[新手问题] 一个软件的dll算法,求给点思路

wintop 发表于 2020-7-23 18:11
通过一系列的od 追踪到了 一个dll,通过ViewApi.exe 查到了dll 函数,并看到了汇编代码
; ---------------------------------------------------------------------
; OllyDbg disassembly listing (Intel syntax, x86-32, Windows, MFC42).
; Not assemblable source: <jmp.&MFC42.ID:n> are import thunks resolved
; by ordinal, and branch targets are absolute VAs inside the loaded DLL
; (image base 0x10000000), so the labels 1000xxxx refer to lines of this
; same listing, not to symbols.
;
; Calling convention: RETN 8 at the end -> callee pops two 4-byte stack
; arguments (__stdcall-style). The MFC42 CString members are called
; __thiscall with this = ECX (always an LEA into this frame's locals).
;
; Frame after the prologue (ESP-relative, no frame pointer). Offsets
; below are with NO argument PUSH outstanding; each PUSH before a CALL
; shifts the visible offset by +4 (e.g. [ESP+60] after one PUSH is the
; same slot as [ESP+5C] here).
;   [ESP+10],[ESP+14],[ESP+18],[ESP+1C]  four CString locals (MFC42
;                     CString is one pointer; length appears to be read
;                     at [ptr-8] — consistent with the [reg-8] loads
;                     below, confirm against the MFC42 CStringData layout)
;   [ESP+20]          outer loop counter (set to 1, incremented at end)
;   [ESP+44]          saved length of the input string
;   [ESP+54]          previous FS:[0] (SEH chain link)
;   [ESP+58]          SEH scope-table/handler value 0x10002908
;   [ESP+5C]          SEH trylevel: which C++ locals are live, so the
;                     handler can destroy them on unwind
;   [ESP+60]          return address
;   [ESP+64]          arg1 on entry (treated as char*); the slot is later
;                     overwritten and reused as a scratch length
;   [ESP+68]          arg2 (char* output buffer; written by the final
;                     copy loop, no size argument exists)
; Return: EAX = -1 if the input string is shorter than 3, else 0.
; Callee-saved EBX/EBP/ESI/EDI are pushed/popped. EBX is held at 3 for
; most of the body and used both as a compare constant and as a
; trylevel byte (MOV ...,BL).
; Ordinal roles noted below are what these MFC42 ordinals resolve to in
; the public MFC 4.2 export table; verify against the actual MFC42.DLL.
; The string arithmetic in the middle section is left undecoded here;
; only frame, lifetime and control-flow structure is annotated.
; ---------------------------------------------------------------------
PUSH -1                                 ; SEH: trylevel = -1 (nothing live yet)
PUSH 10002908                           ; SEH: scope table / handler for this frame
MOV EAX,FS:[0]                          ; current head of the SEH chain
PUSH EAX                                ; link this record to the previous one
MOV FS:[0],ESP                          ; install the record
SUB ESP,44                              ; 0x44 bytes of locals
PUSH EBX                                ; save callee-saved registers
PUSH EBP
PUSH ESI
PUSH EDI
; --- construct four CString locals; trylevel is bumped after each so an
; --- exception destroys exactly the ones built so far (ordinal 540 is
; --- CString::CString() in MFC42)
LEA ECX,SS:[ESP+10]                     ; this = CString #1
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:[ESP+14]                     ; this = CString #2
MOV DWORD PTR SS:[ESP+5C],0             ; trylevel = 0: #1 is live
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:[ESP+18]                     ; this = CString #3
MOV BYTE PTR SS:[ESP+5C],1              ; trylevel = 1
CALL <jmp.&MFC42.ID:540>
LEA ECX,SS:[ESP+1C]                     ; this = CString #4
MOV BYTE PTR SS:[ESP+5C],2              ; trylevel = 2
CALL <jmp.&MFC42.ID:540>
MOV ESI,SS:[ESP+64]                     ; ESI = arg1 (input char*)
MOV EBX,3                               ; EBX = 3: minimum length, also next trylevel
PUSH ESI                                ; arg: const char* for operator=
LEA ECX,SS:[ESP+20]                     ; this = CString #4 ([ESP+1C] before the PUSH)
MOV SS:[ESP+60],BL                      ; trylevel = 3 (slot [ESP+5C] before the PUSH)
CALL <jmp.&MFC42.ID:860>                ; ordinal 860: CString::operator=(const char*)
MOV EAX,SS:[ESP+1C]                     ; EAX = #4.m_pchData
MOV EBP,DS:[EAX-8]                      ; EBP = its length (CStringData field at -8, see header)
CMP EBP,EBX                             ; length >= 3 ?
