美萍反黄专家2.36暗桩分析

标题：CHiNA CrACKiNG GrOUp (12千字)
作者：娃娃[CCG]
时间：2001-9-12 11:01:36
链接：http://bbs.pediy.com

美萍反黄专家2.36暗桩分析。
By 娃娃(NYDoll)

//最近本来比较懒 ^_^ 还有很多事要做但是jsjyt大哥非要我写个关于美萍的反跟踪代码的破解，所以小弟只好
//一边喊着“反对暴政”，一边对jsjyt大哥面带甜美的微笑的奉上了这篇拙文让大家见笑了呵呵

//以下是在美萍反黄专家载入时候的暗桩代码：

:004722CA 6A00 push 00000000
:004722CC 49 dec ecx
:004722CD 75F9 jne 004722C8
:004722CF 53 push ebx
:004722D0 56 push esi
:004722D1 33C0 xor eax, eax
:004722D3 55 push ebp
:004722D4 68D6244700 push 004724D6
:004722D9 64FF30 push dword ptr fs:[eax]
:004722DC 648920 mov dword ptr fs:[eax], esp
:004722DF 33F6 xor esi, esi
:004722E1 C645FF00 mov [ebp-01], 00
:004722E5 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"DA"
|
:004722E7 A1C4F44000 mov eax, dword ptr [0040F4C4]
:004722EC E88B0BF9FF call 00402E7C
:004722F1 8945F8 mov dword ptr [ebp-08], eax
:004722F4 8D45F0 lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"c:\autoexec.bat" //打开C盘根目录下的AUTOEXEC.BAT文件，对DOS稍微熟悉的朋友都知道，在DOS的时代这是一个很重要的文件，基本上所有要在启动时运行的程序都要通过这里载入系统，而且在Win时代通过这个文件载入的程序通常优先级都很高一般都为杀毒软件之类的常驻内存的程序，我们可爱的SoFTICE也是通过这里载入内存的
|
:004722F7 BAF0244700 mov edx, 004724F0
:004722FC E88F19F9FF call 00403C90
:00472301 8B45F0 mov eax, dword ptr [ebp-10]
:00472304 E89F67F9FF call 00408AA8
:00472309 84C0 test al, al
:0047230B 740B je 00472318
:0047230D 8B55F0 mov edx, dword ptr [ebp-10]
:00472310 8B45F8 mov eax, dword ptr [ebp-08]
:00472313 8B08 mov ecx, dword ptr [eax]
:00472315 FF5158 call [ecx+58]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047230B(C)
|
:00472318 8D45F0 lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"WINICE" //挨行检查是否有WinICE字样的字符出现
|
:0047231B BA08254700 mov edx, 00472508
:00472320 E86B19F9FF call 00403C90
:00472325 8B45F8 mov eax, dword ptr [ebp-08]
:00472328 8B10 mov edx, dword ptr [eax]
:0047232A FF5214 call [edx+14]
:0047232D 8BD8 mov ebx, eax
:0047232F 4B dec ebx
:00472330 85DB test ebx, ebx
:00472332 7C38 jl 0047236C
:00472334 43 inc ebx
:00472335 C745F400000000 mov [ebp-0C], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047236A(C)
|
:0047233C 8D4DE8 lea ecx, dword ptr [ebp-18]
:0047233F 8B55F4 mov edx, dword ptr [ebp-0C]
:00472342 8B45F8 mov eax, dword ptr [ebp-08]
:00472345 8B30 mov esi, dword ptr [eax]
:00472347 FF560C call [esi+0C]
:0047234A 8B45E8 mov eax, dword ptr [ebp-18]
:0047234D 8D55EC lea edx, dword ptr [ebp-14]
:00472350 E8CB61F9FF call 00408520
:00472355 8B55EC mov edx, dword ptr [ebp-14]
:00472358 8B45F0 mov eax, dword ptr [ebp-10]
:0047235B E8041EF9FF call 00404164
:00472360 8BF0 mov esi, eax
:00472362 85F6 test esi, esi
:00472364 7506 jne 0047236C
:00472366 FF45F4 inc [ebp-0C]
:00472369 4B dec ebx
:0047236A 75D0 jne 0047233C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00472332(C), :00472364(C)
|
:0047236C 85F6 test esi, esi
:0047236E 7442 je 004723B2
:00472370 8D4DE0 lea ecx, dword ptr [ebp-20]
:00472373 8B55F4 mov edx, dword ptr [ebp-0C]
:00472376 8B45F8 mov eax, dword ptr [ebp-08]
:00472379 8B18 mov ebx, dword ptr [eax]
:0047237B FF530C call [ebx+0C]
:0047237E 8B45E0 mov eax, dword ptr [ebp-20]
:00472381 8D55E4 lea edx, dword ptr [ebp-1C]
:00472384 E89761F9FF call 00408520
:00472389 8B55E4 mov edx, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"REM" /检查这个加载SOFTICE的语句前是否有注释关键字“REM”
|
:0047238C B818254700 mov eax, 00472518
:00472391 E8CE1DF9FF call 00404164
:00472396 85C0 test eax, eax
:00472398 7518 jne 004723B2
:0047239A C645FF01 mov [ebp-01], 01

