Title:
[Original] 图章制作系统 V3.63 (Stamp Making System V3.63): unpacking, removing the self-check and disarming the self-destruct code [Analysis]
Posted by: KuNgBiM
Time: 2005-08-02 16:03
Original link: http://bbs.pediy.com/showthread.php?threadid=15801
Details:
[Title]: 图章制作系统 V3.63 (Stamp Making System V3.63): unpacking, removing the self-check and disarming the self-destruct code [Analysis]
[Author]: KuNgBiM[DFCG]
[Author's e-mail]: gb_1227@163.com
[Software]: 图章制作系统 V3.63 (Stamp Making System V3.63)
[Written up]: 2005-07-29
[Download]: http://www.downreg.com/Software/View-Software-4587.htm
[Protection]: registration code + trial feature restrictions
[Packer and anti-tamper]: ASPack 2.12 + post-unpack self-check + self-destruct code (uses the system's autoexec.bat to delete the program when the check fails) + Anti-Loader
[Compiler]: Borland Delphi 6.0 - 7.0
[Environment]: WinXP, PEiD, OllyDbg, LordPE, ImportREC
[Date cracked]: 2005-09-01
[Goal]: promote the ESP trick for unpacking, remove the self-check, and study the algorithm
[Author's note]: I am a beginner at cracking and do this purely out of interest, nothing more. Please correct me where I have gone wrong!
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ [Unpacking] \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Identifying the packer: PEiD reports ASPack 2.12 -> Alexey Solodovnikov.
Tool of choice: now that we know it is ASPack, we bring out OllyDbg and, as the title promises, unpack it by hand.
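The PEiD step above identifies the packer from the bytes at the entry point. As an added example (my code, not from the original post), the following does the same thing for the stub shown in the OllyDbg listing: it follows the PE headers to AddressOfEntryPoint, maps that RVA into the right section, and compares the first entry-point bytes with the ASPack 2.12 sequence 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3. The `build_test_pe` helper is a constructed minimal PE used only so the check can run offline; it is not the target program.

```python
"""Detect the ASPack 2.12 entry stub in a PE image, the way a packer
scanner such as PEiD does.  Added example; not code from the original post."""
import struct

# First instructions of the ASPack 2.12 stub, as seen in the OllyDbg listing:
# pushad / call $+8 / jmp ... / push ebp / retn
ASPACK_212_STUB = bytes.fromhex("60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3")


def entry_point_bytes(image: bytes, count: int) -> bytes:
    """Return up to `count` raw file bytes at the PE entry point, or b'' if
    the image is not a PE or the entry point lies outside every section."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return b""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return b""
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = opt + opt_size                             # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        hdr = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", image, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            offset = rawptr + (entry_rva - vaddr)         # RVA -> file offset
            return image[offset:offset + count]
    return b""


def looks_like_aspack_212(image: bytes) -> bool:
    """True when the entry point starts with the ASPack 2.12 stub."""
    return entry_point_bytes(image, len(ASPACK_212_STUB)) == ASPACK_212_STUB


def build_test_pe(entry_code: bytes) -> bytes:
    """Constructed minimal PE32 for testing: one section at RVA 0x1000 whose
    raw data (file offset 0x200) starts with `entry_code`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    sec = bytearray(40)
    sec[:8] = b".aspack\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<4I", sec, 8, 0x1000, 0x1000, 0x200, 0x200)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(0x200, b"\0")
    return headers + entry_code.ljust(0x200, b"\0")


if __name__ == "__main__":
    packed = build_test_pe(ASPACK_212_STUB + bytes.fromhex("E8 01 00 00 00"))
    plain = build_test_pe(bytes.fromhex("55 8B EC 83 C4 F0"))   # Delphi OEP bytes from the listing
    print("packed sample:", looks_like_aspack_212(packed))   # True
    print("dumped sample:", looks_like_aspack_212(plain))    # False
```

The same RVA-to-offset mapping is what ImportREC needs when it is given the OEP as an RVA (0058CA10 - 00400000 = 0018CA10 here). Signature matching on the entry stub is only a first-pass triage; a modified stub or a different packer version needs a longer signature or an entropy check on the sections.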
————————————————————
Load the main program in OllyDbg:
005FA001 > 60 pushad ; the program stops here after loading; press F8 once
005FA002 E8 03000000 call MakeSign.005FA00A ; we land here; now look at the register window
005FA007 - E9 EB045D45 jmp 45BCA4F7
005FA00C 55 push ebp
005FA00D C3 retn
\\\\\\\\\\\\\\\ Registers \\\\\\\\\\\\\\\\
EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA4 ; esp=0012ffa4
EBP 0012FFF0
ESI 77F57D70 ntdll.77F57D70
EDI 77F944A8 ntdll.77F944A8
EIP 005FA002 MakeSign.005FA002
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Following the ESP trick, type hr 0012ffa4 in the command bar, press Enter and run with F9 (pushad has just saved the registers at that address; the hardware breakpoint fires when the stub's popad reads them back, right before it jumps to the OEP):
005FA3B0 /75 08 jnz short MakeSign.005FA3BA ; breaks here; continue with F7
005FA3B2 |B8 01000000 mov eax,1
005FA3B7 |C2 0C00 retn 0C
005FA3BA \68 10CA5800 push MakeSign.0058CA10 ; the 0058CA10 pushed here is the OEP; continue with F7
005FA3BF C3 retn ; returns to the program's original entry point, off into the light~~ continue with F7
Which returns to here:
0058CA10 55 push ebp ; here, correct the ImageSize with LordPE and dump the whole process
0058CA11 8BEC mov ebp,esp
0058CA13 83C4 F0 add esp,-10
0058CA16 B8 E0C55800 mov eax,MakeSign.0058C5E0
0058CA1B E8 64A2E7FF call MakeSign.00406C84
0058CA20 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA25 8B00 mov eax,dword ptr ds:[eax]
0058CA27 E8 4427EEFF call MakeSign.0046F170
0058CA2C A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA31 8B00 mov eax,dword ptr ds:[eax]
0058CA33 BA 70CA5800 mov edx,MakeSign.0058CA70
0058CA38 E8 3F23EEFF call MakeSign.0046ED7C
0058CA3D 8B0D 90885900 mov ecx,dword ptr ds:[598890] ; MakeSign.005A5BE8
0058CA43 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA48 8B00 mov eax,dword ptr ds:[eax]
Repairing the dump:
Run ImportREC 1.6, select the process, set the OEP to 0018CA10 and click IT AutoSearch; all pointers are valid. Fix Dump!
Then rebuild and optimise with LordPE; the file comes out at 1.83 MB and shows as compiled with Borland Delphi 6.0 - 7.0.
Close OllyDbg and test-run it: runs fine! But... ↓
Then the unexpected happened: as I was about to decompile the program for a look, I found that the freshly unpacked program we had just run was gone!~? Strange~~!? Could this program have a "post-unpack self-check" and the legendary "self-destruct code"? I traced it a bit and, sure enough, that is exactly what it does. Fine~~ "you" wasted my unpacking effort, so I'm not done with "you" yet~! Heh, the rest of this post explains how to get rid of this annoying "self-destruct self-check"!!! GO~~
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ [Removing the self-check] \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Reopen OllyDbg and load the "dumped_.exe" we just unpacked, repaired and optimised (I kept the default dump file name).
Type bpx CreateFileA in the command bar, press Enter and run with F9:
Once the program is running, click "OK" to dismiss the message box and it breaks:
004093BC 50 push eax
004093BD E8 C2DAFFFF call dumped_.00406E84 ; breaks here; step into it with F7, jmp to kernel32.CreateFileA
004093C2 5F pop edi
004093C3 5E pop esi
004093C4 5B pop ebx
004093C5 C3 retn
After stepping in:
00406E84 - FF25 1C645A00 jmp dword ptr ds:[5A641C] ; keep going with F7 to take the jump! kernel32.CreateFileA
00406E8A 8BC0 mov eax,eax
Which jumps to here:
77E5B476 > 55 push ebp ; we land here; F8 all the way!
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
77E5B489 FF75 20 push dword ptr ss:[ebp+20]
77E5B48C FF75 1C push dword ptr ss:[ebp+1C]
77E5B48F FF75 18 push dword ptr ss:[ebp+18]
77E5B492 FF75 14 push dword ptr ss:[ebp+14]
77E5B495 FF75 10 push dword ptr ss:[ebp+10]
77E5B498 FF75 0C push dword ptr ss:[ebp+C]
77E5B49B FF70 04 push dword ptr ds:[eax+4]
77E5B49E E8 EEFBFFFF call kernel32.CreateFileW
77E5B4A3 5D pop ebp
77E5B4A4 C2 1C00 retn 1C ; F8 to here and return
Which returns to here (the address right after the breakpoint above):
004093C2 5F pop edi ; register restored, F7 one step, 00B80000
004093C3 5E pop esi ; register restored, F7 one step, 00BC689C
004093C4 5B pop ebx ; register restored, F7 one step, 00B8942C
004093C5 C3 retn ; returns to the next check
Which returns to here:
0041F9D5 8BC8 mov ecx,eax ; we return to here
0041F9D7 33D2 xor edx,edx
0041F9D9 8BC3 mov eax,ebx
0041F9DB E8 7CFEFFFF call dumped_.0041F85C
0041F9E0 837B 04 00 cmp dword ptr ds:[ebx+4],0
0041F9E4 7D 24 jge short dumped_.0041FA0A
0041F9E6 8975 F4 mov dword ptr ss:[ebp-C],esi
0041F9E9 C645 F8 0B mov byte ptr ss:[ebp-8],0B
0041F9ED 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0041F9F0 50 push eax
0041F9F1 6A 00 push 0
0041F9F3 8B0D A08C5900 mov ecx,dword ptr ds:[598CA0] ; dumped_.00418198
0041F9F9 B2 01 mov dl,1
0041F9FB A1 E49E4100 mov eax,dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF call dumped_.0040CB08
0041FA05 E8 0E46FEFF call dumped_.00404018
0041FA0A 8BC3 mov eax,ebx
0041FA0C 807D FF 00 cmp byte ptr ss:[ebp-1],0
0041FA10 74 0F je short dumped_.0041FA21
0041FA12 E8 F141FEFF call dumped_.00403C08
0041FA17 64:8F05 00000000 pop dword ptr fs:[0]
0041FA1E 83C4 0C add esp,0C
0041FA21 8BC3 mov eax,ebx
0041FA23 5F pop edi
0041FA24 5E pop esi
0041FA25 5B pop ebx
0041FA26 8BE5 mov esp,ebp
0041FA28 5D pop ebp
0041FA29 C2 0800 retn 8 ; another run of F8 brings us here and returns
Which returns to here:
0041F945 8BC6 mov eax,esi
0041F947 84DB test bl,bl
0041F949 74 0F je short dumped_.0041F95A
0041F94B E8 B842FEFF call dumped_.00403C08
0041F950 64:8F05 00000000 pop dword ptr fs:[0]
0041F957 83C4 0C add esp,0C
0041F95A 8BC6 mov eax,esi
0041F95C 5E pop esi
0041F95D 5B pop ebx
0041F95E 5D pop ebp
0041F95F C2 0400 retn 4 ; F8 all the way once more brings us here and returns
Which returns to here: (★important★)
00581E4A 8945 F4 mov dword ptr ss:[ebp-C],eax
00581E4D 33C0 xor eax,eax ; the data here differs before and after unpacking, eax=00B8942C
00581E4F 55 push ebp
00581E50 68 7C1E5800 push dumped_.00581E7C
00581E55 64:FF30 push dword ptr fs:[eax]
00581E58 64:8920 mov dword ptr fs:[eax],esp
00581E5B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E5E E8 D5D5E9FF call dumped_.0041F438 ; CRC check CALL
00581E63 8945 F8 mov dword ptr ss:[ebp-8],eax ; the current file size comes back in eax, eax=001D5200 // 1D5200 = 1921536 bytes
00581E66 33C0 xor eax,eax ; clears eax (the file size eax=001D5200 was saved to [ebp-8] just above)
00581E68 5A pop edx
00581E69 59 pop ecx
00581E6A 59 pop ecx
00581E6B 64:8910 mov dword ptr fs:[eax],edx
00581E6E 68 831E5800 push dumped_.00581E83
00581E73 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E76 E8 D119E8FF call dumped_.0040384C
00581E7B C3 retn
00581E7C ^\E9 5F21E8FF jmp dumped_.00403FE0
00581E81 ^ EB F0 jmp short dumped_.00581E73
00581E83 33C0 xor eax,eax
00581E85 5A pop edx
00581E86 59 pop ecx
00581E87 59 pop ecx
00581E88 64:8910 mov dword ptr fs:[eax],edx
00581E8B EB 0A jmp short dumped_.00581E97
00581E8D ^ E9 9A1EE8FF jmp dumped_.00403D2C
00581E92 E8 FD21E8FF call dumped_.00404094
00581E97 33C0 xor eax,eax
00581E99 5A pop edx
00581E9A 59 pop ecx
00581E9B 59 pop ecx
00581E9C 64:8910 mov dword ptr fs:[eax],edx
00581E9F 68 B41E5800 push dumped_.00581EB4
00581EA4 8D45 FC lea eax,dword ptr ss:[ebp-4]
00581EA7 E8 9027E8FF call dumped_.0040463C
00581EAC C3 retn
00581EAD ^\E9 2E21E8FF jmp dumped_.00403FE0
00581EB2 ^ EB F0 jmp short dumped_.00581EA4
00581EB4 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; final result, stack ss:[0012FDBC]=001D5200
00581EB7 5F pop edi
00581EB8 5E pop esi
00581EB9 5B pop ebx
00581EBA 8BE5 mov esp,ebp
00581EBC 5D pop ebp
00581EBD C3 retn ; returns to the program and tells it what to do next!
Which returns to here: (★important★ [first instance])
00584B87 E8 78D2FFFF call dumped_.00581E04
00584B8C 3D 00A00F00 cmp eax,0FA000 ; the author feared errors after packing, so the program is given a size limit of FA000
; FA000 = 1024000 bytes
00584B91 7E 1C jle short dumped_.00584BAF ; the program only runs normally if the file size is below this value, so this must jump!
*************************
Patch:
00584B8C 3D 00A00F00 cmp eax,0FA000 // I changed it to: cmp eax,0FFFFFFF (heh, 268435455 bytes is about 256 MB; how much software is bigger than 256 MB?)
*************************
00584B93 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00584B96 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584B9B 8B00 mov eax,dword ptr ds:[eax]
00584B9D E8 3EACEEFF call dumped_.0046F7E0
00584BA2 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00584BA5 E8 16D3FFFF call dumped_.00581EC0
00584BAA E8 19F9E7FF call dumped_.004044C8
00584BAF E8 E0D4FFFF call dumped_.00582094
00584BB4 84C0 test al,al
00584BB6 74 1C je short dumped_.00584BD4 ; jumps
00584BB8 8D55 EC lea edx,dword ptr ss:[ebp-14]
00584BBB A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584BC0 8B00 mov eax,dword ptr ds:[eax]
00584BC2 E8 19ACEEFF call dumped_.0046F7E0
00584BC7 8B45 EC mov eax,dword ptr ss:[ebp-14]
00584BCA E8 F1D2FFFF call dumped_.00581EC0
00584BCF E8 F4F8E7FF call dumped_.004044C8
00584BD4 8B83 B8040000 mov eax,dword ptr ds:[ebx+4B8]
00584BDA E8 8D9CFEFF call dumped_.0056E86C
00584BDF E8 ECD7FFFF call dumped_.005823D0
00584BE4 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584BEA 8B52 48 mov edx,dword ptr ds:[edx+48]
00584BED 3BC2 cmp eax,edx
00584BEF 7E 02 jle short dumped_.00584BF3 ; jumps
00584BF1 8BC2 mov eax,edx
00584BF3 8BD0 mov edx,eax
00584BF5 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584BFB E8 748DECFF call dumped_.0044D974
00584C00 8B83 C4040000 mov eax,dword ptr ds:[ebx+4C4]
00584C06 E8 619CFEFF call dumped_.0056E86C
00584C0B E8 90D8FFFF call dumped_.005824A0
00584C10 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C16 8B52 4C mov edx,dword ptr ds:[edx+4C]
00584C19 3BC2 cmp eax,edx
00584C1B 7E 02 jle short dumped_.00584C1F ; jumps
00584C1D 8BC2 mov eax,edx
00584C1F 8BD0 mov edx,eax
00584C21 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C27 E8 6C8DECFF call dumped_.0044D998
00584C2C 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C32 8B52 48 mov edx,dword ptr ds:[edx+48]
00584C35 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C3B 2B50 48 sub edx,dword ptr ds:[eax+48]
00584C3E D1FA sar edx,1
00584C40 79 03 jns short dumped_.00584C45 ; jumps
00584C42 83D2 00 adc edx,0
00584C45 E8 DE8CECFF call dumped_.0044D928
00584C4A 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C50 8B52 4C mov edx,dword ptr ds:[edx+4C]
00584C53 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C59 2B50 4C sub edx,dword ptr ds:[eax+4C]
00584C5C D1FA sar edx,1
00584C5E 79 03 jns short dumped_.00584C63 ; jumps
00584C60 83D2 00 adc edx,0
00584C63 E8 E48CECFF call dumped_.0044D94C
00584C68 B2 06 mov dl,6
00584C6A 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C70 E8 578AECFF call dumped_.0044D6CC
00584C75 B2 05 mov dl,5
00584C77 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C7D E8 4A8AECFF call dumped_.0044D6CC
00584C82 8BC3 mov eax,ebx
00584C84 E8 939AECFF call dumped_.0044E71C
00584C89 B2 06 mov dl,6
00584C8B 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C91 E8 368AECFF call dumped_.0044D6CC
00584C96 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C9C 8B50 48 mov edx,dword ptr ds:[eax+48]
00584C9F 83EA 02 sub edx,2
00584CA2 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584CA8 E8 C78CECFF call dumped_.0044D974
00584CAD 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584CB3 8B50 4C mov edx,dword ptr ds:[eax+4C]
00584CB6 83EA 02 sub edx,2
00584CB9 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584CBF E8 D48CECFF call dumped_.0044D998
00584CC4 8B83 64030000 mov eax,dword ptr ds:[ebx+364]
00584CCA 66:BE EBFF mov si,0FFEB
00584CCE E8 75EDE7FF call dumped_.00403A48 ; step in; it returns to the program for a second check
Which returns to here:
004093BC 50 push eax
004093BD E8 C2DAFFFF call dumped_.00406E84 ; we return to here; step in with F7, jmp to kernel32.CreateFileA
004093C2 5F pop edi
004093C3 5E pop esi
004093C4 5B pop ebx
004093C5 C3 retn
After stepping in:
00406E84 - FF25 1C645A00 jmp dword ptr ds:[5A641C] ; keep going with F7 to take the jump! kernel32.CreateFileA
00406E8A 8BC0 mov eax,eax
Which jumps to here:
77E5B476 > 55 push ebp ; we land here; F8 all the way!
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
77E5B489 FF75 20 push dword ptr ss:[ebp+20]
77E5B48C FF75 1C push dword ptr ss:[ebp+1C]
77E5B48F FF75 18 push dword ptr ss:[ebp+18]
77E5B492 FF75 14 push dword ptr ss:[ebp+14]
77E5B495 FF75 10 push dword ptr ss:[ebp+10]
77E5B498 FF75 0C push dword ptr ss:[ebp+C]
77E5B49B FF70 04 push dword ptr ds:[eax+4]
77E5B49E E8 EEFBFFFF call kernel32.CreateFileW
77E5B4A3 5D pop ebp
77E5B4A4 C2 1C00 retn 1C ; F8 to here and return
Which returns to here (the address right after the breakpoint above):
004093C2 5F pop edi ; register restored, F7 one step, 00B80000
004093C3 5E pop esi ; register restored, F7 one step, 00BC689C
004093C4 5B pop ebx ; register restored, F7 one step, 00B8942C
004093C5 C3 retn ; returns to the next check
Which returns to here:
0041F9D5 8BC8 mov ecx,eax ; we return to here
0041F9D7 33D2 xor edx,edx
0041F9D9 8BC3 mov eax,ebx
0041F9DB E8 7CFEFFFF call dumped_.0041F85C
0041F9E0 837B 04 00 cmp dword ptr ds:[ebx+4],0
0041F9E4 7D 24 jge short dumped_.0041FA0A
0041F9E6 8975 F4 mov dword ptr ss:[ebp-C],esi
0041F9E9 C645 F8 0B mov byte ptr ss:[ebp-8],0B
0041F9ED 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0041F9F0 50 push eax
0041F9F1 6A 00 push 0
0041F9F3 8B0D A08C5900 mov ecx,dword ptr ds:[598CA0] ; dumped_.00418198
0041F9F9 B2 01 mov dl,1
0041F9FB A1 E49E4100 mov eax,dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF call dumped_.0040CB08
0041FA05 E8 0E46FEFF call dumped_.00404018
0041FA0A 8BC3 mov eax,ebx
0041FA0C 807D FF 00 cmp byte ptr ss:[ebp-1],0
0041FA10 74 0F je short dumped_.0041FA21
0041FA12 E8 F141FEFF call dumped_.00403C08
0041FA17 64:8F05 00000000 pop dword ptr fs:[0]
0041FA1E 83C4 0C add esp,0C
0041FA21 8BC3 mov eax,ebx
0041FA23 5F pop edi
0041FA24 5E pop esi
0041FA25 5B pop ebx
0041FA26 8BE5 mov esp,ebp
0041FA28 5D pop ebp
0041FA29 C2 0800 retn 8 ; another run of F8 brings us here and returns
Which returns to here:
0041F945 8BC6 mov eax,esi
0041F947 84DB test bl,bl
0041F949 74 0F je short dumped_.0041F95A
0041F94B E8 B842FEFF call dumped_.00403C08
0041F950 64:8F05 00000000 pop dword ptr fs:[0]
0041F957 83C4 0C add esp,0C
0041F95A 8BC6 mov eax,esi
0041F95C 5E pop esi
0041F95D 5B pop ebx
0041F95E 5D pop ebp
0041F95F C2 0400 retn 4 ; F8 all the way once more brings us here and returns
Which returns to here: (★important★)
00581E4A 8945 F4 mov dword ptr ss:[ebp-C],eax
00581E4D 33C0 xor eax,eax ; the data here differs before and after unpacking, eax=00B8942C
00581E4F 55 push ebp
00581E50 68 7C1E5800 push dumped_.00581E7C
00581E55 64:FF30 push dword ptr fs:[eax]
00581E58 64:8920 mov dword ptr fs:[eax],esp
00581E5B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E5E E8 D5D5E9FF call dumped_.0041F438 ; CRC check CALL
00581E63 8945 F8 mov dword ptr ss:[ebp-8],eax ; the current file size comes back in eax, eax=001D5200 // 1D5200 = 1921536 bytes
00581E66 33C0 xor eax,eax ; clears eax (the file size eax=001D5200 was saved to [ebp-8] just above)
00581E68 5A pop edx
00581E69 59 pop ecx
00581E6A 59 pop ecx
00581E6B 64:8910 mov dword ptr fs:[eax],edx
00581E6E 68 831E5800 push dumped_.00581E83
00581E73 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E76 E8 D119E8FF call dumped_.0040384C
00581E7B C3 retn
00581E7C ^\E9 5F21E8FF jmp dumped_.00403FE0
00581E81 ^ EB F0 jmp short dumped_.00581E73
00581E83 33C0 xor eax,eax
00581E85 5A pop edx
00581E86 59 pop ecx
00581E87 59 pop ecx
00581E88 64:8910 mov dword ptr fs:[eax],edx
00581E8B EB 0A jmp short dumped_.00581E97
00581E8D ^ E9 9A1EE8FF jmp dumped_.00403D2C
00581E92 E8 FD21E8FF call dumped_.00404094
00581E97 33C0 xor eax,eax
00581E99 5A pop edx
00581E9A 59 pop ecx
00581E9B 59 pop ecx
00581E9C 64:8910 mov dword ptr fs:[eax],edx
00581E9F 68 B41E5800 push dumped_.00581EB4
00581EA4 8D45 FC lea eax,dword ptr ss:[ebp-4]
00581EA7 E8 9027E8FF call dumped_.0040463C
00581EAC C3 retn
00581EAD ^\E9 2E21E8FF jmp dumped_.00403FE0
00581EB2 ^ EB F0 jmp short dumped_.00581EA4
00581EB4 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; final result, stack ss:[0012FDBC]=001D5200
00581EB7 5F pop edi
00581EB8 5E pop esi
00581EB9 5B pop ebx
00581EBA 8BE5 mov esp,ebp
00581EBC 5D pop ebp
00581EBD C3 retn ; returns to the program and tells it what to do next!
Which returns to here: (★important★ [second instance])
005842C4 E8 3BDBFFFF call dumped_.00581E04
005842C9 3D 00A00F00 cmp eax,0FA000 ; the author feared errors after packing, so the program is given a size limit of FA000
; FA000 = 1024000 bytes
005842CE 7E 05 jle short dumped_.005842D5 ; the program only runs normally if the file size is below this value, so this must jump!
*************************
Patch:
005842C9 3D 00A00F00 cmp eax,0FA000 // I changed it to: cmp eax,0FFFFFFF (heh, 268435455 bytes is about 256 MB; how much software is bigger than 256 MB?)
*************************
005842D0 BB 01000000 mov ebx,1
005842D5 4B dec ebx
005842D6 0F85 0C020000 jnz dumped_.005844E8 ; jumps once the second CRC check passes (must jump)!
005842DC B9 24475800 mov ecx,dumped_.00584724 ; ASCII "system.ini"
005842E1 B2 01 mov dl,1
005842E3 A1 04084700 mov eax,dword ptr ds:[470804]
005842E8 E8 C7C5EEFF call dumped_.004708B4
005842ED 8BF0 mov esi,eax
005842EF 68 38475800 push dumped_.00584738
005842F4 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
005842FA 50 push eax
005842FB B9 44475800 mov ecx,dumped_.00584744 ; ASCII "date" ★one of the reasons the unpacked program gets deleted after it runs★
00584300 BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★explained in detail later★
00584305 8BC6 mov eax,esi
00584307 8B18 mov ebx,dword ptr ds:[eax]
00584309 FF13 call dword ptr ds:[ebx]
0058430B 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-90]
00584311 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584314 05 80000000 add eax,80
00584319 E8 7203E8FF call dumped_.00404690
0058431E 8BC6 mov eax,esi
00584320 E8 27F5E7FF call dumped_.0040384C
00584325 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584328 8B80 80000000 mov eax,dword ptr ds:[eax+80]
0058432E E8 7963E8FF call dumped_.0040A6AC
00584333 DBBD 64FFFFFF fstp tbyte ptr ss:[ebp-9C]
00584339 9B wait
0058433A E8 2568E8FF call dumped_.0040AB64
0058433F DBAD 64FFFFFF fld tbyte ptr ss:[ebp-9C]
00584345 DEE1 fsubrp st(1),st
00584347 D9E1 fabs
00584349 D81D 64475800 fcomp dword ptr ds:[584764]
0058434F DFE0 fstsw ax
00584351 9E sahf
00584352 0F86 90010000 jbe dumped_.005844E8
00584358 B9 24475800 mov ecx,dumped_.00584724 ; ASCII "system.ini"
0058435D B2 01 mov dl,1
0058435F A1 04084700 mov eax,dword ptr ds:[470804]
00584364 E8 4BC5EEFF call dumped_.004708B4
00584369 8BF0 mov esi,eax
0058436B 68 38475800 push dumped_.00584738
00584370 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
00584376 50 push eax
00584377 B9 70475800 mov ecx,dumped_.00584770 ; ASCII "protect" ★one of the reasons the unpacked program gets deleted after it runs★
0058437C BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★explained in detail later★
00584381 8BC6 mov eax,esi
00584383 8B18 mov ebx,dword ptr ds:[eax]
00584385 FF13 call dword ptr ds:[ebx]
00584387 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-A0]
0058438D 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584390 05 80000000 add eax,80
00584395 E8 F602E8FF call dumped_.00404690
0058439A 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058439D 8B80 80000000 mov eax,dword ptr ds:[eax+80]
005843A3 E8 104EE8FF call dumped_.004091B8
005843A8 8BD8 mov ebx,eax
005843AA 43 inc ebx
005843AB 8B45 FC mov eax,dword ptr ss:[ebp-4]
005843AE 8958 0C mov dword ptr ds:[eax+C],ebx
005843B1 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-A4]
005843B7 8BC3 mov eax,ebx
005843B9 E8 5A4DE8FF call dumped_.00409118
005843BE 8B85 5CFFFFFF mov eax,dword ptr ss:[ebp-A4]
005843C4 50 push eax
005843C5 B9 70475800 mov ecx,dumped_.00584770 ; ASCII "protect" ★one of the reasons the unpacked program gets deleted after it runs★
005843CA BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★explained in detail later★
005843CF 8BC6 mov eax,esi
005843D1 8B18 mov ebx,dword ptr ds:[eax]
005843D3 FF53 04 call dword ptr ds:[ebx+4]
005843D6 8B45 FC mov eax,dword ptr ss:[ebp-4]
005843D9 8378 0C 01 cmp dword ptr ds:[eax+C],1
005843DD 75 2F jnz short dumped_.0058440E
005843DF E8 8067E8FF call dumped_.0040AB64
005843E4 83C4 F4 add esp,-0C
005843E7 DB3C24 fstp tbyte ptr ss:[esp]
005843EA 9B wait
005843EB 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
005843F1 E8 B261E8FF call dumped_.0040A5A8
005843F6 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-A8]
005843FC 50 push eax
005843FD B9 44475800 mov ecx,dumped_.00584744 ; ASCII "date" ★one of the reasons the unpacked program gets deleted after it runs★
00584402 BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★explained in detail later★
00584407 8BC6 mov eax,esi
00584409 8B18 mov ebx,dword ptr ds:[eax]
0058440B FF53 04 call dword ptr ds:[ebx+4]
0058440E 8BC6 mov eax,esi
00584410 E8 37F4E7FF call dumped_.0040384C
00584415 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-AC]
0058441B A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584420 8B00 mov eax,dword ptr ds:[eax]
00584422 E8 B9B3EEFF call dumped_.0046F7E0
00584427 8B85 54FFFFFF mov eax,dword ptr ss:[ebp-AC]
0058442D E8 8EDAFFFF call dumped_.00581EC0
00584432 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584435 8B40 0C mov eax,dword ptr ds:[eax+C]
00584438 83F8 01 cmp eax,1
0058443B 0F8E A2000000 jle dumped_.005844E3
00584441 83F8 02 cmp eax,2
00584444 75 34
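The trace above is long, and the facts that matter (which strings the check touches, where it calls, which immediates it compares against) are scattered through hundreds of listing lines. As an added example (my code, not the post's), here is a small parser for OllyDbg listings in exactly this format: it splits each line into address, opcode bytes, mnemonic, operands and comment, then collects the ASCII string annotations, the call/jmp targets and the immediates of cmp instructions, decoded to decimal the way the author does by hand (FA000 = 1024000). The sample lines are copied from this post; the `Insn` and `Summary` names are mine.

```python
"""Extract string references, call/jmp targets and compared immediates
from an OllyDbg disassembly listing.  Added example; not the post's code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the listings in this post.
SAMPLE_LISTING = """\
00584B87 E8 78D2FFFF call dumped_.00581E04
00584B8C 3D 00A00F00 cmp eax,0FA000 ; size limit FA000
00584B91 7E 1C jle short dumped_.00584BAF ; must jump!
005842DC B9 24475800 mov ecx,dumped_.00584724 ; ASCII "system.ini"
005842FB B9 44475800 mov ecx,dumped_.00584744 ; ASCII "date"
00584300 BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install"
00584309 FF13 call dword ptr ds:[ebx]
00581E7C ^\\E9 5F21E8FF jmp dumped_.00403FE0
005FA001 > 60 pushad ; stops here after loading
"""

HEX_ADDR = re.compile(r"[0-9A-F]{8}")
PREFIX_ONLY = re.compile(r"[\^\\/|>\-]+")       # Olly's jump-arrow decorations
BYTE_TOKEN = re.compile(r"[\^\\/|>\-]*[0-9A-F:]+")   # opcode bytes, maybe '^\E9' or '64:8F05'
ASCII_REF = re.compile(r'ASCII "([^"]*)"')
HEX_IMM = re.compile(r"[0-9A-F]+")              # Olly prints immediates in hex, no 0x prefix


@dataclass
class Insn:
    address: int
    raw: str        # opcode bytes as printed
    mnemonic: str
    operands: str
    comment: str


def parse_line(line: str) -> Optional[Insn]:
    """Parse one listing line; prose lines ("Which returns to here:") give None."""
    code, _, comment = line.partition(" ; ")
    tokens = code.split()
    if len(tokens) < 2 or not HEX_ADDR.fullmatch(tokens[0]):
        return None
    raw, i = [], 1
    while i < len(tokens):
        tok = tokens[i]
        if PREFIX_ONLY.fullmatch(tok):          # lone '>' or '-' marker
            i += 1
        elif BYTE_TOKEN.fullmatch(tok):         # mnemonics are lowercase, so they stop this loop
            raw.append(tok.lstrip("^\\/|>-"))
            i += 1
        else:
            break
    if i >= len(tokens):
        return None
    return Insn(int(tokens[0], 16), " ".join(raw), tokens[i],
                " ".join(tokens[i + 1:]), comment.strip())


@dataclass
class Summary:
    strings: dict = field(default_factory=dict)   # address -> referenced string
    targets: list = field(default_factory=list)   # (address, call/jmp operand)
    compares: list = field(default_factory=list)  # (address, left operand, immediate)


def summarize(listing: str) -> Summary:
    """Walk a listing and collect the facts an analyst reads off it by hand."""
    s = Summary()
    for line in listing.splitlines():
        insn = parse_line(line)
        if insn is None:
            continue
        m = ASCII_REF.search(insn.comment)
        if m:
            s.strings[insn.address] = m.group(1)
        if insn.mnemonic in ("call", "jmp"):
            s.targets.append((insn.address, insn.operands))
        elif insn.mnemonic == "cmp":
            left, _, right = insn.operands.partition(",")
            if HEX_IMM.fullmatch(right):
                s.compares.append((insn.address, left, int(right, 16)))
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LISTING)
    for addr, text in summary.strings.items():
        print(f"{addr:08X}  string  {text!r}")
    for addr, target in summary.targets:
        print(f"{addr:08X}  target  {target}")
    for addr, left, imm in summary.compares:
        print(f"{addr:08X}  cmp {left},{imm:X}h = {imm} bytes")
```

Run over the whole post, `strings` gives the system.ini / hsjsign_install / date / protect references at a glance, `targets` shows that both check sites call the same dumped_.00581E04, and `compares` turns 0FA000 into 1024000 so the size bound can be read against the 1921536-byte dump without a calculator.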