• Title: Trojan Remover 4.3.0 cracking notes (8k characters)
  • Author: X man
  • Time: 2001-8-31 15:02:44
  • Link: http://bbs.pediy.com

Trojan Remover 4.3.0 cracking notes

Author: X man or lb[BCG]
Software version: 4.3.0
Platform: Win9x/Me/NT/2000
File size: 1458KB
License: shareware
Description: a tool dedicated to removing Trojan horses and automatically repairing system files. It checks the system registry files, scans WIN.INI, SYSTEM.INI and the system registry files, writes a log file when the scan is finished, and then removes the Trojans and repairs the system files for you automatically.

Note: when installing the program you are asked for a name and Organisation. Here I entered:
name: lb[BCG]
Organisation: Beginner's Cracking Group


FIRST:
I checked RmvTrjan.exe with FI and it found no packer. GOOD! But when I disassembled it with W32DASM there was nothing at all under "String Data references". Strange; had FI been fooled? So I opened it in PROCDUMP's PE Editor and finally found it: it is packed with ASPack. Easy enough, strip the packer and W32DASM can be used.

Of course, this article is not about unpacking, so I will just tell you a simple method: use Ding Boy's 冲击波2000 (Shockwave 2000) to find the entry point, then use TRW2000's MAKEPE to finish the job!

NEXT:
After disassembling with W32DASM, search for "Registration key is invalid" and you arrive at

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CDCF(C)     
|
:0043D032 6A30                    push 00000030
:0043D034 E83F44FCFF              call 00401478
:0043D039 6A00                    push 00000000
:0043D03B 668B0DD4D34300          mov cx, word ptr [0043D3D4]
:0043D042 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"Registration key is invalid - "
                                        ->"please ensure you have typed the "
                                        ->"Registration Key correctly. Most "
                                        ->"registration problems are caused "
                                        ->"because the Serial Number does "
                                        ->"not match that originally supplied "
                                        ->"by the user when registering. "
                                        ->"Check that the Serial Number displayed "
                                        ->"is identical to that shown in "
                                        ->"the registration email. If it "
                                        ->"is not, send email to support@simplysup.com "
                                        ->"giving your new Serial "
                                  |
:0043D044 B8E0D34300              mov eax, 0043D3E0
:0043D049 E8EA4EFCFF              call 00401F38
:0043D04E 83F804                  cmp eax, 00000004
:0043D051 7523                    jne 0043D076
:0043D053 8B45FC                  mov eax, dword ptr [ebp-04]
:0043D056 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043D05C 33D2                    xor edx, edx
:0043D05E E8D54AFCFF              call 00401B38
:0043D063 8B45FC                  mov eax, dword ptr [ebp-04]
:0043D066 8B9008020000            mov edx, dword ptr [eax+00000208]
:0043D06C 8B45FC                  mov eax, dword ptr [ebp-04]
:0043D06F E8B44CFCFF              call 00401D28
:0043D074 EB08                    jmp 0043D07E

We can see the jump comes from 0043CDCF, so go there
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CAE0(C)
|
:0043CD51 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CD54 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CD57 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043CD5D E8CE4DFCFF              call 00401B30
:0043CD62 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"419246"
                                  |
:0043CD65 BA50D24300              mov edx, 0043D250
:0043CD6A E83944FCFF              call 004011A8
:0043CD6F 7464                    je 0043CDD5
:0043CD71 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CD74 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CD77 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043CD7D E8AE4DFCFF              call 00401B30
:0043CD82 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"387192"
                                  |
:0043CD85 BA60D24300              mov edx, 0043D260
:0043CD8A E81944FCFF              call 004011A8
:0043CD8F 7444                    je 0043CDD5
:0043CD91 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CD94 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CD97 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043CD9D E88E4DFCFF              call 00401B30
:0043CDA2 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"388028"
                                  |
:0043CDA5 BA70D24300              mov edx, 0043D270
:0043CDAA E8F943FCFF              call 004011A8
:0043CDAF 7424                    je 0043CDD5
:0043CDB1 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CDB4 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CDB7 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043CDBD E86E4DFCFF              call 00401B30
:0043CDC2 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"422199"
                                  |
:0043CDC5 BA80D24300              mov edx, 0043D280
:0043CDCA E8D943FCFF              call 004011A8
:0043CDCF 0F855D020000            jne 0043D032---------------------this is the jump to the error message

Looking at the 422199 just above, it might be the registration key. OK, I entered it, and sure enough no error dialog popped up. But it said this was only a temporary registration key, and so on. Sob~~~, so that's how it is. Fine! After I moved the date forward and ran the software again, the error dialog popped up again (so at first it was possible to enter a registration key). So, reading upward from here, I came to 0043CD51 and found that all of this is caused by 0043CAE0.

NEXT:
Change position and go to 0043CAE0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CA54(C)
|
:0043CAB7 A1ACDB4B00              mov eax, dword ptr [004BDBAC]
:0043CABC 8B00                    mov eax, dword ptr [eax]
:0043CABE 59                      pop ecx
:0043CABF E8C0420700              call 004B0D84
:0043CAC4 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CAC7 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CACA 8B8008020000            mov eax, dword ptr [eax+00000208]
:0043CAD0 E85B50FCFF              call 00401B30
:0043CAD5 8B55F0                  mov edx, dword ptr [ebp-10]-----suspicious! try D EAX here
:0043CAD8 8B45F8                  mov eax, dword ptr [ebp-08]-----EAX: the real registration key
:0043CADB E8C846FCFF              call 004011A8-------------------EDX: the fake registration key you entered
:0043CAE0 0F856B020000            jne 0043CD51              ------------this is where it starts leading me to the error
:0043CAE6 A194DB4B00              mov eax, dword ptr [004BDB94]
:0043CAEB C60001                  mov byte ptr [eax], 01
:0043CAEE A1C8DB4B00              mov eax, dword ptr [004BDBC8]
:0043CAF3 C60000                  mov byte ptr [eax], 00
:0043CAF6 B201                    mov dl, 01
:0043CAF8 A114FB4D00              mov eax, dword ptr [004DFB14]
:0043CAFD E8B654FCFF              call 00401FB8
:0043CB02 8945F4                  mov dword ptr [ebp-0C], eax
:0043CB05 BA02000080              mov edx, 80000002
:0043CB0A 8B45F4                  mov eax, dword ptr [ebp-0C]
:0043CB0D E8B654FCFF              call 00401FC8
:0043CB12 B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan "
                                        ->"Remover\User"
                                  |
:0043CB14 BAB8D04300              mov edx, 0043D0B8
:0043CB19 8B45F4                  mov eax, dword ptr [ebp-0C]
:0043CB1C E8AF54FCFF              call 00401FD0
:0043CB21 84C0                    test al, al
:0043CB23 0F84DC000000            je 0043CC05
:0043CB29 33C0                    xor eax, eax
:0043CB2B 55                      push ebp
:0043CB2C 68DDCB4300              push 0043CBDD
:0043CB31 64FF30                  push dword ptr fs:[eax]
:0043CB34 648920                  mov dword ptr fs:[eax], esp
:0043CB37 8D55F0                  lea edx, dword ptr [ebp-10]
:0043CB3A 8B45FC                  mov eax, dword ptr [ebp-04]
:0043CB3D 8B80E8010000            mov eax, dword ptr [eax+000001E8]
:0043CB43 E8E84FFCFF              call 00401B30
:0043CB48 8B4DF0                  mov ecx, dword ptr [ebp-10]
........................ (part omitted)
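As an added illustration (not the program's own code), here is a constructed reconstruction of the check the disassembly shows: a plain string compare of the entered key against a locally derived key and against the four hard-coded temporary keys, beside a variant that compares digests so that neither the temporary keys nor the compare operands are readable as plaintext. The derive_key function is an assumed placeholder; the page does not show the real derivation.

```python
import hashlib
import hmac

# Temporary keys quoted in the page's StringData references at 0043CD65 ff.
TEMP_KEYS = ("419246", "387192", "388028", "422199")


def derive_key(name, org):
    """Assumed stand-in for whatever produced the value in [ebp-08];
    the page does not show the real derivation, only that it exists."""
    acc = 7
    for byte in (name + "|" + org).encode():
        acc = (acc * 31 + byte) % 100_000_000
    return str(acc).zfill(8)


def check_weak(name, org, entered):
    """Reconstruction of the flow at 0043CAD5-0043CAE0 and 0043CD51-0043CDCF:
    plain string compares, so both operands are readable at the compare."""
    if entered == derive_key(name, org):     # the compare at 0043CADB
        return "registered"
    if entered in TEMP_KEYS:                 # the chain ending at 0043CDCF
        return "temporary"
    return "invalid"


def digest(text):
    return hashlib.sha256(text.encode()).digest()


# A shipping build would embed only these digests; the plaintext temporary
# keys would then not show up in a strings scan of the binary.
TEMP_KEY_DIGESTS = tuple(digest(k) for k in TEMP_KEYS)


def check_hardened(name, org, entered):
    """Same decision, but the temporary keys are matched by digest and the
    comparisons are constant-time. The per-user key is still derived on the
    client, so this hides the compare operands, not the derivation itself."""
    entered_d = digest(entered)
    if hmac.compare_digest(entered_d, digest(derive_key(name, org))):
        return "registered"
    if any(hmac.compare_digest(entered_d, d) for d in TEMP_KEY_DIGESTS):
        return "temporary"
    return "invalid"
```

Even the hardened variant runs entirely on the client; a validator that checks a signature over the user data with an embedded public key is what keeps the expected key from being computable from the binary at all.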

END:
OK, that is as far as the cracking of Trojan Remover goes. My registration details are:
name: lb[BCG]
Organisation: Beginner's Cracking Group
Serial No: 80208956
Reg No: 67011387897120

The software stores its registration information at HKEY_LOCAL_MACHINE\Software\Simply Super Software\Trojan Remover\User


Experts, please don't laugh at this article; I am a Beginner.
                                  X man or lb[BCG]
                                lbcool@elong.com
                                2001.8.30