Analysis of the course software Pic2Ico V2.4_By_yAtEs
PYG's 10th round of teaching is about to start, so I downloaded the software N大 will be presenting and analyzed it. Thread: https://www.chinapyg.com/viewthread.php?tid=56123 I'm not a student yet, so I'm not sure whether this board is the right place for the post ⊙﹏⊙
This article analyzes:
Pic2Ico V2.4 (program flow)
http://www.exeicon.com/picture-to-icon/
The target is protected with a compression packer; debugging it with the packer still on, you can search for the error message string to reach the key location:
—————————————————————————————————————————————————
00424CAB|.E8 08E3FFFF call 00422FB8 ;// algorithm CALL, step into
00424CB0|.59 pop ecx
00424CB1|.8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico._IconConverter
00424CB7|.8B11 mov edx, dword ptr
00424CB9|.8882 F8030000 mov byte ptr , al
00424CBF|.FF4D C4 dec dword ptr
00424CC2|.8D45 F4 lea eax, dword ptr
00424CC5|.BA 02000000 mov edx, 2
00424CCA|.E8 092E0C00 call 004E7AD8
00424CCF|.A1 64D15000 mov eax, dword ptr
00424CD4|.8B08 mov ecx, dword ptr
00424CD6|.80B9 F8030000>cmp byte ptr , 0
00424CDD|.0F84 1F020000 je 00424F02 ;// jump to registration failure
00424CE3|.66:C745 B8 2C>mov word ptr , 2C
00424CE9|.8D45 F0 lea eax, dword ptr
00424CEC|.E8 DFDDFDFF call 00402AD0
00424CF1|.8BD0 mov edx, eax
00424CF3|.FF45 C4 inc dword ptr
00424CF6|.8B4D A4 mov ecx, dword ptr
00424CF9|.8B81 04030000 mov eax, dword ptr
00424CFF|.E8 DC0B0900 call 004B58E0
00424D04|.8D55 F0 lea edx, dword ptr
00424D07|.8B45 A4 mov eax, dword ptr
00424D0A|.05 1C030000 add eax, 31C
00424D0F|.E8 F42D0C00 call 004E7B08
00424D14|.FF4D C4 dec dword ptr
00424D17|.8D45 F0 lea eax, dword ptr
00424D1A|.BA 02000000 mov edx, 2
00424D1F|.E8 B42D0C00 call 004E7AD8
00424D24|.8B45 A4 mov eax, dword ptr
00424D27|.05 1C030000 add eax, 31C
00424D2C|.E8 D3D0FDFF call 00401E04
00424D31|.0FBE50 17 movsx edx, byte ptr ;// take the ASCII value of Sn1's 24th character
00424D35|.83FA 30 cmp edx, 30 ;// compare with 30H (0)
00424D38|.7C 16 jl short 00424D50 ;// jump if less
00424D3A|.8B45 A4 mov eax, dword ptr
00424D3D|.05 1C030000 add eax, 31C
00424D42|.E8 BDD0FDFF call 00401E04
00424D47|.0FBE50 17 movsx edx, byte ptr ;// take the ASCII value of Sn1's 24th character
00424D4B|.83FA 39 cmp edx, 39 ;// compare with 39H (9)
00424D4E|.7E 0F jle short 00424D5F ;// jump if less or equal
00424D50|>8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico._IconConverter
00424D56|.8B01 mov eax, dword ptr
00424D58|.C680 F8030000>mov byte ptr , 0
00424D5F|>B2 01 mov dl, 1
00424D61|.A1 2CDA4500 mov eax, dword ptr
00424D66|.E8 C18D0300 call 0045DB2C
00424D6B|.8945 9C mov dword ptr , eax
00424D6E|.BA 01000080 mov edx, 80000001
00424D73|.8B45 9C mov eax, dword ptr
00424D76|.E8 692B0C00 call 004E78E4
00424D7B|.8B15 64D15000 mov edx, dword ptr ;Pic2Ico._IconConverter
00424D81|.8B0A mov ecx, dword ptr
00424D83|.80B9 F8030000>cmp byte ptr , 0
00424D8A|.0F84 06010000 je 00424E96 ;// below, the registration info is written to the registry
00424D90|.66:C745 B8 38>mov word ptr , 38
00424D96|.BA E5035000 mov edx, 005003E5 ;ASCII "Software\XTZY\Pic2Ico"
