Detailed process of unpacking IglooFTP PRO v3.0
After I posted about registering Advanced Ra-Renamer 1.2, someone replied asking me to try IglooFTP PRO v3.0. OK, no problem. This fellow 1212 really has a sharp eye: he knows that while I'm concentrating on learning to unpack ASProtect I reply to every post (every post about ASProtect-protected programs, of course), and I don't know whether he wanted to test me or force me to learn manual ASProtect unpacking. Never mind all that; in any case I learned it, and this is my first successful manual unpack, so to celebrate I'll write the process up in a bit more detail. Let's go~~~~~~
unpack (2001.9.13)
The quick method of locating the ASProtect entry point cannot find this program's OEP, because IglooFTP PRO v3.0 is written in VC and that method only works for Delphi programs; a VC program's entry point has no signature, so it has to be unpacked by hand. For specifics, see my ASProtect unpacking summary.
First, load IglooFTP PRO with TRW (I chose TRW because: 1. it's convenient for writing up the process, since `u x,x ><drive:>x` exports the code; 2. S-ICE + IceDump crashes before it gets this far). Set `bpx getprocaddress`, `g`; once it breaks, press F12 twice, then step with F10 until you reach:
0187:00AC1ACD LEA EAX,[EAX+00]
0187:00AC1AD0 PUSH EBP
0187:00AC1AD1 MOV EBP,ESP
0187:00AC1AD3 ADD ESP,BYTE -0C
0187:00AC1AD6 CALL 00AB3130
0187:00AC1ADB JNZ NEAR 00AB3E4C
0187:00AC1AE1 CALL 00AB4308
0187:00AC1AE6 CALL 00AB8AC8
0187:00AC1AEB CALL 00AB945C
0187:00AC1AF0 CALL 00ABBF90
0187:00AC1AF5 CALL 00AB3E4C <--- press F8 to step in here
0187:00AC1AFA MOV ESP,EBP
0187:00AC1AFC POP EBP
Step slowly with F10 until you reach:
0187:00AC05EA MOV EAX,[ESP+0C]
0187:00AC05EE JMP SHORT 00AC05F1 <--- be careful from here on; my eyes are still swimming. So this is what "junk instructions" means ;-)
0187:00AC05F0 XCHG AL,[EBX+B880]
0187:00AC05F6 ADD [EDX],AL
0187:00AC05F8 JMP SHORT 00AC0614
0187:00AC05FA MOV ESP,EBE817EB
0187:00AC05FF ADC AL,E8
0187:00AC0601 JMP SHORT 00AC0614
0187:00AC0603 CALL EC9414F3
0187:00AC0608 OR EBP,EAX
0187:00AC060A JMP SHORT 00AC0614
0187:00AC060C INT 20
0187:00AC060E JMP SHORT 00AC0614
0187:00AC0610 CALL 32940800
0187:00AC0615 ROL BL,EB
0187:00AC0618 ADD EAX,EBP
Just set a breakpoint directly at 00AC119F, which skips all that eye-straining code.
0187:00AC118D MOV EDX,02
0187:00AC1192 CALL 00AB31B0
0187:00AC1197 RET
0187:00AC1198 JMP 00AB2DE8
0187:00AC119D JMP SHORT 00AC1172
0187:00AC119F POP EDI <---- bpx here
0187:00AC11A0 POP ESI
0187:00AC11A1 POP EBX
0187:00AC11A2 MOV ESP,EBP
0187:00AC11A4 POP EBP
0187:00AC11A5 RET
A few presses of F10 bring you to:
0187:00AC11C4 PUSH DWORD 331A69FF
0187:00AC11C9 PUSH DWORD 2550
0187:00AC11CE PUSH DWORD EC70
0187:00AC11D3 PUSH DWORD 00016000
0187:00AC11D8 PUSH DWORD [00AC3014]
0187:00AC11DE CALL 00AC11E4
0187:00AC11E3 ADD DWORD [EBX+88E804C4],E8FFFFB8
0187:00AC11ED ADD [EAX],EAX
0187:00AC11EF ADD [EAX],AL
0187:00AC11F1 ADD DWORD [EBX+043104C4],0001E824
0187:00AC11FB ADD [EAX],AL
0187:00AC11FD PUSH DWORD 8B04C483
0187:00AC1202 ADD EAX,00AC3014
0187:00AC1207 CALL 00AC120E <---- bpx here, then press F8 to step out
0187:00AC120C CALL 05709579
0187:00AC1211 ADD [ESP],EAX
0187:00AC1214 RET
0187:00AC1215 RET
A few presses of F10 bring you to:
0187:00AC005D LEA EAX,[EAX+00]
0187:00AC0060 MOV EAX,00AC39BC
0187:00AC0065 MOV EDX,0A
0187:00AC006A CALL 00ABC318
0187:00AC006F CALL 00ABFEA0 <---- press F8 to step in
0187:00AC0074 RET
A few presses of F10 bring you to:
0187:00ABFFD5 CALL 00AB2E90
0187:00ABFFDA CMP DWORD [00AC39A4],BYTE +00
0187:00ABFFE1 JZ 00ABFFF7
0187:00ABFFE3 PUSH BYTE +04
0187:00ABFFE5 MOV ECX,00AC39A4
0187:00ABFFEA LEA EAX,[EBP-08]
0187:00ABFFED MOV EDX,04
0187:00ABFFF2 CALL 00ABC470
0187:00ABFFF7 CALL 00AC0011 <---- press F8 to step in
0187:00ABFFFC MOV EAX,[ESP+0C]
0187:00AC0000 ADD DWORD [EAX+B8],BYTE +02
0187:00AC0007 MOV DWORD [EAX+18],00
A few presses of F10 bring you to:
0187:00AC0043 PUSH DWORD [EBP-08]
0187:00AC0046 MOV EAX,[EBP-0C]
0187:00AC0049 CMP DWORD [EAX],BYTE +00
0187:00AC004C JZ 00AC0050
0187:00AC004E PUSH DWORD [EAX]
0187:00AC0050 PUSH DWORD [EBP-10]
0187:00AC0053 JMP NEAR [EBP-14] <---- brother fs0 says once you get here the OEP isn't far off, ????
0187:00AC0056 POP EDI
0187:00AC0057 POP ESI
0187:00AC0058 POP EBX
0187:00AC0059 MOV ESP,EBP
0187:00AC005B POP EBP
0187:00AC005C RET
A few presses of F10 bring you to:
0187:00AD2970 PUSH DWORD 063429E1 <---- jump straight here
0187:00AD2975 POP EAX
0187:00AD2976 JMP 00AD298E
0187:00AD297B MOV EDI,DBEAD58C
0187:00AD2980 JS 00AD29D3
0187:00AD2982 MOV DH,B7
0187:00AD2984 AND AL,8D
0187:00AD2986 INC EDX
0187:00AD2987 PUSH EBX
0187:00AD2988 NOP
0187:00AD2989 MOV [ESI+E845BCAF],ECX
0187:00AD298F SLDT [EAX]
0187:00AD2992 ADD BL,CL
By this point TRW's job is basically done, because what follows is an infinite loop (not sure that's the right term); I searched more than 20000 lines of code around it and still couldn't find a `jmp eax`, so it's time to switch to the powerful SuperBPM + IceDump combo. Load IglooFTP PRO with S-ICE, `g ad2970`, press F8 a few times to reach the infinite loop, then `/tracex 400000 eip-8`, `g`, and hoho, you land directly at the program's entry point 47f732. That ends the search for the OEP; on with the unpacking.
OK, next we dump at the entry point. Open SuperBPM and click Erase, load IglooFTP PRO v3.0 with TRW, `g 47f732`, then `suspend`. In ProcDump select the IglooFTP PRO process and Dump (full), then press Ctrl+N, F5.
Next, repair the import table: ImportREC 1.2 final can't extract the complete IT, and more than 70 functions had to be fixed by hand, which wore me out~~~. Rebuilding the IT together with ImportREC 1.2 beta2 works better. hoho, good luck :)
The following can only be detected while inside IglooFTP PRO's own turf (its process):
FThunk: 0008A01C NbFunc: 00000002
1 0008A01C COMCTL32.dll 003B ImageList_GetIcon
1 0008A020 COMCTL32.dll 002A ImageList_AddMasked
1 0008A09C KERNEL32.dll 01E9 GetVersion
1 0008A0B0 KERNEL32.dll 00C7 CreateProcessA
1 0008A0BC KERNEL32.dll 0163 GetCurrentProcessId
1 0008A0F8 KERNEL32.dll 0129 FindNextFileA
1 0008A0FC KERNEL32.dll 0120 FindClose
1 0008A100 KERNEL32.dll 017F GetFileSize
1 0008A104 KERNEL32.dll 0306 Sleep
1 0008A108 KERNEL32.dll 01E1 GetTickCount
FThunk: 0008AE88 NbFunc: 0000003F
1 0008AE88 USER32.dll 0215 SetCursor
1 0008AE8C USER32.dll 019D LoadCursorA
1 0008AE90 USER32.dll 01E4 RedrawWindow
1 0008AE94 USER32.dll 00E2 GetCapture
1 0008AE98 USER32.dll 0038 CheckMenuItem
1 0008AE9C USER32.dll 015F GrayStringA
1 0008AEA0 USER32.dll 01C1 ModifyMenuA
1 0008AEA4 USER32.dll 0175 InflateRect
1 0008AEA8 USER32.dll 0133 GetParent
1 0008AEAC USER32.dll 01E1 PtInRect
1 0008AEB0 USER32.dll 00B6 EnableMenuItem
1 0008AEB4 USER32.dll 013F GetSubMenu
1 0008AEB8 USER32.dll 01DE PostQuitMessage
1 0008AEBC USER32.dll 025C TabbedTextOutA
1 0008AEC0 USER32.dll 00B0 DrawTextA
1 0008AEC4 USER32.dll 0226 SetMenuDefaultItem
1 0008AEC8 USER32.dll 01DC PostMessageA
1 0008AECC USER32.dll 01C7 MsgWaitForMultipleObjects
1 0008AED0 USER32.dll 01D9 PeekMessageA
1 0008AED4 USER32.dll 0198 KillTimer
1 0008AED8 USER32.dll 01A1 LoadIconA
1 0008AEDC USER32.dll 023C SetTimer
1 0008AEE0 USER32.dll 000F BringWindowToTop
1 0008AEE4 USER32.dll 017E InvalidateRect
1 0008AEE8 USER32.dll 00EE GetClientRect
1 0008AEEC USER32.dll 020D SetCapture
1 0008AEF0 USER32.dll 01F4 ReleaseCapture
1 0008AEF4 USER32.dll 01A7 LoadMenuA
1 0008AEF8 USER32.dll 0140 GetSysColor
1 0008AEFC USER32.dll 00B8 EnableWindow
1 0008AF00 USER32.dll 0299 WinHelpA
1 0008AF04 USER32.dll 0193 IsWindow
1 0008AF08 USER32.dll 01A3 LoadImageA
1 0008AF0C USER32.dll 0157 GetWindowRect
1 0008AF10 USER32.dll 0204 SendMessageA
1 0008AF14 USER32.dll 019B LoadBitmapA
1 0008AF18 USER32.dll 0277 UpdateWindow
1 0008AF1C USER32.dll 01BA MessageBoxA
1 0008AF20 USER32.dll 0192 IsRectEmpty
1 0008AF24 USER32.dll 0143 GetSystemMetrics
1 0008AF28 USER32.dll 00D5 FillRect
1 0008AF2C USER32.dll 00E1 GetAsyncKeyState
1 0008AF30 USER32.dll 0224 SetMenu
1 0008AF34 USER32.dll 01C6 MoveWindow
1 0008AF38 USER32.dll 018A IsClipboardFormatAvailable
1 0008AF3C USER32.dll 00F0 GetClipboardData
1 0008AF40 USER32.dll 01D0 OpenClipboard
1 0008AF44 USER32.dll 00B5 EmptyClipboard
1 0008AF48 USER32.dll 0213 SetClipboardData
1 0008AF4C USER32.dll 0040 CloseClipboard
1 0008AF50 USER32.dll 0128 GetMessagePos
1 0008AF54 USER32.dll 01FB ScreenToClient
1 0008AF58 USER32.dll 01B7 MapWindowPoints
1 0008AF5C USER32.dll 0104 GetFocus
1 0008AF60 USER32.dll 0210 SetClassLongA
1 0008AF64 USER32.dll 003E ClientToScreen
1 0008AF68 USER32.dll 01E9 RegisterClipboardFormatA
1 0008AF6C USER32.dll 0232 SetRect
1 0008AF70 USER32.dll 0008 AppendMenuA
1 0008AF74 USER32.dll 0196 IsWindowVisible
1 0008AF78 USER32.dll 01F6 RemoveMenu
1 0008AF7C USER32.dll 00AC DrawMenuBar
1 0008AF80 USER32.dll 01B9 MessageBeep
FThunk: 0008B008 NbFunc: 00000001
0 0008B008 ? 0000 00410150
That last function, I really have no idea what it does, so just delete it :)
Select Add new section, then click Fix Dump.
Finally, change the EP of dump.exe to 0007f732.
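As an added illustration of that last step (example code, not part of the original post or of any of the tools it uses): the EP written into the PE header is an RVA, so the OEP 47f732 becomes 0007f732 under the image base 0x400000 the write-up's addresses imply (assumed here). The script rewrites AddressOfEntryPoint in a constructed minimal PE32 header and refuses an RVA that lies in no section, which is the usual symptom of a mis-set EP after a dump.

```python
import struct

IMAGE_BASE = 0x400000   # assumed image base implied by 47f732 -> 0007f732
OEP_VA = 0x47F732       # OEP found with /tracex in the write-up

def va_to_rva(va, image_base=IMAGE_BASE):
    """VA of the OEP -> RVA that goes into AddressOfEntryPoint."""
    if va < image_base:
        raise ValueError("VA below image base")
    return va - image_base

def build_min_pe(ep_rva, image_base, sections):
    """Constructed minimal PE32 header (DOS stub, NT headers, section table); not the real dump."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    # Optional header: Magic, linker ver, code/data sizes, AddressOfEntryPoint (at offset 16), bases
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0, 0, 0, ep_rva, 0x1000, 0x80000)
    opt += struct.pack("<I", image_base)
    opt += b"\0" * (0xE0 - len(opt))
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
                   for n, va, vs in sections)   # sections: (name, VirtualAddress, VirtualSize)
    return dos + b"PE\0\0" + file_hdr + opt + tbl

def _opt_hdr_off(pe):
    return struct.unpack_from("<I", pe, 0x3C)[0] + 4 + 20   # e_lfanew + "PE\0\0" + FILE_HEADER

def get_entry_point(pe):
    return struct.unpack_from("<I", pe, _opt_hdr_off(pe) + 16)[0]

def section_containing(pe, rva):
    """Name of the section whose virtual range covers rva, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_off = _opt_hdr_off(pe) + opt_size
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", pe, sec_off + 40 * i)
        if va <= rva < va + vsize:
            return name.rstrip(b"\0").decode()
    return None

def set_entry_point(pe, new_rva):
    """Rewrite AddressOfEntryPoint, refusing an RVA that lies in no section."""
    if section_containing(pe, new_rva) is None:
        raise ValueError("EP %#x lies outside every section" % new_rva)
    buf = bytearray(pe)
    struct.pack_into("<I", buf, _opt_hdr_off(buf) + 16, new_rva)
    return bytes(buf)

if __name__ == "__main__":
    dump = build_min_pe(0x1000, IMAGE_BASE, [(b".text", 0x1000, 0x8A000), (b".rdata", 0x8B000, 0x1000)])
    fixed = set_entry_point(dump, va_to_rva(OEP_VA))
    print("EP %#x -> %#x (%s)" % (get_entry_point(dump), get_entry_point(fixed), section_containing(fixed, OEP_VA - IMAGE_BASE)))
```

On a real dump the same two header offsets apply; only the section layout differs.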
After fixing the IT, running IglooFTP PRO gives an illegal operation (which program is going to surprise me by not doing this?), so I loaded it to take a look. The error is in this spot:
:00478593 8B0D28ED4A00 mov ecx, dword ptr [004AED28]

* Reference To: ADVAPI32., Ord:0000h
|
:00478599 E8726A0000 Call 0047F010
:0047859E FF1554ED4A00 call dword ptr [004AED54] -> call 477c90
The only way to see this is to trace into the original version; it turns out the call here ends up at 477c90, so just change it at the corresponding location.
:004785A4 8B8D2CFFFFFF mov ecx, dword ptr [ebp+FFFFFF2C]
:004785AA E811040000 call 004789C0
:004785AF 8B952CFFFFFF mov edx, dword ptr [ebp+FFFFFF2C]
:004785B5 8982D8000000 mov dword ptr [edx+000000D8], eax
:004785BB 8B852CFFFFFF mov eax, dword ptr [ebp+FFFFFF2C]
:004785C1 83B8D800000000 cmp dword ptr [eax+000000D8], 00000000
:004785C8 7416 je 004785E0
:004785CA B9C8EC4A00 mov ecx, 004AECC8
:004785CF E83C090000 call 00478F10
:004785D4 8B8D2CFFFFFF mov ecx, dword ptr [ebp+FFFFFF2C]
:004785DA 8981D8000000 mov dword ptr [ecx+000000D8], eax
It now runs, but clicking the ABOUT menu still gives an illegal operation, so keep looking for the cause. It's here:
:00477D18 FF155CED4A00 CALL [004AED54]
:00477D38 FF1560ED4A00 CALL [004AED60]
What the call reaches is just a ret; as usual, use WinHex to replace it all with 90, i.e. nop. Fortunately there's only one occurrence. If anyone has a better way to patch it, please let me know.
Also, in memory I saw that AB3405 sits together with the three ABC8FC addresses and two ABC850 addresses above; this is bound to cause an illegal operation on some command, but without a network connection I can't find it. If anyone can track it down, please fill in this part, thanks.
At this point it runs normally and the unpacking job is done. If there are mistakes, inappropriate parts, or suggestions, please point them out.
As for cracking the program, I only glanced at it and found I couldn't finish it in a short time, so I'll leave that to brothers with the energy and time and finish my crash course in ASProtect unpacking first. My first successful manual unpack took me about 3 hours. Slow, I was born that way :( but I'll keep working hard :).
Download: http://zombieys.cn.hongnet.com/unp-iftppro.rar
hehe, it includes the complete import table
2001.9.14
zombieys[CCG]