DiamondCS Port Explorer 暴力分析未完成篇
【介绍】DiamondCS Port Explorer 2.0
一个查看端口的安全工具
【下载】
http://www.diamondcs.com.au/portexplorer/ ,几百K
下面是我的脱壳(完成),跟踪(不成功)过程。
我也网上搜索了下,竟没有破解(也许是不值得大鸟费工夫)。
我破解不成功,但把手记(没怎么整理,似乎很长:-))留于此,如果哪位有心得了,请跟帖。
这是一个充满反跟踪的程序,我暂时是没辙了。
主程序PortExplorer.exe为 PECompact2.x壳,
用 OD v1.10载入后运行PECOMPACT2.X脚本,程序竟跑飞了。只好
【手工脱壳了】:
忽略全部异常,OD加载来到:
0042BB99 P>B>mov eax,PortExpl.004D3EF8 ;停在这里,此时ESP=0012FFC4
0042BB9E 5>push eax
0042BB9F 6>push dword ptr fs:
0042BBA6 6>mov dword ptr fs:,esp
0042BBAD 3>xor eax,eax
0042BBAF 8>mov dword ptr ds:,ecx
0042BBB1 5>push eax
0042BBB2 4>inc ebp
0042BBB3 4>inc ebx
0042BBB4 6>outs dx,dword ptr es:
用ESP定律,在0012FFC0下硬件读中断,F9中断3次后来到,
004D3F2B 5>push ebx ;停在这里
004D3F2C 5>push ecx
004D3F2D 5>push edi
004D3F2E 5>push esi
004D3F2F 5>push edx
004D3F30 8>lea ebx,dword ptr ds:
004D3F36 8>mov edx,dword ptr ds:
004D3F39 5>push edx
004D3F3A 8>mov ebp,eax
004D3F3C 6>push 40
004D3F3E 6>push 1000
004D3F43 F>push dword ptr ds:
004D3F46 6>push 0
004D3F48 8>mov ecx,dword ptr ds:
004D3F4B 0>add ecx,edx
004D3F4D 8>mov eax,dword ptr ds: ; kernel32.VirtualAlloc,值得注意哦,往下看
004D3F4F F>call eax
004D3F51 5>pop edx
004D3F52 8>mov edi,eax
004D3F54 5>push eax
004D3F55 5>push edx
004D3F56 8>mov esi,dword ptr ds:
004D3F58 8>mov eax,dword ptr ds:
004D3F5B 0>add eax,edx
004D3F5D 8>mov ecx,dword ptr ds:
004D3F5F 8>mov dword ptr ds:,ecx
004D3F62 8>mov eax,dword ptr ds:
004D3F65 0>add eax,edx
004D3F67 8>mov ecx,dword ptr ds:
004D3F69 8>mov dword ptr ds:,ecx
004D3F6C 0>add esi,edx
004D3F6E 8>mov ecx,dword ptr ds:
004D3F71 0>add ecx,edx
004D3F73 8>lea eax,dword ptr ds:
004D3F76 5>push eax
004D3F77 5>push edi
004D3F78 5>push esi
004D3F79 F>call ecx
004D3F7B 5>pop edx
004D3F7C 5>pop eax
004D3F7D 0>add eax,dword ptr ds:
004D3F80 8>mov edi,eax
004D3F82 5>push edx
004D3F83 8>mov esi,eax
004D3F85 8>mov eax,dword ptr ds:
004D3F88 8>add eax,4
004D3F8B 2>sub esi,eax
004D3F8D 8>mov dword ptr ds:,edx
004D3F90 8>mov ecx,dword ptr ds:
004D3F93 8>mov dword ptr ds:,ecx
004D3F96 8>mov ecx,dword ptr ds:
004D3F99 5>push ecx
004D3F9A 8>mov dword ptr ds:,ecx
004D3F9D 8>mov ecx,dword ptr ds:
004D3FA0 8>mov dword ptr ds:,ecx
004D3FA3 F>call edi
004D3FA5 8>mov dword ptr ss:,eax
004D3FAB 8>mov esi,eax
004D3FAD 5>pop ecx
004D3FAE 5>pop edx
004D3FAF 0>add ecx,edx
004D3FB1 6>push 8000
004D3FB6 6>push 0
004D3FB8 5>push edi
004D3FB9 F>call dword ptr ds:
004D3FBB 8>mov eax,esi
004D3FBD 5>pop edx
004D3FBE 5>pop esi
004D3FBF 5>pop edi
004D3FC0 5>pop ecx
004D3FC1 5>pop ebx
004D3FC2 5>pop ebp
004D3FC3 F>jmp eax ;这里应该是飞向OEP了,F4到这里
004D3FC5 0>add byte ptr ds:,al
004D3FC7 0>add byte ptr ds:,al
004D3FC9 0>add byte ptr ds:,al
004D3FCB 0>add byte ptr ds:,al
F4后,
004D3FC3 - F>jmp eax ; PortExpl.<ModuleEntryPoint> —长跳标志
004D3FC5 9>cdq
004D3FC6 B>mov ebx,42
004D3FCB 0>add byte ptr ds:,al
004D3FCD 0>add byte ptr ds:,al
F7,来到了
0042BB99 P>5>push ebp ; OEP HERE!!!!