00424D9B|.8D45 EC lea eax, dword ptr
00424D9E|.E8 D52B0C00 call 004E7978
00424DA3|.FF45 C4 inc dword ptr
00424DA6|.8B10 mov edx, dword ptr
00424DA8|.B1 01 mov cl, 1
00424DAA|.8B45 9C mov eax, dword ptr
00424DAD|.E8 7E8E0300 call 0045DC30
00424DB2|.84C0 test al, al
00424DB4|.0F95C0 setne al
00424DB7|.83E0 01 and eax, 1
00424DBA|.50 push eax
00424DBB|.FF4D C4 dec dword ptr
00424DBE|.8D45 EC lea eax, dword ptr
00424DC1|.BA 02000000 mov edx, 2
00424DC6|.E8 0D2D0C00 call 004E7AD8
00424DCB|.59 pop ecx
00424DCC|.85C9 test ecx, ecx
00424DCE|.0F84 C2000000 je 00424E96
00424DD4|.8D45 E4 lea eax, dword ptr
00424DD7|.E8 F4DCFDFF call 00402AD0
00424DDC|.8BD0 mov edx, eax
00424DDE|.FF45 C4 inc dword ptr
00424DE1|.8B4D A4 mov ecx, dword ptr
00424DE4|.8B81 04030000 mov eax, dword ptr
00424DEA|.E8 F10A0900 call 004B58E0
00424DEF|.8D55 E4 lea edx, dword ptr
00424DF2|.FF32 push dword ptr
00424DF4|.66:C745 B8 44>mov word ptr , 44
00424DFA|.BA FB035000 mov edx, 005003FB ;ASCII "NO"
00424DFF|.8D45 E8 lea eax, dword ptr
00424E02|.E8 712B0C00 call 004E7978
00424E07|.FF45 C4 inc dword ptr
00424E0A|.8B10 mov edx, dword ptr
00424E0C|.8B45 9C mov eax, dword ptr
00424E0F|.59 pop ecx
00424E10|.E8 B78F0300 call 0045DDCC
00424E15|.FF4D C4 dec dword ptr
00424E18|.8D45 E4 lea eax, dword ptr
00424E1B|.BA 02000000 mov edx, 2
00424E20|.E8 B32C0C00 call 004E7AD8
00424E25|.FF4D C4 dec dword ptr
00424E28|.8D45 E8 lea eax, dword ptr
00424E2B|.BA 02000000 mov edx, 2
00424E30|.E8 A32C0C00 call 004E7AD8
00424E35|.8D45 DC lea eax, dword ptr
00424E38|.E8 93DCFDFF call 00402AD0
00424E3D|.8BD0 mov edx, eax
00424E3F|.FF45 C4 inc dword ptr
00424E42|.8B4D A4 mov ecx, dword ptr
00424E45|.8B81 00030000 mov eax, dword ptr
00424E4B|.E8 900A0900 call 004B58E0
00424E50|.8D55 DC lea edx, dword ptr
00424E53|.FF32 push dword ptr
00424E55|.66:C745 B8 50>mov word ptr , 50
00424E5B|.BA FE035000 mov edx, 005003FE ;ASCII "Name"
00424E60|.8D45 E0 lea eax, dword ptr
00424E63|.E8 102B0C00 call 004E7978
00424E68|.FF45 C4 inc dword ptr
00424E6B|.8B10 mov edx, dword ptr
00424E6D|.8B45 9C mov eax, dword ptr
00424E70|.59 pop ecx
00424E71|.E8 568F0300 call 0045DDCC
00424E76|.FF4D C4 dec dword ptr
00424E79|.8D45 DC lea eax, dword ptr
00424E7C|.BA 02000000 mov edx, 2
00424E81|.E8 522C0C00 call 004E7AD8
00424E86|.FF4D C4 dec dword ptr
00424E89|.8D45 E0 lea eax, dword ptr
00424E8C|.BA 02000000 mov edx, 2
00424E91|.E8 422C0C00 call 004E7AD8
00424E96|>8B45 9C mov eax, dword ptr
00424E99|.E8 FE8C0300 call 0045DB9C
00424E9E|.8B55 9C mov edx, dword ptr
00424EA1|.8955 D4 mov dword ptr , edx
00424EA4|.837D D4 00 cmp dword ptr , 0
00424EA8|.74 21 je short 00424ECB
00424EAA|.8B4D D4 mov ecx, dword ptr
00424EAD|.8B01 mov eax, dword ptr
00424EAF|.8945 D8 mov dword ptr , eax
00424EB2|.66:C745 B8 68>mov word ptr , 68
00424EB8|.BA 03000000 mov edx, 3
00424EBD|.8B45 D4 mov eax, dword ptr
00424EC0|.8B08 mov ecx, dword ptr
00424EC2|.FF51 FC call dword ptr
00424EC5|.66:C745 B8 5C>mov word ptr , 5C
00424ECB|>66:C745 B8 74>mov word ptr , 74
00424ED1|.BA 03045000 mov edx, 00500403 ;ASCII "Register successfully!",LF,"Thank you."
