一款早期acad平台上的工程软件。工具OllyICE_1.10:先启动工程软件,然后用od附加acad进程,找到加密的模块,剩下的就是枯燥的跟踪调试了。共修改17处,主要为跳转,另外编写一小段源码,放到程序段或程序头的空白位置。下边是17处修改的段落,每处上边的是修改后的,下边的是原程序的,最后是新加的一段代码。狗是早期的RG-UMH。
----1----------------------------------------------------------------------------------------------------------------------------
0396388C 56 push esi
0396388D 57 push edi
0396388E 8965 F0 mov dword ptr [ebp-10], esp
03963891 FF15 0450BA03 call dword ptr [<&KERNEL32.IsDebugger>; kernel32.IsDebuggerPresent
03963897 85C0 test eax, eax
03963899 33C0 xor eax, eax
0396389B 90 nop
0396389C A3 B402BD03 mov dword ptr [3BD02B4], eax
039638A1 8B45 08 mov eax, dword ptr [ebp+8]
039638A4 48 dec eax
039638A5 83F8 64 cmp eax, 64
039638A8 0F87 01020000 ja 03963AAF
039638AE 33C9 xor ecx, ecx
039638B0 8A88 E43A9603 mov cl, byte ptr [eax+3963AE4]
---------------------------------------------------------------------------------------------------------------------------------
037A388C 56 push esi
037A388D 57 push edi
037A388E 8965 F0 mov dword ptr [ebp-10], esp
037A3891 FF15 04509E03 call dword ptr [<&KERNEL32.IsDebugger>; kernel32.IsDebuggerPresent
037A3897 85C0 test eax, eax
037A3899 74 06 je short 037A38A1 ; (initial cpu selection)
037A389B FF05 B402A103 inc dword ptr [3A102B4]
037A38A1 8B45 08 mov eax, dword ptr [ebp+8]
037A38A4 48 dec eax
037A38A5 83F8 64 cmp eax, 64
037A38A8 0F87 01020000 ja 037A3AAF
037A38AE 33C9 xor ecx, ecx
037A38B0 8A88 E43A7A03 mov cl, byte ptr [eax+37A3AE4]
---2----------------------------------------------------------------------------------------------------------------------------
0396393F 8D4D D0 lea ecx, dword ptr [ebp-30]
03963942 50 push eax
03963943 B3 01 mov bl, 1
03963945 51 push ecx
03963946 E8 B5CBF4FF call 038B0500 ;自编代码位置
0396394B 90 nop
0396394C 90 nop
0396394D 8D4D C0 lea ecx, dword ptr [ebp-40]
03963950 885D FC mov byte ptr [ebp-4], bl
03963953 E8 384B0300 call 03998490
---------------------------------------------------------------------------------------------------------------------------------
037A393F 8D4D D0 lea ecx, dword ptr [ebp-30]
037A3942 50 push eax
037A3943 B3 01 mov bl, 1
037A3945 51 push ecx
037A3946 C745 FC 0000000>mov dword ptr [ebp-4], 0
037A394D 8D4D C0 lea ecx, dword ptr [ebp-40]
037A3950 885D FC mov byte ptr [ebp-4], bl
037A3953 E8 384B0300 call 037D8490
----3---------------------------------------------------------------------------------------------------------------------------
03968897 50 push eax
03968898 A1 A406BD03 mov eax, dword ptr [3BD06A4]
0396889D 50 push eax
0396889E C3 retn
0396889F 8B45 EC mov eax, dword ptr [ebp-14]
039688A2 F6C4 80 test ah, 80
039688A5 EB 63 jmp short 0396890A
039688A7 8D4D E8 lea ecx, dword ptr [ebp-18]
039688AA 6A 05 push 5
039688AC 51 push ecx
039688AD E8 96FA0200 call <jmp.&HintConf.#3>
039688B2 83C4 08 add esp, 8
039688B5 8D55 8C lea edx, dword ptr [ebp-74]
---------------------------------------------------------------------------------------------------------------------------------
037A8897 50 push eax
037A8898 A1 A406A103 mov eax, dword ptr [3A106A4]
037A889D 50 push eax
037A889E C3 retn
037A889F 8B45 EC mov eax, dword ptr [ebp-14]
037A88A2 F6C4 80 test ah, 80
037A88A5 74 63 je short 037A890A