0042BB9A 8>mov ebp,esp
0042BB9C 6>push -1
0042BB9E 6>push PortExpl.00433560
0042BBA3 6>push PortExpl.0042C334
0042BBA8 6>mov eax,dword ptr fs:
0042BBAE 5>push eax
0042BBAF 6>mov dword ptr fs:,esp
0042BBB6 8>sub esp,58
0042BBB9 5>push ebx
0042BBBA 5>push esi
0042BBBB 5>push edi
0042BBBC 8>mov dword ptr ss:,esp
0042BBBF F>call dword ptr ds: ; kernel32.GetVersion
用LORDPE14脱壳到dumped.exe,
运行IMPORTREC16,OEP添2BB99,IAT搜索,获取输入表,全部为真,点修复dumped.exe为dumped_.exe(856K)。
【PECOMPACT2.X脱壳规律总结】
其实可以发现脱壳前后OEP没有改变,都是0042BB99,因此可以一开始加载后就在EIP处设置断点(注意是“硬断点,执行时”而不是一般的F2断点)。
当然也可以在第一次ESP定律后,查找00000000,首次出现的地址上一个是jmp eax就是跳OEP了(注意看OD —长跳标志)。
【】
运行dumped_.exe,哦,只见屏幕闪了下,文件浏览器没有了。
(Explorer.exe被关闭,然后操作系统会自动重新启动另一个Explorer.exe)
怀疑程序有自校验,OD一下dumped_.exe看看。
004202BD |.8>test eax,eax
004202BF |.7>je short dumped_.004202DE
004202C1 |.5>push ebx ; /Style
004202C2 |.6>push dumped_.0044C488 ; |Title = "Error"
004202C7 |.6>push dumped_.0044C42C ; |Text = "Port Explorer does not run under the context of a debugger.
Port Explorer will now close."
004202CC |.5>push ebx ; |hOwner
004202CD |.F>call dword ptr ds:[<&user32.MessageBoxA>]; \MessageBoxA
00427E33 |.F>|push dword ptr ds: ; /ProcessId
00427E35 |.6>|push 0 ; |Inheritable = FALSE
00427E37 |.6>|push 410 ; |Access = VM_READ|QUERY_INFORMATION
00427E3C |.F>|call dword ptr ds:[<&kernel32.Open>; \OpenProcess <---------
00427E42 |.8>|mov ebx,eax
00427E44 |.8>|test ebx,ebx
00427E46 |.8>|mov dword ptr ss:,ebx
00427E49 |.0>|je dumped_.00427ED5
00427E4F |.8>|lea eax,dword ptr ss:
00427E52 |.5>|push eax
00427E53 |.8>|lea eax,dword ptr ss:
00427E56 |.6>|push 4
00427E58 |.5>|push eax
00427E59 |.5>|push ebx
00427E5A |.F>|call dword ptr ss:
00427E5D |.8>|test eax,eax
00427E5F |.7>|je short dumped_.00427ECC
00427E61 |.8>|lea eax,dword ptr ss:
00427E67 |.6>|push 104
00427E6C |.5>|push eax
00427E6D |.F>|push dword ptr ss:
00427E70 |.5>|push ebx
00427E71 |.F>|call dword ptr ss:
00427E74 |.8>|test eax,eax
00427E76 |.7>|jnz short dumped_.00427E80
00427E78 |.2>|and byte ptr ss:,al
00427E7E |.E>|jmp short dumped_.00427ECC
00427E80 |>8>|lea eax,dword ptr ss:
00427E86 |.5>|push eax
00427E87 |.E>|call dumped_.00429CE0
00427E8C |.4>|dec eax
00427E8D |.5>|pop ecx
00427E8E |.8>|mov dword ptr ss:,eax
00427E91 |.7>|js short dumped_.00427EC6
00427E93 |.8>|lea ebx,dword ptr ss:
00427E9A |>8>|/cmp byte ptr ds:,5C
00427E9E |.7>||jnz short dumped_.00427EB3
00427EA0 |.6>||push dumped_.0044C88C ; /String2 = "explorer.exe" <------
00427EA5 |.5>||push ebx ; |String1 = "Ollydbg V1.10 2005.3汉化修正版+最新最全插件\Ollydbg\OLLYDBG.EXE"
00427EA6 |.F>||call dword ptr ds:[<&kernel32.lst>; \lstrcmpiA
00427EAC |.8>||test eax,eax
00427EAE |.7>||je short dumped_.00427EBE
不断列举系统当前进程,与explorer.exe进行比较,当列举到explorer.exe时,F8跟到
00427EED |.F>call esi ;KERNEL32.GetProcessHeap
004205B0 .5>push eax
004205B1 ?5>push ebx
004205B2 .6>push 1 Access = TERMINATE
004205B4 .F>call dword ptr ds:[<&kernel32.OpenP>;KERNEL32.OpenProcess
004205BA ?5>push ebx
004205BB ?5>push eax
004205BC .F>call dword ptr ss: ;KERNEL32.TerminateProcess
004205BF ?F>test byte ptr ss:,8
00427D06 /$5>push ebp
00427D07 |.8>mov ebp,esp
00427D09 |.8>sub esp,260
00427D0F |.8>or dword ptr ss:,FFFFFFFF
00427D13 |.5>push ebx
00427D14 |.5>push esi
00427D15 |.5>push edi
00427D16 |.E>call dumped_.0040FB99
00427D1B |.B>mov edi,400
00427D20 |.8>test edi,eax
00427D22 |.0>je dumped_.00427F00
00427D28 |.8>mov esi,dword ptr ds:[<&kernel32.LoadLibraryA>];KERNEL32.LoadLibraryA
00427D2E |.6>push dumped_.00436744 ; /FileName = "PSAPI.DLL"
00427D33 |.F>call esi ; \LoadLibraryA
00427D35 |.8>test eax,eax
00427D37 |.8>mov dword ptr ss:,eax
00427D3A |.0>je dumped_.00427F1D
00427D40 |.6>push dumped_.0044C89C ; /FileName = "VDMDBG.DLL"
00427D45 |.F>call esi ; \LoadLibraryA
00427D47 |.8>test eax,eax
00427D49 |.8>mov dword ptr ss:,eax
00427D4C |.0>je dumped_.00427F1D
00427D52 |.8>mov esi,dword ptr ds:[<&kernel32.GetProcAddress>>;KERNEL32.GetProcAddress
00427D58 |.6>push dumped_.00436734 ; /ProcNameOrOrdinal = "EnumProcesses"
00427D5D |.F>push dword ptr ss: ; |hModule
00427D60 |.F>call esi ; \GetProcAddress
00427D62 |.6>push dumped_.00436720 ; /ProcNameOrOrdinal = "EnumProcessModules"
00427D67 |.8>mov ebx,eax ; |
00427D69 |.F>push dword ptr ss: ; |hModule
00427D6C |.F>call esi ; \GetProcAddress
00427D6E |.6>push dumped_.00436A3C ; /ProcNameOrOrdinal = "GetModuleFileNameExA"
00427D73 |.8>mov dword ptr ss:,eax ; |
00427D76 |.F>push dword ptr ss: ; |hModule
00427D79 |.F>call esi ; \GetProcAddress
00427D7B |.6>push dumped_.00437EDC ; /ProcNameOrOrdinal = "VDMEnumTaskWOWEx"
00427D80 |.8>mov dword ptr ss:,eax ; |
00427D83 |.F>push dword ptr ss: ; |hModule
00427D86 |.F>call esi ; \GetProcAddress
00427D88 |.3>xor ecx,ecx
00427D8A |.3>cmp ebx,ecx
00427D8C |.7>je short dumped_.00427DFD
00427D8E |.3>cmp dword ptr ss:,ecx
00427D91 |.7>je short dumped_.00427DFD
00427D93 |.3>cmp dword ptr ss:,ecx
00427D96 |.7>je short dumped_.00427DFD
00427D98 |.3>cmp eax,ecx
00427D9A |.7>je short dumped_.00427DFD
00427D9C |.8>mov esi,dword ptr ds:[<&kernel32.GetProcessHeap>>;KERNEL32.GetProcessHeap
00427DA2 |.8>mov dword ptr ss:,edi
00427DA5 |.8>mov edi,dword ptr ds:[<&kernel32.HeapFree>] ;ntdll.RtlFreeHeap
00427DAB |.8>mov dword ptr ss:,ecx
00427DAE |>8>/cmp dword ptr ss:,0
00427DB2 |.7>|je short dumped_.00427DC6
00427DB4 |.F>|push dword ptr ss:
00427DB7 |.6>|push 0
00427DB9 |.F>|call esi
00427DBB |.5>|push eax
00427DBC |.F>|call edi
00427DBE |.8>|mov eax,dword ptr ss:
00427DC1 |.0>|add eax,eax
00427DC3 |.8>|mov dword ptr ss:,eax
00427DC6 |>F>|push dword ptr ss:
00427DC9 |.6>|push 0
00427DCB |.F>|call esi
00427DCD |.5>|push eax ; |hHeap
00427DCE |.F>|call dword ptr ds:[<&kernel32.HeapAlloc>] ; \HeapAlloc
00427DD4 |.8>|test eax,eax
00427DD6 |.8>|mov dword ptr ss:,eax
00427DD9 |.7>|je short dumped_.00427DFD
00427DDB |.8>|lea ecx,dword ptr ss:
00427DDE |.5>|push ecx
00427DDF |.F>|push dword ptr ss:
00427DE2 |.5>|push eax
00427DE3 |.F>|call ebx
00427DE5 |.8>|test eax,eax
00427DE7 |.7>|je short dumped_.00427DF3
00427DE9 |.8>|mov eax,dword ptr ss:
00427DEC |.3>|cmp eax,dword ptr ss:
00427DEF |.7>|jnz short dumped_.00427E12
