ChemPlot 1.1.1.2 (化学分子式编辑工具)算法分析
本帖最后由 speedboy 于 2016-7-9 10:03 编辑。

若觉得分析得不够贴切深入,请不要拍砖。
一、如何来到算法代码处
1、OD 加载并运行程序,查找字符串 “Registration key is incorrect.”,双击来到汇编窗口。
2、往上看,这段“注册码错误”提示代码的起始处 (00404EB1 |> \A1 C0554300 mov eax,dword ptr ds:[...]) 是一个跳转目标,跳转来自 00404E2B |. /0F84 80000000 je ChemPlot.00404EB1。也就是说,00404E2B 处的 je 成立时就进入“注册码错误”分支。
二、注册验证代码实现过程
紧挨着这个 je 上面的 call 即为算法 call:它在 al 中返回 1(注册码正确)或 0(注册码错误),调用方应当就是根据这个返回值决定是否跳到错误分支。F7 跟进,来到下面的代码。
; ---------------------------------------------------------------------------
; ChemPlot.00404A10 - registration-key check (OllyDbg dump, x86, MSVC/MFC 10)
;
; Calling convention (from the prologue/epilogue): thiscall, ecx = this (saved
; at [ebp-0x10]); one stack argument at [ebp+8] = pointer whose first dword is
; the key string (char*); returns al = 1 (accepted) / 0 (rejected); `retn 4`
; pops the argument.
;
; What the visible code establishes:
;   * the key must be exactly 16 characters (00404A7D);
;   * the key is cut into chars 0-3, 0-7 and 8-15 and each piece is fed to
;     ChemPlot.004041B0 (not in this dump). The 4-char result is consumed as a
;     16-bit word (00404B6D) and the 8-char results as 32-bit values, which,
;     together with the author's note that it accepts digits/letters and
;     upper-cases letters, is consistent with a case-insensitive hex parser
;     (4 bits per character) - TODO confirm by reading 004041B0;
;   * with A = value of chars 0-3 and f(x) = rol16(x,1) ^ 0xD6A8, the key is
;     accepted iff value(chars 0-7) == (A<<16)|f(A)  (00404BD4) and
;     value(chars 8-15) == (f(f(A))<<16)|f(f(f(A)))  (00404BEA).
;
; Reviewer notes:
;   * The check is a pure function of the key: no secret, and nothing in this
;     function reads a user or machine name. Every 16-bit A yields a valid key,
;     so there are at most 65536 distinct valid keys and the recurrence above is
;     the keygen.
;   * The verdict is one boolean in al, decided by the two `jnz short 00404C04`
;     at 00404BD7 / 00404BEC and consumed by the caller's `je`; each is a
;     one-byte patch point.
;   * Both 200-byte malloc buffers (ebx, esi) are leaked on every path of this
;     listing: no free() is called, and the slot holding buffer #1's pointer
;     ([ebp-0x14]) is overwritten at 00404B36. The failure exit after the
;     second malloc also leaks buffer #1.
;   * The key pointer loaded at 00404A6F is dereferenced without a NULL check.
;   * strcpy_s(dst, 0xC8, src) is only ever given a source of <= 16 bytes
;     (length already checked), so the bounded copies cannot overflow.
