113 lines
7.3 KiB
Markdown
113 lines
7.3 KiB
Markdown
|
打包工具: ASPack(2.000)
|
|||
|
|
|
|||
|
|
1. 脱壳
|
|||
|
|
|
|||
|
|
步骤和上一篇类似,OEP: 445834 (45834)
|
|||
|
|
|
|||
|
|
2. 搜索“Registered"找到可疑函数
|
|||
|
|
|
|||
|
|
这里整理了一下:
|
|||
|
|
|
|||
|
|
```c#
|
|||
|
|
//读取同目录下cm5.dat
|
|||
|
|
//第一行name //ebp-1E8 //ebp-1E9开头含长度位
|
|||
|
|
//第二行serial //ebp-1FD //ebp-1FE开头含长度位
|
|||
|
|
//每行最大读取0x14长度
|
|||
|
|
|
|||
|
|
string name = "cm5.dat 第一行";
|
|||
|
|
int length = name.Length; //esi
|
|||
|
|
string v = "159357852645875692311335664857125469857213526859478212124569348647951232165728761953213754495421375678543126721831"; //ebp-8
|
|||
|
|
string result = ""; //ebp-4
|
|||
|
|
int p=0;
|
|||
|
|
|
|||
|
|
do{
|
|||
|
|
int v3 = name[p]; //edx
|
|||
|
|
result+=(char)(v[v3-0xB]);
|
|||
|
|
p++;
|
|||
|
|
length--;
|
|||
|
|
} while (length>0);
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
细节:
|
|||
|
|
|
|||
|
|
```assembly
|
|||
|
|
004453C6 | 55 | push ebp |
|
|||
|
|
004453C7 | 68 87554400 | push <ad_cm#5.sub_445587> |
|
|||
|
|
004453CC | 64:FF30 | push dword ptr fs:[eax] |
|
|||
|
|
004453CF | 64:8920 | mov dword ptr fs:[eax],esp |
|
|||
|
|
004453D2 | 8D45 F8 | lea eax,dword ptr ss:[ebp-8] |
|
|||
|
|
004453D5 | BA A0554400 | mov edx,ad_cm#5.4455A0 | 4455A0:"159357852645875692311335664857125469857213526859478212124569348647951232165728761953213754495421375678543126721831"
|
|||
|
|
004453DA | E8 99E5FBFF | call <ad_cm#5.sub_403978> |
|
|||
|
|
004453DF | 33D2 | xor edx,edx |
|
|||
|
|
004453E1 | 55 | push ebp |
|
|||
|
|
004453E2 | 68 3F554400 | push <ad_cm#5.sub_44553F> |
|
|||
|
|
004453E7 | 64:FF32 | push dword ptr fs:[edx] |
|
|||
|
|
004453EA | 64:8922 | mov dword ptr fs:[edx],esp |
|
|||
|
|
004453ED | BA 1C564400 | mov edx,<ad_cm#5.sub_44561C> | 44561C:"cm5.dat"
|
|||
|
|
004453F2 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
004453F8 | E8 AD00FCFF | call <ad_cm#5.ASSIGN> | ebp-1D4: File var
|
|||
|
|
004453FD | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
00445403 | E8 EF02FCFF | call <ad_cm#5.RESETTEXT> | 准备读取文件内容
|
|||
|
|
00445408 | E8 8FD3FBFF | call <ad_cm#5._IOTest> |
|
|||
|
|
0044540D | 8D95 17FEFFFF | lea edx,dword ptr ss:[ebp-1E9] | ebp-1E9: Read content(Name)
|
|||
|
|
00445413 | B9 14000000 | mov ecx,14 | 读取0x14长度内容
|
|||
|
|
00445418 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
0044541E | E8 D901FCFF | call <ad_cm#5.READSTRING> |
|
|||
|
|
00445423 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
00445429 | E8 6602FCFF | call <ad_cm#5.READLN> |
|
|||
|
|
0044542E | E8 69D3FBFF | call <ad_cm#5._IOTest> |
|
|||
|
|
00445433 | 8D95 02FEFFFF | lea edx,dword ptr ss:[ebp-1FE] | ebp-1FE: Read content(Serial)
|
|||
|
|
00445439 | B9 14000000 | mov ecx,14 | 读取0x14长度内容
|
|||
|
|
0044543E | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
00445444 | E8 B301FCFF | call <ad_cm#5.READSTRING> |
|
|||
|
|
00445449 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
0044544F | E8 4002FCFF | call <ad_cm#5.READLN> |
|
|||
|
|
00445454 | E8 43D3FBFF | call <ad_cm#5._IOTest> |
|
|||
|
|
00445459 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
|
|||
|
|
0044545F | E8 E800FCFF | call <ad_cm#5.CLOSE> |
|
|||
|
|
00445464 | E8 33D3FBFF | call <ad_cm#5._IOTest> |
|
|||
|
|
00445469 | 80BD 17FEFFFF 05 | cmp byte ptr ss:[ebp-1E9],5 | 检查Name长度需>=5
|
|||
|
|
00445470 | 73 0A | jae ad_cm#5.44547C |
|
|||
|
|
00445472 | B8 2C564400 | mov eax,<ad_cm#5.sub_44562C> | 44562C:"Name must be at least 5 characters long!"
