TraceMe.exe是一個示例程序,用於逆向的學習,簡單地模擬了註冊機制。
我們把它拖進IDA中無腦F5一波:
雙擊DialogFunc進入這個函數:
BOOL __stdcall DialogFunc(HWND hWnd, UINT a2, WPARAM a3, LPARAM a4)
{
int v5; // ebx
HWND v6; // eax
HWND v7; // eax
HWND v8; // eax
HICON v9; // eax
CHAR String2[4]; // [esp+8h] [ebp-F4h]
int v11; // [esp+Ch] [ebp-F0h]
int v12; // [esp+10h] [ebp-ECh]
__int16 v13; // [esp+14h] [ebp-E8h]
char v14; // [esp+16h] [ebp-E6h]
CHAR v15; // [esp+18h] [ebp-E4h]
char v16; // [esp+2Eh] [ebp-CEh]
CHAR v17; // [esp+30h] [ebp-CCh]
__int16 v18; // [esp+44h] [ebp-B8h]
char v19; // [esp+46h] [ebp-B6h]
CHAR String; // [esp+48h] [ebp-B4h]
CHAR String1; // [esp+98h] [ebp-64h]
qmemcpy(&v15, byte_405060, 0x16u);
v11 = dword_405054;
v16 = byte_405060[22];
v14 = byte_40505E;
qmemcpy(&v17, &unk_405038, 0x14u);
*(_DWORD *)String2 = dword_405050;
v18 = *((_WORD *)&unk_405038 + 10);
v13 = word_40505C;
v12 = dword_405058;
v19 = *((_BYTE *)&unk_405038 + 22);
if ( a2 == 16 )
{
DestroyWindow(hWnd);
return 1;
}
if ( a2 == 272 )
{
v9 = LoadIconA(hInstance, (LPCSTR)0x70);
SendMessageA(hWnd, 0x80u, 1u, (LPARAM)v9);
SendDlgItemMessageA(hWnd, 110, 0xC5u, 0x50u, 0);
return 1;
}
if ( a2 != 273 )
return 0;
if ( (signed int)(unsigned __int16)a3 > 1013 )
{
if ( (unsigned __int16)a3 == 1014 || (unsigned __int16)a3 == 40002 )
DialogBoxParamA(hInstance, (LPCSTR)0x67, hWnd, sub_401020, 0);
return 0;
}
if ( (unsigned __int16)a3 != 1013 )
{
if ( (unsigned __int16)a3 == 2 || (unsigned __int16)a3 == 1002 )
{
SendMessageA(hWnd, 0x10u, 0, 0);
return 0;
}
return 0;
}
v5 = GetDlgItemTextA(hWnd, 110, &String, 81);
GetDlgItemTextA(hWnd, 1000, &String1, 101);
if ( String && v5 >= 5 )
{
if ( sub_401340(&String1, &String, v5) )
{
lstrcpyA(::String1, String2);
v6 = GetDlgItem(hWnd, 110);
EnableWindow(v6, 0);
v7 = GetDlgItem(hWnd, 1000);
EnableWindow(v7, 0);
v8 = GetDlgItem(hWnd, 1000);
}
else
{
lstrcpyA(::String1, &v17);
v8 = GetDlgItem(hWnd, 1000);
}
}
else
{
lstrcpyA(::String1, &v15);
v8 = GetDlgItem(hWnd, 110);
}
SetFocus(v8);
MessageBeep(0);
DialogBoxParamA(hInstance, (LPCSTR)0x79, hWnd, sub_401060, 0);
return 0;
}
看到第60行:
v5 = GetDlgItemTextA(hWnd, 110, &String, 81);
GetDlgItemTextA(hWnd, 1000, &String1, 101);
if ( String && v5 >= 5 )
{
if ( sub_401340(&String1, &String, v5) )
{
lstrcpyA(::String1, String2);
v6 = GetDlgItem(hWnd, 110);
EnableWindow(v6, 0);
v7 = GetDlgItem(hWnd, 1000);
EnableWindow(v7, 0);
v8 = GetDlgItem(hWnd, 1000);
}
else
{
lstrcpyA(::String1, &v17);
v8 = GetDlgItem(hWnd, 1000);
}
}
這裏就是程序主要的邏輯:
使用函數GetDlgItemTextA讀取輸入的用戶名和序列號,如果用戶名超長則截取前100位。
然後送入函數sub_401340計算,計算結果是true則驗證通過。
進入sub_401340這個函數看下:
BOOL __cdecl sub_401340(LPCSTR lpString1, LPSTR a2, int a3)
{
int v3; // ecx
int v4; // esi
signed int i; // eax
v3 = 3;
v4 = 0;
for ( i = 0; v3 < a3; ++i )
{
if ( i > 7 )
i = 0;
v4 += (unsigned __int8)byte_405030[i] * (unsigned __int8)a2[v3++];
}
wsprintfA(a2, aLd, v4);
return lstrcmpA(lpString1, a2) == 0;
}
這就是具體的算法。邏輯大概就是根據傳入的變量lpstring、a2、a3計算序列號,並與用戶輸入的序列號比對。
針對該邏輯,給出python3寫的根據用戶名計算序列號的代碼:
f=[0x0C, 0x0A, 0x13, 0x09, 0x0C, 0x0B, 0x0A, 0x08]
inputs="asdfg"
f2=list(inputs)
a2=[]
for c in f2:
a2.append(ord(c))
v3=3
v4=0
a3=len(inputs)
i=0
while v3<a3:
if(i>7): i=0
fi = f[i]
a2v3=a2[v3]
v4+=fi*a2v3
v3+=1
i+=1
print(hex(v4))
變量inputs就是輸入的用戶名,這裏我們輸入asdfg,運行這段python代碼,看到輸出註冊碼爲2254:
把用戶名和註冊碼輸入進去,看到驗證通過: