TRW2000 1.21

标题：如何对付TRW2000 1.21 (7千字)
作者：冰毒
时间：2000-5-26 8:45:26
链接：http://bbs.pediy.com

:0003BBBF A144260600 mov eax, dword ptr [00062644]
:0003BBC4 6A06 push 00000006
:0003BBC6 33D2 xor edx, edx
:0003BBC8 59 pop ecx
:0003BBC9 F7F1 div ecx
:0003BBCB 85D2 test edx, edx
:0003BBCD 0F8516010000 jne 0003BCE9 <- !

如果这里不跳,会一直往下

:0003BBD3 6A04 push 00000004
:0003BBD5 E814CEFFFF call 000389EE
:0003BBDA 3BC3 cmp eax, ebx
:0003BBDC 59 pop ecx
:0003BBDD 740B je 0003BBEA
:0003BBDF 8BC8 mov ecx, eax
:0003BBE1 E8C2D9FEFF call 000295A8
:0003BBE6 8BF8 mov edi, eax
:0003BBE8 EB02 jmp 0003BBEC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0003BBDD(C)
|
:0003BBEA 33FF xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0003BBE8(U)
|
:0003BBEC 8D4DD0 lea ecx, dword ptr [ebp-30]

后面是什么,整理一下就十分清楚了.

.0003BCAE: 885DFC mov [ebp][-0004],bl
.0003BCAA: C645FB20 mov b,[ebp][-0005],020 ;" "
.0003BCA6: C645FA21 mov b,[ebp][-0006],021 ;"!"
.0003BC5E: C645F974 mov b,[ebp][-0007],074 ;"t"
.0003BCC9: C645F869 mov b,[ebp][-0008],069 ;"i"
.0003BC5A: C645F720 mov b,[ebp][-0009],020 ;" "
.0003BCB5: C645F672 mov b,[ebp][-000A],072 ;"r"
.0003BC56: C645F565 mov b,[ebp][-000B],065 ;"e"
.0003BBFB: C645F474 mov b,[ebp][-000C],074 ;"t"
.0003BCB1: C645F373 mov b,[ebp][-000D],073 ;"s"
.0003BBEF: C645F269 mov b,[ebp][-000E],069 ;"i"
.0003BBF7: C645F167 mov b,[ebp][-000F],067 ;"g"
.0003BCC5: C645F065 mov b,[ebp][-0010],065 ;"e"
.0003BCA2: C645EF72 mov b,[ebp][-0011],072 ;"r"
.0003BCC1: C645EE20 mov b,[ebp][-0012],020 ;" "
.0003BCB9: C645ED65 mov b,[ebp][-0013],065 ;"e"
.0003BCBD: C645EC73 mov b,[ebp][-0014],073 ;"s"
.0003BC92: C645EB61 mov b,[ebp][-0015],061 ;"a"
.0003BC9E: C645EA65 mov b,[ebp][-0016],065 ;"e"
.0003BC8A: C645E96C mov b,[ebp][-0017],06C ;"l"
.0003BC8E: C645E850 mov b,[ebp][-0018],050 ;"P"
.0003BC86: C645E720 mov b,[ebp][-0019],020 ;" "
.0003BC82: C645E621 mov b,[ebp][-001A],021 ;"!"
.0003BC7E: C645E56E mov b,[ebp][-001B],06E ;"n"
.0003BC1A: C645E46F mov b,[ebp][-001C],06F ;"o"
.0003BC1E: C645E369 mov b,[ebp][-001D],069 ;"i"
.0003BC7A: C645E273 mov b,[ebp][-001E],073 ;"s"
.0003BC16: C645E172 mov b,[ebp][-001F],072 ;"r"
.0003BC72: C645E065 mov b,[ebp][-0020],065 ;"e"
.0003BC76: C645DF76 mov b,[ebp][-0021],076 ;"v"
.0003BC6E: C645DE20 mov b,[ebp][-0022],020 ;" "
.0003BC4A: C645DD6F mov b,[ebp][-0023],06F ;"o"
.0003BC6A: C645DC6D mov b,[ebp][-0024],06D ;"m"
.0003BC42: C645DB65 mov b,[ebp][-0025],065 ;"e"
.0003BC46: C645DA64 mov b,[ebp][-0026],064 ;"d"
.0003BC3E: C645D920 mov b,[ebp][-0027],020 ;" "
.0003BC9A: C645D861 mov b,[ebp][-0028],061 ;"a"
.0003BC96: C645D720 mov b,[ebp][-0029],020 ;" "
.0003BC2E: C645D673 mov b,[ebp][-002A],073 ;"s"
.0003BC3A: C645D569 mov b,[ebp][-002B],069 ;"i"
.0003BC2A: C645D420 mov b,[ebp][-002C],020 ;" "
.0003BC22: C645D373 mov b,[ebp][-002D],073 ;"s"
.0003BC26: C645D269 mov b,[ebp][-002E],069 ;"i"
.0003BC0E: C645D168 mov b,[ebp][-002F],068 ;"h"
.0003BC12: C645D054 mov b,[ebp][-0030],054 ;"T"
.0003BC07: 885DCD mov [ebp][-0033],bl
.0003BC0A: C645CC74 mov b,[ebp][-0034],074 ;"t"
.0003BC62: C645CB68 mov b,[ebp][-0035],068 ;"h"
.0003BC66: C645CA67 mov b,[ebp][-0036],067 ;"g"
.0003BC4E: C645C969 mov b,[ebp][-0037],069 ;"i"
.0003BC52: C645C872 mov b,[ebp][-0038],072 ;"r"
.0003BC36: C645C779 mov b,[ebp][-0039],079 ;"y"
.0003BC03: C645C670 mov b,[ebp][-003A],070 ;"p"
.0003BBFF: C645C56F mov b,[ebp][-003B],06F ;"o"
.0003BC32: C645C443 mov b,[ebp][-003C],043 ;"C"

