发表于 2008-8-30 22:42:02
拜楼上的,耐心好的用IDA反编译看代码确实很省事!
感谢蚊香老大的支持与慷慨,以下流程是本人的调试流程(未知反跟踪与调试陷阱),先贴张图(跑这个CM用F7单步法效果好点)
如图所示,在引发错误的调用处我们都设置断点
为了使程序能正常地跑起来并设断,我们需要修改以下几个跳转,以便正常地分析算法
①
........
00401519 >mov edi, 00401296 ; 入口地址
0040151E >mov ecx, 100
00401523 >mov al, 99
00401525 >xor al, 55
00401527 >repne scas byte ptr es:[edi]
00401529 >test ecx, ecx
0040152B >je short 00401533 ; 此处改为jmp short 00401533,跳过后面的jmp short 004014F5
0040152D >pop esi
0040152E >xor esi, esi
00401530 >push edi
00401531 >jmp short 004014F5
00401533 >retn
00401534 >int3
................
②
.........
004014B1 mov edi, dword ptr [edi]
004014B3 mov ecx, 6
004014B8 mov al, 0CC
004014BA repne scas byte ptr es:[edi]
004014BC test ecx, ecx
004014BE je short 004014C6 ; 同理,此处改为jmp short 004014C6
004014C0 pop esi
004014C1 xor esi, esi
004014C3 push edi
004014C4 jmp short 004014F5
004014C6 retn
........
③
.......
0040139A mov byte ptr [40304F], dl
004013A0 mov cl, byte ptr [403044]
004013A6 cmp cl, 40
004013A9 jmp short 004013B0 ; 此处改为jmp short 004013B0
004013AB jmp 004014F5
004013B0 jmp 00401480
004013B5 retn
........
④
接着往后走会发现
.......
; Routine at 00401510, called from 00401480. Listing shows the author's patched
; version: the conditional jump at 0040152B has already been turned into an
; unconditional jmp. Two checks live here: serial[1] == 'E', and a scan of the
; program entry code for 0xCC (int3) bytes, i.e. software breakpoints.
00401510 mov al, byte ptr [403024] ; al = serial[1], second byte of the buffer filled at 004012D9 (00403023 + 1)
00401515 cmp al, 45 ; 0x45 = 'E': the second character of the serial must be 'E'
00401517 jnz short 004014F5 ; mismatch -> 004014F5, the same target the other failed checks jump to
00401519 mov edi, 00401296 ; edi = scan start: the program's entry address
0040151E mov ecx, 100 ; scan at most 0x100 bytes
00401523 mov al, 99
00401525 xor al, 55 ; al = 0x99 ^ 0x55 = 0xCC, the int3 opcode (presumably split so 0xCC does not appear literally)
00401527 repne scas byte ptr es:[edi] ; stop at the first 0xCC byte in the entry code, or when ecx runs out
00401529 test ecx, ecx ; ecx == 0: no breakpoint byte found within the scanned range
0040152B jmp short 00401533 ; originally je short 00401533; patched to jmp so the diversion below is never taken
0040152D pop esi ; breakpoint byte found: discard the return address of the call from 00401480 ...
0040152E xor esi, esi
00401530 push edi
00401531 jmp short 004014F5 ; ... and continue at 004014F5 instead of returning
00401533 retn
.......
⑤
......
; Code at 00401480, reached by the jmp at 004013B0 and ending in retn, so it
; acts as the tail of the routine that contains 0040139A..004013B5. Same
; pattern as 00401510: an int3 scan, this time over the serial-check routine.
00401480 call 00401510 ; serial[1] == 'E' check plus the entry-code int3 scan
00401485 xor ebx, ebx
00401487 mov edi, 00401480
0040148C sub edi, 60 ; edi = 00401480 - 0x60 = 00401420, inside the serial-check routine 004013B6..0040147D
0040148F mov eax, 0DE
00401494 xor eax, 12 ; al = 0xDE ^ 0x12 = 0xCC, the int3 opcode, again not written as a literal
00401497 mov ecx, 59 ; scan 0x59 bytes: 00401420..00401478, the comparison part of the check routine
0040149C repne scas byte ptr es:[edi] ; stop at the first 0xCC byte in that range, or when ecx runs out
0040149E test ecx, ecx ; ecx == 0: no breakpoint byte found
004014A0 je short 004014A8 ; the author changes this to jmp short 004014A8 so the diversion below is skipped
004014A2 pop esi ; breakpoint byte found: drop the return address ...
004014A3 xor esi, esi
004014A5 push edi
004014A6 jmp short 004014F5 ; ... and continue at 004014F5 instead of returning
004014A8 retn
.......
将以上的修改另存为一个文件,用OD重新载入。断点通过看代码或者字串参考也能知道,很好下:bp GetDlgItemTextA,会断在以下代码
........
0040129A mov esi, 004012FE
0040129F push esi
004012A0 push dword ptr fs:[0]
004012A7 mov dword ptr fs:[0], esp
004012AE push dword ptr [40303C] ; /Count = 1E (30.)
004012B4 push 00403000 ; |Buffer = KGM1Tal1.00403000
004012B9 push 3EC ; |ControlID = 3EC (1004.)
004012BE push dword ptr [ebp+8] ; |hWnd
004012C1 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004012C6 push dword ptr [403040] ; /Count = 14 (20.)
004012CC push 00403023 ; |Buffer = KGM1Tal1.00403023
004012D1 push 3ED ; |ControlID = 3ED (1005.)
