|
 | 作者: yongmin [yongmin]
 论坛用户 |
登录 |
| QUOTE: 【文章标题】: AD Popup Killer 2.1 解析 【文章作者】: KuNgBiM 【作者邮箱】: kungbim@163.com 【作者主页】: http://www.crkcn.com 【作者QQ号】: N/A 【软件名称】: AD Popup Killer 2.1 【软件大小】: 156KB 【下载地址】: 论坛附件下载 【加壳方式】: N/A 【保护方式】: 注册码 【编写语言】: Microsoft Visual C++ 6.0 【使用工具】: OD 【操作平台】: 盗版XP 【软件介绍】: 保护IE不受广告捆扰! 【作者声明】: 只是感兴趣,体验一下kanxue文章书写器,没有其他目的。失误之处敬请诸位大侠赐教! -------------------------------------------------------------------------------- 【详细过程】 程序无壳,OD载入,使用字符串搜索: 0040B990 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; 搜索字符串来到这里 0040B996 . 6A FF push -1 0040B998 . 68 C8F94000 push 0040F9C8 0040B99D . 50 push eax 0040B99E . 64:8925 00000>mov dword ptr fs:[0], esp 0040B9A5 . 83EC 08 sub esp, 8 0040B9A8 . 56 push esi 0040B9A9 . 57 push edi 0040B9AA . 8BF1 mov esi, ecx 0040B9AC . 6A 01 push 1 0040B9AE . E8 DF280000 call <jmp.&MFC42.#6334_CWnd::UpdateDa> 0040B9B3 . 8B86 E4000000 mov eax, dword ptr [esi+E4] ; 试炼码入EAX,ASCII "9999999999" 0040B9B9 . 8DBE E4000000 lea edi, dword ptr [esi+E4] 0040B9BF . 8B48 F8 mov ecx, dword ptr [eax-8] ; 计算试炼码长度 ds:[00383EA0]=0000000A 0040B9C2 . 85C9 test ecx, ecx 0040B9C4 . 75 24 jnz short 0040B9EA ; 注册码长度大于零合法,跳! 0040B9C6 . 6A 00 push 0 0040B9C8 . 68 AC624100 push 004162AC ; AD Popup Killer 0040B9CD . 68 186A4100 push 00416A18 ; Please input the SN of AD Popup Killer. 0040B9D2 . 8BCE mov ecx, esi 0040B9D4 . E8 31290000 call <jmp.&MFC42.#4224_CWnd::MessageB> 0040B9D9 . 8B4C24 10 mov ecx, dword ptr [esp+10] 0040B9DD . 64:890D 00000>mov dword ptr fs:[0], ecx 0040B9E4 . 5F pop edi 0040B9E5 . 5E pop esi 0040B9E6 . 83C4 14 add esp, 14 0040B9E9 . C3 retn 0040B9EA > 8B8E E0000000 mov ecx, dword ptr [esi+E0] ; 用户名入ECX,ASCII "KuNgBiM" 0040B9F0 . 8B41 F8 mov eax, dword ptr [ecx-8] ; 计算用户名长度 ds:[00383E50]=00000007 0040B9F3 . 85C0 test eax, eax 0040B9F5 . 75 24 jnz short 0040BA1B ; 用户名长度大于零合法,跳! 0040B9F7 . 6A 00 push 0 0040B9F9 . 68 AC624100 push 004162AC ; AD Popup Killer 0040B9FE . 68 006A4100 push 00416A00 ; Please input your name. 0040BA03 . 8BCE mov ecx, esi 0040BA05 . E8 00290000 call <jmp.&MFC42.#4224_CWnd::MessageB> 0040BA0A . 8B4C24 10 mov ecx, dword ptr [esp+10] 0040BA0E . 64:890D 00000>mov dword ptr fs:[0], ecx 0040BA15 . 5F pop edi 0040BA16 . 5E pop esi 0040BA17 . 83C4 14 add esp, 14 0040BA1A . C3 retn 0040BA1B > 8D4C24 08 lea ecx, dword ptr [esp+8] 0040BA1F . E8 06270000 call <jmp.