1st Security Center Pro 7.5.2.3的算法分析

没有什么太多需要说的,只是把分析时的一些摘录整理到这里而已。
1、用PEiD查壳,无壳
2、直接用OD载入,F9运行起来,然后输入试炼码,点确认后会弹出提示框
3、在出现提示框后,先不要点确定,F12暂停,然后在调用堆栈窗口,找到对MessageBox的调用位置,跟随进去
4、往上看,很快看到关键的CALL了
5、下面的摘录就是对关键CALL的一些分析:


;-----------------------------------------------------------------------
; Registration-code check, sc.005CA06C .. sc.005CA280 (OllyDbg listing)
; Calling convention: register-based (eax/edx/ecx, Delphi style) —
;   inferred from the entry sequence and the runtime-style helper calls;
;   confirm against the caller.
; In:   eax = entered code -> [ebp-4]   (see comment at 005CA1F3)
;       edx = user name    -> [ebp-8]   (see comment at 005CA207)
; Out:  eax = ebx = 1 if the code passed, else 0 (sete al at 005CA1CF,
;       mov eax,ebx at 005CA279). ebx is zeroed at 005CA0A1, so every
;       early exit from the length checks reports failure.
; Design note: within this routine the accept/reject decision depends
;   only on an arithmetic relation between digit groups of the code
;   itself (005CA1CD). The MD5 over "1st Security Center Pro"+name is
;   computed (005CA12D) and stored under key "ES" (005CA223) but never
;   compared here, so the check does not bind the code to the user name.
; Frame: an SEH frame is installed via fs:[0] at 005CA095..005CA09E and
;   unlinked at 005CA24A..005CA24F; the exception path is 005CA272, the
;   normal path runs the cleanup block at 005CA257 and returns via
;   005CA279 (try/finally-style layout).
;-----------------------------------------------------------------------
005CA06C    /$  55                   push ebp
005CA06D    |.  8BEC                 mov ebp,esp
005CA06F    |.  B9 08000000          mov ecx,8                                         ;  8 iterations x 2 pushes = 16 zeroed dwords of locals (down to [ebp-40])
005CA074    |>  6A 00                /push 0
005CA076    |.  6A 00                |push 0
005CA078    |.  49                   |dec ecx
005CA079    |.^ 75 F9                \jnz short sc.005CA074
005CA07B    |.  53                   push ebx                                          ;  callee-saved; ebx doubles as the result flag below
005CA07C    |.  56                   push esi                                          ;  callee-saved; esi accumulates the digit-group sum
005CA07D    |.  8955 F8              mov dword ptr ss:[ebp-8],edx                      ;  [ebp-8] = user name (see 005CA207)
005CA080    |.  8945 FC              mov dword ptr ss:[ebp-4],eax                      ;  [ebp-4] = entered code (see 005CA1F3)
005CA083    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]
005CA086    |.  E8 B1BAE3FF          call sc.00405B3C                                  ;  runtime helper applied to each string argument (unverified; looks like a string addref)
005CA08B    |.  8B45 F8              mov eax,dword ptr ss:[ebp-8]
005CA08E    |.  E8 A9BAE3FF          call sc.00405B3C
005CA093    |.  33C0                 xor eax,eax
005CA095    |.  55                   push ebp                                          ;  install an SEH frame: fs:[0] is the handler chain head
005CA096    |.  68 72A25C00          push sc.005CA272                                  ;  handler / exception path (see 005CA272)
005CA09B    |.  64:FF30              push dword ptr fs:[eax]
005CA09E    |.  64:8920              mov dword ptr fs:[eax],esp
005CA0A1    |.  33DB                 xor ebx,ebx                                       ;  ebx = result flag; 0 = reject until the final compare sets it
005CA0A3    |.  8D45 E8              lea eax,dword ptr ss:[ebp-18]
005CA0A6    |.  8B55 FC              mov edx,dword ptr ss:[ebp-4]
005CA0A9    |.  E8 A6B6E3FF          call sc.00405754                                  ;  [ebp-18] := code (helper unverified; presumably a string assign)
005CA0AE    |.  B8 AC5D5D00          mov eax,sc.005D5DAC
005CA0B3    |.  8B55 FC              mov edx,dword ptr ss:[ebp-4]
