
160 - 44 defiler.1.exe

環境:

Windows xp sp3

工具:

1.ollydbg

2.exeinfope

0x00 查殼

160 - 44 defiler.1.exe

無殼就下一步

0x01 分析

160 - 44 defiler.1.exe

随便輸入個錯的,出現了不知道哪國的語言。有個6,應該就是name的長度要大于6吧

160 - 44 defiler.1.exe

OD載入,搜字元串。

BD7  |.  807D EF 06    cmp byte ptr ss:[ebp-0x11],0x6           ;  name length (byte at [ebp-0x11], per the author's annotation) must not be below 6
BDB  |.  73 15         jnb XDope2112.00421BF2                   ;  unsigned length >= 6 -> skip the error path; shorter names fall through
BDD  |.  8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]         ;  eax = object at esi+0x1C0 (the same one used for the result messages at 00421D42/00421D54)
BE3  |.  BA A81D4200   mov edx,Dope2112.00421DA8                ;  ASCII "Der Name muss min.  Zeichen lang sein" (German: the name must be at least N characters long)
BE8  |.  E8 3BFCFEFF   call Dope2112.00411828                   ;  same routine as at 00421D4D; presumably displays the text in edx - not verified in this listing
BED  |.  E9 72010000   jmp Dope2112.00421D64                    ;  common exit, also reached after the success message
BF2  |>  33C0          xor eax,eax                              ;  eax = 0: loop counter, compared against 6 at 00421CE8
BF4  |>  33D2          /xor edx,edx                             ;  loop head: edx = zero-extended copy of the counter
BF6  |.  8AD0          |mov dl,al
BF8  |.  8B4D FC       |mov ecx,[local.1]                       ;  ecx = string pointer held in local.1 (presumably the name buffer)
BFB  |.  0FB65411 FF   |movzx edx,byte ptr ds:[ecx+edx-0x1]     ;  edx = byte at [ecx + counter - 1]; note that the first pass (counter = 0) reads the byte just before the string data, not the first character
C00  |.  83C2 9F       |add edx,-0x61                           ;  Switch (cases 61..7A): edx = c - 'a'
C03  |.  83FA 19       |cmp edx,0x19                            ;  unsigned range check, so bytes below 'a' wrap and also fail it
C06  |.  0F87 D7000000 |ja Dope2112.00421CE3                    ;  outside 'a'..'z' -> default case
C0C  |.  FF2495 131C42>|jmp dword ptr ds:[edx*4+0x421C13]       ;  indexed jump through the 26-entry table below
C13  |.  7B1C4200      |dd Dope2112.00421C7B                    ;  branch table used by 00421C0C (entry 0 = 'a', entry 25 = 'z')
C17  |.  7F1C4200      |dd Dope2112.00421C7F
C1B  |.  831C4200      |dd Dope2112.00421C83
C1F  |.  871C4200      |dd Dope2112.00421C87
C23  |.  8B1C4200      |dd Dope2112.00421C8B
C27  |.  8F1C4200      |dd Dope2112.00421C8F
C2B  |.  931C4200      |dd Dope2112.00421C93
C2F  |.  971C4200      |dd Dope2112.00421C97
C33  |.  9B1C4200      |dd Dope2112.00421C9B
C37  |.  9F1C4200      |dd Dope2112.00421C9F
C3B  |.  A31C4200      |dd Dope2112.00421CA3
C3F  |.  A71C4200      |dd Dope2112.00421CA7
C43  |.  AB1C4200      |dd Dope2112.00421CAB
C47  |.  AF1C4200      |dd Dope2112.00421CAF
C4B  |.  B31C4200      |dd Dope2112.00421CB3
C4F  |.  B71C4200      |dd Dope2112.00421CB7
C53  |.  BB1C4200      |dd Dope2112.00421CBB
C57  |.  BF1C4200      |dd Dope2112.00421CBF
C5B  |.  C31C4200      |dd Dope2112.00421CC3
C5F  |.  C71C4200      |dd Dope2112.00421CC7
C63  |.  CB1C4200      |dd Dope2112.00421CCB
C67  |.  CF1C4200      |dd Dope2112.00421CCF
C6B  |.  D31C4200      |dd Dope2112.00421CD3
C6F  |.  D71C4200      |dd Dope2112.00421CD7
C73  |.  DB1C4200      |dd Dope2112.00421CDB
C77  |.  DF1C4200      |dd Dope2112.00421CDF
C7B  |>  B2 18         |mov dl,0x18                             ;  Case 61 ('a') of switch 00421C00 - each case just loads a per-letter constant into dl
C7D  |.  EB 66         |jmp XDope2112.00421CE5
C7F  |>  B2 25         |mov dl,0x25                             ;  Case 62 ('b') of switch 00421C00
