A simple algorithm analysis of RunGuard (运行守护者).
Find the software yourself. The program is packed with ASProtect; unpack it with a script.
The software has a self-check. When the error message appears, F12 plus the call stack makes it very easy to locate. Change 0041ECDE to EB 20 and the self-check passes; it is simple, so I won't go into detail.
Load the program, run it, and enter registration info; an error message appears. Searching for the error string with C32 locates the registration code:
0041BEF4 .8BCE mov ecx,esi
0041BEF6 .E8 4BB80200 call <jmp.&mfc42.#3097>
0041BEFB .8B5424 0C mov edx,dword ptr ss:
0041BEFF .395A F8 cmp dword ptr ds:,ebx ;check whether the username length is 0
0041BF02 .75 2D jnz short unpacked.0041BF31
0041BF04 .68 26040000 push 426
0041BF09 .8BCE mov ecx,esi
0041BF0B .E8 6AB70200 call <jmp.&mfc42.#3092>
0041BF10 .8BC8 mov ecx,eax
0041BF12 .E8 B1B70200 call <jmp.&mfc42.#5981>
0041BF17 .8B4E 60 mov ecx,dword ptr ds:
0041BF1A .53 push ebx
0041BF1B .6A 02 push 2
0041BF1D .68 D8DE4500 push unpacked.0045DED8
0041BF22 .68 CCDE4500 push unpacked.0045DECC
0041BF27 .E8 445C0000 call unpacked.00421B70
0041BF2C .E9 96000000 jmp unpacked.0041BFC7
0041BF31 >8B4424 08 mov eax,dword ptr ss:
0041BF35 .8B40 F8 mov eax,dword ptr ds:
0041BF38 .3BC3 cmp eax,ebx ;check whether the serial length is 0
0041BF3A .75 2A jnz short unpacked.0041BF66
0041BF3C .68 27040000 push 427
0041BF41 .8BCE mov ecx,esi
0041BF43 .E8 32B70200 call <jmp.&mfc42.#3092>
0041BF48 .8BC8 mov ecx,eax
0041BF4A .E8 79B70200 call <jmp.&mfc42.#5981>
0041BF4F .8B4E 60 mov ecx,dword ptr ds:
0041BF52 .53 push ebx
0041BF53 .6A 02 push 2
0041BF55 .68 ACDE4500 push unpacked.0045DEAC
0041BF5A .68 CCDE4500 push unpacked.0045DECC
0041BF5F .E8 0C5C0000 call unpacked.00421B70
0041BF64 .EB 61 jmp short unpacked.0041BFC7
0041BF66 >83F8 1D cmp eax,1D ;check whether the serial length is 0x1D
0041BF69 .0F85 87000000 jnz unpacked.0041BFF6 ;jump to the error message
0041BF6F .6A 2D push 2D
0041BF71 .8D4C24 0C lea ecx,dword ptr ss:
0041BF75 .E8 ECB80200 call <jmp.&mfc42.#2763> ;check that the 6th character of the serial is "-"
0041BF7A .83F8 05 cmp eax,5
0041BF7D .75 77 jnz short unpacked.0041BFF6 ;jump to the error message
0041BF7F .8D4C24 0C lea ecx,dword ptr ss:
0041BF83 .51 push ecx
After that, the software prompts for a restart to verify the registration info. Looking at the strings again, the suspicious strings "sUserID" and "sSerialID" show up. Set breakpoints on both in OD; after the restart it breaks at 004226A7, which is where the registration info is loaded. Return out of this CALL and you can see the key part.
