-
-
ProActivate V1.0X 脱壳——RemObjects SDK V4.0.13.527
-
发表于: 2007-4-7 14:07
-
ProActivate V1.0X 脱壳——RemObjects SDK V4.0.13.527
下载地址: http://www.remobjects.com
软件大小: 7.01 M
软件简介: RemObjects SDK is the essential remoting framework for .NET and Delphi. It allows you to remotely access objects residing on a server from clients inside the LAN or across the Internet.
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:
浮生若梦,奈何桥头孟婆汤。
很久没写脱壳教程了,ProActivate算是很老的壳,使用ProActivate保护的国内有顺丰猪病诊断软件系列国外有remobjects系列软件。
此教程适合学习过压缩壳脱壳的新手跟随练习。
http://www.proactivate.net/proactivate/index.php
ProActivate partners with forward-thinking sales leaders to increase profits by increasing revenue, decreasing expenses for finding new talent, and minimizing lost opportunity costs. We do this by our advanced technological approach to matching your company's critical performance characteristics to our A-list of top sales talent in the market today. Through this new, revolutionary approach, we provide our clients with a continuous stream of highly qualified individuals on a consistent basis.When your organization does not have the sales associates, sales leaders and sales executives it needs, the costs are high. Conservative estimates reveal that the loss of a top-performing sales associate can cost an organization $1 million or more when factors such as lost opportunities, time/resources needed to fill an open position, and ramp up time are considered. These high stakes underscore the importance for sales organizations to be proactive to this volatile situation.
TurboPower公司的Delphi/BCB控件:用于开发共享软件的试用版、电子注册等
0day出过TurboPower.ProActivate.v1.08.incl.Source-RENEGADE/TurboPower.ProActivate.v1.09.Full.Sources.For.Delphi.BCB-RENEGADE
http://www.unpack.cn/viewthread.php?tid=10712
_____________________________________________________________
一、PEiD Sign
设置OllyDbg忽略所有异常选项,用IsDebugPresent插件Hide,清除以前的所有断点。
0054C20C 55 push ebp
//进入OllyDbg后暂停在这
0054C20D 8BEC mov ebp,esp
0054C20F B9 0E000000 mov ecx,0E
0054C214 6A 00 push 0
0054C216 6A 00 push 0
0054C218 49 dec ecx
0054C219 75 F9 jnz short 0054C214
0054C21B 51 push ecx
0054C21C 53 push ebx
0054C21D 56 push esi
0054C21E 57 push edi
0054C21F B8 74C15400 mov eax,54C174
0054C224 90 nop
0054C225 90 nop
0054C226 90 nop
0054C227 90 nop
0054C228 90 nop
0054C229 33C0 xor eax,eax
0054C22B 55 push ebp
0054C22C 68 C0CE5400 push 54CEC0
0054C231 64:FF30 push dword ptr fs:[eax]
0054C234 64:8920 mov dword ptr fs:[eax],esp
0054C237 A1 78F75400 mov eax,dword ptr ds:[54F778]
0054C23C 83C0 05 add eax,5
0054C23F A3 BC065500 mov dword ptr ds:[5506BC],eax
0054C244 C705 C0065500 0D000>mov dword ptr ds:[5506C0],0D
0054C24E E8 85E2FFFF call 0054A4D8
0054C253 813D 7CF65400 217E7>cmp dword ptr ds:[54F67C],407E7E21
0054C25D 75 7A jnz short 0054C2D9
0054C25F 813D E8F65400 43524>cmp dword ptr ds:[54F6E8],33435243
0054C269 75 6E jnz short 0054C2D9
0054C26B 813D F4F65400 32407>cmp dword ptr ds:[54F6F4],7E7E4032
0054C275 75 62 jnz short 0054C2D9
0054C277 813D FCF65400 217E7>cmp dword ptr ds:[54F6FC],407E7E21
0054C281 75 56 jnz short 0054C2D9
0054C283 813D 04F75400 43524>cmp dword ptr ds:[54F704],33435243
0054C28D 75 4A jnz short 0054C2D9
0054C28F 813D 10F75400 32407>cmp dword ptr ds:[54F710],7E7E4032
0054C299 75 3E jnz short 0054C2D9
0054C29B 813D 74F75400 217E7>cmp dword ptr ds:[54F774],407E7E21
0054C2A5 75 32 jnz short 0054C2D9
0054C2A7 813D 84F75400 43524>cmp dword ptr ds:[54F784],33435243
0054C2B1 75 26 jnz short 0054C2D9
ProActivate的入口代码都相似,因此可以用其制作PEiD Sign
[ProActivate V1.0X -> TurboPower Software Company * Sign.By.fly]
signature = 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33
