最近在弄一个软件,脱壳后有自校验,弄了半天都没办法,请各位指教一下。
软件下载地址:http://www.rayfile.com/files/6e0 ... -ae51-0014221b798a/
关键代码:
; ---------------------------------------------------------------------------------------
; Loader routine at 0040113A (debugger listing of module "unpack").
; What the listing shows: the routine opens the program's own file on disk, reads an
; 8-byte trailer at EOF-8, validates it, reads the data block that precedes the trailer,
; decompresses it, writes the contained files into a directory under the temp path,
; loads the one named krnln.fnr / krnln.fne and calls its export "GetNewSock".
; Arguments: 16 bytes of stack arguments (RETN 10). [EBP+8] is passed to
;   GetModuleFileNameA as the module handle and is later reused as a scratch slot.
;   NOTE(review): this is consistent with a WinMain-style entry - confirm.
; Locals: [EBP-4]  pointer to an error string (0 = no error)
;         [EBP-8]  heap buffer released on the common exit path
;         [EBP-C]  file position of the trailer, later the end pointer of the payload
;         [EBP-10] value returned by GetNewSock
;         [EBP-5C] name of the kernel library found in the payload
;         [EBP-194], [EBP-298] path buffers, 0x104 bytes apart
; EBX is zeroed once and used as 0 / NULL throughout.
; All validation is done on the file on disk (trailer and block at the end of the file),
; not on the in-memory image.
; NOTE(review), defensive observations visible in this listing:
;   - path pieces are joined by 004032C0 / 004032D0 with no length argument; if these are
;     strcpy/strcat-like (bodies not shown) the 0x104-byte stack buffers can overflow;
;   - entry names and entry sizes read from the payload are used without any bounds or
;     path-separator check visible here;
;   - a library is written to the temp directory and then loaded from there with no
;     integrity check in between;
;   - the handle opened on the program's own file is never passed to CloseHandle here.
; ---------------------------------------------------------------------------------------
0040113A 55 PUSH EBP
0040113B 8BEC MOV EBP,ESP
0040113D 81EC 98020000 SUB ESP,298
00401143 53 PUSH EBX
00401144 56 PUSH ESI
00401145 57 PUSH EDI
; GetModuleFileNameA([EBP+8], &[EBP-194], 0x104): path of the running module.
00401146 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
0040114C 68 04010000 PUSH 104
00401151 50 PUSH EAX
00401152 FF75 08 PUSH DWORD PTR SS:[EBP+8]
; EBX = 0; clear the error pointer, the buffer pointer and the GetNewSock result.
00401155 33DB XOR EBX,EBX
00401157 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0040115A 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0040115D 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00401160 FF15 24604000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
; CreateFileA(path, 0x80000000 GENERIC_READ, 1 FILE_SHARE_READ, NULL, 3 OPEN_EXISTING,
;             0x80 FILE_ATTRIBUTE_NORMAL, NULL): open the program's own file for reading.
00401166 53 PUSH EBX
00401167 68 80000000 PUSH 80
0040116C 6A 03 PUSH 3
0040116E 53 PUSH EBX
0040116F 6A 01 PUSH 1
00401171 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401177 68 00000080 PUSH 80000000
0040117C 50 PUSH EAX
0040117D FF15 20604000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileA
; EDI = file handle; -1 (INVALID_HANDLE_VALUE) selects the "Can't open file!" error and
; jumps past the buffer release, since nothing has been allocated yet.
00401183 8BF8 MOV EDI,EAX
00401185 83FF FF CMP EDI,-1
00401188 75 0C JNZ SHORT unpack.00401196
0040118A C745 FC C071400>MOV DWORD PTR SS:[EBP-4],unpack.004071C0 ; ASCII "Can't open file!"
00401191 E9 37030000 JMP unpack.004014CD
; ESI caches SetFilePointer. SetFilePointer(EDI, -8, NULL, 2 FILE_END): seek to EOF-8.
