Evidence Exterminator 2.52 简单分析
软件大小:933KB 软件类别:国外软件/卸载工具 共享绿色下载次数:3726 软件授权:共享版
软件语言:英文 运行环境:Win9x/Me/NT/2000/XP/2003
软件评级: 更新时间:2009-6-15 9:48:54
开 发 商:Home Page 联 系 人:未知
http://nj.onlinedown.net/soft/27152.htm
Evidence Exterminator是个人隐私保护软件,可以清除用户使用电脑后留下的所有记录.
程序为Delphi编写,试运行,输入假码后有错误提示"Registration code is invalid!",利用OD插件查找字符串
就可以来到注册核心处。
00498608/$55 push ebp ;按钮事件
00498609|.8BEC mov ebp, esp
0049860B|.B9 05000000 mov ecx, 5
00498610|>6A 00 /push 0
00498612|.6A 00 |push 0
00498614|.49 |dec ecx
00498615|.^ 75 F9 \jnz short 00498610
00498617|.51 push ecx
00498618|.53 push ebx
00498619|.56 push esi
0049861A|.8BF0 mov esi, eax
0049861C|.33C0 xor eax, eax
0049861E|.55 push ebp
0049861F|.68 8D874900 push 0049878D
00498624|.64:FF30 push dword ptr fs:
00498627|.64:8920 mov dword ptr fs:, esp
0049862A|.8D55 F4 lea edx, dword ptr
0049862D|.8B86 44030000 mov eax, dword ptr
00498633|.E8 403BFDFF call 0046C178 ;读取假码
00498638|.8B45 F4 mov eax, dword ptr
0049863B|.8D55 F8 lea edx, dword ptr
0049863E|.E8 2D59FFFF call 0048DF70
00498643|.8B55 F8 mov edx, dword ptr
00498646|.B8 88004B00 mov eax, 004B0088
0049864B|.E8 DCC2F6FF call 0040492C
00498650|.E8 7BFDFFFF call 004983D0 ;关键CALL,待会跟进
00498655|.8BD8 mov ebx, eax
00498657|.84DB test bl, bl ;判断标志位
00498659|.0F84 DC000000 je 0049873B ;跳则失败
0049865F|.C686 64030000>mov byte ptr , 1
00498666|.8D45 FC lea eax, dword ptr
00498669|.50 push eax
0049866A|.8D55 F0 lea edx, dword ptr
0049866D|.B8 A4874900 mov eax, 004987A4 ;bb8281988088ae999f81be949e
00498672|.E8 1167FFFF call 0048ED88 ;解密函数,可以进去看看
00498677|.8B45 F0 mov eax, dword ptr
0049867A|.50 push eax
0049867B|.8D55 EC lea edx, dword ptr
0049867E|.B8 C8874900 mov eax, 004987C8 ;be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
00498683|.E8 0067FFFF call 0048ED88 ;解密函数
00498688|.8B55 EC mov edx, dword ptr
0049868B|.A1 90004B00 mov eax, dword ptr
00498690|.59 pop ecx
00498691|.E8 1A83FFFF call 004909B0
00498696|.8D55 E8 lea edx, dword ptr
00498699|.A1 88004B00 mov eax, dword ptr ;指向注册码
0049869E|.E8 4966FFFF call 0048ECEC ;加密函数
004986A3|.8B45 E8 mov eax, dword ptr ;对注册码进行了加密处理
004986A6|.50 push eax
004986A7|.8D55 E4 lea edx, dword ptr
004986AA|.B8 04884900 mov eax, 00498804 ;a1848a8599bb8c819888
004986AF|.E8 D466FFFF call 0048ED88 ;解密
004986B4|.8B45 E4 mov eax, dword ptr
004986B7|.50 push eax
004986B8|.8D45 E0 lea eax, dword ptr
004986BB|.50 push eax
004986BC|.B8 C8874900 mov eax, 004987C8 ;be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
004986C1|.5A pop edx
004986C2|.E8 C166FFFF call 0048ED88
004986C7|.8B55 E0 mov edx, dword ptr
004986CA|.A1 90004B00 mov eax, dword ptr
004986CF|.59 pop ecx
004986D0|.E8 1B84FFFF call 00490AF0
004986D5|.837D FC 00 cmp dword ptr , 0
004986D9|.75 46 jnz short 00498721
004986DB|.E8 6023F7FF call 0040AA40 ;取注册时间进行运算
004986E0|.83C4 F8 add esp, -8
004986E3|.DD1C24 fstp qword ptr
004986E6|.9B wait
004986E7|.8D45 DC lea eax, dword ptr
004986EA|.E8 2D61FFFF call 0048E81C ;转为字符串
004986EF|.8B45 DC mov eax, dword ptr
004986F2|.50 push eax
004986F3|.8D55 D8 lea edx, dword ptr
004986F6|.B8 A4874900 mov eax, 004987A4 ;bb8281988088ae999f81be949e
004986FB|.E8 8866FFFF call 0048ED88
00498700|.8B45 D8 mov eax, dword ptr
00498703|.50 push eax
00498704|.8D45 D4 lea eax, dword ptr
00498707|.50 push eax
00498708|.B8 C8874900 mov eax, 004987C8 ;be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
0049870D|.5A pop edx
0049870E|.E8 7566FFFF call 0048ED88
00498713|.8B55 D4 mov edx, dword ptr
00498716|.A1 90004B00 mov eax, dword ptr
0049871B|.59 pop ecx
0049871C|.E8 CF83FFFF call 00490AF0
00498721|>6A 40 push 40
00498723|.B9 1C884900 mov ecx, 0049881C ;information
00498728|.BA 28884900 mov edx, 00498828 ;registration has been completed successfully!
