【原创】某软件算法分析

Eddy 发布于2009-11-14 22:5:16 分类: 技术心得

此软件加的是UPX壳,可以轻松脱掉;脱壳后发现是用Delphi写的程序,利用DeDe定位注册按钮事件,最终得知按钮事件地址为:00500234

接下来就慢慢看 ^_^

00500234    55              PUSH EBP                                 ; 按钮事件
00500235    8BEC            MOV EBP,ESP
00500237    B9 49000000     MOV ECX,49
0050023C    6A 00           PUSH 0
0050023E    6A 00           PUSH 0
00500240    49              DEC ECX
00500241  ^ 75 F9           JNZ SHORT 0050023C
00500243    51              PUSH ECX
00500244    53              PUSH EBX
00500245    56              PUSH ESI
00500246    57              PUSH EDI
00500247    8BF2            MOV ESI,EDX
00500249    8BD8            MOV EBX,EAX
0050024B    33C0            XOR EAX,EAX
0050024D    55              PUSH EBP
0050024E    68 97065000     PUSH 00500697
00500253    64:FF30         PUSH DWORD PTR FS:[EAX]
00500256    64:8920         MOV DWORD PTR FS:[EAX],ESP
00500259    8B46 08         MOV EAX,DWORD PTR DS:[ESI+8]
0050025C    BA B0065000     MOV EDX,005006B0                         ; ASCII "fdkfwefrweirjodfdsf_434"
00500261    E8 964DF0FF     CALL 00404FFC
00500266    0F85 AA030000   JNZ 00500616
0050026C    8D95 20FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E0]
00500272    8B83 FC020000   MOV EAX,DWORD PTR DS:[EBX+2FC]
00500278    E8 ABE3F5FF     CALL 0045E628                            ; 获取假码
0050027D    83BD 20FEFFFF 0>CMP DWORD PTR SS:[EBP-1E0],0
00500284    0F84 8C030000   JE 00500616                              ; 注册码为空?
0050028A    8D85 1CFEFFFF   LEA EAX,DWORD PTR SS:[EBP-1E4]
00500290    50              PUSH EAX
00500291    8D95 18FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E8]
00500297    8B83 FC020000   MOV EAX,DWORD PTR DS:[EBX+2FC]
0050029D    E8 86E3F5FF     CALL 0045E628
005002A2    8B85 18FEFFFF   MOV EAX,DWORD PTR SS:[EBP-1E8]
005002A8    B9 02000000     MOV ECX,2
005002AD    BA 01000000     MOV EDX,1
005002B2    E8 594EF0FF     CALL 00405110
005002B7    8B85 1CFEFFFF   MOV EAX,DWORD PTR SS:[EBP-1E4]
005002BD    BA D0065000     MOV EDX,005006D0                         ; ASCII "36"
005002C2    E8 354DF0FF     CALL 00404FFC                            ; 假码头两位与 36 比较,不等完蛋
005002C7    0F85 49030000   JNZ 00500616
005002CD    8D95 10FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1F0]
005002D3    8B83 FC020000   MOV EAX,DWORD PTR DS:[EBX+2FC]
005002D9    E8 4AE3F5FF     CALL 0045E628
005002DE    8B85 10FEFFFF   MOV EAX,DWORD PTR SS:[EBP-1F0]
005002E4    8D8D 14FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1EC]
005002EA    BA 02000000     MOV EDX,2
005002EF    E8 18F4FFFF     CALL 004FF70C
005002F4    8B85 14FEFFFF   MOV EAX,DWORD PTR SS:[EBP-1EC]
005002FA    BA DC065000     MOV EDX,005006DC                         ; ASCII "94"
