【介绍】
DiamondCS Port Explorer 2.0
一个查看端口的安全工具
【下载】
http://www.diamondcs.com.au/portexplorer/ ,几百K
下面是我的脱壳(完成),跟踪(不成功)过程。
我也网上搜索了下,竟没有破解(也许是不值得大鸟费工夫)。
我破解不成功,但把手记(没怎么整理,似乎很长:-))留于此,如果哪位有心得了,请跟帖。
这是一个充满反跟踪的程序,我暂时是没辙了。
主程序PortExplorer.exe为PECompact2.x壳,
用OD v1.10载入后运行PECompact2.x脚本,程序竟跑飞了。只好
【手工脱壳了】:
忽略全部异常,OD加载来到:
0042BB99 P> B>mov eax,PortExpl.004D3EF8 ;停在这里,此时ESP=0012FFC4
0042BB9E 5>push eax
0042BB9F 6>push dword ptr fs:[0]
0042BBA6 6>mov dword ptr fs:[0],esp
0042BBAD 3>xor eax,eax
0042BBAF 8>mov dword ptr ds:[eax],ecx
0042BBB1 5>push eax
0042BBB2 4>inc ebp
0042BBB3 4>inc ebx
0042BBB4 6>outs dx,dword ptr es:[edi]
用ESP定律,在0012FFC0下硬件读断点,F9中断3次后来到,
004D3F2B 5>push ebx ;停在这里
004D3F2C 5>push ecx
004D3F2D 5>push edi
004D3F2E 5>push esi
004D3F2F 5>push edx
004D3F30 8>lea ebx,dword ptr ds:[eax+10001132]
004D3F36 8>mov edx,dword ptr ds:[ebx+18]
004D3F39 5>push edx
004D3F3A 8>mov ebp,eax
004D3F3C 6>push 40
004D3F3E 6>push 1000
004D3F43 F>push dword ptr ds:[ebx+4]
004D3F46 6>push 0
004D3F48 8>mov ecx,dword ptr ds:[ebx+10]
004D3F4B 0>add ecx,edx
004D3F4D 8>mov eax,dword ptr ds:[ecx] ; kernel32.VirtualAlloc ,值得注意哦,往下看
004D3F4F F>call eax
004D3F51 5>pop edx
004D3F52 8>mov edi,eax
004D3F54 5>push eax
004D3F55 5>push edx
004D3F56 8>mov esi,dword ptr ds:[ebx]
004D3F58 8>mov eax,dword ptr ds:[ebx+20]
004D3F5B 0>add eax,edx
004D3F5D 8>mov ecx,dword ptr ds:[eax]
004D3F5F 8>mov dword ptr ds:[ebx+20],ecx
004D3F62 8>mov eax,dword ptr ds:[ebx+1C]
004D3F65 0>add eax,edx
004D3F67 8>mov ecx,dword ptr ds:[eax]
004D3F69 8>mov dword ptr ds:[ebx+1C],ecx
004D3F6C 0>add esi,edx
004D3F6E 8>mov ecx,dword ptr ds:[ebx+C]
004D3F71 0>add ecx,edx
004D3F73 8>lea eax,dword ptr ds:[ebx+1C]
004D3F76 5>push eax
004D3F77 5>push edi
004D3F78 5>push esi
004D3F79 F>call ecx
004D3F7B 5>pop edx
004D3F7C 5>pop eax
004D3F7D 0>add eax,dword ptr ds:[ebx+8]
004D3F80 8>mov edi,eax
004D3F82 5>push edx
004D3F83 8>mov esi,eax
004D3F85 8>mov eax,dword ptr ds:[esi-4]
004D3F88 8>add eax,4
004D3F8B 2>sub esi,eax
004D3F8D 8>mov dword ptr ds:[esi+8],edx
004D3F90 8>mov ecx,dword ptr ds:[ebx+10]
004D3F93 8>mov dword ptr ds:[esi+24],ecx
004D3F96 8>mov ecx,dword ptr ds:[ebx+14]
004D3F99 5>push ecx
004D3F9A 8>mov dword ptr ds:[esi+28],ecx
004D3F9D 8>mov ecx,dword ptr ds:[ebx+C]
004D3FA0 8>mov dword ptr ds:[esi+14],ecx
004D3FA3 F>call edi
004D3FA5 8>mov dword ptr ss:[ebp+10001223],eax
004D3FAB 8>mov esi,eax
004D3FAD 5>pop ecx
004D3FAE 5>pop edx
004D3FAF 0>add ecx,edx
004D3FB1 6>push 8000
004D3FB6 6>push 0
004D3FB8 5>push edi
004D3FB9 F>call dword ptr ds:[ecx]
004D3FBB 8>mov eax,esi
004D3FBD 5>pop edx
004D3FBE 5>pop esi
004D3FBF 5>pop edi
004D3FC0 5>pop ecx
004D3FC1 5>pop ebx
004D3FC2 5>pop ebp
004D3FC3 F>jmp eax ;这里应该是飞向OEP了,F4到这里
004D3FC5 0>add byte ptr ds:[eax],al
004D3FC7 0>add byte ptr ds:[eax],al
004D3FC9 0>add byte ptr ds:[eax],al
004D3FCB 0>add byte ptr ds:[eax],al
F4后,
004D3FC3 - F>jmp eax ; PortExpl.<ModuleEntryPoint> —长跳标志
004D3FC5 9>cdq
004D3FC6 B>mov ebx,42
004D3FCB 0>add byte ptr ds:[eax],al
004D3FCD 0>add byte ptr ds:[eax],al
F7,来到了
0042BB99 P> 5>push ebp ; OEP HERE!!!!
