【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【作者邮箱】 stasi@163.com
【作者主页】 stasi.126.com
【使用工具】 peid ollydbg ImportREC
【破解平台】 Win9x/NT/2000/XP
【软件名称】 魔兽皇冠5.0.0805免费版 lib.dll
【下载地址】 www.92299.com
【软件简介】 1、新增自动剥皮功能。
2、新增自动采矿功能。
3、新增自动采药功能。
4、新增快捷键自动捡物功能。
【软件大小】 153k
【加壳方式】 ASProtect 2.0x Registered -> Alexey Solodovnikov
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
ASProtect 2.0x Registered -> Alexey Solodovnikov 壳的 DLL 基本没人提到过。
为了补全dll的脱壳,方便大家对以后版本的调试,我就先抛一块砖,希望能起到引玉的作用。
对象还是魔兽皇冠 5.0.0805 免费版,它目录下的 DLL 都是 ASProtect 2.0x Registered -> Alexey Solodovnikov 的壳,我选 lib.dll。
忽略所有的异常,使用原版的 OllyDbg。
1000C001 l> 60 pushad
1000C002 E8 03000000 call lib.1000C00A
1000C007 - E9 EB045D45 jmp 555DC4F7
1000C00C 55 push ebp
1000C00D C3 retn
1000C00E E8 01000000 call lib.1000C014
1000C013 EB 5D jmp short lib.1000C072
1000C015 BB EDFFFFFF mov ebx,-13
1000C01A 03DD add ebx,ebp
1000C01C 81EB 00C00000 sub ebx,0C000
1000C022 807D 4D 01 cmp byte ptr ss:[ebp+4D],1
1000C026 75 0C jnz short lib.1000C034
。
。
。
00CAC407 891F mov dword ptr ds:[edi],ebx 异常
00CAC409 16 push ss
00CAC40A 26:AA stos byte ptr es:[edi]
00CAC40C 95 xchg eax,ebp
00CAC40D ^ 70 A2 jo short 00CAC3B1
00CAC40F ^ 72 C9 jb short 00CAC3DA
00CAC411 ^ E2 CA loopd short 00CAC3DD
00CAD2FC C601 F6 mov byte ptr ds:[ecx],0F6 异常
00CAD2FF 70 67 jo short 00CAD368
00CAD301 64:8F06 pop dword ptr fs:[esi]
00CAD304 0000 add byte ptr ds:[eax],al
00CAD306 83C4 04 add esp,4
00CAD309 3E:EB 02 jmp short 00CAD30E
00CAD30C CD20 2BCF59A1 vxdjump A159CF2B
00CAD312 E8 47CB00C6 call C6CB9E5E
00CAD317 00CF add bh,cl
00CAD319 EB 7F jmp short 00CAD39A
00CAE55A C601 76 mov byte ptr ds:[ecx],76 异常
00CAE55D 10D4 adc ah,dl
00CAE55F F3:65: prefix rep:
00CAE561 25 3B71E4E0 and eax,E0E4713B
00CAE566 6F outs dx,dword ptr es:[edi]
00CAE567 AA stos byte ptr es:[edi]
00CAE568 B5 F1 mov ch,0F1
00CAE56A F1 int1
00CAE56B F3: prefix rep:
00CAE56C EB 02 jmp short 00CAE570
00CAE570 67:64:8F06 0000 pop dword ptr fs:[0] fs:[0]的异常
00CAE576 3E:EB 02 jmp short 00CAE57B 步进这个jmp
00CAE579 CD20 83C4041B vxdjump 1B04C483
00CAE57F CB retf
00CAE580 59 pop ecx
00CAE581 A1 E847CB00 mov eax,dword ptr ds:[CB47E8]
00CAE586 C600 D1 mov byte ptr ds:[eax],0D1
00CAE589 8B7C24 08 mov edi,dword ptr ss:[esp+8]
00CAE58D 85FF test edi,edi
00CAE58F 75 09 jnz short 00CAE59A
jmp到这里,处理DLL的重定位
00CAE57B 83C4 04 add esp,4
00CAE57E 1BCB sbb ecx,ebx
00CAE580 59 pop ecx
00CAE581 A1 E847CB00 mov eax,dword ptr ds:[CB47E8]
00CAE586 C600 D1 mov byte ptr ds:[eax],0D1
00CAE589 8B7C24 08 mov edi,dword ptr ss:[esp+8]
00CAE58D 85FF test edi,edi
