【脱文标题】 Acprotect v1.41 完美脱壳+破解 -- Acprotect 主程序
【脱文作者】 股林精怪
【作者邮箱】 gljg@macd.cn
【使用工具】 OllyDbg 1.1、LordPE、WinHex
【破解平台】 WinXP
【软件名称】 Acprotect1.41 (2004/10/07)
【下载地址】 简体中文专业安装版   http://www.acprotector.com/download/acpr_std_1.41.exe
【软件简介】 ACProtect是由傲锐公司研发并拥有自主知识产权的加密软件精品,它有许多技术已经达到并超过了国外同类产品,是一个为 Windows下的EXE/DLL/OCX/SCR等32位可运行文件加密认证系统。
【加壳方式】 UltraProtect 1.x -> RISCO Software Inc.
【破解声明】 初学Crack,只是感兴趣,没有其他目的。

--------------------------------------------------------------------------------

【脱壳过程】

最近手头有几个用Acprotect加壳的软件,也就对Acprotect壳作了番研究,为提高境界也就以Acprotect主程序展开进攻,花费好几个业余的夜晚,终于一举拿下:)
现就重点简单整理一下,这也算是我学Crack以来的第一篇破文,有失误之处敬请诸位大侠赐教!

--------------------------------------------------------------------------------

一、脱壳
           
 设置OllyDbg忽略所有异常选项。用IsDebug 1.4插件去掉OllyDbg的调试器标志。

代码:
--------------------------------------------------------------------------------
00776000 >  60                      pushad//进入OD后停在这
00776001    E8 01000000             call ACProtec.00776007
--------------------------------------------------------------------------------
.idata区段设置内存写入断点
代码:
--------------------------------------------------------------------------------
0078A47F    03F2                    add esi,edx
0078A481    8B46 0C                 mov eax,dword ptr ds:[esi+C]
0078A484    0BC0                    or eax,eax
0078A486    0F84 25020000           je ACProtec.0078A6B1
0078A48C    8366 0C 00              and dword ptr ds:[esi+C],0//断在这里,NOP掉 ★
0078A490    03C2                    add eax,edx
0078A492    8BD8                    mov ebx,eax
0078A494    56                      push esi
0078A495    57                      push edi
0078A496    50                      push eax
0078A497    8BF3                    mov esi,ebx
0078A499    8BFB                    mov edi,ebx
0078A49B    AC                      lods byte ptr ds:[esi]
0078A49C    C0C0 03                 rol al,3
0078A49F    AA                      stos byte ptr es:[edi]//还原API函数
0078A4A0    803F 00                 cmp byte ptr ds:[edi],0
0078A4A3  ^ 75 F6                   jnz short ACProtec.0078A49B
0078A4A5    58                      pop eax
0078A4A6    5F                      pop edi
0078A4A7    5E                      pop esi
0078A4A8    50                      push eax
0078A4A9    FF95 20854100           call dword ptr ss:[ebp+418520]                     ; kernel32.GetModuleHandleA
0078A4AF    0BC0                    or eax,eax
0078A4B1    75 43                   jnz short ACProtec.0078A4F6
0078A4B3    90                      nop
0078A4B4    90                      nop
0078A4B5    90                      nop
0078A4B6    90                      nop
0078A4B7    53                      push ebx
0078A4B8    FF95 24854100           call dword ptr ss:[ebp+418524]
0078A4BE    0BC0                    or eax,eax
0078A4C0    75 34                   jnz short ACProtec.0078A4F6
0078A4C2    90                      nop
0078A4C3    90                      nop
0078A4C4    90                      nop
0078A4C5    90                      nop
0078A4C6    8B95 46F84000           mov edx,dword ptr ss:[ebp+40F846]
0078A4CC    0195 351B4000           add dword ptr ss:[ebp+401B35],edx
0078A4D2    0195 391B4000           add dword ptr ss:[ebp+401B39],edx
0078A4D8    6A 00                   push 0
0078A4DA    FFB5 351B4000           push dword ptr ss:[ebp+401B35]
0078A4E0    FFB5 391B4000           push dword ptr ss:[ebp+401B39]
0078A4E6    6A 00                   push 0
0078A4E8    FF95 2C854100           call dword ptr ss:[ebp+41852C]
0078A4EE    6A 00                   push 0
0078A4F0    FF95 28854100           call dword ptr ss:[ebp+418528]
0078A4F6    60                      pushad
0078A4F7    2BC0                    sub eax,eax//改jmp 0078A500
0078A4F9    8803                    mov byte ptr ds:[ebx],al//将还原的API函数清零
0078A4FB    43                      inc ebx
0078A4FC    3803                    cmp byte ptr ds:[ebx],al//将还原的API函数清零
0078A4FE  ^ 75 F9                   jnz short ACProtec.0078A4F9
0078A500    61                      popad
0078A501    8985 3EF84000           mov dword ptr ss:[ebp+40F83E],eax
0078A507    C785 42F84000 00000000  mov dword ptr ss:[ebp+40F842],0
0078A511    8B95 46F84000           mov edx,dword ptr ss:[ebp+40F846]
0078A517    8B06                    mov eax,dword ptr ds:[esi]
0078A519    0BC0                    or eax,eax
0078A51B    75 07                   jnz short ACProtec.0078A524
