ASProtect.2.x.Inline.Patching-JW tutorial
Continuing from above:

Now we got all addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP 0040B1A1   (hardcoded in .exe)
2. 0040B282 E919000000   JMP 0040B2A0   (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP 0040B373   (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP 0040B43B   (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000  (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000  (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx xxxxxxxx   (encrypted, we patch in memory)
8. 007AD418 8BD857E84B01 xxx xxxxxxxx   (encrypted, we patch in memory) (EAX points at memory mapped .exe)
9. 007AE17F 8B1504277B00 MOV xxxxxxxx   (encrypted, we patch in memory) (Here we patch target in memory)

Let's prepare the .exe for our patch cave/code. Open the .exe in LordPE, click on the "Sections" button, then right click on the last section and select "edit section header". Change RawSize from 00000000 -> 00001000. Save changes and close LordPE, then open the .exe in Hex Workshop, scroll down to the bottom of the .exe and insert 1000 "90" bytes (hex). Close Hex Workshop and confirm to save changes.

Run the target and break on MapViewOfFileEx. When you're located on address 7AD418, which is right after the MapViewOfFile call, do a search for the bytes 90 90 90 90 90 90 90 90 90 90. You should find the bytes on address 42B005; these are the bytes we added with Hex Workshop, but some of them have been overwritten by ASProtect, so we do this search to find out where the patch cave actually starts. So our patch cave will start on address 42B005.

Open the .exe in Hex Workshop, scroll down to the end of the file, select the 1000 "90" bytes and fill them with 00. This is optional, but it does make it a lot easier when we are gonna write our patch code into the cave.

Let's redirect the end of the 1st decryption block to our cave.

Open the .exe in Hiew and search for the bytes E921000000; these are the bytes of our 1st redirection we found, which is the only redirection that is hardcoded. You should see this in Hiew:

.0040B176: BFCAFFB26D   mov edi,06DB2FFCA
.0040B17B: E921000000   jmp .00040B1A1 --- (4)   <------ We need to change this jump to goto the patch cave.
.0040B180: 58           pop eax

.0040B176: BFCAFFB26D   mov edi,06DB2FFCA
.0040B17B: E985FE0100   jmp .00042B005 --- (4)   <------ This jump now goes to the patch cave.
.0040B180: 58           pop eax

Now it's time to write the patch code into our cave..... [drinking coffee and beating the crap out of the keyboard] ...here's our finished patch cave:

Cave Part 1:
0042B005 C70582B24000E98DFD01   MOV DWORD PTR DS:[40B282],1FD8DE9    <-- Patching 2nd redirection to goto cave part 2.
0042B00F E98D01FEFF             JMP Patched_.0040B1A1                <-- Jumping back to the original destination that the jump we used as redirection 1 jumped to.

Cave Part 2:
0042B014 C70543B34000E9DBFC01   MOV DWORD PTR DS:[40B343],1FCDBE9    <-- Patching 3rd redirection to goto cave part 3.
0042B01E E97D02FEFF             JMP Patched_.0040B2A0                <-- Jumping back to the original destination that the jump we used as redirection 2 jumped to.

Cave Part 3:
0042B023 C70517B44000E916FC01   MOV DWORD PTR DS:[40B417],1FC16E9    <-- Patching 4th redirection to goto cave part 4.
0042B02D E94103FEFF             JMP Patched_.0040B373                <-- Jumping back to the original destination that the jump we used as redirection 3 jumped to.

Cave Part 4:
0042B032 C705F8B54000E944FA01   MOV DWORD PTR DS:[40B5F8],1FA44E9    <-- Patching 5th redirection to goto cave part 5.
0042B03C E9FA03FEFF             JMP Patched_.0040B43B                <-- Jumping back to the original destination that the jump we used as redirection 4 jumped to.

Cave Part 5:
0042B041 893DFCBF4200           MOV DWORD PTR DS:[42BFFC],EDI        <-- Moving aspr address baserange into end of cave.
0042B047 C705F8B5400068008000   MOV DWORD PTR DS:[40B5F8],800068     <-- Patching back original bytes to redirection 5 address.
0042B051 C787F30004006867B042   MOV DWORD PTR DS:[EDI+400F3],42B06768 <-- Patching 6th redirection to goto cave part 6 by using
0042B05B C687F8000400C3         MOV BYTE PTR DS:[EDI+400F8],0C3          address baserange in EDI.
0042B062 E99105FEFF             JMP Patched_.0040B5F8                <-- Jumping back to the restored redirection 5 address.

Cave Part 6:
0042B067 60                     PUSHAD                               <-- Save registers (EAX).
0042B068 A1FCBF4200             MOV EAX, DWORD PTR DS:[42BFFC]       <-- Move address baserange into EAX.
0042B06D C780F300040068008000   MOV DWORD PTR DS:[EAX+400F3],800068  <-- Patching back original bytes to redirection 6 address
0042B077 C680F80004006A         MOV BYTE PTR DS:[EAX+400F8],6A           by using address baserange in EAX.
0042B07E C780C105040068A2B042   MOV DWORD PTR DS:[EAX+405C1],42B0A268 <-- Patching 7th redirection to goto cave part 7 by using
0042B088 66C780C505040000C3     MOV WORD PTR DS:[EAX+405C5],0C300        address baserange in EAX.
0042B091 05F3000400             ADD EAX, 400F3                       <-- Adding address return base to EAX.
0042B096 A39DB04200             MOV DWORD PTR DS:[42B09D],EAX        <-- Moving return address from EAX to PUSH instruction.
0042B09B 61                     POPAD                                <-- Restore registers (EAX).
0042B09C 6800000000             PUSH 0                               <-- Push return address.
0042B0A1 C3                     RETN                                 <-- Return to return address.

Cave Part 7:
0042B0A2 60                     PUSHAD                               <-- Save registers (EAX).
0042B0A3 A1FCBF4200             MOV EAX, DWORD PTR DS:[42BFFC]       <-- Move address baserange into EAX.
0042B0A8 C780C1050400617508B8   MOV DWORD PTR DS:[EAX+405C1],B8087561 <-- Patching back original bytes to redirection 7 address
0042B0B2 66C780C50504000100     MOV WORD PTR DS:[EAX+405C5],1            by using address baserange in EAX.
0042B0BB C68007D4020001         MOV BYTE PTR DS:[EAX+2D407],1        <-- Patch PUSH 6A04 -> 6A01 to make mapped .exe in mem writable.
0042B0C2 C78018D4020068E6B042   MOV DWORD PTR DS:[EAX+2D418],42B0E668 <-- Patching 8th redirection to goto cave part 8 by using
0042B0CC 66C7801CD4020000C3     MOV WORD PTR DS:[EAX+2D41C],0C300        address baserange in EAX.
0042B0D5 05C1050400             ADD EAX, 405C1                       <-- Adding address return base to EAX.
0042B0DA A3E1B04200             MOV DWORD PTR DS:[42B0E1],EAX        <-- Moving return address from EAX to PUSH instruction.
0042B0DF 61                     POPAD                                <-- Restore registers (EAX).
0042B0E0 6800000000             PUSH 0                               <-- Push return address.
0042B0E5 C3                     RETN                                 <-- Return to return address.

Cave Part 8:
0042B0E6 C680F902000000         MOV BYTE PTR DS:[EAX+2F9],0          <-- Patching back "1000" bytes in mem mapped .exe (in header).
0042B0ED C7807B5F0000E9210000   MOV DWORD PTR DS:[EAX+5F7B],21E9     <-- Patching back redirection 1 in mem mapped .exe. CRC check killed.
0042B0F7 60                     PUSHAD                               <-- Save registers (EAX).
0042B0F8 A1FCBF4200             MOV EAX, DWORD PTR DS:[42BFFC]       <-- Move address baserange into EAX.
0042B0FD C78018D402008BD857E8   MOV DWORD PTR DS:[EAX+2D418],E857D88B <-- Patching back original bytes to redirection 8 address
0042B107 66C7801CD402004B01     MOV WORD PTR DS:[EAX+2D41C],14B          by using address baserange in EAX.
0042B110 C68007D4020004         MOV BYTE PTR DS:[EAX+2D407],4        <-- Patch PUSH 6A01 -> 6A04 so ASProtect won't crash us.
0042B117 C7807FE10200683BB142   MOV DWORD PTR DS:[EAX+2E17F],42B13B68 <-- Patching 9th redirection to goto cave part 9 by using
0042B121 66C78083E1020000C3     MOV WORD PTR DS:[EAX+2E183],0C300        address baserange in EAX.
0042B12A 0518D40200             ADD EAX, 2D418                       <-- Adding address return base to EAX.
0042B12F A336B14200             MOV DWORD PTR DS:[42B136],EAX        <-- Moving return address from EAX to PUSH instruction.
0042B134 61                     POPAD                                <-- Restore registers (EAX).
0042B135 6800000000             PUSH 0                               <-- Push return address.
0042B13A C3                     RETN                                 <-- Return to return address.

Cave Part 9:
0042B13B 60                     PUSHAD                               <-- Save registers (EAX).
0042B13C A1FCBF4200             MOV EAX, DWORD PTR DS:[42BFFC]       <-- Move address baserange into EAX.
0042B141 C7807FE102008B150427   MOV DWORD PTR DS:[EAX+2E17F],2704158B <-- Patching back original bytes to redirection 9 address
0042B14B 66C78083E102007B00     MOV WORD PTR DS:[EAX+2E183],7B           by using address baserange in EAX.
0042B154 C6058D104000EB         MOV BYTE PTR DS:[40108D],0EB         <-- Patching our NAG away.
0042B15B 057FE10200             ADD EAX, 2E17F                       <-- Adding address return base to EAX.
0042B160 A367B14200             MOV DWORD PTR DS:[42B167],EAX        <-- Moving return address from EAX to PUSH instruction.
0042B165 61                     POPAD                                <-- Restore registers (EAX).
0042B166 6800000000             PUSH 0                               <-- Push return address.
0042B16B C3                     RETN                                 <-- Return to return address.

Well, that's it.
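The LordPE / Hex Workshop preparation step in the tutorial above (last section's RawSize extended from 0 to 1000h, then 1000h bytes of 90h appended to the file) leaves a footprint that a file-integrity or malware-triage script can look for on disk: a section whose raw data is one repeated byte, or data hanging past the end of the section table. The Python below is an added example from the editor, not code from JohnWho's tutorial or from this post. It parses the PE section table and reports both conditions. The sample images are built in memory by a constructed helper (build_sample_pe); the section names, sizes and the 2-section layout are assumptions for the demo and are not taken from PatchMe.exe.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)


def parse_sections(data):
    """Return the section table of a PE image as a list of dicts."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size      # signature + COFF header + optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR_FMT, data, table + i * SECTION_HDR_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "va": f[2], "raw_size": f[3], "raw_ptr": f[4],
        })
    return sections


def find_filler_sections(data, min_size=0x100):
    """Sections whose on-disk bytes are one repeated value (a 90h or 00h cave)."""
    hits = []
    for s in parse_sections(data):
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if len(raw) >= min_size and len(set(raw)) == 1:
            hits.append((s["name"], raw[0]))
    return hits


def overlay_size(data):
    """Bytes appended after the last section's raw data (covered by no header)."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(data)), default=0)
    return len(data) - end


def audit(data):
    """Summary a triage script would log for one file."""
    return {"filler_sections": find_filler_sections(data),
            "overlay_bytes": overlay_size(data)}


def build_sample_pe(last_raw_size, appended=b""):
    """Constructed minimal PE32 image (not a real program) used as sample input.
    Section names, sizes and the two-section layout are assumptions for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt_size = 0xE0                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    text_ptr, text_size = 0x200, 0x200
    text = b"\x55\x8b\xec" + b"\xcc" * (text_size - 3)         # ordinary code bytes
    last_ptr = text_ptr + text_size
    sec_text = struct.pack(SECTION_HDR_FMT, b".text", text_size, 0x1000,
                           text_size, text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_last = struct.pack(SECTION_HDR_FMT, b".adata", 0x1000, 0x2000,
                           last_raw_size, last_ptr, 0, 0, 0, 0, 0xC0000040)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_last
    image += b"\0" * (text_ptr - len(image)) + text + appended
    return image


if __name__ == "__main__":
    clean = build_sample_pe(0)
    # last section RawSize 0 -> 1000h and 1000h NOPs appended, as in the tutorial step
    caved = build_sample_pe(0x1000, b"\x90" * 0x1000)
    print("clean:", audit(clean))
    print("caved:", audit(caved))
```

The filler check fires on the caved sample because the whole 1000h-byte section is a single repeated value; the overlay check catches the variant where bytes are appended without touching the section header at all. A real scanner would also compare the header against a known-good copy of the binary, since the tutorial's cave code later restores the original RawSize in the memory-mapped image to defeat exactly this kind of comparison at runtime.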
ASProtect.2.x.Inline.Patching-JW tutorial
THX!! I'm just pasting the article I downloaded here so it's easy to view:

ASProtect 1.x -> 2.x inline patching tutorial by JohnWho.
------------------------------------------------------------

In this tutorial I'll show you how to inline patch ASProtect 1.2 -> 2.x without dealing with any crypto stuff. The example program (PatchMe.exe) which will be our target has a startup NAG we need to patch away. The target is protected with ASProtect 2.1.

Tools used: SoftICE, Hex Workshop, Hiew, LordPE.

Let's get started. The first thing to do would be to find out where to patch our target so we get rid of that annoying NAG, but we'll skip that in this tutorial (easy anyway, patch 40108D 74 -> EB).

Now we need to get to the code where the VirtualAlloc call is made; it will tell us where ASProtect's code will be allocated to. ASProtect uses 4-5 decryption loops/blocks to decrypt the code where the first 2 VirtualAlloc calls are made; we need to reach the 2nd call. Run the target and make sure you break on EP (401000), from here trace into all calls with F7 until you reach the below code chunk.

End of 1st decryption block:
0040B170 0F85 1A000000   JNZ PatchMe.0040B190    <----- This jump will keep jumping until 2nd decryption block is decrypted.
0040B176 BF CAFFB26D     MOV EDI, 6DB2FFCA
0040B17B E9 21000000     JMP PatchMe.0040B1A1    <----- When we reach this jump the 2nd decryption block is decrypted to memory
0040B180 58              POP EAX                        and ready to get patched. We use this jump as our 1st redirection, notice
0040B181 B1 96           MOV CL, 96                     that this will be the only hardcoded redirection as the rest will be in memory
0040B183 17              POP SS                         on runtime.
0040B184 04 ED           ADD AL, 0ED
0040B186 22B3 70E96E0F   AND DH, BYTE PTR DS:[EBX+F6EE970]
0040B18C 9C              PUSHFD
0040B18D A5              MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0040B18E 7A 2B           JPE SHORT PatchMe.0040B1BB
0040B190 66:8BFE         MOV DI, SI
0040B193 E9 75FFFFFF     JMP PatchMe.0040B10D

Now set a breakpoint on address 40B17B and press F5; when you break on address 40B17B keep tracing with F7 until you reach the below code chunk.

End of 2nd decryption block:
0040B278 0F85 11000000   JNZ PatchMe.0040B28F    <----- This jump will keep jumping until 3rd decryption block is decrypted.
0040B27E 66:BF 624F      MOV DI, 4F62
0040B282 E9 19000000     JMP PatchMe.0040B2A0    <----- When we reach this jump the 3rd decryption block is decrypted to memory
0040B287 B0 29           MOV AL, 29                     and ready to get patched. We use this jump as our 2nd redirection.
0040B289 AE              SCAS BYTE PTR ES:[EDI]
0040B28A 4F              DEC EDI
0040B28B DCE5            FSUBR ST(5), ST
0040B28D BA 6B668BF9     MOV EDX, F98B666B
0040B292 E9 4BFFFFFF     JMP PatchMe.0040B1E2

Now set a breakpoint on address 40B282 and press F5; when you break on address 40B282 keep tracing with F7 until you reach the below code chunk.

End of 3rd decryption block:
0040B32F 0F85 25000000   JNZ PatchMe.0040B35A    <----- This jump will keep jumping until 4th decryption block is decrypted.
0040B335 E8 05000000     CALL PatchMe.0040B33F
0040B33A B9 FE5FAC75     MOV ECX, 75AC5FFE
0040B33F 80D6 57         ADC DH, 57
0040B342 5E              POP ESI
0040B343 E9 2B000000     JMP PatchMe.0040B373    <----- When we reach this jump the 4th decryption block is decrypted to memory
0040B348 62F3            BOUND ESI, EBX                 and ready to get patched. We use this jump as our 3rd redirection.
0040B34A B0 29           MOV AL, 29
0040B34C AE              SCAS BYTE PTR ES:[EDI]
0040B34D 4F              DEC EDI
0040B34E DCE5            FSUBR ST(5), ST
0040B350 BA 6BC86186     MOV EDX, 8661C86B
0040B355 47              INC EDI
0040B356 74 9D           JE SHORT PatchMe.0040B2F5
0040B358 12E3            ADC AH, BL
0040B35A 66:8BD1         MOV DX, CX
0040B35D E9 81FFFFFF     JMP PatchMe.0040B2E3

Now set a breakpoint on address 40B343 and press F5; when you break on address 40B343 keep tracing with F7 until you reach the below code chunk.

End of 4th decryption block:
0040B40E 0F85 13000000   JNZ PatchMe.0040B427    <----- This jump will keep jumping until the code part with the first 2 VirtualAlloc
0040B414 66:8BDE         MOV BX, SI                     calls is decrypted.
0040B417 E9 1F000000     JMP PatchMe.0040B43B    <----- When we reach this jump the code part with the first 2 VirtualAlloc calls
0040B41C A7              CMPS DWORD PTR DS:             is decrypted and ready to be patched. We use this jump as our 4th redirection.
0040B41D 54              PUSH ESP
0040B41E FD              STD
0040B41F F2:             PREFIX REPNE:
0040B420 43              INC EBX
0040B421 C0F9 3E         SAR CL, 3E
0040B424 9F              LAHF
0040B425 EC              IN AL, DX
0040B426 B5 66           MOV CH, 66
0040B428 8BF1            MOV ESI, ECX
0040B42A E9 8DFFFFFF     JMP PatchMe.0040B3BC

So far so good. We now got the info on where to patch in order to get through the decryption blocks with control on our side. The following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)

Now set a breakpoint on address 40B417 and press F5; when you break on address 40B417 keep tracing with F8 until you reach the below code chunk.

0040B4EF 6A 00           PUSH 0
0040B4F1 FF95 F0030000   CALL NEAR DWORD PTR SS:[EBP+3F0]   <----- This is the 1st VirtualAlloc call.
0040B4F7 8985 CC010000   MOV DWORD PTR SS:[EBP+1CC], EAX
0040B4FD 8B9D 00040000   MOV EBX, DWORD PTR SS:[EBP+400]
0040B503 039D 0D040000   ADD EBX, DWORD PTR SS:[EBP+40D]
0040B509 50              PUSH EAX
0040B50A 53              PUSH EBX
0040B50B E8 04010000     CALL PatchMe.0040B614
0040B510 6A 40           PUSH 40
0040B512 68 00100000     PUSH 1000
0040B517 FFB5 08040000   PUSH DWORD PTR SS:[EBP+408]
0040B51D 6A 00           PUSH 0
0040B51F FF95 F0030000   CALL NEAR DWORD PTR SS:[EBP+3F0]   <----- This is the 2nd VirtualAlloc call. When this call has been executed
0040B525 8985 31040000   MOV DWORD PTR SS:[EBP+431], EAX           EAX will contain the address baserange where ASProtect's code
0040B52B 8985 D0010000   MOV DWORD PTR SS:[EBP+1D0], EAX           will be decrypted to. We need this baserange address in order to
........ Skipping code ........                                    patch ASProtect's virtual allocated code.
0040B5EA 53              PUSH EBX
0040B5EB 6A 00           PUSH 0
0040B5ED 6A 00           PUSH 0
0040B5EF 6A 01           PUSH 1
0040B5F1 57              PUSH EDI
0040B5F2 8B5E 08         MOV EBX, DWORD PTR DS:[ESI+8]
0040B5F5 03DF            ADD EBX, EDI
0040B5F7 53              PUSH EBX
0040B5F8 68 00800000     PUSH 8000                          <----- Here EDI contains the address baserange. We use this as our 5th
0040B5FD 6A 00           PUSH 0                                    redirection.
0040B5FF 56              PUSH ESI
0040B600 FF95 F4030000   CALL NEAR DWORD PTR SS:[EBP+3F4]
0040B606 68 00000000     PUSH 0
0040B60B C3              RETN                               <----- This return will bring us to the 1st part of ASProtect virtual allocated memory.

So from this point on we need to use our baserange for all further patching of ASProtect code!

So far we got the following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000 PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)

Now set a breakpoint on address 40B5F8 and press F5; when you break on address 40B5F8 keep tracing with F8 until you reach the below code chunk. Notice that from now on the address range is probably different on your computer.

007C00B6 6A 04           PUSH 4
007C00B8 68 00100000     PUSH 1000
007C00BD 68 46050000     PUSH 546
007C00C2 6A 00           PUSH 0
007C00C4 FF95 79294400   CALL NEAR DWORD PTR SS:[EBP+442979]   <----- This is the 3rd VirtualAlloc call.
007C00CA 8985 75294400   MOV DWORD PTR SS:[EBP+442975], EAX
007C00D0 8D9D 452A4400   LEA EBX, DWORD PTR SS:[EBP+442A45]
007C00D6 50              PUSH EAX
007C00D7 53              PUSH EBX
007C00D8 E8 74050000     CALL 007C0651
007C00DD 8BC8            MOV ECX, EAX
007C00DF 8DBD 452A4400   LEA EDI, DWORD PTR SS:[EBP+442A45]
007C00E5 8BB5 75294400   MOV ESI, DWORD PTR SS:[EBP+442975]
007C00EB F3:A4           REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
007C00ED 8B85 75294400   MOV EAX, DWORD PTR SS:[EBP+442975]
007C00F3 68 00800000     PUSH 8000                             <----- We redirect here. This is our 6th redirection.
007C00F8 6A 00           PUSH 0
007C00FA 50              PUSH EAX
007C00FB FF95 7D294400   CALL NEAR DWORD PTR SS:[EBP+44297D]
007C0101 8D85 512C4400   LEA EAX, DWORD PTR SS:[EBP+442C51]
007C0107 50              PUSH EAX
007C0108 C3              RETN

So far we got the following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000 PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)

Keep tracing with F8 until you reach the below code chunk.

007C030D 8B9D 552A4400   MOV EBX, DWORD PTR SS:[EBP+442A55]
007C0313 0BDB            OR EBX, EBX
007C0315 74 0A           JE SHORT 007C0321
007C0317 8B03            MOV EAX, DWORD PTR DS:[EBX]
007C0319 8785 592A4400   XCHG DWORD PTR SS:[EBP+442A59], EAX
007C031F 8903            MOV DWORD PTR DS:[EBX], EAX
007C0321 8DB5 712A4400   LEA ESI, DWORD PTR SS:[EBP+442A71]
007C0327 833E 00         CMP DWORD PTR DS:[ESI], 0
007C032A 0F84 D3000000   JE 007C0403
007C0330 8DB5 712A4400   LEA ESI, DWORD PTR SS:[EBP+442A71]
007C0336 8B46 04         MOV EAX, DWORD PTR DS:[ESI+4]
007C0339 6A 04           PUSH 4
007C033B 68 00100000     PUSH 1000
007C0340 50              PUSH EAX
007C0341 6A 00           PUSH 0
........ Skipping code ........
007C05BB 8985 112F4400   MOV DWORD PTR SS:[EBP+442F11], EAX
007C05C1 61              POPAD                                 <----- We redirect here. This is our 7th redirection.
007C05C2 75 08           JNZ SHORT 007C05CC
007C05C4 B8 01000000     MOV EAX, 1
007C05C9 C2 0C00         RETN 0C
007C05CC 68 00000000     PUSH 0
007C05D1 C3              RETN

So far we got the following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000 PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx xxxxxxxx (encrypted, we patch in memory)

Clear all breakpoints you may have and set a new one on MapViewOfFileEx, press F5 and then F12 2 times. You should now see the below code chunk.

007AD400 6A 00           PUSH 0
007AD402 6A 00           PUSH 0
007AD404 6A 00           PUSH 0
007AD406 6A 04           PUSH 4                                <----- We need to patch this instruction to push 1 so the
007AD408 A1 58A57B00     MOV EAX, DWORD PTR DS:[7BA558]               mapped .exe in memory becomes writeable.
007AD40D 50              PUSH EAX
007AD40E A1 D4277B00     MOV EAX, DWORD PTR DS:[7B27D4]
007AD413 8B40 08         MOV EAX, DWORD PTR DS:[EAX+8]
007AD416 FFD0            CALL NEAR EAX                         <----- MapViewOfFile call.
007AD418 8BD8            MOV EBX, EAX                          <----- Here EAX points at mapped .exe in memory. We need to
007AD41A 57              PUSH EDI                                     patch the mapped .exe to deal with the CRC check. We
007AD41B E8 4B010000     CALL 007AD56B                                use this as our 8th redirection.
0040B5FD 6A 00           PUSH 0

So far we got the following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000 PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx xxxxxxxx (encrypted, we patch in memory)
8. 007AD418 8BD857E84B01 xxx xxxxxxxx (encrypted, we patch in memory) (EAX points at memory mapped .exe)

Now the CRC check is dealt with and we only need to patch our target to get rid of the NAG, but at this point the code we wanna patch hasn't been decrypted to memory, so we need one more redirection after it has been decrypted. Clear your breakpoint and set a new one on read to memory address 40108D (bpm 40108D r), which is the address we wanna patch to get rid of the NAG. Press F5 5 times; the 3rd time you break you can see that the bytes on address 40108D have been decrypted. The 5th time you break you're in the memory CRC check routine and you should see the below code chunk.

0078F3A0 81C7 A1EBD96E   ADD EDI, 6ED9EBA1    <------- You should be here.
0078F3A6 8BEE            MOV EBP, ESI
0078F3A8 33EB            XOR EBP, EBX
0078F3AA 33E8            XOR EBP, EAX
0078F3AC 03FD            ADD EDI, EBP
0078F3AE 03CF            ADD ECX, EDI
0078F3B0 8BF9            MOV EDI, ECX
0078F3B2 C1E7 03         SHL EDI, 3
0078F3B5 C1E9 1D         SHR ECX, 1D
0078F3B8 0BF9            OR EDI, ECX
0078F3BA 8BCF            MOV ECX, EDI

Press F12 or single step over/into the RET instruction on address 78F436 and you should see the below code chunk.

0078F59D 83C7 40         ADD EDI, 40          <------- You should be here.
0078F5A0 83EB 40         SUB EBX, 40
0078F5A3 83FB 40         CMP EBX, 40
0078F5A6 7D EC           JGE SHORT 0078F594
0078F5A8 8B0424          MOV EAX, DWORD PTR SS:[ESP]
0078F5AB 03C5            ADD EAX, EBP
0078F5AD 8D56 08         LEA EDX, DWORD PTR DS:[ESI+8]
0078F5B0 8BCB            MOV ECX, EBX
0078F5B2 E8 A130FFFF     CALL 00782658
0078F5B7 5A              POP EDX
0078F5B8 5D              POP EBP
0078F5B9 5F              POP EDI
0078F5BA 5E              POP ESI
0078F5BB 5B              POP EBX
0078F5BC C3              RETN

Clear your breakpoints and set one on address 78F5BC, press F5 and you break on address 78F5BC. Press F12 2 times and you'll see the code chunk below.

007AE13C 53              PUSH EBX                              <----- You should be here.
007AE13D 56              PUSH ESI
007AE13E 57              PUSH EDI
007AE13F 55              PUSH EBP
007AE140 83C4 D8         ADD ESP, -28
007AE143 A1 9C277B00     MOV EAX, DWORD PTR DS:[7B279C]
007AE148 C600 D2         MOV BYTE PTR DS:[EAX], 0D2
007AE14B B2 01           MOV DL, 1
007AE14D A1 F4B07900     MOV EAX, DWORD PTR DS:[79B0F4]
007AE152 E8 F9CFFEFF     CALL 0079B150
007AE157 8BF0            MOV ESI, EAX
007AE159 E8 7EE7FFFF     CALL 007AC8DC
007AE15E 8BD8            MOV EBX, EAX
007AE160 A1 E0277B00     MOV EAX, DWORD PTR DS:[7B27E0]
007AE165 8B00            MOV EAX, DWORD PTR DS:[EAX]
007AE167 8946 04         MOV DWORD PTR DS:[ESI+4], EAX
007AE16A A1 04277B00     MOV EAX, DWORD PTR DS:[7B2704]
007AE16F 8B00            MOV EAX, DWORD PTR DS:[EAX]
007AE171 33D2            XOR EDX, EDX
007AE173 8950 04         MOV DWORD PTR DS:[EAX+4], EDX
007AE176 A1 F0277B00     MOV EAX, DWORD PTR DS:[7B27F0]
007AE17B 8B00            MOV EAX, DWORD PTR DS:[EAX]
007AE17D 8B00            MOV EAX, DWORD PTR DS:[EAX]
007AE17F 8B15 04277B00   MOV EDX, DWORD PTR DS:[7B2704]        <---- When we reach this address the memory CRC check
007AE185 8B12            MOV EDX, DWORD PTR DS:[EDX]                  is done and we can patch target in memory. So we
007AE187 8942 50         MOV DWORD PTR DS:[EDX+50], EAX               use this as our 9th and last redirection.
007AE18A A1 04277B00     MOV EAX, DWORD PTR DS:[7B2704]
anti trick Ⅲ --erase module
いい见札でした
[Help] Can any expert crack "Web Information Collection Expert 0.999"?
If you like it, just register a copy.
SoftSentry 2.11 unpacking
After the program starts, click "I want to try it", and an exception follows: Exception C0000008 (INVALID HANDLE). This exception can simply be NOPed out by hand.