Author: fcrjzmd
Checked it with PEiD... it just shows "Nothing found *". Figured it must be packed; never mind that, load it into OD.
004B4F2E >  9C             PUSHFD                         ; packer entry point
004B4F2F    60             PUSHAD
004B4F30    E8 00000000    CALL UcopyKin.004B4F35         ; use the ESP trick!
The ESP value is 0012FFA0; in the command window type hr 0012FFA0, then F9 to run,
004B519D    C2 0C00        RETN 0C
004B51A0    61             POPAD
004B51A1    9D             POPFD                          ; breaks here
004B51A2  - E9 1508FDFF    JMP UcopyKin.004859BC          ; and off to the OEP we go; what a big leap!
===================================================================================
After unpacking, check again: written in Borland Delphi 6.0-7.0. Check once more and the algorithm is MD5, ugh!!! (I don't understand the MD5 algorithm.) Next step is to find the algorithm!!
00481514    55             PUSH EBP                       ; set a breakpoint here, F12
00481515    8BEC           MOV EBP,ESP
00481517    6A 00          PUSH 0
00481519    6A 00          PUSH 0
0048151B    6A 00          PUSH 0
0048151D    53             PUSH EBX
0048151E    56             PUSH ESI
0048151F    8BD8           MOV EBX,EAX
00481521    33C0           XOR EAX,EAX
00481523    55             PUSH EBP
00481524    68 59164800    PUSH UcopyKin.00481659
00481529    64:FF30        PUSH DWORD PTR FS:[EAX]
0048152C    64:8920        MOV DWORD PTR FS:[EAX],ESP
0048152F    8BC3           MOV EAX,EBX
00481531    E8 5AFBFFFF    CALL UcopyKin.00481090         ; ★★★ key CALL, step into it!! ★★★
00481536    84C0           TEST AL,AL
00481538    0F84 DF000000  JE UcopyKin.0048161D           ; key jump! patch point..
0048153E    6A 40          PUSH 40
00481540    68 68164800    PUSH UcopyKin.00481668         ; "Registration successful!"
00481545    68 74164800    PUSH UcopyKin.00481674         ; "Thank you for registering!"
======================================================================
Step into 00481090
00481090    55             PUSH EBP
00481091    8BEC           MOV EBP,ESP
00481093    B9 06000000    MOV ECX,6
00481098    6A 00          PUSH 0
0048109A    6A 00          PUSH 0
0048109C    49             DEC ECX
0048109D  ^ 75 F9          JNZ SHORT UcopyKin.00481098
0048109F    53             PUSH EBX
004810A0    8BD8           MOV EBX,EAX
004810A2    33C0           XOR EAX,EAX
004810A4    55             PUSH EBP
004810A5    68 94114800    PUSH UcopyKin.00481194
004810AA    64:FF30        PUSH DWORD PTR FS:[EAX]
004810AD    64:8920        MOV DWORD PTR FS:[EAX],ESP
004810B0    8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
004810B3    8B83 40030000  MOV EAX,DWORD PTR DS:[EBX+340]
004810B9    E8 5AA3FBFF    CALL UcopyKin.0043B418         ; get the user name; its length goes into EAX
004810BE    8B55 F0        MOV EDX,DWORD PTR SS:[EBP-10]  ; EDX = user name, fcrjzmd
004810C1    8D4D F4        LEA ECX,DWORD PTR SS:[EBP-C]
004810C4    8BC3           MOV EAX,EBX
004810C6    E8 F5020000    CALL UcopyKin.004813C0         ; ★ user-name computation (the user name yields 139266)
004810CB    8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]   ; EAX = 139266
004810CE    50             PUSH EAX                       ; push 139266
004810CF    8D55 E4        LEA EDX,DWORD PTR SS:[EBP-1C]
004810D2    8B83 30030000  MOV EAX,DWORD PTR DS:[EBX+330]
004810D8    E8 3BA3FBFF    CALL UcopyKin.0043B418         ; get the machine code; its length goes into EAX
004810DD    8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]  ; EDX = 587-207-186
004810E0    8D4D E8        LEA ECX,DWORD PTR SS:[EBP-18]
004810E3    8BC3           MOV EAX,EBX
004810E5    E8 76030000    CALL UcopyKin.00481460         ; join the machine code into 587207186
004810EA    8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]  ; EDX = 587207186
004810ED    8D4D EC        LEA ECX,DWORD PTR SS:[EBP-14]
004810F0    8BC3           MOV EAX,EBX
004810F2    E8 C9020000    CALL UcopyKin.004813C0         ; ★ machine-code computation (yields 1152625)
004810F7    8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]  ; EDX = 1152625
004810FA    8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
004810FD    59             POP ECX                        ; pop the user-name result, 139266
004810FE    E8 4D34F8FF    CALL UcopyKin.00404550         ; join the machine-code result (1152625) and the user-name result (139266)
00481103    8D55 D4        LEA EDX,DWORD PTR SS:[EBP-2C]
00481106    8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]   ; EAX = 1152625139266 (machine-code and user-name values joined)
00481109    E8 82FBFFFF    CALL UcopyKin.00480C90         ; ★★★ MD5 algorithm CALL
0048110E    8D45 D4        LEA EAX,DWORD PTR SS:[EBP-2C]
00481111    8D55 F8        LEA EDX,DWORD PTR SS:[EBP-8]
00481114    E8 EBFBFFFF    CALL UcopyKin.00480D04         ; ★★★ core algorithm!
00481119    8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]
0048111C    8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]   ; EDX = 80776f60d672ba41acb6188034e680ac
0048111F    8BC3           MOV EAX,EBX
00481121    E8 7E000000    CALL UcopyKin.004811A4
00481126    8D55 D0        LEA EDX,DWORD PTR SS:[EBP-30]
00481129    8B83 44030000  MOV EAX,DWORD PTR DS:[EBX+344]
0048112F    E8 E4A2FBFF    CALL UcopyKin.0043B418         ; get the entered (fake) code; its length goes into EAX
00481134    8B55 D0        MOV EDX,DWORD PTR SS:[EBP-30]  ; EDX = entered code
00481137    8D4D F8        LEA ECX,DWORD PTR SS:[EBP-8]
0048113A    8BC3           MOV EAX,EBX
0048113C    E8 1F030000    CALL UcopyKin.00481460         ; ★★★ core algorithm! the real code appears!!
00481141    8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]   ; EAX = 8Y776P6YN672LK41KML6188Y34H68YKM
00481144    8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]
00481147    E8 0435F8FF    CALL UcopyKin.00404650         ; real code vs. entered code comparison CALL
0048114C    75 04          JNZ SHORT UcopyKin.00481152    ; not equal: fail; equal: success!! ※ best patch point, NOP it
0048114E    B3 01          MOV BL,1                       ; BL = 1 is the "registration code verified" flag!!
00481150    EB 02          JMP SHORT UcopyKin.00481154
00481152    33DB           XOR EBX,EBX
00481154    33C0           XOR EAX,EAX
00481156    5A             POP EDX
00481157    59             POP ECX
00481158    59             POP ECX
00481159    64:8910        MOV DWORD PTR FS:[EAX],EDX
0048115C    68 9B114800    PUSH UcopyKin.0048119B
00481161    8D45 D0        LEA EAX,DWORD PTR SS:[EBP-30]
00481164    E8 DB30F8FF    CALL UcopyKin.00404244
00481169    8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
0048116C    E8 D330F8FF    CALL UcopyKin.00404244
00481171    8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
00481174    BA 02000000    MOV EDX,2
00481179    E8 EA30F8FF    CALL UcopyKin.00404268
0048117E    8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
00481181    E8 BE30F8FF    CALL UcopyKin.00404244
00481186    8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
00481189    BA 03000000    MOV EDX,3
0048118E    E8 D530F8FF    CALL UcopyKin.00404268
00481193    C3             RETN
00481194  ^ E9 132AF8FF    JMP UcopyKin.00403BAC
00481199  ^ EB C6          JMP SHORT UcopyKin.00481161
0048119B    8BC3           MOV EAX,EBX
0048119D    5B             POP EBX
0048119E    8BE5           MOV ESP,EBP
004811A0    5D             POP EBP
004811A1    C3             RETN
The user-name algorithm and the machine-code algorithm are the same: take the ASCII code of each character in turn, multiply by 4 and add the next ASCII code, multiply the accumulated value by 4 again, and keep looping until all the characters have been consumed.
The resulting value is then divided by 0xA and the remainder added to 0x30, looping until it is used up (i.e. the number is written out as a decimal string); the values computed separately for the user name and the machine code are then joined (I got 1152625139266).
Next comes the MD5 algorithm, which I don't understand; for a newbie like me it's too hard. These are my preliminary analysis notes; I'll analyse it further once I've figured out MD5 (in N years, maybe).
Let's also look at the registry. After a successful registration the registry looks like this:
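The one stage the listing does pin down exactly is the last one: the MD5 hex string seen at 0048111C and the real code seen at 00481141 are both 32 characters, and lining them up shows a fixed per-character substitution with no secret behind it. The following is an added example, not code from the original post or from UcopyKin; it recovers that substitution table from the two strings quoted in the listing above and checks that it is consistent.

```python
# Added example (not from the original post): recover the per-character
# substitution that turns the MD5 hex digest into the registration key,
# using the two strings the debugger showed at 0048111C and 00481141.

# Values taken from the listing above (EDX at 0048111C, EAX at 00481141).
MD5_HEX = "80776f60d672ba41acb6188034e680ac"
REAL_KEY = "8Y776P6YN672LK41KML6188Y34H68YKM"


def infer_substitution(src: str, dst: str) -> dict:
    """Align src and dst character by character and build the mapping.

    Raises ValueError if the lengths differ or if one source character
    would have to map to two different outputs, i.e. if the transform is
    not a simple per-character substitution.
    """
    if len(src) != len(dst):
        raise ValueError("not a 1:1 substitution: lengths differ")
    table = {}
    for s, d in zip(src, dst):
        # setdefault returns the existing entry if s was already seen
        if table.setdefault(s, d) != d:
            raise ValueError(f"inconsistent mapping for {s!r}: {table[s]!r} vs {d!r}")
    return table


def apply_substitution(table: dict, text: str) -> str:
    """Apply the recovered table; characters not seen in the sample are kept."""
    return "".join(table.get(ch, ch) for ch in text)


def recovered_table() -> dict:
    """The table recovered from the pair quoted in the listing."""
    return infer_substitution(MD5_HEX, REAL_KEY)


if __name__ == "__main__":
    table = recovered_table()
    # Hex digits 5 and 9 never occur in this digest, so they stay unknown.
    for hex_digit in "0123456789abcdef":
        print(hex_digit, "->", table.get(hex_digit, "(not observed)"))
    assert apply_substitution(table, MD5_HEX) == REAL_KEY
```

Digits 1 to 9 map to themselves in the sample, while 0 and a to f are replaced by letters; 5 and 9 do not occur in this digest, so the table stays incomplete for them.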
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SetUCK]
"UsrName"="fcrjzmd"
"Passwd"="8Y776P6YN672LK41KML6188Y34H68YKM"
Delete it and the program reverts to a 10-day trial!