共享资料保护专家2.0算法分析-菜鸟学习的好教材
【文章作者】: tzl
【作者邮箱】: 无
【软件名称】: 共享资料保护专家2.0
【软件大小】: 555KB
【下载地址】: http://sq2.newhua.com/down/files_52586.rar
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD
【操作平台】: XP SP2
【软件介绍】: 软件对文件夹加密后,用户只能浏览该文件夹内的word、Excel或图片文件等的内容,不能修改、拷贝或盗取。
软件语言:简体中文;
软件类别:国产软件/共享版/系统安全;
运行环境:WinNT/2000/XP/2003;
加入时间:2006-9-26 10:52:32
【作者声明】: 只是研究技术,没有其他目的。失误之处敬请诸位大侠赐教!
一、查壳,无。
二、运行程序注册提示“需重新启动认证注册”,这是个重启验证类软件,查看字符串相关信息,我们在这里下断开始分析。
004D3725 55 push ebp
004D3726 68 1E3B4D00 push 共享资料.004D3B1E
004D372B 64:FF30 push dword ptr fs:[eax]
004D372E 64:8920 mov dword ptr fs:[eax],esp
004D3731 8D95 20FEFFFF lea edx,dword ptr ss:[ebp-1E0]
004D3737 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
004D373D E8 6621F7FF call 共享资料.004458A8
004D3742 8B85 20FEFFFF mov eax,dword ptr ss:[ebp-1E0]
004D3748 8D95 24FEFFFF lea edx,dword ptr ss:[ebp-1DC]
004D374E E8 7154F3FF call 共享资料.00408BC4
004D3753 8B85 24FEFFFF mov eax,dword ptr ss:[ebp-1DC]
004D3759 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004D375C E8 B356F3FF call 共享资料.00408E14
004D3761 8D95 1CFEFFFF lea edx,dword ptr ss:[ebp-1E4]
004D3767 A1 C0E14D00 mov eax,dword ptr ds:[4DE1C0]
004D376C 8B00 mov eax,dword ptr ds:[eax]
004D376E E8 25360000 call 共享资料.004D6D98
004D3773 8B85 1CFEFFFF mov eax,dword ptr ss:[ebp-1E4]
004D3779 BA 803B4D00 mov edx,共享资料.004D3B80 ; ASCII "winnt"
004D377E E8 8914F3FF call 共享资料.00404C0C
004D3783 75 47 jnz short 共享资料.004D37CC
004D3785 8D8D 18FEFFFF lea ecx,dword ptr ss:[ebp-1E8]
004D378B A1 C0E14D00 mov eax,dword ptr ds:[4DE1C0]
004D3790 8B00 mov eax,dword ptr ds:[eax]
004D3792 BA 903B4D00 mov edx,共享资料.004D3B90 ; ASCII "c:\"
004D3797 E8 642F0000 call 共享资料.004D6700
004D379C 8B85 18FEFFFF mov eax,dword ptr ss:[ebp-1E8]
004D37A2 BA 9C3B4D00 mov edx,共享资料.004D3B9C ; ASCII "NTFS"
004D37A7 E8 6014F3FF call 共享资料.00404C0C
004D37AC 75 0F jnz short 共享资料.004D37BD
004D37AE 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D37B1 BA AC3B4D00 mov edx,共享资料.004D3BAC
004D37B6 E8 ED10F3FF call 共享资料.004048A8
004D37BB EB 1C jmp short 共享资料.004D37D9
004D37BD 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D37C0 BA C83B4D00 mov edx,共享资料.004D3BC8
004D37C5 E8 DE10F3FF call 共享资料.004048A8
004D37CA EB 0D jmp short 共享资料.004D37D9
004D37CC 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D37CF BA E43B4D00 mov edx,共享资料.004D3BE4
004D37D4 E8 CF10F3FF call 共享资料.004048A8
004D37D9 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D37DC E8 FB5AF3FF call 共享资料.004092DC
004D37E1 84C0 test al,al
004D37E3 0F85 BF000000 jnz 共享资料.004D38A8
004D37E9 8D95 14FEFFFF lea edx,dword ptr ss:[ebp-1EC]
004D37EF A1 C0E14D00 mov eax,dword ptr ds:[4DE1C0]
004D37F4 8B00 mov eax,dword ptr ds:[eax]
