[Topic: Dongle shells, shell encryption/compression, stripping dongle shells! (2)]
Everyone, come and study dongle shells! <2004/7/21>
In yesterday's article, the cracking key at .gdata+1Ch should have been 44; my apologies (the heat got to me).
I was delighted to see the high hit count today! I keep watching my mailbox, hoping to find comrades-in-arms.
The old and new versions of the application mentioned in the previous article have the following similarities:
① The .gdata area of the shell of programs produced by the old-style packing tool (the key location is .gdata+1C).
In the new program (NewPe1.exe), the following content precedes the string "没有发现硬件狗" (hardware dongle not found); the key location is .??+3E:
0029e000h: 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00
0029e010h: FF FF FF FF 00 00 00 00 07 06 05 04 03 02 01 00
0029e020h: 32 0A 00 00 B1 74 68 00 28 5A 68 00 4D 91 98 D5
0029e030h: 80 DD AD 33 7E CE 79 00 00 00 01 00 00 00 C6 91
0029e040h: BE 48 00 00 00 00 C1 C9 7A F2 D2 E8 60 25 98 D0
0029e050h: 0B 00 00 00 01 00 00 00 2E 64 61 74 61 00 00 00
0029e060h: 44 41 54 41 00 00 00 00 44 47 52 4F 55 50 00 00
0029e070h: 47 6F 6C 64 65 6E 20 54 69 64 65 00 00 40 69 00
0029e080h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0029e090h: 00 00 00 00 24 00 A9 BA 00 00 00 00 00 00 00 00
To clarify the above: .gdata+1C is the key location; the .gdata+2E location that 真.hp mentioned need not be changed. In the new program, .??+2C need not be changed, but .??+3E is the key location (see below).
② Similar places in the disassembled code
NewPe1.exe (one layer of shell removed)       Old.exe (old version)
00689665 cmp [00], 00
         jne
         cmp [8C], 00                         005AC114 cmp [7C], 00
         je                                            je
         mov eax, [3E]                        005AC1A7 mov eax, [1C]
         xor eax, [2D2]
         xor eax, [2C]                                 xor eax, [2E]
00689C89 cmp [8C], 00                         005AC27E cmp [7C], 00
         je                                            je
         mov eax, [3E]                                 mov eax, [1C]
         xor eax, [2D2]
         xor eax, [2C]                                 xor eax, [2E]
0068A59B cmp [8C], 00                         005AC303 cmp [7C], 00
         je                                            je
         mov eax, [3E]                        005AC399 mov eax, [1C]
         xor eax, [2D2]
         xor eax, [2C]                                 xor eax, [2E]
...                                           ...
The old version disassembles as follows:
* Referenced by a CALL at Address:
:005AC0F9
******************** Program Entry Point ********
:005ABC11 55 push ebp
:005ABC12 8BEC mov ebp, esp
:005ABC14 83EC1C sub esp, 0000001C
:005ABC17 53 push ebx
:005ABC18 56 push esi
:005ABC19 57 push edi
:005ABC1A 56 push esi
:005ABC1B 57 push edi
:005ABC1C 52 push edx
:005ABC1D 51 push ecx
:005ABC1E 53 push ebx
:005ABC1F 50 push eax
:005ABC20 833D980E5C0000 cmp dword ptr [005C0E98], 00000000
:005ABC27 0F857B030000 jne 005ABFA8
:005ABC2D E8B01A0000 call 005AD6E2
:005ABC32 C745E800000000 mov [ebp-18], 00000000
:005ABC39 EB03 jmp 005ABC3E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC52(U)
:005ABC3B FF45E8 inc [ebp-18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC39(U)
:005ABC3E 837DE81E cmp dword ptr [ebp-18], 0000001E
:005ABC42 7D10 jge 005ABC54
:005ABC44 8B45E8 mov eax, dword ptr [ebp-18]
:005ABC47 C704859C005C00FFFFFFFF mov dword ptr [4*eax+005C009C], FFFFFFFF
:005ABC52 EBE7 jmp 005ABC3B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC42(C)