0042BB9A 8>mov ebp,esp
0042BB9C 6>push -1
0042BB9E 6>push PortExpl.00433560
0042BBA3 6>push PortExpl.0042C334
0042BBA8 6>mov eax,dword ptr fs:[0]
0042BBAE 5>push eax
0042BBAF 6>mov dword ptr fs:[0],esp
0042BBB6 8>sub esp,58
0042BBB9 5>push ebx
0042BBBA 5>push esi
0042BBBB 5>push edi
0042BBBC 8>mov dword ptr ss:[ebp-18],esp
0042BBBF F>call dword ptr ds:[4330D0] ; kernel32.GetVersion
用LORDPE14脱壳到dumped.exe,
运行IMPORTREC16,OEP填2BB99,IAT搜索,获取输入表,全部为真,点修复dumped.exe为dumped_.exe(856K)。
【PECOMPACT2.X脱壳规律总结】
其实可以发现脱壳前后OEP没有改变,都是0042BB99,因此可以一开始加载后就在EIP处设置断点(注意是“硬断点,执行时”而不是一般的F2断点)。
当然也可以在第一次ESP定律后,查找00000000,首次出现的地址上一个是jmp eax就是跳OEP了(注意看OD —长跳标志)。
【】
运行dumped_.exe,哦,只见屏幕闪了下,文件浏览器没有了。
(Explorer.exe被关闭,然后操作系统会自动重新启动另一个Explorer.exe)
怀疑程序有自校验,OD一下dumped_.exe看看。
004202BD |. 8>test eax,eax
004202BF |. 7>je short dumped_.004202DE
004202C1 |. 5>push ebx ; /Style
004202C2 |. 6>push dumped_.0044C488 ; |Title = "Error"
004202C7 |. 6>push dumped_.0044C42C ; |Text = "Port Explorer does not run under the context of a debugger.
Port Explorer will now close."
004202CC |. 5>push ebx ; |hOwner
004202CD |. F>call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA
00427E33 |. F>|push dword ptr ds:[eax] ; /ProcessId
00427E35 |. 6>|push 0 ; |Inheritable = FALSE
00427E37 |. 6>|push 410 ; |Access = VM_READ|QUERY_INFORMATION
00427E3C |. F>|call dword ptr ds:[<&kernel32.Open>; \OpenProcess <---------
00427E42 |. 8>|mov ebx,eax
00427E44 |. 8>|test ebx,ebx
00427E46 |. 8>|mov dword ptr ss:[ebp-28],ebx
00427E49 |. 0>|je dumped_.00427ED5
00427E4F |. 8>|lea eax,dword ptr ss:[ebp-8]
00427E52 |. 5>|push eax
00427E53 |. 8>|lea eax,dword ptr ss:[ebp-34]
00427E56 |. 6>|push 4
00427E58 |. 5>|push eax
00427E59 |. 5>|push ebx
00427E5A |. F>|call dword ptr ss:[ebp-2C]
00427E5D |. 8>|test eax,eax
00427E5F |. 7>|je short dumped_.00427ECC
00427E61 |. 8>|lea eax,dword ptr ss:[ebp-260]
00427E67 |. 6>|push 104
00427E6C |. 5>|push eax
00427E6D |. F>|push dword ptr ss:[ebp-34]
00427E70 |. 5>|push ebx
00427E71 |. F>|call dword ptr ss:[ebp-30]
00427E74 |. 8>|test eax,eax
00427E76 |. 7>|jnz short dumped_.00427E80
00427E78 |. 2>|and byte ptr ss:[ebp-260],al
00427E7E |. E>|jmp short dumped_.00427ECC
00427E80 |> 8>|lea eax,dword ptr ss:[ebp-260]
00427E86 |. 5>|push eax
00427E87 |. E>|call dumped_.00429CE0
00427E8C |. 4>|dec eax
00427E8D |. 5>|pop ecx
00427E8E |. 8>|mov dword ptr ss:[ebp-14],eax
00427E91 |. 7>|js short dumped_.00427EC6
00427E93 |. 8>|lea ebx,dword ptr ss:[ebp+eax-25F]
00427E9A |> 8>|/cmp byte ptr ds:[ebx-1],5C
00427E9E |. 7>||jnz short dumped_.00427EB3
00427EA0 |. 6>||push dumped_.0044C88C ; /String2 = "explorer.exe" <------
00427EA5 |. 5>||push ebx ; |String1 = "Ollydbg V1.10 2005.3汉化修正版+最新最全插件\Ollydbg\OLLYDBG.EXE"
00427EA6 |. F>||call dword ptr ds:[<&kernel32.lst>; \lstrcmpiA
00427EAC |. 8>||test eax,eax
00427EAE |. 7>||je short dumped_.00427EBE
不断列举系统当前进程,与explorer.exe进行比较,当列举到explorer.exe时,F8跟到
00427EED |. F>call esi ; KERNEL32.GetProcessHeap
004205B0 . 5>push eax
004205B1 ? 5>push ebx
004205B2 . 6>push 1 Access = TERMINATE
004205B4 . F>call dword ptr ds:[<&kernel32.OpenP>; KERNEL32.OpenProcess
004205BA ? 5>push ebx
004205BB ? 5>push eax
004205BC . F>call dword ptr ss:[ebp-14] ; KERNEL32.TerminateProcess
004205BF ? F>test byte ptr ss:[ebp-3],8
00427D06 /$ 5>push ebp
