After studying the articles by the two masters SYSCOM and machenglin, and after n days and n hands-on attempts, I finally got an ASProtect shell off using the section-patching method. Posting it for people as green as I am.
Posting pictures is a hassle, so I'll upload an attachment instead.
On 8/15, on a whim, I went back and restored this program's stolen code; notes as follows:
Target: 文件夹保护 2006 2.10 (Folder Protection 2006)
ASProtect 2.1x SKE -> Alexey Solodovnikov
Version: ASProtect 2.11 SKE build 03.13 Release [1]
Microsoft Visual C++ 7.0 Method2 [Debug]
After installation it is awkward to open the folder, so I copied the path for reference:
E:\Program Files\文件夹保护 2006\fp.exe
1. OEP + dump + IAT:
Volx's IAT-repair script reports Stolen code After API and saves it to SCafAPI.bin, then stops at the fake OEP:
017002EC 6A 74 push 74 ; 0040E8BD
017002EE F2: prefix repne:
017002EF EB 01 jmp short 017002F2
0040E8BD d>- E9 2A1A2F01 jmp 017002EC ; the real OEP
Since the OEP is stolen, open LordPE, select the process and dump it; save as dump.exe.
Ctrl+G to 401000, then Ctrl+B and search for FF25:
0040E052 - FF25 6C404D00 jmp dword ptr ds:[4D406C] ; crtool.CCRTools::Init
0040E058 - FF25 C4464D00 jmp dword ptr ds:[4D46C4] ; <jmp.&MSVCR71.free>
0040E05E - FF25 BC464D00 jmp dword ptr ds:[4D46BC] ; MFC71.7C1CAE35
Data window: dd 4D46C4, then scroll up and down:
004D4000 796D1E76 ADVAPI32.RegCloseKey
004D4004 796D6315 ADVAPI32.RegSetValueA
004D4008 796D33CB ADVAPI32.RegSetValueExA
...
004D52C0 00000000
004D52C4 77A344BA OLE32.CoInitialize
004D52C8 77A3435E OLE32.CoUninitialize
004D52CC 00000000
RVA=000D4000, Size=12CC
Open ImportREC, pick the process, enter the RVA and Size, Get Imports (all valid), set OEP=0000E052, Fix Dump.
2. Analysis of the morphed jumps and morphed calls:
01700461 68 690C7001 push dumped_1.01700C69 ; morphed call
01700466 E8 95FB0700 call dumped_1.01780000 ; enter layer 1
Layer 1: keep single-stepping with F7 until the first call:
01780157 /EB 01 jmp short dumped_1.0178015A
0178015A FFD3 call ebx ; enter layer 2
0178015C FF7424 04 push dword ptr ss:[esp+4]
01780160 EB 02 jmp short dumped_1.01780164
Layer 2: after the Route Check you arrive at the loop:
014D8A87 8B45 F8 mov eax,dword ptr ss:[ebp-8]
014D8A8A 0FB600 movzx eax,byte ptr ds:[eax]
014D8A8D 8B5483 40 mov edx,dword ptr ds:[ebx+eax*4+40]
014D8A91 8BC6 mov eax,esi
014D8A93 FFD2 call edx
014D8A95 3B45 FC cmp eax,dword ptr ss:[ebp-4]
014D8A98 75 1A jnz short dumped_1.014D8AB4
014D8A9A 8B45 10 mov eax,dword ptr ss:[ebp+10]
014D8A9D 50 push eax
014D8A9E 8B45 14 mov eax,dword ptr ss:[ebp+14]
014D8AA1 50 push eax
014D8AA2 E8 19FAFFFF call dumped_1.014D84C0
014D8AA7 50 push eax
014D8AA8 8BCE mov ecx,esi
014D8AAA 8B55 18 mov edx,dword ptr ss:[ebp+18]
014D8AAD 8BC3 mov eax,ebx
014D8AAF E8 D4FDFFFF call dumped_1.014D8888 ; enter layer 3
014D8AB4 4F dec edi
014D8AB5 0373 6C add esi,dword ptr ds:[ebx+6C]
014D8AB8 85FF test edi,edi
014D8ABA ^ 77 CB ja short dumped_1.014D8A87
Layer 3: classification of the morphing types:
014D88D8 FFD2 call edx
014D88DA 2C 02 sub al,2 ; note the value of al
014D88DC 72 12 jb short dumped_1.014D88F0
014D88DE 74 3D je short dumped_1.014D891D
014D88E0 FEC8 dec al
014D88E2 0F84 82000000 je dumped_1.014D896A
014D88E8 E9 DA000000 jmp dumped_1.014D89C7
...
014D89E5 FF75 0C push dword ptr ss:[ebp+C]
014D89E8 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; dumped_1.01510E28
014D89EB FF60 20 jmp dword ptr ds:[eax+20] ; follow into layer 4
014D89EE /EB 01 jmp short dumped_1.014D89F1
014D89F0 |9A 5F5E5B8B E55D call far 5DE5:8B5B5E5F
014D89F7 C2 0C00 retn 0C
014D89FA 8BC0 mov eax,eax
Layer 4: points at the final address:
017900AD - FF6424 FC jmp dword ptr ss:[esp-4] ; dumped_1.01700A9B
If what it lands on is not code, then the call has more stolen code inside it.
3. Restoring the stolen OEP:
0040E8BD c> 6A 74 push 74
0040E8BF 68 20894D00 push cyto-wj.004D8920
0040E8C4 E8 F3010000 call cyto-wj.0040EABC ; (1)
0040E8C9 33DB xor ebx,ebx
0040E8CB 895D E0 mov dword ptr ss:[ebp-20],ebx
0040E8CE 53 push ebx
0040E8CF 8B3D AC414D00 mov edi,dword ptr ds:[<&kernel32.GetModuleHandleA>]
0040E8D5 FFD7 call edi
0040E8D7 66:8138 4D5A cmp word ptr ds:[eax],5A4D
0040E8DC 75 1F jnz short cyto-wj.0040E8FD
0040E8DE 8B48 3C mov ecx,dword ptr ds:[eax+3C]
0040E8E1 03C8 add ecx,eax
0040E8E3 8139 50450000 cmp dword ptr ds:[ecx],4550
0040E8E9 75 12 jnz short cyto-wj.0040E8FD
0040E8EB 0FB741 18 movzx eax,word ptr ds:[ecx+18]
0040E8EF 3D 0B010000 cmp eax,10B
0040E8F4 74 1F je short cyto-wj.0040E915
0040E8F6 3D 0B020000 cmp eax,20B
0040E8FB 74 05 je short cyto-wj.0040E902
0040E8FD 895D E4 mov dword ptr ss:[ebp-1C],ebx
0040E900 EB 27 jmp short cyto-wj.0040E929
0040E902 83B9 84000000 0E cmp dword ptr ds:[ecx+84],0E
0040E909 ^ 76 F2 jbe short cyto-wj.0040E8FD
0040E90B 33C0 xor eax,eax
0040E90D 3999 F8000000 cmp dword ptr ds:[ecx+F8],ebx
0040E913 EB 0E jmp short cyto-wj.0040E923
0040E915 8379 74 0E cmp dword ptr ds:[ecx+74],0E
0040E919 ^ 76 E2 jbe short cyto-wj.0040E8FD
0040E91B 33C0 xor eax,eax
0040E91D 3999 E8000000 cmp dword ptr ds:[ecx+E8],ebx
0040E923 0F95C0 setne al
0040E926 8945 E4 mov dword ptr ss:[ebp-1C],eax
0040E929 895D FC mov dword ptr ss:[ebp-4],ebx
0040E92C 6A 02 push 2
0040E92E FF15 D04E4D00 call dword ptr ds:[<&msvcr71.__set_app_type>]
0040E934 59 pop ecx
0040E935 830D 1CE34F00 FF or dword ptr ds:[4FE31C],FFFFFFFF
0040E93C 830D 20E34F00 FF or dword ptr ds:[4FE320],FFFFFFFF
0040E943 FF15 D44E4D00 call dword ptr ds:[<&msvcr71.__p__fmode>]
0040E949 8B0D BCCD4F00 mov ecx,dword ptr ds:[4FCDBC]
0040E94F 8908 mov dword ptr ds:[eax],ecx
0040E951 FF15 D84E4D00 call dword ptr ds:[<&msvcr71.__p__commode>]
0040E957 8B0D B8CD4F00 mov ecx,dword ptr ds:[4FCDB8]
0040E95D 8908 mov dword ptr ds:[eax],ecx
0040E95F A1 DC4E4D00 mov eax,dword ptr ds:[<&msvcr71._adjust_fdiv>]
0040E964 8B00 mov eax,dword ptr ds:[eax]
0040E966 A3 18E34F00 mov dword ptr ds:[4FE318],eax
0040E96B E8 4A020000 call cyto-wj.0040EBBA ; (2)
0040E970 E8 E5020000 call cyto-wj.0040EC5A
0040E975 391D B0C34F00 cmp dword ptr ds:[4FC3B0],ebx
0040E97B 75 0C jnz short cyto-wj.0040E989
0040E97D 68 5AEC4000 push cyto-wj.0040EC5A
0040E982 FF15 E04E4D00 call dword ptr ds:[<&msvcr71.__setusermatherr>]
0040E988 59 pop ecx
0040E989 E8 BA020000 call cyto-wj.0040EC48 ; (3)
0040E98E 68 E0C24F00 push cyto-wj.004FC2E0
0040E993 68 DCC24F00 push cyto-wj.004FC2DC
0040E998 E8 A5020000 call <jmp.&msvcr71._initterm>
0040E99D 68 FEEB4000 push cyto-wj.0040EBFE
0040E9A2 E8 87FDFFFF call cyto-wj.0040E72E ; (4)
0040E9A7 A1 B4CD4F00 mov eax,dword ptr ds:[4FCDB4]
0040E9AC 8945 D8 mov dword ptr ss:[ebp-28],eax
0040E9AF 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0040E9B2 50 push eax
0040E9B3 FF35 B0CD4F00 push dword ptr ds:[4FCDB0]
0040E9B9 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0040E9BC 50 push eax
0040E9BD 8D45 CC lea eax,dword ptr ss:[ebp-34]
0040E9C0 50 push eax
0040E9C1 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0040E9C4 50 push eax
0040E9C5 FF15 404F4D00 call dword ptr ds:[<&msvcr71.__getmainargs>]
0040E9CB 83C4 20 add esp,20
0040E9CE 8945 C4 mov dword ptr ss:[ebp-3C],eax
0040E9D1 3BC3 cmp eax,ebx
0040E9D3 7D 08 jge short cyto-wj.0040E9DD
0040E9D5 6A 08 push 8
0040E9D7 E8 D8010000 call <jmp.&msvcr71._amsg_exit>
0040E9DC 59 pop ecx
0040E9DD 68 D8C24F00 push cyto-wj.004FC2D8
0040E9E2 68 00C04F00 push cyto-wj.004FC000
0040E9E7 E8 56020000 call <jmp.&msvcr71._initterm>
0040E9EC 59 pop ecx
0040E9ED 59 pop ecx
0040E9EE A1 484F4D00 mov eax,dword ptr ds:[<&msvcr71._acmdln>]
0040E9F3 8B30 mov esi,dword ptr ds:[eax]
0040E9F5 8975 DC mov dword ptr ss:[ebp-24],esi
0040E9F8 8A06 mov al,byte ptr ds:[esi]
0040E9FA 3C 20 cmp al,20
0040E9FC 77 5D ja short cyto-wj.0040EA5B
0040E9FE 3AC3 cmp al,bl
0040EA00 74 05 je short cyto-wj.0040EA07
0040EA02 395D E0 cmp dword ptr ss:[ebp-20],ebx
0040EA05 75 54 jnz short cyto-wj.0040EA5B
0040EA07 8A06 mov al,byte ptr ds:[esi]
0040EA09 3AC3 cmp al,bl
0040EA0B 74 0A je short cyto-wj.0040EA17
0040EA0D 3C 20 cmp al,20
0040EA0F 77 06 ja short cyto-wj.0040EA17
0040EA11 46 inc esi
0040EA12 8975 DC mov dword ptr ss:[ebp-24],esi
0040EA15 ^ EB F0 jmp short cyto-wj.0040EA07
0040EA17 895D A8 mov dword ptr ss:[ebp-58],ebx
0040EA1A 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
0040EA20 50 push eax
0040EA21 FF15 18424D00 call dword ptr ds:[<&kernel32.GetStartupInfoA>]
0040EA27 F645 A8 01 test byte ptr ss:[ebp-58],1
0040EA2B 74 06 je short cyto-wj.0040EA33
0040EA2D 0FB745 AC movzx eax,word ptr ss:[ebp-54]
0040EA31 EB 03 jmp short cyto-wj.0040EA36
0040EA33 6A 0A push 0A
0040EA35 58 pop eax
0040EA36 50 push eax
0040EA37 56 push esi
0040EA38 53 push ebx
0040EA39 53 push ebx
0040EA3A FFD7 call edi
0040EA3C 50 push eax
0040EA3D E8 9EF10A00 call cyto-wj.004BDBE0
0040EA42 8BF0 mov esi,eax
0040EA44 8975 C0 mov dword ptr ss:[ebp-40],esi
0040EA47 395D E4 cmp dword ptr ss:[ebp-1C],ebx
0040EA4A 75 07 jnz short cyto-wj.0040EA53
0040EA4C 56 push esi
0040EA4D FF15 4C4F4D00 call dword ptr ds:[<&msvcr71.exit>]
0040EA53 FF15 504F4D00 call dword ptr ds:[<&msvcr71._cexit>]
0040EA59 EB 55 jmp short cyto-wj.0040EAB0
0040EA5B 3C 22 cmp al,22
0040EA5D 75 0B jnz short cyto-wj.0040EA6A
0040EA5F 33C9 xor ecx,ecx
0040EA61 395D E0 cmp dword ptr ss:[ebp-20],ebx
0040EA64 0F94C1 sete cl
0040EA67 894D E0 mov dword ptr ss:[ebp-20],ecx
0040EA6A 0FB6C0 movzx eax,al
0040EA6D 50 push eax
0040EA6E FF15 544F4D00 call dword ptr ds:[<&msvcr71._ismbblead>]
0040EA74 59 pop ecx
0040EA75 85C0 test eax,eax
0040EA77 74 04 je short cyto-wj.0040EA7D
0040EA79 46 inc esi
0040EA7A 8975 DC mov dword ptr ss:[ebp-24],esi
0040EA7D 46 inc esi
0040EA7E ^ E9 72FFFFFF jmp cyto-wj.0040E9F5
The contents of some calls in the OEP were stolen too:
1) call dumped_.0040EABC
0040EABC - E9 DA1F2F01 jmp 01700A9B
0040EABC 68 6CE84000 push <jmp.&msvcr71._except_handler3>
0040EAC1 64:A1 00000000 mov eax,dword ptr fs:[0]
0040EAC7 50 push eax
0040EAC8 8B4424 10 mov eax,dword ptr ss:[esp+10]
0040EACC 896C24 10 mov dword ptr ss:[esp+10],ebp
0040EAD0 8D6C24 10 lea ebp,dword ptr ss:[esp+10]
0040EAD4 2BE0 sub esp,eax
0040EAD6 53 push ebx
0040EAD7 56 push esi
0040EAD8 57 push edi
0040EAD9 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0040EADC 8965 E8 mov dword ptr ss:[ebp-18],esp
0040EADF 50 push eax
0040EAE0 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040EAE3 C745 FC FFFFFFFF mov dword ptr ss:[ebp-4],-1
0040EAEA 8945 F8 mov dword ptr ss:[ebp-8],eax
0040EAED 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040EAF0 64:A3 00000000 mov dword ptr fs:[0],eax
0040EAF6 C3 retn
2) call cyto-wj.0040EBBA
0040EBBA - E9 991E2F01 jmp 01700A58
0040EBBA 6A 0C push 0C
0040EBBC 68 30894D00 push cyto-wj.004D8930
0040EBC1 E8 F6FEFFFF call cyto-wj.0040EABC
0040EBC6 C745 E4 48E24E00 mov dword ptr ss:[ebp-1C],cyto-wj.004EE248
0040EBCD 817D E4 48E24E00 cmp dword ptr ss:[ebp-1C],cyto-wj.004EE248
0040EBD4 73 22 jnb short cyto-wj.0040EBF8
0040EBD6 8365 FC 00 and dword ptr ss:[ebp-4],0
0040EBDA 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0040EBDD 8B00 mov eax,dword ptr ds:[eax]
0040EBDF 85C0 test eax,eax
0040EBE1 74 0B je short cyto-wj.0040EBEE
0040EBE3 FFD0 call eax
0040EBE5 EB 07 jmp short cyto-wj.0040EBEE
0040EBE7 33C0 xor eax,eax
0040EBE9 40 inc eax
0040EBEA C3 retn
0040EBEB 8B65 E8 mov esp,dword ptr ss:[ebp-18]
0040EBEE 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
0040EBF2 8345 E4 04 add dword ptr ss:[ebp-1C],4
0040EBF6 ^ EB D5 jmp short cyto-wj.0040EBCD
0040EBF8 E8 FAFEFFFF call cyto-wj.0040EAF7
0040EBFD C3 retn
call cyto-wj.0040EAF7
0040EAF7 - E9 7C1B2F01 jmp 01700678
0040EAF7 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
0040EAFA 64:890D 00000000 mov dword ptr fs:[0],ecx
0040EB01 59 pop ecx
0040EB02 5F pop edi
0040EB03 5E pop esi
0040EB04 5B pop ebx
0040EB05 C9 leave
0040EB06 51 push ecx
0040EB07 C3 retn
3) call cyto-wj.0040EC48
0040EC48 - E9 BB1B2F01 jmp 01700808
0040EC48 68 00000300 push 30000
0040EC4D 68 00000100 push 10000
0040EC52 E8 07000000 call <jmp.&msvcr71._controlfp>
0040EC57 59 pop ecx
0040EC58 59 pop ecx
0040EC59 C3 retn
4) call cyto-wj.0040E72E
0040E72E - E9 17232F01 jmp 01700A4A
0040E72E FF7424 04 push dword ptr ss:[esp+4]
0040E732 E8 D1FFFFFF call cyto-wj.0040E708
0040E737 F7D8 neg eax
0040E739 1BC0 sbb eax,eax
0040E73B F7D8 neg eax
0040E73D 59 pop ecx
0040E73E 48 dec eax
0040E73F C3 retn
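Added example (not from the original post): the write-back done above by hand in OllyDbg, as a small Python script against the dump. It parses the dumped PE32's section table to turn a VA such as 0040EABC into a file offset, refuses to touch the site unless it still holds the protector's redirect (an E9 rel32 jmp that leaves the image, here to 01700A9B), then overwrites it with the recovered bytes and points AddressOfEntryPoint at the real OEP 0040E8BD. The recovered bytes for call 0040EABC are copied from the listing above; the PE it patches (build_demo_dump: image base 00400000, one section at RVA E000) is constructed in memory for the demo and only stands in for dump.exe.

```python
"""Write recovered bytes back over ASProtect's redirect jmps in a dumped PE32."""
import struct

# Recovered body of call 0040EABC, byte-for-byte from the listing (59 bytes).
SEH_PROLOG = bytes.fromhex(
    "686CE84000" "64A100000000" "50" "8B442410" "896C2410" "8D6C2410" "2BE0"
    "53" "56" "57" "8B45F8" "8965E8" "50" "8B45FC" "C745FCFFFFFFFF"
    "8945F8" "8D45F0" "64A300000000" "C3"
)


def parse_pe(img):
    """Return (image_base, size_of_image, entry_field_offset, sections) of a PE32.
    sections: list of (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    sections = []
    for i in range(nsec):
        sh = opt + opt_size + 40 * i
        vsize, va, rsize, roff = struct.unpack_from("<4I", img, sh + 8)
        sections.append((va, vsize, roff, rsize))
    return image_base, size_of_image, opt + 16, sections


def va_to_offset(va, image_base, sections):
    """Map a VA to (file_offset, bytes_left_in_section_raw_data)."""
    rva = va - image_base
    for sva, vsize, roff, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError(f"{va:08X} lies in the virtual-only tail of its section")
            return roff + delta, rsize - delta
    raise ValueError(f"{va:08X} is not inside any section")


def restore(img, va, recovered):
    """Overwrite the protector's redirect at `va` with `recovered`; return the old jmp target.
    Only patches when the site holds E9 rel32 whose target is outside the image,
    which is what the redirects in the listing look like (0040EABC -> 01700A9B)."""
    image_base, size_of_image, _, sections = parse_pe(img)
    off, room = va_to_offset(va, image_base, sections)
    if img[off] != 0xE9:
        raise ValueError(f"{va:08X}: no E9 jmp here (already patched?)")
    rel = struct.unpack_from("<i", img, off + 1)[0]
    target = (va + 5 + rel) & 0xFFFFFFFF
    if image_base <= target < image_base + size_of_image:
        raise ValueError(f"{va:08X}: jmp stays inside the image, not a protector redirect")
    if len(recovered) > room:
        raise ValueError(f"{va:08X}: recovered code would run past the section's raw data")
    img[off:off + len(recovered)] = recovered
    return target


def set_entry_point(img, oep_va):
    """Point AddressOfEntryPoint at the real (stolen) OEP; returns the RVA written."""
    image_base, _, entry_off, _ = parse_pe(img)
    rva = oep_va - image_base
    struct.pack_into("<I", img, entry_off, rva)
    return rva


def build_demo_dump():
    """Constructed stand-in for dump.exe (assumption: not the real file).
    One section .text at RVA E000 holding the redirect from the listing."""
    img = bytearray(0x200 + 0x2000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)            # i386, 1 section
    struct.pack_into("<H", img, pe + 20, 0xE0)                # SizeOfOptionalHeader
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x00400000)         # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x10000)            # SizeOfImage
    sh = opt + 0xE0
    img[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<4I", img, sh + 8, 0x2000, 0xE000, 0x2000, 0x200)
    off = 0x200 + (0xEABC - 0xE000)
    img[off:off + 5] = bytes.fromhex("E9DA1F2F01")            # 0040EABC: jmp 01700A9B
    return img


if __name__ == "__main__":
    img = build_demo_dump()
    target = restore(img, 0x0040EABC, SEH_PROLOG)
    rva = set_entry_point(img, 0x0040E8BD)
    print(f"0040EABC jumped to {target:08X}; restored {len(SEH_PROLOG)} bytes; OEP RVA now {rva:X}")
```

The same restore() call serves the other three stolen calls (0040EBBA, 0040EAF7, 0040EC48, 0040E72E) once their bytes are typed in from the listing; the E9 check is what stops you from clobbering a site twice or patching an address the protector never redirected.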
4. Stolen code After API:
The dispatch point for the 8 kinds of Stolen code After API:
014DAA9B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
014DAA9E 3A42 4A cmp al,byte ptr ds:[edx+4A]
014DAAA1 74 0B je short 014DAAAE
014DAAA3 8B55 F8 mov edx,dword ptr ss:[ebp-8]
014DAAA6 3A42 4B cmp al,byte ptr ds:[edx+4B]
014DAAA9 75 3E jnz short 014DAAE9
014DAAAB EB 01 jmp short 014DAAAE
0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
Open SCafAPI.bin, the file produced by running the script:
004D4000 >00401606 cyto-wj.00401606 // mov ecx,esi, Hide
004D4004 >00401B75 cyto-wj.00401B75 // mov esi,eax, Set Password
004D4008 >00402679 cyto-wj.00402679 //
004D400C >0040588C cyto-wj.0040588C //
004D4010 >00405F4C cyto-wj.00405F4C // mov ecx,edi, Enter Registration Code
004D4014 >0040816B cyto-wj.0040816B //
004D4018 >00409AE4 cyto-wj.00409AE4 // mov ecx,esi, Set Password
004D401C >00409C05 cyto-wj.00409C05 //
004D4020 >00411BCC cyto-wj.00411BCC //
004D4024 >0041286A cyto-wj.0041286A // mov eax,esi, program startup
004D4028 >004167B2 cyto-wj.004167B2 //
004D402C >004167E9 cyto-wj.004167E9 //
004D4030 >00416F94 cyto-wj.00416F94 //
Clicking through each function module, a few of them never broke; maybe they only get used once registered?
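Added example (not from the original post): the register table 0=eax..7=edi above is exactly the x86 ModRM reg-field order, so the mov stolen after each API call can be rebuilt as bytes from the two indices. This Python snippet encodes `mov r32,r32` in the 8B /r form the listing itself uses (8BCE = mov ecx,esi, 8BC6 = mov eax,esi, 8BC3 = mov eax,ebx, 8BF0 = mov esi,eax) and decodes both 8B /r and 89 /r for checking. SCAFAPI_NOTES is just the call sites and movs the post records; it makes no claim about where the Volx script expects the bytes to be written back.

```python
"""Rebuild the `mov r32,r32` that ASProtect steals after an API call."""

# Register table from the post: 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def encode_mov(dst, src):
    """Encode `mov dst,src` as 8B /r with mod=11 (register direct),
    the form seen in the listing (8BCE, 8BC6, 8BC3, 8BF0)."""
    d, s = REGS.index(dst), REGS.index(src)
    return bytes([0x8B, 0xC0 | (d << 3) | s])


def decode_mov(code):
    """Decode a two-byte register-direct mov, accepting both 8B /r and 89 /r."""
    op, modrm = code[0], code[1]
    if modrm >> 6 != 3:
        raise ValueError("ModRM mod != 11: not register direct")
    reg, rm = (modrm >> 3) & 7, modrm & 7
    if op == 0x8B:          # mov r32, r/m32 : dst is reg, src is rm
        return f"mov {REGS[reg]},{REGS[rm]}"
    if op == 0x89:          # mov r/m32, r32 : dst is rm, src is reg
        return f"mov {REGS[rm]},{REGS[reg]}"
    raise ValueError(f"opcode {op:02X} is not a 32-bit mov r,r")


# Call sites and the movs the post recorded for them (constructed from its notes).
SCAFAPI_NOTES = {
    0x00401606: ("ecx", "esi"),
    0x00401B75: ("esi", "eax"),
    0x00405F4C: ("ecx", "edi"),
    0x00409AE4: ("ecx", "esi"),
    0x0041286A: ("eax", "esi"),
}


def rebuild(notes):
    """Return {call_site: patch_bytes} for every recorded stolen mov."""
    return {site: encode_mov(dst, src) for site, (dst, src) in notes.items()}


if __name__ == "__main__":
    for site, patch in sorted(rebuild(SCAFAPI_NOTES).items()):
        print(f"{site:08X}  {patch.hex().upper()}  {decode_mov(patch)}")
```

Note that `mov r32,r32` has two legal encodings; a compiler may have emitted 89 /r at some sites, so if you want a byte-identical rebuild, compare against the original binary's own bytes where any survive rather than assuming 8B /r everywhere.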