作者: yongmin [yongmin]
作者:鹭影依凌 转贴自:一蓑烟雨 PEiD查下: Borland Delphi 6.0 - 7.0 [Overlay] EP区段:.mjg- OD载入后,超级字符串捕获不到半个字符>_<,狠人,字符串隐藏的真好呀~ 一、脱壳 ;===================================================================== 005CB000 > 68 54C1C101 push 1C1C154 ; //带来代码 005CB005 58 pop eax 005CB006 BE 16B05C00 mov esi, 005CB016 005CB00B BF C4060000 mov edi, 6C4 005CB010 31043E xor dword ptr [esi+edi], eax 005CB013 4F dec edi 005CB014 83EF 03 sub edi, 3 005CB017 ^ 75 F7 jnz short 005CB010 ; //往回跳 005CB019 90 nop ; //在这F4断下 005CB01A BC BCC00154 mov esp, 5401C0BC 005CB01F C1C1 01 rol ecx, 1 005CB022 54 push esp 005CB023 C181 01D449D3 0>rol dword ptr [ecx+D349D401], 1 ;===================================================================== 按下F4后,下段程序代码发生变形 ;--------------------------------------------------------------------- 005CB010 31043E xor dword ptr [esi+edi], eax 005CB013 4F dec edi 005CB014 83EF 03 sub edi, 3 005CB017 ^ 75 F7 jnz short 005CB010 ; //这“冒”出来一个CALL 005CB019 90 nop 005CB01A E8 7D010000 call 005CB19C ; //F7跟进 005CB01F 0000 add byte ptr [eax], al 005CB021 0000 add byte ptr [eax], al ;===================================================================== 来到如下代码: ;--------------------------------------------------------------------- 005CB19C 55 push ebp ; //肯定不是OEP 005CB19D 8BEC mov ebp, esp ; 有了上次notingfound的先例 005CB19F 81C4 B4FEFFFF add esp, -14C ; 大胆猜想 005CB1A5 C645 F7 00 mov byte ptr [ebp-9], 0 ; 在最后的retn直接F4断下 005CB1A9 8BC5 mov eax, ebp 005CB1AB 83C0 04 add eax, 4 005CB1AE 8B10 mov edx, dword ptr [eax] 005CB1B0 83EA 05 sub edx, 5 005CB1B3 8955 FC mov dword ptr [ebp-4], edx 005CB1B6 8B4D FC mov ecx, dword ptr [ebp-4] 005CB1B9 81C1 84000000 add ecx, 84 005CB1BF 894D F8 mov dword ptr [ebp-8], ecx 005CB1C2 8B45 FC mov eax, dword ptr [ebp-4] 005CB1C5 8B50 0C mov edx, dword ptr [eax+C] 005CB1C8 8B4D FC mov ecx, dword ptr [ebp-4] 005CB1CB 0351 08 add edx, dword ptr [ecx+8] 005CB1CE 8BC5 mov eax, ebp 005CB1D0 83C0 04 add eax, 4 005CB1D3 8910 mov dword ptr [eax], edx 005CB1D5 FF75 F8 push dword ptr 
[ebp-8] 005CB1D8 FF75 FC push dword ptr [ebp-4] 005CB1DB 8D55 BC lea edx, dword ptr [ebp-44] 005CB1DE 52 push edx 005CB1DF E8 78000000 call 005CB25C 005CB1E4 84C0 test al, al 005CB1E6 74 6D je short 005CB255 005CB1E8 FF75 F8 push dword ptr [ebp-8] 005CB1EB 8D4D BC lea ecx, dword ptr [ebp-44] 005CB1EE 51 push ecx 005CB1EF 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C] 005CB1F5 50 push eax 005CB1F6 E8 05020000 call 005CB400 005CB1FB 84C0 test al, al 005CB1FD 74 23 je short 005CB222 005CB1FF 66:83BD B4FEFFF>cmp word ptr [ebp-14C], 6 005CB207 72 19 jb short 005CB222 005CB209 FF75 F8 push dword ptr [ebp-8] 005CB20C FF75 FC push dword ptr [ebp-4] 005CB20F 8D55 BC lea edx, dword ptr [ebp-44] 005CB212 52 push edx 005CB213 8D8D B6FEFFFF lea ecx, dword ptr [ebp-14A] 005CB219 51 push ecx 005CB21A E8 51020000 call 005CB470 005CB21F 8845 F7 mov byte ptr [ebp-9], al 005CB222 807D F7 00 cmp byte ptr [ebp-9], 0 005CB226 75 2D jnz short 005CB255 005CB228 FF75 FC push dword ptr [ebp-4] 005CB22B 