AIMPR算法注册码分析
AIMPR简介:elcomsoft公司产品,用来恢复保存在本地的多种即时消息的密码,呵呵
说明:水平很差,共享出来只是想和大家交流,高手见笑了
背景: 软件以前有壳的,两年前脱的壳,好像用的什么工具,没有什么技术可谈,略去,附件中是脱过壳的
0041DF80 /$ 51 push ecx
0041DF81 |. 53 push ebx
0041DF82 |. 55 push ebp
0041DF83 |. 56 push esi
0041DF84 |. 57 push edi
0041DF85 |. 68 02030000 push 302 ; /MemSize = 302 (770.)
0041DF8A |. 6A 42 push 42 ; |Flags = GHND
0041DF8C |. FF15 1C914200 call dword ptr [<&kernel32.GlobalAlloc>] ; \GlobalAlloc
0041DF92 |. 50 push eax ; /hMem
0041DF93 |. 894424 14 mov dword ptr [esp+14], eax ; |
0041DF97 |. FF15 20914200 call dword ptr [<&kernel32.GlobalLock>] ; \GlobalLock
0041DF9D |. 8B7C24 1C mov edi, dword ptr [esp+1C]
0041DFA1 |. 8BD0 mov edx, eax
0041DFA3 |. 83C9 FF or ecx, FFFFFFFF
0041DFA6 |. 33C0 xor eax, eax
0041DFA8 |. F2:AE repne scas byte ptr es:[edi]
0041DFAA |. F7D1 not ecx
0041DFAC |. 2BF9 sub edi, ecx
0041DFAE |. 8D9A 00010000 lea ebx, dword ptr [edx+100]
0041DFB4 |. 8BC1 mov eax, ecx
0041DFB6 |. 8BF7 mov esi, edi
0041DFB8 |. 8BFA mov edi, edx
0041DFBA |. 52 push edx ; /lParam
0041DFBB |. C1E9 02 shr ecx, 2 ; |
0041DFBE |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; |
0041DFC0 |. 8BC8 mov ecx, eax ; |
0041DFC2 |. 33C0 xor eax, eax ; |
0041DFC4 |. 83E1 03 and ecx, 3 ; |
0041DFC7 |. 68 80DE4100 push 0041DE80 ; |DlgProc = _AIMPR.0041DE80
0041DFCC |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; |
0041DFCE |. 8B7C24 28 mov edi, dword ptr [esp+28] ; |
0041DFD2 |. 83C9 FF or ecx, FFFFFFFF ; |
0041DFD5 |. F2:AE repne scas byte ptr es:[edi] ; |
0041DFD7 |. F7D1 not ecx ; |
0041DFD9 |. 2BF9 sub edi, ecx ; |
0041DFDB |. 8BC1 mov eax, ecx ; |
0041DFDD |. 8BF7 mov esi, edi ; |
0041DFDF |. 8BFB mov edi, ebx ; |
0041DFE1 |. 8D9A 00020000 lea ebx, dword ptr [edx+200] ; |
0041DFE7 |. C1E9 02 shr ecx, 2 ; |
0041DFEA |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; |
0041DFEC |. 8BC8 mov ecx, eax ; |
0041DFEE |. 33C0 xor eax, eax ; |
0041DFF0 |. 83E1 03 and ecx, 3 ; |
0041DFF3 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; |
0041DFF5 |. 8B7C24 2C mov edi, dword ptr [esp+2C] ; |
0041DFF9 |. 83C9 FF or ecx, FFFFFFFF ; |
0041DFFC |. F2:AE repne scas byte ptr es:[edi] ; |
0041DFFE |. F7D1 not ecx ; |
0041E000 |. 2BF9 sub edi, ecx ; |
0041E002 |. 8BC1 mov eax, ecx ; |
0041E004 |. 8BF7 mov esi, edi ; |
0041E006 |. 8BFB mov edi, ebx ; |
0041E008 |. C1E9 02 shr ecx, 2 ; |
0041E00B |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; |
0041E00D |. 8BC8 mov ecx, eax ; |
0041E00F |. 83E1 03 and ecx, 3 ; |
0041E012 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; |
0041E014 |. 66:8B4C24 30 mov cx, word ptr [esp+30] ; |
0041E019 |. 66:898A 00030>mov word ptr [edx+300], cx ; |弹出密码框
0041E020 |. 8B5424 20 mov edx, dword ptr [esp+20] ; |
0041E024 |. 52 push edx ; |hOwner
0041E025 |. 68 30724300 push 00437230 ; |pTemplate = "INPUT"
0041E02A |. 6A 00 push 0 ; |/pModule = NULL
0041E02C |. FF15 E8904200 call dword ptr [<&kernel32.GetModuleHandleA>] ; |\GetModuleHandleA
