简单分析——蓝星广告杀手 V3.20
下载页面:
http://www.skycn.com/soft
软件大小:
802 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 浏览辅助
应用平台: Win9x/NT/2000/XP
加入时间:
2002-12-29 14:30:32
下载次数: 1815
【软件简介】:蓝星广告杀手,清除弹出广告和网页中的图片、Flash广告,让您更顺畅、快速、安全的在网络海洋中畅游。给您轻松、顺畅的上网体验。
【软件限制】:15天试用。
【作者声明】:小弟初学Crack,只是感兴趣,没有其它目的。失误之处敬请各大侠赐教!
————————————————————————————————————————
【过程】:
AdKiller.exe无壳。VC++6.0编。
OK,开工吧!
TRW载入。BPX
HMEMCPY 拦下!PMODULE 返回程序领空。F12三次至 004070F3
-----------------------------------------------------------------
:004070F3
8BCF mov
ecx, edi
====>停在这儿!
:004070F5
E879A90400 call 00451A73
:004070FA
8BCF mov
ecx, edi
:004070FC E8F7580400 call
0044C9F8
:00407101 8BCF
mov ecx, edi
:00407103 E83C580400
call 0044C944
:00407108 8D9E10010000
lea ebx, dword ptr [esi+00000110]
:0040710E 8BCB
mov ecx, ebx
:00407110
E8E3580400 call 0044C9F8
:00407115
8BCB mov
ecx, ebx
:00407117 E828580400 call
0044C944
:0040711C 8B07
mov eax, dword ptr [edi]
:0040711E C745FC00000000
mov [ebp-04], 00000000
:00407125 8B40F8
mov eax, dword ptr [eax-08]
:00407128
83F804 cmp eax,
00000004
:0040712B 0F8C84000000 jl
004071B5
:00407131 83F878
cmp eax, 00000078
:00407134 7F7F
jg 004071B5
:00407136 8B0B
mov ecx, dword ptr [ebx]
:00407138
8379F808 cmp dword ptr
[ecx-08], 00000008
:0040713C 7577
jne 004071B5
:0040713E 51
push ecx
:0040713F 8BCC
mov ecx, esp
:00407141
8965E4 mov dword
ptr [ebp-1C], esp
:00407144 53
push ebx
:00407145 E80EA20400
call 00451358
:0040714A 51
push ecx
:0040714B C645FC01
mov [ebp-04], 01
:0040714F
8BCC mov
ecx, esp
:00407151 8965E8
mov dword ptr [ebp-18], esp
:00407154 57
push edi
:00407155 E8FEA10400
call 00451358
:0040715A C645FC00
mov [ebp-04], 00
:0040715E
E86D020000 call 004073D0
====>关键CALL!
:00407163 83C408
add esp, 00000008
:00407166
84C0 test
al, al
:00407168 744B
je 004071B5
====>跳则OVER!
:0040716A
8B1518574700 mov edx, dword ptr [00475718]
:00407170
8955EC mov dword
ptr [ebp-14], edx
*
Possible Reference to String Resource ID=00181: ""ㄨ屳J@K"
|
:00407173 68B5000000
push 000000B5
:00407178 8D4DEC
lea ecx, dword ptr [ebp-14]
:0040717B
C745FC03000000 mov [ebp-04], 00000003
:00407182
E810A90400 call 00451A97
:00407187
8B45EC mov eax,
dword ptr [ebp-14]
:0040718A 6A40
push 00000040
:0040718C 6A00
push 00000000
:0040718E 50
push
eax
:0040718F 8BCE
mov ecx, esi
:00407191 E8D5890400
call 0044FB6B
====>感谢注册!
:004071DC
E88A890400 call 0044FB6B
====>BAD BOY!
