Trojan Remover 4.3.0破解手記 (8千字)

Trojan Remover 4.3.0破解手記

作者：X man or lb[BCG]
軟體版本 4.3.0
使用平臺 Win9x/Me/NT/2000
檔案大小 1458KB
軟體性質共享軟體
簡單說明是一個專門用來清除特洛伊木馬和自動修復系統檔案的工具。能夠檢查系統登入檔案、掃描WIN.INI
、SYSTEM.INI和系統登入檔案，且掃描完成後會產生Log資訊檔案，並幫你自動清除特洛伊木馬和修復系統文
件。

注:安裝該程式時就要求填入name、Organisation在這裡我填的是：
name:lb[BCG]
Organisation:Beginner's Cracking Group

FIRST：
用FI檢測RmvTrjan.exe，未發現加殼。GOOD！用W32DASM反編譯它，卻發現“String Data references”中沒有
任何資訊。奇怪難道是被FI騙了，於是用PROCDUMP來PE Editor它，終於找到了，是用ASPack加殼，好辦脫掉它
就可以用W32DASM了。

當然，本文不是討論如何脫殼的，所以告訴您一個簡單的辦法，用“Ding Boy的衝擊波2000”找到切入點，再
用TRW2000的MAKEPE來搞定它！

NEXT：
用W32DASM反編譯後，查詢“Registration key is invalid ”來到

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CDCF(C)
|
:0043D032 6A30 push 00000030
:0043D034 E83F44FCFF call 00401478
:0043D039 6A00 push 00000000
:0043D03B 668B0DD4D34300 mov cx, word ptr [0043D3D4]
:0043D042 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"Registration key is invalid - "
->"please ensure you have typed the "
->"Registration Key correctly. Most "
->"registration problems are caused "
->"because the Serial Number does "
->"not match that originally supplied "
->"by the user when registering. "
->"Check that the Serial Number displayed "
->"is identical to that shown in "
->"the registration email. If it "
->"is not, send email to support@simplysup.com "
->"giving your new Serial "
|
:0043D044 B8E0D34300 mov eax, 0043D3E0
:0043D049 E8EA4EFCFF call 00401F38
:0043D04E 83F804 cmp eax, 00000004
:0043D051 7523 jne 0043D076
:0043D053 8B45FC mov eax, dword ptr [ebp-04]
:0043D056 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043D05C 33D2 xor edx, edx
:0043D05E E8D54AFCFF call 00401B38
:0043D063 8B45FC mov eax, dword ptr [ebp-04]
:0043D066 8B9008020000 mov edx, dword ptr [eax+00000208]
:0043D06C 8B45FC mov eax, dword ptr [ebp-04]
:0043D06F E8B44CFCFF call 00401D28
:0043D074 EB08 jmp 0043D07E

看到是有0043CDCF處跳來的，於是轉到該處
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CAE0(C)
|
:0043CD51 8D55F0 lea edx, dword ptr [ebp-10]
:0043CD54 8B45FC mov eax, dword ptr [ebp-04]
:0043CD57 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043CD5D E8CE4DFCFF call 00401B30
:0043CD62 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"419246"
|
:0043CD65 BA50D24300 mov edx, 0043D250
:0043CD6A E83944FCFF call 004011A8
:0043CD6F 7464 je 0043CDD5
:0043CD71 8D55F0 lea edx, dword ptr [ebp-10]
:0043CD74 8B45FC mov eax, dword ptr [ebp-04]
:0043CD77 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043CD7D E8AE4DFCFF call 00401B30
:0043CD82 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"387192"
|
:0043CD85 BA60D24300 mov edx, 0043D260
:0043CD8A E81944FCFF call 004011A8
:0043CD8F 7444 je 0043CDD5
:0043CD91 8D55F0 lea edx, dword ptr [ebp-10]
:0043CD94 8B45FC mov eax, dword ptr [ebp-04]
:0043CD97 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043CD9D E88E4DFCFF call 00401B30
:0043CDA2 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"388028"
|
:0043CDA5 BA70D24300 mov edx, 0043D270
:0043CDAA E8F943FCFF call 004011A8
:0043CDAF 7424 je 0043CDD5
:0043CDB1 8D55F0 lea edx, dword ptr [ebp-10]
:0043CDB4 8B45FC mov eax, dword ptr [ebp-04]
:0043CDB7 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043CDBD E86E4DFCFF call 00401B30
:0043CDC2 8B45F0 mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"422199"
|
:0043CDC5 BA80D24300 mov edx, 0043D280
:0043CDCA E8D943FCFF call 004011A8
:0043CDCF 0F855D020000 jne 0043D032---------------------由這裡跳到出錯資訊處，看到上面
的422199，可能它就是註冊碼，好，把它填進去後，
果然沒有彈出錯誤的對話方塊。不過卻說這是臨時注
冊碼云云，嗚嗚~~~，居然是這麼回事，好！把日期
往後調動後，再次執行該軟體，又彈出錯誤的對話方塊（這樣一開始有可以填如註冊碼），於是從此處向上看，
來到0043CD51處，發現這一切都是0043CAE0引來的。

