【Title】: On the patching methods for VA_X
【Author】: yangjt
【Author email】: yangjietao123@163.com
【Author QQ】: 325002492
【Software】: VA_X
【Packer】: Armadillo V5.00-V5.X Dll -> Silicon Realms Toolworks
【Platform】: Win XP sp3
【Author's note】: Just out of interest, no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
【Detailed process】
Broadly speaking, patching methods can be divided into:
1. Patching directly (i.e. code injection; apparently the inline patch against the ArmAccess.DLL that Armadillo drops. I haven't fully understood it yet, so I won't go into it ^_^)
2. Patching after unpacking (the speed…)
Classified by what the patch changes, there are three kinds; VAX 10.5.1709.0 is used as the example.
After loading, the entry point looks like this
1F256C0A >/$ 837C24 08 01 cmp dword ptr [esp+8], 1
1F256C0F |. 75 05 jnz short 1F256C16
1F256C11 |. E8 CA4A0000 call 1F25B6E0
1F256C16 |> FF7424 04 push dword ptr [esp+4]
1F256C1A |. 8B4C24 10 mov ecx, dword ptr [esp+10]
1F256C1E |. 8B5424 0C mov edx, dword ptr [esp+C]
1F256C22 |. E8 EDFEFFFF call 1F256B14
1F256C27 |. 59 pop ecx
1F256C28 \. C2 0C00 retn 0C
For convenience I won't detail the unpacking steps here; just use the script I provide… it's the first script I've written, so it can only get you to just past the MagicJump~~
00CB865A /EB 03 jmp short 00CB865F
00CB865C |D6 salc
00CB865D |D6 salc
00CB865E |8F ??? ; ????
00CB865F \8B15 8C4CD100 mov edx, dword ptr [D14C8C]
00CB8665 8995 B4FDFFFF mov dword ptr [ebp-24C], edx
It should break here; then press Alt+M here.
Then you reach the OEP; dump, fix the dump, and it's time to patch…
The first is CCDebuger's method; the principle seems to be to keep the section that checks whether the product is registered from running, and then set eax to TRUE.
First search for the string VAX:IDE Main Thread
Once found, scroll down and change the spot you find as follows
1EDA8119 |. 68 00000100 push 10000 ; UNICODE "=::=::\"
1EDA811E |. E8 4FB41900 call 1EF43572
1EDA8123 |. 83C4 08 add esp, 8
1EDA8126 |> E8 A5CAF7FF call 1ED24BD0
1EDA812B |. 50 push eax
1EDA812C |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
1EDA8130 |. E8 7B68F6FF call 1ED0E9B0
1EDA8135 |. 89BC24 CC0100>mov dword ptr [esp+1CC], edi
1EDA813C |. E8 AF29FAFF call 1ED4AAF0 // change this to mov eax, 1
1EDA8141 |. 85C0 test eax, eax
1EDA8143 |. 0F84 71020000 je 1EDA83BA
Then search for VAX:ArmThread
and handle it like this
1ED82201 . 68 9C86FD1E push 1EFD869C ; ASCII "VAX:ArmThread"
1ED82206 . 8BF1 mov esi, ecx
1ED82208 . E8 4304FAFF call 1ED22650
1ED8220D . 83C4 04 add esp, 4
1ED82210 . E8 BB3A1000 call 1EE85CD0
1ED82215 85C0 test eax, eax // change this to inc eax
That completes the first method… save, and walk away.
The second is BRD's method; it is said to get past the hidden checks, but in practice it just extends the trial period indefinitely.
For the specific steps, see my notes from tracing BRD's cracked file.
Find
1F02A5E8=1F02A5E8 (ASCII "Visual Assist X is loaded but dormant. You should uninstall the ",LF,"software or purchase a license if your trial has expired.")
1ED4EE4B |. E8 80111700 call 1EEBFFD0 //// enter, replace with 33 C0 40 C3
1ED4EE50 |. 83C4 04 add esp, 4
1ED4EE53 |. 85C0 test eax, eax
1ED4EE55 |. 75 2B jnz short 1ED4EE82
1ED4EE57 |. 8B15 000A0F1F mov edx, dword ptr [1F0F0A00]
1ED4EE5D |. 50 push eax ; /Style
1ED4EE5E |. 68 A44D021F push 1F024DA4 ; |Title = "Visual Assist X"
1ED4EE63 |. 68 E8A5021F push 1F02A5E8 ; |Text = "Visual Assist X is loaded but dormant. You should uninstall the ",LF,"software or purchase a license if your trial has expired."