8D45 BC lea eax, dword ptr [ebp-44] 005CB22E 50 push eax 005CB22F 8D95 B6FEFFFF lea edx, dword ptr [ebp-14A] 005CB235 52 push edx 005CB236 E8 81020000 call 005CB4BC 005CB23B 84C0 test al, al 005CB23D 74 16 je short 005CB255 005CB23F FF75 F8 push dword ptr [ebp-8] 005CB242 FF75 FC push dword ptr [ebp-4] 005CB245 8D4D BC lea ecx, dword ptr [ebp-44] 005CB248 51 push ecx 005CB249 8D85 B6FEFFFF lea eax, dword ptr [ebp-14A] 005CB24F 50 push eax 005CB250 E8 1B020000 call 005CB470 005CB255 8BE5 mov esp, ebp 005CB257 5D pop ebp 005CB258 C3 retn ; //F4断下(程序未运行) ;===================================================================== 继续F8,返回到如下代码 ;--------------------------------------------------------------------- 00528880 /. 55 push ebp ; //此处是OPE了 00528881 |. 8BEC mov ebp, esp ; //Delphi特征 00528883 |. 83C4 E0 add esp, -20 00528886 |. 53 push ebx 00528887 |. 33C0 xor eax, eax 00528889 |. 8945 E4 mov dword ptr [ebp-1C], eax 0052888C |. 8945 E0 mov dword ptr [ebp-20], eax 0052888F |. 
8945 EC mov dword ptr [ebp-14], eax 00528892 |. 8945 E8 mov dword ptr [ebp-18], eax 00528895 |. B8 B0845200 mov eax, 005284B0 0052889A |. E8 B1E0EDFF call 00406950 0052889F |. 8B1D 18CC5200 mov ebx, dword ptr [52CC18] ; ×××.0052DC0C ;===================================================================== OD插件DUMP下,还好,不用修复就可正常运行~ PEiD查下 Borland Delphi 6.0 - 7.0 EP区段:CODE OK,下一步... 二、算法分析 将脱壳后的文件载入OD 超级字符串搜索下,呼呼,字符串全出来咯~~~ 定位下,代码分析如下: ;===================================================================== 00523934 /. 55 push ebp ; //开始 00523935 |. 8BEC mov ebp, esp 00523937 |. 33C9 xor ecx, ecx 00523939 |. 51 push ecx 0052393A |. 51 push ecx 0052393B |. 51 push ecx 0052393C |. 51 push ecx 0052393D |. 51 push ecx 0052393E |. 51 push ecx 0052393F |. 51 push ecx 00523940 |. 53 push ebx 00523941 |. 8BD8 mov ebx, eax 00523943 |. 33C0 xor eax, eax 00523945 |. 55 push ebp 00523946 |. 68 743A5200 push 00523A74 0052394B |. 64:FF30 push dword ptr fs:[eax] 0052394E |. 64:8920 mov dword ptr fs:[eax], esp 00523951 |. 8D55 F4 lea edx, dword ptr [ebp-C] 00523954 |. 8B83 1C030000 mov eax, dword ptr [ebx+31C] 0052395A |. E8 0179F4FF call 0046B260 0052395F |. 8B45 F4 mov eax, dword ptr [ebp-C] ; EAX = 序列号 00523962 |. 8D55 F8 lea edx, dword ptr [ebp-8] 00523965 |. E8 2654EEFF call 00408D90 0052396A |. 8B45 F8 mov eax, dword ptr [ebp-8] ; EAX = 序列号 0052396D |. 50 push eax 0052396E |. 8D55 EC lea edx, dword ptr [ebp-14] 00523971 |. 8B83 18030000 mov eax, dword ptr [ebx+318] 00523977 |. E8 E478F4FF call 0046B260 0052397C |. 8B45 EC mov eax, dword ptr [ebp-14] ; EAX = (ASCII "TOPTHINK") 0052397F |. 8D55 F0 lea edx, dword ptr [ebp-10] 00523982 |. E8 0954EEFF call 00408D90 00523987 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; EAX = (ASCII "TOPTHINK") 0052398A |. 50 push eax 0052398B |. 8D55 E4 lea edx, dword ptr [ebp-1C] 0052398E |. 8B83 14030000 mov eax, dword ptr [ebx+314] 00523994 |. E8 C778F4FF call 0046B260 00523999 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; EAX = (ASCII "TOPTHINK") 0052399C |. 
