此软件加的UPX壳,轻松脱之;脱完发现是Delphi写的东西,利用DeDe定位注册按钮事件,最终得知按钮事件地址为:00500234
接下来就慢慢看^_
00500234 55 PUSH EBP ; 按钮事件
00500235 8BEC MOV EBP,ESP
00500237 B9 49000000 MOV ECX,49
0050023C 6A 00 PUSH 0
0050023E 6A 00 PUSH 0
00500240 49 DEC ECX
00500241 ^ 75 F9 JNZ SHORT 0050023C
00500243 51 PUSH ECX
00500244 53 PUSH EBX
00500245 56 PUSH ESI
00500246 57 PUSH EDI
00500247 8BF2 MOV ESI,EDX
00500249 8BD8 MOV EBX,EAX
0050024B 33C0 XOR EAX,EAX
0050024D 55 PUSH EBP
0050024E 68 97065000 PUSH 00500697
00500253 64:FF30 PUSH DWORD PTR FS:[EAX]
00500256 64:8920 MOV DWORD PTR FS:[EAX],ESP
00500259 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
0050025C BA B0065000 MOV EDX,005006B0 ; ASCII "fdkfwefrweirjodfdsf_434"
00500261 E8 964DF0FF CALL 00404FFC
00500266 0F85 AA030000 JNZ 00500616
0050026C 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
00500272 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00500278 E8 ABE3F5FF CALL 0045E628 ; 获取假码
0050027D 83BD 20FEFFFF 0>CMP DWORD PTR SS:[EBP-1E0],0
00500284 0F84 8C030000 JE 00500616 ; 注册码为空?
0050028A 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00500290 50 PUSH EAX
00500291 8D95 18FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E8]
00500297 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0050029D E8 86E3F5FF CALL 0045E628
005002A2 8B85 18FEFFFF MOV EAX,DWORD PTR SS:[EBP-1E8]
005002A8 B9 02000000 MOV ECX,2
005002AD BA 01000000 MOV EDX,1
005002B2 E8 594EF0FF CALL 00405110
005002B7 8B85 1CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1E4]
005002BD BA D0065000 MOV EDX,005006D0 ; ASCII "36"
005002C2 E8 354DF0FF CALL 00404FFC ; 假码头两位与 36 比较,不等完蛋
005002C7 0F85 49030000 JNZ 00500616
005002CD 8D95 10FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F0]
005002D3 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
005002D9 E8 4AE3F5FF CALL 0045E628
005002DE 8B85 10FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F0]
005002E4 8D8D 14FEFFFF LEA ECX,DWORD PTR SS:[EBP-1EC]
005002EA BA 02000000 MOV EDX,2
005002EF E8 18F4FFFF CALL 004FF70C
005002F4 8B85 14FEFFFF MOV EAX,DWORD PTR SS:[EBP-1EC]
005002FA BA DC065000 MOV EDX,005006DC ; ASCII "94"
005002FF E8 F84CF0FF CALL 00404FFC ; 假码最后两位与94比较,不等完蛋
00500304 0F85 0C030000 JNZ 00500616
0050030A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0050030D 50 PUSH EAX
0050030E 8D95 0CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1F4]
00500314 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
0050031A E8 09E3F5FF CALL 0045E628
0050031F 8B85 0CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1F4]
00500325 B9 20000000 MOV ECX,20
0050032A BA 03000000 MOV EDX,3
0050032F E8 DC4DF0FF CALL 00405110 ; 从第三位起取假码32位
00500334 8D95 08FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F8]
0050033A 8BC3 MOV EAX,EBX
0050033C E8 33FEFFFF CALL 00500174 ; 关键call
00500341 8B95 08FEFFFF MOV EDX,DWORD PTR SS:[EBP-1F8] ; 真码中间部分出现
00500347 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 上面取的32位
0050034A E8 AD4CF0FF CALL 00404FFC ; 比较,不等则完蛋
0050034F 0F85 C1020000 JNZ 00500616
00500355 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00500358 E8 E7FAFFFF CALL 004FFE44
0050035D 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 机器码
00500360 E8 4B4BF0FF CALL 00404EB0
00500365 8BF0 MOV ESI,EAX
00500367 85F6 TEST ESI,ESI
00500369 7E 41 JLE SHORT 005003AC
0050036B BF 01000000 MOV EDI,1
00500370 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00500373 0FB64438 FF MOVZX EAX,BYTE PTR DS:[EAX+EDI-1]
00500378 05 F0000000 ADD EAX,0F0
0050037D 05 F0000000 ADD EAX,0F0
00500382 83E8 76 SUB EAX,76
00500385 05 AF000000 ADD EAX,0AF
0050038A 8D8D 04FEFFFF LEA ECX,DWORD PTR SS:[EBP-1FC]
00500390 BA 02000000 MOV EDX,2
00500395 E8 AA97F0FF CALL 00409B44
