System Cleaner 4.89 Build 110

用OllyDbg脫ASPR 1.3x的殼
================================================

作者：LaBBa
翻譯：gmh001
軟體： System Cleaner 4.89 Build 110
Url : http://www.allerasoft.com/products/systemcleaner/

前言
==================
ＯＫ，貼上來！！這是我第三次寫這篇破解文章，第一次正在寫的時候機當機了，第二次停電了。
（呵呵，運氣有點背啊…）
現在…

這篇文章講述如何真正快速簡單的脫掉ASPR 1.3x的殼，並且找出被抽掉的位元組…

並且不使用SoftIce、IceDump和 /tracex！

用什麼？

使用OllyDbg ！

所需工具
================
1. OllyDbg 1.09b2 or newer
2. ProcDump(G-rom)/Pe-edit(y0da)
3. imprec 1.3 (MackT/UCF)(protools.cjb.net)
4. HVIEW / Hex Editor

脫殼步驟
=======================
1. 找到 OEP＋從記憶體中抓取程式
2. 找到抽掉的位元組
3. 重建IAT
4. 修正OEP
5. 結束

====================================
第一步―找到 OEP＋從記憶體中抓取程式
====================================

1. 執行Olly並載入應用程式（如果有提示就按 YES！）
2. 現在按Ｆ９就會在這兒中斷：

017E3414 3100 XOR DWORD PTR DS:[EAX],EAX 〈－我們在這兒中斷！
017E3416 EB 01 JMP SHORT 017E3419
017E3418 68 648F0500 PUSH 58F64

為什麼Olly會中斷？我們不用設斷點嗎？！
呵呵，Olly在每次進入一個新模組時都會中斷…我們將繼續使用它！！

3. 按Shift+F9，這樣Olly會繼續執行直到遇到一個新模組。
4. 按Shift+F9２６次後我們將到達這裡：

017E2D7A 3100 XOR DWORD PTR DS:[EAX],EAX〈－我們停在這裡
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0] 〈在這裡設斷點
017E2D83 58 POP EAX
017E2D84 833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
017E2D8B 74 14 JE SHORT 017E2DA1
017E2D8D 6A 0C PUSH 0C
017E2D8F B9 806D7E01 MOV ECX,17E6D80
017E2D94 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
017E2D97 BA 04000000 MOV EDX,4
017E2D9C E8 EFE0FFFF CALL 017E0E90
017E2DA1 FF75 FC PUSH DWORD PTR SS:[EBP-4]
017E2DA4 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
017E2DA7 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
017E2DAA 8338 00 CMP DWORD PTR DS:[EAX],0
017E2DAD 74 02 JE SHORT 017E2DB1
017E2DAF FF30 PUSH DWORD PTR DS:[EAX]
017E2DB1 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
017E2DB4 FF75 EC PUSH DWORD PTR SS:[EBP-14]
017E2DB7 C3 RETN

如果我們再按一次Shift+F9，軟體就執行了…千萬別這麼做！！

5. 現在我們向下移游標，到這裡：

017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]

