本帖最后由 九层楼 于 2017-10-12 16:04 编辑
Atlantis Word Processor 是PYG54 教学中的练习软件, 近日更新到了 3.1.0. 因为教学中老师已经进行过详细的分析, 所以试试新版本.
使用 x64dbg 加载, 尝试注册, 在字符串参考中搜索提示文本, 即可定位到以下两段代码: 第一段 (004995E0) 校验输入的注册码, 第二段 (00499498) 由用户名生成期望的注册码, 最后做字符串比较.
; 004995E0 -- registration-code check. Author's labels: eax = name, edx = code.
; Register-passed args plus the fs:[0] frame below look like Delphi's register
; calling convention and try/finally codegen -- inferred from shape, not confirmed.
; Flow: normalise the entered code (UpperCase, 'O'->'0', drop ' ' and '-', reject
; anything but '0'..'9'), derive the expected code from the name via 00499498, and
; compare the two strings. The success flag is built in bl (sete at 00499693); the
; epilogue that hands it back to the caller lives at 004996C0, outside this listing.
; Review note: the expected code is a pure function of the name and a static table
; inside the binary (see 00499498). No secret enters the check and the final decision
; is one string compare, so both a keygen and a one-byte patch of the sete defeat it.
004995E0 | 55 | push ebp | prologue: frame pointer
004995E1 | 8B EC | mov ebp,esp |
004995E3 | 83 C4 F0 | add esp,FFFFFFF0 | 16 bytes of locals: [ebp-10]..[ebp-4]
004995E6 | 53 | push ebx | callee-saved; ebx = result flag below
004995E7 | 56 | push esi | callee-saved; esi = loop index below
004995E8 | 33 C9 | xor ecx,ecx |
004995EA | 89 4D F4 | mov dword ptr ss:[ebp-C],ecx | 0: local #1 = nil (receives the expected code at 00499683)
004995ED | 89 4D F0 | mov dword ptr ss:[ebp-10],ecx | 0: local #2 = nil (temp for UpperCase)
004995F0 | 89 55 F8 | mov dword ptr ss:[ebp-8],edx | code (author's label) - 2nd register arg
004995F3 | 89 45 FC | mov dword ptr ss:[ebp-4],eax | name (author's label) - 1st register arg
004995F6 | 8D 45 FC | lea eax,dword ptr ss:[ebp-4] |
004995F9 | E8 9E A8 F6 FF | call <awp.str copy ?> | author's label; takes @name - presumably a string ref-count/copy helper, unverified
004995FE | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] |
00499601 | E8 F2 A0 F6 FF | call awp.4036F8 | ?? unlabelled RTL call on code; not resolved in this listing
00499606 | 33 C0 | xor eax,eax |
00499608 | 55 | push ebp |
00499609 | 68 B9 96 49 00 | push awp.4996B9 | handler address for the frame installed below
0049960E | 64 FF 30 | push dword ptr fs:[eax] | fs:[0]: save the previous exception record
00499611 | 64 89 20 | mov dword ptr fs:[eax],esp | install the exception frame
00499614 | 33 DB | xor ebx,ebx | ebx = 0 = "not registered"; only 00499693 can set it
00499616 | 8D 45 F4 | lea eax,dword ptr ss:[ebp-C] |
00499619 | 50 | push eax | @[ebp-C] pushed now; presumably the stack (result) arg of the call at 0049962C, not of UpperCase - inferred
0049961A | 8D 55 F0 | lea edx,dword ptr ss:[ebp-10] | edx = @result for UpperCase
0049961D | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] | eax = code
00499620 | E8 13 1D F7 FF | call <awp.UpperCase> | [ebp-10] = UpperCase(code) (author's label)
00499625 | 8B 45 F0 | mov eax,dword ptr ss:[ebp-10] |
00499628 | B1 30 | mov cl,30 | '0' = replacement char
0049962A | B2 4F | mov dl,4F | 'O' = char to replace
0049962C | E8 F7 3C 17 00 | call <awp.replace O with 0> | tolerate O/0 confusion; result presumably lands in [ebp-C] via the pointer pushed at 00499619
