ASProtect 1.23RC4 以壳解壳+暗桩修复+解除自校验+破解――ArtCursors V3.99B3
下载页面: http://www.onlinedown.net/soft/27328.htm
软件大小: 993KB
软件语言: 英文
软件类别: 国外软件/共享版/图标工具
运行环境: Win9x/Me/NT/2000/XP
加入时间: 2004-6-10 20:18:29
下载次数: 707
软件评级: ****
软件介绍: Aha-soft继ArtIcons后,又一套极佳的鼠标光标编辑工具,支持标准的16x16、32x32..及自订尺寸图示,除可观看、绘制、抓取、收集、和管理等功能外,亦有渐层着色功能及齐全的编辑工具。支持格式包括:ico、ani、cur、wmf、emf、bmp、jpg、jpeg、gif、png,它并从图像ICO、JPG等文件中导入。
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【调试环境】:WinXP、Ollydbg、PEiD、LordPE、ImportREC
―――――――――――――――――――――――――――――――――
【脱壳过程】:
有兄弟让看看这个东东,抽空看了一下,发现和以前版本的没有太多区别。
还看了一下其同门软件ArtIcons Pro V4.06b,脱壳方法和这个一样。
―――――――――――――――――――――――――――――――――
一、以壳解壳:Stolen Code + OEP
设置Ollydbg忽略除了“内存访问异常”之外的所有其它异常选项。老规矩:用IsDebug 1.4插件去掉Ollydbg的调试器标志。
00401000 68 01C05900 push ARTCUR.0059C001//进入OD后停在这
00401005 E8 01000000 call ARTCUR.0040100B
0040100A C3 retn
00B539EC 3100 xor dword ptr ds:[eax],eax//最后1次异常
00B539EE 64:8F05 00000000 pop dword ptr fs:[0]
00B539F5 58 pop eax
00B539F6 833D B07EB500 00 cmp dword ptr ds:[B57EB0],0
00B539FD 74 14 je short 00B53A13
00B539FF 6A 0C push 0C
00B53A01 B9 B07EB500 mov ecx,0B57EB0
00B53A06 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00B53A09 BA 04000000 mov edx,4
00B53A0E E8 2DD1FFFF call 00B50B40
00B53A13 FF75 FC push dword ptr ss:[ebp-4]
00B53A16 FF75 F8 push dword ptr ss:[ebp-8]
00B53A19 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00B53A1C 8338 00 cmp dword ptr ds:[eax],0
00B53A1F 74 02 je short 00B53A23
00B53A21 FF30 push dword ptr ds:[eax]
00B53A23 FF75 F0 push dword ptr ss:[ebp-10]
00B53A26 FF75 EC push dword ptr ss:[ebp-14]
00B53A29 C3 retn//此处下断,Shift+F9,断在这!
0012FF5C 00B67190
0012FF60 00400000 ASCII "MZP"
0012FF64 32C336F0
0012FF68 0012FFA4 //注意这里 ★
00B672D3 03C3 add eax,ebx
00B672D5 BB AC060000 mov ebx,6AC//注意这个值 ★ 这里就可以按“以壳解壳”的方法来脱壳了
00B672DA 0BDB or ebx,ebx
00B672DC 75 07 jnz short 00B672E5
00B672E5 E8 00000000 call 00B672EA
00B672EA 5D pop ebp
00B672EB 81ED 4DE14B00 sub ebp,4BE14D
00B672F1 8D85 F2E04B00 lea eax,dword ptr ss:[ebp+4BE0F2]
00B672F7 8D8D 94E14B00 lea ecx,dword ptr ss:[ebp+4BE194]
00B672FD 03CB add ecx,ebx
00B672FF 8941 01 mov dword ptr ds:[ecx+1],eax
00B67302 8D85 36E14B00 lea eax,dword ptr ss:[ebp+4BE136]
00B67308 8D8D FAE04B00 lea ecx,dword ptr ss:[ebp+4BE0FA]
00B6730E 8901 mov dword ptr ds:[ecx],eax
00B67310 B8 5E140000 mov eax,145E
00B67315 8D8D FFE04B00 lea ecx,dword ptr ss:[ebp+4BE0FF]
00B6731B 8901 mov dword ptr ds:[ecx],eax