0078A51D    90                      nop
0078A51E    90                      nop
0078A51F    90                      nop
0078A520    90                      nop
0078A521    8B46 10                 mov eax,dword ptr ds:[esi+10]
0078A524    03C2                    add eax,edx
0078A526    0385 42F84000           add eax,dword ptr ss:[ebp+40F842]
0078A52C    8B18                    mov ebx,dword ptr ds:[eax]
0078A52E    8B7E 10                 mov edi,dword ptr ds:[esi+10]
0078A531    03FA                    add edi,edx
0078A533    03BD 42F84000           add edi,dword ptr ss:[ebp+40F842]
0078A539    85DB                    test ebx,ebx
0078A53B    0F84 62010000           je ACProtec.0078A6A3
0078A541    F7C3 00000080           test ebx,80000000
0078A547    75 1D                   jnz short ACProtec.0078A566
0078A549    90                      nop
0078A54A    90                      nop
0078A54B    90                      nop
0078A54C    90                      nop
0078A54D    03DA                    add ebx,edx
0078A54F    83C3 02                 add ebx,2
0078A552    56                      push esi
0078A553    57                      push edi
0078A554    50                      push eax
0078A555    8BF3                    mov esi,ebx
0078A557    8BFB                    mov edi,ebx
0078A559    AC                      lods byte ptr ds:[esi]
0078A55A    C0C0 03                 rol al,3
0078A55D    AA                      stos byte ptr es:[edi]//还原API函数
0078A55E    803F 00                 cmp byte ptr ds:[edi],0
0078A561  ^ 75 F6                   jnz short ACProtec.0078A559
0078A563    58                      pop eax
0078A564    5F                      pop edi
0078A565    5E                      pop esi
0078A566    3B9D 46F84000           cmp ebx,dword ptr ss:[ebp+40F846]
0078A56C    7C 11                   jl short ACProtec.0078A57F
0078A56E    90                      nop
0078A56F    90                      nop
0078A570    90                      nop
0078A571    90                      nop
0078A572    83BD 1A204000 00        cmp dword ptr ss:[ebp+40201A],0
0078A579    75 0A                   jnz short ACProtec.0078A585
0078A57B    90                      nop
0078A57C    90                      nop
0078A57D    90                      nop
0078A57E    90                      nop
0078A57F    81E3 FFFFFF0F           and ebx,0FFFFFFF
0078A585    53                      push ebx
0078A586    FFB5 3EF84000           push dword ptr ss:[ebp+40F83E]
0078A58C    FF95 1C854100           call dword ptr ss:[ebp+41851C]                     ; kernel32.GetProcAddress
0078A592    3B9D 46F84000           cmp ebx,dword ptr ss:[ebp+40F846]
0078A598    7C 0F                   jl short ACProtec.0078A5A9
0078A59A    90                      nop
0078A59B    90                      nop
0078A59C    90                      nop
0078A59D    90                      nop
0078A59E    60                      pushad
0078A59F    2BC0                    sub eax,eax//改jmp 0078A5A8
0078A5A1    8803                    mov byte ptr ds:[ebx],al//将还原的API函数清零
0078A5A3    43                      inc ebx
0078A5A4    3803                    cmp byte ptr ds:[ebx],al//将还原的API函数清零
0078A5A6  ^ 75 F9                   jnz short ACProtec.0078A5A1
0078A5A8    61                      popad
0078A5A9    0BC0                    or eax,eax
0078A5AB  ^ 0F84 15FFFFFF           je ACProtec.0078A4C6
0078A5B1    3B85 2C854100           cmp eax,dword ptr ss:[ebp+41852C]
0078A5B7    74 20                   je short ACProtec.0078A5D9
0078A5B9    90                      nop
0078A5BA    90                      nop
0078A5BB    90                      nop
0078A5BC    90                      nop
0078A5BD    3B85 C4FD4000           cmp eax,dword ptr ss:[ebp+40FDC4]
0078A5C3    74 09                   je short ACProtec.0078A5CE
0078A5C5    90                      nop
0078A5C6    90                      nop
0078A5C7    90                      nop
0078A5C8    90                      nop
0078A5C9    EB 14                   jmp short ACProtec.0078A5DF
0078A5CB    90                      nop
0078A5CC    90                      nop
0078A5CD    90                      nop
0078A5CE    8D85 31FE4000           lea eax,dword ptr ss:[ebp+40FE31]
0078A5D4    EB 09                   jmp short ACProtec.0078A5DF
0078A5D6    90                      nop
0078A5D7    90                      nop
