Using the shell to unpack the shell -- ASProtect 1.23 RC4 [System Cleaner v4.91]
[Cracker] hmimys
[Author's email] hmimys@163.com
[Software] System Cleaner v4.91
[Protection] ASProtect 1.23 RC4 - 1.3.08.24
[Description] Provides three simple and effective ways to slim down your disk. Cleaning runs quickly, and if there is a file you do not want cleaned you can set System Cleaner 2000 to move it to a holding directory first, or to ZIP it up. It also has a scheduler, so you can set a time for a big clean-up or clean your hard disk at regular intervals.
[Author's note]: Done purely out of interest, for no other purpose. If I have made mistakes, I welcome corrections from the experts!
[Debugging environment]: WinXP+SP1, hmimyOD, PEiD, LordPE, AsprDbgr, ImportREC 1.6
===========================================================================================================
[Unpacking process]:
1. Pre-Dip\Dump and region dump
The usual routine: use the IsDebug 1.4 plugin to remove Ollydbg's debugger flag.
Set Ollydbg to ignore every exception option except "memory access exception".
Code:
-------------------------------------------------------------------------------------------------------------
00401000 > 68 01B05F00     PUSH 5FB001               \\ OD lands here after loading
00401005   E8 01000000     CALL 0040100B             ; SystemCl.0040100B
0040100A   C3              RETN
0040100B   C3              RETN
0040100C   0F39            ???                       ; unknown command
-------------------------------------------------------------------------------------------------------------
Shift+F9 through the exceptions until the hard-disk fingerprint shows up in the stack for the second time:
Code:
-------------------------------------------------------------------------------------------------------------
017F46E5 3100            XOR [EAX], EAX
017F46E7 EB 01           JMP SHORT 017F46EA
017F46E9 68 648F0500     PUSH 58F64
017F46EE 0000            ADD [EAX], AL
017F46F0 00EB            ADD BL, CH
017F46F2 02E8            ADD CH, AL
017F46F4 0158 A1         ADD [EAX-5F], EBX
017F46F7 B4 64           MOV AH, 64
017F46F9 7F 01           JG SHORT 017F46FC
017F46FB 8038 00         CMP BYTE PTR [EAX], 0
017F46FE 0F84 63010000   JE 017F4867
017F4704 33C0            XOR EAX, EAX
017F4706 55              PUSH EBP
017F4707 68 65477F01     PUSH 17F4765
017F470C 64:FF30         PUSH DWORD PTR FS:[EAX]
-------------------------------------------------------------------------------------------------------------
Code:
-------------------------------------------------------------------------------------------------------------
0012FF3C 0012FF44        Pointer to next SEH record
0012FF40 017F469C        SE handler
0012FF44 0012FFE0        Pointer to next SEH record
0012FF48 017F4C89        SE handler
0012FF4C 0012FF90
0012FF50 017E0000
0012FF54 017C0000
0012FF58 017F4178
0012FF5C 01811118        ASCII "wrpj/ABwEfQ="      hard-disk fingerprint
0012FF60 00000001
-------------------------------------------------------------------------------------------------------------
Alt+M opens the memory map; set a memory-access breakpoint there and run with Shift+F9.
Code:
-------------------------------------------------------------------------------------------------------------
00563EB0 55              PUSH EBP                  \\ breaks here; remove the memory breakpoint
00563EB1 8BEC            MOV EBP, ESP
00563EB3 A1 2CD75600     MOV EAX, [56D72C]         \\ F4 to this line; [56D72C]=00566578, write this value down
00563EB8 8B55 08         MOV EDX, [EBP+8]
00563EBB 8910            MOV [EAX], EDX
00563EBD 5D              POP EBP
00563EBE C2 0400         RETN 4
00563EC1 8D40 00         LEA EAX, [EAX]
00563EC4 55              PUSH EBP
00563EC5 8BEC            MOV EBP, ESP
00563EC7 A1 6CD25600     MOV EAX, [56D26C]
00563ECC 8B55 08         MOV EDX, [EBP+8]
00563ECF 8910            MOV [EAX], EDX
00563ED1 A1 44D85600     MOV EAX, [56D844]
00563ED6 8B55 0C         MOV EDX, [EBP+C]
00563ED9 8910            MOV [EAX], EDX
00563EDB 5D              POP EBP
00563EDC C2 0800         RETN 8
-------------------------------------------------------------------------------------------------------------
Remove the memory breakpoint and keep running with Shift+F9. We arrive at ASProtect's last typical exception.
Code:
-------------------------------------------------------------------------------------------------------------
017F3A2C 3100            XOR [EAX], EAX            \\ this is the place; the code is very distinctive!
017F3A2E 64:8F05 0000000> POP DWORD PTR FS:[0]
017F3A35 58              POP EAX
017F3A36 833D B07E7F01 0> CMP DWORD PTR [17F7EB0], 0
017F3A3D 74 14           JE SHORT 017F3A53
017F3A3F 6A 0C           PUSH 0C
017F3A41 B9 B07E7F01     MOV ECX, 17F7EB0
017F3A46 8D45 F8         LEA EAX, [EBP-8]
017F3A49 BA 04000000     MOV EDX, 4
017F3A4E E8 EDD0FFFF     CALL 017F0B40
017F3A53 FF75 FC         PUSH DWORD PTR [EBP-4]
017F3A56 FF75 F8         PUSH DWORD PTR [EBP-8]
017F3A59 8B45 F4         MOV EAX, [EBP-C]
017F3A5C 8338 00         CMP DWORD PTR [EAX], 0
017F3A5F 74 02           JE SHORT 017F3A63
017F3A61 FF30            PUSH DWORD PTR [EAX]
017F3A63 FF75 F0         PUSH DWORD PTR [EBP-10]
017F3A66 FF75 EC         PUSH DWORD PTR [EBP-14]
017F3A69 C3              RETN                      \\ F2 to set a breakpoint here
-------------------------------------------------------------------------------------------------------------
Shift+F9 breaks at the breakpoint we just set. Now look at the stack!
Code:
-------------------------------------------------------------------------------------------------------------
0012FF5C 01809510
0012FF60 00400000        ASCII "MZP"
0012FF64 3F17F5E4
0012FF68 0012FFA4        \\ note this line, the value at 0012FF68!
-------------------------------------------------------------------------------------------------------------
Type HR 0012FF68 in the command bar and run with F9.
Code:
-------------------------------------------------------------------------------------------------------------
0180C0EC /EB 44          JMP SHORT 0180C132        \\ breaks here
0180C0EE |EB 01          JMP SHORT 0180C0F1
0180C0F0 |9A 51579CFC BF0> CALL FAR 00BF:FC9C5751
0180C0F7 |0000           ADD [EAX], AL
0180C0F9 |00B9 00000000  ADD [ECX], BH
0180C0FF |F3:AA          REP STOS BYTE PTR ES:[EDI]
0180C101 |9D             POPFD
0180C102 |5F             POP EDI
0180C103 |59             POP ECX
0180C104 |C3             RETN
-------------------------------------------------------------------------------------------------------------
Delete the hardware breakpoint and press F7 once!
Code:
-------------------------------------------------------------------------------------------------------------
0180C132 03C3            ADD EAX, EBX              \\ we land here ; SystemCl.00400000
0180C134 BB CC050000     MOV EBX, 5CC              \\ note this; it is needed for the repair later
0180C139 0BDB            OR EBX, EBX
0180C13B 75 07           JNZ SHORT 0180C144
0180C13D 894424 1C       MOV [ESP+1C], EAX
0180C141 61              POPAD
0180C142 50              PUSH EAX
0180C143 C3              RETN
0180C144 E8 00000000     CALL 0180C149             \\ remember the address of this CALL; it is needed for the repair
0180C149 5D              POP EBP
0180C14A 81ED 49E14B00   SUB EBP, 4BE149
0180C150 8D85 EEE04B00   LEA EAX, [EBP+4BE0EE]
0180C156 8D8D 90E14B00   LEA ECX, [EBP+4BE190]
0180C15C 03CB            ADD ECX, EBX
0180C15E 8941 01         MOV [ECX+1], EAX
0180C161 8D85 32E14B00   LEA EAX, [EBP+4BE132]
0180C167 8D8D F6E04B00   LEA ECX, [EBP+4BE0F6]
0180C16D 8901            MOV [ECX], EAX
0180C16F B8 5E140000     MOV EAX, 145E
0180C174 8D8D FBE04B00   LEA ECX, [EBP+4BE0FB]
0180C17A 8901            MOV [ECX], EAX
0180C17C 8D8D 90E14B00   LEA ECX, [EBP+4BE190]
0180C182 8D85 90F34B00   LEA EAX, [EBP+4BF390]
0180C188 51              PUSH ECX
0180C189 50              PUSH EAX
0180C18A E8 76FFFFFF     CALL 0180C105
-------------------------------------------------------------------------------------------------------------
Remember 00566578? Don't tell me you forgot. Enter the command DD 00566578:
00566578 017E3861 ----> points to the registration name; change it to 00566808
0056657C 0000001E ----> points to the days used; change it to FFFFFFFF
00566580 0000001E ----> points to the days remaining; change it to FFFFFFFF
Find some empty space (I chose 00566808) and write "Cracked by hmimys" there.
After F7 the program jumps here. At this point the program code is already decrypted, so use LordPE to correct the file size and dump the whole program.
Next do a region dump: address=0180C000, size=00008000, i.e. dump the part of the shell's code that handles the section above.
At this point we have the ASProtect 1.23 RC4 shell unpacked.
Now let's "assemble" dumped.exe. Open dumped.exe in LordPE, then load the region dump just taken,
Region0180C000-01814000.dmp,
from disk as a section and change its VOffset to 0140C000 (0180C000-00400000=0140C000).
Keep only LordPE's "Validate PE" option and finally rebuild the PE.
3. Fixing the import table with AsprDbgr
Now we go on to repair the IAT; with AsprDbgr the import table is fairly simple. Start AsprDbgr, load the still-packed program, and keep pressing OK until the target program starts.
Code:
-------------------------------------------------------------------------------------------------------------
AsprDbgr v1.0beta (:P) Made by me... Manko.
iEP=401000 (C:\Program Files\System Cleaner 2001\SystemCleaner.exe)
IAT Start: 57221C
End: 572BA0
Length: 984
IATentry 572244 = 17F1CCC resolved as GetVersion
IATentry 57227C = 17F17E4 resolved as GetProcAddress
IATentry 572280 = 17F1CA4 resolved as GetModuleHandleA
IATentry 572294 = 17F1D18 resolved as GetCommandLineA
IATentry 57232C = 17F1CA4 resolved as GetModuleHandleA
IATentry 5723F4 = 17F1D08 resolved as LockResource
IATentry 572444 = 17F1CCC resolved as GetVersion
IATentry 572474 = 17F17E4 resolved as GetProcAddress
IATentry 572480 = 17F1CA4 resolved as GetModuleHandleA
IATentry 5724C8 = 17F1D00 resolved as GetCurrentProcessId
IATentry 5724CC = 17F1CF8 resolved as GetCurrentProcess
IATentry 5724D8 = 17F1D30 resolved as FreeResource
26 invalid entries erased.
Dip-Table at adress: 17F7AB4
0 563EB0 0 0 563EC4 0 0 563EE0 5642D8 56430C 0 0 0 0
Last SEH passed. (17F3A2E) Searching for signatures. Singlestepping to OEP!
Call + OEP-jump-setup at: 180C144 ( Code: E8000000 5D81ED )
Mutated, stolen bytes at: 180C190 ( Code: 26EB01F2 F2EB01F3 )
Erase of stolen bytes at: 180C0F3 ( Code: 9CFCBF32 C18001B9 )
Repz ... found. Skipping erase of stolen bytes.
;)
possible (temp)OEP: 407278 (Reached from preOEP: 180C104)
Sugested tempOEP at: 564A5F
-------------------------------------------------------------------------------------------------------------
Start ImportREC: OEP 0140C000, RVA 0017221C, size 984. Search the IAT; every entry found is valid. Fix the dump file, and the IAT repair is done.
4. Using the shell to unpack the shell: an easy solution for the stolen code
Finally, load the unpacked and repaired program in OD. The OEP is now 0180C000; change its entry code to:
Code:
-------------------------------------------------------------------------------------------------------------
0180C000 BB CC050000     MOV EBX, 5CC
0180C005 E9 3A010000     JMP 0180C144
-------------------------------------------------------------------------------------------------------------
This way the original shell's own code is used to handle the stolen code. Save, and the program runs.
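An added check (not part of the original write-up) for the two numbers the assembly and entry-stub steps above depend on: the VOffset/size of the region dump section, and the encoded bytes of the MOV EBX / JMP stub, decoded back to confirm the jump really lands on the shell's CALL at 0180C144. It assumes the OllyDbg region-dump file name pattern and the 00400000 image base shown in the listings.

```python
import re
import struct

IMAGE_BASE = 0x00400000  # image base of SystemCleaner.exe, as seen in the OD listing (SystemCl.00400000)


def region_section(dump_name: str, image_base: int = IMAGE_BASE):
    """Parse an OllyDbg region-dump name such as Region0180C000-01814000.dmp and
    return (VOffset, VSize) for the section added in LordPE: VOffset is the region
    start minus the image base, VSize is the region length."""
    m = re.fullmatch(r"Region([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})\.dmp", dump_name)
    if not m:
        raise ValueError("not an OllyDbg region dump name: " + dump_name)
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start or start < image_base:
        raise ValueError("region must lie above the image base")
    return start - image_base, end - start


def encode_oep_stub(stub_va: int, ebx_value: int, target_va: int) -> bytes:
    """Encode 'MOV EBX, imm32 ; JMP rel32', the two-instruction entry stub that hands
    control back to the packer's own stolen-code handler at target_va."""
    mov = b"\xBB" + struct.pack("<I", ebx_value)          # BB imm32
    next_ip = stub_va + len(mov) + 5                       # E9 rel32 is relative to the next instruction
    rel = target_va - next_ip
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return mov + b"\xE9" + struct.pack("<i", rel)


def decode_oep_stub(stub: bytes, stub_va: int):
    """Decode the stub back into (ebx_value, jmp_target) so a patch can be verified
    against the disassembly before it is written into the dump."""
    if len(stub) != 10 or stub[0] != 0xBB or stub[5] != 0xE9:
        raise ValueError("unexpected stub shape")
    ebx = struct.unpack_from("<I", stub, 1)[0]
    rel = struct.unpack_from("<i", stub, 6)[0]
    return ebx, (stub_va + 10 + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    voffset, vsize = region_section("Region0180C000-01814000.dmp")
    print("section VOffset=%08X VSize=%08X" % (voffset, vsize))
    stub = encode_oep_stub(0x0180C000, 0x5CC, 0x0180C144)
    print("entry stub:", stub.hex().upper(), "->", decode_oep_stub(stub, 0x0180C000))
```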
Thanks Fly, Forgot, loveboom, jwh51, lordor, temerata, David, all of my friends, and you!