00499631 | 8B 55 F4 | mov edx,dword ptr ss:[ebp-C] |
00499634 | 8D 45 F8 | lea eax,dword ptr ss:[ebp-8] |
00499637 | E8 14 9D F6 FF | call <awp.str copy> | code := normalised code (author's label: string assignment)
0049963C | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] |
0049963F | E8 00 9F F6 FF | call <awp.str length> | eax = Length(code)
00499644 | 8B F0 | mov esi,eax | esi = Length(code)
00499646 | 83 FE 01 | cmp esi,1 |
00499649 | 7C 32 | jl awp.49967D | empty code: skip the scan, go straight to generate+compare
0049964B | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] |
0049964E | 8A 44 30 FF | mov al,byte ptr ds:[eax+esi-1] | al = code[esi] (1-based), scanned from the last char backwards
00499652 | 8B D0 | mov edx,eax |
00499654 | 80 EA 20 | sub dl,20 |
00499657 | 74 05 | je awp.49965E | ' ' -> delete it
00499659 | 80 EA 0D | sub dl,D | (c - 0x20) - 0x0D == 0  <=>  c == 0x2D '-'
0049965C | 75 11 | jne awp.49966F | neither ' ' nor '-' -> must be a digit
0049965E | 8D 45 F8 | lea eax,dword ptr ss:[ebp-8] | eax = @code
00499661 | B9 01 00 00 00 | mov ecx,1 | count = 1
00499666 | 8B D6 | mov edx,esi | index = esi
00499668 | E8 1B A1 F6 FF | call awp.403788 | Delete(code, esi, 1): matches Delphi System.Delete's (eax=@S, edx=Index, ecx=Count) order - inferred
0049966D | EB 09 | jmp awp.499678 |
0049966F | 8B 55 F8 | mov edx,dword ptr ss:[ebp-8] | edx = code; not used on this path
00499672 | 04 D0 | add al,D0 | al = c - 0x30 (mod 256); chars below '0' wrap to >= 0xD0
00499674 | 2C 0A | sub al,A | CF set only if 0 <= c-'0' <= 9
00499676 | 73 1E | jae awp.499696 | not a digit -> leave with bl = 0 (reject)
00499678 | 4E | dec esi |
00499679 | 85 F6 | test esi,esi |
0049967B | 75 CE | jne awp.49964B | loop over every char of code (Length iterations, not a fixed count)
0049967D | 8D 55 F4 | lea edx,dword ptr ss:[ebp-C] | edx = @expected (output of 00499498)
00499680 | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] | eax = name
00499683 | E8 10 FE FF FF | call awp.499498 | [ebp-C] = 25-digit code derived from name + static table (listing below)
00499688 | 8B 55 F4 | mov edx,dword ptr ss:[ebp-C] |
0049968B | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] |
0049968E | E8 C1 9F F6 FF | call <awp.str compare> | entered (normalised) code vs expected code
00499693 | 0F 94 C3 | sete bl | bl = 1 iff equal - the only place the success flag is set
00499696 | 33 C0 | xor eax,eax |
00499698 | 5A | pop edx |
00499699 | 59 | pop ecx |
0049969A | 59 | pop ecx |
0049969B | 64 89 10 | mov dword ptr fs:[eax],edx | restore the previous fs:[0] record
0049969E | 68 C0 96 49 00 | push awp.4996C0 | continuation after the finaliser below (epilogue, not in this listing)
004996A3 | 8D 45 F0 | lea eax,dword ptr ss:[ebp-F0] |
004996A6 | BA 03 00 00 00 | mov edx,3 | 3 consecutive 4-byte locals: [ebp-10], [ebp-C], [ebp-8]
004996AB | E8 2C 9C F6 FF | call awp.4032DC | release them (string clear, inferred)
004996B0 | 8D 45 FC | lea eax,dword ptr ss:[ebp-4] |
004996B3 | E8 38 A2 F6 FF | call awp.4038F0 | release name (string clear, inferred)
004996B8 | C3 | ret | "returns" to 004996C0 pushed above
; 00499498 -- derives the expected 25-character code from the name.