8D55 E8 lea edx, dword ptr [ebp-18] 0052399F |. E8 EC53EEFF call 00408D90 005239A4 |. 8B55 E8 mov edx, dword ptr [ebp-18] ; EDX = (ASCII "TOPTHINK") 005239A7 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C] 005239AD |. 59 pop ecx 005239AE |. E8 B1EFFFFF call 00522964 ; |*|关键CALL 005239B3 |. 84C0 test al, al 005239B5 |. 75 2C jnz short 005239E3 005239B7 |. 8D45 FC lea eax, dword ptr [ebp-4] 005239BA |. BA 883A5200 mov edx, 00523A88 ; 输入注册码不正确,请检查! 005239BF |. E8 C00AEEFF call 00404484 005239C4 |. 6A 40 push 40 005239C6 |. 8B45 FC mov eax, dword ptr [ebp-4] 005239C9 |. E8 DE0EEEFF call 004048AC 005239CE |. 8BD0 mov edx, eax 005239D0 |. B9 A43A5200 mov ecx, 00523AA4 ; 输入错误 005239D5 |. A1 18CC5200 mov eax, dword ptr [52CC18] 005239DA |. 8B00 mov eax, dword ptr [eax] 005239DC |. E8 678DF6FF call 0048C748 005239E1 |. EB 4E jmp short 00523A31 005239E3 |> 68 B83A5200 push 00523AB8 ; 注册成功! 005239E8 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C] 005239EE |. FF70 5C push dword ptr [eax+5C] 005239F1 |. 68 E43A5200 push 00523AE4 ; \n 005239F6 |. 68 F03A5200 push 00523AF0 ; 感谢您对我们的支持!请重新启动××××! 005239FB |. 8D45 FC lea eax, dword ptr [ebp-4] 005239FE |. BA 04000000 mov edx, 4 00523A03 |. E8 640DEEFF call 0040476C 00523A08 |. 6A 40 push 40 00523A0A |. 8B45 FC mov eax, dword ptr [ebp-4] 00523A0D |. E8 9A0EEEFF call 004048AC 00523A12 |. 8BD0 mov edx, eax 00523A14 |. B9 1C3B5200 mov ecx, 00523B1C ; 注册成功 00523A19 |. A1 18CC5200 mov eax, dword ptr [52CC18] 00523A1E |. 8B00 mov eax, dword ptr [eax] 00523A20 |. E8 238DF6FF call 0048C748 00523A25 |. A1 18CC5200 mov eax, dword ptr [52CC18] 00523A2A |. 8B00 mov eax, dword ptr [eax] 00523A2C |. E8 738CF6FF call 0048C6A4 00523A31 |> 33C0 xor eax, eax 00523A33 |. 5A pop edx 00523A34 |. 59 pop ecx 00523A35 |. 59 pop ecx 00523A36 |. 64:8910 mov dword ptr fs:[eax], edx 00523A39 |. 68 7B3A5200 push 00523A7B 00523A3E |> 8D45 E4 lea eax, dword ptr [ebp-1C] 00523A41 |. E8 A609EEFF call 004043EC 00523A46 |. 8D45 E8 lea eax, dword ptr [ebp-18] 00523A49 |. 
