软件名称
渗透
版 本 2.63
版权所有 软件发行商
软件平台 Win9x WinNT Win2000
WinME
整理日期 2003-03-29
软件授权 共享
评 分
软件大小
2630KB
软件简介
PMT可以将多个文件保存于一个24位的BMP文件中,并允许用户进行权限设置,这样,不知情的人只能看到一幅正常的BMP图片,而你,却可在夜深人静时分,打开BMP图片慢慢欣赏里面的内容;或将BMP图片发给好友,即使好友的某某人与他(她)共用一个信箱也无所谓,呵呵,有点像间谍传送情报的味道:)
1. 利用 FLASH SWF、24bit BMP、JPG 文件的冗余空间,把一批文件插入到这类文件中去,而不破坏原文件的结构和显示效果,以达到隐藏用户重要文件的目的!注意:2.6 暂时支持用 FLASH 4、5 做的 SWF 文件,作者将在短期内推出支持 Flash MX 的版本。
2. 同时支持把文件追加到任何文件后!
3. 支持把一个文件作为密钥,这样使你的私人文件更安全!
4. 隐藏后的文件,可以在宿主文件中直接用渗透 2.6 打开使用。
5. 关闭渗透后,渗透 2.6 的内置文件粉碎机将删除临时目录中的文件,使得整个系统的安全性加强了!(2.5 用户的建议)
考虑到捆绑了其他文件会使宿主文件突然增大,容易引人注意,所以渗透 2.6 仍然提供最大不超过 2M 的渗透空间用于保存你的重要文件。
另,安装包中提供渗透伴侣——寄生虫 1.0,该软件弥补渗透 2.6 的不足,满足用户另一种捆绑加密方式。两者最大的区别是:寄生虫不限制隐私文件的大小,现在您可以把您的电影藏起来了:),详细内容见渗透 readme。
破解工具:ollydbg1.09+w32Dasm
注册码:94A9E1C6
假序列号:4321-5432-6543-7654
一、脱壳后,在 W32Dasm 中查找出错信息的字符串引用。
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B5002(C),
:004B5008(U)
|
:004B500E 807DFB00
cmp byte ptr [ebp-05], 00
:004B5012 7442
je 004B5056======>会跳到成功
:004B5014
A128B24C00 mov eax, dword ptr
[004CB228]
:004B5019 8B00
mov eax, dword ptr [eax]
:004B501B 8B80F4020000
mov eax, dword ptr [eax+000002F4]
*
Possible StringData Ref from Code Obj ->"注册错误"
|
:004B5021 BAA8514B00
mov edx, 004B51A8
:004B5026 E821DDF8FF
call 00442D4C
:004B502B A128B24C00
mov eax, dword ptr [004CB228]
:004B5030 8B00
mov eax, dword ptr
[eax]
二、向上看,这里是输入验证部分,对输入的序列号作检验(请看以下代码):
004B4F68
|. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B4F6B
|. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004B4F71 |.
E8 A6DDF8FF CALL AA.00442D1C
; 取第一个串4321
004B4F76 |. 8B45 F4
MOV EAX,DWORD PTR SS:[EBP-C]
004B4F79 |. E8 F6FBFFFF
CALL AA.004B4B74 ;
eax的值为00004321
004B4F7E |. 8BF0
MOV ESI,EAX
004B4F80 |. 66:F7D6 NOT
SI
; 对SI按位取反(NOT,不是异或),结果为BCDE(串1)
004B4F83 |. 8D55 F0
LEA EDX,DWORD PTR SS:[EBP-10]
004B4F86 |. 8B83 14030000
MOV EAX,DWORD PTR DS:[EBX+314]
004B4F8C |. E8 8BDDF8FF CALL
AA.00442D1C ; 取第二串
004B4F91
|. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B4F94
|. E8 DBFBFFFF CALL AA.004B4B74
004B4F99 |. 8BF8
MOV EDI,EAX
; eax值为5432
004B4F9B |.
66:F7D7 NOT DI
; 对DI按位取反(NOT,不是异或),结果为ABCD(串2)
004B4F9E
|. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004B4FA1
|. 8B83 18030000 MOV EAX,DWORD PTR DS:[EBX+318]
004B4FA7 |.
E8 70DDF8FF CALL AA.00442D1C
; 取第三串6543
004B4FAC |. 8B45 EC
MOV EAX,DWORD PTR SS:[EBP-14]
004B4FAF |. E8 C0FBFFFF
CALL AA.004B4B74
004B4FB4 |. 66:8945 FE MOV WORD PTR
SS:[EBP-2],AX ; eax值为6543
004B4FB8 |.
