- UID
- 33462
注册时间2007-8-6
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 无聊
2018-8-23 00:04 |
|---|
签到天数: 2 天 [LV.1]初来乍到
|
本帖最后由 月之精灵 于 2010-6-2 19:11 编辑
【破文标题】中华灯谜算法分析
【文章作者】: 天下
【软件名称】: 中华灯谜
【加壳方式】: aspack
【使用工具】: OD keymake
【作者声明】: 失误之处敬请诸位大侠赐教!
========================================
程序载入后,脱壳。。。。来到
======================================================
0054EE9A |. E8 4584EBFF CALL <JMP.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
0054EE9F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0054EEA2 |. 8D95 7BFFFFFF LEA EDX,DWORD PTR SS:[EBP-85]
0054EEA8 |. B9 81000000 MOV ECX,81
0054EEAD |. E8 665DEBFF CALL dumped_.00404C18
0054EEB2 |. 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0054EEB8 |. 8B83 C8030000 MOV EAX,DWORD PTR DS:[EBX+3C8]
0054EEBE |. E8 C58CEFFF CALL dumped_.00447B88
0054EEC3 |. 83BD 74FFFFFF 00 CMP DWORD PTR SS:[EBP-8C],0 ; 检测注册码是否为空
0054EECA |. 74 1A JE SHORT dumped_.0054EEE6
0054EECC |. 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0054EED2 |. 8B83 C0030000 MOV EAX,DWORD PTR DS:[EBX+3C0]
0054EED8 |. E8 AB8CEFFF CALL dumped_.00447B88
0054EEDD |. 83BD 70FFFFFF 00 CMP DWORD PTR SS:[EBP-90],0 ; 检测订单号是否为空
0054EEE4 |. 75 0F JNZ SHORT dumped_.0054EEF5
0054EEE6 |> B8 D4F05400 MOV EAX,dumped_.0054F0D4 ; 注册信息没有填写齐全
0054EEEB |. E8 8C1EEFFF CALL dumped_.00440D7C
0054EEF0 |. E9 51010000 JMP dumped_.0054F046
0054EEF5 |> 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0054EEFB |. 8B83 C8030000 MOV EAX,DWORD PTR DS:[EBX+3C8]
0054EF01 |. E8 828CEFFF CALL dumped_.00447B88
0054EF06 |. 8B85 6CFFFFFF MOV EAX,DWORD PTR SS:[EBP-94] ; 假码入EAX
0054EF0C |. 50 PUSH EAX
0054EF0D |. 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
0054EF13 |. 8B83 C0030000 MOV EAX,DWORD PTR DS:[EBX+3C0]
0054EF19 |. E8 6A8CEFFF CALL dumped_.00447B88
0054EF1E |. 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C] ; 获取定单号
0054EF24 |. E8 DBA6EBFF CALL dumped_.00409604 ; 123456
0054EF29 |. B9 3A000000 MOV ECX,3A
0054EF2E |. 99 CDQ ; edx 清0
0054EF2F |. F7F9 IDIV ECX ; EAX=123456除3A 取商给 eax, 余数EDX
0054EF31 |. 8BC2 MOV EAX,EDX
0054EF33 |. 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
0054EF39 |. E8 62A6EBFF CALL dumped_.004095A0 ; ???????
0054EF3E |. 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0054EF44 |. 50 PUSH EAX
0054EF45 |. 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
0054EF4B |. 8B83 C0030000 MOV EAX,DWORD PTR DS:[EBX+3C0]
0054EF51 |. E8 328CEFFF CALL dumped_.00447B88
0054EF56 |. 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
0054EF5C |. E8 A3A6EBFF CALL dumped_.00409604
0054EF61 |. 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0054EF67 |. E8 80DCFFFF CALL dumped_.0054CBEC ; ================
0054EF6C |. 8B85 5CFFFFFF MOV EAX,DWORD PTR SS:[EBP-A4]
0054EF72 |. E8 8DA6EBFF CALL dumped_.00409604
0054EF77 |. 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0054EF7D |. E8 4ADDFFFF CALL dumped_.0054CCCC ; 出注册码
0054EF82 |. 8B95 60FFFFFF MOV EDX,DWORD PTR SS:[EBP-A0]
0054EF88 |. 58 POP EAX
0054EF89 |. E8 E25CEBFF CALL dumped_.00404C70
0054EF8E |. 8B95 68FFFFFF MOV EDX,DWORD PTR SS:[EBP-98]
0054EF94 |. 58 POP EAX
0054EF95 |. E8 125EEBFF CALL dumped_.00404DAC ; 做内存注册机
0054EF9A |. 0F85 8F000000 JNZ dumped_.0054F02F
0054EFA0 |. B8 F4F05400 MOV EAX,dumped_.0054F0F4 ; 注册成功,谢谢你的注册!