; In:  eax = name (author's label), edx = @Result (stored at [ebp-8], written via
;      the calls at 00499586 / 00499593 and the byte store at 004995A9).
; Algorithm, as visible in this listing:
;   1. name := F(name) (call at 004994C8, unresolved here); then sum every 16-bit
;      character c with 0x20 < c < 0x80 (others are ignored).
;   2. row = sum mod 50; copy 25 DWORDs from the static table at 0x647C98,
;      row-major 50x25, into a local bucket[25] at [ebp-78].
;   3. for each accepted char, in order: bucket[k mod 25] += c, k = running count
;      of accepted chars.
;   4. SetLength(Result, 25); Result[i] = '0' + bucket[i] mod 10 for i in 0..24.
; Review note: every input to this scheme (code and the table at 0x647C98) ships in
; the binary, so the expected code can be reproduced byte for byte from this listing;
; a keygen needs only the name and a dump of the table. Because chars outside
; 0x21..0x7F are skipped, names differing only in such chars map to the same code.
00499498 | 55 | push ebp |
00499499 | 8B EC | mov ebp,esp |
0049949B | 83 C4 84 | add esp,FFFFFF84 | 0x7C bytes of locals: bucket[25] at [ebp-78], temp string at [ebp-7C], scalars at [ebp-14]..[ebp-4]
0049949E | 53 | push ebx | callee-saved; ebx = loop index
0049949F | 56 | push esi | callee-saved; esi = loop counter / bucket pointer
004994A0 | 57 | push edi | callee-saved; edi = accepted-char count
004994A1 | 33 C9 | xor ecx,ecx |
004994A3 | 89 4D 84 | mov dword ptr ss:[ebp-7C],ecx | 0: temp string = nil
004994A6 | 89 55 F8 | mov dword ptr ss:[ebp-8],edx | [ebp-8] = @Result (output var)
004994A9 | 89 45 FC | mov dword ptr ss:[ebp-4],eax | [ebp-4] = eax = name
004994AC | 8D 45 FC | lea eax,dword ptr ss:[ebp-4] |
004994AF | E8 E8 A9 F6 FF | call <awp.str copy ?> | author's label; takes @name - presumably a ref-count/copy helper, unverified
004994B4 | 33 C0 | xor eax,eax |
004994B6 | 55 | push ebp |
004994B7 | 68 D2 95 49 00 | push awp.4995D2 | handler address (see 004995D2 below)
004994BC | 64 FF 30 | push dword ptr fs:[eax] | fs:[0]: save the previous exception record
004994BF | 64 89 20 | mov dword ptr fs:[eax],esp | install the exception frame
004994C2 | 8D 55 84 | lea edx,dword ptr ss:[ebp-7C] | edx = @temp
004994C5 | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] | eax = name
004994C8 | E8 73 27 F7 FF | call <awp.str copy, not str length> | temp = F(name); the transform F is not identified in this listing - any normalisation it does is part of the scheme
004994CD | 8B 55 84 | mov edx,dword ptr ss:[ebp-7C] | edx = temp
004994D0 | 8D 45 FC | lea eax,dword ptr ss:[ebp-4] | eax = @name
004994D3 | E8 54 A4 F6 FF | call <awp.Unique String ?> | name := temp (author's label; (eax=@dest, edx=src) matches a string assignment - inferred)
004994D8 | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] |
004994DB | E8 FC A5 F6 FF | call <awp.str length> | eax = Length(name)
004994E0 | 48 | dec eax | high index = Length-1 (shape of a 'for i := 0 to Length-1' loop, inferred; not a test artifact)
