- UID
- 13110
注册时间2006-5-14
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
【破文标题】某某VOD服务器端注册分析
【破文作者】johnroot
【破解工具】Ollydbg
【破解平台】windowsxp sp2
【软件名称】某某VOD服务器端
【保护方式】KEY文件、变形Base64
【软件简介】点歌系统软件。服务器端注册成功后,工作站端才能进入。
【成功图片】
------------------------------------------------------------------------
【破解过程】
1。脱壳:
peid查看之为"NsPacK V3.7"
简单压缩壳,很容易就可以手脱
2。去自效验:
运行脱壳后的程序进入到主界面就马上退出。 有自效验!?
Ollydbg载入下断bp GetFileSize
F9运行
停在
7C810A77 > 8BFF MOV EDI,EDI
7C810A79 55 PUSH EBP
7C810A7A 8BEC MOV EBP,ESP
7C810A7C 51 PUSH ECX
7C810A7D 51 PUSH ECX
7C810A7E 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C810A81 50 PUSH EAX
7C810A82 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C810A85 E8 7FFFFFFF CALL kernel32.GetFileSizeEx
7C810A8A 85C0 TEST EAX,EAX
7C810A8C ^ 0F84 2996FFFF JE kernel32.7C80A0BB
7C810A92 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C810A95 85C0 TEST EAX,EAX
7C810A97 ^ 0F85 1496FFFF JNZ kernel32.7C80A0B1
7C810A9D 837D F8 FF CMP DWORD PTR SS:[EBP-8],-1
7C810AA1 0F84 82C20200 JE kernel32.7C83CD29
7C810AA7 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
7C810AAA C9 LEAVE
7C810AAB C2 0800 RETN 8 //F4到这里,F7返回
来到:
0049A013 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0049A016 8942 48 MOV DWORD PTR DS:[EDX+48],EAX
0049A019 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049A01C 50 PUSH EAX
0049A01D 68 C89D4900 PUSH ppp_.00499DC8
一路F8来到:
0049A0EB E8 D097F8FF CALL ppp_.004238C0 //F7进入
0049A0F0 C3 RETN
来到:
004238C0 55 PUSH EBP
004238C1 8BEC MOV EBP,ESP
004238C3 8940 20 MOV DWORD PTR DS:[EAX+20],EAX
004238C6 33D2 XOR EDX,EDX
004238C8 8950 30 MOV DWORD PTR DS:[EAX+30],EDX
004238CB 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004238CE 8950 28 MOV DWORD PTR DS:[EAX+28],EDX
004238D1 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
004238D4 8950 2C MOV DWORD PTR DS:[EAX+2C],EDX
004238D7 8D50 20 LEA EDX,DWORD PTR DS:[EAX+20]
004238DA 8B00 MOV EAX,DWORD PTR DS:[EAX]
004238DC E8 9FFEFFFF CALL ppp_.00423780 ////F7进入
004238E1 5D POP EBP
004238E2 C2 0800 RETN 8
来到:
00423780 55 PUSH EBP
00423781 8BEC MOV EBP,ESP
00423783 83C4 F4 ADD ESP,-0C
00423786 53 PUSH EBX
00423787 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
0042378A E8 7934FEFF CALL <JMP.&kernel32.GetCurrentThreadId>
0042378F 8B15 84EE4900 MOV EDX,DWORD PTR DS:[49EE84] ; ppp_.0049F034
00423795 3B02 CMP EAX,DWORD PTR DS:[EDX]
00423797 75 0E JNZ SHORT ppp_.004237A7 //这里NOP就可以去掉自效验
00423799 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
0042379C 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
0042379F FF53 08 CALL DWORD PTR DS:[EBX+8]
004237A2 E9 13010000 JMP ppp_.004238BA
3。算法分析
