Forcing 木马克星 (minors keep out)

Author: anonymous   Source: reposted   Published: 2005-10-30 9:13:07   Posted by: 黑客动画吧
By leozem. Please credit the source when reposting.

I posted the algorithm before, so there is no point writing it up again; this time I mainly want to talk about how to get updates working.

Since I promised the author last time that I would stop cracking it, my 9.99++ updatable version has not been updated (don't think the author and I have something going; I swear to Chairman Mao, I'm innocent). Who knew that a couple of days ago, browsing his site, I would find him claiming on his forum that he had blocked all my cracked versions (what a petty man), and boasting how strong the encryption in his current version is, inviting everyone to crack it. So I downloaded the 0301 build, took a look, and while still tipsy wrote up the process of forcing it. The real experts will laugh at me.

The difference between the 0301 build and his earlier versions is that the update address is now encrypted. The update address is http://www.luosoft.com/cgi-bin/test.pl?name=username; if the username is not in his server's list, it displays NO OK and the software tells you that you are not a registered user. If the username is correct, you get back the address of a virus-database file; according to him, the database address changes every 30 minutes (truly perverse).

What we can do now is replace his update address with our own server's address, so that the software authenticates against our server and gets the virus-database file from there. But his update address appears as "Fn2yhGnF7PxJGNVN4g6IinGmjFDbkxlXXTpPy0ZkMN6UvUS9Ipls24II"; it is only restored to http://www.luosoft.com/cgi-bin/test.pl?name= at run time, after passing through thousands of lines of a perverse algorithm, and finally stored in the [edx] below.

Original file:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4B79(C)
|
:004B4B38 8A06 mov al, byte ptr [esi]
:004B4B3A 8845F7 mov byte ptr [ebp-09], al
:004B4B3D 8B4B34 mov ecx, dword ptr [ebx+34]
:004B4B40 8B5330 mov edx, dword ptr [ebx+30]
:004B4B43 8BC3 mov eax, ebx
:004B4B45 8B38 mov edi, dword ptr [eax]
:004B4B47 FF5760 call [edi+60]
:004B4B4A 8B4334 mov eax, dword ptr [ebx+34]
:004B4B4D 8A00 mov al, byte ptr [eax]
:004B4B4F 3206 xor al, byte ptr [esi]
:004B4B51 8B55F8 mov edx, dword ptr [ebp-08]
:004B4B54 8802 mov byte ptr [edx], al------after the unknown thousands of lines of perverse algorithm, the final update address is placed in [edx]; this is where we change it.
:004B4B56 8B4B38 mov ecx, dword ptr [ebx+38]
:004B4B59 49 dec ecx
:004B4B5A 8B5330 mov edx, dword ptr [ebx+30]
:004B4B5D 8B4330 mov eax, dword ptr [ebx+30]
:004B4B60 40 inc eax
:004B4B61 E862DEF4FF call 004029C8
:004B4B66 8B4330 mov eax, dword ptr [ebx+30]
:004B4B69 034338 add eax, dword ptr [ebx+38]
:004B4B6C 48 dec eax
:004B4B6D 8A55F7 mov dl, byte ptr [ebp-09]
:004B4B70 8810 mov byte ptr [eax], dl
:004B4B72 46 inc esi
:004B4B73 FF45F8 inc [ebp-08]
:004B4B76 FF4DF0 dec [ebp-10]
:004B4B79 75BD jne 004B4B38
:004B4B7B 5F pop edi
:004B4B7C 5E pop esi
:004B4B7D 5B pop ebx
:004B4B7E 8BE5 mov esp, ebp
:004B4B80 5D pop ebp
:004B4B81 C20400 ret 0004

Patched code:

:004B4B0A 807B2400 cmp byte ptr [ebx+24], 00
:004B4B0E 7516 jne 004B4B26
* Possible StringData Ref from Code Obj ->"Cipher not initialized"
|
:004B4B10 B98C4B4B00 mov ecx, 004B4B8C
:004B4B15 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"EDCP_blockcipher"
|
:004B4B17 A1C4404B00 mov eax, dword ptr [004B40C4]
:004B4B1C E83780F5FF call 0040CB58
:004B4B21 E832EEF4FF call 00403958
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4B0E(C)
|
:004B4B26 B868747470 mov eax, 70747468
:004B4B2B 8902 mov dword ptr [edx], eax
:004B4B2D B83A2F2F66 mov eax, 662F2F3A
:004B4B32 894204 mov dword ptr [edx+04], eax
:004B4B35 B87265652E mov eax, 2E656572
:004B4B3A 894208 mov dword ptr [edx+08], eax
:004B4B3D B868626973 mov eax, 73696268
:004B4B42 89420C mov dword ptr [edx+0C], eax
:004B4B45 B8702E636F mov eax, 6F632E70
:004B4B4A 894210 mov dword ptr [edx+10], eax
:004B4B4D B86D2F6C65 mov eax, 656C2F6D
:004B4B52 894214 mov dword ptr [edx+14], eax
:004B4B55 B86F7A656D mov eax, 6D657A6F
:004B4B5A 894218 mov dword ptr [edx+18], eax
:004B4B5D B82F736865 mov eax, 6568732F
:004B4B62 89421C mov dword ptr [edx+1C], eax
:004B4B65 B86E676A69 mov eax, 696A676E
:004B4B6A 894220 mov dword ptr [edx+20], eax
:004B4B6D B82E617370 mov eax, 7073612E
:004B4B72 894224 mov dword ptr [edx+24], eax
:004B4B75 B83F6D7A3D mov eax, 3D7A6D3F
:004B4B7A 894228 mov dword ptr [edx+28], eax
:004B4B7D 5B pop ebx
:004B4B7E 8BE5 mov esp, ebp
:004B4B80 5D pop ebp
:004B4B81 C20400 ret 0004

The code above writes my update address, http://free.hbisp.com/leozem/shengji.asp?mz=, in its place; dword ptr [edx] is where his final update address is stored.

Next, how to build the update server: open Notepad, type in the code, then save it as shengji.asp and put it on your server. There are many ways to obtain his virus-database file; I won't go into that here.

:005434B8 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:005434BE 8B8010010100 mov eax, dword ptr [eax+00010110]
* Possible StringData Ref from Code Obj ->"no ok"
|
:005434C4 BA80365400 mov edx, 00543680
:005434C9 E8060EECFF call 004042D4---does it display "NO OK"?
:005434CE 753D jne 0054350D-----if not, download the update file from the update address that was returned.
:005434D0 33D2 xor edx, edx
:005434D2 A1C8375800 mov eax, dword ptr [005837C8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0054348F(C)
|
:005434D7 8B08 mov ecx, dword ptr [eax]
:005434D9 FF515C call [ecx+5C]
:005434DC A16CA65600 mov eax, dword ptr [0056A66C]
:005434E1 803800 cmp byte ptr [eax], 00---is this the English version? if so, jump
:005434E4 740C je 005434F2
* Possible StringData Ref from Code Obj ->"服务器认证错误!你不是合法用户."
|
:005434E6 B890365400 mov eax, 00543690
:005434EB E89087F1FF call 0045BC80
:005434F0 EB0A jmp 005434FC

His earlier versions needed a network connection while scanning for trojans, but this version does not. Maybe he was so busy dealing with me, spending all day on encryption research, that he overlooked this; the server authentication used during scanning is still present in the code. Damn, this version even has my name inside the software. What is he up to? I'm not scared of you; my hard drive is still under warranty, heh.

* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E89A B874EE5500 mov eax, 0055EE74
:0055E89F E80C5CEAFF call 004044B0---at startup it checks whether the software contains "loezem"; I guess he is afraid I will modify his program, but what is infuriating is that he wrote my "leozem" as "loezem". If the software contains "loezem" it only reports an error; fortunately it does not format my disk.
:0055E8A4 85C0 test eax, eax
:0055E8A6 0F8F25050000 jg 0055EDD1
:0055E8AC 8D55E8 lea edx, dword ptr [ebp-18]
:0055E8AF A11C385800 mov eax, dword ptr [0058381C]
:0055E8B4 E8DB79EDFF call 00436294
:0055E8B9 8B45E8 mov eax, dword ptr [ebp-18]
:0055E8BC 8D55EC lea edx, dword ptr [ebp-14]
:0055E8BF E8B8A7EAFF call 0040907C
:0055E8C4 8B55EC mov edx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E8C7 B874EE5500 mov eax, 0055EE74
:0055E8CC E8DF5BEAFF call 004044B0
:0055E8D1 85C0 test eax, eax
:0055E8D3 0F8FF8040000 jg 0055EDD1
:0055E8D9 8D55E0 lea edx, dword ptr [ebp-20]
:0055E8DC A11C385800 mov eax, dword ptr [0058381C]
:0055E8E1 E8AE79EDFF call 00436294
:0055E8E6 8B45E0 mov eax, dword ptr [ebp-20]
:0055E8E9 8D55E4 lea edx, dword ptr [ebp-1C]
:0055E8EC E88BA7EAFF call 0040907C
:0055E8F1 8B55E4 mov edx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E8F4 B874EE5500 mov eax, 0055EE74
:0055E8F9 E8B25BEAFF call 004044B0
:0055E8FE 85C0 test eax, eax
:0055E900 0F8FCB040000 jg 0055EDD1
:0055E906 8D55D8 lea edx, dword ptr [ebp-28]
:0055E909 A11C385800 mov eax, dword ptr [0058381C]
:0055E90E E88179EDFF call 00436294
:0055E913 8B45D8 mov eax, dword ptr [ebp-28]
:0055E916 8D55DC lea edx, dword ptr [ebp-24]
:0055E919 E85EA7EAFF call 0040907C
:0055E91E 8B55DC mov edx, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E921 B874EE5500 mov eax, 0055EE74
:0055E926 E8855BEAFF call 004044B0
:0055E92B 85C0 test eax, eax
:0055E92D 0F8F9E040000 jg 0055EDD1
:0055E933 8D55D0 lea edx, dword ptr [ebp-30]
:0055E936 A11C385800 mov eax, dword ptr [0058381C]
:0055E93B E85479EDFF call 00436294
:0055E940 8B45D0 mov eax, dword ptr [ebp-30]
:0055E943 8D55D4 lea edx, dword ptr [ebp-2C]
:0055E946 E831A7EAFF call 0040907C
:0055E94B 8B55D4 mov edx, dword ptr [ebp-2C]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E94E B884EE5500 mov eax, 0055EE84
:0055E953 E8585BEAFF call 004044B0----does the software contain "破解" (crack)?
:0055E958 85C0 test eax, eax
:0055E95A 0F8F71040000 jg 0055EDD1
:0055E960 8D55C8 lea edx, dword ptr [ebp-38]
:0055E963 A11C385800 mov eax, dword ptr [0058381C]
:0055E968 E82779EDFF call 00436294
:0055E96D 8B45C8 mov eax, dword ptr [ebp-38]
:0055E970 8D55CC lea edx, dword ptr [ebp-34]
:0055E973 E804A7EAFF call 0040907C
:0055E978 8B55CC mov edx, dword ptr [ebp-34]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E97B B884EE5500 mov eax, 0055EE84
:0055E980 E82B5BEAFF call 004044B0
:0055E985 85C0 test eax, eax
:0055E987 0F8F44040000 jg 0055EDD1
:0055E98D 8D55C0 lea edx, dword ptr [ebp-40]
:0055E990 A11C385800 mov eax, dword ptr [0058381C]
:0055E995 E8FA78EDFF call 00436294
:0055E99A 8B45C0 mov eax, dword ptr [ebp-40]
:0055E99D 8D55C4 lea edx, dword ptr [ebp-3C]
:0055E9A0 E8D7A6EAFF call 0040907C
:0055E9A5 8B55C4 mov edx, dword ptr [ebp-3C]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E9A8 B884EE5500 mov eax, 0055EE84
:0055E9AD E8FE5AEAFF call 004044B0
:0055E9B2 85C0 test eax, eax
:0055E9B4 0F8F17040000 jg 0055EDD1
:0055E9BA B201 mov dl, 01

Next, the trojan-removal authentication in his earlier versions. Since I can no longer find the old version, I can only describe it from memory.

1. It takes the local path of the detected trojan (say the trojan is at D:\SS\ss.eXE) and sends http://www.luosoft.com/cgi-bin/iparmor1.pl?name=username!D:\SS\ss.eXE. If the username is not on his server, the response is NO OK; if it is, the server returns D:\SS\ss.eXE, and the software then deletes D:\SS\ss.eXE.
2. If the response is NO OK, the software says you are not a registered user and deletes your registration entry from the registry.
3. If what comes back is not D:\SS\ss.eXE, the software deletes whatever was returned.
4. If the response is empty, it displays "从起计算机才能策底清除木马" (restart the computer to completely remove the trojan). This is just toying with you.

But this method has a bug: when the filename contains %20, the file cannot be deleted, because in a URL %20 becomes a space.

Workaround: open Notepad and type in the following code:

<% response.write request("name") %>

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C55E(C)
|
:0055C5D3 8BC6 mov eax, esi
:0055C5D5 E8BA9CEDFF call 00436294
:0055C5DA 8B45F0 mov eax, dword ptr [ebp-10]-----the serial number goes into EAX
:0055C5DD 8D55F4 lea edx, dword ptr [ebp-0C]
:0055C5E0 E89FCCEAFF call 00409284
:0055C5E5 8B55F4 mov edx, dword ptr [ebp-0C]
:0055C5E8 8BC6 mov eax, esi
:0055C5EA E8D59CEDFF call 004362C4
:0055C5EF 8D95E8FEFFFF lea edx, dword ptr [ebp+FFFFFEE8]
:0055C5F5 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0055C5FB E8949CEDFF call 00436294
:0055C600 8B85E8FEFFFF mov eax, dword ptr [ebp+FFFFFEE8]
:0055C606 8D95ECFEFFFF lea edx, dword ptr [ebp+FFFFFEEC]
:0055C60C E82FCAEAFF call 00409040-----lowercase to uppercase
:0055C611 8B95ECFEFFFF mov edx, dword ptr [ebp+FFFFFEEC]
:0055C617 8D85F0FEFFFF lea eax, dword ptr [ebp+FFFFFEF0]
:0055C61D B9FF000000 mov ecx, 000000FF
:0055C622 E8797BEAFF call 004041A0
:0055C627 8D95F0FEFFFF lea edx, dword ptr [ebp+FFFFFEF0]
:0055C62D 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0055C633 E88435F5FF call 004AFBBC-----the CALL that generates the key value; step into it with F7 to get the key number 1D6E1D4F
:0055C638 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:0055C63E 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0055C644 E84B9CEDFF call 00436294
:0055C649 8B85E4FEFFFF mov eax, dword ptr [ebp+FFFFFEE4]
:0055C64F 50 push eax
:0055C650 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0055C656 8B8024020000 mov eax, dword ptr [eax+00000224]
:0055C65C 05EA040000 add eax, 000004EA
:0055C661 99 cdq
:0055C662 33C2 xor eax, edx
:0055C664 2BC2 sub eax, edx
:0055C666 8D95E0FEFFFF lea edx, dword ptr [ebp+FFFFFEE0]
:0055C66C E8C7CDEAFF call 00409438----converts 1D6E2239 to decimal
:0055C671 8B95E0FEFFFF mov edx, dword ptr [ebp+FFFFFEE0]
:0055C677 58 pop eax-------the fake code is popped off the stack
:0055C678 E8577CEAFF call 004042D4---the CALL that compares the registration codes; trace into it further
:0055C67D 0F85E5000000 jne 0055C768----the key jump
:0055C683 6A00 push 00000000
:0055C685 8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:0055C68B 50 push eax
:0055C68C 8D95D8FEFFFF lea edx, dword ptr [ebp+FFFFFED8]
:0055C692 A15CA65600 mov eax, dword ptr [0056A65C]
:0055C697 8B00 mov eax, dword ptr [eax]
:0055C699 E8F69BEDFF call 00436294
:0055C69E 8B8DD8FEFFFF mov ecx, dword ptr [ebp+FFFFFED8]
:0055C6A4 A190A05600 mov eax, dword ptr [0056A090]
:0055C6A9 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"未注册"
|
:0055C6AB BA18C85500 mov edx, 0055C818
:0055C6B0 E8D3A2F7FF call 004D6988
:0055C6B5 8B95DCFEFFFF mov edx, dword ptr [ebp+FFFFFEDC]
:0055C6BB A15CA65600 mov eax, dword ptr [0056A65C]
:0055C6C0 8B00 mov eax, dword ptr [eax]
:0055C6C2 E8FD9BEDFF call 004362C4
:0055C6C7 6A00 push 00000000
:0055C6C9 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:0055C6CF 50 push eax
:0055C6D0 8D95D0FEFFFF lea edx, dword ptr [ebp+FFFFFED0]
:0055C6D6 A15CA65600 mov eax, dword ptr [0056A65C]
:0055C6DB 8B00 mov eax, dword ptr [eax]
:0055C6DD E8B29BEDFF call 00436294
:0055C6E2 8B8DD0FEFFFF mov ecx, dword ptr [ebp+FFFFFED0]
:0055C6E8 A190A05600 mov eax, dword ptr [0056A090]
:0055C6ED 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:0055C6EF BA28C85500 mov edx, 0055C828
:0055C6F4 E88FA2F7FF call 004D6988
:0055C6F9 8B95D4FEFFFF mov edx, dword ptr [ebp+FFFFFED4]
:0055C6FF A15CA65600 mov eax, dword ptr [0056A65C]
:0055C704 8B00 mov eax, dword ptr [eax]
:0055C706 E8B99BEDFF call 004362C4
:0055C70B 803D0D38580000 cmp byte ptr [0058380D], 00
:0055C712 740C je 0055C720
* Possible StringData Ref from Code Obj ->"注册成功,请牢记自己的注册信息,如果遗失我们不提"
->"供找回服务!"
|
:0055C714 B840C85500 mov eax, 0055C840
:0055C719 E862F5EFFF call 0045BC80
:0055C71E EB0A jmp 0055C72A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C712(C)
|
* Possible StringData Ref from Code Obj ->"Register ok!"
|
:0055C720 B884C85500 mov eax, 0055C884
:0055C725 E856F5EFFF call 0045BC80
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C71E(U)
|
:0055C72A E8FDFBFFFF call 0055C32C
:0055C72F 33D2 xor edx, edx
:0055C731 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:0055C737 E8709AEDFF call 004361AC
:0055C73C 33D2 xor edx, edx
:0055C73E 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0055C744 E8639AEDFF call 004361AC
:0055C749 33D2 xor edx, edx
:0055C74B 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:0055C751 E8569AEDFF call 004361AC
* Possible StringData Ref from Code Obj ->"registed"
|
:0055C756 BA9CC85500 mov edx, 0055C89C
:0055C75B 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:0055C761 E85E9BEDFF call 004362C4
:0055C766 EB1F jmp 0055C787
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C67D(C)
|
:0055C768 803D0D38580000 cmp byte ptr [0058380D], 00
:0055C76F 740C je 0055C77D
* Possible StringData Ref from Code Obj ->"注册失败!"
|
:0055C771 B8B0C85500 mov eax, 0055C8B0
:0055C776 E805F5EFFF call 0045BC80
:0055C77B EB0A jmp 0055C787

This applies to the current update method, though the new version has some changes. Since 木马克星 is such garbage, it is not worth cracking anyway. I recommend using KV, Rising, Kingsoft and the like instead. With KV you don't need any patch; just block two IPs and you can update with peace of mind.
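The update-address patch and the replacement shengji.asp / iparmor1.pl servers described above both work for the same reason: the client trusts whatever the server at the decoded address returns, and the only thing protecting that address is an obfuscation which the running program undoes by itself. Hiding a URL is not an integrity control. What would actually defeat a substituted server is a signature on the database file, verified with a publisher public key built into the client, so that a patched address or a fake server can only deliver payloads the client rejects. The Go program below is an added example of such a check; it is not code from 木马克星 or from this article, and the update format it assumes (database bytes plus a detached Ed25519 signature, sample database text constructed inline) is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is the assumed wire format for this example: the raw database bytes
// and a detached Ed25519 signature over exactly those bytes.
type Update struct {
	Database  []byte
	Signature []byte
}

// SignUpdate is the publisher side. The private key stays with the publisher
// and never ships inside the client, unlike an obfuscated URL.
func SignUpdate(priv ed25519.PrivateKey, db []byte) Update {
	return Update{Database: db, Signature: ed25519.Sign(priv, db)}
}

// VerifyUpdate is the client side: accept the database only if the signature
// verifies under the publisher key compiled into the client. Where the bytes
// came from (which server, which URL) plays no part in the decision.
func VerifyUpdate(pub ed25519.PublicKey, u Update) ([]byte, error) {
	// ed25519.Verify panics on a wrong-length public key, so check it first.
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("bad publisher key length")
	}
	if !ed25519.Verify(pub, u.Database, u.Signature) {
		return nil, errors.New("signature mismatch: update rejected")
	}
	return u.Database, nil
}

// Demo runs three deliveries against one client key and reports which were
// accepted: (genuine, forged by a server without the publisher key, tampered).
func Demo() (genuineOK, forgedOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample database content for the example.
	db := []byte("sample-db build 0301: one detection entry")

	genuine := SignUpdate(priv, db)
	_, err1 := VerifyUpdate(pub, genuine)

	// A substituted server has its own key pair but not the publisher's.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := SignUpdate(otherPriv, []byte("replacement db from another server"))
	_, err2 := VerifyUpdate(pub, forged)

	// Genuine signature reused over modified bytes.
	tampered := Update{
		Database:  append([]byte("x"), db...),
		Signature: genuine.Signature,
	}
	_, err3 := VerifyUpdate(pub, tampered)

	return err1 == nil, err2 == nil, err3 == nil
}

func main() {
	g, f, t := Demo()
	fmt.Printf("genuine accepted=%v forged accepted=%v tampered accepted=%v\n", g, f, t)
}
```

With this in place the username lookup on the update server becomes a licensing question only; the integrity of the virus database no longer depends on the client reaching the right host, and blocking or redirecting the update address gains an attacker nothing beyond denial of updates.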