ACProtect v2.0 RSALock 顶层处理的一点分析
ACProtect v2.0 RSALock 顶层处理的一点分析 (A short analysis of the top-level RSALock key-check routine in ACProtect v2.0)
因为没有 key.dat 无法解码，所以只是简单看了一下，可能对伪注册有点帮助。(Without a valid key.dat the protected section cannot be decrypted, so this is only a quick look; it may be of some use for a fake-registration / check-bypass attempt. The listing below is an OllyDbg dump of the 32-bit x86 check routine starting at 0079AA76; names in angle brackets are analyst-assigned labels, not symbols from the binary.)
; ACProtect v2.0 "RSALock" top-level key check (OllyDbg dump, x86-32, Intel syntax).
; Delta-offset code: EBP holds the load delta (set by GetDeltaInEbp) and all data is
; addressed as [EBP+<symbol>]. Names in <> were assigned by the original analyst;
; bare [EBP+413A90] / [EBP+40F74C] are slots that were never named.
; Flow, as far as this dump shows:
;   1. build the path "<exe dir>\key.dat" from GetCommandLineA()
;   2. CreateFileA / ReadFile exactly 0x200 bytes into szRegName8
;   3. checksum (MulAdd) -> blacklist -> first decrypt + dword compare
;      -> machine-ID check -> second decrypt -> RSADecode -> FlagDecodingDone = 1
;   4. on any failure: write an E9 (JMP rel32) at the protected call site's return
;      address so the caller skips the whole still-encrypted region
;   5. re-encrypt this routine in place, POPAD x2, RETN
; Error codes written to the first WORD of szRegName8 on failure:
;   0FF00 = checksum mismatch, 0FF01 = banned name, 0FF02 = decrypt/compare mismatch
;   (the machine-ID mismatch and the open/read failures write no code).
; NOTE(review): the 4-byte NOP runs after most conditional jumps look like protector
; padding / obfuscation spacing; they carry no check logic.
0079AA76  CALL <GetDeltaInEbp>                          ; EBP = image delta for every [EBP+...] below
0079AA7B  CALL 0079AA91                                 ; pushes 0079AA80 and continues at 0079AA91. Bytes 0079AA80..0079AA90 are not in this dump; given the GetProcAddress call below and the "GetCommandLineA" annotation at 0079AA9D, this is almost certainly the inline string "GetCommandLineA\0" used as lpProcName
0079AA91  PUSH DWORD PTR [EBP+<hKernel32>]              ; kernel32.7C800000  (hModule)
0079AA97  CALL DWORD PTR [EBP+<AddrGetProcAddress>]     ; GetProcAddress(hKernel32, lpProcName pushed by the CALL above)
0079AA9D  CALL EAX                                      ; GetCommandLineA -> EAX = command line, typically "C:\dir\prog.exe" args
0079AA9F  MOV ESI,EAX                                   ; ESI = source (command line)
0079AAA1  LEA EDI,DWORD PTR [EBP+<lpPathkeydat>]        ; EDI = destination path buffer
0079AAA7  LODS BYTE PTR [ESI]                           ; --- copy loop: AL = next command-line byte
0079AAA8  OR AL,AL
0079AAAA  JE SHORT 0079AADC                             ; end of string
0079AAAC  NOP
0079AAAD  NOP
0079AAAE  NOP
0079AAAF  NOP
0079AAB0  CMP AL,5C                                     ; '\'
0079AAB2  JNZ SHORT 0079AABF
0079AAB4  NOP
0079AAB5  NOP
0079AAB6  NOP
0079AAB7  NOP
0079AAB8  MOV BYTE PTR [EBP+413A90],1                   ; flag: a '\' was seen, i.e. the command line carries a directory part
0079AABF  CMP DWORD PTR [ESI-5],4558452E                ; '.EXE' — the 4 bytes BEFORE the byte just loaded (LODS already advanced ESI)
