
Published: 2023-05-29 21:32:04 Author: bluefish0x

The target program is an InstallShield installer package; according to DIE (Detect It Easy), the InstallShield version is 2.x-3.x.

First, the target program was unpacked with the tool provided in a post on Kanxue (看雪), titled: ISx: 一款新的 InstallShield 解包工具 (ISx: a new InstallShield unpacking tool).

After unpacking, the following contents were obtained:

Unlike what most people encounter, what we get here is setup.isn rather than setup.isx.

Examining each of these files in turn, the msi file is relatively large and can be extracted with 7zip.

After extraction it turns out to contain multiple files, see the figure below:

Looking further at these files, most are resource files: icons, fonts and some extra control information. The most conspicuous one is the cab file, an archive that holds the whole set of actual program files.

Besides these, the exported functions of two dlls were of great interest, shown below:

We focus on the second dll; the first one is evidently used to decrypt certain strings.

After some analysis, the registration algorithm was located in the exported function compSerial. The whole process mainly encodes and encrypts the MAC address.

The most interesting thing in the registration process is a weak RSA algorithm: the RSA length is only 17 bits, which is easily broken (key pair: 13 and 2437).

The serial verification process is as follows:

  1. Look up each of the 20 characters of the serial in ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 to obtain its index, forming an index sequence 20 bytes long.

  2. In each byte of the index sequence the top 3 bits are unused, and of the last byte only the 5th bit is valid; after removing the unused bits, 96 bits remain, i.e. 12 bytes, denoted ser1.

  3. Every 2 bytes of ser1 form one base-100 number, giving ser2, 6 shorts long. Example: ser2[0] = 100*ser1[0]+ser1[1];

  4. ser2 is RSA-decrypted with public key 2439 mod 8099, giving ser3, 6 shorts long.

  5. ser3 is split in base 100 to give ser4, 12 bytes long. Example: ser4[0] = ser3[0]/100; ser4[1] = ser3[0]%100;

  6. The valid values in ser4 are 1-16, corresponding to 0123456789ABCDEF respectively; invalid values map to a space. Mapping ser4 this way yields the MAC.

  7. The resulting MAC is compared with the system MAC that was obtained.

Reversing the whole process, a keygen can easily be written.
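The scheme above modelled end to end, as an added example that is not the post's or the program's own code: the issuer side (MAC to serial with the private exponent), the program's check (steps 1-7), and a function showing why the modulus gives no protection, since factoring 8099 recovers the private exponent instantly. Assumptions: the 5-bit groups are packed MSB-first as in standard base32, and the check-side exponent is 2437, the value that pairs with 13 in the post (13·2437 ≡ 1 mod λ(8099)).

```python
from math import lcm

# Constants from the post; the 2437/13 pair is the one stated as the key pair.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HEXMAP = " 0123456789ABCDEF"   # ser4 value 0 -> blank, 1..16 -> hex digit
N, E_CHECK, D_ISSUE = 8099, 2437, 13

def factor(n):
    """Trial division; instant for a modulus this small (8099 = 7 * 13 * 89)."""
    fs, p = [], 2
    while p * p <= n:
        while n % p == 0:
            fs.append(p); n //= p
        p += 1
    return fs + [n] if n > 1 else fs

def recover_exponent(n, e):
    """Given only n and one exponent, factor n, compute lambda(n) and invert e."""
    lam = lcm(*(p - 1 for p in factor(n)))
    return pow(e, -1, lam)

def serial_to_mac(serial):
    """Steps 1-6 of the check: 20-char serial -> 12-char MAC string, or None."""
    if len(serial) != 20 or any(c not in ALPHABET for c in serial):
        return None
    # step 1-2: 20 five-bit indices (assumed MSB-first), keep the first 96 bits
    bits = "".join(format(ALPHABET.index(c), "05b") for c in serial)[:96]
    ser1 = [int(bits[i:i + 8], 2) for i in range(0, 96, 8)]              # 12 bytes
    ser2 = [100 * ser1[i] + ser1[i + 1] for i in range(0, 12, 2)]         # step 3
    ser3 = [pow(x, E_CHECK, N) for x in ser2]                             # step 4
    ser4 = [v for x in ser3 for v in (x // 100, x % 100)]                 # step 5
    if any(v > 16 for v in ser4):
        return None
    return "".join(HEXMAP[v] for v in ser4)                               # step 6

def verify(serial, system_mac):
    """Step 7: decoded MAC must equal the machine's MAC (12 hex chars)."""
    return serial_to_mac(serial) == system_mac.upper()

def issue_serial(mac):
    """Issuer side, the inverse of the check, using the private exponent."""
    ser4 = [HEXMAP.index(c) for c in mac.upper()]
    ser3 = [100 * ser4[i] + ser4[i + 1] for i in range(0, 12, 2)]
    ser2 = [pow(x, D_ISSUE, N) for x in ser3]
    ser1 = [v for x in ser2 for v in (x // 100, x % 100)]
    bits = "".join(format(b, "08b") for b in ser1) + "0000"              # pad to 100 bits
    return "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, 100, 5))
```

Because 8099 is squarefree and 13·2437 ≡ 1 mod lcm(6, 12, 88) = 264, the round trip holds for every ser3 value, and `recover_exponent(8099, 2437)` returns 13.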