00B6731D 8D8D 94E14B00 lea ecx,dword ptr ss:[ebp+4BE194]
00B67323 8D85 94F34B00 lea eax,dword ptr ss:[ebp+4BF394]
00B67329 51 push ecx
00B6732A 50 push eax
00B6732B E8 76FFFFFF call 00B672A6
00B67330 61 popad
00B67331 F3: prefix rep:
00B67332 EB 02 jmp short 00B67336
00B67362 FF53 0E call dword ptr ds:[ebx+E]//这个CALL里面处理 Stolen Code ★
00B67399 896C24 04 mov dword ptr ss:[esp+4],ebp
00B673A1 8D6424 04 lea esp,dword ptr ss:[esp+4]//push ebp ★
00B673A5 8BEC mov ebp,esp ★
00B673A7 81EC 0C000000 sub esp,0C//ADD ESP,-0C ★
00B674DE 8BC3 mov eax,ebx ; ARTCUR.00544CC3
00B674E3 83C0 51 add eax,51//mov eax,00544D14 ★
005451AC 55 push ebp
005451AD 8BEC mov ebp,esp
005451AF 83C4 F4 add esp,-0C
005451B2 B8 144D5400 mov eax,00544D14//Stolen Code
005451B7 E8 7018ECFF call ARTCUR.00406A2C
005451BC FF15 14BC5400 call dword ptr ds:[54BC14]; ARTCUR.00544BC0
005451C2 E8 4DEAEBFF call ARTCUR.00403C14
AsprDbgr v1.0beta (:P) Made by me... Manko.
iEP=401000 (E:\试炼场\脱壳学习\ASProtect\ArtCursors 4.02 Beta\ARTCUR.EXE
GST returns to: B42667
Trick aspr GST... (EAX=12121212h)
GV returns to: B51A61
IAT Start: 54E1A4
End: 54E994
Length: 7F0
IATentry 54E1F8 = B517A4 resolved as GetProcAddress
IATentry 54E1FC = B51C64 resolved as GetModuleHandleA
IATentry 54E210 = B51CD8 resolved as GetCommandLineA
IATentry 54E2B0 = B51C64 resolved as GetModuleHandleA
IATentry 54E340 = B51CC8 resolved as LockResource
IATentry 54E38C = B51C8C resolved as GetVersion
IATentry 54E3A8 = B517A4 resolved as GetProcAddress
IATentry 54E3B0 = B51C64 resolved as GetModuleHandleA
IATentry 54E3E4 = B51CC0 resolved as GetCurrentProcessId
IATentry 54E3F0 = B51CF0 resolved as FreeResource
SymbolInitialize seems to have frozen.
Any invalid IAT entries was NOT erased...
Dip-Table at adress: B57AB4
0 4FEE78 0 0 4FEECC 0 0 544BC0 544CBC 544CDC 0 4FEEF4 4FEEE4 0
Last SEH passed. Searching for signatures. Singlestepping to OEP!
Call + OEP-jump-setup at: B68015 ( Code: E8000000 5D81ED )
Mutated, stolen bytes at: B68060 ( Code: 61F3EB02 CD20EB01 )
Erase of stolen bytes at: B67FC4 ( Code: 9CFCBF03 80B600B9 )
Repz ... found. Skipping erase of stolen bytes. ;)
Dip from pre-OEP: 40692C (Reached from: B67FD5)
Sugested tempOEP at: 5451B7
00B60000 BB AC060000 mov ebx,6AC
00B60005 E9 DB720000 jmp UnPacked.00B672E5//跳至“以壳解壳”代码段
00B6896B 00A4E1 14006B65 add byte ptr ds:[ecx+656B0014],ah//异常
0012FDFC 00539780 返回到 dumped_.00539780
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课