【破解作者】 风球
【作者邮箱】 [email protected]
【使用工具】 OD
【破解平台】 WinXP
【软件名称】 在DFCG上看到的东东
【破解声明】 我是一只小菜鸟,请高手们多指教。:)
--------------------------------------------------------------------------------
【破解内容】
破解目的:去掉自校验
这个东东是我在DFCG上看到的,有自校验,刚好跟第四课的东东有点类似,拿来练习```由于发帖人只放上了脱壳后的程序,所以这里我主要是练习去掉自校验
OD载入```下断 bp CreateFileA,运行后来到这里:
看堆栈友好提示:
0011FBB0 00403350 /CALL 到 CreateFileA 来自 unpacked.0040334B
0011FBB4 0012FC44 |FileName = "C:\Documents and Settings\☆挽☆\桌面\unpacked_.exe"
0011FBB8 80000000 |Access = GENERIC_READ
0011FBBC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0011FBC0 00000000 |pSecurity = NULL
0011FBC4 00000003 |Mode = OPEN_EXISTING
0011FBC8 00000080 |Attributes = NORMAL
0011FBCC 00000000 \hTemplateFile = NULL
0011FBD0 00535B48 unpacked.00535B48
CTRL+G 填写0040334B 来到这里:
004032F7 /EB 60 je short unpacked.00403359 此处改为JMP,跳过CreateFileA
004032F9 |B8 000000C0 mov eax,C0000000
004032FE |8A15 0C805300 mov dl,byte ptr ds:[53800C]
00403304 |83E2 70 and edx,70
00403307 |C1EA 02 shr edx,2
0040330A |8B92 58805300 mov edx,dword ptr ds:[edx+538058]
00403310 |B9 02000000 mov ecx,2
00403315 |83EF 03 sub edi,3
00403318 |74 21 je short unpacked.0040333B
0040331A |B9 03000000 mov ecx,3
0040331F |47 inc edi
00403320 |74 19 je short unpacked.0040333B
00403322 |B8 00000040 mov eax,40000000
00403327 |47 inc edi
00403328 |66:C743 04 B2D7 mov word ptr ds:[ebx+4],0D7B2
0040332E |74 0B je short unpacked.0040333B
00403330 |B8 00000080 mov eax,80000000
00403335 |66:C743 04 B1D7 mov word ptr ds:[ebx+4],0D7B1
0040333B |6A 00 push 0
0040333D |68 80000000 push 80
00403342 |51 push ecx
00403343 |6A 00 push 0
00403345 |52 push edx
00403346 |50 push eax
00403347 |8D43 48 lea eax,dword ptr ds:[ebx+48]
0040334A |50 push eax
0040334B |E8 80DFFFFF call <jmp.&KERNEL32.CreateFileA> =====CreateFileA
00403350 |83F8 FF cmp eax,-1
00403353 |74 24 je short unpacked.00403379
00403355 |8903 mov dword ptr ds:[ebx],eax
00403357 |EB 30 jmp short unpacked.00403389
00403359 \C743 24 102D400>mov dword ptr ds:[ebx+24],unpacke>
00403360 83FF 03 cmp edi,3
...
修改后保存为55.exe,运行时在启动阶段有一个错误提示"I/O error 6."
命令行下断: BP MessageBoxA 回车,F9运行
中断,堆栈友好提示:
0011F52C 004654BF /CALL 到 MessageBoxA 来自 55.004654BA
0011F530 00710298 |hOwner = 00710298 (class='TApplication')
0011F534 00F74128 |Text = "I/O error 6."
0011F538 00404DA1 |Title = ""
0011F53C 00000010 \Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
在代码窗口按 Ctrl+G 填入 004654BA,来到:
004653D1 C3 retn
004653D2 8BC0 mov eax,eax
004653D4 55 push ebp //这里是代码开始段,改为JMP 00465528 跳到结束处
004653D5 8BEC mov ebp,esp
004653D7 83C4 AC add esp,-54
004653DA 53 push ebx
004653DB 56 push esi
004653DC 57 push edi
004653DD 8BF9 mov edi,ecx
004653DF 8BF2 mov esi,edx
004653E1 8945 FC mov dword ptr ss:[ebp-4],eax
004653E4 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
004653E7 E8 F425FAFF call <jmp.&USER32.GetActiveWindow>
004653EC 8945 F4 mov dword ptr ss:[ebp-C],eax
004653EF 6A 02 push 2
004653F1 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004653F4 50 push eax
004653F5 A1 10B15300 mov eax,dword ptr ds:[53B110]
004653FA 8B00 mov eax,dword ptr ds:[eax]
004653FC FFD0 call eax
004653FE 8945 EC mov dword ptr ss:[ebp-14],eax
00465401 6A 02 push 2
00465403 8B45 FC mov eax,dword ptr ss:[ebp-4]
00465406 8B40 30 mov eax,dword ptr ds:[eax+30]
00465409 50 push eax
0046540A A1 10B15300 mov eax,dword ptr ds:[53B110]
0046540F 8B00 mov eax,dword ptr ds:[eax]
00465411 FFD0 call eax
00465413 8945 E8 mov dword ptr ss:[ebp-18],eax
00465416 8B45 EC mov eax,dword ptr ss:[ebp-14]
00465419 3B45 E8 cmp eax,dword ptr ss:[ebp-18]
0046541C 74 60 je short 55.0046547E
0046541E C745 BC 2800000>mov dword ptr ss:[ebp-44],28
00465425 8D45 BC lea eax,dword ptr ss:[ebp-44]
00465428 50 push eax
