FlashScreenMaker

标题： FlashScreenMaker算法分析
作者：网游难民
时间：2006-10-16 20:43
链接：http://bbs.pediy.com/showthread.php?threadid=33374

【文章标题】: FlashScreenMaker算法分析
【文章作者】: 网游难民
【作者主页】: www.chinapyg.com
【软件名称】: FlashScreenMaker
【下载地址】: http://www.screensaver-maker.biz
【加壳方式】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【保护方式】: 壳，注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: PEID，OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
偶脱这个壳时有点郁闷，竟然忘记怎么脱的了，最后搜索popad,下断，运行，F8两步，脱掉了！！！
呵呵，偶壳盲的方法，高手误笑~~~
OD载入后，搜索字符串，有两处错误提示，找到合适的地方下断，开始分析~~：
004B78FC 55 PUSH EBP
004B78FD 8BEC MOV EBP,ESP
004B78FF 83C4 BC ADD ESP,-44
004B7902 53 PUSH EBX
004B7903 56 PUSH ESI
004B7904 57 PUSH EDI
004B7905 33C9 XOR ECX,ECX
004B7907 894D BC MOV DWORD PTR SS:[EBP-44],ECX
004B790A 894D C0 MOV DWORD PTR SS:[EBP-40],ECX
004B790D 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
004B7910 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004B7913 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
004B7916 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B7919 33C0 XOR EAX,EAX
004B791B 55 PUSH EBP
004B791C 68 3C7C4B00 PUSH BE3A0.004B7C3C
004B7921 64:FF30 PUSH DWORD PTR FS:[EAX]
004B7924 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B7927 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B792A 8B80 2C030000 MOV EAX,DWORD PTR DS:[EAX+32C]
004B7930 33D2 XOR EDX,EDX
004B7932 E8 F1F0F7FF CALL BE3A0.00436A28
004B7937 8B0D 301F4C00 MOV ECX,DWORD PTR DS:[4C1F30] ; BE3A0.004C13F8
004B793D 8B09 MOV ECX,DWORD PTR DS:[ECX] ; 固定字符串 Flash ScreenSaver Maker
004B793F 8B15 B41D4C00 MOV EDX,DWORD PTR DS:[4C1DB4] ; BE3A0.004C18B8
004B7945 8B12 MOV EDX,DWORD PTR DS:[EDX] ; 用户名~
004B7947 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004B794A E8 BDD1F4FF CALL BE3A0.00404B0C ; 把用户名和固定字符串Flash ScreenSaver Maker连接起来~记为A~
004B794F 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
004B7952 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004B7955 E8 8AEFFFFF CALL BE3A0.004B68E4
004B795A 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004B795D 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B7960 E8 F3EFFFFF CALL BE3A0.004B6958
004B7965 E9 AD000000 JMP BE3A0.004B7A17
004B796A 33C0 XOR EAX,EAX
004B796C 55 PUSH EBP
004B796D 68 B0794B00 PUSH BE3A0.004B79B0
004B7972 64:FF30 PUSH DWORD PTR FS:[EAX]
004B7975 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B7978 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
004B797B 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004B797E 8A12 MOV DL,BYTE PTR DS:[EDX]
004B7980 E8 63D0F4FF CALL BE3A0.004049E8
004B7985 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004B7988 E8 5F15F5FF CALL BE3A0.00408EEC
004B798D 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
004B7990 8B15 241B4C00 MOV EDX,DWORD PTR DS:[4C1B24] ; BE3A0.004C4854
004B7996 8D34C2 LEA ESI,DWORD PTR DS:[EDX+EAX*8]
004B7999 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
004B799C B9 06000000 MOV ECX,6
004B79A1 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004B79A3 33C0 XOR EAX,EAX
004B79A5 5A POP EDX
004B79A6 59 POP ECX
004B79A7 59 POP ECX
004B79A8 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B79AB E9 FC000000 JMP BE3A0.004B7AAC
004B79B0 ^ E9 F7C4F4FF JMP BE3A0.00403EAC
004B79B5 6A 10 PUSH 10
004B79B7 68 4C7C4B00 PUSH BE3A0.004B7C4C ; error
004B79BC 68 547C4B00 PUSH BE3A0.004B7C54 ; register failed, please check user name and serial number.
004B79C1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79C4 E8 7704FBFF CALL BE3A0.00467E40
004B79C9 50 PUSH EAX
004B79CA E8 45FAF4FF CALL <JMP.&USER32.MessageBoxA>
004B79CF A1 B41D4C00 MOV EAX,DWORD PTR DS:[4C1DB4]
004B79D4 E8 27CEF4FF CALL BE3A0.00404800
004B79D9 A1 3C1D4C00 MOV EAX,DWORD PTR DS:[4C1D3C]
004B79DE E8 1DCEF4FF CALL BE3A0.00404800
004B79E3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79E6 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B79EC 66:BE B5FF MOV SI,0FFB5
004B79F0 E8 D3C1F4FF CALL BE3A0.00403BC8
004B79F5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79F8 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B79FE E8 F5E3F9FF CALL BE3A0.00455DF8
004B7A03 E8 0CC8F4FF CALL BE3A0.00404214
004B7A08 E9 07020000 JMP BE3A0.004B7C14
004B7A0D E8 02C8F4FF CALL BE3A0.00404214