005002FF    E8 F84CF0FF     CALL 00404FFC                            ; 假码最后两位与94比较,不等完蛋
00500304    0F85 0C030000   JNZ 00500616
0050030A    8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
0050030D    50              PUSH EAX
0050030E    8D95 0CFEFFFF   LEA EDX,DWORD PTR SS:[EBP-1F4]
00500314    8B83 FC020000   MOV EAX,DWORD PTR DS:[EBX+2FC]
0050031A    E8 09E3F5FF     CALL 0045E628
0050031F    8B85 0CFEFFFF   MOV EAX,DWORD PTR SS:[EBP-1F4]
00500325    B9 20000000     MOV ECX,20
0050032A    BA 03000000     MOV EDX,3
0050032F    E8 DC4DF0FF     CALL 00405110                            ; 从第三位起取假码32位
00500334    8D95 08FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1F8]
0050033A    8BC3            MOV EAX,EBX
0050033C    E8 33FEFFFF     CALL 00500174                            ; 关键call
00500341    8B95 08FEFFFF   MOV EDX,DWORD PTR SS:[EBP-1F8]           ; 真码中间部分出现
00500347    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]             ; 上面取的32位
0050034A    E8 AD4CF0FF     CALL 00404FFC                            ; 比较,不等则完蛋
0050034F    0F85 C1020000   JNZ 00500616
00500355    8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]
00500358    E8 E7FAFFFF     CALL 004FFE44
0050035D    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]             ; 机器码
00500360    E8 4B4BF0FF     CALL 00404EB0
00500365    8BF0            MOV ESI,EAX
00500367    85F6            TEST ESI,ESI
00500369    7E 41           JLE SHORT 005003AC
0050036B    BF 01000000     MOV EDI,1
00500370    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
00500373    0FB64438 FF     MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
00500378    05 F0000000     ADD EAX,0F0
0050037D    05 F0000000     ADD EAX,0F0
00500382    83E8 76         SUB EAX,76
00500385    05 AF000000     ADD EAX,0AF
0050038A    8D8D 04FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1FC]
00500390    BA 02000000     MOV EDX,2
00500395    E8 AA97F0FF     CALL 00409B44
0050039A    8B95 04FEFFFF   MOV EDX,DWORD PTR SS:[EBP-1FC]
005003A0    8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
005003A3    E8 104BF0FF     CALL 00404EB8
005003A8    47              INC EDI
005003A9    4E              DEC ESI
005003AA  ^ 75 C4           JNZ SHORT 00500370
005003AC    8D95 F0FDFFFF   LEA EDX,DWORD PTR SS:[EBP-210]
005003B2    8B45 F4         MOV EAX,DWORD PTR SS:[EBP-C]
005003B5    E8 86F1FFFF     CALL 004FF540
005003BA    8D85 F0FDFFFF   LEA EAX,DWORD PTR SS:[EBP-210]
005003C0    8D95 00FEFFFF   LEA EDX,DWORD PTR SS:[EBP-200]
005003C6    E8 E9F1FFFF     CALL 004FF5B4
005003CB    8B85 00FEFFFF   MOV EAX,DWORD PTR SS:[EBP-200]
005003D1    8D55 F8         LEA EDX,DWORD PTR SS:[EBP-8]
005003D4    E8 1790F0FF     CALL 004093F0
