Natural code Input Method

Source: Internet
Author: User

Protection scheme: before the registration code is compared, the program spawns a second process that calls a VxD directly (bypassing the Windows API) to read a fingerprint (key) disk; if no fingerprint disk is present, the registration code is never compared at all. The packer on this software is actually easy to remove, but unpacking a DLL is a basic skill many beginners have not mastered, so I will strip the packer from trm32.ime anyway, even though it is not strictly necessary. (Trm32.ime is just a DLL.)

The difficulty with unpacking a DLL is that a DLL is loaded dynamically (obviously!), so you cannot simply start it under a loader. Instead we patch an int 3 instruction onto the DLL's entry point, so the debugger catches the moment the DLL is loaded.

Open Windows\System\trm32.ime in PEditor: entry point = 0003d210, image base = 10000000. PEditor's FLC (file location calculator) maps the virtual address 1003d210 to file offset 00013610. In a hex editor, change the byte at offset 00013610 (machine code 80h) to CC (the opcode of int 3).

Now run TRW2K and issue the command "I3HERE ON". Open the Input Method manager from the task bar, select Natural Code and click "Properties". TRW2K pops up, stopped at the entry point of the DLL:

017f:1003d210 CC           INT3
017f:1003d211 7C24         JL 1003d237 (NO JUMP)   <== misdisassembly: the CC replaced the first byte of a CMP
017f:1003d213 0801         OR [ecx],al
017f:1003d215 0F8581010000 JNZ NEAR 1003d39c
017f:1003d21b              PUSHA
017f:1003d21c BE00A00210   MOV esi,1002a000

Enter "R EIP EIP-1" to move EIP back onto the patched byte, "D EIP" to display it, and restore the byte at 017f:1003d210 to 80h. The code now disassembles correctly:

017f:1003d210 807C240801   CMP BYTE [esp+08],01
017f:1003d215 0F8581010000 JNZ NEAR 1003d39c
017f:1003d21b              PUSHA
017f:1003d21c BE00A00210   MOV esi,1002a000
017f:1003d221 8DBE0070FDFF LEA edi,[esi+fffd7000]
017f:1003d227              PUSH EDI

The CMP tests DllMain's fdwReason argument ([esp+08]) against DLL_PROCESS_ATTACH (1); for any other reason the stub skips decompression and goes to 1003d39c, which jumps straight to the original entry point. PUSHA followed by MOV esi,... and LEA edi,[esi+negative] is the well-known UPX decompression prologue.

Stepping with F10 brings us here:

017f:1003d344              XCHG EAX,EBP
017f:1003d345 8A07         MOV al,[edi]
017f:1003d347              INC EDI            <== edi points to the name of the imported function
017f:1003d348 08C0         OR al,al
017f:1003d34a 74DC         JZ 1003d328        <== zero byte: end of this name list
017f:1003d34c 89F9         MOV ecx,edi
017f:1003d34e              PUSH EDI           <== function name
017f:1003d34f              DEC EAX
017f:1003d350 F2AE         REPNE SCASB        <== skip to the end of the name string
017f:1003d352              PUSH EBP           <== module handle
017f:1003d353 FF9634DA0300 CALL NEAR [esi+0003da34]  <== GetProcAddress
017f:1003d359 09C0         OR eax,eax
017f:1003d35b 7407         JZ 1003d364        <== unresolved import: bail out
017f:1003d35d 8903         MOV [ebx],eax      <== store the address in the IAT slot
017f:1003d35f 83C304       ADD ebx,byte +04
017f:1003d362 EBE1         JMP SHORT 1003d345

The code above rebuilds the import table: for each function name the stub calls GetProcAddress and writes the returned address into the next IAT slot at [ebx]. Continue stepping with F10 until you reach:

017f:1003d38c EBE2         JMP SHORT 1003d370
017f:1003d38e 240F         AND al,0f
017f:1003d390 C1E010       SHL eax,10
017f:1003d393 668B07       MOV ax,[edi]
017f:1003d396 83C702       ADD edi,byte +02
017f:1003d399 EBE2         JMP SHORT 1003d37d
017f:1003d39b              POPA               <== a very familiar sight!
017f:1003d39c E906BBFCFF   JMP 10008ea7       <== OEP

So the OEP is at 10008ea7. Once execution reaches 10008ea7, dump the module. First find the base address of Trm32.ime with "MOD32 TRM32.IME"; it is shown as xxxxxxxx. Then "PEDUMP C:\trm32.dll xxxxxxxx" writes the dump, and "SUSPEND" suspends the process.

Back in Windows, run ImpREC 1.3. Select Rundll32.exe in the task list, click "Pick DLL" and choose Trm32.ime. Enter the OEP as 8EA7 (the RVA, i.e. 10008ea7 minus the image base 10000000).

"Get Imports" rebuilds the IAT; then "Fix Dump" on the dumped file produces trm32_.dll. Rename it to Trm32.ime and the unpacking is complete.
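The import-resolution loop in the stub (MOV al,[edi] / GetProcAddress / MOV [ebx],eax above) and ImpREC's "Get Imports" step are two sides of the same operation: the stub turns names into addresses at load time, and the rebuilder turns the addresses found in the dump back into names. The Python below is an added example, not code from this write-up nor from TRW2K or ImpREC. It emulates the by-name branch of that loop over a constructed name table and fake export tables, then maps every IAT slot back to a module and export name the way a rebuilder does. The module bases, export addresses and the flag-byte value 1 are constructed assumptions; the page only shows that a zero flag byte ends a list and that ordinal imports take a separate path (the AND al,0f / SHL eax,10 code), which is not modelled here.

```python
# Added example: emulate the packer stub's import-resolution loop and the
# reverse mapping an IAT rebuilder (ImpREC's "Get Imports") performs.
# Every address, module base and name table below is constructed.
import struct
from typing import Dict, List, Tuple

# Stand-in export tables: module base -> {export name: address}.
# The bases and addresses are invented; they only need to be unique.
EXPORTS: Dict[int, Dict[str, int]] = {
    0xBFF70000: {"GetProcAddress": 0xBFF76DA8, "DeviceIoControl": 0xBFF7B0C4},
    0xBFC00000: {"MessageBoxA": 0xBFC0A0E1, "EndDialog": 0xBFC0B3F5},
}
MODULE_NAMES: Dict[int, str] = {0xBFF70000: "kernel32.dll", 0xBFC00000: "user32.dll"}


def get_proc_address(hmodule: int, name: str) -> int:
    """Stand-in for GetProcAddress: returns 0 when the export does not exist."""
    return EXPORTS.get(hmodule, {}).get(name, 0)


def resolve_names(table: bytes, hmodule: int, iat: bytearray, ebx: int) -> int:
    """Emulates the loop at 1003d345..1003d362 (by-name entries only).

    `table` is what edi points to: [flag byte][name\\0] ... ended by a 0 flag.
    `hmodule` is ebp (the module handle pushed before the call), `iat` is the
    IAT being filled and `ebx` the byte offset of the next slot. Returns the
    new ebx. The flag value 1 is a constructed choice: the page only shows
    that a zero flag terminates the list.
    """
    edi = 0
    while True:
        flag = table[edi]                       # MOV al,[edi]
        edi += 1                                # INC edi
        if flag == 0:                           # OR al,al ; JZ 1003d328
            return ebx
        end = table.index(b"\0", edi)           # REPNE SCASB runs to the terminator
        name = table[edi:end].decode("ascii")
        edi = end + 1
        addr = get_proc_address(hmodule, name)  # PUSH edi ; PUSH ebp ; CALL GetProcAddress
        if addr == 0:                           # OR eax,eax ; JZ 1003d364 (failure exit)
            raise LookupError(f"unresolved import: {name}")
        struct.pack_into("<I", iat, ebx, addr)  # MOV [ebx],eax
        ebx += 4                                # ADD ebx,4 ; JMP SHORT 1003d345


def rebuild_imports(iat: bytes) -> List[Tuple[int, str, str]]:
    """What an IAT rebuilder does on a dump taken at the OEP: every dword in the
    IAT is a live address, so look each one up in the loaded modules' export
    tables to get (iat offset, module, export name) back. Slots that match
    no export are reported with module '?' so they can be fixed by hand."""
    by_addr = {addr: (MODULE_NAMES[base], name)
               for base, exports in EXPORTS.items()
               for name, addr in exports.items()}
    found: List[Tuple[int, str, str]] = []
    for off in range(0, len(iat) - len(iat) % 4, 4):
        (addr,) = struct.unpack_from("<I", iat, off)
        if addr == 0:                           # empty slot / end of a thunk list
            continue
        module, name = by_addr.get(addr, ("?", f"{addr:08x}"))
        found.append((off, module, name))
    return found


def demo() -> List[Tuple[int, str, str]]:
    """Run the stub's loop over two constructed name lists, then rebuild."""
    iat = bytearray(16)                         # four empty dword slots, as in the packed file
    ebx = 0
    ebx = resolve_names(b"\x01GetProcAddress\0\x01DeviceIoControl\0\0", 0xBFF70000, iat, ebx)
    ebx = resolve_names(b"\x01MessageBoxA\0\x01EndDialog\0\0", 0xBFC00000, iat, ebx)
    return rebuild_imports(bytes(iat))


if __name__ == "__main__":
    for off, module, name in demo():
        print(f"IAT+{off:02x}: {module}!{name}")
```

The point of the reverse step is why the OEP matters so much for "Get Imports": the IAT only contains usable addresses after the stub's loop has run, so a dump taken before the JMP to the OEP would give the rebuilder nothing but zeros to map.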

Replace the original file with the unpacked Trm32.ime and run the Input Method manager again. Choose Natural Code and click "Properties": a MessageBox appears saying there is no fingerprint disk or the disk serial is wrong. Press Ctrl-N to activate TRW2K, type "PMODULE", then click "OK" on the message box; TRW2K returns here:

:00401514 89442410     mov dword ptr [esp+10], eax
:00401518 8B442434     mov eax, dword ptr [esp+34]
:0040151C              push eax
:0040151D E88EFCFFFF   call 004011B0              <== step into this
:00401522 8BD8         mov ebx, eax
:00401524 3BDE         cmp ebx, esi
:00401526 7528         jne 00401550
:00401528              push esi

* Possible StringData Ref from Data Obj ->"Diskserial"
|
:00401529 68DC704000   push 004070DC
:0040152E B8847F4000   mov eax, 00407F84

* Possible StringData Ref from Data Obj ->"Disk not exists or process failed!"
|
:00401533 68B8704000   push 004070B8
:00401538              push esi
:00401539 89442424     mov dword ptr [esp+24], eax
:0040153D 89442428     mov dword ptr [esp+28], eax
:00401541 89442420     mov dword ptr [esp+20], eax

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00401545 FF15C8604000 call dword ptr [004060C8]
:0040154B E9A1000000   jmp 004015F1

Note that we are now in the address space of getdiskserial.exe (Trm32.ime spawns a getdiskserial.exe process). Looking up, notice the call 004011B0 at 0040151D. Set a breakpoint there, run again, and step into call 004011B0; inside it we reach:

017f:00401439                PUSH EAX
017f:0040143a 8D8C2488030000 LEA ecx,[esp+0388]
017f:00401441 6A04           PUSH BYTE +04
017f:00401443 51             PUSH ECX
017f:00401444 6A00           PUSH BYTE +00
017f:00401446 6A00           PUSH BYTE +00
017f:00401448 6A01           PUSH BYTE +01
017f:0040144a                PUSH ESI
017f:0040144b FF1514604000   CALL 'kernel32!DeviceIoControl'   <== calls into the VxD
017f:00401451                PUSH ESI
017f:00401452 FF151C604000   CALL 'kernel32!FindCloseChangeNotification'
017f:00401458 8BB42490130000 MOV esi,[esp+1390]
017f:0040145f 8A843484030000 MOV al,[esp+esi+0384]
017f:00401466 84C0           TEST al,al         <== fingerprint disk present and serial correct?
017f:00401468 744D           JZ 004014b7        <== no: jump to the failure path
017f:0040146a 8BC6           MOV eax,esi

The call at 017f:0040144b has diskserial.vxd read the disk directly, and the JZ at 017f:00401468 decides the outcome. Since there is no fingerprint disk, change the two bytes of this JZ (74 4D) to NOP; NOP (90 90) and replace getdiskserial.exe in Windows\System with the patched copy.
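Both patches in this write-up (the int 3 on Trm32.ime's entry point, and the JZ at 00401468 in getdiskserial.exe turned into NOP; NOP), as well as the OEP that ImpREC's "Fix Dump" writes into the dumped file's header, come down to one operation: map a virtual address to a file offset through the PE section table and write bytes there. The Python below is an added example, not a tool from this write-up. Its sample image is constructed to match the layout the numbers above imply (image base 10000000, entry 0003d210 at file offset 00013610, UPX-style sections), so the real trm32.ime is not needed to run it. Applying it to getdiskserial.exe would mean loading that file with bytearray(open(path, "rb").read()) and calling patch(data, 0x00401468, b"\x90\x90"); the section layout of that file is not on the page and is not assumed here.

```python
# Added example: the PEditor "FLC" offset lookup, the int 3 entry-point patch,
# the OEP rewrite on the dump and a generic byte patch, as one small PE patcher.
# The sample image is constructed; it is not the real trm32.ime.
import struct
from typing import List, Tuple

Section = Tuple[int, int, int, int]   # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)


def parse_pe(data: bytes) -> Tuple[int, int, List[Section]]:
    """Return (AddressOfEntryPoint, ImageBase, sections) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                    # optional header follows the COFF header
    (entry,) = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections: List[Section] = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return entry, image_base, sections


def rva_to_offset(sections: List[Section], rva: int) -> int:
    """PEditor's FLC: the section whose raw data covers the RVA gives the file offset."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                # e.g. UPX0: present in memory, but no bytes in the packed file
                raise ValueError(f"rva {rva:#x} has no file backing")
            return rawptr + delta
    raise ValueError(f"rva {rva:#x} is outside every section")


def patch(data: bytearray, va: int, new_bytes: bytes) -> Tuple[int, bytes]:
    """Overwrite bytes at a virtual address in place; return (offset, original bytes)
    so the patch can be undone (as we do after the int 3 fires in the debugger)."""
    _, image_base, sections = parse_pe(data)
    off = rva_to_offset(sections, va - image_base)
    old = bytes(data[off:off + len(new_bytes)])
    data[off:off + len(new_bytes)] = new_bytes
    return off, old


def set_entry_point(data: bytearray, oep_rva: int) -> None:
    """Point AddressOfEntryPoint at the OEP, as ImpREC's "Fix Dump" does on the dump."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    struct.pack_into("<I", data, e_lfanew + 24 + 16, oep_rva)


def build_sample() -> bytearray:
    """Constructed packed-DLL layout: entry 0003d210 must land at file offset 00013610,
    which is what a UPX1 section at RVA 0002a000 with raw data at 0x400 gives. UPX0
    holds the unpacked code in memory only (SizeOfRawData 0), so the OEP 00008ea7 has
    no bytes in this file."""
    sections = [(b"UPX0", 0x29000, 0x1000, 0, 0x400),        # name, vsize, va, rawsize, rawptr
                (b"UPX1", 0x14000, 0x2A000, 0x14000, 0x400)]
    data = bytearray(0x400 + 0x14000)
    data[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", data, 0x3C, e_lfanew)
    data[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", data, e_lfanew + 4, 0x14C, len(sections))  # Machine i386, NumberOfSections
    struct.pack_into("<H", data, e_lfanew + 20, 0xE0)                   # SizeOfOptionalHeader (PE32)
    opt = e_lfanew + 24
    struct.pack_into("<H", data, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", data, opt + 16, 0x3D210)                     # AddressOfEntryPoint
    struct.pack_into("<I", data, opt + 28, 0x10000000)                  # ImageBase
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(sections):
        hdr = opt + 0xE0 + i * 40
        data[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", data, hdr + 8, vsize, va, rawsize, rawptr)
    # First stub instruction as TRW2K showed it: 80 7C 24 08 01 = CMP BYTE [esp+08],01
    data[0x13610:0x13615] = bytes.fromhex("807c240801")
    return data


def demo() -> Tuple[int, bytes, int]:
    """int 3 on the entry point, undo it, then set the OEP: (offset, original byte, new entry)."""
    data = build_sample()
    off, old = patch(data, 0x1003D210, b"\xCC")   # what we did with the hex editor
    patch(data, 0x1003D210, old)                  # what "R EIP EIP-1" plus restoring 80h did in TRW2K
    set_entry_point(data, 0x8EA7)                 # what "Fix Dump" sets on the dumped file
    return off, old, parse_pe(data)[0]


if __name__ == "__main__":
    off, old, entry = demo()
    print(f"entry point at file offset {off:#x}, original byte {old.hex()}, new entry {entry:#x}")
```

rva_to_offset deliberately refuses addresses that fall in the virtual-only tail of a section (UPX0 in the packed file): that is exactly why the code at the OEP can only be patched in the dump, never in the packed original.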

Run again: this time the "Properties" window appears, and clicking "OK" brings up the registration window. My machine code is 123456789012; enter the username leo_cyl and the registration code 12121212. Set a breakpoint on hmemcpy (BPX HMEMCPY) and trace until here:

:10001FC2 8D4C240C     lea ecx, dword ptr [esp+0C]
:10001FC6 8D542414     lea edx, dword ptr [esp+14]
:10001FCA 51           push ecx
:10001FCB 8D442434     lea eax, dword ptr [esp+34]
:10001FCF              push edx
:10001FD0              push eax
:10001FD1 E85A5E0000   call 10007E30
:10001FD6 83C40C       add esp, 0000000C
:10001FD9 E822600000   call 10008000              <== attention: the check is in here
:10001FDE A1ACF90110   mov eax, dword ptr [1001F9AC]   <== result flag written by the check
:10001FE3 6A00         push 00000000
:10001FE5 85C0         test eax, eax
:10001FE7 7425         je 1000200E                <== flag is 0: jump to registration failure
:10001FE9 6878F10010   push 1000F178
:10001FEE 686CF10010   push 1000F16C
:10001FF3              push esi

* Reference To: USER32.MessageBoxA, Ord:01B7h
|
:10001FF4 FF15A0D10010 call dword ptr [1000D1A0]
:10001FFA 6A01         push 00000001
:10001FFC              push esi

* Reference To: USER32.EndDialog, Ord:00B9h
|
:10001FFD FF1590D20010 call dword ptr [1000D290]
:10002003 5F           pop edi
:10002004 5E           pop esi
:10002005 33C0         xor eax, eax
:10002007 5B           pop ebx
:10002008 83C438       add esp, 00000038
:1000200B C21000       ret 0010

Step into call 10008000 at 10001FD9:

.....

:10008038 894C2450     mov dword ptr [esp+50], ecx
:1000803C 89542410     mov dword ptr [esp+10], edx
:10008040 89442420     mov dword ptr [esp+20], eax
:10008044 894C2454     mov dword ptr [esp+54], ecx
:10008048              push esi
:10008049 6689542418   mov word ptr [esp+18], dx
:1000804E 6689442428   mov word ptr [esp+28], ax
:10008053 66894C245C   mov word ptr [esp+5C], cx
:10008058              push edi
:10008059 8854241E     mov byte ptr [esp+1E], dl
:1000805D 8844242E     mov byte ptr [esp+2E], al
:10008061 884C2462     mov byte ptr [esp+62], cl
:10008065 E826A4FFFF   call 10002490              <== note this call
:1000806A 8BF8         mov edi, eax
:1000806C 83C9FF       or ecx, FFFFFFFF
:1000806F 33C0         xor eax, eax
:10008071 8D542410     lea edx, dword ptr [esp+10]
:10008075 F2           repnz
:10008076 AE           scasb
:10008077 F7D1         not ecx                    <== strlen idiom on the string returned in eax

The call at 10008065 uses the ShellExecuteA API to spawn the getdiskserial.exe process. Had we not patched getdiskserial.exe, there would be two processes to trace, which is much more trouble, and for an unlicensed user getdiskserial.exe would pop up its MessageBox and registration would fail.

Keep tracing until here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10008191(C)
|
:1000817D 8A540430     mov dl, byte ptr [esp+eax+30]   <== the registration code we entered
:10008181 8A4C0468     mov cl, byte ptr [esp+eax+68]   <== the correct registration code
:10008185 3AD1         cmp dl, cl
:10008187 0F851BFFFFFF jne 100080A8                    <== first mismatch: fail
:1000818D              inc eax
:1000818E 83F809       cmp eax, 00000009
:10008191 7CEA         jl 1000817D                     <== nine bytes are compared (eax = 0..8)
:10008193 5F           pop edi
:10008194 C705ACF9011001000000 mov dword ptr [1001F9AC], 00000001   <== success flag tested back at 10001FE5
:1000819E 5E           pop esi
:1000819F 81C480000000 add esp, 00000080
:100081A5 C3           ret

Since the comparison is done one byte at a time against a copy held in the stack buffer at esp+68, the correct registration code is sitting in memory while this loop runs and can simply be read out with the D command at the breakpoint. That's the end of the crack. Typing this many words is exhausting!
