Registering Trojan Remover 4.2.1
1、下载地址:http://www.simplysup.com/tremover/
2、大小:1430Kb
3、破解工具: SoftICE 4.05,TRW2000,Win32dasm 8.93,Hiew 6.40
4、软件简介: 是一款查杀木马的相当流行的工具,这是最新版本。
主程序用ASPack压缩过,程序是用Delphi 3.0写成(从反汇编中大量的 VCL30.* 引用可以看出),主程序只有197K,脱壳后居然有1.08Mb。
用Win32dasm反汇编后看到了一组->"Temporary registration Code "
* Possible StringData Ref from Code Obj ->"419246"
* Possible StringData Ref from Code Obj ->"387192"
* Possible StringData Ref from Code Obj ->"388028"
* Possible StringData Ref from Code Obj ->"422199"
试了一下,这几个临时注册码还是可以用的,出现了这样的提示窗->"Temporary registration has been applied successfully.
This registration will be valid for the next 72 hours."
只能用72个小时,我#%^&$#^,也太小气了。于是决定操刀解之而后快:)
5、破解过程: 运行程序输入 Username: CoolBob
Organisation:
China Cracker Group
Serial Number:
26313818 (随机产生的)
Registration
Key: 12345
一开始用TRW2000,发现上当——该程序注册验证时用到float运算(见下面 004B9546 之后的一串 FPU 指令)。所以,换SoftICE上场,下BPX hmemcpy,F5跳出来后,点OK按钮被SoftICE拦截,12次F12来到这里---->
Copyright ©1999-2001 Simply Super Software
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:0044591A E811C2FBFF Call
00401B30
:0044591F 8B45F0
mov eax, dword ptr [ebp-10] <----Here we come
:00445922 50
push eax
<----Save Serial Number
:00445923 8D55EC
lea edx, dword ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458BF(C)
|
:00445926 8B45FC
mov eax, dword ptr [ebp-04]
:00445929 8B80E8010000 mov eax, dword
ptr [eax+000001E8]
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:0044592F E8FCC1FBFF Call
00401B30
:00445934 8B55EC
mov edx, dword ptr [ebp-14] <----Get Name
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458D4(C)
|
:00445937 A1B86B4C00 mov eax,
dword ptr [004C6BB8]
:0044593C 8B00
mov eax, dword ptr [eax]
:0044593E 59
pop ecx
:0044593F E80C3B0700 call
004B9450
:00445944 8D55F0
lea edx, dword ptr [ebp-10]
:00445947 8B45FC
mov eax, dword ptr [ebp-04]
:0044594A 8B8008020000 mov eax, dword
ptr [eax+00000208]
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:00445950 E8DBC1FBFF Call
00401B30
:00445955 8B55F0
mov edx, dword ptr [ebp-10] <----Real Registration Key
:00445958 8B45F8
mov eax, dword ptr [ebp-08] <----12345
* Reference To: VCL30.System.@LStrCmp@51F89FF7, Ord:0000h
|
:0044595B E848B8FBFF Call
004011A8 <---LStrCmp: compares the typed key in [ebp-08] with the key the program just computed into [ebp-10]
:00445960 0F856B020000 jne 00445BD1
<---jump taken when the two strings differ = registration fails; fall through = success path (sets the flags and writes the registry key below)
:00445966 A19C6B4C00 mov eax,
dword ptr [004C6B9C]
:0044596B C60001
mov byte ptr [eax], 01
:0044596E A1D46B4C00 mov eax,
dword ptr [004C6BD4]
:00445973 C60000
mov byte ptr [eax], 00
:00445976 B201
mov dl, 01
:00445978 A11C8B4E00 mov eax,
dword ptr [004E8B1C]
* Reference To: VCL30.Registry.TRegistry.Create@23EDC2EF, Ord:0000h
|
:0044597D E83EC6FBFF Call
00401FC0
:00445982 8945F4
mov dword ptr [ebp-0C], eax
:00445985 BA02000080 mov edx,
80000002
:0044598A 8B45F4
mov eax, dword ptr [ebp-0C]
* Reference To: VCL30.Registry.TRegistry.SetRootKey@23EDC2EF, Ord:0000h
|
:0044598D E83EC6FBFF Call
00401FD0
