
Web-CT 网站压力测试V4.0 破解手记

来源：www.hack58.com　作者：佚名　时间：2006-01-05
    前段时间网络上出现了另类的 DDoS 攻击，CC 攻击就是其中之一。它的攻击原理其实就是服务器压力测试，与常规压力测试不同的是，它通过大量代理发起请求。本文记录的 Web-CT 就是这类压力测试工具之一，下面是对其试用版限制的逆向过程。

软件名:Web-CT 网站压力测试V4.0

简介:《Web能力测试》是般若网络科技公司自主开发、独立版权的、对 Web 能力进行全面测试的软件产品,简称 Web-CT(Web Capacity Test)。
般若网络科技开发 Web-CT 只是为了测试用户上网质量和服务器性能,任何将其作为“拒绝服务攻击”(DoS)、或利用 Web-CT 的并行测试能力进行“分布式拒绝服务攻击”(DDoS)的行为都是违法的,必将受到相关法律的制裁。
般若网络科技公司对于非测试试验目的使用 Web-CT 所产生的后果不负任何责任。

软件限制:试用版测试速率不能大于40;持续时间不能大于10秒!

该软件无壳,以授权文件方式注册。先建立一个名为 webctregcodet 的文件作为假 KEY 文件(内容随意,只是用来触发校验流程)。
首先用W32DASM反汇编:
````````````````````````````````````````````````````````````````
:00416B8F 57                      push edi
:00416B90 8BF9                    mov edi, ecx
:00416B92 33C0                    xor eax, eax
:00416B94 83C9FF                  or ecx, FFFFFFFF
:00416B97 F2                      repnz
:00416B98 AE                      scasb
:00416B99 F7D1                    not ecx
:00416B9B 2BF9                    sub edi, ecx
:00416B9D 8DB590FEFFFF            lea esi, dword ptr [ebp+FFFFFE90]
:00416BA3 87F7                    xchg edi, esi
:00416BA5 8BD1                    mov edx, ecx
:00416BA7 8BC7                    mov eax, edi
:00416BA9 C1E902                  shr ecx, 02
:00416BAC 8D8590FEFFFF            lea eax, dword ptr [ebp+FFFFFE90]
:00416BB2 F3                      repz
:00416BB3 A5                      movsd
:00416BB4 8BCA                    mov ecx, edx
:00416BB6 8D95A8FEFFFF            lea edx, dword ptr [ebp+FFFFFEA8]
:00416BBC 83E103                  and ecx, 00000003
:00416BBF F3                      repz
:00416BC0 A4                      movsb
:00416BC1 5F                      pop edi
:00416BC2 6A14                    push 00000014  <==== 比较长度 0x14 = 20 字节,正好是授权号的长度
:00416BC4 50                      push eax       <==== eax -> [ebp-170h],即上面 repnz scasb / rep movsd 这段内联 strlen+strcpy 惯用序列刚拷入的字符串
:00416BC5 52                      push edx       <==== edx -> [ebp-158h],授权成功后该缓冲区的 0x14 字节会被写到 WebCTRegCode 文件(见 00416C3C-00416C46)
:00416BC6 E8F9570900              call 004AC3C4  <==== 用 OD 在这里下断点。点击"安装授权文件",选择自己建的假 KEY 文件,OD 在此断停,EAX 所指缓冲区中出现注册码: 1@2H1E4F5@6@D3A6D1B2(恰好 20 字符)。从下面的 test eax,eax / je 看,该调用是 memcmp 式的 20 字节比较,返回 0 表示匹配
:00416BCB 83C40C                  add esp, 0000000C
:00416BCE 85C0                    test eax, eax
:00416BD0 744B                    je 00416C1D <===== 关键跳:返回值为 0(授权号匹配)时跳到 00416C1D 的成功分支,否则落入下面的"授权号码有错误"提示。直接爆破(74 改 75,见总结)也可以
:00416BD2 E8CDD60800              call 004A42A4
:00416BD7 A1CC2F4E00              mov eax, dword ptr [004E2FCC]
:00416BDC 6A20                    push 00000020

* Possible StringData Ref from Data Obj ->"警告..."
                                  |
:00416BDE B938554D00              mov ecx, 004D5538

* Possible StringData Ref from Data Obj ->"授权号码有错误!安装授权文件失败..."
                                  |
:00416BE3 BA14554D00              mov edx, 004D5514
:00416BE8 8B00                    mov eax, dword ptr [eax]
:00416BEA E8A5060A00              call 004B7294
:00416BEF FF4F1C                  dec [edi+1C]
:00416BF2 8D45F8                  lea eax, dword ptr [ebp-08]
:00416BF5 BA02000000              mov edx, 00000002
:00416BFA E8A9070A00              call 004B73A8
:00416BFF FF4F1C                  dec [edi+1C]