0078A5D8    90                      nop
0078A5D9    8D85 4BFE4000           lea eax,dword ptr ss:[ebp+40FE4B]
0078A5DF    56                      push esi
0078A5E0    FFB5 3EF84000           push dword ptr ss:[ebp+40F83E]
0078A5E6    5E                      pop esi
0078A5E7    39B5 12204000           cmp dword ptr ss:[ebp+402012],esi
0078A5ED    74 15                   je short ACProtec.0078A604
0078A5EF    90                      nop
0078A5F0    90                      nop
0078A5F1    90                      nop
0078A5F2    90                      nop
0078A5F3    39B5 16204000           cmp dword ptr ss:[ebp+402016],esi
0078A5F9    74 09                   je short ACProtec.0078A604
0078A5FB    90                      nop
0078A5FC    90                      nop
0078A5FD    90                      nop
0078A5FE    90                      nop
0078A5FF    EB 63                   jmp short ACProtec.0078A664
0078A601    90                      nop
0078A602    90                      nop
0078A603    90                      nop
0078A604    80BD 16564100 00        cmp byte ptr ss:[ebp+415616],0
0078A60B    74 57                   je short ACProtec.0078A664
0078A60D    90                      nop
0078A60E    90                      nop
0078A60F    90                      nop
0078A610    90                      nop
0078A611    EB 07                   jmp short ACProtec.0078A61A
0078A613    90                      nop
0078A614    90                      nop
0078A615    90                      nop
0078A616    0100                    add dword ptr ds:[eax],eax
0078A618    0000                    add byte ptr ds:[eax],al
0078A61A    8BB5 0BF94000           mov esi,dword ptr ss:[ebp+40F90B]
0078A620    83C6 0D                 add esi,0D
0078A623    81EE 02184000           sub esi,ACProtec.00401802
0078A629    2BF5                    sub esi,ebp
0078A62B    83FE 00                 cmp esi,0
0078A62E    7F 34                   jg short ACProtec.0078A664
0078A630    90                      nop
0078A631    90                      nop
0078A632    90                      nop
0078A633    90                      nop
0078A634    8BB5 0BF94000           mov esi,dword ptr ss:[ebp+40F90B]
0078A63A    53                      push ebx
0078A63B    50                      push eax
0078A63C    E8 8DB2FFFF             call ACProtec.007858CE
0078A641    8BD8                    mov ebx,eax
0078A643    58                      pop eax
0078A644    33C3                    xor eax,ebx
0078A646    C606 68                 mov byte ptr ds:[esi],68
0078A649    8946 01                 mov dword ptr ds:[esi+1],eax
0078A64C    C746 05 81342400        mov dword ptr ds:[esi+5],243481
0078A653    895E 08                 mov dword ptr ds:[esi+8],ebx
0078A656    C646 0C C3              mov byte ptr ds:[esi+C],0C3
0078A65A    5B                      pop ebx
0078A65B    8BC6                    mov eax,esi
0078A65D    8385 0BF94000 0D        add dword ptr ss:[ebp+40F90B],0D
0078A664    5E                      pop esi
0078A665    60                      pushad
0078A666    8BD0                    mov edx,eax
0078A668    2BBD 46F84000           sub edi,dword ptr ss:[ebp+40F846]
0078A66E    8BC7                    mov eax,edi
0078A670    B9 01010000             mov ecx,101
0078A675    8DBD EBEC4000           lea edi,dword ptr ss:[ebp+40ECEB]
0078A67B    F2:AF                   repne scas dword ptr es:[edi]
0078A67D    0BC9                    or ecx,ecx
0078A67F    74 13                   je short ACProtec.0078A694
0078A681    90                      nop
0078A682    90                      nop
0078A683    90                      nop
0078A684    90                      nop
0078A685    81E9 01010000           sub ecx,101
0078A68B    F7D1                    not ecx
0078A68D    89948D EBE84000         mov dword ptr ss:[ebp+ecx*4+40E8EB],edx
0078A694    61                      popad
0078A695    8907                    mov dword ptr ds:[edi],eax//加密后的地址写入,NOP掉 ★
0078A697    8385 42F84000 04        add dword ptr ss:[ebp+40F842],4
0078A69E  ^ E9 6EFEFFFF             jmp ACProtec.0078A511
0078A6A3    83C6 14                 add esi,14
0078A6A6    8B95 46F84000           mov edx,dword ptr ss:[ebp+40F846]
0078A6AC  ^ E9 D0FDFFFF             jmp ACProtec.0078A481
0078A6B1    8DBD EBEC4000           lea edi,dword ptr ss:[ebp+40ECEB]
0078A6B7    33C0                    xor eax,eax//清除内存断点,F4直接到这,程序全部解压完成,快DUMP一下吧!
