软件:飞翔鸟卫星网络电视机
1、查壳
用PEiD查是 ASPack 2.1 -> Alexey Solodovnikov
用脱壳器脱后竟然不能运行,那就手动脱壳,再修复,搞定
2、破解
用DEDE分析,确定SuiButton3Click即为注册窗口"确定"按钮的事件处理过程,地址为4C4B60,就在这个地方下断
OD载入程序,下断
; SuiButton3Click (004C4B60): the registration form's OK-button handler.
; OllyDbg listing as pasted; it stops at 004C4C12, so the remainder of the
; handler (its common exit at 004C4C2A and the frame unwinding) is not shown.
; What the visible lines establish: eax = Self on entry, kept in ebx;
; [ebp-8] = username text, [ebp-4] = result of 00408588 on it;
; [ebp-10] = password text, [ebp-C] = result of 00408588 on it.
004C4B60 . 55 push ebp
004C4B61 . 8BEC mov ebp,esp
004C4B63 . 33C9 xor ecx,ecx
004C4B65 . 51 push ecx ; four zeroed slots = the locals [ebp-4]..[ebp-10]
004C4B66 . 51 push ecx
004C4B67 . 51 push ecx
004C4B68 . 51 push ecx
004C4B69 . 53 push ebx
004C4B6A . 56 push esi
004C4B6B . 57 push edi
004C4B6C . 8BD8 mov ebx,eax ; ebx = Self (first argument arrives in eax)
004C4B6E . 33C0 xor eax,eax
004C4B70 . 55 push ebp
004C4B71 . 68 744C4C00 push unpacked.004C4C74 ; outer exception frame, handler 004C4C74
004C4B76 . 64:FF30 push dword ptr fs:[eax] ; fs:[0] = SEH chain head
004C4B79 . 64:8920 mov dword ptr fs:[eax],esp
004C4B7C . 33D2 xor edx,edx
004C4B7E . 55 push ebp
004C4B7F . 68 344C4C00 push unpacked.004C4C34 ; inner exception frame, handler 004C4C34
004C4B84 . 64:FF32 push dword ptr fs:[edx]
004C4B87 . 64:8922 mov dword ptr fs:[edx],esp
004C4B8A . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004C4B8D . 8B83 E0020000 mov eax,dword ptr ds:[ebx+2E0] ; Self+2E0: the control the username is read from
004C4B93 . E8 AC7CF6FF call unpacked.0042C844 ; [ebp-8] = username text
004C4B98 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004C4B9B . 8D55 FC lea edx,dword ptr ss:[ebp-4]
004C4B9E . E8 E539F4FF call unpacked.00408588 ; [ebp-4] = 00408588(username); routine not shown, presumably a Trim-like copy - confirm
004C4BA3 . 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; nil (empty) result?
004C4BA7 . 75 18 jnz short unpacked.004C4BC1
004C4BA9 . A1 E0834C00 mov eax,dword ptr ds:[4C83E0] ; empty-input path; 447A60/447A58 not shown, presumably a message dialog - confirm
004C4BAE . 8B00 mov eax,dword ptr ds:[eax]
004C4BB0 . E8 AB2EF8FF call unpacked.00447A60
004C4BB5 . A1 E4994C00 mov eax,dword ptr ds:[4C99E4]
004C4BBA . E8 992EF8FF call unpacked.00447A58
004C4BBF . EB 69 jmp short unpacked.004C4C2A ; -> common exit (past the end of the listing)
004C4BC1 > 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004C4BC4 . 8B83 E4020000 mov eax,dword ptr ds:[ebx+2E4] ; Self+2E4: the control the password is read from
004C4BCA . E8 757CF6FF call unpacked.0042C844 ; [ebp-10] = password text
004C4BCF . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004C4BD2 . 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004C4BD5 . E8 AE39F4FF call unpacked.00408588 ; same processing as for the username
004C4BDA . 837D F4 00 cmp dword ptr ss:[ebp-C],0 ; empty password?
