Software name:
Windows变脸王 4.4 (desktop utility)
Platform: Win9x/Me/NT/2000/XP
Description: Tired of looking at the Windows interface? Then try "Windows变脸王", which makes your Windows stand out from the crowd!
Windows变脸王 offers the following functions:
·Change the boot and shutdown screens. Supports BMP and JPG and scales images automatically.
·Replace the system's various icons; the icon theme function replaces all icons in one go.
·IE anti-hijack protection, plus changing the IE browser background, animated icon, etc.
·Replace mouse cursors as a complete set; several very cool cursor themes are built in.
·Change drive icons and folder icons, tooltip text, colours, etc.
·Change window colours to make your Windows windows colourful.
·Change the OEM logo and the various user details in the system, such as user name and serial number.
·Permanently transparent desktop text, change text colour, right-align desktop text, align text in a circle.
·Blue-screen background and text colours, sunken 3D window effect, startup sound, etc.
Features:
·The program does not stay resident in memory; every effect remains even after the program is closed.
·The software ships with many picture and icon resources, so you can use ready-made effects without creating anything yourself.
·A powerful restore function, so there is nothing to worry about.
·Intuitive interface, easy to use, especially suitable for beginner computer users.
Protection: ASProtect 1.2 + registration code
Restriction: unregistered nag message
Cracking tools: TRW2000 1.23 registered version (with SuperBPM), W32Dasm 8.93 Gold Edition, FI 2.5, Import REConstructor 1.4.2+, fs0-loader, eXeScope 6.30
Cracking date: 2003-04-02
Statement from the author, newlaos: this is for study only; please do not use it commercially or distribute keygens made with the method in this article; I accept no responsibility for any consequences. My skill is limited: I could only find the patch point, not the key algorithm, so I ask the experts for advice!
Note: because this software verifies the registration information only when the program starts, the procedure below assumes you have already run the software once and entered newlaos[DFCG] and the registration code 7878787878787878 in the registration dialog.
1. First inspect the main file "WinBeautician.exe" with FI 2.5: it is packed with ASProtect 1.22, so it has to be unpacked manually.
a. Use the fs0_loader entry-point finder to locate the entry point. The tool reports the entry point at 4F7BF8. Good! Note it down.
b. Do a preliminary unpack with TRW2000: open SuperBPM, click Erase, load WinBeautician.exe with TRW, and enter g 4F7BF8. Then run pedump to dump the program as DUMP1.EXE.
c. Start the original packed program. In Import REConstructor v1.4.2+, in the "Attach to an Active Process" window select the WinBeautician.exe process, then in the OEP field at the bottom enter the RVA, i.e. F7BF8 (entry-point address 4F7BF8 minus the image base 400000). Click IAT AutoSearch, then Get Imports, then Auto Trace, then Show Invalid. In the Imported Functions Found window, right-click the invalid addresses and choose Trace Level1 (disasm), then click Show Invalid again: some entries are repaired. Right-click the remaining invalid addresses again and choose Trace Level1 (HOOK), then Show Invalid: a few more are repaired. Likewise choose Trace Level1 (Trap Flag) to repair a few more. If some are still not repaired, right-click those addresses once more and choose Plugin Tracer (Asprotect 1.2X Emul); after Show Invalid, every DLL should now display valid: Yes.
Then click Fix Dump, choose the DUMP1.EXE that you dumped with TRW2000's pedump, and the fully unpacked program is generated as dump1_.exe. Exit and run it: unpacking succeeded!
2. Statically disassemble the unpacked program with W32Dasm 8.93 Gold Edition and look through the string data references: no classic phrases turn up. What now? First analyse the file's resources with eXeScope 6.30; under "Resources\String Table\8" you can see:
112, This is the unregistered version; after you press OK it will automatically connect to the 洪亮软件 website. You can register to remove this restriction.
120, setting
121, name
122, left
123, right
Then open config.ini in the software's installation directory and you can see:
[setting]
name=newlaos
right=7878787878787878 <=== heh, here is the registration code
Back in W32Dasm 8.93, locate String Resource ID=00123: "right" and double-click it. Ouch, there is a whole pile of them; what now? Note them all down for later.
3. Now trace dynamically with TRW2000 1.23 registered version. Because this software verifies right at program start, set breakpoints on the addresses just noted down from the very beginning. Heaven helps: the program broke almost immediately, and at only one place, 004F0A06, which pins down the key registration-algorithm section.
