|
|
【破解作者】 飘之叶
【作者主页】 http://hi.baidu.com/piaozhiye
【使用工具】 OD PEID DIE
【破解平台】 Win9x/NT/2000/XP
【软件名称】 3D-FTP
【下载地址】 http://jx.newhua.com/soft/385.htm#
【软件简介】
界面具有3D立体感的FTP连接工具、除具有一般功能外、亦有传输曲线表、且它可如Winamp
、般更换SKIN相当漂亮,喜欢漂亮界面或有软件测试兴趣的网友可玩玩
【加壳方式】 Armadillo 4.10
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
首先PEID查壳是Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks,
用DIE查壳是4.10 是个双线程!
脱壳:
忽略所有异常,手动添加C000001E,E06D7363异常。隐藏OD!
一、双变单(使程序把自己当成子进程运行)
bp OpenMutexA
断在这里:
7C80EA1B kernel> 8BFF mov edi,edi
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp,esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr ss:[ebp+10],0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je kernel32.7C843D93
7C80EA2D 64:A1 18000000 mov eax,dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr ss:[ebp+10]
堆栈:
0019F770 006B0808 /CALL 到 OpenMutexA 来自 3dftp.006B0802
0019F774 001F0001 |Access = 1F0001
0019F778 00000000 |Inheritable = FALSE
0019F77C 0019FDB0 \MutexName = "F84::DAF320876B"
0019F780 00000004
Ctrl+G:00401000
00401000 60 pushad
00401001 9C pushfd
00401002 68 B0FD1900 push 19FDB0 ; ASCII "F84::DAF320876B"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FD9407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DA407C jmp kernel32.OpenMutexA
00401017 90 nop
60 9C 68 B0 FD 19 00 33 C0 50 50 E8 2F D9 40 7C 9D 61 E9 04 DA 40 7C 90
填好以上贴码后此处新建EIP,F9
断在原来的断点:
7C80EA1B kernel> 8BFF mov edi,edi
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp,esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr ss:[ebp+10],0
7C80EA26 56 push esi
此时取消断点。Ctrl+G 00401000
选择以下代码代码后撤销选择(修改)
--------------------------------------------------------
00401000 60 pushad
00401001 9C pushfd
00401002 68 B0FD1900 push 19FDB0 ; ASCII
"F84::DAF320876B"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FD9407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DA407C jmp kernel32.OpenMutexA
00401017 90 nop
--------------------------------------------------------------------
变成原来的
00401000 0000 add byte ptr ds:[eax],al
00401002 0000 add byte ptr ds:[eax],al
00401004 0000 add byte ptr ds:[eax],al
00401006 0000 add byte ptr ds:[eax],al
00401008 0000 add byte ptr ds:[eax],al
0040100A 0000 add byte ptr ds:[eax],al
0040100C 0000 add byte ptr ds:[eax],al
-----------------------------------------------------------------------
二、避开Anti
he OutputDebugStringA
中断2次!
选中%s%之类的字符,点右键->二进制->使用00填充
SHIFT+F9
堆栈
0019EC48 00EA5251 /CALL 到 OutputDebugStringA 来自 00EA524B
0019EC4C 0019F5C0 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
选择:
-----------------------------------------------------------------------------------------
0019EC4C 0019F5C0 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
------------------------------------------------------------------------------------------
数据窗口跟随,点右键->二进制->使用00填充
变成:
0019EC48 00EA5251 /CALL 到 OutputDebugStringA 来自 00EA524B
0019EC4C 0019F5C0 \String = ""
第二处:
0019EC48 00EA5883 /CALL 到 OutputDebugStringA 来自 00EA587D
0019EC4C 0019F5C0 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
数据窗口跟随,点右键->二进制->使用00填充
变成:
0019EC48 00EA5883 /CALL 到 OutputDebugStringA 来自 00EA587D
0019EC4C 0019F5C0 \String = ""
------------------------------------------------------------------------------------------
删除此断点!