MOV SS:[ESP+44],EBP                     ; keep the length for the outer loop bound
JGE SHORT 1000190B                      ; yes: skip the early-exit cleanup below
; --- early exit: input too short. Destroy #4..#1 in reverse order,
; --- lowering trylevel before each destructor (ordinal 800 is
; --- CString::~CString), then return -1.
LEA ECX,SS:[ESP+1C]
MOV BYTE PTR SS:[ESP+5C],2
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+18]
MOV BYTE PTR SS:[ESP+5C],1
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+14]
MOV BYTE PTR SS:[ESP+5C],0
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+10]
MOV DWORD PTR SS:[ESP+5C],-1            ; trylevel = -1: no locals live
CALL <jmp.&MFC42.ID:800>
OR EAX,FFFFFFFF                         ; return -1
JMP 10001C34                            ; to the common epilogue (MOV ECX,[ESP+54] ... RETN 8)
; --- 1000190B: normal path. Load a constant string from .rdata into #3
; --- and the input into #1; the length of the constant is parked in
; --- the arg1 stack slot ([ESP+68] with one PUSH outstanding).
PUSH 100041D0                           ; const char* at VA 0x100041D0 (contents not shown here)
LEA ECX,SS:[ESP+1C]                     ; this = CString #3
CALL <jmp.&MFC42.ID:860>                ; #3 = constant
PUSH ESI                                ; arg: input char*
MOV ECX,SS:[ESP+1C]                     ; ECX = #3.m_pchData
MOV EDX,DS:[ECX-8]                      ; EDX = length of the constant
LEA ECX,SS:[ESP+14]                     ; this = CString #1
MOV SS:[ESP+68],EDX                     ; overwrite the arg1 slot with that length (reused as a local from here on)
CALL <jmp.&MFC42.ID:860>                ; #1 = input
CMP EBP,1                               ; input length >= 1 ?
MOV DWORD PTR SS:[ESP+20],1             ; outer counter = 1
JL 10001BC3                             ; (not reachable after the >=3 check, but kept by the compiler)
; --- 1000193F: outer loop body, counter [ESP+20] runs 1..input length.
; --- Each iteration rebuilds #2 from another .rdata constant, takes
; --- substrings/searches via ordinals 4278 and 2784 into temporaries at
; --- [ESP+24]/[ESP+28], and combines them with ordinal 922 / 858.
; --- Temporaries are tracked with trylevel values 4..E and destroyed
; --- (ordinal 800) as soon as they are consumed. The index arithmetic
; --- on ESI/EDI is the routine's actual transformation; it is not
; --- decoded in these notes.
PUSH 1000433C                           ; second const char* in .rdata
LEA ECX,SS:[ESP+18]                     ; this = CString #2
CALL <jmp.&MFC42.ID:860>                ; #2 = constant
PUSH 1                                  ; arg3 = 1
LEA EDX,SS:[ESP+28]                     ; EDX = address of temporary result slot
MOV EAX,SS:[ESP+14]                     ; EAX = #1.m_pchData
MOV EDI,DS:[EAX-8]                      ; EDI = length of #1
LEA ECX,DS:[EDI-1]                      ; arg2 = length-1
PUSH ECX
PUSH EDX                                ; hidden return-slot pointer for a CString by value
LEA ECX,SS:[ESP+1C]                     ; this = #1 ([ESP+10] before the three PUSHes)
CALL <jmp.&MFC42.ID:4278>               ; ordinal 4278: CString member returning a CString (likely Mid(int,int))
MOV EAX,DS:[EAX]                        ; EAX = temp.m_pchData
LEA ECX,SS:[ESP+18]                     ; this = #2 ([ESP+14] before the PUSH below)
PUSH EAX
MOV BYTE PTR SS:[ESP+60],4              ; trylevel = 4: temporary at [ESP+24] is live
CALL <jmp.&MFC42.ID:2784>               ; ordinal 2784: CString member taking const char*, returns int in EAX
MOV ESI,EAX                             ; ESI = result
LEA ECX,SS:[ESP+24]                     ; this = temporary
INC ESI                                 ; ESI += 1
MOV SS:[ESP+5C],BL                      ; trylevel back to 3
CALL <jmp.&MFC42.ID:800>                ; destroy temporary
ADD EDI,-2                              ; EDI = length-2
PUSH 1
LEA EAX,SS:[ESP+2C]                     ; second temporary slot ([ESP+28] before the PUSH)
PUSH EDI
PUSH EAX
LEA ECX,SS:[ESP+1C]                     ; this = #1
CALL <jmp.&MFC42.ID:4278>
MOV EAX,DS:[EAX]
LEA ECX,SS:[ESP+18]                     ; this = #2
PUSH EAX
MOV BYTE PTR SS:[ESP+60],5              ; trylevel = 5: temporary at [ESP+28] is live
CALL <jmp.&MFC42.ID:2784>
MOV EDI,EAX                             ; EDI = result
LEA ECX,SS:[ESP+28]
INC EDI                                 ; EDI += 1
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>                ; destroy temporary
TEST ESI,ESI                            ; both results must be > 0 ...
