声明:仅学习分析使用
找到敏感信息,进行信息验证
36j5u499~f6242 注册失败036j5u499~f6242! 注册成功
订单号:112233 注册码:036j5u499~f6242!深入分析
将程序载入x64dbg,进行调试分析 关键字搜索:F9运行程序,在所有模块中搜索关键字(简化分析流程) 注册码错误注册码正确双击进入,调试分析,看到注册流程,反向调试,逆转注册流程(输入错误的注册信息,使其注册成功,输入正确的注册信息,使其注册失败)
00510532 | E8 5D46EFFF | call jzyq.404B94 |00510537 | 8B95 68FFFFFF | mov edx,dword ptr ss:[ebp-98] | edx:EntryPoint0051053D | 58 | pop eax |0051053E | E8 D546EFFF | call jzyq.404C18 |00510543 | 0F85 A3000000 | jne jzyq.5105EC |00510549 | B8 D0065100 | mov eax,jzyq.5106D0 | 5106D0:"注册码正确,感谢你的注册!"0051054E | E8 D19CF2FF | call jzyq.43A224 |00510553 | A1 14BA5100 | mov eax,dword ptr ds:[51BA14] |00510558 | 8B00 | mov eax,dword ptr ds:[eax] |0051055A | 8B80 18030000 | mov eax,dword ptr ds:[eax+318] |00510560 | 8B80 08020000 | mov eax,dword ptr ds:[eax+208] |00510566 | 33D2 | xor edx,edx | edx:EntryPoint00510568 | E8 87ECF5FF | call jzyq.46F1F4 |0051056D | BA F4065100 | mov edx,jzyq.5106F4 | edx:EntryPoint, 5106F4:"精装友情-软件已注册"00510572 | E8 D9EBF5FF | call jzyq.46F150 |00510577 | 8D85 50FFFFFF | lea eax,dword ptr ss:[ebp-B0] |0051057D | B9 10075100 | mov ecx,jzyq.510710 | 510710:"\hdwlz.dll"00510582 | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | edx:EntryPoint, [ebp-4]:PEB.InheritedAddressSpace00510585 | E8 9645EFFF | call jzyq.404B20 |0051058A | 8B8D 50FFFFFF | mov ecx,dword ptr ss:[ebp-B0] |00510590 | B2 01 | mov dl,1 |00510592 | A1 C4264600 | mov eax,dword ptr ds:[4626C4] |00510597 | E8 D821F5FF | call jzyq.462774 |0051059C | 8BF0 | mov esi,eax |0051059E | 8D95 4CFFFFFF | lea edx,dword ptr ss:[ebp-B4] | edx:EntryPoint005105A4 | 8B83 10030000 | mov eax,dword ptr ds:[ebx+310] |005105AA | E8 810AF3FF | call jzyq.441030 |005105AF | 8B85 4CFFFFFF | mov eax,dword ptr ss:[ebp-B4] |005105B5 | 50 | push eax |005105B6 | B9 24075100 | mov ecx,jzyq.510724 | 510724:"setet567"005105BB | BA 38075100 | mov edx,jzyq.510738 | edx:EntryPoint, 510738:"sym"005105C0 | 8BC6 | mov eax,esi |005105C2 | 8B18 | mov ebx,dword ptr ds:[eax] | ebx:PEB.InheritedAddressSpace005105C4 | FF53 04 | call dword ptr ds:[ebx+4] | ebx+4:PEB.Mutant005105C7 | 8D85 48FFFFFF | lea eax,dword ptr ss:[ebp-B8] |005105CD | B9 44075100 | mov ecx,jzyq.510744 | 510744:"\hdw1z.dll"005105D2 | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | edx:EntryPoint, [ebp-4]:PEB.InheritedAddressSpace005105D5 | E8 4645EFFF | call jzyq.404B20 |005105DA | 8B85 48FFFFFF | mov eax,dword ptr ss:[ebp-B8] |005105E0 | BA 02000000 | mov edx,2 | edx:EntryPoint005105E5 | E8 7E8FEFFF | call jzyq.409568 |005105EA | EB 24 | jmp jzyq.510610 |005105EC | B8 58075100 | mov eax,jzyq.510758 | 510758:"注册失败,请重新注册!"005105F1 | E8 2E9CF2FF | call jzyq.43A224 |005105F6 | 33D2 | xor edx,edx | edx:EntryPoint005105F8 | 8B83 10030000 | mov eax,dword ptr ds:[ebx+310] |005105FE | E8 5D0AF3FF | call jzyq.441060 |00510603 | 33D2 | xor edx,edx | edx:EntryPoint00510605 | 8B83 34030000 | mov eax,dword ptr ds:[ebx+334] |0051060B | E8 500AF3FF | call jzyq.441060 |00510610 | 33C0 | xor eax,eax |00510612 | 5A | pop edx | edx:EntryPoint分析:汇编指令:JNE 不等于时跳转,改成JE/JZ 等于跳转,这样就逆转了注册流程 运行查看效果,注意:汇编指令—— JE/JZ 等于转移 效果等同
另一种效果,使其注册机制失效,不管输入的注册信息是否正确都显示注册成功跳转指令用nop填充 NOP 空操作
注册机编写
在关键判断上下断点,劫持注册流程,可以看到注册对比情况
EAX 01E0EA9C 11 为输入的注册码EDX 01E0B93C 036j5u499~f6242! 为程序计算出的正确的注册码思路编写程序提取出程序计算出的注册码
0051053E | E8 D546EFFF | call jzyq.404C18 |运行注册机,程序运行,点击注册,填写订单号,注册码,点击注册,注册机机输出正确的注册码
劫持补丁编写
劫持补丁劫持该地址并替换其原始指令程序,到达反注册机制效果,需下列信息已制作劫持补丁 被劫持地址信息
00510543 | 0F85 A3000000 | jne jzyq.5105EC |模块基质:被劫持地址右键在内存布局中转到,查看主程序地址
地址=00400000大小=00001000页面信息=jzyq.exe分配类型=IMG当前保护=-R---初始保护=ERWC-指令:0F85 JNE指令:0F84 JE补丁数据如下 运行补丁,查看效果
扫码关注我们 www.sec-in.com 在这里,探索技术与热爱 原文始发于微信公众号(白帽子):原创 | 逆向分析记录No.1——注册流程分析、注册机、劫持补丁制作
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论