
飘云阁 (PYG Official Forum)


[Share] Atlantis Word Processor 3.1.0

    Posted on 2017-10-12 16:05:53
    This post was last edited by 九层楼 on 2017-10-12 16:04

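    Atlantis Word Processor is the practice software used in the PYG54 course, and it was recently updated to 3.1.0. Since the teacher already analyzed it in detail in the course, I am trying the new version.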

    Load it in x64dbg, attempt to register, search the strings, and you can see the following code, among others.

    004995E0 | 55                       | push ebp                                |
    004995E1 | 8B EC                    | mov ebp,esp                             |
    004995E3 | 83 C4 F0                 | add esp,FFFFFFF0                        |
    004995E6 | 53                       | push ebx                                |
    004995E7 | 56                       | push esi                                |
    004995E8 | 33 C9                    | xor ecx,ecx                             |
    004995EA | 89 4D F4                 | mov dword ptr ss:[ebp-C],ecx            | 0
    004995ED | 89 4D F0                 | mov dword ptr ss:[ebp-10],ecx           | 0
    004995F0 | 89 55 F8                 | mov dword ptr ss:[ebp-8],edx            | code
    004995F3 | 89 45 FC                 | mov dword ptr ss:[ebp-4],eax            | name
    004995F6 | 8D 45 FC                 | lea eax,dword ptr ss:[ebp-4]            |
    004995F9 | E8 9E A8 F6 FF           | call <awp.str copy ?>                   |
    004995FE | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    00499601 | E8 F2 A0 F6 FF           | call awp.4036F8                         | ??
    00499606 | 33 C0                    | xor eax,eax                             |
    00499608 | 55                       | push ebp                                |
    00499609 | 68 B9 96 49 00           | push awp.4996B9                         |
    0049960E | 64 FF 30                 | push dword ptr fs:[eax]                 |
    00499611 | 64 89 20                 | mov dword ptr fs:[eax],esp              |
    00499614 | 33 DB                    | xor ebx,ebx                             |
    00499616 | 8D 45 F4                 | lea eax,dword ptr ss:[ebp-C]            | 
    00499619 | 50                       | push eax                                |
    0049961A | 8D 55 F0                 | lea edx,dword ptr ss:[ebp-10]           | 
    0049961D | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    00499620 | E8 13 1D F7 FF           | call <awp.UpperCase>                    |
    00499625 | 8B 45 F0                 | mov eax,dword ptr ss:[ebp-10]           | 
    00499628 | B1 30                    | mov cl,30                               | 30:'0'
    0049962A | B2 4F                    | mov dl,4F                               | 4F:'O'
    0049962C | E8 F7 3C 17 00           | call <awp.replace O with 0>             |
    00499631 | 8B 55 F4                 | mov edx,dword ptr ss:[ebp-C]            | 
    00499634 | 8D 45 F8                 | lea eax,dword ptr ss:[ebp-8]            | 
    00499637 | E8 14 9D F6 FF           | call <awp.str copy>                     |
    0049963C | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    0049963F | E8 00 9F F6 FF           | call <awp.str length>                   |
    00499644 | 8B F0                    | mov esi,eax                             |
    00499646 | 83 FE 01                 | cmp esi,1                               |
    00499649 | 7C 32                    | jl awp.49967D                           |
    0049964B | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    0049964E | 8A 44 30 FF              | mov al,byte ptr ds:[eax+esi-1]          | take characters one by one, from the end backward
    00499652 | 8B D0                    | mov edx,eax                             | 
    00499654 | 80 EA 20                 | sub dl,20                               |
    00499657 | 74 05                    | je awp.49965E                           |
    00499659 | 80 EA 0D                 | sub dl,D                                |
    0049965C | 75 11                    | jne awp.49966F                          |
    0049965E | 8D 45 F8                 | lea eax,dword ptr ss:[ebp-8]            | 
    00499661 | B9 01 00 00 00           | mov ecx,1                               |
    00499666 | 8B D6                    | mov edx,esi                             | 
    00499668 | E8 1B A1 F6 FF           | call awp.403788                         |
    0049966D | EB 09                    | jmp awp.499678                          |
    0049966F | 8B 55 F8                 | mov edx,dword ptr ss:[ebp-8]            | edx = [ebp-8] = registration code data
    00499672 | 04 D0                    | add al,D0                               | char + 0xD0 (will overflow)
    00499674 | 2C 0A                    | sub al,A                                | char - 0xA
    00499676 | 73 1E                    | jae awp.499696                          | char + 0xD0 must be less than 0x10A, i.e. char must be less than 0x3A (so it apparently has to be a digit)
    00499678 | 4E                       | dec esi                                 |
    00499679 | 85 F6                    | test esi,esi                            |
    0049967B | 75 CE                    | jne awp.49964B                          | loops 16 times
    0049967D | 8D 55 F4                 | lea edx,dword ptr ss:[ebp-C]            | 
    00499680 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]            |
    00499683 | E8 10 FE FF FF           | call awp.499498                         | expand and transform the registration code data ??
    00499688 | 8B 55 F4                 | mov edx,dword ptr ss:[ebp-C]            | 
    0049968B | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    0049968E | E8 C1 9F F6 FF           | call <awp.str compare>                  |
    00499693 | 0F 94 C3                 | sete bl                                 |
    00499696 | 33 C0                    | xor eax,eax                             |
    00499698 | 5A                       | pop edx                                 | 
    00499699 | 59                       | pop ecx                                 |
    0049969A | 59                       | pop ecx                                 |
    0049969B | 64 89 10                 | mov dword ptr fs:[eax],edx              | 
    0049969E | 68 C0 96 49 00           | push awp.4996C0                         |
    004996A3 | 8D 45 F0                 | lea eax,dword ptr ss:[ebp-10]           | 
    004996A6 | BA 03 00 00 00           | mov edx,3                               | 
    004996AB | E8 2C 9C F6 FF           | call awp.4032DC                         |
    004996B0 | 8D 45 FC                 | lea eax,dword ptr ss:[ebp-4]            |
    004996B3 | E8 38 A2 F6 FF           | call awp.4038F0                         |
    004996B8 | C3                       | ret                                     |
    


    00499498 | 55                       | push ebp                                |
    00499499 | 8B EC                    | mov ebp,esp                             |
    0049949B | 83 C4 84                 | add esp,FFFFFF84                        |
    0049949E | 53                       | push ebx                                |
    0049949F | 56                       | push esi                                |
    004994A0 | 57                       | push edi                                |
    004994A1 | 33 C9                    | xor ecx,ecx                             |
    004994A3 | 89 4D 84                 | mov dword ptr ss:[ebp-7C],ecx           | 0
    004994A6 | 89 55 F8                 | mov dword ptr ss:[ebp-8],edx            | 
    004994A9 | 89 45 FC                 | mov dword ptr ss:[ebp-4],eax            | [ebp-4] = eax = name 
    004994AC | 8D 45 FC                 | lea eax,dword ptr ss:[ebp-4]            |
    004994AF | E8 E8 A9 F6 FF           | call <awp.str copy ?>                   | made a copy ?
    004994B4 | 33 C0                    | xor eax,eax                             |
    004994B6 | 55                       | push ebp                                |
    004994B7 | 68 D2 95 49 00           | push awp.4995D2                         |
    004994BC | 64 FF 30                 | push dword ptr fs:[eax]                 |
    004994BF | 64 89 20                 | mov dword ptr fs:[eax],esp              |
    004994C2 | 8D 55 84                 | lea edx,dword ptr ss:[ebp-7C]           | 0
    004994C5 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]            |
    004994C8 | E8 73 27 F7 FF           | call <awp.str copy, not str length>     | eax = the length value seems to be unused ?
    004994CD | 8B 55 84                 | mov edx,dword ptr ss:[ebp-7C]           |
    004994D0 | 8D 45 FC                 | lea eax,dword ptr ss:[ebp-4]            |
    004994D3 | E8 54 A4 F6 FF           | call <awp.Unique String ?>              |
    004994D8 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]            |
    004994DB | E8 FC A5 F6 FF           | call <awp.str length>                   |
    004994E0 | 48                       | dec eax                                 | length-1, for the test
    004994E1 | 89 45 F0                 | mov dword ptr ss:[ebp-10],eax           | 
    004994E4 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]            |
    004994E7 | E8 E0 A5 F6 FF           | call <awp.is str empty ?>               |
    004994EC | 89 45 F4                 | mov dword ptr ss:[ebp-C],eax            | 
    004994EF | 33 C0                    | xor eax,eax                             |
    004994F1 | 89 45 EC                 | mov dword ptr ss:[ebp-14],eax           | var_0x14 = 0, running sum
    004994F4 | 8B 75 F0                 | mov esi,dword ptr ss:[ebp-10]           | length-1
    004994F7 | 85 F6                    | test esi,esi                            |
    004994F9 | 7C 1E                    | jl awp.499519                           |
    004994FB | 46                       | inc esi                                 | length+1, restore the length value
    004994FC | 33 DB                    | xor ebx,ebx                             |
    004994FE | 8B 45 F4                 | mov eax,dword ptr ss:[ebp-C]            | 
    00499501 | 0F B7 0C 58              | movzx ecx,word ptr ds:[eax+ebx*2]       |
    00499505 | 83 F9 20                 | cmp ecx,20                              | 20:' '
    00499508 | 7E 0B                    | jle awp.499515                          |
    0049950A | 81 F9 80 00 00 00        | cmp ecx,80                              |
    00499510 | 7D 03                    | jge awp.499515                          |
    00499512 | 01 4D EC                 | add dword ptr ss:[ebp-14],ecx           | accumulate
    00499515 | 43                       | inc ebx                                 |
    00499516 | 4E                       | dec esi                                 |
    00499517 | 75 E5                    | jne awp.4994FE                          |
    00499519 | 8B 45 EC                 | mov eax,dword ptr ss:[ebp-14]           | sum of the "unicode values" of all the unicode characters
    0049951C | B9 32 00 00 00           | mov ecx,32                              | divide by 0x32
    00499521 | 99                       | cdq                                     |
    00499522 | F7 F9                    | idiv ecx                                | eax = quotient, edx = remainder
    00499524 | 8D 04 92                 | lea eax,dword ptr ds:[edx+edx*4]        |
    00499527 | 8D 04 80                 | lea eax,dword ptr ds:[eax+eax*4]        |
    0049952A | 89 45 EC                 | mov dword ptr ss:[ebp-14],eax           | remainder * 5 * 5
    0049952D | 33 DB                    | xor ebx,ebx                             | i = 0
    0049952F | 8D 45 88                 | lea eax,dword ptr ss:[ebp-78]           |
    00499532 | 8B 55 EC                 | mov edx,dword ptr ss:[ebp-14]           |
    00499535 | 03 D3                    | add edx,ebx                             | 
    00499537 | 8B 14 95 98 7C 64 00     | mov edx,dword ptr ds:[edx*4+647C98]     | table lookup with remainder*5*5+i, so the element with the largest index is at (0x31 * 5 * 5 + 0x18) * 4 + 0x647C98
    0049953E | 89 10                    | mov dword ptr ds:[eax],edx              | stored in the DWORD array starting at var_0x78
    00499540 | 43                       | inc ebx                                 | i++
    00499541 | 83 C0 04                 | add eax,4                               | next DWORD array element
    00499544 | 83 FB 19                 | cmp ebx,19                              | [0,0x19)
    00499547 | 75 E9                    | jne awp.499532                          |
    00499549 | 33 FF                    | xor edi,edi                             | edi = 0
    0049954B | 8B 75 F0                 | mov esi,dword ptr ss:[ebp-10]           | length-1
    0049954E | 85 F6                    | test esi,esi                            |
    00499550 | 7C 2C                    | jl awp.49957E                           |
    00499552 | 46                       | inc esi                                 | restore the length
    00499553 | 33 DB                    | xor ebx,ebx                             | ebx = 0
    00499555 | 8B 45 F4                 | mov eax,dword ptr ss:[ebp-C]            | 
    00499558 | 0F B7 0C 58              | movzx ecx,word ptr ds:[eax+ebx*2]       | ecx = each unicode character value in turn
    0049955C | 83 F9 20                 | cmp ecx,20                              | 20:' '
    0049955F | 7E 19                    | jle awp.49957A                          |
    00499561 | 81 F9 80 00 00 00        | cmp ecx,80                              |
    00499567 | 7D 11                    | jge awp.49957A                          |
    00499569 | 8B C7                    | mov eax,edi                             | eax = edi = 0
    0049956B | 51                       | push ecx                                |
    0049956C | B9 19 00 00 00           | mov ecx,19                              |
    00499571 | 99                       | cdq                                     |
    00499572 | F7 F9                    | idiv ecx                                |
    00499574 | 59                       | pop ecx                                 |
    00499575 | 01 4C 95 88              | add dword ptr ss:[ebp+edx*4-78],ecx     | added one by one onto the elements of the DWORD array starting at var_0x78
    00499579 | 47                       | inc edi                                 |
    0049957A | 43                       | inc ebx                                 |
    0049957B | 4E                       | dec esi                                 |
    0049957C | 75 D7                    | jne awp.499555                          |
    0049957E | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | 
    00499581 | BA 19 00 00 00           | mov edx,19                              | 
    00499586 | E8 E9 A2 F6 FF           | call awp.403874                         | made a copy of the registration code, copying only 0x19 characters ?
    0049958B | 33 DB                    | xor ebx,ebx                             |
    0049958D | 8D 75 88                 | lea esi,dword ptr ss:[ebp-78]           | about to start examining the var_0x78 array
    00499590 | 8B 45 F8                 | mov eax,dword ptr ss:[ebp-8]            | [eax] = [[ebp-8]] = registration code data
    00499593 | E8 7C A1 F6 FF           | call awp.403714                         | free the string ?
    00499598 | 03 C3                    | add eax,ebx                             |
    0049959A | 50                       | push eax                                |
    0049959B | 8B 06                    | mov eax,dword ptr ds:[esi]              | var_0x78 array element divided by
    0049959D | B9 0A 00 00 00           | mov ecx,A                               | 0xA
    004995A2 | 99                       | cdq                                     |
    004995A3 | F7 F9                    | idiv ecx                                |
    004995A5 | 80 C2 30                 | add dl,30                               | remainder + 0x30
    004995A8 | 58                       | pop eax                                 |
    004995A9 | 88 10                    | mov byte ptr ds:[eax],dl                | stored back into the registration code data; it seems only the space is needed here, not the registration code data itself ?
    004995AB | 43                       | inc ebx                                 |
    004995AC | 83 C6 04                 | add esi,4                               |
    004995AF | 83 FB 19                 | cmp ebx,19                              |
    004995B2 | 75 DC                    | jne awp.499590                          |
    004995B4 | 33 C0                    | xor eax,eax                             |
    004995B6 | 5A                       | pop edx                                 | 
    004995B7 | 59                       | pop ecx                                 |
    004995B8 | 59                       | pop ecx                                 |
    004995B9 | 64 89 10                 | mov dword ptr fs:[eax],edx              | 
    004995BC | 68 D9 95 49 00           | push awp.4995D9                         |
    004995C1 | 8D 45 84                 | lea eax,dword ptr ss:[ebp-7C]           |
    004995C4 | E8 27 A3 F6 FF           | call awp.4038F0                         |
    004995C9 | 8D 45 FC                 | lea eax,dword ptr ss:[ebp-4]            |
    004995CC | E8 1F A3 F6 FF           | call awp.4038F0                         |
    004995D1 | C3                       | ret                                     |
    004995D2 | E9 55 98 F6 FF           | jmp awp.402E2C                          |
    004995D7 | EB E8                    | jmp awp.4995C1                          |
    004995D9 | 5F                       | pop edi                                 |
    004995DA | 5E                       | pop esi                                 |
    004995DB | 5B                       | pop ebx                                 |
    004995DC | 8B E5                    | mov esp,ebp                             |
    004995DE | 5D                       | pop ebp                                 |
    004995DF | C3                       | ret                                     |

    Keygen screenshot

    AtlantisWordProcessorKeygen.20171012155349.rar

    Keygen source code for the algorithm

    Posted on 2017-10-12 18:23:31
    Grabbing the first reply spot to learn.