废话我就不多说了,我就直奔主题吧。
呵呵,首先,因为这个CrackMe加了壳,所以我们先将他的壳去掉。
//外壳入口,第一层外壳,往下拉动滚动条,找到RETN子程序返回语句。
代码:
004B5000 > 9C PUSHFD
004B5001 60 PUSHAD
004B5002 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
004B5006 E8 00000000 CALL CRACKME1.004B500B
004B500B 5D POP EBP
004B500C 81ED 351C4000 SUB EBP,CRACKME1.00401C35
004B5012 50 PUSH EAX
004B5013 E8 ED020000 CALL CRACKME1.004B5305
004B5018 85C0 TEST EAX,EAX
004B501A 0F84 B3000000 JE CRACKME1.004B50D3
004B5020 8985 9C224000 MOV DWORD PTR SS:[EBP+40229C],EAX
004B5026 E8 95030000 CALL CRACKME1.004B53C0
004B502B 85C0 TEST EAX,EAX
004B502D 0F84 87000000 JE CRACKME1.004B50BA
004B5033 6A 00 PUSH 0
004B5035 FF95 D7214000 CALL DWORD PTR SS:[EBP+4021D7]
004B503B 8985 AC224000 MOV DWORD PTR SS:[EBP+4022AC],EAX
004B5041 80BD B0224000 0>CMP BYTE PTR SS:[EBP+4022B0],1
004B5048 0F85 86000000 JNZ CRACKME1.004B50D4
004B504E E8 9E010000 CALL CRACKME1.004B51F1
004B5053 85C0 TEST EAX,EAX
004B5055 74 63 JE SHORT CRACKME1.004B50BA
004B5057 E8 C4010000 CALL CRACKME1.004B5220
004B505C E8 DE030000 CALL CRACKME1.004B543F
004B5061 85C0 TEST EAX,EAX
004B5063 74 3D JE SHORT CRACKME1.004B50A2
004B5065 FFB5 A4224000 PUSH DWORD PTR SS:[EBP+4022A4]
004B506B 6A 00 PUSH 0
004B506D 68 72010000 PUSH 172
004B5072 FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B5078 FF95 66224000 CALL DWORD PTR SS:[EBP+402266]
004B507E FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B5084 FF95 77224000 CALL DWORD PTR SS:[EBP+402277]
004B508A FFB5 A8224000 PUSH DWORD PTR SS:[EBP+4022A8]
004B5090 FF95 C2214000 CALL DWORD PTR SS:[EBP+4021C2]
004B5096 FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B509C FF95 28224000 CALL DWORD PTR SS:[EBP+402228]
004B50A2 FFB5 A4224000 PUSH DWORD PTR SS:[EBP+4022A4]
004B50A8 FF95 AA214000 CALL DWORD PTR SS:[EBP+4021AA]
004B50AE FFB5 98224000 PUSH DWORD PTR SS:[EBP+402298]
004B50B4 FF95 F6214000 CALL DWORD PTR SS:[EBP+4021F6]
004B50BA 8B85 AC224000 MOV EAX,DWORD PTR SS:[EBP+4022AC]
004B50C0 0385 94224000 ADD EAX,DWORD PTR SS:[EBP+402294]
004B50C6 8985 F91C4000 MOV DWORD PTR SS:[EBP+401CF9],EAX
004B50CC 61 POPAD
004B50CD 9D POPFD
004B50CE 68 00000000 PUSH 0
004B50D3 C3 RETN //在这里下一个断点,F9运行程序将中断在这里
//返回到这里,和上面一样,往下拉到滚动条,找到第一个JMP语句就行。
代码:
004B4000 90 NOP
004B4001 90 NOP
004B4002 90 NOP
004B4003 90 NOP
............................... //省略一大段NOP语句,
...............................
004B41A6 90 NOP
004B41A7 90 NOP
004B41A8 90 NOP
004B41A9 - E9 32D1FFFF JMP CRACKME1.004B12E0 //到这里,在这里下一个断点,F9运行程序将中断在这里。
//接着到这里,这是UPX的外壳,也是最后一层壳,UPX也很好脱,还是和前面一样,往下拉动滚动条到下面,找到POPAD语句就是跳向程序入口的OEP处。
代码:
004B12E0 60 PUSHAD
004B12E1 BE 00104700 MOV ESI,CRACKME1.00471000
004B12E6 8DBE 0000F9FF LEA EDI,DWORD PTR DS:[ESI+FFF90000]
004B12EC C787 D0240900 7>MOV DWORD PTR DS:[EDI+924D0],484B2170
004B12F6 57 PUSH EDI
004B12F7 83CD FF OR EBP,FFFFFFFF
004B12FA EB 0E JMP SHORT CRACKME1.004B130A
004B12FC 90 NOP
004B12FD 90 NOP
004B12FE 90 NOP
004B12FF 90 NOP
004B1300 8A06 MOV AL,BYTE PTR DS:[ESI]
004B1302 46 INC ESI
004B1303 8807 MOV BYTE PTR DS:[EDI],AL
004B1305 47 INC EDI
004B1306 01DB ADD EBX,EBX
004B1308 75 07 JNZ SHORT CRACKME1.004B1311
004B130A 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B130C 83EE FC SUB ESI,-4
004B130F 11DB ADC EBX,EBX
004B1311 ^ 72 ED JB SHORT CRACKME1.004B1300
004B1313 B8 01000000 MOV EAX,1
004B1318 01DB ADD EBX,EBX
004B131A 75 07 JNZ SHORT CRACKME1.004B1323
004B131C 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B131E 83EE FC SUB ESI,-4
004B1321 11DB ADC EBX,EBX
004B1323 11C0 ADC EAX,EAX
004B1325 01DB ADD EBX,EBX
004B1327 73 0B JNB SHORT CRACKME1.004B1334
004B1329 75 19 JNZ SHORT CRACKME1.004B1344
