Trojan Remover 4.3.0破解手记
作者:X man or lb[BCG]
软件版本 4.3.0
使用平台 Win9x/Me/NT/2000
文件大小 1458KB
软件性质 共享软件
简单说明 是一个专门用来清除特洛伊木马和自动修复系统文件的工具。能够检查系统登录文件、扫描WIN.INI
、SYSTEM.INI和系统登录文件,且扫描完成后会产生Log信息文件,并帮你自动清除特洛伊木马和修复系统文
件。
注:安装该程序时就要求填入name和Organisation,在这里我填的是:
name:lb[BCG]
Organisation:Beginner's Cracking Group
FIRST:
用FI检测RmvTrjan.exe,未发现加壳。GOOD!用W32DASM反编译它,却发现“String Data references”中没有
任何信息。奇怪,难道是被FI骗了?于是用PROCDUMP的PE Editor查看它,终于找到了:是用ASPack加壳的。好办,脱掉它
就可以用W32DASM了。
当然,本文不是讨论如何脱壳的,所以告诉您一个简单的办法,用“Ding Boy的冲击波2000”找到切入点,再
用TRW2000的MAKEPE来搞定它!
NEXT:
用W32DASM反编译后,查找“Registration key is invalid ”来到
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CDCF(C)
|
:0043D032 6A30
push 00000030
:0043D034 E83F44FCFF call 00401478
:0043D039 6A00
push 00000000
:0043D03B 668B0DD4D34300 mov cx, word ptr
[0043D3D4]
:0043D042 B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"Registration key is invalid - "
->"please ensure
you have typed the "
->"Registration
Key correctly. Most "
->"registration
problems are caused "
->"because the
Serial Number does "
->"not match
that originally supplied "
->"by the user
when registering. "
->"Check that
the Serial Number displayed "
->"is identical
to that shown in "
->"the registration
email. If it "
->"is not, send
email to support@simplysup.com "
->"giving your
new Serial "
|
:0043D044 B8E0D34300 mov eax,
0043D3E0
:0043D049 E8EA4EFCFF call 00401F38
:0043D04E 83F804
cmp eax, 00000004
:0043D051 7523
jne 0043D076
:0043D053 8B45FC
mov eax, dword ptr [ebp-04]
:0043D056 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043D05C 33D2
xor edx, edx
:0043D05E E8D54AFCFF call 00401B38
:0043D063 8B45FC
mov eax, dword ptr [ebp-04]
:0043D066 8B9008020000 mov edx, dword
ptr [eax+00000208]
:0043D06C 8B45FC
mov eax, dword ptr [ebp-04]
:0043D06F E8B44CFCFF call 00401D28
:0043D074 EB08
jmp 0043D07E
看到是由0043CDCF处跳来的,于是转到该处
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CAE0(C)
|
:0043CD51 8D55F0
lea edx, dword ptr [ebp-10]
:0043CD54 8B45FC
mov eax, dword ptr [ebp-04]
:0043CD57 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043CD5D E8CE4DFCFF call 00401B30
:0043CD62 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"419246"
|
:0043CD65 BA50D24300 mov edx,
0043D250
:0043CD6A E83944FCFF call 004011A8
:0043CD6F 7464
je 0043CDD5
:0043CD71 8D55F0
lea edx, dword ptr [ebp-10]
:0043CD74 8B45FC
mov eax, dword ptr [ebp-04]
:0043CD77 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043CD7D E8AE4DFCFF call 00401B30
:0043CD82 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"387192"
|
:0043CD85 BA60D24300 mov edx,
0043D260
:0043CD8A E81944FCFF call 004011A8
:0043CD8F 7444
je 0043CDD5
:0043CD91 8D55F0
lea edx, dword ptr [ebp-10]
:0043CD94 8B45FC
mov eax, dword ptr [ebp-04]
:0043CD97 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043CD9D E88E4DFCFF call 00401B30
:0043CDA2 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"388028"
