QQ2010聊天记录查看器 (QQ2010 Chat Log Viewer) 7.5 algorithm analysis
I analysed the 09 version earlier. The 10 version switched to validation tied to a machine code and changed the algorithm, but it is still weak. The analysis follows.
No packer, written in VC6.0. Analysis shows that the program stores its registration info with WriteProfileStringA, which writes the strings into Win.ini, and re-checks them on the next start. Reload in OD, set a breakpoint on GetProfileStringA, and after returning we land here:
00413250 /$ 6A FF push -1
00413252 |. 68 08E54300 push 0043E508 ; SEH handler install
00413257 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041325D |. 50 push eax
0041325E |. 64:8925 00000>mov dword ptr fs:[0], esp
00413265 |. 81EC 04010000 sub esp, 104
0041326B |. 53 push ebx
0041326C |. 55 push ebp
0041326D |. 56 push esi
0041326E |. 57 push edi
0041326F |. 8BF1 mov esi, ecx
00413271 |. 8D5E 18 lea ebx, dword ptr [esi+18]
00413274 |. 8D8424 240100>lea eax, dword ptr [esp+124]
0041327B |. 50 push eax
0041327C |. 8BCB mov ecx, ebx
0041327E |. C78424 200100>mov dword ptr [esp+120], 0
00413289 |. E8 44BC0100 call 0042EED2
0041328E |. 8B9424 240100>mov edx, dword ptr [esp+124]
00413295 |. B9 40000000 mov ecx, 40
0041329A |. 33C0 xor eax, eax
0041329C |. 8D7C24 14 lea edi, dword ptr [esp+14]
004132A0 |. 8B2D B0024400 mov ebp, dword ptr [<&KERNEL32.GetPr>; kernel32.GetProfileStringA
004132A6 |. 68 00010000 push 100 ; /BufSize = 100 (256.)
004132AB |. F3:AB rep stos dword ptr es:[edi] ; |
004132AD |. 8D4C24 18 lea ecx, dword ptr [esp+18] ; |
004132B1 |. 51 push ecx ; |ReturnBuffer
004132B2 |. 68 E04A4500 push 00454AE0 ; |Default = “”
004132B7 |. 68 A0064500 push 004506A0 ; |notetext
004132BC |. 52 push edx ; |Section
004132BD |. FFD5 call ebp ; \GetProfileStringA
004132BF |. 8D4424 14 lea eax, dword ptr [esp+14] ; value read for notetext = the registration code
004132C3 |. 8D7E 0C lea edi, dword ptr [esi+C]
004132C6 |. 50 push eax
004132C7 |. 68 00F14400 push 0044F100 ; %s
004132CC |. 57 push edi ; QQ2010聊.00454A7C
004132CD |. E8 FB9E0100 call 0042D1CD
004132D2 |. 83C4 0C add esp, 0C
004132D5 |. 8BCF mov ecx, edi
004132D7 |. E8 509F0100 call 0042D22C
004132DC |. 8BCF mov ecx, edi
004132DE |. E8 FD9E0100 call 0042D1E0
004132E3 |. 8B9424 240100>mov edx, dword ptr [esp+124]
004132EA |. B9 40000000 mov ecx, 40
004132EF |. 33C0 xor eax, eax
004132F1 |. 8D7C24 14 lea edi, dword ptr [esp+14]
004132F5 |. F3:AB rep stos dword ptr es:[edi]
004132F7 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
004132FB |. 68 00010000 push 100
00413300 |. 51 push ecx
00413301 |. 68 E04A4500 push 00454AE0
00413306 |. 68 98064500 push 00450698 ; noteid
0041330B |. 52 push edx
0041330C |. FFD5 call ebp ; read noteid = the order number
0041330E |. 8D4424 14 lea eax, dword ptr [esp+14]
00413312 |. 8D7E 10 lea edi, dword ptr [esi+10]
00413315 |. 50 push eax
00413316 |. 68 00F14400 push 0044F100 ; %s
0041331B |. 57 push edi
0041331C |. E8 AC9E0100 call 0042D1CD
Return again and we reach the following code:
0040CCE7 |. 51 push ecx
0040CCE8 |. 8BCC mov ecx, esp
0040CCEA |. 896424 14 mov dword ptr [esp+14], esp
0040CCEE |. 68 FCFD4400 push 0044FDFC ; ASCII “qq2010″
0040CCF3 |. E8 0F210200 call 0042EE07
0040CCF8 |. B9 704A4500 mov ecx, 00454A70
0040CCFD |. E8 4E650000 call 00413250 ; read the registration info from Win.ini
0040CD02 |. 51 push ecx ; returns here
0040CD03 |. 8BCC mov ecx, esp
0040CD05 |. 896424 14 mov dword ptr [esp+14], esp
0040CD09 |. 68 CC4A4500 push 00454ACC
0040CD0E |. E8 FB1D0200 call 0042EB0E
0040CD13 |. B9 704A4500 mov ecx, 00454A70
0040CD18 |. E8 E3690000 call 00413700 ; registration check, F7 to step in
0040CD1D |. 8B0D D04A4500 mov ecx, dword ptr [454AD0]
0040CD23 |. 51 push ecx
0040CD24 |. 51 push ecx
0040CD25 |. 8BCC mov ecx, esp
0040CD27 |. 896424 18 mov dword ptr [esp+18], esp
0040CD2B |. 68 FCFD4400 push 0044FDFC ; ASCII “qq2010″
Stepping into the CALL at 0040CD18:
00413700 /$ 6A FF push -1
00413702 |. 68 80E54300 push 0043E580 ; SEH handler install
00413707 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041370D |. 50 push eax
0041370E |. 64:8925 00000>mov dword ptr fs:[0], esp
00413715 |. 83EC 24 sub esp, 24
00413718 |. 53 push ebx
00413719 |. 55 push ebp
0041371A |. 56 push esi
0041371B |. 57 push edi
0041371C |. 8BE9 mov ebp, ecx
0041371E |. 8D4D 20 lea ecx, dword ptr [ebp+20]
00413721 |. 68 E04A4500 push 00454AE0
00413726 |. C74424 40 000>mov dword ptr [esp+40], 0
0041372E |. 894C24 28 mov dword ptr [esp+28], ecx
00413732 |. E8 EBB70100 call 0042EF22
00413737 |. 8D45 0C lea eax, dword ptr [ebp+C]
0041373A |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0041373E |. 50 push eax
0041373F |. E8 CAB30100 call 0042EB0E
00413744 |. 8D4C24 44 lea ecx, dword ptr [esp+44]
00413748 |. C64424 3C 01 mov byte ptr [esp+3C], 1
0041374D |. 51 push ecx
0041374E |. 8D4D 1C lea ecx, dword ptr [ebp+1C]
00413751 |. E8 7CB70100 call 0042EED2
00413756 |. 8B45 28 mov eax, dword ptr [ebp+28]
00413759 |. 85C0 test eax, eax
0041375B |. 74 40 je short 0041379D
0041375D |. 51 push ecx
0041375E |. 8D5424 48 lea edx, dword ptr [esp+48]
00413762 |. 8BCC mov ecx, esp
00413764 |. 896424 28 mov dword ptr [esp+28], esp
00413768 |. 52 push edx
00413769 |. E8 A0B30100 call 0042EB0E
0041376E |. 8BCD mov ecx, ebp
00413770 |. E8 4BFDFFFF call 004134C0 ; the actual registration check, F7 to step in
00413775 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00413779 |. 8BF0 mov esi, eax
0041377B |. C64424 3C 00 mov byte ptr [esp+3C], 0
00413780 |. E8 14B60100 call 0042ED99
00413785 |. 8D4C24 44 lea ecx, dword ptr [esp+44]
00413789 |. C74424 3C FFF>mov dword ptr [esp+3C], -1
00413791 |. E8 03B60100 call 0042ED99
00413796 |. 8BC6 mov eax, esi
00413798 |. E9 DB010000 jmp 00413978
Continue stepping into the CALL at 00413770:
004134C0 /$ 6A FF push -1
004134C2 |. 68 60E54300 push 0043E560 ; SEH handler install
004134C7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004134CD |. 50 push eax
004134CE |. 64:8925 00000>mov dword ptr fs:[0], esp
004134D5 |. 83EC 10 sub esp, 10
004134D8 |. 53 push ebx
004134D9 |. 55 push ebp
004134DA |. 56 push esi
004134DB |. 57 push edi
004134DC |. 8BD9 mov ebx, ecx
004134DE |. 33C9 xor ecx, ecx
004134E0 |. 8D7B 0C lea edi, dword ptr [ebx+C]
004134E3 |. 894C24 28 mov dword ptr [esp+28], ecx
004134E7 |. 8B17 mov edx, dword ptr [edi]
004134E9 |. 8B72 F8 mov esi, dword ptr [edx-8]
004134EC |. 83FE 14 cmp esi, 14 ; registration code must be exactly 20 characters (0x14)
004134EF |. 74 0C je short 004134FD
004134F1 |> C743 14 02000>mov dword ptr [ebx+14], 2
004134F8 |. E9 5E010000 jmp 0041365B
004134FD |> 3BF1 cmp esi, ecx
004134FF |. 7E 10 jle short 00413511
00413501 |> 8A040A /mov al, byte ptr [edx+ecx] ; every character of the registration code must be a digit '0'..'9'
00413504 |. 3C 30 |cmp al, 30
00413506 |.^ 7C E9 |jl short 004134F1
00413508 |. 3C 39 |cmp al, 39
0041350A |.^ 7F E5 |jg short 004134F1
0041350C |. 41 |inc ecx
0041350D |. 3BCE |cmp ecx, esi
0041350F |.^ 7C F0 \jl short 00413501
00413511 |> 8D6B 20 lea ebp, dword ptr [ebx+20]
00413514 |. 68 E04A4500 push 00454AE0
00413519 |. 8BCD mov ecx, ebp
0041351B |. 896C24 20 mov dword ptr [esp+20], ebp
0041351F |. E8 FEB90100 call 0042EF22
00413524 |. 57 push edi
00413525 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00413529 |. E8 E0B50100 call 0042EB0E ; copy the entered code [ebx+C] into a local CString
0041352E |. C64424 28 01 mov byte ptr [esp+28], 1
00413533 |. 8B43 24 mov eax, dword ptr [ebx+24]
00413536 |. 8B40 F8 mov eax, dword ptr [eax-8]
00413539 |. 83F8 0A cmp eax, 0A ; machine code [ebx+24] must be at least 10 characters
0041353C |. 7D 26 jge short 00413564
0041353E |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00413542 |. C64424 28 00 mov byte ptr [esp+28], 0
00413547 |. E8 4DB80100 call 0042ED99
0041354C |. 8D4C24 30 lea ecx, dword ptr [esp+30]
00413550 |. C74424 28 FFF>mov dword ptr [esp+28], -1
00413558 |. E8 3CB80100 call 0042ED99
0041355D |. 33C0 xor eax, eax
0041355F |. E9 7F010000 jmp 004136E3
00413564 |> 8B4C24 10 mov ecx, dword ptr [esp+10]
00413568 |. 8379 F8 0A cmp dword ptr [ecx-8], 0A ; the entered code copy must also be at least 10 characters
0041356C |. 7D 26 jge short 00413594
0041356E |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00413572 |. C64424 28 00 mov byte ptr [esp+28], 0
00413577 |. E8 1DB80100 call 0042ED99
0041357C |. 8D4C24 30 lea ecx, dword ptr [esp+30]
00413580 |. C74424 28 FFF>mov dword ptr [esp+28], -1
00413588 |. E8 0CB80100 call 0042ED99
0041358D |. 33C0 xor eax, eax
0041358F |. E9 4F010000 jmp 004136E3
00413594 |> 68 E04A4500 push 00454AE0
00413599 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0041359D |. E8 65B80100 call 0042EE07
004135A2 |. 68 E04A4500 push 00454AE0
004135A7 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004135AB |. C64424 2C 02 mov byte ptr [esp+2C], 2
004135B0 |. E8 52B80100 call 0042EE07
004135B5 |. C64424 28 03 mov byte ptr [esp+28], 3
004135BA |. 8B4B 24 mov ecx, dword ptr [ebx+24]
004135BD |. 33C0 xor eax, eax
004135BF |. 8B51 F8 mov edx, dword ptr [ecx-8]
004135C2 |. 85D2 test edx, edx
004135C4 |. 7E 55 jle short 0041361B
004135C6 |> 0FBE2C08 /movsx ebp, byte ptr [eax+ecx] ; ebp = machine code byte c[i]
004135CA |. 8D78 01 |lea edi, dword ptr [eax+1] ; edi = i+1
004135CD |. BE 68000000 |mov esi, 68 ; default partner value 0x68, used when there is no next byte
004135D2 |. 3BFA |cmp edi, edx
004135D4 |. 7D 07 |jge short 004135DD ; last byte: keep esi = 68
004135D6 |. 0FBE7408 01 |movsx esi, byte ptr [eax+ecx+1] ; esi = c[i+1]
004135DB |. 03F5 |add esi, ebp ; esi = c[i] + c[i+1]
004135DD |> 8D45 05 |lea eax, dword ptr [ebp+5] ; eax = c[i] + 5
004135E0 |. B9 0A000000 |mov ecx, 0A ; divisor 10 for the idiv below
004135E5 |. 0BC6 |or eax, esi ; eax = (c[i]+5) | esi
004135E7 |. 99 |cdq ; sign-extend eax into edx:eax for idiv
004135E8 |. F7F9 |idiv ecx ; eax = quotient, edx = remainder of eax/10
004135EA |. 52 |push edx ; the remainder (one decimal digit) is the %d argument
004135EB |. 8D5424 18 |lea edx, dword ptr [esp+18]
004135EF |. 68 44FF4400 |push 0044FF44 ; %d
004135F4 |. 52 |push edx
004135F5 |. E8 D39B0100 |call 0042D1CD ; format the digit as "%d" into a temp CString
004135FA |. 83C4 0C |add esp, 0C
004135FD |. 8D4424 14 |lea eax, dword ptr [esp+14]
00413601 |. 8D4C24 18 |lea ecx, dword ptr [esp+18]
00413605 |. 50 |push eax
00413606 |. E8 A6BB0100 |call 0042F1B1 ; append the digit to the accumulated code (CString +=, by calling pattern)
0041360B |. 8B4B 24 |mov ecx, dword ptr [ebx+24]
0041360E |. 8BC7 |mov eax, edi ; i = i+1 (step is 1, so every byte is paired with its successor)
00413610 |. 8B51 F8 |mov edx, dword ptr [ecx-8]
00413613 |. 3BC2 |cmp eax, edx
00413615 |.^ 7C AF \jl short 004135C6
00413617 |. 8B6C24 1C mov ebp, dword ptr [esp+1C]
0041361B |> 8B4C24 10 mov ecx, dword ptr [esp+10]
0041361F |. 8B5424 18 mov edx, dword ptr [esp+18] ; computed (true) code
00413623 |. 51 push ecx ; entered code
00413624 |. 52 push edx ; computed code
00413625 |. E8 CCA00000 call 0041D6F6 ; compare entered code with computed code
0041362A |. 83C4 08 add esp, 8
0041362D |. 85C0 test eax, eax
0041362F |. 74 3F je short 00413670 ; jump if equal
00413631 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00413635 |. C64424 28 02 mov byte ptr [esp+28], 2
0041363A |. E8 5AB70100 call 0042ED99
0041363F |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00413643 |. C64424 28 01 mov byte ptr [esp+28], 1
00413648 |. E8 4CB70100 call 0042ED99
0041364D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00413651 |. C64424 28 00 mov byte ptr [esp+28], 0
00413656 |. E8 3EB70100 call 0042ED99
0041365B |> 8D4C24 30 lea ecx, dword ptr [esp+30]
0041365F |. C74424 28 FFF>mov dword ptr [esp+28], -1
00413667 |. E8 2DB70100 call 0042ED99
0041366C |. 33C0 xor eax, eax
0041366E |. EB 73 jmp short 004136E3
00413670 |> C743 14 01000>mov dword ptr [ebx+14], 1 ; codes match; now the online check of the order number
00413677 |. 8B3D D0024400 mov edi, dword ptr [<&KERNEL32.Sleep>; kernel32.Sleep
0041367D |. 33F6 xor esi, esi
0041367F |> 8BCB /mov ecx, ebx
00413681 |. E8 0AFDFFFF |call 00413390 ; network check, F7 to step in
00413686 |. 85C0 |test eax, eax
00413688 |. 75 0D |jnz short 00413697 ; nonzero = verified, leave the loop
0041368A |. 68 E8030000 |push 3E8
0041368F |. FFD7 |call edi
00413691 |. 46 |inc esi
00413692 |. 83FE 03 |cmp esi, 3 ; at most 3 attempts, Sleep(1000) after each failure
00413695 |.^ 7C E8 \jl short 0041367F
00413697 |> 68 FC064500 push 004506FC ; 12
0041369C |. 8BCD mov ecx, ebp
0041369E |. E8 7FB80100 call 0042EF22
004136A3 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
004136A7 |. C64424 28 02 mov byte ptr [esp+28], 2
004136AC |. E8 E8B60100 call 0042ED99
004136B1 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004136B5 |. C64424 28 01 mov byte ptr [esp+28], 1
004136BA |. E8 DAB60100 call 0042ED99
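The routine above, re-implemented in Python as an added example (my reconstruction from the listing, not code from the program or from the post). One point the listing makes clear: the loop at 004135C6 advances i by one (mov eax, edi at 0041360E), so every byte of the machine code is paired with its successor rather than in odd/even pairs, and the last byte is paired with the constant 0x68 preset in esi. Each output digit is ((c[i] + 5) | (c[i] + c[i+1])) % 10, one digit per machine-code byte, which is why a 20-character machine code yields the 20-digit registration code the first check demands. The function names are mine, the machine code is assumed to be plain ASCII (movsx changes nothing below 0x80), and the test values are the machine code and registration code the post lists at the end.

```python
"""Reconstruction of the registration check at 004134C0 (added example)."""

TAIL_PAD = 0x68              # mov esi, 68 at 004135CD: partner value for the last byte
REG_CODE_LEN = 0x14          # cmp esi, 14 at 004134EC
MIN_MACHINE_CODE_LEN = 0x0A  # cmp eax, 0A at 00413539


def keygen(machine_code: str) -> str:
    """Build the 'true' code that the loop at 004135C6..00413615 computes.

    For i = 0 .. len-1 (step 1):
        pair  = c[i] + c[i+1]          (0x68 when there is no c[i+1])
        digit = ((c[i] + 5) | pair) % 10
    The digits are appended as "%d" text, one per machine-code byte.
    """
    c = machine_code.encode("ascii")    # assumption: machine code is plain ASCII
    n = len(c)
    digits = []
    for i in range(n):
        pair = TAIL_PAD
        if i + 1 < n:                   # cmp edi, edx / jge 004135DD
            pair = c[i] + c[i + 1]      # movsx esi, [eax+ecx+1]; add esi, ebp
        value = (c[i] + 5) | pair       # lea eax, [ebp+5]; or eax, esi
        digits.append(str(value % 10))  # cdq; idiv ecx -> edx; "%d"
    return "".join(digits)


def check(machine_code: str, entered_code: str) -> str:
    """Mirror the checks of 004134C0 in order; return a short status name."""
    # 004134EC: exactly 20 characters ...
    if len(entered_code) != REG_CODE_LEN:
        return "format_error"           # [ebx+14] = 2
    # 00413501..0041350F: ... all of them '0'..'9'
    if not all("0" <= ch <= "9" for ch in entered_code):
        return "format_error"           # [ebx+14] = 2
    # 00413539 / 00413568: machine code and entered code at least 10 long
    if len(machine_code) < MIN_MACHINE_CODE_LEN:
        return "machine_code_too_short"
    # 00413625: compare entered code against the computed one
    if keygen(machine_code) != entered_code:
        return "mismatch"
    return "ok"                         # [ebx+14] = 1, then the online check runs


if __name__ == "__main__":
    # Values from the post's own registration info
    mc = "PXZVEMHPDMBHDXADGWDU"
    print(keygen(mc))                   # 35598513737511932372
    print(check(mc, keygen(mc)))        # ok
```

Because the machine code reaches the comparison unchanged and the computed code sits in memory at [esp+18] right before the compare, either reading it out of the debugger or running keygen() on the displayed machine code gives a working code without patching anything.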
Stepping into the network check at 00413681:
00413390 /$ 64:A1 0000000>mov eax, dword ptr fs:[0]
00413396 |. 6A FF push -1
00413398 |. 68 30E54300 push 0043E530
0041339D |. 50 push eax
0041339E |. 64:8925 00000>mov dword ptr fs:[0], esp
004133A5 |. 83EC 0C sub esp, 0C
004133A8 |. 53 push ebx
004133A9 |. 56 push esi
004133AA |. 8BF1 mov esi, ecx
004133AC |. 33DB xor ebx, ebx
004133AE |. 8B46 1C mov eax, dword ptr [esi+1C]
004133B1 |. 3958 F8 cmp dword ptr [eax-8], ebx
004133B4 |. 0F84 F1000000 je 004134AB
004133BA |. 8B4E 10 mov ecx, dword ptr [esi+10]
004133BD |. 3959 F8 cmp dword ptr [ecx-8], ebx
004133C0 |. 0F84 E5000000 je 004134AB
004133C6 |. 8B56 0C mov edx, dword ptr [esi+C]
004133C9 |. 395A F8 cmp dword ptr [edx-8], ebx
004133CC |. 0F84 D9000000 je 004134AB
004133D2 |. 68 E04A4500 push 00454AE0
004133D7 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
004133DB |. E8 27BA0100 call 0042EE07
004133E0 |. 68 E04A4500 push 00454AE0
004133E5 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
004133E9 |. 895C24 20 mov dword ptr [esp+20], ebx
004133ED |. E8 15BA0100 call 0042EE07
004133F2 |. 8B46 18 mov eax, dword ptr [esi+18]
004133F5 |. 8B4E 0C mov ecx, dword ptr [esi+C]
004133F8 |. 8B56 10 mov edx, dword ptr [esi+10]
004133FB |. 50 push eax
004133FC |. 8B46 1C mov eax, dword ptr [esi+1C]
004133FF |. 51 push ecx
00413400 |. 52 push edx
00413401 |. 50 push eax
00413402 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00413406 |. 68 C4064500 push 004506C4 ; %s?key=kbdt96845wqer&noteid=%s&notetext=%s&softname=%s
0041340B |. 51 push ecx
0041340C |. C64424 34 01 mov byte ptr [esp+34], 1
00413411 |. E8 B79D0100 call 0042D1CD ; build the verification URL: %s args are base URL [esi+1C], noteid [esi+10], notetext [esi+C], softname [esi+18]
00413416 |. 83C4 18 add esp, 18
00413419 |. 8D5424 08 lea edx, dword ptr [esp+8]
0041341D |. 8D4424 0C lea eax, dword ptr [esp+C]
00413421 |. 52 push edx
00413422 |. 51 push ecx
00413423 |. 8BCC mov ecx, esp
00413425 |. 896424 18 mov dword ptr [esp+18], esp
00413429 |. 50 push eax
0041342A |. E8 DFB60100 call 0042EB0E
0041342F |. E8 2CDCFFFF call 00411060 ; perform the HTTP request; on success the server replies: 验证返回:tbdt96843aqe1
00413434 |. 83C4 08 add esp, 8
00413437 |. 3BC3 cmp eax, ebx
00413439 |. 74 52 je short 0041348D
0041343B |. 8B4C24 08 mov ecx, dword ptr [esp+8]
0041343F |. 3959 F8 cmp dword ptr [ecx-8], ebx
00413442 |. 74 49 je short 0041348D
00413444 |. 68 AC064500 push 004506AC ; 验证返回:tbdt96843aqe1 (the expected reply marker)
00413449 |. 8D4C24 0C lea ecx, dword ptr [esp+C]
0041344D |. E8 F5990100 call 0042CE47 ; search the reply for the marker
00413452 |. 85C0 test eax, eax
00413454 |. 7C 37 jl short 0041348D ; key jump: negative result (marker not found) = fail
00413456 |. 8D4C24 08 lea ecx, dword ptr [esp+8]
0041345A |. 895E 14 mov dword ptr [esi+14], ebx
0041345D |. 885C24 1C mov byte ptr [esp+1C], bl
00413461 |. E8 33B90100 call 0042ED99
That roughly covers the program's flow. The algorithm is simple, and the computed code even sits in memory (at [esp+18] right before the compare at 00413625), so I will not write a keygen. As for the network check of the order number, we can patch the jump to get past it, or use the SQL injection flaw. Entering the following in a browser:
http://www.zhongyuantech.com.cn/ … wqer&noteid=123 returns "验证返回:tbdt96843aqe1", the same string found in OD; when the check does not pass, it returns "验证失败!" (verification failed).
My registration info is:
Machine code: PXZVEMHPDMBHDXADGWDU
Registration code: 35598513737511932372
Order number (noteid): fatwolf08'or'1'='1
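The client side of the online check, reconstructed from 00413390 and the retry loop at 0041367F, as an added example in Python (my reconstruction, not the program's code). The HTTP call at 00411060 is replaced by a caller-supplied fetch function so the code runs offline; the key literal, the format string and the two server replies are the ones quoted above, the base URL (elided in the post) is a placeholder, and the acceptance test models 0042CE47 as a substring search, which is what the jl on a negative result at 00413454 suggests. Two things the code makes visible: the fields are pasted into the URL with %s and never URL-encoded, so the quote characters in the order number above reach the server verbatim, and any reply that merely contains the marker is accepted.

```python
"""Client side of the order-number check (added example, reconstructed)."""
import time

KEY = "kbdt96845wqer"                       # literal inside the format string at 004506C4
FORMAT = "%s?key=" + KEY + "&noteid=%s&notetext=%s&softname=%s"
SUCCESS_MARKER = "验证返回:tbdt96843aqe1"     # literal at 004506AC
FAIL_REPLY = "验证失败!"                      # reply the post reports for a failed check
MAX_ATTEMPTS = 3                            # cmp esi, 3 at 00413692
RETRY_DELAY_S = 1.0                         # Sleep(3E8) at 0041368A


def build_verify_url(base_url, noteid, notetext, softname):
    """Same formatting as 00413411: raw %s substitution, no URL-encoding."""
    return FORMAT % (base_url, noteid, notetext, softname)


def reply_accepted(reply):
    """00413437..00413454: a non-empty reply that contains the marker anywhere."""
    if not reply:
        return False
    return reply.find(SUCCESS_MARKER) >= 0   # jl 0041348D when the search result is negative


def verify_once(fetch, base_url, noteid, notetext, softname):
    """One call of 00413390; True when the server accepted the order number."""
    # 004133B1..004133CC: give up if base URL, noteid or notetext is empty
    if not base_url or not noteid or not notetext:
        return False
    return reply_accepted(fetch(build_verify_url(base_url, noteid, notetext, softname)))


def verify_with_retries(fetch, base_url, noteid, notetext, softname, sleep=time.sleep):
    """The loop at 0041367F: up to 3 attempts, Sleep(1000 ms) after each failure."""
    for _ in range(MAX_ATTEMPTS):
        if verify_once(fetch, base_url, noteid, notetext, softname):
            return True
        sleep(RETRY_DELAY_S)
    return False


def stand_in_server(url):
    """Constructed stand-in for the real endpoint (whose code is not on the page):
    it knows only the two reply strings quoted in the post and accepts one
    fixed order number."""
    query = url.split("?", 1)[1]
    params = dict(p.split("=", 1) for p in query.split("&"))
    return SUCCESS_MARKER if params.get("noteid") == "123" else FAIL_REPLY


if __name__ == "__main__":
    base = "http://example.invalid/check"    # placeholder: the real path is elided in the post
    code = "35598513737511932372"
    print(build_verify_url(base, "fatwolf08'or'1'='1", code, "qq2010"))
    print(verify_with_retries(stand_in_server, base, "123", code, "qq2010", sleep=lambda s: None))
```

Because the client only looks for the marker as a substring and never checks who answered, the same loop can be defeated from three places: patching the jl at 00413454, pointing the base URL at a host that answers with the marker, or, as the post does, sending the server an order number it fails to validate.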
[Copyright notice] This article is purely for technical exchange. When reposting, please keep the author information and the article intact. Thank you!
Notice: this article is licensed under the BY-NC-SA licence | 漏网小鱼博客
Reposts should credit the source as 《QQ2010聊天记录查看器 7.5算法分析【转】》
#1, 2012-1-13 10:55
I'm not much of an internet reader, to be honest, but your website is really good. Keep it up! I will bookmark your site and keep coming back in future. Many thanks.
#2, 2012-1-12 17:59
Howdy, I'm glad I found your website. I really found you by mistake while I was looking for something else on Digg. Anyway, I'm here now and just want to say thanks for a remarkable post and an all-round exciting blog (I also love the theme/design). I don't have time to go through it all at the moment, but I have bookmarked it and added your RSS feed, so when I have time I will be back to read a great deal more. Please do keep up the fantastic work.
#3, 2010-4-17 16:37
创意网: Learning, learning…
Reply, 2010-4-18 08:07
@创意网, want to swap links?