破traceboy2.0 高手勿看!
ftp://ftp.eware.com.cn/pub/system/syssafe/traceboy20.zip
traceboy.exe 708KB
我吹:
运行本软件后,程序将驻留内存,时刻记录着键盘的一举一动,同时可以定时记
录,并控制软件运行时间、启动热键和存储文件路径以及保护软件运行等多项功
能,随时可以浏览记录,并可以通过互联网将记录文件发送给您。
(审校注:按这段官方描述,它就是一个会把按键记录外传的键盘记录器/间谍软件。分析这类程序请在隔离的虚拟机里进行,不要装在日常使用、有真实口令输入的机器上。)
电脑报2001年第3期上有介绍。
怎么我老跟电脑报过不去?
怎么跟PCGHOST一样?
作者俩是亲兄弟?
但它多了一个关联?
象木马病毒?
你病我毒!
我ZEST!
gogo!
go!
运行traceboy.exe后,在注册处填:
姓 名:zzzzzz
注册码:1234567890
RUN trw2k103 (运行 TRW2000 1.03 调试器)
bpx hmemcpy (在 hmemcpy 上下断点,截获程序读取编辑框内容的那一刻)
按确定后中断于hmemcpy
bd (先禁用断点,避免反复中断)
pmodule (返回到程序自身的代码段)
经过若干RET后到:cs:0048A6E4
:0048A6DF E81424FAFF call
0042CAF8
// reads the Name edit field into [ebp-08] (the same helper is called for the code field at 0048A6FE and 0048A735)
:0048A6E4 8B45F8
mov eax, dword ptr [ebp-08] // TRW lands here after the hmemcpy break + bd / pmodule / RETs
:0048A6E7 E87496F7FF call
00403D60
:0048A6EC 83F805
cmp eax, 00000005
// eax = length of the name (00403D60 is used as the length helper again at 0048A73D); the name must be longer than 5 characters
:0048A6EF 0F8EEC030000 jle 0048AAE1
// length <= 5: jump to the failure path at 0048AAE1
:0048A6F5 8D55E0
lea edx, dword ptr [ebp-20]
:0048A6F8 8B87E0020000 mov eax, dword
ptr [edi+000002E0]
:0048A6FE E8F523FAFF call
0042CAF8
// reads the registration-code edit field into [ebp-20]; an empty code is rejected
:0048A703 837DE000
cmp dword ptr [ebp-20], 00000000
:0048A707 0F84D4030000 je 0048AAE1
// nil string pointer (Delphi's representation of an empty string) -> failure path
:0048A70D 33F6
xor esi, esi
:0048A70F 8D45E8
lea eax, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"MyNamesZEDLhYScbdQfuBHXtvpqriJACjkFUVTzwxPGngR"
->"WuKXR"
|
// constant table string ("MyNames" + a shuffled alphabet); presumably the substitution alphabet used by the name transform that is elided further down - not verified in this trace
:0048A712 BA30AB4800 mov edx,
0048AB30
:0048A717 E85C94F7FF call
00403B78
// [ebp-18] = the table string
:0048A71C 8D45F0
lea eax, dword ptr [ebp-10]
:0048A71F E8BC93F7FF call
00403AE0
:0048A724 8D45F4
lea eax, dword ptr [ebp-0C]
:0048A727 E8B493F7FF call
00403AE0
// [ebp-10] and [ebp-0C] are the two result strings (name-derived and code-derived) that get compared at 0048A9C9; these two calls presumably reset them to empty
:0048A72C 8D55E4
lea edx, dword ptr [ebp-1C]
:0048A72F 8B87E0020000 mov eax, dword
ptr [edi+000002E0]
:0048A735 E8BE23FAFF call
0042CAF8
// reads the registration code a second time, this time into [ebp-1C]
:0048A73A 8B45E4
mov eax, dword ptr [ebp-1C] // "1234567890" in this trace
:0048A73D E81E96F7FF call
00403D60