; ---------------------------------------------------------------------------
00404A10/$55 push ebp ; standard MSVC frame + exception-frame prologue
00404A11|.8BEC mov ebp,esp
00404A13|.6A FF push -0x1 ; EH state = -1 (looks like the MSVC C++ EH frame layout)
00404A15|.68 0B7A4200 push ChemPlot.00427A0B ; handler thunk for this frame
00404A1A|.64:A1 0000000>mov eax,dword ptr fs: ; [fs:0] = current SEH chain head (operand truncated in the dump)
00404A20|.50 push eax ; link the previous handler
00404A21|.83EC 0C sub esp,0xC ; locals: this, buffer ptr, parsed value
00404A24|.53 push ebx ; callee-saved
00404A25|.56 push esi ; callee-saved
00404A26|.57 push edi ; callee-saved
00404A27|.A1 9C554300 mov eax,dword ptr ds: ; ds:[0043559C], presumably the MSVC security cookie
00404A2C|.33C5 xor eax,ebp ; cookie ^ ebp
00404A2E|.50 push eax ; saved in the frame (popped at 00404BFA / 00404C10 without an inline check)
00404A2F|.8D45 F4 lea eax, ; [ebp-0xC] = the exception registration record
00404A32|.64:A3 0000000>mov dword ptr fs:,eax ; install it as the new [fs:0]
00404A38|.894D F0 mov ,ecx ; [ebp-0x10] = this (thiscall)
00404A3B|.8B35 60B14200 mov esi,dword ptr ds:[<&MSVCR100> ; esi = &malloc
00404A41|.68 C8000000 push 0xC8 ; size = 0xC8 (200) bytes
00404A46|.FFD6 call esi ; buffer #1 = malloc(200)
00404A48|.8BD8 mov ebx,eax ; ebx = buffer #1
00404A4A|.83C4 04 add esp,0x4 ; cdecl cleanup
00404A4D|.895D EC mov ,ebx ; [ebp-0x14] = buffer #1 (this slot is reused as a CString temp at 00404B36)
00404A50|.85DB test ebx,ebx
00404A52|.0F84 AC010000 je ChemPlot.00404C04 ; malloc failed -> reject (nothing to free yet)
00404A58|.68 C8000000 push 0xC8 ; size = 200
00404A5D|.FFD6 call esi ; buffer #2 = malloc(200)
00404A5F|.8BF0 mov esi,eax ; esi = buffer #2
00404A61|.83C4 04 add esp,0x4
00404A64|.85F6 test esi,esi
00404A66|.0F84 98010000 je ChemPlot.00404C04 ; malloc failed -> reject; buffer #1 (ebx) leaks
00404A6C|.8B7D 08 mov edi, ; edi = [ebp+8] = argument (pointer to the key char*); OD's <ModuleEntryPoint> label was noise
00404A6F|.8B07 mov eax,dword ptr ds: ; eax = key char* ([edi]); no NULL check before the loop below
00404A71|.8D50 01 lea edx,dword ptr ds: ; edx = key + 1 (inline strlen)
00404A74|>8A08 /mov cl,byte ptr ds: ; cl = *eax
00404A76|.40 |inc eax
00404A77|.84C9 |test cl,cl
00404A79|.^ 75 F9 \jnz short ChemPlot.00404A74 ; until the terminating NUL
00404A7B|.2BC2 sub eax,edx ; eax = strlen(key)
00404A7D|.83F8 10 cmp eax,0x10 ; the key must be exactly 16 characters
00404A80|.0F85 7E010000 jnz ChemPlot.00404C04 ; otherwise reject (buffers leak)
00404A86|.6A 04 push 0x4 ; size = 4
00404A88|.E8 FF130200 call <jmp.&mfc100.#1294> ; mfc100 ordinal #1294 with a size of 4: presumably operator new (ordinal names are not resolved in this dump)
