【文章标题】: RemObject SDK 4.0.13.527主程序脱壳+破解
【文章作者】: Arwin
【作者邮箱】: [email]arwin.c@gmail.com[/email]
【作者主页】: http://hi.baidu.com/arwin
【软件名称】: RemObject SDK 4.0.13.527
【下载地址】: http://www.remobjects.com/
【保护方式】: 未知
【使用工具】: OD,LordPE, ImportREC
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
参考刹那恍惚高手的教程,高手路过,不到之处还请多多指教,以下是脱壳的单步跟踪记录,可参考。
0054C20C ROServic.> 55 push ebp ; 程序入口
0054C20D 8BEC mov ebp,esp
0054C20F B9 0E000000 mov ecx,0E
0054C214 6A 00 push 0
0054C216 6A 00 push 0
0054C218 49 dec ecx
0054C219 ^ 75 F9 jnz short ROServic.0054C214
0054C21B 51 push ecx
0054C21C 53 push ebx
0054C21D 56 push esi
因为程序有时间校验,下断点BP GetLocalTime,然后Shift+F9运行,断下后清除断点,Alt+F9返回
7C82F32B kern> 8BFF mov edi,edi ; 断到这里,清除断点,ALT+F9返回
7C82F32D 55 push ebp
7C82F32E 8BEC mov ebp,esp
7C82F330 83EC 18 sub esp,18
7C82F333 A1 3CB0887C mov eax,dword ptr ds:[7C88B03C]
7C82F338 83B8 BC1A0000 FF cmp dword ptr ds:[eax+1ABC],-1
7C82F33F 8D90 B01A0000 lea edx,dword ptr ds:[eax+1AB0]
7C82F345 75 05 jnz short kernel32.7C82F34C
7C82F347 BA 2000FE7F mov edx,7FFE0020
7C82F34C A1 1800FE7F mov eax,dword ptr ds:[7FFE0018]
0054187F 50 push eax
00541880 E8 8FE0FFFF call <jmp.&kernel32.GetLocalTime>
00541885 66:8B4C24 0E mov cx,word ptr ss:[esp+E] ; 返回到这里,F8往下
0054188A 66:8B5424 0A mov dx,word ptr ss:[esp+A]
0054188F 66:8B4424 08 mov ax,word ptr ss:[esp+8]
00541894 E8 6BFFFFFF call ROServic.00541804
00541899 DD5C24 18 fstp qword ptr ss:[esp+18]
0054189D 9B wait
0054189E 66:8B4424 16 mov ax,word ptr ss:[esp+16]
005418A3 50 push eax
005418A4 66:8B4C24 18 mov cx,word ptr ss:[esp+18]
005418A9 66:8B5424 16 mov dx,word ptr ss:[esp+16]
005418AE 66:8B4424 14 mov ax,word ptr ss:[esp+14]
005418B3 E8 D0FDFFFF call ROServic.00541688
005418B8 DC4424 18 fadd qword ptr ss:[esp+18]
005418BC DD1C24 fstp qword ptr ss:[esp]
005418BF 9B wait
005418C0 DD0424 fld qword ptr ss:[esp]
005418C3 83C4 20 add esp,20
005418C6 C3 retn ; 到这里返回到 0054C5F4
005418C7 90 nop
005418C8 53 push ebx
0054C5EF E8 8452FFFF call ROServic.00541878
0054C5F4 E8 3B02FFFF call ROServic.0053C834 ; 到这里,继续F8
0054C5F9 8945 B4 mov dword ptr ss:[ebp-4C],eax
0054C5FC 8955 B8 mov dword ptr ss:[ebp-48],edx
0054C5FF DF6D B4 fild qword ptr ss:[ebp-4C]
0054C602 DD1D 18105500 fstp qword ptr ds:[551018]
0054C608 9B wait
0054C609 DD05 200A5500 fld qword ptr ds:[550A20]
0054C60F E8 2002FFFF call ROServic.0053C834
0054C614 8945 B4 mov dword ptr ss:[ebp-4C],eax
0054C617 8955 B8 mov dword ptr ss:[ebp-48],edx
0054C61A DF6D B4 fild qword ptr ss:[ebp-4C]
0054C61D DD1D 20105500 fstp qword ptr ds:[551020]
0054C623 9B wait
0054C624 DD05 20105500 fld qword ptr ds:[551020]
0054C62A D81D 54CF5400 fcomp dword ptr ds:[54CF54]