004D37F6 E8 9D350000 call 共享资料.004D6D98
004D37FB 8B85 14FEFFFF mov eax,dword ptr ss:[ebp-1EC]
004D3801 BA 803B4D00 mov edx,共享资料.004D3B80 ; ASCII "winnt"
004D3806 E8 0114F3FF call 共享资料.00404C0C
004D380B 75 7D jnz short 共享资料.004D388A
004D380D 8D8D 10FEFFFF lea ecx,dword ptr ss:[ebp-1F0]
004D3813 A1 C0E14D00 mov eax,dword ptr ds:[4DE1C0]
004D3818 8B00 mov eax,dword ptr ds:[eax]
004D381A BA 903B4D00 mov edx,共享资料.004D3B90 ; ASCII "c:\"
004D381F E8 DC2E0000 call 共享资料.004D6700
004D3824 8B85 10FEFFFF mov eax,dword ptr ss:[ebp-1F0]
004D382A BA 9C3B4D00 mov edx,共享资料.004D3B9C ; ASCII "NTFS"
004D382F E8 D813F3FF call 共享资料.00404C0C
004D3834 74 2A je short 共享资料.004D3860
004D3836 B8 243C4D00 mov eax,共享资料.004D3C24 ; ASCII "c:\...\"
004D383B E8 2C5EF3FF call 共享资料.0040966C
004D3840 B8 343C4D00 mov eax,共享资料.004D3C34
004D3845 E8 225EF3FF call 共享资料.0040966C
004D384A B8 483C4D00 mov eax,共享资料.004D3C48
004D384F E8 185EF3FF call 共享资料.0040966C
004D3854 B8 603C4D00 mov eax,共享资料.004D3C60
004D3859 E8 0E5EF3FF call 共享资料.0040966C
004D385E EB 48 jmp short 共享资料.004D38A8
004D3860 B8 7C3C4D00 mov eax,共享资料.004D3C7C ; ASCII "c:\....\"
004D3865 E8 025EF3FF call 共享资料.0040966C
004D386A B8 903C4D00 mov eax,共享资料.004D3C90
004D386F E8 F85DF3FF call 共享资料.0040966C
004D3874 B8 A43C4D00 mov eax,共享资料.004D3CA4
004D3879 E8 EE5DF3FF call 共享资料.0040966C
004D387E B8 BC3C4D00 mov eax,共享资料.004D3CBC
004D3883 E8 E45DF3FF call 共享资料.0040966C
004D3888 EB 1E jmp short 共享资料.004D38A8
004D388A B8 D83C4D00 mov eax,共享资料.004D3CD8 ; ASCII "c:\aux.{645FF040-5081-101B-9F08-00AA002F954E}\"
004D388F E8 D85DF3FF call 共享资料.0040966C
004D3894 B8 103D4D00 mov eax,共享资料.004D3D10
004D3899 E8 CE5DF3FF call 共享资料.0040966C
004D389E B8 4C3D4D00 mov eax,共享资料.004D3D4C
004D38A3 E8 C45DF3FF call 共享资料.0040966C
004D38A8 8D85 0CFEFFFF lea eax,dword ptr ss:[ebp-1F4]
004D38AE B9 8C3D4D00 mov ecx,共享资料.004D3D8C ; ASCII "\readsn.dll"
004D38B3 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D38B6 E8 5912F3FF call 共享资料.00404B14
004D38BB 8B85 0CFEFFFF mov eax,dword ptr ss:[ebp-1F4]
004D38C1 E8 065AF3FF call 共享资料.004092CC
004D38C6 3C 01 cmp al,1
004D38C8 0F85 23010000 jnz 共享资料.004D39F1
004D38CE 68 80000000 push 80
004D38D3 8D85 08FEFFFF lea eax,dword ptr ss:[ebp-1F8]
004D38D9 B9 8C3D4D00 mov ecx,共享资料.004D3D8C ; ASCII "\readsn.dll"
004D38DE 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D38E1 E8 2E12F3FF call 共享资料.00404B14
004D38E6 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-1F8]
004D38EC E8 CF13F3FF call 共享资料.00404CC0
004D38F1 50 push eax
004D38F2 E8 8137F3FF call <jmp.&kernel32.SetFileAttri>
004D38F7 8D85 04FEFFFF lea eax,dword ptr ss:[ebp-1FC]
004D38FD B9 8C3D4D00 mov ecx,共享资料.004D3D8C ; ASCII "\readsn.dll"
