Bypassing Rising's Network Update Verification
Exams were over and I was a bit bored, so I looked into the update system of Rising 2006. I came away with some findings and am sharing them here.
Capturing and Analyzing Network Packets
The prerequisite is that you have a genuine KEY to use for comparison. Open the firewall and delete the rule for SmartUp.exe (this is useful later). Now, using the genuine KEY, click Update; the firewall prompts about network access. Open WINSockExpert, select the SmartUp process and monitor its data, then tell the firewall to allow network access.
Let's look at the data we captured.
GET /register/pcver/autoupgradepad/ver2006/NewVer.asp?tag=&exp=0 HTTP/1.1 ; verification begins
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98; Rising)
Host: update.rising.com.cn
Connection: Keep-Alive
GET /register/PcVer/AutoUpgradePad/ver2006/PcVerLayerRequest.asp?Product=278921232132&Ver=18.51.42 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98; Rising)
Host: update.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDAQBARTQT=JOGJHFLDIKLFGBMNOOMCHFDA
Object moved
Object MovedThis object may be found here.
GET /register/pcver/autoupgradePad/ver2006/PcVerRequestUpgrade.asp?Ver=18.51.42&Info=C8zxN3MDAF21321321321321321321GwgODAodaRUaGVIQfVZbUAUcfVNRT2FMIwgHCENIclJ32133123213
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98; Rising)
Host: 219.238.233.223
Connection: Keep-Alive
GET /register/pcver/autoupgradePad/ver2006/PcVerRequestUpgrade.asp?Ver=18.51.42&Info=C8zx1321321321YaRI213213213MiPxpuHVcuIHkABVcxUGQeYlkvL3213213Kj4sH1JfGwgODAodaRUaGVI213213MIwgHCENIclJSXg4asw== HTTP/1.1 ; by this point verification has already passed
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98; Rising)
Host: 219.238.233.223
Connection: Keep-Alive
Some unimportant information is omitted.
Finally, the captured update file information; at this point our packet capture is done.
http://download.rising.com.cn/re ... pad/pcver2006new/CompsVer18.53.42.inf
Debugging and Analyzing the Update Program
We know Rising's update program is SmartUp. Load it in OllyDbg (OD), right-click to analyze, and look for the key information.
004115A3 E8 C4060100 call
004115A8 8B55 00 mov edx,dword ptr ss:[ebp]
004115AB 68 10334300 push SmartUp.00433310 ; ASCII
;"CompsVer.inf" ; get the local path
004115B0 52 push edx
004115B1 8D4424 18 lea eax,dword ptr ss:[esp+18]
004115B5 68 70324300 push SmartUp.00433270 ; ASCII "%s\%s"
004115BA 50 push eax
004115BB C74424 44 00000>mov dword ptr ss:[esp+44],0
004115C3 E8 1C070100 call
004115C8 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
004115CC 83C4 10 add esp,10
004115CF 8DBE 84070000 lea edi,dword ptr ds:[esi+784]
004115D5 51 push ecx
004115D6 6A 20 push 20
004115D8 6A 20 push 20
004115DA 8BCF mov ecx,edi