0079AAC6  JE SHORT 0079AADC                             ; stop right after ".EXE"; the byte after it (quote/space/NUL) is not stored
0079AAC8  NOP
0079AAC9  NOP
0079AACA  NOP
0079AACB  NOP
0079AACC  CMP DWORD PTR [ESI-5],6578652E                ; '.exe'
0079AAD3  JE SHORT 0079AADC
0079AAD5  NOP
0079AAD6  NOP
0079AAD7  NOP
0079AAD8  NOP
0079AAD9  STOS BYTE PTR ES:[EDI]                        ; store the byte. NOTE(review): no length bound — the copy stops only at NUL or ".exe"; the size of lpPathkeydat is not visible here, so a long command line may overrun it
0079AADA  JMP SHORT 0079AAA7
0079AADC  DEC EDI                                       ; --- scan backwards from the last stored byte
0079AADD  MOV AL,BYTE PTR [EDI]
0079AADF  OR AL,AL
0079AAE1  JE SHORT 0079AAEB                             ; reached a NUL (nothing was copied)
0079AAE3  NOP
0079AAE4  NOP
0079AAE5  NOP
0079AAE6  NOP
0079AAE7  CMP AL,5C                                     ; '\'
0079AAE9  JNZ SHORT 0079AADC
0079AAEB  INC EDI                                       ; EDI -> first byte of the exe file name (just after the last '\')
0079AAEC  CMP BYTE PTR [EBP+413A90],1
0079AAF3  JE SHORT 0079AAFF
0079AAF5  NOP
0079AAF6  NOP
0079AAF7  NOP
0079AAF8  NOP
0079AAF9  LEA EDI,DWORD PTR [EBP+<lpPathkeydat>]        ; no '\' seen: write from the start of the buffer instead
0079AAFF  LEA ESI,DWORD PTR [EBP+<szkeydat>]
0079AB05  MOV ECX,1B
0079AB0A  REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]     ; overwrite the file-name part with the 0x1B-byte szkeydat template (contents not shown; per the prose it names "key.dat")
0079AB0C  CMP BYTE PTR [EBP+413A90],1                   ; NOTE: the dump skips 0079AB13 (2 bytes) — the conditional jump after this compare is missing; from the flow below it presumably goes to 0079AB24 when the flag is set
0079AB15  NOP
0079AB16  NOP
0079AB17  NOP
0079AB18  NOP
0079AB19  LEA EDI,DWORD PTR [EBP+<szkeydat>]            ; no directory part: open szkeydat as-is (relative to the current directory)
0079AB1F  JMP SHORT 0079AB35
0079AB21  NOP
0079AB22  NOP
0079AB23  NOP
0079AB24  MOV AX,WORD PTR [EDI]                         ; --- walk back through the copied path...
0079AB27  CMP AX,5C3A                                   ; ":\"
0079AB2B  JE SHORT 0079AB34
0079AB2D  NOP
0079AB2E  NOP
0079AB2F  NOP
0079AB30  NOP
0079AB31  DEC EDI
0079AB32  JMP SHORT 0079AB24
0079AB34  DEC EDI                                       ; EDI -> drive letter: start of "<drive>:\...\key.dat" (this also drops a leading quote copied from a quoted command line)
0079AB35  PUSH 0                                        ; hTemplateFile
0079AB37  PUSH 80                                       ; FILE_ATTRIBUTE_NORMAL
0079AB3C  PUSH 3                                        ; OPEN_EXISTING
0079AB3E  PUSH 0                                        ; lpSecurityAttributes
0079AB40  PUSH 1                                        ; FILE_SHARE_READ
0079AB42  PUSH 80000000                                 ; GENERIC_READ
0079AB47  PUSH EDI                                      ; lpFileName
0079AB47  PUSH EDI                                      ; (duplicate of the previous line in the original dump — same address, one instruction; transcription artifact)
0079AB48  CALL DWORD PTR [EBP+<AddrCreateFileA>]
0079AB4E  OR EAX,EAX
