Repost: Unpacking and cracking FlashFXP v1.4.1 build 823 (16k characters)
Unpacking and cracking FlashFXP v1.4.1 build 823
Software: FlashFXP v1.4.1 build 823
Download: http://www.onlinedown.net/flashfxp
Size: 828KB
Tools: W32dasm + TRW2000
Software review: a powerful FXP/FTP client that combines the strengths of several other good FTP clients.
I think it beats CuteFTP in many respects, which is why so many people like it.
Cracked by: moonlite and edea, jointly
Unpacking and patching process:
The packer on FlashFXP 1.4.1 build 823 is tElock. Its main characteristic is the sheer number of anti-debug tricks; once those are dealt with, unpacking is easy. There are many stretches of code like (1) and (2) below, so trace carefully, preferably with F8 and F7.
(1)
0167:00583A12 60             PUSHA
0167:00583A13 E806000000     CALL 00583A1E
0167:00583A18 8B642408       MOV ESP,[ESP+08]        <-- exception handler entry; set a breakpoint here and press F5 once
0167:00583A1C EB0D           JMP SHORT 00583A2B
0167:00583A1E 2BFF           SUB EDI,EDI
0167:00583A20 64FF37         PUSH DWORD [FS:EDI]
0167:00583A23 648927         MOV [FS:EDI],ESP        <-- do not F8 past this point
0167:00583A26 F1             INT1
0167:00583A27 FF07           INC DWORD [EDI]
0167:00583A29 EBE8           JMP SHORT 00583A13
0167:00583A2B 85E4           TEST ESP,ESP
0167:00583A2D 7903           JNS 00583A32
(2)
0167:00583A3B F8             CLC
0167:00583A3C 0BC1           OR EAX,ECX
0167:00583A3E 60             PUSHA
0167:00583A3F E806000000     CALL 00583A4A
0167:00583A44 8B642408       MOV ESP,[ESP+08]        <-- exception handler entry
0167:00583A48 EB1A           JMP SHORT 00583A64
0167:00583A4A 6467FF360000   PUSH DWORD [WORD FS:00]
0167:00583A50 646789260000   MOV [WORD FS:00],ESP
0167:00583A56 9C             PUSHF                   <-- do not step on from here; the lazy way is to set EIP to 583A48
0167:00583A57 810C2400010000 OR DWORD [ESP],0100
0167:00583A5E 9D             POPF
0167:00583A5F F8             CLC
0167:00583A60 73DC           JNC 00583A3E
0167:00583A62 CD20           INT 20
0167:00583A64 64678F060000   POP DWORD [WORD FS:00]
0167:00583A6A 58             POP EAX
0167:00583A6B 61             POPA
0167:00583A6C F9             STC
0167:00583A6D 7202           JC 00583A71
(3) This is the most ingenious part of the whole packer (I may be talking nonsense here; corrections welcome):
0167:00582078 7FE9           JG 00582063
0167:0058207A E800000000     CALL 0058207F
0167:0058207F 5D             POP EBP
0167:00582080 8D4546         LEA EAX,[EBP+46]
0167:00582083 50             PUSH EAX
0167:00582084 33C0           XOR EAX,EAX
0167:00582086 64FF30         PUSH DWORD [FS:EAX]
0167:00582089 648920         MOV [FS:EAX],ESP
0167:0058208C CC             INT3
0167:0058208D 90             NOP
0167:0058208E 8BC0           MOV EAX,EAX
0167:00582090 F9             STC
0167:00582091 90             NOP
0167:00582092 8D045D34120000 LEA EAX,[EBX*2+1234]
0167:00582099 F8             CLC
0167:0058209A 90             NOP
0167:0058209B C1EB05         SHR EBX,05
0167:0058209E FC             CLD
0167:0058209F 90             NOP
0167:005820A0 C1C007         ROL EAX,07
0167:005820A3 90             NOP
0167:005820A4 90             NOP
0167:005820A5 33DB           XOR EBX,EBX
0167:005820A7 F7F3           DIV EBX
0167:005820A9 64678F060000   POP DWORD [WORD FS:00]
0167:005820AF 83C404         ADD ESP,BYTE +04
0167:005820B2 66BE4746       MOV SI,4647
0167:005820B6 66BF4D4A       MOV DI,4A4D
0167:005820BA 8A8599000000   MOV AL,[EBP+99]
0167:005820C0 E99C000000     JMP 00582161
0167:005820C5 8B442404       MOV EAX,[ESP+04]
0167:005820C9 8B4C240C       MOV ECX,[ESP+0C]
0167:005820CD FF81B8000000   INC DWORD [ECX+B8]
0167:005820D3 8B00           MOV EAX,[EAX]
0167:005820D5 3D940000C0     CMP EAX,C0000094
0167:005820DA 7524           JNZ 00582100
0167:005820DC FF81B8000000   INC DWORD [ECX+B8]
0167:005820E2 33C0           XOR EAX,EAX
0167:005820E4 214104         AND [ECX+04],EAX
0167:005820E7 214108         AND [ECX+08],EAX
0167:005820EA 21410C         AND [ECX+0C],EAX
0167:005820ED 214110         AND [ECX+10],EAX
0167:005820F0 816114F00FFFFF AND DWORD [ECX+14],FFFF0FF0
0167:005820F7 81611800DC0000 AND DWORD [ECX+18],DC00
0167:005820FE EB60           JMP SHORT 00582160
0167:00582100 3D04000080     CMP EAX,80000004
0167:00582105 740C           JZ 00582113
0167:00582107 3D03000080     CMP EAX,80000003
0167:0058210C 7412           JZ 00582120
0167:0058210E 6A01           PUSH BYTE +01
0167:00582110 58             POP EAX
0167:00582111 EB4D           JMP SHORT 00582160
0167:00582113 E801000000     CALL 00582119
0167:00582118 0058FE         ADD [EAX-02],BL
0167:0058211B 002B           ADD [EBX],CH
0167:0058211D C0EB40         SHR BL,40
0167:00582120 8B81B4000000   MOV EAX,[ECX+B4]
0167:00582126 8D4024         LEA EAX,[EAX+24]
0167:00582129 894104         MOV [ECX+04],EAX
0167:0058212C 8B81B4000000   MOV EAX,[ECX+B4]
0167:00582132 8D401F         LEA EAX,[EAX+1F]
0167:00582135 894108         MOV [ECX+08],EAX
0167:00582138 8B81B4000000   MOV EAX,[ECX+B4]
0167:0058213E 8D401A         LEA EAX,[EAX+1A]
0167:00582141 89410C         MOV [ECX+0C],EAX
0167:00582144 8B81B4000000   MOV EAX,[ECX+B4]
0167:0058214A 8D4011         LEA EAX,[EAX+11]
0167:0058214D 894110         MOV [ECX+10],EAX
0167:00582150 33C0           XOR EAX,EAX
0167:00582152 816114F00FFFFF AND DWORD [ECX+14],FFFF0FF0
0167:00582159 C7411855010000 MOV DWORD [ECX+18],0155
0167:00582160 C3             RET
0167:00582161 2C04           SUB AL,04
0167:00582163 888599000000   MOV [EBP+99],AL
0167:00582169 8B95CF1B0000   MOV EDX,[EBP+1BCF]
0167:0058216F 81E20000FFFF   AND EDX,FFFF0000
0167:00582175 8BC4           MOV EAX,ESP
0167:00582177 33E4           XOR ESP,ESP
0167:00582179 8BE0           MOV ESP,EAX
0167:0058217B 66813A4D5A     CMP WORD [EDX],5A4D
0167:00582180 7408           JZ 0058218A
If that feels tedious, skip the INT3 at 58208C and break at 5820C5. Once it breaks, F8 your way to 582160 (go no further), stop, set a breakpoint with bpx 5820BA and press F5; you stop at 5820BA. When you reach 582161, quickly set AL to 4, and this hurdle is behind you. There is plenty more anti-debug below, mostly in the form of
INT1, DIV EBX, INC [ESI], PUSHF and so on. Annoying, but with a little care you get through all of it.
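To make the handler in listing (3) easier to follow, here is a model of it in Python. It is an added example, not code from the original article or from tElock. ECX holds the CONTEXT pointer and EAX the EXCEPTION_RECORD pointer (the standard SEH handler arguments), so the [ECX+..] offsets map onto named x86 CONTEXT fields: 04..10 are Dr0..Dr3, 14 is Dr6, 18 is Dr7, B4 is Ebp and B8 is Eip. The listing at 00582113 is desynchronized after the CALL; read from 00582119 the bytes decode to POP EAX / INC BYTE [EAX] / SUB EAX,EAX / JMP SHORT 00582160, which is what the single-step branch below implements. The model then runs the exception sequence the junk code generates: INT3 arms four execute breakpoints, each raises one single-step exception that bumps the byte at [EBP+99], and the DIV EBX by zero disarms them again, so the counter read at 005820BA ends at 4. The "debugger that swallows single-step exceptions" switch is an assumption added for illustration.

```python
"""Model of the tElock exception handler at 005820C5 in listing (3).

Added example, not code from the original article or from tElock. The
[ECX+..] offsets are fields of the x86 CONTEXT structure and the exception
codes are the standard Windows NTSTATUS values; the counter address is
derived from EBP = 0058207F, which the CALL/POP pair at 0058207A produces.
"""

# Exception codes the handler compares against
EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094
EXCEPTION_SINGLE_STEP = 0x80000004
EXCEPTION_BREAKPOINT = 0x80000003

# SEH handler return values (the EAX the RET at 00582160 hands back)
EXCEPTION_CONTINUE_EXECUTION = 0
EXCEPTION_CONTINUE_SEARCH = 1

HANDLER_BASE = 0x0058207F           # EBP after POP EBP at 0058207F
COUNTER_ADDR = HANDLER_BASE + 0x99  # byte read by MOV AL,[EBP+99] at 005820BA
DEBUG_REGS = ("Dr0", "Dr1", "Dr2", "Dr3")  # CONTEXT offsets 04, 08, 0C, 10


def handle_exception(code, ctx, memory):
    """Re-implement the handler body; returns its EAX and mutates ctx/memory.

    ctx    -- dict standing in for the CONTEXT record ([ECX+..] in the listing)
    memory -- dict address -> byte standing in for the process image
    """
    ctx["Eip"] += 1                    # INC DWORD [ECX+B8]: skip one byte at the fault
    if code == EXCEPTION_INT_DIVIDE_BY_ZERO:
        ctx["Eip"] += 1                # second INC: DIV EBX is two bytes, land on 005820A9
        for reg in DEBUG_REGS:
            ctx[reg] = 0               # AND [ECX+04..10],EAX with EAX = 0: disarm breakpoints
        ctx["Dr6"] &= 0xFFFF0FF0       # clear B0..B3 and BD/BS/BT status bits
        ctx["Dr7"] &= 0x0000DC00       # clear every enable bit and RW/LEN field
        return EXCEPTION_CONTINUE_EXECUTION
    if code == EXCEPTION_SINGLE_STEP:
        # CALL 00582119 / POP EAX / INC BYTE [EAX]: the byte at 00582118 (= [EBP+99])
        # is incremented, then SUB EAX,EAX and JMP SHORT 00582160 return 0
        memory[COUNTER_ADDR] = (memory.get(COUNTER_ADDR, 0) + 1) & 0xFF
        return EXCEPTION_CONTINUE_EXECUTION
    if code == EXCEPTION_BREAKPOINT:
        # Arm execute breakpoints on four one-byte instructions of the junk code
        for reg, off in zip(DEBUG_REGS, (0x24, 0x1F, 0x1A, 0x11)):
            ctx[reg] = ctx["Ebp"] + off
        ctx["Dr6"] &= 0xFFFF0FF0
        ctx["Dr7"] = 0x155             # L0..L3 + LE set, RW/LEN = 0 (break on execute)
        return EXCEPTION_CONTINUE_EXECUTION
    return EXCEPTION_CONTINUE_SEARCH   # PUSH BYTE +01 / POP EAX: not ours, pass it on


def run_check(debugger_swallows_single_steps=False):
    """Drive the handler through the exception sequence the junk code produces.

    Returns AL as it is after SUB AL,04 at 00582161, together with the final
    CONTEXT and the armed addresses. With no interference the four breakpoints
    each raise one single-step exception, the counter reaches 4 and AL ends at 0.
    The flag models a debugger that keeps single-step exceptions for itself
    (an assumption for illustration), which leaves the counter at 0.
    """
    ctx = {reg: 0 for reg in DEBUG_REGS}
    ctx.update(Dr6=0, Dr7=0, Ebp=HANDLER_BASE, Eip=HANDLER_BASE + 0x0D)  # INT3 at 0058208C
    memory = {COUNTER_ADDR: 0}

    handle_exception(EXCEPTION_BREAKPOINT, ctx, memory)
    armed = sorted(ctx[reg] for reg in DEBUG_REGS)
    for addr in armed:                 # execution walks STC, CLC, CLD, NOP in turn
        if not debugger_swallows_single_steps:
            ctx["Eip"] = addr
            handle_exception(EXCEPTION_SINGLE_STEP, ctx, memory)
    ctx["Eip"] = HANDLER_BASE + 0x28   # DIV EBX at 005820A7 with EBX = 0
    handle_exception(EXCEPTION_INT_DIVIDE_BY_ZERO, ctx, memory)

    al = (memory[COUNTER_ADDR] - 4) & 0xFF  # MOV AL,[EBP+99] ; SUB AL,04
    return {"al": al, "ctx": ctx, "armed": armed}


if __name__ == "__main__":
    clean = run_check()
    print("armed:", [hex(a) for a in clean["armed"]], "AL:", clean["al"])
    print("with swallowed single-steps, AL:", run_check(True)["al"])
```

The armed addresses come out as 582090, 582099, 58209E and 5820A3, which are the STC, CLC, CLD and NOP in the junk sequence, so the extra INC of Eip in the handler skips exactly one harmless byte each time. Anything that disturbs the exception flow, such as a debugger keeping the hardware-breakpoint hits or the divide fault for itself, leaves the counter short and AL non-zero, which is the condition the packer later acts on.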
When you reach code like CALL 583145, pause; to save effort, set a breakpoint directly: bpx 583683. After F5 breaks there, you have to be careful again, as there is more anti-debug, the same old stuff. Once you are through those traps, the following is the finish line:
0167:005837AF INT 20
0167:005837B1 POPA
0167:005837B2 JMP NEAR [ESP-30]       <-- OEP = [ESP-30] = 535334
0167:005837B6 ADD BYTE [EAX],00
0167:005837B9 ADD [EAX],AL
0167:005837BB JMP SHORT 005837BE
0167:005837BD MOV EAX,6090C523
0167:005837C2 CALL 005837CD
0167:005837C7 MOV ESP,[ESP+08]
Once at 535334, dump with PEDump to get the unpacked file. One Auto Trace with ImportREC shows 138 functions that need fixing; if you have the patience, fix them one by one, otherwise think of something, there are tricks. For the details of repairing and rebuilding the import table, see the tutorials by the experts.
4) First disassemble the unpacked file with W32dasm. In the SDR (string data references) you can find " - Evaluation Copy". Double-clicking it
turns up many locations. Look at this one:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00525E08(C)
|
:00525E1D 803DA0A0530000          cmp byte ptr [0053A0A0], 00     // compare
:00525E24 7411                    je 00525E37                     <-- must not jump
* Possible StringData Ref from Code Obj ->"FlashFXP"
|
:00525E26 BAA0615200              mov edx, 005261A0
:00525E2B A120C05300              mov eax, dword ptr [0053C020]
:00525E30 E87F21F2FF              call 00447FB4
:00525E35 EB0F                    jmp 00525E46
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00525E24(C)
|
* Possible StringData Ref from Code Obj ->"FlashFXP - Evaluation Copy"
|
:00525E37 BAB4615200              mov edx, 005261B4
:00525E3C A120C05300              mov eax, dword ptr [0053C020]
:00525E41 E86E21F2FF              call 00447FB4
Clearly the value at memory address [0053A0A0] is closely tied to registration. Searching for the text
"cmp byte [00533ec0],00" turns up something like 48 places!!
5) OK, let's begin!
Run flashfxp.exe and the registration nag window appears! Enter a key for build 819.
After exiting, load it with TRW, set the breakpoint bpm 53A0A0 W, and F5 brings you to:
:0050C55F E82079EFFF              call 00403E84
:0050C564 83F811                  cmp eax, 00000011               <-- at this point eax = 11
:0050C567 0F9405A0A05300          sete byte ptr [0053A0A0]        <-- set to 1
:0050C56E 803DA0A0530000          cmp byte ptr [0053A0A0], 00     <-- cursor
:0050C575 0F849A020000            je 0050C815
:0050C57B A188C25300              mov eax, dword ptr [0053C288]
:0050C580 3DCE7F210B              cmp eax, 0B217FCE
:0050C585 0F8F53010000            jg 0050C6DE
......
Needless to say, there are booby traps further down; follow along and you arrive at:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0050C58B(C), :0050C59C(C), :0050C5A9(C), :0050C5B6(C), :0050C5C1(C)
|:0050C5CC(C), :0050C5D7(C), :0050C5E7(C), :0050C5F2(C), :0050C604(C)
|:0050C60F(C), :0050C61A(C), :0050C62A(C), :0050C635(C), :0050C647(C)
|:0050C654(C), :0050C65F(C), :0050C66A(C), :0050C675(C), :0050C685(C)
|:0050C690(C), :0050C6A2(C), :0050C6AD(C), :0050C6B8(C), :0050C6C8(C)
|:0050C6D3(C), :0050C6E9(C), :0050C6F6(C), :0050C703(C), :0050C70E(C)
|:0050C719(C), :0050C724(C), :0050C734(C), :0050C73F(C), :0050C751(C)
|:0050C758(C), :0050C75F(C), :0050C76B(C), :0050C772(C), :0050C780(C)
|:0050C789(C), :0050C790(C), :0050C797(C), :0050C7A0(C), :0050C7A7(C)
|:0050C7B2(C), :0050C7B9(C), :0050C7C0(C), :0050C7C9(C)
|
:0050C7D2 C605A0A0530000          mov byte ptr [0053A0A0], 00     <-- set to 0, so of course it is unregistered! ####
:0050C7D9 33C0                    xor eax, eax
:0050C7DB A334C05300              mov dword ptr [0053C034], eax
:0050C7E0 B828C05300              mov eax, 0053C028
:0050C7E5 8B15FCA55300            mov edx, dword ptr [0053A5FC]
....
So many jumps land on 0050C7D2; a real "hotspot". Let's patch it: change 0050C7D2 to jmp 0050C815, then continue:
:0050C815 A188C25300              mov eax, dword ptr [0053C288]
:0050C81A 33D2                    xor edx, edx
:0050C81C 52                      push edx
:0050C81D 50                      push eax
:0050C81E 8D45F0                  lea eax, dword ptr [ebp-10]
:0050C821 E8AAC6EFFF              call 00408ED0
:0050C826 8B4DF0                  mov ecx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"Main"
|
:0050C829 BA40CE5000              mov edx, 0050CE40
:0050C82E A17CC05300              mov eax, dword ptr [0053C07C]
:0050C833 E87CFDFAFF              call 004BC5B4                   --> step in
:0050C838 84C0                    test al, al                     <-- flag test
:0050C83A 7443                    je 0050C87F
:0050C83C C605A0A0530000          mov byte ptr [0053A0A0], 00     <-- note this
...
call 004BC5B4 --> after stepping in you arrive at:
* Possible StringData Ref from Code Obj ->""
|
:004BC5EE BA2CC64B00              mov edx, 004BC62C
:004BC5F3 E89C79F4FF              call 00403F94
:004BC5F8 0F95C0                  setne al                        <-- sets the flag #####
:004BC5FB 8BD8                    mov ebx, eax
:004BC5FD 33C0                    xor eax, eax
:004BC5FF 5A                      pop edx
:004BC600 59                      pop ecx
:004BC601 59                      pop ecx
:004BC602 648910                  mov dword ptr fs:[eax], edx
:004BC605 681AC64B00              push 004BC61A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BC618(U)
|
:004BC60A 8D45FC                  lea eax, dword ptr [ebp-04]
:004BC60D E8F675F4FF              call 00403C08
:004BC612 C3                      ret
At the flag-setting instruction, patch in mov al,0 and continue to:
:0050CA82 A354C25300              mov dword ptr [0053C254], eax
:0050CA87 8B45FC                  mov eax, dword ptr [ebp-04]
:0050CA8A E845810200              call 00534BD4                   --> step in
:0050CA8F 84C0                    test al, al                     <-- flag test
:0050CA91 7443                    je 0050CAD6
:0050CA93 C605A0A0530000          mov byte ptr [0053A0A0], 00     <-- note this
:0050CA9A 33C0                    xor eax, eax
...
call 00534BD4 --> after stepping in you arrive at:
:00534C5D 8B55F4                  mov edx, dword ptr [ebp-0C]
:00534C60 8B45F8                  mov eax, dword ptr [ebp-08]
:00534C63 E8F0CEF2FF              call 00461B58
:00534C68 84C0                    test al, al                     <-- flag test #####
:00534C6A 7504                    jne 00534C70                    <-- must not jump here!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534C4A(C)
|
:00534C6C 33C0                    xor eax, eax
:00534C6E EB02                    jmp 00534C72
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00534C6A(C)
|
:00534C70 B001                    mov al, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
......
Patch at 00534C68: xor al,al
Then BD* to disable all breakpoints, F5... and registration succeeds!
6) What about replacing the name in the key with your own?? (^_^ after all, I want it registered to me.)
OK, delete the original key file, run flashfxp.exe, and the registration nag window appears! Enter the build 819 key,
changing the name to your own. Once filled in, OK, the program exits. Reload flashfxp.exe with TRW, set bpm 53A0A0 W,
and after F5 you arrive at:
:0050C550 E8A3CAEFFF              call 00408FF8
:0050C555 A388C25300              mov dword ptr [0053C288], eax
:0050C55A A128C05300              mov eax, dword ptr [0053C028]
:0050C55F E82079EFFF              call 00403E84
:0050C564 83F811                  cmp eax, 00000011               <-- here eax = 0 ###
:0050C567 0F9405A0A05300          sete byte ptr [0053A0A0]        <-- registration flag
:0050C56E 803DA0A0530000          cmp byte ptr [0053A0A0], 00     <-- cursor
:0050C575 0F849A020000            je 0050C815
:0050C57B A188C25300              mov eax, dword ptr [0053C288]
:0050C580 3DCE7F210B              cmp eax, 0B217FCE
:0050C585 0F8F53010000            jg 0050C6DE
:0050C58B 0F8441020000            je 0050C7D2
:0050C591 3D125EF9C9              cmp eax, C9F95E12
:0050C596 0F8FA4000000            jg 0050C640
:0050C59C 0F8430020000            je 0050C7D2
:0050C5A2 3DAB90A0A2              cmp eax, A2A090AB
:0050C5A7 7F54                    jg 0050C5FD
:0050C5A9 0F8423020000            je 0050C7D2
........ the checks that follow go on for a long time ......
In any case [0053A0A0] has to end up 1, and you clever reader already know where to patch. I patched at 50C564: xor eax,eax
Then BD*, F5, and ha, the registration nag window is gone, the "-Evaluation Copy" text is gone too, click Help->About
and it is actually registered to you! Don't celebrate too soon; look at the error window in the lower right:
---
DEBUG VERSION
An internal error has occurred.
Access violation at address 0051293D in module 'FLASHFXP823.EXE'. Read of address FFFFFFFF
---
Then click through each menu item and try its functions online, watching its error window: there really are quite a few errors! As you test, note
down the faulting addresses. (It really is a debug build, no mistake about it.) Open W32dasm, look up each faulting address, find the conditional jump above it
and change it to jmp, until the Error/Transfer window shows no more errors. About ten or so jumps need changing.
Also, when the program hits an error it logs to errorlog.txt and debug.log in its own directory, so you can debug from those;
it only takes patience. Repeat until you are satisfied.
7) Done? No, there is one more thing to test: expiry. Set the clock forward two years and run the program again. The registration window is back!!
OK, set the breakpoint bpm 53A0A0 W again,
and you arrive at:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005035AD(C)
|
:005035C6 8B45E8                  mov eax, dword ptr [ebp-18]
:005035C9 A394C05300              mov dword ptr [0053C094], eax
:005035CE 837DE820                cmp dword ptr [ebp-18], 00000020   <-- compares the number of days used
:005035D2 7C2E                    jl 00503602                        <-- not expired, so it jumps away!
:005035D4 A128C05300              mov eax, dword ptr [0053C028]
:005035D9 E8A608F0FF              call 00403E84
:005035DE 83F811                  cmp eax, 00000011
Ha, you know how to patch that now! OK, time to wrap up!!!
8) Summary: after finishing this thing my head is spinning. I hope the experts will come up with smarter methods so I can learn from them too.
Finally, a happy New Year to everyone!
Author: moonlite[bcg][fcg] Edea
22:31 01-12-26