• Title: Registering Trojan Remover 4.2.1 (14k characters)
  • Author: CoolBob[CCG]
  • Date: 2001-4-16 23:46:25
  • Link: http://bbs.pediy.com

Registering Trojan Remover 4.2.1
1. Download: http://www.simplysup.com/tremover/
2. Size: 1430Kb
3. Cracking tools: SoftICE 4.05, TRW2000, Win32dasm 8.93, Hiew 6.40
4. About the software: a rather popular trojan detection and removal tool; this is the latest version.
  The main executable is packed with ASPack, and the program is written in Delphi 3.0. The main program is only 197K, yet after unpacking it is a full 1.08Mb.
  After disassembling it with Win32dasm I saw a group of ->"Temporary registration Code "
* Possible StringData Ref from Code Obj ->"419246"
* Possible StringData Ref from Code Obj ->"387192"
* Possible StringData Ref from Code Obj ->"388028"
* Possible StringData Ref from Code Obj ->"422199"
I tried one and it still works; this prompt appeared -> "Temporary registration has been applied successfully. This registration will be valid for the next 72 hours."
Only 72 hours of use, I #%^&$#^, that is far too stingy. So I decided to take the knife to it and be done :)

5. Cracking process: run the program and enter  Username:          CoolBob
              Organisation:      China Cracker Group
              Serial Number:    26313818 (randomly generated)
              Registration Key:  12345

At first I used TRW2000 and found I had been fooled: the program uses floating-point arithmetic when verifying the registration. So SoftICE took the stage instead: set BPX hmemcpy, press F5 to return to the program, click the OK button and SoftICE breaks in; 12 presses of F12 bring you here ---->

Copyright © 1999-2001 Simply Super Software
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
                                  |
:0044591A E811C2FBFF              Call 00401B30
:0044591F 8B45F0                  mov eax, dword ptr [ebp-10] <----Here we come
:00445922 50                      push eax              <----Save Serial Number
:00445923 8D55EC                  lea edx, dword ptr [ebp-14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458BF(C)
|
:00445926 8B45FC                  mov eax, dword ptr [ebp-04]
:00445929 8B80E8010000            mov eax, dword ptr [eax+000001E8]

* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
                                  |
:0044592F E8FCC1FBFF              Call 00401B30
:00445934 8B55EC                  mov edx, dword ptr [ebp-14] <----Get Name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458D4(C)
|
:00445937 A1B86B4C00              mov eax, dword ptr [004C6BB8]
:0044593C 8B00                    mov eax, dword ptr [eax]
:0044593E 59                      pop ecx
:0044593F E80C3B0700              call 004B9450
:00445944 8D55F0                  lea edx, dword ptr [ebp-10]
:00445947 8B45FC                  mov eax, dword ptr [ebp-04]
:0044594A 8B8008020000            mov eax, dword ptr [eax+00000208]

* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
                                  |
:00445950 E8DBC1FBFF              Call 00401B30
:00445955 8B55F0                  mov edx, dword ptr [ebp-10] <----Real Registration Key
:00445958 8B45F8                  mov eax, dword ptr [ebp-08] <----12345

* Reference To: VCL30.System.@LStrCmp@51F89FF7, Ord:0000h
                                  |
:0044595B E848B8FBFF              Call 004011A8              <---Hmmm,What about this call?
:00445960 0F856B020000            jne 00445BD1              <---If jump,bad guy
:00445966 A19C6B4C00              mov eax, dword ptr [004C6B9C]
:0044596B C60001                  mov byte ptr [eax], 01
:0044596E A1D46B4C00              mov eax, dword ptr [004C6BD4]
:00445973 C60000                  mov byte ptr [eax], 00
:00445976 B201                    mov dl, 01
:00445978 A11C8B4E00              mov eax, dword ptr [004E8B1C]

* Reference To: VCL30.Registry.TRegistry.Create@23EDC2EF, Ord:0000h
                                  |
:0044597D E83EC6FBFF              Call 00401FC0
:00445982 8945F4                  mov dword ptr [ebp-0C], eax
:00445985 BA02000080              mov edx, 80000002
:0044598A 8B45F4                  mov eax, dword ptr [ebp-0C]

* Reference To: VCL30.Registry.TRegistry.SetRootKey@23EDC2EF, Ord:0000h
                                  |
:0044598D E83EC6FBFF              Call 00401FD0
:00445992 B101                    mov cl, 01

* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan "
                                        ->"Remover\User"
                                  |
:00445994 BA385F4400              mov edx, 00445F38
:00445999 8B45F4                  mov eax, dword ptr [ebp-0C]

* Reference To: VCL30.Registry.TRegistry.OpenKey@23EDC2EF, Ord:0000h
                                  |
:0044599C E837C6FBFF              Call 00401FD8
:004459A1 84C0                    test al, al
:004459A3 0F84DC000000            je 00445A85
:004459A9 33C0                    xor eax, eax
:004459AB 55                      push ebp
:004459AC 685D5A4400              push 00445A5D
:004459B1 64FF30                  push dword ptr fs:[eax]
:004459B4 648920                  mov dword ptr fs:[eax], esp
:004459B7 8D55F0                  lea edx, dword ptr [ebp-10]
:004459BA 8B45FC                  mov eax, dword ptr [ebp-04]
:004459BD 8B80E8010000            mov eax, dword ptr [eax+000001E8]
If you only wanted to find a registration code you could stop here, but as Crackers we should have the spirit of chasing things to the end, just like chasing girls :) keep going until they are moved; otherwise, don't give up easily. Rule one of the lover's code. Off topic again ^O^

Let's analyse how the registration code is generated.
When you are at this point: 00445922 50                      push eax              <----Save Serial Number
set BPR eax eax+7 r and press F5 once
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B943B(C)
|
:004B94A6 8B55FC                  mov edx, dword ptr [ebp-04]
:004B94A9 8A543AFF                mov dl, byte ptr [edx+edi-01]      <----Here we come

* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
                                  |
:004B94AD E8B67CF4FF              Call 00401168
:004B94B2 8B45E8                  mov eax, dword ptr [ebp-18]

* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h        <---StrToInt(Serial Number)
                                  |
:004B94B5 E8EE80F4FF              Call 004015A8
:004B94BA 83F802                  cmp eax, 00000002            <---if SN[i]>=2 jump
:004B94BD 7D44                    jge 004B9503
:004B94BF 8D45E8                  lea eax, dword ptr [ebp-18]
:004B94C2 8B55FC                  mov edx, dword ptr [ebp-04]
:004B94C5 8A543AFF                mov dl, byte ptr [edx+edi-01]

* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
                                  |
:004B94C9 E89A7CF4FF              Call 00401168
:004B94CE 8B45E8                  mov eax, dword ptr [ebp-18]

* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h    <----StrToInt(SN[i])
                                  |
:004B94D1 E8D280F4FF              Call 004015A8
:004B94D6 83C003                  add eax, 00000003        <----SN[i]=SN[i]+3
:004B94D9 7105                    jno 004B94E0

* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
                                  |
:004B94DB E8C07BF4FF              Call 004010A0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94D9(C)
|
:004B94E0 6BC051                  imul eax, 00000051          <----SN[i]=SN[i]*0x51 
:004B94E3 7105                    jno 004B94EA

* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
                                  |
:004B94E5 E8B67BF4FF              Call 004010A0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94E3(C)
|
:004B94EA 8BF8                    mov edi, eax
:004B94EC 8D55E8                  lea edx, dword ptr [ebp-18]
:004B94EF 8BC7                    mov eax, edi

* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
                                  |
:004B94F1 E8AA80F4FF              Call 004015A0              <---IntToStr
:004B94F6 8B55E8                  mov edx, dword ptr [ebp-18]
:004B94F9 8D45F8                  lea eax, dword ptr [ebp-08]

* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
                                  |
:004B94FC E88F7CF4FF              Call 00401190             <---StrCat
:004B9501 EB38                    jmp 004B953B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94BD(C)
|
:004B9503 8D45E8                  lea eax, dword ptr [ebp-18]
:004B9506 8B55FC                  mov edx, dword ptr [ebp-04]
:004B9509 8A543AFF                mov dl, byte ptr [edx+edi-01]

* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
                                  |
:004B950D E8567CF4FF              Call 00401168
:004B9512 8B45E8                  mov eax, dword ptr [ebp-18]

* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
                                  |
:004B9515 E88E80F4FF              Call 004015A8
:004B951A 6BC02F                  imul eax, 0000002F        <---eax=eax*2F
:004B951D 7105                    jno 004B9524

* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
                                  |
:004B951F E87C7BF4FF              Call 004010A0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B951D(C)
|
:004B9524 8BF8                    mov edi, eax
:004B9526 8D55E8                  lea edx, dword ptr [ebp-18]
:004B9529 8BC7                    mov eax, edi

* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
                                  |
:004B952B E87080F4FF              Call 004015A0              <----IntToStr
:004B9530 8B55E8                  mov edx, dword ptr [ebp-18]
:004B9533 8D45F8                  lea eax, dword ptr [ebp-08]

* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
                                  |
:004B9536 E8557CF4FF              Call 00401190              <-----String catenating

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9501(U)
|
:004B953B 43                      inc ebx
:004B953C 4E                      dec esi
:004B953D 0F855EFFFFFF            jne 004B94A1            <---jump if SN[i]<>nil
All the code above does is this: it turns each character of the Serial Number string into an integer, multiplies it by 2F (for digits below 2 it instead adds 3 and multiplies by 0x51, as the cmp eax, 00000002 branch above shows),
converts the result back to a string, and concatenates the strings. My Serial Number=26313818,
so by the rule above it becomes this:
IntToStr(2*2F)+IntToStr(6*2F)+IntToStr(3*2F)+IntToStr((1+3)*0x51)+IntToStr(3*2F)+IntToStr(8*2F)+IntToStr((1+3)*0x51)+IntToStr(8*2F)=>"94282141324141376324376"  <--Now we call this StrA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9496(C)
|
:004B9543 8B45F8                  mov eax, dword ptr [ebp-08] <---D eax, You'll Look StrA

* Reference To: VCL30.SysUtils.StrToFloat@044134E0, Ord:0000h
                                  |
:004B9546 E86D81F4FF              Call 004016B8              <---StrA convert To Float
:004B954B DB7DEE                  fstp tbyte ptr [ebp-12]    <---Store at ebp-12
:004B954E 9B                      wait
:004B954F DB6DEE                  fld tbyte ptr [ebp-12]    <---Load StrA
:004B9552 DB2DE4954B00            fld tbyte ptr [004B95E4]  <---Load some Float value
:004B9558 DEC9                    fmulp st(1), st(0)        <---st(0)=st(1)*st(0)
:004B955A DB2DF0954B00            fld tbyte ptr [004B95F0]  <---Load another value
:004B9560 DEE9                    fsubp st(1), st(0)        <---st(0)=st(1)-st(0)
:004B9562 DB7DEE                  fstp tbyte ptr [ebp-12]    <---Save st(0)
:004B9565 9B                      wait
:004B9566 EB1A                    jmp 004B9582

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9590(C)
|
:004B9568 8B45FC                  mov eax, dword ptr [ebp-04]

* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
                                  |
:004B956B E83880F4FF              Call 004015A8
:004B9570 8945E4                  mov dword ptr [ebp-1C], eax <---eax=Serial Number
:004B9573 DB45E4                  fild dword ptr [ebp-1C]    <---Load it
:004B9576 DB6DEE                  fld tbyte ptr [ebp-12]      <---Load st(0)

* Reference To: VCL30.System.@FSafeDivideR@51F89FF7, Ord:0000h
                                  |
:004B9579 E8EA7CF4FF              Call 00401268              <---st(0)=st(1)/st(0)
:004B957E DB7DEE                  fstp tbyte ptr [ebp-12]    <---Save *result*
:004B9581 9B                      wait

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9566(U)
|
:004B9582 DB6DEE                  fld tbyte ptr [ebp-12]    <---Load st(0)
:004B9585 DB2DFC954B00            fld tbyte ptr [004B95FC]  <---Load value
:004B958B DED9                    fcompp                    <---Compare

:004B958D DFE0                    fstsw ax                  <---Store Status Word
:004B958F 9E                      sahf                 <---Store AH Register into FLAGS

:004B9590 72D6                    jb 004B9568
:004B9592 668B45F6                mov ax, word ptr [ebp-0A]
:004B9596 50                      push eax
:004B9597 FF75F2                  push [ebp-0E]
:004B959A FF75EE                  push [ebp-12]
:004B959D 8B4508                  mov eax, dword ptr [ebp+08]
:004B95A0 50                      push eax
:004B95A1 33C9                    xor ecx, ecx
:004B95A3 BA12000000              mov edx, 00000012
:004B95A8 B002                    mov al, 02

* Reference To: VCL30.SysUtils.FloatToStrF@0DD792DD, Ord:0000h
                                  |
:004B95AA E80181F4FF              Call 004016B0
:004B95AF 33C0                    xor eax, eax
:004B95B1 5A                      pop edx
:004B95B2 59                      pop ecx
:004B95B3 59                      pop ecx
:004B95B4 648910                  mov dword ptr fs:[eax], edx
:004B95B7 68D9954B00              push 004B95D9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B95D7(U)
|
:004B95BC 8D45E8                  lea eax, dword ptr [ebp-18]

* Reference To: VCL30.System.@LStrClr@40929B27, Ord:0000h
                                  |
:004B95BF E87C7BF4FF              Call 00401140
:004B95C4 8D45F8                  lea eax, dword ptr [ebp-08]
:004B95C7 BA02000000              mov edx, 00000002

* Reference To: VCL30.System.@LStrArrayClr@51F89FF7, Ord:0000h
                                  |
:004B95CC E8777BF4FF              Call 00401148
:004B95D1 C3                      ret

In fact the value stored by :004B957E DB7DEE                  fstp tbyte ptr [ebp-12]    <---Save *result*
above is already the correct registration code.

1. The registration code has nothing to do with Username or Organisation; it depends only on the Serial Number.
2. The registration procedure:
procedure TForm1.Button3Click(Sender: TObject);
var
  I: Integer;
  MyString, StrA: String;
begin
  MyString := edit1.text;
  I := 1;
  while I <= Length(MyString) do
  begin
    if StrToInt(MyString[I]) < 2 then
      StrA := StrA + IntToStr((StrToInt(MyString[I]) + 3) * 81)
    else
      StrA := StrA + IntToStr(StrToInt(MyString[I]) * 47);
    I := I + 1;
  end;

  edit2.text := IntToStr(Round((StrToFloat(StrA) * 0.1428571428571428571 - 480547639) / StrToInt(MyString)));
end;



3. After registration, the program's information in the registry looks like this:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Simply Super Software\Trojan Remover\User]
"Name"="CoolBob"
"Organisation"="China Cracker Group"
"Serial Number"=hex:00,00,00,a0,45,18,79,41
"Registration"=hex:f0,32,4c,04,7b,18,fd,42
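
The two REG_BINARY values in that export are worth decoding rather than taking on faith. The following is an added example, not code from the original post or from Simply Super Software; it parses the registry fragment quoted above and interprets each 8-byte `hex:` value as a little-endian IEEE-754 double, on the assumption that the Delphi program stores both numbers as a Double. The decode bears that out: "Serial Number" comes back as exactly 26313818, the serial entered earlier, and "Registration" comes back as an integer-valued double, which matches a value that went through Round before being written. It also makes point 1 concrete: the stored licence state consists of two plain numbers, and the name and organisation strings next to them play no part in it. The parser (`parse_reg_export`) and the decoder (`decode_double`, `decode_user_key`) are assumed names, and the only .reg syntax handled is the subset appearing in the fragment.

```python
"""Decode the REG_BINARY values of a REGEDIT4 export as IEEE-754 doubles.

Added example (not part of the original post). Parses the registry fragment
quoted on the page and interprets the two 8-byte values as little-endian
Delphi Double values.
"""
import re
import struct

# Registry export exactly as quoted on the page (copied here as the sample input).
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Simply Super Software\Trojan Remover\User]
"Name"="CoolBob"
"Organisation"="China Cracker Group"
"Serial Number"=hex:00,00,00,a0,45,18,79,41
"Registration"=hex:f0,32,4c,04,7b,18,fd,42
'''

USER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Simply Super Software\Trojan Remover\User"

_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_HEX_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4-style export.

    String values stay str; ``hex:`` values become bytes. Only the subset of
    .reg syntax used in the fragment above is handled (hypothetical helper).
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value line before any [key] header: %r" % line)
        m = _HEX_RE.match(line)
        if m:
            keys[current][m.group(1)] = bytes.fromhex(m.group(2).replace(",", ""))
            continue
        m = _STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_double(blob):
    """Interpret an 8-byte REG_BINARY blob as a little-endian IEEE-754 double
    (the in-memory layout of a Delphi Double)."""
    if len(blob) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(blob))
    return struct.unpack("<d", blob)[0]


def decode_user_key(text=REG_EXPORT):
    """Decode the values under the User key: strings as-is, binaries as doubles."""
    user = parse_reg_export(text)[USER_KEY]
    return {
        "Name": user["Name"],
        "Organisation": user["Organisation"],
        "Serial Number": decode_double(user["Serial Number"]),
        "Registration": decode_double(user["Registration"]),
    }


if __name__ == "__main__":
    for name, value in decode_user_key().items():
        print("%-14s %r" % (name, value))
```

The serial decodes to 26313818.0 because the bytes form 0x41791845A0000000: exponent 0x417 gives 2^24, and the 52-bit mantissa 0x91845A0000000 contributes 0x91845A = 9536602, so the value is 16777216 + 9536602. The registration value has exponent 2^48 and a mantissa whose low four bits are zero, so it is an exact integer below 2^53 and round-trips through the double without loss.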

-----------------------------------------------------------written by CoolBob[CCG] 2001.4.16