00404A8D|.83C4 04 add esp,0x4
00404A90|.8945 08 mov ,eax ; [ebp+8] is reused as scratch from here on (the argument was already copied to edi)
00404A93|.C745 FC 00000>mov ,0x0 ; EH state = 0
00404A9A|.85C0 test eax,eax
00404A9C|.74 0F je short ChemPlot.00404AAD ; allocation returned NULL -> edi = 0
00404A9E|.8B0F mov ecx,dword ptr ds: ; ecx = key char*
00404AA0|.51 push ecx ; ctor argument
00404AA1|.8BC8 mov ecx,eax ; this = the new 4-byte object
00404AA3|.FF15 C8B84200 call dword ptr ds:[<&mfc100.#310> ; looks like a CString constructor from char* - TODO confirm ordinal
00404AA9|.8BF8 mov edi,eax ; edi = key as a CString-like object
00404AAB|.EB 02 jmp short ChemPlot.00404AAF
00404AAD|>33FF xor edi,edi ; allocation failed: edi = NULL, yet still used as `this` below (no guard)
00404AAF|>6A 04 push 0x4 ; count = 4
00404AB1|.6A 00 push 0x0 ; start = 0
00404AB3|.8D55 08 lea edx, ; [ebp+8] receives the result object
00404AB6|.52 push edx ; hidden return-value pointer
00404AB7|.8BCF mov ecx,edi ; this = key object
00404AB9|.C745 FC FFFFF>mov ,-0x1 ; EH state = -1
00404AC0|.FF15 D4B84200 call dword ptr ds:[<&mfc100.#787> ; (this, &result, 0, 4): looks like CString::Mid(0,4) -> chars 0-3
00404AC6|.8BC8 mov ecx,eax ; this = the temp
00404AC8|.FF15 98B94200 call dword ptr ds:[<&mfc100.#144> ; yields a char* consumed by strcpy_s (presumably operator LPCTSTR)
00404ACE|.50 push eax ; src = chars 0-3
00404ACF|.68 C8000000 push 0xC8 ; dst size = 200
00404AD4|.53 push ebx ; dst = buffer #1
00404AD5|.8B1D 44B14200 mov ebx,dword ptr ds:[<&MSVCR100> ; ebx = &strcpy_s (buffer #1 is now only reachable via [ebp-0x14])
00404ADB|.FFD3 call ebx ; strcpy_s(buf1, 200, chars 0-3); source <= 16 bytes, cannot overflow
00404ADD|.83C4 0C add esp,0xC
00404AE0|.8D4D 08 lea ecx, ; this = the temp in [ebp+8]
00404AE3|.FF15 A0B94200 call dword ptr ds:[<&mfc100.#901> ; presumably the temp's destructor
00404AE9|.8B45 EC mov eax, ; eax = buffer #1
00404AEC|.8B4D F0 mov ecx, ; this
00404AEF|.6A 04 push 0x4 ; length = 4
00404AF1|.50 push eax ; buffer
00404AF2|.E8 B9F6FFFF call ChemPlot.004041B0 ; 004041B0(buf1, 4) -> eax; not in this dump. Author: checks each char is a digit or letter and upper-cases letters. The result is read as a 16-bit word at 00404B6D, consistent with hex -> int - TODO confirm
00404AF7|.6A 08 push 0x8 ; count = 8
00404AF9|.6A 00 push 0x0 ; start = 0
00404AFB|.8D4D 08 lea ecx, ; result object into [ebp+8]
00404AFE|.51 push ecx ; hidden return-value pointer
00404AFF|.8BCF mov ecx,edi ; this = key object
00404B01|.8945 E8 mov ,eax ; [ebp-0x18] = A = value of chars 0-3
00404B04|.FF15 D4B84200 call dword ptr ds:[<&mfc100.#787> ; Mid(0,8) -> chars 0-7
00404B0A|.8BC8 mov ecx,eax
00404B0C|.FF15 98B94200 call dword ptr ds:[<&mfc100.#144> ; char* of the temp
