
Title: Screwing Trojan Killer (minors keep out) !!

Author: 大漠的苍凉    Time: 2004-11-16 06:40     Title: Screwing Trojan Killer (minors keep out) !!

The algorithm was posted before, so there is no point writing it up again; this time I mainly want to talk about how to get updates working.
Since I promised the author last time that I would not crack it any more, my 9.99++ updatable version has not been updated (don't go thinking the author and I are in bed together; I swear to Chairman Mao that I'm innocent). Who would have thought that a couple of days ago, browsing his site, I found him announcing on his forum that he had blocked all my cracked versions (what a petty man), and boasting about how strong the encryption in his current version is and inviting everyone to crack it. So I downloaded the 0301 build and had a look, and, fuelled by a few drinks, wrote up the process of screwing it. Experts, forgive my clumsiness.
What is different about 0301 compared with his earlier versions is that the update address is encrypted. His update address is http://www.luosoft.com/cgi-bin/test.pl?name=username; if the username is not in his server's list it displays NO OK, and the software tells you that you are not a registered user.
If the username is correct, you get the address of a virus-database file; according to him the database address changes every 30 minutes (truly perverse).
All we can do is replace his update address with the address of our own server, so that the software fetches the database file after authenticating against our server. But his update address appears as "Fn2yhGnF7PxJGNVN4g6IinGmjFDbkxlXXTpPy0ZkMN6UvUS9Ipls24II" and is only restored to http://www.luosoft.com/cgi-bin/test.pl?name= at run time after several thousand lines of perverse algorithm, ending up in the [edx] shown below.
Original file:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4B79(C)
|
:004B4B38 8A06 mov al, byte ptr [esi]
:004B4B3A 8845F7 mov byte ptr [ebp-09], al
:004B4B3D 8B4B34 mov ecx, dword ptr [ebx+34]
:004B4B40 8B5330 mov edx, dword ptr [ebx+30]
:004B4B43 8BC3 mov eax, ebx
:004B4B45 8B38 mov edi, dword ptr [eax]
:004B4B47 FF5760 call [edi+60]
:004B4B4A 8B4334 mov eax, dword ptr [ebx+34]
:004B4B4D 8A00 mov al, byte ptr [eax]
:004B4B4F 3206 xor al, byte ptr [esi]
:004B4B51 8B55F8 mov edx, dword ptr [ebp-08]
:004B4B54 8802 mov byte ptr [edx], al------ after several thousand lines of some unknown perverse algorithm, the final update address is placed in [edx]; this is what we change.
:004B4B56 8B4B38 mov ecx, dword ptr [ebx+38]
:004B4B59 49 dec ecx
:004B4B5A 8B5330 mov edx, dword ptr [ebx+30]
:004B4B5D 8B4330 mov eax, dword ptr [ebx+30]
:004B4B60 40 inc eax
:004B4B61 E862DEF4FF call 004029C8
:004B4B66 8B4330 mov eax, dword ptr [ebx+30]
:004B4B69 034338 add eax, dword ptr [ebx+38]
:004B4B6C 48 dec eax
:004B4B6D 8A55F7 mov dl, byte ptr [ebp-09]
:004B4B70 8810 mov byte ptr [eax], dl
:004B4B72 46 inc esi
:004B4B73 FF45F8 inc [ebp-08]
:004B4B76 FF4DF0 dec [ebp-10]
:004B4B79 75BD jne 004B4B38
:004B4B7B 5F pop edi
:004B4B7C 5E pop esi
:004B4B7D 5B pop ebx
:004B4B7E 8BE5 mov esp, ebp
:004B4B80 5D pop ebp
:004B4B81 C20400 ret 0004

Modified code:
:004B4B0A 807B2400 cmp byte ptr [ebx+24], 00
:004B4B0E 7516 jne 004B4B26
* Possible StringData Ref from Code Obj ->"Cipher not initialized"
|
:004B4B10 B98C4B4B00 mov ecx, 004B4B8C
:004B4B15 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"EDCP_blockcipher岪"
|
:004B4B17 A1C4404B00 mov eax, dword ptr [004B40C4]
:004B4B1C E83780F5FF call 0040CB58
:004B4B21 E832EEF4FF call 00403958
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4B0E(C)
|
:004B4B26 B868747470 mov eax, 70747468
:004B4B2B 8902 mov dword ptr [edx], eax
:004B4B2D B83A2F2F66 mov eax, 662F2F3A
:004B4B32 894204 mov dword ptr [edx+04], eax
:004B4B35 B87265652E mov eax, 2E656572
:004B4B3A 894208 mov dword ptr [edx+08], eax
:004B4B3D B868626973 mov eax, 73696268
:004B4B42 89420C mov dword ptr [edx+0C], eax
:004B4B45 B8702E636F mov eax, 6F632E70
:004B4B4A 894210 mov dword ptr [edx+10], eax
:004B4B4D B86D2F6C65 mov eax, 656C2F6D
:004B4B52 894214 mov dword ptr [edx+14], eax
:004B4B55 B86F7A656D mov eax, 6D657A6F
:004B4B5A 894218 mov dword ptr [edx+18], eax
:004B4B5D B82F736865 mov eax, 6568732F
:004B4B62 89421C mov dword ptr [edx+1C], eax
:004B4B65 B86E676A69 mov eax, 696A676E
:004B4B6A 894220 mov dword ptr [edx+20], eax
:004B4B6D B82E617370 mov eax, 7073612E
:004B4B72 894224 mov dword ptr [edx+24], eax
:004B4B75 B83F6D7A3D mov eax, 3D7A6D3F
:004B4B7A 894228 mov dword ptr [edx+28], eax
:004B4B7D 5B pop ebx
:004B4B7E 8BE5 mov esp, ebp
:004B4B80 5D pop ebp
:004B4B81 C20400 ret 0004
The code above substitutes my update address http://free.hbisp.com/leozem/shengji.asp?mz= in its place; dword ptr [edx] is where his final update address is stored.
Next, how to build the update server: open Notepad and type in the following code:

Then save it as shengji.asp and put it on your server. There are many ways to obtain his virus-database file; I won't cover that here.
:005434B8 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:005434BE 8B8010010100 mov eax, dword ptr [eax+00010110]
* Possible StringData Ref from Code Obj ->"no ok"
|
:005434C4 BA80365400 mov edx, 00543680
:005434C9 E8060EECFF call 004042D4--- does it display "NO OK"?
:005434CE 753D jne 0054350D----- if not, download the update file from the address obtained.
:005434D0 33D2 xor edx, edx
:005434D2 A1C8375800 mov eax, dword ptr [005837C8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0054348F(C)
|
:005434D7 8B08 mov ecx, dword ptr [eax]
:005434D9 FF515C call [ecx+5C]
:005434DC A16CA65600 mov eax, dword ptr [0056A66C]
:005434E1 803800 cmp byte ptr [eax], 00--- is this the English version? if so, jump
:005434E4 740C je 005434F2
* Possible StringData Ref from Code Obj ->"服务器认证错误!你不是合法用户."
|
:005434E6 B890365400 mov eax, 00543690
:005434EB E89087F1FF call 0045BC80
:005434F0 EB0A jmp 005434FC

In his earlier versions you had to connect to the network while scanning, but this version does not need that. Probably he was so busy dealing with me, spending all day on encryption research, that he overlooked it, but the server authentication used during scanning is still in the software's code. NND, this version even has my name in his software; what is he playing at? I'm not afraid of you, my hard drive is still under warranty, heh.
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E89A B874EE5500 mov eax, 0055EE74
:0055E89F E80C5CEAFF call 004044B0--- at startup, checks whether the software contains loezem; presumably he is afraid I'll modify his software, but what is annoying is that he wrote my leozem as loezem, ugh. If the software contains loezem it only reports an error, thankfully, rather than formatting my disk.
:0055E8A4 85C0 test eax, eax
:0055E8A6 0F8F25050000 jg 0055EDD1
:0055E8AC 8D55E8 lea edx, dword ptr [ebp-18]
:0055E8AF A11C385800 mov eax, dword ptr [0058381C]
:0055E8B4 E8DB79EDFF call 00436294
:0055E8B9 8B45E8 mov eax, dword ptr [ebp-18]
:0055E8BC 8D55EC lea edx, dword ptr [ebp-14]
:0055E8BF E8B8A7EAFF call 0040907C
:0055E8C4 8B55EC mov edx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E8C7 B874EE5500 mov eax, 0055EE74
:0055E8CC E8DF5BEAFF call 004044B0
:0055E8D1 85C0 test eax, eax
:0055E8D3 0F8FF8040000 jg 0055EDD1
:0055E8D9 8D55E0 lea edx, dword ptr [ebp-20]
:0055E8DC A11C385800 mov eax, dword ptr [0058381C]
:0055E8E1 E8AE79EDFF call 00436294
:0055E8E6 8B45E0 mov eax, dword ptr [ebp-20]
:0055E8E9 8D55E4 lea edx, dword ptr [ebp-1C]
:0055E8EC E88BA7EAFF call 0040907C
:0055E8F1 8B55E4 mov edx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E8F4 B874EE5500 mov eax, 0055EE74
:0055E8F9 E8B25BEAFF call 004044B0
:0055E8FE 85C0 test eax, eax
:0055E900 0F8FCB040000 jg 0055EDD1
:0055E906 8D55D8 lea edx, dword ptr [ebp-28]
:0055E909 A11C385800 mov eax, dword ptr [0058381C]
:0055E90E E88179EDFF call 00436294
:0055E913 8B45D8 mov eax, dword ptr [ebp-28]
:0055E916 8D55DC lea edx, dword ptr [ebp-24]
:0055E919 E85EA7EAFF call 0040907C
:0055E91E 8B55DC mov edx, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"loezem"
|
:0055E921 B874EE5500 mov eax, 0055EE74
:0055E926 E8855BEAFF call 004044B0
:0055E92B 85C0 test eax, eax
:0055E92D 0F8F9E040000 jg 0055EDD1
:0055E933 8D55D0 lea edx, dword ptr [ebp-30]
:0055E936 A11C385800 mov eax, dword ptr [0058381C]
:0055E93B E85479EDFF call 00436294
:0055E940 8B45D0 mov eax, dword ptr [ebp-30]
:0055E943 8D55D4 lea edx, dword ptr [ebp-2C]
:0055E946 E831A7EAFF call 0040907C
:0055E94B 8B55D4 mov edx, dword ptr [ebp-2C]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E94E B884EE5500 mov eax, 0055EE84
:0055E953 E8585BEAFF call 004044B0---- does the software contain "破解" (crack)?
:0055E958 85C0 test eax, eax
:0055E95A 0F8F71040000 jg 0055EDD1
:0055E960 8D55C8 lea edx, dword ptr [ebp-38]
:0055E963 A11C385800 mov eax, dword ptr [0058381C]
:0055E968 E82779EDFF call 00436294
:0055E96D 8B45C8 mov eax, dword ptr [ebp-38]
:0055E970 8D55CC lea edx, dword ptr [ebp-34]
:0055E973 E804A7EAFF call 0040907C
:0055E978 8B55CC mov edx, dword ptr [ebp-34]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E97B B884EE5500 mov eax, 0055EE84
:0055E980 E82B5BEAFF call 004044B0
:0055E985 85C0 test eax, eax
:0055E987 0F8F44040000 jg 0055EDD1
:0055E98D 8D55C0 lea edx, dword ptr [ebp-40]
:0055E990 A11C385800 mov eax, dword ptr [0058381C]
:0055E995 E8FA78EDFF call 00436294
:0055E99A 8B45C0 mov eax, dword ptr [ebp-40]
:0055E99D 8D55C4 lea edx, dword ptr [ebp-3C]
:0055E9A0 E8D7A6EAFF call 0040907C
:0055E9A5 8B55C4 mov edx, dword ptr [ebp-3C]
* Possible StringData Ref from Code Obj ->"破解"
|
:0055E9A8 B884EE5500 mov eax, 0055EE84
:0055E9AD E8FE5AEAFF call 004044B0
:0055E9B2 85C0 test eax, eax
:0055E9B4 0F8F17040000 jg 0055EDD1
:0055E9BA B201 mov dl, 01
Next, let's talk about the scan-time authentication in his earlier versions; since I can't find an earlier version any more, I can only describe it from memory.
1. Take the local path of the Trojan found (e.g. the Trojan is at D:\SS\ss.eXE) and send http://www.luosoft.com/cgi-bin/iparmor1.pl?name=username!D:\SS\ss.eXE. If the username is not on his server it displays NO OK; if it is, it returns D:\SS\ss.eXE, and the software then deletes D:\SS\ss.eXE.
2. If it displays NO OK, it says you are not a registered user and deletes your registration entry from the registry.
3. If what comes back is not D:\SS\ss.eXE, it deletes whatever is returned.
4. If it returns nothing, it displays "从起计算机才能策底清除木马" (restart the computer to thoroughly remove the Trojan) (this is them messing with you).
But this method has a BUG: when the file name contains %20, the file cannot be deleted, because %20 in a URL becomes a space.
Solution:
Open Notepad and type in the following code:
<%
response.write request("name")
%>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C55E(C)
|
:0055C5D3 8BC6 mov eax, esi
:0055C5D5 E8BA9CEDFF call 00436294
:0055C5DA 8B45F0 mov eax, dword ptr [ebp-10]----- serial number into EAX
:0055C5DD 8D55F4 lea edx, dword ptr [ebp-0C]
:0055C5E0 E89FCCEAFF call 00409284
:0055C5E5 8B55F4 mov edx, dword ptr [ebp-0C]
:0055C5E8 8BC6 mov eax, esi
:0055C5EA E8D59CEDFF call 004362C4
:0055C5EF 8D95E8FEFFFF lea edx, dword ptr [ebp+FFFFFEE8]
:0055C5F5 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0055C5FB E8949CEDFF call 00436294
:0055C600 8B85E8FEFFFF mov eax, dword ptr [ebp+FFFFFEE8]
:0055C606 8D95ECFEFFFF lea edx, dword ptr [ebp+FFFFFEEC]
:0055C60C E82FCAEAFF call 00409040----- lowercase to uppercase
:0055C611 8B95ECFEFFFF mov edx, dword ptr [ebp+FFFFFEEC]
:0055C617 8D85F0FEFFFF lea eax, dword ptr [ebp+FFFFFEF0]
:0055C61D B9FF000000 mov ecx, 000000FF
:0055C622 E8797BEAFF call 004041A0
:0055C627 8D95F0FEFFFF lea edx, dword ptr [ebp+FFFFFEF0]
:0055C62D 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0055C633 E88435F5FF call 004AFBBC----- the CALL that generates the key value; F7 into it to get the key number 1D6E1D4F
:0055C638 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:0055C63E 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0055C644 E84B9CEDFF call 00436294
:0055C649 8B85E4FEFFFF mov eax, dword ptr [ebp+FFFFFEE4]
:0055C64F 50 push eax
:0055C650 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0055C656 8B8024020000 mov eax, dword ptr [eax+00000224]
:0055C65C 05EA040000 add eax, 000004EA
:0055C661 99 cdq
:0055C662 33C2 xor eax, edx
:0055C664 2BC2 sub eax, edx
:0055C666 8D95E0FEFFFF lea edx, dword ptr [ebp+FFFFFEE0]
:0055C66C E8C7CDEAFF call 00409438---- converts 1D6E2239 to decimal
:0055C671 8B95E0FEFFFF mov edx, dword ptr [ebp+FFFFFEE0]
:0055C677 58 pop eax------- the fake code shows up
:0055C678 E8577CEAFF call 004042D4--- the CALL that compares the registration code; trace into it further
:0055C67D 0F85E5000000 jne 0055C768---- the key jump
:0055C683 6A00 push 00000000
:0055C685 8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:0055C68B 50 push eax
:0055C68C 8D95D8FEFFFF lea edx, dword ptr [ebp+FFFFFED8]
:0055C692 A15CA65600 mov eax, dword ptr [0056A65C]
:0055C697 8B00 mov eax, dword ptr [eax]
:0055C699 E8F69BEDFF call 00436294
:0055C69E 8B8DD8FEFFFF mov ecx, dword ptr [ebp+FFFFFED8]
:0055C6A4 A190A05600 mov eax, dword ptr [0056A090]
:0055C6A9 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"未注册"
|
:0055C6AB BA18C85500 mov edx, 0055C818
:0055C6B0 E8D3A2F7FF call 004D6988
:0055C6B5 8B95DCFEFFFF mov edx, dword ptr [ebp+FFFFFEDC]
:0055C6BB A15CA65600 mov eax, dword ptr [0056A65C]
:0055C6C0 8B00 mov eax, dword ptr [eax]
:0055C6C2 E8FD9BEDFF call 004362C4
:0055C6C7 6A00 push 00000000
:0055C6C9 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:0055C6CF 50 push eax
:0055C6D0 8D95D0FEFFFF lea edx, dword ptr [ebp+FFFFFED0]
:0055C6D6 A15CA65600 mov eax, dword ptr [0056A65C]
:0055C6DB 8B00 mov eax, dword ptr [eax]
:0055C6DD E8B29BEDFF call 00436294
:0055C6E2 8B8DD0FEFFFF mov ecx, dword ptr [ebp+FFFFFED0]
:0055C6E8 A190A05600 mov eax, dword ptr [0056A090]
:0055C6ED 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:0055C6EF BA28C85500 mov edx, 0055C828
:0055C6F4 E88FA2F7FF call 004D6988
:0055C6F9 8B95D4FEFFFF mov edx, dword ptr [ebp+FFFFFED4]
:0055C6FF A15CA65600 mov eax, dword ptr [0056A65C]
:0055C704 8B00 mov eax, dword ptr [eax]
:0055C706 E8B99BEDFF call 004362C4
:0055C70B 803D0D38580000 cmp byte ptr [0058380D], 00
:0055C712 740C je 0055C720
* Possible StringData Ref from Code Obj ->"注册成功,请牢记自己的注册信息,如果遗失我们不提"
->"供找回服务!"
|
:0055C714 B840C85500 mov eax, 0055C840
:0055C719 E862F5EFFF call 0045BC80
:0055C71E EB0A jmp 0055C72A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C712(C)
|
* Possible StringData Ref from Code Obj ->"Register ok!"
|
:0055C720 B884C85500 mov eax, 0055C884
:0055C725 E856F5EFFF call 0045BC80
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C71E(U)
|
:0055C72A E8FDFBFFFF call 0055C32C
:0055C72F 33D2 xor edx, edx
:0055C731 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:0055C737 E8709AEDFF call 004361AC
:0055C73C 33D2 xor edx, edx
:0055C73E 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0055C744 E8639AEDFF call 004361AC
:0055C749 33D2 xor edx, edx
:0055C74B 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:0055C751 E8569AEDFF call 004361AC
* Possible StringData Ref from Code Obj ->"registed"
|
:0055C756 BA9CC85500 mov edx, 0055C89C
:0055C75B 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:0055C761 E85E9BEDFF call 004362C4
:0055C766 EB1F jmp 0055C787
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C67D(C)
|
:0055C768 803D0D38580000 cmp byte ptr [0058380D], 00
:0055C76F 740C je 0055C77D
* Possible StringData Ref from Code Obj ->"注册失败!"
|
:0055C771 B8B0C85500 mov eax, 0055C8B0
:0055C776 E805F5EFFF call 0045BC80
:0055C77B EB0A jmp 0055C787
This applies to the current update method, though the new version has some changes.
Because Trojan Killer is such garbage, it isn't even worth cracking.
I suggest everyone use KV, Rising, Kingsoft and the like instead.
With KV you don't need a patch; just block two IPs and you can update without worry.
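The %20 problem described in the post is a classic query-string encoding mistake on the client side: the file path is concatenated into the URL raw, so the CGI layer on the server decodes a literal "%20" in a file name into a space and the echoed path no longer matches the file on disk. The following is an added example, not code from the post or from either product, that reproduces the round trip with a constructed echo server (modelled on the one-line ASP script above, which hands back request("name") as the CGI layer decoded it) and shows how percent-encoding the parameter value keeps "%20", "&" and similar characters intact. The endpoint name and the sample paths are placeholders constructed for the example.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Placeholder endpoint (constructed for this example, not the page's server).
LICENSE_ENDPOINT = "http://example.invalid/cgi-bin/check.pl"


def build_query_naive(name: str, path: str) -> str:
    """Build the request the way the post describes: path pasted in unencoded."""
    return f"{LICENSE_ENDPOINT}?name={name}!{path}"


def build_query_encoded(name: str, path: str) -> str:
    """Percent-encode the whole parameter value.

    A literal '%' in the file name becomes '%25', '&' becomes '%26', and so on,
    so the server's decoding step restores exactly the original string.
    """
    return f"{LICENSE_ENDPOINT}?name={quote(name + '!' + path, safe='')}"


def server_reply(url: str) -> str:
    """Simulated echo server (constructed stand-in for response.write request("name")).

    parse_qs performs the same percent-decoding a CGI layer would, then the
    server returns only the path part after the '!' separator.
    """
    params = parse_qs(urlsplit(url).query)
    value = params.get("name", [""])[0]
    _, _, path = value.partition("!")
    return path


def round_trip_matches(name: str, path: str, encoded: bool) -> bool:
    """True if the path the server echoes back equals the path the client sent.

    The client must compare against the exact local path before acting on a
    server reply; a mismatch here is the post's "cannot delete" symptom.
    """
    url = build_query_encoded(name, path) if encoded else build_query_naive(name, path)
    return server_reply(url) == path


if __name__ == "__main__":
    # Constructed sample paths: a plain name, one with a literal %20, one with '&'.
    for sample in (r"D:\SS\ss.eXE", r"D:\SS\my%20file.eXE", r"D:\SS\a&b.eXE"):
        for enc in (False, True):
            print(f"{sample!r:28} encoded={enc!s:5} matches={round_trip_matches('user', sample, enc)}")
```

With the naive builder only the plain path survives: "my%20file.eXE" comes back as "my file.eXE", and "a&b.eXE" is truncated at the "&" because it starts a new query parameter. With quote(..., safe='') all three round-trip unchanged. The broader lesson for anyone reviewing such a design is that a client which deletes whatever path a remote server echoes back should at least require an exact match against the path it sent, which is what round_trip_matches checks.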

Author: ak2008    Time: 2004-11-26 10:41     Title: Screwing Trojan Killer (minors keep out) !!

Big shots turn up every day, and this year there are especially many.
Author: righ    Time: 2004-12-1 08:42     Title: Screwing Trojan Killer (minors keep out) !!

Heh, 大漠 just couldn't take it any more
But your skills are your guarantee!
You're still the strongest!
Author: junge4423    Time: 2004-12-12 21:31     Title: Screwing Trojan Killer (minors keep out) !!

What a beast~~~~~
Author: 中国    Time: 2005-2-7 23:03     Title: Screwing Trojan Killer (minors keep out) !!

Really a bit infuriating!~~~~~~~~ Supporting justice``````
Author: 海豚    Time: 2005-2-18 15:23     Title: Screwing Trojan Killer (minors keep out) !!

Bump~! Support~!
Author: 有缘人    Time: 2005-3-13 00:24     Title: Screwing Trojan Killer (minors keep out) !!

Too long~~~~~~````

Welcome to 黑色海岸线论坛 (Black Coastline Forum) (http://bbs.thysea.com/) Powered by Discuz! 7.2