004D3902 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D3905 E8 0A12F3FF call 共享资料.00404B14
004D390A 8B95 04FEFFFF mov edx,dword ptr ss:[ebp-1FC]
004D3910 8D85 28FEFFFF lea eax,dword ptr ss:[ebp-1D8]
004D3916 E8 0DF5F2FF call 共享资料.00402E28
004D391B 8D85 28FEFFFF lea eax,dword ptr ss:[ebp-1D8]
004D3921 E8 92F2F2FF call 共享资料.00402BB8
004D3926 E8 A1EFF2FF call 共享资料.004028CC
004D392B 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004D392E 8D85 28FEFFFF lea eax,dword ptr ss:[ebp-1D8]
004D3934 E8 A3F8F2FF call 共享资料.004031DC
004D3939 8D85 28FEFFFF lea eax,dword ptr ss:[ebp-1D8]
004D393F E8 04F9F2FF call 共享资料.00403248
004D3944 E8 83EFF2FF call 共享资料.004028CC
004D3949 8D85 28FEFFFF lea eax,dword ptr ss:[ebp-1D8]
004D394F E8 9CF5F2FF call 共享资料.00402EF0
004D3954 E8 73EFF2FF call 共享资料.004028CC
004D3959 6A 06 push 6
004D395B 8D85 00FEFFFF lea eax,dword ptr ss:[ebp-200]
004D3961 B9 8C3D4D00 mov ecx,共享资料.004D3D8C ; ASCII "\readsn.dll"
004D3966 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D3969 E8 A611F3FF call 共享资料.00404B14
004D396E 8B85 00FEFFFF mov eax,dword ptr ss:[ebp-200]
004D3974 E8 4713F3FF call 共享资料.00404CC0
004D3979 50 push eax
004D397A E8 F936F3FF call <jmp.&kernel32.SetFileAttri>
004D397F 8D95 FCFDFFFF lea edx,dword ptr ss:[ebp-204]
004D3985 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 试练码123456789送eax
004D3988 E8 8754F3FF call 共享资料.00408E14
004D398D 8B85 FCFDFFFF mov eax,dword ptr ss:[ebp-204]
004D3993 50 push eax
004D3994 8D95 F4FDFFFF lea edx,dword ptr ss:[ebp-20C]
004D399A A1 C0E14D00 mov eax,dword ptr ds:[4DE1C0]
004D399F 8B00 mov eax,dword ptr ds:[eax]
004D39A1 E8 FE2F0000 call 共享资料.004D69A4 ; 算法分析call(1)
004D39A6 8B85 F4FDFFFF mov eax,dword ptr ss:[ebp-20C]
004D39AC 8D95 F8FDFFFF lea edx,dword ptr ss:[ebp-208]
004D39B2 E8 5D54F3FF call 共享资料.00408E14 这里可以做内存注册机
004D39B7 8B95 F8FDFFFF mov edx,dword ptr ss:[ebp-208]
004D39BD 58 pop eax
004D39BE E8 4912F3FF call 共享资料.00404C0C
004D39C3 75 2C jnz short 共享资料.004D39F1 ; 关键跳转,不等则失败
004D39C5 6A 40 push 40
004D39C7 B9 983D4D00 mov ecx,共享资料.004D3D98
004D39CC BA A43D4D00 mov edx,共享资料.004D3DA4
004D39D1 A1 ACE24D00 mov eax,dword ptr ds:[4DE2AC]
004D39D6 8B00 mov eax,dword ptr ds:[eax]
004D39D8 E8 1F30F9FF call 共享资料.004669FC
004D39DD 8BC3 mov eax,ebx
004D39DF E8 DCF7F8FF call 共享资料.004631C0
004D39E4 33C0 xor eax,eax
004D39E6 5A pop edx
004D39E7 59 pop ecx
004D39E8 59 pop ecx
004D39E9 64:8910 mov dword ptr fs:[eax],edx
004D39EC E9 37010000 jmp 共享资料.004D3B28
…………
*********************************************************
跟进call(1),来到这里
004D69A4 55 push ebp
004D69A5 8BEC mov ebp,esp
004D69A7 6A 00 push 0
004D69A9 6A 00 push 0
004D69AB 6A 00 push 0
004D69AD 53 push ebx
004D69AE 56 push esi
004D69AF 57 push edi
