【Title】: Algorithm analysis of the TT86 QQ Zone popularity booster, software edition (TT86刷QQ空间人气软件版)
【Author】: caterpilla(惊涛)
【Software name】: TT86刷QQ空间人气软件版
【Download】: search for it yourself
【Language】: VB
【Platform】: XP, SP2
【Software introduction】: OD (OllyDbg)
【Author's note】: Just out of interest, no other purpose. If I have made mistakes, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
At the request of my friend 香香油油饭, I tried tracing this software and finally worked it out, so I am writing this up.......
1. Checking the packer with PEiD
Actually, by the time I got the software, 香香油油饭 had already unpacked it (heh, my unpacking is weak, so I got a free ride). I only ran PEiD's crypto scan on it and found an MD5 signature.
2. Tracing
Load it in OD. There is no anti-debugging at all, so set a breakpoint on every reference to rtcMsgBox and run it.
After the break, look upward to find where the jump came from, and you find this code.
00422388 > \C785 7CFEFFFF>mov dword ptr [ebp-184], 0
00422392 > C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0042239C . C785 40FFFFFF>mov dword ptr [ebp-C0], 2
004223A6 . 8B85 7CFFFFFF mov eax, [ebp-84] ; registration code
004223AC . 8985 98FEFFFF mov [ebp-168], eax
004223B2 . C785 7CFFFFFF>mov dword ptr [ebp-84], 0
004223BC . 8B8D 98FEFFFF mov ecx, [ebp-168]
004223C2 . 898D 58FFFFFF mov [ebp-A8], ecx
004223C8 . C785 50FFFFFF>mov dword ptr [ebp-B0], 8
004223D2 . 8D95 40FFFFFF lea edx, [ebp-C0]
004223D8 . 52 push edx ; /Arg4
004223D9 . 6A 01 push 1 ; |Arg3 = 00000001
004223DB . 8D85 50FFFFFF lea eax, [ebp-B0] ; |
004223E1 . 50 push eax ; |Arg2
004223E2 . 8D8D 30FFFFFF lea ecx, [ebp-D0] ; |
004223E8 . 51 push ecx ; |Arg1
004223E9 . FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar // take the first five characters
004223EF . 8D95 30FFFFFF lea edx, [ebp-D0]
004223F5 . 8D4D B0 lea ecx, [ebp-50]
004223F8 . FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
004223FE . 8D8D 64FFFFFF lea ecx, [ebp-9C]
00422404 . FF15 0C124000 call [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
0042240A . 8D95 40FFFFFF lea edx, [ebp-C0]
00422410 . 52 push edx
00422411 . 8D85 50FFFFFF lea eax, [ebp-B0]
00422417 . 50 push eax
00422418 . 6A 02 push 2
0042241A . FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00422420 . 83C4 0C add esp, 0C
00422423 . C745 FC 04000>mov dword ptr [ebp-4], 4
0042242A . 8B4D 08 mov ecx, [ebp+8]
0042242D . 8B11 mov edx, [ecx]
0042242F . 8B45 08 mov eax, [ebp+8]
00422432 . 50 push eax
00422433 . FF92 FC020000 call [edx+2FC]
00422439 . 50 push eax ; /Arg2
0042243A . 8D8D 64FFFFFF lea ecx, [ebp-9C] ; |
00422440 . 51 push ecx ; |Arg1
00422441 . FF15 88104000 call [<&msvbvm60.__vbaObjSet>] ; \__vbaObjSet
00422447 . 8985 DCFEFFFF mov [ebp-124], eax
0042244D . 8D95 7CFFFFFF lea edx, [ebp-84]
00422453 . 52 push edx
00422454 . 8B85 DCFEFFFF mov eax, [ebp-124]
0042245A . 8B08 mov ecx, [eax]
0042245C . 8B95 DCFEFFFF mov edx, [ebp-124]
00422462 . 52 push edx
00422463 . FF91 A0000000 call [ecx+A0]
00422469 . DBE2 fclex
0042246B . 8985 D8FEFFFF mov [ebp-128], eax
00422471 . 83BD D8FEFFFF>cmp dword ptr [ebp-128], 0
00422478 . 7D 26 jge short 004224A0
0042247A . 68 A0000000 push 0A0 ; /Arg4 = 000000A0