:00445992 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan
"
->"Remover\User"
|
:00445994 BA385F4400 mov edx,
00445F38
:00445999 8B45F4
mov eax, dword ptr [ebp-0C]
* Reference To: VCL30.Registry.TRegistry.OpenKey@23EDC2EF, Ord:0000h
|
:0044599C E837C6FBFF Call
00401FD8
:004459A1 84C0
test al, al
:004459A3 0F84DC000000 je 00445A85
:004459A9 33C0
xor eax, eax
:004459AB 55
push ebp
:004459AC 685D5A4400 push
00445A5D
:004459B1 64FF30
push dword ptr fs:[eax]
:004459B4 648920
mov dword ptr fs:[eax], esp
:004459B7 8D55F0
lea edx, dword ptr [ebp-10]
:004459BA 8B45FC
mov eax, dword ptr [ebp-04]
:004459BD 8B80E8010000 mov eax, dword
ptr [eax+000001E8]
如果只是简单的找注册码,到这里应该结束了:0044595B 处的 LStrCmp 只是把输入的 Registration Key([ebp-08])和程序自己算出来的 Key([ebp-10])做一次明文字符串比较,比较之前真正的 Key 已经在内存里了(D [ebp-10] 即可看到),随后 00445960 的 jne 决定成败。但作为Cracker我们应该有一种一追到底的精神,就像追MM一样:)要追到她们感动为止,否则,不要轻易放弃。情圣守则第一条。
又扯远了^O^
让我们来分析一下注册码生成过程,
在这里的时候:00445922 50
push eax
<----Save Serial Number
下BPR eax eax+7 r,按一下F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B943B(C)
|
:004B94A6 8B55FC
mov edx, dword ptr [ebp-04]
:004B94A9 8A543AFF
mov dl, byte ptr [edx+edi-01] <----Here we come
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B94AD E8B67CF4FF Call
00401168
:004B94B2 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
<---StrToInt(Serial Number)
|
:004B94B5 E8EE80F4FF Call
004015A8
:004B94BA 83F802
cmp eax, 00000002 <---if
SN[i]>=2 jump
:004B94BD 7D44
jge 004B9503
:004B94BF 8D45E8
lea eax, dword ptr [ebp-18]
:004B94C2 8B55FC
mov edx, dword ptr [ebp-04]
:004B94C5 8A543AFF
mov dl, byte ptr [edx+edi-01]
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B94C9 E89A7CF4FF Call
00401168
:004B94CE 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h <----StrToInt(SN[i])
|
:004B94D1 E8D280F4FF Call
004015A8
:004B94D6 83C003
add eax, 00000003 <----SN[i]=SN[i]+3
:004B94D9 7105
jno 004B94E0
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B94DB E8C07BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94D9(C)
|
:004B94E0 6BC051
imul eax, 00000051 <----SN[i]=SN[i]*0x51
:004B94E3 7105
jno 004B94EA
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B94E5 E8B67BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94E3(C)
|
:004B94EA 8BF8
mov edi, eax
:004B94EC 8D55E8
lea edx, dword ptr [ebp-18]
:004B94EF 8BC7
mov eax, edi
* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
|
:004B94F1 E8AA80F4FF Call
004015A0 <---IntToStr
:004B94F6 8B55E8
mov edx, dword ptr [ebp-18]
:004B94F9 8D45F8
lea eax, dword ptr [ebp-08]
* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
|
:004B94FC E88F7CF4FF Call
00401190 <---StrCat
:004B9501 EB38
jmp 004B953B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94BD(C)
|
:004B9503 8D45E8
lea eax, dword ptr [ebp-18]
:004B9506 8B55FC
mov edx, dword ptr [ebp-04]
:004B9509 8A543AFF
mov dl, byte ptr [edx+edi-01]
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B950D E8567CF4FF Call
00401168
:004B9512 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
|
:004B9515 E88E80F4FF Call
004015A8
:004B951A 6BC02F
imul eax, 0000002F <---eax=eax*2F
:004B951D 7105
jno 004B9524