00CAE58F 75 09 jnz short 00CAE59A
00CAE591 33C0 xor eax,eax
00CAE593 A3 FCC4CB00 mov dword ptr ds:[CBC4FC],eax
00CAE598 EB 3B jmp short 00CAE5D5
00CAE59A 8B06 mov eax,dword ptr ds:[esi]
00CAE59C 8B00 mov eax,dword ptr ds:[eax]
00CAE59E 03C7 add eax,edi
00CAE5A0 8B5424 0C mov edx,dword ptr ss:[esp+C]
00CAE5A4 E8 6F5EFEFF call 00C94418 EBX=0000A000 重定位表的RVA
00CAE5A9 8BE8 mov ebp,eax
00CAE5AB 892D 04C5CB00 mov dword ptr ds:[CBC504],ebp
00CAE5B1 3B6C24 10 cmp ebp,dword ptr ss:[esp+10]
00CAE5B5 74 0C je short 00CAE5C3
00CAE5B7 68 48E6CA00 push 0CAE648 ; ASCII "45"
00CAE5BC E8 D76DFEFF call 00C95398
00CAE5C1 EB 12 jmp short 00CAE5D5
00CAE5C3 8B4424 0C mov eax,dword ptr ss:[esp+C]
00CAE5C7 A3 00C5CB00 mov dword ptr ds:[CBC500],eax
00CAE5CC 8B4424 08 mov eax,dword ptr ss:[esp+8]
00CAE5D0 A3 FCC4CB00 mov dword ptr ds:[CBC4FC],eax
00CAE5D5 833C24 00 cmp dword ptr ss:[esp],0
00CAE5D9 74 5D je short 00CAE638 基址相符判断
00CAE5DB 035C24 04 add ebx,dword ptr ss:[esp+4]
00CAE5DF EB 51 jmp short 00CAE632
00CAE5E1 8D43 04 lea eax,dword ptr ds:[ebx+4]
00CAE5E4 8B00 mov eax,dword ptr ds:[eax]
00CAE5E6 83E8 08 sub eax,8
00CAE5E9 D1E8 shr eax,1
00CAE5EB 8BFA mov edi,edx
00CAE5ED 037C24 04 add edi,dword ptr ss:[esp+4]
00CAE5F1 83C3 08 add ebx,8
00CAE5F4 8BF0 mov esi,eax
00CAE5F6 85F6 test esi,esi
00CAE5F8 76 38 jbe short 00CAE632
00CAE5FA 66:8B13 mov dx,word ptr ds:[ebx]
00CAE5FD 0FB7C2 movzx eax,dx
00CAE600 C1E8 0C shr eax,0C
00CAE603 66:83E8 01 sub ax,1
00CAE607 72 23 jb short 00CAE62C
00CAE609 66:83E8 02 sub ax,2
00CAE60D 74 02 je short 00CAE611
00CAE60F EB 11 jmp short 00CAE622
00CAE611 66:81E2 FF0F and dx,0FFF
00CAE616 0FB7C2 movzx eax,dx
00CAE619 03C7 add eax,edi
00CAE61B 8B1424 mov edx,dword ptr ss:[esp]
00CAE61E 0110 add dword ptr ds:[eax],edx
00CAE620 EB 0A jmp short 00CAE62C
00CAE622 68 58E6CA00 push 0CAE658 ; ASCII "34"
00CAE627 E8 6C6DFEFF call 00C95398
00CAE62C 83C3 02 add ebx,2
00CAE62F 4E dec esi
00CAE630 ^ 75 C8 jnz short 00CAE5FA
00CAE632 8B13 mov edx,dword ptr ds:[ebx]
00CAE634 85D2 test edx,edx
00CAE636 ^ 75 A9 jnz short 00CAE5E1
00CAE638 83C4 14 add esp,14
00CAE63B 5D pop ebp
00CAE63C 5F pop edi
00CAE63D 5E pop esi
00CAE63E 5B pop ebx
00CAE63F C3 retn
再找 OEP:
00CAE8F9 C601 9E mov byte ptr ds:[ecx],9E 最后一次异常
00CAE8FC BB 71FE8A67 mov ebx,678AFE71
00CAE901 64:8F06 pop dword ptr fs:[esi]
00CAE904 0000 add byte ptr ds:[eax],al
0006FB00 0006FB4C 指针到下一个 SEH 记录
0006FB04 00CAE84A SE 句柄
在 0006FB00 处选择“去 EBP”(Go to EBP)
0006FB64 1000C3FE 返回到 lib.1000C3FE 来自 lib.1000C3FE
事情就简单多了
hr 1000C3FE
停在下面:
00CAE906 83C4 04 add esp,4
