软件的功能概述:
~~~~~~~~~~~~~~ SubmitWolf是宣传因特网站点的自动提交向导,它能够在几分钟内将一个URL排列 到数百个搜索引擎和链接目录上。 保护方法: ~~~~~~~~ 简单的name/code保护;未注册版本中,大多数站点不可使用,URL只能被提交到少数 几个选定的站点。 破解过程: ~~~~~~~~ (第一次) 启动TRW2000,按OK,TRW2000已隐藏在TaskBar了。运行SubmitWolf,按“注册”, 分别填入: 注册名称:iloveeagle 序列号: 10101010 CTRL-N,进入TRW2000,下断点bpx getdlgitemtexta,再CTRL-N,按“确定”。程序中断在: * Reference To: USER32.GetDlgItemTextA, Ord:0104h | :00418588 8B355C514300 mov esi, dword ptr [0043515C] :0041858E 8D44240C lea eax, dword ptr [esp+0C]<---注册码地址 :00418592 6A50 push 00000050 :00418594 50 push eax :00418595 6814040000 push 00000414 :0041859A 53 push ebx :0041859B FFD6 call esi<----------取得注册码 我们中断在此CALL内,F12来到RET语句,再F10回到下面一句。然后清除所有断点 :BC * 再F10一路走下。 :0041859D 8D8C248C000000 lea ecx, dword ptr [esp+0000008C] ;name地址 :004185A4 6A50 push 00000050 :004185A6 51 push ecx * Possible Reference to Dialog: DialogID_0098, CONTROL_ID:0405, "" | :004185A7 6805040000 push 00000405 :004185AC 53 push ebx :004185AD FFD6 call esi<-----------------取得name :004185AF 8D54240C lea edx, dword ptr [esp+0C] :004185B3 6A52 push 00000052 :004185B5 52 push edx :004185B6 E8254F0100 call 0042D4E0<---------若注册码中含有字符"R",则返回 :004185BB 83C408 add esp, 00000008 "R"的地址;否则返回0。对应于第二 :004185BE 85C0 test eax, eax 种注册码的情形。 :004185C0 7475 je 00418637 :004185C2 8D7C240C lea edi, dword ptr [esp+0C]---|这个过程是把name和code调换位置 :004185C6 83C9FF or ecx, FFFFFFFF |注册码为第二种形式时,执行这 :004185C9 33C0 xor eax, eax |里的语句。(***) :004185CB 8D54240C lea edx, dword ptr [esp+0C] | :004185CF F2 repnz | :004185D0 AE scasb | :004185D1 F7D1 not ecx | :004185D3 2BF9 sub edi, ecx | :004185D5 8BC1 mov eax, ecx | :004185D7 8BF7 mov esi, edi | :004185D9 BF60E64300 mov edi, 0043E660 | :004185DE C1E902 shr ecx, 02 | :004185E1 F3 repz | :004185E2 A5 movsd | :004185E3 8BC8 mov ecx, eax | :004185E5 33C0 xor eax, eax | :004185E7 83E103 and ecx, 00000003 | :004185EA F3 repz | :004185EB A4 movsb | :004185EC 8DBC248C000000 lea edi, dword ptr [esp+0000008C] :004185F3 83C9FF or ecx, FFFFFFFF | :004185F6 F2 repnz | :004185F7 AE scasb | :004185F8 F7D1 not ecx | :004185FA 2BF9 sub edi, ecx | :004185FC 8BC1 mov eax, ecx | :004185FE 8BF7 mov esi, edi | :00418600 8BFA mov edi, edx | :00418602 8D94248C000000 lea edx, dword ptr [esp+0000008C] :00418609 C1E902 shr ecx, 02 | :0041860C F3 repz | :0041860D A5 movsd | :0041860E 8BC8 mov ecx, eax | :00418610 33C0 xor eax, eax | :00418612 83E103 and ecx, 00000003 | :00418615 F3 repz | :00418616 A4 movsb | :00418617 BF60E64300 mov edi, 0043E660 | :0041861C 83C9FF or ecx, FFFFFFFF | :0041861F F2 repnz | :00418620 AE scasb | :00418621 F7D1 not ecx | :00418623 2BF9 sub edi, ecx | :00418625 8BC1 mov eax, ecx | :00418627 8BF7 mov esi, edi | :00418629 8BFA mov edi, edx | :0041862B C1E902 shr ecx, 02 | :0041862E F3 repz | :0041862F A5 movsd | :00418630 8BC8 mov ecx, eax | :00418632 83E103 and ecx, 00000003 | :00418635 F3 repz | :00418636 A4 movsb-------------------------| 走到:004185C0处,看看跳转的两个方向,都没要出对话框的意思。