004115DC E8 3F070100 call
004115E1 50 push eax
004115E2 68 F8324300 push SmartUp.004332F8 ; ASCII "18.00"
004115E7 68 F0324300 push SmartUp.004332F0 ; ASCII "Version"
004115EC 68 E0414300 push SmartUp.004341E0 ; ASCII "Update"
004115F1 FF15 ECC04200 call dword ptr ds:[<&KERNEL32.G>;
kernel32.GetPrivateProfileStringA ; get the local update version number; the code below checks whether it is the latest version
004115F7 6A FF push -1
004115F9 8BCF mov ecx,edi
004115FB E8 1A070100 call
00411600 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00411604 E8 63060100 call
00411609 8B13 mov edx,dword ptr ds:[ebx]
0041160B 68 10334300 push SmartUp.00433310 ; ASCII
"CompsVer.inf"
00411610 52 push edx
00411611 8D4424 18 lea eax,dword ptr ss:[esp+18]
00411615 68 70324300 push SmartUp.00433270 ; ASCII "%s\%s"
0041161A 50 push eax
0041161B C64424 44 01 mov byte ptr ss:[esp+44],1
00411620 E8 BF060100 call
00411625 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
00411629 83C4 10 add esp,10
0041162C 51 push ecx
0041162D 6A 20 push 20
0041162F 6A 20 push 20
00411631 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00411635 E8 E6060100 call
0041163A 50 push eax
0041163B 68 F8324300 push SmartUp.004332F8 ; ASCII "18.00"
00411640 68 F0324300 push SmartUp.004332F0 ; ASCII "Version"
00411645 68 E0414300 push SmartUp.004341E0 ; ASCII "Update"
0041164A FF15 ECC04200 call dword ptr ds:[<&KERNEL32.G>;
kernel32.GetPrivateProfileStringA
00411650 6A FF push -1
00411652 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00411656 E8 BF060100 call
0041165B 8B3F mov edi,dword ptr ds:[edi]
0041165D 8B5424 18 mov edx,dword ptr ss:[esp+18]
00411661 57 push edi
00411662 52 push edx
00411663 FF15 54C44200 call dword ptr ds:[<&MSVCRT._mb>;
msvcrt._mbscmp
00411669 83C4 08 add esp,8
0041166C 85C0 test eax,eax
...........................................
00407601 BF 98364300 mov edi,SmartUp.00433698 ; ASCII "&sn="
; here EBP = serial number, EBX = ID
00407606 F2:AE repne scas byte ptr es:[edi]
00407608 F7D1 not ecx
0040760A 2BF9 sub edi,ecx
0040760C 8BF7 mov esi,edi
0040760E 8BD1 mov edx,ecx
00407610 83C9 FF or ecx,FFFFFFFF
----
Here is where it starts; this is the key part, so pay attention.
0040C4E4 50 push eax
EAX=11EFADC, http://download.rising.com.cn/register/pcver/autoupgradepad/pcver2006new/?Info=MIGIAkIBOFxRs/mtaetkR/YB (remainder omitted; this information is very important!)
0040C4E5 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
[esp+14] becomes http://download.rising.com.cn/re ... epad/pcver2006new/?Info=MIGIAkIBOFxRs/mtaetkR/YB (remainder omitted)
0040C4E9 E8 78570100 call
0040C4EE 8B86 74070000 mov eax,dword ptr ds:[esi+774]
0040C4F4 85C0 test eax,eax
0040C4F6 0F85 32080000 jnz SmartUp.0040CD2E ; not taken
0040C4FC 8B56 20 mov edx,dword ptr ds:[esi+20]
0040C4FF 6A 00 push 0
...