:00416C02 8D45FC                  lea eax, dword ptr [ebp-04]
:00416C05 BA02000000              mov edx, 00000002
:00416C0A E899070A00              call 004B73A8
:00416C0F 8B0F                    mov ecx, dword ptr [edi]
:00416C11 64890D00000000          mov dword ptr fs:[00000000], ecx
:00416C18 E9CC000000              jmp 00416CE9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416BD0(C)
|
:00416C1D 68D0354E00              push 004E35D0
:00416C22 E8D9720900              call 004ADF00
:00416C27 59                      pop ecx
:00416C28 6802810000              push 00008102  <==== 疑为 _O_RDWR|_O_CREAT|_O_BINARY (0x2|0x100|0x8000),未验证

* Possible StringData Ref from Data Obj ->"WebCTRegCode"
                                  |
:00416C2D 6840554D00              push 004D5540
:00416C32 E8397C0900              call 004AE870  <==== 两个参数(文件名, 标志),疑为 _open():用相对路径创建 WebCTRegCode(通常落在程序当前目录),句柄存入 esi
:00416C37 83C408                  add esp, 00000008
:00416C3A 8BF0                    mov esi, eax
:00416C3C 6A14                    push 00000014
:00416C3E 8D85A8FEFFFF            lea eax, dword ptr [ebp+FFFFFEA8]
:00416C44 50                      push eax
:00416C45 56                      push esi
:00416C46 E8F5890900              call 004AF640  <==== 三个参数(句柄, [ebp-158h], 0x14),疑为 _write():把 20 字节授权号写成正式密锁文件
:00416C4B 83C40C                  add esp, 0000000C
:00416C4E 56                      push esi
:00416C4F E844730900              call 004ADF98  <==== 一个参数(句柄),疑为 _close()
:00416C54 59                      pop ecx
:00416C55 33D2                    xor edx, edx
:00416C57 8B83A4030000            mov eax, dword ptr [ebx+000003A4]
:00416C5D E8AA520500              call 0046BF0C
:00416C62 33D2                    xor edx, edx
:00416C64 8B83A0030000            mov eax, dword ptr [ebx+000003A0]
:00416C6A E89D520500              call 0046BF0C
:00416C6F 66C747105000            mov [edi+10], 0050

* Possible StringData Ref from Data Obj ->"Prajna Web-CT"
                                  |
:00416C75 BA4D554D00              mov edx, 004D554D
:00416C7A 8D45E4                  lea eax, dword ptr [ebp-1C]
:00416C7D E82A060A00              call 004B72AC
:00416C82 FF471C                  inc [edi+1C]
:00416C85 8B10                    mov edx, dword ptr [eax]
:00416C87 A18C3A4E00              mov eax, dword ptr [004E3A8C]
:00416C8C E893530500              call 0046C024
:00416C91 FF4F1C                  dec [edi+1C]
:00416C94 8D45E4                  lea eax, dword ptr [ebp-1C]
:00416C97 BA02000000              mov edx, 00000002
:00416C9C E807070A00              call 004B73A8
:00416CA1 C605D0394E0000          mov byte ptr [004E39D0], 00  <==== 授权成功后清零一个全局字节,推测为试用版标志(未验证)
:00416CA8 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"信息"
                                  |
:00416CAA B973554D00              mov ecx, 004D5573

* Possible StringData Ref from Data Obj ->"授权文件安装成功 !....."
                                  |
:00416CAF BA5B554D00              mov edx, 004D555B
:00416CB4 A1CC2F4E00              mov eax, dword ptr [004E2FCC]
:00416CB9 8B00                    mov eax, dword ptr [eax]
:00416CBB E8D4050A00              call 004B7294

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416A5F(C)