ep_only = true
_____________________________________________________________
二、解码:设置第二区段内存写入断点
ProActivate需要解压原来的代码
地址 大小 (十进制) 物主 区段 包含
00400000 00001000 (4096.) ROServic 00400000 (自身) PE header
00401000 00060000 (393216.) ROServic 00400000 CODE code
00461000 00004000 (16384.) ROServic 00400000 DATA code,data
00465000 00002000 (8192.) ROServic 00400000 BSS code
00467000 00010000 (65536.) ROServic 00400000 .idata code
00477000 00001000 (4096.) ROServic 00400000 .edata exports
00478000 00001000 (4096.) ROServic 00400000 .tls
00479000 00001000 (4096.) ROServic 00400000 .rdata
0047A000 00006000 (24576.) ROServic 00400000 .reloc
00480000 000BB000 (765952.) ROServic 00400000 .rsrc resources
0053B000 00012000 (73728.) ROServic 00400000 SFX
0054D000 00005000 (20480.) ROServic 00400000
00552000 00002000 (8192.) ROServic 00400000 imports
00554000 00001000 (4096.) ROServic 00400000
在00401000第二区段上设置内存写入断点,Shift+F9
0053C6EB F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//中断在这里
0053C6ED 89C1 mov ecx,eax
0053C6EF 83E1 03 and ecx,3
0053C6F2 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0053C6F4 5F pop edi
0053C6F5 5E pop esi
0053C6F6 C3 retn
清除内存断点后Ctrl+F9
0054610A E8 C965FFFF call 0053C6D8
0054610F 0173 0C add dword ptr ds:[ebx+C],esi
//返回这里,继续Ctrl+F9
00546112 EB 02 jmp short 00546116
00546114 33F6 xor esi,esi
00546116 8BC6 mov eax,esi
00546118 5F pop edi
00546119 5E pop esi
0054611A 5B pop ebx
0054611B C3 retn
0054A9DC FF53 04 call dword ptr ds:[ebx+4]
0054A9DF 33C0 xor eax,eax
//返回这里,继续Ctrl+F9
0054A9E1 5A pop edx
0054A9E2 59 pop ecx
0054A9E3 59 pop ecx
0054A9E4 64:8910 mov dword ptr fs:[eax],edx
0054A9E7 68 04AA5400 push 54AA04
0054A9EC 8B45 FC mov eax,dword ptr ss:[ebp-4]
0054A9EF E8 0421FFFF call 0053CAF8
0054A9F4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0054A9F7 E8 FC20FFFF call 0053CAF8
0054A9FC C3 retn
0054AA04 5F pop edi
0054AA05 5E pop esi
0054AA06 5B pop ebx
0054AA07 8BE5 mov esp,ebp
0054AA09 5D pop ebp
0054AA0A C3 retn
0054CA4C 833B 00 cmp dword ptr ds:[ebx],0
0054CA4F 74 07 je short 0054CA58
0054CA51 8BC3 mov eax,ebx
0054CA53 E8 60DEFFFF call 0054A8B8
//返回这里
0054CA58 46 inc esi
0054CA59 83C3 0C add ebx,0C
0054CA5C 83FE 08 cmp esi,8
0054CA5F 75 EB jnz short 0054CA4C
//循环解码
0054CA61 A1 64065500 mov eax,dword ptr ds:[550664]
//这里设断
0054CA66 8B78 3C mov edi,dword ptr ds:[eax+3C]
0054CA69 033D 64065500 add edi,dword ptr ds:[550664]
0054CA6F 8B47 50 mov eax,dword ptr ds:[edi+50]
0054CA72 A3 98065500 mov dword ptr ds:[550698],eax
在0054CA61处设断,F9中断后解码完毕。如果ProActivate加壳时选择了Encrypt Resources,则需要到OEP处再dump一次。
此时程序代码完全还原,输入表也是原始的,正是dump的好时机。运行LordPE完全dump此进程。
_____________________________________________________________
三、输入表
0054CA77 A1 88F65400 mov eax,dword ptr ds:[54F688]
//[54F688]=00067000
//00067000就是原始的ImportTable RVA
0054CA7C E8 1BDCFFFF call 0054A69C
0054CA81 8BD8 mov ebx,eax
0054CA83 8BC3 mov eax,ebx
0054CA85 E8 AEF5FFFF call 0054C038
//系统函数地址填充FirstThunk
0054CA8A 84C0 test al,al
0054CA8C 0F84 06040000 je 0054CE98
0054CA92 E8 41DAFFFF call 0054A4D8
0054CA97 A1 90F65400 mov eax,dword ptr ds:[54F690]
0054CA9C E8 FBDBFFFF call 0054A69C
0054CAA1 8BD8 mov ebx,eax
0054CAA3 833D D8F85400 00 cmp dword ptr ds:[54F8D8],0
//判断是否Encrypt Resources
0054CAAA 76 07 jbe short 0054CAB3
0054CAAC 8BC3 mov eax,ebx
0054CAAE E8 59F4FFFF call 0054BF0C
//处理资源加密
0054CAB3 A1 94F65400 mov eax,dword ptr ds:[54F694]
0054CAB8 833D DCF85400 00 cmp dword ptr ds:[54F8DC],0
0054CABF 76 30 jbe short 0054CAF1
修正第二步dump文件的ImportTable RVA=00067000,Size用原来的即可,当然也可以手动计算一下。
为何知道0054CA77处看到的[54F688]值是ImportTable RVA ?
