我(TAE!)的第二篇破解教程
目标软件:The Cleaner 3.2 BUILD 3205
保护方式:序列号
破解方法:暴力破解
下载地址:http://www.moosoft.com
软件简介:The Cleaner searches your hard drive and cleans it of all known Trojans. Using a unique patent-pending technology, The Cleaner compares each file against a list of all known Trojans. You can scan your entire system or just one file. The program also allows you to periodically update your Trojan database file to keep it current with the latest research. If you're going to expose your system to the dangers of the internet, keep it clean with The Cleaner!
此软件以前的版本如3.1很好破解,但这个3.2版的注册码始终搞不定,跟踪的时候发现内存中出现了3.1版本的两个注册码,但在此版本中不能用.(从后面的反汇编看,3.2版似乎是把这两个旧注册码当作黑名单:读到的注册码与其中任何一个相同,就转去写入"Unregistered Shareware".)
但暴力破解却非常简单,先用fileinfo检查一下它穿了什么"衣服",哦,原来是UPX0.9?
用TRW载入程序,跟踪,脱壳.
顺便问一下
:XXXX:XXXXXXXX PUSH EAX <-----为什么我在这一行用TRW的makepe命令时,它会说:
........
Rebuild Import Table error!
脱壳后反汇编它,查找串式数据,发现出现了以前版本的注册码3310-EEC2-21D0-0C82于是
双击它,出现下面的程序.
* Referenced by a CALL at Addresses:
|:00495B11 , :004A98CD , :004AD6B2
|
:004B252C 55
push ebp
:004B252D 8BEC
mov ebp, esp
:004B252F 81C4F0FDFFFF add esp, FFFFFDF0
:004B2535 53
push ebx
:004B2536 56
push esi
:004B2537 57
push edi
:004B2538 33D2
xor edx, edx
:004B253A 8995F4FDFFFF mov dword
ptr [ebp+FFFFFDF4], edx
:004B2540 8995F0FDFFFF mov dword
ptr [ebp+FFFFFDF0], edx
:004B2546 8955FC
mov dword ptr [ebp-04], edx
:004B2549 8955F8
mov dword ptr [ebp-08], edx
:004B254C 8BF8
mov edi, eax
:004B254E B908000000 mov ecx,
00000008
:004B2553 8D8508FEFFFF lea eax, dword
ptr [ebp+FFFFFE08]
* Possible StringData Ref from Data Obj ->"
String?@"
|
:004B2559 8B15AC104000 mov edx, dword
ptr [004010AC]
:004B255F E8441DF5FF call
004042A8
:004B2564 33C0
xor eax, eax
:004B2566 55
push ebp
:004B2567 68F1284B00 push
004B28F1
:004B256C 64FF30
push dword ptr fs:[eax]
:004B256F 648920
mov dword ptr fs:[eax], esp
:004B2572 33C0
xor eax, eax
:004B2574 55
push ebp
:004B2575 68A4284B00 push
004B28A4
:004B257A 64FF30
push dword ptr fs:[eax]
:004B257D 648920
mov dword ptr fs:[eax], esp
:004B2580 8B9750530000 mov edx, dword
ptr [edi+00005350]
:004B2586 8D45FC
lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Data Obj ->"ibu.dll"
|
:004B2589 B90C294B00 mov ecx,
004B290C
:004B258E E8F517F5FF call
00403D88
:004B2593 8D8770B35101 lea eax, dword
ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2599 BA1C294B00 mov edx,
004B291C
:004B259E E87115F5FF call
00403B14
:004B25A3 8D8774B35101 lea eax, dword
ptr [edi+0151B374]
:004B25A9 E81215F5FF call
00403AC0
:004B25AE 8B45FC
mov eax, dword ptr [ebp-04]
:004B25B1 E89E55F5FF call
00407B54
:004B25B6 84C0
test al, al
:004B25B8 0F84BA020000 je 004B2878
:004B25BE 8B55FC
mov edx, dword ptr [ebp-04]
:004B25C1 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B25C7 E8562CF5FF call
00405222
:004B25CC 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B25D2 E8502FF5FF call
00405527
:004B25D7 8D9770B35101 lea edx, dword
ptr [edi+0151B370]
:004B25DD 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B25E3 E8101BF5FF call
004040F8
:004B25E8 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B25EE E8D12EF5FF call
004054C4
:004B25F3 8D55F8
lea edx, dword ptr [ebp-08]
:004B25F6 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B25FC E8F71AF5FF call
004040F8
:004B2601 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B2607 E8B82EF5FF call
004054C4
:004B260C 8D8528FEFFFF lea eax, dword
ptr [ebp+FFFFFE28]
:004B2612 E8112DF5FF call
00405328
:004B2617 8D8774B35101 lea eax, dword
ptr [edi+0151B374]
:004B261D 8B55F8
mov edx, dword ptr [ebp-08]
:004B2620 E8EF14F5FF call
00403B14
:004B2625 8B45F8
mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->"3310-EEC2-21D0-0C82"***
|
