【文章标题】: Armadillo 3.00a - 3.61遇难,求救~0~
【文章作者】: fonge
【作者邮箱】: fonge520@163.com
【作者QQ号】: 170247260
【下载地址】: http://www.righthemisphere.com/products/dp3d/downloads/deeppaint3d.exe
【保护方式】: Armadillo 3.00a - 3.61 -> Silicon Realms
【使用工具】: OllyDbg 1.10、PEiD 0.94、ImportREC v1.4.2+(下文简称 importREC)、ProcDump
【软件介绍】: 三维贴图绘制软件Deep Paint 3D 2.1
【作者声明】: 只是感兴趣,没有其他目的。(本身这个软件就已是破解版本,没有商业价值)
--------------------------------------------------------------------------------
【详细过程】
OD 载入,停在壳的入口处(009F4000 的 pushad,这是 Armadillo 外壳代码的入口,并不是程序本身的 OEP):
009F4000 > 60 pushad
009F4001 E8 00000000 call 009F4006
009F4006 5D pop ebp
009F4007 50 push eax
009F4008 51 push ecx
009F4009 EB 0F jmp short 009F401A
009F400B B9 EB0FB8EB mov ecx, EBB80FEB
009F4010 07 pop es
009F4011 B9 EB0F90EB mov ecx, EB900FEB
009F4016 08FD or ch, bh
009F4018 EB 0B jmp short 009F4025
009F401A F2: prefix repne:
009F401B ^ EB F5 jmp short 009F4012
009F401D ^ EB F6 jmp short 009F4015
009F401F F2: prefix repne:
009F4020 EB 08 jmp short 009F402A
对 GetModuleHandleA 下硬件执行断点(HE),中途会出现两次异常,按 ALT+F9 继续;每次中断都要看堆栈窗口里的 pModule 参数和返回地址,一直到第 12 次(pModule = NULL,返回地址 013EC073,即来自 Armadillo 自身的 013Exxxx 代码区)再返回。注意:中断次数取决于本机加载了哪些系统 DLL,换一台机器次数可能不同,应以堆栈里"来自 013Exxxx 且 pModule = NULL"为准,而不是死记第 12 次。
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0164F558 7365D4A4 /CALL 到 GetModuleHandleA 来自 msctfime.7365D49E
0164F55C 0164F560 \pModule = "D:\WINDOWS\system32\ntdll.dll"
0164F560 575C3A44
0164F564 4F444E49
0164F568 735C5357
0164F56C 65747379
0164F570 5C32336D
0164F574 6C64746E
0164EA70 77F45BD8 /CALL 到 GetModuleHandleA 来自 SHLWAPI.77F45BD2
0164EA74 77F4501C \pModule = "KERNEL32.DLL"
0164EA78 00000001
0164EA7C 77F40000 SHLWAPI.77F40000
0164EA80 00000000
0164EA84 0000083E
0164EA88 /0164EA9C
0164EA8C |77F452DD 返回到 SHLWAPI.77F452DD 来自 SHLWAPI.77F45BB5
0164EA90 |00000000
0164E9B0 5D175394 /CALL 到 GetModuleHandleA 来自 COMCTL32.5D17538E
0164E9B4 5D1753E0 \pModule = "kernel32.dll"
0164E9B8 5D1E2B38 COMCTL32.5D1E2B38
0164E9BC 00000000
0164E9C0 5D170000 offset COMCTL32.#240
0164E9C4 7C812972 返回到 kernel32.7C812972 来自 ntdll.RtlCreateHeap
0164E9C8 40001062
0164E9CC 0164E9B8
0164E9D0 00010000 UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
0164E9D4 0164EBD4 指向下一个 SEH 记录的指针
0164EA08 7320F55D /CALL 到 GetModuleHandleA 来自 WINWB86.7320F557
0164EA0C 7321B3B8 \pModule = "USER32.DLL"
0164EA10 00000001
0164EA14 73200000 WINWB86.73200000
0164EA18 7320FB0D 返回到 WINWB86.7320FB0D 来自 WINWB86.7320F550
0164EA1C 00000001
0164EA20 73200000 WINWB86.73200000
0164EA24 0164EADC
0164EA28 73210610 WINWB86.<模块入口点>
0012BEB8 013D5407 /CALL 到 GetModuleHandleA 来自 013D5401
0012BEBC 0012BFF4 \pModule = "kernel32.dll"
0012BEC0 0012EF74
0012BEC4 01428FF8
0012BEC8 00000000
0012BECC 00000000
0012BED0 00000000
0012BEB8 013D5407 /CALL 到 GetModuleHandleA 来自 013D5401
0012BEBC 0012BFF4 \pModule = "user32.dll"
0012BEC0 0012EF74
0012BEC4 01428FF8
0012BEC8 00000000
0012BECC 00000140
0012BED0 00000000
0012BEB8 013D5407 /CALL 到 GetModuleHandleA 来自 013D5401
0012BEBC 0012BFF4 \pModule = "MSVBVM60.DLL"
0012BEC0 0012EF74
0012BEC4 01428FF8
0012BEC8 00000000
0012BECC 00000028
