火狐压力测试服务端上线地址解密
【破文标题】火狐压力测试服务端上线地址解密
【破文作者】HackWm
【作者邮箱】 [email protected]
【作者主页】 http://hackwm.blog.51cto.com
【破解工具】OD
【破解平台】XP SP3
【软件名称】火狐压力测试服务端
【软件大小】
【原版下载】不知道哪里下
【保护方式】无
【软件简介】
【破解声明】只为学习.
------------------------------------------------------------------------
【破解过程】OD载入后入口如下:
00404ABF > 55 PUSH EBP
00404AC0 8BEC MOV EBP,ESP
00404AC2 6A FF PUSH -1
00404AC4 68 28524000 PUSH FF_Serve.00405228
00404AC9 68 604A4000 PUSH <JMP.&MSVCRT._except_handler3>
00404ACE 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00404AD4 50 PUSH EAX
00404AD5 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00404ADC 83EC 68 SUB ESP,68
00404ADF 53 PUSH EBX
00404AE0 56 PUSH ESI
00404AE1 57 PUSH EDI
【破文作者】HackWm
【作者邮箱】 [email protected]
【作者主页】 http://hackwm.blog.51cto.com
【破解工具】OD
【破解平台】XP SP3
【软件名称】火狐压力测试服务端
【软件大小】
【原版下载】不知道哪里下
【保护方式】无
【软件简介】
【破解声明】只为学习.
------------------------------------------------------------------------
【破解过程】OD载入后入口如下:
00404ABF > 55 PUSH EBP
00404AC0 8BEC MOV EBP,ESP
00404AC2 6A FF PUSH -1
00404AC4 68 28524000 PUSH FF_Serve.00405228
00404AC9 68 604A4000 PUSH <JMP.&MSVCRT._except_handler3>
00404ACE 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00404AD4 50 PUSH EAX
00404AD5 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00404ADC 83EC 68 SUB ESP,68
00404ADF 53 PUSH EBX
00404AE0 56 PUSH ESI
00404AE1 57 PUSH EDI
单步走,当然要小心,毕竟是木马,最好在虚拟机里弄.
00404BE4 56 PUSH ESI
00404BE5 53 PUSH EBX
00404BE6 53 PUSH EBX
00404BE7 FF15 C4504000 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; kernel32.GetModuleHandleA
00404BED 50 PUSH EAX
00404BEE E8 7DD2FFFF CALL FF_Serve.00401E70
00404BF3 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00404BF6 50 PUSH EAX
00404BF7 FF15 5C514000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; MSVCRT.exit
00404BFD 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00404C00 8B08 MOV ECX,DWORD PTR DS:[EAX]
00404BE5 53 PUSH EBX
00404BE6 53 PUSH EBX
00404BE7 FF15 C4504000 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; kernel32.GetModuleHandleA
00404BED 50 PUSH EAX
00404BEE E8 7DD2FFFF CALL FF_Serve.00401E70
00404BF3 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00404BF6 50 PUSH EAX
00404BF7 FF15 5C514000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; MSVCRT.exit
00404BFD 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00404C00 8B08 MOV ECX,DWORD PTR DS:[EAX]
这里要注意下了 CALL FF_Serve.00401E70 下面又CALL 了退出函数 CALL FF_Serve.00401E70过了后就跑飞
所以咱F7进去
所以咱F7进去
00401E70 55 PUSH EBP
00401E71 8BEC MOV EBP,ESP
00401E73 81EC 1C030000 SUB ESP,31C
00401E79 56 PUSH ESI
00401E7A 6A 01 PUSH 1
00401E7C FF15 EC504000 CALL DWORD PTR DS:[<&kernel32.SetErrorMo>; kernel32.SetErrorMode
00401E82 EB 10 JMP SHORT FF_Serve.00401E94
00401E71 8BEC MOV EBP,ESP
00401E73 81EC 1C030000 SUB ESP,31C
00401E79 56 PUSH ESI
00401E7A 6A 01 PUSH 1
00401E7C FF15 EC504000 CALL DWORD PTR DS:[<&kernel32.SetErrorMo>; kernel32.SetErrorMode
00401E82 EB 10 JMP SHORT FF_Serve.00401E94
然后再单步几下通过这个JMP就到了
00401E94 68 D9070000 PUSH 7D9 ; 算法
00401E99 68 B0010000 PUSH 1B0
00401E9E 68 60744000 PUSH FF_Serve.00407460
00401EA3 E8 28230000 CALL FF_Serve.004041D0
00401EA8 68 D8070000 PUSH 7D8
00401EAD 68 B0010000 PUSH 1B0
00401EB2 68 60744000 PUSH FF_Serve.00407460
00401EB7 E8 14230000 CALL FF_Serve.004041D0