0042247F . 68 54874000 push 00408754 ; |Arg3 = 00408754
00422484 . 8B85 DCFEFFFF mov eax, [ebp-124] ; |
0042248A . 50 push eax ; |Arg2
0042248B . 8B8D D8FEFFFF mov ecx, [ebp-128] ; |
00422491 . 51 push ecx ; |Arg1
00422492 . FF15 70104000 call [<&msvbvm60.__vbaHresultCheckObj>; \__vbaHresultCheckObj
00422498 . 8985 78FEFFFF mov [ebp-188], eax
0042249E . EB 0A jmp short 004224AA
004224A0 > C785 78FEFFFF>mov dword ptr [ebp-188], 0
004224AA > C785 48FFFFFF>mov dword ptr [ebp-B8], 1
004224B4 . C785 40FFFFFF>mov dword ptr [ebp-C0], 2
004224BE . 8B95 7CFFFFFF mov edx, [ebp-84]
004224C4 . 8995 94FEFFFF mov [ebp-16C], edx
004224CA . C785 7CFFFFFF>mov dword ptr [ebp-84], 0
004224D4 . 8B85 94FEFFFF mov eax, [ebp-16C]
004224DA . 8985 58FFFFFF mov [ebp-A8], eax
004224E0 . C785 50FFFFFF>mov dword ptr [ebp-B0], 8
004224EA . 8D8D 40FFFFFF lea ecx, [ebp-C0]
004224F0 . 51 push ecx ; /Arg4
004224F1 . 6A 12 push 12 ; |Arg3 = 00000012
004224F3 . 8D95 50FFFFFF lea edx, [ebp-B0] ; |
004224F9 . 52 push edx ; |Arg2
004224FA . 8D85 30FFFFFF lea eax, [ebp-D0] ; |
00422500 . 50 push eax ; |Arg1
00422501 . FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar // take character 18
00422507 . 8D95 30FFFFFF lea edx, [ebp-D0]
0042250D . 8D4D A0 lea ecx, [ebp-60]
00422510 . FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
00422516 . 8D8D 64FFFFFF lea ecx, [ebp-9C]
0042251C . FF15 0C124000 call [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00422522 . 8D8D 40FFFFFF lea ecx, [ebp-C0]
00422528 . 51 push ecx
00422529 . 8D95 50FFFFFF lea edx, [ebp-B0]
0042252F . 52 push edx
00422530 . 6A 02 push 2
00422532 . FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00422538 . 83C4 0C add esp, 0C
0042253B . C745 FC 05000>mov dword ptr [ebp-4], 5
00422542 . C785 18FFFFFF>mov dword ptr [ebp-E8], 00409240 ; UNICODE "TT86-"
0042254C . C785 10FFFFFF>mov dword ptr [ebp-F0], 8008
00422556 . C785 08FFFFFF>mov dword ptr [ebp-F8], 00409250
00422560 . C785 00FFFFFF>mov dword ptr [ebp-100], 8008
0042256A . 8D45 B0 lea eax, [ebp-50]
0042256D . 50 push eax ; /Arg3
0042256E . 8D8D 10FFFFFF lea ecx, [ebp-F0] ; |
00422574 . 51 push ecx ; |Arg2
00422575 . 8D95 50FFFFFF lea edx, [ebp-B0] ; |
0042257B . 52 push edx ; |Arg1
0042257C . FF15 60104000 call [<&msvbvm60.__vbaVarCmpNe>] ; \__vbaVarCmpNe // first five characters must equal TT86-
00422582 . 50 push eax
00422583 . 8D45 A0 lea eax, [ebp-60]
00422586 . 50 push eax ; /Arg3
00422587 . 8D8D 00FFFFFF lea ecx, [ebp-100] ; |
0042258D . 51 push ecx ; |Arg2
0042258E . 8D95 40FFFFFF lea edx, [ebp-C0] ; |
00422594 . 52 push edx ; |Arg1
00422595 . FF15 60104000 call [<&msvbvm60.__vbaVarCmpNe>] ; \__vbaVarCmpNe // last character must equal -
0042259B . 50 push eax
0042259C . 8D85 30FFFFFF lea eax, [ebp-D0]
004225A2 . 50 push eax
004225A3 . FF15 F8104000 call [<&msvbvm60.__vbaVarOr>] ; msvbvm60.__vbaVarOr
004225A9 . 50 push eax ; /Arg1
004225AA . FF15 AC104000 call [<&msvbvm60.__vbaBoolVarNull>] ; \__vbaBoolVarNull
004225B0 . 0FBFC8 movsx ecx, ax
004225B3 . 85C9 test ecx, ecx
004225B5 . 0F84 B9000000 je 00422674
From this analysis we know the registration code is 18 characters long: the first five are the fixed value TT86- and the last one is -.