0054C630 DFE0 fstsw ax
0054C632 9E sahf
0054C633 75 18 jnz short ROServic.0054C64D
0054C635 8B05 18105500 mov eax,dword ptr ds:[551018]
0054C63B 8905 20105500 mov dword ptr ds:[551020],eax
0054C641 8B05 1C105500 mov eax,dword ptr ds:[55101C]
0054C647 8905 24105500 mov dword ptr ds:[551024],eax
0054C64D E8 86DEFFFF call ROServic.0054A4D8
0054C652 DD05 20105500 fld qword ptr ds:[551020]
0054C658 DC1D 18105500 fcomp qword ptr ds:[551018]
0054C65E DFE0 fstsw ax
0054C660 9E sahf
0054C661 77 30 ja short ROServic.0054C693
0054C663 8B05 18105500 mov eax,dword ptr ds:[551018]
0054C669 8905 200A5500 mov dword ptr ds:[550A20],eax
0054C66F 8B05 1C105500 mov eax,dword ptr ds:[55101C]
0054C675 8905 240A5500 mov dword ptr ds:[550A24],eax
0054C67B C705 C4065500 FFF>mov dword ptr ds:[5506C4],-1
0054C685 C705 C8065500 FFF>mov dword ptr ds:[5506C8],-1
0054C68F 33DB xor ebx,ebx
0054C691 EB 28 jmp short ROServic.0054C6BB
0054C693 8B05 200A5500 mov eax,dword ptr ds:[550A20]
0054C699 8905 18105500 mov dword ptr ds:[551018],eax
0054C69F 8B05 240A5500 mov eax,dword ptr ds:[550A24]
0054C6A5 8905 1C105500 mov dword ptr ds:[55101C],eax
0054C6AB 33C0 xor eax,eax
0054C6AD A3 C4065500 mov dword ptr ds:[5506C4],eax
0054C6B2 33C0 xor eax,eax
0054C6B4 A3 C8065500 mov dword ptr ds:[5506C8],eax
0054C6B9 B3 01 mov bl,1
0054C6BB A1 C4F75400 mov eax,dword ptr ds:[54F7C4]
0054C6C0 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C6C6 74 5A je short ROServic.0054C722 ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C6C8 DD05 F0065500 fld qword ptr ds:[5506F0]
0054C6CE D81D 54CF5400 fcomp dword ptr ds:[54CF54]
0054C6D4 DFE0 fstsw ax
0054C71D A3 C4065500 mov dword ptr ds:[5506C4],eax
0054C722 A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C727 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C72D 0F84 89000000 je ROServic.0054C7BC ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C733 DD05 F8065500 fld qword ptr ds:[5506F8]
0054C739 D81D 54CF5400 fcomp dword ptr ds:[54CF54]
0054C73F DFE0 fstsw ax
0054C741 9E sahf
0054C7B6 8935 C4065500 mov dword ptr ds:[5506C4],esi
0054C7BC A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C7C1 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C7C7 74 50 je short ROServic.0054C819 ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C7C9 803D 10075500 00 cmp byte ptr ds:[550710],0
0054C7D0 74 47 je short ROServic.0054C819
0054C7D2 8D45 B0 lea eax,dword ptr ss:[ebp-50]
0054C7D5 BA 10075500 mov edx,ROServic.00550710 ; ASCII "!TRIAL|TRIAL|TRIAL|TRIAL|1|TRIAL|4"
0054C7DA E8 290EFFFF call ROServic.0053D608
0054C7DF 8B45 B0 mov eax,dword ptr ss:[ebp-50]