004D69B0 8955 FC mov dword ptr ss:[ebp-4],edx
004D69B3 8BD8 mov ebx,eax
004D69B5 33C0 xor eax,eax
004D69B7 55 push ebp
004D69B8 68 346A4D00 push 共享资料.004D6A34
004D69BD 64:FF30 push dword ptr fs:[eax]
004D69C0 64:8920 mov dword ptr fs:[eax],esp
004D69C3 33C0 xor eax,eax
004D69C5 55 push ebp
004D69C6 68 026A4D00 push 共享资料.004D6A02
004D69CB 64:FF30 push dword ptr fs:[eax]
004D69CE 64:8920 mov dword ptr fs:[eax],esp
004D69D1 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D69D4 50 push eax
004D69D5 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004D69D8 8BC3 mov eax,ebx
004D69DA E8 9D000000 call 共享资料.004D6A7C
004D69DF 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 机器码8768458777送edx
004D69E2 66:B9 D500 mov cx,0D5 ; 0D5送cx
004D69E6 8BC3 mov eax,ebx ; ecx=D5
004D69E8 E8 BBFEFFFF call 共享资料.004D68A8 ; 算法分析call(2)
004D69ED 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D69F0 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; 取codeB前十位数字codeC送edx,这里的codeC即是注册码,我的是2212102112
004D69F3 E8 6CDEF2FF call 共享资料.00404864
004D69F8 33C0 xor eax,eax
004D69FA 5A pop edx
004D69FB 59 pop ecx
004D69FC 59 pop ecx
004D69FD 64:8910 mov dword ptr fs:[eax],edx
004D6A00 EB 17 jmp short 共享资料.004D6A19
004D6A02 ^ E9 F9D4F2FF jmp 共享资料.00403F00
004D6A07 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D6A0A BA 4C6A4D00 mov edx,共享资料.004D6A4C ; ASCII "1398502186"
004D6A0F E8 50DEF2FF call 共享资料.00404864
004D6A14 E8 4FD8F2FF call 共享资料.00404268
004D6A19 33C0 xor eax,eax
004D6A1B 5A pop edx
004D6A1C 59 pop ecx
004D6A1D 59 pop ecx
004D6A1E 64:8910 mov dword ptr fs:[eax],edx
004D6A21 68 3B6A4D00 push 共享资料.004D6A3B
004D6A26 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D6A29 BA 02000000 mov edx,2
004D6A2E E8 01DEF2FF call 共享资料.00404834
004D6A33 C3 retn
004D6A34 ^ E9 7BD7F2FF jmp 共享资料.004041B4
004D6A39 ^ EB EB jmp short 共享资料.004D6A26
004D6A3B 5F pop edi
004D6A3C 5E pop esi
004D6A3D 5B pop ebx
004D6A3E 8BE5 mov esp,ebp
004D6A40 5D pop ebp
004D6A41 C3 retn
*********************************************************
跟进算法分析call(2),来到这里
004D68A8 55 push ebp
004D68A9 8BEC mov ebp,esp
004D68AB 6A 00 push 0
004D68AD 6A 00 push 0
004D68AF 6A 00 push 0
004D68B1 6A 00 push 0
004D68B3 53 push ebx
004D68B4 56 push esi
004D68B5 57 push edi
004D68B6 66:894D FE mov word ptr ss:[ebp-2],cx ; D5=ebp-2
004D68BA 8BFA mov edi,edx ; 机器码8768458777送edi
004D68BC 33C0 xor eax,eax ; eax清零
004D68BE 55 push ebp
004D68BF 68 7E694D00 push 共享资料.004D697E ; edx=8768458777
004D68C4 64:FF30 push dword ptr fs:[eax]
004D68C7 64:8920 mov dword ptr fs:[eax],esp
004D68CA 33C0 xor eax,eax
004D68CC 55 push ebp
004D68CD 68 4C694D00 push 共享资料.004D694C
004D68D2 64:FF30 push dword ptr fs:[eax]