按 F2（設斷點）。
再按Shift+F9，Olly就會在斷點中斷。

6. 現在按F8單步追蹤，執行RETN將會到達這裡：

017F4EC8 E9 080A0000 JMP 017F58D5 〈－在這裡

按F8執行這個跳轉…
現在我們來到這裡：
017F58D5 D3DE RCR ESI,CL 〈－停在這裡
017F58D7 B9 7D966271 MOV ECX,7162967D
017F58DC 81C1 38F10A23 ADD ECX,230AF138
017F58E2 D3EE SHR ESI,CL
017F58E4 BA 9ECC7376 MOV EDX,7673CC9E
017F58E9 81EA C56EFFD4 SUB EDX,D4FF6EC5
017F58EF 81F2 B7104902 XOR EDX,24910B7
017F58F5 C1CA 94 ROR EDX,94
017F58F8 8BF2 MOV ESI,EDX
017F58FA 81EE 87D851D2 SUB ESI,D251D887
017F5900 C1CE B0 ROR ESI,0B0
017F5903 8BC6 MOV EAX,ESI
017F5905 C1C8 28 ROR EAX,28
017F5908 53 PUSH EBX
017F5909 5E POP ESI
017F590A 81C5 974FAF73 ADD EBP,73AF4F97
017F5910 BA 048A9178 MOV EDX,78918A04
017F5915 F7D2 NOT EDX
017F5917 F7D2 NOT EDX
017F5919 81C2 FC756E87 ADD EDX,876E75FC
017F591F 8BDA MOV EBX,EDX
017F5921 41 INC ECX-------------------------
017F5922 8BD9 MOV EBX,ECX |
017F5924 D1C3 ROL EBX,1 | a Realy Long
017F5926 81F3 A38FD7AC XOR EBX,ACD78FA3 | Loop
017F592C 3BD8 CMP EBX,EAX |
017F592E ^0F85 EDFFFFFF JNZ 017F5921--------------------
017F5934 8BC1 MOV EAX,ECX 〈〈－在這裡設斷點！！

好了，我們可以不用透過按 F8 來追蹤整個迴圈！！我們在下面的指令上設一個斷點：

017F5934 8BC1 MOV EAX,ECX

設定斷點後（F2），按F9（執行），將會在斷點上停下來。

7. 為什麼？？總是用F8 / F7追蹤？？！！
好吧…不！！
Olly裡有一個很好的功能：呼叫命令列。
從選單裡選擇：Plugins->Command line->Command line

現在我們將寫一個條件追蹤命令！
YES ! Olly有一個追蹤命令！它呼叫－TC－條件追蹤
它將會在條件表示式為真時中斷！

這樣…在文字框裡寫入：TC EIP<900000
按Enter鍵。
在視窗的右下會出現：“正在追蹤”

我的機子慢，花了大約８分鐘(350MHz)
在另一臺較快的機子上花了２分鐘多一點(900MHz Celeron)

8. 追蹤完成後中斷在這裡：

0057EA5B E8 DB E8
0057EA5C 00 DB 00
0057EA5D 8A DB 8A
0057EA5E E8 DB E8
0057EA5F FF DB FF

嘿！！ i Dont See Shit !!這是為什麼？！
噢，Olly沒有分析這段程式碼，實際上我們並沒有真提停在OEP上！
OEP=57EA5B

9. 重點！！在OEP處看盾EAX值（CPU視窗的右上面）
EAX=57E318
記住它，以後會用到它的。

10. 開啟 ProcDump/Pe-Edit，完全抓取程式。

===================================
第三步－找出抽掉的位元組＝
===================================

找出抽掉的位元組有三種方法：

1. ASPR會執行抽掉的位元組，象下面這樣跳轉到OEP：

Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
.....
.....
PUSH_THE_ADDRESS_OF_OEP
RET_TO_OEP

2. ASPR首先儲存抽掉的位元組，然後從OEP處還原，再象下面這樣跳轉到OEP：

Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
PUSH EBX
PUSH ESI
PUSH EDI
......
......
......
REPZ STOSB 〈－還原位元組
POPFD
POPAD
JMP_TO_OEP

3. 沒有抽掉的位元組時，只執行PopAD指令和跳轉到OEP。

那麼我們怎麼處理它呢？
看看ASPR在跳轉到OEP前的最後幾步是什麼。這需要檢視跟蹤日記。
太好了！Olly可以使用"Run Trace"功能來得到一個跟蹤日記。
這樣…選擇選單： View->Run trace
現在我們看見一個新視窗…跳轉到最後一行的前一行，你會看到CPU視窗也變為同樣的地址，象下面這樣：

017F5779 F3:AA REP STOS BYTE PTR ES:[EDI]
017F577B 9D POPFD
017F577C 61 POPAD
017F577D -E9 D992D8FE JMP SYSTEMCL.0057EA5B 〈－OEP的地址

