【Title】: IE Accelerator 2.22 unpacking analysis + algorithm analysis
【Author】: KuNgBiM
【Author e-mail】: [email protected]
【Software name】: IE Accelerator 2.22
【Software size】: 281KB
【Download】: attachment download
【Packer】: two-layer packer (unknown private packer + modified UPX)
【Protection】: serial number + 15-day trial + startup NAG
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OllyICE, LordPE, ImportREC
【Platform】: pirated, non-standard XP SP2
【Author's note】: research for a help request on the PYG forum.
--------------------------------------------------------------------------------
【Unpacking analysis】
Load the target program in OllyICE and ignore all exceptions.
004CF000 > 60 pushad ; EP entry
004CF001 E8 00000000 call IEAccele.004CF006
004CF006 5D pop ebp
004CF007 81ED 48124000 sub ebp,IEAccele.00401248
004CF00D 60 pushad
004CF00E E8 2B030000 call IEAccele.004CF33E ; F8 to here, then the ESP trick: hr esp, F9 to run
004CF013 61 popad
004CF014 AC lodsb ; breaks here; the self-modifying code has essentially finished decompressing
004CF015 5B pop ebx
004CF016 46 inc esi
004CF017 44 inc esp
004CF018 44 inc esp
004CF019 FD std
004CF01A 4C dec esp
004CF01B 44 inc esp
004CF01C 44 inc esp
004CF01D 44 inc esp
004CF01E C9 leave
After F9, the code has changed:
004CF000 > 60 pushad ; EP entry
004CF001 E8 00000000 call IEAccele.004CF006
004CF006 5D pop ebp
004CF007 81ED 48124000 sub ebp,IEAccele.00401248
004CF00D 60 pushad
004CF00E E8 2B030000 call IEAccele.004CF33E ; F8 to here, then the ESP trick: hr esp, F9 to run
004CF013 61 popad
004CF014 E8 1F020000 call IEAccele.004CF238 ; after the break, remove the hardware breakpoint
004CF019 B9 08000000 mov ecx,8
004CF01E 8DB5 88124000 lea esi,dword ptr ss:[ebp+401288]
004CF024 E8 2B020000 call IEAccele.004CF254
004CF029 FF95 EF124000 call dword ptr ss:[ebp+4012EF] ; checks whether the memory data is intact
004CF02F 8BD8 mov ebx,eax
004CF031 90 nop
004CF032 90 nop
004CF033 FF95 EF124000 call dword ptr ss:[ebp+4012EF] ; checks whether the memory data is intact
004CF039 2BC3 sub eax,ebx
004CF03B 0F85 8B020000 jnz IEAccele.004CF2CC ; must not jump here; we can NOP it out
004CF041 E9 86000000 jmp IEAccele.004CF0CC ; jumps to the next debugger check
004CF046 0C 4C or al,4C
004CF048 6F outsd
004CF049 61 popad
============================== (Note: this step can be skipped) ===============================
004CF0CC FF95 DE124000 call dword ptr ss:[ebp+4012DE] ; uses IsDebuggerPresent to detect a debugger
004CF0D2 85C0 test eax,eax
004CF0D4 0F85 F2010000 jnz IEAccele.004CF2CC ; must not jump here
004CF0DA 8DB5 70154000 lea esi,dword ptr ss:[ebp+401570]
004CF0E0 8D85 46134000 lea eax,dword ptr ss:[ebp+401346]
004CF0E6 8946 08 mov dword ptr ds:[esi+8],eax
004CF0E9 8BFD mov edi,ebp
004CF0EB 8D85 49144000 lea eax,dword ptr ss:[ebp+401449]
004CF0F1 33DB xor ebx,ebx
004CF0F3 50 push eax
004CF0F4 64:FF33 push dword ptr fs:[ebx]
004CF0F7 64:8923 mov dword ptr fs:[ebx],esp
004CF0FA BD 4B484342 mov ebp,4243484B
004CF0FF 66:B8 0400 mov ax,4
004CF103 CC int3
004CF104 8BEF mov ebp,edi
004CF106 33DB xor ebx,ebx
004CF108 64:8F03 pop dword ptr fs:[ebx]
004CF10B 83C4 04 add esp,4
004CF10E 3C 04 cmp al,4
================================================================================
Set a breakpoint with the command: bp VirtualProtect
F9 to run; after it breaks twice, remove all breakpoints:
004CF14A 40 inc eax ; breaks here; look downward for the exit.
004CF14B 85C0 test eax,eax
004CF14D 0F85 79010000 jnz IEAccele.004CF2CC
004CF153 8D85 24144000 lea eax,dword ptr ss:[ebp+401424]
004CF159 50 push eax
004CF15A 64:FF35 00000000 push dword ptr fs:[0]
004CF161 64:8925 00000000 mov dword ptr fs:[0],esp
004CF168 CC int3
004CF169 90 nop
004CF16A 90 nop
004CF16B 8B85 16154000 mov eax,dword ptr ss:[ebp+401516]
004CF171 60 pushad
004CF172 54 push esp
004CF173 6A 40 push 40
004CF175 68 C8000000 push 0C8
004CF17A 50 push eax
004CF17B FF95 B8124000 call dword ptr ss:[ebp+4012B8] ; VirtualProtect
004CF181 61 popad
004CF182 B9 1E000000 mov ecx,1E
004CF187 8DB5 1A154000 lea esi,dword ptr ss:[ebp+40151A]
004CF18D 8BF8 mov edi,eax
004CF18F F3:A4 rep movsb
004CF191 B9 1E000000 mov ecx,1E
004CF196 8DB5 38154000 lea esi,dword ptr ss:[ebp+401538]
004CF19C 8BF8 mov edi,eax
004CF19E 8B95 5B154000 mov edx,dword ptr ss:[ebp+40155B]
004CF1A4 03FA add edi,edx
004CF1A6 F3:A4 rep movsb
004CF1A8 8B85 5F154000 mov eax,dword ptr ss:[ebp+40155F]
004CF1AE 60 pushad
004CF1AF 54 push esp
004CF1B0 6A 40 push 40
004CF1B2 6A 05 push 5
004CF1B4 50 push eax
004CF1B5 FF95 B8124000 call dword ptr ss:[ebp+4012B8] ; VirtualProtect
004CF1BB 61 popad
004CF1BC B9 05000000 mov ecx,5
004CF1C1 8DB5 56154000 lea esi,dword ptr ss:[ebp+401556]
004CF1C7 8BF8 mov edi,eax
004CF1C9 F3:A4 rep movsb
004CF1CB 32C0 xor al,al
004CF1CD 8DBD 42124000 lea edi,dword ptr ss:[ebp+401242]
004CF1D3 B9 CB010000 mov ecx,1CB
004CF1D8 AA stosb
004CF1D9 ^ E2 FD loopd short IEAccele.004CF1D8
004CF1DB 61 popad
004CF1DC 68 10C54C00 push IEAccele.004CC510
004CF1E1 C3 retn ; found it: F2 to set a breakpoint here, F9 to run, and after the break F8 to return to the next layer's EP
After the break it returns to:
004CC510 60 pushad ; returns here; looks like a UPX EP
004CC511 BE 00804800 mov esi,IEAccele.00488000 ; F8 to here, then the ESP trick: hr esp, F9 to run
004CC516 8DBE 0090F7FF lea edi,dword ptr ds:[esi+FFF79000]
004CC51C C787 10270900 2DF5>mov dword ptr ds:[edi+92710],5374F5>
004CC526 57 push edi
004CC527 83CD FF or ebp,FFFFFFFF
004CC52A EB 0E jmp short IEAccele.004CC53A
004CC52C 90 nop
004CC52D 90 nop
004CC52E 90 nop
004CC52F 90 nop
004CC530 8A06 mov al,byte ptr ds:[esi]
004CC532 46 inc esi
004CC533 8807 mov byte ptr ds:[edi],al
004CC535 47 inc edi
004CC536 01DB add ebx,ebx
004CC538 75 07 jnz short IEAccele.004CC541
004CC53A 8B1E mov ebx,dword ptr ds:[esi]
004CC53C 83EE FC sub esi,-4
004CC53F 11DB adc ebx,ebx
004CC541 ^ 72 ED jb short IEAccele.004CC530
004CC543 B8 01000000 mov eax,1
After breaking here, remove all breakpoints:
004CC6B6 8D4424 80 lea eax,dword ptr ss:[esp-80] ; breaks here after the ESP trick; the inner UPX layer appears to have been modified too
004CC6BA 6A 00 push 0
004CC6BC 39C4 cmp esp,eax
004CC6BE ^ 75 FA jnz short IEAccele.004CC6BA
004CC6C0 83EC 80 sub esp,-80
004CC6C3 ^ E9 C447FCFF jmp IEAccele.00490E8C ; go straight here, F2 to set a breakpoint, F9 to run, then after the break F8 to return to the program's OEP
004CC6C8 ^ E0 C6 loopdne short IEAccele.004CC690
004CC6CA 4C dec esp
004CC6CB 00F0 add al,dh
004CC6CD C6 ??? ; unknown instruction
004CC6CE 4C dec esp
004CC6CF 0010 add byte ptr ds:[eax],dl
004CC6D1 37 aaa
004CC6D2 49 dec ecx
Flying to the summit of light (the OEP):
00490E8C 55 push ebp ; OEP
00490E8D 8BEC mov ebp,esp
00490E8F 83C4 F0 add esp,-10
00490E92 B8 D40B4900 mov eax,IEAccele.00490BD4
00490E97 E8 CC5AF7FF call IEAccele.00406968
00490E9C A1 D8234900 mov eax,dword ptr ds:[4923D8]
00490EA1 8B00 mov eax,dword ptr ds:[eax]
00490EA3 E8 BC04FDFF call IEAccele.00461364
00490EA8 A1 D8234900 mov eax,dword ptr ds:[4923D8]
00490EAD 8B00 mov eax,dword ptr ds:[eax]
00490EAF BA EC0E4900 mov edx,IEAccele.00490EEC ; ASCII "IE Accelerator 2.22"
00490EB4 E8 B700FDFF call IEAccele.00460F70
00490EB9 8B0D E4244900 mov ecx,dword ptr ds:[4924E4] ; IEAccele.00493FC8
00490EBF A1 D8234900 mov eax,dword ptr ds:[4923D8]
00490EC4 8B00 mov eax,dword ptr ds:[eax]
00490EC6 8B15 40B74800 mov edx,dword ptr ds:[48B740] ; IEAccele.0048B78C
00490ECC E8 AB04FDFF call IEAccele.0046137C
00490ED1 A1 D8234900 mov eax,dword ptr ds:[4923D8]
00490ED6 8B00 mov eax,dword ptr ds:[eax]
00490ED8 E8 1F05FDFF call IEAccele.004613FC
00490EDD E8 D634F7FF call IEAccele.004043B8
Dump the memory image with LordPE and fix it with ImportREC: OEP = 00490E8C - 00400000 = 00090E8C; IAT auto-search gives RVA=0009413C, SIZE=00000710,
all pointers valid; after the fix the program runs normally! The target is a Borland Delphi 6.0 - 7.0 compiled program.
Attachment: IAT.txt is the complete import table obtained by ImportREC
================================================================================
【Algorithm analysis】
Open the unpacked file in OllyICE again and use the string plugin to go straight for the target (details omitted....)
0048A8D4 55 push ebp ; KuNgBiM's algorithm analysis starts here
0048A8D5 8BEC mov ebp,esp
0048A8D7 B9 0A000000 mov ecx,0A
0048A8DC 6A 00 push 0
0048A8DE 6A 00 push 0
0048A8E0 49 dec ecx
0048A8E1 ^ 75 F9 jnz short Dumped_.0048A8DC
0048A8E3 51 push ecx
0048A8E4 53 push ebx
0048A8E5 56 push esi
0048A8E6 57 push edi
0048A8E7 8945 FC mov dword ptr ss:[ebp-4],eax
0048A8EA 33C0 xor eax,eax
0048A8EC 55 push ebp
0048A8ED 68 DDAC4800 push Dumped_.0048ACDD
0048A8F2 64:FF30 push dword ptr fs:[eax]
0048A8F5 64:8920 mov dword ptr fs:[eax],esp
0048A8F8 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0048A8FB 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A8FE 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A904 E8 4B6AFBFF call Dumped_.00441354
0048A909 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0048A90C E8 4F9EF7FF call Dumped_.00404760
0048A911 05 57040000 add eax,457
0048A916 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0048A919 E8 26E2F7FF call Dumped_.00408B44
0048A91E 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0048A921 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A924 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A92A E8 256AFBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A92F 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0048A932 BA F4AC4800 mov edx,Dumped_.0048ACF4 ; distinct
0048A937 E8 689FF7FF call Dumped_.004048A4
0048A93C 0F84 EA020000 je Dumped_.0048AC2C
0048A942 8D55 DC lea edx,dword ptr ss:[ebp-24]
0048A945 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A948 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A94E E8 016AFBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A953 8B45 DC mov eax,dword ptr ss:[ebp-24]
0048A956 BA 08AD4800 mov edx,Dumped_.0048AD08 ; team insane
0048A95B E8 449FF7FF call Dumped_.004048A4
0048A960 0F84 C6020000 je Dumped_.0048AC2C
0048A966 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0048A969 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A96C 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A972 E8 DD69FBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A977 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0048A97A BA 1CAD4800 mov edx,Dumped_.0048AD1C ; tnt!2000
0048A97F E8 209FF7FF call Dumped_.004048A4
0048A984 0F84 A2020000 je Dumped_.0048AC2C
0048A98A 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0048A98D 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A990 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A996 E8 B969FBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A99B 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0048A99E BA 30AD4800 mov edx,Dumped_.0048AD30 ; -=demian/tnt!=-
0048A9A3 E8 FC9EF7FF call Dumped_.004048A4
0048A9A8 0F84 7E020000 je Dumped_.0048AC2C
0048A9AE 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0048A9B1 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A9B4 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A9BA E8 9569FBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A9BF 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0048A9C2 BA 48AD4800 mov edx,Dumped_.0048AD48 ; -=demian/tnt!=-
0048A9C7 E8 D89EF7FF call Dumped_.004048A4
0048A9CC 0F84 5A020000 je Dumped_.0048AC2C
0048A9D2 8D55 CC lea edx,dword ptr ss:[ebp-34]
0048A9D5 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A9D8 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048A9DE E8 7169FBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048A9E3 8B45 CC mov eax,dword ptr ss:[ebp-34]
0048A9E6 BA 64AD4800 mov edx,Dumped_.0048AD64 ; distinct
0048A9EB E8 B49EF7FF call Dumped_.004048A4
0048A9F0 0F84 36020000 je Dumped_.0048AC2C
0048A9F6 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0048A9F9 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048A9FC 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048AA02 E8 4D69FBFF call Dumped_.00441354 ; compares against a blacklisted user name
0048AA07 8B45 C8 mov eax,dword ptr ss:[ebp-38]
0048AA0A BA 78AD4800 mov edx,Dumped_.0048AD78 ; tmg
0048AA0F E8 909EF7FF call Dumped_.004048A4
0048AA14 0F84 12020000 je Dumped_.0048AC2C
0048AA1A 68 84AD4800 push Dumped_.0048AD84 ; ASCII "C" // fixed string
0048AA1F 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048AA22 FFB0 2C030000 push dword ptr ds:[eax+32C] ; ASCII "MW" // fixed string
0048AA28 68 90AD4800 push Dumped_.0048AD90 ; ASCII "20" // fixed string
0048AA2D FF75 E8 push dword ptr ss:[ebp-18] ; ASCII "1124" // user-name length + "1111"
0048AA30 68 9CAD4800 push Dumped_.0048AD9C ; ASCII "-" // joined with a separator
0048AA35 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0048AA38 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048AA3B 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0048AA41 E8 0E69FBFF call Dumped_.00441354 ; gets the user name
0048AA46 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; ASCII "KuNgBiM/[DCT]"
0048AA49 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0048AA4C E8 E3FDFFFF call Dumped_.0048A834 ; takes each character's ASCII code of the user name and concatenates them
0048AA51 FF75 C4 push dword ptr ss:[ebp-3C] ; ASCII "4B754E6742694D2F5B4443545D"
0048AA54 8D45 EC lea eax,dword ptr ss:[ebp-14]
0048AA57 BA 06000000 mov edx,6
0048AA5C E8 BF9DF7FF call Dumped_.00404820 ; not sure what this does
0048AA61 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0048AA64 BA A8AD4800 mov edx,Dumped_.0048ADA8 ; \system32\spool\drivers\w32x86\2\riched20.dll
; setactiveeditcontrolfont, arial, 30
0048AA69 E8 D29AF7FF call Dumped_.00404540
0048AA6E 8D55 BC lea edx,dword ptr ss:[ebp-44]
0048AA71 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048AA74 8B80 04030000 mov eax,dword ptr ds:[eax+304]
0048AA7A E8 D568FBFF call Dumped_.00441354
0048AA7F 8B55 BC mov edx,dword ptr ss:[ebp-44] ; entered (trial) code
0048AA82 8B45 EC mov eax,dword ptr ss:[ebp-14] ; real registration code
0048AA85 E8 12A0F7FF call Dumped_.00404A9C ; classic compare
0048AA8A 85C0 test eax,eax
0048AA8C 0F84 9A010000 je Dumped_.0048AC2C ; if it jumps, you're done for!
0048AA92 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048AA95 8B80 04030000 mov eax,dword ptr ds:[eax+304]
0048AA9B 33D2 xor edx,edx
0048AA9D E8 E268FBFF call Dumped_.00441384
0048AAA2 8D45 EC lea eax,dword ptr ss:[ebp-14]
0048AAA5 E8 FE99F7FF call Dumped_.004044A8
0048AAAA 6A 00 push 0
0048AAAC 68 FCAD4800 push Dumped_.0048ADFC ; "注册成功!" (Registration successful!)
0048AAB1 68 14AE4800 push Dumped_.0048AE14 ; "注册成功,谢谢您对我们的支持." (Registration successful, thank you for your support.)
0048AAB6 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048AAB9 E8 5ECFFBFF call Dumped_.00447A1C
0048AABE 50 push eax
【Algorithm summary】
1. The user-name length + "1111"; call the sum KEY_A.
2. Concatenate the fixed strings "C", "MW", "20", KEY_A and "-"; call the result KEY_B.
3. Take each character's ASCII code of the user name and concatenate them; call the result KEY_C.
4. The registration code is KEY_B concatenated with KEY_C; call it KEY.
5. Write a keygen for the algorithm (I won't write this one; things are tense! o(∩_∩)o)
【Results】
Registration name: KuNgBiM/[DCT]
Registration code: CMW201124-4B754E6742694D2F5B4443545D
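As an added example (not the author's or the program's code), the scheme summarised above reproduced in Python to show why it fails as a licence check: the serial is a pure function of the public user name and decodes straight back to it, so anyone who reads the compare routine can derive it, and a keyed variant is placed beside it for contrast. The constant fragments and the 1111 offset come from the listing; the secret, the 24-character truncation and the HMAC construction are assumptions of this example.

```python
import hashlib
import hmac
import re

# Fixed fragments taken from the listing: "C", "MW", "20" and the "-" separator.
PREFIX = "C" + "MW" + "20"
SEP = "-"


def weak_serial(username: str) -> str:
    """KEY = KEY_B + KEY_C as summarised in the post (ASCII user names assumed).

    KEY_A: user-name length + 1111, written in decimal.
    KEY_B: "C" + "MW" + "20" + KEY_A + "-".
    KEY_C: uppercase hex of each character's ASCII code, concatenated.
    No secret is involved, so the serial is a pure function of the user name.
    """
    key_a = str(len(username) + 1111)
    key_c = username.encode("ascii").hex().upper()
    return PREFIX + key_a + SEP + key_c


def weak_check(username: str, serial: str) -> bool:
    """The 'classic compare' at 0048AA85: plain string equality."""
    return serial == weak_serial(username)


def username_from_weak_serial(serial: str):
    """The serial is an encoding, not a credential: it decodes straight back
    to the user name it was issued for. Returns None if the format is wrong."""
    m = re.fullmatch(r"CMW20(\d+)-((?:[0-9A-F]{2})+)", serial)
    if not m:
        return None
    name = bytes.fromhex(m.group(2)).decode("ascii", errors="replace")
    # KEY_A must agree with the decoded name's length, otherwise the serial was tampered with.
    return name if int(m.group(1)) == len(name) + 1111 else None


def keyed_serial(username: str, secret: bytes) -> str:
    """Contrast (assumption of this example): bind the serial to a secret the
    user never sees. HMAC keeps the example in the standard library; a shipped
    client should embed only a public key and verify a signature instead."""
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24].upper()


def keyed_check(username: str, serial: str, secret: bytes) -> bool:
    """Constant-time comparison; the secret, not the algorithm, protects the check."""
    return hmac.compare_digest(serial, keyed_serial(username, secret))
```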
【Special thanks】
Thanks to "Squn", a younger sister from [ICG], for her long and continued care. Thank you!
[ICG] = Idol Crack Group
http://icg.uu1001.com
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for 看雪技术论坛 (Pediy). When reposting, please credit the author and keep the article intact. Thank you!