• 标 题:PictureToTv 程序分析--请前辈指正
  • 作 者:essorg
  • 时 间:004-10-02,16:06
  • 链 接:http://bbs.pediy.com

PictureToTV version1.0

cracker:essorg
tools:language2k探壳,trw2000pll跟踪,c32asm1001截码
level:0

language2k探壳,无壳,VC编程,载入trw2000pll,

运行软件,出现注册界面,点击马上注册。。。到填写注册信息页,用户名及注册码必填,注册码16位(跟踪结果)
用户名:essorg
注册码:7878787878787878
Ctrl + N 呼出TRW,下 bpx hmemcpy,回到程序,点击下一步,中断进入TRW调试窗


017F:00466623 33DB             XOR      EBX,EBX
017F:00466625 8B45EC           MOV      EAX,[EBP-14]
017F:00466628 8B5064           MOV      EDX,[EAX+64]    〈----输入注册码地址;
017F:0046662B 8B4AF8           MOV      ECX,[EDX-08]    〈----输入注册码长度;
017F:0046662E 85C9             TEST     ECX,ECX
017F:00466630 7E2F             JNG      00466661    〈----输入注册码长度为0;
017F:00466632 0FBE041A         MOVSX    EAX,BYTE [EDX+EBX]  〈----
017F:00466636 83F830           CMP      EAX,BYTE +30    〈----
017F:00466639 7C05             JL       00466640    〈----
017F:0046663B 83F839           CMP      EAX,BYTE +39    〈----筛选字符在0-9、
017F:0046663E 7E0A             JNG      0046664A    〈----A-F之间,无效
017F:00466640 83F841           CMP      EAX,BYTE +41    〈----字符删除
017F:00466643 7C17             JL       0046665C    〈----
017F:00466645 83F846           CMP      EAX,BYTE +46    〈----
017F:00466648 7F12             JG       0046665C    〈----
017F:0046664A 8D4DDC           LEA      ECX,[EBP-24]    〈----
017F:0046664D 50               PUSH     EAX
017F:0046664E E899D70D00       CALL     `MFC42!ord_000003AC`
017F:00466653 8B45EC           MOV      EAX,[EBP-14]    〈----恢复
017F:00466656 8B5064           MOV      EDX,[EAX+64]    〈----初始
017F:00466659 8B4AF8           MOV      ECX,[EDX-08]    〈----信息;
017F:0046665C 43               INC      EBX      〈----注册码下一位;
017F:0046665D 3BD9             CMP      EBX,ECX      〈----比较有无筛选完, 
017F:0046665F 7CD1             JL       00466632    〈----没有则继续;
017F:00466661 8B4DDC           MOV      ECX,[EBP-24]    〈----有效注册码地址
017F:00466664 8B41F8           MOV      EAX,[ECX-08]    〈----有效注册码长度
017F:00466667 85C0             TEST     EAX,EAX
017F:00466669 7E4A             JNG      004666B5    〈----有效注册码长度为0,显示注册失败
017F:0046666B 8B45EC           MOV      EAX,[EBP-14]
017F:0046666E 8B4060           MOV      EAX,[EAX+60]    〈----Email地址
017F:00466671 8B50F8           MOV      EDX,[EAX-08]    〈----输入Email长度
017F:00466674 85D2             TEST     EDX,EDX    
017F:00466676 7E3D             JNG      004666B5    〈----空输入,显示注册失败
017F:00466678 51               PUSH     ECX      〈----有效注册码地址(ECX仍为上面取出的[EBP-24])
017F:00466679 50               PUSH     EAX      〈----输入Email地址
017F:0046667A E835FBFFFF       CALL     004661B4    〈----比对核心
017F:0046667F 83C408           ADD      ESP,BYTE +08
017F:00466682 85C0             TEST     EAX,EAX

