Could one of you brothers translate this foreign-language text? It is about Armadillo 4.01a.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@ Armadillo 4.01a (Public Build) manually unpacking by KaGra @@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

See the tutorial with Notepad, font Fixedsys Regular, size 9.

Well, sometimes in the life of a reverser comes a great day. Well, this is one of them. I introduce you to the manual unpacking tutorial for Armadillo, for the latest version at that time, 4.01a. Well, here it starts...

Tools used: Olly v1.10, CommandLine plug, HideOlly plug, OllyDump plug, LordPE and NO IMPREC.

Yes, as you heard. No import rebuilding using ImpRec or other tools. The way we will do it is manual and extremely easy, and it can be done for ALL packers at that time. Well, I packed a crackme with a downloaded version of Armadillo. The thing is that it is a demo version, but all the features that I checked as protections in the options work just fine. So, the only difference from the registered version, using the options I chose (and I will say later which options these are), is just a nag screen when the protected file starts. Well, if you go in Dillo's menu Protection->Edit Project you will see the protection options. I've chosen these:

Protection options: Standard Protection only, Enable import elimination, Enable strategic code splicing, Enable memory patching protections.

All other options as they are when you open Dillo for the first time.

In the zip you will find a packed and a clean version of the exe. Well, open the packed version of the exe and load it in Olly. Then make sure that you have placed NO breakpoints of any kind and that in Debugging Options you have checked only "Ignore memory access violations in KERNEL32". Well, the options I set in Dillo give two anti-debugging protections. The first is the usual call to the IsDebuggerPresent API, but because of the HideOlly plug we don't have a problem. The second is a call to the OutputDebugString API, which prints a string in the debugger, if one is running. The thing is that Olly v1.10 has a format string stack buffer overflow (bug), and if you give as the string something like %x this will trigger the overflow and will make Olly crash (check the article at http://www.securiteam.com/windowsntfocus/5ZP0N00DFE.html). We will defeat this using this trick: in Olly's code window, right click and Search for -> Name in all modules. Find OutputDebugString and double click on it, and you are at the memory location where the code of that API starts. Do not place a breakpoint of any kind there, because Dillo's "Enable memory patching protection" will find it (and other options maybe). So you should be here, at the start of OutputDebugString:

77E949B7 > 68 2C020000       PUSH 22C
77E949BC   68 8853E977       PUSH kernel32.77E95388
77E949C1   E8 1259FEFF       CALL kernel32.77E7A2D8
77E949C6   8365 FC 00        AND DWORD PTR SS:[EBP-4],0
77E949CA   8B4D 08           MOV ECX,DWORD PTR SS:[EBP+8]
77E949CD   8BC1              MOV EAX,ECX
77E949CF   8D70 01           LEA ESI,DWORD PTR DS:[EAX+1]
77E949D2   8A10              MOV DL,BYTE PTR DS:[EAX]
77E949D4   40                INC EAX
77E949D5   84D2              TEST DL,DL
77E949D7 ^ 75 F9             JNZ SHORT kernel32.77E949D2
77E949D9   2BC6              SUB EAX,ESI
77E949DB   40                INC EAX
77E949DC   8945 E0           MOV DWORD PTR SS:[EBP-20],EAX
77E949DF   894D E4           MOV DWORD PTR SS:[EBP-1C],ECX
77E949E2   8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
77E949E5   50                PUSH EAX
77E949E6   6A 02             PUSH 2
77E949E8   6A 00             PUSH 0
77E949EA   68 06000140       PUSH 40010006
77E949EF   E8 43EEFDFF       CALL kernel32.RaiseException
77E949F4   834D FC FF        OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E949F8   E8 A259FEFF       CALL kernel32.77E7A39F
77E949FD   C2 0400           RETN 4

You see that it ends with a RETN 4. So just enter this opcode as the first instruction at 77E949B7 (your addresses may be different due to a different version of Windows), and this is a memory patch that Dillo won't catch, because it is in an OS memory location. Now start pressing Shift+F9 as many times as it takes until the program executes. How many times was it? For me it was 31 times. Now restart Olly, do the anti-debugging trick all over again, and press Shift+F9 as many times as before minus 2. For me this is 29 times. Don't mind if a nag screen appears during this, just press OK. You should be here:

00ADD266   8900              MOV DWORD PTR DS:[EAX],EAX      <- Olly breaks here
00ADD268   90                NOP
00ADD269   E9 57010000       JMP 00ADD3C5
00ADD26E   FF75 EC           PUSH DWORD PTR SS:[EBP-14]
00ADD271   E8 34F5FFFF       CALL 00ADC7AA
00ADD276   59                POP ECX
00ADD277   C3                RETN
00ADD278   8B65 E8           MOV ESP,DWORD PTR SS:[EBP-18]
00ADD27B   70 07             JO SHORT 00ADD284
00ADD27D   7C 03             JL SHORT 00ADD282
00ADD27F   EB 05             JMP SHORT 00ADD286
00ADD281   E8 74FBEBF9       CALL FA99CDFA
00ADD286   A1 5C4DAF00       MOV EAX,DWORD PTR DS:[AF4D5C]
00ADD28B   85C0              TEST EAX,EAX
00ADD28D   0F84 0C010000     JE 00ADD39F
00ADD293   8B50 04           MOV EDX,DWORD PTR DS:[EAX+4]
00ADD296   8B0D B84DAF00     MOV ECX,DWORD PTR DS:[AF4DB8]   ; packed.00400000
00ADD29C   3BD1              CMP EDX,ECX
00ADD29E   8B1D BC4DAF00     MOV EBX,DWORD PTR DS:[AF4DBC]   ; packed.004A5000

Now, place a memory breakpoint on access on the code section of your program, which you can see by pressing the "M" button in Olly (for me it was located at address 401000 with a size of 1000). Now press Shift+F9 one more time and you are at the OEP. It should look like this:

00401099   EB 27             JMP SHORT packed.004010C2       <--- Olly breaks here at the OEP. So OEP=00401099
0040109B   33C0              XOR EAX,EAX
0040109D   A3 F7204000       MOV DWORD PTR DS:[4020F7],EAX
004010A2   6A 29             PUSH 29
004010A4   68 0E204000       PUSH packed.0040200E
004010A9   6A 65             PUSH 65
004010AB   FF75 08           PUSH DWORD PTR SS:[EBP+8]
004010AE   E8 D9010000       CALL packed.0040128C            ; JMP to USER32.GetDlgItemTextA
004010B3   A3 F7204000       MOV DWORD PTR DS:[4020F7],EAX
004010B8   B8 01000000       MOV EAX,1
004010BD   E9 89000000       JMP packed.0040114B
004010C2   6A 00             PUSH 0
004010C4   E8 E1010000       CALL packed.004012AA
004010C9   A3 F3204000       MOV DWORD PTR DS:[4020F3],EAX
004010CE   C705 C7204000 03> MOV DWORD PTR DS:[4020C7],4003
004010D8   C705 CB204000 89> MOV DWORD PTR DS:[4020CB],packed.0040118>
004010E2   C705 CF204000 00> MOV DWORD PTR DS:[4020CF],0
004010EC   C705 D3204000 00> MOV DWORD PTR DS:[4020D3],0
004010F6   A1 F3204000       MOV EAX,DWORD PTR DS:[4020F3]
004010FB   A3 D7204000       MOV DWORD PTR DS:[4020D7],EAX

Remove the memory breakpoint and dump the file with the OllyDump plugin. Try to load the dumped file in Olly, or to open it with LordPE. Well, it is not recognized as a valid PE file, because Dillo has destroyed the PE header as an anti-dumping trick. Well, this is easy to fix. When you are at the OEP, look at the PE header by pressing the "M" button in Olly. It is just before the program's code (for me it has start address 400000 and size 1000). Now open a second Olly and load the packed file. Look at its header too. Well, compare the two headers with your eyes and make the header of the exe that is at the OEP the same as the header of the packed file (and not the other way round). Easy to do, since only some bytes of the header (not many) have changed. When done, dump the exe that is at the OEP again, and close the session of the second Olly you just opened.

Now try to open the newly dumped file with Olly. It opens just fine. But when run, it crashes. Well, time for some IAT rebuilding. In this case ImpRec will not fix many thunks in the IAT. This is because Dillo not only redirects the API calls and erases the IAT (remember the "Enable import elimination" option I used? ;) but also splices the code into many parts of memory OUTSIDE the image memory dump of the program (remember also the "Enable strategic code splicing" option I used? ;). This is done by allocating memory space using VirtualAlloc and APIs of the same kind. So those parts of the code (which are actually taken from the original code segment) are not in the dumped file that the OllyDump plugin produced. So now the idea is this: I will dump the part of memory that has been allocated by the protector and contains the exe's code, and I will also dump the part of memory that has been allocated and contains the ABSOLUTE API addresses of the IAT (since at the time of the dump all the ABSOLUTE API addresses the exe uses, whether taken from the original IAT or from the redirected one, should be present somewhere in memory). Then I will fill the space between the last segment of the exe and the virtual address of those dumped segments with other segments (not dumped; I will create them with LordPE). Those are useless, but needed to fill the memory addresses when the exe is running. So, at the end I will have as a dump a BIGGER file than the protected one (because of all this space of segments), but it will be an exact copy of memory, so it will run just fine. But where are those two segments in our case? Well, this is the way to find out: you are at the OEP in Olly, at the listing shown above (00401099 to 004010C4). Start tracing using F7 till 004010C4. Enter the call with F7 and you are here:

004012AA  -FF25 98304000     JMP DWORD PTR DS:[403098]

Well, at [403098] there was supposed to be an address of the API. Let's trace using F7 and we jump here:

00AC8C70   55                PUSH EBP
00AC8C71   8BEC              MOV EBP,ESP
00AC8C73   51                PUSH ECX
00AC8C74   53                PUSH EBX
00AC8C75   56                PUSH ESI
00AC8C76   57                PUSH EDI
00AC8C77   FF75 08           PUSH DWORD PTR SS:[EBP+8]
00AC8C7A   E8 1ACBFFFF       CALL 00AC5799
00AC8C7F   85C0              TEST EAX,EAX
00AC8C81   59                POP ECX
00AC8C82   8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
00AC8C85   75 2A             JNZ SHORT 00AC8CB1
00AC8C87   60                PUSHAD
00AC8C88   8B15 184AAF00     MOV EDX,DWORD PTR DS:[AF4A18]   ; kernel32.77E7A237

So, we can assume that, because the base address of our exe is at 00400000, this part of code is the spliced code from Dillo. So the segment that has the code spliced by Dillo is located at 00ACXXXX, and if you look in the memory map by pressing the "M" button in Olly, this is the segment that has address AB0000 and size 4E000. So first, in Olly, right click on that segment in the memory map (pressing the "M" button) and choose Set access -> Full access. If you don't do so, it will not be dumped. Now open LordPE, select the process and dump partial this segment. Now, where is the segment of valid API addresses? Well, we stopped tracing at 00AC8C70; continue tracing using F7 and enter the call at 00AC8C7A. We are here:

00AC5799   55                PUSH EBP
00AC579A   8BEC              MOV EBP,ESP
00AC579C   6A FF             PUSH -1
00AC579E   68 E826AE00       PUSH 0AE26E8
00AC57A3   68 4017AE00       PUSH 0AE1740                    ; JMP to msvcrt._except_handler3
00AC57A8   64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
00AC57AE   50                PUSH EAX
00AC57AF   64:8925 00000000  MOV DWORD PTR FS:[0],ESP
00AC57B6   83EC 0C           SUB ESP,0C
00AC57B9   53                PUSH EBX
00AC57BA   56                PUSH ESI
00AC57BB   57                PUSH EDI
00AC57BC   8965 E8           MOV DWORD PTR SS:[EBP-18],ESP
00AC57BF   8365 FC 00        AND DWORD PTR SS:[EBP-4],0
00AC57C3   6A 3A             PUSH 3A
00AC57C5   8B7D 08           MOV EDI,DWORD PTR SS:[EBP+8]
00AC57C8   57                PUSH EDI
00AC57C9   FF15 0423AE00     CALL DWORD PTR DS:[AE2304]      ; msvcrt.strchr

Trace with F7 till 00AC57C9. Check the contents at [AE2304]. You see this:

00AE2304  00 36 C4 77 00 3A C4 77 90 35 C4 77 60 2E C4 77
00AE2314  50 32 C4 77 25 89 C2 77 10 2F C4 77 33 89 C2 77
00AE2324  70 BD C1 77 44 3F C4 77 F8 C5 C1 77 66 CD C3 77
00AE2334  75 D9 C3 77 34 E0 C3 77 C1 3F C4 77 F0 3D C4 77
00AE2344  C5 CB C1 77 42 89 C2 77 DC 7A C3 77 40 31 C3 77
00AE2354  F6 30 C3 77 6B AA C2 77 DB 79 C3 77 46 AC C2 77
00AE2364  88 D3 C5 77 82 E3 C3 77 BF E1 C3 77 85 BF C3 77
00AE2374  20 26 C4 77 A2 22 C4 77 B8 27 C4 77 F5 24 C4 77
00AE2384  70 26 C4 77 62 23 C4 77 9A 2A C4 77 F5 19 C2 77
00AE2394  C0 36 C4 77 00 00 00 00 50 16 12 77 4B 17 12 77
00AE23A4  7E 36 12 77 EC 14 12 77 00 00 00 00 97 28 43 77
00AE23B4  00 00 00 00 E6 56 D4 77 69 8E D6 77 79 96 D4 77
00AE23C4  3C 97 D6 77 C4 C6 D4 77 CA 6B D4 77 CB 0B D6 77
00AE23D4  6F 68 D4 77 0C 86 D4 77 C0 5A D4 77 D9 55 D4 77
00AE23E4  E9 D9 D4 77 9D 56 D4 77 09 53 D4 77 27 8E D4 77

Well, these are the valid absolute IAT addresses. So if we trace with F7 once more we will jump to the API at 77C43600. So, this is the same segment we dumped before. No more dumping.

Open LordPE now. You remember that the dumped section had AB0000 as its start address? So, create a new segment and make its virtual size and raw size so big that now, adding a section from file (choosing the section dumped before), the raw offset and virtual offset will be AB0000-ImageBase. For ImageBase=00400000, ROffset and VOffset are both 6B0000. So, when it runs, this segment will go to AB0000 and the exe will find its spliced code and the IAT addresses there. The segments in memory when we are at the OEP in Olly are:

Memory map
Address   Size      Owner    Section  Contains         Type  Access  Initial  Mapped as
00010000  00001000                                     Priv  RW      RW
00020000  00001000                                     Priv  RW      RW
000E4000  00001000                                     Priv  RW Guar RW
000E5000  0004B000                    stack of mai     Priv  RW Guar RW
00130000  00001000                                     Map   R       R
00140000  00016000                                     Priv  RW      RW
00240000  00006000                                     Priv  RW      RW
00250000  00001000                                     Map   RW      RW
00260000  00016000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000  00034000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000  00041000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000  00006000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000  00006000                                     Map   R E     R E
003E0000  00002000                                     Map   R E     R E
003F0000  00001000                                     Priv  RW      RW
00400000  00001000  packed                             Imag  R       RWE
00401000  00001000  packed   CODE                      Imag  R       RWE
00402000  00001000  packed   DATA                      Imag  R       RWE
00403000  00001000  packed   .idata                    Imag  R       RWE
00404000  00001000  packed   .reloc                    Imag  R       RWE
00405000  00040000  packed   .text    code             Imag  R       RWE
00445000  00010000  packed   .adata                    Imag  R       RWE
00455000  00010000  packed   .data    data,imports     Imag  R       RWE
00465000  00010000  packed   .reloc1  relocations      Imag  R       RWE
00475000  00030000  packed   .pdata                    Imag  R       RWE
004A5000  00007000  packed   .rsrc    resources        Imag  R       RWE
004B0000  00103000                                     Map   R       R
005C0000  000D4000                                     Map   R E     R E
008C0000  00001000                                     Priv  RW      RW
008D0000  0000E000                                     Priv  RW      RW
008E0000  00003000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls
008F0000  0000E000                                     Priv  RW      RW
00900000  00051000                                     Map   R       R
00960000  00001000                                     Map   RW      RW
00970000  00010000                                     Map   RW      RW
009B0000  00001000                                     Priv  RW      RW
00AB0000  0004E000                                     Priv  RW      RW
00B00000  0000C000                                     Priv  RW      RW
00B10000  00002000                                     Map   R       R
00B20000  00018000                                     Priv  RW      RW
00B40000  000A4000                                     Priv  RW      RW
00BF4000  00001000                                     Priv  RW      RW
00C04000  00001000                                     Priv  RW      RW
00C20000  00006000                                     Priv  RW      RW
00C30000  00003000                                     Priv  RW      RW
00C70000  00001000                                     Map   RW      RW
00C80000  00001000                                     Map   RW      RW
00C90000  00001000                                     Priv  RW      RW
00CD1000  00002000                                     Priv  RW      RW
00E90000  00011000                                     Map   R       R        \Device\HarddiskVolume1\WINDOWS\system32\c_1253.nls
00EB0000  00001000
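The LordPE step in the tutorial (append the dumped AB0000 region to the dump as a new section whose RVA is AB0000 minus ImageBase, with dummy sections bridging the gap, so the spliced code and the absolute IAT pointers land at the same addresses when the file is loaded) can be scripted. The script below is an added example, not part of KaGra's tutorial or of the forum post: it builds a constructed minimal PE32 in memory, appends a section at a chosen RVA (adding one raw-data-less filler section first when the RVA lies past the image end, which is what the tutorial's oversized dummy sections achieve by hand), updates NumberOfSections and SizeOfImage, and reads the section table back. The image base 400000, the region address AB0000 and the 16-byte stand-in for the dumped region are constructed sample values; `add_section`, `parse_sections`, `build_sample_pe` and `rebuild_demo` are names chosen here.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D
PE_SIGNATURE = b"PE\0\0"
SECTION_HDR_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)
# IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE: the region held code and IAT pointers
RWX = 0x00000020 | 0x20000000 | 0x40000000 | 0x80000000
# IMAGE_SCN_CNT_UNINITIALIZED_DATA | MEM_READ | MEM_WRITE: filler that occupies no file bytes
FILLER = 0x00000080 | 0x40000000 | 0x80000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _layout(data):
    """Return (coff_header_offset, optional_header_offset, section_table_offset)."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing (header not repaired yet?)")
    coff = e_lfanew + 4
    opt = coff + 20
    return coff, opt, opt + struct.unpack_from("<H", data, coff + 16)[0]


def parse_sections(data):
    """One dict per IMAGE_SECTION_HEADER in the file."""
    coff, _, table = _layout(data)
    count = struct.unpack_from("<H", data, coff + 2)[0]
    out = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HDR_FMT, data, table + i * SECTION_HDR_SIZE)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": f[1], "rva": f[2], "rsize": f[3], "rptr": f[4], "chars": f[9]})
    return out


def size_of_image(data):
    return struct.unpack_from("<I", data, _layout(data)[1] + 56)[0]


def _append_header(data, fields):
    """Write one more section header; refuse if it would overwrite section data."""
    coff, _, table = _layout(data)
    count = struct.unpack_from("<H", data, coff + 2)[0]
    off = table + count * SECTION_HDR_SIZE
    first_raw = min([s["rptr"] for s in parse_sections(data) if s["rptr"]] or [len(data)])
    if off + SECTION_HDR_SIZE > first_raw:
        raise ValueError("section table is full; no room for another header")
    data[off:off + SECTION_HDR_SIZE] = struct.pack(SECTION_HDR_FMT, *fields)
    struct.pack_into("<H", data, coff + 2, count + 1)


def add_section(data, name, rva, blob, characteristics=RWX):
    """Append `blob` as a section mapped at `rva` (relative to ImageBase).

    If `rva` lies past the current image end, a filler section without raw
    data bridges the gap first so the section table stays contiguous; the
    tutorial does the same by hand in LordPE with oversized dummy sections.
    """
    data = bytearray(data)
    _, opt, _ = _layout(data)
    sec_align = struct.unpack_from("<I", data, opt + 32)[0]
    file_align = struct.unpack_from("<I", data, opt + 36)[0]
    if rva % sec_align:
        raise ValueError("rva must be a multiple of SectionAlignment")
    end_rva = max(s["rva"] + align_up(s["vsize"], sec_align) for s in parse_sections(data))
    if rva < end_rva:
        raise ValueError("rva 0x%X overlaps an existing section" % rva)
    if rva > end_rva:
        _append_header(data, (b".fill", rva - end_rva, end_rva, 0, 0, 0, 0, 0, 0, FILLER))
    raw_ptr = align_up(len(data), file_align)
    raw_size = align_up(len(blob), file_align)
    data += b"\0" * (raw_ptr - len(data)) + blob + b"\0" * (raw_size - len(blob))
    name8 = name.encode("ascii")[:8].ljust(8, b"\0")
    _append_header(data, (name8, len(blob), rva, raw_size, raw_ptr, 0, 0, 0, 0, characteristics))
    # SizeOfImage must cover the new section or the loader rejects the file.
    struct.pack_into("<I", data, opt + 56, rva + align_up(len(blob), sec_align))
    return bytes(data)


def build_sample_pe(image_base=0x400000):
    """Constructed minimal PE32 with one CODE section; sample input, not a real dump."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)        # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)         # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: GUI
    code = b"\xEB\x27" + b"\x90" * 0x1FE           # JMP SHORT like the OEP above, padded
    sect = struct.pack(SECTION_HDR_FMT, b"CODE", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, RWX)
    headers = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + code


def rebuild_demo():
    """Constructed scenario from the tutorial: ImageBase 400000, dumped region at AB0000."""
    image_base, region_va = 0x400000, 0xAB0000
    dumped_region = b"\x55\x8B\xEC\x51\x53\x56\x57" + b"\xCC" * 9   # stand-in for the LordPE dump
    return add_section(build_sample_pe(image_base), ".dillo", region_va - image_base, dumped_region)


if __name__ == "__main__":
    for s in parse_sections(rebuild_demo()):
        print("%-8s rva=%08X vsize=%08X raw=%08X+%X" % (s["name"], s["rva"], s["vsize"], s["rptr"], s["rsize"]))
```

Two practical points follow from the tutorial's own remarks. The blob must be the bytes actually read from the process, so the region has to be set to full access before the partial dump, as KaGra notes, and it is marked RWX here because it held both spliced code and pointer tables. The absolute API addresses stored in that region are only valid while the system DLLs load at the same base they had when the dump was taken; that held on the Windows versions of the tutorial's era, and on a system that randomizes DLL bases the rebuilt file will resolve to garbage.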
Thinking in ASM (1)
No beginner would write a swap function this way.
Topic: Hacking Themida ?????????? how can it be made registerable
Originally posted by great123: Pfft, that's easy. But since you're a netizen after all, if something goes wrong you'd come looking for me, so I'd better not do it.
Topic: Hacking Themida ?????????? how can it be made registerable
Don't believe this guy. I knew long ago that Themida has vulnerabilities, but the official version cannot run without a KEY; if you believe this guy, I'll faint. He even talks about modifying the program: if you were strong enough to modify it, would you still need to research how to register THEMIDA? Heh.
Hacking ASPROTECT
KEY:1FjCTa1TWXHyBbvseEALS9sOwg1VDvvbz83YK2nTq8ojangFyVjOClVJFdGkaM6xKHcOe95eqK2MVi5IzbCHtHc8e4/ExnMYQyn7lzsE1nWu8jxHtcxk8CdJfD/DK8TXImJf13xpOAAIOILr6rOo9J1UqtzJthBRq4mJ7ll826Ws= PATH:Software\test Posting this here for now. Will look into it when I have time.
Hacking ASPROTECT
http://www.asprotect.net/cgi-bin/onlineact.exe?ID=OsOtVADg3AE=&P='or''=' ID=OsOtVADg3AE The value after this ID is probably someone's user name after ASPR encoding.
Hacking Themida
Not interested anymore. Themida is actually not as strong as the XPR version. And its price is far cheaper than XPR.
Magic WinMail 4.0 (Build 1112) brute-force crack [原
You're cracking this thing too? Heh, for this one you only need to lock 3 values; there is also the 2007 limit, which I didn't deal with.
[Share] XprotStripper 1.0 Chinese localized version.
Originally posted by qiweixue: I said I can't write drivers, I don't understand them, but I can still understand a bit of a decompiled driver. 0DAY has some IDE software specifically for decompiling drivers and for writing drivers; you can go find it yourself.
Xtreme-Protector packer - crack
Originally posted by qiweixue: I'm no good at playing with drivers; my profession isn't writing drivers, so there's no need to learn it that deeply. Only those who write drivers can play with it. I was just giving a suggestion.
Xtreme-Protector packer - crack
Originally posted by bokonger: I'm not bragging, but just removing the 2 superficial RING0 anti-debug checks so that a RING3 debugger can debug it amounts to unpacking XPR, don't you think?
Xtreme-Protector packer - crack
Originally posted by WiNrOOt: Although I haven't debugged it with hardware, I already understand its manual very well, and besides the manual the original package also comes with a TXT file which describes the author's trump card, macro instructions. Judging by the author's tone, it seems he long expected this day would come.
Xtreme-Protector packer plus crack
Originally posted by Aming: Boss, I'm not saying it can't be DUMPed; actually there are many people who can DUMP XPR, I'm well aware of that.