004C4BDE . 75 18 jnz short unpacked.004C4BF8
004C4BE0 . A1 E0834C00 mov eax,dword ptr ds:[4C83E0] ; same empty-input path as above
004C4BE5 . 8B00 mov eax,dword ptr ds:[eax]
004C4BE7 . E8 742EF8FF call unpacked.00447A60
004C4BEC . A1 E4994C00 mov eax,dword ptr ds:[4C99E4]
004C4BF1 . E8 622EF8FF call unpacked.00447A58
004C4BF6 . EB 32 jmp short unpacked.004C4C2A
004C4BF8 > 8BC3 mov eax,ebx
004C4BFA . E8 39020000 call unpacked.004C4E38 ; verify username/password (listed below); al = result
004C4BFF . 84C0 test al,al
004C4C01 . 74 09 je short unpacked.004C4C0C ; al = 0 -> failure path
004C4C03 . 8BC3 mov eax,ebx
004C4C05 . E8 7A000000 call unpacked.004C4C84 ; success path; 004C4C84 not shown
004C4C0A . EB 1E jmp short unpacked.004C4C2A
004C4C0C > B8 F4010000 mov eax,1F4 ; failure path: 0x1F4 = 500 passes of an
004C4C11 > 48 dec eax ; empty busy-wait loop; what follows it is
004C4C12 .^ 75 FD jnz short unpacked.004C4C11 ; past the end of the pasted listing
在004C4BFA . E8 39020000 call unpacked.004C4E38 ; 检验用户名和密码
跟进
; 004C4E38: the registration check called from SuiButton3Click.
; In:  eax = Self (saved at [ebp-4]).
; Out: al = 1 when the entered password equals the username-derived value,
;      else 0. The flag is written to [ebp-5]; the caller tests al, so the
;      load of [ebp-5] into al must happen at 004C4F3E, which is not in the
;      pasted listing.
; Locals: [ebp-C] = username, [ebp-14] = one-character substring,
;         [ebp-18] = password text, [ebp-10] = 1-based index i.
; ebx accumulates the username value; esi counts characters left in the
; loop and later holds the expected value.
004C4E38 /$ 55 push ebp
004C4E39 |. 8BEC mov ebp,esp
004C4E3B |. 83C4 E8 add esp,-18 ; 0x18 bytes of locals
004C4E3E |. 53 push ebx
004C4E3F |. 56 push esi
004C4E40 |. 33D2 xor edx,edx
004C4E42 |. 8955 E8 mov dword ptr ss:[ebp-18],edx ; nil the three string locals
004C4E45 |. 8955 EC mov dword ptr ss:[ebp-14],edx
004C4E48 |. 8955 F4 mov dword ptr ss:[ebp-C],edx
004C4E4B |. 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = Self
004C4E4E |. 33C0 xor eax,eax
004C4E50 |. 55 push ebp
004C4E51 |. 68 374F4C00 push unpacked.004C4F37 ; exception frame, handler 004C4F37 (fs:[0] = SEH chain head)
004C4E56 |. 64:FF30 push dword ptr fs:[eax]
004C4E59 |. 64:8920 mov dword ptr fs:[eax],esp
004C4E5C |. 33DB xor ebx,ebx ; accumulator starts at 0
004C4E5E |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004C4E61 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C4E64 |. 8B80 E0020000 mov eax,dword ptr ds:[eax+2E0] ; Self+2E0, same control as in the handler
004C4E6A |. E8 D579F6FF call unpacked.0042C844 ; [ebp-C] = username text
004C4E6F |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004C4E72 |. E8 01EFF3FF call unpacked.00403D78 ; eax = length of the username
004C4E77 |. 8BF0 mov esi,eax ; esi = characters left to process
004C4E79 |. 85F6 test esi,esi
004C4E7B |. 7E 38 jle short unpacked.004C4EB5 ; empty username: skip the loop, ebx stays 0
004C4E7D |. C745 F0 01000000 mov dword ptr ss:[ebp-10],1 ; i = 1
004C4E84 |> 8D45 EC /lea eax,dword ptr ss:[ebp-14] ; username loop: one character per pass
004C4E87 |. 50 |push eax
004C4E88 |. B9 01000000 |mov ecx,1 ; count = 1
004C4E8D |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10] ; start = i
