对某安全检测软件的分析

net2

至于软件名称么,不便透露,只是做的安全测试,程序是通过外部的key验证的。保护为upx修改壳。默认验证界面如下:

net1

net3

所谓的key验证也就是那么几行代码:

0050A409    /7F 2B                     JG SHORT dumped_.0050A436                       ; 跳到验证比较
0050A40B    |0F84 04010000             JE dumped_.0050A515
0050A411    |83E9 99                   SUB ECX,-67
0050A414    |0F84 0C020000             JE dumped_.0050A626
0050A41A    |49                        DEC ECX
0050A41B    |0F84 C1010000             JE dumped_.0050A5E2
0050A421    |49                        DEC ECX
0050A422    |0F84 73010000             JE dumped_.0050A59B
0050A428    |83E9 60                   SUB ECX,60
0050A42B    |0F84 2B010000             JE dumped_.0050A55C                             ; 验证码错误
0050A431    |E9 32020000               JMP dumped_.0050A668
0050A436    \83E9 FD                   SUB ECX,-3
0050A439     0F84 97000000             JE dumped_.0050A4D6                             ; 验证码错误,请重新导入
0050A43F     49                        DEC ECX
0050A440     74 55                     JE SHORT dumped_.0050A497                       ; 该验证已经被其他机器占用,请重新导入授权文件
0050A442     49                        DEC ECX
0050A443     74 13                     JE SHORT dumped_.0050A458                       ; 跳转后未通过验证,上面跳转均跳向错误
0050A445     49                        DEC ECX
0050A446     0F85 1C020000             JNZ dumped_.0050A668                            ; 跳转后直接退出
0050A44C     C685 6BFFFFFF 01          MOV BYTE PTR SS:[EBP-95],1
0050A453     E9 10020000               JMP dumped_.0050A668
0050A458     66:C785 7CFFFFFF 7400     MOV WORD PTR SS:[EBP-84],74
0050A461     BA 7243A600               MOV EDX,dumped_.00A64372
0050A466     8D45 AC                   LEA EAX,DWORD PTR SS:[EBP-54]
0050A469     E8 BE974100               CALL dumped_.00923C2C
0050A46E     FF45 88                   INC DWORD PTR SS:[EBP-78]
0050A471     8B10                      MOV EDX,DWORD PTR DS:[EAX]
0050A473     B8 01000000               MOV EAX,1
0050A478     E8 4F38F4FF               CALL dumped_.0044DCCC

原创文章,转载请注明: 转载自 obaby@mars

本文标题: 《对某安全检测软件的分析》

本文链接地址: http://h4ck.org.cn/2009/12/netanylist/

You may also like

发表评论

电子邮件地址不会被公开。 必填项已用*标注