:005ABC54 EB01 jmp 005ABC57
:005ABC56 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC54(U)
:005ABC57 E8C6080000 call 005AC522
:005ABC5C 85C0 test eax, eax
:005ABC5E 7505 jne 005ABC65
:005ABC60 E953030000 jmp 005ABFB8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC5E(C)
:005ABC65 EB01 jmp 005ABC68
:005ABC67 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC65(U)
:005ABC68 833D74005C0000 cmp dword ptr [005C0074], 00000000
:005ABC6F 7545 jne 005ABCB6
:005ABC71 EB01 jmp 005ABC74
:005ABC73 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC71(U)
:005ABC74 E88F040000 call 005AC108
:005ABC79 85C0 test eax, eax
:005ABC7B 7509 jne 005ABC86
:005ABC7D E858060000 call 005AC2DA                 ; this call displays the prompt
:005ABC82 85C0 test eax, eax
:005ABC84 7405 je 005ABC8B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005ABC7B(C)
:005ABC86 E92D030000 jmp 005ABFB8
* Referenced by a CALL at Addresses:
:005AB0ED , :005AB0F6 , :005ABC74
:005AC108 55 push ebp
:005AC109 8BEC mov ebp, esp
:005AC10B 83EC3C sub esp, 0000003C
:005AC10E 53 push ebx
:005AC10F 56 push esi
:005AC110 57 push edi
:005AC111 EB01 jmp 005AC114
:005AC113 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC111(U)
:005AC114 833D7C005C0000 cmp dword ptr [005C007C], 00000000
:005AC11B 0F845D010000 je 005AC124                 ; actually .gdata+7Ch (the line above) need not be changed to 1; changing this is enough
:005AC121 EB01 jmp 005AC124
:005AC123 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC1A4(U)
:005AC1A7 A11C005C00 mov eax, dword ptr [005C001C] ******
:005AC1AC 33052E005C00 xor eax, dword ptr [005C002E] ******
:005AC1B2 8945D0 mov dword ptr [ebp-30], eax       ; key = 44
:005AC1B5 8B45E8 mov eax, dword ptr [ebp-18]
:005AC1B8 25FFFF0000 and eax, 0000FFFF
:005AC1BD 8B4DD0 mov ecx, dword ptr [ebp-30]
:005AC1C0 C1E910 shr ecx, 10
:005AC1C3 3BC1 cmp eax, ecx
:005AC1C5 756D jne 005AC234
:005AC1C7 EB01 jmp 005AC1CA
:005AC1C9 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC1C5(C)
:005AC234 8B45E8 mov eax, dword ptr [ebp-18]
:005AC237 25FFFF0000 and eax, 0000FFFF
:005AC23C 8B4DD0 mov ecx, dword ptr [ebp-30]
:005AC23F C1E910 shr ecx, 10
:005AC242 3BC1 cmp eax, ecx
:005AC244 7312 jnb 005AC258                        ; second check of whether the trial has expired
:005AC246 EB01 jmp 005AC249
:005AC248 E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC246(U)
:005AC249 8B45D0 mov eax, dword ptr [ebp-30]
:005AC24C A3BA025C00 mov dword ptr [005C02BA], eax
:005AC251 C745CC01000000 mov [ebp-34], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC232(U)
:005AC258 837DCC00 cmp dword ptr [ebp-34], 00000000
:005AC25C 7420 je 005AC27E
:005AC25E 8B45F4 mov eax, dword ptr [ebp-0C]
:005AC261 50 push eax
:005AC262 8B45F0 mov eax, dword ptr [ebp-10]
:005AC265 50 push eax
:005AC266 8B45EC mov eax, dword ptr [ebp-14]
:005AC269 50 push eax
:005AC26A 8B45E8 mov eax, dword ptr [ebp-18]
:005AC26D 50 push eax
:005AC26E E8E4EFFFFF call 005AB257
:005AC273 83C410 add esp, 00000010
:005AC276 85C0 test eax, eax
:005AC278 7404 je 005AC27E                         ; checks the 20-byte trial record file
:005AC27A 33C0 xor eax, eax
:005AC27C EB57 jmp 005AC2D5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC25C(C)
:005AC27E 833D7C005C0000 cmp dword ptr [005C007C], 00000000
:005AC285 7416 je 005AC29D
:005AC287 A11C005C00 mov eax, dword ptr [005C001C] ******
:005AC28C 33052E005C00 xor eax, dword ptr [005C002E] ******
:005AC292 3305BE025C00 xor eax, dword ptr [005C02BE]
:005AC298 8945FC mov dword ptr [ebp-04], eax