C81  |.  EB 62         |jmp XDope2112.00421CE5
C83  |>  B2 42         |mov dl,0x42                             ;  Case 63 ('c') of switch 00421C00
C85  |.  EB 5E         |jmp XDope2112.00421CE5
C87  |>  B2 0C         |mov dl,0xC                              ;  Case 64 ('d') of switch 00421C00
C89  |.  EB 5A         |jmp XDope2112.00421CE5
C8B  |>  B2 0D         |mov dl,0xD                              ;  Case 65 ('e') of switch 00421C00
C8D  |.  EB 56         |jmp XDope2112.00421CE5
C8F  |>  B2 06         |mov dl,0x6                              ;  Case 66 ('f') of switch 00421C00
C91  |.  EB 52         |jmp XDope2112.00421CE5
C93  |>  B2 36         |mov dl,0x36                             ;  Case 67 ('g') of switch 00421C00
C95  |.  EB 4E         |jmp XDope2112.00421CE5
C97  |>  B2 2B         |mov dl,0x2B                             ;  Case 68 ('h') of switch 00421C00
C99  |.  EB 4A         |jmp XDope2112.00421CE5
C9B  |>  B2 17         |mov dl,0x17                             ;  Case 69 ('i') of switch 00421C00
C9D  |.  EB 46         |jmp XDope2112.00421CE5
C9F  |>  B2 2F         |mov dl,0x2F                             ;  Case 6A ('j') of switch 00421C00
CA1  |.  EB 42         |jmp XDope2112.00421CE5
CA3  |>  B2 13         |mov dl,0x13                             ;  Case 6B ('k') of switch 00421C00
CA5  |.  EB 3E         |jmp XDope2112.00421CE5
CA7  |>  B2 82         |mov dl,0x82                             ;  Case 6C ('l') of switch 00421C00
CA9  |.  EB 3A         |jmp XDope2112.00421CE5
CAB  |>  B2 9B         |mov dl,0x9B                             ;  Case 6D ('m') of switch 00421C00
CAD  |.  EB 36         |jmp XDope2112.00421CE5
CAF  |>  B2 92         |mov dl,0x92                             ;  Case 6E ('n') of switch 00421C00
CB1  |.  EB 32         |jmp XDope2112.00421CE5
CB3  |>  B2 03         |mov dl,0x3                              ;  Case 6F ('o') of switch 00421C00
CB5  |.  EB 2E         |jmp XDope2112.00421CE5
CB7  |>  B2 63         |mov dl,0x63                             ;  Case 70 ('p') of switch 00421C00
CB9  |.  EB 2A         |jmp XDope2112.00421CE5
CBB  |>  B2 21         |mov dl,0x21                             ;  Case 71 ('q') of switch 00421C00
CBD  |.  EB 26         |jmp XDope2112.00421CE5
CBF  |>  B2 42         |mov dl,0x42                             ;  Case 72 ('r') of switch 00421C00 (same constant as 'c')
CC1  |.  EB 22         |jmp XDope2112.00421CE5
CC3  |>  B2 5C         |mov dl,0x5C                             ;  Case 73 ('s') of switch 00421C00
CC5  |.  EB 1E         |jmp XDope2112.00421CE5
CC7  |>  B2 29         |mov dl,0x29                             ;  Case 74 ('t') of switch 00421C00
CC9  |.  EB 1A         |jmp XDope2112.00421CE5
CCB  |>  B2 C7         |mov dl,0xC7                             ;  Case 75 ('u') of switch 00421C00
CCD  |.  EB 16         |jmp XDope2112.00421CE5
CCF  |>  B2 66         |mov dl,0x66                             ;  Case 76 ('v') of switch 00421C00
CD1  |.  EB 12         |jmp XDope2112.00421CE5
CD3  |>  B2 58         |mov dl,0x58                             ;  Case 77 ('w') of switch 00421C00
CD5  |.  EB 0E         |jmp XDope2112.00421CE5
CD7  |>  B2 0A         |mov dl,0xA                              ;  Case 78 ('x') of switch 00421C00
CD9  |.  EB 0A         |jmp XDope2112.00421CE5
CDB  |>  B2 28         |mov dl,0x28                             ;  Case 79 ('y') of switch 00421C00
CDD  |.  EB 06         |jmp XDope2112.00421CE5
CDF  |>  B2 50         |mov dl,0x50                             ;  Case 7A ('z') of switch 00421C00
CE1  |.  EB 02         |jmp XDope2112.00421CE5
CE3  |>  B2 5D         |mov dl,0x5D                             ;  Default case of switch 00421C00: any byte outside 'a'..'z' (upper case, digits, the pre-string byte) contributes 0x5D