1.你可以去00400000+00067000处观察一下,会发现那里就是IMAGE_IMPORT_DESCRIPTOR结构
2.我用ProActivate加壳Notepad.exe比较过
_____________________________________________________________
四、OEP
去OEP就很简单了,可以使用第二区段内存断点法。
也可以向下搜索特定码,Ctrl+B:64 ?? ?? FF ?? ?? ?? ?? ?? C3
0054CCD9 A1 BC065500 mov eax,dword ptr ds:[5506BC]
0054CCDE 83C0 08 add eax,8
0054CCE1 3BD8 cmp ebx,eax
0054CCE3 75 3D jnz short 0054CD22
0054CCE5 A1 C0065500 mov eax,dword ptr ds:[5506C0]
0054CCEA 0105 A0065500 add dword ptr ds:[5506A0],eax
0054CCF0 33C0 xor eax,eax
0054CCF2 55 push ebp
0054CCF3 68 0FCD5400 push 54CD0F
0054CCF8 64:FF30 push dword ptr fs:[eax]
0054CCFB 64:8920 mov dword ptr fs:[eax],esp
//找到这里
0054CCFE FF35 A0065500 push dword ptr ds:[5506A0]
0054CD04 C3 retn
//这里设置 硬件执行 断点
//飞向光明之巅
壳有校验,因此不要设置普通CC断点,可以直接F4至0054CD04处,或者设置硬件执行断点后再Shift+F9
0046034C 55 push ebp
//OEP
0046034D 8BEC mov ebp,esp
0046034F 83C4 E0 add esp,-20
00460352 53 push ebx
00460353 33C0 xor eax,eax
00460355 8945 E4 mov dword ptr ss:[ebp-1C],eax
00460358 8945 E0 mov dword ptr ss:[ebp-20],eax
0046035B 8945 EC mov dword ptr ss:[ebp-14],eax
0046035E 8945 E8 mov dword ptr ss:[ebp-18],eax
00460361 B8 B4F94500 mov eax,45F9B4
00460366 E8 1911FAFF call 00401484[/code]
_____________________________________________________________
五、优化
修正脱壳文件的OEP RVA=0006034C,ImportTable RVA=00067000
如果是Encrypt Resources,到OEP dump后把资源部分再粘贴进第二步dump文件的相应部分
也可以到OEP后dump,使用ImportREC修复输入表,不过有原始输入表就显得多此一举了
使用LordPE删除.rsrc后面的4个壳区段,用WinHex删除数据
只保留LordPE的Rebuilder中Validate PE选项,对上面处理的文件Rebuild
脱壳完成
_____________________________________________________________
六、破解
运行脱壳后文件提示“Invalid License info”
载入脱壳后文件搜索字符串,可以找到下面
0044FC07 BA 78004500 mov edx,450078 ; ASCII "Reading License Data"
0044FC0C E8 3FFBFFFF call 0044F750
0044FC11 33D2 xor edx,edx
0044FC13 55 push ebp
0044FC14 68 24004500 push 450024
0044FC19 64:FF32 push dword ptr fs:[edx]
0044FC1C 64:8922 mov dword ptr fs:[edx],esp
0044FC1F C645 FF 00 mov byte ptr ss:[ebp-1],0
0044FC23 B2 01 mov dl,1
0044FC25 A1 D4DF4400 mov eax,dword ptr ds:[44DFD4]
0044FC2A E8 9114FBFF call 004010C0
0044FC2F 8945 F8 mov dword ptr ss:[ebp-8],eax
0044FC32 33D2 xor edx,edx
0044FC34 55 push ebp
0044FC35 68 00004500 push 450000
0044FC3A 64:FF32 push dword ptr fs:[edx]
0044FC3D 64:8922 mov dword ptr fs:[edx],esp
0044FC40 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0044FC43 E8 D4E4FFFF call 0044E11C
//可以看到此CALL是关键
0044FC48 84C0 test al,al
0044FC4A 0F84 4F030000 je 0044FF9F
0044FC50 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0044FC53 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0044FC56 8B52 24 mov edx,dword ptr ds:[edx+24]
0044FC59 E8 6215FBFF call 004011C0
0044FC5E 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0044FC61 B2 7C mov dl,7C
0044FC63 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0044FC66 E8 4194FFFF call 004490AC
0044FC6B 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FC6E E8 9516FBFF call 00401308
0044FC73 83F8 05 cmp eax,5
0044FC76 7D 58 jge short 0044FCD0
0044FC78 E8 9BFAFFFF call 0044F718
0044FC7D 33C9 xor ecx,ecx
0044FC7F BA 98004500 mov edx,450098 ; ASCII "Invalid License Data"
0044FC84 E8 AFFAFFFF call 0044F738
0044FC89 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0044FC8C A1 2C8B4600 mov eax,dword ptr ds:[468B2C]
0044FC91 8B00 mov eax,dword ptr ds:[eax]
0044FC93 E8 1086FFFF call 004482A8
0044FC98 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0044FC9B 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0044FC9E BA B8004500 mov edx,4500B8 ; ASCII ".lic"
0044FCA3 E8 7888FFFF call 00448520
0044FCA8 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0044FCAB 8945 E8 mov dword ptr ss:[ebp-18],eax
0044FCAE C645 EC 0B mov byte ptr ss:[ebp-14],0B
0044FCB2 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0044FCB5 33C9 xor ecx,ecx
0044FCB7 B8 C8004500 mov eax,4500C8 ; ASCII "Invalid License info in %s file."
0044FCBC E8 5F8EFFFF call 00448B20
0044FCC1 E8 B214FBFF call 00401178
0044FCC6 E8 AD14FBFF call 00401178
0044FCCB E9 5B030000 jmp 0045002B
0044FCD0 8D43 68 lea eax,dword ptr ds:[ebx+68]
0044FCD3 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCD6 8B12 mov edx,dword ptr ds:[edx]
0044FCD8 E8 DB14FBFF call 004011B8
0044FCDD 8D43 74 lea eax,dword ptr ds:[ebx+74]
0044FCE0 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCE3 8B52 04 mov edx,dword ptr ds:[edx+4]
0044FCE6 E8 CD14FBFF call 004011B8
0044FCEB 8D43 78 lea eax,dword ptr ds:[ebx+78]
0044FCEE 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCF1 8B52 08 mov edx,dword ptr ds:[edx+8]
0044FCF4 E8 BF14FBFF call 004011B8
0044FCF9 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FCFC 8B40 0C mov eax,dword ptr ds:[eax+C]
0044FCFF BA F4004500 mov edx,4500F4 ; ASCII "FULL"
0044FD04 E8 1715FBFF call 00401220
0044FD09 0F85 87000000 jnz 0044FD96
0044FD0F 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FD12 8B40 10 mov eax,dword ptr ds:[eax+10]
0044FD15 BA 04014500 mov edx,450104 ; ASCII "SITE"
0044FD1A E8 0115FBFF call 00401220
0044FD1F 75 1C jnz short 0044FD3D
0044FD21 E8 F2F9FFFF call 0044F718
0044FD26 33C9 xor ecx,ecx
0044FD28 BA 14014500 mov edx,450114 ; ASCII "Site License."
0044FD2D E8 06FAFFFF call 0044F738
0044FD32 C643 6C 02 mov byte ptr ds:[ebx+6C],2
0044FD36 33C0 xor eax,eax
0044FD38 8943 70 mov dword ptr ds:[ebx+70],eax
0044FD3B EB 41 jmp short 0044FD7E
0044FD3D 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FD40 8B40 10 mov eax,dword ptr ds:[eax+10]
0044FD43 BA 01000000 mov edx,1
0044FD48 E8 A387FFFF call 004484F0
0044FD4D 8943 70 mov dword ptr ds:[ebx+70],eax
0044FD50 6A 00 push 0
0044FD52 E8 C1F9FFFF call 0044F718
0044FD57 8B53 70 mov edx,dword ptr ds:[ebx+70]
0044FD5A 8955 E8 mov dword ptr ss:[ebp-18],edx
0044FD5D C645 EC 00 mov byte ptr ss:[ebp-14],0
0044FD61 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0044FD64 BA 2C014500 mov edx,45012C ; ASCII "Full License, %d instances."
0044FD69 E8 F2F9FFFF call 0044F760
跟进call 0044E11C里面修改
0044E1F6 E8 BD2FFBFF call 004011B8
0044E1FB 85F6 test esi,esi
0044E1FD 74 0A je short 0044E209
0044E1FF 85FF test edi,edi
0044E201 74 06 je short 0044E209
0044E203 837D FC 00 cmp dword ptr ss:[ebp-4],0
0044E207 75 04 jnz short 0044E20D
0044E209 33DB xor ebx,ebx
0044E20B EB 02 jmp short 0044E20F
0044E20D B3 01 mov bl,1
//修改为mov bl,0即可
0044E20F 33C0 xor eax,eax
0044E211 5A pop edx
0044E212 59 pop ecx
0044E213 59 pop ecx
0044E214 64:8910 mov dword ptr fs:[eax],edx
0044E217 68 2CE24400 push 44E22C
0044E21C 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0044E21F E8 842FFBFF call 004011A8
0044E224 C3 retn
_____________________________________________________________
, _/
/| _.-~/ \_ , 青春都一晌
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了脱壳轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacKed By : fly
http://www.unpack.cn
2007-03-03 24:00
下载地址: http://www.remobjects.com
软件大小: 7.01 M
软件简介: RemObjects SDK is the essential remoting framework for .NET and Delphi. It allows you to remotely access objects residing on a server from clients inside the LAN or across the Internet.
