算法分析遇到困难!
【软件大小】: 323KB【下载地址】: 附件
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 加壳
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: OD PEID ImportREC DEDE
【操作平台】: 2K/XP
--------------------------------------------------------------------------------
【详细过程】
我用OD手动脱壳，后用ImportREC修复，软件可以正常运行。本想分析它的算法，想不到的事情发生了：在算法分析过程中用OD跟踪到关键算法内部的某个CALL就无法过去，OD状态栏提示进程退出！不知是何原因。
004B1C94 >/.55 PUSH EBP ;<-
Tfrmreg@FlatButton9Click
004B1C95|.8BEC MOV EBP,ESP
004B1C97|.83C4 F0 ADD ESP,-10
004B1C9A|.33C9 XOR ECX,ECX
004B1C9C|.894D F0 MOV DWORD PTR SS:,ECX
004B1C9F|.894D F4 MOV DWORD PTR SS:,ECX
004B1CA2|.8945 FC MOV DWORD PTR SS:,EAX
004B1CA5|.33C0 XOR EAX,EAX
004B1CA7|.55 PUSH EBP
004B1CA8|.68 951D4B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B1CAD|.64:FF30 PUSH DWORD PTR FS:
004B1CB0|.64:8920 MOV DWORD PTR FS:,ESP
004B1CB3|.B2 01 MOV DL,1
004B1CB5|.A1 BCC14400 MOV EAX,DWORD PTR DS:
004B1CBA >|.E8 FDA5F9FF CALL 1_exe_un.0044C2BC ;-
>Unit_0044C15C.Proc_0044C2BC
004B1CBF|.8945 F8 MOV DWORD PTR SS:,EAX
004B1CC2|.33C0 XOR EAX,EAX
004B1CC4|.55 PUSH EBP
004B1CC5|.68 4C1D4B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B1CCA|.64:FF30 PUSH DWORD PTR FS:
004B1CCD|.64:8920 MOV DWORD PTR FS:,ESP
004B1CD0|.BA 02000080 MOV EDX,80000002
004B1CD5|.8B45 F8 MOV EAX,DWORD PTR SS:
004B1CD8 >|.E8 7FA6F9FF CALL 1_exe_un.0044C35C ;-
>Unit_0044C15C.Proc_0044C35C
004B1CDD|.B1 01 MOV CL,1
004B1CDF|.BA A81D4B00 MOV EDX,1_exe_un.004B1DA8 ;ASCII
"\SOFTWARE\qqpic"
004B1CE4|.8B45 F8 MOV EAX,DWORD PTR SS:
004B1CE7 >|.E8 D4A6F9FF CALL 1_exe_un.0044C3C0 ;-
>Unit_0044C15C.Proc_0044C3C0
004B1CEC|.8D55 F4 LEA EDX,DWORD PTR SS:
004B1CEF|.8B45 FC MOV EAX,DWORD PTR SS:
004B1CF2|.8B80 04030000 MOV EAX,DWORD PTR DS:
004B1CF8 >|.E8 7BB0F7FF CALL 1_exe_un.0042CD78 ;-
>controls.TControl.GetText(TControl):TCaption;取得用户名长度EAX
004B1CFD|.8B4D F4 MOV ECX,DWORD PTR SS: ;用户名字符
004B1D00|.BA C01D4B00 MOV EDX,1_exe_un.004B1DC0 ;ASCII "reguser"
004B1D05|.8B45 F8 MOV EAX,DWORD PTR SS:
004B1D08 >|.E8 4FA8F9FF CALL 1_exe_un.0044C55C ;-
>Unit_0044C15C.Proc_0044C55C
004B1D0D|.8D55 F0 LEA EDX,DWORD PTR SS:
004B1D10|.8B45 FC MOV EAX,DWORD PTR SS:
004B1D13|.8B80 08030000 MOV EAX,DWORD PTR DS:
004B1D19 >|.E8 5AB0F7FF CALL 1_exe_un.0042CD78 ;-
>controls.TControl.GetText(TControl):TCaption;取得假码长度EAX
004B1D1E|.8B4D F0 MOV ECX,DWORD PTR SS: ;假码指针
004B1D21|.BA D01D4B00 MOV EDX,1_exe_un.004B1DD0 ;ASCII "regcode"