004C4E90 |. 8B45 F4 |mov eax,dword ptr ss:[ebp-C] ; source = username
004C4E93 |. E8 E8F0F3FF |call unpacked.00403F80 ; [ebp-14] = one-char substring (Copy(s,i,1)-style; routine not shown)
004C4E98 |. 8B45 EC |mov eax,dword ptr ss:[ebp-14]
004C4E9B |. E8 9CF0F3FF |call unpacked.00403F3C ; eax -> character data of that substring
004C4EA0 |. 8A00 |mov al,byte ptr ds:[eax]
004C4EA2 |. 25 FF000000 |and eax,0FF ; eax = X[i] as an unsigned byte
004C4EA7 |. 03D8 |add ebx,eax ; ebx = (ebx + X[i]) xor 0BFA05
004C4EA9 |. 81F3 05FA0B00 |xor ebx,0BFA05
004C4EAF |. FF45 F0 |inc dword ptr ss:[ebp-10] ; i++
004C4EB2 |. 4E |dec esi
004C4EB3 |.^ 75 CF \jnz short unpacked.004C4E84
004C4EB5 |> A1 F0994C00 mov eax,dword ptr ds:[4C99F0] ; global at 4C99F0; where it is set is not shown
004C4EBA |. 8BD0 mov edx,eax
004C4EBC |. C1E0 04 shl eax,4
004C4EBF |. 03C2 add eax,edx ; eax = [4C99F0] * 17
004C4EC1 |. 03D8 add ebx,eax
004C4EC3 |. 81C3 D4A31300 add ebx,13A3D4
004C4EC9 |. 81F3 8DED5900 xor ebx,59ED8D
004C4ECF |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004C4ED2 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004C4ED5 |. 8B80 E4020000 mov eax,dword ptr ds:[eax+2E4] ; Self+2E4, the password control
004C4EDB |. E8 6479F6FF call unpacked.0042C844 ; [ebp-18] = entered password text
004C4EE0 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004C4EE3 |. E8 3438F4FF call unpacked.0040871C ; eax = password parsed as an integer (listed below)
004C4EE8 |. 8BF3 mov esi,ebx
004C4EEA |. 81F6 2473C400 xor esi,0C47324 ; esi = expected value
004C4EF0 |. 3BC6 cmp eax,esi
004C4EF2 75 19 jnz short unpacked.004C4F0D ; this one compare decides the result; nothing but the constants above and [4C99F0] feeds it
004C4EF4 |. C645 FB 01 mov byte ptr ss:[ebp-5],1 ; match: result = 1
004C4EF8 |. B8 E8994C00 mov eax,unpacked.004C99E8
004C4EFD |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004C4F00 |. E8 47ECF3FF call unpacked.00403B4C ; store the username into global 4C99E8 (string assign presumed; routine not shown)
004C4F05 |. 8935 EC994C00 mov dword ptr ds:[4C99EC],esi ; store the matched value into global 4C99EC
004C4F0B |. EB 04 jmp short unpacked.004C4F11
004C4F0D |> C645 FB 00 mov byte ptr ss:[ebp-5],0 ; mismatch: result = 0
004C4F11 |> 33C0 xor eax,eax
004C4F13 |. 5A pop edx ; unlink the exception frame: fs:[0] = saved link
004C4F14 |. 59 pop ecx
004C4F15 |. 59 pop ecx
004C4F16 |. 64:8910 mov dword ptr fs:[eax],edx
004C4F19 |. 68 3E4F4C00 push unpacked.004C4F3E ; the retn below continues at 004C4F3E (finally-block pattern)
004C4F1E |> 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; finalize the three string locals (00403AF8 not shown; presumed string release)
004C4F21 |. E8 D2EBF3FF call unpacked.00403AF8
004C4F26 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004C4F29 |. E8 CAEBF3FF call unpacked.00403AF8
004C4F2E |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C4F31 |. E8 C2EBF3FF call unpacked.00403AF8
004C4F36 \. C3 retn
在004C4EE3 |. E8 3438F4FF call unpacked.0040871C ; 处理密码
跟进
; 0040871C: string -> integer conversion that raises on a bad string
; (looks like Delphi's StrToInt: 00402B0C is the parser, 00408244 the
; raise helper - neither name is confirmed by the listing).
