优盘搬运工 V2.3 算法分析
【文章标题】: 优盘搬运工 V2.3 算法分析【文章作者】: lzq1973
【作者邮箱】: [email protected]
【作者QQ号】: 150787972
【软件名称】: 优盘搬运工 2.3
【软件大小】: 2039KB
【下载地址】: http://nj.onlinedown.net/soft/46244.htm
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: SN
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD、PEID
【操作平台】: WIN2000
【软件介绍】: 软件时刻监控电脑USB端口,对所有插入的移动存贮设备(优盘、移动硬盘、读卡器)进行操作,依据预先设置把搜索到的符合条件的文件转移到电脑指定位置。
软件采用多线程高速拷贝,智能识别分拣文件。
软件有两种方式启动拷贝操作:
一种是监测到移动存贮设备后自动拷贝,一种是软件启动后立即进行拷贝操作。
完成拷贝操作后可根据设置自动打开目标文件夹或自动卸载移动存贮设备。
软件运行后隐藏在后台,设置或关闭时请用热键呼出:
默认热键为: Ctrl+Alt+U为呼出主界面; Alt+F9为设置是否允许在后台拷贝;
热键可以根据用户使用习惯自定义
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEID查壳为ASPack 2.12 -> Alexey Solodovnikov,用其插件轻松脱之。
OD载入(属重启验证)断在这里
0048BC1C $55 PUSH EBP
0048BC1D .8BEC MOV EBP,ESP
0048BC1F .B9 04000000 MOV ECX,4
0048BC24 >6A 00 PUSH 0
0048BC26 .6A 00 PUSH 0
0048BC28 .49 DEC ECX
0048BC29 .^ 75 F9 JNZ SHORT ucopy_ex.0048BC24
0048BC2B .51 PUSH ECX
0048BC2C .53 PUSH EBX
0048BC2D .56 PUSH ESI
0048BC2E .57 PUSH EDI
0048BC2F .8BD8 MOV EBX,EAX
0048BC31 .33C0 XOR EAX,EAX
0048BC33 .55 PUSH EBP
0048BC34 .68 D3BD4800 PUSH ucopy_ex.0048BDD3
0048BC39 .64:FF30 PUSH DWORD PTR FS:
0048BC3C .64:8920 MOV DWORD PTR FS:,ESP
0048BC3F .C645 FF 00 MOV BYTE PTR SS:,0
0048BC43 .B2 01 MOV DL,1
0048BC45 .A1 002F4300 MOV EAX,DWORD PTR DS:
0048BC4A .E8 B173FAFF CALL ucopy_ex.00433000
0048BC4F .8945 F0 MOV DWORD PTR SS:,EAX
0048BC52 .BA 02000080 MOV EDX,80000002
0048BC57 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BC5A .E8 4174FAFF CALL ucopy_ex.004330A0
0048BC5F .B1 01 MOV CL,1
0048BC61 .BA ECBD4800 MOV EDX,ucopy_ex.0048BDEC ;software\yuelusoft\ucopy
0048BC66 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BC69 .E8 9674FAFF CALL ucopy_ex.00433104
0048BC6E .84C0 TEST AL,AL
0048BC70 .0F84 2D010000 JE ucopy_ex.0048BDA3
0048BC76 .33C9 XOR ECX,ECX
0048BC78 .55 PUSH EBP
0048BC79 .68 69BD4800 PUSH ucopy_ex.0048BD69
0048BC7E .64:FF31 PUSH DWORD PTR FS:
0048BC81 .64:8921 MOV DWORD PTR FS:,ESP
0048BC84 .BA 10BE4800 MOV EDX,ucopy_ex.0048BE10 ;sflag
0048BC89 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BC8C .E8 2377FAFF CALL ucopy_ex.004333B4
0048BC91 .84C0 TEST AL,AL