00401196 8B35 1C604000 MOV ESI,DWORD PTR DS:[<&KERNEL32.SetFile>; kernel32.SetFilePointer
0040119C 6A 02 PUSH 2
0040119E 53 PUSH EBX
0040119F 6A F8 PUSH -8
004011A1 57 PUSH EDI
004011A2 FFD6 CALL ESI
; The returned position is kept in [EBP-C]; a position below 0x3E8 (unsigned) is rejected.
004011A4 3D E8030000 CMP EAX,3E8
004011A9 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004011AC 0F82 FD020000 JB unpack.004014AF
; ReadFile(EDI, &[EBP-24], 8, &[EBP-1C], NULL): read the 8-byte trailer.
004011B2 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004011B5 53 PUSH EBX
004011B6 50 PUSH EAX
004011B7 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004011BA 6A 08 PUSH 8
004011BC 50 PUSH EAX
004011BD 57 PUSH EDI
004011BE 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
004011C1 FF15 18604000 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; kernel32.ReadFile
; A failed read, or a read of other than 8 bytes, is an error.
004011C7 85C0 TEST EAX,EAX
004011C9 0F84 E9020000 JE unpack.004014B8
004011CF 837D E4 08 CMP DWORD PTR SS:[EBP-1C],8
004011D3 0F85 DF020000 JNZ unpack.004014B8
; Trailer layout as used here: first dword = size of the preceding block, second dword
; must equal 829AB7A5. The size is kept in [EBP+8] (the argument slot is reused).
004011D9 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004011DC 817D E0 A5B79A8>CMP DWORD PTR SS:[EBP-20],829AB7A5
004011E3 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004011E6 0F85 C3020000 JNZ unpack.004014AF
; Size must be at least 4 and smaller than the trailer position (signed compares).
004011EC 83F8 04 CMP EAX,4
004011EF 0F8C BA020000 JL unpack.004014AF
004011F5 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
004011F8 0F8D B1020000 JGE unpack.004014AF
; 00403436(size): result is stored in [EBP-8] and a zero result selects the
; "Insufficient memory!" message - presumably a heap allocator (body not shown).
004011FE 50 PUSH EAX
004011FF E8 32220000 CALL unpack.00403436
00401204 3BC3 CMP EAX,EBX
00401206 59 POP ECX
00401207 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040120A 0F84 07010000 JE unpack.00401317
; SetFilePointer(EDI, -8 - size, NULL, 2 FILE_END): seek to the start of the block.
; PUSH -8 / POP EAX only loads -8 into EAX; [EBP-18] (bytes read) is cleared.
00401210 6A 02 PUSH 2
00401212 53 PUSH EBX
00401213 6A F8 PUSH -8
00401215 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
00401218 58 POP EAX
00401219 2B45 08 SUB EAX,DWORD PTR SS:[EBP+8]
0040121C 50 PUSH EAX
0040121D 57 PUSH EDI
0040121E FFD6 CALL ESI
00401220 83F8 FF CMP EAX,-1
00401223 0F84 7D020000 JE unpack.004014A6
; ReadFile(EDI, buffer, size, &[EBP-18], NULL): read the whole block into the buffer.
00401229 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8]
0040122C 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0040122F 53 PUSH EBX
00401230 50 PUSH EAX
00401231 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401234 56 PUSH ESI
00401235 57 PUSH EDI
00401236 FF15 18604000 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; kernel32.ReadFile
; The read must succeed, return exactly "size" bytes, and the block must start with the
; same 829AB7A5 value found in the trailer.
0040123C 85C0 TEST EAX,EAX
0040123E 0F84 62020000 JE unpack.004014A6
00401244 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401247 3945 E8 CMP DWORD PTR SS:[EBP-18],EAX
0040124A 0F85 56020000 JNZ unpack.004014A6
00401250 813E A5B79A82 CMP DWORD PTR DS:[ESI],829AB7A5
00401256 0F85 4A020000 JNZ unpack.004014A6
; GetTempPathA(0x104, &[EBP-194]) overwrites the module path; ESI skips the first dword.
