~~~~~~~~~~~~~~
SubmitWolf是宣传因特网站点的自动提交向导,它能够在几分钟内将一个URL排列
到数百个搜索引擎和链接目录上。
保护方法:
~~~~~~~~
简单的name/code保护;未注册版本中,大多数站点不可使用,URL只能被提交到少数
几个选定的站点。
破解过程:
~~~~~~~~
(第一次) 启动TRW2000,按OK,TRW2000已隐藏在TaskBar了。运行SubmitWolf,按“注册”,
分别填入:
注册名称:iloveeagle
序列号: 10101010
CTRL-N,进入TRW2000,下断点bpx getdlgitemtexta,再CTRL-N,按“确定”。程序中断在:
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:00418588 8B355C514300 mov esi, dword ptr [0043515C]
:0041858E 8D44240C lea eax, dword ptr [esp+0C]<---注册码地址
:00418592 6A50 push 00000050
:00418594 50 push eax
:00418595 6814040000 push 00000414
:0041859A 53 push ebx
:0041859B FFD6 call esi<----------取得注册码
我们中断在此CALL内,F12来到RET语句,再F10回到下面一句。然后清除所有断点
:BC *
再F10一路走下。
:0041859D 8D8C248C000000 lea ecx, dword ptr [esp+0000008C] ;name地址
:004185A4 6A50 push 00000050
:004185A6 51 push ecx
* Possible Reference to Dialog: DialogID_0098, CONTROL_ID:0405, ""
|
:004185A7 6805040000 push 00000405
:004185AC 53 push ebx
:004185AD FFD6 call esi<-----------------取得name
:004185AF 8D54240C lea edx, dword ptr [esp+0C]
:004185B3 6A52 push 00000052
:004185B5 52 push edx
:004185B6 E8254F0100 call 0042D4E0<---------若注册码中含有字符"R",则返回
:004185BB 83C408 add esp, 00000008 "R"的地址;否则返回0。对应于第二
:004185BE 85C0 test eax, eax 种注册码的情形。
:004185C0 7475 je 00418637
:004185C2 8D7C240C lea edi, dword ptr [esp+0C]---|这个过程是把name和code调换位置
:004185C6 83C9FF or ecx, FFFFFFFF |注册码为第二种形式时,执行这
:004185C9 33C0 xor eax, eax |里的语句。(***)
:004185CB 8D54240C lea edx, dword ptr [esp+0C] |
:004185CF F2 repnz |
:004185D0 AE scasb |
:004185D1 F7D1 not ecx |
:004185D3 2BF9 sub edi, ecx |
:004185D5 8BC1 mov eax, ecx |
:004185D7 8BF7 mov esi, edi |
:004185D9 BF60E64300 mov edi, 0043E660 |
:004185DE C1E902 shr ecx, 02 |
:004185E1 F3 repz |
:004185E2 A5 movsd |
:004185E3 8BC8 mov ecx, eax |
:004185E5 33C0 xor eax, eax |
:004185E7 83E103 and ecx, 00000003 |
:004185EA F3 repz |
:004185EB A4 movsb |
:004185EC 8DBC248C000000 lea edi, dword ptr [esp+0000008C]
:004185F3 83C9FF or ecx, FFFFFFFF |
:004185F6 F2 repnz |
:004185F7 AE scasb |
:004185F8 F7D1 not ecx |
:004185FA 2BF9 sub edi, ecx |
:004185FC 8BC1 mov eax, ecx |
:004185FE 8BF7 mov esi, edi |
:00418600 8BFA mov edi, edx |
:00418602 8D94248C000000 lea edx, dword ptr [esp+0000008C]
:00418609 C1E902 shr ecx, 02 |
:0041860C F3 repz |
:0041860D A5 movsd |
:0041860E 8BC8 mov ecx, eax |
:00418610 33C0 xor eax, eax |
:00418612 83E103 and ecx, 00000003 |
:00418615 F3 repz |
:00418616 A4 movsb |
:00418617 BF60E64300 mov edi, 0043E660 |
:0041861C 83C9FF or ecx, FFFFFFFF |
:0041861F F2 repnz |
:00418620 AE scasb |
:00418621 F7D1 not ecx |
:00418623 2BF9 sub edi, ecx |
:00418625 8BC1 mov eax, ecx |
:00418627 8BF7 mov esi, edi |
:00418629 8BFA mov edi, edx |
:0041862B C1E902 shr ecx, 02 |
:0041862E F3 repz |
:0041862F A5 movsd |
:00418630 8BC8 mov ecx, eax |
:00418632 83E103 and ecx, 00000003 |
:00418635 F3 repz |
:00418636 A4 movsb-------------------------|
走到:004185C0处,看看跳转的两个方向,都没要出对话框的意思。那么先F10跟它走,看看有何结果。我们来
到:00418637处。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004185C0(C)
|
:00418637 8D8C248C000000 lea ecx, dword ptr [esp+0000008C]
:0041863E 51 push ecx
:0041863F E83CDBFFFF call 00416180<-------------对name的第一位和最后一位字符
:00418644 8D542410 lea edx, dword ptr [esp+10] 做有效性检查.
