Manually unpacking HASP Protection V1.X-packed EXEs and DLLs with OllyDbg
Software download: http://fs1.minitab.com/Store/MTB14_StandardSetup.exe
Software download: ftp://ftp.aladdin.com/pub/hasp/hl/windows/installed/VendorTools/HASP_HL_Envelope.zip
Driver download: ftp://ftp.aladdin.com/pub/hasp/hl/windows/installed/redistribute/drivers/HASP_HL_driver_setup.zip
Software description: HASP HL protection and licensing software tools make up the Vendor Center program suite. HASP HL Envelope is one of the three programs included in the Vendor Center. The HASP HL Envelope is a tool that wraps your applications within a protective shield. The tool offers advanced protection features to enhance the overall level of security of your software. Implementing HASP HL Envelope protection is the fastest way to secure your software, and does not require you to alter any source code. You simply use the HASP HL Envelope graphical interface to apply protection parameters to an executable file. In addition, you can modify all protection parameters and customize messages displayed to end-users running the protected applications.
[Author's note]: Written purely out of interest, with no other purpose. Corrections from fellow experts are welcome.
[Debugging environment]: WinXP, OllyDBG, PEiD, LordPE, WinHex
―――――――――――――――――――――――――――――――――
[Unpacking process]:
At present, unpacking dongle packers whose programs run with the dongle attached (or run without one at all) is usually not too hard; dongle packers will presumably get stronger in the future.
I looked at HASP a few years ago; this is a write-up of those notes. A HASP-protected program that can only run with the dongle present is beyond what I can do.
Minitab serves as the EXE example.
The package downloaded from Aladdin's homepage is HASP_HL_Envelope V1.30. The EXE in it needs the dongle to run, so a DLL from that package serves as the DLL example (the walkthrough in part two uses hhle_w32.dll). You also need to download and install the HASP driver; then we can start.
Programs packed with HASP Protection use the default section name .protect; a PEiD signature for it can be:
[HASP HL Protection V1.X -> Aladdin]
signature = 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15
ep_only = true
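The PEiD signature above, matched the way PEiD applies it (at the entry point only, with ?? as a one-byte wildcard), as an added Python example that is not part of the original tutorial. The sample bytes are constructed from the EP disassembly in step 1 below; the last seven bytes (A3 00 00 00 00 8B 15) are filler for the instructions past the end of the quoted listing.

```python
# Added example, not from the tutorial: PEiD-style wildcard matcher for the
# HASP HL Protection V1.X entry-point signature.
HASP_HL_V1_SIG = (
    "55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? "
    "A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? "
    "83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? "
    "68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15"
)


def parse_signature(sig):
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def match_at(data, offset, pattern):
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def find_signature(data, sig, ep_only=True, ep_offset=0):
    """Offset of the match, or None.

    ep_only=True is PEiD's mode for this entry (compare only at the entry point, whose
    file offset you get by mapping AddressOfEntryPoint through the section table).
    ep_only=False scans the whole buffer, useful on a dump whose entry point has already
    been redirected to the OEP but which still carries the .protect section.
    """
    pattern = parse_signature(sig)
    if ep_only:
        return ep_offset if match_at(data, ep_offset, pattern) else None
    return next((o for o in range(len(data) - len(pattern) + 1) if match_at(data, o, pattern)), None)


# Constructed from the EP listing in step 1 (opcode bytes only); the trailing
# "A3 00 00 00 00 8B 15" stands in for the instructions past the quoted listing.
SAMPLE_EP = bytes.fromhex(
    "55 8B EC 53 56 57 60 8B C4 A3 F4 FE B9 00 B8 18 F5 B9 00 2B 05 3C F5 B9 00"
    " A3 3C F5 B9 00 83 3D F0 FE B9 00 00 74 15 8B 0D F4 FE B9 00 51 FF 15 F0 FE B9 00"
    " 83 C4 04 E9 A5 00 00 00 68 DC FE B9 00 FF 15 40 FF B9 00 A3 F8 F4 B9 00"
    " 68 E8 FE B9 00 FF 15 40 FF B9 00 A3 00 00 00 00 8B 15"
)
```

The wildcards cover the absolute addresses (the A3/B8/FF 15 operands), which is why the same signature fits both the Minitab EXE (image base 00400000, EP at 00B9F280) and a DLL; the fixed bytes are the packer's control flow (je +15, jmp +A5, add esp,4), which does not move.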
Set OllyDBG to ignore all exceptions, and use the IsDebug plugin to clear the debugger flag (PEB.BeingDebugged) that OllyDBG leaves set.
―――――――――――――――――――――――――――――――――
I. Manually unpacking a HASP Protection V1.X-packed EXE with OllyDBG
The downloaded Minitab V14.20.0.0 has a one-month trial and runs without a dongle.
Potassium has written a tutorial, "Manually_Unpacking_HASP_SL"; why am I writing this one? Compare the two and you will see.
――――――――――――――――――――――――
1. EP
00B9F280 55 push ebp
//OllyDBG pauses here after loading
00B9F281 8BEC mov ebp,esp
00B9F283 53 push ebx
00B9F284 56 push esi
00B9F285 57 push edi
00B9F286 60 pushad
00B9F287 8BC4 mov eax,esp
00B9F289 A3 F4FEB900 mov dword ptr ds:[B9FEF4],eax
00B9F28E B8 18F5B900 mov eax,Mtb14.00B9F518
00B9F293 2B05 3CF5B900 sub eax,dword ptr ds:[B9F53C]
00B9F299 A3 3CF5B900 mov dword ptr ds:[B9F53C],eax
00B9F29E 833D F0FEB900 00 cmp dword ptr ds:[B9FEF0],0
00B9F2A5 74 15 je short Mtb14.00B9F2BC
00B9F2A7 8B0D F4FEB900 mov ecx,dword ptr ds:[B9FEF4]
00B9F2AD 51 push ecx
00B9F2AE FF15 F0FEB900 call near dword ptr ds:[B9FEF0]
00B9F2B4 83C4 04 add esp,4
00B9F2B7 E9 A5000000 jmp Mtb14.00B9F361
00B9F2BC 68 DCFEB900 push Mtb14.00B9FEDC ; ASCII "kernel32"
00B9F2C1 FF15 40FFB900 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
00B9F2C7 A3 F8F4B900 mov dword ptr ds:[B9F4F8],eax
00B9F2CC 68 E8FEB900 push Mtb14.00B9FEE8 ; ASCII "user32"
00B9F2D1 FF15 40FFB900 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
――――――――――――――――――――――――
2. Anti
Let's see what anti-debugging this HASP packer has.
BP IsDebuggerPresent
Shift+F9; after the break, remove the breakpoint and return to the caller:
00BAA4AC 55 push ebp
00BAA4AD 8BEC mov ebp,esp
00BAA4AF 81EC 9C000000 sub esp,9C
00BAA4B5 53 push ebx
00BAA4B6 FF15 6CF8BA00 call near dword ptr ds:[<&KERNEL32.IsDebuggerPresent>]
//IsDebuggerPresent check (reads PEB.BeingDebugged, which the IsDebug plugin has cleared)
00BAA4BC 8BD8 mov ebx,eax
//EAX must of course be 00000000 here
00BAA4BE 85DB test ebx,ebx
00BAA4C0 0F85 AC000000 jnz Mtb14.00BAA572
00BAA4C6 57 push edi
00BAA4C7 90 nop
00BAA4C8 90 nop
00BAA4C9 6A 24 push 24
00BAA4CB 90 nop
00BAA4CC 59 pop ecx
00BAA4CD 8DBD 68FFFFFF lea edi,dword ptr ss:[ebp-98]
00BAA4D3 F3:AB rep stos dword ptr es:[edi]
00BAA4D5 90 nop
00BAA4D6 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
00BAA4DC 50 push eax
00BAA4DD 90 nop
00BAA4DE C785 64FFFFFF 9400000>mov dword ptr ss:[ebp-9C],94
00BAA4E8 FF15 4CF8BA00 call near dword ptr ds:[<&KERNEL32.GetVersionExA>]
00BAA4EE 85C0 test eax,eax
00BAA4F0 74 7F je short Mtb14.00BAA571
00BAA4F2 83BD 74FFFFFF 02 cmp dword ptr ss:[ebp-8C],2
//OSVERSIONINFOA.dwPlatformId == VER_PLATFORM_WIN32_NT: the second check only runs on NT-based Windows
00BAA4F9 75 76 jnz short Mtb14.00BAA571
00BAA4FB FF15 48F8BA00 call near dword ptr ds:[<&KERNEL32.GetCurrentProcessId>]
00BAA501 50 push eax
00BAA502 53 push ebx
00BAA503 68 00040000 push 400
//0x400 = PROCESS_QUERY_INFORMATION; it opens a handle to its own process (PID pushed above)
00BAA508 90 nop
00BAA509 90 nop
00BAA50A 90 nop
00BAA50B FF15 44F8BA00 call near dword ptr ds:[<&KERNEL32.OpenProcess>]
00BAA511 8BF8 mov edi,eax
00BAA513 90 nop
00BAA514 90 nop
00BAA515 90 nop
00BAA516 90 nop
00BAA517 85FF test edi,edi
00BAA519 74 56 je short Mtb14.00BAA571
00BAA51B 68 88FEBA00 push Mtb14.00BAFE88
00BAA520 90 nop
00BAA521 FF15 50F8BA00 call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
00BAA527 85C0 test eax,eax
00BAA529 74 3F je short Mtb14.00BAA56A
00BAA52B 90 nop
00BAA52C 90 nop
00BAA52D 68 6CFEBA00 push Mtb14.00BAFE6C
00BAA532 90 nop
00BAA533 90 nop
00BAA534 50 push eax
00BAA535 90 nop
00BAA536 90 nop
00BAA537 90 nop
00BAA538 FF15 3CF8BA00 call near dword ptr ds:[<&KERNEL32.GetProcAddress>]
00BAA53E 85C0 test eax,eax
00BAA540 74 28 je short Mtb14.00BAA56A
00BAA542 215D F8 and dword ptr ss:[ebp-8],ebx
00BAA545 90 nop
00BAA546 215D FC and dword ptr ss:[ebp-4],ebx
00BAA549 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00BAA54C 90 nop
00BAA54D 90 nop
00BAA54E 90 nop
00BAA54F 51 push ecx
00BAA550 6A 04 push 4
00BAA552 8D4D FC lea ecx,dword ptr ss:[ebp-4]
00BAA555 51 push ecx
00BAA556 6A 07 push 7
00BAA558 90 nop
00BAA559 90 nop
00BAA55A 57 push edi
00BAA55B FFD0 call near eax ;ntdll.ZwQueryInformationProcess
//ZwQueryInformationProcess check: class 7 (pushed at 00BAA556) is ProcessDebugPort, a 4-byte result written to [ebp-4]
00BAA55D 85C0 test eax,eax
00BAA55F 75 09 jnz short Mtb14.00BAA56A
00BAA561 90 nop
00BAA562 3945 FC cmp dword ptr ss:[ebp-4],eax
//[ebp-4], the returned debug port, must be 00000000; a non-zero port means a debugger is attached
00BAA565 74 03 je short Mtb14.00BAA56A
//this jump must be taken, otherwise ebx (the return value) is incremented to 1
00BAA567 90 nop
00BAA568 90 nop
00BAA569 43 inc ebx
00BAA56A 57 push edi
00BAA56B FF15 F4F7BA00 call near dword ptr ds:[<&KERNEL32.CloseHandle>]
00BAA571 5F pop edi
00BAA572 8BC3 mov eax,ebx
00BAA574 5B pop ebx
00BAA575 90 nop
00BAA576 C9 leave
00BAA577 C3 retn
Because this check runs many times, we patch it once inside OpenProcess itself (in kernel32, for this debugging session only; kernel32 is not part of the dump, so the patch never reaches the unpacked file):
7C81E079 33C0 xor eax,eax
7C81E07B C2 0C00 retn 0C
With OpenProcess returning NULL, the test edi,edi at 00BAA517 sends every run of the check straight to the exit path, so ZwQueryInformationProcess is never reached. The IsDebug plugin only clears PEB.BeingDebugged, which is enough for IsDebuggerPresent; the ProcessDebugPort query is answered by the kernel and is not affected by the plugin, hence the patch. Keep in mind that any legitimate OpenProcess call the program makes will also fail while the patch is in place.
――――――――――――――――――――――――
3. Import Table
BP VirtualProtect [ESP]<10000000 (conditional: break only when the return address on the stack is below 10000000, i.e. the caller is inside the program rather than a system DLL)
Shift+F9; the trial dialog appears; click "I want to try MINITAB Release 14".
After the break, remove the breakpoint. Next: BP GetModuleHandleA
Shift+F9; after the break, remove the breakpoint. Look at the stack and registers:
0012FBAC 00BA3145 /CALL to GetModuleHandleA from Mtb14.00BA3142
0012FBB0 00B0508C \pModule = "IMM32.dll"
EAX 00B0508C ASCII "IMM32.dll"
ECX 00B0508C ASCII "IMM32.dll"
EDX 00AFDF08 Mtb14.00AFDF08 ★
EBX 00000000
ESP 0012FBAC
EBP 0012FC00
ESI 00BA5C08 Mtb14.00BA5C08
EDI 00BA3FC0 Mtb14.00BA3FC0
EIP 7C80B529 kernel32.GetModuleHandleA
Note that the EDX value is the Import Table VA. Right-click EDX, Follow in Dump, and you can see the IID (IMAGE_IMPORT_DESCRIPTOR) array. EDX holding this pointer is a convenient accident of this call site, not a guarantee; confirm it by checking that each descriptor's Name RVA plus the image base points at a DLL name string.
What follows is HASP's import-table processing loop. If we trace on to the OEP and dump there, HASP will already have rewritten part of the IAT: the loop below wipes each hint/name entry after resolving it (00BA3399) and, for selected APIs, stores the address of a packer stub (00BA33A8, 00BA33C3) or a pointer into its own redirect table (00BA3409) instead of the real address.
At this moment, just before the loop runs, HASP has completely decoded the program and has not touched the import table yet, so a dump taken now does not even need ImportREC to rebuild the imports. This is the ideal moment to dump!
Run LordPE and take a full dump of the process.
00BA311A 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00BA311D 83C0 14 add eax,14
00BA3120 8945 F4 mov dword ptr ss:[ebp-C],eax
00BA3123 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00BA3126 8379 0C 00 cmp dword ptr ds:[ecx+C],0
00BA312A 0F84 2C030000 je Mtb14.00BA345C
00BA3130 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00BA3133 A1 6452BA00 mov eax,dword ptr ds:[BA5264]
00BA3138 0342 0C add eax,dword ptr ds:[edx+C]
00BA313B 8945 FC mov dword ptr ss:[ebp-4],eax
00BA313E 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00BA3141 51 push ecx
00BA3142 FF55 E4 call near dword ptr ss:[ebp-1C]
00BA3145 8945 E0 mov dword ptr ss:[ebp-20],eax
//GetModuleHandleA returns here; if it returned 0 the loader function at [ebp-24] (presumably LoadLibraryA) is tried next
00BA3148 837D E0 00 cmp dword ptr ss:[ebp-20],0
00BA314C 75 0A jnz short Mtb14.00BA3158
00BA314E 8B55 FC mov edx,dword ptr ss:[ebp-4]
00BA3151 52 push edx
00BA3152 FF55 DC call near dword ptr ss:[ebp-24]
00BA3155 8945 E0 mov dword ptr ss:[ebp-20],eax
00BA3158 837D E0 00 cmp dword ptr ss:[ebp-20],0
00BA315C 75 40 jnz short Mtb14.00BA319E
00BA315E 68 B451BA00 push Mtb14.00BA51B4
00BA3163 68 0052BA00 push Mtb14.00BA5200
00BA3168 E8 FC0C0000 call Mtb14.00BA3E69
00BA316D 83C4 08 add esp,8
00BA3170 6A 2D push 2D
00BA3172 8B45 FC mov eax,dword ptr ss:[ebp-4]
00BA3175 50 push eax
00BA3176 68 0052BA00 push Mtb14.00BA5200
00BA317B E8 510C0000 call Mtb14.00BA3DD1
00BA3180 83C4 0C add esp,0C
00BA3183 68 0052BA00 push Mtb14.00BA5200
00BA3188 6A 1F push 1F
00BA318A 6A 00 push 0
00BA318C 8B0D BC3FBA00 mov ecx,dword ptr ds:[BA3FBC]
00BA3192 FF11 call near dword ptr ds:[ecx]
00BA3194 B8 03000000 mov eax,3
00BA3199 E9 C0020000 jmp Mtb14.00BA345E
00BA319E 68 2850BA00 push Mtb14.00BA5028
00BA31A3 8B55 FC mov edx,dword ptr ss:[ebp-4]
00BA31A6 52 push edx
00BA31A7 E8 ECFCFFFF call Mtb14.00BA2E98
00BA31AC 83C4 08 add esp,8
00BA31AF F7D8 neg eax
00BA31B1 1BC0 sbb eax,eax
00BA31B3 40 inc eax
00BA31B4 8945 D4 mov dword ptr ss:[ebp-2C],eax
00BA31B7 8B45 FC mov eax,dword ptr ss:[ebp-4]
00BA31BA 50 push eax
00BA31BB E8 E50C0000 call Mtb14.00BA3EA5
00BA31C0 83C4 04 add esp,4
00BA31C3 50 push eax
00BA31C4 68 8C52BA00 push Mtb14.00BA528C
00BA31C9 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00BA31CC 51 push ecx
00BA31CD E8 28070000 call Mtb14.00BA38FA
00BA31D2 83C4 0C add esp,0C
00BA31D5 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00BA31D8 A1 6452BA00 mov eax,dword ptr ds:[BA5264]
00BA31DD 0342 10 add eax,dword ptr ds:[edx+10]
00BA31E0 8945 B8 mov dword ptr ss:[ebp-48],eax
00BA31E3 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00BA31E6 8339 00 cmp dword ptr ds:[ecx],0
00BA31E9 75 08 jnz short Mtb14.00BA31F3
00BA31EB 8B55 B8 mov edx,dword ptr ss:[ebp-48]
00BA31EE 8955 F8 mov dword ptr ss:[ebp-8],edx
00BA31F1 EB 0E jmp short Mtb14.00BA3201
00BA31F3 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00BA31F6 8B0D 6452BA00 mov ecx,dword ptr ds:[BA5264]
00BA31FC 0308 add ecx,dword ptr ds:[eax]
00BA31FE 894D F8 mov dword ptr ss:[ebp-8],ecx
00BA3201 EB 1B jmp short Mtb14.00BA321E
00BA3203 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00BA3206 83C2 04 add edx,4
00BA3209 8955 F8 mov dword ptr ss:[ebp-8],edx
00BA320C 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00BA320F 83C0 04 add eax,4
00BA3212 8945 B8 mov dword ptr ss:[ebp-48],eax
00BA3215 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
00BA3218 83C1 01 add ecx,1
00BA321B 894D D0 mov dword ptr ss:[ebp-30],ecx
00BA321E 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00BA3221 833A 00 cmp dword ptr ds:[edx],0
00BA3224 0F84 23020000 je Mtb14.00BA344D
00BA322A 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00BA322D 8B08 mov ecx,dword ptr ds:[eax]
00BA322F 81E1 00000080 and ecx,80000000
//IMAGE_ORDINAL_FLAG32: import by ordinal, the ordinal is the low word
00BA3235 85C9 test ecx,ecx
00BA3237 74 0F je short Mtb14.00BA3248
00BA3239 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00BA323C 8B02 mov eax,dword ptr ds:[edx]
00BA323E 25 FFFF0000 and eax,0FFFF
00BA3243 8945 BC mov dword ptr ss:[ebp-44],eax
00BA3246 EB 49 jmp short Mtb14.00BA3291
00BA3248 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00BA324B 8B11 mov edx,dword ptr ds:[ecx]
00BA324D A1 6452BA00 mov eax,dword ptr ds:[BA5264]
00BA3252 8D4C10 02 lea ecx,dword ptr ds:[eax+edx+2]
//import by name: skip the Hint word of IMAGE_IMPORT_BY_NAME to reach the function name
00BA3256 894D BC mov dword ptr ss:[ebp-44],ecx
00BA3259 837D D4 00 cmp dword ptr ss:[ebp-2C],0
00BA325D 74 32 je short Mtb14.00BA3291
00BA325F 68 3850BA00 push Mtb14.00BA5038
00BA3264 8B55 BC mov edx,dword ptr ss:[ebp-44]
00BA3267 52 push edx
00BA3268 E8 E4FCFFFF call Mtb14.00BA2F51
00BA326D 83C4 08 add esp,8
00BA3270 F7D8 neg eax
00BA3272 1BC0 sbb eax,eax
00BA3274 40 inc eax
00BA3275 8945 CC mov dword ptr ss:[ebp-34],eax
00BA3278 68 4450BA00 push Mtb14.00BA5044
00BA327D 8B45 BC mov eax,dword ptr ss:[ebp-44]
00BA3280 50 push eax
00BA3281 E8 CBFCFFFF call Mtb14.00BA2F51
00BA3286 83C4 08 add esp,8
00BA3289 F7D8 neg eax
00BA328B 1BC0 sbb eax,eax
00BA328D 40 inc eax
00BA328E 8945 C0 mov dword ptr ss:[ebp-40],eax
00BA3291 8B4D BC mov ecx,dword ptr ss:[ebp-44]
00BA3294 51 push ecx
00BA3295 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00BA3298 52 push edx
00BA3299 FF15 B03FBA00 call near dword ptr ds:[BA3FB0]
//resolve (hModule, name or ordinal): the result is saved in the table at [BA5268], not yet in the IAT
00BA329F 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
00BA32A2 8B15 6852BA00 mov edx,dword ptr ds:[BA5268]
00BA32A8 89048A mov dword ptr ds:[edx+ecx*4],eax
00BA32AB 8B45 C8 mov eax,dword ptr ss:[ebp-38]
00BA32AE 8B0D 6852BA00 mov ecx,dword ptr ds:[BA5268]
00BA32B4 833C81 00 cmp dword ptr ds:[ecx+eax*4],0
00BA32B8 0F85 AB000000 jnz Mtb14.00BA3369
00BA32BE 68 C451BA00 push Mtb14.00BA51C4
00BA32C3 68 0052BA00 push Mtb14.00BA5200
00BA32C8 E8 9C0B0000 call Mtb14.00BA3E69
00BA32CD 83C4 08 add esp,8
00BA32D0 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00BA32D3 8B02 mov eax,dword ptr ds:[edx]
00BA32D5 25 00000080 and eax,80000000
00BA32DA 85C0 test eax,eax
00BA32DC 74 39 je short Mtb14.00BA3317
00BA32DE 68 E051BA00 push Mtb14.00BA51E0
00BA32E3 68 0052BA00 push Mtb14.00BA5200
00BA32E8 E8 8E0A0000 call Mtb14.00BA3D7B
00BA32ED 83C4 08 add esp,8
00BA32F0 6A 10 push 10
00BA32F2 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00BA32F5 51 push ecx
00BA32F6 8B55 BC mov edx,dword ptr ss:[ebp-44]
00BA32F9 52 push edx
00BA32FA E8 A3090000 call Mtb14.00BA3CA2
00BA32FF 83C4 0C add esp,0C
00BA3302 6A 46 push 46
00BA3304 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00BA3307 50 push eax
00BA3308 68 0052BA00 push Mtb14.00BA5200
00BA330D E8 BF0A0000 call Mtb14.00BA3DD1
00BA3312 83C4 0C add esp,0C
00BA3315 EB 13 jmp short Mtb14.00BA332A
00BA3317 6A 46 push 46
00BA3319 8B4D BC mov ecx,dword ptr ss:[ebp-44]
00BA331C 51 push ecx
00BA331D 68 0052BA00 push Mtb14.00BA5200
00BA3322 E8 AA0A0000 call Mtb14.00BA3DD1
00BA3327 83C4 0C add esp,0C
00BA332A 68 EC51BA00 push Mtb14.00BA51EC
00BA332F 68 0052BA00 push Mtb14.00BA5200
00BA3334 E8 420A0000 call Mtb14.00BA3D7B
00BA3339 83C4 08 add esp,8
00BA333C 6A 59 push 59
00BA333E 8B55 FC mov edx,dword ptr ss:[ebp-4]
00BA3341 52 push edx
00BA3342 68 0052BA00 push Mtb14.00BA5200
00BA3347 E8 850A0000 call Mtb14.00BA3DD1
00BA334C 83C4 0C add esp,0C
00BA334F 68 0052BA00 push Mtb14.00BA5200
00BA3354 6A 1F push 1F
00BA3356 6A 00 push 0
00BA3358 A1 BC3FBA00 mov eax,dword ptr ds:[BA3FBC]
00BA335D FF10 call near dword ptr ds:[eax]
00BA335F B8 03000000 mov eax,3
00BA3364 E9 F5000000 jmp Mtb14.00BA345E
00BA3369 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00BA336C 8B11 mov edx,dword ptr ds:[ecx]
00BA336E 81E2 00000080 and edx,80000000
00BA3374 85D2 test edx,edx
00BA3376 75 1E jnz short Mtb14.00BA3396
00BA3378 8B45 BC mov eax,dword ptr ss:[ebp-44]
00BA337B 50 push eax
00BA337C E8 240B0000 call Mtb14.00BA3EA5
00BA3381 83C4 04 add esp,4
00BA3384 50 push eax
00BA3385 68 9052BA00 push Mtb14.00BA5290
00BA338A 8B4D BC mov ecx,dword ptr ss:[ebp-44]
00BA338D 51 push ecx
00BA338E E8 67050000 call Mtb14.00BA38FA
00BA3393 83C4 0C add esp,0C
00BA3396 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00BA3399 C702 00000000 mov dword ptr ds:[edx],0
//the hint/name entry just resolved is zeroed; from here on the import name is gone from memory, which is why the dump is taken before this loop runs
00BA339F 837D CC 00 cmp dword ptr ss:[ebp-34],0
00BA33A3 74 15 je short Mtb14.00BA33BA
00BA33A5 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00BA33A8 C700 BA38BA00 mov dword ptr ds:[eax],Mtb14.00BA38BA
//for an API flagged at 00BA3275: the IAT slot receives the packer stub 00BA38BA instead of the real address
00BA33AE C745 CC 00000000 mov dword ptr ss:[ebp-34],0
00BA33B5 E9 8E000000 jmp Mtb14.00BA3448
00BA33BA 837D C0 00 cmp dword ptr ss:[ebp-40],0
00BA33BE 74 12 je short Mtb14.00BA33D2
00BA33C0 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
00BA33C3 C701 A62FBA00 mov dword ptr ds:[ecx],Mtb14.00BA2FA6
//for an API flagged at 00BA328E: the IAT slot receives the packer stub 00BA2FA6
00BA33C9 C745 C0 00000000 mov dword ptr ss:[ebp-40],0
00BA33D0 EB 76 jmp short Mtb14.00BA3448
00BA33D2 8B75 D0 mov esi,dword ptr ss:[ebp-30]
00BA33D5 C1EE 05 shr esi,5
00BA33D8 8B45 D0 mov eax,dword ptr ss:[ebp-30]
00BA33DB 33D2 xor edx,edx
00BA33DD B9 20000000 mov ecx,20
00BA33E2 F7F1 div ecx
00BA33E4 8BCA mov ecx,edx
00BA33E6 BA 01000000 mov edx,1
00BA33EB D3E2 shl edx,cl
00BA33ED 8B04B5 EC3FBA00 mov eax,dword ptr ds:[esi*4+BA3FEC]
00BA33F4 23C2 and eax,edx
00BA33F6 85C0 test eax,eax
00BA33F8 74 2E je short Mtb14.00BA3428
//bit set in the mask at BA3FEC for this import index: the IAT slot gets a pointer into the packer's 8-byte-per-entry redirect table at [BA526C] (00BA3409); bit clear: the real address saved at [BA5268] is copied into the IAT and the saved copy cleared (00BA3436, 00BA3441)
00BA33FA 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
00BA33FD 8B15 6C52BA00 mov edx,dword ptr ds:[BA526C]
00BA3403 8D04CA lea eax,dword ptr ds:[edx+ecx*8]
00BA3406 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
00BA3409 8901 mov dword ptr ds:[ecx],eax
00BA340B 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00BA340E 83C2 01 add edx,1
00BA3411 8955 C8 mov dword ptr ss:[ebp-38],edx
00BA3414 8B45 C8 mov eax,dword ptr ss:[ebp-38]
00BA3417 3B05 E83FBA00 cmp eax,dword ptr ds:[BA3FE8]
00BA341D 75 07 jnz short Mtb14.00BA3426
00BA341F C745 C8 00000000 mov dword ptr ss:[ebp-38],0
00BA3426 EB 20 jmp short Mtb14.00BA3448
00BA3428 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
00BA342B 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00BA342E A1 6852BA00 mov eax,dword ptr ds:[BA5268]
00BA3433 8B1490 mov edx,dword ptr ds:[eax+edx*4]
00BA3436 8911 mov dword ptr ds:[ecx],edx
00BA3438 8B45 C8 mov eax,dword ptr ss:[ebp-38]
00BA343B 8B0D 6852BA00 mov ecx,dword ptr ds:[BA5268]
00BA3441 C70481 00000000 mov dword ptr ds:[ecx+eax*4],0
00BA3448 E9 B6FDFFFF jmp Mtb14.00BA3203
00BA344D 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00BA3450 C742 0C 00000000 mov dword ptr ds:[edx+C],0
00BA3457 E9 BEFCFFFF jmp Mtb14.00BA311A
00BA345C 33C0 xor eax,eax
00BA345E 5E pop esi
00BA345F 8BE5 mov esp,ebp
00BA3461 5D pop ebp
00BA3462 C3 retn
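An added Python example (not from the tutorial, and not the packer's code) that walks the IMAGE_IMPORT_DESCRIPTOR array the same way the loop above does: descriptors terminated by a zero Name field, the hint/name table taken from OriginalFirstThunk or from FirstThunk when that is zero, the 0x80000000 ordinal test, and the +2 past the Hint word. It operates on an image laid out in memory order (offset == RVA), which is what a full dump looks like. The sample image, the IAT values and the stub range 00BA0000-00BB0000 are constructed; only the stub address 00BA38BA is taken from the listing.

```python
# Added example, not the packer's or the tutorial's code: parse the import table
# of a memory-layout image (offset == RVA) the way the loop above walks it.
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii", "replace")


def walk_imports(img, import_rva):
    """Returns [(dll_name, [(name_or_ordinal, iat_value), ...]), ...]."""
    result, off = [], import_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if name_rva == 0:                 # terminator: the loop above tests Name ([ecx+0Ch])
            break
        names = oft or ft                 # no hint/name table: names come from FirstThunk (00BA31E6)
        funcs, i = [], 0
        while True:
            entry = struct.unpack_from("<I", img, names + 4 * i)[0]
            if entry == 0:
                break
            iat_value = struct.unpack_from("<I", img, ft + 4 * i)[0]
            if entry & IMAGE_ORDINAL_FLAG32:          # the 'and ecx,80000000' test
                ident = entry & 0xFFFF                # ordinal, low word
            else:
                ident = _cstr(img, entry + 2)         # skip Hint, as 'lea ecx,[eax+edx+2]' does
            funcs.append((ident, iat_value))
            i += 1
        result.append((_cstr(img, name_rva), funcs))
        off += 20                         # sizeof(IMAGE_IMPORT_DESCRIPTOR), the 'add eax,14' above
    return result


def redirected_entries(imports, stub_lo, stub_hi):
    """IAT slots whose value lies inside the packer's section: these are the entries a
    late dump would carry as stubs instead of real API addresses."""
    return [(dll, ident) for dll, funcs in imports for ident, val in funcs if stub_lo <= val < stub_hi]


def build_sample_image():
    """Constructed image (not Minitab): one KERNEL32.dll descriptor with two name imports
    and one ordinal import; one IAT value has been redirected to the stub 00BA38BA."""
    img = bytearray(0x10000)
    img[0x9000:0x9000 + 13] = b"KERNEL32.dll\0"
    img[0x9100:0x9100 + 19] = b"\0\0GetModuleHandleA\0"          # Hint word + name
    img[0x9200:0x9200 + 17] = b"\0\0GetProcAddress\0"
    struct.pack_into("<IIII", img, 0x8100, 0x9100, 0x9200, IMAGE_ORDINAL_FLAG32 | 0x13A, 0)  # OriginalFirstThunk
    struct.pack_into("<IIII", img, 0x8200, 0x7C80B529, 0x00BA38BA, 0x7C801234, 0)        # FirstThunk (IAT)
    struct.pack_into("<IIIII", img, 0x8000, 0x8100, 0, 0, 0x9000, 0x8200)                # descriptor; next one is all-zero
    return bytes(img), 0x8000
```

Run walk_imports over a dump taken at the moment described above and every name should still be readable and every IAT value should be either an unresolved thunk or a real API address; run it over a dump taken at the OEP and redirected_entries lists exactly the slots that would otherwise need ImportREC's tracing.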
――――――――――――――――――――――――
4. OEP
Reach the OEP with the code-section memory breakpoint method:
Alt+M, set a memory-access breakpoint on the section at 00401000, Shift+F9
The ESP trick also works; not detailed here.
009DB8B4 55 push ebp
//OEP
009DB8B5 8BEC mov ebp,esp
009DB8B7 6A FF push -1
009DB8B9 68 00D5A700 push Mtb14.00A7D500
009DB8BE 68 12BF9D00 push Mtb14.009DBF12
009DB8C3 64:A1 00000000 mov eax,dword ptr fs:[0]
009DB8C9 50 push eax
009DB8CA 64:8925 00000000 mov dword ptr fs:[0],esp
009DB8D1 83EC 68 sub esp,68
009DB8D4 53 push ebx
009DB8D5 56 push esi
009DB8D6 57 push edi
009DB8D7 8965 E8 mov dword ptr ss:[ebp-18],esp
009DB8DA 33DB xor ebx,ebx
009DB8DC 895D FC mov dword ptr ss:[ebp-4],ebx
009DB8DF 6A 02 push 2
009DB8E1 5F pop edi
009DB8E2 57 push edi
009DB8E3 FF15 C07FA300 call near dword ptr ds:[A37FC0] ; MSLURT.__set_app_type
――――――――――――――――――――――――
5. Finishing up
With LordPE, fix up dumped.exe: EntryPoint = 009DB8B4 - 00400000 = 005DB8B4, Import Table RVA = 00AFDF08 - 00400000 = 006FDF08, zero the Relocation directory (RVA and Size), delete the trailing .protect section from the section table, and remove the .protect section's bytes with WinHex. Zeroing the relocation directory is only safe here because an EXE normally loads at its preferred ImageBase; for the DLL in part two the directory is kept. After the section is removed, SizeOfImage should shrink to the end of the last remaining section, and the result should be checked by running it.
OK, that can count as a complete unpack of Minitab V14.20.0.0.
Game Over
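The header edits of this step, and the same ones for the DLL in part two (new OEP, import directory, relocation directory, dropping .protect), as an added Python example that is not the tutorial's tooling. It assumes a PE32 dump laid out like the process image, each section's raw offset equal to its RVA, which is the layout a full dump from LordPE produces; the sample image is constructed and is not Minitab.

```python
# Added example, not the tutorial's tooling: apply the step-5 header fixes to a full
# dump whose raw offsets equal RVAs. PE32 only. The sample image is constructed.
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def _headers(img):
    """(file_header_off, optional_header_off, section_table_off, NumberOfSections)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", img, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", img, file_hdr + 16)[0]
    opt = file_hdr + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    return file_hdr, opt, opt + size_opt, num_sections


def _sections(img):
    """[(name, VirtualAddress, VirtualSize, PointerToRawData), ...]"""
    _, _, tbl, n = _headers(img)
    out = []
    for h in range(tbl, tbl + 40 * n, 40):
        name = bytes(img[h:h + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, _raw, rawptr = struct.unpack_from("<IIII", img, h + 8)
        out.append((name, va, vsize, rawptr))
    return out


def fix_dump(img, oep_rva, import_rva, import_size, reloc_rva=0, reloc_size=0, drop_last_section=True):
    """Set EntryPoint and the import/relocation directories; optionally drop the last
    (packer) section, its header and its bytes, and shrink SizeOfImage accordingly."""
    img = bytearray(img)
    file_hdr, opt, tbl, n = _headers(img)
    secs = _sections(img)
    keep = secs[:-1] if drop_last_section else secs
    def inside_kept(rva):
        return any(va <= rva < va + vsize for _, va, vsize, _ in keep)
    if not (inside_kept(oep_rva) and inside_kept(import_rva)):
        raise ValueError("OEP or import table lies outside the sections that remain")
    datadir = opt + 96                                                    # PE32 DataDirectory
    struct.pack_into("<I", img, opt + 16, oep_rva)                         # AddressOfEntryPoint
    struct.pack_into("<II", img, datadir + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    struct.pack_into("<II", img, datadir + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, reloc_size)
    if drop_last_section:
        rawptr = secs[-1][3]
        last_hdr = tbl + 40 * (n - 1)
        img[last_hdr:last_hdr + 40] = b"\0" * 40                         # erase the section header
        struct.pack_into("<H", img, file_hdr + 2, n - 1)                   # NumberOfSections
        align = struct.unpack_from("<I", img, opt + 32)[0]                 # SectionAlignment
        _, pva, pvsize, _ = keep[-1]
        struct.pack_into("<I", img, opt + 56, -(-(pva + pvsize) // align) * align)  # SizeOfImage
        if rawptr:
            del img[rawptr:]                                               # what WinHex removes by hand
    return bytes(img)


def describe(img):
    _, opt, _, _ = _headers(img)
    datadir = opt + 96
    return {"entry": struct.unpack_from("<I", img, opt + 16)[0],
            "import": struct.unpack_from("<II", img, datadir + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT),
            "reloc": struct.unpack_from("<II", img, datadir + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC),
            "size_of_image": struct.unpack_from("<I", img, opt + 56)[0],
            "sections": [s[0] for s in _sections(img)],
            "file_size": len(img)}


def build_sample_dump():
    """Constructed PE32 dump: .text/.rdata/.protect, RVA == raw offset, EP and import
    directory inside .protect, as a packed process image would look."""
    secs = [(b".text", 0x1000), (b".rdata", 0x2000), (b".protect", 0x3000)]
    img = bytearray(0x4000)
    img[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    file_hdr = e_lfanew + 4
    struct.pack_into("<HHIIIHH", img, file_hdr, 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = file_hdr + 20
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x3000)                      # packer EP in .protect
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x4000, 0x400)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x3800, 0x80)           # packer's import directory
    struct.pack_into("<II", img, opt + 96 + 40, 0x3C00, 0x100)         # packer's relocation directory
    for i, (name, va) in enumerate(secs):
        h = opt + 224 + 40 * i
        img[h:h + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, h + 8, 0x1000, va, 0x1000, va)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
        struct.pack_into("<I", img, h + 36, 0xE0000020)
    return bytes(img)
```

The check that the new OEP and the import table lie inside the sections that remain is the one worth keeping: if either still points into .protect, the packer's section cannot be removed, and the dump was taken at the wrong moment. For the DLL in part two, call fix_dump with reloc_rva/reloc_size set to the values computed from .reloc and leave the relocation directory non-zero.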
―――――――――――――――――――――――――――――――――
II. Manually unpacking a HASP Protection V1.X-packed DLL with OllyDbg
hhle_w32.dll from the HASP_HL_Envelope V1.30 install directory is the target for this part of the tutorial.
――――――――――――――――――――――――
1. EP
The HASP packer on hhle_w32.dll uses no anti-debugging.
However, OllyDBG does not pause at the EP when loading the DLL. Two simple workarounds: patch the EP to an infinite loop (EB FE), load, then restore the original bytes; or load once, set the API breakpoints you need, and restart.
Load hhle_w32.dll once, then BP VirtualProtect
Ctrl+F2 to restart; it breaks at VirtualProtect:
0006F0F8 10351884 /CALL to VirtualProtect from 1035187E
0006F0FC 10001000 |Address = 10001000
0006F100 00001000 |Size = 1000 (4096.)
0006F104 00000004 |NewProtect = PAGE_READWRITE
0006F108 0006F120 \pOldProtect = 0006F120
Watch the caller address in the stack: if it is not inside the target DLL's address range (10000000 and up here), keep pressing Shift+F9 until it is.
――――――――――――――――――――――――
2. Import Table
Remove the VirtualProtect breakpoint and set the next one: BP GetModuleHandleA
Shift+F9; after the break, remove the breakpoint. Look at the stack and registers:
0006F124 1033E616 /CALL to GetModuleHandleA from 1033E613
0006F128 100AAE20 \pModule = "KERNEL32.dll"
EAX 100AAE20 ASCII "KERNEL32.dll"
ECX 100AAE20 ASCII "KERNEL32.dll"
EDX 100AA870 ★
EBX F1D1758D
ESP 0006F124
EBP 0006F178
ESI 10351B40
EDI 10341EB0
EIP 7C80B529 kernel32.GetModuleHandleA
The EDX value is the Import Table VA.
Run LordPE and take a full dump of the hhle_w32.dll module (the DLL, not the loader process that hosts it).
――――――――――――――――――――――――
3. OEP
Reach the OEP with the code-section memory breakpoint method:
Alt+M, set a memory-access breakpoint on the section at 10001000, Shift+F9
1000FF6D 55 push ebp
//OEP (a DllMain prologue: ebx = hinstDLL, esi = fdwReason, edi = lpvReserved; the cmp esi,1 / cmp esi,2 below test DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH)
1000FF6E 8BEC mov ebp,esp
1000FF70 53 push ebx
1000FF71 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
1000FF74 56 push esi
1000FF75 8B75 0C mov esi,dword ptr ss:[ebp+C]
1000FF78 57 push edi
1000FF79 8B7D 10 mov edi,dword ptr ss:[ebp+10]
1000FF7C 85F6 test esi,esi
1000FF7E 75 09 jnz short hhle_w32.1000FF89
1000FF80 833D 08DE2A10 00 cmp dword ptr ds:[102ADE08],0
1000FF87 EB 26 jmp short hhle_w32.1000FFAF
1000FF89 83FE 01 cmp esi,1
1000FF8C 74 05 je short hhle_w32.1000FF93
1000FF8E 83FE 02 cmp esi,2
1000FF91 75 22 jnz short hhle_w32.1000FFB5
――――――――――――――――――――――――
4. Relocation Table
HASP did not encrypt the relocation table, so the Relocation Table directory can be corrected directly from the .reloc section.
The start of the .reloc section is the relocation table RVA. For the Size, walk the IMAGE_BASE_RELOCATION blocks (VirtualAddress, SizeOfBlock) from that point until a block with SizeOfBlock = 0 (the zero padding at the end); the sum of the SizeOfBlock values is the exact Size, which is more reliable than eyeballing where the 00s begin.
Relocation Table RVA=00325000,Size=0000D2E8
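The Size computation just described, as an added Python example that is not part of the tutorial: walking IMAGE_BASE_RELOCATION blocks until the zero block yields the exact directory size. The sample .reloc contents are constructed, not taken from hhle_w32.dll. rebase is included because a dump of a DLL that the loader placed at a base other than its ImageBase contains already-relocated pointers; applying the negative load delta through the same entries restores them.

```python
# Added example (not from the tutorial): compute the relocation directory Size by
# walking IMAGE_BASE_RELOCATION blocks instead of eyeballing the trailing zeros.
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fix-up
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer: add the load delta


def walk_relocations(reloc):
    """reloc is the raw contents of the .reloc section (or the memory at its RVA).
    Returns (size, targets): size is the exact byte count for the directory entry
    (sum of SizeOfBlock up to the first zero block); targets are RVAs of HIGHLOW slots."""
    off, targets = 0, []
    while off + 8 <= len(reloc):
        page_rva, size_of_block = struct.unpack_from("<II", reloc, off)
        if size_of_block == 0:                      # zero padding: the table has ended
            break
        if size_of_block < 8 or size_of_block & 1 or off + size_of_block > len(reloc):
            raise ValueError(f"corrupt IMAGE_BASE_RELOCATION at offset {off:#x}")
        for i in range((size_of_block - 8) // 2):
            entry = struct.unpack_from("<H", reloc, off + 8 + 2 * i)[0]
            typ, delta = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unexpected relocation type {typ} in block at {off:#x}")
            targets.append(page_rva + delta)
        off += size_of_block
    return off, targets


def rebase(image, targets, delta):
    """Add delta to every HIGHLOW slot of an image laid out in memory order (offset == RVA).
    Pass the negative load delta to undo what the loader did before the dump was taken."""
    image = bytearray(image)
    for rva in targets:
        val = struct.unpack_from("<I", image, rva)[0]
        struct.pack_into("<I", image, rva, (val + delta) & 0xFFFFFFFF)
    return bytes(image)


def build_sample_reloc():
    """Constructed .reloc contents (not from hhle_w32.dll): two blocks, then zero padding."""
    block1 = struct.pack("<II", 0x1000, 8 + 2 * 4) + struct.pack("<HHHH", 0x3010, 0x3024, 0x3100, 0x0000)
    block2 = struct.pack("<II", 0x2000, 8 + 2 * 2) + struct.pack("<HH", 0x3004, 0x3008)
    return block1 + block2 + b"\0" * 0x40
```

The zero entry at the end of the first block is the usual alignment padding (type ABSOLUTE), which the walker skips; a type other than ABSOLUTE or HIGHLOW in a 32-bit image is a sign the section boundary or the RVA is wrong.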
――――――――――――――――――――――――
5. Finishing up
Then correct the remaining PE fields:
OEP RVA = 1000FF6D - 10000000 = 0000FF6D
Import Table RVA = 100AA870 - 10000000 = 000AA870
Delete the trailing .protect section and remove the .protect section data with WinHex. Unlike the EXE, keep the relocation directory, since a DLL cannot count on loading at its preferred base.
Was it easy? Yes and no.
Finding the right point to cut in makes the work far easier.
―――――――――――――――――――――――――――――――――
, _/
/| _.-~/ \_ , Youth lasts but a moment
( /~ / \~-._ |\
`\\ _/ \ ~\ ) Why not trade empty fame
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. for the wild joy of unpacking
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacKed By : fly
2006-03-10 24:00