没有什么太多需要说的,只是把分析时的一些摘录整理到这里而已。
2、用PEiD查壳,无壳
2、直接用OD载入,F9运行起来,然后输入试练码,确认后有弹出提示框
3、在出现提示框后,先不要点“确定”,按F12暂停,然后在堆栈调用窗口里找到对MessageBox的调用位置,跟随进去
4、往上看,很快看到关键的CALL了
5、下面的摘录就是对关键CALL的一些分析(结论:注册码长度须为12~14位,前6位按每2位转成3个数相加,其和必须等于最后2位所表示的数;用户名的MD5只是写入配置,在这段代码里并未参与比较):
; sc.005CA06C — serial check of "1st Security Center Pro" (OllyDbg listing, 32-bit).
; Convention looks like Delphi/Borland register calling: eax = entered serial, edx = user name
; (identification follows the original analyst's labels and how each value is used below).
; Out: Boolean in al (ebx copied to eax at 005CA279): 1 = accepted, 0 = rejected.
;      NOTE(review): sete at 005CA1CF writes only al, so the upper bytes of ebx/eax may still
;      carry bits of num4 — callers must test only the low byte.
; Visible algorithm: Length(serial) must be 12..14; num1/num2/num3 = integers parsed from
;      chars 1-2, 3-4, 5-6; num4 = integer parsed from the last two chars;
;      accept iff num1 + num2 + num3 == num4.
; Security notes (from the visible code only):
;   * The check is a local, secret-free checksum: chars 7..len-2 are never examined and nothing
;     binds the serial to the user name — the MD5-derived value built at 005CA12D..138 is only
;     persisted under "ES" (005CA21B), never compared against the serial.
;   * Accept/reject collapses to the single flag test at 005CA1D4/005CA1D6.
;   * num4 is two characters wide, so only sums <= 99 can ever match (assuming plain decimal parsing).
; Frame: an exception frame is installed at 005CA093..9E (handler stub at 005CA272); a failed
;        parse in 0040AD1C (non-numeric substring, per the analyst) unwinds through it.
005CA06C /$ 55 push ebp ; frame pointer
005CA06D |. 8BEC mov ebp,esp
005CA06F |. B9 08000000 mov ecx,8 ; 8 iterations x 2 pushes = 16 zeroed dwords of locals ([ebp-40]..[ebp-4])
005CA074 |> 6A 00 /push 0
005CA076 |. 6A 00 |push 0
005CA078 |. 49 |dec ecx
005CA079 |.^ 75 F9 \jnz short sc.005CA074 ; zero-initialise the locals (string temporaries released at 005CA257..26C)
005CA07B |. 53 push ebx ; callee-saved; ebx later holds the result flag
005CA07C |. 56 push esi ; callee-saved; esi accumulates num1+num2+num3
005CA07D |. 8955 F8 mov dword ptr ss:[ebp-8],edx ; [ebp-8] = user name (edx)
005CA080 |. 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = entered serial (eax)
005CA083 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CA086 |. E8 B1BAE3FF call sc.00405B3C ; presumably AddRef/Unique of the serial string — confirm
005CA08B |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005CA08E |. E8 A9BAE3FF call sc.00405B3C ; same helper on the user name
005CA093 |. 33C0 xor eax,eax ; eax = 0 -> fs:[0]
005CA095 |. 55 push ebp
005CA096 |. 68 72A25C00 push sc.005CA272 ; handler stub (see 005CA272)
005CA09B |. 64:FF30 push dword ptr fs:[eax] ; save previous handler
005CA09E |. 64:8920 mov dword ptr fs:[eax],esp ; install this frame
005CA0A1 |. 33DB xor ebx,ebx ; result flag = 0; both length rejections below reach 005CA1D4 with this value
005CA0A3 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
005CA0A6 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
005CA0A9 |. E8 A6B6E3FF call sc.00405754 ; [ebp-18] := serial (looks like a string assign: dest in eax, src in edx)
005CA0AE |. B8 AC5D5D00 mov eax,sc.005D5DAC
005CA0B3 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
005CA0B6 |. E8 55B6E3FF call sc.00405710 ; global [5D5DAC] := serial
005CA0BB |. B8 B05D5D00 mov eax,sc.005D5DB0
005CA0C0 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
005CA0C3 |. E8 48B6E3FF call sc.00405710 ; global [5D5DB0] := user name (read back at 005CA111)
005CA0C8 |. 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; edx -> serial copy; the next five instructions compute its length
005CA0CB |. 8BC2 mov eax,edx
005CA0CD |. 85C0 test eax,eax
005CA0CF |. 74 05 je short sc.005CA0D6 ; nil string -> length 0
005CA0D1 |. 83E8 04 sub eax,4 ; length dword sits 4 bytes before the text (Delphi AnsiString layout, presumably)
005CA0D4 |. 8B00 mov eax,dword ptr ds:[eax] ; eax = Length(serial)
005CA0D6 |> 83F8 0B cmp eax,0B ; Length(serial) <= 11 ?
