|
[原创]汉化初学者进阶教程 3[压缩壳程序脱壳修复与优化]
自上一篇文章引起的讨论之后,在网上仔细地搜索了CxLrb的文章,觉得CxLrb是个很敬业的人,对汉化不是很清楚,但是一定要支持你的工作! |
|
请大家不要下载“ADSL密码帐号查看器”!!!
哈,还是我的金山网镖厉害!我也下载了,双击运行,没出现我要看到的东东,我想是这个程序没有做好,当即就删除了它。不曾想到它是专为捆绑木马而做的呀。 强力建议国人安装金山正版软件! |
|
关于木马的生成技术
我靠,重翻 一次,居然补丁成功了!! |
|
关于木马的生成技术
支持你这种说法,不过我地另外一个地方看到一破文,但是照猫画虎也不成功。 看下面: s Tutorial: How to do Inline Patch in Aspack'ed applications! Ok, as you know, I haven't written a tutor by myself for long time, so since I'm on holiday now, I decided to write one. This time, we'll do an Inline Patching in Aspack'ed application. Very easy, no fear! Ok, I've coded a small crackme for the education, and it's packed with Aspack v2.12. So on this crackme, we must remove the messagebox. Still as I said, the main goal is to do Inline Patching on this Crackme, not to remove the messagebox only! ;) Ok, let's go.. What we'll need: OllyDbg - to find Program Entry Point (OEP) in the Crackme HIEW v6.83 - to edit the Crackme W32Dasm v8.93 - to disassemble the Crackme LordPE Deluxe - to unpack the Crackme and edit PE headers PEiD v0.80 - to identify the PE in Crackme Pen and paper, and your brain!! Step 1. Let's run PEiDentifier on this Crackme to confirm it's packed with Aspack! Or you can use any similiar file scanner. (They can be found at Protools sites!). While we're at it, run Crackme and see what happens. Ok, the messagebox appears, so it has to be removed. I'm not teaching you how to remove the box, just how to do Inline Patch. Step 2. Ok, coz it's packed with Aspack, we all know that Aspack'ed applications first goto its own decryption procedures, to check CRC etc, then if it's OK then it goes to Main procedure of applications or else gives you errors. So we gotta find the jump to OEP in Crackme in decryption codes. When run, we all know Aspack'ed applications contain the "known" instructions near the end of decryption part: xxxxxxxx 61 popad xxxxxxxx 7508 jne cccccccc xxxxxxxx B801000000 mov eax,00000001 xxxxxxxx C20C00 retn 000C cccccccc 68aaaaaaaa push aaaaaaaa <--- aaaaaaaa is our OEP value xxxxxxxx C3 ret We gotta find the OEP value in this unpacking code, remember we will NOT find the OEP value in Aspack'ed files, only when you run 'em, you'll find it in memory. Of course, it's hardcoded in Aspack'ed files, but hard to find it. So the known bytes we always can find in Aspack'ed files looks like: 61 7508 B801000000 C20C00 6800000000 <--- always 00000000, so that's why we don't know the OEP yet! C3 Step 3. Ok, now we can open HIEW on Crackme and search for bytes: 6800000000C3. We found it at: .0040D3AF: 61 popad .0040D3B0: 7508 jne 00040D3BA .0040D3B2: B801000000 mov eax,000000001 .0040D3B7: C20C00 retn 0000C .0040D3BA: 6800000000 push 000000000 .0040D3BF: C3 retn Ok cool, we know it's Aspack'ed and we have the address "40D3BA", so write down this address on paper. Step 4. Next thing we gotta do, is to load the debugger to find the real OEP. Load OllyDbg, open Crackme.exe. (If you're unfamiliar with OllyDbg, find some tutors on how to use it.) Anyway, back to OllyDbg, at CPU, main thread window at first line, you'll see like this: 0040D000 90 NOP 0040D001 60 PUSHAD 0040D002 E8 03000000 CALL ASPCrack.0040D00A 0040D007 E9 EB045D45 JMP 459DD4F7 0040D00C 55 PUSH EBP Step 5. Ok, now scroll down to 40D3BA where it looks like this: 0040D3BA 68 00000000 PUSH 0 Ok, on that line, press F2 to set breakpoint on this line. Then finally press F9 to run Crackme in OllyDbg. Awesome, what do we find? Here's what I found: 0040D3BA 68 345A4000 PUSH ASPCrack.00405A34 See? 405A34 is our real OEP! Write down this OEP. We're done with OllyDbg for now. Step 6. What now? We gotta unpack the Crackme, not to remove the messagebox only, but to get/write down the Address that needs to be patched. Ok, run Crackme again, don't close it yet! Now run LordPE, scroll down till you see like this: Path PID ImageBase ImageSize c:\Crkme\ASPCrackme.exe 000007D8 00400000 00010000 ^^^^^^^^^^^^^^^^^^^^^^^ This path might be different where you stored the Crackme! Ok good, now RightClick on that line and select "dump full...", then save the dumped to wherever you want. You'll see we got dumped.exe with 65,536 bytes in size. Now close Crackme, don't close LordPE yet! Step 7. Now we need to rebuild the PE headers since the dumped.exe won't run good. In LordPE, click "Rebuild PE" and select dumped.exe file. You'll see Rebuild Status, and it has been finished rebuilding. Now try run dumped.exe, good it runs fine now. Close it now. Again, don't close LordPE yet. Step 8. Now run W32Dasm and open dumped.exe. WTF? It's not disassembled... Oh yes, PE sections in dumped.exe aren't fixed yet. Go back to LordPE, click "PE Editor", select dumped.exe. Click "Sections". Ok, wtf are we doing? On the first line you'll see like this: Name VOffset VSize ROffset RSize Flags CODE 00001000 00005000 00000400 00004A68 C0000040 You see "C0000040"? That flags means it's readable, writeable, and