004994E1 | 89 45 F0 | mov dword ptr ss:[ebp-10],eax | [ebp-10] = Length-1
004994E4 | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] |
004994E7 | E8 E0 A5 F6 FF | call <awp.is str empty ?> | author's label is doubtful: the return value is the base pointer for the 16-bit loads at 00499501 / 00499558, i.e. a pointer to name's characters
004994EC | 89 45 F4 | mov dword ptr ss:[ebp-C],eax | [ebp-C] = char pointer
004994EF | 33 C0 | xor eax,eax |
004994F1 | 89 45 EC | mov dword ptr ss:[ebp-14],eax | sum = 0
004994F4 | 8B 75 F0 | mov esi,dword ptr ss:[ebp-10] | esi = Length-1
004994F7 | 85 F6 | test esi,esi |
004994F9 | 7C 1E | jl awp.499519 | empty name -> sum stays 0
004994FB | 46 | inc esi | esi = Length = iteration count
004994FC | 33 DB | xor ebx,ebx | i = 0
004994FE | 8B 45 F4 | mov eax,dword ptr ss:[ebp-C] |
00499501 | 0F B7 0C 58 | movzx ecx,word ptr ds:[eax+ebx*2] | c = name[i], read as a 16-bit unit
00499505 | 83 F9 20 | cmp ecx,20 | ' '
00499508 | 7E 0B | jle awp.499515 | skip c <= 0x20 (space, controls)
0049950A | 81 F9 80 00 00 00 | cmp ecx,80 |
00499510 | 7D 03 | jge awp.499515 | skip c >= 0x80 (non-ASCII never influences the code)
00499512 | 01 4D EC | add dword ptr ss:[ebp-14],ecx | sum += c
00499515 | 43 | inc ebx | i++
00499516 | 4E | dec esi |
00499517 | 75 E5 | jne awp.4994FE |
00499519 | 8B 45 EC | mov eax,dword ptr ss:[ebp-14] | eax = sum of accepted chars
0049951C | B9 32 00 00 00 | mov ecx,32 | 50
00499521 | 99 | cdq | sign-extend for idiv (sum is non-negative for any realistic length)
00499522 | F7 F9 | idiv ecx | edx = sum mod 50 = table row
00499524 | 8D 04 92 | lea eax,dword ptr ds:[edx+edx*4] | row * 5
00499527 | 8D 04 80 | lea eax,dword ptr ds:[eax+eax*4] | row * 25
0049952A | 89 45 EC | mov dword ptr ss:[ebp-14],eax | [ebp-14] = row*25 = DWORD index of the row's first entry
0049952D | 33 DB | xor ebx,ebx | i = 0
0049952F | 8D 45 88 | lea eax,dword ptr ss:[ebp-78] | eax = @bucket[0]
00499532 | 8B 55 EC | mov edx,dword ptr ss:[ebp-14] |
00499535 | 03 D3 | add edx,ebx | index = row*25 + i
00499537 | 8B 14 95 98 7C 64 00 | mov edx,dword ptr ds:[edx*4+647C98] | static 50x25 DWORD table at 0x647C98; highest index used = 49*25+24 = 1249
0049953E | 89 10 | mov dword ptr ds:[eax],edx | bucket[i] = table[row][i]
00499540 | 43 | inc ebx | i++
00499541 | 83 C0 04 | add eax,4 | next bucket
00499544 | 83 FB 19 | cmp ebx,19 | 25 entries
00499547 | 75 E9 | jne awp.499532 |
00499549 | 33 FF | xor edi,edi | k = 0 = accepted chars so far
0049954B | 8B 75 F0 | mov esi,dword ptr ss:[ebp-10] | esi = Length-1
0049954E | 85 F6 | test esi,esi |
00499550 | 7C 2C | jl awp.49957E | empty name -> buckets stay as loaded from the table
00499552 | 46 | inc esi | esi = Length
00499553 | 33 DB | xor ebx,ebx | i = 0
00499555 | 8B 45 F4 | mov eax,dword ptr ss:[ebp-C] |
00499558 | 0F B7 0C 58 | movzx ecx,word ptr ds:[eax+ebx*2] | c = name[i], 16-bit unit
0049955C | 83 F9 20 | cmp ecx,20 | ' '
0049955F | 7E 19 | jle awp.49957A | same filter as the summing loop