037A88A7 8D4D E8 lea ecx, dword ptr [ebp-18]
037A88AA 6A 05 push 5
037A88AC 51 push ecx
037A88AD E8 96FA0200 call <jmp.&HintConf.#3>
037A88B2 83C4 08 add esp, 8
037A88B5 8D55 8C lea edx, dword ptr [ebp-74]
------4-------------------------------------------------------------------------------------------------------------------------
039688FE A1 A406BD03 mov eax, dword ptr [3BD06A4]
03968903 50 push eax
03968904 C3 retn
03968905 E9 EF000000 jmp 039689F9
0396890A 66:3D 0100 cmp ax, 1
0396890E 90 nop
0396890F E9 CC000000 jmp 039689E0
03968914 FF15 0050BA03 call dword ptr [<&KERNEL32.GetTickCou>; kernel32.GetTickCount
0396891A 50 push eax
0396891B FF15 CC54BA03 call dword ptr [<&MSVCRT.srand>] ; MSVCRT.srand
03968921 8B3D 6C54BA03 mov edi, dword ptr [<&MSVCRT.rand>] ; MSVCRT.rand
03968927 8B5D EC mov ebx, dword ptr [ebp-14]
0396892A 83C4 04 add esp, 4
0396892D FFD7 call edi
--------------------------------------------------------------------------------------------------------------------------------
037A88FE A1 A406A103 mov eax, dword ptr [3A106A4]
037A8903 50 push eax
037A8904 C3 retn
037A8905 E9 EF000000 jmp 037A89F9
037A890A 66:3D 0100 cmp ax, 1
037A890E 0F83 CC000000 jnb 037A89E0
037A8914 FF15 00509E03 call dword ptr [<&KERNEL32.GetTickCou>; kernel32.GetTickCount
037A891A 50 push eax
037A891B FF15 CC549E03 call dword ptr [<&MSVCRT.srand>] ; MSVCRT.srand
037A8921 8B3D 6C549E03 mov edi, dword ptr [<&MSVCRT.rand>] ; MSVCRT.rand
037A8927 8B5D EC mov ebx, dword ptr [ebp-14]
037A892A 83C4 04 add esp, 4
037A892D FFD7 call edi
--------5------------------------------------------------------------------------------------------------------------------------
039689D6 50 push eax
039689D7 A1 A406BD03 mov eax, dword ptr [3BD06A4]
039689DC 50 push eax
039689DD C3 retn
039689DE EB 1F jmp short 039689FF
039689E0 EB 17 jmp short 039689F9
039689E2 EB 01 jmp short 039689E5
039689E4 E4 58 in al, 58
039689E6 A1 A806BD03 mov eax, dword ptr [3BD06A8]
039689EB 50 push eax
039689EC A1 A823BD03 mov eax, dword ptr [3BD23A8]
---------------------------------------------------------------------------------------------------------------------------------
037A89D6 50 push eax
037A89D7 A1 A406A103 mov eax, dword ptr [3A106A4]
037A89DC 50 push eax
037A89DD C3 retn
037A89DE EB 1F jmp short 037A89FF
037A89E0 76 17 jbe short 037A89F9
037A89E2 EB 01 jmp short 037A89E5
037A89E4 E4 58 in al, 58
037A89E6 A1 A806A103 mov eax, dword ptr [3A106A8]
037A89EB 50 push eax
037A89EC A1 A823A103 mov eax, dword ptr [3A123A8]
-------6-----------------------------------------------------------------------------------------------------------------------
03968E3C E8 9090F4FF call 038B1ED1
03968E41 8B45 E0 mov eax, dword ptr [ebp-20]
03968E44 8B3D 6C54BA03 mov edi, dword ptr [<&MSVCRT.rand>] ; MSVCRT.rand
03968E4A C1E8 08 shr eax, 8
03968E4D 83F8 23 cmp eax, 23
03968E50 EB 0A jmp short 03968E5C
03968E52 ^ 72 F9 jb short 03968E4D
03968E54 FFFF ??? ; 未知命令
03968E56 0F85 27040000 jnz 03969283
03968E5C A1 AC23BD03 mov eax, dword ptr [3BD23AC]
03968E61 25 FF000000 and eax, 0FF
03968E66 83F8 09 cmp eax, 9
---------------------------------------------------------------------------------------------------------------------------------