.......
.......
* Possible Reference to String Resource ID=00123: "right"
|
:004F0A06 B87B000000 mov eax, 0000007B
:004F0A0B E88085F1FF call 00408F90
:004F0A10 8B85B8FEFFFF mov eax, dword ptr [ebp+FFFFFEB8]
:004F0A16 50 push eax
:004F0A17 8D95B4FEFFFF lea edx, dword ptr [ebp+FFFFFEB4]
* Possible Reference to String Resource ID=00120: "setting"
|
:004F0A1D B878000000 mov eax, 00000078
:004F0A22 E86985F1FF call 00408F90
:004F0A27 8B95B4FEFFFF mov edx, dword ptr [ebp+FFFFFEB4]
:004F0A2D 8B45F8 mov eax, dword ptr [ebp-08]
:004F0A30 59 pop ecx
:004F0A31 8B30 mov esi, dword ptr [eax]
:004F0A33 FF16 call dword ptr [esi]
:004F0A35 837DEC00 cmp dword ptr [ebp-14], 00000000
:004F0A39 0F8483000000 je 004F0AC2
:004F0A3F 837DE400 cmp dword ptr [ebp-1C], 00000000
:004F0A43 747D je 004F0AC2
:004F0A45 8D8DB0FEFFFF lea ecx, dword ptr [ebp+FFFFFEB0]
* Possible StringData Ref from Code Obj ->"holer@21cn.com"
|
:004F0A4B BA00124F00 mov edx, 004F1200 <===EDX=holer@21cn.com
:004F0A50 8B45E4 mov eax, dword ptr [ebp-1C]<===eax=7878787878787878
:004F0A53 E830A2FBFF call 004AAC88 <=== the key algorithm CALL; F8 to step in
:004F0A58 8B95B0FEFFFF mov edx, dword ptr [ebp+FFFFFEB0] <=== EDX here is the transformed registration code
:004F0A5E 8B45EC mov eax, dword ptr [ebp-14] <=== EAX=newlaos
:004F0A61 E87E36F1FF call 004040E4 <=== for registration to succeed, EDX above must equal EAX
:004F0A66 755A jne 004F0AC2 <=== the software can be patched here: change 755A to 745A
:004F0A68 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A6E 8B8038020000 mov eax, dword ptr [eax+00000238]
:004F0A74 B201 mov dl, 01
:004F0A76 E83DF5F3FF call 0042FFB8
:004F0A7B 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A81 8B8034020000 mov eax, dword ptr [eax+00000234]
:004F0A87 33D2 xor edx, edx
:004F0A89 E82AF5F3FF call 0042FFB8
:004F0A8E 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A94 8B8024020000 mov eax, dword ptr [eax+00000224]
:004F0A9A B201 mov dl, 01
:004F0A9C E817F5F3FF call 0042FFB8
:004F0AA1 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0AA7 8B8068020000 mov eax, dword ptr [eax+00000268]
:004F0AAD 33D2 xor edx, edx
:004F0AAF E804F5F3FF call 0042FFB8
:004F0AB4 8B55E0 mov edx, dword ptr [ebp-20]
:004F0AB7 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:004F0ABD E80EF6F3FF call 004300D0
.......
.......
