能力值:
( LV2,RANK:10 )
|
-
-
2 楼
附原文如下:
【破解内容】
首先Peid查壳,Nothing found *!再看EP区段.perplex,原来是Acprotect1.X版加的壳。感觉脱壳比普通Acprotect加壳要稍难一点点,多了入口检查,可能还有一点暗桩,但不影响破解。
因为是VB程序,Stolen Code很简单,没有必要苦苦跟踪,VB的IAT加密目前大部分加密软件都是有心无力的。
OD异常设置不忽略内存异常,全自动隐藏OD插件帮你隐藏住OD,载入程序。
0044F000 > 60 PUSHAD //外壳入口,F9运行。
0044F001 66:8BCB MOV CX,BX
0044F004 D3E9 SHR ECX,CL
0044F006 8BFB MOV EDI,EBX
0044F008 49 DEC ECX
0044F009 D3CB ROR EBX,CL
0044F00B F8 CLC
0044F00C 42 INC EDX
0044F00D 87D5 XCHG EBP,EDX
0044F00F F9 STC
0044F010 85E9 TEST ECX,EBP
0044F012 B8 56F04400 MOV EAX,adalinks.0044F056
0044F017 BB C7C7DFB6 MOV EBX,B6DFC7C7
0044F01C 66:8BE8 MOV BP,AX
0044F01F 81F3 F3D9770E XOR EBX,0E77D9F3
..................................................
0045DAAD CD 01 INT 1 //最后一次异常。
0045DAAF 40 INC EAX
0045DAB0 40 INC EAX
0045DAB1 0BC0 OR EAX,EAX
0045DAB3 75 05 JNZ SHORT adalinks.0045DABA
0045DAB5 90 NOP
0045DAB6 90 NOP
0045DAB7 90 NOP
0045DAB8 90 NOP
0045DAB9 61 POPAD
0045DABA 33C0 XOR EAX,EAX
0045DABC 64:8F00 POP DWORD PTR FS:[EAX]
0045DABF 58 POP EAX
0045DAC0 60 PUSHAD
0045DAC1 E8 00000000 CALL adalinks.0045DAC6
..................................................
Alt+M 打开内存镜像
内存镜像,项目 12
地址=00401000 //下内存访问断点
大小=00046000 (286720.)
Owner=adalinks 00400000
区段=.text
包含=code
类型=Imag 01001002
访问=R
初始访问=RWE
00402280 - FF25 DC114000 JMP DWORD PTR DS:[4011DC] //停在VB程序的伪Oep入口。
00402286 0000 ADD BYTE PTR DS:[EAX],AL
00402288 6A 1C PUSH 1C
0040228A A0 9A2B7379 MOV AL,BYTE PTR DS:[79732B9A]
0040228F BA F0AA0000 MOV EDX,0AAF0
00402294 48 DEC EAX
00402295 0000 ADD BYTE PTR DS:[EAX],AL
00402297 0030 ADD BYTE PTR DS:[EAX],DH
00402299 0000 ADD BYTE PTR DS:[EAX],AL
0040229B 0040 00 ADD BYTE PTR DS:[EAX],AL
0040229E 0000 ADD BYTE PTR DS:[EAX],AL
.....................................................
堆栈友好提示。
0012FFBC 004681FA 返回到 adalinks.004681FA 来自 adalinks.00402280
0012FFC0 0040271C adalinks.0040271C //这里是 OEP第一句执行结果。
0012FFC4 77E67903 返回到 KERNEL32.77E67903
VB的入口代码能搞飞机的地方就两句。
00401166 - FF25 6C104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
0040116C > 68 147C4000 PUSH Packme.00407C14 //比如这就是一个VB程序入口例子。
00401171 E8 F0FFFFFF CALL <JMP.&MSVBVM60.#100> //这里实际就是Call 00401166
00401176 0000 ADD BYTE PTR DS:[EAX],AL
00401178 0000 ADD BYTE PTR DS:[EAX],AL
0040117A 0000 ADD BYTE PTR DS:[EAX],AL
0040117C 3000 XOR BYTE PTR DS:[EAX],AL
0040117E 0000 ADD BYTE PTR DS:[EAX],AL
00401180 3800 CMP BYTE PTR DS:[EAX],AL
00401182 0000 ADD BYTE PTR DS:[EAX],AL
00401184 0000 ADD BYTE PTR DS:[EAX],AL
.....................................................
平时苦练的基本功发生效果。基本功==观察未脱壳程序入口代码执行过程-堆栈内容。
于是补上
00402280 - FF25 DC114000 JMP DWORD PTR DS:[4011DC] ; MSVBVM60.ThunRTMain
00402286 68 1C274000 PUSH adalinks.0040271C
0040228B E8 F0FFFFFF CALL adalinks.00402280 ; JMP to MSVBVM60.ThunRTMain
00402290 F0:AA LOCK STOS BYTE PTR ES:[EDI] //这句极度可疑,我用最新版未注册的Acprotect1.23b加密的VB程序补上Stolen Code后,不是这样的语句,可能是未注册和文件大小的原因。因为IAT没有也无法加密,所以直接用OD插件修正入口为2286用重建输入表方式1脱壳。
00402292 0000 ADD BYTE PTR DS:[EAX],AL
00402294 48 DEC EAX
00402295 0000 ADD BYTE PTR DS:[EAX],AL
00402297 0030 ADD BYTE PTR DS:[EAX],DH
00402299 0000 ADD BYTE PTR DS:[EAX],AL
0040229B 0040 00 ADD BYTE PTR DS:[EAX],AL
0040229E 0000 ADD BYTE PTR DS:[EAX],AL
004022A0 0000 ADD BYTE PTR DS:[EAX],AL
004022A2 0000 ADD BYTE PTR DS:[EAX],AL
.....................................................
用OD载入脱壳文件,可以运行了,但是填入注册码后,确认注册,OD内存异常。
0013453B 6B0D F0ADBA0D F>IMUL ECX,DWORD PTR DS:[DBAADF0],-10
00134542 AD LODS DWORD PTR DS:[ESI]
00134543 BA 0DF0ADBA MOV EDX,BAADF00D
00134548 0D F0ADBA0D OR EAX,0DBAADF0
0013454D F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
0013454F BA 0DF0ADBA MOV EDX,BAADF00D
00134554 0D F0ADBA0D OR EAX,0DBAADF0
00134559 F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
0013455B BA 0DF0ADBA MOV EDX,BAADF00D
00134560 0D F0ADBA0D OR EAX,0DBAADF0
00134565 F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
00134567 BA 0DF0ADBA MOV EDX,BAADF00D
0013456C 0D F0ADBA0D OR EAX,0DBAADF0
00134571 F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
00134573 BA 0DF0ADBA MOV EDX,BAADF00D
00134578 0D F0ADBA0D OR EAX,0DBAADF0
0013457D F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
0013457F BA 0DF0ADBA MOV EDX,BAADF00D
00134584 0D F0ADBA0D OR EAX,0DBAADF0
00134589 F0:AD LOCK LODS DWORD PTR DS:[ESI] ; 锁定前缀是不允许的
0013458B BA 0DF0ADBA MOV EDX,BAADF00D
00134590 0D F0ADBA0D OR EAX,0DBAADF0
.....................................................
这个是ACProtect的特性。
● 嵌入式加密系统 – 你可以自行指定程序中所需加密的代码段,通过使用这个系统,那怕破解者知道你的程序的入口点(OEP),也无法在脱壳后重建输入表。
● 多态引擎 - 有效的动态变异,使受保护的软件代码进行职能转换。只有在正常使用时才能被正确解码,运行完毕之后,可以恢复到加密状态。
简单处理就是让程序从加密程序的OEP开始运行。
加密程序
0044F000 > 60 PUSHAD //加密程序入口。
0044F001 66:8BCB MOV CX,BX
0044F004 D3E9 SHR ECX,CL
0044F006 8BFB MOV EDI,EBX
0044F008 49 DEC ECX
0044F009 D3CB ROR EBX,CL
0044F00B F8 CLC
0044F00C 42 INC EDX
..............................................