0041E032 |. 50 push eax ; |hInst
0041E033 |. FF15 CC924200 call dword ptr [<&user32.DialogBoxParamA>] ; \DialogBoxParamA
0041E039 |. 8BE8 mov ebp, eax ; 这里截获输入密码的对话框
0041E03B |. 83FD 01 cmp ebp, 1
0041E03E |. 75 29 jnz short 0041E069
0041E040 |. 8B5424 24 mov edx, dword ptr [esp+24]
0041E044 |. 85D2 test edx, edx
0041E046 |. 74 2B je short 0041E073
0041E048 |. 8BFB mov edi, ebx ; ebx 获取密码
0041E04A |. 83C9 FF or ecx, FFFFFFFF
0041E04D |. 33C0 xor eax, eax
0041E04F |. F2:AE repne scas byte ptr es:[edi]
0041E051 |. F7D1 not ecx
0041E053 |. 2BF9 sub edi, ecx
0041E055 |. 8BC1 mov eax, ecx
0041E057 |. 8BF7 mov esi, edi
0041E059 |. 8BFA mov edi, edx
0041E05B |. C1E9 02 shr ecx, 2
0041E05E |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0041E060 |. 8BC8 mov ecx, eax
0041E062 |. 83E1 03 and ecx, 3
0041E065 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0041E067 |. EB 0A jmp short 0041E073
0041E069 |> 83FD FF cmp ebp, -1
0041E06C |. 75 05 jnz short 0041E073
0041E06E |. BD 02000000 mov ebp, 2
0041E073 |> 8B7424 10 mov esi, dword ptr [esp+10]
0041E077 |. 56 push esi ; /hMem
0041E078 |. FF15 18914200 call dword ptr [<&kernel32.GlobalUnlock>] ; \GlobalUnlock
0041E07E |. 56 push esi ; /hMem
0041E07F |. FF15 28914200 call dword ptr [<&kernel32.GlobalFree>] ; \GlobalFree
0041E085 |. 5F pop edi
0041E086 |. 8BC5 mov eax, ebp
0041E088 |. 5E pop esi
0041E089 |. 5D pop ebp
0041E08A |. 5B pop ebx
0041E08B |. 59 pop ecx
0041E08C \. C3 retn
0041DBF0 /$ 83EC 6C sub esp, 6C
0041DBF3 |. 83C9 FF or ecx, FFFFFFFF
0041DBF6 |. 33C0 xor eax, eax
0041DBF8 |. 53 push ebx
0041DBF9 |. 55 push ebp
0041DBFA |. 8B6C24 78 mov ebp, dword ptr [esp+78]
0041DBFE |. 57 push edi
0041DBFF |. 8BFD mov edi, ebp
0041DC01 |. F2:AE repne scas byte ptr es:[edi]
0041DC03 |. F7D1 not ecx
0041DC05 |. 49 dec ecx
0041DC06 |. 83F9 06 cmp ecx, 6 ; 注册码长度和6比较 小于则错
0041DC09 |. 7D 07 jge short 0041DC12
0041DC0B |. 5F pop edi
0041DC0C |. 5D pop ebp
0041DC0D |. 5B pop ebx
0041DC0E |. 83C4 6C add esp, 6C
0041DC11 |. C3 retn
0041DC12 |> 81E1 01000080 and ecx, 80000001 ; 注册码位数为奇数则错
0041DC18 |. 79 05 jns short 0041DC1F
0041DC1A |. 49 dec ecx
0041DC1B |. 83C9 FE or ecx, FFFFFFFE
0041DC1E |. 41 inc ecx
0041DC1F |> 74 09 je short 0041DC2A
0041DC21 |. 5F pop edi
0041DC22 |. 5D pop ebp
0041DC23 |. 33C0 xor eax, eax
0041DC25 |. 5B pop ebx
0041DC26 |. 83C4 6C add esp, 6C
0041DC29 |. C3 retn
0041DC2A |> 8BFD mov edi, ebp
0041DC2C |. 83C9 FF or ecx, FFFFFFFF
0041DC2F |. 33C0 xor eax, eax
0041DC31 |. 56 push esi
0041DC32 |. F2:AE repne scas byte ptr es:[edi]
0041DC34 |. F7D1 not ecx
0041DC36 |. 49 dec ecx
0041DC37 |. 8D4424 20 lea eax, dword ptr [esp+20]
0041DC3B |. 8BD9 mov ebx, ecx
0041DC3D |. 50 push eax
0041DC3E |. 83C3 04 add ebx, 4 ; 注册码长度加4
0041DC41 |. D1EB shr ebx, 1 ; 注册码长度除以2
0041DC43 |. E8 08ECFFFF call 0041C850 ; md5 初始化
0041DC48 |. 53 push ebx
0041DC49 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0041DC4D |. 55 push ebp
