最近帮朋友分析某软件,系深思4加密狗加密,
某深思4加密狗分析笔记
。主程序没有加密,庆幸!其实深思4加密狗的加密算法也就DES/RSA/MD5等几种。只要主程序没有被VMP、SE等强壳加密,分析起来还是不难的。
分析后发现,主程序用了BlowFish/DES/RSA/MD5/SHA1等成熟算法。而加密狗里只有DES/RSA/SHA1几种算法,此外还有自定义的几种加密算法,
但都很简单,分析一下入狗数据和出狗数据就可以发现,只不过是加加减减或XOR某个DWORD而已。
分析后得知,程序除了检查加密狗、验证用户PIN码等几个基本函数外,主要执行ID为BCFF的函数。
共有5个功能:
00411A16 CALL <执行狗函数> 01 写数据文件 FileID:0xA021 就是存入某个变量值
0041186C CALL <执行狗函数> 02 读取数据文件 FileID:0xA021 就是读取某个变量值
00411F7A CALL <执行狗函数> 03 校验PIN码
004120C6 CALL <执行狗函数> 04 验证密码,程序用密码控制功能模块
00411B1E CALL <执行狗函数> 05 计算试用日期,然后判断是否到期
01号功能:
0040BF6C |. 6A 04 PUSH 0x4
0040BF6E |. 8D4C24 68 LEA ECX,DWORD PTR SS:[ESP+0x68]
0040BF72 |. 51 PUSH ECX
0040BF73 |. 6A 14 PUSH 0x14
0040BF75 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+0xC]
0040BF79 |. 68 21A00000 PUSH 0xA021 //明显是操作数据文件
0040BF7E |. 52 PUSH EDX
0040BF7F |. E8 7C590000 CALL 00411900
00411900 /$ 81EC FC000000 SUB ESP,0xFC
00411906 |. 56 PUSH ESI
00411907 |. 8BB424 100100>MOV ESI,DWORD PTR SS:[ESP+0x110]
0041190E |. 57 PUSH EDI
0041190F |. 33C0 XOR EAX,EAX
00411911 |. 85F6 TEST ESI,ESI
00411913 |. B9 3D000000 MOV ECX,0x3D
00411918 |. 8D7C24 0E LEA EDI,DWORD PTR SS:[ESP+0xE]
0041191C |. 66:C74424 0C >MOV WORD PTR SS:[ESP+0xC],0x0
00411923 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00411925 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX
00411929 |. 75 09 JNZ SHORT 00411934
0041192B |. 5F POP EDI
0041192C |. 5E POP ESI
0041192D |. 81C4 FC000000 ADD ESP,0xFC
00411933 |. C3 RETN
00411934 |> 66:8B8424 0C0>MOV AX,WORD PTR SS:[ESP+0x10C] //FileID
0041193C |. 66:8B8C24 100>MOV CX,WORD PTR SS:[ESP+0x110] //Offset 0x10
00411944 |. 53 PUSH EBX
00411945 |. 8B9C24 1C0100>MOV EBX,DWORD PTR SS:[ESP+0x11C]
0041194C |. 6A 00 PUSH 0x0
0041194E |. 66:894424 14 MOV WORD PTR SS:[ESP+0x14],AX //FileID
00411953 |. 66:894C24 16 MOV WORD PTR SS:[ESP+0x16],CX //Offset
00411958 |. 885C24 18 MOV BYTE PTR SS:[ESP+0x18],BL //Len
0041195C |. E8 08EA0000 CALL <获取系统时间作为随机数>
00411961 |. 50 PUSH EAX
00411962 |. E8 D3E90000 CALL <保存随机数>
00411967 |. 83C4 08 ADD ESP,0x8
0041196A |. 33FF XOR EDI,EDI
0041196C |> E8 D6E90000 CALL <加密随机数>
00411971 |. 99 CDQ
00411972 |. B9 FF000000 MOV ECX,0xFF
00411977 |. F7F9 IDIV ECX
00411979 |. 47 INC EDI
0041197A |. 81FF F0000000 CMP EDI,0xF0
00411980 |. 8897 21E04500 MOV BYTE PTR DS:[EDI+0x45E021],DL
00411986 |.^ 7C E4 JL SHORT 0041196C
00411988 |. 8BCB MOV ECX,EBX
0041198A |. 8BD1 MOV EDX,ECX
0041198C |. C1E9 02 SHR ECX,0x2
0041198F |. 8D7C24 16 LEA EDI,DWORD PTR SS:[ESP+0x16]
00411993 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00411995 |. 8BCA MOV ECX,EDX
00411997 |. 83E1 03 AND ECX,0x3
0041199A |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] //系统时间放入缓冲区
0041199C |. 8A4424 14 MOV AL,BYTE PTR SS:[ESP+0x14] //数据长度0x4
004119A0 |. 33C9 XOR ECX,ECX
004119A2 |. 04 06 ADD AL,0x6
004119A4 |. 8AC8 MOV CL,AL
004119A6 |. A2 21E04500 MOV BYTE PTR DS:[0x45E021],AL
