Name: SuperCleaner
Version: 1.6
Availability: http://www.firase.com/
Protection: name+serial
Tools: SoftICE, TMG Ripper Studio (http://www.tmg.f2s.com), Tasm

SuperCleaner is a small program that cleans up Temp files, Internet files and so on. Personally I'm not too fond of this kind of software: it often removes more files than it should... Still, it's a good example of how to use TMG Ripper Studio. That tool lets you rip an asm routine directly while preserving the contents of its labels... And that is really interesting, hehe :) OK, it's true, IDA does that too, but it takes a long time.

We start by catching the serial. Go to the option that lets you enter a name + serial. Type them in but don't validate. Bring up SoftICE by pressing CTRL+D. Enter our breakpoint: BPX HMEMCPY, and resume with F5. Now validate, and SoftICE breaks at the start of the Hmemcpy API. We backtrace out of the API to land in the program's main code. To do that, press F12 9 times and you get here:

0167:00407BDF CALL [USER32!GetDlgItemTextA]
0167:00407BE5 PUSH 00000100 --------- we land here after pressing F12 8 times
0167:00407BEA LEA ECX,[EBP-0200]
0167:00407BF0 PUSH ECX
0167:00407BF1 PUSH 000003FC
0167:00407BF6 MOV EDX,[EBP+08]
0167:00407BF9 PUSH EDX
0167:00407BFA CALL [USER32!GetDlgItemTextA]
0167:00407C00 LEA EAX,[EBP-0200]
0167:00407C06 PUSH EAX
0167:00407C07 LEA ECX,[EBP-0100]
0167:00407C0D PUSH ECX
0167:00407C0E CALL 00408020 -------- the call that generates the serial and compares it with the one entered

The program copies what was typed in the name and serial fields into memory (via the 2 GetDlgItemTextA calls). At 407C0E there is a call to 408020, which generates the serial and compares the bogus one we typed with the one generated from the name. When you're at 407C0E, press F8 to step into the call to 408020.
We land on this:

0167:00408020 PUSH EBP
0167:00408021 MOV EBP,ESP
0167:00408023 SUB ESP,00000104
0167:00408029 PUSH EDI
0167:0040802A MOV DWORD PTR [EBP-04],00000000
0167:00408031 LEA EAX,[EBP-0104]
0167:00408037 PUSH EAX
0167:00408038 MOV ECX,[EBP+08]
0167:0040803B PUSH ECX
0167:0040803C CALL 00408100 --- the call that generates the serial
0167:00408041 ADD ESP,08
0167:00408044 LEA EDX,[EBP-0104]
0167:0040804A PUSH EDX
0167:0040804B MOV EAX,[EBP+0C]

Once again we hit a call to 408100. F8 to see what happens inside, and:

0167:00408100 PUSH EBP
0167:00408101 MOV EBP,ESP
0167:00408103 SUB ESP,0000010C
0167:00408109 PUSH EDI
0167:0040810A MOV AL,[0041840C]
0167:0040810F MOV [EBP-0100],AL
0167:00408115 MOV ECX,0000003F
0167:0040811A XOR EAX,EAX
0167:0040811C LEA EDI,[EBP-00FF]
0167:00408122 REPZ STOSD
0167:00408124 STOSW
0167:00408126 STOSB
0167:00408127 MOV ECX,[EBP+08]
0167:0040812A PUSH ECX
0167:0040812B CALL [KERNEL32!lstrlen]
0167:00408131 MOV [EBP-010C],EAX
0167:00408137 MOV DWORD PTR [EBP-0108],00000000
0167:00408141 MOV DWORD PTR [EBP-0104],00000000
0167:0040814B JMP 0040815C
0167:0040814D MOV EDX,[EBP-0104]
0167:00408153 ADD EDX,01
0167:00408156 MOV [EBP-0104],EDX
0167:0040815C MOV EAX,[EBP-0104]
0167:00408162 CMP EAX,[EBP-010C]
0167:00408168 JAE 0040818C
0167:0040816A MOV ECX,[EBP+08]
0167:0040816D ADD ECX,[EBP-0104]
0167:00408173 MOVSX EDX,BYTE PTR [ECX]
0167:00408176 ADD EDX,[004157D0]
0167:0040817C MOV EAX,[EBP-0108]
0167:00408182 ADD EAX,EDX
0167:00408184 MOV [EBP-0108],EAX
0167:0040818A JMP 0040814D
0167:0040818C MOV ECX,[EBP-0108] ---- 1st part of the serial
0167:00408192 PUSH ECX
0167:00408193 PUSH 004155D0
0167:00408198 MOV EDX,[EBP+0C]
0167:0040819B PUSH EDX
0167:0040819C CALL [USER32!wsprintfA]
0167:004081A2 ADD ESP,0C
0167:004081A5 MOV DWORD PTR [EBP-0108],00000000
0167:004081AF MOV DWORD PTR [EBP-0104],00000000
0167:004081B9 JMP 004081CA
0167:004081BB MOV EAX,[EBP-0104]
0167:004081C1 ADD EAX,01
0167:004081C4 MOV [EBP-0104],EAX
0167:004081CA MOV ECX,[EBP-0104]
0167:004081D0 CMP ECX,[EBP-010C]
0167:004081D6 JAE 004081FB
0167:004081D8 MOV EDX,[EBP+08]
0167:004081DB ADD EDX,[EBP-0104]
0167:004081E1 MOVSX EAX,BYTE PTR [EDX]
0167:004081E4 IMUL EAX,[004157D4]
0167:004081EB MOV ECX,[EBP-0108]
0167:004081F1 ADD ECX,EAX
0167:004081F3 MOV [EBP-0108],ECX
0167:004081F9 JMP 004081BB
0167:004081FB MOV EDX,[EBP-0108] ---- 2nd part of the serial
0167:00408201 PUSH EDX
0167:00408202 PUSH 004155D0
0167:00408207 LEA EAX,[EBP-0100]
0167:0040820D PUSH EAX
0167:0040820E CALL [USER32!wsprintfA]
0167:00408214 ADD ESP,0C
0167:00408217 LEA ECX,[EBP-0100]
0167:0040821D PUSH ECX
0167:0040821E MOV EDX,[EBP+0C]
0167:00408221 PUSH EDX
0167:00408222 CALL [KERNEL32!lstrcat]
0167:00408228 MOV DWORD PTR [EBP-0108],00000000
0167:00408232 MOV DWORD PTR [EBP-0104],00000000
0167:0040823C JMP 0040824D
0167:0040823E MOV EAX,[EBP-0104]
0167:00408244 ADD EAX,01
0167:00408247 MOV [EBP-0104],EAX
0167:0040824D MOV ECX,[EBP-0104]
0167:00408253 CMP ECX,[EBP-010C]
0167:00408259 JAE 0040827D
0167:0040825B MOV EDX,[EBP+08]
0167:0040825E ADD EDX,[EBP-0104]
0167:00408264 MOVSX EAX,BYTE PTR [EDX]
0167:00408267 ADD EAX,[004157D8]
0167:0040826D MOV ECX,[EBP-0108]
0167:00408273 ADD ECX,EAX
0167:00408275 MOV [EBP-0108],ECX
0167:0040827B JMP 0040823E
0167:0040827D MOV EDX,[EBP-0108] ---- 3rd part of the serial
0167:00408283 PUSH EDX
0167:00408284 PUSH 004155D0
0167:00408289 LEA EAX,[EBP-0100]
0167:0040828F PUSH EAX
0167:00408290 CALL [USER32!wsprintfA]
0167:00408296 ADD ESP,0C
0167:00408299 LEA ECX,[EBP-0100]
0167:0040829F PUSH ECX
0167:004082A0 MOV EDX,[EBP+0C]
0167:004082A3 PUSH EDX
0167:004082A4 CALL [KERNEL32!lstrcat]
0167:004082AA MOV DWORD PTR [EBP-0108],00000000
0167:004082B4 MOV DWORD PTR [EBP-0104],00000000
0167:004082BE JMP 004082CF
0167:004082C0 MOV EAX,[EBP-0104]
0167:004082C6 ADD EAX,01
0167:004082C9 MOV [EBP-0104],EAX
0167:004082CF MOV ECX,[EBP-0104]
0167:004082D5 CMP ECX,[EBP-010C]
0167:004082DB JAE 00408300
0167:004082DD MOV EDX,[EBP+08]
0167:004082E0 ADD EDX,[EBP-0104]
0167:004082E6 MOVSX EAX,BYTE PTR [EDX]
0167:004082E9 IMUL EAX,[004157DC]
0167:004082F0 MOV ECX,[EBP-0108]
0167:004082F6 ADD ECX,EAX
0167:004082F8 MOV [EBP-0108],ECX
0167:004082FE JMP 004082C0
0167:00408300 MOV EDX,[EBP-0108] ----- 4th part of the serial
0167:00408306 PUSH EDX
0167:00408307 PUSH 004155CC
0167:0040830C LEA EAX,[EBP-0100]
0167:00408312 PUSH EAX
0167:00408313 CALL [USER32!wsprintfA]
0167:00408319 ADD ESP,0C
0167:0040831C LEA ECX,[EBP-0100]
0167:00408322 PUSH ECX
0167:00408323 MOV EDX,[EBP+0C]
0167:00408326 PUSH EDX
0167:00408327 CALL [KERNEL32!lstrcat]
0167:0040832D POP EDI
0167:0040832E MOV ESP,EBP
0167:00408330 POP EBP
0167:00408331 RET

OK, hehehe, the routine is long but not hard at all to recode... The serial is split into 4 parts. The program takes each character of our name via the MOVSX EAX,BYTE PTR [EDX]. For each part of the serial it performs a small operation on the characters of our name (a sum, or a multiplication by constant values). Since recoding that by hand would have been a real pain, I used TMG Ripper Studio. Launch it and open our exe. In 'virtual address' enter the address of the routine you want to rip: for this program the routine starts at 408100. You can also tell it where the routine ends: 408331. Then click 'Start Trace'. 2s later, TMG Ripper spits out the source code with the corresponding data references. Now click 'Process Datarefs'. And there you go, done :)
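To make the four loops above concrete, here is an added Python model of what the routine at 408100 computes; it is not the author's code (their keygen is the Tasm procedure further down the page). It assumes exactly what the listing shows: the name is read byte by byte with MOVSX (sign-extended), each of the four accumulators is a 32-bit register, and the constants are the data references the ripper recovers in the .DATA block ([4157D0]=26h, [4157D4]=34h, [4157D8]=0Ch, [4157DC]=0Eh) with "%u-"/"%u" as the wsprintfA formats. The closed_form function is the reviewer's observation rather than anything in the binary: every part is a function of only the byte sum S and the length n, which is why the scheme is so easy to reproduce and why different names collide.

```python
"""Model of the SuperCleaner 1.6 routine at 408100 (added example, not the author's code)."""

MASK32 = 0xFFFFFFFF

# Data references from the binary, as listed in the ripped .DATA block on this page.
ADD_1 = 0x26   # [004157D0]: added to every byte in pass 1
MUL_2 = 0x34   # [004157D4]: multiplies every byte in pass 2
ADD_3 = 0x0C   # [004157D8]: added to every byte in pass 3
MUL_4 = 0x0E   # [004157DC]: multiplies every byte in pass 4


def _signed_bytes(name: str) -> list[int]:
    """MOVSX EAX,BYTE PTR [EDX]: each byte is sign-extended, so bytes >= 0x80 count as negative."""
    raw = name.encode("latin-1")
    return [b - 256 if b >= 0x80 else b for b in raw]


def serial_parts(name: str) -> tuple[int, int, int, int]:
    """The four accumulators [EBP-108], one per loop, truncated to 32 bits like the register."""
    chars = _signed_bytes(name)
    p1 = sum(c + ADD_1 for c in chars) & MASK32   # loop 0040815C: ADD EDX,[004157D0]
    p2 = sum(c * MUL_2 for c in chars) & MASK32   # loop 004081CA: IMUL EAX,[004157D4]
    p3 = sum(c + ADD_3 for c in chars) & MASK32   # loop 0040824D: ADD EAX,[004157D8]
    p4 = sum(c * MUL_4 for c in chars) & MASK32   # loop 004082CF: IMUL EAX,[004157DC]
    return p1, p2, p3, p4


def serial_for(name: str) -> str:
    """wsprintfA("%u-") for the first three parts, "%u" for the last, glued with lstrcat."""
    return "-".join(str(p) for p in serial_parts(name))


def closed_form(name: str) -> tuple[int, int, int, int]:
    """Same result without the loops: with S = sum of signed bytes and n = length,
    p1 = S + 26h*n, p2 = 34h*S, p3 = S + 0Ch*n, p4 = 0Eh*S.
    Any two names with the same S and n therefore get the same serial."""
    chars = _signed_bytes(name)
    s, n = sum(chars), len(chars)
    return tuple(x & MASK32 for x in (s + ADD_1 * n, MUL_2 * s, s + ADD_3 * n, MUL_4 * s))


if __name__ == "__main__":
    # Constructed sample names: "TSET" is an anagram of "TEST", so S and n match.
    for sample in ("TEST", "TSET"):
        print(sample, serial_for(sample), serial_parts(sample) == closed_form(sample))
```

The collision between anagrams is the point a defender takes from this listing: a licence check whose value is a linear function of the byte sum cannot distinguish names, and anyone with the binary can recover it in minutes, which is why real schemes bind the key to the name with a signature rather than with arithmetic.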
Save our source. Normally you should get something like this:

.DATA ; the various references the program uses
LOC_0041840C dd 000000000h
LOC_004155D0 db '%u-',0
LOC_004155CC dd 000007525h
LOC_004157DC dd 00000000Eh
LOC_004157D8 dd 00000000Ch
LOC_004157D4 dd 000000034h
LOC_004157D0 dd 000000026h

.CODE
PUSH EBP
MOV EBP,ESP
SUB ESP,00000010Ch
PUSH EDI
MOV AL,BYTE PTR [LOC_0041840C]
MOV BYTE PTR [EBP+0FFFFFF00h],AL
MOV ECX,00000003Fh
XOR EAX,EAX
LEA EDI,DWORD PTR [EBP+0FFFFFF01h]
REP STOSD
STOSW
STOSB
MOV ECX,DWORD PTR [EBP+008h]
PUSH ECX
CALL lstrlenA
MOV DWORD PTR [EBP+0FFFFFEF4h],EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_0040815C
LOC_0040814D: ;Ref: 0040818A
MOV EDX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EDX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EDX
LOC_0040815C: ;Ref: 0040814B
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
CMP EAX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_0040818C
MOV ECX,DWORD PTR [EBP+008h]
ADD ECX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EDX,BYTE PTR [ECX]
ADD EDX,DWORD PTR [LOC_004157D0]
MOV EAX,DWORD PTR [EBP+0FFFFFEF8h]
ADD EAX,EDX
MOV DWORD PTR [EBP+0FFFFFEF8h],EAX
JMP LOC_0040814D
LOC_0040818C: ;Ref: 00408168
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH ECX
PUSH OFFSET LOC_004155D0
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL wsprintfA
ADD ESP,00Ch
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_004081CA
LOC_004081BB: ;Ref: 004081F9
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_004081CA: ;Ref: 004081B9
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_004081FB
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
IMUL EAX,DWORD PTR [LOC_004157D4]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_004081BB
LOC_004081FB: ;Ref: 004081D6
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155D0
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_0040824D
LOC_0040823E: ;Ref: 0040827B
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_0040824D: ;Ref: 0040823C
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_0040827D
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
ADD EAX,DWORD PTR [LOC_004157D8]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_0040823E
LOC_0040827D: ;Ref: 00408259
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155D0
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_004082CF
LOC_004082C0: ;Ref: 004082FE
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_004082CF: ;Ref: 004082BE
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_00408300
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
IMUL EAX,DWORD PTR [LOC_004157DC]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_004082C0
LOC_00408300: ;Ref: 004082DB
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155CC
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
POP EDI
MOV ESP,EBP
POP EBP
RETN

Knowing that ebp+08 holds our name and EBP+00Ch holds the resulting final serial, we just have to set those two up in our routine... Which gives us the final procedure:
key proc, Nom:DWORD, Taille:DWORD ; create the Key procedure
sub esp,10Ch                      ; keep the frame of the original routine: the locals at [ebp-10Ch]..[ebp-100h] live below esp
push edi                          ; and would be overwritten by the wsprintfA/lstrcatA calls without this reservation
mov ecx,offset buffer             ; where our name is stored
mov [ebp+08],ecx                  ; stick it in ebp+8
mov ecx,offset finalserial        ; where our final serial is stored
mov [EBP+00Ch],ecx                ; stick it in ebp+0ch
MOV ECX,[EBP+008h]
PUSH ECX
CALL lstrlenA
MOV DWORD PTR [EBP+0FFFFFEF4h],EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_0040815C
LOC_0040814D: ;Ref: 0040818A
MOV EDX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EDX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EDX
LOC_0040815C: ;Ref: 0040814B
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
CMP EAX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_0040818C
MOV ECX,DWORD PTR [EBP+008h]
ADD ECX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EDX,BYTE PTR [ECX]
ADD EDX,DWORD PTR [LOC_004157D0]
MOV EAX,DWORD PTR [EBP+0FFFFFEF8h]
ADD EAX,EDX
MOV DWORD PTR [EBP+0FFFFFEF8h],EAX
JMP LOC_0040814D
LOC_0040818C: ;Ref: 00408168
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH ECX
PUSH OFFSET LOC_004155D0
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL _wsprintfA
ADD ESP,00Ch
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_004081CA
LOC_004081BB: ;Ref: 004081F9
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_004081CA: ;Ref: 004081B9
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_004081FB
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
IMUL EAX,DWORD PTR [LOC_004157D4]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_004081BB
LOC_004081FB: ;Ref: 004081D6
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155D0
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL _wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_0040824D
LOC_0040823E: ;Ref: 0040827B
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_0040824D: ;Ref: 0040823C
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_0040827D
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
ADD EAX,DWORD PTR [LOC_004157D8]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_0040823E
LOC_0040827D: ;Ref: 00408259
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155D0
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL _wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
MOV DWORD PTR [EBP+0FFFFFEF8h],000000000h
MOV DWORD PTR [EBP+0FFFFFEFCh],000000000h
JMP LOC_004082CF
LOC_004082C0: ;Ref: 004082FE
MOV EAX,DWORD PTR [EBP+0FFFFFEFCh]
ADD EAX,001h
MOV DWORD PTR [EBP+0FFFFFEFCh],EAX
LOC_004082CF: ;Ref: 004082BE
MOV ECX,DWORD PTR [EBP+0FFFFFEFCh]
CMP ECX,DWORD PTR [EBP+0FFFFFEF4h]
JNB LOC_00408300
MOV EDX,DWORD PTR [EBP+008h]
ADD EDX,DWORD PTR [EBP+0FFFFFEFCh]
MOVSX EAX,BYTE PTR [EDX]
IMUL EAX,DWORD PTR [LOC_004157DC]
MOV ECX,DWORD PTR [EBP+0FFFFFEF8h]
ADD ECX,EAX
MOV DWORD PTR [EBP+0FFFFFEF8h],ECX
JMP LOC_004082C0
LOC_00408300: ;Ref: 004082DB
MOV EDX,DWORD PTR [EBP+0FFFFFEF8h]
PUSH EDX
PUSH OFFSET LOC_004155CC
LEA EAX,DWORD PTR [EBP+0FFFFFF00h]
PUSH EAX
CALL _wsprintfA
ADD ESP,00Ch
LEA ECX,DWORD PTR [EBP+0FFFFFF00h]
PUSH ECX
MOV EDX,DWORD PTR [EBP+00Ch]
PUSH EDX
CALL lstrcatA
POP EDI
MOV ESP,EBP
POP EBP
jmp returnez
key EndP

There you go, it's scrupulously the same routine... I changed absolutely nothing :p I just removed the beginning of the routine that's no use to us (the zero-fill of the local buffer), keeping the sub esp,10Ch / push edi: the routine's locals at [ebp-10Ch]..[ebp-100h] sit below esp, so without that reservation the wsprintfA and lstrcatA calls would trample them and the later loops would read a corrupted length. Also remember to declare the APIs _wsprintfA, lstrcatA and lstrlenA. Well, let's not kid ourselves either: TMG Ripper Studio is still fairly limited, but it will serve you well ;pp

TaMaMBoLo