005003D9    8D95 E8FDFFFF   LEA EDX,DWORD PTR SS:[EBP-218]
005003DF    33C0            XOR EAX,EAX
005003E1    E8 A227F0FF     CALL 00402B88
005003E6    8B85 E8FDFFFF   MOV EAX,DWORD PTR SS:[EBP-218]
005003EC    8D95 ECFDFFFF   LEA EDX,DWORD PTR SS:[EBP-214]
005003F2    E8 7D9CF0FF     CALL 0040A074
005003F7    8B95 ECFDFFFF   MOV EDX,DWORD PTR SS:[EBP-214]
005003FD    8D45 F0         LEA EAX,DWORD PTR SS:[EBP-10]
00500400    B9 E8065000     MOV ECX,005006E8                         ; ASCII "data\smsinfo"
00500405    E8 F24AF0FF     CALL 00404EFC                                软件把注册码中间32位保存在目录data文件夹下的xxxxxx文件中
0050040A    8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
0050040D    E8 FA99F0FF     CALL 00409E0C
00500412    E8 B19AF0FF     CALL 00409EC8
00500417    8B55 F0         MOV EDX,DWORD PTR SS:[EBP-10]
0050041A    8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
00500420    E8 2F2BF0FF     CALL 00402F54
00500425    8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
0050042B    E8 C028F0FF     CALL 00402CF0
00500430    E8 5B25F0FF     CALL 00402990
00500435    8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]
00500438    8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
0050043E    E8 894EF0FF     CALL 004052CC
00500443    E8 4833F0FF     CALL 00403790
00500448    E8 4325F0FF     CALL 00402990
0050044D    8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
00500453    E8 AC2BF0FF     CALL 00403004
00500458    E8 3325F0FF     CALL 00402990
0050045D    8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
00500463    E8 B42BF0FF     CALL 0040301C
00500468    E8 2325F0FF     CALL 00402990
0050046D    8D95 E0FDFFFF   LEA EDX,DWORD PTR SS:[EBP-220]
00500473    B8 00075000     MOV EAX,00500700
00500478    E8 476AF0FF     CALL 00406EC4
0050047D    8B95 E0FDFFFF   MOV EDX,DWORD PTR SS:[EBP-220]
00500483    8D85 E4FDFFFF   LEA EAX,DWORD PTR SS:[EBP-21C]
00500489    E8 EA49F0FF     CALL 00404E78
0050048E    8B85 E4FDFFFF   MOV EAX,DWORD PTR SS:[EBP-21C]
00500494    E8 5B7EF3FF     CALL 004382F4
00500499    8D95 D8FDFFFF   LEA EDX,DWORD PTR SS:[EBP-228]
0050049F    33C0            XOR EAX,EAX
005004A1    E8 E226F0FF     CALL 00402B88
005004A6    8B85 D8FDFFFF   MOV EAX,DWORD PTR SS:[EBP-228]
005004AC    8D95 DCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-224]
005004B2    E8 BD9BF0FF     CALL 0040A074
005004B7    8D85 DCFDFFFF   LEA EAX,DWORD PTR SS:[EBP-224]
005004BD    BA 28075000     MOV EDX,00500728                         ; ASCII "data\setup.ini"
005004C2    E8 F149F0FF     CALL 00404EB8
005004C7    8B8D DCFDFFFF   MOV ECX,DWORD PTR SS:[EBP-224]
005004CD    B2 01           MOV DL,1
005004CF    A1 3CBA4300     MOV EAX,DWORD PTR DS:[43BA3C]
005004D4    E8 13B6F3FF     CALL 0043BAEC