004B132B 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B132D 83EE FC SUB ESI,-4
004B1330 11DB ADC EBX,EBX
004B1332 72 10 JB SHORT CRACKME1.004B1344
004B1334 48 DEC EAX
004B1335 01DB ADD EBX,EBX
004B1337 75 07 JNZ SHORT CRACKME1.004B1340
004B1339 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B133B 83EE FC SUB ESI,-4
004B133E 11DB ADC EBX,EBX
004B1340 11C0 ADC EAX,EAX
004B1342 ^ EB D4 JMP SHORT CRACKME1.004B1318
004B1344 31C9 XOR ECX,ECX
004B1346 83E8 03 SUB EAX,3
004B1349 72 11 JB SHORT CRACKME1.004B135C
004B134B C1E0 08 SHL EAX,8
004B134E 8A06 MOV AL,BYTE PTR DS:[ESI]
004B1350 46 INC ESI
004B1351 83F0 FF XOR EAX,FFFFFFFF
004B1354 74 78 JE SHORT CRACKME1.004B13CE
004B1356 D1F8 SAR EAX,1
004B1358 89C5 MOV EBP,EAX
004B135A EB 0B JMP SHORT CRACKME1.004B1367
004B135C 01DB ADD EBX,EBX
004B135E 75 07 JNZ SHORT CRACKME1.004B1367
004B1360 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B1362 83EE FC SUB ESI,-4
004B1365 11DB ADC EBX,EBX
004B1367 11C9 ADC ECX,ECX
004B1369 01DB ADD EBX,EBX
004B136B 75 07 JNZ SHORT CRACKME1.004B1374
004B136D 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B136F 83EE FC SUB ESI,-4
004B1372 11DB ADC EBX,EBX
004B1374 11C9 ADC ECX,ECX
004B1376 75 20 JNZ SHORT CRACKME1.004B1398
004B1378 41 INC ECX
004B1379 01DB ADD EBX,EBX
004B137B 75 07 JNZ SHORT CRACKME1.004B1384
004B137D 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B137F 83EE FC SUB ESI,-4
004B1382 11DB ADC EBX,EBX
004B1384 11C9 ADC ECX,ECX
004B1386 01DB ADD EBX,EBX
004B1388 ^ 73 EF JNB SHORT CRACKME1.004B1379
004B138A 75 09 JNZ SHORT CRACKME1.004B1395
004B138C 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B138E 83EE FC SUB ESI,-4
004B1391 11DB ADC EBX,EBX
004B1393 ^ 73 E4 JNB SHORT CRACKME1.004B1379
004B1395 83C1 02 ADD ECX,2
004B1398 81FD 00FBFFFF CMP EBP,-500
004B139E 83D1 01 ADC ECX,1
004B13A1 8D142F LEA EDX,DWORD PTR DS:[EDI+EBP]
004B13A4 83FD FC CMP EBP,-4
004B13A7 76 0F JBE SHORT CRACKME1.004B13B8
004B13A9 8A02 MOV AL,BYTE PTR DS:[EDX]
004B13AB 42 INC EDX
004B13AC 8807 MOV BYTE PTR DS:[EDI],AL
004B13AE 47 INC EDI
004B13AF 49 DEC ECX
004B13B0 ^ 75 F7 JNZ SHORT CRACKME1.004B13A9
004B13B2 ^ E9 4FFFFFFF JMP CRACKME1.004B1306
004B13B7 90 NOP
004B13B8 8B02 MOV EAX,DWORD PTR DS:[EDX]
004B13BA 83C2 04 ADD EDX,4
004B13BD 8907 MOV DWORD PTR DS:[EDI],EAX
004B13BF 83C7 04 ADD EDI,4
004B13C2 83E9 04 SUB ECX,4
004B13C5 ^ 77 F1 JA SHORT CRACKME1.004B13B8
004B13C7 01CF ADD EDI,ECX
004B13C9 ^ E9 38FFFFFF JMP CRACKME1.004B1306
004B13CE 5E POP ESI
004B13CF 89F7 MOV EDI,ESI
004B13D1 B9 A6470000 MOV ECX,47A6
004B13D6 8A07 MOV AL,BYTE PTR DS:[EDI]
004B13D8 47 INC EDI
004B13D9 2C E8 SUB AL,0E8
004B13DB 3C 01 CMP AL,1
004B13DD ^ 77 F7 JA SHORT CRACKME1.004B13D6
004B13DF 803F 19 CMP BYTE PTR DS:[EDI],19
004B13E2 ^ 75 F2 JNZ SHORT CRACKME1.004B13D6
004B13E4 8B07 MOV EAX,DWORD PTR DS:[EDI]
004B13E6 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
004B13E9 66:C1E8 08 SHR AX,8
004B13ED C1C0 10 ROL EAX,10
004B13F0 86C4 XCHG AH,AL
004B13F2 29F8 SUB EAX,EDI
004B13F4 80EB E8 SUB BL,0E8
004B13F7 01F0 ADD EAX,ESI
004B13F9 8907 MOV DWORD PTR DS:[EDI],EAX
004B13FB 83C7 05 ADD EDI,5
004B13FE 89D8 MOV EAX,EBX
004B1400 ^ E2 D9 LOOPD SHORT CRACKME1.004B13DB
004B1402 8DBE 00E00A00 LEA EDI,DWORD PTR DS:[ESI+AE000]
004B1408 8B07 MOV EAX,DWORD PTR DS:[EDI]
004B140A 09C0 OR EAX,EAX
004B140C 74 3C JE SHORT CRACKME1.004B144A
004B140E 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
004B1411 8D8430 30200B00 LEA EAX,DWORD PTR DS:[EAX+ESI+B2030]
004B1418 01F3 ADD EBX,ESI
004B141A 50 PUSH EAX
004B141B 83C7 08 ADD EDI,8
