新手第一篇非爆破
今天网上搜索点儿资料,从国外网站上下载来些ps后缀文件,还以为是Photoshop文件,用PhotoShop打开,哇擦擦,就一图层上面有点英文字母,类似论文题目似的,觉得不对劲。
用UltraEdit打开,乱码,更不对劲了。
于是上网查了一下,原来是PostScript(PS),是专门为打印图形和文字而设计的一个编程语言。得装两个东西,ghostscript和gsview。装过后用gsview打开刚那文件,可以看了,但提示注册。
试了一下,那个Online Registration,网页上不去,但不注册也可以用。但是呢,邪恶的心理出来了,咱不是初学逆向嘛,准备自己动手。
右键PEID载入,Nothing found,deep也还是nothing,不管了,直接OD吧。
OD载入后,直接Ctrl + G下GetDlgItemTextA的断点了,瞎猜的。然后F9,出现注册框后,输入registered to : pediy,number:12345-6789
然后OK,还真被断下了,Alt + F9回到用户领空,如下 :
0043D93C |. /0F84 10010000 je gsview32.0043DA52
0043D942 |. |E9 32010000 jmp gsview32.0043DA79
0043D947 |> |6A 00 push 0 ; /IsSigned = FALSE
0043D949 |. |6A 00 push 0 ; |pSuccess = NULL
0043D94B |. |68 EB080000 push 8EB ; |ControlID = 8EB (2283.)
0043D950 |. |8B4D 08 mov ecx, dword ptr [ebp+8] ; |
0043D953 |. |51 push ecx ; |hWnd
0043D954 |. |FF15 58334600 call dword ptr [<&USER32.GetDlgItemIn>; \GetDlgItemInt
0043D95A |. |8945 FC mov dword ptr [ebp-4], eax
0043D95D |. |6A 00 push 0 ; /IsSigned = FALSE
0043D95F |. |6A 00 push 0 ; |pSuccess = NULL
0043D961 |. |68 EC080000 push 8EC ; |ControlID = 8EC (2284.)
0043D966 |. |8B55 08 mov edx, dword ptr [ebp+8] ; |
0043D969 |. |52 push edx ; |hWnd
0043D96A |. |FF15 58334600 call dword ptr [<&USER32.GetDlgItemIn>; \GetDlgItemInt
0043D970 |. |8985 F4FEFFFF mov dword ptr [ebp-10C], eax
0043D976 |. |68 00010000 push 100 ; /Count = 100 (256.)
0043D97B |. |8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
0043D981 |. |50 push eax ; |Buffer
0043D982 |. |68 EA080000 push 8EA ; |ControlID = 8EA (2282.)
0043D987 |. |8B4D 08 mov ecx, dword ptr [ebp+8] ; |
0043D98A |. |51 push ecx ; |hWnd
0043D98B |. |FF15 04344600 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0043D991 |. |837D FC 00 cmp dword ptr [ebp-4], 0 ;断到这点
0043D995 |. |74 70 je short gsview32.0043DA07
0043D997 |. |8B55 FC mov edx, dword ptr [ebp-4]
0043D99A |. |52 push edx ; 第一个码框值
0043D99B |. |E8 F0FEFDFF call gsview32.0041D890
0043D9A0 |. |83C4 04 add esp, 4
0043D9A3 |. |3985 F4FEFFFF cmp dword ptr [ebp-10C], eax
0043D9A9 |75 5C jnz short gsview32.0043DA07
0043D9AB |. |8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
0043D9B1 |. |50 push eax ; /String
0043D9B2 |. |FF15 08334600 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
0043D9B8 |. |85C0 test eax, eax
0043D9BA |. |7E 4B jle short gsview32.0043DA07
返回到0043D991,从这点往上看,有两个GetDlgItemInt,猜这两个应该是读取注册码的了。
查这时的EBP为0006EA68,
然后看这两条
0043D95A |. |8945 FC mov dword ptr [ebp-4], eax
在堆栈中查EBP-4 = 0006EA64,值为0x00003039,换成十进制,12345,这就对了
下面这句[ebp-10C]也一样
0043D970 |. |8985 F4FEFFFF mov dword ptr [ebp-10C], eax
0x00001A85 = 6789,PS:在这看到了pediy,输入的名字,瞅一下GetDlgItemTextA
0043D976 |. |68 00010000 push 100 ; /Count = 100 (256.)