0050039A 8B95 04FEFFFF MOV EDX,DWORD PTR SS:[EBP-1FC]
005003A0 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005003A3 E8 104BF0FF CALL 00404EB8
005003A8 47 INC EDI
005003A9 4E DEC ESI
005003AA ^ 75 C4 JNZ SHORT 00500370
005003AC 8D95 F0FDFFFF LEA EDX,DWORD PTR SS:[EBP-210]
005003B2 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005003B5 E8 86F1FFFF CALL 004FF540
005003BA 8D85 F0FDFFFF LEA EAX,DWORD PTR SS:[EBP-210]
005003C0 8D95 00FEFFFF LEA EDX,DWORD PTR SS:[EBP-200]
005003C6 E8 E9F1FFFF CALL 004FF5B4
005003CB 8B85 00FEFFFF MOV EAX,DWORD PTR SS:[EBP-200]
005003D1 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005003D4 E8 1790F0FF CALL 004093F0
005003D9 8D95 E8FDFFFF LEA EDX,DWORD PTR SS:[EBP-218]
005003DF 33C0 XOR EAX,EAX
005003E1 E8 A227F0FF CALL 00402B88
005003E6 8B85 E8FDFFFF MOV EAX,DWORD PTR SS:[EBP-218]
005003EC 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
005003F2 E8 7D9CF0FF CALL 0040A074
005003F7 8B95 ECFDFFFF MOV EDX,DWORD PTR SS:[EBP-214]
005003FD 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00500400 B9 E8065000 MOV ECX,005006E8 ; ASCII "data\smsinfo"
00500405 E8 F24AF0FF CALL 00404EFC ; 软件把注册码中间32位保存在目录data文件夹下的xxxxxx文件中
0050040A 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0050040D E8 FA99F0FF CALL 00409E0C
00500412 E8 B19AF0FF CALL 00409EC8
00500417 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0050041A 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
00500420 E8 2F2BF0FF CALL 00402F54
00500425 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
0050042B E8 C028F0FF CALL 00402CF0
00500430 E8 5B25F0FF CALL 00402990
00500435 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00500438 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
0050043E E8 894EF0FF CALL 004052CC
00500443 E8 4833F0FF CALL 00403790
00500448 E8 4325F0FF CALL 00402990
0050044D 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
00500453 E8 AC2BF0FF CALL 00403004
00500458 E8 3325F0FF CALL 00402990
0050045D 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
00500463 E8 B42BF0FF CALL 0040301C
00500468 E8 2325F0FF CALL 00402990
0050046D 8D95 E0FDFFFF LEA EDX,DWORD PTR SS:[EBP-220]
00500473 B8 00075000 MOV EAX,00500700
00500478 E8 476AF0FF CALL 00406EC4
0050047D 8B95 E0FDFFFF MOV EDX,DWORD PTR SS:[EBP-220]
00500483 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C]
00500489 E8 EA49F0FF CALL 00404E78
0050048E 8B85 E4FDFFFF MOV EAX,DWORD PTR SS:[EBP-21C]
00500494 E8 5B7EF3FF CALL 004382F4
00500499 8D95 D8FDFFFF LEA EDX,DWORD PTR SS:[EBP-228]
0050049F 33C0 XOR EAX,EAX
005004A1 E8 E226F0FF CALL 00402B88
005004A6 8B85 D8FDFFFF MOV EAX,DWORD PTR SS:[EBP-228]
005004AC 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
005004B2 E8 BD9BF0FF CALL 0040A074
005004B7 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
005004BD BA 28075000 MOV EDX,00500728 ; ASCII "data\setup.ini"
005004C2 E8 F149F0FF CALL 00404EB8
005004C7 8B8D DCFDFFFF MOV ECX,DWORD PTR SS:[EBP-224]
005004CD B2 01 MOV DL,1
005004CF A1 3CBA4300 MOV EAX,DWORD PTR DS:[43BA3C]
005004D4 E8 13B6F3FF CALL 0043BAEC
跟进0050033C处的call:
00500174 55 PUSH EBP
00500175 8BEC MOV EBP,ESP
00500177 83C4 E4 ADD ESP,-1C
0050017A 53 PUSH EBX
0050017B 56 PUSH ESI
0050017C 57 PUSH EDI
0050017D 33C9 XOR ECX,ECX
0050017F 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00500182 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00500185 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00500188 8BFA MOV EDI,EDX
0050018A 33C0 XOR EAX,EAX
0050018C 55 PUSH EBP
0050018D 68 24025000 PUSH 00500224
00500192 64:FF30 PUSH DWORD PTR FS:[EAX]
00500195 64:8920 MOV DWORD PTR FS:[EAX],ESP