`````````````````````````````````````````````````````````````
退出 OD,打开假的授权文件,把里面的内容改为 1@2H1E4F5@6@D3A6D1B2,再导入授权文件。终于搞定?再次运行软件,程序窗口标题已经没有了"试用版测试速率不能大于40;持续时间不能大于10秒!",机器码显示部分也已经消失,各项设置都没有问题。注:没有注册时,选项中的速率不能超过每秒 40,超出了就会有"试用版!测试速率不能大于40"的提示;持续时间也不能大于 10 秒,超出了同样有"试用版!最大持续时间不能大于10秒"的提示。现在都可以设置了。本以为到这里就完工了,想不到设置好之后点击"立即测试",又出现了"试用版测试速率不能大于40;持续时间不能大于10秒"。说明除授权文件校验之外,程序在开始测试时还有另一处独立的试用版判断,再来看:
..............................................................................................................
:0041EC94 0F9FC2                  setg dl
:0041EC97 83E201                  and edx, 00000001
:0041EC9A 52                      push edx
:0041EC9B BA02000000              mov edx, 00000002
:0041ECA0 FF4DF0                  dec [ebp-10]
:0041ECA3 E800870900              call 004B73A8
:0041ECA8 59                      pop ecx
:0041ECA9 85C9                    test ecx, ecx
:0041ECAB 744B                    je 0041ECF8  <==== ecx 是上面 setg 的结果(被比较的值大于阈值时为 1);为 0 则跳过下面的"最大测试速率不能大于'40'"报错
:0041ECAD A1CC2F4E00              mov eax, dword ptr [004E2FCC]
:0041ECB2 6A20                    push 00000020

* Possible StringData Ref from Data Obj ->"错误"
                                  |
:0041ECB4 B937894D00              mov ecx, 004D8937

* Possible StringData Ref from Data Obj ->"试用版,最大测试速率不能大于'40'.......!"
                                  |
:0041ECB9 BA0E894D00              mov edx, 004D890E
:0041ECBE 8B00                    mov eax, dword ptr [eax]
:0041ECC0 E8CF850900              call 004B7294
:0041ECC5 66C745E41400            mov [ebp-1C], 0014
:0041ECCB 8D45F8                  lea eax, dword ptr [ebp-08]
:0041ECCE BA28000000              mov edx, 00000028
:0041ECD3 E848860900              call 004B7320
:0041ECD8 FF45F0                  inc [ebp-10]
:0041ECDB 8B10                    mov edx, dword ptr [eax]
:0041ECDD 8B831C030000            mov eax, dword ptr [ebx+0000031C]
:0041ECE3 E83CD30400              call 0046C024
:0041ECE8 FF4DF0                  dec [ebp-10]
:0041ECEB 8D45F8                  lea eax, dword ptr [ebp-08]
:0041ECEE BA02000000              mov edx, 00000002
:0041ECF3 E8B0860900              call 004B73A8
....................................................................................................................
(注:下面这段与上面 0041EC94 处的代码完全相同,应为重复粘贴;总结中也没有修改 0041ECAB 这一处。)
:0041EC94 0F9FC2                  setg dl
:0041EC97 83E201                  and edx, 00000001
:0041EC9A 52                      push edx
:0041EC9B BA02000000              mov edx, 00000002
:0041ECA0 FF4DF0                  dec [ebp-10]
:0041ECA3 E800870900              call 004B73A8
:0041ECA8 59                      pop ecx
:0041ECA9 85C9                    test ecx, ecx
:0041ECAB 744B                    je 0041ECF8
:0041ECAD A1CC2F4E00              mov eax, dword ptr [004E2FCC]
:0041ECB2 6A20                    push 00000020