0048BC93 .0F84 88000000 JE ucopy_ex.0048BD21
0048BC99 .8D4D E8 LEA ECX,DWORD PTR SS:
0048BC9C .BA 20BE4800 MOV EDX,ucopy_ex.0048BE20 ;ASCII "ucopystr"
0048BCA1 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BCA4 .E8 4376FAFF CALL ucopy_ex.004332EC
0048BCA9 .8B45 E8 MOV EAX,DWORD PTR SS: ;假码
0048BCAC .8D55 F8 LEA EDX,DWORD PTR SS:
0048BCAF .E8 04CDF7FF CALL ucopy_ex.004089B8
0048BCB4 .8D4D E4 LEA ECX,DWORD PTR SS:
0048BCB7 .BA 34BE4800 MOV EDX,ucopy_ex.0048BE34 ;ASCII "Name"
0048BCBC .8B45 F0 MOV EAX,DWORD PTR SS:
0048BCBF .E8 2876FAFF CALL ucopy_ex.004332EC
0048BCC4 .8B45 E4 MOV EAX,DWORD PTR SS: ;用户名
0048BCC7 .8D55 F4 LEA EDX,DWORD PTR SS:
0048BCCA .E8 E9CCF7FF CALL ucopy_ex.004089B8
0048BCCF .8B45 F4 MOV EAX,DWORD PTR SS:
0048BCD2 .E8 7D8CF7FF CALL ucopy_ex.00404954
0048BCD7 .48 DEC EAX ;用户名长度-1
0048BCD8 .85C0 TEST EAX,EAX
0048BCDA .7C 12 JL SHORT ucopy_ex.0048BCEE
0048BCDC .40 INC EAX ;加1
0048BCDD .33D2 XOR EDX,EDX
0048BCDF >8B4D F4 MOV ECX,DWORD PTR SS: ;用户名 [用户名长度-1,即除最后一位的前面各位字符16进制累加]
0048BCE2 .0FB64C11 FF MOVZX ECX,BYTE PTR DS: ;各字符16进制
0048BCE7 .014D EC ADD DWORD PTR SS:,ECX ;累加
0048BCEA .42 INC EDX
0048BCEB .48 DEC EAX
0048BCEC .^ 75 F1 JNZ SHORT ucopy_ex.0048BCDF ;循环(加完为止)
0048BCEE >8D45 DC LEA EAX,DWORD PTR SS:
0048BCF1 .50 PUSH EAX
0048BCF2 .8B93 DC030000 MOV EDX,DWORD PTR DS: ;硬件号 (ASCII "KEA52V7144")
0048BCF8 .66:8B4D EC MOV CX,WORD PTR SS: ;累加和赋给CX 堆栈 SS:=01F8
0048BCFC .8BC3 MOV EAX,EBX
0048BCFE .E8 2D480000 CALL ucopy_ex.00490530 ;算法关键1
0048BD03 .8B55 DC MOV EDX,DWORD PTR SS: ;(ASCII "4A5E0F9A0FB0E5DD15A2")
0048BD06 .8D4D E0 LEA ECX,DWORD PTR SS:
0048BD09 .8BC3 MOV EAX,EBX
0048BD0B .E8 E0450000 CALL ucopy_ex.004902F0 ;;算法关键2(b1g与b0相连即为注册码)
0048BD10 .8B45 E0 MOV EAX,DWORD PTR SS: ;(ASCII "EB09054AEFAF05")
0048BD13 .8B55 F8 MOV EDX,DWORD PTR SS: ;假码
0048BD16 .E8 858DF7FF CALL ucopy_ex.00404AA0
0048BD1B .75 04 JNZ SHORT ucopy_ex.0048BD21
0048BD1D .C645 FF 01 MOV BYTE PTR SS:,1
0048BD21 >33D2 XOR EDX,EDX
0048BD23 .55 PUSH EBP
0048BD24 .68 46BD4800 PUSH ucopy_ex.0048BD46
0048BD29 .64:FF32 PUSH DWORD PTR FS:
0048BD2C .64:8922 MOV DWORD PTR FS:,ESP
0048BD2F .BA 44BE4800 MOV EDX,ucopy_ex.0048BE44 ;ASCII "sShow"