00427DF1 |.^ E>\jmp short dumped_.00427DAE
00427DF3 |>F>push dword ptr ss:
00427DF6 |.6>push 0
00427DF8 |.F>call esi
00427DFA |.5>push eax
00427DFB |.F>call edi
00427DFD |>F>push dword ptr ss: ; /hLibModule
00427E00 |.8>mov esi,dword ptr ds:[<&kernel32.FreeLibrary>] ; |KERNEL32.FreeLibrary
00427E06 |.F>call esi ; \FreeLibrary
00427E08 |.F>push dword ptr ss: ; /hLibModule
00427E0B |.F>call esi ; \FreeLibrary
00427E0D |.E>jmp dumped_.00427F1D
00427E12 |>C>shr dword ptr ss:,2
00427E16 |.C>mov dword ptr ss:,0
00427E1D |.0>je dumped_.00427EE8
00427E23 |.8>mov eax,dword ptr ss:
00427E26 |.8>mov dword ptr ss:,eax
00427E29 |>8>/mov eax,dword ptr ss:
00427E2C |.8>|and byte ptr ss:,0
00427E33 |.F>|push dword ptr ds: ; /ProcessId
00427E35 |.6>|push 0 ; |Inheritable = FALSE
00427E37 |.6>|push 410 ; |Access = VM_READ|QUERY_INFORMATION
00427E3C |.F>|call dword ptr ds:[<&kernel32.OpenProcess>] ; \OpenProcess
00427E42 |.8>|mov ebx,eax
00427E44 |.8>|test ebx,ebx
00427E46 |.8>|mov dword ptr ss:,ebx
00427E49 |.0>|je dumped_.00427ED5
00427E4F |.8>|lea eax,dword ptr ss:
00427E52 |.5>|push eax
00427E53 |.8>|lea eax,dword ptr ss:
00427E56 |.6>|push 4
00427E58 |.5>|push eax
00427E59 |.5>|push ebx
00427E5A |.F>|call dword ptr ss:
00427E5D |.8>|test eax,eax
00427E5F |.7>|je short dumped_.00427ECC
00427E61 |.8>|lea eax,dword ptr ss:
00427E67 |.6>|push 104
00427E6C |.5>|push eax
00427E6D |.F>|push dword ptr ss:
00427E70 |.5>|push ebx
00427E71 |.F>|call dword ptr ss:
00427E74 |.8>|test eax,eax
00427E76 |.7>|jnz short dumped_.00427E80
00427E78 |.2>|and byte ptr ss:,al
00427E7E |.E>|jmp short dumped_.00427ECC
00427E80 |>8>|lea eax,dword ptr ss:
00427E86 |.5>|push eax
00427E87 |.E>|call dumped_.00429CE0
00427E8C |.4>|dec eax
00427E8D |.5>|pop ecx
00427E8E |.8>|mov dword ptr ss:,eax
00427E91 |.7>|js short dumped_.00427EC6
00427E93 |.8>|lea ebx,dword ptr ss:
00427E9A |>8>|/cmp byte ptr ds:,5C
00427E9E |.7>||jnz short dumped_.00427EB3
00427EA0 |.6>||push dumped_.0044C88C ; /String2 = "explorer.exe"
00427EA5 |.5>||push ebx ; |String1
00427EA6 |.F>||call dword ptr ds:[<&kernel32.lstrcmpi>] ; \lstrcmpiA
00427EAC |.8>||test eax,eax
00427EAE |.7>||je short dumped_.00427EBE
00427EB0 |.8>||mov eax,dword ptr ss:
00427EB3 |>4>||dec eax
00427EB4 |.4>||dec ebx
00427EB5 |.8>||test eax,eax
00427EB7 |.8>||mov dword ptr ss:,eax
00427EBA |.^ 7>|\jge short dumped_.00427E9A
00427EBC |.E>|jmp short dumped_.00427EC6
00427EBE |>8>|mov eax,dword ptr ss:
00427EC1 |.8>|mov eax,dword ptr ds:
00427EC3 |.8>|mov dword ptr ss:,eax
00427EC6 |>8>|cmp dword ptr ss:,-1
00427ECA |.7>|jnz short dumped_.00427EE8
00427ECC |>F>|push dword ptr ss: ; /hObject
00427ECF |.F>|call dword ptr ds:[<&kernel32.CloseHandle>] ; \CloseHandle
00427ED5 |>F>|inc dword ptr ss:
00427ED8 |.8>|add dword ptr ss:,4
00427EDC |.8>|mov eax,dword ptr ss:
00427EDF |.3>|cmp eax,dword ptr ss:
00427EE2 |.^ 0>\jb dumped_.00427E29
00427EE8 |>F>push dword ptr ss:
00427EEB |.6>push 0
00427EED |.F>call esi
00427EEF |.5>push eax
00427EF0 |.F>call edi
00427EF2 |.F>push dword ptr ss: ; /hLibModule