00427D07 |. 8>mov ebp,esp
00427D09 |. 8>sub esp,260
00427D0F |. 8>or dword ptr ss:[ebp-1C],FFFFFFFF
00427D13 |. 5>push ebx
00427D14 |. 5>push esi
00427D15 |. 5>push edi
00427D16 |. E>call dumped_.0040FB99
00427D1B |. B>mov edi,400
00427D20 |. 8>test edi,eax
00427D22 |. 0>je dumped_.00427F00
00427D28 |. 8>mov esi,dword ptr ds:[<&kernel32.LoadLibraryA>] ; KERNEL32.LoadLibraryA
00427D2E |. 6>push dumped_.00436744 ; /FileName = "PSAPI.DLL"
00427D33 |. F>call esi ; \LoadLibraryA
00427D35 |. 8>test eax,eax
00427D37 |. 8>mov dword ptr ss:[ebp-4],eax
00427D3A |. 0>je dumped_.00427F1D
00427D40 |. 6>push dumped_.0044C89C ; /FileName = "VDMDBG.DLL"
00427D45 |. F>call esi ; \LoadLibraryA
00427D47 |. 8>test eax,eax
00427D49 |. 8>mov dword ptr ss:[ebp-10],eax
00427D4C |. 0>je dumped_.00427F1D
00427D52 |. 8>mov esi,dword ptr ds:[<&kernel32.GetProcAddress>>; KERNEL32.GetProcAddress
00427D58 |. 6>push dumped_.00436734 ; /ProcNameOrOrdinal = "EnumProcesses"
00427D5D |. F>push dword ptr ss:[ebp-4] ; |hModule
00427D60 |. F>call esi ; \GetProcAddress
00427D62 |. 6>push dumped_.00436720 ; /ProcNameOrOrdinal = "EnumProcessModules"
00427D67 |. 8>mov ebx,eax ; |
00427D69 |. F>push dword ptr ss:[ebp-4] ; |hModule
00427D6C |. F>call esi ; \GetProcAddress
00427D6E |. 6>push dumped_.00436A3C ; /ProcNameOrOrdinal = "GetModuleFileNameExA"
00427D73 |. 8>mov dword ptr ss:[ebp-2C],eax ; |
00427D76 |. F>push dword ptr ss:[ebp-4] ; |hModule
00427D79 |. F>call esi ; \GetProcAddress
00427D7B |. 6>push dumped_.00437EDC ; /ProcNameOrOrdinal = "VDMEnumTaskWOWEx"
00427D80 |. 8>mov dword ptr ss:[ebp-30],eax ; |
00427D83 |. F>push dword ptr ss:[ebp-10] ; |hModule
00427D86 |. F>call esi ; \GetProcAddress
00427D88 |. 3>xor ecx,ecx
00427D8A |. 3>cmp ebx,ecx
00427D8C |. 7>je short dumped_.00427DFD
00427D8E |. 3>cmp dword ptr ss:[ebp-2C],ecx
00427D91 |. 7>je short dumped_.00427DFD
00427D93 |. 3>cmp dword ptr ss:[ebp-30],ecx
00427D96 |. 7>je short dumped_.00427DFD
00427D98 |. 3>cmp eax,ecx
00427D9A |. 7>je short dumped_.00427DFD
00427D9C |. 8>mov esi,dword ptr ds:[<&kernel32.GetProcessHeap>>; KERNEL32.GetProcessHeap
00427DA2 |. 8>mov dword ptr ss:[ebp-8],edi
00427DA5 |. 8>mov edi,dword ptr ds:[<&kernel32.HeapFree>] ; ntdll.RtlFreeHeap
00427DAB |. 8>mov dword ptr ss:[ebp-C],ecx
00427DAE |> 8>/cmp dword ptr ss:[ebp-C],0
00427DB2 |. 7>|je short dumped_.00427DC6
00427DB4 |. F>|push dword ptr ss:[ebp-C]
00427DB7 |. 6>|push 0
00427DB9 |. F>|call esi
00427DBB |. 5>|push eax
00427DBC |. F>|call edi
00427DBE |. 8>|mov eax,dword ptr ss:[ebp-8]
00427DC1 |. 0>|add eax,eax
00427DC3 |. 8>|mov dword ptr ss:[ebp-8],eax
00427DC6 |> F>|push dword ptr ss:[ebp-8]
00427DC9 |. 6>|push 0
00427DCB |. F>|call esi
00427DCD |. 5>|push eax ; |hHeap
00427DCE |. F>|call dword ptr ds:[<&kernel32.HeapAlloc>] ; \HeapAlloc
00427DD4 |. 8>|test eax,eax
00427DD6 |. 8>|mov dword ptr ss:[ebp-C],eax
00427DD9 |. 7>|je short dumped_.00427DFD
00427DDB |. 8>|lea ecx,dword ptr ss:[ebp-18]
00427DDE |. 5>|push ecx
00427DDF |. F>|push dword ptr ss:[ebp-8]
00427DE2 |. 5>|push eax
00427DE3 |. F>|call ebx
00427DE5 |. 8>|test eax,eax
00427DE7 |. 7>|je short dumped_.00427DF3
00427DE9 |. 8>|mov eax,dword ptr ss:[ebp-18]
00427DEC |. 3>|cmp eax,dword ptr ss:[ebp-8]
00427DEF |. 7>|jnz short dumped_.00427E12
00427DF1 |.^ E>\jmp short dumped_.00427DAE
