- UID
- 37790
注册时间2007-12-1
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
我是个小菜,这是我的一个处女作,一个带狗的行业软件。
第一次写文章或者说是记录也可以,写的不好。(高手路过)
软件地址:http://www.mslaser.cn/xiazai.asp
Peid查出是yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *的壳
但是单步跟踪时才发现好像是双层壳(菜菜)。
OD载入
0076F000 > 60 pushad
0076F001 F9 stc //ESP定律
0076F002 BE 0ACA5DB1 mov esi,B15DCA0A
0076F007 EB 01 jmp short dkqg.0076F00A
0076F009 7B FC jpo short dkqg.0076F007
0076F00B 50 push eax
0076F00C E8 01000000 call dkqg.0076F012
0076F011 7A 58 jpe short dkqg.0076F06B
0076F013 58 pop eax
0076F014 F9 stc
0076F015 E8 01000000 call dkqg.0076F01B
0076F01A - 76 83 jbe short dkqg.0076EF9F
0076F01C C404F8 les eax,fword ptr ds:[eax+edi*>
0076F01F E8 01000000 call dkqg.0076F025
0076F024 - 78 83 js short dkqg.0076EFA9
运行到下面的代码段
00789AF3 4F dec edi //F8单步跟踪
00789AF4 45 inc ebp
00789AF5 50 push eax
00789AF6 4F dec edi
00789AF7 45 inc ebp
00789AF8 50 push eax
00789AF9 60 pushad
00789AFA 60 pushad
00789AFB E8 00000000 call dkqg.00789B00
00789B00 5E pop esi
00789B01 83EE 06 sub esi,6
00789B04 B9 35000000 mov ecx,35
00789B09 29CE sub esi,ecx
00789B0B BA 4F65BA73 mov edx,73BA654F
00789B10 C1E9 02 shr ecx,2
00789B13 83E9 02 sub ecx,2
00789B16 83F9 00 cmp ecx,0
00789B19 7C 1A jl short dkqg.00789B35
00789B1B 8B048E mov eax,dword ptr ds:[esi+ecx*>
00789B1E 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*>
遇到向上跳的,F4运行到所选
00789EA8 83E9 02 sub ecx,2
00789EAB 83F9 00 cmp ecx,0
00789EAE 7C 1A jl short dkqg.00789ECA
00789EB0 8B048E mov eax,dword ptr ds:[esi+ecx*>
00789EB3 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*>
00789EB7 03C3 add eax,ebx
00789EB9 C1C0 01 rol eax,1
00789EBC 03C2 add eax,edx
00789EBE 81EA C76EBE54 sub edx,54BE6EC7
00789EC4 89048E mov dword ptr ds:[esi+ecx*4],e>
00789EC7 49 dec ecx
00789EC8 ^ EB E1 jmp short dkqg.00789EAB
00789ECA 61 popad //F4运行到所选
00789ECB EB 01 jmp short dkqg.00789ECE //大跳转
00789ECD - E9 FF25D49E jmp 9F4CC4D1
00789ED2 78 00 js short dkqg.00789ED4
00789ED4 0010 add byte ptr ds:[eax],dl
一直单步跟踪到以下代码
00401000 B8 70EA7600 mov eax,dkqg.0076EA70
00401005 50 push eax
00401006 64:FF35 00000000 push dword ptr fs:[0] //ESP定律
0040100D 64:8925 00000000 mov dword ptr fs:[0],esp
00401014 33C0 xor eax,eax
00401016 8908 mov dword ptr ds:[eax],ecx
00401018 50 push eax
00401019 45 inc ebp
0040101A 43 inc ebx
0040101B 6F outs dx,dword ptr es:[edi]
0040101C 6D ins dword ptr es:[edi],dx
0040101D 70 61 jo short dkqg.00401080
0040101F 637432 00 arpl word ptr ds:[edx+esi],si
00401023 65:04 54 add al,54
00401026 72 75 jb short dkqg.0040109D
00401028 65:8D0D 2C110908 lea ecx,dword ptr gs:[809112C]
0040102F 57 push edi
00401030 696465 43 E2C2420>imul esp,dword ptr ss:[ebp+43]>
00401038 68 61720323 push 23037261
ESP定律运行到以下代码,F8单步跟踪
7C94A9B5 3B45 F8 cmp eax,dword ptr ss:[ebp-8]
7C94A9B8 72 09 jb short ntdll.7C94A9C3
7C94A9BA 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
7C94A9BD ^ 0F82 53F9FFFF jb ntdll.7C94A316
7C94A9C3 50 push eax
7C94A9C4 E8 67000000 call ntdll.7C94AA30
7C94A9C9 84C0 test al,al
7C94A9CB ^ 0F84 45F9FFFF je ntdll.7C94A316
7C94A9D1 F605 FAB3997C 80 test byte ptr ds:[7C99B3FA],80
7C94A9D8 0F85 05390200 jnz ntdll.7C96E2E3
7C94A9DE FF73 04 push dword ptr ds:[ebx+4]
7C94A9E1 8D45 EC lea eax,dword ptr ss:[ebp-14]
7C94A9E4 50 push eax
7C94A9E5 FF75 0C push dword ptr ss:[ebp+C]
7C94A9E8 53 push ebx
7C94A9E9 56 push esi
7C94A9EA E8 5888FDFF call ntdll.7C923247
7C94A9EF F605 FAB3997C 80 test byte ptr ds:[7C99B3FA],80
7C94A9F6 8BF8 mov edi,eax
一直跟踪到下面的JMP,这个JMP就是跳向OEP的
0076EB35 - FFE0 jmp eax ; dkqg.0058BFF8
0076EB37 F8 clc
0076EB38 BF 5800006C mov edi,6C000058
0076EB3D EB 76 jmp short dkqg.0076EBB5
0076EB3F 0090 EB760054 add byte ptr ds:[eax+540076EB]>
0076EB45 EB 76 jmp short dkqg.0076EBBD
用LordPE脱壳,再用ImportREC修复一下
0058BFF8 55 push ebp //这里就是OEP了
Borland Delphi 6.0 - 7.0写的
这个行业软件是有USB狗,目前我只能跟到这里了,狗还没打死(继续努力~!)
如果能打掉狗会再贴上的。Q398298998(欢迎交流) |
|
IP卡
发表于 2009-5-11 09:59:57
提升卡
置顶卡
变色卡
千斤顶
显身卡