【文章标题】: Ghoul捆绑检测工具VB浮点算法分析[带壳][易]
【文章作者】: wynney
【软件名称】: Ghoul捆绑检测工具
【加壳方式】: FSG 2.0 -> bart/xt
【作者声明】: 今天在Unpack上看到这么个工具,就拿下来玩玩
--------------------------------------------------------------------------------
【详细过程】
太简单了,高手跳过吧
1、PEID查壳FSG 2.0 -> bart/xt
2、人懒,不脱了
3、试注册,输入 123456789,注册码保存在同目录的 zcm.ini 中(见下面 CreateFileA 的 FileName 参数)
4、OD设置忽略所有异常
5、bp CreateFileA
6、中断下来,看堆栈
0012F788 660EC6D7 /CALL 到 CreateFileA 来自 MSVBVM60.660EC6D1
0012F78C 0012F800 |FileName = "D:\Made\Ghoul捆绑检测工具\zcm.ini"
0012F790 80000000 |Access = GENERIC_READ
0012F794 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F798 0012F7C0 |pSecurity = 0012F7C0
0012F79C 00000003 |Mode = OPEN_EXISTING
0012F7A0 00000080 |Attributes = NORMAL
0012F7A4 00000000 \hTemplateFile = NULL
如果在这里就“反汇编中跟随”的话就要多走点弯路了:返回地址 660EC6D7 在 MSVBVM60 运行库里,跟过去落在的是 VB 运行库代码而不是程序自身,要再往上回溯才能到 Ghoul 模块
7、往下翻看
0012F91C |0041A5E4 返回到 Ghoul.0041A5E4 来自 MSVBVM60.__vbaFileOpen
0012F920 |FFFFFFFF
0012F924 |00000200
0012F928 |00000004
0012F92C |00000001
0012F930 |0012FB20
反汇编中跟随
0041A5E4 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84] ; 到这里(__vbaFileOpen 返回后),呵,F9 后从这里开始跟
0041A5EA 50 push eax
0041A5EB 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0041A616 FF15 28104000 call dword ptr ds:[401028] ; MSVBVM60.__vbaLineInputStr
0041A61C C745 FC 09000000 mov dword ptr ss:[ebp-4],9 ; 看名字就知道上面是读取试炼码的
0041A623 6A 04 push 4
0041A625 FF15 8C104000 call dword ptr ds:[40108C] ; MSVBVM60.__vbaFileClose
0041A62B C745 FC 0A000000 mov dword ptr ss:[ebp-4],0A ; 读完,上面关闭配置文件
0041A632 6A FF push -1
0041A634 FF15 64104000 call dword ptr ds:[401064] ; MSVBVM60.__vbaOnError
0041A6F7 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0041A6FA 8B51 48 mov edx,dword ptr ds:[ecx+48] ; 堆栈中试炼码
0041A6FD 8995 A4FEFFFF mov dword ptr ss:[ebp-15C],edx
0041A703 C785 9CFEFFFF 08800>mov dword ptr ss:[ebp-164],8008
0041A70D C785 54FFFFFF 08000>mov dword ptr ss:[ebp-AC],8
0041A717 C785 4CFFFFFF 02000>mov dword ptr ss:[ebp-B4],2
0041A721 8B45 80 mov eax,dword ptr ss:[ebp-80] ; 堆栈中机器码
0041A724 50 push eax
0041A725 FF15 0C114000 call dword ptr ds:[40110C] ; 把机器码字符串转为浮点数(下面用 qword 双精度运算)
0041A72B DC0D 68124000 fmul qword ptr ds:[401268] ; 浮点形式,ST0 = 机器码*3
0041A731 DC05 60124000 fadd qword ptr ds:[401260] ; 浮点形式,ST0 = ST0 + 521725
0041A737 DD9D 64FFFFFF fstp qword ptr ss:[ebp-9C]
0041A73D DFE0 fstsw ax
0041A73F A8 0D test al,0D ; 检查 FPU 状态字的 IE/ZE/OE 位(0Dh = bit0|bit2|bit3),有异常就走下面的 jnz 到出错分支
0041A741 0F85 BE050000 jnz Ghoul.0041AD05
0041A768 FF15 84104000 call dword ptr ds:[401084] ; 跟进,把上面的 (机器码*3+521725) 转成字符串后取前 8 位,记为 A
0041A76E C785 D4FEFFFF 41010>mov dword ptr ss:[ebp-12C],141
0041A778 C785 CCFEFFFF 02000>mov dword ptr ss:[ebp-134],2
0041A782 C785 C4FEFFFF 0000E>mov dword ptr ss:[ebp-13C],5E00000
0041A78C C785 C8FEFFFF 8FE80>mov dword ptr ss:[ebp-138],4201E88F
0041A796 C785 BCFEFFFF 05000>mov dword ptr ss:[ebp-144],5
0041A7A0 C785 B4FEFFFF 00000>mov dword ptr ss:[ebp-14C],30000000
0041A7AA C785 B8FEFFFF 3CEC9>mov dword ptr ss:[ebp-148],4196EC3C
0041A7B4 C785 ACFEFFFF 05000>mov dword ptr ss:[ebp-154],5
0041A7BE 8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-164]
0041A7C4 51 push ecx
0041A7C5 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
0041A7CB 52 push edx
0041A7CC 8D85 CCFEFFFF lea eax,dword ptr ss:[ebp-134]
0041A7D2 50 push eax
0041A7D3 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
0041A7D9 51 push ecx
0041A7DA FF15 C0104000 call dword ptr ds:[4010C0] ; 跟进A,B=A*321
跟进A
0041A7EF FF15 40114000 call dword ptr ds:[401140] ; 跟进B
跟进B
0041A804 FF15 00104000 call dword ptr ds:[401000] ; 跟进C
跟进C
0041A80B FF15 38114000 call dword ptr ds:[401138] ; __vbaVarTstNe比较了
0041A811 66:8985 84FEFFFF mov word ptr ss:[ebp-17C],ax
0041A818 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0041A81B FF15 6C114000 call dword ptr ds:[40116C] ; MSVBVM60.__vbaFreeStr
0041A821 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
0041A827 FF15 70114000 call dword ptr ds:[401170] ; MSVBVM60.__vbaFreeObj
0041A82D 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-E4]
0041A833 50 push eax
0041A834 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
0041A83A 51 push ecx
0041A83B 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
0041A841 52 push edx
0041A842 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-A4]
0041A848 50 push eax
0041A849 6A 04 push 4
0041A84B FF15 2C104000 call dword ptr ds:[40102C] ; MSVBVM60.__vbaFreeVarList
0041A851 83C4 14 add esp,14
0041A854 0FBF8D 84FEFFFF movsx ecx,word ptr ss:[ebp-17C]
0041A85B 85C9 test ecx,ecx
0041A85D 0F84 07010000 je Ghoul.0041A96A ; 关键跳:ecx 是上面 __vbaVarTstNe 的比较结果,把 je 改成 jmp 即可绕过校验(爆破)。注意程序带 FSG 壳且没脱,这样改只在内存里有效,要写回文件得先脱壳或另做补丁
算法总结
注册码 = 前8位(机器码*3 + 521725) * 321 + 9614516412 - 96145164,其中“前8位”指把括号内的中间结果转成十进制字符串后取前 8 个字符再当成数字使用(对应下面 Delphi 源码中的 Copy(...,1,8))
Delphi源码
unit test;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, jpeg, CnWaterImage, SUISkinEngine, StdCtrls, SUIMemo, AAFont,AACtrls,
SUIButton, SUIEdit, Math;
type
{ Keygen form. Name holds the machine code typed by the user, Pasw receives
  the generated registration code; Get presumably fires GetClick and
  suiButton1 fires suiButton1Click (event wiring lives in the DFM, not shown).
  The skin/water-image components are purely cosmetic. }
TForm1 = class(TForm)
CnWaterImage1: TCnWaterImage;
suiSkinEngine1: TsuiSkinEngine;
Name: TsuiEdit;   { input: machine code }
Pasw: TsuiEdit;   { output: registration code }
Get: TsuiButton;
suiButton1: TsuiButton;
Label1: TLabel;
Label2: TLabel;
{ Computes the registration code from Name.Text into Pasw.Text. }
procedure GetClick(Sender: TObject);
{ Closes the form. }
procedure suiButton1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
{ Main form instance; NOTE(review): created by the VCL in the project file,
  which is not part of this listing. }
Form1: TForm1;
implementation
{$R *.dfm}
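{ Computes the registration code for a machine code, mirroring the
  floating-point arithmetic recovered from the target (0041A725-0041A7DA):
    A      = first 8 characters of Str(MachineCode * 3 + 521725)
    Serial = A * 321 + 9614516412 - 96145164
  Raises EConvertError when MachineCode (or the truncated string) is not
  a number. }
function SerialFromMachineCode(const MachineCode: string): string;
var
  Step1: string;
  FirstEight: Extended;
begin
  Step1 := FloatToStr(StrToFloat(MachineCode) * 3 + 521725);
  { The target keeps only the leading 8 characters of the decimal text.
    NOTE(review): FloatToStr switches to exponent notation for values with
    more than 15 significant digits; whether the VB original formats such
    values the same way is not established by the trace - confirm before
    relying on very large machine codes. }
  FirstEight := StrToFloat(Copy(Step1, 1, 8));
  Result := FloatToStr(FirstEight * 321 + 9614516412 - 96145164);
end;

{ Button handler: reads the machine code from Name, writes the matching
  registration code to Pasw. Empty input is ignored; non-numeric input
  is reported instead of surfacing as an unhandled EConvertError. }
procedure TForm1.GetClick(Sender: TObject);
begin
  if Name.Text = '' then Exit;
  try
    Pasw.Text := SerialFromMachineCode(Name.Text);
  except
    on EConvertError do
    begin
      Pasw.Text := '';
      ShowMessage('Machine code must be numeric');
    end;
  end;
end;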
{ Exit button handler: closes the keygen form. }
procedure TForm1.suiButton1Click(Sender: TObject);
begin
  Self.Close;
end;
end.
以上源码借用了 China 的带音乐的注册机模板:),Thanks
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年12月08日 下午 02:27:25