【文章标题】: AD Popup Killer 2.1 解析
【文章作者】: KuNgBiM
【作者邮箱】: kungbim@163.com
【作者主页】: http://www.crkcn.com
【作者QQ号】: N/A
【软件名称】: AD Popup Killer 2.1
【软件大小】: 156KB
【下载地址】: 论坛附件下载
【加壳方式】: N/A
【保护方式】: 注册码
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: OD
【操作平台】: 盗版XP
【软件介绍】: 保护IE不受广告捆扰!
【作者声明】: 只是感兴趣,体验一下clide2000 文章书写器,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
程序无壳,OD载入,使用字符串搜索:
0040B990 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; 搜索字符串来到这里
0040B996 . 6A FF push -1
0040B998 . 68 C8F94000 push 0040F9C8
0040B99D . 50 push eax
0040B99E . 64:8925 00000>mov dword ptr fs:[0], esp
0040B9A5 . 83EC 08 sub esp, 8
0040B9A8 . 56 push esi
0040B9A9 . 57 push edi
0040B9AA . 8BF1 mov esi, ecx
0040B9AC . 6A 01 push 1
0040B9AE . E8 DF280000 call <jmp.&MFC42.#6334_CWnd::UpdateDa>
0040B9B3 . 8B86 E4000000 mov eax, dword ptr [esi+E4] ; 试炼码入EAX,ASCII "9999999999"
0040B9B9 . 8DBE E4000000 lea edi, dword ptr [esi+E4]
0040B9BF . 8B48 F8 mov ecx, dword ptr [eax-8] ; 计算试炼码长度 ds:[00383EA0]=0000000A
0040B9C2 . 85C9 test ecx, ecx
0040B9C4 . 75 24 jnz short 0040B9EA ; 注册码长度大于零合法,跳!
0040B9C6 . 6A 00 push 0
0040B9C8 . 68 AC624100 push 004162AC ; AD Popup Killer
0040B9CD . 68 186A4100 push 00416A18 ; Please input the SN of AD Popup Killer.
0040B9D2 . 8BCE mov ecx, esi
0040B9D4 . E8 31290000 call <jmp.&MFC42.#4224_CWnd::MessageB>
0040B9D9 . 8B4C24 10 mov ecx, dword ptr [esp+10]
0040B9DD . 64:890D 00000>mov dword ptr fs:[0], ecx
0040B9E4 . 5F pop edi
0040B9E5 . 5E pop esi
0040B9E6 . 83C4 14 add esp, 14
0040B9E9 . C3 retn
0040B9EA > 8B8E E0000000 mov ecx, dword ptr [esi+E0] ; 用户名入ECX,ASCII "KuNgBiM"
0040B9F0 . 8B41 F8 mov eax, dword ptr [ecx-8] ; 计算用户名长度 ds:[00383E50]=00000007
0040B9F3 . 85C0 test eax, eax
0040B9F5 . 75 24 jnz short 0040BA1B ; 用户名长度大于零合法,跳!
0040B9F7 . 6A 00 push 0
0040B9F9 . 68 AC624100 push 004162AC ; AD Popup Killer
0040B9FE . 68 006A4100 push 00416A00 ; Please input your name.
0040BA03 . 8BCE mov ecx, esi
0040BA05 . E8 00290000 call <jmp.&MFC42.#4224_CWnd::MessageB>
0040BA0A . 8B4C24 10 mov ecx, dword ptr [esp+10]
0040BA0E . 64:890D 00000>mov dword ptr fs:[0], ecx
0040BA15 . 5F pop edi
0040BA16 . 5E pop esi
0040BA17 . 83C4 14 add esp, 14
0040BA1A . C3 retn
0040BA1B > 8D4C24 08 lea ecx, dword ptr [esp+8]
0040BA1F . E8 06270000 call <jmp.&MFC42.#540_CString::CStrin>
0040BA24 . 68 7C604100 push 0041607C ; bsoft
0040BA29 . 8D4C24 0C lea ecx, dword ptr [esp+C]
0040BA2D . C74424 1C 000>mov dword ptr [esp+1C], 0
0040BA35 . E8 06CFFFFF call 00408940
0040BA3A . 51 push ecx
0040BA3B . 8BCC mov ecx, esp
0040BA3D . 896424 10 mov dword ptr [esp+10], esp
0040BA41 . 57 push edi
0040BA42 . E8 B5270000 call <jmp.&MFC42.#535_CString::CStrin>
0040BA47 . E8 54090000 call 0040C3A0 ; 算法CALL,跟进!
