【Author】 小虾(战神[DFCG])
【Tools used】 Ollydbg, LordPE, AsprDbgr, ImportREC
【Official homepage】 http://www.chinadfcg.com
【Platform】 NT/2000/XP (not recommended under Win98)
【Software】 notepad.exe
【Download】 local download
【Description】 the Notepad that ships with Win98
【Size】 52K
【Packer】 ASProtect 1.23 RC4
【Statement】 I'm just a newbie; I picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Walkthrough】 I used Win98 for years, so to this day I can only unpack a few simple compression packers. This time, to learn how to unpack the tough protectors, I made up my mind and installed a dual-boot system (Win98 or WinXP) ^_^! This is my first unpacking write-up, and it covers ASProtect 1.23 RC4. Forum veterans such as Fly have already written a great deal about unpacking ASProtect 1.23 RC4; I am only writing down my own unpacking process and a few notes so that newbies like me can learn from them. It is a bit long-winded, so experts need not read it. Here I want to thank Fly: without his excellent articles and his selfless guidance there would be no write-up from me today. OK, let's begin ^O^.
First load the target program in OD, hide OD with the hiding plugin, and in the debugging options tick every exception except memory access exceptions.
00401000 N> 68 01D04000 push NOTEPADy.0040D001 //stops here after loading.
00401005 E8 01000000 call NOTEPADy.0040100B
0040100A C3 retn
0040100B C3 retn
0040100C 72 79 jb short NOTEPADy.00401087
0040100E BD 1E8EF67C mov ebp,7CF68E1E
00401013 871E xchg dword ptr ds:[esi],ebx
00401015 89BD 723363B2 mov dword ptr ss:[ebp+B2633372],e>
0040101B B1 39 mov cl,39
Press Shift+F9 until the last exception (around the 27th or 28th):
00C539EC 3100 xor dword ptr ds:[eax],eax //the last exception
00C539EE 64:8F05 00000000 pop dword ptr fs:[0]
00C539F5 58 pop eax
00C539F6 833D B07EC500 00 cmp dword ptr ds:[C57EB0],0
00C539FD 74 14 je short 00C53A13
00C539FF 6A 0C push 0C
00C53A01 B9 B07EC500 mov ecx,0C57EB0
00C53A06 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00C53A09 BA 04000000 mov edx,4
00C53A0E E8 2DD1FFFF call 00C50B40
00C53A13 FF75 FC push dword ptr ss:[ebp-4]
00C53A16 FF75 F8 push dword ptr ss:[ebp-8]
00C53A19 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00C53A1C 8338 00 cmp dword ptr ds:[eax],0
00C53A1F 74 02 je short 00C53A23
00C53A21 FF30 push dword ptr ds:[eax]
00C53A23 FF75 F0 push dword ptr ss:[ebp-10]
00C53A26 FF75 EC push dword ptr ss:[ebp-14]
00C53A29 C3 retn //set a breakpoint here with F2, run with Shift+F9, and it breaks here.
Now let's stop and take a look at the stack:
0012FF5C 00C6392C
0012FF60 00400000 NOTEPADy.00400000
0012FF64 F370A663
0012FF68 0012FFA4 //note this value.
0012FF6C 00C40000
Set a hardware access breakpoint on 0012FF68 and press F9 to run; it breaks here:
00C656D4 /EB 44 jmp short 00C6571A //the hardware breakpoint hits here.
00C656D6 |EB 01 jmp short 00C656D9
00C656D8 |9A 51579CFC BF00 call far 00BF:FC9C5751
00C656DF |0000 add byte ptr ds:[eax],al
00C656E1 |00B9 00000000 add byte ptr ds:[ecx],bh
00C656E7 |F3:AA rep stos byte ptr es:[edi] //set a breakpoint here with F2.
00C656E9 |9D popfd
00C656EA |5F pop edi
00C656EB |59 pop ecx
00C656EC |C3 retn
After F8 the program jumps here. At this point the program's code has already been decrypted, so you can correct the file size with LordPE and dump the whole program. Next we also dump a region: 00C60000, size = 00008000, i.e. the part of the packer's processing code shown above. With that we have stripped off the ASProtect 1.23 RC4 shell; I'm leaving the rest alone (honestly, I don't know how to carry on from here) ^O^.
00C6571A 03C3 add eax,ebx ; NOTEPADy.00400000
00C6571C BB AC000000 mov ebx,0AC //note this value; we will need it later when repairing the program.
00C65721 0BDB or ebx,ebx
00C65723 75 07 jnz short 00C6572C
00C65725 894424 1C mov dword ptr ss:[esp+1C],eax
00C65729 61 popad
00C6572A 50 push eax
00C6572B C3 retn
00C6572C E8 00000000 call 00C65731 //remember the dynamic address 00C6572C; we need it later. This address is generated dynamically, so use the value on your own machine.
00C65731 5D pop ebp
00C65732 81ED 4DE14B00 sub ebp,4BE14D
00C65738 8D85 F2E04B00 lea eax,dword ptr ss:[ebp+4BE0F2]
00C6573E 8D8D 94E14B00 lea ecx,dword ptr ss:[ebp+4BE194]
00C65744 03CB add ecx,ebx
00C65746 8941 01 mov dword ptr ds:[ecx+1],eax
00C65749 8D85 36E14B00 lea eax,dword ptr ss:[ebp+4BE136]
00C6574F 8D8D FAE04B00 lea ecx,dword ptr ss:[ebp+4BE0FA]
00C65755 8901 mov dword ptr ds:[ecx],eax
00C65757 B8 5E140000 mov eax,145E
00C6575C 8D8D FFE04B00 lea ecx,dword ptr ss:[ebp+4BE0FF]
00C65762 8901 mov dword ptr ds:[ecx],eax
00C65764 8D8D 94E14B00 lea ecx,dword ptr ss:[ebp+4BE194]
00C6576A 8D85 94F34B00 lea eax,dword ptr ss:[ebp+4BF394]
00C65770 51 push ecx
00C65771 50 push eax
00C65772 E8 76FFFFFF call 00C656ED
00C65777 61 popad
00C65778 EB 02 jmp short 00C6577C
Now let's "assemble" dumped.exe. First open dumped.exe in LordPE, then load the region dump we just made, Region00C60000-00C68000.dmp, from disk as a new section and change its VOffset to 00860000 (00C60000-00400000=00860000). Keep only LordPE's "Validate PE" option checked and finally rebuild the PE. Dump done! ^O^ The program can't run yet, though, because we still have to repair the IAT and the entry point with its parameters. Now let's repair the IAT. I use AsprDbgr for this because it is simple: start AsprDbgr, load the still-packed program, and keep pressing OK until the target program starts.
=================================================================
AsprDbgr v1.0beta <:P> Made by me... Manko.
iEP=401000 <G:\Documents and Settings\whx\桌面\NOTEPADy.EXE>
IAT Start: 4062E4 //this is where the IAT starts
End: 406524 //end address
Length: 240 //IAT size
IATentry 40639C = C51C64 resolved as GetModuleHandleA
IATentry 4063E4 = C51CD8 resoLved as GetCommandLineA
6 invalid entries erased.
Dip-Table at adress: C57AB4
0 0 0 0 0 0 0 0 0 0 0 0 0 0
Last SEH passed. <C530EE> Searching for signatures. Singlestepping to OEP!
Call + OEP-jump-setup at: C63AD4 < Gode: E8000000 5D81ED >
Mutated, stolen byets at: C63B20 < Code: EB02CD20 F2EB019A >
Erase of stolen bytes at: C63A83 < Code: 9CFCBFC2 3AC600B9 >
Repz ... found. Skipping erase of stolen bytes. ;>
possible <temp)OEP: 4010D3 <Reached from preOEP: C63A94>
Start ImportREC with OEP 00860000, RVA 000062E4, size 240, and search for the IAT; every IAT entry found is valid, so fix the dump file. IAT repair done. Finally, load the unpacked and repaired program in OD by itself, change the first two instructions at the entry to the following, save the file, and run the unpacked program. It starts normally, and the whole unpacking process is complete. ^_^
00C60000 d> BB AC000000 mov ebx,0AC //remember this value?
00C60005 E9 CA3A0000 jmp dumped_.00C6572C //jump to the unpacking address.
00C6000A 0000 add byte ptr ds:[eax],al
00C6000C 0000 add byte ptr ds:[eax],al
00C6000E 0000 add byte ptr ds:[eax],al
00C60010 0000 add byte ptr ds:[eax],al
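As an added example (my own code, not the tutorial's and not part of LordPE, OllyDbg or ImportREC), the following Python does what the write-up does by hand: it appends a dumped region to a dumped PE32 image as a new section whose VirtualAddress is the region base minus ImageBase (00C60000 - 00400000 = 00860000), refusing a base that is misaligned or overlaps an existing section, and it encodes the two-instruction entry stub mov ebx,0AC / jmp rel32 that is patched in at the start of that section. The function names, the one-section stand-in image and the 0x90-filled region are constructed for the example; the addresses 00400000 and 00C60000 and the value 0AC are the tutorial's. One detail worth checking with the arithmetic: the bytes E9 CA3A0000 at 00C60005 in the listing encode a jump to 00C6000A + 3ACA = 00C63AD4, the address AsprDbgr printed as "Call + OEP-jump-setup", while the mnemonic column still names 00C6572C from the earlier OllyDbg session; as the author notes, this address changes from run to run, so the jump target has to come from the run being repaired.

```python
import struct

# Added example, not the tutorial's tooling: append a dumped region to a
# dumped PE32 as a new section (the LordPE step) and encode the entry stub.
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000


def align(n, a):
    return (n + a - 1) // a * a


def pe_layout(img):
    """Return (coff_off, opt_off, section_table_off, NumberOfSections) of a PE32."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsec = struct.unpack_from("<H", img, coff + 2)[0]
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    return coff, opt, opt + opt_size, nsec


def sections(img):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    _, _, sect, nsec = pe_layout(img)
    rows = [struct.unpack_from(SECTION_HDR, img, sect + i * 40) for i in range(nsec)]
    return [(f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]) for f in rows]


def size_of_image(img):
    return struct.unpack_from("<I", img, pe_layout(img)[1] + 56)[0]


def add_region_section(img, name, region, region_base,
                       chars=SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE):
    """Append `region` (bytes dumped from region_base) as a new section whose
    VOffset is region_base - ImageBase, as in the write-up: 00C60000-00400000=00860000."""
    coff, opt, sect, nsec = pe_layout(img)
    image_base, sect_align, file_align = struct.unpack_from("<III", img, opt + 28)
    size_of_headers = struct.unpack_from("<I", img, opt + 60)[0]
    hdr_off = sect + nsec * 40
    if hdr_off + 40 > size_of_headers:
        raise ValueError("no room in the header area for another section header")
    voffset = region_base - image_base
    if voffset < 0 or voffset % sect_align:
        raise ValueError("region base must lie above ImageBase on a section boundary")
    for _, vsize, va, rawsize, _ in sections(img):   # must not overlap mapped sections
        if voffset < va + align(vsize or rawsize, sect_align):
            raise ValueError("region overlaps an existing section")
    raw_ptr, raw_size = align(len(img), file_align), align(len(region), file_align)
    out = bytearray(img) + b"\0" * (raw_ptr - len(img))
    out += region + b"\0" * (raw_size - len(region))
    struct.pack_into(SECTION_HDR, out, hdr_off, name.encode()[:8], len(region),
                     voffset, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    struct.pack_into("<H", out, coff + 2, nsec + 1)                        # NumberOfSections
    struct.pack_into("<I", out, opt + 56, voffset + align(len(region), sect_align))  # SizeOfImage
    return bytes(out)


def entry_stub(ebx_value, stub_va, target_va):
    """Encode `mov ebx,imm32 ; jmp rel32` at stub_va; rel32 counts from the end of the jmp."""
    mov = b"\xBB" + struct.pack("<I", ebx_value)
    rel = target_va - (stub_va + len(mov) + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return mov + b"\xE9" + struct.pack("<i", rel)


def build_minimal_pe(image_base=0x00400000, sect_align=0x1000, file_align=0x200):
    """Constructed one-section PE32 stand-in for dumped.exe (not the real file)."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)    # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                     # PE32 magic
    struct.pack_into("<IIIII", opt, 16, 0x1000, 0x1000, 0x2000, image_base, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                 # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    text = struct.pack(SECTION_HDR, b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, SCN_CODE | SCN_EXEC | SCN_READ)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xC3" + b"\0" * 0x1FF


if __name__ == "__main__":
    rebuilt = add_region_section(build_minimal_pe(), ".asp", b"\x90" * 0x100, 0x00C60000)
    print(sections(rebuilt), hex(size_of_image(rebuilt)))
    print(entry_stub(0xAC, 0x00C60000, 0x00C63AD4).hex(" "))   # the bytes in the listing
```

Run the file directly to print the rebuilt section table and the stub bytes; on a real dump you would read the dumped image and the LordPE region file from disk and pass them to add_region_section. The SizeOfImage update is what lets the loader map the new section at all, and the overlap check is the sanity test LordPE's "Validate PE" step stands in for in the write-up.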
--------------------------------------------------------------------------------
【Summary】
Too lazy to write one...
Author: 小虾(战神[DFCG])
12 July 2004
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!