0049872D|.A1 8CE84A00 mov eax, dword ptr
00498732|.8B00 mov eax, dword ptr
00498734|.E8 2F43FFFF call 0048CA68
00498739|.EB 22 jmp short 0049875D
0049873B|>B8 88004B00 mov eax, 004B0088
00498740|.E8 93C1F6FF call 004048D8
00498745|.6A 10 push 10
00498747|.B9 58884900 mov ecx, 00498858 ;error
0049874C|.BA 60884900 mov edx, 00498860 ;registration code is invalid!
00498751|.A1 8CE84A00 mov eax, dword ptr
00498756|.8B00 mov eax, dword ptr
00498758|.E8 0B43FFFF call 0048CA68
***********************************************************************************************************
跟进 call 004983D0
下面就是关键算法了:
004983D0/$53 push ebx
004983D1|.56 push esi
004983D2|.57 push edi
004983D3|.BF 88004B00 mov edi, 004B0088
004983D8|.33F6 xor esi, esi ;esi清零,后面计算用到
004983DA|.33DB xor ebx, ebx ;ebx清零
004983DC|.8B07 mov eax, dword ptr
004983DE|.E8 B5C7F6FF call 00404B98 ;取假码长度
004983E3|.83F8 0E cmp eax, 0E ;长度必须是14位
004983E6|.75 67 jnz short 0049844F
004983E8|.8B07 mov eax, dword ptr ;指向假码
004983EA|.8038 32 cmp byte ptr , 32 ;第1位是否是字符2
004983ED|.0F94C0 sete al ;为真则al置1
004983F0|.83E0 7F and eax, 7F ;与操作,高位清零
004983F3|.03F0 add esi, eax ;esi保存判断为真次数
004983F5|.8B07 mov eax, dword ptr
004983F7|.8078 02 36 cmp byte ptr , 36 ;第3位是否是字符6
004983FB|.0F94C0 sete al
004983FE|.83E0 7F and eax, 7F
00498401|.03F0 add esi, eax
00498403|.8B07 mov eax, dword ptr
00498405|.8078 03 33 cmp byte ptr , 33 ;第4位是否是字符3
00498409|.0F94C0 sete al
0049840C|.83E0 7F and eax, 7F
0049840F|.03F0 add esi, eax
00498411|.8B07 mov eax, dword ptr
00498413|.8078 04 32 cmp byte ptr , 32 ;第5位是否是字符2
00498417|.0F94C0 sete al
0049841A|.83E0 7F and eax, 7F
0049841D|.03F0 add esi, eax
0049841F|.8B07 mov eax, dword ptr
00498421|.8078 07 33 cmp byte ptr , 33 ;第8位是否是字符3
00498425|.0F94C0 sete al
00498428|.83E0 7F and eax, 7F
0049842B|.03F0 add esi, eax
0049842D|.8B07 mov eax, dword ptr
0049842F|.8078 08 33 cmp byte ptr , 33 ;第9位是否是字符3
00498433|.0F94C0 sete al
00498436|.83E0 7F and eax, 7F
00498439|.03F0 add esi, eax
0049843B|.8B07 mov eax, dword ptr
0049843D|.8078 0A 34 cmp byte ptr , 34 ;第11位是否是字符4
00498441|.0F94C0 sete al
00498444|.83E0 7F and eax, 7F
00498447|.03F0 add esi, eax ;判断了假码的7位,全部为真则ESI=7
00498449|.83FE 07 cmp esi, 7 ;比较
0049844C|.0F94C3 sete bl ;为真则置bl=1
0049844F|>8BC3 mov eax, ebx ;传递给eax
00498451|.5F pop edi
00498452|.5E pop esi
00498453|.5B pop ebx
00498454\.C3 retn
*********************************************************************************************
算法不难,但后面保存到注册表时,大家可以看到注册表项和子键都做了加密,使用时进行了解密。