00402286 > 68 1C274000 PUSH 1.0040271C //脱壳程序入口。
0040228B E8 F0FFFFFF CALL <JMP.&MSVBVM60.ThunRTMain>
00402290 F0:AA LOCK STOS BYTE PTR ES:[EDI] ; 锁定前缀是不允许的
00402292 0000 ADD BYTE PTR DS:[EAX],AL
00402294 48 DEC EAX
00402295 0000 ADD BYTE PTR DS:[EAX],AL
00402297 0030 ADD BYTE PTR DS:[EAX],DH
00402299 0000 ADD BYTE PTR DS:[EAX],AL
..............................................
Ctrl+G去 0044F000
OD直接修改
0044F000 60 PUSHAD
0044F001 66:8BCB MOV CX,BX
0044F004 D3E9 SHR ECX,CL
0044F006 8BFB MOV EDI,EBX
0044F008 49 DEC ECX
0044F009 D3CB ROR EBX,CL
0044F00B F8 CLC
0044F00C 42 INC EDX
0044F00D 87D5 XCHG EBP,EDX
0044F00F F9 STC
0044F010 85E9 TEST ECX,EBP
0044F012 B8 56F04400 MOV EAX,1.0044F056
0044F017 BB C7C7DFB6 MOV EBX,B6DFC7C7
为
0044F000 - E9 8132FBFF JMP 00402286
0044F005 90 NOP
0044F006 8BFB MOV EDI,EBX
0044F008 49 DEC ECX
0044F009 D3CB ROR EBX,CL
0044F00B F8 CLC
0044F00C 42 INC EDX
0044F00D 87D5 XCHG EBP,EDX
0044F00F F9 STC
复制所有修改到文件中,覆盖脱壳文件,用Loadpe修正入口为4F000。
脱壳基本完成,可以进入程序注册了,完全进入程序,退出有异常,还有暗桩没有解决,但已经可以搞定它的注册了。
看到注册失败的提示是个VB窗口,不好下断点,W32dasm也找不到注册失败!这种双字节的VB资源。
先用Getvbres修改 注册失败!为 zzzzz ,注意字符长度相等,不然文件损坏,保存修改。
W32Dasm 反汇编程序直接发现
* Possible StringData Ref from Code Obj ->"zzzzz" //就是注册失败!
|
:00437F4A C78558FFFFFF50954000 mov dword ptr [ebp+FFFFFF58], 00409550
:00437F54 C78550FFFFFF08000000 mov dword ptr [ebp+FFFFFF50], 00000008
:00437F5E FFD3 call ebx
:00437F60 6A0D push 0000000D
:00437F62 8D4D90 lea ecx, dword ptr [ebp-70]
:00437F65 51 push ecx
:00437F66 FFD3 call ebx
向上截取一段关键代码分析。
* Possible StringData Ref from Code Obj ->"760010" //应该是不用网上注册的通用注册名。
|
:00437F14 683C954000 push 0040953C
:00437F19 F7DB neg ebx
:00437F1B FF15F8104000 call dword ptr [004010F8]
:00437F21 F7D8 neg eax
:00437F23 1BC0 sbb eax, eax
:00437F25 40 inc eax
:00437F26 0BD8 or ebx, eax
:00437F28 C7852CFFFFFFFFFFFFFF mov dword ptr [ebp+FFFFFF2C], FFFFFFFF
:00437F32 89BD28FFFFFF mov dword ptr [ebp+FFFFFF28], edi
:00437F38 0F85CF000000 jne 0043800D //必须跳转。
:00437F3E 8B1D74114000 mov ebx, dword ptr [00401174]
:00437F44 6A0A push 0000000A
:00437F46 8D45B0 lea eax, dword ptr [ebp-50]
:00437F49 50 push eax
当我们任意输入
用户名: 760010
注册码: 9999999
软件提示注册成功,重启动软件又是没有注册。
跟踪了一下,发现它是先祝贺注册成功,再校验注册码真伪。
这次用
用户名: Mr.David
注册码: 9999999
试试,OD动态调试时候先修改上面的Z标志,Alt+F5切换OD的前台显示便于调试。
* Possible StringData Ref from Code Obj ->"zzzzz" //注册失败。
|
:00437F4A C78558FFFFFF50954000 mov dword ptr [ebp+FFFFFF58], 00409550
:00437F54 C78550FFFFFF08000000 mov dword ptr [ebp+FFFFFF50], 00000008
:00437F5E FFD3 call ebx
:00437F60 6A0D push 0000000D
:00437F62 8D4D90 lea ecx, dword ptr [ebp-70]
....................................................................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437F38(C) //注册成功跳转。
|
:0043800D 8D9550FFFFFF lea edx, dword ptr [ebp+FFFFFF50]
:00438013 8D4DB0 lea ecx, dword ptr [ebp-50]
:00438016 C78558FFFFFF90954000 mov dword ptr [ebp+FFFFFF58], 00409590
:00438020 C78550FFFFFF08000000 mov dword ptr [ebp+FFFFFF50], 00000008
:0043802A FF15EC114000 call dword ptr [004011EC]
:00438030 8D952CFFFFFF lea edx, dword ptr [ebp+FFFFFF2C]
:00438036 52 push edx
:00438037 8D8528FFFFFF lea eax, dword ptr [ebp+FFFFFF28]
:0043803D 50 push eax
:0043803E 8D4DB0 lea ecx, dword ptr [ebp-50]
:00438041 51 push ecx
:00438042 E8695FFFFF call 0042DFB0 //提示注册成功,比较注册码在下面。
:00438047 8D4DB0 lea ecx, dword ptr [ebp-50]
:0043804A FF151C104000 call dword ptr [0040101C]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437FF7(C), :0043800B(U)
|
:00438050 8B5D10 mov ebx, dword ptr [ebp+10]
:00438053 8B13 mov edx, dword ptr [ebx]
:00438055 8B45D0 mov eax, dword ptr [ebp-30]
:00438058 52 push edx 假注册码9999999999999"
:00438059 50 push eax 真注册码grrm7++baoo',.+%e[j
:0043805A FF15F8104000 call dword ptr [004010F8] MSVBVM60.__vbaStrCmp比较函数。
:00438060 8B0B mov ecx, dword ptr [ebx]
:00438062 8BD0 mov edx, eax
:00438064 8B45D4 mov eax, dword ptr [ebp-2C]
:00438067 F7DA neg edx
:00438069 1BD2 sbb edx, edx
:0043806B 51 push ecx
:0043806C F7DA neg edx
:0043806E 50 push eax
:0043806F 899504FFFFFF mov dword ptr [ebp+FFFFFF04], edx
:00438075 FF15F8104000 call dword ptr [004010F8]
:0043807B 8B8D04FFFFFF mov ecx, dword ptr [ebp+FFFFFF04]
:00438081 F7D8 neg eax
:00438083 1BC0 sbb eax, eax
:00438085 F7D8 neg eax
:00438087 85C8 test eax, ecx
:00438089 0F85F0000000 jne 0043817F 注册码不对跳转。
:0043808F 8B55EC mov edx, dword ptr [ebp-14] C:\Winnt\System32
:00438092 52 push edx
* Possible StringData Ref from Code Obj ->"\iwin_ada.dll" 写入注册信息 Mr.David。
|
:00438093 686C874000 push 0040876C
:00438098 FF1570104000 call dword ptr [00401070]
:0043809E 8BD0 mov edx, eax
:004380A0 8D4DCC lea ecx, dword ptr [ebp-34]
:004380A3 FFD6 call esi
:004380A5 8B1D9C114000 mov ebx, dword ptr [0040119C]
:004380AB 50 push eax
:004380AC 6A01 push 00000001
:004380AE 6AFF push FFFFFFFF
:004380B0 6A02 push 00000002
:004380B2 FFD3 call ebx
:004380B4 8D4DCC lea ecx, dword ptr [ebp-34]
:004380B7 FF1558124000 call dword ptr [00401258]
:004380BD 8B450C mov eax, dword ptr [ebp+0C]
:004380C0 8B08 mov ecx, dword ptr [eax]
:004380C2 51 push ecx
:004380C3 6A01 push 00000001
:004380C5 6838874000 push 00408738
:004380CA FF155C114000 call dword ptr [0040115C]
:004380D0 83C40C add esp, 0000000C
:004380D3 6A01 push 00000001
