Software: XXX beauty diagnostic program
Protection: serial number + system code + unlock code; VB6 program, not packed.
You enter the serial number first, then the unlock code.
Entering a wrong serial number pops up an error message, so set a breakpoint on rtcMsgBox. It breaks almost at once; returning to the program's own code lands here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006B9871(C)
|
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:006B9B43 8B3D34134000 mov edi, dword ptr [00401334]
:006B9B49 B904000280 mov ecx, 80020004
:006B9B4E 894D8C mov dword ptr [ebp-74], ecx
:006B9B51 B80A000000 mov eax, 0000000A
:006B9B56 894D9C mov dword ptr [ebp-64], ecx
:006B9B59 8D9554FFFFFF lea edx, dword ptr [ebp+FFFFFF54]
:006B9B5F 8D4DA4 lea ecx, dword ptr [ebp-5C]
:006B9B62 894584 mov dword ptr [ebp-7C], eax
:006B9B65 894594 mov dword ptr [ebp-6C], eax
:006B9B68 C7855CFFFFFFDCFC4300 mov dword ptr [ebp+FFFFFF5C], 0043FCDC
:006B9B72 C78554FFFFFF08000000 mov dword ptr [ebp+FFFFFF54], 00000008
:006B9B7C FFD7 call edi
:006B9B7E 8D9564FFFFFF lea edx, dword ptr [ebp+FFFFFF64]
:006B9B84 8D4DB4 lea ecx, dword ptr [ebp-4C]
:006B9B87 C7856CFFFFFFC0FC4300 mov dword ptr [ebp+FFFFFF6C], 0043FCC0
:006B9B91 C78564FFFFFF08000000 mov dword ptr [ebp+FFFFFF64], 00000008
:006B9B9B FFD7 call edi
:006B9B9D 8D4584 lea eax, dword ptr [ebp-7C]
:006B9BA0 8D4D94 lea ecx, dword ptr [ebp-6C]
:006B9BA3 50 push eax
:006B9BA4 8D55A4 lea edx, dword ptr [ebp-5C]
:006B9BA7 51 push ecx
:006B9BA8 52 push edx
:006B9BA9 8D45B4 lea eax, dword ptr [ebp-4C]
:006B9BAC 6A40 push 00000040
:006B9BAE 50 push eax
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:006B9BAF FF15E0104000 Call dword ptr [004010E0]
Two things in the code above matter: the rtcMsgBox call, and the cross-reference from 006B9871. Going to that referencing address should bring us to the place where the check fails:
* Reference To: MSVBVM60.rtcUpperCaseVar, Ord:0210h
|
:006B9837 FF156C114000 Call dword ptr [0040116C]
:006B983D 8D5584 lea edx, dword ptr [ebp-7C]
:006B9840 8D4594 lea eax, dword ptr [ebp-6C]
:006B9843 52 push edx
:006B9844 50 push eax
* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
|
:006B9845 FF1584114000 Call dword ptr [00401184]
:006B984B 8D4DC4 lea ecx, dword ptr [ebp-3C]
:006B984E 668BF8 mov di, ax
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:006B9851 FF15C4134000 Call dword ptr [004013C4]
:006B9857 8D4D94 lea ecx, dword ptr [ebp-6C]
:006B985A 8D5584 lea edx, dword ptr [ebp-7C]
:006B985D 51 push ecx
:006B985E 8D45A4 lea eax, dword ptr [ebp-5C]
:006B9861 52 push edx
:006B9862 8D4DB4 lea ecx, dword ptr [ebp-4C]
:006B9865 50 push eax
:006B9866 51 push ecx
:006B9867 6A04 push 00000004
:006B9869 FFD3 call ebx
:006B986B 83C414 add esp, 00000014
:006B986E 6685FF test di, di
:006B9871 0F84CC020000 je 006B9B43
Here __vbaVarTstEq compares two Variants for equality, and the je at 006B9871 branches on its result: if the jump is taken we end up in the error message box, so if that jump is changed (NOPed out) the program goes straight to the main window.
Once in the main window, clicking some functions still pops up the registration dialog. Any input registers "successfully" at this point, but it is still annoying, and the same dialog also appears at startup.
Let's think this through. The registration dialog appearing at startup means the program checks for a valid registration when it starts. There are two possibilities: either it stores the serial number and unlock code in the registry and calls some function at startup to validate them, or it stores a "registered" flag in the registry. In the first case the startup check and the registration-time check very likely call the same function. Tracing the registration process reveals the core function at 00636280:
eax=0017C48C, (UNICODE "1234567890")
Stack ss:[0012EEC4]=001F1444, (UNICODE "QIN-PSIM-BAS-648444312-C8D3F30F4425080D-ANGEL-11111-22222-33333-44444-55555-QI")
006B97E6 > \8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; unlock code
006B97E9 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
006B97EC . 8945 8C mov dword ptr ss:[ebp-74],eax ; eax = the unlock code the user entered
006B97EF . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
006B97F2 . 8995 6CFFFFFF mov dword ptr ss:[ebp-94],edx
006B97F8 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
006B97FE . 50 push eax
006B97FF . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
006B9802 . 51 push ecx
006B9803 . 52 push edx
006B9804 . C745 D4 00000000 mov dword ptr ss:[ebp-2C],0
006B980B . C745 84 08800000 mov dword ptr ss:[ebp-7C],8008
006B9812 . C745 BC 10000000 mov dword ptr ss:[ebp-44],10
006B9819 . C745 B4 02000000 mov dword ptr ss:[ebp-4C],2
006B9820 . C785 64FFFFFF 0840>mov dword ptr ss:[ebp-9C],4008
006B982A . E8 51CAF7FF call Angel.00636280 <-- the core key computation
006B982F . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
006B9832 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
006B9835 . 50 push eax
006B9836 . 51 push ecx
006B9837 FF15 6C114000 call dword ptr ds:[<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
006B983D . 8D55 84 lea edx,dword ptr ss:[ebp-7C] ; "-44444-55555"
006B9840 . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
006B9843 . 52 push edx
006B9844 . 50 push eax
006B9845 . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq
006B984B . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006B984E . 66:8BF8 mov di,ax
006B9851 . FF15 C4134000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
006B9857 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
006B985A . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
006B985D . 51 push ecx
006B985E . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
006B9861 . 52 push edx
006B9862 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
006B9865 . 50 push eax
006B9866 . 51 push ecx
006B9867 . 6A 04 push 4
006B9869 . FFD3 call ebx
006B986B . 83C4 14 add esp,14
006B986E . 66:85FF test di,di ; di is __vbaVarTstEq's return value: 0 means not equal.
006B9871 . 0F84 CC020000 je <Angel.Fail>
So set a breakpoint on that core registration function, 00636280, and restart the program: sure enough it breaks at startup. Analysing the context brings us here:
00656667 . 51 push ecx
00656668 . 52 push edx
00656669 . E8 12FCFDFF call Angel.00636280
0065666E . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00656671 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
00656674 . 50 push eax
00656675 . 51 push ecx
00656676 . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
0065667C . 8D55 80 lea edx,dword ptr ss:[ebp-80] ; "G:255 B:"
0065667F . 8D45 90 lea eax,dword ptr ss:[ebp-70]
00656682 . 52 push edx
00656683 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00656689 . 50 push eax
0065668A . 51 push ecx
0065668B . FF15 6C124000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00656691 . 50 push eax
00656692 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
00656698 . 8BD0 mov edx,eax
0065669A . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0065669D . FFD6 call esi
0065669F . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
006566A2 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
006566A5 . 52 push edx
006566A6 . 50 push eax
006566A7 . 6A 02 push 2
006566A9 . FF15 DC124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
006566AF . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
006566B5 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
006566B8 . 51 push ecx
006566B9 . 8D45 80 lea eax,dword ptr ss:[ebp-80]
006566BC . 52 push edx
006566BD . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
006566C0 . 50 push eax
006566C1 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
006566C4 . 51 push ecx
006566C5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
006566C8 . 52 push edx
006566C9 . 50 push eax
006566CA . 6A 06 push 6
006566CC . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
006566D2 . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
006566D5 . 83C4 28 add esp,28
006566D8 . 68 D09C4300 push Angel.00439CD0 ; UNICODE "QIN-"
006566DD . 51 push ecx
006566DE . FFD3 call ebx
006566E0 . 8BD0 mov edx,eax
006566E2 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
006566E5 . FFD6 call esi
006566E7 . 50 push eax
006566E8 . 68 E09C4300 push Angel.00439CE0 ; UNICODE "-ANGEL-"
006566ED . FFD3 call ebx
006566EF . 8BD0 mov edx,eax
006566F1 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
006566F4 . FFD6 call esi
006566F6 . 8B55 DC mov edx,dword ptr ss:[ebp-24]
006566F9 . 50 push eax
006566FA . 52 push edx
006566FB . FFD3 call ebx
006566FD . 8BD0 mov edx,eax ; UNICODE "QIN-PSIM-BAS-648444312-C8D3F30F4425080D-ANGEL-11111-22222-33333-44444-55555")
Here you can see the user's serial number and the system code being concatenated, with the literal separators "QIN-", "-ANGEL-" and "-QI" in between.
006566FF . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00656702 . FFD6 call esi
00656704 . 50 push eax
00656705 . 68 F49C4300 push Angel.00439CF4 ; UNICODE "-QI"
0065670A . FFD3 call ebx
0065670C . 8BD0 mov edx,eax
0065670E . 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00656711 . FFD6 call esi
00656713 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00656716 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00656719 . 50 push eax
0065671A . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0065671D . 51 push ecx
0065671E . 52 push edx
0065671F . 6A 03 push 3
00656721 . FF15 DC124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
00656727 . 83C4 10 add esp,10
0065672A . 8D45 EC lea eax,dword ptr ss:[ebp-14]
0065672D . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00656730 . 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax ; UNICODE "-668135518"
00656736 . 8D95 60FFFFFF lea edx,dword ptr ss:[ebp-A0]
0065673C . 51 push ecx
0065673D . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00656740 . BB 02000000 mov ebx,2
00656745 . 52 push edx
00656746 . 50 push eax
00656747 . C745 C8 10000000 mov dword ptr ss:[ebp-38],10
0065674E . 895D C0 mov dword ptr ss:[ebp-40],ebx
00656751 . C785 60FFFFFF 0840>mov dword ptr ss:[ebp-A0],4008
0065675B . E8 20FBFDFF call Angel.00636280 ; call the core function; after it returns the expected code is sitting in memory in plaintext
00656760 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00656763 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00656766 . 51 push ecx
00656767 . 52 push edx
00656768 . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
0065676E . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00656771 . 50 push eax
00656772 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
00656778 . 8BD0 mov edx,eax
0065677A . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0065677D . FFD6 call esi
0065677F . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00656782 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00656785 . 51 push ecx
00656786 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00656789 . 52 push edx
0065678A . 50 push eax
0065678B . 6A 03 push 3
0065678D . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
00656793 . 8B4D E4 mov ecx,dword ptr ss:[ebp-1C] ; "1234567890"
00656796 . 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; "E32706D6BDC96F56" <--- the expected unlock code in plaintext; enough for a memory keygen.
00656799 . 83C4 10 add esp,10
0065679C . 51 push ecx
0065679D . 52 push edx
0065679E . FF15 78114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp ; string comparison
006567A4 . 85C0 test eax,eax
006567A6 . 0F84 9D000000 je Angel.00656849 <----- for a brute-force patch, this is the jump to change.
006567AC . 393D E4557B00 cmp dword ptr ds:[7B55E4],edi
006567B2 . 75 10 jnz short Angel.006567C4
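The memory keygen the listing above makes possible, as an added example that is not part of the original post or of the target program: it models what such a keygen does once the breakpoint at 0065679E fires, reading the two BSTR arguments of __vbaStrCmp off the stack, and, for the earlier __vbaVarTstEq site, a VT_BYREF|VT_BSTR VARIANT (vt 0x4008, as set at 006B9820). The process memory is replaced by a constructed snapshot holding the two strings from the listing at assumed addresses; in a real tool the `read` calls become ReadProcessMemory on the suspended target.

```python
import struct

# VARIANT type codes (OLE Automation) needed below
VT_BSTR = 0x0008
VT_BYREF = 0x4000


class Snapshot:
    """Constructed stand-in for the target's memory: one byte range starting at `base`.
    In a real memory keygen `read` is a ReadProcessMemory call on the suspended process."""

    def __init__(self, base: int, size: int):
        self.base = base
        self.mem = bytearray(size)

    def read(self, addr: int, n: int) -> bytes:
        off = addr - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError(f"read of {n} bytes at {addr:#010x} is outside the snapshot")
        return bytes(self.mem[off:off + n])

    def write(self, addr: int, data: bytes) -> None:
        self.read(addr, len(data))  # bounds check only
        off = addr - self.base
        self.mem[off:off + len(data)] = data


def read_bstr(snap: Snapshot, ptr: int) -> str:
    """A BSTR pointer addresses UTF-16 text; the 4-byte byte length sits just before it.
    VB6 passes the empty string as a NULL pointer, so 0 decodes to ""."""
    if ptr == 0:
        return ""
    (nbytes,) = struct.unpack("<I", snap.read(ptr - 4, 4))
    return snap.read(ptr, nbytes).decode("utf-16-le")


def read_variant_string(snap: Snapshot, var: int) -> str:
    """Read a VARIANT (vt at +0, payload at +8) holding either a BSTR or a BSTR* (VT_BYREF)."""
    (vt,) = struct.unpack("<H", snap.read(var, 2))
    if vt & 0x0FFF != VT_BSTR:
        raise ValueError(f"VARIANT at {var:#010x} has vt={vt:#06x}, not a string")
    (payload,) = struct.unpack("<I", snap.read(var + 8, 4))
    if vt & VT_BYREF:  # payload is a BSTR*, one more hop
        (payload,) = struct.unpack("<I", snap.read(payload, 4))
    return read_bstr(snap, payload)


def strcmp_args_at_call(snap: Snapshot, esp: int) -> tuple:
    """Arguments of `call __vbaStrCmp` as seen when a breakpoint on the call fires.
    stdcall pushes right to left, so [esp] is the first argument (edx, the computed code)
    and [esp+4] the second (ecx, the user's input)."""
    first, second = struct.unpack("<II", snap.read(esp, 8))
    return read_bstr(snap, first), read_bstr(snap, second)


def expected_unlock_code(snap: Snapshot, esp: int) -> str:
    """What the memory keygen displays: the program's own computed code."""
    return strcmp_args_at_call(snap, esp)[0]


def make_bstr(snap: Snapshot, ptr: int, text: str) -> None:
    """Place `text` in the snapshot with BSTR layout so that `ptr` is a valid BSTR pointer."""
    data = text.encode("utf-16-le")
    snap.write(ptr - 4, struct.pack("<I", len(data)) + data + b"\0\0")


def build_snapshot():
    """Constructed: the two strings from the listing, the stack at the call, and one
    VT_BYREF|VT_BSTR VARIANT, all at assumed addresses (only the layout matters)."""
    snap = Snapshot(0x0012E000, 0x3000)
    computed, user, variant, byref_cell = 0x0012F010, 0x0012F100, 0x0012F200, 0x0012F300
    make_bstr(snap, computed, "E32706D6BDC96F56")  # edx at 0065679E
    make_bstr(snap, user, "1234567890")            # ecx at 0065679E
    esp = 0x0012EEC0
    snap.write(esp, struct.pack("<II", computed, user))  # push ecx; push edx
    snap.write(byref_cell, struct.pack("<I", computed))
    snap.write(variant, struct.pack("<HxxxxxxI", VT_BSTR | VT_BYREF, byref_cell))
    return snap, esp, variant


if __name__ == "__main__":
    snap, esp, variant = build_snapshot()
    print("unlock code the program expects:", expected_unlock_code(snap, esp))
    print("same value via the VARIANT path:", read_variant_string(snap, variant))
```

The point of reading the arguments at the call rather than hard-coding [ebp-20] is that the same routine works at any __vbaStrCmp call site; the VARIANT reader covers the __vbaVarTstEq sites, where the operands are 16-byte VARIANTs rather than raw BSTR pointers.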
Summary: the software is protected with a serial number, a system code and an unlock code. rtcMsgBox is the obvious entry point, but the analysis turned up a quicker one: __vbaStrCmp. The program combines the serial number and the system code, runs the result through its encryption routine to produce the unlock code, and compares that with what the user typed. The weakness of this design is that the expected unlock code appears in memory in plaintext; applying the inverse computation to the user's input and then comparing would be somewhat safer, although only against a memory keygen: as long as the program contains everything needed to compute or invert the code, reversing 00636280 still yields a keygen, and the jump patch works regardless. In the end the software is fully cracked with either a memory keygen or a brute-force jump patch. With some patience, tracing into 00636280 will reveal the actual algorithm.
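A file patcher for the two jumps found above (006B9871 and 006567A6), added here as an example and not the author's tool: it maps each virtual address to its file offset through the PE section table, checks that the original bytes are still there, and rewrites each jump with the right sense. The je at 006B9871 leads to the failure message box, so it becomes six NOPs; the je at 006567A6 is taken when __vbaStrCmp returns 0 (strings equal), so it becomes nop + jmp rel32 of the same length, which keeps the same target because rel32 is measured from the instruction's end. The image base 0x400000 and the minimal test image are assumptions used only to exercise the code offline; against a real file the ImageBase is read from the header.

```python
import struct
import sys

# Assumption: the VB6 default image base, consistent with the 0040xxxx import thunks in the
# listings. Only the constructed test image uses it; the patcher reads ImageBase from the PE.
IMAGE_BASE = 0x400000

# The two conditional jumps from the write-up, their original bytes, and the patch sense:
#   006B9871  je -> failure message box : must never be taken   -> six NOPs
#   006567A6  je -> strings-equal path  : must always be taken  -> nop + jmp rel32
PATCHES = [
    (0x6B9871, bytes.fromhex("0F84CC020000"), "never"),
    (0x6567A6, bytes.fromhex("0F849D000000"), "always"),
]


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset via the PE32 section table."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("expected a PE32 (32-bit) image")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    rva = va - image_base
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError(f"{va:#x} has no backing bytes in the file")
            return rawptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_jcc(pe: bytearray, va: int, expect: bytes, sense: str) -> bytes:
    """Rewrite a 6-byte `0F 8x rel32` conditional jump in place and return the new bytes.
    Both forms keep the instruction length, so nothing around them moves:
      never  : 90 90 90 90 90 90   (always fall through)
      always : 90 E9 rel32         (jmp; rel32 still counts from the same end address)"""
    off = va_to_file_offset(pe, va)
    actual = bytes(pe[off:off + 6])
    if actual != expect:
        raise ValueError(f"{va:#x}: found {actual.hex()}, expected {expect.hex()} "
                         "(different build, or already patched)")
    if sense == "never":
        pe[off:off + 6] = b"\x90" * 6
    elif sense == "always":
        pe[off:off + 2] = b"\x90\xE9"
    else:
        raise ValueError(f"unknown sense {sense!r}")
    return bytes(pe[off:off + 6])


def apply_patches(pe: bytearray) -> dict:
    """Apply every entry of PATCHES; returns {va: new bytes as hex}."""
    return {va: patch_jcc(pe, va, expect, sense).hex() for va, expect, sense in PATCHES}


def build_test_image() -> bytearray:
    """Constructed minimal PE32 with one section spanning both jump addresses (not the real binary)."""
    sec_rva, sec_raw, sec_size = 0x256000, 0x400, 0x64000
    img = bytearray(sec_raw + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # Machine (i386), NumberOfSections
    struct.pack_into("<H", img, 0x84 + 16, 224)          # SizeOfOptionalHeader for PE32
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)              # Magic: PE32
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)    # ImageBase
    sec = opt + 224
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_rva, sec_size, sec_raw)
    for va, code, _ in PATCHES:                          # plant the original jumps
        off = va_to_file_offset(img, va)
        img[off:off + 6] = code
    return img


if __name__ == "__main__":
    src = sys.argv[1]
    data = bytearray(open(src, "rb").read())
    for va, new in apply_patches(data).items():
        print(f"{va:08X}: {new}")
    open(src + ".patched", "wb").write(data)
```

Checking the original bytes before writing is what makes the patcher safe to run twice or on a different build: a mismatch refuses rather than corrupting whatever happens to be at that offset.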