JLE 10001C8B                            ; ... otherwise skip to the post-loop section
TEST EDI,EDI
JLE 10001C8B
MOV EAX,SS:[ESP+64]                     ; EAX = the parked constant length (arg1 slot, see above)
SUB ESI,EDI                             ; --- index arithmetic, not decoded here ---
CMP ESI,1
JGE SHORT 100019DB
ADD ESI,EAX
ADD ESI,ESI
CMP ESI,EAX
JLE SHORT 100019E3
SUB ESI,EAX
DEC ESI                                 ; --- end index arithmetic ---
PUSH 1
LEA ECX,SS:[ESP+34]                     ; temporary slot ([ESP+30] before the PUSH)
PUSH ESI
PUSH ECX
LEA ECX,SS:[ESP+24]                     ; this = #2 ([ESP+18] before the three PUSHes)
CALL <jmp.&MFC42.ID:4278>
LEA EDX,SS:[ESP+10]                     ; EDX = #1
MOV BYTE PTR SS:[ESP+5C],6              ; trylevel = 6: temporary at [ESP+30] is live
PUSH EDX
PUSH EAX
LEA EAX,SS:[ESP+34]                     ; result slot for the concatenation ([ESP+2C] before the PUSHes)
PUSH EAX
CALL <jmp.&MFC42.ID:922>                ; ordinal 922: non-member CString operator+ returning by value
PUSH EAX
LEA ECX,SS:[ESP+14]                     ; this = #1
MOV BYTE PTR SS:[ESP+60],7              ; trylevel = 7: result at [ESP+2C] is live
CALL <jmp.&MFC42.ID:858>                ; ordinal 858: CString::operator=(const CString&)
LEA ECX,SS:[ESP+2C]
MOV BYTE PTR SS:[ESP+5C],6              ; destroy the two temporaries, lowering trylevel each time
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+30]
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>
; --- 10001C8B (post-loop of the above): if #1 is at least 2 long, run an
; --- inner loop over it. EBP is reused here as the inner counter and
; --- restored from [ESP+44] afterwards.
MOV ECX,SS:[ESP+10]                     ; ECX = #1.m_pchData
MOV EAX,DS:[ECX-8]                      ; EAX = length of #1
CMP EAX,2
JL 10001B2B                             ; fewer than 2 chars: skip the inner loop
LEA EBP,DS:[EAX-2]                      ; EBP = length-2 (inner counter)
; --- 10001A47: inner loop body. Same temporary/trylevel pattern as the
; --- outer loop (trylevel 8, 9, A, B), results assigned into #2.
