木马清除专家20070425脱壳去效验
【破文标题】木马清除专家20070425脱壳去效验【破文作者】allcam
【作者邮箱】[email protected]
【作者主页】
【破解工具】PEID ollydbg
【破解平台】WINXP SP2
【软件名称】木马清除专家20070425
【软件大小】8406KB
【原版下载】http://www.onlinedown.net/soft/49004.htm
【保护方式】注册码
【软件简介】软件详细信息
木马清除专家2006是专业防杀木马软件,针对目前流行的木马病毒特别有效,彻底查杀各种流行QQ盗号木马,网游盗号木马,冲击波,灰鸽子,黑客后门等上万种木马间谍程序,是您电脑不可缺少的的坚固堡垒。
【破解声明】学习CREACK提高自己的水平
------------------------------------------------------------------------
【破解过程】第一步下载运行试注册提示重起,没有注册失败等错误提示!PEID查壳发现是ASPack 2.12 -> Alexey SolodovnikovOD载入先脱壳!
004BD001 >60 PUSHAD 程序停在里,用ESP下断 HR ESP
004BD002 E8 03000000 CALL mmqczj.004BD00A
004BD007- E9 EB045D45 JMP 45A8D4F7
004BD00C 55 PUSH EBP
004BD00D C3 RETN
004BD00E E8 01000000 CALL mmqczj.004BD014
004BD013 EB 5D JMP SHORT mmqczj.004BD072
004BD015 BB EDFFFFFF MOV EBX,-13
004BD01A 03DD ADD EBX,EBP
004BD01C 81EB 00D00B00 SUB EBX,0BD000
004BD022 83BD 22040000 0>CMP DWORD PTR SS:,0
004BD029 899D 22040000 MOV DWORD PTR SS:,EBX
004BD02F 0F85 65030000 JNZ mmqczj.004BD39A
004BD035 8D85 2E040000 LEA EAX,DWORD PTR SS:
004BD03B 50 PUSH EAX
004BD03C FF95 4D0F0000 CALL DWORD PTR SS:
004BD042 8985 26040000 MOV DWORD PTR SS:,EAX
004BD048 8BF8 MOV EDI,EAX
004BD04A 8D5D 5E LEA EBX,DWORD PTR SS:
004BD04D 53 PUSH EBX
004BD04E 50 PUSH EAX
004BD04F FF95 490F0000 CALL DWORD PTR SS:
004BD055 8985 4D050000 MOV DWORD PTR SS:,EAX
004BD05B 8D5D 6B LEA EBX,DWORD PTR SS:
004BD05E 53 PUSH EBX
004BD05F 57 PUSH EDI
004BD060 FF95 490F0000 CALL DWORD PTR SS:
004BD066 8985 51050000 MOV DWORD PTR SS:,EAX
004BD06C 8D45 77 LEA EAX,DWORD PTR SS:
004BD06F FFE0 JMP EAX
F9一次来到这里
004BD3B0 /75 08 JNZ SHORT mmqczj.004BD3BA F8 3次
004BD3B2 |B8 01000000 MOV EAX,1
004BD3B7 |C2 0C00 RETN 0C
004BD3BA \68 00104000 PUSH mmqczj.00401000 这里要返回到OEP的地方
004BD3BF C3 RETN
OEP到了在下面00401000处脱壳
00401000 E8 06000000 CALL mmqczj.0040100B
00401005 50 PUSH EAX
00401006 E8 BB010000 CALL mmqczj.004011C6 ; JMP 到 kernel32.ExitProcess
0040100B 55 PUSH EBP
0040100C 8BEC MOV EBP,ESP
0040100E 81C4 F0FEFFFF ADD ESP,-110
00401014 E9 83000000 JMP mmqczj.0040109C
00401019 6B72 6E 6C IMUL ESI,DWORD PTR DS:,6C
0040101D 6E OUTS DX,BYTE PTR ES: ; I/O 命令
0040101E 2E:66:6E OUTS DX,BYTE PTR ES: ; I/O 命令
00401021 72 00 JB SHORT mmqczj.00401023
00401023 6B72 6E 6C IMUL ESI,DWORD PTR DS:,6C
00401027 6E OUTS DX,BYTE PTR ES: ; I/O 命令
00401028 2E:66:6E OUTS DX,BYTE PTR ES: ; I/O 命令
0040102B 65:0047 65 ADD BYTE PTR GS:,AL
0040102F 74 4E JE SHORT mmqczj.0040107F
00401031 65:77 53 JA SHORT mmqczj.00401087 ; 多余的前缀
00401034 6F OUTS DX,DWORD PTR ES: ; I/O 命令
00401035 636B 00 ARPL WORD PTR DS:,BP