00465429 8B45 EC mov eax,dword ptr ss:[ebp-14]
0046542C 50 push eax
0046542D A1 10B05300 mov eax,dword ptr ds:[53B010]
00465432 8B00 mov eax,dword ptr ds:[eax]
00465434 FFD0 call eax
00465436 8D45 AC lea eax,dword ptr ss:[ebp-54]
00465439 50 push eax
0046543A 8B45 FC mov eax,dword ptr ss:[ebp-4]
0046543D 8B40 30 mov eax,dword ptr ds:[eax+30]
00465440 50 push eax
00465441 E8 0A27FAFF call <jmp.&USER32.GetWindowRect>
00465446 6A 1D push 1D
00465448 6A 00 push 0
0046544A 6A 00 push 0
0046544C 8B4D CC mov ecx,dword ptr ss:[ebp-34]
0046544F 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
00465452 2BCA sub ecx,edx
00465454 D1F9 sar ecx,1
00465456 79 03 jns short 55.0046545B
00465458 83D1 00 adc ecx,0
0046545B 03CA add ecx,edx
0046545D 51 push ecx
0046545E 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00465461 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00465464 2BD0 sub edx,eax
00465466 D1FA sar edx,1
00465468 79 03 jns short 55.0046546D
0046546A 83D2 00 adc edx,0
0046546D 03D0 add edx,eax
0046546F 52 push edx
00465470 6A 00 push 0
00465472 8B45 FC mov eax,dword ptr ss:[ebp-4]
00465475 8B40 30 mov eax,dword ptr ds:[eax+30]
00465478 50 push eax
00465479 E8 1A29FAFF call <jmp.&USER32.SetWindowPos>
0046547E 33C0 xor eax,eax
00465480 E8 3F6AFFFF call 55.0045BEC4
00465485 8945 F0 mov dword ptr ss:[ebp-10],eax
00465488 E8 5369FFFF call 55.0045BDE0
0046548D 8945 E4 mov dword ptr ss:[ebp-1C],eax
00465490 8B45 FC mov eax,dword ptr ss:[ebp-4]
00465493 E8 78EEFFFF call 55.00464310
00465498 84C0 test al,al
0046549A 74 06 je short 55.004654A2
0046549C 81CB 00001000 or ebx,100000
004654A2 33C9 xor ecx,ecx
004654A4 55 push ebp
004654A5 68 29554690 push 90465529
004654AA 64:FF31 push dword ptr fs:[ecx]
004654AD 64:8921 mov dword ptr fs:[ecx],esp
004654B0 53 push ebx
004654B1 57 push edi
004654B2 56 push esi
004654B3 8B45 FC mov eax,dword ptr ss:[ebp-4]
004654B6 8B40 30 mov eax,dword ptr ds:[eax+30]
004654B9 50 push eax
004654BA E8 8927FAFF call <jmp.&USER32.MessageBoxA> //来到这里,向上找代码开始段
004654BF 8945 F8 mov dword ptr ss:[ebp-8],eax
004654C2 33C0 xor eax,eax
004654C4 5A pop edx
004654C5 59 pop ecx
004654C6 59 pop ecx
004654C7 64:8910 mov dword ptr fs:[eax],edx
004654CA 68 30554600 push 55.00465530
004654CF 8B45 EC mov eax,dword ptr ss:[ebp-14]
004654D2 3B45 E8 cmp eax,dword ptr ss:[ebp-18]
004654D5 74 38 je short 55.0046550F
004654D7 6A 1D push 1D
004654D9 6A 00 push 0
004654DB 6A 00 push 0
004654DD 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
004654E0 8B55 B0 mov edx,dword ptr ss:[ebp-50]
004654E3 2BCA sub ecx,edx
004654E5 D1F9 sar ecx,1
004654E7 79 03 jns short 55.004654EC
004654E9 83D1 00 adc ecx,0
004654EC 03CA add ecx,edx
004654EE 51 push ecx
004654EF 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
004654F2 8B45 AC mov eax,dword ptr ss:[ebp-54]
004654F5 2BD0 sub edx,eax
004654F7 D1FA sar edx,1
004654F9 79 03 jns short 55.004654FE
004654FB 83D2 00 adc edx,0
004654FE 03D0 add edx,eax
00465500 52 push edx
00465501 6A 00 push 0
00465503 8B45 FC mov eax,dword ptr ss:[ebp-4]
00465506 8B40 30 mov eax,dword ptr ds:[eax+30]
00465509 50 push eax
0046550A E8 8928FAFF call <jmp.&USER32.SetWindowPos>
0046550F 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00465512 E8 616AFFFF call 55.0045BF78
00465517 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0046551A 50 push eax
0046551B E8 D827FAFF call <jmp.&USER32.SetActiveWindow>
00465520 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00465523 E8 C068FFFF call 55.0045BDE8
00465528 C3 retn //代码结束处
这里我按照飘云老大的方法改为JMP:
004653D4 55 push ebp //这里是代码开始段,改为JMP 00465528 跳到结束处
(当然这里在004654BA处NOP掉也可以,或者004654A4 55 push ebp ====>jmp 004654BA也可以正常启动)
运行修改后的软件,正常!!!此时自校验已经去掉
【破解总结】
学习JMP的用法```