[转载]优盘自动复制王4.0_简单分析手稿
<P>文章作者:<FONT color=#666686>fcrjzmd</FONT></P><P><FONT face=宋体>用PEID查哦。。显示Nothingfound*这些字样。在想肯定加有壳不管那么多了OD载入<BR><BR>004B4F2E>9CPUSHFD;壳的入口<BR>004B4F2F60PUSHAD<BR>004B4F30E800000000CALLUcopyKin.004B4F35;用ESP定律吧!<BR><BR>看ESP值为0012FFA0,在命令窗口下hr0012FFA0F9运行,<BR><BR>004B519DC20C00RETN0C<BR>004B51A061POPAD<BR>004B51A19DPOPFD;断在这里<BR>004B51A2-E91508FDFFJMPUcopyKin.004859BC;这就是奔向小康了,这段跨越好大哦!<BR><BR>===================================================================================<BR><BR>脱完壳再查一下BorlandDelphi6.0-7.0语言写的,再查一下算法是MD5的晕哦!!!(不懂MD5算法)接下来就是找算法了!!<BR><BR><BR>0048151455PUSHEBP;下断F12<BR>004815158BECMOVEBP,ESP<BR>004815176A00PUSH0<BR>004815196A00PUSH0<BR>0048151B6A00PUSH0<BR>0048151D53PUSHEBX<BR>0048151E56PUSHESI<BR>0048151F8BD8MOVEBX,EAX<BR>0048152133C0XOREAX,EAX<BR>0048152355PUSHEBP<BR>004815246859164800PUSHUcopyKin.00481659<BR>0048152964:FF30PUSHDWORDPTRFS:[EAX]<BR>0048152C64:8920MOVDWORDPTRFS:[EAX],ESP<BR>0048152F8BC3MOVEAX,EBX<BR>00481531E85AFBFFFFCALLUcopyKin.00481090;★★★关键CALL跟进!!★★★<BR>0048153684C0TESTAL,AL<BR>004815380F84DF000000JEUcopyKin.0048161D;关键跳转!爆破处。。<BR>0048153E6A40PUSH40<BR>004815406868164800PUSHUcopyKin.00481668;注册成功!<BR>004815456874164800PUSHUcopyKin.00481674;谢谢你的注册!<BR><BR>======================================================================<BR>跟进00481090<BR><BR><BR>0048109055PUSHEBP<BR>004810918BECMOVEBP,ESP<BR>00481093B906000000MOVECX,6<BR>004810986A00PUSH0<BR>0048109A6A00PUSH0<BR>0048109C49DECECX<BR>0048109D^75F9JNZSHORTUcopyKin.00481098<BR>0048109F53PUSHEBX<BR>004810A08BD8MOVEBX,EAX<BR>004810A233C0XOREAX,EAX<BR>004810A455PUSHEBP<BR>004810A56894114800PUSHUcopyKin.00481194<BR>004810AA64:FF30PUSHDWORDPTRFS:[EAX]<BR>004810AD64:8920MOVDWORDPTRFS:[EAX],ESP<BR>004810B08D55F0LEAEDX,DWORDPTRSS:[EBP-10]<BR>004810B38B8340030000MOVEAX,DWORDPTRDS:[EBX+340]<BR>004810B9E85AA3FBFFCALLUcopyKin.0043B418;获取用户名,长度送入EAX<BR>004810BE8B55F0MOVEDX,DWORDPTRSS:[EBP-10];EDX=用户名,fcrjzmd<BR>004810C18D4DF4LEAECX,DWORDPTRSS:[EBP-C]<BR>004810C48BC3MOVEAX,EBX<BR>004810C6E8F5020000CALLUcopyKin.004813C0;★用户名运算(计算用户名得到值139266)<BR>004810CB8B45F4MOVEAX,DWORDPTRSS:[EBP-C];EAX=139266<BR>004810CE50PUSHEAX;压入139266<BR>004810CF8D55E4LEAEDX,DWORDPTRSS:[EBP-1C]<BR>004810D28B8330030000MOVEAX,DWORDPTRDS:[EBX+330]<BR>004810D8E83BA3FBFFCALLUcopyKin.0043B418;获取用机器码,长度送入EAX<BR>004810DD8B55E4MOVEDX,DWORDPTRSS:[EBP-1C];EDX=587-207-186<BR>004810E08D4DE8LEAECX,DWORDPTRSS:[EBP-18]<BR>004810E38BC3MOVEAX,EBX<BR>004810E5E876030000CALLUcopyKin.00481460;将机器码合并587207186<BR>004810EA8B55E8MOVEDX,DWORDPTRSS:[EBP-18];EDX=587207186<BR>004810ED8D4DECLEAECX,DWORDPTRSS:[EBP-14]<BR>004810F08BC3MOVEAX,EBX<BR>004810F2E8C9020000CALLUcopyKin.004813C0;★机器码运算(得出1152625)<BR>004810F78B55