不好意思,pll823和pll621是亲戚不?:D
这个不是什么“在线下载的安装制作程序”
http://get.games.yahoo.com/proddesc?gamekey=lemonadetycoon2
这个是用它加壳的一个程序
这个是rce上的人分析的
1. Facts :
It appears to be protected by ActiveMark from TryMedia. I had a look at it, dumped it,
fixed import table, fixed relevant api calls. They actually emulate a few API for which
u can find a translation table in memory (ie APINAME, Offset of garbaged emulation),
hence u can easily fix those :
call dword ptr is replaced by nop call emulatedAPI (90 E8 XX XX XX XX).
jmp dword ptr is replaced by nop jmp emulatedtAPI (90 E9 XX XX XX XX).
mov dword ptr is replaced by nop mov reg32, Offset emulatedAPI (90 BX XX XX XX XX).
The following detection strings are used, it is easily bypassed :
FilemonClass
RegmonClass
File Monitor - Sysinternals:
www.sysinternals.com
Registry Monitor - Sysinternals:
www.sysinternals.com
\\.\NTICE
\\.\SICE
\\.\SIWVID
\\.\FROGSICE
\\.\SUPERBPM
INT3 backdoor is used too.
Loader APIs are checked for softBP (1st and 2nd byte... sounds dangerous to me, ah well).
Some API code is replicated in a buffer too (CreateThread for instance and Sleep).
Entrypoint is easy to find as well (0x2958D), the image is using thread for doing some
tasks, and you will find the UPX loader code to decompress, resolve API of some code
inside (Sigh !!!) which is garbaged.
2. Problem :
For some reason, it does an infinite loop after being fixed while accessing the file
MAIN.ARF (Seek Offsets are different from trial and dumped version). I Looked at it for
2 days and I can't figure out what is the thing I missed. I'd be very glad to get any
input from you guyz from this target. It must be a very stupid thing, coz the whole scheme
looks plain dodgy (we are very far from a ProtectCD, ASPR, VBOX, or SafeDisc wrapping scheme).
他包含的算法和anti
CRC32 loops, SHA-1 checks on the crypted-tunnel-VFS, Rijndael, anti debug threads, obfuscation and code-interleaving is the same. A lot of EBFF's to make Disasm'ing harder. Dumping is very easy, fixing the dump is harder (to hard for me ). I think
generating a valid license file (<VID>.lcn) is still the proper way for an
attack. But im not that Crypt-Wizard.