[Repost] Analysing a packed E Language (易语言) program + a simple floating-point algorithm
【Writeup title】Packed analysis of an E Language program + a simple floating-point algorithm: 靓仔系统保护专家 (Liangzai System Protection Expert)
【Software name】靓仔系统保护专家 version 1.34!
【Software intro】靓仔系统保护专家 is a small but powerful system protection tool that protects your system and supports all current Windows operating systems. It has three main feature modules. System security lock: forcibly locks the computer and supports remote unlocking (unlocking the target computer over the Internet); the initial password is empty, so users are advised to change it right after first use. File encryption: users can encrypt files of any type with the strong RC4 or DES algorithms. Disguised folders: makes real and fake folders indistinguishable, keeping the data in your folders safer!
【Software URL】http://www4.skycn.com/soft/15386.html
【Writeup author】KiLlL[DFCG]
【Cracking date】2005-7-13
【Brief note】Can be treated as a simple beginner's E Language crackme
【Cracking process】
Checking the packer with PEiD shows ASPack 2.12 -> Alexey Solodovnikov [overlay]. As someone clueless about packers, I first tried PEiD's generic unpacker; it does unpack, but the unpacked program just reports "file data error!" when run. Not fun! If you know a bit about E Language, you can probably tell it was written in E Language.
Brothers, I don't know how to unpack it, so I had to grit my teeth and analyse it with the packer still on.
The only upside is that we know the language, and E Language's weak point is that it is easy to break on. Let's see:
Load it in OllyDbg, press Alt+M and check whether there is an ecode section. Run it; it asks whether to register; click Register and the registration window pops up.
OK, enter the fake code 123, press Alt+M again, pick the ecode section and hit F2 hard, click Register, and it breaks. Half the job done:
00413C08 55 push ebp ; the program breaks here
00413C09 8BEC mov ebp,esp
00413C0B 81EC 34000000 sub esp,34
00413C11 6A FF push -1
00413C13 6A 0A push 0A
00413C15 68 DB000116 push 160100DB
00413C1A 68 D8000152 push 520100D8
00413C1F E8 2F100000 call lzbhzj.00414C53
00413C24 83C4 10 add esp,10
00413C27 8945 FC mov dword ptr ss:[ebp-4],eax
(some lines omitted)
00413CCC 83C4 04 add esp,4
00413CCF 837D F8 00 cmp dword ptr ss:[ebp-8],0
00413CD3 0F84 D9040000 je lzbhzj.004141B2
00413CD9 6A FF push -1
00413CDB 6A 08 push 8
00413CDD 68 DD000116 push 160100DD
00413CE2 68 D8000152 push 520100D8
00413CE7 E8 670F0000 call lzbhzj.00414C53
00413CEC 83C4 10 add esp,10
00413CEF 8945 FC mov dword ptr ss:[ebp-4],eax ; reads the fake code 123
00413CF2 68 CA914000 push lzbhzj.004091CA
00413CF7 FF75 FC push dword ptr ss:[ebp-4]
00413CFA E8 E5B1FFFF call lzbhzj.0040EEE4
00413CFF 83C4 08 add esp,8
00413D02 83F8 00 cmp eax,0
00413D05 B8 00000000 mov eax,0
00413D0A 0F94C0 sete al
00413D0D 8945 F8 mov dword ptr ss:[ebp-8],eax
00413D10 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00413D13 85DB test ebx,ebx ; check whether it is empty
00413D15 74 09 je short lzbhzj.00413D20
00413D17 53 push ebx
00413D18 E8 300F0000 call lzbhzj.00414C4D
00413D1D 83C4 04 add esp,4
00413D20 837D F8 00 cmp dword ptr ss:[ebp-8],0
00413D24 0F84 61000000 je lzbhzj.00413D8B
00413D2A 68 04000080 push 80000004
00413D2F 6A 00 push 0
00413D31 68 D3A24000 push lzbhzj.0040A2D3
00413D36 68 01030080 push 80000301
00413D3B 6A 00 push 0
00413D3D 68 40000000 push 40
00413D42 68 04000080 push 80000004
00413D47 6A 00 push 0
00413D49 68 DAA24000 push lzbhzj.0040A2DA
00413D4E 68 03000000 push 3
00413D53 BB 00030000 mov ebx,300
00413D58 E8 E40E0000 call lzbhzj.00414C41
00413D5D 83C4 28 add esp,28
00413D60 68 05000100 push 10005
00413D65 68 DD000116 push 160100DD
00413D6A 68 D8000152 push 520100D8
00413D6F 68 01000000 push 1
00413D74 BB 64030000 mov ebx,364
00413D79 E8 C30E0000 call lzbhzj.00414C41
00413D7E 83C4 10 add esp,10
00413D81 E9 2C040000 jmp lzbhzj.004141B2
00413D86 E9 22040000 jmp lzbhzj.004141AD
00413D8B DB05 200DD600 fild dword ptr ds:[D60D20] ; machine code 1347647860
00413D91 DD5D F8 fstp qword ptr ss:[ebp-8]
00413D94 DD45 F8 fld qword ptr ss:[ebp-8]
00413D97 DC35 1C924000 fdiv qword ptr ds:[40921C] ; / 67 (constant)
00413D9D DD5D F8 fstp qword ptr ss:[ebp-8] ; st=20114147.164179105280
00413DA0 DD45 F8 fld qword ptr ss:[ebp-8]
00413DA3 DC05 24924000 fadd qword ptr ds:[409224] ; add the constant 8762454
00413DA9 DD5D F0 fstp qword ptr ss:[ebp-10]
00413DAC DD45 F0 fld qword ptr ss:[ebp-10] ; st=28876601.164179107840
00413DAF DC0D 1C924000 fmul qword ptr ds:[40921C] ; * 67 (constant)
00413DB5 DD5D E8 fstp qword ptr ss:[ebp-18]
00413DB8 6A 00 push 0
00413DBA 6A 00 push 0
00413DBC 6A 00 push 0
00413DBE 68 01060080 push 80000601
00413DC3 FF75 EC push dword ptr ss:[ebp-14]
00413DC6 FF75 E8 push dword ptr ss:[ebp-18]
00413DC9 68 02000000 push 2
00413DCE BB 68000000 mov ebx,68
00413DD3 E8 690E0000 call lzbhzj.00414C41
00413DD8 83C4 1C add esp,1C
00413DDB 8945 D8 mov dword ptr ss:[ebp-28],eax
00413DDE 8955 DC mov dword ptr ss:[ebp-24],edx ; 1104991338
00413DE1 DD45 D8 fld qword ptr ss:[ebp-28] ; computed result 1934732278.000000
00413DE4 E8 98B1FFFF call lzbhzj.0040EF81
00413DE9 A3 240DD600 mov dword ptr ds:[D60D24],eax ; converted to hex: eax=7351ABF6
00413DEE DB05 200DD600 fild dword ptr ds:[D60D20] ; machine code 1104991338
00413DF4 DD5D F8 fstp qword ptr ss:[ebp-8]
00413DF7 DD45 F8 fld qword ptr ss:[ebp-8]
00413DFA DC35 1C924000 fdiv qword ptr ds:[40921C] ; /67
00413E00 DD5D F8 fstp qword ptr ss:[ebp-8] ; st=20114147.164179105280
00413E03 DD45 F8 fld qword ptr ss:[ebp-8]
00413E06 DC05 24924000 fadd qword ptr ds:[409224] ; add the constant 8762454
00413E0C DD5D F0 fstp qword ptr ss:[ebp-10]
00413E0F DD45 F0 fld qword ptr ss:[ebp-10]
00413E12 DC0D 1C924000 fmul qword ptr ds:[40921C] ; multiply by 67 again
00413E18 DD5D E8 fstp qword ptr ss:[ebp-18] ; result: 1934732278
00413E1B 6A 00 push 0 ; why is it computed a second time? BUG
00413E1D 6A 00 push 0
00413E1F 6A 00 push 0
00413E21 68 01060080 push 80000601
00413E26 FF75 EC push dword ptr ss:[ebp-14]
00413E29 FF75 E8 push dword ptr ss:[ebp-18]
00413E2C 68 02000000 push 2
00413E31 BB 68000000 mov ebx,68
00413E36 E8 060E0000 call lzbhzj.00414C41
00413E3B 83C4 1C add esp,1C
00413E3E 8945 E0 mov dword ptr ss:[ebp-20],eax
00413E41 8955 E4 mov dword ptr ss:[ebp-1C],edx
00413E44 6A FF push -1
00413E46 6A 08 push 8
00413E48 68 DD000116 push 160100DD
00413E4D 68 D8000152 push 520100D8
00413E52 E8 FC0D0000 call lzbhzj.00414C53
00413E57 83C4 10 add esp,10
00413E5A 8945 DC mov dword ptr ss:[ebp-24],eax ; fake code 123
00413E5D 68 04000080 push 80000004
00413E62 6A 00 push 0
00413E64 8B45 DC mov eax,dword ptr ss:[ebp-24]
00413E67 85C0 test eax,eax
00413E69 75 05 jnz short lzbhzj.00413E70
00413E6B B8 CA914000 mov eax,lzbhzj.004091CA
00413E70 50 push eax
00413E71 68 01000000 push 1
00413E76 BB 78010000 mov ebx,178
00413E7B E8 C10D0000 call lzbhzj.00414C41
00413E80 83C4 10 add esp,10
00413E83 8945 D8 mov dword ptr ss:[ebp-28],eax
00413E86 8B5D DC mov ebx,dword ptr ss:[ebp-24]
00413E89 85DB test ebx,ebx
00413E8B 74 09 je short lzbhzj.00413E96
00413E8D 53 push ebx
00413E8E E8 BA0D0000 call lzbhzj.00414C4D
00413E93 83C4 04 add esp,4
00413E96 68 04000080 push 80000004
00413E9B 6A 00 push 0
00413E9D 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00413EA0 85C0 test eax,eax
00413EA2 75 05 jnz short lzbhzj.00413EA9
00413EA4 B8 CA914000 mov eax,lzbhzj.004091CA
00413EA9 50 push eax
00413EAA 68 01000000 push 1
00413EAF BB 64010000 mov ebx,164
00413EB4 E8 880D0000 call lzbhzj.00414C41
00413EB9 83C4 10 add esp,10
00413EBC 8945 D0 mov dword ptr ss:[ebp-30],eax
00413EBF 8955 D4 mov dword ptr ss:[ebp-2C],edx
00413EC2 8B5D D8 mov ebx,dword ptr ss:[ebp-28]
00413EC5 85DB test ebx,ebx
00413EC7 74 09 je short lzbhzj.00413ED2
00413EC9 53 push ebx
00413ECA E8 7E0D0000 call lzbhzj.00414C4D
00413ECF 83C4 04 add esp,4
00413ED2 DD45 E0 fld qword ptr ss:[ebp-20] ; computed result
00413ED5 DC65 D0 fsub qword ptr ss:[ebp-30] ; - fake code
00413ED8 D9E4 ftst
00413EDA DFE0 fstsw ax
00413EDC F6C4 01 test ah,1
00413EDF 74 02 je short lzbhzj.00413EE3 ; is the result 0?
00413EE1 D9E0 fchs
00413EE3 DC1D 2C924000 fcomp qword ptr ds:[40922C] ; then compare with the constant 9.999999999999998e-08
00413EE9 DFE0 fstsw ax
00413EEB F6C4 41 test ah,41
00413EEE 0F85 61000000 jnz lzbhzj.00413F55 ; if it still doesn't jump after the error tolerance, it's over
00413EF4 68 04000080 push 80000004
00413EF9 6A 00 push 0
00413EFB 68 919E4000 push lzbhzj.00409E91
00413F00 68 01030080 push 80000301
00413F05 6A 00 push 0
00413F07 68 10000000 push 10
00413F0C 68 04000080 push 80000004
00413F11 6A 00 push 0
00413F13 68 EBA24000 push lzbhzj.0040A2EB
00413F18 68 03000000 push 3
00413F1D BB 00030000 mov ebx,300
00413F22 E8 1A0D0000 call lzbhzj.00414C41 ; shows the error dialog
00413F27 83C4 28 add esp,28
00413F2A 68 05000100 push 10005
00413F2F 68 DD000116 push 160100DD
00413F34 68 D8000152 push 520100D8
00413F39 68 01000000 push 1
The algorithm is so simple it's embarrassing to spell out: it's just (machine code * 67 + 8762454) / 67
Likewise, if you set the breakpoint at startup, you can see it accessing the registry:
004137D6 55 push ebp ; the program breaks here
004137D7 8BEC mov ebp,esp
004137D9 81EC 30000000 sub esp,30
004137DF 6A 00 push 0
004137E1 68 95A04000 push lzbhzj.0040A095
004137E6 6A FF push -1
004137E8 6A 08 push 8
004137EA 68 D9000116 push 160100D9
004137EF 68 D8000152 push 520100D8
004137F4 E8 4E140000 call lzbhzj.00414C47
004137F9 83C4 18 add esp,18
004137FC 6A 00 push 0
004137FE 6A 00 push 0
00413800 6A 00 push 0 ; read the registry
00413802 68 04000080 push 80000004
00413807 6A 00 push 0
00413809 68 0F924000 push lzbhzj.0040920F ; ASCII "lijunxi"
0041380E 68 04000080 push 80000004
00413813 6A 00 push 0
00413815 68 17924000 push lzbhzj.00409217 ; ASCII "user"
0041381A 68 04000080 push 80000004
0041381F 6A 00 push 0
00413821 68 E9914000 push lzbhzj.004091E9 ; ASCII "lzxtbh"
00413826 68 04000000 push 4
0041382B BB EC020000 mov ebx,2EC
00413830 E8 0C140000 call lzbhzj.00414C41
00413835 83C4 34 add esp,34
00413838 8945 F4 mov dword ptr ss:[ebp-C],eax ; the user value read: 0x50537974
0041383B DB45 F4 fild dword ptr ss:[ebp-C] ; decimal: 1347647860
0041383E DD5D F4 fstp qword ptr ss:[ebp-C]
00413841 DD45 F4 fld qword ptr ss:[ebp-C]
00413844 DC35 1C924000 fdiv qword ptr ds:[40921C] ; /67
0041384A DD5D F4 fstp qword ptr ss:[ebp-C]
0041384D DD45 F4 fld qword ptr ss:[ebp-C]
00413850 DC05 24924000 fadd qword ptr ds:[409224] ; +8762454.000000000
00413856 DD5D EC fstp qword ptr ss:[ebp-14]
00413859 DD45 EC fld qword ptr ss:[ebp-14]
0041385C DC0D 1C924000 fmul qword ptr ds:[40921C] ; *67
00413862 DD5D E4 fstp qword ptr ss:[ebp-1C] ; st=1934732278.0000000560
00413865 6A 00 push 0 ; converted to decimal; hex 50537974
00413867 6A 00 push 0
00413869 6A 00 push 0
0041386B 68 01060080 push 80000601
00413870 FF75 E8 push dword ptr ss:[ebp-18] ; 41DCD46A 1104991338
00413873 FF75 E4 push dword ptr ss:[ebp-1C]
00413876 68 02000000 push 2
0041387B BB 68000000 mov ebx,68
00413880 E8 BC130000 call lzbhzj.00414C41
00413885 83C4 1C add esp,1C
00413888 8945 DC mov dword ptr ss:[ebp-24],eax
0041388B 8955 E0 mov dword ptr ss:[ebp-20],edx
0041388E 6A 00 push 0
00413890 6A 00 push 0
00413892 6A 00 push 0
00413894 68 04000080 push 80000004
00413899 6A 00 push 0 ; read the registration code
0041389B 68 F0914000 push lzbhzj.004091F0 ; ASCII "ljx"
004138A0 68 04000080 push 80000004
004138A5 6A 00 push 0
004138A7 68 17924000 push lzbhzj.00409217 ; ASCII "user"
004138AC 68 04000080 push 80000004
004138B1 6A 00 push 0
004138B3 68 E9914000 push lzbhzj.004091E9 ; ASCII "lzxtbh"
004138B8 68 04000000 push 4
004138BD BB EC020000 mov ebx,2EC
004138C2 E8 7A130000 call lzbhzj.00414C41
004138C7 83C4 34 add esp,34
004138CA 8945 D0 mov dword ptr ss:[ebp-30],eax
004138CD DB45 D0 fild dword ptr ss:[ebp-30]
004138D0 DD5D D0 fstp qword ptr ss:[ebp-30]
004138D3 DD45 DC fld qword ptr ss:[ebp-24]
004138D6 DC65 D0 fsub qword ptr ss:[ebp-30]
004138D9 D9E4 ftst
004138DB DFE0 fstsw ax
004138DD F6C4 01 test ah,1 ; the comparison
004138E0 74 02 je short lzbhzj.004138E4 ; next, does it check for an error tolerance?
004138E2 D9E0 fchs
004138E4 DC1D 2C924000 fcomp qword ptr ds:[40922C]
004138EA DFE0 fstsw ax
004138EC F6C4 41 test ah,41
004138EF 0F84 9B000000 je lzbhzj.00413990 ; if this jumps, it's over~
【Algorithm analysis】registration code = (machine code * 67 + 8762454) / 67
【Additional note】Below is the data saved after successful registration; delete it and you can register again
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\lzxtbh\user]
"ljx"=dword:7351abf6
"lijunxi"=dword:50537974
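To verify the numbers in both traces and in the .reg dump, here is an added C example (not the author's or the program's code). It repeats the x87 sequence at 00413D8B in double arithmetic (fild, fdiv by 67, fadd 8762454, fmul by 67, with a store to a qword after each step) and then applies the comparison at 00413ED2 against the 9.999999999999998e-08 constant. The constants and the machine code 0x50537974 are the ones shown in the trace and stored under "lijunxi"; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The qword constants read at 0040921C, 00409224 and 0040922C in the trace. */
static const double DIVISOR = 67.0;
static const double ADDEND  = 8762454.0;
static const double EPSILON = 9.999999999999998e-08;

/* Same sequence as the x87 code at 00413D8B. The volatile store after each
 * step mirrors the fstp qword that rounds the 80-bit result to a double. */
static double derive_code(uint32_t machine_code)
{
    volatile double v = (double)machine_code;  /* fild dword ptr [D60D20]  */
    v = v / DIVISOR;                            /* fdiv qword ptr [40921C]  */
    v = v + ADDEND;                             /* fadd qword ptr [409224]  */
    v = v * DIVISOR;                            /* fmul qword ptr [40921C]  */
    return v;
}

/* The double is pushed as two dwords; edx holds the high half, which the
 * trace shows as 41DCD46A after the conversion call. */
static uint32_t high_dword(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits >> 32);
}

/* The call at 0040EF81 turns the double into an integer; that integer is
 * stored at 00D60D24 and, per the .reg dump, under "ljx". */
static uint32_t to_registry_dword(double d)
{
    return (uint32_t)(int64_t)d;
}

/* The check at 00413ED2: st = computed - entered; ftst/fchs makes it
 * non-negative; fcomp against EPSILON; test ah,41 is true (C3 or C0 set)
 * exactly when st <= EPSILON, so that is the accept condition. */
static int code_accepted(double computed, double entered)
{
    double diff = computed - entered;  /* fsub qword ptr [ebp-30]          */
    if (diff < 0.0)                    /* ftst; test ah,1: C0 set if st < 0 */
        diff = -diff;                  /* fchs                              */
    return diff <= EPSILON;            /* fcomp [40922C]; test ah,41        */
}

int main(void)
{
    /* Machine code from the trace, i.e. the "lijunxi" value in the .reg dump. */
    uint32_t machine_code = 0x50537974u;  /* 1347647860 */
    double code = derive_code(machine_code);

    printf("machine code   : %u (0x%08X)\n", machine_code, machine_code);
    printf("computed double: %.10f (high dword 0x%08X)\n", code, high_dword(code));
    printf("registry dword : 0x%08X\n", to_registry_dword(code));
    printf("fake code 123  : %s\n", code_accepted(code, 123.0) ? "accepted" : "rejected");
    printf("exact value    : %s\n", code_accepted(code, 1934732278.0) ? "accepted" : "rejected");
    return 0;
}
```

The 80-bit product that the trace shows as 1934732278.0000000560 rounds to exactly 1934732278.0 when stored as a qword, which is why the high dword is 0x41DCD46A and the integer conversion gives 0x7351ABF6, the "ljx" value in the .reg dump. The comparison against 9.999999999999998e-08 is the tolerance the program applies instead of testing the two doubles for exact equality; since the whole check reduces to this arithmetic and a registry lookup, the two dword values are the entirety of the protection.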