7.3 KiB
7.3 KiB
打包工具: ASPack(2.000)
-
脱壳
步骤和上一篇类似,OEP: 445834 (45834)
-
搜索“Registered"找到可疑函数
这里整理了一下:
//读取同目录下cm5.dat //第一行name //ebp-1E8 //ebp-1E9开头含长度位 //第二行serial //ebp-1FD //ebp-1FE开头含长度位 //每行最大读取0x14长度 string name = "cm5.dat 第一行"; int length = name.Length; //esi string v = "159357852645875692311335664857125469857213526859478212124569348647951232165728761953213754495421375678543126721831"; //ebp-8 string result = ""; //ebp-4 int p=0; do{ int v3 = name[p]; //edx result+=(char)(v[v3-0xB]); p++; length--; } while (length>0);
细节:
004453C6 | 55 | push ebp |
004453C7 | 68 87554400 | push <ad_cm#5.sub_445587> |
004453CC | 64:FF30 | push dword ptr fs:[eax] |
004453CF | 64:8920 | mov dword ptr fs:[eax],esp |
004453D2 | 8D45 F8 | lea eax,dword ptr ss:[ebp-8] |
004453D5 | BA A0554400 | mov edx,ad_cm#5.4455A0 | 4455A0:"159357852645875692311335664857125469857213526859478212124569348647951232165728761953213754495421375678543126721831"
004453DA | E8 99E5FBFF | call <ad_cm#5.sub_403978> |
004453DF | 33D2 | xor edx,edx |
004453E1 | 55 | push ebp |
004453E2 | 68 3F554400 | push <ad_cm#5.sub_44553F> |
004453E7 | 64:FF32 | push dword ptr fs:[edx] |
004453EA | 64:8922 | mov dword ptr fs:[edx],esp |
004453ED | BA 1C564400 | mov edx,<ad_cm#5.sub_44561C> | 44561C:"cm5.dat"
004453F2 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
004453F8 | E8 AD00FCFF | call <ad_cm#5.ASSIGN> | ebp-1D4: File var
004453FD | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
00445403 | E8 EF02FCFF | call <ad_cm#5.RESETTEXT> | 准备读取文件内容
00445408 | E8 8FD3FBFF | call <ad_cm#5._IOTest> |
0044540D | 8D95 17FEFFFF | lea edx,dword ptr ss:[ebp-1E9] | ebp-1E9: Read content(Name)
00445413 | B9 14000000 | mov ecx,14 | 读取0x14长度内容
00445418 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
0044541E | E8 D901FCFF | call <ad_cm#5.READSTRING> |
00445423 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
00445429 | E8 6602FCFF | call <ad_cm#5.READLN> |
0044542E | E8 69D3FBFF | call <ad_cm#5._IOTest> |
00445433 | 8D95 02FEFFFF | lea edx,dword ptr ss:[ebp-1FE] | ebp-1FE: Read content(Serial)
00445439 | B9 14000000 | mov ecx,14 | 读取0x14长度内容
0044543E | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
00445444 | E8 B301FCFF | call <ad_cm#5.READSTRING> |
00445449 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
0044544F | E8 4002FCFF | call <ad_cm#5.READLN> |
00445454 | E8 43D3FBFF | call <ad_cm#5._IOTest> |
00445459 | 8D85 2CFEFFFF | lea eax,dword ptr ss:[ebp-1D4] |
0044545F | E8 E800FCFF | call <ad_cm#5.CLOSE> |
00445464 | E8 33D3FBFF | call <ad_cm#5._IOTest> |
00445469 | 80BD 17FEFFFF 05 | cmp byte ptr ss:[ebp-1E9],5 | 检查Name长度需>=5
00445470 | 73 0A | jae ad_cm#5.44547C |
00445472 | B8 2C564400 | mov eax,<ad_cm#5.sub_44562C> | 44562C:"Name must be at least 5 characters long!"
00445477 | E8 A4F8FFFF | call <ad_cm#5.ShowMessage> |
0044547C | 0FB6B5 17FEFFFF | movzx esi,byte ptr ss:[ebp-1E9] |
00445483 | 85F6 | test esi,esi |
00445485 | 7E 2E | jle ad_cm#5.4454B5 |
00445487 | 8D9D 18FEFFFF | lea ebx,dword ptr ss:[ebp-1E8] |
0044548D | 8D85 FCFDFFFF | lea eax,dword ptr ss:[ebp-204] |
00445493 | 33D2 | xor edx,edx |
00445495 | 8A13 | mov dl,byte ptr ds:[ebx] |
00445497 | 8B4D F8 | mov ecx,dword ptr ss:[ebp-8] |
0044549A | 8A5411 F5 | mov dl,byte ptr ds:[ecx+edx-B] |
0044549E | E8 E5E5FBFF | call <ad_cm#5.sub_403A88> |
004454A3 | 8B95 FCFDFFFF | mov edx,dword ptr ss:[ebp-204] |
004454A9 | 8D45 FC | lea eax,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
004454AC | E8 B7E6FBFF | call <ad_cm#5._LStrCat> |
004454B1 | 43 | inc ebx |
004454B2 | 4E | dec esi |
004454B3 | 75 D8 | jne ad_cm#5.44548D |
004454B5 | 8D85 F8FDFFFF | lea eax,dword ptr ss:[ebp-208] |
004454BB | 8D95 02FEFFFF | lea edx,dword ptr ss:[ebp-1FE] |
004454C1 | E8 3EE6FBFF | call <ad_cm#5.Len> |
004454C6 | 8B85 F8FDFFFF | mov eax,dword ptr ss:[ebp-208] |
004454CC | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
004454CF | E8 9CE7FBFF | call <ad_cm#5._LStrCmp> |
004454D4 | 75 55 | jne ad_cm#5.44552B |
004454D6 | 8D85 F4FDFFFF | lea eax,dword ptr ss:[ebp-20C] |
004454DC | 8D95 17FEFFFF | lea edx,dword ptr ss:[ebp-1E9] |
004454E2 | E8 1DE6FBFF | call <ad_cm#5.Len> |
004454E7 | 8B95 F4FDFFFF | mov edx,dword ptr ss:[ebp-20C] |
004454ED | 8B87 D4020000 | mov eax,dword ptr ds:[edi+2D4] |
004454F3 | E8 B4F5FDFF | call <ad_cm#5.SetText> |
004454F8 | 8B87 D8020000 | mov eax,dword ptr ds:[edi+2D8] |
004454FE | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | [ebp-04]:&"l贎"
00445501 | E8 A6F5FDFF | call <ad_cm#5.SetText> |
00445506 | 8B87 E8020000 | mov eax,dword ptr ds:[edi+2E8] |
0044550C | BA 60564400 | mov edx,<ad_cm#5.sub_445660> | 445660:"Registered ... well done!"
00445511 | E8 96F5FDFF | call <ad_cm#5.SetText> |
00445516 | 8B87 E8020000 | mov eax,dword ptr ds:[edi+2E8] |
0044551C | 8B40 58 | mov eax,dword ptr ds:[eax+58] |
0044551F | BA 00800000 | mov edx,8000 |