Cracking the PYG CrackMe2006 8.28 self-check
Cracking the PYG CrackMe2006 8.28 self-check: unpack first, then open two OllyDbg instances (the packed original and the dump) and compare where the two files differ.
Set the breakpoint: BP rtcFileLen, press Enter, then F9 to run. When it breaks, ALT+F9 returns to the program's own code. rtcFileLen returns the file length, which the program then compares with a hard-coded constant (the CMP ESI,3C00 below). The dumped file no longer has that length, so the compare fails and the program leaves through __vbaEnd; the JE right after the compare is the self-check, and patching it so the exit is skipped defeats it.
ASPack 2.12 -> Alexey Solodovnikov
004034DC .83C4 28 ADD ESP,28
004034DF .81FE 003C0000 CMP ESI,3C00 ?
004034E5 .74 06 JE SHORT 130C.004034ED ; self-check
004034E7 .FF15 14104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaEnd>] ;msvbvm60.__vbaEnd
004034ED >8D4D B4 LEA ECX,DWORD PTR SS:
00403069 .0FBF8D 48FFFF>MOVSX ECX,WORD PTR SS:
00403070 .85C9 TEST ECX,ECX
00403072 .0F84 98000000 JE 88.00403110 ?
00403078 .C745 FC 1D000>MOV DWORD PTR SS:,1D
0040307F .C745 9C 04000>MOV DWORD PTR SS:,80020004
00403086 .C745 94 0A000>MOV DWORD PTR SS:,0A
0040308D .C745 AC 04000>MOV DWORD PTR SS:,80020004
00403094 .C745 A4 0A000>MOV DWORD PTR SS:,0A
0040309B .C785 7CFFFFFF>MOV DWORD PTR SS:,88.004022BC
004030A5 .C785 74FFFFFF>MOV DWORD PTR SS:,8
004030AF .8D95 74FFFFFF LEA EDX,DWORD PTR SS:
004030B5 .8D4D B4 LEA ECX,DWORD PTR SS:
004030B8 .FF15 B4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>;msvbvm60.__vbaVarDup
004030BE .C745 8C A8224>MOV DWORD PTR SS:,88.004022A8
004030C5 .C745 84 08000>MOV DWORD PTR SS:,8
004030CC .8D55 84 LEA EDX,DWORD PTR SS:
004030CF .8D4D C4 LEA ECX,DWORD PTR SS:
004030D2 .FF15 B4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>;msvbvm60.__vbaVarDup
004030D8 .8D55 94 LEA EDX,DWORD PTR SS:
004030DB .52 PUSH EDX
004030DC .8D45 A4 LEA EAX,DWORD PTR SS:
004030DF .50 PUSH EAX
004030E0 .8D4D B4 LEA ECX,DWORD PTR SS:
004030E3 .51 PUSH ECX
004030E4 .6A 40 PUSH 40
004030E6 .8D55 C4 LEA EDX,DWORD PTR SS:
004030E9 .52 PUSH EDX
004030EA .FF15 38104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMsgBox>>;msvbvm60.rtcMsgBox
004030F0 .8D45 94 LEA EAX,DWORD PTR SS:
004030F3 .50 PUSH EAX
Nice.. first reply, bump!!
Nice, learning!
Thanks for sharing~!~!
The 看雪 (pediy) article is well written, everyone should study it: http://bbs.pediy.com/showthread.php?t=28298
I tried the Crackme method, it works alright.
00401B84 .6A 02 PUSH 2
00401B86 .FF15 14104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeO>;msvbvm60.__vbaFreeObjList
00401B8C .83C4 24 ADD ESP,24
00401B8F .81FE 002A0000 CMP ESI,2A00 ?
00401B95 .75 6E JNZ SHORT FILELEN-.00401C05 ?
00401B97 .B9 04000280 MOV ECX,80020004
00401B9C .B8 0A000000 MOV EAX,0A
00401BA1 .894D 94 MOV DWORD PTR SS:,ECX
00401BA4 .894D A4 MOV DWORD PTR SS:,ECX
00401BA7 .894D B4 MOV DWORD PTR SS:,ECX
00401BAA .8D95 7CFFFFFF LEA EDX,DWORD PTR SS:
00401BB0 .8D4D BC LEA ECX,DWORD PTR SS:
********************************************
00401048|.E8 BDFFFFFF CALL sample2-.0040100A
0040104D|.85C0 TEST EAX,EAX
0040104F|.74 1F JE SHORT sample2-.00401070 ?
00401051|.8BF4 MOV ESI,ESP
00401053|.6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401055|.68 28004200 PUSH sample2-.00420028 ; |Title = "提示" ("Notice")
0040105A|.68 1C004200 PUSH sample2-.0042001C ; |Text = "正常运行!" ("Running normally!")
0040105F|.6A 00 PUSH 0 ; |hOwner = NULL
00401061|.FF15 B4524200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401067|.3BF4 CMP ESI,ESP
***************************************************
00401048|.E8 BDFFFFFF CALL dumped.0040100A
0040104D|.85C0 TEST EAX,EAX
0040104F|.74 1F JE SHORT dumped.00401070 ?
00401051|.8BF4 MOV ESI,ESP
00401053|.6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401055|.68 40004200 PUSH dumped.00420040 ; |Title = "提示" ("Notice")
0040105A|.68 34004200 PUSH dumped.00420034 ; |Text = "正常运行!" ("Running normally!")
0040105F|.6A 00 PUSH 0 ; |hOwner = NULL
00401061|.FF15 B4524200 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
00401067|.3BF4 CMP ESI,ESP
00401069|.E8 C2030000 CALL dumped.00401430
0040106E|.EB 1D JMP SHORT dumped.0040108D
00401070|>8BF4 MOV ESI,ESP
00401072|.6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401074|.68 40004200 PUSH dumped.00420040 ; |Title = "提示" ("Notice")
00401079|.68 1C004200 PUSH dumped.0042001C ; |Text = "文件被非法修改! !" ("File has been illegally modified!!")
0040107E|.6A 00 PUSH 0 ; |hOwner = NULL
00401080|.FF15 B4524200 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
00401086|.3BF4 CMP ESI,ESP
*********************************
Those are the three examples for you to study; I will not walk through them in the animation.
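As an added example (not code from the original post or the CrackMe), here is the patch that finishes the job once the CMP/JE pair behind rtcFileLen has been found: map the virtual address OllyDbg shows to a raw file offset through the PE section table, then flip the short JE (74 xx) to JMP SHORT (EB xx), or NOP it when falling through is the wanted path. The script refuses to write unless the bytes on disk match what the listing shows, which catches a wrong address or a file that is still packed. The PE image it builds is constructed in memory so it runs offline; the address 0x004034E5 and the bytes 81 FE 00 3C 00 00 / 74 06 / FF 15 14 10 40 00 come from the first listing, while ImageBase 0x00400000 and the section layout are assumptions.

```python
"""Added example, not code from the original post or the CrackMe: patch the
length self-check on disk. ImageBase 0x00400000 and the section layout of
the CONSTRUCTED image are assumptions; the bytes at 0x004034DF are the ones
shown in the listing."""
import struct


def _sections(pe: bytes):
    """Parse a PE32 header; return (ImageBase, [(vaddr, vsize, rawptr, rawsize)])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled (the targets here are 32-bit)")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    table = []
    for i in range(nsect):                              # IMAGE_SECTION_HEADER, 40 bytes each
        sh = opt + opt_size + i * 40
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, sh + 8)
        table.append((vaddr, vsize, rptr, rsize))
    return image_base, table


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address as OllyDbg shows it into a raw file offset."""
    image_base, table = _sections(pe)
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in table:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError(f"{va:#010x} has no bytes on disk (virtual-only data)")
            return rptr + (rva - vaddr)
    raise ValueError(f"{va:#010x} is outside every section")


def patch_short_jcc(pe: bytes, va: int, expect: bytes, mode: str = "jmp") -> bytes:
    """Patch the short Jcc at `va`: mode="jmp" -> EB xx (always taken),
    mode="nop" -> 90 90 (never taken). Refuses unless the bytes on disk equal
    `expect`, so a wrong address or a still-packed file is not silently corrupted."""
    off = va_to_file_offset(pe, va)
    found = pe[off:off + len(expect)]
    if found != expect:
        raise ValueError(f"at {va:#010x} found {found.hex()}, expected {expect.hex()}")
    if not 0x70 <= pe[off] <= 0x7F:
        raise ValueError(f"{pe[off]:#04x} is not a short Jcc opcode")
    if mode == "jmp":
        new = b"\xEB" + pe[off + 1:off + 2]             # keep the rel8 displacement
    elif mode == "nop":
        new = b"\x90\x90"
    else:
        raise ValueError("mode must be 'jmp' or 'nop'")
    out = bytearray(pe)
    out[off:off + 2] = new
    return bytes(out)


def patch_file(path: str, va: int, expect: bytes, mode: str = "jmp") -> str:
    """Patch a real file; writes <path>.patched and returns that name."""
    with open(path, "rb") as f:
        pe = f.read()
    out_path = path + ".patched"
    with open(out_path, "wb") as f:
        f.write(patch_short_jcc(pe, va, expect, mode))
    return out_path


def build_sample_pe() -> bytes:
    """CONSTRUCTED PE32: one .text section (RVA 0x1000, file offset 0x400) carrying
    CMP ESI,3C00 / JE SHORT +6 / CALL [__vbaEnd] at VA 0x004034DF, so the JE sits
    at 0x004034E5 exactly as in the listing."""
    image_base, text_rva, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x4000
    text = bytearray(text_size)
    seq = bytes.fromhex("81FE003C0000" "7406" "FF1514104000")
    pos = 0x004034DF - image_base - text_rva
    text[pos:pos + len(seq)] = seq
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, text_rva + text_size, text_raw)  # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                       text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return headers.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    pe = build_sample_pe()
    off = va_to_file_offset(pe, 0x004034E5)
    patched = patch_short_jcc(pe, 0x004034E5, b"\x74\x06")
    print(f"file offset {off:#x}: {pe[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

On a real target, `patch_file("dumped.exe", 0x004034E5, b"\x74\x06")` writes `dumped.exe.patched`; run it against the unpacked file, since the packed original has different bytes at that offset and is rejected. Patching the disk file is all a FileLen check needs; a check that hashes the file or the memory image is the case handled in section 3.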
3. Use third-party tools to help find the key location. Many programs use CRC or MD5 to verify the file on disk or the in-memory image. For such programs we can use an algorithm-identification tool to find the cryptographic algorithm and its core routine, then work upward layer by layer to the original call site and change the flow there. Using sample1.EXE from the attachment again, with the unpacked file dumped.EXE, we now defeat this program's self-check. First analyze dumped.EXE with PEiD's KANAL plugin to see which cryptographic algorithms it uses, as shown in the figure,
Thanks for posting; there are so many self-checking programs now, this is exactly what I need to learn!
Downloading to have a look!
Looking forward to the next tutorial.
Really, thank you so much
Self-checks really are annoying. Annoying.
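An added example (not from the post) that models the CRC32/MD5 file check section 3 describes, so the two usual ways around it can be tried on a constructed input. The layout is assumed and typical of home-made checks: the digest of the whole file minus its last field is stored in that field (4 bytes for CRC32, 16 for MD5). If the expected value is data in the file, patching and then rewriting the stored digest is enough and no code is touched; if it is a constant baked into the code, the compare after the digest call is patched exactly like the JE in the length check. The scan function tells the two cases apart by looking for a dword equal to the CRC32 of everything else in the file.

```python
"""Added example, not code from the original post: a model of a CRC32/MD5
file self-check and of the two usual bypasses. ASSUMED layout: the digest
of the file minus its last field is stored in that field (4 bytes CRC32,
16 bytes MD5). The 'program' bytes are CONSTRUCTED filler."""
import hashlib
import zlib


def digest(data: bytes, algo: str) -> bytes:
    """CRC32 (little-endian dword) or MD5 of `data`."""
    if algo == "crc32":
        return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")
    if algo == "md5":
        return hashlib.md5(data).digest()
    raise ValueError(f"unknown algorithm {algo!r}")


def seal(body: bytes, algo: str) -> bytes:
    """What the build step does: append the digest so self_check() passes."""
    return body + digest(body, algo)


def self_check(image: bytes, algo: str) -> bool:
    """What the program does at start-up: recompute and compare with the stored value."""
    n = len(digest(b"", algo))
    return digest(image[:-n], algo) == image[-n:]


def patch(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Plain byte patch, as a hex editor would do it; this breaks the digest."""
    out = bytearray(image)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def patch_and_reseal(image: bytes, offset: int, new_bytes: bytes, algo: str) -> bytes:
    """Bypass 1 (expected value stored in the file): patch, then rewrite the digest."""
    n = len(digest(b"", algo))
    return seal(patch(image, offset, new_bytes)[:-n], algo)


def find_stored_crc32(image: bytes) -> list:
    """Offsets of every dword equal to the CRC32 of all other bytes of the file.
    A hit means the expected value is data and can be resealed; no hit suggests a
    constant in code, i.e. the compare after the CRC call is what gets patched."""
    hits = []
    for off in range(len(image) - 3):
        rest = image[:off] + image[off + 4:]
        if zlib.crc32(rest) & 0xFFFFFFFF == int.from_bytes(image[off:off + 4], "little"):
            hits.append(off)
    return hits


def build_sample_body() -> bytes:
    """CONSTRUCTED stand-in for the program: 1 KiB of filler with a
    CMP EAX,1 / JE SHORT +8 pair at offset 0x40 (the JE opcode is at 0x43)."""
    body = bytearray(range(256)) * 4
    body[0x40:0x45] = bytes.fromhex("83F801" "7408")
    return bytes(body)


if __name__ == "__main__":
    image = seal(build_sample_body(), "crc32")
    naive = patch(image, 0x43, b"\xEB")               # JE -> JMP, digest untouched
    fixed = patch_and_reseal(image, 0x43, b"\xEB", "crc32")
    print("original passes:", self_check(image, "crc32"))
    print("naive patch passes:", self_check(naive, "crc32"))
    print("patch + reseal passes:", self_check(fixed, "crc32"))
    print("stored CRC32 found at:", [hex(o) for o in find_stored_crc32(image)])
```

The scan is quadratic in the file size, which is fine for a CrackMe but slow on a multi-megabyte binary; there, restrict it to the overlay and the last few kilobytes, where such fields usually live. A memory-image check that hashes the loaded sections cannot be fixed by resealing the file at all, which is why the post traces from the digest routine up to the call site.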