0040125C 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401262 83C6 04 ADD ESI,4
00401265 50 PUSH EAX
00401266 68 04010000 PUSH 104
0040126B FF15 14604000 CALL DWORD PTR DS:[<&KERNEL32.GetTempPat>; kernel32.GetTempPathA
00401271 85C0 TEST EAX,EAX
00401273 75 0C JNZ SHORT unpack.00401281
00401275 C745 FC 9871400>MOV DWORD PTR SS:[EBP-4],unpack.00407198 ; ASCII "Can't retrieve the temporary directory!"
0040127C E9 3E020000 JMP unpack.004014BF
; wsprintfA(&[EBP-90], "E_%X", second dword of the block): directory name "E_<hex>".
00401281 8B06 MOV EAX,DWORD PTR DS:[ESI]
00401283 83C6 04 ADD ESI,4
00401286 50 PUSH EAX
00401287 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0040128D 68 90714000 PUSH unpack.00407190 ; ASCII "E_%X"
00401292 50 PUSH EAX
00401293 FF15 B0604000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
; 004032D0(&[EBP-194], &[EBP-90]): presumably appends the name to the temp path
; (strcat-like, body not shown). ADD ESP,14 cleans the wsprintfA and 004032D0 arguments.
; NOTE(review): no length is passed; a long temp path is not checked against the buffer.
00401299 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0040129F 50 PUSH EAX
004012A0 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012A6 50 PUSH EAX
004012A7 E8 24200000 CALL unpack.004032D0
004012AC 83C4 14 ADD ESP,14
; CreateDirectoryA(&[EBP-194], NULL); the return value is not examined.
004012AF 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012B5 53 PUSH EBX
004012B6 50 PUSH EAX
004012B7 FF15 10604000 CALL DWORD PTR DS:[<&KERNEL32.CreateDire>; kernel32.CreateDirectoryA
; 004032D0(&[EBP-194], 0040718C): appends the string at 0040718C (contents not shown in
; this listing; presumably a path separator - confirm).
004012BD 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012C3 68 8C714000 PUSH unpack.0040718C
004012C8 50 PUSH EAX
004012C9 E8 02200000 CALL unpack.004032D0
; 00401119(EDI = block + 0x0C, size - 0x0C, third dword of the block). The body of
; 00401119 is not shown; presumably it transforms or checks the data using that dword.
004012CE FF36 PUSH DWORD PTR DS:[ESI]
004012D0 836D 08 0C SUB DWORD PTR SS:[EBP+8],0C
004012D4 8D7E 04 LEA EDI,DWORD PTR DS:[ESI+4]
004012D7 FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012DA 57 PUSH EDI
004012DB E8 39FEFFFF CALL unpack.00401119
; Inner header at EDI: [EDI] must equal 033E0F0D and [EDI+4] (kept in [EBP-14]) must be
; positive; the remaining length after this 8-byte header must also be positive.
; From here on EDI no longer holds the file handle.
004012E0 836D 08 08 SUB DWORD PTR SS:[EBP+8],8
004012E4 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4]
004012E7 83C4 14 ADD ESP,14
004012EA 395D 08 CMP DWORD PTR SS:[EBP+8],EBX
004012ED 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004012F0 0F8E A7010000 JLE unpack.0040149D
004012F6 813F 0D0F3E03 CMP DWORD PTR DS:[EDI],33E0F0D
004012FC 0F85 9B010000 JNZ unpack.0040149D
00401302 3BC3 CMP EAX,EBX
00401304 0F8E 93010000 JLE unpack.0040149D
; Second allocation via 00403436([EDI+4]); ESI = output buffer.
0040130A 50 PUSH EAX
0040130B E8 26210000 CALL unpack.00403436
00401310 8BF0 MOV ESI,EAX
00401312 59 POP ECX
00401313 3BF3 CMP ESI,EBX
00401315 75 0C JNZ SHORT unpack.00401323
; Shared target for both failed allocations.