004B141E FF96 F8200B00 CALL DWORD PTR DS:[ESI+B20F8]
004B1424 95 XCHG EAX,EBP
004B1425 8A07 MOV AL,BYTE PTR DS:[EDI]
004B1427 47 INC EDI
004B1428 08C0 OR AL,AL
004B142A ^ 74 DC JE SHORT CRACKME1.004B1408
004B142C 89F9 MOV ECX,EDI
004B142E 57 PUSH EDI
004B142F 48 DEC EAX
004B1430 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004B1432 55 PUSH EBP
004B1433 FF96 FC200B00 CALL DWORD PTR DS:[ESI+B20FC]
004B1439 09C0 OR EAX,EAX
004B143B 74 07 JE SHORT CRACKME1.004B1444
004B143D 8903 MOV DWORD PTR DS:[EBX],EAX
004B143F 83C3 04 ADD EBX,4
004B1442 ^ EB E1 JMP SHORT CRACKME1.004B1425
004B1444 FF96 00210B00 CALL DWORD PTR DS:[ESI+B2100]
004B144A 61 POPAD //到这里,下一个断点,F9运行程序将中断在这里。
004B144B ^ E9 A8EBFDFF JMP CRACKME1.0048FFF8 //跨段跳,跳到程序入口。
//程序入口点,在这里用OD插件Dump下来,再用ImpERC软件修复一下就行。本来我脱这个壳的目的是为了方便OD跟踪的,但一听说楼主有自验效,偶就不敢用他来调试了,嘿嘿!不过,偶还是有办法,偶就不脱他的壳直接带壳调试了(估计楼主加壳就是为了自验效:D)。脱壳后的文件我可以用来使用DeDe反汇编以方便动态跟踪。^Q^
代码:
0048FFF8 55 PUSH EBP
0048FFF9 8BEC MOV EBP,ESP
0048FFFB 83C4 F4 ADD ESP,-0C
0048FFFE B8 18FE4800 MOV EAX,CRACKME1.0048FE18
00490003 E8 6C65F7FF CALL CRACKME1.00406574
00490008 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
0049000D 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049000F E8 D890FAFF CALL CRACKME1.004390EC
00490014 E8 FFFCFFFF CALL CRACKME1.0048FD18
00490019 84C0 TEST AL,AL
0049001B 74 0E JE SHORT CRACKME1.0049002B
0049001D A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490022 8B00 MOV EAX,DWORD PTR DS:[EAX]
00490024 E8 0F92FAFF CALL CRACKME1.00439238
00490029 EB 24 JMP SHORT CRACKME1.0049004F
0049002B 8B0D 6C244900 MOV ECX,DWORD PTR DS:[49246C] ; CRACKME1.0049393C
00490031 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490036 8B00 MOV EAX,DWORD PTR DS:[EAX]
00490038 8B15 68F24800 MOV EDX,DWORD PTR DS:[48F268] ; CRACKME1.0048F2B4
0049003E E8 C190FAFF CALL CRACKME1.00439104
00490043 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490048 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049004A E8 3591FAFF CALL CRACKME1.00439184
0049004F E8 5839F7FF CALL CRACKME1.004039AC
00490054 0000 ADD BYTE PTR DS:[EAX],AL
00490056 0000 ADD BYTE PTR DS:[EAX],AL
00490058 0000 ADD BYTE PTR DS:[EAX],AL
0049005A 0000 ADD BYTE PTR DS:[EAX],AL
//现在我们用DeDe反汇编脱壳后的文件,看看有什么蛛丝马迹(注意,我使用的是小黑的修改版DeDe,原版无法反汇编加过壳的程序,小黑修改版DeDe你们可以去零度地带主页上下载。),我在DeDe里看到了三个“比较”有用的过程。^_^
//第一个过程:BUTTON1过程。不过看了一下,发现这个过程跟本没有对我们的注册码和用户名进行过运算,只是将我们的用户名和注册码写入注册表而已,OK,我们不用去管这个过程了。
代码:
0048FB2C 55 push ebp
0048FB2D 8BEC mov ebp, esp
0048FB2F 6A00 push $00
0048FB31 6A00 push $00
0048FB33 6A00 push $00
0048FB35 33C0 xor eax, eax
0048FB37 55 push ebp
0048FB38 68E5FB4800 push $0048FBE5
***** TRY
|
0048FB3D 64FF30 push dword ptr fs:[eax]
0048FB40 648920 mov fs:[eax], esp
0048FB43 8D55FC lea edx, [ebp-$04]
0048FB46 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to control Edit1 : TEdit
|
0048FB4B 8B80D8020000 mov eax, [eax+$02D8]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB51 E89670FBFF call 00446BEC
0048FB56 8B45FC mov eax, [ebp-$04]
0048FB59 50 push eax
* Possible String Reference to: 'name'
|
0048FB5A B9F8FB4800 mov ecx, $0048FBF8
* Possible String Reference to: 'Reg'
|
0048FB5F BA08FC4800 mov edx, $0048FC08
0048FB64 A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB69 E8E2F5FFFF call 0048F150
0048FB6E 8D55F8 lea edx, [ebp-$08]
0048FB71 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to control Edit2 : TEdit
|
0048FB76 8B80E0020000 mov eax, [eax+$02E0]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB7C E86B70FBFF call 00446BEC
0048FB81 8B45F8 mov eax, [ebp-$08]
0048FB84 50 push eax
* Possible String Reference to: 'code'
