[Group 1] [中华灯谜] [Algorithm]
Last edited by 月之精灵 on 2010-6-2 19:11
[Crack title]: Analysis of the 中华灯谜 registration algorithm
[Author]: 天下
[Software]: 中华灯谜
[Packer]: ASPack
[Tools]: OllyDbg (OD), keymake
[Author's note]: Corrections from the experts are welcome where I have slipped up!
========================================
Load the program, unpack it, and arrive at:
======================================================
0054EE9A|.E8 4584EBFF CALL <JMP.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
0054EE9F|.8D45 FC LEA EAX,DWORD PTR SS:
0054EEA2|.8D95 7BFFFFFF LEA EDX,DWORD PTR SS:
0054EEA8|.B9 81000000 MOV ECX,81
0054EEAD|.E8 665DEBFF CALL dumped_.00404C18
0054EEB2|.8D95 74FFFFFF LEA EDX,DWORD PTR SS:
0054EEB8|.8B83 C8030000 MOV EAX,DWORD PTR DS:
0054EEBE|.E8 C58CEFFF CALL dumped_.00447B88
0054EEC3|.83BD 74FFFFFF 00 CMP DWORD PTR SS:,0 ; check whether the registration code is empty
0054EECA|.74 1A JE SHORT dumped_.0054EEE6
0054EECC|.8D95 70FFFFFF LEA EDX,DWORD PTR SS:
0054EED2|.8B83 C0030000 MOV EAX,DWORD PTR DS:
0054EED8|.E8 AB8CEFFF CALL dumped_.00447B88
0054EEDD|.83BD 70FFFFFF 00 CMP DWORD PTR SS:,0 ; check whether the order number is empty
0054EEE4|.75 0F JNZ SHORT dumped_.0054EEF5
0054EEE6|>B8 D4F05400 MOV EAX,dumped_.0054F0D4 ; "registration information not filled in completely"
0054EEEB|.E8 8C1EEFFF CALL dumped_.00440D7C
0054EEF0|.E9 51010000 JMP dumped_.0054F046
0054EEF5|>8D95 6CFFFFFF LEA EDX,DWORD PTR SS:
0054EEFB|.8B83 C8030000 MOV EAX,DWORD PTR DS:
0054EF01|.E8 828CEFFF CALL dumped_.00447B88
0054EF06|.8B85 6CFFFFFF MOV EAX,DWORD PTR SS: ; the entered (trial) code goes into EAX
0054EF0C|.50 PUSH EAX
0054EF0D|.8D95 64FFFFFF LEA EDX,DWORD PTR SS:
0054EF13|.8B83 C0030000 MOV EAX,DWORD PTR DS:
0054EF19|.E8 6A8CEFFF CALL dumped_.00447B88
0054EF1E|.8B85 64FFFFFF MOV EAX,DWORD PTR SS: ; get the order number
0054EF24|.E8 DBA6EBFF CALL dumped_.00409604 ; 123456
0054EF29|.B9 3A000000 MOV ECX,3A
0054EF2E|.99 CDQ ; clear EDX
0054EF2F|.F7F9 IDIV ECX ; EAX = 123456 / 0x3A: quotient to EAX, remainder to EDX
0054EF31|.8BC2 MOV EAX,EDX
0054EF33|.8D95 68FFFFFF LEA EDX,DWORD PTR SS:
0054EF39|.E8 62A6EBFF CALL dumped_.004095A0 ;???????
0054EF3E|.8D85 68FFFFFF LEA EAX,DWORD PTR SS:
0054EF44|.50 PUSH EAX
0054EF45|.8D95 58FFFFFF LEA EDX,DWORD PTR SS:
0054EF4B|.8B83 C0030000 MOV EAX,DWORD PTR DS:
0054EF51|.E8 328CEFFF CALL dumped_.00447B88
0054EF56|.8B85 58FFFFFF MOV EAX,DWORD PTR SS:
0054EF5C|.E8 A3A6EBFF CALL dumped_.00409604
0054EF61|.8D95 5CFFFFFF LEA EDX,DWORD PTR SS:
0054EF67|.E8 80DCFFFF CALL dumped_.0054CBEC ;================
0054EF6C|.8B85 5CFFFFFF MOV EAX,DWORD PTR SS:
0054EF72|.E8 8DA6EBFF CALL dumped_.00409604
0054EF77|.8D95 60FFFFFF LEA EDX,DWORD PTR SS:
0054EF7D|.E8 4ADDFFFF CALL dumped_.0054CCCC ; produces the registration code
0054EF82|.8B95 60FFFFFF MOV EDX,DWORD PTR SS:
0054EF88|.58 POP EAX
0054EF89|.E8 E25CEBFF CALL dumped_.00404C70
0054EF8E|.8B95 68FFFFFF MOV EDX,DWORD PTR SS:
0054EF94|.58 POP EAX
0054EF95|.E8 125EEBFF CALL dumped_.00404DAC ; the comparison: point for a memory keygen
0054EF9A|.0F85 8F000000 JNZ dumped_.0054F02F
0054EFA0|.B8 F4F05400 MOV EAX,dumped_.0054F0F4 ; "registration successful, thank you for registering!"
0054EFA5|.E8 D21DEFFF CALL dumped_.00440D7C
0054EFAA|.BA 18F15400 MOV EDX,dumped_.0054F118 ; "this software is registered"
=====================================================================================================================
00409604/$53 PUSH EBX
00409605|.56 PUSH ESI
00409606|.83C4 F4 ADD ESP,-0C
00409609|.8BD8 MOV EBX,EAX
0040960B|.8BD4 MOV EDX,ESP
0040960D|.8BC3 MOV EAX,EBX
0040960F|.E8 509DFFFF CALL dumped_.00403364 ; order-number algorithm (string to integer)
00409614|.8BF0 MOV ESI,EAX
00409616|.833C24 00 CMP DWORD PTR SS:,0
0040961A|.74 19 JE SHORT dumped_.00409635
0040961C|.895C24 04 MOV DWORD PTR SS:,EBX
00409620|.C64424 08 0B MOV BYTE PTR SS:,0B
00409625|.8D5424 04 LEA EDX,DWORD PTR SS:
======================================================================================================================
00403377|> /8A1E /MOV BL,BYTE PTR DS: ; fetch the first character
00403379|. |46 |INC ESI
0040337A|. |80FB 20 |CMP BL,20 ; compare with space
0040337D|.^\74 F8 \JE SHORT dumped_.00403377
0040337F|.B5 00 MOV CH,0
00403381|.80FB 2D CMP BL,2D ; compare with '-'
00403384|.74 62 JE SHORT dumped_.004033E8
00403386|.80FB 2B CMP BL,2B ;+
00403389|.74 5F JE SHORT dumped_.004033EA
0040338B|.80FB 24 CMP BL,24 ;$
0040338E|.74 5F JE SHORT dumped_.004033EF
00403390|.80FB 78 CMP BL,78 ;x
00403393|.74 5A JE SHORT dumped_.004033EF
00403395|.80FB 58 CMP BL,58 ;X
00403398|.74 55 JE SHORT dumped_.004033EF
0040339A|.80FB 30 CMP BL,30 ;0
0040339D|.75 13 JNZ SHORT dumped_.004033B2
0040339F|.8A1E MOV BL,BYTE PTR DS:
004033A1|.46 INC ESI
004033A2|.80FB 78 CMP BL,78
004033A5|.74 48 JE SHORT dumped_.004033EF
004033A7|.80FB 58 CMP BL,58
004033AA|.74 43 JE SHORT dumped_.004033EF
004033AC|.84DB TEST BL,BL
004033AE|.74 20 JE SHORT dumped_.004033D0
004033B0|.EB 04 JMP SHORT dumped_.004033B6
004033B2|>84DB TEST BL,BL
004033B4|.74 2D JE SHORT dumped_.004033E3
004033B6|>80EB 30 /SUB BL,30
004033B9|.80FB 09 |CMP BL,9
004033BC|.77 25 |JA SHORT dumped_.004033E3
004033BE|.39F8 |CMP EAX,EDI
004033C0|.77 21 |JA SHORT dumped_.004033E3
004033C2|.8D0480 |LEA EAX,DWORD PTR DS: ; EAX = EAX*5 (EAX + EAX*4)
004033C5|.01C0 |ADD EAX,EAX ; EAX = EAX*10
004033C7|.01D8 |ADD EAX,EBX ; EAX = EAX + digit
004033C9|.8A1E |MOV BL,BYTE PTR DS:
004033CB|.46 |INC ESI
004033CC|.84DB |TEST BL,BL
004033CE|.^ 75 E6 \JNZ SHORT dumped_.004033B6
=============================================================================================================
The above is the order-number algorithm: the running value is multiplied by 10 and each digit is added, i.e. a plain string-to-integer conversion.
================================================================================================================
0040A07E|> /31D2 /XOR EDX,EDX
0040A080|. |F7F1 |DIV ECX
0040A082|. |80C2 30 |ADD DL,30
0040A085|. |80FA 3A |CMP DL,3A
0040A088|. |72 03 |JB SHORT dumped_.0040A08D
0040A08A|. |80C2 07 |ADD DL,7
0040A08D|> |4E |DEC ESI
0040A08E|. |8816 |MOV BYTE PTR DS:,DL
0040A090|. |09C0 |OR EAX,EAX
0040A092|.^\75 EA \JNZ SHORT dumped_.0040A07E
This works out the leading characters: a divide-by-radix loop that turns each remainder into '0'..'9' (ADD DL,30), or adds 7 more for anything past '9', and stores the characters from the end of the buffer backwards.
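As an added example (not code from the post), the two runtime helpers the trace steps through, the string-to-integer loop at 00403377 and the divide-by-radix loop at 0040A07E, re-implemented in Python so the register comments above can be checked against real values; the hex branch at 004033EF is not shown on the page, so it is assumed to accumulate base-16 digits the same way, and EDI is assumed to hold the overflow bound.

```python
# Added example, not code from the post: Python mirrors of the two helpers seen
# in the trace. Hex branch (004033EF) and the meaning of EDI are assumptions.
from typing import Optional

DIGITS = "0123456789abcdef"


def parse_int(s: str, limit: int = 0x7FFFFFFF) -> Optional[int]:
    """Loop at 00403377: skip spaces, optional sign, $/x/X/0x hex prefix, then
    value = value*10 + digit; None where the routine takes its failure exit."""
    i = 0
    while i < len(s) and s[i] == " ":          # CMP BL,20 / JE back to loop
        i += 1
    neg = False
    if i < len(s) and s[i] in "+-":            # CMP BL,2D / CMP BL,2B
        neg = s[i] == "-"
        i += 1
    base = 10
    if i < len(s) and s[i] in "$xX":           # CMP BL,24 / 78 / 58
        base, i = 16, i + 1
    elif s[i:i + 2] in ("0x", "0X"):           # CMP BL,30 then the x/X check
        base, i = 16, i + 2
    if i >= len(s):                            # TEST BL,BL: nothing to parse
        return None
    value = 0
    guard = limit // base                      # assumed value held in EDI
    for ch in s[i:]:
        d = DIGITS.find(ch.lower())            # SUB BL,30 / CMP BL,9 / JA fail
        if d < 0 or d >= base:
            return None
        if value > guard:                      # CMP EAX,EDI / JA fail
            return None
        value = value * base + d               # LEA EAX,[EAX+EAX*4]; ADD EAX,EAX; ADD EAX,EBX
    return -value if neg else value


def to_base(n: int, radix: int) -> str:
    """Loop at 0040A07E: divide by ECX, map each remainder to '0'..'9' (ADD DL,30)
    or 7 further on past '9' (ADD DL,7), storing from the end of the buffer."""
    if n < 0 or radix < 2:
        raise ValueError("unsigned value and radix >= 2 expected")
    out = []
    while True:
        n, r = divmod(n, radix)                # XOR EDX,EDX / DIV ECX
        c = 0x30 + r                           # ADD DL,30
        if c >= 0x3A:                          # CMP DL,3A / JB skip
            c += 7                             # ADD DL,7
        out.append(chr(c))                     # DEC ESI / MOV [ESI],DL
        if n == 0:                             # OR EAX,EAX / JNZ
            return "".join(reversed(out))
```

With the order number 123456 from the trace, `parse_int("123456") ^ 0x0B25F1` gives 706481, the value the comment at 0054CC09 reports.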
==============================================================
0054CC06|.64:8920 MOV DWORD PTR FS:,ESP
0054CC09|.81F3 F1250B00 XOR EBX,0B25F1 ;123456 xor 0B25F1=706481
0054CC0F|.8BC3 MOV EAX,EBX
0054CC11|.33D2 XOR EDX,EDX
0054CC13|.52 PUSH EDX ; /Arg2 => 00000000
0054CC14|.50 PUSH EAX ; |Arg1
0054CC15|.8D45 FC LEA EAX,DWORD PTR SS: ; |
0054CC18|.E8 B3C9EBFF CALL dumped_.004095D0 ; \dumped_.004095D0
0054CC1D|.8B45 FC MOV EAX,DWORD PTR SS:
0054CC20|.0FB600 MOVZX EAX,BYTE PTR DS: ; first decimal digit, ASCII 0x37 ('7')
0054CC23|.8B55 FC MOV EDX,DWORD PTR SS:
0054CC26|.0FB652 01 MOVZX EDX,BYTE PTR DS: ; second decimal digit, ASCII 0x30 ('0')
0054CC2A|.03C2 ADD EAX,EDX ;EAX+EDX
0054CC2C|.B9 05000000 MOV ECX,5
0054CC31|.99 CDQ ; clear EDX
0054CC32|.F7F9 IDIV ECX ;EAX%ECX
0054CC34|.80C2 34 ADD DL,34 ; remainder + 0x34
0054CC37|.8855 F8 MOV BYTE PTR SS:,DL ; 0x37 ('7')
0054CC3A|.8B45 FC MOV EAX,DWORD PTR SS:
0054CC3D|.0FB640 02 MOVZX EAX,BYTE PTR DS: ; third decimal digit, ASCII 0x36 ('6')
0054CC41|.8B55 FC MOV EDX,DWORD PTR SS:
0054CC44|.0FB652 03 MOVZX EDX,BYTE PTR DS: ; fourth decimal digit, ASCII 0x34 ('4')
0054CC48|.03C2 ADD EAX,EDX ;EAX+EDX
0054CC4A|.B9 05000000 MOV ECX,5 ;ECX=5
0054CC4F|.99 CDQ ; clear EDX
0054CC50|.F7F9 IDIV ECX ;EAX/ECX
0054CC52|.8BDA MOV EBX,EDX
0054CC54|.80C3 33 ADD BL,33 ; remainder + 0x33
0054CC57|.885D F9 MOV BYTE PTR SS:,BL ; 0x34 ('4')
0054CC5A|.8D45 F4 LEA EAX,DWORD PTR SS:
0054CC5D|.8A55 F8 MOV DL,BYTE PTR SS:
0054CC60|.E8 2B7FEBFF CALL dumped_.00404B90
0054CC65|.8B45 F4 MOV EAX,DWORD PTR SS:
0054CC68|.8D55 FC LEA EDX,DWORD PTR SS:
0054CC6B|.B9 1B000000 MOV ECX,1B ;ECX=1B
=======================================================================================================
0054CCEB|.81F3 8776FBDD XOR EBX,DDFB7687 ;0436016E(ebx) xor DDFB7687
0054CCF1|.8BC3 MOV EAX,EBX
0054CCF3|.33D2 XOR EDX,EDX
0054CCF5|.52 PUSH EDX ; /Arg2 => 00000000
0054CCF6|.50 PUSH EAX ; |Arg1
0054CCF7|.8D45 FC LEA EAX,DWORD PTR SS: ; |
0054CCFA|.E8 D1C8EBFF CALL dumped_.004095D0 ; \dumped_.004095D0
0054CCFF|.8B45 FC MOV EAX,DWORD PTR SS: ;3654121449 =0436016E(ebx) xor DDFB7687
0054CD02|.0FB600 MOVZX EAX,BYTE PTR DS: ; first digit, 0x33 ('3')
0054CD05|.8B55 FC MOV EDX,DWORD PTR SS:
0054CD08|.0FB652 01 MOVZX EDX,BYTE PTR DS: ; second digit, 0x36 ('6')
0054CD0C|.03C2 ADD EAX,EDX ; EAX+EDX = 0x69
0054CD0E|.B9 05000000 MOV ECX,5 ;ECX=5
0054CD13|.99 CDQ ; clear EDX
0054CD14|.F7F9 IDIV ECX ;EAX/ECX
0054CD16|.80C2 66 ADD DL,66
0054CD19|.8855 F8 MOV BYTE PTR SS:,DL ; 0x66 ('f')
0054CD1C|.8B45 FC MOV EAX,DWORD PTR SS:
0054CD1F|.0FB640 02 MOVZX EAX,BYTE PTR DS: ; third digit, 0x35 ('5')
0054CD23|.8B55 FC MOV EDX,DWORD PTR SS:
0054CD26|.0FB652 03 MOVZX EDX,BYTE PTR DS: ; fourth digit
0054CD2A|.03C2 ADD EAX,EDX ;EAX+EDX
0054CD2C|.B9 05000000 MOV ECX,5
0054CD31|.99 CDQ
0054CD32|.F7F9 IDIV ECX
0054CD34|.80C2 75 ADD DL,75
0054CD37|.8855 F9 MOV BYTE PTR SS:,DL ; 0x75 ('u')
0054CD3A|.8B45 FC MOV EAX,DWORD PTR SS:
0054CD3D|.0FB640 04 MOVZX EAX,BYTE PTR DS: ; fifth digit, 0x31 ('1')
0054CD41|.8B55 FC MOV EDX,DWORD PTR SS:
0054CD44|.0FB652 05 MOVZX EDX,BYTE PTR DS: ; sixth digit, 0x32 ('2')
0054CD48|.03C2 ADD EAX,EDX ;EAX+EDX
0054CD4A|.B9 05000000 MOV ECX,5
0054CD4F|.99 CDQ
0054CD50|.F7F9 IDIV ECX
0054CD52|.80C2 7A ADD DL,7A
0054CD55|.8855 FA MOV BYTE PTR SS:,DL ; 0x7E ('~')
0054CD58|.8B45 FC MOV EAX,DWORD PTR SS:
0054CD5B|.0FB640 06 MOVZX EAX,BYTE PTR DS: ; seventh digit, 0x31 ('1')
0054CD5F|.8B55 FC MOV EDX,DWORD PTR SS:
0054CD62|.0FB652 07 MOVZX EDX,BYTE PTR DS: ; eighth digit, 0x34 ('4')
0054CD66|.03C2 ADD EAX,EDX ;EAX+EDX
0054CD68|.8B55 FC MOV EDX,DWORD PTR SS:
0054CD6B|.0FB652 08 MOVZX EDX,BYTE PTR DS: ; ninth digit, 0x34 ('4')
0054CD6F|.03C2 ADD EAX,EDX ;EAX+EDX
0054CD71|.B9 05000000 MOV ECX,5
0054CD76|.99 CDQ
0054CD77|.F7F9 IDIV ECX
0054CD79|.80C2 69 ADD DL,69
0054CD7C|.8855 FB MOV BYTE PTR SS:,DL ; 0x6C ('l')
0054CD7F|.8D45 F4 LEA EAX,DWORD PTR SS:
0054CD82|.8A55 F8 MOV DL,BYTE PTR SS: ;f
0054CD85|.E8 067EEBFF CALL dumped_.00404B90
0054CD8A|.8B45 F4 MOV EAX,DWORD PTR SS:
0054CD8D|.8D55 FC LEA EDX,DWORD PTR SS:
0054CD90|.B9 07000000 MOV ECX,7
0054CD95|.E8 AE81EBFF CALL dumped_.00404F48
0054CD9A|.8D45 F0 LEA EAX,DWORD PTR SS:
0054CD9D|.8A55 FB MOV DL,BYTE PTR SS: ;l
0054CDA0|.E8 EB7DEBFF CALL dumped_.00404B90
0054CDA5|.8B45 F0 MOV EAX,DWORD PTR SS:
0054CDA8|.8D55 FC LEA EDX,DWORD PTR SS:
0054CDAB|.B9 03000000 MOV ECX,3
0054CDB0|.E8 9381EBFF CALL dumped_.00404F48
0054CDB5|.8D45 EC LEA EAX,DWORD PTR SS:
0054CDB8|.8A55 F9 MOV DL,BYTE PTR SS: ;u
0054CDBB|.E8 D07DEBFF CALL dumped_.00404B90
0054CDC0|.8B45 EC MOV EAX,DWORD PTR SS:
0054CDC3|.8D55 FC LEA EDX,DWORD PTR SS:
0054CDC6|.B9 05000000 MOV ECX,5
0054CDCB|.E8 7881EBFF CALL dumped_.00404F48
0054CDD0|.8D45 E8 LEA EAX,DWORD PTR SS:
0054CDD3|.8A55 FA MOV DL,BYTE PTR SS: ;~
========================================================================
This yields the registration code.
===========================
0054EFF8|.50 PUSH EAX
0054EFF9|.B9 44F15400 MOV ECX,dumped_.0054F144 ;sepop
0054EFFE|.BA 54F15400 MOV EDX,dumped_.0054F154 ;syssetup
0054F003|.8BC6 MOV EAX,ESI
0054F005|.8B18 MOV EBX,DWORD PTR DS:
0054F007|.FF53 04 CALL DWORD PTR DS:
0054F00A|.8D85 4CFFFFFF LEA EAX,DWORD PTR SS:
0054F010|.B9 30F15400 MOV ECX,dumped_.0054F130 ;\dC0n.dll
0054F015|.8B55 FC MOV EDX,DWORD PTR SS:
0054F018|.E8 975CEBFF CALL dumped_.00404CB4
0054F01D|.8B85 4CFFFFFF MOV EAX,DWORD PTR SS:
After successful registration, the information is written to
"C:\WINDOWS\system32\dC0n.dll".
I can't program, so I can only give a simple analysis....
================================
Finally, a memory keygen is attached.