8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004B4FBB |.
8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
004B4FC1 |. E8
56DDF8FF CALL AA.00442D1C
; 取第四串7654
004B4FC6 |. 8B45 E8
MOV EAX,DWORD PTR SS:[EBP-18]
004B4FC9 |. E8 A6FBFFFF CALL
AA.004B4B74 ; eax值为7654
004B4FCE
|. 66:8945 FC MOV WORD PTR SS:[EBP-4],AX
; 7654入ebp-4
004B4FD2 |. C645 FB 00 MOV
BYTE PTR SS:[EBP-5],0
004B4FD6 |. 8BD6
MOV EDX,ESI
; 第二串非或值入EDX,此为BCDE
004B4FD8 |. 8BC7
MOV EAX,EDI
; 第一串非或值入EAX,此为ABCD
004B4FDA |.
E8 39FCFFFF CALL AA.004B4C18
; 关键call(1):第一串与第二串作运算,第一串值ABCD作相应运算再与串二BCDE作比较,如相等,则AL置1。
004B4FDF
|. 84C0 TEST AL,AL
004B4FE1 |.
74 27 JE SHORT AA.004B500A
004B4FE3 |.
8BD7 MOV EDX,EDI
004B4FE5 |.
66:33D6 XOR DX,SI
; 串1与串2xor值入DX,DX=1713
004B4FE8
|. 8BC2 MOV EAX,EDX
; xor值入eax
004B4FEA
|. 66:35 A500 XOR AX,0A5
; 再与0A5xor
004B4FEE
|. 66:33C6 XOR AX,SI
; 再与SI(SI即为BCDE)xor
004B4FF1
|. 66:F7D0 NOT AX
; AX再not
004B4FF4
|. 66:3B55 FE CMP DX,WORD PTR SS:[EBP-2]
; 1713与6543串比较
004B4FF8 |. 74 04
JE SHORT AA.004B4FFE=============>(1)je改为jne
004B4FFA |.
C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
004B4FFE |>
66:3B45 FC CMP AX,WORD PTR SS:[EBP-4]
004B5002 |.
74 0A JE SHORT AA.004B500E=============>(2)je改为jne
004B5004
|. C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
004B5008 |.
EB 04 JMP SHORT AA.004B500E
004B500A |>
C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
004B500E |>
807D FB 00 CMP BYTE PTR SS:[EBP-5],0
004B5012 |. 74
42 JE SHORT AA.004B5056============>(3)je改为jne
004B5014
|. A1 28B24C00 MOV EAX,DWORD PTR DS:[4CB228]
004B5019 |.
8B00 MOV EAX,DWORD PTR DS:[EAX]
004B501B
|. 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
004B5021 |.
BA A8514B00 MOV EDX,AA.004B51A8
004B5026 |. E8 21DDF8FF
CALL AA.00442D4C
004B502B |. A1 28B24C00 MOV EAX,DWORD
PTR DS:[4CB228]
004B5030 |. 8B00 MOV
EAX,DWORD PTR DS:[EAX]
004B5032 |. 8B80 04030000 MOV EAX,DWORD
PTR DS:[EAX+304]
004B5038 |. BA BC514B00 MOV EDX,AA.004B51BC
004B503D
|. E8 0ADDF8FF CALL AA.00442D4C
004B5042 |. A1
28B24C00 MOV EAX,DWORD PTR DS:[4CB228]
004B5047 |. 8B00
MOV EAX,DWORD PTR DS:[EAX]
004B5049 |.