// length of the code (author: a pointless repeat of the earlier read)
:0048A742 8BD8
mov ebx, eax
// ebx = code length (0x0A here) -> loop counter
:0048A744 85DB
test ebx, ebx
:0048A746 7E2B
jle 0048A773
// zero length skips the transform loop
:0048A748 C745FC01000000 mov [ebp-04], 00000001
// [ebp-04] = i = 1 (1-based character index)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048A771(C)
|
:0048A74F 8B45E4
mov eax, dword ptr [ebp-1C] *// eax = code string
:0048A752 8B55FC
mov edx, dword ptr [ebp-04] *// edx = i
:0048A755 0FB64410FF movzx
eax, byte ptr [eax+edx-01] *// eax = code[i], zero-extended byte
:0048A75A 8D55DC
lea edx, dword ptr [ebp-24] *// [ebp-24] receives the per-character result
:0048A75D E8C6DBF7FF call
00408328
*// byte -> decimal string ('1' = 31h -> "49"); see the note after the loop
:0048A762 8B55DC
mov edx, dword ptr [ebp-24] *// edx = decimal string for this character
:0048A765 8D45F4
lea eax, dword ptr [ebp-0C] *// eax = accumulator [ebp-0C]
:0048A768 E8FB95F7FF call
00403D68
*// append: [ebp-0C] += edx ("49505152535455565748" once the loop is done)
:0048A76D FF45FC
inc [ebp-04]
*// i++
:0048A770 4B
dec ebx
*// remaining--
:0048A771 75DC
jne 0048A74F
*// loop over every character of the code. NOTE(review): this transform contains no secret - it is a plain ASCII-to-decimal re-encoding - so the code side is trivially invertible; whatever the name transform yields is, in effect, the serial.
注:*//处很重要,是变换填入的注册码的,你可进入各CALL看看。
变换过程是这样的:取注册码的一个字符,找出其ASCII码值(十六进制),
变换为十进制。如:
1的ASCII值为31,31的十进制为49
A的ASCII值为41,41的十进制为65
a的ASCII值为61,61的十进制为97
等等等等......
然后整理成串49505152535455565748。
也就是说,这一侧的变换没有任何密钥,只是把字符的 ASCII 码改写成十进制数字串:拿到 0048A9CE 处比较的目标串后,反推出注册码是平凡的。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048A746(C)
|
:0048A773 686CAB4800 push
0048AB6C // "f5" (prefix)
:0048A778 FF75F4
push [ebp-0C] // "49505152535455565748" (code transform from the loop above)
:0048A77B 6878AB4800 push
0048AB78 // "k6" (suffix)
:0048A780 8D45F4
lea eax, dword ptr [ebp-0C]
:0048A783 BA03000000 mov edx,
00000003
:0048A788 E89396F7FF call
00403E20 // concatenate the 3 pushed pieces (edx = piece count, presumably) -> [ebp-0C] = "f549505152535455565748k6"
:0048A78D 8B45F8
mov eax, dword ptr [ebp-08] // name ("zzzzzz")
:0048A790 E8CB95F7FF call
00403D60 // length of the name
:0048A795 85C0
test eax, eax
:0048A797 7E0F
jle 0048A7A8
// empty name skips the name transform; that loop (the "big loop" the author did not trace) starts here and is elided from this listing
......
......
......
后面是zzzzzz变换的过程,好大的循环,有你看一阵子的。不写了,我累?我泪!
谁有空可写个注册机出来。还是别写了,支持一下国产软件吧!
......
......
......