004B7A12 E9 95000000 JMP BE3A0.004B7AAC
004B7A17 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A1A BA 06000000 MOV EDX,6
004B7A1F E8 28D4F4FF CALL BE3A0.00404E4C
004B7A24 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A27 E8 ECD2F4FF CALL BE3A0.00404D18
004B7A2C 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A32 8B12 MOV EDX,DWORD PTR DS:[EDX] ; 注册码放在EDX中~~
004B7A34 8A52 03 MOV DL,BYTE PTR DS:[EDX+3] ; 取注册码第四位~~
004B7A37 8810 MOV BYTE PTR DS:[EAX],DL
004B7A39 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A3C E8 D7D2F4FF CALL BE3A0.00404D18
004B7A41 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A47 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A49 8A52 01 MOV DL,BYTE PTR DS:[EDX+1] ; 取注册码第2位
004B7A4C 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004B7A4F 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A52 E8 C1D2F4FF CALL BE3A0.00404D18
004B7A57 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A5D 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A5F 8A52 02 MOV DL,BYTE PTR DS:[EDX+2] ; 取注册码第三位~
004B7A62 8850 02 MOV BYTE PTR DS:[EAX+2],DL
004B7A65 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A68 E8 ABD2F4FF CALL BE3A0.00404D18
004B7A6D 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A73 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A75 8A52 05 MOV DL,BYTE PTR DS:[EDX+5] ; 取注册码第六位~
004B7A78 8850 03 MOV BYTE PTR DS:[EAX+3],DL
004B7A7B 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A7E E8 95D2F4FF CALL BE3A0.00404D18
004B7A83 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A89 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A8B 8A52 06 MOV DL,BYTE PTR DS:[EDX+6] ; 取注册码第七位~
004B7A8E 8850 04 MOV BYTE PTR DS:[EAX+4],DL
004B7A91 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A94 E8 7FD2F4FF CALL BE3A0.00404D18
004B7A99 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C] ; BE3A0.004C18BC
004B7A9F 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7AA1 8A52 08 MOV DL,BYTE PTR DS:[EDX+8] ; 取注册码第9位~
004B7AA4 8850 05 MOV BYTE PTR DS:[EAX+5],DL
004B7AA7 ^ E9 BEFEFFFF JMP BE3A0.004B796A ; 把上面字符串连接起来~~记为B~
004B7AAC BA 02000000 MOV EDX,2
004B7AB1 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004B7AB4 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; 把B放在ECX中~~进入循环~
004B7AB7 8A4C11 FF MOV CL,BYTE PTR DS:[ECX+EDX-1]
004B7ABB 8B18 MOV EBX,DWORD PTR DS:[EAX]
004B7ABD 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8] ; 字符串A经过md5加密后的32位小写密文~~记位C~~
004B7AC0 3A4C1E FF CMP CL,BYTE PTR DS:[ESI+EBX-1]
004B7AC4 74 53 JE SHORT BE3A0.004B7B19 ; 关键跳转~~爆破点~~
004B7AC6 6A 10 PUSH 10
004B7AC8 68 4C7C4B00 PUSH BE3A0.004B7C4C ; error
004B7ACD 68 547C4B00 PUSH BE3A0.004B7C54 ; register failed, please check user name and serial number.
004B7AD2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7AD5 E8 6603FBFF CALL BE3A0.00467E40
004B7ADA 50 PUSH EAX
004B7ADB E8 34F9F4FF CALL <JMP.&USER32.MessageBoxA>
004B7AE0 A1 B41D4C00 MOV EAX,DWORD PTR DS:[4C1DB4]
004B7AE5 E8 16CDF4FF CALL BE3A0.00404800
004B7AEA A1 3C1D4C00 MOV EAX,DWORD PTR DS:[4C1D3C]
004B7AEF E8 0CCDF4FF CALL BE3A0.00404800
004B7AF4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7AF7 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B7AFD 66:BE B5FF MOV SI,0FFB5
004B7B01 E8 C2C0F4FF CALL BE3A0.00403BC8
004B7B06 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7B09 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B7B0F E8 E4E2F9FF CALL BE3A0.00455DF8
004B7B14 E9 FB000000 JMP BE3A0.004B7C14
004B7B19 42 INC EDX
004B7B1A 83C0 04 ADD EAX,4
004B7B1D 83FA 07 CMP EDX,7
004B7B20 ^ 75 92 JNZ SHORT BE3A0.004B7AB4 ; 关键循环~~
004B7B22 B2 01 MOV DL,1
004B7B24 A1 A0AD4300 MOV EAX,DWORD PTR DS:[43ADA0]
004B7B29 E8 7233F8FF CALL BE3A0.0043AEA0
004B7B2E 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
上面的循环拿分别用户码第2，3，6，7，9位和字符串C的第16，1，22，9，29位比较，有任何一位不相等就注册失败~

--------------------------------------------------------------------------------
【经验总结】
把用户名和固定字符串Flash ScreenSaver Maker（注意中间有空格）连接起来，求出其md5加密后的32位值，记为字符串C~
然后分别用户码第2，3，6，7，9位和字符串C的第16，1，22，9，29位比较，有任何一位不相等就注册失败~

比较简单的算法，菜鸟第一次独立完成加密算法的分析，兴奋ing~~~~

--------------------------------------------------------------------------------
【版权声明】: 菜鸟初学算法, 失误之处敬请诸位大侠赐教，转载请注明作者并保持文章的完整, 谢谢!