CE5  |>  02DA          |add bl,dl                               ;  bl += dl: 8-bit running sum, wraps mod 256; bl's initial value is set before this listing
CE7  |.  40            |inc eax                                 ;  counter++
CE8  |.  3C 06         |cmp al,0x6                              ;  exactly 6 passes, regardless of the actual name length
CEA  |.^ 0F85 04FFFFFF \jnz Dope2112.00421BF4                   ;  loop back while counter != 6
CF0  |.  8D55 F0       lea edx,[local.4]                        ;  edx = local.4, output buffer for the text form of the length product (author: the computed value converted to decimal)
CF3  |.  33C0          xor eax,eax                              ;  clear eax so the byte load below is zero-extended
CF5  |.  8A45 EF       mov al,byte ptr ss:[ebp-0x11]            ;  al = name length (same byte checked at 00421BD7)
CF8  |.  69C0 7E4A0000 imul eax,eax,0x4A7E                      ;  eax = name length * 0x4A7E
CFE  |.  E8 7136FEFF   call Dope2112.00405374                   ;  eax -> text at [edx] (author: this is the second half of the serial)
D03  |.  8D55 E4       lea edx,[local.7]                        ;  edx = local.7, output buffer for the text form of the letter sum
D06  |.  33C0          xor eax,eax
D08  |.  8AC3          mov al,bl                                ;  eax = 8-bit sum accumulated in the loop above
D0A  |.  E8 6536FEFF   call Dope2112.00405374                   ;  same conversion routine -> local.7
D0F  |.  FF75 E4       push [local.7]                           ;  arg: sum text
D12  |.  68 D81D4200   push Dope2112.00421DD8                   ;  arg: literal at 00421DD8 (author: the "-" separator)
D17  |.  FF75 F0       push [local.4]                           ;  arg: length-product text
D1A  |.  8D45 F4       lea eax,[local.3]                        ;  eax = local.3, destination for the assembled expected serial
D1D  |.  BA 03000000   mov edx,0x3                              ;  three pieces to join
D22  |.  E8 FD16FEFF   call Dope2112.00403424                   ;  joins the three pushed strings into local.3; which piece comes first depends on this callee's convention, not visible here
D27  |.  8D55 E8       lea edx,[local.6]                        ;  edx = local.6, destination for the user-entered serial
D2A  |.  8B86 B0010000 mov eax,dword ptr ds:[esi+0x1B0]         ;  eax = object at esi+0x1B0 (presumably the serial input control)
D30  |.  E8 C3FAFEFF   call Dope2112.004117F8                   ;  reads its text into local.6 (inferred from the compare below)
D35  |.  8B55 E8       mov edx,[local.6]                        ;  edx = entered serial
D38  |.  8B45 F4       mov eax,[local.3]                        ;  eax = expected serial
D3B  |.  E8 3417FEFF   call Dope2112.00403474                   ;  plain-text string compare; the expected value is fully built in memory at this point, which is why it can simply be read off in the debugger
D40  |.  75 12         jnz XDope2112.00421D54                   ;  mismatch -> failure message
D42  |.  8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]
D48  |.  BA E41D4200   mov edx,Dope2112.00421DE4                ;  ASCII "Hey du hast es geschaft !" (German: you did it)
D4D  |.  E8 D6FAFEFF   call Dope2112.00411828                   ;  show success message
D52  |.  EB 10         jmp XDope2112.00421D64                   ;  done
D54  |>  8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]
D5A  |.  BA 081E4200   mov edx,Dope2112.00421E08                ;  ASCII "Leider nicht versuchs noch mal !" (German: unfortunately not, try again); the rest of this routine is outside the listing
           

原理十分簡單,根據不同的字元得到對應的值,将這些值相加的結果儲存到bl中,作為serial的前半部分。

後半部分則是将name的長度乘以0x4A7,用“-”連起來就是序列号了。

160 - 44 defiler.1.exe