00427EF5 |.F>call dword ptr ds:[<&kernel32.FreeLibrary>] ; \FreeLibrary
00427EFB |.E>jmp dumped_.00427FE3
00427F00 |>F>test ah,8
00427F03 |.0>je dumped_.00427FE3
00427F09 |.6>push dumped_.00436710 ; /FileName = "Kernel32.DLL"
00427F0E |.F>call dword ptr ds:[<&kernel32.LoadLibraryA>] ; \LoadLibraryA
00427F14 |.8>mov edi,eax
00427F16 |.8>test edi,edi
00427F18 |.8>mov dword ptr ss:,edi
00427F1B |.7>jnz short dumped_.00427F24
00427F1D |>3>xor eax,eax
00427F1F |.E>jmp dumped_.00427FF1
00427F24 |>8>mov esi,dword ptr ds:[<&kernel32.GetProcAddress>>;KERNEL32.GetProcAddress
00427F2A |.6>push dumped_.004366F4 ; /ProcNameOrOrdinal = "CreateToolhelp32Snapshot"
00427F2F |.5>push edi ; |hModule
00427F30 |.F>call esi ; \GetProcAddress
00427F32 |.6>push dumped_.004366E4 ; /ProcNameOrOrdinal = "Process32First"
00427F37 |.5>push edi ; |hModule
00427F38 |.8>mov ebx,eax ; |
00427F3A |.F>call esi ; \GetProcAddress
00427F3C |.6>push dumped_.004366D4 ; /ProcNameOrOrdinal = "Process32Next"
00427F41 |.5>push edi ; |hModule
00427F42 |.8>mov dword ptr ss:,eax ; |
00427F45 |.F>call esi ; \GetProcAddress
00427F47 |.3>xor esi,esi
00427F49 |.8>mov dword ptr ss:,eax
00427F4C |.3>cmp eax,esi
00427F4E |.0>je dumped_.00427FE6
00427F54 |.3>cmp dword ptr ss:,esi
00427F57 |.0>je dumped_.00427FE6
00427F5D |.3>cmp ebx,esi
00427F5F |.0>je dumped_.00427FE6
00427F65 |.5>push esi
00427F66 |.6>push 2
00427F68 |.F>call ebx
00427F6A |.8>mov ebx,eax
00427F6C |.8>cmp ebx,-1
00427F6F |.7>je short dumped_.00427FE6
00427F71 |.8>lea eax,dword ptr ss:
00427F77 |.C>mov dword ptr ss:,128
00427F81 |.5>push eax
00427F82 |.5>push ebx
00427F83 |.F>call dword ptr ss:
00427F86 |>8>/test eax,eax
00427F88 |.7>|je short dumped_.00427FDC
00427F8A |.8>|lea eax,dword ptr ss:
00427F90 |.5>|push eax
00427F91 |.E>|call dumped_.00429CE0
00427F96 |.8>|mov edi,eax
00427F98 |.5>|pop ecx
00427F99 |.4>|dec edi
00427F9A |.7>|js short dumped_.00427FCF
00427F9C |.8>|lea esi,dword ptr ss:
00427FA3 |>8>|/cmp byte ptr ds:,5C
00427FA7 |.7>||jnz short dumped_.00427FB9
00427FA9 |.6>||push dumped_.0044C88C ; /String2 = "explorer.exe"
00427FAE |.5>||push esi ; |String1 <----找到explorer.exe进程后杀死
00427FAF |.F>||call dword ptr ds:[<&kernel32.lstrcmpi>] ; \lstrcmpiA
00427FB5 |.8>||test eax,eax
00427FB7 |.7>||je short dumped_.00427FC1
00427FB9 |>4>||dec edi
00427FBA |.4>||dec esi
00427FBB |.8>||test edi,edi
00427FBD |.^ 7>|\jge short dumped_.00427FA3
00427FBF |.E>|jmp short dumped_.00427FCF
00427FC1 |>8>|mov eax,dword ptr ss:
00427FC7 |.8>|cmp eax,-1
00427FCA |.8>|mov dword ptr ss:,eax
00427FCD |.7>|jnz short dumped_.00427FDC
00427FCF |>8>|lea eax,dword ptr ss:
00427FD5 |.5>|push eax
00427FD6 |.5>|push ebx
00427FD7 |.F>|call dword ptr ss:
00427FDA |.^ E>\jmp short dumped_.00427F86
00427FDC |>5>push ebx ; /hObject
00427FDD |.F>call dword ptr ds:[<&kernel32.CloseHandle>] ; \CloseHandle
00427FE3 |>8>mov esi,dword ptr ss:
00427FE6 |>F>push dword ptr ss: ; /hLibModule
00427FE9 |.F>call dword ptr ds:[<&kernel32.FreeLibrary>] ; \FreeLibrary
00427FEF |.8>mov eax,esi
00427FF1 |>5>pop edi
00427FF2 |.5>pop esi
00427FF3 |.5>pop ebx
