【破文标题】:《图章制作系统 V3.63》脱壳去校验解除自杀代码[分析篇]
【破文作者】: KuNgBiM[DFCG]
【作者邮箱】: [email]gb_1227@163.com[/email]
【软件名称】: 图章制作系统 V3.63
【软件大小】: 724 KB
【软件类别】: 国产软件/共享软件/设计制作
【整理时间】: 2005-07-29
【下载地址】: http://www.downreg.com/Software/View-Software-4587.html
【软件简介】: 制作公章、手章,输出为gif图形,支持图片透明。支持圆形、椭圆、方形、矩形多种外观,多个参数可调,支持自定义文字大小,支持格式保存。
【保护方式】: 注册码 + 试用功能限制
【加密保护】: ASPack 2.12 + 脱壳后文件大小自校验(作者称为CRC校验,实际只是把自身文件大小与上限比较,见下文分析) + 程序自杀代码(作者推测为借助系统autoexec.bat批处理删除校验失败的程序;本文跟踪到的代码只看到对 system.ini 中 [hsjsign_install] 节的读写,删除文件的动作本身并未出现在列出的代码里,有待后文验证) + Anti-Loader(反加载)
【编译语言】: Borland Delphi 6.0 - 7.0
【调试环境】: WinXP、PEiD、Ollydbg、LordPE、ImportREC
【破解日期】: 2005-09-01
【破解目的】: 推广使用ESP定律脱壳,去除自校验,以及研究算法分析
【作者声明】: 初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【脱壳过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
侦壳脱壳:用PEiD查壳,ASPack 2.12 -> Alexey Solodovnikov加壳。
使用法宝:我们既然知道了是ASPack所加壳保护的,所以拿出Ollydbg结合文章题目手动脱之~~
――――――――――――――――――――
Ollydbg
载入主程序:
005FA001 > 60
pushad ; 载入程序后停在这里,F8一次
005FA002 E8 03000000
call MakeSign.005FA00A
; 到这里,这时查看寄存器窗口
005FA007 - E9 EB045D45
jmp 45BCA4F7
005FA00C 55
push ebp
005FA00D C3
retn
\\\\\\\\\\\\\\\
寄存器\\\\\\\\\\\\\\\\
EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA4
; esp=0012ffa4
EBP 0012FFF0
ESI 77F57D70 ntdll.77F57D70
EDI 77F944A8 ntdll.77F944A8
EIP 005FA002 MakeSign.005FA002
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
根据ESP定律规则,现在在命令栏中下 hr 0012ffa4 命令(对该栈地址下硬件读断点:pushad 保存在此处的寄存器被壳代码读回时即触发),回车,F9运行:
005FA3B0 /75 08
jnz short MakeSign.005FA3BA
; 这里断下,F7继续
005FA3B2 |B8 01000000
mov eax,1
005FA3B7 |C2 0C00
retn 0C
005FA3BA \68 10CA5800
push MakeSign.0058CA10
; 这里0058CA10所指的就是OEP,F7继续
005FA3BF C3
retn ; 返回到程序原始入口,飞向光明之巅~~ F7继续
返回到这里:
0058CA10 55
push ebp ; 在这儿(EIP正好停在OEP 0058CA10,不要再往下单步)用LordPE纠正ImageSize后完全DUMP这个进程
0058CA11 8BEC
mov ebp,
esp
0058CA13 83C4 F0
add esp,-10
0058CA16 B8 E0C55800
mov eax,MakeSign.0058C5E0
0058CA1B E8 64A2E7FF
call MakeSign.00406C84
0058CA20 A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
0058CA25 8B00
mov eax,
dword ptr ds:[
eax]
0058CA27 E8 4427EEFF
call MakeSign.0046F170
0058CA2C A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
0058CA31 8B00
mov eax,
dword ptr ds:[
eax]
0058CA33 BA 70CA5800
mov edx,MakeSign.0058CA70
0058CA38 E8 3F23EEFF
call MakeSign.0046ED7C
0058CA3D 8B0D 90885900
mov ecx,
dword ptr ds:[598890]
; MakeSign.005A5BE8
0058CA43 A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
0058CA48 8B00
mov eax,
dword ptr ds:[
eax]
脱壳修复:
运行ImportREC 1.6,选择这个进程,把OEP改为 0018CA10(ImportREC要填的是RVA:0058CA10 − ImageBase 00400000 = 0018CA10),点IT AutoSearch,指针全部有效。FixDump!
再用LordPE重建优化一下,程序大小变为 1.83 MB,Borland Delphi 6.0 - 7.0编译。
关闭Ollydbg,试运行,正常运行!不过。。。↓
意外发生了:我正准备反编译看看程序的时候,发现我们刚刚脱壳后运行过的程序不见了!~?奇怪~~!?难道这个程序有“脱壳自校验”以及传说中的“程序自杀代码”?,接着我就试着跟了跟,发现真有那么一回事,好吧~~“你”荒废我的“脱壳心血”我就跟“你”没完~!呵呵,下面就接着讲讲怎样去掉这个烦人的“程序自杀自校验”!!!GO~~
―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【去自校验过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
重新打开Ollydbg,载入刚刚我们脱壳修复优化后的“dumped_.exe”文件(这里我采用的是默认脱壳文件名)
在命令栏中下 bpx CreateFileA 断点命令,回车,F9运行:
程序运行后,点击“确定”关闭提示框后程序断下:
004093BC 50
push eax
004093BD E8 C2DAFFFF
call dumped_.00406E84
; 这里断下,F7跟进,jmp to kernel32.CreateFileA
004093C2 5F
pop edi
004093C3 5E
pop esi
004093C4 5B
pop ebx
004093C5 C3
retn
跟进后:
00406E84 - FF25 1C645A00
jmp dword ptr ds:[5A641C]
; 这里继续F7跳过!kernel32.CreateFileA
00406E8A 8BC0
mov eax,
eax
跳向这里:
77E5B476 > 55
push ebp ; 跳到这里,一路F8!