E8 9E09EEFF call 004043EC 00523A4E |. 8D45 EC lea eax, dword ptr [ebp-14] 00523A51 |. E8 9609EEFF call 004043EC 00523A56 |. 8D45 F0 lea eax, dword ptr [ebp-10] 00523A59 |> E8 8E09EEFF call 004043EC 00523A5E |. 8D45 F4 lea eax, dword ptr [ebp-C] 00523A61 |. E8 8609EEFF call 004043EC 00523A66 |. 8D45 F8 lea eax, dword ptr [ebp-8] 00523A69 |. BA 02000000 mov edx, 2 00523A6E |. E8 9D09EEFF call 00404410 00523A73 \. C3 retn 00523A74 .^ E9 9702EEFF jmp 00403D10 00523A79 .^ EB C3 jmp short 00523A3E 00523A7B . 5B pop ebx 00523A7C . 8BE5 mov esp, ebp 00523A7E . 5D pop ebp 00523A7F . C3 retn ;===================================================================== 在地址005239AE处F7跟进关键CALL->00522964 ;--------------------------------------------------------------------- 00522964 /$ 55 push ebp ; //调用 00522965 |. 8BEC mov ebp, esp 00522967 |. 83C4 F0 add esp, -10 0052296A |. 53 push ebx 0052296B |. 33DB xor ebx, ebx 0052296D |. 895D F0 mov dword ptr [ebp-10], ebx 00522970 |. 895D F4 mov dword ptr [ebp-C], ebx 00522973 |. 894D F8 mov dword ptr [ebp-8], ecx 00522976 |. 8955 FC mov dword ptr [ebp-4], edx 00522979 |. 8BD8 mov ebx, eax 0052297B |. 8B45 FC mov eax, dword ptr [ebp-4] 0052297E |. E8 191FEEFF call 0040489C 00522983 |. 8B45 F8 mov eax, dword ptr [ebp-8] 00522986 |. E8 111FEEFF call 0040489C 0052298B |. 8B45 08 mov eax, dword ptr [ebp+8] ; EAX = 序列号 0052298E |. E8 091FEEFF call 0040489C 00522993 |. 33C0 xor eax, eax ; EAX置零 00522995 |. 55 push ebp 00522996 |. 68 4E2A5200 push 00522A4E 0052299B |. 64:FF30 push dword ptr fs:[eax] 0052299E |. 64:8920 mov dword ptr fs:[eax], esp 005229A1 |. 8B45 FC mov eax, dword ptr [ebp-4] 005229A4 |. E8 031DEEFF call 004046AC 005229A9 |. 3B43 4C cmp eax, dword ptr [ebx+4C] 005229AC |. 7F 19 jg short 005229C7 005229AE |. 8B45 FC mov eax, dword ptr [ebp-4] 005229B1 |. E8 F61CEEFF call 004046AC 005229B6 |. 3B43 50 cmp eax, dword ptr [ebx+50] 005229B9 |. 7C 0C jl short 005229C7 005229BB |. 8B45 08 mov eax, dword ptr [ebp+8] ; EAX = 序列号 005229BE |. 