0079AB50  JNZ SHORT 0079AB5B                            ; NOTE(review): CreateFileA reports failure with INVALID_HANDLE_VALUE (-1), not 0, so this test never catches a missing file; that case only fails below because ReadFile fails and lpBytesRead != 0x200 (assuming the slot does not already hold 0x200)
0079AB52  NOP
0079AB53  NOP
0079AB54  NOP
0079AB55  NOP
0079AB56  JMP 0079ACBB                                  ; -> no-licence path
0079AB5B  PUSH EAX                                      ; hFile, kept on the stack for the CloseHandle call below
0079AB5C  LEA ESI,DWORD PTR [EBP+<lpBytesRead>]
0079AB62  LEA EDI,DWORD PTR [EBP+<szRegName8>]
0079AB68  PUSH 0                                        ; lpOverlapped
0079AB6A  PUSH ESI                                      ; lpNumberOfBytesRead
0079AB6B  PUSH 200                                      ; nNumberOfBytesToRead = 0x200
0079AB70  PUSH EDI                                      ; lpBuffer = szRegName8
0079AB71  PUSH EAX                                      ; hFile
0079AB72  CALL DWORD PTR [EBP+<AddrReadFile>]           ; read 0x200 bytes; the BOOL result is not checked
0079AB78  CALL DWORD PTR [EBP+<AddrCloseHandle>]        ; CloseHandle(hFile): its argument is the EAX pushed at 0079AB5B (ReadFile is stdcall and popped its own five)
0079AB7E  CMP DWORD PTR [EBP+<lpBytesRead>],200
0079AB88  JNZ 0079ACBB                                  ; key.dat must deliver exactly 0x200 bytes
0079AB8E  LEA EAX,DWORD PTR [EBP+<szRegName8pE0>]       ; key.dat + 0xE0
0079AB94  MOV ECX,80
0079AB99  CALL <MulAdd>                                 ; weighted-sum checksum over 0x80 bytes (body not shown)
0079AB9E  CMP EAX,DWORD PTR [EBP+<ValMulAdd>]
0079ABA4  JE SHORT 0079ABB8
0079ABA6  NOP
0079ABA7  NOP
0079ABA8  NOP
0079ABA9  NOP
0079ABAA  MOV WORD PTR [EBP+<szRegName8>],0FF00         ; error 0xFF00: checksum mismatch
0079ABB3  JMP 0079ACBB
0079ABB8  LEA ESI,DWORD PTR [EBP+<szBannedID>]          ; blacklist of registration names, 0x20-byte entries
0079ABBE  LEA EDI,DWORD PTR [EBP+<szRegName8>]          ; name read from key.dat (its first 0x20 bytes)
0079ABC4  CMP DWORD PTR [ESI],0
0079ABC7  JE SHORT 0079AC04                             ; zero dword ends the list -> not banned
0079ABC9  NOP
0079ABCA  NOP
0079ABCB  NOP
0079ABCC  NOP
0079ABCD  CMP DWORD PTR [ESI],20202020                  ; "    " (four spaces) also ends the list
0079ABD3  JE SHORT 0079AC04
0079ABD5  NOP
0079ABD6  NOP
0079ABD7  NOP
0079ABD8  NOP
0079ABD9  MOV ECX,20
0079ABDE  REPE CMPS BYTE PTR ES:[EDI],BYTE PTR [ESI]    ; compare up to 0x20 bytes
0079ABE0  OR ECX,ECX
0079ABE2  JE SHORT 0079ABF6                             ; all 0x20 bytes equal -> banned
0079ABE4  NOP
0079ABE5  NOP
0079ABE6  NOP
0079ABE7  NOP
0079ABE8  CMP BYTE PTR [ESI-1],0
0079ABEC  JE SHORT 0079ABF6                             ; mismatch landed on the entry's NUL: the banned entry is a prefix of the name -> also banned
0079ABEE  NOP
0079ABEF  NOP
0079ABF0  NOP
0079ABF1  NOP
0079ABF2  ADD ESI,ECX                                   ; skip the remainder of this 0x20-byte entry
0079ABF4  JMP SHORT 0079ABBE
0079ABF6  MOV WORD PTR [EBP+<szRegName8>],0FF01         ; error 0xFF01: banned name
0079ABFF  JMP 0079ACBB
0079AC04  PUSH 10                                       ; 5th arg: 0x10
0079AC06  LEA ESI,DWORD PTR [EBP+<szRegName8p200>]
