Posted on 2010-1-24 17:49:10
【Title】: Algorithm analysis: another Delphi inline assembly example
【Author】: BeyondMe
【Author's email】: futuring@126.com
【Author's homepage】: http://hi.baidu.com/beyond0769
【Software】: GroundControl 3.32
【Download】: http://www.acrasoft.com/download/gc.zip
【Author's note】: Purely out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
There is very little material on Delphi inline assembly, and my own assembly knowledge is thin, so the only way to understand it is slowly, through a lot of analysis and practice.
I have found another example that is well suited to simple inline assembly. Without further ado, let's get to it.
Username: BeyondMe
Registration code: 12345678
An error message pops up. Set a breakpoint with bp MessageBoxA; it breaks, and Alt + F9 returns to the caller.
00415738 . 68 58A64200 PUSH gc.0042A658 ; ASCII "Invalid registration number"
0041573D . E8 EA110000 CALL
00415742 > 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; --> Alt + F9 returns here; the main algorithm is above
00415746 . FF15 7C334200 CALL DWORD PTR DS:[<&MFC71.#578>] ; MFC71.7C1771B1
This is an MFC program, and on first load OllyDbg has not analyzed the MFC library functions. To make the purpose of the called functions easier to understand,
choose "Debug → Select import libraries" from OD's main menu, load MFC42.Lib and mfc71.Lib, then reload the program in OD.
The MFC functions are now resolved to their names, which makes everything much clearer.
00415580 PUSH -1
00415582 PUSH gc.004197D2 ; SE handler installation
00415587 MOV EAX,DWORD PTR FS:[0]
0041558D PUSH EAX
0041558E MOV DWORD PTR FS:[0],ESP
00415595 SUB ESP,24
00415598 PUSH EBX
00415599 PUSH EBP
0041559A PUSH ESI
0041559B PUSH EDI
0041559C PUSH 1
0041559E MOV EBP,ECX
004155A0 CALL ; read the entered code
004155A5 CALL
004155AA MOV EBX,DWORD PTR DS:[EAX+4]
004155AD LEA ESI,DWORD PTR SS:[EBP+74]
004155B0 MOV ECX,ESI
004155B2 MOV DWORD PTR SS:[ESP+18],EBX
004155B6 CALL DWORD PTR DS:[<&MFC71.#6174_?TrimLeft@?$CStrin>; MFC71.7C18A05C
004155BC MOV ECX,ESI
004155BE CALL DWORD PTR DS:[<&MFC71.#6180_?TrimRight@?$CStri>; MFC71.7C18A010
004155C4 LEA EDI,DWORD PTR SS:[EBP+78]
004155C7 MOV ECX,EDI
004155C9 CALL DWORD PTR DS:[<&MFC71.#6174_?TrimLeft@?$CStrin>; MFC71.7C18A05C
004155CF MOV ECX,EDI
004155D1 CALL DWORD PTR DS:[<&MFC71.#6180_?TrimRight@?$CStri>; MFC71.7C18A010
004155D7 PUSH ECX
004155D8 MOV ECX,ESP
004155DA MOV DWORD PTR SS:[ESP+18],ESP
004155DE PUSH ESI
004155DF CALL DWORD PTR DS:[<&MFC71.#297_??0?$CStringT@DV?$S>; MFC71.7C14E575
004155E5 MOV ECX,EBX
004155E7 CALL gc.00409410
004155EC TEST EAX,EAX
004155EE JE gc.0041574C
004155F4 PUSH gc.00426E24 ; ASCII "GC"
004155F9 LEA ECX,DWORD PTR SS:[ESP+14] ; the "GC" above is a hard-coded string
004155FD CALL DWORD PTR DS:[<&MFC71.#304_??0?$CStringT@DV?$S>; MFC71.7C16A59C
00415603 PUSH ESI
00415604 LEA ECX,DWORD PTR SS:[ESP+14]
00415608 MOV DWORD PTR SS:[ESP+40],0
00415610 CALL DWORD PTR DS:[<&MFC71.#907_??Y?$CStringT@DV?$S>; "GC" + username, concatenated into a new string; call it UserName
00415616 LEA ECX,DWORD PTR SS:[ESP+10]
0041561A CALL DWORD PTR DS:[<&MFC71.#876_??B?$CSimpleStringT>; MFC71.7C158BCD
00415620 PUSH EAX
00415621 LEA EAX,DWORD PTR SS:[ESP+18]
00415625 PUSH EAX
00415626 CALL DWORD PTR DS:[<&AcraGC.?StringToKey@CGCEngine@>; core algorithm
0041562C ADD ESP,8 ; register EDX points to the real registration code
0041562F MOV ECX,EDI
00415631 MOV EBX,EAX
00415633 CALL DWORD PTR DS:[<&MFC71.#876_??B?$CSimpleStringT>; MFC71.7C158BCD
00415639 PUSH EAX ; entered code
0041563A MOV ECX,EBX
0041563C CALL DWORD PTR DS:[<&MFC71.#1482_?Compare@?$CString>; compare the real and entered codes
00415642 MOV EBX,EAX
00415644 NEG EBX
00415646 SBB BL,BL
00415648 LEA ECX,DWORD PTR SS:[ESP+14]
0041564C INC BL
0041564E CALL DWORD PTR DS:[<&MFC71.#578_??1?$CStringT@DV?$S>; MFC71.7C1771B1
00415654 TEST BL,BL
00415656 JE gc.00415734 ; jump away on failure
0041565C MOV ECX,EBP
0041565E CALL
00415663 PUSH 80000002
00415668 LEA ECX,DWORD PTR SS:[ESP+20] ; below: save the registration code in the registry
0041566C CALL DWORD PTR DS:[<&AcraCmn.??0CRegistry@@QAE@PAUH>; AcraCmn.??0CRegistry@@QAE@PAUHKEY__@@@Z
00415672 PUSH gc.00426D90 ; ASCII "Software\Acrasoft\GroundControl\Registration"
00415677 PUSH 80000002
0041567C LEA ECX,DWORD PTR SS:[ESP+24]
00415680 MOV BYTE PTR SS:[ESP+44],1
00415685 CALL DWORD PTR DS:[<&AcraCmn.?VerifyKey@CRegistry@@>; AcraCmn.?VerifyKey@CRegistry@@QAEHPAUHKEY__@@PBD@Z
0041568B TEST EAX,EAX
0041568D JNZ SHORT gc.004156A3
0041568F PUSH gc.00426D90 ; ASCII "Software\Acrasoft\GroundControl\Registration"
00415694 PUSH 80000002
00415699 LEA ECX,DWORD PTR SS:[ESP+24]
0041569D CALL DWORD PTR DS:[<&AcraCmn.?CreateKey@CRegistry@@>; AcraCmn.?CreateKey@CRegistry@@QAEHPAUHKEY__@@PBD@Z
004156A3 PUSH gc.00426D90 ; ASCII "Software\Acrasoft\GroundControl\Registration"
004156A8 PUSH 80000002
004156AD LEA ECX,DWORD PTR SS:[ESP+24]
004156B1 CALL DWORD PTR DS:[<&AcraCmn.?Open@CRegistry@@QAEHP>; AcraCmn.?Open@CRegistry@@QAEHPAUHKEY__@@PBD@Z
004156B7 TEST EAX,EAX
004156B9 JE SHORT gc.004156FF
004156BB MOV ECX,ESI
004156BD CALL DWORD PTR DS:[<&MFC71.#876_??B?$CSimpleStringT>; MFC71.7C158BCD
004156C3 MOV EBX,DWORD PTR DS:[<&AcraCmn.?Write@CRegistry@@Q>; AcraCmn.?Write@CRegistry@@QAEHPBD0@Z
004156C9 PUSH EAX
004156CA PUSH gc.00426D88 ; ASCII "Name"
004156CF LEA ECX,DWORD PTR SS:[ESP+24]
004156D3 CALL EBX ; <&AcraCmn.?Write@CRegistry@@QAEHPBD0@Z>
004156D5 MOV ECX,EDI
004156D7 MOV EBP,EAX
004156D9 CALL DWORD PTR DS:[<&MFC71.#876_??B?$CSimpleStringT>; MFC71.7C158BCD
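The three instructions right after the Compare call (NEG EBX / SBB BL,BL / INC BL at 00415644..0041564C) are a compiler idiom that collapses Compare's three-way result (negative, zero, positive) into a single 0/1 byte, which TEST BL,BL / JE then branches on. The C below is an added example, not code from the post or from GroundControl: it emulates those three instructions with explicit carry-flag semantics so you can verify that BL ends up 1 exactly when Compare returned 0 (strings equal). The only assumption is standard x86 behaviour: NEG sets CF when its operand is non-zero, and SBB subtracts the carry.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates the sequence at 00415644..0041564C:
 *   NEG EBX      ; EBX = -EBX, CF = (old EBX != 0)
 *   SBB BL,BL    ; BL = BL - BL - CF = -CF  -> 0xFF if CF, else 0x00
 *   INC BL       ; BL = 0x00 if CF, else 0x01
 * Input is the value Compare left in EAX (copied to EBX at 00415642).
 * Returns the byte left in BL: 1 when the two strings compared equal. */
uint8_t neg_sbb_inc(uint32_t compare_result)
{
    uint32_t ebx = compare_result;

    /* NEG r32: result is two's complement; CF is set unless operand was 0. */
    int cf = (ebx != 0);
    ebx = (uint32_t)(0u - ebx);

    /* SBB BL,BL: BL - BL is always 0, so only the borrow (CF) survives. */
    uint8_t bl = (uint8_t)(0u - (uint32_t)cf);   /* 0xFF or 0x00 */

    /* INC BL: 0xFF wraps to 0x00, 0x00 becomes 0x01. */
    bl = (uint8_t)(bl + 1u);

    (void)ebx;  /* the negated EBX itself is never read again */
    return bl;
}

/* The plain C meaning of the idiom, used to cross-check the emulation. */
int strings_equal_from_compare(int compare_result)
{
    return compare_result == 0;
}

/* Models TEST BL,BL / JE gc.00415734: returns 1 if execution falls through
 * into the registry-saving code, 0 if it jumps to the failure path. */
int takes_success_path(uint32_t compare_result)
{
    return neg_sbb_inc(compare_result) != 0;
}

int main(void)
{
    /* Constructed sample Compare results: equal, entered < real, entered > real. */
    const int samples[] = { 0, -1, 1, -12345, 0x7fffffff };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t eax = (uint32_t)samples[i];
        printf("Compare=%11d  BL=%u  success_path=%d\n",
               samples[i], neg_sbb_inc(eax), takes_success_path(eax));
    }
    return 0;
}
```

Reading the idiom this way also explains why the JE at 00415656 is the "failure" jump: BL is non-zero only when Compare returned 0, so a zero BL (mismatch) takes the jump.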