-----------------------------------------------------------------
F8进入0040715E call 004073D0
*
Referenced by a CALL at Addresses:
|:0040715E , :0040ADA1
|
:004073D0
6AFF push
FFFFFFFF
:004073D2 6848984500 push
00459848
:004073D7 64A100000000 mov
eax, dword ptr fs:[00000000]
:004073DD 50
push eax
:004073DE 64892500000000
mov dword ptr fs:[00000000], esp
:004073E5
81EC5C010000 sub esp, 0000015C
:004073EB
53 push
ebx
:004073EC 57
push edi
:004073ED 8B842474010000
mov eax, dword ptr [esp+00000174]
:004073F4 33DB
xor ebx, ebx
:004073F6 C784246C01000001000000
mov dword ptr [esp+0000016C], 00000001
:00407401 C644240B00
mov [esp+0B], 00
:00407406 8B40F8
mov eax, dword ptr [eax-08]
====>D EAX=fly4099@sohu.com
:00407409
3BC3 cmp
eax, ebx
====>检测 E-Mail
:0040740B
0F8E2D060000 jle 00407A3E
====>跳则OVER!
:00407411
8B8C2478010000 mov ecx, dword ptr [esp+00000178]
:00407418
3959F8 cmp dword
ptr [ecx-08], ebx
====>注册码8位?
:0040741B
0F8E1D060000 jle 00407A3E
====>跳则OVER!
F10一直走。
…… …… 省 略 …… ……
:00407584
FF15D0F14500 Call dword ptr [0045F1D0]
:0040758A
0FBE461C movsx eax, byte
ptr [esi+1C]
:0040758E 0FBE4E02
movsx ecx, byte ptr [esi+02]\
:00407592 0FBE5619
movsx edx, byte ptr [esi+19] \
:00407596
50 push
eax \
:00407597
51 push
ecx D ESI可看到一张表。从表中不同位置取数
:00407598 0FBE4601
movsx eax, byte ptr [esi+01] \
:0040759C 0FBE4E09
movsx ecx, byte ptr [esi+09]
\
:004075A0 52
push edx
\
:004075A1 50
push eax
得出真码!
:004075A2
0FBE560C movsx edx, byte
ptr [esi+0C] /
:004075A6 0FBE464D
movsx eax, byte ptr [esi+4D] /
:004075AA
51 push
ecx
:004075AB 52
push edx
:004075AC 0FBE4E13
movsx ecx, byte ptr [esi+13] /
:004075B0 50
push eax
:004075B1
51 push
ecx
:004075B2 8D542438 lea
edx, dword ptr [esp+38]/
*
Possible StringData Ref from Data Obj ->"%c%c%c%c%c%c%c%c"
|
:004075B6 6850144700
push 00471450
:004075BB 52
push edx
:004075BC E8D4520400
call 0044C895
:004075C1 8B8424A8010000
mov eax, dword ptr [esp+000001A8]
:004075C8
8B4C2440 mov ecx, dword
ptr [esp+40]
:004075CC 50
push eax
====>D
EAX=44445555
:004075CD
51 push
ecx
====>D ECX=真码!
:004075CE
E8E4310200 call 0042A7B7
====>比较注册码
:004075D3
83C430 add esp,
00000030
:004075D6 85C0
test eax, eax
:004075D8 0F8537040000
jne 00407A15
====>跳则OVER!
————————————————————————————————————————
【KeyMake之内存注册机】:
中断地址:4075CD
中断次数:1
第一字节:51
指令长度:1
内存方式:ECX
————————————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{C3C6A060-C344-11D0-A20B-0800361A1803}]
"BlueStarAdKillerReg"=dword:00000001
"BlueStarAdKillerStart"=hex:48,c7,15,3e
"BlueStarAdKillerName"="FLY4099@SOHU.COM"
"BlueStarAdKillerCode"="CF1EC37C"
————————————————————————————————————————
【整理】:
注:E-Mail格式要正确。试炼码要8位!
电邮:fly4099@sohu.com
注册码:CF1EC37C
————————————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-1-4