美萍反黄专家2.36暗桩分析。
By 娃娃(NYDoll)
//最近本来比较懒 ^_^ 还有很多事要做
但是jsjyt大哥非要我写个关于美萍的反跟踪代码的破解,所以小弟只好
//一边喊着“反对暴政”,一边对jsjyt大哥面带甜美的微笑的奉上了这篇拙文
让大家见笑了 呵呵
//以下是在美萍反黄专家载入时候的暗桩代码(注意这只是函数中间的一段:开头的 dec ecx / jne 004722C8 属于前面一个看不到的计数循环,结尾跳去的 004724BB 和 SEH 处理入口 004724D6 也都不在这段里):
:004722CA 6A00
push 00000000
:004722CC
49
dec ecx
:004722CD 75F9
jne 004722C8
:004722CF 53
push ebx
:004722D0 56
push esi
:004722D1
33C0 xor
eax, eax
:004722D3 55
push ebp
:004722D4 68D6244700
push 004724D6
:004722D9 64FF30
push dword ptr fs:[eax]
:004722DC 648920
mov dword ptr fs:[eax],
esp
:004722DF 33F6
xor esi, esi
:004722E1 C645FF00
mov [ebp-01], 00
:004722E5 B201
mov dl, 01
*
Possible StringData Ref from Code Obj ->"DA"
|
:004722E7 A1C4F44000
mov eax, dword ptr [0040F4C4]
:004722EC E88B0BF9FF
call 00402E7C
:004722F1 8945F8
mov dword ptr [ebp-08], eax
:004722F4
8D45F0 lea eax,
dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"c:\autoexec.bat"
//打开C盘根目录下的AUTOEXEC.BAT文件。从上面的代码看,程序先 call 00408AA8 再 test al(推测是 FileExists 之类的存在性检查——待确认),文件存在时才经 call [ecx+58] 把它整个读入一个字符串列表,然后逐行检查。对DOS稍微熟悉的朋友都知道,在DOS时代这是一个很重要的文件,基本上所有要在启动时运行的程序都要通过这里载入系统;在Win9x下通过这个文件载入的程序优先级通常也很高,
一般都是杀毒软件之类的常驻内存程序,我们可爱的SoftICE(Win9x版)也是通过这里载入内存的。要注意这种检查只能抓到从autoexec.bat启动的SoftICE,以驱动/服务方式启动的NT版SoftICE不会在这个文件里留下痕迹。
|
:004722F7 BAF0244700 mov
edx, 004724F0
:004722FC E88F19F9FF
call 00403C90
:00472301 8B45F0
mov eax, dword ptr [ebp-10]
:00472304 E89F67F9FF
call 00408AA8
:00472309 84C0
test al, al
:0047230B 740B
je 00472318
:0047230D 8B55F0
mov edx, dword ptr [ebp-10]
:00472310 8B45F8
mov eax, dword ptr [ebp-08]
:00472313
8B08 mov
ecx, dword ptr [eax]
:00472315 FF5158
call [ecx+58]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0047230B(C)
|
:00472318 8D45F0
lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"WINICE" //逐行检查是否含有WINICE字样:每行先经 call 00408520 处理(推测是转大写,所以比较不区分大小写——待确认),再用 call 00404164(推测是Pos)在结果中查找"WINICE";一旦找到就跳出循环(见 00472364 处的 jne),此时 [ebp-0C] 保留着命中的行号,供下面对这一行做REM复查
|
:0047231B BA08254700
mov edx, 00472508
:00472320 E86B19F9FF
call 00403C90
:00472325 8B45F8
mov eax, dword ptr [ebp-08]
:00472328 8B10
mov edx, dword ptr [eax]
:0047232A FF5214
call [edx+14]
:0047232D 8BD8
mov ebx, eax
:0047232F
4B
dec ebx
:00472330 85DB
test ebx, ebx
:00472332 7C38
jl 0047236C
:00472334 43
inc ebx
:00472335
C745F400000000 mov [ebp-0C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047236A(C)
|
:0047233C 8D4DE8
lea ecx, dword ptr [ebp-18]
:0047233F 8B55F4
mov edx, dword ptr [ebp-0C]
:00472342
8B45F8 mov eax,
dword ptr [ebp-08]
:00472345 8B30
mov esi, dword ptr [eax]
:00472347 FF560C
call [esi+0C]
:0047234A
8B45E8 mov eax,
dword ptr [ebp-18]
:0047234D 8D55EC
lea edx, dword ptr [ebp-14]
:00472350 E8CB61F9FF
call 00408520
:00472355 8B55EC
mov edx, dword ptr [ebp-14]
:00472358 8B45F0
mov eax, dword ptr [ebp-10]
:0047235B E8041EF9FF
call 00404164
:00472360 8BF0
mov esi, eax
:00472362 85F6
test esi, esi
:00472364 7506
jne 0047236C
:00472366 FF45F4
inc [ebp-0C]
:00472369 4B
dec ebx
:0047236A 75D0
jne 0047233C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00472332(C),
:00472364(C)
|
:0047236C 85F6
test esi, esi
:0047236E 7442
