数据卫士 v1.0.1 脱壳与算法分析
【文章标题】: 数据卫士 v1.0.1 脱壳与算法分析【文章作者】: lzq1973
【作者邮箱】: [email protected]
【作者QQ号】: 150787972
【软件名称】: 数据卫士 v1.0.1
【软件大小】: 525 KB
【下载地址】: http://www5.skycn.com/soft/26186.html
【加壳方式】: PECompact 2.x -> Jeremy Collake
【保护方式】: SN
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD、PEID
【操作平台】: WIN2000
【软件介绍】: 《数据卫士》是专为保障数据安全而设计制作的软件,具有自动备份数据,自动上传备份数据到FTP更有自动清理本地FTP上过期数据功能,防止本地或FTP空间不足以至备份失败。
《数据卫士》v1.0.1在v1.0.0基础上进一步去除了bugs,改变了授权机制,由上一个版本的限制功能免费,改为在试用期内无任何限制,试用期为十天.
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
第一步 脱壳
00401000 >B8 D4025B00 MOV EAX,DataGuar.005B02D4 ; 载入停在这里
00401005 50 PUSH EAX
00401006 64:FF35 0000000>PUSH DWORD PTR FS:
0040100D 64:8925 0000000>MOV DWORD PTR FS:,ESP ; F8到这里,ESP突现 ESP=0012FFBC
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:,ECX
00401018 50 PUSH EAX
00401019 45 INC EBP
0040101A 43 INC EBX
0040101B 6F OUTS DX,DWORD PTR ES: ; I/O 命令
下硬件断点HR 12FFBC,F9运行
005B0303 83C4 04 ADD ESP,4 ; F9运行到这里
005B0306 55 PUSH EBP
005B0307 53 PUSH EBX
005B0308 51 PUSH ECX
005B0309 57 PUSH EDI
005B030A 56 PUSH ESI
005B030B 52 PUSH EDX
005B030C 8D98 12120010 LEA EBX,DWORD PTR DS:
005B0312 8B53 18 MOV EDX,DWORD PTR DS:
005B0315 52 PUSH EDX
005B0316 8BE8 MOV EBP,EAX
005B0318 6A 40 PUSH 40
005B031A 68 00100000 PUSH 1000
005B031F FF73 04 PUSH DWORD PTR DS:
005B0322 6A 00 PUSH 0
005B0324 8B4B 10 MOV ECX,DWORD PTR DS:
005B0327 03CA ADD ECX,EDX
005B0329 8B01 MOV EAX,DWORD PTR DS:
005B032B FFD0 CALL EAX ; 这里回车 EAX=77E7175C (kernel32.VirtualAlloc)
005B032D 5A POP EDX
005B032E 8BF8 MOV EDI,EAX
005B0330 50 PUSH EAX
005B0331 52 PUSH EDX
005B0332 8B33 MOV ESI,DWORD PTR DS:
F8到 005B032B FFD0 CALL EAX 这里,回车
77E7175C >55 PUSH EBP ; 回车到这里
77E7175D 8BEC MOV EBP,ESP
77E7175F FF75 14 PUSH DWORD PTR SS:
77E71762 FF75 10 PUSH DWORD PTR SS:
77E71765 FF75 0C PUSH DWORD PTR SS:
77E71768 FF75 08 PUSH DWORD PTR SS:
77E7176B 6A FF PUSH -1
77E7176D E8 04000000 CALL kernel32.VirtualAllocEx
77E71772 5D POP EBP
77E71773 C2 1000 RETN 10
77E71776 >55 PUSH EBP
77E71777 8BEC MOV EBP,ESP
77E71779 6A FF PUSH -1
F9运行,到这里
0005B0395 5D POP EBP ; 0012FFF0
005B0396 FFE0 JMP EAX ; 这里F8,就是OEP
005B0398 302453 XOR BYTE PTR DS:,AH
005B039B 00BC03 5B00CC03 ADD BYTE PTR DS:,BH
005B03A2 5B POP EBX
005B03A3 00B403 5B00B803 ADD BYTE PTR DS:,DH
005B03AA 5B POP EBX
005B03AB 0000 ADD BYTE PTR DS:,AL
