飘云阁电脑XX助手算法分析 - Powered by Discuz! Archiver

丑男无敌 发表于 2009-3-1 19:19:37

电脑XX助手算法分析

【文章标题】: 电脑XX助手算法分析
【文章作者】: 丑男无敌
【软件名称】: 电脑XX助手
【加壳方式】: 无壳
【编写语言】: Delphi
【使用工具】: OD
【操作平台】: XP
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
   因为是国内软件，就不写出名字了。而且作者在网上放出的软件是demo版，代码和资源都不全，仅当练习分析算法之用。
   作者耍了一个小把戏，安装完的程序只是个幌子，只是调用的作用，真正的程序放在了C盘，这个用任务管理器一看就看出来了。注册软件会有错误提示，随便输入假吗，出现错误提示后用F12暂停法，断下后，通过几层回溯找到错误处，很快就找到关键call了。

00498828|.FF92 04010000 call dword ptr          ;关键call,F7进去
0049882E|.8B15 ACFF4900 mov edx, dword ptr       ;
00498834|.8802       mov byte ptr , al
00498836|.A1 ACFF4900 mov eax, dword ptr
0049883B|.8038 00    cmp byte ptr , 0
0049883E|.75 19       jnz short 00498859
00498840|.6A 00       push 0
00498842|.A1 00044A00 mov eax, dword ptr
00498847|.8B00       mov eax, dword ptr
00498849|.66:8B0D C0884>mov cx, word ptr
00498850|.B2 01       mov dl, 1
00498852|.E8 EDA4F9FF call 00432D44                      ;注册码错误提示
00498857|.EB 3E       jmp short 00498897

00498754/.55          push ebp
00498755|.8BEC       mov ebp, esp
00498757|.6A 00       push 0
00498759|.6A 00       push 0
0049875B|.53          push ebx
0049875C|.8BD8       mov ebx, eax
0049875E|.33C0       xor eax, eax
00498760|.55          push ebp
00498761|.68 B6874900 push 004987B6
00498766|.64:FF30    push dword ptr fs:
00498769|.64:8920    mov dword ptr fs:, esp
0049876C|.8D55 FC    lea edx, dword ptr
0049876F|.8BC3       mov eax, ebx
00498771|.8B08       mov ecx, dword ptr
00498773|.FF91 F4000000 call dword ptr
00498779|.8B45 FC    mov eax, dword ptr
0049877C|.50          push eax
0049877D|.8D55 F8    lea edx, dword ptr
00498780|.8BC3       mov eax, ebx
00498782|.8B08       mov ecx, dword ptr
00498784|.FF91 F8000000 call dword ptr
0049878A|.8B45 F8    mov eax, dword ptr       ;机器码出现 3414745805
0049878D|.8B8B 20030000 mov ecx, dword ptr
00498793|.5A          pop edx
00498794|.E8 B7ECFFFF call 00497450                      ;关键call，继续F7进

00497450/$55          push ebp
00497451|.8BEC       mov ebp, esp
00497453|.81C4 FCFEFFFF add esp, -104
00497459|.53          push ebx
0049745A|.56          push esi
0049745B|.57          push edi
0049745C|.33DB       xor ebx, ebx
0049745E|.895D FC    mov dword ptr , ebx
00497461|.8BF9       mov edi, ecx
00497463|.8BF2       mov esi, edx
00497465|.8BD8       mov ebx, eax
00497467|.33C0       xor eax, eax
00497469|.55          push ebp
0049746A|.68 B7744900 push 004974B7
0049746F|.64:FF30    push dword ptr fs:
00497472|.64:8920    mov dword ptr fs:, esp
00497475|.8D8D FCFEFFFF lea ecx, dword ptr
0049747B|.8BD7       mov edx, edi
0049747D|.8BC3       mov eax, ebx
0049747F|.E8 64FEFFFF call 004972E8                      ;关键算法处，F7跟进
00497484|.8D95 FCFEFFFF lea edx, dword ptr
0049748A|.8D45 FC    lea eax, dword ptr
0049748D|.E8 4ACFF6FF call 004043DC
00497492|.8B45 FC    mov eax, dword ptr
00497495|.8BD6       mov edx, esi
00497497|.E8 E8D0F6FF call 00404584                      ;真假比较,明码的软件
0049749C|.0F94C0    sete al                            ;标志位，可爆破，改 setne al 或 mov al,1 均可
0049749F|.8BD8       mov ebx, eax
004974A1|.33C0       xor eax, eax