0048BD34 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BD37 .E8 7876FAFF CALL ucopy_ex.004333B4
0048BD3C .33C0 XOR EAX,EAX
0048BD3E .5A POP EDX
0048BD3F .59 POP ECX
0048BD40 .59 POP ECX
0048BD41 .64:8910 MOV DWORD PTR FS:,EDX
0048BD44 .EB 19 JMP SHORT ucopy_ex.0048BD5F
0048BD46 .^ E9 1580F7FF JMP ucopy_ex.00403D60
0048BD4B .B1 01 MOV CL,1
0048BD4D .BA 44BE4800 MOV EDX,ucopy_ex.0048BE44 ;ASCII "sShow"
0048BD52 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BD55 .E8 4E76FAFF CALL ucopy_ex.004333A8
0048BD5A .E8 6983F7FF CALL ucopy_ex.004040C8
0048BD5F >33C0 XOR EAX,EAX
0048BD61 .5A POP EDX
0048BD62 .59 POP ECX
0048BD63 .59 POP ECX
0048BD64 .64:8910 MOV DWORD PTR FS:,EDX
0048BD67 .EB 3A JMP SHORT ucopy_ex.0048BDA3
0048BD69 .^ E9 F27FF7FF JMP ucopy_ex.00403D60
0048BD6E .33C9 XOR ECX,ECX
0048BD70 .BA 10BE4800 MOV EDX,ucopy_ex.0048BE10 ;ASCII "sFlag"
0048BD75 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BD78 .E8 2B76FAFF CALL ucopy_ex.004333A8
0048BD7D .B9 54BE4800 MOV ECX,ucopy_ex.0048BE54 ;ASCII "www.new81.com"
0048BD82 .BA 20BE4800 MOV EDX,ucopy_ex.0048BE20 ;ASCII "ucopystr"
0048BD87 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BD8A .E8 3175FAFF CALL ucopy_ex.004332C0
0048BD8F .B1 01 MOV CL,1
0048BD91 .BA 44BE4800 MOV EDX,ucopy_ex.0048BE44 ;ASCII "sShow"
0048BD96 .8B45 F0 MOV EAX,DWORD PTR SS:
0048BD99 .E8 0A76FAFF CALL ucopy_ex.004333A8
0048BD9E .E8 2583F7FF CALL ucopy_ex.004040C8
0048BDA3 >8B45 F0 MOV EAX,DWORD PTR SS:
0048BDA6 .E8 157BF7FF CALL ucopy_ex.004038C0
0048BDAB .33C0 XOR EAX,EAX
0048BDAD .5A POP EDX
0048BDAE .59 POP ECX
0048BDAF .59 POP ECX
0048BDB0 .64:8910 MOV DWORD PTR FS:,EDX
0048BDB3 .68 DABD4800 PUSH ucopy_ex.0048BDDA
0048BDB8 >8D45 DC LEA EAX,DWORD PTR SS:
0048BDBB .BA 04000000 MOV EDX,4
0048BDC0 .E8 F388F7FF CALL ucopy_ex.004046B8
0048BDC5 .8D45 F4 LEA EAX,DWORD PTR SS:
0048BDC8 .BA 02000000 MOV EDX,2
0048BDCD .E8 E688F7FF CALL ucopy_ex.004046B8
0048BDD2 .C3 RETN
0048BDD3 .^ E9 3C82F7FF JMP ucopy_ex.00404014
0048BDD8 .^ EB DE JMP SHORT ucopy_ex.0048BDB8
0048BDDA .8A45 FF MOV AL,BYTE PTR SS:
0048BDDD .5F POP EDI
0048BDDE .5E POP ESI
0048BDDF .5B POP EBX