0054EFA5 |. E8 D21DEFFF CALL dumped_.00440D7C
0054EFAA |. BA 18F15400 MOV EDX,dumped_.0054F118 ; 本软件已注册
=====================================================================================================================
00409604 /$ 53 PUSH EBX
00409605 |. 56 PUSH ESI
00409606 |. 83C4 F4 ADD ESP,-0C
00409609 |. 8BD8 MOV EBX,EAX
0040960B |. 8BD4 MOV EDX,ESP
0040960D |. 8BC3 MOV EAX,EBX
0040960F |. E8 509DFFFF CALL dumped_.00403364 ; 订单号的算法
00409614 |. 8BF0 MOV ESI,EAX
00409616 |. 833C24 00 CMP DWORD PTR SS:[ESP],0
0040961A |. 74 19 JE SHORT dumped_.00409635
0040961C |. 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00409620 |. C64424 08 0B MOV BYTE PTR SS:[ESP+8],0B
00409625 |. 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
======================================================================================================================
00403377 |> /8A1E /MOV BL,BYTE PTR DS:[ESI] ; 取第1位
00403379 |. |46 |INC ESI
0040337A |. |80FB 20 |CMP BL,20 ; 和空格比较
0040337D |.^\74 F8 \JE SHORT dumped_.00403377
0040337F |. B5 00 MOV CH,0
00403381 |. 80FB 2D CMP BL,2D ; 和-比较
00403384 |. 74 62 JE SHORT dumped_.004033E8
00403386 |. 80FB 2B CMP BL,2B ; +
00403389 |. 74 5F JE SHORT dumped_.004033EA
0040338B |. 80FB 24 CMP BL,24 ; $
0040338E |. 74 5F JE SHORT dumped_.004033EF
00403390 |. 80FB 78 CMP BL,78 ; x
00403393 |. 74 5A JE SHORT dumped_.004033EF
00403395 |. 80FB 58 CMP BL,58 ; X
00403398 |. 74 55 JE SHORT dumped_.004033EF
0040339A |. 80FB 30 CMP BL,30 ; 0
0040339D |. 75 13 JNZ SHORT dumped_.004033B2
0040339F |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004033A1 |. 46 INC ESI
004033A2 |. 80FB 78 CMP BL,78
004033A5 |. 74 48 JE SHORT dumped_.004033EF
004033A7 |. 80FB 58 CMP BL,58
004033AA |. 74 43 JE SHORT dumped_.004033EF
004033AC |. 84DB TEST BL,BL
004033AE |. 74 20 JE SHORT dumped_.004033D0
004033B0 |. EB 04 JMP SHORT dumped_.004033B6
004033B2 |> 84DB TEST BL,BL
004033B4 |. 74 2D JE SHORT dumped_.004033E3
004033B6 |> 80EB 30 /SUB BL,30
004033B9 |. 80FB 09 |CMP BL,9
004033BC |. 77 25 |JA SHORT dumped_.004033E3
004033BE |. 39F8 |CMP EAX,EDI
004033C0 |. 77 21 |JA SHORT dumped_.004033E3
004033C2 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; EAX*5
004033C5 |. 01C0 |ADD EAX,EAX ; eax+eax
004033C7 |. 01D8 |ADD EAX,EBX ; EAX=eax+ebx
004033C9 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
004033CB |. 46 |INC ESI
004033CC |. 84DB |TEST BL,BL
004033CE |.^ 75 E6 \JNZ SHORT dumped_.004033B6
=============================================================================================================
上面是订单号的算法 每位*10 再相加
================================================================================================================
0040A07E |> /31D2 /XOR EDX,EDX
0040A080 |. |F7F1 |DIV ECX
0040A082 |. |80C2 30 |ADD DL,30
0040A085 |. |80FA 3A |CMP DL,3A
0040A088 |. |72 03 |JB SHORT dumped_.0040A08D
0040A08A |. |80C2 07 |ADD DL,7
0040A08D |> |4E |DEC ESI
0040A08E |. |8816 |MOV BYTE PTR DS:[ESI],DL
0040A090 |. |09C0 |OR EAX,EAX
0040A092 |.^\75 EA \JNZ SHORT dumped_.0040A07E
算出前几位
==============================================================