004972E8/$55          push ebp
004972E9|.8BEC       mov ebp, esp
004972EB|.83C4 E0    add esp, -20
004972EE|.53          push ebx
004972EF|.56          push esi
004972F0|.57          push edi
004972F1|.33DB       xor ebx, ebx
004972F3|.895D E0    mov dword ptr , ebx
004972F6|.895D E4    mov dword ptr , ebx
004972F9|.895D E8    mov dword ptr , ebx
004972FC|.8BF9       mov edi, ecx
004972FE|.8955 F8    mov dword ptr , edx
00497301|.8945 FC    mov dword ptr , eax
00497304|.8B45 FC    mov eax, dword ptr
00497307|.E8 1CD3F6FF call 00404628
0049730C|.8B45 F8    mov eax, dword ptr
0049730F|.E8 14D3F6FF call 00404628
00497314|.33C0       xor eax, eax
00497316|.55          push ebp
00497317|.68 41744900 push 00497441
0049731C|.64:FF30    push dword ptr fs:
0049731F|.64:8920    mov dword ptr fs:, esp
00497322|.837D FC 00 cmp dword ptr , 0
00497326|.74 6F       je    short 00497397
00497328|.BB 01000000 mov ebx, 1
0049732D|.8D75 EF    lea esi, dword ptr
00497330|>8B45 FC    /mov eax, dword ptr
00497333|.E8 00D1F6FF |call 00404438                      ;取机器码位数，10位
00497338|.50          |push eax
00497339|.8BC3       |mov eax, ebx
0049733B|.48          |dec eax
0049733C|.5A          |pop edx
0049733D|.8BCA       |mov ecx, edx
0049733F|.99          |cdq
00497340|.F7F9       |idiv ecx
00497342|.8B45 FC    |mov eax, dword ptr
00497345|.8A0410    |mov al, byte ptr       ;顺序逐次取机器码
00497348|.50          |push eax
00497349|.8B45 FC    |mov eax, dword ptr
0049734C|.E8 E7D0F6FF |call 00404438
00497351|.5A          |pop edx
00497352|.32D0       |xor dl, al                      ;机器码与机器码的位数异或
00497354|.32D3       |xor dl, bl                      ;机器码与其序号异或，得X
00497356|.8816       |mov byte ptr , dl
00497358|.43          |inc ebx
00497359|.46          |inc esi
0049735A|.83FB 0A    |cmp ebx, 0A
0049735D|.^ 75 D1       \jnz short 00497330                ;循环
0049735F|.8B45 FC    mov eax, dword ptr
00497362|.E8 D1D0F6FF call 00404438
00497367|.8BF0       mov esi, eax
00497369|.85F6       test esi, esi
0049736B|.7E 2A       jle short 00497397
0049736D|.BB 01000000 mov ebx, 1
00497372|>8B45 FC    /mov eax, dword ptr
00497375|.E8 BED0F6FF |call 00404438
0049737A|.2BC3       |sub eax, ebx
0049737C|.8B55 FC    |mov edx, dword ptr
0049737F|.8A0C02    |mov cl, byte ptr       ;倒序逐次取机器码
00497382|.8BC3       |mov eax, ebx
00497384|.48          |dec eax
00497385|.51          |push ecx
00497386|.B9 09000000 |mov ecx, 9
0049738B|.99          |cdq
0049738C|.F7F9       |idiv ecx
0049738E|.59          |pop ecx
0049738F|.304C15 EF |xor byte ptr , cl    ;倒序取出的机器码与上面得出的 X 异或,得Y
00497393|.43          |inc ebx
00497394|.4E          |dec esi
00497395|.^ 75 DB       \jnz short 00497372                ;循环