004119AB |. C605 20E04500>MOV BYTE PTR DS:[0x45E020],0x1 //01号功能,应该是写狗,因为后面没有对返回数据进行处理
004119B2 |. 8D7424 10 LEA ESI,DWORD PTR SS:[ESP+0x10]
004119B6 |. BF 22E04500 MOV EDI,0045E022 //从偏移0X2处开始写数据
004119BB |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
004119C0 |. 68 20E04500 PUSH 0045E020 ; |Arg4 = 0045E020
004119C5 |. 8BC1 MOV EAX,ECX ; |
004119C7 |. C1E9 02 SHR ECX,0x2 ; |
004119CA |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |将待写入数据传入缓冲区
004119CC |. 8BC8 MOV ECX,EAX ; |
004119CE |. 83E1 03 AND ECX,0x3 ; |
004119D1 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
004119D6 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
004119D8 |. 8B0D FEE04500 MOV ECX,DWORD PTR DS:[0x45E0FE] ; |
004119DE |. 6A 01 PUSH 0x1 ; |Arg2 = 00000001
004119E0 |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
004119E5 |. 890D 94EE4300 MOV DWORD PTR DS:[0x43EE94],ECX ; |
004119EB |. E8 C0970000 CALL <加解密函数> ; \
004119F0 |. 8B8424 0C0100>MOV EAX,DWORD PTR SS:[ESP+0x10C]
004119F7 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+0xC]
004119FB |. 52 PUSH EDX ; /Arg7
004119FC |. 68 FA000000 PUSH 0xFA ; |Arg6 = 000000FA
00411A01 |. 68 20E14500 PUSH 0045E120 ; |Arg5 = 0045E120
00411A06 |. 68 FA000000 PUSH 0xFA ; |Arg4 = 000000FA
00411A0B |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411A10 |. 68 F0EF4300 PUSH 0043EFF0 ; |Arg2 = 0043EFF0 ASCII "BCFF"
00411A15 |. 50 PUSH EAX ; |Arg1
00411A16 |. E8 455C0000 CALL <执行狗内函数> ; \
00411A1B |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+0xC] //执行狗内函数后没有对数据进行解密,估计没有返回数据,判断是写狗。
00411A1F |. 33C9 XOR ECX,ECX
00411A21 |. 8A0D 20E14500 MOV CL,BYTE PTR DS:[0x45E120]
00411A27 |. 51 PUSH ECX
00411A28 |. 52 PUSH EDX
00411A29 |. 50 PUSH EAX
00411A2A |. E8 F1FCFFFF CALL <判断执行狗内函数是否成功>
00411A2F |. 83C4 0C ADD ESP,0xC
00411A32 |. F7D8 NEG EAX
00411A34 |. 5B POP EBX
00411A35 |. 1BC0 SBB EAX,EAX
00411A37 |. 5F POP EDI
00411A38 |. F7D8 NEG EAX
00411A3A |. 5E POP ESI
00411A3B |. 81C4 FC000000 ADD ESP,0xFC
00411A41 \. C3 RETN
02号功能:
0040B77E |. 8D4C24 78 LEA ECX,DWORD PTR SS:[ESP+0x78]
0040B782 |. 51 PUSH ECX
0040B783 |. 55 PUSH EBP
0040B784 |. 6A 0E PUSH 0xE
0040B786 |. 53 PUSH EBX
0040B787 |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+0x28]
0040B78B |. 68 21A00000 PUSH 0xA021 //明显是操作数据文件
0040B790 |. 52 PUSH EDX
0040B791 |. E8 CA5F0000 CALL 00411760
00411760 /$ 81EC FC000000 SUB ESP,0xFC
00411766 |. 53 PUSH EBX
00411767 |. 8B9C24 100100>MOV EBX,DWORD PTR SS:[ESP+0x110]
0041176E |. 55 PUSH EBP
0041176F |. 56 PUSH ESI
00411770 |. 33F6 XOR ESI,ESI
00411772 |. 57 PUSH EDI
00411773 |. 33C0 XOR EAX,EAX
00411775 |. B9 3D000000 MOV ECX,0x3D
0041177A |. 8D7C24 16 LEA EDI,DWORD PTR SS:[ESP+0x16]
0041177E |. 66:897424 14 MOV WORD PTR SS:[ESP+0x14],SI
00411783 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00411785 |. 8B8424 240100>MOV EAX,DWORD PTR SS:[ESP+0x124]
0041178C |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0041178E |. 8BEB MOV EBP,EBX