该程序检测KEY文件VODSERVER.dat是否合法
我先找个别人注册了的KEY文件VODSERVER.dat放到程序安装目录跟踪看看
搜索字符串" vodserver.dat"定位到
0049A708 B8 C4A94900 MOV EAX,ppp6.0049A9C4 ; VodServer.DAT
0049A70D E8 7EECF6FF CALL ppp6.00409390
0049A712 84C0 TEST AL,AL
0049A714 0F84 FB010000 JE ppp6.0049A915 //比较是否存在KEY文件
0049A71A 8B83 30030000 MOV EAX,DWORD PTR DS:[EBX+330]
0049A720 8B80 20020000 MOV EAX,DWORD PTR DS:[EAX+220]
0049A726 BA C4A94900 MOV EDX,ppp6.0049A9C4 ; VodServer.DAT
0049A72B 8B08 MOV ECX,DWORD PTR DS:[EAX]
0049A72D FF51 68 CALL DWORD PTR DS:[ECX+68]
0049A730 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0049A733 8B83 30030000 MOV EAX,DWORD PTR DS:[EBX+330]
0049A739 E8 42AEFAFF CALL ppp6.00445580
0049A73E 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
0049A742 74 34 JE SHORT ppp6.0049A778
0049A744 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0049A747 8B83 30030000 MOV EAX,DWORD PTR DS:[EBX+330]
0049A74D E8 2EAEFAFF CALL ppp6.00445580
0049A752 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
// EAX=‘NPhpW`aGYRqBU@irHP\sY@uDXs]>ZRlgRAQ@ORugQryTQpm=NseeLrugW@E?RSEVXPE^W?ABIrlmMq]
mHQeIYbiBPsAgM`qq‘
KEY文件里的数据
0049A755 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0049A758 E8 A7DBFFFF CALL ppp6.00498304 //第一种变形Base64
0049A75D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
//EAX=’IK4nIKumFdKv1H7tNHsxByl+XUDMnkWoXWLAKziCnklBCYrZqBbl1F7l1GXq1ZMvkFSqkFMu‘
第一种变形Base64 解密后的数据
0049A760 50 PUSH EAX
0049A761 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049A764 50 PUSH EAX
0049A765 E8 BAFEFFFF CALL <JMP.&mmsoft.MMVod50SCode> //第二种变形Base64
0049A76A 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] //返回注册数据
看到EDX=‘WD-WMANM6273659+湖北来凤滨河之春使用权+17+0+2006-12-05 ’
第二种变形Base64 解密后的数据
WD-WMANM6273659为机器号,"湖北来凤滨河之春使用权"为注册名,17 为授权台数
0 为注册天数(为0时表示无限制),2006-12-05为注册日期
好了到这里我们知道了基本的解密过程了,接下来就看Base64 是怎么变形的了
第一种变形Base64:
0049A758 E8 A7DBFFFF CALL ppp6.00498304 //第一种变形Base64 ,进入
来到:
00498302 8BC0 MOV EAX,EAX
00498304 55 PUSH EBP
00498305 8BEC MOV EBP,ESP
00498307 51 PUSH ECX
00498308 53 PUSH EBX
00498309 8BDA MOV EBX,EDX
0049830B 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049830E 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00498311 E8 C6C4F6FF CALL ppp6.004047DC
00498316 33C0 XOR EAX,EAX
00498318 55 PUSH EBP
00498319 68 90834900 PUSH ppp6.00498390
0049831E 64:FF30 PUSH DWORD PTR FS:[EAX]
00498321 64:8920 MOV DWORD PTR FS:[EAX],ESP
00498324 33C0 XOR EAX,EAX
00498326 55 PUSH EBP
00498327 68 73834900 PUSH ppp6.00498373
0049832C 64:FF30 PUSH DWORD PTR FS:[EAX]
0049832F 64:8920 MOV DWORD PTR FS:[EAX],ESP
00498332 68 18FE4900 PUSH ppp6.0049FE18
00498337 E8 4CE8F6FF CALL <JMP.&kernel32.EnterCriticalSection>
