I have cracked version 3.62, but be careful: it has a hidden trap (暗樁) in it…
ActiveSkin is an excellent skin ActiveX control. It supports VB, VC, Delphi and so on, and is very powerful.
Download: http://www.softshape.com/download/activeskin.zip (v3.62)
After installation, the file ActiveSkin.ocx is created in the Windows system directory.
Its protection is rather unusual: if you modify the original file directly, the modified ActiveSkin.ocx can no longer be registered as a control (that is, registering it with the “Regsvr32.exe ActiveSkin.ocx” command fails, so the program you develop cannot be used on other machines).
Because it is unregistered, an Unregistered dialog pops up whenever your program calls ActiveSkin.
Disassemble ActiveSkin.ocx with W32Dasm and search for the string “Unregistered control”; you will see the following code:
:12121503 E879350000              call 12124A81
:12121508 33DB                    xor ebx, ebx
:1212150A 395DF8                  cmp dword ptr [ebp-08], ebx
:1212150D 7441                    je 12121550
:1212150F 389E44010000            cmp byte ptr [esi+00000144], bl
:12121515 7548                    jne 1212155F
* Reference To: KERNEL32.GetTickCount, Ord:016Dh
|
:12121517 8B3DB4211512            mov edi, dword ptr [121521B4]
:1212151D FFD7                    call edi
:1212151F 8945F4                  mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:12121549(C)
|
:12121522 6A10                    push 00000010
* Possible StringData Ref from Data Obj ->"Unregistered control"
|
:12121524 68F0851512              push 121585F0
* Possible StringData Ref from Data Obj ->"Warning! This application was created with trial version of ActiveSkin control."
|
:12121529 685C851512              push 1215855C
:1212152E 53                      push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:1212152F FF155C231512            Call dword ptr [1215235C]
============================================================================
Obviously, patching 12121515 from jne to jmp skips the dialog. Why not change the code that initialises [esi+00000144]? Because several places set [esi+00000144] to 0, including mfc42.dll. After patching, I took the file to another machine to register the control and typed “Regsvr32.exe ActiveSkin.ocx” at the command line: failure! So there is a hidden trap. Restore ActiveSkin.ocx to the original file and disassemble it again with W32Dasm. We know that every ActiveX control must export a function “DllRegisterServer” for Regsvr32.exe to call. ActiveSkin.ocx probably checks inside DllRegisterServer whether it has been modified, and fails the registration if it has.
Now look at the DllRegisterServer function: choose the menu Functions->Exports and find DllRegisterServer; its address is 12125386.
Good! First run TRW2000, press Ctrl-N, and set a breakpoint: bpx loadlibraryexa do "d *(esp+4)". This command breaks when LoadLibraryExA is executed and displays its argument. Then enter “Regsvr32.exe path\ActiveSkin.ocx” in the Start menu's Run box.
After the break, look at the argument and press F5 until the argument is ActiveSkin.ocx. Press F12 several times to get back into Regsvr32.exe's own code, then issue the command bpx 12125386; F5, and you arrive in ActiveSkin's code:
==============================================================================================
Exported fn(): DllRegisterServer - Ord:0003h
:12125386 833D94DB151200          cmp dword ptr [1215DB94], 00000000   <== decode flag
:1212538D 7523                    jne 121253B2
:1212538F 68534F1312              push 12134F53
* Possible StringData Ref from Code Obj ->"?+?"
|
:12125394 68744E1312              push 12134E74
:12125399 BA5F161212              mov edx, 1212165F
:1212539E B9C1141212              mov ecx, 121214C1
:121253A3 E8E7900100              call 1213E48F                        <== note this call; step into it
:121253A8 C70594DB151201000000    mov dword ptr [1215DB94], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1212538D(C)
|
:121253B2 6A00                    push 00000000
:121253B4 6A01                    push 00000001
:121253B6 6810DB1512              push 1215DB10
:121253BB E83C150000              call 121268FC
:121253C0 C3                      ret
===============================================================================================
* Referenced by a CALL at Addresses:
|:121210DC , :121253A3 , :121253DE , :1214792D , :1214AC65
|
:1213E48F 55                      push ebp
:1213E490 8BEC                    mov ebp, esp
:1213E492 83EC24                  sub esp, 00000024
:1213E495 53                      push ebx
:1213E496 56                      push esi
:1213E497 33DB                    xor ebx, ebx
:1213E499 57                      push edi
:1213E49A 8955E0                  mov dword ptr [ebp-20], edx
:1213E49D 894DDC                  mov dword ptr [ebp-24], ecx
:1213E4A0 894DF4                  mov dword ptr [ebp-0C], ecx
:1213E4A3 885DFE                  mov byte ptr [ebp-02], bl
:1213E4A6 885DFD                  mov byte ptr [ebp-03], bl
:1213E4A9 885DFF                  mov byte ptr [ebp-01], bl
:1213E4AC 885DFC                  mov byte ptr [ebp-04], bl
:1213E4AF 895DF8                  mov dword ptr [ebp-08], ebx
:1213E4B2 895DE4                  mov dword ptr [ebp-1C], ebx
* Reference To: KERNEL32.GetCurrentProcess, Ord:00F7h
|
:1213E4B5 FF15CC211512            Call dword ptr [121521CC]
:1213E4BB BE30DC1512              mov esi, 1215DC30
:1213E4C0 8945E8                  mov dword ptr [ebp-18], eax
:1213E4C3 6804010000              push 00000104
:1213E4C8 56                      push esi
:1213E4C9 FF3514DB1512            push dword ptr [1215DB14]
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:1213E4CF FF154C211512            Call dword ptr [1215214C]
:1213E4D5 53                      push ebx
:1213E4D6 6880000000              push 00000080
:1213E4DB 6A03                    push 00000003
:1213E4DD 53                      push ebx
:1213E4DE 6A01                    push 00000001
:1213E4E0 6800000080              push 80000000
:1213E4E5 56                      push esi                        <===== open "ActiveSkin.ocx"
* Reference To: KERNEL32.CreateFileA, Ord:0034h
|
:1213E4E6 FF15D8211512            Call dword ptr [121521D8]
:1213E4EC BE00101212              mov esi, 12121000
:1213E4F1 8945F0                  mov dword ptr [ebp-10], eax
:1213E4F4 8BC6                    mov eax, esi
:1213E4F6 2B054CA51512            sub eax, dword ptr [1215A54C]
:1213E4FC 8945EC                  mov dword ptr [ebp-14], eax
:1213E4FF 740E                    je 1213E50F
:1213E501 3AC3                    cmp al, bl
:1213E503 750A                    jne 1213E50F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E50A(C)
|
:1213E505 C1F808                  sar eax, 08
:1213E508 3AC3                    cmp al, bl
:1213E50A 74F9                    je 1213E505
:1213E50C 8945EC                  mov dword ptr [ebp-14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1213E4FF(C), :1213E503(C)
|
* Reference To: KERNEL32.SetFilePointer, Ord:026Ah
|
:1213E50F 8B3DDC201512            mov edi, dword ptr [121520DC]
:1213E515 8945F8                  mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5F3(C)
|
:1213E518 53                      push ebx
:1213E519 8D45FE                  lea eax, dword ptr [ebp-02]
:1213E51C 6A01                    push 00000001
:1213E51E 50                      push eax
:1213E51F FF7508                  push [ebp+08]                   <======= initially 12134e74
:1213E522 FF75E8                  push [ebp-18]
* Reference To: KERNEL32.ReadProcessMemory, Ord:021Ch
|
:1213E525 FF15D8201512            Call dword ptr [121520D8]
:1213E52B 8B4508                  mov eax, dword ptr [ebp+08]     --+
:1213E52E 2BC6                    sub eax, esi                      | compute the file offset
:1213E530 53                      push ebx                          | from the virtual address
:1213E531 0500100000              add eax, 00001000               --+
:1213E536 53                      push ebx
:1213E537 50                      push eax
:1213E538 FF75F0                  push [ebp-10]
:1213E53B FFD7                    call edi
:1213E53D 8D45E4                  lea eax, dword ptr [ebp-1C]
:1213E540 53                      push ebx
:1213E541 50                      push eax
:1213E542 8D45FC                  lea eax, dword ptr [ebp-04]
:1213E545 6A01                    push 00000001
:1213E547 50                      push eax
:1213E548 FF75F0                  push [ebp-10]
* Reference To: KERNEL32.ReadFile, Ord:0218h
|
:1213E54B FF15D0211512            Call dword ptr [121521D0]
:1213E551 8B45F4                  mov eax, dword ptr [ebp-0C]
:1213E554 2BC6                    sub eax, esi
:1213E556 53                      push ebx
:1213E557 0500100000              add eax, 00001000
:1213E55C 53                      push ebx
:1213E55D 50                      push eax
:1213E55E FF75F0                  push [ebp-10]
:1213E561 FFD7                    call edi                        <========== edi is SetFilePointer
:1213E563 8D45E4                  lea eax, dword ptr [ebp-1C]
:1213E566 53                      push ebx
:1213E567 50                      push eax
:1213E568 8D45FD                  lea eax, dword ptr [ebp-03]
:1213E56B 6A01                    push 00000001
:1213E56D 50                      push eax
:1213E56E FF75F0                  push [ebp-10]
* Reference To: KERNEL32.ReadFile, Ord:0218h
|
:1213E571 FF15D0211512            Call dword ptr [121521D0]
:1213E577 8A45FC                  mov al, byte ptr [ebp-04]
:1213E57A 3845FE                  cmp byte ptr [ebp-02], al
:1213E57D 7534                    jne 1213E5B3
:1213E57F 395DF8                  cmp dword ptr [ebp-08], ebx
:1213E582 7408                    je 1213E58C
:1213E584 8B4DF8                  mov ecx, dword ptr [ebp-08]
:1213E587 3B4DEC                  cmp ecx, dword ptr [ebp-14]
:1213E58A 7527                    jne 1213E5B3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E582(C)
|
:1213E58C 8A45FF                  mov al, byte ptr [ebp-01]
:1213E58F 53                      push ebx
:1213E590 3245FD                  xor al, byte ptr [ebp-03]
:1213E593 6A01                    push 00000001
:1213E595 3245FE                  xor al, byte ptr [ebp-02]
:1213E598 8845FF                  mov byte ptr [ebp-01], al
:1213E59B 8B45EC                  mov eax, dword ptr [ebp-14]
:1213E59E 8945F8                  mov dword ptr [ebp-08], eax
:1213E5A1 8D45FF                  lea eax, dword ptr [ebp-01]
:1213E5A4 50                      push eax
:1213E5A5 FF7508                  push [ebp+08]
:1213E5A8 FF75E8                  push [ebp-18]
* Reference To: KERNEL32.WriteProcessMemory, Ord:02E9h
|
:1213E5AB FF15EC201512            Call dword ptr [121520EC]       <== write the decoded data back
:1213E5B1 EB26                    jmp 1213E5D9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1213E57D(C), :1213E58A(C)
|
:1213E5B3 3245FF                  xor al, byte ptr [ebp-01]
:1213E5B6 53                      push ebx
:1213E5B7 6A01                    push 00000001
:1213E5B9 3245FD                  xor al, byte ptr [ebp-03]
:1213E5BC 8845FF                  mov byte ptr [ebp-01], al
:1213E5BF 0FB6C0                  movzx eax, al
:1213E5C2 0145F8                  add dword ptr [ebp-08], eax
:1213E5C5 8D45F8                  lea eax, dword ptr [ebp-08]
:1213E5C8 50                      push eax
:1213E5C9 FF7508                  push [ebp+08]
:1213E5CC FF75E8                  push [ebp-18]
* Reference To: KERNEL32.WriteProcessMemory, Ord:02E9h
|
:1213E5CF FF15EC201512            Call dword ptr [121520EC]       <== write the decoded data back
:1213E5D5 C17DF808                sar dword ptr [ebp-08], 08
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5B1(U)
|
:1213E5D9 FF45F4                  inc [ebp-0C]
:1213E5DC 8B45F4                  mov eax, dword ptr [ebp-0C]
:1213E5DF 3B45E0                  cmp eax, dword ptr [ebp-20]
:1213E5E2 7E06                    jle 1213E5EA
:1213E5E4 8B45DC                  mov eax, dword ptr [ebp-24]
:1213E5E7 8945F4                  mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5E2(C)
|
:1213E5EA FF4508                  inc [ebp+08]
:1213E5ED 8B4508                  mov eax, dword ptr [ebp+08]
:1213E5F0 3B450C                  cmp eax, dword ptr [ebp+0C]     <== all bytes done? the end address is 12134f53
:1213E5F3 0F8C1FFFFFFF            jl 1213E518
:1213E5F9 FF75F0                  push [ebp-10]
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:1213E5FC FF15C4211512            Call dword ptr [121521C4]
:1213E602 6A01                    push 00000001
:1213E604 58                      pop eax
:1213E605 5F                      pop edi
:1213E606 5E                      pop esi
:1213E607 5B                      pop ebx
:1213E608 C9                      leave
:1213E609 C20800                  ret 0008
============================================================================================
Here we can see many sensitive functions: CreateFileA, ReadFile, WriteProcessMemory… Analysis shows that this routine rewrites the code from 12134e74 to 12134f53 (total length 12134f53-12134e74 = df) based on the bytes of its own code. If the original program has been modified, it decodes to a pile of garbage, and execution fails as soon as it reaches 12134e74.
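As an added illustration, not the page's or ActiveSkin's code, the Python model below reproduces the decoder's main path (the branch taken when the in-memory byte equals the on-disk byte; the relocation-handling branch at 1213E5B3 is left out) together with the inverse transform a protector would use to produce the encoded region. Note that the key range 121214C1..1212165F passed in ecx/edx covers 12121515, so patching that jne changes a key byte and with it every decoded byte from that key position onward; the image contents here are constructed sample data.

```python
# Added model (not the page's or ActiveSkin's code) of the decoder at 1213E48F.
# Only the path where the in-memory byte equals the on-disk byte is modelled
# (1213E58C..1213E5B1); the relocation-handling path at 1213E5B3 is omitted.
# Addresses are the page's; the image bytes below are constructed sample data.
TEXT_VA = 0x12121000                            # esi: VA of .text (raw offset 0x1000)
KEY_START, KEY_END = 0x121214C1, 0x1212165F     # ecx / edx set by DllRegisterServer
ENC_START, ENC_END = 0x12134E74, 0x12134F53     # protected range, end exclusive (jl)

def va_to_raw(va):
    """File offset as the routine computes it: va - esi + 0x1000."""
    return va - TEXT_VA + 0x1000

def key_positions():
    """VAs of successive key bytes: [ebp-0C] walks KEY_START..KEY_END and wraps."""
    ptr = KEY_START
    while True:
        yield ptr
        ptr = KEY_START if ptr + 1 > KEY_END else ptr + 1

def decode_region(image):
    """out[i] = out[i-1] ^ key[j] ^ in[i]  (xor al,[ebp-03]; xor al,[ebp-02])."""
    prev, out = 0, bytearray()                  # [ebp-01] is zeroed at 1213E4A9
    for va, kva in zip(range(ENC_START, ENC_END), key_positions()):
        prev ^= image[va_to_raw(kva)] ^ image[va_to_raw(va)]
        out.append(prev)
    return bytes(out)

def encode_region(plain, image):
    """Inverse transform a protector applies: in[i] = out[i] ^ out[i-1] ^ key[j]."""
    enc, prev = bytearray(), 0
    for p, kva in zip(plain, key_positions()):
        enc.append(p ^ prev ^ image[va_to_raw(kva)])
        prev = p
    return bytes(enc)

def build_image(plain):
    """Constructed .text image holding `plain` in encoded form at ENC_START."""
    img = bytearray((i * 37 + 11) & 0xFF for i in range(0x15000))
    img[va_to_raw(ENC_START):va_to_raw(ENC_END)] = encode_region(plain, img)
    return bytes(img)

def tamper_effect(image, patch_va, new_byte):
    """How many decoded bytes change when one byte of the image is patched."""
    patched = bytearray(image)
    patched[va_to_raw(patch_va)] = new_byte
    return sum(a != b for a, b in zip(decode_region(image), decode_region(patched)))
```

Because the key region is the module's own code, any byte patch inside it corrupts the tail of the decoded block, which is the tamper-evidence property the page observed.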
Fine. The solution is: once the program has decoded the correct code, dump the code from 12134e74 to 12134f53 and use it to overwrite the ActiveSkin.ocx file that was patched the first time. Now press F12; after returning,
u 12134e74 and have a look: decoded correctly! Issue the command "w 12134e74 l df c:\dump.bin". From W32Dasm we know:
=======================================================================================
Code Offset = 00001000, Code Size = 00031000
Data Offset = 00038000, Data Size = 00006000
Number of Objects = 0005 (dec), Imagebase = 12120000h
Object01: .text  RVA: 00001000 Offset: 00001000 Size: 00031000 Flags: 60000020
Object02: .rdata RVA: 00032000 Offset: 00032000 Size: 00006000 Flags: 40000040
Object03: .data  RVA: 00038000 Offset: 00038000 Size: 00006000 Flags: C0000040
Object04: .rsrc  RVA: 0003F000 Offset: 0003E000 Size: 00013000 Flags: 40000040
Object05: .reloc RVA: 00052000 Offset: 00051000 Size: 00005000 Flags: 42000040
=========================================================================================
So the actual file offset of address 12134e74 is 12134e74 - Imagebase = 14e74 (the .text section's RVA and raw Offset are both 00001000, so here the RVA equals the file offset; you can also compute it with PEditor's FLC function).
Load the ActiveSkin.ocx patched the first time into Hex Workshop (hworks32), go to offset 14e74 and overwrite it with the data from c:\dump.bin, length 0xdf (223). Remember to make a backup.
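The section-table arithmetic above, as an added example (not the page's code): a mapper that converts a VA to a file offset for any section in the table W32Dasm printed, not only .text, where RVA and raw offset happen to coincide. The listing's Size is treated as the raw size, an assumption, and a span is refused when it is not backed by contiguous file data.

```python
# Added example (not the page's code): VA -> file offset using the section
# table W32Dasm printed for ActiveSkin.ocx, the calculation PEditor's FLC does.
IMAGE_BASE = 0x12120000

# (name, RVA, raw offset, raw size), copied from the page's section listing;
# the listing's single "Size" is assumed to be the raw (file-backed) size.
SECTIONS = [
    (".text",  0x00001000, 0x00001000, 0x00031000),
    (".rdata", 0x00032000, 0x00032000, 0x00006000),
    (".data",  0x00038000, 0x00038000, 0x00006000),
    (".rsrc",  0x0003F000, 0x0003E000, 0x00013000),
    (".reloc", 0x00052000, 0x00051000, 0x00005000),
]

def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """(section name, file offset) for a VA, or None if no raw data backs it."""
    rva = va - image_base
    for name, sec_rva, raw_off, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return name, rva - sec_rva + raw_off      # keep the delta within the section
    return None                                       # header gap or uninitialised data

def dump_span(va_start, va_end, image_base=IMAGE_BASE, sections=SECTIONS):
    """File offset and byte length for [va_start, va_end); refuses spans that are
    unbacked or cross a section boundary, where the RVA/offset delta can change."""
    first = va_to_file_offset(va_start, image_base, sections)
    last = va_to_file_offset(va_end - 1, image_base, sections)
    if first is None or last is None or first[0] != last[0]:
        raise ValueError("span is not contiguous in the file")
    return first[1], va_end - va_start
```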
Two more places also need changing: one in DllRegisterServer and the other in DllUnregisterServer. Both start by checking a flag and skip the decode routine if decoding has already been done.
Exported fn(): DllRegisterServer - Ord:0003h
:12125386 833D94DB151200          cmp dword ptr [1215DB94], 00000000
:1212538D 7523                    jne 121253B2                         <======= change to jmp
:1212538F 68534F1312              push 12134F53
* Possible StringData Ref from Code Obj ->"?+?"
|
:12125394 68744E1312              push 12134E74
:12125399 BA5F161212              mov edx, 1212165F
:1212539E B9C1141212              mov ecx, 121214C1
:121253A3 E8E7900100              call 1213E48F
:121253A8 C70594DB151201000000    mov dword ptr [1215DB94], 00000001   <== decoding done, flag set to 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1212538D(C)
|
:121253B2 6A00                    push 00000000
:121253B4 6A01                    push 00000001
:121253B6 6810DB1512              push 1215DB10
:121253BB E83C150000              call 121268FC
:121253C0 C3                      ret
...
Exported fn(): DllUnregisterServer - Ord:0004h
:121253C1 833D94DB151200          cmp dword ptr [1215DB94], 00000000
:121253C8 7523                    jne 121253ED                         <======= change to jmp
:121253CA 68534F1312              push 12134F53
==================================================================================
That completes the crack.