00404B12|.50 push eax ; src = chars 0-7
00404B13|.68 C8000000 push 0xC8 ; dst size = 200
00404B18|.56 push esi ; dst = buffer #2
00404B19|.FFD3 call ebx ; strcpy_s(buf2, 200, chars 0-7)
00404B1B|.83C4 0C add esp,0xC
00404B1E|.8D4D 08 lea ecx, ; this = the temp in [ebp+8]
00404B21|.FF15 A0B94200 call dword ptr ds:[<&mfc100.#901> ; destroy the temp
00404B27|.8B4D F0 mov ecx, ; this
00404B2A|.6A 08 push 0x8 ; length = 8
00404B2C|.56 push esi ; buffer #2
00404B2D|.E8 7EF6FFFF call ChemPlot.004041B0 ; 004041B0(buf2, 8) -> eax = 32-bit value of chars 0-7
00404B32|.6A 0F push 0xF ; count = 0xF (only 8 characters remain after index 8 in a 16-char key)
00404B34|.6A 08 push 0x8 ; start = 8
00404B36|.8D55 EC lea edx, ; result object into [ebp-0x14] - this overwrites buffer #1's pointer, so buffer #1 can no longer be freed
00404B39|.52 push edx ; hidden return-value pointer
00404B3A|.8BCF mov ecx,edi ; this = key object
00404B3C|.8945 08 mov ,eax ; [ebp+8] = value of chars 0-7
00404B3F|.FF15 D4B84200 call dword ptr ds:[<&mfc100.#787> ; Mid(8,15) -> chars 8-15
00404B45|.8BC8 mov ecx,eax
00404B47|.FF15 98B94200 call dword ptr ds:[<&mfc100.#144> ; char* of the temp
00404B4D|.50 push eax ; src = chars 8-15
00404B4E|.68 C8000000 push 0xC8 ; dst size = 200
00404B53|.56 push esi ; dst = buffer #2 (reused)
00404B54|.FFD3 call ebx ; strcpy_s(buf2, 200, chars 8-15)
00404B56|.83C4 0C add esp,0xC
00404B59|.8D4D EC lea ecx, ; this = the temp in [ebp-0x14]
00404B5C|.FF15 A0B94200 call dword ptr ds:[<&mfc100.#901> ; destroy the temp
00404B62|.8B4D F0 mov ecx, ; this
00404B65|.6A 08 push 0x8 ; length = 8
00404B67|.56 push esi ; buffer #2
00404B68|.E8 43F6FFFF call ChemPlot.004041B0 ; 004041B0(buf2, 8) -> eax = 32-bit value of chars 8-15 (live until 00404BEA)
00404B6D|.0FB74D E8 movzx ecx,word ptr ss: ; ecx = A = low 16 bits of the chars 0-3 value ([ebp-0x18])
00404B71|.8BD1 mov edx,ecx ; edx = A (kept for the high half of the expected value)
00404B73|.F7C1 00800000 test ecx,0x8000 ; is bit 15 of A set? (leading hex digit >= 8)
00404B79|.74 0C je short ChemPlot.00404B87 ; clear -> plain shift
00404B7B|.8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; ecx = 2*A - 0x10000 (disp32 truncated in the dump; the visible bytes 00 00 FF.. fit -0x10000): shift left, drop bit 16
00404B82|.83C9 01 or ecx,0x1 ; ...and bring that bit back in at bit 0 => 16-bit rotate-left by 1
00404B85|.EB 02 jmp short ChemPlot.00404B89
00404B87|>03C9 add ecx,ecx ; bit 15 clear: ecx = A << 1 (identical to rol16(A,1) here)
00404B89|>81F1 A8D6FFFF xor ecx,-0x2958 ; xor 0xFFFFD6A8 (= -0x2958 in two's complement); only the low word matters
00404B8F|.81E1 FFFF0000 and ecx,0xFFFF ; seed1 = f(A) = (rol16(A,1) ^ 0xD6A8) & 0xFFFF
00404B95|.C1E2 10 shl edx,0x10 ; edx = A << 16