004D68D5 64:8920 mov dword ptr fs:[eax],esp
004D68D8 8B45 08 mov eax,dword ptr ss:[ebp+8]
004D68DB E8 30DFF2FF call 共享资料.00404810
004D68E0 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D68E3 E8 28DFF2FF call 共享资料.00404810
004D68E8 8BC7 mov eax,edi ; 机器码8768458777送eax
004D68EA E8 D9E1F2FF call 共享资料.00404AC8
004D68EF 8BD8 mov ebx,eax ; 机器码位数10送ebx
004D68F1 85DB test ebx,ebx
004D68F3 7E 36 jle short 共享资料.004D692B
004D68F5 BE 01000000 mov esi,1 ; 1送esi
004D68FA 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004D68FD 8A5437 FF mov dl,byte ptr ds:[edi+esi-1] ; 机器码8768458777逐位送dl,后送edx
004D6901 E8 EAE0F2FF call 共享资料.004049F0
004D6906 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004D6909 E8 8627F3FF call 共享资料.00409094
004D690E 0FB755 FE movzx edx,word ptr ss:[ebp-2] ; 机器码逐位送eax
004D6912 33C2 xor eax,edx ; 机器码逐位与D5进行xor运算,结果记做codeA
004D6914 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004D6917 E8 1427F3FF call 共享资料.00409030 ; 将十六进制结果codeA逐个转换成十进制数字
004D691C 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 221,220,211,221,209,208,221,210,210,210
004D691F 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004D6922 E8 A9E1F2FF call 共享资料.00404AD0
004D6927 46 inc esi
004D6928 4B dec ebx
004D6929 ^ 75 CF jnz short 共享资料.004D68FA
004D692B 8B45 08 mov eax,dword ptr ss:[ebp+8]
004D692E 50 push eax
004D692F 8BC7 mov eax,edi
004D6931 E8 92E1F2FF call 共享资料.00404AC8
004D6936 8BC8 mov ecx,eax
004D6938 33D2 xor edx,edx
004D693A 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 将所有的codeA排列起来,结果codeB(221210211221209208221210210210)
004D693D E8 DEE3F2FF call 共享资料.00404D20
004D6942 33C0 xor eax,eax
004D6944 5A pop edx
004D6945 59 pop ecx
004D6946 59 pop ecx
004D6947 64:8910 mov dword ptr fs:[eax],edx
004D694A EB 17 jmp short 共享资料.004D6963
004D694C ^ E9 AFD5F2FF jmp 共享资料.00403F00
004D6951 8B45 08 mov eax,dword ptr ss:[ebp+8]
004D6954 BA 98694D00 mov edx,共享资料.004D6998 ; ASCII "1398502186"
004D6959 E8 06DFF2FF call 共享资料.00404864
004D695E E8 05D9F2FF call 共享资料.00404268
004D6963 33C0 xor eax,eax
004D6965 5A pop edx
004D6966 59 pop ecx
004D6967 59 pop ecx
004D6968 64:8910 mov dword ptr fs:[eax],edx
004D696B 68 85694D00 push 共享资料.004D6985
004D6970 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004D6973 BA 03000000 mov edx,3
004D6978 E8 B7DEF2FF call 共享资料.00404834
004D697D C3 retn
004D697E ^ E9 31D8F2FF jmp 共享资料.004041B4
004D6983 ^ EB EB jmp short 共享资料.004D6970
004D6985 5F pop edi
004D6986 5E pop esi
004D6987 5B pop ebx
004D6988 8BE5 mov esp,ebp
004D698A 5D pop ebp
004D698B C2 0400 retn 4
**********************************************************
算法总结:这个软件算法比较简单,即将机器产生的机器码诸位与D5进行xor运算记做codeA,把诸位运算结果转成十进制并按顺序排列起来记做codeB,最后取codeB的前十位记做codeC,codeC即为注册码。