; In:  eax = string.  Out: eax = parsed value.
; A non-zero error code from the parser takes the raise path, so a
; password that is not a plain integer never reaches the compare in 004C4E38.
0040871C /$ 53 push ebx
0040871D |. 56 push esi
0040871E |. 83C4 F4 add esp,-0C ; [esp] = error code, [esp+4..8] = record for the raise helper
00408721 |. 8BD8 mov ebx,eax ; ebx = string
00408723 |. 8BD4 mov edx,esp ; edx -> error-code slot
00408725 |. 8BC3 mov eax,ebx
00408727 |. E8 E0A3FFFF call unpacked.00402B0C ; parse (listed below): eax = value, [esp] = error code
0040872C |. 8BF0 mov esi,eax ; esi = value
0040872E |. 833C24 00 cmp dword ptr ss:[esp],0
00408732 |. 74 19 je short unpacked.0040874D ; error code 0 -> return the value
00408734 |. 895C24 04 mov dword ptr ss:[esp+4],ebx ; record: pointer = string,
00408738 |. C64424 08 0B mov byte ptr ss:[esp+8],0B ; kind = 0B (presumably a string-argument tag - confirm)
0040873D |. 8D5424 04 lea edx,dword ptr ss:[esp+4]
00408741 |. A1 C4814C00 mov eax,dword ptr ds:[4C81C4]
00408746 |. 33C9 xor ecx,ecx
00408748 |. E8 F7FAFFFF call unpacked.00408244 ; raise the conversion error (presumably does not return here)
0040874D |> 8BC6 mov eax,esi
0040874F |. 83C4 0C add esp,0C
00408752 |. 5E pop esi
00408753 |. 5B pop ebx
00408754 \. C3 retn
在00408727 |. E8 E0A3FFFF call unpacked.00402B0C ; 处理密码
跟进
; 00402B0C: string -> integer parser (Val-style). Listing as pasted; the
; branch targets 00402B89/8C/92/97/99/9E (nil string, negate, error exit,
; '-', '+', hex prefix) lie past its end.
; In:  eax = string, edx -> error slot.
; Out: eax = value; on the path shown [edx] = 0 (success).
; Registers: esi = read pointer, bl = current character, ch = sign flag
; (presumably set on '-'; that path is not shown), edi = overflow limit.