00401317 C745 FC 7471400>MOV DWORD PTR SS:[EBP-4],unpack.00407174 ; ASCII "Insufficient memory!"
0040131E E9 9C010000 JMP unpack.004014BF
; 0040321B(ESI, &[EBP-14], EDI + 8, remaining length); a non-zero result is treated as
; a decompression failure. NOTE(review): the (dest, &destLen, src, srcLen) shape
; resembles zlib's uncompress - confirm against the body, which is not shown.
00401323 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401326 83C7 08 ADD EDI,8
00401329 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040132C 57 PUSH EDI
0040132D 50 PUSH EAX
0040132E 56 PUSH ESI
0040132F E8 E71E0000 CALL unpack.0040321B
00401334 83C4 10 ADD ESP,10
00401337 85C0 TEST EAX,EAX
00401339 74 13 JE SHORT unpack.0040134E
; On failure the output buffer is released through 0040342B (presumably the matching
; free routine); the first buffer is released later on the common exit path.
0040133B 56 PUSH ESI
0040133C E8 EA200000 CALL unpack.0040342B
00401341 59 POP ECX
00401342 C745 FC 5871400>MOV DWORD PTR SS:[EBP-4],unpack.00407158 ; ASCII "Failed to decompress data!"
00401349 E9 71010000 JMP unpack.004014BF
; Success: release the raw block, make [EBP-8] point at the decompressed buffer (so the
; exit path releases it), and set [EBP-C] = buffer + [EBP-14] as the end pointer.
; The kernel-library name at [EBP-5C] starts out empty.
0040134E FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00401351 E8 D5200000 CALL unpack.0040342B
00401356 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00401359 59 POP ECX
0040135A 03C6 ADD EAX,ESI
0040135C 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI
0040135F 3BF0 CMP ESI,EAX
00401361 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401364 885D A4 MOV BYTE PTR SS:[EBP-5C],BL
00401367 0F83 B4000000 JNB unpack.00401421
; --- Loop over entries of the decompressed buffer. As walked here each entry is: a name
; followed by one byte (ESI advances by the value 004033B0 returns, plus 1), a dword
; length, then that many bytes of file data. 004033B0 is presumably strlen-like.
; [EBP+8] holds the pointer to the current entry name.
0040136D 8BFE /MOV EDI,ESI
0040136F 56 |PUSH ESI
00401370 897D 08 |MOV DWORD PTR SS:[EBP+8],EDI
00401373 E8 38200000 |CALL unpack.004033B0
; The stack slot of the previous argument is overwritten to become the second argument of
; 00405BD0(name, "krnln.fnr"); a zero result is treated as a match (presumably a string
; compare; case handling not visible here).
00401378 C70424 4C714000 |MOV DWORD PTR SS:[ESP],unpack.0040714C ; ASCII "krnln.fnr"
0040137F 57 |PUSH EDI
00401380 8D7406 01 |LEA ESI,DWORD PTR DS:[ESI+EAX+1]
00401384 E8 47480000 |CALL unpack.00405BD0
00401389 59 |POP ECX
0040138A 85C0 |TEST EAX,EAX
0040138C 59 |POP ECX
0040138D 74 11 |JE SHORT unpack.004013A0
0040138F 68 40714000 |PUSH unpack.00407140 ; ASCII "krnln.fne"
00401394 57 |PUSH EDI
00401395 E8 36480000 |CALL unpack.00405BD0
0040139A 59 |POP ECX
0040139B 85C0 |TEST EAX,EAX
0040139D 59 |POP ECX
0040139E 75 0C |JNZ SHORT unpack.004013AC
; Name matched one of the two kernel-library names: 004032C0(&[EBP-5C], name) records it
; (presumably strcpy-like, body not shown).
004013A0 8D45 A4 |LEA EAX,DWORD PTR SS:[EBP-5C]
004013A3 57 |PUSH EDI
004013A4 50 |PUSH EAX
004013A5 E8 161F0000 |CALL unpack.004032C0
004013AA 59 |POP ECX
004013AB 59 |POP ECX
; EDI = entry data length; ESI then points at the entry data.
; Build the output path in [EBP-298]: directory from [EBP-194], then the entry name.