|
0048FB85 B914FC4800 mov ecx, $0048FC14
* Possible String Reference to: 'Reg'
|
0048FB8A BA08FC4800 mov edx, $0048FC08
0048FB8F A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB94 E8B7F5FFFF call 0048F150
0048FB99 6A01 push $01
0048FB9B 8D55F4 lea edx, [ebp-$0C]
0048FB9E A16C234900 mov eax, dword ptr [$0049236C]
0048FBA3 8B00 mov eax, [eax]
* Reference to: ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
| or: forms.TApplication.GetExeName(TApplication):AnsiString;
|
0048FBA5 E8A29AFAFF call 0043964C
0048FBAA 8B45F4 mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
0048FBAD E87643F7FF call 00403F28
0048FBB2 50 push eax
* Reference to: Y.WinExec()
|
0048FBB3 E8386CF7FF call 004067F0
0048FBB8 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to: forms.TCustomForm.Close(TCustomForm);
|
0048FBBD E8D663FAFF call 00435F98
0048FBC2 33C0 xor eax, eax
0048FBC4 5A pop edx
0048FBC5 59 pop ecx
0048FBC6 59 pop ecx
0048FBC7 648910 mov fs:[eax], edx
****** FINALLY
|
0048FBCA 68ECFB4800 push $0048FBEC
0048FBCF 8D45F4 lea eax, [ebp-$0C]
* Reference to: system.@LStrClr(String;String);
|
0048FBD2 E80D3FF7FF call 00403AE4
0048FBD7 8D45F8 lea eax, [ebp-$08]
0048FBDA BA02000000 mov edx, $00000002
* Reference to: system.@LStrArrayClr;
|
0048FBDF E8243FF7FF call 00403B08
0048FBE4 C3 ret
* Reference to: system.@HandleFinally;
|
0048FBE5 E99239F7FF jmp 0040357C
0048FBEA EBE3 jmp 0048FBCF
****** END
|
0048FBEC 8BE5 mov esp, ebp
0048FBEE 5D pop ebp
0048FBEF C3 ret
//呵呵~~!我们来看看第二个过程(注意:这个过程是启动时运行的),不过我发现这个过程也没有什么用,只是将我们的用户名和注册码取出来而已,OK,这个过程我们也不用管了。了。
代码:
0048F574 55 push ebp
0048F575 8BEC mov ebp, esp
0048F577 6A00 push $00
0048F579 6A00 push $00
0048F57B 33C0 xor eax, eax
0048F57D 55 push ebp
* Possible String Reference to: '閛??腚YY]?
|
0048F57E 6808F64800 push $0048F608
***** TRY
|
0048F583 64FF30 push dword ptr fs:[eax]
0048F586 648920 mov fs:[eax], esp
* Possible String Reference to: 'Software\aCaFeeL\CrackMe'
|
0048F589 B91CF64800 mov ecx, $0048F61C
0048F58E B201 mov dl, $01
0048F590 A108E94800 mov eax, dword ptr [$0048E908]
* Reference to: registry.TRegIniFile.Create(TRegIniFile;boolean;AnsiString);overload;
| or: registry.TRegistryIniFile.Create(TRegistryIniFile;boolean;AnsiString);overload;
|
0048F595 E856FAFFFF call 0048EFF0
0048F59A A344394900 mov dword ptr [$00493944], eax
0048F59F 6A00 push $00
0048F5A1 8D45FC lea eax, [ebp-$04]
0048F5A4 50 push eax
* Possible String Reference to: 'name'
|
0048F5A5 B940F64800 mov ecx, $0048F640
* Possible String Reference to: 'Reg'
|
0048F5AA BA50F64800 mov edx, $0048F650
0048F5AF A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.ReadString(TRegIniFile;AnsiString;AnsiString;AnsiString):AnsiString;
|
0048F5B4 E8CBFAFFFF call 0048F084
0048F5B9 8B55FC mov edx, [ebp-$04]
0048F5BC B848394900 mov eax, $00493948
* Reference to: system.@LStrAsg;
|
0048F5C1 E87245F7FF call 00403B38
0048F5C6 6A00 push $00
0048F5C8 8D45F8 lea eax, [ebp-$08]
0048F5CB 50 push eax
* Possible String Reference to: 'code'
|
0048F5CC B95CF64800 mov ecx, $0048F65C
* Possible String Reference to: 'Reg'
|
0048F5D1 BA50F64800 mov edx, $0048F650
0048F5D6 A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.ReadString(TRegIniFile;AnsiString;AnsiString;AnsiString):AnsiString;
|
0048F5DB E8A4FAFFFF call 0048F084
0048F5E0 8B55F8 mov edx, [ebp-$08]
0048F5E3 B84C394900 mov eax, $0049394C
* Reference to: system.@LStrAsg;
|
0048F5E8 E84B45F7FF call 00403B38
0048F5ED 33C0 xor eax, eax
0048F5EF 5A pop edx
0048F5F0 59 pop ecx
0048F5F1 59 pop ecx
0048F5F2 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: 'YY]?