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:
浮生若梦,奈何桥头孟婆汤。
很久没写脱壳教程了,ProActivate算是很老的壳,使用ProActivate保护的国内有顺丰猪病诊断软件系列国外有remobjects系列软件。
此教程适合学习过压缩壳脱壳的新手跟随练习。
http://www.proactivate.net/proactivate/index.php
ProActivate partners with forward-thinking sales leaders to increase profits by increasing revenue, decreasing expenses for finding new talent, and minimizing lost opportunity costs. We do this by our advanced technological approach to matching your company's critical performance characteristics to our A-list of top sales talent in the market today. Through this new, revolutionary approach, we provide our clients with a continuous stream of highly qualified individuals on a consistent basis.When your organization does not have the sales associates, sales leaders and sales executives it needs, the costs are high. Conservative estimates reveal that the loss of a top-performing sales associate can cost an organization $1 million or more when factors such as lost opportunities, time/resources needed to fill an open position, and ramp up time are considered. These high stakes underscore the importance for sales organizations to be proactive to this volatile situation.
TurboPower公司的Delphi/BCB控件:用于开发共享软件的试用版、电子注册等
0day出过TurboPower.ProActivate.v1.08.incl.Source-RENEGADE/TurboPower.ProActivate.v1.09.Full.Sources.For.Delphi.BCB-RENEGADE
http://www.unpack.cn/viewthread.php?tid=10712
_____________________________________________________________
一、PEiD Sign
设置OllyDbg忽略所有异常选项,用IsDebugPresent插件Hide,清除以前的所有断点。
0054C20C 55 push ebp
//进入OllyDbg后暂停在这
0054C20D 8BEC mov ebp,esp
0054C20F B9 0E000000 mov ecx,0E
0054C214 6A 00 push 0
0054C216 6A 00 push 0
0054C218 49 dec ecx
0054C219 75 F9 jnz short 0054C214
0054C21B 51 push ecx
0054C21C 53 push ebx
0054C21D 56 push esi
0054C21E 57 push edi
0054C21F B8 74C15400 mov eax,54C174
0054C224 90 nop
0054C225 90 nop
0054C226 90 nop
0054C227 90 nop
0054C228 90 nop
0054C229 33C0 xor eax,eax
0054C22B 55 push ebp
0054C22C 68 C0CE5400 push 54CEC0
0054C231 64:FF30 push dword ptr fs:[eax]
0054C234 64:8920 mov dword ptr fs:[eax],esp
0054C237 A1 78F75400 mov eax,dword ptr ds:[54F778]
0054C23C 83C0 05 add eax,5
0054C23F A3 BC065500 mov dword ptr ds:[5506BC],eax
0054C244 C705 C0065500 0D000>mov dword ptr ds:[5506C0],0D
0054C24E E8 85E2FFFF call 0054A4D8
0054C253 813D 7CF65400 217E7>cmp dword ptr ds:[54F67C],407E7E21
0054C25D 75 7A jnz short 0054C2D9
0054C25F 813D E8F65400 43524>cmp dword ptr ds:[54F6E8],33435243
0054C269 75 6E jnz short 0054C2D9
0054C26B 813D F4F65400 32407>cmp dword ptr ds:[54F6F4],7E7E4032
0054C275 75 62 jnz short 0054C2D9
0054C277 813D FCF65400 217E7>cmp dword ptr ds:[54F6FC],407E7E21
0054C281 75 56 jnz short 0054C2D9
0054C283 813D 04F75400 43524>cmp dword ptr ds:[54F704],33435243
0054C28D 75 4A jnz short 0054C2D9
0054C28F 813D 10F75400 32407>cmp dword ptr ds:[54F710],7E7E4032
0054C299 75 3E jnz short 0054C2D9
0054C29B 813D 74F75400 217E7>cmp dword ptr ds:[54F774],407E7E21
0054C2A5 75 32 jnz short 0054C2D9
0054C2A7 813D 84F75400 43524>cmp dword ptr ds:[54F784],33435243
0054C2B1 75 26 jnz short 0054C2D9
ProActivate的入口代码都相似,因此可以用其制作PEiD Sign
[ProActivate V1.0X -> TurboPower Software Company * Sign.By.fly]
signature = 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33
ep_only = true
_____________________________________________________________
二、解码:设置第二区段内存写入断点
ProActivate需要解压原来的代码
地址 大小 (十进制) 物主 区段 包含