三、Magic Jump,避开IAT加密
he GetModuleHandleA
00199500 00EA6829 /CALL 到 GetModuleHandleA 来自 00EA6823
00199504 00EBAC1C \pModule = "kernel32.dll"
00199508 00EBBEC4 ASCII "VirtualAlloc"
0019950C 00EBEA98
00199510 7C9210ED ntdll.RtlLeaveCriticalSection
00199500 00EA6846 /CALL 到 GetModuleHandleA 来自 00EA6840
00199504 00EBAC1C \pModule = "kernel32.dll"
00199508 00EBBEB8 ASCII "VirtualFree"
0019950C 00EBEA98
00199510 7C9210ED ntdll.RtlLeaveCriticalSection
堆栈依次出现后是返回时机。
断在这里:
------------------------------------------------------------------------------------------
7C80B6A1 kernel> 8BFF mov edi,edi ;断在这里
7C80B6A3 55 push ebp
7C80B6A4 8BEC mov ebp,esp
7C80B6A6 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C80B6AA 74 18 je short kernel32.7C80B6C4
7C80B6AC FF75 08 push dword ptr ss:[ebp+8]
7C80B6AF E8 C0290000 call kernel32.7C80E074
7C80B6B4 85C0 test eax,eax
7C80B6B6 74 08 je short kernel32.7C80B6C0
7C80B6B8 FF70 04 push dword ptr ds:[eax+4]
7C80B6BB E8 7D2D0000 call kernel32.GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 retn 4
----------------------------------------------------------------------------------------
堆栈出现:
-----------------------------------------------------------------------------------------
00199264 00E957E9 /CALL 到 GetModuleHandleA 来自 00E957E3
00199268 001993B4 \pModule = "kernel32.dll"
------------------------------------------------------------------------------------------
此时是返回时机。取消这个断点,ALT+F9 执行到用户代码.
返回到这里:
00E957E9 8B0D AC30EC00 mov ecx,dword ptr ds:[EC30AC]
00E957EF 89040E mov dword ptr ds:[esi+ecx],eax
00E957F2 A1 AC30EC00 mov eax,dword ptr ds:[EC30AC]
00E957F7 391C06 cmp dword ptr ds:[esi+eax],ebx
00E957FA 75 16 jnz short 00E95812
00E957FC 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00E95802 50 push eax
00E95803 FF15 BC52EB00 call dword ptr ds:[EB52BC] ; kernel32.LoadLibraryA
00E95809 8B0D AC30EC00 mov ecx,dword ptr ds:[EC30AC]
00E9580F 89040E mov dword ptr ds:[esi+ecx],eax
00E95812 A1 AC30EC00 mov eax,dword ptr ds:[EC30AC]
00E95817 391C06 cmp dword ptr ds:[esi+eax],ebx
00E9581A 0F84 2F010000 je 00E9594F ; Magic Jump
往下拉,找如此类似的序列(一个jnz,一个jmp,两个salc/Magic Jump)
也可以这样做:Ctrl+F在当前位置查找命令: salc
01055C0E ^\0F85 49FEFFFF jnz 01055A5D
01055C14 EB 03 jmp short 01055C19 //F2下断,Shift+F9,断下!取消断点!
01055C16 D6 salc
01055C17 D6 salc
重要:断下后,记得要撤消Magic Jump处的修改!
为何要这样做?我发现程序在下面会依据原先的代码进行解码,
以前下 硬件断点 操作没有修改原代码,所以解码正确。
而直接修改Magic Jump后改变了原先的代码,导致解码不正确而异常出错!
现在我们在解码以前恢复原先的代码,因此就不会再出错了!
此时,打开内存镜像,在00401000段下断,Shift+F9直达OEP!