0079AC0C  PUSH ESI                                      ; 4th: key.dat + 0x200 (output, compared below)
0079AC0D  LEA ESI,DWORD PTR [EBP+<szRegName8pE0>]
0079AC13  PUSH ESI                                      ; 3rd: + 0xE0
0079AC14  LEA ESI,DWORD PTR [EBP+<szRegName8pD0>]
0079AC1A  PUSH ESI                                      ; 2nd: + 0xD0
0079AC1B  LEA ESI,DWORD PTR [EBP+<szRegName8p170>]
0079AC21  PUSH ESI                                      ; 1st: + 0x170
0079AC22  CALL DWORD PTR [EBP+<AddrPerplex_zcf_decrypt>] ; RSA decode (analyst's note); cdecl decrypt(+0x170, +0xD0, +0xE0, +0x200, 0x10). Which operand is ciphertext / modulus / exponent is not visible here
0079AC28  ADD ESP,14                                    ; caller cleans 5 args
0079AC2B  MOV ECX,10                                    ; 0x10 dwords
0079AC30  LEA ESI,DWORD PTR [EBP+<szRegName8>]
0079AC36  LEA EDI,DWORD PTR [EBP+<szRegName8p200>]
0079AC3C  LODS DWORD PTR [ESI]                          ; EAX = dword from the start of key.dat
0079AC3D  MOV EBX,DWORD PTR [EDI]                       ; EBX = dword of the decrypt output
0079AC3F  ADD EDI,4
0079AC42  DEC ECX
0079AC43  JE SHORT 0079AC61                             ; NOTE: ECX is decremented before the compare, so only 15 of the 16 dword pairs are checked; the 16th is loaded and discarded
0079AC45  NOP
0079AC46  NOP
0079AC47  NOP
0079AC48  NOP
0079AC49  CMP EAX,EBX                                   ; decrypt output must match the head of key.dat (original note said 0x10 bytes; the loop walks 0x10 dwords)
0079AC4B  JNZ SHORT 0079AC53
0079AC4D  NOP
0079AC4E  NOP
0079AC4F  NOP
0079AC50  NOP
0079AC51  JMP SHORT 0079AC3C
0079AC53  MOV WORD PTR [EBP+<szRegName8>],0FF02         ; error 0xFF02: decrypted block does not match
0079AC5C  JMP SHORT 0079ACBB
0079AC5E  NOP
0079AC5F  NOP
0079AC60  NOP
0079AC61  CMP DWORD PTR [EBP+<dwMachineID>],646E6152    ; bytes 52 61 6E 64 = "Rand": a licence carrying this value skips the hardware binding
0079AC6B  JE SHORT 0079AC83
0079AC6D  NOP
0079AC6E  NOP
0079AC6F  NOP
0079AC70  NOP
0079AC71  MOV EAX,DWORD PTR [EBP+<dwMachineID>]
0079AC77  CMP EAX,DWORD PTR [EBP+40F74C]                ; must equal the machine ID computed elsewhere (unnamed slot; computation not in this dump)
0079AC7D  JNZ SHORT 0079ACBB                            ; machine-ID mismatch: no error code is written
0079AC7F  NOP
0079AC80  NOP
0079AC81  NOP
0079AC82  NOP
0079AC83  PUSH 10                                       ; second decrypt: same layout, but input 1 is + 0x40
0079AC85  LEA ESI,DWORD PTR [EBP+<szRegName8p200>]
0079AC8B  PUSH ESI
0079AC8C  LEA ESI,DWORD PTR [EBP+<szRegName8pE0>]
0079AC92  PUSH ESI
0079AC93  LEA ESI,DWORD PTR [EBP+<szRegName8pD0>]
0079AC99  PUSH ESI
0079AC9A  LEA ESI,DWORD PTR [EBP+<szRegName8p40>]
0079ACA0  PUSH ESI
0079ACA1  CALL DWORD PTR [EBP+<AddrPerplex_zcf_decrypt>] ; RSA decode (analyst's note): decrypt(+0x40, +0xD0, +0xE0, +0x200, 0x10)
0079ACA7  ADD ESP,14
0079ACAA  CALL <RSADecode>                              ; decrypt the embedded (protected) code region (body not shown)
0079ACAF  MOV BYTE PTR [EBP+<FlagDecodingDone>],1       ; success flag for the rest of the loader
0079ACB6  JMP SHORT 0079ACF6
0079ACB8  NOP
0079ACB9  NOP
0079ACBA  NOP
0079ACBB  MOV EBX,DWORD PTR [EBP+<dwRetAddr>]           ; --- no-licence path: return address of the protected call site