0048BDE0 .8BE5 MOV ESP,EBP
0048BDE2 .5D POP EBP
0048BDE3 .C3 RETN
--------------- 在这里 0048BCFE .E8 2D480000 CALL ucopy_ex.00490530 F7跟进 ----
00490530/$55 PUSH EBP ; 来到这里
00490531|.8BEC MOV EBP,ESP
00490533|.83C4 F0 ADD ESP,-10
00490536|.53 PUSH EBX
00490537|.56 PUSH ESI
00490538|.57 PUSH EDI
00490539|.33DB XOR EBX,EBX
0049053B|.895D F0 MOV DWORD PTR SS:,EBX
0049053E|.8BF9 MOV EDI,ECX ;ECX=000001F8赋给EDI
00490540|.8955 F8 MOV DWORD PTR SS:,EDX ;(ASCII "KEA52V7144")
00490543|.8945 FC MOV DWORD PTR SS:,EAX
00490546|.8B75 08 MOV ESI,DWORD PTR SS:
00490549|.33C0 XOR EAX,EAX
0049054B|.55 PUSH EBP
0049054C|.68 F5054900 PUSH ucopy_ex.004905F5
00490551|.64:FF30 PUSH DWORD PTR FS:
00490554|.64:8920 MOV DWORD PTR FS:,ESP
00490557|.8BC6 MOV EAX,ESI
00490559|.8B55 F8 MOV EDX,DWORD PTR SS: ;(ASCII "KEA52V7144")
0049055C|.E8 8741F7FF CALL ucopy_ex.004046E8
00490561|.8B45 F8 MOV EAX,DWORD PTR SS: ;机器码
00490564|.E8 EB43F7FF CALL ucopy_ex.00404954
00490569|.85C0 TEST EAX,EAX ;测试长度
0049056B|.7E 5B JLE SHORT ucopy_ex.004905C8
0049056D|.8945 F4 MOV DWORD PTR SS:,EAX ;机器码长度10
00490570|.BB 01000000 MOV EBX,1 ;EBX=1
00490575|>8BC6 /MOV EAX,ESI
00490577|.E8 3046F7FF |CALL ucopy_ex.00404BAC
0049057C|.8B55 F8 |MOV EDX,DWORD PTR SS: ;机器码(ASCII "KEA52V7144")
0049057F|.8A541A FF |MOV DL,BYTE PTR DS: ;对应字符16进制,设为a
00490583|.0FB7CF |MOVZX ECX,DI ;DI初始值为用户名累加而来
00490586|.C1E9 08 |SHR ECX,8 ;逻辑右移8位,为c
00490589|.32D1 |XOR DL,CL ;DL=XOR(DL,c)DL为对应字符的16进制
0049058B|.885418 FF |MOV BYTE PTR DS:,DL ;将其转为字符
0049058F|.8B06 |MOV EAX,DWORD PTR DS: ;逐一转换后的
00490591|.0FB64418 FF |MOVZX EAX,BYTE PTR DS: ;对应的转换后的字符16进制,设其为a
00490596|.66:03F8 |ADD DI,AX ;DI=DI+a
00490599|.8BC7 |MOV EAX,EDI ;EAX=DI
0049059B|.C1E0 02 |SHL EAX,2 ;逻辑左移2,即*4
0049059E|.8D0440 |LEA EAX,DWORD PTR DS: ;EAX*3
004905A1|.66:83C0 62 |ADD AX,62 ;+62
004905A5|.8BF8 |MOV EDI,EAX ;EDI=EAX
004905A7|.8B06 |MOV EAX,DWORD PTR DS:
004905A9|.807C18 FF 00|CMP BYTE PTR DS:,0
004905AE|.75 12 |JNZ SHORT ucopy_ex.004905C2
004905B0|.8BC6 |MOV EAX,ESI
004905B2|.E8 F545F7FF |CALL ucopy_ex.00404BAC
004905B7|.8B55 F8 |MOV EDX,DWORD PTR SS:
004905BA|.8A541A FF |MOV DL,BYTE PTR DS:
004905BE|.885418 FF |MOV BYTE PTR DS:,DL