E8 E91CEEFF call 004046AC 005229C3 |. 85C0 test eax, eax 005229C5 |. 75 04 jnz short 005229CB 005229C7 |> 33DB xor ebx, ebx 005229C9 |. EB 60 jmp short 00522A2B 005229CB |> 8D55 F4 lea edx, dword ptr [ebp-C] 005229CE |. 8B45 08 mov eax, dword ptr [ebp+8] ; EAX = 序列号 005229D1 |. E8 4A61EEFF call 00408B20 ; 序列号转换为大写 005229D6 |. 8B55 F4 mov edx, dword ptr [ebp-C] 005229D9 |. 8D45 08 lea eax, dword ptr [ebp+8] 005229DC |. E8 A31AEEFF call 00404484 005229E1 |. 8D4D F0 lea ecx, dword ptr [ebp-10] 005229E4 |. 8B55 FC mov edx, dword ptr [ebp-4] 005229E7 |. 8BC3 mov eax, ebx 005229E9 |. E8 46FBFFFF call 00522534 ; |*|关键CALL 005229EE |. 8B45 F0 mov eax, dword ptr [ebp-10] ; (ASCII "0000932C03CB") 005229F1 |. 8B55 08 mov edx, dword ptr [ebp+8] ; (ASCII "9876543210ABCDEF") 005229F4 |. E8 9F61EEFF call 00408B98 ; //真假码比较 005229F9 |. 85C0 test eax, eax 005229FB |. 74 04 je short 00522A01 ; //不跳就挂 005229FD |. 33DB xor ebx, ebx ; EBX置零 005229FF |. EB 2A jmp short 00522A2B 00522A01 |> 8D43 48 lea eax, dword ptr [ebx+48] 00522A04 |. 8B55 FC mov edx, dword ptr [ebp-4] 00522A07 |. E8 341AEEFF call 00404440 00522A0C |. 8D43 54 lea eax, dword ptr [ebx+54] 00522A0F |. 8B55 F8 mov edx, dword ptr [ebp-8] 00522A12 |. E8 291AEEFF call 00404440 00522A17 |. 8D43 5C lea eax, dword ptr [ebx+5C] 00522A1A |. 8B55 08 mov edx, dword ptr [ebp+8] 00522A1D |. E8 1E1AEEFF call 00404440 00522A22 |. 8BC3 mov eax, ebx 00522A24 |. E8 5B020000 call 00522C84 00522A29 |. B3 01 mov bl, 1 ; bl = 1 00522A2B |> 33C0 xor eax, eax ; EAX置零 00522A2D |. 5A pop edx 00522A2E |. 59 pop ecx 00522A2F |. 59 pop ecx 00522A30 |. 64:8910 mov dword ptr fs:[eax], edx 00522A33 |. 68 552A5200 push 00522A55 00522A38 |> 8D45 F0 lea eax, dword ptr [ebp-10] 00522A3B |. BA 04000000 mov edx, 4 00522A40 |. E8 CB19EEFF call 00404410 00522A45 |. 8D45 08 lea eax, dword ptr [ebp+8] 00522A48 |. E8 9F19EEFF call 004043EC 00522A4D \. C3 retn 00522A4E .^ E9 BD12EEFF jmp 00403D10 00522A53 .^ EB E3 jmp short 00522A38 00522A55 . 
8BC3 mov eax, ebx ; EAX = EBX 00522A57 . 5B pop ebx 00522A58 . 8BE5 mov esp, ebp 00522A5A . 5D pop ebp 00522A5B . C2 0400 retn 4 ; //返回 ;===================================================================== 在地址005229E9 处F7跟进关键CALL->00522534 ;--------------------------------------------------------------------- 00522534 /$ 55 push ebp ; //调用 00522535 |. 8BEC mov ebp, esp 00522537 |. 51 push ecx 00522538 |. B9 04000000 mov ecx, 4 0052253D |> 6A 00 /push 0 0052253F |. 6A 00 |push 0 00522541 |. 49 |dec ecx 00522542 |.^ 75 F9 \jnz short 0052253D 00522544 |. 874D FC xchg dword ptr [ebp-4], ecx 00522547 |. 53 push ebx 00522548 |. 56 push esi 00522549 |. 57 push edi 0052254A |. 8BF9 mov edi, ecx 0052254C |. 8955 FC mov dword ptr [ebp-4], edx 0052254F |. 8BF0 mov esi, eax 00522551 |. 8B45 FC mov eax, dword ptr [ebp-4] ; EAX = (ASCII "TOPTHINK") 00522554 |. E8 4323EEFF call 0040489C 00522559 |. 33C0 xor eax, eax 0052255B |. 55 push ebp 0052255C |. 68 D4265200 push 005226D4 00522561 |. 