00427DF3 |> F>push dword ptr ss:[ebp-C]
00427DF6 |. 6>push 0
00427DF8 |. F>call esi
00427DFA |. 5>push eax
00427DFB |. F>call edi
00427DFD |> F>push dword ptr ss:[ebp-4] ; /hLibModule
00427E00 |. 8>mov esi,dword ptr ds:[<&kernel32.FreeLibrary>] ; |KERNEL32.FreeLibrary
00427E06 |. F>call esi ; \FreeLibrary
00427E08 |. F>push dword ptr ss:[ebp-10] ; /hLibModule
00427E0B |. F>call esi ; \FreeLibrary
00427E0D |. E>jmp dumped_.00427F1D
00427E12 |> C>shr dword ptr ss:[ebp-18],2
00427E16 |. C>mov dword ptr ss:[ebp-24],0
00427E1D |. 0>je dumped_.00427EE8
00427E23 |. 8>mov eax,dword ptr ss:[ebp-C]
00427E26 |. 8>mov dword ptr ss:[ebp-20],eax
00427E29 |> 8>/mov eax,dword ptr ss:[ebp-20]
00427E2C |. 8>|and byte ptr ss:[ebp-260],0
00427E33 |. F>|push dword ptr ds:[eax] ; /ProcessId
00427E35 |. 6>|push 0 ; |Inheritable = FALSE
00427E37 |. 6>|push 410 ; |Access = VM_READ|QUERY_INFORMATION
00427E3C |. F>|call dword ptr ds:[<&kernel32.OpenProcess>] ; \OpenProcess
00427E42 |. 8>|mov ebx,eax
00427E44 |. 8>|test ebx,ebx
00427E46 |. 8>|mov dword ptr ss:[ebp-28],ebx
00427E49 |. 0>|je dumped_.00427ED5
00427E4F |. 8>|lea eax,dword ptr ss:[ebp-8]
00427E52 |. 5>|push eax
00427E53 |. 8>|lea eax,dword ptr ss:[ebp-34]
00427E56 |. 6>|push 4
00427E58 |. 5>|push eax
00427E59 |. 5>|push ebx
00427E5A |. F>|call dword ptr ss:[ebp-2C]
00427E5D |. 8>|test eax,eax
00427E5F |. 7>|je short dumped_.00427ECC
00427E61 |. 8>|lea eax,dword ptr ss:[ebp-260]
00427E67 |. 6>|push 104
00427E6C |. 5>|push eax
00427E6D |. F>|push dword ptr ss:[ebp-34]
00427E70 |. 5>|push ebx
00427E71 |. F>|call dword ptr ss:[ebp-30]
00427E74 |. 8>|test eax,eax
00427E76 |. 7>|jnz short dumped_.00427E80
00427E78 |. 2>|and byte ptr ss:[ebp-260],al
00427E7E |. E>|jmp short dumped_.00427ECC
00427E80 |> 8>|lea eax,dword ptr ss:[ebp-260]
00427E86 |. 5>|push eax
00427E87 |. E>|call dumped_.00429CE0
00427E8C |. 4>|dec eax
00427E8D |. 5>|pop ecx
00427E8E |. 8>|mov dword ptr ss:[ebp-14],eax
00427E91 |. 7>|js short dumped_.00427EC6
00427E93 |. 8>|lea ebx,dword ptr ss:[ebp+eax-25F]
00427E9A |> 8>|/cmp byte ptr ds:[ebx-1],5C
00427E9E |. 7>||jnz short dumped_.00427EB3
00427EA0 |. 6>||push dumped_.0044C88C ; /String2 = "explorer.exe"
00427EA5 |. 5>||push ebx ; |String1
00427EA6 |. F>||call dword ptr ds:[<&kernel32.lstrcmpi>] ; \lstrcmpiA
00427EAC |. 8>||test eax,eax
00427EAE |. 7>||je short dumped_.00427EBE
00427EB0 |. 8>||mov eax,dword ptr ss:[ebp-14]
00427EB3 |> 4>||dec eax
00427EB4 |. 4>||dec ebx
00427EB5 |. 8>||test eax,eax
00427EB7 |. 8>||mov dword ptr ss:[ebp-14],eax
00427EBA |.^ 7>|\jge short dumped_.00427E9A
00427EBC |. E>|jmp short dumped_.00427EC6
00427EBE |> 8>|mov eax,dword ptr ss:[ebp-20]
00427EC1 |. 8>|mov eax,dword ptr ds:[eax]
00427EC3 |. 8>|mov dword ptr ss:[ebp-1C],eax
00427EC6 |> 8>|cmp dword ptr ss:[ebp-1C],-1
00427ECA |. 7>|jnz short dumped_.00427EE8
00427ECC |> F>|push dword ptr ss:[ebp-28] ; /hObject
00427ECF |. F>|call dword ptr ds:[<&kernel32.CloseHandle>] ; \CloseHandle
00427ED5 |> F>|inc dword ptr ss:[ebp-24]
00427ED8 |. 8>|add dword ptr ss:[ebp-20],4
00427EDC |. 8>|mov eax,dword ptr ss:[ebp-24]
00427EDF |. 3>|cmp eax,dword ptr ss:[ebp-18]
00427EE2 |.^ 0>\jb dumped_.00427E29
00427EE8 |> F>push dword ptr ss:[ebp-C]
00427EEB |. 6>push 0
00427EED |. F>call esi
00427EEF |. 5>push eax
00427EF0 |. F>call edi