00401038 53 PUSH EBX
00401039 6F OUTS DX,DWORD PTR ES: ; I/O 命令
0040103A- 66:74 77 JE SHORT 000010B4
0040103D 61 POPAD
0040103E 72 65 JB SHORT mmqczj.004010A5
00401040 5C POP ESP
00401041 46 INC ESI
00401042 6C INS BYTE PTR ES:,DX ; I/O 命令
00401043 79 53 JNS SHORT mmqczj.00401098
00401045 6B79 5C 45 IMUL EDI,DWORD PTR DS:,45
00401049 5C POP ESP
0040104A 49 DEC ECX
0040104B 6E OUTS DX,BYTE PTR ES: ; I/O 命令
0040104C 73 74 JNB SHORT mmqczj.004010C2
0040104E 61 POPAD
脱壳以后发现是E语言编写的程序 E language * EP区段有ecode 000030000的字样 试运行提示“
木马清除专家2007支持文件被破坏或被非法修改!请重新安装.” 看来文件有自效验,查找提示的方法如下。
打开内存映射 M
003F0000 00003000
00400000 00001000 mmqczj_T PE 文件头
00401000 00001000 mmqczj_T .text 代码
00402000 00001000 mmqczj_T .rdata 数据
00403000 000B7000 mmqczj_T .ecode ...........在这里F2下断F9运行
004BA000 00003000 mmqczj_T .rsrc 资源
004BD000 00002000 mmqczj_T .aspack 重定位
004BF000 00001000 mmqczj_T .adata
004C0000 00001000 mmqczj_T .idata2 输入表
F9一次来到下面的代码
1002894D 8B42 30 MOV EAX,DWORD PTR DS:
10028950 83E0 01 AND EAX,1
10028953 85C0 TEST EAX,EAX
10028955 75 10 JNZ SHORT krnln.10028967
10028957 8B4D 08 MOV ECX,DWORD PTR SS:
1002895A 51 PUSH ECX
1002895B 8B4D F8 MOV ECX,DWORD PTR SS:
1002895E E8 8DE90200 CALL krnln.100572F0
10028963 FFE0 JMP EAX
10028965 EB 0E JMP SHORT krnln.10028975 .......F8到这里
004B6E2B FC CLD 这里可以搜索ASCII码 ; (Initial CPU selection)
004B6E2C DBE3 FINIT
004B6E2E E8 B3FCFFFF CALL mmqczj_T.004B6AE6
004B6E33 68 3E6B4B00 PUSH mmqczj_T.004B6B3E
004B6E38 B8 03000000 MOV EAX,3
004B6E3D E8 2C000000 CALL mmqczj_T.004B6E6E
004B6E42 83C4 04 ADD ESP,4
004B6E45 E8 6068FDFF CALL mmqczj_T.0048D6AA
004B6E4A E8 3E68FDFF CALL mmqczj_T.0048D68D
004B6E4F E8 106AFDFF CALL mmqczj_T.0048D864
004B6E54 50 PUSH EAX
004B6E55 E8 0E000000 CALL mmqczj_T.004B6E68
004B6E5A E8 03000000 CALL mmqczj_T.004B6E62
004B6E5F 83C4 04 ADD ESP,4
004B6E62- FF25 D59F4800 JMP DWORD PTR DS: ; krnln.10029274
004B6E68- FF25 D99F4800 JMP DWORD PTR DS: ; krnln.100291DF
004B6E6E- FF25 E19F4800 JMP DWORD PTR DS: ; krnln.10028A25
004B6E74- FF25 D19F4800 JMP DWORD PTR DS: ; krnln.1002933C
004B6E7A- FF25 C99F4800 JMP DWORD PTR DS: ; krnln.10029234
004B6E80- FF25 BD9F4800 JMP DWORD PTR DS: ; krnln.10028AA1
004B6E86- FF25 C19F4800 JMP DWORD PTR DS: ; krnln.10029199
004B6E8C- FF25 B99F4800 JMP DWORD PTR DS: ; krnln.10028A4A
004B6E92- FF25 C59F4800 JMP DWORD PTR DS: ; krnln.100291B8
004B6E98- FF25 B19F4800 JMP DWORD PTR DS: ; krnln.1002917B
004B6E9E- FF25 B59F4800 JMP DWORD PTR DS: ; krnln.10028A3F
004B6EA4- FF25 CD9F4800 JMP DWORD PTR DS: ; krnln.10029291
