00557344 . 55 push ebp
00557345 . 68 09765500 push unpacked.00557609
0055734A . 64:FF30 push dword ptr fs:[eax]
0055734D . 64:8920 mov dword ptr fs:[eax],esp
00557350 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
00557353 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00557356 . 8B80 F40200>mov eax,dword ptr ds:[eax+2F4]
0055735C . E8 4B72EFFF call unpacked.0044E5AC
00557361 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
00557364 . E8 9BD8EAFF call unpacked.00404C04
00557369 . 83F8 08 cmp eax,8 --------用户名是否等于8位
0055736C . 74 25 je short unpacked.00557393 --------不是则提示用户名错误
0055736E . BA 20765500 mov edx,unpacked.00557620
00557373 . B8 30765500 mov eax,unpacked.00557630
00557378 . E8 1797FBFF call unpacked.00510A94
0055737D . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00557380 . 8B80 F40200>mov eax,dword ptr ds:[eax+2F4]
00557386 . 8B10 mov edx,dword ptr ds:[eax]
00557388 . FF92 C00000>call dword ptr ds:[edx+C0]
0055738E . E9 46020000 jmp unpacked.005575D9
00557393 > 33C0 xor eax,eax
00557395 . 55 push ebp
00557396 . 68 C6735500 push unpacked.005573C6
0055739B . 64:FF30 push dword ptr fs:[eax]
0055739E . 64:8920 mov dword ptr fs:[eax],esp
005573A1 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005573A4 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005573A7 . 8B80 F40200>mov eax,dword ptr ds:[eax+2F4]
005573AD . E8 FA71EFFF call unpacked.0044E5AC
005573B2 . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
005573B5 . E8 2A3FEBFF call unpacked.0040B2E4 -----------判断是否为纯数字。不是则提示用户名出错
现在很清楚了：可以知道软件是以8位纯数字作为用户名。
``````````````````````````````````````````````````````````````````````````````````````````````````````````
软件的验证算法是 f1(用户名) = f2(注册码)，这种算法没有明文比较。
0055746D . E8 3A71EFFF call unpacked.0044E5AC -----取用户名
00557472 . 8B45 D0 mov eax,dword ptr ss:[ebp-30] -----用户名入eax
00557475 . E8 1E21EBFF call unpacked.00409598 -----算法call f7跟进
0055747A . 8945 E8 mov dword ptr ss:[ebp-18],eax -----把用户名经过处理后的值入栈
0055747D . 8955 EC mov dword ptr ss:[ebp-14],edx
00557480 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00557483 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00557486 . 8B80 FC0200>mov eax,dword ptr ds:[eax+2FC]
0055748C . E8 1B71EFFF call unpacked.0044E5AC -----取注册码
00557491 . 8B45 CC mov eax,dword ptr ss:[ebp-34] -----注册码存入eax
00557494 . E8 FF20EBFF call unpacked.00409598 -----又是算法call跟上面的一样
00557499 . 8945 E0 mov dword ptr ss:[ebp-20],eax -----把注册码经过处理后的值入栈
0055749C . 8955 E4 mov dword ptr ss:[ebp-1C],edx
0055749F . 8B45 E0 mov eax,dword ptr ss:[ebp-20] -----把注册码经过处理后的值存入eax
005574A2 . 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
005574A5 . 81F0 C4B3A2>xor eax,1A2B3C4 -----把注册码经过处理后的值与1a2b3c4异或
005574AB . 81F2 000000>xor edx,0
005574B1 . 8945 E0 mov dword ptr ss:[ebp-20],eax ----- 经过异或后的值入栈
005574B4 . 8955 E4 mov dword ptr ss:[ebp-1C],edx
005574B7 . 6A 00 push 0
005574B9 . 6A 13 push 13
005574BB . 8B45 E8 mov eax,dword ptr ss:[ebp-18] 把用户名经过处理后的值出栈存入eax
005574BE . 8B55 EC mov edx,dword ptr ss:[ebp-14]
005574C1 . E8 CAE4EAFF call unpacked.00405990 eax=eax*13h（此处13为十六进制，即十进制19）
005574C6 . 8B0D 484557>mov ecx,dword ptr ds:[574548] ; unpacked.00575F0C
005574CC . 0301 add eax,dword ptr ds:[ecx] eax=eax+bc614a 这个bc614a是从[ecx]读出的常数（低32位，高32位由下一条adc加入）
005574CE . 1351 04 adc edx,dword ptr ds:[ecx+4]
005574D1 . 3B55 E4 cmp edx,dword ptr ss:[ebp-1C]
005574D4 . 75 03 jnz short unpacked.005574D9
005574D6 . 3B45 E0 cmp eax,dword ptr ss:[ebp-20] ------这里是比较f1(用户名)是否等于f2(注册码)
005574D9 > 74 14 je short unpacked.005574EF ------ 相等则跳转到写注册表，之后再次判断
如果在这里爆破，程序会把用户名与注册码存入注册表，再次读出后重新判断。
因无法TNT,只有追注册码了 :(
005574DB . BA 20765500 mov edx,unpacked.00557620
005574E0 . B8 44765500 mov eax,unpacked.00557644
005574E5 . E8 AA95FBFF call unpacked.00510A94 -----出错提示
005574EA . E9 EA000000 jmp unpacked.005575D9
005574EF > 8D55 F8 lea edx,dword ptr ss:[ebp-8]
005574F2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
005574F5 . 8B80 F40200>mov eax,dword ptr ds:[eax+2F4]
005574FB . E8 AC70EFFF call unpacked.0044E5AC
00557500 . 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00557503 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00557506 . 8B80 FC0200>mov eax,dword ptr ds:[eax+2FC]
0055750C . E8 9B70EFFF call unpacked.0044E5AC
00557511 . B2 01 mov dl,1
00557513 . A1 2C0E4700 mov eax,dword ptr ds:[470E2C]
00557518 . E8 0F9AF1FF call unpacked.00470F2C
0055751D . 8BD8 mov ebx,eax
0055751F . BA 02000080 mov edx,80000002
00557524 . 8BC3 mov eax,ebx
00557526 . E8 A19AF1FF call unpacked.00470FCC
0055752B . BA 50765500 mov edx,unpacked.00557650 ; ASCII 10,"Software\Wmsoft\"
00557530 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00557533 . E8 94BCEAFF call unpacked.004031CC
00557538 . 8B15 1C4357>mov edx,dword ptr ds:[57431C] ; unpacked.00575EF4
0055753E . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00557541 . B1 24 mov cl,24
00557543 . E8 54BCEAFF call unpacked.0040319C
00557548 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
0055754B . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0055754E . E8 55D6EAFF call unpacked.00404BA8
00557553 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00557556 . 33C9 xor ecx,ecx
00557558 . 8BC3 mov eax,ebx
0055755A . E8 AD9BF1FF call unpacked.0047110C
0055755F . 84C0 test al,al
00557561 . 74 1E je short unpacked.00557581
00557563 . 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00557566 . BA 6C765500 mov edx,unpacked.0055766C ; ASCII "ID1"
0055756B . 8BC3 mov eax,ebx
0055756D . E8 369DF1FF call unpacked.004712A8
00557572 . 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00557575 . BA 78765500 mov edx,unpacked.00557678 ; ASCII "ID2"
0055757A . 8B