ASProtect.2.x.Inline.Patching-JW Tutorial
Posted on: 2005-10-26 12:53  5033

http://rapidshare.de/files/4987269/ASProtect.2.x.Inline.Patching-JW.zip.html

A Chinese version has actually existed for a long time, but here is one more option.

Latest replies (8)
2
Support.
2005-10-26 13:50
3
Thanks for sharing.
2005-10-26 14:04
4
THX!! I'm pasting the downloaded article directly here for easy reading:

ASProtect 1.x -> 2.x inline patching tutorial by JohnWho.
------------------------------------------------------------

In this tutorial I'll show you how to inline patch ASProtect 1.2 -> 2.x without dealing with any crypto stuff. The
example program (PatchMe.exe) which will be our target has a startup NAG we need to patch away. The target
is protected with ASProtect 2.1.

Tools used:  SoftICE, Hex Workshop, Hiew, LordPE.

Let's get started. First thing to do would be to find out where to patch our target so we get rid of that annoying
NAG, but we'll skip that in this tutorial (easy anyway, patch 40108D 74 -> EB).

Now we need to get to the code where the VirtualAlloc call is made, it will tell us where ASProtect's code will
be allocated to. ASProtect uses 4-5 decryption loops/blocks to decrypt the code where the first 2 VirtualAlloc
calls are made, we need to reach the 2nd call.

Run the target and make sure you break on EP(401000), from here trace into all calls with F7 until you reach
the below code chunk.

End of 1st decryption block:
0040B170   0F85 1A000000  JNZ     PatchMe.0040B190  <----- This jump will keep jumping until 2nd decryption block is decrypted.
0040B176   BF CAFFB26D    MOV     EDI, 6DB2FFCA
0040B17B   E9 21000000    JMP     PatchMe.0040B1A1  <----- When we reach this jump the 2nd decryption block is decrypted to memory
0040B180   58             POP     EAX                   and ready to get patched. We use this jump as our 1st redirection, notice
0040B181   B1 96          MOV     CL, 96                that this will be the only hardcoded redirection as the rest will be in memory
0040B183   17             POP     SS                    on runtime.
0040B184   04 ED          ADD     AL, 0ED
0040B186   22B3 70E96E0F  AND     DH, BYTE PTR DS:[EBX+F6EE970]
0040B18C   9C             PUSHFD
0040B18D   A5             MOVS    DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0040B18E   7A 2B          JPE     SHORT PatchMe.0040B1BB
0040B190   66:8BFE        MOV     DI, SI
0040B193   E9 75FFFFFF    JMP     PatchMe.0040B10D

Now set a breakpoint on address 40B17B and press F5, when you break on address 40B17B keep tracing with
F7 until you reach the below code chunk.

End of 2nd decryption block:
0040B278   0F85 11000000  JNZ     PatchMe.0040B28F  <----- This jump will keep jumping until 3rd decryption block is decrypted.
0040B27E   66:BF 624F     MOV     DI, 4F62
0040B282   E9 19000000    JMP     PatchMe.0040B2A0  <----- When we reach this jump the 3rd decryption block is decrypted to memory
0040B287   B0 29          MOV     AL, 29                and ready to get patched. We use this jump as our 2nd redirection.
0040B289   AE             SCAS    BYTE PTR ES:[EDI]
0040B28A   4F             DEC     EDI
0040B28B   DCE5           FSUBR   ST(5), ST
0040B28D   BA 6B668BF9    MOV     EDX, F98B666B
0040B292   E9 4BFFFFFF    JMP     PatchMe.0040B1E2

Now set a breakpoint on address 40B282 and press F5, when you break on address 40B282 keep tracing with
F7 until you reach the below code chunk.

End of 3rd decryption block:
0040B32F   0F85 25000000  JNZ     PatchMe.0040B35A  <----- This jump will keep jumping until 4th decryption block is decrypted.
0040B335   E8 05000000    CALL    PatchMe.0040B33F
0040B33A   B9 FE5FAC75    MOV     ECX, 75AC5FFE
0040B33F   80D6 57        ADC     DH, 57
0040B342   5E             POP     ESI
0040B343   E9 2B000000    JMP     PatchMe.0040B373  <----- When we reach this jump the 4th decryption block is decrypted to memory
0040B348   62F3           BOUND   ESI, EBX              and ready to get patched. We use this jump as our 3rd redirection.
0040B34A   B0 29          MOV     AL, 29
0040B34C   AE             SCAS    BYTE PTR ES:[EDI]
0040B34D   4F             DEC     EDI
0040B34E   DCE5           FSUBR   ST(5), ST
0040B350   BA 6BC86186    MOV     EDX, 8661C86B
0040B355   47             INC     EDI
0040B356   74 9D          JE      SHORT PatchMe.0040B2F5
0040B358   12E3           ADC     AH, BL
0040B35A   66:8BD1        MOV     DX, CX
0040B35D   E9 81FFFFFF    JMP     PatchMe.0040B2E3

Now set a breakpoint on address 40B343 and press F5, when you break on address 40B343 keep tracing with
F7 until you reach the below code chunk.

End of 4th decryption block:
0040B40E   0F85 13000000  JNZ     PatchMe.0040B427  <----- This jump will keep jumping until the code part with the first 2 VirtualAlloc
0040B414   66:8BDE        MOV     BX, SI                calls is decrypted.
0040B417   E9 1F000000    JMP     PatchMe.0040B43B  <----- When we reach this jump the code part with the first 2 VirtualAlloc calls
0040B41C   A7             CMPS    DWORD PTR DS:         is decrypted and ready to be patched. We use this jump as our 4th redirection.
0040B41D   54             PUSH    ESP
0040B41E   FD             STD
0040B41F   F2:            PREFIX REPNE:
0040B420   43             INC     EBX
0040B421   C0F9 3E        SAR     CL, 3E
0040B424   9F             LAHF
0040B425   EC             IN      AL, DX
0040B426   B5 66          MOV     CH, 66
0040B428   8BF1           MOV     ESI, ECX
0040B42A   E9 8DFFFFFF    JMP     PatchMe.0040B3BC

So far so good. We've now got the info on where to patch in order to get through the decryption blocks with control
on our side. The following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP 0040B43B (encrypted, we patch in memory)

Now set a breakpoint on address 40B417 and press F5, when you break on address 40B417 keep tracing with
F8 until you reach the below code chunk.

0040B4EF   6A 00          PUSH    0
0040B4F1   FF95 F0030000  CALL    NEAR DWORD PTR SS:[EBP+3F0]  <----- This is the 1st VirtualAlloc call.
0040B4F7   8985 CC010000  MOV     DWORD PTR SS:[EBP+1CC], EAX
0040B4FD   8B9D 00040000  MOV     EBX, DWORD PTR SS:[EBP+400]
0040B503   039D 0D040000  ADD     EBX, DWORD PTR SS:[EBP+40D]
0040B509   50             PUSH    EAX
0040B50A   53             PUSH    EBX
0040B50B   E8 04010000    CALL    PatchMe.0040B614
0040B510   6A 40          PUSH    40
0040B512   68 00100000    PUSH    1000
0040B517   FFB5 08040000  PUSH    DWORD PTR SS:[EBP+408]
0040B51D   6A 00          PUSH    0
0040B51F   FF95 F0030000  CALL    NEAR DWORD PTR SS:[EBP+3F0]  <----- This is the 2nd VirtualAlloc call. When this call has been executed
0040B525   8985 31040000  MOV     DWORD PTR SS:[EBP+431], EAX      EAX will contain the address baserange where ASProtect's code
0040B52B   8985 D0010000  MOV     DWORD PTR SS:[EBP+1D0], EAX      will be decrypted to. We need this baserange address in order to
........                                                           patch ASProtect's virtually allocated code.
Skipping code
........
0040B5EA   53             PUSH    EBX
0040B5EB   6A 00          PUSH    0
0040B5ED   6A 00          PUSH    0
0040B5EF   6A 01          PUSH    1
0040B5F1   57             PUSH    EDI
0040B5F2   8B5E 08        MOV     EBX, DWORD PTR DS:[ESI+8]
0040B5F5   03DF           ADD     EBX, EDI
0040B5F7   53             PUSH    EBX
0040B5F8   68 00800000    PUSH    8000  <--------------------------------------------------- Here EDI contains the address baserange. We use this as our 5th
0040B5FD   6A 00          PUSH    0                                redirection.
0040B5FF   56             PUSH    ESI
0040B600   FF95 F4030000  CALL    NEAR DWORD PTR SS:[EBP+3F4]
0040B606   68 00000000    PUSH    0
0040B60B   C3             RETN          <--------------------------------------------------- This return will bring us to the 1st part of ASProtect's virtually allocated
                                                                   memory. So from this point on we need to use our baserange for
                                                                   all further patching of ASProtect code!

So far we got following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP  0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP  0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP  0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP  0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)

Now set a breakpoint on address 40B5F8 and press F5, when you break on address 40B5F8 keep tracing with
F8 until you reach the below code chunk. Notice that from now on the address range probably is different on
your computer.

007C00B6   6A 04          PUSH    4
007C00B8   68 00100000    PUSH    1000
007C00BD   68 46050000    PUSH    546
007C00C2   6A 00          PUSH    0
007C00C4   FF95 79294400  CALL    NEAR DWORD PTR SS:[EBP+442979]  <----- This is the 3rd VirtualAlloc call.
007C00CA   8985 75294400  MOV     DWORD PTR SS:[EBP+442975], EAX
007C00D0   8D9D 452A4400  LEA     EBX, DWORD PTR SS:[EBP+442A45]
007C00D6   50             PUSH    EAX
007C00D7   53             PUSH    EBX
007C00D8   E8 74050000    CALL    007C0651
007C00DD   8BC8           MOV     ECX, EAX
007C00DF   8DBD 452A4400  LEA     EDI, DWORD PTR SS:[EBP+442A45]
007C00E5   8BB5 75294400  MOV     ESI, DWORD PTR SS:[EBP+442975]
007C00EB   F3:A4          REP     MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
007C00ED   8B85 75294400  MOV     EAX, DWORD PTR SS:[EBP+442975]
007C00F3   68 00800000    PUSH    8000  <--------------------------------------------------------- We redirect here. This is our 6th redirection.
007C00F8   6A 00          PUSH    0
007C00FA   50             PUSH    EAX
007C00FB   FF95 7D294400  CALL    NEAR DWORD PTR SS:[EBP+44297D]
007C0101   8D85 512C4400  LEA     EAX, DWORD PTR SS:[EBP+442C51]
007C0107   50             PUSH    EAX
007C0108   C3             RETN

So far we got following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP  0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP  0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP  0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP  0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)

Keep tracing with F8 until you reach the below code chunk.

007C030D   8B9D 552A4400  MOV     EBX, DWORD PTR SS:[EBP+442A55]
007C0313   0BDB           OR      EBX, EBX
007C0315   74 0A          JE      SHORT 007C0321
007C0317   8B03           MOV     EAX, DWORD PTR DS:[EBX]
007C0319   8785 592A4400  XCHG    DWORD PTR SS:[EBP+442A59], EAX
007C031F   8903           MOV     DWORD PTR DS:[EBX], EAX
007C0321   8DB5 712A4400  LEA     ESI, DWORD PTR SS:[EBP+442A71]
007C0327   833E 00        CMP     DWORD PTR DS:[ESI], 0
007C032A   0F84 D3000000  JE      007C0403
007C0330   8DB5 712A4400  LEA     ESI, DWORD PTR SS:[EBP+442A71]
007C0336   8B46 04        MOV     EAX, DWORD PTR DS:[ESI+4]
007C0339   6A 04          PUSH    4
007C033B   68 00100000    PUSH    1000
007C0340   50             PUSH    EAX
007C0341   6A 00          PUSH    0
........
Skipping code
........
007C05BB   8985 112F4400  MOV     DWORD PTR SS:[EBP+442F11], EAX
007C05C1   61             POPAD  <--------------------------------------------------------------- We redirect here. This is our 7th redirection.
007C05C2   75 08          JNZ     SHORT 007C05CC
007C05C4   B8 01000000    MOV     EAX, 1
007C05C9   C2 0C00        RETN    0C
007C05CC   68 00000000    PUSH    0
007C05D1   C3             RETN

So far we got following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP  0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP  0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP  0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP  0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx  xxxxxxxx (encrypted, we patch in memory)

Clear all breakpoints you may have and set a new one on MapViewOfFileEx, press F5 and then
F12 2 times. You should now see the below code chunk.

007AD400   6A 00          PUSH    0
007AD402   6A 00          PUSH    0
007AD404   6A 00          PUSH    0
007AD406   6A 04          PUSH    4  <--------------------------------------------------------------- We need to patch this instruction to push 1 so the
007AD408   A1 58A57B00    MOV     EAX, DWORD PTR DS:[7BA558]          mapped .exe in memory becomes writeable.
007AD40D   50             PUSH    EAX
007AD40E   A1 D4277B00    MOV     EAX, DWORD PTR DS:[7B27D4]
007AD413   8B40 08        MOV     EAX, DWORD PTR DS:[EAX+8]
007AD416   FFD0           CALL    NEAR EAX  <------------------------------------------------- MapViewOfFile call.
007AD418   8BD8           MOV     EBX, EAX  <------------------------------------------------- Here EAX points at the mapped .exe in memory. We need to
007AD41A   57             PUSH    EDI                                 patch the mapped .exe to deal with the CRC check. We
007AD41B   E8 4B010000    CALL    007AD56B                            use this as our 8th redirection.
0040B5FD   6A 00          PUSH    0

So far we got following addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP  0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP  0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP  0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP  0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx  xxxxxxxx (encrypted, we patch in memory)
8. 007AD418 8BD857E84B01 xxx  xxxxxxxx (encrypted, we patch in memory) (EAX points at the memory mapped .exe)

Now the CRC check is dealt with and we only need to patch our target to get rid of the NAG, but at this
point the code we wanna patch hasn't been decrypted to memory, so we need one more redirection after
it has been decrypted.

Clear your breakpoint and set a new one on read to memory address 40108D (bpm 40108D r), which is
the address we wanna patch to get rid of the NAG. Press F5 5 times; the 3rd time you break you can see
that the bytes on address 40108D have been decrypted. The 5th time you break you're in the memory
CRC check routine and you should see the below code chunk.

0078F3A0   81C7 A1EBD96E  ADD     EDI, 6ED9EBA1  <------- You should be here.
0078F3A6   8BEE           MOV     EBP, ESI
0078F3A8   33EB           XOR     EBP, EBX
0078F3AA   33E8           XOR     EBP, EAX
0078F3AC   03FD           ADD     EDI, EBP
0078F3AE   03CF           ADD     ECX, EDI
0078F3B0   8BF9           MOV     EDI, ECX
0078F3B2   C1E7 03        SHL     EDI, 3
0078F3B5   C1E9 1D        SHR     ECX, 1D
0078F3B8   0BF9           OR      EDI, ECX
0078F3BA   8BCF           MOV     ECX, EDI

Press F12 or single step over/into the RET instruction on address 78F436 and you should see the
below code chunk.

0078F59D   83C7 40        ADD     EDI, 40  <--------------------------------------- You should be here.
0078F5A0   83EB 40        SUB     EBX, 40
0078F5A3   83FB 40        CMP     EBX, 40
0078F5A6   7D EC          JGE     SHORT 0078F594
0078F5A8   8B0424         MOV     EAX, DWORD PTR SS:[ESP]
0078F5AB   03C5           ADD     EAX, EBP
0078F5AD   8D56 08        LEA     EDX, DWORD PTR DS:[ESI+8]
0078F5B0   8BCB           MOV     ECX, EBX
0078F5B2   E8 A130FFFF    CALL    00782658
0078F5B7   5A             POP     EDX
0078F5B8   5D             POP     EBP
0078F5B9   5F             POP     EDI
0078F5BA   5E             POP     ESI
0078F5BB   5B             POP     EBX
0078F5BC   C3             RETN

Clear your breakpoints and set one on address 78F5BC, press F5 and you break on address 78F5BC. Press
F12 2 times and you'll see the code chunk below.

007AE13C   53             PUSH    EBX  <------------------------------------------------- You should be here.
007AE13D   56             PUSH    ESI
007AE13E   57             PUSH    EDI
007AE13F   55             PUSH    EBP
007AE140   83C4 D8        ADD     ESP, -28
007AE143   A1 9C277B00    MOV     EAX, DWORD PTR DS:[7B279C]
007AE148   C600 D2        MOV     BYTE PTR DS:[EAX], 0D2
007AE14B   B2 01          MOV     DL, 1
007AE14D   A1 F4B07900    MOV     EAX, DWORD PTR DS:[79B0F4]
007AE152   E8 F9CFFEFF    CALL    0079B150
007AE157   8BF0           MOV     ESI, EAX
007AE159   E8 7EE7FFFF    CALL    007AC8DC
007AE15E   8BD8           MOV     EBX, EAX
007AE160   A1 E0277B00    MOV     EAX, DWORD PTR DS:[7B27E0]
007AE165   8B00           MOV     EAX, DWORD PTR DS:[EAX]
007AE167   8946 04        MOV     DWORD PTR DS:[ESI+4], EAX
007AE16A   A1 04277B00    MOV     EAX, DWORD PTR DS:[7B2704]
007AE16F   8B00           MOV     EAX, DWORD PTR DS:[EAX]
007AE171   33D2           XOR     EDX, EDX
007AE173   8950 04        MOV     DWORD PTR DS:[EAX+4], EDX
007AE176   A1 F0277B00    MOV     EAX, DWORD PTR DS:[7B27F0]
007AE17B   8B00           MOV     EAX, DWORD PTR DS:[EAX]
007AE17D   8B00           MOV     EAX, DWORD PTR DS:[EAX]
007AE17F   8B15 04277B00  MOV     EDX, DWORD PTR DS:[7B2704]  <---- When we reach this address the memory CRC check
007AE185   8B12           MOV     EDX, DWORD PTR DS:[EDX]         is done and we can patch target in memory. So we
007AE187   8942 50        MOV     DWORD PTR DS:[EDX+50], EAX      use this as our 9th and last redirection.
007AE18A   A1 04277B00    MOV     EAX, DWORD PTR DS:[7B2704]
2005-10-26 14:16
5
Continued from above

Now we got all addresses we wanna use as redirections to our cave:

1. 0040B17B E921000000   JMP  0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000   JMP  0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000   JMP  0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000   JMP  0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000   PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address baserange)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx  xxxxxxxx (encrypted, we patch in memory)
8. 007AD418 8BD857E84B01 xxx  xxxxxxxx (encrypted, we patch in memory) (EAX points at the memory mapped .exe)
9. 007AE17F 8B1504277B00 MOV  xxxxxxxx (encrypted, we patch in memory) (Here we patch the target in memory)

Let's prepare the .exe for our patch cave/code. Open the .exe in LordPE, click on the "Sections"
button and then right click on the last section and select "edit section header". Change RawSize
from 00000000 -> 00001000. Save changes and close LordPE, then open the .exe in Hex Workshop and
scroll down to the bottom of the .exe and insert 1000 "90" bytes (hex). Close Hex Workshop and
confirm to save changes.

Run the target and break on MapViewOfFileEx. When you're located on address 7AD418, which is right
after the MapViewOfFile call, do a search for the bytes 90 90 90 90 90 90 90 90 90 90. You
should find the bytes on address 42B005; these are the bytes we added with Hex Workshop, but
some of them have been overwritten by ASProtect, so we do this search to find out where the
patch cave actually starts. So our patch cave will start on address 42B005.

Open the .exe in Hex Workshop, scroll down to the end of the file and select the 1000 "90" bytes
and fill them with 00. This is optional, but it does make it a lot easier when we are gonna
write our patch code into the cave.

Let's redirect the end of the 1st decryption block to our cave. Open the .exe in Hiew and search for the
bytes E921000000; these are the bytes of our 1st redirection we found, which is the only
redirection that is hardcoded. You should see this in Hiew >

.0040B176: BFCAFFB26D      mov         edi,06DB2FFCA
.0040B17B: E921000000      jmp        .00040B1A1  ---  (4)  <------ We need to change this jump to goto the patch cave.
.0040B180: 58              pop         eax

.0040B176: BFCAFFB26D      mov         edi,06DB2FFCA
.0040B17B: E985FE0100      jmp        .00042B005  ---  (4)  <------ This jump now goes to the patch cave.
.0040B180: 58              pop         eax

Now it's time to write the patch code into our cave.....

[drinking coffee and beating the crap out of the keyboard]

...here's our finished patch cave >

Cave Part 1:
0042B005 C70582B24000E98DFD01 MOV DWORD PTR DS:[40B282],1FD8DE9 <-- Patching 2nd redirection to goto cave part 2.
0042B00F E98D01FEFF           JMP     Patched_.0040B1A1 <------------------ Jumping back to the original destination that
                                                                   the jump we used as redirection 1 jumped to.

Cave Part 2:
0042B014 C70543B34000E9DBFC01 MOV DWORD PTR DS:[40B343],1FCDBE9 <-- Patching 3rd redirection to goto cave part 3.
0042B01E E97D02FEFF           JMP Patched_.0040B2A0 <-------------------------- Jumping back to the original destination that
                                                                   the jump we used as redirection 2 jumped to.

Cave Part 3:
0042B023 C70517B44000E916FC01 MOV DWORD PTR DS:[40B417],1FC16E9 <-- Patching 4th redirection to goto cave part 4.
0042B02D E94103FEFF           JMP Patched_.0040B373 <-------------------------- Jumping back to the original destination that
                                                                   the jump we used as redirection 3 jumped to.

Cave Part 4:
0042B032 C705F8B54000E944FA01 MOV DWORD PTR DS:[40B5F8],1FA44E9 <-- Patching 5th redirection to goto cave part 5.
0042B03C E9FA03FEFF           JMP Patched_.0040B43B <-------------------------- Jumping back to the original destination that
                                                                   the jump we used as redirection 4 jumped to.

Cave Part 5:
0042B041 893DFCBF4200         MOV DWORD PTR DS:[42BFFC],EDI <------------------ Moving aspr address baserange into end of cave.
0042B047 C705F8B5400068008000 MOV DWORD PTR DS:[40B5F8],800068 <------------ Patching back original bytes to redirection 5 address.
0042B051 C787F30004006867B042 MOV DWORD PTR DS:[EDI+400F3],42B06768 <-- Patching 6th redirection to goto cave part 6 by using
0042B05B C687F8000400C3       MOV BYTE PTR DS:[EDI+400F8],0C3          address baserange in EDI
0042B062 E99105FEFF           JMP Patched_.0040B5F8 <---------------------------------- Jumping back to the restored redirection 5 address.

Cave Part 6:
0042B067 60                   PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B068 A1FCBF4200           MOV    EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B06D C780F300040068008000 MOV    DWORD PTR DS:[EAX+400F3],800068 <------ Patching back original bytes to redirection 6 address
0042B077 C680F80004006A       MOV    BYTE PTR DS:[EAX+400F8],6A           by using address baserange in EAX.
0042B07E C780C105040068A2B042 MOV    DWORD PTR DS:[EAX+405C1],42B0A268 <-- Patching 7th redirection to goto cave part 7 by using
0042B088 66C780C505040000C3   MOV    WORD PTR DS:[EAX+405C5],0C300        address baserange in EAX.
0042B091 05F3000400           ADD    EAX, 400F3 <------------------------------------------------ Adding address return base to EAX.
0042B096 A39DB04200           MOV    DWORD PTR DS:[42B09D],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B09B 61                   POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B09C 6800000000           PUSH   0 <------------------------------------------------------------------ Push return address.
0042B0A1 C3                   RETN <-------------------------------------------------------------------------- Return to return address.

Cave Part 7:
0042B0A2 60                   PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B0A3 A1FCBF4200           MOV    EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B0A8 C780C1050400617508B8 MOV    DWORD PTR DS:[EAX+405C1],B8087561 <-- Patching back original bytes to redirection 7 address
0042B0B2 66C780C50504000100   MOV    WORD PTR DS:[EAX+405C5],1            by using address baserange in EAX.
0042B0BB C68007D4020001       MOV    BYTE PTR DS:[EAX+2D407],1 <------------------ Patch PUSH 6A04 -> 6A01 to make mapped .exe in mem writable
0042B0C2 C78018D4020068E6B042 MOV    DWORD PTR DS:[EAX+2D418],42B0E668 <-- Patching 8th redirection to goto cave part 8 by using
0042B0CC 66C7801CD4020000C3   MOV    WORD PTR DS:[EAX+2D41C],0C300        address baserange in EAX.
0042B0D5 05C1050400           ADD    EAX, 405C1 <------------------------------------------------ Adding address return base to EAX.
0042B0DA A3E1B04200           MOV    DWORD PTR DS:[42B0E1],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B0DF 61                   POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B0E0 6800000000           PUSH   0 <------------------------------------------------------------------ Push return address.
0042B0E5 C3                   RETN <-------------------------------------------------------------------------- Return to return address.

Cave Part 8:
0042B0E6 C680F902000000       MOV    BYTE PTR DS:[EAX+2F9],0 <---------------------- Patching back "1000" bytes in mem mapped .exe(in header)
0042B0ED C7807B5F0000E9210000 MOV    DWORD PTR DS:[EAX+5F7B],21E9 <------------ Patching back redirection 1 in mem mapped .exe. CRC check killed.
0042B0F7 60                   PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B0F8 A1FCBF4200           MOV    EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B0FD C78018D402008BD857E8 MOV    DWORD PTR DS:[EAX+2D418],E857D88B <-- Patching back original bytes to redirection 8 address
0042B107 66C7801CD402004B01   MOV    WORD PTR DS:[EAX+2D41C],14B          by using address baserange in EAX.
0042B110 C68007D4020004       MOV    BYTE PTR DS:[EAX+2D407],4 <------------------ Patch PUSH 6A01 -> 6A01 so ASProtect won't crash us.
0042B117 C7807FE10200683BB142 MOV    DWORD PTR DS:[EAX+2E17F],42B13B68 <-- Patching 9th redirection to goto cave part 9 by using
0042B121 66C78083E1020000C3   MOV    WORD PTR DS:[EAX+2E183],0C300        address baserange in EAX.
0042B12A 0518D40200           ADD    EAX, 2D418 <------------------------------------------------ Adding address return base to EAX.
0042B12F A336B14200           MOV    DWORD PTR DS:[42B136],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B134 61                   POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B135 6800000000           PUSH   0 <------------------------------------------------------------------ Push return address.
0042B13A C3                   RETN <-------------------------------------------------------------------------- Return to return address.

Cave Part 9:
0042B13B 60                   PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B13C A1FCBF4200           MOV    EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B141 C7807FE102008B150427 MOV    DWORD PTR DS:[EAX+2E17F],2704158B <-- Patching back original bytes to redirection 9 address
0042B14B 66C78083E102007B00   MOV    WORD PTR DS:[EAX+2E183],7B           by using address baserange in EAX.
0042B154 C6058D104000EB       MOV    BYTE PTR DS:[40108D],0EB <-------------------- Patching our NAG away
0042B15B 057FE10200           ADD    EAX, 2E17F <------------------------------------------------ Adding address return base to EAX.
0042B160 A367B14200           MOV    DWORD PTR DS:[42B167],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B165 61                   POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B166 6800000000           PUSH   0 <------------------------------------------------------------------ Push return address.
0042B16B C3                   RETN <-------------------------------------------------------------------------- Return to return address.

Well, that's it.
2005-10-26 14:17
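An added example, not part of JohnWho's tutorial or the PatchMe target: the rel32 and PUSH/RETN arithmetic behind every immediate in the cave listing above, written as a Python check so a reader can verify the listed bytes instead of trusting them. The hook addresses, cave addresses and immediates are copied from the listing; the allocation base (0x780000) is not stated in the tutorial but is derived here from the EAX+offset pairs the cave uses.

```python
import struct

def jmp_rel32(src: int, dst: int) -> bytes:
    """5-byte near JMP (E9 rel32) placed at src that lands on dst."""
    return b"\xe9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)

def jmp_target(src: int, code: bytes) -> int:
    """Destination of an E9 rel32 JMP whose first byte sits at src."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    return (src + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF

def push_ret(dst: int) -> bytes:
    """6-byte absolute transfer the cave installs in the VirtualAlloc'd code: PUSH dst; RETN."""
    return b"\x68" + struct.pack("<I", dst) + b"\xc3"

def dword_word_patch(dword: int, word: int) -> bytes:
    """Bytes left behind by MOV DWORD PTR [x],dword followed by MOV WORD PTR [x+4],word."""
    return struct.pack("<I", dword) + struct.pack("<H", word)

# Redirections 1-5 (addresses inside the .exe), the cave part each one is sent to,
# and the imm32 the preceding cave part MOVs over the hooked instruction
# (None = redirection 1, which is patched in the file with Hiew).
EXE_HOOKS = [
    (0x0040B17B, 0x0042B005, None),
    (0x0040B282, 0x0042B014, 0x01FD8DE9),
    (0x0040B343, 0x0042B023, 0x01FCDBE9),
    (0x0040B417, 0x0042B032, 0x01FC16E9),
    (0x0040B5F8, 0x0042B041, 0x01FA44E9),
]

# Jump-backs in the cave: (address of the JMP, original destination, bytes as listed).
JUMP_BACKS = [
    (0x0042B00F, 0x0040B1A1, "E98D01FEFF"),
    (0x0042B01E, 0x0040B2A0, "E97D02FEFF"),
    (0x0042B02D, 0x0040B373, "E94103FEFF"),
    (0x0042B03C, 0x0040B43B, "E9FA03FEFF"),
    (0x0042B062, 0x0040B5F8, "E99105FEFF"),
]

# Redirections 6-9 live in VirtualAlloc'd memory: (address seen in the debugger,
# offset the cave adds to the saved baserange, next cave part, dword and word written).
MEM_HOOKS = [
    (0x007C00F3, 0x400F3, 0x0042B067, 0x42B06768, 0xC300),
    (0x007C05C1, 0x405C1, 0x0042B0A2, 0x42B0A268, 0xC300),
    (0x007AD418, 0x2D418, 0x0042B0E6, 0x42B0E668, 0xC300),
    (0x007AE17F, 0x2E17F, 0x0042B13B, 0x42B13B68, 0xC300),
]

def exe_hook_ok(hook: int, cave: int, imm) -> bool:
    want = jmp_rel32(hook, cave)
    # A MOV DWORD rewrites only 4 of the 5 bytes; the 5th must already be 00.
    return imm is None or (struct.pack("<I", imm) == want[:4] and want[4] == 0)

def jump_back_ok(src: int, dst: int, listed: str) -> bool:
    code = bytes.fromhex(listed)
    return jmp_rel32(src, dst) == code and jmp_target(src, code) == dst

def baserange() -> int:
    """All four in-memory hooks must resolve to a single allocation base."""
    bases = {addr - off for addr, off, *_ in MEM_HOOKS}
    if len(bases) != 1:
        raise ValueError(f"inconsistent baserange: {bases}")
    return bases.pop()

def mem_hook_ok(addr: int, off: int, cave: int, dword: int, word: int) -> bool:
    # The dword+word pair the cave writes must spell PUSH <cave part>; RETN.
    return dword_word_patch(dword, word) == push_ret(cave)

def check_chain() -> dict:
    """Summary the reader can compare against the cave listing."""
    return {
        "redirection1_bytes": jmp_rel32(*EXE_HOOKS[0][:2]).hex().upper(),
        "exe_hooks_ok": all(exe_hook_ok(*h) for h in EXE_HOOKS),
        "jump_backs_ok": all(jump_back_ok(*j) for j in JUMP_BACKS),
        "mem_hooks_ok": all(mem_hook_ok(*m) for m in MEM_HOOKS),
        "baserange": baserange(),
    }

if __name__ == "__main__":
    for key, val in check_chain().items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

`redirection1_bytes` reproduces the `E985FE0100` shown in the Hiew screenshot, and `baserange` shows why every cave part past part 5 adds its offset to the value saved at 42BFFC rather than using a fixed address.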
6
Can someone translate it?
2005-10-26 16:48
7
Showing my support, but my English is too poor. As the poster above said, could some expert with time translate it? Chinese please!
2005-11-2 19:56
8
This JohnWho tutorial came out a long time ago.
2005-11-2 22:27
9
I can't really read the English. Could some big brother translate it?
2005-11-16 16:27