• Title: Cracking 木马克星 (Iparmor) 5.33.60 (9k chars)
  • Author: zwlzwl
  • Time: 2002-3-28 17:58:36
  • Link: http://bbs.pediy.com

Cracking 木马克星 (Iparmor) 5.33.60

I keep hearing from friends that a lot of web pages these days carry trojans (in particular one called 网络神偷, which can get through many firewalls and into our systems to steal data), and that just viewing such a page gets you infected. Being worried, I went straight to the 华军 (onlinedown.net) site and downloaded a program called 木马克星, but it wants a registration code. I have been in a so-so mood lately anyway, so I decided to try my hand at this program and build up some confidence!

Software information:
Name: 木马克星 (iparmor)
Compiled on: 2002.3.27
Latest version: 5.33.60
File size: 1392KB
Licence: shareware
Platform: Win9x/Me/NT/2000
Publisher: http://www.luosoft.com/
Description:
  Detects and removes 5021 international trojans and 112 e-mail trojans; guaranteed to catch 冰河-style file-association trojans, OICQ-style parasitic trojans, ICMP-style ghost trojans and 网络神偷-style reverse-connection trojans. The built-in trojan firewall requires Iparmor's confirmation before any hacker can establish a connection to this machine, so it not only removes trojans but also catches hackers.


Download: http://gwbn.onlinedown.net/down/iparmor.exe

Tools: trw2000 (ver 1.23), PW32Dasm9b.exe

Cracked by: zwlzwl
E-mail: tsgmx@21cn.com


First, disassemble Iparmor.exe with PW32Dasm9b.exe.
In the string data references find the string "软件已经被成功注册" (the software has been registered successfully); looking upward from there you can see the code below. Please follow along as I go through it.

:004F6C39 8B8024020000            mov eax, dword ptr [eax+00000224]
:004F6C3F 2D6E020000              sub eax, 0000026E
:004F6C44 E86B31F1FF              call 00409DB4
:004F6C49 8B95ECFEFFFF            mov edx, dword ptr [ebp+FFFFFEEC]
:004F6C4F 8B45FC                  mov eax, dword ptr [ebp-04]
:004F6C52 E861DFF0FF              call 00404BB8 <-- since what follows is the crucial part, the registration code must be compared in here, so we step in for a closer look
:004F6C57 0F858F000000            jne 004F6CEC <-- the critical jump; it must not be taken: as soon as it jumps you get the error
:004F6C5D C6050C12510001          mov byte ptr [0051120C], 01
:004F6C64 33D2                    xor edx, edx
:004F6C66 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:004F6C6C E8830BF4FF              call 004377F4

* Possible StringData Ref from Code Obj ->"Reistered successfully."
                                  |
:004F6C71 BA3C774F00              mov edx, 004F773C
:004F6C76 8B83E8020000            mov eax, dword ptr [ebx+000002E8]
:004F6C7C E8670DF4FF              call 004379E8
:004F6C81 803F00                  cmp byte ptr [edi], 00
:004F6C84 7410                    je 004F6C96

* Possible StringData Ref from Code Obj ->"软件已经被
成功注册."
                                  |
:004F6C86 BA5C774F00              mov edx, 004F775C
:004F6C8B 8B83E8020000            mov eax, dword ptr [ebx+000002E8]
:004F6C91 E8520DF4FF              call 004379E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6C84(C)
|
:004F6C96 33D2                    xor edx, edx


Stepping into
:004F6C52 E861DFF0FF              call 00404BB8
we see the code below; here is my analysis.


:00404BB8 53                      push ebx
:00404BB9 56                      push esi
:00404BBA 57                      push edi
:00404BBB 89C6                    mov esi, eax <-- ESI is used as a mirror of EAX; [EAX] holds the fake registration code
:00404BBD 89D7                    mov edi, edx <-- EDI is used as a mirror of EDX; [EDX] holds the real registration code
:00404BBF 39D0                    cmp eax, edx <-- compare whether the addresses of the real and fake codes are the same
:00404BC1 0F848F000000            je 00404C56 <-- if they are the same, jump to the cannot-register path
:00404BC7 85F6                    test esi, esi <-- test whether the address of the fake code is 0 (i.e. whether it exists)
:00404BC9 7468                    je 00404C33  <-- if it is 0 (does not exist), jump to the cannot-register path
:00404BCB 85FF                    test edi, edi <-- test whether the address of the real code is 0 (i.e. whether it exists)
:00404BCD 746B                    je 00404C3A  <-- if it is 0 (does not exist), jump to the cannot-register path
:00404BCF 8B46FC                  mov eax, dword ptr [esi-04] <-- get the length (number of characters) of the fake code
:00404BD2 8B57FC                  mov edx, dword ptr [edi-04] <-- get the length of the real code
:00404BD5 29D0                    sub eax, edx <-- subtract the real code's length from the fake code's length
:00404BD7 7702                    ja 00404BDB <-- if the fake code is longer than the real code, jump to the cannot-register path
:00404BD9 01C2                    add edx, eax <-- put the fake code's length into EDX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404BD7(C)
|
:00404BDB 52                      push edx <-- save the fake code's length
:00404BDC C1EA02                  shr edx, 02 <-- shift the length (in binary) right by 2 bits
:00404BDF 7426                    je 00404C07 <-- if the fake code's length is not greater than 2, jump to the cannot-register path

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404BFD(C)
|
:00404BE1 8B0E                    mov ecx, dword ptr [esi] <-- load the first 4 ASCII bytes of the fake code
:00404BE3 8B1F                    mov ebx, dword ptr [edi] <-- load the first 4 ASCII bytes of the real code
:00404BE5 39D9                    cmp ecx, ebx <-- compare these 4 ASCII bytes
:00404BE7 7558                    jne 00404C41 <-- if not equal, jump to the cannot-register path
:00404BE9 4A                      dec edx <-- decrement the code-length counter by 1
:00404BEA 7415                    je 00404C01 <-- if the counter is 0, jump to the cannot-register path
:00404BEC 8B4E04                  mov ecx, dword ptr [esi+04] <-- load ASCII bytes 5-8 of the fake code
:00404BEF 8B5F04                  mov ebx, dword ptr [edi+04] <-- load ASCII bytes 5-8 of the real code
:00404BF2 39D9                    cmp ecx, ebx <-- compare these 4 ASCII bytes
:00404BF4 754B                    jne 00404C41 <-- if not equal, jump to the cannot-register path
:00404BF6 83C608                  add esi, 00000008 <-- point the address pointer at the 9th fake ASCII byte
:00404BF9 83C708                  add edi, 00000008 <-- point the address pointer at the 9th real ASCII byte
:00404BFC 4A                      dec edx <-- decrement the code-length counter by 1 again
:00404BFD 75E2                    jne 00404BE1 <-- if not 0, jump back up and keep going through the 4-bytes-at-a-time comparison loop
:00404BFF EB06                    jmp 00404C07 <-- if the counter is 0, jump to the 1-byte-at-a-time comparison loop (because with the correct code only 9-8=1 ASCII byte is left now)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404BEA(C)
|
:00404C01 83C604                  add esi, 00000004
:00404C04 83C704                  add edi, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404BDF(C), :00404BFF(U)
|
:00404C07 5A                      pop edx <-- restore the fake code's length
:00404C08 83E203                  and edx, 00000003 <-- keep only the last two binary digits in EDX
:00404C0B 7422                    je 00404C2F <-- if the last two bits are both 0, jump to the cannot-register path
:00404C0D 8B0E                    mov ecx, dword ptr [esi] <-- load the last ASCII byte of the fake code into CL
:00404C0F 8B1F                    mov ebx, dword ptr [edi] <-- load the last ASCII byte of the real code into BL
:00404C11 38D9                    cmp cl, bl <-- compare the last ASCII byte
:00404C13 7541                    jne 00404C56 <-- if not equal, jump to the cannot-register path
:00404C15 4A                      dec edx <-- decrement the counter for those last two bits by 1
:00404C16 7417                    je 00404C2F <-- if the counter is 0 the comparison is finished; jump to the registered-OK path
:00404C18 38FD                    cmp ch, bh
:00404C1A 753A                    jne 00404C56
:00404C1C 4A                      dec edx
:00404C1D 7410                    je 00404C2F
:00404C1F 81E30000FF00            and ebx, 00FF0000
:00404C25 81E10000FF00            and ecx, 00FF0000
:00404C2B 39D9                    cmp ecx, ebx
:00404C2D 7527                    jne 00404C56

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404C0B(C), :00404C16(C), :00404C1D(C)
|
:00404C2F 01C0                    add eax, eax
:00404C31 EB23                    jmp 00404C56

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404BC9(C)
|
:00404C33 8B57FC                  mov edx, dword ptr [edi-04]
:00404C36 29D0                    sub eax, edx
:00404C38 EB1C                    jmp 00404C56

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404BCD(C)
|
:00404C3A 8B46FC                  mov eax, dword ptr [esi-04]
:00404C3D 29D0                    sub eax, edx
:00404C3F EB15                    jmp 00404C56

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404BE7(C), :00404BF4(C)
|
:00404C41 5A                      pop edx
:00404C42 38D9                    cmp cl, bl
:00404C44 7510                    jne 00404C56
:00404C46 38FD                    cmp ch, bh
:00404C48 750C                    jne 00404C56
:00404C4A C1E910                  shr ecx, 10
:00404C4D C1EB10                  shr ebx, 10
:00404C50 38D9                    cmp cl, bl
:00404C52 7502                    jne 00404C56
:00404C54 38FD                    cmp ch, bh

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404BC1(C), :00404C13(C), :00404C1A(C), :00404C2D(C), :00404C31(U)
|:00404C38(U), :00404C3F(U), :00404C44(C), :00404C48(C), :00404C52(C)
|
:00404C56 5F                      pop edi
:00404C57 5E                      pop esi
:00404C58 5B                      pop ebx
:00404C59 C3                      ret

So from the analysis above we know that at
:00404BBB 89C6                    mov esi, eax <-- press D EAX to see the fake registration code
:00404BBD 89D7                    mov edi, edx <-- press D EDX to see the real registration code

Mine is
name: zyx
code: 381039972

Since I am writing this for fellow newbies like myself, I have tried to be as detailed as possible;
I hope the experts will not complain that my write-up is too long-winded.
This article is for technical exchange only; do not use it for commercial purposes.
Please keep it intact when reposting!

If anything is badly written or wrong, you are welcome to write and point it out.
My e-mail: tsgmx@21cn.com
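As an added example (my own C++ model, not code from the post above or from Iparmor): the compare routine at 00404BB8 that the walk-through goes through, reimplemented over strings laid out the way the routine reads them (32-bit length at [ptr-4], characters after it). The caller at 004F6C57 only looks at ZF from this call, so the model returns whether ZF would be set, and it also counts the 4-byte and 1-byte compares so the "two dwords, then 9-8=1 byte" reasoning for a 9-character code can be checked. The names CmpTrace, LStr, lstrcmp_00404BB8 and traceCompare are mine; the sample inputs are constructed apart from 381039972, which is the code the post reads out of EDX.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// What the caller at 004F6C57 consumes from the routine, plus two counters so the
// walk-through (2 dword compares, then 9-8=1 byte compare for a 9-char code) can be checked.
struct CmpTrace {
    bool equal;         // true when the routine would leave ZF set (the jne is not taken)
    int dwordCompares;  // compares done in the 4-bytes-at-a-time loop at 00404BE1
    int byteCompares;   // compares done on the remaining (length & 3) bytes from 00404C0D
};

// A string laid out as the routine expects: the 32-bit length sits at [ptr-4] and the
// characters follow. ptr() plays the role of the pointer passed in EAX or EDX.
struct LStr {
    std::vector<uint8_t> buf;
    explicit LStr(const std::string& s) : buf(4 + s.size()) {
        uint32_t n = (uint32_t)s.size();
        std::memcpy(buf.data(), &n, 4);
        std::memcpy(buf.data() + 4, s.data(), s.size());
    }
    const uint8_t* ptr() const { return buf.data() + 4; }
};

static uint32_t lenOf(const uint8_t* p)   { uint32_t n; std::memcpy(&n, p - 4, 4); return n; }
static uint32_t dwordAt(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }

// Mirror of 00404BB8: esi = entered code (EAX), edi = reference code (EDX).
CmpTrace lstrcmp_00404BB8(const uint8_t* esi, const uint8_t* edi) {
    CmpTrace t{false, 0, 0};
    if (esi == edi) { t.equal = true; return t; }             // cmp eax,edx / je 00404C56
    if (!esi) { t.equal = lenOf(edi) == 0; return t; }        // 00404C33: eax = 0 - len(edi)
    if (!edi) { t.equal = lenOf(esi) == 0; return t; }        // 00404C3A: eax = len(esi) - 0
    uint32_t la = lenOf(esi), lb = lenOf(edi);
    uint32_t eax = la - lb;                                   // sub eax,edx
    uint32_t edx = (la > lb) ? lb : la;                       // ja 00404BDB / add edx,eax: shorter length
    uint32_t saved = edx;                                     // push edx
    edx >>= 2;                                                // number of whole dwords to compare
    while (edx) {                                             // loop at 00404BE1, two dwords per pass
        ++t.dwordCompares;
        if (dwordAt(esi) != dwordAt(edi)) return t;           // jne 00404C41: ZF ends up clear
        if (--edx == 0) { esi += 4; edi += 4; break; }        // je 00404C01
        ++t.dwordCompares;
        if (dwordAt(esi + 4) != dwordAt(edi + 4)) return t;
        esi += 8; edi += 8;
        --edx;
    }
    edx = saved & 3;                                          // pop edx / and edx,3
    for (uint32_t i = 0; i < edx; ++i) {                      // cl/bl, ch/bh, then the third byte
        ++t.byteCompares;
        if (esi[i] != edi[i]) return t;                       // jne 00404C56: ZF clear
    }
    t.equal = (uint32_t)(eax + eax) == 0;                     // add eax,eax at 00404C2F: ZF set iff lengths equal
    return t;
}

// Convenience wrapper: entered code vs reference code as ordinary strings.
CmpTrace traceCompare(const std::string& entered, const std::string& reference) {
    LStr a(entered), b(reference);
    return lstrcmp_00404BB8(a.ptr(), b.ptr());
}

int main() {
    const char* ref = "381039972";   // the code the post reads out of EDX for name "zyx"
    const char* tries[] = { "381039972", "381039973", "38103997" };   // constructed inputs
    for (const char* t : tries) {
        CmpTrace r = traceCompare(t, ref);
        std::printf("%-10s -> %s (%d dword compares, %d byte compares)\n",
                    t, r.equal ? "registered" : "jne taken", r.dwordCompares, r.byteCompares);
    }
    return 0;
}
```

Nothing in the routine depends on anything but the two strings: the reference code is already fully computed and sitting in memory when the call is made, which is why D EDX at 00404BBD is enough to read it, and why a keygen only has to reproduce how that reference string is built.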

  • Title: Posting a keygen source (7k chars)
  • Author: TAE!
  • Time: 2002-3-28 20:28:45
  • Link: http://bbs.pediy.com

#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

// Lookup table used by the registration-code routine (it is the standard CRC-32 table,
// stored as 256 little-endian 32-bit entries).
static const unsigned char table[1024] =
{
    0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x77,
    0x2C, 0x61, 0x0E, 0xEE, 0xBA, 0x51, 0x09, 0x99,
    0x19, 0xC4, 0x6D, 0x07, 0x8F, 0xF4, 0x6A, 0x70,
    0x35, 0xA5, 0x63, 0xE9, 0xA3, 0x95, 0x64, 0x9E,
    0x32, 0x88, 0xDB, 0x0E, 0xA4, 0xB8, 0xDC, 0x79,
    0x1E, 0xE9, 0xD5, 0xE0, 0x88, 0xD9, 0xD2, 0x97,
    0x2B, 0x4C, 0xB6, 0x09, 0xBD, 0x7C, 0xB1, 0x7E,
    0x07, 0x2D, 0xB8, 0xE7, 0x91, 0x1D, 0xBF, 0x90,
    0x64, 0x10, 0xB7, 0x1D, 0xF2, 0x20, 0xB0, 0x6A,
    0x48, 0x71, 0xB9, 0xF3, 0xDE, 0x41, 0xBE, 0x84,
    0x7D, 0xD4, 0xDA, 0x1A, 0xEB, 0xE4, 0xDD, 0x6D,
    0x51, 0xB5, 0xD4, 0xF4, 0xC7, 0x85, 0xD3, 0x83,
    0x56, 0x98, 0x6C, 0x13, 0xC0, 0xA8, 0x6B, 0x64,
    0x7A, 0xF9, 0x62, 0xFD, 0xEC, 0xC9, 0x65, 0x8A,
    0x4F, 0x5C, 0x01, 0x14, 0xD9, 0x6C, 0x06, 0x63,
    0x63, 0x3D, 0x0F, 0xFA, 0xF5, 0x0D, 0x08, 0x8D,
    0xC8, 0x20, 0x6E, 0x3B, 0x5E, 0x10, 0x69, 0x4C,
    0xE4, 0x41, 0x60, 0xD5, 0x72, 0x71, 0x67, 0xA2,
    0xD1, 0xE4, 0x03, 0x3C, 0x47, 0xD4, 0x04, 0x4B,
    0xFD, 0x85, 0x0D, 0xD2, 0x6B, 0xB5, 0x0A, 0xA5,
    0xFA, 0xA8, 0xB5, 0x35, 0x6C, 0x98, 0xB2, 0x42,
    0xD6, 0xC9, 0xBB, 0xDB, 0x40, 0xF9, 0xBC, 0xAC,
    0xE3, 0x6C, 0xD8, 0x32, 0x75, 0x5C, 0xDF, 0x45,
    0xCF, 0x0D, 0xD6, 0xDC, 0x59, 0x3D, 0xD1, 0xAB,
    0xAC, 0x30, 0xD9, 0x26, 0x3A, 0x00, 0xDE, 0x51,
    0x80, 0x51, 0xD7, 0xC8, 0x16, 0x61, 0xD0, 0xBF,
    0xB5, 0xF4, 0xB4, 0x21, 0x23, 0xC4, 0xB3, 0x56,
    0x99, 0x95, 0xBA, 0xCF, 0x0F, 0xA5, 0xBD, 0xB8,
    0x9E, 0xB8, 0x02, 0x28, 0x08, 0x88, 0x05, 0x5F,
    0xB2, 0xD9, 0x0C, 0xC6, 0x24, 0xE9, 0x0B, 0xB1,
    0x87, 0x7C, 0x6F, 0x2F, 0x11, 0x4C, 0x68, 0x58,
    0xAB, 0x1D, 0x61, 0xC1, 0x3D, 0x2D, 0x66, 0xB6,
    0x90, 0x41, 0xDC, 0x76, 0x06, 0x71, 0xDB, 0x01,
    0xBC, 0x20, 0xD2, 0x98, 0x2A, 0x10, 0xD5, 0xEF,
    0x89, 0x85, 0xB1, 0x71, 0x1F, 0xB5, 0xB6, 0x06,
    0xA5, 0xE4, 0xBF, 0x9F, 0x33, 0xD4, 0xB8, 0xE8,
    0xA2, 0xC9, 0x07, 0x78, 0x34, 0xF9, 0x00, 0x0F,
    0x8E, 0xA8, 0x09, 0x96, 0x18, 0x98, 0x0E, 0xE1,
    0xBB, 0x0D, 0x6A, 0x7F, 0x2D, 0x3D, 0x6D, 0x08,
    0x97, 0x6C, 0x64, 0x91, 0x01, 0x5C, 0x63, 0xE6,
    0xF4, 0x51, 0x6B, 0x6B, 0x62, 0x61, 0x6C, 0x1C,
    0xD8, 0x30, 0x65, 0x85, 0x4E, 0x00, 0x62, 0xF2,
    0xED, 0x95, 0x06, 0x6C, 0x7B, 0xA5, 0x01, 0x1B,
    0xC1, 0xF4, 0x08, 0x82, 0x57, 0xC4, 0x0F, 0xF5,
    0xC6, 0xD9, 0xB0, 0x65, 0x50, 0xE9, 0xB7, 0x12,
    0xEA, 0xB8, 0xBE, 0x8B, 0x7C, 0x88, 0xB9, 0xFC,
    0xDF, 0x1D, 0xDD, 0x62, 0x49, 0x2D, 0xDA, 0x15,
    0xF3, 0x7C, 0xD3, 0x8C, 0x65, 0x4C, 0xD4, 0xFB,
    0x58, 0x61, 0xB2, 0x4D, 0xCE, 0x51, 0xB5, 0x3A,
    0x74, 0x00, 0xBC, 0xA3, 0xE2, 0x30, 0xBB, 0xD4,
    0x41, 0xA5, 0xDF, 0x4A, 0xD7, 0x95, 0xD8, 0x3D,
    0x6D, 0xC4, 0xD1, 0xA4, 0xFB, 0xF4, 0xD6, 0xD3,
    0x6A, 0xE9, 0x69, 0x43, 0xFC, 0xD9, 0x6E, 0x34,
    0x46, 0x88, 0x67, 0xAD, 0xD0, 0xB8, 0x60, 0xDA,
    0x73, 0x2D, 0x04, 0x44, 0xE5, 0x1D, 0x03, 0x33,
    0x5F, 0x4C, 0x0A, 0xAA, 0xC9, 0x7C, 0x0D, 0xDD,
    0x3C, 0x71, 0x05, 0x50, 0xAA, 0x41, 0x02, 0x27,
    0x10, 0x10, 0x0B, 0xBE, 0x86, 0x20, 0x0C, 0xC9,
    0x25, 0xB5, 0x68, 0x57, 0xB3, 0x85, 0x6F, 0x20,
    0x09, 0xD4, 0x66, 0xB9, 0x9F, 0xE4, 0x61, 0xCE,
    0x0E, 0xF9, 0xDE, 0x5E, 0x98, 0xC9, 0xD9, 0x29,
    0x22, 0x98, 0xD0, 0xB0, 0xB4, 0xA8, 0xD7, 0xC7,
    0x17, 0x3D, 0xB3, 0x59, 0x81, 0x0D, 0xB4, 0x2E,
    0x3B, 0x5C, 0xBD, 0xB7, 0xAD, 0x6C, 0xBA, 0xC0,
    0x20, 0x83, 0xB8, 0xED, 0xB6, 0xB3, 0xBF, 0x9A,
    0x0C, 0xE2, 0xB6, 0x03, 0x9A, 0xD2, 0xB1, 0x74,
    0x39, 0x47, 0xD5, 0xEA, 0xAF, 0x77, 0xD2, 0x9D,
    0x15, 0x26, 0xDB, 0x04, 0x83, 0x16, 0xDC, 0x73,
    0x12, 0x0B, 0x63, 0xE3, 0x84, 0x3B, 0x64, 0x94,
    0x3E, 0x6A, 0x6D, 0x0D, 0xA8, 0x5A, 0x6A, 0x7A,
    0x0B, 0xCF, 0x0E, 0xE4, 0x9D, 0xFF, 0x09, 0x93,
    0x27, 0xAE, 0x00, 0x0A, 0xB1, 0x9E, 0x07, 0x7D,
    0x44, 0x93, 0x0F, 0xF0, 0xD2, 0xA3, 0x08, 0x87,
    0x68, 0xF2, 0x01, 0x1E, 0xFE, 0xC2, 0x06, 0x69,
    0x5D, 0x57, 0x62, 0xF7, 0xCB, 0x67, 0x65, 0x80,
    0x71, 0x36, 0x6C, 0x19, 0xE7, 0x06, 0x6B, 0x6E,
    0x76, 0x1B, 0xD4, 0xFE, 0xE0, 0x2B, 0xD3, 0x89,
    0x5A, 0x7A, 0xDA, 0x10, 0xCC, 0x4A, 0xDD, 0x67,
    0x6F, 0xDF, 0xB9, 0xF9, 0xF9, 0xEF, 0xBE, 0x8E,
    0x43, 0xBE, 0xB7, 0x17, 0xD5, 0x8E, 0xB0, 0x60,
    0xE8, 0xA3, 0xD6, 0xD6, 0x7E, 0x93, 0xD1, 0xA1,
    0xC4, 0xC2, 0xD8, 0x38, 0x52, 0xF2, 0xDF, 0x4F,
    0xF1, 0x67, 0xBB, 0xD1, 0x67, 0x57, 0xBC, 0xA6,
    0xDD, 0x06, 0xB5, 0x3F, 0x4B, 0x36, 0xB2, 0x48,
    0xDA, 0x2B, 0x0D, 0xD8, 0x4C, 0x1B, 0x0A, 0xAF,
    0xF6, 0x4A, 0x03, 0x36, 0x60, 0x7A, 0x04, 0x41,
    0xC3, 0xEF, 0x60, 0xDF, 0x55, 0xDF, 0x67, 0xA8,
    0xEF, 0x8E, 0x6E, 0x31, 0x79, 0xBE, 0x69, 0x46,
    0x8C, 0xB3, 0x61, 0xCB, 0x1A, 0x83, 0x66, 0xBC,
    0xA0, 0xD2, 0x6F, 0x25, 0x36, 0xE2, 0x68, 0x52,
    0x95, 0x77, 0x0C, 0xCC, 0x03, 0x47, 0x0B, 0xBB,
    0xB9, 0x16, 0x02, 0x22, 0x2F, 0x26, 0x05, 0x55,
    0xBE, 0x3B, 0xBA, 0xC5, 0x28, 0x0B, 0xBD, 0xB2,
    0x92, 0x5A, 0xB4, 0x2B, 0x04, 0x6A, 0xB3, 0x5C,
    0xA7, 0xFF, 0xD7, 0xC2, 0x31, 0xCF, 0xD0, 0xB5,
    0x8B, 0x9E, 0xD9, 0x2C, 0x1D, 0xAE, 0xDE, 0x5B,
    0xB0, 0xC2, 0x64, 0x9B, 0x26, 0xF2, 0x63, 0xEC,
    0x9C, 0xA3, 0x6A, 0x75, 0x0A, 0x93, 0x6D, 0x02,
    0xA9, 0x06, 0x09, 0x9C, 0x3F, 0x36, 0x0E, 0xEB,
    0x85, 0x67, 0x07, 0x72, 0x13, 0x57, 0x00, 0x05,
    0x82, 0x4A, 0xBF, 0x95, 0x14, 0x7A, 0xB8, 0xE2,
    0xAE, 0x2B, 0xB1, 0x7B, 0x38, 0x1B, 0xB6, 0x0C,
    0x9B, 0x8E, 0xD2, 0x92, 0x0D, 0xBE, 0xD5, 0xE5,
    0xB7, 0xEF, 0xDC, 0x7C, 0x21, 0xDF, 0xDB, 0x0B,
    0xD4, 0xD2, 0xD3, 0x86, 0x42, 0xE2, 0xD4, 0xF1,
    0xF8, 0xB3, 0xDD, 0x68, 0x6E, 0x83, 0xDA, 0x1F,
    0xCD, 0x16, 0xBE, 0x81, 0x5B, 0x26, 0xB9, 0xF6,
    0xE1, 0x77, 0xB0, 0x6F, 0x77, 0x47, 0xB7, 0x18,
    0xE6, 0x5A, 0x08, 0x88, 0x70, 0x6A, 0x0F, 0xFF,
    0xCA, 0x3B, 0x06, 0x66, 0x5C, 0x0B, 0x01, 0x11,
    0xFF, 0x9E, 0x65, 0x8F, 0x69, 0xAE, 0x62, 0xF8,
    0xD3, 0xFF, 0x6B, 0x61, 0x45, 0xCF, 0x6C, 0x16,
    0x78, 0xE2, 0x0A, 0xA0, 0xEE, 0xD2, 0x0D, 0xD7,
    0x54, 0x83, 0x04, 0x4E, 0xC2, 0xB3, 0x03, 0x39,
    0x61, 0x26, 0x67, 0xA7, 0xF7, 0x16, 0x60, 0xD0,
    0x4D, 0x47, 0x69, 0x49, 0xDB, 0x77, 0x6E, 0x3E,
    0x4A, 0x6A, 0xD1, 0xAE, 0xDC, 0x5A, 0xD6, 0xD9,
    0x66, 0x0B, 0xDF, 0x40, 0xF0, 0x3B, 0xD8, 0x37,
    0x53, 0xAE, 0xBC, 0xA9, 0xC5, 0x9E, 0xBB, 0xDE,
    0x7F, 0xCF, 0xB2, 0x47, 0xE9, 0xFF, 0xB5, 0x30,
    0x1C, 0xF2, 0xBD, 0xBD, 0x8A, 0xC2, 0xBA, 0xCA,
    0x30, 0x93, 0xB3, 0x53, 0xA6, 0xA3, 0xB4, 0x24,
    0x05, 0x36, 0xD0, 0xBA, 0x93, 0x06, 0xD7, 0xCD,
    0x29, 0x57, 0xDE, 0x54, 0xBF, 0x67, 0xD9, 0x23,
    0x2E, 0x7A, 0x66, 0xB3, 0xB8, 0x4A, 0x61, 0xC4,
    0x02, 0x1B, 0x68, 0x5D, 0x94, 0x2B, 0x6F, 0x2A,
    0x37, 0xBE, 0x0B, 0xB4, 0xA1, 0x8E, 0x0C, 0xC3,
    0x1B, 0xDF, 0x05, 0x5A, 0x8D, 0xEF, 0x02, 0x2D,
};

// Reads table entry n (0..255) as a little-endian 32-bit value.
static uint32_t tableEntry(unsigned n)
{
    return (uint32_t)table[n * 4] | ((uint32_t)table[n * 4 + 1] << 8)
         | ((uint32_t)table[n * 4 + 2] << 16) | ((uint32_t)table[n * 4 + 3] << 24);
}

// Registration code for a name: the name is upper-cased, prefixed with its length byte and
// padded with '*' to 0x47 bytes; that buffer is run through a CRC-32 style update seeded
// with 0xEFCA99 (crc = table[(crc ^ byte) & 0xFF] ^ (crc >> 8)), and 0x4EA is added.
uint32_t keygen(const std::string& input)
{
    unsigned char name1[0x47];
    size_t l = input.size();
    name1[0] = (unsigned char)l;
    for (size_t i = 1; i < sizeof name1; i++)
        name1[i] = (i - 1 < l) ? (unsigned char)toupper((unsigned char)input[i - 1]) : '*';

    uint32_t edx = 0xEFCA99;
    for (size_t i = 0; i < sizeof name1; i++)
        edx = tableEntry((edx ^ name1[i]) & 0xFF) ^ (edx >> 8);

    uint32_t code = edx + 0x4EA;
    // The value was printed as a signed 32-bit number and negated when negative,
    // so the displayed code is always non-negative.
    if (code & 0x80000000u)
        code = 0u - code;
    return code;
}

int main()
{
    std::cout << std::endl << "              Iparmor(木马克星)5.33.31/32/34 keygen by TAE![CCG]" << std::endl;
    std::cout << std::endl << "Please input your name: ";
    std::string name;
    std::cin >> name;
    std::cout << std::endl << "Your registration code: " << keygen(name) << std::endl;
    std::getchar();
    return 0;
}

  • Title: Found a few more problems while using it; here is a supplement (1k chars)
  • Author: zwlzwl
  • Time: 2002-3-31 21:59:08
  • Link: http://bbs.pediy.com

After using it a few times I found that this program also has several very nasty hidden traps (暗桩); I am writing them up to share with everyone.


:004F6CD2 E8E5C8F0FF              call 004035BC <-- a computation that takes the usage count as its parameter
:004F6CD7 83F803                  cmp eax, 00000003
:004F6CDA 0F8512080000            jne 004F74F2 <-- if the returned EAX is not equal to 3, jump past the program's repeated checks of the code
:004F6CE0 8BC3                    mov eax, ebx
:004F6CE2 E8F10C0000              call 004F79D8
:004F6CE7 E906080000              jmp 004F74F2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6C57(C)
|
:004F6CEC 8D55F4                  lea edx, dword ptr [ebp-0C]
:004F6CEF 8B45FC                  mov eax, dword ptr [ebp-04]
:004F6CF2 E855FAFFFF              call 004F674C


In fact the program checks the code in many places (using many different algorithms),
and every check that passes makes the program jump to 004F74F2,
as we can see from the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F6CDA(C), :004F6CE7(U), :004F6DA1(C), :004F6DAE(U), :004F6E5D(C)
|:004F6E6A(U), :004F6F19(C), :004F6F26(U), :004F6FD5(C), :004F6FE2(U)
|:004F7091(C), :004F709E(U), :004F7152(C), :004F7158(U), :004F7207(C)
|:004F7214(U), :004F72C1(C), :004F72CE(U), :004F737D(C), :004F738A(U)
|
:004F74F2 33C0                    xor eax, eax
:004F74F4 5A                      pop edx

But we only need to change the first comparison into a jump, that is, change
:004F6CDA            jne 004F74F2
to
:004F6CDA            jmp 004F74F2
and pad it with one NOP (to keep the program's byte count the same), and all of these traps are defeated.
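As an added example (my own code, not from the post above): computing the bytes for the jne-to-jmp patch just described. A jne rel32 is encoded as 0F 85 plus a 4-byte displacement (6 bytes), a jmp rel32 as E9 plus the displacement (5 bytes), and the displacement is counted from the end of the instruction, so the spare byte becomes the NOP and the displacement has to be recomputed for whichever of the two layouts is used. The functions branchTarget, patchJccToJmp and applyPatch and the small byte vector they operate on are mine; the bytes 0F 85 12 08 00 00 at 004F6CDA (and 0F 85 8F 00 00 00 at 004F6C57 from the first post) are taken from the listings above. Translating the VA to a file offset through the PE section table is not done here.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes6 = std::array<uint8_t, 6>;   // footprint of the jne rel32 being replaced

static uint32_t rd32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t* p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

// Destination of the branch whose first byte sits at address addr: a 6-byte jcc rel32
// (0F 80..8F disp32) or a 5-byte jmp rel32 (E9 disp32). The displacement is relative to
// the end of the instruction. Returns 0 for any other opcode.
uint32_t branchTarget(uint32_t addr, const uint8_t* code) {
    if (code[0] == 0x0F && (code[1] & 0xF0) == 0x80) return addr + 6 + rd32(code + 2);
    if (code[0] == 0xE9) return addr + 5 + rd32(code + 1);
    return 0;
}

// Turn the jcc at addr into an unconditional jmp to the same target without changing the
// 6-byte footprint. nopFirst=false gives "E9 disp32 90": the jmp ends one byte earlier than
// the jne did, so the displacement grows by 1. nopFirst=true gives "90 E9 disp32": the jmp
// starts one byte later and ends where the jne ended, so the original displacement is reused.
Bytes6 patchJccToJmp(uint32_t addr, const Bytes6& orig, bool nopFirst) {
    uint32_t target = branchTarget(addr, orig.data());
    Bytes6 out{};
    if (nopFirst) {
        out[0] = 0x90;
        out[1] = 0xE9;
        wr32(&out[2], target - (addr + 1 + 5));
    } else {
        out[0] = 0xE9;
        wr32(&out[1], target - (addr + 5));
        out[5] = 0x90;
    }
    return out;
}

// Write the patch into an in-memory copy of the file only if the bytes currently at
// fileOffset are the ones that were analysed; a different build, or a wrong VA-to-offset
// translation, would otherwise be corrupted silently.
bool applyPatch(std::vector<uint8_t>& image, size_t fileOffset, const Bytes6& expected, const Bytes6& patched) {
    if (fileOffset + 6 > image.size()) return false;
    for (size_t i = 0; i < 6; ++i)
        if (image[fileOffset + i] != expected[i]) return false;
    for (size_t i = 0; i < 6; ++i)
        image[fileOffset + i] = patched[i];
    return true;
}

int main() {
    const uint32_t addr = 0x004F6CDA;
    const Bytes6 jne = { 0x0F, 0x85, 0x12, 0x08, 0x00, 0x00 };   // jne 004F74F2 from the listing
    std::printf("original target: %08X\n", branchTarget(addr, jne.data()));
    const bool layouts[] = { false, true };
    for (bool nopFirst : layouts) {
        Bytes6 p = patchJccToJmp(addr, jne, nopFirst);
        std::printf("patch (%s):", nopFirst ? "90 E9 ..." : "E9 ... 90");
        for (uint8_t b : p) std::printf(" %02X", b);
        uint32_t jmpAddr = nopFirst ? addr + 1 : addr;
        std::printf("  -> jmp lands at %08X\n", branchTarget(jmpAddr, p.data() + (nopFirst ? 1 : 0)));
    }
    return 0;
}
```

Both layouts land at 004F74F2: E9 13 08 00 00 90 (displacement one larger than the original 0x812, because the jmp ends a byte earlier) or 90 E9 12 08 00 00 (original displacement reused). applyPatch refuses to write unless the six bytes it finds are the ones from the listing, which catches a different build of iparmor.exe or a miscalculated offset before anything is damaged.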