|
[求助]那位兄弟知道Armadillo 3.78的壳怎么脱?
浅谈Armadillo V.3.75 与 V.3.78的保护【原创】 http://www.pediy.com/bbshtml/BBS6/pediy6906.htm |
|
|
|
[转帖]Quick Unpack V0.6
辛苦了... |
|
[求助]有谁知道可以监视硬盘新增加的文件的软件
http://www.ryclub.com/software/system/xzgj.htm |
|
SDprotector Pro Edition v1.12 手工脱壳教
SDprotector Pro Edition v1.12 Manually Unpacking Tutorial by KaGra Download SDPR at www.sdprotector.com,till now is 1.12 pro edition the most recent ver. Hallo,hallo.Nice talking with U again.Well,this time the victim is SDprotector. Well,here I followed a little different approach to unpack this protector.What I mean?HeRe it Comes... Tools Used: Olly v1.10 and ImpRec v1.6f,Ollydump Plug,HideOlly Plug (I will not refer to it) Well,I have checked all the Options of protection in SDprotector and protected the file.Those options are in Options->Left part of the screen.I didn't touch anything else. Load the exe target in Olly.In debugging options,check them all so that the execution of the programm will not be interrupted by any exception (and then ask U to press Shift+F9 or Shift+F8 or Shift+F7 to continue).Run the exe.A messagebox appearz saying that debugger is detected.Well it is hard to find what exactly protection against debugger this may has. I found out that it detects a debbuger using CreateToolHelp32Snapshot to find out what windows are open and compere them with a default string list (in the list is also Olly).It also uses SetUnhandledException filter to find the debugger,but I really tried hard to find out how the exception occured after the calling of this API.But I didnt find it.So I thought this:Why just run the exe,not under Olly,and then just attach to the process? Well,let's do so.I run the exe,a messagebox appears saying something of a demo version of the packer (don't worry,the features we enabled for protecting this file work),and then the screenbox of the exe process appears.Now,open Olly.Before U attach,a messagebox appears saying that a debugger is detected,and closes the debugger.Run the exe again,and open LordPE to dump it. Before U ever try to dump,it closes LordPE and exits.What is going on? Well,it can't be using SetUnhandledExceptionFiler or any other kind of exception trick,because it is not being debugged.So,the only thing that comes in my mind is that it has hardcoded strings refering to processes or Window handles.It also has a loop that checks all the running processes and windows handles with those strings,althought it is supposed to be in the original exe's code section.Well,it is but the packer has given him some extra code and this code still remains and makes this security check loop,althought we have passed the OEP. And my quess is true.Rename LordPE.exe to something else.Run the exe.Now run the renamed LordPE.It does not closes LordPE.So,do the same with Olly.Damn,it still closes her.Well,this happens because Olly has inside her .data and .edata section strings that start with "Olly" chars,and all those are hardcoded in the security loop that I mentioned before.So,open Olly,and load Olly (yes,U hear right) in the first Olly.Click the "M" button and see the section of the loaded Olly,in first Olly: Memory map Address Size Owner Section Contains Type Access Initial Mapped as 00400000 00001000 OLLYDBG PE header Imag R RWE 00401000 000AF000 OLLYDBG .text code Imag R RWE 004B0000 0005B000 OLLYDBG .data data Imag R RWE 0050B000 00001000 OLLYDBG .tls Imag R RWE 0050C000 00001000 OLLYDBG .rdata Imag R RWE 0050D000 00002000 OLLYDBG .idata imports Imag R RWE 0050F000 00002000 OLLYDBG .edata exports Imag R RWE 00511000 00036000 OLLYDBG .rsrc resources Imag R RWE 00547000 0000C000 OLLYDBG .reloc relocations Imag R RWE Go to the .idata section and search for the string Olly,withought having the case sensitive checked.U find this: 0050F780 6F 6C 6C 79 64 62 67 2E 65 78 65 00 5F 41 64 64 ollydbg.exe._Add 0050F790 73 6F 72 74 65 64 64 61 74 61 00 5F 41 64 64 74 sorteddata._Addt 0050F7A0 6F 6C 69 73 74 00 5F 41 6E 61 6C 79 73 65 63 6F olist._Analyseco Change ollydbg.exe to something else eg. fffffff.exe.Search again in this section. We are lucky,because it is found just once.Go to the .data section and search again for the same string.Damn,here the string exists in many places.Well,change all the words