00EAF06D 8B0C3A mov ecx,dword ptr ds:[edx+edi] ; 来到这里,F8
00EAF070 5B pop ebx
00EAF071 03D7 add edx,edi
00EAF073 A1 E4F0EB00 mov eax,dword ptr ds:[EBF0E4]
00EAF078 3188 80000000 xor dword ptr ds:[eax+80],ecx
00EAF07E A1 E4F0EB00 mov eax,dword ptr ds:[EBF0E4]
00EAF083 3188 80000000 xor dword ptr ds:[eax+80],ecx
00EAF089 A1 E4F0EB00 mov eax,dword ptr ds:[EBF0E4]
00EAF08E 8B16 mov edx,dword ptr ds:[esi]
00EAF090 8B48 64 mov ecx,dword ptr ds:[eax+64]
00EAF093 3348 5C xor ecx,dword ptr ds:[eax+5C]
00EAF096 3348 40 xor ecx,dword ptr ds:[eax+40]
00EAF099 030D FCF0EB00 add ecx,dword ptr ds:[EBF0FC] ; 3dftp.00400000
00EAF09F 85D2 test edx,edx
00EAF0A1 75 18 jnz short 00EAF0BB
00EAF0A3 8B50 60 mov edx,dword ptr ds:[eax+60]
00EAF0A6 FF76 18 push dword ptr ds:[esi+18]
00EAF0A9 3350 40 xor edx,dword ptr ds:[eax+40]
00EAF0AC FF76 14 push dword ptr ds:[esi+14]
00EAF0AF 3350 14 xor edx,dword ptr ds:[eax+14]
00EAF0B2 FF76 10 push dword ptr ds:[esi+10]
00EAF0B5 2BCA sub ecx,edx
00EAF0B7 FFD1 call ecx
00EAF0B9 EB 1D jmp short 00EAF0D8
00EAF0BB 83FA 01 cmp edx,1
00EAF0BE 75 1B jnz short 00EAF0DB
00EAF0C0 FF76 04 push dword ptr ds:[esi+4]
00EAF0C3 8B50 60 mov edx,dword ptr ds:[eax+60]
00EAF0C6 3350 40 xor edx,dword ptr ds:[eax+40]
00EAF0C9 FF76 08 push dword ptr ds:[esi+8]
00EAF0CC 3350 14 xor edx,dword ptr ds:[eax+14]
00EAF0CF 6A 00 push 0
00EAF0D1 FF76 0C push dword ptr ds:[esi+C]
00EAF0D4 2BCA sub ecx,edx
00EAF0D6 FFD1 call ecx ; F7进去!直接到达OEP!
-----------------------------------------------------------------------------------------
OEP:
看就知道是VB程序
004103C8 68 D40D4100 push 3dftp.00410DD4 ; ASCII "VB5!6&*"//OEP
004103CD E8 F0FFFFFF call 3dftp.004103C2 ; jmp to
MSVBVM60.ThunRTMain
004103D2 0000 add byte ptr ds:[eax],al
004103D4 40 inc eax
004103D5 0000 add byte ptr ds:[eax],al
004103D7 0030 add byte ptr ds:[eax],dh
004103D9 0000 add byte ptr ds:[eax],al
004103DB 0038 add byte ptr ds:[eax],bh
004103DD 0000 add byte ptr ds:[eax],al
004103DF 0000 add byte ptr ds:[eax],al
004103E1 0000 add byte ptr ds:[eax],al
004103E3 00CD add ch,cl
004103E5 6A 00 push 0
004103E7 ^ 7F CB jg short 3dftp.004103B4
004103E9 90 nop
004103EA 8142 B7 ED41196D add dword ptr ds:[edx-49],6D1941>
004103F1 DF15 BC000000 fist word ptr ds:[BC]
004103F7 0000 add byte ptr ds:[eax],al
004103F9 0001 add byte ptr ds:[ecx],al
LordPE纠正大小Dump!打开Import 1.6,OEP填103C8,修复后有1个无效指针,CUT,正常运行!
但是注册的时候会出现错误。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |
评分
-
查看全部评分
|
IP卡
发表于 2008-6-23 19:02:07
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2008-6-29 08:48:59
发表于 2008-10-17 13:07:36