那么先F10跟它走,看看有何结果。我们来 到:00418637处。 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004185C0(C) | :00418637 8D8C248C000000 lea ecx, dword ptr [esp+0000008C] :0041863E 51 push ecx :0041863F E83CDBFFFF call 00416180<-------------对name的第一位和最后一位字符 :00418644 8D542410 lea edx, dword ptr [esp+10] 做有效性检查. :00418648 52 push edx :00418649 E832DBFFFF call 00416180<-------------对code的第一位和最后一位字符 :0041864E 8D442414 lea eax, dword ptr [esp+14] 做有效性检查. :00418652 8D8C2494000000 lea ecx, dword ptr [esp+00000094] :00418659 50 push eax :0041865A 51 push ecx :0041865B E890090000 call 00418FF0<---------注册码不正确则返回0.重要,F8进入. * Reference To: USER32.LoadStringA, Ord:01ABh | :00418660 8B35A8514300 mov esi, dword ptr [004351A8] :00418666 83C410 add esp, 00000010 :00418669 85C0 test eax, eax :0041866B 0F85AE000000 jne 0041871F<---------这里是要害所在! 走到这里,抬头看看eax,它的值为0。程序不会跳走,再看看下面的语句,将要显示一个出错对话框。我们 马上明白:要想注册成功,eax必须不为0。问题的焦点马上集中在:0041865B处的那个CALL上了。 :00418671 8B1550624400 mov edx, dword ptr [00446250] 下面的messageboxa. :00418677 68D00F0000 push 00000FD0 :0041867C 6860E64300 push 0043E660 * Possible Reference to String Resource ID=01459: "鑼 ??鬣H" | :00418681 68B3050000 push 000005B3 :00418686 52 push edx :00418687 FFD6 call esi :00418689 A150624400 mov eax, dword ptr [00446250] :0041868E 68D00F0000 push 00000FD0 :00418693 6800D44300 push 0043D400 * Possible Reference to String Resource ID=01460: "鑼郒" | :00418698 68B4050000 push 000005B4 :0041869D 50 push eax :0041869E FFD6 call esi :004186A0 6A30 push 00000030 :004186A2 6800D44300 push 0043D400 :004186A7 6860E64300 push 0043E660 :004186AC 53 push ebx * Reference To: USER32.MessageBoxA, Ord:01BEh (第二次) CTRL-N,回到程序,重新输入注册信息。这次CODE我输的是191919(为了便于进行内存搜索,我 每次都输不同的CODE,这是个小经验)。CTRL-N进入TRW2000,在:0041859D处双击鼠标,设置断 点。再CTRL-N回到程序,按下“确定”钮。(BC *)清除所有断点,F10一直到 :0041865B E890090000 call 00418FF0 F8进入。再F10一路走下。 下面是call 00418FF0的内容: :00418FF0 83EC70 sub esp, 00000070 :00418FF3 53 push ebx :00418FF4 8B5C2478 mov ebx, dword ptr [esp+78] ;[ebx]->code :00418FF8 56 push esi :00418FF9 57 push edi :00418FFA 85DB test ebx, ebx :00418FFC 7436 je 00419034 :00418FFE 6A52 push 00000052<--"R"----------------------------|注册码为第二种 :00419000 53 push ebx |形式时,执行这 :00419001 E8DA440100 call 0042D4E0<--返回code中"R"的地址. |里的语句。 :00419006 83C408 add esp, 00000008 |(***) :00419009 85C0 test eax, eax | :0041900B 7427 je 00419034 | :0041900D 8BBC2484000000 mov edi, dword ptr [esp+00000084] ;[edi]->name| :00419014 85FF test edi, edi | :00419016 0F84ED010000 je 00419209 | :0041901C 6A40 push 00000040 | :0041901E 57 push edi | :0041901F E8BC440100 call 0042D4E0<--返回name中"@"的地址. | :00419024 83C408 add esp, 00000008 | :00419027 85C0 test eax, eax | :00419029 7410 je 0041903B | :0041902B 8BFB mov edi, ebx | | * Possible StringData Ref from Data Obj ->"EPAK" | | | :0041902D BB44824300 mov ebx, 00438244 | :00419032 EB07 jmp 0041903B-----------------------------------| * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00418FFC(C), :0041900B(C) | :00419034 8BBC2484000000 mov edi, dword ptr [esp+00000084] ;[edi]->code * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00419029(C), :00419032(U) | :0041903B 85FF test edi, edi :0041903D 0F84C6010000 je 00419209 :00419043 85DB test ebx, ebx :00419045 0F84BE010000 je 00419209 * Possible Ref to Menu: MenuID_0064, Item: "" | :0041904B 6A02 push 00000002 * Possible StringData Ref from Data Obj ->"PY" | :0041904D 685C824300 push 0043825C :00419052 57 push edi :00419053 E898450100 call 0042D5F0<------比较code前两位是否为"PY",相等则返回0...(1) :00419058 83C40C add esp, 0000000C 否则不为0 :0041905B 85C0 test eax, eax :0041905D 7418 je 00419077 * Possible Ref to Menu: MenuID_0064, Item: "" | :0041905F 6A02 push 00000002 * Possible StringData Ref from Data Obj ->"EY" | :00419061 6858824300 push 00438258 :00419066 57 push edi :00419067 E884450100 call 0042D5F0<------比较code前两位是否为"EY",相等则返回....(2) :0041906C 83C40C add esp, 0000000C 否则不为0 :0041906F 85C0 test eax, eax :00419071 0F8592010000 jne 00419209 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0041905D(C) | * Possible Ref to Menu: MenuID_0064, Item: "" | :00419077 6A02 push 00000002 * Possible StringData Ref from Data Obj ->"EY" | :00419079 6858824300 push 00438258 :0041907E 57 push edi :0041907F E86C450100 call 0042D5F0<----同上.....................................(3) :00419084 F7D8 neg eax :00419086 1BC0 sbb eax, eax :00419088 6A2D push 0000002D :0041908A 40 inc eax :0041908B 57 push edi :0041908C A304BC4300 mov dword ptr [0043BC04], eax :00419091 E81A470100 call 0042D7B0<-----------------返回code中"-"的位置.........(4) :00419096 83C414 add esp, 00000014 :00419099 85C0 test eax, eax :0041909B 0F8468010000 je 00419209<------若无"-",则死 :004190A1 83C9FF or ecx, FFFFFFFF :004190A4 33C0 xor eax, eax :004190A6 F2 repnz :004190A7 AE scasb :004190A8 F7D1 not ecx :004190AA 2BF9 sub edi, ecx :004190AC 8D542414 lea edx, dword ptr [esp+14] :004190B0 8BC1 mov eax, ecx :004190B2 8BF7 mov esi, edi :004190B4 8BFA mov edi, edx :004190B6 6A2D push 0000002D :004190B8 C1E902 shr ecx, 02 :004190BB F3 repz :004190BC A5 movsd :004190BD 8BC8 mov ecx, eax :004190BF 83E103 and ecx, 00000003 :004190C2 F3 repz :004190C3 A4 movsb :004190C4 8D4C2418 lea ecx, dword ptr [esp+18] :004190C8 51 push ecx :004190C9 E8E2460100 call 0042D7B0<--------------------同上....................