64:FF30 push dword ptr fs:[eax] 00522564 |. 64:8920 mov dword ptr fs:[eax], esp 00522567 |. 8D55 DC lea edx, dword ptr [ebp-24] 0052256A |. 8BC6 mov eax, esi 0052256C |. E8 070F0000 call 00523478 00522571 |. 8B45 DC mov eax, dword ptr [ebp-24] ; EAX = 机器码(ASCII "0000423A3456") 00522574 |. 8D55 EC lea edx, dword ptr [ebp-14] 00522577 |. E8 1468EEFF call 00408D90 0052257C |. 837D EC 00 cmp dword ptr [ebp-14], 0 ; 机器码和0比较 00522580 |. 75 0D jnz short 0052258F ; 跳走 00522582 |. 8D45 E0 lea eax, dword ptr [ebp-20] 00522585 |. 8B55 FC mov edx, dword ptr [ebp-4] 00522588 |. E8 F71EEEFF call 00404484 0052258D |. EB 5D jmp short 005225EC 0052258F |> 8B45 EC mov eax, dword ptr [ebp-14] ; EAX = 机器码 00522592 |. E8 1521EEFF call 004046AC ; 取机器码长度 00522597 |. 8BD8 mov ebx, eax ; EBX = EAX 00522599 |. 8D45 E8 lea eax, dword ptr [ebp-18] 0052259C |. 50 push eax 0052259D |. 8BCB mov ecx, ebx ; ECX = EBX 0052259F |. D1F9 sar ecx, 1 ; ECX = ECX /2 005225A1 |. 79 03 jns short 005225A6 ; 跳走 005225A3 |. 
83D1 00 adc ecx, 0 005225A6 |> BA 01000000 mov edx, 1 ; EDX = 1 005225AB |. 8B45 EC mov eax, dword ptr [ebp-14] ; EAX = 机器码 005225AE |. E8 5923EEFF call 0040490C 005225B3 |. 8D45 E4 lea eax, dword ptr [ebp-1C] 005225B6 |. 50 push eax 005225B7 |. 8BC3 mov eax, ebx 005225B9 |. D1F8 sar eax, 1 ; EAX = EAX / 2 005225BB |. 79 03 jns short 005225C0 005225BD |. 83D0 00 adc eax, 0 005225C0 |> 8BCB mov ecx, ebx ; ECX = EBX 005225C2 |. 2BC8 sub ecx, eax ; ECX = ECX - EAX 005225C4 |. 8BD3 mov edx, ebx ; EDX = EBX 005225C6 |. D1FA sar edx, 1 ; EDX = EDX / 2 005225C8 |. 79 03 jns short 005225CD 005225CA |. 83D2 00 adc edx, 0 005225CD |> 42 inc edx ; EDX++ 005225CE |. 8B45 EC mov eax, dword ptr [ebp-14] ; EAX = 机器码 005225D1 |. E8 3623EEFF call 0040490C 005225D6 |. FF75 E8 push dword ptr [ebp-18] ; (ASCII "000042") 005225D9 |. FF75 FC push dword ptr [ebp-4] ; (ASCII "TOPTHINK") 005225DC |. FF75 E4 push dword ptr [ebp-1C] ; (ASCII "3A3456") 005225DF |. 8D45 E0 lea eax, dword ptr [ebp-20] 005225E2 |. BA 03000000 mov edx, 3 ; EDX = 3 005225E7 |. E8 8021EEFF call 0040476C 005225EC |> C745 F0 00000>mov dword ptr [ebp-10], 0 005225F3 |. C745 F4 00000>mov dword ptr [ebp-C], 0 005225FA |. 8B45 FC mov eax, dword ptr [ebp-4] ; EAX = (ASCII "TOPTHINK") 005225FD |. E8 AA20EEFF call 004046AC 00522602 |. 3B46 4C cmp eax, dword ptr [esi+4C] 00522605 |. 7F 0D jg short 00522614 00522607 |. 8B45 FC mov eax, dword ptr [ebp-4] 0052260A |. E8 9D20EEFF call 004046AC 0052260F |. 3B46 50 cmp eax, dword ptr [esi+50] 00522612 |. 7D 0C jge short 00522620 00522614 |> 8BC7 mov eax, edi 00522616 |. E8 D11DEEFF call 004043EC 0052261B |. E9 91000000 jmp 005226B1 00522620 |> 8B45 E0 mov eax, dword ptr [ebp-20] ; EAX = (ASCII "000042TOPTHINK3A3456") 00522623 |. E8 8420EEFF call 004046AC 00522628 |. 8BD8 mov ebx, eax ; EBX = EAX 0052262A |. EB 37 jmp short 00522663 0052262C |> 8B45 F0 /mov eax, dword ptr [ebp-10] ; EAX = [ebp-10] 0052262F |. 8B55 F4 |mov edx, dword ptr [ebp-C] ; EDX = [ebp-C] 00522632 |. 
