【Title】: 速填助手Quickfill 2.42 - Complete Analysis
【Author】: KuNgBiM
【Author e-mail】: kungbim@163.com
【Author homepage】: http://www.crkcn.com
【Software】: 速填助手Quickfill 2.42
【Size】: 942KB
【Download】: search for it yourself
【Packer】: N/A
【Protection】: NAG + serial number + keyfile
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD
【Platform】: pirated XP SP2
【Description】: 速填助手Quickfill is a program that helps you handle keyboard input more easily.
【Author's note】: Done purely out of interest, with no other purpose. If I have made mistakes, please correct me!
--------------------------------------------------------------------------------
【Detailed walkthrough】
Trial registration:
Username: KuNgBiM
Trial code: 1234567890
The program is not packed and was compiled with Borland Delphi 6.0 - 7.0, so it loads straight into OD for debugging.
Use OD's string-reference plugin to search for the failure prompt string; it leads here, where we set a breakpoint:
004EB084 /. 55 push ebp ; set the breakpoint here after the search; F9 to run, it breaks here
004EB085 |. 8BEC mov ebp, esp
004EB087 |. B9 05000000 mov ecx, 5
004EB08C |> 6A 00 /push 0
004EB08E |. 6A 00 |push 0
004EB090 |. 49 |dec ecx
004EB091 |.^ 75 F9 \jnz short 004EB08C
004EB093 |. 53 push ebx
004EB094 |. 56 push esi
004EB095 |. 8BD8 mov ebx, eax
004EB097 |. 33C0 xor eax, eax
004EB099 |. 55 push ebp
004EB09A |. 68 0DB34E00 push 004EB30D
004EB09F |. 64:FF30 push dword ptr fs:[eax]
004EB0A2 |. 64:8920 mov dword ptr fs:[eax], esp
004EB0A5 |. 8D55 F8 lea edx, dword ptr [ebp-8]
004EB0A8 |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004EB0AE |. E8 4159F7FF call 004609F4 ; get the username, then compute its length
004EB0B3 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "KuNgBiM"
004EB0B6 |. E8 159CF1FF call 00404CD0
004EB0BB |. 8BF0 mov esi, eax
004EB0BD |. 8D55 F4 lea edx, dword ptr [ebp-C]
004EB0C0 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
004EB0C6 |. E8 2959F7FF call 004609F4 ; get the trial code, then compute its length
004EB0CB |. 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII "1234567890"
004EB0CE |. E8 FD9BF1FF call 00404CD0
004EB0D3 |. 0FAFF0 imul esi, eax ; integer multiply, EAX=0xA, ESI=0x7
004EB0D6 |. 85F6 test esi, esi ; EAX*ESI=0x46; zero means one of the fields is empty
004EB0D8 |. 0F84 CF010000 je 004EB2AD
004EB0DE |. 8D55 E8 lea edx, dword ptr [ebp-18]
004EB0E1 |. 8B83 0C030000 mov eax, dword ptr [ebx+30C] ; EAX=0xA
004EB0E7 |. E8 0859F7FF call 004609F4 ; get the username, then compute its length
004EB0EC |. 8B45 E8 mov eax, dword ptr [ebp-18] ; ASCII "KuNgBiM"
004EB0EF |. 8D55 EC lea edx, dword ptr [ebp-14]
004EB0F2 |. E8 B1DDF1FF call 00408EA8 ; convert the username to upper case
004EB0F7 |. 8B45 EC mov eax, dword ptr [ebp-14] ; ASCII "KUNGBIM"
004EB0FA |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004EB0FD |. 66:BA 3E03 mov dx, 33E ; ★key value dx=0x33E★
004EB101 |. E8 5AD1FDFF call 004C8260 ; ★key CALL, step into it (first transform)
004EB106 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004EB109 |. 8D55 FC lea edx, dword ptr [ebp-4]
004EB10C |. E8 C7D1FDFF call 004C82D8 ; ★key CALL, step into it (second transform)
004EB111 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004EB114 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
004EB11A |. E8 D558F7FF call 004609F4
