[原创]破解eBookStudio
发表于:
2006-1-28 01:10
【破文标题】破解eBookStudio
【破文作者】yijun
【作者邮箱】yijun8354@sina.com
【破解工具】ollyice,peid0.94
【破解平台】XP
【软件名称】eBookStudio
【软件大小】2.5M
【原版下载】http://www.thespringsoft.com/products/ebookmaker/release/1.1/ebs11.exe
【保护方式】Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
【软件简介】一款电子书制作工具,还有加密功能!!!
------------------------------------------------------------------------
设置Ollydbg忽略所有异常。
OD载入程序eBookStudio.exe:
005A80B9 >/$ 55
push ebp
005A80BA |. 8BEC
mov ebp,
esp
005A80BC |. 6A FF
push -1
005A80BE |. 68 68025C00
push 005C0268
005A80C3 |. 68 007B5A00
push 005A7B00
; SE 处理程序安装
下BP OpenMutexA断点F9:
7C80EC1B > 8BFF
mov edi,
edi
7C80EC1D 55
push ebp
7C80EC1E 8BEC
mov ebp,
esp
7C80EC20 51
push ecx
7C80EC21 51
push ecx
7C80EC22 837D 10 00
cmp dword ptr [
ebp+10], 0
7C80EC26 56
push esi
此时堆栈为:
0012F5B8 005A190C /
CALL 到 OpenMutexA 来自 eBookStu.005A1906
0012F5BC 001F0001 |Access = 1F0001
0012F5C0 00000000 |Inheritable =
FALSE
0012F5C4 0012FBF8 \MutexName =
"D3C::DAA19B8698" //记下0012FBF8这个值!
Ctrl+G 转到 401000，在此处临时输入下面这段代码(思路是先用同名创建一次互斥体，再跳回 OpenMutexA 继续原流程，借此绕过 Armadillo 的双进程检测；其中的 12FBF8 要改成你自己刚才记下的 MutexName 地址):
00401000 60
pushad
00401001 9C
pushfd
00401002 68 F8FB1200
push 12FBF8 //刚才记下的值
00401007 33C0
xor eax,
eax
00401009 50
push eax
0040100A 50
push eax
0040100B E8 B5A6A577
call kernel32.CreateMutexA
00401010 9D
popfd
00401011 61
popad
00401012 - E9 7A13A677
jmp kernel32.OpenMutexA
(注:二进制代码为:60 9C 68 F8 FB 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C。注意 E8/E9 后面的 4 字节是相对偏移，取决于本机 kernel32 的加载基址:这串字节对应 CreateMutexA=7C80EB3F、OpenMutexA=7C80EC1B(与上面 7C80EC1B 处的断点一致)，而上方反汇编列出的 E8 B5A6A577 / E9 7A13A677 显然来自另一套 kernel32 基址。因此不要直接粘贴这些字节，应在 OD 里按指令输入 call kernel32.CreateMutexA 和 jmp kernel32.OpenMutexA，让 OD 自行计算偏移；push 12FBF8 同样要换成你自己记下的地址。)
将 401000 设为新 EIP(右键“此处为新 EIP”)，F9 后会再次断在 OpenMutexA 处；此时取消 OpenMutexA 断点，然后回到 401000 用“撤销选择”恢复原来的字节。务必恢复——401000 位于程序自身代码段，否则这段临时代码会被一并脱进 dump 文件。
下BP GetModuleHandleA断点并运行,断在以下地方:
7C80B529 > 8BFF
mov edi,
edi
7C80B52B 55
push ebp
7C80B52C 8BEC
mov ebp,
esp
7C80B52E 837D 08 00
cmp dword ptr [
ebp+8], 0
7C80B532 74 18
je short 7C80B54C
7C80B534 FF75 08
push dword ptr [
ebp+8]
7C80B537 E8 682D0000
call 7C80E2A4
7C80B53C 85C0
test eax,
