若觉得分析得不够贴切深入，请不要拍砖。
一、如何来到算法代码处
1、OD 加载并运行程序，查找字符串 “Registration key is incorrect.”，双击来到汇编窗口。
2、往上看到 00404EB1 |> \A1 C0554300 mov eax,dword ptr ds:[0x4355C0]，该处的跳转来自 00404E2B |. /0F84 80000000 je ChemPlot.00404EB1（je 不成立则继续执行到报错分支）。
二、注册验证代码实现过程
紧挨在该 je 跳转上方的 call 即为注册码校验函数（00404A10，返回 al=1 表示通过，al=0 表示失败），F7 跟进后来到这里。
; OllyDbg listing of ChemPlot's registration-key check (sub_404A10). Roles as seen in the code below:
;   ecx on entry is saved in [local.4] and forwarded to 004041B0 (presumably the object pointer);
;   [arg.1] is a pointer whose first dword is the NUL-terminated key string; one stack argument -> retn 4;
;   result is al (1 = key accepted, 0 = rejected).
; Algorithm visible here (004041B0 itself is not in this listing; from how its results are consumed — a 16-bit
; word for the 4-char call, 32-bit values compared against computed dwords — it appears to parse the hex
; substring into an integer; confirm by stepping into it):
;   s0 = int(key[0:4]);   step(x) = ROL16(x,1) ^ 0xD6A8
;   s1 = step(s0)                  -> (s0 << 16) | s1 must equal int(key[0:8])
;   s2 = step(s1); s3 = step(s2)   -> (s2 << 16) | s3 must equal int(key[8:16])
; NOTE(review): no secret is involved — the expected key is a pure function of the user-chosen first four
; hex digits and the constant 0xD6A8 embedded in the binary, so reading this routine is enough to generate a
; valid key for any 16-bit prefix. A check of this shape cannot resist a keygen; only a signature verified
; with material that cannot be derived from the client (e.g. an asymmetric scheme) can.
; NOTE(review): the two 0xC8-byte malloc buffers (ebx, esi) are never freed on any path in this listing.
00404A10 /$ 55 push ebp ; entry of the key-check routine
00404A11 |. 8BEC mov ebp,esp
00404A13 |. 6A FF push -0x1 ; SEH frame: initial EH state -1
00404A15 |. 68 0B7A4200 push ChemPlot.00427A0B ; SEH frame: handler thunk
00404A1A |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00404A20 |. 50 push eax ; SEH frame: previous registration record
00404A21 |. 83EC 0C sub esp,0xC ; locals
00404A24 |. 53 push ebx
00404A25 |. 56 push esi
00404A26 |. 57 push edi
00404A27 |. A1 9C554300 mov eax,dword ptr ds:[0x43559C] ; presumably the /GS security cookie
00404A2C |. 33C5 xor eax,ebp ; cookie ^ ebp, as MSVC emits for EH frames (presumably; no check call is visible in the epilogue)
00404A2E |. 50 push eax
00404A2F |. 8D45 F4 lea eax,[local.3] ; register this SEH frame
00404A32 |. 64:A3 0000000>mov dword ptr fs:[0],eax
00404A38 |. 894D F0 mov [local.4],ecx ; save incoming ecx; forwarded as ecx to 004041B0 below
00404A3B |. 8B35 60B14200 mov esi,dword ptr ds:[<&MSVCR100>; msvcr100.malloc
00404A41 |. 68 C8000000 push 0xC8 ; /size = C8 (200.)