分析比对核心内容:
#########################################################################################
017F:004661B4 55               PUSH     EBP
017F:004661B5 8BEC             MOV      EBP,ESP
017F:004661B7 6AFF             PUSH     BYTE -01
017F:004661B9 68DCBD5400       PUSH     DWORD 0054BDDC
017F:004661BE 64A100000000     MOV      EAX,`DOSMGR_BackFill_Allowed`
017F:004661C4 50               PUSH     EAX
017F:004661C5 64892500000000   MOV      `DOSMGR_BackFill_Allowed`,ESP
017F:004661CC 81EC9C000000     SUB      ESP,9C
017F:004661D2 8965F0           MOV      [EBP-10],ESP
017F:004661D5 897DE0           MOV      [EBP-20],EDI
017F:004661D8 8975E4           MOV      [EBP-1C],ESI
017F:004661DB 895DE8           MOV      [EBP-18],EBX
017F:004661DE 8D8D58FFFFFF     LEA      ECX,[EBP+FFFFFF58]
017F:004661E4 FF7508           PUSH     DWORD [EBP+08]
017F:004661E7 E8C6D60D00       CALL     `MFC42!ord_00000219`
017F:004661EC C745FC00000000   MOV      DWORD [EBP-04],00
017F:004661F3 8D8D58FFFFFF     LEA      ECX,[EBP+FFFFFF58]
017F:004661F9 E848E20D00       CALL     `MFC42!ord_0000106A`
017F:004661FE 8D8D58FFFFFF     LEA      ECX,[EBP+FFFFFF58]
017F:00466204 6A40             PUSH     BYTE +40
017F:00466206 E889E20D00       CALL     `MFC42!ord_00000ACB`
017F:0046620B 83F8FF           CMP      EAX,BYTE -01
017F:0046620E 7522             JNZ      00466232

017F:00466210 C745FCFFFFFFFF   MOV      DWORD [EBP-04],FFFFFFFF
017F:00466217 8D8D58FFFFFF     LEA      ECX,[EBP+FFFFFF58]
017F:0046621D E8A8D60D00       CALL     `MFC42!ord_00000320`
017F:00466222 33C0             XOR      EAX,EAX
017F:00466224 8B4DF4           MOV      ECX,[EBP-0C]
017F:00466227 64890D00000000   MOV      `DOSMGR_BackFill_Allowed`,ECX
017F:0046622E 8BE5             MOV      ESP,EBP
017F:00466230 5D               POP      EBP
017F:00466231 C3               RET     

017F:00466232 8D8D5CFFFFFF     LEA      ECX,[EBP+FFFFFF5C]
017F:00466238 FF750C           PUSH     DWORD [EBP+0C]
017F:0046623B E872D60D00       CALL     `MFC42!ord_00000219`
017F:00466240 C745FC01000000   MOV      DWORD [EBP-04],01
017F:00466247 8B855CFFFFFF     MOV      EAX,[EBP+FFFFFF5C]    〈----有效注册码地址
017F:0046624D 8B50F8           MOV      EDX,[EAX-08]      〈----有效注册码长度
017F:00466250 83FA10           CMP      EDX,BYTE +10      〈----比较有效注册码是否是16位
017F:00466253 7434             JZ       00466289
017F:00466255 C745FC00000000   MOV      DWORD [EBP-04],00
017F:0046625C 8D8D5CFFFFFF     LEA      ECX,[EBP+FFFFFF5C]
017F:00466262 E863D60D00       CALL     `MFC42!ord_00000320`
017F:00466267 C745FCFFFFFFFF   MOV      DWORD [EBP-04],FFFFFFFF
017F:0046626E 8D8D58FFFFFF     LEA      ECX,[EBP+FFFFFF58]
017F:00466274 E851D60D00       CALL     `MFC42!ord_00000320`
017F:00466279 33C0             XOR      EAX,EAX
017F:0046627B 8B4DF4           MOV      ECX,[EBP-0C]
017F:0046627E 64890D00000000   MOV      `DOSMGR_BackFill_Allowed`,ECX
017F:00466285 8BE5             MOV      ESP,EBP
017F:00466287 5D               POP      EBP
017F:00466288 C3               RET  
   
