Recently, because of a project, I used a piece of foreign software, but after a while it turned out to have Expired. Looks like I had to roll up my sleeves and analyze it, and the result was that the software's protection is surprisingly fragile, barely beginner level.
Below, let us take it as an example and analyze its protection (this analysis is for technical research only; anyone using it for other purposes bears the responsibility themselves).
When you click Register, the software reports: "Sorry, register failed, please try again."
Doing static analysis in wdasm (W32Dasm) and locating the code by that string, it is not hard to find the following fragment:
* Reference To: MFC42u.Ordinal:18FF, Ord:18FFh
|
:00401977 E884900000 Call 0040AA00
:0040197C 8B06 mov eax, dword ptr [esi]
:0040197E 8B48F8 mov ecx, dword ptr [eax-08]
:00401981 85C9 test ecx, ecx
:00401983 7437 je 004019BC
:00401985 51 push ecx
:00401986 8BCC mov ecx, esp
:00401988 89642410 mov dword ptr [esp+10], esp
:0040198C 56 push esi
* Reference To: MFC42u.Ordinal:0217, Ord:0217h
|
:0040198D E844900000 Call 0040A9D6
:00401992 E8893B0000 call 00405520
:00401997 83C404 add esp, 00000004
:0040199A 85C0 test eax, eax
:0040199C 742A je 004019C8
:0040199E 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Register Info"
|
:004019A0 684C024100 push 0041024C
* Possible StringData Ref from Data Obj ->"Thank you for using XX "
->"Finder, register successfully!"
|
:004019A5 68D0014100 push 004101D0
:004019AA 6A00 push 00000000
:004019AC C7051811410001000000 mov dword ptr [00411118], 00000001
* Reference To: USER32.MessageBoxW, Ord:01C3h
|
:004019B6 FF15B4C34000 Call dword ptr [0040C3B4]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401954(C), :00401983(C)
|
:004019BC 8BCB mov ecx, ebx
* Reference To: MFC42u.Ordinal:12EF, Ord:12EFh
|
:004019BE E837900000 Call 0040A9FA
:004019C3 5F pop edi
:004019C4 5E pop esi
:004019C5 5B pop ebx
:004019C6 59 pop ecx
:004019C7 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040199C(C)
|
:004019C8 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Register Info"
|
:004019CA 684C024100 push 0041024C
* Possible StringData Ref from Data Obj ->"Sorry, register failed, please "
->"try again."
|
:004019CF 687C014100 push 0041017C
:004019D4 6A00 push 00000000
* Reference To: USER32.MessageBoxW, Ord:01C3h
|
:004019D6 FF15B4C34000 Call dword ptr [0040C3B4]
:004019DC 5F pop edi
:004019DD 5E pop esi
:004019DE 5B pop ebx
:004019DF 59 pop ecx
:004019E0 C3 ret
The analysis makes one jump stand out as suspicious:
:0040199C 742A je 004019C8
It directly follows test eax, eax, so the call just before it returns the verdict in eax: zero means the entered code was rejected and the "Sorry, register failed" box is shown, non-zero sets the global flag at 00411118 to 1 and shows the "register successfully" box. The two calls in front of that test are:
:0040198D E844900000 Call 0040A9D6
:00401992 E8893B0000 call 00405520
Only the second one is the registration-code check. The first is an MFC42u import thunk (W32Dasm marks it as Ordinal 0217); with ecx pointing at a stack slot and esi at the source string it looks like a CString copy being built as the argument. The real check is the program's own function at 00405520, which takes that one argument (note the add esp, 00000004 right after it) and reports the result in eax. A global search for calls to 00405520 quickly turns up the following code:
* Possible StringData Ref from Data Obj ->"Settings"
|
:00401D21 68F8004100 push 004100F8
:00401D26 51 push ecx
:00401D27 8BCE mov ecx, esi
* Reference To: MFC42u.Ordinal:0DBD, Ord:0DBDh
|
:00401D29 E8B48C0000 Call 0040A9E2
:00401D2E 51 push ecx
:00401D2F 8D542410 lea edx, dword ptr [esp+10]
:00401D33 8BCC mov ecx, esp
:00401D35 8964240C mov dword ptr [esp+0C], esp
:00401D39 52 push edx
:00401D3A C784246002000001000000 mov dword ptr [esp+00000260], 00000001
:00401D45 C786D000000001000000 mov dword ptr [esi+000000D0], 00000001
* Reference To: MFC42u.Ordinal:0217, Ord:0217h
|
:00401D4F E8828C0000 Call 0040A9D6
:00401D54 E8C7370000 call 00405520
:00401D59 83C404 add esp, 00000004
:00401D5C 85C0 test eax, eax
:00401D5E 0F8586000000 jne 00401DEA
:00401D64 8BCE mov ecx, esi
:00401D66 8986D0000000 mov dword ptr [esi+000000D0], eax
:00401D6C E85F020000 call 00401FD0
:00401D71 8BD0 mov edx, eax
:00401D73 B931000000 mov ecx, 00000031
:00401D78 33C0 xor eax, eax
:00401D7A 8DBC248A010000 lea edi, dword ptr [esp+0000018A]
:00401D81 66C78424880100000000 mov word ptr [esp+00000188], 0000
:00401D8B 52 push edx
:00401D8C F3 repz
:00401D8D AB stosd
:00401D8E 66AB stosw
:00401D90 8D84248C010000 lea eax, dword ptr [esp+0000018C]
* Possible StringData Ref from Data Obj ->"%ld"
|
:00401D97 68E4024100 push 004102E4
:00401D9C 50 push eax
:00401D9D 8996C8000000 mov dword ptr [esi+000000C8], edx
* Reference To: USER32.wsprintfW, Ord:02ADh
|
:00401DA3 FF15BCC34000 Call dword ptr [0040C3BC]
:00401DA9 83C40C add esp, 0000000C
:00401DAC 8DBECC000000 lea edi, dword ptr [esi+000000CC]
:00401DB2 8BCF mov ecx, edi
* Possible StringData Ref from Data Obj ->"This is a 14-day evaluation version, "
|
:00401DB4 6898024100 push 00410298
* Reference To: MFC42u.Ordinal:035D, Ord:035Dh
|
:00401DB9 E8E88B0000 Call 0040A9A6
:00401DBE 8D8C2488010000 lea ecx, dword ptr [esp+00000188]
:00401DC5 51 push ecx
:00401DC6 8BCF mov ecx, edi
Obviously the following jump is highly suspicious:
:00401D5E 0F8586000000 jne 00401DEA
It is again test eax, eax on the return value of call 00405520, this time with the code that was loaded under "Settings" (presumably the stored registration code) as the argument. Note that [esi+000000D0] is set to 1 before the call; on the fall-through path (eax = 0) it is overwritten with eax, i.e. cleared, and the code goes on to format the "This is a 14-day evaluation version" text with wsprintfW, so this field is the registered flag.
Putting the whole analysis together, it is not hard to see:
:0040199C 742A je 004019C8
is the jump that, after the entered registration code fails verification, pops up the message telling the user that verification failed, and
:00401D5E 0F8586000000 jne 00401DEA
is the jump taken at startup after the stored registration code has been verified.
Verifying this with dynamic debugging, it is not hard to find that this is indeed the case; one can only worry about the author's fragile protection, heh.
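As an added illustration, and not code from the original post or from the software being analyzed, the Python below replays the static reasoning above over the opcode bytes transcribed from the two W32Dasm fragments on this page. It locates the push imm32 instructions that reference the message strings (the string-location trick used to find the fragment), decodes the relative call and jump encodings to confirm the targets W32Dasm printed, finds the conditional jump that lands on the failure-message block, lists both call sites of 00405520, and shows that the decisive jumps differ from their negations by a single opcode bit, which is what makes this protection fragile. The addresses, bytes and string VAs are the ones on this page; the helper names and the transcribed LISTING table are my own.

```python
"""Static checks over the W32Dasm listing quoted above (added example).

LISTING is transcribed from the fragments on this page: (address, opcode
bytes as W32Dasm printed them).  Only the opcodes the analysis hinges on are
decoded: E8 call rel32, 7x / 0F 8x Jcc, EB jmp rel8 and 68 push imm32.
"""
import struct

# Constructed from the first fragment (0x401977..0x4019E0) plus the key
# instructions of the second fragment around 0x401D5E.
LISTING = [
    (0x401977, "E884900000"), (0x40197C, "8B06"), (0x40197E, "8B48F8"),
    (0x401981, "85C9"), (0x401983, "7437"), (0x401985, "51"),
    (0x401986, "8BCC"), (0x401988, "89642410"), (0x40198C, "56"),
    (0x40198D, "E844900000"), (0x401992, "E8893B0000"), (0x401997, "83C404"),
    (0x40199A, "85C0"), (0x40199C, "742A"), (0x40199E, "6A00"),
    (0x4019A0, "684C024100"), (0x4019A5, "68D0014100"), (0x4019AA, "6A00"),
    (0x4019AC, "C7051811410001000000"), (0x4019B6, "FF15B4C34000"),
    (0x4019BC, "8BCB"), (0x4019BE, "E837900000"), (0x4019C3, "5F"),
    (0x4019C4, "5E"), (0x4019C5, "5B"), (0x4019C6, "59"), (0x4019C7, "C3"),
    (0x4019C8, "6A00"), (0x4019CA, "684C024100"), (0x4019CF, "687C014100"),
    (0x4019D4, "6A00"), (0x4019D6, "FF15B4C34000"), (0x4019DC, "5F"),
    (0x4019DD, "5E"), (0x4019DE, "5B"), (0x4019DF, "59"), (0x4019E0, "C3"),
    (0x401D54, "E8C7370000"), (0x401D59, "83C404"), (0x401D5C, "85C0"),
    (0x401D5E, "0F8586000000"),
]

STR_FAILED = 0x41017C   # "Sorry, register failed, please try again."
STR_SUCCESS = 0x4101D0  # "Thank you for using XX Finder, register successfully!"


def is_jcc(b):
    """True for a short (7x) or near (0F 8x) conditional jump."""
    return (0x70 <= b[0] <= 0x7F) or (b[0] == 0x0F and 0x80 <= b[1] <= 0x8F)


def rel_target(addr, code):
    """Destination of a relative call/jump, or None if `code` is not one.
    x86 relative targets count from the END of the instruction:
    target = addr + len(insn) + signed displacement."""
    b = bytes.fromhex(code)
    if b[0] == 0xE8 and len(b) == 5:                            # call rel32
        return addr + 5 + struct.unpack("<i", b[1:5])[0]
    if (b[0] == 0xEB or 0x70 <= b[0] <= 0x7F) and len(b) == 2:   # jmp/Jcc rel8
        return addr + 2 + struct.unpack("<b", b[1:2])[0]
    if b[0] == 0x0F and 0x80 <= b[1] <= 0x8F and len(b) == 6:    # Jcc rel32
        return addr + 6 + struct.unpack("<i", b[2:6])[0]
    return None


def string_refs(listing, string_va):
    """W32Dasm's 'string data ref': every push imm32 whose immediate is the
    string's address.  Returns the addresses of those pushes."""
    want = struct.pack("<I", string_va)
    return [addr for addr, code in listing
            if code.startswith("68") and bytes.fromhex(code)[1:5] == want]


def block_start(listing, addr):
    """Walk back from `addr` to the instruction after the previous ret (C3):
    a jump must land in [block_start, addr] for `addr` to run."""
    idx = next(i for i, (a, _) in enumerate(listing) if a == addr)
    start = addr
    for a, code in reversed(listing[:idx]):
        if code == "C3":
            break
        start = a
    return start


def branches_into(listing, lo, hi):
    """Conditional jumps whose target lies in [lo, hi], as (addr, bytes, target)."""
    return [(addr, code, rel_target(addr, code)) for addr, code in listing
            if is_jcc(bytes.fromhex(code)) and lo <= rel_target(addr, code) <= hi]


def callers_of(listing, target):
    """Call sites of a near-relative call to `target` (the global search)."""
    return [addr for addr, code in listing
            if code.startswith("E8") and rel_target(addr, code) == target]


def invert_jcc(code):
    """Negate a Jcc: bit 0 of the condition code toggles a test and its
    negation (je 74 <-> jne 75, 0F 84 <-> 0F 85).  One bit decides."""
    b = bytearray.fromhex(code)
    if not is_jcc(b):
        raise ValueError("not a conditional jump: " + code)
    b[1 if b[0] == 0x0F else 0] ^= 1
    return b.hex().upper()


if __name__ == "__main__":
    push = string_refs(LISTING, STR_FAILED)[0]          # 0x4019CF
    for addr, code, tgt in branches_into(LISTING, block_start(LISTING, push), push):
        print(f"{addr:08X} {code} -> {tgt:08X}; negated: {invert_jcc(code)}")
    print("callers of 00405520:", [f"{a:08X}" for a in callers_of(LISTING, 0x405520)])
```

Running it reproduces the post's findings without a debugger: the only conditional jump that reaches the "register failed" block is the je at 0040199C, and 00405520 is called from exactly the two sites discussed (00401992 for the entered code, 00401D54 for the stored one), so two bytes in the whole binary decide whether the user is registered.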