+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Download: http://www.warelex.com/installers/webcam/s60/mobiola_webcam_2_5_7_wl_s60.zip
Description: software for Symbian S60 3rd Edition smartphones, with a PC side and a phone side, that turns your S60 3rd Edition smartphone into a webcam over Bluetooth or a USB cable.
Protection: Armadillo 5.20, dual-process standard mode + Debug-Blocker (anti-debugging); unpacking and repair.
Protection options: actually uses Strategic Code Splicing + Import Table Elimination + Nanomites Processing (CC) + Memory-Patching Protections; CopyMem-II is not used.
Tools: modified OD (OllyDbg), LordPE-DLX, ImportREC 1.6f, ArmInline 0.96f, ArmFP 1.6, Windows XP SP2
Cracked By WksWlj999@sohu.com(q1q2q3999@nokia.it168.com) Jan.2008
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ArmFP 1.6 detection result on Windows XP SP2:
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
CopyMem-II (not actually used; Strategic Code Splicing was not detected either)
Enable Import Table Elimination
Enable Nanomites Processing
Enable Memory-Patching Protections
!- <Backup Key Options>
Variable Backup Keys
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
Store Environment Vars Externally
Allow Only One Copy
Disable Monitoring Thread
Use eSellerate Edition Keys
?- Signature 47267400 30-10-2007
Load it in OD, ignore all exceptions, and hide OD with the IsDebugPresent plugin.
// Turn the dual process into a single process
bp OpenMutexA, F9 to run; when it breaks, look at the stack:
0012F720 0057B1AA /CALL 到 OpenMutexA 来自 BtCam.0057B1A4
0012F724 001F0001 |Access = 1F0001
0012F728 00000000 |Inheritable = FALSE
0012F72C 0012FD7C \MutexName = "584::DA017846DA" ==> note 0012FD7C on the stack
0012F730 00A6BECB
Ctrl+G to 00401000 and assemble the following code:
00401000 60 pushad
00401001 9C pushfd
00401002 68 7CFD1200 push 12FD7C ==> the value seen on the stack
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 B4B2A577 call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 E9 33F7A577 jmp kernel32.OpenMutexA
Set 00401000 as the new EIP and press F9. It stops at the kernel32.OpenMutexA breakpoint; remove the breakpoint and undo the modification at 00401000.
// Bypass the IAT encryption
he GetModuleHandleA (hardware breakpoint). On the 35th F9 an exception occurs; click OK, then Shift+F9 and look at the stack:
...
00129468 00DA5BB5 /CALL 到 GetModuleHandleA 来自 00DA5BAF
0012946C 00DD1BB0 \pModule = "kernel32.dll"
00129470 00DD2B44 ASCII "VirtualAlloc" ==> note
00129474 2E40D6FB
00129468 00DA5BD3 /CALL 到 GetModuleHandleA 来自 00DA5BCD
0012946C 00DD1BB0 \pModule = "kernel32.dll"
00129470 00DD2B38 ASCII "VirtualFree"
00129474 2E40D6FB
001291B4 00D88264 /CALL 到 GetModuleHandleA 来自 00D8825E
001291B8 00129330 \pModule = "kernel32.dll" ==> note: the breakpoint can be removed now; Alt+F9 to return
001291BC 00000000
It returns here:
00D88257 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00D8825D 51 push ecx
00D8825E FF15 C0F0DC00 call dword ptr [DCF0C0] ; KERNEL32.GetModuleHandleA
00D88264 8B55 F4 mov edx, dword ptr [ebp-C] ==> returns to here
00D88267 8B0D 84EFDD00 mov ecx, dword ptr [DDEF84]
00D8826D 890491 mov dword ptr [ecx+edx*4], eax
00D88270 8B55 F4 mov edx, dword ptr [ebp-C]
00D88273 A1 84EFDD00 mov eax, dword ptr [DDEF84]
00D88278 833C90 00 cmp dword ptr [eax+edx*4], 0
00D8827C 75 5C jnz short 00D882DA
00D8827E 8B4D F8 mov ecx, dword ptr [ebp-8]
00D88281 8B51 08 mov edx, dword ptr [ecx+8]
00D88284 83E2 02 and edx, 2
00D88287 74 38 je short 00D882C1
00D88289 B8 02000000 mov eax, 2
00D8828E C1E0 02 shl eax, 2
00D88291 8B0D 04CBDD00 mov ecx, dword ptr [DDCB04] ; BtCam.005B7378
00D88297 8B15 04CBDD00 mov edx, dword ptr [DDCB04] ; BtCam.005B7378
00D8829D 8B35 04CBDD00 mov esi, dword ptr [DDCB04] ; BtCam.005B7378
