运行分析
- 需要破解key
PE分析
- upx壳,32位
- upx -d mfykm1.exe 脱壳成功
- 脱壳后再次用 Exeinfo PE 分析,发现是 C++ 程序
静态分析&动态调试
- 用 IDA 打开后即可找到主函数以及 key 的计算逻辑
- osver 保存获取系统版本信息函数返回的结果,其字段含义如下:
- osver.dwMajorVersion:主版本号
- osver.dwMinorVersion :次版本号
- osver.dwBuildNumber: build号
// OS-name lookup as decompiled from the crackme. As far as this page shows, os_name is
// only a display string: the key algorithm below reads osver's raw fields directly.
// NOTE(review): the labels for 5.2, 6.0 and 6.2 do not match Microsoft's documented
// version numbers (5.2 = Server 2003 / XP x64, 6.0 = Vista / Server 2008, 6.2 = Windows 8);
// also, applications without a compatibility manifest are reported as 6.2 on Windows 8.1
// and later, which is presumably why a modern machine lands in the last branch.
if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 0) {os_name = "Windows 2000";}
else if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 1){os_name = "Windows XP";}
else if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0){os_name = "Windows 2003";}  // documented: Vista / Server 2008
else if (osver.dwMajorVersion == 5 && osver.dwMinorVersion == 2){os_name = "windows vista";}  // documented: Server 2003 / XP x64
else if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1){os_name = "windows 7";}
else if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2){os_name = "windows 10或11";}  // documented: Windows 8 (and unmanifested apps on 8.1+)
- 动态调试时查看本机的实际数据:
- osver.dwBuildNumber = 0x23f0
- osver.dwMinorVersion = 2
- osver.dwMajorVersion = 6
算法分析
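# Values observed on the analyst's machine during dynamic debugging.
# OSVERSIONINFO fields are DWORDs; 0x23f0 == 9200.
dwBuildNumber = 0x23f0
dwMinorVersion = 2
dwMajorVersion = 6


def compute_key(build_number: int, minor_version: int, major_version: int) -> int:
    """Reproduce the crackme's key derivation from the reported OS version.

    Args:
        build_number: osver.dwBuildNumber.
        minor_version: osver.dwMinorVersion.
        major_version: osver.dwMajorVersion.

    Returns:
        The integer key the program checks. Because it is derived from the
        OS version the binary reads at runtime, machines that report a
        different version produce a different key.
    """
    # Written in the same form as the decompiled expression so it can be
    # matched against the disassembly; it equals
    # 3295 * build_number + major_version * minor_version - minor_version.
    # NOTE(review): the binary presumably evaluates this in 32-bit unsigned
    # arithmetic; Python ints do not wrap, which only matters for build
    # numbers far beyond any real Windows build.
    return (build_number + build_number
            + major_version * minor_version - minor_version
            + 3293 * build_number)


key = compute_key(dwBuildNumber, dwMinorVersion, dwMajorVersion)
flag = str(key)
print("key为: " + flag)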
- 验证成功