* Possible StringData Ref from Data Obj ->"错误"
                                  |
:0041ECB4 B937894D00              mov ecx, 004D8937

* Possible StringData Ref from Data Obj ->"试用版,最大测试速率不能大于'40'.......!"
                                  |
:0041ECB9 BA0E894D00              mov edx, 004D890E
:0041ECBE 8B00                    mov eax, dword ptr [eax]
:0041ECC0 E8CF850900              call 004B7294
:0041ECC5 66C745E41400            mov [ebp-1C], 0014
:0041ECCB 8D45F8                  lea eax, dword ptr [ebp-08]
:0041ECCE BA28000000              mov edx, 00000028
:0041ECD3 E848860900              call 004B7320
:0041ECD8 FF45F0                  inc [ebp-10]
:0041ECDB 8B10                    mov edx, dword ptr [eax]
:0041ECDD 8B831C030000            mov eax, dword ptr [ebx+0000031C]
:0041ECE3 E83CD30400              call 0046C024
:0041ECE8 FF4DF0                  dec [ebp-10]
:0041ECEB 8D45F8                  lea eax, dword ptr [ebp-08]
:0041ECEE BA02000000              mov edx, 00000002
:0041ECF3 E8B0860900              call 004B73A8
````````````````````````````````````````````````````````````````````
:0041888A 0F9FC2                  setg dl
:0041888D 83E201                  and edx, 00000001
:00418890 52                      push edx
:00418891 BA02000000              mov edx, 00000002
:00418896 FF8D64FFFFFF            dec dword ptr [ebp+FFFFFF64]
:0041889C E807EB0900              call 004B73A8
:004188A1 59                      pop ecx
:004188A2 85C9                    test ecx, ecx
:004188A4 742F                    je 004188D5  <==== 同样根据 setg 的结果判断,为 0 则跳过提示。点击"立即测试"时弹出的"试用版测试速率不能大于40;持续时间不能大于10秒!"就来自这里,总结中把 74 改成 75 即可

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041885D(C)
|
:004188A6 E8F9B90800              call 004A42A4
:004188AB A1CC2F4E00              mov eax, dword ptr [004E2FCC]
:004188B0 6A20                    push 00000020

* Possible StringData Ref from Data Obj ->"Web-CT提示"
                                  |
:004188B2 B9DB564D00              mov ecx, 004D56DB

* Possible StringData Ref from Data Obj ->"试用版测试速率不能大于40;持续时间不能大于10秒!"
                                        ->" "
                                  |
:004188B7 BAAB564D00              mov edx, 004D56AB
:004188BC 8B00                    mov eax, dword ptr [eax]
:004188BE E8D1E90900              call 004B7294
:004188C3 8B9548FFFFFF            mov edx, dword ptr [ebp+FFFFFF48]
:004188C9 64891500000000          mov dword ptr fs:[00000000], edx
:004188D0 E9B50B0000              jmp 0041948A

````````````````````````````````````````````````````````````````````
总结:在 00416BD0 处把 744B 改为 754B(je -> jne;导入假授权文件后程序会在自身目录生成正式密锁文件 WebCTRegCode);
在 004188A4 处把 742F 改为 752F(je -> jne)。
再测试没有问题!其实还有一个没弄明白的地方:授权文件已经安装成功,为什么"立即测试"时 004188A4 处仍然判定为试用版(从反汇编看,该处只根据 setg 的比较结果判断,与 00416BD0 处的授权文件校验是两条独立的路径)。本想弄懂,反正现在能用了,也不想钻牛角尖了。
【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。