005CA0B6    |.  E8 55B6E3FF          call sc.00405710                                  ;  global sc.005D5DAC := code (helper unverified)
005CA0BB    |.  B8 B05D5D00          mov eax,sc.005D5DB0
005CA0C0    |.  8B55 F8              mov edx,dword ptr ss:[ebp-8]
005CA0C3    |.  E8 48B6E3FF          call sc.00405710                                  ;  global sc.005D5DB0 := user name (re-read at 005CA111)
005CA0C8    |.  8B55 E8              mov edx,dword ptr ss:[ebp-18]                     ;  edx = code string; its length is read just below
005CA0CB    |.  8BC2                 mov eax,edx
005CA0CD    |.  85C0                 test eax,eax
005CA0CF    |.  74 05                je short sc.005CA0D6                              ;  nil string -> treat length as 0
005CA0D1    |.  83E8 04              sub eax,4
005CA0D4    |.  8B00                 mov eax,dword ptr ds:[eax]                        ;  length dword sits 4 bytes before the string data (matches Delphi long-string layout)
005CA0D6    |>  83F8 0B              cmp eax,0B                                        ;  compare code length with 0xB
005CA0D9    |.  0F8E F5000000        jle sc.005CA1D4                                   ;  length <= 0xB: go to the result test with ebx still 0 -> reject
005CA0DF    |.  8BC2                 mov eax,edx
005CA0E1    |.  85C0                 test eax,eax
005CA0E3    |.  74 05                je short sc.005CA0EA
005CA0E5    |.  83E8 04              sub eax,4
005CA0E8    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA0EA    |>  83F8 0E              cmp eax,0E                                        ;  compare code length with 0xE
005CA0ED    |.  0F8F E1000000        jg sc.005CA1D4                                    ;  length > 0xE: reject
005CA0F3    |.  8D45 F4              lea eax,dword ptr ss:[ebp-C]                      ;  so the accepted length range is 0xC..0xE
005CA0F6    |.  50                   push eax
005CA0F7    |.  B9 06000000          mov ecx,6                                         ;  count = 6
005CA0FC    |.  BA 01000000          mov edx,1                                         ;  start = 1
005CA101    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]
005CA104    |.  E8 ABBAE3FF          call sc.00405BB4                                  ;  [ebp-C] := substring(code, 1, 6); helper takes eax=src, edx=start, ecx=count, [esp]=dst
005CA109    |.  8D45 D0              lea eax,dword ptr ss:[ebp-30]
005CA10C    |.  B9 8CA25C00          mov ecx,sc.005CA28C                               ;  ASCII "1st Security Center Pro"
005CA111    |.  8B15 B05D5D00        mov edx,dword ptr ds:[5D5DB0]
005CA117    |.  E8 B8B8E3FF          call sc.004059D4                                  ;  [ebp-30] := the string above concatenated with the user name
005CA11C    |.  8B45 D0              mov eax,dword ptr ss:[ebp-30]
005CA11F    |.  8D55 D4              lea edx,dword ptr ss:[ebp-2C]
005CA122    |.  E8 39A5FEFF          call sc.005B4660                                  ;  helper unverified; presumably prepares the hash input in [ebp-2C]
005CA127    |.  8D45 D4              lea eax,dword ptr ss:[ebp-2C]
005CA12A    |.  8D55 E4              lea edx,dword ptr ss:[ebp-1C]
005CA12D    |.  E8 BAA4FEFF          call sc.005B45EC                                  ;  MD5 hash (as identified by the author) -> [ebp-1C]
005CA132    |.  8B45 E4              mov eax,dword ptr ss:[ebp-1C]
005CA135    |.  8D55 F0              lea edx,dword ptr ss:[ebp-10]
005CA138    |.  E8 B302E4FF          call sc.0040A3F0                                  ;  [ebp-10] := digest as string (helper unverified; the author labels [ebp-10] the MD5 value)
005CA13D    |.  8D45 EC              lea eax,dword ptr ss:[ebp-14]
005CA140    |.  E8 77B5E3FF          call sc.004056BC                                  ;  helper unverified; [ebp-14] is stored under key "DS" below
005CA145    |.  8D45 CC              lea eax,dword ptr ss:[ebp-34]
005CA148    |.  50                   push eax
005CA149    |.  B9 02000000          mov ecx,2
