【Author】S.P.S.G
【E-mail】spsgeyro@gmail.com
【Group】Winter[CZG][D.4s]
【Homepage】http://winternight.blogchina.com/
【Tools】a self-modified OllyDbg (OD), PEiD
【OS】Windows 2003
--------------------------------------------------------------------------------
【Software】桌面篮球 (Desktop Basketball) V1.0
【Download】http://www2.skycn.com/soft/22054.html
【Size】1970 KB
【Difficulty】Easy
【Protection】SoftSentry 3.0 -> 20/20 Software
【Language】Microsoft Visual Basic 5.0 / 6.0
【Description】"Super-fun desktop basketball. Relax body and mind between work and study!" (I didn't notice any of that myself)
【Statement】
My respects to the masters who paved the way for us.
【Purpose】Having read the masters' articles, practising is the way to improve.
--------------------------------------------------------------------------------
【Process】
I haven't been in a great mood lately, so I started going after old packers, drawing on the masters' unpacking write-ups; my thanks to them in advance.
Got the software and ran it: a registration window pops up, click Cancel.
A PEiD check says SoftSentry 3.0 -> 20/20 Software, apparently an old packer I had not seen before. I recalled that fly had written an unpacking article on it long ago, so I learned as I read along.
Load it in OD; it stops here:
00429270 > 55 PUSH EBP
00429271 8BEC MOV EBP,ESP
00429273 83EC 78 SUB ESP,78
00429276 53 PUSH EBX
00429277 56 PUSH ESI
00429278 57 PUSH EDI
00429279 E9 B0060000 JMP basketba.0042992E // jumps
0042992C /EB 05 JMP SHORT basketba.00429933
0042992E ^|E9 3BFAFFFF JMP basketba.0042936E // jumps back
0042936E C745 E4 0000000>MOV DWORD PTR SS:[EBP-1C],0
00429375 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00429378 50 PUSH EAX
00429379 FF15 30414300 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA
0042937F 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
00429382 83E1 01 AND ECX,1
00429385 85C9 TEST ECX,ECX
00429387 74 0E JE SHORT basketba.00429397
00429389 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0042938C 81E2 FFFF0000 AND EDX,0FFFF
00429392 8955 88 MOV DWORD PTR SS:[EBP-78],EDX
00429395 EB 07 JMP SHORT basketba.0042939E // short hop just next door
0042939E 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
004293A1 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
004293A4 6A 00 PUSH 0
004293A6 FF15 40414300 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
004293AC 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004293AF C745 0C 0000000>MOV DWORD PTR SS:[EBP+C],0
004293B6 FF15 1C414300 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; kernel32.GetCommandLineA
004293BC 8945 10 MOV DWORD PTR SS:[EBP+10],EAX
004293BF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004293C2 894D AC MOV DWORD PTR SS:[EBP-54],ECX
004293C5 66:C705 103E430>MOV WORD PTR DS:[433E10],0
004293CE 66:C705 083B430>MOV WORD PTR DS:[433B08],0
004293D7 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
004293DB 75 13 JNZ SHORT basketba.004293F0
004293DD 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004293E0 E8 EB100000 CALL basketba.0042A4D0
004293E5 85C0 TEST EAX,EAX
004293E7 75 07 JNZ SHORT basketba.004293F0 // this packer loves these short hops next door
004293F0 68 04010000 PUSH 104
004293F5 68 7C3C4300 PUSH basketba.00433C7C
004293FA 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004293FD 52 PUSH EDX
004293FE FF15 20414300 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
00429404 85C0 TEST EAX,EAX
00429406 75 07 JNZ SHORT basketba.0042940F // keeps jumping
0042940F 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00429412 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00429415 E8 16110000 CALL basketba.0042A530
0042941A 85C0 TEST EAX,EAX
0042941C 75 1B JNZ SHORT basketba.00429439 // jumps
00429439 C745 B4 0100000>MOV DWORD PTR SS:[EBP-4C],1
00429440 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00429443 A3 1C3C4300 MOV DWORD PTR DS:[433C1C],EAX
00429448 E8 C32E0000 CALL basketba.0042C310
0042944D 85C0 TEST EAX,EAX
0042944F 0F84 28010000 JE basketba.0042957D // this jump must not be taken: NOP it out, then carry on down to find the OEP
004294D3 8915 143E4300 MOV DWORD PTR DS:[433E14],EDX
004294D9 A1 803D4300 MOV EAX,DWORD PTR DS:[433D80]
004294DE 35 000A0000 XOR EAX,0A00
004294E3 A3 803D4300 MOV DWORD PTR DS:[433D80],EAX
004294E8 8B0D 143E4300 MOV ECX,DWORD PTR DS:[433E14]
004294EE 81E1 00E00000 AND ECX,0E000
004294F4 85C9 TEST ECX,ECX
004294F6 75 1E JNZ SHORT basketba.00429516 // we land here; keep jumping
00429516 8B0D 143E4300 MOV ECX,DWORD PTR DS:[433E14]
0042951C 81E1 00000600 AND ECX,60000
00429522 85C9 TEST ECX,ECX
00429524 75 21 JNZ SHORT basketba.00429547 // jumps again
00429547 8B0D 143E4300 MOV ECX,DWORD PTR DS:[433E14]
0042954D 81E1 00002000 AND ECX,200000
00429553 85C9 TEST ECX,ECX
00429555 75 21 JNZ SHORT basketba.00429578
00429557 8B15 143E4300 MOV EDX,DWORD PTR DS:[433E14]
0042955D 81CA 00002000 OR EDX,200000
00429563 8915 143E4300 MOV DWORD PTR DS:[433E14],EDX
00429569 A1 803D4300 MOV EAX,DWORD PTR DS:[433D80]
0042956E 35 00002000 XOR EAX,200000
00429573 A3 803D4300 MOV DWORD PTR DS:[433D80],EAX
00429578 E9 1C030000 JMP basketba.00429899 // jumps yet again
00429899 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0042989C 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0042989F E8 1C010000 CALL basketba.004299C0
004298A4 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004298A7 6A 00 PUSH 0
004298A9 6A 00 PUSH 0
004298AB 6A 10 PUSH 10
004298AD A1 383C4300 MOV EAX,DWORD PTR DS:[433C38]
004298B2 50 PUSH EAX
004298B3 FF15 08424300 CALL DWORD PTR DS:[<&USER32.SendMessageA>; USER32.SendMessageA
004298B9 833D 0C3E4300 0>CMP DWORD PTR DS:[433E0C],2
004298C0 74 4F JE SHORT basketba.00429911
004298C2 837D B4 01 CMP DWORD PTR SS:[EBP-4C],1
004298C6 75 49 JNZ SHORT basketba.00429911
004298C8 33C9 XOR ECX,ECX
004298CA 66:8B0D 103E430>MOV CX,WORD PTR DS:[433E10]
004298D1 85C9 TEST ECX,ECX
004298D3 74 3C JE SHORT basketba.00429911
004298D5 33D2 XOR EDX,EDX
004298D7 66:8B15 743C430>MOV DX,WORD PTR DS:[433C74]
004298DE 81FA 05800000 CMP EDX,8005
004298E4 74 2B JE SHORT basketba.00429911
004298E6 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004298E9 50 PUSH EAX
004298EA 68 88024300 PUSH basketba.00430288 ;
004298EF FF15 98414300 CALL DWORD PTR DS:[<&USER32.UnregisterCl>; // take note of this spot
004298F5 33C9 XOR ECX,ECX
004298F7 66:8B0D 9802430>MOV CX,WORD PTR DS:[430298]
004298FE 85C9 TEST ECX,ECX
00429900 74 0F JE SHORT basketba.00429911
00429902 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00429905 52 PUSH EDX
00429906 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00429909 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0042990C E8 2F000000 CALL basketba.00429940 // follow into this call (F7)
0042995B 33F0 XOR ESI,EAX ; // once inside, F4 straight down to here, otherwise an exception is raised
(Strange that fly got here without any exception; maybe the packer checks the name and, on seeing "fly", ... a little flattery there ^_^)
0042995D 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00429961 33F2 XOR ESI,EDX
00429963 03F0 ADD ESI,EAX ; // ESI now holds the OEP value
00429984 83FA 14 CMP EDX,14
00429987 ^ 7C E0 JL SHORT basketba.00429969
00429989 8B0F MOV ECX,DWORD PTR DS:[EDI] ; basketba.00436E64 // F4 here to drop straight out of the loop
0042998B E8 B03A0000 CALL basketba.0042D440
00429990 C707 00000000 MOV DWORD PTR DS:[EDI],0
00429996 66:833D 103E430>CMP WORD PTR DS:[433E10],0
0042999E 74 0C JE SHORT basketba.004299AC
004299A0 66:833D 9A02430>CMP WORD PTR DS:[43029A],0
004299A8 74 02 JE SHORT basketba.004299AC
004299AA FFD6 CALL ESI // F7 into this call and you are ready to dump
00401088 . 68 64 70 40 0>ASCII "hdp@",0 // this odd-looking spot is the OEP; dump here (OD has not analysed it yet, so the bytes 68 64 70 40 00 show as a string rather than as PUSH 00407064)
0040108D E8 DB E8
0040108E F0 DB F0
0040108F FF DB FF
00401090 FF DB FF
00401091 FF DB FF
Save the dump, repair it with Imprec (ImportREC), run it again: no registration prompt, done.
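As an added example (not code from the original post or from fly's article), a small PE header check a practitioner can run on a dump before and after repair, to confirm that AddressOfEntryPoint now lands in a compiler-emitted code section rather than a packer stub. The headers below are constructed samples: the image base 0x400000 (so that 00429270 and 00401088 become RVAs 0x29270 and 0x1088), the section names and the section layout are assumptions, not values taken from the game's binary.

```python
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_WRITE = 0x00000020, 0x80000000

def build_pe(entry_rva, sections, image_base=0x400000):
    """Constructed PE32 header (DOS stub, NT headers, section table) for offline tests; no code bytes follow."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase (assumed 0x400000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)             # (name, VirtualAddress, VirtualSize, Characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def entry_section(data):
    """Return (index, name, characteristics, section_count) of the section holding AddressOfEntryPoint."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    for i in range(nsec):
        off = opt + opt_size + 40 * i                           # section headers follow the optional header
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            return i, name, struct.unpack_from("<I", data, off + 36)[0], nsec
    raise ValueError("entry point RVA 0x%X lies outside every section" % entry_rva)

def packed_indicators(data):
    """Cheap triage: signs that the entry point sits in a packer stub rather than compiler-emitted code."""
    idx, name, chars, nsec = entry_section(data)
    flags = []
    if not chars & IMAGE_SCN_CNT_CODE:
        flags.append("entry section %r is not flagged as code" % name)
    if chars & IMAGE_SCN_MEM_WRITE:
        flags.append("entry section %r is writable" % name)
    if nsec > 1 and idx == nsec - 1:
        flags.append("entry point is in the last section %r" % name)
    return flags

# Constructed samples (assumed layout): a stub-style entry in a writable last section, and the repaired dump.
PACKED_SAMPLE = build_pe(0x29270, [(".text", 0x1000, 0x20000, 0x60000020), (".pack", 0x21000, 0x10000, 0xE0000020)])
UNPACKED_SAMPLE = build_pe(0x1088, [(".text", 0x1000, 0x20000, 0x60000020), (".data", 0x21000, 0x3000, 0xC0000040)])
```

Running `packed_indicators` on a real dump only needs the file read as bytes; an empty list means the entry point looks like ordinary compiler output, which is what you expect after the OEP fix and import repair.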
--------------------------------------------------------------------------------
【Summary】
To sum up: many people, on seeing an unfamiliar packer, post all over the forums asking for help, when a bit more searching would often turn up an earlier article; the time spent posting is better spent searching.
That completes the rework of this program. I couldn't be bothered to look at the algorithm; interested readers can study the masters' articles and dig in themselves. I've been in a bad mood lately, sigh.
Valentine's Day 2005, raining in Shanghai, the sky still heavy with clouds; when will the spring that belongs to me finally come?
--------------------------------------------------------------------------------
【Copyright】When reposting, please credit the author and keep the article intact. Thanks.
Attachment: Cr-basketball.rar