• Title: tElock 0.9x-1.0x (private) anti-Ollydbg analysis and unpacking: BadCopyProV3_71_0727 KeyGen
  • Author: fly
  • Date: 2003-10-14 05:41
  • Link: http://bbs.pediy.com

tElock 0.9x-1.0x (private) anti-Ollydbg analysis and unpacking: BadCopyProV3_71_0727 KeyGen

【Author's note】: I am a beginner at cracking and do this purely out of interest, with no other purpose. Where I have made mistakes, I would be grateful if the experts corrected me!

【Debugging environment】: WinXP, Ollydbg 1.09, PEiD, LordPE, WinHex, PEditor

————————————————————————————————— 
【Process】:


The keygen for BadCopyProV3_71_0727 released by TEAM ECLiPSE should be easy to find online; go look for it yourself.
PEiD 0.9 reports: tElock 0.9x - 1.0x (private). Heh, it must be a modified tElock that the experts have tweaked.
Nothing much has changed; what is notable is that this thing closes Ollydbg automatically, which earlier tElock versions did not do.

OD can be hidden under WinXP. Before debugging, configure Ollydbg: open Ollydbg -> Options -> Debugging options -> Exceptions
and tick the three options "Ignore memory access violations in KERNEL32", "INT3 breaks" and "Single-step break".

—————————————————————————————————
I. Anti-Ollydbg analysis


Manual unpacking with Ollydbg, the usual routine: after loading, the dialog "The code is compressed. Continue analysis?" pops up; click "No".


004390BC     E9 3FDFFFFF          jmp BadCopyP.00437000
                                  ====> After loading into OD it stops here! Press F9 to run; the program will break at an exception.

004370A7     F7F3                 div ebx
                                  ====> 1st exception

If you press Shift+F9 now, the program just exits on its own, so let's trace it from here. Note: step with F7; the omitted parts contain no big jumps.

004370C5     8B4424 04            mov eax,dword ptr ss:[esp+4]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
  ...... ......  omitted  ...... ......
004370FE     EB 60                jmp short BadCopyP.00437160

00437160     C3                   retn
                                  ====> Enters a system DLL; set a breakpoint at the place below, F9 breaks there.
00437161     2C 04                sub al,4
  ...... ......  omitted  ...... ......
00437188   ^ EB F1                jmp short BadCopyP.0043717B

0043718A     8B42 3C              mov eax,dword ptr ds:[edx+3C]
  ...... ......  omitted  ...... ......
004371C4     74 07                je short BadCopyP.004371CD

004371CD     8D7416 FC            lea esi,dword ptr ds:[esi+edx-4]
  ...... ......  omitted  ...... ......
004371DE   ^ 7C E6                jl short BadCopyP.004371C6

004371E0     8B06                 mov eax,dword ptr ds:[esi]
004371E2     03C2                 add eax,edx
004371E4     8138 4C6F6164        cmp dword ptr ds:[eax],64616F4C
004371EA     75 50                jnz short BadCopyP.0043723C
  ...... ......  omitted  ...... ......
004373F4     8138 47657450        cmp dword ptr ds:[eax],50746547
004373FA   ^ 0F85 D8FDFFFF        jnz BadCopyP.004371D8
00437400     8178 04 726F6341     cmp dword ptr ds:[eax+4],41636F72
00437407   ^ 0F85 CBFDFFFF        jnz BadCopyP.004371D8
0043740D     8178 08 64647265     cmp dword ptr ds:[eax+8],65726464
00437414   ^ 0F85 BEFDFFFF        jnz BadCopyP.004371D8
0043741A     68 82080000          push 882
0043741F   ^ E9 DFFDFFFF          jmp BadCopyP.00437203
                                  ====> F4 down here to get out of the loop!
00437424     58                   pop eax
  ...... ......  omitted  ...... ......
0043744E   ^ E2 F0                loopd short BadCopyP.00437440
                                  ====> F4 to get out of the LOOP
00437450     60                   pushad
00437451     8DBD DA070000        lea edi,dword ptr ss:[ebp+7DA]
00437457     E8 2A000000          call BadCopyP.00437486

00437486     58                   pop eax  
00437487     83C0 0A              add eax,0A
0043748A     AB                   stos dword ptr es:[edi]
0043748B     83C0 F6              add eax,-0A
0043748E     50                   push eax
0043748F     FF95 95200000        call dword ptr ss:[ebp+2095]
00437495     33D8                 xor ebx,eax
00437497     33C3                 xor eax,ebx
00437499     33D8                 xor ebx,eax
0043749B     E8 0C000000          call BadCopyP.004374AC

004374AC     53                   push ebx    
004374AD     FF95 82080000        call dword ptr ss:[ebp+882]  ; kernel32.GetProcAddress
004374B3     40                   inc eax
004374B4     48                   dec eax
004374B5     0F84 32020000        je BadCopyP.004376ED
004374BB     AB                   stos dword ptr es:[edi]
004374BC     8A00                 mov al,byte ptr ds:[eax]
004374BE     2C CC                sub al,0CC                 ; 33-CC=67
004374C0     0F84 27020000        je BadCopyP.004376ED
004374C6     E8 0D000000          call BadCopyP.004374D8

004374D8     53                   push ebx
004374D9     FF95 82080000        call dword ptr ss:[ebp+882]
004374DF     40                   inc eax
004374E0     48                   dec eax
004374E1     0F84 06020000        je BadCopyP.004376ED

004374E7     AB                   stos dword ptr es:[edi]
004374E8     8A00                 mov al,byte ptr ds:[eax]
004374EA     2C CC                sub al,0CC
004374EC     0F84 FB010000        je BadCopyP.004376ED
004374F2     E8 0E000000          call BadCopyP.00437505
004374F7     47                   inc edi
004374F8     65:74 43             je short BadCopyP.0043753E 

00437505     53                   push ebx   
00437506     FF95 82080000        call dword ptr ss:[ebp+882] ; kernel32.GetProcAddress
0043750C     40                   inc eax
0043750D     48                   dec eax
0043750E     0F84 D9010000        je BadCopyP.004376ED

00437514    |AB                   stos dword ptr es:[edi]
00437515    |8A00                 mov al,byte ptr ds:[eax]
00437517    |2C CC                sub al,0CC                 ; 6A-CC=9E
00437519    |0F84 CE010000        je BadCopyP.004376ED
0043751F    |80BD 1D240000 00     cmp byte ptr ss:[ebp+241D],0
00437526    |75 0C                jnz short BadCopyP.00437534
00437528    |AB                   stos dword ptr es:[edi]
00437529    |AB                   stos dword ptr es:[edi]
0043752A    |AB                   stos dword ptr es:[edi]
0043752B    |AB                   stos dword ptr es:[edi]
0043752C    |AB                   stos dword ptr es:[edi]
0043752D    |AB                   stos dword ptr es:[edi]
0043752E    |AB                   stos dword ptr es:[edi]
0043752F    |E9 20030000          jmp BadCopyP.00437854

00437854     83C7 D4              add edi,-2C
00437857     EB 30                jmp short BadCopyP.00437889

00437889     57                   push edi   
0043788A     E8 58000000          call BadCopyP.004378E7

004378E7     FF57 04              call dword ptr ds:[edi+4] ; user32.EnumWindows
                                  ====> F7 to step into

77D17627     33C0                 xor eax,eax 
77D17629     50                   push eax
77D1762A     50                   push eax
77D1762B     FF7424 10            push dword ptr ss:[esp+10]
77D1762F     FF7424 10            push dword ptr ss:[esp+10]
77D17633     50                   push eax
77D17634     50                   push eax
77D17635     E8 BAFEFFFF          call user32.77D174F4

77D174F4     55                   push ebp
77D174F5     8BEC                 mov ebp,esp
77D174F7     51                   push ecx
77D174F8     57                   push edi
77D174F9     8D45 1C              lea eax,dword ptr ss:[ebp+1C]
77D174FC     50                   push eax
77D174FD     FF75 18              push dword ptr ss:[ebp+18]
77D17500     C745 FC 01000000     mov dword ptr ss:[ebp-4],1
77D17507     FF75 1C              push dword ptr ss:[ebp+1C]
77D1750A     FF75 0C              push dword ptr ss:[ebp+C]
77D1750D     FF75 08              push dword ptr ss:[ebp+8]
77D17510     E8 24000000          call user32.77D17539
77D17515     8BF8                 mov edi,eax
77D17517     83FF FF              cmp edi,-1
77D1751A     0F84 43710300        je user32.77D4E663 
77D17520     53                   push ebx
77D17521     33DB                 xor ebx,ebx
77D17523     3BFB                 cmp edi,ebx
77D17525     0F85 F2000000        jnz user32.77D1761D

77D1761D     3BFB                 cmp edi,ebx
77D1761F     56                   push esi
77D17620     8B75 1C              mov esi,dword ptr ss:[ebp+1C]
77D17623   ^ 76 D5                jbe short user32.77D175FA
77D17625   ^ EB B1                jmp short user32.77D175D8

77D175D8     8B0E                 mov ecx,dword ptr ds:[esi]
77D175DA     E8 71C5FFFF          call user32.77D13B50
77D175DF     85C0                 test eax,eax
77D175E1     74 0F                je short user32.77D175F2
77D175E3     FF75 14              push dword ptr ss:[ebp+14]
77D175E6     FF36                 push dword ptr ds:[esi]
77D175E8     FF55 10              call dword ptr ss:[ebp+10]
                                  ====> Note: the check is done inside this call!

77D175EB     85C0                 test eax,eax
77D175ED     8945 FC              mov dword ptr ss:[ebp-4],eax 
77D175F0     74 08                je short user32.77D175FA
77D175F2     83C6 04              add esi,4
77D175F5     43                   inc ebx
77D175F6     3BDF                 cmp ebx,edi
77D175F8   ^ 72 DE                jb short user32.77D175D8
                                  ====> Loops comparing the current processes!

————————————————————————
Step into: 77D175E8   call dword ptr ss:[ebp+10]


0043788F     C8 000000            enter 0,0
00437893     57                   push edi
00437894     8B7D 0C              mov edi,dword ptr ss:[ebp+C]
00437897     6A 20                push 20
00437899     FF37                 push dword ptr ds:[edi]
0043789B     FF75 08              push dword ptr ss:[ebp+8]
0043789E     FF57 0C              call dword ptr ds:[edi+C]; user32.GetClassNameA
                                  ====> GetClassNameA gets the class name of the current window

004378A1     8B07                 mov eax,dword ptr ds:[edi]
004378A3     8138 4F4C4C59        cmp dword ptr ds:[eax],594C4C4F
                                  ====> Is there an "OLLY"? That is, it detects Ollydbg
004378A9     74 21                je short BadCopyP.004378CC
                                  ====> If it jumps, it's OVER!
004378AB     8138 4F574C5F        cmp dword ptr ds:[eax],5F4C574F
                                  ====> Is there an "OWL_"? What weapon is that?
004378B1     74 19                je short BadCopyP.004378CC
                                  ====> If it jumps, it's OVER!
004378B3     8138 54446544        cmp dword ptr ds:[eax],44654454
                                  ====> Is there a "TDeD"? That is, it detects DeDe
004378B9     74 11                je short BadCopyP.004378CC
                                  ====> If it jumps, it's OVER!
004378BB     8138 46696C65        cmp dword ptr ds:[eax],656C6946
004378C1     75 1C                jnz short BadCopyP.004378DF
                                  ====> If it does not jump, it's OVER!
004378C3     8178 04 4D6F6E43     cmp dword ptr ds:[eax+4],436E6F4D
004378CA     75 13                jnz short BadCopyP.004378DF
                                  ====> If it does not jump, it's OVER!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Let's see what "goodies" are hidden in memory

00437899  FF 37 FF 75 08 FF 57 0C 8B 07 81 38 4F 4C 4C 59  .7.u..W....8OLLY
004378A9  74 21 81 38 4F 57 4C 5F 74 19 81 38 54 44 65 44  t!.8OWL_t..8TDeD
004378B9  74 11 81 38 46 69 6C 65 75 1C 81 78 04 4D 6F 6E  t..8Fileu..x.Mon
004378C9  43 75 13 6A 00 6A 00 6A 10 FF 75 08 FF 57 08 33  Cu.j.j.j..u..W.3
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

004378CC     6A 00                push 0
004378CE     6A 00                push 0
004378D0     6A 10                push 10
004378D2     FF75 08              push dword ptr ss:[ebp+8]
004378D5     FF57 08              call dword ptr ds:[edi+8]
                                  ====> This is where it's OVER! Ollydbg exits by itself!
004378D8     33C0                 xor eax,eax
004378DA     5F                   pop edi
004378DB     C9                   leave
004378DC     C2 0800              retn 8
004378DF     6A 01                push 1
                                  ====> push 1, and then it's OK!
004378E1     58                   pop eax
004378E2     5F                   pop edi
004378E3     C9                   leave
004378E4     C2 0800              retn 8


Wow, so it calls EnumWindows and GetClassNameA to enumerate every parent window in the window list and fetch its name, then compares it against the built-in OLLY, OWL_ and TDeD; if any one of them is present, then sorry, it won't play with you. Heh, that is about the same effect as FindWindow, so it counts as a fairly gentle anti-debugging measure.
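The class-name check above, like the export-name walk at 004371E4 and 004373F4 earlier, compares 4 bytes of a string at a time against a 32-bit immediate, which is awkward to read off a listing. The Python below is an added example (not code from the original post): it recovers the ASCII prefixes from this page's own `cmp dword ptr [...],IMM` lines, joins the `[eax]`, `[eax+4]`, `[eax+8]` chains into longer strings, and provides the inverse so a tool author can search a packed binary for the immediate that corresponds to their own window-class prefix. The listing lines embedded in it are copied from this page as constructed sample input.

```python
import re
import struct

# Listing lines copied verbatim from the tElock stub analysed above
# (constructed sample input for this example).
LISTING = """\
004371E4     8138 4C6F6164        cmp dword ptr ds:[eax],64616F4C
004373F4     8138 47657450        cmp dword ptr ds:[eax],50746547
00437400     8178 04 726F6341     cmp dword ptr ds:[eax+4],41636F72
0043740D     8178 08 64647265     cmp dword ptr ds:[eax+8],65726464
004378A3     8138 4F4C4C59        cmp dword ptr ds:[eax],594C4C4F
004378AB     8138 4F574C5F        cmp dword ptr ds:[eax],5F4C574F
004378B3     8138 54446544        cmp dword ptr ds:[eax],44654454
004378BB     8138 46696C65        cmp dword ptr ds:[eax],656C6946
004378C3     8178 04 4D6F6E43     cmp dword ptr ds:[eax+4],436E6F4D
"""

# OllyDbg-style line: address, raw bytes, "cmp dword ptr ds:[reg+off],imm".
CMP_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s.*?cmp dword ptr (?:[a-z]s:)?\[(?P<base>\w+)"
    r"(?:\+(?P<off>[0-9A-F]+))?\],(?P<imm>[0-9A-F]{1,8})\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def imm_to_ascii(imm: int) -> str:
    """A 32-bit immediate compared against memory is the little-endian
    encoding of 4 bytes; re-serialising it gives the text in memory order."""
    return struct.pack("<I", imm).decode("latin-1")


def ascii_to_imm(text: str) -> int:
    """Inverse: the immediate a stub would compare against to test for `text`."""
    if len(text) != 4:
        raise ValueError("a dword compare covers exactly 4 characters")
    return struct.unpack("<I", text.encode("latin-1"))[0]


def decode_string_compares(listing: str) -> list[tuple[str, str]]:
    """Return (address, string) for each string test in the listing.

    Consecutive compares against [reg], [reg+4], [reg+8] ... are joined,
    because that is how the stub tests strings longer than 4 bytes
    ("GetP" + "rocA" + "ddre", "File" + "MonC").  Only the prefix is
    tested, so a class name such as OLLYDBG satisfies the "OLLY" compare.
    """
    results: list[tuple[str, str]] = []
    prev_base, prev_off = None, None
    for m in CMP_RE.finditer(listing):
        off = int(m["off"], 16) if m["off"] else 0
        chunk = imm_to_ascii(int(m["imm"], 16))
        if results and m["base"] == prev_base and off == prev_off + 4:
            addr, so_far = results[-1]
            results[-1] = (addr, so_far + chunk)   # continuation of a longer string
        else:
            results.append((m["addr"], chunk))
        prev_base, prev_off = m["base"], off
    return results


if __name__ == "__main__":
    for addr, text in decode_string_compares(LISTING):
        print(f"{addr}: compares against {text!r}")
    # Immediate to search for when checking whether a stub tests your own class prefix:
    print(f"OLLY -> {ascii_to_imm('OLLY'):08X}")
```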

Because tElock has strong memory and file self-checking, modifying the program makes it pop up a CRC ERROR message and exit. So a lazy person like me took the simplest route. Some time ago, when I was bored, I made a small modification to Ollydbg whose only effect is to evade anti-debugging in which {the target program checks memory for this tool's original window class name}. I never expected it would finally come in handy this time.


—————————————————————————————————
II. Partial unpacking to obtain the IAT


On with the unpacking, now tracing with my modified Ollydbg! This time the program behaves itself and does not "leave without saying goodbye".

Pass the exceptions with Shift+F9: after 6 presses the program runs. Try again, pressing Shift+F9 4 times.

00438069     CD 68                int 68
                                  ====> 4th exception

004386E4     8B95 42D84000        mov edx,dword ptr ss:[ebp+40D842]
004386EA     8BB5 32D84000        mov esi,dword ptr ss:[ebp+40D832]
004386F0     85F6                 test esi,esi
                                  ====> F2 to set a breakpoint here! ESI = RVA of the import table
004386F2     0F84 18040000        je BadCopyP.00438B10
                                  ====> "Encryption and Decryption" (《加密与解密》) says you can force a jump here, but when I jumped over it the program would not run
004386F8     03F2                 add esi,edx
004386FA     83A5 32D94000 00     and dword ptr ss:[ebp+40D932],0
                                  ====> Found it!

Set a breakpoint at 004386F0 and press Shift+F9; it breaks. Look at the value of esi: 0000A1EC, which is the location of the IAT. Then D 0040A1EC to view the IAT; its size is 0040A8D0-0040A1EC=6E4. Now do a partial dump with LordPE. Address: 0040A1EC, size: 6E4, saved as 部分dumped.dmp


—————————————————————————————————
III. OK, on we go! Shift+F9 once more, and hunt for the OEP by hand!


00438BD7     8DC0                 lea eax,eax  
                                  ====> 5th exception

00438BE5     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
00438BE9     33C0                 xor eax,eax
00438BEB     FF6424 08            jmp dword ptr ss:[esp+8]

00438BFA     64:8F00              pop dword ptr fs:[eax]   
00438BFD     58                   pop eax
00438BFE     EB 02                jmp short BadCopyP.00438C02

00438C02     58                   pop eax
00438C03     5D                   pop ebp
00438C04     EB 02                jmp short BadCopyP.00438C08

00438C08     3D 5868133F          cmp eax,3F136858
00438C0D     E8 7E000000          call BadCopyP.00438C90

00438C90     F9                   stc
00438C91     72 01                jb short BadCopyP.00438C94
00438C94     FC                   cld
00438C95     60                   pushad
00438C96     E8 06000000          call BadCopyP.00438CA1

00438CA1     33C9                 xor ecx,ecx  
00438CA3     64:FF31              push dword ptr fs:[ecx]
00438CA6     64:8921              mov dword ptr fs:[ecx],esp
00438CA9     F1                   int1
00438CAA     F7F1                 div ecx
                                  ====> Exception! Look at the second address in the stack window here!

00438C9B     8B6424 08            mov esp,dword ptr ss:[esp+8]
00438C9F     EB 0D                jmp short BadCopyP.00438CAE
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.

00438CAE    /EB 01                jmp short BadCopyP.00438CB1

00438CB1     15 09403318          adc eax,18334009
00438CB6     BE 00000000          mov esi,0
00438CBB     64:8F06              pop dword ptr fs:[esi]
00438CBE     5E                   pop esi
00438CBF     EB 01                jmp short BadCopyP.00438CC2

00438CC2     F8                   clc
00438CC3     60                   pushad
00438CC4     E8 06000000          call BadCopyP.00438CCF

00438CCF     64:67:FF36 0000      push dword ptr fs:[0]
00438CD5     64:67:8926 0000      mov dword ptr fs:[0],esp
00438CDB     9C                   pushfd
00438CDC     810C24 00010000      or dword ptr ss:[esp],100
00438CE3     9D                   popfd
00438CE4     F8                   clc
                                  ====> Exception! Look at the second address in the stack window here!

00438CC9     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
00438CCD     EB 1A                jmp short BadCopyP.00438CE9

00438CE9     64:67:8F06 0000      pop dword ptr fs:[0]
00438CEF     58                   pop eax
00438CF0     61                   popad
00438CF1     F8                   clc
00438CF2     73 02                jnb short BadCopyP.00438CF6

00438CF6     98                   cwde
00438CF7     E8 0A000000          call BadCopyP.00438D06

00438D06     83E0 CF              and eax,FFFFFFCF
00438D09     C3                   retn
                                  ====> Returns to 00438CFC; really a disguised JMP

00438CFC     33C3                 xor eax,ebx
00438CFE     E9 08000000          jmp BadCopyP.00438D0B

00438D0B     C1E0 16              shl eax,16
00438D0E     E8 00000000          call BadCopyP.00438D13  // step over with F8
00438D13     85E4                 test esp,esp
00438D15     79 03                jns short BadCopyP.00438D1A

00438D1A     0BC3                 or eax,ebx
00438D1C     8B2C24               mov ebp,dword ptr ss:[esp]
00438D1F     58                   pop eax
00438D20     81ED 4E1F4100        sub ebp,BadCopyP.00411F4E
00438D26     F9                   stc
00438D27     72 02                jb short BadCopyP.00438D2B

00438D2B     F5                   cmc
00438D2C     03C2                 add eax,edx
00438D2E     B8 4EEB5FAC          mov eax,AC5FEB4E
00438D33     8BD8                 mov ebx,eax
00438D35     81EB 01CD1EAC        sub ebx,AC1ECD01
00438D3B     F8                   clc
00438D3C     73 02                jnb short BadCopyP.00438D40

00438D40     03DD                 add ebx,ebp
00438D42     B8 BA6B902C          mov eax,2C906BBA
00438D47     8BF8                 mov edi,eax
00438D49     81EF 9D6B902C        sub edi,2C906B9D
00438D4F     EB 01                jmp short BadCopyP.00438D52

00438D52     BE 7C40980E          mov esi,0E98407C
00438D57     0BE4                 or esp,esp
00438D59     75 01                jnz short BadCopyP.00438D5C

00438D5C     3D B3A81711          cmp eax,1117A8B3
00438D61     E8 0A000000          call BadCopyP.00438D70

00438D70     C3                   retn
                                  ====> Returns to 00438D66

00438D66     1BC3                 sbb eax,ebx    
00438D68     E9 09000000          jmp BadCopyP.00438D76

00438D76     23C3                 and eax,ebx  
00438D78     90                   nop
00438D79     F9                   stc
00438D7A     6BF6 4D              imul esi,esi,4D
00438D7D     3133                 xor dword ptr ds:[ebx],esi
00438D7F     C1C6 03              rol esi,3
00438D82     F9                   stc
00438D83     83D6 4B              adc esi,4B
00438D86     43                   inc ebx
00438D87     43                   inc ebx
00438D88     43                   inc ebx
00438D89     43                   inc ebx
00438D8A     EB 02                jmp short BadCopyP.00438D8E

00438D8E     FC                   cld
00438D8F     81C6 0C519A22        add esi,229A510C
00438D95     F9                   stc
00438D96     72 01                jb short BadCopyP.00438D99

00438D99     1D F99D6513          sbb eax,13659DF9
00438D9E     83EF 01              sub edi,1
00438DA1     EB 02                jmp short BadCopyP.00438DA5

00438DA5     48                   dec eax
00438DA6     1BC6                 sbb eax,esi
00438DA8     51                   push ecx
00438DA9     8BCF                 mov ecx,edi
00438DAB     E3 03                jecxz short BadCopyP.00438DB0
00438DAD     59                   pop ecx
00438DAE   ^ EB C9                jmp short BadCopyP.00438D79
                                  ====> Note this loop! Looking upwards, 00438DAB can jump out of it!
00438DB0     59                   pop ecx
                                  ====> Set a breakpoint here, F9, it breaks here! Out of the loop!
00438DB1     85E4                 test esp,esp
00438DB3     79 03                jns short BadCopyP.00438DB8

00438DB8     F5                   cmc
00438DB9     E8 0C000000          call BadCopyP.00438DCA

00438DCA     2BC5                 sub eax,ebp
00438DCC     40                   inc eax
00438DCD     C3                   retn
                                  ====> Returns to 00438DBE

00438DBE     3D B43C9223          cmp eax,23923CB4
00438DC3     E9 0B000000          jmp BadCopyP.00438DD3

00438DD3     3D 96AA2021          cmp eax,2120AA96
00438DD8     61                   popad
00438DD9     0BE4                 or esp,esp
00438DDB     75 01                jnz short BadCopyP.00438DDE

00438DDE     2BC7                 sub eax,edi
00438DE0     C3                   retn
                                  ====> Returns to 00438C12

00438C12     8B9D 62D84000        mov ebx,dword ptr ss:[ebp+40D862]
00438C18     33F6                 xor esi,esi
00438C1A     F7D3                 not ebx
00438C1C     0BF3                 or esi,ebx
00438C1E     75 08                jnz short BadCopyP.00438C28

00438C28     039D 42D84000        add ebx,dword ptr ss:[ebp+40D842]
                                  ====> EBX=00004C22 + 00400000=00404C22   This is the OEP

00438C2E     895C24 F0            mov dword ptr ss:[esp-10],ebx
00438C32     8DBD 64D74000        lea edi,dword ptr ss:[ebp+40D764]
00438C38     33C0                 xor eax,eax
00438C3A     B9 CE030000          mov ecx,3CE
00438C3F     F3:AA                rep stos byte ptr es:[edi]
00438C41     8DBD 9CB64000        lea edi,dword ptr ss:[ebp+40B69C]
00438C47     B9 3E1C0000          mov ecx,1C3E
00438C4C     F3:AA                rep stos byte ptr es:[edi]
00438C4E     66:AB                stos word ptr es:[edi]
00438C50     8DBD 9CB64000        lea edi,dword ptr ss:[ebp+40B69C]
00438C56     85F6                 test esi,esi
00438C58     75 08                jnz short BadCopyP.00438C62

00438C62     C607 E9              mov byte ptr ds:[edi],0E9
00438C65     47                   inc edi
00438C66     2BDF                 sub ebx,edi
00438C68     83EB 04              sub ebx,4
00438C6B     891F                 mov dword ptr ds:[edi],ebx
00438C6D     8DBD DAD24000        lea edi,dword ptr ss:[ebp+40D2DA]
00438C73     B9 2C000000          mov ecx,2C
00438C78     F3:AA                rep stos byte ptr es:[edi]
00438C7A     66:AB                stos word ptr es:[edi]
00438C7C     EB 02                jmp short BadCopyP.00438C80

00438C80     61                   popad
00438C81     FF6424 D0            jmp dword ptr ss:[esp-30]
                                  ====> Fly to the summit of light! Jumps to 00404C22

————————————————————————

00404C22     55                   push ebp
                                  ====> Here, correct ImageSize with LordPE and fully dump the process

00404C23     8BEC                 mov ebp,esp
00404C25     6A FF                push -1
00404C27     68 E0A14000          push BadCopyP.0040A1E0
00404C2C     68 DC4D4000          push BadCopyP.00404DDC 


—————————————————————————————————
IV. Manual repair. Of course you could also repair it with ImportREC; I am practising repairing by hand.


1. Use WinHex to copy the code from 部分dumped.dmp and write it to the corresponding location in dumped.exe, then save.

2. Open dumped.exe with PEditor, change the entry point to 00004C22, and fix the sections with dumpfixer.

3. Use LordPE to set the import table address to 0000A1EC, then rebuild the PE. OK, it runs normally! 71K -> 191K
   The program was compiled with VC++ 6.0; after unpacking it runs across system platforms!


—————————————————————————————————
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth lasts but a moment;
       ( /~   /              ~-._ |
       `\  _/                   ~ )          let me trade hollow fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the wild abandon of cracking
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

            Cracked By 巢水工作坊 (fly) [OCN][FCG]

                    2003-10-13 23:00

  • Title: tElock 0.98b1 unpacking: AntiyPorts V1.2
  • Author: fly
  • Date: 2003-10-15 10:18

Download:  http://www.antiy.com/service/freetools/antiyport.zip 
Size:  90 KB

【Software description】: Antiy Port is a free tool for viewing the mapping between ports and processes under NT/2000/XP. Version 1.0 was released last year and was embedded as a functional module in the professional security tool Antiy Ghostbusters; 1.02 adds a check of the user's identity, so that when a non-administrator runs the program an error message is shown.

【Author's note】: I am a beginner at cracking and do this purely out of interest, with no other purpose. Where I have made mistakes, I would be grateful if the experts corrected me!

【Debugging environment】: WinXP, Ollydbg 1.09, PEiD, LordPE, WinHex, PEditor

————————————————————————————————— 
【Unpacking process】:

I. Partial unpacking to obtain the IAT


00439BD6     E9 25E4FFFF          jmp antiypor.00438000
                                  ====> After loading into OD it stops here! Press F9 to run; the program will break at an exception.

004380A7     F7F3                 div ebx
                                  ====> 1st exception

Pass the exceptions with Shift+F9: after 4 presses the program runs. Try again, press Shift+F9 4-2=2 times, and it stops.

00438AA1     66:F7F3              div bx
                                  ====> 3rd exception

Now use Ctrl+F with "Entire block" to search for the command: AND  DWORD PTR [ESI+0C],00

00439210     8B95 62D34000        mov edx,dword ptr ss:[ebp+40D362]
00439216     8BB5 52D34000        mov esi,dword ptr ss:[ebp+40D352]
0043921C     85F6                 test esi,esi
                                  ====> F2 to set a breakpoint here! ESI = RVA of the import table
0043921E     0F84 06040000        je antiypor.0043962A
00439224     03F2                 add esi,edx
00439226     83A5 52D44000 00     and dword ptr ss:[ebp+40D452],0
0043922D     8B46 0C              mov eax,dword ptr ds:[esi+C]
00439230     8366 0C 00           and dword ptr ds:[esi+C],0
                                  ====> Found it!
00439234     85C0                 test eax,eax
00439236     0F84 EE030000        je antiypor.0043962A
0043923C     03C2                 add eax,edx
0043923E     8BD8                 mov ebx,eax
00439240     50                   push eax
00439241     FF95 D0D24000        call dword ptr ss:[ebp+40D2D0]

Set a breakpoint at 0043921C and press Shift+F9; it breaks. Look at the value of esi: 00006078, which is the location of the IAT. Then D 00406078 to view the IAT; its size is 00406A8C-00406078=A14. Now do a partial dump with LordPE. Address: 00406078, size: A14, saved as 部分dumped.dmp


—————————————————————————————————
II. Another way to reach 0043921C


OK, from studying "Encryption and Decryption" 2nd edition (《加密与解密②版》) p. 421 I learned that there is another way to locate this spot quickly, without searching for the AND  DWORD PTR [ESI+0C],00 command. Heh, the more one can learn, the better.

After loading the program in Ollydbg, set BP GetModuleHandleA and run with Shift+F9; it enters kernel32 territory 3 times, then stops:

77E59F93     837C24 04 00         cmp dword ptr ss:[esp+4],0
                                  ====> Breaks here!
77E59F98     0F84 23060000        je kernel32.77E5A5C1
77E59F9E     FF7424 04            push dword ptr ss:[esp+4]
77E59FA2     E8 55080000          call kernel32.77E5A7FC
77E59FA7     85C0                 test eax,eax
77E59FA9     74 08                je short kernel32.77E59FB3
77E59FAB     FF70 04              push dword ptr ds:[eax+4]
77E59FAE     E8 B0060000          call kernel32.GetModuleHandleW
77E59FB3     C2 0400              retn 4
                                  ====> Ctrl+F9 returns to 00439247

00439210     8B95 62D34000        mov edx,dword ptr ss:[ebp+40D362]
00439216     8BB5 52D34000        mov esi,dword ptr ss:[ebp+40D352]
0043921C     85F6                 test esi,esi
0043921E     0F84 06040000        je antiypor.0043962A
00439224     03F2                 add esi,edx
00439226     83A5 52D44000 00     and dword ptr ss:[ebp+40D452],0
0043922D     8B46 0C              mov eax,dword ptr ds:[esi+C]
00439230     8366 0C 00           and dword ptr ds:[esi+C],0
00439234     85C0                 test eax,eax
00439236     0F84 EE030000        je antiypor.0043962A
0043923C     03C2                 add eax,edx
0043923E     8BD8                 mov ebx,eax
00439240     50                   push eax
00439241     FF95 D0D24000        call dword ptr ss:[ebp+40D2D0]
                                  ====> So this is GetModuleHandleA
00439247     85C0                 test eax,eax
                                  ====> Returns here. Look above: it is exactly 0043921C


—————————————————————————————————
III. Shift+F9 once more, and hunt for the OEP by hand!


004396F1     8DC0                 lea eax,eax
                                  ====> 4th exception. The second address in the stack window is 004396FF

004396FF     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
00439703     33C0                 xor eax,eax
00439705     FF6424 08            jmp dword ptr ss:[esp+8]

00439714     64:8F00              pop dword ptr fs:[eax]
00439717     58                   pop eax
00439718     EB 02                jmp short antiypor.0043971C

0043971C     58                   pop eax 
0043971D     5D                   pop ebp
0043971E     F8                   clc
0043971F     73 02                jnb short antiypor.00439723

00439723     2BC6                 sub eax,esi
00439725     40                   inc eax
00439726     E8 83000000          call antiypor.004397AE

004397AE    /EB 01                jmp short antiypor.004397B1

004397B1     33C5                 xor eax,ebp
004397B3     F9                   stc
004397B4     60                   pushad
004397B5     E8 06000000          call antiypor.004397C0

004397C0     33D2                 xor edx,edx 
004397C2     64:FF32              push dword ptr fs:[edx]
004397C5     64:8922              mov dword ptr fs:[edx],esp
004397C8     F1                   int1
004397C9     FF02                 inc dword ptr ds:[edx]
                                  ====> Exception! Look at the second address in the stack window here!

004397BA     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
004397BE     EB 0D                jmp short antiypor.004397CD

004397CD     0BE4                 or esp,esp
004397CF     75 01                jnz short antiypor.004397D2

004397D2     83E8 94              sub eax,-6C
004397D5     2BDB                 sub ebx,ebx
004397D7     64:8F03              pop dword ptr fs:[ebx]
004397DA     5B                   pop ebx
004397DB     0BE4                 or esp,esp
004397DD     75 01                jnz short antiypor.004397E0

004397E0     98                   cwde
004397E1     60                   pushad
004397E2     E8 06000000          call antiypor.004397ED

004397ED     64:67:FF36 0000      push dword ptr fs:[0]
004397F3     64:67:8926 0000      mov dword ptr fs:[0],esp
004397F9     9C                   pushfd
004397FA     810C24 00010000      or dword ptr ss:[esp],100
00439801     9D                   popfd
00439802     F8                   clc
                                  ====> Exception! Look at the second address in the stack window here!

004397E7     8B6424 08            mov esp,dword ptr ss:[esp+8]
                                  ====> The second address in the stack window. Set a breakpoint there; Shift+F9 breaks here.
004397EB     EB 1A                jmp short antiypor.00439807

00439807     64:67:8F06 0000      pop dword ptr fs:[0]
0043980D     58                   pop eax
0043980E     61                   popad
0043980F     EB 02                jmp short antiypor.00439813

00439813     F5                   cmc
00439814     0BC1                 or eax,ecx
00439816     E8 00000000          call antiypor.0043981B
0043981B     0BE4                 or esp,esp
0043981D     75 01                jnz short antiypor.00439820

00439820     40                   inc eax  
00439821     2BC7                 sub eax,edi
00439823     8B3424               mov esi,dword ptr ss:[esp]
00439826     58                   pop eax
00439827     81EE 8A144100        sub esi,antiypor.0041148A
0043982D     EB 01                jmp short antiypor.00439830

00439830     2BC5                 sub eax,ebp
00439832     F9                   stc
00439833     E8 08000000          call antiypor.00439840

00439840     98                   cwde
00439841     33C0                 xor eax,eax
00439843     C3                   retn
                                  ====> Returns to 00439838; really a disguised JMP

00439838     E9 0C000000          jmp antiypor.00439849

00439849     1BC2                 sbb eax,edx  
0043984B     B9 F67BB059          mov ecx,59B07BF6
00439850     81F1 6C68F159        xor ecx,59F1686C
00439856     F9                   stc
00439857     72 01                jb short antiypor.0043985A

0043985A     83F0 A0              xor eax,FFFFFFA0
0043985D     03CE                 add ecx,esi
0043985F     33D2                 xor edx,edx
00439861     81F2 6BC3FC21        xor edx,21FCC36B
00439867     81C2 B23C03DE        add edx,DE033CB2
0043986D     EB 02                jmp short antiypor.00439871

00439871     F9                   stc
00439872     0BC2                 or eax,edx
00439874     33FF                 xor edi,edi
00439876     81F7 023B36C2        xor edi,C2363B02
0043987C     F8                   clc
0043987D     73 02                jnb short antiypor.00439881

00439881     F8                   clc
00439882     33C4                 xor eax,esp
00439884     6BFF 3B              imul edi,edi,3B
00439887     3139                 xor dword ptr ds:[ecx],edi
00439889     D1C7                 rol edi,1
0043988B     F9                   stc
0043988C     83D7 4F              adc edi,4F
0043988F     81C7 D4D0F3E0        add edi,E0F3D0D4
00439895     0BE4                 or esp,esp
00439897     75 01                jnz short antiypor.0043989A

0043989A     98                   cwde
0043989B     8BC6                 mov eax,esi
0043989D     4A                   dec edx
0043989E     0BE4                 or esp,esp
004398A0     75 01                jnz short antiypor.004398A3

004398A3     1D 96E4C132          sbb eax,32C1E496
004398A8     B8 04000000          mov eax,4
004398AD     03C8                 add ecx,eax
004398AF     EB 01                jmp short antiypor.004398B2

004398B2     1BC5                 sbb eax,ebp
004398B4     FC                   cld
004398B5     F8                   clc
004398B6     73 02                jnb short antiypor.004398BA

004398BA     2BC0                 sub eax,eax
004398BC     48                   dec eax
004398BD     03C2                 add eax,edx
004398BF   ^ 79 C3                jns short antiypor.00439884
                                  ====> F4 down here to get out of the loop!
004398C1    /EB 01                jmp short antiypor.004398C4

004398C4     13C5                 adc eax,ebp
004398C6     61                   popad
004398C7     F9                   stc
004398C8     72 01                jb short antiypor.004398CB

004398CB     F5                   cmc
004398CC     C3                   retn
                                  ====> Returns to 0043972B. Heh, victory is not far off now

0043972B     8B9D 82D34000        mov ebx,dword ptr ss:[ebp+40D382]
00439731     33F6                 xor esi,esi
00439733     F7D3                 not ebx
00439735     0BF3                 or esi,ebx
00439737     75 08                jnz short antiypor.00439741

00439741     039D 62D34000        add ebx,dword ptr ss:[ebp+40D362]
                                  ====> EBX=00003C16 + 00400000=00403C16   This is the OEP
00439747     895C24 F0            mov dword ptr ss:[esp-10],ebx
0043974B     8DBD 84D24000        lea edi,dword ptr ss:[ebp+40D284]
00439751     33C0                 xor eax,eax
00439753     B9 9E030000          mov ecx,39E
00439758     F3:AA                rep stos byte ptr es:[edi]
0043975A     8DBD A2B64000        lea edi,dword ptr ss:[ebp+40B6A2]
00439760     B9 58170000          mov ecx,1758
00439765     F3:AA                rep stos byte ptr es:[edi]
00439767     66:AB                stos word ptr es:[edi]
00439769     8DBD A2B64000        lea edi,dword ptr ss:[ebp+40B6A2]
0043976F     85F6                 test esi,esi
00439771     75 08                jnz short antiypor.0043977B

0043977B     C607 E9              mov byte ptr ds:[edi],0E9
0043977E     47                   inc edi
0043977F     2BDF                 sub ebx,edi
00439781     83EB 04              sub ebx,4
00439784     891F                 mov dword ptr ds:[edi],ebx
00439786     8DBD FACD4000        lea edi,dword ptr ss:[ebp+40CDFA]
0043978C     B9 2C000000          mov ecx,2C
00439791     F3:AA                rep stos byte ptr es:[edi]
00439793     66:AB                stos word ptr es:[edi]
00439795     EB 02                jmp short antiypor.00439799

00439799     61                   popad
0043979A     FF6424 D0            jmp dword ptr ss:[esp-30]
                                  ====> Fly to the summit of light! Jumps to 00403C16
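The stubs at 00438C62 (first post) and 0043977B (this post) end the same way: the OEP RVA is kept bitwise-inverted and recovered with `not ebx` / `add ebx,[image base]`, then a five-byte `E9` jump to it is written, which is why `sub ebx,edi` is followed by `sub ebx,4`. The Python below is an added example (not code from either post) that mirrors both computations and decodes the short and near relative branches that appear in the listings, so the OEP values and jump encodings above can be checked arithmetically. The stub address 0x00432461 used in the demo is an assumption, derived from ebp = 00438D13 - 00411F4E in the first listing and not confirmed by the posts.

```python
import struct

IMAGE_BASE = 0x00400000   # [ebp+40D842] in the first post, [ebp+40D362] in the second


def _signed(value: int, bits: int) -> int:
    """Interpret an unsigned displacement as a two's-complement signed integer."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign


def branch_target(addr: int, code: bytes) -> int:
    """Destination of the relative branch encoded by `code` at `addr`.

    Covers the forms seen in the listings: EB/7x/E2/E3 rel8, E8/E9 rel32
    and 0F 8x rel32.  The displacement is measured from the END of the
    instruction, which is what the stub's `sub ebx,4` accounts for.
    """
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F or op in (0xE2, 0xE3):
        return (addr + 2 + _signed(code[1], 8)) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):
        disp = struct.unpack_from("<I", code, 1)[0]
        return (addr + 5 + _signed(disp, 32)) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        disp = struct.unpack_from("<I", code, 2)[0]
        return (addr + 6 + _signed(disp, 32)) & 0xFFFFFFFF
    raise ValueError(f"not a relative branch: {code.hex()}")


def oep_from_stored(stored: int, image_base: int = IMAGE_BASE) -> int:
    """Mirror of `not ebx` / `add ebx,[image base]`: the stub stores the OEP
    RVA inverted, so EBX=00004C22 after `not` means the dword was 0xFFFFB3DD."""
    return ((~stored) & 0xFFFFFFFF) + image_base


def build_oep_jmp(stub_at: int, oep: int) -> bytes:
    """Mirror of `mov byte [edi],0E9 / inc edi / sub ebx,edi / sub ebx,4 /
    mov [edi],ebx`.  After `inc edi`, edi is one past the opcode; subtracting
    edi and then 4 yields oep - (stub_at + 5), a standard rel32."""
    edi = stub_at + 1                       # inc edi
    rel = (oep - edi - 4) & 0xFFFFFFFF      # sub ebx,edi ; sub ebx,4
    return b"\xE9" + struct.pack("<I", rel)


if __name__ == "__main__":
    # First post: EBX=00004C22 after `not`, i.e. the stored dword was 0xFFFFB3DD.
    oep = oep_from_stored(0xFFFFB3DD)
    stub_at = 0x00432461                    # assumed stub location (see lead-in)
    jmp = build_oep_jmp(stub_at, oep)
    print(f"OEP {oep:08X}, stub writes {jmp.hex(' ').upper()}, "
          f"which resolves to {branch_target(stub_at, jmp):08X}")
    # Cross-check against a listing line: 0043741F  E9 DFFDFFFF  jmp 00437203
    print(f"{branch_target(0x0043741F, bytes.fromhex('E9DFFDFFFF')):08X}")
```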

————————————————————————

00403C16       55                 db 55
                                  ====> Here, fully dump the process with LordPE
00403C17       8B                 db 8B
00403C18       EC                 db EC
00403C19       6A                 db 6A 


—————————————————————————————————
IV. Manual repair


1. Use WinHex to copy the code from 部分dumped.dmp and write it to the corresponding location in dumped.exe, then save.

2. Open dumped.exe with PEditor, change the entry point to 00003C16, and fix the sections with dumpfixer.

3. Use LordPE to set the import table address to 00006078, then rebuild the PE. OK, it runs normally! 98.5K -> 221K
   The program was compiled with VC++ 6.0; after unpacking it runs across system platforms!


—————————————————————————————————
    
                                

            Cracked By 巢水工作坊 (fly) [OCN][FCG]

                   2003-10-15  13:50