77E5B477 8BEC
mov ebp,
esp
77E5B479 FF75 08
push dword ptr ss:[
ebp+8]
77E5B47C E8 11FFFFFF
call kernel32.77E5B392
77E5B481 85C0
test eax,
eax
77E5B483 0F84 A3FF0100
je kernel32.77E7B42C
77E5B489 FF75 20
push dword ptr ss:[
ebp+20]
77E5B48C FF75 1C
push dword ptr ss:[
ebp+1C]
77E5B48F FF75 18
push dword ptr ss:[
ebp+18]
77E5B492 FF75 14
push dword ptr ss:[
ebp+14]
77E5B495 FF75 10
push dword ptr ss:[
ebp+10]
77E5B498 FF75 0C
push dword ptr ss:[
ebp+C]
77E5B49B FF70 04
push dword ptr ds:[
eax+4]
77E5B49E E8 EEFBFFFF
call kernel32.CreateFileW
77E5B4A3 5D
pop ebp
77E5B4A4 C2 1C00
retn 1C
; F8到这里返回
返回到这里(也就是上面断点的下一个地址):
004093C2 5F
pop edi ; 赋值数据,F7单步,00B80000
004093C3 5E
pop esi ; 赋值数据,F7单步,00BC689C
004093C4 5B
pop ebx ; 赋值数据,F7单步,00B8942C
004093C5 C3
retn ; 返回下一个检测空间
返回到这里:
0041F9D5 8BC8
mov ecx,
eax ; 返回到这里
0041F9D7 33D2
xor edx,
edx
0041F9D9 8BC3
mov eax,
ebx
0041F9DB E8 7CFEFFFF
call dumped_.0041F85C
0041F9E0 837B 04 00
cmp dword ptr ds:[
ebx+4],0
0041F9E4 7D 24
jge short dumped_.0041FA0A
0041F9E6 8975 F4
mov dword ptr ss:[
ebp-C],
esi
0041F9E9 C645 F8 0B
mov byte ptr ss:[
ebp-8],0B
0041F9ED 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0041F9F0 50
push eax
0041F9F1 6A 00
push 0
0041F9F3 8B0D A08C5900
mov ecx,
dword ptr ds:[598CA0]
; dumped_.00418198
0041F9F9 B2 01
mov dl,1
0041F9FB A1 E49E4100
mov eax,
dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF
call dumped_.0040CB08
0041FA05 E8 0E46FEFF
call dumped_.00404018
0041FA0A 8BC3
mov eax,
ebx
0041FA0C 807D FF 00
cmp byte ptr ss:[
ebp-1],0
0041FA10 74 0F
je short dumped_.0041FA21
0041FA12 E8 F141FEFF
call dumped_.00403C08
0041FA17 64:8F05 00000000
pop dword ptr fs:[0]
0041FA1E 83C4 0C
add esp,0C
0041FA21 8BC3
mov eax,
ebx
0041FA23 5F
pop edi
0041FA24 5E
pop esi
0041FA25 5B
pop ebx
0041FA26 8BE5
mov esp,
ebp
0041FA28 5D
pop ebp
0041FA29 C2 0800
retn 8
; 又一次一路F8后来到这里返回
返回到这里:
0041F945 8BC6
mov eax,
esi
0041F947 84DB
test bl,
bl
0041F949 74 0F
je short dumped_.0041F95A
0041F94B E8 B842FEFF
call dumped_.00403C08
0041F950 64:8F05 00000000
pop dword ptr fs:[0]
0041F957 83C4 0C
add esp,0C
0041F95A 8BC6
mov eax,
esi
0041F95C 5E
pop esi
0041F95D 5B
pop ebx
0041F95E 5D
pop ebp
0041F95F C2 0400
retn 4
; 再次一路F8后来到这里返回
返回到这里:(★重要★)
00581E4A 8945 F4
mov dword ptr ss:[
ebp-C],
eax
00581E4D 33C0
xor eax,eax ; 上一条已把 eax(=00B8942C,推测是打开自身文件得到的流对象指针,待确认)存入[ebp-C];这里清零 eax 只是为了
; 下面 push fs:[eax] / mov fs:[eax],esp 安装 SEH(Delphi try..finally)帧,与校验结果无关。
; 作者注"脱壳前后数据不一样"指的是这个对象地址,它是堆地址,每次运行都可能不同,并不说明校验本身有差别。
00581E4F 55
push ebp
00581E50 68 7C1E5800
push dumped_.00581E7C
00581E55 64:FF30
push dword ptr fs:[
eax]
00581E58 64:8920
mov dword ptr fs:[
eax],
esp
00581E5B 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
00581E5E E8 D5D5E9FF
call dumped_.0041F438
; 作者原注为"CRC冗余代码校验CALL",但从返回值看它只是取文件大小:eax=001D5200=1921536字节,
; 正好是脱壳修复后 dumped_.exe 的大小(约1.83MB);下文 00584B8C 处就是拿这个值与 0FA000 比较。
; 本文跟踪到的全部代码里没有任何CRC计算,所谓"脱壳自校验"实际是"文件大小是否超出加壳版的上限"。
00581E63 8945 F8
mov dword ptr ss:[ebp-8],eax ; 把文件大小(eax)保存到局部变量[ebp-8](原注"赋值给eax"方向写反了),00581EB4处再取回作为返回值
00581E66 33C0
xor eax,eax ; 清零 eax(执行后 eax=0,不再是001D5200);下面用 eax=0 访问 fs:[0] 恢复 SEH 链
00581E68 5A
pop edx
00581E69 59
pop ecx
00581E6A 59
pop ecx
00581E6B 64:8910
mov dword ptr fs:[
eax],
edx
00581E6E 68 831E5800
push dumped_.00581E83
00581E73 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
00581E76 E8 D119E8FF
call dumped_.0040384C
00581E7B C3
retn
00581E7C ^\E9 5F21E8FF
jmp dumped_.00403FE0
00581E81 ^ EB F0
jmp short dumped_.00581E73
00581E83 33C0
xor eax,
eax
00581E85 5A
pop edx
00581E86 59
pop ecx
00581E87 59
pop ecx
00581E88 64:8910
mov dword ptr fs:[
eax],
edx
00581E8B EB 0A
jmp short dumped_.00581E97
00581E8D ^ E9 9A1EE8FF
jmp dumped_.00403D2C
00581E92 E8 FD21E8FF
call dumped_.00404094
00581E97 33C0
xor eax,
eax
00581E99 5A
pop edx
00581E9A 59
pop ecx
00581E9B 59
pop ecx
00581E9C 64:8910
mov dword ptr fs:[
eax],
edx
00581E9F 68 B41E5800
push dumped_.00581EB4
00581EA4 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
00581EA7 E8 9027E8FF
call dumped_.0040463C
00581EAC C3
retn
00581EAD ^\E9 2E21E8FF
jmp dumped_.00403FE0
00581EB2 ^ EB F0
jmp short dumped_.00581EA4
00581EB4 8B45 F8
mov eax,dword ptr ss:[ebp-8]
; 把先前保存在[ebp-8]的文件大小取回,作为本函数(00581E04,由 00584B87 调用)的返回值:eax=001D5200,堆栈 ss:[0012FDBC]=001D5200
00581EB7 5F
pop edi
00581EB8 5E
pop esi
00581EB9 5B
pop ebx
00581EBA 8BE5
mov esp,
ebp
00581EBC 5D
pop ebp
00581EBD C3
retn ; 返回程序,告诉程序下一步该做什么!
返回到这里:(★重要★【第一处】)
00584B87 E8 78D2FFFF
call dumped_.00581E04
00584B8C 3D 00A00F00
cmp eax,0FA000
; 把刚取得的文件大小与上限 FA000 = 1024000 字节比较。加壳后的原程序只有724KB,在上限之内;脱壳修复后变成1.83MB就超出了,
; 这就是"脱壳自校验"的全部逻辑——不是CRC,只是一个大小阈值。
00584B91 7E 1C
jle short dumped_.00584BAF
; eax <= FA000(jle为有符号比较)才跳到 00584BAF 正常运行;不跳则落入 00584B93~00584BAA 的失败处理,必须让它跳!
*************************
代码修改:
00584B8C 3D 00A00F00
cmp eax,0FA000 //
我改为:cmp eax,0FFFFFFF (嘿嘿,268435455字节约为256MB,有多少的软件能大过256MB啊?)