00400000 00001000 (4096.) ROServic 00400000 (自身) PE header
00401000 00060000 (393216.) ROServic 00400000 CODE code
00461000 00004000 (16384.) ROServic 00400000 DATA code,data
00465000 00002000 (8192.) ROServic 00400000 BSS code
00467000 00010000 (65536.) ROServic 00400000 .idata code
00477000 00001000 (4096.) ROServic 00400000 .edata exports
00478000 00001000 (4096.) ROServic 00400000 .tls
00479000 00001000 (4096.) ROServic 00400000 .rdata
0047A000 00006000 (24576.) ROServic 00400000 .reloc
00480000 000BB000 (765952.) ROServic 00400000 .rsrc resources
0053B000 00012000 (73728.) ROServic 00400000 SFX
0054D000 00005000 (20480.) ROServic 00400000
00552000 00002000 (8192.) ROServic 00400000 imports
00554000 00001000 (4096.) ROServic 00400000
在00401000第二区段上设置内存写入断点,Shift+F9
0053C6EB F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//中断在这里
0053C6ED 89C1 mov ecx,eax
0053C6EF 83E1 03 and ecx,3
0053C6F2 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0053C6F4 5F pop edi
0053C6F5 5E pop esi
0053C6F6 C3 retn
清除内存断点后Ctrl+F9
0054610A E8 C965FFFF call 0053C6D8
0054610F 0173 0C add dword ptr ds:[ebx+C],esi
//返回这里,继续Ctrl+F9
00546112 EB 02 jmp short 00546116
00546114 33F6 xor esi,esi
00546116 8BC6 mov eax,esi
00546118 5F pop edi
00546119 5E pop esi
0054611A 5B pop ebx
0054611B C3 retn
0054A9DC FF53 04 call dword ptr ds:[ebx+4]
0054A9DF 33C0 xor eax,eax
//返回这里,继续Ctrl+F9
0054A9E1 5A pop edx
0054A9E2 59 pop ecx
0054A9E3 59 pop ecx
0054A9E4 64:8910 mov dword ptr fs:[eax],edx
0054A9E7 68 04AA5400 push 54AA04
0054A9EC 8B45 FC mov eax,dword ptr ss:[ebp-4]
0054A9EF E8 0421FFFF call 0053CAF8
0054A9F4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0054A9F7 E8 FC20FFFF call 0053CAF8
0054A9FC C3 retn
0054AA04 5F pop edi
0054AA05 5E pop esi
0054AA06 5B pop ebx
0054AA07 8BE5 mov esp,ebp
0054AA09 5D pop ebp
0054AA0A C3 retn
0054CA4C 833B 00 cmp dword ptr ds:[ebx],0
0054CA4F 74 07 je short 0054CA58
0054CA51 8BC3 mov eax,ebx
0054CA53 E8 60DEFFFF call 0054A8B8
//返回这里
0054CA58 46 inc esi
0054CA59 83C3 0C add ebx,0C
0054CA5C 83FE 08 cmp esi,8
0054CA5F 75 EB jnz short 0054CA4C
//循环解码
0054CA61 A1 64065500 mov eax,dword ptr ds:[550664]
//这里设断
0054CA66 8B78 3C mov edi,dword ptr ds:[eax+3C]
0054CA69 033D 64065500 add edi,dword ptr ds:[550664]
0054CA6F 8B47 50 mov eax,dword ptr ds:[edi+50]
0054CA72 A3 98065500 mov dword ptr ds:[550698],eax
在0054CA61处设断,F9中断后解码完毕。如果ProActivate加壳时选择了Encrypt Resources,则需要到OEP处再dump一次。
此时程序代码完全还原,输入表也是原始的,正是dump的好时机。运行LordPE完全dump此进程。
_____________________________________________________________
三、输入表
0054CA77 A1 88F65400 mov eax,dword ptr ds:[54F688]
//[54F688]=00067000
//00067000就是原始的ImportTable RVA
0054CA7C E8 1BDCFFFF call 0054A69C
0054CA81 8BD8 mov ebx,eax
0054CA83 8BC3 mov eax,ebx
0054CA85 E8 AEF5FFFF call 0054C038
//系统函数地址填充FirstThunk
0054CA8A 84C0 test al,al
0054CA8C 0F84 06040000 je 0054CE98
0054CA92 E8 41DAFFFF call 0054A4D8
0054CA97 A1 90F65400 mov eax,dword ptr ds:[54F690]
0054CA9C E8 FBDBFFFF call 0054A69C
0054CAA1 8BD8 mov ebx,eax
0054CAA3 833D D8F85400 00 cmp dword ptr ds:[54F8D8],0
//判断是否Encrypt Resources
0054CAAA 76 07 jbe short 0054CAB3
0054CAAC 8BC3 mov eax,ebx
0054CAAE E8 59F4FFFF call 0054BF0C
//处理资源加密
0054CAB3 A1 94F65400 mov eax,dword ptr ds:[54F694]
0054CAB8 833D DCF85400 00 cmp dword ptr ds:[54F8DC],0
0054CABF 76 30 jbe short 0054CAF1
修正第二步dump文件的ImportTable RVA=00067000,Size用原来的即可,当然也可以手动计算一下。
为何知道0054CA77处看到的[54F688]值是ImportTable RVA ?
