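flv-converter 1.60 algorithm analysis
1. Run the program and try to register; a message box pops up.
2. PEiD shows that the binary is not packed.
3. Use the F12 pause method, then Alt+K to bring up the call stack. In the stack you can see "called from = flv.004BCD1A". Double-click it to get to the registration prompt.
4. Find the start of the function, set a breakpoint there and run the program. The breakpoint is hit.
**********************************************************************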
004BCBFC $55 PUSH EBP
004BCBFD .8BEC MOV EBP,ESP
004BCBFF .33C9 XOR ECX,ECX
004BCC01 .51 PUSH ECX
004BCC02 .51 PUSH ECX
004BCC03 .51 PUSH ECX
004BCC04 .51 PUSH ECX
004BCC05 .51 PUSH ECX
004BCC06 .53 PUSH EBX
004BCC07 .56 PUSH ESI
004BCC08 .57 PUSH EDI
004BCC09 .8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004BCC0C .33C0 XOR EAX,EAX
004BCC0E .55 PUSH EBP
004BCC0F .68 4DCD4B00 PUSH flv.004BCD4D
004BCC14 .64:FF30 PUSH DWORD PTR FS:[EAX]
004BCC17 .64:8920 MOV DWORD PTR FS:[EAX],ESP
004BCC1A .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCC1D .E8 B2FEFFFF CALL flv.004BCAD4 ; key CALL, step in to analyze
004BCC22 .84C0 TEST AL,AL
004BCC24 .0F84 DB000000 JE flv.004BCD05 ; key jump, goes to the registration prompt
004BCC2A .33C0 XOR EAX,EAX
004BCC2C .55 PUSH EBP
004BCC2D .68 E9CC4B00 PUSH flv.004BCCE9
004BCC32 .64:FF30 PUSH DWORD PTR FS:[EAX]
004BCC35 .64:8920 MOV DWORD PTR FS:[EAX],ESP
004BCC38 .B2 01 MOV DL,1
004BCC3A .A1 E8B34300 MOV EAX,DWORD PTR DS:[43B3E8]
004BCC3F .E8 A4E8F7FF CALL flv.0043B4E8
004BCC44 .8BD8 MOV EBX,EAX
004BCC46 .BA 02000080 MOV EDX,80000002
004BCC4B .8BC3 MOV EAX,EBX
004BCC4D .E8 36E9F7FF CALL flv.0043B588
004BCC52 .B1 01 MOV CL,1
004BCC54 .BA 64CD4B00 MOV EDX,flv.004BCD64 ;ASCII "Software\\mp4soft\\flvconverter"
004BCC59 .8BC3 MOV EAX,EBX
004BCC5B .E8 8CE9F7FF CALL flv.0043B5EC
004BCC60 .8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004BCC63 .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCC66 .8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
004BCC6C .E8 77A4FAFF CALL flv.004670E8
004BCC71 .8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004BCC74 .8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004BCC77 .E8 ECBCF4FF CALL flv.00408968
004BCC7C .8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004BCC7F .BA 8CCD4B00 MOV EDX,flv.004BCD8C ;ASCII "Name"
004BCC84 .8BC3 MOV EAX,EBX
004BCC86 .E8 FDEAF7FF CALL flv.0043B788
004BCC8B .8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004BCC8E .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCC91 .8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
004BCC97 .E8 4CA4FAFF CALL flv.004670E8
004BCC9C .8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BCC9F .8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004BCCA2 .E8 C1BCF4FF CALL flv.00408968
004BCCA7 .8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
004BCCAA .BA 9CCD4B00 MOV EDX,flv.004BCD9C ;ASCII "Pass"
004BCCAF .8BC3 MOV EAX,EBX
004BCCB1 .E8 D2EAF7FF CALL flv.0043B788
004BCCB6 .8BC3 MOV EAX,EBX
004BCCB8 .E8 0368F4FF CALL flv.004034C0
004BCCBD .6A 40 PUSH 40
004BCCBF .68 A4CD4B00 PUSH flv.004BCDA4
004BCCC4 .68 B0CD4B00 PUSH flv.004BCDB0
004BCCC9 .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCCCC .E8 FF0BFBFF CALL flv.0046D8D0
004BCCD1 .50 PUSH EAX ; |hOwner
004BCCD2 .E8 79A5F4FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004BCCD7 .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCCDA .E8 8971FCFF CALL flv.00483E68
004BCCDF .33C0 XOR EAX,EAX
004BCCE1 .5A POP EDX
004BCCE2 .59 POP ECX
004BCCE3 .59 POP ECX
004BCCE4 .64:8910 MOV DWORD PTR FS:[EAX],EDX
004BCCE7 .EB 36 JMP SHORT flv.004BCD1F
004BCCE9 .^ E9 B26CF4FF JMP flv.004039A0
004BCCEE .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCCF1 .E8 7271FCFF CALL flv.00483E68
004BCCF6 .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCCF9 .E8 12FDFFFF CALL flv.004BCA10
004BCCFE .E8 0570F4FF CALL flv.00403D08
004BCD03 .EB 1A JMP SHORT flv.004BCD1F
004BCD05 >6A 40 PUSH 40
004BCD07 .68 30CE4B00 PUSH flv.004BCE30 ;ASCII "Register"
004BCD0C .68 3CCE4B00 PUSH flv.004BCE3C
004BCD11 .8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCD14 .E8 B70BFBFF CALL flv.0046D8D0
004BCD19 .50 PUSH EAX ; |hOwner
004BCD1A .E8 31A5F4FF CALL <JMP.&user32.MessageBoxA> ; \registration prompt shown when a fake code is entered
**********************************************************************
Stepping into 004BCC1D .E8 B2FEFFFF CALL flv.004BCAD4 leads here:
004BCAD4/$55 PUSH EBP
004BCAD5|.8BEC MOV EBP,ESP
004BCAD7|.B9 04000000 MOV ECX,4
004BCADC|>6A 00 /PUSH 0
004BCADE|.6A 00 |PUSH 0
004BCAE0|.49 |DEC ECX
004BCAE1|.^ 75 F9 \JNZ SHORT flv.004BCADC
004BCAE3|.51 PUSH ECX
004BCAE4|.53 PUSH EBX
004BCAE5|.56 PUSH ESI
004BCAE6|.8BF0 MOV ESI,EAX
004BCAE8|.33C0 XOR EAX,EAX
004BCAEA|.55 PUSH EBP
004BCAEB|.68 EBCB4B00 PUSH flv.004BCBEB
004BCAF0|.64:FF30 PUSH DWORD PTR FS:[EAX]
004BCAF3|.64:8920 MOV DWORD PTR FS:[EAX],ESP
004BCAF6|.8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004BCAF9|.8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
004BCAFF|.E8 E4A5FAFF CALL flv.004670E8 ; get the fake code
004BCB04|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BCB07|.8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004BCB0A|.E8 59BEF4FF CALL flv.00408968
004BCB0F|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BCB12|.50 PUSH EAX
004BCB13|.8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004BCB16|.8B86 04030000 MOV EAX,DWORD PTR DS:[ESI+304]
004BCB1C|.E8 C7A5FAFF CALL flv.004670E8 ; get the user name
004BCB21|.8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BCB24|.8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004BCB27|.E8 3CBEF4FF CALL flv.00408968
004BCB2C|.8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004BCB2F|.8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
004BCB32|.8BC6 MOV EAX,ESI
004BCB34|.E8 E7FCFFFF CALL flv.004BC820 ; algorithm CALL, step in
004BCB39|.8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004BCB3C|.58 POP EAX
004BCB3D|.E8 F67BF4FF CALL flv.00404738
004BCB42|.75 52 JNZ SHORT flv.004BCB96
004BCB44|.B3 01 MOV BL,1
004BCB46|.8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004BCB49|.8B86 04030000 MOV EAX,DWORD PTR DS:[ESI+304]
004BCB4F|.E8 94A5FAFF CALL flv.004670E8
004BCB54|.8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004BCB57|.8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004BCB5A|.E8 09BEF4FF CALL flv.00408968
004BCB5F|.8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
004BCB62|.8D86 1C030000 LEA EAX,DWORD PTR DS:[ESI+31C]
004BCB68|.E8 F777F4FF CALL flv.00404364
004BCB6D|.8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004BCB70|.8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
004BCB76|.E8 6DA5FAFF CALL flv.004670E8
004BCB7B|.8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004BCB7E|.8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004BCB81|.E8 E2BDF4FF CALL flv.00408968
004BCB86|.8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004BCB89|.8D86 20030000 LEA EAX,DWORD PTR DS:[ESI+320]
004BCB8F|.E8 D077F4FF CALL flv.00404364
004BCB94|.EB 02 JMP SHORT flv.004BCB98
004BCB96|>33DB XOR EBX,EBX
004BCB98|>33C0 XOR EAX,EAX
004BCB9A|.5A POP EDX
004BCB9B|.59 POP ECX
004BCB9C|.59 POP ECX
004BCB9D|.64:8910 MOV DWORD PTR FS:[EAX],EDX
004BCBA0|.68 F2CB4B00 PUSH flv.004BCBF2
004BCBA5|>8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004BCBA8|.E8 6377F4FF CALL flv.00404310
004BCBAD|.8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004BCBB0|.E8 5B77F4FF CALL flv.00404310
004BCBB5|.8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BCBB8|.E8 5377F4FF CALL flv.00404310
004BCBBD|.8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004BCBC0|.E8 4B77F4FF CALL flv.00404310
004BCBC5|.8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004BCBC8|.E8 4377F4FF CALL flv.00404310
004BCBCD|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BCBD0|.BA 02000000 MOV EDX,2
004BCBD5|.E8 5A77F4FF CALL flv.00404334
004BCBDA|.8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BCBDD|.E8 2E77F4FF CALL flv.00404310
004BCBE2|.8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BCBE5|.E8 2677F4FF CALL flv.00404310
004BCBEA\.C3 RETN
004BCBEB .^ E9 6470F4FF JMP flv.00403C54
004BCBF0 .^ EB B3 JMP SHORT flv.004BCBA5
004BCBF2 .8BC3 MOV EAX,EBX
004BCBF4 .5E POP ESI
004BCBF5 .5B POP EBX
004BCBF6 .8BE5 MOV ESP,EBP
004BCBF8 .5D POP EBP
**********************************************************************
Stepping into 004BCB34|.E8 E7FCFFFF CALL flv.004BC820 (the algorithm CALL):
004BC820/$55 PUSH EBP
004BC821|.8BEC MOV EBP,ESP
004BC823|.51 PUSH ECX
004BC824|.B9 04000000 MOV ECX,4
004BC829|>6A 00 /PUSH 0
004BC82B|.6A 00 |PUSH 0
004BC82D|.49 |DEC ECX
004BC82E|.^ 75 F9 \JNZ SHORT flv.004BC829
004BC830|.51 PUSH ECX
004BC831|.874D FC XCHG DWORD PTR SS:[EBP-4],ECX
004BC834|.53 PUSH EBX
004BC835|.56 PUSH ESI
004BC836|.57 PUSH EDI
004BC837|.8BF9 MOV EDI,ECX
004BC839|.8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004BC83C|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BC83F|.E8 987FF4FF CALL flv.004047DC
004BC844|.33C0 XOR EAX,EAX
004BC846|.55 PUSH EBP
004BC847|.68 E1C94B00 PUSH flv.004BC9E1
004BC84C|.64:FF30 PUSH DWORD PTR FS:[EAX]
004BC84F|.64:8920 MOV DWORD PTR FS:[EAX],ESP
004BC852|.8BC7 MOV EAX,EDI
004BC854|.E8 B77AF4FF CALL flv.00404310
004BC859|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BC85C|.E8 8B7DF4FF CALL flv.004045EC
004BC861|.8BF0 MOV ESI,EAX
004BC863|.85F6 TEST ESI,ESI
004BC865|.7E 26 JLE SHORT flv.004BC88D
004BC867|.BB 01000000 MOV EBX,1
004BC86C|>8D4D EC /LEA ECX,DWORD PTR SS:[EBP-14]
004BC86F|.8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004BC872|.0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; take the Nth character of the user name
004BC877|.33D2 |XOR EDX,EDX ; clear EDX
004BC879|.E8 66C4F4FF |CALL flv.00408CE4 ; convert the user name to hexadecimal
004BC87E|.8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
004BC881|.8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004BC884|.E8 6B7DF4FF |CALL flv.004045F4
004BC889|.43 |INC EBX
004BC88A|.4E |DEC ESI
004BC88B|.^ 75 DF \JNZ SHORT flv.004BC86C
004BC88D|>8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BC890|.E8 577DF4FF CALL flv.004045EC
004BC895|.8BF0 MOV ESI,EAX
004BC897|.85F6 TEST ESI,ESI
004BC899|.7E 2C JLE SHORT flv.004BC8C7
004BC89B|.BB 01000000 MOV EBX,1
004BC8A0|>8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
004BC8A3|.E8 447DF4FF |CALL flv.004045EC ; get the number of digits of the hex string produced above
004BC8A8|.2BC3 |SUB EAX,EBX ; EBX=1
004BC8AA|.8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] ; put the hex string into EDX
004BC8AD|.8A1402 |MOV DL,BYTE PTR DS:[EDX+EAX] ; take the last digit of the hex string
004BC8B0|.8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18] ; the code from 004BC8A0 to 004BC8C5 reverses the digits of the hex string,
004BC8B3|.E8 407CF4FF |CALL flv.004044F8 ; the same way 1234 becomes 4321
004BC8B8|.8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
004BC8BB|.8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BC8BE|.E8 317DF4FF |CALL flv.004045F4
004BC8C3|.43 |INC EBX
004BC8C4|.4E |DEC ESI
004BC8C5|.^ 75 D9 \JNZ SHORT flv.004BC8A0
004BC8C7|>8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BC8CA|.50 PUSH EAX
004BC8CB|.B9 04000000 MOV ECX,4 ; ECX=4
004BC8D0|.BA 01000000 MOV EDX,1 ; EDX=1
004BC8D5|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; put the hex string computed above into EAX
004BC8D8|.E8 6F7FF4FF CALL flv.0040484C ; algorithm CALL, takes the first 4 characters
004BC8DD|.8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BC8E0|.50 PUSH EAX
004BC8E1|.B9 04000000 MOV ECX,4
004BC8E6|.BA 05000000 MOV EDX,5
004BC8EB|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004BC8EE|.E8 597FF4FF CALL flv.0040484C ; algorithm CALL, takes characters 4-8 of the reversed hex string
004BC8F3|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BC8F6|.E8 F17CF4FF CALL flv.004045EC
004BC8FB|.83F8 04 CMP EAX,4
004BC8FE|.7D 2F JGE SHORT flv.004BC92F
004BC900|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BC903|.E8 E47CF4FF CALL flv.004045EC
004BC908|.8BD8 MOV EBX,EAX
004BC90A|.83FB 03 CMP EBX,3
004BC90D|.7F 20 JG SHORT flv.004BC92F
004BC90F|>8D4D E4 /LEA ECX,DWORD PTR SS:[EBP-1C]
004BC912|.8BC3 |MOV EAX,EBX
004BC914|.C1E0 02 |SHL EAX,2
004BC917|.33D2 |XOR EDX,EDX
004BC919|.E8 C6C3F4FF |CALL flv.00408CE4
004BC91E|.8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004BC921|.8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004BC924|.E8 CB7CF4FF |CALL flv.004045F4
004BC929|.43 |INC EBX
004BC92A|.83FB 04 |CMP EBX,4
004BC92D|.^ 75 E0 \JNZ SHORT flv.004BC90F
004BC92F|>8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004BC932|.E8 B57CF4FF CALL flv.004045EC
004BC937|.83F8 04 CMP EAX,4
004BC93A|.7D 2F JGE SHORT flv.004BC96B
004BC93C|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004BC93F|.E8 A87CF4FF CALL flv.004045EC
004BC944|.8BD8 MOV EBX,EAX
004BC946|.83FB 03 CMP EBX,3
004BC949|.7F 20 JG SHORT flv.004BC96B
004BC94B|>8D4D E0 /LEA ECX,DWORD PTR SS:[EBP-20]
004BC94E|.8BC3 |MOV EAX,EBX
004BC950|.C1E0 02 |SHL EAX,2
004BC953|.33D2 |XOR EDX,EDX
004BC955|.E8 8AC3F4FF |CALL flv.00408CE4
004BC95A|.8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
004BC95D|.8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BC960|.E8 8F7CF4FF |CALL flv.004045F4
004BC965|.43 |INC EBX
004BC966|.83FB 04 |CMP EBX,4
004BC969|.^ 75 E0 \JNZ SHORT flv.004BC94B
004BC96B|>8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BC96E|.BA F8C94B00 MOV EDX,flv.004BC9F8 ;ASCII "flv67u986e"
004BC973|.E8 307AF4FF CALL flv.004043A8
004BC978|.8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004BC97B|.50 PUSH EAX
004BC97C|.B9 04000000 MOV ECX,4 ; ECX=4
004BC981|.BA 01000000 MOV EDX,1
004BC986|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; load the address of the string flv67u986e
004BC989|.E8 BE7EF4FF CALL flv.0040484C ; algorithm CALL, takes the first 4 characters of the string flv67u986e
004BC98E|.FF75 DC PUSH DWORD PTR SS:[EBP-24]
004BC991|.68 0CCA4B00 PUSH flv.004BCA0C
004BC996|.FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004BC999|.8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004BC99C|.50 PUSH EAX
004BC99D|.B9 05000000 MOV ECX,5 ; ECX=5
004BC9A2|.BA 05000000 MOV EDX,5 ; EDX=5
004BC9A7|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004BC9AA|.E8 9D7EF4FF CALL flv.0040484C ; algorithm CALL, takes characters 5-9 of the string flv67u986e
004BC9AF|.FF75 D8 PUSH DWORD PTR SS:[EBP-28] ; SS:[EBP-28] holds characters 5-9 of the string flv67u986e
004BC9B2|.68 0CCA4B00 PUSH flv.004BCA0C
004BC9B7|.FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; SS:[EBP-C] holds characters 5-8 of the reversed hex string
004BC9BA|.8BC7 MOV EAX,EDI
004BC9BC|.BA 06000000 MOV EDX,6
004BC9C1|.E8 E67CF4FF CALL flv.004046AC ; this joins the strings: first 4 characters of flv67u986e - first 4 characters
004BC9C6|.33C0 XOR EAX,EAX ; of the reversed hex string - characters 5-8 of the reversed hex string, plus
004BC9C8|.5A POP EDX ; characters 5-9 of flv67u986e - characters 5-8 of the reversed hex string
004BC9C9|.59 POP ECX ; together these make up the program's registration code
004BC9CA|.59 POP ECX
004BC9CB|.64:8910 MOV DWORD PTR FS:[EAX],EDX
004BC9CE|.68 E8C94B00 PUSH flv.004BC9E8
004BC9D3|>8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004BC9D6|.BA 0A000000 MOV EDX,0A
004BC9DB|.E8 5479F4FF CALL flv.00404334
004BC9E0\.C3 RETN
004BC9E1 .^ E9 6E72F4FF JMP flv.00403C54
004BC9E6 .^ EB EB JMP SHORT flv.004BC9D3
004BC9E8 .5F POP EDI
004BC9E9 .5E POP ESI
004BC9EA .5B POP EBX
004BC9EB .8BE5 MOV ESP,EBP
004BC9ED .5D POP EBP
004BC9EE .C3 RETN
**********************************************************************
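Let me summarize the algorithm analysis:
1. Convert the user name we entered into a hexadecimal string and store it.
2. Then reverse the hex string; for example, 123456 reversed becomes 654321.
3. Then take the first 4 characters (flv6) and characters 5-9 (7u986) of the fixed string flv67u986e.
4. Then assemble them into the registration code: flv6-(first 4 characters of the reversed hex string)7u986-(characters 5-8 of the reversed hex string). That is the registration code.
5. I tested with two user names and obtained registration codes.
(1). The first user name is wangwei. Converted to hex it is 77616E67776569, reversed it is 96567776E61677, and the resulting registration code is flv6-96567u986-7776
(2). The second user name is sdrf5678lk. Converted to hex it is 73647266353637386C6B, reversed it is B6C68373635366274637, and the resulting registration code is flv6-B6C67u986-8373

Algorithm analysis, I'll study this carefully!

Bumping this for you, brother.

An analysis post, learned something.

Detailed algorithm analysis, thumbs up.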