软件简介:帮助您创建基于
JavaScript 的密码保护页面
DOWNLOAD: http://www.inhua.com/down/htl.zip
pj工具:RegMon,TRW
2000 V1.03
**************************************************************************************************************
精华三里paulyoung写了一个pj的暴力篇,我来一个婉约派的温柔篇,而且还有些很有意思的发现,各位大小虾,不妨看看。
一、用 RegMon 监视,运行软件,发觉它读取如下两个注册表键值:
HKLM\SOFTWARE\VirTime\HTL1.4.0\UserName
SUCCESS "NOBODY" (用户名)
HKLM\SOFTWARE\VirTime\HTL1.4.0\RegKey
SUCCESS "NOKEY" (注册码)
我想它会不会是启动时读取这两个键值并正确与否,来判断它是否为注册版,后经我反汇编分析,证实了我的猜测(分析过程略)
二、打开 REGEDIT ,把这两个键值分别改为 "killer" and "" 6789543267895432678954326789543267895432
三、用trw中搜索字串,然后用bpm拦后跟踪。
四、代码分析如下:
//******************** Program Entry
Point ********
:004630EC 55
push ebp
:004630ED 8BEC
mov ebp, esp
:004630EF 83C4F4
add esp, FFFFFFF4
:004630F2
B8642F4600 mov eax, 00462F64
:004630F7
E8042FFAFF call 00406000
:004630FC
A138574600 mov eax, dword ptr
[00465738]
:00463101 8B00
mov eax, dword ptr [eax]
*
Possible StringData Ref from Code Obj ->"HTMLock"
|
:00463103 BA6C314600
mov edx, 0046316C
:00463108 E81B18FEFF
call 00444928
:0046310D E896DEFFFF
call 00460FA8 //F8 跟进看一看
:00463112
84C0 test
al, al
:00463114 7446
je 0046315C
***************
* Referenced by a CALL at Address:
|:0046310D
|
:00460FA8
55 push
ebp
:00460FA9 8BEC
mov ebp, esp
:00460FAB 6A00
push 00000000
:00460FAD 6A00
push 00000000
:00460FAF
6A00 push
00000000
...
F10直到
...
:0046102A
B9C8104600 mov ecx, 004610C8
:0046102F
8B15E8684600 mov edx, dword ptr [004668E8]
:00461035 E85E2CFAFF call
00403C98
:0046103A C605F068460000 mov byte
ptr [004668F0], 00
:00461041 C6050869460000 mov
byte ptr [00466908], 00
:00461048 E87FFDFFFF
call 00460DCC
:0046104D 8B15F4684600
mov edx, dword ptr [004668F4]
:00461053 A1F8684600
mov eax, dword ptr [004668F8]
:00461058
E827EBFFFF call 0045FB84
//D EAX=假注册码D EDX=假的注册名。
(F8 跟进看一看)
********
*
Referenced by a CALL at Addresses:
|:004609C3 , :00460A3F , :00460C82
, :00461058
|
:0045FB84 55
push ebp
:0045FB85 8BEC
mov ebp, esp
:0045FB87
83C4F8 add esp,
FFFFFFF8
:0045FB8A 53
push ebx
:0045FB8B 56
push esi
:0045FB8C 33C9
xor ecx, ecx
:0045FB8E
894DF8 mov dword
ptr [ebp-08], ecx
:0045FB91 8BDA
mov ebx, edx
:0045FB93 8BF0
mov esi, eax
:0045FB95 33C0
xor eax,
eax
:0045FB97 55
push ebp
:0045FB98 681EFC4500
push 0045FC1E
:0045FB9D 64FF30
push dword ptr fs:[eax]
:0045FBA0 648920
mov dword ptr fs:[eax],
esp
:0045FBA3 C645FF00 mov
[ebp-01], 00
:0045FBA7 8BC3
mov eax, ebx
:0045FBA9 E89E40FAFF
call 00403C4C
:0045FBAE 83F802
cmp eax, 00000002 /名字是否小于2位
:0045FBB1
7C55 jl 0045FC08
/:0045FBB3//是则跳至末注册
8BC6
mov eax, esi
:0045FBB5 E89240FAFF
call 00403C4C
:0045FBBA 83F824
cmp eax, 00000024
//注册码是否小于36位
:0045FBBD 7C49
jl 0045FC08
//是则跳至末注册
:0045FBBF 33DB
xor ebx, ebx
:0045FBC1 8BC6
mov eax, esi
:0045FBC3 E88440FAFF
call 00403C4C
:0045FBC8 83E802
sub eax, 00000002
:0045FBCB 85C0
test eax, eax
:0045FBCD 7E0F
jle 0045FBDE
:0045FBCF BA01000000
mov edx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBDC(C)
|
:0045FBD4 8A4C16FF
mov cl, byte ptr [esi+edx-01]----- 此代码段,将注册码除最后两
:0045FBD8
02D9 add
bl, cl
*位以外,相加。和的末两位存入bl.