|
0048F5F5 680FF64800 push $0048F60F
0048F5FA 8D45F8 lea eax, [ebp-$08]
0048F5FD BA02000000 mov edx, $00000002
* Reference to: system.@LStrArrayClr;
|
0048F602 E80145F7FF call 00403B08
0048F607 C3 ret
* Reference to: system.@HandleFinally;
|
0048F608 E96F3FF7FF jmp 0040357C
0048F60D EBEB jmp 0048F5FA
****** END
|
0048F60F 59 pop ecx
0048F610 59 pop ecx
0048F611 5D pop ebp
0048F612 C3 ret
//最后,我们来到最后一个过程,这个过程是关键过程(注意:这个过程也是程序启动时运行的),现在我们来看看他进行什么操作^Q^。
代码:
0048F848 55 push ebp
0048F849 8BEC mov ebp, esp
0048F84B 33C9 xor ecx, ecx
0048F84D 51 push ecx
0048F84E 51 push ecx
0048F84F 51 push ecx
0048F850 51 push ecx
0048F851 51 push ecx
0048F852 51 push ecx
0048F853 51 push ecx
0048F854 51 push ecx
0048F855 53 push ebx
0048F856 56 push esi
0048F857 57 push edi
0048F858 8945FC mov [ebp-$04], eax
0048F85B 33C0 xor eax, eax
0048F85D 55 push ebp
0048F85E 686EFA4800 push $0048FA6E
//注册SEH异常,我们不管他
***** TRY
|
0048F863 64FF30 push dword ptr fs:[eax]
0048F866 648920 mov fs:[eax], esp
0048F869 BFF7000000 mov edi, $000000F7
0048F86E 8D45F8 lea eax, [ebp-$08]
//下面是解密“螜┴1”字符,。。。。。。忘了是解密什么了,不过也不是很重要的。^_^
* Possible String Reference to: '螜┴1'
|
0048F871 BA84FA4800 mov edx, $0048FA84
* Reference to: system.@LStrLAsg;
|
0048F876 E80143F7FF call 00403B7C
0048F87B 8B45F8 mov eax, [ebp-$08]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0048F87E E8E144F7FF call 00403D64
0048F883 8BF0 mov esi, eax
0048F885 85F6 test esi, esi
0048F887 7E1F jle 0048F8A8
0048F889 BB01000000 mov ebx, $00000001
0048F88E 8D45F8 lea eax, [ebp-$08]
* Reference to: system.UniqueString(String;String);
|
0048F891 E89E46F7FF call 00403F34
0048F896 8B55F8 mov edx, [ebp-$08]
0048F899 0FB6541AFF movzx edx, byte ptr [edx+ebx-$01] //开始解密字符。
0048F89E 2BD7 sub edx, edi
0048F8A0 885418FF mov [eax+ebx-$01], dl
0048F8A4 43 inc ebx
0048F8A5 4E dec esi
0048F8A6 75E6 jnz 0048F88E
0048F8A8 8D45F8 lea eax, [ebp-$08]
0048F8AB 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrLAsg;
|
0048F8AE E8C942F7FF call 00403B7C
0048F8B3 8D45F4 lea eax, [ebp-$0C]
0048F8B6 BA94FA4800 mov edx, $0048FA94
* Reference to: system.@LStrLAsg;
|
0048F8BB E8BC42F7FF call 00403B7C
0048F8C0 8B45F4 mov eax, [ebp-$0C]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0048F8C3 E89C44F7FF call 00403D64
0048F8C8 8BF0 mov esi, eax
0048F8CA 85F6 test esi, esi
0048F8CC 7E1F jle 0048F8ED
0048F8CE BB01000000 mov ebx, $00000001
0048F8D3 8D45F4 lea eax, [ebp-$0C]
* Reference to: system.UniqueString(String;String);
|
0048F8D6 E85946F7FF call 00403F34
0048F8DB 8B55F4 mov edx, [ebp-$0C]
0048F8DE 0FB6541AFF movzx edx, byte ptr [edx+ebx-$01]
0048F8E3 2BD7 sub edx, edi
0048F8E5 885418FF mov [eax+ebx-$01], dl
0048F8E9 43 inc ebx
0048F8EA 4E dec esi
0048F8EB 75E6 jnz 0048F8D3
0048F8ED 8D45F4 lea eax, [ebp-$0C]
0048F8F0 8B55F4 mov edx, [ebp-$0C]
* Reference to: system.@LStrLAsg;
|
0048F8F3 E88442F7FF call 00403B7C
0048F8F8 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048F8FB 8B9804030000 mov ebx, [eax+$0304]
0048F901 80BB3801000001 cmp byte ptr [ebx+$0138], $01
0048F908 7519 jnz 0048F923 //这个跳转不用去管他。
0048F90A 8D55F0 lea edx, [ebp-$10]
0048F90D 8BC3 mov eax, ebx
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048F90F E8D872FBFF call 00446BEC
0048F914 8B45F0 mov eax, [ebp-$10]
* Possible String Reference to: '尚未注册的版本!'