LEA EDX,SS:[EBP+1]
PUSH 1
LEA EAX,SS:[ESP+38]                     ; temporary slot ([ESP+34] before the PUSH)
PUSH EDX
PUSH EAX
LEA ECX,SS:[ESP+1C]                     ; this = #1
CALL <jmp.&MFC42.ID:4278>
MOV EAX,DS:[EAX]
LEA ECX,SS:[ESP+18]                     ; this = #2
PUSH EAX
MOV BYTE PTR SS:[ESP+60],8              ; trylevel = 8
CALL <jmp.&MFC42.ID:2784>
MOV ESI,EAX
LEA ECX,SS:[ESP+34]
INC ESI
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>
PUSH 1
LEA ECX,SS:[ESP+3C]                     ; temporary slot ([ESP+38] before the PUSH)
PUSH EBP
PUSH ECX
LEA ECX,SS:[ESP+1C]                     ; this = #1
CALL <jmp.&MFC42.ID:4278>
MOV EAX,DS:[EAX]
LEA ECX,SS:[ESP+18]                     ; this = #2
PUSH EAX
MOV BYTE PTR SS:[ESP+60],9              ; trylevel = 9
CALL <jmp.&MFC42.ID:2784>
MOV EDI,EAX
LEA ECX,SS:[ESP+38]
INC EDI
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>
TEST ESI,ESI                            ; both results must be > 0, else skip this iteration's rebuild
JLE 10001C49
TEST EDI,EDI
JLE 10001C49
SUB ESI,EDI                             ; --- index arithmetic, not decoded here ---
CMP ESI,1
JGE SHORT 10001AC9
ADD ESI,SS:[ESP+64]                     ; uses the parked constant length
DEC ESI                                 ; --- end index arithmetic ---
PUSH 1
LEA EDX,SS:[ESP+44]                     ; temporary slot ([ESP+40] before the PUSH)
PUSH ESI
PUSH EDX
LEA ECX,SS:[ESP+24]                     ; this = #2
CALL <jmp.&MFC42.ID:4278>
LEA ECX,SS:[ESP+14]                     ; ECX = #2
LEA EDX,SS:[ESP+3C]                     ; result slot for operator+
PUSH ECX
PUSH EAX
PUSH EDX
MOV BYTE PTR SS:[ESP+68],A              ; trylevel = A ([ESP+5C] before the three PUSHes)
CALL <jmp.&MFC42.ID:922>
PUSH EAX
LEA ECX,SS:[ESP+18]                     ; this = #2
MOV BYTE PTR SS:[ESP+60],B              ; trylevel = B
CALL <jmp.&MFC42.ID:858>                ; #2 = concatenation
LEA ECX,SS:[ESP+3C]
MOV BYTE PTR SS:[ESP+5C],A              ; destroy temporaries, lowering trylevel
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+40]
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>
; --- 10001C49: inner loop step. Runs while (EBP+2) >= 2 after the decrement.
DEC EBP
LEA EAX,SS:[EBP+2]
CMP EAX,2
JGE 10001A47                            ; back to the inner loop body
; --- 10001B2B: end of inner loop. Restore EBP = input length and
; --- rebuild #1 from #2 via ordinals 4278, 5710 and 922 (trylevel C..E).
MOV EBP,SS:[ESP+44]                     ; EBP = input length (outer loop bound)
MOV ECX,SS:[ESP+14]                     ; ECX = #2.m_pchData
LEA EDX,SS:[ESP+50]                     ; temporary slot
MOV EAX,DS:[ECX-8]                      ; EAX = length of #2
LEA ECX,SS:[ESP+14]                     ; this = #2
DEC EAX                                 ; arg = length-1
PUSH EAX
PUSH 0
PUSH EDX
CALL <jmp.&MFC42.ID:4278>
MOV ESI,EAX                             ; ESI = pointer to that temporary
LEA EAX,SS:[ESP+4C]                     ; second temporary slot
PUSH 1
PUSH EAX
LEA ECX,SS:[ESP+1C]                     ; this = #2
MOV BYTE PTR SS:[ESP+64],C              ; trylevel = C
CALL <jmp.&MFC42.ID:5710>               ; ordinal 5710: one-int CString member returning a CString (name not confirmed here)
PUSH ESI
LEA ECX,SS:[ESP+4C]                     ; result slot for operator+
PUSH EAX
PUSH ECX
MOV BYTE PTR SS:[ESP+68],D              ; trylevel = D
CALL <jmp.&MFC42.ID:922>
PUSH EAX
LEA ECX,SS:[ESP+18]                     ; this = #2
MOV BYTE PTR SS:[ESP+60],E              ; trylevel = E
CALL <jmp.&MFC42.ID:858>                ; #2 = concatenation
LEA ECX,SS:[ESP+48]
MOV BYTE PTR SS:[ESP+5C],D              ; destroy the three temporaries, lowering trylevel each time
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+4C]
MOV BYTE PTR SS:[ESP+5C],C
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+50]
MOV SS:[ESP+5C],BL                      ; trylevel = 3
CALL <jmp.&MFC42.ID:800>
LEA EDX,SS:[ESP+14]                     ; arg = #2
LEA ECX,SS:[ESP+10]                     ; this = #1
PUSH EDX
CALL <jmp.&MFC42.ID:858>                ; #1 = #2
; --- outer loop step: ++counter; continue while counter <= input length
MOV EAX,SS:[ESP+20]
INC EAX
CMP EAX,EBP
MOV SS:[ESP+20],EAX
JLE 1000193F                            ; back to the outer loop body
; --- 10001BC3: copy #2 into the caller's buffer (arg2) and NUL-terminate.
