对某安全检测软件的分析

至于软件名称么，不便透露，只是做的安全测试，程序是通过外部的key验证的。保护为upx修改壳。默认验证界面如下：

所谓的key验证也就是那么几行代码：

0050A409    /7F 2B                     JG SHORT dumped_.0050A436                       ; 跳到验证比较
0050A40B    |0F84 04010000             JE dumped_.0050A515
0050A411    |83E9 99                   SUB ECX,-67
0050A414    |0F84 0C020000             JE dumped_.0050A626
0050A41A    |49                        DEC ECX
0050A41B    |0F84 C1010000             JE dumped_.0050A5E2
0050A421    |49                        DEC ECX
0050A422    |0F84 73010000             JE dumped_.0050A59B
0050A428    |83E9 60                   SUB ECX,60
0050A42B    |0F84 2B010000             JE dumped_.0050A55C                             ; 验证码错误
0050A431    |E9 32020000               JMP dumped_.0050A668
0050A436    \83E9 FD                   SUB ECX,-3
0050A439     0F84 97000000             JE dumped_.0050A4D6                             ; 验证码错误，请重新导入
0050A43F     49                        DEC ECX
0050A440     74 55                     JE SHORT dumped_.0050A497                       ; 该验证已经被其他机器占用，请重新导入授权文件
0050A442     49                        DEC ECX
0050A443     74 13                     JE SHORT dumped_.0050A458                       ; 跳转后未通过验证，上面跳转均跳向错误
0050A445     49                        DEC ECX
0050A446     0F85 1C020000             JNZ dumped_.0050A668                            ; 跳转后直接退出
0050A44C     C685 6BFFFFFF 01          MOV BYTE PTR SS:[EBP-95],1
0050A453     E9 10020000               JMP dumped_.0050A668
0050A458     66:C785 7CFFFFFF 7400     MOV WORD PTR SS:[EBP-84],74
0050A461     BA 7243A600               MOV EDX,dumped_.00A64372
0050A466     8D45 AC                   LEA EAX,DWORD PTR SS:[EBP-54]
0050A469     E8 BE974100               CALL dumped_.00923C2C
0050A46E     FF45 88                   INC DWORD PTR SS:[EBP-78]
0050A471     8B10                      MOV EDX,DWORD PTR DS:[EAX]
0050A473     B8 01000000               MOV EAX,1
0050A478     E8 4F38F4FF               CALL dumped_.0044DCCC

0050A409 /7F 2B JG SHORT dumped_.0050A436 ; 跳到验证比较 0050A40B |0F84 04010000 JE dumped_.0050A515 0050A411 |83E9 99 SUB ECX,-67 0050A414 |0F84 0C020000 JE dumped_.0050A626 0050A41A |49 DEC ECX 0050A41B |0F84 C1010000 JE dumped_.0050A5E2 0050A421 |49 DEC ECX 0050A422 |0F84 73010000 JE dumped_.0050A59B 0050A428 |83E9 60 SUB ECX,60 0050A42B |0F84 2B010000 JE dumped_.0050A55C ; 验证码错误 0050A431 |E9 32020000 JMP dumped_.0050A668 0050A436 \83E9 FD SUB ECX,-3 0050A439 0F84 97000000 JE dumped_.0050A4D6 ; 验证码错误，请重新导入 0050A43F 49 DEC ECX 0050A440 74 55 JE SHORT dumped_.0050A497 ; 该验证已经被其他机器占用，请重新导入授权文件 0050A442 49 DEC ECX 0050A443 74 13 JE SHORT dumped_.0050A458 ; 跳转后未通过验证，上面跳转均跳向错误 0050A445 49 DEC ECX 0050A446 0F85 1C020000 JNZ dumped_.0050A668 ; 跳转后直接退出 0050A44C C685 6BFFFFFF 01 MOV BYTE PTR SS:[EBP-95],1 0050A453 E9 10020000 JMP dumped_.0050A668 0050A458 66:C785 7CFFFFFF 7400 MOV WORD PTR SS:[EBP-84],74 0050A461 BA 7243A600 MOV EDX,dumped_.00A64372 0050A466 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54] 0050A469 E8 BE974100 CALL dumped_.00923C2C 0050A46E FF45 88 INC DWORD PTR SS:[EBP-78] 0050A471 8B10 MOV EDX,DWORD PTR DS:[EAX] 0050A473 B8 01000000 MOV EAX,1 0050A478 E8 4F38F4FF CALL dumped_.0044DCCC

原创文章，转载请注明： 转载自 obaby@mars

本文标题: 《对某安全检测软件的分析》

本文链接地址: http://h4ck.org.cn/2009/12/netanylist/