【Title】Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
【Author】王者之剑
【Author Email】[email protected]
【Author Homepage】www.chinapojie.cn
【Tools】ImportREC, LordPE, OD
【Platform】XP
【Software Name】a program used for practice
【Software Size】2,78 MB
【Statement】I learned to unpack this after following a tutorial, and I am writing this article to consolidate what I learned. Comments and corrections are welcome.
------------------------------------------------------------------------
【Unpacking Process】First identify the packer: Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks, a double-process protector. Load the file in OD and ignore all exceptions.
Entry point:
00817000 > 60 pushad
00817001 E8 00000000 call 00817006
00817006 5D pop ebp
00817007 50 push eax
00817008 51 push ecx
00817009 0FCA bswap edx
0081700B F7D2 not edx
0081700D 9C pushfd
0081700E F7D2 not edx
00817010 0FCA bswap edx
00817012 EB 0F jmp short 00817023
00817014 B9 EB0FB8EB mov ecx, EBB80FEB
00817019 07 pop es
0081701A B9 EB0F90EB mov ecx, EB900FEB
0081701F 08FD or ch, bh
00817021 EB 0B jmp short 0081702E
00817023 F2: prefix repne:
00817024 ^ EB F5 jmp short 0081701B
00817026 ^ EB F6 jmp short 0081701E
00817028 F2: prefix repne:
00817029 EB 08 jmp short 00817033
0081702B FD std
0081702C ^ EB E9 jmp short 00817017
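As an added example (not code from the original post), a small Python PE scanner that flags a file whose entry point begins with the exact stub bytes listed above. The PE parser and the constructed sample PE are my own, and the byte match is only a heuristic for this tutorial's sample, not an official Armadillo signature.

```python
import struct

# Entry-stub bytes transcribed from the OllyDbg listing above (pushad; call $+5; pop ebp;
# push eax; push ecx; bswap edx; not edx; pushfd; not edx; bswap edx; jmp short +0F).
ARMADILLO_STUB = bytes.fromhex("60E8000000005D50510FCAF7D29CF7D20FCAEB0F")

def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using (va, vsize, raw_ptr, raw_size) tuples."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None

def entry_point_bytes(pe, count=len(ARMADILLO_STUB)):
    """Return `count` raw bytes at AddressOfEntryPoint of a PE32 file image, or None."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsec):                     # 40-byte section headers; sizes/addresses at +8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec_table + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    off = rva_to_offset(entry_rva, sections)
    return None if off is None else bytes(pe[off:off + count])

def looks_like_armadillo(pe):
    """Heuristic: the entry point starts with the exact stub seen in this tutorial."""
    return entry_point_bytes(pe) == ARMADILLO_STUB

def build_sample_pe(entry_code):
    """Constructed minimal PE32 (one .text section at RVA 0x1000, file offset 0x200); test input only."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + entry_code.ljust(0x200, b"\0")
```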
Type bp OpenMutexA in the command line, then press Shift+F9 to reach the following address:
008205C3 F0: prefix lock:
008205C4 F0:C7 ??? ; unknown command
008205C6 C8 64678F enter 6764, 8F
008205CA 06 push es
008205CB 0000 add byte ptr [eax], al
008205CD 83C4 04 add esp, 4
008205D0 C3 retn
008205D1 03C5 add eax, ebp
008205D3 C3 retn
008205D4 B9 EA7A0000 mov ecx, 7AEA
008205D9 C3 retn
008205DA B8 661A0000 mov eax, 1A66
008205DF C3 retn
008205E0 D800 fadd dword ptr [eax]
008205E2 0000 add byte ptr [eax], al
008205E4 DA95 0000D195 ficom dword ptr [ebp+95D10000]
008205EA 0000 add byte ptr [eax], al
008205EC D4 95 aam 95
008205EE 0000 add byte ptr [eax], al
008205F0 50 push eax
Then add exception C000001E (INVALID LOCK SEQUENCE) to the ignored exceptions and press Shift+F9 again; you land on the following code:
7C80EA1B > 8BFF mov edi, edi
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp, esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je 7C843D93
7C80EA2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr [ebp+10]
7C80EA36 8DB0 F80B0000 lea esi, dword ptr [eax+BF8]
7C80EA3C 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA3F 50 push eax
7C80EA40 FF15 8C10807C call dword ptr [<&ntdll.RtlInitAnsiSt>; ntdll.RtlInitAnsiString
7C80EA46 6A 00 push 0
7C80EA48 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA4B 50 push eax
7C80EA4C 56 push esi
7C80EA4D FF15 8810807C call dword ptr [<&ntdll.RtlAnsiString>; ntdll.RtlAnsiStringToUnicodeString
7C80EA53 85C0 test eax, eax
7C80EA55 0F8C 22530300 jl 7C843D7D
Then press Ctrl+G, enter 00401000, and change the code there as follows:
00401000 60 pushad
00401001 9C pushfd
00401002 68 A0FD1200 push 12FDA0 ; ASCII "44C::DA47D45903"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 E694A677 call KERNEL32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 8F9FA777 jmp KERNEL32.OpenMutexA
After adding it, set this location as the new EIP and press F9 to run. Then remove the breakpoint, press Ctrl+G to go to 00401000 again, and undo the code that was added by hand.
Next set a hardware breakpoint with he OutputDebugStringA and press F9. You arrive at the following code:
7C859D78 > 68 34020000 push 234
7C859D7D 68 A0A0857C push 7C85A0A0
7C859D82 E8 3F87FAFF call 7C8024C6
7C859D87 A1 CC46887C mov eax, dword ptr [7C8846CC]
7C859D8C 8945 E4 mov dword ptr [ebp-1C], eax
7C859D8F 8B4D 08 mov ecx, dword ptr [ebp+8]
7C859D92 898D C4FDFFFF mov dword ptr [ebp-23C], ecx
7C859D98 8365 FC 00 and dword ptr [ebp-4], 0
7C859D9C 8BC1 mov eax, ecx
7C859D9E 8D70 01 lea esi, dword ptr [eax+1]
7C859DA1 8A10 mov dl, byte ptr [eax]
7C859DA3 40 inc eax
7C859DA4 84D2 test dl, dl
7C859DA6 ^ 75 F9 jnz short 7C859DA1
7C859DA8 2BC6 sub eax, esi
7C859DAA 40 inc eax
7C859DAB 8985 BCFDFFFF mov dword ptr [ebp-244], eax
7C859DB1 898D C0FDFFFF mov dword ptr [ebp-240], ecx
7C859DB7 8D85 BCFDFFFF lea eax, dword ptr [ebp-244]
Now look at the stack, which shows:
0012EBB8 0012F53C \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
Follow 0012F53C in the data window and fill the bytes 73257325 there with 00 in binary edit, then press F9. The same code appears again, so do the same thing once more.
0012EBB8 0012F53C \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
0012F53C 73257325
Then delete that breakpoint and set another hardware breakpoint with he GetModuleHandleA+5, which leads to the following code:
7C80B6A6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr [ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax, eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr [eax+4]
7C80B6BB E8 7D2D0000 call GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 retn 4
7C80B6C4 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80B6CA 8B40 30 mov eax, dword ptr [eax+30]
7C80B6CD 8B40 08 mov eax, dword ptr [eax+8]
7C80B6D0 ^ EB EE jmp short 7C80B6C0
Here press Shift+F9 twice and look at the stack:
00129008 /001292A8
0012900C |010B5A99 RETURN to 010B5A99 from kernel32.GetModuleHandleA
00129010 |0012915C ASCII "kernel32.dll"
Remove the hardware breakpoint and press Alt+F9 to see the following code:
010B5A99 8B0D 6C500E01 mov ecx, dword ptr [10E506C]
010B5A9F 89040E mov dword ptr [esi+ecx], eax
010B5AA2 A1 6C500E01 mov eax, dword ptr [10E506C]
010B5AA7 391C06 cmp dword ptr [esi+eax], ebx
010B5AAA 75 16 jnz short 010B5AC2
010B5AAC 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
010B5AB2 50 push eax
010B5AB3 FF15 B8620D01 call dword ptr [10D62B8] ; kernel32.LoadLibraryA
010B5AB9 8B0D 6C500E01 mov ecx, dword ptr [10E506C]
010B5ABF 89040E mov dword ptr [esi+ecx], eax
010B5AC2 A1 6C500E01 mov eax, dword ptr [10E506C]
010B5AC7 391C06 cmp dword ptr [esi+eax], ebx
010B5ACA 0F84 2F010000 je 010B5BFF
010B5AD0 33C9 xor ecx, ecx
010B5AD2 8B07 mov eax, dword ptr [edi]
010B5AD4 3918 cmp dword ptr [eax], ebx
010B5AD6 74 06 je short 010B5ADE
010B5AD8 41 inc ecx
010B5AD9 83C0 0C add eax, 0C
010B5ADC ^ EB F6 jmp short 010B5AD4
010B5ADE 8BD9 mov ebx, ecx
010B5AE0 C1E3 02 shl ebx, 2
010B5AE3 53 push ebx
In the code above there are two JEs; the upper one is the Magic Jump. Change that JE to JMP, then find the following code:
010B5C14 /EB 03 jmp short 010B5C19
010B5C16 |D6 salc
010B5C17 |D6 salc
I set a hardware breakpoint on the JMP and press F9, then go back to the JE changed earlier and restore the original code.
Then press Alt+M, find the entry below, set a breakpoint on it, and press Shift+F9:
Memory map, item 23
Address=00401000
Size=001B3000 (1781760.)
Owner=FlyWoool 00400000
Section=.text
Type=Imag 01001002
Access=R
Initial access=RWE
After running, we see the following code:
010D0324 8B0C3A mov ecx, dword ptr [edx+edi]
010D0327 5B pop ebx
010D0328 03D7 add edx, edi
010D032A A1 A4100E01 mov eax, dword ptr [10E10A4]
010D032F 3148 70 xor dword ptr [eax+70], ecx
010D0332 A1 A4100E01 mov eax, dword ptr [10E10A4]
010D0337 3148 70 xor dword ptr [eax+70], ecx
010D033A A1 A4100E01 mov eax, dword ptr [10E10A4]
010D033F 8B16 mov edx, dword ptr [esi]
010D0341 8B88 84000000 mov ecx, dword ptr [eax+84]
010D0347 3348 60 xor ecx, dword ptr [eax+60]
010D034A 3348 34 xor ecx, dword ptr [eax+34]
010D034D 030D BC100E01 add ecx, dword ptr [10E10BC] ; FlyWoool.00400000
010D0353 85D2 test edx, edx
010D0355 75 1E jnz short 010D0375
010D0357 8B90 88000000 mov edx, dword ptr [eax+88]
010D035D FF76 18 push dword ptr [esi+18]
010D0360 3390 84000000 xor edx, dword ptr [eax+84]
010D0366 FF76 14 push dword ptr [esi+14]
010D0369 3350 40 xor edx, dword ptr [eax+40]
010D036C FF76 10 push dword ptr [esi+10]
010D036F 2BCA sub ecx, edx
010D0371 FFD1 call ecx
Now step with F8 down to the call ecx and press F7 to step into it.
010D038F 6A 00 push 0
010D0391 FF76 0C push dword ptr [esi+C]
010D0394 2BCA sub ecx, edx
010D0396 FFD1 call ecx ; FlyWoool.004B79A6
010D0398 8945 FC mov dword ptr [ebp-4], eax
010D039B 8B45 FC mov eax, dword ptr [ebp-4]
010D039E 5F pop edi
010D039F 5E pop esi
At this point we can see the red code, and that is our OEP:
004B79A6 6A 60 push 60
004B79A8 68 00235D00 push 005D2300
004B79AD E8 26070000 call 004B80D8
004B79B2 BF 94000000 mov edi, 94
004B79B7 8BC7 mov eax, edi
004B79B9 E8 E2D1FFFF call 004B4BA0
004B79BE 8965 E8 mov dword ptr [ebp-18], esp
004B79C1 8BF4 mov esi, esp
004B79C3 893E mov dword ptr [esi], edi
004B79C5 56 push esi
004B79C6 FF15 A4445B00 call dword ptr [5B44A4] ; kernel32.GetVersionExA
004B79CC 8B4E 10 mov ecx, dword ptr [esi+10]
004B79CF 890D A4367C00 mov dword ptr [7C36A4], ecx
004B79D5 8B46 04 mov eax, dword ptr [esi+4]
004B79D8 A3 B0367C00 mov dword ptr [7C36B0], eax
004B79DD 8B56 08 mov edx, dword ptr [esi+8]
004B79E0 8915 B4367C00 mov dword ptr [7C36B4], edx
004B79E6 8B76 0C mov esi, dword ptr [esi+C]
004B79E9 81E6 FF7F0000 and esi, 7FFF
004B79EF 8935 A8367C00 mov dword ptr [7C36A8], esi
004B79F5 83F9 02 cmp ecx, 2
004B79F8 74 0C je short 004B7A06
004B79FA 81CE 00800000 or esi, 8000
Then repair and it is done; this packer is completely dealt with!
------------------------------------------------------------------------
【Summary】I have only been at this for a short while, but I feel I have learned a lot. Friends who want to learn cracking really should read more of what the veterans have written; it is all very good.
You are welcome to visit my blog when you have time.
www.chinapojie.cn
------------------------------------------------------------------------