最近拿到一款雕刻软件,需要配套彩虹加密狗使用。
在调试过程当中遇到如下问题:
1. 软件不在调试状态下,有狗则可以正常运行程序。但在调试状态下,仍然显示没有找到狗。
-- 原因:壳在运行时通过IsDebuggerPresent, ZwQuerySystemInformation, ZwQueryInformationProcess等函数来判断程序是否被调试,并用CreateFile来检查是否有SoftIce,TRW的存在。
-- 解决:我下载的OllyDbg已经对IsDebuggerPresent免疫,但对ZwQueryInformationProcess仍然返回调试状态,现临时在ZwQueryInformationProcess上下断点,并在返回时修改返回值来达到调试目的。本来想在壳中加入自己的代码来修改壳的代码,但修改后程序运行出错,原因暂不清楚。
2. 通过对壳代码的分析,发现壳自己做了重定位和建立IAT。但此壳在内存的45D000和52C1CC处有2张IAT表,使用ImportRec无法修复,因此脱壳失败.
请问各位大大有什么好的办法?
3. 壳在运行时会动态解码原始Exe文件的代码和壳的部分代码到内存当中执行。
而且此壳同时具备加密和压缩功能。压缩功能的反汇编代码如下:
请各位大大帮忙看下这个是什么压缩算法,能给出压缩原理更好.
(因刚注册,无法上传附件,所以只能贴出代码了,^_^)
__declspec( naked ) void UnzipCode()
{
__asm {
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov eax, [ebp+0Ch]
add eax, [ebp+8]
mov [ebp-14h], eax
mov eax, [ebp+10h]
mov [ebp-10h], eax
mov eax, [ebp+8]
mov [ebp-8], eax
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
cmp ecx, 11h
jle short loc_53A645
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
sub ecx, 11h
mov [ebp-4], ecx
inc dword ptr [ebp-8]
cmp dword ptr [ebp-4], 4
jnb short loc_53A627
jmp loc_53A99E
; ---------------------------------------------------------------------------
loc_53A627: ; CODE XREF: RCC1:0053A620.j
; RCC1:0053A63E.j
mov eax, [ebp-8]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-8]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A627
jmp loc_53A701
; ---------------------------------------------------------------------------
loc_53A645: ; CODE XREF: RCC1:0053A60A.j
; RCC1:0053A9C9.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
mov [ebp-4], ecx
inc dword ptr [ebp-8]
cmp dword ptr [ebp-4], 10h
jb short loc_53A65D
jmp loc_53A77C
; ---------------------------------------------------------------------------
loc_53A65D: ; CODE XREF: RCC1:0053A656.j
cmp dword ptr [ebp-4], 0
jnz short loc_53A68A
loc_53A663: ; CODE XREF: RCC1:0053A678.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
test ecx, ecx
jnz short loc_53A67A
add dword ptr [ebp-4], 0FFh
inc dword ptr [ebp-8]
jmp short loc_53A663
; ---------------------------------------------------------------------------
loc_53A67A: ; CODE XREF: RCC1:0053A66C.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
add ecx, 0Fh
add [ebp-4], ecx
inc dword ptr [ebp-8]
loc_53A68A: ; CODE XREF: RCC1:0053A661.j
mov eax, [ebp-8]
mov eax, [eax]
mov ecx, [ebp-10h]
mov [ecx], eax
add dword ptr [ebp-10h], 4
add dword ptr [ebp-8], 4
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
jbe short loc_53A701
cmp dword ptr [ebp-4], 4
jb short loc_53A6E8
loc_53A6AB: ; CODE XREF: RCC1:0053A6C5.j
mov eax, [ebp-8] ;
mov eax, [eax]
mov ecx, [ebp-10h]
mov [ecx], eax
add dword ptr [ebp-10h], 4
add dword ptr [ebp-8], 4
sub dword ptr [ebp-4], 4
cmp dword ptr [ebp-4], 4
jnb short loc_53A6AB ;
cmp dword ptr [ebp-4], 0
jbe short loc_53A6E6
loc_53A6CD: ; CODE XREF: RCC1:0053A6E4.j
mov eax, [ebp-8] ;
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-8]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A6CD ;
loc_53A6E6: ; CODE XREF: RCC1:0053A6CB.j
jmp short loc_53A701
; ---------------------------------------------------------------------------
loc_53A6E8: ; CODE XREF: RCC1:0053A6A9.j
; RCC1:0053A6FF.j
mov eax, [ebp-8]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-8]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A6E8
loc_53A701: ; CODE XREF: RCC1:0053A640.j
; RCC1:0053A6A3.j ...