:005AC29B EB0D jmp 005AC2AA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005AC396(U)
:005AC399 A11C005C00 mov eax, dword ptr [005C001C] ******
:005AC39E 33052E005C00 xor eax, dword ptr [005C002E] ******
:005AC3A4 8945D0 mov dword ptr [ebp-30], eax
:005AC3A7 8B45E8 mov eax, dword ptr [ebp-18]
:005AC3AA 25FFFF0000 and eax, 0000FFFF
:005AC3AF 8B4DD0 mov ecx, dword ptr [ebp-30]
:005AC3B2 C1E910 shr ecx, 10
:005AC3B5 3BC1 cmp eax, ecx
:005AC3B7 756D jne 005AC426
:005AC3B9 EB01 jmp 005AC3BC
:005AC3BB E8 BYTE E8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:005AC30A(C), :005AC44E(C), :005AC46A(C)
:005AC473 833D7C005C0000 cmp dword ptr [005C007C], 00000000
:005AC47A 7416 je 005AC492
:005AC47C A11C005C00 mov eax, dword ptr [005C001C] ******
:005AC481 33052E005C00 xor eax, dword ptr [005C002E] ******
:005AC487 3305BE025C00 xor eax, dword ptr [005C02BE]
:005AC48D 8945FC mov dword ptr [ebp-04], eax
:005AC490 EB0D jmp 005AC49F
For the new version, NewPe1.exe can only be unpacked with the dongle attached (my current view).
This is how I obtained the old-version key 44: following 真.hp's modification, I ran the program and got a warning box (a long box full of garbage characters). I then used the crude method of trying every value from 00 to FF one by one until I reached 44; I lost count of how many times I had to press Ctrl+Alt+Del to kill the program along the way.
For the new program NewPe1.exe, changing .??+8Ch to 01 makes the warning box appear, but it has to run with the dongle inserted; without the dongle it reports "没有发现硬件狗" (hardware dongle not found). A false joy!
The DLL sub-module inside the shell module of the Rainbow dongle protection software.
The application software above also has a very old program series (still VFP). Keys are passed between the main program and the DLL files, and the DLL files have their own independent shell key (which I have not figured out). Because the VFP runtime library is encrypted, it conflicts with other VFP programs, so every single application carries its own copy of the VFP runtime files; the full suite is therefore huge, and it is no longer used (fortunately).
Supplement
⑴ After the new software enters the main interface, there are 18 more application modules that need to read the dongle. If at that point you run any NewPe1.Exe from the series again, it shows "你的软件可能感染了病毒!!!" (your software may be infected with a virus!!!) and the original program hangs whether or not the dongle is inserted (memory being shuffled around?).
⑵ I have another Rainbow dongle; after its application series auto-installed, the older RCmhdog.vxd replaced the newer RCmhdog.vxd (the presence of this file means the version is not too old). The software mentioned above then again reported "没有发现硬件狗".
Based on these two points I came up with a devious idea: kill NewPe1.Exe's "你的软件可能感染了病毒!!!" prompt (with dongle) and "没有发现硬件狗" prompt (without dongle), bundle it with the main program of the other Rainbow dongle application suite, and, on the pretext that the two suites cannot run at the same time, ask the vendor for the new software with the old shell.
That method is too underhanded and shabby. Although I built it, I never carried it out.
New software install package: 12.2M
New dongle driver: 0.5M
NewPe1+2.exe: 2.3M each
Old dongle driver: 0.2M
All of the above: 17.5M
Lite version (VFP runtime library needed separately): 2.5M
Anyone who needs it, send me your e-mail address and I'll send it right away!
Please repost and spread my article widely!
Related document: Dongle shells, shell encryption/compression, stripping dongle shells! (1) <2004/7/20>
贾洪七公
E-mail: jhqg3721@yahoo.com.cn