00404A46 |. FFD6 call esi ; \malloc -> buffer A
00404A48 |. 8BD8 mov ebx,eax ; ebx = buffer A
00404A4A |. 83C4 04 add esp,0x4
00404A4D |. 895D EC mov [local.5],ebx ; [local.5] = buffer A (slot reused as a string temp from 00404B36 on)
00404A50 |. 85DB test ebx,ebx
00404A52 |. 0F84 AC010000 je ChemPlot.00404C04 ; allocation failed -> reject
00404A58 |. 68 C8000000 push 0xC8
00404A5D |. FFD6 call esi ; malloc -> buffer B
00404A5F |. 8BF0 mov esi,eax ; esi = buffer B
00404A61 |. 83C4 04 add esp,0x4
00404A64 |. 85F6 test esi,esi
00404A66 |. 0F84 98010000 je ChemPlot.00404C04 ; allocation failed -> reject (buffer A is not freed)
00404A6C |. 8B7D 08 mov edi,[arg.1] ; edi = arg1 (object whose first dword is the key's char pointer)
00404A6F |. 8B07 mov eax,dword ptr ds:[edi] ; eax = key string
00404A71 |. 8D50 01 lea edx,dword ptr ds:[eax+0x1] ; edx = start + 1 (for the strlen below)
00404A74 |> 8A08 /mov cl,byte ptr ds:[eax] ; inline strlen: scan to the NUL
00404A76 |. 40 |inc eax
00404A77 |. 84C9 |test cl,cl
00404A79 |.^ 75 F9 \jnz short ChemPlot.00404A74
00404A7B |. 2BC2 sub eax,edx ; eax = strlen(key)
00404A7D |. 83F8 10 cmp eax,0x10 ; the key must be exactly 16 characters
00404A80 |. 0F85 7E010000 jnz ChemPlot.00404C04 ; wrong length -> reject
00404A86 |. 6A 04 push 0x4
00404A88 |. E8 FF130200 call <jmp.&mfc100.#1294> ; allocate a 4-byte object (presumably operator new for a string wrapper)
00404A8D |. 83C4 04 add esp,0x4
00404A90 |. 8945 08 mov [arg.1],eax ; arg slot reused as a temporary
00404A93 |. C745 FC 00000>mov [local.1],0x0 ; EH state 0
00404A9A |. 85C0 test eax,eax
00404A9C |. 74 0F je short ChemPlot.00404AAD ; allocation failed -> edi = NULL
00404A9E |. 8B0F mov ecx,dword ptr ds:[edi]
00404AA0 |. 51 push ecx ; the key string
00404AA1 |. 8BC8 mov ecx,eax
00404AA3 |. FF15 C8B84200 call dword ptr ds:[<&mfc100.#310>; construct the wrapper from the key (presumably CString ctor)
00404AA9 |. 8BF8 mov edi,eax ; edi = key string object
00404AAB |. EB 02 jmp short ChemPlot.00404AAF
00404AAD |> 33FF xor edi,edi
00404AAF |> 6A 04 push 0x4 ; count = 4
00404AB1 |. 6A 00 push 0x0 ; first = 0
00404AB3 |. 8D55 08 lea edx,[arg.1] ; result slot
00404AB6 |. 52 push edx
00404AB7 |. 8BCF mov ecx,edi
00404AB9 |. C745 FC FFFFF>mov [local.1],-0x1
00404AC0 |. FF15 D4B84200 call dword ptr ds:[<&mfc100.#787>; key.Mid(0, 4) (ordinal not resolved here; arg order inferred)
00404AC6 |. 8BC8 mov ecx,eax
00404AC8 |. FF15 98B94200 call dword ptr ds:[<&mfc100.#144>; -> char* of the substring (presumably)
00404ACE |. 50 push eax ; src = first 4 characters of the key
00404ACF |. 68 C8000000 push 0xC8 ; dest size
00404AD4 |. 53 push ebx ; dest = buffer A
00404AD5 |. 8B1D 44B14200 mov ebx,dword ptr ds:[<&MSVCR100>; msvcr100.strcpy_s
00404ADB |. FFD3 call ebx ; strcpy_s(buffer A, 0xC8, key[0:4])
00404ADD |. 83C4 0C add esp,0xC