00427EF2 |. F>push dword ptr ss:[ebp-10] ; /hLibModule
00427EF5 |. F>call dword ptr ds:[<&kernel32.FreeLibrary>] ; \FreeLibrary
00427EFB |. E>jmp dumped_.00427FE3
00427F00 |> F>test ah,8
00427F03 |. 0>je dumped_.00427FE3
00427F09 |. 6>push dumped_.00436710 ; /FileName = "Kernel32.DLL"
00427F0E |. F>call dword ptr ds:[<&kernel32.LoadLibraryA>] ; \LoadLibraryA
00427F14 |. 8>mov edi,eax
00427F16 |. 8>test edi,edi
00427F18 |. 8>mov dword ptr ss:[ebp-4],edi
00427F1B |. 7>jnz short dumped_.00427F24
00427F1D |> 3>xor eax,eax
00427F1F |. E>jmp dumped_.00427FF1
00427F24 |> 8>mov esi,dword ptr ds:[<&kernel32.GetProcAddress>>; KERNEL32.GetProcAddress
00427F2A |. 6>push dumped_.004366F4 ; /ProcNameOrOrdinal = "CreateToolhelp32Snapshot"
00427F2F |. 5>push edi ; |hModule
00427F30 |. F>call esi ; \GetProcAddress
00427F32 |. 6>push dumped_.004366E4 ; /ProcNameOrOrdinal = "Process32First"
00427F37 |. 5>push edi ; |hModule
00427F38 |. 8>mov ebx,eax ; |
00427F3A |. F>call esi ; \GetProcAddress
00427F3C |. 6>push dumped_.004366D4 ; /ProcNameOrOrdinal = "Process32Next"
00427F41 |. 5>push edi ; |hModule
00427F42 |. 8>mov dword ptr ss:[ebp-14],eax ; |
00427F45 |. F>call esi ; \GetProcAddress
00427F47 |. 3>xor esi,esi
00427F49 |. 8>mov dword ptr ss:[ebp-28],eax
00427F4C |. 3>cmp eax,esi
00427F4E |. 0>je dumped_.00427FE6
00427F54 |. 3>cmp dword ptr ss:[ebp-14],esi
00427F57 |. 0>je dumped_.00427FE6
00427F5D |. 3>cmp ebx,esi
00427F5F |. 0>je dumped_.00427FE6
00427F65 |. 5>push esi
00427F66 |. 6>push 2
00427F68 |. F>call ebx
00427F6A |. 8>mov ebx,eax
00427F6C |. 8>cmp ebx,-1
00427F6F |. 7>je short dumped_.00427FE6
00427F71 |. 8>lea eax,dword ptr ss:[ebp-15C]
00427F77 |. C>mov dword ptr ss:[ebp-15C],128
00427F81 |. 5>push eax
00427F82 |. 5>push ebx
00427F83 |. F>call dword ptr ss:[ebp-14]
00427F86 |> 8>/test eax,eax
00427F88 |. 7>|je short dumped_.00427FDC
00427F8A |. 8>|lea eax,dword ptr ss:[ebp-138]
00427F90 |. 5>|push eax
00427F91 |. E>|call dumped_.00429CE0
00427F96 |. 8>|mov edi,eax
00427F98 |. 5>|pop ecx
00427F99 |. 4>|dec edi
00427F9A |. 7>|js short dumped_.00427FCF
00427F9C |. 8>|lea esi,dword ptr ss:[ebp+edi-137]
00427FA3 |> 8>|/cmp byte ptr ds:[esi-1],5C
00427FA7 |. 7>||jnz short dumped_.00427FB9
00427FA9 |. 6>||push dumped_.0044C88C ; /String2 = "explorer.exe"
00427FAE |. 5>||push esi ; |String1 <----找到explorer.exe进程后杀死
00427FAF |. F>||call dword ptr ds:[<&kernel32.lstrcmpi>] ; \lstrcmpiA
00427FB5 |. 8>||test eax,eax
00427FB7 |. 7>||je short dumped_.00427FC1
00427FB9 |> 4>||dec edi
00427FBA |. 4>||dec esi
00427FBB |. 8>||test edi,edi
00427FBD |.^ 7>|\jge short dumped_.00427FA3
00427FBF |. E>|jmp short dumped_.00427FCF
00427FC1 |> 8>|mov eax,dword ptr ss:[ebp-154]
00427FC7 |. 8>|cmp eax,-1
00427FCA |. 8>|mov dword ptr ss:[ebp-1C],eax
00427FCD |. 7>|jnz short dumped_.00427FDC
00427FCF |> 8>|lea eax,dword ptr ss:[ebp-15C]
00427FD5 |. 5>|push eax
00427FD6 |. 5>|push ebx
00427FD7 |. F>|call dword ptr ss:[ebp-28]
00427FDA |.^ E>\jmp short dumped_.00427F86
00427FDC |> 5>push ebx ; /hObject
00427FDD |. F>call dword ptr ds:[<&kernel32.CloseHandle>] ; \CloseHandle
00427FE3 |> 8>mov esi,dword ptr ss:[ebp-1C]
00427FE6 |> F>push dword ptr ss:[ebp-4] ; /hLibModule
00427FE9 |. F>call dword ptr ds:[<&kernel32.FreeLibrary>] ; \FreeLibrary
00427FEF |. 8>mov eax,esi