另一种同样有效、改动更小的办法:把紧接着的 jle 机器码 7E 1C 改成无条件短跳 EB 1C。两种改法都不改变指令长度,不会影响后面的地址。
*************************
00584B93 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
00584B96 A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
00584B9B 8B00
mov eax,
dword ptr ds:[
eax]
00584B9D E8 3EACEEFF
call dumped_.0046F7E0
00584BA2 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
00584BA5 E8 16D3FFFF
call dumped_.00581EC0
00584BAA E8 19F9E7FF
call dumped_.004044C8
00584BAF E8 E0D4FFFF
call dumped_.00582094
00584BB4 84C0
test al,
al
00584BB6 74 1C
je short dumped_.00584BD4
; 跳
00584BB8 8D55 EC
lea edx,
dword ptr ss:[
ebp-14]
00584BBB A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
00584BC0 8B00
mov eax,
dword ptr ds:[
eax]
00584BC2 E8 19ACEEFF
call dumped_.0046F7E0
00584BC7 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
00584BCA E8 F1D2FFFF
call dumped_.00581EC0
00584BCF E8 F4F8E7FF
call dumped_.004044C8
00584BD4 8B83 B8040000
mov eax,
dword ptr ds:[
ebx+4B8]
00584BDA E8 8D9CFEFF
call dumped_.0056E86C
00584BDF E8 ECD7FFFF
call dumped_.005823D0
00584BE4 8B93 44030000
mov edx,
dword ptr ds:[
ebx+344]
00584BEA 8B52 48
mov edx,
dword ptr ds:[
edx+48]
00584BED 3BC2
cmp eax,
edx
00584BEF 7E 02
jle short dumped_.00584BF3
; 跳
00584BF1 8BC2
mov eax,
edx
00584BF3 8BD0
mov edx,
eax
00584BF5 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584BFB E8 748DECFF
call dumped_.0044D974
00584C00 8B83 C4040000
mov eax,
dword ptr ds:[
ebx+4C4]
00584C06 E8 619CFEFF
call dumped_.0056E86C
00584C0B E8 90D8FFFF
call dumped_.005824A0
00584C10 8B93 44030000
mov edx,
dword ptr ds:[
ebx+344]
00584C16 8B52 4C
mov edx,
dword ptr ds:[
edx+4C]
00584C19 3BC2
cmp eax,
edx
00584C1B 7E 02
jle short dumped_.00584C1F
; 跳
00584C1D 8BC2
mov eax,
edx
00584C1F 8BD0
mov edx,
eax
00584C21 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584C27 E8 6C8DECFF
call dumped_.0044D998
00584C2C 8B93 44030000
mov edx,
dword ptr ds:[
ebx+344]
00584C32 8B52 48
mov edx,
dword ptr ds:[
edx+48]
00584C35 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584C3B 2B50 48
sub edx,
dword ptr ds:[
eax+48]
00584C3E D1FA
sar edx,1
00584C40 79 03
jns short dumped_.00584C45
; 跳
00584C42 83D2 00
adc edx,0
00584C45 E8 DE8CECFF
call dumped_.0044D928
00584C4A 8B93 44030000
mov edx,
dword ptr ds:[
ebx+344]
00584C50 8B52 4C
mov edx,
dword ptr ds:[
edx+4C]
00584C53 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584C59 2B50 4C
sub edx,
dword ptr ds:[
eax+4C]
00584C5C D1FA
sar edx,1
00584C5E 79 03
jns short dumped_.00584C63
; 跳
00584C60 83D2 00
adc edx,0
00584C63 E8 E48CECFF
call dumped_.0044D94C
00584C68 B2 06
mov dl,6
00584C6A 8B83 4C030000
mov eax,
dword ptr ds:[
ebx+34C]
00584C70 E8 578AECFF
call dumped_.0044D6CC
00584C75 B2 05
mov dl,5
00584C77 8B83 4C030000
mov eax,
dword ptr ds:[
ebx+34C]
00584C7D E8 4A8AECFF
call dumped_.0044D6CC
00584C82 8BC3
mov eax,
ebx
00584C84 E8 939AECFF
call dumped_.0044E71C
00584C89 B2 06
mov dl,6
00584C8B 8B83 4C030000
mov eax,
dword ptr ds:[
ebx+34C]
00584C91 E8 368AECFF
call dumped_.0044D6CC
00584C96 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584C9C 8B50 48
mov edx,
dword ptr ds:[
eax+48]
00584C9F 83EA 02
sub edx,2
00584CA2 8B83 4C030000
mov eax,
dword ptr ds:[
ebx+34C]
00584CA8 E8 C78CECFF
call dumped_.0044D974
00584CAD 8B83 48030000
mov eax,
dword ptr ds:[
ebx+348]
00584CB3 8B50 4C
mov edx,
dword ptr ds:[
eax+4C]
00584CB6 83EA 02
sub edx,2
00584CB9 8B83 4C030000
mov eax,
dword ptr ds:[
ebx+34C]
00584CBF E8 D48CECFF
call dumped_.0044D998
00584CC4 8B83 64030000
mov eax,
dword ptr ds:[
ebx+364]
00584CCA 66:BE EBFF
mov si,0FFEB
00584CCE E8 75EDE7FF
call dumped_.00403A48
; 跟进,返回程序,进行2次校验
返回到这里:
004093BC 50
push eax
004093BD E8 C2DAFFFF
call dumped_.00406E84
; 返回到这里,F7跟进,jmp to kernel32.CreateFileA
004093C2 5F
pop edi
004093C3 5E
pop esi
004093C4 5B
pop ebx
004093C5 C3
retn
跟进后:
00406E84 - FF25 1C645A00
jmp dword ptr ds:[5A641C]
; 这里继续F7跳过!kernel32.CreateFileA
00406E8A 8BC0
mov eax,
eax
跳向这里:
77E5B476 > 55
push ebp ; 跳到这里,一路F8!
77E5B477 8BEC
mov ebp,
esp
77E5B479 FF75 08
push dword ptr ss:[
ebp+8]
77E5B47C E8 11FFFFFF
call kernel32.77E5B392
77E5B481 85C0
test eax,
eax
77E5B483 0F84 A3FF0100
je kernel32.77E7B42C
77E5B489 FF75 20
push dword ptr ss:[
ebp+20]
77E5B48C FF75 1C
push dword ptr ss:[
ebp+1C]
77E5B48F FF75 18
push dword ptr ss:[
ebp+18]
77E5B492 FF75 14
push dword ptr ss:[
ebp+14]
77E5B495 FF75 10
push dword ptr ss:[
ebp+10]
77E5B498 FF75 0C
push dword ptr ss:[
ebp+C]
77E5B49B FF70 04
push dword ptr ds:[
eax+4]
77E5B49E E8 EEFBFFFF
call kernel32.CreateFileW
77E5B4A3 5D
pop ebp
77E5B4A4 C2 1C00
retn 1C
; F8到这里返回
返回到这里(也就是上面断点的下一个地址):
004093C2 5F
pop edi ; 赋值数据,F7单步,00B80000
004093C3 5E
pop esi ; 赋值数据,F7单步,00BC689C
004093C4 5B
pop ebx ; 赋值数据,F7单步,00B8942C
004093C5 C3
retn ; 返回下一个检测空间
返回到这里:
0041F9D5 8BC8
mov ecx,
eax ; 返回到这里
0041F9D7 33D2
xor edx,
edx
0041F9D9 8BC3
mov eax,
ebx
0041F9DB E8 7CFEFFFF
call dumped_.0041F85C
0041F9E0 837B 04 00
cmp dword ptr ds:[
ebx+4],0
0041F9E4 7D 24
jge short dumped_.0041FA0A
0041F9E6 8975 F4
mov dword ptr ss:[
ebp-C],
esi
0041F9E9 C645 F8 0B
mov byte ptr ss:[
ebp-8],0B
0041F9ED 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0041F9F0 50
push eax
0041F9F1 6A 00
push 0
0041F9F3 8B0D A08C5900
mov ecx,
dword ptr ds:[598CA0]
; dumped_.00418198
0041F9F9 B2 01
mov dl,1
0041F9FB A1 E49E4100
mov eax,
dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF
call dumped_.0040CB08
0041FA05 E8 0E46FEFF
call dumped_.00404018
0041FA0A 8BC3
mov eax,
ebx
0041FA0C 807D FF 00
cmp byte ptr ss:[
ebp-1],0
0041FA10 74 0F
je short dumped_.0041FA21
0041FA12 E8 F141FEFF
call dumped_.00403C08
0041FA17 64:8F05 00000000
pop dword ptr fs:[0]
0041FA1E 83C4 0C
add esp,0C
0041FA21 8BC3
mov eax,
ebx
0041FA23 5F
pop edi
0041FA24 5E
pop esi
0041FA25 5B
pop ebx
0041FA26 8BE5
mov esp,
ebp
0041FA28 5D
pop ebp
0041FA29 C2 0800
retn 8
; 又一次一路F8后来到这里返回
返回到这里:
0041F945 8BC6
mov eax,
esi
0041F947 84DB
test bl,
bl
0041F949 74 0F
je short dumped_.0041F95A
0041F94B E8 B842FEFF
call dumped_.00403C08
0041F950 64:8F05 00000000
pop dword ptr fs:[0]
0041F957 83C4 0C
add esp,0C
0041F95A 8BC6
mov eax,
esi
0041F95C 5E
pop esi
0041F95D 5B
pop ebx
0041F95E 5D
pop ebp
0041F95F C2 0400
retn 4
; 再次一路F8后来到这里返回
返回到这里:(★重要★)
00581E4A 8945 F4
mov dword ptr ss:[
ebp-C],
eax
00581E4D 33C0
xor eax,
eax ; 这里脱壳前和脱壳后数据不一样,eax=00B8942C
00581E4F 55
push ebp
00581E50 68 7C1E5800
push dumped_.00581E7C
00581E55 64:FF30
push dword ptr fs:[
eax]
00581E58 64:8920
mov dword ptr fs:[
eax],
esp
00581E5B 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
00581E5E E8 D5D5E9FF
call dumped_.0041F438
; 与第一次相同:作者原注为"CRC校验CALL",实际只是取文件大小,eax=001D5200=1921536字节,下文 005842C9 处拿它与 0FA000 比较
00581E63 8945 F8
mov dword ptr ss:[ebp-8],eax ; 把文件大小(eax)保存到[ebp-8](原注方向写反了),函数末尾再取回作为返回值
00581E66 33C0
xor eax,eax ; 清零 eax(执行后 eax=0,不再是001D5200),用于下面恢复 fs:[0] 的SEH链
00581E68 5A
pop edx
00581E69 59
pop ecx
00581E6A 59
pop ecx
00581E6B 64:8910
mov dword ptr fs:[
eax],
edx
00581E6E 68 831E5800
push dumped_.00581E83
00581E73 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
00581E76 E8 D119E8FF
call dumped_.0040384C
00581E7B C3
retn
00581E7C ^\E9 5F21E8FF
jmp dumped_.00403FE0
00581E81 ^ EB F0
jmp short dumped_.00581E73
00581E83 33C0
xor eax,
eax
00581E85 5A
pop edx
00581E86 59
pop ecx
00581E87 59
pop ecx
00581E88 64:8910
mov dword ptr fs:[
eax],
edx
00581E8B EB 0A
jmp short dumped_.00581E97
00581E8D ^ E9 9A1EE8FF
jmp dumped_.00403D2C
00581E92 E8 FD21E8FF
call dumped_.00404094
00581E97 33C0
xor eax,
eax
00581E99 5A
pop edx
00581E9A 59
pop ecx
00581E9B 59
pop ecx
00581E9C 64:8910
mov dword ptr fs:[
eax],
edx
00581E9F 68 B41E5800
push dumped_.00581EB4
00581EA4 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
00581EA7 E8 9027E8FF
call dumped_.0040463C
00581EAC C3
retn
00581EAD ^\E9 2E21E8FF
jmp dumped_.00403FE0
00581EB2 ^ EB F0
jmp short dumped_.00581EA4
00581EB4 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
; 最终赋值,堆栈 ss:[0012FDBC]=001D5200
00581EB7 5F
pop edi
00581EB8 5E
pop esi
00581EB9 5B
pop ebx
00581EBA 8BE5
mov esp,
ebp
00581EBC 5D
pop ebp
00581EBD C3
retn ; 返回程序,告诉程序下一步该做什么!