|
0048F917 BAACFA4800 mov edx, $0048FAAC
* Reference to: system.@LStrCmp;
|
0048F91C E85345F7FF call 00403E74
0048F921 7411 jz 0048F934 //这个跳转也不用去管他
0048F923 A16C234900 mov eax, dword ptr [$0049236C]
0048F928 8B00 mov eax, [eax]
* Reference to: forms.TApplication.Terminate(TApplication);
|
0048F92A E80999FAFF call 00439238
0048F92F E98C000000 jmp 0048F9C0
0048F934 8D55EC lea edx, [ebp-$14]
0048F937 A148394900 mov eax, dword ptr [$00493948]
//嘿嘿关键的地方终于到了。:D
|
0048F93C E823FDFFFF call 0048F664 //关键Call,运算注册码子程序。F7进。
0048F941 8B45EC mov eax, [ebp-$14]
0048F944 8B154C394900 mov edx, [$0049394C]
//真假注册码比较Call子程序
* Reference to: sysutils.AnsiCompareStr(AnsiString;AnsiString):Integer;
| or: sysutils.AnsiSameStr(AnsiString;AnsiString):Boolean;
|
0048F94A E8B989F7FF call 00408308 //真假注册码比较,明码比较,追到这里可以看到真假注册码。
0048F94F 84C0 test al, al //测试Al值。
0048F951 746D jz 0048F9C0 //不跳就注册成功,下面的不管他。
0048F953 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048F956 8B8004030000 mov eax, [eax+$0304]
0048F95C 33D2 xor edx, edx
* Reference to : TFLabel._PROC_0048E79C()
|
0048F95E E839EEFFFF call 0048E79C
0048F963 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048F966 8B8004030000 mov eax, [eax+$0304]
0048F96C 8B4058 mov eax, [eax+$58]
0048F96F 33D2 xor edx, edx
* Reference to: graphics.TFont.SetColor(TFont;TColor);
|
0048F971 E8B6A9F8FF call 0041A32C
0048F976 8D45E8 lea eax, [ebp-$18]
0048F979 8B0D48394900 mov ecx, [$00493948]
0048F97F 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrCat3;
|
0048F982 E82944F7FF call 00403DB0
0048F987 8B55E8 mov edx, [ebp-$18]
0048F98A 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048F98D 8B8004030000 mov eax, [eax+$0304]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0048F993 E88472FBFF call 00446C1C
0048F998 8B45FC mov eax, [ebp-$04]
* Reference to control Edit1 : TEdit
|
0048F99B 8B80D8020000 mov eax, [eax+$02D8]
0048F9A1 8B1548394900 mov edx, [$00493948]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0048F9A7 E87072FBFF call 00446C1C
0048F9AC 8B45FC mov eax, [ebp-$04]
* Reference to control Edit2 : TEdit
|
0048F9AF 8B80E0020000 mov eax, [eax+$02E0]
0048F9B5 8B154C394900 mov edx, [$0049394C]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0048F9BB E85C72FBFF call 00446C1C
0048F9C0 8D55E4 lea edx, [ebp-$1C]
0048F9C3 A148394900 mov eax, dword ptr [$00493948]
|
0048F9C8 E897FCFFFF call 0048F664
0048F9CD 8B45E4 mov eax, [ebp-$1C]
0048F9D0 8B154C394900 mov edx, [$0049394C]
* Reference to: sysutils.AnsiCompareStr(AnsiString;AnsiString):Integer;
| or: sysutils.AnsiSameStr(AnsiString;AnsiString):Boolean;
|
0048F9D6 E82D89F7FF call 00408308
0048F9DB 84C0 test al, al
0048F9DD 7557 jnz 0048FA36
0048F9DF 8D55E0 lea edx, [ebp-$20]
0048F9E2 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048F9E5 8B8004030000 mov eax, [eax+$0304]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048F9EB E8FC71FBFF call 00446BEC
0048F9F0 8B55E0 mov edx, [ebp-$20]
0048F9F3 8B45F8 mov eax, [ebp-$08]
* Reference to: system.@LStrPos;
|
0048F9F6 E85546F7FF call 00404050
0048F9FB 85C0 test eax, eax
0048F9FD 7E37 jle 0048FA36
0048F9FF 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048FA02 8B8004030000 mov eax, [eax+$0304]
0048FA08 B201 mov dl, $01
* Reference to : TFLabel._PROC_0048E79C()
|
0048FA0A E88DEDFFFF call 0048E79C
0048FA0F 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048FA12 8B8004030000 mov eax, [eax+$0304]
0048FA18 8B4058 mov eax, [eax+$58]
0048FA1B BAFF000000 mov edx, $000000FF
* Reference to: graphics.TFont.SetColor(TFont;TColor);
|
0048FA20 E807A9F8FF call 0041A32C
0048FA25 8B45FC mov eax, [ebp-$04]
* Reference to control FLabel1 : TFLabel
|
0048FA28 8B8004030000 mov eax, [eax+$0304]
0048FA2E 8B55F4 mov edx, [ebp-$0C]
* Reference to: controls.TControl.SetText(TControl;TCaption);
|
0048FA31 E8E671FBFF call 00446C1C
0048FA36 33C0 xor eax, eax
0048FA38 5A pop edx
0048FA39 59 pop ecx
0048FA3A 59 pop ecx
0048FA3B 648910 mov fs:[eax], edx
****** FINALLY
|
0048FA3E 6875FA4800 push $0048FA75
0048FA43 8D45E0 lea eax, [ebp-$20]
* Reference to: system.@LStrClr(String;String);
|
0048FA46 E89940F7FF call 00403AE4
0048FA4B 8D45E4 lea eax, [ebp-$1C]
0048FA4E BA03000000 mov edx, $00000003
* Reference to: system.@LStrArrayClr;
|
0048FA53 E8B040F7FF call 00403B08
0048FA58 8D45F0 lea eax, [ebp-$10]
* Reference to: system.@LStrClr(String;String);
|
0048FA5B E88440F7FF call 00403AE4
0048FA60 8D45F4 lea eax, [ebp-$0C]
0048FA63 BA02000000 mov edx, $00000002
* Reference to: system.@LStrArrayClr;
|
0048FA68 E89B40F7FF call 00403B08
0048FA6D C3 ret
* Reference to: system.@HandleFinally;
|
0048FA6E E9093BF7FF jmp 0040357C
0048FA73 EBCE jmp 0048FA43
****** END
|
0048FA75 5F pop edi
0048FA76 5E pop esi
0048FA77 5B pop ebx
0048FA78 8BE5 mov esp, ebp
0048FA7A 5D pop ebp
0048FA7B C3 ret
//这里是运算注册码的关键Call部分。
代码:
0048F664 55 push ebp
0048F665 8BEC mov ebp, esp
0048F667 33C9 xor ecx, ecx
0048F669 51 push ecx
0048F66A 51 push ecx
0048F66B 51 push ecx
0048F66C 51 push ecx
0048F66D 51 push ecx
0048F66E 51 push ecx
0048F66F 51 push ecx
0048F670 51 push ecx
0048F671 53 push ebx
0048F672 56 push esi
0048F673 57 push edi
0048F674 8955F8 mov [ebp-$08], edx
0048F677 8945FC mov [ebp-$04], eax
0048F67A 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrAddRef;
|
0048F67D E89648F7FF call 00403F18
0048F682 33C0 xor eax, eax
0048F684 55 push ebp
//解密字符,不重要,不管他。
* Possible String Reference to: '楱=?脬_^[嬪]?