00427FF1 |> 5>pop edi
00427FF2 |. 5>pop esi
00427FF3 |. 5>pop ebx
00427FF4 |. C>leave
00427FF5 \. C>retn
05-09-16继续跟踪--------------------------:
00415928 /$ 55 push ebp
00415929 |. 8BEC mov ebp,esp
0041592B |. 81EC 40010000 sub esp,140
00415931 |. 53 push ebx
00415932 |. 56 push esi
00415933 |. 57 push edi
00415934 |. 6A 07 push 7
00415936 |. 33F6 xor esi,esi
00415938 |. 59 pop ecx
00415939 |. FF35 30794800 push dword ptr ds:[487930] ; /hWnd = NULL
0041593F |. 33C0 xor eax,eax ; |
00415941 |. 8D7D E4 lea edi,dword ptr ss:[ebp-1C] ; |
00415944 |. 8975 E0 mov dword ptr ss:[ebp-20],esi ; |"Software\Diamond Computer Systems\Port Explorer"
00415947 |. F3:AB rep stos dword ptr es:[edi] ; |
00415949 |. FF15 C0334300 call dword ptr ds:[4333C0] ; \IsWindow
0041594F |. 3975 0C cmp dword ptr ss:[ebp+C],esi
00415952 |. 8945 DC mov dword ptr ss:[ebp-24],eax
00415955 |. 75 59 jnz short PortExpl.004159B0
00415957 |. 68 00A00100 push 1A000
0041595C |. 56 push esi
0041595D |. 68 E8D74600 push PortExpl.0046D7E8 ; ASCII "&File"
00415962 |. E8 594B0100 call PortExpl.0042A4C0
00415967 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
0041596A |. 83C4 0C add esp,0C
0041596D |. 48 dec eax ; Switch (cases 1..8)
0041596E |. 83F8 07 cmp eax,7
00415971 |. 77 38 ja short PortExpl.004159AB ; 尚未完成字符串信息复制的初始化工作则跳
00415973 |. FF2485 8D5D4100 jmp dword ptr ds:[eax*4+415D8D]
0041597A |> E8 33450000 call PortExpl.00419EB2 ; Case 1 of switch 0041596D
0041597F |. EB 2F jmp short PortExpl.004159B0
00415981 |> E8 991E0000 call PortExpl.0041781F ; Case 3 of switch 0041596D
00415986 |. EB 28 jmp short PortExpl.004159B0
00415988 |> E8 DB310000 call PortExpl.00418B68 ; Case 4 of switch 0041596D
0041598D |. EB 21 jmp short PortExpl.004159B0
0041598F |> E8 71580000 call PortExpl.0041B205 ; Case 5 of switch 0041596D
00415994 |. EB 1A jmp short PortExpl.004159B0
00415996 |> E8 BD6B0000 call PortExpl.0041C558 ; Case 6 of switch 0041596D
0041599B |. EB 13 jmp short PortExpl.004159B0
0041599D |> E8 47920000 call PortExpl.0041EBE9 ; Case 7 of switch 0041596D
004159A2 |. EB 0C jmp short PortExpl.004159B0
004159A4 |> E8 F37E0000 call PortExpl.0041D89C ; Case 8 of switch 0041596D
004159A9 |. EB 05 jmp short PortExpl.004159B0
004159AB |> E8 1F0B0000 call PortExpl.004164CF ; Default case of switch 0041596D <---提示到期后返回这里
重新加载,HE EIP,F9,已经脱壳解码,在上段代码首部00415928地址处F2设断,F9,
再次跟进到 PortExpl.004164CF函数,其完成各个字符串的复制,其中
00416CEC |. 6>push PortExpl.00439DF0 ; /String2 = "This feature is only available to licensed users of Port Explorer."
00416CF1 |. 6>push PortExpl.004757E8 ; |String1 = PortExpl.004757E8
00416CF6 |. F>call esi ; \lstrcpyA
在内存004757E8处设置硬件读断点,则点到受限制的功能时会读该提示。
类似的,
00416DA0 |. 6>push PortExpl.004399F0 ; /String2 = "You have %d executions or %d days left to evaluate Port Explorer."
00416DA5 |. 6>push PortExpl.004766E8 ; |String1 = PortExpl.004766E8 <-----HR 004766E8
00416DAA |. F>call esi ; \lstrcpyA
F9,中断后返回用户主程序空间
0040256C |. 3>cmp dword ptr ds:[44BA1C],ebx ;ds:[0044BA1C]=0000001E(十进制的30,表示还有30天可试用)
00402572 |. 7>jl short PortExpl.004025E9
00402574 |. 3>cmp dword ptr ds:[44BA20],ebx ;ds:[0044BA20]=00000032(十进制的50,表示还有50次可使用)
0040257A |. 7>jl short PortExpl.004025E9
0040257C |. B>mov edi,565
00402581 |. 6>push PortExpl.004363BC ; /Text = "3"
00402586 |. 5>push edi ; |ControlID => 565 (1381.)
