Continued from above.
Now we've got all the addresses we want to use as redirections into our cave:
1. 0040B17B E921000000 JMP 0040B1A1 (hardcoded in .exe)
2. 0040B282 E919000000 JMP 0040B2A0 (encrypted, we patch in memory)
3. 0040B343 E92B000000 JMP 0040B373 (encrypted, we patch in memory)
4. 0040B417 E91F000000 JMP 0040B43B (encrypted, we patch in memory)
5. 0040B5F8 6800800000 PUSH 00008000 (encrypted, we patch in memory) (EDI holds our address base range)
6. 007C00F3 68008000006A PUSH 00008000 (encrypted, we patch in memory)
7. 007C05C1 617508B80100 xxx xxxxxxxx (encrypted, we patch in memory)
8. 007AD418 8BD857E84B01 xxx xxxxxxxx (encrypted, we patch in memory) (EAX points at the memory-mapped .exe)
9. 007AE17F 8B1504277B00 MOV xxxxxxxx (encrypted, we patch in memory) (here we patch the target in memory)
Redirections 6-9 live in the block ASProtect allocates at runtime (EDI = 00780000 in this session, so 007C00F3 = EDI+400F3), which is why the cave addresses them relative to the saved base instead of hardcoding them.
Let's prepare the .exe for our patch cave/code. Open the .exe in LordPE, click the "Sections"
button, right click the last section and select "edit section header". Change RawSize
from 00000000 -> 00001000. Save the changes and close LordPE, then open the .exe in Hex Workshop,
scroll to the bottom of the file and append 0x1000 (4096) "90" bytes (hex). Close Hex Workshop and
confirm saving the changes.
Run the target and break on MapViewOfFileEx. When you're at address 7AD418, which is right
after the MapViewOfFileEx call, search for the bytes 90 90 90 90 90 90 90 90 90 90. You
should find them at address 42B005: these are the bytes we added with Hex Workshop, but
some of them have been overwritten by ASProtect, so we do this search to find out where the
patch cave actually starts. So our patch cave starts at address 42B005.
Open the .exe in Hex Workshop, scroll to the end of the file, select the 0x1000 "90" bytes
and fill them with 00. This is optional, but it makes it a lot easier when we write our
patch code into the cave.
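The LordPE and Hex Workshop steps above as one script. This is an added example, not part of the original tutorial: it uses only the Python standard library, handles PE32 (32-bit) files only, and the names prepare_cave, cave_va, last_section and build_test_pe are chosen here. The two-section PE skeleton in build_test_pe is constructed solely so the script can be tried offline; it is not the target. One thing the page leaves implicit is made explicit: the last section's PointerToRawData is pointed at the old end of file, since the loader only maps the appended bytes if the header says where they are, and VirtualSize is assumed to already cover the cave (the page's recipe relies on that).

```python
"""Turn the last section of a PE into a patch cave (LordPE + Hex Workshop, scripted).
Added example, not from the original tutorial; stdlib only, PE32 only."""
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def _last_section_offset(pe: bytes) -> int:
    """File offset of the last IMAGE_SECTION_HEADER, after sanity-checking the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    if struct.unpack_from("<H", pe, file_hdr + 20)[0] != 0x10B:  # OptionalHeader.Magic
        raise ValueError("only PE32 is handled here")
    sect_table = file_hdr + 20 + opt_hdr_size
    return sect_table + (num_sections - 1) * SECTION_HDR_SIZE


def last_section(pe: bytes) -> tuple:
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) of the last section."""
    return struct.unpack_from("<IIII", pe, _last_section_offset(pe) + 8)  # skip Name[8]


def image_base(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return struct.unpack_from("<I", pe, e_lfanew + 4 + 20 + 28)[0]  # OptionalHeader.ImageBase


def cave_va(pe: bytes) -> int:
    """Where the cave section lands in memory: ImageBase + VirtualAddress of the last
    section. The tutorial then searches from here for the surviving 90s (it found 42B005)."""
    return image_base(pe) + last_section(pe)[1]


def prepare_cave(pe: bytes, cave_size: int = 0x1000, fill: bytes = b"\x90") -> bytes:
    """LordPE step (RawSize 0 -> cave_size) plus Hex Workshop step (append cave_size bytes).
    Assumption not stated on the page: PointerToRawData is set to the old end of file."""
    off = _last_section_offset(pe)
    vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
    if raw_size != 0:
        raise ValueError(f"last section already has RawSize {raw_size:#x}, expected 0")
    # VirtualSize 0 means the loader sizes the section from SizeOfRawData; otherwise
    # it must already be big enough to hold the cave.
    if vsize and vsize < cave_size:
        raise ValueError(f"VirtualSize {vsize:#x} is smaller than the cave")
    out = bytearray(pe)
    struct.pack_into("<I", out, off + 16, cave_size)  # SizeOfRawData
    struct.pack_into("<I", out, off + 20, len(pe))    # PointerToRawData -> appended bytes
    out += fill * cave_size
    return bytes(out)


def build_test_pe() -> bytes:
    """Constructed two-section PE32 skeleton (headers only, not a real program) so the
    script can run offline. Mirrors the page: ImageBase 400000, last section at RVA 2B000
    with RawSize 0, so the cave will be mapped at 42B000."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                            # ImageBase

    def sect(name, vsize, vaddr, raw_size, raw_ptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000020)

    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
            + sect(b".text", 0x1000, 0x1000, 0x200, 0x200)
            + sect(b".aspr", 0x10000, 0x2B000, 0, 0))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    patched = prepare_cave(data, fill=b"\x00")
    print(f"cave section mapped at {cave_va(patched):#x}, "
          f"{len(patched) - len(data):#x} bytes appended")
```

Run it with the packed .exe as the argument (it writes nothing; add your own open(..., "wb") once the numbers look right). cave_va only tells you where the section is mapped; as the page shows, the packer may overwrite the first bytes, so still search for the fill bytes in the debugger to find where usable cave space starts.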
Let's redirect the end of the 1st decryption block to our cave. Open the .exe in Hiew and search
for the bytes E921000000; these are the bytes of our 1st redirection, which is the only
hardcoded one. You should see this in Hiew >
.0040B176: BFCAFFB26D mov edi,06DB2FFCA
.0040B17B: E921000000 jmp .00040B1A1 --- (4) <------ We need to change this jump to go to the patch cave.
.0040B180: 58 pop eax
Assemble it as jmp 0042B005 (E9 + rel32, where rel32 = 42B005 - 40B180 = 0001FE85) and you get >
.0040B176: BFCAFFB26D mov edi,06DB2FFCA
.0040B17B: E985FE0100 jmp .00042B005 --- (4) <------ This jump now goes to the patch cave.
.0040B180: 58 pop eax
Now it's time to write the patch code into our cave.....
[drinking coffee and beating the crap out of the keyboard]
...here's our finished patch cave >
Cave Part 1:
0042B005 C70582B24000E98DFD01 MOV DWORD PTR DS:[40B282],1FD8DE9 <-- Patching 2nd redirection to go to cave part 2.
0042B00F E98D01FEFF JMP Patched_.0040B1A1 <------------------ Jumping back to the original destination of the
jump we used as redirection 1.
Cave Part 2:
0042B014 C70543B34000E9DBFC01 MOV DWORD PTR DS:[40B343],1FCDBE9 <-- Patching 3rd redirection to go to cave part 3.
0042B01E E97D02FEFF JMP Patched_.0040B2A0 <-------------------------- Jumping back to the original destination of the
jump we used as redirection 2.
Cave Part 3:
0042B023 C70517B44000E916FC01 MOV DWORD PTR DS:[40B417],1FC16E9 <-- Patching 4th redirection to go to cave part 4.
0042B02D E94103FEFF JMP Patched_.0040B373 <-------------------------- Jumping back to the original destination of the
jump we used as redirection 3.
Cave Part 4:
0042B032 C705F8B54000E944FA01 MOV DWORD PTR DS:[40B5F8],1FA44E9 <-- Patching 5th redirection to go to cave part 5.
0042B03C E9FA03FEFF JMP Patched_.0040B43B <-------------------------- Jumping back to the original destination of the
jump we used as redirection 4.
Cave Part 5:
0042B041 893DFCBF4200 MOV DWORD PTR DS:[42BFFC],EDI <------------------ Saving ASProtect's address base range (EDI) at the end of the cave.
0042B047 C705F8B5400068008000 MOV DWORD PTR DS:[40B5F8],800068 <------------ Patching back original bytes to redirection 5 address.
0042B051 C787F30004006867B042 MOV DWORD PTR DS:[EDI+400F3],42B06768 <-- Patching 6th redirection to go to cave part 6 (PUSH 42B067 / RETN) by using
0042B05B C687F8000400C3 MOV BYTE PTR DS:[EDI+400F8],0C3 the address base range in EDI.
0042B062 E99105FEFF JMP Patched_.0040B5F8 <---------------------------------- Jumping back to the restored redirection 5 address.
Cave Part 6:
0042B067 60 PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B068 A1FCBF4200 MOV EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B06D C780F300040068008000 MOV DWORD PTR DS:[EAX+400F3],800068 <------ Patching back original bytes to redirection 6 address
0042B077 C680F80004006A MOV BYTE PTR DS:[EAX+400F8],6A by using address baserange in EAX.
0042B07E C780C105040068A2B042 MOV DWORD PTR DS:[EAX+405C1],42B0A268 <-- Patching 7th redirection to go to cave part 7 (PUSH 42B0A2 / RETN) by using
0042B088 66C780C505040000C3 MOV WORD PTR DS:[EAX+405C5],0C300 the address base range in EAX.
0042B091 05F3000400 ADD EAX, 400F3 <------------------------------------------------ Adding address return base to EAX.
0042B096 A39DB04200 MOV DWORD PTR DS:[42B09D],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B09B 61 POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B09C 6800000000 PUSH 0 <------------------------------------------------------------------ Push return address.
0042B0A1 C3 RETN <-------------------------------------------------------------------------- Return to return address.
Cave Part 7:
0042B0A2 60 PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B0A3 A1FCBF4200 MOV EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B0A8 C780C1050400617508B8 MOV DWORD PTR DS:[EAX+405C1],B8087561 <-- Patching back original bytes to redirection 7 address
0042B0B2 66C780C50504000100 MOV WORD PTR DS:[EAX+405C5],1 by using address baserange in EAX.
0042B0BB C68007D4020001 MOV BYTE PTR DS:[EAX+2D407],1 <------------------ Patch PUSH 6A04 -> 6A01 (FILE_MAP_READ -> FILE_MAP_COPY) so the mapped .exe becomes a writable copy-on-write view.
0042B0C2 C78018D4020068E6B042 MOV DWORD PTR DS:[EAX+2D418],42B0E668 <-- Patching 8th redirection to go to cave part 8 (PUSH 42B0E6 / RETN) by using
0042B0CC 66C7801CD4020000C3 MOV WORD PTR DS:[EAX+2D41C],0C300 the address base range in EAX.
0042B0D5 05C1050400 ADD EAX, 405C1 <------------------------------------------------ Adding address return base to EAX.
0042B0DA A3E1B04200 MOV DWORD PTR DS:[42B0E1],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B0DF 61 POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B0E0 6800000000 PUSH 0 <------------------------------------------------------------------ Push return address.
0042B0E5 C3 RETN <-------------------------------------------------------------------------- Return to return address.
Cave Part 8:
0042B0E6 C680F902000000 MOV BYTE PTR DS:[EAX+2F9],0 <---------------------- Restoring the last section's RawSize (our 1000 -> 0) in the header of the mem-mapped .exe.
0042B0ED C7807B5F0000E9210000 MOV DWORD PTR DS:[EAX+5F7B],21E9 <------------ Restoring the original bytes of redirection 1 in the mem-mapped .exe. The CRC check now sees the unpatched file.
0042B0F7 60 PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B0F8 A1FCBF4200 MOV EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B0FD C78018D402008BD857E8 MOV DWORD PTR DS:[EAX+2D418],E857D88B <-- Patching back original bytes to redirection 8 address
0042B107 66C7801CD402004B01 MOV WORD PTR DS:[EAX+2D41C],14B by using address baserange in EAX.
0042B110 C68007D4020004 MOV BYTE PTR DS:[EAX+2D407],4 <------------------ Patch PUSH 6A01 back to 6A04 so ASProtect won't crash us.
0042B117 C7807FE10200683BB142 MOV DWORD PTR DS:[EAX+2E17F],42B13B68 <-- Patching 9th redirection to go to cave part 9 (PUSH 42B13B / RETN) by using
0042B121 66C78083E1020000C3 MOV WORD PTR DS:[EAX+2E183],0C300 the address base range in EAX.
0042B12A 0518D40200 ADD EAX, 2D418 <------------------------------------------------ Adding address return base to EAX.
0042B12F A336B14200 MOV DWORD PTR DS:[42B136],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B134 61 POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B135 6800000000 PUSH 0 <------------------------------------------------------------------ Push return address.
0042B13A C3 RETN <-------------------------------------------------------------------------- Return to return address.
Cave Part 9:
0042B13B 60 PUSHAD <---------------------------------------------------------------------- Save registers(EAX).
0042B13C A1FCBF4200 MOV EAX, DWORD PTR DS:[42BFFC] <---------------- Move address baserange into EAX.
0042B141 C7807FE102008B150427 MOV DWORD PTR DS:[EAX+2E17F],2704158B <-- Patching back original bytes to redirection 9 address
0042B14B 66C78083E102007B00 MOV WORD PTR DS:[EAX+2E183],7B by using address baserange in EAX.
0042B154 C6058D104000EB MOV BYTE PTR DS:[40108D],0EB <-------------------- Patching our NAG away
0042B15B 057FE10200 ADD EAX, 2E17F <------------------------------------------------ Adding address return base to EAX.
0042B160 A367B14200 MOV DWORD PTR DS:[42B167],EAX <------------------ Moving return address from EAX to PUSH instruction.
0042B165 61 POPAD <------------------------------------------------------------------------ Restore registers(EAX).
0042B166 6800000000 PUSH 0 <------------------------------------------------------------------ Push return address.
0042B16B C3 RETN <-------------------------------------------------------------------------- Return to return address.
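Every constant the cave above writes (the E9 displacements for redirections 1-5, the PUSH/RETN thunks for the base-relative redirections 6-9, the "restore original bytes" values, and the jumps back from cave parts 1-4) is plain arithmetic, and it is safer to generate than to type. The script below recomputes all of them from the redirection list at the top of the page, and also covers the Hiew edit of the first jump. It is an added example, not part of the original tutorial: the site addresses, original bytes and cave-part addresses are the page's, the ASProtect block base is derived from the page's [EDI+400F3] form, and the function names are chosen here. It also adds one check the page only relied on implicitly: a 5-byte JMP written with a single 4-byte MOV is only correct if the JMP's 5th byte already matches what is there. Where the page wrote a single C3 byte at +5 (redirection 6), the generator writes a WORD at +4 instead, as the page itself does for redirections 7-9; both give the same bytes.

```python
"""Recompute every constant written by the ASProtect inline-patch cave above.
Added example, not from the original tutorial."""
import struct

# The nine redirection sites from the list at the top of the page: (address, original bytes).
REDIRECTIONS = [
    (0x0040B17B, "E921000000"), (0x0040B282, "E919000000"), (0x0040B343, "E92B000000"),
    (0x0040B417, "E91F000000"), (0x0040B5F8, "6800800000"), (0x007C00F3, "68008000006A"),
    (0x007C05C1, "617508B80100"), (0x007AD418, "8BD857E84B01"), (0x007AE17F, "8B1504277B00"),
]
# Start of cave parts 1..9 (cave part n is entered from redirection n).
CAVE_PARTS = [0x42B005, 0x42B014, 0x42B023, 0x42B032, 0x42B041,
              0x42B067, 0x42B0A2, 0x42B0E6, 0x42B13B]
# Base of the block ASProtect allocates (EDI at redirection 5, saved by the cave at
# 42BFFC); derived from the page addressing site 6 as [EDI+400F3].
ASPR_BASE = 0x007C00F3 - 0x400F3


def jmp_rel32(src, dst):
    """rel32 of a 5-byte E9 JMP located at src that lands on dst (32-bit two's complement)."""
    return (dst - (src + 5)) & 0xFFFFFFFF


def jmp_bytes(src, dst):
    return b"\xe9" + struct.pack("<I", jmp_rel32(src, dst))


def push_ret_thunk(dst):
    """PUSH dst / RETN: 6 bytes that reach dst without knowing the site's own address."""
    return b"\x68" + struct.pack("<I", dst) + b"\xc3"


def dword_imm(b):
    """imm32 for MOV DWORD PTR [site],imm32 that writes bytes b[0:4] (little-endian)."""
    return struct.unpack_from("<I", b)[0]


def word_imm(b):
    return struct.unpack_from("<H", b)[0]


def redirect_patch(site, part, relative):
    """(imm32, imm16) to write at site and site+4 so execution lands in cave part `part`.
    Sites inside the .exe image get a direct JMP (imm16 is None); sites only known as
    ASPR_BASE + offset get the position-independent PUSH/RETN thunk."""
    if not relative:
        return dword_imm(jmp_bytes(site, part)), None
    t = push_ret_thunk(part)
    return dword_imm(t), word_imm(t[4:])


def restore_patch(orig):
    """(imm32, imm16) that put the original bytes back (imm16 is None for 5-byte sites)."""
    return dword_imm(orig), (word_imm(orig[4:]) if len(orig) >= 6 else None)


def orig_jmp_target(site, orig):
    """Destination of the original E9 JMP at site, i.e. where the cave must jump back to."""
    if orig[0] != 0xE9:
        raise ValueError("not a rel32 JMP")
    return (site + 5 + struct.unpack_from("<i", orig, 1)[0]) & 0xFFFFFFFF


def build_chain():
    """One row per redirection: what to write to divert it and what to write to restore it."""
    rows = []
    for n, ((site, orig_hex), part) in enumerate(zip(REDIRECTIONS, CAVE_PARTS), 1):
        orig = bytes.fromhex(orig_hex)
        relative = site >= ASPR_BASE  # sites 6-9 live in ASProtect's block
        row = {"n": n, "site": site, "offset": site - ASPR_BASE if relative else None,
               "redirect": redirect_patch(site, part, relative), "restore": restore_patch(orig)}
        if not relative and jmp_bytes(site, part)[4] != orig[4]:
            # The cave writes a 5-byte JMP with one 4-byte MOV; that only works when
            # the JMP's 5th byte is already in place (it is 00 for all five sites here).
            raise ValueError(f"redirection {n}: JMP needs a second write for its 5th byte")
        if orig[0] == 0xE9:
            # Cave parts 1-4 end with a JMP (at part+10, right after the 10-byte MOV)
            # back to wherever the original JMP went.
            row["back"] = jmp_rel32(part + 10, orig_jmp_target(site, orig))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in build_chain():
        where = f"[EDI+{r['offset']:X}]" if r["offset"] is not None else f"[{r['site']:08X}]"
        print(f"{r['n']}: {where:14} redirect={tuple(hex(v) if v is not None else None for v in r['redirect'])}"
              f" restore={tuple(hex(v) if v is not None else None for v in r['restore'])}")
```

The rows reproduce the listing exactly: redirection 2 gives 1FD8DE9, redirection 6 gives 42B06768 plus C300, redirection 8's restore gives E857D88B plus 14B, and the jump back in cave part 1 gives the E98D01FEFF seen at 42B00F. When the cave moves (a different cave start, or ASProtect overwriting more of it), rerun this instead of redoing the hex by hand.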
Well, that's it.