Cracking PC掌中宝
Target: PC掌中宝
Author: ngaut
Source: came on a CD; there are plenty of copies online
Tools: W32Dasm, OllyDbg, AspackDie 1.41, PEiD
Two days, eight hours a day, and I still haven't worked out the algorithm.
Finding the registration code is easy; I had wanted PC掌中宝 to be my first algorithm analysis.
What a pity.
Heh.
Check for a packer and unpack (PEiD to identify it, AspackDie to strip it).
W32Dasm finds the key spot easily, and OllyDbg turns up the registration code without trouble.
But the algorithm...
0055CFB1 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0055CFB4 |. 8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
0055CFBA |. E8 C5C4EDFF CALL unpacked.00439484 ; fills [EBP-4] (the trial code) from the object at [EBX+2D4]
0055CFBF |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; trial code -> EDX
0055CFC2 |. B8 50AC5A00 MOV EAX,unpacked.005AAC50
0055CFC7 |. E8 286FEAFF CALL unpacked.00403EF4 ; store the trial code in the global at 5AAC50
0055CFCC |. FF35 4CAC5A00 PUSH DWORD PTR DS:[5AAC4C] ; push the global at 5AAC4C: the machine code (it is the part fed to the generator later)
0055CFD2 |. 68 84D05500 PUSH unpacked.0055D084 ; push the string constant at 0055D084 (a constant in the image, not the machine code: it is the piece placed between the two codes, a separator)
0055CFD7 |. FF35 50AC5A00 PUSH DWORD PTR DS:[5AAC50] ; push the trial code
0055CFDD |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; EAX = local string [EBP-C] that receives the joined result
0055CFE0 |. BA 03000000 MOV EDX,3 ; EDX = 3, the number of pieces to join
0055CFE5 |. E8 F271EAFF CALL unpacked.004041DC ; [EBP-C] = machine code + separator + trial code
0055CFEA |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0055CFED |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0055CFF0 |. E8 67E90300 CALL unpacked.0059B95C //key: the algorithm. EAX = the joined string, the result is written to [EBP-8]
0055CFF5 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0055CFF8 |. BA 90D05500 MOV EDX,unpacked.0055D090 ; ASCII "no"
0055CFFD |. E8 2A72EAFF CALL unpacked.0040422C //string compare of the result with "no" (a breakpoint on this compare routine also catches the inner compare at 0059B9E0, where the generated registration code is visible)
0055D002 |. 75 0C JNZ SHORT unpacked.0055D010 //taken when the result is not "no"; this jump decides it
0055D004 |. C783 2C020000>MOV DWORD PTR DS:[EBX+22C],1
0055D00E |. EB 3C JMP SHORT unpacked.0055D04C
0055D010 |> 33C9 XOR ECX,ECX
0055D012 |. B2 01 MOV DL,1
0055D014 |. A1 F87F5500 MOV EAX,DWORD PTR DS:[557FF8]
0055D019 |. E8 FA22EFFF CALL unpacked.0044F318
0055D01E |. 8B15 D4285A00 MOV EDX,DWORD PTR DS:[5A28D4] ; unpacked.005AABC0
0055D024 |. 8902 MOV DWORD PTR DS:[EDX],EAX
0055D026 |. A1 D4285A00 MOV EAX,DWORD PTR DS:[5A28D4]
0055D02B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0055D02D |. 8B80 C8020000 MOV EAX,DWORD PTR DS:[EAX+2C8]
0055D033 |. BA 9CD05500 MOV EDX,unpacked.0055D09C
0055D038 |. E8 77C4EDFF CALL unpacked.004394B4
0055D03D |. A1 D4285A00 MOV EAX,DWORD PTR DS:[5A28D4]
######################################
Inside the CALL at 0055CFF0 //key: the algorithm
0059B95C /$ 55 PUSH EBP
0059B95D |. 8BEC MOV EBP,ESP
0059B95F |. 33C9 XOR ECX,ECX
0059B961 |. 51 PUSH ECX
0059B962 |. 51 PUSH ECX
0059B963 |. 51 PUSH ECX
0059B964 |. 51 PUSH ECX
0059B965 |. 53 PUSH EBX
0059B966 |. 8BDA MOV EBX,EDX
0059B968 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0059B96B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0059B96E |. E8 5D89E6FF CALL unpacked.004042D0
0059B973 |. 33C0 XOR EAX,EAX
0059B975 |. 55 PUSH EBP
0059B976 |. 68 19BA5900 PUSH unpacked.0059BA19
0059B97B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0059B97E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0059B981 |. 8BC3 MOV EAX,EBX
0059B983 |. BA 30BA5900 MOV EDX,unpacked.0059BA30 ; ASCII "no"
0059B988 |. E8 AB85E6FF CALL unpacked.00403F38 ; the result string (pointed to by EBX) starts out as "no"
0059B98D |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0059B990 |. 50 PUSH EAX ; destination for the first substring: [EBP-8]
0059B991 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; joined machine code + trial code -> EDX
0059B994 |. B8 3CBA5900 MOV EAX,unpacked.0059BA3C ; the separator literal
0059B999 |. E8 668AE6FF CALL unpacked.00404404 ; step in to see: returns the 1-based position of the literal inside the string (the next lines use EAX-1 and EAX+1 as bounds)
0059B99E |. 8BC8 MOV ECX,EAX
0059B9A0 |. 49 DEC ECX ; count = position - 1
0059B9A1 |. BA 01000000 MOV EDX,1 ; start index 1
0059B9A6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; joined string -> EAX
0059B9A9 |. E8 7289E6FF CALL unpacked.00404320 ; [EBP-8] = everything before the separator: the machine code
0059B9AE |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0059B9B1 |. 50 PUSH EAX ; destination for the second substring: [EBP-C]
0059B9B2 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; joined string -> EDX
0059B9B5 |. B8 3CBA5900 MOV EAX,unpacked.0059BA3C ; the separator literal again
0059B9BA |. E8 458AE6FF CALL unpacked.00404404 ; position of the separator
0059B9BF |. 8BD0 MOV EDX,EAX
0059B9C1 |. 42 INC EDX ; start index = position + 1 (so the separator is one character long)
0059B9C2 |. B9 FF000000 MOV ECX,0FF ; up to 255 characters
0059B9C7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; joined string -> EAX
0059B9CA |. E8 5189E6FF CALL unpacked.00404320 ; [EBP-C] = everything after the separator: the trial code
0059B9CF |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] ; EDX = destination [EBP-10]
0059B9D2 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; machine code -> EAX
0059B9D5 |. E8 66000000 CALL unpacked.0059BA40 ; important! step in: builds the real registration code from the machine code into [EBP-10]
0059B9DA |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; generated registration code -> EAX
0059B9DD |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; trial code -> EDX
0059B9E0 |. E8 4788E6FF CALL unpacked.0040422C ; key CALL: string compare
0059B9E5 |. 75 17 JNZ SHORT unpacked.0059B9FE ; mismatch: the result stays "no"
0059B9E7 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; match: result = machine code
0059B9EA |. 68 3CBA5900 PUSH unpacked.0059BA3C ; + separator
0059B9EF |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; + trial code
0059B9F2 |. 8BC3 MOV EAX,EBX
0059B9F4 |. BA 03000000 MOV EDX,3 ; three pieces
0059B9F9 |. E8 DE87E6FF CALL unpacked.004041DC ; same join routine as at 0055CFE5
0059B9FE |> 33C0 XOR EAX,EAX
0059BA00 |. 5A POP EDX
0059BA01 |. 59 POP ECX
0059BA02 |. 59 POP ECX
0059BA03 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0059BA06 |. 68 20BA5900 PUSH unpacked.0059BA20
0059BA0B |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0059BA0E |. BA 04000000 MOV EDX,4
0059BA13 |. E8 AC84E6FF CALL unpacked.00403EC4
0059BA18 . C3 RETN
···································································
Inside the CALL at 0059B9D5:
0059BA40 /$ 55 PUSH EBP
0059BA41 |. 8BEC MOV EBP,ESP
0059BA43 |. 83C4 EC ADD ESP,-14
0059BA46 |. 53 PUSH EBX
0059BA47 |. 56 PUSH ESI
0059BA48 |. 57 PUSH EDI
0059BA49 |. 33C9 XOR ECX,ECX
0059BA4B |. 894D EC MOV DWORD PTR SS:[EBP-14],ECX
0059BA4E |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
0059BA51 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0059BA54 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0059BA57 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0059BA5A |. E8 7188E6FF CALL unpacked.004042D0 ; not important
0059BA5F |. 33C0 XOR EAX,EAX
0059BA61 |. 55 PUSH EBP
0059BA62 |. 68 69BB5900 PUSH unpacked.0059BB69
0059BA67 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0059BA6A |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0059BA6D |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0059BA70 |. E8 2B84E6FF CALL unpacked.00403EA0 ; empty the result string (the same routine clears [EBP-4] on the way out)
0059BA75 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0059BA78 |. E8 2384E6FF CALL unpacked.00403EA0 ; empty [EBP-10], the letter part
0059BA7D |. 33C0 XOR EAX,EAX
0059BA7F |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; running sum [EBP-C] = 0
0059BA82 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; machine code -> EAX
0059BA85 |. E8 9286E6FF CALL unpacked.0040411C ; get the machine code length
0059BA8A |. 8BF0 MOV ESI,EAX ; machine code length -> ESI
0059BA8C |. 85F6 TEST ESI,ESI
0059BA8E |. 0F8E 8A000000 JLE unpacked.0059BB1E ; empty machine code: skip the loop
0059BA94 |. BF 01000000 MOV EDI,1 ; EDI = 1-based character index; the loop below builds the letter part of the registration code and sums every character
0059BA99 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; loop: is the character in 'A'..'Z', and in which half?
0059BA9C |. 8A5C38 FF |MOV BL,BYTE PTR DS:[EAX+EDI-1] ; BL = ASCII code of the current machine code character
0059BAA0 |. 8BC3 |MOV EAX,EBX
0059BAA2 |. 3C 4D |CMP AL,4D ; below 'M'? then try the second branch at 0059BAD3
0059BAA4 |. 72 2D |JB SHORT unpacked.0059BAD3
0059BAA6 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0059BAA9 |. 3C 41 |CMP AL,41 ; below 'A'?
0059BAAB |. 72 26 |JB SHORT unpacked.0059BAD3
0059BAAD |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0059BAB0 |. 3C 5A |CMP AL,5A ; above 'Z'?
0059BAB2 |. 77 1F |JA SHORT unpacked.0059BAD3
0059BAB4 |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14] ; EAX = temp string [EBP-14]
0059BAB7 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; dead load, overwritten two lines down
0059BABA |. 33D2 |XOR EDX,EDX
0059BABC |. 8AD3 |MOV DL,BL
0059BABE |. 83EA 05 |SUB EDX,5 ; 'M'..'Z': character code minus 5
0059BAC1 |. E8 7E85E6FF |CALL unpacked.00404044 ; make a one-character string from DL in [EBP-14] (inferred from the append that follows)
0059BAC6 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
0059BAC9 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
0059BACC |. E8 5386E6FF |CALL unpacked.00404124 ; append [EBP-14] to the letter part [EBP-10] (routine listed at the end)
0059BAD1 |. EB 38 |JMP SHORT unpacked.0059BB0B
0059BAD3 |> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
0059BAD6 |. 8A5C38 FF |MOV BL,BYTE PTR DS:[EAX+EDI-1] ; the same character again
0059BADA |. 8BC3 |MOV EAX,EBX
0059BADC |. 3C 4D |CMP AL,4D ; at or above 'M'? then skip (that half was handled above)
0059BADE |. 73 2B |JNB SHORT unpacked.0059BB0B
0059BAE0 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0059BAE3 |. 3C 41 |CMP AL,41 ; below 'A'? skip
0059BAE5 |. 72 24 |JB SHORT unpacked.0059BB0B
0059BAE7 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0059BAEA |. 3C 5A |CMP AL,5A ; above 'Z'? skip (cannot happen here, AL is already below 'M')
0059BAEC |. 77 1D |JA SHORT unpacked.0059BB0B
0059BAEE |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
0059BAF1 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0059BAF4 |. 33D2 |XOR EDX,EDX
0059BAF6 |. 8AD3 |MOV DL,BL
0059BAF8 |. 83C2 06 |ADD EDX,6 ; 'A'..'L': character code plus 6
0059BAFB |. E8 4485E6FF |CALL unpacked.00404044 ; one-character string in [EBP-14]
0059BB00 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
0059BB03 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
0059BB06 |. E8 1986E6FF |CALL unpacked.00404124 ; append to the letter part (the routine listed at the end; it only concatenates)
0059BB0B |> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
0059BB0E |. 0FB64438 FF |MOVZX EAX,BYTE PTR DS:[EAX+EDI-1] ; raw byte value of the character, letter or not
0059BB13 |. 0145 F4 |ADD DWORD PTR SS:[EBP-C],EAX ; running sum of all character codes
0059BB16 |. 47 |INC EDI ; next character
0059BB17 |. 4E |DEC ESI ; ESI (machine code length) - 1
0059BB18 |.^ 0F85 7BFFFFFF JNZ unpacked.0059BA99
0059BB1E |> 6945 F4 B8220>IMUL EAX,DWORD PTR SS:[EBP-C],22B8 ; after the loop: sum of all character codes * 0x22B8
0059BB25 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0059BB28 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14] ; ECX = destination string
0059BB2B |. BA 06000000 MOV EDX,6 ; EDX = 6, a width or digit count
0059BB30 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EAX = the product
0059BB33 |. E8 58DFE6FF CALL unpacked.00409A90 ; key!! formats the number as a string into [EBP-14]; step in, or read [EBP-14] afterwards, to see the number base
0059BB38 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14] ; number string
0059BB3B |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; result string
0059BB3E |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; letter part
0059BB41 |. E8 2286E6FF CALL unpacked.00404168 ; result = letter part + number string (two-piece join)
0059BB46 |. 33C0 XOR EAX,EAX
0059BB48 |. 5A POP EDX
0059BB49 |. 59 POP ECX
0059BB4A |. 59 POP ECX
0059BB4B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0059BB4E |. 68 70BB5900 PUSH unpacked.0059BB70
0059BB53 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0059BB56 |. BA 02000000 MOV EDX,2
0059BB5B |. E8 6483E6FF CALL unpacked.00403EC4 ; clear the two local strings starting at [EBP-14]
0059BB60 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0059BB63 |. E8 3883E6FF CALL unpacked.00403EA0 ; clear the local copy of the machine code (cleanup; the join already happened at 0059BB41)
··································································
Inside the CALL at 0059BB06 (00404124), the append routine also used at 0059BACC:
00404124 $ 85D2 TEST EDX,EDX ; EDX = source string; nothing to do if it is empty
00404126 . 74 3F JE SHORT unpacked.00404167
00404128 . 8B08 MOV ECX,DWORD PTR DS:[EAX] ; ECX = current destination string
0040412A . 85C9 TEST ECX,ECX
0040412C .^ 0F84 C2FDFFFF JE unpacked.00403EF4 ; destination empty: plain assignment of the source
00404132 . 53 PUSH EBX
00404133 . 56 PUSH ESI
00404134 . 57 PUSH EDI
00404135 . 89C3 MOV EBX,EAX
00404137 . 89D6 MOV ESI,EDX
00404139 . 8B79 FC MOV EDI,DWORD PTR DS:[ECX-4] ; EDI = destination length (kept 4 bytes before the characters)
0040413C . 8B56 FC MOV EDX,DWORD PTR DS:[ESI-4] ; EDX = source length
0040413F . 01FA ADD EDX,EDI ; new total length
00404141 . 39CE CMP ESI,ECX
00404143 . 74 17 JE SHORT unpacked.0040415C ; source and destination are the same string
00404145 . E8 02030000 CALL unpacked.0040444C ; grow the destination to the new length
0040414A . 89F0 MOV EAX,ESI ; EAX = source characters
0040414C . 8B4E FC MOV ECX,DWORD PTR DS:[ESI-4] ; ECX = source length
0040414F > 8B13 MOV EDX,DWORD PTR DS:[EBX] ; EDX = (possibly reallocated) destination
00404151 . 01FA ADD EDX,EDI ; + old length = where the source goes
00404153 . E8 10E9FFFF CALL unpacked.00402A68 ; copies ECX bytes from EAX to EDX: a plain memory copy, no algorithm here
00404158 . 5F POP EDI
00404159 . 5E POP ESI
0040415A . 5B POP EBX
0040415B . C3 RETN
········································································
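The two routines above, redone in Python as an added example. This is my own reconstruction from the listings, not code from PC掌中宝 and not the author's; it follows 0059BA40 step by step (letters 'M'..'Z' shift down by 5, 'A'..'L' shift up by 6, other characters produce no letter, every character's byte value is summed, the sum is multiplied by 0x22B8, and the formatted number is appended) and 0059B95C (split the joined string at the separator, generate, compare, answer "no" on mismatch). Two things the listings do not show are assumptions, marked as such in the code: the one-character separator literal at 0059BA3C, taken here as "-", and how 00409A90 formats the number (called with EAX = value, EDX = 6, ECX = destination; modelled as uppercase hexadecimal padded to six digits, with a decimal formatter offered as the alternative). If the formatter is wrong, the real string is visible in [EBP-14] right after the CALL at 0059BB33, and only `int_to_hex6` needs to change.

```python
# Added example: a Python reconstruction of the PC掌中宝 registration check as
# read from the OllyDbg listings above. It is not the program's code; points the
# listings do not settle are marked ASSUMPTION.
from typing import Callable, Optional

MULTIPLIER = 0x22B8        # IMUL EAX,[EBP-C],22B8 at 0059BB1E
SEPARATOR = "-"            # ASSUMPTION: the one-character literal at 0059BA3C
MASK32 = 0xFFFFFFFF        # the IMUL works on a 32-bit register

Formatter = Callable[[int], str]


def shift_letter(ch: str) -> Optional[str]:
    """Letter branches of the loop at 0059BA99..0059BB0B.

    'M'..'Z' (0x4D..0x5A): code - 5   -> 'H'..'U'
    'A'..'L' (0x41..0x4C): code + 6   -> 'G'..'R'
    anything else (digits, lowercase, punctuation): no letter output.
    The map is not injective: 'B' and 'M' both give 'H'.
    """
    code = ord(ch)
    if 0x4D <= code <= 0x5A:
        return chr(code - 5)
    if 0x41 <= code < 0x4D:
        return chr(code + 6)
    return None


def int_to_hex6(value: int) -> str:
    # ASSUMPTION: 00409A90 (EAX=value, EDX=6, ECX=destination) is modelled as
    # uppercase hex with at least six digits. Use int_to_dec6 instead if the
    # string seen in [EBP-14] after the CALL at 0059BB33 is decimal.
    return f"{value & MASK32:06X}"


def int_to_dec6(value: int) -> str:
    # Alternative formatter (also an ASSUMPTION): decimal, zero-padded to six digits.
    return f"{value & MASK32:06d}"


def make_code(machine_code: str, fmt: Formatter = int_to_hex6) -> str:
    """The routine at 0059BA40: registration code from the machine code."""
    letters = []
    total = 0
    for ch in machine_code:
        shifted = shift_letter(ch)           # CMP AL,4D / CMP AL,41 / CMP AL,5A
        if shifted is not None:
            letters.append(shifted)          # appended to [EBP-10] via 00404124
        total += ord(ch) & 0xFF              # MOVZX + ADD [EBP-C] at 0059BB0E: every byte counts
    total = (total * MULTIPLIER) & MASK32    # IMUL at 0059BB1E
    return "".join(letters) + fmt(total)     # joined at 0059BB41: letters first, then the number


def check(joined: str, sep: str = SEPARATOR, fmt: Formatter = int_to_hex6) -> str:
    """The routine at 0059B95C.

    Input is machine code + sep + trial code, as built at 0055CFE5. Returns "no"
    on mismatch, otherwise the joined string itself (three pieces at 0059B9F9).
    The position lookup is 1-based and yields 0 when the separator is absent;
    the two substring calls then take an empty machine code and the first 255
    characters as the trial code, which this mirrors.
    """
    p = joined.find(sep) + 1                 # 00404404: 1-based position, 0 if absent
    machine = joined[:max(p - 1, 0)]         # 00404320: Copy(s, 1, p-1)
    trial = joined[p:p + 0xFF]               # 00404320: Copy(s, p+1, 0xFF)
    if make_code(machine, fmt) != trial:     # 0040422C at 0059B9E0
        return "no"
    return machine + sep + trial


def is_registered(machine_code: str, trial_code: str, sep: str = SEPARATOR) -> bool:
    """The caller's test at 0055CFFD: registered unless the result is "no"."""
    return check(machine_code + sep + trial_code, sep) != "no"


if __name__ == "__main__":
    sample = "ABC123"        # constructed machine code, not one taken from the program
    code = make_code(sample)
    print(sample, "->", code)
    print("registered:", is_registered(sample, code))
    print("registered with a wrong code:", is_registered(sample, "GHI000000"))
```

For a keygen only `make_code` is needed; `check` and `is_registered` are there to show why a breakpoint on the compare routine at 0040422C exposes the generated code: the inner compare at 0059B9E0 receives it directly in EAX. The append routine at 00404124 is ordinary string concatenation and has no counterpart beyond `+`.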
Still learning.
Pointers welcome.