0043D97B |. |8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
0043D981 |. |50 push eax ; |Buffer
0043D982 |. |68 EA080000 push 8EA ; |ControlID = 8EA (2282.)
0043D987 |. |8B4D 08 mov ecx, dword ptr [ebp+8] ; |
0043D98A |. |51 push ecx ; |hWnd
0043D98B |. |FF15 04344600 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA
Buffer的地址是[ebp-108],这就和上面对着了
一路F8到0043D998
0043D99B |. |E8 F0FEFDFF call gsview32.0041D890
0043D9A0 |. |83C4 04 add esp, 4
0043D9A3 |. |3985 F4FEFFFF cmp dword ptr [ebp-10C], eax
0043D9A9 |75 5C jnz short gsview32.0043DA07
这时下面有一句jnz short gsview32.0043DA07
看看这点的代码
0043DA07 |> \68 FF000000 push 0FF
0043DA0C |. 8D85 F0FDFFFF lea eax, dword ptr [ebp-210]
0043DA12 |. 50 push eax
0043DA13 |. 68 60030000 push 360
0043DA18 |. E8 C3F2FFFF call gsview32.0043CCE0
0043DA1D |. 83C4 0C add esp, 0C
0043DA20 |. 6A 30 push 30 ; /Style =
0043DA22 |. 68 A0014700 push gsview32.004701A0 ; |Title = "GSview"
0043DA27 |. 8D8D F0FDFFFF lea ecx, dword ptr [ebp-210] ; |
0043DA2D |. 51 push ecx ; |Text
0043DA2E |. 8B55 08 mov edx, dword ptr [ebp+8] ; |
0043DA31 |. 52 push edx ; |hOwner
0043DA32 |. FF15 38344600 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
0043DA38 |> B8 01000000 mov eax, 1
0043DA3D |. EB 40 jmp short gsview32.0043DA7F
看出来是跳到MessageBoxA提示错误了,那上面那个函数,就是关键的了。F7之前先看一下下面两条语句
0043D9A0 |. |83C4 04 add esp, 4
0043D9A3 |. |3985 F4FEFFFF cmp dword ptr [ebp-10C], eax
第一条是平衡栈,第二条,函数的返回值竟然是和我们输入的第二个框的码值比较!!!
好吧F7进入0043D99B |. |E8 F0FEFDFF call gsview32.0041D890
0041D890 /$ 55 push ebp
0041D891 |. 8BEC mov ebp, esp
0041D893 |. 83EC 14 sub esp, 14 ; 局部变量区域(20byte)
0041D896 |. C745 EC 08840>mov dword ptr [ebp-14], 8408
0041D89D |. 8B45 08 mov eax, dword ptr [ebp+8]
0041D8A0 |. 8945 F0 mov dword ptr [ebp-10], eax ; 局部变量tmp,初始值=12345
0041D8A3 |. C745 F8 00000>mov dword ptr [ebp-8], 0 ; tmp1
0041D8AA |. C745 F4 00000>mov dword ptr [ebp-C], 0 ; i
0041D8B1 |. EB 09 jmp short gsview32.0041D8BC
0041D8B3 |> 8B4D F4 /mov ecx, dword ptr [ebp-C] ; ecx = i
0041D8B6 |. 83C1 01 |add ecx, 1 ; i++
0041D8B9 |. 894D F4 |mov dword ptr [ebp-C], ecx
0041D8BC |> 837D F4 20 cmp dword ptr [ebp-C], 20 ; 判断 i 是否 < 0x20 (配合下面的 jnb,循环共执行32次)
0041D8C0 |. 73 35 |jnb short gsview32.0041D8F7
0041D8C2 |. 8B55 F8 |mov edx, dword ptr [ebp-8] ; edx=tmp1
0041D8C5 |. 83E2 01 |and edx, 1 ; edx =edx & 1
0041D8C8 |. 8955 FC |mov dword ptr [ebp-4], edx ; t[ebp-4]
0041D8CB |. 8B45 F8 |mov eax, dword ptr [ebp-8] ; eax = tmp1
0041D8CE |. D1E8 |shr eax, 1 ; eax = eax >> 1
0041D8D0 |. 8B4D F0 |mov ecx, dword ptr [ebp-10] ; ecx = tmp = 12345
0041D8D3 |. 83E1 01 |and ecx, 1 ; ecx = ecx & 1
0041D8D6 |. C1E1 0F |shl ecx, 0F ; ecx = ecx << 15
0041D8D9 |. 03C1 |add eax, ecx
0041D8DB |. 8945 F8 |mov dword ptr [ebp-8], eax ; tmp1 = ((tmp & 1) << 15) + (tmp1 >> 1)
0041D8DE |. 837D FC 01 |cmp dword ptr [ebp-4], 1 ; (t == 1)?