00404AE0 |. 8D4D 08 lea ecx,[arg.1]
00404AE3 |. FF15 A0B94200 call dword ptr ds:[<&mfc100.#901>; release the substring temp (presumably the destructor)
00404AE9 |. 8B45 EC mov eax,[local.5] ; buffer A
00404AEC |. 8B4D F0 mov ecx,[local.4] ; saved ecx
00404AEF |. 6A 04 push 0x4 ; length 4
00404AF1 |. 50 push eax
00404AF2 |. E8 B9F6FFFF call ChemPlot.004041B0 ; eax = value of key[0:4]; author's note: checks each char is a digit or letter and upper-cases letters — the result is used below as a 16-bit integer
00404AF7 |. 6A 08 push 0x8 ; count = 8
00404AF9 |. 6A 00 push 0x0 ; first = 0
00404AFB |. 8D4D 08 lea ecx,[arg.1]
00404AFE |. 51 push ecx
00404AFF |. 8BCF mov ecx,edi
00404B01 |. 8945 E8 mov [local.6],eax ; save s0 (read back as a word at 00404B6D)
00404B04 |. FF15 D4B84200 call dword ptr ds:[<&mfc100.#787>; key.Mid(0, 8)
00404B0A |. 8BC8 mov ecx,eax
00404B0C |. FF15 98B94200 call dword ptr ds:[<&mfc100.#144>; -> char* of the substring
00404B12 |. 50 push eax ; src = first 8 characters of the key
00404B13 |. 68 C8000000 push 0xC8
00404B18 |. 56 push esi ; dest = buffer B
00404B19 |. FFD3 call ebx ; strcpy_s(buffer B, 0xC8, key[0:8])
00404B1B |. 83C4 0C add esp,0xC
00404B1E |. 8D4D 08 lea ecx,[arg.1]
00404B21 |. FF15 A0B94200 call dword ptr ds:[<&mfc100.#901>; release the substring temp
00404B27 |. 8B4D F0 mov ecx,[local.4]
00404B2A |. 6A 08 push 0x8 ; length 8
00404B2C |. 56 push esi
00404B2D |. E8 7EF6FFFF call ChemPlot.004041B0 ; eax = value of key[0:8] (same conversion as above)
00404B32 |. 6A 0F push 0xF ; count = 15 (only 8 remain in a 16-char key)
00404B34 |. 6A 08 push 0x8 ; first = 8
00404B36 |. 8D55 EC lea edx,[local.5] ; [local.5] now reused as the result slot
00404B39 |. 52 push edx
00404B3A |. 8BCF mov ecx,edi
00404B3C |. 8945 08 mov [arg.1],eax ; [arg.1] = value of key[0:8]
00404B3F |. FF15 D4B84200 call dword ptr ds:[<&mfc100.#787>; key.Mid(8, 15) = last 8 characters
00404B45 |. 8BC8 mov ecx,eax
00404B47 |. FF15 98B94200 call dword ptr ds:[<&mfc100.#144>; -> char* of the substring
00404B4D |. 50 push eax ; src = last 8 characters of the key
00404B4E |. 68 C8000000 push 0xC8
00404B53 |. 56 push esi
00404B54 |. FFD3 call ebx ; strcpy_s(buffer B, 0xC8, key[8:16])
00404B56 |. 83C4 0C add esp,0xC
00404B59 |. 8D4D EC lea ecx,[local.5]
00404B5C |. FF15 A0B94200 call dword ptr ds:[<&mfc100.#901>; release the substring temp
00404B62 |. 8B4D F0 mov ecx,[local.4]
00404B65 |. 6A 08 push 0x8
00404B67 |. 56 push esi
00404B68 |. E8 43F6FFFF call ChemPlot.004041B0 ; eax = value of key[8:16] (kept in eax until the compare at 00404BEA)
00404B6D |. 0FB74D E8 movzx ecx,word ptr ss:[ebp-0x18] ; ecx = s0 = low 16 bits of the key[0:4] value ([local.6])
00404B71 |. 8BD1 mov edx,ecx ; edx = s0 (becomes the high half of the expected first 8 digits)
00404B73 |. F7C1 00800000 test ecx,0x8000 ; is bit 15 of s0 set?
