Analysis of a CrackMe
Last edited by label on 2014-10-18 16:33. I ran into this CM while wandering around 52pojie today; it looked interesting, so I played with it.
First, check the packer.
It's UPX, so I just ran it through an unpacker!!
After unpacking,
I double-clicked to run the program and nothing happened. I figured it must be doing a self-check. Loaded it into OD and set a breakpoint on ExitProcess. No reaction. Painful...
The comments under the CM also mention this:
The author actually hooked quite a few of the program's own functions, so even if you break in ExitProcess and trace back, the address is still wrong, because function A is called but it returns from function B (normally, after A is called and finishes, it returns from the end of A).
So let's set a breakpoint commonly used for self-checks:
GetFileSize
The program returns to:
00401189 50 push eax
0040118A 68 01000000 push 0x1
0040118F BB 58020000 mov ebx,0x258
00401194 E8 770D0100 call KingCeac.00411F10
00401199 83C4 10 add esp,0x10 ; the program returns here
0040119C 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; save the file size to a local variable
0040119F 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
004011A2 85DB test ebx,ebx
004011A4 74 09 je short KingCeac.004011AF
004011A6 53 push ebx
004011A7 E8 5EFE0000 call KingCeac.0041100A
004011AC 83C4 04 add esp,0x4
004011AF 817D F8 0AC4010>cmp dword ptr ss:[ebp-0x8],0x1C40A ; compare the current file size against 0x1c40a (size of the still-packed file, 0x1c40a)
004011B6 0F8C 0A000000 jl KingCeac.004011C6 ; if smaller, the jump is taken; change this to JMP
004011BC 6A 00 push 0x0
004011BE E8 2FFE0000 call KingCeac.00410FF2 ; exit function
004011C3 83C4 04 add esp,0x4
004011C6 68 01030080 push 0x80000301
004011CB 6A 00 push 0x0
Save the file; after opening the patched file, the program runs normally.
Enter any serial
Click register
Prompt
The program restarts
A typical restart verification
Reload the program
Search for ASCII strings
00401EEA 58 pop eax
00401EEB 8945 F8 mov dword ptr ss:[ebp-0x8],eax
00401EEE 6A 00 push 0x0
00401EF0 6A 00 push 0x0
00401EF2 6A 00 push 0x0
00401EF4 68 01030080 push 0x80000301
00401EF9 6A 00 push 0x0
00401EFB 68 01000000 push 0x1
00401F00 68 04000080 push 0x80000004
00401F05 6A 00 push 0x0
00401F07 68 78334300 push KingCeac.00433378 ; user32
00401F0C 68 03000000 push 0x3
00401F11 BB 70020000 mov ebx,0x270
00401F16 E8 650A0100 call KingCeac.00412980 ; read the contents of user32 in the program directory
00401F1B 83C4 28 add esp,0x28
00401F1E A3 F5434300 mov dword ptr ds:[0x4343F5],eax
00401F23 6A 00 push 0x0
00401F25 6A 00 push 0x0
00401F27 6A 00 push 0x0
00401F29 68 01030080 push 0x80000301
00401F2E 6A 00 push 0x0
00401F30 68 01000000 push 0x1
00401F35 68 04000080 push 0x80000004
00401F3A 6A 00 push 0x0
00401F3C 68 7F334300 push KingCeac.0043337F ; CallWindowProcA.dll
00401F41 68 03000000 push 0x3
00401F46 BB 70020000 mov ebx,0x270
00401F4B E8 300A0100 call KingCeac.00412980 ; read the contents of CallWindowProcA.dll in the program directory
00401F50 83C4 28 add esp,0x28
00401F53 A3 F9434300 mov dword ptr ds:[0x4343F9],eax
00401F58 833D F5434300 0>cmp dword ptr ds:[0x4343F5],0x0 ; check whether the user32 read from the current directory is empty
00401F5F 90 nop ; NOP this out directly
00401F60 90 nop
00401F61 90 nop
00401F62 90 nop
00401F63 90 nop
00401F64 90 nop
00401F65 68 01030080 push 0x80000301
00401F6A 6A 00 push 0x0
00401F6C FF35 F5434300 push dword ptr ds:[0x4343F5]
00401F72 68 01000000 push 0x1
00401F77 BB A4020000 mov ebx,0x2A4
00401F7C E8 DF0A0100 call KingCeac.00412A60
00401F81 83C4 10 add esp,0x10
00401F84 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00401F87 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00401F8A 50 push eax
00401F8B 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00401F8E 85DB test ebx,ebx
00401F90 74 09 je short KingCeac.00401F9B
00401F92 53 push ebx
00401F93 E8 72F00000 call KingCeac.0041100A
00401F98 83C4 04 add esp,0x4
00401F9B 58 pop eax
00401F9C 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00401F9F 68 01030080 push 0x80000301
00401FA4 6A 00 push 0x0
00401FA6 FF35 F9434300 push dword ptr ds:[0x4343F9]
00401FAC 68 01000000 push 0x1
00401FB1 BB A4020000 mov ebx,0x2A4
00401FB6 E8 A50A0100 call KingCeac.00412A60
00401FBB 83C4 10 add esp,0x10
00401FBE 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00401FC1 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00401FC4 50 push eax
00401FC5 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00401FC8 85DB test ebx,ebx
00401FCA 74 09 je short KingCeac.00401FD5
00401FCC 53 push ebx
00401FCD E8 38F00000 call KingCeac.0041100A
00401FD2 83C4 04 add esp,0x4
00401FD5 58 pop eax
00401FD6 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00401FD9 68 04000080 push 0x80000004
00401FDE 6A 00 push 0x0
00401FE0 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00401FE3 85C0 test eax,eax
00401FE5 75 05 jnz short KingCeac.00401FEC
00401FE7 B8 A0324300 mov eax,KingCeac.004332A0
00401FEC 50 push eax
00401FED 68 01000000 push 0x1
00401FF2 BB 98010000 mov ebx,0x198
00401FF7 E8 34010100 call KingCeac.00412130
00401FFC 83C4 10 add esp,0x10
00401FFF 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00402002 68 05000080 push 0x80000005
00402007 6A 00 push 0x0
00402009 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040200C 85C0 test eax,eax
0040200E 75 05 jnz short KingCeac.00402015
00402010 B8 C3324300 mov eax,KingCeac.004332C3
00402015 50 push eax
00402016 68 01000000 push 0x1
0040201B BB 08000000 mov ebx,0x8
00402020 B8 D08E4100 mov eax,KingCeac.00418ED0
00402025 E8 A6FD0000 call KingCeac.00411DD0
0040202A 83C4 10 add esp,0x10
0040202D 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
00402030 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
00402033 85DB test ebx,ebx
00402035 74 09 je short KingCeac.00402040
00402037 53 push ebx
00402038 E8 CDEF0000 call KingCeac.0041100A
0040203D 83C4 04 add esp,0x4
00402040 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00402043 50 push eax
00402044 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
00402047 85DB test ebx,ebx
00402049 74 09 je short KingCeac.00402054
0040204B 53 push ebx
0040204C E8 B9EF0000 call KingCeac.0041100A
00402051 83C4 04 add esp,0x4
00402054 58 pop eax
00402055 8945 EC mov dword ptr ss:[ebp-0x14],eax
00402058 68 01030080 push 0x80000301
0040205D 6A 00 push 0x0
0040205F FF35 F5434300 push dword ptr ds:[0x4343F5]
00402065 68 01000000 push 0x1
0040206A BB 78020000 mov ebx,0x278
0040206F E8 FC0B0100 call KingCeac.00412C70
00402074 83C4 10 add esp,0x10
00402077 68 01030080 push 0x80000301
0040207C 6A 00 push 0x0
0040207E FF35 F9434300 push dword ptr ds:[0x4343F9]
00402084 68 01000000 push 0x1
00402089 BB 78020000 mov ebx,0x278
0040208E E8 DD0B0100 call KingCeac.00412C70
00402093 83C4 10 add esp,0x10
00402096 FF75 F0 push dword ptr ss:[ebp-0x10]
00402099 FF75 EC push dword ptr ss:[ebp-0x14]
0040209C B9 02000000 mov ecx,0x2
004020A1 E8 56F0FFFF call KingCeac.004010FC
004020A6 83C4 08 add esp,0x8
004020A9 8945 E8 mov dword ptr ss:[ebp-0x18],eax
004020AC 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
004020AF 50 push eax
004020B0 FF75 E8 push dword ptr ss:[ebp-0x18]
004020B3 E8 C4F7FFFF call KingCeac.0040187C
004020B8 83C4 08 add esp,0x8
004020BB 83F8 00 cmp eax,0x0
004020BE B8 00000000 mov eax,0x0
004020C3 0F94C0 sete al
004020C6 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
004020C9 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
004020CC 85DB test ebx,ebx
004020CE 74 09 je short KingCeac.004020D9
004020D0 53 push ebx
004020D1 E8 34EF0000 call KingCeac.0041100A ; check whether the serial is correct
004020D6 83C4 04 add esp,0x4
004020D9 837D E4 00 cmp dword ptr ss:[ebp-0x1C],0x0
004020DD 90 nop ; NOP
004020DE 90 nop
004020DF 90 nop
004020E0 90 nop
004020E1 90 nop
004020E2 90 nop
004020E3 E8 68000000 call KingCeac.00402150 ; success CALL
004020E8 E9 05000000 jmp KingCeac.004020F2
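As an added sanity check (my own script, not part of the original post or the CM), the following Python resolves the targets of the relative call/jmp/jcc encodings in the two listings above from their opcode bytes and compares them with the targets OllyDbg printed; the sample lines are copied from the listings. The same size logic also shows why the runs of six NOPs above are exactly the length of a near conditional jump (0F 8x rel32).

```python
import re

# Constructed sample: branch lines copied from the OllyDbg listings in this post.
LISTING = """\
00401194 E8 770D0100 call KingCeac.00411F10
004011A4 74 09 je short KingCeac.004011AF
004011B6 0F8C 0A000000 jl KingCeac.004011C6
004011BE E8 2FFE0000 call KingCeac.00410FF2
004020A1 E8 56F0FFFF call KingCeac.004010FC
004020E3 E8 68000000 call KingCeac.00402150
"""

HEX = re.compile(r"[0-9A-F]+")  # OllyDbg prints opcode bytes in upper case


def parse_line(line):
    """Split 'addr bytes... mnemonic operands' into (addr, bytes, mnemonic, operands)."""
    tok = line.split()
    addr, code, i = int(tok[0], 16), b"", 1
    while i < len(tok) and HEX.fullmatch(tok[i]):
        code += bytes.fromhex(tok[i])
        i += 1
    return addr, code, tok[i] if i < len(tok) else "", " ".join(tok[i + 1:])


def branch_target(addr, code):
    """Resolve a relative call/jmp/jcc target from its encoding; None if not a branch."""
    op = code[0] if code else None
    if op in (0xE8, 0xE9) and len(code) >= 5:                        # call/jmp rel32
        rel, size = int.from_bytes(code[1:5], "little", signed=True), 5
    elif op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:   # jcc rel32
        rel, size = int.from_bytes(code[2:6], "little", signed=True), 6
    elif op is not None and (0x70 <= op <= 0x7F or op == 0xEB) and len(code) >= 2:
        rel, size = int.from_bytes(code[1:2], "little", signed=True), 2  # jcc/jmp rel8
    else:
        return None
    return (addr + size + rel) & 0xFFFFFFFF   # target = next instruction + displacement


def check_listing(text):
    """Return (addr, mnemonic, computed_target, printed_target) for every branch line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, code, mnemonic, operands = parse_line(line)
        target = branch_target(addr, code)
        if target is None:
            continue
        m = re.search(r"\.([0-9A-F]{8})$", operands)
        out.append((addr, mnemonic, target, int(m.group(1), 16) if m else None))
    return out
```

Every computed target matches the one OllyDbg printed, which confirms the listing was not mangled when it was pasted.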
Brief description of the algorithm
Take the MD5 of the serial and save it to CallWindowProcA.dll in the run directory
Save 00 to user32 in the run directory
CM download link
http://yunpan.cn/cssXJPRqzS55z (extraction code: 2da8)
Learned something, thanks
Learned a bit more, thanks OP
A good chance to learn, thanks to OP for making and sharing this!
Can't understand it.....
Thanks to OP for sharing selflessly
Thanks for sharing, OP!
Respect to the MFC master...
Support for original tutorials, thanks for sharing