-------- 004F0A53 call 004AAC88: the key algorithm CALL; pressing F8 to step in brings you to the following code section --------
Initial values: EDX=holer@21cn.com eax=7878787878
:004AAC88 55 push ebp
:004AAC89 8BEC mov ebp, esp
:004AAC8B 6A00 push 00000000
:004AAC8D 6A00 push 00000000
:004AAC8F 6A00 push 00000000
:004AAC91 6A00 push 00000000
:004AAC93 6A00 push 00000000
:004AAC95 53 push ebx
:004AAC96 56 push esi
:004AAC97 57 push edi
:004AAC98 8BF9 mov edi, ecx
:004AAC9A 8955F8 mov dword ptr [ebp-08], edx
:004AAC9D 8945FC mov dword ptr [ebp-04], eax
:004AACA0 8B45FC mov eax, dword ptr [ebp-04]
:004AACA3 E8E094F5FF call 00404188
:004AACA8 8B45F8 mov eax, dword ptr [ebp-08]
:004AACAB E8D894F5FF call 00404188
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAC74(C)
|
:004AACB0 33C0 xor eax, eax
:004AACB2 55 push ebp
:004AACB3 683EAD4A00 push 004AAD3E
:004AACB8 64FF30 push dword ptr fs:[eax]
:004AACBB 648920 mov dword ptr fs:[eax], esp
:004AACBE 8D45F4 lea eax, dword ptr [ebp-0C]
:004AACC1 E88E90F5FF call 00403D54
:004AACC6 8B45FC mov eax, dword ptr [ebp-04]
:004AACC9 E80693F5FF call 00403FD4
:004AACCE 8BD8 mov ebx, eax
:004AACD0 D1FB sar ebx, 1
:004AACD2 7903 jns 004AACD7
:004AACD4 83D300 adc ebx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AACD2(C)
|
:004AACD7 4B dec ebx
:004AACD8 85DB test ebx, ebx
:004AACDA 7C3A jl 004AAD16
:004AACDC 43 inc ebx
:004AACDD 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD14(C) <=== the loop starts from this line
|
:004AACDF 8D45F0 lea eax, dword ptr [ebp-10]
:004AACE2 50 push eax
:004AACE3 8BD6 mov edx, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAC71(C)
|
:004AACE5 03D2 add edx, edx
:004AACE7 42 inc edx
* Possible Reference to String Resource ID=00002: "http://www.holer.net"
|
:004AACE8 B902000000 mov ecx, 00000002
:004AACED 8B45FC mov eax, dword ptr [ebp-04] <===EAX=7878787878787878
:004AACF0 E8E794F5FF call 004041DC
:004AACF5 8B45F0 mov eax, dword ptr [ebp-10]
:004AACF8 E89BFEFFFF call 004AAB98
:004AACFD 8BD0 mov edx, eax
:004AACFF 8D45EC lea eax, dword ptr [ebp-14]
:004AAD02 E8F591F5FF call 00403EFC
:004AAD07 8B55EC mov edx, dword ptr [ebp-14]
:004AAD0A 8D45F4 lea eax, dword ptr [ebp-0C]
:004AAD0D E8CA92F5FF call 00403FDC
:004AAD12 46 inc esi
:004AAD13 4B dec ebx
:004AAD14 75C9 jne 004AACDF <=== this jumps back up to form a small loop: it takes the entered registration code two digits at a time, each pair being the ASCII code of one character; here that gives xxxxxxxx (78 corresponds to the character x), so the loop also runs 8 times
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AACDA(C)
|
:004AAD16 8BCF mov ecx, edi
:004AAD18 8B55F8 mov edx, dword ptr [ebp-08]<===EDX=holer@21cn.com
:004AAD1B 8B45F4 mov eax, dword ptr [ebp-0C]<===EAX=xxxxxxxx
:004AAD1E E8E1FCFFFF call 004AAA04 <=== this CALL performs the final transformation of xxxxxxxx; F8 to step in
:004AAD23 33C0 xor eax, eax
:004AAD25 5A pop edx
:004AAD26 59 pop ecx
:004AAD27 59 pop ecx
:004AAD28 648910 mov dword ptr fs:[eax], edx
:004AAD2B 6845AD4A00 push 004AAD45
:004AAD30 8D45EC lea eax, dword ptr [ebp-14]
:004AAD33 BA05000000 mov edx, 00000005
:004AAD38 E83B90F5FF call 00403D78
:004AAD45 5F pop edi
:004AAD46 5E pop esi
:004AAD47 5B pop ebx
:004AAD48 8BE5 mov esp, ebp
:004AAD4A 5D pop ebp
:004AAD4B C3 ret