1.你可以去00400000+00067000处观察一下,会发现那里就是IMAGE_IMPORT_DESCRIPTOR结构
2.我用ProActivate加壳Notepad.exe比较过
_____________________________________________________________
四、OEP
去OEP就很简单了,可以使用第二区段内存断点法。
也可以向下搜索特定码,Ctrl+B:64 ?? ?? FF ?? ?? ?? ?? ?? C3
0054CCD9 A1 BC065500 mov eax,dword ptr ds:[5506BC]
0054CCDE 83C0 08 add eax,8
0054CCE1 3BD8 cmp ebx,eax
0054CCE3 75 3D jnz short 0054CD22
0054CCE5 A1 C0065500 mov eax,dword ptr ds:[5506C0]
0054CCEA 0105 A0065500 add dword ptr ds:[5506A0],eax
0054CCF0 33C0 xor eax,eax
0054CCF2 55 push ebp
0054CCF3 68 0FCD5400 push 54CD0F
0054CCF8 64:FF30 push dword ptr fs:[eax]
0054CCFB 64:8920 mov dword ptr fs:[eax],esp
//找到这里
0054CCFE FF35 A0065500 push dword ptr ds:[5506A0]
0054CD04 C3 retn
//这里设置 硬件执行 断点
//飞向光明之巅
壳有校验,因此不要设置普通CC断点,可以直接F4至0054CD04处,或者设置硬件执行断点后再Shift+F9
0046034C 55 push ebp
//OEP
0046034D 8BEC mov ebp,esp
0046034F 83C4 E0 add esp,-20
00460352 53 push ebx
00460353 33C0 xor eax,eax
00460355 8945 E4 mov dword ptr ss:[ebp-1C],eax
00460358 8945 E0 mov dword ptr ss:[ebp-20],eax
0046035B 8945 EC mov dword ptr ss:[ebp-14],eax
0046035E 8945 E8 mov dword ptr ss:[ebp-18],eax
00460361 B8 B4F94500 mov eax,45F9B4
00460366 E8 1911FAFF call 00401484[/code]
_____________________________________________________________
五、优化
修正脱壳文件的OEP RVA=0006034C,ImportTable RVA=00067000
如果是Encrypt Resources,到OEP dump后把资源部分再粘贴进第二步dump文件的相应部分
也可以到OEP后dump,使用ImportREC修复输入表,不过有原始输入表就显得多此一举了
使用LordPE删除.rsrc后面的4个壳区段,用WinHex删除数据
只保留LordPE的Rebuilder中Validate PE选项,对上面处理的文件Rebuild
脱壳完成
_____________________________________________________________
六、破解
运行脱壳后文件提示“Invalid License info”
载入脱壳后文件搜索字符串,可以找到下面
0044FC07 BA 78004500 mov edx,450078 ; ASCII "Reading License Data"
0044FC0C E8 3FFBFFFF call 0044F750
0044FC11 33D2 xor edx,edx
0044FC13 55 push ebp
0044FC14 68 24004500 push 450024
0044FC19 64:FF32 push dword ptr fs:[edx]
0044FC1C 64:8922 mov dword ptr fs:[edx],esp
0044FC1F C645 FF 00 mov byte ptr ss:[ebp-1],0
0044FC23 B2 01 mov dl,1
0044FC25 A1 D4DF4400 mov eax,dword ptr ds:[44DFD4]
0044FC2A E8 9114FBFF call 004010C0
0044FC2F 8945 F8 mov dword ptr ss:[ebp-8],eax
0044FC32 33D2 xor edx,edx
0044FC34 55 push ebp
0044FC35 68 00004500 push 450000
0044FC3A 64:FF32 push dword ptr fs:[edx]
0044FC3D 64:8922 mov dword ptr fs:[edx],esp
0044FC40 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0044FC43 E8 D4E4FFFF call 0044E11C
//可以看到此CALL是关键
0044FC48 84C0 test al,al
0044FC4A 0F84 4F030000 je 0044FF9F
0044FC50 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0044FC53 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0044FC56 8B52 24 mov edx,dword ptr ds:[edx+24]
0044FC59 E8 6215FBFF call 004011C0
0044FC5E 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0044FC61 B2 7C mov dl,7C
0044FC63 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0044FC66 E8 4194FFFF call 004490AC
0044FC6B 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FC6E E8 9516FBFF call 00401308
0044FC73 83F8 05 cmp eax,5
0044FC76 7D 58 jge short 0044FCD0
0044FC78 E8 9BFAFFFF call 0044F718
0044FC7D 33C9 xor ecx,ecx
0044FC7F BA 98004500 mov edx,450098 ; ASCII "Invalid License Data"
0044FC84 E8 AFFAFFFF call 0044F738
0044FC89 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0044FC8C A1 2C8B4600 mov eax,dword ptr ds:[468B2C]
0044FC91 8B00 mov eax,dword ptr ds:[eax]
0044FC93 E8 1086FFFF call 004482A8
0044FC98 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0044FC9B 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0044FC9E BA B8004500 mov edx,4500B8 ; ASCII ".lic"
0044FCA3 E8 7888FFFF call 00448520
0044FCA8 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0044FCAB 8945 E8 mov dword ptr ss:[ebp-18],eax
0044FCAE C645 EC 0B mov byte ptr ss:[ebp-14],0B
0044FCB2 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0044FCB5 33C9 xor ecx,ecx
0044FCB7 B8 C8004500 mov eax,4500C8 ; ASCII "Invalid License info in %s file."