** Copyright(提示窗标题)
** This is a demo version! Please register it!

时间限制(2000年4月至6月):

.00036006: 8105B8230600201C0000 add d,[0000623B8],000001C20 ?
.00036010: 8305BC23060061 add d,[0000623BC],061 ?
.00036017: 56 push esi
.00036018: 33F6 xor esi,esi
.0003601A: 813DB8230600F0230000 cmp d,[0000623B8],0000023F0 <-!

** 23F0h-1C20h=7D0h=2000

.00036024: 7408 je .00003602E
.00036026: E819FFFFFF call .000035F44 <-
.0003602B: 6A01 push 001
.0003602D: 5E pop esi
.0003602E: A1BC230600 mov eax,[0000623BC]
.00036033: 83F865 cmp eax,065

** 65-61=4

.00036036: 7205 jb .00003603D
.00036038: 83F867 cmp eax,067

** 67-61=6

.0003603B: 7608 jbe .000036045
.0003603D: E802FFFFFF call .000035F44 <-

将35F44之后的一段再整理如下

00035F69: C68578FFFFFF54 mov b,[ebp][0FFFFFF78],054 ;"T"
00035FAE: C68579FFFFFF52 mov b,[ebp][0FFFFFF79],052 ;"R"
00035FA7: C6857AFFFFFF57 mov b,[ebp][0FFFFFF7A],057 ;"W"
00035F77: C6857BFFFFFF32 mov b,[ebp][0FFFFFF7B],032 ;"2"
00035F70: C6857CFFFFFF30 mov b,[ebp][0FFFFFF7C],030 ;"0"
00035F85: C6857DFFFFFF30 mov b,[ebp][0FFFFFF7D],030 ;"0"
00035F7E: C6857EFFFFFF30 mov b,[ebp][0FFFFFF7E],030 ;"0"
00035F98: C6857FFFFFFF20 mov b,[ebp][0FFFFFF7F],020 ;" "

00035F65: C645FB50 mov b,[ebp][-0005],050 ;"P"
00035F90: C645FA4F mov b,[ebp][-0006],04F ;"O"
00035F94: C645F954 mov b,[ebp][-0007],054 ;"T"
00035F61: C645F853 mov b,[ebp][-0008],053 ;"S"

00035FC1: C6458721 mov b,[ebp][-0079],021 ;"!"
00035FC5: C6458664 mov b,[ebp][-007A],064 ;"d"
00035FB9: C6458565 mov b,[ebp][-007B],065 ;"e"
00035FBD: C6458472 mov b,[ebp][-007C],072 ;"r"
00035FA3: C6458369 mov b,[ebp][-007D],069 ;"i"
00035F9F: C6458270 mov b,[ebp][-007E],070 ;"p"
00035FB5: C6458178 mov b,[ebp][-007F],078 ;"x"
00035F8C: C6458045 mov b,[ebp][-0080],045 ;"E"
00035FC9: E8202A0000 call .0000389EE

** TRW2000 STOP Expired!