Registering Trojan Remover 4.2.1 (14千字)
Registering Trojan Remover 4.2.1
1、下載地址:http://www.simplysup.com/tremover/
2、大小:1430Kb
3、破解工具: SoftICE 4.05,TRW2000,Win32dasm 8.93,Hiew 6.40
4、軟體簡介: 是一款查殺木馬的相當流行的工具,這是最新版本。
主程式用ASPack壓縮過,程式是用Delphi 3.0寫成,主程式只有197K,脫殼後居然有1.08Mb。
用Win32dasm反彙編後看到了一組->"Temporary registration Code "
* Possible StringData Ref from Code Obj ->"419246"
* Possible StringData Ref from Code Obj ->"387192"
* Possible StringData Ref from Code Obj ->"388028"
* Possible StringData Ref from Code Obj ->"422199"
試了一下還是可以的,出現了這樣的提示窗->"Temporary registration has been applied successfully.
This registration will be valid for the next 72 hours."
只能用72個小時,我#%^&$#^,也太小氣了。於是決定操刀解之而後快:)
5、破解過程: 執行程式輸入 Username: CoolBob
Organisation:
China Cracker Group
Serial Number:
26313818 (隨機產生的)
Registration
Key: 12345
一開始用TRW2000,發現上當。該程式註冊驗證時用到float運算。所以,換SoftICE上場,下BPX hmemcpy,F5跳出來後,點OK按鈕被SoftICE攔截,12次F12來到這裡---->
Copyright ©1999-2001 Simply Super Software
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:0044591A E811C2FBFF Call
00401B30
:0044591F 8B45F0
mov eax, dword ptr [ebp-10] <----Here we come
:00445922 50
push eax
<----Save Serial Number
:00445923 8D55EC
lea edx, dword ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458BF(C)
|
:00445926 8B45FC
mov eax, dword ptr [ebp-04]
:00445929 8B80E8010000 mov eax, dword
ptr [eax+000001E8]
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:0044592F E8FCC1FBFF Call
00401B30
:00445934 8B55EC
mov edx, dword ptr [ebp-14] <----Get Name
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004458D4(C)
|
:00445937 A1B86B4C00 mov eax,
dword ptr [004C6BB8]
:0044593C 8B00
mov eax, dword ptr [eax]
:0044593E 59
pop ecx
:0044593F E80C3B0700 call
004B9450
:00445944 8D55F0
lea edx, dword ptr [ebp-10]
:00445947 8B45FC
mov eax, dword ptr [ebp-04]
:0044594A 8B8008020000 mov eax, dword
ptr [eax+00000208]
* Reference To: VCL30.Controls.TControl.GetText@23EDC2EF, Ord:0000h
|
:00445950 E8DBC1FBFF Call
00401B30
:00445955 8B55F0
mov edx, dword ptr [ebp-10] <----Real Registration Key
:00445958 8B45F8
mov eax, dword ptr [ebp-08] <----12345
* Reference To: VCL30.System.@LStrCmp@51F89FF7, Ord:0000h
|
:0044595B E848B8FBFF Call
004011A8 <---Hmmm,What
about this call?
:00445960 0F856B020000 jne 00445BD1
<---If jump,bad guy
:00445966 A19C6B4C00 mov eax,
dword ptr [004C6B9C]
:0044596B C60001
mov byte ptr [eax], 01
:0044596E A1D46B4C00 mov eax,
dword ptr [004C6BD4]
:00445973 C60000
mov byte ptr [eax], 00
:00445976 B201
mov dl, 01
:00445978 A11C8B4E00 mov eax,
dword ptr [004E8B1C]
* Reference To: VCL30.Registry.TRegistry.Create@23EDC2EF, Ord:0000h
|
:0044597D E83EC6FBFF Call
00401FC0
:00445982 8945F4
mov dword ptr [ebp-0C], eax
:00445985 BA02000080 mov edx,
80000002
:0044598A 8B45F4
mov eax, dword ptr [ebp-0C]
* Reference To: VCL30.Registry.TRegistry.SetRootKey@23EDC2EF, Ord:0000h
|
:0044598D E83EC6FBFF Call
00401FD0
:00445992 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan
"
->"Remover\User"
|
:00445994 BA385F4400 mov edx,
00445F38
:00445999 8B45F4
mov eax, dword ptr [ebp-0C]
* Reference To: VCL30.Registry.TRegistry.OpenKey@23EDC2EF, Ord:0000h
|
:0044599C E837C6FBFF Call
00401FD8
:004459A1 84C0
test al, al
:004459A3 0F84DC000000 je 00445A85
:004459A9 33C0
xor eax, eax
:004459AB 55
push ebp
:004459AC 685D5A4400 push
00445A5D
:004459B1 64FF30
push dword ptr fs:[eax]
:004459B4 648920
mov dword ptr fs:[eax], esp
:004459B7 8D55F0
lea edx, dword ptr [ebp-10]
:004459BA 8B45FC
mov eax, dword ptr [ebp-04]
:004459BD 8B80E8010000 mov eax, dword
ptr [eax+000001E8]
如果只是簡單的找註冊碼,到這裡應該結束了,但作為Cracker我們應該有一種一追到底的精神,就像追MM一樣:)要追到她們感動為止,否則,不要輕易放棄。情聖守則第一條。
又扯遠了^O^
讓我們來分析一下注冊碼生成過程,
在這裡的時候:00445922 50
push eax
<----Save Serial Number
下BPR eax eax+7 r,按一下F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B943B(C)
|
:004B94A6 8B55FC
mov edx, dword ptr [ebp-04]
:004B94A9 8A543AFF
mov dl, byte ptr [edx+edi-01] <----Here we come
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B94AD E8B67CF4FF Call
00401168
:004B94B2 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
<---StrToInt(Serial Number)
|
:004B94B5 E8EE80F4FF Call
004015A8
:004B94BA 83F802
cmp eax, 00000002 <---if
SN[i]>=2 jump
:004B94BD 7D44
jge 004B9503
:004B94BF 8D45E8
lea eax, dword ptr [ebp-18]
:004B94C2 8B55FC
mov edx, dword ptr [ebp-04]
:004B94C5 8A543AFF
mov dl, byte ptr [edx+edi-01]
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B94C9 E89A7CF4FF Call
00401168
:004B94CE 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h <----StrToInt(SN[i])
|
:004B94D1 E8D280F4FF Call
004015A8
:004B94D6 83C003
add eax, 00000003 <----SN[i]=SN[i]+3
:004B94D9 7105
jno 004B94E0
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B94DB E8C07BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94D9(C)
|
:004B94E0 6BC051
imul eax, 00000051 <----SN[i]=SN[i]*0x51
:004B94E3 7105
jno 004B94EA
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B94E5 E8B67BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94E3(C)
|
:004B94EA 8BF8
mov edi, eax
:004B94EC 8D55E8
lea edx, dword ptr [ebp-18]
:004B94EF 8BC7
mov eax, edi
* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
|
:004B94F1 E8AA80F4FF Call
004015A0 <---IntToStr
:004B94F6 8B55E8
mov edx, dword ptr [ebp-18]
:004B94F9 8D45F8
lea eax, dword ptr [ebp-08]
* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
|
:004B94FC E88F7CF4FF Call
00401190 <---StrCat
:004B9501 EB38
jmp 004B953B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B94BD(C)
|
:004B9503 8D45E8
lea eax, dword ptr [ebp-18]
:004B9506 8B55FC
mov edx, dword ptr [ebp-04]
:004B9509 8A543AFF
mov dl, byte ptr [edx+edi-01]
* Reference To: VCL30.System.@LStrFromChar@001FB870, Ord:0000h
|
:004B950D E8567CF4FF Call
00401168
:004B9512 8B45E8
mov eax, dword ptr [ebp-18]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
|
:004B9515 E88E80F4FF Call
004015A8
:004B951A 6BC02F
imul eax, 0000002F <---eax=eax*2F
:004B951D 7105
jno 004B9524
* Reference To: VCL30.System.@IntOver@51F89FF7, Ord:0000h
|
:004B951F E87C7BF4FF Call
004010A0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B951D(C)
|
:004B9524 8BF8
mov edi, eax
:004B9526 8D55E8
lea edx, dword ptr [ebp-18]
:004B9529 8BC7
mov eax, edi
* Reference To: VCL30.SysUtils.IntToStr@0F6FDFF6, Ord:0000h
|
:004B952B E87080F4FF Call
004015A0 <----IntToStr
:004B9530 8B55E8
mov edx, dword ptr [ebp-18]
:004B9533 8D45F8
lea eax, dword ptr [ebp-08]
* Reference To: VCL30.System.@LStrCat@51F89FF7, Ord:0000h
|
:004B9536 E8557CF4FF Call
00401190 <-----String catenating
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9501(U)
|
:004B953B 43
inc ebx
:004B953C 4E
dec esi
:004B953D 0F855EFFFFFF jne 004B94A1
<---dec esi / jne：esi 是尚未處理的字元數，不為 0 就跳回 004B94A1 處理下一個字元
上面的程式對 Serial Number 字串的每一個字元做如下處理：先以 StrToInt 轉成整數 d；若 d<2（即 0 或 1）則取 (d+3)*0x51（=81），否則取 d*0x2F（=47）；再以 IntToStr 轉回字串並接到結果後面（jno/@IntOver 表示該段程式是在開啟溢位檢查下編譯的）。
我的 Serial Number=26313818，
按以上的規律則變成這樣：
IntToStr(2*2F)+IntToStr(6*2F)+IntToStr(3*2F)+IntToStr((1+3)*0x51)+IntToStr(3*2F)+IntToStr(8*2F)+IntToStr((1+3)*0x51)+IntToStr(8*2F)=>"94282141324141376324376"
<--Now we call this StrA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9496(C)
|
:004B9543 8B45F8
mov eax, dword ptr [ebp-08] <---D eax, You'll Look StrA
* Reference To: VCL30.SysUtils.StrToFloat@044134E0, Ord:0000h
|
:004B9546 E86D81F4FF Call
004016B8 <---StrA convert
To Float
:004B954B DB7DEE
fstp tbyte ptr [ebp-12] <---Store at ebp-12
:004B954E 9B
wait
:004B954F DB6DEE
fld tbyte ptr [ebp-12] <---Load StrA
:004B9552 DB2DE4954B00 fld tbyte
ptr [004B95E4] <---Load some Float value
:004B9558 DEC9
fmulp st(1), st(0) <---st(0)=st(1)*st(0)
:004B955A DB2DF0954B00 fld tbyte
ptr [004B95F0] <---Load another value
:004B9560 DEE9
fsubp st(1), st(0) <---st(0)=st(1)-st(0)
:004B9562 DB7DEE
fstp tbyte ptr [ebp-12] <---Save st(0)
:004B9565 9B
wait
:004B9566 EB1A
jmp 004B9582
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9590(C)
|
:004B9568 8B45FC
mov eax, dword ptr [ebp-04]
* Reference To: VCL30.SysUtils.StrToInt@0F6FDFF6, Ord:0000h
|
:004B956B E83880F4FF Call
004015A8
:004B9570 8945E4
mov dword ptr [ebp-1C], eax <---eax=Serial Number
:004B9573 DB45E4
fild dword ptr [ebp-1C] <---Load it
:004B9576 DB6DEE
fld tbyte ptr [ebp-12] <---Load st(0)
* Reference To: VCL30.System.@FSafeDivideR@51F89FF7, Ord:0000h
|
:004B9579 E8EA7CF4FF Call
00401268 <---st(0)=st(1)/st(0)
:004B957E DB7DEE
fstp tbyte ptr [ebp-12] <---Save *result*
:004B9581 9B
wait
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9566(U)
|
:004B9582 DB6DEE
fld tbyte ptr [ebp-12] <---Load st(0)
:004B9585 DB2DFC954B00 fld tbyte
ptr [004B95FC] <---Load value
:004B958B DED9
fcompp
<---Compare
:004B958D DFE0
fstsw ax
<---Store Status Word
:004B958F 9E
sahf
<---Store AH Register into FLAGS
:004B9590 72D6
jb 004B9568
:004B9592 668B45F6
mov ax, word ptr [ebp-0A]
:004B9596 50
push eax
:004B9597 FF75F2
push [ebp-0E]
:004B959A FF75EE
push [ebp-12]
:004B959D 8B4508
mov eax, dword ptr [ebp+08]
:004B95A0 50
push eax
:004B95A1 33C9
xor ecx, ecx
:004B95A3 BA12000000 mov edx,
00000012
:004B95A8 B002
mov al, 02
* Reference To: VCL30.SysUtils.FloatToStrF@0DD792DD, Ord:0000h
|
:004B95AA E80181F4FF Call
004016B0
:004B95AF 33C0
xor eax, eax
:004B95B1 5A
pop edx
:004B95B2 59
pop ecx
:004B95B3 59
pop ecx
:004B95B4 648910
mov dword ptr fs:[eax], edx
:004B95B7 68D9954B00 push
004B95D9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B95D7(U)
|
:004B95BC 8D45E8
lea eax, dword ptr [ebp-18]
* Reference To: VCL30.System.@LStrClr@40929B27, Ord:0000h
|
:004B95BF E87C7BF4FF Call
00401140
:004B95C4 8D45F8
lea eax, dword ptr [ebp-08]
:004B95C7 BA02000000 mov edx,
00000002
* Reference To: VCL30.System.@LStrArrayClr@51F89FF7, Ord:0000h
|
:004B95CC E8777BF4FF Call
00401148
:004B95D1 C3
ret
其實上面的 :004B957E DB7DEE  fstp tbyte ptr [ebp-12] <---Save *result*
所儲存的結果就是正確的註冊碼：隨後在 :004B95AA 以 FloatToStrF（由 al=2、edx=18、ecx=0 看來是 ffFixed、精度 18、小數位 0）轉成字串，再於 :0044595B 以 @LStrCmp 與使用者輸入的 Registration Key 比較，:00445960 的 jne 只要不相等就判定失敗。
（安全註記：註冊碼完全由 Serial Number 在本機算出，且以明文字串比較，所以正確註冊碼在比較之前就已經存在於記憶體中——既可直接讀出，也可據此寫出 keygen。要抵擋這類分析，授權碼應由伺服器以非對稱簽章產生，程式端只持有公鑰做驗證，而不是在本機重算後比對。）
1、註冊碼與Username,Organisation無關,只與Serial Number有關。
2、註冊過程:
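{ Keygen for Trojan Remover 4.2.1, reconstructed from the routine at 004B9450.
  Input:  edit1.text = the "Serial Number" the program displays (decimal digits only).
  Output: edit2.text = the matching "Registration Key".
  The key depends only on the serial number, not on Name/Organisation. }
procedure TForm1.Button3Click(Sender: TObject);
var
  I: Integer;
  MyString, StrA: String;

  { True when S is non-empty and consists only of decimal digits.
    The target feeds every character to StrToInt, so anything else would raise
    EConvertError half-way through; reject it up front with a clear message. }
  function IsAllDigits(const S: String): Boolean;
  var
    J: Integer;
  begin
    Result := Length(S) > 0;
    for J := 1 to Length(S) do
      if not (S[J] in ['0'..'9']) then
        Result := False;
  end;

begin
  MyString := edit1.text;
  if not IsAllDigits(MyString) then
    raise Exception.Create('Serial Number must be a non-empty string of decimal digits');
  { StrToInt(MyString) is the final divisor; an all-zero serial would divide by zero. }
  if StrToInt(MyString) = 0 then
    raise Exception.Create('Serial Number must not be zero');

  { Step 1 (loop 004B94A6..004B953D): each digit d is transformed and the decimal
    text of the result appended to StrA. Digits 0 and 1 take the (d+3)*81 branch
    (imul 0x51 at 004B94E0); digits 2..9 take the d*47 branch (imul 0x2F at 004B951A). }
  StrA := '';
  for I := 1 to Length(MyString) do
    if StrToInt(MyString[I]) < 2 then
      StrA := StrA + IntToStr((StrToInt(MyString[I]) + 3) * 81)
    else
      StrA := StrA + IntToStr(StrToInt(MyString[I]) * 47);

  { Step 2 (004B9546..004B957E): StrA is parsed as a float, multiplied by the
    constant at 004B95E4 (1/7 = 0.142857...), the constant at 004B95F0 (480547639)
    is subtracted, and the value is divided by the serial number.
    NOTE(review): in the target the division sits in a loop (jb 004B9590 back to
    004B9568) guarded by a compare against the constant at 004B95FC; this
    reconstruction performs it exactly once, which matched the author's serial.
    Serials for which that loop iterates more than once would need the loop too.
    NOTE(review): the key is ~5e14 for the author's serial, so Round must yield a
    64-bit result (Delphi 4+); a 32-bit Longint Round would overflow. }
  edit2.text := IntToStr(Round((StrToFloat(StrA) * 0.1428571428571428571 - 480547639)
    / StrToInt(MyString)));
end;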
3、該程式註冊後資訊在登錄檔中如下（兩個 8 位元組的 hex 值是 little-endian 的 IEEE-754 double："Serial Number" = 0x41791845A0000000 = 26313818.0，"Registration" = 0x42FD187B044C32F0 ≈ 5.1186×10^14，與上面公式算出的數量級一致；兩者都是明文存放，並未與機器或使用者綁定）:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Simply Super Software\Trojan Remover\User]
"Name"="CoolBob"
"Organisation"="China Cracker Group"
"Serial Number"=hex:00,00,00,a0,45,18,79,41
"Registration"=hex:f0,32,4c,04,7b,18,fd,42
-----------------------------------------------------------written by CoolBob[CCG]
2001.4.16