我們用第二種方法對付它！！

上面的內容我是在 winXP下發現的，不是 win98：:
在CPU視窗裡按 Ctrl+S（搜尋命令的次序）
寫入下面的：

PUSH EBX
PUSH ESI
PUSH EDI

你會發現：

01029227 0055 8B ADD BYTE PTR SS:[EBP-75],DL
0102922A EC IN AL,DX ; I/O命令
0102922B 83EC 54 SUB ESP,54
0102922E 53 PUSH EBX
0102922F 56 PUSH ESI
01029230 57 PUSH EDI
01029231 6A 11 PUSH 11

忽略 "00"，你會找到抽掉的位元組：55,8b,ec,83,ec,54
記下它們，以後會有用的…

關閉OLLY…
目前是不需要它啦…

=============================
第三步－重建IAT＝
=============================

1. 首先執行軟體，等候它被載入。
2. 執行Imprec，從列表中選擇程式。
3. 按"IAT AutoSearch"
4. 把大小從"BC"修改為1000（BC太小了！！）
5. 按"Get Imports"
6. 按"Show Invalid"
7. 在顯示無效的專案上右擊滑鼠，選擇"Trace level 1"
8. 再次按"Show Invalid"…現在我們應該得到下面的東西：

（從儲存的樹中剪下）
FThunk: 0019E258 NbFunc: 00000400
1 0019E258 kernel32.dll 00D6 DeleteCriticalSection
1 0019E25C kernel32.dll 0228 LeaveCriticalSection
................
省略－省略
................
1 0019E2A4 kernel32.dll 01D1 GetThreadLocale
1 0019E2A8 kernel32.dll 01B9 GetStartupInfoA
0 0019E2AC ? 0000 017E0F2C <-- good
0 0019E2B0 ? 0000 017E139C <-- good
1 0019E2B4 kernel32.dll 018B GetModuleFileNameA
1 0019E2B8 kernel32.dll 0183 GetLocaleInfoA
1 0019E2BC kernel32.dll 0181 GetLastError
1 0019E2C0 kernel32.dll 0158 GetCurrentDirectoryA
0 0019E2C4 ? 0000 017E1408 <-- good
1 0019E2C8 kernel32.dll 0133 FreeLibrary
1 0019E2CC kernel32.dll 011C FindFirstFileA
..................
省略－省略
..................
1 0019E314 kernel32.dll 00A0 CloseHandle
0 0019E318 ? 0000 0255A00E <-- BAD
1 0019E31C user32.dll 0112 GetKeyboardType
1 0019E320 user32.dll 019F LoadStringA
1 0019E324 user32.dll 01AD MessageBoxA
1 0019E328 user32.dll 0026 CharNextA
0 0019E32C ? 0000 70F7D832 <-- BAD
1 0019E330 advapi32.dll 00F7 RegQueryvalueExA
1 0019E334 advapi32.dll 00EF RegOpenKeyExA
1 0019E338 advapi32.dll 00D8 RegCloseKey
0 0019E33C ? 0000 F37514C2 <-- BAD
1 0019E340 oleaut32.dll 0006 SysFreeString
1 0019E344 oleaut32.dll 0005 SysReAllocStringLen
1 0019E348 oleaut32.dll 0004 SysAllocStringLen
0 0019E34C ? 0000 4007F56E <-- BAD
1 0019E350 kernel32.dll 0307 TlsSetvalue
1 0019E354 kernel32.dll 0306 TlsGetvalue
1 0019E358 kernel32.dll 01E6 GlobalAlloc
0 0019E35C ? 0000 017E139C <-- good
0 0019E360 ? 0000 BF57C0D8 <-- BAD
.......................
省略－省略
.......................

好了，我們繼續重複這樣做…
我們需要手工選擇所有壞地址（不在壓縮程式碼內），然後在它們上面右擊滑鼠，從選單裡選擇 "Cut Thunk(s)"。
觀察視窗在最下…那兒有好的Thunk(s)…

現在我們需要修正這些好位元組…你可能從fraviamb.cjb.net下載過一些外掛
或者看我其他關於如何重建的文章（New2Cracking.cjb.net或者Fraviamb.cjb.net）
這是我修正的：