that have this string inside them. When done,dump with OllyDump the process,without checking the Import Rebuild Option on. Well,Olly is now patched.Rename the dumped to anything that has not the string Olly in it.Now, run the protected exe again till the main window of the crackme appearz.Now,run the dumped new patched Olly.Wait a little (some seconds). Well,it dooesn't detect Olly!Well,if in this part U have done something wrong,or make something wrong in the following steps,next time will detect Olly,and U will need to change the patched strings ALL to something else,again.I think that the protected exe,if once find an exe string signature that may be a possible debugger or any other "hostile" program for it,it put it somewhere (registry,memory,I don't know) and rembers it.So,just do the patch right and follow every single instruction of the next linez.But there are pacthes that will patch Olly against this protected exe once and for all.Such a patch is putting Fh 's in all strings that will be replaced.I don't really know why this string makes this good thing for us,but it works.So,patch Olly with Fh 's where U should patch (Hey,Fh ascii not chars!). Now,in patched Olly that is running,check all the options of exceptions in Debugger Options,and in option of Ignore also following custom exceptions should be nothing. Now select the process of the protected exe that runs and attach to it.Do not open any other window becuase the protected exe may detect Olly.Just the Debugging options and then the attach window.U are HeRe: 77F767CE C3 RETN 77F767CF > CC INT3 77F767D0 C3 RETN 77F767D1 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 77F767D5 CC INT3 77F767D6 C2 0400 RETN 4 77F767D9 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18] 77F767DF C3 RETN 77F767E0 > 57 PUSH EDI 77F767E1 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C] 77F767E5 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8] 77F767E9 C702 00000000 MOV DWORD PTR DS:[EDX],0 77F767EF 897A 04 MOV DWORD PTR DS:[EDX+4],EDI 77F767F2 0BFF OR EDI,EDI 77F767F4 74 11 JE SHORT ntdll.77F76807 77F767F6 83C9 FF OR ECX,FFFFFFFF 77F767F9 33C0 XOR EAX,EAX 77F767FB F2:AE REPNE SCAS BYTE PTR ES:[EDI] Now,press the "M" button and set a memory breakpoint on access in .text section.In this section is the original code of the protected exe.Go to your clock and change the hour.Make it one hour less or one hour more.This is done,because changing it we stop the loop of the anti-debugging feature that the running protected exe has.It seems that this loop checks periodicall the hour-mins-secs and then performs the detection of debugger check.Really nasty,I made 2 hours to understand this!Now press F9 to run the process.The debugger pauses at the breakpoint we have just set,HeRe: 0040111B C8 000000 ENTER 0,0 0040111F 53 PUSH EBX 00401120 56 PUSH ESI 00401121 57 PUSH EDI 00401122 817D 0C 11010000 CMP DWORD PTR SS:[EBP+C],111 00401129 0F84 AB000000 JE sdprotec.004011DA 0040112F 817D 0C 10010000 CMP DWORD PTR SS:[EBP+C],110 00401136 0F84 86000000 JE sdprotec.004011C2 0040113C 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10 00401140 0F84 B5000000 JE sdprotec.004011FB 00401146 B8 00000000 MOV EAX,0 If u hadn't check the time of your clock,an exception that could not be handled would occur,and after some tracing U would have made (u cann't stay in a place forever!) the exe would have traced Olly and exit.If u fail and try again,change accordinglt the time clock every time U try. Yes,we are at the unpacked,original code of the exe.But where is the OEP?As U will know,we have passed the OEP becuase we run the exe before patched Olly.But,becuase the exe is just appearing a screen that asks for a Name and Registration code,it is in a loop,and not far "after" the OEP, because no basic routine has been executed,that will make the flow of the programm to go much away from the OEP.Now,we are at 0040111B paused.Just check a few lines up.We see this place: 004010C2 6A 00 PUSH 0 004010C4 E8 E1010000 CALL sdprotec.004012AA ; JMP to kernel32.GetModuleHandleA 004010C9 A3 F3204000 MOV DWORD PTR DS:[4020F3],EAX 004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003 004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],sdprotec.00401> 