037A8E3C E8 9090F4FF call 036F1ED1
037A8E41 8B45 E0 mov eax, dword ptr [ebp-20]
037A8E44 8B3D 6C549E03 mov edi, dword ptr [<&MSVCRT.rand>] ; MSVCRT.rand
037A8E4A C1E8 08 shr eax, 8
037A8E4D 83F8 23 cmp eax, 23
037A8E50 ^ 0F87 72F9FFFF ja 037A87C8
037A8E56 0F85 27040000 jnz 037A9283
037A8E5C A1 AC23A103 mov eax, dword ptr [3A123AC]
037A8E61 25 FF000000 and eax, 0FF
037A8E66 83F8 09 cmp eax, 9
-----------7--------------------------------------------------------------------------------------------------------------------
03969036 4B dec ebx
03969037 41 inc ecx
03969038 3BDE cmp ebx, esi
0396903A ^ 7F A9 jg short 03968FE5
0396903C 807D F3 28 cmp byte ptr [ebp-D], 28
03969040 EB 0C jmp short 0396904E
03969042 8B0D A823BD03 mov ecx, dword ptr [3BD23A8]
03969048 51 push ecx
03969049 ^ E9 81F7FFFF jmp 039687CF
0396904E FFD7 call edi
03969050 99 cdq
--------------------------------------------------------------------------------------------------------------------------------
037A9036 4B dec ebx
037A9037 41 inc ecx
037A9038 3BDE cmp ebx, esi
037A903A ^ 7F A9 jg short 037A8FE5
037A903C 807D F3 28 cmp byte ptr [ebp-D], 28
037A9040 76 0C jbe short 037A904E
037A9042 8B0D A823A103 mov ecx, dword ptr [3A123A8]
037A9048 51 push ecx
037A9049 ^ E9 81F7FFFF jmp 037A87CF
037A904E FFD7 call edi
037A9050 99 cdq
-----------8--------------------------------------------------------------------------------------------------------------------
0397C382 890D 9806BD03 mov dword ptr [3BD0698], ecx
0397C388 33C0 xor eax, eax
0397C38A A1 9C23BD03 mov eax, dword ptr [3BD239C]
0397C38F 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
0397C395 EB 05 jmp short 0397C39C
0397C397 05 9823BD03 add eax, 03BD2398
0397C39C 0305 A023BD03 add eax, dword ptr [3BD23A0]
0397C3A2 EB 01 jmp short 0397C3A5
0397C3A4 E5 50 in eax, 50
0397C3A6 33C0 xor eax, eax
--------------------------------------------------------------------------------------------------------------------------------
037BC382 890D 9806A103 mov dword ptr [3A10698], ecx
037BC388 33C0 xor eax, eax
037BC38A A1 9C23A103 mov eax, dword ptr [3A1239C]
037BC38F 2B05 A023A103 sub eax, dword ptr [3A123A0]
037BC395 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037BC39C 0305 A023A103 add eax, dword ptr [3A123A0]
037BC3A2 EB 01 jmp short 037BC3A5
037BC3A4 E5 50 in eax, 50
037BC3A6 33C0 xor eax, eax
---------------9----------------------------------------------------------------------------------------------------------------
0397C730 0F94C0 sete al
0397C733 A3 9823BD03 mov dword ptr [3BD2398], eax
0397C738 33C0 xor eax, eax
0397C73A A1 9C23BD03 mov eax, dword ptr [3BD239C]
0397C73F 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
0397C745 EB 05 jmp short 0397C74C
0397C747 05 9823BD03 add eax, 03BD2398
0397C74C 0305 A023BD03 add eax, dword ptr [3BD23A0]
0397C752 EB 01 jmp short 0397C755
0397C754 E5 50 in eax, 50
0397C756 33C0 xor eax, eax
--------------------------------------------------------------------------------------------------------------------------------
037BC730 0F94C0 sete al
037BC733 A3 9823A103 mov dword ptr [3A12398], eax
037BC738 33C0 xor eax, eax
