Software size: 933 KB    Category: foreign software / uninstall tools    Shareware, portable
Downloads: 3726    License: shareware
Language: English    Platform: Win9x/Me/NT/2000/XP/2003
Rating: (none)    Updated: 2009-6-15 9:48:54
Developer: Home Page    Contact: unknown
http://nj.onlinedown.net/soft/27152.htm
Evidence Exterminator is a personal privacy-protection tool that erases all the traces a user leaves behind after using the computer.
The program is written in Delphi. On a trial run, entering a code produces the error "Registration code is invalid!". Searching for that string with the OllyDbg string-reference plugin leads straight to the heart of the registration check:

00498608 /$ 55 push ebp ; button event handler
00498609 |. 8BEC mov ebp, esp
0049860B |. B9 05000000 mov ecx, 5
00498610 |> 6A 00 /push 0
00498612 |. 6A 00 |push 0
00498614 |. 49 |dec ecx
00498615 |.^ 75 F9 \jnz short 00498610
00498617 |. 51 push ecx
00498618 |. 53 push ebx
00498619 |. 56 push esi
0049861A |. 8BF0 mov esi, eax
0049861C |. 33C0 xor eax, eax
0049861E |. 55 push ebp
0049861F |. 68 8D874900 push 0049878D
00498624 |. 64:FF30 push dword ptr fs:[eax]
00498627 |. 64:8920 mov dword ptr fs:[eax], esp
0049862A |. 8D55 F4 lea edx, dword ptr [ebp-C]
0049862D |. 8B86 44030000 mov eax, dword ptr [esi+344]
00498633 |. E8 403BFDFF call 0046C178 ; read the entered code
00498638 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0049863B |. 8D55 F8 lea edx, dword ptr [ebp-8]
0049863E |. E8 2D59FFFF call 0048DF70
00498643 |. 8B55 F8 mov edx, dword ptr [ebp-8]
00498646 |. B8 88004B00 mov eax, 004B0088
0049864B |. E8 DCC2F6FF call 0040492C
00498650 |. E8 7BFDFFFF call 004983D0 ; key CALL, followed below
00498655 |. 8BD8 mov ebx, eax
00498657 |. 84DB test bl, bl ; test the result flag
00498659 |. 0F84 DC000000 je 0049873B ; jump taken = failure
0049865F |. C686 64030000>mov byte ptr [esi+364], 1
00498666 |. 8D45 FC lea eax, dword ptr [ebp-4]
00498669 |. 50 push eax
0049866A |. 8D55 F0 lea edx, dword ptr [ebp-10]
0049866D |. B8 A4874900 mov eax, 004987A4 ; bb8281988088ae999f81be949e
00498672 |. E8 1167FFFF call 0048ED88 ; decryption routine, worth stepping into
00498677 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0049867A |. 50 push eax
0049867B |. 8D55 EC lea edx, dword ptr [ebp-14]
0049867E |. B8 C8874900 mov eax, 004987C8 ; be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
00498683 |. E8 0067FFFF call 0048ED88 ; decryption routine
00498688 |. 8B55 EC mov edx, dword ptr [ebp-14]
0049868B |. A1 90004B00 mov eax, dword ptr [4B0090]
00498690 |. 59 pop ecx
00498691 |. E8 1A83FFFF call 004909B0
00498696 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00498699 |. A1 88004B00 mov eax, dword ptr [4B0088] ; points to the registration code
0049869E |. E8 4966FFFF call 0048ECEC ; encryption routine
004986A3 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; the registration code, now encrypted
004986A6 |. 50 push eax
004986A7 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004986AA |. B8 04884900 mov eax, 00498804 ; a1848a8599bb8c819888
004986AF |. E8 D466FFFF call 0048ED88 ; decrypt
004986B4 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004986B7 |. 50 push eax
004986B8 |. 8D45 E0 lea eax, dword ptr [ebp-20]
004986BB |. 50 push eax
004986BC |. B8 C8874900 mov eax, 004987C8 ; be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
004986C1 |. 5A pop edx
004986C2 |. E8 C166FFFF call 0048ED88
004986C7 |. 8B55 E0 mov edx, dword ptr [ebp-20]
004986CA |. A1 90004B00 mov eax, dword ptr [4B0090]
004986CF |. 59 pop ecx
004986D0 |. E8 1B84FFFF call 00490AF0
004986D5 |. 837D FC 00 cmp dword ptr [ebp-4], 0
004986D9 |. 75 46 jnz short 00498721
004986DB |. E8 6023F7FF call 0040AA40 ; get the registration time and compute on it
004986E0 |. 83C4 F8 add esp, -8
004986E3 |. DD1C24 fstp qword ptr [esp]
004986E6 |. 9B wait
004986E7 |. 8D45 DC lea eax, dword ptr [ebp-24]
004986EA |. E8 2D61FFFF call 0048E81C ; convert to string
004986EF |. 8B45 DC mov eax, dword ptr [ebp-24]
004986F2 |. 50 push eax
004986F3 |. 8D55 D8 lea edx, dword ptr [ebp-28]
004986F6 |. B8 A4874900 mov eax, 004987A4 ; bb8281988088ae999f81be949e
004986FB |. E8 8866FFFF call 0048ED88
00498700 |. 8B45 D8 mov eax, dword ptr [ebp-28]
00498703 |. 50 push eax
00498704 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00498707 |. 50 push eax
00498708 |. B8 C8874900 mov eax, 004987C8 ; be828b999a8c9f88b1a0848e9f829e828b99b1a9bfa0bfbeb5
0049870D |. 5A pop edx
0049870E |. E8 7566FFFF call 0048ED88
00498713 |. 8B55 D4 mov edx, dword ptr [ebp-2C]
00498716 |. A1 90004B00 mov eax, dword ptr [4B0090]
0049871B |. 59 pop ecx
0049871C |. E8 CF83FFFF call 00490AF0
00498721 |> 6A 40 push 40
00498723 |. B9 1C884900 mov ecx, 0049881C ; information
00498728 |. BA 28884900 mov edx, 00498828 ; registration has been completed successfully!
0049872D |. A1 8CE84A00 mov eax, dword ptr [4AE88C]
00498732 |. 8B00 mov eax, dword ptr [eax]
00498734 |. E8 2F43FFFF call 0048CA68
00498739 |. EB 22 jmp short 0049875D
0049873B |> B8 88004B00 mov eax, 004B0088
00498740 |. E8 93C1F6FF call 004048D8
00498745 |. 6A 10 push 10
00498747 |. B9 58884900 mov ecx, 00498858 ; error
0049874C |. BA 60884900 mov edx, 00498860 ; registration code is invalid!
00498751 |. A1 8CE84A00 mov eax, dword ptr [4AE88C]
00498756 |. 8B00 mov eax, dword ptr [eax]
00498758 |. E8 0B43FFFF call 0048CA68
Stepping into call 004983D0, the key algorithm:

004983D0 /$ 53 push ebx
004983D1 |. 56 push esi
004983D2 |. 57 push edi
004983D3 |. BF 88004B00 mov edi, 004B0088
004983D8 |. 33F6 xor esi, esi ; clear esi, used as a match counter below
004983DA |. 33DB xor ebx, ebx ; clear ebx
004983DC |. 8B07 mov eax, dword ptr [edi]
004983DE |. E8 B5C7F6FF call 00404B98 ; length of the entered code
004983E3 |. 83F8 0E cmp eax, 0E ; length must be 14
004983E6 |. 75 67 jnz short 0049844F
004983E8 |. 8B07 mov eax, dword ptr [edi] ; points to the entered code
004983EA |. 8038 32 cmp byte ptr [eax], 32 ; is character 1 a '2'?
004983ED |. 0F94C0 sete al ; al = 1 if equal
004983F0 |. 83E0 7F and eax, 7F ; AND to clear the upper bits
004983F3 |. 03F0 add esi, eax ; esi accumulates the number of matches
004983F5 |. 8B07 mov eax, dword ptr [edi]
004983F7 |. 8078 02 36 cmp byte ptr [eax+2], 36 ; is character 3 a '6'?
004983FB |. 0F94C0 sete al
004983FE |. 83E0 7F and eax, 7F
00498401 |. 03F0 add esi, eax
00498403 |. 8B07 mov eax, dword ptr [edi]
00498405 |. 8078 03 33 cmp byte ptr [eax+3], 33 ; is character 4 a '3'?
00498409 |. 0F94C0 sete al
0049840C |. 83E0 7F and eax, 7F
0049840F |. 03F0 add esi, eax
00498411 |. 8B07 mov eax, dword ptr [edi]
00498413 |. 8078 04 32 cmp byte ptr [eax+4], 32 ; is character 5 a '2'?
00498417 |. 0F94C0 sete al
0049841A |. 83E0 7F and eax, 7F
0049841D |. 03F0 add esi, eax
0049841F |. 8B07 mov eax, dword ptr [edi]
00498421 |. 8078 07 33 cmp byte ptr [eax+7], 33 ; is character 8 a '3'?
00498425 |. 0F94C0 sete al
00498428 |. 83E0 7F and eax, 7F
0049842B |. 03F0 add esi, eax
0049842D |. 8B07 mov eax, dword ptr [edi]
0049842F |. 8078 08 33 cmp byte ptr [eax+8], 33 ; is character 9 a '3'?
00498433 |. 0F94C0 sete al
00498436 |. 83E0 7F and eax, 7F
00498439 |. 03F0 add esi, eax
0049843B |. 8B07 mov eax, dword ptr [edi]
0049843D |. 8078 0A 34 cmp byte ptr [eax+A], 34 ; is character 11 a '4'?
00498441 |. 0F94C0 sete al
00498444 |. 83E0 7F and eax, 7F
00498447 |. 03F0 add esi, eax ; 7 positions checked; ESI = 7 if all matched
00498449 |. 83FE 07 cmp esi, 7 ; compare
0049844C |. 0F94C3 sete bl ; bl = 1 if equal
0049844F |> 8BC3 mov eax, ebx ; return the flag in eax
00498451 |. 5F pop edi
00498452 |. 5E pop esi
00498453 |. 5B pop ebx
00498454 \. C3 retn
The algorithm is not hard, but when the result is saved to the registry you can see that both the registry key and the value names are encrypted, and are decrypted on use. The registration code is encrypted too, and the computed registration time is also stored in the registry. Let's look at how the decryption works.
Stepping into the decryption routine at call 0048ED88:

0048ED88 /$ 55 push ebp
0048ED89 |. 8BEC mov ebp, esp
0048ED8B |. 6A 00 push 0
0048ED8D |. 6A 00 push 0
0048ED8F |. 6A 00 push 0
0048ED91 |. 53 push ebx
0048ED92 |. 56 push esi
0048ED93 |. 57 push edi
0048ED94 |. 8BF2 mov esi, edx
0048ED96 |. 8945 FC mov dword ptr [ebp-4], eax
0048ED99 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048ED9C |. E8 E75FF7FF call 00404D88
0048EDA1 |. 33C0 xor eax, eax
0048EDA3 |. 55 push ebp
0048EDA4 |. 68 1BEE4800 push 0048EE1B
0048EDA9 |. 64:FF30 push dword ptr fs:[eax]
0048EDAC |. 64:8920 mov dword ptr fs:[eax], esp
0048EDAF |. 8BC6 mov eax, esi
0048EDB1 |. E8 225BF7FF call 004048D8
0048EDB6 |. 33FF xor edi, edi
0048EDB8 |. EB 3A jmp short 0048EDF4
0048EDBA |> 8D45 F8 /lea eax, dword ptr [ebp-8]
0048EDBD |. 50 |push eax
0048EDBE |. 8D57 01 |lea edx, dword ptr [edi+1]
0048EDC1 |. B9 02000000 |mov ecx, 2
0048EDC6 |. 8B45 FC |mov eax, dword ptr [ebp-4]
0048EDC9 |. E8 2A60F7FF |call 00404DF8 ; take the fixed string two characters at a time
0048EDCE |. 8B45 F8 |mov eax, dword ptr [ebp-8]
0048EDD1 |. E8 C6F4FFFF |call 0048E29C ; convert the hex pair to its byte value
0048EDD6 |. E8 09FFFFFF |call 0048ECE4 ; simple transform on that byte, followed below
0048EDDB |. 8BD8 |mov ebx, eax ; then append it to an output buffer
0048EDDD |. 8D45 F4 |lea eax, dword ptr [ebp-C]
0048EDE0 |. 8BD3 |mov edx, ebx
0048EDE2 |. E8 D95CF7FF |call 00404AC0
0048EDE7 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
0048EDEA |. 8BC6 |mov eax, esi
0048EDEC |. E8 AF5DF7FF |call 00404BA0
0048EDF1 |. 83C7 02 |add edi, 2 ; two characters per step, so add 2
0048EDF4 |> 8B45 FC mov eax, dword ptr [ebp-4]
0048EDF7 |. E8 9C5DF7FF |call 00404B98 ; length of the fixed string
0048EDFC |. 3BF8 |cmp edi, eax ; has the whole fixed string been consumed?
0048EDFE |.^ 7C BA \jl short 0048EDBA
0048EE00 |. 33C0 xor eax, eax
0048EE02 |. 5A pop edx
0048EE03 |. 59 pop ecx
0048EE04 |. 59 pop ecx
0048EE05 |. 64:8910 mov dword ptr fs:[eax], edx
0048EE08 |. 68 22EE4800 push 0048EE22
0048EE0D |> 8D45 F4 lea eax, dword ptr [ebp-C]
0048EE10 |. BA 03000000 mov edx, 3
0048EE15 |. E8 E25AF7FF call 004048FC
0048EE1A \. C3 retn

Stepping further into call 0048ECE4:

0048ECE4 /$ F6D0 not al
0048ECE6 |. 34 ED xor al, 0ED
0048ECE8 |. F6D0 not al
0048ECEA \. C3 retn
So the decryption is simple: take the fixed string two characters at a time, convert each pair to the corresponding byte, NOT it, XOR it with 0EDh, NOT it again, and assemble the results into a new string. For example, the 26-character fixed string "BB8281988088AE999F81BE949E" decrypts to the 13-character "VolumeCtrlSys".
Those interested can write the decryption function themselves in the C they are currently learning.
Summary: the algorithm is very simple, so encrypting the registry entries adds little, but it makes a good object for learning simple algorithms and encryption.
A usable registration code built from the rules above: 21632673304897
My registry entries:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMRSX]
"SuperStructure"="39979.6338688079"
"LightValue"="DFDCDBDEDFDBDADEDEDDD9D5D4DA"
"VolumeCtrlSys"="39979.6653520949"
"DFDCDBDEDFDBDADEDEDDD9D5D4DA" is the encrypted form of "21632673304897".
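The decryption routine traced above, written out in C as an added example for the exercise suggested earlier (this is not the program's code or the post author's). It assumes nothing beyond the listing: each hex pair becomes a byte that goes through `not al; xor al, 0EDh; not al`, which collapses to a single XOR with 0EDh, so the same transform serves for both directions. The names `ee_byte`, `ee_decode`, `ee_encode` and `ee_check` are my own. The encryption routine at 0048ECEC is not shown in the post, so the encode direction is an assumption; it is consistent with the post's own registry value, which this code reproduces from "21632673304897". The three constants from the listing decode to "VolumeCtrlSys", "Software\Microsoft\DRMRSX" and "LightValue", which match the registry key and value names the author shows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the program's own code: re-implements the routine at
 * 0048ED88 / 0048ECE4 from the listing. Each hex pair is turned into a byte
 * and passed through "not al; xor al, 0EDh; not al". Because ~(~x ^ k) == x ^ k,
 * that is a single XOR with 0xED, so the same transform encrypts and decrypts. */
#define EE_KEY 0xED

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* not a hex digit */
}

/* The three instructions at 0048ECE4, applied literally to one byte. */
static unsigned char ee_byte(unsigned char b) {
    b = (unsigned char)~b;          /* not al */
    b ^= EE_KEY;                    /* xor al, 0EDh */
    b = (unsigned char)~b;          /* not al */
    return b;
}

/* Decrypt a hex string as stored in the binary or registry into out.
 * Returns the number of plaintext bytes written, or -1 on odd length,
 * non-hex input, or an output buffer that is too small. */
int ee_decode(const char *hex, char *out, size_t outsz) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]);
        int lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (char)ee_byte((unsigned char)((hi << 4) | lo));
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

/* Inverse direction (assumed: the routine at 0048ECEC is not on the page, but
 * the stored registry value confirms the same byte transform plus hex encoding).
 * Output is uppercase hex, as in the registry export. */
int ee_encode(const char *plain, char *out, size_t outsz) {
    size_t n = strlen(plain);
    if (n * 2 + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02X", ee_byte((unsigned char)plain[i]));
    out[2 * n] = '\0';
    return (int)(n * 2);
}

/* Round-trip check: hex decrypts to expected and expected re-encrypts to hex. */
int ee_check(const char *hex, const char *expected) {
    char plain[128], back[256];
    if (ee_decode(hex, plain, sizeof plain) < 0) return 0;
    if (strcmp(plain, expected) != 0) return 0;
    if (ee_encode(plain, back, sizeof back) < 0) return 0;
    return strcmp(back, hex) == 0;
}

int main(void) {
    /* The three constants from the listing and the registry value from the post. */
    const char *samples[] = {
        "BB8281988088AE999F81BE949E",
        "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5",
        "A1848A8599BB8C819888",
        "DFDCDBDEDFDBDADEDEDDD9D5D4DA",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (ee_decode(samples[i], buf, sizeof buf) < 0) {
            printf("%s: invalid input\n", samples[i]);
            continue;
        }
        printf("%s -> \"%s\"\n", samples[i], buf);
    }
    return 0;
}
```

The lesson for anyone protecting their own software is the one the summary already draws: a constant single-byte XOR is obfuscation, not encryption. Every plaintext byte is shifted by the same value, so one known character (a key name, or the '2' every valid code starts with) gives the constant away, and the validator at 004983D0 only inspects seven fixed positions. Hiding the strings and the registry values does not change what the check accepts; a licence scheme that needs to resist this has to depend on something the client cannot forge, such as a signature verified against an embedded public key, rather than on the reverser not finding the strings.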