0078A6B9    B9 00010000             mov ecx,100
0078A6BE    F3:AB                   rep stos dword ptr es:[edi]
0078A6C0    60                      pushad
0078A6C1    E8 00000000             call ACProtec.0078A6C6
--------------------------------------------------------------------------------

二、寻找修复壳的入口
用OllyDbg重新打开ACProtec,在.idata区段设置内存写入断点,再选CODE区段设置内存访问断点,对一般没有入口点变形的程序可直达OEP。
代码:
--------------------------------------------------------------------------------
004069BE    C3                      retn
004069BF    90                      nop
004069C0    53                      push ebx//断在这里,从堆栈可以看出并非OEP,记下eax值
004069C1    8BD8                    mov ebx,eax
004069C3    33C0                    xor eax,eax
004069C5    A3 CC604F00             mov dword ptr ds:[4F60CC],eax
004069CA    6A 00                   push 0
--------------------------------------------------------------------------------
由于ACProtec采用Delphi编写,入口段也非常容易得到,如下:
代码:
--------------------------------------------------------------------------------
004F556C >  55                      push ebp
004F556D    8BEC                    mov ebp,esp
004F556F    83C4 F0                 add esp,-10
004F5572    B8 3C534F00             mov eax,Dumped.004F533C
004F5577    E8 4414F1FF             call Dumped.004069C0
004F557C    A1 6CA25100             mov eax,dword ptr ds:[51A26C]
004F5581    8B00                    mov eax,dword ptr ds:[eax]
004F5583    E8 788BF7FF             call Dumped.0046E100
004F5588    8B0D EC9F5100           mov ecx,dword ptr ds:[519FEC]                      ; Dumped.0051CD24
004F558E    A1 6CA25100             mov eax,dword ptr ds:[51A26C]
004F5593    8B00                    mov eax,dword ptr ds:[eax]
004F5595    8B15 BCB34700           mov edx,dword ptr ds:[47B3BC]                      ; Dumped.0047B408
004F559B    E8 788BF7FF             call Dumped.0046E118
004F55A0    8B0D 089F5100           mov ecx,dword ptr ds:[519F08]                      ; Dumped.0051CD1C
004F55A6    A1 6CA25100             mov eax,dword ptr ds:[51A26C]
004F55AB    8B00                    mov eax,dword ptr ds:[eax]
004F55AD    8B15 28B04700           mov edx,dword ptr ds:[47B028]                      ; Dumped.0047B074
004F55B3    E8 608BF7FF             call Dumped.0046E118
004F55B8    A1 6CA25100             mov eax,dword ptr ds:[51A26C]
004F55BD    8B00                    mov eax,dword ptr ds:[eax]
004F55BF    E8 D48BF7FF             call Dumped.0046E198
004F55C4    E8 D3F3F0FF             call Dumped.0040499C
--------------------------------------------------------------------------------
修复好入口,再用LordPE修改导入表 RVA=00339000,大小=154,这样脱壳基本完成。

三、修复代码替换 Code Replace
Code Replace 的基本原理是:选取5个字节的两条指令,且一定是2+3或3+2,转换为一个call;call后还原时无规律地增加了如add ecx,ebp和sub ecx,ebp//inc ebp和dec ebp//push esp和pop esp//xor esi,ebx和xor esi,ebx等等一些垃圾代码。
Code Replace的地址也很容易得到
Code Replace代码:
--------------------------------------------------------------------------------
0077702E    60                      pushad
0077702F    FC                      cld
----------------
----------------
----------------
007771D9    E8 22EF0000             call ACProtec.00786100//等于 mov ebp,37500
007771DE    8B4424 20               mov eax,dword ptr ss:[esp+20]
007771E2    33C9                    xor ecx,ecx
007771E4    8B9C8D 812E4000         mov ebx,dword ptr ss:[ebp+ecx*4+402E81]//ebp+402E81=777E81
007771EB    039D 46F84000           add ebx,dword ptr ss:[ebp+40F846]
007771F1    3BC3                    cmp eax,ebx
007771F3    74 07                   je short ACProtec.007771FC
007771F5    90                      nop
007771F6    90                      nop
007771F7    90                      nop
007771F8    90                      nop
007771F9    41                      inc ecx
007771FA  ^ EB E8                   jmp short ACProtec.007771E4
007771FC    8DB5 615D4000           lea esi,dword ptr ss:[ebp+405D61]//ebp+405D61=77AD61
00777202    B8 0A000000             mov eax,0A
00777207    F7E1                    mul ecx
00777209    03F0                    add esi,eax
0077720B    8DBD 07184000           lea edi,dword ptr ss:[ebp+401807]
00777211    0FB6840D C9224000       movzx eax,byte ptr ss:[ebp+ecx+4022C9]
00777219    FEC0                    inc al
0077721B    88840D C9224000         mov byte ptr ss:[ebp+ecx+4022C9],al
00777222    3C 20                   cmp al,20
00777224    75 13                   jnz short ACProtec.00777239