0040BA4C . 83C4 04 add esp, 4
0040BA4F . 85C0 test eax, eax
0040BA51 . 74 61 je short 0040BAB4
0040BA53 . 8B3F mov edi, dword ptr [edi] ; 写入试炼码
0040BA55 . 8D4C24 08 lea ecx, dword ptr [esp+8]
0040BA59 . 57 push edi
0040BA5A . 68 C0604100 push 004160C0 ; passw
0040BA5F . 68 6C604100 push 0041606C ; registe
0040BA64 . E8 57D2FFFF call 00408CC0
0040BA69 . 8B86 E0000000 mov eax, dword ptr [esi+E0] ; 写入用户名
0040BA6F . 8D4C24 08 lea ecx, dword ptr [esp+8]
0040BA73 . 50 push eax
0040BA74 . 68 74604100 push 00416074 ; user
0040BA79 . 68 6C604100 push 0041606C ; registe
0040BA7E . E8 3DD2FFFF call 00408CC0
0040BA83 . 6A 01 push 1
0040BA85 . 68 B8604100 push 004160B8 ; breg
0040BA8A . 68 6C604100 push 0041606C ; registe
0040BA8F . 8D4C24 14 lea ecx, dword ptr [esp+14]
0040BA93 . E8 D8D1FFFF call 00408C70
0040BA98 . 6A 00 push 0
0040BA9A . 68 AC624100 push 004162AC ; AD Popup Killer
0040BA9F . 68 E8694100 push 004169E8 ; Register Successfully!
0040BAA4 . 8BCE mov ecx, esi
0040BAA6 . E8 5F280000 call <jmp.&MFC42.#4224_CWnd::MessageB>
0040BAAB . 8BCE mov ecx, esi
0040BAAD . E8 3A250000 call <jmp.&MFC42.#4853_CDialog::OnOK>
0040BAB2 . EB 13 jmp short 0040BAC7
0040BAB4 > 6A 00 push 0
0040BAB6 . 68 AC624100 push 004162AC ; AD Popup Killer
0040BABB . 68 C4694100 push 004169C4 ; Please make sure your SN is valid.
0040BAC0 . 8BCE mov ecx, esi
0040BAC2 . E8 43280000 call <jmp.&MFC42.#4224_CWnd::MessageB>
0040BAC7 > 8D4C24 08 lea ecx, dword ptr [esp+8]
0040BACB . C74424 18 FFF>mov dword ptr [esp+18], -1
0040BAD3 . E8 46260000 call <jmp.&MFC42.#800_CString::~CStri>
0040BAD8 . 8B4C24 10 mov ecx, dword ptr [esp+10]
0040BADC . 5F pop edi
0040BADD . 64:890D 00000>mov dword ptr fs:[0], ecx
0040BAE4 . 5E pop esi
0040BAE5 . 83C4 14 add esp, 14
0040BAE8 . C3 retn
跟进0040BA47:
0040C3A0 /$ 6A FF push -1 ; 跟进到这里
0040C3A2 |. 68 E0FA4000 push 0040FAE0 ; SE 处理程序安装
0040C3A7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0040C3AD |. 50 push eax
0040C3AE |. 64:8925 00000>mov dword ptr fs:[0], esp
0040C3B5 |. 83EC 0C sub esp, 0C
0040C3B8 |. 53 push ebx
0040C3B9 |. 55 push ebp
0040C3BA |. 56 push esi
0040C3BB |. 57 push edi
0040C3BC |. 8D4424 10 lea eax, dword ptr [esp+10]
0040C3C0 |. 6A 08 push 8
0040C3C2 |. 50 push eax
0040C3C3 |. 8D4C24 34 lea ecx, dword ptr [esp+34]
0040C3C7 |. C74424 2C 000>mov dword ptr [esp+2C], 0
0040C3CF |. E8 2A1F0000 call <jmp.&MFC42.#4129_CString::Left>
0040C3D4 |. 8B7424 10 mov esi, dword ptr [esp+10]
0040C3D8 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040C3DC |. 33C0 xor eax, eax
0040C3DE |. 2BF1 sub esi, ecx
0040C3E0 |> 8D4C04 14 /lea ecx, dword ptr [esp+eax+14]
0040C3E4 |. 40 |inc eax ; 计算下一位
0040C3E5 |. 83F8 08 |cmp eax, 8 ; 是否计算了8位?
0040C3E8 |. 8A140E |mov dl, byte ptr [esi+ecx]
0040C3EB |. 8811 |mov byte ptr [ecx], dl ; 试炼码变换
; dl=39 ('9')
; 堆栈 ds:[0012F0C0]=7C ('|')
; dl=39 ('9')
; 堆栈 ds:[0012F0C1]=60 ('`')
; dl=39 ('9')
; 堆栈 ds:[0012F0C2]=41 ('A')
; dl=39 ('9')
; 堆栈 ds:[0012F0C3]=00
; dl=39 ('9')
; 堆栈 ds:[0012F0C4]=AE ('?)
; dl=39 ('9')
; 堆栈 ds:[0012F0C5]=43 ('C')
; dl=39 ('9')
; 堆栈 ds:[0012F0C6]=D3 ('?)