004B1D26|.8B45 F8 MOV EAX,DWORD PTR SS:
004B1D29 >|.E8 2EA8F9FF CALL 1_exe_un.0044C55C ;-
>Unit_0044C15C.Proc_0044C55C
004B1D2E|.8B45 F8 MOV EAX,DWORD PTR SS:
004B1D31 >|.E8 F6A5F9FF CALL 1_exe_un.0044C32C ;-
>Unit_0044C15C.Proc_0044C32C
004B1D36|.33C0 XOR EAX,EAX
004B1D38|.5A POP EDX
004B1D39|.59 POP ECX
004B1D3A|.59 POP ECX
004B1D3B|.64:8910 MOV DWORD PTR FS:,EDX
004B1D3E|.68 531D4B00 PUSH 1_exe_un.004B1D53
004B1D43|>8B45 F8 MOV EAX,DWORD PTR SS:
004B1D46 >|.E8 9912F5FF CALL 1_exe_un.00402FE4 ;-
>system.TObject.Free(TObject);
004B1D4B\.C3 RETN ;跳到004B1D53
004B1D4C > .^ E9 B319F5FF JMP 1_exe_un.00403704 ;-
>system.@HandleFinally;
004B1D51 .^ EB F0 JMP SHORT 1_exe_un.004B1D43
004B1D53 .8B45 FC MOV EAX,DWORD PTR SS:
004B1D56 > .E8 295FF9FF CALL 1_exe_un.00447C84 ;-
>forms.TCustomForm.Close(TCustomForm);
004B1D5B > .E8 14F7FFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1474>;-
>:Tfrmreg.Proc_004B1474()关键部分算法
004B1D60 .3C 01 CMP AL,1
004B1D62 75 0C JNZ SHORT 1_exe_un.004B1D70 ;跳就完
004B1D64 .B8 E01D4B00 MOV EAX,1_exe_un.004B1DE0
004B1D69 > .E8 6A81FBFF CALL 1_exe_un.00469ED8 ;-
>dialogs.ShowMessage(AnsiString);
004B1D6E .EB 0A JMP SHORT 1_exe_un.004B1D7A ;跳过注册失败信息
004B1D70 >B8 F81D4B00 MOV EAX,1_exe_un.004B1DF8
004B1D75 > .E8 5E81FBFF CALL 1_exe_un.00469ED8 ;-
>dialogs.ShowMessage(AnsiString);
004B1D7A >33C0 XOR EAX,EAX
004B1D7C .5A POP EDX
004B1D7D .59 POP ECX
004B1D7E .59 POP ECX
004B1D7F .64:8910 MOV DWORD PTR FS:,EDX
004B1D82 .68 9C1D4B00 PUSH 1_exe_un.004B1D9C
004B1D87 >8D45 F0 LEA EAX,DWORD PTR SS:
004B1D8A .BA 02000000 MOV EDX,2
004B1D8F > .E8 D81FF5FF CALL 1_exe_un.00403D6C ;-
>system.@LStrArrayClr;
004B1D94 .C3 RETN
004B1D95 > .^ E9 6A19F5FF JMP 1_exe_un.00403704 ;-
>system.@HandleFinally;
004B1D9A .^ EB EB JMP SHORT 1_exe_un.004B1D87
004B1D9C .8BE5 MOV ESP,EBP
004B1D9E .5D POP EBP
004B1D9F .C3 RETN
跟入关键部分:
004B1474 >/$55 PUSH EBP ;<-
Tfrmreg@Proc_004B1474
004B1475|.8BEC MOV EBP,ESP
004B1477|.B9 06000000 MOV ECX,6
004B147C|>6A 00 /PUSH 0
004B147E|.6A 00 |PUSH 0
004B1480|.49 |DEC ECX ;ECX清零
004B1481|.^ 75 F9 \JNZ SHORT 1_exe_un.004B147C
004B1483|.51 PUSH ECX
004B1484|.53 PUSH EBX
004B1485|.33C0 XOR EAX,EAX
004B1487|.55 PUSH EBP
004B1488|.68 6F164B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B148D|.64:FF30 PUSH DWORD PTR FS:
004B1490|.64:8920 MOV DWORD PTR FS:,ESP