00427FF4 |.C>leave
00427FF5 \.C>retn
05-09-16继续跟踪--------------------------:
00415928 /$55 push ebp
00415929 |.8BEC mov ebp,esp
0041592B |.81EC 40010000 sub esp,140
00415931 |.53 push ebx
00415932 |.56 push esi
00415933 |.57 push edi
00415934 |.6A 07 push 7
00415936 |.33F6 xor esi,esi
00415938 |.59 pop ecx
00415939 |.FF35 30794800 push dword ptr ds: ; /hWnd = NULL
0041593F |.33C0 xor eax,eax ; |
00415941 |.8D7D E4 lea edi,dword ptr ss: ; |
00415944 |.8975 E0 mov dword ptr ss:,esi ; |"Software\Diamond Computer Systems\Port Explorer"
00415947 |.F3:AB rep stos dword ptr es: ; |
00415949 |.FF15 C0334300 call dword ptr ds: ; \IsWindow
0041594F |.3975 0C cmp dword ptr ss:,esi
00415952 |.8945 DC mov dword ptr ss:,eax
00415955 |.75 59 jnz short PortExpl.004159B0
00415957 |.68 00A00100 push 1A000
0041595C |.56 push esi
0041595D |.68 E8D74600 push PortExpl.0046D7E8 ;ASCII "&File"
00415962 |.E8 594B0100 call PortExpl.0042A4C0
00415967 |.8B45 08 mov eax,dword ptr ss:
0041596A |.83C4 0C add esp,0C
0041596D |.48 dec eax ;Switch (cases 1..8)
0041596E |.83F8 07 cmp eax,7
00415971 |.77 38 ja short PortExpl.004159AB ; 尚未完成字符串信息复制的初始化工作则跳
00415973 |.FF2485 8D5D4100 jmp dword ptr ds:
0041597A |>E8 33450000 call PortExpl.00419EB2 ;Case 1 of switch 0041596D
0041597F |.EB 2F jmp short PortExpl.004159B0
00415981 |>E8 991E0000 call PortExpl.0041781F ;Case 3 of switch 0041596D
00415986 |.EB 28 jmp short PortExpl.004159B0
00415988 |>E8 DB310000 call PortExpl.00418B68 ;Case 4 of switch 0041596D
0041598D |.EB 21 jmp short PortExpl.004159B0
0041598F |>E8 71580000 call PortExpl.0041B205 ;Case 5 of switch 0041596D
00415994 |.EB 1A jmp short PortExpl.004159B0
00415996 |>E8 BD6B0000 call PortExpl.0041C558 ;Case 6 of switch 0041596D
0041599B |.EB 13 jmp short PortExpl.004159B0
0041599D |>E8 47920000 call PortExpl.0041EBE9 ;Case 7 of switch 0041596D
004159A2 |.EB 0C jmp short PortExpl.004159B0
004159A4 |>E8 F37E0000 call PortExpl.0041D89C ;Case 8 of switch 0041596D
004159A9 |.EB 05 jmp short PortExpl.004159B0
004159AB |>E8 1F0B0000 call PortExpl.004164CF ;Default case of switch 0041596D<---提示到期后返回这里
重新加载,HE EIP,F9,已经脱壳解码,在上段代码首部00415928地址处F2设断,F9,
再次跟进到 PortExpl.004164CF函数,其完成各个字符串的复制,其中
00416CEC |.6>push PortExpl.00439DF0 ; /String2 = "This feature is only available to licensed users of Port Explorer."
00416CF1 |.6>push PortExpl.004757E8 ; |String1 = PortExpl.004757E8
00416CF6 |.F>call esi ; \lstrcpyA
在内存004757E8处设置硬件读断点,则点到受限制的功能时会读该提示。
类似的,
00416DA0 |.6>push PortExpl.004399F0 ; /String2 = "You have %d executions or %d days left to evaluate Port Explorer."
00416DA5 |.6>push PortExpl.004766E8 ; |String1 = PortExpl.004766E8 <-----HR 004766E8
00416DAA |.F>call esi ; \lstrcpyA
F9,中断后返回用户主程序空间
0040256C |.3>cmp dword ptr ds:,ebx ;ds:=0000001E(十进制的30,表示还有30天可试用)
00402572 |.7>jl short PortExpl.004025E9
00402574 |.3>cmp dword ptr ds:,ebx ;ds:=00000032(十进制的50,表示还有50次可使用)
0040257A |.7>jl short PortExpl.004025E9
0040257C |.B>mov edi,565
00402581 |.6>push PortExpl.004363BC ; /Text = "3"
00402586 |.5>push edi ; |ControlID => 565 (1381.)