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B951F E87C7BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B951D(C)
|
:004B9524 8BF8
mov edi, eax
:004B9526 8D55E8
lea edx, dword ptr [ebp-18]
:004B9529 8BC7
mov eax, edi
* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
|
:004B952B E87080F4FF Call
004015A0 <----IntToStr
:004B9530 8B55E8
mov edx, dword ptr [ebp-18]
:004B9533 8D45F8
lea eax, dword ptr [ebp-08]
* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
|
:004B9536 E8557CF4FF Call
00401190 <-----String catenating
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9501(U)
|
:004B953B 43
inc ebx
:004B953C 4E
dec esi
:004B953D 0F855EFFFFFF jne 004B94A1
<---esi is the remaining character count (dec esi above); loop back until every digit of the Serial Number has been processed
上面的程序无非做了这些工作:把Serial Number字符串中的每一个字符变成整数;若该数字小于2(即0或1),先加3再乘以0x51(81),否则乘以0x2F(47);结果再转换为字符串,依次连结起来。我的Serial Number=26313818,
按以上的规律则变成这样:
IntToStr(2*2F)+IntToStr(6*2F)+IntToStr(3*2F)+IntToStr((1+3)*0x51)+IntToStr(3*2F)+IntToStr(8*2F)+IntToStr((1+3)*0x51)+IntToStr(8*2F)=>"94282141324141376324376"
<--Now we call this StrA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9496(C)
|
:004B9543 8B45F8
mov eax, dword ptr [ebp-08] <---D eax, You'll Look StrA
* Reference To: VCL30.SysUtils.StrToFloat@044134E0, Ord:0000h
|
:004B9546 E86D81F4FF Call
004016B8 <---StrA convert
To Float
:004B954B DB7DEE
fstp tbyte ptr [ebp-12] <---Store at ebp-12
:004B954E 9B
wait
:004B954F DB6DEE
fld tbyte ptr [ebp-12] <---Load StrA
:004B9552 DB2DE4954B00 fld tbyte
ptr [004B95E4] <---Load some Float value
:004B9558 DEC9
fmulp st(1), st(0) <---st(0)=st(1)*st(0)
:004B955A DB2DF0954B00 fld tbyte
ptr [004B95F0] <---Load another value
:004B9560 DEE9
fsubp st(1), st(0) <---st(0)=st(1)-st(0)
:004B9562 DB7DEE
fstp tbyte ptr [ebp-12] <---Save st(0)
:004B9565 9B
wait
:004B9566 EB1A
jmp 004B9582
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9590(C)
|
:004B9568 8B45FC
mov eax, dword ptr [ebp-04]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
|
:004B956B E83880F4FF Call
004015A8
:004B9570 8945E4
mov dword ptr [ebp-1C], eax <---eax=Serial Number
:004B9573 DB45E4
fild dword ptr [ebp-1C] <---Load it
:004B9576 DB6DEE
fld tbyte ptr [ebp-12] <---Load st(0)
* Reference To: VCL30.System.@FSafeDivideR@51F89FF7, Ord:0000h
|
:004B9579 E8EA7CF4FF Call
00401268 <---st(0)=st(1)/st(0)
:004B957E DB7DEE
fstp tbyte ptr [ebp-12] <---Save *result*
:004B9581 9B
wait
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9566(U)
|
:004B9582 DB6DEE
fld tbyte ptr [ebp-12] <---Load st(0)
:004B9585 DB2DFC954B00 fld tbyte
ptr [004B95FC] <---Load value
:004B958B DED9
fcompp
<---Compare
:004B958D DFE0
fstsw ax
<---Store Status Word
:004B958F 9E
sahf
<---Store AH Register into FLAGS
:004B9590 72D6
jb 004B9568
:004B9592 668B45F6
mov ax, word ptr [ebp-0A]
:004B9596 50
push eax
:004B9597 FF75F2
push [ebp-0E]
:004B959A FF75EE
push [ebp-12]
:004B959D 8B4508
mov eax, dword ptr [ebp+08]
:004B95A0 50
push eax
:004B95A1 33C9
xor ecx, ecx
:004B95A3 BA12000000 mov edx,
00000012
:004B95A8 B002
mov al, 02
* Reference To: VCL30.SysUtils.FloatToStrF@0DD792DD, Ord:0000h
