您现在的位置: 骇客基地 >> 黑客文章 >> 黑客攻防 >> 黑客编程 >> 正文

菜鸟学破解之DELPHI编程宝典算法分析历程
骇客基地 阅读: 时间:2005-8-7 18:05:27 来源:www.hookbase.com
  

目标程序DELPHI编程宝典
1)用PEID看了一下,无壳,DELPHI编写
(2)试着输入阅读密码,提示"阅读文书密码错误"
(3)W32DASM反汇编,搜索"阅读文书密码错误"双击来到这里

004AAD35   |.  E8 4A20FFFF     call Delphi编.0049CD84<---------------算法CALL跟进    
004AAD3A   |>  8D95 E4FDFFFF   lea edx,dword ptr ss:[ebp-21C]
004AAD40   |.  8B83 94030000   mov eax,dword ptr ds:[ebx+394]
004AAD46   |.  E8 5159F8FF     call Delphi编.0043069C                  


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD10(C)
|
:004AAD3A 8D95E4FDFFFF            lea edx, dword ptr [ebp+FFFFFDE4]
:004AAD40 8B8394030000            mov eax, dword ptr [ebx+00000394]
:004AAD46 E85159F8FF              call 0043069C
:004AAD4B 8B85E4FDFFFF            mov eax, dword ptr [ebp+FFFFFDE4]<---------------取试炼码EAX    
:004AAD51 8B55FC                  mov edx, dword ptr [ebp-04]<---------------取计算好的注册码EDX    
:004AAD54 E87391F5FF              call 00403ECC<---------------跟进这个CALL可以发现明文密码,也就是上面计算好的,来到这个CALL进行比较
:004AAD59 0F85F0000000            jne 004AAE4F<---------------不相等就提示密码错误
:004AAD5F 33C0                    xor eax, eax
:004AAD61 898328380200            mov dword ptr [ebx+00023828], eax
:004AAD67 8B8304060000            mov eax, dword ptr [ebx+00000604]
:004AAD6D 8B10                    mov edx, dword ptr [eax]
:004AAD6F FF92B4000000            call dword ptr [edx+000000B4]
:004AAD75 3C01                    cmp al, 01
:004AAD77 0F85B8000000            jne 004AAE35<---------------al不等于1就提示成功
:004AAD7D 8D85E0FDFFFF            lea eax, dword ptr [ebp+FFFFFDE0]
:004AAD83 50                      push eax
:004AAD84 8D95DCFDFFFF            lea edx, dword ptr [ebp+FFFFFDDC]
:004AAD8A A128DB4A00              mov eax, dword ptr [004ADB28]
:004AAD8F 8B00                    mov eax, dword ptr [eax]
:004AAD91 E8DA42FAFF              call 0044F070
:004AAD96 8B85DCFDFFFF            mov eax, dword ptr [ebp+FFFFFDDC]
:004AAD9C E81B90F5FF              call 00403DBC
:004AADA1 83E803                  sub eax, 00000003
:004AADA4 50                      push eax
:004AADA5 8D95D8FDFFFF            lea edx, dword ptr [ebp+FFFFFDD8]
:004AADAB A128DB4A00              mov eax, dword ptr [004ADB28]
:004AADB0 8B00                    mov eax, dword ptr [eax]
:004AADB2 E8B942FAFF              call 0044F070
:004AADB7 8B85D8FDFFFF            mov eax, dword ptr [ebp+FFFFFDD8]
:004AADBD BA01000000              mov edx, 00000001
:004AADC2 59                      pop ecx
:004AADC3 E8FC91F5FF              call 00403FC4
:004AADC8 8B95E0FDFFFF            mov edx, dword ptr [ebp+FFFFFDE0]
:004AADCE 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"txt"
                                  |
:004AADD1 B9E8AF4A00              mov ecx, 004AAFE8
:004AADD6 E82D90F5FF              call 00403E08
:004AADDB 8B55F8                  mov edx, dword ptr [ebp-08]
:004AADDE 8D852CFEFFFF            lea eax, dword ptr [ebp+FFFFFE2C]
:004AADE4 E8DDB0F5FF              call 00405EC6
:004AADE9 8D852CFEFFFF            lea eax, dword ptr [ebp+FFFFFE2C]
:004AADEF E872B4F5FF              call 00406266
:004AADF4 E8537AF5FF              call 0040284C
:004AADF9 8D95D4FDFFFF            lea edx, dword ptr [ebp+FFFFFDD4]
:004AADFF 8B8394030000            mov eax, dword ptr [ebx+00000394]
:004AAE05 E89258F8FF              call 0043069C
:004AAE0A 8B95D4FDFFFF            mov edx, dword ptr [ebp+FFFFFDD4]
:004AAE10 8D852CFEFFFF            lea eax, dword ptr [ebp+FFFFFE2C]
:004AAE16 E83993F5FF              call 00404154
:004AAE1B E88BB6F5FF              call 004064AB
:004AAE20 E8277AF5FF              call 0040284C
:004AAE25 8D852CFEFFFF            lea eax, dword ptr [ebp+FFFFFE2C]
:004AAE2B E800B2F5FF              call 00406030
:004AAE30 E8177AF5FF              call 0040284C

