VirTime HTMLock V1.4.0 pj之溫柔篇

軟體簡介：幫助您建立基於 JavaScript 的密碼保護頁面
DOWNLOAD: http://www.inhua.com/down/htl.zip
pj工具：RegMon,TRW 2000 V1.03

**************************************************************************************************************

　精華三里paulyoung寫了一個pj的暴力篇，我來一個婉約派的溫柔篇，而且還有些很有意思的發現，各位大小蝦，不妨看看。
　　
　　一、用 RegMon 監視，執行軟體，發覺它讀取如下兩個登錄檔鍵值：

HKLM\SOFTWARE\VirTime\HTL1.4.0\UserName SUCCESS "NOBODY" （使用者名稱）
HKLM\SOFTWARE\VirTime\HTL1.4.0\RegKey SUCCESS "NOKEY"　（註冊碼）

　　我想它會不會是啟動時讀取這兩個鍵值並正確與否，來判斷它是否為註冊版，後經我反彙編分析，證實了我的猜測（分析過程略）
　　
　　二、開啟 REGEDIT ，把這兩個鍵值分別改為 "killer" and "" 6789543267895432678954326789543267895432
　　三、用trw中搜尋字串，然後用bpm攔後跟蹤。
四、程式碼分析如下：
//******************** Program Entry Point ********
:004630EC 55 push ebp
:004630ED 8BEC mov ebp, esp
:004630EF 83C4F4 add esp, FFFFFFF4
:004630F2 B8642F4600 mov eax, 00462F64
:004630F7 E8042FFAFF call 00406000
:004630FC A138574600 mov eax, dword ptr [00465738]
:00463101 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"HTMLock"
|
:00463103 BA6C314600 mov edx, 0046316C
:00463108 E81B18FEFF call 00444928
:0046310D E896DEFFFF call 00460FA8 //F8 跟進看一看
:00463112 84C0 test al, al
:00463114 7446 je 0046315C

***************
* Referenced by a CALL at Address:
|:0046310D
|
:00460FA8 55 push ebp
:00460FA9 8BEC mov ebp, esp
:00460FAB 6A00 push 00000000
:00460FAD 6A00 push 00000000
:00460FAF 6A00 push 00000000

...

F10直到

...

:0046102A B9C8104600 mov ecx, 004610C8
:0046102F 8B15E8684600 mov edx, dword ptr [004668E8]
:00461035 E85E2CFAFF call 00403C98
:0046103A C605F068460000 mov byte ptr [004668F0], 00
:00461041 C6050869460000 mov byte ptr [00466908], 00
:00461048 E87FFDFFFF call 00460DCC
:0046104D 8B15F4684600 mov edx, dword ptr [004668F4]
:00461053 A1F8684600 mov eax, dword ptr [004668F8]
:00461058 E827EBFFFF call 0045FB84 //D EAX=假註冊碼D EDX=假的註冊名。
(F8 跟進看一看)

********
* Referenced by a CALL at Addresses:
|:004609C3 , :00460A3F , :00460C82 , :00461058
|
:0045FB84 55 push ebp
:0045FB85 8BEC mov ebp, esp
:0045FB87 83C4F8 add esp, FFFFFFF8
:0045FB8A 53 push ebx
:0045FB8B 56 push esi
:0045FB8C 33C9 xor ecx, ecx
:0045FB8E 894DF8 mov dword ptr [ebp-08], ecx
:0045FB91 8BDA mov ebx, edx
:0045FB93 8BF0 mov esi, eax
:0045FB95 33C0 xor eax, eax
:0045FB97 55 push ebp
:0045FB98 681EFC4500 push 0045FC1E
:0045FB9D 64FF30 push dword ptr fs:[eax]
:0045FBA0 648920 mov dword ptr fs:[eax], esp
:0045FBA3 C645FF00 mov [ebp-01], 00
:0045FBA7 8BC3 mov eax, ebx
:0045FBA9 E89E40FAFF call 00403C4C
:0045FBAE 83F802 cmp eax, 00000002 /名字是否小於2位