跳到这里
00532430 55 PUSH EBP ; 这里DUMP
00532431 8BEC MOV EBP,ESP
00532433 83C4 F0 ADD ESP,-10
00532436 53 PUSH EBX
00532437 B8 081C5300 MOV EAX,DataGuar.00531C08
0053243C E8 6B46EDFF CALL DataGuar.00406AAC
00532441 8B1D B0AC5300 MOV EBX,DWORD PTR DS: ; DataGuar.0053BBE8
00532447 8B03 MOV EAX,DWORD PTR DS:
00532449 E8 02EEF3FF CALL DataGuar.00471250
到此脱壳完毕~~
第二步 找注册码
老规矩,OD载入后查找相关字符后断在这里
005317DC .55 PUSH EBP
005317DD .8BEC MOV EBP,ESP
005317DF .B9 07000000 MOV ECX,7
005317E4 >6A 00 PUSH 0
005317E6 .6A 00 PUSH 0
005317E8 .49 DEC ECX
005317E9 .^ 75 F9 JNZ SHORT 1.005317E4
005317EB .53 PUSH EBX
005317EC .56 PUSH ESI
005317ED .57 PUSH EDI
005317EE .8945 FC MOV DWORD PTR SS:,EAX
005317F1 .33C0 XOR EAX,EAX
005317F3 .55 PUSH EBP
005317F4 .68 EF1A5300 PUSH 1.00531AEF
005317F9 .64:FF30 PUSH DWORD PTR FS:
005317FC .64:8920 MOV DWORD PTR FS:,ESP
005317FF .8D55 F0 LEA EDX,DWORD PTR SS:
00531802 .8B45 FC MOV EAX,DWORD PTR SS:
00531805 .8B80 2C040000 MOV EAX,DWORD PTR DS:
0053180B .E8 24F4F1FF CALL 1.00450C34
00531810 .8B45 F0 MOV EAX,DWORD PTR SS: ;假码
00531813 .E8 B031EDFF CALL 1.004049C8
00531818 .48 DEC EAX ;假码长度
00531819 .0F8E 67020000 JLE 1.00531A86
0053181F .33FF XOR EDI,EDI
00531821 .8D55 F8 LEA EDX,DWORD PTR SS:
00531824 .8B45 FC MOV EAX,DWORD PTR SS:
00531827 .8B80 24040000 MOV EAX,DWORD PTR DS:
0053182D .E8 02F4F1FF CALL 1.00450C34
00531832 .BE 01000000 MOV ESI,1
00531837 >8D55 EC LEA EDX,DWORD PTR SS: ;算法开始
0053183A .8B45 FC MOV EAX,DWORD PTR SS:
0053183D .8B80 24040000 MOV EAX,DWORD PTR DS:
00531843 .E8 ECF3F1FF CALL 1.00450C34
00531848 .8B45 EC MOV EAX,DWORD PTR SS: ;机器码 (ASCII "567071508776")
0053184B .E8 7831EDFF CALL 1.004049C8
00531850 .8BD8 MOV EBX,EAX
00531852 .2BDE SUB EBX,ESI
00531854 .85DB TEST EBX,EBX
00531856 .7E 1C JLE SHORT 1.00531874
00531858 >8D45 E8 LEA EAX,DWORD PTR SS:
0053185B .8B55 F8 MOV EDX,DWORD PTR SS: ;机器码 (ASCII "567071508776")
0053185E .8A5432 FF MOV DL,BYTE PTR DS:
00531862 .E8 8930EDFF CALL 1.004048F0
00531867 .8B45 E8 MOV EAX,DWORD PTR SS:
0053186A .E8 F57AEDFF CALL 1.00409364
0053186F .03F8 ADD EDI,EAX
00531871 .4B DEC EBX
00531872 .^ 75 E4 JNZ SHORT 1.00531858
00531874 >8D55 E4 LEA EDX,DWORD PTR SS:
00531877 .8BC7 MOV EAX,EDI
00531879 .E8 AA79EDFF CALL 1.00409228
0053187E .8B55 E4 MOV EDX,DWORD PTR SS: ;(ASCII "55")
00531881 .8D45 F4 LEA EAX,DWORD PTR SS:
00531884 .E8 4731EDFF CALL 1.004049D0
00531889 .46 INC ESI
0053188A .83FE 07 CMP ESI,7
0053188D .^ 75 A8 JNZ SHORT 1.00531837
0053188F .8D55 E0 LEA EDX,DWORD PTR SS:
00531892 .8B45 FC MOV EAX,DWORD PTR SS:
00531895 .8B80 2C040000 MOV EAX,DWORD PTR DS:
0053189B .E8 94F3F1FF CALL 1.00450C34
005318A0 .8B45 E0 MOV EAX,DWORD PTR SS:
005318A3 .E8 307BEDFF CALL 1.004093D8
005318A8 .52 PUSH EDX
005318A9 .50 PUSH EAX
005318AA .8B45 F4 MOV EAX,DWORD PTR SS: ;(ASCII "55115178178227233")
005318AD .E8 267BEDFF CALL 1.004093D8
005318B2 .3B5424 04 CMP EDX,DWORD PTR SS:
005318B6 .75 03 JNZ SHORT 1.005318BB
005318B8 .3B0424 CMP EAX,DWORD PTR SS:
005318BB >5A POP EDX
005318BC .58 POP EAX
005318BD .0F85 68010000 JNZ 1.00531A2B ;不等就跳完玩
005318C3 .8D55 D8 LEA EDX,DWORD PTR SS:
005318C6 .33C0 XOR EAX,EAX
005318C8 .E8 6B13EDFF CALL 1.00402C38
005318CD .8B45 D8 MOV EAX,DWORD PTR SS:
005318D0 .8D55 DC LEA EDX,DWORD PTR SS:
005318D3 .E8 A083EDFF CALL 1.00409C78
005318D8 .8D45 DC LEA EAX,DWORD PTR SS:
005318DB .BA 081B5300 MOV EDX,1.00531B08 ;config.ini
005318E0 .E8 EB30EDFF CALL 1.004049D0
005318E5 .8B4D DC MOV ECX,DWORD PTR SS:
005318E8 .B2 01 MOV DL,1
005318EA .A1 985D4300 MOV EAX,DWORD PTR DS:
005318EF .E8 5445F0FF CALL 1.00435E48
005318F4 .8BD8 MOV EBX,EAX
005318F6 .33C0 XOR EAX,EAX
005318F8 .55 PUSH EBP
005318F9 .68 34195300 PUSH 1.00531934
005318FE .64:FF30 PUSH DWORD PTR FS:
00531901 .64:8920 MOV DWORD PTR FS:,ESP
00531904 .8D55 D4 LEA EDX,DWORD PTR SS:
00531907 .8B45 FC MOV EAX,DWORD PTR SS:
0053190A .8B80 2C040000 MOV EAX,DWORD PTR DS:
00531910 .E8 1FF3F1FF CALL 1.00450C34
00531915 .8B45 D4 MOV EAX,DWORD PTR SS:
00531918 .50 PUSH EAX
00531919 .B9 1C1B5300 MOV ECX,1.00531B1C ;注册码
0053191E .BA 2C1B5300 MOV EDX,1.00531B2C ;注册
00531923 .8BC3 MOV EAX,EBX
00531925 .8B18 MOV EBX,DWORD PTR DS:
00531927 .FF53 04 CALL DWORD PTR DS:
0053192A .33C0 XOR EAX,EAX
0053192C .5A POP EDX
0053192D .59 POP ECX
0053192E .59 POP ECX
0053192F .64:8910 MOV DWORD PTR FS:,EDX
00531932 .EB 0A JMP SHORT 1.0053193E
00531934 .^ E9 9B24EDFF JMP 1.00403DD4
00531939 .E8 FE27EDFF CALL 1.0040413C
0053193E >E8 FD9AEDFF CALL 1.0040B440
00531943 .83C4 F8 ADD ESP,-8 ; /
00531946 .DD1C24 FSTP QWORD PTR SS: ; |Arg1 (8 字节)
00531949 .9B WAIT ; |
0053194A .8D45 CC LEA EAX,DWORD PTR SS: ; |
0053194D .E8 5EA8EDFF CALL 1.0040C1B0 ; \1.0040C1B0
