System Cleaner 4.89 Build 110
Unpacking ASPR 1.3x with OllyDbg
================================================
Author: LaBBa
Translator: gmh001
App: System Cleaner 4.89 Build 110
Url : http://www.allerasoft.com/products/systemcleaner/
Preface
==================
OK, here it comes!! This is the third time I write this cracking tutorial: the first time my machine crashed while I was writing it, the second time there was a power failure.
(Heh, my luck has been a bit off...)
Now...
This article shows how to unpack ASPR 1.3x really quickly and simply, and how to find the stolen bytes...
and all that without using SoftIce, IceDump or /tracex!
Using what?
Using OllyDbg!
Needed Tools
================
1. OllyDbg 1.09b2 or newer
2. ProcDump (G-rom) / Pe-edit (y0da)
3. imprec 1.3 (MackT/UCF) (protools.cjb.net)
4. HVIEW / Hex Editor
Steps of Unpacking
=======================
1. Finding the OEP + dumping the process from memory
2. Finding the stolen bytes
3. Rebuilding the IAT
4. Fixing the OEP
5. The End
====================================
Step 1 - Finding the OEP + Dumping =
====================================
1. Run Olly and load the application into it (if it prompts you, just say YES!)
2. Now press F9 and the program will break here:
017E3414 3100             XOR DWORD PTR DS:[EAX],EAX   <- we break here!
017E3416 EB 01            JMP SHORT 017E3419
017E3418 68 648F0500      PUSH 58F64
Why did Olly break? We didn't set any breakpoints?!
Heh, Olly breaks every time it enters a new module... and we are going to keep using that!!
3. Press Shift+F9 so that Olly keeps running until it reaches a new module.
4. After pressing Shift+F9 26 times we land here:
017E2D7A 3100             XOR DWORD PTR DS:[EAX],EAX   <- we land here
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]         <- set a breakpoint here
017E2D83 58               POP EAX
017E2D84 833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
017E2D8B 74 14            JE SHORT 017E2DA1
017E2D8D 6A 0C            PUSH 0C
017E2D8F B9 806D7E01      MOV ECX,17E6D80
017E2D94 8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
017E2D97 BA 04000000      MOV EDX,4
017E2D9C E8 EFE0FFFF      CALL 017E0E90
017E2DA1 FF75 FC          PUSH DWORD PTR SS:[EBP-4]
017E2DA4 FF75 F8          PUSH DWORD PTR SS:[EBP-8]
017E2DA7 8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
017E2DAA 8338 00          CMP DWORD PTR DS:[EAX],0
017E2DAD 74 02            JE SHORT 017E2DB1
017E2DAF FF30             PUSH DWORD PTR DS:[EAX]
017E2DB1 FF75 F0          PUSH DWORD PTR SS:[EBP-10]
017E2DB4 FF75 EC          PUSH DWORD PTR SS:[EBP-14]
017E2DB7 C3               RETN
If we press Shift+F9 once more the program will start running... don't do that!!
5. Now move the cursor down to:
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]
and press F2 (set a breakpoint).
Press Shift+F9 again and Olly will break at our breakpoint.
6. Now step with F8 (Step Over); executing the RETN takes us here:
017F4EC8 E9 080A0000      JMP 017F58D5                 <- we are here
Execute this jump with F8 too...
Now we arrive here:
017F58D5 D3DE             RCR ESI,CL                   <- we land here
017F58D7 B9 7D966271      MOV ECX,7162967D
017F58DC 81C1 38F10A23    ADD ECX,230AF138
017F58E2 D3EE             SHR ESI,CL
017F58E4 BA 9ECC7376      MOV EDX,7673CC9E
017F58E9 81EA C56EFFD4    SUB EDX,D4FF6EC5
017F58EF 81F2 B7104902    XOR EDX,24910B7
017F58F5 C1CA 94          ROR EDX,94
017F58F8 8BF2             MOV ESI,EDX
017F58FA 81EE 87D851D2    SUB ESI,D251D887
017F5900 C1CE B0          ROR ESI,0B0
017F5903 8BC6             MOV EAX,ESI
017F5905 C1C8 28          ROR EAX,28
017F5908 53               PUSH EBX
017F5909 5E               POP ESI
017F590A 81C5 974FAF73    ADD EBP,73AF4F97
017F5910 BA 048A9178      MOV EDX,78918A04
017F5915 F7D2             NOT EDX
017F5917 F7D2             NOT EDX
017F5919 81C2 FC756E87    ADD EDX,876E75FC
017F591F 8BDA             MOV EBX,EDX
017F5921 41               INC ECX                      ---------------
017F5922 8BD9             MOV EBX,ECX                  |
017F5924 D1C3             ROL EBX,1                    | a really long
017F5926 81F3 A38FD7AC    XOR EBX,ACD78FA3             | loop
017F592C 3BD8             CMP EBX,EAX                  |
017F592E ^0F85 EDFFFFFF   JNZ 017F5921                 ---------------
017F5934 8BC1             MOV EAX,ECX                  <<- set a breakpoint here!!
Fine, we don't have to trace the whole loop with F8!! We set a breakpoint on the instruction below:
017F5934 8BC1             MOV EAX,ECX
After setting the breakpoint (F2), press F9 (Run) and we will stop on it.
7. Now what?? Trace all the way with F8 / F7??!!
Well... NO!!
Olly has a nice feature: the command line.
Choose from the menu: Plugins->Command line->Command line
Now we will write a conditional trace command!
YES! Olly has a trace command! It is called TC - Trace Condition.
It traces until the condition becomes true!
So... write in the text box: TC EIP<900000
and press Enter.
At the bottom right of the window you will see: "Tracing".
On my slow machine it took about 8 minutes (350MHz);
on another, faster machine it took a little over 2 minutes (900MHz Celeron).
8. After the trace finishes we break here:
0057EA5B E8               DB E8
0057EA5C 00               DB 00
0057EA5D 8A               DB 8A
0057EA5E E8               DB E8
0057EA5F FF               DB FF
Hey!! I don't see shit!! Why is that?!
Oh, Olly hasn't analysed this code yet; it doesn't really matter, we ARE at the OEP!
OEP=57EA5B
9. Important!! At the OEP, look at the value of EAX (top right of the CPU window):
EAX=57E318
Write it down, we will need it later.
10. Open ProcDump/Pe-Edit and dump the process fully.
===================================
Step 2 - Finding the Stolen Bytes =
===================================
There are three ways ASPR handles stolen bytes:
1. ASPR executes the stolen bytes and then jumps to the OEP like this:
Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
.....
.....
PUSH_THE_ADDRESS_OF_OEP
RET_TO_OEP
2. ASPR first saves the stolen bytes, then erases the bytes at the OEP, then jumps to the OEP like this:
Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
PUSH EBX
PUSH ESI
PUSH EDI
......
......
......
REPZ STOSB <- erases the bytes
POPFD
POPAD
JMP_TO_OEP
3. With no stolen bytes it just executes POPAD and jumps to the OEP.
So which one are we dealing with?
Look at the last few steps ASPR takes before jumping to the OEP. For that we need the trace log.
Great! Olly can produce a trace log with the "Run Trace" feature.
So... choose the menu: View->Run trace
Now we see a new window... go to the line just before the last one, and you will see that the CPU window also changes to the same address, looking like this:
017F5779 F3:AA            REP STOS BYTE PTR ES:[EDI]
017F577B 9D               POPFD
017F577C 61               POPAD
017F577D -E9 D992D8FE     JMP SYSTEMCL.0057EA5B        <-- the address of the OEP
So we are dealing with way #2!!
I found the following works on WinXP, not on Win98:
In the CPU window press Ctrl+S (Search for sequence of commands)
and write in:
PUSH EBX
PUSH ESI
PUSH EDI
You will find:
01029227 0055 8B          ADD BYTE PTR SS:[EBP-75],DL
0102922A EC               IN AL,DX                     ; I/O command
0102922B 83EC 54          SUB ESP,54
0102922E 53               PUSH EBX
0102922F 56               PUSH ESI
01029230 57               PUSH EDI
01029231 6A 11            PUSH 11
Ignore the "00" and you have the stolen bytes: 55,8b,ec,83,ec,54
Write them down, we will need them later...
Close Olly...
We don't need it for now...
=============================
Step 3 - Rebuilding the IAT =
=============================
1. First run the program and wait for it to load.
2. Run Imprec and choose the process from the list.
3. Press "IAT AutoSearch".
4. Change the size from "BC" to 1000 (BC is too small!!).
5. Press "Get Imports".
6. Press "Show Invalid".
7. Right-click on the invalid entries shown and choose "Trace level 1".
8. Press "Show Invalid" again... now we should get something like this:
(cut from the saved tree)
FThunk: 0019E258 NbFunc: 00000400
1 0019E258 kernel32.dll 00D6 DeleteCriticalSection
1 0019E25C kernel32.dll 0228 LeaveCriticalSection
................
snip-snip
................
1 0019E2A4 kernel32.dll 01D1 GetThreadLocale
1 0019E2A8 kernel32.dll 01B9 GetStartupInfoA
0 0019E2AC ? 0000 017E0F2C <-- good
0 0019E2B0 ? 0000 017E139C <-- good
1 0019E2B4 kernel32.dll 018B GetModuleFileNameA
1 0019E2B8 kernel32.dll 0183 GetLocaleInfoA
1 0019E2BC kernel32.dll 0181 GetLastError
1 0019E2C0 kernel32.dll 0158 GetCurrentDirectoryA
0 0019E2C4 ? 0000 017E1408 <-- good
1 0019E2C8 kernel32.dll 0133 FreeLibrary
1 0019E2CC kernel32.dll 011C FindFirstFileA
..................
snip-snip
..................
1 0019E314 kernel32.dll 00A0 CloseHandle
0 0019E318 ? 0000 0255A00E <-- BAD
1 0019E31C user32.dll 0112 GetKeyboardType
1 0019E320 user32.dll 019F LoadStringA
1 0019E324 user32.dll 01AD MessageBoxA
1 0019E328 user32.dll 0026 CharNextA
0 0019E32C ? 0000 70F7D832 <-- BAD
1 0019E330 advapi32.dll 00F7 RegQueryValueExA
1 0019E334 advapi32.dll 00EF RegOpenKeyExA
1 0019E338 advapi32.dll 00D8 RegCloseKey
0 0019E33C ? 0000 F37514C2 <-- BAD
1 0019E340 oleaut32.dll 0006 SysFreeString
1 0019E344 oleaut32.dll 0005 SysReAllocStringLen
1 0019E348 oleaut32.dll 0004 SysAllocStringLen
0 0019E34C ? 0000 4007F56E <-- BAD
1 0019E350 kernel32.dll 0307 TlsSetValue
1 0019E354 kernel32.dll 0306 TlsGetValue
1 0019E358 kernel32.dll 01E6 GlobalAlloc
0 0019E35C ? 0000 017E139C <-- good
0 0019E360 ? 0000 BF57C0D8 <-- BAD
.......................
snip-snip
.......................
Well, it goes on like this...
We need to manually select all the BAD addresses (those not in the packer code), then right-click on them and choose "Cut Thunk(s)".
Watch out at the bottom of the window... there is a good thunk in there...
Now we need to fix those good ones... you can download some plugins from fraviamb.cjb.net,
or read my other tutorials on how to rebuild them (New2Cracking.cjb.net or Fraviamb.cjb.net).
Here is my fix:
0019E2AC -> 017E0F2C -> GetProcAddress
0019E2B0 -> 017E139C -> GetModuleHandleA
0019E2C4 -> 017E1408 -> GetCommandLineA
0019E35C -> 017E139C -> GetModuleHandleA
0019E428 -> 017E1420 -> LockResource
0019E47C -> 017E13C4 -> GetVersion
0019E4AC -> 017E0F2C -> GetProcAddress
0019E4B8 -> 017E139C -> GetModuleHandleA
0019E4FC -> 017E13F8 -> GetCurrentProcessId
0019E500 -> 017E13F0 -> GetCurrentProcess
0019E50C -> 017E1430 -> FreeResource
9. Press "Fix Dump" and choose our dumped file...
imprec saves the result with a "_" prefixed to the name of the dump file.
=========================
Step 4 - Fixing the OEP =
=========================
1. Open HVIEW / a hex editor, go to the OEP offset 57ea5b,
move back 6 bytes to 57ea55, and write the stolen bytes in place of the "00". Save as a new file.
2. Open ProcDump/Pe-Edit, press the "Pe-Edit" button, load the rebuilt file and change the entry point to 57ea55 (because of the stolen bytes).
3. If you try to run the program now, it will crash!!
4. Open Olly and load our fixed file.
5. Stopped at the OEP 57ea55, what is the value of EAX? Remember I told you to save the value of EAX at the OEP before dumping? It was EAX=57E318. The two values differ, which means one more instruction was stolen:
MOV EAX, 0157E318
This instruction takes 5 bytes (you can check it yourself in HVIEW):
B818E35700 MOV EAX, 0157E318
That means there are 6+5=11 (decimal) stolen bytes.
So the real OEP is:
11=B(hex)
OLD_OEP-STOLEN_BYTES=57EA5B-B=57EA50
OEP = 57EA50
Open the file in HVIEW / a hex editor, go to the new OEP and write:
55,8B,EC,83,EC,54,B8,18,E3,57,00
Change the entry point with ProcDump\Pe-Edit to 57EA50.
Haha, now the program runs!!!
Done!!!
Translator's note: I have always used SoftIce and never OllyDbg, so I am not sure whether some of the content is accurate; my skills are also limited, so if there are mistakes, please point them out!!
The original text is attached below:
Unpacking ASPR 1.3x With OllyDbg
================================================
Writer : LaBBa
App : System Cleaner 4.89 Build 110
Url : http://www.allerasoft.com/products/systemcleaner/
Pre to this tut
==================
ok listen up ! this is the 3rd time i write this tut !!
the first time my computer crashed while writing it,
the second time there was a power failure in my house !!
now..
this tut is going to show us how to unpack ASPR 1.3x real easy and fast,
and find the stolen bytes real easy and fast too...
and all that without using SoftIce, IceDump and /tracex !
how, u ask ?
by using OllyDbg !
Needed Tools
================
1. OllyDbg 1.09b2 or newer
2. ProcDump(G-rom)/Pe-edit(y0da)
3. imprec 1.3 (MackT/UCF)(protools.cjb.net)
4. HVIEW / Hex Editor
Steps of Unpacking
=======================
1. Finding the OEP + Dumping
2. Finding the Stolen Bytes
3. Rebuilding the IAT
4. Fixing the OEP
5. The End.
====================================
Step 1 - Finding the OEP + Dumping =
====================================
1. load Olly and load the App into it (if it asks something just say YES!)
2. now press F9 and the prog will break here :
017E3414 3100             XOR DWORD PTR DS:[EAX],EAX   <- we break Here!
017E3416 EB 01            JMP SHORT 017E3419
017E3418 68 648F0500      PUSH 58F64
why did Olly break ? we didn't ask for break points ?!
well, Olly breaks every time it enters a new module ... AND WE ARE GOING TO USE IT !!
3. press Shift+F9 so Olly continues to run till the next new module.
4. after 26 times of Shift+F9 we will be here :
017E2D7A 3100             XOR DWORD PTR DS:[EAX],EAX   <- we land here
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]         <- here to set a Break Point
017E2D83 58               POP EAX
017E2D84 833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
017E2D8B 74 14            JE SHORT 017E2DA1
017E2D8D 6A 0C            PUSH 0C
017E2D8F B9 806D7E01      MOV ECX,17E6D80
017E2D94 8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
017E2D97 BA 04000000      MOV EDX,4
017E2D9C E8 EFE0FFFF      CALL 017E0E90
017E2DA1 FF75 FC          PUSH DWORD PTR SS:[EBP-4]
017E2DA4 FF75 F8          PUSH DWORD PTR SS:[EBP-8]
017E2DA7 8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
017E2DAA 8338 00          CMP DWORD PTR DS:[EAX],0
017E2DAD 74 02            JE SHORT 017E2DB1
017E2DAF FF30             PUSH DWORD PTR DS:[EAX]
017E2DB1 FF75 F0          PUSH DWORD PTR SS:[EBP-10]
017E2DB4 FF75 EC          PUSH DWORD PTR SS:[EBP-14]
017E2DB7 C3               RETN
if we do another Shift+F9 the App will start running .. so DON'T!!
5. now move the marker down to :
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]
and now press F2 (set Break Point).
now press Shift+F9 and Olly will break at our break point.
6. now trace with F8 (Trace Over) and execute the RETN and you will be here:
017F4EC8 E9 080A0000      JMP 017F58D5                 <- we are here
execute this jump with F8 too..
now we will be here:
017F58D5 D3DE             RCR ESI,CL                   <-- we Land Here
017F58D7 B9 7D966271      MOV ECX,7162967D
017F58DC 81C1 38F10A23    ADD ECX,230AF138
017F58E2 D3EE             SHR ESI,CL
017F58E4 BA 9ECC7376      MOV EDX,7673CC9E
017F58E9 81EA C56EFFD4    SUB EDX,D4FF6EC5
017F58EF 81F2 B7104902    XOR EDX,24910B7
017F58F5 C1CA 94          ROR EDX,94
017F58F8 8BF2             MOV ESI,EDX
017F58FA 81EE 87D851D2    SUB ESI,D251D887
017F5900 C1CE B0          ROR ESI,0B0
017F5903 8BC6             MOV EAX,ESI
017F5905 C1C8 28          ROR EAX,28
017F5908 53               PUSH EBX
017F5909 5E               POP ESI
017F590A 81C5 974FAF73    ADD EBP,73AF4F97
017F5910 BA 048A9178      MOV EDX,78918A04
017F5915 F7D2             NOT EDX
017F5917 F7D2             NOT EDX
017F5919 81C2 FC756E87    ADD EDX,876E75FC
017F591F 8BDA             MOV EBX,EDX
017F5921 41               INC ECX                      ---------------
017F5922 8BD9             MOV EBX,ECX                  |
017F5924 D1C3             ROL EBX,1                    | a Really Long
017F5926 81F3 A38FD7AC    XOR EBX,ACD78FA3             | Loop
017F592C 3BD8             CMP EBX,EAX                  |
017F592E ^0F85 EDFFFFFF   JNZ 017F5921                 ---------------
017F5934 8BC1             MOV EAX,ECX                  <<-- Here To Set A Break Point!
well, we will not trace the whole loop by pressing F8 !! we will put a Break Point on :
017F5934 8BC1             MOV EAX,ECX
now after setting the Break Point (F2) press F9 (Run) and we will break at our BP
7. now what ?? we trace all the way with F8 / F7 (Trace Into) ??!!
well.. NO!!
we have a nice feature in Olly called Command Line
Choose from the menu Plugins->Command line->Command line
now we are going to write a trace command with a condition!
YES ! Olly does have a Trace command! It's called - TC - Trace Condition
it will trace till the condition is True !
So..
Write in the text Box : TC EIP<900000
and now press Enter.
at the bottom right of the window you will see : "Tracing"
on my slow computer it took about 8+ min (350MHz)
on another computer that i tried it took 2+ min (900MHz Celeron)
so if anyone would like to buy me a computer u know where to find me and msg me.
8. after the trace is done we break here :
0057EA5B E8               DB E8
0057EA5C 00               DB 00
0057EA5D 8A               DB 8A
0057EA5E E8               DB E8
0057EA5F FF               DB FF
Hey !! i Dont See Shit !! what is this ?!
well, this code has not been analysed yet by Olly
it doesn't really matter, WE ARE AT THE OEP!
OEP=57EA5B
9. Important ! at the OEP look at the value of EAX (top right - CPU Window)
EAX=57E318
write it down and keep it, we will need it !
10. Now open ProcDump/Pe-Edit and dump our process fully.
===================================
Step 2 - Finding the Stolen Bytes =
===================================
well, for the Stolen Bytes there are currently 3 ways:
1. ASPR will execute the stolen bytes and then go to the OEP like this:
Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
.....
.....
PUSH_THE_ADDRESS_OF_OEP
RET_TO_OEP
2. ASPR will first save the Stolen Bytes, then it will erase the bytes from the OEP, then it will jump to the OEP like this :
Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
PUSH EBX
PUSH ESI
PUSH EDI
......
......
......
REPZ STOSB <- erases the bytes
POPFD
POPAD
JMP_TO_OEP
3. With NO Stolen Bytes it just does POPAD and jumps to the OEP (No Stolen Bytes)
so which one are we dealing with ??
to view the last steps of ASPR before it got to our OEP we need to see the Trace Log
YES ! Olly has got a trace log, called "Run Trace"
so.. choose the menu View->Run trace
now we will see a new window .. go to the line one before the last and u will see that the CPU window also changes to the same address and it will look like this :
017F5779 F3:AA            REP STOS BYTE PTR ES:[EDI]
017F577B 9D               POPFD
017F577C 61               POPAD
017F577D -E9 D992D8FE     JMP SYSTEMCL.0057EA5B        <-- the address of the OEP
so we are dealing with way #2! ;)
this i found to be working on winXP, NOT win98 :
so now in the CPU window press Ctrl+S (Search for Sequence of Commands)
and write this there :
PUSH EBX
PUSH ESI
PUSH EDI
you will find :
01029227 0055 8B          ADD BYTE PTR SS:[EBP-75],DL
0102922A EC               IN AL,DX                     ; I/O command
0102922B 83EC 54          SUB ESP,54
0102922E 53               PUSH EBX
0102922F 56               PUSH ESI
01029230 57               PUSH EDI
01029231 6A 11            PUSH 11
ignore the "00" and you will have our stolen bytes : 55,8b,ec,83,ec,54
write them down too, we will need them later...
NOW CLOSE OLLY AND EXIT IT...
WE DONT NEED IT FOR NOW...
=============================
Step 3 - Rebuilding the IAT =
=============================
1. first run our app and wait till it's loaded.
2. open Imprec and choose our process from the list
3. press on "IAT AutoSearch"
4. change the size from "BC" to 1000 (BC is too small !!)
5. press on "Get Imports"
6. press on "Show Invalid"
7. right click on the invalid entries that were shown and choose "Trace level 1"
8. press on "Show Invalid" again .. and now we should get something like this:
(cut from the saved tree)
FThunk: 0019E258 NbFunc: 00000400
1 0019E258 kernel32.dll 00D6 DeleteCriticalSection
1 0019E25C kernel32.dll 0228 LeaveCriticalSection
................
snip-snip
................
1 0019E2A4 kernel32.dll 01D1 GetThreadLocale
1 0019E2A8 kernel32.dll 01B9 GetStartupInfoA
0 0019E2AC ? 0000 017E0F2C <-- good
0 0019E2B0 ? 0000 017E139C <-- good
1 0019E2B4 kernel32.dll 018B GetModuleFileNameA
1 0019E2B8 kernel32.dll 0183 GetLocaleInfoA
1 0019E2BC kernel32.dll 0181 GetLastError
1 0019E2C0 kernel32.dll 0158 GetCurrentDirectoryA
0 0019E2C4 ? 0000 017E1408 <-- good
1 0019E2C8 kernel32.dll 0133 FreeLibrary
1 0019E2CC kernel32.dll 011C FindFirstFileA
..................
snip-snip
..................
1 0019E314 kernel32.dll 00A0 CloseHandle
0 0019E318 ? 0000 0255A00E <-- BAD
1 0019E31C user32.dll 0112 GetKeyboardType
1 0019E320 user32.dll 019F LoadStringA
1 0019E324 user32.dll 01AD MessageBoxA
1 0019E328 user32.dll 0026 CharNextA
0 0019E32C ? 0000 70F7D832 <-- BAD
1 0019E330 advapi32.dll 00F7 RegQueryValueExA
1 0019E334 advapi32.dll 00EF RegOpenKeyExA
1 0019E338 advapi32.dll 00D8 RegCloseKey
0 0019E33C ? 0000 F37514C2 <-- BAD
1 0019E340 oleaut32.dll 0006 SysFreeString
1 0019E344 oleaut32.dll 0005 SysReAllocStringLen
1 0019E348 oleaut32.dll 0004 SysAllocStringLen
0 0019E34C ? 0000 4007F56E <-- BAD
1 0019E350 kernel32.dll 0307 TlsSetValue
1 0019E354 kernel32.dll 0306 TlsGetValue
1 0019E358 kernel32.dll 01E6 GlobalAlloc
0 0019E35C ? 0000 017E139C <-- good
0 0019E360 ? 0000 BF57C0D8 <-- BAD
.......................
snip-snip
.......................
well, it continues like this on and on..
we need to manually choose all the BAD addresses (not in the packer code) and then choose "Cut Thunk(s)" from the right-click menu on them.
* Watch out at the end .. there is a good thunk in there..
now we need to fix those other good ones.. u can download some plugs i saw there from fraviamb.cjb.net, or read my other tuts about how to rebuild those (New2Cracking.cjb.net or Fraviamb.cjb.net)
here is my fix :
0019E2AC -> 017E0F2C -> GetProcAddress
0019E2B0 -> 017E139C -> GetModuleHandleA
0019E2C4 -> 017E1408 -> GetCommandLineA
0019E35C -> 017E139C -> GetModuleHandleA
0019E428 -> 017E1420 -> LockResource
0019E47C -> 017E13C4 -> GetVersion
0019E4AC -> 017E0F2C -> GetProcAddress
0019E4B8 -> 017E139C -> GetModuleHandleA
0019E4FC -> 017E13F8 -> GetCurrentProcessId
0019E500 -> 017E13F0 -> GetCurrentProcess
0019E50C -> 017E1430 -> FreeResource
9. now press on "Fix Dump" and choose our dumped file..
imprec will save the file with "_" before the name of the dump file.
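The thunk triage in Step 3 (both the translated and the original version above) is done by eye in ImpRec. The following is an added example, not part of LaBBa's tutorial, that applies the same rule to lines of the saved tree: an unresolved thunk whose target lies inside the packer's module (assumed here to be the 017Exxxx range seen in the listings) is "good" and gets a name from the author's fix table, anything else is BAD and is cut. The tree slice is constructed from the page's own entries; the module range and the FIX_TABLE contents beyond the page's values are assumptions.

```python
# Added example (not from the tutorial): classify ImpRec thunk entries the way
# Step 3 does by hand, then apply the author's manual fix table.
import re

# Assumption: ASProtect's API redirection stubs live in the 017Exxxx module
# seen in the listings; unresolved thunks pointing there are "good" (fixable
# by hand), anything else is "BAD" and gets "Cut Thunk(s)".
PACKER_LO, PACKER_HI = 0x017E0000, 0x01800000

# Manual fix table from the tutorial: thunk RVA -> real API name.
FIX_TABLE = {
    0x0019E2AC: "GetProcAddress",
    0x0019E2B0: "GetModuleHandleA",
    0x0019E2C4: "GetCommandLineA",
    0x0019E35C: "GetModuleHandleA",
}

# Constructed sample: a slice of the saved ImpRec tree, arrows removed.
TREE = """\
1 0019E2A8 kernel32.dll 01B9 GetStartupInfoA
0 0019E2AC ? 0000 017E0F2C
0 0019E2B0 ? 0000 017E139C
1 0019E2B4 kernel32.dll 018B GetModuleFileNameA
0 0019E318 ? 0000 0255A00E
0 0019E35C ? 0000 017E139C
0 0019E360 ? 0000 BF57C0D8
"""

RESOLVED = re.compile(r"^1 ([0-9A-F]{8}) (\S+) ([0-9A-F]{4}) (\S+)$")
UNRESOLVED = re.compile(r"^0 ([0-9A-F]{8}) \? 0000 ([0-9A-F]{8})$")

def classify(line):
    """Return (thunk_rva, status, detail) for one ImpRec tree line."""
    m = RESOLVED.match(line)
    if m:
        return int(m.group(1), 16), "ok", m.group(4)
    m = UNRESOLVED.match(line)
    if not m:
        raise ValueError("unrecognised tree line: " + line)
    rva, target = int(m.group(1), 16), int(m.group(2), 16)
    if PACKER_LO <= target < PACKER_HI:
        return rva, "good", target   # redirected through the packer: fix by hand
    return rva, "BAD", target        # garbage pointer: cut the thunk

def repair(tree, fixes):
    """Build the final import list and the list of thunks to cut."""
    imports, cut = {}, []
    for line in tree.splitlines():
        rva, status, detail = classify(line)
        if status == "ok":
            imports[rva] = detail
        elif status == "good":
            imports[rva] = fixes[rva]  # KeyError = a good thunk we forgot to fix
        else:
            cut.append(rva)
    return imports, cut

if __name__ == "__main__":
    imports, cut = repair(TREE, FIX_TABLE)
    for rva in sorted(imports):
        print("%08X -> %s" % (rva, imports[rva]))
    print("cut thunks:", ["%08X" % r for r in cut])
```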
=========================
Step 4 - Fixing the OEP =
=========================
1. now open HVIEW / Hex Editor and go to the OEP offset: 57ea5b
go up (back) to 57ea55 (6 bytes back) and write our stolen bytes instead of the "00". now save our new file.
2. now open ProcDump/Pe-Edit, load our rebuilt file into Pe-Edit and change the Entry Point to : 57ea55 (because of the stolen bytes)
3. if u now try to run the App it will Crash!!
4. open Olly and load our Fixed File into it
5. at the OEP : 57ea55 what is the value of EAX ? Remember that i told you to save the value of EAX at the OEP before the dumping ? it was EAX=57E318
this value is different from our value, that means that we have one more command that is stolen:
MOV EAX, 0157E318
in bytes it takes 5 bytes (you can try it yourself in HVIEW)
B818E35700 MOV EAX, 0157E318
that means we have 6+5=11 (decimal) stolen bytes
that means that the real OEP is:
11=B(hex)
OLD_OEP-STOLEN_BYTES=57EA5B-B=57EA50
OEP = 57EA50
now go to the new OEP in HVIEW/Hex Edit and write there :
55,8B,EC,83,EC,54,B8,18,E3,57,00
now fix the Entry Point with ProcDump\Pe-Edit to : 57EA50
and now the prog can RUN!!!!!
The End!
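Step 4 (in both the translated and the original version) does the same arithmetic and hex-editing by hand. The block below is an added example, not LaBBa's code, that reproduces it: encode the missing MOV EAX,imm32 from the EAX value noted at the OEP, append it to the six stolen bytes, move the entry point back by the total, and write the prologue into a dump. It assumes, as the tutorial does for this dump, that the OEP's file offset equals its RVA, and it uses a constructed in-memory "dump" rather than a real file.

```python
# Added example (not from the tutorial): reproduce the Step 4 arithmetic and
# the patch of the dumped file in code. Assumption: file offset == RVA for
# the OEP, as the tutorial treats it; the dump below is constructed.
import struct

OLD_OEP = 0x57EA5B                        # where the TC trace stopped
STOLEN = bytes.fromhex("558BEC83EC54")    # PUSH EBP / MOV EBP,ESP / SUB ESP,54
EAX_AT_OEP = 0x57E318                     # EAX value noted before dumping

def mov_eax_imm32(value):
    """Encode MOV EAX, imm32 (opcode B8 followed by a little-endian dword)."""
    return b"\xB8" + struct.pack("<I", value)

def build_prologue(stolen, eax_value):
    """The stolen bytes followed by the MOV EAX,imm32 that ASPR also removed."""
    return stolen + mov_eax_imm32(eax_value)

def real_oep(old_oep, prologue):
    """Move the entry point back by the number of stolen bytes."""
    return old_oep - len(prologue)

def patch_dump(dump, old_oep, prologue):
    """Write the prologue in front of the old OEP. Refuses to patch if the
    bytes there are not the zero padding the tutorial expects to overwrite,
    which would mean the stolen-byte count or the OEP is wrong."""
    new_oep = real_oep(old_oep, prologue)
    hole = dump[new_oep:old_oep]
    if hole != b"\x00" * len(prologue):
        raise ValueError("bytes before the OEP are not zero padding: " + hole.hex())
    patched = bytearray(dump)
    patched[new_oep:old_oep] = prologue
    return bytes(patched), new_oep

# Constructed dump: zero padding up to the old OEP, then the five bytes Olly
# showed there (E8 00 8A E8 FF).
DUMP = b"\x00" * OLD_OEP + bytes.fromhex("E8008AE8FF")

if __name__ == "__main__":
    prologue = build_prologue(STOLEN, EAX_AT_OEP)
    patched, new_oep = patch_dump(DUMP, OLD_OEP, prologue)
    print("prologue   :", prologue.hex().upper())   # 558BEC83EC54B818E35700
    print("new OEP    : %08X" % new_oep)            # 0057EA50
    print("bytes there:", patched[new_oep:new_oep + len(prologue)].hex().upper())
```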