:0045FBB1 7C55 jl 0045FC08 /:0045FBB3//是則跳至末註冊
8BC6 mov eax, esi
:0045FBB5 E89240FAFF call 00403C4C
:0045FBBA 83F824 cmp eax, 00000024 //註冊碼是否小於36位
:0045FBBD 7C49 jl 0045FC08 //是則跳至末註冊
:0045FBBF 33DB xor ebx, ebx
:0045FBC1 8BC6 mov eax, esi
:0045FBC3 E88440FAFF call 00403C4C
:0045FBC8 83E802 sub eax, 00000002
:0045FBCB 85C0 test eax, eax
:0045FBCD 7E0F jle 0045FBDE
:0045FBCF BA01000000 mov edx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBDC(C)
|
:0045FBD4 8A4C16FF mov cl, byte ptr [esi+edx-01]----- 此程式碼段，將註冊碼除最後兩
:0045FBD8 02D9 add bl, cl *位以外，相加。和的末兩位存入bl.
:0045FBDA 42 inc edx *此時我的和為7F
:0045FBDB 48 dec eax *
:0045FBDC 75F6 jne 0045FBD4 --------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBCD(C)
|
:0045FBDE 33C0 xor eax, eax
:0045FBE0 8AC3 mov al, bl
:0045FBE2 33D2 xor edx, edx
:0045FBE4 52 push edx
:0045FBE5 50 push eax
:0045FBE6 8D45F8 lea eax, dword ptr [ebp-08]
:0045FBE9 E85AFEFFFF call 0045FA48
:0045FBEE 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBF1 8A400E mov al, byte ptr [eax+0E]
:0045FBF4 3A4622 cmp al, byte ptr [esi+22] 　 //比較第35位（比較是否為 "e " )
:0045FBF7 750F jne 0045FC08 　　　　　　不相等則跳至末註冊
:0045FBF9 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBFC 8A400F mov al, byte ptr [eax+0F]
:0045FBFF 3A4623 cmp al, byte ptr [esi+23]　　 //比較第36位（比較是否為"o" )
:0045FC02 7504 jne 0045FC08 　　　　　　//不相等則跳至末註冊
:0045FC04 C645FF01 mov [ebp-01], 01 //程式走到這裡就可以註冊成功了

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045FBB1(C), :0045FBBD(C), :0045FBF7(C), :0045FC02(C)
|
:0045FC08 33C0 xor eax, eax
:0045FC0A 5A pop edx

*****

:0046312E E8BDDAFFFF call 00460BF0
:00463133 84C0 test al, al
:00463135 7514 jne 0046314B
:00463137 8B1570554600 mov edx, dword ptr [00465570]
:0046313D 8B12 mov edx, dword ptr [edx]
:0046313F A170554600 mov eax, dword ptr [00465570]
:00463144 8B00 mov eax, dword ptr [eax]
:00463146 E885F7FFFF call 004628D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463135(C)
|
:0046314B A138574600 mov eax, dword ptr [00465738]
:00463150 8B00 mov eax, dword ptr [eax]
:00463152 E8351CFEFF call 00444D8C //彈出軟體執行介面
那麼把regkey改為:6789543267895432678954326789543267eo5432應該可以了吧。
但是執行完還是未註冊。這時變為

　:0045FBF4 3A4622 cmp al, byte ptr [esi+22] 　 //比較第35位（比較是否為 "M" )
:0045FBF7 750F jne 0045FC08 　　　　　　 // 不相等則跳至末註冊
:0045FBF9 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBFC 8A400F mov al, byte ptr [eax+0F]
:0045FBFF 3A4623 cmp al, byte ptr [esi+23]　　 //比較第36位（比較是否為"u" )
:0045FC02 7504 jne 0045FC08 　　　　　　//不相等則跳至末註冊
:0045FC04 C645FF01 mov [ebp-01], 01 //程式走到這裡就可以註冊成功了

原來是bl中註冊碼和為指引，提取字串“HACKERYouMUSTDie”(哈哈，我好怕怕啊，難道有下什麼套？)的字母，與35位及36位的註冊碼進行比較。但其實也很簡單，令註冊碼的和仍為7F且
35，36位為e,o就可註冊成功。如下：
regname:killer
regkey: 6789543267895432678954326789543267eoMP5432
就可顯示註冊給killer了。
哈哈 so easy!!
但執行對檔案加密，卻跳出提示框“你的檔案超過4kb,請註冊你的軟體”。嗚嗚，無法使用。是不是我高興的太早了？是不是我MUST Die?
Can u help me ?

VirTime HTMLock V1.4.0 pj之溫柔篇

相關文章