004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0 004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0 004010F6 A1 F3204000 MOV EAX,DWORD PTR DS:[4020F3] Good place for an entry point,because we see a call at GetModuleHandleA (many progs need the return value from such an API call,and call it some opcodes after the OEP) and we don't see any other API calls of any kind before the opcode at 004010C2 (and generally,after the OEP API calls like GetVersion,GetModuleHandleA,LoadLibrary or GetCommandLineA follow.).U may say,why could it be not an earlier?Well,I tried and after the IAT rebuilding (that will follow) I couldn't make it work.Eventually the OEP is 004010C2.In some other cases,when an exe is compiled with a language compiler eg. C++,at the OEP arefour to five opcodes that are the same for every produced with the same compiler exe.So,after landing at a place of code after the attach and dump,the OEP cannot be far away,since not many opcode sequences like these exist from the place we landed,and near it.Anyway,have in mind that it is NOT ALWAYS necessary to land exactly at OEP,in order for the dump to work.We just say that OEP is the most ideal place,becuase all sections are intact,nice and clean (and not changed by self-modifications or of modifications that happen during runtime,between the exe in memory and other processes,or by itself).Remove the memory breakpoint. Before dumping,right click in all section that u see in tha patched Olly (and PEheader as well) and set access->Full access.This is done becuase during unpacking,the protector has protected the access of those memory locations using probably VirtualProtect API's,and if we try to dump the dumper will fail,or may create a false dump.Also,ImpreC will not be able to read the process from memory,meaning the data that are contained and to be used,in order to fix the Imports (u can check it!) Now,dump the exe with OllyDump,without having checked the IMport Rebuilding,and as an OEP the value of (OEP as seen in addressing)-Imagebase=004010C2-00400000=10C2.We now have the dump. For the rebuilding part we will do everything without executing anything in Olly,just seing the code, because we cannot put any software or hardware breakpoints,the packer detects them all.But don't mind,because code at that time is not self-modified any more and the mem locations that we will need contain hard-coded bytes,so no need to run it in Olly actually.Just using Olly as a Dasm.OpenImpRec and put as OEP the value 10C2.Now IAT autosearch and Get Imports. Now press Show invalid.We have many invalid.Select one invalid and right click in it->Disassemble.What we see here is that in the place where the code of a valid API should have been,are instructions that generate the call to that API.So the only thing we have to do for all those invalids,is to follow in debugger this codes and see where they finally jamp,at API's.We will know that we are for the first time in API's code,because the address of the first opcode will be (and all those who follow and are in the API!) in 7XXXXXXX format.Then,just a search in all module names in Olly will reveal which API has as starting address this value,and we can identify this API.Then,we will manually put the name of that API at the invalid thunk. But how are we going to follow all those invlid thunks?We,check the Disassm of one invalid,eg the 00143B98h: 00143B98 58 POP EAX 00143B99 50 PUSH EAX 00143B9A 60 PUSHAD 00143B9B 9C PUSHFD 00143B9C 68 02000000 PUSH 2 00143BA1 50 PUSH EAX 00143BA2 B8 32DEE44B MOV EAX,4BE4DE32 00143BA7 50 PUSH EAX 00143BA8 B8 2C1CB9C3 MOV EAX,C3B91C2C 00143BAD 50 PUSH EAX 00143BAE E8 BD5C3200 CALL sdprotec.00469870 00143BB3 9D POPFD 00143BB4 61 POPAD 00143BB5 B8 2C1CB9C3 MOV EAX,C3B91C2C 00143BBA 9C PUSHFD 00143BBB 2D 32DEE44B SUB EAX,4BE4DE32 00143BC0 9D POPFD 00143BC1 50 PUSH EAX 00143BC2 C3 RETN Well,all code till 00143BB5 is junk code,to confuse the reverser.So at 00143BB5 moves a value at EAX,then a PUSHFD (junk opcode also,don't care about this) and at 00143BBB subtract 4BE4DE32 and in EAX=77D43DFA.Then,the POPFD of junk,and we jamp at 77D43DFA.What API is there?Look in Olly in Search for all module names and this API is TransLateMessage.So,in ImpRec,invalidate the thunk