00500198 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0050019B E8 A4FCFFFF CALL 004FFE44 ; 算机器码
005001A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005001A3 E8 084DF0FF CALL 00404EB0
005001A8 8BD8 MOV EBX,EAX
005001AA 85DB TEST EBX,EBX
005001AC 7E 3B JLE SHORT 005001E9
005001AE BE 01000000 MOV ESI,1
005001B3 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
005001B6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 机器码送EAX
005001B9 0FB64430 FF MOVZX EAX,BYTE PTR DS:[EAX+ESI-1] ; 依次取机器码各位
005001BE 05 F0000000 ADD EAX,0F0
005001C3 05 F0000000 ADD EAX,0F0
005001C8 83E8 76 SUB EAX,76
005001CB 05 AF000000 ADD EAX,0AF ; 四步简单运算
005001D0 BA 02000000 MOV EDX,2
005001D5 E8 6A99F0FF CALL 00409B44
005001DA 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; 本次运算结果送EDX
005001DD 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] ; 上次结果
005001E0 E8 D34CF0FF CALL 00404EB8 ; 本次运算结果与上次结果连接
005001E5 46 INC ESI ; 指针+1
005001E6 4B DEC EBX
005001E7 ^ 75 CA JNZ SHORT 005001B3
005001E9 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
005001EC 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 上面循环得到结果放到EAX
005001EF E8 4CF3FFFF CALL 004FF540
005001F4 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
005001F7 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005001FA E8 B5F3FFFF CALL 004FF5B4 ; 对结果计算MD5散列
005001FF 8BD7 MOV EDX,EDI
00500201 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00500204 E8 E791F0FF CALL 004093F0 ; 变大写
00500209 33C0 XOR EAX,EAX
0050020B 5A POP EDX
0050020C 59 POP ECX
0050020D 59 POP ECX
0050020E 64:8910 MOV DWORD PTR FS:[EAX],EDX
00500211 68 2B025000 PUSH 0050022B
00500216 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00500219 BA 03000000 MOV EDX,3
0050021E E8 F149F0FF CALL 00404C14
00500223 C3 RETN
00500224 ^ E9 4742F0FF JMP 00404470
00500229 ^ EB EB JMP SHORT 00500216
0050022B 5F POP EDI
0050022C 5E POP ESI
0050022D 5B POP EBX
0050022E 8BE5 MOV ESP,EBP
00500230 5D POP EBP
00500231 C3 RETN
注册总结:很简单,程序首先比较注册码前两位(必须为36),然后比较最后两位(必须为94),最终比较中间的32位;其中中间的32位是关键:对机器码逐位循环运算得到一个字符串,再计算其MD5散列并转为大写,与中间的32位比较。
给个VB的注册机源码:
' Key generator reconstructed from the disassembly above (button handler at
' 00500234, helper at 00500174). From a defender's view the check is weak by
' construction: the "36"/"94" framing, the per-byte offset and the unkeyed hash
' the author identifies as MD5 are all fixed in the binary, so the expected key
' is a pure function of the machine code and involves no secret the client does
' not already hold.
' Assumed UI wiring (not shown here): Text1 holds the machine code, Text2
' receives the key. MD5() is not a VB6 builtin; it must come from a module that
' is not on this page.
Private Sub Command1_Click()
Dim Length As Integer
Dim I As Integer
Dim str As String      ' current character of the machine code
Dim sun As String      ' hex text of the transformed character (see note below)
Dim jieguo As String   ' concatenated hex string that is hashed
Length = Len(Trim(Text1.Text))
For I = 1 To Length
str = Mid(Trim(Text1.Text), I, 1)
sun = Asc(str)         ' NOTE(review): sun is declared As String but receives Asc()'s integer; the "+ 537" below relies on VB's implicit numeric coercion
sun = Hex(sun + 537) ' the four steps of the original routine (+0F0, +0F0, -76, +0AF at 005001BE..005001CB) folded into one: 240 + 240 - 118 + 175 = 537
jieguo = jieguo & sun  ' mirrors the per-iteration concatenation at 005001E0
Next I
' NOTE(review): the target uppercases its hash at 00500204 before the compare at 0050034A; whether this MD5() returns the same case is not visible here.
Text2.Text = "36" & MD5(jieguo) & "94"
End Sub
原创文章如转载,请注明:转载自Eddy Blog
原文地址:http://www.rrgod.com/technique/103.html 欢迎订阅Eddy Blog。