Asking for help with repairing an UltraProtect 1.x dump: the last hurdle, hoping friends can help
Posted on: 2004-12-6 18:00
After several days of effort I finally found the OEP: 000AAD6C, but I have run into another difficulty: after dumping, I cannot get the dump repaired no matter what I try. I would like to ask friends for some guidance. I am a newbie still learning, and this is absolutely not a disguised crack request: I have been working on this program for almost a week and have already received help from friends on the forum, and the questions I post are all about things I cannot do myself, as I believe everyone can see. Now only the last piece, the repair, is left. If this problem can be solved, I will write it up as an article on unpacking UltraProtect 1.x from a newbie's perspective. I hope everyone can help.
This is my article on the process of finding the OEP; it should be quite detailed, and since I am a newbie I expect most newbies can follow it:
http://bbs.pediy.com/showthread.php?s=&threadid=8025
[Program download]
http://bbs.pediy.com/upload/file/2004/12/cm-p1.1.7.part1.rar_673.rar
http://bbs.pediy.com/upload/file/2004/12/cm-p1.1.7.part2.rar_744.rar
Back to the point:
Below is the import information I obtained from the IAT myself.
But I have read many articles on repairing UltraProtect 1.x and there are many places I do not understand; to be blunt, I really do not know where to start.
OEP: 000AAD6C IATRVA: 0016EB3C IATSize: 000002C8
FThunk: 0016EB40 NbFunc: 000000B0
1 0016EB40 user32.dll 0001 ActivateKeyboardLayout
1 0016EB44 user32.dll 0003 AdjustWindowRectEx
1 0016EB48 user32.dll 000D BeginPaint
1 0016EB4C user32.dll 0016 CallNextHookEx
1 0016EB50 user32.dll 0017 CallWindowProcA
1 0016EB54 user32.dll 0022 CharLowerA
1 0016EB58 user32.dll 0023 CharLowerBuffA
1 0016EB5C user32.dll 0026 CharNextA
1 0016EB60 user32.dll 0031 CharUpperBuffA
1 0016EB64 user32.dll 0035 CheckMenuItem
1 0016EB68 user32.dll 0038 ChildWindowFromPoint
1 0016EB6C user32.dll 003C ClientToScreen
1 0016EB70 user32.dll 003E CloseClipboard
1 0016EB74 user32.dll 0053 CreateIcon
1 0016EB78 user32.dll 0059 CreateMenu
1 0016EB7C user32.dll 005A CreatePopupMenu
1 0016EB80 user32.dll 005B CreateWindowExA
1 0016EB84 user32.dll 0083 DefFrameProcA
1 0016EB88 user32.dll 0085 DefMDIChildProcA
1 0016EB8C user32.dll 0087 DefWindowProcA
1 0016EB90 user32.dll 008A DeleteMenu
1 0016EB94 user32.dll 008E DestroyCursor
1 0016EB98 user32.dll 008E DestroyCursor
1 0016EB9C user32.dll 0090 DestroyMenu
1 0016EBA0 user32.dll 0091 DestroyWindow
1 0016EBA4 user32.dll 0098 DispatchMessageA
1 0016EBA8 user32.dll 00A8 DrawEdge
1 0016EBAC user32.dll 00A9 DrawFocusRect
1 0016EBB0 user32.dll 00AB DrawFrameControl
1 0016EBB4 user32.dll 00AC DrawIcon
1 0016EBB8 user32.dll 00AD DrawIconEx
1 0016EBBC user32.dll 00AE DrawMenuBar
1 0016EBC0 user32.dll 00B2 DrawTextA
1 0016EBC4 user32.dll 00B7 EmptyClipboard
1 0016EBC8 user32.dll 00B8 EnableMenuItem
1 0016EBCC user32.dll 00B9 EnableScrollBar
1 0016EBD0 user32.dll 00BA EnableWindow
1 0016EBD4 user32.dll 00BE EndPaint
1 0016EBD8 user32.dll 00C1 EnumClipboardFormats
1 0016EBDC user32.dll 00D0 EnumThreadWindows
1 0016EBE0 user32.dll 00D3 EnumWindows
1 0016EBE4 user32.dll 00D4 EqualRect
1 0016EBE8 user32.dll 00D7 FillRect
1 0016EBEC user32.dll 00D8 FindWindowA
1 0016EBF0 user32.dll 00DE FrameRect
1 0016EBF4 user32.dll 00E0 GetActiveWindow
1 0016EBF8 user32.dll 00E8 GetCapture
1 0016EBFC user32.dll 00EA GetCaretPos
1 0016EC00 user32.dll 00EB GetClassInfoA
1 0016EC04 user32.dll 00F1 GetClassNameA
1 0016EC08 user32.dll 00F4 GetClientRect
1 0016EC0C user32.dll 00F6 GetClipboardData
1 0016EC10 user32.dll 00FD GetCursor
1 0016EC14 user32.dll 0100 GetCursorPos
1 0016EC18 user32.dll 0101 GetDC
1 0016EC1C user32.dll 0102 GetDCEx
1 0016EC20 user32.dll 0103 GetDesktopWindow
1 0016EC24 user32.dll 0106 GetDlgItem
1 0016EC28 user32.dll 010A GetDoubleClickTime
1 0016EC2C user32.dll 010B GetFocus
1 0016EC30 user32.dll 010C GetForegroundWindow
1 0016EC34 user32.dll 010F GetIconInfo
1 0016EC38 user32.dll 0114 GetKeyNameTextA
1 0016EC3C user32.dll 0116 GetKeyState
1 0016EC40 user32.dll 0117 GetKeyboardLayout
1 0016EC44 user32.dll 0118 GetKeyboardLayoutList
1 0016EC48 user32.dll 011B GetKeyboardState
1 0016EC4C user32.dll 011C GetKeyboardType
1 0016EC50 user32.dll 011D GetLastActivePopup
1 0016EC54 user32.dll 0120 GetMenu
1 0016EC58 user32.dll 0126 GetMenuItemCount
1 0016EC5C user32.dll 0127 GetMenuItemID
1 0016EC60 user32.dll 0128 GetMenuItemInfoA
1 0016EC64 user32.dll 012B GetMenuState
1 0016EC68 user32.dll 012C GetMenuStringA
1 0016EC6C user32.dll 0130 GetMessagePos
1 0016EC70 user32.dll 0131 GetMessageTime
1 0016EC74 user32.dll 0139 GetParent
1 0016EC78 user32.dll 013E GetPropA
1 0016EC7C user32.dll 0142 GetScrollInfo
1 0016EC80 user32.dll 0143 GetScrollPos
1 0016EC84 user32.dll 0144 GetScrollRange
1 0016EC88 user32.dll 0146 GetSubMenu
1 0016EC8C user32.dll 0149 GetSystemMenu
1 0016EC90 user32.dll 014A GetSystemMetrics
1 0016EC94 user32.dll 0150 GetTopWindow
1 0016EC98 user32.dll 0157 GetWindow
1 0016EC9C user32.dll 0159 GetWindowDC
1 0016ECA0 user32.dll 015B GetWindowLongA
1 0016ECA4 user32.dll 0160 GetWindowPlacement
1 0016ECA8 user32.dll 0161 GetWindowRect
1 0016ECAC user32.dll 0163 GetWindowTextA
1 0016ECB0 user32.dll 0167 GetWindowThreadProcessId
1 0016ECB4 user32.dll 0176 InflateRect
1 0016ECB8 user32.dll 0179 InsertMenuA
1 0016ECBC user32.dll 017A InsertMenuItemA
1 0016ECC0 user32.dll 017E IntersectRect
1 0016ECC4 user32.dll 017F InvalidateRect
1 0016ECC8 user32.dll 0182 IsCharAlphaA
1 0016ECCC user32.dll 0183 IsCharAlphaNumericA
1 0016ECD0 user32.dll 018A IsChild
1 0016ECD4 user32.dll 018C IsDialogMessage
1 0016ECD8 user32.dll 0191 IsIconic
1 0016ECDC user32.dll 0193 IsRectEmpty
1 0016ECE0 user32.dll 0194 IsWindow
1 0016ECE4 user32.dll 0195 IsWindowEnabled
1 0016ECE8 user32.dll 0197 IsWindowVisible
1 0016ECEC user32.dll 0198 IsZoomed
1 0016ECF0 user32.dll 019A KillTimer
1 0016ECF4 user32.dll 019D LoadBitmapA
1 0016ECF8 user32.dll 019F LoadCursorA
1 0016ECFC user32.dll 01A3 LoadIconA
1 0016ED00 user32.dll 01A7 LoadKeyboardLayoutA
1 0016ED04 user32.dll 01B0 LoadStringA
1 0016ED08 user32.dll 01BB MapVirtualKeyA
1 0016ED0C user32.dll 01BF MapWindowPoints
1 0016ED10 user32.dll 01C3 MessageBeep
0 0016ED14 ? 0000 005A4233
1 0016ED18 user32.dll 01D4 OemToCharA
1 0016ED1C user32.dll 01D8 OffsetRect
1 0016ED20 user32.dll 01D9 OpenClipboard
1 0016ED24 user32.dll 01E2 PeekMessageA
1 0016ED28 user32.dll 01E4 PostMessageA
1 0016ED2C user32.dll 01E6 PostQuitMessage
1 0016ED30 user32.dll 01EF PtInRect
1 0016ED34 user32.dll 01F6 RedrawWindow
1 0016ED38 user32.dll 01F7 RegisterClassA
1 0016ED3C user32.dll 01FB RegisterClipboardFormatA
1 0016ED40 user32.dll 01FB RegisterClipboardFormatA
1 0016ED44 user32.dll 0207 ReleaseCapture
1 0016ED48 user32.dll 0208 ReleaseDC
1 0016ED4C user32.dll 0209 RemoveMenu
1 0016ED50 user32.dll 020A RemovePropA
1 0016ED54 user32.dll 020F ScreenToClient
1 0016ED58 user32.dll 0212 ScrollWindow
1 0016ED5C user32.dll 0213 ScrollWindowEx
1 0016ED60 user32.dll 0219 SendMessageA
1 0016ED64 user32.dll 0221 SetActiveWindow
1 0016ED68 user32.dll 0222 SetCapture
1 0016ED6C user32.dll 0225 SetClassLongA
1 0016ED70 user32.dll 0228 SetClipboardData
1 0016ED74 user32.dll 022B SetCursor
1 0016ED78 user32.dll 0234 SetFocus
1 0016ED7C user32.dll 0235 SetForegroundWindow
1 0016ED80 user32.dll 0237 SetKeyboardState
1 0016ED84 user32.dll 023B SetMenu
1 0016ED88 user32.dll 0240 SetMenuItemInfoA
1 0016ED8C user32.dll 0248 SetPropA
1 0016ED90 user32.dll 024A SetRect
1 0016ED94 user32.dll 024C SetScrollInfo
1 0016ED98 user32.dll 024D SetScrollPos
1 0016ED9C user32.dll 024E SetScrollRange
1 0016EDA0 user32.dll 0258 SetTimer
1 0016EDA4 user32.dll 025E SetWindowLongA
1 0016EDA8 user32.dll 0260 SetWindowPlacement
1 0016EDAC user32.dll 0261 SetWindowPos
1 0016EDB0 user32.dll 0264 SetWindowTextA
1 0016EDB4 user32.dll 0268 SetWindowsHookExA
1 0016EDB8 user32.dll 026C ShowCursor
1 0016EDBC user32.dll 026D ShowOwnedPopups
1 0016EDC0 user32.dll 026E ShowScrollBar
1 0016EDC4 user32.dll 0270 ShowWindow
1 0016EDC8 user32.dll 0277 SystemParametersInfoA
1 0016EDCC user32.dll 0282 TrackPopupMenu
1 0016EDD0 user32.dll 0287 TranslateMDISysAccel
1 0016EDD4 user32.dll 0288 TranslateMessage
1 0016EDD8 user32.dll 028C UnhookWindowsHookEx
1 0016EDDC user32.dll 028D UnionRect
1 0016EDE0 user32.dll 0291 UnregisterClassA
1 0016EDE4 user32.dll 0297 UpdateWindow
1 0016EDE8 user32.dll 02A1 ValidateRect
1 0016EDEC user32.dll 02AC WaitMessage
1 0016EDF0 user32.dll 02AE WinHelpA
1 0016EDF4 user32.dll 02B1 WindowFromPoint
1 0016EDF8 user32.dll 02B4 wsprintfA
1 0016EDFC user32.dll 0147 GetSysColor
I read 《UltraProtect 1.x 代码段的还原》 (Restoring the UltraProtect 1.x code section) posted by xslxdcom on the DFCG official forum, but I only understood it hazily. All I learned is that UltraProtect 1.x moves code into the shell and runs it there, and that the fix is to restore the code that runs in the shell back into the program. But since I have only just started learning I really do not understand how to restore it, and when I tried restoring it myself I made a mess of the program.
In 二哥's article 《Acprotect之完美卸载XP V9.15脱壳修复+伪破解篇》 (Acprotect: unpacking and repairing Perfect Uninstaller XP V9.15, plus a pseudo-crack) I saw the following passage.
Quoted from 二哥's 《Acprotect之完美卸载XP V9.15脱壳修复+伪破解篇》:
Looking for the cause of the error.
004431C4 |. 68 00404500 PUSH 2_.00454000
004431C9 |. E8 DC000000 CALL <JMP.&msvcrt._initterm> //This Call may be the new Acprotect version's decoding technique; step into it and it decodes in a loop, and if decoding does not finish the program crashes. <==(I could not find this location at all, frustrating)
004431CE |. 83C4 24 ADD ESP,24 //Similar code here; I did not trace it again.
Actually this version of Acprotect embeds a check of the code at the Oep: if it finds the code at the Oep has been replaced, it immediately refuses to decode. Having lost the key code, the program of course cannot run, and you have to click OK on N error boxes.
004CBB31 55 push ebp //Stolen Code <==(My code entry is not here either, and it differs from this, frustrating)
004CBB32 8BEC mov ebp, esp //Stolen Code //Everything is under control <==(Why is everything under control here?, frustrating)
004CBB34 6A FF push -1 //Stolen Code
We already have it in hand.
004432D9 . 68 D8B24400 push NetClean.0044B2D8 //The temporary Oep is known too.
<==(What is the temporary OEP? How was it found?, frustrating)
What to do now: make the program believe you have not unpacked it, so that it decodes all the useful content in the perplex section.
Method
push ebp //Stolen Code
mov ebp, esp //Stolen Code //Everything is under control
push -1 //Stolen Code
jmp 004432D9
Load the unpacked and repaired program in Od, Ctrl+G 004AE000
004AE000 60 pushad //4AE000 is the original shell entry point; do a switcheroo and copy the Oep entry code here. <==(This part I did find, but how do you know how many bytes of entry code to replace? That is, how are the start and end of the replaced code decided?)
004AE001 FC cld
004AE002 48 dec eax
004AE003 66:81C2 2FAC add dx, 0AC2F
004AE008 50 push eax
004AE009 E8 01000000 call Unpack_.004AE00F
004AE00E EA 5858668B F55>jmp far 50F5:8B665858
004AE015 E8 01000000 call Unpack_.004AE01B
004AE01A EB 58 jmp short Unpack_.004AE074
004AE01C 58 pop eax
004AE01D 87F2 xchg edx, esi
004AE01F E8 01000000 call Unpack_.004AE025
004AE024 9A 83042406 C30>call far 0FC3:06240483
004AE02B 8801 mov byte ptr ds:[ecx], al
004AE02D 0000 add byte ptr ds:[eax], al
004AE02F 0048 E8 add byte ptr ds:[eax-18], cl
004AE032 0100 add dword ptr ds:[eax], eax
004AE034 0000 add byte ptr ds:[eax], al
004AE036 - 76 83 jbe short Unpack_.004ADFBB
.............................................................
004AE000 55 push ebp <==(My entry point is nothing like this?, frustrating)
004AE001 8BEC mov ebp, esp
004AE003 6A FF push -1
004AE005 - E9 CF52F9FF jmp Unpack_.004432D9
004AE00A 90 nop
004AE00B 90 nop //Take care to keep the code intact: fill in 4 Nops
004AE00C 90 nop
004AE00D 90 nop
004AE00E EA 5858668B F55>jmp far 50F5:8B665858
004AE015 E8 01000000 call Unpack_.004AE01B
004AE01A EB 58 jmp short Unpack_.004AE074
004AE01C 58 pop eax
004AE01D 87F2 xchg edx, esi
004AE01F E8 01000000 call Unpack_.004AE025
004AE024 9A 83042406 C30>call far 0FC3:06240483
004AE02B 8801 mov byte ptr ds:[ecx], al
004AE02D 0000 add byte ptr ds:[eax], al
004AE02F 0048 E8 add byte ptr ds:[eax-18], cl
004AE032 0100 add dword ptr ds:[eax], eax
004AE034 0000 add byte ptr ds:[eax], al <==(Why does the replacement end here?, frustrating)
.........................................................
Copy the replaced code into the program, save it as a new file, and use PEedit to fix the entry point to AC000; it runs normally.
Maybe I have dived in a bit too deep for a beginner, but I really do not want to give up, and I hope everyone will help. I also want to write an article on unpacking UltraProtect 1.x myself; even though the content would all be help I received from everyone, I believe I can learn a lot, and I will write it down from a newbie's perspective so that more newbies can learn.
I hope friends can take a look at the repair problem above; with a few pointers I will work hard to understand! Thanks friends, thanks 二哥 and FLY.
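As an added example (not code from the original post or from the articles it quotes), a small Python helper that does the arithmetic behind the patch quoted above: it encodes the E9 jmp to the temporary OEP, pads with NOPs up to the boundary of the overwritten packer instructions, and rewrites AddressOfEntryPoint in the PE header. The image base 0x00400000 and the 14-byte slot (the original instructions from 004AE000 up to 004AE00E in the listing) are assumptions read off the quoted dump; the PE header it patches is constructed inline.

```python
import struct

NOP = 0x90          # single-byte x86 nop used to pad the patch
JMP_REL32 = 0xE9    # opcode of the 5-byte relative near jmp


def encode_jmp_rel32(jmp_addr: int, target: int) -> bytes:
    """Encode `jmp target` placed at jmp_addr as E9 + rel32.

    rel32 is relative to the END of the 5-byte instruction, so a jmp at
    004AE005 to 004432D9 gives 004432D9 - 004AE00A = FFF952CF (CF 52 F9 FF).
    """
    rel = target - (jmp_addr + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def build_entry_patch(patch_addr: int, stolen_code: bytes,
                      temp_oep: int, slot_len: int) -> bytes:
    """Stolen OEP bytes + jmp to the temporary OEP, NOP-padded to slot_len.

    slot_len is the size of the packer instructions being overwritten: from
    patch_addr to the first instruction that must survive unchanged.
    """
    body = stolen_code + encode_jmp_rel32(patch_addr + len(stolen_code), temp_oep)
    if len(body) > slot_len:
        raise ValueError(f"patch is {len(body)} bytes, slot only {slot_len}")
    return body + bytes([NOP]) * (slot_len - len(body))


def _entry_point_offset(image: bytes) -> int:
    """Offset of AddressOfEntryPoint: e_lfanew + 4 (PE signature)
    + 20 (COFF file header) + 16 (its offset inside the optional header)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 0x28


def read_entry_point(image: bytes) -> int:
    return struct.unpack_from("<I", image, _entry_point_offset(image))[0]


def set_entry_point(image: bytearray, new_rva: int) -> int:
    """Rewrite AddressOfEntryPoint in place; return the previous RVA."""
    old = read_entry_point(image)
    struct.pack_into("<I", image, _entry_point_offset(image), new_rva)
    return old


def make_demo_image() -> bytearray:
    """Constructed stand-in for the dumped file: only the header fields this
    script touches are filled in, with the OEP RVA from the post."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + 0x28, 0xAAD6C)  # AddressOfEntryPoint
    return img


if __name__ == "__main__":
    IMAGE_BASE = 0x00400000                   # assumed default image base
    patch_va, temp_oep = 0x004AE000, 0x004432D9
    stolen = bytes.fromhex("558BEC6AFF")      # push ebp / mov ebp,esp / push -1
    patch = build_entry_patch(patch_va, stolen, temp_oep, slot_len=0x0E)
    print(patch.hex().upper())                # 558BEC6AFFE9CF52F9FF90909090
    img = make_demo_image()
    old = set_entry_point(img, patch_va - IMAGE_BASE)
    print(f"entry point {old:05X} -> {read_entry_point(img):05X}")
```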