00531952 .FF75 CC PUSH DWORD PTR SS:
00531955 .68 3C1B5300 PUSH 1.00531B3C ;-
0053195A .E8 E19AEDFF CALL 1.0040B440
0053195F .83C4 F8 ADD ESP,-8 ; /
00531962 .DD1C24 FSTP QWORD PTR SS: ; |Arg1 (8 字节)
00531965 .9B WAIT ; |
00531966 .8D45 C8 LEA EAX,DWORD PTR SS: ; |
00531969 .E8 5AA8EDFF CALL 1.0040C1C8 ; \1.0040C1C8
0053196E .FF75 C8 PUSH DWORD PTR SS:
00531971 .68 481B5300 PUSH 1.00531B48 ; 注册成功
00531976 .8D45 D0 LEA EAX,DWORD PTR SS:
00531979 .BA 04000000 MOV EDX,4
0053197E .E8 0531EDFF CALL 1.00404A88
00531983 .8B55 D0 MOV EDX,DWORD PTR SS:
00531986 .8B45 FC MOV EAX,DWORD PTR SS:
00531989 .8B80 FC030000 MOV EAX,DWORD PTR DS:
0053198F .8B80 18020000 MOV EAX,DWORD PTR DS:
00531995 .E8 62A1EEFF CALL 1.0041BAFC
0053199A .8B45 FC MOV EAX,DWORD PTR SS:
0053199D .8B80 38040000 MOV EAX,DWORD PTR DS:
005319A3 .BA 601B5300 MOV EDX,1.00531B60 ;软件已经注册
005319A8 .E8 B7F2F1FF CALL 1.00450C64
005319AD .B1 FF MOV CL,0FF
005319AF .B2 80 MOV DL,80
005319B1 .33C0 XOR EAX,EAX
005319B3 .E8 7C60EDFF CALL 1.00407A34
005319B8 .8BD0 MOV EDX,EAX
005319BA .8B45 FC MOV EAX,DWORD PTR SS:
005319BD .8B80 38040000 MOV EAX,DWORD PTR DS:
005319C3 .8B40 68 MOV EAX,DWORD PTR DS:
005319C6 .E8 C54FEFFF CALL 1.00426990
005319CB .8B45 FC MOV EAX,DWORD PTR SS:
005319CE .8B80 30040000 MOV EAX,DWORD PTR DS:
005319D4 .33D2 XOR EDX,EDX
005319D6 .8B08 MOV ECX,DWORD PTR DS:
005319D8 .FF51 64 CALL DWORD PTR DS:
005319DB .8B45 FC MOV EAX,DWORD PTR SS:
005319DE .8B80 2C040000 MOV EAX,DWORD PTR DS:
005319E4 .B2 01 MOV DL,1
005319E6 .E8 5D2FF1FF CALL 1.00444948
005319EB .8B45 FC MOV EAX,DWORD PTR SS:
005319EE .8B80 38040000 MOV EAX,DWORD PTR DS:
005319F4 .E8 77F7F1FF CALL 1.00451170
005319F9 .8B45 FC MOV EAX,DWORD PTR SS:
005319FC .8B80 04030000 MOV EAX,DWORD PTR DS:
00531A02 .B2 01 MOV DL,1
00531A04 .8B08 MOV ECX,DWORD PTR DS:
00531A06 .FF51 64 CALL DWORD PTR DS:
00531A09 .8B45 FC MOV EAX,DWORD PTR SS:
00531A0C .8B80 08030000 MOV EAX,DWORD PTR DS:
00531A12 .B2 01 MOV DL,1
00531A14 .8B08 MOV ECX,DWORD PTR DS:
00531A16 .FF51 64 CALL DWORD PTR DS:
00531A19 .8B45 FC MOV EAX,DWORD PTR SS:
00531A1C .8B80 0C030000 MOV EAX,DWORD PTR DS:
00531A22 .B2 01 MOV DL,1
00531A24 .8B08 MOV ECX,DWORD PTR DS:
00531A26 .FF51 64 CALL DWORD PTR DS:
00531A29 .EB 65 JMP SHORT 1.00531A90
00531A2B >B8 7C1B5300 MOV EAX,1.00531B7C ;无效的注册码!