00402587 |.F>push dword ptr ss: ; |hWnd
0040258A |.F>call esi ; \SetDlgItemTextA
0040258C |.6>push PortExpl.004766E8 ; /<%s> = "You have %d executions or %d days left to evaluate Port Explorer."
00402591 |.6>push PortExpl.004762E8 ; |<%s> = "To upgrade to the registered version, simply press the Purchase Port Explorer button."
00402596 |.6>push PortExpl.004765E8 ; |<%s> = "If you wish to use Port Explorer beyond this period you must upgrade to the full registered version."
0040259B |.6>push PortExpl.004764E8 ; |<%s> = "This evaluation may be used for up to 30 days or as many as 50 executions."
004025A0 |.6>push PortExpl.004763E8 ; |<%s> = "Welcome to DiamondCS Port Explorer - Evaluation Version."
004025A5 |.8>lea eax,dword ptr ss: ; |
004025AB |.6>push PortExpl.004363A4 ; |Format = "%s %s %s %s %s"
004025B0 |.5>push eax ; |s
004025B1 |.C>mov dword ptr ds:,3 ; |
004025BB |.F>call dword ptr ds: ; \wsprintfA
004025C1 |.8>add esp,1C ;返回这里
呵呵,如果选择爆破时间、次数的话可以做内存补丁(ds:天数,ds:次数,注意要等程序自解码后再patch)。
如果注册对话框中输入假注册码,提示Error
00416C08 |.68 B0A14300 push PortExpl.0043A1B0 ; /String2 = "Error!"
00416C0D |.68 E8444700 push PortExpl.004744E8 ; |String1 = PortExpl.004744E8
00416C12 |.FFD6 call esi ; \lstrcpyA
下硬件断点HR 004744E8,
00402F48 |.6>push 200 ; /Count = 200 (512.)
00402F4D |.F>rep stos dword ptr es: ; |
00402F4F |.6>stos word ptr es: ; |
00402F51 |.A>stos byte ptr es: ; |
00402F52 |.8>lea eax,dword ptr ss: ; |
00402F58 |.8>mov dword ptr ss:,ebx ; |
00402F5B |.5>push eax ; |Buffer
00402F5C |.6>push 46E ; |ControlID = 46E (1134.)
00402F61 |.F>push dword ptr ss: ; |hWnd
00402F64 |.8>mov dword ptr ss:,ebx ; |
00402F67 |.F>call dword ptr ds: ; \GetDlgItemTextA ;在此处下断寻找注册比较算法CALL
00402F6D |.8>lea eax,dword ptr ss: ;EAX返回输入的假激活码串!!!!!!!
00402F73 |.5>push eax
00402F74 |.E>call PortExpl.00429CE0
00402F79 |.3>cmp eax,esi ;ESI=100(十六进制,即十进制256) EAX=假码长度,要求激活码长度不小于256字节
00402F7B |.5>pop ecx
00402F7C |.0>jl PortExpl.00403086 ;跳到出错Error
00402F82 |.3>xor edx,edx
00402F84 |.3>cmp eax,ebx
00402F86 |.7>jle short PortExpl.00402FA1
00402F88 |>8>/cmp byte ptr ss:,50 ;P=0x50
00402F90 |.8>|lea ecx,dword ptr ss:
00402F97 |.7>|je short PortExpl.00402FA1
00402F99 |.4>|inc edx
00402F9A |.C>|mov byte ptr ds:,20
00402F9D |.3>|cmp edx,eax
00402F9F |.^ 7>\jl short PortExpl.00402F88
00402FA1 |>8>lea eax,dword ptr ss:
00402FA7 |.6>push PortExpl.00436464 ;ASCII "PS"
00402FAC |.5>push eax
00402FAD |.E>call PortExpl.00429EA0
00402FB2 |.5>pop ecx
00402FB3 |.3>cmp eax,ebx
00402FB5 |.5>pop ecx
00402FB6 |.0>je PortExpl.00403086 -------------------->Error
00402FBC |.6>push PortExpl.00436460 ;ASCII "PE"
00402FC1 |.5>push eax
00402FC2 |.E>call PortExpl.00429EA0
00402FC7 |.5>pop ecx
00402FC8 |.3>cmp eax,ebx
00402FCA |.5>pop ecx
00402FCB |.0>je PortExpl.00403086 ----------------------->Error
00402FD1 |.6>push -7F
00402FD3 |.8>mov byte ptr ds:,bl ;这里EAX应该是有效内存地址,修改此处作标记还是改代码?