&MFC42.#540_CString::CStrin> 0040BA24 . 68 7C604100 push 0041607C ; bsoft 0040BA29 . 8D4C24 0C lea ecx, dword ptr [esp+C] 0040BA2D . C74424 1C 000>mov dword ptr [esp+1C], 0 0040BA35 . E8 06CFFFFF call 00408940 0040BA3A . 51 push ecx 0040BA3B . 8BCC mov ecx, esp 0040BA3D . 896424 10 mov dword ptr [esp+10], esp 0040BA41 . 57 push edi 0040BA42 . E8 B5270000 call <jmp.&MFC42.#535_CString::CStrin> 0040BA47 . E8 54090000 call 0040C3A0 ; 算法CALL,跟进! 0040BA4C . 83C4 04 add esp, 4 0040BA4F . 85C0 test eax, eax 0040BA51 . 74 61 je short 0040BAB4 0040BA53 . 8B3F mov edi, dword ptr [edi] ; 写入试炼码 0040BA55 . 8D4C24 08 lea ecx, dword ptr [esp+8] 0040BA59 . 57 push edi 0040BA5A . 68 C0604100 push 004160C0 ; passw 0040BA5F . 68 6C604100 push 0041606C ; registe 0040BA64 . E8 57D2FFFF call 00408CC0 0040BA69 . 8B86 E0000000 mov eax, dword ptr [esi+E0] ; 写入用户名 0040BA6F . 8D4C24 08 lea ecx, dword ptr [esp+8] 0040BA73 . 50 push eax 0040BA74 . 68 74604100 push 00416074 ; user 0040BA79 . 68 6C604100 push 0041606C ; registe 0040BA7E . E8 3DD2FFFF call 00408CC0 0040BA83 . 6A 01 push 1 0040BA85 . 68 B8604100 push 004160B8 ; breg 0040BA8A . 68 6C604100 push 0041606C ; registe 0040BA8F . 8D4C24 14 lea ecx, dword ptr [esp+14] 0040BA93 . E8 D8D1FFFF call 00408C70 0040BA98 . 6A 00 push 0 0040BA9A . 68 AC624100 push 004162AC ; AD Popup Killer 0040BA9F . 68 E8694100 push 004169E8 ; Register Successfully! 0040BAA4 . 8BCE mov ecx, esi 0040BAA6 . E8 5F280000 call <jmp.&MFC42.#4224_CWnd::MessageB> 0040BAAB . 8BCE mov ecx, esi 0040BAAD . E8 3A250000 call <jmp.&MFC42.#4853_CDialog::OnOK> 0040BAB2 . EB 13 jmp short 0040BAC7 0040BAB4 > 6A 00 push 0 0040BAB6 . 68 AC624100 push 004162AC ; AD Popup Killer 0040BABB . 68 C4694100 push 004169C4 ; Please make sure your SN is valid. 0040BAC0 . 8BCE mov ecx, esi 0040BAC2 . E8 43280000 call <jmp.&MFC42.#4224_CWnd::MessageB> 0040BAC7 > 8D4C24 08 lea ecx, dword ptr [esp+8] 0040BACB . C74424 18 FFF>mov dword ptr [esp+18], -1 0040BAD3 . E8 46260000 call <jmp.&MFC42.#800_CString::~CStri> 0040BAD8 . 8B4C24 10 mov ecx, dword ptr [esp+10] 0040BADC . 5F pop edi 0040BADD . 64:890D 00000>mov dword ptr fs:[0], ecx 0040BAE4 . 5E pop esi 0040BAE5 . 83C4 14 add esp, 14 0040BAE8 . C3 retn 跟进0040BA47: 0040C3A0 /$ 6A FF push -1 ; 跟进到这里 0040C3A2 |. 68 E0FA4000 push 0040FAE0 ; SE 处理程序安装 0040C3A7 |. 