Dreamlike OllyDbg: A Brief Look at the Anti-Tracing and Unpacking of ACProtect V1.09 Pro
ACProtect download: http://www.ultraprotect.com acpro_up.exe
Size: 1.44 MB
【Software description】: ACProtect is an application that allows you to protect Windows executable files against piracy, using public key encryption algorithms (RSA) to create and verify the registration keys and to unlock some RSA-key-locked code. It has an embedded cryptor against dumping and unpacking, and it also has many anti-debug tricks. You can also use it to create evaluation and trial application versions. With its specialized API system, mutual communication between the loader and the application can also be achieved.
【Author's note】: I am a beginner at cracking; I do this purely out of interest and for no other purpose. Please point out my mistakes!
【Debugging environment】: WinXP, modified OllyDbg 1.09D, LordPE, ImportREC
―――――――――――――――――――――――――――――――――
【Process】:
My test subject: a small program packed with the unregistered version of ACProtect V1.09 Pro. It is attached to this post.
First, a solemn declaration: I am only a rookie who has just started learning to unpack, so there are surely plenty of mistakes; I ask everyone to criticize and advise, and I will listen attentively. The notes below are just what I recorded while tracing this test subject and do not apply to the ACProtect main program; I have not looked at other programs packed with the registered version of ACProtect, so I cannot say.
The so-called "Dreamlike OllyDbg" in the title merely imitates unpacking master 123112's "妖幻TRW and videofixer的脫殼方法之我之拙見" (My humble view on unpacking the demonic TRW and videofixer), because my modified OllyDbg can evade ACProtect's anti-tracing and will not be closed automatically by ACProtect. It is a bit of grandstanding, nothing more.
"Serious" :-) thanks to brother jingulong for his repeated pointers! Without his guidance I still would not have found a way in; jingulong really is an unpacking master who hides his skills. Much respect!
Because ACProtect is fairly new, none of the packer-identification tools recognize it. Programs packed with ACProtect generally have a ".perplex" section, and some drop a perplex.dll file into the temp folder when run, e.g. videofixer.exe; on Win XP it goes under Documents and Settings\<username>\Local Settings\Temp. Of course, loading it into a debugger and tracing the key code still gives the clearest picture.
―――――――――――――――――――――――――――――――――
I. Anti-tracing
Compared with 幻影 (Phantom), ACProtect's anti-tracing is rather "considerate" toward crackers :-) Author, please don't be angry; it is actually done very well already.
I roughly sorted the checks into 5 categories; additions from friends are welcome! Analysing this much took me about two weeks of debugging; I am rather slow. :-(
1. Calling CreateFileA to detect various cracking tools, i.e. the "MeltICE" type described in 《加密與解密》 (Encryption and Decryption)
If a "banned" product is found, its process is killed with TerminateProcess. Unpacking master 123112 has already explained this very clearly.
0040A46E 56 push esi
0040A46F 50 push eax
0040A470 8B85 0D454000 mov eax,dword ptr ss:[ebp+40450D]
0040A476 8038 CC cmp byte ptr ds:[eax],0CC
0040A479 74 10 je short 試煉ACP.0040A48B
0040A47B 90 nop
0040A47C 90 nop
0040A47D 90 nop
0040A47E 90 nop
0040A47F 58 pop eax
0040A480 FF95 0D454000 call dword ptr ss:[ebp+40450D] ; kernel32.CreateFileA
0040A609 58 pop eax
0040A60A 46 inc esi
0040A60B 803E 00 cmp byte ptr ds:[esi],0
0040A60E 75 FA jnz short 試煉ACP.0040A60A
0040A610 46 inc esi
0040A611 803E 00 cmp byte ptr ds:[esi],0
0040A614 0F84 66010000 je 試煉ACP.0040A780
0040A61A E9 3DFEFFFF jmp 試煉ACP.0040A45C
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
"Listed" products: :-)
0040A6C5 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49 \.SICE.\.NTI
0040A6D5 43 45 00 5C 5C 2E 5C 4E 54 49 43 45 37 38 37 31 CE.\.NTICE7871
0040A6E5 00 5C 5C 2E 5C 4E 54 49 43 45 44 30 35 32 00 5C .\.NTICED052.
0040A6F5 5C 2E 5C 54 52 57 44 45 42 55 47 00 5C 5C 2E 5C .TRWDEBUG.\.
0040A705 54 52 57 00 5C 5C 2E 5C 54 52 57 32 30 30 30 00 TRW.\.TRW2000.
0040A715 5C 5C 2E 5C 53 55 50 45 52 42 50 4D 00 5C 5C 2E \.SUPERBPM.\.
0040A725 5C 49 43 45 44 55 4D 50 00 5C 5C 2E 5C 52 45 47 ICEDUMP.\.REG
0040A735 4D 4F 4E 00 5C 5C 2E 5C 46 49 4C 45 4D 4F 4E 00 MON.\.FILEMON.
0040A745 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E 5C 46 \.REGVXD.\.F
0040A755 49 4C 45 56 58 44 00 5C 5C 2E 5C 56 4B 45 59 50 ILEVXD.\.VKEYP
0040A765 52 4F 44 00 5C 5C 2E 5C 42 57 32 4B 00 5C 5C 2E ROD.\.BW2K.\.
0040A775 5C 53 49 57 44 45 42 55 47 00 00 60 E8 00 00 00 SIWDEBUG..`....
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
^O^ ^O^ → Countermeasure: patch the jump, or use 娃娃's modified TRW, or use OllyDbg, or otherwise "take care" of your SoftICE yourself.
――――――――――――――――――――――――
2. Detecting API breakpoints
It checks whether the first byte at each key API's entry is INT 3 (0xCC); if so, it is over.
00408DF6 53 push ebx
00408DF7 50 push eax
00408DF8 52 push edx
00408DF9 03C5 add eax,ebp
00408DFB 50 push eax
00408DFC 53 push ebx
00408DFD 50 push eax
00408DFE 8B85 68C24100 mov eax,dword ptr ss:[ebp+41C268]
00408E04 8038 CC cmp byte ptr ds:[eax],0CC
====> compares whether the first byte is CC; if so, a BPX breakpoint has been set
00408E07 74 10 je short 試煉ACP.00408E19
00408E09 90 nop
00408E0A 90 nop
00408E0B 90 nop
00408E0C 90 nop
00408E0D 58 pop eax
00408E0E FF95 68C24100 call dword ptr ss:[ebp+41C268]
00408E14 E9 AD000000 jmp 試煉ACP.00408EC6
Each of the CALLs below checks one key API, and this style of check appears in many other places as well.
0040C091 B8 72434000 mov eax,試煉ACP.00404372
0040C096 BA E1444000 mov edx,試煉ACP.004044E1
0040C09B E8 56CDFFFF call 試煉ACP.00408DF6
0040C0A0 B8 7E434000 mov eax,試煉ACP.0040437E
0040C0A5 BA E5444000 mov edx,試煉ACP.004044E5
0040C0AA E8 47CDFFFF call 試煉ACP.00408DF6
0040C0AF B8 89434000 mov eax,試煉ACP.00404389
0040C0B4 BA F9444000 mov edx,試煉ACP.004044F9
0040C0B9 E8 38CDFFFF call 試煉ACP.00408DF6
0040C0BE B8 9D434000 mov eax,試煉ACP.0040439D
0040C0C3 BA FD444000 mov edx,試煉ACP.004044FD
0040C0C8 E8 29CDFFFF call 試煉ACP.00408DF6
0040C0CD B8 B6434000 mov eax,試煉ACP.004043B6
0040C0D2 BA 01454000 mov edx,試煉ACP.00404501
0040C0D7 E8 1ACDFFFF call 試煉ACP.00408DF6
0040C0DC B8 C5434000 mov eax,試煉ACP.004043C5
0040C0E1 BA 05454000 mov edx,試煉ACP.00404505
0040C0E6 E8 0BCDFFFF call 試煉ACP.00408DF6
0040C0EB B8 D3434000 mov eax,試煉ACP.004043D3
0040C0F0 BA 09454000 mov edx,試煉ACP.00404509
0040C0F5 E8 FCCCFFFF call 試煉ACP.00408DF6
0040C0FA B8 DF434000 mov eax,試煉ACP.004043DF
0040C0FF BA 0D454000 mov edx,試煉ACP.0040450D
0040C104 E8 EDCCFFFF call 試煉ACP.00408DF6
0040C109 B8 EB434000 mov eax,試煉ACP.004043EB
0040C10E BA 11454000 mov edx,試煉ACP.00404511
0040C113 E8 DECCFFFF call 試煉ACP.00408DF6
0040C118 B8 FC434000 mov eax,試煉ACP.004043FC
0040C11D BA 29454000 mov edx,試煉ACP.00404529
0040C122 E8 CFCCFFFF call 試煉ACP.00408DF6
0040C127 B8 0E444000 mov eax,試煉ACP.0040440E
0040C12C BA 2D454000 mov edx,試煉ACP.0040452D
0040C131 E8 C0CCFFFF call 試煉ACP.00408DF6
0040C136 B8 1A444000 mov eax,試煉ACP.0040441A
0040C13B BA 31454000 mov edx,試煉ACP.00404531
0040C140 E8 B1CCFFFF call 試煉ACP.00408DF6
0040C145 B8 23444000 mov eax,試煉ACP.00404423
0040C14A BA 35454000 mov edx,試煉ACP.00404535
0040C14F E8 A2CCFFFF call 試煉ACP.00408DF6
0040C154 B8 2D444000 mov eax,試煉ACP.0040442D
0040C159 BA 39454000 mov edx,試煉ACP.00404539
0040C15E E8 93CCFFFF call 試煉ACP.00408DF6
0040C163 B8 39444000 mov eax,試煉ACP.00404439
0040C168 BA 3D454000 mov edx,試煉ACP.0040453D
0040C16D E8 84CCFFFF call 試煉ACP.00408DF6
0040C172 B8 46444000 mov eax,試煉ACP.00404446
0040C177 BA 41454000 mov edx,試煉ACP.00404541
0040C17C E8 75CCFFFF call 試煉ACP.00408DF6
0040C181 B8 5F444000 mov eax,試煉ACP.0040445F
0040C186 BA 49454000 mov edx,試煉ACP.00404549
0040C18B E8 66CCFFFF call 試煉ACP.00408DF6
0040C190 B8 70444000 mov eax,試煉ACP.00404470
0040C195 BA 4D454000 mov edx,試煉ACP.0040454D
0040C19A E8 57CCFFFF call 試煉ACP.00408DF6
0040C19F B8 81444000 mov eax,試煉ACP.00404481
0040C1A4 BA 51454000 mov edx,試煉ACP.00404551
0040C1A9 E8 48CCFFFF call 試煉ACP.00408DF6
0040C1AE B8 81454000 mov eax,試煉ACP.00404581
0040C1B3 BA 7D454000 mov edx,試煉ACP.0040457D
0040C1B8 E8 39CCFFFF call 試煉ACP.00408DF6
0040C1BD 83BD F1204000 00 cmp dword ptr ss:[ebp+4020F1],0
====> [ebp+4020F1] should be 0
0040C1C4 74 24 je short 試煉ACP.0040C1EA
…… …… omitted …… ……
0040C396 B8 9D444000 mov eax,試煉ACP.0040449D
0040C39B BA E9444000 mov edx,試煉ACP.004044E9
0040C3A0 E8 51CAFFFF call 試煉ACP.00408DF6
0040C3A5 B8 A9444000 mov eax,試煉ACP.004044A9
0040C3AA BA ED444000 mov edx,試煉ACP.004044ED
0040C3AF E8 42CAFFFF call 試煉ACP.00408DF6
0040C3B4 B8 B8444000 mov eax,試煉ACP.004044B8
0040C3B9 BA F1444000 mov edx,試煉ACP.004044F1
0040C3BE E8 33CAFFFF call 試煉ACP.00408DF6
0040C3C3 B8 C6444000 mov eax,試煉ACP.004044C6
0040C3C8 BA F5444000 mov edx,試煉ACP.004044F5
0040C3CD E8 24CAFFFF call 試煉ACP.00408DF6
0040C3D2 C3 retn
^O^ ^O^ → Countermeasure: set breakpoints such as BP GetProcAddress+1 to avoid the check of the first byte!
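As an added example (not code from the original post), a small Python scanner for the breakpoint-check stub that the listings in sections 1 and 2 repeat: `mov eax,[ebp+disp32]` / `cmp byte ptr [eax],0CC` / `je short` / four NOPs. The two embedded samples are the bytes of the listings above; it reports which API slot each check reads and where the `je` goes, which is what an analyst needs to count and patch these checks. It matches the byte pattern only, so a hit elsewhere is a lead, not proof.

```python
# Added example, not code from the original post: scan a code buffer for the
# breakpoint-check stub that ACProtect repeats in sections 1 and 2 above:
#   8B 85 dd dd dd dd   mov eax,dword ptr [ebp+disp32]  ; slot holding an API address
#   80 38 CC            cmp byte ptr [eax],0CC          ; first byte of the API == INT3?
#   74 rr               je short <kill path>
#   90 90 90 90         nop x4
import re
from typing import List, NamedTuple, Optional


class Int3Check(NamedTuple):
    cmp_addr: int             # address of the `cmp byte ptr [eax],0CC`
    slot_disp: Optional[int]  # disp32 of the preceding mov eax,[ebp+disp32], if present
    je_target: int            # where `je short` goes when a breakpoint is found


# Byte pattern of cmp / je short / four NOPs; the je displacement is captured.
STUB = re.compile(rb"\x80\x38\xCC\x74(.)\x90\x90\x90\x90", re.DOTALL)


def find_int3_checks(code: bytes, base: int) -> List[Int3Check]:
    """Return every stub found in `code`, which is loaded at virtual address `base`."""
    hits = []
    for m in STUB.finditer(code):
        off = m.start()
        rel8 = int.from_bytes(m.group(1), "little", signed=True)
        # cmp is 3 bytes and je short is 2, so the je's next instruction is at off+5
        je_target = base + off + 5 + rel8
        slot = None
        if off >= 6 and code[off - 6:off - 4] == b"\x8B\x85":
            slot = int.from_bytes(code[off - 4:off], "little")
        hits.append(Int3Check(base + off, slot, je_target))
    return hits


# Constructed samples: the bytes of the two listings in the post, at 00408DF6
# (section 2, slot [ebp+41C268]) and at 0040A470 (section 1, slot [ebp+40450D]).
SAMPLE_SECTION2 = bytes.fromhex(
    "53 50 52 03C5 50 53 50 8B85 68C24100 8038CC 7410 90909090 58 FF95 68C24100 E9 AD000000"
)
SAMPLE_SECTION1 = bytes.fromhex("8B85 0D454000 8038CC 7410 90909090 58 FF95 0D454000")


if __name__ == "__main__":
    for base, code in ((0x00408DF6, SAMPLE_SECTION2), (0x0040A470, SAMPLE_SECTION1)):
        for hit in find_int3_checks(code, base):
            slot = f"[ebp+{hit.slot_disp:X}]" if hit.slot_disp is not None else "?"
            print(f"check at {hit.cmp_addr:08X}: slot {slot}, je -> {hit.je_target:08X}")
```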
――――――――――――――――――――――――
3. Calling IsDebuggerPresent to detect debuggers that trace the program via the Debug API
0040B88B FF95 29454000 call dword ptr ss:[ebp+404529]
0040B891 0BC0 or eax,eax
0040B893 0F84 B4000000 je 試煉ACP.0040B94D
77E52E92 64:A1 18000000 mov eax,dword ptr fs:[18]
77E52E98 8B40 30 mov eax,dword ptr ds:[eax+30]
77E52E9B 0FB640 02 movzx eax,byte ptr ds:[eax+2]
====> or change the return value here to 0
77E52E9F C3 retn
^O^ ^O^ → Countermeasure: the easiest is to use OllyDbg's IsDebug plugin to clear the debugger flag.
――――――――――――――――――――――――
4. Blacklist
0040A100 FF95 01454000 call dword ptr ss:[ebp+404501] ; kernel32.Process32First
…… …… omitted …… ……
0040A14D 47 inc edi
0040A14E 8BF0 mov esi,eax
0040A150 E8 01F1FFFF call 試煉ACP.00409256
====> inside, compares byte by byte whether a blacklist member is present: 0040928E cmp dh,dl
0040A155 80FE 01 cmp dh,1
0040A158 74 1C je short 試煉ACP.0040A176
0040A15A 90 nop
0040A15B 90 nop
0040A15C 90 nop
0040A15D 90 nop
0040A15E EB D7 jmp short 試煉ACP.0040A137
0040A160 B8 3D424000 mov eax,試煉ACP.0040423D
0040A165 03C5 add eax,ebp
0040A167 50 push eax
0040A168 FFB5 39424000 push dword ptr ss:[ebp+404239]
0040A16E FF95 05454000 call dword ptr ss:[ebp+404505] ; kernel32.Process32Next
0040A174 EB 90 jmp short 試煉ACP.0040A106
====> loops fetching process names
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Blacklist: the author was very "thorough"; are there any "fish that slipped through the net"? :-)
004092A1 45 58 45 53 50 59 00 57 58 52 39 35 00 52 45 47 EXESPY.WXR95.REG
004092B1 4D 4F 4E 00 46 49 4C 45 20 4D 4F 4E 49 54 4F 52 MON.FILE MONITOR
004092C1 00 52 45 47 4D 4F 4E 45 58 00 57 49 4E 44 4F 57 .REGMONEX.WINDOW
004092D1 20 44 45 54 45 43 54 49 56 45 00 44 45 42 55 47 DETECTIVE.DEBUG
004092E1 56 49 45 57 00 52 45 53 53 50 59 00 41 44 56 41 VIEW.RESSPY.ADVA
004092F1 4E 43 45 44 20 52 45 47 49 53 54 52 59 20 54 52 NCED REGISTRY TR
00409301 41 43 45 52 00 52 45 47 53 4E 41 50 00 4D 45 4D ACER.REGSNAP.MEM
00409311 53 50 59 00 4D 45 4D 4F 52 59 20 44 4F 43 54 4F SPY.MEMORY DOCTO
00409321 52 00 50 52 4F 43 44 55 4D 50 33 32 00 4D 45 4D R.PROCDUMP32.MEM
00409331 4F 52 59 20 45 44 49 54 4F 52 00 46 52 4F 47 53 ORY EDITOR.FROGS
00409341 49 43 45 00 53 4D 55 20 57 49 4E 53 50 45 43 54 ICE.SMU WINSPECT
00409351 4F 52 00 4D 45 4D 4F 52 59 20 44 55 4D 50 45 52 OR.MEMORY DUMPER
00409361 00 4D 45 4D 4F 52 59 4D 4F 4E 49 54 4F 52 00 4E .MEMORYMONITOR.N
00409371 55 4D 45 47 41 20 53 4F 46 54 49 43 45 20 4C 4F UMEGA SOFTICE LO
00409381 41 44 45 52 00 55 52 53 4F 46 54 20 57 33 32 44 ADER.URSOFT W32D
00409391 41 53 4D 00 2D 3D 43 48 49 4E 41 20 43 52 41 43 ASM.-=CHINA CRAC
004093A1 4B 49 4E 47 20 47 52 4F 55 50 3D 2D 00 4F 6C 6C KING GROUP=-.Oll
004093B1 79 44 62 67 00 54 52 57 32 30 30 30 00 4F 4C 4C yDbg.TRW2000.OLL
004093C1 59 44 42 47 00 00 00 00 00 00 00 00 00 00 00 00 YDBG............
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
^O^ ^O^ → Countermeasure: patch the jump, change the blacklist, or trace with my modified OllyDbg.
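As an added example (not code from the original post), a Python helper that turns OllyDbg-style dump lines like the two name tables in sections 1 and 4 back into bytes and recovers the NUL-separated strings with their addresses; the embedded sample is the first five lines of the section 1 dump. This is how an analyst lifts a packer's device-name or process-name list out of a dump without retyping it.

```python
# Added example, not code from the original post: turn OllyDbg-style dump lines
# (address, 16 hex bytes, ASCII column) back into bytes and recover the
# NUL-separated name tables that sections 1 and 4 above show as hex dumps.
import re
from typing import List, Tuple

# One dump line: 8-digit address, exactly 16 hex bytes, then an ASCII column
# that is ignored (it may contain spaces and hex-looking characters).
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){16})")

# Constructed sample: the first five lines of the CreateFileA device-name dump
# in section 1, copied as they appear in the post.
SAMPLE_DUMP = r"""
0040A6C5 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49 \.SICE.\.NTI
0040A6D5 43 45 00 5C 5C 2E 5C 4E 54 49 43 45 37 38 37 31 CE.\.NTICE7871
0040A6E5 00 5C 5C 2E 5C 4E 54 49 43 45 44 30 35 32 00 5C .\.NTICED052.
0040A6F5 5C 2E 5C 54 52 57 44 45 42 55 47 00 5C 5C 2E 5C .TRWDEBUG.\.
0040A705 54 52 57 00 5C 5C 2E 5C 54 52 57 32 30 30 30 00 TRW.\.TRW2000.
"""


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Return (start address, bytes) for a block of contiguous dump lines."""
    start, buf = None, bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue                      # blank line or non-dump text
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != start + len(buf):    # catch a line skipped while copying
            raise ValueError(f"dump not contiguous at {addr:08X}")
        buf += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(buf)


def extract_strings(start: int, blob: bytes, min_len: int = 3) -> List[Tuple[int, str]]:
    """Split on NUL, the separator the packer's `inc esi / cmp byte ptr [esi],0`
    loop walks, and return (address, text) for each printable-ASCII entry."""
    out, pos = [], 0
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append((start + pos, chunk.decode("ascii")))
        pos += len(chunk) + 1             # skip the chunk and its NUL
    return out


if __name__ == "__main__":
    base, data = parse_dump(SAMPLE_DUMP)
    for addr, name in extract_strings(base, data):
        print(f"{addr:08X}  {name}")
```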
――――――――――――――――――――――――
5. Checking the packed program's parent process name
Now I feel ACProtect's anti-tracing is relatively "gentle": it just quietly closes you with TerminateProcess instead of a heart-stopping blue screen crash! Thanks, author :-) Only this "check of the packed program's parent process name" is rather novel, and it can leave an ordinarily modified OllyDbg with no escape!
004097B9 FF95 01454000 call dword ptr ss:[ebp+404501] ; kernel32.Process32First
004097BF E9 AD000000 jmp 試煉ACP.00409871
00409871 0BC0 or eax,eax
00409873 0F84 A7050000 je 試煉ACP.00409E20
00409879 8B95 45424000 mov edx,dword ptr ss:[ebp+404245]
0040987F 3B95 31424000 cmp edx,dword ptr ss:[ebp+404231]
====> compares its own process ID, then takes its parent process ID
…… …… omitted …… ……
00409CE7 8DB5 61424000 lea esi,dword ptr ss:[ebp+404261]
00409CED E8 E7F0FFFF call 試煉ACP.00408DD9
====> converts its parent process name to uppercase
00409CF2 803E 00 cmp byte ptr ds:[esi],0
00409CF5 74 07 je short 試煉ACP.00409CFE
00409D35 5E pop esi
00409D36 8BFE mov edi,esi
00409D38 83EF 07 sub edi,7
00409D3B 813F 434D442E cmp dword ptr ds:[edi],2E444D43
====> ①: checks whether the part before EXE is CMD.
00409D41 0F84 D9000000 je 試煉ACP.00409E20
====> the jump can be forced
00409D47 83EE 0C sub esi, 0C
00409D4A AD lods dword ptr ds:[esi]
00409D4B 0306 add eax, dword ptr ds:[esi]
00409D4D 0346 04 add eax, dword ptr ds:[esi+4]
00409D50 8BD8 mov ebx, eax
00409D52 8DB5 AF554000 lea esi, dword ptr ss:[ebp+4055AF]
00409D58 AD lods dword ptr ds:[esi]
00409D59 0BC0 or eax, eax
00409D5B 74 0E je short 試煉ACP.00409D6B
00409D5D 90 nop
00409D5E 90 nop
00409D5F 90 nop
00409D60 90 nop
00409D61 2BC3 sub eax, ebx
====> ②: EAX must be 0 here
00409D63 0F84 B7000000 je 試煉ACP.00409E20
====> if it does not jump, you get KILLed! :-(
00409D69 EB ED jmp short 試煉ACP.00409D58
00409E1A FF95 11454000 call dword ptr ss:[ebp+404511] ; kernel32.TerminateProcess
====> heh, it closes you very carefully! Go and have a rest :-)
^O^ ^O^ → Countermeasure: patch the jumps above to avoid being killed, or trace with my modified OllyDbg.
Without brother jingulong's guidance I might still not have found this place, and there would be no such notes. Thanks again!
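As an added example (not code from the original post), the two parent-name tests of section 5 re-expressed in Python so the arithmetic behind "EAX must be 0 here" is explicit: ① the `CMD.` comparison seven bytes before the end of the upper-cased name, and ② the sum of the three dwords covering its last 12 bytes, looked up in the table at [ebp+4055AF]. The table's real contents are not in the post, so `ALLOWED_SUMS` below is an assumption built from EXPLORER.EXE, and how the packer treats names shorter than 12 bytes is likewise assumed.

```python
# Added example, not code from the original post: the parent-process-name test
# of section 5 re-expressed in Python, so that "EAX must be 0 here" is explicit.
#   ① cmp dword ptr [edi],2E444D43   ; edi = end-7: do the last 7 bytes start "CMD."?
#   ② lods / add eax,[esi] / add eax,[esi+4] over the last 12 bytes of the
#      upper-cased name, then looked up in the dword table at [ebp+4055AF]
import struct
from typing import Iterable


def parent_name_checksum(name: str) -> int:
    """Sum (mod 2^32) of the three little-endian dwords covering the last 12 bytes
    of the upper-cased name, as computed at 00409D47..00409D50."""
    up = name.upper().encode("ascii")
    if len(up) < 12:
        # The packer would read whatever precedes the name buffer here; that is
        # unknowable offline, so we refuse rather than guess (assumption).
        raise ValueError("name shorter than 12 bytes")
    return sum(struct.unpack("<3I", up[-12:])) & 0xFFFFFFFF


def parent_allowed(name: str, allowed_sums: Iterable[int]) -> bool:
    """True when the packed program would NOT reach TerminateProcess for this
    parent: test ① passes, or test ② finds the checksum in the table."""
    up = name.upper().encode("ascii")
    if up[-7:-3] == b"CMD.":          # ①: 'C','M','D','.' is 2E444D43 little-endian
        return True
    try:
        return parent_name_checksum(name) in set(allowed_sums)   # ②
    except ValueError:
        return False                  # short name: treated as no match (assumption)


# Assumption: the real table is not reproduced in the post; this one only
# whitelists EXPLORER.EXE, the usual parent of a double-clicked program.
ALLOWED_SUMS = {parent_name_checksum("EXPLORER.EXE")}


if __name__ == "__main__":
    for parent in ("explorer.exe", "cmd.exe", "MYDEBUGGER.EXE"):
        verdict = "survives" if parent_allowed(parent, ALLOWED_SUMS) else "killed"
        print(f"{parent:16} -> {verdict}")
```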
―――――――――――――――――――――――――――――――――
II. Unpacking example
OK, let's unpack with my modified OllyDbg. Hide OllyDbg and set it not to ignore any exceptions.
0040B08E CD 01 int 1
====> 1st exception
0040B090 40 inc eax
0040B091 40 inc eax
0040B092 0BC0 or eax,eax
0040B094 0F85 B6000000 jnz 試煉ACP.0040B150
0040B394 CC int3
====> 2nd exception
0040B395 90 nop
0040B396 64:67:8F06 0000 pop dword ptr fs:[0]
0040B39C 83C4 04 add esp,4
0040B39F 60 pushad
0040B3A0 E8 00000000 call 試煉ACP.0040B3A5
――――――――――――――――――――――――
Set the breakpoint BP GetProcAddress+1, then walk with CTRL+F9. Since my test subject was packed with the unregistered ACProtect, keep pressing CTRL+F9 until the "Protected by Unregistered ACProtect!" prompt pops up, then stop!
Take note of the function names on the stack; they may be a useful reference when unpacking other programs with this packer later.
77E5A5FD 55 push ebp
77E5A5FE 8BEC mov ebp,esp
====> breaks here, GetProcAddress+1
…… …… omitted …… ……
77D3AADF FF15 E412D177 call dword ptr ds:[<&KERNEL32.HeapFree>]
77D3AAE5 33F6 xor esi,esi
77D3AAE7 3975 04 cmp dword ptr ss:[ebp+4],esi
77D3AAEA 0F85 C7840100 jnz USER32.77D52FB7
77D3AAF0 3975 18 cmp dword ptr ss:[ebp+18],esi
77D3AAF3 0F85 D3840100 jnz USER32.77D52FCC
77D3AAF9 8B45 40 mov eax,dword ptr ss:[ebp+40]
77D3AAFC 5F pop edi
77D3AAFD 5E pop esi
77D3AAFE 5B pop ebx
77D3AAFF 83C5 74 add ebp,74
77D3AB02 C9 leave
77D3AB03 C2 0400 retn 4
====> after dismissing that unregistered-protection prompt, it returns here!
――――――――――――――――――――――――
77D3AC40 66:837E 2C 00 cmp word ptr ds:[esi+2C],0
77D3AC45 8BF8 mov edi,eax
77D3AC47 0F85 F0840100 jnz USER32.77D5313D
77D3AC4D 8BC7 mov eax,edi
77D3AC4F 5F pop edi
77D3AC50 5E pop esi
77D3AC51 5B pop ebx
77D3AC52 83C5 74 add ebp,74
77D3AC55 C9 leave
77D3AC56 C2 0400 retn 4
77D3ADCC C9 leave
77D3ADCD C2 1800 retn 18
77D3AE8A FF75 FC push dword ptr ss:[ebp-4]
77D3AE8D 8B35 E412D177 mov esi,dword ptr ds:[<&KERNEL32.HeapFree>]
77D3AE93 57 push edi
77D3AE94 FF35 A4D1D677 push dword ptr ds:[77D6D1A4]
77D3AE9A 8BD8 mov ebx,eax
77D3AE9C FFD6 call esi
77D3AE9E 397D F8 cmp dword ptr ss:[ebp-8],edi
77D3AEA1 74 0C je short USER32.77D3AEAF
77D3AEA3 FF75 F8 push dword ptr ss:[ebp-8]
77D3AEA6 57 push edi
77D3AEA7 FF35 A4D1D677 push dword ptr ds:[77D6D1A4]
77D3AEAD FFD6 call esi
77D3AEAF 8BC3 mov eax,ebx
77D3AEB1 5F pop edi
77D3AEB2 5E pop esi
77D3AEB3 5B pop ebx
77D3AEB4 C9 leave
77D3AEB5 C2 1800 retn 18
77D3AE17 5D pop ebp
77D3AE18 C2 1400 retn 14
77D3ADFB C2 1000 retn 10
====> returns to 0041F78B; hope is in sight :-)
――――――――――――――――――――――――
Now single-step with F7; simple loops can be skipped with F4. A little patience is needed, as some stretches take a long time to walk through.
0041F78B 45 inc ebp
0041F78C 4B dec ebx
0041F78D 81CB D350FA80 or ebx,80FA50D3
0041F793 66:81F5 F613 xor bp,13F6
0041F798 E8 01000000 call 試煉ACP.0041F79E
0041F79E 83C4 04 add esp,4
0041F7A1 C1ED AF shr ebp,0AF
0041F7A4 E8 01000000 call 試煉ACP.0041F7AA
0041F7AA 83C4 04 add esp,4
0041F7AD 8BD9 mov ebx,ecx
0041F7AF E8 01000000 call 試煉ACP.0041F7B5
0041F7B5 830424 06 add dword ptr ss:[esp],6
0041F7B9 C3 retn
0041F7BA 66:BB EDA2 mov bx,0A2ED
0041F7BE 50 push eax
0041F7BF E8 01000000 call 試煉ACP.0041F7C5
0041F7C5 58 pop eax
0041F7C6 58 pop eax
0041F7C7 F8 clc
0041F7C8 50 push eax
0041F7C9 E8 01000000 call 試煉ACP.0041F7CF
0041F7CF 58 pop eax
0041F7D0 58 pop eax
0041F7D1 0F83 02000000 jnb 試煉ACP.0041F7D9
0041F7D9 E8 01000000 call 試煉ACP.0041F7DF
0041F7DF 83C4 04 add esp,4
0041F7E2 0F85 02000000 jnz 試煉ACP.0041F7EA
0041F7EA E8 01000000 call 試煉ACP.0041F7F0
0041F7F0 830424 06 add dword ptr ss:[esp],6
0041F7F4 C3 retn
0041F7F5 FC cld
0041F7F6 78 03 js short 試煉ACP.0041F7FB
0041F7F8 79 01 jns short 試煉ACP.0041F7FB
0041F7FB 49 dec ecx
0041F7FC 50 push eax
0041F7FD E8 01000000 call 試煉ACP.0041F803
0041F803 58 pop eax
0041F804 58 pop eax
0041F805 85D9 test ecx,ebx
0041F807 50 push eax
0041F808 E8 01000000 call 試煉ACP.0041F80E
0041F80E 58 pop eax
0041F80F 58 pop eax
0041F810 85CB test ebx,ecx
0041F812 E8 01000000 call 試煉ACP.0041F818
0041F818 83C4 04 add esp,4
0041F81B 87EB xchg ebx,ebp
0041F81D E8 01000000 call 試煉ACP.0041F823
0041F823 83C4 04 add esp,4
0041F826 7C 01 jl short 試煉ACP.0041F829
0041F828 FC cld
0041F829 50 push eax
0041F82A E8 01000000 call 試煉ACP.0041F830
0041F830 58 pop eax
0041F831 58 pop eax
0041F832 4D dec ebp
0041F833 7C 03 jl short 試煉ACP.0041F838
0041F835 7D 01 jge short 試煉ACP.0041F838
0041F838 66:13E8 adc bp,ax
0041F83B 50 push eax
0041F83C E8 01000000 call 試煉ACP.0041F842
0041F842 58 pop eax
0041F843 58 pop eax
0041F844 66:8BDE mov bx,si
0041F847 E8 01000000 call 試煉ACP.0041F84D
0041F84D 830424 06 add dword ptr ss:[esp],6
0041F851 C3 retn
0041F852 79 04 jns short 試煉ACP.0041F858
0041F854 66:BD 303E mov bp,3E30
0041F858 50 push eax
0041F859 E8 01000000 call 試煉ACP.0041F85F
0041F85F 58 pop eax
0041F860 58 pop eax
0041F861 0F86 02000000 jbe 試煉ACP.0041F869
0041F867 87CB xchg ebx,ecx
0041F869 74 03 je short 試煉ACP.0041F86E
0041F86B 75 01 jnz short 試煉ACP.0041F86E
0041F86E 87DD xchg ebp,ebx
0041F870 EB 01 jmp short 試煉ACP.0041F873
0041F873 66:13EE adc bp,si
0041F876 72 03 jb short 試煉ACP.0041F87B
0041F878 73 01 jnb short 試煉ACP.0041F87B
0041F87B 66:81C1 FEEE add cx,0EEFE
0041F880 EB 01 jmp short 試煉ACP.0041F883
0041F883 4D dec ebp
0041F884 50 push eax
0041F885 E8 01000000 call 試煉ACP.0041F88B
0041F88B 58 pop eax
0041F88C 58 pop eax
0041F88D 66:C1D5 54 rcl bp,54
0041F891 E8 01000000 call 試煉ACP.0041F897
0041F897 830424 06 add dword ptr ss:[esp],6
0041F89B C3 retn
0041F89C FC cld
0041F89D EB 01 jmp short 試煉ACP.0041F8A0
0041F8A0 87CB xchg ebx,ecx
0041F8A2 72 03 jb short 試煉ACP.0041F8A7
0041F8A4 73 01 jnb short 試煉ACP.0041F8A7
0041F8A7 77 03 ja short 試煉ACP.0041F8AC
0041F8AC E8 01000000 call 試煉ACP.0041F8B2
0041F8B2 830424 06 add dword ptr ss:[esp],6
0041F8B6 C3 retn
0041F8B7 66:81E9 352E sub cx,2E35
0041F8BC EB 01 jmp short 試煉ACP.0041F8BF
0041F8BF 0F88 04000000 js 試煉ACP.0041F8C9
0041F8C5 66:C1FB C9 sar bx,0C9
0041F8C9 E8 01000000 call 試煉ACP.0041F8CF
0041F8CF 830424 06 add dword ptr ss:[esp],6
0041F8D3 C3 retn
0041F8D4 8BEB mov ebp,ebx
0041F8D6 7A 03 jpe short 試煉ACP.0041F8DB
0041F8DB 0F82 06000000 jb 試煉ACP.0041F8E7
0041F8E1 E8 00000000 call 試煉ACP.0041F8E6
0041F8E6 59 pop ecx
0041F8E7 EB 01 jmp short 試煉ACP.0041F8EA
0041F8EA 41 inc ecx
0041F8EB E8 01000000 call 試煉ACP.0041F8F1
0041F8F1 830424 06 add dword ptr ss:[esp],6
0041F8F5 C3 retn
0041F8F6 F9 stc
0041F8F7 50 push eax
0041F8F8 E8 01000000 call 試煉ACP.0041F8FE
0041F8FE 58 pop eax
0041F8FF 58 pop eax
0041F900 F8 clc
0041F901 E8 01000000 call 試煉ACP.0041F907
0041F907 83C4 04 add esp,4
0041F90A 0F8D 04000000 jge 試煉ACP.0041F914
0041F914 E8 01000000 call 試煉ACP.0041F91A
0041F91A 830424 06 add dword ptr ss:[esp],6
0041F91E C3 retn
0041F91F 4D dec ebp
0041F920 EB 01 jmp short 試煉ACP.0041F923
0041F923 8BDE mov ebx,esi
0041F925 50 push eax
0041F926 E8 01000000 call 試煉ACP.0041F92C
0041F92C 58 pop eax
0041F92D 58 pop eax
0041F92E 66:13E9 adc bp,cx
0041F931 E8 01000000 call 試煉ACP.0041F937
0041F937 830424 06 add dword ptr ss:[esp],6
0041F93B C3 retn
0041F93C FC cld
0041F93D E8 01000000 call 試煉ACP.0041F943
0041F943 830424 06 add dword ptr ss:[esp],6
0041F947 C3 retn
0041F948 85CB test ebx,ecx
0041F94A 76 03 jbe short 試煉ACP.0041F94F
0041F94C 77 01 ja short 試煉ACP.0041F94F
0041F94F 0F8B 05000000 jpo 試煉ACP.0041F95A
0041F95A EB 01 jmp short 試煉ACP.0041F95D
0041F95D 66:03CE add cx,si
0041F960 E8 01000000 call 試煉ACP.0041F966
0041F966 830424 06 add dword ptr ss:[esp],6
0041F96A C3 retn
0041F96B 4B dec ebx
0041F96C E8 01000000 call 試煉ACP.0041F972
0041F972 830424 06 add dword ptr ss:[esp],6
0041F976 C3 retn
0041F977 1BCF sbb ecx,edi
0041F979 E8 00000000 call 試煉ACP.0041F97E
0041F97E 5D pop ebp
0041F97F 8BC5 mov eax,ebp
0041F981 3B45 1C cmp eax,dword ptr ss:[ebp+1C]
0041F984 7C 06 jl short 試煉ACP.0041F98C
0041F986 0345 1C add eax,dword ptr ss:[ebp+1C]
0041F989 8945 1C mov dword ptr ss:[ebp+1C],eax
0041F98C EB 01 jmp short 試煉ACP.0041F98F
0041F98F 66:C1D5 58 rcl bp,58
0041F993 87EB xchg ebx,ebp
0041F995 D3ED shr ebp,cl
0041F997 85CD test ebp,ecx
0041F999 68 C5FA4100 push 試煉ACP.0041FAC5
0041F99E 66:D3EB shr bx,cl
0041F9A1 5A pop edx
0041F9A2 E8 01000000 call 試煉ACP.0041F9A8
0041F9A8 830424 06 add dword ptr ss:[esp],6
0041F9AC C3 retn
0041F9AD 4B dec ebx
0041F9AE C1C3 E9 rol ebx,0E9
0041F9B1 E9 05000000 jmp 試煉ACP.0041F9BB
0041F9BB BE 38CEF63E mov esi,3EF6CE38
0041F9C0 75 04 jnz short 試煉ACP.0041F9C6
0041F9C6 81F6 F74B5C74 xor esi,745C4BF7
0041F9CC E8 01000000 call 試煉ACP.0041F9D2
0041F9D2 83C4 04 add esp,4
0041F9D5 85EB test ebx,ebp
0041F9D7 C1E3 79 shl ebx,79
0041F9DA B8 0C000000 mov eax,0C
0041F9DF EB 01 jmp short 試煉ACP.0041F9E2
0041F9E2 E9 03000000 jmp 試煉ACP.0041F9EA
0041F9EA 66:8BEF mov bp,di
0041F9ED 8B3A mov edi,dword ptr ds:[edx]
0041F9EF E8 01000000 call 試煉ACP.0041F9F5
0041F9F5 830424 06 add dword ptr ss:[esp],6
0041F9F9 C3 retn
0041F9FA F8 clc
0041F9FB D3D5 rcl ebp,cl
0041F9FD E9 08000000 jmp 試煉ACP.0041FA0A
0041FA0A 33FE xor edi,esi
0041FA0C E8 01000000 call 試煉ACP.0041FA12
0041FA12 83C4 04 add esp,4
0041FA15 E9 05000000 jmp 試煉ACP.0041FA1F
0041FA1F 8BCF mov ecx,edi
0041FA21 C1CF 19 ror edi,19
0041FA24 E8 01000000 call 試煉ACP.0041FA2A
0041FA2A 83C4 04 add esp,4
0041FA2D 7A 05 jpe short 試煉ACP.0041FA34
0041FA2F B9 021E239D mov ecx,9D231E02
0041FA34 4D dec ebp
0041FA35 E9 02000000 jmp 試煉ACP.0041FA3C
0041FA3C 337A 04 xor edi,dword ptr ds:[edx+4]
0041FA3F 50 push eax
0041FA40 E8 01000000 call 試煉ACP.0041FA46
0041FA46 58 pop eax
0041FA47 58 pop eax
0041FA48 E9 05000000 jmp 試煉ACP.0041FA52
0041FA52 85CD test ebp,ecx
0041FA54 85E9 test ecx,ebp
0041FA56 893A mov dword ptr ds:[edx],edi
0041FA58 50 push eax
0041FA59 E8 01000000 call 試煉ACP.0041FA5F
0041FA5F 58 pop eax
0041FA60 58 pop eax
0041FA61 F8 clc
0041FA62 E9 06000000 jmp 試煉ACP.0041FA6D
0041FA6D 81C6 097B16A2 add esi,A2167B09
0041FA73 E8 01000000 call 試煉ACP.0041FA79
0041FA79 83C4 04 add esp,4
0041FA7C F9 stc
0041FA7D 87EB xchg ebx,ebp
0041FA7F 83C2 04 add edx,4
0041FA82 E8 01000000 call 試煉ACP.0041FA88
0041FA88 830424 06 add dword ptr ss:[esp],6
0041FA8C C3 retn
0041FA8D E9 07000000 jmp 試煉ACP.0041FA99
0041FA99 E9 08000000 jmp 試煉ACP.0041FAA6
0041FAA6 83C0 FF add eax,-1
0041FAA9 0F85 3EFFFFFF jnz 試煉ACP.0041F9ED
====> F4 down past here
0041FAAF 78 03 js short 試煉ACP.0041FAB4
0041FAB1 79 01 jns short 試煉ACP.0041FAB4
0041FAB4 E9 01000000 jmp 試煉ACP.0041FABA
0041FABA 0F82 05000000 jb 試煉ACP.0041FAC5
0041FAC5 E8 8790FEFF call 試煉ACP.00408B51
====> step over with F8
0041FACA 8B85 D4BE4100 mov eax,dword ptr ss:[ebp+41BED4]
====> EAX=00001000
0041FAD0 0385 28404000 add eax,dword ptr ss:[ebp+404028]
====> EAX=00001000 + 00400000=00401000, which is the OEP :-)
0041FAD6 8985 D4BE4100 mov dword ptr ss:[ebp+41BED4],eax
====> [ebp+41BED4]=[41FED4]=EAX=00401000
Of course, one could keep tracing step by step with F7, but I will speed things up: set a memory-access breakpoint on the bytes 00 10 40 at memory address 0041FED4.
Press F9 to run; after a few seconds the program stops on its own! My machine is reasonably fast :-)
0041FECE FF25 D4FE4100 jmp dword ptr ds:[41FED4] ; 試煉ACP.00401000
====> Flying toward the summit of light!
―――――――――――――――――――――――
00401000 33DB xor ebx,ebx
====> Do a full dump of the program here with LordPE
00401002 53 push ebx
00401003 E8 28020000 call 試煉ACP.00401230 ; jmp to offset 試煉ACP.<ModuleEntryPoint>
00401008 A3 4C314000 mov dword ptr ds:[40314C],eax
0040100D 53 push ebx
0040100E 68 22104000 push 試煉ACP.00401022
00401013 53 push ebx
00401014 6A 67 push 67
00401016 50 push eax
00401017 E8 20020000 call 試煉ACP.0040123C
――――――――――――――――――――――――
Run 試煉ACP.exe again, start ImportREC and select this process. Set the OEP to 00001000, click IAT AutoSearch, then click "Get Imports"; some functions are invalid, so repair them all with trace level 3. FixDump, and it runs normally! 114K -> 136K; after optimizing with FileScan it is 115K.
―――――――――――――――――――――――――――――――――
III. About the import table and other issues
Because I was able to repair the import table with ImportREC and ran into nothing unrepairable, I only took a look at the places that 123112 said need to be NOPed.
0040E319 FF95 68C24100 call dword ptr ss:[ebp+41C268]
0040E31F 3B9D 28404000 cmp ebx,dword ptr ss:[ebp+404028]
0040E325 7C 0F jl short 試煉ACP.0040E336
0040E327 90 nop
0040E328 90 nop
0040E329 90 nop
0040E32A 90 nop
0040E32B 60 pushad
0040E32C 2BC0 sub eax,eax
0040E32E 8803 mov byte ptr ds:[ebx],al
0040E330 43 inc ebx
0040E331 3803 cmp byte ptr ds:[ebx],al
0040E333 75 F9 jnz short 試煉ACP.0040E32E
0040E335 61 popad
0040E336 0BC0 or eax,eax
0040E338 0F84 2EFFFFFF je 試煉ACP.0040E26C
0040E33E 3B85 78C24100 cmp eax,dword ptr ss:[ebp+41C278]
0040E344 75 0A jnz short 試煉ACP.0040E350
――――――――――――――――
0040E296 FF95 74C24100 call dword ptr ss:[ebp+41C274]
0040E29C 60 pushad
0040E29D 2BC0 sub eax, eax
0040E29F 8803 mov byte ptr ds:[ebx], al
0040E2A1 43 inc ebx
0040E2A2 3803 cmp byte ptr ds:[ebx], al
0040E2A4 75 F9 jnz short 試煉ACP.0040E29F
0040E2A6 61 popad
0040E2A7 8985 20404000 mov dword ptr ss:[ebp+404020], eax
0040E2AD C785 24404000 000000>mov dword ptr ss:[ebp+404024], 0
0040E2B7 8B95 28404000 mov edx, dword ptr ss:[ebp+404028]
0040E2BD 8B06 mov eax, dword ptr ds:[esi]
0040E2BF 0BC0 or eax, eax
0040E2C1 75 07 jnz short 試煉ACP.0040E2CA
Note: the difference between these 2 addresses, 0040E32C-0040E29D=8F, seems to be fixed :-)
Other issues: I found that in some programs packed with the same ACProtect options the 6 bytes at the entry point were replaced, while other programs are fine. The above is only my shallow view; discussion and corrections are welcome!
―――――――――――――――――――――――――――――――――
Cracked By 巢水工作坊――fly [OCN][FCG]
2003-11-01 01:10