----- 004AAD1E call 004AAA04: this CALL performs the final transformation of xxxxxxxx; F8 to step in -----
:004AAA04 55 push ebp
:004AAA05 8BEC mov ebp, esp
:004AAA07 83C4CC add esp, FFFFFFCC
:004AAA0A 53 push ebx
:004AAA0B 56 push esi
:004AAA0C 33DB xor ebx, ebx
:004AAA0E 895DCC mov dword ptr [ebp-34], ebx
:004AAA11 895DD8 mov dword ptr [ebp-28], ebx
:004AAA14 894DF4 mov dword ptr [ebp-0C], ecx
:004AAA17 8955F8 mov dword ptr [ebp-08], edx
:004AAA1A 8945FC mov dword ptr [ebp-04], eax
:004AAA1D 8B45FC mov eax, dword ptr [ebp-04]
:004AAA20 E86397F5FF call 00404188
:004AAA25 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA28 E85B97F5FF call 00404188
:004AAA2D 33C0 xor eax, eax
:004AAA2F 55 push ebp
:004AAA30 687DAB4A00 push 004AAB7D
:004AAA35 64FF30 push dword ptr fs:[eax]
:004AAA38 648920 mov dword ptr fs:[eax], esp
:004AAA3B 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA3E E89195F5FF call 00403FD4
:004AAA43 83F808 cmp eax, 00000008
:004AAA46 7D1C jge 004AAA64
:004AAA48 EB0D jmp 004AAA57
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA62(C)
|
:004AAA4A 8D45F8 lea eax, dword ptr [ebp-08]
:004AAA4D BA94AB4A00 mov edx, 004AAB94
:004AAA52 E88595F5FF call 00403FDC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA48(U)
|
:004AAA57 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA5A E87595F5FF call 00403FD4
:004AAA5F 83F808 cmp eax, 00000008
:004AAA62 7CE6 jl 004AAA4A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA46(C)
|
:004AAA64 33DB xor ebx, ebx
:004AAA66 8D45DC lea eax, dword ptr [ebp-24]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA76(C)
|
:004AAA69 8B55F8 mov edx, dword ptr [ebp-08]
:004AAA6C 8A141A mov dl, byte ptr [edx+ebx]
:004AAA6F 8810 mov byte ptr [eax], dl
:004AAA71 43 inc ebx
:004AAA72 40 inc eax
:004AAA73 83FB08 cmp ebx, 00000008 <=== loops only 8 times
:004AAA76 75F1 jne 004AAA69 <=== this forms a loop that picks out holer@21 (only the first 8 characters of holer@21cn.com)
:004AAA78 6A0F push 0000000F
:004AAA7A B980B94F00 mov ecx, 004FB980
:004AAA7F 8D45DC lea eax, dword ptr [ebp-24]
:004AAA82 BA07000000 mov edx, 00000007
:004AAA87 E848FBFFFF call 004AA5D4
:004AAA8C 8D45D8 lea eax, dword ptr [ebp-28]
:004AAA8F E8C092F5FF call 00403D54
:004AAA94 8B45FC mov eax, dword ptr [ebp-04]
:004AAA97 E83895F5FF call 00403FD4
:004AAA9C 85C0 test eax, eax
:004AAA9E 7903 jns 004AAAA3
:004AAAA0 83C007 add eax, 00000007
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA9E(C)
|
:004AAAA3 C1F803 sar eax, 03
:004AAAA6 48 dec eax
:004AAAA7 85C0 test eax, eax
:004AAAA9 7C7E jl 004AAB29
:004AAAAB 40 inc eax
:004AAAAC 8945D0 mov dword ptr [ebp-30], eax
:004AAAAF C745D400000000 mov [ebp-2C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB0E(C)
|
:004AAAB6 33DB xor ebx, ebx
:004AAAB8 8D45EC lea eax, dword ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAAD0(C)
|
:004AAABB 8B55D4 mov edx, dword ptr [ebp-2C]
:004AAABE C1E203 shl edx, 03
:004AAAC1 03D3 add edx, ebx
:004AAAC3 8B4DFC mov ecx, dword ptr [ebp-04]
:004AAAC6 8A1411 mov dl, byte ptr [ecx+edx]
:004AAAC9 8810 mov byte ptr [eax], dl
:004AAACB 43 inc ebx
:004AAACC 40 inc eax
:004AAACD 83FB08 cmp ebx, 00000008 <=== this shows the loop runs 8 times, i.e. only 16 digits of the registration code are used
:004AAAD0 75E9 jne 004AAABB <=== this forms a loop that picks out xxxxxxxx again
:004AAAD2 8D45E4 lea eax, dword ptr [ebp-1C]