0041D8E2 |. 75 09 |jnz short gsview32.0041D8ED ; if(t == 1)
0041D8E4 |. 8B55 F8 |mov edx, dword ptr [ebp-8]
0041D8E7 |. 3355 EC |xor edx, dword ptr [ebp-14]
0041D8EA |. 8955 F8 |mov dword ptr [ebp-8], edx ; tmp1 = tmp1 ^0x8408
0041D8ED |> 8B45 F0 |mov eax, dword ptr [ebp-10]
0041D8F0 |. D1E8 |shr eax, 1
0041D8F2 |. 8945 F0 |mov dword ptr [ebp-10], eax ; tmp = tmp >> 1
0041D8F5 |.^ EB BC \jmp short gsview32.0041D8B3
0041D8F7 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; eax = tmp1
0041D8FA |. 8BE5 mov esp, ebp
0041D8FC |. 5D pop ebp
0041D8FD \. C3 retn
分析了一下,写成C程序,是下面这
/*
 * Key -- C reconstruction of the routine at gsview32.0041D890.
 *
 * Performs 32 rounds of a bit-serial transform over the bits of `date`,
 * consumed least-significant bit first, while keeping a 16-bit working
 * value: each round shifts the next input bit in at bit 15, shifts the
 * working value right by one, and XORs in 0x8408 when the bit that
 * dropped off the low end was 1.  The shape resembles one step of a
 * reflected CRC-16 (polynomial 0x8408); the listing itself does not
 * name the algorithm, so treat that as an observation, not a fact.
 *
 * Parameter: date - the 32-bit value read from the first dialog field
 *                   (the listing names it `date`; kept for consistency).
 * Returns:   the working value after 32 rounds; always fits in 16 bits.
 *            The trace above shows Key(12345) == 0x5039 (20537).
 */
unsigned int Key(unsigned int date)
{
    unsigned int acc   = 0;     /* [ebp-8]  : working value            */
    unsigned int rest  = date;  /* [ebp-10] : input bits not yet used  */
    int          round = 0;     /* [ebp-C]  : loop counter             */

    while (round < 0x20) {
        /* [ebp-4]: the bit that falls off the low end this round */
        unsigned int carry = acc & 1;

        /* next input bit enters at bit 15; acc < 0x10000 always holds,
         * so the add below cannot interact with the shifted-down bits */
        acc = ((rest & 1) << 15) + (acc >> 1);
        if (carry)
            acc ^= 0x8408u;

        rest >>= 1;
        ++round;
    }

    return acc;
}
变量名就用和在栈里面的一样了,ebp_4,ebp_8,ebp_10
最后返回时,eax里面的值为0x5039(20537)即key(12345)=20537
这也就是说,第二个框里面是20537了,对应于第一个框的12345
后面的不分析了,自己还以为要有对用户名的验证,但是,重新加载后,输入帐号pediy,12345-20537后,直接成功了,什么也没有,关闭后重新打开也不提示注册了。
猜想应该是在注册表里面写东西了,win+R输入regedit,HLM\Software\ghostgum\gsview,里面显示Name :pediy,receipt:0x00003039(12345)
从头想了一下,这只是一个简单的用户注册吧,第一次分析这算法,之前都是直接爆,,,,,对老手来说简单的要死,可是对我这菜鸟来说,还是挺兴奋,嘿嘿