I'll also post an UnPackMe: a test target packed with SoftDefender 1.12 (click to download)
SoftDefender original program download:
http://www.softdefender.com/setup.exe
[Debugging environment]: WinXP, Ollydbg 1.09, PEiD, LordPE, ImportREC 1.4.2+
—————————————————————————————————
SoftDefender is a newly released heavyweight packer: anti-tracing, an Armadillo CopyMem-II style double process, Stolen Code, IAT encryption ... lots of goodies.
I found that SoftDefender supports Delphi programs somewhat better, so I took a small tool that displays the hard-disk volume serial number and packed it as the test target. It was written by DiKeN and heXer of [IPB]; I hope the two of them don't mind.
Unpacking is time-consuming, tiring and easy to get stuck in. If you lose patience after a few tries, don't waste your time on it.
The protection of the unregistered version should be somewhat weaker. Everyone is welcome to discuss: let's see whether you torture it or it tortures you.
—————————————————————————————————
[Unpacking process]:
A look at its help file: Compression of the application. Encryption of the application. Counteraction to dumping application memory with the tool like ProcDump. Application integrity check. Counteraction to disassemblers, defeating reverse engineering. Counteraction to memory patching. Counteraction to API hook (protect some special technique you have used).
I think SoftDefender's anti-tracing and its double-process scheme are done well. Its defence against SoftICE is very tight, and it is backed by other detection methods as well. Luckily the outcome is gentle: it just shows a message and exits. If it blue-screened the machine I would probably develop a "blue screen phobia". :-)
After the main program starts it creates a ~***.tmp file in the temp directory, then spawns a child process with CreateProcessA, and the parent exits on its own! "The son unpacks itself, modifies its own IAT, unpacks the first section on his own and finally jumps to its OEP." Hehe, maybe Armadillo's Nanomites description can be borrowed here. :-)
Below I use Ollydbg to try unpacking a target packed with the unregistered version of SoftDefender; I did not analyse how the program detects SoftICE.
SoftDefender 1.12 packed test target download:
http://tongtian.net/pediybbs/download.php?id=577
Note: ★ The biggest weakness of the unregistered SoftDefender is that you can get into its child process very easily! ★ If you only want to see how to unpack this target, go straight to part B below. Part A is just a brief analysis of the parent process.
Let's Go! :-D Additions from everyone are welcome!
—————————————————————————————————
Set Ollydbg to ignore all exceptions. Manual unpacking with Ollydbg, same old routine: use the IsDebug 1.4 plugin to clear Ollydbg's debugger flag. After loading, Ollydbg asks "Compressed code? Do you want to continue analysis?"; answer "No".
00450000 74 07 je short VolID.00450009 //OD stops here after loading!
00450002 75 05 jnz short VolID.00450009 //junk instruction: je and jnz to the same target is an unconditional jump in disguise
★★★★★★★★★★★★
★★★★★ A. A brief analysis of the parent process ★★★★★
★★★★★★★★★★★★
1. Set a breakpoint: BP ZwQueryInformationProcess+5 (the +5 keeps the INT3 out of the API's first five bytes, which the packer scans for CC, see step 4). F9 to run; it breaks.
77F7ED53 B8 9A000000 mov eax,9A
77F7ED58 BA 0003FE7F mov edx,7FFE0300//breaks here! Ctrl+F9 to execute till return
77F7ED5D FFD2 call edx
77F7ED5F C2 1400 retn 14 //returns to 77E77011
77E77011 85C0 test eax,eax//Ctrl+F9 to execute till return again
77E77013 0F8C 45CB0000 jl kernel32.77E83B5E
...... (omitted) ......
77E77055 C2 1400 retn 14 //returns to 00457E61
00457E5F FFD6 call esi
00457E61 85C0 test eax,eax //returns here
00457E63 74 37 je short VolID.00457E9C//set the Z flag (Z=1) so that this jumps
00457E65 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
00457E69 51 push ecx
00457E6A E8 0A0C0000 call VolID.00458A79
00457E6F 8B4424 08 mov eax,dword ptr ss:[esp+8]
00457E73 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00457E77 2BC1 sub eax,ecx
00457E79 74 2B je short VolID.00457EA6
00457E7B 83F8 01 cmp eax,1
00457E7E 77 38 ja short VolID.00457EB8
00457E80 8B4424 04 mov eax,dword ptr ss:[esp+4]
00457E84 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
00457E88 C1E8 04 shr eax,4
00457E8B C1E9 04 shr ecx,4
00457E8E 05 00000010 add eax,10000000
00457E93 2BC1 sub eax,ecx
00457E95 3D 00000001 cmp eax,1000000
00457E9A 77 1C ja short VolID.00457EB8
00457E9C B8 4F5346D2 mov eax,D246534F
00457EA1 5E pop esi
00457EA2 83C4 10 add esp,10
00457EA5 C3 retn
Of course, if your hands are quick enough (a Red Alert or StarCraft speed demon :-)), you needn't bother with this at all; go straight to the next part.
————————————————————————
2. F9 once more; it breaks again at ZwQueryInformationProcess+5
77F7ED53 B8 9A000000 mov eax,9A
77F7ED58 BA 0003FE7F mov edx,7FFE0300//breaks here! Ctrl+F9 to execute till return
77F7ED5D FFD2 call edx
77F7ED5F C2 1400 retn 14 //returns to 00457FAC
00457FAC FFD6 call esi
00457FAE 85C0 test eax,eax //returns here. Set EAX=1
00457FB0 75 08 jnz short VolID.00457FBA
00457FB2 8B4424 08 mov eax,dword ptr ss:[esp+8]
00457FB6 85C0 test eax,eax
00457FB8 75 0E jnz short VolID.00457FC8
00457FBA E8 4BFFFFFF call VolID.00457F0A
00457FBF 85C0 test eax,eax
00457FC1 75 05 jnz short VolID.00457FC8
00457FC3 BF 00000080 mov edi,80000000
00457FC8 8BC7 mov eax,edi
00457FCA 5F pop edi
00457FCB 5E pop esi
00457FCC 59 pop ecx
00457FCD C3 retn
————————————————————————
3. Set a hardware execution breakpoint on CreateFileA
First BP CreateFileA, then Alt+B to view the breakpoints: it sits at 77EB5D3F. Delete that breakpoint, double-click it, and set a hardware execution breakpoint at 77EB5D3F instead.
77EB5D3F E9 BEA34F80 jmp F83B0102//set the hardware execution breakpoint here
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
The stack at the CreateFileA call:
0012FE58 0045713B /CALL to CreateFileA from VolID.00457136
0012FE5C 0012FEBC |FileName = "D:\DOCUME~1\fly\LOCALS~1\Temp\~temp0540738194.tmp"
0012FE60 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FE64 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FE68 00000000 |pSecurity = NULL
0012FE6C 00000004 |Mode = OPEN_ALWAYS
0012FE70 00000002 |Attributes = HIDDEN
0012FE74 00000000 hTemplateFile = NULL
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
This creates the temporary file ~temp0540738194.tmp
————————————————————————
4. CreateProcessA is called to spawn the child process
00458AF7 58 pop eax
00458AF8 05 400D0000 add eax,0D40
00458AFD 8B00 mov eax,dword ptr ds:[eax] ; kernel32.CreateProcessA
00458AFF 8038 CC cmp byte ptr ds:[eax],0CC
00458B02 74 22 je short VolID.00458B26
00458B04 8078 01 CC cmp byte ptr ds:[eax+1],0CC
00458B08 74 1C je short VolID.00458B26
00458B0A 8078 02 CC cmp byte ptr ds:[eax+2],0CC
00458B0E 74 16 je short VolID.00458B26
00458B10 8078 03 CC cmp byte ptr ds:[eax+3],0CC
00458B14 74 10 je short VolID.00458B26
00458B16 8078 04 CC cmp byte ptr ds:[eax+4],0CC
00458B1A 74 0A je short VolID.00458B26
00458B1C 50 push eax
00458B1D C3 retn
Warning: never set a breakpoint directly on the important APIs; the program checks whether any of the first 5 bytes is CC! For the most commonly used APIs SoftDefender even compares the whole function against the original bytes!!
Workaround: use a hardware execution breakpoint, or place the breakpoint on the instruction after the bytes it checks, e.g. BP CreateProcessA+5:
77E41BB8 55 push ebp
77E41BB9 8BEC mov ebp,esp
77E41BBB 6A 00 push 0
77E41BBD FF75 2C push dword ptr ss:[ebp+2C]
77E41BC0 FF75 28 push dword ptr ss:[ebp+28]
77E41BC3 FF75 24 push dword ptr ss:[ebp+24]
77E41BC6 FF75 20 push dword ptr ss:[ebp+20]
77E41BC9 FF75 1C push dword ptr ss:[ebp+1C]
77E41BCC FF75 18 push dword ptr ss:[ebp+18]
77E41BCF FF75 14 push dword ptr ss:[ebp+14]
77E41BD2 FF75 10 push dword ptr ss:[ebp+10]
77E41BD5 FF75 0C push dword ptr ss:[ebp+C]
77E41BD8 FF75 08 push dword ptr ss:[ebp+8]
77E41BDB 6A 00 push 0
77E41BDD E8 646E0000 call kernel32.CreateProcessInternal>
77E41BE2 5D pop ebp
77E41BE3 C2 2800 retn 28
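As an added example (my own C, not SoftDefender's code or anything from the original post), the two checks just described, run against bytes constructed from the CreateProcessA listing above: the 5-byte INT3 scan of 00458AFF, and the stronger whole-prologue comparison the text mentions for the most common APIs. The 8 "original" bytes are taken from the listing; the breakpoint placements are simulated by writing 0xCC into a copy.

```c
/* Added example, not SoftDefender's code. Reproduces the API-body checks the
 * packer runs before calling CreateProcessA / ExitProcess. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INT3 0xCC

/* Mirrors the cmp byte ptr [eax+i],0CC chain at 00458AFF..00458B1A:
 * returns 1 if any of the first 5 bytes of the API body is an INT3. */
int has_int3_in_first5(const uint8_t *api)
{
    for (size_t i = 0; i < 5; i++)
        if (api[i] == INT3)
            return 1;
    return 0;
}

/* The stronger variant the text describes for the most-used APIs: compare the
 * body against a known-good copy, so any patch (INT3, hook jmp, ...) is
 * caught, not only a 0xCC within the first five bytes. */
int api_prologue_modified(const uint8_t *api, const uint8_t *known_good, size_t len)
{
    return memcmp(api, known_good, len) != 0;
}

/* First 8 bytes of kernel32.CreateProcessA on the XP build in the listing:
 * push ebp / mov ebp,esp / push 0 / push [ebp+2C] (constructed from it). */
static const uint8_t createprocessa_orig[8] = {0x55,0x8B,0xEC,0x6A,0x00,0xFF,0x75,0x2C};

/* Simulate a debugger writing a software breakpoint at api+offset. */
static void place_int3(uint8_t *api, size_t offset) { api[offset] = INT3; }

/* 1 if "BP CreateProcessA+offset" is caught by the 5-byte scan. */
int bp_at_offset_detected(size_t offset)
{
    uint8_t api[8];
    memcpy(api, createprocessa_orig, sizeof api);
    place_int3(api, offset);
    return has_int3_in_first5(api);
}

/* 1 if the same breakpoint is caught by the whole-prologue comparison. */
int bp_at_offset_detected_by_full_compare(size_t offset)
{
    uint8_t api[8];
    memcpy(api, createprocessa_orig, sizeof api);
    place_int3(api, offset);
    return api_prologue_modified(api, createprocessa_orig, sizeof api);
}

int main(void)
{
    printf("BP CreateProcessA   (offset 0): 5-byte scan %d, full compare %d\n",
           bp_at_offset_detected(0), bp_at_offset_detected_by_full_compare(0));
    printf("BP CreateProcessA+5 (offset 5): 5-byte scan %d, full compare %d\n",
           bp_at_offset_detected(5), bp_at_offset_detected_by_full_compare(5));
    return 0;
}
```

The +5 trick only defeats the first scan: the whole-body comparison still sees the CC at offset 5. A hardware execution breakpoint (debug registers DR0-DR3) changes no code bytes at all, so both checks pass, which is why the text prefers it for the APIs that get the full comparison.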
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
CreateProcessA stack:
0012FF98 00450D69 /CALL to CreateProcessA
0012FF9C 00000000 |ModuleFileName = NULL
0012FFA0 00450224 |CommandLine = """E:..............SoftDefenderVolIDVolID.exe"""
0012FFA4 00000000 |pProcessSecurity = NULL
0012FFA8 00000000 |pThreadSecurity = NULL
0012FFAC 00000001 |InheritHandles = TRUE
0012FFB0 00000000 |CreationFlags = 0
0012FFB4 00000000 |pEnvironment = NULL
0012FFB8 00000000 |CurrentDir = NULL
0012FFBC 00450328 |pStartupInfo = VolID.00450328
0012FFC0 00450214 pProcessInfo = VolID.00450214
0012FFC4 00450A1A VolID.00450A1A
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
————————————————————————
5. Once the child process has been spawned the parent's job is done and it exits via ExitProcess. Unlike Armadillo CopyMem-II it does not keep watching the child.
00450D69 6A 00 push 0
00450D6B E8 01000000 call VolID.00450D71
00459020 05 B8070000 add eax,7B8
00459025 8B00 mov eax,dword ptr ds:[eax] ; kernel32.ExitProcess
00459027 8038 CC cmp byte ptr ds:[eax],0CC
0045902A 74 22 je short VolID.0045904E
0045902C 8078 01 CC cmp byte ptr ds:[eax+1],0CC
00459030 74 1C je short VolID.0045904E
00459032 8078 02 CC cmp byte ptr ds:[eax+2],0CC
00459036 74 16 je short VolID.0045904E
00459038 8078 03 CC cmp byte ptr ds:[eax+3],0CC
0045903C 74 10 je short VolID.0045904E
0045903E 8078 04 CC cmp byte ptr ds:[eax+4],0CC
00459042 74 0A je short VolID.0045904E
00459044 50 push eax
00459045 C3 retn
—————————————————————————————————
★★★★★★★★★★★★
★★★★★ B. Unpacking analysis of the child process ★★★★★
★★★★★★★★★★★★
The biggest weakness of the unregistered SoftDefender is that you can get into its child process very easily! [Sadly my SoftICE never hid well enough, so I could not get a clean break in the child process of the SoftDefender.exe main program itself.] :-( Since it has this fatal weakness, let's strip off this brand-new vest. :-)
Part A above is of no further use for unpacking this target. Just run the packed SoftDefender test target .exe; it pops up the "unregistered SoftDefender" protection notice. Now start Ollydbg and attach to that process: this is the child spawned by CreateProcessA! The parent has already exited, leaving the freshly created child alone, at our mercy. :-)
————————————————————————
1. BP IsDebuggerPresent+6, to get past the run-time checks!
First: remove all breakpoints from part A, or simply delete the relevant .udd file before starting Ollydbg!
Although I have already cleared Ollydbg's debugger flag with the IsDebug 1.4 plugin, I still borrow this breakpoint here. After setting it, click OK on the "unregistered SoftDefender" notice; it breaks immediately at IsDebuggerPresent+6!
77E52E92 64:A1 18000000 mov eax,dword ptr fs:[18]
77E52E98 8B40 30 mov eax,dword ptr ds:[eax+30]//breaks here! Remove the breakpoint, Ctrl+F9 to execute till return
77E52E9B 0FB640 02 movzx eax,byte ptr ds:[eax+2]
77E52E9F C3 retn//returns to 0045849D
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
At this point you can also see in the stack the MeltICE-style table of device names the program opens with CreateFileA for anti-tracing. Why didn't they add Ollydbg?
0012DBF8 00458291 ASCII "\\.\SICE"
0012DBFC 0045829A ASCII "\\.\NTICE"
0012DC00 004582A4 ASCII "\\.\SIWDEBUG"
0012DC04 004582B1 ASCII "\\.\SIWVID"
0012DC08 004582BC ASCII "\\.\FILEMON"
0012DC0C 004582C8 ASCII "\\.\GlobalFILEMON"
0012DC10 004582DB ASCII "\\.\REGMON"
0012DC14 004582E6 ASCII "\\.\GlobalREGMON"
0012DC18 004582F8 ASCII "\\.\FILEVXD.VXD"
0012DC1C 00458308 ASCII "\\.\REGVXD.VXD"
0012DC20 00458317 ASCII "\\.\TRW"
0012DC24 0045831F ASCII "\\.\TRWDEBUG"
0012DC28 0045832C ASCII "\\.\ICEDUMP"
0012DC2C 00458338 ASCII "\\.\FROGSICE"
0012DC30 00458345 ASCII "\\.\IceExt"
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
00458498 E8 8C0A0000 call SoftDefe.00458F29
0045849D 85C0 test eax,eax//returns here! Ctrl+F9 to execute till return
0045849F 74 06 je short SoftDefe.004584A7
004584A1 89AB 1C030000 mov dword ptr ds:[ebx+31C],ebp
004584A7 C74424 10 07000000 mov dword ptr ss:[esp+10],7
004584AF 33FF xor edi,edi
004584B1 8D7424 14 lea esi,dword ptr ss:[esp+14]
004584B5 8B0E mov ecx,dword ptr ds:[esi]
004584B7 6A 00 push 0
004584B9 68 80000000 push 80
004584BE 55 push ebp
004584BF 6A 00 push 0
004584C1 6A 01 push 1
004584C3 68 00000080 push 80000000
004584C8 51 push ecx
004584C9 E8 3B0C0000 call SoftDefe.00459109
004584CE 83F8 FF cmp eax,-1
004584D1 74 18 je short SoftDefe.004584EB
004584D3 83FF 04 cmp edi,4
004584D6 7D 0B jge short SoftDefe.004584E3
004584D8 83FF 07 cmp edi,7
004584DB 7E 06 jle short SoftDefe.004584E3
004584DD 89AB 1C030000 mov dword ptr ds:[ebx+31C],ebp
004584E3 50 push eax
004584E4 E8 F00E0000 call SoftDefe.004593D9
004584E9 EB 10 jmp short SoftDefe.004584FB
004584EB E8 250F0000 call SoftDefe.00459415
004584F0 83F8 05 cmp eax,5
004584F3 75 06 jnz short SoftDefe.004584FB
004584F5 89AB 1C030000 mov dword ptr ds:[ebx+31C],ebp
004584FB 47 inc edi
004584FC 83C6 04 add esi,4
004584FF 83FF 0F cmp edi,0F
00458502 72 B1 jb short SoftDefe.004584B5
00458504 8B0B mov ecx,dword ptr ds:[ebx]
00458506 8B4424 10 mov eax,dword ptr ss:[esp+10]
0045850A 41 inc ecx
0045850B 48 dec eax
0045850C 890B mov dword ptr ds:[ebx],ecx
0045850E 894424 10 mov dword ptr ss:[esp+10],eax
00458512 75 9B jnz short SoftDefe.004584AF
00458514 E8 100A0000 call SoftDefe.00458F29//another IsDebuggerPresent check here
00458519 85C0 test eax,eax
0045851B 74 06 je short SoftDefe.00458523
0045851D 89AB 1C030000 mov dword ptr ds:[ebx+31C],ebp
00458523 8B03 mov eax,dword ptr ds:[ebx]
00458525 5F pop edi
00458526 40 inc eax
00458527 5E pop esi
00458528 8903 mov dword ptr ds:[ebx],eax
0045852A 5D pop ebp
0045852B B8 01000000 mov eax,1
00458530 5B pop ebx
00458531 83C4 40 add esp,40
00458534 C3 retn//returns to 004586BB
Note: the 3 places below appear to compare the program's run time!
004586BB E8 1D090000 call SoftDefe.00458FDD//returns here!
004586C0 85F6 test esi,esi
004586C2 74 17 je short SoftDefe.004586DB
004586C4 85C0 test eax,eax
004586C6 74 13 je short SoftDefe.004586DB
004586C8 8BC8 mov ecx,eax
004586CA 2BCE sub ecx,esi
004586CC 81F9 D0070000 cmp ecx,7D0 //2000?
004586D2 77 07 ja short SoftDefe.004586DB//(1) set Z=1 so that it does not jump! ◆
004586D4 8BF0 mov esi,eax
004586D6 83C7 0A add edi,0A
004586D9 EB 20 jmp short SoftDefe.004586FB
004586FB 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
004586FF E8 47FEFFFF call SoftDefe.0045854B
00458704 E8 D4080000 call SoftDefe.00458FDD
00458709 85F6 test esi,esi
0045870B 74 17 je short SoftDefe.00458724
0045870D 85C0 test eax,eax
0045870F 74 13 je short SoftDefe.00458724
00458711 8BC8 mov ecx,eax
00458713 2BCE sub ecx,esi
00458715 81F9 E8030000 cmp ecx,3E8 //1000?
0045871B 77 07 ja short SoftDefe.00458724//(2) set Z=1 so that it does not jump! ◆
0045871D 8BF0 mov esi,eax
0045871F 83C7 0A add edi,0A
00458722 EB 20 jmp short SoftDefe.00458744
0045876E 4F dec edi
0045876F E8 E3DAFFFF call SoftDefe.00456257
00458774 E8 64080000 call SoftDefe.00458FDD
00458779 85F6 test esi,esi
0045877B 74 12 je short SoftDefe.0045878F
0045877D 85C0 test eax,eax
0045877F 74 0E je short SoftDefe.0045878F
00458781 2BC6 sub eax,esi
00458783 3D E8030000 cmp eax,3E8 //1000?
00458788 77 05 ja short SoftDefe.0045878F//(3) set Z=1 so that it does not jump! ◆
0045878A 83C7 0A add edi,0A
0045878D EB 20 jmp short SoftDefe.004587AF
If any of those 3 jumps is taken, it reports a time error or similar, and it's OVER!
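To make the three checks concrete, here is an added C model (my own code, not SoftDefender's and not from the original post). It assumes that 00458FDD returns a millisecond tick counter such as GetTickCount, which the page does not confirm (it only notes the comparisons look like run-time checks), and that esi survives the calls between the checkpoints. The tick readings are constructed.

```c
/* Added example, not SoftDefender's code. Models the run-time checks at
 * 004586CC, 00458715 and 00458783: prev (esi) and now (eax) are two readings
 * from 00458FDD, ASSUMED to be a millisecond tick counter; limit is the
 * immediate from the listing, 7D0 = 2000 or 3E8 = 1000. */
#include <stdint.h>
#include <stdio.h>

/* Returns 1 when control goes to the branch target (004586DB and friends),
 * the path the text says ends in the "time error". Mirrors the listing:
 *   test esi,esi / je      -> a zero previous reading takes the branch
 *   test eax,eax / je      -> a zero current reading takes the branch
 *   sub ecx,esi / cmp ecx,limit / ja -> elapsed above limit (UNSIGNED) */
int timing_branch_taken(uint32_t prev, uint32_t now, uint32_t limit)
{
    if (prev == 0 || now == 0)
        return 1;
    uint32_t elapsed = now - prev;   /* wraps modulo 2^32 exactly like the x86 sub */
    return elapsed > limit;          /* ja = above, unsigned; exactly 2000 passes */
}

/* The three checkpoints in the order the listing reaches them. stamps[0] is
 * the reading held in esi when the first check runs; each passing check does
 * mov esi,eax, so its "now" becomes the next check's "prev".
 * Returns 0 when all pass, else the number (1..3) of the check that tripped. */
int run_timing_checks(const uint32_t stamps[4])
{
    static const uint32_t limits[3] = {0x7D0, 0x3E8, 0x3E8};
    uint32_t prev = stamps[0];
    for (int i = 0; i < 3; i++) {
        if (timing_branch_taken(prev, stamps[i + 1], limits[i]))
            return i + 1;
        prev = stamps[i + 1];
    }
    return 0;
}

int main(void)
{
    /* constructed tick readings (ms): a normal run, and a run where the
     * reverser sat in the debugger between checkpoints 1 and 2 */
    const uint32_t normal[4]  = {1000, 1050, 1100, 1150};
    const uint32_t stepped[4] = {1000, 1050, 9000, 9050};
    printf("normal run : tripped check %d\n", run_timing_checks(normal));
    printf("stepped run: tripped check %d\n", run_timing_checks(stepped));
    return 0;
}
```

Two practical consequences: because the compare is the unsigned `ja`, a counter wrap between readings does not cause a false positive, and a delta of exactly 2000 (or 1000) still passes; and what trips the check is simply time spent paused between two checkpoints, which is why flipping Z at each `ja` (as above) is the right fix rather than editing the constants.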
————————————————————————
2. Find the OEP and dodge the Stolen Code
OK, let's find the OEP quickly. :-D The next "bad thing" the program does is the Stolen Code, and it is precisely the Stolen Code that exposes the OEP so easily, sparing us a lot of trouble hunting for it.
Ctrl+F, search the whole section for the command: mov byte ptr ss:[esp+1C],dl and you find the place below!
Set a hardware execution breakpoint at 00456A9E (or on the code just below it)! Remember: do NOT use F2 for a normal breakpoint here, that's game over! F9 to run; it breaks cleanly at 00456A9E.
Look at the Registers window: EDI=00405248. Guess what that is? That's the OEP! :-)
The bytes stored at [esp+1C] onward are entry-prologue patterns; the calls to 00456030 further down compare each pattern against the bytes at EDI (the OEP), and the pattern that matches decides how the OEP gets rewritten. The program is about to overwrite 14 bytes at the OEP, the first 8 of them with 00 00 00 00 00 00 00 00.
What we do now is stop SoftDefender from tampering with the original program. Come on!
00456A9E 885424 1C mov byte ptr ss:[esp+1C],dl//set the hardware execution breakpoint here! :-)
00456AA2 884C24 1D mov byte ptr ss:[esp+1D],cl
00456AA6 884424 1E mov byte ptr ss:[esp+1E],al
00456AAA C64424 1F 6A mov byte ptr ss:[esp+1F],6A
00456AAF C64424 20 FF mov byte ptr ss:[esp+20],0FF
00456AB4 885424 24 mov byte ptr ss:[esp+24],dl
00456AB8 884C24 25 mov byte ptr ss:[esp+25],cl
00456ABC 884424 26 mov byte ptr ss:[esp+26],al
00456AC0 C64424 27 83 mov byte ptr ss:[esp+27],83
00456AC5 C64424 28 C4 mov byte ptr ss:[esp+28],0C4
00456ACA C64424 29 F4 mov byte ptr ss:[esp+29],0F4
00456ACF C64424 2A B8 mov byte ptr ss:[esp+2A],0B8
00456AD4 885424 34 mov byte ptr ss:[esp+34],dl
00456AD8 884C24 35 mov byte ptr ss:[esp+35],cl
00456ADC 884424 36 mov byte ptr ss:[esp+36],al
00456AE0 C64424 37 83 mov byte ptr ss:[esp+37],83
00456AE5 C64424 38 C4 mov byte ptr ss:[esp+38],0C4
00456AEA C64424 39 F4 mov byte ptr ss:[esp+39],0F4
00456AEF C64424 3A 53 mov byte ptr ss:[esp+3A],53
00456AF4 C64424 3B 56 mov byte ptr ss:[esp+3B],56
00456AF9 C64424 3C 57 mov byte ptr ss:[esp+3C],57
00456AFE C64424 3D B8 mov byte ptr ss:[esp+3D],0B8
00456B03 885424 2C mov byte ptr ss:[esp+2C],dl
00456B07 884C24 2D mov byte ptr ss:[esp+2D],cl
00456B0B 884424 2E mov byte ptr ss:[esp+2E],al
00456B0F C64424 2F 83 mov byte ptr ss:[esp+2F],83
00456B14 C64424 30 C4 mov byte ptr ss:[esp+30],0C4
00456B19 C64424 31 F8 mov byte ptr ss:[esp+31],0F8
00456B1E C64424 32 B8 mov byte ptr ss:[esp+32],0B8
00456B23 885424 40 mov byte ptr ss:[esp+40],dl
00456B27 884C24 41 mov byte ptr ss:[esp+41],cl
00456B2B 884424 42 mov byte ptr ss:[esp+42],al
00456B2F C64424 43 83 mov byte ptr ss:[esp+43],83
00456B34 C64424 44 C4 mov byte ptr ss:[esp+44],0C4
00456B39 C64424 45 F8 mov byte ptr ss:[esp+45],0F8
00456B3E C64424 46 53 mov byte ptr ss:[esp+46],53
00456B43 C64424 47 56 mov byte ptr ss:[esp+47],56
00456B48 C64424 48 57 mov byte ptr ss:[esp+48],57
00456B4D C64424 49 B8 mov byte ptr ss:[esp+49],0B8
00456B52 E8 92270000 call SoftDefe.004592E9
00456B57 50 push eax
00456B58 E8 C8270000 call SoftDefe.00459325
00456B5D 6A 20 push 20
00456B5F 6A 08 push 8
00456B61 894424 14 mov dword ptr ss:[esp+14],eax
00456B65 E8 7F270000 call SoftDefe.004592E9
00456B6A 50 push eax
00456B6B E8 B5270000 call SoftDefe.00459325
00456B70 8BF0 mov esi,eax
00456B72 6A 05 push 5
00456B74 894424 14 mov dword ptr ss:[esp+14],eax
00456B78 8D4424 18 lea eax,dword ptr ss:[esp+18]
00456B7C 50 push eax
00456B7D 57 push edi
00456B7E E8 ADF4FFFF call SoftDefe.00456030
00456B83 85C0 test eax,eax
00456B85 75 5A jnz short SoftDefe.00456BE1//note: this should jump!! ◆
00456B87 C606 58 mov byte ptr ds:[esi],58
00456B8A 46 inc esi
00456B8B 6A 0F push 0F
00456B8D 57 push edi
00456B8E 56 push esi
00456B8F E8 7DF3FFFF call SoftDefe.00455F11
00456B94 83C6 0F add esi,0F
00456B97 6A 0F push 0F
00456B99 6A 00 push 0
00456B9B 57 push edi
00456B9C C606 FF mov byte ptr ds:[esi],0FF
00456B9F C646 01 E0 mov byte ptr ds:[esi+1],0E0
00456BA3 E8 97F3FFFF call SoftDefe.00455F3F //Stolen Code :-(
00456BA8 8D47 09 lea eax,dword ptr ds:[edi+9]
00456BAB 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00456BAF 6A 04 push 4
00456BB1 51 push ecx
00456BB2 C600 FF mov byte ptr ds:[eax],0FF
00456BB5 40 inc eax
00456BB6 C600 15 mov byte ptr ds:[eax],15
00456BB9 40 inc eax
00456BBA 50 push eax
00456BBB E8 51F3FFFF call SoftDefe.00455F11
00456BC0 8D5424 10 lea edx,dword ptr ss:[esp+10]
00456BC4 6A 04 push 4
00456BC6 8B4424 10 mov eax,dword ptr ss:[esp+10]
00456BCA 52 push edx
00456BCB 50 push eax
00456BCC E8 40F3FFFF call SoftDefe.00455F11
00456BD1 8B43 18 mov eax,dword ptr ds:[ebx+18]
00456BD4 5F pop edi
00456BD5 83C0 09 add eax,9
00456BD8 5E pop esi
00456BD9 8943 18 mov dword ptr ds:[ebx+18],eax
00456BDC 5B pop ebx
00456BDD 83C4 38 add esp,38
00456BE0 C3 retn
00456BE1 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00456BE5 6A 07 push 7
00456BE7 51 push ecx
00456BE8 57 push edi
00456BE9 E8 42F4FFFF call SoftDefe.00456030
00456BEE 85C0 test eax,eax
00456BF0 0F84 95000000 je SoftDefe.00456C8B
00456BF6 8D5424 24 lea edx,dword ptr ss:[esp+24]
00456BFA 6A 07 push 7
00456BFC 52 push edx
00456BFD 57 push edi
00456BFE E8 2DF4FFFF call SoftDefe.00456030
00456C03 85C0 test eax,eax
00456C05 0F84 80000000 je SoftDefe.00456C8B
00456C0B 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00456C0F 6A 0A push 0A
00456C11 50 push eax
00456C12 57 push edi
00456C13 E8 18F4FFFF call SoftDefe.00456030
00456C18 85C0 test eax,eax
00456C1A 74 15 je short SoftDefe.00456C31//note: set Z=0 so that this does NOT jump!! ◆
00456C1C 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
00456C20 6A 0A push 0A
00456C22 51 push ecx
00456C23 57 push edi
00456C24 E8 07F4FFFF call SoftDefe.00456030
00456C29 85C0 test eax,eax
00456C2B 0F85 A8000000 jnz SoftDefe.00456CD9//note: this should jump!! ◆
00456C31 C606 59 mov byte ptr ds:[esi],59
00456C34 46 inc esi
00456C35 6A 0E push 0E
00456C37 57 push edi
00456C38 56 push esi
00456C39 E8 D3F2FFFF call SoftDefe.00455F11
00456C3E 83C6 0E add esi,0E
00456C41 6A 0E push 0E
00456C43 6A 00 push 0
00456C45 57 push edi
00456C46 C606 FF mov byte ptr ds:[esi],0FF
00456C49 C646 01 E1 mov byte ptr ds:[esi+1],0E1
00456C4D E8 EDF2FFFF call SoftDefe.00455F3F //Stolen Code :-(
I have looked at several targets packed with SoftDefender 1.12 and the Stolen Code routine above looks the same in all of them, but which jump to change has to be determined by tracing. For instance, with the Win2000 Notepad that goodmorning packed last time, only one jump needed changing. Analyse each case on its own.
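As an added example (my own C, not SoftDefender's code or the original post's), here is a reconstruction of the prologue matching at 00456A9E..00456C2B and of the stolen-code layout it produces on the 0E-byte path at 00456C31, run on the VolID OEP bytes taken from the clean listing at 00405248. Assumptions, none confirmed by the page: 00456030(oep, pattern, len) is a memcmp-like compare returning 0 on match; 00455F11(dst, src, len) copies bytes and 00455F3F(dst, 0, len) zero-fills (consistent with the argument order in the listing); dl/cl/al hold 55 8B EC (push ebp / mov ebp,esp), the only values for which the VolID OEP could match at 00456C1A as the text observes it does; and the 6-byte `call dword ptr [cell]` is written at OEP+8 on the 0E path, by analogy with the OEP+9 write shown on the 0F path, which is also what gives the "14 bytes, first 8 zeroed" the text reports. The cell address is a placeholder.

```c
/* Added example, not SoftDefender's code: prologue signatures, matching
 * order and the 0E-byte stolen-code transform, reconstructed from the
 * listing (see assumptions in the text above). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { const uint8_t *bytes; size_t len; } sig_t;

/* The five signatures built on the stack at 00456A9E..00456B4D, with
 * dl/cl/al = 55 8B EC (ASSUMED, see text). */
static const uint8_t sig0[] = {0x55,0x8B,0xEC,0x6A,0xFF};                           /* [esp+1C] len 5 : push -1 (MSVC)  -> 0F-byte steal at 00456B87 */
static const uint8_t sig1[] = {0x55,0x8B,0xEC,0x83,0xC4,0xF4,0xB8};                 /* [esp+24] len 7 : add esp,-0C ; mov eax (-> 00456C8B, not shown) */
static const uint8_t sig2[] = {0x55,0x8B,0xEC,0x83,0xC4,0xF8,0xB8};                 /* [esp+2C] len 7 : add esp,-8  ; mov eax (-> 00456C8B, not shown) */
static const uint8_t sig3[] = {0x55,0x8B,0xEC,0x83,0xC4,0xF4,0x53,0x56,0x57,0xB8};  /* [esp+34] len 10: Delphi, -0C, push ebx/esi/edi -> 0E-byte steal */
static const uint8_t sig4[] = {0x55,0x8B,0xEC,0x83,0xC4,0xF8,0x53,0x56,0x57,0xB8};  /* [esp+40] len 10: Delphi, -8 */

static const sig_t sigs[5] = {
    {sig0, sizeof sig0}, {sig1, sizeof sig1}, {sig2, sizeof sig2},
    {sig3, sizeof sig3}, {sig4, sizeof sig4},
};

/* Tries the signatures in the order the listing does. A set bit i in
 * skip_mask forces signature i to "not match", which is what flipping Z at
 * 00456C1A does. Returns the matching index, or -1 when nothing is
 * recognised and the OEP is left alone. */
int match_prologue(const uint8_t *oep, unsigned skip_mask)
{
    for (int i = 0; i < 5; i++) {
        if (skip_mask & (1u << i))
            continue;
        if (memcmp(oep, sigs[i].bytes, sigs[i].len) == 0)   /* 00456030 == 0 on match (ASSUMED) */
            return i;
    }
    return -1;
}

/* The transform at 00456C31..00456C4D. oep: at least 14 original bytes,
 * rewritten in place; stub: 17-byte heap stub; cell_va: address of the
 * dword that will hold the stub's address. Returns bytes changed at OEP. */
size_t steal_0e(uint8_t *oep, uint8_t stub[17], uint32_t cell_va)
{
    stub[0] = 0x59;                     /* pop ecx: ecx = return address = OEP+14 */
    memcpy(stub + 1, oep, 0x0E);        /* 00455F11(esi, edi, 0E): the 14 original bytes */
    stub[15] = 0xFF; stub[16] = 0xE1;   /* jmp ecx: back to OEP+14 */
    memset(oep, 0, 0x0E);               /* 00455F3F(edi, 0, 0E) */
    oep[8] = 0xFF; oep[9] = 0x15;       /* call dword ptr [cell_va] at OEP+8 (ASSUMED position) */
    for (int i = 0; i < 4; i++)
        oep[10 + i] = (uint8_t)(cell_va >> (8 * i));
    return 14;
}

/* VolID OEP bytes, constructed from the clean listing at 00405248 */
static const uint8_t volid_oep[19] = {
    0x55,0x8B,0xEC,0x83,0xC4,0xF4,0x53,0x56,0x57,
    0xB8,0x08,0x52,0x40,0x00,0xE8,0xF9,0xEB,0xFF,0xFF };

int main(void)
{
    uint8_t oep[19], stub[17];
    memcpy(oep, volid_oep, sizeof oep);
    printf("signature matched: %d; with Z patched at 00456C1A: %d\n",
           match_prologue(oep, 0), match_prologue(oep, 1u << 3));
    steal_0e(oep, stub, 0x00450000u);   /* placeholder cell address */
    printf("patched OEP:");
    for (size_t i = 0; i < sizeof oep; i++) printf(" %02X", oep[i]);
    printf("\nstub       :");
    for (size_t i = 0; i < sizeof stub; i++) printf(" %02X", stub[i]);
    printf("\n");
    return 0;
}
```

Why the stub works: the 6-byte call at OEP+8 pushes OEP+14 as its return address, `pop ecx` takes it off the stack so the balance is restored, the 14 stolen bytes (push ebp ... mov eax,00405208) run from the heap, and `jmp ecx` lands exactly on the `call 00403E54` that follows in the clean listing. Forcing the 10-byte match to fail (skip bit 3) makes match_prologue return -1, and the -8 variant never matched in the first place, which is the state the two flag edits at 00456C1A and 00456C2B leave the program in.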
————————————————————————
3. Dump the program and fix the import table
Having dodged the Stolen Code, set a memory-access breakpoint right at the OEP, 00405248, and F9; after breaking a few times you land at the OEP!
00405248 55 push ebp//dump the process fully with LordPE here
00405249 8BEC mov ebp,esp
0040524B 83C4 F4 add esp,-0C
0040524E 53 push ebx
0040524F 56 push esi
00405250 57 push edi
00405251 B8 08524000 mov eax,SoftDefe.00405208
00405256 E8 F9EBFFFF call SoftDefe.00403E54
Run ImportREC 1.4.2+ and select this process. Set OEP to 00005248 (the RVA, i.e. 00405248 minus the 00400000 image base), click IAT AutoSearch, then "Get Imports". Fix the unresolved entries with "trace level 3" or the "ASProtect 1.3 calculated imports.dll" plugin; only 2 functions are left unrecognised:
00008104 ? 0000 0045668E
000081B4 ? 0000 00456640
The "SvkpIAT.dll" plugin identifies 000081B4 = GetVersionExA; for 00008104, tracing plus guessing gives GetStartupInfoA
00008104 kernel32.dll 019D GetStartupInfoA
000081B4 kernel32.dll 01C9 GetVersionExA
Fix Dump, and it runs normally! PEiD shows it was written in Delphi. Remove the "SDPI" section with LordPE and rebuild the PE: 58.5K -> 368K -> 69.1K
—————————————————————————————————
, _/
/| _.-~/ _ , Youth lasts but a moment
( /~ / ~-._ |
`\ _/ ~ ) I'd sooner trade empty fame
_-~~~-.) )__/;;,. _ //'
/'_, --~ ~~~- ,;;___( (.-~~~-. for the wild abandon of cracking
`~ _( ,_..-- ( ,;'' / ~-- /._`
/~~//' /' `~ ) /--.._, )_ `~
" `~" " `" /~'` `\~~
" " "~' ""
Cracked By 巢水工作坊 / fly [OCN][FCG][NUKE]
2003-12-11 19:19