005CA14E    |.  BA 01000000          mov edx,1
005CA153    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]
005CA156    |.  E8 59BAE3FF          call sc.00405BB4                                  ;  [ebp-34] := first 2 chars of the code
005CA15B    |.  8B45 CC              mov eax,dword ptr ss:[ebp-34]                     ;  -> num1
005CA15E    |.  E8 B90BE4FF          call sc.0040AD1C                                  ;  string -> integer; non-numeric input raises an exception (author's observation)
005CA163    |.  8BF0                 mov esi,eax                                       ;  esi = num1 (running sum)
005CA165    |.  8D45 C8              lea eax,dword ptr ss:[ebp-38]
005CA168    |.  50                   push eax
005CA169    |.  B9 02000000          mov ecx,2
005CA16E    |.  BA 03000000          mov edx,3
005CA173    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]
005CA176    |.  E8 39BAE3FF          call sc.00405BB4                                  ;  chars 3-4
005CA17B    |.  8B45 C8              mov eax,dword ptr ss:[ebp-38]                     ;  -> num2
005CA17E    |.  E8 990BE4FF          call sc.0040AD1C
005CA183    |.  03F0                 add esi,eax                                       ;  esi += num2
005CA185    |.  8D45 C4              lea eax,dword ptr ss:[ebp-3C]
005CA188    |.  50                   push eax
005CA189    |.  B9 02000000          mov ecx,2
005CA18E    |.  BA 05000000          mov edx,5
005CA193    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]                      ;  chars 5-6
005CA196    |.  E8 19BAE3FF          call sc.00405BB4                                  ;  -> num3
005CA19B    |.  8B45 C4              mov eax,dword ptr ss:[ebp-3C]
005CA19E    |.  E8 790BE4FF          call sc.0040AD1C
005CA1A3    |.  03F0                 add esi,eax                                       ;  esi = num1 + num2 + num3
005CA1A5    |.  8B5D FC              mov ebx,dword ptr ss:[ebp-4]
005CA1A8    |.  85DB                 test ebx,ebx                                      ;  ebx := length(code), same nil-check / [-4] idiom as above
005CA1AA    |.  74 05                je short sc.005CA1B1
005CA1AC    |.  83EB 04              sub ebx,4
005CA1AF    |.  8B1B                 mov ebx,dword ptr ds:[ebx]
005CA1B1    |>  8D45 C0              lea eax,dword ptr ss:[ebp-40]
005CA1B4    |.  50                   push eax
005CA1B5    |.  8BD3                 mov edx,ebx
005CA1B7    |.  4A                   dec edx                                           ;  start = length - 1
005CA1B8    |.  B9 02000000          mov ecx,2
005CA1BD    |.  8B45 FC              mov eax,dword ptr ss:[ebp-4]
005CA1C0    |.  E8 EFB9E3FF          call sc.00405BB4
005CA1C5    |.  8B45 C0              mov eax,dword ptr ss:[ebp-40]                     ;  last 2 chars of the code
005CA1C8    |.  E8 4F0BE4FF          call sc.0040AD1C                                  ;  -> num4
005CA1CD    |.  3BF0                 cmp esi,eax                                       ;  the only acceptance test in this routine: num1+num2+num3 == num4
005CA1CF    |.  0F94C0               sete al
005CA1D2    |.  8BD8                 mov ebx,eax                                       ;  ebx = result flag (also the return value, see 005CA279)
005CA1D4    |>  84DB                 test bl,bl                                        ;  also reached directly from the length checks with ebx = 0
005CA1D6    |.  74 72                je short sc.005CA24A                              ;  rejected: skip the store block below
005CA1D8    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]                     ;  accepted: five calls with eax = object at [[5D657C]], edx = key, ecx = value; helper 00493EE0 presumably persists the pair (unverified)
005CA1DD    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA1DF    |.  8B4D F4              mov ecx,dword ptr ss:[ebp-C]                      ;  value: first 6 chars of the code
