Assumptions:
User ID: 222961388
Registration code entered (deliberately wrong, to reach the failure branch): 654321
I. Unpack first, then locate the error message in the disassembly listing.
* referenced by a (u)nconditional or (c)onditional jump at address:
|:0047a05c(c)
|
:0047a19f 6830000400 push 00040030
:0047a1a4 b908a24700 mov ecx, 0047a208
* possible stringdata ref from code obj ->"注册码无效!" (Invalid registration code!)
|
:0047a1a9 ba6ca24700 mov edx, 0047a26c
:0047a1ae a1e8794b00 mov eax, dword ptr [004b79e8]
:0047a1b3 8b00 mov eax, dword ptr [eax]
:0047a1b5 e8a22afdff call 0044cc5c
:0047a1ba 8b86e8020000 mov eax, dword ptr [esi+000002e8]
:0047a1c0 8b10 mov edx, dword ptr [eax]
:0047a1c2 ff92cc000000 call dword ptr [edx+000000cc]
Looking upward from the failure message to the jump that reaches it:
0047a053 8b55f8 mov edx, dword ptr [ebp-08]==> set the breakpoint here
:0047a056 58 pop eax
:0047a057 e8489ef8ff call 00403ea4
:0047a05c 0f853d010000 jne 0047a19f=========> taken when the compare fails, lands on the "invalid" message
:0047a062 6840000400 push 00040040
:0047a067 b908a24700 mov ecx, 0047a208
* possible stringdata ref from code obj ->"注册成功!请保留好您的注册码,谢谢!" (Registration successful! Please keep your registration code safe, thank you!)
|
II. Load the unpacked binary into OllyDbg for dynamic analysis. Comments at the right are the register values observed at the breakpoint.
0047a002 |. 8b1d 28784b00 mov ebx,dword ptr ds:[4b7828] ; unpacked.004b8930
0047a008 |. 33c0 xor eax,eax
0047a00a |. 55 push ebp
0047a00b |. 68 fba14700 push unpacked.0047a1fb
0047a010 |. 64:ff30 push dword ptr fs:[eax]
0047a013 |. 64:8920 mov dword ptr fs:[eax],esp
0047a016 |. 6a 00 push 0 ; high dword of the 64-bit multiplier
0047a018 |. 6a 1b push 1b ; low dword of the multiplier: 0x1b = 27
0047a01a |. e8 a9fdffff call unpacked.00479dc8 ; user ID is returned in eax (hex display): eax=0d4a1eec
0047a01f |. 2d 1f17f601 sub eax,1f6171f ; subtract 0x1f6171f: eax=b5407cd
0047a024 |. 83da 00 sbb edx,0 ; propagate the borrow into the high dword (64-bit subtract)
0047a027 |. e8 44c5f8ff call unpacked.00406570 ; 64-bit multiply of b5407cd by 1b: result 131dcd29f, held as edx:eax = 00000001:31dcd29f
0047a02c |. 52 push edx ; /arg2
0047a02d |. 50 push eax ; |arg1
0047a02e |. 8d45 fc lea eax,dword ptr ss:[ebp-4] ; |
0047a031 |. e8 6ae9f8ff call unpacked.004089a0 ; \converts the 64-bit value edx:eax (131dcd29f) to a decimal string: 5131522719
0047a036 |. 8b45 fc mov eax,dword ptr ss:[ebp-4]
0047a039 |. 50 push eax
0047a03a |. 8d55 f4 lea edx,dword ptr ss:[ebp-c]
0047a03d |. 8b86 e8020000 mov eax,dword ptr ds:[esi+2e8]
0047a043 |. e8 444afbff call unpacked.0042ea8c ; fetch the registration code typed into the edit box
0047a048 |. 8b45 f4 mov eax,dword ptr ss:[ebp-c]
0047a04b |. 8d55 f8 lea edx,dword ptr ss:[ebp-8]
0047a04e |. e8 9de7f8ff call unpacked.004087f0
0047a053 |. 8b55 f8 mov edx,dword ptr ss:[ebp-8] ; entered registration code, here edx -> "654321"
0047a056 |. 58 pop eax ; the real code (pushed at 0047a039) into eax
0047a057 |. e8 489ef8ff call unpacked.00403ea4 ; key comparison of the two strings
0047a05c |. 0f85 3d010000 jnz unpacked.0047a19f ; not equal: jump to the "invalid" branch
0047a062 |. 68 40000400 push 40040
Summary:
1. The user ID viewed in hex: 222961388 -> d4a1eec
2. Subtract 1f6171f from it: d4a1eec - 1f6171f = b5407cd
3. Multiply the result of step 2 by 1b: b5407cd * 1b = 131dcd29f
4. Convert the result of step 3 to decimal; that is the registration code: 131dcd29f -> 5131522719
The "hex" steps are only how the debugger shows the registers; in plain integer terms the scheme is code = (user_id - 32904991) * 27, computed in 64-bit (edx:eax) and then printed in decimal, so the code can exceed 32 bits, as it does here.
So my registration code is as follows:
User ID: 222961388
Registration code: 5131522719
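The recovered scheme as a small keygen, added here as an example and not taken from the target or the writeup. The constants come straight from the `sub eax,1f6171f` and `push 1b` instructions above; the `trace` function reproduces the intermediate register values (including the edx:eax split of the 64-bit product) so the output can be checked against the debugger. Behaviour for user IDs below 32904991 (a negative 64-bit result) is an assumption, since the writeup only covers one ID.

```python
"""Keygen for the (user_id - 0x1f6171f) * 0x1b scheme recovered in the writeup.

Added example; not the target program's own code.
"""

SUB_CONST = 0x1F6171F        # 32904991 decimal, from `sub eax,1f6171f` / `sbb edx,0`
MUL_CONST = 0x1B             # 27 decimal, pushed as a 64-bit value before the multiply
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def keygen(user_id: int) -> str:
    """Return the registration code for a numeric user ID.

    The target performs the arithmetic in the edx:eax register pair and then
    converts that 64-bit value to a decimal string.  Python ints are
    arbitrary-precision, so no overflow handling is needed for realistic IDs.
    Assumption (not verified in the writeup): for IDs below SUB_CONST the
    target would print the negative signed 64-bit value, which is what
    str() of the negative Python int gives here.
    """
    if user_id < 0:
        raise ValueError("user ID must be a non-negative integer")
    return str((user_id - SUB_CONST) * MUL_CONST)


def trace(user_id: int) -> dict:
    """Intermediate values in the form the debugger shows them.

    Hex fields are rendered as the 64-bit two's-complement register contents,
    so they match the OllyDbg display; 'edx' and 'eax' are the two halves of
    the product before the call that converts it to a decimal string.
    """
    after_sub = (user_id - SUB_CONST) & MASK64
    product = (user_id - SUB_CONST) * MUL_CONST
    product64 = product & MASK64
    return {
        "uid_hex": f"{user_id:x}",                      # 0047a01a result
        "after_sub_hex": f"{after_sub:x}",              # after sub/sbb
        "after_mul_hex": f"{product64:x}",              # 64-bit product
        "edx": f"{(product64 >> 32) & MASK32:x}",       # high dword
        "eax": f"{product64 & MASK32:x}",               # low dword
        "code": keygen(user_id),                        # decimal string
    }


def check(user_id: int, entered: str) -> bool:
    """Mirror the string compare at 0047a057: exact match on the decimal text."""
    return entered.strip() == keygen(user_id)


if __name__ == "__main__":
    # The writeup's own ID; constructed sample input, values match the analysis.
    uid = 222961388
    for name, value in trace(uid).items():
        print(f"{name:>14}: {value}")
    print("654321 accepted?", check(uid, "654321"))
    print("5131522719 accepted?", check(uid, "5131522719"))
```

Run it with the writeup's ID and compare each printed field with the register comments in the OllyDbg listing; `edx` should read 1 and `eax` 31dcd29f immediately before the call at 0047a031, and `code` should be 5131522719.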