------------------------------------------------------------------------------
Patch Lecture No. 4 - 25 / 09 / 98
Program   : WinBilli Version 1.50 Beta : full-registration patch
Tool used : W32Dasm Version 8.9 Reg
------------------------------------------------------------------------------

We will patch this program using W32Dasm.
First, load the Winbilli.exe file. After a while the disassembly will appear.
Then click 'W32Dasm List of String Data Items' and look for the following:
find 'Regiatration' and double-click it. Do you see the code below?
=> Or perhaps you came this far with Soft-Ice?

:00407598 682CB14600              push 0046B12C    -> the serial number we entered
:0040759D 682CB04600              push 0046B02C    -> the genuine registration number
********:004075A2 E8E99B0100      call 00421190    => what is this part?
   -> This is where the registration number is checked, to decide whether
      the two registration numbers are the same or not!
:004075A7 83C408                  add esp, 00000008
:004075AA 85C0                    test eax, eax
:004075AC 755C                    jne 0040760A     => jne !!!
   -> eax = 1: Jump, eax = 0: No Jump
   -> Here we have to turn this into a No Jump.
   -> So inside call 00421190 above, eax must be set to 0 before the ret!!

--==>> The part below is where the registration information is written to the
       WinBilli.ini file.

* Possible StringData Ref from Data Obj ->"WinBilli.ini"
                                  |
:004075AE 68E8EA4300              push 0043EAE8
:004075B3 682CB24600              push 0046B22C

* Possible StringData Ref from Data Obj ->"SerialNumber"
                                  |
:004075B8 68F8EA4300              push 0043EAF8

* Possible StringData Ref from Data Obj ->"Regiatration"
                                  |
:004075BD 6808EB4300              push 0043EB08

* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:027Fh
   ==> Remember this one. It is the function used when saving an ini file.
                                  |
:004075C2 FF1550554800            Call dword ptr [00485550]

* Possible StringData Ref from Data Obj ->"WinBilli.ini"
                                  |
:004075C8 6818EB4300              push 0043EB18
:004075CD 682CB14600              push 0046B12C

* Possible StringData Ref from Data Obj ->"Password"
                                  |
:004075D2 6828EB4300              push 0043EB28

* Possible StringData Ref from Data Obj ->"Regiatration"
                                  |
:004075D7 6834EB4300              push 0043EB34

* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:027Fh
                                  |
:004075DC FF1550554800            Call dword ptr [00485550]
:004075E2 6A01                    push 00000001
:004075E4 6A00                    push 00000000
:004075E6 6844EB4300              push 0043EB44
:004075EB 6860EB4300              push 0043EB60
:004075F0 6A00                    push 00000000
:004075F2 6A64                    push 00000064
:004075F4 6A46                    push 00000046
:004075F6 E8D29AFFFF              call 004010CD
:004075FB 83C41C                  add esp, 0000001C
:004075FE C70520B0460001000000    mov dword ptr [0046B020], 00000001
:00407608 EB1F                    jmp 00407629

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004075AC(C)
|
   ==> Stores and displays the message telling you to enter it correctly.
:0040760A 6A01                    push 00000001

* Possible StringData Ref from Data Obj ->"HITEL'byunhy'"
                                  |
:0040760C 686CEB4300              push 0043EB6C
:00407611 689CEB4300              push 0043EB9C
:00407616 68B4EB4300              push 0043EBB4
:0040761B 6A00                    push 00000000
:0040761D 6A64                    push 00000064
:0040761F 6A46                    push 00000046
:00407621 E8A79AFFFF              call 004010CD
:00407626 83C41C                  add esp, 0000001C

-===========================================================================-
                               call 00421190
-===========================================================================-

* Referenced by a CALL at Addresses:
|:00402FDA   , :004075A2   , :00407803   , :00409772   , :0040A063
|:0040A59C   , :0040A73A   , :00413B02   , :00413B31   , :00415F85
|:0041619F   , :00429CE7   , :0042F5C0
|
   =>>>>> Do you see the part above??!! Wow, it really does a lot of checking..!!
   -> Well then, we have to make eax = 0!
:00421190 8B542404                mov edx, dword ptr [esp+04]
:00421194 8B4C2408                mov ecx, dword ptr [esp+08]
:00421198 F7C203000000            test edx, 00000003
:0042119E 753C                    jne 004211DC

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004211CC(C), :004211F6(C), :00421212(U)
|
   => Why on earth does it check so much?
:004211A0 8B02                    mov eax, dword ptr [edx]
:004211A2 3A01                    cmp al, byte ptr [ecx]
:004211A4 752E                    jne 004211D4
:004211A6 0AC0                    or al, al
:004211A8 7426                    je 004211D0
:004211AA 3A6101                  cmp ah, byte ptr [ecx+01]
:004211AD 7525                    jne 004211D4
:004211AF 0AE4                    or ah, ah
:004211B1 741D                    je 004211D0
:004211B3 C1E810                  shr eax, 10
:004211B6 3A4102                  cmp al, byte ptr [ecx+02]
:004211B9 7519                    jne 004211D4
:004211BB 0AC0                    or al, al
:004211BD 7411                    je 004211D0
:004211BF 3A6103                  cmp ah, byte ptr [ecx+03]
:004211C2 7510                    jne 004211D4
:004211C4 83C104                  add ecx, 00000004
:004211C7 83C204                  add edx, 00000004
:004211CA 0AE4                    or ah, ah
:004211CC 75D2                    jne 004211A0
:004211CE 8BC0                    mov eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004211A8(C), :004211B1(C), :004211BD(C), :004211EE(C), :00421204(C)
|:0042120D(C)
|
:004211D0 33C0                    xor eax, eax     => Do you see this spot!!
   => If none of the comparisons above take their jump.. then eax = 0!
:004211D2 C3                      ret
:004211D3 90                      nop

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004211A4(C), :004211AD(C), :004211B9(C), :004211C2(C), :004211E9(C)
|:00421200(C), :00421209(C)
|
   => If one of the comparisons above fails, it jumps straight here, right!?
      So making eax = 0 in this part is all it takes!!!
**:004211D4 1BC0                  sbb eax, eax
**:004211D6 D1E0                  shl eax, 1
**:004211D8 40                    inc eax
**:004211D9 C3                    ret

=> This is the spot we modify, like this:
       33C0    XOR EAX,EAX
       90      NOP
       90      NOP
       90      NOP

=> Original code   1BC0 D1E0 40 C3
   Modified code   33C0 9090 90 C3

After modifying it like this, run the program and enter any number in the
registration menu, and it becomes fully registered.
For reference, if you look in the Windows directory, a WinBilli.ini file will
have been created. The code and the fake registration number we entered will
be stored in it. Hmm..
Well then, keep up the good work! The end.
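
Added example (not part of the original page and not the program's own code): a C model of the strcmp-style routine at 00421190, showing that its mismatch exit returns -1 or +1 and that zeroing that exit makes all 13 call sites in the cross-reference list see "equal", not only the check at 004075A2. The function names and sample strings are constructed for illustration, and the model compares one byte per pass where the listing handles four.

```c
#include <stdio.h>

/* Mismatch exit at 004211D4: sbb eax,eax / shl eax,1 / inc eax.
   carry is the CF left by the failing cmp: 1 when the byte from the
   first string (edx) is below the byte from the second (ecx). */
static int mismatch_tail(int carry)
{
    int eax = carry ? -1 : 0;   /* sbb eax,eax */
    eax *= 2;                   /* shl eax,1   */
    return eax + 1;             /* inc eax -> -1 or +1 */
}

/* Byte-at-a-time model of the routine at 00421190.
   patched != 0 models the bytes 33C0 909090 written at 004211D4. */
static int compare_model(const char *s1, const char *s2, int patched)
{
    const unsigned char *a = (const unsigned char *)s1;
    const unsigned char *b = (const unsigned char *)s2;
    for (;; a++, b++) {
        if (*a != *b)                        /* jne 004211D4 */
            return patched ? 0 : mismatch_tail(*a < *b);
        if (*a == 0)                         /* je 004211D0 */
            return 0;                        /* xor eax,eax / ret */
    }
}

/* Caller-side test at 004075AA: test eax,eax / jne means "reject". */
static int accepted(const char *stored, const char *typed, int patched)
{
    return compare_model(stored, typed, patched) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the program. */
    const char *stored = "SAMPLE-KEY-0001";
    const char *typed[] = { "SAMPLE-KEY-0001", "SAMPLE-KEY-0002", "" };
    for (int i = 0; i < 3; i++)
        printf("%-16s original=%d patched=%d\n", typed[i],
               accepted(stored, typed[i], 0), accepted(stored, typed[i], 1));
    return 0;
}
```

Because the routine is shared, any logic in the program that relies on two strings being different stops working once the mismatch exit returns 0.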