【文章标题】: ScreenShot2Email 1.0.0.66 算法分析
【文章作者】: xss517
【作者主页】:
【作者QQ号】: 251496329
【软件名称】: ScreenShot2Email 1.0.066
【下载地址】: 自己搜索下载
【编写语言】: Borland Delphi 6.0 - 7.0
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
ScreenShot2Email一个使用方便的屏幕截图工具,可将截取的屏幕图像发送到指定的电子信箱中。它体积小巧,速度很快,可以支持jpeg、tiff、png、gif、bmp等五种格式,可以最小化在系统托盘中。
http://www.screenshot2.com/
一直很喜欢选择体积比较小的软件来练习, 安装后目录里面有ScreenShot2Email.exe和ScreenShot2Email.dll这两个文件
peid一查看都是Borland Delphi的东西,肯定用到dede来处理
先看看ScreenShot2Email.exe文件,od加载
; ScreenShot2Email.exe entry routine (OllyDbg listing of a Delphi binary).
; Flow: LoadLibraryA("gdiplus.dll"); on success free it again and WinExec("screenshot2email.dll", SW_HIDE)
; (that .dll is itself an executable, see the notes after the listing). On failure, look for a gdiplus.dll
; under c:\program files (helper 0040E838, not shown): if none is found, read "language" under
; HKCU\software\screenshot2.com\screenshot2email\ (default "english"), fetch the "nogdiplus" text from
; langs\<language>.lng and show it with MessageBoxA; if one is found, CopyFileA it to <dir>\gdiplus.dll
; and WinExec the .dll anyway.
0040F1F0 >/$ 55 push ebp ; (initial cpu selection)
0040F1F1 |. 8BEC mov ebp, esp
0040F1F3 |. B9 07000000 mov ecx, 7 ; reserve and zero 14 dwords of locals (Delphi prologue idiom, typically string temporaries)
0040F1F8 |> 6A 00 /push 0
0040F1FA |. 6A 00 |push 0
0040F1FC |. 49 |dec ecx
0040F1FD |.^ 75 F9 \jnz short 0040F1F8
0040F1FF |. B8 94EA4000 mov eax, 0040EA94
0040F204 |. E8 7F66FFFF call 00405888
0040F209 |. 33C0 xor eax, eax ; push a try/finally frame on the SEH chain at fs:[0]; cleanup code at 0040F38C
0040F20B |. 55 push ebp
0040F20C |. 68 8CF34000 push 0040F38C
0040F211 |. 64:FF30 push dword ptr fs:[eax]
0040F214 |. 64:8920 mov dword ptr fs:[eax], esp
0040F217 |. 68 98F34000 push 0040F398 ; /gdiplus.dllscreenshot2email.dll  (string at 0040F398 is "gdiplus.dll"; the preview runs into the next string at 0040F3A4)
0040F21C |. E8 9B67FFFF call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
0040F221 |. 83F8 20 cmp eax, 20 ; handles below 0x20 are treated as failure (old HINSTANCE_ERROR convention)
0040F224 |. 72 17 jb short 0040F23D
0040F226 |. 50 push eax ; /hLibModule  (gdiplus loads: release it, the real program will load it itself)
0040F227 |. E8 1067FFFF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
0040F22C |. 6A 00 push 0 ; /ShowState = SW_HIDE
0040F22E |. 68 A4F34000 push 0040F3A4 ; |screenshot2email.dll  (started as a process, hidden window)
0040F233 |. E8 9467FFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040F238 |. E9 34010000 jmp 0040F371
0040F23D |> 8D45 EC lea eax, dword ptr [ebp-14] ; gdiplus.dll not loadable: search for it (result string into [ebp-14])
0040F240 |. 50 push eax
0040F241 |. B1 01 mov cl, 1
0040F243 |. BA C4F34000 mov edx, 0040F3C4 ; ASCII "gdiplus.dll"
0040F248 |. B8 D8F34000 mov eax, 0040F3D8 ; c:\program files
0040F24D |. E8 E6F5FFFF call 0040E838 ; presumably a file search for "gdiplus.dll" below c:\program files (not shown)
0040F252 |. 8B55 EC mov edx, dword ptr [ebp-14]
0040F255 |. B8 CC424100 mov eax, 004142CC ; global at 004142CC := found path (call 0040413C, presumably string assign)
0040F25A |. E8 DD4EFFFF call 0040413C
0040F25F |. 833D CC424100>cmp dword ptr [4142CC], 0 ; found something? -> copy branch at 0040F31D
0040F266 |. 0F85 B1000000 jnz 0040F31D
0040F26C |. 8D45 E8 lea eax, dword ptr [ebp-18] ; not found: read the language setting into [ebp-18]
0040F26F |. 50 push eax
0040F270 |. B9 F4F34000 mov ecx, 0040F3F4 ; language
0040F275 |. BA 08F44000 mov edx, 0040F408 ; software\screenshot2.com\screenshot2email\
0040F27A |. B8 01000080 mov eax, 80000001 ; HKEY_CURRENT_USER
0040F27F |. E8 2468FFFF call 00405AA8 ; presumably a registry string read (key in edx, value name in ecx)
0040F284 |. 8B55 E8 mov edx, dword ptr [ebp-18]
0040F287 |. B8 C8424100 mov eax, 004142C8 ; global at 004142C8 := language
0040F28C |. E8 AB4EFFFF call 0040413C
0040F291 |. 833D C8424100>cmp dword ptr [4142C8], 0 ; empty language -> default to "english"
0040F298 |. 75 0F jnz short 0040F2A9
0040F29A |. B8 C8424100 mov eax, 004142C8
0040F29F |. BA 3CF44000 mov edx, 0040F43C ; englishscreenshot2email  (string "english"; preview runs into the next string)
0040F2A4 |. E8 934EFFFF call 0040413C
0040F2A9 |> 6A 00 push 0 ; MessageBoxA args pushed early: uType = 0, caption, then the text computed below
0040F2AB |. 68 44F44000 push 0040F444 ; screenshot2email
0040F2B0 |. 68 60F44000 push 0040F460 ; ASCII "GDIPlus.DLL not installed, read manual's ""System Requirements"" for details."
0040F2B5 |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; [ebp-1C] receives the localized message (filled by the call at 0040F306)
0040F2B8 |. 50 push eax
0040F2B9 |. 8D55 D4 lea edx, dword ptr [ebp-2C] ; derive the program's directory (helpers 00402E64 / 0040E558 / 0040E7D8 not shown; presumably module path -> directory)
0040F2BC |. 33C0 xor eax, eax
0040F2BE |. E8 A13BFFFF call 00402E64
0040F2C3 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
0040F2C6 |. 8D55 D8 lea edx, dword ptr [ebp-28]
0040F2C9 |. E8 8AF2FFFF call 0040E558
0040F2CE |. 8B45 D8 mov eax, dword ptr [ebp-28]
0040F2D1 |. 8D55 DC lea edx, dword ptr [ebp-24]
0040F2D4 |. E8 FFF4FFFF call 0040E7D8
0040F2D9 |. FF75 DC push dword ptr [ebp-24] ; 4-part concat (edx = 4): <dir> + "langs\" + <language> + ".lng" -> [ebp-20]
0040F2DC |. 68 B4F44000 push 0040F4B4 ; langs\
0040F2E1 |. FF35 C8424100 push dword ptr [4142C8]
0040F2E7 |. 68 C4F44000 push 0040F4C4 ; .lng
0040F2EC |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040F2EF |. BA 04000000 mov edx, 4
0040F2F4 |. E8 4F51FFFF call 00404448
0040F2F9 |. 8B45 E0 mov eax, dword ptr [ebp-20]
0040F2FC |. B9 D4F44000 mov ecx, 0040F4D4 ; nogdiplus
0040F301 |. BA E8F44000 mov edx, 0040F4E8 ; messages
0040F306 |. E8 3D67FFFF call 00405A48 ; presumably an INI-style lookup: section "messages", key "nogdiplus" from the .lng file
0040F30B |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0040F30E |. E8 7552FFFF call 00404588 ; string -> PChar (presumably)
0040F313 |. 50 push eax ; |Text
0040F314 |. 6A 00 push 0 ; |hOwner = NULL
0040F316 |. E8 E166FFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0040F31B |. EB 54 jmp short 0040F371
0040F31D |> 6A 00 push 0 ; found a gdiplus.dll: CopyFileA(bFailIfExists = 0)
0040F31F |. 8D55 C8 lea edx, dword ptr [ebp-38] ; same directory derivation as above -> [ebp-30]
0040F322 |. 33C0 xor eax, eax
0040F324 |. E8 3B3BFFFF call 00402E64
0040F329 |. 8B45 C8 mov eax, dword ptr [ebp-38]
0040F32C |. 8D55 CC lea edx, dword ptr [ebp-34]
0040F32F |. E8 24F2FFFF call 0040E558
0040F334 |. 8B45 CC mov eax, dword ptr [ebp-34]
0040F337 |. 8D55 D0 lea edx, dword ptr [ebp-30]
0040F33A |. E8 99F4FFFF call 0040E7D8
0040F33F |. 8D45 D0 lea eax, dword ptr [ebp-30] ; [ebp-30] := [ebp-30] + "gdiplus.dll" (presumably string concat)
0040F342 |. BA C4F34000 mov edx, 0040F3C4 ; ASCII "gdiplus.dll"
0040F347 |. E8 4450FFFF call 00404390
0040F34C |. 8B45 D0 mov eax, dword ptr [ebp-30]
0040F34F |. E8 3452FFFF call 00404588
0040F354 |. 50 push eax ; |NewFileName = <dir>\gdiplus.dll
0040F355 |. A1 CC424100 mov eax, dword ptr [4142CC] ; NOTE(review): the source is whatever the search at 0040F24D found, not a fixed system path - confirm the search is limited to trusted locations
0040F35A |. E8 2952FFFF call 00404588
0040F35F |. 50 push eax ; |ExistingFileName
0040F360 |. E8 8765FFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040F365 |. 6A 00 push 0 ; /ShowState = SW_HIDE
0040F367 |. 68 A4F34000 push 0040F3A4 ; |screenshot2email.dll
0040F36C |. E8 5B66FFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040F371 |> 33C0 xor eax, eax ; common exit: unlink the SEH frame
0040F373 |. 5A pop edx
0040F374 |. 59 pop ecx
0040F375 |. 59 pop ecx
0040F376 |. 64:8910 mov dword ptr fs:[eax], edx
0040F379 |. 68 93F34000 push 0040F393
0040F37E |> 8D45 C8 lea eax, dword ptr [ebp-38] ; finally block: release the 0x0A local string slots starting at [ebp-38] (presumably LStrArrayClr)
0040F381 |. BA 0A000000 mov edx, 0A
0040F386 |. E8 814DFFFF call 0040410C
0040F38B \. C3 retn
----------------------------------------------------------------------------
这里很奇怪,程序调用了 WinExec 来运行 screenshot2email.dll,我们知道 dll 文件不可能单独运行,这里就十分古怪
一看 screenshot2email.dll 近 600KB 的体积,比 exe 文件大多了,猜想这个 exe 像个 loader,用来加载实际为可执行文件的 dll
screenshot2email.dll改名为screenshot2email.dll.exe果然可以顺利运行
peid查看screenshot2email.dll,也是Delphi写的东西,用KANAL插件一看
MD5 :: 0006DFAB :: 0046EBAB
原来是用到MD5加密算法
dede加载screenshot2email.dll.exe,在过程里面的uRegistration里面的btnOKClick 找到地址0046F744
找到这里我们就成功一半了
od里面ctrl+g 填入 0046F744,F2下内存断点,F9运行
填入注册名xss517和假的注册码123456,确定,稳稳的中断在0046F744,F8大致跟一下
-----------------------------------------------------------------------------
; uRegistration.btnOKClick (address from DeDe) - the registration check in screenshot2email.dll.
; Delphi register convention: eax = Self (the form), kept in ebx.
;   [ebp-C]  = text of the name edit ([ebx+368])
;   [ebp-4]  = MD5 hex digest of the name (call 0046F3B4, per the author's note)
;   [ebp-8]  = digest transformed by 00476E18 -> the expected code
;   [ebp-14] = text of the code edit ([ebx+36C]); compared with [ebp-8] at 0046F7BA
; On a match the result is stored under "Value1"/"Value2" (call 0047782C, presumably a settings write),
; a status text is set and a message shown; otherwise only a message (0043B21C) is shown.
0046F744 /. 55 push ebp
0046F745 |. 8BEC mov ebp, esp
0046F747 |. B9 06000000 mov ecx, 6 ; reserve and zero 12 dwords of locals (Delphi prologue idiom)
0046F74C |> 6A 00 /push 0
0046F74E |. 6A 00 |push 0
0046F750 |. 49 |dec ecx
0046F751 |.^ 75 F9 \jnz short 0046F74C
0046F753 |. 53 push ebx
0046F754 |. 56 push esi
0046F755 |. 8BD8 mov ebx, eax ; ebx = Self
0046F757 |. 33C0 xor eax, eax ; try/finally frame on the SEH chain; cleanup code at 0046F918
0046F759 |. 55 push ebp
0046F75A |. 68 18F94600 push 0046F918
0046F75F |. 64:FF30 push dword ptr fs:[eax]
0046F762 |. 64:8920 mov dword ptr fs:[eax], esp
0046F765 |. 8D55 F4 lea edx, dword ptr [ebp-C] ; [ebp-C] := text of control [ebx+368] (call 00449138, presumably GetText: eax = control, edx = @result)
0046F768 |. 8B83 68030000 mov eax, dword ptr [ebx+368]
0046F76E |. E8 C599FDFF call 00449138
0046F773 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0046F776 |. 8D55 FC lea edx, dword ptr [ebp-4] ; eax = registration name (xss517 in the author's run); result -> [ebp-4]
0046F779 |. E8 36FCFFFF call 0046F3B4
0046F77E |. 8D45 F8 lea eax, dword ptr [ebp-8] ; [ebp-8] := [ebp-4] (call 00404948, presumably string assign)
0046F781 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx = MD5(name) = F5D8D5D774391CA908D4E0A46E8258EE in the author's run
0046F784 |. E8 BF51F9FF call 00404948
0046F789 |. 8D4D F0 lea ecx, dword ptr [ebp-10] ; 00476E18(eax = Application/global object from [47AE1C], edx = digest, ecx = @result [ebp-10])
0046F78C |. A1 1CAE4700 mov eax, dword ptr [47AE1C]
0046F791 |. 8B00 mov eax, dword ptr [eax]
0046F793 |. 8B55 F8 mov edx, dword ptr [ebp-8]
0046F796 |. E8 7D760000 call 00476E18 ; transform of the MD5 digest (the serial algorithm, listed below)
0046F79B |. 8B55 F0 mov edx, dword ptr [ebp-10] ; [ebp-8] := transformed digest
0046F79E |. 8D45 F8 lea eax, dword ptr [ebp-8]
0046F7A1 |. E8 A251F9FF call 00404948
0046F7A6 |. 8D55 EC lea edx, dword ptr [ebp-14] ; [ebp-14] := text of control [ebx+36C] (the second edit)
0046F7A9 |. 8B83 6C030000 mov eax, dword ptr [ebx+36C]
0046F7AF |. E8 8499FDFF call 00449138
0046F7B4 |. 8B45 EC mov eax, dword ptr [ebp-14] ; eax = text typed into the code edit; the author's note labels this the real code FPBD5JHFDMDLJHE7
0046F7B7 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; edx = transformed digest; the author's note labels this the fake code 123456 - from the data flow above the two labels appear swapped, verify in the debugger
0046F7BA |. E8 0155F9FF call 00404CC0 ; string compare eax vs edx (presumably LStrCmp)
0046F7BF |. 0F85 EF000000 jnz 0046F8B4 ; key jump: taken when the typed code differs from the expected one
0046F7C5 |. B8 90000000 mov eax, 90 ; match: allocate a 0x90-byte buffer (call 00402CA8, presumably GetMem)
0046F7CA |. E8 D934F9FF call 00402CA8
0046F7CF |. 8BF0 mov esi, eax
0046F7D1 |. 68 90000000 push 90 ; /BufSize = 90 (144.)
0046F7D6 |. 56 push esi ; |Buffer
0046F7D7 |. E8 6C72F9FF call <jmp.&kernel32.GetWindowsDirecto>; \GetWindowsDirectoryA
0046F7DC |. 8D45 E0 lea eax, dword ptr [ebp-20] ; [ebp-20] := Windows directory as a string (call 00404AA8, presumably PChar -> string)
0046F7DF |. 8BD6 mov edx, esi
0046F7E1 |. E8 C252F9FF call 00404AA8
0046F7E6 |. 8B45 E0 mov eax, dword ptr [ebp-20] ; two more helpers (00467E50, 0046F698; not shown) derive [ebp-18] from it
0046F7E9 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0046F7EC |. E8 5F86FFFF call 00467E50
0046F7F1 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0046F7F4 |. 8D55 E8 lea edx, dword ptr [ebp-18]
0046F7F7 |. E8 9CFEFFFF call 0046F698
0046F7FC |. 8B4D E8 mov ecx, dword ptr [ebp-18] ; [ebp-8] := [ebp-4] + [ebp-18] (3-argument concat, presumably LStrCat3): digest joined with the value derived from the Windows directory
0046F7FF |. 8D45 F8 lea eax, dword ptr [ebp-8]
0046F802 |. 8B55 FC mov edx, dword ptr [ebp-4]
0046F805 |. E8 B653F9FF call 00404BC0
0046F80A |. 8D4D DC lea ecx, dword ptr [ebp-24] ; transform that joined string as well -> [ebp-24]; presumably this ties the stored value to the machine - confirm
0046F80D |. A1 1CAE4700 mov eax, dword ptr [47AE1C]
0046F812 |. 8B00 mov eax, dword ptr [eax]
0046F814 |. 8B55 F8 mov edx, dword ptr [ebp-8]
0046F817 |. E8 FC750000 call 00476E18
0046F81C |. 8B55 DC mov edx, dword ptr [ebp-24] ; [ebp-8] := that result
0046F81F |. 8D45 F8 lea eax, dword ptr [ebp-8]
0046F822 |. E8 2151F9FF call 00404948
0046F827 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; store it under "Value1" (call 0047782C, presumably a settings write: name in eax, value in edx)
0046F82A |. B8 30F94600 mov eax, 0046F930 ; ASCII "Value1"
0046F82F |. E8 F87F0000 call 0047782C
0046F834 |. 8D55 D8 lea edx, dword ptr [ebp-28] ; store the name text under "Value2"
0046F837 |. 8B83 68030000 mov eax, dword ptr [ebx+368]
0046F83D |. E8 F698FDFF call 00449138
0046F842 |. 8B55 D8 mov edx, dword ptr [ebp-28]
0046F845 |. B8 40F94600 mov eax, 0046F940 ; ASCII "Value2"
0046F84A |. E8 DD7F0000 call 0047782C
0046F84F |. A1 14AB4700 mov eax, dword ptr [47AB14] ; 3-part concat (edx = 3): [[47AB14]] + string at 0046F950 + name text -> [ebp-2C]
0046F854 |. FF30 push dword ptr [eax]
0046F856 |. 68 50F94600 push 0046F950
0046F85B |. 8D55 D0 lea edx, dword ptr [ebp-30]
0046F85E |. 8B83 68030000 mov eax, dword ptr [ebx+368]
0046F864 |. E8 CF98FDFF call 00449138
0046F869 |. FF75 D0 push dword ptr [ebp-30]
0046F86C |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0046F86F |. BA 03000000 mov edx, 3
0046F874 |. E8 BB53F9FF call 00404C34
0046F879 |. 8B55 D4 mov edx, dword ptr [ebp-2C] ; set it as the text of the control at [[47AE1C]]+480 (call 00449168, presumably SetText)
0046F87C |. A1 1CAE4700 mov eax, dword ptr [47AE1C]
0046F881 |. 8B00 mov eax, dword ptr [eax]
0046F883 |. 8B80 80040000 mov eax, dword ptr [eax+480]
0046F889 |. E8 DA98FDFF call 00449168
0046F88E |. A1 1CAE4700 mov eax, dword ptr [47AE1C] ; clear a byte flag at [[47AE1C]]+559 (meaning not visible here)
0046F893 |. 8B00 mov eax, dword ptr [eax]
0046F895 |. C680 59050000>mov byte ptr [eax+559], 0
0046F89C |. A1 C8AA4700 mov eax, dword ptr [47AAC8] ; show the "success" message object at [[47AAC8]] (call 0043B21C)
0046F8A1 |. 8B00 mov eax, dword ptr [eax]
0046F8A3 |. E8 74B9FCFF call 0043B21C
0046F8A8 |. C783 94020000>mov dword ptr [ebx+294], 1 ; Self.<field +294> := 1 (presumably ModalResult = mrOk)
0046F8B2 |. EB 0C jmp short 0046F8C0
0046F8B4 |> A1 BCAB4700 mov eax, dword ptr [47ABBC] ; mismatch: show the message object at [[47ABBC]]
0046F8B9 |. 8B00 mov eax, dword ptr [eax]
0046F8BB |. E8 5CB9FCFF call 0043B21C
0046F8C0 |> 33C0 xor eax, eax ; common exit: unlink the SEH frame
0046F8C2 |. 5A pop edx
0046F8C3 |. 59 pop ecx
0046F8C4 |. 59 pop ecx
0046F8C5 |. 64:8910 mov dword ptr fs:[eax], edx
0046F8C8 |. 68 1FF94600 push 0046F91F
0046F8CD |> 8D45 D0 lea eax, dword ptr [ebp-30] ; finally block: release each local string (00404048B0 = single, 004048D4 with edx = count for a run of slots)
0046F8D0 |. E8 DB4FF9FF call 004048B0
0046F8D5 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0046F8D8 |. E8 D34FF9FF call 004048B0
0046F8DD |. 8D45 D8 lea eax, dword ptr [ebp-28]
0046F8E0 |. E8 CB4FF9FF call 004048B0
0046F8E5 |. 8D45 DC lea eax, dword ptr [ebp-24]
0046F8E8 |. BA 04000000 mov edx, 4
0046F8ED |. E8 E24FF9FF call 004048D4
0046F8F2 |. 8D45 EC lea eax, dword ptr [ebp-14]
0046F8F5 |. E8 B64FF9FF call 004048B0
0046F8FA |. 8D45 F0 lea eax, dword ptr [ebp-10]
0046F8FD |. E8 AE4FF9FF call 004048B0
0046F902 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0046F905 |. E8 A64FF9FF call 004048B0
0046F90A |. 8D45 F8 lea eax, dword ptr [ebp-8]
0046F90D |. BA 02000000 mov edx, 2
0046F912 |. E8 BD4FF9FF call 004048D4
0046F917 \. C3 retn
---------------------------------------------------------------------
F8跟一下注册码就在这里出来了,但是我们要分析软件的算法而不是仅仅做个内存注册机
0046F7B4 |. 8B45 EC mov eax, dword ptr [ebp-14] ; 真注册码 FPBD5JHFDMDLJHE7
还记得我们用插件知道软件使用了MD5加密手段,我用飘云阁出的密码学综合工具 ver 2.0 里面的MD5计算模块验证了
0046F781 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx=MD5(注册名)
edx=MD5注册名,但是最终注册码并不是白痴的MD5注册名的32位,而是做了一番转换,下面这个call很可疑,F7跟入看看
0046F796 |. E8 7D760000 call 00476E18 ; 算法,对MD5结果进行转换
-------------------------------------------------------------------------
; Transform routine at 00476E18 (Delphi register convention: edx = input string s, ecx = @result).
; With half = Length(s) div 2 it emits half characters; for i = 1..half:
;   v = 16 - hexval(s[i]) + hexval(s[2*half + 1 - i])       (first half forward, second half backward)
;   out[i] = v > 9 ? chr(v + 0x37) : chr(v + 0x30)           ('0'..'9', then 'A'..)
; hexval is call 00467BF0 on a one-character string (the author's note says it yields the hex digit value).
00476E18 /$ 55 push ebp
00476E19 |. 8BEC mov ebp, esp
00476E1B |. 83C4 E0 add esp, -20
00476E1E |. 53 push ebx
00476E1F |. 56 push esi
00476E20 |. 57 push edi
00476E21 |. 33DB xor ebx, ebx ; zero the local string slots
00476E23 |. 895D E0 mov dword ptr [ebp-20], ebx
00476E26 |. 895D EC mov dword ptr [ebp-14], ebx
00476E29 |. 895D F8 mov dword ptr [ebp-8], ebx
00476E2C |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = @result
00476E2F |. 8955 FC mov dword ptr [ebp-4], edx ; [ebp-4] = s
00476E32 |. 8B45 FC mov eax, dword ptr [ebp-4] ; add a reference to s (call 00404D64, presumably LStrAddRef)
00476E35 |. E8 2ADFF8FF call 00404D64
00476E3A |. 33C0 xor eax, eax ; try/finally frame; cleanup code at 00476F6D
00476E3C |. 55 push ebp
00476E3D |. 68 6D6F4700 push 00476F6D
00476E42 |. 64:FF30 push dword ptr fs:[eax]
00476E45 |. 64:8920 mov dword ptr fs:[eax], esp
00476E48 |. 8B45 FC mov eax, dword ptr [ebp-4] ; Length(s): a Delphi long string keeps its length in the 4 bytes before the data (nil = 0). NOTE(review): the author read this as a blacklist check; the instruction pattern is the inlined Length(), and the halving below is the digest split
00476E4B |. 85C0 test eax, eax
00476E4D |. 74 05 je short 00476E54
00476E4F |. 83E8 04 sub eax, 4
00476E52 |. 8B00 mov eax, dword ptr [eax]
00476E54 |> D1F8 sar eax, 1 ; half = length div 2 (sar plus adc = signed division)
00476E56 |. 79 03 jns short 00476E5B
00476E58 |. 83D0 00 adc eax, 0
00476E5B |> 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = half
00476E5E |. 8D45 F8 lea eax, dword ptr [ebp-8] ; SetLength(result [ebp-8], half) (call 00404FFC, presumably LStrSetLength)
00476E61 |. 8B55 F0 mov edx, dword ptr [ebp-10]
00476E64 |. E8 93E1F8FF call 00404FFC
00476E69 |. 8B7D F0 mov edi, dword ptr [ebp-10] ; edi = loop counter (half), ebx = i starting at 1
00476E6C |. 85FF test edi, edi
00476E6E |. 0F8E C3000000 jle 00476F37
00476E74 |. BB 01000000 mov ebx, 1
00476E79 |> BA 7C6F4700 /mov edx, 00476F7C ; loop body: build a one-character string from s[i] (short-string helpers 00403240 / 00403210, then 00404B14 to a long string in [ebp-14])
00476E7E |. 8D45 E8 |lea eax, dword ptr [ebp-18]
00476E81 |. E8 BAC3F8FF |call 00403240
00476E86 |. 8D45 E4 |lea eax, dword ptr [ebp-1C]
00476E89 |. 8B55 FC |mov edx, dword ptr [ebp-4]
00476E8C |. 0FB6541A FF |movzx edx, byte ptr [edx+ebx-1] ; s[i], the i-th character of the first half (ebx = 1..half)
00476E91 |. 8850 01 |mov byte ptr [eax+1], dl
00476E94 |. C600 01 |mov byte ptr [eax], 1
00476E97 |. 8D55 E4 |lea edx, dword ptr [ebp-1C]
00476E9A |. 8D45 E8 |lea eax, dword ptr [ebp-18]
00476E9D |. B1 02 |mov cl, 2e ; bytes B1 02 = mov cl, 2 (the "2e" is a transcription slip; same as 00476EEA)
00476E9F |. E8 6CC3F8FF |call 00403210
00476EA4 |. 8D55 E8 |lea edx, dword ptr [ebp-18]
00476EA7 |. 8D45 EC |lea eax, dword ptr [ebp-14]
00476EAA |. E8 65DCF8FF |call 00404B14
00476EAF |. 8B45 EC |mov eax, dword ptr [ebp-14] ; eax = hex value of that character (call 00467BF0, per the author's note)
00476EB2 |. E8 390DFFFF |call 00467BF0
00476EB7 |. BE 10000000 |mov esi, 10 ; esi = 0x10
00476EBC |. 2BF0 |sub esi, eax ; esi = 16 - hexval(s[i])
00476EBE |. BA 7C6F4700 |mov edx, 00476F7C ; same one-character build for the mirrored position
00476EC3 |. 8D45 E8 |lea eax, dword ptr [ebp-18]
00476EC6 |. E8 75C3F8FF |call 00403240
00476ECB |. 8D45 E4 |lea eax, dword ptr [ebp-1C]
00476ECE |. 8B55 F0 |mov edx, dword ptr [ebp-10] ; index = 2*half + 1 - i
00476ED1 |. 03D2 |add edx, edx
00476ED3 |. 42 |inc edx
00476ED4 |. 2BD3 |sub edx, ebx
00476ED6 |. 8B4D FC |mov ecx, dword ptr [ebp-4]
00476ED9 |. 0FB65411 FF |movzx edx, byte ptr [ecx+edx-1] ; character of the second half, taken from the end backwards
00476EDE |. 8850 01 |mov byte ptr [eax+1], dl
00476EE1 |. C600 01 |mov byte ptr [eax], 1
00476EE4 |. 8D55 E4 |lea edx, dword ptr [ebp-1C]
00476EE7 |. 8D45 E8 |lea eax, dword ptr [ebp-18]
00476EEA |. B1 02 |mov cl, 2
00476EEC |. E8 1FC3F8FF |call 00403210
00476EF1 |. 8D55 E8 |lea edx, dword ptr [ebp-18]
00476EF4 |. 8D45 E0 |lea eax, dword ptr [ebp-20]
00476EF7 |. E8 18DCF8FF |call 00404B14
00476EFC |. 8B45 E0 |mov eax, dword ptr [ebp-20]
00476EFF |. E8 EC0CFFFF |call 00467BF0 ; eax = hex value of the mirrored character
00476F04 |. 03F0 |add esi, eax ; esi = 16 - hexval(s[i]) + hexval(s[2*half+1-i])
00476F06 |. 83FE 09 |cmp esi, 9 ; compare with 9
00476F09 |. 7F 13 |jg short 00476F1E
00476F0B |. 8D45 F8 |lea eax, dword ptr [ebp-8] ; make result unique before writing into it (call 00404DCC, presumably UniqueString)
00476F0E |. E8 B9DEF8FF |call 00404DCC
00476F13 |. 8BD6 |mov edx, esi
00476F15 |. 80C2 30 |add dl, 30 ; v + 0x30 -> '0'..'9'
00476F18 |. 885418 FF |mov byte ptr [eax+ebx-1], dl ; result[i]
00476F1C |. EB 11 |jmp short 00476F2F
00476F1E |> 8D45 F8 |lea eax, dword ptr [ebp-8]
00476F21 |. E8 A6DEF8FF |call 00404DCC
00476F26 |. 8BD6 |mov edx, esi
00476F28 |. 80C2 37 |add dl, 37 ; v + 0x37 -> 'A'.. (10 -> 'A')
00476F2B |. 885418 FF |mov byte ptr [eax+ebx-1], dl
00476F2F |> 43 |inc ebx ; next i
00476F30 |. 4F |dec edi
00476F31 |.^ 0F85 42FFFFFF \jnz 00476E79
00476F37 |> 8B45 F4 mov eax, dword ptr [ebp-C] ; *result := [ebp-8] (call 00404904, presumably string assign)
00476F3A |. 8B55 F8 mov edx, dword ptr [ebp-8]
00476F3D |. E8 C2D9F8FF call 00404904
00476F42 |. 33C0 xor eax, eax ; unlink the SEH frame
00476F44 |. 5A pop edx
00476F45 |. 59 pop ecx
00476F46 |. 59 pop ecx
00476F47 |. 64:8910 mov dword ptr fs:[eax], edx
00476F4A |. 68 746F4700 push 00476F74
00476F4F |> 8D45 E0 lea eax, dword ptr [ebp-20] ; finally block: release the local strings (004048B0 single slot, 004048D4 with edx = count)
00476F52 |. E8 59D9F8FF call 004048B0
00476F57 |. 8D45 EC lea eax, dword ptr [ebp-14]
00476F5A |. E8 51D9F8FF call 004048B0
00476F5F |. 8D45 F8 lea eax, dword ptr [ebp-8]
00476F62 |. BA 02000000 mov edx, 2
00476F67 |. E8 68D9F8FF call 004048D4
00476F6C \. C3 retn
---------------------------------------------------------------------------------------
0046F744 /. 55 push ebp本地调用来自 0046F796, 0046F817, 004744BB, 00476C95, 00476D6E
这里下断点重新加载就可以看到黑名单上的名字的MD5值
注册机里面的一个小问题,我上网查了一下资料解决了:
Hex函数和Oct函数返回的都是字符串,如果是想将十六进制或是八进制的字符串变量转换成十进制,可以按如下方法进行:
C = "17"       '17 为十六进制数值的 String
C = "&H" & C
Ic = CInt(C)   '返回 23
ScreenShot2Email 1.0.0.66 注册机VB代码
' Form code of the VB6 key generator described above. Option Explicit makes every variable declaration mandatory.
Option Explicit
' Recomputes the code each time the name in Text1 changes, shows it in Text2 and copies it to the clipboard.
' Mirrors the routine at 00476E18 in the listing above: the upper-case MD5 hex digest of the name is split into two
' 16-character halves; for each position i, 16 - hexval(first half) + hexval(reversed second half) is emitted as
' '0'..'9' (+48) or 'A'.. (+55).
Private Sub Text1_change()
Dim i As Integer, key1 As String, key2 As String, key3 As String, key4 As String, key5 As String
' NOTE(review): j is used below but never declared; with Option Explicit at the top of this form VB6 reports
' "Variable not defined" for this handler until it is added to the Dim line.
key1 = UCase(Md5_String_Calc(Text1.Text)) ' Md5_String_Calc comes from the MD5 module below
key2 = Mid(key1, 1, 16) ' first half of the digest
key3 = StrReverse(Mid(key1, 17, 16)) ' second half of the digest, reversed
key1 = "" ' reused as the output accumulator
For i = 1 To 16
key4 = Mid(key2, i, 1)
key5 = Mid(key3, i, 1)
j = 16
j = j - CInt("&H" & key4) + CInt("&H" & key5) ' the "&H" prefix converts the hex digit to a number
If j > 9 Then
j = j + 55 ' 10 -> "A"
key1 = key1 & Chr(j)
Else
j = j + 48 ' 0 -> "0"
key1 = key1 & Chr(j)
End If
Next i
Text2.Text = key1
Clipboard.Clear
Clipboard.SetText Text2.Text
End Sub
' Quits the program. End terminates immediately, without running the form's Unload/QueryUnload handlers.
Private Sub Command2_Click()
End
End Sub
VB MD5 模块代码
' VB6 MD5 module (RFC 1321) used by the key generator above. The hash state and the block buffer are
' module-level variables, so only one hash can be in progress at a time (the module is not reentrant).
Option Explicit
Private Const OFFSET_4 = 4294967296# ' 2^32: folds unsigned 32-bit values into / out of a signed Long
Private Const MAXINT_4 = 2147483647 ' largest positive Long
Private State(4) As Long ' chaining values A, B, C, D in State(1)..State(4); State(0) is unused
Private ByteCounter As Long ' total bytes absorbed so far; ByteCounter Mod 64 = bytes pending in ByteBuffer
Private ByteBuffer(63) As Byte ' the 64-byte block currently being filled
' Per-round left-rotation amounts (RFC 1321 section 3.4): S1x round 1, S2x round 2, S3x round 3, S4x round 4
Private Const S11 = 7
Private Const S12 = 12
Private Const S13 = 17
Private Const S14 = 22
Private Const S21 = 5
Private Const S22 = 9
Private Const S23 = 14
Private Const S24 = 20
Private Const S31 = 4
Private Const S32 = 11
Private Const S33 = 16
Private Const S34 = 23
Private Const S41 = 6
Private Const S42 = 10
Private Const S43 = 15
Private Const S44 = 21
' Chaining value A of the current hash state, as a decimal string.
Property Get RegisterA() As String
    RegisterA = CStr(State(1))
End Property
' Chaining value B of the current hash state, as a decimal string.
Property Get RegisterB() As String
    RegisterB = CStr(State(2))
End Property
' Chaining value C of the current hash state, as a decimal string.
Property Get RegisterC() As String
    RegisterC = CStr(State(3))
End Property
' Chaining value D of the current hash state, as a decimal string.
Property Get RegisterD() As String
    RegisterD = CStr(State(4))
End Property
' MD5 digest of SourceString as 32 upper-case hex characters. The string is hashed in its
' ANSI (StrConv vbFromUnicode) byte form, so the result depends on the system code page for non-ASCII text.
Public Function Md5_String_Calc(SourceString As String) As String
    Dim bytMessage() As Byte, lngLength As Long
    lngLength = LenB(StrConv(SourceString, vbFromUnicode))
    bytMessage = StringToArray(SourceString)
    MD5Init
    MD5Update lngLength, bytMessage
    MD5Final
    Md5_String_Calc = GetValues
End Function
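' MD5 digest of the file InFile as 32 upper-case hex characters, or "" if the file cannot be
' opened or read. The file is streamed in 64-byte chunks through MD5Update, which handles
' partial chunks itself; this also hashes files whose size is an exact multiple of 64 correctly
' (the previous loop skipped the transform of the final full block in that case).
Public Function Md5_File_Calc(InFile As String) As String
    On Error GoTo errorhandler
    Dim FileO As Integer, lngSize As Long, lngPos As Long, lngChunk As Long
    Dim bytChunk(63) As Byte
    lngSize = FileLen(InFile) ' raises error 53 for a missing file, which routes to errorhandler
    FileO = FreeFile
    Open InFile For Binary Access Read As #FileO
    MD5Init
    lngPos = 0
    Do While lngPos < lngSize
        lngChunk = lngSize - lngPos
        If lngChunk > 64 Then lngChunk = 64
        Get #FileO, , bytChunk ' a short final read leaves stale bytes beyond lngChunk; MD5Update ignores them
        MD5Update lngChunk, bytChunk
        lngPos = lngPos + lngChunk
    Loop
    Close #FileO
    MD5Final
    Md5_File_Calc = GetValues
    Exit Function
errorhandler:
    Md5_File_Calc = ""
    On Error Resume Next ' best effort: release the handle if the file was already open
    Close #FileO
End Function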
' ANSI byte array of InString (StrConv vbFromUnicode). The ReDim only sizes a placeholder; the
' StrConv assignment then replaces the whole array with one of exactly the converted length.
Private Function StringToArray(InString As String) As Byte()
    Dim bytResult() As Byte
    ReDim bytResult(LenB(StrConv(InString, vbFromUnicode)))
    bytResult = StrConv(InString, vbFromUnicode)
    StringToArray = bytResult
End Function
' Current digest: the four chaining values A..D, each rendered as 8 little-endian hex characters, concatenated.
Public Function GetValues() As String
    Dim intReg As Integer, strDigest As String
    For intReg = 1 To 4
        strDigest = strDigest & LongToString(State(intReg))
    Next intReg
    GetValues = strDigest
End Function
' Hex text of Num's four bytes in little-endian order (least significant byte first), two upper-case
' digits per byte, e.g. &H01020304 -> "04030201". The top byte is extracted through &H7F000000 when Num
' is negative so the integer division never produces a negative value, which could not be stored in a Byte.
Private Function LongToString(Num As Long) As String
    Dim bytByte0 As Byte, bytByte1 As Byte, bytByte2 As Byte, bytByte3 As Byte
    bytByte0 = Num And &HFF&
    bytByte1 = (Num And &HFF00&) \ 256
    bytByte2 = (Num And &HFF0000) \ 65536
    If Num < 0 Then
        bytByte3 = ((Num And &H7F000000) \ 16777216) Or &H80&
    Else
        bytByte3 = (Num And &HFF000000) \ 16777216
    End If
    LongToString = TwoHexDigits(bytByte0) & TwoHexDigits(bytByte1) & TwoHexDigits(bytByte2) & TwoHexDigits(bytByte3)
End Function

' Hex(Value) left-padded with "0" to exactly two characters.
Private Function TwoHexDigits(Value As Byte) As String
    TwoHexDigits = Right$("0" & Hex$(Value), 2)
End Function
' Resets the byte count and loads the RFC 1321 initial chaining values A, B, C, D.
' The hex literals are the same 32-bit patterns as 1732584193, 4023233417, 2562383102 and 271733878
' folded into a signed Long, so no conversion through UnsignedToLong is needed.
Public Sub MD5Init()
    ByteCounter = 0
    State(1) = &H67452301
    State(2) = &HEFCDAB89
    State(3) = &H98BADCFE
    State(4) = &H10325476
End Sub
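' Finishes the hash (RFC 1321 sections 3.1-3.2): appends the 0x80 terminator, zero padding up to
' 56 bytes mod 64, then the message length in bits as a 64-bit little-endian integer.
' The pad length is derived from the pending byte count (ByteCounter Mod 64), not from ByteCounter
' itself, and is forced into 1..64 so the 0x80 byte is always written - computing 120 - ByteCounter
' went negative for messages longer than 64 bytes with 57..63 bytes pending, and a message with
' exactly 56 bytes pending received no terminator at all. The length bytes are taken from the
' Double bit count directly so a byte count of 2^28 or more does not pass through a negative Long.
Public Sub MD5Final()
    Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long, lngPadLen As Long, intIdx As Integer
    dblBits = ByteCounter * 8# ' captured before the padding is absorbed, which changes ByteCounter
    lngBytesBuffered = ByteCounter Mod 64
    lngPadLen = 56 - lngBytesBuffered
    If lngPadLen <= 0 Then lngPadLen = lngPadLen + 64 ' at least 1 byte, at most 64
    padding(0) = &H80 ' the rest of padding() is zero-initialised
    MD5Update lngPadLen, padding
    ' 64-bit little-endian bit length; dblBits is an exact integer for any Long ByteCounter
    For intIdx = 0 To 7
        padding(intIdx) = CByte(dblBits - 256# * Int(dblBits / 256#))
        dblBits = Int(dblBits / 256#)
    Next intIdx
    MD5Update 8, padding
End Sub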
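' Absorbs InputLen bytes of InputBuffer (from index 0) into the running hash. Bytes are gathered in
' ByteBuffer; every time it holds 64 bytes the block is compressed with MD5Transform, and leftover
' bytes stay in ByteBuffer for the next call. InputLen <= 0 is a no-op.
' The earlier implementation computed the number of full blocks as InputLen - remaining - (InputLen Mod 64),
' which miscounted whenever ByteBuffer was partly filled on entry (e.g. 10 bytes pending and 118 new bytes
' left a full, untransformed block behind); this version just fills and flushes one block at a time.
Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte)
    Dim lngBuffered As Long, lngPos As Long, lngTake As Long, lngIdx As Long
    If InputLen <= 0 Then Exit Sub
    lngBuffered = ByteCounter Mod 64 ' bytes already pending in ByteBuffer
    ByteCounter = ByteCounter + InputLen
    lngPos = 0
    Do While lngPos < InputLen
        lngTake = 64 - lngBuffered ' room left in the current block
        If lngTake > InputLen - lngPos Then lngTake = InputLen - lngPos
        For lngIdx = 0 To lngTake - 1
            ByteBuffer(lngBuffered + lngIdx) = InputBuffer(lngPos + lngIdx)
        Next lngIdx
        lngBuffered = lngBuffered + lngTake
        lngPos = lngPos + lngTake
        If lngBuffered = 64 Then
            MD5Transform ByteBuffer
            lngBuffered = 0
        End If
    Loop
End Sub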
' Compresses one 64-byte block (Buffer) into State(1..4), RFC 1321 section 3.4: the chaining values are
' copied into A, B, C, d, the block is split into 16 little-endian words X(0..15), four rounds of 16
' steps run (FF, GG, HH, II with the per-round shifts S1x..S4x), and the results are added back
' modulo 2^32. The constants are the RFC's T[i] = floor(2^32 * abs(sin(i))) written as signed Longs.
Private Sub MD5Transform(Buffer() As Byte)
Dim X(16) As Long, A As Long, B As Long, C As Long, d As Long
A = State(1)
B = State(2)
C = State(3)
d = State(4)
Decode 64, X, Buffer
' Round 1: F(B,C,d) = (B And C) Or (Not B And d); words in order; shifts 7,12,17,22
FF A, B, C, d, X(0), S11, -680876936
FF d, A, B, C, X(1), S12, -389564586
FF C, d, A, B, X(2), S13, 606105819
FF B, C, d, A, X(3), S14, -1044525330
FF A, B, C, d, X(4), S11, -176418897
FF d, A, B, C, X(5), S12, 1200080426
FF C, d, A, B, X(6), S13, -1473231341
FF B, C, d, A, X(7), S14, -45705983
FF A, B, C, d, X(8), S11, 1770035416
FF d, A, B, C, X(9), S12, -1958414417
FF C, d, A, B, X(10), S13, -42063
FF B, C, d, A, X(11), S14, -1990404162
FF A, B, C, d, X(12), S11, 1804603682
FF d, A, B, C, X(13), S12, -40341101
FF C, d, A, B, X(14), S13, -1502002290
FF B, C, d, A, X(15), S14, 1236535329
' Round 2: G(B,C,d) = (B And d) Or (C And Not d); word index (5i+1) mod 16; shifts 5,9,14,20
GG A, B, C, d, X(1), S21, -165796510
GG d, A, B, C, X(6), S22, -1069501632
GG C, d, A, B, X(11), S23, 643717713
GG B, C, d, A, X(0), S24, -373897302
GG A, B, C, d, X(5), S21, -701558691
GG d, A, B, C, X(10), S22, 38016083
GG C, d, A, B, X(15), S23, -660478335
GG B, C, d, A, X(4), S24, -405537848
GG A, B, C, d, X(9), S21, 568446438
GG d, A, B, C, X(14), S22, -1019803690
GG C, d, A, B, X(3), S23, -187363961
GG B, C, d, A, X(8), S24, 1163531501
GG A, B, C, d, X(13), S21, -1444681467
GG d, A, B, C, X(2), S22, -51403784
GG C, d, A, B, X(7), S23, 1735328473
GG B, C, d, A, X(12), S24, -1926607734
' Round 3: H(B,C,d) = B Xor C Xor d; word index (3i+5) mod 16; shifts 4,11,16,23
HH A, B, C, d, X(5), S31, -378558
HH d, A, B, C, X(8), S32, -2022574463
HH C, d, A, B, X(11), S33, 1839030562
HH B, C, d, A, X(14), S34, -35309556
HH A, B, C, d, X(1), S31, -1530992060
HH d, A, B, C, X(4), S32, 1272893353
HH C, d, A, B, X(7), S33, -155497632
HH B, C, d, A, X(10), S34, -1094730640
HH A, B, C, d, X(13), S31, 681279174
HH d, A, B, C, X(0), S32, -358537222
HH C, d, A, B, X(3), S33, -722521979
HH B, C, d, A, X(6), S34, 76029189
HH A, B, C, d, X(9), S31, -640364487
HH d, A, B, C, X(12), S32, -421815835
HH C, d, A, B, X(15), S33, 530742520
HH B, C, d, A, X(2), S34, -995338651
' Round 4: I(B,C,d) = C Xor (B Or Not d); word index (7i) mod 16; shifts 6,10,15,21
II A, B, C, d, X(0), S41, -198630844
II d, A, B, C, X(7), S42, 1126891415
II C, d, A, B, X(14), S43, -1416354905
II B, C, d, A, X(5), S44, -57434055
II A, B, C, d, X(12), S41, 1700485571
II d, A, B, C, X(3), S42, -1894986606
II C, d, A, B, X(10), S43, -1051523
II B, C, d, A, X(1), S44, -2054922799
II A, B, C, d, X(8), S41, 1873313359
II d, A, B, C, X(15), S42, -30611744
II C, d, A, B, X(6), S43, -1560198380
II B, C, d, A, X(13), S44, 1309151649
II A, B, C, d, X(4), S41, -145523070
II d, A, B, C, X(11), S42, -1120210379
II C, d, A, B, X(2), S43, 718787259
II B, C, d, A, X(9), S44, -343485551
' add this block's result to the chaining state (mod 2^32)
State(1) = LongOverflowAdd(State(1), A)
State(2) = LongOverflowAdd(State(2), B)
State(3) = LongOverflowAdd(State(3), C)
State(4) = LongOverflowAdd(State(4), d)
End Sub
' Unpacks Length bytes of InputBuffer into little-endian 32-bit words, four bytes per word, starting
' at OutputBuffer(0). Each word is summed in a Double so the top byte cannot overflow a Long before
' UnsignedToLong folds it into the signed range.
Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte)
    Dim intWordIndex As Integer, intByteIndex As Integer, dblWord As Double
    intWordIndex = 0
    intByteIndex = 0
    Do While intByteIndex <= Length - 1
        dblWord = InputBuffer(intByteIndex) _
                + InputBuffer(intByteIndex + 1) * 256# _
                + InputBuffer(intByteIndex + 2) * 65536# _
                + InputBuffer(intByteIndex + 3) * 16777216#
        OutputBuffer(intWordIndex) = UnsignedTo3Long_Placeholder_Never_Used(dblWord)
        intWordIndex = intWordIndex + 1
        intByteIndex = intByteIndex + 4
    Loop
End Sub
' Round-1 step: A := B + rotl(A + F(B,C,d) + X + ac, S) with F = (B And C) Or (Not B And d).
' The result is returned through the ByRef argument A (the function value is unused by the callers).
Private Function FF(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long
    Dim lngStep As Long
    lngStep = LongOverflowAdd4(A, (B And C) Or ((Not B) And d), X, ac)
    lngStep = LongLeftRotate(lngStep, S)
    A = LongOverflowAdd(lngStep, B)
End Function
' Round-2 step: A := B + rotl(A + G(B,C,d) + X + ac, S) with G = (B And d) Or (C And Not d).
' The result is returned through the ByRef argument A (the function value is unused by the callers).
Private Function GG(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long
    Dim lngStep As Long
    lngStep = LongOverflowAdd4(A, (B And d) Or (C And (Not d)), X, ac)
    lngStep = LongLeftRotate(lngStep, S)
    A = LongOverflowAdd(lngStep, B)
End Function
' Round-3 step: A := B + rotl(A + H(B,C,d) + X + ac, S) with H = B Xor C Xor d.
' The result is returned through the ByRef argument A (the function value is unused by the callers).
Private Function HH(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long
    Dim lngStep As Long
    lngStep = LongOverflowAdd4(A, B Xor C Xor d, X, ac)
    lngStep = LongLeftRotate(lngStep, S)
    A = LongOverflowAdd(lngStep, B)
End Function
' Round-4 step: A := B + rotl(A + I(B,C,d) + X + ac, S) with I = C Xor (B Or Not d).
' The result is returned through the ByRef argument A (the function value is unused by the callers).
Private Function II(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long
    Dim lngStep As Long
    lngStep = LongOverflowAdd4(A, C Xor (B Or (Not d)), X, ac)
    lngStep = LongLeftRotate(lngStep, S)
    A = LongOverflowAdd(lngStep, B)
End Function
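' Rotates the 32-bit pattern in value left by Bits positions. Bits is reduced modulo 32 and a negative
' count is normalised into 0..31. The rotation is done one bit at a time to stay inside VB6's signed
' Long: the top two bits are saved, the low 30 bits are doubled (always a non-negative result), then the
' saved bit 30 is put back at bit 31 and the saved bit 31 at bit 0.
' Neither argument is modified; the earlier version wrote Bits Mod 32 back into the ByRef Bits
' parameter, which clobbered a caller's variable.
Function LongLeftRotate(value As Long, Bits As Long) As Long
    Dim lngTopBits As Long, lngStep As Long, lngCount As Long, lngWork As Long
    lngCount = Bits Mod 32
    If lngCount < 0 Then lngCount = lngCount + 32
    lngWork = value
    For lngStep = 1 To lngCount
        lngTopBits = lngWork And &HC0000000 ' bits 31 and 30 before the shift
        lngWork = (lngWork And &H3FFFFFFF) * 2 ' shift bits 0..29 up by one
        If lngTopBits And &H40000000 Then lngWork = lngWork Or &H80000000 ' old bit 30 -> bit 31
        If lngTopBits < 0 Then lngWork = lngWork Or 1 ' old bit 31 -> bit 0
    Next lngStep
    LongLeftRotate = lngWork
End Function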
' (Val1 + Val2) mod 2^32 as a signed Long. The low and high 16-bit halves are added separately so no
' intermediate sum leaves the Long range; the carry out of the low half feeds the high half, and the
' high half is masked back to 16 bits to discard the carry out of bit 31.
Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long
    Dim lngLow As Long, lngHigh As Long
    lngLow = (Val1 And &HFFFF&) + (Val2 And &HFFFF&)
    lngHigh = ((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + (lngLow \ 65536)
    lngHigh = lngHigh And &HFFFF&
    LongOverflowAdd = UnsignedToLong((lngHigh * 65536#) + (lngLow And &HFFFF&))
End Function
' (Val1 + Val2 + val3 + val4) mod 2^32 as a signed Long, using the same split-halves scheme as
' LongOverflowAdd: four 16-bit low halves (at most 4 * 65535) fit comfortably in a Long.
Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long
    Dim lngLow As Long, lngHigh As Long
    lngLow = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) + (val3 And &HFFFF&) + (val4 And &HFFFF&)
    lngHigh = (Val1 And &HFFFF0000) \ 65536
    lngHigh = lngHigh + ((Val2 And &HFFFF0000) \ 65536)
    lngHigh = lngHigh + ((val3 And &HFFFF0000) \ 65536)
    lngHigh = lngHigh + ((val4 And &HFFFF0000) \ 65536)
    lngHigh = (lngHigh + (lngLow \ 65536)) And &HFFFF&
    LongOverflowAdd4 = UnsignedToLong((lngHigh * 65536#) + (lngLow And &HFFFF&))
End Function
' Reinterprets an unsigned 32-bit value (held in a Double, 0 <= value < 2^32) as a signed Long by
' subtracting 2^32 from values above the positive Long range. Raises run-time error 6 (Overflow)
' for values outside 0 .. 2^32-1.
Private Function UnsignedToLong(value As Double) As Long
    If value < 0 Or value >= OFFSET_4 Then Error 6
    If value > MAXINT_4 Then
        UnsignedToLong = value - OFFSET_4
    Else
        UnsignedToLong = value
    End If
End Function
' Inverse of UnsignedToLong: the unsigned 32-bit value (0 .. 2^32-1, as a Double) whose bit pattern
' equals the signed Long value. Not called elsewhere in this module.
Private Function LongToUnsigned(value As Long) As Double
    Dim dblResult As Double
    dblResult = value
    If value < 0 Then dblResult = dblResult + OFFSET_4
    LongToUnsigned = dblResult
End Function
--------------------------------------------------------------------------------
【经验总结】
算法总结:key1=MD5注册名 分成16位长的两部分,key2=前面的16位,key3=逆序后面的16位
esi=16
esi=esi-(key2 第 i 位十六进制字符对应的数值)
esi=esi+(key3 第 i 位十六进制字符对应的数值)
if esi>9
注册码=注册码 & chr(esi+55)
else
注册码=注册码 & chr(esi+48)
end if
程序启动时还有对黑名单的检测,估计是泄露出去的一些注册码被封杀了
本来想给文章以xss517的菜鸟破解手札系列为标题的,后来想了一下还是改成ScreenShot2Email 1.0.066 算法分析了
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
2008年01月26日 16:58:37
- 标 题:ScreenShot2Email 1.0.066 算法分析
- 作 者:xss
- 时 间:2008-01-26 17:03
- 链 接:http://bbs.pediy.com/showthread.php?t=58939