00777226    90                      nop
00777227    90                      nop
00777228    90                      nop
00777229    90                      nop
0077722A    8BBD 4AF84000           mov edi,dword ptr ss:[ebp+40F84A]
00777230    B8 0A000000             mov eax,0A
00777235    F7E1                    mul ecx
00777237    03F8                    add edi,eax
00777239    8A9D 1E204000           mov bl,byte ptr ss:[ebp+40201E]//ss:[0077701E]=97
0077723F    B9 0A000000             mov ecx,0A
00777244    AC                      lods byte ptr ds:[esi]
00777245    32C3                    xor al,bl
00777247    AA                      stos byte ptr es:[edi]
00777248  ^ E2 FA                   loopd short ACProtec.00777244
0077724A    83EF 0A                 sub edi,0A
0077724D    57                      push edi
0077724E    8DB5 07184000           lea esi,dword ptr ss:[ebp+401807]
00777254    33F7                    xor esi,edi
00777256    74 19                   je short ACProtec.00777271
00777258    90                      nop
00777259    90                      nop
0077725A    90                      nop
0077725B    90                      nop
0077725C    8B7424 24               mov esi,dword ptr ss:[esp+24]
00777260    83EE 04                 sub esi,4
00777263    AD                      lods dword ptr ds:[esi]
00777264    81EF 2E204000           sub edi,ACProtec.0040202E
0077726A    2BFD                    sub edi,ebp
0077726C    03C7                    add eax,edi
0077726E    8946 FC                 mov dword ptr ds:[esi-4],eax
00777271    5F                      pop edi
00777272    57                      push edi
00777273    33C9                    xor ecx,ecx
00777275    83F9 08                 cmp ecx,8
00777278    74 0E                   je short ACProtec.00777288
0077727A    90                      nop
0077727B    90                      nop
0077727C    90                      nop
0077727D    90                      nop
0077727E    8B448C 04               mov eax,dword ptr ss:[esp+ecx*4+4]
00777282    89048C                  mov dword ptr ss:[esp+ecx*4],eax
00777285    41                      inc ecx
00777286  ^ EB ED                   jmp short ACProtec.00777275
--------------------------------------------------------------------------------
为了完美还原回原处,我写了段还原代码如下:
--------------------------------------------------------------------------------
0077702E    60                      pushad
0077702F    33C0                    xor eax,eax
00777031    BF 61AD7700             mov edi,ACProtec.0077AD61
00777036    833C38 00               cmp dword ptr ds:[eax+edi],0
0077703A    74 07                   je short ACProtec.00777043
0077703C    803438 97               xor byte ptr ds:[eax+edi],97
00777040    40                      inc eax
00777041  ^ EB F3                   jmp short ACProtec.00777036
00777043    33C9                    xor ecx,ecx
00777045    8B348D 817E7700         mov esi,dword ptr ds:[ecx*4+777E81]
0077704C    83FE 00                 cmp esi,0
0077704F    75 06                   jnz short ACProtec.00777057
00777051    61                      popad
00777052    832C24 05               sub dword ptr ss:[esp],5
00777056    C3                      retn
00777057    BF 61AD7700             mov edi,ACProtec.0077AD61
0077705C    81C6 FBFF3F00           add esi,3FFFFB
00777062    B8 0A000000             mov eax,0A
00777067    F7E1                    mul ecx
00777069    03F8                    add edi,eax
0077706B    33C0                    xor eax,eax
0077706D    803C38 03               cmp byte ptr ds:[eax+edi],3
00777071    74 7D                   je short ACProtec.007770F0
00777073    803C38 33               cmp byte ptr ds:[eax+edi],33
00777077    0F84 D7000000           je ACProtec.00777154
0077707D    803C38 40               cmp byte ptr ds:[eax+edi],40
00777081    72 06                   jb short ACProtec.00777089
00777083    803C38 58               cmp byte ptr ds:[eax+edi],58
00777087    72 03                   jb short ACProtec.0077708C
00777089    40                      inc eax
0077708A  ^ EB E1                   jmp short ACProtec.0077706D
0077708C    8A1438                  mov dl,byte ptr ds:[eax+edi]
0077708F    80C2 08                 add dl,8
00777092    8BD8                    mov ebx,eax
00777094    43                      inc ebx
00777095    3A143B                  cmp dl,byte ptr ds:[ebx+edi]