00424ED6|.8D45 D0 lea eax, dword ptr
00424ED9|.E8 9A2A0C00 call 004E7978
00424EDE|.FF45 C4 inc dword ptr
00424EE1|.8B00 mov eax, dword ptr
00424EE3|.E8 80B00800 call 004AFF68
00424EE8|.FF4D C4 dec dword ptr
00424EEB|.8D45 D0 lea eax, dword ptr
00424EEE|.BA 02000000 mov edx, 2
00424EF3|.E8 E02B0C00 call 004E7AD8
00424EF8|.8B45 A4 mov eax, dword ptr
00424EFB|.E8 F0010800 call 004A50F0
00424F00|.EB 37 jmp short 00424F39
00424F02|>66:C745 B8 80>mov word ptr , 80
00424F08|.BA 25045000 mov edx, 00500425 ;ASCII "Your registration code is invalid.",LF,"If you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. Or please send email to: [email protected] ",LF
—————————————————————————————————————————————————
00423025|.E8 F243FEFF call 0040741C
0042302A|.83F8 2C cmp eax, 2C ;// take the length of the trial code and compare with 2C
0042302D|.0F85 44020000 jnz 00423277 ;// jump to the dead end if not equal
00423033|.BE B4FF4F00 mov esi, 004FFFB4 ;1z1h+2a0n-0g8y*9a1n|
00423038|.8D7D 84 lea edi, dword ptr
0042303B|.B9 05000000 mov ecx, 5
00423040|.F3:A5 rep movs dword ptr es:, dword ptr >
00423042|.A4 movs byte ptr es:, byte ptr
00423043|.66:C745 E8 08>mov word ptr , 8
00423049|.8D45 08 lea eax, dword ptr
0042304C|.E8 B3EDFDFF call 00401E04
00423051|.0FBE50 28 movsx edx, byte ptr ;// take the ASCII value of Sn1's 41st character
00423055|.83FA 50 cmp edx, 50 ;// compare with 50 (P)
00423058|.74 23 je short 0042307D ;// jump if equal
0042305A|.33C0 xor eax, eax
0042305C|.50 push eax
0042305D|.FF4D F4 dec dword ptr
00423060|.8D45 08 lea eax, dword ptr
00423063|.BA 02000000 mov edx, 2
00423068|.E8 6B4A0C00 call 004E7AD8
0042306D|.58 pop eax
0042306E|.8B55 D8 mov edx, dword ptr
00423071|.64:8915 00000>mov dword ptr fs:, edx
00423078|.E9 19020000 jmp 00423296
0042307D|>8D45 08 lea eax, dword ptr
00423080|.E8 7FEDFDFF call 00401E04
00423085|.0FBE50 29 movsx edx, byte ptr ;// take the ASCII value of Sn1's 42nd character
00423089|.83FA 32 cmp edx, 32 ;// compare with 32 (2)
0042308C|.74 23 je short 004230B1 ;// jump if equal
0042308E|.33C0 xor eax, eax
00423090|.50 push eax
00423091|.FF4D F4 dec dword ptr
00423094|.8D45 08 lea eax, dword ptr
00423097|.BA 02000000 mov edx, 2
0042309C|.E8 374A0C00 call 004E7AD8
004230A1|.58 pop eax
004230A2|.8B55 D8 mov edx, dword ptr
004230A5|.64:8915 00000>mov dword ptr fs:, edx
004230AC|.E9 E5010000 jmp 00423296
004230B1|>8D45 08 lea eax, dword ptr
004230B4|.E8 4BEDFDFF call 00401E04
004230B9|.0FBE50 2A movsx edx, byte ptr ;// take the ASCII value of Sn1's 43rd character
004230BD|.83FA 49 cmp edx, 49 ;// compare with 49 (I)
004230C0|.74 23 je short 004230E5 ;// jump if equal
004230C2|.33C0 xor eax, eax
004230C4|.50 push eax
004230C5|.FF4D F4 dec dword ptr
004230C8|.8D45 08 lea eax, dword ptr
004230CB|.BA 02000000 mov edx, 2
004230D0|.E8 034A0C00 call 004E7AD8
004230D5|.58 pop eax
004230D6|.8B55 D8 mov edx, dword ptr
004230D9|.64:8915 00000>mov dword ptr fs:, edx
004230E0|.E9 B1010000 jmp 00423296