and double click on it,and select from user32.dll the TransLateMessage API.Now again show invalid.Good,we reduced invalids to one.As u can see,by this way we can fix all the invalid thunks.Do the same thing for every invalid then.But there is one thunk that has not a Push eax-retn that jamps at an API.This is thunk 468AB3.Well,in Olly go at 468AB3.U see this: 00468AB3 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 00468AB7 85C0 TEST EAX,EAX 00468AB9 7D 1D JGE SHORT sdprotec.00468AD8 00468ABB 83F8 F5 CMP EAX,-0B 00468ABE 7E 18 JLE SHORT sdprotec.00468AD8 00468AC0 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] 00468AC4 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] 00468AC8 51 PUSH ECX 00468AC9 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] 00468ACD 52 PUSH EDX 00468ACE 51 PUSH ECX 00468ACF 50 PUSH EAX 00468AD0 E8 A1F7FFFF CALL sdprotec.00468276 00468AD5 C2 1000 RETN 10 00468AD8 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] 00468ADC 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] 00468AE0 52 PUSH EDX 00468AE1 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] 00468AE5 51 PUSH ECX 00468AE6 52 PUSH EDX 00468AE7 50 PUSH EAX 00468AE8 E8 BD3F0000 CALL sdprotec.0046CAAA 00468AED C2 1000 RETN 10 The call at 00468AE8 goes to the API.All till here is junk code.So in Olly go now at 0046CAAA and we are HeRe: 0046CAAA E8 01000000 CALL sdprotec.0046CAB0 0046CAAF FF58 05 CALL FAR FWORD PTR DS:[EAX+5] ; Far call 0046CAB2 C9 LEAVE 0046CAB3 0A00 OR AL,BYTE PTR DS:[EAX] 0046CAB5 008B 008038CC ADD BYTE PTR DS:[EBX+CC388000],CL 0046CABB 74 0A JE SHORT sdprotec.0046CAC7 0046CABD 50 PUSH EAX 0046CABE C3 RETN It jamps at 0046CAB0.We cannot see the opcode of that,because it is mixed.So just go at 0046CAB0 and u see that: 0046CAB0 58 POP EAX 0046CAB1 05 C90A0000 ADD EAX,0AC9 0046CAB6 8B00 MOV EAX,DWORD PTR DS:[EAX] 0046CAB8 8038 CC CMP BYTE PTR DS:[EAX],0CC 0046CABB 74 0A JE SHORT sdprotec.0046CAC7 0046CABD 50 PUSH EAX 0046CABE C3 RETN Well at 0046CABE jamps at the good API we are looking for.So,at 0046CAB0, EAX=0046CAAF because of the call at 0046CAAA (so stack has return address 0046CAAA ),then adds the value of 0AC9 so eax is now 0046D578.Now at [EAX] is the API address to fix this thunk.A small trick that seeks for a software breakpoint there and then a PUSH EAX-RETN and we jamp there. What is in [EAX]?Well,go at 0046D578 and U see that: 0046D578 76 64 JBE SHORT sdprotec.0046D5DE 0046D57A D6 SALC 0046D57B ^77 E3 JA SHORT sdprotec.0046D560 0046D57D A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI] 0046D57E D4 77 AAM 77 We are interested for the first four bytes in reverse,which give us the address of 77D66476h.I look in Olly,and this is API MessageBoxA.Then,I give this name to out final invalid API thunk.Now press show invalid,no invalids.Fix dump now. Run the fixed exe and...Yeeeaaahh!!!Last version of the so called SDprotector defeated!!! Well,this was a hard protector.Took me at least 6 hours,including writing this tutor.This is one contribution to all of U,that are really interested to see how other people think, including the makers of this packer... I can hear a voice in my mind...time to talk to it... |
|
od调试工具!新版本!好东西呀!
If you like Odbg and you have Windows XP Try Ollyxp for a XP look. |
|
UltraEdit MASM 语法高亮配置文件
支持... 已加如工具栏. |
|
ReFox X FULL
Serial : UK933629 - QSOECLMR Id : 2EAD5005 - D1780000 User : MANRIQUE ORELLANA Company : MANSOFT SYSTEMS |
|
[原创]Shrinker 3.3 轻松脱壳法
支持下.. |
|
ReFox X FULL
重复发贴,合并! |
|
ReFox X FULL
Decompiler and Brander for FoxPro and Visual FoxPro FoxBASE+, FoxPro 1.*- 2.6, Visual FoxPro 3.0, 5.0, 6.0, 7.0, 8.0 and 9.0 |
|
Compuware DriverStudio V3.2 完全版
两台PC是必要条件 |
|
Compuware DriverStudio V3.2 完全版
等新版的... |
|
od调试工具!新版本!好东西呀!
昨天在EXETOOLS见过! |
|
远古Hying壳脱壳机 Dearmor 0.46++
支持你... |
|
[ZT][密界脱壳文集]第二版下载
http://solar.mofile.com/docs/DocsHandler.do?action=ownDownloadLink&pickupCode=0180172798817897 |
操作理由
RANk
{{ user_info.golds == '' ? 0 : user_info.golds }}
雪币
{{ experience }}
课程经验
{{ score }}
学习收益
{{study_duration_fmt}}
学习时长
基本信息
荣誉称号:
{{ honorary_title }}
能力排名:
No.{{ rank_num }}
等 级:
LV{{ rank_lv-100 }}
活跃值:
在线值:
浏览人数:{{ visits }}
最近活跃:{{ last_active_time }}
注册时间:{{ user_info.create_date_jsonfmt }}
勋章
兑换勋章
证书
证书查询 >
能力值