64:A1 0000000>mov eax, dword ptr fs:[0] 0040C3AD |. 50 push eax 0040C3AE |. 64:8925 00000>mov dword ptr fs:[0], esp 0040C3B5 |. 83EC 0C sub esp, 0C 0040C3B8 |. 53 push ebx 0040C3B9 |. 55 push ebp 0040C3BA |. 56 push esi 0040C3BB |. 57 push edi 0040C3BC |. 8D4424 10 lea eax, dword ptr [esp+10] 0040C3C0 |. 6A 08 push 8 0040C3C2 |. 50 push eax 0040C3C3 |. 8D4C24 34 lea ecx, dword ptr [esp+34] 0040C3C7 |. C74424 2C 000>mov dword ptr [esp+2C], 0 0040C3CF |. E8 2A1F0000 call <jmp.&MFC42.#4129_CString:eft> 0040C3D4 |. 8B7424 10 mov esi, dword ptr [esp+10] 0040C3D8 |. 8D4C24 14 lea ecx, dword ptr [esp+14] 0040C3DC |. 33C0 xor eax, eax 0040C3DE |. 2BF1 sub esi, ecx 0040C3E0 |> 8D4C04 14 /lea ecx, dword ptr [esp+eax+14] 0040C3E4 |. 40 |inc eax ; 计算下一位 0040C3E5 |. 83F8 08 |cmp eax, 8 ; 是否计算了8位? 0040C3E8 |. 8A140E |mov dl, byte ptr [esi+ecx] 0040C3EB |. 8811 |mov byte ptr [ecx], dl ; 试炼码变换 ; dl=39 ('9') ; 堆栈 ds:[0012F0C0]=7C ('|') ; dl=39 ('9') ; 堆栈 ds:[0012F0C1]=60 ('`') ; dl=39 ('9') ; 堆栈 ds:[0012F0C2]=41 ('A') ; dl=39 ('9') ; 堆栈 ds:[0012F0C3]=00 ; dl=39 ('9') ; 堆栈 ds:[0012F0C4]=AE ('?) ; dl=39 ('9') ; 堆栈 ds:[0012F0C5]=43 ('C') ; dl=39 ('9') ; 堆栈 ds:[0012F0C6]=D3 ('?) ; dl=39 ('9') ; 堆栈 ds:[0012F0C7]=73 ('s') 0040C3ED |.^ 7C F1 \jl short 0040C3E0 0040C3EF |. 0FBE7424 15 movsx esi, byte ptr [esp+15] 0040C3F4 |. 0FBE6C24 14 movsx ebp, byte ptr [esp+14] 0040C3F9 |. 0FBE7C24 18 movsx edi, byte ptr [esp+18] 0040C3FE |. 8D0C2E lea ecx, dword ptr [esi+ebp] 0040C401 |. B8 56555555 mov eax, 55555556 ; 地址=72 0040C406 |. 03CF add ecx, edi ; EDI加ECX,edi=39,ecx=72 0040C408 |. F7E9 imul ecx ; 相加后的值送入ECX,ecx=AB 0040C40A |. 0FBE5C24 16 movsx ebx, byte ptr [esp+16] 0040C40F |. 8BC2 mov eax, edx ; EDX送给EAX,edx=39,eax=72 0040C411 |. C1E8 1F shr eax, 1F ; EAX逻辑右移1F 0040C414 |. 03D0 add edx, eax ; EAX加EDX 0040C416 |. 3BDA cmp ebx, edx 0040C418 |. 0F85 8E000000 jnz 0040C4AC 0040C41E |. 0FBE4C24 17 movsx ecx, byte ptr [esp+17] ; 取出ECX值,ecx=AB 0040C423 |. 8D043B lea eax, dword ptr [ebx+edi] ; 地址=72 0040C426 |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去 0040C427 |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72 0040C429 |. D1F8 sar eax, 1 ; EAX算术右移1 0040C42B |. 3BC8 cmp ecx, eax 0040C42D |. 75 7D jnz short 0040C4AC 0040C42F |. 8A5C24 19 mov bl, byte ptr [esp+19] ; bl=39 ('9') 0040C433 |. 