0019E2AC-> 017E0F2C ->GetProcAddress
0019E2B0-> 017E139C ->GetModuleHandleA
0019E2C4-> 017E1408 ->GetCommandLineA
0019E35C-> 017E139C ->GetModuleHandleA
0019E428-> 017E1420 ->LockResource
0019E47C-> 017E13C4 ->GetVersion
0019E4AC-> 017E0F2C ->GetProcAddress
0019E4B8-> 017E139C ->GetModuleHandleA
0019E4FC-> 017E13F8 ->GetCurrentProcessId
0019E500-> 017E13F0 ->GetCurrentProcess
0019E50C-> 017E1430 ->FreeResource

9. 按"Fix Dump"，選擇我們抓取的檔案…
imprec將會以在檔名前加"_"的方式儲存抓取的檔案。

=========================
第四步－修正OEP＝
=========================

1.開啟HVIEW /Hex編輯器，跳轉到OEP的偏移地址：57ea5b處，
向後移６位元組到57ea55處，用"00"替換寫入 stolen bytes. 儲存為新檔案。

2. 開啟ProcDump/Pe-Edit ，點選“Pe-Edit”按紐載入重建的新檔案，修改入口點為：57ea55 （因為抽掉的位元組）

3. 如果你現在試圖執行程式，它會死掉的！！

4. 開啟Olly並載入我們的修正檔案。

5. 停在OEP： 57ea55處，EAX暫存器的值是什麼？還記得我告訴過你在抓取之前儲存的EAX的值嗎？它是EAX=57E318，兩個值的差別意味著有兩個以上的命令： that is stolen:

MOV EAX, 0157E318

這條指令佔用５個位元組（你可自己在 HVIEW裡試一下）
B818E35700 MOV EAX, 0157E318
這意味著有6+5=11（十進位制）個抽掉的位元組
那麼，真正的OEP是：
11=B(hex)
OLD_OEP-STOLEN_BYTES=57EA5B-B=57EA50
OEP = 57EA50
用HVIEW/Hex開啟，跳轉到新的OEP，寫入：

55,8B,EC,83,EC,54,B8,18,E3,57,00

用ProcDump\Pe-Edit修改入口點為：57EA50
哈哈，這下程式能執行了！！！
收工！！！

翻譯後記：俺一直用Softice，沒用過OllyDbg，所以有些內容不知道是否準確，再者水平有限，如有錯誤，請各位大蝦指點！！

以下附原文：

Unpacking ASPR 1.3x With OllyDbg
================================================

Writer : LaBBa
App : System Cleaner 4.89 Build 110
Url : http://www.allerasoft.com/products/systemcleaner/

Pre to this tut
==================
ok listen up ! this is the 3rd time i write this tut !!
the first time my computer crash while writing it
the second time there was a power fail in my house !!

now..

this tut is going to show us how to unpack real easy and fast ASPR 1.3x
and finding the stolen bytes real easy and fast too...

and all that without using SoftIce and IceDump and the /tracex !

how u ask ?

by using OllyDbg !

Needed Tools
================
1. OllyDbg 1.09b2 or newer
2. ProcDump(G-rom)/Pe-edit(y0da)
3. imprec 1.3 (MackT/UCF)(protools.cjb.net)
4. HVIEW / Hex Editor

Steps of Unpacking
=======================
1. Finding the OEP + Dumping
2. Finding the Stolen Bytes
3. Rebuilding the IAT
4. Fixing the OEP
5. The End.

====================================
Step 1 - Finding the OEP + Dumping =
====================================

1. load Olly and load the App to it (if it ask somthing just say YES!)
2. now press F9 and the prog will break here :

017E3414 3100 XOR DWORD PTR DS:[EAX],EAX <- we break Here!
017E3416 EB 01 JMP SHORT 017E3419
017E3418 68 648F0500 PUSH 58F64

why Olly Break ? we didn't ask for break points ?!
well Olly Break every time that it enter a new module ... AND WE ARE GOING TO USE IT !!

