好友
阅读权限25
听众
最后登录1970-1-1
|
揰掵佲
发表于 2018-7-18 21:39
某视频的逆向分析(爆破\注册机\提取源)
1、爆破分析
2、注册机分析
3、提取源文件
分析过程
1、查壳 Microsoft Visual C++ v6.0
2、打开视频
当前目录下生成 reg 文件,notepad++打开
3、典型的重启验证,OD载入 定位关键字 reg 找到2处 分别下断
[Asm] 纯文本查看 复制代码
004011AE |. 68 30504000 push demo.00405030 ; \reg
004019D8 |. 68 30504000 push demo.00405030 ; \reg
4、F9运行 跑起来
[Asm] 纯文本查看 复制代码 004019D8 |. 68 30504000 push demo.00405030 ; \reg
004019DD |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
004019E1 |. 50 push eax
004019E2 |. 51 push ecx
004019E3 |. C74424 24 00000000 mov dword ptr ss:[esp+0x24],0x0
004019EB |. E8 38090000 call <jmp.&MFC42.#operator+_924>
004019F0 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
004019F4 |. C64424 18 02 mov byte ptr ss:[esp+0x18],0x2
004019F9 |. E8 12090000 call <jmp.&MFC42.#CString::~CString_800>
004019FE |. 8B5424 04 mov edx,dword ptr ss:[esp+0x4]
00401A02 |. 52 push edx ; /Path = ""
00401A03 |. FF15 7C324000 call dword ptr ds:[<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
00401A09 |. 85C0 test eax,eax
00401A0B |. 74 1A je short demo.00401A27
00401A0D |. 51 push ecx
00401A0E |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
00401A12 |. 8BCC mov ecx,esp
00401A14 |. 896424 10 mov dword ptr ss:[esp+0x10],esp
00401A18 |. 50 push eax
00401A19 |. E8 F8080000 call <jmp.&MFC42.#CString::CString_535>
00401A1E |. 8BCE mov ecx,esi
00401A20 |. E8 3B000000 call demo.00401A60
00401A25 |. EB 07 jmp short demo.00401A2E
00401A27 |> 8BCE mov ecx,esi
00401A29 |. E8 12FFFFFF call demo.00401940
00401A2E |> 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4]
00401A32 |. C74424 18 FFFFFFFF mov dword ptr ss:[esp+0x18],-0x1
00401A3A |. E8 D1080000 call <jmp.&MFC42.#CString::~CString_800>
00401A3F |. 8B4C24 10 mov ecx,dword ptr ss:[esp+0x10]
00401A43 |. B8 01000000 mov eax,0x1
00401A20 |. E8 3B000000 call demo.00401A60 这里是关键Call 进入
[Asm] 纯文本查看 复制代码 00401A60 /$ 6A FF push -0x1
00401A62 |. 68 0E2A4000 push demo.00402A0E ; 葛9@; SE 处理程序安装
00401A67 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401A6D |. 50 push eax
00401A6E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00401A75 |. 81EC 10030000 sub esp,0x310
00401A7B |. 55 push ebp
00401A7C |. 56 push esi
00401A7D |. 57 push edi ; user32.SendMessageA
00401A7E |. 8BE9 mov ebp,ecx
00401A80 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
00401A84 |. C78424 24030000 00000000 mov dword ptr ss:[esp+0x324],0x0
00401A8F |. E8 B2080000 call <jmp.&MFC42.#CString::CString_540>
00401A94 |. 8B8424 2C030000 mov eax,dword ptr ss:[esp+0x32C]
00401A9B |. 68 A4514000 push demo.004051A4 ; /r
00401AA0 |. 50 push eax ; |path = "@;9"
00401AA1 |. C68424 2C030000 01 mov byte ptr ss:[esp+0x32C],0x1 ; |
00401AA9 |. FF15 5C324000 call dword ptr ds:[<&MSVCRT.fopen>] ; \fopen
00401AAF |. 83C4 08 add esp,0x8
00401AB2 |. 8BF0 mov esi,eax
00401AB4 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
00401AB8 |. 56 push esi
00401AB9 |. 6A 0A push 0xA