木马清除专家2007支持文件被破坏或被非法修改!请重新安装. 共有3处分别下断 通过对比法发现有2处和原版不一样的地方。
004A87DE /0F84 33010000 je mmqczj_T.004A8917 原版跳成功!,脱壳的不成功,一个字“改”JNE
004A87E4 |68 04000080 push 80000004
004A87E9 |6A 00 push 0
004A87EB |68 37354000 push mmqczj_T.00403537
004A87F0 |68 01030080 push 80000301
004A87F5 |6A 00 push 0
004A87F7 |68 40000000 push 40
004A87FC |68 04000080 push 80000004
004A8801 |6A 00 push 0
004A8803 |68 C6334200 push mmqczj_T.004233C6
004A8808 |68 03000000 push 3
004A880D |BB 00030000 mov ebx,300
004A8812 |E8 69E60000 call mmqczj_T.004B6E80
004A8817 |83C4 28 add esp,28
004A881A |68 4D354000 push mmqczj_T.0040354D ; ASCII "uptime.dat"
004B4043 /0F84 33010000 je mmqczj_T.004B417C 原版跳成功!脱壳的不成功,又一个字“改”JNE
004B4049 |68 04000080 push 80000004
004B404E |6A 00 push 0
004B4050 |68 37354000 push mmqczj_T.00403537
004B4055 |68 01030080 push 80000301
004B405A |6A 00 push 0
004B405C |68 40000000 push 40
004B4061 |68 04000080 push 80000004
004B4066 |6A 00 push 0
004B4068 |68 C6334200 push mmqczj_T.004233C6
004B406D |68 03000000 push 3
004B4072 |BB 00030000 mov ebx,300
004B4077 |E8 042E0000 call mmqczj_T.004B6E80
004B407C |83C4 28 add esp,28
004B407F |68 4D354000 push mmqczj_T.0040354D ; ASCII "uptime.dat"
保存所有修改后运行成功了,很高兴哦!!!!!!下面到了找注册码的时候了,调试的时候要隐藏一下OD要不然程序会关掉OD的。
还是到刚才的 004B6E2B FC CLD 这里搜索ASCII码!
可以搜索到这个字符 “注册码已经保存,点击确定即将重新启动软件验证注册.”双击来到4B118D向上在
004B102C 55 PUSH EBP 此处下断运行F9
004B102D 8BEC MOV EBP,ESP
004B102F 81EC 08000000 SUB ESP,8
004B1035 6A FF PUSH -1
004B1037 6A 08 PUSH 8
004B1039 68 FC050116 PUSH 160105FC
004B103E 68 01000152 PUSH 52010001
004B1043 E8 3E5E0000 CALL mmqczj_T.004B6E86
004B1048 83C4 10 ADD ESP,10
004B104B 8945 FC MOV DWORD PTR SS:,EAX
004B104E 68 FB344000 PUSH mmqczj_T.004034FB
004B1053 FF75 FC PUSH DWORD PTR SS:
004B1056 E8 A5C6FDFF CALL mmqczj_T.0048D700
004B105B 83C4 08 ADD ESP,8
004B105E 83F8 00 CMP EAX,0
004B1061 B8 00000000 MOV EAX,0
004B1066 0F94C0 SETE AL
004B1069 8945 F8 MOV DWORD PTR SS:,EAX
004B106C 8B5D FC MOV EBX,DWORD PTR SS:
004B106F 85DB TEST EBX,EBX
004B1071 74 09 JE SHORT mmqczj_T.004B107C
004B1073 53 PUSH EBX
004B1074 E8 FB5D0000 CALL mmqczj_T.004B6E74
004B1079 83C4 04 ADD ESP,4
004B107C 837D F8 00 CMP DWORD PTR SS:,0
004B1080 0F84 3B000000 JE mmqczj_T.004B10C1
004B1086 68 04000080 PUSH 80000004
004B108B 6A 00 PUSH 0
004B108D 68 37354000 PUSH mmqczj_T.00403537 ; 木马清除专家2007
004B1092 68 01030080 PUSH 80000301
004B1097 6A 00 PUSH 0
004B1099 68 40000000 PUSH 40
004B109E 68 04000080 PUSH 80000004
004B10A3 6A 00 PUSH 0
004B10A5 68 10554200 PUSH mmqczj_T.00425510 ; 注册码不能为空,请输入注册码!