004EB11F |. 8B55 E4 mov edx, dword ptr [ebp-1C] ; fake code, ASCII "1234567890"
004EB122 |. 8B45 FC mov eax, dword ptr [ebp-4] ; real code, ASCII "H162348251617"
004EB125 |. E8 F29CF1FF call 00404E1C ; standard string-compare CALL
004EB12A |. 0F85 7D010000 jnz 004EB2AD ; if this jumps, it's GAME OVER
004EB130 |. A1 A0E64E00 mov eax, dword ptr [4EE6A0]
004EB135 |. C600 00 mov byte ptr [eax], 0
004EB138 |. 6A 40 push 40
004EB13A |. 68 1CB34E00 push 004EB31C ; 注册:
004EB13F |. 68 24B34E00 push 004EB324 ; 注册成功!\r真诚感谢您注册,好运永远伴随您。
004EB144 |. 8BC3 mov eax, ebx
004EB146 |. E8 A9C2F7FF call 004673F4
004EB14B |. 50 push eax ; |hOwner
004EB14C |. E8 AFC7F1FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004EB151 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB156 |. 8B00 mov eax, dword ptr [eax]
004EB158 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB15E |. E8 7596FCFF call 004B47D8 ; start writing the registration file
004EB163 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB168 |. 8B00 mov eax, dword ptr [eax]
004EB16A |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB170 |. E8 EBBFFCFF call 004B7160
004EB175 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB17A |. 8B00 mov eax, dword ptr [eax]
004EB17C |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB182 |. BA 58B34E00 mov edx, 004EB358 ; Item
004EB187 |. E8 5CA6FCFF call 004B57E8
004EB18C |. BA 68B34E00 mov edx, 004EB368 ; UserName
004EB191 |. 8B08 mov ecx, dword ptr [eax]
004EB193 |. FF91 B0000000 call dword ptr [ecx+B0]
004EB199 |. 8D55 E0 lea edx, dword ptr [ebp-20]
004EB19C |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004EB1A2 |. E8 4D58F7FF call 004609F4
004EB1A7 |. 8B45 E0 mov eax, dword ptr [ebp-20]
004EB1AA |. 50 push eax
004EB1AB |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB1B0 |. 8B00 mov eax, dword ptr [eax]
004EB1B2 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB1B8 |. BA 7CB34E00 mov edx, 004EB37C ; Value
004EB1BD |. E8 26A6FCFF call 004B57E8
004EB1C2 |. 5A pop edx
004EB1C3 |. 8B08 mov ecx, dword ptr [eax]
004EB1C5 |. FF91 B0000000 call dword ptr [ecx+B0]
004EB1CB |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB1D0 |. 8B00 mov eax, dword ptr [eax]
004EB1D2 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB1D8 |. 8B10 mov edx, dword ptr [eax]
004EB1DA |. FF92 4C020000 call dword ptr [edx+24C]
004EB1E0 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB1E5 |. 8B00 mov eax, dword ptr [eax]
004EB1E7 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB1ED |. E8 6EBFFCFF call 004B7160
004EB1F2 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB1F7 |. 8B00 mov eax, dword ptr [eax]
004EB1F9 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB1FF |. BA 58B34E00 mov edx, 004EB358 ; Item
004EB204 |. E8 DFA5FCFF call 004B57E8
004EB209 |. BA 8CB34E00 mov edx, 004EB38C ; SerialNumber
004EB20E |. 8B08 mov ecx, dword ptr [eax]
004EB210 |. FF91 B0000000 call dword ptr [ecx+B0]
004EB216 |. 8D55 DC lea edx, dword ptr [ebp-24]
004EB219 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
004EB21F |. E8 D057F7FF call 004609F4
004EB224 |. 8B45 DC mov eax, dword ptr [ebp-24]
004EB227 |. 50 push eax
004EB228 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB22D |. 8B00 mov eax, dword ptr [eax]
004EB22F |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB235 |. BA 7CB34E00 mov edx, 004EB37C ; Value