00411790 |. 81E5 FF000000 AND EBP,0xFF
00411796 |. 3BCD CMP ECX,EBP
00411798 |. 897424 10 MOV DWORD PTR SS:[ESP+0x10],ESI
0041179C |. 7D 0F JGE SHORT 004117AD
0041179E |. 5F POP EDI
0041179F |. 5E POP ESI
004117A0 |. 8928 MOV DWORD PTR DS:[EAX],EBP
004117A2 |. 5D POP EBP
004117A3 |. 33C0 XOR EAX,EAX
004117A5 |. 5B POP EBX
004117A6 |. 81C4 FC000000 ADD ESP,0xFC
004117AC |. C3 RETN
004117AD |> 66:8B8424 140>MOV AX,WORD PTR SS:[ESP+0x114]
004117B5 |. 66:8B8C24 180>MOV CX,WORD PTR SS:[ESP+0x118]
004117BD |. 56 PUSH ESI
004117BE |. 66:894424 18 MOV WORD PTR SS:[ESP+0x18],AX
004117C3 |. 66:894C24 1A MOV WORD PTR SS:[ESP+0x1A],CX
004117C8 |. 885C24 1C MOV BYTE PTR SS:[ESP+0x1C],BL
004117CC |. E8 98EB0000 CALL <获取系统时间作为随机数>
004117D1 |. 50 PUSH EAX
004117D2 |. E8 63EB0000 CALL <保存随机数>
004117D7 |. 83C4 08 ADD ESP,0x8
004117DA |> E8 68EB0000 /CALL <加密随机数>
004117DF |. 99 |CDQ
004117E0 |. B9 FF000000 |MOV ECX,0xFF
004117E5 |. F7F9 |IDIV ECX
004117E7 |. 46 |INC ESI
004117E8 |. 81FE F0000000 |CMP ESI,0xF0
004117EE |. 8896 21E04500 |MOV BYTE PTR DS:[ESI+0x45E021],DL
004117F4 |.^ 7C E4 \JL SHORT 004117DA
004117F6 |. 33C9 XOR ECX,ECX
004117F8 |. 80C3 06 ADD BL,0x6
004117FB |. 8ACB MOV CL,BL
004117FD |. C605 20E04500>MOV BYTE PTR DS:[0x45E020],0x2 //02号功能
00411804 |. 881D 21E04500 MOV BYTE PTR DS:[0x45E021],BL
0041180A |. 8D7424 14 LEA ESI,DWORD PTR SS:[ESP+0x14]
0041180E |. BF 22E04500 MOV EDI,0045E022
00411813 |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
00411818 |. 68 20E04500 PUSH 0045E020 ; |Arg4 = 0045E020
0041181D |. 8BD1 MOV EDX,ECX ; |
0041181F |. C1E9 02 SHR ECX,0x2 ; |
00411822 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
00411824 |. 8BCA MOV ECX,EDX ; |
00411826 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
0041182B |. 83E1 03 AND ECX,0x3 ; |
0041182E |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
00411830 |. A1 FEE04500 MOV EAX,DWORD PTR DS:[0x45E0FE] ; |
00411835 |. 6A 01 PUSH 0x1 ; |Arg2 = 00000001
00411837 |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
0041183C |. A3 94EE4300 MOV DWORD PTR DS:[0x43EE94],EAX ; |
00411841 |. E8 6A990000 CALL <加解密函数> ; \0041B1B0
00411846 |. 8B9424 100100>MOV EDX,DWORD PTR SS:[ESP+0x110]
0041184D |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+0x10]
00411851 |. 51 PUSH ECX ; /Arg7
00411852 |. 68 FA000000 PUSH 0xFA ; |Arg6 = 000000FA
00411857 |. 68 20E14500 PUSH 0045E120 ; |Arg5 = 0045E120
0041185C |. 68 FA000000 PUSH 0xFA ; |Arg4 = 000000FA
00411861 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411866 |. 68 F0EF4300 PUSH 0043EFF0 ; |Arg2 = 0043EFF0 ASCII "BCFF"
0041186B |. 52 PUSH EDX ; |Arg1
0041186C |. E8 EF5D0000 CALL <执行狗内函数> ; \00417660
00411871 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+0x10]
00411875 |. 33C9 XOR ECX,ECX
00411877 |. 8A0D 20E14500 MOV CL,BYTE PTR DS:[0x45E120]
0041187D |. 51 PUSH ECX
0041187E |. 52 PUSH EDX
0041187F |. 50 PUSH EAX
