1、脱壳
-----------------------------------------------
壳: ASPack 1.06b / 1.061b -> Alexey Solodovnikov
脱壳软件:超级巡警之虚拟机自动脱壳器
编程软件:DELPHI
2、使用DARKDEDE找出“注册”按键的事件。下断点,分析之。。。
; OllyDbg listing of the handler behind the "register" button (Delphi build,
; see the write-up above). The form object arrives in eax and is kept in
; [ebp-4]; the controls it reads are addressed as [form+318], [form+31C],
; [form+390] and [form+394]. Which edit box is the name and which the code is
; the author's reading of the comments below — confirm in the decompiler.
00488D8C /. 55 push ebp
00488D8D |. 8BEC mov ebp, esp
00488D8F |. 33C9 xor ecx, ecx
00488D91 |. 51 push ecx
00488D92 |. 51 push ecx
00488D93 |. 51 push ecx
00488D94 |. 51 push ecx
00488D95 |. 51 push ecx
00488D96 |. 51 push ecx
00488D97 |. 51 push ecx
00488D98 |. 53 push ebx
00488D99 |. 56 push esi
00488D9A |. 57 push edi
00488D9B |. 8945 FC mov dword ptr [ebp-4], eax
00488D9E |. 33C0 xor eax, eax
; Installs an SEH record at fs:[0] (handler 00488F2E) — the usual Delphi
; try/finally prologue; it is unwound again at 00488EFB.
00488DA0 |. 55 push ebp
00488DA1 |. 68 2E8F4800 push 00488F2E
00488DA6 |. 64:FF30 push dword ptr fs:[eax]
00488DA9 |. 64:8920 mov dword ptr fs:[eax], esp
00488DAC |. 8D45 F4 lea eax, dword ptr [ebp-C]
00488DAF |. E8 A4ADF7FF call 00403B58
00488DB4 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00488DB7 |. 8B45 FC mov eax, dword ptr [ebp-4]
00488DBA |. 8B80 18030000 mov eax, dword ptr [eax+318] ; "4JB"
00488DC0 |. E8 6B86FAFF call 00431430
00488DC5 |. 837D F0 00 cmp dword ptr [ebp-10], 0 ; is the entered user name empty? (empty -> straight to the exit at 00488EFB)
00488DC9 |. 0F84 2C010000 je 00488EFB
00488DCF |. 8D55 F8 lea edx, dword ptr [ebp-8]
00488DD2 |. 8B45 FC mov eax, dword ptr [ebp-4]
00488DD5 |. 8B80 18030000 mov eax, dword ptr [eax+318]
00488DDB |. E8 5086FAFF call 00431430
00488DE0 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00488DE3 |. E8 F0AFF7FF call 00403DD8 ; length of the user name
00488DE8 |. 8BF0 mov esi, eax
00488DEA |. 85F6 test esi, esi
00488DEC |. 7E 3C jle short 00488E2A
00488DEE |. BF 01000000 mov edi, 1
; Loop over the name: edi = 1-based character index, esi = characters left.
00488DF3 |> 8B45 F8 /mov eax, dword ptr [ebp-8]
00488DF6 |. 33DB |xor ebx, ebx
00488DF8 |. 8A5C38 FF |mov bl, byte ptr [eax+edi-1] ; fetch each byte of the user name in turn (zero-extended, so 0..255)
00488DFC |. 8BC3 |mov eax, ebx
00488DFE |. F7EB |imul ebx ; cube the byte value with two signed imuls (max 255^3 fits in 32 bits)
00488E00 |. F7EB |imul ebx
00488E02 |. 8945 EC |mov dword ptr [ebp-14], eax
00488E05 |. DB45 EC |fild dword ptr [ebp-14] ; load the cube into ST(0)
00488E08 |. D9FA |fsqrt ; ST(0) = sqrt(ST(0))
00488E0A |. E8 CD9BF7FF |call 004029DC
00488E0F |. 8BD8 |mov ebx, eax ; the integer result of the call goes to ebx (the call presumably converts ST(0) to an integer — confirm)
00488E11 |. 8D55 E8 |lea edx, dword ptr [ebp-18]
00488E14 |. 8BC3 |mov eax, ebx
00488E16 |. E8 BDF7F7FF |call 004085D8
00488E1B |. 8B55 E8 |mov edx, dword ptr [ebp-18]
00488E1E |. 8D45 F4 |lea eax, dword ptr [ebp-C]
00488E21 |. E8 BAAFF7FF |call 00403DE0 ; append this character's value to the accumulated string in [ebp-C]
00488E26 |. 47 |inc edi
00488E27 |. 4E |dec esi
00488E28 |.^ 75 C9 \jnz short 00488DF3
00488E2A |> 8B45 F4 mov eax, dword ptr [ebp-C]
00488E2D |. E8 A6AFF7FF call 00403DD8 ; length of the string built by the loop above
00488E32 |. 83F8 0A cmp eax, 0A ; compare that length with 10
00488E35 |. 7E 16 jle short 00488E4D
00488E37 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00488E3A |. 50 push eax
00488E3B |. B9 0A000000 mov ecx, 0A
00488E40 |. BA 01000000 mov edx, 1 ; author's note: before this mov, edx held the value left after the first 10 characters were removed (arguments for the call below: start 1, count 10)
00488E45 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00488E48 |. E8 93B1F7FF call 00403FE0
00488E4D |> 8D55 E4 lea edx, dword ptr [ebp-1C]
00488E50 |. 8B45 FC mov eax, dword ptr [ebp-4]
00488E53 |. 8B80 1C030000 mov eax, dword ptr [eax+31C]
00488E59 |. E8 D285FAFF call 00431430
00488E5E |. 8B55 E4 mov edx, dword ptr [ebp-1C]
00488E61 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00488E64 |. E8 7FB0F7FF call 00403EE8
00488E69 |. 0F85 8C000000 jnz 00488EFB ; not equal -> leave without registering (the call above presumably compares [ebp-C] with the text from [form+31C] — confirm)
00488E6F |. 8B45 FC mov eax, dword ptr [ebp-4]
00488E72 |. 8B80 90030000 mov eax, dword ptr [eax+390]
00488E78 |. BA 448F4800 mov edx, 00488F44 ; 您已经注册,感谢使用无超软件工作室的产品!
00488E7D |. E8 DE85FAFF call 00431460
00488E82 |. 8B45 FC mov eax, dword ptr [ebp-4]
00488E85 |. 8B80 94030000 mov eax, dword ptr [eax+394]
00488E8B |. 33D2 xor edx, edx
00488E8D |. E8 B684FAFF call 00431348
; Success path: class reference in eax with dl=1 looks like a Delphi
; constructor call; the object (ebx) is then driven with a registry path and
; value name, i.e. the registration state is persisted in the registry — confirm
; which API each call wraps.
00488E92 |. B2 01 mov dl, 1
00488E94 |. A1 80DE4700 mov eax, dword ptr [47DE80]
00488E99 |. E8 E250FFFF call 0047DF80
00488E9E |. 8BD8 mov ebx, eax
00488EA0 |. BA 02000080 mov edx, 80000002 ; 80000002 = HKEY_LOCAL_MACHINE; presumably selects the root key for the object in ebx — confirm
00488EA5 |. 8BC3 mov eax, ebx
00488EA7 |. E8 7451FFFF call 0047E020
00488EAC |. BA 788F4800 mov edx, 00488F78 ; software\microsoft\windows\currentversion\qiangzhi
00488EB1 |. 8BC3 mov eax, ebx
00488EB3 |. E8 1C57FFFF call 0047E5D4
00488EB8 |. 84C0 test al, al
00488EBA |. 75 0C jnz short 00488EC8
00488EBC |. BA 788F4800 mov edx, 00488F78 ; software\microsoft\windows\currentversion\qiangzhi
00488EC1 |. 8BC3 mov eax, ebx
00488EC3 |. E8 BC51FFFF call 0047E084
00488EC8 |> 33C9 xor ecx, ecx
00488ECA |. BA 788F4800 mov edx, 00488F78 ; software\microsoft\windows\currentversion\qiangzhi
00488ECF |. 8BC3 mov eax, ebx
00488ED1 |. E8 8A52FFFF call 0047E160
00488ED6 |. BA B48F4800 mov edx, 00488FB4 ; zhuche
00488EDB |. 8BC3 mov eax, ebx
00488EDD |. E8 4A56FFFF call 0047E52C
00488EE2 |. 84C0 test al, al
00488EE4 |. 75 0E jnz short 00488EF4
00488EE6 |. B1 01 mov cl, 1
00488EE8 |. BA B48F4800 mov edx, 00488FB4 ; zhuche
00488EED |. 8BC3 mov eax, ebx
00488EEF |. E8 E054FFFF call 0047E3D4
00488EF4 |> 8BC3 mov eax, ebx
00488EF6 |. E8 959FF7FF call 00402E90
; Common exit: restore the previous fs:[0] record, then run the cleanup block
; at 00488F08 for the four string locals before returning.
00488EFB |> 33C0 xor eax, eax
00488EFD |. 5A pop edx
00488EFE |. 59 pop ecx
00488EFF |. 59 pop ecx
00488F00 |. 64:8910 mov dword ptr fs:[eax], edx
00488F03 |. 68 358F4800 push 00488F35
00488F08 |> 8D45 E4 lea eax, dword ptr [ebp-1C]
00488F0B |. E8 48ACF7FF call 00403B58
00488F10 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00488F13 |. E8 40ACF7FF call 00403B58
00488F18 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00488F1B |. E8 38ACF7FF call 00403B58
00488F20 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00488F23 |. BA 02000000 mov edx, 2
00488F28 |. E8 4FACF7FF call 00403B7C
00488F2D \. C3 retn
3、算法分析:
3.1、取用户名的每个字符,先立方再开方。得出的数值依次组成字符串。
3.2、如果字符串的长度超过10,只取10位。
4、注册机:
#include <iostream>
#include <string>
#include <math.h>
#include <sstream>
using namespace std;
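/// Builds the registration code that the routine above expects for `username`.
///
/// Every byte of the name is cubed, the square root of the cube is rounded to
/// the nearest integer, the decimal digits of each result are concatenated,
/// and the result is cut to its first 10 characters.
///
/// @param username NUL-terminated name; a null pointer yields "".
/// @return the code: at most 10 characters, empty for an empty name.
std::string calcKey(const char * username)
{
    std::string key;
    if (!username)
        return key;
    // Walk the C string directly instead of calling strlen first.
    for (const char * p = username; *p != '\0'; ++p)
    {
        // Treat the byte as unsigned so values >= 0x80 do not go negative.
        const int ch = static_cast<int>(static_cast<unsigned char>(*p));
        const double cube = static_cast<double>(ch) * ch * ch;
        // +0.5 then truncation rounds half-up; sqrt(ch^3) = ch*sqrt(ch) is
        // either an integer or irrational, so an exact .5 tie cannot occur.
        const int rounded = static_cast<int>(std::sqrt(cube) + 0.5);
        std::ostringstream digits; // integer -> decimal text
        digits << rounded;
        key += digits.str();
    }
    // The checked routine keeps only the first 10 characters.
    if (key.length() > 10)
        key.resize(10);
    return key;
}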
/// Reads one whitespace-delimited user name from stdin and prints its code.
///
/// The two trailing reads swallow the newline left by `cin >>` and then wait
/// for a key press so a console window stays open.
int main()
{
    std::string name;
    std::cout << "请输入用户名:";
    std::cin >> name;
    std::cout << std::endl << "注册码是" << calcKey(name.c_str());
    for (int pause = 0; pause < 2; ++pause)
        std::cin.get();
    return 0;
}