0012BED0 00000000
0012B764 73391BC1 /CALL 到 GetModuleHandleA 来自 73391BBB
0012B768 73393DBC \pModule = "kernel32.dll"
0012B76C 73391B60 返回到 73391B60 来自 73391B8C
0012B770 73390000
0012B774 00000001
0012B778 00000000
0012B77C 00000001
0012B780 0012B79C
0012B758 73392858 /CALL 到 GetModuleHandleA 来自 73392852
0012B75C 73393DE8 \pModule = "KERNEL32"
0012B760 73392808 返回到 73392808 来自 7339284D
0012B764 733927D9 返回到 733927D9
0012B768 73391C66 返回到 73391C66 来自 733927CE
0012B76C 73391B60 返回到 73391B60 来自 73391B8C
0012B770 73390000
0012B774 00000001
0012B778 00000000
0012B77C 00000001
0012B750 73393208 /CALL 到 GetModuleHandleA 来自 73393202
0012B754 00000000 \pModule = NULL
0012B758 73393172 返回到 73393172 来自 733931F7
0012B75C 73390000
0012B760 00000001
0012B764 73390000
0012B768 /0012B7A8
0012B76C |73391B21 返回到 73391B21 来自 73393146
0012BEB8 013D5407 /CALL 到 GetModuleHandleA 来自 013D5401
0012BEBC 0012BFF4 \pModule = "advapi32.dll" ///////////到站了
0012BEC0 0012EF74
0012BEC4 01428FF8
0012BEC8 00000000
0012C144 013EC073 /CALL 到 GetModuleHandleA 来自 013EC06D
0012C148 00000000 \pModule = NULL ///////////Ctrl+F9 返回
0012C14C 0012EF74
0012C150 01428FF8
0012C154 00000000
0012C158 001403F8
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
清除硬件断点,
013EC073 3985 BCE9FFFF cmp [ebp-1644], eax ; Deep3D.00400000
013EC079 75 0F jnz short 013EC08A
013EC07B C785 B8E9FFFF 0>mov dword ptr [ebp-1648], 13FA408
013EC085 E9 C4000000 jmp 013EC14E
013EC08A 83A5 90E7FFFF 0>and dword ptr [ebp-1870], 0
013EC091 C785 8CE7FFFF 0>mov dword ptr [ebp-1874], 13FAA08
013EC09B EB 1C jmp short 013EC0B9
013EC09D 8B85 8CE7FFFF mov eax, [ebp-1874]
013EC0A3 83C0 0C add eax, 0C
013EC0A6 8985 8CE7FFFF mov [ebp-1874], eax
013EC0AC 8B85 90E7FFFF mov eax, [ebp-1870]
013EC0B2 40 inc eax
013EC0B3 8985 90E7FFFF mov [ebp-1870], eax
013EC0B9 8B85 8CE7FFFF mov eax, [ebp-1874]
013EC0BF 8338 00 cmp dword ptr [eax], 0
013EC0C2 0F84 86000000 je 013EC14E ///magic jmp
013EC0C8 8B85 8CE7FFFF mov eax, [ebp-1874]
013EC0CE 8B40 08 mov eax, [eax+8]
013EC0D1 83E0 01 and eax, 1
修改magic jmp:
013EC0C2 0F84 86000000 JMP 013EC14E //////////记下地址 013EC0C2,过一会要用
CTRL+F 查找命令 salc,可以直接找到"jmp 后面紧跟两个 salc"的位置,在 salc 前面那条 jmp(013EC67F)上下断:
013EC679 E8 644CFEFF call 013D12E2
013EC67E 59 pop ecx
013EC67F EB 03 jmp short 013EC684 /////在这里下断
013EC681 D6 salc
013EC682 D6 salc
F9 运行,断在 013EC67F 处后,CTRL+G 到 013EC0C2 的 magic jmp 处,撤消刚才的修改,
恢复原来的:
013EC0C2 0F84 86000000 je 013EC14E
清除所有断点,ALT+M 调出 Memory map,在 00401000(主模块 Deep3D 的第一个段,其镜像基址为 00400000)处右击设置内存访问断点,F9 运行,直接断在 OEP 处:
005D060C 55 push ebp ///////////直接来到了OEP,dump(full)
005D060D 8BEC mov ebp, esp
005D060F 6A FF push -1
005D0611 68 48176000 push 00601748
005D0616 68 6A075D00 push 005D076A ; jmp 到 msvcrt._except_handler3
005D061B 64:A1 00000000 mov eax, fs:[0]
005D0621 50 push eax
005D0622 64:8925 0000000>mov fs:[0], esp
005D0629 83EC 68 sub esp, 68
005D062C 53 push ebx
005D062D 56 push esi
005D062E 57 push edi
005D062F 8965 E8 mov [ebp-18], esp
然后用 importREC 修复:OEP 填 1D060C(= 005D060C − 镜像基址 00400000),IAT AutoSearch,Get Imports,结果有 16 个指针无效,我直接 Cut 掉再 Fix Dump——但修复出来的文件并不能正常运行!?
