【Author】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【Author's e-mail】 stasi@163.com
【Tools used】 od
【Platform】 Win9x/NT/2000/XP
【Software name】 北斗 (Beidou) nspack2.3
【Download】 www.nsdsn.com
【Description】 北斗 nspack2.3, an excellent domestic packer
【Size】 5k
【Packer】 nspack2.3
【Statement】 I'm just a little newbie; I picked up a bit of insight and would like to share it with everyone :)
--------------------------------------------------------------------------------
【Cracking notes】
I downloaded two versions, 北斗 2.3 and 2.6; the unpacked output of 2.6 does not work across platforms, so only 2.3 is usable.
When 北斗 packs a DLL it can optionally process the relocation table. After dumping directly at the OEP, the relocation table cannot be found, which shows the export table has been tampered with.
100045F8 R> 9C pushfd **** entry point
100045F9 60 pushad
100045FA E8 00000000 call REALIGN.100045FF
100045FF 5D pop ebp
10004600 B8 07000000 mov eax,7
10004605 2BE8 sub ebp,eax
10004607 8DB5 88FEFFFF lea esi,dword ptr ss:[ebp-178]
1000460D 8B06 mov eax,dword ptr ds:[esi]
1000460F 83F8 00 cmp eax,0
10004612 74 11 je short REALIGN.10004625
0006FB6C 100045F8 offset REALIGN.
0006FB70 0006FBA0
0006FB74 0006FBAC
0006FB78 0006FB8C
hr 0006FB6C
10004871 9D popfd
10004872 - E9 EAD2FFFF jmp REALIGN.10001B61
10004877 8BB5 3CFEFFFF mov esi,dword ptr ss:[ebp-1C4]
1000487D 0BF6 or esi,esi
1000487F 0F84 97000000 je REALIGN.1000491C
10001B61 /. 55 push ebp **** oep=1B61
10001B62 |. 8BEC mov ebp,esp
10001B64 |. 53 push ebx
10001B65 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
10001B68 |. 56 push esi
10001B69 |. 8B75 0C mov esi,dword ptr ss:[ebp+C]
10001B6C |. 57 push edi
10001B6D |. 8B7D 10 mov edi,dword ptr ss:[ebp+10]
10001B70 |. 85F6 test esi,esi
10001B72 |. 75 09 jnz short REALIGN.10001B7D
10001B74 |. 833D 041C0010 >cmp dword ptr ds:[10001C04],0
The import table, size=48:
10001000 77903039 IMAGEHLP.ImageNtHeader
10001004 00000000
10001008 77E69168 KERNEL32.CloseHandle
1000100C 77E6F2A6 KERNEL32.SetEndOfFile
10001010 77E7C912 KERNEL32.DisableThreadLibraryCalls
10001014 77E7D7CC KERNEL32.SetFilePointer
10001018 77E757E2 KERNEL32.CreateFileA
1000101C 77E732AF KERNEL32.GlobalFree
10001020 77E716B4 KERNEL32.GlobalAlloc
10001024 77E7154E KERNEL32.SetHandleCount
10001028 77E6A63A KERNEL32.LoadResource
1000102C 77E7D38D KERNEL32.FindResourceA
10001030 00000000
10001034 780014A9
10001038 7800BD6A
1000103C 78001DB0
10001040 7800119B
10001044 7801F4E5
10001048 7803A670
The base relocation table can be repaired by hand:
First locate the addresses that need relocating
1000108C 1000170B REALIGN.1000170B
10001090 10001711 REALIGN.10001711
1000109C 100019E9 REALIGN.100019E9
100010A0 100019EF REALIGN.100019EF
...
1000446C 10001000 REALIGN.10001000
100044B0 10001000 REALIGN.10001000
Then construct the base relocation table yourself:
unsigned char data[320] = {
0x00, 0x10, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x8C, 0x30, 0x90, 0x30, 0x9C, 0x30, 0xA0, 0x30,
0xBD, 0x30, 0xC3, 0x30, 0xEA, 0x30, 0x07, 0x31, 0x0E, 0x31, 0x15, 0x31, 0x3D, 0x31, 0x6F, 0x31,
0x96, 0x31, 0x9B, 0x31, 0xBE, 0x31, 0xDE, 0x31, 0xE4, 0x31, 0xFD, 0x31, 0x26, 0x32, 0x77, 0x32,
0x8D, 0x32, 0xAE, 0x32, 0xBD, 0x32, 0xC2, 0x32, 0xC8, 0x32, 0xCF, 0x32, 0xD9, 0x32, 0xE0, 0x32,
0xEA, 0x32, 0x1D, 0x33, 0x25, 0x33, 0x2B, 0x33, 0x30, 0x33, 0x4D, 0x33, 0x63, 0x33, 0x75, 0x33,
0x7B, 0x33, 0x83, 0x33, 0xA5, 0x33, 0xAD, 0x33, 0xB3, 0x33, 0xBE, 0x33, 0xC9, 0x33, 0xCF, 0x33,
0xE6, 0x33, 0xEC, 0x33, 0xF4, 0x33, 0xFD, 0x33, 0x0B, 0x34, 0x11, 0x34, 0x1A, 0x34, 0x20, 0x34,
0x2B, 0x34, 0x35, 0x34, 0x3E, 0x34, 0x47, 0x34, 0x4D, 0x34, 0x53, 0x34, 0x5F, 0x34, 0x81, 0x34,
0x9A, 0x34, 0xA1, 0x34, 0xAC, 0x34, 0xB3, 0x34, 0xBF, 0x34, 0xC5, 0x34, 0xCA, 0x34, 0xD6, 0x34,
0xE3, 0x34, 0xEA, 0x34, 0x11, 0x35, 0x17, 0x35, 0x20, 0x35, 0x35, 0x35, 0x3D, 0x35, 0x43, 0x35,
0x49, 0x35, 0x4F, 0x35, 0x5F, 0x35, 0x6C, 0x35, 0x74, 0x35, 0x80, 0x35, 0xB5, 0x35, 0xC2, 0x35,
0xCE, 0x35, 0xDD, 0x35, 0xE6, 0x35, 0xEE, 0x35, 0xF9, 0x35, 0x09, 0x36, 0x10, 0x36, 0x17, 0x36,
0x1D, 0x36, 0x22, 0x36, 0x38, 0x36, 0x3E, 0x36, 0x47, 0x36, 0x4D, 0x36, 0x53, 0x36, 0x5C, 0x36,
0x67, 0x36, 0x71, 0x36, 0x7A, 0x36, 0x80, 0x36, 0x86, 0x36, 0x8C, 0x36, 0x9D, 0x36, 0xAB, 0x36,
0xB1, 0x36, 0xB8, 0x36, 0xC7, 0x36, 0xD4, 0x36, 0xDB, 0x36, 0xE9, 0x36, 0x01, 0x37, 0x17, 0x37,
0x1D, 0x37, 0x29, 0x37, 0x2E, 0x37, 0x39, 0x37, 0x41, 0x37, 0x47, 0x37, 0x4F, 0x37, 0x96, 0x37,
0x9B, 0x37, 0x17, 0x3A, 0xB2, 0x3A, 0xC0, 0x3A, 0xC8, 0x3A, 0xCE, 0x3A, 0xD9, 0x3A, 0xE6, 0x3A,
0xEE, 0x3A, 0xFC, 0x3A, 0x01, 0x3B, 0x06, 0x3B, 0x0B, 0x3B, 0x16, 0x3B, 0x23, 0x3B, 0x2D, 0x3B,
0x42, 0x3B, 0x4E, 0x3B, 0x54, 0x3B, 0x76, 0x3B, 0x88, 0x3B, 0xE4, 0x3B, 0x00, 0x3C, 0x98, 0x3C,
0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x3C, 0x34, 0x6C, 0x34, 0x90, 0x34, 0xB0, 0x34
};
The base relocation table is made up of three parts:
0x00, 0x10, 0x00, 0x00 is VirtualAddress: 0x00001000
0x30, 0x01, 0x00, 0x00 is SizeOfBlock: 0x00000130; (0x130-0x8)/0x2=0x94, i.e. 148 entries
0x8C, 0x30 is an entry of the relocation array: 08C is the offset, 3 is the HIGHLOW type
Likewise:
0x00, 0x40, 0x00, 0x00 is VirtualAddress: 0x00004000
0x10, 0x00, 0x00, 0x00 is SizeOfBlock: 0x00000010; (0x10-0x8)/0x2=0x4, i.e. 4 entries
0x3C, 0x34 is an entry of the relocation array: 43C is the offset, 3 is the HIGHLOW type
Fix the PE header
100000E0 8D4F0000 DD 00004F8D ; Relocation Table address = 4F8D
100000E4 08000000 DD 00000008 ; Relocation Table size = 8
change to:
100000E0 00900000 DD 00009000 ; Relocation Table address = 8E90
100000E4 40010000 DD 00000140 ; Relocation Table size = 140 (320.)
*The Relocation Table address can be any blank spot you find, because the relocation table may live anywhere; I chose to put it together with the IAT. If you want to use a .reloc section, you have to add a section by hand, and then the section count must be increased by one as well.
You can also let relox help restore the relocation table, which is simpler.
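As an added example (not the original post's code, and not part of relox or nspack), here is a small Python script that does mechanically what the post does by hand: it builds an IMAGE_BASE_RELOCATION block list from the RVAs that need fixing (one block per 4K page, an 8-byte VirtualAddress/SizeOfBlock header, then one WORD per fixup with type 3 = HIGHLOW in the top nibble and the page offset in the low 12 bits, padded with a type-0 ABSOLUTE entry when the count is odd so SizeOfBlock stays DWORD-aligned), parses such a table back with the same (SizeOfBlock-8)/2 arithmetic, and applies the fixups the way the loader does when the DLL cannot load at its preferred base. The sample RVAs are the four from the post's 0x4000 page, so the bytes produced can be compared with the tail of the data[] array above; the image buffer and the new base 0x01500000 are constructed for the demo.

```python
import struct

# Relocation entry types from the PE spec (winnt.h names); the post only uses HIGHLOW.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address, patched by adding the base delta
PAGE_SIZE = 0x1000


def build_reloc_table(rvas, reloc_type=IMAGE_REL_BASED_HIGHLOW):
    """Build an IMAGE_BASE_RELOCATION block list from the RVAs that need fixing.

    One block per 4K page: an 8-byte header (VirtualAddress, SizeOfBlock)
    followed by one WORD per fixup, type in the top 4 bits and page offset in
    the low 12.  An odd entry count is padded with an ABSOLUTE entry so that
    SizeOfBlock stays DWORD-aligned.
    """
    pages = {}
    for rva in sorted(set(rvas)):
        pages.setdefault(rva & ~(PAGE_SIZE - 1), []).append(rva & (PAGE_SIZE - 1))
    out = bytearray()
    for page, offsets in sorted(pages.items()):
        entries = [(reloc_type << 12) | off for off in offsets]
        if len(entries) % 2:
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def parse_reloc_table(data):
    """Walk the block list and return [(rva, type), ...], dropping padding entries."""
    fixups = []
    pos = 0
    while pos + 8 <= len(data):
        page, size = struct.unpack_from("<II", data, pos)
        if size == 0:            # some tools end the list with an empty block
            break
        if size < 8 or pos + size > len(data):
            raise ValueError("bad SizeOfBlock 0x%X at offset 0x%X" % (size, pos))
        count = (size - 8) // 2  # the (SizeOfBlock-8)/2 arithmetic from the post
        for entry in struct.unpack_from("<%dH" % count, data, pos + 8):
            typ, off = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                fixups.append((page + off, typ))
        pos += size
    return fixups


def apply_relocations(image, reloc_data, old_base, new_base):
    """Rebase a flat image buffer (index == RVA) the way the Windows loader does."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    img = bytearray(image)
    for rva, typ in parse_reloc_table(reloc_data):
        if typ != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d at RVA 0x%X" % (typ, rva))
        (val,) = struct.unpack_from("<I", img, rva)
        struct.pack_into("<I", img, rva, (val + delta) & 0xFFFFFFFF)
    return bytes(img)


if __name__ == "__main__":
    # The four fixups of the post's 0x4000 page; the 0x1000 page is built the same way.
    table = build_reloc_table([0x443C, 0x446C, 0x4490, 0x44B0])
    print(table.hex())  # 00400000 10000000 3c34 6c34 9034 b034, as in the data[] tail
    # Constructed image: a 0x5000-byte buffer holding the pointer 10001000 at RVA 0x446C
    # (as the post's dump shows), rebased from 0x10000000 to a constructed base 0x01500000.
    image = bytearray(0x5000)
    struct.pack_into("<I", image, 0x446C, 0x10001000)
    fixed = apply_relocations(image, table, 0x10000000, 0x01500000)
    print("0x%08X" % struct.unpack_from("<I", fixed, 0x446C)[0])
```

The padding rule matters when you build the table for a real dump: the post's two blocks have 148 and 4 entries, so no padding was needed, but a page with an odd number of fixups must carry a 0x0000 entry or the next block header will be misaligned and the loader will read garbage.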
; Original filename and image base (the separator is a TAB)
C:\1500000.dll 01500000
; Code section indexes (the separator is a TAB)
0 1
; Syntax for each relocation (the separator is a TAB)
; ---------------------------------------------------
; RVA Type
0000108C 3
00001090 3
0000109C 3
000010A0 3
000010BD 3
000010C3 3
000010EA 3
00001107 3
0000110E 3
00001115 3
0000113D 3
0000116F 3
00001196 3
0000119B 3
000011BE 3
000011DE 3
000011E4 3
000011FD 3
00001226 3
00001277 3
0000128D 3
000012AE 3
000012BD 3
000012C2 3
000012C8 3
000012CF 3
000012D9 3
000012E0 3
000012EA 3
0000131D 3
00001325 3
0000132B 3
00001330 3
0000134D 3
00001363 3
00001375 3
0000137B 3
00001383 3
000013A5 3
000013AD 3
000013B3 3
000013BE 3
000013C9 3
000013CF 3
000013E6 3
000013EC 3
000013F4 3
000013FD 3
0000140B 3
00001411 3
0000141A 3
00001420 3
0000142B 3
00001435 3
0000143E 3
00001447 3
0000144D 3
00001453 3
0000145F 3
00001481 3
0000149A 3
000014A1 3
000014AC 3
000014B3 3
000014BF 3
000014C5 3
000014CA 3
000014D6 3
000014E3 3
000014EA 3
00001511 3
00001517 3
00001520 3
00001535 3
0000153D 3
00001543 3
00001549 3
0000154F 3
0000155F 3
0000156C 3
00001574 3
00001580 3
000015B5 3
000015C2 3
000015CE 3
000015DD 3
000015E6 3
000015EE 3
000015F9 3
00001609 3
00001610 3
00001617 3
0000161D 3
00001622 3
00001638 3
0000163E 3
00001647 3
0000164D 3
00001653 3
0000165C 3
00001667 3
00001671 3
0000167A 3
00001680 3
00001686 3
0000168C 3
0000169D 3
000016AB 3
000016B1 3
000016B8 3
000016C7 3
000016D4 3
000016DB 3
000016E9 3
00001701 3
00001717 3
0000171D 3
00001729 3
0000172E 3
00001739 3
00001741 3
00001747 3
0000174F 3
00001796 3
0000179B 3
00001A17 3
00001AB2 3
00001AC0 3
00001AC8 3
00001ACE 3
00001AD9 3
00001AE6 3
00001AEE 3
00001AFC 3
00001B01 3
00001B06 3
00001B0B 3
00001B16 3
00001B23 3
00001B2D 3
00001B42 3
00001B4E 3
00001B54 3
00001B76 3
00001B88 3
00001BE4 3
00001C00 3
00001C98 3
0000443C 3
0000446C 3
00004490 3
000044B0 3
relox then repairs the base relocation table automatically.
--------------------------------------------------------------------------------
【Summary】
Got the DLL done, and reviewed base relocation table knowledge at the same time.
--------------------------------------------------------------------------------
【Copyright】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thanks!
2005-8-30
Attachment: nspack 2.3.dll.rar