037BC73A A1 9C23A103 mov eax, dword ptr [3A1239C]
037BC73F 2B05 A023A103 sub eax, dword ptr [3A123A0]
037BC745 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037BC74C 0305 A023A103 add eax, dword ptr [3A123A0]
037BC752 EB 01 jmp short 037BC755
037BC754 E5 50 in eax, 50
037BC756 33C0 xor eax, eax
------------10-------------------------------------------------------------------------------------------------------------------
0397CC69 81E1 FF000000 and ecx, 0FF
0397CC6F 890D 9806BD03 mov dword ptr [3BD0698], ecx
0397CC75 33C0 xor eax, eax
0397CC77 A1 9C23BD03 mov eax, dword ptr [3BD239C]
0397CC7C 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
0397CC82 EB 05 jmp short 0397CC89
0397CC84 05 9823BD03 add eax, 03BD2398
0397CC89 0305 A023BD03 add eax, dword ptr [3BD23A0]
0397CC8F EB 01 jmp short 0397CC92
0397CC91 E5 50 in eax, 50
0397CC93 33C0 xor eax, eax
--------------------------------------------------------------------------------------------------------------------------------
037BCC69 81E1 FF000000 and ecx, 0FF
037BCC6F 890D 9806A103 mov dword ptr [3A10698], ecx
037BCC75 33C0 xor eax, eax
037BCC77 A1 9C23A103 mov eax, dword ptr [3A1239C]
037BCC7C 2B05 A023A103 sub eax, dword ptr [3A123A0]
037BCC82 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037BCC89 0305 A023A103 add eax, dword ptr [3A123A0]
037BCC8F EB 01 jmp short 037BCC92
037BCC91 E5 50 in eax, 50
037BCC93 33C0 xor eax, eax
---------11---------------------------------------------------------------------------------------------------------------------
0397D01D 0F94C0 sete al
0397D020 A3 9823BD03 mov dword ptr [3BD2398], eax
0397D025 33C0 xor eax, eax
0397D027 A1 9C23BD03 mov eax, dword ptr [3BD239C]
0397D02C 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
0397D032 EB 05 jmp short 0397D039
0397D034 05 9823BD03 add eax, 03BD2398
0397D039 0305 A023BD03 add eax, dword ptr [3BD23A0]
0397D03F EB 01 jmp short 0397D042
0397D041 E5 50 in eax, 50
--------------------------------------------------------------------------------------------------------------------------------
037BD01D 0F94C0 sete al
037BD020 A3 9823A103 mov dword ptr [3A12398], eax
037BD025 33C0 xor eax, eax
037BD027 A1 9C23A103 mov eax, dword ptr [3A1239C]
037BD02C 2B05 A023A103 sub eax, dword ptr [3A123A0]
037BD032 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037BD039 0305 A023A103 add eax, dword ptr [3A123A0]
037BD03F EB 01 jmp short 037BD042
037BD041 E5 50 in eax, 50
-------12-----------------------------------------------------------------------------------------------------------------------
03980BA2 890D 9806BD03 mov dword ptr [3BD0698], ecx
03980BA8 33C0 xor eax, eax
03980BAA A1 9C23BD03 mov eax, dword ptr [3BD239C]
03980BAF 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
03980BB5 EB 05 jmp short 03980BBC
03980BB7 05 9823BD03 add eax, 03BD2398
03980BBC 0305 A023BD03 add eax, dword ptr [3BD23A0]
03980BC2 EB 01 jmp short 03980BC5
03980BC4 E7 50 out 50, eax
--------------------------------------------------------------------------------------------------------------------------------
037C0BA2 890D 9806A103 mov dword ptr [3A10698], ecx
037C0BA8 33C0 xor eax, eax
037C0BAA A1 9C23A103 mov eax, dword ptr [3A1239C]