00401ABB |. 6A 00 push 0x0
00401ABD |. E8 D00A0000 call <jmp.&MFC42.#CString::GetBuffer_2915>
00401AC2 |. 50 push eax ; |s = 0012F840
00401AC3 |. FF15 54324000 call dword ptr ds:[<&MSVCRT.fgets>] ; \fgets
00401AC9 |. 56 push esi ; /stream = 0012FE50
00401ACA |. FF15 64324000 call dword ptr ds:[<&MSVCRT.fclose>] ; \fclose
00401AD0 |. 83C4 0C add esp,0xC
00401AD3 |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
00401AD7 |. 8BCC mov ecx,esp
00401AD9 |. 896424 14 mov dword ptr ss:[esp+0x14],esp
00401ADD |. 52 push edx ; mfc42.73E02630
00401ADE |. E8 33080000 call <jmp.&MFC42.#CString::CString_535>
00401AE3 |. 8BCD mov ecx,ebp
00401AE5 |. E8 46010000 call demo.00401C30
00401AEA |. 85C0 test eax,eax
00401AEC |. 0F84 E8000000 je demo.00401BDA
5、 爆破
00401AEC |. /0F84 E8000000 je demo.00401BDA nop之后 可以直接播放
6、分析算法
00401AE5 |. E8 46010000 call demo.00401C30 ; 进入关键call
[Asm] 纯文本查看 复制代码 00401C30 /$ 6A FF push -0x1
00401C32 |. 68 402A4000 push demo.00402A40 ; SE 处理程序安装
00401C37 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401C3D |. 50 push eax
00401C3E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00401C45 |. 83EC 10 sub esp,0x10
00401C48 |. 56 push esi
00401C49 |. 8BF1 mov esi,ecx
00401C4B |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
00401C4F |. C74424 1C 00000000 mov dword ptr ss:[esp+0x1C],0x0
00401C57 |. E8 EA060000 call <jmp.&MFC42.#CString::CString_540>
00401C5C |. 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4]
00401C60 |. C64424 1C 01 mov byte ptr ss:[esp+0x1C],0x1
00401C65 |. E8 DC060000 call <jmp.&MFC42.#CString::CString_540>
00401C6A |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
00401C6E |. C64424 1C 02 mov byte ptr ss:[esp+0x1C],0x2
00401C73 |. 50 push eax
00401C74 |. E8 47F4FFFF call demo.004010C0 ; 取机器码
00401C79 |. 83C4 04 add esp,0x4
00401C7C |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
00401C80 |. 51 push ecx
00401C81 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
00401C85 |. E8 92060000 call <jmp.&MFC42.#CString::operator=_858>
00401C8A |. 51 push ecx
00401C8B |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
00401C8F |. 8BCC mov ecx,esp
00401C91 |. 896424 10 mov dword ptr ss:[esp+0x10],esp
00401C95 |. 52 push edx ; mfc42.73E02630
00401C96 |. E8 7B060000 call <jmp.&MFC42.#CString::CString_535>
00401C9B |. 51 push ecx
00401C9C |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
00401CA0 |. 8BCC mov ecx,esp
00401CA2 |. 896424 18 mov dword ptr ss:[esp+0x18],esp
00401CA6 |. 50 push eax
00401CA7 |. C64424 28 03 mov byte ptr ss:[esp+0x28],0x3
00401CAC |. E8 65060000 call <jmp.&MFC42.#CString::CString_535>
00401CB1 |. 8BCE mov ecx,esi
00401CB3 |. C64424 24 02 mov byte ptr ss:[esp+0x24],0x2
00401CB8 |. E8 83000000 call demo.00401D40 ; 对比Call
00401CBD |. 85C0 test eax,eax
00401CBF |. C64424 1C 01 mov byte ptr ss:[esp+0x1C],0x1
00401CC4 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4]
00401CC8 |. 74 3B je short demo.00401D05 ;
