【Software name】: 飞雪桌面日历2.0
【Packer】: UPX
【Protection】: registration code, verified on restart
【Language】: VB
【Tools】: OD
【Platform】: WINXP
【Description】: combines a perpetual calendar, clock, scheduled execution, scheduled shutdown and more
【Detailed process】
This program is small but powerful! It bundles a huge number of functions: perpetual calendar, clock, scheduled execution, scheduled shutdown (shutting down 2000/XP takes only 3 seconds!), time-limited computer use, break reminders (can lock the system), memo pad, system hotkeys, world time, CD-ROM drive control, periodic computer cleanup, voice time announcement, hourly/half-hourly chimes, etc. It also supports custom skins and can appear in four forms: calendar, wall calendar, clock and mini bar. But it is shareware and keeps popping up a "You have not registered yet" prompt, which is really annoying, so there was nothing for it but to put it on the operating table ^_^
1. First try the program: the registration code is verified on restart.
2. Check the packer with PEiD: it is UPX, a very basic packer, unpacked in no time. Check again after unpacking: no packer, a program written in VB. Test-run it and, bang, the computer shut down. Ugh, what nasty behaviour; looks like it has to be cracked. Reboot the computer and try again.
3. Since it shuts the machine down there must be a booby trap, most likely a check on the file size. Load the unpacked program in OD and set breakpoints on every call to the MSVBVM60.DLL export rtcFileLen (8 in total). Run with F9 and it breaks at the following location:
........
00531B57 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRand>; generate a random number
00531B5D . D80D 0C394000 FMUL DWORD PTR DS:[40390C] ; ×10
00531B63 . FF15 F0124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8>; convert to integer
00531B69 . 8BF8 MOV EDI, EAX
00531B6B . 8D4D B8 LEA ECX, DWORD PTR SS:[EBP-48]
00531B6E . FFD6 CALL ESI
00531B70 . 0FBFC7 MOVSX EAX, DI
00531B73 . 83F8 09 CMP EAX, 9 ; Switch (cases 0..9)
00531B76 . 0F87 A5020000 JA 00531E21
00531B7C . FF2485 8C1E53>JMP DWORD PTR DS:[EAX*4+531E8C]
00531B83 > 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; Case 1 of switch 00531B73
00531B86 . 51 PUSH ECX
00531B87 . E9 3C010000 JMP 00531CC8
00531B8C > 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20] ; Case 2 of switch 00531B73
00531B8F . 52 PUSH EDX
00531B90 . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; check the program's size
00531B96 . 3D 004E0500 CMP EAX, 54E00 ; compare with 0x54E00, same below
00531B9B . 0F84 80020000 JE 00531E21 ; if equal, jump to the correct code, same below // change JE to JMP
00531BA1 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531BA4 . 85C0 TEST EAX, EAX
00531BA6 . 75 12 JNZ SHORT 00531BBA
00531BA8 . 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28]
00531BAB . 50 PUSH EAX
00531BAC . 68 A8784000 PUSH 004078A8
00531BB1 . FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>; MSVBVM60.__vbaNew2
00531BB7 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531BBA > 8BF0 MOV ESI, EAX
00531BBC . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00531BBE . 50 PUSH EAX
00531BBF . FF51 24 CALL DWORD PTR DS:[ECX+24] ; otherwise shut down~!
00531BC2 . DBE2 FCLEX
00531BC4 . 85C0 TEST EAX, EAX
00531BC6 . 7D 0F JGE SHORT 00531BD7
00531BC8 . 6A 24 PUSH 24
00531BCA . 68 64C24100 PUSH 0041C264
00531BCF . 56 PUSH ESI
00531BD0 . 50 PUSH EAX
00531BD1 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00531BD7 > 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531BDA . 85C0 TEST EAX, EAX
00531BDC . 75 12 JNZ SHORT 00531BF0
00531BDE . 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28]
00531BE1 . 52 PUSH EDX
00531BE2 . 68 A8784000 PUSH 004078A8
00531BE7 . FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>; MSVBVM60.__vbaNew2
00531BED . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531BF0 > 8BF0 MOV ESI, EAX
00531BF2 . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00531BF4 . 50 PUSH EAX
00531BF5 . FF51 20 CALL DWORD PTR DS:[ECX+20]
00531BF8 . DBE2 FCLEX
00531BFA . 85C0 TEST EAX, EAX
00531BFC . 0F8D 1F020000 JGE 00531E21
00531C02 . 6A 20 PUSH 20
00531C04 . 68 64C24100 PUSH 0041C264
00531C09 . 56 PUSH ESI
00531C0A . 50 PUSH EAX
00531C0B . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00531C11 . E9 0B020000 JMP 00531E21
00531C16 > 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20] ; Case 3 of switch 00531B73
00531C19 . 52 PUSH EDX
00531C1A . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531C20 . 3D 004E0500 CMP EAX, 54E00
00531C25 . 0F84 F6010000 JE 00531E21 ; change JE to JMP
00531C2B . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531C2E . 85C0 TEST EAX, EAX
00531C30 . 75 12 JNZ SHORT 00531C44
00531C32 . 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28]
00531C35 . 50 PUSH EAX
00531C36 . 68 A8784000 PUSH 004078A8
00531C3B . FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>; MSVBVM60.__vbaNew2
00531C41 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531C44 > 8BF0 MOV ESI, EAX
00531C46 . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00531C48 . 50 PUSH EAX
00531C49 . FF51 24 CALL DWORD PTR DS:[ECX+24] ; otherwise shut down!!!
00531C4C . DBE2 FCLEX
00531C4E . 85C0 TEST EAX, EAX
00531C50 . 7D 0F JGE SHORT 00531C61
00531C52 . 6A 24 PUSH 24
00531C54 . 68 64C24100 PUSH 0041C264
00531C59 . 56 PUSH ESI
00531C5A . 50 PUSH EAX
00531C5B . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00531C61 > 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531C64 . 85C0 TEST EAX, EAX
00531C66 . 75 36 JNZ SHORT 00531C9E
00531C68 . EB 22 JMP SHORT 00531C8C
00531C6A > 8B45 E0 MOV EAX, DWORD PTR SS:[EBP-20] ; Case 5 of switch 00531B73
00531C6D . 50 PUSH EAX
00531C6E . EB 58 JMP SHORT 00531CC8
00531C70 > 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20] ; Case 6 of switch 00531B73
00531C73 . 51 PUSH ECX
00531C74 . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531C7A . 3D 004E0500 CMP EAX, 54E00
00531C7F . 0F84 9C010000 JE 00531E21 ; change JE to JMP
00531C85 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531C88 . 85C0 TEST EAX, EAX
00531C8A . 75 12 JNZ SHORT 00531C9E
00531C8C > 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28]
00531C8F . 52 PUSH EDX
00531C90 . 68 A8784000 PUSH 004078A8
00531C95 . FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>; MSVBVM60.__vbaNew2
00531C9B . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531C9E > 8BF0 MOV ESI, EAX
00531CA0 . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00531CA2 . 50 PUSH EAX
00531CA3 . FF51 20 CALL DWORD PTR DS:[ECX+20]
00531CA6 . DBE2 FCLEX
00531CA8 . 85C0 TEST EAX, EAX
00531CAA . 0F8D 71010000 JGE 00531E21
00531CB0 . 6A 20 PUSH 20
00531CB2 . 68 64C24100 PUSH 0041C264
00531CB7 . 56 PUSH ESI
00531CB8 . 50 PUSH EAX
00531CB9 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00531CBF . E9 5D010000 JMP 00531E21
00531CC4 > 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20] ; Cases 4,7 of switch 00531B73
00531CC7 . 52 PUSH EDX
00531CC8 > FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531CCE . 3D 004E0500 CMP EAX, 54E00
00531CD3 . 0F84 48010000 JE 00531E21 ; change JE to JMP
00531CD9 . E9 3D010000 JMP 00531E1B
00531CDE > DD05 885F4000 FLD QWORD PTR DS:[405F88] ; Case 8 of switch 00531B73
00531CE4 . E8 1B4AEDFF CALL
00531CE9 . DD5D A0 FSTP QWORD PTR SS:[EBP-60]
00531CEC . 8B45 E0 MOV EAX, DWORD PTR SS:[EBP-20]
00531CEF . 50 PUSH EAX
00531CF0 . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531CF6 . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88], EAX
00531CFC . DB85 78FFFFFF FILD DWORD PTR SS:[EBP-88]
00531D02 . DD9D 70FFFFFF FSTP QWORD PTR SS:[EBP-90]
00531D08 . 68 00805840 PUSH 40588000
00531D0D . 6A 00 PUSH 0
00531D0F . DD45 A0 FLD QWORD PTR SS:[EBP-60]
00531D12 . FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFP>; MSVBVM60.__vbaFPInt
00531D18 . 83EC 08 SUB ESP, 8
00531D1B . DD1C24 FSTP QWORD PTR SS:[ESP]
00531D1E . FF15 94124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPo>; MSVBVM60.__vbaPowerR8
00531D24 . DC0D 805F4000 FMUL QWORD PTR DS:[405F80]
00531D2A . FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFp>; MSVBVM60.__vbaFpR8
00531D30 . DC9D 70FFFFFF FCOMP QWORD PTR SS:[EBP-90]
00531D36 . DFE0 FSTSW AX
00531D38 . F6C4 40 TEST AH, 40
00531D3B . 75 07 JNZ SHORT 00531D44
00531D3D . B8 01000000 MOV EAX, 1
00531D42 . EB 02 JMP SHORT 00531D46
00531D44 > 33C0 XOR EAX, EAX
00531D46 > F7D8 NEG EAX
00531D48 . 66:85C0 TEST AX, AX
00531D4B . 0F84 D0000000 JE 00531E21 ; change JE to JMP
00531D51 . E9 C5000000 JMP 00531E1B
00531D56 > DD05 885F4000 FLD QWORD PTR DS:[405F88] ; Case 9 of switch 00531B73
00531D5C . E8 A349EDFF CALL
00531D61 . DD5D A0 FSTP QWORD PTR SS:[EBP-60]
00531D64 . 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
00531D67 . 51 PUSH ECX
00531D68 . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531D6E . 8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94], EAX
00531D74 . DB85 6CFFFFFF FILD DWORD PTR SS:[EBP-94]
00531D7A . DD9D 64FFFFFF FSTP QWORD PTR SS:[EBP-9C]
00531D80 . 68 00805840 PUSH 40588000
00531D85 . 6A 00 PUSH 0
00531D87 . DD45 A0 FLD QWORD PTR SS:[EBP-60]
00531D8A . FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFP>; MSVBVM60.__vbaFPInt
00531D90 . 83EC 08 SUB ESP, 8
00531D93 . DD1C24 FSTP QWORD PTR SS:[ESP]
00531D96 . FF15 94124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPo>; MSVBVM60.__vbaPowerR8
00531D9C . DC0D 805F4000 FMUL QWORD PTR DS:[405F80]
00531DA2 . FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFp>; MSVBVM60.__vbaFpR8
00531DA8 . DC9D 64FFFFFF FCOMP QWORD PTR SS:[EBP-9C]
00531DAE . DFE0 FSTSW AX
00531DB0 . F6C4 40 TEST AH, 40
00531DB3 . 75 07 JNZ SHORT 00531DBC
00531DB5 . B8 01000000 MOV EAX, 1
00531DBA . EB 02 JMP SHORT 00531DBE
00531DBC > 33C0 XOR EAX, EAX
00531DBE > F7D8 NEG EAX
00531DC0 . 66:85C0 TEST AX, AX
00531DC3 . 74 5C JE SHORT 00531E21 ; change JE to JMP
00531DC5 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531DC8 . 85C0 TEST EAX, EAX
00531DCA . 75 12 JNZ SHORT 00531DDE
00531DCC . 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28]
00531DCF . 52 PUSH EDX
00531DD0 > 68 A8784000 PUSH 004078A8
00531DD5 . FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>; MSVBVM60.__vbaNew2
00531DDB . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531DDE > 8BF0 MOV ESI, EAX
00531DE0 . 8B08 MOV ECX, DWORD PTR DS:[EAX]
00531DE2 . 50 PUSH EAX
00531DE3 . FF51 20 CALL DWORD PTR DS:[ECX+20]
00531DE6 . DBE2 FCLEX
00531DE8 . 85C0 TEST EAX, EAX
00531DEA . 7D 35 JGE SHORT 00531E21
00531DEC . 6A 20 PUSH 20
00531DEE . 68 64C24100 PUSH 0041C264
00531DF3 . 56 PUSH ESI
00531DF4 . 50 PUSH EAX
00531DF5 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00531DFB . EB 24 JMP SHORT 00531E21
00531DFD > 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20] ; Case 0 of switch 00531B73
00531E00 . 52 PUSH EDX
00531E01 . FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>; MSVBVM60.rtcFileLen
00531E07 . 3D 004E0500 CMP EAX, 54E00
00531E0C . 74 13 JE SHORT 00531E21 ; change JE to JMP
00531E0E . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
00531E11 . 85C0 TEST EAX, EAX
00531E13 .^ 75 C9 JNZ SHORT 00531DDE
00531E15 . 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28]
00531E18 . 50 PUSH EAX
00531E19 .^ EB B5 JMP SHORT 00531DD0
00531E1B > FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEn>; landing here also shuts the machine down
00531E21 > FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEx>; landing here is the correct path
00531E27 . 9B WAIT
00531E28 . 68 6C1E5300 PUSH 00531E6C
00531E2D . EB 2A JMP SHORT 00531E59
......
From the start of this code you can see that it first generates a random number and then jumps to a different branch depending on it. The program may therefore break at any one of the CALL DWORD PTR DS:[<&MSVBVM60.rtcFile> sites above. Stepping with F8 shows that what follows decides life or death based on the returned file size: if it does not match, it shuts your machine down, no negotiation. So we need to modify the jumps above so that they all go to the correct place, and remember to save afterwards. See the comments above for the details (seven changes in total).
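As an added illustration that is not part of the original post, the following Python models the tamper check the listing shows: a random case 0..9 is chosen, yet every branch ends in the same predicate, rtcFileLen equal to 0x54E00 bytes (cases 8 and 9 go through a floating-point computation whose constants at 405F80/405F88 are not on the page; the model assumes they reduce to the same length test). It also contrasts that length check with a content hash to show why file size alone is a weak integrity control: a same-size in-place modification passes the first and fails the second.

```python
import hashlib
import random

# Constant compared against the rtcFileLen result in the listing (347648 bytes).
EXPECTED_LEN = 0x54E00


def size_check(file_len: int, case: int) -> str:
    """Model of the switch at 00531B73 (cases 0..9 selected from rtcRand * 10).

    Cases 0-7 compare rtcFileLen with 0x54E00 directly. Cases 8 and 9 use
    __vbaPowerR8/FCOMP with constants not visible on the page and are
    assumed here to be the same length test. Returns the branch the listing
    labels: the 00531E21 exit ("exit_ok") or the shutdown path ("shutdown").
    """
    if not 0 <= case <= 9:
        return "exit_ok"  # JA 00531E21: out-of-range cases go straight to the exit
    # Ten branches, one predicate: the randomisation adds no extra protection.
    return "exit_ok" if file_len == EXPECTED_LEN else "shutdown"


def randomized_check(file_len: int, seed: int) -> str:
    """rtcRand -> FMUL 10 -> truncate to integer -> dispatch, as in the listing."""
    case = int(random.Random(seed).random() * 10)  # rtcRand yields [0, 1)
    return size_check(file_len, case)


def content_check(data: bytes, expected_digest: str) -> str:
    """A stronger control the program does not use: compare a SHA-256 of the contents."""
    return "exit_ok" if hashlib.sha256(data).hexdigest() == expected_digest else "shutdown"


def compare_controls() -> dict:
    """Constructed demo: an original image of the expected length and a copy with
    one byte changed in place (same length, different contents)."""
    original = bytes(EXPECTED_LEN)            # constructed stand-in for the file
    reference_digest = hashlib.sha256(original).hexdigest()
    modified = bytearray(original)
    modified[0x100] ^= 0xFF                   # same size, altered content
    return {
        "length_check_on_modified": size_check(len(modified), 2),
        "hash_check_on_modified": content_check(bytes(modified), reference_digest),
    }
```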
To use this software without registering I went through a lot of trouble; after finding this article on 看雪 I reposted it here so we can all learn from it.