:00418648 52 push edx
:00418649 E832DBFFFF call 00416180<-------------对code的第一位和最后一位字符
:0041864E 8D442414 lea eax, dword ptr [esp+14] 做有效性检查.
:00418652 8D8C2494000000 lea ecx, dword ptr [esp+00000094]
:00418659 50 push eax
:0041865A 51 push ecx
:0041865B E890090000 call 00418FF0<---------注册码不正确则返回0.重要,F8进入.
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:00418660 8B35A8514300 mov esi, dword ptr [004351A8]
:00418666 83C410 add esp, 00000010
:00418669 85C0 test eax, eax
:0041866B 0F85AE000000 jne 0041871F<---------这里是要害所在!
走到这里,抬头看看eax,它的值为0。程序不会跳走,再看看下面的语句,将要显示一个出错对话框。我们
马上明白:要想注册成功,eax必须不为0。问题的焦点马上集中在:0041865B处的那个CALL上了。
:00418671 8B1550624400 mov edx, dword ptr [00446250] 下面的messageboxa.
:00418677 68D00F0000 push 00000FD0
:0041867C 6860E64300 push 0043E660
* Possible Reference to String Resource ID=01459: "鑼
??鬣H"
|
:00418681 68B3050000 push 000005B3
:00418686 52 push edx
:00418687 FFD6 call esi
:00418689 A150624400 mov eax, dword ptr [00446250]
:0041868E 68D00F0000 push 00000FD0
:00418693 6800D44300 push 0043D400
* Possible Reference to String Resource ID=01460: "鑼郒"
|
:00418698 68B4050000 push 000005B4
:0041869D 50 push eax
:0041869E FFD6 call esi
:004186A0 6A30 push 00000030
:004186A2 6800D44300 push 0043D400
:004186A7 6860E64300 push 0043E660
:004186AC 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
(第二次) CTRL-N,回到程序,重新输入注册信息。这次CODE我输的是191919(为了便于进行内存搜索,我
每次都输不同的CODE,这是个小经验)。CTRL-N进入TRW2000,在:0041859D处双击鼠标,设置断
点。再CTRL-N回到程序,按下“确定”钮。(BC *)清除所有断点,F10一直到
:0041865B E890090000 call 00418FF0
F8进入。再F10一路走下。
下面是call 00418FF0的内容:
:00418FF0 83EC70 sub esp, 00000070
:00418FF3 53 push ebx
:00418FF4 8B5C2478 mov ebx, dword ptr [esp+78] ;[ebx]->code
:00418FF8 56 push esi
:00418FF9 57 push edi
:00418FFA 85DB test ebx, ebx
:00418FFC 7436 je 00419034
:00418FFE 6A52 push 00000052<--"R"----------------------------|注册码为第二种
:00419000 53 push ebx |形式时,执行这
:00419001 E8DA440100 call 0042D4E0<--返回code中"R"的地址. |里的语句。
:00419006 83C408 add esp, 00000008 |(***)
:00419009 85C0 test eax, eax |
:0041900B 7427 je 00419034 |
:0041900D 8BBC2484000000 mov edi, dword ptr [esp+00000084] ;[edi]->name|
:00419014 85FF test edi, edi |
:00419016 0F84ED010000 je 00419209 |
:0041901C 6A40 push 00000040 |
:0041901E 57 push edi |
:0041901F E8BC440100 call 0042D4E0<--返回name中"@"的地址. |
:00419024 83C408 add esp, 00000008 |
:00419027 85C0 test eax, eax |
:00419029 7410 je 0041903B |
:0041902B 8BFB mov edi, ebx |
|
* Possible StringData Ref from Data Obj ->"EPAK" |
| |
:0041902D BB44824300 mov ebx, 00438244 |