004B10AA 68 03000000 PUSH 3
004B10AF BB 00030000 MOV EBX,300
004B10B4 E8 C75D0000 CALL mmqczj_T.004B6E80
004B10B9 83C4 28 ADD ESP,28
004B10BC E9 C6010000 JMP mmqczj_T.004B1287
004B10C1 6A FF PUSH -1
004B10C3 6A 08 PUSH 8
004B10C5 68 FC050116 PUSH 160105FC
004B10CA 68 01000152 PUSH 52010001
004B10CF E8 B25D0000 CALL mmqczj_T.004B6E86
004B10D4 83C4 10 ADD ESP,10
004B10D7 8945 FC MOV DWORD PTR SS:,EAX
004B10DA 68 04000080 PUSH 80000004
004B10DF 6A 00 PUSH 0
004B10E1 8B45 FC MOV EAX,DWORD PTR SS:
004B10E4 85C0 TEST EAX,EAX
004B10E6 75 05 JNZ SHORT mmqczj_T.004B10ED
004B10E8 B8 FB344000 MOV EAX,mmqczj_T.004034FB
004B10ED 50 PUSH EAX
004B10EE 68 01000000 PUSH 1
004B10F3 BB 74010000 MOV EBX,174
004B10F8 E8 835D0000 CALL mmqczj_T.004B6E80
004B10FD 83C4 10 ADD ESP,10
004B1100 8945 F8 MOV DWORD PTR SS:,EAX
004B1103 8B5D FC MOV EBX,DWORD PTR SS:
004B1106 85DB TEST EBX,EBX
004B1108 74 09 JE SHORT mmqczj_T.004B1113
004B110A 53 PUSH EBX
004B110B E8 645D0000 CALL mmqczj_T.004B6E74
004B1110 83C4 04 ADD ESP,4
004B1113 8B1D E805A600 MOV EBX,DWORD PTR DS:
004B1119 85DB TEST EBX,EBX
004B111B 74 09 JE SHORT mmqczj_T.004B1126
004B111D 53 PUSH EBX
004B111E E8 515D0000 CALL mmqczj_T.004B6E74
004B1123 83C4 04 ADD ESP,4
004B1126 8B45 F8 MOV EAX,DWORD PTR SS:
004B1129 A3 E805A600 MOV DWORD PTR DS:,EAX
004B112E 68 04000080 PUSH 80000004
004B1133 6A 00 PUSH 0
004B1135 A1 E805A600 MOV EAX,DWORD PTR DS:
004B113A 85C0 TEST EAX,EAX
004B113C 75 05 JNZ SHORT mmqczj_T.004B1143
004B113E B8 FB344000 MOV EAX,mmqczj_T.004034FB
004B1143 50 PUSH EAX
004B1144 68 04000080 PUSH 80000004
004B1149 6A 00 PUSH 0
004B114B 68 56334200 PUSH mmqczj_T.00423356 ; Software\木马清除专家2006\regcode 这里把注册码写到注册表下次启动是对比是否正确
004B1150 68 01030080 PUSH 80000301
004B1155 6A 00 PUSH 0
004B1157 68 03000000 PUSH 3
004B115C 68 03000000 PUSH 3
004B1161 BB A4060000 MOV EBX,6A4
004B1166 E8 155D0000 CALL mmqczj_T.004B6E80
004B116B 83C4 28 ADD ESP,28
004B116E 68 04000080 PUSH 80000004
004B1173 6A 00 PUSH 0
004B1175 68 37354000 PUSH mmqczj_T.00403537 ; 木马清除专家2007
004B117A 68 01030080 PUSH 80000301
004B117F 6A 00 PUSH 0
004B1181 68 40000000 PUSH 40
004B1186 68 04000080 PUSH 80000004
004B118B 6A 00 PUSH 0
004B118D 68 2D554200 PUSH mmqczj_T.0042552D ; 注册码已经保存,点击确定即将重新启动软件验证注册.