00404B98|.03D1 add edx,ecx ; edx = (A << 16) | f(A) = expected value of chars 0-7
00404B9A|.F7C1 00800000 test ecx,0x8000 ; second round: same f() applied to seed1
00404BA0|.74 0C je short ChemPlot.00404BAE
00404BA2|.8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; rol16 step (bit 15 set)
00404BA9|.83C9 01 or ecx,0x1
00404BAC|.EB 02 jmp short ChemPlot.00404BB0
00404BAE|>03C9 add ecx,ecx ; rol16 step (bit 15 clear)
00404BB0|>81F1 A8D6FFFF xor ecx,-0x2958 ; ^ 0xD6A8
00404BB6|.81E1 FFFF0000 and ecx,0xFFFF ; seed2 = f(f(A))
00404BBC|.8BF1 mov esi,ecx ; esi = seed2 (buffer #2 pointer is dropped here; it is never freed)
00404BBE|.F7C1 00800000 test ecx,0x8000 ; third round: rotate part only, the xor/and follow the compare below
00404BC4|.74 0C je short ChemPlot.00404BD2
00404BC6|.8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; rol16 step (bit 15 set)
00404BCD|.83C9 01 or ecx,0x1
00404BD0|.EB 02 jmp short ChemPlot.00404BD4
00404BD2|>03C9 add ecx,ecx ; rol16 step (bit 15 clear)
00404BD4|>3B55 08 cmp edx, ; chars 0-7 must equal (A<<16)|f(A)  ([ebp+8] = parsed chars 0-7)
00404BD7|.75 2B jnz short ChemPlot.00404C04 ; mismatch -> reject (one-byte patch point)
00404BD9|.81F1 A8D6FFFF xor ecx,-0x2958 ; ^ 0xD6A8
00404BDF|.81E1 FFFF0000 and ecx,0xFFFF ; seed3 = f(f(f(A)))
00404BE5|.C1E6 10 shl esi,0x10 ; esi = seed2 << 16
00404BE8|.03CE add ecx,esi ; ecx = (seed2 << 16) | seed3 = expected value of chars 8-15
00404BEA|.3BC8 cmp ecx,eax ; chars 8-15 must match (eax = parsed chars 8-15 from 00404B68)
00404BEC|.75 16 jnz short ChemPlot.00404C04 ; mismatch -> reject (one-byte patch point)
00404BEE|.B0 01 mov al,0x1 ; success: return TRUE (neither malloc buffer is freed)
00404BF0|.8B4D F4 mov ecx, ; ecx = saved previous SEH head from the frame
00404BF3|.64:890D 00000>mov dword ptr fs:,ecx ; unlink this frame's handler
00404BFA|.59 pop ecx ; discard the saved cookie (no inline check)
00404BFB|.5F pop edi ; restore callee-saved
00404BFC|.5E pop esi
00404BFD|.5B pop ebx
00404BFE|.8BE5 mov esp,ebp ; tear down the frame
00404C00|.5D pop ebp
00404C01|.C2 0400 retn 0x4 ; thiscall: pop the one stack argument
00404C04|>32C0 xor al,al ; failure exit: return FALSE (buffers, when allocated, are not freed)
00404C06|.8B4D F4 mov ecx, ; ecx = saved previous SEH head
00404C09|.64:890D 00000>mov dword ptr fs:,ecx ; unlink this frame's handler
00404C10|.59 pop ecx ; discard the saved cookie (no inline check)
00404C11|.5F pop edi ; restore callee-saved
00404C12|.5E pop esi
00404C13|.5B pop ebx
00404C14|.8BE5 mov esp,ebp ; tear down the frame
00404C16|.5D pop ebp
00404C17\.C2 0400 retn 0x4 支持楼主一个!好深奥的样子看不懂,,,(我是小白) 虽然帖子不长,但是很美~ 赞一个! tree_fly 发表于 2016-7-9 16:46
虽然帖子不长,但是很美~ 赞一个!
我崇拜的人来捧场了,感谢! 很喜欢speedboy的算法分析帖,支持 Dxer 发表于 2016-7-12 14:28
很喜欢speedboy的算法分析帖,支持
感谢Dxer兄弟的鼓励。
楼主写的不错,学习了 看不懂啊,我是小白 楼主的大作,感谢。