Re: 看雪 (Kanxue)

Went to pay respects to the Kanxue masters. The Kanxue forum (看雪论坛) is a venue for exchanging software security techniques, giving security enthusiasts a platform for technical exchange and resources. From a single board, the "Software Debugging Forum", it has grown into a comprehensive forum with multiple boards themed on software security technology. It is honestly a super-master-level presence, so here I go to pay my respects.

Re1

The sign-in challenge, passed directly.

Re2

1. Challenge

Link: http://pan.baidu.com/s/1qXVQmok  Password: h5sw
Last year I already knew about Kanxue but didn't dare attempt the challenges; I was too much of a noob. This year I gave it a try: the first challenge is the sign-in problem, very happy. The second challenge, however, brought me to my knees. Still, after the write-ups were published I learned a lot, and I'm recording what I learned here.

2. Analysis

I. Reconnaissance: no packer, Microsoft Visual C/C++ (6.0) [libc]; there are explicit success and failure messages.
II. Diving in: load it in OllyDbg, search for strings, and locate "You get it!"

Address   Disassembly   Text string
00401000 /$ 68 6CB04100 PUSH ctf2017_.0041B06C ; \n Crackme for CTF2017 @Pediy.\n
00401005 |. E8 382D0100 CALL ctf2017_.00413D42
0040100A |. 83C4 04 ADD ESP,0x4
0040100D |. C705 34B04100>MOV DWORD PTR DS:[0x41B034],0x2 ; 2
00401017 |. E8 34000000 CALL ctf2017_.00401050 ; input
0040101C |. E8 6F000000 CALL ctf2017_.00401090 ; check1
00401021 |. E8 BA000000 CALL ctf2017_.004010E0 ; check2
00401026 |. A1 34B04100 MOV EAX,DWORD PTR DS:[0x41B034] ; 0
0040102B |. 85C0 TEST EAX,EAX
0040102D |. 75 10 JNZ Xctf2017_.0040103F
0040102F |. 68 5CB04100 PUSH ctf2017_.0041B05C ; You get it!\n
00401034 |. E8 092D0100 CALL ctf2017_.00413D42
00401039 |. 83C4 04 ADD ESP,0x4
0040103C |. 33C0 XOR EAX,EAX
0040103E |. C3 RETN
0040103F |> 68 38B04100 PUSH ctf2017_.0041B038 ; Bad register-code, keep trying.\n
00401044 |. E8 F92C0100 CALL ctf2017_.00413D42
00401049 |. 83C4 04 ADD ESP,0x4
0040104C |. 33C0 XOR EAX,EAX
0040104E \. C3 RETN
0040104F 90 NOP
00401050 /$ 83EC 0C SUB ESP,0xC
00401053 |. 68 ACB04100 PUSH ctf2017_.0041B0AC ; Coded by Fpc.\n\n
00401058 |. E8 E52C0100 CALL ctf2017_.00413D42
0040105D |. 83C4 04 ADD ESP,0x4
00401060 |. 68 90B04100 PUSH ctf2017_.0041B090 ; Please input your code:
00401065 |. E8 D82C0100 CALL ctf2017_.00413D42
0040106A |. 83C4 04 ADD ESP,0x4
0040106D |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
00401071 |. 50 PUSH EAX
00401072 |. 68 8CB04100 PUSH ctf2017_.0041B08C ; %s
00401077 |. E8 F72C0100 CALL ctf2017_.00413D73
0040107C |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+0x8]
00401080 |. 83C4 14 ADD ESP,0x14
00401083 \. C3 RETN

Tracing a few steps shows that 401090 and 4010E0 are explicit algorithmic comparisons; analysing 401090 and 4010E0:

void check1()
{
  int v0; // [sp+4h] [bp-8h]@0
  int v1; // [sp+8h] [bp-4h]@0

  if ( v1 && v0 && v1 != v0 && 5 * (v1 - v0) + v1 == 0x8F503A42 && 13 * (v1 - v0) + v0 == 0xEF503A42 )
    --dword_41B034;
}

void check2()
{
  int v0; // [sp+4h] [bp-8h]@0
  int v1; // [sp+8h] [bp-4h]@0

  if ( v1 && v0 && v1 != v0 && 17 * (v1 - v0) + v1 == 0xF3A94883 && 7 * (v1 - v0) + v0 == 0x33A94883 )
    --dword_41B034;
}

Treat each group of 4 input characters' ASCII codes as one hex dword; calling the two unknowns a and b:
(1) 0x5 * (a - b) + a == 0x8F503A42
(2) 0xD * (a - b) + b == 0xEF503A42
(3) 0x11 * (a - b) + a == 0xF3A94883
(4) 0x7 * (a - b) + b == 0x33A94883
At this point in my analysis it felt like brute force was the only option.... and of course that failed.
Afterwards I read the masters' write-ups and sure enough learned a lot.
Master 1: since this explicit algorithm does not randomly scramble the values, the low-order features carry through into the result, so first solve for the low byte and then work upward byte by byte, avoiding an oversized brute-force range:

import time

def solve_false():
    start_time = time.perf_counter()  # time.clock() was removed in Python 3.8
    # Only the lowest byte of each unknown is enumerated; 0x30..0x7a covers '0'..'z'.
    for a1 in range(0x30, 0x7b):
        for b1 in range(0x30, 0x7b):
            if (0x5 * (a1 - b1) + a1) & 0xff == 0x42:
                if (0xd * (a1 - b1) + b1) & 0xff == 0x42:
                    if (0x11 * (a1 - b1) + a1) & 0xff == 0x83:
                        if (0x7 * (a1 - b1) + b1) & 0xff == 0x83:
                            print("found sn a1 : %x" % a1)
                            print("found sn b1 : %x" % b1)
                            print('use time: %.3f second' % (time.perf_counter() - start_time))
                            return

This quickly shows that the system has no valid solution; undoubtedly a trap laid by the author, so look for another route right away.
Master 2: z3 shows this system is unsolvable (I still don't understand this part; z3 is too powerful)
Master 3:

0x11 * ( a - b ) + a == 0xF3A94883
0x5 * ( a - b ) + a == 0x8F503A42

which gives:
12 * ( a - b ) == 0x64590d41
the left-hand side is even while the right-hand side is odd, so there is no solution
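To make the two arguments above concrete, here is an added example (my code, not the post's or the quoted write-ups'): Master 1's byte-by-byte idea generalised into a lifting search over all four bytes, Master 3's parity check computed directly, and a constructed solvable instance (targets derived from a known pair, sample data only) so the lifter can be seen succeeding as well as failing.

```python
# Added example (not code from the post or from the write-ups it quotes):
# the "solve the low byte first, then lift" idea from Master 1, generalised to
# all four bytes, plus the parity argument from Master 3.
MASK32 = 0xFFFFFFFF

# The four constraints from check1/check2 as (left-hand side, target) pairs.
EQUATIONS = [
    (lambda a, b: 0x5 * (a - b) + a, 0x8F503A42),
    (lambda a, b: 0xD * (a - b) + b, 0xEF503A42),
    (lambda a, b: 0x11 * (a - b) + a, 0xF3A94883),
    (lambda a, b: 0x7 * (a - b) + b, 0x33A94883),
]

# Each unknown is four typed characters, so every byte must be printable ASCII.
PRINTABLE = range(0x20, 0x7F)


def lift_solve(equations, nbytes=4, charset=PRINTABLE):
    """Return all (a, b) whose bytes lie in `charset` and that satisfy every
    equation modulo 2**(8*nbytes).

    +, - and * only carry information upward, so a solution modulo 2**(8k)
    is always the low k bytes of any solution modulo 2**(8(k+1)). The search
    therefore keeps the partial pairs that work for the low bytes and extends
    them one byte at a time; a dead low byte prunes everything above it.
    """
    partial = [(0, 0)]
    for k in range(nbytes):
        mod = 1 << (8 * (k + 1))
        shift = 8 * k
        extended = []
        for a_lo, b_lo in partial:
            for ca in charset:
                a = a_lo | (ca << shift)
                for cb in charset:
                    b = b_lo | (cb << shift)
                    if all((lhs(a, b) - target) % mod == 0
                           for lhs, target in equations):
                        extended.append((a, b))
        partial = extended
        if not partial:          # nothing survives: no full solution exists
            break
    return partial


def parity_obstruction(equations=EQUATIONS):
    """Master 3's argument: equation (3) minus equation (1) leaves
    12*(a-b) == target3 - target1 (mod 2**32). The left side is always even,
    so an odd right side proves the system has no solution at all.
    Returns (right-hand side, solvable?)."""
    rhs = (equations[2][1] - equations[0][1]) & MASK32
    return rhs, rhs % 2 == 0


def instance_for(a, b, equations=EQUATIONS):
    """Constructed demo data: the same left-hand sides with targets computed
    from a known pair, so the lifter can be seen succeeding."""
    return [(lhs, lhs(a, b) & MASK32) for lhs, _ in equations]


if __name__ == "__main__":
    print("solutions to the crackme system:", lift_solve(EQUATIONS))
    print("12*(a-b) must equal 0x%08X, solvable: %s" % parity_obstruction())
    known = (int.from_bytes(b"ABCD", "little"), int.from_bytes(b"EFGH", "little"))
    print("lifter on a solvable instance:", lift_solve(instance_for(*known)))
```

Running it prints an empty solution list for the crackme constants, reports the difference of the two targets as 0x64590E41 (odd, which is all the parity argument needs), and recovers the constructed pair. Lifting works because every byte of a sum or product depends only on equal-or-lower bytes of the operands, so a candidate that fails modulo 2**8 can never be rescued by higher bytes.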

Since this challenge never checks the input length, there is an overflow (here I was focused entirely on RE and never thought of an overflow; learned something). But overflow to where? The masters found shellcode encoded at 0x00413131 (respect), so overflow to there:

.text:0040112B db 5 dup(90h)
.text:00401130 dd 4800h dup(0)
.text:00413130 ; ---------------------------------------------------------------------------
.text:00413130 retn
.text:00413130 ; ---------------------------------------------------------------------------
.text:00413131 db 83h, 0C4h, 0F0h
.text:00413134 dd 20712A70h, 0F1C75F2h, 28741C71h, 2E0671DDh, 870F574h
.text:00413134 dd 74F17169h, 0DC167002h, 0EA74C033h, 0DC261275h, 0F471E771h
.text:00413134 dd 6903740Fh, 0EB75EB70h, 0FDF7069h, 22712C70h, 0B8261F7Dh
.text:00413134 dd 2B741E71h, 3E067169h, 870F57Ch, 7CF17169h, 0DC197002h
.text:00413134 dd 41B034A3h, 75E77400h, 0E571DC12h, 7CDCF271h, 0E9706903h
.text:00413134 dd 6965E97Dh, 70B8DC70h, 3E1D7127h, 710F1971h, 0DD257019h
.text:00413134 dd 0F6700571h, 71DD0870h, 700270F2h, 70580F14h, 0F1171ECh
.text:00413134 dd 0F671EA71h, 0DD03700Fh, 0ED71ED70h, 0FE170DDh, 7F36217Eh
.text:00413134 dd 671A7D27h, 1D2A74B8h, 65690D7Eh, 67C067Fh, 1D361C7Eh
.text:00413134 dd 8BDC0E7Fh, 75EA74C8h, 7E69DC14h, 0C1F47FEFh, 0F97CFB7Fh
.text:00413134 dd 0EA7DE27Fh, 0D87E6965h, 772076B8h, 2E1A7F27h, 0DD2978B8h
.text:00413134 dd 778D0D76h, 67EF207h, 0DD261B76h, 58B80E77h, 1479EB78h
.text:00413134 dd 768DB865h, 0FF477EFh, 0F97EFB77h, 0EA7FE177h, 0B8D9768Dh
.text:00413134 dd 73F22372h, 1C756729h, 0DD2C740Fh, 66690E72h, 6740673h
.text:00413134 dd 0DD361E72h, 0DD261073h, 0E974D88Bh, 12751575h, 73ED72DCh
.text:00413134 dd 0FB730FF3h, 0E073F974h, 6966E875h, 740FD672h, 2E1D7527h
.text:00413134 dd 75DC1973h, 0DD267C19h, 742E0475h, 0F3751D08h, 16740272h
.text:00413134 dd 0ED7C58C1h, 0C1F3137Dh, 0F575EA75h, 1D03720Fh, 0EC73EC74h
.text:00413134 dd 0DF741D66h, 0F23EBDCh, 0EB227585h, 85261DFAh, 74D08B29h
.text:00413134 dd 0EBF6EB18h, 75D08BF4h, 32F2EBECh, 0E9754A3Eh, 6256F2EBh
.text:00413134 dd 0EDEB7A6Eh, 7D267C7Ah, 187DF21Ch, 70187D0Fh, 37D1D25h
.text:00413134 dd 7D69087Ch, 7C027CF4h, 0C18BDC16h, 1271ED70h, 7DEB7DDCh
.text:00413134 dd 37CC1F5h, 7DEC7C69h, 7C6966ECh, 2A780FDFh, 793E2079h
.text:00413134 dd 1C79B81Ch, 798D2874h, 0F5783606h, 79DD0878h, 780278F1h
.text:00413134 dd 0C32B0F16h, 1275EA74h, 0E7790F2Eh, 78B8F479h, 0EB78DD03h
.text:00413134 dd 78DDEB79h, 2B70B8DFh, 79662271h, 1E71C11Eh, 71692A70h
.text:00413134 dd 70F67805h, 0F271DD08h, 19700278h, 2E0C10Fh, 1471EA70h
.text:00413134 dd 0F107966h, 0F171E571h, 700278DCh, 36E979E9h, 0C1DC70DDh
.text:00413134 dd 22712B70h, 0B81E7326h, 29781E71h, 571DD3Eh, 870F572h
.text:00413134 dd 72F1711Dh, 0C1177002h, 0EA78C103h, 733E1379h, 0E671C10Fh

So how long is the overflow? Entering aaaabbbbccccddddeeee shows that the return address is dddd,

Entering aaaabbbbccc11A again


Black (unanalysed): right-click here, Analysis, Remove analysis from module

Junk instructions appear here (code obfuscation; junk instructions don't affect program execution, it's just a matter of patience. In this challenge the junk code just jumps back and forth. It can be stripped, but it's really the same if you don't.)

Step-by-step analysis
Set a new breakpoint at 0x413131, press Enter to break there, ignore the junk instructions, and extract only the algorithm-relevant code:

00413131 83C4 F0 add esp,-0x10
00413150 33C0 xor eax,eax
00413184 A3 34B04100 mov dword ptr ds:[0x41B034],eax
004131BA 58 pop eax //aaaa
004131EB 8BC8 mov ecx,eax
0041321F 58 pop eax //bbbb
00413254 8BD8 mov ebx,eax
00413289 58 pop eax //cccc
004132B5 8BD0 mov edx,eax
004132AD 8BD0 mov edx,eax
004132E2 8BC1 mov eax,ecx //eax=aaaa
00413316 2BC3 sub eax,ebx //ebx=bbbb eax=a-b
00413349 C1E0 02 shl eax,0x2 //(a-b)*4
00413380 03C1 add eax,ecx //(a-b)*4+a
004133B5 03C2 add eax,edx //(a-b)*4+a+c
004133E9 2D E217F9EA sub eax,0xEAF917E2 //0xEAF917E2==((a-b)*4+a+c)
00413B1E 58 pop eax ; ctf2017_.00413E3E
00413B4E 35 0E210100 xor eax,0x1210E
00413B83 3305 34B04100 xor eax,dword ptr ds:[0x41B034]
0040103F 68 38B04100 push ctf2017_.0041B038 "Bad register-code"
00413455 03C1 add eax,ecx //ecx=aaaa
00413489 2BC3 sub eax,ebx //ebx=bbbb
004134BF 8BD8 mov ebx,eax //ebx=eax=a-b
004134F3 D1E0 shl eax,1 //(a-b)*2
00413525 03C3 add eax,ebx //(a-b)*3
00413559 03C1 add eax,ecx //(a-b)*3+a
0041358F 8BC8 mov ecx,eax //
004135C3 03C2 add eax,edx //(a-b)*3+a+c
004135F7 2D C808F5E8 sub eax,0xE8F508C8 //(a-b)*3+a+c==0xE8F508C8
00413665 8BC1 mov eax,ecx
0041365D 8BC1 mov eax,ecx //(a-b)*3+a
004136A7 2BC2 sub eax,edx //(a-b)*3+a-c
004136D8 2D 683C0A0C sub eax,0xC0A3C68 // (a-b)*3+a-c==0xC0A3C68

3. Solving

(a-b)*3+a-c==0xC0A3C68
(a-b)*3+a+c==0xE8F508C8
(a-b)*4+a+c==0xEAF917E2

Having referred to many masters' code,
I learned a method for solving systems of equations that is really handy:

from sympy import Symbol, solve
a = Symbol('a')
b = Symbol('b')
c = Symbol('c')
# each equation is passed as an expression that must equal zero
print(solve([(a-b)*3+a-c-0xC0A3C68, (a-b)*3+a+c-0xE8F508C8, (a-b)*4+a+c-0xEAF917E2], [a, b, c]))
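To finish the Re2 solution without sympy, here is an added example (my code, not the post's) that does the elimination by hand over the 32-bit wrap-around arithmetic the shellcode actually uses. It subtracts the equations pairwise, handles the fact that dividing by 2 modulo 2**32 yields two candidates, keeps only the candidate whose bytes are all printable ASCII, and decodes the dwords back into the typed characters.

```python
# Added example (not code from the post): the three equations recovered from
# the shellcode, solved by hand over 32-bit wrap-around arithmetic.
MASK32 = 0xFFFFFFFF

# The three `sub eax, imm` targets from the trace.
T1 = 0x0C0A3C68  # (a-b)*3 + a - c
T2 = 0xE8F508C8  # (a-b)*3 + a + c
T3 = 0xEAF917E2  # (a-b)*4 + a + c


def halve_mod32(x):
    """All y with 2*y == x (mod 2**32). 2 has no inverse modulo a power of
    two, so an even x has two preimages and an odd x has none."""
    if x & 1:
        return []
    return [x >> 1, (x >> 1) + 0x80000000]


def printable(dword):
    """True when all four little-endian bytes are printable ASCII."""
    return all(0x20 <= byte < 0x7F for byte in dword.to_bytes(4, "little"))


def solve(t1=T1, t2=T2, t3=T3):
    """Return every (a, b, c) that satisfies the three equations modulo 2**32
    and consists only of printable bytes."""
    d = (t3 - t2) & MASK32                       # eq3 - eq2:  a - b == t3 - t2
    solutions = []
    for c in halve_mod32((t2 - t1) & MASK32):    # eq2 - eq1:  2c == t2 - t1
        a = (t2 - 3 * d - c) & MASK32            # back-substitute into eq2
        b = (a - d) & MASK32
        if all(printable(x) for x in (a, b, c)):
            solutions.append((a, b, c))
    return solutions


def verify(a, b, c, t1=T1, t2=T2, t3=T3):
    """Re-run the three checks exactly as the shellcode computes them."""
    d = a - b
    return ((3 * d + a - c) & MASK32 == t1
            and (3 * d + a + c) & MASK32 == t2
            and (4 * d + a + c) & MASK32 == t3)


def as_input(a, b, c):
    """The shellcode pops a, b, c from the stack in input order, and a dword
    read from the stack holds its four characters little-endian, so the typed
    text is the little-endian bytes of a, b and c concatenated."""
    return b"".join(x.to_bytes(4, "little") for x in (a, b, c)).decode("ascii")


if __name__ == "__main__":
    for a, b, c in solve():
        print("a=%08X b=%08X c=%08X -> %r  checks: %s"
              % (a, b, c, as_input(a, b, c), verify(a, b, c)))
```

sympy solves the system over the rationals; that happens to agree here because the solution needs no wrap-around, but the binary compares 32-bit values, so modular elimination is the faithful model and it also exposes the second (non-printable) candidate for c that the rational solver never sees.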

Re3

1. Challenge

Link: http://pan.baidu.com/s/1kUYItoz  Password: xem0
On the third challenge I felt my worldview collapse. Still couldn't do it, so learning comes first: going through the masters' notes and learning from them.

2. Analysis

I. Reconnaissance: no packer, Microsoft Visual C/C++ (6.0) [libc], plenty of anti-debugging
II. Diving in:
Load it in OllyDbg (my OD seems to get past the anti-debugging on its own), F9, run, what on earth, it jumps straight into a DLL, keep pressing F9.... finally a dialog appears; entering 12345678 makes the program crash.

Open it in IDA, locate the CrackMe string, and find the key function

int __stdcall sub_434EF0(HWND hDlg, int a2, int a3, int a4)
{
  int v4; // ST0C_4@17
  CHAR *v5; // esi@17
  int v6; // eax@17
  int v8; // [sp+0h] [bp-1A4Ch]@18
  int v9; // [sp+4h] [bp-1A48h]@18
  int v10; // [sp+8h] [bp-1A44h]@18
  int v11; // [sp+Ch] [bp-1A40h]@1
  int i; // [sp+1C4h] [bp-1888h]@14
  char v13[1032]; // [sp+1D0h] [bp-187Ch]@16
  char v14[40]; // [sp+5D8h] [bp-1474h]@14
  int v15; // [sp+600h] [bp-144Ch]@14
  char v16; // [sp+60Ch] [bp-1440h]@14
  char v17; // [sp+60Dh] [bp-143Fh]@14
  char v18; // [sp+A14h] [bp-1038h]@14
  char v19; // [sp+A15h] [bp-1037h]@14
  char v20; // [sp+E1Ch] [bp-C30h]@14
  char v21; // [sp+E1Dh] [bp-C2Fh]@14
  CHAR String; // [sp+1224h] [bp-828h]@14
  char v23; // [sp+1225h] [bp-827h]@14
  int v24; // [sp+162Ch] [bp-420h]@14
  char v25; // [sp+1638h] [bp-414h]@1
  char v26; // [sp+1639h] [bp-413h]@1
  int v27; // [sp+1A40h] [bp-Ch]@1
  unsigned int v28; // [sp+1A48h] [bp-4h]@1
  int savedregs; // [sp+1A4Ch] [bp+0h]@1

  memset(&v11, 0xCCu, 0x1A40u);
  v28 = (unsigned int)&savedregs ^ dword_49B344;
  v27 = 0;
  v25 = 0;
  sub_42D5E6(&v26, 0, 1023);
  v11 = a2;
  if ( a2 == 16 )
    ExitProcess(0);
  if ( v11 == 272 )
  {
    v27 = sub_42D4F1();
    if ( v27 == 1 )
      ExitProcess(0);
    v27 = 0;
    v27 = sub_42E428();
    if ( v27 == 1 )
      ExitProcess(0);
    v27 = 0;
    v27 = sub_42D825();
    if ( v27 == 1 )
      ExitProcess(0);
    sub_42D14F(hDlg, 1);
  }
  else if ( v11 == 273 )
  {
    v11 = (unsigned __int16)a3;
    if ( (unsigned __int16)a3 == 1002 )
    {
      String = 0;
      sub_42D5E6(&v23, 0, 1023);
      v20 = 0;
      sub_42D5E6(&v21, 0, 1023);
      GetDlgItemTextA(hDlg, 1001, &String, 1025);
      v24 = sub_42DE51();
      v18 = 0;
      sub_42D5E6(&v19, 0, 1023);
      sub_42D267(&String, 1024, &v20);
      v16 = 0;
      sub_42D5E6(&v17, 0, 1023);
      sub_42D267(&v20, 1024, &v18);
      sub_42D96A(&v18, &v16, 1024);
      v15 = 3;
      sub_42DA78(&v18, 3, v14);
      for ( i = 0; i < 32; ++i )
        sub_42DF05(&v13[2 * i], "%02x", v14[i]);
      v4 = sub_42D794(v13);
      v5 = &String + sub_42D794(&String);
      v6 = sub_42D794(v13);
      if ( !sub_42DB27(v13, &v5[-v6], v4) )
      {
        sub_42D0B4(v8, v9, v10);
        if ( (unsigned __int8)sub_42D9AB(&unk_49B000, &v16) == 1 )
        {
          MessageBoxA(0, "ok", "CrackMe", 0);
          sub_42DE51();
        }
      }
    }
  }
  sub_42D65E(&savedregs, &dword_435250);
  sub_42D1E5();
  return sub_42DE51();
}

Wow, I still have too little experience; many of the functions here I can't make sense of.

Opening it in OD again, the program has randomisation (ASLR), annoying. F9.... the dialog appears; by rights one could now set a breakpoint on the API that reads the text, here GetDlgItemTextA. However, I couldn't find it in the current module; later I found a plugin for setting API breakpoints and finally got it to break. Next comes analysing the algorithm (here my ability is still too weak).

With the help of the masters' write-ups
IDA disassembly of the key function

This one is directly in plaintext:

I tried it myself, but when I reached this function the program crashed on execution

Continuing the analysis.

Guessing the author's intent
1. get the input ipt
2. base64-decode twice to get buf
3. custom-decode to get cmd
4. check sm3(buf[:3) == ipt[-64:]
5. cmd can walk the maze to the exit

Re4

1. Challenge

Link: http://pan.baidu.com/s/1kUYItoz  Password: xem0
Learning comes first: going through the masters' notes and learning from them

2. Analysis

I. Reconnaissance: no packer, Microsoft Visual C/C++ (6.0) [libc], plenty of anti-debugging
II. Attach with OD and get past the anti-debugging
Run the exe first, then open OD and attach to the exe process; set a breakpoint where the GetWindowTextW API is called, click run, and enter the sn in the exe. It then breaks on the GetWindowTextW breakpoint in OD (still inside the system API region)

Step downward to reach the program's own code

Stepping onward, the main details

01151CB0 55 push ebp
01151CB1 8BEC mov ebp, esp
01151CB3 81EC D0000000 sub esp, 0xD0
01151CB9 A1 14F01601 mov eax, dword ptr [0x116F014]
01151CBE 33C5 xor eax, ebp
01151CC0 8945 FC mov dword ptr [ebp-0x4], eax
01151CC3 57 push edi
01151CC4 8BF9 mov edi, ecx
01151CC6 85FF test edi, edi
01151CC8 0F84 61010000 je 01151E2F
01151CCE 85D2 test edx, edx
01151CD0 0F85 81000000 jnz 01151D57
01151CD6 E8 25FFFFFF call 01151C00 ; check whether the serial contains 'b'
01151CDB 85C0 test eax, eax
01151CDD 74 54 je short 01151D33
01151CDF 68 C8000000 push 0xC8
01151CE4 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151CEA 6A 00 push 0x0
01151CEC 50 push eax
01151CED E8 DE1C0000 call <memset>
01151CF2 83C4 0C add esp, 0xC
01151CF5 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151CFB 6A 64 push 0x64
01151CFD 50 push eax
01151CFE FF77 0C push dword ptr [edi+0xC]
01151D01 FF15 4C811601 call dword ptr [<&USER32.GetWindowTex>; user32.GetWindowTextW
01151D07 6A 70 push 0x70
01151D09 8D95 34FFFFFF lea edx, dword ptr [ebp-0xCC]
01151D0F E8 3C0D0000 call 01152A50 ; check whether the serial contains 'p'
01151D14 85C0 test eax, eax
01151D16 74 1B je short 01151D33
01151D18 BA 01000000 mov edx, 0x1
01151D1D 8BCF mov ecx, edi
01151D1F E8 8CFFFFFF call 01151CB0
01151D24 5F pop edi
01151D25 8B4D FC mov ecx, dword ptr [ebp-0x4]
01151D28 33CD xor ecx, ebp
01151D2A E8 960F0000 call 01152CC5
01151D2F 8BE5 mov esp, ebp
01151D31 5D pop ebp
01151D32 C3 retn
01151D33 6A 00 push 0x0
01151D35 68 0F040000 push 0x40F
01151D3A 68 11010000 push 0x111
01151D3F FF77 04 push dword ptr [edi+0x4]
01151D42 FF15 50811601 call dword ptr [<&USER32.SendMessageW>; user32.SendMessageW
01151D48 5F pop edi
01151D49 8B4D FC mov ecx, dword ptr [ebp-0x4]
01151D4C 33CD xor ecx, ebp
01151D4E E8 720F0000 call 01152CC5
01151D53 8BE5 mov esp, ebp
01151D55 5D pop ebp
01151D56 C3 retn
01151D33 6A 00 push 0x0
01151D35 68 0F040000 push 0x40F
01151D3A 68 11010000 push 0x111
01151D3F FF77 04 push dword ptr [edi+0x4]
01151D42 FF15 50811601 call dword ptr [<&USER32.SendMessageW>; user32.SendMessageW
01151D48 5F pop edi
01151D49 8B4D FC mov ecx, dword ptr [ebp-0x4]
01151D4C 33CD xor ecx, ebp
01151D4E E8 720F0000 call 01152CC5
01151D53 8BE5 mov esp, ebp
01151D55 5D pop ebp
01151D56 C3 retn
01151D57 56 push esi
01151D58 E8 812B0000 call 011548DE
01151D5D 68 C8000000 push 0xC8
01151D62 8985 30FFFFFF mov dword ptr [ebp-0xD0], eax
01151D68 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151D6E 6A 00 push 0x0
01151D70 50 push eax
01151D71 E8 5A1C0000 call <memset>
01151D76 83C4 0C add esp, 0xC
01151D79 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151D7F 68 C8000000 push 0xC8
01151D84 50 push eax
01151D85 FF77 0C push dword ptr [edi+0xC]
01151D88 FF15 4C811601 call dword ptr [<&USER32.GetWindowTex>; user32.GetWindowTextW
01151D8E 33F6 xor esi, esi
01151D90 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151D96 66:39B5 34FFFFF>cmp word ptr [ebp-0xCC], si
01151D9D 74 0B je short 01151DAA
01151D9F 90 nop
01151DA0 8D40 02 lea eax, dword ptr [eax+0x2]
01151DA3 46 inc esi
01151DA4 66:8338 00 cmp word ptr [eax], 0x0
01151DA8 ^ 75 F6 jnz short 01151DA0
01151DAA 33C9 xor ecx, ecx
01151DAC 8D46 01 lea eax, dword ptr [esi+0x1]
01151DAF BA 02000000 mov edx, 0x2
01151DB4 F7E2 mul edx
01151DB6 53 push ebx
01151DB7 0F90C1 seto cl
01151DBA F7D9 neg ecx
01151DBC 0BC8 or ecx, eax
01151DBE 51 push ecx
01151DBF E8 120F0000 call 01152CD6
01151DC4 83C4 04 add esp, 0x4
01151DC7 8BD8 mov ebx, eax
01151DC9 E8 102B0000 call 011548DE
01151DCE 2B85 30FFFFFF sub eax, dword ptr [ebp-0xD0]
01151DD4 83F8 02 cmp eax, 0x2
01151DD7 7F 65 jg short 01151E3E
01151DD9 8D85 34FFFFFF lea eax, dword ptr [ebp-0xCC]
01151DDF 50 push eax
01151DE0 53 push ebx
01151DE1 E8 8A0A0000 call 01152870
01151DE6 83FE 07 cmp esi, 0x7 ; is the serial 7 characters long
01151DE9 73 0B jnb short 01151DF6
01151DEB 6A 00 push 0x0
01151DED 6A 00 push 0x0
01151DEF 68 0E040000 push 0x40E
01151DF4 EB 0B jmp short 01151E01
01151DF6 76 2C jbe short 01151E24
01151DF8 6A 00 push 0x0
01151DFA 6A 00 push 0x0
01151DFC 68 0D040000 push 0x40D
01151E01 FF77 04 push dword ptr [edi+0x4]
01151E04 FF15 50811601 call dword ptr [<&USER32.SendMessageW>; user32.SendMessageW
01151E0A 53 push ebx
01151E0B E8 CF0E0000 call 01152CDF
01151E10 83C4 04 add esp, 0x4
01151E13 5B pop ebx
01151E14 5E pop esi
01151E15 5F pop edi
01151E16 8B4D FC mov ecx, dword ptr [ebp-0x4]
01151E19 33CD xor ecx, ebp
01151E1B E8 A50E0000 call 01152CC5
01151E20 8BE5 mov esp, ebp
01151E22 5D pop ebp
01151E23 C3 retn
01151E24 8BD3 mov edx, ebx
01151E26 8BCF mov ecx, edi
01151E28 E8 33FCFFFF call 01151A60 ; enters the final check here
01151E2D 5B pop ebx
01151E2E 5E pop esi
01151E2F 8B4D FC mov ecx, dword ptr [ebp-0x4]
01151E32 33CD xor ecx, ebp
01151E34 5F pop edi
01151E35 E8 8B0E0000 call 01152CC5
01151E3A 8BE5 mov esp, ebp
01151E3C 5D pop ebp
01151E3D C3 retn
01151E3E 6A 00 push 0x0
01151E40 E8 6C2D0000 call 01154BB1

From the code above, the serial must be 7 characters long and contain the characters 'b' and 'p'
Now look at the final check call

01151870 55 push ebp
01151871 8BEC mov ebp, esp
01151873 83EC 54 sub esp, 0x54
01151876 A1 14F01601 mov eax, dword ptr [0x116F014]
0115187B 33C5 xor eax, ebp
0115187D 8945 FC mov dword ptr [ebp-0x4], eax
01151880 53 push ebx
01151881 56 push esi
01151882 57 push edi
01151883 6A 36 push 0x36
01151885 8D45 B0 lea eax, dword ptr [ebp-0x50]
01151888 8BD9 mov ebx, ecx
0115188A 6A 00 push 0x0
0115188C 50 push eax
0115188D 8BFA mov edi, edx
0115188F 895D AC mov dword ptr [ebp-0x54], ebx
01151892 E8 39210000 call <memset>
01151897 83C4 0C add esp, 0xC
0115189A 8D4D E8 lea ecx, dword ptr [ebp-0x18]
0115189D B8 30000000 mov eax, 0x30
011518A2 66:8901 mov word ptr [ecx], ax
011518A5 8D49 02 lea ecx, dword ptr [ecx+0x2]
011518A8 40 inc eax
011518A9 83F8 39 cmp eax, 0x39
011518AC ^ 7E F4 jle short 011518A2 ; 0-9
011518AE B8 61000000 mov eax, 0x61
011518B3 8D4D B0 lea ecx, dword ptr [ebp-0x50]
011518B6 66:8901 mov word ptr [ecx], ax
011518B9 8D49 02 lea ecx, dword ptr [ecx+0x2]
011518BC 40 inc eax
011518BD 83F8 7A cmp eax, 0x7A
011518C0 ^ 7E F4 jle short 011518B6 ; a-z
011518C2 33D2 xor edx, edx
011518C4 8D45 B0 lea eax, dword ptr [ebp-0x50]
011518C7 66:3955 B0 cmp word ptr [ebp-0x50], dx
011518CB 74 0D je short 011518DA
011518CD 0F1F ??? ; unknown instruction
011518CF 008D 40024266 add byte ptr [ebp+0x66420240], cl
011518D5 8338 00 cmp dword ptr [eax], 0x0
011518D8 ^ 75 F6 jnz short 011518D0
011518DA 33C9 xor ecx, ecx
011518DC 85D2 test edx, edx
011518DE 74 1C je short 011518FC
011518E0 0FB7444D B0 movzx eax, word ptr [ebp+ecx*2-0x50]
011518E5 83F8 61 cmp eax, 0x61
011518E8 72 0D jb short 011518F7
011518EA 83F8 7A cmp eax, 0x7A
011518ED 77 08 ja short 011518F7
011518EF 83C0 E0 add eax, -0x20
011518F2 66:89444D B0 mov word ptr [ebp+ecx*2-0x50], ax
011518F7 41 inc ecx
011518F8 3BCA cmp ecx, edx
011518FA ^ 72 E4 jb short 011518E0
011518FC 33C9 xor ecx, ecx
011518FE 8BC7 mov eax, edi
01151900 85FF test edi, edi
01151902 74 76 je short 0115197A
01151904 66:390F cmp word ptr [edi], cx
01151907 74 11 je short 0115191A
01151909 0F1F ??? ; unknown instruction
0115190B 8000 00 add byte ptr [eax], 0x0
0115190E 0000 add byte ptr [eax], al
01151910 8D40 02 lea eax, dword ptr [eax+0x2]
01151913 41 inc ecx
01151914 66:8338 00 cmp word ptr [eax], 0x0
01151918 ^ 75 F6 jnz short 01151910
0115191A 33C0 xor eax, eax
0115191C 85C9 test ecx, ecx
0115191E 74 22 je short 01151942
01151920 83F8 02 cmp eax, 0x2
01151923 73 07 jnb short 0115192C
01151925 66:833447 0F xor word ptr [edi+eax*2], 0xF
0115192A EB 11 jmp short 0115193D
0115192C 83F8 04 cmp eax, 0x4
0115192F 73 07 jnb short 01151938
01151931 66:833447 50 xor word ptr [edi+eax*2], 0x50
01151936 EB 05 jmp short 0115193D
01151938 66:833447 42 xor word ptr [edi+eax*2], 0x42
0115193D 40 inc eax
0115193E 3BC1 cmp eax, ecx
01151940 ^ 72 DE jb short 01151920
01151942 33D2 xor edx, edx
01151944 8BC7 mov eax, edi
01151946 66:3917 cmp word ptr [edi], dx
01151949 74 0F je short 0115195A
0115194B 0F1F ??? ; unknown instruction
0115194D 44 inc esp
0115194E 0000 add byte ptr [eax], al
01151950 8D40 02 lea eax, dword ptr [eax+0x2]
01151953 42 inc edx
01151954 66:8338 00 cmp word ptr [eax], 0x0
01151958 ^ 75 F6 jnz short 01151950
0115195A 33C9 xor ecx, ecx
0115195C 85D2 test edx, edx
0115195E 74 1A je short 0115197A
01151960 0FB7044F movzx eax, word ptr [edi+ecx*2]
01151964 83F8 61 cmp eax, 0x61
01151967 72 0C jb short 01151975
01151969 83F8 7A cmp eax, 0x7A
0115196C 77 07 ja short 01151975
0115196E 83C0 E0 add eax, -0x20
01151971 66:89044F mov word ptr [edi+ecx*2], ax
01151975 41 inc ecx
01151976 3BCA cmp ecx, edx
01151978 ^ 72 E6 jb short 01151960
0115197A 33F6 xor esi, esi
0115197C 0F57C0 xorps xmm0, xmm0
0115197F 66:0FD6 ??? ; unknown instruction
01151982 45 inc ebp
01151983 F0:66:8975 F8 lock mov word ptr [ebp-0x8], si ; lock prefix not allowed
01151988 66:3937 cmp word ptr [edi], si
0115198B 74 48 je short 011519D5
0115198D 66:8B4D B0 mov cx, word ptr [ebp-0x50]
01151991 8D5D F0 lea ebx, dword ptr [ebp-0x10]
01151994 8BC7 mov eax, edi
01151996 66:85C9 test cx, cx
01151999 74 2C je short 011519C7
0115199B 0FB710 movzx edx, word ptr [eax]
0115199E 8D4D B0 lea ecx, dword ptr [ebp-0x50]
011519A1 33C0 xor eax, eax
011519A3 66:3B11 cmp dx, word ptr [ecx]
011519A6 74 10 je short 011519B8
011519A8 40 inc eax
011519A9 8D4D B0 lea ecx, dword ptr [ebp-0x50]
011519AC 66:833C41 00 cmp word ptr [ecx+eax*2], 0x0
011519B1 8D0C41 lea ecx, dword ptr [ecx+eax*2]
011519B4 ^ 75 ED jnz short 011519A3
011519B6 EB 0B jmp short 011519C3
011519B8 66:8B4445 B0 mov ax, word ptr [ebp+eax*2-0x50]
011519BD 66:8903 mov word ptr [ebx], ax
011519C0 83C3 02 add ebx, 0x2
011519C3 66:8B4D B0 mov cx, word ptr [ebp-0x50]
011519C7 46 inc esi
011519C8 66:833C77 00 cmp word ptr [edi+esi*2], 0x0
011519CD 8D0477 lea eax, dword ptr [edi+esi*2]
011519D0 ^ 75 C4 jnz short 01151996
011519D2 8B5D AC mov ebx, dword ptr [ebp-0x54]
011519D5 33C9 xor ecx, ecx
011519D7 8D45 F0 lea eax, dword ptr [ebp-0x10]
011519DA 66:394D F0 cmp word ptr [ebp-0x10], cx
011519DE 74 59 je short 01151A39
011519E0 8D40 02 lea eax, dword ptr [eax+0x2]
011519E3 41 inc ecx
011519E4 66:8338 00 cmp word ptr [eax], 0x0
011519E8 ^ 75 F6 jnz short 011519E0
011519EA 83F9 02 cmp ecx, 0x2
011519ED 75 4A jnz short 01151A39
011519EF 33C0 xor eax, eax
011519F1 C745 F0 3100350>mov dword ptr [ebp-0x10], 0x350031
011519F8 C745 F4 5000420>mov dword ptr [ebp-0xC], 0x420050
011519FF 8D77 04 lea esi, dword ptr [edi+0x4]
01151A02 66:8945 F8 mov word ptr [ebp-0x8], ax
01151A06 33C9 xor ecx, ecx
01151A08 0F1F ??? ; unknown instruction
01151A0A 8400 test byte ptr [eax], al
01151A0C 0000 add byte ptr [eax], al
01151A0E 0000 add byte ptr [eax], al
01151A10 66:8B444D F0 mov ax, word ptr [ebp+ecx*2-0x10]
01151A15 66:3B06 cmp ax, word ptr [esi]
01151A18 75 1F jnz short 01151A39
01151A1A 41 inc ecx
01151A1B 83C6 02 add esi, 0x2
01151A1E 83F9 04 cmp ecx, 0x4
01151A21 ^ 72 ED jb short 01151A10
01151A23 8BD7 mov edx, edi
01151A25 8BCB mov ecx, ebx
01151A27 E8 14FDFFFF call 01151740 ; this is the final check call
01151A2C 6A 00 push 0x0
01151A2E 85C0 test eax, eax
01151A30 74 09 je short 01151A3B
01151A32 68 0B040000 push 0x40B
01151A37 EB 07 jmp short 01151A40
01151A39 6A 00 push 0x0
01151A3B 68 0A040000 push 0x40A
01151A40 68 11010000 push 0x111
01151A45 FF73 04 push dword ptr [ebx+0x4]
01151A48 FF15 54811601 call dword ptr [<&USER32.PostMessageW>; user32.PostMessageW

The code above does things like initialising 0-9 and a-z, converting the serial to uppercase, and extracting all the letters from the serial; purely superfluous
Next, look directly at the final call inside

01151810 > /66:8B01 mov ax, word ptr [ecx]
01151813 . |66:3B040E cmp ax, word ptr [esi+ecx] ; check whether positions 1 and 2 are '12'
01151817 . |75 42 jnz short 0115185B
01151819 . |83C2 06 add edx, 0x6
0115181C . |83C1 02 add ecx, 0x2
0115181F . |83FA 39 cmp edx, 0x39
01151822 .^\7E EC jle short 01151810
01151824 . 0FB74F 12 movzx ecx, word ptr [edi+0x12] ; is character i + character 1 equal to 0x63 (unreasonable design?)
01151828 . 0FB703 movzx eax, word ptr [ebx]
0115182B . 03C8 add ecx, eax
0115182D . 83F9 63 cmp ecx, 0x63
01151830 . 75 29 jnz short 0115185B
01151832 . 8B45 B4 mov eax, dword ptr [ebp-0x4C]
01151835 . 0FB74F 0C movzx ecx, word ptr [edi+0xC]
01151839 . 0308 add ecx, dword ptr [eax]
0115183B . 8B45 B0 mov eax, dword ptr [ebp-0x50]
0115183E . 0FB700 movzx eax, word ptr [eax]
01151841 . 3BC1 cmp eax, ecx
01151843 . 75 16 jnz short 0115185B ; checks whether the last character of the serial equals character 0x0c of the serial (after its n-th position has been replaced using '123456789') plus n
01151845 . 5F pop edi
01151846 . 5E pop esi
01151847 . B8 01000000 mov eax, 0x1
0115184C . 5B pop ebx

The analysis above yields a serial: 1215pb8
1) contains the characters 'b' and 'p'
2) 7 characters long
3) positions 1 and 2 are '1' and '2'
4) the character at position 0, '1' (0x30), plus the character at position n (the counter position), '2' (0x32), equals 0x63
5) positions 3, 4, 5 and 6 are '15pb'
6) the last character is '7' plus the counter
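The six rules above, re-implemented as an offline checker so a candidate serial can be tested against the reversed logic; this is an added example, not the post's code. The uppercasing of a-z before the comparison follows the listing, the 'b'/'p' test is applied to the raw input as in the first listing, and the counter in rule 6 is exposed as a parameter whose default of 1 is an assumption read off the serial 1215pb8.

```python
# Added example (not code from the post): the six rules the author extracted
# from the Re4 validation, written as a checker that reports which rules a
# candidate breaks. `count` for rule 6 defaults to 1, an assumption taken
# from the serial 1215pb8 derived in the post.

def rule_violations(serial, count=1):
    """Return the list of rule numbers (as in the post) that `serial` breaks."""
    bad = []
    if len(serial) != 7:                        # rule 2: exactly 7 characters
        bad.append(2)
    if not ("b" in serial and "p" in serial):   # rule 1: contains 'b' and 'p',
        bad.append(1)                           # tested on the raw input
    if len(serial) == 7:
        upper = serial.upper()                  # the routine uppercases a-z first
        if upper[0:2] != "12":                  # rule 3: positions 1,2 are '1','2'
            bad.append(3)
        if ord(upper[0]) + ord(upper[1]) != 0x63:   # rule 4: '1' + '2' == 0x63
            bad.append(4)
        if upper[2:6] != "15PB":                # rule 5: positions 3-6 are '15pb'
            bad.append(5)
        if upper[6] != chr(ord("7") + count):   # rule 6: last char is '7' + count
            bad.append(6)
    return bad


def is_valid(serial, count=1):
    """True when the serial satisfies every rule."""
    return rule_violations(serial, count) == []


if __name__ == "__main__":
    for candidate in ("1215pb8", "1215pb7", "1215PB8", "2215pb8"):
        print("%-8s -> violates rules %s" % (candidate, rule_violations(candidate)))
```

Rule 4 is implied by rule 3 for this serial ('1' is 0x31 and '2' is 0x32), which is why the post flags the design as odd; keeping it as a separate check mirrors the binary rather than simplifying it away.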