(补充:直接 Cut 掉无效指针等于删掉了程序真正要调用的 16 个 API,修复后的文件运行到这些调用处必然出错。建议先用 Show Invalid 看这些指针指向哪里:若指向 013Dxxxx–013Fxxxx 的 Armadillo 代码区,说明这部分 IAT 仍被壳接管,可先试 importREC 的 Trace Level1 (Disasm)/Level2/Level3 解析;若仍解不出,需回到 013EC0C2 附近确认 magic jmp 是否跳过了全部被替换的 API。另外也应核对 dump 文件的 ImageBase 是否仍为 00400000,并把修复后的文件放到 OD 里跑一遍,看崩溃点落在哪个 IAT 槽上,再针对性处理。)
--------------------------------------------------------------------------------
【经验总结】
013EC21E 6A 01 push 1
013EC220 58 pop eax
013EC221 85C0 test eax, eax
013EC223 0F84 79030000 je 013EC5A2
013EC229 66:83A5 88E7FFF>and word ptr [ebp-1878], 0
013EC231 83A5 80E7FFFF 0>and dword ptr [ebp-1880], 0
013EC238 83A5 84E7FFFF 0>and dword ptr [ebp-187C], 0
013EC23F 8B85 94ECFFFF mov eax, [ebp-136C]
013EC245 0FBE00 movsx eax, byte ptr [eax]
013EC248 85C0 test eax, eax
013EC24A 0F85 0C010000 jnz 013EC35C
013EC250 C785 30E7FFFF A>mov dword ptr [ebp-18D0], 13D62A5
013EC25A C785 34E7FFFF C>mov dword ptr [ebp-18CC], 13D62CB
013EC264 C785 38E7FFFF 4>mov dword ptr [ebp-18C8], 13D6341
013EC26E C785 3CE7FFFF E>mov dword ptr [ebp-18C4], 13D62EE
013EC278 C785 40E7FFFF 2>mov dword ptr [ebp-18C0], 13D632B
013EC282 C785 44E7FFFF 3>mov dword ptr [ebp-18BC], 13D6330
013EC28C C785 48E7FFFF 3>mov dword ptr [ebp-18B8], 13D6335
013EC296 C785 4CE7FFFF 6>mov dword ptr [ebp-18B4], 13D6363
013EC2A0 C785 50E7FFFF 8>mov dword ptr [ebp-18B0], 13D6389
013EC2AA C785 54E7FFFF 3>mov dword ptr [ebp-18AC], 13D633A
013EC2B4 C785 58E7FFFF A>mov dword ptr [ebp-18A8], 13D62A5
013EC2BE C785 5CE7FFFF C>mov dword ptr [ebp-18A4], 13D62CB
013EC2C8 C785 60E7FFFF 4>mov dword ptr [ebp-18A0], 13D6341
013EC2D2 C785 64E7FFFF E>mov dword ptr [ebp-189C], 13D62EE
013EC2DC C785 68E7FFFF 5>mov dword ptr [ebp-1898], 13D6354
013EC2E6 C785 6CE7FFFF 5>mov dword ptr [ebp-1894], 13D6359
013EC2F0 C785 70E7FFFF 5>mov dword ptr [ebp-1890], 13D635E
013EC2FA C785 74E7FFFF 6>mov dword ptr [ebp-188C], 13D6363
013EC304 C785 78E7FFFF 8>mov dword ptr [ebp-1888], 13D6389
013EC30E C785 7CE7FFFF A>mov dword ptr [ebp-1884], 13D63AF
013EC318 8D8D 68ECFFFF lea ecx, [ebp-1398]
013EC31E E8 1D4DFEFF call 013D1040
013EC323 0FB6C0 movzx eax, al
013EC326 99 cdq
013EC327 6A 14 push 14
013EC329 59 pop ecx
013EC32A F7F9 idiv ecx
013EC32C 8B85 A4E9FFFF mov eax, [ebp-165C]
013EC332 8B8C95 30E7FFFF mov ecx, [ebp+edx*4-18D0] ********************************
