How to unpack MoleBox-bundled files: unpacking and cracking the MoleBox Pro V2.3.3 main program
Download page: http://www.molebox.com/
Size: 929 KB
Description: MoleBox is a runtime exe packer for Windows applications. It bundles the executable together with the DLL and data files into a single EXE file, without losing the ability to run the application. MoleBox compresses and encrypts all the application files. With MoleBox you can protect your application's data and media files from viewing and modification, and your DLLs from use by third-party programs. Moleboxing does not affect the original application's functionality in any way, nor does it require any additional coding. Unpacking and decryption (if required) are performed automatically and transparently for the application. The packed program runs without extracting files to disk.
[Author's note]: This is purely out of interest, with no other purpose. Corrections from the experts are welcome.
[Debugging environment]: WinXP, OllyDBG, PEiD, LordPE, ImportREC
―――――――――――――――――――――――――――――――――
[Unpacking process]:
The main program of MoleBox Pro V2.3.3, mbox2w.exe, is packed on the outside with ASProtect V2.0x Registered, but inside it is still the MoleBox bundle packer, so when unpacking we can ignore the outer ASProtect and deal directly with the inner MoleBox.
[MoleBox V2.3X -> MoleStudio.com]
signature = E8 00 00 00 00 60 E8 4F 00 00 00
ep_only = true
―――――――――――――――――――――――――――――――――
I. Which files does MoleBox bundle?
Set OllyDBG to ignore all exceptions. Use the IsDebug plugin to hide OllyDBG's debugger flag.
00401000 68 01404400 push 444001
// OllyDBG pauses here after loading
00401005 E8 01000000 call 0040100B
0040100A C3 retn
0040100B C3 retn
Set a breakpoint: BP GetFileTime, then Shift+F9; after it breaks, remove the breakpoint and Alt+F9 to return
00432061 FF15 C4F44300 call dword ptr ds:[43F4C4] ; kernel32.GetFileTime
00432067 C745 B8 0000000>mov dword ptr ss:[ebp-48],0
0043206E EB 09 jmp short 00432079
00432070 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
00432073 83C1 01 add ecx,1
00432076 894D B8 mov dword ptr ss:[ebp-48],ecx
00432079 8B55 B8 mov edx,dword ptr ss:[ebp-48]
0043207C 3B55 AC cmp edx,dword ptr ss:[ebp-54]
// [ebp-54]=5, the number of bundled files
0043207F 0F83 E3000000 jnb 00432168
00432085 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00432088 C1E0 04 shl eax,4
0043208B 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0043208E 8B51 04 mov edx,dword ptr ds:[ecx+4]
00432091 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
// [ebp-20]=[0012FBE0]=00BB2F00; the bundled file names are visible in the data window
00BB2F00 6D 62 6F 78 32 5F 62 6C 61 63 6B 6C 69 73 74 2E mbox2_blacklist.
00BB2F10 74 78 74 00 6D 62 6F 78 32 5F 62 6F 6F 74 75 70 txt.mbox2_bootup
00BB2F20 44 62 67 4C 74 44 65 6D 6F 00 6D 62 6F 78 32 5F DbgLtDemo.mbox2_
00BB2F30 62 6F 6F 74 75 70 4C 74 44 65 6D 6F 00 4D 53 6B bootupLtDemo.MSk
00BB2F40 69 6E 43 6F 72 65 2E 64 6C 6C 00 6D 73 76 63 70 inCore.dll.msvcp
00BB2F50 36 30 2E 64 6C 6C 60.dll
―――――――――――――――――――――――――――――――――
II. Unpacking the main program mbox2w.exe
Ctrl+S and search for the following command sequence:
mov eax,dword ptr ss:[ebp-10]
add eax,dword ptr ds:[edx+8]
mov dword ptr ss:[ebp-8],eax
Found at 00432B36; set a breakpoint there, Shift+F9, and remove the breakpoint after it breaks
00432B26 E8 65000000 call 00432B90
// decompresses the main program
00432B2B E9 4DFFFFFF jmp 00432A7D
00432B30 8B15 44F44300 mov edx,dword ptr ds:[43F444]
//[0043F444]=00BB1F20
// [00BB1F20]=0041C46E ★ OEP of mbox2w.exe
00432B36 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; mbox2w.00400000
// breaks here
00432B39 0342 08 add eax,dword ptr ds:[edx+8]
// [edx+8]=[00BB1F28]=00022488 ★ Import Table RVA of mbox2w.exe
00432B3C 8945 F8 mov dword ptr ss:[ebp-8],eax
00432B3F C705 78F64300 0>mov dword ptr ds:[43F678],0
00432B49 6A 00 push 0
00432B4B 68 84EA4300 push 43EA84 ; ASCII "EXECUTABLE"
00432B50 8B0D 74F64300 mov ecx,dword ptr ds:[43F674] ; mbox2w.00400100
00432B56 51 push ecx
00432B57 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00432B5A 52 push edx
00432B5B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00432B5E 50 push eax
00432B5F E8 4CFCFFFF call 004327B0
00432B64 83C4 14 add esp,14
00432B67 68 C4EA4300 push 43EAC4 ; ASCII "imm32.dll"
00432B6C FF15 D8F44300 call dword ptr ds:[43F4D8] ; kernel32.GetModuleHandleA
00432B72 8945 EC mov dword ptr ss:[ebp-14],eax
00432B75 837D EC 00 cmp dword ptr ss:[ebp-14],0
00432B79 74 0E je short 00432B89 ; 00432B89
00432B7B 68 C4EA4300 push 43EAC4 ; ASCII "imm32.dll"
00432B80 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00432B83 51 push ecx
00432B84 E8 F7010000 call 00432D80 ; 00432D80
00432B89 8BE5 mov esp,ebp
00432B8B 5D pop ebp
00432B8C C3 retn
// set a breakpoint here; once the stub has finished, it heads for the OEP
When we stop at 00432B39, the code of mbox2w.exe is already decompressed; run LordPE and do a full dump of this process.
Use LordPE to fix the Import Table RVA of dumped.exe to 00022488. You will find two non-system DLLs in the import table: MSkinCore.dll and MSVCP60.dll. These are exactly the bundled files; next we find a way to "pull out" these two hidden things.
―――――――――――――――――――――――――――――――――
III. Come out: MSVCP60.dll + MSkinCore.dll
BP GetCurrentProcessId; after it breaks, remove the breakpoint and set the next one
BP CreateFileA; after it breaks, remove the breakpoint and look at the stack
0012FB64 004345A6 /CALL 到 CreateFileA 来自 mbox2w.004345A0
0012FB68 00BB3A78 |FileName = "D:\DOCUME~1\FLY\LOCALS~1\TEMP\MBX@89C@BB31A0.###"
0012FB6C 40000000 |Access = GENERIC_WRITE
0012FB70 00000000 |ShareMode = 0
0012FB74 00000000 |pSecurity = NULL
0012FB78 00000002 |Mode = CREATE_ALWAYS
0012FB7C 00000000 |Attributes = 0
0012FB80 00000000 \hTemplateFile = NULL
0012FB84 00BB37E0
0012FB88 0042C83E mbox2w.0042C83E
0012FB8C 00400000 mbox2w.00400000
0012FB90 0012FBCC
0012FB94 00000000
0012FB98 00000006
0012FB9C 0012FC04
0012FBA0 77D1A1D3 返回到 USER32.77D1A1D3 来自 USER32.77D1A270
0012FBA4 00000000
0012FBA8 00CF38EA ASCII "MSVCP60.dll"
See the "MSVCP60.dll" at 0012FBA8? Right, the file being created is actually MSVCP60.dll; MoleBox tries to confuse things by giving it an arbitrary name. That won't do: edit the file name directly in the data window and make MoleBox honestly create MSVCP60.dll.
0012FB68 00BB3A78 FileName = "D:\DOCUME~1\FLY\LOCALS~1\TEMP\MSVCP60.dll"
004345A0 FF15 68F44300 call dword ptr ds:[43F468] ; kernel32.CreateFileA
004345A6 8945 B4 mov dword ptr ss:[ebp-4C],eax
// returns here
004345A9 837D B4 FF cmp dword ptr ss:[ebp-4C],-1
004345AD 75 0A jnz short 004345B9
004345AF B9 110000EF mov ecx,EF000011
004345B4 E8 BE0F0000 call 00435577
004345B9 6A 00 push 0
004345BB 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004345C1 50 push eax
004345C2 FF75 D0 push dword ptr ss:[ebp-30]
004345C5 FF75 E4 push dword ptr ss:[ebp-1C]
004345C8 FF75 B4 push dword ptr ss:[ebp-4C]
004345CB FF15 7CF54300 call dword ptr ds:[43F57C] ; kernel32.WriteFile
004345D1 837D D8 00 cmp dword ptr ss:[ebp-28],0
004345D5 74 18 je short 004345EF
004345D7 6A 00 push 0
004345D9 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004345DF 50 push eax
004345E0 FF75 D4 push dword ptr ss:[ebp-2C]
004345E3 FF75 D8 push dword ptr ss:[ebp-28]
004345E6 FF75 B4 push dword ptr ss:[ebp-4C]
004345E9 FF15 7CF54300 call dword ptr ds:[43F57C] ; kernel32.WriteFile
004345EF 6A 00 push 0
004345F1 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004345F7 50 push eax
004345F8 68 00020000 push 200
004345FD FF75 B8 push dword ptr ss:[ebp-48]
00434600 FF75 B4 push dword ptr ss:[ebp-4C]
00434603 FF15 7CF54300 call dword ptr ds:[43F57C] ; kernel32.WriteFile
00434609 FF75 B4 push dword ptr ss:[ebp-4C]
0043460C FF15 98F44300 call dword ptr ds:[43F498] ; kernel32.FlushFileBuffers
00434612 FF75 B4 push dword ptr ss:[ebp-4C]
00434615 FF15 64F44300 call dword ptr ds:[43F464] ; kernel32.CloseHandle
0043461B C705 8CF64300 0>mov dword ptr ds:[43F68C],1
00434625 FF75 DC push dword ptr ss:[ebp-24]
00434628 FF15 1CF54300 call dword ptr ds:[43F51C] ; kernel32.LoadLibraryA
// loads this DLL; this is the one we want to grab
0043462E 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
00434634 83BD 50FFFFFF 0>cmp dword ptr ss:[ebp-B0],0
0043463B 75 24 jnz short 00434661
When you reach 00434628, BP GetSystemTimeAsFileTime; after it breaks twice, remove the breakpoint
0042FAF9 FF15 ECF44300 call dword ptr ds:[43F4EC] ; kernel32.GetSystemTimeAsFileTime
0042FAFF 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
// returns here; [ebp-3C]=00C000A0
00C000A0 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?......?..
00C000B0 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00C000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C000D0 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
00C000E0 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
00C000F0 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00C00100 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00C00110 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00C00120 F5 7E EE 54 B1 1F 80 07 B1 1F 80 07 B1 1F 80 07 觜钤??????
00C00130 D3 00 93 07 B3 1F 80 07 32 03 8E 07 B3 1F 80 07 ????2???
00C00140 B1 1F 81 07 E6 1F 80 07 DE 00 8B 07 A3 1F 80 07 ????????
00C00150 DE 00 8A 07 95 1F 80 07 09 19 86 07 B0 1F 80 07 ????.???
00C00160 DE 00 84 07 B5 1F 80 07 52 69 63 68 B1 1F 80 07 ????Rich??
00C00170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00180 50 45 00 00 4C 01 05 00 20 8E AB 39 00 00 00 00 PE..L. ?9....
00C00190 00 00 00 00 E0 00 0E 21 0B 01 06 00 00 A0 02 00 ....?!..?.
00C001A0 00 60 03 00 00 00 00 00 00 10 00 00 00 10 00 00 .`...........
00C001B0 00 C0 02 00 00 00 0C 78 00 10 00 00 00 10 00 00 .?....x......
00C001C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ..............
00C001D0 00 10 06 00 00 10 00 00 00 00 00 00 02 00 00 00 ............
00C001E0 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ............
00C001F0 00 00 00 00 10 00 00 00 90 38 03 00 44 60 02 00 .......?.D`.
00C00200 80 99 05 00 56 00 00 00 00 D0 05 00 A8 03 00 00 ?.V....?.?..
00C00210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00220 00 E0 05 00 F0 2C 00 00 00 00 00 00 00 00 00 00 .?.?..........
00C00230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C00270 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
00C00280 BC 9B 02 00 00 10 00 00 00 A0 02 00 00 20 00 00 ?.....?.. ..
00C00290 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00C002A0 2E 72 64 61 74 61 00 00 30 F0 02 00 00 B0 02 00 .rdata..0?..?.
00C002B0 00 00 03 00 00 C0 02 00 00 00 00 00 00 00 00 00 ....?.........
00C002C0 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ....@..@.data...
00C002D0 88 17 00 00 00 B0 05 00 00 20 00 00 00 C0 05 00 ?...?.. ...?.
00C002E0 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ............@..
Clearly this is the PE header of a file; save this PE header data as 1.bin
BP GetModuleHandleA; after it breaks, remove the breakpoint
0012F2D4 004375D8 /CALL 到 GetModuleHandleA 来自 mbox2w.004375D2
0012F2D8 781199C8 \pModule = "KERNEL32.DLL"
MSVCP60.dll is now starting to process its import table.
Use LordPE to dump MSVCP60.dll from the mbox2w.exe process and save it as MSVCP60_Dump.dll
Overwrite the PE header of MSVCP60_Dump.dll with the PE header data obtained above
Use PEditor to dumpfix MSVCP60_Dump.dll (RS=VS & RO=VO)
OK, the OEP RVA, Import Table RVA and Relocation RVA of MSVCP60_Dump.dll are now all repaired
Also: if you are still unsure which file this is, look at the NameString in its export table: MSVCP60.dll
Repeat the procedure above once more and we obtain the unpacked version of the other bundled file: MSkinCore.dll
―――――――――――――――――――――――――――――――――
IV. Fly to the summit of light
Remember the breakpoint we set at 00432B8C? After obtaining the two bundled files, Shift+F9 and we break at 00432B8C
0042CF6B 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; mbox2w.0041C46E
// 00432B8C returns here
0042CF6E 894D 08 mov dword ptr ss:[ebp+8],ecx
0042CF71 33C0 xor eax,eax
0042CF73 5F pop edi
0042CF74 5E pop esi
0042CF75 5B pop ebx
0042CF76 8BE5 mov esp,ebp
0042CF78 5D pop ebp
0042CF79 C3 retn
0042C3CB 58 pop eax
0042C3CC 894424 20 mov dword ptr ss:[esp+20],eax
0042C3D0 61 popad
0042C3D1 58 pop eax
0042C3D2 FFD0 call eax ; mbox2w.0041C46E
// fly to the summit of light
0041C46E 55 push ebp
// OEP
0041C46F 8BEC mov ebp,esp
0041C471 6A FF push -1
0041C473 68 D8034200 push 4203D8
0041C478 68 24C64100 push 41C624 ; jmp to msvcrt._except_handler3
0041C47D 64:A1 00000000 mov eax,dword ptr fs:[0]
0041C483 50 push eax
0041C484 64:8925 0000000>mov dword ptr fs:[0],esp
0041C48B 83EC 68 sub esp,68
0041C48E 53 push ebx
0041C48F 56 push esi
0041C490 57 push edi
0041C491 8965 E8 mov dword ptr ss:[ebp-18],esp
0041C494 33DB xor ebx,ebx
0041C496 895D FC mov dword ptr ss:[ebp-4],ebx
0041C499 6A 02 push 2
0041C49B FF15 48014200 call dword ptr ds:[420148] ; msvcrt.__set_app_type
Use LordPE to fix the OEP RVA of dumped.exe to 0001C46E
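As an added example (not the article's own tooling; it reproduces what the author does by hand in LordPE and PEditor in sections II to IV), the script below reads and repairs the PE header of a raw process dump: it sets the OEP RVA and Import Table RVA and applies dumpfix (RS=VS & RO=VO) to every section. The sample dump is constructed, and setting FileAlignment to SectionAlignment is an assumption about what a file laid out at memory alignment needs, not something the page states.

```python
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def _headers(img):
    """Return (optional-header offset, section-table offset, section count)."""
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", img, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", img, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec

def pe_info(img):
    """The values LordPE/PEditor display: OEP RVA, Import Table RVA and the section table."""
    opt, sec, nsec = _headers(img)
    oep, = struct.unpack_from("<I", img, opt + 16)       # AddressOfEntryPoint
    imp, = struct.unpack_from("<I", img, opt + 96 + 8)   # DataDirectory[IMPORT].VirtualAddress
    sections = []
    for i in range(nsec):
        off = sec + i * SECTION_HDR
        name = img[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vs, va, rs, ro = struct.unpack_from("<4I", img, off + 8)
        sections.append((name, vs, va, rs, ro))
    return {"oep": oep, "import_rva": imp, "sections": sections}

def fix_dump(img, oep_rva, import_rva):
    """The three repairs the page performs on a raw dump: set the OEP RVA, set the
    Import Table RVA, and dumpfix each section (RawSize=VirtualSize, RawOffset=VirtualAddress)."""
    out = bytearray(img)
    opt, sec, nsec = _headers(out)
    struct.pack_into("<I", out, opt + 16, oep_rva)
    struct.pack_into("<I", out, opt + 96 + 8, import_rva)
    sec_align, = struct.unpack_from("<I", out, opt + 32)
    struct.pack_into("<I", out, opt + 36, sec_align)  # FileAlignment := SectionAlignment (assumed: dump is laid out in memory order)
    for i in range(nsec):
        off = sec + i * SECTION_HDR
        vs, va = struct.unpack_from("<II", out, off + 8)
        struct.pack_into("<II", out, off + 16, vs, va)   # SizeOfRawData, PointerToRawData
    return bytes(out)

def build_sample_dump():
    """Constructed stand-in for dumped.exe (not the page's bytes): a PE32 header with two
    sections whose raw size/offset are still the on-disk ones, so the dump would not load."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # stale entry point left by the packer
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    hdr += opt
    for name, vs, va, rs, ro in ((b".text", 0x1C000, 0x1000, 0x1B000, 0x400),
                                 (b".rdata", 0x5000, 0x1D000, 0x4800, 0x1B400)):
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, ro, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr)
```

Calling fix_dump(build_sample_dump(), 0x1C46E, 0x22488) yields a header whose section table reads the way PEditor shows it after dumpfix.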
―――――――――――――――――――――――――――――――――
V. How much code did MoleBox replace?
But running dumped.exe fails. Tracing dumped.exe without ignoring memory exceptions shows that it still needs to access the packer's code
004175F9 68 00006200 push 620000
004175FE E8 3B520100 call 0042C83E
// accesses packer code
Search for all occurrences of this command; there are quite a few:
Address  Disassembly
0040253A call 0042C83E
00405DAD call 0042C83E
00405E4C call 0042C83E
00407738 call 0042C83E
004095F3 call 0042C83E
0040B076 call 0042C83E
0040B0B0 call 0042C83E
0040B0CD call 0042C83E
0040B177 call 0042C83E
0040B19B call 0042C83E
0040BE59 call 0042C83E
0040BE86 call 0042C83E
0040BEB0 call 0042C83E
0040BED3 call 0042C83E
0040E791 call 0042C83E
0040E7CF call 0042C83E
0040FAE9 call 0042C83E
00416733 call 0042C83E
00416A85 call 0042C83E
004175FE call 0042C83E
00417632 call 0042C83E
00417654 call 0042C83E
Some of these calls decode code, others re-encrypt the decoded code after it has run. Run the original program directly, set a new origin (EIP) at the push above each of these calls and run; once it has decoded, copy the decoded code into the unpacked file. Then nop out these push and call instructions.
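Locating these stub references in a dump programmatically, as an added example that is not part of the original article: it scans a dump-fixed image (file offset == RVA) for E8 rel32 calls landing on the packer routine and then narrows the list to the page's "push imm32 / call" pattern, since a bare E8 scan also matches stray bytes in data. The image is constructed; the 004175FE case and the target 0042C83E are taken from the page.

```python
import struct

IMAGE_BASE = 0x400000
STUB = 0x42C83E   # the packer routine the page finds referenced from the unpacked code

def find_calls_to(img, image_base, target_va):
    """Virtual addresses of every E8 rel32 call in img that lands on target_va.
    Assumes a dump-fixed image where file offset == RVA, so VA = image_base + offset."""
    hits = []
    off = img.find(b"\xE8")
    while off != -1:
        if off + 5 <= len(img):
            rel, = struct.unpack_from("<i", img, off + 1)
            if image_base + off + 5 + rel == target_va:   # target = next instruction + rel32
                hits.append(image_base + off)
        off = img.find(b"\xE8", off + 1)
    return hits

def calls_preceded_by_push(img, image_base, call_vas):
    """Keep only the calls that match the page's pattern: 'push imm32' (68 xx xx xx xx) right before."""
    return [va for va in call_vas if va - image_base >= 5 and img[va - image_base - 5] == 0x68]

def build_sample_image():
    """Constructed image fragment (not the page's dump): the page's 'push 620000 / call 0042C83E'
    at 004175F9, a bare call to the stub at 0040253A, and a decoy E8 in data that must not match."""
    img = bytearray(0x18000)
    struct.pack_into("<BI", img, 0x175F9, 0x68, 0x620000)               # push 620000
    struct.pack_into("<Bi", img, 0x175FE, 0xE8, STUB - (0x4175FE + 5))   # call 0042C83E (E8 3B520100)
    struct.pack_into("<Bi", img, 0x253A, 0xE8, STUB - (0x40253A + 5))    # call 0042C83E
    struct.pack_into("<Bi", img, 0x5000, 0xE8, 0)                        # decoy: call to the next byte
    return bytes(img)

def stub_references(img=None):
    """The 'find all commands' result: every call into the stub, and those following the push pattern."""
    img = build_sample_image() if img is None else img
    calls = find_calls_to(img, IMAGE_BASE, STUB)
    return calls, calls_preceded_by_push(img, IMAGE_BASE, calls)
```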
―――――――――――――――――――――――――――――――――
VI. Other files
Several more files are called only when the program performs certain functions; trace the original to extract them.
――――――――――――――――――――――――
1. mbox2_bootupLtDemo
The program now runs, but it cannot pack yet; it reports: "ERROR, process aborted.Can't open bootup stub"
Load the original mbox2w.exe in OllyDBG, Shift+F9 to let it run, and pick a few files to test packing
BP GetSystemTimeAsFileTime, then click "Pack To Box"; after it breaks twice, remove the breakpoint and Alt+F9 to return
0042FAF9 FF15 ECF44300 call dword ptr ds:[43F4EC] ; kernel32.GetSystemTimeAsFileTime
0042FAFF 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
// returns here; [ebp-3C]=[0118F3E8]=00C200D0
00C200D0 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?......?..
00C200E0 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
Clearly file header data. Select a few bytes at 00C200D0, set a "memory access" breakpoint, and F9 to run
0042FB98 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
// breaks here
//[esi]=[00C200D0]=00905A4D
//[edi]=[00168688]=BAADF00D
0042FB9A 8BC8 mov ecx,eax
0042FB9C 83E1 03 and ecx,3
0042FB9F F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0042FBA1 B8 00000100 mov eax,10000
0042FBA6 2B45 F8 sub eax,dword ptr ss:[ebp-8]
0042FBA9 3945 10 cmp dword ptr ss:[ebp+10],eax
// [ebp+10]=[0118F470]=00014600 ★ file length
0042FBAC 73 08 jnb short 0042FBB6
0042FBAE 8B45 10 mov eax,dword ptr ss:[ebp+10]
0042FBB1 8945 E4 mov dword ptr ss:[ebp-1C],eax
0042FBB4 EB 0B jmp short 0042FBC1
0042FBB6 B8 00000100 mov eax,10000
0042FBBB 2B45 F8 sub eax,dword ptr ss:[ebp-8]
0042FBBE 8945 E4 mov dword ptr ss:[ebp-1C],eax
0042FBC1 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0042FBC4 8945 F8 mov dword ptr ss:[ebp-8],eax
0042FBC7 8B45 FC mov eax,dword ptr ss:[ebp-4]
0042FBCA 3B45 F0 cmp eax,dword ptr ss:[ebp-10]
0042FBCD 0F86 A3000000 jbe 0042FC76
0042FBD3 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0042FBD6 40 inc eax
0042FBD7 8945 F0 mov dword ptr ss:[ebp-10],eax
0042FBDA 8B45 10 mov eax,dword ptr ss:[ebp+10]
0042FBDD 3B45 F8 cmp eax,dword ptr ss:[ebp-8]
0042FBE0 77 16 ja short 0042FBF8
0042FBE2 FF35 D8B44300 push dword ptr ds:[43B4D8]
0042FBE8 68 BB000000 push 0BB
0042FBED FF35 DCB44300 push dword ptr ds:[43B4DC]
0042FBF3 E8 C95A0000 call 004356C1
0042FBF8 FF75 F0 push dword ptr ss:[ebp-10]
0042FBFB FF75 08 push dword ptr ss:[ebp+8]
0042FBFE E8 61FBFFFF call 0042F764
0042FC03 8945 F4 mov dword ptr ss:[ebp-C],eax
0042FC06 837D F4 00 cmp dword ptr ss:[ebp-C],0
0042FC0A 75 04 jnz short 0042FC10
0042FC0C 33C0 xor eax,eax
0042FC0E EB 69 jmp short 0042FC79
0042FC10 8B45 10 mov eax,dword ptr ss:[ebp+10]
0042FC13 2B45 F8 sub eax,dword ptr ss:[ebp-8]
0042FC16 3D 00000100 cmp eax,10000
0042FC1B 73 0B jnb short 0042FC28
0042FC1D 8B45 10 mov eax,dword ptr ss:[ebp+10]
0042FC20 2B45 F8 sub eax,dword ptr ss:[ebp-8]
0042FC23 8945 E0 mov dword ptr ss:[ebp-20],eax
0042FC26 EB 07 jmp short 0042FC2F
0042FC28 C745 E0 0000010>mov dword ptr ss:[ebp-20],10000
0042FC2F 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0042FC32 8B75 F4 mov esi,dword ptr ss:[ebp-C]
0042FC35 8B7D 0C mov edi,dword ptr ss:[ebp+C]
0042FC38 037D F8 add edi,dword ptr ss:[ebp-8]
0042FC3B 8BC1 mov eax,ecx
0042FC3D C1E9 02 shr ecx,2
0042FC40 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
// copying continues; ecx=00001180 (decimal 4480.)
//[esi]=[00C000A0]=458DFF6A
//[edi]=[00178688]=BAADF00D
Copy the data directly from OllyDBG: address=00168688, length=00014600
Save it as: mbox2_bootupLtDemo
――――――――――――――――――――――――
2. mbox2_bootupDbgLtDemo
With Option -> General -> Log Box files access actions selected, packing reports "Can't open bootup stub"
Obtain this file by following the same procedure as above.
0042FAF9 FF15 ECF44300 call dword ptr ds:[43F4EC] ; kernel32.GetSystemTimeAsFileTime
0042FAFF 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
// returns here; [ebp-3C]=[0117F3E8]=00C000A0
00C000A0 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?......?..
Select a few bytes at 00C000A0, set a "memory access" breakpoint, and F9 to run
0042FB98 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
// breaks here
//[esi]=[00C000A0]=00905A4D
//[edi]=[0016A0E8]=BAADF00D
0042FC40 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//[esi]=[00C100B8]=3B47D233
//[edi]=[0017A0E8]=BAADF00D
0042FC42 8BC8 mov ecx,eax
0042FC44 83E1 03 and ecx,3
0042FC47 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0042FC49 8B45 10 mov eax,dword ptr ss:[ebp+10]
// [ebp+10]=00016E00 ★ file length
Copy the data directly from OllyDBG: address=0016A0E8, length=00016E00
Save it as: mbox2_bootupDbgLtDemo
How did we know these two file names? No analysis; they were guessed from the bundled file list.
As for mbox2_blacklist.txt, it is probably only used at registration time, so it does not matter.
―――――――――――――――――――――――――――――――――
VII. Cracking
The author distributes a trial build with the registration module disabled, so we simply remove its restrictions.
――――――――――――――――――――――――
1. Removing the startup nag
00417611 6A 00 push 0
// change to: push 1
00417613 68 49040000 push 449
// Dialog ID
00417618 E8 B3400000 call 0041B6D0
0041761D 83C4 10 add esp,10
00417620 E8 7BF4FFFF call 00416AA0
00417625 84C0 test al,al
00417627 0F85 95010000 jnz 004177C2
――――――――――――――――――――――――
2. The nag shown when a packed program starts lives in mbox2_bootupLtDemo
100039F1 68 1C440110 push 1001441C ; ASCII "MessageBoxA"
100039F6 8B55 CC mov edx,dword ptr ss:[ebp-34]
100039F9 52 push edx
100039FA FF15 AC550110 call dword ptr ds:[100155AC]
10003A00 8945 D0 mov dword ptr ss:[ebp-30],eax
10003A03 837D D0 00 cmp dword ptr ss:[ebp-30],0
10003A07 75 11 jnz short 10003A1A ; 10003A1A
10003A09 6A 00 push 0
10003A0B 6A 00 push 0
10003A0D 6A 00 push 0
10003A0F 68 FC0000EF push EF0000FC
10003A14 FF15 FC550110 call dword ptr ds:[100155FC]
10003A1A 68 00400000 push 4000
10003A1F 6A 40 push 40
10003A21 FF15 E4550110 call dword ptr ds:[100155E4]
10003A27 8945 D8 mov dword ptr ss:[ebp-28],eax
10003A2A 68 00440110 push 10014400 ; ASCII "ATTENTION!The program
10003A2F 8B45 D8 mov eax,dword ptr ss:[ebp-28]
10003A32 50 push eax
10003A33 FF15 00100110 call dword ptr ds:[10011000] ; kernel32.lstrcatA
10003A39 8B7D D8 mov edi,dword ptr ss:[ebp-28]
10003A3C 83C9 FF or ecx,FFFFFFFF
10003A3F 33C0 xor eax,eax
10003A41 F2:AE repne scas byte ptr es:[edi]
10003A43 F7D1 not ecx
10003A45 83C1 FF add ecx,-1
10003A48 894D D4 mov dword ptr ss:[ebp-2C],ecx
10003A4B 68 04010000 push 104
10003A50 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
10003A53 034D D4 add ecx,dword ptr ss:[ebp-2C]
10003A56 51 push ecx
10003A57 6A 00 push 0
10003A59 FF15 9C550110 call dword ptr ds:[1001559C]
10003A5F 50 push eax
10003A60 FF15 98550110 call dword ptr ds:[10015598]
10003A66 68 C4430110 push 100143C4 ; ASCII "is packed with unregistered copy of Packer MoleBox 2.3"
10003A6B 8B55 D8 mov edx,dword ptr ss:[ebp-28]
10003A6E 52 push edx
10003A6F FF15 00100110 call dword ptr ds:[10011000] ; kernel32.lstrcatA
10003A75 68 90430110 push 10014390 ; ASCII "This package is NOT allowed for distribution
10003A7A 8B45 D8 mov eax,dword ptr ss:[ebp-28]
10003A7D 50 push eax
10003A7E FF15 00100110 call dword ptr ds:[10011000] ; kernel32.lstrcatA
10003A84 68 5C430110 push 1001435C ; ASCII "Are you sure you want to execute this program?"
10003A89 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
10003A8C 51 push ecx
10003A8D FF15 00100110 call dword ptr ds:[10011000] ; kernel32.lstrcatA
10003A93 6A 04 push 4
10003A95 68 F0540110 push 100154F0
10003A9A 8B55 D8 mov edx,dword ptr ss:[ebp-28]
10003A9D 52 push edx
10003A9E 6A 00 push 0
// change to: push 1
10003AA0 FF55 D0 call dword ptr ss:[ebp-30]
10003AA3 83F8 07 cmp eax,7
10003AA6 75 08 jnz short 10003AB0
// change to: jmp 10003AB0
10003AA8 6A 00 push 0
10003AAA FF15 4C550110 call dword ptr ds:[1001554C]
10003AB0 8B45 D8 mov eax,dword ptr ss:[ebp-28]
10003AB3 50 push eax
10003AB4 FF15 E8550110 call dword ptr ds:[100155E8]
10003ABA 837D E0 00 cmp dword ptr ss:[ebp-20],0
10003ABE 0F84 38010000 je 10003BFC
10003AC4 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
10003ACA E8 EE6F0000 call 1000AABD
10003ACF C785 8CFEFFFF 1>mov dword ptr ss:[ebp-174],10
10003AD9 E9 05000000 jmp 10003AE3
――――――――――――――――――――――――
3. Patching mbox2_bootupDbgLtDemo
10003C1E 6A 00 push 0
// change to: push 1
10003C20 FF55 D0 call dword ptr ss:[ebp-30]
10003C23 83F8 07 cmp eax,7
10003C26 75 08 jnz short 10003C30
// change to: jmp 10003C30
―――――――――――――――――――――――――――――――――
Youth is but a moment;
I'd gladly trade fleeting fame
for the wild abandon of cracking.
UnPacKed By : fly
2005-06-18, midnight