 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD77(C)
|
:004AAE35 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"提示"
                                  |
:004AAE37 B958AF4A00              mov ecx, 004AAF58

* Possible StringData Ref from Code Obj ->"现在可阅读全部目录了!"
                                  |
:004AAE3C BAECAF4A00              mov edx, 004AAFEC
:004AAE41 A128DB4A00              mov eax, dword ptr [004ADB28]
:004AAE46 8B00                    mov eax, dword ptr [eax]
:004AAE48 E8B33EFAFF              call 0044ED00
:004AAE4D EB18                    jmp 004AAE67

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD59(C)
|
:004AAE4F 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"提示"
                                  |
:004AAE51 B958AF4A00              mov ecx, 004AAF58

* Possible StringData Ref from Code Obj ->"阅读文书密码错误!"<------------------双击来到这里
                                  |
:004AAE56 BA04B04A00              mov edx, 004AB004
:004AAE5B A128DB4A00              mov eax, dword ptr [004ADB28]
:004AAE60 8B00                    mov eax, dword ptr [eax]
:004AAE62 E8993EFAFF              call 0044ED00


--------------------------------------------------------------------------------
跟进算法CALL

0049CD84   /$  55              push ebp                                ;  右边寄存器显示ECX=机器码,Y14845390524"
EDX="wsy54321`"
0049CD85   |.  8BEC            mov ebp,esp        ;注意1后面还有一个符号(ascii码是60H)
0049CD87   |.  83C4 E4         add esp,-1C
0049CD8A   |.  53              push ebx
0049CD8B   |.  56              push esi
0049CD8C   |.  57              push edi
0049CD8D   |.  33DB            xor ebx,ebx
0049CD8F   |.  895D E4         mov dword ptr ss:[ebp-1C],ebx
0049CD92   |.  895D E8         mov dword ptr ss:[ebp-18],ebx
0049CD95   |.  894D F8         mov dword ptr ss:[ebp-8],ecx            ;  ss:[ebp-8]=机器码
0049CD98   |.  8955 FC         mov dword ptr ss:[ebp-4],edx            ;  ss:[ebp-4]="wsy54321`"
0049CD9B   |.  8B45 FC         mov eax,dword ptr ss:[ebp-4]
0049CD9E   |.  E8 CD71F6FF     call Delphi编.00403F70
0049CDA3   |.  8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049CDA6   |.  E8 C571F6FF     call Delphi编.00403F70
0049CDAB   |.  33C0            xor eax,eax
0049CDAD   |.  55              push ebp
0049CDAE   |.  68 2DCF4900     push Delphi编.0049CF2D
0049CDB3   |.  64:FF30         push dword ptr fs:[eax]
0049CDB6   |.  64:8920         mov dword ptr fs:[eax],esp
0049CDB9   |.  C745 EC 4400000>mov dword ptr ss:[ebp-14],44    ;ss:[ebp-14]=44
0049CDC0   |.  33C0            xor eax,eax
0049CDC2   |.  8945 F4         mov dword ptr ss:[ebp-C],eax
0049CDC5   |.  8D45 E8         lea eax,dword ptr ss:[ebp-18]
0049CDC8   |.  E8 6F6DF6FF     call Delphi编.00403B3C
*************************************************************************************************
0049CDCD   |.  8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049CDD0   |.  E8 E76FF6FF     call Delphi编.00403DBC
0049CDD5   |.  8BF0            mov esi,eax                             ;  机器码长度到ESI
