软件性质: **软件.通过KEY FILE文件保护自己,并存多重效验.
软件下载地址:
http://s9456.ys168.com/
下面是我的思路.但是没有成功爆破!请高手知道..
去壳:
PEiD 查壳 => PECompact 2.x -> Jeremy Collake
用 ESP定律去壳:
载入 OD ssQss.exe
下断 hw 0012FFC0
F9 ->
00685CB3 00B8 53680055 ADD BYTE PTR DS:[EAX+55006853],BH
00685CB9 8BEC MOV EBP,ESP
00685CBB 83C4 F0 ADD ESP,-10 ; 我认为这是 OEP
00685CBE B8 E0536800 MOV EAX,ssQss.006853E0
00685CC3 E8 1017D8FF CALL ssQss.004073D8
dump 为ssss.exe后 用 ImportREC 修复;当中有两个指针错误,全部改为 GetProcAddress,修复为ssss_.exe
去自效验(软件启动时对自身的效验,其他的我还没有解决.):
然后OD 加载ssss_.exe
下载断 bp CreateFileA 到
0012FD40 0040A4FB /CALL 到 CreateFileA 来自 ssss_.0040A4F6
0012FD44 00FF3A9C |FileName = "C:\Downloads\ssQss7.0\ssss_.exe"
0012FD48 80000000 |Access = GENERIC_READ
0012FD4C 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FD50 00000000 |pSecurity = NULL
0012FD54 00000003 |Mode = OPEN_EXISTING
0012FD58 00000080 |Attributes = NORMAL
0012FD5C 00000000 \hTemplateFile = NULL
再下断 bp SetFilePointer 到
0012FD70 0040A5AB /CALL 到 SetFilePointer 来自 ssss_.0040A5A6
0012FD74 00000080 |hFile = 00000080 (window)
0012FD78 00000000 |OffsetLo = 0
0012FD7C 0012FD90 |pOffsetHi = 0012FD90
0012FD80 00000000 \Origin = FILE_BEGIN
返回领空。。。。
一直回到 效验比较文件的地方
00653F93 . 3B02 CMP EAX,DWORD PTR DS:[EDX]
00653F95 . 0F94C0 SETE AL
00653F98 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00653F9B . 8882 8C290000 MOV BYTE PTR DS:[EDX+298C],AL
00653FA1 . A1 841D6900 MOV EAX,DWORD PTR DS:[691D84]
00653FA6 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00653FA8 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00653FAA . 8B15 18236900 MOV EDX,DWORD PTR DS:[692318] ; ssss_.00694560
00653FB0 . 8B12 MOV EDX,DWORD PTR DS:[EDX]
00653FB2 . 3B02 CMP EAX,DWORD PTR DS:[EDX]
00653FB4 . 74 0C JE SHORT ssss_.00653FC2
00653FB6 . A1 84226900 MOV EAX,DWORD PTR DS:[692284]
把
00653F95 . 0F94C0 SETE AL =》SETNE AL
00653FB4 . 74 0C JE SHORT ssss_.00653FC2 =》JMP SHORT ssss_.00653FC2
去关闭时弹出网页:
查找 .cn 字串。到http://www.***w.cn
0067CABD . /75 1D JNZ SHORT ssss_.0067CADC
0067CABF . |6A 01 PUSH 1 ; /IsShown = 1
0067CAC1 . |6A 00 PUSH 0 ; |DefDir = NULL
0067CAC3 . |6A 00 PUSH 0 ; |Parameters = NULL
0067CAC5 . |68 48CB6700 PUSH ssss_.0067CB48 ; |http://www.***w.cn
0067CACA . |6A 00 PUSH 0 ; |Operation = NULL
0067CACC . |A1 84226900 MOV EAX,DWORD PTR DS:[692284] ; |
把
0067CABD . /75 1D => JMP SHORT ssss_.0067CADC
保存文件。。。完成脱壳。关于破解:
下断:bp CreateFileA 但是没有找到 效验 sRegFile.Dat 文件的地方
查找 sRegFile.Dat 字串也没有找到
查找 注册给 字串:
0061A6C2 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0061A6C5 |. BA 84A76100 MOV EDX,ssss_.0061A784 ; **
0061A6CA |. E8 89A6DEFF CALL ssss_.00404D58
0061A6CF |. 68 94A76100 PUSH ssss_.0061A794 ; 版权归 ****工作室(
0061A6D4 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
0061A6D7 |. 68 B8A76100 PUSH ssss_.0061A7B8 ; ) 所有!