; --- No size is passed (RETN 8 => only two args), so this writes
; --- len(#2)+1 bytes unconditionally: the caller must size arg2 for the
; --- longest possible result or this is a classic unbounded copy.
MOV ESI,SS:[ESP+14]                     ; ESI = #2.m_pchData
MOV EBX,SS:[ESP+68]                     ; EBX = arg2 (destination buffer)
XOR ECX,ECX                             ; ECX = i = 0
MOV EAX,DS:[ESI-8]                      ; EAX = length of #2
TEST EAX,EAX
JLE SHORT 10001BE8                      ; empty: just write the terminator
MOV EDI,ESI                             ; loop prep: EDI = src - dst, EAX = dst cursor,
MOV EAX,EBX                             ; so [EDI+EAX] is src[i] and [EAX] is dst[i]
SUB EDI,EBX
; --- 10001BDA: copy loop
MOV DL,DS:[EDI+EAX]                     ; DL = src[i]
INC ECX
MOV DS:[EAX],DL                         ; dst[i] = DL
MOV EDX,DS:[ESI-8]                      ; re-read length each iteration
INC EAX
CMP ECX,EDX
JL SHORT 10001BDA
; --- 10001BE8
PUSH C8                                 ; 0xC8 = 200 ms
MOV BYTE PTR DS:[ECX+EBX],0             ; dst[len] = '\0'
CALL DS:[<&KERNEL32.Sleep>]             ; unconditional 200 ms delay on every successful call (intent not visible here)
; --- destroy #4..#1 in reverse order, lowering trylevel before each
LEA ECX,SS:[ESP+1C]
MOV BYTE PTR SS:[ESP+5C],2
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+18]
MOV BYTE PTR SS:[ESP+5C],1
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+14]
MOV BYTE PTR SS:[ESP+5C],0
CALL <jmp.&MFC42.ID:800>
LEA ECX,SS:[ESP+10]
MOV DWORD PTR SS:[ESP+5C],-1            ; trylevel = -1: nothing live
CALL <jmp.&MFC42.ID:800>
XOR EAX,EAX                             ; return 0 (success)
; --- 10001C34: common epilogue (also reached from the -1 path above)
MOV ECX,SS:[ESP+54]                     ; ECX = previous SEH record
POP EDI                                 ; restore callee-saved registers
POP ESI
POP EBP
POP EBX
MOV FS:[0],ECX                          ; unlink this frame from the SEH chain
ADD ESP,50                              ; 0x44 locals + 3 SEH dwords
RETN 8                                  ; callee pops the two arguments

请问到这里后,下一步如何写出注册机。分析这个代码是没有一点思路,或者有推荐的书,看看去


 楼主| wintop 发表于 2020-7-24 00:22
涛之雨 发表于 2020-7-23 21:21
感觉找的好像不对吧。
这种辅助可以贴一下文件(如果方便的话)
最好说一下是怎么定位的,

定位很简单,很多静态反汇编的都能定位, od 也可以
涛之雨 发表于 2020-7-24 06:55
wintop 发表于 2020-7-24 00:22
定位很简单,很多静态反汇编的都能定位, od 也可以

我当然知道定位简单,但是楼主你这个找到好像不对啊,这似乎是框架的代码
无闻无问 发表于 2020-7-23 18:36
你拿到ida中转换成伪c代码,不就轻松多了吗?
 楼主| wintop 发表于 2020-7-23 18:49
无闻无问 发表于 2020-7-23 18:36
你拿到ida中转换成伪c代码,不就轻松多了吗?

已经在 ida 查看....复杂的要命
lykenan 发表于 2020-7-23 18:52
天书是什么,说的就是我这种小白看到这。。。。。。想学又不懂....
Light紫星 发表于 2020-7-23 19:50
ida f5啊,这个代码不是很长,只要确定了位置应该很容易搞的
JuncoJet 发表于 2020-7-23 20:09
注册算法确定要MFC?别闹,重新找找
Sound 发表于 2020-7-23 20:43
这个不是算法的汇编代码段吧
别欺负我啊 发表于 2020-7-23 20:52
MFC42... 估计得山总来
涛之雨 发表于 2020-7-23 21:21
感觉找的好像不对吧。
这种辅助可以贴一下文件(如果方便的话)
最好说一下是怎么定位的,
 楼主| wintop 发表于 2020-7-24 00:20
Sound 发表于 2020-7-23 20:43
这个不是算法的汇编代码段吧

是算法,反汇编的。到IDA 数据很长