tElock 0.9x-1.0x (private) anti-OllyDbg analysis and unpacking: BadCopyProV3_71_0727 KeyGen

Posted by 看雪資料 on 2015-11-15


[Author's note]: I am a beginner at cracking and do this purely out of interest, with no other purpose. Corrections from the experts are welcome!

[Debugging environment]: WinXP, OllyDbg 1.09, PEiD, LordPE, WinHex, PEditor

――――――――――――――――――――――――――――――――― 
[Process]:


The keygen for BadCopyProV3_71_0727 released by TEAM ECLiPSE; it is all over the net, find it yourself.
PEiD 0.9 reports: tElock 0.9x - 1.0x (private). Heh, presumably a tweaked tElock that the experts have customised.
Not much has changed, except that this thing closes OllyDbg automatically, something earlier tElock versions did not do.

Under WinXP OllyDbg can be hidden. Before debugging, configure OllyDbg: Options -> Debugging options -> Exceptions.
Tick these three options: "Ignore memory access violations in KERNEL32", "INT3 breaks" and "Single-step break" (the packer relies on all three exception types reaching its own handlers, so the debugger must pass them on).

―――――――――――――――――――――――――――――――――
1. Anti-OllyDbg analysis


Unpack manually with OllyDbg; the usual routine: on loading it asks "Compressed code - continue analysis?", answer No.


004390BC     E9 3FDFFFFF          jmp BadCopyP.00437000
                                  ====> OllyDbg stops here after loading. F9 to run; the program breaks at the first exception.

004370A7     F7F3                 div ebx
                                  ====> 1st exception (the div faults on purpose; the SEH frame set up just before catches it)

If you press Shift+F9 here the program simply exits, so trace it instead. Note: step with F7; the omitted stretches contain no significant jumps.

004370C5     8B4424 04            mov eax,dword ptr ss:[esp+4]
                                  ====> The second entry in the stack pane is the SEH handler: set a breakpoint on it and Shift+F9 stops here.
  ... ...  omitted  ... ...
004370FE     EB 60                jmp short BadCopyP.00437160

00437160     C3                   retn
                                  ====> Returns into a system DLL; set a breakpoint on the line below and F9 to it.
00437161     2C 04                sub al,4
  ... ...  omitted  ... ...
00437188   ^ EB F1                jmp short BadCopyP.0043717B

0043718A     8B42 3C              mov eax,dword ptr ds:[edx+3C]
  ... ...  omitted  ... ...
004371C4     74 07                je short BadCopyP.004371CD

004371CD     8D7416 FC            lea esi,dword ptr ds:[esi+edx-4]
  ... ...  omitted  ... ...
004371DE   ^ 7C E6                jl short BadCopyP.004371C6

004371E0     8B06                 mov eax,dword ptr ds:[esi]
004371E2     03C2                 add eax,edx
004371E4     8138 4C6F6164        cmp dword ptr ds:[eax],64616F4C
004371EA     75 50                jnz short BadCopyP.0043723C
  ... ...  omitted  ... ...
004373F4     8138 47657450        cmp dword ptr ds:[eax],50746547
004373FA   ^ 0F85 D8FDFFFF        jnz BadCopyP.004371D8
00437400     8178 04 726F6341     cmp dword ptr ds:[eax+4],41636F72
00437407   ^ 0F85 CBFDFFFF        jnz BadCopyP.004371D8
0043740D     8178 08 64647265     cmp dword ptr ds:[eax+8],65726464
00437414   ^ 0F85 BEFDFFFF        jnz BadCopyP.004371D8
0043741A     68 82080000          push 882
0043741F   ^ E9 DFFDFFFF          jmp BadCopyP.00437203
                                  ====> F4 here to run out of the loop. The dword compares above spell "GetProcAddress" ("Load" earlier is the same trick): the packer walks kernel32's export names itself and keeps the resolved address at [ebp+882] for the calls below.
00437424     58                   pop eax
  ... ...  omitted  ... ...
0043744E   ^ E2 F0                loopd short BadCopyP.00437440
                                  ====> F4 to run out of the LOOP
00437450     60                   pushad
00437451     8DBD DA070000        lea edi,dword ptr ss:[ebp+7DA]
00437457     E8 2A000000          call BadCopyP.00437486

00437486     58                   pop eax  
00437487     83C0 0A              add eax,0A
0043748A     AB                   stos dword ptr es:[edi]
0043748B     83C0 F6              add eax,-0A
0043748E     50                   push eax
0043748F     FF95 95200000        call dword ptr ss:[ebp+2095]
00437495     33D8                 xor ebx,eax
00437497     33C3                 xor eax,ebx
00437499     33D8                 xor ebx,eax
                                  ====> the three xors are an xchg eax,ebx in disguise: ebx now holds the module handle returned by the call above, the first argument for the GetProcAddress calls that follow
0043749B     E8 0C000000          call BadCopyP.004374AC

004374AC     53                   push ebx    
004374AD     FF95 82080000        call dword ptr ss:[ebp+882]  ; kernel32.GetProcAddress
                                  ====> `call 004374AC` pushed 004374A0 as its return address, and the bytes there are the API name, so that pushed "return address" doubles as lpProcName; ebx is hModule
004374B3     40                   inc eax
004374B4     48                   dec eax
004374B5     0F84 32020000        je BadCopyP.004376ED
                                  ====> inc/dec is a test eax,eax: if the import could not be resolved, leave via the exit path
004374BB     AB                   stos dword ptr es:[edi]
004374BC     8A00                 mov al,byte ptr ds:[eax]
004374BE     2C CC                sub al,0CC
                                  ====> the first byte of the resolved API is compared with 0xCC (INT3): a software breakpoint on the API entry gives the debugger away. Here the byte is 0x33 (33-CC=67), so no jump.
004374C0     0F84 27020000        je BadCopyP.004376ED
                                  ====> jump = breakpoint found = exit path
004374C6     E8 0D000000          call BadCopyP.004374D8

004374D8     53                   push ebx
004374D9     FF95 82080000        call dword ptr ss:[ebp+882]
                                  ====> GetProcAddress again, same trick: the API name sits right after the call instruction at 004374C6
004374DF     40                   inc eax
004374E0     48                   dec eax
004374E1     0F84 06020000        je BadCopyP.004376ED
004374E7     AB                   stos dword ptr es:[edi]
004374E8     8A00                 mov al,byte ptr ds:[eax]
004374EA     2C CC                sub al,0CC
                                  ====> same INT3 check on this API's first byte
004374EC     0F84 FB010000        je BadCopyP.004376ED
004374F2     E8 0E000000          call BadCopyP.00437505
004374F7     47                   inc edi
004374F8     65:74 43             je short BadCopyP.0043753E
                                  ====> not code: 47 65 74 43 is the ASCII "GetC" of "GetClassNameA", the name the call above pushes as its return address (and thus as lpProcName); OllyDbg is disassembling string bytes

00437505     53                   push ebx   
00437506     FF95 82080000        call dword ptr ss:[ebp+882] ; kernel32.GetProcAddress
0043750C     40                   inc eax
0043750D     48                   dec eax
0043750E     0F84 D9010000        je BadCopyP.004376ED
00437514     AB                   stos dword ptr es:[edi]
00437515     8A00                 mov al,byte ptr ds:[eax]
00437517     2C CC                sub al,0CC
                                  ====> INT3 check on GetClassNameA's first byte: 6A (push) here, 6A-CC=9E, so no jump
00437519     0F84 CE010000        je BadCopyP.004376ED
0043751F    |80BD 1D240000 00     cmp byte ptr ss:[ebp+241D],0
00437526    |75 0C                jnz short BadCopyP.00437534
00437528    |AB                   stos dword ptr es:[edi]
00437529    |AB                   stos dword ptr es:[edi]
0043752A    |AB                   stos dword ptr es:[edi]
0043752B    |AB                   stos dword ptr es:[edi]
0043752C    |AB                   stos dword ptr es:[edi]
0043752D    |AB                   stos dword ptr es:[edi]
0043752E    |AB                   stos dword ptr es:[edi]
0043752F    |E9 20030000          jmp BadCopyP.00437854

00437854     83C7 D4              add edi,-2C
00437857     EB 30                jmp short BadCopyP.00437889

00437889     57                   push edi   
0043788A     E8 58000000          call BadCopyP.004378E7

004378E7     FF57 04              call dword ptr ds:[edi+4] ; user32.EnumWindows
                                  ====> F7 into it. Note the trick: `call 004378E7` pushed 0043788F as its return address, and that is what EnumWindows receives as lpEnumFunc (the callback below); edi, the packer's table holding the resolved API pointers and the class-name buffer, is lParam.

77D17627     33C0                 xor eax,eax 
77D17629     50                   push eax
77D1762A     50                   push eax
77D1762B     FF7424 10            push dword ptr ss:[esp+10]
77D1762F     FF7424 10            push dword ptr ss:[esp+10]
77D17633     50                   push eax
77D17634     50                   push eax
77D17635     E8 BAFEFFFF          call user32.77D174F4

77D174F4     55                   push ebp
77D174F5     8BEC                 mov ebp,esp
77D174F7     51                   push ecx
77D174F8     57                   push edi
77D174F9     8D45 1C              lea eax,dword ptr ss:[ebp+1C]
77D174FC     50                   push eax
77D174FD     FF75 18              push dword ptr ss:[ebp+18]
77D17500     C745 FC 01000000     mov dword ptr ss:[ebp-4],1
77D17507     FF75 1C              push dword ptr ss:[ebp+1C]
77D1750A     FF75 0C              push dword ptr ss:[ebp+C]
77D1750D     FF75 08              push dword ptr ss:[ebp+8]
77D17510     E8 24000000          call user32.77D17539
77D17515     8BF8                 mov edi,eax
77D17517     83FF FF              cmp edi,-1
77D1751A     0F84 43710300        je user32.77D4E663 
77D17520     53                   push ebx
77D17521     33DB                 xor ebx,ebx
77D17523     3BFB                 cmp edi,ebx
77D17525     0F85 F2000000        jnz user32.77D1761D

77D1761D     3BFB                 cmp edi,ebx
77D1761F     56                   push esi
77D17620     8B75 1C              mov esi,dword ptr ss:[ebp+1C]
77D17623   ^ 76 D5                jbe short user32.77D175FA
77D17625   ^ EB B1                jmp short user32.77D175D8

77D175D8     8B0E                 mov ecx,dword ptr ds:[esi]
77D175DA     E8 71C5FFFF          call user32.77D13B50
77D175DF     85C0                 test eax,eax
77D175E1     74 0F                je short user32.77D175F2
77D175E3     FF75 14              push dword ptr ss:[ebp+14]
77D175E6     FF36                 push dword ptr ds:[esi]
77D175E8     FF55 10              call dword ptr ss:[ebp+10]
                                  ====> Note: the check happens inside this call (the EnumWindowsProc callback)!

77D175EB     85C0                 test eax,eax
77D175ED     8945 FC              mov dword ptr ss:[ebp-4],eax 
77D175F0     74 08                je short user32.77D175FA
77D175F2     83C6 04              add esi,4
77D175F5     43                   inc ebx
77D175F6     3BDF                 cmp ebx,edi
77D175F8   ^ 72 DE                jb short user32.77D175D8
                                  ====> loops over the enumerated window handles, calling the callback for each until it returns 0

――――――――――――――――――――――――
Into 77D175E8   call dword ptr ss:[ebp+10]:


0043788F     C8 000000            enter 0,0
00437893     57                   push edi
00437894     8B7D 0C              mov edi,dword ptr ss:[ebp+C]
00437897     6A 20                push 20
00437899     FF37                 push dword ptr ds:[edi]
0043789B     FF75 08              push dword ptr ss:[ebp+8]
0043789E     FF57 0C              call dword ptr ds:[edi+C]; user32.GetClassNameA
                                  ====> GetClassNameA(hwnd, [edi], 0x20): the class name of the window being enumerated goes into the packer's 32-byte buffer

004378A1     8B07                 mov eax,dword ptr ds:[edi]
004378A3     8138 4F4C4C59        cmp dword ptr ds:[eax],594C4C4F
                                  ====> starts with "OLLY"? That is OllyDbg (its main window class is OLLYDBG)
004378A9     74 21                je short BadCopyP.004378CC
                                  ====> if taken, game over!
004378AB     8138 4F574C5F        cmp dword ptr ds:[eax],5F4C574F
                                  ====> starts with "OWL_"? What tool is that? (It is the window-class prefix used by Borland ObjectWindows Library applications.)
004378B1     74 19                je short BadCopyP.004378CC
                                  ====> if taken, game over!
004378B3     8138 54446544        cmp dword ptr ds:[eax],44654454
                                  ====> starts with "TDeD"? That is DeDe, the Delphi decompiler
004378B9     74 11                je short BadCopyP.004378CC
                                  ====> if taken, game over!
004378BB     8138 46696C65        cmp dword ptr ds:[eax],656C6946
004378C1     75 1C                jnz short BadCopyP.004378DF
                                  ====> if not taken, game over!
004378C3     8178 04 4D6F6E43     cmp dword ptr ds:[eax+4],436E6F4D
004378CA     75 13                jnz short BadCopyP.004378DF
                                  ====> if not taken, game over! "File" + "MonC" is the start of FileMonClass, the window class of Sysinternals Filemon, so Filemon gets closed as well.
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Look at what is hiding in memory:

00437899  FF 37 FF 75 08 FF 57 0C 8B 07 81 38 4F 4C 4C 59  .7.u..W....8OLLY
004378A9  74 21 81 38 4F 57 4C 5F 74 19 81 38 54 44 65 44  t!.8OWL_t..8TDeD
004378B9  74 11 81 38 46 69 6C 65 75 1C 81 78 04 4D 6F 6E  t..8Fileu..x.Mon
004378C9  43 75 13 6A 00 6A 00 6A 10 FF 75 08 FF 57 08 33  Cu.j.j.j..u..W.3
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

004378CC     6A 00                push 0
004378CE     6A 00                push 0
004378D0     6A 10                push 10
004378D2     FF75 08              push dword ptr ss:[ebp+8]
004378D5     FF57 08              call dword ptr ds:[edi+8]
                                  ====> Game over here: call [edi+8] with (hwnd, 0x10, 0, 0). 0x10 is WM_CLOSE, so the debugger's own window is told to close (presumably PostMessageA or SendMessageA; the listing does not name it). The callback then returns 0, which ends the enumeration.
004378D8     33C0                 xor eax,eax
004378DA     5F                   pop edi
004378DB     C9                   leave
004378DC     C2 0800              retn 8
004378DF     6A 01                push 1
                                  ====> returns 1: nothing matched, enumeration continues. That is the OK path.
004378E1     58                   pop eax
004378E2     5F                   pop edi
004378E3     C9                   leave
004378E4     C2 0800              retn 8


Ugh. So it calls EnumWindows and GetClassNameA to walk every top-level window, fetches each window's class name, and compares it with the built-in OLLY, OWL_ and TDeD prefixes (plus FileMonC); if one matches, sorry, it will not play with you. Heh, more or less the same effect as FindWindow, just done by hand; a fairly gentle anti-debugging trick.
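The constants in the listing hide the strings four bytes at a time, which is why a plain text search of the packer for "OLLY" finds nothing. The following Python, added here as an example and not code from the packer, the keygen or the author, pulls those immediates out of the 64 bytes shown in the memory dump above and mirrors the callback's decision; the byte string and the class names it is exercised with are constructed from the listing.

```python
"""Decode the window-class checks of the EnumWindows callback and model its
decision.  Added example: not code from the packer, the keygen or the author."""
import struct

WM_CLOSE = 0x10  # the message value pushed before `call [edi+8]`

# 00437899..004378D8, transcribed from the memory dump above (64 bytes).
CALLBACK_BYTES = bytes.fromhex(
    "FF37FF7508FF570C8B0781384F4C4C59"
    "742181384F574C5F7419813854446544"
    "7411813846696C65751C8178044D6F6E"
    "4375136A006A006A10FF7508FF570833"
)


def imm_to_ascii(imm32):
    """The immediate OllyDbg prints as 594C4C4F is stored little-endian,
    so its bytes in memory read 4F 4C 4C 59 = 'OLLY'."""
    return struct.pack("<I", imm32).decode("latin-1")


def extract_compares(code):
    """Return (displacement, 4-char string) for every
    `cmp dword ptr [eax],imm32`        (81 38 imm32) and
    `cmp dword ptr [eax+disp8],imm32`  (81 78 disp8 imm32).
    A linear byte scan, not a disassembler: fine for this straight-line
    callback, but it could misfire on code where 0x81 occurs as data."""
    found, i = [], 0
    while i + 6 <= len(code):
        if code[i] == 0x81 and code[i + 1] == 0x38:
            found.append((0, code[i + 2:i + 6].decode("latin-1")))
            i += 6
        elif code[i] == 0x81 and code[i + 1] == 0x78 and i + 7 <= len(code):
            found.append((code[i + 2], code[i + 3:i + 7].decode("latin-1")))
            i += 7
        else:
            i += 1
    return found


SINGLE_DWORD = {b"OLLY", b"OWL_", b"TDeD"}   # je  -> WM_CLOSE path
TWO_DWORD = (b"File", b"MonC")               # both must match -> WM_CLOSE path


def callback_closes(class_name):
    """Mirror the callback.  GetClassNameA fills a 0x20-byte buffer; the
    first dword is compared with three prefixes, then 'File' and 'MonC' are
    compared as two dwords.  True means `call [edi+8]` with WM_CLOSE and a
    return value of 0; False means return 1 and EnumWindows carries on.
    A name shorter than four bytes has its NUL inside the first dword, so it
    can never match; NUL padding here stands in for the real buffer's
    leftover bytes."""
    buf = class_name.encode("latin-1")[:0x20].ljust(0x20, b"\0")
    d0, d1 = buf[:4], buf[4:8]
    return d0 in SINGLE_DWORD or (d0, d1) == TWO_DWORD


def windows_to_close(class_names):
    """Given the class names EnumWindows would hand the callback, return the
    ones that would be sent WM_CLOSE."""
    return [n for n in class_names if callback_closes(n)]
```

Running `extract_compares(CALLBACK_BYTES)` yields OLLY, OWL_, TDeD, File and MonC (the last with displacement 4), i.e. exactly the five compares in the listing; feeding `windows_to_close` a constructed list such as the tray window, OLLYDBG and FileMonClass shows which windows the packer would close.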

Because tElock has strong memory and file self-checks, patching the program brings up a CRC ERROR message and it quits, so a lazy person like me took the easiest route. Some time ago, out of boredom, I made a small modification to OllyDbg whose only purpose is to defeat targets that detect the tool by its original window class name in memory. I never expected it to finally come in handy.


―――――――――――――――――――――――――――――――――
2. Partial unpacking: getting the IAT


On with the unpacking, now tracing with my modified OllyDbg. This time the program behaves and no longer "leaves without saying goodbye".

Shift+F9 through the exceptions: after the 6th one the program runs. Try again and press Shift+F9 4 times:

00438069     CD 68                int 68
                                  ====> 4th exception (int 68h is the classic SoftICE presence check)

004386E4     8B95 42D84000        mov edx,dword ptr ss:[ebp+40D842]
004386EA     8BB5 32D84000        mov esi,dword ptr ss:[ebp+40D832]
004386F0     85F6                 test esi,esi
                                  ====> F2 breakpoint here! ESI = RVA of the import table
004386F2     0F84 18040000        je BadCopyP.00438B10
                                  ====> The book "Encryption and Decryption" says this jump can be forced, but when I forced it the program would not run.
004386F8     03F2                 add esi,edx
004386FA     83A5 32D94000 00     and dword ptr ss:[ebp+40D932],0
                                  ====> this is the spot!

With the breakpoint at 004386F0, Shift+F9 stops there; esi = 0000A1EC, which is where the IAT lives. Then D 0040A1EC (command line) shows the IAT; its size is 0040A8D0-0040A1EC=6E4. Now do a partial dump with LordPE: address 0040A1EC, size 6E4, saved as 部分dumped.dmp (the partial dump).


―――――――――――――――――――――――――――――――――
3. OK, let me continue: Shift+F9 once more and hunt for the OEP by hand


00438BD7     8DC0                 lea eax,eax  
                                  ====> 5th exception (lea with a register source operand is invalid and faults on purpose)

00438BE5     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second entry in the stack pane is the SEH handler: set a breakpoint on it and Shift+F9 stops here.
00438BE9     33C0                 xor eax,eax
00438BEB     FF6424 08            jmp dword ptr ss:[esp+8]

00438BFA     64:8F00              pop dword ptr fs:[eax]   
00438BFD     58                   pop eax
00438BFE     EB 02                jmp short BadCopyP.00438C02

00438C02     58                   pop eax
00438C03     5D                   pop ebp
00438C04     EB 02                jmp short BadCopyP.00438C08

00438C08     3D 5868133F          cmp eax,3F136858
00438C0D     E8 7E000000          call BadCopyP.00438C90

00438C90     F9                   stc
00438C91     72 01                jb short BadCopyP.00438C94
00438C94     FC                   cld
00438C95     60                   pushad
00438C96     E8 06000000          call BadCopyP.00438CA1

00438CA1     33C9                 xor ecx,ecx  
00438CA3     64:FF31              push dword ptr fs:[ecx]
00438CA6     64:8921              mov dword ptr fs:[ecx],esp
00438CA9     F1                   int1
00438CAA     F7F1                 div ecx
                                  ====> Exception! int1 (ICEBP) and the div by zero (ecx was just zeroed) both end up in the handler installed above; its address is the second entry in the stack pane.

00438C9B     8B6424 08            mov esp,dword ptr ss:[esp+8]
00438C9F     EB 0D                jmp short BadCopyP.00438CAE
                                  ====> second entry in the stack pane: breakpoint there, Shift+F9 stops here

00438CAE    /EB 01                jmp short BadCopyP.00438CB1

00438CB1     15 09403318          adc eax,18334009
00438CB6     BE 00000000          mov esi,0
00438CBB     64:8F06              pop dword ptr fs:[esi]
00438CBE     5E                   pop esi
00438CBF     EB 01                jmp short BadCopyP.00438CC2

00438CC2     F8                   clc
00438CC3     60                   pushad
00438CC4     E8 06000000          call BadCopyP.00438CCF

00438CCF     64:67:FF36 0000      push dword ptr fs:[0]
00438CD5     64:67:8926 0000      mov dword ptr fs:[0],esp
00438CDB     9C                   pushfd
00438CDC     810C24 00010000      or dword ptr ss:[esp],100
00438CE3     9D                   popfd
00438CE4     F8                   clc
                                  ====> Exception! popfd has set TF (bit 8 of EFLAGS), so this instruction raises a single-step exception. A debugger that swallows it instead of passing it to the handler breaks the flow, which is why "Single-step break" had to be ignored in the options. Look at the second entry in the stack pane.

00438CC9     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> second entry in the stack pane: breakpoint there, Shift+F9 stops here
00438CCD     EB 1A                jmp short BadCopyP.00438CE9

00438CE9     64:67:8F06 0000      pop dword ptr fs:[0]
00438CEF     58                   pop eax
00438CF0     61                   popad
00438CF1     F8                   clc
00438CF2     73 02                jnb short BadCopyP.00438CF6

00438CF6     98                   cwde
00438CF7     E8 0A000000          call BadCopyP.00438D06

00438D06     83E0 CF              and eax,FFFFFFCF
00438D09     C3                   retn
                                  ====> returns to 00438CFC; the call/retn pair is a disguised JMP

00438CFC     33C3                 xor eax,ebx
00438CFE     E9 08000000          jmp BadCopyP.00438D0B

00438D0B     C1E0 16              shl eax,16
00438D0E     E8 00000000          call BadCopyP.00438D13  // step over with F8
00438D13     85E4                 test esp,esp
00438D15     79 03                jns short BadCopyP.00438D1A

00438D1A     0BC3                 or eax,ebx
00438D1C     8B2C24               mov ebp,dword ptr ss:[esp]
00438D1F     58                   pop eax
00438D20     81ED 4E1F4100        sub ebp,BadCopyP.00411F4E
00438D26     F9                   stc
00438D27     72 02                jb short BadCopyP.00438D2B

00438D2B     F5                   cmc
00438D2C     03C2                 add eax,edx
00438D2E     B8 4EEB5FAC          mov eax,AC5FEB4E
00438D33     8BD8                 mov ebx,eax
00438D35     81EB 01CD1EAC        sub ebx,AC1ECD01
00438D3B     F8                   clc
00438D3C     73 02                jnb short BadCopyP.00438D40

00438D40     03DD                 add ebx,ebp
00438D42     B8 BA6B902C          mov eax,2C906BBA
00438D47     8BF8                 mov edi,eax
00438D49     81EF 9D6B902C        sub edi,2C906B9D
00438D4F     EB 01                jmp short BadCopyP.00438D52

00438D52     BE 7C40980E          mov esi,0E98407C
00438D57     0BE4                 or esp,esp
00438D59     75 01                jnz short BadCopyP.00438D5C

00438D5C     3D B3A81711          cmp eax,1117A8B3
00438D61     E8 0A000000          call BadCopyP.00438D70

00438D70     C3                   retn
                                  ====> returns to 00438D66

00438D66     1BC3                 sbb eax,ebx    
00438D68     E9 09000000          jmp BadCopyP.00438D76

00438D76     23C3                 and eax,ebx  
00438D78     90                   nop
00438D79     F9                   stc
00438D7A     6BF6 4D              imul esi,esi,4D
00438D7D     3133                 xor dword ptr ds:[ebx],esi
00438D7F     C1C6 03              rol esi,3
00438D82     F9                   stc
00438D83     83D6 4B              adc esi,4B
00438D86     43                   inc ebx
00438D87     43                   inc ebx
00438D88     43                   inc ebx
00438D89     43                   inc ebx
00438D8A     EB 02                jmp short BadCopyP.00438D8E

00438D8E     FC                   cld
00438D8F     81C6 0C519A22        add esi,229A510C
00438D95     F9                   stc
00438D96     72 01                jb short BadCopyP.00438D99

00438D99     1D F99D6513          sbb eax,13659DF9
00438D9E     83EF 01              sub edi,1
00438DA1     EB 02                jmp short BadCopyP.00438DA5

00438DA5     48                   dec eax
00438DA6     1BC6                 sbb eax,esi
00438DA8     51                   push ecx
00438DA9     8BCF                 mov ecx,edi
00438DAB     E3 03                jecxz short BadCopyP.00438DB0
00438DAD     59                   pop ecx
00438DAE   ^ EB C9                jmp short BadCopyP.00438D79
                                  ====> Watch this loop! Looking upward, 00438DAB is the way out: jecxz leaves once the counter in edi has been decremented to zero.
00438DB0     59                   pop ecx
                                  ====> Breakpoint here, F9, and it stops here: out of the loop!
00438DB1     85E4                 test esp,esp
00438DB3     79 03                jns short BadCopyP.00438DB8

00438DB8     F5                   cmc
00438DB9     E8 0C000000          call BadCopyP.00438DCA

00438DCA     2BC5                 sub eax,ebp
00438DCC     40                   inc eax
00438DCD     C3                   retn
                                  ====> returns to 00438DBE

00438DBE     3D B43C9223          cmp eax,23923CB4
00438DC3     E9 0B000000          jmp BadCopyP.00438DD3

00438DD3     3D 96AA2021          cmp eax,2120AA96
00438DD8     61                   popad
00438DD9     0BE4                 or esp,esp
00438DDB     75 01                jnz short BadCopyP.00438DDE

00438DDE     2BC7                 sub eax,edi
00438DE0     C3                   retn
                                  ====> returns to 00438C12

00438C12     8B9D 62D84000        mov ebx,dword ptr ss:[ebp+40D862]
00438C18     33F6                 xor esi,esi
00438C1A     F7D3                 not ebx
00438C1C     0BF3                 or esi,ebx
00438C1E     75 08                jnz short BadCopyP.00438C28

00438C28     039D 42D84000        add ebx,dword ptr ss:[ebp+40D842]
                                  ====> EBX = 00004C22 + 00400000 = 00404C22, the OEP

00438C2E     895C24 F0            mov dword ptr ss:[esp-10],ebx
00438C32     8DBD 64D74000        lea edi,dword ptr ss:[ebp+40D764]
00438C38     33C0                 xor eax,eax
00438C3A     B9 CE030000          mov ecx,3CE
00438C3F     F3:AA                rep stos byte ptr es:[edi]
00438C41     8DBD 9CB64000        lea edi,dword ptr ss:[ebp+40B69C]
00438C47     B9 3E1C0000          mov ecx,1C3E
00438C4C     F3:AA                rep stos byte ptr es:[edi]
00438C4E     66:AB                stos word ptr es:[edi]
00438C50     8DBD 9CB64000        lea edi,dword ptr ss:[ebp+40B69C]
00438C56     85F6                 test esi,esi
00438C58     75 08                jnz short BadCopyP.00438C62

00438C62     C607 E9              mov byte ptr ds:[edi],0E9
00438C65     47                   inc edi
00438C66     2BDF                 sub ebx,edi
00438C68     83EB 04              sub ebx,4
00438C6B     891F                 mov dword ptr ds:[edi],ebx
00438C6D     8DBD DAD24000        lea edi,dword ptr ss:[ebp+40D2DA]
00438C73     B9 2C000000          mov ecx,2C
00438C78     F3:AA                rep stos byte ptr es:[edi]
00438C7A     66:AB                stos word ptr es:[edi]
00438C7C     EB 02                jmp short BadCopyP.00438C80

00438C80     61                   popad
00438C81     FF6424 D0            jmp dword ptr ss:[esp-30]
                                  ====> Off to the summit of light! Jumps to 00404C22

――――――――――――――――――――――――

00404C22     55                   push ebp
                                  ====> Here, correct ImageSize in LordPE and dump the whole process

00404C23     8BEC                 mov ebp,esp
00404C25     6A FF                push -1
00404C27     68 E0A14000          push BadCopyP.0040A1E0
00404C2C     68 DC4D4000          push BadCopyP.00404DDC 


―――――――――――――――――――――――――――――――――
4. Manual repair. ImportREC would do it too, of course, but I wanted to learn the manual way.


1. With WinHex, copy the bytes of 部分dumped.dmp into dumped.exe at the corresponding location and save.

2. Open dumped.exe in PEditor and set the entry point to 00004C22; fix the sections with dumpfixer.

3. Use LordPE to set the import table address to 0000A1EC, then rebuild the PE. OK, it runs normally! 71K -> 191K
   The program was built with VC++ 6.0; once unpacked it also runs on other Windows versions.
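The three repair steps above, replayed in Python as an added example (not the author's WinHex/PEditor/LordPE workflow): write the partial IAT dump into the full dump at its RVA, set AddressOfEntryPoint to 4C22, and point the import data directory at A1EC. The image it operates on is a constructed PE32 skeleton whose raw offsets equal RVAs, which is the state the dump is in after the section fix in step 2; the directory Size written in step 3 is an assumption, the tutorial does not state one.

```python
"""Replay steps 1-3 of the manual repair on a constructed PE32 image.
Added example; not the author's tooling or the keygen's code."""
import struct

IAT_RVA = 0x0000A1EC    # esi at 004386F0 in the tutorial
IAT_SIZE = 0x6E4        # 0040A8D0 - 0040A1EC
OEP_RVA = 0x00004C22    # ebx at 00438C28 minus the 00400000 image base
IMAGE_BASE = 0x00400000

PE32_MAGIC = 0x10B
IMPORT_DIR_INDEX = 1    # IMAGE_DIRECTORY_ENTRY_IMPORT


def optional_header_offset(img):
    """Locate the optional header and verify this is a PE32 file."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20           # skip signature and COFF file header
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 image (PE32+ has a different layout)")
    return opt


def fix_dump(img, iat_block, iat_rva=IAT_RVA, oep_rva=OEP_RVA):
    """Return a patched copy of `img`.

    Assumes the dump's sections were already realigned so that raw offset ==
    RVA (what 'fix sections' in dumpfixer/LordPE does); only then can the IAT
    bytes be written at file offset == RVA, as WinHex is used for in step 1."""
    out = bytearray(img)
    if iat_rva + len(iat_block) > len(out):
        raise ValueError("IAT block does not fit inside the dump")
    out[iat_rva:iat_rva + len(iat_block)] = iat_block             # step 1
    opt = optional_header_offset(out)
    struct.pack_into("<I", out, opt + 16, oep_rva)                # step 2: AddressOfEntryPoint
    dd = opt + 96 + 8 * IMPORT_DIR_INDEX                          # step 3: DataDirectory[IMPORT]
    # Size is an assumption (the tutorial gives none); the loader does not rely on it.
    struct.pack_into("<II", out, dd, iat_rva, len(iat_block))
    return bytes(out)


def read_fields(img):
    """Entry point and import directory as a loader would see them."""
    opt = optional_header_offset(img)
    dd = opt + 96 + 8 * IMPORT_DIR_INDEX
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from("<II", img, dd)
    return {"entry": entry, "import_rva": imp_rva, "import_size": imp_size}


def build_dummy_image(size=0xB000):
    """Constructed PE32 skeleton: just enough header for the offsets used
    above, with one section whose raw offset equals its RVA."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)              # ImageBase
    struct.pack_into("<I", img, opt + 56, size)                    # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)                      # NumberOfRvaAndSizes
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".bin", size - 0x1000, 0x1000,
                     size - 0x1000, 0x1000, 0, 0, 0, 0, 0xE0000060)
    return bytes(img)
```

The import directory RVA is what the loader follows; `read_fields` re-parses the patched image so the result can be checked independently of the writer, which is the same sanity check one would do with PEditor after step 3.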


―――――――――――――――――――――――――――――――――
    
                                
         ,     _/ 
       /| _.-~/            _     ,        Youth lasts but a moment;
       ( /~   /              ~-._ |
       `\  _/                   ~ )          gladly I trade empty fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the wild freedom of cracking.
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

            Cracked By 巢水工作坊: fly [OCN][FCG]

                    2003-10-13 23:00
