-
-
[旧帖] (邀请码已发)[原创]心情***日记的脱壳与破解(答<问答区一位提问者> 0.00雪花
-
发表于: 2009-12-15 12:21
-
PEid 查壳为PECompact 2.x -> Jeremy Collake (求一个邀请码)
OD载入 第一次单步走进入系统领空,alt+f9返回
向下找 jmp eax 下F2断点,
00654524 5B pop ebx
00654525 5D pop ebp
00654526 FFE0 jmp eax ; F2下断 后F9运行
00654528 0000 add byte ptr ds:[eax],al
0065452A 0000 add byte ptr ds:[eax],al
重新加载 F9运行,在00654526 FFE0 jmp eax 断下
然后单步到OEP
0059A710 55 push ebp
0059A711 8BEC mov ebp,esp
0059A713 83C4 F0 add esp,-10
0059A716 53 push ebx
0059A717 B8 D89E5900 mov eax,mydiary.00599ED8
0059A71C E8 2BCAE6FF call mydiary.0040714C
0059A721 8B1D 2CED5900 mov ebx,dword ptr ds:[59ED2C] ; mydiary.005A0BF4
0059A727 8B03 mov eax,dword ptr ds:[ebx]
0059A729 BA 04A85900 mov edx,mydiary.0059A804
0059A72E E8 B136EFFF call mydiary.0048DDE4
0059A733 8B03 mov eax,dword ptr ds:[ebx]
脱壳成功
试运行脱壳文件,注册,注册文件是Mydiary.Keyfile
下文件操作有关的断点发现为CreateFileA
于是搜索--所有模块间的调用 对调用CreateFile的Call使用下断
第三次断下时
004034BA 50 push eax
004034BB E8 60DEFFFF call <jmp.&kernel32.#80> ; 读取注册文件
004034C0 83F8 FF cmp eax,-1
004034C3 74 24 je short UNpack_.004034E9
004034C5 8903 mov dword ptr ds:[ebx],eax
下面一段注册码的算法,汇编不太好,没想研究算法,只想爆破
下面一路单步
00590A01 8B95 E8FCFFFF mov edx,dword ptr ss:[ebp-318]
00590A07 58 pop eax
00590A08 E8 BF44E7FF call UNpack_.00404ECC ; 到达这儿(eax,edx中就是注册码)
00590A0D 75 76 jnz short UNpack_.00590A85
00590A0F 807D D8 01 cmp byte ptr ss:[ebp-28],1
00590A13 75 36 jnz short UNpack_.00590A4B
00590A15 B8 E4125900 mov eax,UNpack_.005912E4
进入 00590A08
00404ECC 53 push ebx
00404ECD 56 push esi
00404ECE 57 push edi
00404ECF 89C6 mov esi,eax
00404ED1 89D7 mov edi,edx
00404ED3 39D0 cmp eax,edx
00404ED5 0F84 8F000000 je UNpack_.00404F6A ;改成JMP就爆破成功,其他功能未试
00404EDB 85F6 test esi,esi
00404EDD 74 68 je short UNpack_.00404F47
00404EDF 85FF test edi,edi
00404EE1 74 6B je short UNpack_.00404F4E
00404EE3 8B46 FC mov eax,dword ptr ds:[esi-4]
00404EE6 8B57 FC mov edx,dword ptr ds:[edi-4]
00404EE9 29D0 sub eax,edx
00404EEB 77 02 ja short UNpack_.00404EEF
00404EED 01C2 add edx,eax
00404EEF 52 push edx
00404EF0 C1EA 02 shr edx,2
00404EF3 74 26 je short UNpack_.00404F1B
00404EF5 8B0E mov ecx,dword ptr ds:[esi]
00404EF7 8B1F mov ebx,dword ptr ds:[edi]
00404EF9 39D9 cmp ecx,ebx
00404EFB 75 58 jnz short UNpack_.00404F55
00404EFD 4A dec edx
00404EFE 74 15 je short UNpack_.00404F15
00404F00 8B4E 04 mov ecx,dword ptr ds:[esi+4]
00404F03 8B5F 04 mov ebx,dword ptr ds:[edi+4]
00404F06 39D9 cmp ecx,ebx
00404F08 75 4B jnz short UNpack_.00404F55
00404F0A 83C6 08 add esi,8
00404F0D 83C7 08 add edi,8
00404F10 4A dec edx
00404F11 ^ 75 E2 jnz short UNpack_.00404EF5
00404F13 EB 06 jmp short UNpack_.00404F1B
00404F15 83C6 04 add esi,4
