CW商业管理系统 之 算法&去暗桩分析
ASPack 2.11 -> Alexey Solodovnikov,脱之~修复下即可正常运行
MessageBoxA下断,算法分析如下:
;====================================================================|
006BA999 55 push ebp ; try-frame setup (Delphi style): save ebp, push the unwind entry, link into fs:[0]
006BA99A 68 CDAA6B00 push 006BAACD ; unwind entry (jmp 00404890, then back to the cleanup at 006BAABF)
006BA99F 64:FF30 push dword ptr fs:[eax] ; eax is 0 here: save the previous fs:[0]
006BA9A2 64:8920 mov dword ptr fs:[eax], esp ; fs:[0] = this frame
006BA9A5 8D55 F8 lea edx, dword ptr [ebp-8] ; out: string local [ebp-8]
006BA9A8 8B83 00030000 mov eax, dword ptr [ebx+300] ; first edit control (object at [ebx+300])
006BA9AE E8 59B2E8FF call 00545C0C ; read its text into [ebp-8]
006BA9B3 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "crack" (what the trace typed into the first box; presumably a name field)
006BA9B6 8D55 FC lea edx, dword ptr [ebp-4]
006BA9B9 E8 FEF4D4FF call 00409EBC ; string -> string into [ebp-4] (presumably a trim; the value is unchanged in the trace)
006BA9BE 837D FC 00 cmp dword ptr [ebp-4], 0 ; ASCII "crack" -- a nil string pointer means empty input
006BA9C2 75 2B jnz short 006BA9EF ; non-empty: go on to the serial check
006BA9C4 6A 40 push 40 ; 0x40 (MB_ICONINFORMATION, if this is the MessageBox flags argument)
006BA9C6 B9 DCAA6B00 mov ecx, 006BAADC ; caption
006BA9CB BA E4AA6B00 mov edx, 006BAAE4 ; text: empty-input complaint
006BA9D0 A1 1CDE7D00 mov eax, dword ptr [7DDE1C]
006BA9D5 8B00 mov eax, dword ptr [eax] ; receiver: global application-style object
006BA9D7 E8 88BDDBFF call 00476764 ; message-box wrapper (the write-up breaks here from MessageBoxA)
006BA9DC 8B83 00030000 mov eax, dword ptr [ebx+300]
006BA9E2 8B10 mov edx, dword ptr [eax]
006BA9E4 FF92 C0000000 call dword ptr [edx+C0] ; virtual call (vtable slot 0xC0) on the first edit control, presumably SetFocus
006BA9EA E9 C3000000 jmp 006BAAB2 ; common exit
006BA9EF A1 101A7E00 mov eax, dword ptr [7E1A10] ; global: machine code
006BA9F4 50 push eax ; ASCII "015122-D01A31AF" -- 2nd argument of the check
006BA9F5 8D55 F4 lea edx, dword ptr [ebp-C]
006BA9F8 8B83 08030000 mov eax, dword ptr [ebx+308] ; second edit control: the serial
006BA9FE E8 09B2E8FF call 00545C0C ; read its text into [ebp-C]
006BAA03 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592" -- serial as typed, 1st argument
006BAA06 50 push eax
006BAA07 E8 A43E0000 call 006BE8B0 ; KEY CALL: serial check; lands at 00E33DD8 (listing below), returns al = 1 on success
006BAA0C 84C0 test al, al
006BAA0E 0F84 86000000 je 006BAA9A ; rejected -> failure message
;---------------------------|
006BAA14 8D55 EC lea edx, dword ptr [ebp-14]
006BAA17 8B83 08030000 mov eax, dword ptr [ebx+308]
006BAA1D E8 EAB1E8FF call 00545C0C ; re-read the serial into [ebp-14]
006BAA22 8B45 EC mov eax, dword ptr [ebp-14]
006BAA25 8D55 F0 lea edx, dword ptr [ebp-10]
006BAA28 E8 8FF4D4FF call 00409EBC ; normalise into [ebp-10]
006BAA2D 8B45 F0 mov eax, dword ptr [ebp-10]
006BAA30 50 push eax ; serial
006BAA31 A1 101A7E00 mov eax, dword ptr [7E1A10]
006BAA36 50 push eax ; machine code
006BAA37 68 FCAA6B00 push 006BAAFC ; ASCII "djb" -- registry name; the start-up check reads it back via getregposl
006BAA3C E8 773E0000 call 006BE8B8 ; thunk to regdll.WriteRegistry: persists (djb, machine code, serial)
006BAA41 8D55 E4 lea edx, dword ptr [ebp-1C]
006BAA44 8B83 08030000 mov eax, dword ptr [ebx+308]
006BAA4A E8 BDB1E8FF call 00545C0C ; serial again -> [ebp-1C]
006BAA4F 8B45 E4 mov eax, dword ptr [ebp-1C]
006BAA52 8D55 E8 lea edx, dword ptr [ebp-18]
006BAA55 E8 62F4D4FF call 00409EBC ; normalise -> [ebp-18]
006BAA5A 8B45 E8 mov eax, dword ptr [ebp-18]
006BAA5D 50 push eax ; serial, popped into edx below
006BAA5E 8D55 DC lea edx, dword ptr [ebp-24]
006BAA61 8B83 00030000 mov eax, dword ptr [ebx+300]
006BAA67 E8 A0B1E8FF call 00545C0C ; first box text -> [ebp-24]
006BAA6C 8B45 DC mov eax, dword ptr [ebp-24]
006BAA6F 8D55 E0 lea edx, dword ptr [ebp-20]
006BAA72 E8 45F4D4FF call 00409EBC ; normalise -> [ebp-20]
006BAA77 8B45 E0 mov eax, dword ptr [ebp-20] ; eax = first box text
006BAA7A 5A pop edx ; edx = serial
006BAA7B E8 686F0000 call 006C19E8 ; not traced in the write-up; takes both entered strings -- TODO identify
006BAA80 6A 40 push 40 ; 0x40 again (MB_ICONINFORMATION)
006BAA82 B9 DCAA6B00 mov ecx, 006BAADC
006BAA87 BA 00AB6B00 mov edx, 006BAB00 ; text: registration succeeded
006BAA8C A1 1CDE7D00 mov eax, dword ptr [7DDE1C]
006BAA91 8B00 mov eax, dword ptr [eax]
006BAA93 E8 CCBCDBFF call 00476764 ; success message (the app then asks for a restart, per the write-up)
006BAA98 EB 18 jmp short 006BAAB2
006BAA9A 6A 40 push 40
006BAA9C B9 DCAA6B00 mov ecx, 006BAADC
006BAAA1 BA 20AB6B00 mov edx, 006BAB20 ; text: registration failed
006BAAA6 A1 1CDE7D00 mov eax, dword ptr [7DDE1C]
006BAAAB 8B00 mov eax, dword ptr [eax]
006BAAAD E8 B2BCDBFF call 00476764 ; registration-failed message
006BAAB2 33C0 xor eax, eax ; common exit: unlink the fs:[0] frame
006BAAB4 5A pop edx
006BAAB5 59 pop ecx
006BAAB6 59 pop ecx
006BAAB7 64:8910 mov dword ptr fs:[eax], edx
006BAABA 68 D4AA6B00 push 006BAAD4 ; continuation after the cleanup
006BAABF 8D45 DC lea eax, dword ptr [ebp-24]
006BAAC2 BA 09000000 mov edx, 9 ; 9 string locals: [ebp-24] .. [ebp-4]
006BAAC7 E8 44A5D4FF call 00405010 ; release them (presumably the runtime's string finaliser)
006BAACC C3 retn ; "returns" to 006BAAD4
006BAACD ^ E9 BE9DD4FF jmp 00404890 ; unwind entry for the frame pushed at 006BA99A
006BAAD2 ^ EB EB jmp short 006BAABF
006BAAD4 5B pop ebx
006BAAD5 8BE5 mov esp, ebp
006BAAD7 5D pop ebp
006BAAD8 C3 retn
;====================================================================|
;在地址006BAA07处跟进关键CALL->006BE8B0
;====================================================================|
00E33DD8 > 55 push ebp ; check(serial, machine code): returns al = 1 when they match; reached through the thunk at 006BE8B0
00E33DD9 8BEC mov ebp, esp
00E33DDB 33C9 xor ecx, ecx
00E33DDD 51 push ecx ; four zeroed string locals: [ebp-4] .. [ebp-10]
00E33DDE 51 push ecx
00E33DDF 51 push ecx
00E33DE0 51 push ecx
00E33DE1 53 push ebx ; ebx will hold the result flag
00E33DE2 33C0 xor eax, eax ; eax = 0 for the fs:[0] frame
00E33DE4 55 push ebp
00E33DE5 68 673EE300 push 00E33E67 ; unwind entry
00E33DEA 64:FF30 push dword ptr fs:[eax]
00E33DED 64:8920 mov dword ptr fs:[eax], esp
00E33DF0 8D45 F8 lea eax, dword ptr [ebp-8]
00E33DF3 8B55 08 mov edx, dword ptr [ebp+8] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592" -- arg 1: serial
00E33DF6 E8 0507FBFF call 00DE4500 ; string assign: [ebp-8] = serial
00E33DFB 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592"
00E33DFE 66:BA 7200 mov dx, 72 ; dx = 0x72: initial 16-bit key
00E33E02 E8 79080000 call 00E34680 ; transform(serial, key) -> eax (listing below)
00E33E07 8BD0 mov edx, eax ; eax=021C28A4: the transformed bytes y
00E33E09 8D45 FC lea eax, dword ptr [ebp-4]
00E33E0C E8 EF06FBFF call 00DE4500 ; [ebp-4] = y
00E33E11 8D45 F4 lea eax, dword ptr [ebp-C]
00E33E14 8B55 0C mov edx, dword ptr [ebp+C] ; ASCII "015122-D01A31AF" -- arg 2: machine code
00E33E17 E8 E406FBFF call 00DE4500 ; [ebp-C] = machine code
00E33E1C 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII "015122-D01A31AF"
00E33E1F 50 push eax ; eax=021C203C, (ASCII "015122-D01A31AF") -- kept for the compare at 00E33E3F
00E33E20 8D45 F0 lea eax, dword ptr [ebp-10] ; stack address 0012F25C: destination for the substring
00E33E23 50 push eax
00E33E24 8B45 FC mov eax, dword ptr [ebp-4] ; y
00E33E27 E8 9C07FBFF call 00DE45C8 ; length of y
00E33E2C 8BC8 mov ecx, eax ; count (trace: 8)
00E33E2E BA 04000000 mov edx, 4 ; start index 4 (1-based)
00E33E33 8B45 FC mov eax, dword ptr [ebp-4] ; y
00E33E36 E8 E509FBFF call 00DE4820 ; substring from index 4 -> [ebp-10]: the first 3 bytes of y are discarded
00E33E3B 8B55 F0 mov edx, dword ptr [ebp-10] ; edx = y[3..]
00E33E3E 58 pop eax ; ASCII "015122-D01A31AF" -- machine code
;-----------|
变后:021C2A3C 0D 4D 53 CB B7 C0 0F 9B B4 7A 0E E8 25 F9 52 00 .MS朔?洿z?鵕.
正解:021C203C 30 31 35 31 32 32 2D 44 30 31 41 33 31 41 46 00 015122-D01A31AF.
;-----------|
00E33E3F E8 C808FBFF call 00DE470C ; string compare (sets ZF): a plain byte-wise equality test, no hashing
00E33E44 74 04 je short 00E33E4A ; equal -> accepted; the fall-through rejects the serial
00E33E46 33DB xor ebx, ebx ; result = 0
00E33E48 EB 02 jmp short 00E33E4C
00E33E4A B3 01 mov bl, 1 ; result = 1
00E33E4C 33C0 xor eax, eax ; unlink the fs:[0] frame
00E33E4E 5A pop edx
00E33E4F 59 pop ecx
00E33E50 59 pop ecx
00E33E51 64:8910 mov dword ptr fs:[eax], edx
00E33E54 68 6E3EE300 push 00E33E6E ; continuation after the cleanup
00E33E59 8D45 F0 lea eax, dword ptr [ebp-10]
00E33E5C BA 04000000 mov edx, 4 ; release the 4 string locals
00E33E61 E8 CE04FBFF call 00DE4334
00E33E66 C3 retn ; "returns" to 00E33E6E
00E33E67 ^ E9 44FEFAFF jmp 00DE3CB0 ; unwind entry
00E33E6C ^ EB EB jmp short 00E33E59
00E33E6E 8BC3 mov eax, ebx ; return the flag; the caller tests al
00E33E70 5B pop ebx
00E33E71 8BE5 mov esp, ebp
00E33E73 5D pop ebp
00E33E74 C2 0800 retn 8 ; pops the two pointer arguments
;====================================================================|
;在地址00E33E02处跟进CALL->00E34680
;--------------------------------------------------------------------|
00E34680 55 push ebp ; transform(eax = serial, dx = 16-bit key) -> eax = result string object
00E34681 8BEC mov ebp, esp
00E34683 83C4 EC add esp, -14 ; 5 dword locals
00E34686 53 push ebx
00E34687 56 push esi
00E34688 57 push edi
00E34689 33C9 xor ecx, ecx
00E3468B 894D EC mov dword ptr [ebp-14], ecx ; [ebp-14]: one-char temp string
00E3468E 894D F0 mov dword ptr [ebp-10], ecx ; [ebp-10]: output string
00E34691 8BFA mov edi, edx ; edx=00000072 -- key; only the low 16 bits (di) are ever used
00E34693 8945 FC mov dword ptr [ebp-4], eax ; ASCII ASCII "9876543210abcdef2468013579fedcba0592" -- input
00E34696 8B45 FC mov eax, dword ptr [ebp-4]
00E34699 E8 1201FBFF call 00DE47B0 ; string helper on the input (likely reference bookkeeping; not traced)
00E3469E 33C0 xor eax, eax ; eax = 0 for the fs:[0] frame
00E346A0 55 push ebp
00E346A1 68 9447E300 push 00E34794 ; unwind entry
00E346A6 64:FF30 push dword ptr fs:[eax]
00E346A9 64:8920 mov dword ptr fs:[eax], esp
00E346AC B8 50000000 mov eax, 50 ; 0x50: size of the result object
00E346B1 E8 CA43FBFF call 00DE8A80 ; allocate it
00E346B6 8945 F8 mov dword ptr [ebp-8], eax ; eax=021C27F4
00E346B9 8B45 FC mov eax, dword ptr [ebp-4] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592"
00E346BC E8 07FFFAFF call 00DE45C8 ; string length
00E346C1 8BF0 mov esi, eax ; eax=00000010 (trace value; the 36-char input shown decodes to 18 bytes in the dump below, so this looks stale)
00E346C3 D1FE sar esi, 1 ; esi = len / 2 = number of letter pairs (an odd trailing char is ignored)
00E346C5 79 03 jns short 00E346CA ; (taken) negative-length rounding fix
00E346C7 83D6 00 adc esi, 0
00E346CA 85F6 test esi, esi
00E346CC 7E 42 jle short 00E34710 ; (not taken) no pairs: skip the decode loop
00E346CE BB 01000000 mov ebx, 1 ; ebx = pair index k, 1-based
;---------------------------|
00E346D3 8BC3 mov eax, ebx ; decode loop: x[k] = (sn[2k-2]-'A')*26 + (sn[2k-1]-'A'), low byte
00E346D5 03C0 add eax, eax ; eax = 2k
00E346D7 8B55 FC mov edx, dword ptr [ebp-4] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592"
00E346DA 0FB65402 FE movzx edx, byte ptr [edx+eax-2] ; first letter of the pair (trace: '9')
00E346DF 83EA 41 sub edx, 41 ; - 'A'
00E346E2 6BD2 1A imul edx, edx, 1A ; * 26: base-26 high digit
00E346E5 8955 F4 mov dword ptr [ebp-C], edx
00E346E8 8B55 FC mov edx, dword ptr [ebp-4] ; ASCII ASCII "9876543210abcdef2468013579fedcba0592"
00E346EB 0FB64402 FF movzx eax, byte ptr [edx+eax-1] ; second letter (trace: '8')
00E346F0 83E8 41 sub eax, 41 ; - 'A'; neither letter is range-checked
00E346F3 0145 F4 add dword ptr [ebp-C], eax ; [ebp-C] = full 32-bit value
00E346F6 8D45 EC lea eax, dword ptr [ebp-14]
00E346F9 8A55 F4 mov dl, byte ptr [ebp-C] ; low byte only (trace: 0x27) -- x[k] is truncated to 8 bits
00E346FC E8 EFFDFAFF call 00DE44F0 ; [ebp-14] = one-char string of dl
00E34701 8B55 EC mov edx, dword ptr [ebp-14]
00E34704 8D45 F0 lea eax, dword ptr [ebp-10]
00E34707 E8 C4FEFAFF call 00DE45D0 ; append it to the output string
00E3470C 43 inc ebx
00E3470D 4E dec esi
00E3470E ^ 75 C3 jnz short 00E346D3 ; next pair
;---------------------------|
00E34710 8D45 FC lea eax, dword ptr [ebp-4] ; [ebp-4] (held the serial)
00E34713 8B55 F0 mov edx, dword ptr [ebp-10] ; decoded bytes x
;------|
021C2A4C 27 F1 BB 85 4F 61 97 CD 6D D9 36 88 F4 E6 B0 7A '窕匫a椡m?堲姘z
021C2A5C 3A 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :!..............
;------|
00E34716 E8 8DFCFAFF call 00DE43A8 ; [ebp-4] := x (string assign)
00E3471B 8B45 FC mov eax, dword ptr [ebp-4] ; x
00E3471E E8 A5FEFAFF call 00DE45C8 ; length
00E34723 8BF0 mov esi, eax
00E34725 85F6 test esi, esi
00E34727 7E 3A jle short 00E34763
00E34729 BB 01000000 mov ebx, 1 ; ebx = byte index k, 1-based; di is still 0x72 here
;---------------------------|
00E3472E 8D45 F0 lea eax, dword ptr [ebp-10] ; keystream loop: output string
00E34731 E8 E200FBFF call 00DE4818 ; make it writable; eax = its buffer
00E34736 8B55 FC mov edx, dword ptr [ebp-4] ; x
00E34739 8A541A FF mov dl, byte ptr [edx+ebx-1] ; ds:[021C2860]=27 (''') -- dl = x[k]
00E3473D 0FB7CF movzx ecx, di
00E34740 C1E9 08 shr ecx, 8 ; ecx = di >> 8: high key byte
00E34743 32D1 xor dl, cl ; y[k] = x[k] ^ (di >> 8)
00E34745 885418 FF mov byte ptr [eax+ebx-1], dl ; store y[k]
00E34749 8B45 FC mov eax, dword ptr [ebp-4]
00E3474C 0FB64418 FF movzx eax, byte ptr [eax+ebx-1] ; ds:[021C2860]=27 (''') -- reload x[k] (the input byte, not y[k])
00E34751 66:03F8 add di, ax ; di += x[k] (16-bit)
00E34754 66:69C7 0404 imul ax, di, 404 ; ax = di * 0x404 (16-bit)
00E34759 66:05 9E03 add ax, 39E ; ax += 0x39E
00E3475D 8BF8 mov edi, eax ; di = ((di + x[k]) * 0x404 + 0x39E) & 0xFFFF
00E3475F 43 inc ebx
00E34760 4E dec esi
00E34761 ^ 75 CB jnz short 00E3472E ; next byte
;---------------------------|
00E34763 8B55 F0 mov edx, dword ptr [ebp-10] ; transformed bytes y
00E34766 8B45 F8 mov eax, dword ptr [ebp-8] ; result object
;------|
021C2620 27 9B C0 0D 4D 53 CB B7 C0 0F 9B B4 7A 0E E8 25 '浝.MS朔?洿z?
021C2630 F9 52 00 00 5A 00 00 00 54 00 00 00 27 9B C0 0D 鵕..Z...T...'浝.
;------|
00E34769 E8 B241FBFF call 00DE8920 ; store y into the result object
00E3476E 8945 F8 mov dword ptr [ebp-8], eax
00E34771 33C0 xor eax, eax ; unlink the fs:[0] frame
00E34773 5A pop edx
00E34774 59 pop ecx
00E34775 59 pop ecx
00E34776 64:8910 mov dword ptr fs:[eax], edx
00E34779 68 9B47E300 push 00E3479B ; continuation after the cleanup
00E3477E 8D45 EC lea eax, dword ptr [ebp-14]
00E34781 BA 02000000 mov edx, 2 ; release the 2 string locals [ebp-14], [ebp-10]
00E34786 E8 A9FBFAFF call 00DE4334
00E3478B 8D45 FC lea eax, dword ptr [ebp-4]
00E3478E E8 7DFBFAFF call 00DE4310 ; release [ebp-4]
00E34793 C3 retn ; "returns" to 00E3479B
00E34794 ^ E9 17F5FAFF jmp 00DE3CB0 ; unwind entry
00E34799 ^ EB E3 jmp short 00E3477E
00E3479B 8B45 F8 mov eax, dword ptr [ebp-8] ; return the result object
00E3479E 5F pop edi
00E3479F 5E pop esi
00E347A0 5B pop ebx
00E347A1 8BE5 mov esp, ebp
00E347A3 5D pop ebp
00E347A4 C3 retn ; back to 00E33E07
;====================================================================|
算法小结:
序列号sn长度需36位: 18 对字母, 每对解码成一个字节(00E346C3 处按 len/2 取对数, 多出的第 37 个字符会被忽略); 变换后去掉前 3 字节, 剩下的 15 字节须与机器码逐字节相等
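/*
 * Serial check of the CW system, reconstructed from the listings above
 * (00E33DD8 = check, 00E34680 = transform).
 *
 * Serial format: 36 letters = 18 two-letter groups. Each group is read as a
 * base-26 pair with 'A' = 0 and truncated to one byte (00E346D3..00E346F9):
 *     x[k] = ((sn[2k] - 'A') * 26 + (sn[2k+1] - 'A')) & 0xFF
 * Neither letter is range-checked, so any pair with the same low byte is
 * accepted ("Ei" and "FO" both give 0x90).
 *
 * The 18 bytes then go through a 16-bit keystream seeded with 0x72
 * (00E3472E..00E3475D; the key lives in DI, so it is truncated to 16 bits):
 *     y[k] = x[k] ^ (di >> 8)
 *     di   = ((di + x[k]) * 0x404 + 0x39E) & 0xFFFF
 *
 * Finally y[3..17] (substring from index 4 at 00E33E36) must equal the
 * machine code (compare at 00E33E3F; assumed to be an exact byte compare --
 * the trace only shows the equal/not-equal outcome).
 *
 * Defender's note: the key is a constant and the transform is invertible, so
 * anyone with the binary can derive a serial for any machine code, and the
 * first three serial bytes are free. The original pseudo-code had three
 * defects fixed here: the loop indexed x[k] with sn[k] instead of sn[2k],
 * used `^` as exponentiation, and updated `edi` without the 16-bit mask.
 */
#define CW_SN_LEN   36                      /* 18 letter pairs */
#define CW_PAIRS    (CW_SN_LEN / 2)
#define CW_SKIP     3                       /* leading y bytes discarded */
#define CW_MC_LEN   (CW_PAIRS - CW_SKIP)    /* 15-byte machine code */
#define CW_KEY_INIT 0x72u
#define CW_KEY_MUL  0x404u
#define CW_KEY_ADD  0x39Eu

/* One letter pair -> byte, with the same 32-bit wrap and low-byte truncation
 * as 00E346D3..00E346F9. */
static unsigned char cw_decode_pair(unsigned char hi, unsigned char lo)
{
    return (unsigned char)(((hi - 0x41u) * 0x1Au) + (lo - 0x41u));
}

/* Advance the 16-bit key register (00E34751..00E3475D). */
static unsigned cw_key_step(unsigned di, unsigned char x)
{
    return (((di + x) & 0xFFFFu) * CW_KEY_MUL + CW_KEY_ADD) & 0xFFFFu;
}

/* Decode the 36-letter serial into x[0..17]. Returns 0 on a wrong length
 * (the binary itself only rounds the length down to pairs, so a 37th
 * character would be ignored there; this reconstruction insists on 36). */
static int cw_decode(const char *sn, unsigned char x[CW_PAIRS])
{
    size_t k;

    if (sn == NULL || strlen(sn) != CW_SN_LEN)
        return 0;
    for (k = 0; k < CW_PAIRS; k++)
        x[k] = cw_decode_pair((unsigned char)sn[2 * k],
                              (unsigned char)sn[2 * k + 1]);
    return 1;
}

/* Run the keystream over x, producing y (00E3472E..00E34761). */
static void cw_transform(const unsigned char x[CW_PAIRS],
                         unsigned char y[CW_PAIRS])
{
    unsigned di = CW_KEY_INIT;
    size_t k;

    for (k = 0; k < CW_PAIRS; k++) {
        y[k] = (unsigned char)(x[k] ^ (di >> 8));
        di = cw_key_step(di, x[k]);
    }
}

/*
 * Emulates the check at 00E33DD8.
 *   sn           36-letter serial as typed
 *   machine_code 15-char machine code (e.g. "015122-D01A31AF")
 * Returns 1 when the serial registers the machine code, 0 otherwise
 * (including NULL or wrong-length inputs).
 */
int cw_check(const char *sn, const char *machine_code)
{
    unsigned char x[CW_PAIRS], y[CW_PAIRS];

    if (machine_code == NULL || strlen(machine_code) != CW_MC_LEN)
        return 0;
    if (!cw_decode(sn, x))
        return 0;
    cw_transform(x, y);
    return memcmp(y + CW_SKIP, machine_code, CW_MC_LEN) == 0;
}

/*
 * Keygen: inverts the transform for a 15-char machine code.
 *   machine_code 15-char machine code
 *   out          receives 36 letters plus NUL; must hold CW_SN_LEN + 1 bytes
 * The three discarded leading bytes are fixed to '0', as in the worked
 * example above. Pairs are emitted in canonical form (hi = x / 26,
 * lo = x % 26), so the example's "Ei" comes out as the equivalent "FO".
 * Returns 1 on success, 0 on NULL or wrong-length input.
 */
int cw_keygen(const char *machine_code, char out[CW_SN_LEN + 1])
{
    unsigned char y[CW_PAIRS];
    unsigned di = CW_KEY_INIT;
    size_t k;

    if (machine_code == NULL || out == NULL ||
        strlen(machine_code) != CW_MC_LEN)
        return 0;

    memset(y, '0', CW_SKIP);
    memcpy(y + CW_SKIP, machine_code, CW_MC_LEN);

    for (k = 0; k < CW_PAIRS; k++) {
        /* y = x ^ (di >> 8)  <=>  x = y ^ (di >> 8); the key update only
         * depends on x, so the chain can be rebuilt forwards. */
        unsigned char x = (unsigned char)(y[k] ^ (di >> 8));
        out[2 * k]     = (char)('A' + x / 26);
        out[2 * k + 1] = (char)('A' + x % 26);
        di = cw_key_step(di, x);
    }
    out[CW_SN_LEN] = '\0';
    return 1;
}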
由于判断注册正确与否的代码段是动态生成的(至少不在主程序映像里: 006BE8B0 只是跳转桩, 实际落在 00E3xxxx 段; 同组的 006BE8B8 桩指向 regdll.WriteRegistry, 可推测校验也在另行加载的 regdll 模块中, 加载地址不固定), 所以还无法静态打文件补丁:(
;--------------------------------------------------------------------|
算号~~~
机器码:015122-D01A31AF
di = ((di + x[k]) * 0x404 + 0x39E) & 0xFFFF; // 只保留低 16 位(DI 寄存器); 下一轮异或用的是 di >> 8
y[0] = 30
x[0] = 30 = BW
di = 8E26
8E
y[1] = 30
x[1] = BE = HI
di = CF2E
CF
y[2] = 30
x[2] = FF = JV
di = F852
F8
y[3] = 30
x[3] = C8 = HS
di = 5006
50
y[4] = 31
x[4] = 61 = DT
di = E13A
E1
y[5] = 35
x[5] = D4 = IE
di = C3D6
C3
y[6] = 31
x[6] = F2 = JI
di = 36BE
36
y[7] = 32
x[7] = 4 = AE
di = E6A6
E6
y[8] = 32
x[8] = D4 = IE
di = 8986
89
y[9] = 2D
x[9] = A4 = GI
di = D446
D4
y[10] = 44
x[10] = 90 = Ei (非规范写法: 解码不检查字母范围, 'i'-0x41=40, 4*26+40=0x90; 规范写法为 FO, 5*26+14=0x90, 两者等价)
di = AEF6
AE
y[11] = 30
x[11] = 9E = GC
di = 11EE
11
y[12] = 31
x[12] = 20 = BG
di = 83D6
83
y[13] = 41
x[13] = C2 = HM
di = 75FE
75
y[14] = 33
x[14] = 46 = CS
di = ECAE
EC
y[15] = 31
x[15] = DD = IN
di = E5CA
E5
y[16] = 41
x[16] = A4 = GI
di = 5556
55
y[17] = 46
x[17] = 13 = AT
di = F6F6
序列号:BWHIJVHSDTIEJIAEIEGIEiGCBGHMCSINGIAT (第 11 对 Ei 也可写成 FO, 即 BWHIJVHSDTIEJIAEIEGIFOGCBGHMCSINGIAT; 前 3 个字节被丢弃, 所以前 6 个字母可任选, 只是后面的 di 链要相应重算)
输入序列号,程序提示注册成功,提示重启
让咱重启就重启,好家伙嘛
刚一登录就提示:
谢谢您对我们软件的认可,请尽快和我公司联系注册事宜!(tel:********)
之后,程序一闪退出
晕死,算了半天的号就白算了吗?我不服输,去校验
同样,bp MessageBoxA下断,再两次CTRL+F9,来到如下代码
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
006BC0BD . E8 868FD9FF call 00455048
006BC0C2 . E9 94000000 jmp 006BC15B
006BC0C7 > 33C0 xor eax, eax
006BC0C9 . 55 push ebp
006BC0CA . 68 20C16B00 push 006BC120
006BC0CF . 64:FF30 push dword ptr fs:[eax]
006BC0D2 . 64:8920 mov dword ptr fs:[eax], esp
006BC0D5 . 68 88D86B00 push 006BD888 ; ASCII "djb"
006BC0DA . E8 01280000 call <jmp.®dll.getregposl>
006BC0DF . 48 dec eax
006BC0E0 . 74 34 je short 006BC116
006BC0E2 . 68 10100000 push 1010
006BC0E7 . B9 34D86B00 mov ecx, 006BD834
006BC0EC . BA 3CD86B00 mov edx, 006BD83C
006BC0F1 . A1 1CDE7D00 mov eax, dword ptr [7DDE1C]
006BC0F6 . 8B00 mov eax, dword ptr [eax]
006BC0F8 . E8 67A6DBFF call 00476764
006BC0FD . A1 1CDE7D00 mov eax, dword ptr [7DDE1C] ; //停在这
006BC102 . 8B00 mov eax, dword ptr [eax]
在地址006BC0F8处应该是弹出对话框咯(push 1010, 即 MB_ICONERROR|MB_SYSTEMMODAL); 上面 006BC0E0 的 je 原本只在 getregposl("djb") 返回 1 (dec eax 后为 0) 时才跳过该提示, 把它修改为 jmp 后就不再看注册表里的记录, 无条件跳过~ OD保存之(改的是脱壳后的文件)
重新启动软件OK,软件正常运行,标题也显示为(正式版),功能上暂时未发现有何限制