00411880 |. E8 9BFEFFFF CALL <判断执行狗内函数是否成功>
00411885 |. 83C4 0C ADD ESP,0xC
00411888 |. 85C0 TEST EAX,EAX
0041188A |. 75 0B JNZ SHORT 00411897
0041188C |. 5F POP EDI
0041188D |. 5E POP ESI
0041188E |. 5D POP EBP
0041188F |. 5B POP EBX
00411890 |. 81C4 FC000000 ADD ESP,0xFC
00411896 |. C3 RETN
00411897 |> A1 FEE14500 MOV EAX,DWORD PTR DS:[0x45E1FE] //解密返回数据,判断是读狗
0041189C |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
004118A1 |. 68 20E14500 PUSH 0045E120 ; |Arg4 = 0045E120
004118A6 |. 68 20E14500 PUSH 0045E120 ; |Arg3 = 0045E120
004118AB |. 6A 00 PUSH 0x0 ; |Arg2 = 00000000
004118AD |. 68 98EE4300 PUSH 0043EE98 ; |Arg1 = 0043EE98
004118B2 |. A3 9CEE4300 MOV DWORD PTR DS:[0x43EE9C],EAX ; |
004118B7 |. E8 F4980000 CALL <加解密函数> ; 跟踪后发现是DES算法,密钥明眼人一看就明白
004118BC |. 8BBC24 200100>MOV EDI,DWORD PTR SS:[ESP+0x120]
004118C3 |. 8B8424 240100>MOV EAX,DWORD PTR SS:[ESP+0x124]
004118CA |. 8BCD MOV ECX,EBP
004118CC |. 8BD1 MOV EDX,ECX
004118CE |. C1E9 02 SHR ECX,0x2
004118D1 |. BE 22E14500 MOV ESI,0045E122
004118D6 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004118D8 |. 8BCA MOV ECX,EDX
004118DA |. 83E1 03 AND ECX,0x3
004118DD |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004118DF |. 5F POP EDI
004118E0 |. 5E POP ESI
004118E1 |. 8928 MOV DWORD PTR DS:[EAX],EBP
004118E3 |. 5D POP EBP
004118E4 |. B8 01000000 MOV EAX,0x1
004118E9 |. 5B POP EBX
004118EA |. 81C4 FC000000 ADD ESP,0xFC
004118F0 \. C3 RETN
03号功能:校验PIN码
00411E05 |. E8 76000000 CALL 00411E80 //执行此CALL后,后面有提示:"Verify Pin failed!
"
00411E0A |. 8BF0 MOV ESI,EAX
00411E0C |. 83C4 04 ADD ESP,0x4
00411E0F |. 85F6 TEST ESI,ESI
00411E11 |. 74 2C JE SHORT 00411E3F
00411E13 |. 55 PUSH EBP
00411E14 |> E8 17030000 CALL 00412130
00411E19 |. 83C4 04 ADD ESP,0x4
00411E1C |. 56 PUSH ESI
00411E1D |. 68 F8EF4300 PUSH 0043EFF8 ; ASCII "Verify Pin failed!
"
00411E22 |. E8 72EB0000 CALL 00420999
00411E27 |. 83C4 08 ADD ESP,0x8
00411E2A |> 5F POP EDI
00411E2B |. 5E POP ESI
00411E80 /$ 81EC 94000000 SUB ESP,0x94 //判断是校验PIN码
00411E86 |. 33C0 XOR EAX,EAX
00411E88 |. 56 PUSH ESI
00411E89 |. 57 PUSH EDI
00411E8A |. C64424 1C 00 MOV BYTE PTR SS:[ESP+0x1C],0x0
00411E8F |. B9 1F000000 MOV ECX,0x1F
00411E94 |. 8D7C24 1D LEA EDI,DWORD PTR SS:[ESP+0x1D]
00411E98 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00411E9A |. 66:AB STOS WORD PTR ES:[EDI]
00411E9C |. AA STOS BYTE PTR ES:[EDI]
00411E9D |. 33C0 XOR EAX,EAX
00411E9F |. 894424 0D MOV DWORD PTR SS:[ESP+0xD],EAX
00411EA3 |. 894424 11 MOV DWORD PTR SS:[ESP+0x11],EAX
00411EA7 |. 894424 15 MOV DWORD PTR SS:[ESP+0x15],EAX
00411EAB |. 66:894424 19 MOV WORD PTR SS:[ESP+0x19],AX
00411EB0 |. C74424 08 000>MOV DWORD PTR SS:[ESP+0x8],0x0
00411EB8 |. C64424 0C 00 MOV BYTE PTR SS:[ESP+0xC],0x0
00411EBD |. 884424 1B MOV BYTE PTR SS:[ESP+0x1B],AL
00411EC1 |. 50 PUSH EAX
00411EC2 |. E8 A2E40000 CALL <获取系统时间作为随机数>
00411EC7 |. 50 PUSH EAX
00411EC8 |. E8 6DE40000 CALL <保存随机数>
