For certain reasons it is not convenient to publish the software's name.
Below is the analysis process and the problems I ran into; I hope an expert can help.
Analysed with tools: the dongle is a Yutian (域天) dongle, the program is written in Delphi, and it is not packed.
Run without the dongle, the program reports that the dongle cannot be found.
Loaded in W32Dasm, string references. The code is as follows:
* Possible StringData Ref from Code Obj ->"snooker.oem"
:00642EFC B95C3D6400 mov ecx, 00643D5C
:00642F01 E89A1DDCFF call 00404CA0
:00642F06 8B55C4 mov edx, dword ptr [ebp-3C]
:00642F09 A1343C6500 mov eax, dword ptr [00653C34]
:00642F0E 8B00 mov eax, dword ptr [eax]
:00642F10 E80BB7F7FF call 005BE620
:00642F15 A1343C6500 mov eax, dword ptr [00653C34]
:00642F1A 8B00 mov eax, dword ptr [eax]
:00642F1C 80780400 cmp byte ptr [eax+04], 00
:00642F20 750D jne 00642F2F ---- // with dongle / without dongle: not taken
:00642F22 A1343C6500 mov eax, dword ptr [00653C34]
:00642F27 8B00 mov eax, dword ptr [eax]
:00642F29 80780500 cmp byte ptr [eax+05], 00
:00642F2D 7410 je 00642F3F --- // with dongle / without dongle: taken
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00642F20(C)|
:00642F2F 8B45FC mov eax, dword ptr [ebp-04]
:00642F32 8B8098050000 mov eax, dword ptr [eax+00000598]
:00642F38 33D2 xor edx, edx
:00642F3A E891DAE1FF call 004609D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00642F2D(C)|
:00642F3F E8B4E8F9FF call 005E17F8 // possibly the key ①
:00642F44 BA2C010000 mov edx, 0000012C
:00642F49 B864000000 mov eax, 00000064
:00642F4E E8E1ECF9FF call 005E1C34 // possibly the key ②
:00642F53 3D90010000 cmp eax, 00000190
:00642F58 0F94C3 sete bl
:00642F5B 84DB test bl, bl
:00642F5D 741F je 00642F7E ------- // with dongle: not taken; without dongle: taken
:00642F5F E8ECA1FAFF call 005ED150
:00642F64 8BF0 mov esi, eax
:00642F66 A150426500 mov eax, dword ptr [00654250]
:00642F6B 8B00 mov eax, dword ptr [eax]
:00642F6D 89B0A8010000 mov dword ptr [eax+000001A8], esi
:00642F73 A150426500 mov eax, dword ptr [00654250]
:00642F78 85F6 test esi, esi
:00642F7A 7502 jne 00642F7E ----- // with dongle: taken
:00642F7C 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00642F5D(C), :00642F7A(C)|
:00642F7E 84DB test bl, bl
:00642F80 7532 jne 00642FB4 // without dongle: not taken; with dongle: taken
:00642F82 6A10 push 00000010
:00642F84 68683B6400 push 00643B68
* Possible StringData Ref from Code Obj ->"找不到加密狗!" ("Dongle not found!")
:00642F89 68683D6400 push 00643D68
* Reference To: user32.GetFocus, Ord:0000h
:00642F8E E8354EDCFF Call 00407DC8
:00642F93 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
:00642F94 E82F50DCFF Call 00407FC8 // without the dongle, the "no dongle" box pops up here
:00642F99 8B45FC mov eax, dword ptr [ebp-04]
:00642F9C C6801407000001 mov byte ptr [eax+00000714], 01
:00642FA3 A1B0436500 mov eax, dword ptr [006543B0]
:00642FA8 8B00 mov eax, dword ptr [eax]
:00642FAA E86DCEE2FF call 0046FE1C
:00642FAF E981090000 jmp 00643935
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00642F80(C)|
:00642FB4 A150426500 mov eax, dword ptr [00654250]
Changing 00642F80 7532 jne 00642FB4 to JMP 00642FB4 makes the prompt go away, but the software does not run properly.
I have been tracing the code above for several days and still cannot make sense of it.
----------------------------------- code divider ------------------------------------
Looking at the import table:
the dongle-detection and dongle-read portion is the following:
005E3938 $- FF25 E85A6700 jmp dword ptr [<&my3l_ex.FindPort>] ; my3l_ex.FindPort
005E393E 8BC0 mov eax, eax
005E3940 $- FF25 E45A6700 jmp dword ptr [<&my3l_ex.CalculateEx>] ; my3l_ex.CalculateEx_2
005E3946 8BC0 mov eax, eax
005E3948 $- FF25 E05A6700 jmp dword ptr [<&my3l_ex.YReadEx>] ; my3l_ex.YReadEx
005E394E 8BC0 mov eax, eax
005E3950 /$ 55 push ebp
005E3951 |. 8BEC mov ebp, esp
005E3953 |. 83C4 F0 add esp, -10
005E3956 |. 53 push ebx
005E3957 |. 56 push esi
005E3958 |. 57 push edi
005E3959 |. 33C9 xor ecx, ecx
005E395B |. 894D F0 mov dword ptr [ebp-10], ecx
005E395E |. 894D F4 mov dword ptr [ebp-C], ecx
005E3961 |. 8955 FC mov dword ptr [ebp-4], edx
005E3964 |. 8BF8 mov edi, eax
005E3966 |. 33C0 xor eax, eax
005E3968 |. 55 push ebp
005E3969 |. 68 273A5E00 push 005E3A27
005E396E |. 64:FF30 push dword ptr fs:[eax]
005E3971 |. 64:8920 mov dword ptr fs:[eax], esp
005E3974 |. 8BC7 mov eax, edi
005E3976 |. E8 1110E2FF call 0040498C
005E397B |. 8B45 FC mov eax, dword ptr [ebp-4]
005E397E |. E8 0910E2FF call 0040498C
005E3983 |. 33DB xor ebx, ebx
005E3985 |> A1 C0976500 /mov eax, dword ptr [6597C0]
005E398A |. E8 BD14E2FF |call 00404E4C
005E398F |. 50 |push eax
005E3990 |. 8D45 FB |lea eax, dword ptr [ebp-5]
005E3993 |. 50 |push eax
005E3994 |. 53 |push ebx
005E3995 |. E8 AEFFFFFF |call <jmp.&my3l_ex.YReadEx>
005E399A |. 8BF0 |mov esi, eax
005E399C |. 85F6 |test esi, esi
005E399E |. 75 6C |jnz short 005E3A0C
005E39A0 |. 8D4D F4 |lea ecx, dword ptr [ebp-C]
005E39A3 |. 33C0 |xor eax, eax
005E39A5 |. 8A45 FB |mov al, byte ptr [ebp-5]
005E39A8 |. BA 02000000 |mov edx, 2
005E39AD |. E8 8E62E2FF |call 00409C40
005E39B2 |. 8B55 F4 |mov edx, dword ptr [ebp-C]
005E39B5 |. 8B0F |mov ecx, dword ptr [edi]
005E39B7 |. 8BC7 |mov eax, edi
005E39B9 |. E8 E212E2FF |call 00404CA0
005E39BE |. 43 |inc ebx
005E39BF |. 83FB 04 |cmp ebx, 4
005E39C2 |.^ 75 C1 \jnz short 005E3985
But I just cannot understand it. I hope an expert can give me a few pointers and an approach. Waiting online.
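As an added illustration (my own Python model, not code from the program or from the my3l_ex dongle library), here is the control flow of the two listings above with the dongle API replaced by an in-memory stub. Everything about the dongle API is an assumption inferred from the call sites: that the routine at 005E1C34 behaves additively (it is called with eax=0x64, edx=0x12C and the result is compared with 0x190, and 0x64 + 0x12C == 0x190), that call 005ED150 returns a nonzero handle only when a dongle answers, that YReadEx returns 0 on success, that call 00409C40 with edx=2 is Delphi's IntToHex(Value, 2), and that call 00404CA0 is Delphi's three-operand string concatenation. The sample dongle contents are constructed.

```python
from dataclasses import dataclass


@dataclass
class FakeDongle:
    """Hypothetical stand-in for the my3l_ex dongle API (assumption, not the real DLL)."""
    present: bool
    memory: bytes = b"\x12\x34\xab\xcd"  # constructed sample contents of dongle addresses 0..3

    def calculate_ex(self, a: int, b: int) -> int:
        # Models call 005E1C34: called with eax=0x64, edx=0x12C, result compared with 0x190.
        # 0x64 + 0x12C == 0x190, so an additive function is assumed; no dongle -> assumed 0.
        return (a + b) & 0xFFFFFFFF if self.present else 0

    def probe(self) -> int:
        # Models call 005ED150: its result is stored at [obj+1A8] and must be nonzero
        # (test esi, esi / jne 00642F7E). Assumed to be a handle or port number.
        return 1 if self.present else 0

    def read_ex(self, addr: int):
        # Models YReadEx(addr, &out_byte, pchar): 0 on success, nonzero on error
        # (inferred from `test esi, esi / jnz short 005E3A0C` leaving the loop).
        if not self.present or addr >= len(self.memory):
            return 1, 0
        return 0, self.memory[addr]


def dongle_check(d: FakeDongle, jne_patched_to_jmp: bool = False):
    """Mirror of 00642F3F..00642FB4.

    Returns (error_box_shown, obj_1A8): whether the "找不到加密狗!" MessageBoxA fires,
    and the value that ends up at [obj+1A8].
    """
    bl = d.calculate_ex(0x64, 0x12C) == 0x190   # cmp eax, 190 / sete bl
    obj_1a8 = 0
    if bl:                                        # je 00642F7E not taken
        obj_1a8 = d.probe()                       # call 005ED150 -> esi -> [eax+1A8]
        if obj_1a8 == 0:
            bl = False                            # xor ebx, ebx
    # 00642F80: jne 00642FB4 skips the MessageBoxA when bl != 0. Patching it to jmp
    # skips the box unconditionally but leaves bl and [obj+1A8] exactly as they were.
    error_box_shown = (not bl) and not jne_patched_to_jmp
    return error_box_shown, obj_1a8


def read_dongle_string(d: FakeDongle) -> str:
    """Mirror of the loop 005E3985..005E39C2.

    Four YReadEx reads (ebx = 0..3); each returned byte goes through call 00409C40 with
    eax=byte, edx=2 (matches Delphi IntToHex(Value, 2)) and is joined to the string at
    [edi] by call 00404CA0 with edx = new digits, ecx = existing string (matches Delphi
    _LStrCat3(dest, s1, s2), so the new pair goes in front; that order is an inference).
    A read error exits the loop early and leaves the string short or empty.
    """
    s = ""
    for addr in range(4):
        err, b = d.read_ex(addr)
        if err:
            break
        s = f"{b:02X}" + s
    return s


def run_scenario(present: bool, patched: bool) -> dict:
    """What the program 'sees' in each situation: dongle present, absent, absent+patched."""
    d = FakeDongle(present)
    box, handle = dongle_check(d, patched)
    return {"error_box": box, "obj_1A8": handle, "dongle_string": read_dongle_string(d)}


if __name__ == "__main__":
    for present, patched in ((True, False), (False, False), (False, True)):
        print(f"dongle={'yes' if present else 'no':3} patched={patched}:",
              run_scenario(present, patched))
```

Running the three scenarios makes the difference visible: with the dongle, the check passes, [obj+1A8] is nonzero and the read loop produces an eight-hex-digit string; without it, the box fires, [obj+1A8] is 0 and the string is empty; with the jne at 00642F80 patched to jmp, only the box disappears, while [obj+1A8] and the string are unchanged. Where those two values are consumed later is not visible in the posted listings, so the model only shows which state survives the patch, not why the program then misbehaves.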