00CAE909 8D0C07 lea ecx,dword ptr ds:[edi+eax]
00CAE90C 59 pop ecx
00CAE90D A1 4848CB00 mov eax,dword ptr ds:[CB4848]
00CAE912 8B00 mov eax,dword ptr ds:[eax]
00CAE914 8B68 1C mov ebp,dword ptr ds:[eax+1C]
00CAE917 A1 4848CB00 mov eax,dword ptr ds:[CB4848]
00CAE91C 8B00 mov eax,dword ptr ds:[eax]
00CAE91E 8B00 mov eax,dword ptr ds:[eax]
00CAE920 894424 04 mov dword ptr ss:[esp+4],eax
00CAE924 A1 4848CB00 mov eax,dword ptr ds:[CB4848]
00CAE929 8B00 mov eax,dword ptr ds:[eax]
00CAE92B 8D78 18 lea edi,dword ptr ds:[eax+18]
00CAE92E A1 B847CB00 mov eax,dword ptr ds:[CB47B8]
00CAE933 8858 08 mov byte ptr ds:[eax+8],bl
00CAE936 833F 00 cmp dword ptr ds:[edi],0
00CAE939 75 1D jnz short 00CAE958
00CAE93B 83C5 20 add ebp,20
00CAE93E A1 9846CB00 mov eax,dword ptr ds:[CB4698]
00CAE943 8078 09 00 cmp byte ptr ds:[eax+9],0
00CAE947 75 0F jnz short 00CAE958
00CAE949 B8 1F000000 mov eax,1F
00CAE94E E8 BD3FFDFF call 00C82910
00CAE953 C1E0 02 shl eax,2
00CAE956 2BE8 sub ebp,eax
00CAE958 E8 B3CFFFFF call 00CAB910
00CAE95D 8BD8 mov ebx,eax
00CAE95F 833D E0C4CB00 00 cmp dword ptr ds:[CBC4E0],0
00CAE966 74 15 je short 00CAE97D
00CAE968 6A 04 push 4
00CAE96A B9 E0C4CB00 mov ecx,0CBC4E0
00CAE96F 8D4424 04 lea eax,dword ptr ss:[esp+4]
00CAE973 BA 04000000 mov edx,4
00CAE978 E8 A75BFEFF call 00C94524
00CAE97D 833D FCC4CB00 00 cmp dword ptr ds:[CBC4FC],0
00CAE984 74 15 je short 00CAE99B
00CAE986 6A 0C push 0C
00CAE988 B9 FCC4CB00 mov ecx,0CBC4FC
00CAE98D 8D4424 04 lea eax,dword ptr ss:[esp+4]
00CAE991 BA 04000000 mov edx,4
00CAE996 E8 895BFEFF call 00C94524
00CAE99B 833F 00 cmp dword ptr ds:[edi],0
00CAE99E 74 08 je short 00CAE9A8
00CAE9A0 8B0424 mov eax,dword ptr ss:[esp]
00CAE9A3 A3 0CC5CB00 mov dword ptr ds:[CBC50C],eax
00CAE9A8 8B07 mov eax,dword ptr ds:[edi]
00CAE9AA 894424 08 mov dword ptr ss:[esp+8],eax
00CAE9AE 896C24 10 mov dword ptr ss:[esp+10],ebp
00CAE9B2 8B0424 mov eax,dword ptr ss:[esp]
00CAE9B5 894424 14 mov dword ptr ss:[esp+14],eax
00CAE9B9 A1 B847CB00 mov eax,dword ptr ds:[CB47B8]
00CAE9BE 8818 mov byte ptr ds:[eax],bl
00CAE9C0 A1 E847CB00 mov eax,dword ptr ds:[CB47E8]
00CAE9C5 C600 E1 mov byte ptr ds:[eax],0E1
00CAE9C8 E8 EBEBFEFF call 00C9D5B8
00CAE9CD 8B15 A847CB00 mov edx,dword ptr ds:[CB47A8]
00CAE9D3 8802 mov byte ptr ds:[edx],al
00CAE9D5 A1 F4C4CB00 mov eax,dword ptr ds:[CBC4F4]
00CAE9DA E8 8580FFFF call 00CA6A64
00CAE9DF A1 A847CB00 mov eax,dword ptr ds:[CB47A8]
00CAE9E4 8038 00 cmp byte ptr ds:[eax],0
00CAE9E7 74 26 je short 00CAEA0F
00CAE9E9 A1 8447CB00 mov eax,dword ptr ds:[CB4784]