00411ECD |. 83C4 08 ADD ESP,0x8
00411ED0 |. 33F6 XOR ESI,ESI
00411ED2 |> E8 70E40000 /CALL <加密随机数>
00411ED7 |. 99 |CDQ
00411ED8 |. B9 FF000000 |MOV ECX,0xFF
00411EDD |. F7F9 |IDIV ECX
00411EDF |. 46 |INC ESI
00411EE0 |. 81FE F0000000 |CMP ESI,0xF0
00411EE6 |. 8896 21E04500 |MOV BYTE PTR DS:[ESI+0x45E021],DL
00411EEC |.^ 7C E4 \JL SHORT 00411ED2
00411EEE |. C605 20E04500>MOV BYTE PTR DS:[0x45E020],0x3 //03号功能,校验PIN码
00411EF5 |. E8 4DE40000 CALL <加密随机数>
00411EFA |. 99 CDQ
00411EFB |. B9 FF000000 MOV ECX,0xFF
00411F00 |. F7F9 IDIV ECX
00411F02 |. A1 38E04500 MOV EAX,DWORD PTR DS:[0x45E038] 18---4
00411F07 |. 8B0D 3CE04500 MOV ECX,DWORD PTR DS:[0x45E03C] 1c---8
00411F0D |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
00411F12 |. 68 20E04500 PUSH 0045E020 ; |Arg4 = 0045E020
00411F17 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411F1C |. 894424 1C MOV DWORD PTR SS:[ESP+0x1C],EAX ; |
00411F20 |. A1 FEE04500 MOV EAX,DWORD PTR DS:[0x45E0FE] ; |
00411F25 |. 6A 01 PUSH 0x1 ; |Arg2 = 00000001
00411F27 |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
00411F2C |. 894C24 28 MOV DWORD PTR SS:[ESP+0x28],ECX ; |
00411F30 |. A3 94EE4300 MOV DWORD PTR DS:[0x43EE94],EAX ; |
00411F35 |. 8815 21E04500 MOV BYTE PTR DS:[0x45E021],DL ; |
00411F3B |. 8B15 34E04500 MOV EDX,DWORD PTR DS:[0x45E034] ; | 14---0
00411F41 |. 895424 20 MOV DWORD PTR SS:[ESP+0x20],EDX ; |
00411F45 |. 8B15 40E04500 MOV EDX,DWORD PTR DS:[0x45E040] ; | 20---c
00411F4B |. 895424 2C MOV DWORD PTR SS:[ESP+0x2C],EDX ; |
00411F4F |. E8 5C920000 CALL <加解密函数> ; \ 跟踪后发现是DES算法,密钥明眼人一看就明白
00411F54 |. 8B9424 A00000>MOV EDX,DWORD PTR SS:[ESP+0xA0]
00411F5B |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+0x8]
00411F5F |. 51 PUSH ECX ; /Arg7
00411F60 |. 68 FA000000 PUSH 0xFA ; |Arg6 = 000000FA
00411F65 |. 68 20E14500 PUSH 0045E120 ; |Arg5 = 0045E120
00411F6A |. 68 FA000000 PUSH 0xFA ; |Arg4 = 000000FA
00411F6F |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411F74 |. 68 F0EF4300 PUSH 0043EFF0 ; |Arg2 = 0043EFF0 ASCII "BCFF"
00411F79 |. 52 PUSH EDX ; |Arg1
00411F7A |. E8 E1560000 CALL <执行狗内函数> ; \00417660
00411F7F |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+0x8]
00411F83 |. 33C9 XOR ECX,ECX
00411F85 |. 8A0D 20E14500 MOV CL,BYTE PTR DS:[0x45E120]
00411F8B |. 51 PUSH ECX
00411F8C |. 52 PUSH EDX
00411F8D |. 50 PUSH EAX
00411F8E |. E8 8DF7FFFF CALL <判断执行狗内函数是否成功>
00411F93 |. 83C4 0C ADD ESP,0xC
00411F96 |. 85C0 TEST EAX,EAX
00411F98 |. 5F POP EDI
00411F99 |. 5E POP ESI
00411F9A |. 75 07 JNZ SHORT 00411FA3
00411F9C |. 81C4 94000000 ADD ESP,0x94
00411FA2 |. C3 RETN
00411FA3 |> A1 FEE14500 MOV EAX,DWORD PTR DS:[0x45E1FE] //对返回数据进行解密
00411FA8 |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
00411FAD |. 68 20E14500 PUSH 0045E120 ; |Arg4 = 0045E120
00411FB2 |. 68 20E14500 PUSH 0045E120 ; |Arg3 = 0045E120
00411FB7 |. 6A 00 PUSH 0x0 ; |Arg2 = 00000000
00411FB9 |. 68 98EE4300 PUSH 0043EE98 ; |Arg1 = 0043EE98