:004380D5 FF15E8104000 call dword ptr [004010E8]
:004380DB 8B55E8 mov edx, dword ptr [ebp-18] C:\winnt
:004380DE 52 push edx
* Possible StringData Ref from Code Obj ->"\iwin_ada.dll"
|
:004380DF 686C874000 push 0040876C
:004380E4 FF1570104000 call dword ptr [00401070]
:004380EA 8BD0 mov edx, eax
:004380EC 8D4DCC lea ecx, dword ptr [ebp-34]
:004380EF FFD6 call esi
:004380F1 50 push eax
:004380F2 6A02 push 00000002
:004380F4 6AFF push FFFFFFFF
:004380F6 6A02 push 00000002
:004380F8 FFD3 call ebx
:004380FA 8D4DCC lea ecx, dword ptr [ebp-34]
:004380FD FF1558124000 call dword ptr [00401258]
:00438103 8B4510 mov eax, dword ptr [ebp+10]
:00438106 8B08 mov ecx, dword ptr [eax]
:00438108 51 push ecx
:00438109 6A02 push 00000002
:0043810B 6838874000 push 00408738
:00438110 FF155C114000 call dword ptr [0040115C]
:00438116 83C40C add esp, 0000000C
:00438119 6A02 push 00000002
:0043811B FF15E8104000 call dword ptr [004010E8]
:00438121 393D947D4400 cmp dword ptr [00447D94], edi
:00438127 7510 jne 00438139
:00438129 68947D4400 push 00447D94
:0043812E 684C7F4000 push 00407F4C
:00438133 FF15A0114000 call dword ptr [004011A0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438127(C)
|
:00438139 A1947D4400 mov eax, dword ptr [00447D94]
:0043813E 8B5508 mov edx, dword ptr [ebp+08]
:00438141 8B18 mov ebx, dword ptr [eax]
:00438143 898524FFFFFF mov dword ptr [ebp+FFFFFF24], eax
:00438149 52 push edx
:0043814A 8D45C0 lea eax, dword ptr [ebp-40]
:0043814D 50 push eax
:0043814E FF15B4104000 call dword ptr [004010B4]
:00438154 8BCB mov ecx, ebx
:00438156 8B9D24FFFFFF mov ebx, dword ptr [ebp+FFFFFF24]
:0043815C 50 push eax
:0043815D 53 push ebx
:0043815E FF5110 call [ecx+10]
:00438161 DBE2 fclex
:00438163 3BC7 cmp eax, edi
:00438165 7D0F jge 00438176
:00438167 6A10 push 00000010
:00438169 683C7F4000 push 00407F3C
:0043816E 53 push ebx
:0043816F 50 push eax
:00438170 FF1580104000 call dword ptr [00401080]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438165(C)
|
:00438176 8D4DC0 lea ecx, dword ptr [ebp-40]
:00438179 FF1554124000 call dword ptr [00401254]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438089(C)
|
:0043817F 8B7D10 mov edi, dword ptr [ebp+10]
:00438182 8B17 mov edx, dword ptr [edi]
:00438184 8B45D0 mov eax, dword ptr [ebp-30]
:00438187 8B1DF8104000 mov ebx, dword ptr [004010F8]
:0043818D 52 push edx
:0043818E 50 push eax
:0043818F FFD3 call ebx
:00438191 8B0F mov ecx, dword ptr [edi]
:00438193 8BD0 mov edx, eax
:00438195 8B45D4 mov eax, dword ptr [ebp-2C]
:00438198 F7DA neg edx
:0043819A 1BD2 sbb edx, edx
:0043819C 51 push ecx
:0043819D F7DA neg edx