00404F18 83C7 04 add edi,4
00404F1B 5A pop edx
00404F1C 83E2 03 and edx,3
00404F1F 74 22 je short UNpack_.00404F43
00404F21 8B0E mov ecx,dword ptr ds:[esi]
00404F23 8B1F mov ebx,dword ptr ds:[edi]
00404F25 38D9 cmp cl,bl
00404F27 75 41 jnz short UNpack_.00404F6A
00404F29 4A dec edx
00404F2A 74 17 je short UNpack_.00404F43
00404F2C 38FD cmp ch,bh
00404F2E 75 3A jnz short UNpack_.00404F6A
00404F30 4A dec edx
00404F31 74 10 je short UNpack_.00404F43
00404F33 81E3 0000FF00 and ebx,0FF0000
00404F39 81E1 0000FF00 and ecx,0FF0000
00404F3F 39D9 cmp ecx,ebx
00404F41 75 27 jnz short UNpack_.00404F6A
00404F43 01C0 add eax,eax
00404F45 EB 23 jmp short UNpack_.00404F6A
00404F47 8B57 FC mov edx,dword ptr ds:[edi-4]
00404F4A 29D0 sub eax,edx
00404F4C EB 1C jmp short UNpack_.00404F6A
00404F4E 8B46 FC mov eax,dword ptr ds:[esi-4]
00404F51 29D0 sub eax,edx
00404F53 EB 15 jmp short UNpack_.00404F6A
00404F55 5A pop edx
00404F56 38D9 cmp cl,bl
00404F58 75 10 jnz short UNpack_.00404F6A
00404F5A 38FD cmp ch,bh
00404F5C 75 0C jnz short UNpack_.00404F6A
00404F5E C1E9 10 shr ecx,10
00404F61 C1EB 10 shr ebx,10
00404F64 38D9 cmp cl,bl
00404F66 75 02 jnz short UNpack_.00404F6A
00404F68 38FD cmp ch,bh
00404F6A 5F pop edi
00404F6B 5E pop esi
00404F6C 5B pop ebx
00404F6D C3 retn
出来后才发现原来进入call之前,eax,edx是的值就是注册码
成功
第一步自己手脱,破解重启验证成功
回答别人的问题,后来贴子找不到了
OD载入 第一次单步走进入系统领空,alt+f9返回
向下找 jmp eax 下F2断点,
00654524 5B pop ebx
00654525 5D pop ebp
00654526 FFE0 jmp eax ; F2下断 后F9运行
00654528 0000 add byte ptr ds:[eax],al
0065452A 0000 add byte ptr ds:[eax],al
重新加载 F9运行,在00654526 FFE0 jmp eax 断下
然后单步到OEP
0059A710 55 push ebp
0059A711 8BEC mov ebp,esp
0059A713 83C4 F0 add esp,-10
0059A716 53 push ebx
0059A717 B8 D89E5900 mov eax,mydiary.00599ED8
0059A71C E8 2BCAE6FF call mydiary.0040714C
0059A721 8B1D 2CED5900 mov ebx,dword ptr ds:[59ED2C] ; mydiary.005A0BF4
0059A727 8B03 mov eax,dword ptr ds:[ebx]
0059A729 BA 04A85900 mov edx,mydiary.0059A804
0059A72E E8 B136EFFF call mydiary.0048DDE4
0059A733 8B03 mov eax,dword ptr ds:[ebx]
脱壳成功
试运行脱壳文件,注册,注册文件是Mydiary.Keyfile
下文件操作有关的断点发现为CreateFileA
于是搜索--所有模块间的调用 对调用CreateFile的Call使用下断
第三次断下时
004034BA 50 push eax
004034BB E8 60DEFFFF call <jmp.&kernel32.#80> ; 读取注册文件
004034C0 83F8 FF cmp eax,-1
004034C3 74 24 je short UNpack_.004034E9
004034C5 8903 mov dword ptr ds:[ebx],eax
下面一段注册码的算法,汇编不太好,没想研究算法,只想爆破
下面一路单步
00590A01 8B95 E8FCFFFF mov edx,dword ptr ss:[ebp-318]
00590A07 58 pop eax
00590A08 E8 BF44E7FF call UNpack_.00404ECC ; 到达这儿(eax,edx中就是注册码)
00590A0D 75 76 jnz short UNpack_.00590A85
00590A0F 807D D8 01 cmp byte ptr ss:[ebp-28],1
00590A13 75 36 jnz short UNpack_.00590A4B
00590A15 B8 E4125900 mov eax,UNpack_.005912E4