00D882A3 8B5E 24 mov ebx, dword ptr [esi+24]
00D882A6 335A 34 xor ebx, dword ptr [edx+34]
00D882A9 331C01 xor ebx, dword ptr [ecx+eax]
00D882AC 83E3 10 and ebx, 10
00D882AF F7DB neg ebx
00D882B1 1BDB sbb ebx, ebx
00D882B3 F7DB neg ebx
00D882B5 0FB6C3 movzx eax, bl
00D882B8 85C0 test eax, eax
00D882BA 75 05 jnz short 00D882C1
00D882BC ^ E9 1BFFFFFF jmp 00D881DC
00D882C1 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00D882C7 51 push ecx
00D882C8 FF15 88F0DC00 call dword ptr [DCF088] ; KERNEL32.LoadLibraryA
00D882CE 8B55 F4 mov edx, dword ptr [ebp-C]
00D882D1 8B0D 84EFDD00 mov ecx, dword ptr [DDEF84]
00D882D7 890491 mov dword ptr [ecx+edx*4], eax
00D882DA 8B55 F4 mov edx, dword ptr [ebp-C]
00D882DD A1 84EFDD00 mov eax, dword ptr [DDEF84]
00D882E2 833C90 00 cmp dword ptr [eax+edx*4], 0
00D882E6 75 05 jnz short 00D882ED ==> Magic JMP, NOP it out
00D882E8 ^ E9 EFFEFFFF jmp 00D881DC
00D882ED C785 BCFEFFFF 00000000 mov dword ptr [ebp-144], 0
00D882F7 C785 C0FEFFFF 00000000 mov dword ptr [ebp-140], 0
Search downward for two consecutive salc instructions:
00D8855F 8B45 F4 mov eax, dword ptr [ebp-C]
00D88562 8B0D 84EFDD00 mov ecx, dword ptr [DDEF84]
00D88568 893481 mov dword ptr [ecx+eax*4], esi
00D8856B ^ E9 6CFCFFFF jmp 00D881DC
00D88570 EB 03 jmp short 00D88575 ==> set a breakpoint here
00D88572 D6 salc
00D88573 D6 salc
00D88574 8F ??? ; unknown command
00D88575 8B15 EC5CDE00 mov edx, dword ptr [DE5CEC]
00D8857B 8995 B4FDFFFF mov dword ptr [ebp-24C], edx
00D88581 83BD B4FDFFFF 00 cmp dword ptr [ebp-24C], 0
00D88588 74 36 je short 00D885C0
F9 to run. After it breaks at 00D88570, restore the Magic JMP to its original code; the IAT encryption has now been bypassed.
// Remove the timing check
Remove the breakpoint at 00D88570 and set a hardware breakpoint: he GetTickCount
After the first break, Alt+F9 returns here:
00DA9029 FF15 44F3DC00 call dword ptr [DCF344] ; KERNEL32.GetTickCount
00DA902F 8985 64D7FFFF mov dword ptr [ebp-289C], eax ==> time 1 stored to [ebp-289C]
00DA9035 8B85 48D6FFFF mov eax, dword ptr [ebp-29B8]
00DA903B 8985 68D7FFFF mov dword ptr [ebp-2898], eax
00DA9041 8BB5 60D7FFFF mov esi, dword ptr [ebp-28A0]
00DA9047 6BF6 03 imul esi, esi, 3
00DA904A E8 21720000 call 00DB0270
After the second break, Alt+F9 returns here:
00DA91F8 83C1 04 add ecx, 4
00DA91FB 898D 54D6FFFF mov dword ptr [ebp-29AC], ecx
00DA9201 FF15 44F3DC00 call dword ptr [DCF344] ; KERNEL32.GetTickCount
00DA9207 2B85 64D7FFFF sub eax, dword ptr [ebp-289C] ==> time 2 minus time 1 from [ebp-289C], giving the interval
00DA920D 3D B80B0000 cmp eax, 0BB8 ==> compared with BB8 (3000 ms)
00DA9212 76 12 jbe short 00DA9226 ==> change to jmp short 00DA9226 and single-step once with F7
00DA9214 8B95 98D7FFFF mov edx, dword ptr [ebp-2868]
00DA921A 81F2 C31C724B xor edx, 4B721CC3
00DA9220 8995 98D7FFFF mov dword ptr [ebp-2868], edx
00DA9226 8B85 48D6FFFF mov eax, dword ptr [ebp-29B8] ==> arrive here; remove the breakpoint and undo the modification at 00DA9212
00DA922C 8985 ACABFFFF mov dword ptr [ebp+FFFFABAC], eax
00DA9232 8B8D ACABFFFF mov ecx, dword ptr [ebp+FFFFABAC]
// Find the OEP
Set bp CreateThread. On the second break via Shift+F9 the return address is inside the program's own address space; remove the breakpoint and Alt+F9 to return:
00D939B6 FF15 5CF1DC00 call dword ptr [DCF15C] ; KERNEL32.CreateThread
00D939BC 50 push eax ==> returns to here
00D939BD FF15 5CF2DC00 call dword ptr [DCF25C] ; KERNEL32.CloseHandle
00D939C3 5E pop esi
00D939C4 5B pop ebx
00D939C5 8BE5 mov esp, ebp
00D939C7 5D pop ebp
00D939C8 C3 retn ==> returns to 00DAFA7B
00DAFA7B 83C4 04 add esp, 4 ==> stops here
00DAFA7E B9 B8C4DD00 mov ecx, 0DDC4B8
00DAFA83 E8 18BBFBFF call 00D6B5A0
00DAFA88 0FB6C0 movzx eax, al
00DAFA8B 85C0 test eax, eax
00DAFA8D 74 0C je short 00DAFA9B