返回到这里:(★重要★【第二处】)
005842C4 E8 3BDBFFFF
call dumped_.00581E04
005842C9 3D 00A00F00
cmp eax,0FA000
; 第二处大小阈值检查:把文件大小与 FA000 = 1024000 字节比较,与第一处完全相同,同样不是CRC
005842CE 7E 05
jle short dumped_.005842D5
; 文件大小 <= FA000 才跳过下面的 mov ebx,1;跳过后只要此时 ebx 不等于1,dec 后就非零,005842D6 的 jnz 便跳到 005844E8,
; 整段 system.ini 处理都被绕开。不跳则 ebx=1,dec 后为0,落入"脱壳被发现"的处理流程。必须让它跳!
*************************
代码修改:
005842C9 3D 00A00F00
cmp eax,0FA000 //
我改为:cmp eax,0FFFFFFF (嘿嘿,268435455字节约为256MB,有多少的软件能大过256MB啊?)
*************************
005842D0 BB 01000000
mov ebx,1
005842D5 4B
dec ebx
005842D6 0F85 0C020000
jnz dumped_.005844E8
; ebx 非零(即上面大小检查合格)时跳到 005844E8,绕过下面对 system.ini 的读写,必须跳!这里同样不是CRC检测,只是大小比较结果的延续
005842DC B9 24475800
mov ecx,dumped_.00584724
; ASCII "system.ini"
005842E1 B2 01
mov dl,1
005842E3 A1 04084700
mov eax,
dword ptr ds:[470804]
005842E8 E8 C7C5EEFF
call dumped_.004708B4
005842ED 8BF0
mov esi,
eax
005842EF 68 38475800
push dumped_.00584738
005842F4 8D85 70FFFFFF
lea eax,
dword ptr ss:[
ebp-90]
005842FA 50
push eax
005842FB B9 44475800
mov ecx,dumped_.00584744
; ASCII "date" ★这里是为什么脱壳程序运行后会被删除的原因之一★
00584300 BA 54475800
mov edx,dumped_.00584754
; ASCII "hsjsign_install" ★等会儿会作详细说明★
; 提示:上面 005842E8 处用 "system.ini" 创建了一个对象(保存在esi),之后通过 call [ebx] / call [ebx+4] 以节名 "hsjsign_install"、
; 键名 "date" 和 "protect" 做读/写(从参数形式推测是 ReadString/WriteString 一类虚方法,待确认)。也就是说,程序把"脱壳被发现"
; 的状态和计数持久化在 system.ini(若走 Profile API,一般位于 Windows 目录下)里,而不在 exe 自身。分析时除了备份 exe,
; 还要备份并在每次重试前清理 system.ini 中的 [hsjsign_install] 节,否则换一个干净的 dumped_.exe 重跑,计数仍会从上次的值继续。
00584305 8BC6
mov eax,
esi
00584307 8B18
mov ebx,
dword ptr ds:[
eax]
00584309 FF13
call dword ptr ds:[
ebx]
0058430B 8B95 70FFFFFF
mov edx,
dword ptr ss:[
ebp-90]
00584311 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584314 05 80000000
add eax,80
00584319 E8 7203E8FF
call dumped_.00404690
0058431E 8BC6
mov eax,
esi
00584320 E8 27F5E7FF
call dumped_.0040384C
00584325 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584328 8B80 80000000
mov eax,
dword ptr ds:[
eax+80]
0058432E E8 7963E8FF
call dumped_.0040A6AC
00584333 DBBD 64FFFFFF
fstp tbyte
ptr ss:[
ebp-9C]
00584339 9B
wait
0058433A E8 2568E8FF
call dumped_.0040AB64
0058433F DBAD 64FFFFFF
fld tbyte
ptr ss:[
ebp-9C]
00584345 DEE1
fsubrp st(1),
st
00584347 D9E1
fabs
00584349 D81D 64475800
fcomp dword ptr ds:[584764]
0058434F DFE0
fstsw ax
00584351 9E
sahf
00584352 0F86 90010000
jbe dumped_.005844E8
00584358 B9 24475800
mov ecx,dumped_.00584724
; ASCII "system.ini"
0058435D B2 01
mov dl,1
0058435F A1 04084700
mov eax,
dword ptr ds:[470804]
00584364 E8 4BC5EEFF
call dumped_.004708B4
00584369 8BF0
mov esi,
eax
0058436B 68 38475800
push dumped_.00584738
00584370 8D85 60FFFFFF
lea eax,
dword ptr ss:[
ebp-A0]
00584376 50
push eax
00584377 B9 70475800
mov ecx,dumped_.00584770
; ASCII "protect" ★这里是为什么脱壳程序运行后会被删除的原因之一★
0058437C BA 54475800
mov edx,dumped_.00584754
; ASCII "hsjsign_install" ★等会儿会作详细说明★
00584381 8BC6
mov eax,
esi
00584383 8B18
mov ebx,
dword ptr ds:[
eax]
00584385 FF13
call dword ptr ds:[
ebx]
00584387 8B95 60FFFFFF
mov edx,
dword ptr ss:[
ebp-A0]
0058438D 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584390 05 80000000
add eax,80
00584395 E8 F602E8FF
call dumped_.00404690
0058439A 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0058439D 8B80 80000000
mov eax,
dword ptr ds:[
eax+80]
005843A3 E8 104EE8FF
call dumped_.004091B8
005843A8 8BD8
mov ebx,
eax
005843AA 43
inc ebx
005843AB 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005843AE 8958 0C
mov dword ptr ds:[
eax+C],
ebx
005843B1 8D95 5CFFFFFF
lea edx,
dword ptr ss:[
ebp-A4]
005843B7 8BC3
mov eax,
ebx
005843B9 E8 5A4DE8FF
call dumped_.00409118
005843BE 8B85 5CFFFFFF
mov eax,
dword ptr ss:[
ebp-A4]
005843C4 50
push eax
005843C5 B9 70475800
mov ecx,dumped_.00584770
; ASCII "protect" ★这里是为什么脱壳程序运行后会被删除的原因之一★
005843CA BA 54475800
mov edx,dumped_.00584754
; ASCII "hsjsign_install" ★等会儿会作详细说明★
005843CF 8BC6
mov eax,
esi
005843D1 8B18
mov ebx,
dword ptr ds:[
eax]
005843D3 FF53 04
call dword ptr ds:[
ebx+4]
005843D6 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005843D9 8378 0C 01
cmp dword ptr ds:[
eax+C],1
005843DD 75 2F
jnz short dumped_.0058440E
005843DF E8 8067E8FF
call dumped_.0040AB64
005843E4 83C4 F4
add esp,-0C
005843E7 DB3C24
fstp tbyte
ptr ss:[
esp]
005843EA 9B
wait
005843EB 8D85 58FFFFFF
lea eax,
dword ptr ss:[
ebp-A8]
005843F1 E8 B261E8FF
call dumped_.0040A5A8
005843F6 8B85 58FFFFFF
mov eax,
dword ptr ss:[
ebp-A8]
005843FC 50
push eax
005843FD B9 44475800
mov ecx,dumped_.00584744
; ASCII "date" ★这里是为什么脱壳程序运行后会被删除的原因之一★
00584402 BA 54475800
mov edx,dumped_.00584754
; ASCII "hsjsign_install" ★等会儿会作详细说明★
00584407 8BC6
mov eax,
esi
00584409 8B18
mov ebx,
dword ptr ds:[
eax]
0058440B FF53 04
call dword ptr ds:[
ebx+4]
0058440E 8BC6
mov eax,
esi
00584410 E8 37F4E7FF
call dumped_.0040384C
00584415 8D95 54FFFFFF
lea edx,
dword ptr ss:[
ebp-AC]
0058441B A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
00584420 8B00
mov eax,
dword ptr ds:[
eax]
00584422 E8 B9B3EEFF
call dumped_.0046F7E0
