【Title】: Removing the self-check from an E-language crackme after unpacking
【Author】: gzdang
【Software】: BST ECM01.EXE
【Download】: search for it yourself
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Protection】: self-check (integrity verification)
【Language】: E language (易语言)
【Tools】: OD (OllyDbg), PEiD, AspackDie
【Platform】: WinXP SP2
【Description】: a crackme written in E language
【Author's note】: Just out of interest, no other purpose. If I have slipped up anywhere, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
1. First scan it with PEiD: ASPack 2.12 -> Alexey Solodovnikov. It can be unpacked manually or automatically; I am lazy, so I unpacked it with AspackDie. Running the unpacked program, it flashes and exits at once, so there is a check. It even deleted the unpacked program.
2. Unpacked it again with AspackDie. Loaded the program in OD. At first I set a breakpoint on ExitProcess and traced back to the key code, but the program's self-deletion is a real nuisance.
So first go to the start of the E-format code and look at the strings.
Loaded in OD:
00401000 > E8 06000000 call dumped_.0040100B :OD stops here after loading the program
00401005 50 push eax
00401006 E8 BB010000 call <jmp.&kernel32.ExitProcess>
0040100B 55 push ebp
0040100C 8BEC mov ebp,esp
0040100E 81C4 F0FEFFFF add esp,-110
00401014 E9 83000000 jmp dumped_.0040109C
00401019 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C
0040101D 6E outs dx,byte ptr es:[edi]
0040101E 2E:66:6E outs dx,byte ptr es:[edi]
00401021 72 00 jb short dumped_.00401023
Press Alt+M to open the memory map: there is no ".ecode" section to be found. So, the clumsy way: step through one instruction at a time until the last call eax:
00401183 /74 15 je short dumped_.0040119A
00401185 |E8 00000000 call dumped_.0040118A
0040118A |810424 761E0000 add dword ptr ss:[esp],1E76
00401191 |FFD0 call eax :F7 (step into)
00401193 |6A 00 push 0
00401195 |E8 2C000000 call <jmp.&kernel32.ExitProcess>
0040119A \FFB5 F8FEFFFF push dword ptr ss:[ebp-108]
004011A0 E8 27000000 call <jmp.&kernel32.FreeLibrary>
004011A5 6A 10 push 10
Arrives at:
100298FA 55 push ebp
100298FB 8BEC mov ebp,esp
100298FD 8B45 08 mov eax,dword ptr ss:[ebp+8]
10029900 50 push eax
10029901 B9 68CF0E10 mov ecx,krnln.100ECF68
10029906 E8 04F5FFFF call krnln.10028E0F :F7 (step into)
1002990B 5D pop ebp
1002990C C2 0400 retn 4
Arrives at:
10028E0F 55 push ebp
10028E10 8BEC mov ebp,esp
10028E12 83EC 08 sub esp,8
10028E15 53 push ebx
10028E16 56 push esi
10028E17 57 push edi
10028E18 894D F8 mov dword ptr ss:[ebp-8],ecx
10028E1B FF15 E4330C10 call dword ptr ds:[<&KERNEL32.GetProcessHeap>] ; kernel32.GetProcessHeap
10028E21 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
10028E24 8981 8C040000 mov dword ptr ds:[ecx+48C],eax
10028E2A 8B55 08 mov edx,dword ptr ss:[ebp+8]
10028E2D 8B42 30 mov eax,dword ptr ds:[edx+30]
10028E30 83E0 01 and eax,1
10028E33 85C0 test eax,eax
10028E35 75 10 jnz short krnln.10028E47
10028E37 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
10028E3A 51 push ecx
10028E3B 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
10028E3E E8 CD050300 call krnln.10059410
10028E43 FFE0 jmp eax :F8 (step over) and you are there
10028E45 EB 0E jmp short krnln.10028E55
Arrives at:
00407B32 FC cld :start of the E-format code
00407B33 DBE3 finit
00407B35 E8 F7FFFFFF call dumped_.00407B31
00407B3A 68 397A4000 push dumped_.00407A39
00407B3F B8 03000000 mov eax,3
00407B44 E8 40000000 call dumped_.00407B89
00407B49 83C4 04 add esp,4
00407B4C E8 86DEFFFF call dumped_.004059D7
00407B51 E8 70DEFFFF call dumped_.004059C6
00407B56 E8 D5DEFFFF call dumped_.00405A30
00407B5B 68 6E000152 push 5201006E
00407B60 E8 1E000000 call dumped_.00407B83
00407B65 83C4 04 add esp,4
00407B68 6A 00 push 0
00407B6A E8 0E000000 call dumped_.00407B7D
00407B6F E8 03000000 call dumped_.00407B77
Search for strings:
Ultra String Reference, item 20
Address=004071EB
Disassembly=mov eax,dumped_.00403353
Text String=DeleteFileA
Go there:
004071B1 55 push ebp :set a breakpoint at the function entry
004071B2 8BEC mov ebp,esp
004071B4 81EC 40000000 sub esp,40
004071BA C745 FC 00000000 mov dword ptr ss:[ebp-4],0
004071C1 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
004071C8 C745 F4 00000000 mov dword ptr ss:[ebp-C],0
004071CF C745 F0 00000000 mov dword ptr ss:[ebp-10],0
004071D6 C745 EC 00000000 mov dword ptr ss:[ebp-14],0
004071DD C745 E8 00000000 mov dword ptr ss:[ebp-18],0
004071E4 C745 E4 00000000 mov dword ptr ss:[ebp-1C],0
004071EB B8 53334000 mov eax,dumped_.00403353 ; ASCII "DeleteFileA"
004071F0 8945 E0 mov dword ptr ss:[ebp-20],eax
004071F3 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004071F6 50 push eax
004071F7 B8 5F334000 mov eax,dumped_.0040335F ; ASCII "Kernel32.dll"
004071FC 8945 DC mov dword ptr ss:[ebp-24],eax
004071FF 8D45 DC lea eax,dword ptr ss:[ebp-24]
00407202 50 push eax
00407203 E8 05060000 call dumped_.0040780D
With the breakpoint set at the function entry, reload the program in OD. OD breaks there. Look at the stack:
0012FA10 00406FB8 返回到 dumped_.00406FB8 来自 dumped_.004071B1
0012FA14 00F50000
0012FA18 0001000C
0012FA1C 00000003
0012FA20 0012F97C
0012FA24 0012FA18
0012FA28 00010078 UNICODE "APPDATA=E:\Documents and Settings\gkai\Application Data"
0012FA2C 0012FA18
0012FA30 00000000
0012FA34 00000000
0012FA38 00000000
0012FA3C 00F50000
0012FA40 000000CC
0012FA44 000005BC
0012FA48 /0012FA50
0012FA4C |00406E4B 返回到 dumped_.00406E4B 来自 dumped_.00406E4F
0012FA50 ]0012FA88
0012FA54 |00406D23 返回到 dumped_.00406D23 来自 dumped_.00406E43 :follow in the disassembly window
0012FA58 |0015D3F4
0012FA5C |00010001
0012FA60 |100584C6 返回到 krnln.100584C6 来自 krnln.1002A460
Arrives at:
00406D0C 83C4 04 add esp,4
00406D0F 837D F8 00 cmp dword ptr ss:[ebp-8],0
00406D13 0F84 05000000 je dumped_.00406D1E〈----------------- :NOP it out
00406D19 E9 05000000 jmp dumped_.00406D23
00406D1E E8 20010000 call dumped_.00406E43 :the problem call
00406D23 68 00000000 push 0 :OD lands here
00406D28 BB 08010000 mov ebx,108
00406D2D E8 630E0000 call dumped_.00407B95
00406D32 83C4 04 add esp,4
There is another one further down:
00406E2F /0F84 05000000 je dumped_.00406E3A〈----------------- :NOP it out
00406E35 |E9 05000000 jmp dumped_.00406E3F
00406E3A \E8 04000000 call dumped_.00406E43
00406E3F 8BE5 mov esp,ebp
00406E41 5D pop ebp
00406E42 C3 retn
Exit OD and run the unpacked program. The interface appears. Success.
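As an added illustration (not code from the crackme or from this write-up) of why the check above is so easy to defeat: the protection is a self-checksum whose entire outcome is one boolean, i.e. the single `je` at 00406D13. The Python model below is constructed for this explanation. It builds a fake "image" with a CRC32 trailer, shows that an unpacked dump (any changed byte) fails the check, and contrasts that with an assumed alternative design in which the checksum is the key to data the program needs, so tampering yields garbage rather than a branch to patch. The byte sequence, the secret and the function names are all invented here.

```python
import struct
import zlib


def crc32(data: bytes) -> int:
    """CRC32 as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_image(code: bytes) -> bytes:
    """Constructed stand-in for an executable that stores a checksum of
    itself: code bytes followed by a 4-byte little-endian CRC32 trailer."""
    return code + struct.pack("<I", crc32(code))


def self_check(image: bytes) -> bool:
    """Crackme-style self-check: recompute the CRC over the body and compare
    it with the stored trailer. The result is one boolean, which in machine
    code is one conditional jump."""
    body, trailer = image[:-4], image[-4:]
    return crc32(body) == struct.unpack("<I", trailer)[0]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Toy keystream (assumption for the demo): repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def seal(image: bytes, plaintext: bytes) -> bytes:
    """Entangled design (assumed alternative, not what the crackme does):
    the checksum of the image is the key that encrypts needed data."""
    return xor_with_key(plaintext, struct.pack("<I", crc32(image[:-4])))


def unseal(image: bytes, ciphertext: bytes) -> bytes:
    """Decrypt with the key derived from the image as it is right now.
    A modified image produces garbage; there is no branch to remove."""
    return xor_with_key(ciphertext, struct.pack("<I", crc32(image[:-4])))


# Constructed sample "code section" shaped like the listing above:
# cmp / je +5 / jmp +5 / call <self-delete routine> / push 0.
CODE = (b"\x55\x8b\xec\x83\x7d\xf8\x00"   # push ebp; mov ebp,esp; cmp [ebp-8],0
        b"\x0f\x84\x05\x00\x00\x00"       # je +5
        b"\xe9\x05\x00\x00\x00"           # jmp +5
        b"\xe8\x20\x01\x00\x00"           # call <self-delete routine>
        b"\x68\x00\x00\x00\x00")          # push 0
IMAGE = build_image(CODE)

# Two modifications an unpacked dump may carry: the unpacker rewrote a byte
# somewhere (here the first one), or the je itself was replaced by NOPs.
DUMPED = bytes([IMAGE[0] ^ 0xFF]) + IMAGE[1:]
JE_OFFSET = CODE.index(b"\x0f\x84\x05\x00\x00\x00")
PATCHED = IMAGE[:JE_OFFSET] + b"\x90" * 6 + IMAGE[JE_OFFSET + 6:]

SECRET = b"data the program needs at runtime"   # constructed
SEALED = seal(IMAGE, SECRET)

if __name__ == "__main__":
    print("original passes check:", self_check(IMAGE))    # True
    print("dump passes check:    ", self_check(DUMPED))   # False
    print("patched passes check: ", self_check(PATCHED))  # False, but irrelevant once the je is gone
    print("unseal with original: ", unseal(IMAGE, SEALED))
    print("unseal with patched:  ", unseal(PATCHED, SEALED))
```

With the plain check, the failing result only matters if the program still acts on it, which is exactly what removing the `je` prevents. With the entangled variant, the same NOP patch changes the image, so the derived key changes and the needed data comes out as garbage; an analyst would then have to restore the original checksum as the key source instead of patching one branch. The XOR here is only a placeholder for whatever the program actually needs the key for.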
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) technical forum. When reposting, please credit the author and keep the article complete. Thanks!
December 5, 2008, 1:51:46