Title: Easy Real Converter 1.6.2 analysis {verification on restart}
Link: http://www.unpack.cn/viewthread.php?tid=19668
Poster: 鹭影依凌
Date: 2007-11-30 06:48
1. Unpacking
A PEiD scan reports: ASPack 2.001 -> Alexey Solodovnikov
Unpacked with the ESP trick
Test-run the dumped program: it runs normally
2. Locating the code
;====================================================================|
;A search of the string references turns up several sensitive strings
;--------------------------------------------------------------------|
(1) Registration flag: licenced to & unregistered version
004AB333 push 004AB340 open
004AB35B push 004AB368 open
004AB39B mov edx, 004AB3F0 licenced to
004AB3B5 mov edx, 004AB408 unregistered version
004AB79B mov edx, 004AB854 \software\easy real converter
004AB7BC mov edx, 004AB87C user
004AB7D9 mov edx, 004AB88C keythank you
004AB7EE push 004AB890 thank you
004AB8EF push 004AB8FC open
(2) Runtime prompt: please register to
004AEDB1 mov eax, 004AEE50 65537
004AEDBE mov eax, 004AEE60 11854405724806361658422632892116497718759520709779
004AF1F0 mov edx, 004AF28C you have no free conversions remaining! please register to get unlimited conversions.
004AF226 push 004AF304 free conversions remaining! this action will perform
(3) Window title: unregistered version
004B9A8D mov edx, 004B9B58 easy real converter (unregistered version)
(4) Registry information: \software\easy real converter
004BAFB9 push 004BAFC8 open
004BAFE1 push 004BAFF0 open
004BB009 push 004BB018 open
004BB076 mov edx, 004BB0EC magicutils
004BB090 mov edx, 004BB11C 1.50
004BB163 mov edx, 004BB290 \software\easy real converter
004BB173 mov edx, 004BB2B8 user
004BB186 mov edx, 004BB2B8 user
(5) Hidden prompt (shown when the registry information has been deleted)
004BCEFB mov ecx, 004BCF90 error
004BCF00 mov edx, 004BCF98 easy real converter is not installed correctly, please reinstall easy real converter!
004BCF21 mov ecx, 004BCF90 error
004BCF26 mov edx, 004BCFF0 error in initializing!
004BCF59 mov edx, 004BD010 easy real converter
;----------------------------------------------------|
Let's look at location (1) first
;--------------------------------------------------------------------|
004AB370 /. 55 push ebp
004AB371 |. 8BEC mov ebp, esp
004AB373 |. 6A 00 push 0
004AB375 |. 53 push ebx
004AB376 |. 8BD8 mov ebx, eax
004AB378 |. 33C0 xor eax, eax
004AB37A |. 55 push ebp
004AB37B |. 68 DBB34A00 push 004AB3DB
004AB380 |. 64:FF30 push dword ptr fs:[eax]
004AB383 |. 64:8920 mov dword ptr fs:[eax], esp
004AB386 |. A1 14014C00 mov eax, dword ptr [4C0114] ; EAX = [4C0114]
004AB38B |. 8038 00 cmp byte ptr [eax], 0 ; compare [EAX] with 0
004AB38E |. 74 25 je short 004AB3B5 ; //jump to the "unregistered version" branch
004AB390 |. 8B0D 1C044C00 mov ecx, dword ptr [4C041C] ; 1.004C1FD8
004AB396 |. 8B09 mov ecx, dword ptr [ecx]
004AB398 |. 8D45 FC lea eax, dword ptr [ebp-4]
004AB39B |. BA F0B34A00 mov edx, 004AB3F0 ; licenced to
004AB3A0 |. E8 8793F5FF call 0040472C
004AB3A5 |. 8B55 FC mov edx, dword ptr [ebp-4]
004AB3A8 |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004AB3AE |. E8 89BBFBFF call 00466F3C
004AB3B3 |. EB 10 jmp short 004AB3C5 ; //jump past it
004AB3B5 |> BA 08B44A00 mov edx, 004AB408 ; unregistered version
004AB3BA |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004AB3C0 |. E8 77BBFBFF call 00466F3C
004AB3C5 |> 33C0 xor eax, eax
004AB3C7 |. 5A pop edx
004AB3C8 |. 59 pop ecx
004AB3C9 |. 59 pop ecx
004AB3CA |. 64:8910 mov dword ptr fs:[eax], edx
004AB3CD |. 68 E2B34A00 push 004AB3E2
004AB3D2 |> 8D45 FC lea eax, dword ptr [ebp-4]
004AB3D5 |. E8 4690F5FF call 00404420
004AB3DA \. C3 retn
004AB3DB .^ E9 6489F5FF jmp 00403D44
004AB3E0 .^ EB F0 jmp short 004AB3D2
004AB3E2 . 5B pop ebx
004AB3E3 . 59 pop ecx
004AB3E4 . 5D pop ebp
004AB3E5 . C3 retn
;--------------------------------------------------------------------|
Searched OD for 4C0114: no results -_-"
On to the next one; I'll go straight to the third.
;--------------------------------------------------------------------|
004B9850 /. 55 push ebp
004B9851 |. 8BEC mov ebp, esp
004B9853 |. 33C9 xor ecx, ecx
............................................
............................................ ; //several lines omitted
004B9A33 |. 8B83 30030000 mov eax, dword ptr [ebx+330]
004B9A39 |. 8B80 08020000 mov eax, dword ptr [eax+208]
004B9A3F |. BA 05000000 mov edx, 5
004B9A44 |. E8 539DF8FF call 0044379C
004B9A49 |. 5A pop edx
004B9A4A |. E8 A99CF8FF call 004436F8
004B9A4F |. 803D D41F4C00>cmp byte ptr [4C1FD4], 0 ; compare [4C1FD4] with 0
004B9A56 |. 74 35 je short 004B9A8D ; //if taken, the program runs as "unregistered version"
004B9A58 |. BA 3C9B4B00 mov edx, 004B9B3C ; ASCII "Easy Real Converter"
004B9A5D |. 8BC3 mov eax, ebx
004B9A5F |. E8 D8D4FAFF call 00466F3C
004B9A64 |. 33D2 xor edx, edx
004B9A66 |. 8B83 1C030000 mov eax, dword ptr [ebx+31C]
004B9A6C |. E8 1BFEFBFF call 0047988C
004B9A71 |. 33D2 xor edx, edx
004B9A73 |. 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
004B9A79 |. E8 0EFEFBFF call 0047988C
004B9A7E |. 33D2 xor edx, edx
004B9A80 |. 8B83 80040000 mov eax, dword ptr [ebx+480]
004B9A86 |. E8 A1D3FAFF call 00466E2C
004B9A8B |. EB 0C jmp short 004B9A99 ; //jump past it
004B9A8D |> BA 589B4B00 mov edx, 004B9B58 ; easy real converter (unregistered version)
004B9A92 |. 8BC3 mov eax, ebx
004B9A94 |. E8 A3D4FAFF call 00466F3C
004B9A99 |> B2 01 mov dl, 1
004B9A9B |. A1 B8774100 mov eax, dword ptr [4177B8]
004B9AA0 |. E8 DB9AF4FF call 00403580
004B9AA5 |. 8983 3C050000 mov dword ptr [ebx+53C], eax
004B9AAB |. B2 01 mov dl, 1
004B9AAD |. A1 B8774100 mov eax, dword ptr [4177B8]
004B9AB2 |. E8 C99AF4FF call 00403580
004B9AB7 |. 8983 40050000 mov dword ptr [ebx+540], eax
004B9ABD |. 33C0 xor eax, eax
004B9ABF |. 5A pop edx
004B9AC0 |. 59 pop ecx
004B9AC1 |. 59 pop ecx
004B9AC2 |. 64:8910 mov dword ptr fs:[eax], edx
004B9AC5 |. 68 DF9A4B00 push 004B9ADF
004B9ACA |> 8D45 EC lea eax, dword ptr [ebp-14]
004B9ACD |. BA 05000000 mov edx, 5
004B9AD2 |. E8 6DA9F4FF call 00404444
004B9AD7 \. C3 retn
004B9AD8 .^ E9 67A2F4FF jmp 00403D44
004B9ADD .^ EB EB jmp short 004B9ACA
004B9ADF . 5F pop edi
004B9AE0 . 5E pop esi
004B9AE1 . 5B pop ebx
004B9AE2 . 8BE5 mov esp, ebp
004B9AE4 . 5D pop ebp
004B9AE5 . C3 retn
;--------------------------------------------------------------------|
Searching OD for 4C1FD4 gives the following:
Address Disassembly Comment
004B939C cmp byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B9493 cmp byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B96AA cmp byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B98E1 mov byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B991A cmp byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B9A4F cmp byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004B9AC2 mov dword ptr fs:[eax], edx (initial CPU selection)
004BB140 mov byte ptr [4C1FD4], 0 ds:[004C1FD4]=00
004BB24C mov byte ptr [4C1FD4], 1 [4C1FD4] = 1
004BB255 mov byte ptr [4C1FD4], 0 [4C1FD4] = 0
;--------------------------------------------------------------------|
OK, time to analyse. Experience tells us:
0: unregistered
1: registered
cmp byte ptr [4C1FD4], 0: checks whether the program is registered
mov byte ptr [4C1FD4], 0: registration data wrong, flag set to 0
mov byte ptr [4C1FD4], 1: registration data correct, flag set to 1
Double-click 004BB24C to land in the code (this address is clearly where the registration-success flag is set)
3. Code analysis
Set a breakpoint at the start of the routine, CTRL+F2 to reload, F9 to run. The code analysed is as follows:
;====================================================================| <Level 1>
004BB124 $ 55 push ebp ; //local call from 004B9915
004BB125 . 8BEC mov ebp, esp
004BB127 . 33C9 xor ecx, ecx ; ECX = 0
004BB129 . 51 push ecx
004BB12A . 51 push ecx
004BB12B . 51 push ecx
004BB12C . 51 push ecx
004BB12D . 53 push ebx
004BB12E . 56 push esi
004BB12F . 57 push edi
004BB130 . 8BF0 mov esi, eax
004BB132 . 33C0 xor eax, eax ; EAX = 0
004BB134 . 55 push ebp
004BB135 . 68 77B24B00 push 004BB277
004BB13A . 64:FF30 push dword ptr fs:[eax]
004BB13D . 64:8920 mov dword ptr fs:[eax], esp
004BB140 . C605 D41F4C00>mov byte ptr [4C1FD4], 0
004BB147 . B2 01 mov dl, 1
004BB149 . A1 54AB4300 mov eax, dword ptr [43AB54]
004BB14E . E8 01FBF7FF call 0043AC54
004BB153 . 8BD8 mov ebx, eax
004BB155 . BA 01000080 mov edx, 80000001
004BB15A . 8BC3 mov eax, ebx
004BB15C . E8 93FBF7FF call 0043ACF4
004BB161 . B1 01 mov cl, 1
004BB163 . BA 90B24B00 mov edx, 004BB290 ; ASCII "\Software\Easy Real Converter"
004BB168 . 8BC3 mov eax, ebx
004BB16A . E8 E9FBF7FF call 0043AD58 ; open the registry key "\Software\Easy Real Converter"
004BB16F . 84C0 test al, al ; success (al = 1)
004BB171 . 74 70 je short 004BB1E3 ; //not taken
004BB173 . BA B8B24B00 mov edx, 004BB2B8 ; ASCII "User"
004BB178 . 8BC3 mov eax, ebx
004BB17A . E8 39FFF7FF call 0043B0B8 ; read the "User" entry
004BB17F . 84C0 test al, al ; success (al = 1)
004BB181 . 74 1E je short 004BB1A1 ; //not taken
004BB183 . 8D4D F4 lea ecx, dword ptr [ebp-C]
004BB186 . BA B8B24B00 mov edx, 004BB2B8 ; ASCII "User"
004BB18B . 8BC3 mov eax, ebx
004BB18D . E8 8EFDF7FF call 0043AF20 ; get the "User" value
004BB192 . 8B55 F4 mov edx, dword ptr [ebp-C] ; EDX = user name
004BB195 . B8 D81F4C00 mov eax, 004C1FD8
004BB19A . E8 D592F4FF call 00404474
004BB19F . EB 0A jmp short 004BB1AB ; //jump past it
004BB1A1 > B8 D81F4C00 mov eax, 004C1FD8
004BB1A6 . E8 7592F4FF call 00404420
004BB1AB > BA C8B24B00 mov edx, 004BB2C8 ; ASCII "Key"
004BB1B0 . 8BC3 mov eax, ebx
004BB1B2 . E8 01FFF7FF call 0043B0B8 ; read the "Key" entry
004BB1B7 . 84C0 test al, al ; success (al = 1)
004BB1B9 . 74 1E je short 004BB1D9 ; //not taken
004BB1BB . 8D4D F0 lea ecx, dword ptr [ebp-10]
004BB1BE . BA C8B24B00 mov edx, 004BB2C8 ; ASCII "Key"
004BB1C3 . 8BC3 mov eax, ebx
004BB1C5 . E8 56FDF7FF call 0043AF20 ; get the "Key" value
004BB1CA . 8B55 F0 mov edx, dword ptr [ebp-10] ; EDX = serial number
004BB1CD . B8 DC1F4C00 mov eax, 004C1FDC
004BB1D2 . E8 9D92F4FF call 00404474
004BB1D7 . EB 0A jmp short 004BB1E3 ; //jump past it
004BB1D9 > B8 DC1F4C00 mov eax, 004C1FDC
004BB1DE . E8 3D92F4FF call 00404420
004BB1E3 > 8BC3 mov eax, ebx
004BB1E5 . E8 C683F4FF call 004035B0
004BB1EA . 833D D81F4C00>cmp dword ptr [4C1FD8], 0 ; [4C1FD8] = user name
004BB1F1 . 74 69 je short 004BB25C ; //if taken, fail
004BB1F3 . 8D4D FC lea ecx, dword ptr [ebp-4]
004BB1F6 . 8B15 D81F4C00 mov edx, dword ptr [4C1FD8] ; EDX = user name
004BB1FC . 8BC6 mov eax, esi
004BB1FE . E8 1DFEFFFF call 004BB020 ; //user-name encryption
004BB203 . 33C0 xor eax, eax
004BB205 . 55 push ebp
004BB206 . 68 28B24B00 push 004BB228
004BB20B . 64:FF30 push dword ptr fs:[eax]
004BB20E . 64:8920 mov dword ptr fs:[eax], esp
004BB211 . 8D55 F8 lea edx, dword ptr [ebp-8]
004BB214 . A1 DC1F4C00 mov eax, dword ptr [4C1FDC]
004BB219 . E8 1E3BFFFF call 004AED3C ; //serial-number encryption
004BB21E . 33C0 xor eax, eax
004BB220 . 5A pop edx
004BB221 . 59 pop ecx
004BB222 . 59 pop ecx
004BB223 . 64:8910 mov dword ptr fs:[eax], edx
004BB226 . EB 17 jmp short 004BB23F ; //jump past it
004BB228 .^ E9 6388F4FF jmp 00403A90
004BB22D . 8D45 F8 lea eax, dword ptr [ebp-8]
004BB230 . BA D4B24B00 mov edx, 004BB2D4 ; ASCII "Error!!"
004BB235 . E8 7E92F4FF call 004044B8
004BB23A . E8 7D8CF4FF call 00403EBC ; -\continues below
004BB23F > 8B45 FC mov eax, dword ptr [ebp-4] ; user-name ciphertext
004BB242 . 8B55 F8 mov edx, dword ptr [ebp-8] ; serial-number ciphertext
004BB245 . E8 E295F4FF call 0040482C ; //compare the two ciphertexts
004BB24A . 75 09 jnz short 004BB255 ; //if taken, fail
004BB24C . C605 D41F4C00>mov byte ptr [4C1FD4], 1 ; [4C1FD4] = 1
004BB253 . EB 07 jmp short 004BB25C
004BB255 > C605 D41F4C00>mov byte ptr [4C1FD4], 0 ; [4C1FD4] = 0
004BB25C > 33C0 xor eax, eax ; EAX = 0
004BB25E . 5A pop edx
004BB25F . 59 pop ecx
004BB260 . 59 pop ecx
004BB261 . 64:8910 mov dword ptr fs:[eax], edx
004BB264 . 68 7EB24B00 push 004BB27E
004BB269 > 8D45 F0 lea eax, dword ptr [ebp-10]
004BB26C . BA 04000000 mov edx, 4
004BB271 . E8 CE91F4FF call 00404444
004BB276 . C3 retn
004BB277 .^ E9 C88AF4FF jmp 00403D44
004BB27C .^ EB EB jmp short 004BB269
004BB27E . 5F pop edi
004BB27F . 5E pop esi
004BB280 . 5B pop ebx
004BB281 . 8BE5 mov esp, ebp
004BB283 . 5D pop ebp
004BB284 . C3 retn ; //end
;====================================================================|
;Press F7 at 004BB1FE to follow the key CALL -> 004BB020
;--------------------------------------------------------------------| <Level 2>
004BB020 /$ 55 push ebp ; //local call from 004BB1FE
004BB021 |. 8BEC mov ebp, esp
004BB023 |. 6A 00 push 0
004BB025 |. 6A 00 push 0
004BB027 |. 6A 00 push 0
004BB029 |. 6A 00 push 0
004BB02B |. 6A 00 push 0
004BB02D |. 6A 00 push 0
004BB02F |. 6A 00 push 0
004BB031 |. 53 push ebx
004BB032 |. 8BD9 mov ebx, ecx
004BB034 |. 8955 FC mov dword ptr [ebp-4], edx ; [ebp-4] = user name
004BB037 |. 8B45 FC mov eax, dword ptr [ebp-4]
004BB03A |. E8 9198F4FF call 004048D0
004BB03F |. 33C0 xor eax, eax ; EAX = 0
004BB041 |. 55 push ebp
004BB042 |. 68 C8B04B00 push 004BB0C8
004BB047 |. 64:FF30 push dword ptr fs:[eax]
004BB04A |. 64:8920 mov dword ptr fs:[eax], esp
004BB04D |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004BB050 |. 8B45 FC mov eax, dword ptr [ebp-4]
004BB053 |. E8 48DBF4FF call 00408BA0
004BB058 |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; [ebp-1C] = user name
004BB05B |. 8D55 E8 lea edx, dword ptr [ebp-18]
004BB05E |. E8 EDD8F4FF call 00408950 ; convert the user name to upper case
004BB063 |. 8B55 E8 mov edx, dword ptr [ebp-18] ; [ebp-18] = user name (upper case)
004BB066 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004BB069 |. B9 DCB04B00 mov ecx, 004BB0DC ; ASCII "zhiyuan"
004BB06E |. E8 B996F4FF call 0040472C ; string concatenation
004BB073 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004BB076 |. BA ECB04B00 mov edx, 004BB0EC ; ASCII "MagicUtils"
004BB07B |. E8 3894F4FF call 004044B8
004BB080 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004BB083 |. BA 00B14B00 mov edx, 004BB100 ; ASCII "Easy_Real_Converter"
004BB088 |. E8 2B94F4FF call 004044B8
004BB08D |. 8D45 EC lea eax, dword ptr [ebp-14]
004BB090 |. BA 1CB14B00 mov edx, 004BB11C ; ASCII "1.50"
004BB095 |. E8 1E94F4FF call 004044B8
004BB09A |. 8B45 EC mov eax, dword ptr [ebp-14]
004BB09D |. 50 push eax
004BB09E |. 53 push ebx
004BB09F |. 8B4D F0 mov ecx, dword ptr [ebp-10] ; ASCII "Easy_Real_Converter"
004BB0A2 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; ASCII "MagicUtils"
004BB0A5 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "LUYING10zhiyuan"
004BB0A8 |. E8 E70AFFFF call 004ABB94 ; //key CALL
004BB0AD |. 33C0 xor eax, eax
004BB0AF |. 5A pop edx
004BB0B0 |. 59 pop ecx
004BB0B1 |. 59 pop ecx
004BB0B2 |. 64:8910 mov dword ptr fs:[eax], edx
004BB0B5 |. 68 CFB04B00 push 004BB0CF
004BB0BA |> 8D45 E4 lea eax, dword ptr [ebp-1C]
004BB0BD |. BA 07000000 mov edx, 7
004BB0C2 |. E8 7D93F4FF call 00404444
004BB0C7 \. C3 retn
004BB0C8 .^ E9 778CF4FF jmp 00403D44
004BB0CD .^ EB EB jmp short 004BB0BA
004BB0CF . 5B pop ebx
004BB0D0 . 8BE5 mov esp, ebp
004BB0D2 . 5D pop ebp
004BB0D3 . C3 retn ; //return
;====================================================================|
;Press F7 at 004BB0A8 to follow the key CALL -> 004ABB94
;--------------------------------------------------------------------| <Level 3>
004ABB94 /$ 55 push ebp ; //local call from 004BB0A8
004ABB95 |. 8BEC mov ebp, esp
004ABB97 |. 83C4 EC add esp, -14
004ABB9A |. 53 push ebx
004ABB9B |. 33DB xor ebx, ebx ; EBX = 0
004ABB9D |. 895D EC mov dword ptr [ebp-14], ebx
004ABBA0 |. 895D F0 mov dword ptr [ebp-10], ebx
004ABBA3 |. 894D F4 mov dword ptr [ebp-C], ecx
004ABBA6 |. 8955 F8 mov dword ptr [ebp-8], edx
004ABBA9 |. 8945 FC mov dword ptr [ebp-4], eax
004ABBAC |. 8B45 FC mov eax, dword ptr [ebp-4] ; ASCII "LUYING10zhiyuan"
004ABBAF |. E8 1C8DF5FF call 004048D0
004ABBB4 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "MagicUtils"
004ABBB7 |. E8 148DF5FF call 004048D0
004ABBBC |. 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII "Easy_Real_Converter"
004ABBBF |. E8 0C8DF5FF call 004048D0
004ABBC4 |. 8B45 0C mov eax, dword ptr [ebp+C] ; ASCII "1.50"
004ABBC7 |. E8 048DF5FF call 004048D0
004ABBCC |. 33C0 xor eax, eax ; EAX = 0
004ABBCE |. 55 push ebp
004ABBCF |. 68 3ABC4A00 push 004ABC3A
004ABBD4 |. 64:FF30 push dword ptr fs:[eax]
004ABBD7 |. 64:8920 mov dword ptr fs:[eax], esp
004ABBDA |. FF75 FC push dword ptr [ebp-4] ; ASCII "LUYING10zhiyuan"
004ABBDD |. FF75 F8 push dword ptr [ebp-8]
004ABBE0 |. FF75 F4 push dword ptr [ebp-C]
004ABBE3 |. FF75 0C push dword ptr [ebp+C]
004ABBE6 |. 8B45 0C mov eax, dword ptr [ebp+C]
004ABBE9 |. 50 push eax
004ABBEA |. 8D45 EC lea eax, dword ptr [ebp-14]
004ABBED |. 50 push eax
004ABBEE |. 8B4D F4 mov ecx, dword ptr [ebp-C]
004ABBF1 |. 8B55 F8 mov edx, dword ptr [ebp-8]
004ABBF4 |. 8B45 FC mov eax, dword ptr [ebp-4]
004ABBF7 |. E8 80FDFFFF call 004AB97C ; //tail-string algorithm
004ABBFC |. FF75 EC push dword ptr [ebp-14] ; (ASCII "kr:I^LqKV")
004ABBFF |. 8D45 F0 lea eax, dword ptr [ebp-10]
004ABC02 |. BA 05000000 mov edx, 5
004ABC07 |. E8 948BF5FF call 004047A0
004ABC0C |. 8B55 08 mov edx, dword ptr [ebp+8]
004ABC0F |. 8B45 F0 mov eax, dword ptr [ebp-10] ; (ASCII "LUYING10zhiyuanMagicUtilsEasy_Real_Converter1.50")
004ABC12 |. E8 31000000 call 004ABC48 ; //user-name ciphertext algorithm
004ABC17 |. 33C0 xor eax, eax ; EAX = 0
004ABC19 |. 5A pop edx
004ABC1A |. 59 pop ecx
004ABC1B |. 59 pop ecx
004ABC1C |. 64:8910 mov dword ptr fs:[eax], edx
004ABC1F |. 68 41BC4A00 push 004ABC41
004ABC24 |> 8D45 EC lea eax, dword ptr [ebp-14]
004ABC27 |. BA 05000000 mov edx, 5
004ABC2C |. E8 1388F5FF call 00404444
004ABC31 |. 8D45 0C lea eax, dword ptr [ebp+C]
004ABC34 |. E8 E787F5FF call 00404420
004ABC39 \. C3 retn
004ABC3A .^ E9 0581F5FF jmp 00403D44
004ABC3F .^ EB E3 jmp short 004ABC24
004ABC41 . 5B pop ebx
004ABC42 . 8BE5 mov esp, ebp
004ABC44 . 5D pop ebp
004ABC45 . C2 0800 retn 8 ; //return
;====================================================================|
>>>>>>>>>>>>>>>>>>>>>>>>>>>>User-name encryption algorithm<<<<<<<<<<<<<<<<<<<<<<<<<<<<
;--------------------------------------------------------------------|
;Press F7 at 004ABC12 to follow the key CALL -> 004ABC48
;--------------------------------------------------------------------| <Level 4>
004ABC48 /$ 55 push ebp ; //local call from 004ABC12
004ABC49 |. 8BEC mov ebp, esp
004ABC4B |. 83C4 F4 add esp, -0C
004ABC4E |. 53 push ebx
004ABC4F |. 56 push esi
004ABC50 |. 33C9 xor ecx, ecx ; ECX = 0
004ABC52 |. 894D F4 mov dword ptr [ebp-C], ecx
004ABC55 |. 8955 F8 mov dword ptr [ebp-8], edx
004ABC58 |. 8945 FC mov dword ptr [ebp-4], eax ; (ASCII "LUYING10zhiyuanMagicUtilsEasy_Real_Converter")
004ABC5B |. 8B45 FC mov eax, dword ptr [ebp-4]
004ABC5E |. E8 6D8CF5FF call 004048D0
004ABC63 |. 33C0 xor eax, eax ; EAX = 0
004ABC65 |. 55 push ebp
004ABC66 |. 68 E7BC4A00 push 004ABCE7
004ABC6B |. 64:FF30 push dword ptr fs:[eax]
004ABC6E |. 64:8920 mov dword ptr fs:[eax], esp
004ABC71 |. 33DB xor ebx, ebx ; EBX = 0
004ABC73 |. 8B45 FC mov eax, dword ptr [ebp-4]
004ABC76 |. E8 658AF5FF call 004046E0 ; string length
004ABC7B |. 85C0 test eax, eax
004ABC7D |. 7E 2C jle short 004ABCAB ; skip the loop if the string is empty
004ABC7F |. BE 01000000 mov esi, 1 ; ESI starts at 1
004ABC84 |> 8B55 FC /mov edx, dword ptr [ebp-4] ; the string
004ABC87 |. 8A5432 FF |mov dl, byte ptr [edx+esi-1] ; i-th character of the string
004ABC8B |. 32D3 |xor dl, bl ; dl = dl ^ bl
004ABC8D |. 81E2 FF000000 |and edx, 0FF ; EDX = EDX & 0xFF
004ABC93 |. 8B1495 88FB4B>|mov edx, dword ptr [edx*4+4BFB88] ; table lookup
004ABC9A |. C1EB 08 |shr ebx, 8 ; EBX = EBX >> 8
004ABC9D |. 81E3 FFFFFF00 |and ebx, 0FFFFFF ; EBX = EBX & 0xFFFFFF
004ABCA3 |. 33D3 |xor edx, ebx ; EDX = EDX ^ EBX
004ABCA5 |. 8BDA |mov ebx, edx ; EBX = EDX
004ABCA7 |. 46 |inc esi ; ESI++
004ABCA8 |. 48 |dec eax ; EAX--
004ABCA9 |.^ 75 D9 \jnz short 004ABC84 ; //loop
004ABCAB |> 8BC3 mov eax, ebx ; ebx=8A90424A
004ABCAD |. 33D2 xor edx, edx ; EDX = 0
004ABCAF |. 52 push edx ; /Arg2 => 00000000
004ABCB0 |. 50 push eax ; |Arg1
004ABCB1 |. 8D55 F4 lea edx, dword ptr [ebp-C] ; |
004ABCB4 |. B8 08000000 mov eax, 8 ; |
004ABCB9 |. E8 BED2F5FF call 00408F7C ; \convert the value to an 8-digit hex string
004ABCBE |. 8B45 F4 mov eax, dword ptr [ebp-C] ; (ASCII "8A90424A")
004ABCC1 |. 8B55 F8 mov edx, dword ptr [ebp-8]
004ABCC4 |. E8 C3CCF5FF call 0040898C
004ABCC9 |. 33C0 xor eax, eax
004ABCCB |. 5A pop edx
004ABCCC |. 59 pop ecx
004ABCCD |. 59 pop ecx
004ABCCE |. 64:8910 mov dword ptr fs:[eax], edx
004ABCD1 |. 68 EEBC4A00 push 004ABCEE
004ABCD6 |> 8D45 F4 lea eax, dword ptr [ebp-C]
004ABCD9 |. E8 4287F5FF call 00404420
004ABCDE |. 8D45 FC lea eax, dword ptr [ebp-4]
004ABCE1 |. E8 3A87F5FF call 00404420
004ABCE6 \. C3 retn
004ABCE7 .^ E9 5880F5FF jmp 00403D44
004ABCEC .^ EB E8 jmp short 004ABCD6
004ABCEE . 5E pop esi
004ABCEF . 5B pop ebx
004ABCF0 . 8BE5 mov esp, ebp
004ABCF2 . 5D pop ebp
004ABCF3 . C3 retn ; //return
;====================================================================|
>>>>>>>>>>>>>>>>>>>>>>>>>>>>"Tail string" algorithm<<<<<<<<<<<<<<<<<<<<<<
;--------------------------------------------------------------------|
Follow the CALL at 004ABBF7 -> 004AB97C
;--------------------------------------------------------------------|
004AB97C /$ 55 push ebp ; //local call from 004ABBF7
004AB97D |. 8BEC mov ebp, esp
004AB97F |. 83C4 E8 add esp, -18
004AB982 |. 53 push ebx
004AB983 |. 33DB xor ebx, ebx
004AB985 |. 895D E8 mov dword ptr [ebp-18], ebx
004AB988 |. 895D EC mov dword ptr [ebp-14], ebx
004AB98B |. 895D F0 mov dword ptr [ebp-10], ebx
004AB98E |. 894D F4 mov dword ptr [ebp-C], ecx ; ASCII "Easy_Real_Converter"
004AB991 |. 8955 F8 mov dword ptr [ebp-8], edx ; ASCII "MagicUtils"
004AB994 |. 8945 FC mov dword ptr [ebp-4], eax ; ASCII "LUYING10zhiyuan"
004AB997 |. 8B45 FC mov eax, dword ptr [ebp-4]
004AB99A |. E8 318FF5FF call 004048D0
004AB99F |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "MagicUtils"
004AB9A2 |. E8 298FF5FF call 004048D0
004AB9A7 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII "Easy_Real_Converter"
004AB9AA |. E8 218FF5FF call 004048D0
004AB9AF |. 8B45 0C mov eax, dword ptr [ebp+C] ; ASCII "1.50"
004AB9B2 |. E8 198FF5FF call 004048D0
004AB9B7 |. 33C0 xor eax, eax
004AB9B9 |. 55 push ebp
004AB9BA |. 68 37BA4A00 push 004ABA37
004AB9BF |. 64:FF30 push dword ptr fs:[eax]
004AB9C2 |. 64:8920 mov dword ptr fs:[eax], esp
004AB9C5 |. 33D2 xor edx, edx
004AB9C7 |. 8B45 0C mov eax, dword ptr [ebp+C]
004AB9CA |. E8 19D6F5FF call 00408FE8
004AB9CF |. 8BD0 mov edx, eax
004AB9D1 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004AB9D4 |. B8 48BA4A00 mov eax, 004ABA48
004AB9D9 |. E8 6E000000 call 004ABA4C ; first CALL (initialises the state)
;---------------------------|
004AB9DE |. 8B45 F4 mov eax, dword ptr [ebp-C] ; ASCII "Easy_Real_Converter"
004AB9E1 |. E8 FA8EF5FF call 004048E0
004AB9E6 |. 8D4D EC lea ecx, dword ptr [ebp-14] ;
004AB9E9 |. 33D2 xor edx, edx
004AB9EB |. E8 5C000000 call 004ABA4C ; second CALL
;---------------------------|
004AB9F0 |. 8B45 FC mov eax, dword ptr [ebp-4] ; ASCII "LUYING10zhiyuan"
004AB9F3 |. E8 E88EF5FF call 004048E0
004AB9F8 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
004AB9FB |. 33D2 xor edx, edx
004AB9FD |. E8 4A000000 call 004ABA4C ; third CALL
;---------------------------|
004ABA02 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "MagicUtils"
004ABA05 |. E8 D68EF5FF call 004048E0
004ABA0A |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004ABA0D |. 33D2 xor edx, edx
004ABA0F |. E8 38000000 call 004ABA4C ; fourth CALL
;---------------------------|
004ABA14 |. 33C0 xor eax, eax
004ABA16 |. 5A pop edx
004ABA17 |. 59 pop ecx
004ABA18 |. 59 pop ecx
004ABA19 |. 64:8910 mov dword ptr fs:[eax], edx
004ABA1C |. 68 3EBA4A00 push 004ABA3E
004ABA21 |> 8D45 E8 lea eax, dword ptr [ebp-18]
004ABA24 |. BA 06000000 mov edx, 6
004ABA29 |. E8 168AF5FF call 00404444
004ABA2E |. 8D45 0C lea eax, dword ptr [ebp+C]
004ABA31 |. E8 EA89F5FF call 00404420
004ABA36 \. C3 retn
004ABA37 .^ E9 0883F5FF jmp 00403D44
004ABA3C .^ EB E3 jmp short 004ABA21
004ABA3E . 5B pop ebx
004ABA3F . 8BE5 mov esp, ebp
004ABA41 . 5D pop ebp
004ABA42 . C2 0800 retn 8 ; //return
;--------------------------------------------------------------------|
;Follow the CALL at 004AB9EB -> 004ABA4C
;--------------------------------------------------------------------|
004ABA4C /$ 55 push ebp ; //local calls from 004AB9D9, 004AB9EB, 004AB9FD, 004ABA0F
004ABA4D |. 8BEC mov ebp, esp
004ABA4F |. 83C4 EC add esp, -14
004ABA52 |. 53 push ebx
004ABA53 |. 56 push esi
004ABA54 |. 57 push edi
004ABA55 |. 33DB xor ebx, ebx
004ABA57 |. 895D EC mov dword ptr [ebp-14], ebx
004ABA5A |. 895D F0 mov dword ptr [ebp-10], ebx
004ABA5D |. 894D F8 mov dword ptr [ebp-8], ecx
004ABA60 |. 8BF2 mov esi, edx ; ESI = EDX
004ABA62 |. 8945 FC mov dword ptr [ebp-4], eax ; ASCII "Easy_Real_Converter"
004ABA65 |. 33C0 xor eax, eax ; EAX = 0
004ABA67 |. 55 push ebp
004ABA68 |. 68 86BB4A00 push 004ABB86
004ABA6D |. 64:FF30 push dword ptr fs:[eax]
004ABA70 |. 64:8920 mov dword ptr fs:[eax], esp
004ABA73 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004ABA76 |. 8B55 FC mov edx, dword ptr [ebp-4]
004ABA79 |. E8 9A8BF5FF call 00404618
004ABA7E |. 8B45 F0 mov eax, dword ptr [ebp-10] ; EAX = the string
004ABA81 |. E8 5A8CF5FF call 004046E0 ; string length
004ABA86 |. 8BD8 mov ebx, eax ; EBX = EAX
004ABA88 |. 85DB test ebx, ebx
004ABA8A |. 75 13 jnz short 004ABA9F ; //taken when the string is non-empty
;---------------------------|<executed on the first call only>
004ABA8C |. 8935 E01E4C00 mov dword ptr [4C1EE0], esi ; [4C1EE0] = ESI (initialised to 0)
004ABA92 |. 6BC6 64 imul eax, esi, 64
004ABA95 |. A3 E41E4C00 mov dword ptr [4C1EE4], eax ; [4C1EE4] = ESI * 0x64 (initialised to 0)
004ABA9A |. E9 CC000000 jmp 004ABB6B ; //skip the loop body
;---------------------------|<executed on the first call only>
004ABA9F |> 8B45 F8 mov eax, dword ptr [ebp-8] ; ->lands here
004ABAA2 |. E8 7989F5FF call 00404420 ; clear the output string
004ABAA7 |. 8BFB mov edi, ebx ; EDI = EBX
004ABAA9 |. 4F dec edi ; EDI--
004ABAAA |. 85FF test edi, edi
004ABAAC |. 0F8C B9000000 jl 004ABB6B
004ABAB2 |. 47 inc edi ; EDI++
004ABAB3 |. 33F6 xor esi, esi ; ESI = 0
004ABAB5 |> 8B45 FC /mov eax, dword ptr [ebp-4] ; the string
004ABAB8 |. 8A0430 |mov al, byte ptr [eax+esi] ; i-th character of the string
004ABABB |. 3C 20 |cmp al, 20 ; \
004ABABD |. 0F82 A0000000 |jb 004ABB63 ; |skip characters outside 0x20..0x7E
004ABAC3 |. 3C 7E |cmp al, 7E ; |
004ABAC5 |. 0F87 98000000 |ja 004ABB63 ; /
004ABACB |. 8B15 E01E4C00 |mov edx, dword ptr [4C1EE0] ; EDX = [4C1EE0]
004ABAD1 |. 81E2 FFFFFF1F |and edx, 1FFFFFFF ; EDX = EDX & 0x1FFFFFFF
004ABAD7 |. 8B0D E01E4C00 |mov ecx, dword ptr [4C1EE0] ; ECX = [4C1EE0]
004ABADD |. C1E9 1D |shr ecx, 1D ; ECX = ECX >> 0x1D
004ABAE0 |. 83E1 31 |and ecx, 31 ; ECX = ECX & 0x31
004ABAE3 |. 33D1 |xor edx, ecx ; EDX = EDX ^ ECX
004ABAE5 |. 8915 E01E4C00 |mov dword ptr [4C1EE0], edx ; [4C1EE0] = EDX
004ABAEB |. 8845 F7 |mov byte ptr [ebp-9], al ; [ebp-9] = al
004ABAEE |. A1 E01E4C00 |mov eax, dword ptr [4C1EE0] ; EAX = [4C1EE0]
004ABAF3 |. B9 5F000000 |mov ecx, 5F ; ECX = 0x5F
004ABAF8 |. 99 |cdq ; sign-extend EAX into EDX (EDX = 0, EAX is non-negative here)
004ABAF9 |. F7F9 |idiv ecx ; EAX = EAX / ECX
004ABAFB |. 33D2 |xor edx, edx ; EDX = 0
004ABAFD |. 8A55 F7 |mov dl, byte ptr [ebp-9] ; dl = [ebp-9]
004ABB00 |. 83EA 20 |sub edx, 20 ; EDX = EDX - 0x20
004ABB03 |. 2BC2 |sub eax, edx ; EAX = EAX - EDX
004ABB05 |. E8 32FEFFFF |call 004AB93C ; reduction
004ABB0A |. 8BD8 |mov ebx, eax ; EBX = EAX
004ABB0C |. 80C3 20 |add bl, 20 ; bl = bl + 0x20
004ABB0F |. FF05 E41E4C00 |inc dword ptr [4C1EE4] ; [4C1EE4]++
004ABB15 |. 813D E41E4C00>|cmp dword ptr [4C1EE4], 5179 ; compare with 0x5179
004ABB1F |. 7C 07 |jl short 004ABB28 ; //taken when smaller
004ABB21 |. 33C0 |xor eax, eax
004ABB23 |. A3 E41E4C00 |mov dword ptr [4C1EE4], eax
004ABB28 |> 8A45 F7 |mov al, byte ptr [ebp-9] ; al = [ebp-9]
004ABB2B |. 32C3 |xor al, bl ; al = al ^ bl
004ABB2D |. 25 FF000000 |and eax, 0FF ; EAX = EAX & 0xFF
004ABB32 |. 8B15 E01E4C00 |mov edx, dword ptr [4C1EE0] ; EDX = [4C1EE0]
004ABB38 |. 0315 E01E4C00 |add edx, dword ptr [4C1EE0] ; EDX = EDX + [4C1EE0]
004ABB3E |. 03C2 |add eax, edx ; EAX = EAX + EDX
004ABB40 |. 0305 E41E4C00 |add eax, dword ptr [4C1EE4] ; EAX = EAX + [4C1EE4]
004ABB46 |. A3 E01E4C00 |mov dword ptr [4C1EE0], eax ; [4C1EE0] = EAX
004ABB4B |. 8D45 EC |lea eax, dword ptr [ebp-14]
004ABB4E |. 8BD3 |mov edx, ebx ; EDX = EBX (becomes the output character)
004ABB50 |. E8 B38AF5FF |call 00404608
004ABB55 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004ABB58 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
004ABB5B |. E8 888BF5FF |call 004046E8
004ABB60 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
004ABB63 |> 46 |inc esi ; ESI++
004ABB64 |. 4F |dec edi ; EDI--
004ABB65 |.^ 0F85 4AFFFFFF \jnz 004ABAB5 ; //loop
004ABB6B |> 33C0 xor eax, eax ; EAX = 0
004ABB6D |. 5A pop edx
004ABB6E |. 59 pop ecx
004ABB6F |. 59 pop ecx
004ABB70 |. 64:8910 mov dword ptr fs:[eax], edx
004ABB73 |. 68 8DBB4A00 push 004ABB8D
004ABB78 |> 8D45 EC lea eax, dword ptr [ebp-14]
004ABB7B |. BA 02000000 mov edx, 2
004ABB80 |. E8 BF88F5FF call 00404444
004ABB85 \. C3 retn
004ABB86 .^ E9 B981F5FF jmp 00403D44
004ABB8B .^ EB EB jmp short 004ABB78
004ABB8D . 5F pop edi
004ABB8E . 5E pop esi
004ABB8F . 5B pop ebx
004ABB90 . 8BE5 mov esp, ebp
004ABB92 . 5D pop ebp
004ABB93 . C3 retn ; //return
;--------------------------------------------------------------------|
;Press F7 at 004ABB05 to follow the arithmetic CALL -> 004AB93C [how EAX is reduced]
;--------------------------------------------------------------------|
004AB93C /$ 3D 1C250000 cmp eax, 251C
004AB941 |. 7C 0C jl short 004AB94F ; jump if smaller
004AB943 |> 2D 1C250000 /sub eax, 251C
004AB948 |. 3D 1C250000 |cmp eax, 251C
004AB94D |.^ 7D F4 \jge short 004AB943
004AB94F |> 3D B6030000 cmp eax, 3B6
004AB954 |. 7C 0C jl short 004AB962 ; jump if smaller
004AB956 |> 2D B6030000 /sub eax, 3B6
004AB95B |. 3D B6030000 |cmp eax, 3B6
004AB960 |.^ 7D F4 \jge short 004AB956
004AB962 |> 83F8 5F cmp eax, 5F
004AB965 |. 7C 08 jl short 004AB96F ; jump if smaller
004AB967 |> 83E8 5F /sub eax, 5F
004AB96A |. 83F8 5F |cmp eax, 5F
004AB96D |.^ 7D F8 \jge short 004AB967
004AB96F |> 85C0 test eax, eax
004AB971 |. 7D 07 jge short 004AB97A ; jump if >= 0
004AB973 |> 83C0 5F /add eax, 5F
004AB976 |. 85C0 |test eax, eax
004AB978 |.^ 7C F9 \jl short 004AB973
004AB97A \> C3 retn ; //return
;====================================================================|
>>>>>>>>>>>>>>>>>>>>>>>>>>>>Serial-number encryption algorithm<<<<<<<<<<<<<<<<<<<<<<<<<<<<
;--------------------------------------------------------------------|
;Press F7 at 004BB219 to follow the key CALL -> 004AED3C
;--------------------------------------------------------------------|
004AED3C /$ 55 push ebp ; //local call from 004BB219
004AED3D |. 8BEC mov ebp, esp
004AED3F |. 83C4 DC add esp, -24
004AED42 |. 53 push ebx
004AED43 |. 33C9 xor ecx, ecx
004AED45 |. 894D F8 mov dword ptr [ebp-8], ecx
004AED48 |. 894D F4 mov dword ptr [ebp-C], ecx
004AED4B |. 8BDA mov ebx, edx
004AED4D |. 8945 FC mov dword ptr [ebp-4], eax
004AED50 |. 8B45 FC mov eax, dword ptr [ebp-4] ; [ebp-4] = serial number
004AED53 |. E8 785BF5FF call 004048D0
004AED58 |. 8D45 EC lea eax, dword ptr [ebp-14]
004AED5B |. 8B15 4CBD4A00 mov edx, dword ptr [4ABD4C] ; 1.004ABD50
004AED61 |. E8 6662F5FF call 00404FCC
004AED66 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004AED69 |. 8B15 4CBD4A00 mov edx, dword ptr [4ABD4C] ; 1.004ABD50
004AED6F |. E8 5862F5FF call 00404FCC
004AED74 |. 8D45 DC lea eax, dword ptr [ebp-24]
004AED77 |. 8B15 4CBD4A00 mov edx, dword ptr [4ABD4C] ; 1.004ABD50
004AED7D |. E8 4A62F5FF call 00404FCC
004AED82 |. 33C0 xor eax, eax
004AED84 |. 55 push ebp
004AED85 |. 68 3AEE4A00 push 004AEE3A
004AED8A |. 64:FF30 push dword ptr fs:[eax]
004AED8D |. 64:8920 mov dword ptr fs:[eax], esp
004AED90 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004AED93 |. 8B55 FC mov edx, dword ptr [ebp-4] ; EDX = serial number
004AED96 |. E8 1D57F5FF call 004044B8
004AED9B |. 8D55 F4 lea edx, dword ptr [ebp-C]
004AED9E |. 8B45 F8 mov eax, dword ptr [ebp-8] ; EAX = serial number
004AEDA1 |. E8 46D3FFFF call 004AC0EC
004AEDA6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004AEDA9 |. E8 7256F5FF call 00404420
004AEDAE |. 8D55 EC lea edx, dword ptr [ebp-14]
004AEDB1 |. B8 50EE4A00 mov eax, 004AEE50 ; e = 65537
004AEDB6 |. E8 25D7FFFF call 004AC4E0
004AEDBB |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004AEDBE |. B8 60EE4A00 mov eax, 004AEE60 ; n = 11854405724806361658422632892116497718759520709779
004AEDC3 |. E8 18D7FFFF call 004AC4E0
004AEDC8 |. 8D45 DC lea eax, dword ptr [ebp-24]
004AEDCB |. 50 push eax
004AEDCC |. 8D45 DC lea eax, dword ptr [ebp-24]
004AEDCF |. 50 push eax
004AEDD0 |. 8D45 DC lea eax, dword ptr [ebp-24]
004AEDD3 |. 50 push eax
004AEDD4 |. 8D45 DC lea eax, dword ptr [ebp-24]
004AEDD7 |. 50 push eax
004AEDD8 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004AEDDB |. 50 push eax
004AEDDC |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
004AEDDF |. 8D55 EC lea edx, dword ptr [ebp-14]
004AEDE2 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004AEDE5 |. E8 22FBFFFF call 004AE90C
004AEDEA |. 8BC3 mov eax, ebx
004AEDEC |. 8B55 F8 mov edx, dword ptr [ebp-8] ; stack ss:[0012FD98]=00F6E2E0
004AEDEF |. E8 8056F5FF call 00404474
004AEDF4 |. 8D45 EC lea eax, dword ptr [ebp-14]
004AEDF7 |. E8 5CD9FFFF call 004AC758
004AEDFC |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004AEDFF |. E8 54D9FFFF call 004AC758
004AEE04 |. 8D45 DC lea eax, dword ptr [ebp-24]
004AEE07 |. E8 4CD9FFFF call 004AC758
004AEE0C |. 33C0 xor eax, eax
004AEE0E |. 5A pop edx
004AEE0F |. 59 pop ecx
004AEE10 |. 59 pop ecx
004AEE11 |. 64:8910 mov dword ptr fs:[eax], edx
004AEE14 |. 68 41EE4A00 push 004AEE41
004AEE19 |> 8D45 DC lea eax, dword ptr [ebp-24]
004AEE1C |. 8B15 4CBD4A00 mov edx, dword ptr [4ABD4C] ; 1.004ABD50
004AEE22 |. B9 03000000 mov ecx, 3
004AEE27 |. E8 BC62F5FF call 004050E8
004AEE2C |. 8D45 F4 lea eax, dword ptr [ebp-C]
004AEE2F |. BA 03000000 mov edx, 3
004AEE34 |. E8 0B56F5FF call 00404444
004AEE39 \. C3 retn
004AEE3A .^ E9 054FF5FF jmp 00403D44
004AEE3F .^ EB D8 jmp short 004AEE19
004AEE41 . 5B pop ebx
004AEE42 . 8BE5 mov esp, ebp
004AEE44 . 5D pop ebp
004AEE45 . C3 retn
;====================================================================|
4. Algorithm summary
1. Build the string
user name (upper case) + zhiyuan + MagicUtils + Easy_Real_Converter + 1.50 + tail string
The "tail string" TailString algorithm is as follows (^ is XOR, as in the listing; the three loops share the state in [4C1EE0] and [4C1EE4]; characters outside 0x20..0x7E are skipped):
int [4C1EE0] = 0;
int [4C1EE4] = 0;
string TailString = "";
str1 = "Easy_Real_Converter";
for(int i = 0; i < str1.length; i++)
{
[4C1EE0] = ([4C1EE0] & 0x1FFFFFFF) ^ (([4C1EE0] >> 0x1D) & 0x31);
EAX = ([4C1EE0] / 0x5F) - (str1[i] - 0x20);
while(EAX >= 0x251C)
EAX = EAX - 0x251C;
while(EAX >= 0x3B6)
EAX = EAX - 0x3B6;
while(EAX >= 0x5F)
EAX = EAX - 0x5F;
while(EAX < 0)
EAX = EAX + 0x5F;
EBX = EAX + 0x20;
[4C1EE4]++;
if([4C1EE4] >= 0x5179)
[4C1EE4] = 0;
EAX = ((str1[i] ^ EBX) & 0xFF) + 2*[4C1EE0] + [4C1EE4];
[4C1EE0] = EAX;
}
str2 = UserName(upper case) + "zhiyuan";
for(int i = 0; i < str2.length; i++)
{
[same loop body as for str1, with str2[i]; the output character is discarded]
}
str3 = "MagicUtils";
for(int i = 0; i < str3.length; i++)
{
[4C1EE0] = ([4C1EE0] & 0x1FFFFFFF) ^ (([4C1EE0] >> 0x1D) & 0x31);
EAX = ([4C1EE0] / 0x5F) - (str3[i] - 0x20);
while(EAX >= 0x251C)
EAX = EAX - 0x251C;
while(EAX >= 0x3B6)
EAX = EAX - 0x3B6;
while(EAX >= 0x5F)
EAX = EAX - 0x5F;
while(EAX < 0)
EAX = EAX + 0x5F;
EBX = EAX + 0x20;
TailString = TailString + (char)EBX;
[4C1EE4]++;
if([4C1EE4] >= 0x5179)
[4C1EE4] = 0;
EAX = ((str3[i] ^ EBX) & 0xFF) + 2*[4C1EE0] + [4C1EE4];
[4C1EE0] = EAX;
}
string FullStr = UserName(upper case) + "zhiyuan" + "MagicUtils" + "Easy_Real_Converter" + "1.50" + TailString;
2. Encrypting the built string (004ABC48, the user-name ciphertext algorithm in the listing)
int EBX = 0;
Define a Table function that does the lookup and returns the table entry;
its argument is EDX
;--------------------------------------------------------------------|
;Follow the data window at 004ABC93 to get the lookup table (used inside the loop)
;--------------------------------------------------------------------| <Table>
004BFB88 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 ....?w,a詈Q.
004BFB98 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 膍忯jp5椋昫
004BFBA8 32 88 DB 0E A4 B8 DC 79 1E E9 D5 E0 88 D9 D2 97 2堐じ躽檎鄨僖
004BFBB8 2B 4C C6 09 BD 7C E1 7E 07 2D 58 E7 91 1D BF 90 +L?絴醻-X鐟繍
004BFBC8 C8 20 6E 3B 5E 10 69 4C E4 41 60 D5 72 71 67 A2 ?n;^iL銩`誶qg
XXXXXXXX XXXXXXXXXXXX several rows omitted XXXXXXXXXXXXXXXXXXXXXXXXX
004BFF38 53 AE BC A9 8A C2 BA CA 7F CF B2 47 E9 FF B5 30 S潞?喜G??
004BFF48 1C F2 BD BD C5 9E BB DE 30 93 B3 53 A6 A3 B4 24 蚪脚灮?摮SΓ?
004BFF58 05 36 D0 BA 93 06 D7 CD 29 57 DE 54 BF 67 D9 23 6泻?淄)W轙縢?
004BFF68 2E 7A 66 B3 B8 4A 61 C4 02 1B 68 5D 94 2B 6F 2A .zf掣Ja?h]?o*
004BFF78 37 BE 0B B4 A1 8E 0C C3 1B DF 05 5A 8D EF 02 2D 7?础???Z嶏-
;--------------------------------------------------------------------|
for(int i = 0; i < FullStr.length; i++) // FullStr: the string built in step 1 (user name(upper) + zhiyuan + MagicUtils + Easy_Real_Converter + 1.50 + tail string)
{
EDX = (FullStr[i] ^ EBX) & 0xFF;
EBX = Table(EDX*4 + 0x4BFB88) ^ ((EBX >> 8) & 0xFFFFFF);
}
string EncryptName = Hex8(EBX); // 8 hex digits, "8A90424A" in the run above
The serial number is handled separately: string EncryptNumber = RSA(SerNum), with e = 65537 and n = 11854405724806361658422632892116497718759520709779
3. Compare the encryption results
004BB245 . E8 E295F4FF call 0040482C
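The summary above, reimplemented in Python as an added example (it is not the post's code and not the program's own source): `crc32_table` rebuilds the table that the dump at 004BFB88 shows, which is the standard reflected CRC-32 table (polynomial 0xEDB88320; the entries 00000000, 77073096, ..., 2D02EF8D match it); `parse_olly_dump` and `dump_matches_crc_table` check three rows copied from the dump against that table; `TailState` and `reduce_mod_5f` follow 004ABA4C and 004AB93C instruction by instruction; `username_hash` joins the pieces. Assumptions: the seed of 0 for [4C1EE0] and [4C1EE4] is taken from the listing's comments on the first call, and the post's sample values "kr:I^LqKV" and "8A90424A" were not reproduced with this reconstruction, so the checks use the table and known CRC-32 test values rather than those samples. All function and variable names are this example's own.

```python
# Added example: reconstruction of the user-name side of the check described above,
# plus a check that the table dumped at 004BFB88 is the standard CRC-32 table.
CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial; table[1] == 0x77073096 as in the dump


def crc32_table():
    """Generate the 256-entry reflected CRC-32 table (what the dump at 004BFB88 holds)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = crc32_table()


def table_crc(data, init=0):
    """The loop at 004ABC84: ebx = table[(byte ^ ebx) & 0xFF] ^ (ebx >> 8).
    The program starts from 0 and applies no final XOR, so its result is not a standard
    CRC-32 value; pass init=0xFFFFFFFF and XOR the result to get the standard one."""
    crc = init
    for b in data:
        crc = CRC_TABLE[(b ^ crc) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def standard_crc32(data):
    return table_crc(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def crc_matches_zlib(data=b"123456789"):
    """Cross-check the table and loop against zlib (0xCBF43926 for '123456789')."""
    import zlib
    return standard_crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Three rows copied from the OllyDbg dump on the page (hex bytes only; the ASCII column
# was mis-encoded in the post and is dropped).
DUMP_ROWS = [
    "004BFB88 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99",
    "004BFB98 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E",
    "004BFF78 37 BE 0B B4 A1 8E 0C C3 1B DF 05 5A 8D EF 02 2D",
]


def parse_olly_dump(rows):
    """Parse 'ADDR b0 .. b15' rows into (address, [four little-endian dwords])."""
    out = []
    for row in rows:
        parts = row.split()
        addr = int(parts[0], 16)
        raw = bytes(int(x, 16) for x in parts[1:17])
        out.append((addr, [int.from_bytes(raw[i:i + 4], "little") for i in range(0, 16, 4)]))
    return out


def dump_matches_crc_table(rows, base=0x4BFB88):
    """True when every dword in the rows equals CRC_TABLE[(addr - base) / 4 + k]."""
    for addr, dwords in parse_olly_dump(rows):
        start = (addr - base) // 4
        if dwords != CRC_TABLE[start:start + 4]:
            return False
    return True


def reduce_mod_5f(x):
    """004AB93C: repeated subtraction of 0x251C, 0x3B6, 0x5F, then add 0x5F while negative.
    Since 0x251C = 100*0x5F and 0x3B6 = 10*0x5F, this is x mod 0x5F (result in 0..0x5E)."""
    for m in (0x251C, 0x3B6, 0x5F):
        while x >= m:
            x -= m
    while x < 0:
        x += 0x5F
    return x


class TailState:
    """The state in [4C1EE0] (acc) and [4C1EE4] (counter) shared by the calls to 004ABA4C."""

    def __init__(self, seed=0):
        self.acc = seed            # first call: [4C1EE0] = ESI (assumed 0, per the listing's comments)
        self.counter = seed * 100  # first call: [4C1EE4] = ESI * 0x64

    def feed(self, s):
        """One call to 004ABA4C over s; returns the characters it would append."""
        out = []
        for ch in s.encode("latin-1"):
            if ch < 0x20 or ch > 0x7E:  # 004ABABB..004ABAC5: skip non-printable bytes
                continue
            self.acc = (self.acc & 0x1FFFFFFF) ^ ((self.acc >> 0x1D) & 0x31)
            x = reduce_mod_5f(self.acc // 0x5F - (ch - 0x20))
            bl = (x + 0x20) & 0xFF  # always printable: 0x20..0x7E
            self.counter += 1
            if self.counter >= 0x5179:
                self.counter = 0
            self.acc = (((ch ^ bl) & 0xFF) + 2 * self.acc + self.counter) & 0xFFFFFFFF
            out.append(chr(bl))
        return "".join(out)


def build_full_string(name):
    """Step 1 of the summary: returns (full string fed to the table loop, tail string)."""
    upper = name.upper() + "zhiyuan"
    st = TailState(seed=0)
    st.feed("Easy_Real_Converter")  # 2nd call: output discarded, state advanced
    st.feed(upper)                  # 3rd call: same
    tail = st.feed("MagicUtils")    # 4th call: this output is the tail string
    return upper + "MagicUtils" + "Easy_Real_Converter" + "1.50" + tail, tail


def username_hash(name):
    """User-name ciphertext: 8 upper-case hex digits of the table loop over the full string."""
    full, _ = build_full_string(name)
    return "%08X" % table_crc(full.encode("latin-1"))


if __name__ == "__main__":
    print(dump_matches_crc_table(DUMP_ROWS), build_full_string("luying10"), username_hash("luying10"))
```

Recognising a CRC-32 table by its first and last entries is the quickest way to label a loop like 004ABC84 during analysis; the rest of the scheme then reduces to the small state machine above. From a design point of view the weak spot is not the hash or the RSA step but the single byte at [4C1FD4] that carries the verdict, which is exactly what the post patches.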
I'm not too clear on the RSA algorithm; the serial-number encryption routine 004AED3C has some subtle twists in how it is handled.
Patch it for now, the rest can wait:
004BB255 mov byte ptr [4C1FD4], 0
change to
004BB255 mov byte ptr [4C1FD4], 1
My ability is limited, so the analysis stops here for now; waiting for an expert to fill in the rest...
Finished so far:
1. Analysis of the user-name encryption algorithm
2. Identification of the serial-number encryption method
Still open:
The exact RSA encryption of the serial number
Phew, it's dawn, and there's a rooster crowing outside e_e
Too sleepy, that's all for now, off to bed... zZ