0061A6DC |. 68 CCA76100 PUSH ssss_.0061A7CC ; \n\n
0061A6E1 |. 68 D8A76100 PUSH ssss_.0061A7D8 ; copyright ssstudio 2006.5 - 2009.1
0061A6E6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0061A6E9 |. BA 05000000 MOV EDX,5
0061A6EE |. E8 5DA9DEFF CALL ssss_.00405050
0061A6F3 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0061A6F6 |. 8B83 08030000 MOV EAX,DWORD PTR DS:[EBX+308]
0061A6FC |. E8 53B4E4FF CALL ssss_.00465B54
0061A701 |. A1 60266900 MOV EAX,DWORD PTR DS:[692660]
0061A706 |. 8338 00 CMP DWORD PTR DS:[EAX],0
0061A709 |. 74 36 JE SHORT ssss_.0061A741
0061A70B |. A1 60266900 MOV EAX,DWORD PTR DS:[692660]
0061A710 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0061A712 |. BA 04A86100 MOV EDX,ssss_.0061A804 ; *@!#+%$^
0061A717 |. E8 C0A9DEFF CALL ssss_.004050DC
0061A71C |. 74 23 JE SHORT ssss_.0061A741
0061A71E |. 8B0D 60266900 MOV ECX,DWORD PTR DS:[692660] ; ssss_.0069453C
0061A724 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
0061A726 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0061A729 |. BA 18A86100 MOV EDX,ssss_.0061A818 ; 注册给:
...........
期待高人讲解....
=================================================
下面是我自己随便跟的,没有什么不知道是不走错了.没有什么解释.因为是随便走的...
下断 bp CreateFileA 跟到:
0012ED0C 0056F274 /CALL 到 CreateFileA 来自 ssss.0056F26F
0012ED10 0056F394 |FileName = "\\.\PhysicalDrive0"
0012ED14 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012ED18 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012ED1C 00000000 |pSecurity = NULL
0012ED20 00000003 |Mode = OPEN_EXISTING
0012ED24 00000000 |Attributes = 0
0012ED28 00000000 \hTemplateFile = NULL
下断 bp ReadFile 跟到:
0012EDF8 0040A4FB /CALL 到 CreateFileA 来自 ssss.0040A4F6
0012EDFC 010161E8 |FileName = "C:\Downloads\ss\ssQss7.0\sRegFile.Dat"
0012EE00 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012EE04 00000000 |ShareMode = 0
0012EE08 00000000 |pSecurity = NULL
0012EE0C 00000003 |Mode = OPEN_EXISTING
0012EE10 00000080 |Attributes = NORMAL
0012EE14 00000000 \hTemplateFile = NULL
返回:
0040A4EE |. 8BC7 MOV EAX,EDI
0040A4F0 |. E8 9BACFFFF CALL ssss.00405190
0040A4F5 |. 50 PUSH EAX ; |FileName
0040A4F6 |. E8 4DD1FFFF CALL <JMP.&kernel32.CreateFileA> ; \CreateFileA
0040A4FB |> 5F POP EDI ; 01010002
0040A4FC |. 5E POP ESI
跟到下面:
004224EC |. 56 PUSH ESI
004224ED |. 84D2 TEST DL,DL
004224EF |. 74 08 JE SHORT ssss.004224F9
004224F1 |. 83C4 F0 ADD ESP,-10
004224F4 |. E8 371DFEFF CALL ssss.00404230
004224F9 |> 8BDA MOV EBX,EDX
004224FB |. 8BF0 MOV ESI,EAX
004224FD |. 66:8B45 08 MOV AX,WORD PTR SS:[EBP+8]
00422501 |. 50 PUSH EAX
00422502 |. 6A 00 PUSH 0
00422504 |. 33D2 XOR EDX,EDX
00422506 |. 8BC6 MOV EAX,ESI
00422508 |. E8 1F000000 CALL ssss.0042252C
0042250D |. 8BC6 MOV EAX,ESI
0042250F |. 84DB TEST BL,BL
00422511 |. 74 0F JE SHORT ssss.00422522
00422513 |. E8 701DFEFF CALL ssss.00404288
00422518 |. 64:8F05 00000>POP DWORD PTR FS:[0]
之后就没有了头绪....
[课程]Linux pwn 探索篇!
