运行分析
- 需破解Name和Serial
PE分析
- ASM程序,32位,无壳
静态分析&动态调试
- 用IDA查找关键字符串,定位到对话框处理函数DialogFunc
/*
 * DialogFunc - dialog procedure of the crackme as recovered by the IDA
 * decompiler. This is pseudocode: several names used below (Name_len_,
 * Name_len_4, n, the Name_encode_* buffers, Name, Serial) are not declared
 * in the function and are presumably globals renamed by the analyst.
 *
 * Messages handled (a2):
 *   0x110 (WM_INITDIALOG) - loads icon resource 0x68 and sets it on the dialog.
 *   0x10  (WM_CLOSE)      - forwards to the 0x3EE command, which quits.
 *   0x111 (WM_COMMAND)    - 0x3EE quits, 0x3EF shows an information box,
 *                           0x3ED runs the Name/Serial check.
 * Returns 1 for handled messages and 0 for everything else.
 *
 * Design note for reviewers: the 0x3ED path derives the expected serial from
 * Name alone (four loops) and then compares it with the typed Serial, so the
 * complete validation algorithm ships inside the client binary.
 */
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
HICON IconA; // eax
int v5; // edi
unsigned int v6; // ebx
char v7; // al
int v8; // ecx
char v9; // al
int v10; // ecx
int v11; // ecx
int v12; // eax
int v13; // ebx
int v14; // edi
int v15; // esi
int v16; // ebp
int v17; // ebx
int v18; // esi
unsigned int v19; // ecx
unsigned int v20; // edx
unsigned int v21; // eax
int v22; // ecx
int v23; // esi
int v24; // edx
char v25; // al
int v26; // esi
char v27; // al
char Name_i; // [esp-Ch] [ebp-Ch]
unsigned int v30; // [esp-8h] [ebp-8h]
unsigned int Name_len; // [esp-4h] [ebp-4h]
switch ( a2 )
{
case 0x110u:
// WM_INITDIALOG. The two GetDlgItem results are discarded in this listing.
GetDlgItem(hDlg, 1002);
GetDlgItem(hDlg, 1003);
IconA = LoadIconA(hInstance, (LPCSTR)0x68);
// 0x80 = WM_SETICON with wParam 0.
SendMessageA(hDlg, 0x80u, 0, (LPARAM)IconA);
break;
case 0x10u:
// WM_CLOSE: re-dispatch as WM_COMMAND with id 0x3EE (handled below).
SendMessageA(hDlg, 0x111u, 0x3EEu, 0);
break;
case 0x111u:
// WM_COMMAND: the low word of a3 is the command/control id.
switch ( (_WORD)a3 )
{
case 0x3EE:
PostQuitMessage(0);
break;
case 0x3EF:
// 0x40 = MB_ICONINFORMATION; the contents of Text are not shown here.
MessageBoxA(0, Text, Caption, 0x40u);
break;
case 0x3ED:
// 0xD = WM_GETTEXT: copies at most 0x40 (64) characters, terminator
// included, from control 1002 into Name and returns the copied length.
// NOTE(review): the size of the Name buffer is not visible in this
// listing, and the length limit below is only checked after the copy.
Name_len = SendDlgItemMessageA(hDlg, 1002, 0xDu, 0x40u, (LPARAM)Name);
// sub_401032 is not shown on this page - presumably resets the work buffers; confirm.
sub_401032();
Name_len_ = Name_len;
if ( Name_len <= 4 )
{
if ( !Name_len )
{
// Empty name: 0x10 = MB_ICONERROR.
MessageBoxA(0, aNoNameDetected, Caption, 0x10u);
return 1;
}
// Lengths 1..4 leave this if/else chain and reach the aNameIsNotValid box below.
}
else if ( Name_len < 33 ) // Name length is 5..32 on this path (<= 4 was handled above)
{
v5 = 0;
v6 = 2 * Name_len_;
do // Loop 1: split each Name[i] into Name[i] / 16 and Name[i] % 16, convert both with plus_0_or_7 (adds 7 when the result is not a digit) and store them in Name_encode_1
{
Name_i = Name[v5];
// NOTE(review): v8 and v10 are never assigned in this pseudocode; they look
// like an output index kept in ecx that the decompiler lost track of.
v7 = plus_0_or_7((unsigned __int16)Name_i / 16u);
Name_encode_1[v8] = v7;
v9 = plus_0_or_7((unsigned __int16)Name_i % 16u);
Name_encode_1[v10] = v9;
++v5;
}
while ( v10 + 1 < v6 );
v11 = 0;
v12 = 0;
v13 = 0;
v14 = 0;
v15 = 1;
v16 = 0;
n = 0;
do // Loop 2: derive Name_encode_2 from Name_encode_1
{
// Compare the current character with the one read through Name_encode_1_1
// (presumably Name_encode_1 + 1, i.e. the next character - confirm).
LOBYTE(v12) = Name_encode_1[v16 + v11];
LOBYTE(v13) = Name_encode_1_1[v16 + v11];
if ( v12 == v13 )
{
// Matching pair: bump the counter, skip one extra character, and from the
// second consecutive match on step the output offset back by one word.
++v15;
++n;
++v16;
if ( n != 1 )
{
v14 -= 2;
++v15;
}
}
else
{
if ( (unsigned __int8)n > 1u )
v14 -= 2;
n = 0;
v15 = 1;
}
// Store one 16-bit word: character in the high byte, v15 added into the low part.
*(_WORD *)((char *)&Name_encode_2 + v14) = ((_WORD)v12 << 8) + v15;
v14 += 2;
++v11;
}
while ( Name_encode_1[v16 + v11] );
// sub_401097 is not shown on this page; its effect is unknown from this listing.
sub_401097();
// 0xD = WM_GETTEXT: read up to 0x40 characters from control 1003 into Serial.
SendDlgItemMessageA(hDlg, 1003, 0xDu, 0x40u, (LPARAM)Serial);
HIWORD(v17) = 0;
v18 = 1;
v19 = 1;
do // Loop 3: combine Name with Name_encode_2 to produce Name_encode_3
{
// Hard-coded global addresses: 0x40321B + v18 and 0x403157 + v19 - presumably
// inside Name_encode_2 and Name respectively (both indexes start at 1); confirm.
LOWORD(v17) = *(_WORD *)(v18 + 0x40321B);// read a 16-bit word at byte offset v18 (author's note says Name_encode_1 - verify which buffer)
v20 = (v17 + *(char *)(v19 + 0x403157) - v19) % v19;
v21 = (v17 + *(char *)(v19 + 0x403157) - v19) / v19 - Name_len_4;
v17 += v19;
Name_encode_3[v19] = v17 ^ (v20 + v21);
// v18 wraps back to 1 once it reaches Name_len_4.
if ( ++v18 >= Name_len_4 )
v18 = 1;
++v19;
}
while ( v19 <= Name_len_ );
v22 = 0;
v23 = 0;
v24 = 2 * Name_len_;
do // Loop 4: turn each byte read through Name_encode_3_1 into two characters, producing Name_encode
{
v30 = Name_encode_3_1[v22];
// High nibble: +48 gives '0'..'9'; values above 57 ('9') use +55 instead, giving 'A'..'F'.
v25 = ((v30 >> 4) & 0xF) + 48;
if ( v25 > 57 )
v25 = ((v30 >> 4) & 0xF) + 55;
Name_encode[v23] = v25;
v26 = v23 + 1;
// Low nibble, same conversion.
v27 = (v30 & 0xF) + 48;
if ( v27 > 57 )
v27 = (v30 & 0xF) + 55;
++v22;
Name_encode[v26] = v27;
v23 = v26 + 1;
}
while ( v23 != v24 );
if ( (unsigned __int8)cmp(0) ) // compare Name_encode with Serial; non-zero means they differ
MessageBoxA(0, aTheSerialYouEn, Caption, 0x10u);
else
MessageBoxA(0, aWowYouDidItNow, aCrackedSuccess, 0x30u);// success
return 1;
}
// Reached for name lengths 1..4 and 33 or more.
MessageBoxA(0, aNameIsNotValid, Caption, 0x10u);
break;
}
break;
default:
return 0;
}
return 1;
}
- 进行动态调试,注释如上:一共4个循环计算,得到Name_encode,最后Name_encode需要等于Serial
算法分析
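# Python transcription of the four loops in the DialogFunc pseudocode: it
# derives the Serial the dialog expects for Name. The dialog itself only
# accepts names of 5..32 characters. Verified by the author for the sample
# name only; the repeated-character path in loop 2 follows the pseudocode
# line for line and has not been checked against the binary.
Name = 'concealbear'


# Loop 1
def plus_0_or_7(a1):
    """Return the ASCII code of the uppercase hex digit for the low nibble of a1."""
    result = (a1 & 0xF) + 0x30
    if result > 0x39:
        # Past '9': add 7 so that 10..15 land on 'A'..'F'.
        result += 7
    return result


Name_encode_1 = []
for ch in Name:
    Name_encode_1.append(plus_0_or_7(ord(ch) // 16))
    Name_encode_1.append(plus_0_or_7(ord(ch) % 16))
Name_encode_1.append(0)  # terminator that ends loop 2


# Loop 2
def encode_runs(encoded):
    """Build Name_encode_2 from a zero-terminated list of character codes.

    Each output word is stored as two bytes, low byte first: the character in
    the high byte and the counter v15 in the low byte. Returns a list of
    len(encoded) * 2 bytes; unused trailing entries stay 0.

    Python has no ++ operator: `++x` parses as +(+x) and changes nothing, so
    every increment of the pseudocode is written as `+= 1` here.
    """
    words = [0] * len(encoded) * 2
    v11 = 0  # advances on every pass
    v14 = 0  # byte offset of the next output word
    v15 = 1  # counter stored in the low byte
    v16 = 0  # extra advance taken on each matching pair
    n = 0    # consecutive matching pairs seen so far
    while True:
        pos = v16 + v11
        v12 = encoded[pos]
        # Treat a read past the end as the terminator instead of raising.
        v13 = encoded[pos + 1] if pos + 1 < len(encoded) else 0
        if v12 == v13:
            v15 += 1
            n += 1
            v16 += 1
            if n != 1:
                v14 -= 2
                v15 += 1
        else:
            if n > 1:
                v14 -= 2
            n = 0
            v15 = 1
        word = ((v12 << 8) + v15) & 0xFFFF  # the pseudocode stores a 16-bit value
        words[v14] = word & 0xFF
        words[v14 + 1] = word >> 8
        v14 += 2
        v11 += 1
        # Same exit test as the pseudocode: stop when the next character is 0.
        if v16 + v11 >= len(encoded) or encoded[v16 + v11] == 0:
            break
    return words


Name_encode_2 = encode_runs(Name_encode_1)

# Loop 3
Name_encode_3 = [0] * len(Name) * 2
Name_len_4 = len(Name) * 4
v18 = 1
for v19 in range(1, len(Name) + 1):
    # 16-bit little-endian read starting at byte offset v18 - 1.
    v17 = (Name_encode_2[v18] << 8) | Name_encode_2[v18 - 1]
    total = v17 + ord(Name[v19 - 1]) - v19
    v20 = total % v19
    v21 = total // v19 - Name_len_4
    v17 += v19
    # Only the low byte is kept, so a negative v21 gives the same result as
    # the unsigned arithmetic of the pseudocode.
    Name_encode_3[v19] = (v17 ^ (v20 + v21)) & 0xff
    v18 += 1
    if v18 >= Name_len_4:
        v18 = 1

# Loop 4
Name_encode = []
for v30 in Name_encode_3[1:len(Name) + 1]:
    Name_encode.append(plus_0_or_7(v30 >> 4))  # high nibble
    Name_encode.append(plus_0_or_7(v30))       # low nibble

Serial = "".join(chr(code) for code in Name_encode)
print(Name + '的Serial为:\n' + Serial)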
- 验证成功