0040C531 50 push eax
0040C532 51 push ecx
0040C533 FF15 98C04200 call dword ptr ds:[<&KERNEL32.l>;
kernel32.lstrcpyA
0040C539 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040C53D E8 56580100 call
0040C542 68 C83D4300 push SmartUp.00433DC8 ; ASCII
"notuse.asp"
0040C547 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C54B E8 DC570100 call
0040C550 83CB FF or ebx,FFFFFFFF
0040C553 3BC3 cmp eax,ebx
0040C555 74 2A je short SmartUp.0040C581 ; taken
0040C557 68 6FEA0000 push 0EA6F
0040C55C 8BCE mov ecx,esi
0040C55E E8 0D3F0000 call SmartUp.00410470
0040C581 68 B83D4300 push SmartUp.00433DB8 ; ASCII
"toomoreid.asp" ; too many updates
0040C586 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C58A E8 9D570100 call
0040C58F 3BC3 cmp eax,ebx
0040C591 /74 0A je short SmartUp.0040C59D ; taken
0040C593 |68 70EA0000 push 0EA70
0040C598 |E9 84010000 jmp SmartUp.0040C721
0040C59D \68 A83D4300 push SmartUp.00433DA8 ; ASCII
"notthisid.asp" ; wrong ID
0040C5AD /0F84 25010000 je SmartUp.0040C6D8 ; taken
0040C6D8 68 8C3D4300 push SmartUp.00433D8C ; ASCII
"nomatch.asp" ; still verifying
0040C6DD 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C6E1 E8 46560100 call
0040C6E6 3BC3 cmp eax,ebx
0040C6E8 74 07 je short SmartUp.0040C6F1 ; also taken
0040C701 /74 07 je short SmartUp.0040C70A ; taken
0040C703 |68 73EA0000 push 0EA73
0040C708 |EB 17 jmp short SmartUp.0040C721
0040C70A \68 6C3D4300 push SmartUp.00433D6C ; ASCII
"wrongtype.asp"
0040C70F 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C713 E8 14560100 call
0040C718 3BC3 cmp eax,ebx
0040C71A 74 3A je short SmartUp.0040C756 ; taken
0040C75E /0F85 CA010000 jnz SmartUp.0040C92E ; not taken
0040C764 68 5C3D4300 push SmartUp.00433D5C ; ASCII
"notregister.asp"
0040C769 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C76D E8 BA550100 call
0040C772 3BC3 cmp eax,ebx
0040C774 74 63 je short SmartUp.0040C7D9 ; if not taken, not registered
0040C776 81C6 18040000 add esi,418
0040C7E1 /0F85 47010000 jnz SmartUp.0040C92E ; not taken
0040C7E7 |68 3C3D4300 push SmartUp.00433D3C ; ASCII
"overtime.asp"
0040C7EC |8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040C7F0 |E8 37550100 call
0040C7F5 |3BC3 cmp eax,ebx ; eax fff
0040C7F7 |0F84 31010000 je SmartUp.0040C92E ; if not taken, reports the ID as expired
Which brings us here:
0040C92E 8D8424 A4000000 lea eax,dword ptr ss:[esp+A4] ; [ESP+A4]=11EFADC, loaded into EAX: the address seen above
0040C935 6A 3F push 3F ; eax =wanzhi
0040C937 50 push eax
0040C938 FF15 24C44200 call dword ptr ds:[<&MSVCRT._mb>;
msvcrt._mbsrchr
0040C93E 8BF8 mov edi,eax
0040C940 83C4 08 add esp,8
0040C943 33DB xor ebx,ebx
0040C945 85FF test edi,edi
0040C947 0F84 C6030000 je SmartUp.0040CD13 ; if taken, reports a return-info error; in practice this is the info=xxxx after the address
Continuing below:
0040CA80 /0F85 A8020000 jnz SmartUp.0040CD2E ; must not be taken
0040CA86 |8B5424 10 mov edx,dword ptr ss:[esp+10] ; [ESP+10]=11EFADC loaded into EDX (this is the address; after the processing above it has become http://download.rising.com.cn/re ... depad/pcver2006new/ ; compare it with what we captured and you'll see)
0040CA8A |B9 94714300 mov ecx,SmartUp.00437194
0040CA8F |52 push edx
0040CA90 |E8 D1510100 call
0040CA95 |8D4424 10 lea eax,dword ptr ss:[esp+10]
0040CA99 |68 203D4300 push SmartUp.00433D20 ; ASCII
"CompsVer"
0040CA9E |8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040CAA2 |50 push eax
0040CAA3 |51 push ecx
0040CAA4 |E8 8B530100 call
0040CAA9 |8D8E 88070000 lea ecx,dword ptr ds:[esi+788]