no executable code. Normally I use HIEW to change the flags from: 11000000 00000000 00000000 01000000 | C0000040 to 11100000 00000000 00000000 00100000 | E0000020 But within LordPE, it's easier for you. Ok, back at LordPE. RightClick and select "edit section header..." Change C0000040 to E0000020, or simply click "..." button, you'll see checkboxes. Just check the following boxes: 1. Executable as code 2. Readable 3. Writeable 4. Contains executable code Uncheck other boxes, you'll see flags changed at "Current Value". Ok, save and close LordPE. Step 9. Again run W32Dasm and open dumped.exe. Great, it's disassembled now. Now our task is to remove the messagebox, as I said, I'm not teaching you how to crack it, so we skip the "how/why" part. Now click Str.Refs button, scroll down to: "C'mon...you gotta remove this" and DoubleClick on it. Now we're at like this: * Referenced by a CALL at Address: |:004057F9 <--- we gotta goto this address... | * Possible StringData Ref from Code Obj ->"C'mon...you gotta remove this " ->"NAG!!" | :00405904 B818594000 mov eax, 00405918 :00405909 E8B2E1FFFF call 00403AC0 :0040590E C3 ret Now press Shift-F12 and type 4057F9. And we land here: :004057F9 E806010000 call 00405904 This is the address we gotta nop the call, the offset is 4BF9. Write down this address: 4057F9 on paper. Step 10. Now run HIEW and open dumped.exe, press F5, type 4BF9. Then press F3 to edit, type 9090909090, F9 to save. Close HIEW and run dumped.exe. Great, the messagebox is gone. We got OEP address, we got the address where we removed the messagebox, we used 5 bytes (90 90 90 90 90). Now our next task is to do Inline Patch finally. Step 11. Ok, go back to HIEW and open Crackme.exe. First we need space where we can insert the patch instructions in Crackme. We look around and found lots space at 40E100 (Offset: 4D00). Ok good, we have this address too. Now you remember the address where it tells ASPack the real OEP? It's at 40D3BA (Offset: 3FBA) right? Let's goto 40D3BA (press F5 and type 3FBA), we are at: .0040D3AF: 61 popad .0040D3B0: 7508 jne 00040D3BA <--- we gotta change this to JUMP to .0040D3B2: B801000000 mov eax,000000001 40E100, to do Inline Patch .0040D3B7: C20C00 retn 0000C instructions, when done patching .0040D3BA: 6800000000 push 000000000 then it goes back here at the .0040D3BF: C3 retn 40D3B7 address. Scroll up to 40D3B0, press F3, press TAB, then type: jmp 4D00, then nop 2 bytes (90 90), then F9 to save. We get like this: .0040D3AF: 61 popad .0040D3B0: E94B0D0000 jmp .00040E100 .0040D3B5: 90 nop .0040D3B6: 90 nop .0040D3B7: C20C00 retn 0000C .0040D3BA: 6800000000 push 000000000 .0040D3BF: C3 retn Step 12. Ok, good so far. Let's goto 40E100 (press F5, type 4D00), let's insert Patch Instructions. Press F3, then TAB, then type the following: mov d, [004057F9], 090909090 mov b, [004057FD], 090 push 00405A34 ret After saved with F9, we get like this: .0040E100: C705F957400090909090 mov d,[004057F9],090909090 .0040E10A: C605FD57400090 mov b,[004057FD],090 .0040E111: 68345A4000 push 000405A34 .0040E116: C3 retn Ok, lemme explain what the fuck is what: You remember we did 5 bytes to remove the messagebox? So we can only move a maximum of 4 bytes at a time, so that's why we first move 4 bytes, then finally the last 1 byte. mov d, [location], 0xxxxxxxx : d = double word = 4 bytes mov w, [location], 0xxxx : w = word = 2 bytes mov b, [location], 0xx : b = byte = 1 byte See? Good, also remember if you want to store 2 bytes into a certain location example: EB 10, you type: mov w, [location], 010EB Notice that the order of bytes is reversed, as the last byte will be stored first. Let's say for example in 7 bytes: C6 05 95 76 40 00 01, we do then: mov d, [location], 0769505C6 <--- It's better to insert 0 in front, mov w, [location], 00040 otherwise it'll be refused. mov b, [location], 001 Ok, we typed in Crackme above as we did: mov d, [004057F9], 090909090 <--- first 4 bytes mov b, [004057FD], 090 <--- last 1 byte push 00405A34 <--- we push the real OEP (remember we found OEP?) retn <--- we go back to 40D3B7. Step 13. Now close HIEW and try run Crackme....see? It runs good, we did it!! Note: I know there are few tutors on Inline Patch out there, but as you know me, I try my best to teach in easy way to learners ;) Of course the credits goto all the crackers that did in their tutorials. So I really hope this tutorial helps a lot to you learners! Also watch out for next tutorial how to do Inline Patch on ASProtect. You can sleep now, don't worry and fear! ;) Enjoy it, tKC....................tkc@reaper.org |
操作理由
RANk
{{ user_info.golds == '' ? 0 : user_info.golds }}
雪币
{{ experience }}
课程经验
{{ score }}
学习收益
{{study_duration_fmt}}
学习时长
基本信息
荣誉称号:
{{ honorary_title }}
能力排名:
No.{{ rank_num }}
等 级:
LV{{ rank_lv-100 }}
活跃值:
在线值:
浏览人数:{{ visits }}
最近活跃:{{ last_active_time }}
注册时间:{{ user_info.create_date_jsonfmt }}
勋章
兑换勋章
证书
证书查询 >
能力值