ECMOVEDX,DWORDPTRSS:[EBP-14];EDX=1152625<BR>004810FA8D45FCLEAEAX,DWORDPTRSS:[EBP-4]<BR>004810FD59POPECX;弹出用户名运算得出139266<BR>004810FEE84D34F8FFCALLUcopyKin.00404550;将机器码运算的值(1152625)和用户名运算的值(139266)合并<BR>004811038D55D4LEAEDX,DWORDPTRSS:[EBP-2C]<BR>004811068B45FCMOVEAX,DWORDPTRSS:[EBP-4];EAX=1152625139266(机器码和用户值的合并)<BR>00481109E882FBFFFFCALLUcopyKin.00480C90;★★★MD5算法CALL<BR>0048110E8D45D4LEAEAX,DWORDPTRSS:[EBP-2C]<BR>004811118D55F8LEAEDX,DWORDPTRSS:[EBP-8]<BR>00481114E8EBFBFFFFCALLUcopyKin.00480D04;★★★核心算法!<BR>004811198D4DFCLEAECX,DWORDPTRSS:[EBP-4]<BR>0048111C8B55F8MOVEDX,DWORDPTRSS:[EBP-8];EDX=80776f60d672ba41acb6188034e680ac<BR>0048111F8BC3MOVEAX,EBX<BR>00481121E87E000000CALLUcopyKin.004811A4<BR>004811268D55D0LEAEDX,DWORDPTRSS:[EBP-30]<BR>004811298B8344030000MOVEAX,DWORDPTRDS:[EBX+344]<BR>0048112FE8E4A2FBFFCALLUcopyKin.0043B418;获取假码,长度送入EAX<BR>004811348B55D0MOVEDX,DWORDPTRSS:[EBP-30];EDX=假码<BR>004811378D4DF8LEAECX,DWORDPTRSS:[EBP-8]<BR>0048113A8BC3MOVEAX,EBX<BR>0048113CE81F030000CALLUcopyKin.00481460;★★★核心算法!真码出现!!<BR>004811418B45FCMOVEAX,DWORDPTRSS:[EBP-4];EAX=8Y776P6YN672LK41KML6188Y34H68YKM<BR>004811448B55F8MOVEDX,DWORDPTRSS:[EBP-8]<BR>00481147E80435F8FFCALLUcopyKin.00404650;真假码对比CALL<BR>0048114C7504JNZSHORTUcopyKin.00481152;不相等则失败,反之相等则成功!!※爆破最佳位置NOP<BR>0048114EB301MOVBL,1;将1送入BL是注册码检证成功标志!!<BR>00481150EB02JMPSHORTUcopyKin.00481154<BR>0048115233DBXOREBX,EBX<BR>0048115433C0XOREAX,EAX<BR>004811565APOPEDX<BR>0048115759POPECX<BR>0048115859POPECX<BR>0048115964:8910MOVDWORDPTRFS:[EAX],EDX<BR>0048115C689B114800PUSHUcopyKin.0048119B<BR>004811618D45D0LEAEAX,DWORDPTRSS:[EBP-30]<BR>00481164E8DB30F8FFCALLUcopyKin.00404244<BR>004811698D45E4LEAEAX,DWORDPTRSS:[EBP-1C]<BR>0048116CE8D330F8FFCALLUcopyKin.00404244<BR>004811718D45E8LEAEAX,DWORDPTRSS:[EBP-18]<BR>00481174BA02000000MOVEDX,2<BR>00481179E8EA30F8FFCALLUcopyKin.00404268<BR>0048117E8D45F0LEAEAX,DWORDPTRSS:[EBP-10]<BR>00481181E8BE30F8FFCALLUcopyKin.00404244<BR>004811868D45F4LEAEAX,DWORDPTRSS:[EBP-C]<BR>00481189BA03000000MOVEDX,3<BR>0048118EE8D530F8FFCALLUcopyKin.00404268<BR>00481193C3RETN<BR>00481194^E9132AF8FFJMPUcopyKin.00403BAC<BR>00481199^EBC6JMPSHORTUcopyKin.00481161<BR>0048119B8BC3MOVEAX,EBX<BR>0048119D5BPOPEBX<BR>0048119E8BE5MOVESP,EBP<BR>004811A05DPOPEBP<BR>004811A1C3RETN<BR><BR><BR><BR>用户名的算法和机器码算法都一样的逐个取出ASCII码,乘4再和下ASCII码累加,累加的值再乘4,一直循环计算直至到取完,<BR><BR>取完得出的值除以A,余数和30相加,一直循环计算直至到取完,用户名和机器分计算得出的值合并(我得出值1152625139266)<BR><BR>接下来就是MD5算法了,这个MD5我是不懂看了对于我这个菜鸟难度太高了。这个是我初步分析的手稿以后搞懂MD5再分析吧。(N年吧)<BR><BR>再看一下注册表信息吧,注册成功后的注册表如下:<BR><BR>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SetUCK]<BR><BR>"UsrName"="fcrjzmd"<BR><BR>"Passwd"="8Y776P6YN672LK41KML6188Y34H68YKM"<BR><BR>删掉就变成10天试用版了!</FONT><BR></P>
页:
[1]