037C0BAF 2B05 A023A103 sub eax, dword ptr [3A123A0]
037C0BB5 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037C0BBC 0305 A023A103 add eax, dword ptr [3A123A0]
037C0BC2 EB 01 jmp short 037C0BC5
037C0BC4 E7 50 out 50, eax
--------13----------------------------------------------------------------------------------------------------------------------
03980F50 0F94C0 sete al
03980F53 A3 9823BD03 mov dword ptr [3BD2398], eax
03980F58 33C0 xor eax, eax
03980F5A A1 9C23BD03 mov eax, dword ptr [3BD239C]
03980F5F 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
03980F65 EB 05 jmp short 03980F6C
03980F67 05 9823BD03 add eax, 03BD2398
03980F6C 0305 A023BD03 add eax, dword ptr [3BD23A0]
03980F72 EB 01 jmp short 03980F75
03980F74 E7 50 out 50, eax
--------------------------------------------------------------------------------------------------------------------------------
037C0F50 0F94C0 sete al
037C0F53 A3 9823A103 mov dword ptr [3A12398], eax
037C0F58 33C0 xor eax, eax
037C0F5A A1 9C23A103 mov eax, dword ptr [3A1239C]
037C0F5F 2B05 A023A103 sub eax, dword ptr [3A123A0]
037C0F65 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037C0F6C 0305 A023A103 add eax, dword ptr [3A123A0]
037C0F72 EB 01 jmp short 037C0F75
037C0F74 E7 50 out 50, eax
---------14----------------------------------------------------------------------------------------------------------------------
03981392 890D 9806BD03 mov dword ptr [3BD0698], ecx
03981398 33C0 xor eax, eax
0398139A A1 9C23BD03 mov eax, dword ptr [3BD239C]
0398139F 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
039813A5 EB 05 jmp short 039813AC
039813A7 05 9823BD03 add eax, 03BD2398
039813AC 0305 A023BD03 add eax, dword ptr [3BD23A0]
039813B2 EB 01 jmp short 039813B5
039813B4 E7 50 out 50, eax
--------------------------------------------------------------------------------------------------------------------------------
037C1392 890D 9806A103 mov dword ptr [3A10698], ecx
037C1398 33C0 xor eax, eax
037C139A A1 9C23A103 mov eax, dword ptr [3A1239C]
037C139F 2B05 A023A103 sub eax, dword ptr [3A123A0]
037C13A5 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037C13AC 0305 A023A103 add eax, dword ptr [3A123A0]
037C13B2 EB 01 jmp short 037C13B5
037C13B4 E7 50 out 50, eax
---------15----------------------------------------------------------------------------------------------------------------------
03981743 A3 9823BD03 mov dword ptr [3BD2398], eax
03981748 33C0 xor eax, eax
0398174A A1 9C23BD03 mov eax, dword ptr [3BD239C]
0398174F 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
03981755 EB 05 jmp short 0398175C
03981757 05 9823BD03 add eax, 03BD2398
0398175C 0305 A023BD03 add eax, dword ptr [3BD23A0]
03981762 EB 01 jmp short 03981765
03981764 E7 50 out 50, eax
--------------------------------------------------------------------------------------------------------------------------------
037C1743 A3 9823A103 mov dword ptr [3A12398], eax
037C1748 33C0 xor eax, eax
037C174A A1 9C23A103 mov eax, dword ptr [3A1239C]
037C174F 2B05 A023A103 sub eax, dword ptr [3A123A0]
037C1755 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037C175C 0305 A023A103 add eax, dword ptr [3A123A0]