0040CAAF |8D5424 20 lea edx,dword ptr ss:[esp+20]
0040CAB3 |51 push ecx
0040CAB4 |50 push eax
0040CAB5 |52 push edx
0040CAB6 |C68424 B8040000>mov byte ptr ss:[esp+4B8],0A
0040CABE |E8 9B530100 call
0040CAC3 |68 183D4300 push SmartUp.00433D18 ; ASCII ".inf"
0040CAC8 |50 push eax
0040CAC9 |8D4424 2C lea eax,dword ptr ss:[esp+2C]
0040CACD |B3 0B mov bl,0B
0040CACF |50 push eax
0040CAD0 |889C24 B8040000 mov byte ptr ss:[esp+4B8],bl
0040CAD7 |E8 58530100 call
0040CADC |50 push eax
0040CADD |8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040CAE1 |C68424 B0040000>mov byte ptr ss:[esp+4B0],0C
0040CAE9 |E8 FC510100 call
0040CAEE |8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040CAF2 |889C24 AC040000 mov byte ptr ss:[esp+4AC],bl
0040CAF9 |E8 62510100 call
0040CAFE |8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040CB02 |C68424 AC040000>mov byte ptr ss:[esp+4AC],0A
0040CB0A |E8 51510100 call
0040CB0F |8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040CB13 |C68424 AC040000>mov byte ptr ss:[esp+4AC],3
0040CB1B |E8 40510100 call
0040CB20 |8D8E 18040000 lea ecx,dword ptr ds:[esi+418]
0040CB26 |68 0C3D4300 push SmartUp.00433D0C ; ASCII
"\Download\"
0040CB2B |8D5424 4C lea edx,dword ptr ss:[esp+4C]
0040CB2F |51 push ecx
0040CB30 |52 push edx
0040CB31 |E8 FE520100 call
0040CB36 |68 10334300 push SmartUp.00433310 ; ASCII
"CompsVer.inf"
0040CB3B |50 push eax
0040CB3C |8D4424 54 lea eax,dword ptr ss:[esp+54]
0040CB40 |B3 0D mov bl,0D
0040CB42 |50 push eax
0040CB43 |889C24 B8040000 mov byte ptr ss:[esp+4B8],bl
0040CB4A |E8 E5520100 call
0040CB4F |8DAE 7C070000 lea ebp,dword ptr ds:[esi+77C]
0040CB55 |50 push eax
0040CB56 |8BCD mov ecx,ebp
0040CB58 |C68424 B0040000>mov byte ptr ss:[esp+4B0],0E
0040CB60 |E8 85510100 call
0040CB65 |8D4C24 4C lea ecx,dword ptr ss:[esp+4C]
0040CB69 |889C24 AC040000 mov byte ptr ss:[esp+4AC],bl
0040CB70 |E8 EB500100 call
0040CB75 |8D4C24 48 lea ecx,dword ptr ss:[esp+48]
0040CB79 |C68424 AC040000>mov byte ptr ss:[esp+4AC],3
0040CB81 |E8 DA500100 call
0040CB86 |33DB xor ebx,ebx
0040CB88 |43 inc ebx
0040CB89 |83FB 03 cmp ebx,3
0040CB8C |7F 42 jg short SmartUp.0040CBD0 ; not taken
0040CB8E > |8B45 00 mov eax,dword ptr ss:[ebp] ; get the path where the update file is saved: EAX=D:\Program Files\Rising\Rav\Download\CompsVer.inf
0040CB91 |8B4C24 14 mov ecx,dword ptr ss:[esp+14] ; [ESP+14] loaded into ECX is http://download.rising.com.cn/re ... pad/pcver2006new/CompsVer18.53.42.inf, obtained from the processing above
0040CB95 |6A 00 push 0 ;
0040CB97 |50 push eax
0040CB98 |51 push ecx
0040CB99 |8D8E C0030000 lea ecx,dword ptr ds:[esi+3C0]
0040CB9F |E8 EC5AFFFF call SmartUp.00402690 ; CALL that downloads the file
0040CBA4 |8BF8 mov edi,eax
0040CBA6 |85FF test edi,edi ; check whether the download succeeded
0040CBA8 |74 44 je short SmartUp.0040CBEE ; taken if the download succeeded
0040CBAA |8B86 10040000 mov eax,dword ptr ds:[esi+410]
0040CBB0 |50 push eax
0040CBB1 |57 push edi
0040CBB2 |68 10334300 push SmartUp.00433310 ; ASCII
"CompsVer.inf"
0040CBB7 |68 D83C4300 push SmartUp.00433CD8 ; ASCII
"Download %s Error: ErrCode = 0x%x; LastError = %d"
0040CBBC |6A 04 push 4
Sigh... I lost the file for what follows and don't feel like writing it up, so I'll just give the patch method for SmartUp.exe. Of course there are many options; you could directly put http://download.rising.com.cn/re ... pad/pcver2006new/CompsVer18.53.42.inf in, but that is too much trouble later and you'd have to update it yourself. The crack I'm giving you is this method.