:004AAAD5 50 push eax
:004AAAD6 6A07 push 00000007
:004AAAD8 8D55EC lea edx, dword ptr [ebp-14]
:004AAADB B907000000 mov ecx, 00000007
:004AAAE0 B001 mov al, 01
:004AAAE2 E845FDFFFF call 004AA82C <=== another key CALL; it produces the final transformed registration code; F8 to step in
:004AAAE7 BB08000000 mov ebx, 00000008
:004AAAEC 8D75E4 lea esi, dword ptr [ebp-1C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB06(C)
|
:004AAAEF 8D45CC lea eax, dword ptr [ebp-34]
:004AAAF2 8A16 mov dl, byte ptr [esi]
:004AAAF4 E80394F5FF call 00403EFC
:004AAAF9 8B55CC mov edx, dword ptr [ebp-34]
:004AAAFC 8D45D8 lea eax, dword ptr [ebp-28]
:004AAAFF E8D894F5FF call 00403FDC
:004AAB04 46 inc esi
:004AAB05 4B dec ebx
:004AAB06 75E7 jne 004AAAEF <=== this forms a loop that collects the final transformed registration code
:004AAB08 FF45D4 inc [ebp-2C]
:004AAB0B FF4DD0 dec [ebp-30]
:004AAB0E 75A6 jne 004AAAB6
:004AAB10 EB17 jmp 004AAB29
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB45(C)
|
:004AAB12 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB15 E8BA94F5FF call 00403FD4
:004AAB1A 8BD0 mov edx, eax
:004AAB1C 8D45D8 lea eax, dword ptr [ebp-28]
* Possible Reference to String Resource ID=00001: "http://www.holer.net/cn/cooperate.htm"
|
:004AAB1F B901000000 mov ecx, 00000001
:004AAB24 E8F396F5FF call 0040421C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AAAA9(C), :004AAB10(U)
|
:004AAB29 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB2C E8A394F5FF call 00403FD4
:004AAB31 85C0 test eax, eax
:004AAB33 7E12 jle 004AAB47
:004AAB35 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB38 E89794F5FF call 00403FD4
:004AAB3D 8B55D8 mov edx, dword ptr [ebp-28]
:004AAB40 807C02FF00 cmp byte ptr [edx+eax-01], 00
:004AAB45 74CB je 004AAB12
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB33(C)
|
:004AAB47 8B45F4 mov eax, dword ptr [ebp-0C]
:004AAB4A 8B55D8 mov edx, dword ptr [ebp-28]
:004AAB4D E85692F5FF call 00403DA8
:004AAB52 33C0 xor eax, eax
:004AAB54 5A pop edx
:004AAB55 59 pop ecx
:004AAB56 59 pop ecx
:004AAB57 648910 mov dword ptr fs:[eax], edx
:004AAB5A 6884AB4A00 push 004AAB84
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB82(U)
|
:004AAB5F 8D45CC lea eax, dword ptr [ebp-34]
:004AAB62 E8ED91F5FF call 00403D54
:004AAB67 8D45D8 lea eax, dword ptr [ebp-28]
:004AAB6A E8E591F5FF call 00403D54
:004AAB6F 8D45F8 lea eax, dword ptr [ebp-08]
* Possible Reference to String Resource ID=00002: "http://www.holer.net"
|
:004AAB72 BA02000000 mov edx, 00000002
:004AAB77 E8FC91F5FF call 00403D78
:004AAB7C C3 ret
:004AAB7D E96A8CF5FF jmp 004037EC
:004AAB82 EBDB jmp 004AAB5F
:004AAB84 5E pop esi
:004AAB85 5B pop ebx
:004AAB86 8BE5 mov esp, ebp
:004AAB88 5D pop ebp
:004AAB89 C3 ret
--------- 004AAAE2 call 004AA82C: the key CALL that produces the final transformed registration code; F8 to step in ---------
:004AA82C 55 push ebp
:004AA82D 8BEC mov ebp, esp
:004AA82F 83C4E8 add esp, FFFFFFE8
:004AA832 53 push ebx
:004AA833 56 push esi
:004AA834 57 push edi
:004AA835 8BD9 mov ebx, ecx
:004AA837 85DB test ebx, ebx
:004AA839 780A js 004AA845
:004AA83B C1EB02 shr ebx, 02
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA843(C)
|
:004AA83E 8B349A mov esi, dword ptr [edx+4*ebx]
:004AA841 4B dec ebx
:004AA842 56 push esi
:004AA843 79F9 jns 004AA83E