00499561 | 81 F9 80 00 00 00 | cmp ecx,80 |
00499567 | 7D 11 | jge awp.49957A |
00499569 | 8B C7 | mov eax,edi | eax = k
0049956B | 51 | push ecx | save c (ecx is about to hold the divisor)
0049956C | B9 19 00 00 00 | mov ecx,19 | 25
00499571 | 99 | cdq |
00499572 | F7 F9 | idiv ecx | edx = k mod 25
00499574 | 59 | pop ecx | restore c
00499575 | 01 4C 95 88 | add dword ptr ss:[ebp+edx*4-78],ecx | bucket[k mod 25] += c
00499579 | 47 | inc edi | k++ (counts accepted chars only)
0049957A | 43 | inc ebx | i++
0049957B | 4E | dec esi |
0049957C | 75 D7 | jne awp.499555 |
0049957E | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] | eax = @Result
00499581 | BA 19 00 00 00 | mov edx,19 | 25
00499586 | E8 E9 A2 F6 FF | call awp.403874 | SetLength(Result, 25)-style call (eax=@S, edx=len) - inferred from the 25-byte fill below; Result's previous content is irrelevant since every byte is overwritten
0049958B | 33 DB | xor ebx,ebx | i = 0
0049958D | 8D 75 88 | lea esi,dword ptr ss:[ebp-78] | esi = @bucket[0]
00499590 | 8B 45 F8 | mov eax,dword ptr ss:[ebp-8] | eax = @Result
00499593 | E8 7C A1 F6 FF | call awp.403714 | not a free: returns a writable pointer to Result's bytes (used as the store base at 004995A9); called every iteration
00499598 | 03 C3 | add eax,ebx | eax = &Result[i]
0049959A | 50 | push eax |
0049959B | 8B 06 | mov eax,dword ptr ds:[esi] | eax = bucket[i]
0049959D | B9 0A 00 00 00 | mov ecx,A | 10
004995A2 | 99 | cdq |
004995A3 | F7 F9 | idiv ecx | edx = bucket[i] mod 10 (signed: a negative bucket yields a negative remainder and a byte below '0'; only possible if the table holds values that make the sum negative - not checkable here)
004995A5 | 80 C2 30 | add dl,30 | + '0' -> ASCII digit
004995A8 | 58 | pop eax |
004995A9 | 88 10 | mov byte ptr ds:[eax],dl | Result[i] = digit (byte store: Result is a byte string, unlike name which is read as 16-bit units)
004995AB | 43 | inc ebx | i++
004995AC | 83 C6 04 | add esi,4 | next bucket
004995AF | 83 FB 19 | cmp ebx,19 | 25 output digits
004995B2 | 75 DC | jne awp.499590 |
004995B4 | 33 C0 | xor eax,eax |
004995B6 | 5A | pop edx |
004995B7 | 59 | pop ecx |
004995B8 | 59 | pop ecx |
004995B9 | 64 89 10 | mov dword ptr fs:[eax],edx | restore the previous fs:[0] record
004995BC | 68 D9 95 49 00 | push awp.4995D9 | continuation = epilogue at 004995D9
004995C1 | 8D 45 84 | lea eax,dword ptr ss:[ebp-7C] |
004995C4 | E8 27 A3 F6 FF | call awp.4038F0 | release temp string (inferred)
004995C9 | 8D 45 FC | lea eax,dword ptr ss:[ebp-4] |
004995CC | E8 1F A3 F6 FF | call awp.4038F0 | release name (inferred)
004995D1 | C3 | ret | "returns" to 004995D9 pushed above
004995D2 | E9 55 98 F6 FF | jmp awp.402E2C | exception path (handler address pushed at 004994B7)
004995D7 | EB E8 | jmp awp.4995C1 | re-enter the finaliser
004995D9 | 5F | pop edi | epilogue
004995DA | 5E | pop esi |
004995DB | 5B | pop ebx |
004995DC | 8B E5 | mov esp,ebp |
004995DE | 5D | pop ebp |
004995DF | C3 | ret |