; NOTE(review): the entry name comes from the payload and is appended with no length or
; path-separator check visible in this listing.
004013AC 8B3E |MOV EDI,DWORD PTR DS:[ESI]
004013AE 8D85 6CFEFFFF |LEA EAX,DWORD PTR SS:[EBP-194]
004013B4 50 |PUSH EAX
004013B5 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013BB 50 |PUSH EAX
004013BC 83C6 04 |ADD ESI,4
004013BF E8 FC1E0000 |CALL unpack.004032C0
004013C4 FF75 08 |PUSH DWORD PTR SS:[EBP+8]
004013C7 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013CD 50 |PUSH EAX
004013CE E8 FD1E0000 |CALL unpack.004032D0
004013D3 83C4 10 |ADD ESP,10
; CreateFileA(path, 0x40000000 GENERIC_WRITE, 0, NULL, 2 CREATE_ALWAYS,
;             0x80 FILE_ATTRIBUTE_NORMAL, NULL): an existing file of that name is replaced.
004013D6 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013DC 53 |PUSH EBX
004013DD 68 80000000 |PUSH 80
004013E2 6A 02 |PUSH 2
004013E4 53 |PUSH EBX
004013E5 53 |PUSH EBX
004013E6 68 00000040 |PUSH 40000000
004013EB 50 |PUSH EAX
004013EC FF15 20604000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFil>; kernel32.CreateFileA
; If the file cannot be created the entry is skipped silently.
004013F2 83F8 FF |CMP EAX,-1
004013F5 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX
004013F8 74 17 |JE SHORT unpack.00401411
; WriteFile(handle, ESI, EDI, &[EBP-28], NULL) then CloseHandle(handle).
; NOTE(review): the WriteFile result is not checked, and the length in EDI is not
; compared with the end pointer in [EBP-C] before the write.
004013FA 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]
004013FD 53 |PUSH EBX
004013FE 51 |PUSH ECX
004013FF 57 |PUSH EDI
00401400 56 |PUSH ESI
00401401 50 |PUSH EAX
00401402 FF15 0C604000 |CALL DWORD PTR DS:[<&KERNEL32.WriteFile>; kernel32.WriteFile
00401408 FF75 08 |PUSH DWORD PTR SS:[EBP+8]
0040140B FF15 08604000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; kernel32.CloseHandle
; Advance past the entry data; continue while ESI is below the end pointer (unsigned).
00401411 03F7 |ADD ESI,EDI
00401413 3B75 F4 |CMP ESI,DWORD PTR SS:[EBP-C]
00401416 ^ 0F82 51FFFFFF \JB unpack.0040136D
; After the loop: an empty [EBP-5C] means no entry was named krnln.fnr / krnln.fne.
0040141C 385D A4 CMP BYTE PTR SS:[EBP-5C],BL
0040141F 75 0C JNZ SHORT unpack.0040142D
00401421 C745 FC 2071400>MOV DWORD PTR SS:[EBP-4],unpack.00407120 ; ASCII "Not found the kernel library!"
00401428 E9 92000000 JMP unpack.004014BF
; Build directory + kernel-library name in [EBP-298] and pass it to LoadLibraryA.
; NOTE(review): the library is loaded from the temp directory straight after being
; written, with no verification of the file visible in this listing.
0040142D 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401433 50 PUSH EAX
00401434 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040143A 50 PUSH EAX
0040143B E8 801E0000 CALL unpack.004032C0
00401440 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401443 50 PUSH EAX
00401444 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040144A 50 PUSH EAX
0040144B E8 801E0000 CALL unpack.004032D0
00401450 83C4 10 ADD ESP,10
00401453 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
00401459 50 PUSH EAX
0040145A FF15 04604000 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
00401460 3BC3 CMP EAX,EBX
00401462 75 09 JNZ SHORT unpack.0040146D
00401464 C745 FC 0071400>MOV DWORD PTR SS:[EBP-4],unpack.00407100 ; ASCII "Failed to load kernel library!"
0040146B EB 52 JMP SHORT unpack.004014BF
; GetProcAddress(module, "GetNewSock").