0049833C B9 00040000 MOV ECX,400
00498341 8B15 34FE4900 MOV EDX,DWORD PTR DS:[49FE34]
00498347 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049834A E8 91FEFFFF CALL ppp6.004981E0 //跟进,算法在这里面
0049834F 8BD3 MOV EDX,EBX
00498351 A1 34FE4900 MOV EAX,DWORD PTR DS:[49FE34]
00498356 E8 1514F7FF CALL ppp6.00409770
0049835B 33C0 XOR EAX,EAX
0049835D 5A POP EDX
0049835E 59 POP ECX
0049835F 59 POP ECX
00498360 64:8910 MOV DWORD PTR FS:[EAX],EDX
00498363 68 7A834900 PUSH ppp6.0049837A
00498368 68 18FE4900 PUSH ppp6.0049FE18
0049836D E8 86E9F6FF CALL <JMP.&kernel32.LeaveCriticalSection>
00498372 C3 RETN
来到:
004981E0 55 PUSH EBP
004981E1 8BEC MOV EBP,ESP
004981E3 83C4 EC ADD ESP,-14
004981E6 53 PUSH EBX
004981E7 56 PUSH ESI
004981E8 57 PUSH EDI
。。。。
。。。。
00498235 894D EC MOV DWORD PTR SS:[EBP-14],ECX
00498238 BF 01000000 MOV EDI,1
0049823D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00498240 0FB64C39 FF MOVZX ECX,BYTE PTR DS:[ECX+EDI-1] //取KEY文件数据的每一位的ASC
00498245 83E9 3C SUB ECX,3C //减去$3c
00498248 78 0F JS SHORT ppp6.00498259 //小于$3c就跳
0049824A 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0049824D 8A4C39 FF MOV CL,BYTE PTR DS:[ECX+EDI-1] //取KEY文件数据的每一位的ASC
00498251 80E9 3C SUB CL,3C //减去$3c
00498254 884D F3 MOV BYTE PTR SS:[EBP-D],CL
后面就是Base64解码了,改变的就是每位减去$3c ,呵呵!
------------------------------------------------------------------------------------------------------------------------------------
第二种变形Base64:
0049A765 E8 BAFEFFFF CALL <JMP.&mmsoft.MMVod50SCode> //第二种变形Base64 ,跟进
来到:
0056899C > 55 PUSH EBP
0056899D 8BEC MOV EBP,ESP
0056899F B9 0F000000 MOV ECX,0F
005689A4 6A 00 PUSH 0
005689A6 6A 00 PUSH 0
005689A8 49 DEC ECX
005689A9 ^ 75 F9 JNZ SHORT mmsoft.005689A4
005689AB 53 PUSH EBX
.............
..............
..............
00568A17 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
EAX=’MmGZSVOD50Bk1N2r4J9FsILjPQiU7YaWbEcHdef3ghTlXnCop8qtKuvRwxAy6z+/‘
仔细看下,这不就是变形了的Base64表吗
下面就是Base64解码了
00568A1A 50 PUSH EAX
00568A1B 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00568A1E 8A5437 FF MOV DL,BYTE PTR DS:[EDI+ESI-1]
00568A22 E8 05B7FAFF CALL mmsoft.0051412C
--------------------------------------------------------------------------------------------------------------------------
总结:
第一种变形Base64: 把每位减去$3c ,所以加密就是结果的每位加上$3c
第二种变形Base64:
Base64表由标准的’ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/‘
改变成了’MmGZSVOD50Bk1N2r4J9FsILjPQiU7YaWbEcHdef3ghTlXnCop8qtKuvRwxAy6z+/‘
注册机DELPHI代码:
const BaseTable:string='MmGZSVOD50Bk1N2r4J9FsILjPQiU7YaWbEcHdef3ghTlXnCop8qtKuvRwxAy6z+/=';
var
Form1: TForm1;
implementation
{$R *.dfm}
function EncodeBase64(Source:string;ljj:Integer):string; //第一种变形Base64
