版本号:2.07.230420 build:2305161537
目标程序是64位的delphi程序,无法用IDR等工具反编译。
一般来说,验证程序首先是对输入的注册码进行长度检验,所以查找导入表看看那些函数带了len的关键字。总计找到3个,strlen、lstrlenA、lstrlenW。
分别对这3个函数下断点,在输入注册码时就会自动计算注册码的正确性。虽然在lstrlenW断下多次,但是没有出现输入的注册码。
但是有两个值得关注的点,一个是有lstrlenW的参数是无效的,另一个lstrlenW的参数是无法解析的注册码,也许能通过这两条线索溯源到注册码算法。
在第一种情况断下时,查看调用栈,看到是一个SetWindowTextW函数调用,这看来是是在设置某个窗口的文本,在这里下断,下次看看是对什么窗口设置了什么文本。
重新走一遍注册过程,发现这里是对静态文本框设置无法解析的注册码的文本,在往上追溯,就找到更多与注册相关的字符串,如注册码已过期等。此时,离注册码算法一步之遥了(sub_1F56520)。
为什么没有在IDA的字符串中找到
注册码相关的字符串呢?原因为IDA将这些UTF16的字符串视作数据,所以没有出现在IDA字符串列表中。以后需要用不同编码的文本的16进制数据搜索,不能简单依赖IDA的字符串列表。
仔细分析函数sub_1F56520,该函数已经是注册算法运行过后。在栈溯源没有什么成果时,把目光瞄准sub_1F56520的参数,其参数3是一个字符串无法解析注册码,在IDA中搜索16进制。找到这个字符串的位置继续分析。
引用该字符串的函数只有一个(sub_1284430),在函数开头下断,查看函数的参数,终于看到心心念的序列号和注册码。
主要由两个函数分别处理序列号和注册码,一个是sub_1285860,另一个是sub_1285090。
序列号处理很简单,把不是16进制有效字符去掉,组成一个长度为16的字符串,将该字符串转成二进制/整数。如8D9D7\0FF6D\008B0\0将得到8D 9D 70 FF 6D 00 8B 00。
注册码的处理:
- 首先将注册码逐字符找到在千字文中位置(记为数组pos),但注册码长度不能超过21。
- pos异或解扰,算法如下:
for ( i = 1; i != 21; ++i )
pos[i] ^= pos[0] + i;
- 将前20字节累加得到检验和,与第21字节比较。
处理完后,序列号和注册码分别位于某个实例的+45和+24处,分别记为xser和xreg。
要求以下条件成立:
-
xser[0:4] == xreg[1:5],否则报告
注册码、序列号不匹配-H -
xser[4:6] == xreg[5:7],否则报告
注册码、序列号不匹配-V -
xser[6:8] == xreg[7:9],否则报告
注册码、序列号不匹配-D
经过分析,xreg的结构如下:
上述结果仅第19字节未明晰功能,计算Hash的函数为sub_5210F0,目前暂未分析。
代码:
I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5jbHVkZSA8c3RkaW50Lmg+DQoNCnN0YXRpYyBjb25zdCBjaGFyIHRob3VzYW5kX3dvcmRzW10gPSANCnsNCiAgICAi5aSp5Zyw546E6buE5a6H5a6Z5rSq6I2S5pel5pyI55uI6L6w5a6/5YiX5byg5a+S5p2l5pqR5b6A56eL5pS25Yas6JeP6Zew5L2Z5oiQ5bKB5b6L5ZCV6LCD6Ziz5LqRIg0KICAgICLohb7oh7Tpm6jpnLLnu5PkuLrpnJzph5HnlJ/kuL3msLTnjonlh7rmmIblhojliZHlj7flt6jnj6Dnp7DlpJzlhYnmnpznj43mnY7oj5zph43oiqXlp5zmtbflkrjmsrMiDQogICAgIua3oemznua9nOe+vee/lOm+meW4iOeBq+W4nem4n+WumOS6uueah+Wni+WItuaWh+Wtl+S5g+acjeiho+ijs+aOqOS9jeiuqeWbveaciemZtuWUkOawkeWRqOWPkeautyINCiAgICAi5rGk5Z2Q5pyd6Zeu6YGT5oux5bmz56ug54ix6IKy6buO6aaW6Iej5oiO576M5L2T546H5a6+5b2S546L6bij5Yek5Zyo56u555m96am56aOf5Zy65YyW6KKr6I2J5pyoIg0KICAgICLlj4rkuIfmlrnnm5bmraTouqvlm5vlpKfkupTluLjmga3pnqDlhbvmlaLmhZXotJ7mtIHmlYjmiY3oia/nn6Xlv4Xlvpfog73ojqvlv5josIjlvbznn63plb/kv6Hkvb8iDQogICAgIuWPr+WZqOassumHj+WiqOS4neivl+i1nue+iuaZr+ihjOe7tOi0pOW/teS9nOWco+W+t+W7uuWQjeeri+W9ouerr+ihqOato+epuuiwt+S8oOWjsOWgguS5oOWQrOWboCINCiAgICAi56ev56aP57yY5ZaE5bqG5bC66Z2e5a6d5a+45piv56ue6LWE5LqL5ZCb5LiO5pWs5a2d5b2T5Yqb5b+g5YiZ5Li06JaE5YW05rip5Ly85YWw5pav6aao5aaC5p2+5LmLIg0KICAgICLnm5vlt53mtYHkuI3mga/muIrmvoTlj5bmmKDlrrnmraLoi6XmgJ3oqIDovp7lronlrprliJ3or5rnvo7lrpzku6TojaPkuJrmiYDln7rnsY3nlJrml6DlrabkvJjnmbsiDQogICAgIuS7leaRhOiBjOS7juaUv+WtmOS7peeUmOajoOWOu+iAjOebiuWSj+S5kOauiui0teekvOWIq+WwiuS4iuWSjOS4i+edpuWkq+WUseWmh+maj+WkluiureWFpeWlieavjSINCiAgICAi5Luq6K+45aeR5Lyv5Y+U54q55a2Q5q+U5oCA5YWE5byf5ZCM6L+e5p6d5Y+L5oqV5YiG56Oo6KeE5LuB5oWI6YCg56a76IqC5LmJ5buJ6YCA6Z2Z5oOF6YC45b+D5YqoIg0KICAgICLnpZ7lrojnnJ/lv5fmu6HpgJDnianmhI/np7vlnZrmjIHpm4Xlpb3niLXoh6rpg73ljY7lpI/kuJzopb/kuozkuqzog4zpnaLmtJvmta7muK3mja7lrqvmrr/nm5jmpbwiDQogICAgIuingumjnuWbvuWGmeeUu+W9qeS7meeBteS4meiIjeaXgeWQr+eUsuW4kOWvueiuvuW4rem8k+eRn+WNh+mYtue6s+i9rOaYn+WPs+mAmuW5v+WGheW3pui+vuaJv+aYjiINCiAgICAi5pei6ZuG5YW45Lqm6IGa576k6Iux5p2c56i/6ZKf5ryG5Lmm57uP5bqc572X5bCG55u46Lev5L6g5Y2/5oi35bCB5YWr5Y6/5a6257uZ5Y2D5YW16auY5Yag6Zmq5oyvIg0KICAgICLkuJbnpoTlr4zovabpqb7ovbvnrZblip/ojILlrp7nopHliLvpk63muqrkvIrlsLnkvZDml7bpmL/ooaHlroXmm7LpmJzlvq7ml6blrbDokKXlhazljKHlkIjmtY7lvLEiDQogICAgIuaJtuWAvuWbnuaxieaDoOivtOaEn+atpuS4geS/iuWvhuWkmuWjq+WugeaZi+almuabtOmcuOi1temtj+aoqumAlOi3teWcn+S8muebn+S9lemBtee6puazlemfqei1tyINCiAgICAi6aKH54mn55So5Yab5pyA57K+5a6j5aiB5rKZ5ryg6amw6KqJ5Li56Z2S5Lmd5bee56a56L+555m+6YOh56em5bm25bKz5a6X5rOw5bKx56aF5Li75Lqt6ZuB6Zeo57SrIg0KICAgICLpuKHnlLDotaTmsaDnoqPnn7Pph47mtJ7luq3ml7fov5znu7XlsqnmsrvmnKzkuo7lhpzliqHovb3ljZfkuqnmiJHoibrnqI7nhp/otKHmlrDlip3otY/lrZ/mlabntKAiDQogICAgIuWPsumxvOenieebtOW6tuWHoOS4reWKs+iwpuiwqOiBhumfs+Wvn+eQhumJtOiyjOi+qOWLieWFtuakjeecgei6rOWinuaKl+aegei/keael+eai+W5uOWNs+S4pOeWjyINCiAgICAi6KeB5py66Kej57uE6LCB57Si5bGF6Zey5aSE5rKJ6buY5a+C5rGC5Y+k5a+76K665pWj6JmR6YCN6YGl5qyj5aWP57Sv5oia6LCi5qyi5oub5rig6I2355qE5Y6G5ZutIg0KICAgICLmnaHmnofmnbfmmZrnv6DmoqfmoZDpmYjmoLnlp5Tlj7bpo5jmkYfmuLjov5Dlh4zpnITor7vnjqnluILlr5Pnm67nrrHmmJPlsZ7ogLPlopnlhbfppJDppa3pgILlj6MiDQogICAgIuWFheiCoOmlseS6suiAgeWwkeW8gueyruW+oee7qee6uuS+jeW3vuaIv+aJh+WchumTtueDm+aYvOWkleiTneesi+ixoeW6iuW8puatjOmFkuWutOaOpeadr+S4vumhvyINCiAgICAi5oKm6LGr5LiU5bq35ZCO57ut5bCd5YaN5ouc566A6KaB6aG+562U5a6h6K+m5oOz5omn54Ot5oS/5YeJ54m56LeD6LaF6I635Y+b5biD5Li455C06Ziu56yU5Lym57q4Ig0KICAgICLpkqflt6fku7vpkpPph4rnurfliKnkv5fnmobkvbPlppnmr5vmlr3mt5Hlp7/lt6Xlpo3nrJHlubTmr4/lgqzmnJfmgqznjq/nhafmjIfolqrkv67msLjnu6XlkInnn6kiDQogICAgIuatpeW8lemihuS/r+S7sOW7iuadn+W4puefnOW6hOW+mOW+iueeu+ecuumXu+iSmeetieiwk+ivreWKqeiAheeEieWTieS5juS5nyINCn07DQoNCmludCB0aG91c2FuZF93b3Jkc19maW5kKGNoYXIgY2gxLCBjaGFyIGNoMikNCnsNCiAgICBjaGFyKiBwb3MgPSAoY2hhciopdGhvdXNhbmRfd29yZHMtMTsNCiAgICANCiAgICB3aGlsZSgxKQ0KICAgIHsNCiAgICAgICAgcG9zID0gc3RyY2hyKHBvcysxLCBjaDEpOw0KICAgICAgICBpZihwb3MgPT0gTlVMTCkNCiAgICAgICAgew0KICAgICAgICAgICAgYnJlYWs7DQogICAgICAgIH0NCiAgICAgICAgaWYocG9zWzFdID09IGNoMikNCiAgICAgICAgew0KICAgICAgICAgICAgcmV0dXJuIChwb3MtdGhvdXNhbmRfd29yZHMpLzI7DQogICAgICAgIH0gICAgICAgDQogICAgfQ0KICAgIHJldHVybiAtMTsNCn0NCg0KaW50IHJlZ19kZWNvZGUodWludDhfdCAqcmVnLCBjaGFyICpyZWdfaW5wdXQpDQp7DQogICAgaW50IGk7DQogICAgZm9yKGk9MDtpPDIxO2krKykNCiAgICB7DQogICAgICAgIHJlZ1tpXSA9IHRob3VzYW5kX3dvcmRzX2ZpbmQocmVnX2lucHV0W2kqMl0sIHJlZ19pbnB1dFtpKjIrMV0pOw0KICAgIH0NCiAgICByZXR1cm4gMTsNCn0NCg0KaW50IHJlZ19lbmNvZGUodWludDhfdCAqcmVnLCBjaGFyICpyZWdfb3V0cHV0KQ0Kew0KICAgIGludCBpOw0KICAgIGZvcihpPTA7aTwyMTtpKyspDQogICAgew0KICAgICAgICBtZW1jcHkoJnJlZ19vdXRwdXRbaSoyXSwgJnRob3VzYW5kX3dvcmRzW3JlZ1tpXSoyXSwgMik7DQogICAgfQ0KICAgIHJlZ19vdXRwdXRbaSoyXSA9IDA7DQogICAgcmV0dXJuIDE7DQp9DQoNCnZvaWQgcmVnX3NjcmFtYmxpbmcodWludDhfdCAqcmVnLCB1aW50OF90IHhvcl9jb2RlKQ0Kew0KICAgIGludCBpOw0KICAgIGZvcihpPTA7aTwyMDtpKyspDQogICAgew0KICAgICAgICByZWdbaV0gXj0geG9yX2NvZGUgKyBpICsgMTsNCiAgICB9DQp9DQoNCnVpbnQ4X3QgcmVnX2NoZWNrc3VtKHVpbnQ4X3QgKnJlZykNCnsNCiAgICBpbnQgaTsNCiAgICB1aW50OF90IGNoZWNrc3VtID0gMDsNCiAgICBmb3IoaT0wO2k8MjA7aSsrKQ0KICAgIHsNCiAgICAgICAgY2hlY2tzdW0gKz0gcmVnW2ldOw0KICAgIH0NCiAgICByZXR1cm4gY2hlY2tzdW07DQp9DQoNCmludCBnZW5lcmF0ZSh1aW50OF90ICpzZXIsIGNoYXIgKnJlZ19vdXRwdXQpDQp7DQogICAgdWludDhfdCByZWdbMjFdID0gezB9Ow0KICAgIA0KICAgIG1lbWNweSgmcmVnWzFdLCAmc2VyWzBdLCA0KTsgICAgLy9IDQogICAgbWVtY3B5KCZyZWdbNV0sICZzZXJbNF0sIDIpOyAgICAvL1YNCiAgICBtZW1jcHkoJnJlZ1s3XSwgJnNlcls2XSwgMik7ICAgIC8vRCAtIOW8gOWni+aXtumXtCANCiAgICANCiAgICAvL3hvcl9jb2RlDQogICAgcmVnWzBdID0gMHhBMzsNCg0KICAgIC8v57uT5p2f5pe26Ze0PTB4RkZGID0+IHBlcnBldHVhbA0KICAgIHJlZ1s5XSA9IDB4RkY7DQogICAgcmVnWzEwXSA9IDB4RkY7DQogICAgDQogICAgLy90ZXN0IEQgZmllbGQgb3RoZXIgdmFsdWUNCiAgICBpbnQgaTsNCiAgICBmb3IoaT0wO2k8OTtpKyspDQogICAgew0KICAgICAgICByZWdbMTEraV0gPSAweEZGOw0KICAgIH0NCiAgICByZWdbMjBdID0gcmVnX2NoZWNrc3VtKHJlZyk7DQogICAgDQogICAgcmVnX3NjcmFtYmxpbmcoJnJlZ1sxXSwgcmVnWzBdKTsNCiAgICByZWdfZW5jb2RlKHJlZywgcmVnX291dHB1dCk7DQogICAgDQogICAgcmV0dXJuIDE7DQp9DQoNCmludCBtYWluKGludCBhcmdjLCBjaGFyICoqYXJndikNCnsNCiAgICBjaGFyIG91dHB1dFs2NF0gPSB7MH07DQogICAgY2hhciBzZXJfaW5wdXRbMTI4XSA9IHswfTsNCiAgICBwcmludGYoIui+k+WFpeW6j+WIl+WPt++8miIpOw0KICAgIHNjYW5mKCIlcyIsIHNlcl9pbnB1dCk7DQogICAgDQogICAgY2hhciAqcHRyID0gc2VyX2lucHV0Ow0KICAgIGlmKHN0cnN0cihzZXJfaW5wdXQsICLluo/liJflj7fvvJoiKSAhPSBOVUxMKQ0KICAgIHsNCiAgICAgICAgcHRyID0gc3Ryc3RyKHNlcl9pbnB1dCwgIuW6j+WIl+WPt++8miIpICsgc3RybGVuKCLluo/liJflj7fvvJoiKTsNCiAgICB9DQogICAgDQogICAgY2hhciB0bXBbM10gPSB7MH07DQogICAgdWludDhfdCBzZXJpYWxbOF0gPSB7MH07DQogICAgaW50IGk7DQogICAgZm9yKGk9MDtpPDg7aSsrKQ0KICAgIHsNCiAgICAgICAgaW50IGogPSAwOw0KICAgICAgICB3aGlsZShqIT0yKQ0KICAgICAgICB7DQogICAgICAgICAgICBpZigqcHRyID09IDApDQogICAgICAgICAgICAgICAgYnJlYWs7DQogICAgICAgICAgICBpZigqcHRyICE9ICdcXCcpDQogICAgICAgICAgICAgICAgdG1wW2orK10gPSAqcHRyOw0KICAgICAgICAgICAgcHRyKys7DQogICAgICAgIH0NCiAgICAgICAgc2VyaWFsW2ldID0gc3RydG9sKHRtcCwgTlVMTCwgMTYpOw0KICAgIH0NCg0KICAgIGdlbmVyYXRlKHNlcmlhbCwgb3V0cHV0KTsNCiAgICBwcmludGYoIuazqOWGjOegge+8miVzXG4iLCBvdXRwdXQpOw0KICAgIHN5c3RlbSgicGF1c2UiKTsgDQogICAgcmV0dXJuIDE7DQp9DQoNCiNpZiAwDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqKmFyZ3YpDQp7DQogICAgdWludDhfdCBzZXJpYWxbOF0gPSB7IDB4OEQsMHg5RCwweDcwLDB4RkYsMHg2RCwweDAwLDB4OEIsMHgwMCB9Ow0KICAgIGNoYXIgb3V0cHV0WzY0XSA9IHswfTsNCiAgICANCiAgICBnZW5lcmF0ZShzZXJpYWwsIG91dHB1dCk7DQogICAgcHJpbnRmKCIlc1xuIiwgb3V0cHV0KTsNCglyZXR1cm4gMTsNCn0NCiNlbmRpZg0KDQo