0040146D 68 F4704000 PUSH unpack.004070F4 ; ASCII "GetNewSock"
00401472 50 PUSH EAX
00401473 FF15 00604000 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
00401479 3BC3 CMP EAX,EBX
0040147B 75 09 JNZ SHORT unpack.00401486
0040147D C745 FC D470400>MOV DWORD PTR SS:[EBP-4],unpack.004070D4 ; ASCII "The kernel library is invalid!"
00401484 EB 39 JMP SHORT unpack.004014BF
; GetNewSock(0x3E8): the result is stored in [EBP-10] and later called as a function
; pointer; a non-zero result goes to the common exit path with no error set.
00401486 68 E8030000 PUSH 3E8
0040148B FFD0 CALL EAX
0040148D 3BC3 CMP EAX,EBX
0040148F 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00401492 75 2B JNZ SHORT unpack.004014BF
00401494 C745 FC A870400>MOV DWORD PTR SS:[EBP-4],unpack.004070A8 ; ASCII "The inte**ce of kernel library is invalid!"
0040149B EB 22 JMP SHORT unpack.004014BF
; --- Error targets. Each one only stores a message pointer in [EBP-4].
; 0040149D and 004014AF use the same string; 004014AF is reached before any buffer has
; been allocated and therefore skips the buffer release.
0040149D C745 FC 8C70400>MOV DWORD PTR SS:[EBP-4],unpack.0040708C ; ASCII "Invalid data in the file!"
004014A4 EB 19 JMP SHORT unpack.004014BF
004014A6 C745 FC 5C70400>MOV DWORD PTR SS:[EBP-4],unpack.0040705C ; ASCII "Failed to read file or invalid data in file!"
004014AD EB 10 JMP SHORT unpack.004014BF
004014AF C745 FC 8C70400>MOV DWORD PTR SS:[EBP-4],unpack.0040708C ; ASCII "Invalid data in the file!"
004014B6 EB 15 JMP SHORT unpack.004014CD
004014B8 C745 FC 3870400>MOV DWORD PTR SS:[EBP-4],unpack.00407038 ; ASCII "Failed to read data from the file!"
; --- Common exit: release the buffer in [EBP-8] if one is held.
004014BF 395D F8 CMP DWORD PTR SS:[EBP-8],EBX
004014C2 74 09 JE SHORT unpack.004014CD
004014C4 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004014C7 E8 5F1F0000 CALL unpack.0040342B
004014CC 59 POP ECX
; An error pointer in [EBP-4] leads to the message box; otherwise the pointer returned by
; GetNewSock is called.
004014CD 395D FC CMP DWORD PTR SS:[EBP-4],EBX
004014D0 75 13 JNZ SHORT unpack.004014E5
; CALL to the next instruction pushes 004014DA; adding 7B26 turns that stack value into
; 00409000, which is then the single stack argument of CALL EAX. What is stored at
; 00409000 is not shown in this listing.
004014D2 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004014D5 E8 00000000 CALL unpack.004014DA
004014DA 810424 267B0000 ADD DWORD PTR SS:[ESP],7B26
004014E1 FFD0 CALL EAX
004014E3 EB 11 JMP SHORT unpack.004014F6
; MessageBoxA(NULL, [EBP-4], "Error", 0x10 MB_ICONERROR).
004014E5 6A 10 PUSH 10
004014E7 68 30704000 PUSH unpack.00407030 ; ASCII "Error"
004014EC FF75 FC PUSH DWORD PTR SS:[EBP-4]
004014EF 53 PUSH EBX
004014F0 FF15 AC604000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; USER32.MessageBoxA
; Epilogue: restore registers, return 0 and remove the 16 bytes of arguments.
004014F6 5F POP EDI
004014F7 5E POP ESI
004014F8 33C0 XOR EAX,EAX
004014FA 5B POP EBX
004014FB C9 LEAVE
004014FC C2 1000 RETN 10 |