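Run analysis
- The Username and Serial need to be cracked
PE analysis
- Delphi program, 32-bit, not packed
Static analysis & dynamic debugging
- Search for the key string in IDA and double-click to jump into the function
- Debug the function dynamically. It is fairly long and contains 5 loops in total; analyze it one loop at a time, annotated as above
- Loop 1: adds 1 to each character of str1 and stores the result in str2; in effect this is just a strcpy
- Loop 2: adds 1 to each character of str1 and stores the result in str3, same as above
- Loop 3: copies Username into the positions after str3[54]
- Loop 4: takes each element of str3, branches on it, and changes the value of Username; this loop is the key calculation step and also the hardest part, so follow it step by step to write out the algorithm
- Loop 5: takes each character of the modified Username and accumulates them to get a3
- Inspect the global variable: str1 = str_______________________ = ";;;;;;;;;;;;;,=,====*===**==**===* "
- The value of a3 before the calculation is 0x19F50C
Algorithm analysis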
```python
Username = 'conceal'
Username_list = [ord(i) for i in Username]

# Build str3: every character of str1 plus 1, a 0 separator, then the Username
str1 = ';;;;;;;;;;;;;**====,,=,,========*=**=*=**=*=**=*=*=* '
str2 = []
for i in str1:
    str2.append(ord(i) + 1)
str3 = str2
str3.append(0)
str3.extend(Username_list)
str3.extend([0] * (1000 - len(str3)))

# Loop 4: compute the Username part of str3
v17 = 0                     # set to 1 to stop the loop
v16 = 1                     # 1-based index of the byte being examined
str1_length_plus_2 = 0x37   # 1-based index of the byte being modified
while v17 != 1:
    v18 = str3[v16 - 1]
    if v18 > 0x3C:
        v21 = v18 - 0x3E
        if v21:
            v22 = v21 - 0x1D
            if v22:
                if v22 == 2 and str3[str1_length_plus_2 - 1]:
                    # 0x5D with a non-zero current byte: scan back to 0x5B (91)
                    v16 -= 1
                    while str3[v16 - 1] != 91:
                        v16 -= 1
            elif str3[str1_length_plus_2 - 1] == 0:
                # 0x5B with a zero current byte: scan forward to 0x5D (93)
                v16 += 1
                while str3[v16 - 1] != 93:
                    v16 += 1
        else:
            # 0x3E: move to the next byte
            str1_length_plus_2 += 1
    elif v18 == 0x3C:
        # 0x3C: move to the previous byte
        str1_length_plus_2 -= 1
    else:
        v19 = v18 - 0x21
        if v19:
            v20 = v19 - 10
            if v20:
                if v20 == 2:
                    # 0x2D: decrement the current byte
                    str3[str1_length_plus_2 - 1] -= 1
            else:
                # 0x2B: increment the current byte
                str3[str1_length_plus_2 - 1] += 1
        else:
            # 0x21: stop
            v17 = 1
    v16 += 1
Username_calc = str3[0x36:0x36 + len(Username)]

# Loop 5: compute the Serial
Serial = 0x19F50C
for i in Username_calc:
    Serial += i
# Prints the Username, the text "的Serial为:" ("'s Serial is:") and the value
print(Username + '的Serial为:\n' + str(Serial))
```
- Verification succeeded
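
The constants tested in loop 4 are character codes: 0x3C `<`, 0x3E `>`, 0x2B `+`, 0x2D `-`, 0x5B `[`, 0x5D `]` and 0x21 `!`, so the loop can be read as a Brainfuck-style interpreter whose tape also holds the decoded str1. The following is an added example, not code from the original write-up (function and constant names are its own; the str1 value and 0x19F50C are taken from the script above), which rewrites loops 1 to 5 in that form and makes it visible that the decoded str1 rewrites some of its own instructions before they run.

```python
# Added example (not from the write-up): loop 4 as a small interpreter.
# Function names are this example's own; ENCODED and BASE come from the page.
ENCODED = ';;;;;;;;;;;;;**====,,=,,========*=**=*=**=*=**=*=*=* '
BASE = 0x19F50C  # a3 before loop 5
RIGHT, LEFT, INC, DEC, OPEN, CLOSE, STOP = map(ord, '><+-[]!')


def run(encoded, username, tape_len=1000):
    """Decode `encoded` (+1 per byte), append 0 and the username, execute.

    Program and data share one tape, so INC/DEC can rewrite instructions
    that have not run yet. Returns the transformed username bytes.
    """
    tape = [ord(c) + 1 for c in encoded] + [0] + [ord(c) for c in username]
    tape += [0] * (tape_len - len(tape))
    start = len(encoded) + 1      # first username byte (0x36 for str1)
    pc, ptr = 0, start
    while tape[pc] != STOP:
        op = tape[pc]
        if op == RIGHT:
            ptr += 1
        elif op == LEFT:
            ptr -= 1
        elif op == INC:
            tape[ptr] += 1
        elif op == DEC:
            tape[ptr] -= 1
        elif op == OPEN and tape[ptr] == 0:
            while tape[pc] != CLOSE:   # as in the original: no nesting
                pc += 1
        elif op == CLOSE and tape[ptr] != 0:
            while tape[pc] != OPEN:
                pc -= 1
        pc += 1                        # every other byte is a no-op
    return tape[start:start + len(username)]


def serial(username, encoded=ENCODED, base=BASE):
    """Loop 5: add the transformed username bytes to the initial a3."""
    return base + sum(run(encoded, username))


if __name__ == '__main__':
    name = 'conceal'
    deltas = [n - ord(c) for n, c in zip(run(ENCODED, name), name)]
    print(name, deltas, serial(name))
```

With this str1 the first six Username characters are shifted by 1, 2, 1, 4, 2 and 1, so for a Username of six or more characters the script's Serial is 0x19F50C plus the sum of the character codes plus 11.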