:0045FBDA
42 inc
edx
*此时我的和为7F
:0045FBDB 48
dec eax
*
:0045FBDC 75F6
jne 0045FBD4
--------------------------
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0045FBCD(C)
|
:0045FBDE 33C0
xor eax, eax
:0045FBE0 8AC3
mov al, bl
:0045FBE2 33D2
xor edx, edx
:0045FBE4 52
push edx
:0045FBE5 50
push eax
:0045FBE6
8D45F8 lea eax,
dword ptr [ebp-08]
:0045FBE9 E85AFEFFFF
call 0045FA48
:0045FBEE 8B45F8
mov eax, dword ptr [ebp-08]
:0045FBF1 8A400E
mov al, byte ptr [eax+0E]
:0045FBF4 3A4622 cmp
al, byte ptr [esi+22] //比较第35位(比较是否为 "e " )
:0045FBF7
750F jne
0045FC08 不相等则跳至末注册
:0045FBF9 8B45F8
mov eax, dword ptr [ebp-08]
:0045FBFC
8A400F mov al, byte
ptr [eax+0F]
:0045FBFF 3A4623
cmp al, byte ptr [esi+23] //比较第36位(比较是否为"o"
)
:0045FC02 7504
jne 0045FC08 //不相等则跳至末注册
:0045FC04 C645FF01
mov [ebp-01], 01
//程序走到这里就可以注册成功了
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045FBB1(C),
:0045FBBD(C), :0045FBF7(C), :0045FC02(C)
|
:0045FC08 33C0
xor eax, eax
:0045FC0A
5A pop
edx
*****
:0046312E
E8BDDAFFFF call 00460BF0
:00463133
84C0 test
al, al
:00463135 7514
jne 0046314B
:00463137 8B1570554600
mov edx, dword ptr [00465570]
:0046313D 8B12
mov edx, dword ptr [edx]
:0046313F
A170554600 mov eax, dword ptr
[00465570]
:00463144 8B00
mov eax, dword ptr [eax]
:00463146 E885F7FFFF
call 004628D0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463135(C)
|
:0046314B A138574600 mov
eax, dword ptr [00465738]
:00463150 8B00
mov eax, dword ptr [eax]
:00463152 E8351CFEFF
call 00444D8C
//弹出软件运行界面
那么把regkey改为:6789543267895432678954326789543267eo5432应该可以了吧。
但是运行完还是未注册。这时变为
:0045FBF4
3A4622 cmp al, byte
ptr [esi+22] //比较第35位(比较是否为 "M" )
:0045FBF7
750F jne
0045FC08 // 不相等则跳至末注册
:0045FBF9 8B45F8
mov eax, dword ptr [ebp-08]
:0045FBFC
8A400F mov al, byte
ptr [eax+0F]
:0045FBFF 3A4623
cmp al, byte ptr [esi+23] //比较第36位(比较是否为"u"
)
:0045FC02 7504
jne 0045FC08 //不相等则跳至末注册
:0045FC04 C645FF01
mov [ebp-01], 01
//程序走到这里就可以注册成功了
原来是bl中注册码和为指引,提取字串“HACKERYouMUSTDie”(哈哈,我好怕怕啊,难道有下什么套?)的字母,与35位及36位的注册码进行比较。但其实也很简单,令注册码的和仍为7F且
35,36位为e,o就可注册成功。如下:
regname:killer
regkey: 6789543267895432678954326789543267eoMP5432
就可显示注册给killer了。
哈哈 so easy!!
但运行对文件加密,却跳出提示框“你的文件超过4kb,请注册你的软件”。呜呜,无法使用。是不是我高兴的太早了?是不是我MUST
Die?
Can u
help me ?