Text and figures: zjjtr
System Beautification Expert is a program dedicated to beautifying and personalizing Windows. The interface is attractive and easy to operate, so even new users can personalize Windows. It is shareware, and if it is not registered it is quite restricted. Unhappy with that, I did it myself.
After a quick registration attempt, I found that no registration prompt appears. It seems that the author has some security awareness. Checking the packer with PEiD shows ASPack 2.1, which is removed directly with the PEiD unpacking plug-in. A second check shows the program is written in Borland Delphi 6.0-7.0. There is no error message, so the only option is a breakpoint. Load the software in OD, press F9 to run, enter the username "zjjtr" and password "1234567890", set the universal breakpoint, click Register, and the program breaks.
77D3352D F3: A5 rep movs dword ptr es: [EDI], dword ptr ds>
77D3352F 8BC8 mov ecx, EAX
77D33531 83E1 03 and ecx, 3
77D33534 F3: A4 rep movs byte ptr es: [EDI], byte ptr ds: [>
77D33536 E8 E3FBFFFF CALL USER32.77D3311E
77D3353B 5F POP EDI
Check that the registers window on the right shows "zjjtr", then press F9 until "1234567890" appears. Select EDI, right-click and choose "Follow in Dump", press F8 to step over the next CALL after the breakpoint, select the registration code in the lower-left (dump) window, set a memory access breakpoint on it, and press F9.
004093E7 90 NOP
004093E8 /$ 53 PUSH EBX
004093E9 |. 56 PUSH ESI
004093EA |. 57 push edi; here
004093EB |. 8BFA mov edi, EDX
004093ED |. 8BF0 mov esi, EAX
004093EF |. 8BC6 mov eax, ESI
004093F1 |. E8 12B8FFFF CALL xp2003_e.00404C08
; Check whether the user name or registration code is null
004093F6 |. BB 01000000 mov ebx, 1
004093FB |. EB 01 jmp short xp2003_e.004093FE
004093FD |> 43 /INC EBX
004093FE |> 3BC3 cmp eax, EBX
00409400 |. 7C 07 | jl short xp2003_e.00409409
00409402 |. 807C1E FF 20 | cmp byte ptr ds: [ESI + EBX-1], 20
00409407 |. ^ 76 F4 jbe short xp2003_e.004093FD
00409409 |> 57 PUSH EDI
0040940A |. B9 FFFFFF7F mov ecx, 7FFFFFFF
0040940F |. 8BD3 mov edx, EBX
00409411 |. 8BC6 mov eax, ESI
00409413 |. E8 48BAFFFF CALL xp2003_e.00404E60
00409418 |. 5F POP EDI
00409419 |. 5E POP ESI
0040941A |. 5B POP EBX
0040941B. C3 RETN
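The routine at 004093E8 above, read back into C as an added example (not code from the original article or from the program's author). The function names are hypothetical, and it assumes that 00404C08 returns the string length and that 00404E60 copies a substring given a 1-based index and a count, which is what the argument setup in the listing suggests.

```c
#include <stdlib.h>
#include <string.h>

/* Reconstruction of the routine at 004093E8 from the listing above.
   Names are hypothetical; the binary's own symbols are not on the page. */

/* Returns a newly allocated copy of s with leading bytes <= 0x20 removed,
   or NULL when nothing is left. A Delphi empty string is a nil pointer,
   so callers can test the result against 0. NULL is also returned if
   allocation fails. */
char *trim_left(const char *s)
{
    size_t len = s ? strlen(s) : 0;   /* CALL 00404C08 (assumed: length) */
    size_t i = 1;                     /* mov ebx, 1  (1-based index)     */

    /* cmp eax, ebx / jl        -> stop when the index passes the end
       cmp byte [esi+ebx-1], 20 / jbe -> unsigned compare, skip <= 0x20 */
    while (i <= len && (unsigned char)s[i - 1] <= 0x20)
        i++;

    if (i > len)
        return NULL;                  /* only blanks or control bytes */

    /* CALL 00404E60 with index = i and count = 0x7FFFFFFF
       (assumed: substring copy), i.e. copy everything from i on. */
    size_t n = len - (i - 1);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s + i - 1, n + 1);    /* includes the terminating NUL */
    return out;
}

/* Returns 1 when a field is empty after trimming, 0 otherwise. */
int field_is_blank(const char *s)
{
    char *t = trim_left(s);
    int blank = (t == NULL);
    free(t);
    return blank;
}
```

Only leading bytes are skipped, so trailing spaces survive: the constructed input "  zjjtr " comes back as "zjjtr " with its final space.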
Press F8 at 0040941B to return to the following code.
005D9D52. 33C0 xor eax, EAX
005D9D54. 55 PUSH EBP
005D9D55. 68 349E5D00 PUSH xp2003_e.005D9E34
005D9D5A. 64: FF30 push dword ptr fs: [EAX]
005D9D5D. 64: 8920 mov dword ptr fs: [EAX], ESP
005D9D60. 33D2 xor edx, EDX
005D9D62. 55 PUSH EBP
005D9D63. 68 F49D5D00 PUSH xp2003_e.005D9DF4
005D9D68. 64: FF32 push dword ptr fs: [EDX]
005D9D6B. 64: 8922 mov dword ptr fs: [EDX], ESP
005D9D6E. 8D55 F8 lea edx, dword ptr ss: [EBP-8]
005D9D71. 8B83 04030000 mov eax, dword ptr ds: [EBX + 304]
005D9D77. E8 A4CFE6FF CALL xp2003_e.00446D20
005D9D7C. 8B45 F8 mov eax, dword ptr ss: [EBP-8]
005D9D7F. 8D55 fc lea edx, dword ptr ss: [EBP-4]
005D9D82. E8 61F6E2FF CALL xp2003_e.004093E8
005D9D87. 837D FC 00 cmp dword ptr ss: [EBP-4], 0
; Check whether the user name is empty
005D9D8B. 75 0C jnz short xp2003_e.005D9D99
005D9D8D. A1 B8056300 mov eax, dword ptr ds: [6305B8]
005D9D92. E8 35A8E8FF CALL xp2003_e.004645CC
005D9D97. EB 51 jmp short xp2003_e.005D9DEA
005D9D99> 8D55 F0 lea edx, dword ptr ss: [EBP-10]
005D9D9C. 8B83 08030000 mov eax, dword ptr ds: [EBX + 308]
005D9DA2. E8 79CFE6FF CALL xp2003_e.00446D20
005D9DA7. 8B45 F0 mov eax, dword ptr ss: [EBP-10]
005D9DAA. 8D55 F4 lea edx, dword ptr ss: [EBP-C]
005D9DAD. E8 36F6E2FF CALL xp2003_e.004093E8
005D9DB2. 837D F4 00 cmp dword ptr ss: [EBP-C], 0
; Check whether the registration code is null
005D9DB6. 75 0C jnz short xp2003_e.005D9DC4
005D9DB8. A1 B8056300 mov eax, dword ptr ds: [6305B8]
005D9DBD. E8 0AA8E8FF CALL xp2003_e.004645CC
005D9DC2. EB 26 jmp short xp2003_e.005D9DEA
005D9DC4> 8BC3 mov eax, EBX
005D9DC6. E8 C9020000 CALL xp2003_e.005DA094
; Algorithm call; step in with F7
005D9DCB. 84C0 test al, AL
005D9DCD. 74 09 je short xp2003_e.005D9DD8
005D9DCF. 8BC3 mov eax, EBX
005D9DD1. E8 6E000000 CALL xp2003_e.005D9E44
005D9DD6. EB 12 jmp short xp2003_e.005D9DEA
005D9DD8> B8 F4010000 mov eax, 1F4
005D9DDD> 48 DEC EAX
005D9DDE. ^ 75 fd jnz short xp2003_e.005D9DDD
005D9DE0. A1 B8056300 mov eax, dword ptr ds: [6305B8]
005D9DE5. E8 E2A7E8FF CALL xp2003_e.004645CC
005D9DEA> 33C0 xor eax, EAX
005D9DEC. 5A POP EDX
005D9DED. 59 POP ECX
005D9DEE. 59 POP ECX
005D9DEF. 64: 8910 mov dword ptr fs: [EAX], EDX
005D9DF2. EB 12 jmp short xp2003_e.005D9E06
005D9DF4. ^ E9 27A2E2FF JMP xp2003_e.00404020
005D9DF9. B8 F4010000 mov eax, 1F4
005D9DFE> 48 DEC EAX
005D9DFF. ^ 75 fd jnz short xp2003_e.005D9DFE
005D9E01. E8 82A5E2FF CALL xp2003_e.00404388
005D9E06> 33C0 xor eax, EAX
005D9E08. 5A POP EDX
005D9E09. 59 POP ECX
005D9E0A. 59 POP ECX
005D9E0B. 64: 8910 mov dword ptr fs: [EAX], EDX
005D9E0E. 68 3B9E5D00 PUSH xp2003_e.005D9E3B
005D9E13> 8D45 F0 lea eax, dword ptr ss: [EBP-10]
005D9E16. E8 35ABE2FF CALL xp2003_e.00404950
005D9E1B. 8D45 F4 lea eax, dword ptr ss: [EBP-C]
005D9E1E. E8 2DABE2FF CALL xp2003_e.00404950
005D9E23. 8D45 F8 lea eax, dword ptr ss: [EBP-8]
005D9E26. E8 25ABE2FF CALL xp2003_e.00404950
005D9E2B. 8D45 fc lea eax, dword ptr ss: [EBP-4]
005D9E2E. E8 1DABE2FF CALL xp2003_e.00404950
005D9E33. C3 RETN
005D9E34. ^ E9 9BA4E2FF JMP xp2003_e.004042D4
005D9E39. ^ EB D8 jmp short xp2003_e.005D9E13
005D9E3B. 5F POP EDI
005D9E3C. 5E POP ESI
005D9E3D. 5B POP EBX
005D9E3E. 8BE5 mov esp, EBP
005D9E40. 5D POP EBP
005D9E41. C3 RETN
Stepping in with F7 leads here.
005DA094 /$ 55 PUSH EBP
005DA095 |. 8BEC mov ebp, ESP
005DA097 |. 83C4 E8 add esp,-18
005DA09A |. 53 PUSH EBX
005DA09B |. 56 PUSH ESI
005DA09C |. 33D2 xor edx, EDX
005DA09E |. 8955 E8 mov dword ptr ss: [EBP-18], EDX
005DA0A1 |. 8955 ec mov dword ptr ss: [EBP-14], EDX
005DA0A4 |. 8955 F4 mov dword ptr ss: [EBP-C], EDX
005DA0A7 |. 8945 fc mov dword ptr ss: [EBP-4], EAX
005DA0AA |. 33C0 xor eax, EAX
005DA0AC |. 55 PUSH EBP
005DA0AD |. 68 93A15D00 PUSH xp2003_e.005DA193
005DA0B2 |. 64: FF30 push dword ptr fs: [EAX]
005DA0B5 |. 64: 8920 mov dword ptr fs: [EAX], ESP
005DA0B8 |. 33DB xor ebx, EBX
005DA0BA |. 8D55 F4 lea edx, dword ptr ss: [EBP-C]
005DA0BD |. 8B45 fc mov eax, dword ptr ss: [EBP-4]
005DA0C0 |. 8B80 04030000 mov eax, dword ptr ds: [EAX + 304]
005DA0C6 |. E8 55CCE6FF CALL xp2003_e.00446D20
; Put the username length in EAX
005DA0CB |. 8B45 F4 mov eax, dword ptr ss: [EBP-C]
005DA0CE |. E8 35ABE2FF CALL xp2003_e.00404C08
005DA0D3 |. 8BF0 mov esi, EAX
005DA0D5 |. 85F6 test esi, ESI
; Empty username
005DA0D7 |. 7E 38 jle short xp2003_e.005DA111
005DA0D9 |. C745 F0 01000> mov dword ptr ss: [EBP-10], 1
005DA0E0 |> 8D45 EC /lea eax, dword ptr ss: [EBP-14]
005DA0E3 |. 50 | PUSH EAX
005DA0E4 |. B9 01000000 | mov ecx, 1
005DA0E9 |. 8B55 F0 | mov edx, dword ptr ss: [EBP-10]
005DA0EC |. 8B45 F4 | mov eax, dword ptr ss: [EBP-C]
005DA0EF |. E8 6CADE2FF | CALL xp2003_e.00404E60
005DA0F4 |. 8B45 EC | mov eax, dword ptr ss: [EBP-14]
005DA0F7 |. E8 04ADE2FF | CALL xp2003_e.00404E00
005DA0FC |. 8A00 | mov al, BYTE P