005CA1E2    |.  BA ACA25C00          mov edx,sc.005CA2AC                               ;  ASCII "KY"
005CA1E7    |.  E8 F49CECFF          call sc.00493EE0
005CA1EC    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]
005CA1F1    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA1F3    |.  8B4D FC              mov ecx,dword ptr ss:[ebp-4]                      ;  value: the entered code
005CA1F6    |.  BA B8A25C00          mov edx,sc.005CA2B8                               ;  ASCII "UK"
005CA1FB    |.  E8 E09CECFF          call sc.00493EE0
005CA200    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]
005CA205    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA207    |.  8B4D F8              mov ecx,dword ptr ss:[ebp-8]                      ;  value: user name
005CA20A    |.  BA C4A25C00          mov edx,sc.005CA2C4                               ;  ASCII "UN"
005CA20F    |.  E8 CC9CECFF          call sc.00493EE0
005CA214    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]
005CA219    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA21B    |.  8B4D F0              mov ecx,dword ptr ss:[ebp-10]                     ;  value: MD5 value (stored only; not compared anywhere in this routine)
005CA21E    |.  BA D0A25C00          mov edx,sc.005CA2D0                               ;  ASCII "ES"
005CA223    |.  E8 B89CECFF          call sc.00493EE0
005CA228    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]
005CA22D    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA22F    |.  8B4D EC              mov ecx,dword ptr ss:[ebp-14]                     ;  value: [ebp-14] produced at 005CA13D
005CA232    |.  BA DCA25C00          mov edx,sc.005CA2DC                               ;  ASCII "DS"
005CA237    |.  E8 A49CECFF          call sc.00493EE0
005CA23C    |.  A1 7C655D00          mov eax,dword ptr ds:[5D657C]
005CA241    |.  8B00                 mov eax,dword ptr ds:[eax]
005CA243    |.  B2 01                mov dl,1
005CA245    |.  E8 5697ECFF          call sc.004939A0                                  ;  helper unverified (boolean-looking argument in dl)
005CA24A    |>  33C0                 xor eax,eax                                       ;  common exit: unlink the SEH frame installed at 005CA095
005CA24C    |.  5A                   pop edx
005CA24D    |.  59                   pop ecx
005CA24E    |.  59                   pop ecx
005CA24F    |.  64:8910              mov dword ptr fs:[eax],edx
005CA252    |.  68 79A25C00          push sc.005CA279                                  ;  continuation for the retn at 005CA271 (try/finally-style cleanup block follows)
005CA257    |>  8D45 C0              lea eax,dword ptr ss:[ebp-40]
005CA25A    |.  BA 05000000          mov edx,5                                         ;  release 5 string locals starting at [ebp-40] (helper unverified)
005CA25F    |.  E8 7CB4E3FF          call sc.004056E0
005CA264    |.  8D45 E4              lea eax,dword ptr ss:[ebp-1C]
005CA267    |.  BA 07000000          mov edx,7                                         ;  release 7 string locals starting at [ebp-1C]
005CA26C    |.  E8 6FB4E3FF          call sc.004056E0
005CA271    \.  C3                   retn                                              ;  transfers to the pushed continuation; 005CA279 on the normal path
005CA272     .^ E9 F9ABE3FF          jmp sc.00404E70                                   ;  exception path (handler pushed at 005CA096); runtime target unverified
005CA277     .^ EB DE                jmp short sc.005CA257                             ;  exception path re-enters the cleanup block
005CA279     .  8BC3                 mov eax,ebx                                       ;  return value: 1 = code accepted, 0 = rejected
005CA27B     .  5E                   pop esi
005CA27C     .  5B                   pop ebx
005CA27D     .  8BE5                 mov esp,ebp
005CA27F     .  5D                   pop ebp
005CA280     .  C3                   retn