Following this rule, enter an 18-character code with any 12 characters in the middle, for example TT86-0123456789AB-, click Register, trace in OD, and you find the following.
004226F1 > \C785 74FEFFFF>mov dword ptr [ebp-18C], 0
004226FB > 8B95 7CFFFFFF mov edx, [ebp-84]
00422701 . 8995 90FEFFFF mov [ebp-170], edx
00422707 . C785 7CFFFFFF>mov dword ptr [ebp-84], 0
00422711 . 8B95 90FEFFFF mov edx, [ebp-170]
00422717 . 8D8D 78FFFFFF lea ecx, [ebp-88]
0042271D . FF15 F4114000 call [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00422723 . 8D85 78FFFFFF lea eax, [ebp-88]
00422729 . 50 push eax
0042272A . E8 A1F80000 call 00431FD0 // MD5-transform the QQ number read above
0042272F . 8985 58FFFFFF mov [ebp-A8], eax
00422735 . C785 50FFFFFF>mov dword ptr [ebp-B0], 8
0042273F . 8D95 50FFFFFF lea edx, [ebp-B0]
Below that comes a long series of rtcMidCharVar operations, i.e. substring extraction, equivalent to Mid in VB or MidStr in Delphi.
00422787 . 51 push ecx ; /Arg4
00422788 . 6A 02 push 2 ; |Arg3 = 00000002
0042278A . 8D55 90 lea edx, [ebp-70] ; |
0042278D . 52 push edx ; |Arg2
0042278E . 8D85 40FFFFFF lea eax, [ebp-C0] ; |
00422794 . 50 push eax ; |Arg1
00422795 . FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
0042279B . C785 DCFEFFFF>mov dword ptr [ebp-124], 1
004227A5 . 83BD DCFEFFFF>cmp dword ptr [ebp-124], 0D
004227AC . 73 0C jnb short 004227BA
004227AE . C785 70FEFFFF>mov dword ptr [ebp-190], 0
004227B8 . EB 0C jmp short 004227C6
004227BA > FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
004227C0 . 8985 70FEFFFF mov [ebp-190], eax
004227C6 > 8D95 40FFFFFF lea edx, [ebp-C0]
004227CC . 8B8D DCFEFFFF mov ecx, [ebp-124]
004227D2 . C1E1 04 shl ecx, 4
004227D5 . 8B45 08 mov eax, [ebp+8]
004227D8 . 8B40 44 mov eax, [eax+44]
004227DB . 03C8 add ecx, eax
004227DD . FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
004227E3 . 8D8D 40FFFFFF lea ecx, [ebp-C0]
004227E9 . 51 push ecx
004227EA . 8D95 50FFFFFF lea edx, [ebp-B0]
004227F0 . 52 push edx
004227F1 . 6A 02 push 2
004227F3 . FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004227F9 . 83C4 0C add esp, 0C
004227FC . C745 FC 0A000>mov dword ptr [ebp-4], 0A
00422803 . C785 58FFFFFF>mov dword ptr [ebp-A8], 1
0042280D . C785 50FFFFFF>mov dword ptr [ebp-B0], 2
00422817 . 8D85 50FFFFFF lea eax, [ebp-B0]
0042281D . 50 push eax ; /Arg4
0042281E . 6A 05 push 5 ; |Arg3 = 00000005
00422820 . 8D4D 90 lea ecx, [ebp-70] ; |
00422823 . 51 push ecx ; |Arg2
00422824 . 8D95 40FFFFFF lea edx, [ebp-C0] ; |
0042282A . 52 push edx ; |Arg1
0042282B . FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
00422831 . C785 DCFEFFFF>mov dword ptr [ebp-124], 2
0042283B . 83BD DCFEFFFF>cmp dword ptr [ebp-124], 0D
00422842 . 73 0C jnb short 00422850
00422844 . C785 6CFEFFFF>mov dword ptr [ebp-194], 0
0042284E . EB 0C jmp short 0042285C
00422850 > FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
00422856 . 8985 6CFEFFFF mov [ebp-194], eax
0042285C > 8D95 40FFFFFF lea edx, [ebp-C0]
00422862 . 8B85 DCFEFFFF mov eax, [ebp-124]
00422868 . C1E0 04 shl eax, 4
0042286B . 8B4D 08 mov ecx, [ebp+8]