0041FF2E .E8 B9770200 call <jmp.&mfc42.#1768>
0041FF33 .8BCE mov ecx,esi
0041FF35 .E8 A6220000 call unpacked.004221E0 ;we come out here
0041FF3A .85C0 test eax,eax
0041FF3C .75 0C jnz short unpacked.0041FF4A
0041FF3E .68 D7000000 push 0D7 ; /Arg1 = 000000D7
0041FF43 .8BCE mov ecx,esi ; |
0041FF45 .E8 A6A6FEFF call unpacked.0040A5F0 ; \unpacked.0040A5F0
0041FF4A >8D9E FC0B0000 lea ebx,dword ptr ds:
0041FF50 .68 19000200 push 20019
0041FF55 .68 D4DA4500 push unpacked.0045DAD4 ;ASCII "SOFTWARE\softown\RunGuard\Rules"
0041FF5A .68 02000080 push 80000002
0041FF5F .8BCB mov ecx,ebx
0041FF61 .E8 CA700200 call unpacked.00447030
0041FF66 .85C0 test eax,eax
0041FF68 .75 12 jnz short unpacked.0041FF7C
0041FF6A .57 push edi
0041FF6B .68 D4DA4500 push unpacked.0045DAD4 ;ASCII "SOFTWARE\softown\RunGuard\Rules"
0041FF70 .68 02000080 push 80000002
0041FF75 .8BCB mov ecx,ebx
0041FF77 .E8 F4700200 call unpacked.00447070
0041FF7C >8B86 8C1C0000 mov eax,dword ptr ds:
0041FF82 .8D8E 8C1C0000 lea ecx,dword ptr ds:
0041FF88 .3978 F8 cmp dword ptr ds:,edi ;check whether the username length is 0
0041FF8B .0F84 87010000 je unpacked.00420118
0041FF91 .8B96 901C0000 mov edx,dword ptr ds:
0041FF97 .837A F8 1D cmp dword ptr ds:,1D ;check whether the serial length is 0x1D
0041FF9B .0F85 77010000 jnz unpacked.00420118
0041FFA1 .8B40 F8 mov eax,dword ptr ds:
0041FFA4 .50 push eax
0041FFA5 .50 push eax
0041FFA6 .E8 E3770200 call <jmp.&mfc42.#2915>
0041FFAB .50 push eax
0041FFAC .8D4424 20 lea eax,dword ptr ss:
0041FFB0 .50 push eax
0041FFB1 .E8 BAA3FFFF call unpacked.0041A370 ;compute the MD5 of the username (lowercase)
0041FFB6 .83C4 0C add esp,0C
0041FFB9 .89BC24 8C030000 mov dword ptr ss:,edi
0041FFC0 .897C24 2C mov dword ptr ss:,edi
0041FFC4 .33ED xor ebp,ebp
0041FFC6 >6A 05 push 5 ;loop start
0041FFC8 .8D4C24 20 lea ecx,dword ptr ss:
0041FFCC .55 push ebp
0041FFCD .51 push ecx
0041FFCE .8D8E 901C0000 lea ecx,dword ptr ds:
0041FFD4 .E8 7F7A0200 call <jmp.&mfc42.#4278> ;take, one at a time, the 5-character groups of the entered serial separated by "-"
0041FFD9 .8B5424 18 mov edx,dword ptr ss:
0041FFDD .8B4C24 2C mov ecx,dword ptr ss:
0041FFE1 .6A 04 push 4
0041FFE3 .51 push ecx
0041FFE4 .8A043A mov al,byte ptr ds: ;load the username MD5 characters one at a time into AL
0041FFE7 .8D5424 38 lea edx,dword ptr ss:
0041FFEB .52 push edx
0041FFEC .8D8E 881C0000 lea ecx,dword ptr ds:
0041FFF2 .C68424 98030000 01 mov byte ptr ss:,1
0041FFFA .884424 40 mov byte ptr ss:,al
0041FFFE .E8 557A0200 call <jmp.&mfc42.#4278> ;take 4 characters of the machine code in turn
00420003 .8B4C24 34 mov ecx,dword ptr ss:
00420007 .8D5424 24 lea edx,dword ptr ss:
0042000B .51 push ecx
0042000C .50 push eax
0042000D .52 push edx
0042000E .C68424 98030000 02 mov byte ptr ss:,2
00420016 .E8 D57B0200 call <jmp.&mfc42.#923> ;concatenate the 4 machine-code characters with the one MD5 character taken above
0042001B .8D4C24 30 lea ecx,dword ptr ss:
0042001F .C68424 8C030000 04 mov byte ptr ss:,4
00420027 .E8 24760200 call <jmp.&mfc42.#800>
0042002C .8B4424 24 mov eax,dword ptr ss:
00420030 .8D4C24 24 lea ecx,dword ptr ss:
00420034 .8B40 F8 mov eax,dword ptr ds:
00420037 .50 push eax
00420038 .50 push eax
00420039 .E8 50770200 call <jmp.&mfc42.#2915>
0042003E .8D4C24 24 lea ecx,dword ptr ss:
00420042 .50 push eax
00420043 .51 push ecx
00420044 .E8 27A3FFFF call unpacked.0041A370 ;compute the MD5 of the concatenated string
00420049 .83C4 0C add esp,0C
0042004C .8D4C24 20 lea ecx,dword ptr ss:
00420050 .C68424 8C030000 05 mov byte ptr ss:,5
00420058 .E8 997B0200 call <jmp.&mfc42.#4204> ;then convert to uppercase
0042005D .8D5424 10 lea edx,dword ptr ss:
00420061 .6A 05 push 5
00420063 .52 push edx
00420064 .8D4C24 28 lea ecx,dword ptr ss:
00420068 .E8 61760200 call <jmp.&mfc42.#4129> ;take the first 5 characters (the real serial)
0042006D .8B00 mov eax,dword ptr ds:
0042006F .50 push eax ; /push the real serial
00420070 .8B4424 20 mov eax,dword ptr ss: ; |
00420074 .50 push eax ; |push the entered serial
00420075 .FF15 E8F74400 call dword ptr ds:[<&msvcrt._mbscm>; \compare the real and entered serials
0042007B .83C4 08 add esp,8
0042007E .8D4C24 10 lea ecx,dword ptr ss:
00420082 .85C0 test eax,eax
00420084 0F95C3 setne bl ;one of the patch points
00420087 .E8 C4750200 call <jmp.&mfc42.#800>
0042008C .84DB test bl,bl
0042008E .C68424 8C030000 04 mov byte ptr ss:,4
00420096 .8D4C24 20 lea ecx,dword ptr ss:
0042009A .75 41 jnz short unpacked.004200DD
0042009C .E8 AF750200 call <jmp.&mfc42.#800>
004200A1 .8D4C24 24 lea ecx,dword ptr ss:
004200A5 .C68424 8C030000 01 mov byte ptr ss:,1
004200AD .E8 9E750200 call <jmp.&mfc42.#800>
004200B2 .8D4C24 1C lea ecx,dword ptr ss:
004200B6 .C68424 8C030000 00 mov byte ptr ss:,0
004200BE .E8 8D750200 call <jmp.&mfc42.#800>
004200C3 .8B4C24 2C mov ecx,dword ptr ss:
004200C7 .83C5 06 add ebp,6
004200CA .47 inc edi
004200CB .83C1 04 add ecx,4
004200CE .83FD 1E cmp ebp,1E
004200D1 .894C24 2C mov dword ptr ss:,ecx
004200D5 .^ 0F8C EBFEFFFF jl unpacked.0041FFC6 ;loop end
004200DB .EB 27 jmp short unpacked.00420104
004200DD >E8 6E750200 call <jmp.&mfc42.#800>
004200E2 .8D4C24 24 lea ecx,dword ptr ss:
There are many ways to patch it; I'll mention just one: change the setne bl I marked above to sete bl or mov bl,0.
The algorithm is simple, so I won't summarize it. Attached is the key part of the keygen source, in Easy Language (易语言), which is easy to follow.
.版本 2
.支持库 dp1
yhm = 取数据摘要 (到字节集 (编辑框2.内容))
s1 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 1, 4) + 取文本中间 (yhm, 1, 1))), 5))
s2 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 5, 4) + 取文本中间 (yhm, 2, 1))), 5))
s3 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 9, 4) + 取文本中间 (yhm, 3, 1))), 5))
s4 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 13, 4) + 取文本中间 (yhm, 4, 1))), 5))
s5 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 17, 4) + 取文本中间 (yhm, 5, 1))), 5))
sn = s1 + “-” + s2 + “-” + s3 + “-” + s4 + “-” + s5
Here 编辑框1 is the machine code and 编辑框2 is the username. 取数据摘要 computes the MD5 hash.
My algorithm skills are rather weak, so I can only manage simple ones like this, heh.
Heh heh. There's still an empty table. Sit down and read it slowly.