00584427 8B85 54FFFFFF
mov eax,
dword ptr ss:[
ebp-AC]
0058442D E8 8EDAFFFF
call dumped_.00581EC0
00584432 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584435 8B40 0C
mov eax,
dword ptr ds:[
eax+C]
00584438 83F8 01
cmp eax,1
; eax = [eax+C],即上面 005843AA inc ebx 后写回 system.ini "protect" 键的计数
0058443B 0F8E A2000000
jle dumped_.005844E3
; 计数 <= 1:直接到 005844E3 正常收尾;计数 = 2:下面 00584446~00584475 弹两个 MessageBoxA 后到 0058447A;
; 计数 > 2:00584444 的 jnz 直接跳到 0058447A。0058447A 起的 call 00402B14 / mov eax,0A / call 00403104 等具体做什么本文未标注,
; 真正删除文件的动作也没有出现在这段跟踪里,所以标题中的 autoexec.bat "自杀"机制还需在后文实际验证。
00584441 83F8 02
cmp eax,2
00584444 75 34
jnz short dumped_.0058447A
00584446 6A 00
push 0
00584448 68 78475800
push dumped_.00584778
0058444D 68 80475800
push dumped_.00584780
00584452 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584455 E8 CA05EDFF
call dumped_.00454A24
0058445A 50
push eax
0058445B E8 E433E8FF
call dumped_.00407844
; jmp to user32.MessageBoxA
00584460 6A 00
push 0
00584462 68 64485800
push dumped_.00584864
00584467 68 70485800
push dumped_.00584870
0058446C 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0058446F E8 B005EDFF
call dumped_.00454A24
00584474 50
push eax
00584475 E8 CA33E8FF
call dumped_.00407844
; jmp to user32.MessageBoxA
0058447A E8 95E6E7FF
call dumped_.00402B14
0058447F B8 0A000000
mov eax,0A
00584484 E8 7BECE7FF
call dumped_.00403104
00584489 8D95 50FFFFFF
lea edx,
dword ptr ss:[
ebp-B0]
0058448F E8 844CE8FF
call dumped_.00409118
00584494 8B85 50FFFFFF
mov eax,
dword ptr ss:[
ebp-B0]
0058449A 8A10
mov dl,
byte ptr ds:[
eax]
0058449C 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0058449F 05 80000000
add eax,80
005844A4 E8 7303E8FF
call dumped_.0040481C
005844A9 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005844AC 8B80 80000000
mov eax,
dword ptr ds:[
eax+80]
005844B2 E8 014DE8FF
call dumped_.004091B8
005844B7 8BD8
mov ebx,
eax
005844B9 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005844BC 8958 0C
mov dword ptr ds:[
eax+C],
ebx
005844BF D1FB
sar ebx,1
005844C1 79 03
jns short dumped_.005844C6
005844C3 83D3 00
adc ebx,0
005844C6 85DB
test ebx,
ebx
005844C8 75 12
jnz short dumped_.005844DC
005844CA 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005844CD 8B80 7C060000
mov eax,
dword ptr ds:[
eax+67C]
005844D3 B2 01
mov dl,1
005844D5 E8 4EF2EBFF
call dumped_.00443728
005844DA EB 0C
jmp short dumped_.005844E8
005844DC E8 E7FFE7FF
call dumped_.004044C8
005844E1 EB 05
jmp short dumped_.005844E8
005844E3 E8 E0FFE7FF
call dumped_.004044C8
005844E8 33C0
xor eax,eax ; 清零 eax(原注 eax=001D5200 有误,xor 后必为0);下面用 eax=0 访问 fs:[0] 恢复 SEH 链
005844EA 5A
pop edx
005844EB 59
pop ecx
005844EC 59
pop ecx
005844ED 64:8910
mov dword ptr fs:[
eax],
edx
005844F0 68 A8455800
push dumped_.005845A8
005844F5 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
005844F8 8B80 9C030000
mov eax,
dword ptr ds:[
eax+39C]
005844FE 33D2
xor edx,
edx
00584500 E8 57F8EFFF
call dumped_.00483D5C
00584505 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584508 8B80 4C030000
mov eax,
dword ptr ds:[
eax+34C]
0058450E B2 05
mov dl,5
00584510 E8 B791ECFF
call dumped_.0044D6CC
00584515 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584518 8B80 28060000
mov eax,
dword ptr ds:[
eax+628]
0058451E 33D2
xor edx,
edx
00584520 E8 DB9BECFF
call dumped_.0044E100
00584525 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584528 8B80 5C060000
mov eax,
dword ptr ds:[
eax+65C]
0058452E 33D2
xor edx,
edx
00584530 E8 CB9BECFF
call dumped_.0044E100
00584535 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584538 8B80 60030000
mov eax,
dword ptr ds:[
eax+360]
0058453E 33D2
xor edx,
edx
00584540 E8 BB9BECFF
call dumped_.0044E100
00584545 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584548 8B80 68030000
mov eax,
dword ptr ds:[
eax+368]
0058454E 33D2
xor edx,
edx
00584550 E8 AB9BECFF
call dumped_.0044E100
00584555 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584558 8B80 6C030000
mov eax,
dword ptr ds:[
eax+36C]
0058455E 33D2
xor edx,
edx
00584560 E8 9B9BECFF
call dumped_.0044E100
00584565 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584568 8B80 70030000
mov eax,
dword ptr ds:[
eax+370]
0058456E 33D2
xor edx,
edx
00584570 E8 8B9BECFF
call dumped_.0044E100
00584575 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584578 8B80 0C060000
mov eax,
dword ptr ds:[
eax+60C]
0058457E 33D2
xor edx,
edx
00584580 E8 7B9BECFF
call dumped_.0044E100
00584585 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00584588 8B80 4C030000
mov eax,
dword ptr ds:[
eax+34C]
0058458E 33D2
xor edx,
edx
00584590 E8 6B9BECFF
call dumped_.0044E100
00584595 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
00584598 E8 AFF2E7FF
call dumped_.0040384C
0058459D C3
retn
0058459E ^\E9 3DFAE7FF
jmp dumped_.00403FE0
005845A3 ^ E9 4DFFFFFF
jmp dumped_.005844F5
005845A8 33C0
xor eax,
eax ; 异或,eax=00000000
005845AA 5A
pop edx
005845AB 59
pop ecx ; ecx=00000000
005845AC 59
pop ecx ; ecx=00584660
005845AD 64:8910
mov dword ptr fs:[
eax],
edx
005845B0 68 6A465800
