流光2001完全暴力破解
================================================
hehan china 多情俏狐
(轉載請保持完整)
軟體說明:小榕駭客軟體系列產品中主打產品,能對pop3,ftp,http伺服器及其它密碼進行快速猜解。還兼有追捕和雙向IP查詢功能。
所用工具:trw2000,hedit和w32dasm
1.去除過期提示:
把系統日期向前改一年就不會出現過期提示,遂懷疑程式呼叫了GetSystemTime函式
執行trw2000,對GetSystemTime設斷點,程式在出現調查表之前中斷:
* Reference To: MSVCRT.time, Ord:02D0h====>呼叫API函式getsystemtime
|
:00406149 FF15F0D64800 Call dword ptr
[0048D6F0]
:0040614F 8B442410 mov
eax, dword ptr [esp+10]
:00406153 83C404
add esp, 00000004
:00406156 3DB7F1C53A cmp eax,
3AC5F1B7
:0040615B 7E4C
jle 004061A9=====>不跳就過期
所以改為跳 那74 改EB
:0040615D 6A00
push 00000000
:0040615F 8D4C2434 lea
ecx, dword ptr [esp+34]
:00406163 E848950000 call 0040F6B0
:00406168 A148FB4A00 mov eax,
dword ptr [004AFB48]
:0040616D 51
push ecx
:0040616E 85C0
test eax, eax
:00406170 C78424CC05000000000000 mov dword ptr [esp+000005CC], 00000000
:0040617B 8BCC
mov ecx, esp
:0040617D 740B
je 0040618A
:0040617F 8964240C mov
dword ptr [esp+0C], esp
2.去除防暴破程式自檢點:
啟動後雖然沒過期提示,但程式自動檢測,暴破後照樣出錯退出:
用w32dasm反彙編後,從字串參考正好可以找到出錯提示:
(不過中文提示很多,很難找)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040695C(U)
|
:00406963 85C0
test eax, eax
:00406965 7439
je 004069A0====》offset 6965h
如果程式被修改就會跳轉,提示可能被病毒感染或者捆綁了惡意程式,然後程式非正常退出。
:00406967 A148FB4A00 mov eax,
dword ptr [004AFB48]
:0040696C 51
push ecx
:0040696D 85C0
test eax, eax
:0040696F 8BCC
mov ecx, esp
:00406971 740B
je 0040697E
:00406973 89642424 mov
dword ptr [esp+24], esp
* Possible StringData Ref from Data Obj ->"數字驗證失敗,可能被病毒感染或者捆綁了惡意程式"
->"。"
|
:00406977 6894404A00 push 004A4094
:0040697C EB09
jmp 00406987
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406971(C)
|
:0040697E 89642424 mov
dword ptr [esp+24], esp
* Possible StringData Ref from Data Obj ->"Digit Authenticate Failed, Quit."
|
:00406982 6870404A00 push 004A4070
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040697C(U)
|
* Reference To: MFC42.Ordinal:0219, Ord:0219h
3.開始使用者調查表的去除:
曾經嘗試從成功訊息和出錯訊息兩處用動態和靜態分析,均不成功,遂決定從程式開始一步步進行跟蹤。
* Possible Reference to Dialog:
|
:00407E08 68D0434A00 push 004A43D0
:00407E0D 8D4C240C lea
ecx, dword ptr [esp+0C]
:00407E11 C784242C08000000000000 mov dword ptr [esp+0000082C], 00000000
:00407E1C E88F730700 call 0047F1B0
:00407E21 85C0
test eax, eax
:00407E23 750A
jne 00407E2F
:00407E25 8B06
mov eax, dword ptr [esi]
:00407E27 8BCE
mov ecx, esi
:00407E29 FF90C0000000 call dword ptr
[eax+000000C0]
^^^^^^^這才是那個令人討厭的調查表
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407E23(C)
|跳到這裡就一片晴空了
:00407E2F 8D4C2408 lea
ecx, dword ptr [esp+08]
:00407E33 E828740700 call 0047F260
:00407E38 8BF8
mov edi, eax
====================================>
止此完全破解成功!!!!!
哈哈哈!!!!!!
2001-08-14