1ED4EE68 |. 52 push edx ; |hOwner => NULL
1ED4EE69 |. FF15 143A021F call dword ptr [<&user32.MessageBoxA>] ; \MessageBoxA
like this
1EEBFFD0 33C0 xor eax, eax
1EEBFFD2 40 inc eax
1EEBFFD3 C3 retn
1EEBFFD4 ? 46 inc esi
1ED4EE93 |. 68 D8A5021F push 1F02A5D8 ; ASCII "CLOCKBACK"
1ED4EE98 |. 50 push eax
1ED4EE99 |. E8 42FAFFFF call 1ED4E8E0
1ED4EE9E |. 83C4 08 add esp, 8
1ED4EEA1 |. C64424 50 15 mov byte ptr [esp+50], 15
1ED4EEA6 |. 8B08 mov ecx, dword ptr [eax]
1ED4EEA8 |. 8B71 F4 mov esi, dword ptr [ecx-C]
1ED4EEAB |. 885C24 50 mov byte ptr [esp+50], bl
1ED4EEAF |. 8D4C24 38 lea ecx, dword ptr [esp+38]
1ED4EEB3 |. E8 9828FBFF call 1ED01750
1ED4EEB8 |. 85F6 test esi, esi
1ED4EEBA |. 74 29 je short 1ED4EEE5 //eb
1ED4EEBC |. 8B15 000A0F1F mov edx, dword ptr [1F0F0A00]
1ED4EEC2 |. 52 push edx
1ED4EEC3 |. 6A 00 push 0
1ED4EEC5 |. 68 10A5021F push 1F02A510 ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,LF,"Error: CBX-3"
1ED4EF10 |. /74 10 je short 1ED4EF22 //eb
1ED4EF12 |. |8B15 000A0F1F mov edx, dword ptr [1F0F0A00]
1ED4EF18 |. |52 push edx
1ED4EF19 |. |6A 00 push 0
1ED4EF1B |. |68 38A4021F push 1F02A438 ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,LF,"Error: CFX-3"
1ED4EF20 |.^|EB A8 jmp short 1ED4EECA
1ED4EF22 |> \8D4424 38 lea eax, dword ptr [esp+38]
1ED4EF26 |. 68 70A6021F push 1F02A670 ; ASCII "EXPIRED"
1ED4EF4D |. /74 18 je short 1ED4EF67 //eb
1ED4EF4F |. |8B15 000A0F1F mov edx, dword ptr [1F0F0A00]
1ED4EF55 |. |52 push edx
1ED4EF56 |. |6A 00 push 0
1ED4EF58 |. |68 98A3021F push 1F02A398 ; ASCII "There is a problem with your license for Visual Assist X. Please contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,"Error: CEX-3"
1ED4EF5D |.^|E9 68FFFFFF jmp 1ED4EECA
1ED4EF62 |> |E8 199B0300 call 1ED88A80
1ED4EF67 |> \833D 14080F1F>cmp dword ptr [1F0F0814], 0
1ED4EF6E |. 74 0D je short 1ED4EF7D //eb
1ED4EF70 |. 68 78A3021F push 1F02A378 ; ASCII "InitInstance EdDll loaded"
I searched through a great many strings; for example, the most essential patch starts by finding this string
Visual Assist X is loaded but dormant. You should uninstall the
Once found, look at the nearest Call above it, step into it, and paste in these bytes
33 C0 40 C3
which is in fact
1EEBFFD0 33C0 xor eax, eax
1EEBFFD2 40 inc eax
1EEBFFD3 C3 retn
The rest is just changing a few JMPs; once you have searched for those strings, you will know which addresses need changing…
The last kind can also use SetEnvironmentVariable,
because I found this fragment in the program
HMODULE __cdecl CheckByGetEnvironmentVariableA(int VariableName, int ValueAddress, int BufferSize)
{
    HMODULE result;       // eax@1
    int AddressofValue;   // edi@1
    HMODULE v5;           // esi@1
    int v6;               // esi@4

    AddressofValue = ValueAddress;
    *(_BYTE *)ValueAddress = 0;
    result = GetModuleHandleA("kernel32");
    v5 = result;
    if ( result )
    {
        result = GetProcAddress(result, "GetProcAddress");
        if ( result )
        {
            result = (HMODULE)((int (__stdcall *)(_DWORD, _DWORD))result)(v5, "GetEnvironmentVariableA");
            if ( result )
            {
                v6 = BufferSize;
                result = (HMODULE)((int (__stdcall *)(_DWORD, _DWORD, _DWORD))result)(
                             VariableName,
                             AddressofValue,
                             BufferSize - 1);
                // LPCTSTR lpName,  // address of environment variable name
                // LPTSTR lpBuffer, // address of buffer for variable value
                // DWORD nSize      // size of buffer, in characters
                *(_BYTE *)(AddressofValue + v6 - 1) = 0;
            }
        }
    }
    return result;
}
Let's tentatively call it CheckByGetEnvironmentVariableA. This seems to be part of the Arm SDK; I haven't used it, so I won't draw hasty conclusions, but the program is indeed checking via GetEnvironmentVariable, which is probably the Arm SDK's registration mechanism… Likewise, where there is a sword there is a shield: if it can Get, we can Set.
v13 = CheckEnvironment((int)&v32, (int)"DAYSLEFT");
LOBYTE(v31) = 1;
v14 = CheckEnvironment((int)&v33, (int)"DAYSINSTALLED");
LOBYTE(v31) = 2;
sub_1ED05190((int)&v30, (int)"TI: %s-%s", *(_DWORD *)v14);
LOBYTE(v31) = 1;
sub_1ED01790((int)&v33);
LOBYTE(v31) = 0;
sub_1ED01790((int)&v32);
sub_1ED89E10(a1, a2, v13, v30, 192, 0);
v15 = CheckEnvironment((int)&v32, (int)"DAYSINSTALLED");
LOBYTE(v31) = 3;
v16 = *(_DWORD *)(*(_DWORD *)v15 - 12) == 0;
LOBYTE(v31) = 0;
sub_1ED01790((int)&v32);
if ( v16 )
{
    MessageBoxA(dword_1F08AD00, "Error", "License", 0);
See, three variables are read in total… just Set them and you're done…
This is the fourth patching method… the first two modify code, this one writes code… by comparison, the first two are of course more convenient…
--------------------------------------------------------------------------------
【Summary】
Wrapping up…
Note: this article is for learning and exchange only…
--------------------------------------------------------------------------------
【Copyright notice】: When reposting, please credit the author and keep the article intact. Thanks!
2008-12-06 15:57:44