push dumped_.0058466A
005845B5 8D85 50FFFFFF
lea eax,
dword ptr ss:[
ebp-B0]
005845BB BA 05000000
mov edx,5
005845C0 E8 9B00E8FF
call dumped_.00404660
005845C5 8D85 70FFFFFF
lea eax,
dword ptr ss:[
ebp-90]
005845CB BA 03000000
mov edx,3
005845D0 E8 8B00E8FF
call dumped_.00404660
005845D5 8D85 7CFFFFFF
lea eax,
dword ptr ss:[
ebp-84]
005845DB E8 5C00E8FF
call dumped_.0040463C
005845E0 8D45 80
lea eax,
dword ptr ss:[
ebp-80]
005845E3 E8 8007E8FF
call dumped_.00404D68
005845E8 8D45 84
lea eax,
dword ptr ss:[
ebp-7C]
005845EB E8 4C00E8FF
call dumped_.0040463C
005845F0 8D45 88
lea eax,
dword ptr ss:[
ebp-78]
005845F3 E8 7007E8FF
call dumped_.00404D68
005845F8 8D45 8C
lea eax,
dword ptr ss:[
ebp-74]
005845FB E8 3C00E8FF
call dumped_.0040463C
00584600 8D45 90
lea eax,
dword ptr ss:[
ebp-70]
00584603 E8 6007E8FF
call dumped_.00404D68
00584608 8D45 94
lea eax,
dword ptr ss:[
ebp-6C]
0058460B E8 2C00E8FF
call dumped_.0040463C
00584610 8D45 98
lea eax,
dword ptr ss:[
ebp-68]
00584613 E8 5007E8FF
call dumped_.00404D68
00584618 8D45 9C
lea eax,
dword ptr ss:[
ebp-64]
0058461B E8 1C00E8FF
call dumped_.0040463C
00584620 8D45 A0
lea eax,
dword ptr ss:[
ebp-60]
00584623 E8 4007E8FF
call dumped_.00404D68
00584628 8D45 A4
lea eax,
dword ptr ss:[
ebp-5C]
0058462B BA 06000000
mov edx,6
00584630 E8 2B00E8FF
call dumped_.00404660
00584635 8D45 BC
lea eax,
dword ptr ss:[
ebp-44]
00584638 BA 07000000
mov edx,7
0058463D E8 1E00E8FF
call dumped_.00404660
00584642 8D45 D8
lea eax,
dword ptr ss:[
ebp-28]
00584645 E8 F2FFE7FF
call dumped_.0040463C
0058464A 8D45 E0
lea eax,
dword ptr ss:[
ebp-20]
0058464D BA 03000000
mov edx,3
00584652 E8 0900E8FF
call dumped_.00404660
00584657 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0058465A E8 0907E8FF
call dumped_.00404D68
0058465F C3
retn
00584660 ^\E9 7BF9E7FF
jmp dumped_.00403FE0
00584665 ^ E9 4BFFFFFF
jmp dumped_.005845B5
0058466A 5F
pop edi ; edi=00470850
0058466B 5E
pop esi ; esi=0043E118
0058466C 5B
pop ebx ; ebx=FFFFFFFF
0058466D 8BE5
mov esp,
ebp
0058466F 5D
pop ebp
00584670 C3
retn ; 第二次校验正常,返回校验结果
返回到这里:
0044F798 FF93 20010000
call dword ptr ds:[
ebx+120]
0044F79E 5B
pop ebx ; 返回到这里,ebx=00B762AC
0044F79F C3
retn ; 继续返回校验结果
返回到这里:
0043E134 E8 FB150100
call dumped_.0044F734
0043E139 5B
pop ebx ; 堆栈 [0012FDC4]=00B6D110 (00B6D110),ebx=00B762AC
0043E13A C3
retn ; 继续返回校验结果
返回到这里:
00584CCE E8 75EDE7FF
call dumped_.00403A48
00584CD3 33C0
xor eax,
eax ; 返回到这里进行异或,eax=0012FDA8
00584CD5 5A
pop edx ; edx=00000000
00584CD6 59
pop ecx ; ecx=00000000
00584CD7 59
pop ecx ; ecx=00584CEE
00584CD8 64:8910
mov dword ptr fs:[
eax],
edx
00584CDB 68 F54C5800
push dumped_.00584CF5
00584CE0 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
00584CE3 BA 05000000
mov edx,5
00584CE8 E8 73F9E7FF
call dumped_.00404660
00584CED C3
retn
00584CEE ^\E9 EDF2E7FF
jmp dumped_.00403FE0
00584CF3 ^ EB EB
jmp short dumped_.00584CE0
00584CF5 5F
pop edi ; edi=00470850
00584CF6 5E
pop esi ; esi=0043E118
00584CF7 5B
pop ebx ; ebx=00B6D110
00584CF8 8BE5
mov esp,
ebp
00584CFA 5D
pop ebp
00584CFB C3
retn ; 继续返回校验结果
返回到这里:
0044376F FF53 38
call dword ptr ds:[
ebx+38]
00443772 5B
pop ebx ; 返回到这里,ebx=00BBC654
00443773 C3
retn ; 继续返回校验结果
返回到这里:
00443658 33C0
xor eax,
eax ; 返回到这里进行异或清零,eax=00000000
0044365A 5A
pop edx
0044365B 59
pop ecx
0044365C 59
pop ecx
0044365D 64:8910
mov dword ptr fs:[
eax],
edx
00443660 EB 33
jmp short dumped_.00443695
00443662 ^ E9 C506FCFF
jmp dumped_.00403D2C
00443667 A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
0044366C 8B00
mov eax,
dword ptr ds:[
eax]
0044366E 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
00443671 E8 92BC0200
call dumped_.0046F308
00443676 E8 190AFCFF
call dumped_.00404094
0044367B EB 18
jmp short dumped_.00443695
0044367D 8B43 08
mov eax,
dword ptr ds:[
ebx+8]
00443680 50
push eax
00443681 8B43 04
mov eax,
dword ptr ds:[
ebx+4]
00443684 50
push eax
00443685 56
push esi
00443686 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
00443689 8B40 34
mov eax,
dword ptr ds:[
eax+34]
0044368C 50
push eax
0044368D E8 423EFCFF
call dumped_.004074D4
; jmp to user32.DefWindowProcA
00443692 8943 0C
mov dword ptr ds:[
ebx+C],
eax
00443695 5F
pop edi
00443696 5E
pop esi
00443697 5B
pop ebx
00443698 59
pop ecx
00443699 5D
pop ebp
0044369A C3
retn ; 继续返回校验结果
返回到这里:
00426448 FF11
call dword ptr ds:[
ecx]
0042644A 83C4 0C
add esp,0C
; 返回到这里
0042644D 58
pop eax ; eax清零,eax=00000000
0042644E 5D
pop ebp
0042644F C2 1000
retn 10
; 继续返回校验结果
返回到这里:
77D37AD7 817C24 04 CDABBADC
cmp dword ptr ss:[
esp+4],DCBAABCD
; 返回到这里,堆栈 ss:[0012FE58]=DCBAABCD
77D37ADF 74 11
je short user32.77D37AF2
77D37AE1 813C24 CDABBADC
cmp dword ptr ss:[
esp],DCBAABCD
77D37AE8 75 05
jnz short user32.77D37AEF
77D37AEA 83EC 04
sub esp,4
77D37AED EB 03
jmp short user32.77D37AF2
77D37AEF 83C4 10
add esp,10
77D37AF2 83C4 08
add esp,8
77D37AF5 5B
pop ebx
77D37AF6 5F
pop edi
77D37AF7 5E
pop esi
77D37AF8 5D
pop ebp
77D37AF9 C2 1400
retn 14
; 继续返回校验结果
返回到这里:
77D3CCD4 8945 E4
mov dword ptr ss:[
ebp-1C],
eax ; 返回到这里
77D3CCD7 ^ EB B0
jmp short user32.77D3CC89
; 向上跳转
向上跳转到这里:
77D3CC89 834D FC FF
or dword ptr ss:[
ebp-4],FFFFFFFF
77D3CC8D E8 49000000
call user32.77D3CCDB
77D3CC92 8B45 E4
mov eax,
dword ptr ss:[
ebp-1C]
77D3CC95 E8 B7070200
call user32.77D5D451
77D3CC9A C2 2000
retn 20
返回到这里:
77D14455 8BC8
mov ecx,
eax ; 返回到这里
77D14457 A1 585ED677
mov eax,
dword ptr ds:[77D65E58]
77D1445C F640 02 04
test byte ptr ds:[
eax+2],4
77D14460 ^ 75 AF
jnz short user32.77D14411
; 向下跳转
向下跳转到这里:
77D14411 33D2
xor edx,
edx
77D14413 3955 E4
cmp dword ptr ss:[
ebp-1C],
edx
77D14416 74 4A
je short user32.77D14462
; 向下跳转
向下跳转到这里:
77D14416 /74 4A
je short user32.77D14462
; 向下跳转
77D14418 |64:A1 18000000
mov eax,
dword ptr fs:[18]
77D1441E |3990 40070000
cmp dword ptr ds:[
eax+740],
edx
77D14424 |74 3C
je short user32.77D14462
77D14426 |64:A1 18000000
mov eax,
dword ptr fs:[18]
......(代码太多,在此省略一部分)
0046F047 E8 C084F9FF
call dumped_.0040750C
; jmp to user32.DispatchMessageA
0046F04C EB 07
jmp short dumped_.0046F055
; 最终返回到这里,说明在第2次校验时,作者很下了一点功夫滴~~
0046F04E C686 9C000000 01
mov byte ptr ds:[
esi+9C],1
0046F055 8BC3
mov eax,
ebx
0046F057 5A
pop edx
0046F058 5F
pop edi
0046F059 5E
pop esi
0046F05A 5B
pop ebx
0046F05B C3
retn ; 为返回程序做最后准备
返回到这里:
0046F07E E8 41FFFFFF
call dumped_.0046EFC4
0046F083 84C0
test al,
al ; 返回到这里,al=01
0046F085 75 09
jnz short dumped_.0046F090
0046F087 8BD4
mov edx,
esp
0046F089 8BC3
mov eax,
ebx
0046F08B E8 98080000
call dumped_.0046F928
0046F090 83C4 1C
add esp,1C
0046F093 5B
pop ebx
0046F094 C3
retn ; 为返回程序做最后准备
返回到这里:(★)
0046F2A3 33C0
xor eax,
eax ; 返回到这里
0046F2A5 5A
pop edx
0046F2A6 59
pop ecx
0046F2A7 59
pop ecx
0046F2A8 64:8910
mov dword ptr fs:[
eax],
edx
0046F2AB EB 15
jmp short dumped_.0046F2C2
0046F2AD ^ E9 7A4AF9FF
jmp dumped_.00403D2C
0046F2B2 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
0046F2B5 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0046F2B8 E8 4B000000
call dumped_.0046F308
0046F2BD E8 D24DF9FF
call dumped_.00404094
0046F2C2 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0046F2C5 80B8 9C000000 00
cmp byte ptr ds:[
eax+9C],0
0046F2CC ^ 74 BF
je short dumped_.0046F28D
; 向上跳转,作循环运算
0046F2CE 33C0
xor eax,
eax
0046F2D0 5A
pop edx
0046F2D1 59
pop ecx
0046F2D2 59
pop ecx
0046F2D3 64:8910
mov dword ptr fs:[
eax],
edx
0046F2D6 68 EDF24600
push dumped_.0046F2ED
0046F2DB 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0046F2DE C680 A5000000 00
mov byte ptr ds:[
eax+A5],0
0046F2E5 C3
retn ; 返回程序,时时刻刻作校验
●KuNgBiM小帖士●
程序既然在一处做了这种文件大小校验,就很可能不止一处(本例至少三处),所以我们应趁热打铁,用代码搜索的方法,一气呵成,把能改的相同处一起改掉!
但只搜 cmp eax,0FA000 这一种写法不是万能的(编译器可能用别的指令形式,或把常量放在别处),所以更全面的办法是用UE、WinHEX等16进制编辑器搜索完整的机器码 3D 00 A0 0F 00,再逐处核对反汇编上下文——只搜 00A00F 三个字节会多出无关命中(见下面的提示)。这里主要讲的是跟踪代码、获得关键信息的方法。
利用上述办法,我们在OD中用 Ctrl + S 搜索“cmp eax,0FA000”,还真搜到一处:
(
★重要★【第三处】)
00584E88 E8 77CFFFFF
call dumped_.00581E04
00584E8D 3D 00A00F00
cmp eax,0FA000
; 这里作者怕加壳后出错,所以给定了程序一个大小限制范围 FA000
; FA000 = 1024000字节
00584E92 7E 1C
jle short dumped_.00584EB0
; 如果文件大小,小于这个数据,那么才能正常运行,必须跳!
*************************
代码修改:
00584E8D 3D 00A00F00
cmp eax,0FA000 //
我改为:cmp eax,0FFFFFFF (嘿嘿,268435455字节约为256MB,有多少的软件能大过256MB啊?)
*************************
●KuNgBiM小帖士●
好了,到此代码就算修改完毕了,不过提醒一点,用UE、WinHEX等16进制搜索代码修改时,只搜“00A00F”一共搜索到了4处,而程序需要改的只有3处,有一处为程序界面校验,这处关系到程序有无边框——这正说明盲目搜短字节串再全部替换是危险的:每处命中都要对照下面【总结去自校验修改点】列出的三个地址核对反汇编上下文,或者改搜完整的 3D 00 A0 0F 00。若你觉得“无边框”的程序窗口看得过去,那么就直接用UE、WinHEX等16进制搜索代码修改,否则,还是学我乖乖地一步一步用“土办法”来吧~~~呵呵~~
――――――――――――――――――――――――――――――――――――――――
【总结去自校验修改点】
00584B8C 3D 00A00F00
cmp eax,0FA000
005842C9 3D 00A00F00
cmp eax,0FA000
00584E8D 3D 00A00F00
cmp eax,0FA000
以上的汇编代码“cmp eax,0FA000”全部替换为“cmp eax,0FFFFFFF”保存即可!
再次运行我们修改保存后的程序,OK,正常运行!自校验解除咯~~~~哈哈~~~程序也不会“自杀”了~~方便以后我研究这个软件的算法分析了~~~~
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【程序自杀(原因)代码分析过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
呼~~总算完成了上面的脱壳去校验分析了,下面我们又来研究一下程序脱壳后校验失败从而引发的“自杀”原因:
既然是“自杀”,无非就是2种可能性:
①程序作者在程序中编写加入的“自杀”代码
②调用系统自身的“autoexec.bat”批处理命令,从而达到删除校验失败的程序
我们在程序的分析过程中确定了该程序是使用后者(②)的“自杀”方式,下面跟我来目睹程序的“自杀”吧:
准备条件:多准备几份脱壳但未去校验的原始程序副本以防万一,否则一旦试验失败,程序被删除就失去了分析目标,嘿嘿~~~ 我们的好帮手:Ollydbg
――――――――――――――――――――――――――――――――――――――――
打开Ollydbg,载入我们准备好的脱壳修复优化后的“dumped_.exe”文件(这里我采用的是默认脱壳文件名)
重复去自校验完全过程,到达下面这一步时请勿改动任何代码:
00584B87 E8 78D2FFFF
call dumped_.00581E04
00584B8C 3D 00A00F00
cmp eax,0FA000
; 大小校验数据
00584B91 /7E 1C
jle short dumped_.00584BAF
; 到这里时,任其发展,不要改动任何代码,让它校验失败!
00584B93 |8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
00584B96 |A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
00584B9B |8B00
mov eax,
dword ptr ds:[
eax]
00584B9D |E8 3EACEEFF
call dumped_.0046F7E0
00584BA2 |8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
00584BA5 |E8 16D3FFFF
call dumped_.00581EC0
00584BAA |E8 19F9E7FF
call dumped_.004044C8
; F8到这里,程序再次被 bpx CreateFileA 断点中断
00584BAF \E8 E0D4FFFF
call dumped_.00582094
00584BB4 84C0
test al,
al
00584BB6 74 1C
je short dumped_.00584BD4
断点效应:
004093E5 E8 9ADAFFFF
call dumped_.00406E84
; 断在这里,重复去校验过程,jmp to kernel32.CreateFileA
004093EA 5B
pop ebx ; 程序返回一个失败的数据
004093EB C3
retn
004093EC E8 D7FFFFFF
call dumped_.004093C8
004093F1 C3
retn ; 这里继续返回,准备下一步校验!
