2004-10-15 Author: 蓝点
Software: Shiznit Scanner V2.1
Description: Fast configurable highly featured UDP/TCP Port/Subnet Scanner for windows. Some key features are: TCP Port scanning of stealth and non-stealth hosts, Extreme UDP Port scanning, UDP Subnet scanning!, High speed ping scanning of subnets, TCP Subnet scanning of stealth and non-stealth hosts, Setting of start and stop ports, Gives you the ability to save results, Nice looking interface, Tells you if remote computer being scanned is stealth, You choose the speed of scan, Tells you the host responses for TCP Port scan and Subnet scan, Tells you the port use from huge lists of ports as found, Port scanner & Subnet scanner integration, so as though you can double click an IP found with the Subnet scanner to port scan with the Port scanner... Many new features in V2.0, a must have for TCP/IP network administrators.
Cracked by: BurSH[FCG][BCG][DFCG] (on 2003.4.20)
Tool: Trw2000 1.23
Ok, let's begin now!
Press Ctrl+N to bring up Trw2000 and set a breakpoint with BPX GetDlgItemTextA. Enter any registration info and click Register Shiznit Scanner 2.1. The breakpoint fires! Use the PMODULE command to return to the program's own code, then BC to clear the breakpoint, and press F10 three times to reach the following code:
016F:00406DB7 PUSH BYTE +01
016F:00406DB9 PUSH BYTE +00
016F:00406DBB PUSH DWORD 0421
016F:00406DC0 MOV ECX,[EBP+FFFFFBEC]
016F:00406DC6 CALL 004379C8==> fetch the entered registration code
016F:00406DCB PUSH EAX==> push the entered registration code
016F:00406DCC LEA EAX,[EBP-20]==> the user name that was read, into EAX
016F:00406DCF PUSH EAX==> push the user name
016F:00406DD0 CALL 00406870==> the key call: it computes and checks the registration code! Press F8 to step into it
016F:00406DD5 AND EAX,FF
016F:00406DDA TEST EAX,EAX==> is the registration code correct?
016F:00406DDC JZ NEAR 00406E98==> if not, jump to the failure path :(
016F:00406DE2 PUSH BYTE +00
016F:00406DE4 PUSH DWORD 00448C98
016F:00406DE9 PUSH DWORD 00448BCC
016F:00406DEE MOV ECX,[EBP+FFFFFBEC]
016F:00406DF4 CALL 004368A5
After stepping into the key call at 406DD0 with F8 we see:
016F:00406870 PUSH EBP
016F:00406871 MOV EBP,ESP
016F:00406873 SUB ESP,0430
016F:00406879 PUSH EBX
016F:0040687A PUSH ESI
016F:0040687B PUSH EDI
016F:0040687C MOV EDI,[EBP+08]
016F:0040687F LEA EDX,[EBP-2C]
016F:00406882 OR ECX,BYTE -01
016F:00406885 XOR EAX,EAX
016F:00406887 REPNE SCASB
016F:00406889 NOT ECX
016F:0040688B SUB EDI,ECX
016F:0040688D MOV ESI,EDI
016F:0040688F MOV EAX,ECX
016F:00406891 MOV EDI,EDX
016F:00406893 SHR ECX,02
016F:00406896 REP MOVSD ==> I don't understand this instruction; could an expert explain it to me? If I step over it with F8 the registration fails :( so I just used g to go directly to the next instruction
016F:00406898 MOV ECX,EAX
016F:0040689A AND ECX,BYTE +03
016F:0040689D REP MOVSB ==>g 40689F
016F:0040689F MOV DWORD [EBP-08],00
016F:004068A6 JMP SHORT 004068B1==> jump to 4068B1 below
016F:004068A8 MOV ECX,[EBP-08]
016F:004068AB ADD ECX,BYTE +01==> ECX += 1!
016F:004068AE MOV [EBP-08],ECX==> store ECX into [EBP-08]
016F:004068B1 MOV EDX,[EBP-08]==> EDX is the counter
016F:004068B4 MOVSX EAX,BYTE [EBP+EDX-2C]==> fetch the user name's bytes one at a time into EAX ([EBP-2C] holds the user name)
016F:004068B9 TEST EAX,EAX==> have all characters of the user name been fetched?
016F:004068BB JZ 004068D0==> if not, continue below
016F:004068BD MOV ECX,[EBP-08]==> ECX is the counter
016F:004068C0 MOV DL,[EBP+ECX-2C]==> fetch the user name's bytes one at a time into DL ([EBP-2C] holds the user name)
016F:004068C4 ADD DL,0A==> add 0Ah to each byte of the user name; the result goes in DL!
016F:004068C7 MOV EAX,[EBP-08]
016F:004068CA MOV [EBP+EAX-2C],DL==> store each converted character back into [EBP-2C]
016F:004068CE JMP SHORT 004068A8
016F:004068D0 MOV DWORD [EBP+FFFFFBE0],00448B50==> 448B50 holds the string ^OKW*V_MsN (subtracting 0Ah from each character gives TEAM LUCiD. A blacklist! ^0^)
016F:004068DA LEA ECX,[EBP-2C]==> the converted user name from above, into ECX
016F:004068DD MOV [EBP+FFFFFBDC],ECX==> the block from here to 00406978 compares the converted user name byte by byte against the blacklist string: if it matches, execution falls through to the failure flag at 406978; if not, it jumps to 406AC3
016F:004068E3 MOV EDX,[EBP+FFFFFBDC]
016F:004068E9 MOV AL,[EDX]
016F:004068EB MOV [EBP+FFFFFBDB],AL
016F:004068F1 MOV ECX,[EBP+FFFFFBE0]
016F:004068F7 CMP AL,[ECX]
016F:004068F9 JNZ 00406941
016F:004068FB CMP BYTE [EBP+FFFFFBDB],00
016F:00406902 JZ 00406935
016F:00406904 MOV EDX,[EBP+FFFFFBDC]
016F:0040690A MOV AL,[EDX+01]
016F:0040690D MOV [EBP+FFFFFBDA],AL
016F:00406913 MOV ECX,[EBP+FFFFFBE0]
016F:00406919 CMP AL,[ECX+01]
016F:0040691C JNZ 00406941
016F:0040691E ADD DWORD [EBP+FFFFFBDC],BYTE +02
016F:00406925 ADD DWORD [EBP+FFFFFBE0],BYTE +02
016F:0040692C CMP BYTE [EBP+FFFFFBDA],00
016F:00406933 JNZ 004068E3
016F:00406935 MOV DWORD [EBP+FFFFFBD4],00
016F:0040693F JMP SHORT 0040694C
016F:00406941 SBB EDX,EDX
016F:00406943 SBB EDX,BYTE -01
016F:00406946 MOV [EBP+FFFFFBD4],EDX
016F:0040694C MOV EAX,[EBP+FFFFFBD4]
016F:00406952 MOV [EBP+FFFFFBD0],EAX
016F:00406958 CMP DWORD [EBP+FFFFFBD0],BYTE +00
016F:0040695F JNZ NEAR 00406AB1
016F:00406965 MOV DWORD [EBP+FFFFFBE8],00
016F:0040696F CMP DWORD [EBP+FFFFFBE8],BYTE +00
016F:00406976 JNZ 0040697F
016F:00406978 XOR AL,AL==> the flag for a failed registration-code check!
016F:0040697A JMP 00406D61==> on the blacklist? You're done for ^_^
016F:0040697F MOV EDI,00448B48
016F:00406984 LEA EDX,[EBP-2C]
016F:00406987 OR ECX,BYTE -01
016F:0040698A XOR EAX,EAX
016F:0040698C REPNE SCASB
016F:0040698E NOT ECX
016F:00406990 SUB EDI,ECX
016F:00406992 MOV ESI,EDI
016F:00406994 MOV EAX,ECX
All that long-winded code above just checks a blacklist -_-0 The author was too "embarrassed" to write the blacklist out in plain text, so it is compared as "f(user name) = fixed string"......
…………
016F:00406ABA MOV EAX,[EBP-04]
016F:00406ABD ADD EAX,BYTE +01
016F:00406AC0 MOV [EBP-04],EAX
016F:00406AC3 MOV ECX,[EBP+08]==> ECX is the counter!
016F:00406AC6 ADD ECX,[EBP-04]
016F:00406AC9 MOVSX EDX,BYTE [ECX]==> the user name's bytes one at a time into EDX
016F:00406ACC TEST EDX,EDX==> loop finished?
016F:00406ACE JZ 00406AD2==> if so, leave! This section counts the user name's length (kept in EAX)
016F:00406AD0 JMP SHORT 00406ABA
016F:00406AD2 MOV DWORD [EBP-0C],00==> clear [EBP-0C]
016F:00406AD9 MOV EAX,[EBP+08]==> the user name, into EAX
016F:00406ADC MOVSX ECX,BYTE [EAX]==> fetch the first character of the user name into ECX
016F:00406ADF IMUL ECX,ECX,54BF==> multiply the first character of the user name by 54BFh; the result goes in ECX
016F:00406AE5 MOV EDX,[EBP-0C]==> [EBP-0C] (initially zero, because of the store at 406AD2), into EDX
016F:00406AE8 ADD EDX,ECX==> add them
016F:00406AEA MOV [EBP-0C],EDX==> store it back; [EBP-0C] holds the running result
016F:00406AED MOV EAX,[EBP+08]
016F:00406AF0 MOVSX ECX,BYTE [EAX+01]==> fetch the second character of the user name
016F:00406AF4 MOV EDX,[EBP-0C]==> the previous result, into EDX
016F:00406AF7 LEA EAX,[EDX+ECX+00205FDF]==> EAX = EDX + ECX + 205FDFh!
016F:00406AFE MOV [EBP-0C],EAX==> the result again goes back into [EBP-0C]
016F:00406B01 MOV ECX,[EBP+08]
016F:00406B04 MOVSX EDX,BYTE [ECX+02]
016F:00406B08 IMUL EDX,EDX,5C8F
016F:00406B0E MOV EAX,[EBP-0C]
016F:00406B11 ADD EAX,EDX
016F:00406B13 MOV [EBP-0C],EAX
016F:00406B16 MOV ECX,[EBP+08]
016F:00406B19 MOVSX EDX,BYTE [ECX+03]
016F:00406B1D MOV EAX,[EBP-0C]
016F:00406B20 LEA ECX,[EAX+EDX+00987227]
016F:00406B27 MOV [EBP-0C],ECX
016F:00406B2A MOV EDX,[EBP+08]
016F:00406B2D MOVSX EAX,BYTE [EDX+04]
016F:00406B31 IMUL EAX,EAX,645F
016F:00406B37 MOV ECX,[EBP-0C]
016F:00406B3A ADD ECX,EAX
016F:00406B3C MOV [EBP-0C],ECX
016F:00406B3F MOV EDX,[EBP+08]
016F:00406B42 MOVSX EAX,BYTE [EDX+05]
016F:00406B46 MOV ECX,[EBP-0C]
016F:00406B49 LEA EDX,[ECX+EAX+006A595F]
016F:00406B50 MOV [EBP-0C],EDX
016F:00406B53 MOV EAX,[EBP+08]
016F:00406B56 MOVSX ECX,BYTE [EAX+06]
016F:00406B5A IMUL ECX,ECX,6C2F
016F:00406B60 MOV EDX,[EBP-0C]
016F:00406B63 ADD EDX,ECX
016F:00406B65 MOV [EBP-0C],EDX
016F:00406B68 MOV EAX,[EBP+08]
016F:00406B6B MOVSX ECX,BYTE [EAX+07]
016F:00406B6F MOV EDX,[EBP-0C]
016F:00406B72 LEA EAX,[EDX+ECX+00140B9F]
016F:00406B79 MOV [EBP-0C],EAX
016F:00406B7C MOV ECX,[EBP+08]
016F:00406B7F MOVSX EDX,BYTE [ECX+08]
016F:00406B83 IMUL EDX,EDX,73FF
016F:00406B89 MOV EAX,[EBP-0C]
016F:00406B8C ADD EAX,EDX
016F:00406B8E MOV [EBP-0C],EAX
016F:00406B91 MOV ECX,[EBP+08]
016F:00406B94 MOVSX EDX,BYTE [ECX+09]
016F:00406B98 IMUL EDX,EDX,29C7
016F:00406B9E MOV EAX,[EBP-0C]
016F:00406BA1 ADD EAX,EDX
016F:00406BA3 MOV [EBP-0C],EAX
016F:00406BA6 MOV ECX,[EBP+08]
016F:00406BA9 MOVSX EDX,BYTE [ECX+0A]
016F:00406BAD MOV EAX,[EBP-0C]
016F:00406BB0 LEA ECX,[EAX+EDX+00020A3F]
016F:00406BB7 MOV [EBP-0C],ECX
016F:00406BBA MOV EDX,[EBP+08]
016F:00406BBD MOVSX EAX,BYTE [EDX+0B]
016F:00406BC1 IMUL EAX,EAX,0001DF47
016F:00406BC7 MOV ECX,[EBP-0C]
016F:00406BCA ADD ECX,EAX
016F:00406BCC MOV [EBP-0C],ECX
016F:00406BCF MOV EDX,[EBP+08]
016F:00406BD2 MOVSX EAX,BYTE [EDX+0C]
016F:00406BD6 MOV ECX,[EBP-0C]
016F:00406BD9 LEA EDX,[ECX+EAX+0001B44F]
016F:00406BE0 MOV [EBP-0C],EDX
016F:00406BE3 MOV EAX,[EBP+08]
016F:00406BE6 MOVSX ECX,BYTE [EAX+0D]
016F:00406BEA IMUL ECX,ECX,00018957
016F:00406BF0 MOV EDX,[EBP-0C]
016F:00406BF3 ADD EDX,ECX
016F:00406BF5 MOV [EBP-0C],EDX
016F:00406BF8 MOV EAX,[EBP+08]
016F:00406BFB MOVSX ECX,BYTE [EAX+0E]
016F:00406BFF MOV EDX,[EBP-0C]
016F:00406C02 LEA EAX,[EDX+ECX+00030FF7]
016F:00406C09 MOV [EBP-0C],EAX
016F:00406C0C MOV ECX,[EBP+08]
016F:00406C0F MOVSX EDX,BYTE [ECX+0F]
016F:00406C13 IMUL EDX,EDX,000365E7
016F:00406C19 MOV EAX,[EBP-0C]
016F:00406C1C ADD EAX,EDX
016F:00406C1E MOV [EBP-0C],EAX
016F:00406C21 MOV ECX,[EBP+08]
016F:00406C24 MOVSX EDX,BYTE [ECX+10]
016F:00406C28 MOV EAX,[EBP-0C]
016F:00406C2B LEA ECX,[EAX+EDX+0005177F]
016F:00406C32 MOV [EBP-0C],ECX
016F:00406C35 MOV EDX,[EBP+08]
016F:00406C38 MOVSX EAX,BYTE [EDX+11]
016F:00406C3C IMUL EAX,EAX,0006C917
016F:00406C42 MOV ECX,[EBP-0C]
016F:00406C45 ADD ECX,EAX
016F:00406C47 MOV [EBP-0C],ECX
016F:00406C4A MOV EDX,[EBP+08]
016F:00406C4D MOVSX EAX,BYTE [EDX+12]
016F:00406C51 MOV ECX,[EBP-0C]
016F:00406C54 LEA EDX,[ECX+EAX+00087AAF]
016F:00406C5B MOV [EBP-0C],EDX
016F:00406C5E MOV EAX,[EBP+08]
016F:00406C61 MOVSX ECX,BYTE [EAX+13]
016F:00406C65 IMUL ECX,ECX,3039
016F:00406C6B MOV EDX,[EBP-0C]
016F:00406C6E ADD EDX,ECX
016F:00406C70 MOV [EBP-0C],EDX
016F:00406C73 MOV EAX,[EBP+08]
016F:00406C76 MOVSX ECX,BYTE [EAX+14]
016F:00406C7A IMUL ECX,ECX,D431
016F:00406C80 MOV EDX,[EBP-0C]
016F:00406C83 ADD EDX,ECX
016F:00406C85 MOV [EBP-0C],EDX
016F:00406C88 MOV EAX,[EBP+08]
016F:00406C8B MOVSX ECX,BYTE [EAX+15]
016F:00406C8F IMUL ECX,ECX,372B
016F:00406C95 MOV EDX,[EBP-0C]
016F:00406C98 ADD EDX,ECX
016F:00406C9A MOV [EBP-0C],EDX
016F:00406C9D MOV EAX,[EBP+08]
016F:00406CA0 MOVSX ECX,BYTE [EAX+16]
016F:00406CA4 IMUL ECX,ECX,DE0D
016F:00406CAA MOV EDX,[EBP-0C]
016F:00406CAD ADD EDX,ECX
016F:00406CAF MOV [EBP-0C],EDX
016F:00406CB2 MOV EAX,[EBP+08]
016F:00406CB5 MOVSX ECX,BYTE [EAX+17]
016F:00406CB9 IMUL ECX,ECX,00010104
016F:00406CBF MOV EDX,[EBP-0C]
016F:00406CC2 ADD EDX,ECX
016F:00406CC4 MOV [EBP-0C],EDX
016F:00406CC7 MOV EAX,[EBP+08]
016F:00406CCA MOVSX ECX,BYTE [EAX+18]
016F:00406CCE IMUL ECX,ECX,8711
016F:00406CD4 MOV EDX,[EBP-0C]
016F:00406CD7 ADD EDX,ECX
016F:00406CD9 MOV [EBP-0C],EDX
016F:00406CDC MOV EAX,[EBP+08]
016F:00406CDF MOVSX ECX,BYTE [EAX+19]
016F:00406CE3 IMUL ECX,ECX,00010845
016F:00406CE9 MOV EDX,[EBP-0C]
016F:00406CEC ADD EDX,ECX
016F:00406CEE MOV [EBP-0C],EDX
016F:00406CF1 MOV EAX,[EBP+08]
016F:00406CF4 MOVSX ECX,BYTE [EAX+1A]
016F:00406CF8 IMUL ECX,ECX,8711
016F:00406CFE MOV EDX,[EBP-0C]
016F:00406D01 ADD EDX,ECX
016F:00406D03 MOV [EBP-0C],EDX
016F:00406D06 MOV EAX,[EBP+08]
016F:00406D09 MOVSX ECX,BYTE [EAX+1B]
016F:00406D0D IMUL ECX,ECX,FFBA
016F:00406D13 MOV EDX,[EBP-0C]
016F:00406D16 ADD EDX,ECX
016F:00406D18 MOV [EBP-0C],EDX
016F:00406D1B MOV EAX,[EBP+08]
016F:00406D1E MOVSX ECX,BYTE [EAX+1C]
016F:00406D22 IMUL ECX,ECX,000181B7
016F:00406D28 MOV EDX,[EBP-0C]
016F:00406D2B ADD EDX,ECX
016F:00406D2D MOV [EBP-0C],EDX
016F:00406D30 MOV EAX,[EBP+08]
016F:00406D33 MOVSX ECX,BYTE [EAX+1D]
016F:00406D37 IMUL ECX,ECX,85BA
016F:00406D3D MOV EDX,[EBP-0C]
016F:00406D40 ADD EDX,ECX
016F:00406D42 MOV [EBP-0C],EDX
016F:00406D45 MOV EAX,[EBP-0C]==> the correct registration code, into EAX
016F:00406D48 CMP EAX,[EBP+0C]==> compare the real and the entered registration codes!
016F:00406D4B JNZ 00406D58
016F:00406D4D MOV DWORD [EBP-0C],00
016F:00406D54 MOV AL,01
016F:00406D56 JMP SHORT 00406D61
016F:00406D58 MOV DWORD [EBP-0C],00
016F:00406D5F XOR AL,AL
016F:00406D61 POP EDI
016F:00406D62 POP ESI
016F:00406D63 POP EBX
016F:00406D64 MOV ESP,EBP
016F:00406D66 POP EBP
016F:00406D67 RET 08
The section 406B01--406D42 performs the same kind of operations as above (406AD9--406AFE): character 2n+1 is multiplied by some constant and added to the previous result (kept in [EBP-0C]), then the result is further added to the next character plus some fixed value. The final result held in [EBP-0C] is the real registration code!!
BTW: the software's registration info is stored in C:\WINDOWS\Srpesg.dat
Ok, that's all! Thanks for reading to the end :)
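To make the listing easier to read as a whole, here is an added C rendering of the control flow of sub_00406870 as the listing shows it. It is not the page's own code and not the product's source. It answers the question about REP MOVSD (the OR ECX,-1 / REPNE SCASB / NOT ECX / SUB EDI,ECX / REP MOVSD / REP MOVSB sequence is the compiler's inlined strcpy, and the 2-byte compare loop is its inlined strcmp), mirrors the 0Ah shift and blacklist compare, and shows the shape of the accumulator that produces the 32-bit code. The blacklist string is the one from 448B50; the function names, the local buffer size and the DEMO_STEPS table are assumptions chosen for illustration (the table has the same multiply/add shape as the listing but constructed constants, not the IMUL immediates and LEA displacements of the real binary).

```c
/* Added illustration of sub_00406870's control flow; not code from the page or the product.
 * Function names, the buffer size and DEMO_STEPS are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Obfuscated blacklist string found at 00448B50 in the listing. */
static const char BLACKLIST_OBF[] = "^OKW*V_MsN";

/* 00406882..0040689D: inlined strcpy. REPNE SCASB scans to the NUL and leaves
 * ECX = -(len+2); NOT ECX yields len+1 (byte count incl. terminator);
 * SUB EDI,ECX rewinds the pointer; REP MOVSD copies (len+1)/4 dwords and
 * REP MOVSB the remaining (len+1)&3 bytes. Stepping over REP MOVSD with F8
 * skips the whole copy, which is why registration then fails. */
static void inline_strcpy(char *dst, const char *src)
{
    size_t count = strlen(src) + 1;                   /* NOT ECX */
    size_t dwords = count >> 2;                       /* SHR ECX,02 */
    size_t tail = count & 3;                          /* AND ECX,03 */
    memcpy(dst, src, dwords * 4);                     /* REP MOVSD */
    memcpy(dst + dwords * 4, src + dwords * 4, tail); /* REP MOVSB */
}

/* 004068A8..004068CE: add 0Ah to every byte of the local copy. */
static void shift_name(char *buf)
{
    for (size_t i = 0; buf[i] != '\0'; i++)
        buf[i] = (char)(buf[i] + 0x0A);
}

/* Undo the 0Ah shift to read the blacklist entry, as the write-up does by hand.
 * `out` must have room for strlen(obf)+1 bytes. */
void decode_blacklist(const char *obf, char *out)
{
    size_t i;
    for (i = 0; obf[i] != '\0'; i++)
        out[i] = (char)(obf[i] - 0x0A);
    out[i] = '\0';
}

/* 004068E3..0040694C: inlined strcmp, two bytes per iteration; zero only on an exact match. */
int is_blacklisted(const char *name)
{
    char local[64];                 /* stands in for the buffer at [EBP-2C]; size assumed */
    if (strlen(name) >= sizeof local)
        return 0;                   /* keep the illustration inside its own buffer */
    inline_strcpy(local, name);
    shift_name(local);
    return strcmp(local, BLACKLIST_OBF) == 0;
}

/* 00406AD9..00406D42: a 32-bit accumulator. Each step either multiplies
 * name[i] by a constant (IMUL) or adds name[i] plus a constant (LEA), and
 * adds the result to [EBP-0C]. DEMO_STEPS is a constructed table with that
 * shape; the binary's own constants are not reproduced here. */
enum step_kind { STEP_MUL, STEP_ADD };
struct hash_step { enum step_kind kind; uint32_t k; };

static const struct hash_step DEMO_STEPS[] = {
    { STEP_MUL, 0x1234 }, { STEP_ADD, 0x00010000 },
    { STEP_MUL, 0x2345 }, { STEP_ADD, 0x00020000 },
    { STEP_MUL, 0x3456 }, { STEP_MUL, 0x4567 },
};

uint32_t name_hash(const char *name)
{
    uint32_t acc = 0;               /* [EBP-0C] */
    size_t len = strlen(name);
    size_t n = sizeof DEMO_STEPS / sizeof DEMO_STEPS[0];
    for (size_t i = 0; i < n; i++) {
        /* MOVSX sign-extends the byte. The listing indexes every position
         * unconditionally; here bytes past the terminator count as 0 (assumption). */
        int32_t c = (i < len) ? (int32_t)(int8_t)name[i] : 0;
        if (DEMO_STEPS[i].kind == STEP_MUL)
            acc += (uint32_t)c * DEMO_STEPS[i].k;   /* IMUL then ADD */
        else
            acc += (uint32_t)c + DEMO_STEPS[i].k;   /* LEA [acc+c+k] */
    }
    return acc;
}

/* Mirrors the result flag in AL: 1 when the entered code equals the computed one. */
int check_registration(const char *name, uint32_t entered_code)
{
    if (is_blacklisted(name))
        return 0;                                   /* XOR AL,AL at 00406978 */
    return name_hash(name) == entered_code;         /* CMP EAX,[EBP+0C] at 00406D48 */
}
```

The point worth taking from the structure is that the whole check is self-contained: the expected value is derived from the user name inside the program and then compared with a single CMP, so everything needed to verify a code is also everything needed to produce one. The 32-bit arithmetic wraps exactly as the registers do, which is why the accumulator is a uint32_t.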