004B1493|.C645 FF 00 MOV BYTE PTR SS:,0
004B1497|.B2 01 MOV DL,1
004B1499|.A1 BCC14400 MOV EAX,DWORD PTR DS:
004B149E >|.E8 19AEF9FF CALL 1_exe_un.0044C2BC ;-
>Unit_0044C15C.Proc_0044C2BC
004B14A3|.8945 D4 MOV DWORD PTR SS:,EAX ;SEH
004B14A6|.33C0 XOR EAX,EAX
004B14A8|.55 PUSH EBP
004B14A9|.68 0E154B00 PUSH <1_exe_un.->system.@HandleFinally;>
004B14AE|.64:FF30 PUSH DWORD PTR FS:
004B14B1|.64:8920 MOV DWORD PTR FS:,ESP
004B14B4|.BA 02000080 MOV EDX,80000002
004B14B9|.8B45 D4 MOV EAX,DWORD PTR SS:
004B14BC >|.E8 9BAEF9FF CALL 1_exe_un.0044C35C ;-
>Unit_0044C15C.Proc_0044C35C
004B14C1|.B1 01 MOV CL,1
004B14C3|.BA 88164B00 MOV EDX,1_exe_un.004B1688 ;ASCII
"\SOFTWARE\qqpic"
004B14C8|.8B45 D4 MOV EAX,DWORD PTR SS:
004B14CB >|.E8 F0AEF9FF CALL 1_exe_un.0044C3C0 ;-
>Unit_0044C15C.Proc_0044C3C0,
004B14D0|.8D4D DC LEA ECX,DWORD PTR SS: ;用户名
004B14D3|.BA A0164B00 MOV EDX,1_exe_un.004B16A0 ;ASCII "reguser"
004B14D8|.8B45 D4 MOV EAX,DWORD PTR SS:
004B14DB >|.E8 A8B0F9FF CALL 1_exe_un.0044C588 ;-
>Unit_0044C15C.Proc_0044C588
004B14E0|.8D4D D8 LEA ECX,DWORD PTR SS: ;注册码
004B14E3|.BA B0164B00 MOV EDX,1_exe_un.004B16B0 ;ASCII "regcode"
004B14E8|.8B45 D4 MOV EAX,DWORD PTR SS:
004B14EB >|.E8 98B0F9FF CALL 1_exe_un.0044C588 ;-
>Unit_0044C15C.Proc_0044C588
004B14F0|.8B45 D4 MOV EAX,DWORD PTR SS:
004B14F3 >|.E8 34AEF9FF CALL 1_exe_un.0044C32C ;-
>Unit_0044C15C.Proc_0044C32C
004B14F8|.33C0 XOR EAX,EAX ;
004B14FA|.5A POP EDX ;
004B14FB|.59 POP ECX
004B14FC|.59 POP ECX
004B14FD|.64:8910 MOV DWORD PTR FS:,EDX
004B1500|.68 15154B00 PUSH 1_exe_un.004B1515
004B1505|>8B45 D4 MOV EAX,DWORD PTR SS:
004B1508 >|.E8 D71AF5FF CALL 1_exe_un.00402FE4 ;-
>system.TObject.Free(TObject);
004B150D\.C3 RETN ;跳到4B1515
004B150E > .^ E9 F121F5FF JMP 1_exe_un.00403704 ;-
>system.@HandleFinally;
004B1513 .^ EB F0 JMP SHORT 1_exe_un.004B1505
004B1515 .837D DC 00 CMP DWORD PTR SS:,0 ;判断用户名是否存在
004B1519 .0F84 1B010000 JE 1_exe_un.004B163A
004B151F .837D D8 00 CMP DWORD PTR SS:,0 ;判断注册码是否存在
004B1523 .0F84 11010000 JE 1_exe_un.004B163A
004B1529 .8B45 D8 MOV EAX,DWORD PTR SS:
004B152C > .E8 972AF5FF CALL 1_exe_un.00403FC8 ;-
>system.@LStrLen:Integer;取得假码长度存入EAX
004B1531 .25 01000080 AND EAX,80000001 ;判断假码长度奇偶性
004B1536 .79 05 JNS SHORT 1_exe_un.004B153D ;假码长度是奇数就跳
004B1538 .48 DEC EAX
004B1539 .83C8 FE OR EAX,FFFFFFFE ;
004B153C .40 INC EAX
004B153D >85C0 TEST EAX,EAX