004905C2|>43 |INC EBX
004905C3|.FF4D F4 |DEC DWORD PTR SS:
004905C6|.^ 75 AD \JNZ SHORT ucopy_ex.00490575
004905C8|>8D4D F0 LEA ECX,DWORD PTR SS:
004905CB|.8B16 MOV EDX,DWORD PTR DS:
004905CD|.8B45 FC MOV EAX,DWORD PTR SS:
004905D0|.E8 77FEFFFF CALL ucopy_ex.0049044C ;将字符串转为16进制
004905D5|.8B55 F0 MOV EDX,DWORD PTR SS: ; (ASCII "4A5E0F9A0FB0E5DD15A2")
004905D8|.8BC6 MOV EAX,ESI
004905DA|.E8 0941F7FF CALL ucopy_ex.004046E8
004905DF|.33C0 XOR EAX,EAX
004905E1|.5A POP EDX
004905E2|.59 POP ECX
004905E3|.59 POP ECX
004905E4|.64:8910 MOV DWORD PTR FS:,EDX
004905E7|.68 FC054900 PUSH ucopy_ex.004905FC
004905EC|>8D45 F0 LEA EAX,DWORD PTR SS:
004905EF|.E8 A040F7FF CALL ucopy_ex.00404694
004905F4\.C3 RETN
004905F5 .^ E9 1A3AF7FF JMP ucopy_ex.00404014
004905FA .^ EB F0 JMP SHORT ucopy_ex.004905EC
004905FC .5F POP EDI
004905FD .5E POP ESI
004905FE .5B POP EBX
004905FF .8BE5 MOV ESP,EBP
00490601 .5D POP EBP
00490602 .C2 0400 RETN 4
---- 在这里 0048BD0B .E8 E0450000 CALL ucopy_ex.004902F0 F7跟进-------
004902F0/$55 PUSH EBP 到这里
004902F1|.8BEC MOV EBP,ESP
004902F3|.6A 00 PUSH 0
004902F5|.6A 00 PUSH 0
004902F7|.6A 00 PUSH 0
004902F9|.6A 00 PUSH 0
004902FB|.6A 00 PUSH 0
004902FD|.53 PUSH EBX
004902FE|.56 PUSH ESI
004902FF|.8BF1 MOV ESI,ECX
00490301|.8955 FC MOV DWORD PTR SS:,EDX ; (ASCII "4A5E0F9A0FB0E5DD15A2"),设其为B
00490304|.8B45 FC MOV EAX,DWORD PTR SS:
00490307|.E8 3848F7FF CALL ucopy_ex.00404B44
0049030C|.33C0 XOR EAX,EAX
0049030E|.55 PUSH EBP
0049030F|.68 A7034900 PUSH ucopy_ex.004903A7
00490314|.64:FF30 PUSH DWORD PTR FS:
00490317|.64:8920 MOV DWORD PTR FS:,ESP
0049031A|.8BC6 MOV EAX,ESI
0049031C|.E8 7343F7FF CALL ucopy_ex.00404694
00490321|.BB 01000000 MOV EBX,1
00490326|>8BC3 /MOV EAX,EBX ;在B中取前14位的奇偶数位组成两组字串
00490328|.25 01000080 |AND EAX,80000001
0049032D|.79 05 |JNS SHORT ucopy_ex.00490334
0049032F|.48 |DEC EAX
00490330|.83C8 FE |OR EAX,FFFFFFFE
00490333|.40 |INC EAX
00490334|>85C0 |TEST EAX,EAX ;是否为单或双
00490336|.75 20 |JNZ SHORT ucopy_ex.00490358
00490338|.8D45 F0 |LEA EAX,DWORD PTR SS: ;是双(即0)就不跳
0049033B|.50 |PUSH EAX
0049033C|.B9 01000000 |MOV ECX,1
00490341|.8BD3 |MOV EDX,EBX
00490343|.8B45 FC |MOV EAX,DWORD PTR SS:
00490346|.E8 6948F7FF |CALL ucopy_ex.00404BB4
0049034B|.8B55 F0 |MOV EDX,DWORD PTR SS:
0049034E|.8D45 F8 |LEA EAX,DWORD PTR SS:
00490351|.E8 0646F7FF |CALL ucopy_ex.0040495C
00490356|.EB 21 |JMP SHORT ucopy_ex.00490379
00490358|>8D45 EC |LEA EAX,DWORD PTR SS: ;是单(即1)就跳到这里
0049035B|.50 |PUSH EAX
0049035C|.B9 01000000 |MOV ECX,1
00490361|.8BD3 |MOV EDX,EBX
00490363|.8B45 FC |MOV EAX,DWORD PTR SS: ;(ASCII "4A5E0F9A0FB0E5DD15A2")
00490366|.E8 4948F7FF |CALL ucopy_ex.00404BB4 ;从右往左连接
0049036B|.8B55 EC |MOV EDX,DWORD PTR SS:
0049036E|.8D45 F4 |LEA EAX,DWORD PTR SS:
00490371|.8B4D F4 |MOV ECX,DWORD PTR SS: ;连接后的赋给ECX
00490374|.E8 2746F7FF |CALL ucopy_ex.004049A0
00490379|>43 |INC EBX
0049037A|.83FB 0F |CMP EBX,0F ;取前14位
0049037D|.^ 75 A7 \JNZ SHORT ucopy_ex.00490326
0049037F|.8BC6 MOV EAX,ESI
00490381|.8B4D F8 MOV ECX,DWORD PTR SS: ; 奇数位(ASCII "AEFAF05")设其为b0
00490384|.8B55 F4 MOV EDX,DWORD PTR SS: ;偶数位翻转(ASCII "EB09054"),设其为b1
00490387|.E8 1446F7FF CALL ucopy_ex.004049A0
0049038C|.33C0 XOR EAX,EAX
0049038E|.5A POP EDX
0049038F|.59 POP ECX
00490390|.59 POP ECX
00490391|.64:8910 MOV DWORD PTR FS:,EDX
00490394|.68 AE034900 PUSH ucopy_ex.004903AE
00490399|>8D45 EC LEA EAX,DWORD PTR SS:
0049039C|.BA 05000000 MOV EDX,5
004903A1|.E8 1243F7FF CALL ucopy_ex.004046B8
004903A6\.C3 RETN
004903A7 .^ E9 683CF7FF JMP ucopy_ex.00404014
004903AC .^ EB EB JMP SHORT ucopy_ex.00490399
004903AE .5E POP ESI
004903AF .5B POP EBX
004903B0 .8BE5 MOV ESP,EBP
004903B2 .5D POP EBP
004903B3 .C3 RETN
--------------------------------------------------------------------------------
【经验总结】
1、x为用户名(除最后一位外的其它各字符16制)累加和
2、a为对应的机器码字符转为的16进制,其初始值为0
3、DI初始值为x
则DI=DI+a,
d=DI*4*3+62(取低位)
那转换后的对应字符16进制b
b=XOR(a,SHR(d,8))
将b逐一相连成B
4、再取B的前14位的奇数(奇数取后要翻转)偶数位分别分为b1、b0,相连就是注册码。
如我的机码为KEA52V7144,用户名为lzq1973,则用户名前6位16进制累加和x为1F8
机器码转各字符分别转为16进制后为4B 45 41 35 32 56 37 31 34 34,即a所对应的值
经运算后B为4A5E0F9A0FB0E5DD15A2,则b0=AEFAF05 ,b1=EB09054(即将45090BE翻转)
注册码=b1+b0=EB09054AEFAF05
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流[请支持正版], 转载请注明作者并保持文章的完整, 谢谢!
2006年04月16日 17:30:50
[ 本帖最后由 lzq1973 于 2006-4-17 05:35 编辑 ] 我现在学的就应该是这里了。谢谢详细的分析。 好祥细。。。学习的说! 好文章,值得学习。
页:
[1]