Picked an ordinary target to practise on; it has been a while since I last unpacked Armadillo and I did not want to get rusty.
I learned how to modify registration flags on ASProtect targets, and applying the same idea to Armadillo works nicely.
Finally, a look at trimming the program; I am not sure whether the optimisation is complete.
Software: VBto Converter 2.14
Download: http://www.vbto.net/SetupVBto.exe
Size: 1.39 MB (1,458,176 bytes)
Language: English
Platform: Windows 98/Me/2000/XP/2003.
Description:
VBto Converter is a powerful tool which allows you to quickly and easily convert your Microsoft Visual Basic 6.0 project to the following languages:
・ MS Visual C++
・ MS C#.NET
・ MS VB.NET
・ MS Visual J#
・ Borland C++ Builder
・ Borland Delphi
The current version of VBto Converter can convert forms, event handlers and source code. The result of the conversion is a new project generated by VBto Converter.
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
Dual-process (parent debugs child)
!- <Protection Options>
Debug-Blocker
CopyMem-II
Enable Memory-Patching Protections
Trial version: NAG screen plus time limit
OEP + dump:
bp WaitForDebugEvent
0012BCB8 0062D7AF /CALL to WaitForDebugEvent from VBto.0062D7A9
0012BCBC 0012CD90 |pDebugEvent = 0012CD90 // follow in the dump window
0012BCC0 000003E8 \Timeout = 1000. ms
bp WriteProcessMemory
0012BB58 00631747 /CALL to WriteProcessMemory from VBto.00631741
0012BB5C 0000004C |hProcess = 0000004C (window)
0012BB60 00401000 |Address = 401000
0012BB64 00BE8768 |Buffer = 00BE8768
0012BB68 00001000 |BytesToWrite = 1000 (4096.)
0012BB6C 0012BC74 \pBytesWritten = 0012BC74
DD 0012CD90 :
0012CD90 00000001
0012CD94 0000026C
0012CD98 0000012C
0012CD9C 80000001
0012CDA0 00000000
0012CDA4 00000000
0012CDA8 004014D0 VBto.004014D0 // OEP
0012CDAC 00000002
0012CDB0 00000000
0012CDB4 004014D0 VBto.004014D0
0012CDB8 004014D0 VBto.004014D0
0012CDBC 813DB460
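An added example (not from the original post) that decodes the DD dump above as the Win32 DEBUG_EVENT structure the parent read back. The twelve dwords are transcribed from the dump; the field layout and the two constants are the documented Win32 definitions. It shows why the value at 0012CDA8 is the OEP: the child raised STATUS_GUARD_PAGE_VIOLATION while fetching code at 004014D0, a page the parent had not yet decrypted (CopyMem-II).

```python
import struct

EXCEPTION_DEBUG_EVENT = 1                 # DEBUG_EVENT.dwDebugEventCode
STATUS_GUARD_PAGE_VIOLATION = 0x80000001  # EXCEPTION_RECORD.ExceptionCode

# The twelve dwords at 0012CD90 shown in the post, packed back into their in-memory form.
DUMP_0012CD90 = struct.pack(
    "<12I",
    0x00000001, 0x0000026C, 0x0000012C, 0x80000001,
    0x00000000, 0x00000000, 0x004014D0, 0x00000002,
    0x00000000, 0x004014D0, 0x004014D0, 0x813DB460,
)


def parse_debug_event(blob):
    """Decode the DEBUG_EVENT header and, for exception events, the EXCEPTION_RECORD.

    Layout (32-bit): 0x00 dwDebugEventCode, 0x04 dwProcessId, 0x08 dwThreadId,
    then the union at 0x0C; for EXCEPTION_DEBUG_INFO that is ExceptionCode (0x0C),
    ExceptionFlags (0x10), ExceptionRecord chain pointer (0x14), ExceptionAddress
    (0x18), NumberParameters (0x1C) and ExceptionInformation[] from 0x20.
    dwFirstChance sits past the 15-entry array and is outside this dump.
    """
    code, pid, tid = struct.unpack_from("<3I", blob, 0)
    event = {"code": code, "pid": pid, "tid": tid}
    if code == EXCEPTION_DEBUG_EVENT:
        exc_code, flags, chain, address, nparams = struct.unpack_from("<5I", blob, 0x0C)
        avail = (len(blob) - 0x20) // 4          # only what the dump actually contains
        count = min(nparams, avail)
        info = list(struct.unpack_from(f"<{count}I", blob, 0x20))
        event.update(exc_code=exc_code, flags=flags, chain=chain,
                     address=address, nparams=nparams, info=info)
    return event


def is_copymem_code_fetch(event):
    """True for a guard-page hit whose faulting address is the instruction pointer.

    For access violations and guard-page faults ExceptionInformation[0] is the
    access type and [1] the address touched. When [1] equals ExceptionAddress the
    fault came from fetching the instruction itself: the child ran into a page the
    parent still had to decrypt. In this write-up the first such event is the OEP.
    """
    return (event["code"] == EXCEPTION_DEBUG_EVENT
            and event.get("exc_code") == STATUS_GUARD_PAGE_VIOLATION
            and len(event.get("info", [])) >= 2
            and event["info"][1] == event["address"])


if __name__ == "__main__":
    ev = parse_debug_event(DUMP_0012CD90)
    print(f"event {ev['code']} pid {ev['pid']:#x} tid {ev['tid']:#x}")
    print(f"exception {ev['exc_code']:#010x} at {ev['address']:#010x}, info {ev['info']}")
    print("OEP candidate" if is_copymem_code_fetch(ev) else "not a code fetch")
```

The same decoder can be pointed at any pDebugEvent buffer seen at a WaitForDebugEvent break; later guard-page events in the same session are ordinary on-demand page decryptions, which is why only the first one matters for the OEP.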
Return from the WriteProcessMemory break:
00631741 FF15 10216600 call dword ptr ds:[<&KERNEL32.WriteProcessMemory>]
00631747 85C0 test eax,eax // returns here
00631749 75 4B jnz short VBto.00631796
Search for: or eax,-8:
0062DD33 83BD CCF5FFFF 00 cmp dword ptr ss:[ebp-A34],0 ; page counter: zero it after the break
0062DD3A 0F8C A8020000 jl VBto.0062DFE8
0062DD40 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
0062DD46 3B0D 488F6600 cmp ecx,dword ptr ds:[668F48] ; note this address: the loop's upper bound
0062DD4C 0F8D 96020000 jge VBto.0062DFE8 ; follow and set a breakpoint there
0062DD52 8B95 40F6FFFF mov edx,dword ptr ss:[ebp-9C0]
0062DD58 81E2 FF000000 and edx,0FF
0062DD5E 85D2 test edx,edx
0062DD60 0F84 AD000000 je VBto.0062DE13
0062DD66 6A 00 push 0
0062DD68 8BB5 CCF5FFFF mov esi,dword ptr ss:[ebp-A34]
0062DD6E C1E6 04 shl esi,4
0062DD71 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
0062DD77 25 07000080 and eax,80000007
0062DD7C 79 05 jns short VBto.0062DD83
0062DD7E 48 dec eax
0062DD7F 83C8 F8 or eax,FFFFFFF8 ; the search lands here
0062DD82 40 inc eax
0062DD83 33C9 xor ecx,ecx
0062DD85 8A88 1C696600 mov cl,byte ptr ds:[eax+66691C]
0062DD8B 8B95 CCF5FFFF mov edx,dword ptr ss:[ebp-A34]
0062DD91 81E2 07000080 and edx,80000007
0062DD97 79 05 jns short VBto.0062DD9E
0062DD99 4A dec edx
0062DD9A 83CA F8 or edx,FFFFFFF8
0062DD9D 42 inc edx
0062DD9E 33C0 xor eax,eax
0062DDA0 8A82 1D696600 mov al,byte ptr ds:[edx+66691D]
0062DDA6 8B3C8D 70236600 mov edi,dword ptr ds:[ecx*4+662370]
0062DDAD 333C85 70236600 xor edi,dword ptr ds:[eax*4+662370]
0062DDB4 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
0062DDBA 81E1 07000080 and ecx,80000007
0062DDC0 79 05 jns short VBto.0062DDC7
0062DDC2 49 dec ecx
0062DDC3 83C9 F8 or ecx,FFFFFFF8
0062DDC6 41 inc ecx
0062DDC7 33D2 xor edx,edx
0062DDC9 8A91 1E696600 mov dl,byte ptr ds:[ecx+66691E]
0062DDCF 333C95 70236600 xor edi,dword ptr ds:[edx*4+662370]
0062DDD6 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
0062DDDC 99 cdq
0062DDDD B9 1C000000 mov ecx,1C
0062DDE2 F7F9 idiv ecx
0062DDE4 8BCA mov ecx,edx
0062DDE6 D3EF shr edi,cl
0062DDE8 83E7 0F and edi,0F
0062DDEB 03F7 add esi,edi
0062DDED 8B15 2C8F6600 mov edx,dword ptr ds:[668F2C]
0062DDF3 8D04B2 lea eax,dword ptr ds:[edx+esi*4]
0062DDF6 50 push eax
0062DDF7 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
0062DDFD 51 push ecx
0062DDFE E8 2F210000 call VBto.0062FF32
0062DE03 83C4 0C add esp,0C
0062DE06 25 FF000000 and eax,0FF ; patch location
0062DE0B 85C0 test eax,eax
0062DE0D 0F84 D5010000 je VBto.0062DFE8
...
0062DFE8 /E9 D4100000 jmp VBto.0062F0C1 // breakpoint here
Patch code (written at 0062DE06):
inc dword ptr ss:[ebp-0A34] ; next page
mov dword ptr ds:[668F4C],1 ; the address noted above + 4
jmp 0062DD33 ; back to the top where the counter was zeroed
When the break at 0062DFE8 hits, every page has been decrypted: dump, and set the OEP to 000014D0.
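To make the page loop above readable, here is an added Python rendering of the arithmetic between 0062DD33 and 0062DDFE and of what the three-instruction patch changes. It is not the post's code. The byte table at 66691C and the dword table at 662370 are not reproduced in the post, so constructed stand-ins are used, and the decryption routine 0062FF32 is represented by a callback. Note that the three loads from 66691C, 66691D and 66691E with the same index are simply three consecutive entries of one byte table.

```python
# Constructed stand-ins for the two tables the loop reads (real contents are not in the post).
BYTE_TBL_66691C = [0, 3, 5, 1, 7, 2, 6, 4, 0, 3]      # entries i, i+1, i+2 are used, i in 0..7
DWORD_TBL_662370 = [0x12345678, 0x9ABCDEF0, 0x0F0F0F0F, 0xF0F0F0F0,
                    0xAAAAAAAA, 0x55555555, 0xDEADBEEF, 0xCAFEBABE]


def signed_mod8(x):
    """and eax,80000007 / jns / dec eax / or eax,-8 / inc eax  ==  C-style x % 8.

    Compiler idiom for a signed remainder by a power of two: keep the sign bit and
    the low three bits, then for negative inputs sign-extend the remainder.
    """
    eax = x & 0x80000007
    if eax & 0x80000000:                      # jns not taken: x was negative
        eax = (eax - 1) & 0xFFFFFFFF
        eax |= 0xFFFFFFF8
        eax = (eax + 1) & 0xFFFFFFFF
    return eax - (1 << 32) if eax & 0x80000000 else eax


def idiv_remainder(a, b):
    """cdq / idiv ecx leaves in edx a remainder carrying the sign of the dividend."""
    r = abs(a) % abs(b)
    return -r if a < 0 else r


def key_slot(page, byte_tbl=BYTE_TBL_66691C, dword_tbl=DWORD_TBL_662370):
    """esi as computed at 0062DDEB: which of the 16 dwords in this page's key block is used."""
    if page < 0:
        raise ValueError("the jl at 0062DD3A leaves the loop for negative counters")
    i = signed_mod8(page)                                 # the idiom appears three times
    mix = (dword_tbl[byte_tbl[i]] ^ dword_tbl[byte_tbl[i + 1]]
           ^ dword_tbl[byte_tbl[i + 2]])                   # 0062DDA6..0062DDCF
    nibble = (mix >> idiv_remainder(page, 0x1C)) & 0xF    # shr edi,cl / and edi,0F
    return (page << 4) + nibble                           # shl esi,4 / add esi,edi


def page_loop(page, page_count, decrypt, patched):
    """Mirror of the loop control.

    Unpatched, the code handles the single page that faulted and falls through
    towards 0062DFE8. With the patch (inc [ebp-0A34]; mov [668F4C],1; jmp 0062DD33)
    the counter advances and the loop repeats until cmp ecx,[668F48] / jge exits,
    so starting from a zeroed counter every page 0..page_count-1 is decrypted
    before the breakpoint at 0062DFE8 is reached.
    """
    decrypted = []
    while 0 <= page < page_count:                # jl at 0062DD3A, jge at 0062DD4C
        decrypt(page, key_slot(page))            # push slot ptr, push page, call 0062FF32
        decrypted.append(page)
        if not patched:
            break                                # original: test eax,eax / je 0062DFE8
        page += 1                                # patch: inc dword ptr [ebp-0A34]
    return decrypted


if __name__ == "__main__":
    def show(page, slot):
        print(f"page {page:3d} -> key dword at [668F2C] + {slot:#x}*4")
    print("unpatched, fault on page 2:", page_loop(2, 5, show, patched=False))
    print("patched, counter zeroed:   ", page_loop(0, 5, show, patched=True))
```

The post does not say what the flag at 668F4C means, so the emulation only records that the patch sets it; what matters for the dump is the loop shape, which is why the counter must be zeroed by hand before letting the patched loop run.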
IAT repair:
Load the dumped file in OD and determine the IAT range: RVA=001E611C, Size=1000 (rounded up generously).
Reload the original program and set BP DebugActiveProcess; when it breaks, look at the stack:
0012BCBC 0062D60A /CALL to DebugActiveProcess from VBto.0062D604
0012BCC0 000004A8 \ProcessId = 4A8
Open a second OD, attach to that process, press F9 and then F12; it pauses at the EP:
0063D633 V>- EB FE jmp short VBto.<ModuleEntryPoint>
0063D635 EC in al,dx
0063D636 6A FF push -1
EB FE is jmp $, a two-byte self-loop over the first two bytes of the entry point that keeps the child parked; the stray "in al,dx" is just EC, the surviving second byte of the original 8B EC. Restore the original bytes:
0063D633 V> 55 push ebp
0063D634 8BEC mov ebp,esp
0063D636 6A FF push -1
Script to convert to a single process:
Magic Jump:
00D1AB8E /0F84 32010000 je 00D1ACC6
Jump to the OEP ("fly to the summit of light"):
00D3BD45 FFD7 call edi ; VBto.004014D0
Run ImportREC with RVA=001E611C, Size=1000, OEP=000014D0; cut the invalid thunks, save the tree for later use, and fix dumped.exe.
Runs OK; compiler: Borland C++ 1999.
Fixing the registration status in About:
After loading, search memory for the version string 2.14:
00592191 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005921A1 32 2E 31 34 00 76 65 72 73 69 6F 6E 20 00 20 20 2.14.version .
005921B1 28 00 4A 75 6C 20 31 30 20 32 30 30 36 00 29 00 (.Jul 10 2006.).
005921C1 41 4C 54 55 53 45 52 4E 41 4D 45 00 55 53 45 52 ALTUSERNAME.USER
005921D1 4B 45 59 00 52 65 67 69 73 74 65 72 65 64 3A 20 KEY.Registered:
005921E1 22 00 22 00 55 6E 72 65 67 69 73 74 65 72 65 64 ".".Unregistered
005921F1 20 21 21 21 00 !!!.
All the registration strings sit together here.
Set a hardware access breakpoint on the version string, click About, and when it breaks return up the call stack:
00447C85 8B15 941C5900 mov edx,dword ptr ds:[591C94] ; dumped_.005921A1
00447C8B E8 881F1100 call dumped_.00559C18
00447C90 50 push eax ; returns here
Look: the edx loaded above the call is 005921A1, the version string 2.14:
ds:[00591C94]=005921A1 (dumped_.005921A1), ASCII "2.14"
Keep going down to the jump:
00447E35 833D B4015700 00 cmp dword ptr ds:[5701B4],0
00447E3C 75 08 jnz short cyto.00447E46
00447E3E 85F6 test esi,esi
00447E40 0F84 DA000000 je cyto.00447F20 // here
If the jump is left alone you land at:
00447F26 8D57 48 lea edx,dword ptr ds:[edi+48]
Hint: address=005921E5, (ASCII "Unregistered !!!")
If the jump is changed you land at:
00447E61 8D57 38 lea edx,dword ptr ds:[edi+38]
Hint: address=005921D5, (ASCII "Registered: "")
There are a few suspicious assignments before and after the jump; tracing them shows:
00447DE0 BE 981C5900 mov esi,dumped_.00591C98 // registration name
00447E06 BE 991D5900 mov esi,dumped_.00591D99 // ?
00447F6C BE 9A1E5900 mov esi,dumped_.00591E9A // licence type
Write the details into those buffers:
00591C98 63 79 74 6F 00 00 00 00 cyto....
00591D99 42 75 73 69 6E 65 73 73 Business
00591E9A 42 75 73 69 6E 65 73 73 Business
and change the jump at 00447E40: nop it out or turn it into jne.
OK, the About box now shows the Registered status:
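The write-up applies the registration patch live in OllyDbg. As an added example (not the post's code), here is how to put the same bytes into the dumped file: translate each OllyDbg virtual address to a file offset through the PE section table and overwrite. The addresses and bytes come from the write-up; the NUL terminators after the strings, the file name dumped_.exe, and the constructed two-section PE image used for the offline demonstration are assumptions.

```python
import struct

PE32_MAGIC = 0x10B

# Patch list from the write-up: (virtual address, bytes, purpose).
# The trailing NUL after each string is an assumption (the dump at 00591C98 shows zeros after "cyto").
REG_PATCHES = [
    (0x00591C98, b"cyto\0",     "registration name loaded at 00447DE0"),
    (0x00591D99, b"Business\0", "string loaded at 00447E06"),
    (0x00591E9A, b"Business\0", "licence type loaded at 00447F6C"),
    (0x00447E40, b"\x0f\x85",   "je -> jne so the 'Registered:' branch is taken"),
]


def pe_sections(pe):
    """Return (image_base, [(name, rva, virtual_size, raw_ptr, raw_size), ...]) for a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 is handled (the target is a 32-bit Armadillo build)")
    image_base, = struct.unpack_from("<I", pe, opt + 28)  # PE32: ImageBase at optional header + 28
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(pe, va):
    """Map a debugger VA to a file offset; raise if the byte has no backing in the file."""
    image_base, sections = pe_sections(pe)
    rva = va - image_base
    for name, srva, vsize, raw_ptr, raw_size in sections:
        if srva <= rva < srva + max(vsize, raw_size):
            delta = rva - srva
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} is in the virtual-only part of {name} (not in the file)")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is outside every section")


def apply_patches(pe, patches):
    """Return a patched copy of the image; each patch must be contiguous in the file."""
    out = bytearray(pe)
    for va, data, _purpose in patches:
        start = va_to_offset(out, va)
        last = va_to_offset(out, va + len(data) - 1)
        if last - start != len(data) - 1:
            raise ValueError(f"patch at {va:#010x} crosses a section boundary")
        out[start:start + len(data)] = data
    return bytes(out)


def build_sample_pe(image_base=0x00400000):
    """Constructed PE32 shell for offline use, not a runnable program: CODE at RVA 0x1000
    (0x1000 raw bytes at file offset 0x400) and DATA at RVA 0x2000 (0x200 raw bytes at
    0x1400, 0x1000 virtual size, so its tail exercises the virtual-only error path)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    sect = struct.pack("<8sIIIIIIHHI", b"CODE", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b"DATA", 0x1000, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x400, b"\0") + bytes(0x1000) + bytes(0x200)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "dumped_.exe"   # assumed file name
    with open(path, "rb") as f:
        image = f.read()
    for va, data, purpose in REG_PATCHES:
        print(f"{va:#010x} -> file offset {va_to_offset(image, va):#08x}: {purpose}")
    with open(path[:-4] + "_reg.exe", "wb") as f:
        f.write(apply_patches(image, REG_PATCHES))
```

For a LordPE dump the raw pointers normally equal the RVAs, so the offsets come out as VA minus image base; the section walk still matters after the trimming step below, where sections are removed and the file is rebuilt.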
Trimming the program:
The unpacked program is huge. Set a memory breakpoint on every section, press F9 until it runs, then click through each function module; in the end several sections were never touched:
Delete the sections from 005F8000 to 00682000 with LordPE. The program still will not run at that point because the IAT has to be redone, so also delete the .mackt section at 00790000, Rebuild PE, then load the IAT tree saved earlier into ImportREC and fix the file.
Result:
Heh, it runs, and the size went from 3.57 MB down to 1.94 MB.