* Possible StringData Ref from Data Obj ->"DBG"
|
:0047239E A184C44700 mov eax, dword ptr [0047C484]

* Possible StringData Ref from Code Obj ->"User32"
|
:004723A3 BA24254700 mov edx, 00472524
:004723A8 E89F18F9FF call 00403C4C
:004723AD E909010000 jmp 004724BB

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047236E(C), :00472398(C)
|
:004723B2 8B45F8 mov eax, dword ptr [ebp-08]
:004723B5 8B10 mov edx, dword ptr [eax]
:004723B7 FF5240 call [edx+40]
:004723BA E845FEFFFF call 00472204
:004723BF 8945F8 mov dword ptr [ebp-08], eax
:004723C2 E87D020000 call 00472644
:004723C7 84C0 test al, al //标志位非0就关机！
:004723C9 7409 je 004723D4 //如果发现没有载入SoftICE的指令则跳到下面检查TRW
:004723CB 6A00 push 00000000
:004723CD 6A05 push 00000005

* Reference To: user32.ExitWindowsEx, Ord:0000h //熟悉吧 ^_^ 这个就是美萍调用的关机的函数
|
:004723CF E8D04BF9FF Call 00406FA4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004723C9(C)
|
:004723D4 8D45F0 lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"TRW" //将“TRW”字符串载入寄存器中
|
:004723D7 BA34254700 mov edx, 00472534 //获得窗口数目
:004723DC E8AF18F9FF call 00403C90
:004723E1 8B45F8 mov eax, dword ptr [ebp-08] //循环获得窗口的32位整数型句柄
:004723E4 8B10 mov edx, dword ptr [eax]
:004723E6 FF5214 call [edx+14]
:004723E9 8BD8 mov ebx, eax
:004723EB 4B dec ebx
:004723EC 85DB test ebx, ebx
:004723EE 7C50 jl 00472440 //是否循环完，若循环完成则到下面判断标志位
:004723F0 43 inc ebx
:004723F1 C745F400000000 mov [ebp-0C], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047243E(C)
|
:004723F8 8D4DD8 lea ecx, dword ptr [ebp-28] ——————\
:004723FB 8B55F4 mov edx, dword ptr [ebp-0C] \
:004723FE 8B45F8 mov eax, dword ptr [ebp-08] \
:00472401 8B30 mov esi, dword ptr [eax] \
:00472403 FF560C call [esi+0C] \
:00472406 8B45D8 mov eax, dword ptr [ebp-28] \
:00472409 8D55DC lea edx, dword ptr [ebp-24] | 循环对比所获得的窗口句柄是否有含有TRW字样的出现！
:0047240C E80F61F9FF call 00408520 |
:00472411 8B55DC mov edx, dword ptr [ebp-24] /
:00472414 8B45F0 mov eax, dword ptr [ebp-10] /
:00472417 E8481DF9FF call 00404164 /
:0047241C 8BF0 mov esi, eax /
:0047241E 85F6 test esi, esi /
:00472420 7418 je 0047243A ——————————————/
:00472422 C645FF01 mov [ebp-01], 01