8B10 MOV EDX,DWORD PTR DS:[EAX]
004B504B
|. FF92 E8000000 CALL DWORD PTR DS:[EDX+E8] ;
出错框
----------------------------------------------------
CAll(1)
----------------------------------------------------
004B4C18
/$ 55 PUSH EBP
004B4C19
|. 8BEC MOV EBP,ESP
004B4C1B
|. 83C4 F8 ADD ESP,-8
004B4C1E |. 53
PUSH EBX
004B4C1F |. 56
PUSH ESI
004B4C20 |. 33C9
XOR ECX,ECX
004B4C22 |. 894D
F8 MOV DWORD PTR SS:[EBP-8],ECX
004B4C25 |. 66:8955
FE MOV WORD PTR SS:[EBP-2],DX
004B4C29 |. 8BD8
MOV EBX,EAX
004B4C2B |. 33C0
XOR EAX,EAX
004B4C2D |. 55
PUSH EBP
004B4C2E |. 68 A94C4B00
PUSH AA.004B4CA9
004B4C33 |. 64:FF30 PUSH
DWORD PTR FS:[EAX]
004B4C36 |. 64:8920 MOV
DWORD PTR FS:[EAX],ESP
004B4C39 |. 6A 00
PUSH 0
004B4C3B |. 8D45 F8 LEA EAX,DWORD PTR
SS:[EBP-8]
004B4C3E |. B9 C04C4B00 MOV ECX,AA.004B4CC0
; ASCII "pmt.dat"
004B4C43
|. 8B15 BC649601 MOV EDX,DWORD PTR DS:[19664BC]
004B4C49 |.
E8 8EFEF4FF CALL AA.00404ADC
004B4C4E |. 8B4D F8
MOV ECX,DWORD PTR SS:[EBP-8] ; |
004B4C51 |.
B2 01 MOV DL,1
; |
004B4C53 |.
A1 14504100 MOV EAX,DWORD PTR DS:[415014] ; |
004B4C58
|. E8 F751F6FF CALL AA.00419E54
; \AA.00419E54
004B4C5D |. 8BF0
MOV ESI,EAX
004B4C5F |. 0FB7D3
MOVZX EDX,BX
; BX=ABCD
004B4C62 |. 66:8B4D
FC MOV CX,WORD PTR SS:[EBP-4]
004B4C66 |. 8BC6
MOV EAX,ESI
004B4C68 |. 8B18
MOV EBX,DWORD PTR DS:[EAX]
004B4C6A |. FF53
10 CALL DWORD PTR DS:[EBX+10] ;
main
004B4C6D |. 8D55 FC LEA EDX,DWORD
PTR SS:[EBP-4] ; EBP-4为BCDE0000
004B4C70 |. B9
02000000 MOV ECX,2
004B4C75 |. 8BC6
MOV EAX,ESI
004B4C77 |. 8B18
MOV EBX,DWORD PTR DS:[EAX]
004B4C79 |. FF53 08
CALL DWORD PTR DS:[EBX+8] ; main
004B4C7C
|. 66:8B45 FC MOV AX,WORD PTR SS:[EBP-4]
; AX置
004B4C80 |. 66:3B45 FE CMP
AX,WORD PTR SS:[EBP-2] ; AX与BCDE比较
004B4C84
74 04 JE SHORT AA.004B4C8A
; 关键跳
004B4C86 |. B3
01 MOV BL,1
004B4C88 |. EB 02
JMP SHORT AA.004B4C8C
004B4C8A |> 33DB
XOR EBX,EBX
004B4C8C |> 8BC6
MOV EAX,ESI
004B4C8E |. E8 55EDF4FF
CALL AA.004039E8
004B4C93 |. 33C0
XOR EAX,EAX
004B4C95 |. 5A
POP EDX
004B4C96 |. 59
POP ECX
004B4C97 |. 59
POP ECX
004B4C98 |. 64:8910 MOV DWORD
PTR FS:[EAX],EDX
004B4C9B |. 68 B04C4B00 PUSH AA.004B4CB0
004B4CA0
|> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004B4CA3
|. E8 30FBF4FF CALL AA.004047D8
004B4CA8 \. C3
RETN
--------------------------------
三、重启后,验证部分
004B4CF5
|. E8 D2D90000 CALL bb.004C26CC
004B4CFA |. 8D45 F8
LEA EAX,DWORD PTR SS:[EBP-8]
004B4CFD |. BA
C44E4B00 MOV EDX,bb.004B4EC4
; ASCII "\pmt.ini"
004B4D02
|. E8 91FDF4FF CALL bb.00404A98
004B4D07 |. 8B4D F8
MOV ECX,DWORD PTR SS:[EBP-8]
004B4D0A |. B2
01 MOV DL,1
004B4D0C |. A1 FC7A4600
MOV EAX,DWORD PTR DS:[467AFC]
004B4D11 |. E8 962EFBFF
CALL bb.00467BAC
004B4D16 |. 8BF0
MOV ESI,EAX
004B4D18 |. 68 D84E4B00 PUSH bb.004B4ED8
;
ASCII "1111"
004B4D1D |. 8D45 F4
LEA EAX,DWORD PTR SS:[EBP-C]
004B4D20 |. 50
PUSH EAX
004B4D21 |. B9 E84E4B00 MOV
ECX,bb.004B4EE8
004B4D26 |. BA F44E4B00 MOV EDX,bb.004B4EF4
004B4D2B
|. 8BC6 MOV EAX,ESI
004B4D2D |.