004230E5|>8D45 08 lea eax, dword ptr
004230E8|.E8 17EDFDFF call 00401E04
004230ED|.0FBE50 2B movsx edx, byte ptr ;// take the ASCII value of Sn1's 44th character
004230F1|.83FA 34 cmp edx, 34 ;// compare with 34 (4)
004230F4|.74 23 je short 00423119 ;// jump if equal
004230F6|.33C0 xor eax, eax
004230F8|.50 push eax
004230F9|.FF4D F4 dec dword ptr
004230FC|.8D45 08 lea eax, dword ptr
004230FF|.BA 02000000 mov edx, 2
00423104|.E8 CF490C00 call 004E7AD8
00423109|.58 pop eax
0042310A|.8B55 D8 mov edx, dword ptr
0042310D|.64:8915 00000>mov dword ptr fs:, edx
00423114|.E9 7D010000 jmp 00423296
00423119|>8D45 08 lea eax, dword ptr
0042311C|.E8 E3ECFDFF call 00401E04
00423121|.50 push eax
00423122|.8D55 9C lea edx, dword ptr
00423125|.52 push edx
00423126|.E8 FD940B00 call 004DC628
0042312B|.83C4 08 add esp, 8
0042312E|.0FBE4D 9D movsx ecx, byte ptr ;// take the ASCII value of Sn1's 2nd character
00423132|.83F9 33 cmp ecx, 33 ;// compare with 33 (3)
00423135|.0F85 3C010000 jnz 00423277 ;// jump if not equal
0042313B|.C645 9D 23 mov byte ptr , 23 ;// 23 (#) -> Sn1's 2nd character
0042313F|.C645 D7 01 mov byte ptr , 1
00423143|.C745 D0 02000>mov dword ptr , 2
0042314A|> /8B45 D0 /mov eax, dword ptr
0042314D|. |0FBE5405 84 |movsx edx, byte ptr ;// take the ASCII value of Sn2's 3rd character
00423152|. |8B4D D0 |mov ecx, dword ptr
00423155|. |0FBE440D 9B |movsx eax, byte ptr ;// take the ASCII value of Sn1's 2nd character
0042315A|. |03D0 |add edx, eax ;//Sn1.3+Sn1.2
0042315C|. |8B4D D0 |mov ecx, dword ptr
0042315F|. |0FBE440D 9C |movsx eax, byte ptr ;// take the ASCII value of Sn1's 3rd character
00423164|. |33D0 |xor edx, eax ;//xor (Sn1.3+Sn1.2),Sn1.3=
00423166|. |8B4D D0 |mov ecx, dword ptr
00423169|. |0FBE440D 84 |movsx eax, byte ptr ;// take the ASCII value of Sn2's 3rd character
0042316E|. |33D0 |xor edx, eax ;//xor ,Sn2.2=
00423170|. |52 |push edx
00423171|. |E8 A275FEFF |call 0040A718
00423176|. |59 |pop ecx
00423177|. |B9 1A000000 |mov ecx, 1A ;// store 1A in ECX
0042317C|. |99 |cdq
0042317D|. |F7F9 |idiv ecx ;// W÷1A, quotient 3 goes to EAX, remainder 8 to EDX
0042317F|. |83C2 41 |add edx, 41 ;// remainder + 41 =
00423182|. |8B45 D0 |mov eax, dword ptr
00423185|. |0FBE4C05 A5 |movsx ecx, byte ptr ;// take the ASCII value of Sn1's 12th character
0042318A|. |3BD1 |cmp edx, ecx ;// compare with Sn1.12
0042318C|. |74 06 |je short 00423194 ;// jump if equal
0042318E|. |C645 D7 00 |mov byte ptr , 0
00423192|. |EB 09 |jmp short 0042319D
00423194|> |FF45 D0 |inc dword ptr ;// counter
00423197|. |837D D0 0A |cmp dword ptr , 0A ;// compare the number of characters taken with 0A (10)
0042319B|.^\7C AD \jl short 0042314A
—————————————————————————————————————————————————
From the analysis, the 12th character of the registration code corresponding to Sn1 should be 49 (I);
The computation proceeds by "adding one" in the same way: if the preceding character is valid, the next one is computed, giving in turn characters 12 to 19 of the registration code for Sn1: IRNVLHHT