* Possible StringData Ref from Data Obj ->"DBG"
|
:00472426 A184C44700 mov eax, dword ptr [0047C484]

* Possible StringData Ref from Code Obj ->"User32"
|
:0047242B BA24254700 mov edx, 00472524
:00472430 E81718F9FF call 00403C4C
:00472435 E981000000 jmp 004724BB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472420(C)
|
:0047243A FF45F4 inc [ebp-0C]
:0047243D 4B dec ebx
:0047243E 75B8 jne 004723F8 //循环检查完后，将检查标志位

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004723EE(C)
|
:00472440 E803010000 call 00472548
:00472445 84C0 test al, al //AL为标志位，非0则关机
:00472447 7409 je 00472452 //不跳就死翘翘了呵呵
:00472449 6A00 push 00000000
:0047244B 6A05 push 00000005

* Reference To: user32.ExitWindowsEx, Ord:0000h //退出WinDows的API函数
|
:0047244D E8524BF9FF Call 00406FA4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472447(C)
|
:00472452 A180C64700 mov eax, dword ptr [0047C680]
:00472457 C70001000000 mov dword ptr [eax], 00000001
:0047245D 8B45F8 mov eax, dword ptr [ebp-08]
:00472460 8B10 mov edx, dword ptr [eax]
:00472462 FF5214 call [edx+14]
:00472465 8BD8 mov ebx, eax
:00472467 4B dec ebx
:00472468 85DB test ebx, ebx
:0047246A 7C4F jl 004724BB
:0047246C 43 inc ebx
:0047246D C745F400000000 mov [ebp-0C], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004724B9(C)
|
:00472474 8D4DD0 lea ecx, dword ptr [ebp-30]
:00472477 8B55F4 mov edx, dword ptr [ebp-0C]
:0047247A 8B45F8 mov eax, dword ptr [ebp-08]
:0047247D 8B30 mov esi, dword ptr [eax]
:0047247F FF560C call [esi+0C]
:00472482 8B45D0 mov eax, dword ptr [ebp-30]
:00472485 8D55D4 lea edx, dword ptr [ebp-2C]
:00472488 E89360F9FF call 00408520
:0047248D 8B55D4 mov edx, dword ptr [ebp-2C]

* Possible StringData Ref from Code Obj ->"URSoft" //与上面的相同这个是检查是否有W32Dasm在运行的特征码
|
:00472490 B840254700 mov eax, 00472540
:00472495 E8CA1CF9FF call 00404164
:0047249A 8BF0 mov esi, eax
:0047249C 85F6 test esi, esi
:0047249E 7415 je 004724B5
:004724A0 C645FF01 mov [ebp-01], 01

* Possible StringData Ref from Data Obj ->"DBG"
|
:004724A4 A184C44700 mov eax, dword ptr [0047C484]

* Possible StringData Ref from Code Obj ->"User32"
|
:004724A9 BA24254700 mov edx, 00472524
:004724AE E89917F9FF call 00403C4C
:004724B3 EB06 jmp 004724BB

//小弟只是小鸟一只希望各位大哥指点一二小弟感激不尽 ^_^ 解决方法说简单也简单说难也难 ^_^
//如果你想要暴力破解这个软件可以脱壳后把所有TRW，SOFTICE等字样全部改成AAA，BBB什么的不相干的东西，这样就不
//关机了，但是如果你想要找出这个东西的注册码，我劝你千万不要这样做，因为只要改变了这些字符串美萍就会算出一个
//不一样的真实的注册码来（很厉害吧），这样就算你从美萍公司买到了产品也不会注册成功，切记

//另外，这个程序还ANTI CrACKCode 只要发现目录下有这个文件立刻采取措施呵呵具体是什么措施你试试就知道了，
//总体来说这个东西的保护还没有网管大师成熟，还没有像它那样连REGMON FILEMON都不放过 ^_^ 大家破解的时候手下留
//情哦。

※谨以此拙文献给可爱的CCG，希望它能蒸蒸日上（JOJO老大的话 ^_^）

娃娃(NYDoll)
CHiNA CrACKiNG GrOUp