The Cleaner 3.2 BUILD 3205的破解(10千字)

看雪資料發表於2001-01-27

我(TAE!)的第二篇破解教程
目標軟體:The Cleaner 3.2 BUILD 3205
保護方式:序列號
破解方法:暴力破解
下載地址:http://www.moosoft.com
軟體簡介:The Cleaner searches your hard drive cleans it of all known
        Trojans.  Using a unique patent-pending technology, The Cleaner
        compares each file against a list of all know Trojans.  You
        can scan your entire system or just one file.  The program
        also allows you to periodically update your Trojan database
        file to keep it current with the latest research.  If you're
        going to expose your system to the dangers of the internet,
        keep it clean with The Cleaner!


    此軟體以前的版本如3.1很好破解,但這個3.2版的註冊碼始終搞不定,跟蹤的時候
發現記憶體中出現了3.1版本的兩個註冊碼,但在此版本中不能用.
    但暴力破解卻非常簡單,先用fileinfo檢查一下它穿了什麼"衣服",哦,原來是UPX0.9?
用TRW載入程式,跟蹤,脫殼.

順便問一下
:XXXX:XXXXXXXX PUSH EAX  <-----為什麼我在這一行用TRW的makepe命令時,它會說:                    ........        Rebuild Import Table error!
脫殼後反彙編它,查詢串式資料,發現出現了以前版本的註冊碼3310-EEC2-21D0-0C82於是
雙擊它,出現下面的程式.
* Referenced by a CALL at Addresses:
|:00495B11  , :004A98CD  , :004AD6B2 
|
:004B252C 55                      push ebp
:004B252D 8BEC                    mov ebp, esp
:004B252F 81C4F0FDFFFF            add esp, FFFFFDF0
:004B2535 53                      push ebx
:004B2536 56                      push esi
:004B2537 57                      push edi
:004B2538 33D2                    xor edx, edx
:004B253A 8995F4FDFFFF            mov dword ptr [ebp+FFFFFDF4], edx
:004B2540 8995F0FDFFFF            mov dword ptr [ebp+FFFFFDF0], edx
:004B2546 8955FC                  mov dword ptr [ebp-04], edx
:004B2549 8955F8                  mov dword ptr [ebp-08], edx
:004B254C 8BF8                    mov edi, eax
:004B254E B908000000              mov ecx, 00000008
:004B2553 8D8508FEFFFF            lea eax, dword ptr [ebp+FFFFFE08]

* Possible StringData Ref from Data Obj ->"
String?@"
                                  |
:004B2559 8B15AC104000            mov edx, dword ptr [004010AC]
:004B255F E8441DF5FF              call 004042A8
:004B2564 33C0                    xor eax, eax
:004B2566 55                      push ebp
:004B2567 68F1284B00              push 004B28F1
:004B256C 64FF30                  push dword ptr fs:[eax]
:004B256F 648920                  mov dword ptr fs:[eax], esp
:004B2572 33C0                    xor eax, eax
:004B2574 55                      push ebp
:004B2575 68A4284B00              push 004B28A4
:004B257A 64FF30                  push dword ptr fs:[eax]
:004B257D 648920                  mov dword ptr fs:[eax], esp
:004B2580 8B9750530000            mov edx, dword ptr [edi+00005350]
:004B2586 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Data Obj ->"ibu.dll"
                                  |
:004B2589 B90C294B00              mov ecx, 004B290C
:004B258E E8F517F5FF              call 00403D88
:004B2593 8D8770B35101            lea eax, dword ptr [edi+0151B370]

* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
                                  |
:004B2599 BA1C294B00              mov edx, 004B291C
:004B259E E87115F5FF              call 00403B14
:004B25A3 8D8774B35101            lea eax, dword ptr [edi+0151B374]
:004B25A9 E81215F5FF              call 00403AC0
:004B25AE 8B45FC                  mov eax, dword ptr [ebp-04]
:004B25B1 E89E55F5FF              call 00407B54
:004B25B6 84C0                    test al, al
:004B25B8 0F84BA020000            je 004B2878
:004B25BE 8B55FC                  mov edx, dword ptr [ebp-04]
:004B25C1 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B25C7 E8562CF5FF              call 00405222
:004B25CC 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B25D2 E8502FF5FF              call 00405527
:004B25D7 8D9770B35101            lea edx, dword ptr [edi+0151B370]
:004B25DD 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B25E3 E8101BF5FF              call 004040F8
:004B25E8 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B25EE E8D12EF5FF              call 004054C4
:004B25F3 8D55F8                  lea edx, dword ptr [ebp-08]
:004B25F6 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B25FC E8F71AF5FF              call 004040F8
:004B2601 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B2607 E8B82EF5FF              call 004054C4
:004B260C 8D8528FEFFFF            lea eax, dword ptr [ebp+FFFFFE28]
:004B2612 E8112DF5FF              call 00405328
:004B2617 8D8774B35101            lea eax, dword ptr [edi+0151B374]
:004B261D 8B55F8                  mov edx, dword ptr [ebp-08]
:004B2620 E8EF14F5FF              call 00403B14
:004B2625 8B45F8                  mov eax, dword ptr [ebp-08]

* Possible StringData Ref from Data Obj ->"3310-EEC2-21D0-0C82"***
                                  |
:004B2628 BA3C294B00              mov edx, 004B293C
:004B262D E81A18F5FF              call 00403E4C
:004B2632 740F                    je 004B2643
:004B2634 8B45F8                  mov eax, dword ptr [ebp-08]