00402587 |. F>push dword ptr ss:[ebp+8] ; |hWnd
0040258A |. F>call esi ; \SetDlgItemTextA
0040258C |. 6>push PortExpl.004766E8 ; /<%s> = "You have %d executions or %d days left to evaluate Port Explorer."
00402591 |. 6>push PortExpl.004762E8 ; |<%s> = "To upgrade to the registered version, simply press the Purchase Port Explorer button."
00402596 |. 6>push PortExpl.004765E8 ; |<%s> = "If you wish to use Port Explorer beyond this period you must upgrade to the full registered version."
0040259B |. 6>push PortExpl.004764E8 ; |<%s> = "This evaluation may be used for up to 30 days or as many as 50 executions."
004025A0 |. 6>push PortExpl.004763E8 ; |<%s> = "Welcome to DiamondCS Port Explorer - Evaluation Version."
004025A5 |. 8>lea eax,dword ptr ss:[ebp-90C] ; |
004025AB |. 6>push PortExpl.004363A4 ; |Format = "%s %s %s %s %s"
004025B0 |. 5>push eax ; |s
004025B1 |. C>mov dword ptr ds:[436390],3 ; |
004025BB |. F>call dword ptr ds:[4333E8] ; \wsprintfA
004025C1 |. 8>add esp,1C ;返回这里
呵呵,如果选择爆破时间、次数的话可以做内存补丁(ds:[0044BA1C]天数,ds:[0044BA20]次数,注意要选则等程序自解码后patch)。
如果注册对话框中输入假注册码,提示Error
00416C08 |. 68 B0A14300 push PortExpl.0043A1B0 ; /String2 = "Error!"
00416C0D |. 68 E8444700 push PortExpl.004744E8 ; |String1 = PortExpl.004744E8
00416C12 |. FFD6 call esi ; \lstrcpyA
下硬件断点HR 004744E8,
00402F48 |. 6>push 200 ; /Count = 200 (512.)
00402F4D |. F>rep stos dword ptr es:[edi] ; |
00402F4F |. 6>stos word ptr es:[edi] ; |
00402F51 |. A>stos byte ptr es:[edi] ; |
00402F52 |. 8>lea eax,dword ptr ss:[ebp-200] ; |
00402F58 |. 8>mov dword ptr ss:[ebp+10],ebx ; |
00402F5B |. 5>push eax ; |Buffer
00402F5C |. 6>push 46E ; |ControlID = 46E (1134.)
00402F61 |. F>push dword ptr ss:[ebp+8] ; |hWnd
00402F64 |. 8>mov dword ptr ss:[ebp+C],ebx ; |
00402F67 |. F>call dword ptr ds:[4333A4] ; \GetDlgItemTextA ;在此处下断寻找注册比较算法CALL
00402F6D |. 8>lea eax,dword ptr ss:[ebp-200] ;EAX返回输入的假激活码串!!!!!!!
00402F73 |. 5>push eax
00402F74 |. E>call PortExpl.00429CE0
00402F79 |. 3>cmp eax,esi ;ESI=100 EAX=假码长度,要求激活码为十进制256字节长
00402F7B |. 5>pop ecx
00402F7C |. 0>jl PortExpl.00403086 ;跳到出错Error
00402F82 |. 3>xor edx,edx
00402F84 |. 3>cmp eax,ebx
00402F86 |. 7>jle short PortExpl.00402FA1
00402F88 |> 8>/cmp byte ptr ss:[ebp+edx-200],50 ;P=0x50
00402F90 |. 8>|lea ecx,dword ptr ss:[ebp+edx-200]
00402F97 |. 7>|je short PortExpl.00402FA1
00402F99 |. 4>|inc edx
00402F9A |. C>|mov byte ptr ds:[ecx],20
00402F9D |. 3>|cmp edx,eax
00402F9F |.^ 7>\jl short PortExpl.00402F88
00402FA1 |> 8>lea eax,dword ptr ss:[ebp-200]
00402FA7 |. 6>push PortExpl.00436464 ; ASCII "PS"
00402FAC |. 5>push eax
00402FAD |. E>call PortExpl.00429EA0
00402FB2 |. 5>pop ecx
00402FB3 |. 3>cmp eax,ebx
00402FB5 |. 5>pop ecx
00402FB6 |. 0>je PortExpl.00403086 -------------------->Error
00402FBC |. 6>push PortExpl.00436460 ; ASCII "PE"
00402FC1 |. 5>push eax
00402FC2 |. E>call PortExpl.00429EA0
00402FC7 |. 5>pop ecx
00402FC8 |. 3>cmp eax,ebx
00402FCA |. 5>pop ecx
00402FCB |. 0>je PortExpl.00403086 ----------------------->Error
00402FD1 |. 6>push -7F
00402FD3 |. 8>mov byte ptr ds:[eax+2],bl ;这里EAX应该是有效内存地址,修改此处作标记还是改代码?