|
|||
|
|
00445477 | E8 A4F8FFFF | call <ad_cm#5.ShowMessage> |
|
|||
|
|
0044547C | 0FB6B5 17FEFFFF | movzx esi,byte ptr ss:[ebp-1E9] |
|
|||
|
|
00445483 | 85F6 | test esi,esi |
|
|||
|
|
00445485 | 7E 2E | jle ad_cm#5.4454B5 |
|
|||
|
|
00445487 | 8D9D 18FEFFFF | lea ebx,dword ptr ss:[ebp-1E8] |
|
|||
|
|
0044548D | 8D85 FCFDFFFF | lea eax,dword ptr ss:[ebp-204] |
|
|||
|
|
00445493 | 33D2 | xor edx,edx |
|
|||
|
|
00445495 | 8A13 | mov dl,byte ptr ds:[ebx] |
|
|||
|
|
00445497 | 8B4D F8 | mov ecx,dword ptr ss:[ebp-8] |
|
|||
|
|
0044549A | 8A5411 F5 | mov dl,byte ptr ds:[ecx+edx-B] |
|
|||
|
|
0044549E | E8 E5E5FBFF | call <ad_cm#5.sub_403A88> |
|
|||
|
|
004454A3 | 8B95 FCFDFFFF | mov edx,dword ptr ss:[ebp-204] |
|
|||
|
|
004454A9 | 8D45 FC | lea eax,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
|
|||
|
|
004454AC | E8 B7E6FBFF | call <ad_cm#5._LStrCat> |
|
|||
|
|
004454B1 | 43 | inc ebx |
|
|||
|
|
004454B2 | 4E | dec esi |
|
|||
|
|
004454B3 | 75 D8 | jne ad_cm#5.44548D |
|
|||
|
|
004454B5 | 8D85 F8FDFFFF | lea eax,dword ptr ss:[ebp-208] |
|
|||
|
|
004454BB | 8D95 02FEFFFF | lea edx,dword ptr ss:[ebp-1FE] |
|
|||
|
|
004454C1 | E8 3EE6FBFF | call <ad_cm#5.Len> |
|
|||
|
|
004454C6 | 8B85 F8FDFFFF | mov eax,dword ptr ss:[ebp-208] |
|
|||
|
|
004454CC | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
|
|||
|
|
004454CF | E8 9CE7FBFF | call <ad_cm#5._LStrCmp> |
|
|||
|
|
004454D4 | 75 55 | jne ad_cm#5.44552B |
|
|||
|
|
004454D6 | 8D85 F4FDFFFF | lea eax,dword ptr ss:[ebp-20C] |
|
|||
|
|
004454DC | 8D95 17FEFFFF | lea edx,dword ptr ss:[ebp-1E9] |
|
|||
|
|
004454E2 | E8 1DE6FBFF | call <ad_cm#5.Len> |
|
|||
|
|
004454E7 | 8B95 F4FDFFFF | mov edx,dword ptr ss:[ebp-20C] |
|
|||
|
|
004454ED | 8B87 D4020000 | mov eax,dword ptr ds:[edi+2D4] |
|
|||
|
|
004454F3 | E8 B4F5FDFF | call <ad_cm#5.SetText> |
|
|||
|
|
004454F8 | 8B87 D8020000 | mov eax,dword ptr ds:[edi+2D8] |
|
|||
|
|
004454FE | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
|
|||
|
|
00445501 | E8 A6F5FDFF | call <ad_cm#5.SetText> |
|
|||
|
|
00445506 | 8B87 E8020000 | mov eax,dword ptr ds:[edi+2E8] |
|
|||
|
|
0044550C | BA 60564400 | mov edx,<ad_cm#5.sub_445660> | 445660:"Registered ... well done!"
|
|||
|
|
00445511 | E8 96F5FDFF | call <ad_cm#5.SetText> |
|
|||
|
|
00445516 | 8B87 E8020000 | mov eax,dword ptr ds:[edi+2E8] |
|
|||
|
|
0044551C | 8B40 58 | mov eax,dword ptr ds:[eax+58] |
|
|||
|
|
0044551F | BA 00800000 | mov edx,8000 |
|
|||
|
|
```
|
|||
|
|
|