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
mov [ebp-4], ecx
inc dword ptr [ebp-8]
cmp dword ptr [ebp-4], 10h
jb short loc_53A716
jmp short loc_53A77C
; ---------------------------------------------------------------------------
loc_53A716: ; CODE XREF: RCC1:0053A712.j
mov eax, [ebp-10h]
sub eax, 801h
mov [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-4]
shr ecx, 2
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-8]
xor edx, edx
mov dl, [ecx]
lea ecx, ds:0[edx*4]
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
inc dword ptr [ebp-8]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-10h]
jmp loc_53A988
; ---------------------------------------------------------------------------
loc_53A77C: ; CODE XREF: RCC1:0053A658.j
; RCC1:0053A714.j ...
cmp dword ptr [ebp-4], 40h
jb short loc_53A7C9
mov eax, [ebp-10h]
dec eax
mov [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-4]
shr ecx, 2
and ecx, 7
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-8]
xor edx, edx
mov dl, [ecx]
lea ecx, ds:0[edx*8]
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
inc dword ptr [ebp-8]
mov eax, [ebp-4]
shr eax, 5
dec eax
mov [ebp-4], eax
jmp loc_53A94F
; ---------------------------------------------------------------------------
jmp loc_53A8EB
; ---------------------------------------------------------------------------
loc_53A7C9: ; CODE XREF: RCC1:0053A780.j
cmp dword ptr [ebp-4], 20h
jb short loc_53A820
and dword ptr [ebp-4], 1Fh
jnz short loc_53A7FC
loc_53A7D5: ; CODE XREF: RCC1:0053A7EA.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
test ecx, ecx
jnz short loc_53A7EC
add dword ptr [ebp-4], 0FFh
inc dword ptr [ebp-8]
jmp short loc_53A7D5
; ---------------------------------------------------------------------------
loc_53A7EC: ; CODE XREF: RCC1:0053A7DE.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
add ecx, 1Fh
add [ebp-4], ecx
inc dword ptr [ebp-8]
loc_53A7FC: ; CODE XREF: RCC1:0053A7D3.j
mov eax, [ebp-10h]
dec eax
mov [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-8]
xor edx, edx
mov dx, [ecx]
sar edx, 2
sub eax, edx
neg eax
sub [ebp-0Ch], eax
add dword ptr [ebp-8], 2
jmp loc_53A8EB
; ---------------------------------------------------------------------------
loc_53A820: ; CODE XREF: RCC1:0053A7CD.j
cmp dword ptr [ebp-4], 10h
jb short loc_53A899
mov eax, [ebp-10h]
mov [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-4]
and ecx, 8
shl ecx, 0Bh
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
and dword ptr [ebp-4], 7
jnz short loc_53A86B
loc_53A844: ; CODE XREF: RCC1:0053A859.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
test ecx, ecx
jnz short loc_53A85B
add dword ptr [ebp-4], 0FFh
inc dword ptr [ebp-8]
jmp short loc_53A844
; ---------------------------------------------------------------------------
loc_53A85B: ; CODE XREF: RCC1:0053A84D.j
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
add ecx, 7
add [ebp-4], ecx
inc dword ptr [ebp-8]
loc_53A86B: ; CODE XREF: RCC1:0053A842.j
xor eax, eax
mov ecx, [ebp-8]
xor edx, edx
mov dx, [ecx]
sar edx, 2
sub eax, edx
neg eax
sub [ebp-0Ch], eax
add dword ptr [ebp-8], 2
mov eax, [ebp-10h]
cmp [ebp-0Ch], eax
jnz short loc_53A890
jmp loc_53A9CE
; ---------------------------------------------------------------------------
loc_53A890: ; CODE XREF: RCC1:0053A889.j
sub dword ptr [ebp-0Ch], 4000h
jmp short loc_53A8EB
; ---------------------------------------------------------------------------
loc_53A899: ; CODE XREF: RCC1:0053A824.j
mov eax, [ebp-10h]
dec eax
mov [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-4]
shr ecx, 2
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
xor eax, eax
mov ecx, [ebp-8]
xor edx, edx
mov dl, [ecx]
lea ecx, ds:0[edx*4]
sub eax, ecx
neg eax
sub [ebp-0Ch], eax
inc dword ptr [ebp-8]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-10h]
jmp loc_53A988
; ---------------------------------------------------------------------------
loc_53A8EB: ; CODE XREF: RCC1:0053A7C4.j
; RCC1:0053A81B.j ...