0346 68 |add eax, dword ptr [esi+68] ; EAX = EAX + [esi+68] 00522635 |. 1356 6C |adc edx, dword ptr [esi+6C] ; EDX = EDX + [esi+6C] 00522638 |. 52 |push edx ; <<<进栈 00522639 |. 50 |push eax ; <<<进栈 0052263A |. 8B45 E0 |mov eax, dword ptr [ebp-20] ; EAX = 字符串 0052263D |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; 从后往前逐个取字符串 00522642 |. 50 |push eax ; <<<进栈 00522643 |. B8 59040000 |mov eax, 459 ; EAX = 459 00522648 |. 5A |pop edx ; >>>出栈 00522649 |. 8BCA |mov ecx, edx ; ECX = EDX 0052264B |. 33D2 |xor edx, edx ; EDX置零 0052264D |. F7F1 |div ecx ; EDX = EAX / ECX 0052264F |. 8BC2 |mov eax, edx ; EAX = EDX 00522651 |. 33D2 |xor edx, edx ; EDX置零 00522653 |. 290424 |sub dword ptr [esp], eax 00522656 |. 195424 04 |sbb dword ptr [esp+4], edx 0052265A |. 58 |pop eax ; >>>出栈 0052265B |. 5A |pop edx ; >>>出栈 0052265C |. 8945 F0 |mov dword ptr [ebp-10], eax ; [ebp-10] = eax 0052265F |. 8955 F4 |mov dword ptr [ebp-C], edx ; [ebp-C] = edx 00522662 |. 4B |dec ebx ; EBX-- 00522663 |> 8B45 E0 mov eax, dword ptr [ebp-20] 00522666 |. E8 4120EEFF |call 004046AC 0052266B |. 3BD8 |cmp ebx, eax 0052266D |. 7F 04 |jg short 00522673 ; //跳出循环体(一直未实现) 0052266F |. 85DB |test ebx, ebx 00522671 |.^ 7F B9 \jg short 0052262C ; //循环14H次 00522673 |> 8B5E 60 mov ebx, dword ptr [esi+60] 00522676 |. 85DB test ebx, ebx 00522678 |. 7F 11 jg short 0052268B 0052267A |. FF75 F4 push dword ptr [ebp-C] ; /Arg2:0000 0052267D |. FF75 F0 push dword ptr [ebp-10] ; |Arg1:[ebp-10] 00522680 |. 8BD7 mov edx, edi ; | 00522682 |. 33C0 xor eax, eax ; | 00522684 |. E8 AB6BEEFF call 00409234 ; \1.00409234 00522689 |. EB 26 jmp short 005226B1 0052268B |> FF75 F4 push dword ptr [ebp-C] ; /Arg2 0052268E |. FF75 F0 push dword ptr [ebp-10] ; |Arg1 00522691 |. 8BD7 mov edx, edi ; | 00522693 |. 8BC3 mov eax, ebx ; | 00522695 |. E8 9A6BEEFF call 00409234 ; \1.00409234 0052269A |. 8B07 mov eax, dword ptr [edi] ; EAX = 真码(ASCII "0000932C03CB") 0052269C |. E8 0B20EEFF call 004046AC 005226A1 |. 8BC8 mov ecx, eax 005226A3 |. 