je 004723B2
:00472370 8D4DE0
lea ecx, dword ptr [ebp-20]
:00472373 8B55F4
mov edx, dword ptr [ebp-0C]
:00472376 8B45F8
mov eax, dword ptr [ebp-08]
:00472379 8B18
mov ebx, dword
ptr [eax]
:0047237B FF530C
call [ebx+0C]
:0047237E 8B45E0
mov eax, dword ptr [ebp-20]
:00472381 8D55E4
lea edx, dword ptr [ebp-1C]
:00472384 E89761F9FF call
00408520
:00472389 8B55E4
mov edx, dword ptr [ebp-1C]
* Possible StringData Ref
from Code Obj ->"REM" //对刚才命中WINICE的那一行再查一次是否含有"REM"(是否已经被注释掉)。注意这只是子串查找,并不检查REM是否在行首:只要行中任意位置出现REM(Pos返回非0,00472398 处的 jne 成立)就放过;否则置 [ebp-01]=1,把"User32"写入 DBG 变量,然后跳到 004724BB
|
:0047238C B818254700
mov eax, 00472518
:00472391 E8CE1DF9FF
call 00404164
:00472396 85C0
test eax, eax
:00472398
7518 jne
004723B2
:0047239A C645FF01
mov [ebp-01], 01
* Possible StringData Ref from Data Obj ->"DBG"
|
:0047239E A184C44700
mov eax, dword ptr [0047C484]
* Possible
StringData Ref from Code Obj ->"User32"
|
:004723A3 BA24254700 mov
edx, 00472524
:004723A8 E89F18F9FF
call 00403C4C
:004723AD E909010000
jmp 004724BB
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:0047236E(C), :00472398(C)
|
:004723B2 8B45F8
mov eax, dword ptr [ebp-08]
:004723B5 8B10
mov edx, dword ptr [eax]
:004723B7 FF5240
call [edx+40]
:004723BA E845FEFFFF
call 00472204
:004723BF 8945F8
mov dword ptr [ebp-08],
eax
:004723C2 E87D020000
call 00472644
:004723C7 84C0
test al, al //AL 是上面 call 00472644 的返回值,非0就关机!(00472644 里面具体判断什么,这段里看不到)
:004723C9 7409
je 004723D4 //为0(没有发现载入SoftICE的迹象)就跳过关机调用,接着到下面检查TRW
:004723CB 6A00
push 00000000
:004723CD 6A05
push 00000005
* Reference To: user32.ExitWindowsEx,
Ord:0000h //熟悉吧 ^_^ 这个就是美萍调用的关机函数。两个参数按stdcall从右到左压栈:push 0 是 dwReserved,push 5 是 uFlags = EWX_SHUTDOWN(1) | EWX_FORCE(4),也就是强制关机,不给应用程序拒绝的机会,未保存的数据一并丢失
|
:004723CF E8D04BF9FF Call
00406FA4
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004723C9(C)
|
:004723D4 8D45F0
lea eax, dword ptr [ebp-10]
* Possible
StringData Ref from Code Obj ->"TRW" //把"TRW"字符串装入 [ebp-10]
|
:004723D7 BA34254700
mov edx, 00472534 //edx 指向 "TRW"
:004723DC E8AF18F9FF
call 00403C90
:004723E1 8B45F8
mov eax, dword ptr [ebp-08] //eax = 上面 call 00472204 返回并存入 [ebp-08] 的新字符串列表;紧接着 call [edx+14] 取得它的条目数,再在下面的循环里逐项取出比较
:004723E4 8B10
mov edx, dword ptr [eax]
:004723E6 FF5214
call [edx+14]
:004723E9 8BD8
mov ebx, eax
:004723EB
4B
dec ebx
:004723EC 85DB
test ebx, ebx
:004723EE 7C50
jl 00472440 //是否循环完,若循环完成则到下面判断标志位
:004723F0
43
inc ebx
:004723F1 C745F400000000 mov [ebp-0C],
00000000
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0047243E(C)
|
:004723F8 8D4DD8
lea ecx, dword ptr [ebp-28] ——————\
:004723FB
8B55F4 mov edx,
dword ptr [ebp-0C] \
:004723FE 8B45F8
mov eax, dword ptr [ebp-08]
\
:00472401 8B30
mov esi, dword ptr [eax]
\
:00472403 FF560C
call [esi+0C]
\
:00472406 8B45D8
mov eax, dword ptr [ebp-28]
\
:00472409 8D55DC
lea edx, dword ptr [ebp-24]
| 循环遍历列表中的每一个字符串(由后面用Pos查找"TRW"可知这里取出的是字符串而不是句柄,推测是枚举到的窗口标题——待确认),同样先转换再查找"TRW";一旦命中就置 [ebp-01]=1、写 DBG 变量,然后跳到 004724BB
:0047240C E80F61F9FF
call 00408520
|
:00472411
8B55DC mov edx,
dword ptr [ebp-24] /
:00472414 8B45F0
mov eax, dword ptr [ebp-10] /
:00472417 E8481DF9FF call
