Today's topic: unpacking ACProtect 1.4x -> RISCO soft * + cracking
Target program: 阿达连连看 3.58
Video and program download:
http://rapidshare.de/files/40742130/____acprotect1.4X______.rar
1. Unpacking
Load it in OllyDbg; it stops at
0044F000 > 60 pushad ; packer entry point
0044F001 66:8BCB mov cx, bx
0044F004 D3E9 shr ecx, cl
0044F006 8BFB mov edi, ebx
0044F008 49 dec ecx
0044F009 D3CB ror ebx, cl
0044F00B F8 clc
0044F00C 42 inc edx
0044F00D 87D5 xchg ebp, edx
Set OllyDbg to ignore all exceptions except INT3, press F9 to run, and you arrive at
0045DCFF 90 nop ; last exception
0045DD00 64:67:8F06 0000 pop dword ptr fs:[0]
0045DD06 83C4 04 add esp, 4
0045DD09 60 pushad
0045DD0A E8 00000000 call 0045DD0F
0045DD0F 5E pop esi
0045DD10 83EE 06 sub esi, 6
Look at the exception handler on the stack, follow it in the data window and set a memory-access breakpoint. Run with Shift+F9; when it breaks, set an F2 breakpoint and continue with F9; when it breaks again, remove all breakpoints and press F4 to reach the end of the block.
Now open the memory map, set an F2 breakpoint on the 00401000 section and run with Shift+F9 to arrive at the OEP, which looks like this:
00402280 - FF25 DC114000 jmp dword ptr [4011DC] ; MSVBVM60.ThunRTMain
00402286 0000 add byte ptr [eax], al
00402288 6A 1C push 1C
0040228A A0 9A2B7379 mov al, byte ptr [79732B9A]
0040228F BA F0AA0000 mov edx, 0AAF0
00402294 48 dec eax
From the code characteristics this is a VB program, and the packer has stolen the code at the OEP. Because it is a VB program the stolen code is only two instructions, and analysis shows them to be
push 0040271c
call 00402280
Restore these two instructions and dump the program. It runs, but throws exceptions.
That is a feature of ACProtect:
a. Embedded encryption system: you can choose which code segments of your program are encrypted; with this system, even if a cracker knows the program's entry point (OEP), the import table cannot be rebuilt after unpacking.
b. Polymorphic engine: code is only decoded correctly during normal use and returns to its encrypted state after it has run.
The simple fix is to let the program start running from the packer's entry point, i.e. change
0044F000 > 60 pushad ; packer entry point
to
0044F000 >- E9 8136FBFF jmp 00402686
Change the entry point with LordPE, rebuild the PE, and everything is done.
2. Cracking
Set the breakpoint bp __vbaStrCmp, then remove the breakpoint, return to the code below and trace it roughly by single-stepping
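Two facts from the unpacking section above are worth turning into a check a triage analyst can run: the PE header's entry point sits in the packer's section (0044F000) rather than in .text, and a VB6 program's real OEP is the fixed stub push <VB header>; call <thunk>, where the thunk is jmp [IAT slot] to MSVBVM60.ThunRTMain. The Python below is an added example written for this page, not code from the post or from any tool it mentions. It builds a constructed minimal PE32 image (section names, RVAs and the 0x400000 image base are sample values, not the game's) with the entry point either in .text or in a hypothetical packer section, parses the headers with struct, reports which section holds the entry point and whether the bytes there match the VB6 start-up stub.

```python
import struct

IMAGE_BASE = 0x400000  # sample value for the constructed image


def build_sample_pe(entry_rva, text_code):
    """Constructed PE32 image: a .text section at RVA 0x1000 and a hypothetical
    packer section '.pack' at RVA 0x4F000 whose first byte is pushad (0x60)."""
    sections = [
        (b".text", 0x1000, text_code.ljust(0x200, b"\x00"), 0x60000020),
        (b".pack", 0x4F000, b"\x60" + b"\x00" * 0x1FF, 0xE0000020),
    ]
    headers_size, raw_off = 0x400, 0x400
    sec_hdrs, raw_blobs = b"", b""
    for name, rva, raw, flags in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(raw), rva,
                                len(raw), raw_off, 0, 0, 0, 0, flags)
        raw_blobs += raw
        raw_off += len(raw)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    # Optional header (PE32): Magic .. AddressOfEntryPoint at +16, ImageBase at +28
    opt = struct.pack("<HBBIIIIIII", 0x10B, 6, 0, 0x200, 0x200, 0,
                      entry_rva, 0x1000, 0x4F000, IMAGE_BASE).ljust(0xE0, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x010F)
    hdr = dos + b"PE\x00\x00" + coff + opt + sec_hdrs
    return hdr.ljust(headers_size, b"\x00") + raw_blobs


def parse_pe(data):
    """Read entry point, image base and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(info, rva):
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(info, rva):
    s = section_for_rva(info, rva)
    return None if s is None else s["raw"] + (rva - s["va"])


def looks_like_vb6_stub(data, info):
    """VB6 start-up: 68 imm32 (push VB header); E8 rel32 (call thunk); thunk is FF 25 (jmp [IAT])."""
    off = rva_to_offset(info, info["entry_rva"])
    if off is None or data[off] != 0x68 or data[off + 5] != 0xE8:
        return False
    rel = struct.unpack_from("<i", data, off + 6)[0]
    toff = rva_to_offset(info, info["entry_rva"] + 10 + rel)
    return toff is not None and data[toff:toff + 2] == b"\xff\x25"


def assess(data):
    """Packer heuristic: entry point outside the first section, or no VB6 stub at the entry."""
    info = parse_pe(data)
    sec = section_for_rva(info, info["entry_rva"])
    first = info["sections"][0] if info["sections"] else None
    return {
        "entry_va": info["image_base"] + info["entry_rva"],
        "entry_section": sec["name"] if sec else None,
        "entry_in_first_section": sec is not None and sec is first,
        "vb6_stub_at_entry": looks_like_vb6_stub(data, info),
    }


# Constructed .text contents: push 0040271C; call +0 (lands on the thunk); jmp dword ptr [004011DC]
VB_STUB = bytes.fromhex("681C274000" "E800000000" "FF25DC114000")
UNPACKED = build_sample_pe(0x1000, VB_STUB)    # entry point on the VB6 stub in .text
PACKED = build_sample_pe(0x4F000, VB_STUB)     # entry point on pushad in the packer section

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, assess(img))
```

The packed sample reports entry_va 0x44F000 in ".pack" with no VB6 stub, which is the shape of the header the post starts from; the unpacked sample reports the entry in .text with the stub recognised. On a real file the same parser also tells you the raw file offset of the entry bytes, which is what you edit when restoring the two stolen instructions.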
00436E0F . 8BF0 mov esi, eax
00436E11 . F7DE neg esi
00436E13 . 1BF6 sbb esi, esi
Continue single-stepping
00436ED6 . /0F85 7B010000 jnz 00437057 ; this jump can be bypassed; testing shows that taking it produces no response
00436EDC . |C745 FC 12000>mov dword ptr [ebp-4], 12
00436EE3 . |8B55 08 mov edx, dword ptr [ebp+8]
00436EE6 . |8B02 mov eax, dword ptr [edx]
00436EE8 . |8B4D 08 mov ecx, dword ptr [ebp+8]
00436EEB . |51 push ecx
00436EEC . |FF90 00030000 call dword ptr [eax+300]
00436EF2 . |50 push eax
00436EF3 . |8D55 90 lea edx, dword ptr [ebp-70]
00436EF6 . |52 push edx
00436EF7 . |FF15 A8B04600 call dword ptr [<&msvbvm60.__vbaObjSe>; msvbvm60.__vbaObjSet
00436EFD . |8985 60FFFFFF mov dword ptr [ebp-A0], eax
00436F03 . |8D45 A0 lea eax, dword ptr [ebp-60]
00436F06 . |50 push eax
00436F07 . |8B8D 60FFFFFF mov ecx, dword ptr [ebp-A0]
00436F0D . |8B11 mov edx, dword ptr [ecx]
00436F0F . |8B85 60FFFFFF mov eax, dword ptr [ebp-A0]
00436F15 . |50 push eax
00436F16 . |FF92 A0000000 call dword ptr [edx+A0]
00436F1C . |DBE2 fclex
00436F1E . |8985 5CFFFFFF mov dword ptr [ebp-A4], eax
00436F24 . |83BD 5CFFFFFF>cmp dword ptr [ebp-A4], 0
00436F2B . |7D 26 jge short 00436F53
00436F2D . |68 A0000000 push 0A0
00436F32 . |68 A48D4000 push 00408DA4
00436F37 . |8B8D 60FFFFFF mov ecx, dword ptr [ebp-A0]
00436F3D . |51 push ecx
00436F3E . |8B95 5CFFFFFF mov edx, dword ptr [ebp-A4]
00436F44 . |52 push edx
00436F45 . |FF15 80B04600 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00436F4B . |8985 C4FEFFFF mov dword ptr [ebp-13C], eax
00436F51 . |EB 0A jmp short 00436F5D
00436F53 > |C785 C4FEFFFF>mov dword ptr [ebp-13C], 0
00436F5D > |8B45 08 mov eax, dword ptr [ebp+8]
00436F60 . |8B08 mov ecx, dword ptr [eax]
00436F62 . |8B55 08 mov edx, dword ptr [ebp+8]
00436F65 . |52 push edx
00436F66 . |FF91 FC020000 call dword ptr [ecx+2FC]
00436F6C . |50 push eax
00436F6D . |8D45 8C lea eax, dword ptr [ebp-74]
00436F70 . |50 push eax
00436F71 . |FF15 A8B04600 call dword ptr [<&msvbvm60.__vbaObjSe>; msvbvm60.__vbaObjSet
00436F77 . |8985 58FFFFFF mov dword ptr [ebp-A8], eax
00436F7D . |8D4D 9C lea ecx, dword ptr [ebp-64]
00436F80 . |51 push ecx
00436F81 . |8B95 58FFFFFF mov edx, dword ptr [ebp-A8]
00436F87 . |8B02 mov eax, dword ptr [edx]
00436F89 . |8B8D 58FFFFFF mov ecx, dword ptr [ebp-A8]
00436F8F . |51 push ecx
00436F90 . |FF90 A0000000 call dword ptr [eax+A0]
00436F96 . |DBE2 fclex
00436F98 . |8985 54FFFFFF mov dword ptr [ebp-AC], eax
00436F9E . |83BD 54FFFFFF>cmp dword ptr [ebp-AC], 0
00436FA5 . |7D 26 jge short 00436FCD
00436FA7 . |68 A0000000 push 0A0
00436FAC . |68 A48D4000 push 00408DA4
00436FB1 . |8B95 58FFFFFF mov edx, dword ptr [ebp-A8]
00436FB7 . |52 push edx
00436FB8 . |8B85 54FFFFFF mov eax, dword ptr [ebp-AC]
00436FBE . |50 push eax
00436FBF . |FF15 80B04600 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00436FC5 . |8985 C0FEFFFF mov dword ptr [ebp-140], eax
00436FCB . |EB 0A jmp short 00436FD7
00436FCD > |C785 C0FEFFFF>mov dword ptr [ebp-140], 0
00436FD7 > |8B4D 9C mov ecx, dword ptr [ebp-64]
00436FDA . |898D 20FFFFFF mov dword ptr [ebp-E0], ecx
00436FE0 . |C745 9C 00000>mov dword ptr [ebp-64], 0
00436FE7 . |8B95 20FFFFFF mov edx, dword ptr [ebp-E0]
00436FED . |8D4D 94 lea ecx, dword ptr [ebp-6C]
00436FF0 . |FF15 1CB24600 call dword ptr [<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
00436FF6 . |8B55 A0 mov edx, dword ptr [ebp-60]
00436FF9 . |8995 1CFFFFFF mov dword ptr [ebp-E4], edx
00436FFF . |C745 A0 00000>mov dword ptr [ebp-60], 0
00437006 . |8B95 1CFFFFFF mov edx, dword ptr [ebp-E4]
0043700C . |8D4D 98 lea ecx, dword ptr [ebp-68]
0043700F . |FF15 1CB24600 call dword ptr [<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
00437015 . |8D45 94 lea eax, dword ptr [ebp-6C]
00437018 . |50 push eax
00437019 . |8D4D 98 lea ecx, dword ptr [ebp-68]
0043701C . |51 push ecx
0043701D . |8B55 08 mov edx, dword ptr [ebp+8]
00437020 . |8B02 mov eax, dword ptr [edx]
00437022 . |8B4D 08 mov ecx, dword ptr [ebp+8]
00437025 . |51 push ecx
00437026 . |FF90 04070000 call dword ptr [eax+704] ; calls the error dialog
F7 into 00437026; there is network verification inside, keep following it
00437F14 . 68 3C954000 push 0040953C ; UNICODE "760010" ; only here do we reach the really critical spot
00437F19 . F7DB neg ebx
00437F1B . FF15 F8B04600 call dword ptr [<&msvbvm60.__vbaStrCm>; msvbvm60.__vbaStrCmp
00437F21 . F7D8 neg eax
00437F23 . 1BC0 sbb eax, eax
00437F25 . 40 inc eax
00437F26 . 0BD8 or ebx, eax
00437F28 . C785 2CFFFFFF>mov dword ptr [ebp-D4], -1
00437F32 . 89BD 28FFFFFF mov dword ptr [ebp-D8], edi
00437F38 . 0F85 CF000000 jnz 0043800D ; if not taken, registration fails
Take the jump and a few more steps bring you to the following call
00438042 . E8 695FFFFF call 0042DFB0 ; "Congratulations, the software was registered successfully; open it again and you can use all features"
Click OK and keep tracing to see where it writes the registration information
0012F360 0040953C UNICODE "760010"
0012F364 00191E3C UNICODE "hacker"
0012F360 0017EE64 UNICODE "grrm7++baoo',.+%e[j"
0012F364 001A459C UNICODE "51665166"
eax=001AE954, (UNICODE "F:\WINDOWS\system32\iwin_ada.dll")
eax=001B30BC, (UNICODE "F:\WINDOWS\iwin_ada.dll")
eax=001AE954, (UNICODE "F:\WINDOWS\system32\0O0O0O.dll")
eax=001ABD0C, (UNICODE "F:\WINDOWS\O0O0O0.dll")