017F:00466289 8D8D5CFFFFFF     LEA      ECX,[EBP+FFFFFF5C]    〈----前4位返回地址
017F:0046628F 8D8560FFFFFF     LEA      EAX,[EBP+FFFFFF60]
017F:00466295 6A04             PUSH     BYTE +04
017F:00466297 50               PUSH     EAX
017F:00466298 E83FD60D00       CALL     `MFC42!ord_00001021`    〈----取字符串前4位
017F:0046629D C745FC02000000   MOV      DWORD [EBP-04],02
017F:004662A4 8D8D64FFFFFF     LEA      ECX,[EBP+FFFFFF64]
017F:004662AA 8D8560FFFFFF     LEA      EAX,[EBP+FFFFFF60]
017F:004662B0 50               PUSH     EAX
017F:004662B1 E86AD70D00       CALL     `MFC42!ord_00000217`
017F:004662B6 C745FC01000000   MOV      DWORD [EBP-04],01
017F:004662BD C745FC03000000   MOV      DWORD [EBP-04],03
017F:004662C4 8D8D60FFFFFF     LEA      ECX,[EBP+FFFFFF60]
017F:004662CA E8FBD50D00       CALL     `MFC42!ord_00000320`
017F:004662CF 8D8D5CFFFFFF     LEA      ECX,[EBP+FFFFFF5C]
017F:004662D5 8D8568FFFFFF     LEA      EAX,[EBP+FFFFFF68]
017F:004662DB 6A04             PUSH     BYTE +04
017F:004662DD 50               PUSH     EAX
017F:004662DE E823D90D00       CALL     `MFC42!ord_000010B5`
017F:004662E3 C745FC04000000   MOV      DWORD [EBP-04],04
017F:004662EA 8D8D5CFFFFFF     LEA      ECX,[EBP+FFFFFF5C]
017F:004662F0 8D8568FFFFFF     LEA      EAX,[EBP+FFFFFF68]    〈----后12位地址  
017F:004662F6 50               PUSH     EAX
017F:004662F7 E8C8D50D00       CALL     `MFC42!ord_0000035A`
017F:004662FC C745FC03000000   MOV      DWORD [EBP-04],03

017F:00466303 8D8D68FFFFFF     LEA      ECX,[EBP+FFFFFF68]
017F:00466309 E8BCD50D00       CALL     `MFC42!ord_00000320`
017F:0046630E 8D8D6CFFFFFF     LEA      ECX,[EBP+FFFFFF6C]
017F:00466314 6880CF6000       PUSH     DWORD 0060CF80
017F:00466319 E894D50D00       CALL     `MFC42!ord_00000219`
017F:0046631E C745FC05000000   MOV      DWORD [EBP-04],05
017F:00466325 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:0046632B E8C8FFFEFF       CALL     004562F8

[EBP+FFFFFF70]计算标尺内容:
[00A6F4FC]:01 23 45 67 89 AB CD EF - FE DC BA 98 76 54 32 10
[00A6F50C]:E8 00 00 00 00 00 00 00 - 37 38 37 38 65 73 73 6F
[00A6F51C]:72 67 40 31 36 33 2E 63 - 6F 6D 50 69 63 74 75 72
[00A6F52C]:65 54 6F 54 56 F5 A6 00

017F:00466330 8B8564FFFFFF     MOV      EAX,[EBP+FFFFFF64]    〈----前4位地址
017F:00466336 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:0046633C FF70F8           PUSH     DWORD [EAX-08]      〈----前4位字符的长度
017F:0046633F 50               PUSH     EAX
017F:00466340 E8D3F3FEFF       CALL     00455718    -00457E3  根据标尺计算
017F:00466345 8B8558FFFFFF     MOV      EAX,[EBP+FFFFFF58]    〈----Email地址
017F:0046634B 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:00466351 FF70F8           PUSH     DWORD [EAX-08]      〈----Email字符的长度
017F:00466354 50               PUSH     EAX
017F:00466355 E8BEF3FEFF       CALL     00455718
017F:0046635A 8B856CFFFFFF     MOV      EAX,[EBP+FFFFFF6C]    〈----PictureToTV地址
017F:00466360 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:00466366 FF70F8           PUSH     DWORD [EAX-08]      〈----PictureToTV字符的长度
017F:00466369 50               PUSH     EAX
017F:0046636A E8A9F3FEFF       CALL     00455718

017F:0046636F 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:00466375 E88EF4FEFF       CALL     00455808
017F:0046637A 8D8D70FFFFFF     LEA      ECX,[EBP+FFFFFF70]
017F:00466380 E823F5FEFF       CALL     004558A8  将[00A6F4FC]16位数据拷贝到[00B945C0]