0049CDD7   |.  85F6            test esi,esi
0049CDD9   |.  7E 14           jle short Delphi编.0049CDEF
0049CDDB   |.  BB 01000000     mov ebx,1
0049CDE0   |>  8B45 F8         /mov eax,dword ptr ss:[ebp-8]
0049CDE3   |.  0FB64418 FF     |movzx eax,byte ptr ds:[eax+ebx-1]      ;  EAX=59('Y')
0049CDE8   |.  0145 F4         |add dword ptr ss:[ebp-C],eax
0049CDEB   |.  43              |inc ebx
0049CDEC   |.  4E              |dec esi
0049CDED   |.^ 75 F1           \jnz short Delphi编.0049CDE0
跟了一遍这个循环,发现是机器码的逐位相加(ASCII码的16进制)保存到SS:[EBP-C]
***************************************************************************************************
——————————————————————————————————————————————————
0049CDEF   |>  33C0            xor eax,eax
0049CDF1   |.  8945 F0         mov dword ptr ss:[ebp-10],eax    ;SS:[EBP-10]=0
0049CDF4   |.  8B45 FC         mov eax,dword ptr ss:[ebp-4]    ;EAX="WSY54321`"
0049CDF7   |.  E8 C06FF6FF     call Delphi编.00403DBC      ;取上面字符串的长度
0049CDFC   |.  8BF0            mov esi,eax        ;长度=9到ESI
0049CDFE   |.  85F6            test esi,esi
0049CE00   |.  7E 14           jle short Delphi编.0049CE16
0049CE02   |.  BB 01000000     mov ebx,1
0049CE07   |>  8B45 FC         /mov eax,dword ptr ss:[ebp-4]
0049CE0A   |.  0FB64418 FF     |movzx eax,byte ptr ds:[eax+ebx-1]
0049CE0F   |.  0145 F0         |add dword ptr ss:[ebp-10],eax
0049CE12   |.  43              |inc ebx
0049CE13   |.  4E              |dec esi
0049CE14   |.^ 75 F1           \jnz short Delphi编.0049CE07
跟了一遍这个循环,发现是WSY54321`每一位的十六进制ASCII码逐位相加保存到ss:[ebp-10]
——————————————————————————————————————————————————从这里开始又是一个循环
0049CE16   |>  8B45 FC         mov eax,dword ptr ss:[ebp-4]    ;EAX="wsy54321'"
0049CE19   |.  E8 9E6FF6FF     call Delphi编.00403DBC      取"wsy54321'"长度
0049CE1E   |.  8BF0            mov esi,eax        长度保存到ESI
0049CE20   |.  85F6            test esi,esi        测试ESI  是否等于0   
0049CE22   |.  0F8E D2000000   jle Delphi编.0049CEFA      小于跳出循环
0049CE28   |.  BB 01000000     mov ebx,1        EBX=1(计数器)
0049CE2D   |>  8B45 F8         /mov eax,dword ptr ss:[ebp-8]    EAX=机器码
0049CE30   |.  E8 876FF6FF     |call Delphi编.00403DBC      取机器码长度
0049CE35   |.  83E8 06         |sub eax,6        EAX=长度-6
0049CE38   |.  3BD8            |cmp ebx,eax        计数器EBX和EAX做比较
0049CE3A   |.  7D 4D           |jge short Delphi编.0049CE89    大于跳到下面第29行开始执行
0049CE3C   |.  8D43 05         |lea eax,dword ptr ds:[ebx+5]    EAX=6
0049CE3F   |.  8B55 FC         |mov edx,dword ptr ss:[ebp-4]    EDX="wsy54321'" 
0049CE42   |.  0FB6541A FF     |movzx edx,byte ptr ds:[edx+ebx-1]  取上面字符串第一位的十六进制ASCII码(w就是77)到EDX
0049CE47   |.  F7EA            |imul edx        ;EDX(77)*EAX
0049CE49   |.  03C3            |add eax,ebx        ;EAX=EAX+EBX=2CA+1
0049CE4B   |.  8B55 F8         |mov edx,dword ptr ss:[ebp-8]    ;EDX=机器码
0049CE4E   |.  0FB6541A 03     |movzx edx,byte ptr ds:[edx+ebx+3]  ;机器码第5位开始的十六进制ASCII码(34)到EDX,
0049CE53   |.  F7EA            |imul edx        ;EDX(34)*EAX
