运行分析
- 输入Name和Serial,点击Registrieren按钮,显示疑似错误提示
- 百度翻译查看一下,发现是德语
PE分析
- Delphi程序,32位,无壳
静态分析&动态调试
- ida字符串发现正确提示,双击跟进
- 来到关键函数,进行动态调试,发现要想跳转至成功提示,需要使136行cmp(v21,Names)相等,分析计算过程如下:
- 1、提取Name前6位进行计算,得到低位v5
- 2、将Name长度乘19070的结果为v20
- 3、v5十六进制转十进制,得到v17
- 3、拼接字符串,v21 = v20 + dword_421DD8 + v17
- 4、dword_421DD8 的值为’-’
算法分析
Name = 'concealbear'
Serial = ''
dword_421DD8 = '-'
v5 = 93
for i in range(0,5):
if Name[i] == 'a':
v7 = 24
elif Name[i] == 'b':
v7 = 37
elif Name[i] == 'c':
v7 = 66
elif Name[i] == 'd':
v7 = 12
elif Name[i] == 'e':
v7 = 13
elif Name[i] == 'f':
v7 = 6
elif Name[i] == 'g':
v7 = 54
elif Name[i] == 'h':
v7 = 43
elif Name[i] == 'i':
v7 = 23
elif Name[i] == 'j':
v7 = 47
elif Name[i] == 'k':
v7 = 19
elif Name[i] == 'l':
v7 = -126
elif Name[i] == 'm':
v7 = -101
elif Name[i] == 'n':
v7 = -110
elif Name[i] == 'o':
v7 = 3
elif Name[i] == 'p':
v7 = 99
elif Name[i] == 'q':
v7 = 33
elif Name[i] == 'r':
v7 = 66
elif Name[i] == 's':
v7 = 92
elif Name[i] == 't':
v7 = 41
elif Name[i] == 'u':
v7 = -57
elif Name[i] == 'v':
v7 = 102
elif Name[i] == 'w':
v7 = 88
elif Name[i] == 'x':
v7 = 10
elif Name[i] == 'y':
v7 = 40
elif Name[i] == 'z':
v7 = 80
else:
v7 = 93
v5 = (v5 + v7) & 0xff
v20 = len(Name) * 19070
v17 = v5
Serial = str(v17) + dword_421DD8 + str(v20)
print(Name + '的Serial为:\n' + Serial)
- 验证成功
