Posted by 以武会友 (thread starter) on 2007-1-14 19:52:18
Longwen Shuruting (龙文输入通) 3.03 registration analysis
Original article dated 2006-4-26 15:46:00
Today on 001 I saw a method for setting a breakpoint in an input method; it is very handy, so I got to work right away.
First load Notepad in Ollydbg, switch the input method to Longwen, and go to the registration dialog. Then return to the Ollydbg window, find the lwsrf.ime module, enter it, and search in that module for the name "CharUpperA".
Page up to find the algorithm section.
;take group 1 of the machine code: x << 5 (= 32x), low word stored back to [EBP]
10024B96 66:8B45 00 MOV AX,WORD PTR SS:[EBP]
10024B9A C1E0 05 SHL EAX,5
10024B9D 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024BA1 66:8945 00 MOV WORD PTR SS:[EBP],AX
10024BA5 33C0 XOR EAX,EAX
;take group 2 of the machine code: 9x << 2 (= 36x), low word stored back to [EBP+2]
10024BA7 66:8B45 02 MOV AX,WORD PTR SS:[EBP+2]
10024BAB 8D04C0 LEA EAX,DWORD PTR DS:[EAX+EAX*8]
10024BAE C1E0 02 SHL EAX,2
10024BB1 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024BB5 66:8945 02 MOV WORD PTR SS:[EBP+2],AX
10024BB9 33C0 XOR EAX,EAX
;take group 3 of the machine code: (x + 2*5x) * 5 (= 55x)
10024BBB 66:8B45 04 MOV AX,WORD PTR SS:[EBP+4]
10024BBF 8D0C80 LEA ECX,DWORD PTR DS:[EAX+EAX*4]
10024BC2 8D0448 LEA EAX,DWORD PTR DS:[EAX+ECX*2]
10024BC5 33C9 XOR ECX,ECX
10024BC7 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
10024BCA 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
;take group 4 of the machine code: (16x + x) << 1 (= 34x); the group 3 low word is stored to [EBP+4] here, then EDX = 17 * (low word of the group 4 result)
10024BCE 66:8B4D 06 MOV CX,WORD PTR SS:[EBP+6]
10024BD2 66:8945 04 MOV WORD PTR SS:[EBP+4],AX
10024BD6 8BC1 MOV EAX,ECX
10024BD8 C1E0 04 SHL EAX,4
10024BDB 03C1 ADD EAX,ECX
10024BDD D1E0 SHL EAX,1
10024BDF 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024BE3 66:8945 06 MOV WORD PTR SS:[EBP+6],AX
10024BE7 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
10024BEB 25 FFFF0000 AND EAX,0FFFF
10024BF0 8BD0 MOV EDX,EAX
10024BF2 C1E2 04 SHL EDX,4
10024BF5 03D0 ADD EDX,EAX
10024BF7 33C0 XOR EAX,EAX
;take group 5 of the machine code: 3*(24x - x) (= 69x), plus 2*EDX from group 4
10024BF9 66:8B45 08 MOV AX,WORD PTR SS:[EBP+8]
10024BFD 8D0C40 LEA ECX,DWORD PTR DS:[EAX+EAX*2]
10024C00 C1E1 03 SHL ECX,3
10024C03 2BC8 SUB ECX,EAX
10024C05 8D0449 LEA EAX,DWORD PTR DS:[ECX+ECX*2]
10024C08 8D0450 LEA EAX,DWORD PTR DS:[EAX+EDX*2]
10024C0B 33D2 XOR EDX,EDX
10024C0D 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024C11 66:8945 08 MOV WORD PTR SS:[EBP+8],AX
10024C15 33C0 XOR EAX,EAX
;take group 6 of the machine code: x + 4*9x (= 37x)
10024C17 66:8B45 0A MOV AX,WORD PTR SS:[EBP+A]
10024C1B 8D0CC0 LEA ECX,DWORD PTR DS:[EAX+EAX*8]
10024C1E 8D0488 LEA EAX,DWORD PTR DS:[EAX+ECX*4]
10024C21 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024C25 66:8945 0A MOV WORD PTR SS:[EBP+A],AX
;combine the group 6 result with group 4 (note: DX is loaded from [EBP], the stored group 1 word): (low word * 33) + 2*DX, stored to [EBP+A]
10024C29 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
10024C2D 66:8B55 00 MOV DX,WORD PTR SS:[EBP]
10024C31 25 FFFF0000 AND EAX,0FFFF
10024C36 8BC8 MOV ECX,EAX
10024C38 C1E1 05 SHL ECX,5
10024C3B 03C8 ADD ECX,EAX
10024C3D 8D0451 LEA EAX,DWORD PTR DS:[ECX+EDX*2]
10024C40 33D2 XOR EDX,EDX
10024C42 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024C46 66:8B55 04 MOV DX,WORD PTR SS:[EBP+4]
10024C4A 66:8945 0A MOV WORD PTR SS:[EBP+A],AX
10024C4E 33C0 XOR EAX,EAX
;combine the group 5 result with group 3: [EBP+8] + 2*[EBP+4], stored to [EBP+8]
10024C50 66:8B45 08 MOV AX,WORD PTR SS:[EBP+8]
10024C54 8D0450 LEA EAX,DWORD PTR DS:[EAX+EDX*2]
10024C57 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024C5B 66:8945 08 MOV WORD PTR SS:[EBP+8],AX
10024C5F 399C24 80000000 CMP DWORD PTR SS:[ESP+80],EBX
10024C66 0F84 16010000 JE lwsrf.10024D82
;-----------------------------------------------------------
10024EB4 C705 E0600510 3>MOV DWORD PTR DS:[100560E0],1234
10024EBE FF15 58930410 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; USER32.CharUpperA ;convert the registration code to upper case
;-----------------------------------------------------------
;apply one transform to the registration code: add 34h to each 16-bit word, ESI counts the words
10024F3D 33C0 XOR EAX,EAX
10024F3F 66:8B01 MOV AX,WORD PTR DS:[ECX]
10024F42 83C1 02 ADD ECX,2
10024F45 83C0 34 ADD EAX,34
10024F48 4E DEC ESI
10024F49 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
10024F4D 66:8941 FE MOV WORD PTR DS:[ECX-2],AX
10024F51 ^ 75 EA JNZ SHORT lwsrf.10024F3D
10024F53 B9 09000000 MOV ECX,9
10024F58 8BFA MOV EDI,EDX
10024F5A 8D7424 54 LEA ESI,DWORD PTR SS:[ESP+54]
10024F5E 33C0 XOR EAX,EAX
;compare the first two groups of the registration code (9 bytes); they should be equal
10024F60 F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
10024F62 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
10024F66 74 22 JE SHORT lwsrf.10024F8A
;-----------------------------------------------------------
;accumulate the registration code: NOT each word in place, then add it to the running sum in EBX
10024FB0 66:8B444D 00 MOV AX,WORD PTR SS:[EBP+ECX*2]
10024FB5 66:F7D0 NOT AX
10024FB8 66:89444D 00 MOV WORD PTR SS:[EBP+ECX*2],AX
10024FBD 25 FFFF0000 AND EAX,0FFFF
10024FC2 03D8 ADD EBX,EAX
10024FC4 83F9 03 CMP ECX,3
10024FC7 75 03 JNZ SHORT lwsrf.10024FCC
;the fourth group (ECX==3) gets one extra step: its value *2 is added to the running sum
10024FC9 8D1C43 LEA EBX,DWORD PTR DS:[EBX+EAX*2]
10024FCC 41 INC ECX
10024FCD 83F9 06 CMP ECX,6 ;have all six groups been added?
10024FD0 ^ 7C DE JL SHORT lwsrf.10024FB0
;-----------------------------------------------------------
10024FD6 85F6 TEST ESI,ESI
10024FD8 7D 11 JGE SHORT lwsrf.10024FEB
10024FDA 33C9 XOR ECX,ECX
10024FDC 66:8B4D 00 MOV CX,WORD PTR SS:[EBP]
10024FE0 0FAFCE IMUL ECX,ESI
10024FE3 D1E1 SHL ECX,1
10024FE5 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
10024FE9 EB 44 JMP SHORT lwsrf.1002502F
10024FEB 8B17 MOV EDX,DWORD PTR DS:[EDI]
10024FED 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
10024FF1 50 PUSH EAX
10024FF2 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
10024FF6 68 48C50410 PUSH lwsrf.1004C548 ; ASCII "%lx"
10024FFB 51 PUSH ECX
10024FFC C64424 34 00 MOV BYTE PTR SS:[ESP+34],0
10025001 895424 30 MOV DWORD PTR SS:[ESP+30],EDX
10025005 E8 D2CB0100 CALL lwsrf.10041BDC
1002500A 83C4 0C ADD ESP,0C
;jump if this is the sixth group (the first five parsed "%lx" values are added to EBX, the sixth is compared)
1002500D 83FE 05 CMP ESI,5
10025010 7D 06 JGE SHORT lwsrf.10025018
10025012 035C24 10 ADD EBX,DWORD PTR SS:[ESP+10]
10025016 EB 17 JMP SHORT lwsrf.1002502F
10025018 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
1002501C 81E3 FFFF0000 AND EBX,0FFFF
10025022 25 FFFF0000 AND EAX,0FFFF
;compare whether the accumulated sums are equal; on the first comparison they are not equal: a decoy planted by the author
10025027 3BC3 CMP EAX,EBX
10025029 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
1002502D 75 3D JNZ SHORT lwsrf.1002506C
1002502F 46 INC ESI
10025030 83C5 02 ADD EBP,2
10025033 83C7 05 ADD EDI,5
10025036 83FE 06 CMP ESI,6
10025039 ^ 7C 9B JL SHORT lwsrf.10024FD6
;-----------------------------------------------------------
Subroutine returns
100258DF FF15 68930410 CALL DWORD PTR DS:[<&USER32.GetWindowTex>; USER32.GetWindowTextA
100258E5 6A 01 PUSH 1
100258E7 6A 00 PUSH 0
100258E9 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
100258ED 6A 01 PUSH 1
100258EF 51 PUSH ECX
;this is the second comparison; step into it. The procedure is the same as above; the only difference is that the accumulated sum of the six registration-code groups should now match, at which point it shows registration success.
100258F0 E8 FBF1FFFF CALL lwsrf.10024AF0
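As an added example (not code from the post, and not the product's own code), the listing above ported to C so the arithmetic can be run on a constructed input. The port keeps the width semantics that matter when reading this kind of code: every store back to [EBP+n] truncates to 16 bits exactly as MOV WORD PTR ...,AX does, and the AND EAX,0FFFF masks are reproduced where the listing has them. Everything the listing leaves off-screen is an assumption, stated in the comments: EAX/ECX/EDX are zero before the first load, the loop counters ECX/ESI and the accumulator EBX start at zero, the registration code is six groups of four hex digits five bytes apart (ADD EDI,5) parsed with sscanf (the call at 10041BDC is passed a buffer, "%lx" and an output pointer, which is the sscanf calling pattern), and the NOT/accumulate loop walks the same six words the transform wrote. The sample machine code is constructed; its first word is chosen so the SHL 5 overflows the 16-bit store.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWORDS 6   /* six 16-bit words at [EBP], the machine code buffer in the listing */

/* Port of 10024B96..10024C5B. Each multiply is written the way the LEA/SHL
 * sequence computes it. Assumption: EAX, ECX, EDX are zero on entry (the
 * listing zeroes them before every load except the first). */
void transform_machine_code(uint16_t w[NWORDS])
{
    uint32_t eax, ecx, edx, tmp;
    /* group 1: x << 5 */
    eax = w[0]; eax <<= 5; tmp = eax; w[0] = (uint16_t)eax;
    /* group 2: (x*9) << 2 */
    eax = w[1]; eax = eax + eax * 8; eax <<= 2; tmp = eax; w[1] = (uint16_t)eax;
    /* group 3: (x + 2*5x) * 5; its low word is stored only after group 4's load */
    eax = w[2]; ecx = eax + eax * 4; eax = eax + ecx * 2; eax = eax + eax * 4; tmp = eax;
    ecx = w[3]; w[2] = (uint16_t)eax;
    /* group 4: (16x + x) << 1 */
    eax = ecx; eax <<= 4; eax += ecx; eax <<= 1; tmp = eax; w[3] = (uint16_t)eax;
    /* low word of the group 4 result, times 17, feeds group 5 */
    eax = tmp & 0xFFFF; edx = (eax << 4) + eax;
    /* group 5: 3*(3x*8 - x) + 2*EDX */
    eax = w[4]; ecx = eax + eax * 2; ecx <<= 3; ecx -= eax;
    eax = ecx + ecx * 2; eax = eax + edx * 2; tmp = eax; w[4] = (uint16_t)eax;
    /* group 6: x + 4*(9x) */
    eax = w[5]; ecx = eax + eax * 8; eax = eax + ecx * 4; tmp = eax; w[5] = (uint16_t)eax;
    /* mix: (low word of group 6 result) * 33 + 2 * [EBP] (stored group 1 word) */
    eax = tmp; edx = w[0]; eax &= 0xFFFF; ecx = (eax << 5) + eax; eax = ecx + edx * 2;
    tmp = eax; edx = w[2]; w[5] = (uint16_t)eax;
    /* mix: [EBP+8] + 2 * [EBP+4] */
    eax = w[4]; eax = eax + edx * 2; tmp = eax; w[4] = (uint16_t)eax;
    (void)tmp;   /* [ESP+10] scratch; its final value is not used within the listing */
}

/* Port of 10024FB0..10024FD0: NOT each word in place, sum the complemented
 * words, and add the fourth word (ECX==3) twice more.
 * Assumption: ECX and EBX are zero at loop entry. */
uint32_t checksum_words(uint16_t w[NWORDS])
{
    uint32_t ebx = 0;
    for (uint32_t ecx = 0; ecx < NWORDS; ecx++) {
        uint16_t ax = (uint16_t)~w[ecx];  /* NOT AX */
        w[ecx] = ax;
        uint32_t eax = ax;                /* AND EAX,0FFFF */
        ebx += eax;
        if (ecx == 3)
            ebx += eax * 2;               /* LEA EBX,[EBX+EAX*2] */
    }
    return ebx;
}

/* Port of 10024FD6..10025039. Assumption: the code is six groups of four hex
 * digits, each group 5 bytes apart, parsed like sscanf("%lx"). The first five
 * values are added to EBX; the sixth must equal the low 16 bits of the sum.
 * Returns 1 when the compare at 10025027 would pass. */
int check_reg_code(const char *code, uint32_t ebx)
{
    if (strlen(code) < 6 * 5 - 1)        /* too short to hold six groups */
        return 0;
    const char *edi = code;
    for (int esi = 0; esi < 6; esi++, edi += 5) {
        char buf[5];
        memcpy(buf, edi, 4); buf[4] = '\0';   /* the NUL store at [ESP+34] */
        unsigned long val;
        if (sscanf(buf, "%lx", &val) != 1)
            return 0;
        if (esi < 5) {
            ebx += (uint32_t)val;
        } else {
            ebx &= 0xFFFF;
            if (((uint32_t)val & 0xFFFF) != ebx)
                return 0;
        }
    }
    return 1;
}

/* Constructed sample machine code (not a real one). 0x1000 << 5 = 0x20000,
 * so the first stored word becomes 0: the truncation the listing relies on. */
static const uint16_t SAMPLE[NWORDS] = {0x1000, 2, 3, 4, 5, 6};

/* Runs transform + checksum on SAMPLE; copies the transformed words out if asked. */
uint32_t sample_checksum(uint16_t out[NWORDS])
{
    uint16_t w[NWORDS];
    memcpy(w, SAMPLE, sizeof w);
    transform_machine_code(w);
    if (out)
        memcpy(out, w, sizeof w);
    return checksum_words(w);
}

int main(void)
{
    uint16_t w[NWORDS];
    uint32_t sum = sample_checksum(w);
    printf("transformed words: %u %u %u %u %u %u\n", w[0], w[1], w[2], w[3], w[4], w[5]);
    printf("running sum: %u (0x%x)\n", sum, sum);
    printf("check: %d\n", check_reg_code("0001-0002-0003-0004-0005-CC31", sum));
    return 0;
}
```

The point worth taking from the port is that only the low 16 bits of every intermediate survive the stores, so the final comparison at 10025027 is a 16-bit equality against a sum of a few products; that is what makes the listing short enough to read in one sitting, and it is why the first word of the sample vanishes entirely.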