00497397|>837D F8 00 cmp dword ptr , 0
0049739B|.74 39       je    short 004973D6
0049739D|.BB 01000000 mov ebx, 1
004973A2|.8D75 EF    lea esi, dword ptr       ;将 Y 的最后一位替换第一位
004973A5|>8B45 F8    /mov eax, dword ptr       ;固定码 weEF789Ld0121 参与运算
004973A8|.E8 8BD0F6FF |call 00404438                      ;取固定码位数
004973AD|.50          |push eax
004973AE|.8BC3       |mov eax, ebx
004973B0|.48          |dec eax
004973B1|.5A          |pop edx
004973B2|.8BCA       |mov ecx, edx
004973B4|.99          |cdq
004973B5|.F7F9       |idiv ecx
004973B7|.8B45 F8    |mov eax, dword ptr
004973BA|.8A0410    |mov al, byte ptr       ;顺序逐次取固定码
004973BD|.3206       |xor al, byte ptr          ;Y与固定码异或，得Z
004973BF|.50          |push eax
004973C0|.8B45 F8    |mov eax, dword ptr
004973C3|.E8 70D0F6FF |call 00404438
004973C8|.5A          |pop edx
004973C9|.32D0       |xor dl, al                      ;Z与固定码位数异或，得A
004973CB|.32D3       |xor dl, bl                      ;A与固定码序号异或，得B
004973CD|.8816       |mov byte ptr , dl          ;传送B到EDX
004973CF|.43          |inc ebx
004973D0|.46          |inc esi
004973D1|.83FB 0A    |cmp ebx, 0A
004973D4|.^ 75 CF       \jnz short 004973A5
004973D6|>8D45 E8    lea eax, dword ptr
004973D9|.E8 9ACDF6FF call 00404178
004973DE|.BB 09000000 mov ebx, 9
004973E3|.8D75 EF    lea esi, dword ptr
004973E6|>8D45 E4    /lea eax, dword ptr       ;此循环是把B合并起来
004973E9|.8A16       |mov dl, byte ptr
004973EB|.E8 70CFF6FF |call 00404360
004973F0|.8B55 E4    |mov edx, dword ptr
004973F3|.8D45 E8    |lea eax, dword ptr
004973F6|.E8 45D0F6FF |call 00404440
004973FB|.46          |inc esi
004973FC|.4B          |dec ebx
004973FD|.^ 75 E7       \jnz short 004973E6
004973FF|.8D55 E0    lea edx, dword ptr
00497402|.8B45 E8    mov eax, dword ptr       ;合并起来的B EfK@3<?Bg
00497405|.E8 9AFDFFFF call 004971A4                      ;最后一层算法，F7跟进
0049740A|.8B55 E0    mov edx, dword ptr       ;真码
0049740D|.8BC7       mov eax, edi
0049740F|.B9 FF000000 mov ecx, 0FF
00497414|.E8 FBCFF6FF call 00404414
00497419|.33C0       xor eax, eax
0049741B|.5A          pop edx
0049741C|.59          pop ecx
0049741D|.59          pop ecx
0049741E|.64:8910    mov dword ptr fs:, edx
00497421|.68 48744900 push 00497448
00497426|>8D45 E0    lea eax, dword ptr
00497429|.BA 03000000 mov edx, 3
0049742E|.E8 69CDF6FF call 0040419C
00497433|.8D45 F8    lea eax, dword ptr
00497436|.BA 02000000 mov edx, 2
0049743B|.E8 5CCDF6FF call 0040419C
00497440\.C3          retn
00497441 .^ E9 36C7F6FF jmp 00403B7C
00497446 .^ EB DE       jmp short 00497426
00497448 .5F          pop edi
00497449 .5E          pop esi
0049744A .5B          pop ebx
0049744B .8BE5       mov esp, ebp
0049744D .5D          pop ebp
0049744E .C3          retn