00411FBE |. A3 9CEE4300 MOV DWORD PTR DS:[0x43EE9C],EAX ; |
00411FC3 |. E8 E8910000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
00411FC8 |. 8B0D AAE14500 MOV ECX,DWORD PTR DS:[0x45E1AA]
00411FCE |. 68 80000000 PUSH 0x80 ; /Arg5 = 00000080
00411FD3 |. 68 22E14500 PUSH 0045E122 ; |Arg4 = 0045E122
00411FD8 |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+0x1C] ; |
00411FDC |. 52 PUSH EDX ; |Arg3
00411FDD |. 6A 00 PUSH 0x0 ; |Arg2 = 00000000
00411FDF |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
00411FE4 |. 890D 94EE4300 MOV DWORD PTR DS:[0x43EE94],ECX ; |
00411FEA |. E8 C1910000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
00411FEF |. 68 A0EE4300 PUSH 0043EEA0 ; /Arg6 = 0043EEA0
00411FF4 |. 68 80000000 PUSH 0x80 ; |Arg5 = 00000080
00411FF9 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+0x1C] ; |
00411FFD |. 50 PUSH EAX ; |Arg4
00411FFE |. 6A 10 PUSH 0x10 ; |Arg3 = 00000010
00412000 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+0x14] ; |
00412004 |. 51 PUSH ECX ; |Arg2
00412005 |. 6A 1A PUSH 0x1A ; |Arg1 = 0000001A
00412007 |. E8 24910000 CALL 0041B130 ; \0041B130
0041200C |. 81C4 94000000 ADD ESP,0x94
00412012 \. C3 RETN
04号功能:验证密码
0040D332 |. 8B5424 78 MOV EDX,DWORD PTR SS:[ESP+0x78]
0040D336 |. 8B4424 74 MOV EAX,DWORD PTR SS:[ESP+0x74]
0040D33A |. 8B4C24 70 MOV ECX,DWORD PTR SS:[ESP+0x70]
0040D33E |. 52 PUSH EDX
0040D33F |. 50 PUSH EAX
0040D340 |. 51 PUSH ECX
0040D341 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
0040D345 |. 52 PUSH EDX
0040D346 |. E8 D54C0000 CALL 00412020
00412020 /$ 51 PUSH ECX
00412021 |. 56 PUSH ESI
00412022 |. 6A 00 PUSH 0x0
00412024 |. C74424 08 000>MOV DWORD PTR SS:[ESP+0x8],0x0
0041202C |. E8 38E30000 CALL <获取系统时间作为随机数>
00412031 |. 50 PUSH EAX
00412032 |. E8 03E30000 CALL <保存随机数>
00412037 |. 83C4 08 ADD ESP,0x8
0041203A |. 33F6 XOR ESI,ESI
0041203C |> E8 06E30000 /CALL <加密随机数>
00412041 |. 99 |CDQ
00412042 |. B9 FF000000 |MOV ECX,0xFF
00412047 |. F7F9 |IDIV ECX
00412049 |. 46 |INC ESI
0041204A |. 81FE F0000000 |CMP ESI,0xF0
00412050 |. 8896 21E04500 |MOV BYTE PTR DS:[ESI+0x45E021],DL
00412056 |.^ 7C E4 \JL SHORT 0041203C
00412058 |. C605 20E04500>MOV BYTE PTR DS:[0x45E020],0x4
0041205F |. E8 E3E20000 CALL <加密随机数>
00412064 |. 99 CDQ
00412065 |. B9 FF000000 MOV ECX,0xFF
0041206A |. F7F9 IDIV ECX
0041206C |. 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+0x10]
00412070 |. A1 FEE04500 MOV EAX,DWORD PTR DS:[0x45E0FE] //取出随机数作为密钥
00412075 |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8 待加密长度
0041207A |. 68 20E04500 PUSH 0045E020 ; |Arg4 = 0045E020
0041207F |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00412084 |. 6A 01 PUSH 0x1 ; |Arg2 = 00000001
00412086 |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
0041208B |. 8815 21E04500 MOV BYTE PTR DS:[0x45E021],DL ; |加密长度
00412091 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; |