0049CE55   |.  8BCB            |mov ecx,ebx        ;ECX=EBX=1
0049CE57   |.  03C9            |add ecx,ecx        ;ECX=ECX+ECX=2
0049CE59   |.  8BD1            |mov edx,ecx        ;EDX=ECX=2
0049CE5B   |.  0FAF55 EC       |imul edx,dword ptr ss:[ebp-14]    ;EDX=EDX*44=88    ;在上面已经被赋值为44,循环过程中不变
0049CE5F   |.  03C2            |add eax,edx        ;EAX=EAX+EDX=913C+88
0049CE61   |.  0FAFCB          |imul ecx,ebx        ;ECX=ECX*EBX=1*2
0049CE64   |.  83C1 0D         |add ecx,0D        ;ECX=ECX+0D=2+0D=F
0049CE67   |.  0FAF4D F4       |imul ecx,dword ptr ss:[ebp-C]    ;ECX=ECX*296=26CA     ;ss:[ebp-C]是上面计算好的结果 
0049CE6B   |.  03C1            |add eax,ecx        ;EAX=EAX+ECX=91C4+26CA 
0049CE6D   |.  8D145B          |lea edx,dword ptr ds:[ebx+ebx*2]  ;EDX=03      ;与[ebx+ebx*2]计算出来的值一样
0049CE70   |.  83C2 0C         |add edx,0C        ;EDX=EDX+0C=F
0049CE73   |.  0FAF55 F0       |imul edx,dword ptr ss:[ebp-10]    ;EDX=EDX*2C2   ;ss:[ebp-10]也是上面计算好的结果
0049CE77   |.  03C2            |add eax,edx        ;EAX=EAX+EDX=B88E+295E
0049CE79   |.  BA 72000000     |mov edx,72        ;EDX=72
0049CE7E   |.  2BD3            |sub edx,ebx        ;EDX=EDX-EBX=72-1
0049CE80   |.  8BCA            |mov ecx,edx        ;ECX=EDX=71
0049CE82   |.  99              |cdq
0049CE83   |.  F7F9            |idiv ecx        ;EAX/ECX
0049CE85   |.  8BFA            |mov edi,edx        ;EDI=EDX=5D(余数到EDI)
0049CE87   |.  EB 49           |jmp short Delphi编.0049CED2    ;跳到CMP EDI,23处执行
************************************************************这部分是EBX>6的时候的算法**********
0049CE89   |>  8BCB            |mov ecx,ebx        ;这里就是与(大于跳到下面第29行开始执行)对应的
0049CE8B   |.  C1E1 02         |shl ecx,2
0049CE8E   |.  8BC1            |mov eax,ecx
0049CE90   |.  83C0 08         |add eax,8
0049CE93   |.  8B55 FC         |mov edx,dword ptr ss:[ebp-4]
0049CE96   |.  0FB6541A FF     |movzx edx,byte ptr ds:[edx+ebx-1]
0049CE9B   |.  8BFA            |mov edi,edx
0049CE9D   |.  C1E2 03         |shl edx,3
0049CEA0   |.  2BD7            |sub edx,edi
0049CEA2   |.  03C2            |add eax,edx
0049CEA4   |.  8B55 F4         |mov edx,dword ptr ss:[ebp-C]
0049CEA7   |.  C1E2 03         |shl edx,3
0049CEAA   |.  03C2            |add eax,edx
0049CEAC   |.  8B55 F0         |mov edx,dword ptr ss:[ebp-10]
0049CEAF   |.  8D14D2          |lea edx,dword ptr ds:[edx+edx*8]
0049CEB2   |.  03C2            |add eax,edx
0049CEB4   |.  8BD3            |mov edx,ebx
0049CEB6   |.  0FAFD3          |imul edx,ebx
0049CEB9   |.  03C2            |add eax,edx
0049CEBB   |.  0FAF4D EC       |imul ecx,dword ptr ss:[ebp-14]
0049CEBF   |.  83C1 17         |add ecx,17
0049CEC2   |.  F7E9            |imul ecx
0049CEC4   |.  BA 77000000     |mov edx,77
0049CEC9   |.  2BD3            |sub edx,ebx
0049CECB   |.  8BCA            |mov ecx,edx
0049CECD   |.  99              |cdq
0049CECE   |.  F7F9            |idiv ecx
0049CED0   |.  8BFA            |mov edi,edx
****************************************************************这部分是EBX>6的时候的算法(下同)**************