var
Times,LenSrc,i:integer;
x1,x2,x3,x4:char;
xt:byte;
begin
result:='';
LenSrc:=length(Source);
if LenSrc mod 3 =0 then Times:=LenSrc div 3
else Times:=LenSrc div 3 + 1;
for i:=0 to times-1 do
begin
if LenSrc >= (3+i*3) then
begin
x1:=char((ord(Source[1+i*3]) shr 2)+ljj);
xt:=(ord(Source[1+i*3]) shl 4) and 48;
xt:=xt or (ord(Source[2+i*3]) shr 4);
x2:=char(xt+ljj);
xt:=(Ord(Source[2+i*3]) shl 2) and 60;
xt:=xt or (ord(Source[3+i*3]) shr 6);
x3:=char(xt+ljj);
xt:=(ord(Source[3+i*3]) and 63);
x4:=char(xt+ljj);
end
else if LenSrc>=(2+i*3) then
begin
x1:=char((ord(Source[1+i*3]) shr 2)+ljj);
xt:=(ord(Source[1+i*3]) shl 4) and 48;
xt:=xt or (ord(Source[2+i*3]) shr 4);
x2:=char(xt+ljj);
xt:=(ord(Source[2+i*3]) shl 2) and 60;
x3:=char(xt+ljj);
x4:=char(0);
end else
begin
x1:=char((ord(Source[1+i*3]) shr 2)+ljj);
xt:=(ord(Source[1+i*3]) shl 4) and 48;
x2:=char(xt+ljj);
x3:=char(0);
x4:=char(0);
end;
result:=result+x1+x2+x3+x4;
end;
end;
function EncodeBase642(Source:string):string; ////第二种变形Base64
var
Times,LenSrc,i:integer;
x1,x2,x3,x4:char;
xt:byte;
begin
result:='';
LenSrc:=length(Source);
if LenSrc mod 3 =0 then Times:=LenSrc div 3
else Times:=LenSrc div 3 + 1;
for i:=0 to times-1 do
begin
if LenSrc >= (3+i*3) then
begin
x1:=BaseTable[(ord(Source[1+i*3]) shr 2)+1];
xt:=(ord(Source[1+i*3]) shl 4) and 48;
xt:=xt or (ord(Source[2+i*3]) shr 4);
x2:=BaseTable[xt+1];
xt:=(Ord(Source[2+i*3]) shl 2) and 60;
xt:=xt or (ord(Source[3+i*3]) shr 6);
x3:=BaseTable[xt+1];
xt:=(ord(Source[3+i*3]) and 63);
x4:=BaseTable[xt+1];
end
else if LenSrc>=(2+i*3) then
begin
x1:=BaseTable[(ord(Source[1+i*3]) shr 2)+1];
xt:=(ord(Source[1+i*3]) shl 4) and 48;
xt:=xt or (ord(Source[2+i*3]) shr 4);
x2:=BaseTable[xt+1];
xt:=(ord(Source[2+i*3]) shl 2) and 60;
x3:=BaseTable[xt+1];
x4:=char(0);
end else
begin
x1:=BaseTable[(ord(Source[1+i*3]) shr 2)+1];
xt:=(ord(Source[1+i*3]) shl 4) and 48;
x2:=BaseTable[xt+1];
x3:=char(0);
x4:=char(0);
end;
result:=result+x1+x2+x3+x4;
end;
end;
procedure TForm1.btn1Click(Sender: TObject);
var
ppp,regsn:string;
h:Integer;
begin
ppp:=edt1.text+'+'+edt2.Text+'+'+edt3.Text+'+'+edt4.Text+'+'+edt5.Text;
regsn:=EncodeBase64(EncodeBase642(ppp),$3c);
dlgSave1.FileName:='VODSERVER'+'-'+edt3.Text+'授权数.dat';
if dlgSave1.Execute then
begin
h:=FileCreate(dlgSave1.FileName);
FileWrite(h,PChar(regsn)^,Length(regsn));
FileClose(h);
end;
end;
procedure TForm1.FormCreate(Sender: TObject);
begin
edt5.Text:=DateToStr(date);
end;
end. |
|
IP卡
发表于 2007-8-19 10:50:12
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2007-8-19 12:44:20
发表于 2007-8-19 15:07:23
发表于 2007-8-25 13:54:33
发表于 2007-9-13 18:56:15