52pojie.cn (吾爱破解) - LCG - LSG | Android cracking | Malware analysis | www.52pojie.cn


Views: 5107 | Replies: 8

[Original] WinXAR v2.0 cracking process analysis

damgda posted on 2014-10-19 23:48
Last edited by damgda on 2014-10-20 09:58

The main program WinXAR.exe is packed with PEtite 2.x. Unpacking is trivial: apply the ESP trick, press Alt+F9 a few times to land on the line after the OEP, dump, and fix the imports. I traced the serial check with the packer still on; the unpacking was done afterwards, since this packer is rarely seen.
Before registration:

[screenshot: QQ截图20141019231116.png]
After registration:
[screenshot: QQ图片20141019235600.jpg]
First, enter a fake key: 12345-AAAAA-67890-BBBBB-123CC
Username: 52pojie
[screenshot: QQ图片20141019230906.jpg]
Tracing shows that groups one and three, and the first three characters of the last group, play no part in registration;
the key proper is groups two and four plus the last two characters of the key.
Here is the key code:
[Asm]
0051510D  |.  55            push ebp
0051510E  |.  68 A7525100   push WinXAR.005152A7
00515113  |.  64:FF30       push dword ptr fs:[eax]
00515116  |.  64:8920       mov dword ptr fs:[eax],esp
00515119  |.  8D55 F8       lea edx,[local.2]
0051511C  |.  8B83 FC020000 mov eax,dword ptr ds:[ebx+0x2FC]
00515122  |.  E8 6DD1F5FF   call WinXAR.00472294
00515127  |.  FF75 F8       push [local.2]
0051512A  |.  8D55 F4       lea edx,[local.3]
0051512D  |.  8B83 04030000 mov eax,dword ptr ds:[ebx+0x304]
00515133  |.  E8 5CD1F5FF   call WinXAR.00472294
00515138  |.  FF75 F4       push [local.3]
0051513B  |.  8D55 F0       lea edx,[local.4]
0051513E  |.  8B83 0C030000 mov eax,dword ptr ds:[ebx+0x30C]
00515144  |.  E8 4BD1F5FF   call WinXAR.00472294
00515149  |.  FF75 F0       push [local.4]
0051514C  |.  8D55 EC       lea edx,[local.5]
0051514F  |.  8B83 14030000 mov eax,dword ptr ds:[ebx+0x314]
00515155  |.  E8 3AD1F5FF   call WinXAR.00472294
0051515A  |.  FF75 EC       push [local.5]
0051515D  |.  8D55 E8       lea edx,[local.6]
00515160  |.  8B83 1C030000 mov eax,dword ptr ds:[ebx+0x31C]
00515166  |.  E8 29D1F5FF   call WinXAR.00472294
0051516B  |.  FF75 E8       push [local.6]
0051516E  |.  8D45 FC       lea eax,[local.1]
00515171  |.  BA 05000000   mov edx,0x5
00515176  |.  E8 A9FAEEFF   call WinXAR.00404C24
0051517B  |.  8B45 FC       mov eax,[local.1]
0051517E  |.  E8 01CAFDFF   call WinXAR.004F1B84
00515183  |.  84C0          test al,al
00515185  |.  0F84 E0000000 je WinXAR.0051526B                       ; -----------------------------key jump, can simply be patched
0051518B  |.  8D55 E4       lea edx,[local.7]
0051518E  |.  8B83 3C030000 mov eax,dword ptr ds:[ebx+0x33C]
00515194  |.  E8 FBD0F5FF   call WinXAR.00472294
00515199  |.  837D E4 00    cmp [local.7],0x0
0051519D  |.  75 26         jnz XWinXAR.005151C5                     ; -----------------checks whether a username was entered
0051519F  |.  8B83 3C030000 mov eax,dword ptr ds:[ebx+0x33C]
005151A5  |.  8B10          mov edx,dword ptr ds:[eax]
005151A7  |.  FF92 C4000000 call dword ptr ds:[edx+0xC4]
005151AD  |.  66:8B0D B4525>mov cx,word ptr ds:[0x5152B4]
005151B4  |.  B2 01         mov dl,0x1
005151B6  |.  B8 C0525100   mov eax,WinXAR.005152C0                  ;  Please enter your full name.
005151BB  |.  E8 80A1FDFF   call WinXAR.004EF340
005151C0  |.  E9 C7000000   jmp WinXAR.0051528C
005151C5  |>  8D55 E0       lea edx,[local.8]
005151C8  |.  8B83 FC020000 mov eax,dword ptr ds:[ebx+0x2FC]
005151CE  |.  E8 C1D0F5FF   call WinXAR.00472294
005151D3  |.  FF75 E0       push [local.8]
005151D6  |.  8D55 DC       lea edx,[local.9]
005151D9  |.  8B83 04030000 mov eax,dword ptr ds:[ebx+0x304]
005151DF  |.  E8 B0D0F5FF   call WinXAR.00472294
005151E4  |.  FF75 DC       push [local.9]
005151E7  |.  8D55 D8       lea edx,[local.10]
005151EA  |.  8B83 0C030000 mov eax,dword ptr ds:[ebx+0x30C]
005151F0  |.  E8 9FD0F5FF   call WinXAR.00472294
005151F5  |.  FF75 D8       push [local.10]
005151F8  |.  8D55 D4       lea edx,[local.11]
005151FB  |.  8B83 14030000 mov eax,dword ptr ds:[ebx+0x314]
00515201  |.  E8 8ED0F5FF   call WinXAR.00472294
00515206  |.  FF75 D4       push [local.11]
00515209  |.  8D55 D0       lea edx,[local.12]
0051520C  |.  8B83 1C030000 mov eax,dword ptr ds:[ebx+0x31C]
00515212  |.  E8 7DD0F5FF   call WinXAR.00472294
00515217  |.  FF75 D0       push [local.12]
0051521A  |.  A1 788E5200   mov eax,dword ptr ds:[0x528E78]          ;  啸R
0051521F  |.  BA 05000000   mov edx,0x5
00515224  |.  E8 FBF9EEFF   call WinXAR.00404C24
00515229  |.  8D55 CC       lea edx,[local.13]
0051522C  |.  8B83 3C030000 mov eax,dword ptr ds:[ebx+0x33C]
00515232  |.  E8 5DD0F5FF   call WinXAR.00472294
00515237  |.  8B55 CC       mov edx,[local.13]
0051523A  |.  A1 10845200   mov eax,dword ptr ds:[0x528410]          ;  去R
0051523F  |.  E8 B4F6EEFF   call WinXAR.004048F8
00515244  |.  A1 E8815200   mov eax,dword ptr ds:[0x5281E8]          ;  磨R
00515249  |.  C600 01       mov byte ptr ds:[eax],0x1
0051524C  |.  66:8B0D B4525>mov cx,word ptr ds:[0x5152B4]
00515253  |.  B2 02         mov dl,0x2
00515255  |.  B8 E8525100   mov eax,WinXAR.005152E8                  ;  Thank you for registering!
0051525A  |.  E8 E1A0FDFF   call WinXAR.004EF340
0051525F  |.  C783 4C020000>mov dword ptr ds:[ebx+0x24C],0x1
00515269  |.  EB 21         jmp XWinXAR.0051528C
0051526B  |>  8B83 FC020000 mov eax,dword ptr ds:[ebx+0x2FC]
00515271  |.  8B10          mov edx,dword ptr ds:[eax]
00515273  |.  FF92 C4000000 call dword ptr ds:[edx+0xC4]
00515279  |.  66:8B0D B4525>mov cx,word ptr ds:[0x5152B4]
00515280  |.  B2 01         mov dl,0x1
00515282  |.  B8 0C535100   mov eax,WinXAR.0051530C                  ;  Invalid register code.
00515287  |.  E8 B4A0FDFF   call WinXAR.004EF340
0051528C  |>  33C0          xor eax,eax
0051528E  |.  5A            pop edx
0051528F  |.  59            pop ecx
00515290  |.  59            pop ecx
00515291  |.  64:8910       mov dword ptr fs:[eax],edx
00515294  |.  68 AE525100   push WinXAR.005152AE
00515299  |>  8D45 CC       lea eax,[local.13]
0051529C  |.  BA 0D000000   mov edx,0xD
005152A1  |.  E8 22F6EEFF   call WinXAR.004048C8
005152A6  \.  C3            retn

Now let's look at the code behind 0051517E  |.  E8 01CAFDFF   call WinXAR.004F1B84:

[Asm]
004F1B98  |.  55            push ebp
004F1B99  |.  68 BB1C4F00   push WinXAR.004F1CBB
004F1B9E  |.  64:FF30       push dword ptr fs:[eax]
004F1BA1  |.  64:8920       mov dword ptr fs:[eax],esp
004F1BA4  |.  8BC3          mov eax,ebx
004F1BA6  |.  E8 B92FF1FF   call WinXAR.00404B64
004F1BAB  |.  83F8 19       cmp eax,0x19
004F1BAE  |.  74 07         je XWinXAR.004F1BB7
004F1BB0  |.  33DB          xor ebx,ebx
004F1BB2  |.  E9 E9000000   jmp WinXAR.004F1CA0
004F1BB7  |>  8D45 F4       lea eax,[local.3]
004F1BBA  |.  50            push eax
004F1BBB  |.  B9 05000000   mov ecx,0x5
004F1BC0  |.  BA 01000000   mov edx,0x1
004F1BC5  |.  8BC3          mov eax,ebx
004F1BC7  |.  E8 F831F1FF   call WinXAR.00404DC4
004F1BCC  |.  FF75 F4       push [local.3]
004F1BCF  |.  8D45 F0       lea eax,[local.4]
004F1BD2  |.  50            push eax
004F1BD3  |.  B9 05000000   mov ecx,0x5
004F1BD8  |.  BA 0B000000   mov edx,0xB
004F1BDD  |.  8BC3          mov eax,ebx
004F1BDF  |.  E8 E031F1FF   call WinXAR.00404DC4
004F1BE4  |.  FF75 F0       push [local.4]
004F1BE7  |.  8D45 EC       lea eax,[local.5]
004F1BEA  |.  50            push eax
004F1BEB  |.  B9 03000000   mov ecx,0x3
004F1BF0  |.  BA 15000000   mov edx,0x15
004F1BF5  |.  8BC3          mov eax,ebx
004F1BF7  |.  E8 C831F1FF   call WinXAR.00404DC4
004F1BFC  |.  FF75 EC       push [local.5]
004F1BFF  |.  8D45 FC       lea eax,[local.1]
004F1C02  |.  BA 03000000   mov edx,0x3
004F1C07  |.  E8 1830F1FF   call WinXAR.00404C24
004F1C0C  |.  8D45 E8       lea eax,[local.6]
004F1C0F  |.  50            push eax
004F1C10  |.  B9 05000000   mov ecx,0x5
004F1C15  |.  BA 06000000   mov edx,0x6
004F1C1A  |.  8BC3          mov eax,ebx
004F1C1C  |.  E8 A331F1FF   call WinXAR.00404DC4
004F1C21  |.  FF75 E8       push [local.6]
004F1C24  |.  8D45 E4       lea eax,[local.7]
004F1C27  |.  50            push eax
004F1C28  |.  B9 05000000   mov ecx,0x5
004F1C2D  |.  BA 10000000   mov edx,0x10
004F1C32  |.  8BC3          mov eax,ebx
004F1C34  |.  E8 8B31F1FF   call WinXAR.00404DC4
004F1C39  |.  FF75 E4       push [local.7]
004F1C3C  |.  8D45 E0       lea eax,[local.8]
004F1C3F  |.  50            push eax
004F1C40  |.  B9 02000000   mov ecx,0x2
004F1C45  |.  BA 18000000   mov edx,0x18
004F1C4A  |.  8BC3          mov eax,ebx
004F1C4C  |.  E8 7331F1FF   call WinXAR.00404DC4
004F1C51  |.  FF75 E0       push [local.8]
004F1C54  |.  8D45 F8       lea eax,[local.2]
004F1C57  |.  BA 03000000   mov edx,0x3
004F1C5C  |.  E8 C32FF1FF   call WinXAR.00404C24
004F1C61  |.  8D4D DC       lea ecx,[local.9]
004F1C64  |.  BA 310E331C   mov edx,0x1C330E31
004F1C69  |.  8B45 FC       mov eax,[local.1]
004F1C6C  |.  E8 C7F4FFFF   call WinXAR.004F1138
004F1C71  |.  8B55 DC       mov edx,[local.9]
004F1C74  |.  8D45 FC       lea eax,[local.1]                        ;  here EDX holds something that looks like the key, but with one extra character at the end
004F1C77  |.  E8 C02CF1FF   call WinXAR.0040493C
004F1C7C  |.  8D45 D8       lea eax,[local.10]
004F1C7F  |.  50            push eax
004F1C80  |.  B9 0C000000   mov ecx,0xC
004F1C85  |.  BA 01000000   mov edx,0x1
004F1C8A  |.  8B45 FC       mov eax,[local.1]
004F1C8D  |.  E8 3231F1FF   call WinXAR.00404DC4
004F1C92  |.  8B55 D8       mov edx,[local.10]
004F1C95  |.  8B45 F8       mov eax,[local.2]
004F1C98  |.  E8 1330F1FF   call WinXAR.00404CB0
004F1C9D  |.  0F94C3        sete bl
004F1CA0  |>  33C0          xor eax,eax
004F1CA2  |.  5A            pop edx
004F1CA3  |.  59            pop ecx
004F1CA4  |.  59            pop ecx
004F1CA5  |.  64:8910       mov dword ptr fs:[eax],edx
004F1CA8  |.  68 C21C4F00   push WinXAR.004F1CC2
004F1CAD  |>  8D45 D8       lea eax,[local.10]
004F1CB0  |.  BA 0A000000   mov edx,0xA
004F1CB5  |.  E8 0E2CF1FF   call WinXAR.004048C8
004F1CBA  \.  C3            retn

Stack ss:[0012F22C]=00E996FC, (ASCII "LCAMUNAUPKTFL")
edx=00E8A0A0, (ASCII "1234567890123")
Both EDX and the stack contain LCAMUNAUPKTFL.
LCAMUNAUPKTFL is 13 characters,
one more than AAAAA BBBBB CC, so try splitting LCAMUNAUPKTFL as LCAMU-NAUPK-TF
and discard the last character.
[screenshot: QQ图片20141019230933.jpg]
[screenshot: QQ图片20141019230925.png]
Experiment 1: assume the real key is 12345-LCAMU-67890-NAUPK-123TF, username 52pojie, and enter it in the registration box:

It actually registered successfully.
[screenshot: QQ图片20141019230826.jpg]
Experiment 2: change the numeric part of the key to 11111-AAAAA-67890-BBBBB-123CC; the verification part is still LFCJYNAUPKTFL, unchanged.
[Registers]
EAX 00000000
ECX 00000001
EDX 00EB9668 ASCII "LFCJYNAUPKTFL"
EBX 00EC6028 ASCII "11111AAAAA67890BBBBB123CC"

Experiment 3: change the username to 52pojie1; the registers are as follows:
[Registers]
EAX 00000000
ECX 00000001
EDX 00EB9668 ASCII "LFCJYNAUPKTFL"
EBX 00EC6028 ASCII "11111AAAAA67890BBBBB123CC"

The experiments above show that the key comparison has nothing to do with the username; it depends only on groups two and four of the key plus the last two characters of group five, 12 characters in total.
[screenshot: QQ图片20141019230916.jpg]
Just split the key into groups yourself.
For example:
username: 52pojie
key: 12345-LCAMU-67890-NAUPK-123TF
Any name, any numeric part.
Also, the key is actually stored in the file WinXAR.dat in the program directory.
You can simply use my dat file.
Attached are the keygen, the unpacked main program and the original installer; I hope the analysis above is useful to you.

Attachment: 全部.rar (1.89 MB, 94 downloads, costs 1 CB)

Rating: 1 participant, Enthusiasm +1
Chief +1: Welcome, analysis and discussion make 52pojie better.

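The check routine above can be modelled in a few lines. The following is an added illustration, not code from the post or from WinXAR itself. Everything about the key layout is taken from the listing at 004F1B98: the caller concatenates the five 5-character edit boxes, the result must be 0x19 (25) characters long, the digit part is Copy(1,5)+Copy(0Bh,5)+Copy(15h,3), the letter part is Copy(6,5)+Copy(10h,5)+Copy(18h,2), and only the first 0Ch (12) characters of the transform output are compared with the letter part. The body of the transform at 004F1138 (called with EDX = 0x1C330E31) is not on the page, so the model substitutes a lookup of the two input/output pairs the post reports in the debugger and refuses any other input instead of guessing; `delphi_copy`, `split_key`, `check_key` and `assemble_key` are my names.

```python
"""Model of the WinXAR 2.0 key check at 004F1B98, as read from the listing.

Added illustration only: not code from WinXAR or from the original post.
The slicing offsets, the 0x19 length check and the 12-character compare
come from the disassembly; the transform at 004F1138 is NOT on the page and
is replaced by a table of the two observed input/output pairs.
"""
from __future__ import annotations

TRANSFORM_CONSTANT = 0x1C330E31  # EDX argument passed to 004F1138 in the listing

# Observed pairs from the post (stand-in for the unknown routine 004F1138).
_OBSERVED_TRANSFORM = {
    "1234567890123": "LCAMUNAUPKTFL",  # from key 12345-?????-67890-?????-123??
    "1111167890123": "LFCJYNAUPKTFL",  # from key 11111-?????-67890-?????-123??
}


def delphi_copy(s: str, index: int, count: int) -> str:
    """Delphi Copy(S, Index, Count): 1-based start, clamped at the string end."""
    index = max(index, 1)
    return s[index - 1:index - 1 + max(count, 0)]


def transform_004f1138(digits: str, constant: int = TRANSFORM_CONSTANT) -> str:
    """Stand-in for 004F1138: return the observed 13-letter output or refuse."""
    if constant != TRANSFORM_CONSTANT or digits not in _OBSERVED_TRANSFORM:
        raise NotImplementedError(
            "routine 004F1138 is not on the page; only observed pairs are modelled"
        )
    return _OBSERVED_TRANSFORM[digits]


def split_key(key25: str) -> tuple[str, str]:
    """Return (digit_part, letter_part) exactly as the six Copy() calls build them."""
    digit_part = (delphi_copy(key25, 1, 5)          # group 1
                  + delphi_copy(key25, 0xB, 5)      # group 3
                  + delphi_copy(key25, 0x15, 3))    # first 3 chars of group 5
    letter_part = (delphi_copy(key25, 6, 5)         # group 2
                   + delphi_copy(key25, 0x10, 5)    # group 4
                   + delphi_copy(key25, 0x18, 2))   # last 2 chars of group 5
    return digit_part, letter_part


def check_key(groups: list[str]) -> bool:
    """True iff the routine would return AL=1 for these five edit-box strings."""
    key25 = "".join(groups)              # LStrCatN of the five edit boxes
    if len(key25) != 0x19:               # cmp eax,0x19 ; mismatch -> xor ebx,ebx
        return False
    digit_part, letter_part = split_key(key25)
    expected = delphi_copy(transform_004f1138(digit_part), 1, 0xC)  # drop 13th char
    return expected == letter_part       # LStrCmp ; sete bl


def assemble_key(group1: str, group3: str, group5_prefix: str) -> str:
    """Build a key the check accepts from the free digit positions (keygen shape)."""
    if len(group1) != 5 or len(group3) != 5 or len(group5_prefix) != 3:
        raise ValueError("expected 5, 5 and 3 characters")
    letters = delphi_copy(transform_004f1138(group1 + group3 + group5_prefix), 1, 0xC)
    group2, group4, tail = letters[:5], letters[5:10], letters[10:12]
    return "-".join([group1, group2, group3, group4, group5_prefix + tail])


if __name__ == "__main__":
    print(assemble_key("12345", "67890", "123"))  # 12345-LCAMU-67890-NAUPK-123TF
    print(check_key(["12345", "LCAMU", "67890", "NAUPK", "123TF"]))  # True
```

The username never reaches this routine; the caller at 00515199 only checks that the name field is non-empty before the "Thank you for registering!" path, which matches the post's third experiment. Note that `check_key` feeds the digit part into the transform, so the model only answers for digit strings whose output the post recorded.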

damgda (OP) posted on 2014-10-19 23:50
No CB needed: direct download link for the installer alone: http://jimisoft.com/soft/xarsetup.zip
alexjeniks posted on 2014-10-20 00:19
灵魂深处 posted on 2014-10-20 01:22
What does this have to do with WinRAR?
SoulKingLHW posted on 2014-10-20 04:08
A master again! Ah, newbies like us can only watch!
manbajie posted on 2014-10-20 07:03
Learning the master's method.
damgda (OP) posted on 2014-10-20 07:14, from mobile
Quoting 灵魂深处 (2014-10-20 01:22): What does this have to do with WinRAR?

It reads xar-format packed files; Xunlei (迅雷) and other software use it for encryption.
Poner posted on 2014-10-22 19:10, from mobile
xar?? How do you use it?
damgda (OP) posted on 2014-10-22 19:35

It is a tool for encrypting folders and files. Open the .xar files in the Xunlei directory with it and you will see: they hold important configuration files, essential for modifying Xunlei.
52pojie.cn - LCG - LSG (京ICP备16042023号 | 京公网安备 11010502030087号), Powered by Discuz!