宣宣极速网络电视: unpacking, removing the self-check, and algorithm analysis
【Title】宣宣极速网络电视: unpacking, removing the self-check, and algorithm analysis
【Author】lhl8730
【Author e-mail】[email protected]
【Author homepage】
【Tools】OD, PEiD, UE
【Platform】XP SP2
【Software name】宣宣极速网络电视 (Xuanxuan Jisu Internet TV)
【Software size】396KB
【Original download】http://www.xuansoft.com/
【Protection】self-check + serial number
【Software description】High-speed live sports channels: ESPN, STAR Sports, Beijing Sports, CCTV5, GoalTV football, etc. ◎ Hong Kong, Macao and Taiwan: TVB Jade, ATV Home, the Phoenix channels (Chinese, InfoNews, Movies), the STAR channels (STAR TV, Sports, Movies), TVB8, HBO, the ETTV channels, CETV, Dongfeng, CTS and other high-rating stations ◎ CCTV and the best provincial and municipal stations (Hunan, Shanghai, Jiangsu, Zhejiang, Hainan, etc.) ◎ Foreign TV: ABC, BBC, CNN, CNBC, Arirang, Discovery, Deutsche Welle and other well-known channels worldwide
Software advantages:
1. The software uses cutting-edge acceleration technology for smoother playback
2. Clear programme categories and a convenient tree-style programme menu make it easier to use
3. The TV screen can be freely resized and docked without getting in the way of other work
4. Register once, use for life, with free online upgrades for life
------------------------------------------------------------------------
First unpack it directly with OD; that part is simple. Running the unpacked file pops up an error window telling you to close the program. That is obviously a self-check.
1. Removing the self-check.
Loading it in OD and trying to patch the self-check out failed every time, because there are several more self-checks later on, so I changed approach.
After entering the program it stops here:
0049CC5C >/$ 55 PUSH EBP
0049CC5D|. 8BEC MOV EBP,ESP
0049CC5F|. 83C4 EC ADD ESP,-14
0049CC62|. 33C0 XOR EAX,EAX
0049CC64|. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0049CC67|. B8 BCC84900 MOV EAX,15.0049C8BC
0049CC6C|. E8 2398F6FF CALL 15.00406494
0049CC71|. 33C0 XOR EAX,EAX
0049CC73|. 55 PUSH EBP
0049CC74|. 68 2ACD4900 PUSH 15.0049CD2A
0049CC79|. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049CC7C|. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049CC7F|. 6A 40 PUSH 40
0049CC81|. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0049CC84|. 33C0 XOR EAX,EAX
0049CC86|. E8 8D5EF6FF CALL 15.00402B18 ; this CALL obtains the program's path
0049CC8B > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14] ; path into ECX
0049CC8E B2 01 MOV DL,1 ; 1 into DL
0049CC90|. A1 DC7E4100 MOV EAX,DWORD PTR DS:[417EDC]
0049CC95|. E8 E6FBF7FF CALL 15.0041C880
0049CC9A|. A3 541E4A00 MOV DWORD PTR DS:[4A1E54],EAX
0049CC9F|. 33C0 XOR EAX,EAX
0049CCA1|. 55 PUSH EBP
0049CCA2|. 68 0DCD4900 PUSH 15.0049CD0D
0049CCA7|. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049CCAA|. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049CCAD|. A1 AC024A00 MOV EAX,DWORD PTR DS:[4A02AC]
0049CCB2|. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049CCB4|. E8 53B1FDFF CALL 15.00477E0C
0049CCB9|. A1 AC024A00 MOV EAX,DWORD PTR DS:[4A02AC]
0049CCBE|. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049CCC0|. C640 5B 00 MOV BYTE PTR DS:[EAX+5B],0
0049CCC4|. A1 58014A00 MOV EAX,DWORD PTR DS:[4A0158]
0049CCC9|. 8B15 541E4A00 MOV EDX,DWORD PTR DS:[4A1E54]
0049CCCF|. 8910 MOV DWORD PTR DS:[EAX],EDX
0049CCD1|. 8B0D 98004A00 MOV ECX,DWORD PTR DS:[4A0098] ; 15.004A1E48
0049CCD7|. A1 AC024A00 MOV EAX,DWORD PTR DS:[4A02AC]
0049CCDC|. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049CCDE|. 8B15 58974900 MOV EDX,DWORD PTR DS:[499758] ; 15.004997A4
0049CCE4|. E8 3BB1FDFF CALL 15.00477E24 ; the self-check error window appears at this point
0049CCE9|. A1 AC024A00 MOV EAX,DWORD PTR DS:[4A02AC]
0049CCEE|. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049CCF0|. E8 AFB1FDFF CALL 15.00477EA4
0049CCF5|. 33C0 XOR EAX,EAX
0049CCF7|. 5A POP EDX
0049CCF8|. 59 POP ECX
0049CCF9|. 59 POP ECX
Analysis shows that this self-check takes some values from the file, runs them through a computation and compares the result; only if it matches does the program continue. So it is enough to hand the original file's path to ECX instead.
For the specific method see prince's article (http://bbs.pediy.com/showthread.php?threadid=14860).
My unpacked file is named 1.exe. First open 1.exe in UE and paste the original file path D:\Program Files\xuansoft\xuansoft.exe at offset 000cf3000.
Save it as 15.exe, open 15.exe in OD, and at 0049CC8B change the instruction to JMP 4C9FE0:
0049CC86|. E8 8D5EF6FF CALL 15.00402B18 ; this CALL obtains the program's path
0049CC8B > E9 50D30200 JMP 15.004C9FE0
0049CC90|. A1 DC7E4100 MOV EAX,DWORD PTR DS:[417EDC]
0049CC95|. E8 E6FBF7FF CALL 15.0041C880
0049CC9A|. A3 541E4A00 MOV DWORD PTR DS:[4A1E54],EAX
At 4C9FE0 write the following:
004C9FE0 B9 0030CF04 MOV ECX,4CF3000 ; 4CF3000 holds the original file path
004C9FE5 B2 01 MOV DL,1
004C9FE7 ^ E9 A42CFDFF JMP 15.0049CC90
004C9FEC 00 DB 00
004C9FED 00 DB 00
Then save the file as 151.exe. The file now runs.
2. Algorithm analysis
After running the file there is an error prompt, but the string cannot be found. Set the universal breakpoint with the plugin; it breaks here:
77D3353D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
77D3353F 8BC8 MOV ECX,EAX
77D33541 83E1 03 AND ECX,3
77D33544 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
77D33546 E8 E3FBFFFF CALL USER32.77D3312E
77D3354B 5F POP EDI
77D3354C 5E POP ESI
77D3354D 8BC3 MOV EAX,EBX
77D3354F 5B POP EBX
77D33550 5D POP EBP
77D33551 C2 1000 RETN 10
Press Ctrl+F9 a few times to return to the program's own code. It stops here:
0045C705 C3 RETN
0045C706 8BC0 MOV EAX,EAX
0045C708 53 PUSH EBX
0045C709 56 PUSH ESI
0045C70A 57 PUSH EDI
0045C70B 8BF2 MOV ESI,EDX
0045C70D 33DB XOR EBX,EBX
0045C70F E8 448AFFFF CALL 151.00455158
0045C714 8BF8 MOV EDI,EAX
Then keep pressing F8 until you reach this point:
00498779|. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049877C|. 50 PUSH EAX ; the fake code (the serial that was entered)
0049877D|. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00498780|. 8BC3 MOV EAX,EBX
00498782|. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00498784|. FF91 F8000000 CALL DWORD PTR DS:[ECX+F8]
0049878A|. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; machine code
0049878D|. 8B8B 20030000 MOV ECX,DWORD PTR DS:[EBX+320] ; the string "haoxuan", used in the computation
00498793|. 5A POP EDX ; 00EA8F44
00498794|. E8 B7ECFFFF CALL 151.00497450 ; key CALL, step in
00498799|. 8BD8 MOV EBX,EAX
0049879B|. 33C0 XOR EAX,EAX
0049879D|. 5A POP EDX
0049879E|. 59 POP ECX
0049879F|. 59 POP ECX
004987A0|. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004987A3|. 68 BD874900 PUSH 151.004987BD
004987A8|> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004987AB|. BA 02000000 MOV EDX,2
004987B0|. E8 E7B9F6FF CALL 151.0040419C
004987B5\. C3 RETN
004987B6 .- E9 C1B3F6FF JMP 151.00403B7C
004987BB .^ EB EB JMP SHORT 151.004987A8
004987BD . 8BC3 MOV EAX,EBX
004987BF . 5B POP EBX
004987C0 . 59 POP ECX
004987C1 . 59 POP ECX
004987C2 . 5D POP EBP
004987C3 . C3 RETN
Step into the CALL at 498794 and arrive here:
00497450 /$ 55 PUSH EBP
00497451 |. 8BEC MOV EBP,ESP
00497453 |. 81C4 FCFEFFFF ADD ESP,-104
00497459 |. 53 PUSH EBX
0049745A |. 56 PUSH ESI
0049745B |. 57 PUSH EDI
0049745C |. 33DB XOR EBX,EBX
0049745E |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00497461 |. 8BF9 MOV EDI,ECX
00497463 |. 8BF2 MOV ESI,EDX
00497465 |. 8BD8 MOV EBX,EAX
00497467 |. 33C0 XOR EAX,EAX
00497469 |. 55 PUSH EBP
0049746A |. 68 B7744900 PUSH 151.004974B7
0049746F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00497472 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00497475 |. 8D8D FCFEFFFF LEA ECX,DWORD PTR SS:[EBP-104]
0049747B |. 8BD7 MOV EDX,EDI
0049747D |. 8BC3 MOV EAX,EBX
0049747F |. E8 64FEFFFF CALL 151.004972E8 ; algorithm CALL, step in
00497484 |. 8D95 FCFEFFFF LEA EDX,DWORD PTR SS:[EBP-104]
0049748A |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0049748D |. E8 4ACFF6FF CALL 151.004043DC
00497492 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497495 |. 8BD6 MOV EDX,ESI
00497497 |. E8 E8D0F6FF CALL 151.00404584
0049749C |. 0F94C0 SETE AL
0049749F |. 8BD8 MOV EBX,EAX
004974A1 |. 33C0 XOR EAX,EAX
004974A3 |. 5A POP EDX
004974A4 |. 59 POP ECX
004974A5 |. 59 POP ECX
004974A6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004974A9 |. 68 BE744900 PUSH 151.004974BE
004974AE |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004974B1 |. E8 C2CCF6FF CALL 151.00404178
004974B6 \. C3 RETN
004974B7 .- E9 C0C6F6FF JMP 151.00403B7C
004974BC .^ EB F0 JMP SHORT 151.004974AE
004974BE . 8BC3 MOV EAX,EBX
004974C0 . 5F POP EDI
004974C1 . 5E POP ESI
004974C2 . 5B POP EBX
004974C3 . 8BE5 MOV ESP,EBP
004974C5 . 5D POP EBP
004974C6 . C3 RETN
Step into the CALL at 4972E8 and arrive here:
004972E8 /$ 55 PUSH EBP
004972E9 |. 8BEC MOV EBP,ESP
004972EB |. 83C4 E0 ADD ESP,-20
004972EE |. 53 PUSH EBX
004972EF |. 56 PUSH ESI
004972F0 |. 57 PUSH EDI
004972F1 |. 33DB XOR EBX,EBX
004972F3 |. 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
004972F6 |. 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
004972F9 |. 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
004972FC |. 8BF9 MOV EDI,ECX
004972FE |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00497301 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00497304 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497307 |. E8 1CD3F6FF CALL 151.00404628
0049730C |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049730F |. E8 14D3F6FF CALL 151.00404628
00497314 |. 33C0 XOR EAX,EAX
00497316 |. 55 PUSH EBP
00497317 |. 68 41744900 PUSH 151.00497441
0049731C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049731F |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00497322 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; check whether the machine code is 0 (empty)
00497326 |. 74 6F JE SHORT 151.00497397
00497328 |. BB 01000000 MOV EBX,1
0049732D |. 8D75 EF LEA ESI,DWORD PTR SS:[EBP-11]
00497330 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; machine code into EAX
00497333 |. E8 00D1F6FF |CALL 151.00404438 ; get the number of digits of the machine code
00497338 |. 50 |PUSH EAX
00497339 |. 8BC3 |MOV EAX,EBX
0049733B |. 48 |DEC EAX
0049733C |. 5A |POP EDX
0049733D |. 8BCA |MOV ECX,EDX
0049733F |. 99 |CDQ
00497340 |. F7F9 |IDIV ECX
00497342 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; machine code into EAX
00497345 |. 8A0410 |MOV AL,BYTE PTR DS:[EAX+EDX] ; take the first digit of the machine code
00497348 |. 50 |PUSH EAX
00497349 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
0049734C |. E8 E7D0F6FF |CALL 151.00404438
00497351 |. 5A |POP EDX
00497352 |. 32D0 |XOR DL,AL ; XOR the hex value of the machine code's first digit with the digit count
00497354 |. 32D3 |XOR DL,BL ; XOR that result with the value in BL
00497356 |. 8816 |MOV BYTE PTR DS:[ESI],DL ; the result is stored at 12F637; watch it with DD 12F637 and note how the value changes; what follows loops over the machine code
00497358 |. 43 |INC EBX
00497359 |. 46 |INC ESI
0049735A |. 83FB 0A |CMP EBX,0A
0049735D |.^ 75 D1 \JNZ SHORT 151.00497330
0049735F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00497362 |. E8 D1D0F6FF CALL 151.00404438
00497367 |. 8BF0 MOV ESI,EAX
00497369 |. 85F6 TEST ESI,ESI
0049736B |. 7E 2A JLE SHORT 151.00497397
0049736D |. BB 01000000 MOV EBX,1
00497372 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00497375 |. E8 BED0F6FF |CALL 151.00404438
0049737A |. 2BC3 |SUB EAX,EBX ; this pass takes digits from the end of the machine code and XORs them with the corresponding results from the front
0049737C |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0049737F |. 8A0C02 |MOV CL,BYTE PTR DS:[EDX+EAX]
00497382 |. 8BC3 |MOV EAX,EBX
00497384 |. 48 |DEC EAX
00497385 |. 51 |PUSH ECX
00497386 |. B9 09000000 |MOV ECX,9
0049738B |. 99 |CDQ
0049738C |. F7F9 |IDIV ECX
0049738E |. 59 |POP ECX
0049738F |. 304C15 EF |XOR BYTE PTR SS:[EBP+EDX-11],CL ; watch the value at 12F637 change
00497393 |. 43 |INC EBX
00497394 |. 4E |DEC ESI
00497395 |.^ 75 DB \JNZ SHORT 151.00497372
00497397 |> 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0049739B |. 74 39 JE SHORT 151.004973D6
0049739D |. BB 01000000 MOV EBX,1
004973A2 |. 8D75 EF LEA ESI,DWORD PTR SS:[EBP-11]
004973A5 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ; the string "haoxuan"
004973A8 |. E8 8BD0F6FF |CALL 151.00404438
004973AD |. 50 |PUSH EAX
004973AE |. 8BC3 |MOV EAX,EBX
004973B0 |. 48 |DEC EAX
004973B1 |. 5A |POP EDX
004973B2 |. 8BCA |MOV ECX,EDX ; this pass XORs the result above with the value of the corresponding letter of the string
004973B4 |. 99 |CDQ
004973B5 |. F7F9 |IDIV ECX
004973B7 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
004973BA |. 8A0410 |MOV AL,BYTE PTR DS:[EAX+EDX]
004973BD |. 3206 |XOR AL,BYTE PTR DS:[ESI]
004973BF |. 50 |PUSH EAX
004973C0 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
004973C3 |. E8 70D0F6FF |CALL 151.00404438
004973C8 |. 5A |POP EDX
004973C9 |. 32D0 |XOR DL,AL
004973CB |. 32D3 |XOR DL,BL
004973CD |. 8816 |MOV BYTE PTR DS:[ESI],DL ; the result is still kept at 12F637
004973CF |. 43 |INC EBX
004973D0 |. 46 |INC ESI
004973D1 |. 83FB 0A |CMP EBX,0A
004973D4 |.^ 75 CF \JNZ SHORT 151.004973A5
004973D6 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004973D9 |. E8 9ACDF6FF CALL 151.00404178
004973DE |. BB 09000000 MOV EBX,9
004973E3 |. 8D75 EF LEA ESI,DWORD PTR SS:[EBP-11]
004973E6 |> 8D45 E4 /LEA EAX,DWORD PTR SS:[EBP-1C]
004973E9 |. 8A16 |MOV DL,BYTE PTR DS:[ESI]
004973EB |. E8 70CFF6FF |CALL 151.00404360
004973F0 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004973F3 |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
004973F6 |. E8 45D0F6FF |CALL 151.00404440 ; this loop converts the result bytes above into characters
004973FB |. 46 |INC ESI ; yielding a string
004973FC |. 4B |DEC EBX
004973FD |.^ 75 E7 \JNZ SHORT 151.004973E6
004973FF |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00497402 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00497405 |. E8 9AFDFFFF CALL 151.004971A4 ; algorithm CALL, step in
0049740A |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0049740D |. 8BC7 MOV EAX,EDI ; the real code appears
0049740F |. B9 FF000000 MOV ECX,0FF
00497414 |. E8 FBCFF6FF CALL 151.00404414
00497419 |. 33C0 XOR EAX,EAX
0049741B |. 5A POP EDX
0049741C |. 59 POP ECX
0049741D |. 59 POP ECX
0049741E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00497421 |. 68 48744900 PUSH 151.00497448
00497426 |> 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00497429 |. BA 03000000 MOV EDX,3
0049742E |. E8 69CDF6FF CALL 151.0040419C
00497433 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00497436 |. BA 02000000 MOV EDX,2
0049743B |. E8 5CCDF6FF CALL 151.0040419C
00497440 \. C3 RETN
00497441 .- E9 36C7F6FF JMP 151.00403B7C
00497446 .^ EB DE JMP SHORT 151.00497426
00497448 . 5F POP EDI
00497449 . 5E POP ESI
0049744A . 5B POP EBX
0049744B . 8BE5 MOV ESP,EBP
0049744D . 5D POP EBP
0049744E . C3 RETN
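The check traced above computes the expected code on the client, from the machine code and the constant string "haoxuan", and then compares it with what the user typed in. Whoever can single-step that routine can reproduce the generator, which is the structural weakness the analysis exposes. The defender-side alternative, shown here as an added example that is not part of the original post and not code from the analysed program: the licence issuer signs the machine ID with a private key, and the client embeds only the public key, so extracting the client's check yields nothing that can forge a licence. This uses textbook RSA with constructed Mersenne primes purely to stay dependency-free for illustration; a real deployment would use a vetted library and standard key sizes. All function names and the sample machine IDs are assumptions.

```python
import hashlib

# Constructed toy key material: the Mersenne primes 2^61-1 and 2^31-1.
# Far too small for real use; chosen only so the example runs without a crypto library.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q                 # public modulus, embedded in the client
E = 65537                 # public exponent, embedded in the client
PHI = (P - 1) * (Q - 1)


def _egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = _egcd(b, a % b)
    return g, y, x - (a // b) * y


def _modinv(a: int, m: int) -> int:
    g, x, _ = _egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


# Private exponent: lives only with the licence issuer, never in the shipped client.
D = _modinv(E, PHI)


def _digest(machine_id: str) -> int:
    """Hash the machine ID and truncate to 64 bits so the value is below N."""
    h = hashlib.sha256(machine_id.encode("utf-8")).digest()
    return int.from_bytes(h[:8], "big")


def issue_licence(machine_id: str, private_exponent: int = D) -> str:
    """Issuer side: sign the hashed machine ID. Returns the licence as hex."""
    signature = pow(_digest(machine_id), private_exponent, N)
    return format(signature, "x")


def verify_licence(machine_id: str, licence: str) -> bool:
    """Client side: only N and E are needed. Rejects malformed or out-of-range input."""
    try:
        signature = int(licence, 16)
    except ValueError:
        return False
    if not 0 < signature < N:
        return False
    return pow(signature, E, N) == _digest(machine_id)


if __name__ == "__main__":
    # Constructed sample machine IDs, standing in for whatever the product derives.
    lic = issue_licence("MID-0001")
    print("licence for MID-0001:", lic)
    print("verify on same machine:", verify_licence("MID-0001", lic))
    print("verify on other machine:", verify_licence("MID-0002", lic))
```

Contrast with the traced routine: there the comparison at 0049749C is between two values the client itself can compute, so the "real code" is visible in memory (EDI at 0049740D). Here the client can only confirm a licence, not produce one; the secret needed to produce one (`D`) never ships.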
------------------------------------------------------------------------
For lack of time I'll stop here; I hope some expert can write up the algorithm of the second CALL.
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by lhl8730 on 2006-4-22 20:56 ]

Plaintext comparison, that's what I like.

Learned a thing or two.

After I unpacked it, it ran fine; I didn't see any self-check behaviour. Below is the software after I unpacked it.
[ This post was last edited by yunfeng on 2006-4-23 13:28 ]

Why is your unpacked file even bigger than the original? I don't know how you unpacked it.

Which plugin provides the universal breakpoint?

Choose APIBREAK in the plugins.

Originally posted by lhl8730 on 2006-4-23 15:53:
Why is your unpacked file even bigger than the original? I don't know how you unpacked it.
Could it be that the unpacked file is smaller than the original?

Originally posted by 飘云 on 2006-4-29 20:06:
Could it be that the unpacked file is smaller than the original?
After unpacking it really is smaller than the original.

Really? Let me try. Heh, yes, it is smaller!!!
[ This post was last edited by godhack on 2006-5-13 19:25 ]