037C1762 EB 01 jmp short 037C1765
037C1764 E7 50 out 50, eax
-------16-----------------------------------------------------------------------------------------------------------------------
03989FA3 890D 9806BD03 mov dword ptr [3BD0698], ecx
03989FA9 33C0 xor eax, eax
03989FAB A1 9C23BD03 mov eax, dword ptr [3BD239C]
03989FB0 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
03989FB6 EB 05 jmp short 03989FBD
03989FB8 05 9823BD03 add eax, 03BD2398
03989FBD 0305 A023BD03 add eax, dword ptr [3BD23A0]
03989FC3 EB 01 jmp short 03989FC6
03989FC5 E5 50 in eax, 50
--------------------------------------------------------------------------------------------------------------------------------
037C9FA3 890D 9806A103 mov dword ptr [3A10698], ecx
037C9FA9 33C0 xor eax, eax
037C9FAB A1 9C23A103 mov eax, dword ptr [3A1239C]
037C9FB0 2B05 A023A103 sub eax, dword ptr [3A123A0]
037C9FB6 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037C9FBD 0305 A023A103 add eax, dword ptr [3A123A0]
037C9FC3 EB 01 jmp short 037C9FC6
037C9FC5 E5 50 in eax, 50
-----------17-------------------------------------------------------------------------------------------------------------------
0398A358 A3 9823BD03 mov dword ptr [3BD2398], eax
0398A35D 33C0 xor eax, eax
0398A35F A1 9C23BD03 mov eax, dword ptr [3BD239C]
0398A364 2B05 A023BD03 sub eax, dword ptr [3BD23A0]
0398A36A EB 05 jmp short 0398A371
0398A36C 05 9823BD03 add eax, 03BD2398
0398A371 0305 A023BD03 add eax, dword ptr [3BD23A0]
0398A377 EB 01 jmp short 0398A37A
0398A379 E5 50 in eax, 50
0398A37B 33C0 xor eax, eax
--------------------------------------------------------------------------------------------------------------------------------
037CA358 A3 9823A103 mov dword ptr [3A12398], eax
037CA35D 33C0 xor eax, eax
037CA35F A1 9C23A103 mov eax, dword ptr [3A1239C]
037CA364 2B05 A023A103 sub eax, dword ptr [3A123A0]
037CA36A 0FAF05 9823A103 imul eax, dword ptr [3A12398]
037CA371 0305 A023A103 add eax, dword ptr [3A123A0]
037CA377 EB 01 jmp short 037CA37A
037CA379 E5 50 in eax, 50
037CA37B 33C0 xor eax, eax
自编代码:
036F0500 60 pushad
036F0501 E8 00000000 call 036F0506
036F0506 58 pop eax
036F0507 66:B8 0010 mov ax, 1000
036F050B 8BD8 mov ebx, eax
036F050D 81C3 F02F2F00 add ebx, 2F2FF0
036F0513 8178 FA 2B05A02>cmp dword ptr [eax-6], 23A0052B
036F051A 75 16 jnz short 036F0532
036F051C 8138 0FAF0598 cmp dword ptr [eax], 9805AF0F
036F0522 75 0E jnz short 036F0532
036F0524 8178 07 0305A02>cmp dword ptr [eax+7], 23A00503
036F052B 75 05 jnz short 036F0532
036F052D 66:C700 EB05 mov word ptr [eax], 5EB
036F0532 40 inc eax
036F0533 3BC3 cmp eax, ebx
036F0535 ^ 72 DC jb short 036F0513
036F0537 E8 1B000000 call 036F0557
036F053C 8B4425 04 mov eax, dword ptr [ebp+4]
036F0540 66:33C0 xor ax, ax
036F0543 05 58053200 add eax, 320558
036F0548 C700 182D4454 mov dword ptr [eax], 54442D18
036F054E C740 04 FB21094>mov dword ptr [eax+4], 400921FB
036F0555 33C0 xor eax, eax
036F0557 5E pop esi
036F0558 89F7 mov edi, esi
036F055A 66:BF 1623 mov di, 2316
036F055E B9 1B000000 mov ecx, 1B
036F0563 F3:A4 rep movs byte ptr es:[edi], byte ptr>
036F0565 61 popad
036F0566 C745 FC 0000000>mov dword ptr [ebp-4], 0
036F056D C3 retn