004B1192 68 03000000 PUSH 3
004B1197 BB 00030000 MOV EBX,300
004B119C E8 DF5C0000 CALL mmqczj_T.004B6E80
004B11A1 83C4 28 ADD ESP,28
004B11A4 6A 00 PUSH 0
004B11A6 68 00000000 PUSH 0
004B11AB 6A FF PUSH -1
004B11AD 6A 08 PUSH 8
004B11AF 68 ED050116 PUSH 160105ED
004B11B4 68 01000152 PUSH 52010001
004B11B9 E8 D45C0000 CALL mmqczj_T.004B6E92
004B11BE 83C4 18 ADD ESP,18
004B11C1 833D 1C05A600 0>CMP DWORD PTR DS:,0
004B11C8 0F84 3B000000 JE mmqczj_T.004B1209
004B11CE 68 04000080 PUSH 80000004
004B11D3 6A 00 PUSH 0
004B11D5 68 37354000 PUSH mmqczj_T.00403537 ; 木马清除专家2007
004B11DA 68 01030080 PUSH 80000301
004B11DF 6A 00 PUSH 0
004B11E1 68 40000000 PUSH 40
004B11E6 68 04000080 PUSH 80000004
004B11EB 6A 00 PUSH 0
004B11ED 68 B3CF4000 PUSH mmqczj_T.0040CFB3 ; 内存监控执行中,请稍候退出木马清除专家2007.
004B11F2 68 03000000 PUSH 3
004B11F7 BB 00030000 MOV EBX,300
004B11FC E8 7F5C0000 CALL mmqczj_T.004B6E80
004B1201 83C4 28 ADD ESP,28
004B1204 E9 7E000000 JMP mmqczj_T.004B1287
004B1209 68 01000100 PUSH 10001
004B120E 68 00000106 PUSH 6010000
004B1213 68 01000152 PUSH 52010001
004B1218 68 01000000 PUSH 1
004B121D BB 60030000 MOV EBX,360
004B1222 E8 595C0000 CALL mmqczj_T.004B6E80
004B1227 83C4 10 ADD ESP,10
004B122A 68 00000000 PUSH 0
004B122F BB 08010000 MOV EBX,108
004B1234 E8 475C0000 CALL mmqczj_T.004B6E80
004B1239 83C4 04 ADD ESP,4
004B123C 8945 FC MOV DWORD PTR SS:,EAX
004B123F 6A 00 PUSH 0
004B1241 6A 00 PUSH 0
004B1243 6A 00 PUSH 0
004B1245 68 02000080 PUSH 80000002
004B124A 6A 00 PUSH 0
004B124C 68 00000000 PUSH 0
004B1251 68 04000080 PUSH 80000004
004B1256 6A 00 PUSH 0
004B1258 8B45 FC MOV EAX,DWORD PTR SS:
004B125B 85C0 TEST EAX,EAX
004B125D 75 05 JNZ SHORT mmqczj_T.004B1264
004B125F B8 FB344000 MOV EAX,mmqczj_T.004034FB
004B1264 50 PUSH EAX
004B1265 68 03000000 PUSH 3
004B126A BB C0020000 MOV EBX,2C0
004B126F E8 0C5C0000 CALL mmqczj_T.004B6E80
004B1274 83C4 28 ADD ESP,28
004B1277 8B5D FC MOV EBX,DWORD PTR SS:
004B127A 85DB TEST EBX,EBX
004B127C 74 09 JE SHORT mmqczj_T.004B1287
004B127E 53 PUSH EBX
004B127F E8 F05B0000 CALL mmqczj_T.004B6E74
004B1284 83C4 04 ADD ESP,4
004B1287 8BE5 MOV ESP,EBP
004B1289 5D POP EBP