0042286E . 8B49 44 mov ecx, [ecx+44]
00422871 . 03C8 add ecx, eax
00422873 . FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
00422879 . 8D95 40FFFFFF lea edx, [ebp-C0]
0042287F . 52 push edx
00422880 . 8D85 50FFFFFF lea eax, [ebp-B0]
00422886 . 50 push eax
00422887 . 6A 02 push 2
00422889 . FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
0042288F . 83C4 0C add esp, 0C
00422892 . C745 FC 0B000>mov dword ptr [ebp-4], 0B
00422899 . C785 58FFFFFF>mov dword ptr [ebp-A8], 1
004228A3 . C785 50FFFFFF>mov dword ptr [ebp-B0], 2
004228AD . 8D8D 50FFFFFF lea ecx, [ebp-B0]
004228B3 . 51 push ecx ; /Arg4
004228B4 . 6A 08 push 8 ; |Arg3 = 00000008
004228B6 . 8D55 90 lea edx, [ebp-70] ; |
004228B9 . 52 push edx ; |Arg2
004228BA . 8D85 40FFFFFF lea eax, [ebp-C0] ; |
004228C0 . 50 push eax ; |Arg1
004228C1 . FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
004228C7 . C785 DCFEFFFF>mov dword ptr [ebp-124], 3
004228D1 . 83BD DCFEFFFF>cmp dword ptr [ebp-124], 0D
004228D8 . 73 0C jnb short 004228E6
004228DA . C785 68FEFFFF>mov dword ptr [ebp-198], 0
004228E4 . EB 0C jmp short 004228F2
004228E6 > FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
004228EC . 8985 68FEFFFF mov [ebp-198], eax
004228F2 > 8D95 40FFFFFF lea edx, [ebp-C0]
004228F8 . 8B8D DCFEFFFF mov ecx, [ebp-124]
004228FE . C1E1 04 shl ecx, 4
00422901 . 8B45 08 mov eax, [ebp+8]
00422904 . 8B40 44 mov eax, [eax+44]
00422907 . 03C8 add ecx, eax
00422909 . FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
0042290F . 8D8D 40FFFFFF lea ecx, [ebp-C0]
00422915 . 51 push ecx
00422916 . 8D95 50FFFFFF lea edx, [ebp-B0]
0042291C . 52 push edx
0042291D . 6A 02 push 2
0042291F . FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00422925 . 83C4 0C add esp, 0C
00422928 . C745 FC 0C000>mov dword ptr [ebp-4], 0C
0042292F . C785 58FFFFFF>mov dword ptr [ebp-A8], 1
00422939 . C785 50FFFFFF>mov dword ptr [ebp-B0], 2
00422943 . 8D85 50FFFFFF lea eax, [ebp-B0]
......
Many substring operations are omitted here. Each one takes a single character; only the starting position differs. As long as you note the starting position and which string is being cut while tracing, there is no problem, because sometimes it takes from the MD5-transformed string and sometimes from the original string (the author is fairly sneaky, heh; most people would assume it only takes from the MD5 string.......).
These characters total 12, which is exactly the middle part to be filled in; call it B, so the final registration code has the form TT86-B-.
Algorithm summary:
Rule for generating the middle string:
Start positions 2,5,8,A,D,E: from the MD5 string
Start position 2: from the original string, i.e. the QQ number
Start positions 15,17,19,1E: from the MD5 string
Start position 5: from the original string
Concatenate the 12 characters into one string and add the head and tail, and that's it, heh.
Below are the keygen and the original program.
--------------------------------------------------------------------------------
2006年07月17日 16:27:39
[ This post was last edited by caterpilla on 2006-7-18 10:29 ]