eax
7C80B53E 74 08
je short 7C80B548
F9 约十次(次数与环境有关，不要死记；每次中断时看堆栈，直到出现下面这样 pModule = NULL、且返回地址 003D4B82 落在主程序映像之外的调用为止):
0012DEF8 003D4B82 /
CALL 到 GetModuleHandleA 来自 003D4B7C
0012DEFC 00000000 \pModule = NULL
清除断点ALT+F9:
003D4B82 8B4D 08
mov ecx, [
ebp+8]
; //返回到这里
003D4B85 3BC8
cmp ecx,
eax
003D4B87 75 07
jnz short 003D4B90
003D4B89 B8 18D33E00
mov eax, 3ED318
003D4B8E EB 30
jmp short 003D4BC0
003D4B90 393D D8D73E00
cmp [3ED7D8],
edi
003D4B96 B8 D8D73E00
mov eax, 3ED7D8
003D4B9B 74 0C
je short 003D4BA9 //JE改为JMP
003D4B9D 3B48 08
cmp ecx, [
eax+8]
003D4BA0 74 1B
je short 003D4BBD
003D4BA2 83C0 0C
add eax, 0C
003D4BA5 3938
cmp [
eax],
edi
ALT+M 打开内存映射，在包含 401000 的代码段上下“内存访问”断点(该断点作用于整个段，而不只是 401000 一个地址)，然后 F9；壳跳回原程序代码段时一般会在 OEP 处中断:
005753A0 55
push ebp //此处即 OEP(005753A0)。此时可以看见此处代码是红色，先删除内存断点，再在此直接用 OD 脱壳插件脱壳(勾选重建输入表)。若脱壳后的文件不能运行，可用 ImportREC 以 OEP=1753A0(ImageBase 为 400000 时的 RVA)重新修复输入表。
005753A1 8BEC
mov ebp,
esp
005753A3 83C4 F0
add esp, -10
005753A6 B8 E04C5700
mov eax, 00574CE0
005753AB E8 C015E9FF
call 00406970
005753B0 A1 70AC5700
mov eax, [57AC70]
005753B5 8B00
mov eax, [
eax]
005753B7 E8 ECB1EFFF
call 004705A8
005753BC 8B0D 70AC5700
mov ecx, [57AC70]
; eBookStu.0057BB7C
005753C2 8B09
mov ecx, [
ecx]
005753C4 B2 01
mov dl, 1
005753C6 A1 44874A00
mov eax, [4A8744]
005753CB E8 FC2AEFFF
call 00467ECC
005753D0 8B15 38AD5700
mov edx, [57AD38]
; eBookStu.0057C8E8
005753D6 8902
mov [
edx],
eax
005753D8 A1 38AD5700
mov eax, [57AD38]
005753DD 8B00
mov eax, [
eax]
005753DF E8 A876EFFF
call 0046CA8C
005753E4 A1 38AD5700
mov eax, [57AD38]
005753E9 8B00
mov eax, [
eax]
005753EB 8B10
mov edx, [
eax]
脱壳后该程序可以直接运行并且已经是注册版了^_^
------------------------------------------------------------------------
我本来参考csjwaman大侠的“联众台球圣手v4.7试用版-ARM3.60双进程非标准壳”一文,原文地址:http://bbs.pediy.com/showthread.php?threadid=17080。文中提到Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]实际应为ARM3.60双进程非标准壳。我参考了很久都没搞明白,结果还是照着原来脱Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks的思路去搞才解决,期待高人指点^_^
题外话:以前也脱过Armadillo 1.xx - 2.xx的壳不过不很成功,虽然可以用PEID查出软件是何种语言编写但是不能运行,更倒霉的是还被作者告了黑状,哎~~~~~~~~~~~~~不过今天终于把这个壳搞定了!!!
看看注册版做的电子书的效果吧!
------------------------------------------------------------------------
【版权声明】该文仅作学术交流,请支持正版软件!!