[00A6F578]:5A F7 AE 26 73 92 61 70 - C5 86 9F 22 F6 AB 2A 70
标尺偏移6-11(+06..+0B)处的6个字节与偏移0-5处的字节逐字节异或,结果置于偏移0-5处(ECX从0循环到5)
017F:00466385 8945EC           MOV      [EBP-14],EAX  将[00B945C0]16位数据拷贝到[00A6F578]
017F:00466388 33C9             XOR      ECX,ECX
017F:0046638A 8B55EC           MOV      EDX,[EBP-14]      〈----[00A6F578]
017F:0046638D 8A441106         MOV      AL,[ECX+EDX+06]
017F:00466391 300411           XOR      [ECX+EDX],AL
017F:00466394 41               INC      ECX
017F:00466395 83F906           CMP      ECX,BYTE +06
017F:00466398 7CF0             JL       0046638A
标尺偏移12-15(+0C..+0F)处的4个字节与偏移0-3处的字节逐字节异或,结果置于偏移0-3处(ECX从0循环到3)
017F:0046639A 33C9             XOR      ECX,ECX
017F:0046639C 8B55EC           MOV      EDX,[EBP-14]
017F:0046639F 8A44110C         MOV      AL,[ECX+EDX+0C]
017F:004663A3 300411           XOR      [ECX+EDX],AL
017F:004663A6 41               INC      ECX
017F:004663A7 83F904           CMP      ECX,BYTE +04
017F:004663AA 7CF0             JL       0046639C

017F:004663AC 8D4DDC           LEA      ECX,[EBP-24]
017F:004663AF E8F8D40D00       CALL     `MFC42!ord_0000021C`
017F:004663B4 C745FC06000000   MOV      DWORD [EBP-04],06
017F:004663BB 8B7DEC           MOV      EDI,[EBP-14]      〈----返回计算出“计算尺”地址
017F:004663BE 0FB637           MOVZX    ESI,BYTE [EDI]
017F:004663C1 0FB65F01         MOVZX    EBX,BYTE [EDI+01]
017F:004663C5 0FB64F02         MOVZX    ECX,BYTE [EDI+02]
017F:004663C9 0FB65703         MOVZX    EDX,BYTE [EDI+03]
017F:004663CD 0FB64704         MOVZX    EAX,BYTE [EDI+04]
017F:004663D1 0FB67F05         MOVZX    EDI,BYTE [EDI+05]
017F:004663D5 57               PUSH     EDI
017F:004663D6 50               PUSH     EAX
017F:004663D7 8D45DC           LEA      EAX,[EBP-24]
017F:004663DA 52               PUSH     EDX
017F:004663DB 51               PUSH     ECX
017F:004663DC 53               PUSH     EBX
017F:004663DD 56               PUSH     ESI
017F:004663DE 68C0536100       PUSH     DWORD 006153C0
017F:004663E3 50               PUSH     EAX
017F:004663E4 E8EDD40D00       CALL     `MFC42!ord_00000B02`
017F:004663E9 8B45EC           MOV      EAX,[EBP-14]
017F:004663EC 50               PUSH     EAX
017F:004663ED E802D50D00       CALL     `MFC42!ord_00000339`
017F:004663F2 FFB55CFFFFFF     PUSH     DWORD [EBP+FFFFFF5C]    〈----输入后12位注册码地址
017F:004663F8 FF75DC           PUSH     DWORD [EBP-24]      〈----计算出后12位注册码地址
017F:004663FB FF1530EB5400     CALL     `MSVCRT!_mbsicmp`

总结:
程序注册要求输入邮件地址和注册码。
程序校验注册码过程:
首先筛选输入注册码,筛除0-9、A-F以外的字符,形成计算有效注册码;如是空输入则显示注册错误信息。
进入比对核心后,首先判断有效注册码长度,如不是16位则显示注册错误;是16位则先取前4位保存,并把后12位单独存放;再将前4位、邮件地址、程序名(PictureToTV)依据16字节长的计算尺进行计算,得出后12位注册码,最后与输入的后12位注册码比较(比较调用为 _mbsicmp)。
破解方法:
在计算出后12位注册码进行比较处中断,取前4位注册码地址后计算出后12位注册码地址,合并两字符串得到注册码。