NEXT：
轉營，來到0043CAE0處

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CA54(C)
|
:0043CAB7 A1ACDB4B00 mov eax, dword ptr [004BDBAC]
:0043CABC 8B00 mov eax, dword ptr [eax]
:0043CABE 59 pop ecx
:0043CABF E8C0420700 call 004B0D84
:0043CAC4 8D55F0 lea edx, dword ptr [ebp-10]
:0043CAC7 8B45FC mov eax, dword ptr [ebp-04]
:0043CACA 8B8008020000 mov eax, dword ptr [eax+00000208]
:0043CAD0 E85B50FCFF call 00401B30
:0043CAD5 8B55F0 mov edx, dword ptr [ebp-10]-----可疑哦！這裡D EAX試試
:0043CAD8 8B45F8 mov eax, dword ptr [ebp-08]-----EAX：真的註冊碼
:0043CADB E8C846FCFF call 004011A8-------------------EDX：您輸入的假註冊碼
:0043CAE0 0F856B020000 jne 0043CD51 ------------就是這兒開始引導我出錯
:0043CAE6 A194DB4B00 mov eax, dword ptr [004BDB94]
:0043CAEB C60001 mov byte ptr [eax], 01
:0043CAEE A1C8DB4B00 mov eax, dword ptr [004BDBC8]
:0043CAF3 C60000 mov byte ptr [eax], 00
:0043CAF6 B201 mov dl, 01
:0043CAF8 A114FB4D00 mov eax, dword ptr [004DFB14]
:0043CAFD E8B654FCFF call 00401FB8
:0043CB02 8945F4 mov dword ptr [ebp-0C], eax
:0043CB05 BA02000080 mov edx, 80000002
:0043CB0A 8B45F4 mov eax, dword ptr [ebp-0C]
:0043CB0D E8B654FCFF call 00401FC8
:0043CB12 B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"SOFTWARE\Simply Super Software\Trojan "
->"Remover\User"
|
:0043CB14 BAB8D04300 mov edx, 0043D0B8
:0043CB19 8B45F4 mov eax, dword ptr [ebp-0C]
:0043CB1C E8AF54FCFF call 00401FD0
:0043CB21 84C0 test al, al
:0043CB23 0F84DC000000 je 0043CC05
:0043CB29 33C0 xor eax, eax
:0043CB2B 55 push ebp
:0043CB2C 68DDCB4300 push 0043CBDD
:0043CB31 64FF30 push dword ptr fs:[eax]
:0043CB34 648920 mov dword ptr fs:[eax], esp
:0043CB37 8D55F0 lea edx, dword ptr [ebp-10]
:0043CB3A 8B45FC mov eax, dword ptr [ebp-04]
:0043CB3D 8B80E8010000 mov eax, dword ptr [eax+000001E8]
:0043CB43 E8E84FFCFF call 00401B30
:0043CB48 8B4DF0 mov ecx, dword ptr [ebp-10]
…………………………（省略一部分）

END：
好了，Trojan Remover就破解到這了，我的註冊碼是：
name:lb[BCG]
Organisation:Beginner's Cracking Group
Serial No:80208956
Reg No:67011387897120

該軟體的註冊資訊放在HKEY_LOCAL_MACHINE\Software\Simply Super Software\Trojan Remover\User處

各位高手看了本文不要見笑，我是個Beginner。
                              X man or lb[BCG]
                              lbcool@elong.com
                              2001.8.30

Trojan Remover 4.3.0破解手記 (8千字)

相關文章