00531A30 .E8 A319F0FF CALL 1.004333D8
00531A35 .8B45 FC MOV EAX,DWORD PTR SS:
00531A38 .8B80 2C040000 MOV EAX,DWORD PTR DS:
00531A3E .33D2 XOR EDX,EDX
00531A40 .E8 1FF2F1FF CALL 1.00450C64
00531A45 .8B45 FC MOV EAX,DWORD PTR SS:
00531A48 .8B80 38040000 MOV EAX,DWORD PTR DS:
00531A4E .BA 941B5300 MOV EDX,1.00531B94 ;软件尚未注册
00531A53 .E8 0CF2F1FF CALL 1.00450C64
00531A58 .33C9 XOR ECX,ECX
00531A5A .33D2 XOR EDX,EDX
00531A5C .B0 FF MOV AL,0FF
00531A5E .E8 D15FEDFF CALL 1.00407A34
00531A63 .8BD0 MOV EDX,EAX
00531A65 .8B45 FC MOV EAX,DWORD PTR SS:
00531A68 .8B80 38040000 MOV EAX,DWORD PTR DS:
00531A6E .8B40 68 MOV EAX,DWORD PTR DS:
00531A71 .E8 1A4FEFFF CALL 1.00426990
00531A76 .8B45 FC MOV EAX,DWORD PTR SS:
00531A79 .8B80 38040000 MOV EAX,DWORD PTR DS:
00531A7F .E8 ECF6F1FF CALL 1.00451170
00531A84 .EB 0A JMP SHORT 1.00531A90
00531A86 >B8 7C1B5300 MOV EAX,1.00531B7C ;无效的注册码!
00531A8B .E8 4819F0FF CALL 1.004333D8
00531A90 >33C0 XOR EAX,EAX
00531A92 .5A POP EDX
00531A93 .59 POP ECX
00531A94 .59 POP ECX
00531A95 .64:8910 MOV DWORD PTR FS:,EDX
00531A98 .68 F61A5300 PUSH 1.00531AF6
00531A9D >8D45 C8 LEA EAX,DWORD PTR SS:
00531AA0 .BA 03000000 MOV EDX,3
00531AA5 .E8 822CEDFF CALL 1.0040472C
00531AAA .8D45 D4 LEA EAX,DWORD PTR SS:
00531AAD .E8 562CEDFF CALL 1.00404708
00531AB2 .8D45 D8 LEA EAX,DWORD PTR SS:
00531AB5 .BA 02000000 MOV EDX,2
00531ABA .E8 6D2CEDFF CALL 1.0040472C
00531ABF .8D45 E0 LEA EAX,DWORD PTR SS:
00531AC2 .E8 412CEDFF CALL 1.00404708
00531AC7 .8D45 E4 LEA EAX,DWORD PTR SS:
00531ACA .BA 02000000 MOV EDX,2
00531ACF .E8 582CEDFF CALL 1.0040472C
00531AD4 .8D45 EC LEA EAX,DWORD PTR SS:
00531AD7 .BA 02000000 MOV EDX,2
00531ADC .E8 4B2CEDFF CALL 1.0040472C
00531AE1 .8D45 F4 LEA EAX,DWORD PTR SS:
00531AE4 .BA 02000000 MOV EDX,2
00531AE9 .E8 3E2CEDFF CALL 1.0040472C
00531AEE .C3 RETN
00531AEF .^ E9 9425EDFF JMP 1.00404088
00531AF4 .^ EB A7 JMP SHORT 1.00531A9D
00531AF6 .5F POP EDI
00531AF7 .5E POP ESI
00531AF8 .5B POP EBX
00531AF9 .8BE5 MOV ESP,EBP
00531AFB .5D POP EBP
00531AFC .C3 RETN
还好是明码比较,高兴~~
--------------------------------------------------------------------------------
【经验总结】
注:
1、小写字母为下标;
2、注册码只与机器码前6位有关;
设机器码长度为C
取机器码前6位为B,则各字符Bi=B(5)
对应的注册码各部分为A,则
i<7
i=1
i=i+1
Ai=A(i-1)+(C-1)*Bi
将上面计算出的16进制转为10进制后相连则为注册码。
如机器码为567071508776,则前6位B是567071,那Bi(B0=5,B1=6,B2=7,B3=0,B4=7,B5=1)
计算得
A1=37转10进制为55
A2=73转10进制为115
A3=B2转10进制为178
A4=B2转10进制为178
A5=E3转10进制为227
A6=E9转10进制为223
将其相连就是55115178178227233,注册码出来了!
如有兴趣的话帮写出注册码源码~~
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流[请支持正版], 转载请注明作者并保持文章的完整, 谢谢!
2006年04月03日 14:14:47
[ 本帖最后由 lzq1973 于 2006-4-3 06:41 编辑 ] 强~学习了! 好文。学习 真的是小强
页:
[1]