XXDownload 1.14 Analysis (note the version)
From DEDE we got the info below:
--------------------------------
005A1F1D  E84224E6FF  call 00404364       ; cat MC behind NAME and a '-', and form a long STRING
005A1F22  8B45EC      mov eax, [ebp-$14]
005A1F25  5A          pop edx
005A1F26  E859180300  call 005D3784       ; here is the main call for CODE
005A1F2B  84C0        test al, al
Let's go deeper into CALL 005D3784 and see what is in it:
---------------------------------------------------
005D37C8  8B45FC      mov eax, [ebp-$04]  ; here is the long STRING
005D37CB  E848000000  call 005D3818       ; some kind of calculation
005D37D0  8B45F0      mov eax, [ebp-$10]  ; the result CODE
005D37D3  8B55F8      mov edx, [ebp-$08]  ; the input CODE
* Reference to: system.@LStrCmp;
005D37D6  E8D90BE3FF  call 004043B4
005D37DB  7506        jnz 005D37E3        ; FAILED!
See what is in CALL 005D3818:
-----------------------------
005D3851 |. 8D4D D8       LEA ECX,DWORD PTR SS:[EBP-28]
005D3854 |. BA B8385D00   MOV EDX,unpacked.005D38B8       ; ASCII "hidownload1.14"
005D3859 |. 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]    ; Long STRING
005D385C |. E8 8FDF0000   CALL unpacked.005E17F0          ; step 1()
result1 is: 'ylUQQbbOCBkVHn7X/POg+V/BefqmnRucVd3yORd/xh=='
005D3861 |. 8B45 D8       MOV EAX,DWORD PTR SS:[EBP-28]   ; result1
005D3864 |. 8D55 DC       LEA EDX,DWORD PTR SS:[EBP-24]
005D3867 |. E8 4037FAFF   CALL unpacked.00576FAC          ; step 2()
result2 is: 92 B6 9C FE 3A 66 FE 95 7C 11 C0 AD 28 2B 6C F1 (128 bits)
005D386C |. 8D45 DC       LEA EAX,DWORD PTR SS:[EBP-24]   ; result2
005D386F |. 8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
005D3872 |. E8 A937FAFF   CALL unpacked.00577020          ; step 3 (change result2 to a HEX string)
                                                          ; the HEX string is the right code
----------------------------------
See step 1 in CALL 005E17F0 first:
----------------------------------
005E182A |. A1 F8C85400   MOV EAX,DWORD PTR DS:[54C8F8]
005E182F |. E8 9CB1F6FF   CALL unpacked.0054C9D0          ; BlowFish.Create
005E1834 |. 8945 F0       MOV DWORD PTR SS:[EBP-10],EAX   ; store BlowFish
005E1837 |. 8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
005E183A |. 8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
005E183D |. E8 1EAFF6FF   CALL unpacked.0054C760
CALL unpacked.0054C760:
-----------------------
0054C76C |. A1 C0BD5400   MOV EAX,DWORD PTR DS:[54BDC0]
0054C771 |. E8 06F7FFFF   CALL unpacked.0054BE7C          ; SHA1.Create
0054C776 |. 8BD8          MOV EBX,EAX
0054C778 |. 8BC3          MOV EAX,EBX
0054C77A |. 8B10          MOV EDX,DWORD PTR DS:[EAX]
0054C77C |. FF52 34       CALL NEAR DWORD PTR DS:[EDX+34] ; SHA1.Initial values(0x67452301...)
0054C7B0 |. 8B08          MOV ECX,DWORD PTR DS:[EAX]      ; 'hidownload1.14'
0054C7B2 |. FF51 40       CALL NEAR DWORD PTR DS:[ECX+40] ; SHA1.Encrypt
SHA1('hidownload1.14') = FD BD AD D9 20 79 52 03 2A 24 0B AE 48 E7 ED 7E F0 28 6A 8B
0054C7D0 |. 8BD6          MOV EDX,ESI
0054C7D2 |. 8BCD          MOV ECX,EBP
0054C7D4 |. 8BC7          MOV EAX,EDI
0054C7D6 |. 8B38          MOV EDI,DWORD PTR DS:[EAX]
0054C7D8 |. FF57 30       CALL NEAR DWORD PTR DS:[EDI+30] ; BlowFish_Init(SHA1.result)
                                                          ; BlowFish_EN(-1)
005E1867 |. 8BD0          MOV EDX,EAX
005E1869 |. 8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
005E186C |. 59            POP ECX
005E186D |. 8B18          MOV EBX,DWORD PTR DS:[EAX]
005E186F |. FF53 4C       CALL NEAR DWORD PTR DS:[EBX+4C] ; Loops of BlowFish_EN xor long STRING
                                                          ; if you want to know more, just trace in
005E1875 |. 8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]   ; result of last op
005E1878 |. E8 FBA2F6FF   CALL unpacked.0054BB78          ; something like base64
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
005E187D |. 8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]   ; result of last op
--------------------------------------
Then see step 2 in CALL 00576FAC next:
--------------------------------------
00576FCE |. 8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]
00576FD1 |. E8 1AFEFFFF   CALL unpacked.00576DF0          ; MD5.Initial
00576FED |. E8 52FEFFFF   CALL unpacked.00576E44          ; grouped result1
00576FF2 |. 8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
00576FF5 |. 8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]
00576FF8 |. E8 1FFFFFFF   CALL unpacked.00576F1C          ; MD5.Encrypt
                                                          ; it is the result2
In HiDownLoad 1.15 it still uses a visible code compare :), but the way the code is derived has changed:
Name + ':' + EMail + 'chs-1.15'
MD5
convert the MD5 result to a string
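
The visible compare traced above works against the program because the binary itself derives the right code from the entered name and a constant embedded in it. As an added example (not code from the program or from the original post; the function names, the NUL field separator and the sample values are assumptions), a check built on an Ed25519 signature ships only a public key, so the client can verify a code but holds nothing that derives one:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// licenseMessage binds a code to registrant and version (NUL separator is an assumption).
func licenseMessage(name, email, version string) []byte {
	return []byte(name + "\x00" + email + "\x00" + version)
}

// IssueLicense runs only on the vendor side, where the private key lives.
func IssueLicense(priv ed25519.PrivateKey, name, email, version string) string {
	sig := ed25519.Sign(priv, licenseMessage(name, email, version))
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyLicense is the only part shipped in the client. It needs just the
// public key, so reading the binary does not reveal how to derive a code.
func VerifyLicense(pub ed25519.PublicKey, name, email, version, code string) error {
	sig, err := base64.StdEncoding.DecodeString(code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed license code")
	}
	if !ed25519.Verify(pub, licenseMessage(name, email, version), sig) {
		return errors.New("code does not match name, e-mail and version")
	}
	return nil
}

// Demo uses a freshly generated key pair and constructed sample values.
func Demo() (valid, otherUser, otherVersion, garbage error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	code := IssueLicense(priv, "Alice Example", "alice@example.test", "1.15")
	valid = VerifyLicense(pub, "Alice Example", "alice@example.test", "1.15", code)
	otherUser = VerifyLicense(pub, "Bob Example", "bob@example.test", "1.15", code)
	otherVersion = VerifyLicense(pub, "Alice Example", "alice@example.test", "1.16", code)
	garbage = VerifyLicense(pub, "Alice Example", "alice@example.test", "1.15", "AAAA")
	return
}

func main() { fmt.Println(Demo()) }
```

The comparison branch can still be patched in the binary, so the signature only closes the derivation path; it does not replace integrity protection of the executable.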