00401CB8 |. E8 83000000 call demo.00401D40 ; 关键对比Call 进入
[Asm] 纯文本查看 复制代码 00401D40 /$ 6A FF push -0x1
00401D42 |. 68 602A4000 push demo.00402A60 ; SE 处理程序安装
00401D47 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401D4D |. 50 push eax
00401D4E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00401D55 |. 83EC 08 sub esp,0x8
00401D58 |. 53 push ebx
00401D59 |. 55 push ebp
00401D5A |. 56 push esi
00401D5B |. 57 push edi ; user32.SendMessageA
00401D5C |. C74424 20 00000000 mov dword ptr ss:[esp+0x20],0x0
00401D64 |. 8B4424 28 mov eax,dword ptr ss:[esp+0x28] ; 1147521097 机器码传递给eax
00401D68 |. 8A08 mov cl,byte ptr ds:[eax]
00401D6A |. 884C24 14 mov byte ptr ss:[esp+0x14],cl ; esp+14 真码给第一个
00401D6E |. 8B4C24 2C mov ecx,dword ptr ss:[esp+0x2C] ; ecx是假码 210971147
00401D72 |. 8A11 mov dl,byte ptr ds:[ecx]
00401D74 |. 885424 10 mov byte ptr ss:[esp+0x10],dl ; 假码第一个给 esp+10
00401D78 |. 8B5424 14 mov edx,dword ptr ss:[esp+0x14] ; edx 真码第一个
00401D7C |. 8B7424 10 mov esi,dword ptr ss:[esp+0x10] ; esi 假码第一个
00401D80 |. 81E2 FF000000 and edx,0xFF ; 位与FF 取出31 1--31
00401D86 |. 81E6 FF000000 and esi,0xFF ; 取出32 2--32
00401D8C |. 03F2 add esi,edx ; esi=esi+edx 63
00401D8E |. 8A50 01 mov dl,byte ptr ds:[eax+0x1] ; 真码第二位
00401D91 |. 885424 10 mov byte ptr ss:[esp+0x10],dl ; 第二位给esp+10
00401D95 |. 8A51 01 mov dl,byte ptr ds:[ecx+0x1] ; 假码第二位
00401D98 |. 885424 14 mov byte ptr ss:[esp+0x14],dl ; 给esp+14
00401D9C |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
00401DA0 |. 8B7C24 14 mov edi,dword ptr ss:[esp+0x14] ; demo.004029E0
00401DA4 |. 81E2 FF000000 and edx,0xFF ; 真码第二位 31 1
00401DAA |. 81E7 FF000000 and edi,0xFF ; 假码第二位 31 -1
00401DB0 |. 03FA add edi,edx ; edi=edi+edx 62
00401DB2 |. 8A50 02 mov dl,byte ptr ds:[eax+0x2]
00401DB5 |. 885424 10 mov byte ptr ss:[esp+0x10],dl
00401DB9 |. 8A51 02 mov dl,byte ptr ds:[ecx+0x2]
00401DBC |. 885424 14 mov byte ptr ss:[esp+0x14],dl
00401DC0 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
00401DC4 |. 8B6C24 14 mov ebp,dword ptr ss:[esp+0x14] ; demo.004029E0
00401DC8 |. 81E2 FF000000 and edx,0xFF ; 真码第三
00401DCE |. 81E5 FF000000 and ebp,0xFF ; 假码第三
00401DD4 |. 03EA add ebp,edx ; ebp= ebp+edx 64
00401DD6 |. 8A50 03 mov dl,byte ptr ds:[eax+0x3]
00401DD9 |. 885424 10 mov byte ptr ss:[esp+0x10],dl
00401DDD |. 8A51 03 mov dl,byte ptr ds:[ecx+0x3]
00401DE0 |. 8B5C24 10 mov ebx,dword ptr ss:[esp+0x10]
00401DE4 |. 885424 14 mov byte ptr ss:[esp+0x14],dl
00401DE8 |. 8B5424 14 mov edx,dword ptr ss:[esp+0x14] ; demo.004029E0
00401DEC |. 81E3 FF000000 and ebx,0xFF ; 真4
00401DF2 |. 81E2 FF000000 and edx,0xFF ; 假4
00401DF8 |. 03D3 add edx,ebx ; 70 = edx=edx+ebx
00401DFA |. 03EA add ebp,edx ; ebp =ebp+edx 64+70 0D4
00401DFC |. 8A50 04 mov dl,byte ptr ds:[eax+0x4] ; 真5
00401DFF |. 885424 10 mov byte ptr ss:[esp+0x10],dl
00401E03 |. 8A51 04 mov dl,byte ptr ds:[ecx+0x4] ; 假5
00401E06 |. 03EF add ebp,edi ; ebp=ebp+edi 0d4+062 136