:00419032 EB07 jmp 0041903B-----------------------------------|
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418FFC(C), :0041900B(C)
|
:00419034 8BBC2484000000 mov edi, dword ptr [esp+00000084] ;[edi]->code
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419029(C), :00419032(U)
|
:0041903B 85FF test edi, edi
:0041903D 0F84C6010000 je 00419209
:00419043 85DB test ebx, ebx
:00419045 0F84BE010000 je 00419209
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041904B 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"PY"
|
:0041904D 685C824300 push 0043825C
:00419052 57 push edi
:00419053 E898450100 call 0042D5F0<------比较code前两位是否为"PY",相等则返回0...(1)
:00419058 83C40C add esp, 0000000C 否则不为0
:0041905B 85C0 test eax, eax
:0041905D 7418 je 00419077
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041905F 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419061 6858824300 push 00438258
:00419066 57 push edi
:00419067 E884450100 call 0042D5F0<------比较code前两位是否为"EY",相等则返回....(2)
:0041906C 83C40C add esp, 0000000C 否则不为0
:0041906F 85C0 test eax, eax
:00419071 0F8592010000 jne 00419209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041905D(C)
|
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:00419077 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419079 6858824300 push 00438258
:0041907E 57 push edi
:0041907F E86C450100 call 0042D5F0<----同上.....................................(3)
:00419084 F7D8 neg eax
:00419086 1BC0 sbb eax, eax
:00419088 6A2D push 0000002D
:0041908A 40 inc eax
:0041908B 57 push edi
:0041908C A304BC4300 mov dword ptr [0043BC04], eax
:00419091 E81A470100 call 0042D7B0<-----------------返回code中"-"的位置.........(4)
:00419096 83C414 add esp, 00000014
:00419099 85C0 test eax, eax
:0041909B 0F8468010000 je 00419209<------若无"-",则死
:004190A1 83C9FF or ecx, FFFFFFFF
:004190A4 33C0 xor eax, eax
:004190A6 F2 repnz
:004190A7 AE scasb
:004190A8 F7D1 not ecx
:004190AA 2BF9 sub edi, ecx
:004190AC 8D542414 lea edx, dword ptr [esp+14]
:004190B0 8BC1 mov eax, ecx
:004190B2 8BF7 mov esi, edi
:004190B4 8BFA mov edi, edx
:004190B6 6A2D push 0000002D
:004190B8 C1E902 shr ecx, 02
:004190BB F3 repz
:004190BC A5 movsd
:004190BD 8BC8 mov ecx, eax
:004190BF 83E103 and ecx, 00000003
:004190C2 F3 repz
:004190C3 A4 movsb
:004190C4 8D4C2418 lea ecx, dword ptr [esp+18]
:004190C8 51 push ecx
:004190C9 E8E2460100 call 0042D7B0<--------------------同上....................(5)
:004190CE 8BF8 mov edi, eax
:004190D0 83C408 add esp, 00000008
:004190D3 85FF test edi, edi
:004190D5 0F842E010000 je 00419209
:004190DB C60700 mov byte ptr [edi], 00