005CA0D9 |. 0F8E F5000000 jle sc.005CA1D4 ; reject: too short (ebx still 0)
005CA0DF |. 8BC2 mov eax,edx ; recompute the length with the same idiom
005CA0E1 |. 85C0 test eax,eax
005CA0E3 |. 74 05 je short sc.005CA0EA
005CA0E5 |. 83E8 04 sub eax,4
005CA0E8 |. 8B00 mov eax,dword ptr ds:[eax]
005CA0EA |> 83F8 0E cmp eax,0E ; Length(serial) > 14 ?
005CA0ED |. 0F8F E1000000 jg sc.005CA1D4 ; reject: too long (ebx still 0); signed compares are fine, lengths are non-negative
005CA0F3 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; accepted length range is 12..14 (0xC..0xE); [ebp-C] receives the first six chars
005CA0F6 |. 50 push eax ; dest for the substring helper
005CA0F7 |. B9 06000000 mov ecx,6 ; count = 6
005CA0FC |. BA 01000000 mov edx,1 ; start index = 1
005CA101 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; source = serial
005CA104 |. E8 ABBAE3FF call sc.00405BB4 ; [ebp-C] := Copy(serial,1,6) — Copy-style helper (eax=src, edx=start, ecx=count, dest pushed), per its four uses here
005CA109 |. 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; dest
005CA10C |. B9 8CA25C00 mov ecx,sc.005CA28C ; ASCII "1st Security Center Pro" — fixed salt/suffix
005CA111 |. 8B15 B05D5D00 mov edx,dword ptr ds:[5D5DB0] ; user name stored at 005CA0C3
005CA117 |. E8 B8B8E3FF call sc.004059D4 ; [ebp-30] := user name concatenated with the literal (operand order not determinable here)
005CA11C |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
005CA11F |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
005CA122 |. E8 39A5FEFF call sc.005B4660 ; [ebp-2C] := f([ebp-30]) — transformation not visible here; confirm
005CA127 |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
005CA12A |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
005CA12D |. E8 BAA4FEFF call sc.005B45EC ; MD5 of the concatenation (per the original analysis) -> [ebp-1C]
005CA132 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
005CA135 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
005CA138 |. E8 B302E4FF call sc.0040A3F0 ; [ebp-10] := string form of the digest; stored under "ES" at 005CA21B, never compared with the serial
005CA13D |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
005CA140 |. E8 77B5E3FF call sc.004056BC ; initialise [ebp-14] (later stored under "DS"); its content is not determinable from this listing
005CA145 |. 8D45 CC lea eax,dword ptr ss:[ebp-34]
005CA148 |. 50 push eax
005CA149 |. B9 02000000 mov ecx,2
005CA14E |. BA 01000000 mov edx,1
005CA153 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CA156 |. E8 59BAE3FF call sc.00405BB4 ; [ebp-34] := Copy(serial,1,2)
005CA15B |. 8B45 CC mov eax,dword ptr ss:[ebp-34] ; chars 1-2
005CA15E |. E8 B90BE4FF call sc.0040AD1C ; num1 := StrToInt-like parse; a non-numeric substring raises (per the analyst) and unwinds via 005CA272
005CA163 |. 8BF0 mov esi,eax ; esi = num1
005CA165 |. 8D45 C8 lea eax,dword ptr ss:[ebp-38]
005CA168 |. 50 push eax
005CA169 |. B9 02000000 mov ecx,2
005CA16E |. BA 03000000 mov edx,3
005CA173 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CA176 |. E8 39BAE3FF call sc.00405BB4 ; [ebp-38] := Copy(serial,3,2)
005CA17B |. 8B45 C8 mov eax,dword ptr ss:[ebp-38] ; chars 3-4
005CA17E |. E8 990BE4FF call sc.0040AD1C ; num2
005CA183 |. 03F0 add esi,eax ; esi = num1 + num2
005CA185 |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
005CA188 |. 50 push eax
005CA189 |. B9 02000000 mov ecx,2
005CA18E |. BA 05000000 mov edx,5
005CA193 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CA196 |. E8 19BAE3FF call sc.00405BB4 ; [ebp-3C] := Copy(serial,5,2)
005CA19B |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C] ; chars 5-6
005CA19E |. E8 790BE4FF call sc.0040AD1C ; num3
005CA1A3 |. 03F0 add esi,eax ; esi = num1 + num2 + num3
005CA1A5 |. 8B5D FC mov ebx,dword ptr ss:[ebp-4] ; ebx := Length(serial), same ptr-4 idiom as above
005CA1A8 |. 85DB test ebx,ebx
005CA1AA |. 74 05 je short sc.005CA1B1 ; nil -> 0
005CA1AC |. 83EB 04 sub ebx,4
005CA1AF |. 8B1B mov ebx,dword ptr ds:[ebx]
005CA1B1 |> 8D45 C0 lea eax,dword ptr ss:[ebp-40]
005CA1B4 |. 50 push eax
005CA1B5 |. 8BD3 mov edx,ebx
005CA1B7 |. 4A dec edx ; start = Length - 1
005CA1B8 |. B9 02000000 mov ecx,2 ; count = 2
005CA1BD |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CA1C0 |. E8 EFB9E3FF call sc.00405BB4 ; [ebp-40] := Copy(serial,Length-1,2)
005CA1C5 |. 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; last two chars
005CA1C8 |. E8 4F0BE4FF call sc.0040AD1C ; num4
005CA1CD |. 3BF0 cmp esi,eax ; num1 + num2 + num3 == num4 ?
