运行分析
- 输入Name和Serial,点击Registrieren按钮,显示疑似错误提示
- 百度翻译查看一下,发现是德语
PE分析
- Delphi程序,32位,无壳
静态分析&动态调试
- ida字符串发现正确提示,双击跟进
- 来到关键函数,进行动态调试,发现要想跳转至成功提示,需要使136行cmp(v21,Names)相等,分析计算过程如下:
- 1、提取Name前6位进行计算,得到低位v5
- 2、将Name长度乘19070的结果为v20
- 3、v5十六进制转十进制,得到v17
- 3、拼接字符串,v21 = v20 + dword_421DD8 + v17
- 4、dword_421DD8 的值为’-’
算法分析
Name = 'concealbear'
Serial = ''
dword_421DD8 = '-'v5 = 93
for i in range(0,5):if Name[i] == 'a':v7 = 24elif Name[i] == 'b':v7 = 37elif Name[i] == 'c':v7 = 66elif Name[i] == 'd':v7 = 12elif Name[i] == 'e':v7 = 13elif Name[i] == 'f':v7 = 6elif Name[i] == 'g':v7 = 54elif Name[i] == 'h':v7 = 43elif Name[i] == 'i':v7 = 23elif Name[i] == 'j':v7 = 47elif Name[i] == 'k':v7 = 19elif Name[i] == 'l':v7 = -126elif Name[i] == 'm':v7 = -101elif Name[i] == 'n':v7 = -110elif Name[i] == 'o':v7 = 3elif Name[i] == 'p':v7 = 99elif Name[i] == 'q':v7 = 33elif Name[i] == 'r':v7 = 66elif Name[i] == 's':v7 = 92elif Name[i] == 't':v7 = 41elif Name[i] == 'u':v7 = -57elif Name[i] == 'v':v7 = 102elif Name[i] == 'w':v7 = 88elif Name[i] == 'x':v7 = 10elif Name[i] == 'y':v7 = 40elif Name[i] == 'z':v7 = 80else:v7 = 93v5 = (v5 + v7) & 0xffv20 = len(Name) * 19070
v17 = v5Serial = str(v17) + dword_421DD8 + str(v20)print(Name + '的Serial为:\n' + Serial)
- 验证成功