:004191BA 8D442448 lea eax, dword ptr [esp+48]
(第三次) 这里我略去了一个繁长的计算过程。其实第二次我们不会来到这里,反而会很快跳到:00419209
处,返回eax=0,跳到失败。从第二次的过程我们看到,注册码的前两位必须是“PY”或“EY”
并且必须有一位是“-”。再从头来一次,这次输入name:QQQ/code:EY2000-121212。进入
:0041865B E890090000 call 00418FF0
后,反正是F10,一路按下。突然,看看下面,多么熟悉的身影映入眼帘。这样你就得到了一个
正确的注册码组合。若想作注册机就仔细研究一下略去的部分。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004191E0(C)
|
:004191BE 8A10 mov dl, byte ptr [eax]<--------真假code的比较!!!...........(6)
:004191C0 8A1E mov bl, byte ptr [esi]
:004191C2 8ACA mov cl, dl
:004191C4 3AD3 cmp dl, bl
:004191C6 752C jne 004191F4
:004191C8 84C9 test cl, cl
:004191CA 7416 je 004191E2
:004191CC 8A5001 mov dl, byte ptr [eax+01]
:004191CF 8A5E01 mov bl, byte ptr [esi+01]
:004191D2 8ACA mov cl, dl
:004191D4 3AD3 cmp dl, bl
:004191D6 751C jne 004191F4
:004191D8 83C002 add eax, 00000002
:004191DB 83C602 add esi, 00000002
:004191DE 84C9 test cl, cl
:004191E0 75DC jne 004191BE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:<---跳到这里,则成功
|:004191CA(C)
|
:004191E2 33C0 xor eax, eax
:004191E4 33C9 xor ecx, ecx
:004191E6 85C0 test eax, eax
:004191E8 0F94C1 sete cl
:004191EB 5F pop edi
:004191EC 5E pop esi
:004191ED 8BC1 mov eax, ecx
:004191EF 5B pop ebx
:004191F0 83C470 add esp, 00000070
:004191F3 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<--跳到这里,有可能成功
|:004191C6(C), :004191D6(C) 但看看这两个跳转,都是
| jnz,所以到这里也是死!
:004191F4 1BC0 sbb eax, eax
:004191F6 5F pop edi
:004191F7 83D8FF sbb eax, FFFFFFFF
:004191FA 33C9 xor ecx, ecx
:004191FC 85C0 test eax, eax
:004191FE 0F94C1 sete cl
:00419201 5E pop esi
:00419202 8BC1 mov eax, ecx
:00419204 5B pop ebx
:00419205 83C470 add esp, 00000070
:00419208 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<---若跳到这里,则失败.
|:00419016(C), :0041903D(C), :00419045(C), :00419071(C), :0041909B(C)
|:004190D5(C)
|
:00419209 5F pop edi
:0041920A 5E pop esi
:0041920B 33C0 xor eax, eax
:0041920D 5B pop ebx
:0041920E 83C470 add esp, 00000070
:00419211 C3 ret
事情完了吗?没有。我们应该研究一下两个标有(***)的程序段。第一个程序段在判断CODE中含有“R”
后,把NAME和CODE在内存的地址对调;第二个程序段是判断NAME中是否含有字符“@”。见下面总结:
总结:
这个程序存在两种类型的注册码:
1、一种注册码形式如:
Name:QQQ/code:EY2000-121212
这里,"EY"和"-"间的数字随意。“-”后的数字由Name和“-”前的字符(包括EY)
算出。“EY”也可以是“PY”。当然"EY"和"-"间也可以没东西,这样注册后也可看到
注册成功的画面。但在联网升级时,会发生错误,连选择升级组件的列表都不出现;我
用上面的注册码注册时,会出现选择升级组件的列表,选好组件后,要求我输入email地
址,这时我才犯难了。我怎么知道有哪些email地址在它的服务器上注了册,我又不是
黑客。
2、另一种注册码形式如:
Name:anything@anything/code:EYR2002-121212
这种形式的注册码和NAME是无关的。注册码中必须含有“R”,前两位也必须是
“EY”或“PY”。“-”后的数字由字符“EPAK”和“-”前的字符(包括“EY”或“PY”)
算出。而NAME中的“@”是必须有的,作者很可能想让你输入email地址。这种注册码也许和
引擎软件包(Engine Pack)的升级有关。