00412093 |. 8915 2EE04500 MOV DWORD PTR DS:[0x45E02E],EDX ; |待加密数据
00412099 |. A3 94EE4300 MOV DWORD PTR DS:[0x43EE94],EAX ; |密钥
0041209E |. E8 0D910000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
004120A3 |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+0xC]
004120A7 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+0x4]
004120AB |. 51 PUSH ECX ; /Arg7
004120AC |. 68 FA000000 PUSH 0xFA ; |Arg6 = 000000FA
004120B1 |. 68 20E14500 PUSH 0045E120 ; |Arg5 = 0045E120
004120B6 |. 68 FA000000 PUSH 0xFA ; |Arg4 = 000000FA
004120BB |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
004120C0 |. 68 F0EF4300 PUSH 0043EFF0 ; |Arg2 = 0043EFF0 ASCII "BCFF"
004120C5 |. 52 PUSH EDX ; |Arg1
004120C6 |. E8 95550000 CALL <执行狗内函数> ; \
004120CB |. 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+0x4]
004120CF |. 33C9 XOR ECX,ECX
004120D1 |. 8A0D 20E14500 MOV CL,BYTE PTR DS:[0x45E120]
004120D7 |. 51 PUSH ECX
004120D8 |. 52 PUSH EDX
004120D9 |. 50 PUSH EAX
004120DA |. E8 41F6FFFF CALL <判断执行狗内函数是否成功>
004120DF |. 83C4 0C ADD ESP,0xC
004120E2 |. 85C0 TEST EAX,EAX
004120E4 |. 74 44 JE SHORT 0041212A
004120E6 |. A1 FEE14500 MOV EAX,DWORD PTR DS:[0x45E1FE]
004120EB |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
004120F0 |. 68 20E14500 PUSH 0045E120 ; |Arg4 = 0045E120
004120F5 |. 68 20E14500 PUSH 0045E120 ; |Arg3 = 0045E120
004120FA |. 6A 00 PUSH 0x0 ; |Arg2 = 00000000
004120FC |. 68 98EE4300 PUSH 0043EE98 ; |Arg1 = 0043EE98
00412101 |. A3 9CEE4300 MOV DWORD PTR DS:[0x43EE9C],EAX ; |
00412106 |. E8 A5900000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
0041210B |. 8B0D 74E14500 MOV ECX,DWORD PTR DS:[0x45E174]
00412111 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+0x14]
00412115 |. 890E MOV DWORD PTR DS:[ESI],ECX
00412117 |. A1 2AE14500 MOV EAX,DWORD PTR DS:[0x45E12A]
0041211C |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+0x18]
00412120 |. 8902 MOV DWORD PTR DS:[EDX],EAX
00412122 |. 8B15 3EE14500 MOV EDX,DWORD PTR DS:[0x45E13E]
00412128 |. 8911 MOV DWORD PTR DS:[ECX],EDX
0041212A |> 33C0 XOR EAX,EAX
0041212C |. 5E POP ESI
0041212D |. 59 POP ECX
0041212E \. C3 RETN
05功能:
00411A50 /$ 81EC FC000000 SUB ESP,0xFC
00411A56 |. 56 PUSH ESI
00411A57 |. 33C0 XOR EAX,EAX
00411A59 |. 57 PUSH EDI
00411A5A |. B9 3D000000 MOV ECX,0x3D
00411A5F |. 8D7C24 0E LEA EDI,DWORD PTR SS:[ESP+0xE]
00411A63 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00411A65 |. 894424 08 MOV DWORD PTR SS:[ESP+0x8],EAX
00411A69 |. 8B8424 0C0100>MOV EAX,DWORD PTR SS:[ESP+0x10C]
00411A70 |. 48 DEC EAX
00411A71 |. 6A 00 PUSH 0x0
00411A73 |. 66:C74424 10 >MOV WORD PTR SS:[ESP+0x10],0xA021 //出现数据文件ID 0xa021,估计和读写数据文件有关
00411A7A |. 66:894424 12 MOV WORD PTR SS:[ESP+0x12],AX //数据文件偏移 0x00
00411A7F |. C64424 14 02 MOV BYTE PTR SS:[ESP+0x14],0x2 //长度
00411A84 |. E8 E0E80000 CALL <获取系统时间作为随机数>
00411A89 |. 50 PUSH EAX
00411A8A |. E8 ABE80000 CALL <保存随机数>
00411A8F |. 83C4 08 ADD ESP,0x8
