unpack and crack Cabinet Manager 2001 3.5 Beta
by Fpc[CCG]/6767[BCG] @2001/09
tools: si, icedump, peditor, wdasm, regmon
level: 1.5/5
软件名称:Cabinet Manager 2001b
整理日期:2001.9.1
最新版本:3.5 Beta 2
文件大小:1064KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000
发布公司:Home Page
软件简介:是一套CAB格式压缩工具软件,它除可用来建立及解压缩CAB压缩文件外,另可制成自解包文件及自动安装程序,且支持鼠标右键的快显功能、使用上相当的方便。
下载地址:http://newhua.ruyi.com/down/cab2001b.zip
又是一个压缩工具,仿Windows XP界面,是测试版,有时间限制,这个可以解除,不过没有注册码,不爽。
目标由Pe-Encryptor 0.75加壳,因其不需要重建IT,手动的难度不大。里面用到SEH知识,白天刚在Ljtt的网站看过,呵呵,首先要感谢他。下面是过程:
[Begin]
1、用peditor看主程序文件,Size=5A000。
2、用Symbol Loader载入,当然先要运行icedump,停在入口处(下面的代码我是按执行顺序贴出的):
017F:00459601 PUSH EBP
<- 入口
017F:00459602 CALL 004596F3
<- F10
017F:00459607 XCHG EDX,EBP
017F:00459609 POP EBP
017F:0045960A PUSHAD
017F:0045960B XCHG EDX,EBP
017F:0045960D CMP BYTE PTR [EBP+402715],01
017F:00459614 JZ 0045964F
<- 不会跳走
017F:00459616 MOV BYTE PTR [EBP+402715],01
017F:0045961D JMP 00459706
<- 跳走
... ...
017F:00459706 CALL 00459726
<- F8
017F:0045970B MOV ESP,[ESP+08]
... ...
017F:00459726 PUSH DWORD PTR FS:[0000] <-
!!此处很重要:建立seh链
017F:0045972C MOV FS:[0000],ESP
<- !!
017F:00459732 LEA ESI,[EBP+00402647] <-
准备smc,esi=00459623
017F:00459738 MOV EDI,ESI
<- edi=esi
017F:0045973A MOV ECX,000000CA
<- 长度
017F:0045973F MOV AH,[EBP+00402711]
017F:00459745 LODSB
017F:00459746 XOR AL,AH
017F:00459748 INC AH
017F:0045974A ROL AH,02
017F:0045974D ADD AH,90
017F:00459750 STOSB
017F:00459751 LOOP 00459745
017F:00459753 JMP 00459623
<- smc结束后跳走到 00459623
... ...
017F:00459623 CALL 00459628
<- 这是被还原后的代码,F8
017F:00459628 MOV EBX,[EBP+00402705]
017F:0045962E ADD EBX,28
017F:00459631 POP EAX
017F:00459632 SUB EAX,EBX
017F:00459634 MOV [EBP+0040270D],EAX
017F:0045963A INT 3
<- !!关键!! 产生一个例外,如果正常跟下去,程序要么运行,要么会崩溃
... ...
3、好了,在此处先停下来,检查seh链以跟踪程序:
下DD FS:0 ,在数据窗口中显示 0068FE10;继续 D 68FE10+4 得到 0045970B; U 45970B得到下面的代码,就是对例外的处理部分。下Bpx
45970B。按一次F8或F10,立刻被拦到:
017F:0045970B MOV ESP,[ESP+08]
<- 拦在此处
017F:0045970F CALL 004596F3
<- F10
017F:00459714 MOV BYTE PTR [EBP+004026CC],C3
017F:0045971B CALL 0045966B
<- F10,是对文件内容进行还原
017F:00459720 JMP 0045963B
<- 跳走
... ...
017F:0045963B lea edi, dword ptr [ebp+00402624]
017F:00459641 mov ecx, 0000003B
... ...
017F:00459655 ADD [EBP+00402709],EAX
017F:0045965B POPAD
017F:0045965C POPFD
017F:0045965D MOV EBX,[EDX+00402709] <-
ebx=Oeip=43ABC0
017F:00459663 MOV [EDX+00402709],ECX
017F:00459669 JMP EBX
<- 到Oeip
4、在459669按一次F10到原程序入口,下:/pedump 400000 3ABC0 d:dumped.exe就得到脱壳文件,执行完全没有问题。为什么用pedump而不用dump?原因在于移植性:dump命令对ImportTable的没有处理,pedump默认是建新的IT,移植不会有问题。当然这仅适用于IT没有被破坏的情况。
5、用wdasm反出脱壳后的文件,找可疑目标,有一个:Beta 2。它是显示在关于对话框中,根据前面的跳转到相应的CALL中:
:00417162 6A01
push 00000001
:00417164 898F88030000 mov dword ptr
[edi+00000388], ecx
:0041716A E83127FFFF call 004098A0
<- 很重要
:0041716F 85C0
test eax, eax <-
出口eax==0表示是试用版
:00417171 8B8788030000 mov eax, dword
ptr [edi+00000388]
:00417177 740F
je 00417188
:00417179 05B0000000 add eax,
000000B0
:0041717E 8BCE
mov ecx, esi
:00417180 50
push eax
:00417181 E8B02C0200 call 00439E36
:00417186 EB17
jmp 0041719F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00417177(C)
|
:00417188 6A28
push 00000028
:0041718A 8B882C010000 mov ecx, dword
ptr [eax+0000012C]
:00417190 51
push ecx
* Possible StringData Ref from Data Obj ->"(Beta 2)"
<- 疑点啦
|
:00417191 68A8864400 push 004486A8
:00417196 56
push esi
:00417197 E8582C0200 call 00439DF4
:0041719C 83C410
add esp, 00000010
6、到CALL 4098A0中:
* Referenced by a CALL at Addresses:
|Many reference here
|
:004098A0 64A100000000 mov eax, dword
ptr fs:[00000000]