004971A4/$55          push ebp
004971A5|.8BEC       mov ebp, esp
004971A7|.83C4 F0    add esp, -10
004971AA|.53          push ebx
004971AB|.56          push esi
004971AC|.57          push edi
004971AD|.33C9       xor ecx, ecx
004971AF|.894D F0    mov dword ptr , ecx
004971B2|.8BFA       mov edi, edx
004971B4|.8945 FC    mov dword ptr , eax
004971B7|.8B45 FC    mov eax, dword ptr
004971BA|.E8 69D4F6FF call 00404628
004971BF|.33C0       xor eax, eax
004971C1|.55          push ebp
004971C2|.68 D8724900 push 004972D8
004971C7|.64:FF30    push dword ptr fs:
004971CA|.64:8920    mov dword ptr fs:, esp
004971CD|.8BC7       mov eax, edi
004971CF|.E8 A4CFF6FF call 00404178
004971D4|.E9 D7000000 jmp 004972B0
004971D9|>8B45 FC    /mov eax, dword ptr       ;此call是把B分成三段来计算，以第一段EfK来演示
004971DC|.E8 57D2F6FF |call 00404438
004971E1|.8BC8       |mov ecx, eax
004971E3|.8BC1       |mov eax, ecx
004971E5|.BB 03000000 |mov ebx, 3
004971EA|.99          |cdq
004971EB|.F7FB       |idiv ebx
004971ED|.85C0       |test eax, eax
004971EF|.7E 07       |jle short 004971F8
004971F1|.BB 03000000 |mov ebx, 3
004971F6|.EB 02       |jmp short 004971FA
004971F8|>8BD9       |mov ebx, ecx
004971FA|>8D45 F9    |lea eax, dword ptr
004971FD|.33C9       |xor ecx, ecx
004971FF|.BA 03000000 |mov edx, 3
00497204|.E8 9BBBF6FF |call 00402DA4
00497209|.8D45 F5    |lea eax, dword ptr
0049720C|.B9 40000000 |mov ecx, 40
00497211|.BA 04000000 |mov edx, 4
00497216|.E8 89BBF6FF |call 00402DA4
0049721B|.8D45 FC    |lea eax, dword ptr
0049721E|.E8 6DD4F6FF |call 00404690
00497223|.8D55 F9    |lea edx, dword ptr
00497226|.8BCB       |mov ecx, ebx
00497228|.E8 5FB7F6FF |call 0040298C
0049722D|.83FB 03    |cmp ebx, 3
00497230|.7C 08       |jl    short 0049723A
00497232|.8A45 FB    |mov al, byte ptr          ;取第3字节 4B
00497235|.24 3F       |and al, 3F                      ;与运算
00497237|.8845 F8    |mov byte ptr , al          ;得 0B——————计算得的第1个字节
0049723A|>83FB 02    |cmp ebx, 2
0049723D|.7C 15       |jl    short 00497254
0049723F|.8A45 FA    |mov al, byte ptr          ;第2字节 66
00497242|.C1E0 02    |shl eax, 2                      ;左移两位
00497245|.33D2       |xor edx, edx
00497247|.8A55 FB    |mov dl, byte ptr          ;第3字节 4B
0049724A|.C1EA 06    |shr edx, 6                      ;右移两位
0049724D|.0AC2       |or    al, dl                      ;移位后的两者异或
0049724F|.24 3F       |and al, 3F                      ;与运算
00497251|.8845 F7    |mov byte ptr , al          ;得 19——————计算得的第2个字节
00497254|>8A45 F9    |mov al, byte ptr          ;第1字节 45
00497257|.8BD0       |mov edx, eax
00497259|.C1E2 04    |shl edx, 4                      ;左移四位
0049725C|.33C9       |xor ecx, ecx
0049725E|.8A4D FA    |mov cl, byte ptr          ;第2字节 66
00497261|.C1E9 04    |shr ecx, 4                      ;右移四位
00497264|.0AD1       |or    dl, cl                      ;移位后两者异或
00497266|.80E2 3F    |and dl, 3F                      ;与运算
00497269|.8855 F6    |mov byte ptr , dl          ;得 16——————计算得的第3个字节
0049726C|.25 FF000000 |and eax, 0FF                      ;与远算
00497271|.C1E8 02    |shr eax, 2                      ;右移两位
00497274|.24 3F       |and al, 3F                      ;与运算
00497276|.8845 F5    |mov byte ptr , al          ;得11 ——————计算得的第4个字节
00497279|.8D45 FC    |lea eax, dword ptr
0049727C|.8BCB       |mov ecx, ebx
0049727E|.BA 01000000 |mov edx, 1
00497283|.E8 50D4F6FF |call 004046D8                      ;取剩下的B@3<?Bg
00497288|.BE 04000000 |mov esi, 4
0049728D|.8D5D F5    |lea ebx, dword ptr
00497290|>8D45 F0    |/lea eax, dword ptr
00497293|.33D2       ||xor edx, edx
00497295|.8A13       ||mov dl, byte ptr          ;倒序取刚才计算出的4个字节，放入edx
00497297|.8A92 2DFD4900 ||mov dl, byte ptr    ;注意的地址，通过查表得注册码
0049729D|.E8 BED0F6FF ||call 00404360
004972A2|.8B55 F0    ||mov edx, dword ptr
004972A5|.8BC7       ||mov eax, edi
004972A7|.E8 94D1F6FF ||call 00404440
004972AC|.43          ||inc ebx
004972AD|.4E          ||dec esi
004972AE|.^ 75 E0       |\jnz short 00497290             ;循环4次
004972B0|>837D FC 00 cmp dword ptr , 0          ;
004972B4|.^ 0F85 1FFFFFFF \jnz 004971D9                      ;循环2次，把B计算完
004972BA|.33C0       xor eax, eax
004972BC|.5A          pop edx
004972BD|.59          pop ecx
004972BE|.59          pop ecx
004972BF|.64:8910    mov dword ptr fs:, edx
004972C2|.68 DF724900 push 004972DF
004972C7|>8D45 F0    lea eax, dword ptr
004972CA|.E8 A9CEF6FF call 00404178
004972CF|.8D45 FC    lea eax, dword ptr
004972D2|.E8 A1CEF6FF call 00404178
004972D7\.C3          retn
004972D8 .^ E9 9FC8F6FF jmp 00403B7C
004972DD .^ EB E8       jmp short 004972C7
004972DF .5F          pop edi
004972E0 .5E          pop esi                            ;0012CBD0
004972E1 .5B          pop ebx
004972E2 .8BE5       mov esp, ebp
004972E4 .5D          pop ebp
004972E5 .C3          retn