|
0048F685 68CFF74800 push $0048F7CF
***** TRY
|
0048F68A 64FF30 push dword ptr fs:[eax]
0048F68D 648920 mov fs:[eax], esp
0048F690 BF1B000000 mov edi, $0000001B
0048F695 8D45E4 lea eax, [ebp-$1C]
//解密字符,不重要,不管他。
* Possible String Reference to: '屋疖'
|
0048F698 BAE8F74800 mov edx, $0048F7E8
* Reference to: system.@LStrLAsg;
|
0048F69D E8DA44F7FF call 00403B7C
0048F6A2 8B45E4 mov eax, [ebp-$1C]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0048F6A5 E8BA46F7FF call 00403D64
0048F6AA 8BD8 mov ebx, eax
0048F6AC 85DB test ebx, ebx
0048F6AE 7E1F jle 0048F6CF
0048F6B0 BE01000000 mov esi, $00000001
0048F6B5 8D45E4 lea eax, [ebp-$1C]
* Reference to: system.UniqueString(String;String);
|
0048F6B8 E87748F7FF call 00403F34
0048F6BD 8B55E4 mov edx, [ebp-$1C]
0048F6C0 0FB65432FF movzx edx, byte ptr [edx+esi-$01]
0048F6C5 2BD7 sub edx, edi
0048F6C7 885430FF mov [eax+esi-$01], dl
0048F6CB 46 inc esi
0048F6CC 4B dec ebx
0048F6CD 75E6 jnz 0048F6B5
0048F6CF 8D45E4 lea eax, [ebp-$1C]
0048F6D2 8B55E4 mov edx, [ebp-$1C]
* Reference to: system.@LStrLAsg;
|
0048F6D5 E8A244F7FF call 00403B7C
0048F6DA 8D45E8 lea eax, [ebp-$18]
//解密字符,重要,这里是解密注册码的Key,当解密成功后的Key形式是:“AaBbC0cDdEe1FfGgH2hIiJj3KkLMm4NnOoP5pQqRr6SsTtU7uVvWw8XxYyZ9”
,保存下来,这个做注册机时有用。:
* Possible String Reference to: '\|]}^K~_`€La乥俢M僤別匩f唃h圤i塲妅
| P媗宮峇n巓弍R恞憆扴s搕攗T'
|
0048F6DD BAF8F74800 mov edx, $0048F7F8
* Reference to: system.@LStrLAsg;
|
0048F6E2 E89544F7FF call 00403B7C
0048F6E7 8B45E8 mov eax, [ebp-$18]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0048F6EA E87546F7FF call 00403D64
0048F6EF 8BD8 mov ebx, eax
0048F6F1 85DB test ebx, ebx
0048F6F3 7E1F jle 0048F714
0048F6F5 BE01000000 mov esi, $00000001
0048F6FA 8D45E8 lea eax, [ebp-$18]
//开始解密Key。
* Reference to: system.UniqueString(String;String);
|
0048F6FD E83248F7FF call 00403F34
0048F702 8B55E8 mov edx, [ebp-$18]
0048F705 0FB65432FF movzx edx, byte ptr [edx+esi-$01]
0048F70A 2BD7 sub edx, edi
0048F70C 885430FF mov [eax+esi-$01], dl
0048F710 46 inc esi
0048F711 4B dec ebx
0048F712 75E6 jnz 0048F6FA
0048F714 8D45E8 lea eax, [ebp-$18]
0048F717 8B55E8 mov edx, [ebp-$18]
* Reference to: system.@LStrLAsg;
|
0048F71A E85D44F7FF call 00403B7C
0048F71F 8D45F0 lea eax, [ebp-$10]
0048F722 8B55E8 mov edx, [ebp-$18]
* Reference to: system.@LStrLAsg;
|
0048F725 E85244F7FF call 00403B7C
0048F72A 8B45FC mov eax, [ebp-$04]
0048F72D 8B154C394900 mov edx, [$0049394C]
//比较用户名和注册码是否相同,不用管他。
* Reference to: system.@LStrCmp;
|
0048F733 E83C47F7FF call 00403E74
0048F738 750F jnz 0048F749
0048F73A 8B45F8 mov eax, [ebp-$08]
* Possible String Reference to: '陈樟'
|
0048F73D BA40F84800 mov edx, $0048F840
* Reference to: system.@LStrAsg;
|
0048F742 E8F143F7FF call 00403B38
0048F747 EB63 jmp 0048F7AC
0048F749 8D45F4 lea eax, [ebp-$0C]
0048F74C 8B55FC mov edx, [ebp-$04]
* Reference to: system.@LStrLAsg;
|
0048F74F E82844F7FF call 00403B7C
0048F754 8B45FC mov eax, [ebp-$04]
//取得用户名的长度,程序开始运算注册码,我们要开始注意以下语句,做注册码时有用。
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
0048F757 E80846F7FF call 00403D64 //取得用户名长度
0048F75C 8BD8 mov ebx, eax
0048F75E 85DB test ebx, ebx
0048F760 7E3F jle 0048F7A1
0048F762 BF01000000 mov edi, $00000001
0048F767 8B45F4 mov eax, [ebp-$0C]
0048F76A 33C9 xor ecx, ecx //ECX清0
0048F76C 8A4C38FF mov cl, byte ptr [eax+edi-$01] //依次循环取出用户名。
