F6FD4100 mov dword ptr [41FDF6], eax //save the file handle
0040C6EC 83F8 FF cmp eax, -1 //INVALID_HANDLE_VALUE? i.e. does license.reg exist
0040C6EF 0F84 8C010000 je 0040C881 //missing: jump to the failure path; present: fall through
0040C6F5 6A 00 push 0
0040C6F7 FF35 F6FD4100 push dword ptr [41FDF6]
0040C6FD E8 D8D30000 call <jmp.&kernel32.GetFileSize> //get the file size
0040C702 A3 9EF34100 mov dword ptr [41F39E], eax
0040C707 6A 00 push 0
0040C709 68 6AF84100 push 0041F86A
0040C70E FF35 9EF34100 push dword ptr [41F39E]
0040C714 68 20FE4100 push 0041FE20
0040C719 FF35 F6FD4100 push dword ptr [41FDF6]
0040C71F E8 E0D30000 call <jmp.&kernel32.ReadFile> //read license.reg into the buffer at 0041FE20
0040C724 FF35 F6FD4100 push dword ptr [41FDF6]
0040C72A E8 69D30000 call <jmp.&kernel32.CloseHandle> //close license.reg once its contents are in memory
0040C72F BE 20FE4100 mov esi, 0041FE20 //esi = start of the file buffer
0040C734 0335 9EF34100 add esi, dword ptr [41F39E] //esi = end of the buffer (start + file size)
0040C73A EB 01 jmp short 0040C73D
0040C73C 4E dec esi
0040C73D 803E 3D cmp byte ptr [esi], 3D //scan backwards for the last '=' in the file
0040C740 ^ 75 FA jnz short 0040C73C
0040C742 46 inc esi //esi now points at the PASS value
0040C743 56 push esi
0040C744 E8 0D1C0000 call 0040E356 //convert the hex string after PASS= to a DWORD
0040C749 A3 EEEB4100 mov dword ptr [41EBEE], eax //store the PASS value read from license.reg
0040C74E EB 01 jmp short 0040C751
0040C750 4E dec esi
0040C751 66:813E 0D0A cmp word ptr [esi], 0A0D //scan backwards for the CRLF before PASS=
0040C756 ^ 75 F8 jnz short 0040C750
0040C758 66:C706 0000 mov word ptr [esi], 0 //overwrite it with NULs: the TYPE value is now a C string
0040C75D EB 01 jmp short 0040C760
0040C75F 4E dec esi
0040C760 66:813E 0D0A cmp word ptr [esi], 0A0D //scan backwards for the CRLF before TYPE=
0040C765 ^ 75 F8 jnz short 0040C75F
0040C767 66:C706 0000 mov word ptr [esi], 0 //overwrite it too: the NAME value is now a C string
0040C76C BE 20FE4100 mov esi, 0041FE20 //back to the start of the buffer
0040C771 EB 01 jmp short 0040C774
0040C773 46 inc esi
0040C774 803E 3D cmp byte ptr [esi], 3D //scan forwards for the first '='
0040C777 ^ 75 FA jnz short 0040C773
0040C779 46 inc esi
0040C77A 8975 FC mov dword ptr [ebp-4], esi //[ebp-4] = pointer to the NAME value
0040C77D EB 01 jmp short 0040C780
0040C77F 46 inc esi
0040C780 803E 3D cmp byte ptr [esi], 3D //scan forwards for the next '='
0040C783 ^ 75 FA jnz short 0040C77F
0040C785 46 inc esi
0040C786 8975 F8 mov dword ptr [ebp-8], esi //[ebp-8] = pointer to the TYPE value
0040C789 68 04010000 push 104
0040C78E 68 B2F34100 push 0041F3B2
0040C793 E8 78D30000 call <jmp.&kernel32.RtlZeroMemory> //clear a 0x104-byte work buffer
0040C798 FF75 FC push dword ptr [ebp-4]
0040C79B 68 B2F34100 push 0041F3B2
0040C7A0 E8 A1D30000 call <jmp.&kernel32.lstrcat> //append NAME
0040C7A5 FF75 F8 push dword ptr [ebp-8]
0040C7A8 68 B2F34100 push 0041F3B2
0040C7AD E8 94D30000 call <jmp.&kernel32.lstrcat> //append TYPE: the buffer is now NAME+TYPE, e.g. "Smoke3"
0040C7B2 68 B2F34100 push 0041F3B2
0040C7B7 E8 9CD30000 call <jmp.&kernel32.lstrlen> //length of NAME+TYPE
0040C7BC 8BC8 mov ecx, eax //ecx = that length (loop counter)
0040C7BE B8 B2F34100 mov eax, 0041F3B2 //eax = pointer to NAME+TYPE
0040C7C3 33DB xor ebx, ebx //ebx = 0 (the running hash)
0040C7C5 99 cdq //edx = 0 (sign-extends the pointer in eax, which is positive)
0040C7C6 EB 09 jmp short 0040C7D1
0040C7C8 8A10 mov dl, byte ptr [eax] //algorithm: dl = next byte of NAME+TYPE ("Smoke3")
0040C7CA C1C3 07 rol ebx, 7 //rotate the hash left by 7 bits
0040C7CD 32DA xor bl, dl //xor the low byte of the hash with that byte
0040C7CF 40 inc eax //next byte
0040C7D0 49 dec ecx
0040C7D1 83F9 00 cmp ecx, 0
0040C7D4 ^ 77 F2 ja short 0040C7C8 //loop over every byte of NAME+TYPE
0040C7D6 C1CB 03 ror ebx, 3 //final rotate right by 3: ebx now holds the correct PASS value in the clear
0040C7D9 3B1D EEEB4100 cmp ebx, dword ptr [41EBEE] //compare it with the PASS value read from license.reg
0040C7DF 75 70 jnz short 0040C851 //equal: continue; different: jump to the failure path
0040C7E1 68 04010000 push 104
0040C7E6 68 B2F34100 push 0041F3B2
0040C7EB E8 20D30000 call <jmp.&kernel32.RtlZeroMemory> //clear the work buffer again
0040C7F0 FF75 FC push dword ptr [ebp-4]
0040C7F3 68 F8E04100 push 0041E0F8 ; 授权给:%s (Licensed to: %s)
0040C7F8 68 B2F34100 push 0041F3B2
0040C7FD E8 24D20000 call <jmp.&user32.wsprintfA> //format "Licensed to: <NAME>"
0040C802 83C4 0C add esp, 0C
0040C805 68 B2F34100 push 0041F3B2
0040C80A E8 201B0000 call 0040E32F //display it
0040C80F 8B45 F8 mov eax, dword ptr [ebp-8]
0040C812 0FB600 movzx eax, byte ptr [eax] //only the first character of the TYPE value is examined
0040C815 8945 F8 mov dword ptr [ebp-8], eax
0040C818 837D F8 31 cmp dword ptr [ebp-8], 31 //'1'
0040C81C 75 0F jnz short 0040C82D
0040C81E 68 16E14100 push 0041E116 ; 授权类型:个人版 (License type: Personal)
0040C823 E8 071B0000 call 0040E32F
0040C828 E9 82000000 jmp 0040C8AF
0040C82D 837D F8 32 cmp dword ptr [ebp-8], 32 //'2'
0040C831 75 0C jnz short 0040C83F
0040C833 68 28E14100 push 0041E128 ; 授权类型:开发版 (License type: Developer)
0040C838 E8 F21A0000 call 0040E32F
0040C83D EB 70 jmp short 0040C8AF
0040C83F 837D F8 33 cmp dword ptr [ebp-8], 33 //'3'
0040C843 75 6A jnz short 0040C8AF //any other TYPE character: no type line is shown, but the routine still returns normally
0040C845 68 3AE14100 push 0041E13A ; 授权类型:企业版 (License type: Enterprise)
0040C84A E8 E01A0000 call 0040E32F
0040C84F EB 5E jmp short 0040C8AF
0040C851 68 04E14100 push 0041E104 ; 授权给:非法拷贝 (Licensed to: illegal copy) //failure path: PASS mismatch
0040C856 E8 D41A0000 call 0040E32F
0040C85B 68 16E14100 push 0041E116 ; 授权类型:个人版 (License type: Personal)
0040C860 E8 CA1A0000 call 0040E32F
0040C865 6A 10 push 10
0040C867 68 18DA4100 push 0041DA18 ; 错误 (Error)
0040C86C 68 1DDA4100 push 0041DA1D ; 您的许可文件无效或已丢失,rlpack 将退出! (Your license file is invalid or missing, rlpack will exit!)
0040C871 6A 00 push 0
0040C873 E8 FCD10000 call <jmp.&user32.MessageBoxA>
0040C878 6A 00 push 0
0040C87A E8 3DD20000 call <jmp.&kernel32.ExitProcess>
0040C87F EB 2E jmp short 0040C8AF
0040C881 68 04E14100 push 0041E104 ; 授权给:非法拷贝 (Licensed to: illegal copy) //failure path: license.reg missing
0040C886 E8 A41A0000 call 0040E32F
0040C88B 68 16E14100 push 0041E116 ; 授权类型:个人版 (License type: Personal)
0040C890 E8 9A1A0000 call 0040E32F
0040C895 6A 10 push 10
0040C897 68 18DA4100 push 0041DA18 ; 错误 (Error)
0040C89C 68 1DDA4100 push 0041DA1D ; 您的许可文件无效或已丢失,rlpack 将退出! (Your license file is invalid or missing, rlpack will exit!)
0040C8A1 6A 00 push 0
0040C8A3 E8 CCD10000 call <jmp.&user32.MessageBoxA>
0040C8A8 6A 00 push 0
0040C8AA E8 0DD20000 call <jmp.&kernel32.ExitProcess>
0040C8AF 61 popad
0040C8B0 C9 leave
0040C8B1 C2 0400 retn 4
Our license.reg now contains
NAME=Smoke
TYPE=3
PASS=BBBF5E05
so the program reports itself as the Enterprise edition. (BBBF5E05 is exactly the value the loop above produces for the bytes "Smoke3": rol 7 / xor per byte, then ror 3.)
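The following keygen is an added example written for this article; it is not RLPack's code nor the original author's. It reimplements the loop at 0040C7C8-0040C7D6 (rol ebx,7 ; xor bl,dl over NAME+TYPE, then ror ebx,3), builds a license.reg in the exact layout the loader parses (CRLF line breaks, PASS= as the last line with no trailing newline, since the loader locates it by scanning backwards for the last '='), and mirrors the loader's parsing and comparison so a generated file can be checked offline. The function names, the hex-parsing assumption for sub 0040E356, and the ANSI (latin-1) byte encoding are my own assumptions. It also generalizes beyond the "Smoke3" case on the page to any NAME and TYPE.

```python
"""Keygen and checker for the RLPack 1.20 license.reg scheme analysed above.

Added example, not code from RLPack or from the article's author. Assumptions:
sub 0040E356 parses the PASS= value as plain hexadecimal, and lstrcat sees
the NAME/TYPE strings as single-byte ANSI (latin-1) text.
"""
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    """32-bit rotate left, the x86 `rol reg32, n`."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    """32-bit rotate right, the x86 `ror reg32, n`."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def rlpack_pass(name: str, lic_type: str) -> int:
    """Return the DWORD the loader compares against the PASS= value.

    The loader builds NAME+TYPE with lstrcat ("Smoke3" for the file on the
    page), then for every byte b:  ebx = rol(ebx, 7); bl ^= b
    and finally ebx = ror(ebx, 3).
    """
    data = (name + lic_type).encode("latin-1")  # assumption: raw ANSI bytes
    ebx = 0
    for b in data:
        ebx = rol32(ebx, 7)
        ebx ^= b  # `xor bl, dl`: b < 256, so only the low byte changes
    return ror32(ebx, 3)


def make_license(name: str, lic_type: str) -> bytes:
    """Build license.reg exactly as the loader expects it.

    PASS= must be the final line with no newline after it (the loader scans
    backwards from the end of the file for the last '=' to find the value),
    and the lines must be separated by CRLF (the loader zeroes the two CRLFs
    preceding PASS= to terminate the NAME and TYPE values).
    """
    if lic_type not in ("1", "2", "3"):
        # only the first character of TYPE is examined: '1'/'2'/'3'
        raise ValueError("loader only labels TYPE 1 (Personal), 2 (Developer), 3 (Enterprise)")
    pw = rlpack_pass(name, lic_type)
    return f"NAME={name}\r\nTYPE={lic_type}\r\nPASS={pw:08X}".encode("latin-1")


def check_license(blob: bytes) -> tuple[bool, str, str]:
    """Mirror the loader's parsing on a license.reg blob.

    Returns (valid, name, type_char); type_char is the single character the
    loader compares against '1', '2', '3'.
    """
    # 1. last '=' in the file -> PASS value (hex, via sub 0040E356)
    pass_pos = blob.rfind(b"=") + 1
    stored = int(blob[pass_pos:], 16)
    # 2. the two CRLFs before it are overwritten with NULs -> lines split there
    head = blob[:pass_pos]
    crlf_before_pass = head.rfind(b"\r\n")
    crlf_before_type = head.rfind(b"\r\n", 0, crlf_before_pass)
    # 3. first '=' -> NAME value, next '=' -> TYPE value
    name = head[head.find(b"=") + 1:crlf_before_type].decode("latin-1")
    type_line = head[crlf_before_type + 2:crlf_before_pass]
    lic_type = type_line[type_line.find(b"=") + 1:].decode("latin-1")
    return rlpack_pass(name, lic_type) == stored, name, lic_type[:1]


if __name__ == "__main__":
    import sys
    who = sys.argv[1] if len(sys.argv) > 1 else "Smoke"
    blob = make_license(who, "3")
    print(blob.decode("latin-1"))          # for "Smoke": PASS=BBBF5E05
    print("self-check:", check_license(blob))
```

Because the hash is a 32-bit rolling XOR with no secret, the check can be satisfied for any name without patching the binary; the jnz at 0040C7DF is only the fallback if you would rather NOP the comparison than carry a license file.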
--------------------------------------------------------------------------------
【Copyright notice】: This article was written by Smoke. If you repost it, please credit the author and keep the article intact. Thanks!
13 April 2011