004EB23A |. E8 A9A5FCFF call 004B57E8
004EB23F |. 5A pop edx
004EB240 |. 8B08 mov ecx, dword ptr [eax]
004EB242 |. FF91 B0000000 call dword ptr [ecx+B0]
004EB248 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB24D |. 8B00 mov eax, dword ptr [eax]
004EB24F |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB255 |. 8B10 mov edx, dword ptr [eax]
004EB257 |. FF92 4C020000 call dword ptr [edx+24C] ; written to the system directory as "WinQuickFill.dll"
004EB25D |. 8B15 E4E64E00 mov edx, dword ptr [4EE6E4]
004EB263 |. 8B12 mov edx, dword ptr [edx] ; C:\WINDOWS\system32\WinQuickFill.dll
004EB265 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB26A |. 8B00 mov eax, dword ptr [eax]
004EB26C |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB272 |. 33C9 xor ecx, ecx
004EB274 |. E8 2B71FDFF call 004C23A4
004EB279 |. A1 2CE44E00 mov eax, dword ptr [4EE42C]
004EB27E |. 8B00 mov eax, dword ptr [eax]
004EB280 |. 8B80 98030000 mov eax, dword ptr [eax+398]
004EB286 |. E8 5995FCFF call 004B47E4
004EB28B |. 8D55 D8 lea edx, dword ptr [ebp-28]
004EB28E |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004EB294 |. E8 5B57F7FF call 004609F4
004EB299 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004EB29C |. A1 4CE14E00 mov eax, dword ptr [4EE14C]
004EB2A1 |. E8 BE97F1FF call 00404A64
004EB2A6 |. 8BC3 mov eax, ebx
004EB2A8 |. E8 9321F9FF call 0047D440
004EB2AD |> A1 A0E64E00 mov eax, dword ptr [4EE6A0]
004EB2B2 |. 8038 00 cmp byte ptr [eax], 0
004EB2B5 |. 74 19 je short 004EB2D0
004EB2B7 |. 6A 30 push 30
004EB2B9 |. 68 9CB34E00 push 004EB39C ; 注册失败
004EB2BE |. 68 A8B34E00 push 004EB3A8 ; 您输入的注册用户名与注册码不相符合。
; \r请检查输入是否有误。您可使用“复制”、
; “粘贴”操作以避免键盘输入失误。
004EB2C3 |. 8BC3 mov eax, ebx
004EB2C5 |. E8 2AC1F7FF call 004673F4
004EB2CA |. 50 push eax ; |hOwner
004EB2CB |. E8 30C6F1FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004EB2D0 |> 33C0 xor eax, eax
004EB2D2 |. 5A pop edx
004EB2D3 |. 59 pop ecx
004EB2D4 |. 59 pop ecx
004EB2D5 |. 64:8910 mov dword ptr fs:[eax], edx
004EB2D8 |. 68 14B34E00 push 004EB314
004EB2DD |> 8D45 D8 lea eax, dword ptr [ebp-28]
004EB2E0 |. BA 05000000 mov edx, 5
004EB2E5 |. E8 4A97F1FF call 00404A34
004EB2EA |. 8D45 EC lea eax, dword ptr [ebp-14]
004EB2ED |. BA 02000000 mov edx, 2
004EB2F2 |. E8 3D97F1FF call 00404A34
004EB2F7 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004EB2FA |. BA 02000000 mov edx, 2
004EB2FF |. E8 3097F1FF call 00404A34
004EB304 |. 8D45 FC lea eax, dword ptr [ebp-4]
004EB307 |. E8 0497F1FF call 00404A10
004EB30C \. C3 retn
004EB30D .^ E9 3E90F1FF jmp 00404350
004EB312 .^ EB C9 jmp short 004EB2DD
004EB314 . 5E pop esi
004EB315 . 5B pop ebx
004EB316 . 8BE5 mov esp, ebp
004EB318 . 5D pop ebp
004EB319 . C3 retn
★First encryption routine★
004C8260 /$ 53 push ebx ; call 004C8260 lands here
004C8261 |. 56 push esi
004C8262 |. 57 push edi
004C8263 |. 55 push ebp
004C8264 |. 83C4 F8 add esp, -8
004C8267 |. 8BE9 mov ebp, ecx
004C8269 |. 8BF2 mov esi, edx
004C826B |. 890424 mov dword ptr [esp], eax
004C826E |. 8B0424 mov eax, dword ptr [esp]
004C8271 |. E8 5ACAF3FF call 00404CD0
004C8276 |. 8BD0 mov edx, eax
004C8278 |. 8BC5 mov eax, ebp
004C827A |. E8 DDCDF3FF call 0040505C
004C827F |. 8B0424 mov eax, dword ptr [esp]
004C8282 |. E8 49CAF3FF call 00404CD0
004C8287 |. 84C0 test al, al
