[Original] Cracking VP studio v6.75, a program protected by an unknown packer and a hardware dongle, using SMC
Posted: 2006-5-20 09:44
【Cracker】 niufq
【Tools used】 OllyDBG 1.10 (Chinese localized), PeID 0.94, hiew 7.26
【Platform】 Win9x/NT/2000/XP
【Software】 VP studio v6.75
【Download】 http://www.softelec.com/
【Description】 A very handy raster-to-vector conversion tool that complements CAD software: it converts TIF, BMP and other image formats into vector drawings that can then be edited in a CAD program.
【Packer】 unknown packer
【Statement】 This is purely out of interest; corrections from the experts are welcome.
Long-time lurker, first post. Please share your advice.
On startup the program reports that the hardware lock was not found or that the user license it holds is wrong, and then starts as the VP studio demo version, which is limited to processing very small images. Tracing showed that the software is protected by a dongle and that the main executable is packed with an unknown packer that decompresses in two stages.
Working from the program's error message, I traced step by step from the beginning to find the failing location and crack it.
After loading VP.EXE in OllyDBG we arrive here (OllyDBG must be hidden with a plugin):
0045F2A0 > 55 PUSH EBP
0045F2A1 8BEC MOV EBP,ESP
0045F2A3 83EC 78 SUB ESP,78
0045F2A6 53 PUSH EBX
0045F2A7 56 PUSH ESI
0045F2A8 57 PUSH EDI
0045F2A9 C745 90 00000000 MOV DWORD PTR SS:[EBP-70],0
0045F2B0 C745 E0 8641550E MOV DWORD PTR SS:[EBP-20],0E554186
0045F2B7 C745 EC FFFFFFFF MOV DWORD PTR SS:[EBP-14],-1
0045F2BE C745 9C FFFFFFFF MOV DWORD PTR SS:[EBP-64],-1
0045F2C5 C745 F8 FFFFFFFF MOV DWORD PTR SS:[EBP-8],-1
0045F2CC C745 F0 FFFFFFFF MOV DWORD PTR SS:[EBP-10],-1
0045F2D3 C745 E8 FFFFFFFF MOV DWORD PTR SS:[EBP-18],-1
0045F2DA C745 F4 FFFFFFFF MOV DWORD PTR SS:[EBP-C],-1
0045F2E1 C745 88 F09F97B9 MOV DWORD PTR SS:[EBP-78],B9979FF0
0045F2E8 C745 E4 00000000 MOV DWORD PTR SS:[EBP-1C],0
0045F2EF C745 98 05AA8902 MOV DWORD PTR SS:[EBP-68],289AA05
0045F2F6 6A 1C PUSH 1C
0045F2F8 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0045F2FB 50 PUSH EAX
0045F2FC 68 A0F24500 PUSH vp.<模块入口点>
0045F301 FF15 F0A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualQuery>] ; kernel32.VirtualQuery
0045F307 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0045F30A 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
0045F30D 837D 90 00 CMP DWORD PTR SS:[EBP-70],0
0045F311 0F85 05000000 JNZ vp.0045F31C
0045F317 5F POP EDI
0045F318 5E POP ESI
0045F319 5B POP EBX
0045F31A C9 LEAVE
0045F31B C3 RETN
; (omitted)
0045F478 3245 98 XOR AL,BYTE PTR SS:[EBP-68]
0045F47B 8B4D 94 MOV ECX,DWORD PTR SS:[EBP-6C]
0045F47E 8B49 10 MOV ECX,DWORD PTR DS:[ECX+10]
0045F481 034D C0 ADD ECX,DWORD PTR SS:[EBP-40]
0045F484 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
0045F487 880411 MOV BYTE PTR DS:[ECX+EDX],AL
0045F48A ^ E9 A1FFFFFF JMP vp.0045F430
0045F48F 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0045F492 50 PUSH EAX
0045F493 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0045F496 50 PUSH EAX
0045F497 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0045F49A 50 PUSH EAX
0045F49B 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0045F49E 50 PUSH EAX
0045F49F FF15 78A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect
0045F4A5 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0045F4A9 0F85 0A000000 JNZ vp.0045F4B9
0045F4AF 837D F0 FF CMP DWORD PTR SS:[EBP-10],-1
0045F4B3 0F84 14000000 JE vp.0045F4CD
0045F4B9 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0045F4BC 50 PUSH EAX
0045F4BD 6A 40 PUSH 40
0045F4BF 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0045F4C2 50 PUSH EAX
0045F4C3 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0045F4C6 50 PUSH EAX
0045F4C7 FF15 78A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect
0045F4CD 53 PUSH EBX
0045F4CE E8 00000000 CALL vp.0045F4D3
0045F4D3 8F45 8C POP DWORD PTR SS:[EBP-74]
0045F4D6 8345 8C 0A ADD DWORD PTR SS:[EBP-74],0A
0045F4DA FF55 8C CALL DWORD PTR SS:[EBP-74] // last uncompressed instruction; everything below is still compressed //
0045F4DD D4 65 AAM 65
0045F4DF CE INTO
0045F4E0 AE SCAS BYTE PTR ES:[EDI]
0045F4E1 E7 98 OUT 98,EAX ; I/O 命令
0045F4E3 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
0045F4E4 5C POP ESP
0045F4E5 ^ 79 AA JNS SHORT vp.0045F491
0045F4E7 DEFA FDIVP ST(2),ST
0045F4E9 93 XCHG EAX,EBX
0045F4EA B8 A59B42EF MOV EAX,EF429BA5
0045F4EF 5A POP EDX
0045F4F0 68 5DBA8141 PUSH 4181BA5D
0045F4F5 3853 D2 CMP BYTE PTR DS:[EBX-2E],DL
0045F4F8 63F5 ARPL BP,SI
0045F4FA 2857 94 SUB BYTE PTR DS:[EDI-6C],DL
0045F4FD 0F9DB0 80290127 SETGE BYTE PTR DS:[EAX+27012980]
0045F504 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[EDI]
0045F505 C6 ??? ; 未知命令
0045F506 9E SAHF
0045F507 ^ 7D 93 JGE SHORT vp.0045F49C
0045F509 43 INC EBX
0045F50A ^ 7D F0 JGE SHORT vp.0045F4FC
0045F50C 0FC8 BSWAP EAX
0045F50E 48 DEC EAX
0045F50F 6B40 99 FF IMUL EAX,DWORD PTR DS:[EAX-67],-1
0045F513 BC 78FFE257 MOV ESP,57E2FF78
0045F518 07 POP ES ; 段寄存器更改
0045F519 2C 4E SUB AL,4E
After this section has run, the code changes to the following:
0045F47E 8B49 10 MOV ECX,DWORD PTR DS:[ECX+10]
0045F481 034D C0 ADD ECX,DWORD PTR SS:[EBP-40]
0045F484 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
0045F487 880411 MOV BYTE PTR DS:[ECX+EDX],AL
0045F48A ^ E9 A1FFFFFF JMP vp.0045F430
0045F48F 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0045F492 50 PUSH EAX
0045F493 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0045F496 50 PUSH EAX
0045F497 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0045F49A 50 PUSH EAX
0045F49B 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0045F49E 50 PUSH EAX
0045F49F FF15 78A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect
0045F4A5 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0045F4A9 0F85 0A000000 JNZ vp.0045F4B9
0045F4AF 837D F0 FF CMP DWORD PTR SS:[EBP-10],-1
0045F4B3 0F84 14000000 JE vp.0045F4CD
0045F4B9 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0045F4BC 50 PUSH EAX
0045F4BD 6A 40 PUSH 40
0045F4BF 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0045F4C2 50 PUSH EAX
0045F4C3 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0045F4C6 50 PUSH EAX // stage 1 decompression finished; once execution reaches here the code below appears //
0045F4C7 FF15 78A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect // patch1 location //
0045F4CD 53 PUSH EBX
0045F4CE E8 00000000 CALL vp.0045F4D3
0045F4D3 8F45 8C POP DWORD PTR SS:[EBP-74]
0045F4D6 8345 8C 0A ADD DWORD PTR SS:[EBP-74],0A
0045F4DA FF55 8C CALL DWORD PTR SS:[EBP-74]
0045F4DD 5B POP EBX
0045F4DE 5B POP EBX
0045F4DF 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
0045F4E2 50 PUSH EAX
0045F4E3 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0045F4E6 50 PUSH EAX
0045F4E7 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0045F4EA 50 PUSH EAX
0045F4EB 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0045F4EE 50 PUSH EAX
0045F4EF 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0045F4F2 50 PUSH EAX
0045F4F3 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
0045F4F6 50 PUSH EAX
0045F4F7 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0045F4FA 50 PUSH EAX
0045F4FB 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0045F4FE 50 PUSH EAX
0045F4FF E8 2C000000 CALL vp.0045F530
0045F504 83C4 20 ADD ESP,20 //第2段解压缩结束//
0045F507 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
0045F50A 837D E0 00 CMP DWORD PTR SS:[EBP-20],0
0045F50E 0F85 05000000 JNZ vp.0045F519
0045F514 5F POP EDI
0045F515 5E POP ESI
0045F516 5B POP EBX
0045F517 C9 LEAVE
0045F518 C3 RETN
0045F519 E9 9B0E0000 JMP vp.004603B9 // first place patch2 modifies: changed to jump back into patch2, which then performs the next modification //
0045F51E 5F POP EDI
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
What follows obscures the main program's entry point to hinder tracing; single-step (F7) at the points marked.
004638AC 55 PUSH EBP
004638AD 8BEC MOV EBP,ESP
004638AF 6A FF PUSH -1
004638B1 68 78E94600 PUSH vp.0046E978
004638B6 68 163A4600 PUSH <JMP.&MSVCRT._except_handler3>
004638BB 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004638C1 50 PUSH EAX
004638C2 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004638C9 83EC 68 SUB ESP,68
004638CC 53 PUSH EBX
004638CD 56 PUSH ESI
004638CE 57 PUSH EDI
004638CF 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004638D2 33DB XOR EBX,EBX
004638D4 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004638D7 6A 02 PUSH 2
004638D9 FF15 3CAC4600 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
004638DF 59 POP ECX
004638E0 830D E4A94800 FF OR DWORD PTR DS:[48A9E4],FFFFFFFF
004638E7 830D E8A94800 FF OR DWORD PTR DS:[48A9E8],FFFFFFFF
004638EE FF15 40AC4600 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
004638F4 8B0D D8A94800 MOV ECX,DWORD PTR DS:[48A9D8]
004638FA 8908 MOV DWORD PTR DS:[EAX],ECX
004638FC FF15 44AC4600 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
00463902 8B0D D4A94800 MOV ECX,DWORD PTR DS:[48A9D4]
00463908 8908 MOV DWORD PTR DS:[EAX],ECX
. (omitted)
004639D3 53 PUSH EBX
004639D4 FF15 ECA24600 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
004639DA 50 PUSH EAX
004639DB E8 12060000 CALL vp.00463FF2 // F7 step into //
004639E0 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
004639E3 50 PUSH EAX
004639E4 FF15 5CAC4600 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; msvcrt.exit
004639EA 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004639ED 8B08 MOV ECX,DWORD PTR DS:[EAX]
004639EF 8B09 MOV ECX,DWORD PTR DS:[ECX]
004639F1 894D 88 MOV DWORD PTR SS:[EBP-78],ECX
004639F4 50 PUSH EAX
004639F5 51 PUSH ECX
004639F6 E8 33000000 CALL <JMP.&MSVCRT._XcptFilter>
004639FB 59 POP ECX
004639FC 59 POP ECX
004639FD C3 RETN
which brings us here:
00463FF2 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00463FF6 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00463FFA FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00463FFE FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00464002 E8 49000000 CALL <JMP.&MFC42.#1576> // F7 step into //
00464007 C2 1000 RETN 10
0046400A E8 C9E8FFFF CALL <JMP.&MFC42.#1168>
0046400F 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
00464013 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
00464017 85C9 TEST ECX,ECX
00464019 8848 14 MOV BYTE PTR DS:[EAX+14],CL
0046401C 8990 40100000 MOV DWORD PTR DS:[EAX+1040],EDX
00464022 75 09 JNZ SHORT vp.0046402D
00464024 6A FD PUSH -3
00464026 FF15 34AC4600 CALL DWORD PTR DS:[<&MSVCRT._setmbcp>] ; msvcrt._setmbcp
0046402C 59 POP ECX
0046402D 6A 01 PUSH 1
0046402F 58 POP EAX
00464030 C2 0800 RETN 8
00464033 E9 00000000 JMP vp.00464038
00464038 68 00060000 PUSH 600
0046403D 6A 00 PUSH 0
0046403F E8 C6FFFFFF CALL vp.0046400A
00464044 A2 DCA94800 MOV BYTE PTR DS:[48A9DC],AL
00464049 C3 RETN
0046404A - FF25 34AC4600 JMP DWORD PTR DS:[<&MSVCRT._setmbcp>] ; msvcrt._setmbcp
00464050 - FF25 6CA34600 JMP DWORD PTR DS:[<&MFC42.#1576>] ; MFC42.#1576
00464056 CC INT3
which brings us here:
73D3CF2B > 8BFF MOV EDI,EDI ; ntdll.7C930738
73D3CF2D 53 PUSH EBX
73D3CF2E 56 PUSH ESI
73D3CF2F 57 PUSH EDI
73D3CF30 83CB FF OR EBX,FFFFFFFF
73D3CF33 E8 CD40FFFF CALL MFC42.#1175
73D3CF38 8BF0 MOV ESI,EAX
73D3CF3A E8 97B30800 CALL MFC42.#1168
73D3CF3F FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
73D3CF43 8B78 04 MOV EDI,DWORD PTR DS:[EAX+4]
73D3CF46 FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
73D3CF4A FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
73D3CF4E FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
73D3CF52 E8 C1CC0800 CALL MFC42.#1575
73D3CF57 85C0 TEST EAX,EAX
73D3CF59 74 3C JE SHORT MFC42.73D3CF97
73D3CF5B 85FF TEST EDI,EDI
73D3CF5D 74 0E JE SHORT MFC42.73D3CF6D
73D3CF5F 8B07 MOV EAX,DWORD PTR DS:[EDI]
73D3CF61 8BCF MOV ECX,EDI
73D3CF63 FF90 8C000000 CALL DWORD PTR DS:[EAX+8C]
73D3CF69 85C0 TEST EAX,EAX
73D3CF6B 74 2A JE SHORT MFC42.73D3CF97
73D3CF6D 8B06 MOV EAX,DWORD PTR DS:[ESI]
73D3CF6F 8BCE MOV ECX,ESI
73D3CF71 FF50 58 CALL DWORD PTR DS:[EAX+58] // F7 step into //
73D3CF74 85C0 TEST EAX,EAX
73D3CF76 75 16 JNZ SHORT MFC42.73D3CF8E
73D3CF78 3946 20 CMP DWORD PTR DS:[ESI+20],EAX
73D3CF7B 74 08 JE SHORT MFC42.73D3CF85
73D3CF7D 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20]
73D3CF80 8B01 MOV EAX,DWORD PTR DS:[ECX]
73D3CF82 FF50 60 CALL DWORD PTR DS:[EAX+60]
73D3CF85 8B06 MOV EAX,DWORD PTR DS:[ESI]
73D3CF87 8BCE MOV ECX,ESI
73D3CF89 FF50 70 CALL DWORD PTR DS:[EAX+70]
73D3CF8C EB 07 JMP SHORT MFC42.73D3CF95
73D3CF8E 8B06 MOV EAX,DWORD PTR DS:[ESI]
73D3CF90 8BCE MOV ECX,ESI
73D3CF92 FF50 5C CALL DWORD PTR DS:[EAX+5C]
73D3CF95 8BD8 MOV EBX,EAX
73D3CF97 E8 37B6FFFF CALL MFC42.#1577
73D3CF9C 5F POP EDI
73D3CF9D 5E POP ESI
73D3CF9E 8BC3 MOV EAX,EBX
73D3CFA0 5B POP EBX
73D3CFA1 C2 1000 RETN 10
73D3CFA4 CC INT3
/////////////////////////////////////////////////////////////////////////////////////////////////////
Entering the main program:
0042E800 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0042E806 6A FF PUSH -1
0042E808 68 16774600 PUSH vp.00467716
0042E80D 50 PUSH EAX
0042E80E 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0042E815 81EC 84030000 SUB ESP,384
0042E81B 53 PUSH EBX
0042E81C 55 PUSH EBP
0042E81D 56 PUSH ESI
0042E81E 57 PUSH EDI
0042E81F 33FF XOR EDI,EDI
0042E821 8BE9 MOV EBP,ECX
0042E823 57 PUSH EDI
0042E824 FF15 ECA24600 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
0042E82A A3 04A74800 MOV DWORD PTR DS:[48A704],EAX
0042E82F 8D4C24 74 LEA ECX,DWORD PTR SS:[ESP+74]
0042E833 6A 1C PUSH 1C
0042E835 05 00100000 ADD EAX,1000
0042E83A 51 PUSH ECX
0042E83B 50 PUSH EAX
0042E83C FF15 F0A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualQuery>] ; kernel32.VirtualQuery
0042E842 8B8C24 80000000 MOV ECX,DWORD PTR SS:[ESP+80]
0042E849 8B4424 74 MOV EAX,DWORD PTR SS:[ESP+74]
. (omitted)
0042EB75 E8 C672FFFF CALL vp.00425E40 // reads the dongle; eax=1 when correct, trace into it //
0042EB7A 85C0 TEST EAX,EAX
0042EB7C 75 7A JNZ SHORT vp.0042EBF8
0042EB7E 8B85 10020000 MOV EAX,DWORD PTR SS:[EBP+210]
0042EB84 85C0 TEST EAX,EAX
0042EB86 75 42 JNZ SHORT vp.0042EBCA
0042EB88 51 PUSH ECX
0042EB89 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
0042EB8D 8BCC MOV ECX,ESP
0042EB8F 896424 18 MOV DWORD PTR SS:[ESP+18],ESP
0042EB93 52 PUSH EDX
0042EB94 E8 27190300 CALL vp.004604C0 // "no dongle" error prompt //
0042EB99 E8 E2F9FFFF CALL vp.0042E580
0042EB9E 83C4 04 ADD ESP,4
0042EBA1 8B0D 9CA14600 MOV ECX,DWORD PTR DS:[<&DIALOG.?vtable@@3VVarTable>; DIALOG.?vtable@@3VVarTable@@A
0042EBA7 68 E0534800 PUSH vp.004853E0 ; ASCII "ARX"
0042EBAC FF15 78A14600 CALL DWORD PTR DS:[<&DIALOG.??4VarTable@@QAEXPAU_v>; DIALOG.??4VarTable@@QAEXPAU_var@@@Z
0042EBB2 E8 33460300 CALL <JMP.&MFC42.#1205>
0042EBB7 85C0 TEST EAX,EAX
0042EBB9 75 4B JNZ SHORT vp.0042EC06
0042EBBB 6A FF PUSH -1
0042EBBD 50 PUSH EAX
0042EBBE 6A 64 PUSH 64
0042EBC0 E8 FB420300 CALL <JMP.&MFC42.#1199>
0042EBC5 E9 99070000 JMP vp.0042F363
0042EBCA 6A FD PUSH -3
0042EBCC 68 607A4800 PUSH vp.00487A60 ; ASCII "VPINTL.DLL"
0042EBD1 6A 10 PUSH 10
0042EBD3 68 80A04700 PUSH vp.0047A080 ; ASCII "IDP_LOADEXT"
0042EBD8 68 03300000 PUSH 3003
0042EBDD FF15 A0A14600 CALL DWORD PTR DS:[<&DIALOG.?_Message@@YAHHPADIZZ>>; DIALOG.?_Message@@YAHHPADIZZ
0042EBE3 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
0042EBE7 C78424 B0030000 FFFF>MOV DWORD PTR SS:[ESP+3B0],-1
0042EBF2 50 PUSH EAX
0042EBF3 E9 B8090000 JMP vp.0042F5B0
0042EBF8 3D B03CFFFF CMP EAX,FFFF3CB0
0042EBFD ^ 75 A2 JNZ SHORT vp.0042EBA1
0042EBFF 6A FC PUSH -4
0042EC01 E9 83090000 JMP vp.0042F589
0042EC06 8BCD MOV ECX,EBP
0042EC08 E8 D7450300 CALL <JMP.&MFC42.#2621>
0042EC0D 6A 04 PUSH 4
0042EC0F 8BCD MOV ECX,EBP
0042EC11 E8 C8450300 CALL <JMP.&MFC42.#4159>
0042EC16 68 A8534800 PUSH vp.004853A8 ; ASCII "CELTYPE"
which brings us here; keep going straight down:
00425E40 6A FF PUSH -1
00425E42 68 BA6B4600 PUSH vp.00466BBA
00425E47 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00425E4D 50 PUSH EAX
00425E4E 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00425E55 81EC 90000000 SUB ESP,90
00425E5B 53 PUSH EBX
00425E5C 55 PUSH EBP
00425E5D 56 PUSH ESI
00425E5E 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
00425E62 57 PUSH EDI
00425E63 BB 01000000 MOV EBX,1
00425E68 50 PUSH EAX
00425E69 33ED XOR EBP,EBP
00425E6B 53 PUSH EBX
00425E6C 55 PUSH EBP
00425E6D 68 CCAF4700 PUSH vp.0047AFCC ; ASCII "SOFTWARE\softelec\VPLM"
00425E72 894C24 20 MOV DWORD PTR SS:[ESP+20],ECX
00425E76 68 02000080 PUSH 80000002
00425E7B C74424 3C 20000000 MOV DWORD PTR SS:[ESP+3C],20
00425E83 C64424 54 00 MOV BYTE PTR SS:[ESP+54],0
00425E88 FF15 18A04600 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>] ; ADVAPI32.RegOpenKeyExA
. (omitted)
00426282 C78424 B0000000 FFF>MOV DWORD PTR SS:[ESP+B0],-1
0042628D E8 9EDD0200 CALL vp.00454030
00426292 66:85C0 TEST AX,AX
00426295 74 0D JE SHORT vp.004262A4
00426297 3BF5 CMP ESI,EBP
00426299 0F84 A3010000 JE vp.00426442
0042629F E9 8E010000 JMP vp.00426432
004262A4 3BF5 CMP ESI,EBP
004262A6 74 16 JE SHORT vp.004262BE
004262A8 8BCE MOV ECX,ESI
004262AA E8 81DB0200 CALL vp.00453E30
004262AF 56 PUSH ESI
004262B0 E8 41C60300 CALL <JMP.&MFC42.#825_??3@YAXPAX@Z>
004262B5 83C4 04 ADD ESP,4
004262B8 EB 04 JMP SHORT vp.004262BE
004262BA 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
004262BE 57 PUSH EDI
004262BF 8BCB MOV ECX,EBX ; vp.0048A3C0
004262C1 E8 FA050000 CALL vp.004268C0 // core of the dongle read; eax=1 when correct, trace into it //
004262C6 3BC5 CMP EAX,EBP
004262C8 0F85 A9010000 JNZ vp.00426477
004262CE 392D 789A4800 CMP DWORD PTR DS:[489A78],EBP
004262D4 0F84 9D010000 JE vp.00426477
004262DA 8BB3 98020000 MOV ESI,DWORD PTR DS:[EBX+298]
004262E0 3BF5 CMP ESI,EBP
004262E2 74 10 JE SHORT vp.004262F4
004262E4 8BCE MOV ECX,ESI
004262E6 E8 45DB0200 CALL vp.00453E30
004262EB 56 PUSH ESI
004262EC E8 05C60300 CALL <JMP.&MFC42.#825_??3@YAXPAX@Z>
004262F1 83C4 04 ADD ESP,4
004262F4 89AB 98020000 MOV DWORD PTR DS:[EBX+298],EBP
004262FA 8B0D 589A4800 MOV ECX,DWORD PTR DS:[489A58]
00426300 6A 01 PUSH 1
00426302 8D5424 64 LEA EDX,DWORD PTR SS:[ESP+64]
00426306 51 PUSH ECX
The core of the dongle read. Keep going straight down:
004268C0 6A FF PUSH -1
004268C2 68 AF6C4600 PUSH vp.00466CAF
004268C7 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004268CD 50 PUSH EAX
004268CE 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004268D5 81EC E4000000 SUB ESP,0E4
004268DB 53 PUSH EBX
004268DC 55 PUSH EBP
004268DD 56 PUSH ESI
004268DE 33ED XOR EBP,EBP
004268E0 57 PUSH EDI
004268E1 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
004268E5 896C24 3C MOV DWORD PTR SS:[ESP+3C],EBP
004268E9 896C24 34 MOV DWORD PTR SS:[ESP+34],EBP
004268ED 896C24 38 MOV DWORD PTR SS:[ESP+38],EBP
004268F1 896C24 1C MOV DWORD PTR SS:[ESP+1C],EBP
004268F5 896C24 10 MOV DWORD PTR SS:[ESP+10],EBP
004268F9 FF15 B8A34800 CALL DWORD PTR DS:[48A3B8] ; VPINTL.vpintl
004268FF 8BD8 MOV EBX,EAX
00426901 A1 0CA84700 MOV EAX,DWORD PTR DS:[47A80C]
. (omitted)
00426AD8 8D8C24 AC000000 LEA ECX,DWORD PTR SS:[ESP+AC]
00426ADF E8 B2C00300 CALL <JMP.&MFC42.#6197_?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z>
00426AE4 6A 05 PUSH 5
00426AE6 8D8C24 98000000 LEA ECX,DWORD PTR SS:[ESP+98]
00426AED E8 84C20300 CALL <JMP.&MFC42.#6215_?ShowWindow@CWnd@@QAEHH@Z> // shows the dongle-detection window //
00426AF2 56 PUSH ESI
00426AF3 8D8C24 98000000 LEA ECX,DWORD PTR SS:[ESP+98]
00426AFA E8 C5BF0300 CALL <JMP.&MFC42.#6199_?SetWindowTextA@CWnd@@QAEXPBD@Z>
00426AFF 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
00426B03 51 PUSH ECX
00426B04 68 504F0000 PUSH 4F50
00426B09 8D8C24 9C000000 LEA ECX,DWORD PTR SS:[ESP+9C]
00426B10 E8 D3C20300 CALL <JMP.&MFC42.#5953_?SetDlgItemTextA@CWnd@@QAEXHPBD@Z>
00426B15 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
00426B19 8D6C24 28 LEA EBP,DWORD PTR SS:[ESP+28]
00426B1D F7DD NEG EBP
00426B1F 1BED SBB EBP,EBP
00426B21 68 514F0000 PUSH 4F51
00426B26 23E9 AND EBP,ECX
00426B28 8D8C24 98000000 LEA ECX,DWORD PTR SS:[ESP+98]
00426B2F E8 BCC00300 CALL <JMP.&MFC42.#3092_?GetDlgItem@CWnd@@QBEPAV1@H@Z>
. (omitted)
00426F68 85C9 TEST ECX,ECX
00426F6A 74 12 JE SHORT vp.00426F7E
00426F6C E8 BFCE0200 CALL vp.00453E30
00426F71 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
00426F75 52 PUSH EDX
00426F76 E8 7BB90300 CALL <JMP.&MFC42.#825_??3@YAXPAX@Z>
00426F7B 83C4 04 ADD ESP,4
00426F7E 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
00426F82 8D8C24 94000000 LEA ECX,DWORD PTR SS:[ESP+94]
00426F89 C68424 FC000000 01 MOV BYTE PTR SS:[ESP+FC],1
00426F91 E8 48BC0300 CALL <JMP.&MFC42.#641_??1CDialog@@UAE@XZ>
00426F96 C74424 28 A0B44600 MOV DWORD PTR SS:[ESP+28],vp.0046B4A0
00426F9E 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
00426FA2 C68424 FC000000 08 MOV BYTE PTR SS:[ESP+FC],8
00426FAA E8 CDBA0300 CALL <JMP.&MFC42.#2414_?DeleteObject@CGdiObject@@QAEHXZ>
00426FAF 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
00426FB3 C74424 28 D0B44600 MOV DWORD PTR SS:[ESP+28],vp.0046B4D0
00426FBB C78424 FC000000 FFF>MOV DWORD PTR SS:[ESP+FC],-1
00426FC6 E8 1FB90300 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00426FCB 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00426FCF 85C0 TEST EAX,EAX
00426FD1 75 07 JNZ SHORT vp.00426FDA // key point: if this jump is taken the crack is complete // second place patch2 modifies //
00426FD3 33C0 XOR EAX,EAX
00426FD5 E9 87000000 JMP vp.00427061
00426FDA 8B8D 98020000 MOV ECX,DWORD PTR SS:[EBP+298]
00426FE0 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+38]
00426FE4 50 PUSH EAX
00426FE5 E8 86CF0200 CALL vp.00453F70
00426FEA 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00426FEE 51 PUSH ECX
00426FEF 8B8D 98020000 MOV ECX,DWORD PTR SS:[EBP+298]
00426FF5 6A 3A PUSH 3A
00426FF7 E8 44CE0200 CALL vp.00453E40
00426FFC 8B8D 98020000 MOV ECX,DWORD PTR SS:[EBP+298]
00427002 8D5424 34 LEA EDX,DWORD PTR SS:[ESP+34]
00427006 52 PUSH EDX
00427007 6A 3B PUSH 3B
00427009 E8 32CE0200 CALL vp.00453E40
0042700E 8B46 74 MOV EAX,DWORD PTR DS:[ESI+74]
00427011 8B4C24 38 MOV ECX,DWORD PTR SS:[ESP+38]
00427015 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C]
00427019 50 PUSH EAX
0042701A 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
0042701E 51 PUSH ECX
0042701F 52 PUSH EDX
00427020 50 PUSH EAX
00427021 68 FC504800 PUSH vp.004850FC ; ASCII "DEMO"
00427026 E8 75070000 CALL vp.004277A0
0042702B 8A4424 30 MOV AL,BYTE PTR SS:[ESP+30]
0042702F 83C4 14 ADD ESP,14
00427032 A8 01 TEST AL,1
00427034 C785 9C020000 00000>MOV DWORD PTR SS:[EBP+29C],0
0042703E 74 0A JE SHORT vp.0042704A
00427040 C785 9C020000 01000>MOV DWORD PTR SS:[EBP+29C],1
0042704A A8 02 TEST AL,2
0042704C 74 0E JE SHORT vp.0042705C
0042704E 8B85 9C020000 MOV EAX,DWORD PTR SS:[EBP+29C]
00427054 0C 02 OR AL,2
00427056 8985 9C020000 MOV DWORD PTR SS:[EBP+29C],EAX
0042705C B8 01000000 MOV EAX,1 // returns the "correct" value //
00427061 8B8C24 F4000000 MOV ECX,DWORD PTR SS:[ESP+F4]
00427068 5F POP EDI
00427069 5E POP ESI
0042706A 5D POP EBP
0042706B 5B POP EBX
0042706C 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
00427073 81C4 F0000000 ADD ESP,0F0
00427079 C2 0400 RETN 4
***************************************************************************************************
Because the program is packed with an unknown packer and the unpacked program does not run correctly, the program is patched using SMC (self-modifying code).
Two patches are needed in total.
patch 1
Change the instruction at 45F4C7 so that the program jumps to patch 2. The original instruction is 6 bytes; it is replaced by jmp vp.00479fb0 padded with one nop, i.e. the bytes E9 E4 AA 01 00 90.
patch 2
The section information PEiD shows for VP.EXE reveals that the vp.rdata section is not compressed, so that section is used to hold the patch code; the following free space near the end of the section was chosen:
00479FAE 0000 ADD BYTE PTR DS:[EAX],AL
00479FB0 FF15 78A24600 CALL DWORD PTR DS:[<&KERNEL32.VirtualPro>; // replays the instruction displaced from the original address //
00479FB6 C705 19F54500 E9AFAA01 MOV DWORD PTR DS:[45F519],1AAAFE9 // modifies the code at 45f519; note that the data here must be written in reversed (little-endian) byte order //
00479FC0 - E9 0855FEFF JMP vp.0045F4CD // jump back into the original program to continue decompression //
00479FC5 0000 ADD BYTE PTR DS:[EAX],AL
00479FC7 0000 ADD BYTE PTR DS:[EAX],AL
00479FC9 0000 ADD BYTE PTR DS:[EAX],AL
00479FCB 0000 ADD BYTE PTR DS:[EAX],AL
00479FCD C605 D16F4200 EB MOV BYTE PTR DS:[426FD1],0EB // modifies the code at 426fd1, which cracks the program //
00479FD4 - E9 E063FEFF JMP vp.004603B9 // jump back into the original program and continue execution //
00479FD9 0000 ADD BYTE PTR DS:[EAX],AL
00479FDB 0000 ADD BYTE PTR DS:[EAX],AL
A loader can also be used for the crack: change the 75 at 00426FD1 to EB.
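The two patches above show how little code the protection actually rests on: the JNZ at 00426FD1 and the VirtualProtect call at 0045F4C7. As an added example (not from the post or from the VP studio vendor), here is the kind of runtime code-integrity check a defender places around such sites; it detects exactly the byte changes the post describes. The byte strings are constructed from the listing, and the guard table, CRC baseline and names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-32 (IEEE, reflected, polynomial 0xEDB88320) over a byte range. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* One guarded code range: the live bytes, their length, and the CRC
   recorded for them at build time (assumed to be embedded in the binary). */
typedef struct {
    const char    *name;
    const uint8_t *code;
    size_t         len;
    uint32_t       expected;
} code_guard;

/* Returns 1 if the guarded bytes still match the build-time CRC, else 0. */
int guard_intact(const code_guard *g)
{
    return crc32_bytes(g->code, g->len) == g->expected;
}

/* Constructed from the listing at 00426FCF..00426FD5 (TEST EAX,EAX ;
   JNZ SHORT +7 ; XOR EAX,EAX ; JMP +0x87): the dongle-check decision. */
static const uint8_t decision_site_clean[11] =
    { 0x85,0xC0, 0x75,0x07, 0x33,0xC0, 0xE9,0x87,0x00,0x00,0x00 };
/* The same bytes after the one-byte change the post applies (75 -> EB). */
static const uint8_t decision_site_patched[11] =
    { 0x85,0xC0, 0xEB,0x07, 0x33,0xC0, 0xE9,0x87,0x00,0x00,0x00 };

/* Constructed from 0045F4C7 (CALL DWORD PTR [VirtualProtect]) and the
   patch-1 replacement bytes given in the post. */
static const uint8_t unpacker_site_clean[6]   = { 0xFF,0x15,0x78,0xA2,0x46,0x00 };
static const uint8_t unpacker_site_patched[6] = { 0xE9,0xE4,0xAA,0x01,0x00,0x90 };

/* Simulated self-check: baselines come from the clean bytes, the "live"
   image is whatever is passed in. Returns the number of modified ranges. */
int count_tampered_ranges(const uint8_t *live_decision, const uint8_t *live_unpacker)
{
    code_guard guards[2] = {
        { "dongle decision @426FCF", live_decision, 11, crc32_bytes(decision_site_clean, 11) },
        { "unpacker call @45F4C7",   live_unpacker,  6, crc32_bytes(unpacker_site_clean,  6) },
    };
    int tampered = 0;
    for (size_t i = 0; i < 2; i++) {
        if (!guard_intact(&guards[i])) {
            printf("code integrity failure: %s\n", guards[i].name);
            tampered++;
        }
    }
    return tampered;
}

int main(void)
{
    printf("clean image:   %d tampered range(s)\n",
           count_tampered_ranges(decision_site_clean, unpacker_site_clean));
    printf("patched image: %d tampered range(s)\n",
           count_tampered_ranges(decision_site_patched, unpacker_site_patched));
    return 0;
}
```

A single guard is itself one more byte range to patch, so in practice several such checks are spread through the program and their failure is not reported at the check site.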
Cracking notes:
1. For programs with an unknown packer, patching by SMC works well; this program's two-stage decompression made the SMC patch a bit harder.
2. The anti-tracing trick this program uses after unpacking, obscuring the main program's entry point, is rather interesting.
3. Dongle operations usually take a noticeable amount of time, which can be used to tell when the dongle read has been reached.
niufq 2006.5.19