表：
0049FD27       47 00 41 49 59 .AIY
0049FD2F41 47 50 58 44 4A 51 57AGPXDJQW
0049FD374D 48 56 43 4E 46 55 5AMHVCNFUZ
0049FD3F52 42 4B 45 53 4F 4C 54RBKESOLT
0049FD4774 66 6B 79 73 62 6F 68tfkysboh
0049FD4F6C 75 6A 77 65 63 70 6Dlujwecpm
0049FD5769 61 71 6E 64 78 7A 76iaqndxzv
0049FD5F67 72 34 36 2B 30 32 35gr46+025
0049FD6737 33 2F 38 31 3D 39 8B73/81=9
0049FD6FC0 30 31 32 33 34 35 36?123456
0049FD7737 38 39 61 62 63 64 65789abcde
0049FD7F66                   f

--------------------------------------------------------------------------------
【经验总结】
1、顺序逐次取机器码，然后与其位数异或，再与其序号异或，得X
2、倒序逐次取机器码，与上面得出的 X 异或,得Y，并把Y 的最后替换到第一位
3、固定码 weEF789Ld0121 参与运算，顺序逐次取固定码与Y异或，然后分别与固定码的位数和序号异或，得B
4、把B分成三段来计算，每一段经过计算得4个字节，将字节倒序放入edx，通过的地址查到对应的字母，再
把12个字母合起来就是注册码了。

软件是明码比较的，一下就爆出来了，但是放出来的demo版，也拿它没办法。算法虽然有很多段，但是都是比较简单的运算
，注册码的最后一段算法，其实就是首先设置一个密码表，然后通过一个循环，让内存地址的指针指向密码表的某个位置，
所指的字符就是注册码，再把这12个字符合起来就是注册码了，这样的算法不知道该怎么写算法注册机。

--------------------------------------------------------------------------------

[ 本帖最后由丑男无敌于 2009-3-1 19:38 编辑 ]

孤漂江湖狼 发表于 2009-3-1 21:50:01

进来膜拜/:good

孤漂江湖狼 发表于 2009-3-1 21:50:55

给个软件的下载地址，也好学习啊

兰色流氓兔 发表于 2009-3-2 23:20:33

这个算法分析进来学习下

页: [1]

飘云阁's Archiver

电脑XX助手算法分析