00CAE9EE C600 EA mov byte ptr ds:[eax],0EA
00CAE9F1 B8 32000000 mov eax,32
00CAE9F6 E8 153FFDFF call 00C82910
00CAE9FB 2905 08C5CB00 sub dword ptr ds:[CBC508],eax
00CAEA01 B8 64000000 mov eax,64
00CAEA06 E8 053FFDFF call 00C82910
00CAEA0B 014424 04 add dword ptr ss:[esp+4],eax
00CAEA0F A1 08C5CB00 mov eax,dword ptr ds:[CBC508]
00CAEA14 894424 0C mov dword ptr ss:[esp+C],eax
00CAEA18 8B4424 04 mov eax,dword ptr ss:[esp+4]
00CAEA1C 894424 18 mov dword ptr ss:[esp+18],eax
00CAEA20 A1 F4C4CB00 mov eax,dword ptr ds:[CBC4F4]
00CAEA25 E8 3642FDFF call 00C82C60
00CAEA2A A1 E847CB00 mov eax,dword ptr ds:[CB47E8]
00CAEA2F C600 E3 mov byte ptr ds:[eax],0E3
00CAEA32 8D5424 08 lea edx,dword ptr ss:[esp+8]
00CAEA36 A1 14C5CB00 mov eax,dword ptr ds:[CBC514]
00CAEA3B E8 8094FFFF call 00CA7EC0
00CAEA40 E8 B35FFFFF call 00CA49F8
00CAEA45 8BC6 mov eax,esi
00CAEA47 E8 1442FDFF call 00C82C60
00CAEA4C E8 23D0FFFF call 00CABA74
00CAEA51 83C4 2C add esp,2C
00CAEA54 5D pop ebp
00CAEA55 5F pop edi
00CAEA56 5E pop esi
00CAEA57 5B pop ebx
00CAEA58 C3 retn
再注意:
0006FB0C 29635411
0006FB10 10000000 lib.10000000
0006FB14 1000C066 lib.1000C066
hr 1000C066
步进:
00ED0102 81C0 3841684F add eax,4F684138
00ED0108 58 pop eax
00ED0109 EB 01 jmp short 00ED010C
00ED010B - 0F8D 8086F39C jge 9DE08791
00ED0111 D6 salc
00ED0112 5C pop esp
00ED0113 8D0418 lea eax,dword ptr ds:[eax+ebx]
00ED0116 894424 1C mov dword ptr ss:[esp+1C],eax
00ED011A 61 popad
00ED011B FFE0 jmp eax
如果是exe的话,这里就不是这么温柔了:(
不过我还是能成功修复几个:)
00ED010C 8D80 86F39CD6 lea eax,dword ptr ds:[eax+D69CF386]
00ED0112 5C pop esp
00ED0113 8D0418 lea eax,dword ptr ds:[eax+ebx]
00ED0116 894424 1C mov dword ptr ss:[esp+1C],eax
00ED011A 61 popad
00ED011B FFE0 jmp eax
10004797 55 db 55 ; CHAR 'U'
10004798 8B db 8B
10004799 EC db EC
1000479A 53 db 53 ; CHAR 'S'
1000479B 8B db 8B
1000479C 5D db 5D ; CHAR ']'
1000479D 08 db 08
1000479E 56 db 56 ; CHAR 'V'
1000479F 8B db 8B
100047A0 75 db 75 ; CHAR 'u'
100047A1 0C db 0C
100047A2 57 db 57 ; CHAR 'W'
100047A3 8B db 8B
分析:
10004797 /. 55 push ebp **** oep
10004798 |. 8BEC mov ebp,esp
1000479A |. 53 push ebx
1000479B |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
1000479E |. 56 push esi
1000479F |. 8B75 0C mov esi,dword ptr ss:[ebp+C]
100047A2 |. 57 push edi
100047A3 |. 8B7D 10 mov edi,dword ptr ss:[ebp+10]
100047A6 |. 85F6 test esi,esi
100047A8 |. 75 09 jnz short lib.100047B3
100047AA |. 833D 04860010 >cmp dword ptr ds:[10008604],0 重定位
100047B1 |. EB 26 jmp short lib.100047D9
LordPE 完全dump
基址不用修改
LordPE修正重定位
RVA=0000A000 size=798 (大小用眼睛看!看雪说过:连RVA都能看出来,让大家看出个size不难吧?)