004B153F .0F85 F5000000 JNZ 1_exe_un.004B163A ;假码长度要是偶数才不
跳死
004B1545 .8D55 E0 LEA EDX,DWORD PTR SS: ;飞过海
004B1548 .B8 C0164B00 MOV EAX,1_exe_un.004B16C0 ;ASCII "922198542863"
004B154D > .E8 EAE6FFFF CALL 1_exe_un.004AFC3C ;-
>Unit_004AE7C0.Proc_004AFC3C
004B1552 .8D55 E4 LEA EDX,DWORD PTR SS:
004B1555 .B8 D8164B00 MOV EAX,1_exe_un.004B16D8 ;ASCII "3323005532047"
004B155A > .E8 DDE6FFFF CALL 1_exe_un.004AFC3C ;-
>Unit_004AE7C0.Proc_004AFC3C
004B155F .8D45 F8 LEA EAX,DWORD PTR SS:
004B1562 .8B55 DC MOV EDX,DWORD PTR SS: ;用户名
004B1565 > .E8 7628F5FF CALL 1_exe_un.00403DE0 ;-
>system.@LStrLAsg;string之间是数据Copy
004B156A .33DB XOR EBX,EBX ;
004B156C .8B45 F8 MOV EAX,DWORD PTR SS: ;用户名
004B156F > .E8 542AF5FF CALL 1_exe_un.00403FC8 ;-
>system.@LStrLen:Integer;取得用户名长度EAX
004B1574 .85C0 TEST EAX,EAX
004B1576 .7E 13 JLE SHORT 1_exe_un.004B158B
004B1578 .BA 01000000 MOV EDX,1
004B157D >8B4D F8 MOV ECX,DWORD PTR SS: ;用户名
004B1580 .0FB64C11 FF MOVZX ECX,BYTE PTR DS: ;用户名字符ASC十六进制
004B1585 .03D9 ADD EBX,ECX ;把每个用户名字符ASC十
六进制相加起来保存在EBX
004B1587 .42 INC EDX
004B1588 .48 DEC EAX ;EAX为计数器
004B1589 .^ 75 F2 JNZ SHORT 1_exe_un.004B157D ;每个用户名字符都计算
完就不跳
004B158B >8D45 F4 LEA EAX,DWORD PTR SS:
004B158E .50 PUSH EAX
004B158F .B9 01000000 MOV ECX,1
004B1594 .BA 01000000 MOV EDX,1
004B1599 .8B45 F8 MOV EAX,DWORD PTR SS: ;用户名
004B159C > .E8 2F2CF5FF CALL 1_exe_un.004041D0 ;->system.@LStrCopy;
004B15A1 .8BC3 MOV EAX,EBX ;将上面计算结果存入EAX
004B15A3 .B9 09000000 MOV ECX,9
004B15A8 .99 CDQ
004B15A9 .F7F9 IDIV ECX ;eax=eax div 9
004B15AB .8BC2 MOV EAX,EDX ;将其余数送到EAX
004B15AD .8D55 D0 LEA EDX,DWORD PTR SS:
004B15B0 > .E8 2F83F5FF CALL 1_exe_un.004098E4 ;-
>Unit_00408838.Proc_004098E4
004B15B5 .8B55 D0 MOV EDX,DWORD PTR SS:
004B15B8 .8D45 F4 LEA EAX,DWORD PTR SS:
004B15BB > .E8 102AF5FF CALL 1_exe_un.00403FD0 ;->system.@LStrCat;
004B15C0 .8D45 EC LEA EAX,DWORD PTR SS:
004B15C3 .8B55 D8 MOV EDX,DWORD PTR SS: ;假码
004B15C6 > .E8 1528F5FF CALL 1_exe_un.00403DE0 ;->system.@LStrLAsg;
004B15CB 8D55 E8 LEA EDX,DWORD PTR SS:
004B15CE 8B45 EC MOV EAX,DWORD PTR SS: ;假码
004B15D1 > .E8 AEFDFFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1384>;-
>:Tfrmreg.Proc_004B1384() 就在跟踪到这里时按F8步过时,程序退出
004B15D6 .8D45 F0 LEA EAX,DWORD PTR SS:
004B15D9 .50 PUSH EAX
004B15DA .8B4D E4 MOV ECX,DWORD PTR SS:
004B15DD .8B55 E0 MOV EDX,DWORD PTR SS:
004B15E0 .8B45 E8 MOV EAX,DWORD PTR SS:
004B15E3 > .E8 98F7FFFF CALL 1_exe_un.004B0D80 ;-
>Unit_004B0D48.Proc_004B0D80
004B15E8 .8B45 F4 MOV EAX,DWORD PTR SS:
004B15EB .8B55 F0 MOV EDX,DWORD PTR SS:
004B15EE > .E8 E52AF5FF CALL 1_exe_un.004040D8 ;->system.@LStrCmp;
004B15F3 .75 06 JNZ SHORT 1_exe_un.004B15FB
004B15F5 .C645 FF 01 MOV BYTE PTR SS:,1
004B15F9 .EB 2F JMP SHORT 1_exe_un.004B162A
004B15FB >8D45 CC LEA EAX,DWORD PTR SS:
004B15FE .50 PUSH EAX
004B15FF .B9 01000000 MOV ECX,1
004B1604 .BA 01000000 MOV EDX,1
004B1609 .8B45 F0 MOV EAX,DWORD PTR SS:
004B160C > .E8 BF2BF5FF CALL 1_exe_un.004041D0 ;->system.@LStrCopy;
004B1611 .8B45 CC MOV EAX,DWORD PTR SS:
004B1614 .BA F0164B00 MOV EDX,1_exe_un.004B16F0
004B1619 > .E8 BA2AF5FF CALL 1_exe_un.004040D8 ;->system.@LStrCmp;
004B161E .75 06 JNZ SHORT 1_exe_un.004B1626
004B1620 .C645 FF 01 MOV BYTE PTR SS:,1
004B1624 .EB 04 JMP SHORT 1_exe_un.004B162A
004B1626 >C645 FF 00 MOV BYTE PTR SS:,0
004B162A >8D45 E0 LEA EAX,DWORD PTR SS:
004B162D > .E8 FAE8FFFF CALL 1_exe_un.004AFF2C ;-
>Unit_004AE7C0.Proc_004AFF2C
004B1632 .8D45 E4 LEA EAX,DWORD PTR SS:
004B1635 > .E8 F2E8FFFF CALL 1_exe_un.004AFF2C ;-
>Unit_004AE7C0.Proc_004AFF2C
004B163A >33C0 XOR EAX,EAX
004B163C .5A POP EDX
004B163D .59 POP ECX
004B163E .59 POP ECX
004B163F .64:8910 MOV DWORD PTR FS:,EDX
004B1642 .68 76164B00 PUSH 1_exe_un.004B1676
004B1647 >8D45 CC LEA EAX,DWORD PTR SS:
004B164A .BA 02000000 MOV EDX,2
004B164F > .E8 1827F5FF CALL 1_exe_un.00403D6C ;-
>system.@LStrArrayClr;
004B1654 .8D45 D8 LEA EAX,DWORD PTR SS:
004B1657 .BA 02000000 MOV EDX,2
004B165C > .E8 0B27F5FF CALL 1_exe_un.00403D6C ;-
>system.@LStrArrayClr;
004B1661 .8D45 E8 LEA EAX,DWORD PTR SS:
004B1664 .BA 05000000 MOV EDX,5
004B1669 > .E8 FE26F5FF CALL 1_exe_un.00403D6C ;-
>system.@LStrArrayClr;
004B166E .C3 RETN
004B166F > .^ E9 9020F5FF JMP 1_exe_un.00403704 ;-
>system.@HandleFinally;
004B1674 .^ EB D1 JMP SHORT 1_exe_un.004B1647
004B1676 .8A45 FF MOV AL,BYTE PTR SS:
004B1679 .5B POP EBX
004B167A .8BE5 MOV ESP,EBP
004B167C .5D POP EBP
004B167D .C3 RETN
--------------------------------------------------------------------------------
004B15D1 > .E8 AEFDFFFF CALL <1_exe_un.<-Tfrmreg@Proc_004B1384>;-
>:Tfrmreg.Proc_004B1384() 就在跟踪到这里时按F8步过时，程序退出，使得算法分析无法继续下去了 :(
还望高手指教,小弟不胜感激!
--------------------------------------------------------------------------------
2007年06月16日 0:19:20 了解一下。 看来大家对我的问题不感兴趣啊!/:11