013EC339 8908 mov [eax], ecx
013EC33B 8B85 A4E9FFFF mov eax, [ebp-165C]
013EC341 83C0 04 add eax, 4
013EC344 8985 A4E9FFFF mov [ebp-165C], eax
013EC34A 8B85 94ECFFFF mov eax, [ebp-136C]
013EC350 40 inc eax
013EC351 8985 94ECFFFF mov [ebp-136C], eax
013EC357 E9 46020000 jmp 013EC5A2
013EC35C 8B85 94ECFFFF mov eax, [ebp-136C]
013EC362 0FB600 movzx eax, byte ptr [eax]
013EC365 3D FF000000 cmp eax, 0FF
013EC36A 0F85 8A000000 jnz 013EC3FA
013EC370 8B85 94ECFFFF mov eax, [ebp-136C]
013EC376 40 inc eax
013EC377 8985 94ECFFFF mov [ebp-136C], eax
013EC37D 8B85 94ECFFFF mov eax, [ebp-136C]
013EC383 66:8B00 mov ax, [eax]
013EC386 66:8985 88E7FFF>mov [ebp-1878], ax
013EC38D 8B85 94ECFFFF mov eax, [ebp-136C]
013EC393 40 inc eax
013EC394 40 inc eax
013EC395 8985 94ECFFFF mov [ebp-136C], eax
013EC39B 83BD B8E9FFFF 0>cmp dword ptr [ebp-1648], 0
013EC3A2 74 51 je short 013EC3F5 *********************************
013EC3A4 8B85 B8E9FFFF mov eax, [ebp-1648]
013EC3AA 8985 2CE7FFFF mov [ebp-18D4], eax
013EC3B0 EB 0F jmp short 013EC3C1
013EC3B2 8B85 2CE7FFFF mov eax, [ebp-18D4]
013EC3B8 83C0 0C add eax, 0C
013EC3BB 8985 2CE7FFFF mov [ebp-18D4], eax
013EC3C1 8B85 2CE7FFFF mov eax, [ebp-18D4]
013EC3C7 8378 08 00 cmp dword ptr [eax+8], 0
013EC3CB 74 28 je short 013EC3F5
013EC3CD 0FB785 88E7FFFF movzx eax, word ptr [ebp-1878]
013EC3D4 8B8D 2CE7FFFF mov ecx, [ebp-18D4]
013EC3DA 0FB749 04 movzx ecx, word ptr [ecx+4]
013EC3DE 3BC1 cmp eax, ecx
013EC3E0 75 11 jnz short 013EC3F3
013EC3E2 8B85 2CE7FFFF mov eax, [ebp-18D4]
013EC3E8 8B40 08 mov eax, [eax+8]
013EC3EB 8985 84E7FFFF mov [ebp-187C], eax
013EC3F1 EB 02 jmp short 013EC3F5
013EC3F3 ^ EB BD jmp short 013EC3B2
013EC3F5 E9 9B000000 jmp 013EC495
013EC3FA 8B85 94ECFFFF mov eax, [ebp-136C]
013EC400 8985 80E7FFFF mov [ebp-1880], eax
013EC406 6A 00 push 0
013EC408 FFB5 94ECFFFF push dword ptr [ebp-136C]
013EC40E E8 CD400000 call 013F04E0
013EC413 59 pop ecx
013EC414 59 pop ecx
013EC415 40 inc eax
013EC416 8985 94ECFFFF mov [ebp-136C], eax
013EC41C 83BD B8E9FFFF 0>cmp dword ptr [ebp-1648], 0
013EC423 74 70 je short 013EC495
013EC425 8B85 B8E9FFFF mov eax, [ebp-1648]
这一段代码(上面用 * 标出的两处)一点都不能动,只要在这里下断点或改动指令,程序就跑不完;推测是壳在这里做了校验或反调试,具体机制尚未确认。
--------------------------------------------------------------------------------