004B128A C3 RETN
这次寻找不成功,没发现哪个地方象注册码只发现一个写注册表的一个地址看来注册码要在下次启动的时候由注册表调出进行比较的 ,请高手们指点以下怎么弄自己也在抓紧研究 这个的算法是RSA,可以看到有公钥和模数(好像是这么叫吧 ..不懂加密算法 /:02 )
我搞不定所以爆破了之..我改了两个文件..主程序和Uptime.dat
注意下ID.dat Uptime.dat 还有另外一个叫什么忘记了,会自动删除. 厉害,好好学一下
发现一个错误以修改大家可以试试
004A7ECB /74 09 JE SHORT mmqczj.004A7ED6 这里也要改要不点升级的时候提示文件被非法修改!!004A7ECD |53 PUSH EBX
004A7ECE |E8 A1EF0000 CALL mmqczj.004B6E74
004A7ED3 |83C4 04 ADD ESP,4
004A7ED6 \8B5D CC MOV EBX,DWORD PTR SS:
004A7ED9 85DB TEST EBX,EBX
004A7EDB 74 09 JE SHORT mmqczj.004A7EE6
004A7EDD 53 PUSH EBX
004A7EDE E8 91EF0000 CALL mmqczj.004B6E74
004A7EE3 83C4 04 ADD ESP,4
004A7EE6 837D C8 00 CMP DWORD PTR SS:,0
004A7EEA 0F85 33010000 JNZ mmqczj.004A8023 强,学习了,经过了分析,是E语言程序.
在自校验处多次改跳转,未成功,晕,
用过对比分析,有时程序跳飞,汗.立马再次来过 原帖由 极速暴龙 于 2007-4-26 10:29 发表 https://www.chinapyg.com/images/common/back.gif
这个的算法是RSA,可以看到有公钥和模数(好像是这么叫吧 ..不懂加密算法 /:02 )
我搞不定所以爆破了之..我改了两个文件..主程序和Uptime.dat
注意下ID.dat Uptime.dat 还有另外一个叫什么忘记了,会自动删除.
如何改,在哪个位置改 用ECE,发现注册按钮地址:4B102C,在OD中下断,运行,断在这里,注册987654321,后F8向下走,
堆栈发现下列提示:
0012F63C 01651948ASCII "987654321"
0012F640 001B82D8ASCII "sys258842"
004B11A1 83C4 28 ADD ESP,28
004B11A4 6A 00 PUSH 0
004B11A6 68 00000000 PUSH 0
004B11AB 6A FF PUSH -1
004B11AD 6A 08 PUSH 8,,,注册不对,还是不是正式用户,问题在哪
脱壳解决自校验文件附后
[ 本帖最后由 aoshxi001 于 2007-4-28 11:07 编辑 ] 向前辈们学习。
是RSA算法,用工具SIQSV1.1来计算大数结果,用注册,结果仍不对
本人机器中公钥为E797F9352F349CA35D826B181CA327FD31DE43F82F50C6E5AEBE76192CDD7E291374B,用RSATOOL换算为十进制为 109841253031692118977764010210612357229341366266503381425235612917443094535390443339再用SIQSV1.1计算大数N,2个小时后,分解结果如下:
========================= by SIQS
#FB 16736
(f)type 4458 total 18014
(p)type 65432( p_p 4455, p_p_pp 2294,p_p_p_p_pp_pp 739)
(pp) type 116791( pp_pp 1679, pp_pp_pp 1025,others 2056)
109841253031692118977764010210612357229341366266503381425235612917443094535390443339 = C3 * C81
C3 = 477(十六进制1DD)
C81 = 230275163588453079617953899812604522493378126344870820597978224145583007411720007(十六进制7C4B1F3D4806C4C5290FC9D8585BDB7FD611510600B4BE780C34D7CD1BD5DDBCF47)
cputime 2:15:56:69
再用RSATOOL计算出D,得到1C5CD649952E2EDA69A215C58E360BC55ADF0CB05D2E997BBC87B5E07B0AFE4778AB9
将此输入注册框,还是不对啊,未注册用户.问题在哪个位置?? 自校验烦人啊
页:
[1]
2