0079ACC1  ADD EBX,2
0079ACC4  MOV ECX,-1
0079ACC9  INC ECX                                       ; search the RVA table for the entry equal to retaddr+2
0079ACCA  MOV EAX,DWORD PTR [EBP+ECX*4+<lpRetAddrTable>]
0079ACD1  OR EAX,EAX
0079ACD3  JE SHORT 0079ACF6                             ; zero entry = table exhausted: nothing is patched
0079ACD5  NOP
0079ACD6  NOP
0079ACD7  NOP
0079ACD8  NOP
0079ACD9  ADD EAX,DWORD PTR [EBP+<dwImageBase>]         ; RVA -> VA
0079ACDF  CMP EAX,EBX                                   ; match the return address
0079ACE1  JNZ SHORT 0079ACC9
0079ACE3  SUB EAX,2                                     ; EAX = dwRetAddr itself
0079ACE6  MOV ECX,DWORD PTR [EBP+ECX*4+<lpNoLicJmpTable>] ; parallel table: JMP displacement for this site
0079ACED  ADD ECX,8
0079ACF0  MOV BYTE PTR [EAX],0E9                        ; decoding failed: write "JMP rel32" at the return address so the caller skips the entire encrypted region (it is never executed without a valid key)
0079ACF3  MOV DWORD PTR [EAX+1],ECX
0079ACF6  PUSHAD
0079ACF7  CALL 0079ACFC                                 ; get EIP
0079ACFC  POP ESI                                       ; ESI = 0079ACFC
0079ACFD  SUB ESI,6                                     ; = 0079ACF6
0079AD00  MOV ECX,280
0079AD05  SUB ESI,ECX                                   ; = 0079AA76, start of this routine
0079AD07  MOV EDX,3A22136B                              ; running key seed
0079AD0C  SHR ECX,2                                     ; 0x280 / 4 = 0xA0 dwords
0079AD0F  SUB ECX,2                                     ; ECX = 0x9E: highest dword index processed
0079AD12  CMP ECX,0
0079AD15  JL SHORT 0079AD31                             ; signed compare: loop ends after index 0
0079AD17  MOV EAX,DWORD PTR [ESI+ECX*4]                 ; P[i]
0079AD1A  MOV EBX,DWORD PTR [ESI+ECX*4+4]               ; E[i+1]: already re-encrypted on the previous iteration (for i = 0x9E it is the untouched dword at 0079ACF2)
0079AD1E  SUB EAX,EBX
0079AD20  ROR EAX,10
0079AD23  ADD EAX,EDX                                   ; E[i] = ROR(P[i] - E[i+1], 16) + K
0079AD25  ADD EDX,18063EBF                              ; K += 0x18063EBF per dword, walking from high to low address
0079AD2B  MOV DWORD PTR [ESI+ECX*4],EAX                 ; re-encrypt the routine in place (0079AA76..0079ACF1); the matching decryptor (not shown) would compute P[i] = ROL(E[i] - K, 16) + E[i+1]
0079AD2E  DEC ECX
0079AD2F  JMP SHORT 0079AD12
0079AD31  POPAD                                         ; matches the PUSHAD at 0079ACF6
0079AD32  POPAD                                         ; matches a PUSHAD outside this dump (caller side)
0079AD33  RETN
如果没有 "key.dat" 或解码失败，观察到的返回位置变成：(If key.dat is missing or decoding fails, the return site — after the E9 patch written at 0079ACF0–0079ACF3 — looks like this:)
; Observed call site after the no-licence patch: the 5 bytes at the return address of
; the CALL have been overwritten with E9 + rel32 (see 0079ACF0..0079ACF3 above).
0048193A  CALL 00407684                ; call into the protector; returns to 0048193F
0048193F  JMP 00485095                 ; the patched JMP: skips all of the encrypted code
ACProtect 2.0 只用了一组 RSALock。(ACProtect 2.0 uses only one RSALock set, so this single key.dat check gates the protected region.)