00777098    74 07                   je short ACProtec.007770A1
0077709A    83FB 08                 cmp ebx,8
0077709D  ^ 72 F5                   jb short ACProtec.00777094
0077709F  ^ EB E8                   jmp short ACProtec.00777089
007770A1    2BD8                    sub ebx,eax
007770A3    83F8 00                 cmp eax,0
007770A6    75 22                   jnz short ACProtec.007770CA
007770A8    83FB 02                 cmp ebx,2
007770AB  ^ 72 DC                   jb short ACProtec.00777089
007770AD    4B                      dec ebx
007770AE    47                      inc edi
007770AF    33ED                    xor ebp,ebp
007770B1    8A142F                  mov dl,byte ptr ds:[edi+ebp]
007770B4    88142E                  mov byte ptr ds:[esi+ebp],dl
007770B7    83FD 04                 cmp ebp,4
007770BA    0F84 F3000000           je ACProtec.007771B3
007770C0    45                      inc ebp
007770C1    3BDD                    cmp ebx,ebp
007770C3  ^ 75 EC                   jnz short ACProtec.007770B1
007770C5    47                      inc edi
007770C6    33DB                    xor ebx,ebx
007770C8  ^ EB E7                   jmp short ACProtec.007770B1
007770CA    83FB 02                 cmp ebx,2
007770CD  ^ 74 BA                   je short ACProtec.00777089
007770CF    33ED                    xor ebp,ebp
007770D1    8A142F                  mov dl,byte ptr ds:[edi+ebp]
007770D4    88142E                  mov byte ptr ds:[esi+ebp],dl
007770D7    83FD 04                 cmp ebp,4
007770DA    0F84 D3000000           je ACProtec.007771B3
007770E0    45                      inc ebp
007770E1    3BC5                    cmp eax,ebp
007770E3  ^ 75 EC                   jnz short ACProtec.007770D1
007770E5    47                      inc edi
007770E6    33C0                    xor eax,eax
007770E8    83FB 01                 cmp ebx,1
007770EB  ^ 75 E4                   jnz short ACProtec.007770D1
007770ED    47                      inc edi
007770EE  ^ EB E1                   jmp short ACProtec.007770D1
007770F0    66:8B1438               mov dx,word ptr ds:[eax+edi]
007770F4    66:83C2 28              add dx,28
007770F8    8BD8                    mov ebx,eax
007770FA    43                      inc ebx
007770FB    43                      inc ebx
007770FC    66:39143B               cmp word ptr ds:[ebx+edi],dx
00777100    74 07                   je short ACProtec.00777109
00777102    83FB 08                 cmp ebx,8
00777105  ^ 72 F4                   jb short ACProtec.007770FB
00777107  ^ EB 80                   jmp short ACProtec.00777089
00777109    83F8 00                 cmp eax,0
0077710C    75 23                   jnz short ACProtec.00777131
0077710E    8D43 FE                 lea eax,dword ptr ds:[ebx-2]
00777111    83C7 02                 add edi,2
00777114    33ED                    xor ebp,ebp
00777116    8A142F                  mov dl,byte ptr ds:[edi+ebp]
00777119    88142E                  mov byte ptr ds:[esi+ebp],dl
0077711C    83FD 04                 cmp ebp,4
0077711F    0F84 8E000000           je ACProtec.007771B3
00777125    45                      inc ebp
00777126    3BC5                    cmp eax,ebp
00777128  ^ 75 EC                   jnz short ACProtec.00777116
0077712A    83C7 02                 add edi,2
0077712D    33C0                    xor eax,eax
0077712F  ^ EB E5                   jmp short ACProtec.00777116
00777131    2BD8                    sub ebx,eax
00777133    33ED                    xor ebp,ebp
00777135    8A142F                  mov dl,byte ptr ds:[edi+ebp]
00777138    88142E                  mov byte ptr ds:[esi+ebp],dl
0077713B    83FD 04                 cmp ebp,4
0077713E    74 73                   je short ACProtec.007771B3
00777140    45                      inc ebp
00777141    3BC5                    cmp eax,ebp
00777143  ^ 75 F0                   jnz short ACProtec.00777135
00777145    83C7 02                 add edi,2
00777148    33C0                    xor eax,eax
0077714A    83FB 02                 cmp ebx,2
0077714D  ^ 75 E6                   jnz short ACProtec.00777135
0077714F    83C7 02                 add edi,2
00777152  ^ EB E1                   jmp short ACProtec.00777135
00777154    66:8B1438               mov dx,word ptr ds:[eax+edi]
00777158    8BD8                    mov ebx,eax
0077715A    43                      inc ebx
0077715B    43                      inc ebx