00411A92 |. 33F6 XOR ESI,ESI
00411A94 |> E8 AEE80000 /CALL <加密随机数>
00411A99 |. 99 |CDQ
00411A9A |. B9 FF000000 |MOV ECX,0xFF
00411A9F |. F7F9 |IDIV ECX
00411AA1 |. 46 |INC ESI
00411AA2 |. 81FE F0000000 |CMP ESI,0xF0
00411AA8 |. 8896 21E04500 |MOV BYTE PTR DS:[ESI+0x45E021],DL
00411AAE |.^ 7C E4 \JL SHORT 00411A94
00411AB0 |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+0xC]
00411AB4 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+0x10]
00411AB8 |. 8B0D FEE04500 MOV ECX,DWORD PTR DS:[0x45E0FE]
00411ABE |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
00411AC3 |. 68 20E04500 PUSH 0045E020 ; |Arg4 = 0045E020
00411AC8 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411ACD |. 6A 01 PUSH 0x1 ; |Arg2 = 00000001
00411ACF |. 68 90EE4300 PUSH 0043EE90 ; |Arg1 = 0043EE90
00411AD4 |. C605 20E04500>MOV BYTE PTR DS:[0x45E020],0x5 ; |05号功能
00411ADB |. C605 21E04500>MOV BYTE PTR DS:[0x45E021],0x8 ; |入狗数据长度
00411AE2 |. 8915 22E04500 MOV DWORD PTR DS:[0x45E022],EDX ; |数据文件ID 0xa021
00411AE8 |. A3 26E04500 MOV DWORD PTR DS:[0x45E026],EAX ; |偏移0x0和长度0x2
00411AED |. 890D 94EE4300 MOV DWORD PTR DS:[0x43EE94],ECX ; |密钥
00411AF3 |. E8 B8960000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
00411AF8 |. 8B8424 080100>MOV EAX,DWORD PTR SS:[ESP+0x108]
00411AFF |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+0x8]
00411B03 |. 52 PUSH EDX ; /Arg7
00411B04 |. 68 FA000000 PUSH 0xFA ; |Arg6 = 000000FA
00411B09 |. 68 20E14500 PUSH 0045E120 ; |Arg5 = 0045E120
00411B0E |. 68 FA000000 PUSH 0xFA ; |Arg4 = 000000FA
00411B13 |. 68 20E04500 PUSH 0045E020 ; |Arg3 = 0045E020
00411B18 |. 68 F0EF4300 PUSH 0043EFF0 ; |Arg2 = 0043EFF0 ASCII "BCFF"
00411B1D |. 50 PUSH EAX ; |Arg1
00411B1E |. E8 3D5B0000 CALL <执行狗内函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
00411B23 |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+0x8]
00411B27 |. 33C9 XOR ECX,ECX
00411B29 |. 8A0D 20E14500 MOV CL,BYTE PTR DS:[0x45E120]
00411B2F |. 51 PUSH ECX
00411B30 |. 52 PUSH EDX
00411B31 |. 50 PUSH EAX
00411B32 |. E8 E9FBFFFF CALL <判断执行狗内函数是否成功>
00411B37 |. 83C4 0C ADD ESP,0xC
00411B3A |. 85C0 TEST EAX,EAX
00411B3C |. 5F POP EDI
00411B3D |. 5E POP ESI
00411B3E |. 75 07 JNZ SHORT 00411B47
00411B40 |. 81C4 FC000000 ADD ESP,0xFC
00411B46 |. C3 RETN
00411B47 |> A1 FEE14500 MOV EAX,DWORD PTR DS:[0x45E1FE] //对狗内返回数据进行处理,估计05号功能也是读取狗内数据,
电脑资料
《某深思4加密狗分析笔记》(http://meiwen.anslib.com)。00411B4C |. 68 C8000000 PUSH 0xC8 ; /Arg5 = 000000C8
00411B51 |. 68 20E14500 PUSH 0045E120 ; |Arg4 = 0045E120
00411B56 |. 68 20E14500 PUSH 0045E120 ; |Arg3 = 0045E120
00411B5B |. 6A 00 PUSH 0x0 ; |Arg2 = 00000000
00411B5D |. 68 98EE4300 PUSH 0043EE98 ; |Arg1 = 0043EE98
00411B62 |. A3 9CEE4300 MOV DWORD PTR DS:[0x43EE9C],EAX ; |
00411B67 |. E8 44960000 CALL <加解密函数> ; \跟踪后发现是DES算法,密钥明眼人一看就明白
00411B6C |. B8 01000000 MOV EAX,0x1
00411B71 |. 81C4 FC000000 ADD ESP,0xFC
00411B77 \. C3 RETN
函数BCFF的功能就是以上5种,可以直接用深思4的SDK将函数写入狗内达到硬复制的目的。