8B38 MOV EDI,DWORD PTR DS:[EAX]
004B4D2F
|. FF17 CALL DWORD PTR DS:[EDI]
004B4D31
|. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004B4D34
|. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004B4D3A |.
E8 0DE0F8FF CALL bb.00442D4C
004B4D3F |. 68 D84E4B00
PUSH bb.004B4ED8
; ASCII "1111"
004B4D44 |.
8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B4D47 |.
50 PUSH EAX
004B4D48 |. B9
004F4B00 MOV ECX,bb.004B4F00
004B4D4D |. BA F44E4B00
MOV EDX,bb.004B4EF4
004B4D52 |. 8BC6
MOV EAX,ESI
004B4D54 |. 8B38
MOV EDI,DWORD PTR DS:[EAX]
004B4D56 |. FF17
CALL DWORD PTR DS:[EDI]
004B4D58 |. 8B55 F0
MOV EDX,DWORD PTR SS:[EBP-10]
004B4D5B |. 8B83 14030000 MOV
EAX,DWORD PTR DS:[EBX+314]
004B4D61 |. E8 E6DFF8FF CALL
bb.00442D4C
004B4D66 |. 68 D84E4B00 PUSH bb.004B4ED8
;
ASCII "1111"
004B4D6B |. 8D45 EC
LEA EAX,DWORD PTR SS:[EBP-14]
004B4D6E |. 50
PUSH EAX
004B4D6F |. B9 0C4F4B00 MOV
ECX,bb.004B4F0C
004B4D74 |. BA F44E4B00 MOV EDX,bb.004B4EF4
004B4D79
|. 8BC6 MOV EAX,ESI
004B4D7B |.
8B38 MOV EDI,DWORD PTR DS:[EAX]
004B4D7D
|. FF17 CALL DWORD PTR DS:[EDI]
004B4D7F
|. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B4D82
|. 8B83 18030000 MOV EAX,DWORD PTR DS:[EBX+318]
004B4D88 |.
E8 BFDFF8FF CALL bb.00442D4C
004B4D8D |. 68 D84E4B00
PUSH bb.004B4ED8
; ASCII "1111"
004B4D92 |.
8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004B4D95 |.
50 PUSH EAX
004B4D96 |. B9
184F4B00 MOV ECX,bb.004B4F18
004B4D9B |. BA F44E4B00
MOV EDX,bb.004B4EF4
004B4DA0 |. 8BC6
MOV EAX,ESI
004B4DA2 |. 8B38
MOV EDI,DWORD PTR DS:[EAX]
004B4DA4 |. FF17
CALL DWORD PTR DS:[EDI]
004B4DA6 |. 8B55 E8
MOV EDX,DWORD PTR SS:[EBP-18]
004B4DA9 |. 8B83 1C030000 MOV
EAX,DWORD PTR DS:[EBX+31C]
004B4DAF |. E8 98DFF8FF CALL
bb.00442D4C
004B4DB4 |. 68 D84E4B00 PUSH bb.004B4ED8
;
ASCII "1111"
004B4DB9 |. 8D45 E4
LEA EAX,DWORD PTR SS:[EBP-1C]
004B4DBC |. 50
PUSH EAX
004B4DBD |. B9 244F4B00 MOV
ECX,bb.004B4F24
; ASCII "ID"
004B4DC2 |. BA 304F4B00
MOV EDX,bb.004B4F30
; ASCII "code"
004B4DC7 |.
8BC6 MOV EAX,ESI
004B4DC9 |. 8B38
MOV EDI,DWORD PTR DS:[EAX]
004B4DCB |.
FF17 CALL DWORD PTR DS:[EDI]
; 取机器码bb.0
004B4DCD
|. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B4DD0
|. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B4DD6 |.
E8 71DFF8FF CALL bb.00442D4C
004B4DDB |. 8BC6
MOV EAX,ESI
004B4DDD |. E8 06ECF4FF CALL
bb.004039E8
004B4DE2 |. 8D55 E0 LEA EDX,DWORD
PTR SS:[EBP-20]
004B4DE5 |. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004B4DEB
|. E8 2CDFF8FF CALL bb.00442D1C
再重启时与注册码作运算(请看以下代码)
004B4DC7
|. 8BC6 MOV EAX,ESI
004B4DC9
|. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B4DCB
|. FF17 CALL DWORD PTR DS:[EDI]
; 取注册码
004B4DCD
|. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B4DD0
|. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B4DD6 |.