004C8289 |. 76 45 jbe short 004C82D0
004C828B |. 884424 04 mov byte ptr [esp+4], al
004C828F |. B3 01 mov bl, 1
004C8291 |> /8BC5 /mov eax, ebp ; first transform of the username
004C8293 |. |E8 90CCF3FF |call 00404F28
004C8298 |. |8BFB |mov edi, ebx
004C829A |. |81E7 FF000000 |and edi, 0FF
004C82A0 |. |8B1424 |mov edx, dword ptr [esp]
004C82A3 |. 8A543A FF |mov dl, byte ptr [edx+edi-1] ; take the username characters one at a time
; ds:[00E3C384]=4B ('K')
; ds:[00E3C385]=55 ('U')
; ds:[00E3C386]=4E ('N')
; ds:[00E3C387]=47 ('G')
; ds:[00E3C388]=42 ('B')
; ds:[00E3C389]=49 ('I')
; ds:[00E3C38A]=4D ('M')
;
004C82A7 |. |0FB7CE |movzx ecx, si ; si holds the initial value passed in dx
; si=0x033E // initial value
; si=0xF416
; si=0xA1DB
; si=0x77AA
; si=0xBDFA
; si=0xEAC5
; si=0xE320
;
004C82AA |. C1E9 08 |shr ecx, 8 ; logical shift right by 8 bits (two hex digits), leaving the high byte of si in cl
004C82AD |. 32D1 |xor dl, cl ; XOR: dl xor cl
; 0x03 xor 0x4B = 0x48
; 0xF4 xor 0x55 = 0xA1
; 0xA1 xor 0x4E = 0xEF
; 0x77 xor 0x47 = 0x30
; 0xBD xor 0x42 = 0xFF
; 0xEA xor 0x49 = 0xA3
; 0xE3 xor 0x4D = 0xAE
;
004C82AF |. 885438 FF |mov byte ptr [eax+edi-1], dl ; ★stores the byte that feeds the second routine★
; dl=0x48 ('H')
; dl=0xA1
; dl=0xEF ('?')
; dl=0x30 ('0')
; dl=0xFF
; dl=0xA3 ('?')
; dl=0xAE ('?')
;
004C82B3 |. |8B45 00 |mov eax, dword ptr [ebp]
004C82B6 |. |0FB64438 FF |movzx eax, byte ptr [eax+edi-1]
004C82BB |. |66:03F0 |add si, ax ; addition: si = si + ax
; 0x48+0x33E=0x386
; 0xA1+0xF416=0xFFB7
; 0xEF+0xA1DB=0xA134
; 0x30+0x77AA=0x77DA
; 0xFF+0xBDFA=0xBEF9
; 0xA3+0xEAC5=0xEB68
; 0xAE+0xE320=0xE3CE
;
004C82BE |. |66:69C6 D500 |imul ax, si, 0D5 ; integer multiply: ax = si * 0xD5
004C82C3 |. |66:05 9805 |add ax, 598 ; addition: ax = ax + 0x598
; ax=0xF416
; ax=0x9C43
; ax=0x7212
; ax=0xB862
; ax=0xE52D
; ax=0xDD88
; ax=0x8A66
004C82C7 |. |8BF0 |mov esi, eax
004C82C9 |. |43 |inc ebx
004C82CA |. |FE4C24 04 |dec byte ptr [esp+4]
004C82CE |.^\75 C1 \jnz short 004C8291 ; loop over the username
004C82D0 |> \59 pop ecx
004C82D1 |. 5A pop edx
004C82D2 |. 5D pop ebp
004C82D3 |. 5F pop edi
004C82D4 |. 5E pop esi
004C82D5 |. 5B pop ebx
004C82D6 \. C3 retn ; return, on to the second routine
★Second encryption (conversion) routine★
004C82D8 /$ 55 push ebp ; call 004C82D8 lands here
004C82D9 |. 8BEC mov ebp, esp
004C82DB |. 33C9 xor ecx, ecx
004C82DD |. 51 push ecx
004C82DE |. 51 push ecx
004C82DF |. 51 push ecx
004C82E0 |. 51 push ecx
004C82E1 |. 51 push ecx
004C82E2 |. 51 push ecx
004C82E3 |. 53 push ebx
004C82E4 |. 56 push esi
004C82E5 |. 8955 F8 mov dword ptr [ebp-8], edx
004C82E8 |. 8945 FC mov dword ptr [ebp-4], eax
004C82EB |. 8B45 FC mov eax, dword ptr [ebp-4]
004C82EE |. E8 CDCBF3FF call 00404EC0
004C82F3 |. 33C0 xor eax, eax
004C82F5 |. 55 push ebp
004C82F6 |. 68 B0834C00 push 004C83B0
004C82FB |. 64:FF30 push dword ptr fs:[eax]
004C82FE |. 64:8920 mov dword ptr fs:[eax], esp
004C8301 |. 8B45 FC mov eax, dword ptr [ebp-4]
004C8304 |. E8 C7C9F3FF call 00404CD0
004C8309 |. 8BF0 mov esi, eax
004C830B |. 85F6 test esi, esi
004C830D |. 7E 73 jle short 004C8382
004C830F |. BB 01000000 mov ebx, 1
004C8314 |> 8B45 FC /mov eax, dword ptr [ebp-4] ; take the bytes of the first transform's output one at a time
004C8317 |. 8A4418 FF |mov al, byte ptr [eax+ebx-1] ; dl=0x48 ('H')
; dl=0xA1
; dl=0xEF ('?')