Search downward for the nearest retn:
00DAFB6F 8B4D 08 mov ecx, dword ptr [ebp+8]
00DAFB72 8B51 08 mov edx, dword ptr [ecx+8]
00DAFB75 52 push edx
00DAFB76 6A 00 push 0
00DAFB78 8B45 08 mov eax, dword ptr [ebp+8]
00DAFB7B 8B48 0C mov ecx, dword ptr [eax+C]
00DAFB7E 51 push ecx
00DAFB7F 8B55 F4 mov edx, dword ptr [ebp-C]
00DAFB82 2B55 DC sub edx, dword ptr [ebp-24]
00DAFB85 FFD2 call edx ==> the call into the OEP; set a breakpoint here with F2, F9 until it breaks, then F7 to step into it
00DAFB87 8945 FC mov dword ptr [ebp-4], eax
00DAFB8A 8B45 FC mov eax, dword ptr [ebp-4]
00DAFB8D 5E pop esi
00DAFB8E 8BE5 mov esp, ebp
00DAFB90 5D pop ebp
00DAFB91 C3 retn ==> here; look upward for the call edx
Arrive at the OEP:
00425AB5 E8 D76C0000 call 0042C791 ==> stopped at the OEP, the whole area is shown in red.
00425ABA ^ E9 17FEFFFF jmp 004258D6
00425ABF 51 push ecx
00425AC0 C701 38C84400 mov dword ptr [ecx], 0044C838
00425AC6 E8 5A6D0000 call 0042C825
00425ACB 59 pop ecx
00425ACC C3 retn
00425ACD 56 push esi
00425ACE 8BF1 mov esi, ecx
00425AD0 E8 EAFFFFFF call 00425ABF
00425AD5 F64424 08 01 test byte ptr [esp+8], 1
00425ADA 74 07 je short 00425AE3
// Use ArmInline v0.96f to repair Strategic Code Splicing and Import Table Elimination in turn. It is fully automatic, nothing worth describing. Then use LordPE-DLX to dump the whole process (there is only one, since it was turned into a single process).
// Capture the correct import table
Open ImportREC 1.6f and select the program's process. Using the IAT base 54C000 and size 640 rebuilt by ArmInline v0.96f, fill in the fields as follows:
OEP 00025AB5
RVA 0014C000
Size 00000640
Get Imports: all functions are valid, as ArmInline v0.96f has already cleaned them up. Fix the dumped.exe from the previous step. OD, LordPE-DLX and ImportREC 1.6f can now be closed.
Running the repaired dumped_.exe raises an exception; loading it in OD and going to the exception address shows a CC (int3), so the CCs still have to be repaired.
// Repair Nanomites Processing (CC)
First run the original packed program, then open ArmInline v0.96f, press F5 to refresh and select the child process; the Strategic Code Splicing and Import Table Elimination addresses are found automatically (if they are not found, select the other process). Do not repair Strategic Code Splicing and Import Table Elimination; click the Locate button directly. Among roughly 5800 CCs, 436 valid CCs are found and repaired successfully. Then Repair Dump produces dumped_ NanoFix.exe, which runs normally on XP SP2.
// Cracking: the original program has a 3-day trial limit and a 5-minute connection time limit. After unpacking, the 3-day trial limit is already gone; as for the 5-minute connection limit, the key point is easy to find by debugging in OD, and I changed it to 24 hours, heh, plenty for video chat.
// Postscript: undo your code modifications promptly, or the program may run away before reaching the next breakpoint. On the cross-platform question: although the functions from ntdll.dll were replaced with the corresponding ones from kernel32.dll, and RtlRestoreLastWin32Error was replaced with SetLastError, it still would not run on 2K SP4. Tracing in OD showed the problem lies in the code section that ArmInline v0.96f appends to repair the CCs: the lookup of one function, RtlAddVectoredExceptionHandler, fails; this function is new in the newer kernel32.dll on XP and does not exist in the kernel32.dll of Win2K SP4. So it seems it can only run on XP SP2 (however, if the program's CCs are repaired by hand according to ArmInline v0.96f's CC jump table, it should be able to run cross-platform; tracing dumped_.exe in OD and exercising as many functions as possible, after modifying about 60-odd CCs it runs normally on both 2K SP4 and XP SP2).