|
:0043CDA5 BA70D24300 mov edx,
0043D270
:0043CDAA E8F943FCFF call 004011A8
:0043CDAF 7424
je 0043CDD5
:0043CDB1 8D55F0
lea edx, dword ptr [ebp-10]
:0043CDB4 8B45FC
mov eax, dword ptr [ebp-04]
:0043CDB7 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043CDBD E86E4DFCFF call 00401B30
:0043CDC2 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"422199"
|
:0043CDC5 BA80D24300 mov edx,
0043D280
:0043CDCA E8D943FCFF call 004011A8
:0043CDCF 0F855D020000 jne 0043D032---------------------由这里跳到出错信息处,看到上面
的422199,可能它就是注册码,好,把它填进去后,
果然没有弹出错误的对话框。不过却说这是临时注
册码云云,呜呜~~~,居然是这么回事,好!把日期
往后调动后,再次运行该软件,又弹出错误的对话框(这样一开始又可以填入注册码),于是从此处向上看,
来到0043CD51处,发现这一切都是0043CAE0引来的。
NEXT:
转营,来到0043CAE0处
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CA54(C)
|
:0043CAB7 A1ACDB4B00 mov eax,
dword ptr [004BDBAC]
:0043CABC 8B00
mov eax, dword ptr [eax]
:0043CABE 59
pop ecx
:0043CABF E8C0420700 call 004B0D84
:0043CAC4 8D55F0
lea edx, dword ptr [ebp-10]
:0043CAC7 8B45FC
mov eax, dword ptr [ebp-04]
:0043CACA 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0043CAD0 E85B50FCFF call 00401B30
:0043CAD5 8B55F0
mov edx, dword ptr [ebp-10]-----可疑哦!这里D EAX试试
:0043CAD8 8B45F8
mov eax, dword ptr [ebp-08]-----EAX:真的注册码
:0043CADB E8C846FCFF call 004011A8-------------------EDX:您输入的假注册码
:0043CAE0 0F856B020000 jne 0043CD51
------------就是这儿开始引导我出错
:0043CAE6 A194DB4B00 mov eax,
dword ptr [004BDB94]
:0043CAEB C60001
mov byte ptr [eax], 01
:0043CAEE A1C8DB4B00 mov eax,
dword ptr [004BDBC8]
:0043CAF3 C60000
mov byte ptr [eax], 00
:0043CAF6 B201
mov dl, 01
:0043CAF8 A114FB4D00 mov eax,
dword ptr [004DFB14]
:0043CAFD E8B654FCFF call 00401FB8
:0043CB02 8945F4
mov dword ptr [ebp-0C], eax
:0043CB05 BA02000080 mov edx,
80000002
:0043CB0A 8B45F4
mov eax, dword ptr [ebp-0C]
:0043CB0D E8B654FCFF call 00401FC8
:0043CB12 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan
"
->"Remover\User"
|
:0043CB14 BAB8D04300 mov edx,
0043D0B8
:0043CB19 8B45F4
mov eax, dword ptr [ebp-0C]
:0043CB1C E8AF54FCFF call 00401FD0
:0043CB21 84C0
test al, al
:0043CB23 0F84DC000000 je 0043CC05
:0043CB29 33C0
xor eax, eax
:0043CB2B 55
push ebp
:0043CB2C 68DDCB4300 push 0043CBDD
:0043CB31 64FF30
push dword ptr fs:[eax]
:0043CB34 648920
mov dword ptr fs:[eax], esp
:0043CB37 8D55F0
lea edx, dword ptr [ebp-10]
:0043CB3A 8B45FC
mov eax, dword ptr [ebp-04]
:0043CB3D 8B80E8010000 mov eax, dword
ptr [eax+000001E8]
:0043CB43 E8E84FFCFF call 00401B30
:0043CB48 8B4DF0
mov ecx, dword ptr [ebp-10]
…………………………(省略一部分)
END:
好了,Trojan Remover就破解到这了,我的注册码是:
name:lb[BCG]
Organisation:Beginner's Cracking Group
Serial No:80208956
Reg No:67011387897120
该软件的注册信息放在HKEY_LOCAL_MACHINE\Software\Simply Super Software\Trojan Remover\User处
各位高手看了本文不要见笑,我是个Beginner。
X man or
lb[BCG]
lbcool@elong.com
2001.8.30
- 标 题:Trojan Remover 4.3.0破解手记 (8千字)
- 作 者:X man
- 时 间:2001-8-31 15:02:44
- 链 接:http://bbs.pediy.com