00402B0C /$ 53 push ebx
00402B0D |. 56 push esi
00402B0E |. 57 push edi
00402B0F |. 89C6 mov esi,eax ; esi = read pointer
00402B11 |. 50 push eax ; keep the string start (popped at 00402B80)
00402B12 |. 85C0 test eax,eax
00402B14 |. 74 73 je short unpacked.00402B89 ; nil string (target not shown)
00402B16 |. 31C0 xor eax,eax ; eax = value
00402B18 |. 31DB xor ebx,ebx ; ebx zeroed so bl can be added as a digit
00402B1A |. BF CCCCCC0C mov edi,0CCCCCCC ; 0CCCCCCC*10 = 7FFFFFF8: largest value that can still be multiplied by 10
00402B1F |> 8A1E /mov bl,byte ptr ds:[esi] ; skip leading spaces (0x20)
00402B21 |. 46 |inc esi
00402B22 |. 80FB 20 |cmp bl,20
00402B25 |.^ 74 F8 \je short unpacked.00402B1F
00402B27 |. B5 00 mov ch,0 ; sign flag = positive
00402B29 |. 80FB 2D cmp bl,2D ; '-' (00402B97, not shown)
00402B2C |. 74 69 je short unpacked.00402B97
00402B2E |. 80FB 2B cmp bl,2B ; '+' (00402B99, not shown)
00402B31 |. 74 66 je short unpacked.00402B99
00402B33 |. 80FB 24 cmp bl,24 ; '$', 'x', 'X': hex prefix (00402B9E, not shown)
00402B36 |. 74 66 je short unpacked.00402B9E
00402B38 |. 80FB 78 cmp bl,78
00402B3B |. 74 61 je short unpacked.00402B9E
00402B3D |. 80FB 58 cmp bl,58
00402B40 |. 74 5C je short unpacked.00402B9E
00402B42 |. 80FB 30 cmp bl,30 ; leading '0': look for "0x" / "0X"
00402B45 |. 75 13 jnz short unpacked.00402B5A
00402B47 |. 8A1E mov bl,byte ptr ds:[esi]
00402B49 |. 46 inc esi
00402B4A |. 80FB 78 cmp bl,78
00402B4D |. 74 4F je short unpacked.00402B9E
00402B4F |. 80FB 58 cmp bl,58
00402B52 |. 74 4A je short unpacked.00402B9E
00402B54 |. 84DB test bl,bl ; "0" alone: value 0, go straight to the finish
00402B56 |. 74 20 je short unpacked.00402B78
00402B58 |. EB 04 jmp short unpacked.00402B5E
00402B5A |> 84DB test bl,bl ; nothing after the prefix checks -> error exit (not shown)
00402B5C |. 74 34 je short unpacked.00402B92
00402B5E |> 80EB 30 /sub bl,30 ; decimal digit loop: bl = char - '0'
00402B61 |. 80FB 09 |cmp bl,9
00402B64 |. 77 2C |ja short unpacked.00402B92 ; not a digit (unsigned compare also catches chars below '0')
00402B66 |. 39F8 |cmp eax,edi
00402B68 |. 77 28 |ja short unpacked.00402B92 ; *10 would overflow -> error exit
00402B6A |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4] ; eax = eax*5
00402B6D |. 01C0 |add eax,eax ; eax = eax*10
00402B6F |. 01D8 |add eax,ebx ; eax = eax*10 + digit
00402B71 |. 8A1E |mov bl,byte ptr ds:[esi]
00402B73 |. 46 |inc esi
00402B74 |. 84DB |test bl,bl ; until the terminating NUL
00402B76 |.^ 75 E6 \jnz short unpacked.00402B5E
00402B78 |> FECD dec ch ; ch was 1 -> negate path 00402B8C (not shown)
00402B7A |. 74 10 je short unpacked.00402B8C
00402B7C |. 85C0 test eax,eax
00402B7E |. 7C 12 jl short unpacked.00402B92 ; a positive result must fit in 31 bits
00402B80 |> 59 pop ecx ; discard the saved string start
00402B81 |. 31F6 xor esi,esi
00402B83 |> 8932 mov dword ptr ds:[edx],esi ; [edx] = 0: success
00402B85 |. 5F pop edi
00402B86 |. 5E pop esi
00402B87 |. 5B pop ebx
00402B88 |. C3 retn
至此,算法已经很了然了
用户名部分的算法:
设输入为:X[i],输出为 Name
算法描述为:
Name={[(Name+X[i])&0BFA05]+3E88E684+13A3D4} xor 59ED8D xor 0C47324
密码部分的算法:
设输入为:Y[i],输出为Pass,密码位数为10
Pass=Pass*10+Y[i]
如果Pass=Name就通过
注册机还不会写