; dl=39 ('9')
; 堆栈 ds:[0012F0C7]=73 ('s')
0040C3ED |.^ 7C F1 \jl short 0040C3E0
0040C3EF |. 0FBE7424 15 movsx esi, byte ptr [esp+15]
0040C3F4 |. 0FBE6C24 14 movsx ebp, byte ptr [esp+14]
0040C3F9 |. 0FBE7C24 18 movsx edi, byte ptr [esp+18]
0040C3FE |. 8D0C2E lea ecx, dword ptr [esi+ebp]
0040C401 |. B8 56555555 mov eax, 55555556 ; 地址=72
0040C406 |. 03CF add ecx, edi ; EDI加ECX,edi=39,ecx=72
0040C408 |. F7E9 imul ecx ; 相加后的值送入ECX,ecx=AB
0040C40A |. 0FBE5C24 16 movsx ebx, byte ptr [esp+16]
0040C40F |. 8BC2 mov eax, edx ; EDX送给EAX,edx=39,eax=72
0040C411 |. C1E8 1F shr eax, 1F ; EAX逻辑右移1F
0040C414 |. 03D0 add edx, eax ; EAX加EDX
0040C416 |. 3BDA cmp ebx, edx
0040C418 |. 0F85 8E000000 jnz 0040C4AC
0040C41E |. 0FBE4C24 17 movsx ecx, byte ptr [esp+17] ; 取出ECX值,ecx=AB
0040C423 |. 8D043B lea eax, dword ptr [ebx+edi] ; 地址=72
0040C426 |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去
0040C427 |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72
0040C429 |. D1F8 sar eax, 1 ; EAX算术右移1
0040C42B |. 3BC8 cmp ecx, eax
0040C42D |. 75 7D jnz short 0040C4AC
0040C42F |. 8A5C24 19 mov bl, byte ptr [esp+19] ; bl=39 ('9')
0040C433 |. 8D042E lea eax, dword ptr [esi+ebp] ; 地址=72
0040C436 |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去
0040C437 |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72
0040C439 |. 0FBED3 movsx edx, bl ; BL先符号扩展,再传送EDX
0040C43C |. D1F8 sar eax, 1 ; EAX算术右移1
0040C43E |. 3BD0 cmp edx, eax
0040C440 |. 75 6A jnz short 0040C4AC
0040C442 |. 8A4C24 1B mov cl, byte ptr [esp+1B] ; cl=39 ('9')
0040C446 |. 0FBEC1 movsx eax, cl ; CL先符号扩展,再传送EAX
0040C449 |. 03C6 add eax, esi ; ESI加EAX,esi=39,eax=39
0040C44B |. 99 cdq ; 把EAX中的字的符号扩展到EDX中去
0040C44C |. 2BC2 sub eax, edx ; EDX减EAX,edx=00,eax=72
0040C44E |. 0FBE5424 1A movsx edx, byte ptr [esp+1A]
0040C453 |. D1F8 sar eax, 1 ; EAX算术右移1,eax=72
0040C455 |. 3BD0 cmp edx, eax
0040C457 |. 75 53 jnz short 0040C4AC
0040C459 |. 8A4424 15 mov al, byte ptr [esp+15] ; al=39 ('9')
0040C45D |. 8A5424 14 mov dl, byte ptr [esp+14] ; dl=39 ('9')
0040C461 |. 3AD0 cmp dl, al ; al与dl值不能相等
0040C463 |. 74 47 je short 0040C4AC ; 这里不能跳!爆破点A
0040C465 |. 8A5424 18 mov dl, byte ptr [esp+18]
0040C469 |. 8A4424 16 mov al, byte ptr [esp+16]
0040C46D |. 3AC2 cmp al, dl ; dl与al值不能相等
0040C46F |. 74 3B je short 0040C4AC ; 再次比较,这里不能跳!爆破点B
0040C471 |. 3AD9 cmp bl, cl ; cl与bl值不能相等
0040C473 |. 74 37 je short 0040C4AC ; 再次比较,这里不能跳!爆破点C
0040C475 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0040C479 |. C64424 24 00 mov byte ptr [esp+24], 0
0040C47E |. E8 9B1C0000 call <jmp.&MFC42.#800_CString::~CStri>
0040C483 |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
0040C487 |. C74424 24 FFF>mov dword ptr [esp+24], -1
0040C48F |. E8 8A1C0000 call <jmp.&MFC42.#800_CString::~CStri>
0040C494 |. 5F pop edi
0040C495 |. 5E pop esi
0040C496 |. 5D pop ebp
0040C497 |. B8 01000000 mov eax, 1
0040C49C |. 5B pop ebx
0040C49D |. 8B4C24 0C mov ecx, dword ptr [esp+C]
0040C4A1 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0040C4A8 |. 83C4 18 add esp, 18
0040C4AB |. C3 retn
--------------------------------------------------------------------------------
【经验总结】
不知道写什么好,凑合看吧!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年02月06日 PM 04:51:00
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课