木馬克星1120 完整演算法分析(高手勿進)

看雪資料發表於2015-11-15

軟體介紹: 
軟體名稱:木馬克星(iparmor) 
整理日期:2003.11.20
最新版本:1120
檔案大小:2.5M
軟體授權:共享軟體 
使用平臺:Win9x/Me/NT/2000 
釋出公司:http://www.luosoft.com/ 
軟體簡介: 
  可以查殺5021種國際木馬,112種電子郵件木馬,保證查殺冰河類檔案關聯木馬,oicq類寄生木馬,icmp類幽靈木馬,網路神偷類反彈木馬。內建木馬防火牆,任何駭客試圖與本機建立連線,都需要Iparmor 確認,不僅可以查殺木馬,更可以查駭客。 
下載地址:http://www.luosoft.com/downcn.htm


使用者名稱  :leozem[YCG]
假序列號:8792492
真序列號:493756985

----------------------------破解人:leozem[YCG],轉貼請註名出處.

工具:ollydbg   pw32dasmgold
首先用PW32開啟木馬克星
字串參考“軟體已經被成功註冊”,雙擊
然後再用OD開啟木馬克星

:00568447 E8742EEAFF              call 0040B2C0
:0056844C 8B55FC                  mov edxdword ptr [ebp-04]----註冊名進EDX
:0056844F 8BC6                    mov eaxesi
:00568451 E8C6E3EDFF              call 0044681C
:00568456 8D55F0                  lea edxdword ptr [ebp-10]
:00568459 8BB3D8020000            mov esidword ptr [ebx+000002D8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005683EA(C)
|
:0056845F 8BC6                    mov eaxesi
:00568461 E876E3EDFF              call 004467DC
:00568466 8B45F0                  mov eaxdword ptr [ebp-10]-----序列號進EAX
:00568469 8D55F4                  lea edxdword ptr [ebp-0C]
:0056846C E84F2EEAFF              call 0040B2C0
:00568471 8B55F4                  mov edxdword ptr [ebp-0C]
:00568474 8BC6                    mov eaxesi
:00568476 E8A1E3EDFF              call 0044681C
:0056847B 8D95E8FEFFFF            lea edxdword ptr [ebp+FFFFFEE8]
:00568481 8B83E0020000            mov eaxdword ptr [ebx+000002E0]
:00568487 E850E3EDFF              call 004467DC
:0056848C 8B85E8FEFFFF            mov eaxdword ptr [ebp+FFFFFEE8]
:00568492 8D95ECFEFFFF            lea edxdword ptr [ebp+FFFFFEEC]
:00568498 E8072BEAFF              call 0040AFA4-----小寫變大寫
:0056849D 8B95ECFEFFFF            mov edxdword ptr [ebp+FFFFFEEC]
:005684A3 8D85F0FEFFFF            lea eaxdword ptr [ebp+FFFFFEF0]
:005684A9 B9FF000000              mov ecx, 000000FF
:005684AE E8CDC6E9FF              call 00404B80
:005684B3 8D95F0FEFFFF            lea edxdword ptr [ebp+FFFFFEF0]
:005684B9 8B83D0020000            mov eaxdword ptr [ebx+000002D0]
:005684BF E848BFF1FF              call 0048440C-----生成關鍵碼的CALL,F7追入得關鍵數1D6E1D4F
:005684C4 8D95E4FEFFFF            lea edxdword ptr [ebp+FFFFFEE4]
:005684CA 8B83D8020000            mov eaxdword ptr [ebx+000002D8]
:005684D0 E807E3EDFF              call 004467DC
:005684D5 8B85E4FEFFFF            mov eaxdword ptr [ebp+FFFFFEE4]
:005684DB 50                      push eax
:005684DC 8B83D0020000            mov eaxdword ptr [ebx+000002D0]
:005684E2 8B8024020000            mov eaxdword ptr [eax+00000224]
:005684E8 05EA040000              add eax, 000004EA----EAX=1D6E1D4F+4EA=1D6E2239
:005684ED 99                      cdq
:005684EE 33C2                    xor eaxedx
:005684F0 2BC2                    sub eaxedx-------求絕對值
:005684F2 8D95E0FEFFFF            lea edxdword ptr [ebp+FFFFFEE0]
:005684F8 E83F30EAFF              call 0040B53C----將1D6E2239轉成十進位制
:005684FD 8B95E0FEFFFF            mov edxdword ptr [ebp+FFFFFEE0]----EDX=493756985(註冊碼)
:00568503 58                      pop eax-------假碼出賤
:00568504 E8ABC7E9FF              call 00404CB4---比較註冊碼的CALL,再追
:00568509 0F85E5000000            jne 005685F4----關鍵跳轉
:0056850F 6A00                    push 00000000
:00568511 8D85DCFEFFFF            lea eaxdword ptr [ebp+FFFFFEDC]
:00568517 50                      push eax
:00568518 8D95D8FEFFFF            lea edxdword ptr [ebp+FFFFFED8]
.......
.......
* Possible StringData Ref from Code Obj ->"註冊成功"
                                  |
:005685A0 B8CC865600              mov eax, 005686CC
:005685A5 E81A84F0FF              call 004709C4
:005685AA EB0A                    jmp 005685B6
........
........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00568509(C)
|
:005685F4 803D1DB7590000          cmp byte ptr [0059B71D], 00
:005685FB 740C                    je 00568609
* Possible StringData Ref from Code Obj ->"註冊失敗!"
                                  |
:005685FD B80C875600              mov eax, 0056870C
:00568602 E8BD83F0FF              call 004709C4
:00568607 EB0A                    jmp 00568613