00404164
/
:0047241C 8BF0
mov esi, eax
/
:0047241E
85F6 test
esi, esi
/
:00472420 7418
je 0047243A ——————————————/
:00472422 C645FF01
mov [ebp-01], 01
*
Possible StringData Ref from Data Obj ->"DBG"
|
:00472426 A184C44700
mov eax, dword ptr [0047C484]
* Possible StringData Ref from Code Obj
->"User32"
|
:0047242B BA24254700
mov edx, 00472524
:00472430 E81718F9FF
call 00403C4C
:00472435 E981000000
jmp 004724BB
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00472420(C)
|
:0047243A FF45F4
inc [ebp-0C]
:0047243D 4B
dec ebx
:0047243E 75B8
jne 004723F8 //循环检查完后,将检查标志位
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004723EE(C)
|
:00472440 E803010000
call 00472548
:00472445 84C0
test al, al //AL为标志位,非0则关机
:00472447
7409 je 00472452
//不跳就死翘翘了 呵呵
:00472449 6A00
push 00000000
:0047244B 6A05
push 00000005
* Reference
To: user32.ExitWindowsEx, Ord:0000h //同上,uFlags=5 即 EWX_SHUTDOWN|EWX_FORCE,强制关机
|
:0047244D E8524BF9FF
Call 00406FA4
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00472447(C)
|
:00472452 A180C64700
mov eax, dword ptr [0047C680]
:00472457
C70001000000 mov dword ptr [eax], 00000001
:0047245D 8B45F8
mov eax, dword ptr [ebp-08]
:00472460 8B10
mov edx, dword ptr [eax]
:00472462 FF5214
call [edx+14]
:00472465
8BD8 mov
ebx, eax
:00472467 4B
dec ebx
:00472468 85DB
test ebx, ebx
:0047246A 7C4F
jl 004724BB
:0047246C
43
inc ebx
:0047246D C745F400000000 mov [ebp-0C],
00000000
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004724B9(C)
|
:00472474 8D4DD0
lea ecx, dword ptr [ebp-30]
:00472477
8B55F4 mov edx,
dword ptr [ebp-0C]
:0047247A 8B45F8
mov eax, dword ptr [ebp-08]
:0047247D 8B30
mov esi, dword ptr [eax]
:0047247F FF560C
call [esi+0C]
:00472482 8B45D0
mov eax, dword ptr [ebp-30]
:00472485 8D55D4
lea edx, dword ptr [ebp-2C]
:00472488
E89360F9FF call 00408520
:0047248D 8B55D4
mov edx, dword ptr [ebp-2C]
* Possible StringData Ref from Code Obj
->"URSoft" //与上面相同的遍历方式,这次查找"URSoft"(W32Dasm 的出品公司,其主窗口标题里带有这个字样),用来判断是否有W32Dasm在运行;命中同样置标志位并写 DBG 变量
|
:00472490 B840254700 mov
eax, 00472540
:00472495 E8CA1CF9FF
call 00404164
:0047249A 8BF0
mov esi, eax
:0047249C 85F6
test esi, esi
:0047249E
7415 je 004724B5
:004724A0 C645FF01
mov [ebp-01], 01
* Possible StringData Ref from Data Obj ->"DBG"
|
:004724A4 A184C44700
mov eax, dword ptr [0047C484]
* Possible
StringData Ref from Code Obj ->"User32"
|
:004724A9 BA24254700 mov
edx, 00472524
:004724AE E89917F9FF
call 00403C4C
:004724B3 EB06
jmp 004724BB
//小弟只是小鸟一只 希望各位大哥指点一二 小弟感激不尽
^_^ 解决方法说简单也简单 说难也难 ^_^
//如果你想要暴力破解这个软件,可以脱壳后把所有TRW、SOFTICE等字样全部改成AAA、BBB之类不相干的东西,这样就不
//关机了。但如果你想找出这个东西的注册码,我劝你千万不要这样做,因为只要改动了这些字符串,美萍就会算出一个
//不一样的“真实”注册码来(很厉害吧),这样即使你从美萍公司买到了产品也不会注册成功,切记。
//更稳妥的做法是不碰字符串,只改 004723C9 和 00472447 两处的 je(74 09 -> EB 09)直接跳过 ExitWindowsEx;不过这样 [ebp-01] 标志和 DBG 变量照样会被置上,程序别处会不会再据此做文章,从这段代码里看不出来。
//另外,这个程序还ANTI CrACKCode 只要发现目录下有这个文件立刻采取措施 呵呵 具体是什么措施你试试就知道了,
//总体来说这个东西的保护还没有网管大师成熟,还没有像它那样连REGMON FILEMON都不放过 ^_^ 大家破解的时候手下留
//情哦。
※谨以此拙文献给可爱的CCG,希望它能蒸蒸日上(JOJO老大的话 ^_^)
娃娃(NYDoll)
CHiNA CrACKiNG GrOUp
- 标 题:CHiNA CrACKiNG GrOUp (12千字)
- 作 者:娃娃[CCG]
- 时 间:2001-9-12 11:01:36
- 链 接:http://bbs.pediy.com