The analysis gives Sn1=13345678901IRNVLHHT012345678901234567890P2I4;
—————————————————————————————————————————————————
0042319D|>807D D7 00 cmp byte ptr , 0
004231A1|.0F84 C3000000 je 0042326A
004231A7|.C745 CC 18000>mov dword ptr , 18
004231AE|.66:C745 E8 08>mov word ptr , 8
004231B4|.837D CC 28 cmp dword ptr , 28
004231B8|.7D 4B jge short 00423205
004231BA|>8B55 CC /mov edx, dword ptr
004231BD|.0FBE4415 85 |movsx eax, byte ptr ;// take the ASCII value of Sn1's 2nd character
004231C2|.B9 06000000 |mov ecx, 6 ;// store 6 in ECX
004231C7|.99 |cdq
004231C8|.F7F9 |idiv ecx ;// Sn1.2÷6, quotient 5 goes to EAX, remainder 5 to EDX
004231CA|.8BCA |mov ecx, edx ;// store remainder 5 in ECX
004231CC|.8B45 CC |mov eax, dword ptr
004231CF|.0FBE5405 86 |movsx edx, byte ptr ;// take the ASCII value of Sn1's 3rd character
004231D4|.D3E2 |shl edx, cl ;//shl Sn1.3,5=
004231D6|.8B45 CC |mov eax, dword ptr
004231D9|.0FBE4C05 87 |movsx ecx, byte ptr ;// take the ASCII value of Sn1's 4th character
004231DE|.0BD1 |or edx, ecx ;//or ,Sn1.4=
004231E0|.52 |push edx
004231E1|.E8 3275FEFF |call 0040A718
004231E6|.59 |pop ecx
004231E7|.B9 1A000000 |mov ecx, 1A ;// store 1A in ECX
004231EC|.99 |cdq
004231ED|.F7F9 |idiv ecx ;// ÷1A, quotient 3F goes to EAX, remainder E to EDX
004231EF|.80C2 61 |add dl, 61 ;// remainder + 61 =
004231F2|.8B45 CC |mov eax, dword ptr
004231F5|.889405 58FFFF>|mov byte ptr , dl ;// store the result at the corresponding address
004231FC|.FF45 CC |inc dword ptr ;// counter
004231FF|.837D CC 28 |cmp dword ptr , 28 ;// compare the number of characters taken with 28H (40)
00423203|.^ 7C B5 \jl short 004231BA
—————————————————————————————————————————————————
Continuing by "adding one", we obtain the string: ovcplrkrrcewqmco;
Let the string ovcplrkrrcewqmco be Sn3;
—————————————————————————————————————————————————
00423205|> \C645 80 5A mov byte ptr , 5A ;//Z
00423209|.C645 81 59 mov byte ptr , 59 ;//Y
0042320D|.C745 C8 18000>mov dword ptr , 18 ;// combined string: ZY褀1z1h+2a0n-0g8y*9a1n|
00423214|.66:C745 E8 08>mov word ptr , 8
0042321A|.837D C8 28 cmp dword ptr , 28
0042321E|.7D 4A jge short 0042326A
00423220|>8B55 C8 /mov edx, dword ptr
00423223|.0FBE8415 58FF>|movsx eax, byte ptr ;// take the ASCII value of Sn3's 1st character
0042322B|.C1E0 04 |shl eax, 4 ;//shl Sn3.1,4=
0042322E|.8B55 C8 |mov edx, dword ptr
00423231|.0FBE8C15 59FF>|movsx ecx, byte ptr ;// take the ASCII value of Sn3's 2nd character
00423239|.D1F9 |sar ecx, 1 ;//sar Sn3.2,1=
0042323B|.33C1 |xor eax, ecx ;//xor ,=
0042323D|.50 |push eax
0042323E|.E8 D574FEFF |call 0040A718
00423243|.59 |pop ecx
00423244|.B9 1A000000 |mov ecx, 1A ;// store 1A in ECX
00423249|.99 |cdq
0042324A|.F7F9 |idiv ecx ;// ÷1A, quotient 42 goes to EAX, remainder 17 to EDX
0042324C|.83C2 41 |add edx, 41 ;// remainder + 41 =
0042324F|.8B45 C8 |mov eax, dword ptr
00423252|.0FBE4405 9C |movsx eax, byte ptr ;// take the ASCII value of Sn1's 25th character