以下是演算法部分
*****************************從005684BF追入***************************
|
:0048440C 53                      push ebx
:0048440D 56                      push esi
:0048440E 57                      push edi
:0048440F 81C400FFFFFF            add esp, FFFFFF00
:00484415 8BF2                    mov esiedx
:00484417 8D3C24                  lea edidword ptr [esp]
:0048441A 33C9                    xor ecxecx
:0048441C 8A0E                    mov clbyte ptr [esi]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484433(U)
|
:0048444C 8BC3                    mov eaxebx
:0048444E E805010000              call 00484558-------再F7追入
:00484453 81C400010000            add esp, 00000100
:00484459 5F                      pop edi
:0048445A 5E                      pop esi
:0048445B 5B                      pop ebx

*****************************從00484453追入******************************
:00484558 53                      push ebx
:00484559 83C4B8                  add esp, FFFFFFB8
:0048455C 8BD8                    mov ebxeax
:0048455E 33C0                    xor eaxeax
:00484560 8A4324                  mov albyte ptr [ebx+24]
:00484563 40                      inc eax
:00484564 83F846                  cmp eax, 00000046----註冊名位數和70比較
:00484567 7F0B                    jg 00484574--大於或等於70就跳到484574
:00484569 C64403242A              mov [ebx+eax+24], 2A--小於70位用*(2A)補上
:0048456E 40                      inc eax---位數加1
:0048456F 83F847                  cmp eax, 00000047------和71比較
:00484572 75F5                    jne 00484569-----不等繼續迴圈
:00484578 8A4C0324                mov clbyte ptr [ebx+eax+24]
:0048457C 880A                    mov byte ptr [edx], cl
:0048457E 40                      inc eax
:0048457F 42                      inc edx
:00484580 83F847                  cmp eax, 00000047
:00484583 75F3                    jne 00484578
:00484585 8BCC                    mov ecxesp
:00484587 8B932C020000            mov edxdword ptr [ebx+0000022C]
:0048458D 8BC3                    mov eaxebx
:0048458F E87CFFFFFF              call 00484510----再F7跟入
:00484594 898324020000            mov dword ptr [ebx+00000224], eax
:0048459A 33C0                    xor eaxeax
:0048459C 8A8324010000            mov albyte ptr [ebx+00000124]
:004845A2 40                      inc eax
:004845A3 83F846                  cmp eax, 00000046
*****************************從00484510追入******************************

:00484510 53                      push ebx
:00484511 56                      push esi
:00484512 57                      push edi
:00484513 83C4B8                  add esp, FFFFFFB8
:00484516 8BF1                    mov esiecx
:00484518 8D3C24                  lea edidword ptr [esp]
:0048451B B911000000              mov ecx, 00000011
:00484520 F3                      repz---將註冊名位數OB放在註冊名前
:00484521 A5                      movsd
:00484522 66A5                    movsw
:00484524 A4                      movsb
:00484525 B147                    mov cl, 47
:00484527 8BC4                    mov eaxesp------BLEOZEM[YCG],B為註冊名位數11
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048454D(C)
|
:00484529 8BDA                    mov ebxedx---EBX=EDX=EFCA99(羅建斌給的)
:0048452B C1EB08                  shr ebx, 08-----EBX=EFCA
:0048452E 81E3FFFFFF00            and ebx, 00FFFFFF----EBX=EFCA AND FFFFFF=EFCA
:00484534 0FB630                  movzx esibyte ptr [eax]---迴圈取變化後註冊名(字元)的ASCALL碼進ESI
變化後註冊名等於BLEOZEM[YCG]*******************共71位,第1位是輸入的註冊名的長度,後面用*補足.
:00484537 33D6                    xor edxesi-----EDX=EDX XOR ESI=EFCA99 XOR B=EFCA92
:00484539 81E2FF000000            and edx, 000000FF----EDX=92
:0048453F 8B149530F05700          mov edxdword ptr [4*edx+0057F030]--根據EDX取下面的數,共256個.
:00484546 33DA                    xor ebxedx---EBX=EFCA XOR 1E01F268=1E011DA2
:00484548 8BD3                    mov edxebx---EDX=1E011DA2
:0048454A 40                      inc eax-------EAX=EAX+1
:0048454B FEC9                    dec cl--------CL=CL-1
:0048454D 75DA                    jne 00484529---CL不等0就繼續迴圈
:0048454F 8BC2                    mov eaxedx-------EAX=1D6E1D4F(關鍵數)
:00484551 83C448                  add esp, 00000048
:00484554 5F                      pop edi
:00484555 5E                      pop esi
:00484556 5B                      pop ebx
:00484557 C3                      ret
:004845A6 7F0E                    jg 004845B6
-----------------------------讓0048453F中EDX取的數------------------
77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832 
79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 00000000 
6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856 
646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8 
4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA 
42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC 
51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E 
5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190 
01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2 
0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4 
1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6 
12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158 
3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A 
346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C 
270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E 
29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320 
9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12 
94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344 
8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76 
89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8 
A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA 
AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C 
BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE 
B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0 
EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82 
E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4 
F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6 
FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278 
D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A 
D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C
CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E 
C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D 004C3E50 
----------------------------------------------------------------------------