3. press Shift+F9 so Olly continue to run till new module.
4. after 26 times of Shift+F9 we will be here :

017E2D7A 3100 XOR DWORD PTR DS:[EAX],EAX <-we land here
017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0] <-here to set a Break Point
017E2D83 58 POP EAX
017E2D84 833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
017E2D8B 74 14 JE SHORT 017E2DA1
017E2D8D 6A 0C PUSH 0C
017E2D8F B9 806D7E01 MOV ECX,17E6D80
017E2D94 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
017E2D97 BA 04000000 MOV EDX,4
017E2D9C E8 EFE0FFFF CALL 017E0E90
017E2DA1 FF75 FC PUSH DWORD PTR SS:[EBP-4]
017E2DA4 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
017E2DA7 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
017E2DAA 8338 00 CMP DWORD PTR DS:[EAX],0
017E2DAD 74 02 JE SHORT 017E2DB1
017E2DAF FF30 PUSH DWORD PTR DS:[EAX]
017E2DB1 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
017E2DB4 FF75 EC PUSH DWORD PTR SS:[EBP-14]
017E2DB7 C3 RETN

if we do another Shift+F9 the App will strat runing .. so DON'T!!

5. now move the marker down to :

017E2D7C 64:8F05 00000000 POP DWORD PTR FS:[0]

and now press F2 (set Break Point).
now press Shift+F9 and Olly will Break at our break point.

6. now trace with F8 (Trace Over) and execute the RETN and you will be here:

017F4EC8 E9 080A0000 JMP 017F58D5 <- we are here

execute with F8 this jump too..
now we will be here:
017F58D5 D3DE RCR ESI,CL <--we Land Here
017F58D7 B9 7D966271 MOV ECX,7162967D
017F58DC 81C1 38F10A23 ADD ECX,230AF138
017F58E2 D3EE SHR ESI,CL
017F58E4 BA 9ECC7376 MOV EDX,7673CC9E
017F58E9 81EA C56EFFD4 SUB EDX,D4FF6EC5
017F58EF 81F2 B7104902 XOR EDX,24910B7
017F58F5 C1CA 94 ROR EDX,94
017F58F8 8BF2 MOV ESI,EDX
017F58FA 81EE 87D851D2 SUB ESI,D251D887
017F5900 C1CE B0 ROR ESI,0B0
017F5903 8BC6 MOV EAX,ESI
017F5905 C1C8 28 ROR EAX,28
017F5908 53 PUSH EBX
017F5909 5E POP ESI
017F590A 81C5 974FAF73 ADD EBP,73AF4F97
017F5910 BA 048A9178 MOV EDX,78918A04
017F5915 F7D2 NOT EDX
017F5917 F7D2 NOT EDX
017F5919 81C2 FC756E87 ADD EDX,876E75FC
017F591F 8BDA MOV EBX,EDX
017F5921 41 INC ECX-------------------------
017F5922 8BD9 MOV EBX,ECX |
017F5924 D1C3 ROL EBX,1 | a Realy Long
017F5926 81F3 A38FD7AC XOR EBX,ACD78FA3 | Loop
017F592C 3BD8 CMP EBX,EAX |
017F592E ^0F85 EDFFFFFF JNZ 017F5921--------------------
017F5934 8BC1 MOV EAX,ECX <<-- Here To Set A Break Point!

well we will not trace the hole loop by pressing F8 !! we will put a Break Point
on :
017F5934 8BC1 MOV EAX,ECX

now after setting the Break Point (F2) press F9 (Run) and we will break at our BP

7. now what ?? we trace all with F8 / F7(Trace Into) all the way ??!!
well.. NO!!
we have a nice feature in Olly called Command Line
Choose from the menu Plugins->Command line->Command line

now we are going to write a trace command with condition!
YES ! Olly does have a Trace command! It's call - TC - Trace Condition
it will trace till the condition it True !

So.. Write in the text Box : TC EIP<900000
and now press Enter.
at the window right Down you will see : "Tracing"

at my Slow computer it took me about 8+ min (350MHz)
at another computer that i tried it took 2+ min (900MHz Celeron)

so if anyone would like to buy me a computer u know where to find me and msg me.