:0048A9A9 686CAB4800 push
0048AB6C // "f5" (prefix)
:0048A9AE FF75F0
push [ebp-10] // name transform result: "78501145685539055114558850" for "zzzzzz"
:0048A9B1 6878AB4800 push
0048AB78 // "k6" (suffix)
:0048A9B6 8D45F0
lea eax, dword ptr [ebp-10]
:0048A9B9 BA03000000 mov edx,
00000003
:0048A9BE E85D94F7FF call
00403E20 // same 3-piece concat -> [ebp-10] = "f578501145685539055114558850k6"
:0048A9C3 8B45F0
mov eax, dword ptr [ebp-10]// name-derived: "f578501145685539055114558850k6"
:0048A9C6 8B55F4
mov edx, dword ptr [ebp-0C]// code-derived: "f549505152535455565748k6"
:0048A9C9 E8A294F7FF call
00403E70 // string compare of eax vs edx (step into it to confirm); the jne below consumes flags set inside this call
:0048A9CE 0F8504010000 jne 0048AAD8
// not equal -> failure path. This single conditional branch is the entire licence check: forcing it not to jump (as the author does in TRW) registers the program without knowing any code.
:0048A9D4 8B87D0020000 mov eax, dword
ptr [edi+000002D0]// success path: every call below goes to 0042CA10 with a form field in eax and dl = 1 or 0; author: these switch the UI into the registered state
:0048A9DA B201
mov dl, 01
:0048A9DC E82F20FAFF call
0042CA10
// registered
:0048A9E1 8B87D8020000 mov eax, dword
ptr [edi+000002D8]
:0048A9E7 33D2
xor edx, edx
:0048A9E9 E82220FAFF call
0042CA10
:0048A9EE 8B87E0020000 mov eax, dword
ptr [edi+000002E0]
:0048A9F4 33D2
xor edx, edx
:0048A9F6 E81520FAFF call
0042CA10
:0048A9FB 8B87E4020000 mov eax, dword
ptr [edi+000002E4]
:0048AA01 33D2
xor edx, edx
:0048AA03 E80820FAFF call
0042CA10
:0048AA08 8B87E8020000 mov eax, dword
ptr [edi+000002E8]
:0048AA0E 33D2
xor edx, edx
:0048AA10 E8FB1FFAFF call
0042CA10
:0048AA15 8B87D4020000 mov eax, dword
ptr [edi+000002D4]
:0048AA1B 33D2
xor edx, edx
:0048AA1D E8EE1FFAFF call
0042CA10
:0048AA22 8B87DC020000 mov eax, dword
ptr [edi+000002DC]
:0048AA28 33D2
xor edx, edx
:0048AA2A E8E11FFAFF call
0042CA10
:0048AA2F A150634900 mov eax,
dword ptr [00496350]
// two more fields reached through a global object pointer at 00496350 (presumably the main form) - same setter, dl = 0 then dl = 1
:0048AA34 8B00
mov eax, dword ptr [eax]
:0048AA36 8B807C030000 mov eax, dword
ptr [eax+0000037C]
:0048AA3C 33D2
xor edx, edx
:0048AA3E E8CD1FFAFF call
0042CA10
:0048AA43 A150634900 mov eax,
dword ptr [00496350]
:0048AA48 8B00
mov eax, dword ptr [eax]
:0048AA4A 8B8078030000 mov eax, dword
ptr [eax+00000378]
:0048AA50 B201
mov dl, 01
:0048AA52 E8B91FFAFF call
0042CA10
:0048AA57 B201
mov dl, 01
:0048AA59 A1BCEF4500 mov eax,
dword ptr [0045EFBC]
:0048AA5E E85946FDFF call
0045F0BC
// looks like a Delphi constructor call (class reference in eax, dl = 1): creates the registry-access object; ebx keeps it for the calls below
