cnpaf.net - China Protocol Analysis Network


驱动精灵 (WinDriver Ghost) V2.02 Personal Edition, part 2

12-20 13:40
support.
We will work even harder and
notify you future releases."
0049D41E . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D421 . E8 22CCFAFF CALL WinDrvGh.0044A048
0049D426 . 50 PUSH EAX ; |hOwner
0049D427 . E8 F8A7F6FF CALL ; \MessageBoxA
0049D42C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D42F . C680 31030000 >MOV BYTE PTR DS:[EAX+331],0
0049D436 . B2 01 MOV DL,1
0049D438 . A1 54604600 MOV EAX,DWORD PTR DS:[466054>
0049D43D . E8 128DFCFF CALL WinDrvGh.00466154
0049D442 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0049D445 . 33C0 XOR EAX,EAX
0049D447 . 55 PUSH EBP
0049D448 . 68 49D54900 PUSH WinDrvGh.0049D549
0049D44D . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D450 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D453 . BA 01000080 MOV EDX,80000001
0049D458 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D45B . E8 948DFCFF CALL WinDrvGh.004661F4
0049D460 . B1 01 MOV CL,1
0049D462 . BA 04D84900 MOV EDX,WinDrvGh.0049D804 ; ASCII "\Software\Microsoft\Windows\CurrentVersion\IPSecs"
0049D467 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D46A . E8 ED8DFCFF CALL WinDrvGh.0046625C
0049D46F . 84C0 TEST AL,AL
0049D471 . 74 0C JE SHORT WinDrvGh.0049D47F
0049D473 . 33C0 XOR EAX,EAX
0049D475 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EA>
0049D478 . C745 F4 00000E>MOV DWORD PTR SS:[EBP-C],400>
0049D47F > 33C0 XOR EAX,EAX
0049D481 . 55 PUSH EBP
0049D482 . 68 D6D44900 PUSH WinDrvGh.0049D4D6
0049D487 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D48A . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D48D . FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; /Arg2
0049D490 . FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0049D493 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50>; |
0049D496 . E8 89E9F6FF CALL WinDrvGh.0040BE24 ; \WinDrvGh.0040BE24
0049D49B . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50>
0049D49E . BA 40D84900 MOV EDX,WinDrvGh.0049D840 ; ASCII "RISCx86"
0049D4A3 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D4A6 . E8 F591FCFF CALL WinDrvGh.004666A0
0049D4AB . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54>
0049D4AE . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D4B1 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D4B7 . E8 E863FAFF CALL WinDrvGh.004438A4
0049D4BC . 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54>
0049D4BF . BA 50D84900 MOV EDX,WinDrvGh.0049D850 ; ASCII "UserName"
0049D4C4 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D4C7 . E8 D491FCFF CALL WinDrvGh.004666A0
0049D4CC . 33C0 XOR EAX,EAX
0049D4CE . 5A POP EDX
0049D4CF . 59 POP ECX
0049D4D0 . 59 POP ECX
0049D4D1 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049D4D4 . EB 55 JMP SHORT WinDrvGh.0049D52B
0049D4D6 .^E9 2D6EF6FF JMP WinDrvGh.00404308
0049D4DB 01 DB 01
0049D4DC 00 DB 00
0049D4DD 00 DB 00
0049D4DE > 00F4 ADD AH,DH ; |
0049D4E0 . 5F POP EDI ; |
0049D4E1 . 46 INC ESI ; |
0049D4E2 . 00E7 ADD BH,AH ; |
0049D4E4 . D4 49 AAM 49 ; |
0049D4E6 . 00FF ADD BH,BH ; |
0049D4E8 .^75 F4 JNZ SHORT WinDrvGh.0049D4DE ; |
0049D4EA . FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0049D4ED . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58>; |
0049D4F0 . E8 2FE9F6FF CALL WinDrvGh.0040BE24 ; \WinDrvGh.0040BE24
0049D4F5 . 8B4D A8 MOV ECX,DWORD PTR SS:[EBP-58>
0049D4F8 . BA 40D84900 MOV EDX,WinDrvGh.0049D840 ; ASCII "RISCx86"
0049D4FD . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D500 . E8 9B91FCFF CALL WinDrvGh.004666A0
0049D505 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C>
0049D508 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D50B . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D511 . E8 8E63FAFF CALL WinDrvGh.004438A4
0049D516 . 8B4D A4 MOV ECX,DWORD PTR SS:[EBP-5C>
0049D519 . BA 50D84900 MOV EDX,WinDrvGh.0049D850 ; ASCII "UserName"
0049D51E . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D521 . E8 7A91FCFF CALL WinDrvGh.004666A0
0049D526 . E8 1970F6FF CALL WinDrvGh.00404544
0049D52B > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D52E . E8 918CFCFF CALL WinDrvGh.004661C4
0049D533 . 33C0 XOR EAX,EAX
0049D535 . 5A POP EDX
0049D536 . 59 POP ECX
0049D537 . 59 POP ECX
0049D538 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049D53B . 68 50D54900 PUSH WinDrvGh.0049D550
0049D540 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049D543 . E8 B467F6FF CALL WinDrvGh.00403CFC
0049D548 . C3 RETN
0049D549 .^E9 426FF6FF JMP WinDrvGh.00404490
0049D54E .^EB F0 JMP SHORT WinDrvGh.0049D540
0049D550 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D553 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D559 . 33D2 XOR EDX,EDX
0049D55B . E8 7463FAFF CALL WinDrvGh.004438D4
0049D560 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D563 . E8 8475F6FF CALL WinDrvGh.00404AEC
0049D568 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D56B . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D571 . 33D2 XOR EDX,EDX
0049D573 . E8 5C63FAFF CALL WinDrvGh.004438D4
0049D578 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D57B . C680 30030000 >MOV BYTE PTR DS:[EAX+330],0
0049D582 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D585 . 8B80 24030000 MOV EAX,DWORD PTR DS:[EAX+32>
0049D58B . B2 01 MOV DL,1
0049D58D . E8 E6CFF9FF CALL WinDrvGh.0043A578
0049D592 . EB 54 JMP SHORT WinDrvGh.0049D5E8
0049D594 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] <= jumps here
0049D597 . 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D59D . 33D2 XOR EDX,EDX
0049D59F . E8 3063FAFF CALL WinDrvGh.004438D4
0049D5A4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D5A7 . 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+30>
0049D5AD . 33D2 XOR EDX,EDX
0049D5AF . E8 2063FAFF CALL WinDrvGh.004438D4
0049D5B4 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D5B7 . BA 03000000 MOV EDX,3
0049D5BC . E8 677BF6FF CALL WinDrvGh.00405128
0049D5C1 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14>
0049D5C4 . BA 64D84900 MOV EDX,WinDrvGh.0049D864 ; ASCII "$%^"
0049D5C9 . E8 B675F6FF CALL WinDrvGh.00404B84
0049D5CE . 6A 00 PUSH 0
0049D5D0 . 68 68D84900 PUSH WinDrvGh.0049D868 ; ASCII "Invalid Registration Code"
0049D5D5 . 68 84D84900 PUSH WinDrvGh.0049D884 ; ASCII "Please make sure the registration code and the registration name are correct."
0049D5DA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D5DD . E8 66CAFAFF CALL WinDrvGh.0044A048
0049D5E2 . 50 PUSH EAX ; |hOwner
0049D5E3 . E8 3CA6F6FF CALL ; \MessageBoxA <= game over!!

Summary: the last N characters of the registration code are computed from the user name and its length, but the whole code never exceeds 25 characters. The first 5 characters of the code are fixed as MTW20; the 4 characters after those are not fixed either, they depend on the length of the registration name. A "-" is also inserted.
Mine are:
Registration name: GYJ[OCN]
Registration code: MTW201119-47594A5B4F434E5D
The keygen is not done yet, another day okay? So tired!! I have been writing all day!!

In the registry, add "1900-1-2 18:00:00" to

HKEY_USERS\S-1-5-21-1644491937-1957994488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\IPSecs\RISCx86

and it becomes the registered version.

HKEY_USERS\S-1-5-21-1644491937-1957994488-1060284298-500\Software\Microsoft\Windows\CurrentVersion\IPSecs\DriverUpdate: "2002-12-28 17:16:21" <== this is the time you installed it



XXDOWNLOAD1.14 analysis (mind the version)
From DeDe we got the info below:
--------------------------------
005A1F1D E84224E6FF call 00404364 ; cat MC behind NAME and a '-', and form a long STRING
005A1F22 8B45EC mov eax, [ebp-$14]
005A1F25 5A pop edx

005A1F26 E859180300 call 005D3784 ; here is the main call for CODE
005A1F2B 84C0 test al, al

let's dig into CALL 5D3784 and see what is in it:
---------------------------------------------------
005D37C8 8B45FC mov eax, [ebp-$04] ; here is the long STRING
005D37CB E848000000 call 005D3818 ; some kind of calculation
005D37D0 8B45F0 mov eax, [ebp-$10] ; the result CODE
005D37D3 8B55F8 mov edx, [ebp-$08] ; the input CODE

* Reference to: system.@LStrCmp;
005D37D6 E8D90BE3FF call 004043B4
005D37DB 7506 jnz 005D37E3 ; FAILED!


see what is in CALL 005D3818:
-----------------------------
005D3851 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
005D3854 |. BA B8385D00 MOV EDX,unpacked.005D38B8 ; ASCII "hidownload1.14"
005D3859 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Long STRING
005D385C |. E8 8FDF0000 CALL unpacked.005E17F0 ; step 1()
result1 is: 'ylUQQbbOCBkVHn7X/POg+V/BefqmnRucVd3yORd/xh=='


005D3861 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; result1
005D3864 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
005D3867 |. E8 4037FAFF CALL unpacked.00576FAC ; step 2()
result2 is: 92 B6 9C FE 3A 66 FE 95 7C 11 C0 AD 28 2B 6C F1 128bits

005D386C |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; result2
005D386F |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005D3872 |. E8 A937FAFF CALL unpacked.00577020 ; step 3(change result2 to a HEX string)
; the HEX string is the right code
----------------------------------
see step 1 in CALL 005E17F0 first:
----------------------------------
005E182A |. A1 F8C85400 MOV EAX,DWORD PTR DS:[54C8F8]
005E182F |. E8 9CB1F6FF CALL unpacked.0054C9D0 ; BlowFish.Create
005E1834 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; store BlowFish
005E1837 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005E183A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005E183D |. E8 1EAFF6FF CALL unpacked.0054C760

CALL unpacked.0054C760:
-----------------------
0054C76C |. A1 C0BD5400 MOV EAX,DWORD PTR DS:[54BDC0]
0054C771 |. E8 06F7FFFF CALL unpacked.0054BE7C ; SHA1.Create
0054C776 |. 8BD8 MOV EBX,EAX
0054C778 |. 8BC3 MOV EAX,EBX
0054C77A |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0054C77C |. FF52 34 CALL NEAR DWORD PTR DS:[EDX+34] ; SHA1.Initial values (0x67452301...)

0054C7B0 |. 8B08 MOV ECX,DWORD PTR DS:[EAX] ; 'hidownload1.14'
0054C7B2 |. FF51 40 CALL NEAR DWORD PTR DS:[ECX+40]; SHA1.Encrypt

SHA1('hidownload1.14') = FD BD AD D9 20 79 52 03 2A 24 0B AE 48 E7 ED 7E F0 28 6A 8B

0054C7D0 |. 8BD6 MOV EDX,ESI
0054C7D2 |. 8BCD MOV ECX,EBP
0054C7D4 |. 8BC7 MOV EAX,EDI
0054C7D6 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
0054C7D8 |. FF57 30 CALL NEAR DWORD PTR DS:[EDI+30]; BlowFish_Init(SHA1.result)
; BlowFish_EN(-1)

005E1867 |. 8BD0 MOV EDX,EAX
005E1869 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005E186C |. 59 POP ECX
005E186D |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
005E186F |. FF53 4C CALL NEAR DWORD PTR DS:[EBX+4C] ; loops of BlowFish_EN xor long STRING; if U want to know more, just step into it

005E1875 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; result of last op
005E1878 |. E8 FBA2F6FF CALL unpacked.0054BB78 ; something like base64
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

005E187D |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; result of last op

--------------------------------------
then see step 2 in CALL 00576FAC next:
--------------------------------------
00576FCE |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00576FD1 |. E8 1AFEFFFF CALL unpacked.00576DF0 ; MD5.Initial

00576FED |. E8 52FEFFFF CALL unpacked.00576E44 ; grouped result1
00576FF2 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00576FF5 |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00576FF8 |. E8 1FFFFFFF CALL unpacked.00576F1C ; MD5.Encrypt
; it is the result2


In HiDownLoad 1.15 it still uses a visible code compare :), but the way the code is derived has changed:

Name + ':' + EMail + 'chs-1.15'

-> MD5

-> convert the MD5 digest to a string
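The structural weakness behind both analyses is that the client derives the expected code from constants inside its own binary and then string-compares it (LStrCmp), so anyone who reads the binary can reproduce the derivation. The Go program below is an added example, not code from the article or from either product: it contrasts that pattern (modelled generically with a constructed secret, not the products' real algorithms) with the fix a vendor would use, a signature over the name verified with an embedded public key; the keypair and names are generated for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// weakSecret stands in for the constant such a client embeds (constructed value).
const weakSecret = "example-salt-1.0"

// weakExpectedCode models the pattern in the write-up: the client derives the
// expected code from the name plus a constant that ships inside the binary.
func weakExpectedCode(name string) string {
	sum := md5.Sum([]byte(name + ":" + weakSecret))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// weakCheck is the "visible code compare": whoever reads the binary can run weakExpectedCode too.
func weakCheck(name, code string) bool {
	return subtle.ConstantTimeCompare([]byte(weakExpectedCode(name)), []byte(code)) == 1
}

// issueLicense runs on the vendor side only; the private key never ships.
func issueLicense(priv ed25519.PrivateKey, name string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(name)))
}

// signedCheck is the client-side replacement: verify a signature over the name with the
// embedded public key. The binary reveals only the public key, so no new code can be derived.
func signedCheck(pub ed25519.PublicKey, name, code string) bool {
	sig, err := hex.DecodeString(code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair, generated for the demo
	name := "example-user"
	fmt.Println("weak scheme accepts self-derived code:", weakCheck(name, weakExpectedCode(name)))
	lic := issueLicense(priv, name)
	fmt.Println("signed license accepted:", signedCheck(pub, name, lic))
}
```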
