There are several ways to remove the usage restrictions of the ASPR (ASProtect) packer; one of them is to trace pre-dip.
Load the program in OD (OllyDbg) and press Shift+F9 to skip the exceptions until the hard-disk fingerprint appears.
Code:
0012FF2C  0012FF34  Pointer to next SEH record
0012FF30  00CFA898  SE handler
0012FF34  0012FF40  Pointer to next SEH record
0012FF38  00CFB236  SE handler
0012FF3C  0012FF90
0012FF40  0012FFE0  Pointer to next SEH record
0012FF44  00CFB25B  SE handler
0012FF48  0012FF90
0012FF4C  00CE0000
0012FF50  00B60000
0012FF54  00CFA684
0012FF58  00000000
0012FF5C  00D823DC  ASCII "mIjMiACQQJ8="   <<== hard-disk fingerprint
0012FF60  00CE0000
0012FF64  00B60000
Taking the hard-disk fingerprint as the first part, the relative positions of the remaining parts are as follows.
Code:
Press Shift+F9   registration name      (part two)
Press Shift+F9   usage restrictions     (part three)
Press Shift+F9   life-or-death branch   (part four)
Part three follows.
Code:
00CFAEBD  58              POP EAX
00CFAEBE  8B15 ECC5CF00   MOV EDX,DWORD PTR DS:[CFC5EC]
00CFAEC4  A1 54C6CF00     MOV EAX,DWORD PTR DS:[CFC654]
00CFAEC9  E8 8A06FFFF     CALL 00CEB558                    <<== checks whether the trial has expired and sets flags in the memory region at 00CFC5EC
00CFAECE  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFAED3  8378 10 00      CMP DWORD PTR DS:[EAX+10],0      <<== is there a time limit?
00CFAED7  74 2D           JE SHORT 00CFAF06
00CFAED9  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAEDE  8078 31 00      CMP BYTE PTR DS:[EAX+31],0
00CFAEE2  74 04           JE SHORT 00CFAEE8
00CFAEE4  33C0            XOR EAX,EAX
00CFAEE6  EB 09           JMP SHORT 00CFAEF1
00CFAEE8  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAEED  0FB740 0C       MOVZX EAX,WORD PTR DS:[EAX+C]    <<== fetch the time limit
00CFAEF1  50              PUSH EAX                         <<== push it
00CFAEF2  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAEF7  0FB740 08       MOVZX EAX,WORD PTR DS:[EAX+8]    <<== fetch the remaining time
00CFAEFB  50              PUSH EAX                         <<== push the remaining time
00CFAEFC  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFAF01  8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]
00CFAF04  FFD0            CALL EAX                         <<== pre-dip time limit
00CFAF06  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFAF0B  8378 14 00      CMP DWORD PTR DS:[EAX+14],0      <<== is there a run-count limit?
00CFAF0F  74 1E           JE SHORT 00CFAF2F
00CFAF11  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAF16  0FB740 12       MOVZX EAX,WORD PTR DS:[EAX+12]
00CFAF1A  50              PUSH EAX
00CFAF1B  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAF20  0FB740 0E       MOVZX EAX,WORD PTR DS:[EAX+E]
00CFAF24  50              PUSH EAX
00CFAF25  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFAF2A  8B40 14         MOV EAX,DWORD PTR DS:[EAX+14]
00CFAF2D  FFD0            CALL EAX                         <<== pre-dip run-count limit
00CFAF2F  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFAF34  8378 18 00      CMP DWORD PTR DS:[EAX+18],0
00CFAF38  74 57           JE SHORT 00CFAF91
Memory at 00CFDDDC after 00CFAEC9 CALL 00CEB558 has executed:
Code:
00CFDDDC  00 00 00 00 00 00 00 00 1E 00 37 00 1E 00 00 00  ..........7.....
00CFDDEC  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00CFDDFC  3C 08 8A 16 0D 9C E2 40 1A 6A 8A 54 CE A2 E2 40  <......@.j.T...@
00CFDE0C  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00CFDDE4  trial days (1E = 30 days)
00CFDDE8  days already used; if the trial has expired, change this so that 00CFDDE8 = 00CFDDE4
00CFDE0C  expired flag (00 = not expired, 01 = expired); set 00CFDE0C = 00 00
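As an added example (not code from the original post), the following Python reads a dump listing like the one above and decodes the trial record the post describes. The dump text is a constructed copy of the post's listing, the field offsets are the post's annotated addresses taken relative to 00CFDDDC, and the field widths are an assumption drawn from the MOVZX WORD PTR and CMP BYTE PTR reads in the disassembly. It is read-only: it lets an analyst confirm what the packer stored without touching the process.

```python
import re
import struct

# Constructed copy of the OllyDbg dump quoted in the post.
DUMP = """\
00CFDDDC  00 00 00 00 00 00 00 00 1E 00 37 00 1E 00 00 00  ..........7.....
00CFDDEC  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00CFDDFC  3C 08 8A 16 0D 9C E2 40 1A 6A 8A 54 CE A2 E2 40  <......@.j.T...@
00CFDE0C  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
"""

ADDR_RE = re.compile(r"[0-9A-Fa-f]{8}")
BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dump(text):
    """Return (base_address, bytes) for an OllyDbg-style hex dump.

    Each line is '<addr>  <up to 16 hex bytes>  <ascii column>'. Lines must be
    contiguous; a gap or overlap between lines raises ValueError so that a
    field is never decoded from the wrong address.
    """
    base = None
    buf = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not ADDR_RE.fullmatch(tokens[0]):
            continue
        chunk = bytearray()
        for tok in tokens[1:17]:          # at most 16 bytes per dump line
            if not BYTE_RE.fullmatch(tok):
                break                     # reached the ASCII column
            chunk.append(int(tok, 16))
        if not chunk:
            continue
        addr = int(tokens[0], 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"non-contiguous dump line at {addr:08X}")
        buf += chunk
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(buf)


# Record layout as annotated in the post: 00CFDDE4, 00CFDDE8 and 00CFDE0C
# relative to the record start 00CFDDDC. Widths are an assumption based on
# the disassembly (WORD reads at +8/+C, BYTE compare at +30).
RECORD_BASE = 0x00CFDDDC
FIELDS = {
    "trial_days":   (0x08, "<H"),   # 00CFDDE4
    "days_used":    (0x0C, "<H"),   # 00CFDDE8
    "expired_flag": (0x30, "<B"),   # 00CFDE0C
}


def decode_trial_record(base, data, record=RECORD_BASE):
    """Decode the named fields from a dump that covers the record."""
    start = record - base
    if start < 0:
        raise ValueError("record lies before the start of the dump")
    out = {}
    for name, (off, fmt) in FIELDS.items():
        pos = start + off
        if pos + struct.calcsize(fmt) > len(data):
            raise ValueError(f"dump too short for field {name}")
        out[name] = struct.unpack_from(fmt, data, pos)[0]
    return out


def summarize(fields):
    """One-line human-readable description of the decoded record."""
    state = "expired" if fields["expired_flag"] else "not expired"
    return (f"trial {fields['trial_days']} days, {fields['days_used']} used, "
            f"flag={fields['expired_flag']:#04x} ({state})")


if __name__ == "__main__":
    base, data = parse_dump(DUMP)
    print(summarize(decode_trial_record(base, data)))
```

For the dump shown, the decoder reports a 30-day trial with 30 days used and a clear expired flag, which matches the post's reading of 00CFDDE4, 00CFDDE8 and 00CFDE0C.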
Follow into 00CFAF04 CALL EAX <<== EAX = 0048C6AC
Code:
0048C6AC  55              PUSH EBP                         <<== application code
0048C6AD  8BEC            MOV EBP,ESP
0048C6AF  A1 1C734E00     MOV EAX,DWORD PTR DS:[4E731C]    <<== fetch the flag; here it is FFFFFFFE
0048C6B4  A3 18734E00     MOV DWORD PTR DS:[4E7318],EAX    <<== store the flag; it is 0 when there is no packer. These two instructions are rarely seen.
0048C6B9  8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]     <<== fetch the time-limit days
0048C6BC  A3 1C734E00     MOV DWORD PTR DS:[4E731C],EAX
0048C6C1  8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]     <<== fetch the remaining days
0048C6C4  A3 20734E00     MOV DWORD PTR DS:[4E7320],EAX
0048C6C9  5D              POP EBP
0048C6CA  C2 0800         RETN 8                           <<== return to the packer
After returning to the packer, press F9 to reach the next exception. (Part four)
Code:
00CFAFDF  3100            XOR DWORD PTR DS:[EAX],EAX       <<== exception
00CFAFE1  EB 01           JMP SHORT 00CFAFE4               <<== set a breakpoint here with F2, then press Shift+F9 to break here.
Single-step to:
Code:
00CFAFEF  58              POP EAX
00CFAFF0  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFAFF5  8078 30 00      CMP BYTE PTR DS:[EAX+30],0       <<== has the time limit been exceeded?
00CFAFF9  75 0B           JNZ SHORT 00CFB006               <<== jumps if expired
00CFAFFB  A1 ECC5CF00     MOV EAX,DWORD PTR DS:[CFC5EC]
00CFB000  8078 31 00      CMP BYTE PTR DS:[EAX+31],0
00CFB004  74 3C           JE SHORT 00CFB042                <<== must jump
00CFB006  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB00B  8378 24 00      CMP DWORD PTR DS:[EAX+24],0
00CFB00F  74 13           JE SHORT 00CFB024
00CFB011  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB016  8B40 20         MOV EAX,DWORD PTR DS:[EAX+20]
00CFB019  50              PUSH EAX
00CFB01A  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB01F  8B40 24         MOV EAX,DWORD PTR DS:[EAX+24]
00CFB022  FFD0            CALL EAX                         <<== expired pre-dip; when unpacking with a tool, most runs end up here
00CFB024  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB029  8378 34 00      CMP DWORD PTR DS:[EAX+34],0
00CFB02D  74 31           JE SHORT 00CFB060
00CFB02F  6A 01           PUSH 1
00CFB031  68 E654CE00     PUSH 0CE54E6
00CFB036  832C24 02       SUB DWORD PTR SS:[ESP],2
00CFB03A  FF25 7CDBCF00   JMP DWORD PTR DS:[CFDB7C]
00CFB040  EB 1E           JMP SHORT 00CFB060
00CFB042  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB047  8378 24 00      CMP DWORD PTR DS:[EAX+24],0
00CFB04B  74 13           JE SHORT 00CFB060
00CFB04D  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB052  8B40 1C         MOV EAX,DWORD PTR DS:[EAX+1C]
00CFB055  50              PUSH EAX
00CFB056  A1 1CC7CF00     MOV EAX,DWORD PTR DS:[CFC71C]
00CFB05B  8B40 24         MOV EAX,DWORD PTR DS:[EAX+24]
00CFB05E  FFD0            CALL EAX                         <<== when the limit has not been exceeded, execution arrives here.
00CFB060  33C9            XOR ECX,ECX
00CFB062  BA 78B2CF00     MOV EDX,0CFB278
Follow into 00CFB05E CALL EAX:
Code:
0048C5E0  55              PUSH EBP
0048C5E1  8BEC            MOV EBP,ESP
0048C5E3  8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0048C5E6  A3 40AC4E00     MOV DWORD PTR DS:[4EAC40],EAX    <<== if unpacking with a tool or dumping before this point, this location has to be patched
0048C5EB  5D              POP EBP
0048C5EC  C2 0400         RETN 4
The same method applies to the usage limit, so it is not repeated here.
The above is the process of tracing pre-dip; I hope it is of some help to beginners.
Thanks to Volx for the pointers.