00402FD6 |. 8>mov byte ptr ds:[eax],bl
00402FD8 |. 5>pop esi
00402FD9 |> 8>/cmp esi,30
00402FDC |. 7>|jl short PortExpl.00402FE3
00402FDE |. 8>|cmp esi,39
00402FE1 |. 7>|jle short PortExpl.00402FFC
00402FE3 |> 8>|cmp esi,41
00402FE6 |. 7>|jl short PortExpl.00402FED
00402FE8 |. 8>|cmp esi,46
00402FEB |. 7>|jle short PortExpl.00402FFC
00402FED |> 8>|lea eax,dword ptr ss:[ebp-200]
00402FF3 |. 5>|push esi
00402FF4 |. 5>|push eax
00402FF5 |. E>|call PortExpl.0040EC83
00402FFA |. 5>|pop ecx
00402FFB |. 5>|pop ecx
00402FFC |> 4>|inc esi
00402FFD |. 8>|cmp esi,80
00403003 |.^ 7>\jl short PortExpl.00402FD9
00403005 |. 8>lea eax,dword ptr ss:[ebp-200]
0040300B |. 5>push eax ; /<%s>
0040300C |. 8>lea eax,dword ptr ss:[ebp-400] ; |
00403012 |. 6>push PortExpl.00436458 ; |Format = "PS%sPE"
00403017 |. 5>push eax ; |s
00403018 |. F>call dword ptr ds:[4333E8] ; \wsprintfA
0040301E |. 8>add esp,0C
00403021 |. 8>lea eax,dword ptr ss:[ebp-400]
00403027 |. 5>push eax ; /String2
00403028 |. 8>lea eax,dword ptr ss:[ebp-200] ; |
0040302E |. 5>push eax ; |String1
0040302F |. F>call dword ptr ds:[4331F8] ; \lstrcpyA
00403035 |. 8>lea eax,dword ptr ss:[ebp-200]
0040303B |. 5>push eax
0040303C |. 6>push PortExpl.00436450 ; ASCII "pecode"
00403041 |. 6>push PortExpl.0044C0FC ; ASCII "Software\Diamond Computer Systems\Port Explorer"
00403046 |. E>call PortExpl.00429699
0040304B |. F>push dword ptr ds:[488A34]
00403051 |. 8>lea eax,dword ptr ss:[ebp+C]
00403054 |. F>push dword ptr ds:[488A48]
0040305A |. 5>push eax
0040305B |. 8>lea eax,dword ptr ss:[ebp+10]
0040305E |. 5>push eax
0040305F |. 8>lea eax,dword ptr ss:[ebp-200]
00403065 |. F>push dword ptr ds:[488A30]
0040306B |. 5>push eax
0040306C |. E>call PortExpl.004149CF
00403071 |. 8>add esp,24
00403074 |. 3>cmp eax,ebx
00403076 |. 7>je short PortExpl.00403086
00403078 |. 6>push 40
0040307A |. 6>push PortExpl.004743E8 ; ASCII "Please Note!"
0040307F |. 6>push PortExpl.00436418 ; ASCII "Please restart Port Explorer to complete the upgrade"
00403084 |. E>jmp short PortExpl.0040308F
00403086 |> \B>mov eax,PortExpl.004744E8 ; ASCII "Error!" <------------------
0040308B |. 6>push 10
0040308D |. 5>push eax
0040308E |. 5>push eax
0040308F |> 5>push ebx ; |hOwner
00403090 |. F>call dword ptr ds:[4333A8] ; \MessageBoxA
00403096 |. 5>push ebx ; /Result
00403097 |. F>push dword ptr ss:[ebp+8] ; |hWnd
0040309A |. F>call dword ptr ds:[4333B4] ; \EndDialog
试着输入假码(252 decimal长):
1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012
跟踪过程中会要求重启验证,software\Diamond Computer Systems\Port Explorer
(脱壳程序似乎还没有解密输入表)
那么会用到ADVAPI32.DLL中的4个读注册表函数(用api工具查的):
796E2C47 RegQueryValueA
796EF5E6 RegQueryValueExA
796F4ABA RegQueryValueExW
796EE7C9 RegQueryValueW
在OD数据窗口查得:
00433020 E6 F5 6E 79 对应于----RegQueryValueExA ,程序会如此调用 CALL DS:[R32=00433020]
因此下硬件访问断点 HR 00433020
运行,中断,返回(连续共2处,此为其一)
00429703 |. 5>push eax ; /pHandle
00429704 |. 3>xor esi,esi ; |
00429706 |. 6>push 1 ; |Access = KEY_QUERY_VALUE
00429708 |. 5>push esi ; |Reserved => 0
00429709 |. F>push dword ptr ss:[ebp+C] ; |Subkey
0042970C |. F>push dword ptr ss:[ebp+8] ; |hKey
0042970F |. F>call dword ptr ds:[433024] ; \RegOpenKeyExA
00429715 |. 8>test eax,eax
00429717 |. 7>je short PortExpl.0042971E
00429719 |. 6>push 1
0042971B |. 5>pop eax
0042971C |. E>jmp short PortExpl.00429745
0042971E |> 8>lea eax,dword ptr ss:[ebp-4]
00429721 |. 5>push eax ; /pBufSize
00429722 |. F>push dword ptr ss:[ebp+14] ; |Buffer
00429725 |. 5>push esi ; |pValueType
00429726 |. 5>push esi ; |Reserved
00429727 |. F>push dword ptr ss:[ebp+10] ; |ValueName
0042972A |. F>push dword ptr ss:[ebp+18] ; |hKey
0042972D |. F>call dword ptr ds:[433020] ; \RegQueryValueExA <-----------------
00429733 |. 8>test eax,eax
00429735 |. 7>je short PortExpl.0042973A
00429737 |. 6>push 1
00429739 |. 5>pop esi
0042973A |> F>push dword ptr ss:[ebp+18] ; /hKey
0042973D |. F>call dword ptr ds:[43300C] ; \RegCloseKey |
|