0054C808 E8 EBDEFFFF call ROServic.0054A6F8
0054C80D E9 86060000 jmp ROServic.0054CE98
0054C812 830D B4065500 01 or dword ptr ds:[5506B4],1
0054C819 A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C81E 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C824 74 50 je short ROServic.0054C876 ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C826 803D 10085500 00 cmp byte ptr ds:[550810],0
0054C82D 74 47 je short ROServic.0054C876
0054C82F 8D45 A8 lea eax,dword ptr ss:[ebp-58]
0054C832 BA 10085500 mov edx,ROServic.00550810
0054C837 E8 CC0DFFFF call ROServic.0053D608
0054C86F 830D B4065500 02 or dword ptr ds:[5506B4],2
0054C876 A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C87B 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C881 74 34 je short ROServic.0054C8B7 ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C883 833D 08075500 00 cmp dword ptr ds:[550708],0
0054C88A 74 2B je short ROServic.0054C8B7
0054C88C A1 08075500 mov eax,dword ptr ds:[550708]
0054C891 3B05 A8065500 cmp eax,dword ptr ds:[5506A8]
0054C897 74 1E je short ROServic.0054C8B7
0054C899 833D 98F75400 01 cmp dword ptr ds:[54F798],1
0054C8A0 74 0E je short ROServic.0054C8B0
0054C8A2 B2 01 mov dl,1
0054C8A4 B0 07 mov al,7
0054C8A6 E8 4DDEFFFF call ROServic.0054A6F8
0054C8AB E9 E8050000 jmp ROServic.0054CE98
0054C8B0 830D B4065500 04 or dword ptr ds:[5506B4],4
0054C8B7 A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C8BC 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C8C2 74 6B je short ROServic.0054C92F ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C8C4 A1 F0F95400 mov eax,dword ptr ds:[54F9F0]
0054C8C9 8B00 mov eax,dword ptr ds:[eax]
0054C8CB 2305 00075500 and eax,dword ptr ds:[550700]
0054C928 33C0 xor eax,eax
0054C92A A3 C8065500 mov dword ptr ds:[5506C8],eax
0054C92F A1 C4F75400 mov eax,dword ptr ds:[54F7C4] ; 到这
0054C934 3B05 78F75400 cmp eax,dword ptr ds:[54F778]
0054C93A 0F84 D2000000 je ROServic.0054CA12 ; 鼠标双击 Z 寄存器改 0 为 1 避过判断
0054C940 A1 F0F95400 mov eax,dword ptr ds:[54F9F0]
0054C945 8B00 mov eax,dword ptr ds:[eax]
0054C947 2305 04075500 and eax,dword ptr ds:[550704]
0054C94D 0F84 BF000000 je ROServic.0054CA12
0054CA04 830D B4065500 40 or dword ptr ds:[5506B4],40
0054CA0B 33C0 xor eax,eax
0054CA0D A3 C4065500 mov dword ptr ds:[5506C4],eax
0054CA12 E8 E5D8FFFF call ROServic.0054A2FC ; 到这里下内存访问断点
0054CA17 E8 64F3FFFF call ROServic.0054BD80
0054CA1C 90 nop
0054CA1D 90 nop
0054CA1E 90 nop
0054CA1F 90 nop
0054CA20 90 nop
0054CA21 E8 B2DAFFFF call ROServic.0054A4D8
0054CA26 A1 00F75400 mov eax,dword ptr ds:[54F700]