2B4E 60 sub ecx, dword ptr [esi+60] 005226A6 |. 8B56 60 mov edx, dword ptr [esi+60] 005226A9 |. 42 inc edx 005226AA |. 8BC7 mov eax, edi 005226AC |. E8 9B22EEFF call 0040494C 005226B1 |> 33C0 xor eax, eax 005226B3 |. 5A pop edx 005226B4 |. 59 pop ecx 005226B5 |. 59 pop ecx 005226B6 |. 64:8910 mov dword ptr fs:[eax], edx 005226B9 |. 68 DB265200 push 005226DB 005226BE |> 8D45 DC lea eax, dword ptr [ebp-24] 005226C1 |. BA 05000000 mov edx, 5 005226C6 |. E8 451DEEFF call 00404410 005226CB |. 8D45 FC lea eax, dword ptr [ebp-4] 005226CE |. E8 191DEEFF call 004043EC 005226D3 \. C3 retn 005226D4 .^ E9 3716EEFF jmp 00403D10 005226D9 .^ EB E3 jmp short 005226BE 005226DB . 5F pop edi 005226DC . 5E pop esi 005226DD . 5B pop ebx 005226DE . 8BE5 mov esp, ebp 005226E0 . 5D pop ebp 005226E1 . C3 retn ; //返回 ;===================================================================== 在运算中出现了两个含有变量的地址: [esi+68] & [esi+6C] 重载时候跟踪了一下,两个都是常量 [esi+68] = 075BCD15 [esi+6C] = 00000000 明确了这个两个常量算法就相对明朗多了 算法如下: 机器码是12位数字,分为前六位str1和后六位str2 1.将机器码中间加入常量字符串"TOPTHINK" 得到新的字符串:str = str1-TOPTHINK-str2 2.进行如下运算: int sum = 0; int temp = 0; for(int k = 19; k >=0; k--) { temp = 075BCD15H - (495H % array[k]); sum = sum + temp; } 说明:其中的运算是十六进制运算 3.构造注册码: 0000-sum 用calc转换下075BCD15H,小发现~ 075BCD15H = 123456789D 有朋友可能会怀疑[esi+68] & [esi+6C]是不是真的是常量 还是用硬件特征计算出的数值 偶在其他的电脑上进行了测试 根据他的PC机器码,计算序列号 输入->注册成功 PS:心理猜测,机器码哪会那么巧,正好是123456789D呢 crack心得 1.[overlay]处理三个级别 (1)完全脱掉 (2)半脱掉(不能正常运行) (3)不用理睬(已经定位了字符串) 2.熟悉堆栈,数据之间关系 题外话:(有关本例爆破的探讨) 按层次划分 一层: 005239B5 |. 75 2C jnz short 005239E3 现在只修改主程序就能达到爆破成功的软件几乎是绝迹了 二层: {思路一}:让真假码指向同一个地址 005229EE |. 8B45 F0 mov eax, dword ptr [ebp-10] ; (ASCII "0000932C03CB") 005229F1 |. 8B55 08 mov edx, dword ptr [ebp+8] ; (ASCII "9876543210ABCDEF") 改后: 005229EE |. 8B45 F0 mov eax, dword ptr [ebp-10] 005229F1 |. 8B55 F0 mov edx, dword ptr [ebp-10] {思路二}:反向跳转 005229FB |. 74 04 je short 00522A01 改后: 005229FB |. 75 04 jne short 00522A01 {思路三}:标志位赋值 00522A55 . 
8BC3 mov eax, ebx {思路四}:思路三的延展 直接把二层修改为: mov eax,1 retn 行业软件中用爆破比较多 小型软件不推荐适用爆破 不知不觉��嗦了打半篇子,希望能对论坛的兄弟有所帮助 当然,有疏漏之处更欢迎兄弟们斧正 |
地主 发表时间: 07-11-27 11:14 |