00401E08 |. 885424 14 mov byte ptr ss:[esp+0x14],dl
00401E0C |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
00401E10 |. 03EE add ebp,esi ; ebp =ebp +esi 136 +63 199
00401E12 |. 8B7424 14 mov esi,dword ptr ss:[esp+0x14] ; demo.004029E0
00401E16 |. 81E2 FF000000 and edx,0xFF ; 35 真5
00401E1C |. 81E6 FF000000 and esi,0xFF ; 假5 37
00401E22 |. 03F2 add esi,edx ; esi= esi+edx = 6c
00401E24 |. 8A50 05 mov dl,byte ptr ds:[eax+0x5]
00401E27 |. 885424 10 mov byte ptr ss:[esp+0x10],dl
00401E2B |. 8A51 05 mov dl,byte ptr ds:[ecx+0x5]
00401E2E |. 885424 14 mov byte ptr ss:[esp+0x14],dl
00401E32 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
00401E36 |. 8B7C24 14 mov edi,dword ptr ss:[esp+0x14] ; demo.004029E0
00401E3A |. 81E2 FF000000 and edx,0xFF ; 真6
00401E40 |. 81E7 FF000000 and edi,0xFF ; 假6
00401E46 |. 03FA add edi,edx ; edi=edi+edx 63
00401E48 |. 8A50 06 mov dl,byte ptr ds:[eax+0x6] ; 真7
00401E4B |. 8A40 07 mov al,byte ptr ds:[eax+0x7] ; 真8
00401E4E |. 885424 10 mov byte ptr ss:[esp+0x10],dl
00401E52 |. 8A51 06 mov dl,byte ptr ds:[ecx+0x6] ; 假7
00401E55 |. 8A49 07 mov cl,byte ptr ds:[ecx+0x7] ; 假8
00401E58 |. 8B5C24 10 mov ebx,dword ptr ss:[esp+0x10] ; 真7真8
00401E5C |. 885424 14 mov byte ptr ss:[esp+0x14],dl ; 假7 假8
00401E60 |. 8B5424 14 mov edx,dword ptr ss:[esp+0x14] ; demo.004029E0
00401E64 |. 884C24 14 mov byte ptr ss:[esp+0x14],cl
00401E68 |. 81E2 FF000000 and edx,0xFF ; 31 假7
00401E6E |. 81E3 FF000000 and ebx,0xFF ; 31 真7
00401E74 |. 884424 10 mov byte ptr ss:[esp+0x10],al ; 真8
00401E78 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14] ; demo.004029E0
00401E7C |. 03D3 add edx,ebx ; edx=edx+ebx 62
00401E7E |. 25 FF000000 and eax,0xFF ; 假8 34
00401E83 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+0x10]
00401E87 |. C64424 20 00 mov byte ptr ss:[esp+0x20],0x0
00401E8C |. 81E1 FF000000 and ecx,0xFF ; 30 真8
00401E92 |. 03C1 add eax,ecx ; eax=eax+ecx 64
00401E94 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
00401E98 |. 03D0 add edx,eax ; edx+eax = 0c6
00401E9A |. 03D7 add edx,edi ; 129 edx+eax
00401E9C |. 5F pop edi ; 0012FE50
00401E9D |. 03D6 add edx,esi ; edx=edx+esi 195
00401E9F |. 5E pop esi ; 0012FE50
00401EA0 |. 3BEA cmp ebp,edx ; 对比结果
00401EA2 |. 5D pop ebp ; 0012FE50
00401EA3 |. 5B pop ebx ; 0012FE50
00401EA4 |. 75 2C jnz short demo.00401ED2 ; 爆破第三处
7、注册机算法
简单说
机器码前4位 每一位(和FF进行and运算后)分别和注册码前4位 每一位(和FF进行and运算后)相加,最后的和加起来 A
机器码后4位 每一位(和FF进行and运算后)分别和注册码后4位 每一位(和FF进行and运算后)相加,最后的和加起来 B
判断 A和B是否一致 一致则正确 不一致择错误
换句话说 注册码是8位的。
8、注册机编写
代码很简单
[C++] 纯文本查看 复制代码 .版本 2
.子程序 生成播放码, 文本型
.参数 机器码, 文本型
.局部变量 机器码字节集, 字节集
.局部变量 i, 整数型
.局部变量 注册码字节集, 字节集
机器码字节集 = 到字节集 (机器码)
注册码字节集 = 取空白字节集 (8)
.计次循环首 (8, i)
注册码字节集 [i] = 位与 (机器码字节集 [9 - i], 255)
.计次循环尾 ()
返回 (到文本 (注册码字节集))
9、提取文件 下个 createfile的断点即可 释放到临时目录的
有兴趣的自己去写一个提取的程序即可
某视频逆向分析.zip
(305 Bytes, 下载次数: 57)
百度网盘文件名52发帖算法跟踪.zip
|
免费评分
-
查看全部评分
本帖被以下淘专辑推荐:
- · 学习及教程|主题: 1129, 订阅: 1116
- · 分析示例|主题: 563, 订阅: 97
|
[复制链接]
|
发表于 2018-7-19 09:36