:0043819F 50 push eax
:004381A0 8995FCFEFFFF mov dword ptr [ebp+FFFFFEFC], edx
:004381A6 FFD3 call ebx
:004381A8 8B8DFCFEFFFF mov ecx, dword ptr [ebp+FFFFFEFC]
:004381AE F7D8 neg eax
:004381B0 1BC0 sbb eax, eax
:004381B2 F7D8 neg eax
:004381B4 85C8 test eax, ecx
:004381B6 0F8590000000 jne 0043824C //第二次校验,不能跳转。
:004381BC 8B55EC mov edx, dword ptr [ebp-14]
:004381BF 8B3D70104000 mov edi, dword ptr [00401070]
:004381C5 52 push edx
* Possible StringData Ref from Code Obj ->"\0O0O0O.dll" //写入相关信息。
|
:004381C6 68A0874000 push 004087A0
:004381CB FFD7 call edi
:004381CD 8BD0 mov edx, eax
:004381CF 8D4DCC lea ecx, dword ptr [ebp-34]
:004381D2 FFD6 call esi
:004381D4 50 push eax
:004381D5 6A01 push 00000001
:004381D7 6AFF push FFFFFFFF
:004381D9 6A02 push 00000002
:004381DB FF159C114000 call dword ptr [0040119C]
:004381E1 8B1D58124000 mov ebx, dword ptr [00401258]
:004381E7 8D4DCC lea ecx, dword ptr [ebp-34]
:004381EA FFD3 call ebx
:004381EC 8B450C mov eax, dword ptr [ebp+0C]
:004381EF 8B08 mov ecx, dword ptr [eax]
:004381F1 51 push ecx
:004381F2 6A01 push 00000001
:004381F4 6838874000 push 00408738
:004381F9 FF155C114000 call dword ptr [0040115C]
:004381FF 83C40C add esp, 0000000C
:00438202 6A01 push 00000001
:00438204 FF15E8104000 call dword ptr [004010E8]
:0043820A 8B55E8 mov edx, dword ptr [ebp-18]
:0043820D 52 push edx
* Possible StringData Ref from Code Obj ->"\O0O0O0.dll" //写入相关信息。
|
:0043820E 68BC874000 push 004087BC
:00438213 FFD7 call edi
:00438215 8BD0 mov edx, eax
:00438217 8D4DCC lea ecx, dword ptr [ebp-34]
:0043821A FFD6 call esi
:0043821C 50 push eax
:0043821D 6A02 push 00000002
:0043821F 6AFF push FFFFFFFF
:00438221 6A02 push 00000002
:00438223 FF159C114000 call dword ptr [0040119C]
:00438229 8D4DCC lea ecx, dword ptr [ebp-34]
:0043822C FFD3 call ebx
:0043822E 8B4510 mov eax, dword ptr [ebp+10]
:00438231 8B08 mov ecx, dword ptr [eax]
:00438233 51 push ecx
:00438234 6A02 push 00000002
:00438236 6838874000 push 00408738
:0043823B FF155C114000 call dword ptr [0040115C]
:00438241 83C40C add esp, 0000000C
:00438244 6A02 push 00000002
:00438246 FF15E8104000 call dword ptr [004010E8]
.....................................................................
运行程序,已经注册成功了。
【破解总结】
c:\winnt\system\iwin_ada.dll 内容 Mr.David
c:\winnt\iwin_ada.dll 内容 grrm7++baoo',.+%e[j
c:\winnt\system\0O0O0O.dll 内容 Mr.David
c:\winnt\O0O0O0.dll 内容 grrm7++baoo',.+%e[j
四处文件同时存在==正式注册用户,缺一不可。
内存注册机。
修改内存
修改地址
00438089
修改长度
6
原始指令
0F85F0000000
修改指令
0F84F0000000
中断地址
0043805A
中断次数
1
第一字节
FF
指令长度
6
内存方式,寄存器EAX,宽字符串。
倒,Acprotect反补丁,反注册机,失败。
不过已经注册了,
|
好像不是这个呀。反正也不是那个a_p改的自动脚本。