注册码进行了加密,注册时间运算后也在注册表进行了保存。我们可以看看它是如何解密的。
跟进 call 0048ED88 这个解密函数看看:
0048ED88/$55 push ebp
0048ED89|.8BEC mov ebp, esp
0048ED8B|.6A 00 push 0
0048ED8D|.6A 00 push 0
0048ED8F|.6A 00 push 0
0048ED91|.53 push ebx
0048ED92|.56 push esi
0048ED93|.57 push edi
0048ED94|.8BF2 mov esi, edx
0048ED96|.8945 FC mov dword ptr , eax
0048ED99|.8B45 FC mov eax, dword ptr
0048ED9C|.E8 E75FF7FF call 00404D88
0048EDA1|.33C0 xor eax, eax
0048EDA3|.55 push ebp
0048EDA4|.68 1BEE4800 push 0048EE1B
0048EDA9|.64:FF30 push dword ptr fs:
0048EDAC|.64:8920 mov dword ptr fs:, esp
0048EDAF|.8BC6 mov eax, esi
0048EDB1|.E8 225BF7FF call 004048D8
0048EDB6|.33FF xor edi, edi
0048EDB8|.EB 3A jmp short 0048EDF4
0048EDBA|>8D45 F8 /lea eax, dword ptr
0048EDBD|.50 |push eax
0048EDBE|.8D57 01 |lea edx, dword ptr
0048EDC1|.B9 02000000 |mov ecx, 2
0048EDC6|.8B45 FC |mov eax, dword ptr
0048EDC9|.E8 2A60F7FF |call 00404DF8 ;依次取固定字符串2位
0048EDCE|.8B45 F8 |mov eax, dword ptr
0048EDD1|.E8 C6F4FFFF |call 0048E29C ;字符转为对应16进制数值
0048EDD6|.E8 09FFFFFF |call 0048ECE4 ;16进制数值再进行简单计算,跟进
0048EDDB|.8BD8 |mov ebx, eax ;然后依次保存到一内存空间
0048EDDD|.8D45 F4 |lea eax, dword ptr
0048EDE0|.8BD3 |mov edx, ebx
0048EDE2|.E8 D95CF7FF |call 00404AC0
0048EDE7|.8B55 F4 |mov edx, dword ptr
0048EDEA|.8BC6 |mov eax, esi
0048EDEC|.E8 AF5DF7FF |call 00404BA0
0048EDF1|.83C7 02 |add edi, 2 ;每次取2位,所以加2
0048EDF4|>8B45 FC mov eax, dword ptr
0048EDF7|.E8 9C5DF7FF |call 00404B98 ;取固定码长度
0048EDFC|.3BF8 |cmp edi, eax ;判断固定码是否取完
0048EDFE|.^ 7C BA \jl short 0048EDBA
0048EE00|.33C0 xor eax, eax
0048EE02|.5A pop edx
0048EE03|.59 pop ecx
0048EE04|.59 pop ecx
0048EE05|.64:8910 mov dword ptr fs:, edx
0048EE08|.68 22EE4800 push 0048EE22
0048EE0D|>8D45 F4 lea eax, dword ptr
0048EE10|.BA 03000000 mov edx, 3
0048EE15|.E8 E25AF7FF call 004048FC
0048EE1A\.C3 retn
再跟进call 0048ECE4看看
0048ECE4/$F6D0 not al
0048ECE6|.34 ED xor al, 0ED
0048ECE8|.F6D0 not al
0048ECEA\.C3 retn
所以解密很简单:依次取固定字符串2位,转为对应的16进制数值,
取反、与0EDh异或、再取反(两次取反相互抵消,净效果等价于直接与0EDh异或),组成另一字符串,解密即完成。如
26位固定字符串"BB8281988088AE999F81BE949E"
解密后为13位
"VolumeCtrlSys"。
感兴趣的朋友可以用正在学的C语言自己写一下解密函数。
总结:算法非常简单;注册表中的"加密"只是用固定常量0EDh做异或的可逆变换,不含任何密钥,所以显得意义不大,不过可以作为我们学习简单算法和加密的对象。
简单构成一个可用注册码:21632673304897
我的注册表项
Windows Registry Editor Version 5.00
"SuperStructure"="39979.6338688079"
"LightValue"="DFDCDBDEDFDBDADEDEDDD9D5D4DA"
"VolumeCtrlSys"="39979.6653520949"
"DFDCDBDEDFDBDADEDEDDD9D5D4DA"就是加密后的“21632673304897”。
很好的对算法分析进行学习的例子。
下载学习研究一下,顶。
楼主分析得详细,学习了。