00401EBC 68 D7070000 PUSH 7D7
00401EC1 68 B0010000 PUSH 1B0
00401EC6 68 60744000 PUSH FF_Serve.00407460
00401ECB E8 00230000 CALL FF_Serve.004041D0
00401ED0 68 D6070000 PUSH 7D6
00401ED5 68 B0010000 PUSH 1B0
00401EDA 68 60744000 PUSH FF_Serve.00407460
00401EDF E8 EC220000 CALL FF_Serve.004041D0
00401EE4 A1 EC754000 MOV EAX,DWORD PTR DS:[4075EC]
也就是解密部分了.这4个CALL都是.就是说进行了4次解密.里面就有算法了,进入了解下
004041D0 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004041D4 B9 FE000000 MOV ECX,0FE
004041D9 25 FF000000 AND EAX,0FF
004041DE 56 PUSH ESI
004041DF 99 CDQ
004041E0 F7F9 IDIV ECX
004041E2 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
004041E6 FEC2 INC DL
004041E8 85F6 TEST ESI,ESI
004041EA 76 10 JBE SHORT FF_Serve.004041FC
004041EC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004041F0 8A08 MOV CL,BYTE PTR DS:[EAX] ; 将密文的ASCII马给CL
004041F2 2ACA SUB CL,DL ; CL=CL-DL
004041F4 32CA XOR CL,DL ; CL=CL XOR DL
004041F6 8808 MOV BYTE PTR DS:[EAX],CL ; 结果存放起来
004041F8 40 INC EAX ; FF_Serve.00407610
004041F9 4E DEC ESI
004041FA ^ 75 F4 JNZ SHORT FF_Serve.004041F0 ; 就这羊循环N次
004041FC 5E POP ESI ; FF_Serve.00401EA8
004041FD C3 RETN
004041D4 B9 FE000000 MOV ECX,0FE
004041D9 25 FF000000 AND EAX,0FF
004041DE 56 PUSH ESI
004041DF 99 CDQ
004041E0 F7F9 IDIV ECX
004041E2 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
004041E6 FEC2 INC DL
004041E8 85F6 TEST ESI,ESI
004041EA 76 10 JBE SHORT FF_Serve.004041FC
004041EC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004041F0 8A08 MOV CL,BYTE PTR DS:[EAX] ; 将密文的ASCII马给CL
004041F2 2ACA SUB CL,DL ; CL=CL-DL
004041F4 32CA XOR CL,DL ; CL=CL XOR DL
004041F6 8808 MOV BYTE PTR DS:[EAX],CL ; 结果存放起来
004041F8 40 INC EAX ; FF_Serve.00407610
004041F9 4E DEC ESI
004041FA ^ 75 F4 JNZ SHORT FF_Serve.004041F0 ; 就这羊循环N次
004041FC 5E POP ESI ; FF_Serve.00401EA8
004041FD C3 RETN
4次解密的算法都是一样 那3个我就略过
00401EAD 68 B0010000 PUSH 1B0
00401EB2 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401EB7 E8 14230000 CALL FF_Serve.004041D0
00401EBC 68 D7070000 PUSH 7D7
00401EC1 68 B0010000 PUSH 1B0
00401EC6 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401ECB E8 00230000 CALL FF_Serve.004041D0
00401ED0 68 D6070000 PUSH 7D6
00401ED5 68 B0010000 PUSH 1B0
00401EDA 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401EDF E8 EC220000 CALL FF_Serve.004041D0
00401EE4 A1 EC754000 MOV EAX,DWORD PTR DS:[4075EC]
00401EB2 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401EB7 E8 14230000 CALL FF_Serve.004041D0
00401EBC 68 D7070000 PUSH 7D7
00401EC1 68 B0010000 PUSH 1B0
00401EC6 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401ECB E8 00230000 CALL FF_Serve.004041D0
00401ED0 68 D6070000 PUSH 7D6
00401ED5 68 B0010000 PUSH 1B0
00401EDA 68 60744000 PUSH FF_Serve.00407460 ; ASCII "127.0.0.1:2010"
00401EDF E8 EC220000 CALL FF_Serve.004041D0
00401EE4 A1 EC754000 MOV EAX,DWORD PTR DS:[4075EC]
4个CALL都过去后就显示出了明文上线地址 127.0.0.1:2010
所以也就是说解密完了 也可以功成身退了!
------------------------------------------------------------------------
【破解总结】第一次接触 谢谢帮助我的人 有所感悟 不过解密实在是头疼的事!
------------------------------------------------------------------------
------------------------------------------------------------------------
【破解总结】第一次接触 谢谢帮助我的人 有所感悟 不过解密实在是头疼的事!
------------------------------------------------------------------------