上面不改成JMP是因为壳后面有自校验。到0054CA12时下内存访问断点,Alt+M打开内存映射窗口,先对代码段下内存访问断点,Shift+F9
0053C6E6 C1F9 02 sar ecx,2
0053C6E9 78 2A js short ROServic.0053C715
0053C6EB F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi>; 中断到此处
0053C6ED 89C1 mov ecx,eax
0053C6EF 83E1 03 and ecx,3
0053C6F2 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0053C6F4 5F pop edi
0053C6F5 5E pop esi
0053C6F6 C3 retn
Alt+M打开内存映射窗口,对PE文件头下内存访问断点,Shift+F9
0054CA5C 83FE 08 cmp esi,8
0054CA5F ^ 75 EB jnz short ROServic.0054CA4C
0054CA61 A1 64065500 mov eax,dword ptr ds:[550664]
0054CA66 8B78 3C mov edi,dword ptr ds:[eax+3C] ; 中断到此处
0054CA69 033D 64065500 add edi,dword ptr ds:[550664] ; ROServic.00400000
0054CA6F 8B47 50 mov eax,dword ptr ds:[edi+50]
0054CA72 A3 98065500 mov dword ptr ds:[550698],eax
0054CA77 A1 88F65400 mov eax,dword ptr ds:[54F688]
0054CA7C E8 1BDCFFFF call ROServic.0054A69C
Alt+M打开内存映射窗口,对代码段下内存访问断点,Shift+F9
0046034C 55 push ebp ; 这里就是OEP了.
0046034D 8BEC mov ebp,esp
0046034F 83C4 E0 add esp,-20
00460352 53 push ebx
00460353 33C0 xor eax,eax
00460355 8945 E4 mov dword ptr ss:[ebp-1C],eax
00460358 8945 E0 mov dword ptr ss:[ebp-20],eax
0046035B 8945 EC mov dword ptr ss:[ebp-14],eax
0046035E 8945 E8 mov dword ptr ss:[ebp-18],eax
00460361 B8 B4F94500 mov eax,ROServic.0045F9B4
00460366 E8 1911FAFF call ROServic.00401484
用LordPE修正映像大小后完全DUMP。用ImportREC选择进程,OEP填6034C,自动搜索IAT,获取输入表,得到正确输入表后修复抓取文件就可以了。
字符串搜索Trial License 向上找到reading license data,跟随到0044FC07,向下找到0044FC4A将je修改为JMP即可实现Internal Development Copy版本了。
0044FC02 E8 11FBFFFF call <jmp.&roservicebuilder70.Edebugserver::D>
0044FC07 BA 78004500 mov edx,dumped_.00450078 ; reading license data
0044FC0C E8 3FFBFFFF call <jmp.&roservicebuilder70.Udsdebugserver:>
0044FC11 33D2 xor edx,edx
0044FC13 55 push ebp
0044FC14 68 24004500 push dumped_.00450024
0044FC19 64:FF32 push dword ptr fs:[edx]
0044FC1C 64:8922 mov dword ptr fs:[edx],esp
0044FC1F C645 FF 00 mov byte ptr ss:[ebp-1],0
0044FC23 B2 01 mov dl,1
0044FC25 A1 D4DF4400 mov eax,dword ptr ds:[44DFD4]
0044FC2A E8 9114FBFF call <jmp.&rtl70.System::TObject::TObject>
0044FC2F 8945 F8 mov dword ptr ss:[ebp-8],eax
0044FC32 33D2 xor edx,edx
0044FC34 55 push ebp
0044FC35 68 00004500 push dumped_.00450000
0044FC3A 64:FF32 push dword ptr fs:[edx]
0044FC3D 64:8922 mov dword ptr fs:[edx],esp
0044FC40 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0044FC43 E8 D4E4FFFF call dumped_.0044E11C
0044FC48 84C0 test al,al
0044FC4A 0F84 4F030000 je dumped_.0044FF9F ; 此处改为JMP即可
0044FC50 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0044FC53 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0044FC56 8B52 24 mov edx,dword ptr ds:[edx+24]
完。