【文章标题】: 《办公室收文登记 1.0》算法分析
【文章作者】: 水中花
【软件名称】: 办公室收文登记
【下载地址】: 自己搜索下载
【加壳方式】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
【编写语言】: Delphi
【使用工具】: OD
【操作平台】: xp+sp2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一、用UPX加的壳,手动脱壳,用PEiD查看,是Delphi编写,请出DeDe,找到注册模块。
二、下断在此处
0057142C /. 55 push ebp
0057142D |. 8BEC mov ebp, esp
0057142F |. 33C9 xor ecx, ecx
00571431 |. 51 push ecx
00571432 |. 51 push ecx
00571433 |. 51 push ecx
00571434 |. 51 push ecx
00571435 |. 51 push ecx
00571436 |. 53 push ebx
00571437 |. 8BD8 mov ebx, eax
00571439 |. 33C0 xor eax, eax
0057143B |. 55 push ebp
0057143C |. 68 BE155700 push swdj_Unp.005715BE
00571441 |. 64:FF30 push dword ptr fs:[eax]
00571444 |. 64:8920 mov dword ptr fs:[eax], esp
00571447 |. 8D55 FC lea edx, dword ptr [ebp-4]
0057144A |. 8B83 DC020000 mov eax, dword ptr [ebx+2DC]
00571450 |. E8 E78BECFF call swdj_Unp.0043A03C
00571455 |. 8B45 FC mov eax, dword ptr [ebp-4] ; 输入的假码
00571458 |. 50 push eax
00571459 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0057145C |. 8B83 D8020000 mov eax, dword ptr [ebx+2D8]
00571462 |. E8 D58BECFF call swdj_Unp.0043A03C
00571467 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 机器码
0057146A |. 8D4D F8 lea ecx, dword ptr [ebp-8]
0057146D |. BA FF748200 mov edx, 8274FF ; 固定值8274FF
00571472 |. E8 6D28FFFF call swdj_Unp.00563CE4 ; 算法关键处
00571477 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; 出现真码
0057147A |. 58 pop eax
0057147B |. E8 F82CE9FF call swdj_Unp.00404178 ; 真假注册码比较
00571480 |. 74 22 je short swdj_Unp.005714A4 ; 关键跳
00571482 |. BA D4155700 mov edx, swdj_Unp.005715D4
00571487 |. B8 E4155700 mov eax, swdj_Unp.005715E4
0057148C |. E8 672CFFFF call swdj_Unp.005640F8
00571491 |. 8B83 DC020000 mov eax, dword ptr [ebx+2DC]
00571497 |. 8B10 mov edx, dword ptr [eax]
00571499 |. FF92 B0000000 call dword ptr [edx+B0]
0057149F |. E9 EF000000 jmp swdj_Unp.00571593
005714A4 |> BA 14165700 mov edx, swdj_Unp.00571614
005714A9 |. B8 24165700 mov eax, swdj_Unp.00571624
005714AE |. E8 452CFFFF call swdj_Unp.005640F8
005714B3 |. BA 48165700 mov edx, swdj_Unp.00571648
005714B8 |. 8BC3 mov eax, ebx
005714BA |. E8 AD8BECFF call swdj_Unp.0043A06C
跟进算法0057147B |. E8 F82CE9FF call swdj_Unp.00404178 处
00563CE4 /$ 55 push ebp
00563CE5 |. 8BEC mov ebp, esp
00563CE7 |. 6A 00 push 0
00563CE9 |. 6A 00 push 0
00563CEB |. 6A 00 push 0
00563CED |. 6A 00 push 0
00563CEF |. 6A 00 push 0
00563CF1 |. 53 push ebx
00563CF2 |. 56 push esi
00563CF3 |. 57 push edi
00563CF4 |. 8BF9 mov edi, ecx
00563CF6 |. 8BDA mov ebx, edx
00563CF8 |. 8BF0 mov esi, eax ; 机器码存入esi中
00563CFA |. 33C0 xor eax, eax ; 清零
00563CFC |. 55 push ebp
00563CFD |. 68 F83D5600 push swdj_Unp.00563DF8
00563D02 |. 64:FF30 push dword ptr fs:[eax]
00563D05 |. 64:8920 mov dword ptr fs:[eax], esp
00563D08 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00563D0B |. 8BD6 mov edx, esi
00563D0D |. E8 6E01EAFF call swdj_Unp.00403E80
00563D12 |. 895D F8 mov dword ptr [ebp-8], ebx
00563D15 |. 8BC7 mov eax, edi
00563D17 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; 机器码
00563D1A |. E8 1D01EAFF call swdj_Unp.00403E3C
00563D1F |. 8B45 F4 mov eax, dword ptr [ebp-C]
00563D22 |. E8 4103EAFF call swdj_Unp.00404068 ; 取机器码的长度
00563D27 |. 8BF0 mov esi, eax
00563D29 |. 85F6 test esi, esi
00563D2B |. 7E 3B jle short swdj_Unp.00563D68
00563D2D |. BB 01000000 mov ebx, 1
00563D32 |> 8BC7 /mov eax, edi ; 机器码存入eax