进入 00590A08
00404ECC 53 push ebx
00404ECD 56 push esi
00404ECE 57 push edi
00404ECF 89C6 mov esi,eax
00404ED1 89D7 mov edi,edx
00404ED3 39D0 cmp eax,edx
00404ED5 0F84 8F000000 je UNpack_.00404F6A ;改成JMP就爆破成功,其他功能未试
00404EDB 85F6 test esi,esi
00404EDD 74 68 je short UNpack_.00404F47
00404EDF 85FF test edi,edi
00404EE1 74 6B je short UNpack_.00404F4E
00404EE3 8B46 FC mov eax,dword ptr ds:[esi-4]
00404EE6 8B57 FC mov edx,dword ptr ds:[edi-4]
00404EE9 29D0 sub eax,edx
00404EEB 77 02 ja short UNpack_.00404EEF
00404EED 01C2 add edx,eax
00404EEF 52 push edx
00404EF0 C1EA 02 shr edx,2
00404EF3 74 26 je short UNpack_.00404F1B
00404EF5 8B0E mov ecx,dword ptr ds:[esi]
00404EF7 8B1F mov ebx,dword ptr ds:[edi]
00404EF9 39D9 cmp ecx,ebx
00404EFB 75 58 jnz short UNpack_.00404F55
00404EFD 4A dec edx
00404EFE 74 15 je short UNpack_.00404F15
00404F00 8B4E 04 mov ecx,dword ptr ds:[esi+4]
00404F03 8B5F 04 mov ebx,dword ptr ds:[edi+4]
00404F06 39D9 cmp ecx,ebx
00404F08 75 4B jnz short UNpack_.00404F55
00404F0A 83C6 08 add esi,8
00404F0D 83C7 08 add edi,8
00404F10 4A dec edx
00404F11 ^ 75 E2 jnz short UNpack_.00404EF5
00404F13 EB 06 jmp short UNpack_.00404F1B
00404F15 83C6 04 add esi,4
00404F18 83C7 04 add edi,4
00404F1B 5A pop edx
00404F1C 83E2 03 and edx,3
00404F1F 74 22 je short UNpack_.00404F43
00404F21 8B0E mov ecx,dword ptr ds:[esi]
00404F23 8B1F mov ebx,dword ptr ds:[edi]
00404F25 38D9 cmp cl,bl
00404F27 75 41 jnz short UNpack_.00404F6A
00404F29 4A dec edx
00404F2A 74 17 je short UNpack_.00404F43
00404F2C 38FD cmp ch,bh
00404F2E 75 3A jnz short UNpack_.00404F6A
00404F30 4A dec edx
00404F31 74 10 je short UNpack_.00404F43
00404F33 81E3 0000FF00 and ebx,0FF0000
00404F39 81E1 0000FF00 and ecx,0FF0000
00404F3F 39D9 cmp ecx,ebx
00404F41 75 27 jnz short UNpack_.00404F6A
00404F43 01C0 add eax,eax
00404F45 EB 23 jmp short UNpack_.00404F6A
00404F47 8B57 FC mov edx,dword ptr ds:[edi-4]
00404F4A 29D0 sub eax,edx
00404F4C EB 1C jmp short UNpack_.00404F6A
00404F4E 8B46 FC mov eax,dword ptr ds:[esi-4]
00404F51 29D0 sub eax,edx
00404F53 EB 15 jmp short UNpack_.00404F6A
00404F55 5A pop edx
00404F56 38D9 cmp cl,bl
00404F58 75 10 jnz short UNpack_.00404F6A
00404F5A 38FD cmp ch,bh
00404F5C 75 0C jnz short UNpack_.00404F6A
00404F5E C1E9 10 shr ecx,10
00404F61 C1EB 10 shr ebx,10
00404F64 38D9 cmp cl,bl
00404F66 75 02 jnz short UNpack_.00404F6A
00404F68 38FD cmp ch,bh
00404F6A 5F pop edi
00404F6B 5E pop esi
00404F6C 5B pop ebx
00404F6D C3 retn
出来后才发现原来进入call之前,eax,edx是的值就是注册码
成功
第一步自己手脱,破解重启验证成功
回答别人的问题,后来贴子找不到了
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
晕,
转?可能吗,我不会打肿充胖子的,请对我劳动尊重,谢谢 |
|
|
|
|
|
|
|
|
|