找全输入表:错误的几个,载入一看就知道了:)
10005004 77E6B608 KERNEL32.SetEvent
10005008 77E7C0F8 KERNEL32.VirtualProtect
1000500C 77E7C1C6 KERNEL32.LocalFree
10005010 77E7C13B KERNEL32.LocalAlloc
10005014 000066E2
10005018 00000000
1000501C 6BCA02CB mfc42.#1089
10005020 6BCA02E1 mfc42.#5199
10005024 6BC8E18A mfc42.#2396
10005028 6BC8E6BB mfc42.#3346
1000502C 6BC8E571 mfc42.#5300
10005030 6BC8E775 mfc42.#5302
10005034 6BC8E21E mfc42.#4079
10005038 6BC8E7EC mfc42.#4698
1000503C 6BC8E6D6 mfc42.#5307
10005040 6BC8E421 mfc42.#5289
10005044 6BC8E71C mfc42.#5714
10005048 6BC8DB08 mfc42.#3147
1000504C 6BC8DB08 mfc42.#3147
10005050 6BC8DB08 mfc42.#3147
10005054 6BC8B8FF mfc42.#1776
10005058 6BC8DAC4 mfc42.#3136
1000505C 6BC8DACA mfc42.#3262
10005060 6BC8DB02 mfc42.#2985
10005064 6BC8DABE mfc42.#3081
10005068 6BC8DB0D mfc42.#2976
1000506C 6BC8DA71 mfc42.#3830
10005070 6BC8E19C mfc42.#3825
10005074 6BC8E19C mfc42.#3825
10005078 6BC8DB08 mfc42.#3147
1000507C 6BC8DA6B mfc42.#4080
10005080 6BC8DAD0 mfc42.#4622
10005084 6BC8D95C mfc42.#4424
10005088 6BCB4613 mfc42.#3738
1000508C 6BCB4479 mfc42.#815
10005090 6BC4151D mfc42.#348
。
。
。
100051E8 7801E504 MSVCRT.__dllonexit
100051EC 78007191 MSVCRT.__CxxFrameHandler
100051F0 7800B6EB MSVCRT._mbscmp
100051F4 78009337 MSVCRT.exception::exception
100051F8 780074BC MSVCRT.exception::~exception
100051FC 780092E9 MSVCRT.exception::exception
10005200 78001DB0 MSVCRT.free
10005204 7800119B MSVCRT._initterm
10005208 780014A9 MSVCRT.malloc
1000520C 7803A670 offset MSVCRT._adjust_fdiv
10005210 7800756F MSVCRT.type_info::~type_info
10005214 7801E417 MSVCRT._onexit
10005218 780179D6 MSVCRT._EH_prolog
1000521C 7800BC73 MSVCRT._purecall
10005220 7800FFB4 MSVCRT.memmove
10005224 780070D4 MSVCRT._CxxThrowException
10005228 00000000
1000522C 77DF387F USER32.GetForegroundWindow
10005230 77E12FCB USER32.SetWindowsHookExA
10005234 77DF6E00 USER32.UnhookWindowsHookEx
10005238 77DF679C USER32.CallNextHookEx
1000523C 77DF706A USER32.GetWindowTextA
DLL_Loader 显示加载成功!
MISSION ALL OVER!
--------------------------------------------------------------------------------
【破解总结】
9:00就要看抗战60周年纪念了,匆忙写就,望大家谅解。祝大家抗
ASProtect 2.0x Registered -> Alexey Solodovnikov 成功!
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
2005-9-3
附件:asprotect dll.rar