0048F770 81C1E01E0000 add ecx, $00001EE0 //用户名的ASCII码和0x1EE0相加,
0048F776 8BC1 mov eax, ecx //保存到EAX作下一次运算
0048F778 B91B000000 mov ecx, $0000001B //ECX等于0x1B
0048F77D 99 cdq //寄存器符号扩展
0048F77E F7F9 idiv ecx //EAX和ECX相除,结果到EAX,余数到EDX(我们要得到的是余数)
0048F780 8BF2 mov esi, edx //相除的余数送给ESI
0048F782 46 inc esi //ESI加1
0048F783 8D45E0 lea eax, [ebp-$20]
0048F786 8B55F0 mov edx, [ebp-$10] //取得解密后的Key
0048F789 8A5432FF mov dl, byte ptr [edx+esi-$01] //以余数作为指针取得Key中的任意一个值作为注册码。
* Reference to: system.@LStrFromChar(String;String;Char);
| or: system.@LStrFromWChar(String;String;WideChar);
| or: system.@WStrFromChar(WideString;WideString;Char);
| or: system.@WStrFromWChar(WideString;WideString;WideChar);
|
0048F78D E8FA44F7FF call 00403C8C //将取出的取转成Char字符。
0048F792 8B55E0 mov edx, [ebp-$20]
0048F795 8D45EC lea eax, [ebp-$14]
* Reference to: system.@LStrCat;
|
0048F798 E8CF45F7FF call 00403D6C //保存
0048F79D 47 inc edi 指针加1
0048F79E 4B dec ebx 计数减1
0048F79F 75C6 jnz 0048F767 //用户名未运算完毕跳回去继续,完毕之后退出循环。
0048F7A1 8B45F8 mov eax, [ebp-$08] //到这里注册码的已经运算完毕,以下的我们就不用管他了。
0048F7A4 8B55EC mov edx, [ebp-$14]
* Reference to: system.@LStrAsg;
|
0048F7A7 E88C43F7FF call 00403B38
0048F7AC 33C0 xor eax, eax
0048F7AE 5A pop edx
0048F7AF 59 pop ecx
0048F7B0 59 pop ecx
0048F7B1 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[嬪]?
|
0048F7B4 68D6F74800 push $0048F7D6
0048F7B9 8D45E0 lea eax, [ebp-$20]
0048F7BC BA06000000 mov edx, $00000006
* Reference to: system.@LStrArrayClr;
|
0048F7C1 E84243F7FF call 00403B08
0048F7C6 8D45FC lea eax, [ebp-$04]
* Reference to: system.@LStrClr(String;String);
|
0048F7C9 E81643F7FF call 00403AE4
0048F7CE C3 ret
* Reference to: system.@HandleFinally;
|
0048F7CF E9A83DF7FF jmp 0040357C
0048F7D4 EBE3 jmp 0048F7B9
****** END
|
0048F7D6 5F pop edi
0048F7D7 5E pop esi
0048F7D8 5B pop ebx
0048F7D9 8BE5 mov esp, ebp
0048F7DB 5D pop ebp
0048F7DC C3 ret
至此,注册码算法分析完毕,因为我是带壳调试,所以没有遇到自验效,没去看他的自验效在哪里,你们有兴趣的可以去找找。
这注册码算法用Delphi来表达则是:
代码:
Key := 'AaBbC0cDdEe1FfGgH2hIiJj3KkLMm4NnOoP5pQqRr6SsTtU7uVvWw8XxYyZ9';
Name := 用户名;
Function KeyGen(Name,Key:String):String;
var i,j:Integer;
k:String;
begin
for i := 1 to length(Name) do
begin
j := ((byte(ord(Name[i])) + $1EE0) mod $1B) + 1;
k := k + chr(byte(ord(Key[j])));
end;
Result := k
end;
最后附上Delphi的注册机源码和注册机编写器的源码。
Delphi源码:
代码:
Function KeyGen(Name,Key:String):String;
var i,j:Integer;
k:String;
begin
for i := 1 to length(Name) do
begin
j := ((byte(ord(Name[i])) + $1EE0) mod $1B) + 1;
k := k + chr(byte(ord(Key[j])));
end;
Result := k
end;
procedure TForm1.Button1Click(Sender: TObject);
var Name,Key:String;
begin
if Edit1.Text <> '' then
begin
Key := 'AaBbC0cDdEe1FfGgH2hIiJj3KkLMm4NnOoP5pQqRr6SsTtU7uVvWw8XxYyZ9';
Name := Edit1.Text;
Edit2.Text := KeyGen(Name,Key);
end;
end;
注册机编写器源码:
代码:
.const
.data
szHomePage db "http://www.chinadfcg.com",0
szEmail db "mailto:ljyljx@163.com",0
szErrMess db "输入的序列号不正确!",0
Key db "AaBbC0cDdEe1FfGgH2hIiJj3KkLMm4NnOoP5pQqRr6SsTtU7uVvWw8XxYyZ9",0
SN db 50 dup(0)
.code
mov esi,1
loc_01:
lea eax,hInput1
mov al,byte ptr [eax+esi-1]
test al,al
jz loc_02
and eax,0ffh
add eax,1EE0h
mov ecx,1Bh
cdq
idiv ecx
and edx,0ffh
inc dl
lea ebx,Key
lea ecx,SN
mov al,byte ptr [ebx+edx]
mov [ecx+esi-1],al
inc esi
jmp loc_01
loc_02:
lea eax,SN
|
|