0054CC06 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0054CC09 |. 81F3 F1250B00 XOR EBX,0B25F1 ; 123456 xor 0B25F1=706481
0054CC0F |. 8BC3 MOV EAX,EBX
0054CC11 |. 33D2 XOR EDX,EDX
0054CC13 |. 52 PUSH EDX ; /Arg2 => 00000000
0054CC14 |. 50 PUSH EAX ; |Arg1
0054CC15 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |
0054CC18 |. E8 B3C9EBFF CALL dumped_.004095D0 ; \dumped_.004095D0
0054CC1D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054CC20 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; 取十进制第一个数ASCI37 ('7')
0054CC23 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CC26 |. 0FB652 01 MOVZX EDX,BYTE PTR DS:[EDX+1] ; 取十进制第二个数ASCI30 ('0')
0054CC2A |. 03C2 ADD EAX,EDX ; EAX+EDX
0054CC2C |. B9 05000000 MOV ECX,5
0054CC31 |. 99 CDQ ; EDX清0
0054CC32 |. F7F9 IDIV ECX ; EAX%ECX
0054CC34 |. 80C2 34 ADD DL,34 ; 余数+34
0054CC37 |. 8855 F8 MOV BYTE PTR SS:[EBP-8],DL ; 37 (‘7’) ===[[ebp-8]
0054CC3A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054CC3D |. 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2] ; 取十进制第三个数ASCI36 ('6')
0054CC41 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CC44 |. 0FB652 03 MOVZX EDX,BYTE PTR DS:[EDX+3] ; 取十进制第4个数ASCI34 ('4')
0054CC48 |. 03C2 ADD EAX,EDX ; EAX+EDX
0054CC4A |. B9 05000000 MOV ECX,5 ; ECX=5
0054CC4F |. 99 CDQ ; EDX清0
0054CC50 |. F7F9 IDIV ECX ; EAX/ECX
0054CC52 |. 8BDA MOV EBX,EDX
0054CC54 |. 80C3 33 ADD BL,33 ; 余数+33
0054CC57 |. 885D F9 MOV BYTE PTR SS:[EBP-7],BL ; 34 (‘4’)
0054CC5A |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0054CC5D |. 8A55 F8 MOV DL,BYTE PTR SS:[EBP-8]
0054CC60 |. E8 2B7FEBFF CALL dumped_.00404B90
0054CC65 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0054CC68 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0054CC6B |. B9 1B000000 MOV ECX,1B ; ECX=1B
=======================================================================================================
0054CCEB |. 81F3 8776FBDD XOR EBX,DDFB7687 ; 0436016E(ebx) xor DDFB7687
0054CCF1 |. 8BC3 MOV EAX,EBX
0054CCF3 |. 33D2 XOR EDX,EDX
0054CCF5 |. 52 PUSH EDX ; /Arg2 => 00000000
0054CCF6 |. 50 PUSH EAX ; |Arg1
0054CCF7 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |
0054CCFA |. E8 D1C8EBFF CALL dumped_.004095D0 ; \dumped_.004095D0
0054CCFF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 3654121449 =0436016E(ebx) xor DDFB7687
0054CD02 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; 取第一位 33(3)
0054CD05 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CD08 |. 0FB652 01 MOVZX EDX,BYTE PTR DS:[EDX+1] ; 取第二位 36 6
0054CD0C |. 03C2 ADD EAX,EDX ; EAX+EDX=69
0054CD0E |. B9 05000000 MOV ECX,5 ; ECX=5
0054CD13 |. 99 CDQ ; edx 清0
0054CD14 |. F7F9 IDIV ECX ; EAX/ECX
0054CD16 |. 80C2 66 ADD DL,66
0054CD19 |. 8855 F8 MOV BYTE PTR SS:[EBP-8],DL ; 66 f
0054CD1C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054CD1F |. 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2] ; 取第3位 35 5
0054CD23 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CD26 |. 0FB652 03 MOVZX EDX,BYTE PTR DS:[EDX+3] ; 取第4位
0054CD2A |. 03C2 ADD EAX,EDX ; eax+edx
0054CD2C |. B9 05000000 MOV ECX,5
0054CD31 |. 99 CDQ
0054CD32 |. F7F9 IDIV ECX
0054CD34 |. 80C2 75 ADD DL,75
0054CD37 |. 8855 F9 MOV BYTE PTR SS:[EBP-7],DL ; 75 u