00404B79 |. 74 0C je short ChemPlot.00404B87 ; clear -> plain shift
00404B7B |. 8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; ecx*2 - 0x10000 (displacement truncated in this dump; presumably -0x10000)
00404B82 |. 83C9 01 or ecx,0x1 ; ... | 1: together a 16-bit rotate-left by 1, bit 15 wraps into bit 0
00404B85 |. EB 02 jmp short ChemPlot.00404B89
00404B87 |> 03C9 add ecx,ecx ; s0 << 1 (bit 15 was clear, so this is also ROL16 by 1)
00404B89 |> 81F1 A8D6FFFF xor ecx,-0x2958 ; ^ 0xFFFFD6A8 — only the low 16 bits (0xD6A8) survive the mask below
00404B8F |. 81E1 FFFF0000 and ecx,0xFFFF ; s1 = (ROL16(s0,1) ^ 0xD6A8) & 0xFFFF
00404B95 |. C1E2 10 shl edx,0x10
00404B98 |. 03D1 add edx,ecx ; edx = (s0 << 16) | s1 = expected value of key[0:8]
00404B9A |. F7C1 00800000 test ecx,0x8000 ; same step applied to s1
00404BA0 |. 74 0C je short ChemPlot.00404BAE
00404BA2 |. 8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; ROL16 by 1, bit 15 set case
00404BA9 |. 83C9 01 or ecx,0x1
00404BAC |. EB 02 jmp short ChemPlot.00404BB0
00404BAE |> 03C9 add ecx,ecx ; ROL16 by 1, bit 15 clear case
00404BB0 |> 81F1 A8D6FFFF xor ecx,-0x2958
00404BB6 |. 81E1 FFFF0000 and ecx,0xFFFF ; s2 = (ROL16(s1,1) ^ 0xD6A8) & 0xFFFF
00404BBC |. 8BF1 mov esi,ecx ; esi = s2 (becomes the high half of the expected last 8 digits)
00404BBE |. F7C1 00800000 test ecx,0x8000 ; same step applied to s2
00404BC4 |. 74 0C je short ChemPlot.00404BD2
00404BC6 |. 8D8C09 0000FF>lea ecx,dword ptr ds:[ecx+ecx-0x> ; ROL16 by 1, bit 15 set case
00404BCD |. 83C9 01 or ecx,0x1
00404BD0 |. EB 02 jmp short ChemPlot.00404BD4
00404BD2 |> 03C9 add ecx,ecx ; ROL16 by 1, bit 15 clear case
00404BD4 |> 3B55 08 cmp edx,[arg.1] ; key[0:8] must equal (s0 << 16) | s1, i.e. digits 4..7 must be s1
00404BD7 |. 75 2B jnz short ChemPlot.00404C04 ; mismatch -> reject
00404BD9 |. 81F1 A8D6FFFF xor ecx,-0x2958
00404BDF |. 81E1 FFFF0000 and ecx,0xFFFF ; s3 = (ROL16(s2,1) ^ 0xD6A8) & 0xFFFF
00404BE5 |. C1E6 10 shl esi,0x10
00404BE8 |. 03CE add ecx,esi ; ecx = (s2 << 16) | s3 = expected value of key[8:16]
00404BEA |. 3BC8 cmp ecx,eax ; key[8:16] must equal (s2 << 16) | s3
00404BEC |. 75 16 jnz short ChemPlot.00404C04 ; mismatch -> reject
00404BEE |. B0 01 mov al,0x1 ; accepted
00404BF0 |. 8B4D F4 mov ecx,[local.3] ; previous SEH registration record
00404BF3 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this SEH frame
00404BFA |. 59 pop ecx ; discards the cookie^ebp word (no cookie check call is visible here)
00404BFB |. 5F pop edi
00404BFC |. 5E pop esi
00404BFD |. 5B pop ebx
00404BFE |. 8BE5 mov esp,ebp
00404C00 |. 5D pop ebp
00404C01 |. C2 0400 retn 0x4
00404C04 |> 32C0 xor al,al ; rejected (reached from every failure branch; neither malloc'd buffer is freed)
00404C06 |. 8B4D F4 mov ecx,[local.3] ; previous SEH registration record
00404C09 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this SEH frame
00404C10 |. 59 pop ecx ; discards the cookie^ebp word
00404C11 |. 5F pop edi
00404C12 |. 5E pop esi
00404C13 |. 5B pop ebx
00404C14 |. 8BE5 mov esp,ebp
00404C16 |. 5D pop ebp
00404C17 \. C2 0400 retn 0x4 |