以下是比較註冊碼部分:
******************************從00568504追入*******************************
:00404CB4 53                      push ebx
:00404CB5 56                      push esi
:00404CB6 57                      push edi
:00404CB7 89C6                    mov esieax-----假碼進ESI
:00404CB9 89D7                    mov ediedx-----真碼進EDI
:00404CBB 39D0                    cmp eaxedx-----比較真假碼的地址是不是一樣
:00404CBD 0F848F000000            je 00404D52-----一樣就玩完
:00404CC3 85F6                    test esiesi----假碼是否存在
:00404CC5 7468                    je 00404D2F------不存在就玩完
:00404CC7 85FF                    test ediedi----真碼是否存在
:00404CC9 746B                    je 00404D36------不存在就玩完
:00404CCB 8B46FC                  mov eaxdword ptr [esi-04]--假碼位數進EAX
:00404CCE 8B57FC                  mov edxdword ptr [edi-04]--真碼位樹進EDX
:00404CD1 29D0                    sub eaxedx----真減假
:00404CD3 7702                    ja 00404CD7-----真大於假則跳
:00404CD5 01C2                    add edxeax----假碼位數進EDX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CD3(C)
|
:00404CD7 52                      push edx-------假碼位數進見
:00404CD8 C1EA02                  shr edx, 02----假碼位數右移兩位
:00404CDB 7426                    je 00404D03----小於或等於則跳

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CF9(C)
|
:00404CDD 8B0E                    mov ecxdword ptr [esi]----取假碼的ASCII碼的前4位進ECX
:00404CDF 8B1F                    mov ebxdword ptr [edi]----取真碼的ASCII碼的前4位進EDX
:00404CE1 39D9                    cmp ecxebx-------比較真假ASCII碼
:00404CE3 7558                    jne 00404D3D-------不等則跳
:00404CE5 4A                      dec edx--------真碼位數減1
:00404CE6 7415                    je 00404CFD-----等0則跳
:00404CE8 8B4E04                  mov ecxdword ptr [esi+04]---取假碼的ASCII碼的5到8位進ECX
:00404CEB 8B5F04                  mov ebxdword ptr [edi+04]---取真碼的ASCII碼的5到8位進EDX
:00404CEE 39D9                    cmp ecxebx-------比較真假ASCII碼
:00404CF0 754B                    jne 00404D3D-------不等則跳
:00404CF2 83C608                  add esi, 00000008----ESI指向假碼第九位
:00404CF5 83C708                  add edi, 00000008----EDI指向真碼第九位
:00404CF8 4A                      dec edx------EDX減1
:00404CF9 75E2                    jne 00404CDD------不等0跳上去再比
:00404CFB EB06                    jmp 00404D03------等0跳下去

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CE6(C)
|
:00404CFD 83C604                  add esi, 00000004
:00404D00 83C704                  add edi, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404CDB(C), :00404CFB(U)
|
:00404D03 5A                      pop edx------假碼位數出賤
:00404D04 83E203                  and edx, 00000003----EDX=9 AND 3=1
:00404D07 7422                    je 00404D2B------等0則跳
:00404D09 8B0E                    mov ecxdword ptr [esi]----最後一位假碼的ASCII進ECX
:00404D0B 8B1F                    mov ebxdword ptr [edi]----最後一位真碼的ASCII進EBX
:00404D0D 38D9                    cmp clbl------比較CL與BL
:00404D0F 7541                    jne 00404D52----不等則玩完
:00404D11 4A                      dec edx---------EDX減1
:00404D12 7417                    je 00404D2B------等於0就註冊正確了
---------------------------破解人:leozem[YCG],轉貼請註名出處.-------------------------------

相關文章