2003-12-20, 11:52 PM | #1
Honorary Member
Analyzing packed shareware
Software: Advanced Email Parser 1.22
Download: http://www.mailutilities.com/
Protection: ASProtect + MD5
Author: lordor
Tools: OllyDbg + hide-debugger plugin

Load the packed program in OllyDbg, proceed the usual way, and arrive here:

00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ; ASCII "Registration"
00463E4D PUSH aep.00546B54 ; ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ; ASCII "Registration"
00463E6A PUSH aep.00546B30 ; ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP ===> set a breakpoint here, look at where it is used, and arrive below
00463E7F RETN

00473250 PUSH ESI
00473251 MOV ESI,ECX
00473253 CALL aep.00463DC0 ; brings up the input box, F7 to step in
00473258 CALL aep.00463B30
0047325D TEST EAX,EAX
0047325F JE SHORT aep.00473287
00473261 CALL aep.00412840
00473266 TEST EAX,EAX
00473268 JNZ SHORT aep.00473272
0047326A PUSH 1
0047326C CALL DWORD PTR DS:[5373B0] ; kernel32.ExitProcess
00473272 JMP aep.00473287
00473277 JA SHORT aep.0047328B
00473279 ???
; Unknown command
0047327A ADC EAX,384B7548
0047327F JL SHORT aep.004732A7
00473281 SBB DWORD PTR SS:[ESP+EDX*2+5E0A9CE7],ED>

--------------------------------------
Arriving at the call above:

00463DC0 PUSH EBP
00463DC1 MOV EBP,ESP
00463DC3 AND ESP,FFFFFFF8
00463DC6 SUB ESP,100
00463DCC PUSH ESI
00463DCD PUSH EDI
00463DCE XOR EAX,EAX
00463DD0 MOV BYTE PTR SS:[ESP+8],0
00463DD5 MOV ECX,3F
00463DDA LEA EDI,DWORD PTR SS:[ESP+9]
00463DDE REP STOS DWORD PTR ES:[EDI]
00463DE0 STOS WORD PTR ES:[EDI]
00463DE2 STOS BYTE PTR ES:[EDI]
00463DE3 MOV EDI,DWORD PTR DS:[537780] ; user32.GetFocus
00463DE9 PUSH 100
00463DEE LEA EAX,DWORD PTR SS:[ESP+C]
00463DF2 PUSH EAX
00463DF3 PUSH aep.00546B84 ; ASCII "Enter registration code:"
00463DF8 PUSH aep.00546B74 ; ASCII "Registration"
00463DFD XOR ESI,ESI
00463DFF CALL EDI
00463E01 PUSH EAX
00463E02 CALL aep.00463CF0 ==> the input box pops up here
00463E07 ADD ESP,14
00463E0A CMP EAX,1
00463E0D JNZ SHORT aep.00463E78 ==> was a code entered?
00463E0F LEA ECX,DWORD PTR SS:[ESP+8] ==> the entered registration code goes into ecx
00463E13 PUSH ECX
00463E14 CALL aep.00463930 ==> key call, F7 to step in
00463E19 MOV ESI,EAX
00463E1B ADD ESP,4
00463E1E TEST ESI,ESI
00463E20 JE SHORT aep.00463E63 ==> key jump, must not be taken
00463E22 LEA EDX,DWORD PTR SS:[ESP+8]
00463E26 PUSH EDX
00463E27 CALL aep.004056D0 ==> key call, F7 to step in
00463E2C ADD ESP,4
00463E2F TEST EAX,EAX
00463E31 JNZ SHORT aep.00463E39 ==> for success, this must jump
00463E33 POP EDI
00463E34 POP ESI
00463E35 MOV ESP,EBP
00463E37 POP EBP
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ; ASCII "Registration"
00463E4D PUSH aep.00546B54 ; ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ; ASCII "Registration"
00463E6A PUSH aep.00546B30 ; ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP
00463E7F RETN
00463E80 PUSH ESI
00463E81 MOV ESI,ECX
00463E83 MOV EAX,DWORD PTR DS:[ESI+4]
00463E86 TEST EAX,EAX
00463E88 MOV DWORD PTR DS:[ESI],aep.00546BA0
00463E8E JE SHORT aep.00463E97
00463E90 PUSH EAX
00463E91 CALL DWORD PTR DS:[537430]

-----------------------------------------------------------------
Arriving at the first key call above, CALL aep.00463930; note that the return value in EAX must not be 0:

00463930 SUB ESP,68
00463933 PUSH EBX
00463934 PUSH ESI
00463935 LEA EAX,DWORD PTR SS:[ESP+18] ===> md5 initial value
00463939 PUSH EDI
0046393A PUSH EAX
0046393B CALL aep.00462D30
00463940 MOV ESI,DWORD PTR SS:[ESP+7C] ==> the entered registration code
00463944 MOV EAX,ESI
00463946 ADD ESP,4
00463949 LEA EDX,DWORD PTR DS:[EAX+1]
0046394C LEA ESP,DWORD PTR SS:[ESP]
00463950 MOV CL,BYTE PTR DS:[EAX]
00463952 INC EAX
00463953 TEST CL,CL
00463955 JNZ SHORT aep.00463950
00463957 SUB EAX,EDX
00463959 PUSH EAX
0046395A LEA ECX,DWORD PTR SS:[ESP+20]
0046395E PUSH ESI ==> registration code
0046395F PUSH ECX ==> md5 initial value
00463960 CALL aep.00463640 ==> compute md5
00463965 LEA EDX,DWORD PTR SS:[ESP+28]
00463969 PUSH EDX
0046396A LEA EAX,DWORD PTR SS:[ESP+1C]
0046396E PUSH EAX
0046396F CALL aep.00463700 ==> produces the md5 value: for 654321 it is C33367701511B4F6020EC61DED352059
00463974 MOV EDI,DWORD PTR DS:[537520] ; SHLWAPI.StrCmpNIA
0046397A ADD ESP,14
0046397D PUSH 0B
0046397F PUSH aep.00546AE0 ; ASCII "AEP-D9MK316"
00463984 PUSH ESI ==> registration code
00463985 MOV EBX,1
0046398A CALL EDI ==> compare for equality
0046398C TEST EAX,EAX
0046398E JNZ SHORT aep.004639AA
00463990 LEA ECX,DWORD PTR SS:[ESP+C]
00463994 PUSH ECX
00463995 MOV EBX,3
0046399A PUSH EBX
0046399B CALL aep.004638C0 ==> key call
004639A0 ADD ESP,8
004639A3 POP EDI
004639A4 POP ESI
004639A5 POP EBX
004639A6 ADD ESP,68
004639A9 RETN
004639AA PUSH 0B
004639AC PUSH aep.00546AD4 ; ASCII "AEP-D9MK3PE"
004639B1 PUSH ESI
004639B2 CALL EDI
004639B4 TEST EAX,EAX
004639B6 JNZ SHORT aep.004639D2
004639B8 LEA ECX,DWORD PTR SS:[ESP+C]
004639BC PUSH ECX
004639BD MOV EBX,1
004639C2 PUSH EBX
004639C3 CALL aep.004638C0
004639C8 ADD ESP,8
004639CB POP EDI
004639CC POP ESI
004639CD POP EBX
004639CE ADD ESP,68
004639D1 RETN
004639D2 PUSH 0B
004639D4 PUSH aep.00546AC8 ; ASCII "AEP-D9MK3PR"
004639D9 PUSH ESI
004639DA CALL EDI
004639DC TEST EAX,EAX
004639DE JNZ SHORT aep.004639FA
004639E0 LEA ECX,DWORD PTR SS:[ESP+C]
004639E4 PUSH ECX
004639E5 MOV EBX,2
004639EA PUSH EBX
004639EB CALL aep.004638C0
004639F0 ADD ESP,8
004639F3 POP EDI
004639F4 POP ESI
004639F5 POP EBX
004639F6 ADD ESP,68
004639F9 RETN
004639FA PUSH 0B
004639FC PUSH aep.00546ABC ; ASCII "AEP-RU56STE"
00463A01 PUSH ESI
00463A02 CALL EDI
00463A04 TEST EAX,EAX
00463A06 JNZ SHORT aep.00463A1F
00463A08 LEA ECX,DWORD PTR SS:[ESP+C]
00463A0C PUSH ECX
00463A0D XOR EBX,EBX
00463A0F PUSH EBX
00463A10 CALL aep.004638C0
00463A15 ADD ESP,8
00463A18 POP EDI
00463A19 POP ESI
00463A1A POP EBX
00463A1B ADD ESP,68
00463A1E RETN
00463A1F PUSH 0B
00463A21 PUSH aep.00546AB0 ; ASCII "AEP-D9MK3LT"
00463A26 PUSH ESI
00463A27 CALL EDI
00463A29 TEST EAX,EAX
00463A2B JNZ SHORT aep.00463A32
00463A2D MOV EBX,4
00463A32 LEA ECX,DWORD PTR SS:[ESP+C]
00463A36 PUSH ECX
00463A37 PUSH EBX
00463A38 CALL aep.004638C0 ==>
00463A3D ADD ESP,8
00463A40 POP EDI
00463A41 POP ESI
00463A42 POP EBX
00463A43 ADD ESP,68
00463A46 RETN

Entering the CALL aep.004638C0 above:

004638C0 SUB ESP,8
004638C3 MOV ECX,DWORD PTR SS:[ESP+C]
004638C7 LEA EAX,DWORD PTR SS:[ESP]
004638CA PUSH EAX
004638CB PUSH ECX
004638CC CALL aep.00463810
004638D1 ADD ESP,8
004638D4 TEST EAX,EAX
004638D6 MOV DWORD PTR SS:[ESP+4],EAX
004638DA JNZ SHORT aep.004638E0 ==> this must jump away, patch point 1
004638DC ADD ESP,8
004638DF RETN
004638E0 PUSH EBX
004638E1 PUSH EBP
004638E2 MOV EBP,DWORD PTR SS:[ESP+8]
004638E6 XOR EBX,EBX
004638E8 TEST EBP,EBP
004638EA JLE SHORT aep.0046390F
004638EC PUSH ESI
004638ED MOV EDX,EAX
004638EF PUSH EDI
004638F0 MOV ESI,DWORD PTR SS:[ESP+20]
004638F4 MOV ECX,4
004638F9 MOV EDI,EDX
004638FB XOR EAX,EAX
004638FD REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004638FF JE SHORT aep.00463909
00463901 INC EBX
00463902 ADD EDX,10
00463905 CMP EBX,EBP ==> compared here against the md5s of the 2000 preset registration codes
00463907 JL SHORT aep.004638F0
00463909 MOV EAX,DWORD PTR SS:[ESP+14]
0046390D POP EDI
0046390E POP ESI
0046390F PUSH EAX
00463910 CALL aep.0048024E
00463915 ADD ESP,4
00463918 CMP EBX,EBP ==> did the loop run all 2000 times?
0046391A JNZ SHORT aep.00463924 ==> this must jump away, patch point
0046391C POP EBP
0046391D XOR EAX,EAX
0046391F POP EBX
00463920 ADD ESP,8
00463923 RETN
00463924 POP EBP
00463925 LEA EAX,DWORD PTR DS:[EBX+1]
00463928 POP EBX
00463929 ADD ESP,8
0046392C RETN

---------------------------------------------
Arriving at the second key call, CALL aep.004056D0; its return value in eax must not be 0:

004056D0 PUSH EBP
004056D1 MOV EBP,ESP
004056D3 AND ESP,FFFFFFF8
004056D6 PUSH -1
004056D8 PUSH aep.00527756
004056DD MOV EAX,DWORD PTR FS:[0]
004056E3 PUSH EAX
004056E4 MOV DWORD PTR FS:[0],ESP
004056EB SUB ESP,120
004056F1 PUSH EDI
004056F2 CALL aep.00412810
004056F7 TEST EAX,EAX
004056F9 JE aep.004057E2
004056FF JMP aep.004057FD

-----------------------------------------
Summary: this company's software all seems to be programs that compare against preset registration codes. The registration code format is AEP-D9MK316+XXXXXXX. To crack it, just change jnz to jmp at 0046391A JNZ SHORT aep.00463924 and 004638DA JNZ SHORT aep.004638E0. However, it seems that a memory patch does not work with the ASProtect packing; could some expert give a pointer?

cracked by lordor 03.9.17
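To make the scheme the post reverses easier to follow, here is the checking logic reconstructed in Python. This is an added example, not code from the post or from the program: it models the two stages visible in the listings (an 11-character case-insensitive prefix compare via StrCmpNIA that selects a license type, then an MD5 of the whole code looked up in a per-type table of 16-byte entries, returning index+1 on a hit and 0 otherwise). The prefixes and the EBX values come from the listing at 00463930; the table contents are constructed stand-ins, since the real tables are not on the page, and all function names are mine. It also confirms the MD5 the post quotes for "654321".

```python
import hashlib

# Prefix -> license type, taken from the EBX values in the listing at
# 00463930. A code that matches no prefix keeps EBX = 1 (MOV EBX,1 at
# 00463985), which is what reaches the call at 00463A38 when the last
# compare fails.
PREFIX_TO_TYPE = {
    "AEP-D9MK316": 3,
    "AEP-D9MK3PE": 1,
    "AEP-D9MK3PR": 2,
    "AEP-RU56STE": 0,
    "AEP-D9MK3LT": 4,
}
DEFAULT_TYPE = 1
PREFIX_LEN = 0x0B  # the 11 pushed before every StrCmpNIA call


def md5_digest(code):
    """16-byte MD5 of the raw registration string, as 00463640/00463700 compute it."""
    return hashlib.md5(code.encode("ascii")).digest()


def license_type(code):
    """Dispatch on the first 11 characters; StrCmpNIA compares case-insensitively."""
    head = code[:PREFIX_LEN].upper()
    for prefix, kind in PREFIX_TO_TYPE.items():
        if head == prefix.upper():
            return kind
    return DEFAULT_TYPE


def table_lookup(digest, table):
    """Model of 004638C0. 00463810 hands back a table of 16-byte entries for the
    license type, or nothing at all (the early exit at 004638DA). The loop at
    004638F0 compares entry by entry: a hit yields index+1 (LEA EAX,[EBX+1]);
    running off the end (EBX == EBP at 00463918) yields 0."""
    if not table:
        return 0
    for idx, entry in enumerate(table):
        if entry == digest:
            return idx + 1
    return 0


def check_code(code, tables):
    """The whole check as the listing performs it: type from the prefix, then the
    MD5 lookup. Returns (license_type, lookup_result); a lookup_result of 0 is
    the 'invalid' path taken by the JE at 00463E20."""
    kind = license_type(code)
    return kind, table_lookup(md5_digest(code), tables.get(kind))


# Constructed sample data (hypothetical, not from the program): two made-up
# codes whose MD5s are placed in a small table for type 3, so the lookup has
# something to hit.
SAMPLE_CODES = ["AEP-D9MK316-SAMPLE-0001", "AEP-D9MK316-SAMPLE-0002"]
SAMPLE_TABLES = {3: [md5_digest(c) for c in SAMPLE_CODES]}

if __name__ == "__main__":
    # The value the post quotes for "654321".
    print(md5_digest("654321").hex().upper())
    # No prefix match -> type 1, which has no table here -> 0.
    print(check_code("654321", SAMPLE_TABLES))
    # Second table entry -> (3, 2).
    print(check_code(SAMPLE_CODES[1], SAMPLE_TABLES))
    # The prefix compare ignores case, but the MD5 does not -> (3, 0).
    print(check_code("aep-d9mk316-SAMPLE-0001", SAMPLE_TABLES))
```

The last call shows a detail the listing makes easy to miss: the prefix dispatch is case-insensitive, but the hash of the full string is not, so the same code typed in a different case lands in the right table and still fails the lookup.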