cmp dword ptr [ebp-4], 6
jb short loc_53A94F
mov eax, [ebp-10h]
sub eax, [ebp-0Ch]
cmp eax, 4
jl short loc_53A94F
mov eax, [ebp-0Ch]
mov eax, [eax]
mov ecx, [ebp-10h]
mov [ecx], eax
add dword ptr [ebp-10h], 4
add dword ptr [ebp-0Ch], 4
sub dword ptr [ebp-4], 2
loc_53A912: ; CODE XREF: RCC1:0053A92C.j
mov eax, [ebp-0Ch]
mov eax, [eax]
mov ecx, [ebp-10h]
mov [ecx], eax
add dword ptr [ebp-10h], 4
add dword ptr [ebp-0Ch], 4
sub dword ptr [ebp-4], 4
cmp dword ptr [ebp-4], 4
jnb short loc_53A912
cmp dword ptr [ebp-4], 0
jbe short loc_53A94D
loc_53A934: ; CODE XREF: RCC1:0053A94B.j
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A934
loc_53A94D: ; CODE XREF: RCC1:0053A932.j
jmp short loc_53A988
; ---------------------------------------------------------------------------
loc_53A94F: ; CODE XREF: RCC1:0053A7BF.j
; RCC1:0053A8EF.j ...
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
loc_53A96F: ; CODE XREF: RCC1:0053A986.j
mov eax, [ebp-0Ch]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-0Ch]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A96F
loc_53A988: ; CODE XREF: RCC1:0053A777.j
; RCC1:0053A8E6.j ...
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax-2]
and ecx, 3
mov [ebp-4], ecx
cmp dword ptr [ebp-4], 0
jnz short loc_53A99E
jmp short loc_53A9C9
; ---------------------------------------------------------------------------
loc_53A99E: ; CODE XREF: RCC1:0053A622.j
; RCC1:0053A99A.j ...
mov eax, [ebp-8]
mov al, [eax]
mov ecx, [ebp-10h]
mov [ecx], al
inc dword ptr [ebp-8]
inc dword ptr [ebp-10h]
dec dword ptr [ebp-4]
cmp dword ptr [ebp-4], 0
ja short loc_53A99E
mov eax, [ebp-8]
xor ecx, ecx
mov cl, [eax]
mov [ebp-4], ecx
inc dword ptr [ebp-8]
jmp loc_53A77C
; ---------------------------------------------------------------------------
loc_53A9C9: ; CODE XREF: RCC1:0053A99C.j
jmp loc_53A645
; ---------------------------------------------------------------------------
loc_53A9CE: ; CODE XREF: RCC1:0053A88B.j
mov eax, [ebp-8]
cmp [ebp-14h], eax
jz short loc_53A9DD
mov eax, 0FFFFFFFFh
jmp short loc_53A9E5
; ---------------------------------------------------------------------------
loc_53A9DD: ; CODE XREF: RCC1:0053A9D4.j
mov eax, [ebp-10h]
sub eax, [ebp+10h]
jmp short $+2
loc_53A9E5: ; CODE XREF: RCC1:0053A9DB.j
pop edi
pop esi
pop ebx
leave
retn 0Ch
}
}
最后感谢各位大大看完此文章,谢谢。
[==== 2007.3.28 16:56 增加 ====]
关于Unzip汇编代码,以及压缩前/解压后的数据,都在下面这个包里面。http://www.live-share.com/files/188560/Crack.rar.html
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
