【作者大名】fobnn
【作者邮箱】luoyue_2005@163.com
【作者主页】
www.hack58.com
【使用工具】OD PEID LORDPE ImportREC1.42
【操作系统】Windows XP
【软件名称】Flash Album Creator 1.59
【下载地址】GOOGLE
【软件大小】1.48M
【加壳方式】Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
【软件简介】
Flash Album Creator lets you create your own digital photo album.
It's the perfect way to organize
and share your photographs.
You can export photo album as stand-alone (independently run) executable file, super convenient for distribution
and use. Burn it on CDs, send it by email. It's your Art to Share! You can also publish photo album online without HTML coding, since a ready to use HTML page was generated at the same time.
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------------
【内容】
①.用PEID载入为Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
运行后出现未注册提示,并有双进程.
②.转双进程为单进程.
用OD载入,HideOD打上.
004E9914 f>/$ 55
push ebp ;停在这里,仿VC的入口.
004E9915 |. 8BEC
mov ebp,
esp
004E9917 |. 6A FF
push -1
004E9919 |. 68 D0354F00
push flashbum.004F35D0
004E991E |. 68 34944E00
push flashbum.004E9434
; SE handler installation
004E9923 |. 64:A1 00000000
mov eax,
dword ptr fs:[0]
1.下断
BP OpenMutexA,F9run,运行中断
7C80EC1B k> 8BFF
mov edi,
edi ;中断在此
7C80EC1D 55
push ebp
7C80EC1E 8BEC
mov ebp,
esp
7C80EC20 51
push ecx
7C80EC21 51
push ecx
7C80EC22 837D 10 00
cmp dword ptr ss:[
ebp+10],0
****************************************************************
此时堆栈如下
0013F5B8 004E485D /
CALL 到 OpenMutexA 来自 flashbum.004E4857
0013F5BC 001F0001 |Access = 1F0001
0013F5C0 00000000 |Inheritable =
FALSE
0013F5C4 0013FBF8 \MutexName =
"A8::DAECE28122" ;这个在后面有用,其实把滚动条向上拖动一下,也能看到.
*****************************************************************************************************
2.CTRL+G前往表达式401000
在此键入代码
00401000 60
pushad ;此处新建EIP,RUN
00401001 9C
pushfd
00401002 68 F8FB1300
push 13FBF8
;这为上面堆栈的值,不同机器下不同吧 ; ASCII "A8::DAECE28122"
00401007 33C0
xor eax,
eax
00401009 50
push eax
0040100A 50
push eax
0040100B E8 2FDB407C
call kernel32.CreateMutexA
;这不能直接用十六进制添入
00401010 9D
popfd
00401011 61
popad
00401012 - E9 04DC407C
jmp kernel32.OpenMutexA
;这不能直接用十六进制添入
3.再次中断在OpenMutexA,取消断点后,我们回到401000,撤消修改.
②.寻找Magic Jump,避开输入表加密
1.下断点
BP GetModuleHandleA,F9run
运行中断,下面每次F9都要注意观察堆栈显示的情况
************************************************************
1.
0013ED50 77F45BD8 /
CALL to GetModuleHandleA from 77F45BD2
0013ED54 77F4501C \pModule =
"KERNEL32.DLL"
2.
0013F570 0047DDD9 /
CALL to GetModuleHandleA from pptFlash.0047DDD3
0013F574 00000000 \pModule = NULL
3.
0013E00C 00C160DB /
CALL to GetModuleHandleA from 00C160D5
0013E010 00C2B808 \pModule =
"kernel32.dll"
4.
0013E00C 00C160DB /
CALL to GetModuleHandleA from 00C160D5
0013E010 00C2B7FC \pModule =
"user32.dll"
5.
0013E048 00C20375 /
CALL to GetModuleHandleA from 00C2036F
0013E04C 00C71FF8 \pModule =
"SHLWAPI.dll"
6.
0013E02C 00C1653E /
CALL to GetModuleHandleA from 00C16538
;在此我们取消断点ALT+F9返回.
0013E030 00000000 \pModule = NULL
************************************************************
2.返回到
00C7653E 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
; SHLWAPI.77F40000
00C76541 3BC8
cmp ecx,
eax
00C76543 75 07
jnz short 00C7654C
00C76545 B8 A8B3C800
mov eax,0C8B3A8
00C7654A EB 2F
jmp short 00C7657B
00C7654C 393D D8B7C800
cmp dword ptr ds:[C8B7D8],
edi
00C76552 B8 D8B7C800
mov eax,0C8B7D8
00C76557 74 0C
je short 00C76565
;改为jmp short 00C76565
00C76559 3B48 08
cmp ecx,
dword ptr ds:[
eax+8]
00C7655C 74 1A
je short 00C76578
00C7655E 83C0 0C
add eax,0C
00C76561 3938
cmp dword ptr ds:[
eax],
edi
00C76563 ^ 75 F4
jnz short 00C76559
00C76565 FF75 0C
push dword ptr ss:[
ebp+C]
00C76568 FF75 08
push dword ptr ss:[
ebp+8]
00C7656B FF15 F890C800
call dword ptr ds:[C890F8]
; kernel32.GetProcAddress
00C76571 5F
pop edi
00C76572 5E
pop esi
00C76573 5B
pop ebx
00C76574 5D
pop ebp
00C76575 C2 0800
retn 8
3.取消断点,完成.
③.用内存断点走到OEP,
内存映射,项目 23
地址=00401000
;在此设,内存访问断点.F9RUN
大小=00096000 (614400.)
Owner=flashbum 00400000
区段=.text
类型=Imag 01001002
访问=R
初始访问=RWE
中断在OEP
004720D8 6A 60
push 60
;中断在OEP
004720DA 68 50244C00
push flashbum.004C2450
004720DF E8 042A0000
call flashbum.00474AE8
004720E4 BF 94000000
mov edi,94
004720E9 8BC7
mov eax,
edi
004720EB E8 30F8FFFF
call flashbum.00471920
004720F0 8965 E8
mov dword ptr ss:[
ebp-18],
esp
004720F3 8BF4
mov esi,
esp
004720F5 893E
mov dword ptr ds:[
esi],
edi
004720F7 56
push esi
004720F8 FF15 EC714900
call dword ptr ds:[4971EC]
; kernel32.GetVersionExA
④.DUMP ,FIXIAT.
----------------------------------------------------------------------
【总结】
看了许多大侠的Armadillo脱壳教程,今天抽出一点时间来,也写了一篇.望大侠们指点!
脱壳后,软件已经没有注册限制,其注册名就是WINDOWS当前的用户名.
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!