返回到这里:(★)
0041F994 8BC8
mov ecx,
eax ; 返回到这里,F8继续分析
0041F996 33D2
xor edx,
edx
0041F998 8BC3
mov eax,
ebx
0041F99A E8 BDFEFFFF
call dumped_.0041F85C
0041F99F 837B 04 00
cmp dword ptr ds:[
ebx+4],0
0041F9A3 7D 65
jge short dumped_.0041FA0A
; 这里跳了
0041F9A5 8975 F4
mov dword ptr ss:[
ebp-C],
esi
0041F9A8 C645 F8 0B
mov byte ptr ss:[
ebp-8],0B
0041F9AC 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0041F9AF 50
push eax
0041F9B0 6A 00
push 0
0041F9B2 8B0D 848C5900
mov ecx,
dword ptr ds:[598C84]
; dumped_.00418180
0041F9B8 B2 01
mov dl,1
0041F9BA A1 889E4100
mov eax,
dword ptr ds:[419E88]
0041F9BF E8 44D1FEFF
call dumped_.0040CB08
0041F9C4 E8 4F46FEFF
call dumped_.00404018
0041F9C9 EB 3F
jmp short dumped_.0041FA0A
0041F9CB 0FB7D7
movzx edx,
di
0041F9CE 8BC6
mov eax,
esi
0041F9D0 E8 9799FEFF
call dumped_.0040936C
0041F9D5 8BC8
mov ecx,
eax
0041F9D7 33D2
xor edx,
edx
0041F9D9 8BC3
mov eax,
ebx
0041F9DB E8 7CFEFFFF
call dumped_.0041F85C
0041F9E0 837B 04 00
cmp dword ptr ds:[
ebx+4],0
0041F9E4 7D 24
jge short dumped_.0041FA0A
0041F9E6 8975 F4
mov dword ptr ss:[
ebp-C],
esi
0041F9E9 C645 F8 0B
mov byte ptr ss:[
ebp-8],0B
0041F9ED 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0041F9F0 50
push eax
0041F9F1 6A 00
push 0
0041F9F3 8B0D A08C5900
mov ecx,
dword ptr ds:[598CA0]
; dumped_.00418198
0041F9F9 B2 01
mov dl,1
0041F9FB A1 E49E4100
mov eax,
dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF
call dumped_.0040CB08
0041FA05 E8 0E46FEFF
call dumped_.00404018
0041FA0A 8BC3
mov eax,
ebx ; 跳向这里
0041FA0C 807D FF 00
cmp byte ptr ss:[
ebp-1],0
0041FA10 74 0F
je short dumped_.0041FA21
; 又跳了
0041FA12 E8 F141FEFF
call dumped_.00403C08
0041FA17 64:8F05 00000000
pop dword ptr fs:[0]
0041FA1E 83C4 0C
add esp,0C
0041FA21 8BC3
mov eax,
ebx
0041FA23 5F
pop edi
0041FA24 5E
pop esi
0041FA25 5B
pop ebx
0041FA26 8BE5
mov esp,
ebp
0041FA28 5D
pop ebp
0041FA29 C2 0800
retn 8
; 返回到下一个命令地址
返回到这里:
0041F945 8BC6
mov eax,
esi ; 返回到这里
0041F947 84DB
test bl,
bl
0041F949 74 0F
je short dumped_.0041F95A
; 现在这里不跳了
0041F94B E8 B842FEFF
call dumped_.00403C08
0041F950 64:8F05 00000000
pop dword ptr fs:[0]
0041F957 83C4 0C
add esp,0C
0041F95A 8BC6
mov eax,
esi
0041F95C 5E
pop esi
0041F95D 5B
pop ebx
0041F95E 5D
pop ebp
0041F95F C2 0400
retn 4
; 继续返回到命令地址
返回到这里:(★)
0041EA96 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; 返回到这里
0041EA99 33C0
xor eax,
eax ; eax=00B7D24C
0041EA9B 55
push ebp
0041EA9C 68 C7EA4100
push dumped_.0041EAC7
0041EAA1 64:FF30
push dword ptr fs:[
eax]
0041EAA4 64:8920
mov dword ptr fs:[
eax],
esp
0041EAA7 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
0041EAAA 8BC6
mov eax,
esi
0041EAAC 8B08
mov ecx,
dword ptr ds:[
eax]
0041EAAE FF51 78
call dword ptr ds:[
ecx+78]
0041EAB1 33C0
xor eax,
eax
0041EAB3 5A
pop edx
0041EAB4 59
pop ecx
0041EAB5 59
pop ecx
0041EAB6 64:8910
mov dword ptr fs:[
eax],
edx
0041EAB9 68 CEEA4100
push dumped_.0041EACE
0041EABE 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0041EAC1 E8 864DFEFF
call dumped_.0040384C
0041EAC6 C3
retn
0041EAC7 ^ E9 1455FEFF
jmp dumped_.00403FE0
0041EACC ^ EB F0
jmp short dumped_.0041EABE
0041EACE 5E
pop esi
0041EACF 59
pop ecx
0041EAD0 5D
pop ebp
0041EAD1 C3
retn ; 关键的返回,程序“自杀”根本原因所在
返回到这里:(★★★★★)
00581F9E 6A 00
push 0
00581FA0 68 80205800
push dumped_.00582080
; ASCII "c:\autoexec1.bat"
; 在C盘目录下生成一个批处理文件,执行程序所向系统发出的删除命令
; ★跟到这里,我已经拷贝了那个“作恶”的批处理文件★
00581FA5 E8 5251E8FF
call dumped_.004070FC
; jmp to kernel32.WinExec
00581FAA 33C0
xor eax,
eax ; eax=00000021
00581FAC 5A
pop edx
00581FAD 59
pop ecx
00581FAE 59
pop ecx
00581FAF 64:8910
mov dword ptr fs:[
eax],
edx
00581FB2 EB 0A
jmp short dumped_.00581FBE
00581FB4 ^ E9 731DE8FF
jmp dumped_.00403D2C
00581FB9 E8 D620E8FF
call dumped_.00404094
00581FBE 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
; 清零,eax=00000000
00581FC1 E8 8618E8FF
call dumped_.0040384C
00581FC6 33C0
xor eax,
eax ; 异或清零,eax=00000000
00581FC8 5A
pop edx
00581FC9 59
pop ecx
00581FCA 59
pop ecx
00581FCB 64:8910
mov dword ptr fs:[
eax],
edx
00581FCE 68 F01F5800
push dumped_.00581FF0
00581FD3 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
00581FD6 BA 03000000
mov edx,3
00581FDB E8 8026E8FF
call dumped_.00404660
00581FE0 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
; 清零,eax=00000000
00581FE3 E8 5426E8FF
call dumped_.0040463C
00581FE8 C3
retn
00581FE9 ^ E9 F21FE8FF
jmp dumped_.00403FE0
00581FEE ^ EB E3
jmp short dumped_.00581FD3
00581FF0 5F
pop edi ; dumped_.00470850
00581FF1 5E
pop esi
00581FF2 5B
pop ebx
00581FF3 8BE5
mov esp,
ebp
00581FF5 5D
pop ebp
00581FF6 C3
retn ; 返回程序并执行命令
返回到这里:(★★★★★)
00584BAA E8 19F9E7FF
call dumped_.004044C8
; 程序到这里,就已经执行该命令了,Game Over ~
00584BAF E8 E0D4FFFF
call dumped_.00582094
00584BB4 84C0
test al,
al
........
【程序“自杀”原因|批处理文件内容】
:
loop
if exist
"D:\文章试验品\图章制作系统\dumped_.exe" del
"D:\文章试验品\图章制作系统\dumped_.exe"
if exist
"D:\文章试验品\图章制作系统\dumped_.exe" goto
loop
if not exist
"D:\文章试验品\图章制作系统\dumped_.exe" del
"c:\autoexec1.bat"
--------------------------------------------------------------------------------------------
【本章总结】
作者同样采用CRC冗余代码校验方式,检测程序是否已遭受破解,狠心的是在检测程序完整性失败后(非脱壳校验失败),调用“autoexec.bat”批处理命令以及系统配置文件“system.ini”,在后台随机删除一个系统文件,从而降低程序遭受破解的可能性,由此加大了对破解者机器的威胁,而检测是时时刻刻存在的,所以一定要分析完后再做修改!
提醒一点:在脱壳未去校验前,千万请勿对程序作任何代码修改,避免不必要的事件发生!
--------------------------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]--------------------------------------------------------------------------------------------
UnPacked & Cracked By KuNgBiM[DFCG]
2005-08-01
23:09:18 PM