; dl=0x30 ('0')
; dl=0xFF
; dl=0xA3 ('?')
; dl=0xAE ('?')
004C831B |. 3C 7A |cmp al, 7A
004C831D |. 73 04 |jnb short 004C8323
004C831F |. 3C 61 |cmp al, 61
004C8321 |. 77 11 |ja short 004C8334
004C8323 |> 8B45 FC |mov eax, dword ptr [ebp-4]
004C8326 |. 8A5418 FF |mov dl, byte ptr [eax+ebx-1]
004C832A |. 80FA 5A |cmp dl, 5A
004C832D |. 73 21 |jnb short 004C8350
004C832F |. 80FA 41 |cmp dl, 41
004C8332 |. 76 1C |jbe short 004C8350
004C8334 |> 8D45 EC |lea eax, dword ptr [ebp-14]
004C8337 |. 8B55 FC |mov edx, dword ptr [ebp-4]
004C833A |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
004C833E |. E8 B5C8F3FF |call 00404BF8
004C8343 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004C8346 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004C8349 |. E8 8AC9F3FF |call 00404CD8
004C834E |. EB 2E |jmp short 004C837E
004C8350 |> 8D45 F0 |lea eax, dword ptr [ebp-10]
004C8353 |. 50 |push eax
004C8354 |. 8D55 E8 |lea edx, dword ptr [ebp-18]
004C8357 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004C835A |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1]
004C835F |. E8 FC10F4FF |call 00409460 ; converts the byte value to its decimal string
004C8364 |. 8B45 E8 |mov eax, dword ptr [ebp-18] ; ASCII "H"
; ASCII "161"
; ASCII "239"
; ASCII "48"
; ASCII "255"
; ASCII "163"
; ASCII "174"
;
004C8367 |. B9 02000000 |mov ecx, 2 ; only the first 2 characters of each result are kept
004C836C |. 33D2 |xor edx, edx
004C836E |. E8 BDCBF3FF |call 00404F30
004C8373 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004C8376 |. 8B55 F0 |mov edx, dword ptr [ebp-10] ; ASCII "H"
; ASCII "16"
; ASCII "23"
; ASCII "48"
; ASCII "25"
; ASCII "16"
; ASCII "17"
004C8379 |. E8 5AC9F3FF |call 00404CD8
004C837E |> 43 |inc ebx
004C837F |. 4E |dec esi
004C8380 |.^ 75 92 \jnz short 004C8314 ; loop
004C8382 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; after conversion the pieces are joined
004C8385 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; the real code appears, ASCII "H162348251617"
004C8388 |. E8 D7C6F3FF call 00404A64
004C838D |. 33C0 xor eax, eax
004C838F |. 5A pop edx
004C8390 |. 59 pop ecx
004C8391 |. 59 pop ecx
004C8392 |. 64:8910 mov dword ptr fs:[eax], edx
004C8395 |. 68 B7834C00 push 004C83B7
004C839A |> 8D45 E8 lea eax, dword ptr [ebp-18]
004C839D |. BA 04000000 mov edx, 4
004C83A2 |. E8 8DC6F3FF call 00404A34
004C83A7 |. 8D45 FC lea eax, dword ptr [ebp-4]
004C83AA |. E8 61C6F3FF call 00404A10
004C83AF \. C3 retn
004C83B0 .^ E9 9BBFF3FF jmp 00404350
004C83B5 .^ EB E3 jmp short 004C839A
004C83B7 . 5E pop esi
004C83B8 . 5B pop ebx
004C83B9 . 8BE5 mov esp, ebp
004C83BB . 5D pop ebp
004C83BC . C3 retn ; return to the program
★Perfect patch point★
004E7779 . /74 47 je short 004E77C2 ; NOP it out!
--------------------------------------------------------------------------------
【Summary】
A simple algorithm and garbage protection; anyone can follow this article, so it will do!
I won't write a keygen, it's too simple...
Happy Valentine's Day, everyone!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
14 February 2007, 11:55:33 PM