:004B2628 BA3C294B00 mov edx,
004B293C
:004B262D E81A18F5FF call
00403E4C
:004B2632 740F
je 004B2643
:004B2634 8B45F8
mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->"27F9-996A-BBBA-793E"***
|
:004B2637 BA58294B00 mov edx,
004B2958
:004B263C E80B18F5FF call
00403E4C
:004B2641 752A
jne 004B266D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2632(C)
|
:004B2643 8D8770B35101 lea eax, dword
ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2649 BA1C294B00 mov edx,
004B291C
:004B264E E8C114F5FF call
00403B14
:004B2653 8D8774B35101 lea eax, dword
ptr [edi+0151B374]
:004B2659 E86214F5FF call
00403AC0
:004B265E 33DB
xor ebx, ebx
:004B2660 33C0
xor eax, eax
:004B2662 5A
pop edx
:004B2663 59
pop ecx
:004B2664 59
pop ecx
:004B2665 648910
mov dword ptr fs:[eax], edx
:004B2668 E943020000 jmp 004B28B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2641(C)
|
:004B266D 8B45F8
mov eax, dword ptr [ebp-08]
:004B2670 E8C716F5FF call
00403D3C
:004B2675 83F813
cmp eax, 00000013
:004B2678 742A
je 004B26A4
:004B267A 8D8770B35101 lea eax, dword
ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2680 BA1C294B00 mov edx,
004B291C
:004B2685 E88A14F5FF call
00403B14
:004B268A 8D8774B35101 lea eax, dword
ptr [edi+0151B374]
:004B2690 E82B14F5FF call
00403AC0
:004B2695 33DB
xor ebx, ebx
:004B2697 33C0
xor eax, eax
:004B2699 5A
pop edx
:004B269A 59
pop ecx
:004B269B 59
pop ecx
:004B269C 648910
mov dword ptr fs:[eax], edx
:004B269F E90C020000 jmp 004B28B0
从上面列表开头的"Referenced by a CALL at Addresses"一看就知道这段程序有三个地方调用(00495B11, 004A98CD, 004AD6B2).经过分析发现第一个Call是输入注册数据时的调用,第二个未知,而第三个(004AD6B2)就是程序启动时检查你是否已经注册,所以来到了这里:
* Possible StringData Ref from Data Obj ->"Windows Directory: "
|
:004AD69A BA2CDE4A00 mov edx,
004ADE2C
:004AD69F E8E466F5FF call
00403D88
:004AD6A4 8B8574FFFFFF mov eax, dword
ptr [ebp+FFFFFF74]
:004AD6AA E849F1FDFF call
0048C7F8
:004AD6AF 8B45FC
mov eax, dword ptr [ebp-04]
:004AD6B2 E8754E0000 call
004B252C \ <----- 来到这里
:004AD6B7 84C0
test al, al - 看起来很眼熟呀!
:004AD6B9 754C
jne 004AD707 / 将这里改为je试试
:004AD6BB 8B45FC
mov eax, dword ptr [ebp-04]
:004AD6BE 0570B35101 add eax,
0151B370
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004AD6C3 BA48DE4A00 mov edx,
004ADE48
:004AD6C8 E84764F5FF call
00403B14
:004AD6CD 8B0DF06F4B00 mov ecx, dword
ptr [004B6FF0]
:004AD6D3 A1B86F4B00 mov eax,
dword ptr [004B6FB8]
:004AD6D8 8B00
mov eax, dword ptr [eax]
* Possible StringData Ref from Data Obj ->"念@"
|
:004AD6DA 8B15548D4900 mov edx, dword
ptr [00498D54]
:004AD6E0 E85F37F8FF call
00430E44
:004AD6E5 A1F06F4B00 mov eax,
dword ptr [004B6FF0]
:004AD6EA 8B00
mov eax, dword ptr [eax]
:004AD6EC E8DB18F8FF call
0042EFCC
:004AD6F1 83F802
cmp eax, 00000002
:004AD6F4 7511
jne 004AD707
:004AD6F6 A1B86F4B00 mov eax,
dword ptr [004B6FB8]
:004AD6FB 8B00
mov eax, dword ptr [eax]
:004AD6FD E88238F8FF call
00430F84
:004AD702 E951060000 jmp 004ADD58
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AD6B9(C), :004AD6F4(C)
|
* Possible StringData Ref from Data Obj ->"Load Database"
|
:004AD707 B868DE4A00 mov eax,
004ADE68
:004AD70C E8E7F0FDFF call
0048C7F8
:004AD711 8B45FC
mov eax, dword ptr [ebp-04]
:004AD714 80B86053000000 cmp byte ptr [eax+00005360],
00
:004AD71B 7417
je 004AD734
:004AD71D A12C6F4B00 mov eax,
dword ptr [004B6F2C]
:004AD722 8B00
mov eax, dword ptr [eax]
:004AD724 8B80E4010000 mov eax, dword
ptr [eax+000001E4]
* Possible StringData Ref from Data Obj ->"Loading database..."
|
:004AD72A BA80DE4A00 mov edx,
004ADE80
:004AD72F E88C57F9FF call
00442EC0
将:004AD6B9 754C jne 004AD707
改为: 744C je 004ad707
运行一下,果然注册成功,再也不会出现注册提示框了.
- 标 题:The Cleaner 3.2 BUILD 3205的破解(10千字)
- 作 者:TAE!
- 时 间:2001-1-27 13:03:37
- 链 接:http://bbs.pediy.com