Preface: simonzh2000 is my idol, so of course his packer deserves a proper look. I don't know scripting, so I unpacked it by hand and wrote down the process, hoping it gives simonzh2000 some ideas for making the packer even tougher.
*********************************************************************************
I. Target: safeguard 1.0 main program
II. Tools: OllyDbg v1.10, ImportREC 1.6 Final, LordPE
III. Author: DarkBull@email.com.cn
IV. Process:
1. Load the program. The EP looks like this:
safeguar.> E8 0000000>CALL safeguar.00414005
00414005 EB 29 JMP SHORT safeguar.00414030
00414007 DFBA CD541>FISTP QWORD PTR DS:[EDX+621854CD]
0041400D C05D EB 4E RCR BYTE PTR SS:[EBP-15],4E ; Shift constant out of range 1..31
00414011 EB 47 JMP SHORT safeguar.0041405A
Do not ignore any exceptions, set the IsDebuggerPresent flag to 1, patch GetTickCount, and press F9 to run. At the second INT3, change EIP to 00415989 and write the following at 00415875:
00415875 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 \??\c:\windows\s
00415885 79 73 74 65 6D 33 32 5C 77 69 6E 6C 6F 67 6F 6E ystem32\winlogon
00415895 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 .exe............
Press F9 to run; it stops here:
004165BD F0:0FC7C8 LOCK CMPXCHG8B EAX ; Illegal use of register
004165C1 00A3 A3D1A>ADD BYTE PTR DS:[EBX+ACA3D1A3],AH
Change EIP to 0041c470, search for "XOR AL,AH" (found at 0041D104) and change it to "XOR AL,54". Press F9 to run; it stops here:
0041DD4C CC INT3
0041DD4D 90 NOP
0041DD4E 98 CWDE
0041DD4F 5A POP EDX
0041DD50 AC LODS BYTE PTR DS:[ESI]
0041DD51 51 PUSH ECX
0041DD52 4C DEC ESP ; Unaligned stack operation
0041DD53 - E9 B3F8FE9>JMP A040D60B
Copy a section of code from the original program to the corresponding location (see attachment), set a breakpoint with BP GetProcAddress, press F9 to run, and once it is caught, run to here:
0041ECCF 8901 MOV DWORD PTR DS:[ECX],EAX ; Write IAT (encrypted)
0041ECD1 EB 4C JMP SHORT safeguar.0041ED1F
0041ECD3 EB 47 JMP SHORT safeguar.0041ED1C
Change the above code to:
0041ECCF 50 PUSH EAX
0041ECD0 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0041ECD4 8901 MOV DWORD PTR DS:[ECX],EAX ; Write IAT (unencrypted)
0041ECD6 58 POP EAX
0041ECD7 EB 46 JMP SHORT safeguar.0041ED1F
Now the IAT can be repaired with ImportREC.
2. Ignore all exceptions, set a breakpoint with BP GetModuleHandle, press F9 to run, and once it is caught, return to the packer code:
004208E5 68 0000000>PUSH 0 ; start of the stolen code
004208EA EB 03 JMP SHORT safeguar.004208EF
004208EC FD STD
004208ED 50 PUSH EAX
004208EE FB STI
004208EF E8 0000000>CALL safeguar.004208F4
004208F4 830424 0A ADD DWORD PTR SS:[ESP],0A
004208F8 68 38F4400>PUSH safeguar.0040F438
004208FD C3 RETN ; equivalent to CALL 0040F438
004208FE EB 03 JMP SHORT safeguar.00420903
00420900 0351 FB ADD EDX,DWORD PTR DS:[ECX-5]
00420903 A3 6220410>MOV DWORD PTR DS:[412062],EAX ; original code
00420908 EB 00 JMP SHORT safeguar.0042090A
0042090A 68 0000000>PUSH 0 ; original code
0042090F EB 01 JMP SHORT safeguar.00420912
00420911 05 6847F24>ADD EAX,40F24768 ; PUSH 0040F247
00420916 00EB ADD BL,CH
00420918 0106 ADD DWORD PTR DS:[ESI],EAX
0042091A 68 0000000>PUSH 0 ; original code
0042091F EB 03 JMP SHORT safeguar.00420924
00420921 06 PUSH ES
00420922 51 PUSH ECX
00420923 FB STI
00420924 68 6500000>PUSH 65 ; original code
00420929 EB 03 JMP SHORT safeguar.0042092E
0042092B 06 PUSH ES
0042092C 51 PUSH ECX
0042092D FB STI
0042092E 68 07F4400>PUSH safeguar.0040F407
00420933 C3 RETN ; return to the code section
There is an empty area at 0040F407, so write the original code back there, as follows:
safeguar.>/$ 6A 00 PUSH 0 ; /pModule = NULL
0040F3F2 |. E8 41000>CALL <JMP.&kernel32.GetModuleHandleA>; \GetModuleHandleA
0040F3F7 |. A3 62204>MOV DWORD PTR DS:[412062],EAX
0040F3FC |. 6A 00 PUSH 0 ; /lParam = NULL
0040F3FE |. 68 47F24>PUSH safeguar.0040F247 ; |DlgProc = safeguar.0040F247
0040F403 |. 6A 00 PUSH 0 ; |hOwner = NULL
0040F405 |. 6A 65 PUSH 65 ; |pTemplate = 65
0040F407 |. FF35 622>PUSH DWORD PTR DS:[412062] ; |hInst = 00400000
0040F40D |. E8 7A000>CALL <JMP.&user32.DialogBoxParamA> ; \DialogBoxParamA
0040F412 |. 6A 00 PUSH 0 ; /ExitCode = 0
0040F414 \. E8 13000>CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
DUMP OK; it is a TASM32/MASM32 program.
Attachment: safeguard10_unpacked.rar
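Two small helpers, added here as an example (not part of the original post or of the safeguard packer), that check the arithmetic behind the two by-hand rewrites above: re-encoding the short jump when the IAT write in step 1 is replaced with a longer sequence, and resolving the CALL $+5 / ADD [ESP],0A / PUSH / RETN trampoline in the stolen code of step 2. The addresses and bytes come from the listings; the function names are my own.

```python
# Added example: sanity checks for in-place patching of packer code.
# Addresses below are the ones from the OllyDbg listings in the post.

def short_jmp(at, target):
    """Encode 'JMP SHORT target' placed at address `at` as EB rel8.
    rel8 is measured from the end of the 2-byte instruction and must
    fit a signed byte, otherwise the patch cannot use a short jump."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target %08X out of short-jump range from %08X" % (target, at))
    return bytes([0xEB, rel & 0xFF])

def short_jmp_target(at, rel8):
    """Resolve where an 'EB rel8' at address `at` lands (sign-extend rel8)."""
    rel = rel8 - 0x100 if rel8 & 0x80 else rel8
    return at + 2 + rel

def iat_write_patch(at, rejoin):
    """The replacement written at 0041ECCF: save EAX, fetch the unencrypted
    GetProcAddress result from [ESP+8], store it into the IAT slot at [ECX],
    restore EAX, then jump back into the packer at `rejoin` (0041ED1F).
    It is 10 bytes, 4 more than the three instructions it overwrites, so the
    trailing short jump has to be re-encoded for its new position."""
    body = bytes.fromhex("50" "8B442408" "8901" "58")
    # PUSH EAX / MOV EAX,[ESP+8] / MOV [ECX],EAX / POP EAX
    return body + short_jmp(at + len(body), rejoin)

def call_via_push_ret(call_site, add_to_retaddr, pushed):
    """Resolve the stolen-code idiom at 004208EF:
         CALL $+5          ; pushes call_site+5
         ADD [ESP],n       ; bumps the pushed return address by n
         PUSH addr         ; the real target
         RETN              ; transfers control to addr
    Returns (effective call target, address the callee returns to), i.e.
    what the author annotates as 'equivalent to CALL 0040F438'."""
    return pushed, call_site + 5 + add_to_retaddr

if __name__ == "__main__":
    print(iat_write_patch(0x0041ECCF, 0x0041ED1F).hex())      # 508b442408890158eb46
    print("%08X" % short_jmp_target(0x0041ECD1, 0x4C))        # 0041ED1F (original jump)
    print("%08X, %08X" % call_via_push_ret(0x004208EF, 0x0A, 0x0040F438))
```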