:004098A6 55
push ebp
:004098A7 8BEC
mov ebp, esp
:004098A9 6AFF
push FFFFFFFF
... ...复杂的加密过程
:0040A954 8B45EC
mov eax, dword ptr [ebp-14]
:0040A957 8B88B4000000 mov ecx, dword
ptr [eax+000000B4]
:0040A95D 8B8558FCFFFF mov eax, dword
ptr [ebp+FFFFFC58]
:0040A963 338D54FCFFFF xor ecx, dword
ptr [ebp+FFFFFC54]
:0040A969 25FFFF0000 and eax,
0000FFFF
:0040A96E 03C9
add ecx, ecx
:0040A970 33C8
xor ecx, eax
:0040A972 51
push ecx
* Possible StringData Ref from Data Obj ->"%d"
<- Guess
|
:0040A973 68087A4400 push 00447A08
:0040A978 68EC924400 push 004492EC
<- 目标地址
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:0040A97D E872F40200 Call 00439DF4
<- 相当于sprintf(wsprintf),打印字符串
:0040A982 83C40C
add esp, 0000000C
:0040A985 8B4DEC
mov ecx, dword ptr [ebp-14]
:0040A988 8B81B8000000 mov eax, dword
ptr [ecx+000000B8]
:0040A98E 81C1B8000000 add ecx, 000000B8
:0040A994 8B40F8
mov eax, dword ptr [eax-08]
:0040A997 85C0
test eax, eax
:0040A999 743D
je 0040A9D8
:0040A99B 83E803
sub eax, 00000003
:0040A99E 8D55E8
lea edx, dword ptr [ebp-18]
:0040A9A1 50
push eax
:0040A9A2 52
push edx
* Reference To: MFC42.Ordinal:164E, Ord:164Eh
|
:0040A9A3 E8DAF60200 Call 0043A082
:0040A9A8 C745FC01000000 mov [ebp-04], 00000001
:0040A9AF 8B08
mov ecx, dword ptr [eax] <- 这里来自于注册表:
建立这样一个注册表文件,然后导入:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microlog\Cabinet Manager 3.6\Settings]
"LicNo"="CM-561161061"
"Licensee"="Fpc[CCG]"
:0040A9B1 8B15EC924400 mov edx, dword
ptr [004492EC]
:0040A9B7 51
push ecx
:0040A9B8 52
push edx
* Reference To: MSVCRT._mbscmp, Ord:0154h
|
:0040A9B9 FF15D0D84400 Call dword ptr
[0044D8D0] <- 比较
:0040A9BF C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:0040A9C6 83C408
add esp, 00000008
:0040A9C9 83F801
cmp eax, 00000001
:0040A9CC 1BC0
sbb eax, eax
:0040A9CE F7D8
neg eax
:0040A9D0 8945F0
mov dword ptr [ebp-10], eax <- 保存结果
:0040A9D3 E81D000000 call 0040A9F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A999(C)
|
:0040A9D8 837DF000 cmp
dword ptr [ebp-10], 0 <- 测试
:0040A9DC 741F
je 0040A9FD <-
不等则错误,跳走
:0040A9DE 6A00
push 00000000
:0040A9E0 8B4DEC
mov ecx, dword ptr [ebp-14]
:0040A9E3 E8B8EEFFFF call 004098A0
<- 对自身的调用! 不懂
:0040A9E8 85C0
test eax, eax
:0040A9EA 7411
je 0040A9FD <-
这里会跳走
:0040A9EC C745F001000000 mov [ebp-10], 00000001
:0040A9F3 EB0F
jmp 0040AA04
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A9DC(C), :0040A9EA(C)
|
:0040A9FD C745F000000000 mov [ebp-10], 00000000
<- 置失败标志
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A9F3(U)
|
:0040AA04 837DF000 cmp
dword ptr [ebp-10], 0 <- 测试
:0040AA08 0F8430FFFFFF je 0040A93E
<- 失败则跳
:0040AA0E 8B45EC
mov eax, dword ptr [ebp-14]
:0040AA11 C780E000000000000000 mov dword ptr [ebx+000000E0], 00000000
:0040AA1B E91EFFFFFF jmp 0040A93E
7、看跳走到失败处如何处理:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040993E(C), :0040A860(C), :0040A872(C), :0040AA08(C), :0040AA1B(U)
|:0040AAC3(C), :0040AAD6(U) So Many reference,
Hehe
|
:0040A93E 8B45F0
mov eax, dword ptr [ebp-10] <- 标志值到eax
<- 显然这里要改掉:push
01; pop eax。代码是:6A 01 58
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A91F(U)
|
:0040A941 8B4DF4
mov ecx, dword ptr [ebp-0C]
:0040A944 5F
pop edi
:0040A945 64890D00000000 mov dword ptr fs:[00000000],
ecx
:0040A94C 5E
pop esi
:0040A94D 5B
pop ebx
:0040A94E 8BE5
mov esp, ebp
:0040A950 5D
pop ebp
:0040A951 C20400
ret 0004 <- 返回了
8、用文件编辑器找到offset:9D3E处,改为:6A 01 58。存盘退出,运行。哈! 时间限制没有了,看关于,也注册成功了。
[End]
- 标 题:uNpack and craK: Cabinet Manager 2001 3.5 Beta (10千字)
- 作 者:6767[BCG]
- 时 间:2001-9-2 16:11:57
- 链 接:http://bbs.pediy.com