00402FD6 |.8>mov byte ptr ds:,bl
00402FD8 |.5>pop esi
00402FD9 |>8>/cmp esi,30
00402FDC |.7>|jl short PortExpl.00402FE3
00402FDE |.8>|cmp esi,39
00402FE1 |.7>|jle short PortExpl.00402FFC
00402FE3 |>8>|cmp esi,41
00402FE6 |.7>|jl short PortExpl.00402FED
00402FE8 |.8>|cmp esi,46
00402FEB |.7>|jle short PortExpl.00402FFC
00402FED |>8>|lea eax,dword ptr ss:
00402FF3 |.5>|push esi
00402FF4 |.5>|push eax
00402FF5 |.E>|call PortExpl.0040EC83
00402FFA |.5>|pop ecx
00402FFB |.5>|pop ecx
00402FFC |>4>|inc esi
00402FFD |.8>|cmp esi,80
00403003 |.^ 7>\jl short PortExpl.00402FD9
00403005 |.8>lea eax,dword ptr ss:
0040300B |.5>push eax ; /<%s>
0040300C |.8>lea eax,dword ptr ss: ; |
00403012 |.6>push PortExpl.00436458 ; |Format = "PS%sPE"
00403017 |.5>push eax ; |s
00403018 |.F>call dword ptr ds: ; \wsprintfA
0040301E |.8>add esp,0C
00403021 |.8>lea eax,dword ptr ss:
00403027 |.5>push eax ; /String2
00403028 |.8>lea eax,dword ptr ss: ; |
0040302E |.5>push eax ; |String1
0040302F |.F>call dword ptr ds: ; \lstrcpyA
00403035 |.8>lea eax,dword ptr ss:
0040303B |.5>push eax
0040303C |.6>push PortExpl.00436450 ;ASCII "pecode"
00403041 |.6>push PortExpl.0044C0FC ;ASCII "Software\Diamond Computer Systems\Port Explorer"
00403046 |.E>call PortExpl.00429699
0040304B |.F>push dword ptr ds:
00403051 |.8>lea eax,dword ptr ss:
00403054 |.F>push dword ptr ds:
0040305A |.5>push eax
0040305B |.8>lea eax,dword ptr ss:
0040305E |.5>push eax
0040305F |.8>lea eax,dword ptr ss:
00403065 |.F>push dword ptr ds:
0040306B |.5>push eax
0040306C |.E>call PortExpl.004149CF
00403071 |.8>add esp,24
00403074 |.3>cmp eax,ebx
00403076 |.7>je short PortExpl.00403086
00403078 |.6>push 40
0040307A |.6>push PortExpl.004743E8 ;ASCII "Please Note!"
0040307F |.6>push PortExpl.00436418 ;ASCII "Please restart Port Explorer to complete the upgrade"
00403084 |.E>jmp short PortExpl.0040308F
00403086 |> \B>mov eax,PortExpl.004744E8 ;ASCII "Error!" <------------------
0040308B |.6>push 10
0040308D |.5>push eax
0040308E |.5>push eax
0040308F |>5>push ebx ; |hOwner
00403090 |.F>call dword ptr ds: ; \MessageBoxA
00403096 |.5>push ebx ; /Result
00403097 |.F>push dword ptr ss: ; |hWnd
0040309A |.F>call dword ptr ds: ; \EndDialog
试着输入假码(252 decimal长):
1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012
跟踪过程中会要求重启验证,software\Diamond Computer Systems\Port Explorer
(脱壳程序似乎还没有解密输入表)
那么会用到ADVAPI32.DLL中的4个读注册表函数(用api工具查的):
796E2C47 RegQueryValueA
796EF5E6 RegQueryValueExA
796F4ABA RegQueryValueExW
796EE7C9 RegQueryValueW
在OD数据窗口查得:
00433020 处的字节 E6 F5 6E 79(小端存放,即 796EF5E6)对应于 RegQueryValueExA,程序会以 CALL DS:[00433020] 的形式调用它
因此下硬件访问断点HR 00433020
运行,中断,返回(连续共2处,此为其一)
00429703 |.5>push eax ; /pHandle
00429704 |.3>xor esi,esi ; |
00429706 |.6>push 1 ; |Access = KEY_QUERY_VALUE
00429708 |.5>push esi ; |Reserved => 0
00429709 |.F>push dword ptr ss: ; |Subkey
0042970C |.F>push dword ptr ss: ; |hKey
0042970F |.F>call dword ptr ds: ; \RegOpenKeyExA
00429715 |.8>test eax,eax
00429717 |.7>je short PortExpl.0042971E
00429719 |.6>push 1
0042971B |.5>pop eax
0042971C |.E>jmp short PortExpl.00429745
0042971E |>8>lea eax,dword ptr ss:
00429721 |.5>push eax ; /pBufSize
00429722 |.F>push dword ptr ss: ; |Buffer
00429725 |.5>push esi ; |pValueType
00429726 |.5>push esi ; |Reserved
00429727 |.F>push dword ptr ss: ; |ValueName
0042972A |.F>push dword ptr ss: ; |hKey
0042972D |.F>call dword ptr ds: ; \RegQueryValueExA <-----------------
00429733 |.8>test eax,eax
00429735 |.7>je short PortExpl.0042973A
00429737 |.6>push 1
00429739 |.5>pop esi
0042973A |>F>push dword ptr ss: ; /hKey
0042973D |.F>call dword ptr ds: ; \RegCloseKey 等搞定再来看看,thanks!