跟进0050033C处的call:

00500174    55              PUSH EBP
00500175    8BEC            MOV EBP,ESP
00500177    83C4 E4         ADD ESP,-1C
0050017A    53              PUSH EBX
0050017B    56              PUSH ESI
0050017C    57              PUSH EDI
0050017D    33C9            XOR ECX,ECX
0050017F    894D F4         MOV DWORD PTR SS:[EBP-C],ECX
00500182    894D FC         MOV DWORD PTR SS:[EBP-4],ECX
00500185    894D F8         MOV DWORD PTR SS:[EBP-8],ECX
00500188    8BFA            MOV EDI,EDX
0050018A    33C0            XOR EAX,EAX
0050018C    55              PUSH EBP
0050018D    68 24025000     PUSH 00500224
00500192    64:FF30         PUSH DWORD PTR FS:[EAX]
00500195    64:8920         MOV DWORD PTR FS:[EAX],ESP
00500198    8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
0050019B    E8 A4FCFFFF     CALL 004FFE44                            ; 算机器码
005001A0    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
005001A3    E8 084DF0FF     CALL 00404EB0
005001A8    8BD8            MOV EBX,EAX
005001AA    85DB            TEST EBX,EBX
005001AC    7E 3B           JLE SHORT 005001E9
005001AE    BE 01000000     MOV ESI,1
005001B3    8D4D F4         LEA ECX,DWORD PTR SS:[EBP-C]
005001B6    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]             ; 机器码送EAX
005001B9    0FB64430 FF     MOVZX EAX,BYTE PTR DS:[EAX+ESI-1]        ; 依次取机器码各位
005001BE    05 F0000000     ADD EAX,0F0
005001C3    05 F0000000     ADD EAX,0F0
005001C8    83E8 76         SUB EAX,76
005001CB    05 AF000000     ADD EAX,0AF                              ; 四步简单运算
005001D0    BA 02000000     MOV EDX,2
005001D5    E8 6A99F0FF     CALL 00409B44
005001DA    8B55 F4         MOV EDX,DWORD PTR SS:[EBP-C]             ; 本次运算结果送EDX
005001DD    8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]             ; 上次结果
005001E0    E8 D34CF0FF     CALL 00404EB8                            ; 本次运算结果与上次结果连接
005001E5    46              INC ESI                                  ; 指针+1
005001E6    4B              DEC EBX
005001E7  ^ 75 CA           JNZ SHORT 005001B3
005001E9    8D55 E4         LEA EDX,DWORD PTR SS:[EBP-1C]
005001EC    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]             ; 上面循环得到结果放到EAX
005001EF    E8 4CF3FFFF     CALL 004FF540
005001F4    8D45 E4         LEA EAX,DWORD PTR SS:[EBP-1C]
005001F7    8D55 FC         LEA EDX,DWORD PTR SS:[EBP-4]
005001FA    E8 B5F3FFFF     CALL 004FF5B4                            ; 对结果进行MD5加密
005001FF    8BD7            MOV EDX,EDI
00500201    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
00500204    E8 E791F0FF     CALL 004093F0                            ; 变大写
00500209    33C0            XOR EAX,EAX
0050020B    5A              POP EDX
0050020C    59              POP ECX
0050020D    59              POP ECX
0050020E    64:8910         MOV DWORD PTR FS:[EAX],EDX
00500211    68 2B025000     PUSH 0050022B
00500216    8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
00500219    BA 03000000     MOV EDX,3
0050021E    E8 F149F0FF     CALL 00404C14
00500223    C3              RETN
00500224  ^ E9 4742F0FF     JMP 00404470
00500229  ^ EB EB           JMP SHORT 00500216
0050022B    5F              POP EDI
0050022C    5E              POP ESI
0050022D    5B              POP EBX
0050022E    8BE5            MOV ESP,EBP
00500230    5D              POP EBP
00500231    C3              RETN

注册总结:很简单,程序首先比较注册码前两位(必须为36),然后比较最后两位(必须为94),最后比较中间的32位;其中中间的32位是关键:对机器码逐字符做运算并拼接得到一个字符串,再对该字符串求MD5(这是散列而不是加密),将得到的32位十六进制结果与注册码中间的32位比较。

给个VB的注册机源码:

' Button handler: rebuilds the value the checked program expects from the
' machine code typed into Text1 and shows it in Text2.
' Layout mirrors the check traced above: fixed prefix "36", then the MD5 hex
' digest of the transformed machine code, then fixed suffix "94".
' NOTE(review): everything here is derived from the machine code alone with a
' constant offset and an unkeyed hash; that is exactly why the check is so easy
' to reproduce. A license scheme that wants to resist this needs a secret the
' client does not hold (e.g. a server-side signature), not a fixed transform.
' MD5() is not defined in this listing; presumably a helper returning the
' 32-character hex digest (the program compares 32 characters) - confirm.
Private Sub Command1_Click()
Dim Length As Integer
Dim I As Integer
Dim str As String
Dim sun As String           ' declared String but used numerically below; relies on VB's implicit conversion
Dim jieguo As String        ' accumulated hex string, one chunk per input character

Length = Len(Trim(Text1.Text))
For I = 1 To Length
str = Mid(Trim(Text1.Text), I, 1)   ' I-th character of the trimmed input
sun = Asc(str)                      ' its character code
' 537 = 0F0h + 0F0h - 76h + 0AFh, i.e. the four adds/subs of the traced loop folded into one step
sun = Hex(sun + 537)  'the original program's 4 steps are merged into one here
jieguo = jieguo & sun               ' append this chunk to the running string
Next I
Text2.Text = "36" & MD5(jieguo) & "94"
End Sub

原文地址:http://www.rrgod.com/technique/103.html     欢迎订阅Eddy Blog

