Title: [Original] 1st Security Agent V7.1 Algorithm Analysis
Author: foresee
Date: 2007-05-21, 11:48
Link:
[Article title]: 1st Security Agent V7.1 Algorithm Analysis
[Article author]: foresee
[Author email]: vangjian@hotmail.com
[Author homepage]: ******
[Author QQ]: ******
[Software name]: 1st Security Agent V7.1
[Download link]:
[Packer]: none
[Protection]: serial number
[Language]: Borland Delphi 6.0 - 7.0
[Tools used]: OD (OllyDbg)
[Software description]: protect and secure Windows PC
[Author's note]: Just out of interest, no other purpose.
--------------------------------------------------------------------------------
[Detailed process]
Run the program first; it prompts for a serial number. Enter anything and it displays "This Registration Colde Is Invalid". Close the program and load it into OD.
004D5008 >/$ 55 push ebp
004D5009 |. 8BEC mov ebp, esp
004D500B |. 83C4 EC add esp, -14
004D500E |. 33C0 xor eax, eax
004D5010 |. 8945 EC mov dword ptr [ebp-14], eax
004D5013 |. B8 404C4D00 mov eax, 004D4C40
004D5018 |. E8 8319F3FF call 004069A0
004D501D |. 33C0 xor eax, eax
004D501F |. 55 push ebp
004D5020 |. 68 81514D00 push 004D5181
004D5025 |. 64:FF30 push dword ptr fs:[eax]
004D5028 |. 64:8920 mov dword ptr fs:[eax], esp
004D502B |. A1 08814D00 mov eax, dword ptr [4D8108]
004D5030 |. 8B00 mov eax, dword ptr [eax]
004D5032 |. E8 F564FBFF call 0048B52C
004D5037 |. 68 90514D00 push 004D5190 ; /MsgName = "XX0MZZIARRSS04121972"
004D503C |. E8 2B26F3FF call <jmp.&user32.RegisterWindowMessa>; \RegisterWindowMessageA
004D5041 |. 8B15 84804D00 mov edx, dword ptr [4D8084] ; newadmin.004D9DA4
004D5047 |. 8902 mov dword ptr [edx], eax
004D5049 |. E8 9AFAFFFF call 004D4AE8
004D504E |. 3C 06 cmp al, 6
004D5050 |. 75 0A jnz short 004D505C
004D5052 |. E8 C5E8FFFF call 004D391C
004D5057 |. E9 0F010000 jmp 004D516B
004D505C |> E8 87FAFFFF call 004D4AE8
004D5061 |. 3C 03 cmp al, 3
004D5063 |. 75 17 jnz short 004D507C
Set a breakpoint with bpx MESSAGEBOXA, press F9 to run, enter the serial number 123456789, click OK, and it breaks at the following location.
0048B83A |. E8 D5BDF7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA  breaks here; F8 to step over, and the registration-error window pops up
0048B83F |. 8945 F8 mov dword ptr [ebp-8], eax ;
0048B842 |. 33C0 xor eax, eax ;
0048B844 |. 5A pop edx ;
0048B845 |. 59 pop ecx
0048B846 |. 59 pop ecx
0048B847 |. 64:8910 mov dword ptr fs:[eax], edx
0048B84A |. 68 B0B84800 push 0048B8B0
0048B84F |> 8B45 EC mov eax, dword ptr [ebp-14]
0048B852 |. 3B45 E8 cmp eax, dword ptr [ebp-18]
0048B855 |. 74 38 je short 0048B88F
0048B857 |. 6A 1D push 1D
0048B859 |. 6A 00 push 0
0048B85B |. 6A 00 push 0
0048B85D |. 8B4D B8 mov ecx, dword ptr [ebp-48]
0048B860 |. 8B55 B0 mov edx, dword ptr [ebp-50]
0048B863 |. 2BCA sub ecx, edx
0048B865 |. D1F9 sar ecx, 1
0048B867 |. 79 03 jns short 0048B86C
0048B869 |. 83D1 00 adc ecx, 0
0048B86C |> 03CA add ecx, edx
0048B86E |. 51 push ecx
0048B86F |. 8B55 B4 mov edx, dword ptr [ebp-4C]
0048B872 |. 8B45 AC mov eax, dword ptr [ebp-54]
0048B875 |. 2BD0 sub edx, eax
0048B877 |. D1FA sar edx, 1
0048B879 |. 79 03 jns short 0048B87E
0048B87B |. 83D2 00 adc edx, 0
0048B87E |> 03D0 add edx, eax ; |
0048B880 |. 52 push edx ; |X
0048B881 |. 6A 00 push 0 ; |InsertAfter = HWND_TOP
0048B883 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
0048B886 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0048B889 |. 50 push eax ; |hWnd
0048B88A |. E8 ADBEF7FF call <jmp.&user32.SetWindowPos> ; \SetWindowPos
0048B88F |> 8B45 F0 mov eax, dword ptr [ebp-10]
0048B892 |. E8 256BFFFF call 004823BC
0048B897 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0048B89A |. 50 push eax ; /hWnd
0048B89B |. E8 0CBEF7FF call <jmp.&user32.SetActiveWindow> ; \SetActiveWindow
0048B8A0 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0048B8A3 |. E8 8469FFFF call 0048222C
0048B8A8 \. C3 retn
The serial number has already been checked by this point, so step onward and find the retn to leave this routine; we arrive at this section.
0049AAA4 /$ 55 push ebp
0049AAA5 |. 8BEC mov ebp, esp
0049AAA7 |. 83C4 F8 add esp, -8
0049AAAA |. 33D2 xor edx, edx
0049AAAC |. 8955 F8 mov dword ptr [ebp-8], edx
0049AAAF |. 8945 FC mov dword ptr [ebp-4], eax
0049AAB2 |. 8B45 FC mov eax, dword ptr [ebp-4]
0049AAB5 |. E8 0EA2F6FF call 00404CC8
0049AABA |. 33C0 xor eax, eax
0049AABC |. 55 push ebp
0049AABD |. 68 12AB4900 push 0049AB12
0049AAC2 |. 64:FF30 push dword ptr fs:[eax]
0049AAC5 |. 64:8920 mov dword ptr fs:[eax], esp
0049AAC8 |. 6A 10 push 10
0049AACA |. 8D55 F8 lea edx, dword ptr [ebp-8]
0049AACD |. B8 28AB4900 mov eax, 0049AB28 ; ASCII "L_ERROR"
0049AAD2 |. E8 DDF0FFFF call 00499BB4
0049AAD7 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0049AADA |. E8 F9A1F6FF call 00404CD8
0049AADF |. 50 push eax
0049AAE0 |. 8B45 FC mov eax, dword ptr [ebp-4]
0049AAE3 |. E8 F0A1F6FF call 00404CD8
0049AAE8 |. 8BD0 mov edx, eax
0049AAEA |. A1 08814D00 mov eax, dword ptr [4D8108]
0049AAEF |. 8B00 mov eax, dword ptr [eax]
0049AAF1 |. 59 pop ecx
0049AAF2 |. E8 5D0CFFFF call 0048B754 ; this call is the one that invokes the registration-error code
0049AAF7 |. 33C0 xor eax, eax
0049AAF9 |. 5A pop edx
0049AAFA |. 59 pop ecx
0049AAFB |. 59 pop ecx
0049AAFC |. 64:8910 mov dword ptr fs:[eax], edx
0049AAFF |. 68 19AB4900 push 0049AB19
0049AB04 |> 8D45 F8 lea eax, dword ptr [ebp-8]
0049AB07 |. BA 02000000 mov edx, 2
0049AB0C |. E8 2B9DF6FF call 0040483C
0049AB11 \. C3 retn
Clear the earlier breakpoints and set one at 0049AAA4. After running, it breaks here; trace with F8. The serial number turns out to have been checked already, not in this section, so leave via retn and arrive here.
004A97CF |> \33C0 xor eax, eax
004A97D1 |. 5A pop edx
004A97D2 |. 59 pop ecx
004A97D3 |. 59 pop ecx
004A97D4 |. 64:8910 mov dword ptr fs:[eax], edx
004A97D7 |. 68 06984A00 push 004A9806
004A97DC |> 8D45 CC lea eax, dword ptr [ebp-34]
004A97DF |. BA 0A000000 mov edx, 0A
004A97E4 |. E8 53B0F5FF call 0040483C
004A97E9 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004A97EC |. E8 27B0F5FF call 00404818
004A97F1 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004A97F4 |. BA 02000000 mov edx, 2
004A97F9 |. E8 3EB0F5FF call 0040483C
Looking upward from here, the following is this section of code.
004A9696 |. 55 push ebp
004A9697 |. 68 FF974A00 push 004A97FF
004A969C |. 64:FF30 push dword ptr fs:[eax]
004A969F |. 64:8920 mov dword ptr fs:[eax], esp
004A96A2 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004A96A5 |. 8B86 48030000 mov eax, dword ptr [esi+348]
004A96AB |. E8 740BFCFF call 0046A224
004A96B0 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004A96B3 |. 8D55 F8 lea edx, dword ptr [ebp-8]
004A96B6 |. E8 E135FEFF call 0048CC9C
004A96BB |. 8B55 F8 mov edx, dword ptr [ebp-8] ; the fake serial number entered by the user
004A96BE |. B8 4C9D4D00 mov eax, 004D9D4C
004A96C3 |. E8 A4B1F5FF call 0040486C
004A96C8 |. E8 FBFDFFFF call 004A94C8 ; the key call; step into it
004A96CD |. 8BD8 mov ebx, eax
004A96CF |. 84DB test bl, bl
004A96D1 |. 0F84 D9000000 je 004A97B0
004A96D7 |. C686 70030000>mov byte ptr [esi+370], 1
004A96DE |. 8D45 FC lea eax, dword ptr [ebp-4]
004A96E1 |. 50 push eax
004A96E2 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004A96E5 |. B8 18984A00 mov eax, 004A9818 ; ASCII "BF8A83B980"
004A96EA |. E8 394AFEFF call 0048E128
004A96EF |. 8B45 F0 mov eax, dword ptr [ebp-10]
004A96F2 |. 50 push eax
004A96F3 |. 8D55 EC lea edx, dword ptr [ebp-14]
004A96F6 |. B8 2C984A00 mov eax, 004A982C ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
004A96FB |. E8 284AFEFF call 0048E128
004A9700 |. 8B55 EC mov edx, dword ptr [ebp-14] ; registry key "Software\Microsoft\DRMRSX"
004A9703 |. A1 549D4D00 mov eax, dword ptr [4D9D54]
004A9708 |. 59 pop ecx
004A9709 |. E8 A680FEFF call 004917B4
004A970E |. 8D55 E8 lea edx, dword ptr [ebp-18]
004A9711 |. A1 4C9D4D00 mov eax, dword ptr [4D9D4C]
004A9716 |. E8 7149FEFF call 0048E08C
004A971B |. 8B45 E8 mov eax, dword ptr [ebp-18]
004A971E |. 50 push eax
004A971F |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004A9722 |. B8 68984A00 mov eax, 004A9868 ; ASCII "BF9D9FAE999E"
004A9727 |. E8 FC49FEFF call 0048E128
004A972C |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004A972F |. 50 push eax
004A9730 |. 8D45 E0 lea eax, dword ptr [ebp-20]
004A9733 |. 50 push eax
004A9734 |. B8 2C984A00 mov eax, 004A982C ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
004A9739 |. 5A pop edx
004A973A |. E8 E949FEFF call 0048E128
004A973F |. 8B55 E0 mov edx, dword ptr [ebp-20]
004A9742 |. A1 549D4D00 mov eax, dword ptr [4D9D54]
004A9747 |. 59 pop ecx
004A9748 |. E8 A781FEFF call 004918F4
004A974D |. 837D FC 00 cmp dword ptr [ebp-4], 0
004A9751 |. 75 46 jnz short 004A9799
004A9753 |. E8 6C16F6FF call 0040ADC4
004A9758 |. 83C4 F8 add esp, -8
004A975B |. DD1C24 fstp qword ptr [esp]
004A975E |. 9B wait
004A975F |. 8D45 DC lea eax, dword ptr [ebp-24]
004A9762 |. E8 014CFEFF call 0048E368
004A9767 |. 8B45 DC mov eax, dword ptr [ebp-24]
004A976A |. 50 push eax
004A976B |. 8D55 D8 lea edx, dword ptr [ebp-28]
004A976E |. B8 18984A00 mov eax, 004A9818 ; ASCII "BF8A83B980"
004A9773 |. E8 B049FEFF call 0048E128
004A9778 |. 8B45 D8 mov eax, dword ptr [ebp-28]
004A977B |. 50 push eax
004A977C |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004A977F |. 50 push eax
004A9780 |. B8 2C984A00 mov eax, 004A982C ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
004A9785 |. 5A pop edx
004A9786 |. E8 9D49FEFF call 0048E128
004A978B |. 8B55 D4 mov edx, dword ptr [ebp-2C]
004A978E |. A1 549D4D00 mov eax, dword ptr [4D9D54]
004A9793 |. 59 pop ecx
004A9794 |. E8 5B81FEFF call 004918F4
004A9799 |> 8D55 D0 lea edx, dword ptr [ebp-30]
004A979C |. B8 80984A00 mov eax, 004A9880 ; ASCII "M_THANKS"
004A97A1 |. E8 0E04FFFF call 00499BB4
004A97A6 |. 8B45 D0 mov eax, dword ptr [ebp-30]
004A97A9 |. E8 8213FFFF call 0049AB30
004A97AE |. EB 1F jmp short 004A97CF
004A97B0 |> B8 4C9D4D00 mov eax, 004D9D4C
004A97B5 |. E8 5EB0F5FF call 00404818
004A97BA |. 8D55 CC lea edx, dword ptr [ebp-34]
004A97BD |. B8 94984A00 mov eax, 004A9894 ; ASCII "M_BADCODE"
004A97C2 |. E8 ED03FFFF call 00499BB4
004A97C7 |. 8B45 CC mov eax, dword ptr [ebp-34]
004A97CA |. E8 D512FFFF call 0049AAA4
Finally we reach the core. Set a breakpoint at 004A9696; the code is analyzed above. The key call is at 004A96C8; step into it with F7.
004A94C8 /$ 53 push ebx
004A94C9 |. 56 push esi
004A94CA |. 57 push edi
004A94CB |. BF 4C9D4D00 mov edi, 004D9D4C
004A94D0 |. 33F6 xor esi, esi
004A94D2 |. 33DB xor ebx, ebx
004A94D4 |. 8B07 mov eax, dword ptr [edi]
004A94D6 |. E8 FDB5F5FF call 00404AD8
004A94DB |. 83F8 0E cmp eax, 0E ; the key jump: the entered serial number must be 14 characters long
004A94DE |. 75 67 jnz short 004A9547 ; if not, nothing further is computed and registration fails directly
004A94E0 |. 8B07 mov eax, dword ptr [edi]
004A94E2 |. 8038 31 cmp byte ptr [eax], 31 ; compare the first character with '1'; true if equal
004A94E5 |. 0F94C0 sete al
004A94E8 |. 83E0 7F and eax, 7F
004A94EB |. 03F0 add esi, eax
004A94ED |. 8B07 mov eax, dword ptr [edi]
004A94EF |. 8078 02 32 cmp byte ptr [eax+2], 32 ; same comparison process as above, and likewise for the rest
004A94F3 |. 0F94C0 sete al
004A94F6 |. 83E0 7F and eax, 7F
004A94F9 |. 03F0 add esi, eax
004A94FB |. 8B07 mov eax, dword ptr [edi]
004A94FD |. 8078 03 31 cmp byte ptr [eax+3], 31
004A9501 |. 0F94C0 sete al
004A9504 |. 83E0 7F and eax, 7F
004A9507 |. 03F0 add esi, eax
004A9509 |. 8B07 mov eax, dword ptr [edi]
004A950B |. 8078 04 39 cmp byte ptr [eax+4], 39
004A950F |. 0F94C0 sete al
004A9512 |. 83E0 7F and eax, 7F
004A9515 |. 03F0 add esi, eax
004A9517 |. 8B07 mov eax, dword ptr [edi]
004A9519 |. 8078 07 30 cmp byte ptr [eax+7], 30
004A951D |. 0F94C0 sete al
004A9520 |. 83E0 7F and eax, 7F
004A9523 |. 03F0 add esi, eax
004A9525 |. 8B07 mov eax, dword ptr [edi]
004A9527 |. 8078 08 35 cmp byte ptr [eax+8], 35
004A952B |. 0F94C0 sete al
004A952E |. 83E0 7F and eax, 7F
004A9531 |. 03F0 add esi, eax
004A9533 |. 8B07 mov eax, dword ptr [edi]
004A9535 |. 8078 0A 33 cmp byte ptr [eax+A], 33
004A9539 |. 0F94C0 sete al
004A953C |. 83E0 7F and eax, 7F
004A953F |. 03F0 add esi, eax
004A9541 |. 83FE 07 cmp esi, 7
004A9544 |. 0F94C3 sete bl
004A9547 |> 8BC3 mov eax, ebx
004A9549 |. 5F pop edi
004A954A |. 5E pop esi
004A954B |. 5B pop ebx
004A954C \. C3 retn
Summary of the registration algorithm:
1. The registration code is 14 characters long.
2. The registration code has the format 1X219XX05X3XXX (X stands for any digit).
3. As long as the digits fixed above are left unchanged, X can be filled in arbitrarily and registration succeeds.
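The check at 004A94C8, modeled in Python as an added example (this is not the program's own code, nor code from the article); the offsets and immediates are taken from the cmp instructions in the listing above, and it assumes the compared bytes are the ASCII characters of the entered string.

```python
# Added example, not code from the program or the article: a Python model of the
# check at 004A94C8, built only from the cmp instructions in the listing.
# Assumption: the compared bytes are the ASCII characters of the entered string.

# Offsets and immediates copied from the "cmp byte ptr [eax+N], imm8" lines.
FIXED_BYTES = {0: 0x31, 2: 0x32, 3: 0x31, 4: 0x39, 7: 0x30, 8: 0x35, 10: 0x33}
REQUIRED_LENGTH = 0x0E          # cmp eax, 0E


def check_serial(serial: bytes) -> bool:
    """Return True where the routine returns al == 1 (ebx set by sete bl)."""
    if len(serial) != REQUIRED_LENGTH:
        return False            # jnz 004A9547: ebx is still 0, no further checks
    matches = 0
    for offset, expected in FIXED_BYTES.items():
        # sete al / and eax, 7F / add esi, eax: esi += 1 if the byte matches
        matches += int(serial[offset] == expected)
    return matches == 7         # cmp esi, 7 / sete bl


def accepted_pattern() -> str:
    """Render the shape the check enforces; positions never read are shown as X."""
    return "".join(chr(FIXED_BYTES[i]) if i in FIXED_BYTES else "X"
                   for i in range(REQUIRED_LENGTH))


def unread_offsets() -> list:
    """Positions the routine never loads; their content has no effect at all."""
    return [i for i in range(REQUIRED_LENGTH) if i not in FIXED_BYTES]


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(accepted_pattern())                # 1X219XX05X3XXX
    print(check_serial(b"123456789"))        # False: wrong length
    print(unread_offsets())                  # [1, 5, 6, 9, 11, 12, 13]
```

The model makes the weakness visible: the routine compares constants at fixed offsets and binds nothing to the user or the machine, so half of the 14 positions are never even loaded.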
--------------------------------------------------------------------------------
[Lessons learned]
This software's algorithm is fairly simple and direct. I wrote this article after reading sliphades's analysis of version 6.4; version 7.1 has basically not changed much from 6.4. I hope it helps newcomers.
--------------------------------------------------------------------------------
[Copyright notice]: When reposting, please credit the author and keep the article intact. Thank you!
May 21, 2007, 12:52:00 AM