:0048AA63 8BD8
mov ebx, eax
:0048AA65 BA02000080 mov edx,
80000002
:0048AA6A 8BC3
mov eax, ebx
:0048AA6C E8EB46FDFF call
0045F15C
// 80000002h = HKEY_LOCAL_MACHINE -> root key. The marker is therefore machine-wide, not per-user, and writing it needs HKLM write access on NT-family systems
:0048AA71 33C9
xor ecx, ecx
* Possible StringData Ref from Code Obj ->"\software\stonari\xpghostd"
|
:0048AA73 BA84AB4800 mov edx,
0048AB84
:0048AA78 8BC3
mov eax, ebx
:0048AA7A E84547FDFF call
0045F1C4
// open (or create) HKLM\software\stonari\xpghostd with ecx = 0. Note the key is named after xpghost, matching the PCGHOST resemblance noted in the intro
:0048AA7F 8D4D90
lea ecx, dword ptr [ebp-70]
* Possible StringData Ref from Code Obj ->"38309"
|
:0048AA82 BAA8AB4800 mov edx,
0048ABA8
* Possible StringData Ref from Code Obj ->"yesreg"
|
:0048AA87 B8B8AB4800 mov eax,
0048ABB8
:0048AA8C E8B3FAFFFF call
0048A544 // combines "yesreg" and "38309" into the registry marker in [ebp-70] (author: a combining transform; its internals are not shown here)
:0048AA91 8B4D90
mov ecx, dword ptr [ebp-70] // e.g. "73DF7DC306528A" in this run
// author: the value differs on every run, so 0048A544 must mix in something volatile (time or random) - not verified here
* Possible StringData Ref from Code Obj ->"zecixy"
|
:0048AA94 BAC8AB4800 mov edx,
0048ABC8
:0048AA99 8BC3
mov eax, ebx
:0048AA9B E8C04AFDFF call
0045F560 // write value "zecixy" = marker under the key opened above; this single registry value is what persists the registered state
:0048AAA0 8BC3
mov eax, ebx
......
......
**小节**
姓名与注册码分别计算变化后对比。
关键对比:
:0048A9C3 8B45F0
mov eax, dword ptr [ebp-10] //f578501145685539055114558850k6
:0048A9C6 8B55F4
mov edx, dword ptr [ebp-0C] //f549505152535455565748k6
:0048A9C9 E8A294F7FF call
00403E70
:0048A9CE 0F8504010000 jne 0048AAD8
call 之后紧跟 jne(或 je)是 Delphi 程序的常见写法(字符串比较由运行库函数完成,随后直接按它设置的标志位跳转),不不不,
是关键!比较的两个操作数一般就在上两行装入(这里是 [ebp-10] 与 [ebp-0C]),
你也可进入此 CALL 看看即知。
其实此程序根本不用找注册码,只要用 TRW 调试到
0048A9CE 处使其不跳它就乖乖注册了。整个授权校验只有这一处条件跳转,这种纯客户端的检查不构成任何安全边界。
注册信息写在 HKLM(HKEY_LOCAL_MACHINE,即 0048AA65 处装入的常数 80000002h)\software\stonari\xpghostd 中,
zecixy 键值为 73DF7DC306528A。
该值由 0048A544 处的变换产生,每次运行都不同,所以你的值可能与我的不一样;写在 HKLM 下意味着注册状态是整机的而不是按用户的(删除该值应当恢复未注册状态——未验证)。
由上分析:把比较目标串 f578501145685539055114558850k6 去掉 f5/k6 前后缀,按 ASCII 十进制切分,再反查回字符,就得到一个注册码:
78 50 114 56 85 53 90 55 114 55 88 50
 N  2   r  8  U  5  Z  7   r  7  X  2
所以:
姓 名:zzzzzz
注册码:N2r8U5Z7r7X2
注:这组注册码只对姓名 zzzzzz 有效;换姓名需要重新走一遍(上面省略的)姓名变换,或者直接在 0048A9C3 处从 [ebp-10] 读出目标串再反推。
/\zest/\
2001.1
- 标 题:破traceboy2.0 高手勿看! (9千字)
- 作 者:zest
- 时 间:2001-1-29 14:14:03
- 链 接:http://bbs.pediy.com