|
:004B95AA E80181F4FF Call
004016B0
:004B95AF 33C0
xor eax, eax
:004B95B1 5A
pop edx
:004B95B2 59
pop ecx
:004B95B3 59
pop ecx
:004B95B4 648910
mov dword ptr fs:[eax], edx
:004B95B7 68D9954B00 push
004B95D9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B95D7(U)
|
:004B95BC 8D45E8
lea eax, dword ptr [ebp-18]
* Reference To: VCL30.System.@LStrClr@40929B27, Ord:0000h
|
:004B95BF E87C7BF4FF Call
00401140
:004B95C4 8D45F8
lea eax, dword ptr [ebp-08]
:004B95C7 BA02000000 mov edx,
00000002
* Reference To: VCL30.System.@LStrArrayClr@51F89FF7, Ord:0000h
|
:004B95CC E8777BF4FF Call
00401148
:004B95D1 C3
ret
其实上面的:004B957E DB7DEE
fstp tbyte ptr [ebp-12] <---Save *result*
中的结果就是正确的注册码了。注意 :004B9590 的 jb 004B9568 是向后跳转:按 fcompp/fstsw/sahf/jb 的语义,只要 [ebp-12] 中的值仍大于 004B95FC 处的常数,就会再除一次 Serial Number。下面的 Delphi 代码只除了一次,对本例是够的(注册表里保存的 Registration 值 0x42FD187B044C32F0 ≈ 5.12e14,正是除一次的结果),但 004B95FC 处的常数本文没有列出,其它序列号是否需要第二次除法请自行验证。
1、注册码与Username,Organisation无关,只与Serial Number有关。
2、注册过程:
{ Keygen for Trojan Remover 4.2.1, reconstructed from the routine at 004B9450.
  Reads the Serial Number from edit1 and writes the Registration Key to edit2.
  Only the serial number matters; Username/Organisation are not used.
  Each serial digit d is mapped to a decimal string -- (d+3)*81 when d < 2,
  d*47 otherwise -- and the pieces are concatenated. That string is converted
  to a float, scaled, offset, divided by the serial number and rounded.
  NOTE(review): 0.142857... (1/7) and 480547639 are the author's recovered
  values for the constants at 004B95E4/004B95F0, which the listing does not
  show -- confirm against the binary.
  NOTE(review): the original repeats the division while the value exceeds the
  constant at 004B95FC; this reproduction divides exactly once.
  A non-digit character (or an empty serial) makes StrToInt raise. }
procedure TForm1.Button3Click(Sender: TObject);
var
  I, Digit: Integer;
  Serial, Mapped: String;
begin
  Serial := edit1.text;
  Mapped := '';
  for I := 1 to Length(Serial) do
  begin
    Digit := StrToInt(Serial[I]);
    if Digit < 2 then
      Mapped := Mapped + IntToStr((Digit + 3) * 81)
    else
      Mapped := Mapped + IntToStr(Digit * 47);
  end;
  { scale, offset, divide by the serial number itself, then round to an integer key }
  edit2.text := IntToStr(Round((StrToFloat(Mapped) * 0.1428571428571428571 - 480547639) / StrToInt(Serial)));
end;
3、该程序注册后信息在注册表中如下(两个 hex 值都是 8 字节小端序的 IEEE-754 double:Serial Number 为 0x41791845A0000000 = 26313818.0,Registration 为 0x42FD187B044C32F0,即上面算出的注册码;另外该键在 HKEY_LOCAL_MACHINE 下,对应 00445985 处 SetRootKey 的 80000002,写入需要对 HKLM 的写权限):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Simply Super Software\Trojan Remover\User]
"Name"="CoolBob"
"Organisation"="China Cracker Group"
"Serial Number"=hex:00,00,00,a0,45,18,79,41
"Registration"=hex:f0,32,4c,04,7b,18,fd,42
-----------------------------------------------------------written by CoolBob[CCG]
2001.4.16
- 标 题:Registering Trojan Remover 4.2.1 (14千字)
- 作 者:CoolBob[CCG]
- 时 间:2001-4-16 23:46:25
- 链 接:http://bbs.pediy.com