0044FCBC E8 5F8EFFFF call 00448B20
0044FCC1 E8 B214FBFF call 00401178
0044FCC6 E8 AD14FBFF call 00401178
0044FCCB E9 5B030000 jmp 0045002B
0044FCD0 8D43 68 lea eax,dword ptr ds:[ebx+68]
0044FCD3 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCD6 8B12 mov edx,dword ptr ds:[edx]
0044FCD8 E8 DB14FBFF call 004011B8
0044FCDD 8D43 74 lea eax,dword ptr ds:[ebx+74]
0044FCE0 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCE3 8B52 04 mov edx,dword ptr ds:[edx+4]
0044FCE6 E8 CD14FBFF call 004011B8
0044FCEB 8D43 78 lea eax,dword ptr ds:[ebx+78]
0044FCEE 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0044FCF1 8B52 08 mov edx,dword ptr ds:[edx+8]
0044FCF4 E8 BF14FBFF call 004011B8
0044FCF9 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FCFC 8B40 0C mov eax,dword ptr ds:[eax+C]
0044FCFF BA F4004500 mov edx,4500F4 ; ASCII "FULL"
0044FD04 E8 1715FBFF call 00401220
0044FD09 0F85 87000000 jnz 0044FD96
0044FD0F 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FD12 8B40 10 mov eax,dword ptr ds:[eax+10]
0044FD15 BA 04014500 mov edx,450104 ; ASCII "SITE"
0044FD1A E8 0115FBFF call 00401220
0044FD1F 75 1C jnz short 0044FD3D
0044FD21 E8 F2F9FFFF call 0044F718
0044FD26 33C9 xor ecx,ecx
0044FD28 BA 14014500 mov edx,450114 ; ASCII "Site License."
0044FD2D E8 06FAFFFF call 0044F738
0044FD32 C643 6C 02 mov byte ptr ds:[ebx+6C],2
0044FD36 33C0 xor eax,eax
0044FD38 8943 70 mov dword ptr ds:[ebx+70],eax
0044FD3B EB 41 jmp short 0044FD7E
0044FD3D 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044FD40 8B40 10 mov eax,dword ptr ds:[eax+10]
0044FD43 BA 01000000 mov edx,1
0044FD48 E8 A387FFFF call 004484F0
0044FD4D 8943 70 mov dword ptr ds:[ebx+70],eax
0044FD50 6A 00 push 0
0044FD52 E8 C1F9FFFF call 0044F718
0044FD57 8B53 70 mov edx,dword ptr ds:[ebx+70]
0044FD5A 8955 E8 mov dword ptr ss:[ebp-18],edx
0044FD5D C645 EC 00 mov byte ptr ss:[ebp-14],0
0044FD61 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0044FD64 BA 2C014500 mov edx,45012C ; ASCII "Full License, %d instances."
0044FD69 E8 F2F9FFFF call 0044F760
跟进call 0044E11C里面修改
0044E1F6 E8 BD2FFBFF call 004011B8
0044E1FB 85F6 test esi,esi
0044E1FD 74 0A je short 0044E209
0044E1FF 85FF test edi,edi
0044E201 74 06 je short 0044E209
0044E203 837D FC 00 cmp dword ptr ss:[ebp-4],0
0044E207 75 04 jnz short 0044E20D
0044E209 33DB xor ebx,ebx
0044E20B EB 02 jmp short 0044E20F
0044E20D B3 01 mov bl,1
//修改为mov bl,0即可
0044E20F 33C0 xor eax,eax
0044E211 5A pop edx
0044E212 59 pop ecx
0044E213 59 pop ecx
0044E214 64:8910 mov dword ptr fs:[eax],edx
0044E217 68 2CE24400 push 44E22C
0044E21C 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0044E21F E8 842FFBFF call 004011A8
0044E224 C3 retn
_____________________________________________________________
, _/
/| _.-~/ \_ , 青春都一晌
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了脱壳轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacKed By : fly
http://www.unpack.cn
2007-03-03 24:00
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
学习
|
|
|
学习再学习!
|
|
|
|
|
|
|
|
|
好久没有给你发精华,即然今天赶上了,那就给你一个吧
|
|
|
|
|
|
又见2006
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