0041DC4E |. 51 push ecx
0041DC4F |. E8 2CECFFFF call 0041C880
0041DC54 |. 8D5424 30 lea edx, dword ptr [esp+30]
0041DC58 |. 8D4424 20 lea eax, dword ptr [esp+20]
0041DC5C |. 52 push edx
0041DC5D |. 50 push eax
0041DC5E |. E8 ADFCFFFF call 0041D910 ; 计算 (strlen("helloworld")+4)/2 的md5值
0041DC63 |. 83C4 18 add esp, 18
0041DC66 |. B9 04000000 mov ecx, 4
0041DC6B |. BF 68714300 mov edi, 00437168
0041DC70 |. 8D7424 10 lea esi, dword ptr [esp+10]
0041DC74 |. 33D2 xor edx, edx
0041DC76 |. F3:A7 repe cmps dword ptr es:[edi], dword ptr [esi] ; 同 437168处的4位值值比较,相等则注册码正确
0041DC78 |. 5E pop esi
0041DC79 |. 74 09 je short 0041DC84
0041DC7B |. 5F pop edi
0041DC7C |. 5D pop ebp
0041DC7D |. 33C0 xor eax, eax
0041DC7F |. 5B pop ebx
0041DC80 |. 83C4 6C add esp, 6C
0041DC83 |. C3 retn
0041DC84 |> \8D4424 1C lea eax, dword ptr [esp+1C]
0041DC88 |. 50 push eax
0041DC89 |. E8 C2EBFFFF call 0041C850 ; 奶奶的,又来了,md5_init
0041DC8E |. 8BFD mov edi, ebp
0041DC90 |. 83C9 FF or ecx, FFFFFFFF
0041DC93 |. 33C0 xor eax, eax
0041DC95 |. F2:AE repne scas byte ptr es:[edi]
0041DC97 |. F7D1 not ecx
0041DC99 |. 49 dec ecx
0041DC9A |. 51 push ecx
0041DC9B |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0041DC9F |. 55 push ebp
0041DCA0 |. 51 push ecx
0041DCA1 |. E8 DAEBFFFF call 0041C880 ; md5_update,注意,这次是整个注册码
0041DCA6 |. 8D5424 2C lea edx, dword ptr [esp+2C]
0041DCAA |. 8D4424 1C lea eax, dword ptr [esp+1C]
0041DCAE |. 52 push edx
0041DCAF |. 50 push eax
0041DCB0 |. E8 5BFCFFFF call 0041D910 ; md5_Final
0041DCB5 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
0041DCB9 |. 51 push ecx
0041DCBA |. E8 C1FEFFFF call 0041DB80 ; md5与取自资源的保存值比较(资源类型:RT_RCDATA,DB)
0041DCBF |. 83C4 1C add esp, 1C
0041DCC2 |. 85C0 test eax, eax ; 一致则认为注册成功
0041DCC4 75 07 jnz short 0041DCCD
0041DCC6 |. 5F pop edi
0041DCC7 |. 5D pop ebp
0041DCC8 |. 5B pop ebx
0041DCC9 |. 83C4 6C add esp, 6C
0041DCCC |. C3 retn
0041DCCD |> A1 60BE4300 mov eax, dword ptr [43BE60]
0041DCD2 |. 85C0 test eax, eax
0041DCD4 |. 75 14 jnz short 0041DCEA
0041DCD6 |. 53 push ebx
0041DCD7 |. 55 push ebp
0041DCD8 |. E8 03FEFFFF call 0041DAE0
0041DCDD |. 83C4 08 add esp, 8
0041DCE0 |. C705 60BE4300>mov dword ptr [43BE60], 1
0041DCEA |> 5F pop edi
0041DCEB |. 5D pop ebp
0041DCEC |. B8 01000000 mov eax, 1 ; 成功
0041DCF1 |. 5B pop ebx
0041DCF2 |. 83C4 6C add esp, 6C
0041DCF5 \. C3 retn
软件注册过程:
1.输入注册码
2.比较注册位数是否小于6,小于则直接错误
3.测试注册码位数是否是偶数,不是则直接错误
4.注册码长度加4 除以2, 取注册其长度,如:假注册码为"helloworld", 则取其"hellowo";
5.计算"hellowo"的md5值
6.取内存437168处的值(固定值),同时与"hellowo"md5值比较, 成功则继续,否则失败.
7. 再来一次md5,这次是整个注册码的md5,即"helloworld"
8. 取得(RT_RCdata,DB)资源数据,在此资源数据中寻找第七步计算的md5值,找到则认为注册成功
9. 返回,开启软件所有功能,注册版本可用
比较遗憾的是,我不能找到一个有效的注册码,除非去穷举md5了, 爆破的点有很多处,不过爆破就没啥意思了. 逆向是一个学习的过程,共享出来大家讨论一下也好
顺便请教各位大侠一个问题:它是如何把md5值写入资源的?我对资源一窍不通,还有,象这种注册程序,除了爆破,真的就不能找出有效的注册码吗?
恳请大侠指点。
- 标 题:AIMPR算法注册码分析
- 作 者:arryang
- 时 间:2008-05-24 00:12
- 链 接:http://bbs.pediy.com/showthread.php?t=65354