【破解作者】 kyc
【使用工具】 ollydbg
【破解平台】 Win2003
【软件名称】 Windows信使群发器 5.0
http://www.cnysoft.com/software/nsm/
【软件大小】 812KB
【软件简介】 Windows信使群发器,取了多线程设计,超大广告量,无需软件支持,操作简易
【加壳方式】 ASPack 2.12 -> Alexey Solodovnikov
【破解声明】 本破解纯以学习和交流为目的,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
今日上网有位网友提供一款Windows信使群发器 5.0软件,我一时兴起开始对她开刀。
没想到,ASP壳脱完一运行就无影无踪。偶大怒开始带壳强暴她。。。
这个软件一定是使用了自校验,脱壳文件若在软件根目录运行原始文件就把脱壳文件进行处理让
他变成非PE格式的文件,软件的注册码保存在Software\Extice\NetSendMsg
利用注册表RegQueryValueExA下断失败,利用CREATEFILE失败。
怎么办突然想起了SearchPath函数查找当前目录的文件路径函数。
DWORD SearchPath(
LPCTSTR lpPath, // address of search path
LPCTSTR lpFileName, // address of filename
LPCTSTR lpExtension, // address of extension
DWORD nBufferLength, // size, in characters, of buffer
LPTSTR lpBuffer, // address of buffer for found filename
LPTSTR *lpFilePart // address of pointer to file component
);
OLD载入带壳文件BPX SearchPath F9
按几次F8就来到
00406F02 |. 68 16CB4400 push NetSendM.0044CB16 ; SE handler installation
00406F07 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00406F0D |. 50 push eax
00406F0E |. 64:8925 00000000 mov dword ptr fs:[0],esp
00406F15 |. 81EC 18010000 sub esp,118
00406F1B |. A1 7C5A4600 mov eax,dword ptr ds:[465A7C]
00406F20 |. 56 push esi
00406F21 |. 57 push edi
00406F22 |. 50 push eax ; /<%s> => "DEKJLNJKLMNO" *** 机器码
00406F23 |. 8BF9 mov edi,ecx ; |
00406F25 |. 8D8C24 A4000000 lea ecx,dword ptr ss:[esp+A4] ; |
00406F2C |. 68 AC084600 push NetSendM.004608AC ; |Format = "NSM%s"
00406F31 |. 51 push ecx ; |s
00406F32 |. FF15 38F64400 call dword ptr ds:[44F638] ; \wsprintfA
00406F38 |. 83C4 0C add esp,0C
00406F3B |. 8D9424 A0000000 lea edx,dword ptr ss:[esp+A0]
00406F42 |. 52 push edx ; /Arg2
00406F43 |. 8D4424 14 lea eax,dword ptr ss:[esp+14] ; |
00406F47 |. 8DB7 28080000 lea esi,dword ptr ds:[edi+828] ; |
00406F4D |. 50 push eax ; |Arg1
00406F4E |. 8BCE mov ecx,esi ; |
00406F50 |. E8 3BB6FFFF call NetSendM.00402590 ; \NetSendM.00402590
00406F55 |. 8B00 mov eax,dword ptr ds:[eax]
00406F57 |. 50 push eax ; /String2
00406F58 |. 8D8C24 A4000000 lea ecx,dword ptr ss:[esp+A4] ; |
00406F5F |. 51 push ecx ; |String1
00406F60 |. FF15 44F34400 call dword ptr ds:[44F344] ; \lstrcpyA
00406F66 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00406F6A |. E8 E4AF0300 call NetSendM.00441F53
00406F6F |. 51 push ecx
00406F70 |. 8D9424 A4000000 lea edx,dword ptr ss:[esp+A4]
00406F77 |. 8BCC mov ecx,esp
00406F79 |. 896424 10 mov dword ptr ss:[esp+10],esp
00406F7D |. 52 push edx
00406F7E |. E8 3EB00300 call NetSendM.00441FC1
00406F83 |. 8D4424 0C lea eax,dword ptr ss:[esp+C] ; |
00406F87 |. 50 push eax ; |Arg1
00406F88 |. 8BCE mov ecx,esi ; |
00406F8A |. E8 91B6FFFF call NetSendM.00402620 ; \NetSendM.00402620
00406F8F |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406F93 |. C78424 28010000 00>mov dword ptr ss:[esp+128],0
00406F9E |. E8 AD0C0000 call NetSendM.00407C50
00406FA3 |. 68 8C024600 push NetSendM.0046028C ; ASCII "Software\Extice\NetSendMsg"
00406FA8 |. 68 02000080 push 80000002
00406FAD |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00406FB1 |. C68424 30010000 01 mov byte ptr ss:[esp+130],1
00406FB9 |. E8 320D0000 call NetSendM.00407CF0
00406FBE |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406FC2 |. E8 690D0000 call NetSendM.00407D30
00406FC7 |. 85C0 test eax,eax
00406FC9 |. 74 2A je short NetSendM.00406FF5
00406FCB |. 8D8F 04020000 lea ecx,dword ptr ds:[edi+204]
00406FD1 |. 51 push ecx
00406FD2 |. 51 push ecx
00406FD3 |. 8BCC mov ecx,esp
00406FD5 |. 896424 14 mov dword ptr ss:[esp+14],esp
00406FD9 |. 68 80024600 push NetSendM.00460280 ; ASCII "Key"
00406FDE |. E8 DEAF0300 call NetSendM.00441FC1
00406FE3 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C] ; |
00406FE7 |. E8 240E0000 call NetSendM.00407E10 ; \NetSendM.00407E10
00406FEC |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406FF0 |. E8 6B0D0000 call NetSendM.00407D60
00406FF5 |> 8BBF 04020000 mov edi,dword ptr ds:[edi+204]
00406FFB |. 8B5424 08 mov edx,dword ptr ss:[esp+8]
00406FFF |. 57 push edi
00407000 |. 52 push edx
00407001 |. E8 06370200 call NetSendM.0042A70C
00407006 |. 83C4 08 add esp,8
00407009 |. 85C0 test eax,eax
0040700B |. C68424 28010000 00 mov byte ptr ss:[esp+128],0
00407013 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00407017 |. 75 35 jnz short NetSendM.0040704E
00407019 |. E8 B20C0000 call NetSendM.00407CD0
0040701E |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00407022 |. C78424 28010000 FF>mov dword ptr ss:[esp+128],-1
0040702D |. E8 21AF0300 call NetSendM.00441F53
00407032 |. B8 01000000 mov eax,1
00407037 |. 8B8C24 20010000 mov ecx,dword ptr ss:[esp+120]
0040703E |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00407045 |. 5F pop edi
00407046 |. 5E pop esi
00407047 |. 81C4 24010000 add esp,124
看一下堆栈段
0012E828 00C75A0C
0012E82C 0012F05C
0012E830 009D4250 ASCII "3I1NDXKK3UHEKWKY"
0012E834 0012E820
0012E838 009D4200 ASCII "Key"
0012E83C 00450760 NetSendM.00450760
0012E840 74666F53
这个软件好象一个病毒在他的软件目录里放PE文件都会变成一个无效的PE文件,哪位大虾研究一下他的加密算法吧.
太狠毒了。
我的机器码:DEKJLNJKLMNO
注册码: 3I1NDXKK3UHEKWKY
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)