8D042E lea eax, dword ptr [esi+ebp] ; 地址=72 0040C436 |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去 0040C437 |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72 0040C439 |. 0FBED3 movsx edx, bl ; BL先符号扩展,再传送EDX 0040C43C |. D1F8 sar eax, 1 ; EAX算术右移1 0040C43E |. 3BD0 cmp edx, eax 0040C440 |. 75 6A jnz short 0040C4AC 0040C442 |. 8A4C24 1B mov cl, byte ptr [esp+1B] ; cl=39 ('9') 0040C446 |. 0FBEC1 movsx eax, cl ; CL先符号扩展,再传送EAX 0040C449 |. 03C6 add eax, esi ; ESI加EAX,esi=39,eax=39 0040C44B |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去 0040C44C |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72 0040C44E |. 0FBE5424 1A movsx edx, byte ptr [esp+1A] 0040C453 |. D1F8 sar eax, 1 ; EAX算术右移1,eax=72 0040C455 |. 3BD0 cmp edx, eax 0040C457 |. 75 53 jnz short 0040C4AC 0040C459 |. 8A4424 15 mov al, byte ptr [esp+15] ; al=39 ('9') 0040C45D |. 8A5424 14 mov dl, byte ptr [esp+14] ; dl=39 ('9') 0040C461 |. 3AD0 cmp dl, al ; al与dl值不能相等 0040C463 |. 74 47 je short 0040C4AC ; 这里不能跳!爆破点A 0040C465 |. 8A5424 18 mov dl, byte ptr [esp+18] 0040C469 |. 8A4424 16 mov al, byte ptr [esp+16] 0040C46D |. 3AC2 cmp al, dl ; dl与al值不能相等 0040C46F |. 74 3B je short 0040C4AC ; 再次比较,这里不能跳!爆破点B 0040C471 |. 3AD9 cmp bl, cl ; cl与bl值不能相等 0040C473 |. 74 37 je short 0040C4AC ; 再次比较,这里不能跳!爆破点C 0040C475 |. 8D4C24 10 lea ecx, dword ptr [esp+10] 0040C479 |. C64424 24 00 mov byte ptr [esp+24], 0 0040C47E |. E8 9B1C0000 call <jmp.&MFC42.#800_CString::~CStri> 0040C483 |. 8D4C24 2C lea ecx, dword ptr [esp+2C] 0040C487 |. C74424 24 FFF>mov dword ptr [esp+24], -1 0040C48F |. E8 8A1C0000 call <jmp.&MFC42.#800_CString::~CStri> 0040C494 |. 5F pop edi 0040C495 |. 5E pop esi 0040C496 |. 5D pop ebp 0040C497 |. B8 01000000 mov eax, 1 0040C49C |. 5B pop ebx 0040C49D |. 8B4C24 0C mov ecx, dword ptr [esp+C] 0040C4A1 |. 64:890D 00000>mov dword ptr fs:[0], ecx 0040C4A8 |. 83C4 18 add esp, 18 0040C4AB |. C3 retn -------------------------------------------------------------------------------- 【经验总结】 不知道写什么好,凑合看吧! -------------------------------------------------------------------------------- 【版权声明】: 本文原创于看雪技术、UnPacKcN Security 论坛, 转载请注明作者并保持文章的完整, 谢谢! |
| 地主 发表时间: 07-02-14 09:48 |
 | 回复: jhkdiy [jhkdiy]  版主 |
登录 |
 |
| B1层 发表时间: 07-02-14 19:39 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 编程破解
标题: [转帖]ADPopupKiller2.1解析