【Title】 阿达连连看 3.80: unpacked again, cracked again
【Author】 二哥weiyi75[Dfcg]
【Author Email】 weiyi75@sohu.com
【Author Homepage】 Dfcg官方大本营 + 龙族联盟论坛
【Tools】 PEiD, UnkillOD
【Platform】 Win2000/XP
【Software】 阿达连连看 3.80
【Download】 http://www.chinadfcg.com/viewthread.php?tid=11729
【Description】 When a pretty office girl is hard at work in front of her computer, nine times out of ten she is playing 阿达连连看! It is a very replayable desktop game and the new favourite of office workers.
1. The game contains several sets of pattern levels that test the player's sharp eyes, quick hands and logical judgement.
2. Levels include cute animals, Pokémon, constellation legends, mahjong, dessert biscuits, computer systems, Street Fighter and Doraemon.
3. Green software that leaves no junk in the system.
4. Gorgeous graphics and moving sound effects make it hard to stop.
【Size】 4.66M
【Purpose】 To lay one more small stone on my cracking road.
【Disclaimer】 I am just a rookie; having gained a little insight, I would like to share it with everyone :)
--------------------------------------------------------------------------------
【Analysis】
Last time, 二哥's write-up on 阿达连连看 3.58 (unpack first, then crack) did not include a crack of the stripped program; now that the program's flow is familiar, unpacking first and cracking afterwards is even easier.
First check the packer with PEiD: "Nothing found *"! Then look at the EP section: .perplex, so it is an ACProtect 1.X shell.
Because this is a VB program the Stolen Code is simple and there is no need for laborious tracing; when it comes to encrypting a VB program's IAT, most protectors are still willing but unable.
In OD's exception options do not ignore memory access exceptions, let the auto-hide OD plugin hide OD, and load the program.
1. Initial trace of the Stolen Code
00451000 a> 60 pushad //shell entry point; F9 to run.
00451001 66:81C0 EE8F add ax,8FEE
00451006 66:13EF adc bp,di
00451009 FC cld
0045100A 85C8 test eax,ecx
0045100C 72 03 jb short adalinks.00451011
0045100E 73 01 jnb short adalinks.00451011
00451010 - 72 D3 jb short adalinks.00450FE5
00451012 DDB9 59104500 fstsw word ptr ds:[ecx+451059]
00451018 68 E860726B push 6B7260E8
0045101D 66:81DF BA66 sbb di,66BA
00451022 58 pop eax
00451023 BA 1A2B66B2 mov edx,B2662B1A
00451028 0F81 04000000 jno adalinks.00451032
0045102E 66:BD 002E mov bp,2E00
00451032 81EA 092B66B2 sub edx,B2662B09
00451038 8B19 mov ebx,dword ptr ds:[ecx]
..............................................................................
0045FAAD CD 01 int 1 //the last exception.
0045FAAF 40 inc eax
0045FAB0 40 inc eax
0045FAB1 0BC0 or eax,eax
0045FAB3 75 05 jnz short adalinks.0045FABA
0045FAB5 90 nop
0045FAB6 90 nop
0045FAB7 90 nop
0045FAB8 90 nop
0045FAB9 61 popad
0045FABA 33C0 xor eax,eax
0045FABC 64:8F00 pop dword ptr fs:[eax]
0045FABF 58 pop eax
0045FAC0 60 pushad
0045FAC1 E8 00000000 call adalinks.0045FAC6
0045FAC6 5E pop esi
0045FAC7 83EE 06 sub esi,6
0045FACA B9 57000000 mov ecx,57
..............................................................................
Alt+M opens the memory map
内存镜像,项目 21
地址=00401000 //set an F2 breakpoint here, then Shift+F9 and fly toward the light
大小=00048000 (294912.)
Owner=adalinks 00400000
区段=.text
包含=code
类型=Imag 01001002
访问=R
初始访问=RWE
004023F6 - FF25 40114000 jmp dword ptr ds:[401140] ; MSVBVM60.EVENT_SINK_Release
004023FC - FF25 E4114000 jmp dword ptr ds:[4011E4] ; MSVBVM60.ThunRTMain
Effect of executing Stolen Code 2: call 004023FC
00402402 0000 add byte ptr ds:[eax],al
00402404 41 inc ecx
00402405 D22D F009800C shr byte ptr ds:[C8009F0],cl
0040240B BD 6C6E0000 mov ebp,6E6C
00402410 48 dec eax
00402411 0000 add byte ptr ds:[eax],al
00402413 0030 add byte ptr ds:[eax],dh
00402415 0000 add byte ptr ds:[eax],al
00402417 0040 00 add byte ptr ds:[eax],al
0040241A 0000 add byte ptr ds:[eax],al
Stack hint
0012FFBC 0046A1F8 返回到 adalinks.0046A1F8 来自 adalinks.004023FC
0012FFC0 004028C8 adalinks.004028C8 //effect of executing Stolen Code 1: push 4028C8
0012FFC4 77E614C7 返回到 kernel32.77E614C7
0012FFC8 0012CEA8
0012FFCC 004AA38C
0012FFD0 7FFDF000
Based on familiarity with the entry points of the five languages and on the stack hint, the entry is repaired as follows
004023F0 - FF25 F4104000 jmp dword ptr ds:[<&msvbvm60.EVENT_SINK_Add>; msvbvm60.EVENT_SINK_AddRef
004023F6 - FF25 40114000 jmp dword ptr ds:[<&msvbvm60.EVENT_SINK_Rel>; msvbvm60.EVENT_SINK_Release
004023FC - FF25 E4114000 jmp dword ptr ds:[<&msvbvm60.ThunRTMain>] ; msvbvm60.ThunRTMain
00402402 0000 add byte ptr ds:[eax],al //cannot be handled here, otherwise it will not run
00402404 U> 68 C8284000 push Unpack_.004028C8 //repaired as follows: use the OD plugin to set the entry point directly to 2404, rebuild the import table with method 1, and it runs.
00402409 E8 EEFFFFFF call <jmp.&msvbvm60.ThunRTMain>
...............................................................................
Since ACProtect has gone through N generations of updates, the simple ESP law can no longer find the Stolen Code.
In the words of Fly:
After the shell has decompressed all of the code but before it handles the Stolen Code, dump the process, patch that piece of shell code back in, and recreate the stack and register environment of that moment; that way the shell itself solves the Stolen Code problem for you. By extension, this convenient Stolen Code solution also applies to some other packers.
ACProtect has been updated N times and this version is already quite strong; we analyze its entry-point check later.
Let us use VB, the soft target, to learn how to unpack "with the hair on", that is, leaving part of the shell in place.
Starting point: push 004028C8, with the ESP law as an aid. Restart OD.
00451000 a> 60 pushad //F8
00451001 66:81C0 EE8F add ax,8FEE //hr esp (hardware breakpoint on ESP), then F9 to run
00451006 66:13EF adc bp,di
00451009 FC cld
0045100A 85C8 test eax,ecx
0045100C 72 03 jb short adalinks.00451011
0045100E 73 01 jnb short adalinks.00451011
...............................................................................
Still breaking pair by pair
004626FF 61 popad '1
00462700 893D 8F1E4500 mov dword ptr ds:[451E8F],edi
00462750 60 pushad '2
00462751 E8 0ABDFFFF call adalinks.0045E460
0046276E 61 popad
0046276F 8B1C24 mov ebx,dword ptr ss:[esp]
004627BF 60 pushad '3
004627C0 E8 9BBCFFFF call adalinks.0045E460
004627D0 61 popad
004627D1 8F05 F31E4500 pop dword ptr ds:[451EF3]
00462821 60 pushad '4
00462822 E8 39BCFFFF call adalinks.0045E460
0046282E 61 popad
0046282F BA EF1E4500 mov edx,adalinks.00451EEF
0046287F 60 pushad '5
00462880 E8 15DEFFFF call adalinks.0046069A
00462885 61 popad
00462886 8B3C24 mov edi,dword ptr ss:[esp]
004628D6 60 pushad '6
004628D7 E8 5BDBFFFF call adalinks.00460437
004628DC 61 popad
004628DD 8B35 A71E4500 mov esi,dword ptr ds:[451EA7]
0046292D 60 pushad '7
0046292E E8 86FDFFFF call adalinks.004626B9
00462933 61 popad
00462934 891D 971E4500 mov dword ptr ds:[451E97],ebx 'scroll the window down from here; if you are not careful you will never spot the mutated Stolen Code below. Here we unpack with the hair on: rebuild the import table with method 1 and it runs, since the code and resources are already decompressed.
0046293A FF35 971E4500 push dword ptr ds:[451E97]
00462940 57 push edi
00462941 BF E31E4500 mov edi,adalinks.00451EE3
00462946 8BDF mov ebx,edi
00462948 5F pop edi
00462949 8B3B mov edi,dword ptr ds:[ebx]
0046294B 8F05 931E4500 pop dword ptr ds:[451E93]
00462951 8B1D 931E4500 mov ebx,dword ptr ds:[451E93]
00462957 8B0C24 mov ecx,dword ptr ss:[esp]
0046295A 8F05 FF1E4500 pop dword ptr ds:[451EFF]
00462960 8907 mov dword ptr ds:[edi],eax
00462962 8F05 071F4500 pop dword ptr ds:[451F07]
00462968 FF35 071F4500 push dword ptr ds:[451F07]
0046296E 8B3C24 mov edi,dword ptr ss:[esp]
00462971 8F05 DF1E4500 pop dword ptr ds:[451EDF]
00462977 FF35 0F1F4500 push dword ptr ds:[451F0F]
0046297D C70424 C8284000 mov dword ptr ss:[esp],adalinks.004028C8 //this one I found with a hardware breakpoint at 12ffc0
00462984 60 pushad //saves all registers; the mutated code that follows handles the Stolen Code
00462985 E8 D6BAFFFF call adalinks.0045E460
0046298A 6A 00 push 0
0046298C E8 0A000000 call adalinks.0046299B //contains the INT1 exception
00462991 41 inc ecx
00462992 43 inc ebx
00462993 50 push eax
00462994 72 6F jb short adalinks.00462A05
00462996 74 65 je short adalinks.004629FD
00462998 637400 E8 arpl word ptr ds:[eax+eax-18],si
0046299C 25 00000050 and eax,50000000
004629A1 72 6F jb short adalinks.00462A12
...........................................................................................
0045FAAD CD 01 int 1 //memory exception
0045FAAF 40 inc eax
0045FAB0 40 inc eax
0045FAB1 0BC0 or eax,eax
0045FAB3 75 05 jnz short adalinks.0045FABA
0045FAB5 90 nop
0045FAB6 90 nop
0045FAB7 90 nop
0045FAB8 90 nop
0045FAB9 61 popad
0045FABA 33C0 xor eax,eax
0045FABC 64:8F00 pop dword ptr fs:[eax]
0045FABF 58 pop eax
0045FAC0 60 pushad
0045FAC1 E8 00000000 call adalinks.0045FAC6
0045FAC6 5E pop esi
0045FAC7 83EE 06 sub esi,6
0045FACA B9 57000000 mov ecx,57
0045FACF 29CE sub esi,ecx
0045FAD1 BA D4BB3510 mov edx,1035BBD4
0045FAD6 C1E9 02 shr ecx,2
0045FAD9 83E9 02 sub ecx,2
0045FADC 83F9 00 cmp ecx,0
0045FADF 7C 1A jl short adalinks.0045FAFB
0045FAE1 8B048E mov eax,dword ptr ds:[esi+ecx*4]
0045FAE4 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
0045FAE8 03C3 add eax,ebx
0045FAEA C1C8 1B ror eax,1B
0045FAED 03C2 add eax,edx
0045FAEF 81C2 C7E901AD add edx,AD01E9C7
0045FAF5 89048E mov dword ptr ds:[esi+ecx*4],eax
0045FAF8 49 dec ecx
0045FAF9 ^ EB E1 jmp short adalinks.0045FADC
0045FAFB 61 popad
0045FAFC 61 popad
0045FAFD C3 retn //set a breakpoint here; Shift+F9 breaks here
Stack hint
0012FF9C 00464141 返回到 adalinks.00464141 来自 adalinks.0045F8BE
0012FFA0 0012CEA8
0012FFA4 004AA38C
0012FFA8 0012FFF0
0012FFAC 0012FFC0
0012FFB0 7FFDF000
0012FFB4 7FFE0304
0012FFB8 0012FFB0
0012FFBC 00000000
0012FFC0 004028C8 adalinks.004028C8 //knowing that 12ffc0 holds the Stolen Code value, I set a hardware write breakpoint at startup and found the location I mentioned earlier
To find where the second instruction is handled, use Alt+O to set the exception options so that INT3 exceptions are not ignored.
0045FCFF 90 nop //INT3 exception
0045FD00 64:67:8F06 0000 pop dword ptr fs:[0]
0045FD06 83C4 04 add esp,4
0045FD09 60 pushad
0045FD0A E8 00000000 call adalinks.0045FD0F
0045FD0F 5E pop esi
0045FD10 83EE 06 sub esi,6
0045FD13 B9 5B000000 mov ecx,5B
0045FD18 29CE sub esi,ecx
0045FD1A BA 9575B0C3 mov edx,C3B07595
0045FD1F C1E9 02 shr ecx,2
0045FD22 83E9 02 sub ecx,2
0045FD25 83F9 00 cmp ecx,0
0045FD28 7C 1A jl short adalinks.0045FD44
0045FD2A 8B048E mov eax,dword ptr ds:[esi+ecx*4]
0045FD2D 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
0045FD31 03C3 add eax,ebx
0045FD33 C1C0 1E rol eax,1E
0045FD36 33C2 xor eax,edx
0045FD38 81F2 3E24211C xor edx,1C21243E
0045FD3E 89048E mov dword ptr ds:[esi+ecx*4],eax
0045FD41 49 dec ecx
0045FD42 ^ EB E1 jmp short adalinks.0045FD25
0045FD44 61 popad
0045FD45 61 popad
0045FD46 C3 retn //set an F2 breakpoint here, Shift+F9 to reach it, then F9 to run.
0046A0E2 61 popad
0046A0E3 57 push edi ; USER32.77D29D31
0046A0E4 890424 mov dword ptr ss:[esp],eax
0046A0E7 8F05 FF1E4500 pop dword ptr ds:[451EFF]
0046A0ED FF35 FF1E4500 push dword ptr ds:[451EFF]
0046A0F3 890C24 mov dword ptr ss:[esp],ecx
0046A0F6 8905 E71E4500 mov dword ptr ds:[451EE7],eax
0046A0FC FF35 E71E4500 push dword ptr ds:[451EE7] ; adalinks.00451F0F
0046A102 C70424 FC234000 mov dword ptr ss:[esp],adalinks.004023FC ; jmp to MSVBVM60.ThunRTMain
//anyone used to loading VB programs in OD will recognise this jmp to MSVBVM60.ThunRTMain: Stolen Code 2, still to be handled
0046A109 8F05 071F4500 pop dword ptr ds:[451F07] ; USER32.77D29D31
0046A10F FF35 071F4500 push dword ptr ds:[451F07] ; USER32.77D29D31
0046A115 8F05 F31E4500 pop dword ptr ds:[451EF3]
0046A11B 53 push ebx
0046A11C BB F31E4500 mov ebx,adalinks.00451EF3
0046A121 8B0B mov ecx,dword ptr ds:[ebx]
0046A123 5B pop ebx
0046A124 891D E31E4500 mov dword ptr ds:[451EE3],ebx
0046A12A FF35 E31E4500 push dword ptr ds:[451EE3] ; adalinks.00451F0F
0046A130 51 push ecx
0046A131 90 nop
0046A132 90 nop
0046A133 60 pushad //a series of mutation handling that makes an already inefficient VB program even slower; the protector does not care about that.
0046A134 E8 2743FFFF call adalinks.0045E460
0046A139 8B85 7AA24100 mov eax,dword ptr ss:[ebp+41A27A]
0046A13F 0385 AAD24000 add eax,dword ptr ss:[ebp+40D2AA]
0046A145 8985 7AA24100 mov dword ptr ss:[ebp+41A27A],eax
0046A14B 61 popad
......................................................................... //slowly back to
004023F6 - FF25 40114000 jmp dword ptr ds:[401140] ; MSVBVM60.EVENT_SINK_Release
004023FC - FF25 E4114000 jmp dword ptr ds:[4011E4] ; MSVBVM60.ThunRTMain
Unpacking with the hair on
00462934 891D 971E4500 mov dword ptr ds:[451E97],ebx 'scroll the window down from here; if you are not careful you will never spot the mutated Stolen Code below. Here we unpack with the hair on: rebuild the import table with method 1 and it runs, since the code and resources are already decompressed.
0046293A FF35 971E4500 push dword ptr ds:[451E97]
00462940 57 push edi
00462941 BF E31E4500 mov edi,adalinks.00451EE3
00462946 8BDF mov ebx,edi
00462948 5F pop edi
..................................................................................
I wonder whether readers have understood the two unpacking methods above, and which one you prefer.
Heh, unpacking with the hair on is more fun.
2. Dealing with the SDK-style entry check.
Load the hair-on program again and run it. After a fake registration, confirming makes the program error out, and exiting after entering the program errors as well: clearly the author's SDK method is blocking unpacking and cracking.
We break through via the error on exit.
00143358 0000 add byte ptr ds:[eax],al //error here
0014335A 0000 add byte ptr ds:[eax],al
0014335C 0000 add byte ptr ds:[eax],al
0014335E 0000 add byte ptr ds:[eax],al
00143360 0000 add byte ptr ds:[eax],al
00143362 0000 add byte ptr ds:[eax],al
00143364 0000 add byte ptr ds:[eax],al
00143366 0000 add byte ptr ds:[eax],al
00143368 0000 add byte ptr ds:[eax],al
//stack hint
0012F440 0042FA16 返回到 fsfd.0042FA16 来自 0014334A //right-click, follow in disassembler
0012F444 0012F5F8
0012F448 0012F67C
0012F44C 00000001
0012F450 7E192002 返回到 GDI32.7E192002 来自 GDI32.7E192033
0012F454 001A82E8
0012F458 00380910
0012F45C 00000001
0012F460 0185A008
0012F464 00000000
0012F468 00000000
Apply the "return upward" law to find the first instruction of the event code
0042F940 $ 55 push ebp //instruction 1; trace it and compare against the original program
0042F941 . 8BEC mov ebp,esp
0042F943 . 83EC 08 sub esp,8
0042F946 . 68 66204000 push fsfd.00402066 ; jmp to MSVBVM60.__vbaExceptHandler; SE handler installation
0042F94B . 64:A1 00000000 mov eax,dword ptr fs:[0]
0042F951 . 50 push eax
0042F952 . 64:8925 00000000 mov dword ptr fs:[0],esp
...............................................................................................
0042FA0E . 50 push eax
0042FA0F . FFD7 call edi
0042FA11 . E8 3439D1FF call 0014334A //the problem is the error here; step in and take a look.
Looking inside took me 6-7 hours, sigh, but at last a few things became clear.
0045240C $ 60 pushad //first use the junk-code plugin to clear 34 small junk sequences
0045240D . 78 01 js short fsfd.00452410
0045240F . FC cld
00452410 > 72 03 jb short fsfd.00452415
00452412 . 73 01 jnb short fsfd.00452415
00452414 7A db 7A ; CHAR 'z'
00452415 . 66:2BC5 sub ax,bp
00452418 . EB 01 jmp short fsfd.0045241B
This long stretch of junk-laden code serves to decode statements such as
004525B7 E8 A4BE0000 call 0045E460
004525BC 8B4424 20 mov eax,dword ptr ss:[esp+20]
004525C0 33C9 xor ecx,ecx
0045240C 60 pushad
0045240D 78 01 js short fsfd.00452410
0045240F FC cld
00452410 90 nop
00452411 90 nop
00452412 90 nop
00452413 90 nop
00452414 90 nop
00452415 66:2BC5 sub ax,bp
.......................................................................
0045259F ^\0F85 6BFFFFFF jnz fsfd.00452510 //decoding loop
004525A5 90 nop //F4 down to here and you can see that the code between 004525B7 and 004526E1 has been decompressed
004525A6 90 nop
004525A7 90 nop
004525A8 90 nop
004525A9 90 nop
004525AA 90 nop
004525AB 90 nop
004525AC 90 nop
004525AD 90 nop
004525AE 90 nop
004525AF 90 nop
004525B0 90 nop
004525B1 90 nop
004525B2 90 nop
004525B3 90 nop
004525B4 90 nop
004525B5 90 nop
004525B6 90 nop
004525B7 82AD 343433E6 EC sub byte ptr ss:[ebp+E6333434],-14 //up to here; the code after this point is not decompressed and contains unknown instructions, so you can F4 straight down to here.
004525BE 0C 30 or al,30
004525C0 2C 01 sub al,1
004525C2 99 cdq
004525C3 2F das
004525C4 863A xchg byte ptr ds:[edx],bh
004525C6 C3 retn
004525C7 FF7F ??? ; 未知命令
004525C9 B9 1F286FA6 mov ecx,A66F281F
............................................................................................
Go there and continue
004525B7 E8 A4BE0000 call fsfd.0045E460
004525BC 8B4424 20 mov eax,dword ptr ss:[esp+20]
004525C0 33C9 xor ecx,ecx
004525C2 8B9C8D E2264000 mov ebx,dword ptr ss:[ebp+ecx*4+4026E2]
004525C9 039D AAD24000 add ebx,dword ptr ss:[ebp+40D2AA]
004525CF 3BC3 cmp eax,ebx
004525D1 74 07 je short fsfd.004525DA
004525D3 90 nop
004525D4 90 nop
004525D5 90 nop
004525D6 90 nop
004525D7 41 inc ecx
004525D8 ^ EB E8 jmp short fsfd.004525C2 //I do not understand this loop; it does not seem important
004525DA C7848D E2264000 00000000 mov dword ptr ss:[ebp+ecx*4+4026E2],0
004525E5 8DB5 C2554000 lea esi,dword ptr ss:[ebp+4055C2]
004525EB B8 0A000000 mov eax,0A
004525F0 F7E1 mul ecx
004525F2 03F0 add esi,eax
004525F4 56 push esi
004525F5 51 push ecx
004525F6 8A85 FC234000 mov al,byte ptr ss:[ebp+4023FC]
004525FC 0AC0 or al,al
004525FE 75 28 jnz short fsfd.00452628 //slowly down to here; pay attention and stay alert.
00452600 90 nop
00452601 90 nop
00452602 90 nop
00452603 90 nop
00452604 8B85 AAD24000 mov eax,dword ptr ss:[ebp+40D2AA] ; fsfd.00400000
0045260A 8B70 3C mov esi,dword ptr ds:[eax+3C]
0045260D 03B5 AAD24000 add esi,dword ptr ss:[ebp+40D2AA] ; fsfd.00400000
00452613 83C6 28 add esi,28
00452616 AD lods dword ptr ds:[esi] //this dword ptr ds:[esi] is the key: its value 00062934 is my entry point, as readers can confirm with PEiD. In the original program it is 51000. After this instruction EAX=00062934
00452617 8AD8 mov bl,al
00452619 02DC add bl,ah
0045261B C1E8 10 shr eax,10
0045261E 02D8 add bl,al
00452620 02DC add bl,ah //somewhere later this is compared against the original entry 51000; if it is correct, the correct code needed at 004526E1 is decompressed, otherwise the result is garbage code.
00452622 889D FC234000 mov byte ptr ss:[ebp+4023FC],bl
00452628 59 pop ecx
..................................................................................
004526CE C1C0 09 rol eax,9
004526D1 2BC2 sub eax,edx
004526D3 81C2 820378F5 add edx,F5780382
004526D9 89048E mov dword ptr ds:[esi+ecx*4],eax
004526DC 49 dec ecx
004526DD ^ EB E1 jmp short fsfd.004526C0
004526DF 61 popad
004526E0 61 popad
004526E1 C3 retn //returns to the low memory segment 14XXXX, which at this point is garbage code.
0014334A FD std //execution is over
0014334B 33DA xor ebx,edx
0014334D 25 FD7E2DB5 and eax,B52D7EFD
00143352 9F lahf
00143353 A0 00071C00 mov al,byte ptr ds:[1C0700]
00143358 0000 add byte ptr ds:[eax],al //empty address
0014335A 0000 add byte ptr ds:[eax],al
0014335C 0000 add byte ptr ds:[eax],al
..................................................................................
The basic analysis is clear. You can use Fly's method: change it back to the original entry and then jump to the unpacked program's entry.
Or do it this way, which is more trouble but good exercise.
Modification 1
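As an added example (not part of the original write-up or the packer), the entry-point check analysed above in Python: the shell reads AddressOfEntryPoint at e_lfanew+0x28, folds its four bytes into one byte (mov bl,al / add bl,ah / shr eax,10 / add bl,al / add bl,ah), stores it at [ebp+4023FC], and later uses that byte in the 10-byte lods/xor/stos loop at 0045266B. The PE header and the 10-byte record are constructed sample data; the entry values 51000 and 62934 are the page's numbers, and the example shows why the check stops working once the entry point has moved.

```python
import struct

# Offset used by the shell: AddressOfEntryPoint sits at e_lfanew + 0x28
# (4-byte "PE\0\0" + 20-byte file header + 16 bytes into the optional header).
ENTRY_RVA_OFFSET = 0x28
ORIGINAL_ENTRY = 0x51000   # packed program's entry point (from the page)
UNPACKED_ENTRY = 0x62934   # entry point after unpacking (from the page)


def build_pe_header(entry_rva: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE header (sample data, not a real binary)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    # IMAGE_OPTIONAL_HEADER32 prefix: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase; the remainder is zero padding.
    opt = struct.pack("<HBBIIIIIII", 0x10B, 6, 0, 0x1000, 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000).ljust(0xE0, b"\0")
    return bytes(dos) + b"PE\0\0" + file_hdr + opt


def read_entry_rva(image: bytes) -> int:
    """What the shell does: esi = [base+3C] + base + 28; lods dword."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<I", image, e_lfanew + ENTRY_RVA_OFFSET)[0]


def entry_key(entry_rva: int) -> int:
    """The four bytes of the entry RVA summed modulo 256 (the bl value)."""
    return sum((entry_rva >> shift) & 0xFF for shift in (0, 8, 16, 24)) & 0xFF


def xor_record(record: bytes, key: int) -> bytes:
    """The loop at 0045266B: lods / xor al,bl / stos over a 10-byte record."""
    assert len(record) == 10
    return bytes(b ^ key for b in record)


def check_key_survives(image: bytes, expected_entry: int) -> bool:
    """True only if the image's entry point still yields the original key."""
    return entry_key(read_entry_rva(image)) == entry_key(expected_entry)


if __name__ == "__main__":
    plain = b"REGRECORD!"                       # constructed 10-byte record
    encoded = xor_record(plain, entry_key(ORIGINAL_ENTRY))
    for entry in (ORIGINAL_ENTRY, UNPACKED_ENTRY):
        img = build_pe_header(entry)
        key = entry_key(read_entry_rva(img))
        print(f"entry {entry:#07x} -> key {key:#04x} ->", xor_record(encoded, key))
```

With the original entry the record decodes back to the plaintext; with the unpacked entry the key differs and the same loop yields garbage, which is exactly the "wrong garbage code" the author observes at 004526E1.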
0045240C 60 pushad
0045240D 78 01 js short fsfd.00452410
0045240F FC cld
00452410 72 03 jb short fsfd.00452415
00452412 73 01 jnb short fsfd.00452415
00452414 7A 66 jpe short fsfd.0045247C
changed to
0045240C 60 pushad
0045240D E9 A5010000 jmp fsfd.004525B7
00452412 73 01 jnb short fsfd.00452415
00452414 7A 66 jpe short fsfd.0045247C
The code below was obtained by tracing the original program; it can be pasted over the original code with binary copy and paste. 二哥's
ASF-AVI-RM-WMV Repair V1.41: unpacking, booby-trap removal, localisation and perfect crack
ASProtect 1.1b Registered SDK: 神奇挂挂 3.7 unpacking and booby-trap removal
both describe this in detail; it is basic OD operation that must be mastered, so I will not repeat it here.
Modification 2, dynamic code
004525B7 E8 A4BE0000 call fsfd.0045E460
004525BC 8B4424 20 mov eax,dword ptr ss:[esp+20]
004525C0 33C9 xor ecx,ecx
004525C2 8B9C8D E2264000 mov ebx,dword ptr ss:[ebp+ecx*4+4026E2]
004525C9 039D AAD24000 add ebx,dword ptr ss:[ebp+40D2AA]
004525CF 3BC3 cmp eax,ebx
004525D1 74 07 je short fsfd.004525DA
004525D3 90 nop
004525D4 90 nop
004525D5 90 nop
004525D6 90 nop
004525D7 41 inc ecx
004525D8 ^ EB E8 jmp short fsfd.004525C2
004525DA C7848D E2264000 00000000 mov dword ptr ss:[ebp+ecx*4+4026E2],0
004525E5 8DB5 C2554000 lea esi,dword ptr ss:[ebp+4055C2]
004525EB B8 0A000000 mov eax,0A
004525F0 F7E1 mul ecx
004525F2 03F0 add esi,eax
004525F4 56 push esi
004525F5 51 push ecx
004525F6 8A85 FC234000 mov al,byte ptr ss:[ebp+4023FC]
004525FC 0AC0 or al,al
004525FE 75 28 jnz short fsfd.00452628
00452600 90 nop
00452601 90 nop
00452602 90 nop
00452603 90 nop
**************************************************************************************
00452604 8B85 AAD24000 mov eax,dword ptr ss:[ebp+40D2AA]
0045260A 8B70 3C mov esi,dword ptr ds:[eax+3C]
0045260D 03B5 AAD24000 add esi,dword ptr ss:[ebp+40D2AA]
00452613 83C6 28 add esi,28
00452616 AD lods dword ptr ds:[esi] //needs surgery, targeting dword ptr ds:[esi]
**************************************************************************************
changed to
**************************************************************************************
00452604 B8 00100500 mov eax,51000 //original entry point
00452609 90 nop
0045260A 90 nop
0045260B 90 nop
0045260C 90 nop
0045260D 90 nop
0045260E 90 nop
0045260F 90 nop
00452610 90 nop
00452611 90 nop
00452612 90 nop
00452613 90 nop
00452614 90 nop
00452615 90 nop
00452616 90 nop
**************************************************************************************
00452617 8AD8 mov bl,al
00452619 02DC add bl,ah
0045261B C1E8 10 shr eax,10
0045261E 02D8 add bl,al
00452620 02DC add bl,ah
00452622 889D FC234000 mov byte ptr ss:[ebp+4023FC],bl
00452628 59 pop ecx
00452629 5E pop esi
0045262A 60 pushad
0045262B B8 02000000 mov eax,2
00452630 E8 B5BB0000 call fsfd.0045E1EA
00452635 0BC0 or eax,eax
00452637 75 24 jnz short fsfd.0045265D
00452639 90 nop
0045263A 90 nop
0045263B 90 nop
0045263C 90 nop
0045263D 61 popad
0045263E 8BBD AED24000 mov edi,dword ptr ss:[ebp+40D2AE]
00452644 B8 0A000000 mov eax,0A
00452649 F7E1 mul ecx
0045264B 03F8 add edi,eax
0045264D B9 0A000000 mov ecx,0A
00452652 8A9D FC234000 mov bl,byte ptr ss:[ebp+4023FC]
00452658 EB 11 jmp short fsfd.0045266B
0045265A 90 nop
0045265B 90 nop
0045265C 90 nop
0045265D 61 popad
0045265E 8BFE mov edi,esi
00452660 B9 0A000000 mov ecx,0A
00452665 8A9D FC234000 mov bl,byte ptr ss:[ebp+4023FC]
0045266B AC lods byte ptr ds:[esi]
0045266C 32C3 xor al,bl
0045266E AA stos byte ptr es:[edi]
0045266F ^ E2 FA loopd short fsfd.0045266B
00452671 83EF 0A sub edi,0A
00452674 57 push edi
00452675 8B7424 24 mov esi,dword ptr ss:[esp+24]
00452679 83EE 04 sub esi,4
0045267C AD lods dword ptr ds:[esi]
0045267D 81EF 0C244000 sub edi,fsfd.0040240C ; ASCII "ln"
00452683 2BFD sub edi,ebp
00452685 03C7 add eax,edi
00452687 8946 FC mov dword ptr ds:[esi-4],eax
0045268A 5F pop edi
0045268B 57 push edi
0045268C 33C9 xor ecx,ecx
0045268E 83F9 08 cmp ecx,8
00452691 74 0E je short fsfd.004526A1
00452693 90 nop
00452694 90 nop
00452695 90 nop
00452696 90 nop
00452697 8B448C 04 mov eax,dword ptr ss:[esp+ecx*4+4]
0045269B 89048C mov dword ptr ss:[esp+ecx*4],eax
0045269E 41 inc ecx
.................................................................................................
Save all the modifications; it still will not run.
The reason is here:
0045268E 83F9 08 cmp ecx,8
00452691 74 0E je short fsfd.004526A1
00452693 90 nop
00452694 90 nop
00452695 90 nop
00452696 90 nop
00452697 8B448C 04 mov eax,dword ptr ss:[esp+ecx*4+4]
0045269B 89048C mov dword ptr ss:[esp+ecx*4],eax
0045269E 41 inc ecx
0045269F ^ EB ED jmp short fsfd.0045268E
004526A1 893C8C mov dword ptr ss:[esp+ecx*4],edi //by here we have already decoded manually, so of course this code should retire gracefully.
004526A4 60 pushad //note: the code below decompresses the binary code we pasted in, which we already modified in advance, so decoding it again here would conflict (see Label 1 below for the reason); so jump directly to 004526E0
Surgery
004526A4 60 pushad
004526A4 - E9 3700FBFF jmp fsfd.004026E0
004526A9 90 nop
This time there is no problem.
004526A5 E8 00000000 call fsfd.004526AA
004526AA 5E pop esi
004526AB 83EE 06 sub esi,6
004526AE B9 ED000000 mov ecx,0ED
004526B3 29CE sub esi,ecx
004526B5 BA 73F68FC7 mov edx,C78FF673
004526BA C1E9 02 shr ecx,2
004526BD 83E9 02 sub ecx,2
004526C0 83F9 00 cmp ecx,0
004526C3 7C 1A jl short fsfd.004526DF
004526C5 8B048E mov eax,dword ptr ds:[esi+ecx*4]
004526C8 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
004526CC 2BC3 sub eax,ebx
004526CE C1C0 09 rol eax,9
004526D1 2BC2 sub eax,edx
004526D3 81C2 820378F5 add edx,F5780382
004526D9 89048E mov dword ptr ds:[esi+ecx*4],eax
004526DC 49 dec ecx
004526DD ^ EB E1 jmp short fsfd.004526C0
004526DF 61 popad //note
004526E0 61 popad
004526E1 C3 retn
Label 1
Looking back, all of this is red dynamically decompressed code
004525B5 87C1 xchg ecx,eax
004525B7 11C4 adc esp,eax //wouldn't this make it crash?
004525B9 AA stos byte ptr es:[edi]
004525BA B3 27 mov bl,27
004525BC 2BAD C50DCC24 sub ebp,dword ptr ss:[ebp+24CC0DC5]
004525C2 1F pop ds
004525C3 5F pop edi
004525C4 74 77 je short fsfd.0045263D
004525C6 D4 88 aam 88
004525C8 ^ E1 B0 loopde short fsfd.0045257A
004525CA 07 pop es
004525CB 78 73 js short fsfd.00452640
004525CD 32AA 1AC199D6 xor ch,byte ptr ds:[edx+D699C11A]
004525D3 06 push es
004525D4 3AB2 CD2137CD cmp dh,byte ptr ds:[edx+CD3721CD]
004525DA A1 5540B60C mov eax,dword ptr ds:[CB64055]
004525DF 15 2A75925E adc eax,5E92752A
004525E4 ^ 79 CA jns short fsfd.004525B0
.................................................................................................
You may ask what using the shell to unpack achieves, and how it differs from the packed program.
You do not need to find the Stolen Code to repair the program so that it runs, and most importantly the code and resources needed for cracking can all be extracted and modified.
With the plan laid out, go to the hair-on program and modify the code as I wrote above.
Run the program: registration and exit share the same dynamic decoding, and on exit there is a friendly prompt; at that point you know you have completely unpacked it.
3. Cracking the program
PEiD's algorithm detection finds MD5. The author did not use ACProtect's RSA key; either it is a pirated copy of AC or he does not trust AC, and instead he uses his own protection method.
Now that the shell has been broken, of course we crack it.
Load the hair-on program in OD
00462934 f> 891D 971E4500 mov dword ptr ds:[451E97],ebx //special entry point, heh; this is still the shell, so we debug it dynamically, Shift+F9 until it runs.
0046293A FF35 971E4500 push dword ptr ds:[451E97]
00462940 57 push edi
00462941 BF E31E4500 mov edi,fsfd.00451EE3
00462946 8BDF mov ebx,edi
00462948 5F pop edi
00462949 8B3B mov edi,dword ptr ds:[ebx]
0046294B 8F05 931E4500 pop dword ptr ds:[451E93]
00462951 8B1D 931E4500 mov ebx,dword ptr ds:[451E93]
00462957 8B0C24 mov ecx,dword ptr ss:[esp]
0046295A 8F05 FF1E4500 pop dword ptr ds:[451EFF]
00462960 8907 mov dword ptr ds:[edi],eax
00462962 8F05 071F4500 pop dword ptr ds:[451F07]
00462968 FF35 071F4500 push dword ptr ds:[451F07]
0046296E 8B3C24 mov edi,dword ptr ss:[esp]
00462971 8F05 DF1E4500 pop dword ptr ds:[451EDF]
00462977 FF35 0F1F4500 push dword ptr ds:[451F0F]
0046297D C70424 C8284000 mov dword ptr ss:[esp],fsfd.004028C8
Ctrl+G 401000 to go straight into the program's own territory
Use 老罗's plugin to search double-byte strings
Ultra String Reference
Address Disassembly Text string
0042C048 push fsfd.00408DE0 \iwinada.dll //this should be generated on registration
0042C056 push fsfd.00408DE0 \iwinada.dll
0042C1A3 push fsfd.00408E00 @t@
0042CD4C push fsfd.00408DE0 \iwinada.dll
0042CDE9 push fsfd.00408E0C @
0042CE15 push fsfd.00408DE0 \iwinada.dll
0042CE48 push fsfd.00408DE0 \iwinada.dll
0042D197 push fsfd.00408E14 \0O0O0O.dll
0042D1B0 push fsfd.00408E30 \O0O0O0.dll
0042D26B push fsfd.00408DE0 \iwinada.dll
0042D29E push fsfd.00408DE0 \iwinada.dll
0042D6DC push fsfd.00408DE0 \iwinada.dll
0042D779 push fsfd.00408E4C .
0042D7A5 push fsfd.00408DE0 \iwinada.dll
0042D7D8 push fsfd.00408DE0 \iwinada.dll
0042DEE1 push fsfd.00408E64 http://www.myadasoft.com/gift.htm
00437C28 push fsfd.00408DE0 \iwinada.dll //one look and you find this
00437C3F push fsfd.00408DE0 \iwinada.dll
00438ED1 push fsfd.00408EAC http://www.ayesoftware.com/adagame/
00438EDD push fsfd.00408E54 Open
00439577 push fsfd.00409B34 http://www.suous.com/readgjq.asp?user=
00437C28 68 E08D4000 push fsfd.00408DE0 ; UNICODE "\iwinada.dll"
00437C2D 66:C705 3E904400 0000 mov word ptr ds:[44903E],0
00437C36 FFD6 call esi
00437C38 8945 C8 mov dword ptr ss:[ebp-38],eax
00437C3B 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00437C3E 50 push eax
00437C3F 68 E08D4000 push fsfd.00408DE0 ; UNICODE "\iwinada.dll"
00437C44 C745 C0 08000000 mov dword ptr ss:[ebp-40],8
00437C4B FFD6 call esi
00437C4D 6A 00 push 0
00437C4F 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00437C52 51 push ecx
00437C53 8945 B8 mov dword ptr ss:[ebp-48],eax
00437C56 C745 B0 08000000 mov dword ptr ss:[ebp-50],8
00437C5D FF15 98114000 call dword ptr ds:[401198] ; MSVBVM60.rtcDir
00437C63 8BD0 mov edx,eax
00437C65 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00437C68 FFD7 call edi
00437C6A 50 push eax
00437C6B 68 F8864000 push fsfd.004086F8
00437C70 FF15 00114000 call dword ptr ds:[401100] ; MSVBVM60.__vbaStrCmp
00437C76 8BF0 mov esi,eax
00437C78 F7DE neg esi
00437C7A 1BF6 sbb esi,esi
00437C7C 6A 00 push 0
00437C7E 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00437C81 F7DE neg esi
00437C83 52 push edx
00437C84 F7DE neg esi
00437C86 FF15 98114000 call dword ptr ds:[401198] ; MSVBVM60.rtcDir
00437C8C 8BD0 mov edx,eax
00437C8E 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00437C91 FFD7 call edi
00437C93 50 push eax
00437C94 68 F8864000 push fsfd.004086F8
00437C99 FF15 00114000 call dword ptr ds:[401100] ; MSVBVM60.__vbaStrCmp
00437C9F F7D8 neg eax
00437CA1 1BC0 sbb eax,eax
00437CA3 F7D8 neg eax
00437CA5 F7D8 neg eax
00437CA7 23F0 and esi,eax
00437CA9 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00437CAC 50 push eax
00437CAD 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00437CB0 51 push ecx
00437CB1 6A 02 push 2
00437CB3 FFD3 call ebx
00437CB5 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00437CB8 52 push edx
00437CB9 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00437CBC 50 push eax
00437CBD 6A 02 push 2
00437CBF FF15 38104000 call dword ptr ds:[401038] ; MSVBVM60.__vbaFreeVarList
00437CC5 83C4 18 add esp,18
00437CC8 66:85F6 test si,si
00437CCB 74 09 je short fsfd.00437CD6 //patch point 1
00437CCD 66:C705 3E904400 FFFF mov word ptr ds:[44903E],0FFFF //obviously a flag; FFFF means true
00437CD6 66:833D 3E904400 00 cmp word ptr ds:[44903E],0
00437CDE 75 05 jnz short fsfd.00437CE5
00437CE0 E8 4B84FFFF call fsfd.00430130
Here, set a memory read breakpoint at 44903E and watch where the program wants to change it to 0. Before long you find:
0042D23F . FF15 38104000 call dword ptr ds:[401038] ; MSVBVM60.__vbaFreeVarList
0042D245 . 83C4 0C add esp,0C
0042D248 . 0FBF4D 8C movsx ecx,word ptr ss:[ebp-74]
0042D24C . 85C9 test ecx,ecx
0042D24E . 74 76 je short fsfd.0042D2C6 //patch point 2
0042D250 . C745 FC 09000000 mov dword ptr ss:[ebp-4],9
0042D257 . 66:C705 3E904400 0000 mov word ptr ds:[44903E],0 //overwrites the flag
0042D260 . C745 FC 0A000000 mov dword ptr ss:[ebp-4],0A
0042D267 . 8B55 DC mov edx,dword ptr ss:[ebp-24]
0042D26A . 52 push edx
0042D26B . 68 E08D4000 push fsfd.00408DE0 ; UNICODE "\iwinada.dll"
0042D270 . FF15 70104000 call dword ptr ds:[401070] ; MSVBVM60.__vbaStrCat
0042D276 . 8945 BC mov dword ptr ss:[ebp-44],eax
0042D279 . C745 B4 08000000 mov dword ptr ss:[ebp-4C],8
0042D280 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0042D283 . 50 push eax
0042D284 . FF15 04114000 call dword ptr ds:[401104] ; MSVBVM60.rtcKillFiles
0042D28A . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0042D28D . FF15 1C104000 call dword ptr ds:[40101C] ; MSVBVM60.__vbaFreeVar
0042D293 . C745 FC 0B000000 mov dword ptr ss:[ebp-4],0B
0042D29A . 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
0042D29D . 51 push ecx
0042D29E . 68 E08D4000 push fsfd.00408DE0 ; UNICODE "\iwinada.dll"
0042D2A3 . FF15 70104000 call dword ptr ds:[401070] ; MSVBVM60.__vbaStrCat
....................................................................................
Two places in total. You can use this work to win over the girls; if it works out, do not forget 二哥. ^_^
【Crack Summary】
Startup check
00437CCB /74 09 je short fsfd.00437CD6
changed to
00437CCB 90 nop
00437CCC 90 nop
Runtime check
0042D24E . /74 76 je short fsfd.0042D2C6
changed to
0042D24E /EB 76 jmp short fsfd.0042D2C6
Article finished at 13:25 on 2 December 2004, after 7-8 hours.
--------------------------------------------------------------------------------
【Copyright】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!
Finally, the victory screenshot