004012D6 push dword ptr [ebp+8] ; |hWnd
004012D9 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004012DE call 00401332 ;这个Call要跟进一下,是判断注册码并对用户名进行初始计算的
004012E3 push 00403053 ; ASCII "ZWATRQLCGHPSXYENVBJDFKMU",内置码表
004012E8 call 004013B6 ;关键的算法Call了
004012ED call 004014CE ;对注册码的最后一位进行判断的Call了
004012F2 push 0 ; /Result = 0
004012F4 push dword ptr [ebp+8] ; |hWnd
004012F7 call <jmp.&user32.EndDialog> ; \EndDialog
004012FC jmp short 00401324
.......
关键算法部分,未加注释,大家动态跟踪一下,很容易看懂的(主要是自己功力不够,怕越说越乱)
........
; Serial-check routine 004013B6, called from 004012E8 with one stack argument:
; the address of the 24-character table "ZWATRQLCGHPSXYENVBJDFKMU" pushed at
; 004012E3 (read here as [ebp+8]). It reads the serial buffer at 00403023 and
; the byte stored at 0040304F (written at 0040139A from dl). Every failed
; comparison jumps to 004014F5; on success it falls through to leave / retn 4.
; Register roles: esi = serial buffer, edi = table, ebx = byte sum,
; ecx = serial position, al = table index, dl = step added to the index.
; Note: the reduction at 00401404 / 00401438 / 00401467 subtracts 0x18 at most
; once, so an index built from an arbitrary serial byte can still be >= 0x18
; and the table read at [eax+edi] then goes past the 24-byte table.
004013B6 push ebp
004013B7 mov ebp, esp
004013B9 push 00403023 ; argument: the serial buffer (ASCII "1E2345678" in this trace)
004013BE call 00401540 ; returns the serial length in eax (per the author's note)
004013C3 cmp eax, 0A ; the serial must be exactly 10 characters
004013C6 jnz 004014F5 ; wrong length -> failure
004013CC mov esi, 00403023 ; esi = serial buffer
004013D1 mov eax, 0 ; eax = byte index
004013D6 mov ebx, 0 ; ebx = running sum
004013DB xor ecx, ecx ; only cl is written in the loop, so ecx stays a zero-extended byte
004013DD jmp short 004013E5
004013DF mov cl, byte ptr [eax+esi] ; cl = serial[index]
004013E2 add ebx, ecx ; sum += serial[index]
004013E4 inc eax
004013E5 cmp eax, 9 ; indexes 0..8: the first nine bytes are summed, the tenth is not
004013E8 jb short 004013DF
004013EA mov eax, ebx
004013EC mov ecx, 9
004013F1 cdq ; sign-extend eax into edx before the signed divide
004013F2 idiv ecx ; eax = sum / 9, edx = sum % 9
004013F4 mov dword ptr [40304A], eax ; quotient stored; not read again in this routine, and the remainder in edx is not used either
004013F9 mov edi, dword ptr [ebp+8] ; edi = table argument
004013FC mov dl, byte ptr [40304F] ; dl = byte saved at 0040304F by 0040139A (presumably derived from the user name by the call at 004012DE -- confirm)
00401402 mov al, dl
00401404 cmp al, 18
00401406 jbe short 0040140A
00401408 sub al, 18 ; if al > 0x18 (24 = table length) subtract 0x18 once; not a full modulo
0040140A mov byte ptr [40304E], al ; [40304E] = current table index
0040140F xor eax, eax
00401411 mov al, byte ptr [40304E] ; eax = index, zero-extended (al == 0x18 passes the check above and indexes one past the table)
00401416 mov ah, byte ptr [eax+edi] ; ah = table[index]
00401419 mov dh, byte ptr [esi] ; dh = serial[0]
0040141B cmp ah, dh ; serial[0] must equal table[index]
0040141D jnz 004014F5
00401423 sub dh, 41 ; dh = serial[0] - 'A' -- dead: overwritten by the next instruction
00401426 mov dh, dl
00401428 mov ah, 0
0040142A mov byte ptr [40304E], al
0040142F xor eax, eax
00401431 mov al, byte ptr [40304E] ; eax = index again
00401436 add al, dl ; index += saved byte (8-bit add, wraps)
00401438 cmp al, 18
0040143A jbe short 0040143E
0040143C sub al, 18 ; same single-subtraction reduction
0040143E mov ecx, 2 ; ecx = serial position; position 1 ('E') is checked separately in 00401510
00401443 mov ah, byte ptr [eax+edi] ; ah = table[index]
00401446 mov dh, byte ptr [ecx+esi] ; dh = serial[2]
00401449 cmp ah, dh ; serial[2] must equal table[index]
0040144B jnz 004014F5
00401451 jmp short 00401477 ; enter the loop at its condition
00401453 mov byte ptr [40304E], al ; loop body: [40304E] = index
00401458 xor eax, eax
0040145A mov al, byte ptr [40304E]
0040145F sub dh, 41 ; dh = previous serial character - 'A'
00401462 mov dl, dh ; step = previous serial character - 'A'
00401464 inc ecx ; next serial position
00401465 add al, dl ; index += step (8-bit add, wraps)
00401467 cmp al, 18
00401469 jbe short 0040146D
0040146B sub al, 18
0040146D mov ah, byte ptr [eax+edi] ; ah = table[index]
00401470 mov dh, byte ptr [ecx+esi] ; dh = serial[position]
00401473 cmp ah, dh ; serial[position] must equal table[index]
00401475 jnz short 004014F5
00401477 cmp ecx, 8 ; loop while position < 8: positions 3..8 are checked here
0040147A jb short 00401453
0040147C leave
0040147D retn 4 ; pops the table argument; position 9 is checked by the call at 004014CE per the author's note
........
算法部分省略了,省点篇幅,以免看着眼花!个人感觉反跟踪调试部分搞定了,其余的大家跟一下应该不难的.
[ 本帖最后由 x80x88 于 2008-8-30 23:41 编辑 ]