8. after the trace is done we break here :

0057EA5B E8 DB E8
0057EA5C 00 DB 00
0057EA5D 8A DB 8A
0057EA5E E8 DB E8
0057EA5F FF DB FF

Hey !! i Dont See Shit !! what is this ?!
well this code has not been analyse yet by Olly
it doesn't realy matter WE ARE AT THE OEP!
OEP=57EA5B

9. Important ! at the OEP look at the value of EAX (top right - CPU Window)
EAX=57E318
write it down and Keep it we could need it !

10. Now opne ProcDump/Pe-Edit and Dump fully our process.

===================================
Step 2 - Finding the Stolen Bytes =
===================================

well to the Stolen Bytes there is corntly 3 ways:

1. ASPR will Execute the stolen bytes and then go to the OEP like this:

Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
.....
.....
PUSH_THE_ADDRESS_OF_OEP
RET_TO_OEP

2. ASPR will first Save the Stolen Bytes then it will Eares the bytes From the OEP
then will Jmp to the OEP like this :

Stolen_Bytes_1
Stolen_Bytes_2
Stolen_Bytes_3
PUSH EBX
PUSH ESI
PUSH EDI
......
......
......
REPZ STOSB <- Eares the bytes
POPFD
POPAD
JMP_TO_OEP

3. With NO Stolen Bytes it just PopAD and jumps to the OEP (No Stolen Bytes)

so with what we are dealing with ??
to view the last steps of ASPR before it got to our OEP we need to See the Trace Log
YES ! Olly got a Trace code log that called "Run Trace"
so.. choose the menu View->Run trace
now we will See a new Window .. go to the line one before the last and u will see
that the CPU window also changes to the same address and it will look like this :

017F5779 F3:AA REP STOS BYTE PTR ES:[EDI]
017F577B 9D POPFD
017F577C 61 POPAD
017F577D -E9 D992D8FE JMP SYSTEMCL.0057EA5B <-- the address of the OEP

so we are dealing with #2 way! ;)

this i found that is working on winXP NOT win98 :
so now in the CPU window Press Ctrl+S (Serch for Seqeuance of Commads)
and write this there :

PUSH EBX
PUSH ESI
PUSH EDI

you will find :

01029227 0055 8B ADD BYTE PTR SS:[EBP-75],DL
0102922A EC IN AL,DX ; I/O command
0102922B 83EC 54 SUB ESP,54
0102922E 53 PUSH EBX
0102922F 56 PUSH ESI
01029230 57 PUSH EDI
01029231 6A 11 PUSH 11

ignor the "00" and you will have :
our stolen bytes : 55,8b,ec,83,ec,54
write them down too we will need them later...

NOW CLOSE OLLY AND EXIT IT...
WE DONT NEED IT FOR NOW...

=============================
Step 3 - Rebuilding the IAT =
=============================

1. first run our app an wait till its loaded.
2. open Imprec and choose our process from the list
3. press on "IAT AutoSearch"
4. change the size from "BC" to 1000 (BC is too small !!)
5. press on "Get Imports"
6. press on "Show Invalid"
7. right click on the invalid that was shown and choose "Trace level 1"
8. press on "Show Invalid" again .. and now we should get somthing like this:

(cut from the saved tree)
FThunk: 0019E258 NbFunc: 00000400
1 0019E258 kernel32.dll 00D6 DeleteCriticalSection
1 0019E25C kernel32.dll 0228 LeaveCriticalSection
................
snip-snip
................
1 0019E2A4 kernel32.dll 01D1 GetThreadLocale
1 0019E2A8 kernel32.dll 01B9 GetStartupInfoA
0 0019E2AC ? 0000 017E0F2C <-- good
0 0019E2B0 ? 0000 017E139C <-- good
1 0019E2B4 kernel32.dll 018B GetModuleFileNameA
1 0019E2B8 kernel32.dll 0183 GetLocaleInfoA
1 0019E2BC kernel32.dll 0181 GetLastError
1 0019E2C0 kernel32.dll 0158 GetCurrentDirectoryA
0 0019E2C4 ? 0000 017E1408 <-- good
1 0019E2C8 kernel32.dll 0133 FreeLibrary
1 0019E2CC kernel32.dll 011C FindFirstFileA
..................
snip-snip
..................
1 0019E314 kernel32.dll 00A0 CloseHandle
0 0019E318 ? 0000 0255A00E <-- BAD
1 0019E31C user32.dll 0112 GetKeyboardType
1 0019E320 user32.dll 019F LoadStringA
1 0019E324 user32.dll 01AD MessageBoxA
1 0019E328 user32.dll 0026 CharNextA
0 0019E32C ? 0000 70F7D832 <-- BAD
1 0019E330 advapi32.dll 00F7 RegQueryvalueExA
1 0019E334 advapi32.dll 00EF RegOpenKeyExA
1 0019E338 advapi32.dll 00D8 RegCloseKey
0 0019E33C ? 0000 F37514C2 <-- BAD
1 0019E340 oleaut32.dll 0006 SysFreeString
1 0019E344 oleaut32.dll 0005 SysReAllocStringLen
1 0019E348 oleaut32.dll 0004 SysAllocStringLen
0 0019E34C ? 0000 4007F56E <-- BAD
1 0019E350 kernel32.dll 0307 TlsSetvalue
1 0019E354 kernel32.dll 0306 TlsGetvalue
1 0019E358 kernel32.dll 01E6 GlobalAlloc
0 0019E35C ? 0000 017E139C <-- good
0 0019E360 ? 0000 BF57C0D8 <-- BAD
.......................
snip-snip
.......................

well it continue like this on and on..
we need to manualy choose all the BAD address (Not in the packer code) and then
choose "Cut Thunk(s)" from the right click of the mouse on them.
* Wachout at the end .. there is a good thunk in there..

now we need to fix those other Good bytes.. u can download from fraviamb.cjb.net some plugs
i saw there or to read my other tuts about how to rebuild those (New2Cracking.cjb.net or Fraviamb.cjb.net)
here is my fix :

0019E2AC-> 017E0F2C ->GetProcAddress
0019E2B0-> 017E139C ->GetModuleHandleA
0019E2C4-> 017E1408 ->GetCommandLineA
0019E35C-> 017E139C ->GetModuleHandleA
0019E428-> 017E1420 ->LockResource
0019E47C-> 017E13C4 ->GetVersion
0019E4AC-> 017E0F2C ->GetProcAddress
0019E4B8-> 017E139C ->GetModuleHandleA
0019E4FC-> 017E13F8 ->GetCurrentProcessId
0019E500-> 017E13F0 ->GetCurrentProcess
0019E50C-> 017E1430 ->FreeResource

9. now press on "Fix Dump" and choose our Dumped file..
imprec will save the file with "_" before the name of the dump file.

=========================
Step 4 - Fixing the OEP =
=========================

1. now open HVIEW /Hex Editor and go to the OEP offset: 57ea5b
go up (back) to 57ea55 (6 bytes back) and write instad of the "00" our
stolen bytes. now save our new file.

2. now open ProcDump/Pe-Edit and load to Pe-Edit our rebuild file and change
the Entery Point to : 57ea55 (because of the stolen bytes)

3. if u will now try to run the App it will Crash!!

4. open Olly and load to it our Fixed File

5. at the OEP : 57ea55 what is the value of EAX ? Remember that i told you
to save the value of EAX at the OEP before the dumping ? it was EAX=57E318
this value is deffrent from our value that means that we have one more Command
that is stolen:

MOV EAX, 0157E318

in bytes it takes 5 bytes(you can try it your self at HVIEW)
B818E35700 MOV EAX, 0157E318
that means we have 6+5=11(decimal) stolen bytes
that means that the real OEP is:
11=B(hex)
OLD_OEP-STOLEN_BYTES=57EA5B-B=57EA50
OEP = 57EA50
now go to the new OEP at HVIEW/Hex Edit and write there :

55,8B,EC,83,EC,54,B8,18,E3,57,00

now fix with ProcDump\Pe-Edit the Entery Point to : 57EA50
and now the prog can RUN!!!!!
The End!

System Cleaner 4.89 Build 110

相關文章