0077715C    66:39143B               cmp word ptr ds:[ebx+edi],dx
00777160    74 0A                   je short ACProtec.0077716C
00777162    83FB 08                 cmp ebx,8
00777165  ^ 72 F4                   jb short ACProtec.0077715B
00777167  ^ E9 1DFFFFFF             jmp ACProtec.00777089
0077716C    83F8 00                 cmp eax,0
0077716F    75 1F                   jnz short ACProtec.00777190
00777171    8D43 FE                 lea eax,dword ptr ds:[ebx-2]
00777174    83C7 02                 add edi,2
00777177    33ED                    xor ebp,ebp
00777179    8A142F                  mov dl,byte ptr ds:[edi+ebp]
0077717C    88142E                  mov byte ptr ds:[esi+ebp],dl
0077717F    83FD 04                 cmp ebp,4
00777182    74 2F                   je short ACProtec.007771B3
00777184    45                      inc ebp
00777185    3BC5                    cmp eax,ebp
00777187  ^ 75 F0                   jnz short ACProtec.00777179
00777189    83C7 02                 add edi,2
0077718C    33C0                    xor eax,eax
0077718E  ^ EB E9                   jmp short ACProtec.00777179
00777190    2BD8                    sub ebx,eax
00777192    33ED                    xor ebp,ebp
00777194    8A142F                  mov dl,byte ptr ds:[edi+ebp]
00777197    88142E                  mov byte ptr ds:[esi+ebp],dl
0077719A    83FD 04                 cmp ebp,4
0077719D    74 14                   je short ACProtec.007771B3
0077719F    45                      inc ebp
007771A0    3BC5                    cmp eax,ebp
007771A2  ^ 75 F0                   jnz short ACProtec.00777194
007771A4    83C7 02                 add edi,2
007771A7    33C0                    xor eax,eax
007771A9    83FB 02                 cmp ebx,2
007771AC  ^ 75 E6                   jnz short ACProtec.00777194
007771AE    83C7 02                 add edi,2
007771B1  ^ EB E1                   jmp short ACProtec.00777194
007771B3    41                      inc ecx
007771B4  ^ E9 8CFEFFFF             jmp ACProtec.00777045
--------------------------------------------------------------------------------

四、还原嵌套加密清除垃圾
这可是件极其艰巨的工作,这里只简要说说:
看下面代码,在0078586D处下断,留意[esp+10]:等于5时将要解码的段保存,等于4时将参数为5时保存的段还原,等于2时用key来解下面的代码,等于3时用key来加密上面的代码。
那我们可以想办法令它只解而不还原,最后再来把垃圾代码去除,呵呵,有几十处之多呀!大家可以打开看看有多少个90就知道有多垃圾啦。
--------------------------------------------------------------------------------
0047C7DC    60                      pushad
0047C7DD    6A 05                   push 5
0047C7DF    6A 00                   push 0
0047C7E1    6A 00                   push 0
0047C7E3    6A FF                   push -1
0047C7E5    E8 83903000             call ACProtec.0078586D
0047C7EA    61                      popad
--------------------------------------------------------------------------------

五、还原多态连接
原代码:
--------------------------------------------------------------------------------
0078230B    60                      pushad
0078230C    8BEF                    mov ebp,edi
----------------
----------------
----------------
007824B6    E8 453C0000             call ACProtec.00786100
007824BB    8B4424 20               mov eax,dword ptr ss:[esp+20]
007824BF    2B85 46F84000           sub eax,dword ptr ss:[ebp+40F846]
007824C5    B9 E9030000             mov ecx,3E9
007824CA    8DBD 63D54000           lea edi,dword ptr ss:[ebp+40D563]
007824D0    F2:AF                   repne scas dword ptr es:[edi]
007824D2    0BC9                    or ecx,ecx
007824D4    75 04                   jnz short ACProtec.007824DA
007824D6    90                      nop
007824D7    90                      nop
007824D8    90                      nop
007824D9    90                      nop
007824DA    81E9 E9030000           sub ecx,3E9
007824E0    F7D1                    not ecx
007824E2    0FB69C0D 03E54000       movzx ebx,byte ptr ss:[ebp+ecx+40E503]
007824EA    8D849D EBE84000         lea eax,dword ptr ss:[ebp+ebx*4+40E8EB]
007824F1    8DBD 07184000           lea edi,dword ptr ss:[ebp+401807]
007824F7    66:C707 FF25            mov word ptr ds:[edi],25FF
007824FC    8947 02                 mov dword ptr ds:[edi+2],eax
007824FF    C647 06 C3              mov byte ptr ds:[edi+6],0C3
00782503    FF7424 20               push dword ptr ss:[esp+20]
00782507    8DBD 07184000           lea edi,dword ptr ss:[ebp+401807]
0078250D    33C9                    xor ecx,ecx
0078250F    83F9 08                 cmp ecx,8
00782512    74 0E                   je short ACProtec.00782522