0049CED2   |>  83FF 23         |cmp edi,23        ;余数EDI(5D)和23做比较
0049CED5   |.  7D 06           |jge short Delphi编.0049CEDD    ;大于跳到下面第三行
0049CED7   |.  8D443B 22       |lea eax,dword ptr ds:[ebx+edi+22]  ;小于的话EAX=EBX+EDI+22
0049CEDB   |.  8BF8            |mov edi,eax        ;EAX到EDI也就是阅读密码的十六进制进制的ASCII码
0049CEDD   |>  8D45 E4         |lea eax,dword ptr ss:[ebp-1C]
0049CEE0   |.  8BD7            |mov edx,edi        ;大于的时候把EDI保存到EDX就是阅读密码的十六进制进制的ASCII码
0049CEE2   |.  E8 FD6DF6FF     |call Delphi编.00403CE4
0049CEE7   |.  8B55 E4         |mov edx,dword ptr ss:[ebp-1C]
0049CEEA   |.  8D45 E8         |lea eax,dword ptr ss:[ebp-18]
0049CEED   |.  E8 D26EF6FF     |call Delphi编.00403DC4
0049CEF2   |.  43              |inc ebx          ;计数器EBX+1
0049CEF3   |.  4E              |dec esi          ;计数器ESI-1
0049CEF4   |.^ 0F85 33FFFFFF   \jnz Delphi编.0049CE2D      不相等跳到上面继续循环
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0049CEFA   |>  8B45 08         mov eax,dword ptr ss:[ebp+8]
0049CEFD   |.  8B55 E8         mov edx,dword ptr ss:[ebp-18]      ;计算好的阅读密码到EDX
0049CF00   |.  E8 8B6CF6FF     call Delphi编.00403B90
0049CF05   |.  33C0            xor eax,eax
0049CF07   |.  5A              pop edx
0049CF08   |.  59              pop ecx
0049CF09   |.  59              pop ecx
0049CF0A   |.  64:8910         mov dword ptr fs:[eax],edx
0049CF0D   |.  68 34CF4900     push Delphi编.0049CF34
0049CF12   |>  8D45 E4         lea eax,dword ptr ss:[ebp-1C]
0049CF15   |.  BA 02000000     mov edx,2
0049CF1A   |.  E8 416CF6FF     call Delphi编.00403B60
0049CF1F   |.  8D45 F8         lea eax,dword ptr ss:[ebp-8]
0049CF22   |.  BA 02000000     mov edx,2
0049CF27   |.  E8 346CF6FF     call Delphi编.00403B60
0049CF2C   \.  C3              retn

本人程序表达能力欠佳,想了好久都不能把上面的过程写出来,只能用笔慢慢算了,希望有人给我写一个,我对应的十六进制的ASCII码依次是5D,65,42,2B,66,4B,53,1A,61,转换过来也就是]eB+fKS*a,程序比较过程中虽然出现了明文,但是我为了锻炼一下自己的分析能力,所以跟了一遍,还请不要见笑哦   

 

今天广告
参与评论:
注意事项:
【菜鸟学破解之DELPHI编程宝典算法分析历程】文章由骇客基地网上搜集,其立场行为并不代表本站。
如果您发现该文章若无意中侵犯到您的权利,请联系我们!
未经本站明确许可,任何网站不得非法盗链及抄袭本站资源;如引用页面,请注明来自本站,谢谢您的支持!
最近更新
最新推荐
     
 
黑客首页 | 服务指南 | 软件发布  | 关于我们 | 本站声明  | 隐私声明 | 诚征英才 | 网站地图 | 友情链接 |
 
 
中国·黑客·骇客·基地 请使用IE6.0版本, 分辩率1024×768进行浏览 www.hookbase.com 站长:利客 Email:hookbase@163.com
Copyright © 2004-2009 All Rights Reserved. 粤ICP备05000985号