(5) :004190CE 8BF8 mov edi, eax :004190D0 83C408 add esp, 00000008 :004190D3 85FF test edi, edi :004190D5 0F842E010000 je 00419209 :004190DB C60700 mov byte ptr [edi], 00 :004191BA 8D442448 lea eax, dword ptr [esp+48] (第三次) 这里我略去了一个繁长的计算过程。其实第二次我们不会来到这里,反而会很快跳到:00419209 处,返回eax=0,跳到失败。从第二次的过程我们看到,注册码的前两位必须是“PY”或“EY” 并且必须有一位是“-”。再从头来一次,这次输入name:QQQ/code:EY2000-121212。进入 :0041865B E890090000 call 00418FF0 后,反正是F10,一路按下。突然,看看下面,多么熟悉的身影映入眼帘。这样你就得到了一个 正确的注册码组合。若想作注册机就仔细研究一下略去的部分。 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004191E0(C) | :004191BE 8A10 mov dl, byte ptr [eax]<--------真假code的比较!!!...........(6) :004191C0 8A1E mov bl, byte ptr [esi] :004191C2 8ACA mov cl, dl :004191C4 3AD3 cmp dl, bl :004191C6 752C jne 004191F4 :004191C8 84C9 test cl, cl :004191CA 7416 je 004191E2 :004191CC 8A5001 mov dl, byte ptr [eax+01] :004191CF 8A5E01 mov bl, byte ptr [esi+01] :004191D2 8ACA mov cl, dl :004191D4 3AD3 cmp dl, bl :004191D6 751C jne 004191F4 :004191D8 83C002 add eax, 00000002 :004191DB 83C602 add esi, 00000002 :004191DE 84C9 test cl, cl :004191E0 75DC jne 004191BE * Referenced by a (U)nconditional or (C)onditional Jump at Address:<---跳到这里,则成功 |:004191CA(C) | :004191E2 33C0 xor eax, eax :004191E4 33C9 xor ecx, ecx :004191E6 85C0 test eax, eax :004191E8 0F94C1 sete cl :004191EB 5F pop edi :004191EC 5E pop esi :004191ED 8BC1 mov eax, ecx :004191EF 5B pop ebx :004191F0 83C470 add esp, 00000070 :004191F3 C3 ret * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<--跳到这里,有可能成功 |:004191C6(C), :004191D6(C) 但看看这两个跳转,都是 | jnz,所以到这里也是死! :004191F4 1BC0 sbb eax, eax :004191F6 5F pop edi :004191F7 83D8FF sbb eax, FFFFFFFF :004191FA 33C9 xor ecx, ecx :004191FC 85C0 test eax, eax :004191FE 0F94C1 sete cl :00419201 5E pop esi :00419202 8BC1 mov eax, ecx :00419204 5B pop ebx :00419205 83C470 add esp, 00000070 :00419208 C3 ret * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<---若跳到这里,则失败. |:00419016(C), :0041903D(C), :00419045(C), :00419071(C), :0041909B(C) |:004190D5(C) | :00419209 5F pop edi :0041920A 5E pop esi :0041920B 33C0 xor eax, eax :0041920D 5B pop ebx :0041920E 83C470 add esp, 00000070 :00419211 C3 ret 事情完了吗?没有。我们应该研究一下两个标有(***)的程序段。第一个程序段在判断CODE中含有“R” 后,把NAME和CODE在内存的地址对调;第二个程序段是判断NAME中是否含有字符“@”。见下面总结: 总结: 这个程序存在两种类型的注册码: 1、一种注册码形式如: Name:QQQ/code:EY2000-121212 这里,"EY"和"-"间的数字随意。“-”后的数字由Name和“-”前的字符(包括EY) 算出。“EY”也可以是“PY”。当然"EY"和"-"间也可以没东西,这样注册后也可看到 注册成功的画面。但在联网升级时,会发生错误,连选择升级组件的列表都不出现;我 用上面的注册码注册时,会出现选择升级组件的列表,选好组件后,要求我输入email地 址,这时我才犯难了。我怎么知道有哪些email地址在它的服务器上注了册,我又不是 黑客。 2、另一种注册码形式如: Name:anything@anything/code:EYR2002-121212 这种形式的注册码和NAME是无关的。注册码中必须含有“R”,前两位也必须是 “EY”或“PY”。“-”后的数字由字符“EPAK”和“-”前的字符(包括“EY”或“PY”) 算出。而NAME中的“@”是必须有的,作者很可能想让你输入email地址。这种注册码也许和 引擎软件包(Engine Pack)的升级有关。