00782514    90                      nop
00782515    90                      nop
00782516    90                      nop
00782517    90                      nop
00782518    8B448C 04               mov eax,dword ptr ss:[esp+ecx*4+4]
0078251C    89048C                  mov dword ptr ss:[esp+ecx*4],eax
0078251F    41                      inc ecx
00782520  ^ EB ED                   jmp short ACProtec.0078250F
--------------------------------------------------------------------------------
下面是我写的一段还原代码:
--------------------------------------------------------------------------------
0078230B    60                      pushad
0078230C    33C9                    xor ecx,ecx
0078230E    8B148D 63257800         mov edx,dword ptr ds:[ecx*4+782563]
00782315    81C2 FCFF3F00           add edx,3FFFFC
0078231B    0FB699 03357800         movzx ebx,byte ptr ds:[ecx+783503]
00782322    8D049D EB387800         lea eax,dword ptr ds:[ebx*4+7838EB]
00782329    8B18                    mov ebx,dword ptr ds:[eax]
0078232B    81FB 00008000           cmp ebx,800000
00782331    72 04                   jb short ACProtec.00782337
00782333    8BC3                    mov eax,ebx
00782335    EB 06                   jmp short ACProtec.0078233D
00782337    43                      inc ebx
00782338    8B03                    mov eax,dword ptr ds:[ebx]
0078233A    3343 07                 xor eax,dword ptr ds:[ebx+7]
0078233D    E8 4C000000             call ACProtec.0078238E
00782342    41                      inc ecx
00782343    81F9 E8030000           cmp ecx,3E8
00782349  ^ 75 C3                   jnz short ACProtec.0078230E
0078234B    BA 00104000             mov edx,ACProtec.00401000
00782350    81FA 00604F00           cmp edx,ACProtec.004F6000
00782356    74 2F                   je short ACProtec.00782387
00782358    42                      inc edx
00782359    807A FF E8              cmp byte ptr ds:[edx-1],0E8
0078235D  ^ 75 F1                   jnz short ACProtec.00782350
0078235F    8B02                    mov eax,dword ptr ds:[edx]
00782361    03C2                    add eax,edx
00782363    3D 00577800             cmp eax,ACProtec.00785700
00782368  ^ 72 E6                   jb short ACProtec.00782350
0078236A    3D 00597800             cmp eax,ACProtec.00785900
0078236F  ^ 77 DF                   ja short ACProtec.00782350
00782371    83C0 05                 add eax,5
00782374    66:8138 FF25            cmp word ptr ds:[eax],25FF
00782379  ^ 75 D5                   jnz short ACProtec.00782350
0078237B    8B40 02                 mov eax,dword ptr ds:[eax+2]
0078237E    8B00                    mov eax,dword ptr ds:[eax]
00782380    E8 09000000             call ACProtec.0078238E
00782385  ^ EB C9                   jmp short ACProtec.00782350
00782387    61                      popad
00782388    832C24 05               sub dword ptr ss:[esp],5
0078238C    C3                      retn
0078238D    90                      nop
0078238E    BB 00907300             mov ebx,ACProtec.00739000
00782393    3903                    cmp dword ptr ds:[ebx],eax
00782395    74 0D                   je short ACProtec.007823A4
00782397    83C3 04                 add ebx,4
0078239A    81FB 40987300           cmp ebx,ACProtec.00739840
007823A0  ^ 75 F1                   jnz short ACProtec.00782393
007823A2    EB 26                   jmp short ACProtec.007823CA
007823A4    B8 00104000             mov eax,ACProtec.00401000
007823A9    3918                    cmp dword ptr ds:[eax],ebx
007823AB    74 0A                   je short ACProtec.007823B7
007823AD    40                      inc eax
007823AE    3D 00604F00             cmp eax,ACProtec.004F6000
007823B3  ^ 75 F4                   jnz short ACProtec.007823A9
007823B5    EB 13                   jmp short ACProtec.007823CA
007823B7    66:8178 FE FF25         cmp word ptr ds:[eax-2],25FF
007823BD  ^ 75 EE                   jnz short ACProtec.007823AD
007823BF    8BDA                    mov ebx,edx
007823C1    2BD8                    sub ebx,eax
007823C3    F7D3                    not ebx
007823C5    83EB 05                 sub ebx,5
007823C8    891A                    mov dword ptr ds:[edx],ebx
007823CA    C3                      retn
--------------------------------------------------------------------------------

六、最终修复及破解
不值一提,略过。。。。。。



               股林精怪    gljg@macd.cn


               2005年1月30日   0:00