00423257|.3BD0 |cmp edx, eax ;//cmp ,Sn1.25
00423259|.74 06 |je short 00423261 ;// jump if equal
0042325B|.C645 D7 00 |mov byte ptr , 0
0042325F|.EB 09 |jmp short 0042326A
00423261|>FF45 C8 |inc dword ptr
00423264|.837D C8 28 |cmp dword ptr , 28
00423268|.^ 7C B6 \jl short 00423220
0042326A|> \0FBE55 A6 movsx edx, byte ptr ;// take the ASCII value of Sn1's 11th character
0042326E|.83FA 59 cmp edx, 59 ;// compare with 59 (Y)
00423271|.74 04 je short 00423277 ;// jump if equal
00423273|.C645 D7 00 mov byte ptr , 0
00423277|>8A45 D7 mov al, byte ptr
0042327A|.50 push eax
0042327B|.FF4D F4 dec dword ptr
0042327E|.8D45 08 lea eax, dword ptr
00423281|.BA 02000000 mov edx, 2
00423286|.E8 4D480C00 call 004E7AD8
0042328B|.58 pop eax
0042328C|.8B55 D8 mov edx, dword ptr
0042328F|.64:8915 00000>mov dword ptr fs:, edx
00423296|>5F pop edi
00423297|.5E pop esi
00423298|.8BE5 mov esp, ebp
0042329A|.5D pop ebp
0042329B\.C3 retn
—————————————————————————————————————————————————
From the analysis above, the code corresponding to Sn1 is: 1334567890YIRNVLHHT01234XBKARTDKIKFSKTJPP2I4;
☆. The registration code must be 44 characters long (2CH=44);
☆. The trial code 12345678901234567890123456789012345678901234 is denoted Sn1;
☆. The fixed string 1z1h+2a0n-0g8y*9a1n| is denoted Sn2;
☆. Characters 41 to 44 of the registration code are fixed and must be P2I4;
☆. The 2nd character of the registration code must be 3;
☆. When computing the registration code for Sn1, Sn1.2 is replaced with #;
☆. Characters 12 to 19 of the registration code for Sn1 are: IRNVLHHT;
☆. Sn1.X denotes the Xth character of Sn1;
☆. Computed results are enclosed in [] for ease of notation;
☆. The 24th character of the registration code must be less than or equal to 39H;
☆. A working registration set:
Username: yAtEs
Registration code: 1334567890YIRNVLHHT01234XBKARTDKIKFSKTJPP2I4
☆. Victory screenshot:
I still don't really know how to write algorithm analysis articles, and I'm working on it. I hope I can join the 10th round of teaching and improve further ^_^
By_yAtEs 2010.5.29
Keep going. It seems there is also a hidden check (暗桩) that limits it to 20 uses.
Reply to 2# Nisy
I'll go back and keep studying it; I didn't know there was a hidden check too. Thanks for the reminder, N大 ^_^
Awesome!!
Learned something. My assembly is weak; there are many instructions I can't read……
I'm lost, my level is too low. I can't analyze this.
Learned something, keep it up.
Awesome, learned something.
This post was last edited by sdnyzjzx on 2010-5-30 13:08
It seems to have a self-check; after unpacking and repairing, it won't run!
Correction: unpacked with OD's built-in unpacking plugin, it runs normally without repairing the IAT, but not after repair; unpacked with Lord, it won't run whether repaired or not.
Reply to 9# sdnyzjzx
Saw at a glance it's a compression packer; Ctrl+F: popad gets you to the OEP quickly, then analyze with the packer still on