
Cracking FTP dongle software

Published: 2018-02-08    Source: unknown    Views: 69

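1) Launch cutftp32.exe; the online-registration nag window pops up. Analysis: its registration information must be stored in the registry, or it is protected by a keyfile.

2) Run filemon and regmon and analyse the output:

The following suspicious items turn up →

AUTONAME.DAT, COMMANDS.DAT--------> files the program accesses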


QueryValueEx    HKLM\Software\GlobalSCAPE Inc.\CuteFTP\Key2                    NOTFOUND        

QueryValueEx    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId    SUCCESS    "80123-026-6304672-53376"    
CloseKey    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion                    SUCCESS        
OpenKey    HKCR\Rl                                                            NOTFOUND    ※※※※    
OpenKey    HKLM\Software\GlobalSCAPE Inc.\CuteFTP    SUCCESS    hKey: 0xC2A0E050    
QueryValueEx    HKLM\Software\GlobalSCAPE Inc.\CuteFTP\Key1                    NOTFOUND    


3) I tried creating the two values Key1 and Key2, with no visible effect. So I created Rl\1 under HKCR\ and entered an arbitrary string, "23232323232323".

 Under [HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\CuteFTP] I created "RegUserName"="moonLite[BCG]"


4) Run cutftp32.exe again; the online-registration window pops up. Bring up TRW, click the "Continue Trial" button and press Ctrl+D to activate TRW. The program lands at --->

* Reference To: USER32.GetMessageA, Ord:012Ah
                                  |
:004DD7E4 FF1594D75100            Call dword ptr [0051D794]
:004DD7EA 85C0                    test eax, eax<-------------------------cursor is here!
:004DD7EC 7426                    je 004DD814
:004DD7EE 817E346A030000          cmp dword ptr [esi+34], 0000036A
:004DD7F5 741A                    je 004DD811
:004DD7F7 8B06                    mov eax, dword ptr [esi]
:004DD7F9 57                      push edi
:004DD7FA 8BCE                    mov ecx, esi
:004DD7FC FF5058                  call [eax+58]
:004DD7FF 85C0                    test eax, eax
:004DD801 750E                    jne 004DD811
:004DD803 57                      push edi


Start stepping with F12+F10 and note down the suspicious jumps: 4D8249, 43B873.


:0043B849 68F4235500              push 005523F4
:0043B84E 8BCB                    mov ecx, ebx
:0043B850 E82CB70B00              call 004F6F81
:0043B855 8983DC000000            mov dword ptr [ebx+000000DC], eax
:0043B85B B801000000              mov eax, 00000001
:0043B860 898344060000            mov dword ptr [ebx+00000644], eax
:0043B866 898380060000            mov dword ptr [ebx+00000680], eax
:0043B86C E8FF4F0500              call 00490870------------------------->step into
:0043B871 85C0                    test eax, eax-------------------------|here, making eax=1 skips the nag!
:0043B873 753D                    jne 0043B8B2
:0043B875 33F6                    xor esi, esi
:0043B877 8BCB                    mov ecx, ebx
:0043B879 56                      push esi

* Possible StringData Ref from Data Obj ->"TSUninstaller"
                                  |
:0043B87A 68DC465500              push 005546DC

* Possible StringData Ref from Data Obj ->"CtFPRgsraeoe"
                                  |
:0043B87F 68F4235500              push 005523F4
:0043B884 E85B890A00              call 004E41E4
:0043B889 89B380060000            mov dword ptr [ebx+00000680], esi
:0043B88F 6A01                    push 00000001
:0043B891 8BCB                    mov ecx, ebx
:0043B893 89B388060000            mov dword ptr [ebx+00000688], esi
:0043B899 E812130000              call 0043CBB0
:0043B89E 8BCB                    mov ecx, ebx
:0043B8A0 E87B0A0000              call 0043C320-------------------------|online-registration window
:0043B8A5 85C0                    test eax, eax
:0043B8A7 751E                    jne 0043B8C7
:0043B8A9 56                      push esi

Clearly the CALL at 0043B86C is the suspect; we have to step into it and look!


5)

* Referenced by a CALL at Addresses:
|:004013FA  , :004300A8  , :004346DB  , :0043B86C  , :0044045B 
|:004459D9  , :004476A3  , :00457F8F  , :0047D15E  , :0047D8FE 
|:0048B82F  , :0048C470  , :00491F79  , :004ACB68 
|
:00490870 64A100000000            mov eax, dword ptr fs:[00000000]


* Possible Reference to String Resource ID=00255: "No entry for the current site found. Do you wish to create o"
                                  |
:00490876 6AFF                    push FFFFFFFF
:00490878 68D34F5100              push 00514FD3
:0049087D 50                      push eax
:0049087E B81C180000              mov eax, 0000181C
:00490883 64892500000000          mov dword ptr fs:[00000000], esp
:0049088A E801130300              call 004C1B90
:0049088F 53                      push ebx
:00490890 8D8424680C0000          lea eax, dword ptr [esp+00000C68]
:00490897 56                      push esi
:00490898 50                      push eax
:00490899 E882F9FFFF              call 00490220
:0049089E 83C404                  add esp, 00000004
:004908A1 85C0                    test eax, eax
:004908A3 7517                    jne 004908BC
:004908A5 5E                      pop esi
:004908A6 5B                      pop ebx
:004908A7 8B8C241C180000          mov ecx, dword ptr [esp+0000181C]
:004908AE 64890D00000000          mov dword ptr fs:[00000000], ecx
:004908B5 81C428180000            add esp, 00001828
:004908BB C3                      ret


--> Keep pressing F10 and you arrive at:

:004908E7 83C40C                  add esp, 0000000C
:004908EA 85C0                    test eax, eax
:004908EC 5F                      pop edi
:004908ED 0F857A020000            jne 00490B6D
:004908F3 8A84249C040000          mov al, byte ptr [esp+0000049C]---------------|fetch one character from "23232323232323"
:004908FA 84C0                    test al, al
:004908FC 0F84C1020000            je 00490BC3
:00490902 8D8C249C040000          lea ecx, dword ptr [esp+0000049C]---------------|ecx points to the string "23232323232323"
:00490909 8D542418                lea edx, dword ptr [esp+18]
:0049090D 51                      push ecx
:0049090E 52                      push edx
:0049090F C7442420FFFFFF7F        mov [esp+20], 7FFFFFFF
:00490917 E824690200              call 004B7240--------------->note the check that follows immediately; this must be traced into
:0049091C 83C408                  add esp, 00000008
:0049091F 6685C0                  test ax, ax---------------|if ax is non-zero, it succeeds!
:00490922 7519                    jne 0049093D---------------|no jump means failure!
:00490924 5E                      pop esi
:00490925 33C0                    xor eax, eax---------------|eax is the registration flag
:00490927 5B                      pop ebx
:00490928 8B8C241C180000          mov ecx, dword ptr [esp+0000181C]
:0049092F 64890D00000000          mov dword ptr fs:[00000000], ecx
:00490936 81C428180000            add esp, 00001828
:0049093C C3                      ret

--------------------

* Referenced by a CALL at Addresses:
|:00490917  , :00490BA2  , :004915A6 
|
:004B7240 83EC20                  sub esp, 00000020--------------------------------------------|
:004B7243 83C9FF                  or ecx, FFFFFFFF                                            |
:004B7246 33C0                    xor eax, eax                                                |
:004B7248 56                      push esi                                                    |
:004B7249 8B74242C                mov esi, dword ptr [esp+2C]/points to the "23232323232323" string  |compute the string length
:004B724D 57                      push edi                                                    |
:004B724E 8BFE                    mov edi, esi                                                |
:004B7250 F2                      repnz                                                        |
:004B7251 AE                      scasb                                                        |
:004B7252 F7D1                    not ecx                                                      |
:004B7254 49                      dec ecx -----------------------------------------------------|
:004B7255 83F90E                  cmp ecx, 0000000E--------------------|if the length is not 14 characters, it's game over!
:004B7258 7573                    jne 004B72CD-------------------------|do not take this jump!
:004B725A 56                      push esi
:004B725B E863E10000              call 004C53C3

............
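
The length check at the top of 004B7240, modelled in C as an added example (not code from the original post; the function names are this example's own). It shows why the or ecx / repnz scasb / not ecx / dec ecx sequence leaves the string length in ecx before the comparison with 0Eh.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register-level model of 004B7243..004B7254 (hypothetical helper name). */
static uint32_t scasb_strlen(const char *s)
{
    uint32_t ecx = 0xFFFFFFFFu;               /* or ecx, FFFFFFFF           */
    const uint8_t al = 0;                     /* xor eax, eax -> AL = 0     */
    const uint8_t *edi = (const uint8_t *)s;  /* mov edi, esi               */

    /* repnz scasb: compare AL with [edi], advance edi, decrement ecx,
       and stop once the bytes match (the NUL) or ecx reaches zero. */
    while (ecx != 0) {
        uint8_t b = *edi++;
        ecx--;
        if (b == al)
            break;
    }
    /* After n characters plus the NUL, ecx = -(n + 2). */
    ecx = ~ecx;                               /* not ecx -> n + 1           */
    ecx -= 1;                                 /* dec ecx -> n               */
    return ecx;
}

/* cmp ecx, 0000000E / jne 004B72CD: only 14-character input continues. */
static int passes_length_gate(const char *s)
{
    return scasb_strlen(s) == 0x0E;
}

int main(void)
{
    /* Sample inputs: the two strings entered in step 3 of the walkthrough,
       plus a constructed short string and the empty string. */
    const char *samples[] = { "23232323232323", "moonLite[BCG]", "2323", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s len=%u gate=%s\n", samples[i],
               (unsigned)scasb_strlen(samples[i]),
               passes_length_gate(samples[i]) ? "continue" : "jne 004B72CD");
    return 0;
}
```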

Execution then reaches
:004B728C C644242800              mov [esp+28], 00
:004B7291 E86A20FEFF              call 00499300
:004B7296 8D442438                lea eax, dword ptr [esp+38]-------------------|issue d eax to take a look

* Possible Reference to String Resource ID=00014: "Paste Url"
                                  |
:004B729A 6A0E                    push 0000000E
:004B729C 8D4C242C                lea ecx, dword ptr [esp+2C]-------------------|issue d ecx to see the interesting part!


============================================================================

0030:0071DAE4 41 32 32 32 32 32 32 32-32 32 32 32 32 32 00 C2 A2222222222222.?
0030:0071DAF4 32 33 32 33 32 33 32 33-32 33 32 33 32 33 00 00 23232323232323..

============================================================================


:004B72A0 50                      push eax
:004B72A1 51                      push ecx
:004B72A2 E879C90000              call 004C3C20-------------------|the key comparison routine! (not listed here, it would make this too long)
:004B72A7 83C42C                  add esp, 0000002C
:004B72AA 85C0                    test eax, eax-------------------|eax=0 is correct! eax=1 means failure
:004B72AC 7510                    jne 004B72BE--------------------|if eax=1, the failure jump is taken
:004B72AE 8B54242C                mov edx, dword ptr [esp+2C]
:004B72B2 660DFFFF                or ax, FFFF
:004B72B6 893A                    mov dword ptr [edx], edi
:004B72B8 5F                      pop edi
:004B72B9 5E                      pop esi
:004B72BA 83C420                  add esp, 00000020
:004B72BD C3                      ret

▲ Tried changing the value of [HKEY_CLASSES_ROOT\Rl]\1 to "A2222222222222" and re-ran the program -- wow! The nag window is gone!! But the About window shows
Licensed to: UNVERIFIED - moonLite [BCG]. Does it still need to verify online?


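6) Sure enough, once online, the program on startup automatically connects to its server to verify, and gets back "moonLite[BCG] & A2222222222222" not accepted.... Impressive!
  --> Looks like patching the binary is the only way left.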