005CA1CF |. 0F94C0 sete al ; al = 1 on match; upper bytes of eax still hold num4
005CA1D2 |. 8BD8 mov ebx,eax ; ebx = result flag (only bl is meaningful)
005CA1D4 |> 84DB test bl,bl ; join point: length rejections arrive with ebx = 0, checksum path with bl = 0/1
005CA1D6 |. 74 72 je short sc.005CA24A ; rejected: skip persistence and return 0
005CA1D8 |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA1DD |. 8B00 mov eax,dword ptr ds:[eax] ; this = *[5D657C]; 00493EE0(this, edx=key, ecx=value) looks like a settings/INI writer — confirm
005CA1DF |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C] ; first six chars of the serial
005CA1E2 |. BA ACA25C00 mov edx,sc.005CA2AC ; ASCII "KY"
005CA1E7 |. E8 F49CECFF call sc.00493EE0 ; "KY" := Copy(serial,1,6)
005CA1EC |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA1F1 |. 8B00 mov eax,dword ptr ds:[eax]
005CA1F3 |. 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; full serial
005CA1F6 |. BA B8A25C00 mov edx,sc.005CA2B8 ; ASCII "UK"
005CA1FB |. E8 E09CECFF call sc.00493EE0 ; "UK" := serial
005CA200 |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA205 |. 8B00 mov eax,dword ptr ds:[eax]
005CA207 |. 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; user name
005CA20A |. BA C4A25C00 mov edx,sc.005CA2C4 ; ASCII "UN"
005CA20F |. E8 CC9CECFF call sc.00493EE0 ; "UN" := user name
005CA214 |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA219 |. 8B00 mov eax,dword ptr ds:[eax]
005CA21B |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; MD5-derived string from 005CA138
005CA21E |. BA D0A25C00 mov edx,sc.005CA2D0 ; ASCII "ES"
005CA223 |. E8 B89CECFF call sc.00493EE0 ; "ES" := digest string (only use of the MD5 in this routine)
005CA228 |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA22D |. 8B00 mov eax,dword ptr ds:[eax]
005CA22F |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; value prepared at 005CA140
005CA232 |. BA DCA25C00 mov edx,sc.005CA2DC ; ASCII "DS"
005CA237 |. E8 A49CECFF call sc.00493EE0 ; "DS" := [ebp-14]
005CA23C |. A1 7C655D00 mov eax,dword ptr ds:[5D657C]
005CA241 |. 8B00 mov eax,dword ptr ds:[eax]
005CA243 |. B2 01 mov dl,1
005CA245 |. E8 5697ECFF call sc.004939A0 ; presumably commits/saves the settings object (dl = 1) — confirm
005CA24A |> 33C0 xor eax,eax ; frame teardown: eax = 0 -> fs:[0]
005CA24C |. 5A pop edx ; previous handler saved at 005CA09B
005CA24D |. 59 pop ecx ; discard handler address
005CA24E |. 59 pop ecx ; discard saved ebp
005CA24F |. 64:8910 mov dword ptr fs:[eax],edx ; restore previous handler
005CA252 |. 68 79A25C00 push sc.005CA279 ; continuation for the retn at 005CA271 (normal path)
005CA257 |> 8D45 C0 lea eax,dword ptr ss:[ebp-40] ; finaliser entry (also reached from the handler via 005CA277)
005CA25A |. BA 05000000 mov edx,5 ; edx looks like a count: 5 string temporaries from [ebp-40] — confirm
005CA25F |. E8 7CB4E3FF call sc.004056E0 ; release them
005CA264 |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
005CA267 |. BA 07000000 mov edx,7 ; 7 temporaries from [ebp-1C]
005CA26C |. E8 6FB4E3FF call sc.004056E0
005CA271 \. C3 retn ; jumps to the address pushed at 005CA252 (005CA279) on the normal path
005CA272 .^ E9 F9ABE3FF jmp sc.00404E70 ; exception-handler stub referenced by the frame record at 005CA096
005CA277 .^ EB DE jmp short sc.005CA257 ; re-enter the finaliser after the handler
005CA279 . 8BC3 mov eax,ebx ; return value: the flag in bl (upper bytes may be stale, see header)
005CA27B . 5E pop esi
005CA27C . 5B pop ebx
005CA27D . 8BE5 mov esp,ebp
005CA27F . 5D pop ebp
005CA280 . C3 retn