0054CD3A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054CD3D |. 0FB640 04 MOVZX EAX,BYTE PTR DS:[EAX+4] ; 第5位 31 1
0054CD41 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CD44 |. 0FB652 05 MOVZX EDX,BYTE PTR DS:[EDX+5] ; 第6位 32 2
0054CD48 |. 03C2 ADD EAX,EDX ; EAX+EDX
0054CD4A |. B9 05000000 MOV ECX,5
0054CD4F |. 99 CDQ
0054CD50 |. F7F9 IDIV ECX
0054CD52 |. 80C2 7A ADD DL,7A
0054CD55 |. 8855 FA MOV BYTE PTR SS:[EBP-6],DL ; 7E ~
0054CD58 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0054CD5B |. 0FB640 06 MOVZX EAX,BYTE PTR DS:[EAX+6] ; 第7位 31 1
0054CD5F |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CD62 |. 0FB652 07 MOVZX EDX,BYTE PTR DS:[EDX+7] ; 第8位 34 4
0054CD66 |. 03C2 ADD EAX,EDX ; EAX+EDX
0054CD68 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054CD6B |. 0FB652 08 MOVZX EDX,BYTE PTR DS:[EDX+8] ; 第9位 34 4
0054CD6F |. 03C2 ADD EAX,EDX ; EAX+EDX
0054CD71 |. B9 05000000 MOV ECX,5
0054CD76 |. 99 CDQ
0054CD77 |. F7F9 IDIV ECX
0054CD79 |. 80C2 69 ADD DL,69
0054CD7C |. 8855 FB MOV BYTE PTR SS:[EBP-5],DL ; 6C l
0054CD7F |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0054CD82 |. 8A55 F8 MOV DL,BYTE PTR SS:[EBP-8] ; f
0054CD85 |. E8 067EEBFF CALL dumped_.00404B90
0054CD8A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0054CD8D |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0054CD90 |. B9 07000000 MOV ECX,7
0054CD95 |. E8 AE81EBFF CALL dumped_.00404F48
0054CD9A |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0054CD9D |. 8A55 FB MOV DL,BYTE PTR SS:[EBP-5] ; l
0054CDA0 |. E8 EB7DEBFF CALL dumped_.00404B90
0054CDA5 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0054CDA8 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0054CDAB |. B9 03000000 MOV ECX,3
0054CDB0 |. E8 9381EBFF CALL dumped_.00404F48
0054CDB5 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0054CDB8 |. 8A55 F9 MOV DL,BYTE PTR SS:[EBP-7] ; u
0054CDBB |. E8 D07DEBFF CALL dumped_.00404B90
0054CDC0 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0054CDC3 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0054CDC6 |. B9 05000000 MOV ECX,5
0054CDCB |. E8 7881EBFF CALL dumped_.00404F48
0054CDD0 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0054CDD3 |. 8A55 FA MOV DL,BYTE PTR SS:[EBP-6] ; ~
========================================================================
算出注册码
===========================
0054EFF8 |. 50 PUSH EAX
0054EFF9 |. B9 44F15400 MOV ECX,dumped_.0054F144 ; sepop
0054EFFE |. BA 54F15400 MOV EDX,dumped_.0054F154 ; syssetup
0054F003 |. 8BC6 MOV EAX,ESI
0054F005 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
0054F007 |. FF53 04 CALL DWORD PTR DS:[EBX+4]
0054F00A |. 8D85 4CFFFFFF LEA EAX,DWORD PTR SS:[EBP-B4]
0054F010 |. B9 30F15400 MOV ECX,dumped_.0054F130 ; \dC0n.dll
0054F015 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054F018 |. E8 975CEBFF CALL dumped_.00404CB4
0054F01D |. 8B85 4CFFFFFF MOV EAX,DWORD PTR SS:[EBP-B4]
注册成功后,信息写入
"C:\WINDOWS\system32\dC0n.dll")
不会编程,只能简单分析下。。。。
================================
最后附一个内存注册机
中华灯谜内存注册机.rar
(14.17 KB, 下载次数: 0)
[/hide] |
|
IP卡
发表于 2010-6-2 19:03:51
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2011-1-13 15:31:54