【Title】: Unpacking the KartRider (跑跑卡丁车) main executable: a yoda's cryptor 1.x / modified + ASProtect 1.23 RC4 - 1.3.08.24 double layer
【Author】: cxhcxh
【Author email】: cxh852456@163.com
【Author QQ】: 290019543
【Software】: 跑跑卡丁车 (KartRider)
【Download】: search for it yourself
【Packer】: yoda's cryptor 1.x / modified + ASProtect 1.23 RC4 - 1.3
【Protection】: yoda's cryptor 1.x / modified + ASProtect
【Compiler】: Microsoft Visual C++ 7.0 [Debug]
【Tools】: OD (OllyDbg)
【Platform】: XP
【Author's note】: Done purely out of interest, with no other purpose. Where I have slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
I got bored playing this game today and wanted to see how it is protected; before I knew it I had unpacked it. I am writing the process up here for your comments.
I have no other intent, this is purely an exchange. Let's get to work.
1. Identifying the packer
PEiD 0.94 reports the first layer as yoda's cryptor 1.x / modified
and the second layer as ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov *
The PEiD 0.94 plugin VERA 0.15 identifies the second layer as ASProtect 1.23 RC4 - 1.3.08.24
2. Unpacking
Load the main program KartRider.exe in OD, with every exception option ticked except memory access violations
00912060 > 60 PUSHAD
00912061 E8 00000000 CALL KartRide.00912066
00912066 5D POP EBP
00912067 81ED 0F1E4000 SUB EBP,KartRide.00401E0F
0091206D B9 57090000 MOV ECX,957
00912072 8DBD 571E4000 LEA EDI,DWORD PTR SS:[EBP+401E57]
00912078 8BF7 MOV ESI,EDI
0091207A AC LODS BYTE PTR DS:[ESI]
0091207B F8 CLC
0091207C 02C1 ADD AL,CL
0091207E EB 01 JMP SHORT KartRide.00912081
00912080 - E9 EB01C234 JMP 35532270
00912085 10EB ADC BL,CH
00912087 01E8 ADD EAX,EBP
00912089 C0C0 59 ROL AL,59 ; shift constant outside the 1..31 range
0091208C 34 22 XOR AL,22
0091208E 34 E7 XOR AL,0E7
00912090 34 32 XOR AL,32
00912092 2C D3 SUB AL,0D3
SHIFT+F9: first exception
009126B9 CD 68 INT 68
009126BB 33DB XOR EBX,EBX
009126BD 64:8F03 POP DWORD PTR FS:[EBX]
009126C0 83C4 04 ADD ESP,4
009126C3 66:81FF 9712 CMP DI,1297
009126C8 74 0E JE SHORT KartRide.009126D8
009126CA 66:81FF 7712 CMP DI,1277
009126CF 74 07 JE SHORT KartRide.009126D8
SHIFT+F9: second exception
00912745 0000 ADD BYTE PTR DS:[EAX],AL
00912747 0000 ADD BYTE PTR DS:[EAX],AL
00912749 0000 ADD BYTE PTR DS:[EAX],AL
0091274B 0000 ADD BYTE PTR DS:[EAX],AL
0091274D 0000 ADD BYTE PTR DS:[EAX],AL
0091274F 0000 ADD BYTE PTR DS:[EAX],AL
00912751 0000 ADD BYTE PTR DS:[EAX],AL
00912753 0000 ADD BYTE PTR DS:[EAX],AL
00912755 0000 ADD BYTE PTR DS:[EAX],AL
00912757 0000 ADD BYTE PTR DS:[EAX],AL
00912759 0000 ADD BYTE PTR DS:[EAX],AL
0091275B 0000 ADD BYTE PTR DS:[EAX],AL
0091275D 0000 ADD BYTE PTR DS:[EAX],AL
0091275F 0000 ADD BYTE PTR DS:[EAX],AL
00912761 0000 ADD BYTE PTR DS:[EAX],AL
Anyone who has unpacked yoda's cryptor knows that at this exception it is time to head for the OEP.
ALT+M to open the memory map
AMEMORY, 条目 23
地址=00401000
大小=0041C000 (4308992.)
属主=KartRide 00400000
区段=
包含=代码
类型=Imag 01001008
访问=RW CopyOnWr
初始访问=RWE
Set a memory breakpoint on the CODE section, SHIFT+F9, and you see ASProtect's familiar entry
00401000 68 01E08F00 PUSH KartRide.008FE001 ---------------------------- breaks here
00401005 E8 01000000 CALL KartRide.0040100B
0040100A C3 RETN
0040100B C3 RETN
0040100C 64:F6A2 79C2F32>MUL BYTE PTR FS:[EDX+2CF3C279]
00401013 02E1 ADD AH,CL
00401015 B1 A5 MOV CL,0A5
00401017 1C 09 SBB AL,9
00401019 46 INC ESI
Now apply the usual ASProtect unpacking method
SHIFT+F9 about 17 times to reach the last exception
00EF39EC 3100 XOR DWORD PTR DS:[EAX],EAX
00EF39EE 64:8F05 0000000>POP DWORD PTR FS:[0]
00EF39F5 58 POP EAX
00EF39F6 833D B07EEF00 0>CMP DWORD PTR DS:[EF7EB0],0
00EF39FD 74 14 JE SHORT 00EF3A13
00EF39FF 6A 0C PUSH 0C
00EF3A01 B9 B07EEF00 MOV ECX,0EF7EB0
00EF3A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00EF3A09 BA 04000000 MOV EDX,4
00EF3A0E E8 2DD1FFFF CALL 00EF0B40
00EF3A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00EF3A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00EF3A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00EF3A1C 8338 00 CMP DWORD PTR DS:[EAX],0
00EF3A1F 74 02 JE SHORT 00EF3A23
00EF3A21 FF30 PUSH DWORD PTR DS:[EAX]
00EF3A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00EF3A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
00EF3A29 C3 RETN -------------------------------------------- set a breakpoint here
00EF3A2A 5F POP EDI
00EF3A2B 5E POP ESI
00EF3A2C 5B POP EBX
00EF3A2D 8BE5 MOV ESP,EBP
00EF3A2F 5D POP EBP
00EF3A30 C3 RETN
00EF3A31 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
Set a breakpoint at 00ef3a29, run, it breaks, F8 to return
01294E94 8ACB MOV CL,BL ----------------------------- returns here
01294E96 E8 07000000 CALL 01294EA2
01294E9B 8300 39 ADD DWORD PTR DS:[EAX],39
01294E9E ^ 7E DF JLE SHORT 01294E7F
01294EA0 2C F5 SUB AL,0F5
01294EA2 68 18F6A70C PUSH 0CA7F618
01294EA7 68 E2A1BF6A PUSH 6ABFA1E2
01294EAC 0F84 00000000 JE 01294EB2
01294EB2 E9 14000000 JMP 01294ECB
01294EB7 5C POP ESP
01294EB8 65:3AEB CMP CH,BL ; superfluous prefix
01294EBB 48 DEC EAX
01294EBC E1 06 LOOPDE SHORT 01294EC4
01294EBE C7 ??? ; unknown command
At this point you can set a memory breakpoint on the CODE section and go straight to the OEP
ALT+M to open the memory map
AMEMORY, 条目 23
地址=00401000
大小=0041C000 (4308992.)
属主=KartRide 00400000
区段=
包含=代码
类型=Imag 01001008
访问=RW CopyOnWr
初始访问=RWE
Breaks at
006DA2EA C3 RETN
006DA2EB 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
006DA2EE 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
006DA2F5 59 POP ECX
006DA2F6 5F POP EDI
006DA2F7 5E POP ESI
006DA2F8 5B POP EBX
006DA2F9 C9 LEAVE
One F8 and you are at the pseudo-OEP; dump it with LordPE. There is obviously STOLEN CODE:
006D9FDA BF 94000000 MOV EDI,94
006D9FDF 8BC7 MOV EAX,EDI
006D9FE1 E8 2AFBFFFF CALL KartRide.006D9B10
006D9FE6 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
006D9FE9 8BF4 MOV ESI,ESP
006D9FEB 893E MOV DWORD PTR DS:[ESI],EDI
006D9FED 56 PUSH ESI
006D9FEE FF15 5CD28100 CALL DWORD PTR DS:[81D25C]
006D9FF4 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
006D9FF7 890D C0A38A00 MOV DWORD PTR DS:[8AA3C0],ECX
3. Repairing the IAT
Use ImpREC to fetch the IAT; some of the entries cannot be resolved because they are encrypted
How ASProtect 1.23 RC4 - 1.3 encrypts the IAT was thoroughly worked out by people on the forum long ago
If you are interested you can go to the encryption routine and look at its flow
In general it compares AL against 1, 2, 3, 4, 5, ... and so on
to decide which encryption method applies
You can find the encryption routine with BP GetModuleHandle+5, or set a memory access breakpoint on an entry you already know,
or search for cmp al,1 and the like once execution reaches the ASProtect layer
I am being lazy here and simply use ImpREC's trace level 1 to fix most of them
Some entries still cannot be resolved
Fix those with the ASProtect plugin; everything is then valid
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)
Target: C:\Program Files\TianCity\PopKart\M01\KartRider.exe
OEP: 002D9FCE IATRVA: 0041D000 IATSize: 000004F8
FThunk: 0041D000 NbFunc: 00000015
1 0041D000 advapi32.dll 008E CryptDestroyKey
1 0041D004 advapi32.dll 0231 SetSecurityDescriptorDacl
1 0041D008 advapi32.dll 0133 InitializeSecurityDescriptor
1 0041D00C advapi32.dll 0125 GetUserNameA
1 0041D010 advapi32.dll 01FB RegSetValueExA
1 0041D014 advapi32.dll 01EE RegQueryValueExA
1 0041D018 advapi32.dll 01CF RegCreateKeyExA
1 0041D01C advapi32.dll 01E4 RegOpenKeyExA
1 0041D020 advapi32.dll 01D4 RegDeleteValueA
1 0041D024 advapi32.dll 01DB RegEnumValueA
1 0041D028 advapi32.dll 0087 CryptAcquireContextA
1 0041D02C advapi32.dll 00A2 CryptReleaseContext
1 0041D030 advapi32.dll 01CB RegCloseKey
1 0041D034 advapi32.dll 008D CryptDestroyHash
1 0041D038 advapi32.dll 00AC CryptVerifySignatureA
1 0041D03C advapi32.dll 009F CryptHashData
1 0041D040 advapi32.dll 008A CryptCreateHash
1 0041D044 advapi32.dll 00A1 CryptImportKey
1 0041D048 advapi32.dll 008B CryptDecrypt
1 0041D04C advapi32.dll 008C CryptDeriveKey
1 0041D050 advapi32.dll 009B CryptGetHashParam
FThunk: 0041D058 NbFunc: 00000001
1 0041D058 dinput8.dll 0001 DirectInput8Create
FThunk: 0041D060 NbFunc: 00000001
1 0041D060 dsound.dll 000B DirectSoundCreate8
FThunk: 0041D068 NbFunc: 0000000E
1 0041D068 gdi32.dll 020F SelectObject
1 0041D06C gdi32.dll 0048 CreatePen
1 0041D070 gdi32.dll 01D2 MoveToEx
1 0041D074 gdi32.dll 01CE LineTo
1 0041D078 gdi32.dll 023D SetTextColor
1 0041D07C gdi32.dll 01A6 GetStockObject
1 0041D080 gdi32.dll 016C GetDeviceCaps
1 0041D084 gdi32.dll 0217 SetBkMode
1 0041D088 gdi32.dll 0216 SetBkColor
1 0041D08C gdi32.dll 002D CreateCompatibleBitmap
1 0041D090 gdi32.dll 008D DeleteDC
1 0041D094 gdi32.dll 019D GetPixel
1 0041D098 gdi32.dll 0090 DeleteObject
1 0041D09C gdi32.dll 002E CreateCompatibleDC
FThunk: 0041D0A4 NbFunc: 00000090
1 0041D0A4 kernel32.dll 0247 LoadResource
1 0041D0A8 kernel32.dll 0302 SetEvent
1 0041D0AC kernel32.dll 037B WaitForSingleObject
1 0041D0B0 kernel32.dll 0169 GetLastError
1 0041D0B4 kernel32.dll 034B Thread32Next
1 0041D0B8 kernel32.dll 034A Thread32First
1 0041D0BC kernel32.dll 0225 IsBadReadPtr
1 0041D0C0 kernel32.dll 0293 QueryPerformanceFrequency
1 0041D0C4 kernel32.dll 0292 QueryPerformanceCounter
1 0041D0C8 kernel32.dll 022B IsDebuggerPresent
1 0041D0CC kernel32.dll 0204 HeapCompact
1 0041D0D0 kernel32.dll 019C GetProcessHeaps
1 0041D0D4 kernel32.dll 01DE GetVolumeInformationA
1 0041D0D8 kernel32.dll 01E6 GetWindowsDirectoryA
1 0041D0DC kernel32.dll 0219 InterlockedCompareExchange
1 0041D0E0 kernel32.dll 0038 CompareStringA
1 0041D0E4 kernel32.dll 0176 GetModuleHandleA
1 0041D0E8 kernel32.dll 0174 GetModuleFileNameA
1 0041D0EC kernel32.dll 01B7 GetSystemDirectoryA
1 0041D0F0 kernel32.dll 02BF RestoreLastError
1 0041D0F4 kernel32.dll 0080 DeleteCriticalSection
1 0041D0F8 kernel32.dll 0216 InitializeCriticalSection
1 0041D0FC kernel32.dll 01CD GetThreadLocale
1 0041D100 kernel32.dll 0255 LockResource
1 0041D104 kernel32.dll 033E SizeofResource
1 0041D108 kernel32.dll 00F1 FreeLibrary
1 0041D10C kernel32.dll 0242 LoadLibraryA
1 0041D110 kernel32.dll 0241 LeaveCriticalSection
1 0041D114 kernel32.dll 0097 EnterCriticalSection
1 0041D118 kernel32.dll 0209 HeapFree
1 0041D11C kernel32.dll 019B GetProcessHeap
1 0041D120 kernel32.dll 016C GetLocaleInfoA
1 0041D124 kernel32.dll 00F7 GetACP
1 0041D128 kernel32.dll 021B InterlockedExchange
1 0041D12C kernel32.dll 033F Sleep
1 0041D130 kernel32.dll 01DB GetVersion
1 0041D134 kernel32.dll 01F7 GlobalMemoryStatus
1 0041D138 kernel32.dll 0264 MulDiv
1 0041D13C kernel32.dll 013D GetCurrentProcessId
1 0041D140 kernel32.dll 015C GetFileSize
1 0041D144 kernel32.dll 015E GetFileTime
1 0041D148 kernel32.dll 0032 CloseHandle
1 0041D14C kernel32.dll 0340 SleepEx
1 0041D150 kernel32.dll 01D2 GetTickCount
1 0041D154 kernel32.dll 0248 LocalAlloc
1 0041D158 kernel32.dll 024C LocalFree
1 0041D15C kernel32.dll 018B GetOEMCP
1 0041D160 kernel32.dll 01F6 GlobalLock
1 0041D164 kernel32.dll 01FD GlobalUnlock
1 0041D168 kernel32.dll 0297 RaiseException
1 0041D16C kernel32.dll 021A InterlockedDecrement
1 0041D170 kernel32.dll 0089 DeviceIoControl
1 0041D174 kernel32.dll 01EB GlobalAlloc
1 0041D178 kernel32.dll 01F2 GlobalFree
1 0041D17C kernel32.dll 0258 MapViewOfFile
1 0041D180 kernel32.dll 035B UnmapViewOfFile
1 0041D184 kernel32.dll 0341 SuspendThread
1 0041D188 kernel32.dll 0354 TryEnterCriticalSection
1 0041D18C kernel32.dll 0217 InitializeCriticalSectionAndSpinCount
1 0041D190 kernel32.dll 00C4 FileTimeToSystemTime
1 0041D194 kernel32.dll 0345 SystemTimeToTzSpecificLocalTime
1 0041D198 kernel32.dll 0203 HeapAlloc
1 0041D19C kernel32.dll 025A Module32First
1 0041D1A0 kernel32.dll 025C Module32Next
1 0041D1A4 kernel32.dll 0070 CreateToolhelp32Snapshot
1 0041D1A8 kernel32.dll 0285 Process32First
1 0041D1AC kernel32.dll 0287 Process32Next
1 0041D1B0 kernel32.dll 013F GetCurrentThreadId
1 0041D1B4 kernel32.dll 013D GetCurrentProcessId
1 0041D1B8 kernel32.dll 0333 SetUnhandledExceptionFilter
1 0041D1BC kernel32.dll 01BC GetSystemTime
1 0041D1C0 kernel32.dll 03AD lstrcpy
1 0041D1C4 kernel32.dll 0280 PeekNamedPipe
1 0041D1C8 kernel32.dll 0062 CreatePipe
1 0041D1CC kernel32.dll 0092 DuplicateHandle
1 0041D1D0 kernel32.dll 015B GetFileInformationByHandle
1 0041D1D4 kernel32.dll 00CD FindClose
1 0041D1D8 kernel32.dll 0082 DeleteFileA
1 0041D1DC kernel32.dll 01C9 GetTempPathA
1 0041D1E0 kernel32.dll 01C7 GetTempFileNameA
1 0041D1E4 kernel32.dll 0040 CopyFileA
1 0041D1E8 kernel32.dll 0243 LoadLibraryExA
1 0041D1EC kernel32.dll 03A7 lstrcmp
1 0041D1F0 kernel32.dll 0157 GetFileAttributesA
1 0041D1F4 kernel32.dll 021E InterlockedIncrement
1 0041D1F8 kernel32.dll 03B3 lstrlen
1 0041D1FC kernel32.dll 010E GetComputerNameA
1 0041D200 kernel32.dll 02B1 ReleaseMutex
1 0041D204 kernel32.dll 005D CreateMutexA
1 0041D208 kernel32.dll 0348 TerminateThread
1 0041D20C kernel32.dll 006D CreateThread
1 0041D210 kernel32.dll 0273 OpenMutexA
1 0041D214 kernel32.dll 0048 CreateDirectoryA
1 0041D218 kernel32.dll 03A4 lstrcat
1 0041D21C kernel32.dll 0050 CreateFileA
1 0041D220 kernel32.dll 026C OpenEventA
1 0041D224 kernel32.dll 004C CreateEventA
1 0041D228 kernel32.dll 0063 CreateProcessA
1 0041D22C kernel32.dll 0379 WaitForMultipleObjects
1 0041D230 kernel32.dll 0153 GetExitCodeProcess
1 0041D234 kernel32.dll 02BD ResetEvent
1 0041D238 kernel32.dll 02C0 ResumeThread
1 0041D23C kernel32.dll 016B GetLocalTime
1 0041D240 kernel32.dll 02FE SetEndOfFile
1 0041D244 kernel32.dll 02A4 ReadFile
1 0041D248 kernel32.dll 01D5 GetTimeZoneInformation
1 0041D24C kernel32.dll 0322 SetStdHandle
1 0041D250 kernel32.dll 00E7 FlushFileBuffers
1 0041D254 kernel32.dll 0222 IsBadCodePtr
1 0041D258 kernel32.dll 027C OutputDebugStringA
1 0041D25C kernel32.dll 01DC GetVersionExA
1 0041D260 kernel32.dll 0207 HeapDestroy
1 0041D264 kernel32.dll 020D HeapReAlloc
1 0041D268 kernel32.dll 020F HeapSize
1 0041D26C kernel32.dll 00B7 ExitProcess
1 0041D270 kernel32.dll 0347 TerminateProcess
1 0041D274 kernel32.dll 02C5 RtlUnwind
1 0041D278 kernel32.dll 034C TlsAlloc
1 0041D27C kernel32.dll 013E GetCurrentThread
1 0041D280 kernel32.dll 034D TlsFree
1 0041D284 kernel32.dll 034F TlsSetValue
1 0041D288 kernel32.dll 034E TlsGetValue
1 0041D28C kernel32.dll 0205 HeapCreate
1 0041D290 kernel32.dll 036E VirtualFree
1 0041D294 kernel32.dll 036B VirtualAlloc
1 0041D298 kernel32.dll 0228 IsBadWritePtr
1 0041D29C kernel32.dll 0371 VirtualProtect
1 0041D2A0 kernel32.dll 01B9 GetSystemInfo
1 0041D2A4 kernel32.dll 0373 VirtualQuery
1 0041D2A8 kernel32.dll 0234 LCMapStringA
1 0041D2AC kernel32.dll 01B0 GetStringTypeA
1 0041D2B0 kernel32.dll 038C WriteFile
1 0041D2B4 kernel32.dll 01AF GetStdHandle
1 0041D2B8 kernel32.dll 0358 UnhandledExceptionFilter
1 0041D2BC kernel32.dll 00EF FreeEnvironmentStringsA
1 0041D2C0 kernel32.dll 014E GetEnvironmentStrings
1 0041D2C4 kernel32.dll 010A GetCommandLineA
1 0041D2C8 kernel32.dll 010B GetCommandLineW
1 0041D2CC kernel32.dll 0255 LockResource
1 0041D2D0 kernel32.dll 015F GetFileType
1 0041D2D4 kernel32.dll 01AD GetStartupInfoA
1 0041D2D8 kernel32.dll 01BE GetSystemTimeAsFileTime
1 0041D2DC kernel32.dll 0307 SetFilePointer
1 0041D2E0 kernel32.dll 00B8 ExitThread
FThunk: 0041D2E8 NbFunc: 00000007
1 0041D2E8 oleaut32.dll 0009 VariantClear
1 0041D2EC oleaut32.dll 0006 SysFreeString
1 0041D2F0 oleaut32.dll 0010 SafeArrayDestroy
1 0041D2F4 oleaut32.dll 0004 SysAllocStringLen
1 0041D2F8 oleaut32.dll 0008 VariantInit
1 0041D2FC oleaut32.dll 0002 SysAllocString
1 0041D300 oleaut32.dll 000F SafeArrayCreate
FThunk: 0041D308 NbFunc: 00000003
1 0041D308 rpcrt4.dll 01E2 UuidCreate
1 0041D30C rpcrt4.dll 01EA UuidToStringA
1 0041D310 rpcrt4.dll 01D8 RpcStringFreeA
FThunk: 0041D318 NbFunc: 00000001
1 0041D318 shell32.dll 013E SHGetSpecialFolderPathW
FThunk: 0041D320 NbFunc: 00000036
1 0041D320 user32.dll 01B8 LoadCursorA
1 0041D324 user32.dll 0217 RegisterClassA
1 0041D328 user32.dll 023C SendMessageA
1 0041D32C user32.dll 0218 RegisterClassExA
1 0041D330 user32.dll 015E GetSystemMetrics
1 0041D334 user32.dll 0061 CreateWindowExA
1 0041D338 user32.dll 0284 SetWindowPos
1 0041D33C user32.dll 00A2 DispatchMessageA
1 0041D340 user32.dll 027B SetTimer
1 0041D344 user32.dll 008F DefWindowProcA
1 0041D348 user32.dll 01B3 KillTimer
1 0041D34C user32.dll 02D7 keybd_event
1 0041D350 user32.dll 02BC UpdateWindow
1 0041D354 user32.dll 02AB TranslateMessage
1 0041D358 user32.dll 0293 ShowWindow
1 0041D35C user32.dll 009A DestroyWindow
1 0041D360 user32.dll 028F ShowCursor
1 0041D364 user32.dll 0122 GetKeyState
1 0041D368 user32.dll 01F4 OpenClipboard
1 0041D36C user32.dll 0123 GetKeyboardLayout
1 0041D370 user32.dll 00C2 EmptyClipboard
1 0041D374 user32.dll 024B SetClipboardData
1 0041D378 user32.dll 02D9 wsprintfA
1 0041D37C user32.dll 010F GetDesktopWindow
1 0041D380 user32.dll 0043 CloseClipboard
1 0041D384 user32.dll 013B GetMessageA
1 0041D388 user32.dll 0110 GetDialogBaseUnits
1 0041D38C user32.dll 01EA MoveWindow
1 0041D390 user32.dll 00DC EnumThreadWindows
1 0041D394 user32.dll 00C7 EndDialog
1 0041D398 user32.dll 001B CallNextHookEx
1 0041D39C user32.dll 02AF UnhookWindowsHookEx
1 0041D3A0 user32.dll 0194 InvalidateRect
1 0041D3A4 user32.dll 0216 RedrawWindow
1 0041D3A8 user32.dll 004B CopyRect
1 0041D3AC user32.dll 01AC IsWindow
1 0041D3B0 user32.dll 00F3 GetAsyncKeyState
1 0041D3B4 user32.dll 010C GetCursorPos
1 0041D3B8 user32.dll 0232 ScreenToClient
1 0041D3BC user32.dll 0112 GetDlgItem
1 0041D3C0 user32.dll 000E BeginPaint
1 0041D3C4 user32.dll 00C9 EndPaint
1 0041D3C8 user32.dll 0100 GetClientRect
1 0041D3CC user32.dll 01B0 IsWindowVisible
1 0041D3D0 user32.dll 026D SetRect
1 0041D3D4 user32.dll 010D GetDC
1 0041D3D8 user32.dll 015B GetSysColor
1 0041D3DC user32.dll 0257 SetFocus
1 0041D3E0 user32.dll 022B ReleaseDC
1 0041D3E4 user32.dll 0202 PostQuitMessage
1 0041D3E8 user32.dll 024E SetCursor
1 0041D3EC user32.dll 0178 GetWindowTextA
1 0041D3F0 user32.dll 0002 AdjustWindowRect
1 0041D3F4 user32.dll 0175 GetWindowRect
FThunk: 0041D3FC NbFunc: 00000010
1 0041D3FC wininet.dll 0110 InternetReadFile
1 0041D400 wininet.dll 00CF HttpSendRequestA
1 0041D404 wininet.dll 00CD HttpQueryInfoA
1 0041D408 wininet.dll 0108 InternetOpenA
1 0041D40C wininet.dll 00E5 InternetConnectA
1 0041D410 wininet.dll 0118 InternetSetCookieW
1 0041D414 wininet.dll 010B InternetOpenW
1 0041D418 wininet.dll 00DF InternetCloseHandle
1 0041D41C wininet.dll 00D2 HttpSendRequestW
1 0041D420 wininet.dll 00CC HttpOpenRequestW
1 0041D424 wininet.dll 00E6 InternetConnectW
1 0041D428 wininet.dll 010A InternetOpenUrlW
1 0041D42C wininet.dll 010C InternetQueryDataAvailable
1 0041D430 wininet.dll 00CE HttpQueryInfoW
1 0041D434 wininet.dll 0125 InternetSetStatusCallbackW
1 0041D438 wininet.dll 00CB HttpOpenRequestA
FThunk: 0041D440 NbFunc: 00000003
1 0041D440 winmm.dll 00A3 timeEndPeriod
1 0041D444 winmm.dll 00A2 timeBeginPeriod
1 0041D448 winmm.dll 00A6 timeGetTime
FThunk: 0041D450 NbFunc: 00000015
1 0041D450 ws2_32.dll 004E WSASendTo
1 0041D454 ws2_32.dll 0009 htons
1 0041D458 ws2_32.dll 0009 htons
1 0041D45C ws2_32.dll 0006 getsockname
1 0041D460 ws2_32.dll 0049 WSARecvFrom
1 0041D464 ws2_32.dll 003C WSAIoctl
1 0041D468 ws2_32.dll 0002 bind
1 0041D46C ws2_32.dll 000B inet_addr
1 0041D470 ws2_32.dll 0034 gethostbyname
1 0041D474 ws2_32.dll 0005 getpeername
1 0041D478 ws2_32.dll 0073 WSAStartup
1 0041D47C ws2_32.dll 0047 WSARecv
1 0041D480 ws2_32.dll 0016 shutdown
1 0041D484 ws2_32.dll 0053 WSASocketW
1 0041D488 ws2_32.dll 0015 setsockopt
1 0041D48C ws2_32.dll 0013 send
1 0041D490 ws2_32.dll 004C WSASend
1 0041D494 ws2_32.dll 0003 closesocket
1 0041D498 ws2_32.dll 006F WSAGetLastError
1 0041D49C ws2_32.dll 0004 connect
1 0041D4A0 ws2_32.dll 0074 WSACleanup
FThunk: 0041D4A8 NbFunc: 00000001
1 0041D4A8 d3d9.dll 000E Direct3DCreate9
FThunk: 0041D4B0 NbFunc: 00000001
1 0041D4B0 d3dx9_27.dll 0084 D3DXFilterTexture
FThunk: 0041D4B8 NbFunc: 00000001
1 0041D4B8 dbghelp.dll 001C MiniDumpWriteDump
FThunk: 0041D4C0 NbFunc: 00000002
1 0041D4C0 iphlpapi.dll 001D GetBestInterface
1 0041D4C4 iphlpapi.dll 001C GetAdaptersInfo
FThunk: 0041D4CC NbFunc: 00000004
1 0041D4CC nxparam_w.dll 0001 ??0NXParam@@QAE@XZ
1 0041D4D0 nxparam_w.dll 0002 ??1NXParam@@QAE@XZ
1 0041D4D4 nxparam_w.dll 0018 ?SetParam_U32@NXParam@@QAEHPB_WI@Z
1 0041D4D8 nxparam_w.dll 000F ?GetTokenW@NXParam@@QAEHPA_W@Z
FThunk: 0041D4E0 NbFunc: 00000005
1 0041D4E0 ole32.dll 006A CoUninitialize
1 0041D4E4 ole32.dll 0012 CoCreateInstance
1 0041D4E8 ole32.dll 0115 OleUninitialize
1 0041D4EC ole32.dll 00FE OleInitialize
1 0041D4F0 ole32.dll 003D CoInitializeEx
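An added example, not from the original post or from ImpREC itself: a small Python parser for the ImpREC tree file listed above, with a consistency check a practitioner would want before trusting a rebuilt import table. It checks that each FThunk block really has NbFunc entries, that slots are contiguous DWORDs, that every block plus its NULL terminator fits inside IATRVA..IATRVA+IATSize, and that no entry still carries an unresolved flag (0, 2 or 4 in ImpREC's own header comment). The first sample is four complete thunks copied from the tree above; the second sample is a constructed, deliberately broken thunk (its NbFunc, the flag-0 line and the address 012A5E40 are made up for the example). Paths, RVAs and the image base 00400000 are taken from the page.

```python
# Added example (not from the original post): parse an ImpREC "tree" file and
# sanity-check it before trusting the rebuilt import table.
import re
from dataclasses import dataclass, field

@dataclass
class Entry:
    flag: int       # 0/2/4 = unresolved, 1/3/5 = resolved (ImpREC header comment)
    rva: int        # RVA of the 4-byte IAT slot
    module: str     # '?' when unresolved
    ordinal: int
    name: str       # empty for import-by-ordinal; raw address text when unresolved

@dataclass
class Thunk:
    rva: int        # FThunk: first slot of this module's block
    nb_func: int    # NbFunc: number of slots ImpREC claims follow
    entries: list = field(default_factory=list)

HEX = r'([0-9A-Fa-f]+)'

def parse_tree(text):
    """Return (header dict, list of Thunk) for ImpREC tree text (tabs or spaces)."""
    header, thunks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):          # blank or ImpREC comment
            continue
        if line.startswith('Target:'):
            header['target'] = line[len('Target:'):].strip()
            continue
        m = re.match(r'OEP:\s*' + HEX + r'\s+IATRVA:\s*' + HEX + r'\s+IATSize:\s*' + HEX, line)
        if m:
            header['oep'], header['iat_rva'], header['iat_size'] = (int(x, 16) for x in m.groups())
            continue
        m = re.match(r'FThunk:\s*' + HEX + r'\s+NbFunc:\s*' + HEX, line)
        if m:
            thunks.append(Thunk(int(m.group(1), 16), int(m.group(2), 16)))
            continue
        parts = line.split(None, 4)                    # flag, RVA, module, ordinal[, name]
        if len(parts) < 4 or not thunks:
            raise ValueError(f'unrecognised line: {raw!r}')
        flag, rva, module, ordinal = parts[:4]
        name = parts[4] if len(parts) == 5 else ''
        thunks[-1].entries.append(Entry(int(flag), int(rva, 16), module, int(ordinal, 16), name))
    return header, thunks

def check_tree(header, thunks):
    """Return a list of problem strings; an empty list means the tree is self-consistent."""
    problems = []
    iat_end = header['iat_rva'] + header['iat_size']
    prev_end = header['iat_rva']                      # end of the previous block (incl. terminator)
    for t in thunks:
        if len(t.entries) != t.nb_func:
            problems.append(f'FThunk {t.rva:08X}: NbFunc={t.nb_func} but {len(t.entries)} entries listed')
        if t.rva < prev_end:
            problems.append(f'FThunk {t.rva:08X}: starts before the previous block ends ({prev_end:08X})')
        for i, e in enumerate(t.entries):
            if e.rva != t.rva + 4 * i:
                problems.append(f'slot {e.rva:08X}: expected {t.rva + 4 * i:08X} (slots are contiguous DWORDs)')
            if e.flag in (0, 2, 4):
                problems.append(f'slot {e.rva:08X}: unresolved (flag {e.flag}), raw value {e.name}')
            elif e.flag not in (1, 3, 5):
                problems.append(f'slot {e.rva:08X}: unknown flag {e.flag}')
            elif e.module == '?':
                problems.append(f'slot {e.rva:08X}: marked valid but module is "?"')
        # each block is followed by one NULL terminator DWORD that must also lie inside the IAT
        prev_end = t.rva + 4 * (len(t.entries) + 1)
        if prev_end > iat_end:
            problems.append(f'FThunk {t.rva:08X}: block plus terminator runs past IAT end {iat_end:08X}')
    return problems

def oep_va(header, image_base=0x00400000):
    """OEP as a virtual address (the post's 002D9FCE RVA is 006D9FCE in the debugger)."""
    return image_base + header['oep']

# Four complete thunks copied from the tree in the post.
GOOD_TREE = r"""
; comment lines are ignored
Target: C:\Program Files\TianCity\PopKart\M01\KartRider.exe
OEP: 002D9FCE IATRVA: 0041D000 IATSize: 000004F8
FThunk: 0041D058 NbFunc: 00000001
1 0041D058 dinput8.dll 0001 DirectInput8Create
FThunk: 0041D060 NbFunc: 00000001
1 0041D060 dsound.dll 000B DirectSoundCreate8
FThunk: 0041D440 NbFunc: 00000003
1 0041D440 winmm.dll 00A3 timeEndPeriod
1 0041D444 winmm.dll 00A2 timeBeginPeriod
1 0041D448 winmm.dll 00A6 timeGetTime
FThunk: 0041D4A8 NbFunc: 00000001
1 0041D4A8 d3d9.dll 000E Direct3DCreate9
"""

# Constructed broken sample: wrong NbFunc and one slot still unresolved (flag 0).
BAD_TREE = r"""
OEP: 002D9FCE IATRVA: 0041D000 IATSize: 000004F8
FThunk: 0041D4B0 NbFunc: 00000003
1 0041D4B0 d3dx9_27.dll 0084 D3DXFilterTexture
0 0041D4B4 ? 0000 012A5E40
"""

if __name__ == '__main__':
    for label, text in (('good', GOOD_TREE), ('bad', BAD_TREE)):
        hdr, thunks = parse_tree(text)
        print(label, f'OEP VA {oep_va(hdr):08X}', check_tree(hdr, thunks) or 'OK')
```

Running it prints OK for the copied thunks and two findings for the constructed one (the NbFunc mismatch and the unresolved slot); a non-empty list is the cue to go back to ImpREC's trace or the ASProtect plugin before saving the dump.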
4. Repairing the STOLEN CODE
When the last exception returns to 01294E94, we can F7 step by step and find the stolen code
Found:
012950CE 0BDD OR EBX,EBP
012950D0 5B POP EBX
012950D1 6A 60 PUSH 60 --------------------- first stolen-code instruction
012950D3 68 B0458400 PUSH 8445B0 ---------------- second instruction
012950D8 3E:EB 02 JMP SHORT 012950DD
012950DB CD 20 INT 20
012950DD EB 02 JMP SHORT 012950E1
012950DF CD 20 INT 20
012950E1 66:812D EA50290>SUB WORD PTR DS:[12950EA],7E8B
012950EA 7E 6A JLE SHORT 01295156
012950EC 02CD ADD CL,CH
012950EE 2051 6A AND BYTE PTR DS:[ECX+6A],DL
Patch these two instructions in at 006D9FCE, dump with LordPE and save as DUMP.EXE
Fix it once more with ImpREC, entering 002D9FCE as the OEP, and save as DUMP1.EXE
Run it: everything works. Done.
--------------------------------------------------------------------------------
【Lessons learned】
........
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 (PEDIY) forum. When reposting, please credit the author and keep the article intact. Thank you!
10 December 2006, 03:56:57 PM