00563D34 |. E8 FF04EAFF |call swdj_Unp.00404238
00563D39 |. 8B55 F4 |mov edx, dword ptr [ebp-C] ; 机器码
00563D3C |. 8A541A FF |mov dl, byte ptr [edx+ebx-1] ; 依次取机器码
00563D40 |. 8B4D F8 |mov ecx, dword ptr [ebp-8] ; 初值为8274FF
00563D43 |. C1E9 08 |shr ecx, 8 ; 逻辑右移8位
00563D46 |. 32D1 |xor dl, cl ; 低位异或
00563D48 |. 885418 FF |mov byte ptr [eax+ebx-1], dl ; 低位存入[eax+ebx-1]中
00563D4C |. 8B07 |mov eax, dword ptr [edi] ; 变形后的机器码
00563D4E |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1]
00563D53 |. 0345 F8 |add eax, dword ptr [ebp-8] ; 低位异或后 add [ebp-8](初值为8274FF)
00563D56 |. 69C0 D5DD0000 |imul eax, eax, 0DDD5 ; 乘以固定串“0DDD5”
00563D5C |. 05 8BD50000 |add eax, 0D58B ; 加上固定串“0D58B”
00563D61 |. 8945 F8 |mov dword ptr [ebp-8], eax ; 存入[ebp-8]
00563D64 |. 43 |inc ebx ; 计数器加1
00563D65 |. 4E |dec esi
00563D66 |.^ 75 CA \jnz short swdj_Unp.00563D32
00563D68 |> 8D45 F4 lea eax, dword ptr [ebp-C] ; 机器码
00563D6B |. 8B17 mov edx, dword ptr [edi]
00563D6D |. E8 0E01EAFF call swdj_Unp.00403E80
00563D72 |. 8BC7 mov eax, edi
00563D74 |. E8 6F00EAFF call swdj_Unp.00403DE8
00563D79 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00563D7C |. E8 E702EAFF call swdj_Unp.00404068
00563D81 |. 8BF0 mov esi, eax
00563D83 |. 85F6 test esi, esi
00563D85 |. 7E 56 jle short swdj_Unp.00563DDD
00563D87 |. BB 01000000 mov ebx, 1
00563D8C |> 8B45 F4 /mov eax, dword ptr [ebp-C] ; 变形后的机器码地址
00563D8F |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; 依次取变形后的机器码
00563D94 |. 8945 FC |mov dword ptr [ebp-4], eax 存入[ebp-4]中
00563D97 |. FF37 |push dword ptr [edi]
00563D99 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00563D9C |. B9 1A000000 |mov ecx, 1A ; 1A为固定值
00563DA1 |. 99 |cdq ; 符号扩展
00563DA2 |. F7F9 |idiv ecx ; 带符号数除法
00563DA4 |. 8BD0 |mov edx, eax ; 商值赋给edx
00563DA6 |. 80C2 41 |add dl, 41 ; 商转换为大写字母
00563DA9 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
00563DAC |. E8 DF01EAFF |call swdj_Unp.00403F90
00563DB1 |. FF75 F0 |push dword ptr [ebp-10]
00563DB4 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00563DB7 |. B9 1A000000 |mov ecx, 1A
00563DBC |. 99 |cdq
00563DBD |. F7F9 |idiv ecx ; 带符号数除法
00563DBF |. 80C2 41 |add dl, 41 ; 余数转换为大写字母
00563DC2 |. 8D45 EC |lea eax, dword ptr [ebp-14]
00563DC5 |. E8 C601EAFF |call swdj_Unp.00403F90
00563DCA |. FF75 EC |push dword ptr [ebp-14]
00563DCD |. 8BC7 |mov eax, edi
00563DCF |. BA 03000000 |mov edx, 3
00563DD4 |. E8 4F03EAFF |call swdj_Unp.00404128
00563DD9 |. 43 |inc ebx
00563DDA |. 4E |dec esi
00563DDB |.^ 75 AF \jnz short swdj_Unp.00563D8C 循环操作
00563DDD |> 33C0 xor eax, eax
00563DDF |. 5A pop edx
00563DE0 |. 59 pop ecx
00563DE1 |. 59 pop ecx
00563DE2 |. 64:8910 mov dword ptr fs:[eax], edx
00563DE5 |. 68 FF3D5600 push swdj_Unp.00563DFF
00563DEA |> 8D45 EC lea eax, dword ptr [ebp-14]
00563DED |. BA 03000000 mov edx, 3
00563DF2 |. E8 1500EAFF call swdj_Unp.00403E0C
00563DF7 \. C3 retn
00563DF8 .- E9 67FAE9FF jmp swdj_Unp.00403864
00563DFD .^ EB EB jmp short swdj_Unp.00563DEA
00563DFF . 5F pop edi
00563E00 . 5E pop esi
00563E01 . 5B pop ebx
00563E02 . 8BE5 mov esp, ebp
00563E04 . 5D pop ebp
00563E05 . C3 retn
--------------------------------------------------------------------------------
【经验总结】
软件注册算法大致如下:
1、将机器码依次与一数据进行异或
2、将变形后的机器码依次与1A相除,分别取商和余数,并将两数化为大写字母
3、将以上所得的字母相连即为注册码
以上是菜鸟的分析,如果不对地方请大家多多指教!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年03月21日 13:00:48