* Possible StringData Ref from Data Obj ->"27F9-996A-BBBA-793E"***
                                  |
:004B2637 BA58294B00              mov edx, 004B2958
:004B263C E80B18F5FF              call 00403E4C
:004B2641 752A                    jne 004B266D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2632(C)
|
:004B2643 8D8770B35101            lea eax, dword ptr [edi+0151B370]

* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
                                  |
:004B2649 BA1C294B00              mov edx, 004B291C
:004B264E E8C114F5FF              call 00403B14
:004B2653 8D8774B35101            lea eax, dword ptr [edi+0151B374]
:004B2659 E86214F5FF              call 00403AC0
:004B265E 33DB                    xor ebx, ebx
:004B2660 33C0                    xor eax, eax
:004B2662 5A                      pop edx
:004B2663 59                      pop ecx
:004B2664 59                      pop ecx
:004B2665 648910                  mov dword ptr fs:[eax], edx
:004B2668 E943020000              jmp 004B28B0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2641(C)
|
:004B266D 8B45F8                  mov eax, dword ptr [ebp-08]
:004B2670 E8C716F5FF              call 00403D3C
:004B2675 83F813                  cmp eax, 00000013
:004B2678 742A                    je 004B26A4
:004B267A 8D8770B35101            lea eax, dword ptr [edi+0151B370]

* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
                                  |
:004B2680 BA1C294B00              mov edx, 004B291C
:004B2685 E88A14F5FF              call 00403B14
:004B268A 8D8774B35101            lea eax, dword ptr [edi+0151B374]
:004B2690 E82B14F5FF              call 00403AC0
:004B2695 33DB                    xor ebx, ebx
:004B2697 33C0                    xor eax, eax
:004B2699 5A                      pop edx
:004B269A 59                      pop ecx
:004B269B 59                      pop ecx
:004B269C 648910                  mov dword ptr fs:[eax], edx
:004B269F E90C020000              jmp 004B28B0

一看就知道有三個地方呼叫,經過分析發現第一個Call是輸入註冊資料時的呼叫.第二個未知,而第三個就是程式啟動時檢查你是否已經註冊,所以來到了這裡

* Possible StringData Ref from Data Obj ->"Windows Directory: "
                                  |
:004AD69A BA2CDE4A00              mov edx, 004ADE2C
:004AD69F E8E466F5FF              call 00403D88
:004AD6A4 8B8574FFFFFF            mov eax, dword ptr [ebp+FFFFFF74]
:004AD6AA E849F1FDFF              call 0048C7F8
:004AD6AF 8B45FC                  mov eax, dword ptr [ebp-04]
:004AD6B2 E8754E0000              call 004B252C        \    <----- 來到這裡
:004AD6B7 84C0                    test al, al          - 看起來很眼熟呀! 
:004AD6B9 754C                    jne 004AD707          / 將這裡改為je試試
:004AD6BB 8B45FC                  mov eax, dword ptr [ebp-04]
:004AD6BE 0570B35101              add eax, 0151B370

* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
                                  |
:004AD6C3 BA48DE4A00              mov edx, 004ADE48
:004AD6C8 E84764F5FF              call 00403B14
:004AD6CD 8B0DF06F4B00            mov ecx, dword ptr [004B6FF0]
:004AD6D3 A1B86F4B00              mov eax, dword ptr [004B6FB8]
:004AD6D8 8B00                    mov eax, dword ptr [eax]

* Possible StringData Ref from Data Obj ->"念@"
                                  |
:004AD6DA 8B15548D4900            mov edx, dword ptr [00498D54]
:004AD6E0 E85F37F8FF              call 00430E44
:004AD6E5 A1F06F4B00              mov eax, dword ptr [004B6FF0]
:004AD6EA 8B00                    mov eax, dword ptr [eax]
:004AD6EC E8DB18F8FF              call 0042EFCC
:004AD6F1 83F802                  cmp eax, 00000002
:004AD6F4 7511                    jne 004AD707
:004AD6F6 A1B86F4B00              mov eax, dword ptr [004B6FB8]
:004AD6FB 8B00                    mov eax, dword ptr [eax]
:004AD6FD E88238F8FF              call 00430F84
:004AD702 E951060000              jmp 004ADD58

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AD6B9(C), :004AD6F4(C)
|

* Possible StringData Ref from Data Obj ->"Load Database"
                                  |
:004AD707 B868DE4A00              mov eax, 004ADE68
:004AD70C E8E7F0FDFF              call 0048C7F8
:004AD711 8B45FC                  mov eax, dword ptr [ebp-04]
:004AD714 80B86053000000          cmp byte ptr [eax+00005360], 00
:004AD71B 7417                    je 004AD734
:004AD71D A12C6F4B00              mov eax, dword ptr [004B6F2C]
:004AD722 8B00                    mov eax, dword ptr [eax]
:004AD724 8B80E4010000            mov eax, dword ptr [eax+000001E4]

* Possible StringData Ref from Data Obj ->"Loading database..."
                                  |
:004AD72A BA80DE4A00              mov edx, 004ADE80
:004AD72F E88C57F9FF              call 00442EC0

將:004AD6B9 754C  jne 004AD707
改為:      744C  je  004ad707

執行一下,果然註冊成功,再也不會出現註冊提示框了.

相關文章