Personally, I reconstructed this from memory.... I won't give the original code.
0040C4E4 /E9 15F80100 jmp SmartUp2.0042BCFE ; the patch starts here: jump to the patch
0040C4E9 |E8 78570100 call
0042BCFE B8 34BD4200 mov eax,SmartUp2.0042BD34 ; ASCII "http://download.rising.com.cn/register/pcver/autoupgradepad/pcver2006new/"
0042BD03 50 push eax
0042BD04 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0042BD08 ^ E9 DC07FEFF jmp SmartUp2.0040C4E9 ; return and continue execution
0042BD34 68 7474703A push 3A707474
0042BD39 2F das
0042BD3A 2F das
0042BD3B 64:6F outs dx,dword ptr es:[edi]
0042BD3D 77 6E ja short SmartUp2.0042BDAD
0042BD3F 6C ins byte ptr es:[edi],dx
0042BD40 6F outs dx,dword ptr es:[edi]
0042BD41 61 popad
0042BD42 64: prefix fs:
0042BD43 2E:72 69 jb short SmartUp2.0042BDAF
0042BD46 73 69 jnb short SmartUp2.0042BDB1
0042BD48 6E outs dx,byte ptr es:[edi]
0042BD49 67:2E:636F 6D arpl word ptr cs:[bx+6D],bp
0042BD4E 2E:636E 2F arpl word ptr cs:[esi+2F],bp
0042BD52 72 65 jb short SmartUp2.0042BDB9
0042BD54 67:6973 74 6572>imul esi,dword ptr ss:[bp+di+74],702F7265
0042BD5C 6376 65 arpl word ptr ds:[esi+65],si
0042BD5F 72 2F jb short SmartUp2.0042BD90
0042BD61 61 popad
0042BD62 75 74 jnz short SmartUp2.0042BDD8
0042BD64 6F outs dx,dword ptr es:[edi]
0042BD65 75 70 jnz short SmartUp2.0042BDD7
0042BD67 67:72 61 jb short SmartUp2.0042BDCB
0042BD6A 64: prefix fs:
0042BD6B 65:70 61 jo short SmartUp2.0042BDCF
0042BD6E 64:2F das
0042BD70 70 63 jo short SmartUp2.0042BDD5
0042BD72 76 65 jbe short SmartUp2.0042BDD9
0042BD74 72 32 jb short SmartUp2.0042BDA8
0042BD76 3030 xor byte ptr ds:[eax],dh
0042BD78 36:6E outs dx,byte ptr es:[edi]
0042BD7A 65:77 2F ja short SmartUp2.0042BDAC
0042BD7D 0000 add byte ptr ds:[eax],al
0042BD7F 0000 add byte ptr ds:[eax],al
This skips SmartUp's verification.... and starts downloading the file.
There is one more check when RAVCOPY starts; the method is similar, so I won't write it up...
Upgraded to 2007; the old one no longer works.
I lost my notes for some of the key parts, and having upgraded to 2007 I can't analyze it for everyone anymore.... If you're interested, play with it yourself. Please bear with me.
By FoBnN 2007.1.1
http://chinatrojan.com/0day/pkrav2006/SmartUp.rar