WebDrive 2.2(主程式webdrive.exe長度106,828位元組)
http://www.riverfrontsoftware.com
這個東西用VBox 4.20加密的,只有一個DLL即vboxs420.dll。我的SoftICE 4.05用SoftICE Backdoor Keeper打過補丁,沒看見它檢測到SoftICE。用bpx
DialogBoxParamaA設斷點,等它顯示Nag時就會斷下來,按一下f12,然後點選Try按鈕,就會看見如下的程式碼:
:10002FA0 CALL [EAX+2C] //若未過期則在EAX中返回B164
:10002FA3 CMP EAX,EBX
:10002FA5 JNZ 10002FBA //這個地方如果不跳走就說明程式出錯了
:10002FA7 MOV EAX,[1006EDB8]
:10002FAC PUSH EDI
:10002FAD PUSH FF
:10002FAF PUSH ESI
:10002FB0 MOV ECX,[EAX+04]
:10002FB3 CALL 100282F0
:10002FB8 JMP 10002FF1
:10002FBA MOV EAX,[1006EDB8]
:10002FBF PUSH 00
:10002FC1 PUSH 1000322F
:10002FC6 PUSH DWORD PTR [EAX+3C]
:10002FC9 MOV EAX,[100696B0]
:10002FCE PUSH 000000CB
:10002FD3 PUSH DWORD PTR [EAX+08]
:10002FD6 CALL [USER32!DialogBoxParamA] //顯示Nag
:10002FDC MOV ESI,EAX
//若選Try則EAX為0,選Quit則為1
:10002FDE CALL 100031B0
:10002FE3 PUSH ESI
:10002FE4 CALL 10002FF5
:10002FE9 AND DWORD PTR [1006EDB8],00
:10002FF0 POP ECX
:10002FF1 POP EDI
:10002FF2 POP ESI
:10002FF3 POP EBX
:10002FF4 RET
按幾下F12就到如下的地方:
:00406B8A PUSH 01
:00406B8C CALL 004063D0 //在這裡頭顯示Nag
:00406B91 ADD ESP,04
:00406B94 TEST EAX,EAX
:00406B96 JZ 00406DE8 //過期則跳走
:00406B9C MOV ECX,0040F320
:00406BA1 CALL 004016E0
:00406BA6 MOV ECX,0040F348
很顯然,只要不要讓它跳走即可,由於Vboxs420.dll和webdrive.exe均變換過,而且結合得比較緊密(就是所吹的injection)寫一個process
patcher即可,它沒有CRC校驗。跳過JZ前面的那個CALL則連Nag也沒有了。