E8 71DFF8FF CALL BB.00442D4C
; main
004B4DDB |.
8BC6 MOV EAX,ESI
004B4DDD |.
E8 06ECF4FF CALL BB.004039E8
004B4DE2 |. 8D55 E0
LEA EDX,DWORD PTR SS:[EBP-20]
004B4DE5 |. 8B83 10030000
MOV EAX,DWORD PTR DS:[EBX+310]
004B4DEB |. E8 2CDFF8FF CALL
BB.00442D1C
004B4DF0 |. 8B45 E0 MOV EAX,DWORD
PTR SS:[EBP-20]
004B4DF3 |. E8 7CFDFFFF CALL BB.004B4B74
004B4DF8
|. 8BF0 MOV ESI,EAX
004B4DFA
|. 66:F7D6 NOT SI
004B4DFD |. 8D55
DC LEA EDX,DWORD PTR SS:[EBP-24]
004B4E00 |. 8B83
14030000 MOV EAX,DWORD PTR DS:[EBX+314]
004B4E06 |. E8 11DFF8FF
CALL BB.00442D1C
004B4E0B |. 8B45 DC
MOV EAX,DWORD PTR SS:[EBP-24]
004B4E0E |. E8 61FDFFFF CALL
BB.004B4B74
004B4E13 |. 8BF8 MOV
EDI,EAX
004B4E15 |. 66:F7D7 NOT DI
004B4E18
|. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004B4E1B
|. 8B83 18030000 MOV EAX,DWORD PTR DS:[EBX+318]
004B4E21 |.
E8 F6DEF8FF CALL BB.00442D1C
004B4E26 |. 8B45 D8
MOV EAX,DWORD PTR SS:[EBP-28]
004B4E29 |. E8 46FDFFFF
CALL BB.004B4B74
004B4E2E |. 66:8945 FE MOV
WORD PTR SS:[EBP-2],AX
004B4E32 |. 8D55 D4
LEA EDX,DWORD PTR SS:[EBP-2C]
004B4E35 |. 8B83 1C030000 MOV EAX,DWORD
PTR DS:[EBX+31C]
004B4E3B |. E8 DCDEF8FF CALL BB.00442D1C
004B4E40
|. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B4E43
|. E8 2CFDFFFF CALL BB.004B4B74
004B4E48 |. 66:8945
FC MOV WORD PTR SS:[EBP-4],AX
004B4E4C |. 33DB
XOR EBX,EBX
004B4E4E |. 8BD6
MOV EDX,ESI
004B4E50 |. 8BC7
MOV EAX,EDI
004B4E52 |. E8 C1FDFFFF
CALL BB.004B4C18
004B4E57 |. 84C0
TEST AL,AL
004B4E59 /74 23
JE SHORT BB.004B4E7E=============>(4)je改为jne
004B4E5B |. 8BD7
MOV EDX,EDI
004B4E5D |. 66:33D6
XOR DX,SI
004B4E60 |. 8BC2
MOV EAX,EDX
004B4E62 |. 66:35 A500 XOR
AX,0A5
004B4E66 |. 66:33C6 XOR AX,SI
004B4E69
|. 66:F7D0 NOT AX
004B4E6C |. 66:3B55
FE CMP DX,WORD PTR SS:[EBP-2]
004B4E70 /74 02
JE SHORT BB.004B4E74=============>(5)je改为jne
004B4E72
|. B3 01 MOV BL,1
004B4E74 |>
66:3B45 FC CMP AX,WORD PTR SS:[EBP-4]
004B4E78
/74 06 JE SHORT BB.004B4E80============>(6)je改为jne
004B4E7A
|. B3 01 MOV BL,1
004B4E7C |.
EB 02 JMP SHORT BB.004B4E80
004B4E7E |>
B3 01 MOV BL,1
004B4E80 |> 80F3
01 XOR BL,1
为实现爆破,只需在(1)-(6)处作相应更改即可实现破解。
另:
本来想跟出注册码,可惜功力不够,关键 CALL(1) 有一部分算法看不明白,哪位兄弟帮我补充一下。
还有一条寄生虫,大家可以拿来练手。
lordor
4.10